From b9fe3fc301ea66e5287c059ca24a0bcb4eca9786 Mon Sep 17 00:00:00 2001
From: Daniel Medina
Date: Mon, 11 Nov 2024 14:28:32 -0500
Subject: [PATCH 01/71] new pages to test

---
 src/.vuepress/navbar.ts | 3 +-
 src/.vuepress/sidebar.ts | 8 +++++
 src/README.md | 3 ++
 src/courses/advanced/12.md | 1 +
 src/courses/advanced/13.md | 8 +++++
 src/courses/delta/25.md | 66 ++++++++++++++++++++++++++++++++++++++
 src/courses/delta/26.md | 47 +++++++++++++++++++++++++++
 7 files changed, 135 insertions(+), 1 deletion(-)
 create mode 100644 src/courses/advanced/13.md
 create mode 100644 src/courses/delta/25.md
 create mode 100644 src/courses/delta/26.md

diff --git a/src/.vuepress/navbar.ts b/src/.vuepress/navbar.ts
index d68b8f2e4..e89a3fc95 100644
--- a/src/.vuepress/navbar.ts
+++ b/src/.vuepress/navbar.ts
@@ -10,7 +10,8 @@ export default navbar([
 { text: "Beginner Security Automation Developer Class", link: "/courses/beginner/", icon: "creative" },
 { text: "Advanced Security Automation Developer Class", link: "/courses/advanced/", icon: "creative" },
 { text: "Security Guidance Developer Class", link: "/courses/guidance/", icon: "creative" },
- { text: "InSpec Profile Development & Testing", link: "/courses/profile-dev-test/", icon: "creative"}
+ { text: "InSpec Profile Development & Testing", link: "/courses/profile-dev-test/", icon: "creative"},
+ { text: "SAF Delta Class", link: "/courses/delta/", icon: "creative" },
 ]},
 { text: "Resources",
 icon: "book",
diff --git a/src/.vuepress/sidebar.ts b/src/.vuepress/sidebar.ts
index 60cb04788..219912708 100644
--- a/src/.vuepress/sidebar.ts
+++ b/src/.vuepress/sidebar.ts
@@ -39,5 +39,13 @@ export default sidebar({
 children: "structure",
 collapsible: true
 },
+ {
+ icon: "creative",
+ text: "SAF Delta",
+ prefix: "courses/delta/",
+ children: "structure",
+ collapsible: true
+ },
+
 ],
 });
diff --git a/src/README.md b/src/README.md
index c304426fa..3569ca10c 100644
--- a/src/README.md
+++ b/src/README.md
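Review bot: The label on the new navbar line, `"SAF Delta Class"`, does not match the `"SAF Delta"` text used for the same course in the sidebar.ts and README.md hunks of this same commit, so the site shows two names for one page; pick one (the sidebar's `text: "SAF Delta"` is the shorter) and use it on the navbar line too. While the line above is already being touched to add the trailing comma, its `icon: "creative"}` could also gain the space before `}` that every other entry in the hunk has. The same three hunks are repeated verbatim in PATCH 02/71 and would need the same fix there.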
@@ -21,6 +21,9 @@ actions:
 - text: InSpec Profile Updating & Development
 link: /courses/profile-dev-test/
 type: primary
+ - text: SAF Delta
+ link: /courses/delta/
+ type: primary
 
 highlights:
 - header: What You Will Learn
diff --git a/src/courses/advanced/12.md b/src/courses/advanced/12.md
index acd6acad7..a3209a8c8 100644
--- a/src/courses/advanced/12.md
+++ b/src/courses/advanced/12.md
@@ -1,6 +1,7 @@
 ---
 order: 12
 title: 12. Next Steps
+next: 13.md
 author: Emily
 headerDepth: 3
 ---
diff --git a/src/courses/advanced/13.md b/src/courses/advanced/13.md
new file mode 100644
index 000000000..d332d29e2
--- /dev/null
+++ b/src/courses/advanced/13.md
@@ -0,0 +1,8 @@
+---
+order: 13
+title: 13. Delta
+author: Daniel
+headerDepth: 3
+---
+
+## Testing
\ No newline at end of file
diff --git a/src/courses/delta/25.md b/src/courses/delta/25.md
new file mode 100644
index 000000000..c17d86e4c
--- /dev/null
+++ b/src/courses/delta/25.md
@@ -0,0 +1,66 @@
+---
+order: 25
+next: 26.md
+title: InSpec Delta - Laying the Ground for a Clean Release Branch
+shortTitle: Delta - Prep & Setup
+author: Aaron Lippold
+---
+
+## InSpec Delta
+
+### Preparing the Profile Before Running Delta
+
+Before running Delta, it's beneficial to format the profile to match the format Delta will use. This minimizes changes to only those necessary based on the guidance update. Follow these steps:
+
+1. **Run Cookstyle:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list cookstyle`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `cookstyle -a ./controls` and any tests you have for your profile.
+
+```shell
+AllCops:
+ Exclude:
+ - "libraries/**/*"
+
+Layout/LineLength:
+ Max: 1000
+ AllowURI: true
+ IgnoreCopDirectives: true
+
+Naming/FileName:
+ Enabled: false
+
+Metrics/BlockLength:
+ Max: 400
+
+Lint/ConstantDefinitionInBlock:
+ Enabled: false
+
+# Required for Profiles as it can introduce profile errors
+Style/NumericPredicate:
+ Enabled: false
+
+Style/WordArray:
+ Description: "Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)"
+ Enabled: false
+
+Style/RedundantPercentQ:
+ Enabled: true
+
+Style/NestedParenthesizedCalls:
+ Enabled: false
+
+Style/TrailingCommaInHashLiteral:
+ Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral"
+ Enabled: true
+ EnforcedStyleForMultiline: no_comma
+
+Style/TrailingCommaInArrayLiteral:
+ Enabled: true
+ EnforcedStyleForMultiline: no_comma
+
+Style/BlockDelimiters:
+ Enabled: false
+
+Lint/AmbiguousBlockAssociation:
+ Enabled: false
+```
+
+2. **Run the SAF CLI Command:** Use `saf generate update_controls4delta` to check and update the control IDs with the provided XCCDF guidance. This process checks if the new guidance changes the control numbers and updates them if necessary. This minimizes the Delta output content and improves the visualization of the modifications provided by the Delta process.
diff --git a/src/courses/delta/26.md b/src/courses/delta/26.md
new file mode 100644
index 000000000..e4f602575
--- /dev/null
+++ b/src/courses/delta/26.md
@@ -0,0 +1,47 @@
+---
+order: 26
+next: 27.md
+title: InSpec Delta - Making the Delta Release Branch
+shortTitle: Delta - Making your Branch
+author: Aaron Lippold
+---
+
+## Prepair Your Environment
+
+- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file.
+- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command.
+
+## Delta Workflow Process
+
+![Delta Workflow Process](https://user-images.githubusercontent.com/13986875/228628448-ad6b9fd9-d165-4e65-95e2-a951031d19e2.png "Delta Workflow Process Image")
+
+## Using Delta
+
+The SAF InSpec Delta workflow typically involves two phases, `preformatting` and `delta`.
+
+Before starting, ensure you have the latest SAF-CLI, the InSpec Profile JSON file, and the updated guidance file.
+
+1. **Preformat the Source Profile:** Before running the Delta command, preformat your source profile (usually the Patch Release profile) using the `saf generate update_controls4delta` command. This prepares the profile for the Delta process.
+2. **Run the Delta Command:** Execute `saf generate delta [arguments]` to start the Delta process.
+
+For more information on these commands, refer to the following documentation:
+
+- [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options)
+- [saf generate delta](https://saf-cli.mitre.org/#delta)
+
+## Scope of Changes by Delta
+
+Delta focuses on specific modifications migrating the changes from the XCCDF Benchmark Rules to the Profiles controls, and updating the 'metadata' of each of thosin the `control ID`, `title`, `default desc`, `check text`, and `fix text`, between the XCCDF Benchmark Rules and the Profile Controls.
+
+If the XCCDF Guidance Document introduces a new 'Rule' or `inspec control` that is not in the current profile's `controls` directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the [inspec_profile](#inspec-profile) (aliases xccdf-benchmark-to-inspec-stubs) tool.
+
+It also adjusts the `tags` and introduces a `ref` between the `impact` and `tags`.
+
+Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it updates the 'control metadata' using the information from the supplied XCCDF guidance document. This applies to 'matched controls' between the XCCDF Guidance Document and the InSpec profile.
+
+### Further InSpec Delta Information and Background
+
+- The original Delta branch can be found [here](https://github.com/mitre/saf/pull/485).
+- Delta moves lines not labeled with 'desc' to the bottom, between tags and InSpec code.
+- Whether the controls are formatted to be 80 lines or not, Delta exhibits the same behavior with the extra text.
+- Parameterizing should be considered.

From 1d8ff0c81f74d1d0409589cce3589540c481b8d7 Mon Sep 17 00:00:00 2001
From: Daniel Medina
Date: Mon, 11 Nov 2024 14:28:32 -0500
Subject: [PATCH 02/71] new pages to test

---
 src/.vuepress/navbar.ts | 3 +-
 src/.vuepress/sidebar.ts | 8 +++++
 src/README.md | 3 ++
 src/courses/advanced/12.md | 1 +
 src/courses/advanced/13.md | 8 +++++
 src/courses/delta/25.md | 66 ++++++++++++++++++++++++++++++++++++++
 src/courses/delta/26.md | 47 +++++++++++++++++++++++++++
 7 files changed, 135 insertions(+), 1 deletion(-)
 create mode 100644 src/courses/advanced/13.md
 create mode 100644 src/courses/delta/25.md
 create mode 100644 src/courses/delta/26.md

diff --git a/src/.vuepress/navbar.ts b/src/.vuepress/navbar.ts
index d0e67529f..80d5fe5a3 100644
--- a/src/.vuepress/navbar.ts
+++ b/src/.vuepress/navbar.ts
@@ -10,7 +10,8 @@ export default navbar([
 { text: "Beginner Security Automation Developer Class", link: "/courses/beginner/", icon: "creative" },
 { text: "Advanced Security Automation Developer Class", link: "/courses/advanced/", icon: "creative" },
 { text: "Security Guidance Developer Class", link: "/courses/guidance/", icon: "creative" },
- { text: "InSpec Profile Development & Testing", link: "/courses/profile-dev-test/", icon: "creative"}
+ { text: "InSpec Profile Development & Testing", link: "/courses/profile-dev-test/", icon: "creative"},
+ { text: "SAF Delta Class", link: "/courses/delta/", icon: "creative" },
 ]},
 { text: "Resources",
 icon: "book",
diff --git a/src/.vuepress/sidebar.ts b/src/.vuepress/sidebar.ts
index 60cb04788..219912708 100644
--- a/src/.vuepress/sidebar.ts
+++ b/src/.vuepress/sidebar.ts
@@ -39,5 +39,13 @@ export default sidebar({
 children: "structure",
 collapsible: true
 },
+ {
+ icon: "creative",
+ text: "SAF Delta",
+ prefix: "courses/delta/",
+ children: "structure",
+ collapsible: true
+ },
+
 ],
 });
diff --git a/src/README.md b/src/README.md
index c304426fa..3569ca10c 100644
--- a/src/README.md
+++ b/src/README.md
@@ -21,6 +21,9 @@ actions:
 - text: InSpec Profile Updating & Development
 link: /courses/profile-dev-test/
 type: primary
+ - text: SAF Delta
+ link: /courses/delta/
+ type: primary
 
 highlights:
 - header: What You Will Learn
diff --git a/src/courses/advanced/12.md b/src/courses/advanced/12.md
index acd6acad7..a3209a8c8 100644
--- a/src/courses/advanced/12.md
+++ b/src/courses/advanced/12.md
@@ -1,6 +1,7 @@
 ---
 order: 12
 title: 12. Next Steps
+next: 13.md
 author: Emily
 headerDepth: 3
 ---
diff --git a/src/courses/advanced/13.md b/src/courses/advanced/13.md
new file mode 100644
index 000000000..d332d29e2
--- /dev/null
+++ b/src/courses/advanced/13.md
@@ -0,0 +1,8 @@
+---
+order: 13
+title: 13. Delta
+author: Daniel
+headerDepth: 3
+---
+
+## Testing
\ No newline at end of file
diff --git a/src/courses/delta/25.md b/src/courses/delta/25.md
new file mode 100644
index 000000000..c17d86e4c
--- /dev/null
+++ b/src/courses/delta/25.md
@@ -0,0 +1,66 @@
+---
+order: 25
+next: 26.md
+title: InSpec Delta - Laying the Ground for a Clean Release Branch
+shortTitle: Delta - Prep & Setup
+author: Aaron Lippold
+---
+
+## InSpec Delta
+
+### Preparing the Profile Before Running Delta
+
+Before running Delta, it's beneficial to format the profile to match the format Delta will use. This minimizes changes to only those necessary based on the guidance update. Follow these steps:
+
+1. **Run Cookstyle:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list cookstyle`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `cookstyle -a ./controls` and any tests you have for your profile.
+
+```shell
+AllCops:
+ Exclude:
+ - "libraries/**/*"
+
+Layout/LineLength:
+ Max: 1000
+ AllowURI: true
+ IgnoreCopDirectives: true
+
+Naming/FileName:
+ Enabled: false
+
+Metrics/BlockLength:
+ Max: 400
+
+Lint/ConstantDefinitionInBlock:
+ Enabled: false
+
+# Required for Profiles as it can introduce profile errors
+Style/NumericPredicate:
+ Enabled: false
+
+Style/WordArray:
+ Description: "Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)"
+ Enabled: false
+
+Style/RedundantPercentQ:
+ Enabled: true
+
+Style/NestedParenthesizedCalls:
+ Enabled: false
+
+Style/TrailingCommaInHashLiteral:
+ Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral"
+ Enabled: true
+ EnforcedStyleForMultiline: no_comma
+
+Style/TrailingCommaInArrayLiteral:
+ Enabled: true
+ EnforcedStyleForMultiline: no_comma
+
+Style/BlockDelimiters:
+ Enabled: false
+
+Lint/AmbiguousBlockAssociation:
+ Enabled: false
+```
+
+2. **Run the SAF CLI Command:** Use `saf generate update_controls4delta` to check and update the control IDs with the provided XCCDF guidance. This process checks if the new guidance changes the control numbers and updates them if necessary. This minimizes the Delta output content and improves the visualization of the modifications provided by the Delta process.
diff --git a/src/courses/delta/26.md b/src/courses/delta/26.md
new file mode 100644
index 000000000..e4f602575
--- /dev/null
+++ b/src/courses/delta/26.md
@@ -0,0 +1,47 @@
+---
+order: 26
+next: 27.md
+title: InSpec Delta - Making the Delta Release Branch
+shortTitle: Delta - Making your Branch
+author: Aaron Lippold
+---
+
+## Prepair Your Environment
+
+- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file.
+- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command.
+
+## Delta Workflow Process
+
+![Delta Workflow Process](https://user-images.githubusercontent.com/13986875/228628448-ad6b9fd9-d165-4e65-95e2-a951031d19e2.png "Delta Workflow Process Image")
+
+## Using Delta
+
+The SAF InSpec Delta workflow typically involves two phases, `preformatting` and `delta`.
+
+Before starting, ensure you have the latest SAF-CLI, the InSpec Profile JSON file, and the updated guidance file.
+
+1. **Preformat the Source Profile:** Before running the Delta command, preformat your source profile (usually the Patch Release profile) using the `saf generate update_controls4delta` command. This prepares the profile for the Delta process.
+2. **Run the Delta Command:** Execute `saf generate delta [arguments]` to start the Delta process.
+
+For more information on these commands, refer to the following documentation:
+
+- [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options)
+- [saf generate delta](https://saf-cli.mitre.org/#delta)
+
+## Scope of Changes by Delta
+
+Delta focuses on specific modifications migrating the changes from the XCCDF Benchmark Rules to the Profiles controls, and updating the 'metadata' of each of thosin the `control ID`, `title`, `default desc`, `check text`, and `fix text`, between the XCCDF Benchmark Rules and the Profile Controls.
+
+If the XCCDF Guidance Document introduces a new 'Rule' or `inspec control` that is not in the current profile's `controls` directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the [inspec_profile](#inspec-profile) (aliases xccdf-benchmark-to-inspec-stubs) tool.
+
+It also adjusts the `tags` and introduces a `ref` between the `impact` and `tags`.
+
+Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it updates the 'control metadata' using the information from the supplied XCCDF guidance document. This applies to 'matched controls' between the XCCDF Guidance Document and the InSpec profile.
+
+### Further InSpec Delta Information and Background
+
+- The original Delta branch can be found [here](https://github.com/mitre/saf/pull/485).
+- Delta moves lines not labeled with 'desc' to the bottom, between tags and InSpec code.
+- Whether the controls are formatted to be 80 lines or not, Delta exhibits the same behavior with the extra text.
+- Parameterizing should be considered.

From 0b13f007a68527c2eb841aa324482832bbf742cc Mon Sep 17 00:00:00 2001
From: Daniel Medina
Date: Mon, 2 Dec 2024 13:03:36 -0500
Subject: [PATCH 03/71] Overview of process

---
 src/courses/delta/01.md | 107 +++++++++++++++++++++++++++++
 src/courses/delta/{26.md => 02.md} | 1 -
 src/courses/delta/25.md | 66 ------------------
 3 files changed, 107 insertions(+), 67 deletions(-)
 create mode 100644 src/courses/delta/01.md
 rename src/courses/delta/{26.md => 02.md} (99%)
 delete mode 100644 src/courses/delta/25.md

diff --git a/src/courses/delta/01.md b/src/courses/delta/01.md
new file mode 100644
index 000000000..ed0d4a8e6
--- /dev/null
+++ b/src/courses/delta/01.md
@@ -0,0 +1,107 @@
+---
+order: 01
+next: 02.md
+title: InSpec Delta - Laying the Ground for a Clean Release Branch
+shortTitle: Delta - Overview
+authors: Daniel Medina and George Dias
+---
+
+## InSpec Delta
+
+### Overview
+
+Inspec Delta is a SAF CLI functionality that automates and facilitates the process of changing inspec profile baselines.
+
+The SAF CLI Delta process can include two distinct processes:
+1. Updates Controls for Delta (`update_controls4delta`)
+2. Delta (`delta`)
+
+::: note
+When referring to inspec profiles, there are distinctions:
+Inspec profile repository: contains the controls, code, etc.
+Inspec profile file: JSON formatted file containing profile summary, used as input for these delta process.
+:::
+
+### Update Controls for Delta
+
+
+
+### Delta
+
+update_controls4delta --> major releases
+
+This process is used to prepare profile controls from one SRG or STIG baseline to another.
+
+The controls are updated based on guidance based on guidance provided by the appropriate Extendible Configuration Checklist Description Format (XCCDF).
+
+Given a STIG specification and an inspec profile Delta can:
+1. Apply revisions for minor releases to a STIG guidance
+ Generating new controls in a STIG guidance
+2. Apply revisions and control renamings for major releases to a STIG guidance
+3. Map equivalent controls between two different inspec profiles
+
+
+### Preparing the Profile Before Running Delta
+
+Before running Delta, it's beneficial to format the profile to match the format Delta will use. This minimizes changes to only those necessary based on the guidance update. Follow these steps:
+
+1. **Run Cookstyle:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list cookstyle`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `cookstyle -a ./controls` and any tests you have for your profile.
+
+```shell
+AllCops:
+ Exclude:
+ - "libraries/**/*"
+
+Layout/LineLength:
+ Max: 1000
+ AllowURI: true
+ IgnoreCopDirectives: true
+
+Naming/FileName:
+ Enabled: false
+
+Metrics/BlockLength:
+ Max: 400
+
+Lint/ConstantDefinitionInBlock:
+ Enabled: false
+
+# Required for Profiles as it can introduce profile errors
+Style/NumericPredicate:
+ Enabled: false
+
+Style/WordArray:
+ Description: "Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)"
+ Enabled: false
+
+Style/RedundantPercentQ:
+ Enabled: true
+
+Style/NestedParenthesizedCalls:
+ Enabled: false
+
+Style/TrailingCommaInHashLiteral:
+ Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral"
+ Enabled: true
+ EnforcedStyleForMultiline: no_comma
+
+Style/TrailingCommaInArrayLiteral:
+ Enabled: true
+ EnforcedStyleForMultiline: no_comma
+
+Style/BlockDelimiters:
+ Enabled: false
+
+Lint/AmbiguousBlockAssociation:
+ Enabled: false
+```
+
+2. **Run the SAF CLI Command:** Use `saf generate update_controls4delta` to check and update the control IDs with the provided XCCDF guidance. This process checks if the new guidance changes the control numbers and updates them if necessary. This minimizes the Delta output content and improves the visualization of the modifications provided by the Delta process.
+
+3. Glossary of Terms
+
+|Term |Definition|
+|------|-----------|
+|XCCDF| The XCCDF document is an XML formatted file that containing the updated structured collection of security configuration rules for a specific target system. |
+|SRG| Security Requirements Guides are documents that provide detailed security requirements for various technologies, applications,databases, and operating systems. SRGs offer guidance on how to configure and secure different technologies to meet specific security standards. |
+|STIG|Security Technical Implementation Guides are configuration standards that provide technical guidance for securing software, networks, servers, and computers. They are based on Department of Defense (DoD) policy and security controls. |
\ No newline at end of file
diff --git a/src/courses/delta/26.md b/src/courses/delta/02.md
similarity index 99%
rename from src/courses/delta/26.md
rename to src/courses/delta/02.md
index e4f602575..68139efea 100644
--- a/src/courses/delta/26.md
+++ b/src/courses/delta/02.md
@@ -1,6 +1,5 @@
 ---
 order: 26
-next: 27.md
 title: InSpec Delta - Making the Delta Release Branch
 shortTitle: Delta - Making your Branch
 author: Aaron Lippold
diff --git a/src/courses/delta/25.md b/src/courses/delta/25.md
deleted file mode 100644
index c17d86e4c..000000000
--- a/src/courses/delta/25.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-order: 25
-next: 26.md
-title: InSpec Delta - Laying the Ground for a Clean Release Branch
-shortTitle: Delta - Prep & Setup
-author: Aaron Lippold
----
-
-## InSpec Delta
-
-### Preparing the Profile Before Running Delta
-
-Before running Delta, it's beneficial to format the profile to match the format Delta will use. This minimizes changes to only those necessary based on the guidance update. Follow these steps:
-
-1. **Run Cookstyle:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list cookstyle`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `cookstyle -a ./controls` and any tests you have for your profile.
-
-```shell
-AllCops:
- Exclude:
- - "libraries/**/*"
-
-Layout/LineLength:
- Max: 1000
- AllowURI: true
- IgnoreCopDirectives: true
-
-Naming/FileName:
- Enabled: false
-
-Metrics/BlockLength:
- Max: 400
-
-Lint/ConstantDefinitionInBlock:
- Enabled: false
-
-# Required for Profiles as it can introduce profile errors
-Style/NumericPredicate:
- Enabled: false
-
-Style/WordArray:
- Description: "Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)"
- Enabled: false
-
-Style/RedundantPercentQ:
- Enabled: true
-
-Style/NestedParenthesizedCalls:
- Enabled: false
-
-Style/TrailingCommaInHashLiteral:
- Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral"
- Enabled: true
- EnforcedStyleForMultiline: no_comma
-
-Style/TrailingCommaInArrayLiteral:
- Enabled: true
- EnforcedStyleForMultiline: no_comma
-
-Style/BlockDelimiters:
- Enabled: false
-
-Lint/AmbiguousBlockAssociation:
- Enabled: false
-```
-
-2. **Run the SAF CLI Command:** Use `saf generate update_controls4delta` to check and update the control IDs with the provided XCCDF guidance. This process checks if the new guidance changes the control numbers and updates them if necessary. This minimizes the Delta output content and improves the visualization of the modifications provided by the Delta process.

From b7e7b2d00a7420864b9c5c8ec0822220c4140771 Mon Sep 17 00:00:00 2001
From: Daniel Medina
Date: Mon, 2 Dec 2024 17:13:25 -0500
Subject: [PATCH 04/71] additional info + use cases

---
 src/courses/delta/01.md | 109 +++++++++++++++++----------------------
 src/courses/delta/02.md | 60 +++++++++++-----------
 src/courses/delta/03.md | 20 ++++++++
 src/courses/delta/04.md | 47 +++++++++++++++++
 4 files changed, 140 insertions(+), 96 deletions(-)
 create mode 100644 src/courses/delta/03.md
 create mode 100644 src/courses/delta/04.md

diff --git a/src/courses/delta/01.md b/src/courses/delta/01.md
index ed0d4a8e6..19b406f69 100644
--- a/src/courses/delta/01.md
+++ b/src/courses/delta/01.md
@@ -3,7 +3,7 @@ order: 01
 next: 02.md
 title: InSpec Delta - Laying the Ground for a Clean Release Branch
 shortTitle: Delta - Overview
-authors: Daniel Medina and George Dias
+author: Daniel Medina, George Dias
 ---
 
 ## InSpec Delta
@@ -12,93 +12,74 @@ authors: Daniel Medina and George Dias
 
 Inspec Delta is a SAF CLI functionality that automates and facilitates the process of changing inspec profile baselines.
 
-The SAF CLI Delta process can include two distinct processes:
-1. Updates Controls for Delta (`update_controls4delta`)
-2. Delta (`delta`)
-
 ::: note
 When referring to inspec profiles, there are distinctions:
 Inspec profile repository: contains the controls, code, etc.
 Inspec profile file: JSON formatted file containing profile summary, used as input for these delta process.
 :::
 
-### Update Controls for Delta
-
-
-
-### Delta
-
-update_controls4delta --> major releases
-
-This process is used to prepare profile controls from one SRG or STIG baseline to another.
+The SAF CLI Delta process can include two distinct processes:
+1. Updates Controls for Delta (`update_controls4delta`)
+2. Delta (`delta`)
 
-The controls are updated based on guidance based on guidance provided by the appropriate Extendible Configuration Checklist Description Format (XCCDF).
+::: warning
+This process has been tested using DISA XCCDF STIGs Guidance files only
+:::
 
-Given a STIG specification and an inspec profile Delta can:
-1. Apply revisions for minor releases to a STIG guidance
- Generating new controls in a STIG guidance
-2. Apply revisions and control renamings for major releases to a STIG guidance
-3. Map equivalent controls between two different inspec profiles
+### Update Controls for Delta
+The `update_controls4delta` process is used to prepare profile controls from one [SRG](#glossary-of-terms) or [STIG](#glossary-of-terms) baseline to another. The controls are updated based on guidance based on guidance provided by the appropriate Extendible Configuration Checklist Description Format ([XCCDF](#glossary-of-terms)).
 
 
-### Preparing the Profile Before Running Delta
+The `update_controls4delta` process may be the only command needed to facilitate changes to Inspec profile baselines (delta process), refer to [use cases for running delta](./02.html#use-cases-for-running-delta).
 
-Before running Delta, it's beneficial to format the profile to match the format Delta will use. This minimizes changes to only those necessary based on the guidance update. Follow these steps:
+The process of preparing controls from one baseline to another (baseline X to Y) consists of:
 
-1. **Run Cookstyle:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list cookstyle`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `cookstyle -a ./controls` and any tests you have for your profile.
+1. The directory where baseline X controls are located is provided.
+2. An InSpec json formatted file containing all baseline X controls is provided or generated.
+ a - The json file is generated using the [inspec or cinc-auditor] json CLI command
+3. A XCCDF file containing the new baseline Y guidance is provided. The file is obtained from the appropriate site.
+ a - The baseline Y XCCDF lists all controls appropriate for the provided baseline. It also includes (most often) a field (legacy) where it indicates the control's previous name(s). The process uses this field to map old control names to the new controls.
+ b - If there is no mapping found, then the `delta` process must be invoked to convert the baselines ([see use cases](./02.html#use-cases-for-running-delta))
+You can invoke the command as such:
 
 ```shell
-AllCops:
- Exclude:
- - "libraries/**/*"
-
-Layout/LineLength:
- Max: 1000
- AllowURI: true
- IgnoreCopDirectives: true
-
-Naming/FileName:
- Enabled: false
-
-Metrics/BlockLength:
- Max: 400
-
-Lint/ConstantDefinitionInBlock:
- Enabled: false
-
-# Required for Profiles as it can introduce profile errors
-Style/NumericPredicate:
- Enabled: false
+saf generate update_controls4delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -c baseline_X_controls_directory
+```
 
-Style/WordArray:
- Description: "Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)"
- Enabled: false
+Additional capabilities can be obtained using the `--help` flag on the `update_controls4delta` command as such:
+```shell
+saf generate update_controls4delta --help
+```
 
-Style/RedundantPercentQ:
- Enabled: true
+The renaming of controls can be done either using the group ID (use `--help` for additional info) or the legacy field contained within the XCCDF.
 
-Style/NestedParenthesizedCalls:
- Enabled: false
+### Delta
 
-Style/TrailingCommaInHashLiteral:
- Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral"
- Enabled: true
- EnforcedStyleForMultiline: no_comma
+If the delta between baseline X and Y does not encompass tracability, the update_controls4delta command will not identify any profiles and will therefore not update any controls to the new baseline (no mapping).
 
-Style/TrailingCommaInArrayLiteral:
- Enabled: true
- EnforcedStyleForMultiline: no_comma
+The `delta` process extends the capabilities of the `update_controls4delta` process by providing the following functionalities:
 
-Style/BlockDelimiters:
- Enabled: false
+1. Creates new controls found in updated guidances
+2. Fuzzy matching capability (optional)
+ a - Maps controls based on similarity and not control IDs
+ b - For controls which a match is found, the describe block (code) within the old control is mapped over to the new control
+3. Detailed logging
+ a - report file (.md), mapping statistics (CliProcessOutput.log)
 
-Lint/AmbiguousBlockAssociation:
- Enabled: false
+You can invoke the command as such:
+```shell
+saf generate delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -o new_baseline_Y_controls_directory -M -c baseline_X_controls_directory
 ```
+::: tip
+The `-M` and `-c` flags can be removed if not using fuzzy matching feature.
+:::
 
-2. **Run the SAF CLI Command:** Use `saf generate update_controls4delta` to check and update the control IDs with the provided XCCDF guidance. This process checks if the new guidance changes the control numbers and updates them if necessary. This minimizes the Delta output content and improves the visualization of the modifications provided by the Delta process.
+Additional capabilities can be obtained using the `--help` flag on the `delta` command as such:
+```shell
+saf generate delta --help
+```
 
-3. Glossary of Terms
+### Glossary of Terms
 
 |Term |Definition|
 |------|-----------|
diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md
index 68139efea..9f49b13d1 100644
--- a/src/courses/delta/02.md
+++ b/src/courses/delta/02.md
@@ -1,46 +1,42 @@ --- -order: 26 -title: InSpec Delta - Making the Delta Release Branch -shortTitle: Delta - Making your Branch -author: Aaron Lippold +order: 02 +previous: 01.md +next: 03.md +title: InSpec Delta - Use Cases +shortTitle: Delta - Use Cases +author: Daniel Medina, George Dias --- -## Prepair Your Environment +## Use Cases for Running Delta -- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file. -- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command. +Use Case 1 - Update to verify if control IDs were changed (run update controls) +Use Case 2 - Update control IDs and metadata (run update controls) +Use Case 3 - Update control IDs based on group ID (run update controls) +Use Case 4 - No mappings were found using update controls (run Delta with fuzzy matching) +Use Case 5 - Generate stubs for new controls found in XCCDF (run Delta w/o fuzzy matching) +Use Case 6 - Need detailed logging of process (run Delta w/o fuzzy matching) -## Delta Workflow Process +### Use Case 1 -![Delta Workflow Process](https://user-images.githubusercontent.com/13986875/228628448-ad6b9fd9-d165-4e65-95e2-a951031d19e2.png "Delta Workflow Process Image") +### Use Case 2 -## Using Delta +### Use Case 3 -The SAF InSpec Delta workflow typically involves two phases, `preformatting` and `delta`. +### Use Case 4 -Before starting, ensure you have the latest SAF-CLI, the InSpec Profile JSON file, and the updated guidance file. +Running update controls may result in no controls being updated / no mappings were found from baseline X to baseline Y. This could be due to there being too many revisions / releases between the two baselines creating no way to map between them. 
In this case, we have no alternative but to use Delta with fuzzy matching. -1. **Preformat the Source Profile:** Before running the Delta command, preformat your source profile (usually the Patch Release profile) using the `saf generate update_controls4delta` command. This prepares the profile for the Delta process. -2. **Run the Delta Command:** Execute `saf generate delta [arguments]` to start the Delta process. +### Use Case 5 -For more information on these commands, refer to the following documentation: +### Use Case 6 -- [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options) -- [saf generate delta](https://saf-cli.mitre.org/#delta) -## Scope of Changes by Delta +distinctions: +if baseline Y has new controls not present in baseline X (new / not found) +if baseline X has controls not present in baseline Y (skipped) -Delta focuses on specific modifications migrating the changes from the XCCDF Benchmark Rules to the Profiles controls, and updating the 'metadata' of each of thosin the `control ID`, `title`, `default desc`, `check text`, and `fix text`, between the XCCDF Benchmark Rules and the Profile Controls. - -If the XCCDF Guidance Document introduces a new 'Rule' or `inspec control` that is not in the current profile's `controls` directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the [inspec_profile](#inspec-profile) (aliases xccdf-benchmark-to-inspec-stubs) tool. - -It also adjusts the `tags` and introduces a `ref` between the `impact` and `tags`. - -Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it updates the 'control metadata' using the information from the supplied XCCDF guidance document. This applies to 'matched controls' between the XCCDF Guidance Document and the InSpec profile. 
- -### Further InSpec Delta Information and Background - -- The original Delta branch can be found [here](https://github.com/mitre/saf/pull/485). -- Delta moves lines not labeled with 'desc' to the bottom, between tags and InSpec code. -- Whether the controls are formatted to be 80 lines or not, Delta exhibits the same behavior with the extra text. -- Parameterizing should be considered. +Given a STIG specification and an inspec profile Delta can: +1. Apply revisions for minor releases to a STIG guidance + Generating new controls in a STIG guidance +2. Apply revisions and control renamings for major releases to a STIG guidance +3. Map equivalent controls between two different inspec profiles \ No newline at end of file diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md new file mode 100644 index 000000000..0bc2effa5 --- /dev/null +++ b/src/courses/delta/03.md @@ -0,0 +1,20 @@ +--- +order: 03 +previous: 02.md +next: 04.md +title: InSpec Delta - 03 +shortTitle: Delta - Overview 03 +authors: Daniel Medina and George Dias +--- + +## InSpec Delta + +### Preparing the Profile Before Running Delta + +Before running Delta, it's beneficial to format the profile to match the format Delta will use. This minimizes changes to only those necessary based on the guidance update. Follow these steps: + +1. **Run Rubocop:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list cookstyle`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `cookstyle -a ./controls` and any tests you have for your profile. + +```shell + +``` \ No newline at end of file diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md new file mode 100644 index 000000000..065ba3f42 --- /dev/null +++ b/src/courses/delta/04.md 
@@ -0,0 +1,47 @@ +--- +order: 04 +previous: 03.md +title: InSpec Delta - 04 +shortTitle: Delta - 04 +author: Aaron Lippold +--- + +## Prepair Your Environment + +- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file. +- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command. + +## Delta Workflow Process + +![Delta Workflow Process](https://user-images.githubusercontent.com/13986875/228628448-ad6b9fd9-d165-4e65-95e2-a951031d19e2.png "Delta Workflow Process Image") + +## Using Delta + +The SAF InSpec Delta workflow typically involves two phases, `preformatting` and `delta`. + +Before starting, ensure you have the latest SAF-CLI, the InSpec Profile JSON file, and the updated guidance file. + +1. **Preformat the Source Profile:** Before running the Delta command, preformat your source profile (usually the Patch Release profile) using the `saf generate update_controls4delta` command. This prepares the profile for the Delta process. +2. **Run the Delta Command:** Execute `saf generate delta [arguments]` to start the Delta process. + +For more information on these commands, refer to the following documentation: + +- [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options) +- [saf generate delta](https://saf-cli.mitre.org/#delta) + +## Scope of Changes by Delta + +Delta focuses on specific modifications migrating the changes from the XCCDF Benchmark Rules to the Profiles controls, and updating the 'metadata' of each of thosin the `control ID`, `title`, `default desc`, `check text`, and `fix text`, between the XCCDF Benchmark Rules and the Profile Controls. 
+ +If the XCCDF Guidance Document introduces a new 'Rule' or `inspec control` that is not in the current profile's `controls` directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the [inspec_profile](#inspec-profile) (aliases xccdf-benchmark-to-inspec-stubs) tool. + +It also adjusts the `tags` and introduces a `ref` between the `impact` and `tags`. + +Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it updates the 'control metadata' using the information from the supplied XCCDF guidance document. This applies to 'matched controls' between the XCCDF Guidance Document and the InSpec profile. + +### Further InSpec Delta Information and Background + +- The original Delta branch can be found [here](https://github.com/mitre/saf/pull/485). +- Delta moves lines not labeled with 'desc' to the bottom, between tags and InSpec code. +- Whether the controls are formatted to be 80 lines or not, Delta exhibits the same behavior with the extra text. +- Parameterizing should be considered. From 2f32e13b8191edde8f1613b6fa6de3b45b3bfeef Mon Sep 17 00:00:00 2001 From: George M Dias Date: Mon, 2 Dec 2024 16:52:13 -0600 Subject: [PATCH 05/71] added use case definition Signed-off-by: George M Dias --- src/courses/delta/01.md | 4 ++-- src/courses/delta/02.md | 34 +++++++++++++++++++++++++--------- 2 files changed, 27 insertions(+), 11 deletions(-) diff --git a/src/courses/delta/01.md b/src/courses/delta/01.md index 19b406f69..530e4efde 100644 --- a/src/courses/delta/01.md +++ b/src/courses/delta/01.md @@ -1,8 +1,8 @@ --- order: 01 next: 02.md -title: InSpec Delta - Laying the Ground for a Clean Release Branch -shortTitle: Delta - Overview +title: InSpec Delta - Updating Profiles Baselines +shortTitle: Delta Process - Overview author: Daniel Medina, George Dias --- diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md index 9f49b13d1..9977011ad 100644 
--- a/src/courses/delta/02.md
+++ b/src/courses/delta/02.md
@@ -2,31 +2,47 @@ order: 02 previous: 01.md next: 03.md -title: InSpec Delta - Use Cases +title: InSpec Delta Process- Use Cases shortTitle: Delta - Use Cases author: Daniel Medina, George Dias --- ## Use Cases for Running Delta -Use Case 1 - Update to verify if control IDs were changed (run update controls) -Use Case 2 - Update control IDs and metadata (run update controls) -Use Case 3 - Update control IDs based on group ID (run update controls) -Use Case 4 - No mappings were found using update controls (run Delta with fuzzy matching) -Use Case 5 - Generate stubs for new controls found in XCCDF (run Delta w/o fuzzy matching) -Use Case 6 - Need detailed logging of process (run Delta w/o fuzzy matching) +[Use Case 1](#use-case-1) - Check and update control IDs based on new guidance (run update controls) +[Use Case 2](#use-case-2) - Update control IDs and metadata (run update controls) +[Use Case 3](#use-case-3) - Update control IDs based on group ID (run update controls) +[Use Case 4](#use-case-4) - No mappings were found using update controls (run Delta with fuzzy matching) +[Use Case 5](#use-case-5) - Generate stubs for new controls found in XCCDF (run Delta w/o fuzzy matching) +[Use Case 6](#use-case-6) - Need detailed logging of process (run Delta w/o fuzzy matching) ### Use Case 1 +Updated guidances sometimes modify the control identification (IDs) values of a given control. +To make these modification from baseline X to baseline Y the update controls process with the +provided XCCDF guidance. The process checks if the new guidance changes the control numbers +and updates them if necessary. ### Use Case 2 +Like Use Case 1 where the IDs are changed, the new controls identified in baseline Y may have +changed the control metadata (impact value, descriptions, etc). Running the update controls makes +use of baseline Y metadata and updates the control with the describe block (code) from baseline X. 
### Use Case 3 +If there is'nt any mapping between baseline X and Y using the default rule identification (rule Id) +for the control, it may be necessary to index the controls based on controls group identifications +(group Id). Running the update controls with the group Id may be required to provide a +mapping from baseline X to Y. ### Use Case 4 - -Running update controls may result in no controls being updated / no mappings were found from baseline X to baseline Y. This could be due to there being too many revisions / releases between the two baselines creating no way to map between them. In this case, we have no alternative but to use Delta with fuzzy matching. +Running update controls may result in no controls being updated / no mappings were found from +baseline X to baseline Y. This could be due to there being too many revisions / releases between +the two baselines creating no way to map between them. In this case, we have no alternative +but to use Delta with fuzzy matching. ### Use Case 5 +Most often the new guidances contain new controls that weren't previously defined, in this +case running the delta process generates the control stubs with all metadata, minus the +describe block (code) content. ### Use Case 6 From 6455e9cb9f744aa1f67079c281b69b16cc462b69 Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Tue, 3 Dec 2024 16:41:31 -0500 Subject: [PATCH 06/71] revise and expand --- src/courses/delta/01.md | 2 +- src/courses/delta/02.md | 32 ++-- src/courses/delta/03.md | 318 +++++++++++++++++++++++++++++++++++++++- src/courses/delta/04.md | 14 +- 4 files changed, 341 insertions(+), 25 deletions(-) diff --git a/src/courses/delta/01.md b/src/courses/delta/01.md index 530e4efde..543af9d7f 100644 --- a/src/courses/delta/01.md +++ b/src/courses/delta/01.md 
@@ -10,7 +10,7 @@ author: Daniel Medina, George Dias ### Overview -Inspec Delta is a SAF CLI functionality that automates and facilitates the process of changing inspec profile baselines. +Inspec Delta process is a SAF CLI functionality that automates and facilitates the process of changing inspec profile baselines. ::: note When referring to inspec profiles, there are distinctions: diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md index 9977011ad..b6d6d61ae 100644 --- a/src/courses/delta/02.md +++ b/src/courses/delta/02.md @@ -9,12 +9,13 @@ author: Daniel Medina, George Dias ## Use Cases for Running Delta +There are several use cases for conducting the delta process. + [Use Case 1](#use-case-1) - Check and update control IDs based on new guidance (run update controls) [Use Case 2](#use-case-2) - Update control IDs and metadata (run update controls) [Use Case 3](#use-case-3) - Update control IDs based on group ID (run update controls) [Use Case 4](#use-case-4) - No mappings were found using update controls (run Delta with fuzzy matching) [Use Case 5](#use-case-5) - Generate stubs for new controls found in XCCDF (run Delta w/o fuzzy matching) -[Use Case 6](#use-case-6) - Need detailed logging of process (run Delta w/o fuzzy matching) ### Use Case 1 Updated guidances sometimes modify the control identification (IDs) values of a given control. 
@@ -22,37 +23,48 @@ To make these modification from baseline X to baseline Y the update controls pro provided XCCDF guidance. The process checks if the new guidance changes the control numbers and updates them if necessary. +Process: Run `update_controls4delta` + ### Use Case 2 Like Use Case 1 where the IDs are changed, the new controls identified in baseline Y may have changed the control metadata (impact value, descriptions, etc). Running the update controls makes use of baseline Y metadata and updates the control with the describe block (code) from baseline X. +Process: Run `update_controls4delta` + ### Use Case 3 -If there is'nt any mapping between baseline X and Y using the default rule identification (rule Id) +If there isn't any mapping between baseline X and Y using the default rule identification (rule Id) for the control, it may be necessary to index the controls based on controls group identifications (group Id). Running the update controls with the group Id may be required to provide a mapping from baseline X to Y. +Process: Run `update_controls4delta` + ### Use Case 4 Running update controls may result in no controls being updated / no mappings were found from baseline X to baseline Y. This could be due to there being too many revisions / releases between the two baselines creating no way to map between them. In this case, we have no alternative but to use Delta with fuzzy matching. +Process: Run `delta` + ### Use Case 5 Most often the new guidances contain new controls that weren't previously defined, in this case running the delta process generates the control stubs with all metadata, minus the describe block (code) content. +Process: Run `delta` + ### Use Case 6 +The `delta` process is also capable of updating control metadata when the control IDs haven't been renamed. 
However, unlike `update_controls4delta`, the delta process will produce several artifacts: + +Process: Run `delta` + +#### Report Markdown File (.md) +Specified by the report flag (`-r`) -distinctions: -if baseline Y has new controls not present in baseline X (new / not found) -if baseline X has controls not present in baseline Y (skipped) +#### delta.json -Given a STIG specification and an inspec profile Delta can: -1. Apply revisions for minor releases to a STIG guidance - Generating new controls in a STIG guidance -2. Apply revisions and control renamings for major releases to a STIG guidance -3. Map equivalent controls between two different inspec profiles \ No newline at end of file +#### CLIProcessOutput.log +Outputted to the directory where the delta process is being executed. \ No newline at end of file diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md index 0bc2effa5..620ed4719 100644 --- a/src/courses/delta/03.md +++ b/src/courses/delta/03.md 
@@ -4,17 +4,323 @@ previous: 02.md next: 04.md title: InSpec Delta - 03 shortTitle: Delta - Overview 03 -authors: Daniel Medina and George Dias +author: Daniel Medina, George Dias --- -## InSpec Delta +## InSpec Delta Process -### Preparing the Profile Before Running Delta +### Preparing the Profile Before Running Delta Process -Before running Delta, it's beneficial to format the profile to match the format Delta will use. This minimizes changes to only those necessary based on the guidance update. Follow these steps: +Before performing delta process, it's beneficial to use a common format. Follow these steps: -1. **Run Rubocop:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list cookstyle`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `cookstyle -a ./controls` and any tests you have for your profile. +1. **Run Rubocop:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`. ```shell +AllCops: -``` \ No newline at end of file + NewCops: enable + + Exclude: + + - "libraries/**/*" + +Layout/LineLength: + + Max: 1500 + + AllowURI: true + + IgnoreCopDirectives: true + +Naming/FileName: + + Enabled: false + +Metrics/BlockLength: + + Max: 1000 + +Lint/ConstantDefinitionInBlock: + + Enabled: false + +# Required for Profiles as it can introduce profile errors + +Style/NumericPredicate: + + Enabled: false + +Style/WordArray: + + Description: "Use %w or %W for an array of words. 
(https://rubystyle.guide#percent-w)" + + Enabled: false + +Style/RedundantPercentQ: + + Enabled: true + +Style/NestedParenthesizedCalls: + + Enabled: false + +Style/TrailingCommaInHashLiteral: + + Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral" + + Enabled: true + + EnforcedStyleForMultiline: no_comma + +Style/TrailingCommaInArrayLiteral: + + Enabled: true + + EnforcedStyleForMultiline: no_comma + +Style/BlockDelimiters: + + Enabled: false + +Lint/AmbiguousBlockAssociation: + + Enabled: false + +Metrics/BlockNesting: + + Enabled: false + +Lint/ShadowingOuterLocalVariable: + + Enabled: false + +Style/FormatStringToken: + + Enabled: false + +Style/FrozenStringLiteralComment: + + Enabled: false + +# The following cops were added to RuboCop, but are not configured. + +# Please set Enabled to either `true` or `false` in your `.rubocop.yml` file. + +# For more information: https://docs.rubocop.org/rubocop/versioning.html + +Gemspec/DateAssignment: # new in 1.10 + + Enabled: true + +Gemspec/RequireMFA: # new in 1.23 + + Enabled: true + +Layout/LineEndStringConcatenationIndentation: # new in 1.18 + + Enabled: true + +Layout/SpaceBeforeBrackets: # new in 1.7 + + Enabled: true + +Lint/AmbiguousAssignment: # new in 1.7 + + Enabled: true + +Lint/AmbiguousOperatorPrecedence: # new in 1.21 + + Enabled: true + +Lint/AmbiguousRange: # new in 1.19 + + Enabled: true + +Lint/DeprecatedConstants: # new in 1.8 + + Enabled: true + +Lint/DuplicateBranch: # new in 1.3 + + Enabled: true + +Lint/DuplicateRegexpCharacterClassElement: # new in 1.1 + + Enabled: true + +Lint/EmptyBlock: # new in 1.1 + + Enabled: true + +Lint/EmptyClass: # new in 1.3 + + Enabled: true + +Lint/EmptyInPattern: # new in 1.16 + + Enabled: true + +Lint/IncompatibleIoSelectWithFiberScheduler: # new in 1.21 + + Enabled: true + +Lint/LambdaWithoutLiteralBlock: # new in 1.8 + + Enabled: true + +Lint/NoReturnInBeginEndBlocks: # new in 1.2 + + Enabled: true + 
+Lint/NumberedParameterAssignment: # new in 1.9 + + Enabled: true + +Lint/OrAssignmentToConstant: # new in 1.9 + + Enabled: true + +Lint/RedundantDirGlobSort: # new in 1.8 + + Enabled: true + +Lint/RequireRelativeSelfPath: # new in 1.22 + + Enabled: true + +Lint/SymbolConversion: # new in 1.9 + + Enabled: true + +Lint/ToEnumArguments: # new in 1.1 + + Enabled: true + +Lint/TripleQuotes: # new in 1.9 + + Enabled: true + +Lint/UnexpectedBlockArity: # new in 1.5 + + Enabled: true + +Lint/UnmodifiedReduceAccumulator: # new in 1.1 + + Enabled: true + +Lint/UselessRuby2Keywords: # new in 1.23 + + Enabled: true + +Naming/BlockForwarding: # new in 1.24 + + Enabled: true + +Security/IoMethods: # new in 1.22 + + Enabled: true + +Style/ArgumentsForwarding: # new in 1.1 + + Enabled: true + +Style/CollectionCompact: # new in 1.2 + + Enabled: true + +Style/DocumentDynamicEvalDefinition: # new in 1.1 + + Enabled: true + +Style/EndlessMethod: # new in 1.8 + + Enabled: true + +Style/FileRead: # new in 1.24 + + Enabled: true + +Style/FileWrite: # new in 1.24 + + Enabled: true + +Style/HashConversion: # new in 1.10 + + Enabled: true + +Style/HashExcept: # new in 1.7 + + Enabled: true + +Style/IfWithBooleanLiteralBranches: # new in 1.9 + + Enabled: true + +Style/InPatternThen: # new in 1.16 + + Enabled: true + +Style/MapToHash: # new in 1.24 + + Enabled: true + +Style/MultilineInPatternThen: # new in 1.16 + + Enabled: true + +Style/NegatedIfElseCondition: # new in 1.2 + + Enabled: true + +Style/NilLambda: # new in 1.3 + + Enabled: true + +Style/NumberedParameters: # new in 1.22 + + Enabled: true + +Style/NumberedParametersLimit: # new in 1.22 + + Enabled: true + +Style/OpenStructUse: # new in 1.23 + + Enabled: true + +Style/QuotedSymbols: # new in 1.16 + + Enabled: true + +Style/RedundantArgument: # new in 1.4 + + Enabled: true + +Style/RedundantSelfAssignmentBranch: # new in 1.19 + + Enabled: true + +Style/SelectByRegexp: # new in 1.22 + + Enabled: true + +Style/StringChars: # new in 
1.12 + + Enabled: true + +Style/SwapValues: # new in 1.1 + + Enabled: true +``` + + + + bundle exec rake [inspec or cinc-auditor]:check # validate the inspec profile + bundle exec rake lint # Run RuboCop + bundle exec rake lint:autocorrect # Autocorrect RuboCop offenses (only when it's safe) + bundle exec rake lint:autocorrect_all # Autocorrect RuboCop offenses (safe and unsafe) + bundle exec rake pre_commit_checks # pre-commit checks + +:::note +In the past, cookstyle format was used. However, support for cookstyle formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence rubocop is preferred. +::: \ No newline at end of file diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md index 065ba3f42..0bedb42a9 100644 --- a/src/courses/delta/04.md +++ b/src/courses/delta/04.md @@ -8,6 +8,10 @@ author: Aaron Lippold ## Prepair Your Environment +Summary / conclusion of the process + +Additional technical details + - **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file. - **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command. 
@@ -29,15 +33,9 @@ For more information on these commands, refer to the following documentation: - [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options) - [saf generate delta](https://saf-cli.mitre.org/#delta) -## Scope of Changes by Delta - -Delta focuses on specific modifications migrating the changes from the XCCDF Benchmark Rules to the Profiles controls, and updating the 'metadata' of each of thosin the `control ID`, `title`, `default desc`, `check text`, and `fix text`, between the XCCDF Benchmark Rules and the Profile Controls. - -If the XCCDF Guidance Document introduces a new 'Rule' or `inspec control` that is not in the current profile's `controls` directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the [inspec_profile](#inspec-profile) (aliases xccdf-benchmark-to-inspec-stubs) tool. - -It also adjusts the `tags` and introduces a `ref` between the `impact` and `tags`. +### Scope of Changes by Delta -Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it updates the 'control metadata' using the information from the supplied XCCDF guidance document. This applies to 'matched controls' between the XCCDF Guidance Document and the InSpec profile. +Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it replaces the 'control metadata' using the content from the supplied XCCDF guidance document. This applies to controls that map from baseline X to baseline Y. ### Further InSpec Delta Information and Background From a9b790ff0fd7d562b870b5b4092a85a3256fd542 Mon Sep 17 00:00:00 2001 
From: Daniel Medina Date: Wed, 4 Dec 2024 09:49:12 -0500 Subject: [PATCH 07/71] additional --- src/assets/img/delta_diagram.png | Bin 0 -> 101284 bytes .../img/update_controls4Delta_diagram.png | Bin 0 -> 74464 bytes src/courses/delta/01.md | 5 + src/courses/delta/02.md | 2 + src/courses/delta/03.md | 322 +---------------- src/courses/delta/04.md | 331 ++++++++++++++++-- src/courses/delta/05.md | 25 ++ 7 files changed, 346 insertions(+), 339 deletions(-) create mode 100644 src/assets/img/delta_diagram.png create mode 100644 src/assets/img/update_controls4Delta_diagram.png create mode 100644 src/courses/delta/05.md 
diff --git a/src/assets/img/delta_diagram.png b/src/assets/img/delta_diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..f97ed4c1b6b21c037241b6955f6c2b14b860024c GIT binary patch literal 101284 zcmeFa2YeLO`aevSrcx9T0YM~m!tTsg`u5)YQo?NSv%LWUyiyb_^aK>7NfRQy7q1kB z0Mf+Jf|MYk1PBR)`ku+|hNY-@f8MM9U-^XHoik@neV*@A&U4PZFBNlMssCpEYSpT} z!s9aK)vDDj1^)?kUjiw&8~gLXSM`9LL$9`cf2&K?s*RcwWNCx$sKxFwSIdAIiC-BI z&V~kp889;gf>5|8_kBHOem8G(iDgV@!Qj? z!-@!-{Q*1ZTxC~N1!Fe?M#N=KB;ylZH=ur#*`G)P{e?1MRtAm+vSNQQ!(>OSe#8wf zJP2r1Wq~HMD+mS%E6;99BteNJ*jLr$QH7j%zI&MuPbL~s zj|a^D6B!Y|ADiUL{v|81psr-^k_lcwCQszR5){vjD3+?Rn}W7vUOX<@KI{h9Y`5By zRa1z`8wSMawEEGICt05d^?>=udhSM2#U!%^YzUynM9Gy&>C=@M;nX<$Q4~~^Hk;|U zQ<>aRhS`NpLu!O$2DeAcl0hss&C6y+NOG!P+&x)2pt3)xz^W1TS25lnUa`UIiki(Z z&E?K=6S5Fd#LIAYhp35x4FqE;MlhSeEG92ef6#_nQ4iu`Jx--pPK_Cx9E|lJ=Mkc) z7bN0AqQe{v#*!q7gn}qYvIX6)|sF~y!YgImsWM70xK%OMw{d!w4 z=zbCUO!hO3xI)P$W!F6+0vjJPGS0=!UNA`b~xG0H2V7cAsf(gu%Qm7A=|GZ;QtWVUWCX}q(<}m z5ezj`#NkElo*+Pq7bDd~DXFsDQ7QH`C@o2|FfJ*=k~E7aB`5y3fj7P6UoJmY-v6z9 z7-+lf#6Y~r&{bv!nqf+m{Q5J=+?Ar?w{pIi1W6KJngpSnJw}@w@dG^;7xJ2rAW$un zSZ}h2Q_?^Jo&Xs-q23@+xDgl7>8s>HTDAmPr?Dm)3cBnbGowls#n2H$;55{PV2BNR z2h)KDZn6V;kh+(I@TcGxW>ZKI0c1}=`%{@sNWfO5!lYnWh=~X(8n9!H2dJNbFhv5(loE*U zDCn}+mWf0HgiOqe%L>E-K{M8dN~xCC-3fFe@}9yO@H889c=1mGImtBOr~4{|E8~5Qjge z1#^f4)-DWq5?t!A%hUxEgT=>J*dSw9zi+yKQ{zrf&|gq4VL1NVRvF0ihbr93@koP9 zy9Z-%0ELbK=2ZcB3P&;ZF%WVC5Czik7j$2{yV9zD79Wx~m;iY}Ikdzj#P)iuz>{KE z(2sEBN-6g zY5^ZMk2@;EeuNwfuUk#k668$Os&m9VDyl`{6Zs{e)9kQ6PQ)IeQ&^6eE}*msJw&P; zCkMBHOlQYE9@K$~0k5;cpH@m$>O*cS8sjjnS}Rj!4sq$~I2BSzFb|K6WGAZvK-|!s zMh*CMKrFv4#M4;We62s~2I)@znLI`&iC=aPcO@?faof44KBC_kuwzb z%1m~e&VjI0F0+;%HgdoSvBgYXz`zU=n06uR;7Vj9rc$op%Df)D5#{16a!4kY1qoU> zCQ?UP-5viX4lw9g~%6i(xn(Zilj0#65t5kL7ZM{WY81@ zzQiI^1reXZZ)KUyF?-zPiV|6D0#6-8R8$t5Dc0!SE;d!bL|77;Rml%&X-pc68`E-~ zbc5By_xXc>$mu*KPQqen=^n9D67_kAc8*d-gcNjvFobvG^lBDCt~BCY7NaO&)$v6! 
z1(nJJWUeH6A%sey$i!?0lj^lgG(L;l7@!(FTpY*lV(Ya&uL3V{Sm;)cO&N6fTtP|z z0cSjyB#Njs!LZzFrqL)OchIRfu|P&K+bOdetq4&9 z2O?gOpmSSgOjevhk9t{bR$LVfnWQ*Yz#`FT@LqD%5{_|Tm`!(!MRF0y4%|BQu+tqQ zM`1ZrA&jGBf;l3?xJoJV2B>m_$6~XD!(^-o9l@h@^DvHyay(+PmZ(+& zgkkgbSV1&1!DV&IwR$;r>BN(GEGdJcS9{{T5MC`6+v8NNCI+hojEKtZgE=6RA%gNf zzPOSP-07%=;*%=$uCPR74S2;4cYxrF`DHk*TFjx!bRf3_?~!4EO!E=-F$)uM*c48w z1o)dEHcz3z8pYG;sKzMBN`S&NMv%-DQ4H)b$0ZgLaBQK2=Rrjg1=XYR$6PKa$?6VE zamt_-9}Ia}GC5IajI((mn+f)^oI;Y97-R&fKp@}{hcv)*(IJMDE!E0QT&${~QV4v7 zpkkwuidQQ=OrBHdB@n5?7;FxUaY$I|BReqpi@~qJAi{-2A@BZxCuhsBpQn+u`;w_6y-TM0eu)) zBT}7DA@xe)2Ajpr@=0JjgQ}9@q+}DM;JD*nGA27CG&_UoMRjVIDI5ZD%r?kvKEB%- zWcalriA-k{dMJ3X_CVxG)FD5~i;}1sp#QJ~h{G-P>)lqKp6H~LXkvDd9ajKGWea5% z9^YX%>SUIXSIU>0ZJ2_fQ$ZoG&ZX4ACNGIhwU}6nh{KEqkwCzOnyFE45Dk#Y9=406 z2AULIFJQT3(Wnc-Bf5}F7qB@{hkzs1gtdBO0C+Ez7~3Iavj|W(TdK0z!@M|KAu{U2 zpkR>12W9w3zNjb8j5&;c1>Pa#NBmm3C9Jgr6&tlEWGXW4u*yf%+1&z!Zk6LDZZ6##H+iTrKPduPyhX@o(HWzZhN*^F3I#=w`Ic#Rs0A#S)5y!*W?4Ukx zT&Ja)bOA(SFxv$*e-MlcfUZak;&{nQGQ%s^M6gEraCjSE>x#zNP7WAoI-cOeaKR;~ z1|)8llV0SaDb5DVS0cu0p3AiTmPL_IDtj?W^-)m|y0#`~l| z+$*(+!z5z}xg4ijY~z{~z)8)fv8j5tU#Yc&>7rU`T)Ds<#S7sekoqnXMkZW8PGIBG znQ9q?lX9b84kR@oP{_p5hCDj0$K+L5TwaG&6pwK|s6ma7tGqO~*hrH3g;6(`jc3RG zLAgMKs&HY1;nP!sVj?8^Mj#p^{6sAeW7iwKR zri-W(kX`tQiV~EmT`mFH2l6O|7Af8(MsQx6*d4dh;uM{d?Nn2R4jj$wh9Nx(M~cVP zVYW%b^AW9azn_L8c08HSbjVG9nTk&I`20XY4jOnkS&X7G8Cf_MNg9bUK)dMD7(o!k zRqBLM5?27}C4P-cujlc3LYo|C(<54pyB)%)Osj_ZAwCp9oopt>Q~3nqi@?q>LbFBX zYKDY_aKbzr5MOKoizEw36&jqz$9FIzad9lFr$An@AsQ4a5iym5)7rFJ8)^~S@oXf- zH*u|a0nOlZ5~FluJmm0ktZ`I~GwB%+fuNzIW>&gk_0|P!VeJTDh|i()iS(nB4X5lbxxS#7pmk!uRdm_+K5qW)aQ0lsUnmC zYZwT}CnVyT5m-$NNDL~RL>QNQ@HnW2#p=1`)Crq9H(M%aL?bxFMq{B?#L9Iul$h2X(lBj4x-$mk8l5GV z0&X^nWfHfOj^G)Hkz=qiKqiF<6dcj$fi~|In%!IyO~ww!V^#_d(;ei}5JZVa1X#uP z7#}ff*nSP)MG{4D0jkVwB@iRJsFFqGqD&c;g7Fg~Cem#TIfWzkD)b?Sf$PMJg+aa1 zBV)w*8nGy5gF_LN!HN+GUMVi@_lt1uFy9lU5I7+cR~+P6b!LM~?GdW^K@!fX5!jsu z0wd}W%QZ0D4_005S|=*yv1p-y(Ho71@gh81Cr~kEgrLsgH?c&_I3;3=Q?YrB*`ye< 
z#DIcMb$IDAqc9-gYuz@TUhA>i%pRAM;Bt%jG76W)3-aRvhMz!jaUCJDg$73qridHi zT8ROfUSmi6dK+0Fq^qd!cTjBBeI4&!X;o{*#a!MeMbMQSL4qcANY#|pN z#|SH6nvvpiNabP{BsXe|Mx7eioI!>?D)!QWp2_C0V71&$buz(|Q6*4%sC=qH8)eF| zNpnR75*bq(4Mu~ah+2+|`6(fvT^;7gxCq;&QJRE!$ckD`N`^m>uypf`!t0J&g zt^uoW79c6SCKG9H-rgZE>~m%dapSENie;Ms*S$oZ7f|#Z=+}laUqZ%h?+u`#e)V1E=U955mj*6Vgx7}R+SxL z1@W*us3)1^PAU)PnBzd)QGoH|j}d^sf*wbhRJBjWn2v{ zNHh9Hc(vc7_Xa{9wG8tipl+jBLSbQchcWE%5E+ulliR_xsPRgp+@uCRbsC5~3E6Zit-@xFQ6R)4 z^n1L129s~40)rSIG!p2vD6l0susG@Hz!E091LL`O`&*G}>R-zKe;$p0% zb~?g*dlaZhbShaKw2;_hx5mn|MPg>2#D<1UCW!Udib*IanNGE_#9W3oOadMjBaO-<(5Pylo}eV1NMPd;R8qt!bCTEy?2gNPQkR<* zin9f-5RED`(WAPsEkI@a5i05k2c;2BI1~{xZ8)!oXO<{}bW_|#Vg-E`4%gvTgoNra zljHWw)hKM1*y6xwu@Zz5Ukuc*;KhYxIm*={C=pZtAg?|W#WCm*R}>SlUDQA{6qcy` zVRMkG#;}KpmnoS}Hdh|fN<2b=Kpmu08GgKxEbvIVmWaVewtHchOlD%oBSHk@HJ&r5 z7ixuOFO?~@A=a>k9)}`4h)*$ci9`~}pdjGsG(Sly30n**lRN?m#BvI#i_Jz5n_7aG zg+pQ~LlZ(Jc2q*7vm#WAT_yJ51sa^pCc}yFfsi^JruiZ^gcO#!flHDacA-40hvcFX z@nNACB4Iu!pA8|)rA|8zAEQ?)x<!A|w;VQa%l0_>4fEG)W8^X2cXBZ~}gr zf#yfmd?|!Pn6NHF;joEpiVb0CjdGRB6ofHzAR>}W4F+n279mj?LW`3eCvbhiI3?x} zaa4SBjG!<$nGQNhPePb52lg0f8m<;KRXQ!e<3wvX9Op}&QJIPr)~kUhi()nj5f4zu zaV)z{W`p%qF;${tKru!LG@fmV#UxI>&j&n;24G;C%y>yqXQn`5K5X@fQ7r&=vR@HZ z;4lz(k|V(Ej%k2JXR}f$rnp2*!BEk__Gw%~F+C!Ibv6NDU&H_$6D~2%#uYlX+7MAd zh4sMmqapy0S^zxYq((>_y$T=;oyrB00+w^-7QN3cU_?~}r-RDC!4Z#H;Neq%iiPzJ zmCy+$D2Ca;ZW5m)_P9LWs1&9^Ml+pC7lthaJdY2nfFJ{5J~e0+*t9eji>ZXId>t&w-QR_*Nx@i<%`; zl?KRtRL&(hr7}V!iidz^Ce%WZm5sWIG^fq1X2oN6krOg9aw^0K|J-{utBu-_~88jass)R8rlgwt3fyoD) zC|Zpc^-J{(8L%l#n73BW7Ax3X7T4$}2kmm4-Y=lZ8F)Die3Wd9&K44~f<{)5MdgZ} zQWjWeGD_tXw$!61TU{0#tPn^Id<&1`rAx$i$Pi~Jq#>Oa;=-uX5@pZ@d<~6HK_F0% z8F>7)TCLd`HJKT7kHu;ay2Nq_WuPFpPn%2Nyc&tLw3W|cpc{h4@x zCs){?Uh)5ZOR!iae^68x0bdy!4aOSS@s$z1ByyrLX>0C8Vj?Mh%{`U&*I9E1z=3t+ zPg`>*|Cx*KcmUs6@Bf0U?!O*%lpbdVGybd5U_=VQg)~b4qocuySYQ6{<^Rp1!BUi$ z7T*9OwLruy@EYNyeiREy0(#z4toct&*Z*H)x`?Tr8%g={cZlhFZX7K>DPYnF{TZ^x zcBXiNI*}f3_(Tx-Q;~*GMwVm2SdaAtEPy;w!G9cy2jP@`w6N- 
zOsgVlNvWvsga$aidC1ObbDPu>IyTd;dlUBvFWussUTY?#O(;M`zM5nH5A z1c`M=4GysS3IMb!R5sDJ)Ygfoa5WVbifzcM+!FD$rkSL#MCd2LZkQfK48RdqxpxXo zZsj#M6~2$hVq`&vv>?*ThCi{jp;C8#cJl;?YGYUa14Ur1c+P%_|GL(l&WE5qVDXJ& zdG4+Yl96IISg@9YeHw~nEN*gh(u*=-3LpLe?L3{E2v8;guoRT~NHpgO-Xh{NacTdO z4fzXk8gOSl#c9bcK|GHFghD3OghZw^1wKX1ZqyXQ0PNYQ>LfWQcl=Z`+i%)rZoA1; zS=uiUZYpH_52D$s>YgG-Gu}irlR>ARj6nxvN+pqDgaq#V36z)IIYERnVLTZ}PJJX= zk^+6O*A`Er5~z40L?l2knUJ`hMzsL^GKqKy4;-b5k3^0qsFspRA;BbkRZ)p7e<7+( zb}LOjB&k-*U@(DW;TN#?A8N&R=K=2+^n9`V2jb+5P%9n>WrCg76g*5MQeg6~B&_Nra?!FCCY*b_=F_8Cc61 z2+kx^a0E)~BS{ZQ%!UcXOd$7!7P3jCOdLce5Xdl*K*bTL z$t=%<>=!XHFnO}9-lq76#93c58O-YOi(up^z)1-8x zq!Rx$b62STn^J)FwpU9io&sMo3o=DFi zV*Yn8I4J;)Jy`N0znWJN5;V<0sxvPNc?}g-|hJ_J-KM`1f60wG4MZtISm5sl{CQLk6Q578zmMu+aG(#43V|?A0+~Xh5b;SOOCkGTfb5e3Fpcc1 zeBV#eY~UZA%anrRUnkpNV%}e7_ZKDfKi=^8b)Aa<9L7 zCQ#nU6c{3sAS#{=2rFH`N#}wWQE7gk(v{M%(l|Gj^#88Xm0TuF{28d;AkCGlyKxMKSnr7aAHAqBO)4vC$A&(a1(QbBU-ZztXAZg}!Z3Ei zF*fWee?KL8o${6>B15H#1M;wpzb%myrefmrza5(iIsgJ_pXfo#;s5&@nriNI$LQ%Q zh)Lb*_f_%NjnI7VVPww+Ux>lpk>{|e5If=yI5N|Ys!MrHtB#KQ#U+EvRk<|Z|C8R& zsu=rU@Z+;cV9Vk29P`iR&J^T4Z6f~h@oqS9oH#Yc&VU5Wl@TZqP75xLAmRdS{Q+S% zz+?R6ZCz@yKkcmN5axmd*(^yia-rbJsZ>6ol&58VhPWOd?T^K$JdaS)hz&6WP**5u zrumJjlb69m$m6TZb^a&L`NzohDN_3bLw5ggQiGo&HJFmrlG8}7>h&t=v{se)*CDnS zSb%%soi@O&Sry!$81&zc`}u{*`Qzo%)4OR>*XeVXf{Z8T?5_t9&)ElJa;<;O_;t&pgXv&o!D-4E_g5+P@>KJnP_R13FEN zU7FEcr6K*Z{RPDPVH*nm+r*UA-N9?%s7dLWRNPW{n@(*YFo&4b@zb$6wIlMcBTg~3 z{3*@+@8^$6$(O&mL*~DF!U2@h6;d`Q<_yPX{`dK}f6;~hbom50$tAz9{J*a2<+=C* zC7C?U_wu`JA7J?4Qijg+!wvp1WxzSgV3d;ZOCUe%qx>6NGvGx-l}wmMKPi3m7d2zB zr3rfj9To-ew;DPD1_tN+VUEtqFA#o(#bjY|McpmQ*U({E)m3kz0~dy>*V%P{sx%O+ zlPDNju9+mHR!WNO9i~>$Z62H(3o2sasU2UY5S4kS9%Cwi%KHvUr6mqt|$K8(cMA-_2jdmAb6DgvZ_?mOE4 zG`5BbNq=pMt)JsqO4%t-urb&w{Z!n@pYM8xl6`s11knG$eECn`rdIi!)aUTE+qHF z0u;jDA*`%?HzEb&{6s?Ph>^!Bsr`VJulh~lgE3^N+>M)f<9g)*J0`myY;R7yH4;oM zcG6DefjB7*0$X}WL$Ali07f~W+{8=Fv5Wt~D~r?dFR5MqKH|j&`H9us|6DmqS+7YD z!>1Ph)3gyPm6%CR#^hcXNtR@FMId_M2DUHQ5oc 
z@(EtlS^3`i++G)O)nvmn_4g-lzOkoN-gDlRuETR$KFIz~;vc$h><-bk3B%tyuxHXk#u#Ut zKD`#rp1*Lx=v#r4EfwcCI+uTPoVaxN=sKUJ*Vy*;>N|R$t6Af%jzcoOJk{)kXB|5F z}=r43@EapM44w;TBSnEvM(1do*(nr-~^*sb8y6>EcG_VM0d@wPA2pyTYaS2CYQS73GZczcXJuuA=-+GJz+hI`Uta`P_^xreB`M``p%hM*yu5|^e=AIKYyY4%Nqn(=G{1aIuYH4CPq8*D zom0MecRM(5{E!Dz9yJO zA+OYGduC)c!|Ce1m(U->X#1wscMOw{ZeV;ng{f6Q)NWjiT|K>|O0sYJUEQ`tle-Pc zY48jj_s@r4N@I=WPaYd^h^hKF1M4#RLmrL#mme+Jws+<15%rX+k|Ai^caA%={*;E1 z?>~(&YRN*cSYI8O$Df`-ZQ=HJL5;_=d4*5J{8}vioiV1#a6SyZq3f!DrADJRx$U>_M;ST@rfnr9zIj?e$-z1K?lL9}p1*XyrVa8DfD zyR_wX{JFvpa;0^xV+-<<2=HdvD@V*D0;R)MnI}CUzoa1)8CIRZRs~Q6RcTWce+eX*~4@$JRO4~d#2yfoEm4_vU3^q8U#8B!zuB)^z5%fCsjqy2As)zDw6FBT8*?}~@yq=Z zT^`xG#<*CoDV=JLYTy3z!v0HUDju-)k#BNt4BqH6x4rk}_}i7TVAIBfU&MpS4 zGY5VD)z({Wpx(zA)wZ}pj8i3T7&QxmtJagt2QBckmVE}`|I4Yz(4RvyRhE;{nx4%S zr`J8|pE;-Xl0oK~vMDFZ1Vp?Ha&7ims=lGwHSHr=l%k?OoCN>(*IE ze$Kfa*PEw;Nh}quszB!r+On}Q_u`z96*LA8{|La6zuxerVX~*-3-gVA@6sQ*clQ{S zf7w7=Ht_o8HSsdXr5{(!yLI`Pq-W&X6(0HHHvKY(-zz`rYDx9apTBV7&_m*FZ<;yz z1E%61ezEXCP6lipzM#+M!)=N#ZR=6Wet79QF>LtJPe7+w8&Bu?wyH=yPt84Z3_mt2!5}lL8D=%EQGIrkuV&^RLl>#a zb%XA{V%O^%i)@z#;t$Dt0M>8p`~&*KvR9XlpPF-Q`p)7y+R+X&K=-ya7xnA^)w$`J zMP*}a9Beh^!r`Ar59rL@{!z}l;}&DH(jw}vc}z zBP%{}?fl+9PSS){<#x-B4Ql_!&SCe$ZhvwqO#rt`A;i*lLW6*_Sd2Z>y>NIpbdT@GZ32z?z zL(}oqc6r|5K3CzR?CF_<{6`fn!hJ6H&Awj%x0)3%?%V=5r2q2SIV#KPJ+JmLwz;yY zc7tZzz0BjH=T^|L;u@lAK%IMQJ&H?qle||^NBHZgW4mSR(bXKg- zIrCugtjkA!E|bW-Hp z?XQok>KI$VrH-Sc25pmHA`I<{--diM<`aWBeI(eu9V3m6#)Mh)>_=KdfoGHf9@H1biuY0eczbt zEm_IfbcP!H=~72#>vyMP8tC_4-Kz0xG^G^}K49jz)crj4%+yY^ zDL%|7Xj5a+mdkUX(s(a*Zm{d=IpS61<2Uwn&EuAw-cnO=M>SwvY}>~}?kA0$`ELP< zTD-H>$C%D>{_RHZ=aB24a~xe#d*uzr*jJ}^oIOmwcS_6KJ5QW~^GbZ0y=RsUo(wds z!wV%1yZuByK1co9gg5Z*uFQ%-rS}`96b`NhNK4a4Z>?nj@KWP_DSNGv1{ARV>=!UL8V@rXIa&!TcvjyX5p)TSE*fG2(+qwgExxObhhM^jY=m}RaaF}|4G1_>Zsd}YmV{H z=6Y{PCTWIWUie+hLQ&y{fEB-W+m`GHcjxxqbp78AE_^?S0cGEh+D~moaZM=>~brN7byuUvzu-Qqs|(XU8||-UW!3sTl5+sh1Dz z{K}hzPbN%wxkW0jH)ORalLHmRMvnst@aA0E2p 
zi8)XIJo3gx%@!@cdDpI`>Jg3aTq)|XPH@R^p`G7*?sVv8S&!MZi%D$1@E4-P$7O|`tM?nSy;|(=Cc{{Ra zlH9A;I*%-xb9BJQ;9}vd-nx4wqM0Q7gUHX{)7~0>OD4+ipS5=I&nixp!)g>QuLP880ihbgyukrJ~8y^Zy!L zI{#=ORHJ*yk)3y>OO|9z_VFIq3wC&B^RLz~d#Cv7%%fS~Zokyf zx3XRQaH!?mmW7+!kI$aDbhvt%t9$I;!+txmceK8{`rXVT)ei%kpY5`DS!S=?ie}yQ zwi>4fs_WhV>6@_^o0P_P72X+yYrMQcws~y4?&srUW$QA3_;C1O|92T1-s*jaFmP6I ze8uRBos(<6HV>oLJD4p}hqj}3T}sCGeI)XUIlDgD`tsl&^Tx;fz;AVd+c@$4hTjbW zX*0gV834MA%~w@zfLS@B(Zt-`&R`Jh_wFs#4PAbx@sMmJ`~5=Oyp9;-E(X@lZ2gU0 z0|2mmb@}^n#coa?)4q?U9*^w&;PvU-2F7m}n2R56+Mjov$#34hW9bj~SLAO!w&uYF zKv642x6WUB4MMKft++mRU5${(b!+;ny;p8OTs~agd)fSx$LEh14yKT#U&OAeZ=M&u zGv5^Nd}4U_Q+Jm2zQ4cqsGG0AJ$i1+KmC>H^HZ$POqbYe^0WV?&YWj!5xap-Za3IH z=~qItxubL+cPxqAyibK`e~^A z`>(ip*ED@PjBsYpUgkKEeRt8Y4QF2)VBR;nSncTa+O>z%mu+nD!$Z#95kG#T)-9!% z+{$@J1?_)->(I3eg1O7vd^vZ|%G;X| z+w#0NGmh(~x$pMt8$f(OMrhKBYG-}yn)1(tm?4Ev8?E{F_YyyeD_ z>QTPkLkDeM3KKevfjUtVyMA^ku!aMJ-x1;^J$Zbe(8OA)hGM#n#NPAY@PbaZ}6A zMa}OG%gws7YHs^VxCL2jHX1o{+o1Fu$DBXnJ}X-3Iku#?x!rg9S-Nc> zzPzFA<31JY)=P$$zV@gWbU-uFQgpHJ3ex<3#i3Y4Y%}V{%)EO3;dehTeJQ_WvBZ z;ozYq56jl>95(gP(eoR}kewGUD;=G>7Z04g^xBsf4x4v>-Tk<=P510xUy&azDfN6p zTQ{M8!GR-a*5qRsx4zNoaK*|x^QEKc^7YagCr{shI50Hg)Y^et2Sm!72F8=SO=&t{ zTCJ^^9`e)Bh|t!$Q{mkGYvc>h#*P;*>tV~=lKF9i8jZf6XSL_7eARBA*SK_D)(?Z~ zH}BMqRe!-nYOu$;oUFE8*LDlFEy|nNvuR6P*@=Na(z;CDBRsA(Qfi$Qf!aRJv1Y%2 zJ7<2SEtn0+`*t9Bn*B#)@~>$FZg6v>xPw(aN~RLj@L2D+}aToHGG_}QH>4tysP%@BWAu$-1>qs9)T9}G zN*`sP@7P(tUi;(LT_Ya6yLr>kW&JmB8*U$Zf7itecN_G2@9J1g_}XgZ_h?sC^LkF! 
zouic^yMH%8jz-?(wQWDCRqLbAdUufw^Oh6toa^}Uo*AvX&TCd$O!Teka^!Gvmik_o zOGoaX9$0JF{fjMhn@TlTS7oj1{#uBlUTt{z?vm-;hxaQMXeXY9ZmnHa=gy^Ln~7Q9 zj_oHr^zdZ%kX2WDuI_Vv(0s$gPgfEb2v^+HKNx(hykV;`(`(Jy$*kM{(`tYm8|Ccm zT`KtZ*iJ8DExQh!K%4Xa{XX2NuH=mO2igYv`HX3`OB@9Q-qfJYR!(gG@WFi7iEW)F zx!lum;d(v1;qnKk-@aGj-}!QdtKeR2&lF*g4EQ1HTYjM5U`WRveq)MxXphLOCM#!u zR%hLJ0l3YoZt%_W@BFf|qMzo-Yt(4;eO=tP^KaG7?{Objsk&?z0X2bq=@6+_Z*JQo zv(z1n*zJlwyERW;bJ+1?TXQ0ZQt(hTzg{uD?E>)lj}6JC!8Ii;&W^F zv}~a2q|-%~2fXLk+P+JFB1x0hh*q)?Xu;Z}V!yN0h!Kf0-WZ}~U7%_rs<{hcn) zFW<7U{`mtPFO9Cxz0hQ5`&CN(V*Qdu1E=WNOQv+`(!$OH9DaXNzpSl4w%`bsHyM&$ zQL{(s_@#^wcVSxf{PuuZ`D0oyeEXA`+s~C0b}d|XFRy&gp0y1(hNj#vJd!zzt|8mH z0^pz6xxwz*eOn&A(Apl{zo79P<}&h5OHJbMr+Yi%@EG4w?9 z`GrFxK#_?1n#X?LNNZeX99+Cqd>~K%#TemW9O--UwwAM|9+)<~kv3PlSoy`~V*wBI zfs{fS^=Ye#lM4#`Z7ZXM1ZbwK&jrts*yjdeHo756ZmxmBlTXxHf*qZUngaG#jvn628s zsLSMQGc%68(yyPi=%Z#0_w*TYciXtTve9|*<;%~1Ti`->TTaav?;LY8f5ObGqpuYOOtN&B`_BuimqAPBv_Mvk4`4IGa?`uU$X)iLT>GSEo(wRWA79(v_Ug z<+=Cr<*Wtfef&eWT4h`j@DKjG_UM7bh1WM8s$1HibbQyEJ7VC%i>VXD_PyIeQ%UAuqqRQ86u%au!( ztYs1pISalhshL|*KckBvKGCq!cK{t_DOPRlzqZZEZeu@c^L<~%)=sn6&wb~U;TEb9w(!?@rQf+!#KT9sgySrlA{SH}qCpv8U$ds`I$~ZeywY2S^9(^@?e+ zZf?Ij3h*;~$o*qIzTGr_@VZm8jyHTn-#vmo^`~{Gcpo%78E7xq)kB}rfP8Jj08-yK zir=j${VvuNI)BjJShBikCmp&Z^`yv+2UPnzD?Xa<&%3ek4+cs z?>zSN+jQxqZ(k~!-oAdbFA|pC&`NEjzrXSN%Vn3%|3XTJw*R4F$*nI2>Q|ZDt2#Mp z{l6<;R_7x}i;CJU!|_S7EjJgOe^^v@{@;7d^ZP%%KWla4d7FU@-#HZjbvsN7HmWNg zncsU}O)$n?YV6V!t=Y6_a_^Hxmp(5?3)ay#PIweJbMIbWamRJ!ZT%MCFPpKVc*os7 zyH}cSo-I6IxRkWFMcF7$-Y(UiZy)SCFnQwzf&b7Jj`2KkRZiCCW{t0aK?RD96d1=7 z8UiP$z3!*Ihqs#>`MyoBn9>tn;oH7#lfHb~rsY3RCOnKE{QjMe;_vS5J+^oC?Cj}^ z0_$9otov9^$plGPZGZm4=F`ry>f7Cm71wXK>G$?-v1RXKxZvz9-PcXmbg>Jr!2*9Z z!;!D~6FTI-U0C6ruJ)^wr84+dS&PjdrqoW?O3tWZyQpc>&o5ib$vdy z*MRa#oARQaY)f}b-kN+l%k}!5tw0j^Wos<7y_#-QJ0HvX@#{HLA1+(|UfIQ^4w!)cs<%JI8+q~bzR0|^GUy?7Xb}@t5lrSB5p4PvdQ&h?G+t-1i+WJcOk7(Pe zqrTDAG2cJ-jk!p2_)~Hby+LGkRC=xA@S}oerD5TsPi3kB8xNemyLt86R+KIy9^J1~ z5Wb$%ddh}9=U+7dCZ^gH{b^+t`W*Q$??d2K{# 
zvx1Eyj5|W-RC9J8{aCQua(m2`{p;(HnrwQhu%}*sbX(s^UADeS7I9Ot0GUIJgde^9 zsN?`Nv~1eA2TH@n0f#ppTCK1BT{o4o{`m$OKb4a5!WWim&MftJkS8NYkf`FuX-`<&|cUkj=sy$FL&NwK` zndD^7R8LeGJ{;jH96xyMEN2Is1Py0()Hu2hd`1-VrjvZuipPV*MqLbBi{RxdF8Ke9sY8#ZitvbZ#=D3d>TL$K` z5))L0G+S6V{lAv5H{xUA#RCWV&=XR^0VzW)?;9wKl^d(YkG_Z2cFGQum+J{aLT#mr z<#EDmc|NB-apKaWCXR}mVwYLFXh1CK?bf>)r2gaHmKuYYtHY4vW~2FbmIdr0e<_Qr z;L_tG(y4-2J$NNRCOc|Fx?M-dqo1n17vRDhYt#hYmE5&JBk;37HT z`B)?Goc1-l@oIg~ORvE_JZte-q(XHX1E(ve-d1y!GNP65QVMr;cC2}QV>z;%0pc)S zcAzi8lFaAcsBWjY($%pdD6o`By*WQ>TPas|u|r#x8hSl0mA$)%gHh*BY6q1lG?`~a zR5X2Oo`yTp>31&bcU8cq z`O&o#AI-uBoPW&KdFJU$grVQNp$!e*sp^Q3o^a->dKTU9_Ln||#rJk;FbIom!BgjU z>vk?AbLmund~N4g7)zi_yZrzzc06a#FMRhoI&S{D`+`^HB%emmUtc_ zz_OQK(;tmPZFfdk*>{fH#9IldtT$`%hKXQJI>C6S-PQbqjiFJdxFTVW6s3mWt>hg{`hwdZwz>< zN(~K4LLAF&#~miD+2TE%Bd3i0IT~)3RH@Pj=jNoimXI*4dy&VJ&xVt%Uv-YO3>oh1 zF8P_5?JN~k#+GmqNTu5fKJ*~Iw2240uHO3WT~({Yr5kCy731{^u$lhCXF@gglcJhT z?fnNC?CM<;1NBi7ie)xmbPuox#@`+R$ZG)?4`lgc2H5Jfv%onJkjR1FG9xXYifp3@ zQN5w4Y)bNmQe*1NYvoX<&cUs4?=SQqd7{xP-hnp`&!Q7}w>eFG;;T+ouJ-ZMV!O}j zm6}HsIHc`lG`KC#-mS63Bv+3X2>O3|vw!~p>m^?f>aI0k`D$W5i(`G( z7AUs21{0>~G9Ti4606Npiw;B2EifE3zn$zEP{5kXn>{$_%JSe}_Fo=c+*zH%si;{7 zNsZLYMS(Z}%iJ8b{H>oIrAxmCIdhNWbFUD)!$%;q2RgR`vgWZ_IS!J&=tkS3a>{Kl zXJ;e*vaIs}U+^8>5rcZ(G$`~gi2^}f=3s9LV;AFFg~&e=F_m=PJFc~>MO40ku84bx zuT(!$otA2-s&KhjH?%$by{_LLwVS?!RCKS%(^fufJbdHD_PxnOE`tjJQY7lO#J|3m z7mmB69qXpcb%|ZsK1t>I-@gEu1Q6wS2~^C*m?8;@O4S(RKsk~HGwcB)oJ2YE*S*rH zDU-JcDY5Ztm!uZ%W|s)xcU-MZN9QKaf9lCQ>|<}Ci8e0bcBuvvE=BdX-VGkP>9pU2mzH4U!2rZ z-J{MceCigHm!n+04B73EiWStxeoTAa&*~RgitXZl?zX8n+G$Y#?TLE@i4eVyO_UH_P>*9T>( z{EqF>>ZiUo`UMDa@20F+lcFhax$FCH(&$BL_qX<6`DaSkdyF!_i7;|bGyhgmOQF;o z(NMAdPORDE?&wZ~rI%>eJ8TOsKJ9nKtobdVMws5}3}FiUt0^h_E6&liUKO_E8lBWt zlKDtXkKEH~8ZN0Q+XE3Rp?8-be4ude9aa;!-`!;ViU9@JXi%6?L?%|}6vjgw(K#`IQr>~B2Te1hlI2+JjZieGxF7Ft z>Hqdq_kgHeZfTq)lw?|;f2Te-qRvSECVeMD>ebM!OzfuE!J&Bn|nu&wtlh*jq zV*f$J>d*?0es%l}FeMi-%rPx*OAH`Z{yN#`vn?0Hl8IR_2k%s_Jj8VzI#M>Uz(;!fd 
zzrfZh-N;Uq%}vj4f4H0FBSK*$^2n~P8m^8YTWd|kD0F0EpA()rJ0YO*KIJYqtK_lb zblEqfNvQt(G7F0Qs+3{9F%ElltwSuC!6ht)EA}SZwQjUDNvylRO_9ueHKojteUyu} zpcv7QbL`;O8!Qc>LGi``#1UX?oNQ6le3%?JNNNyExC1a?l6lLasWUktyb?5dZM}2ek@LXjZMjOTs6a)VZnXL)8l_l=agX4B%jnly>K*N`=f*s#}5c`d-=??E^XXb zPV>2W7w_h8<3IcdXgZ5(F9fV+yz)K71H=9jje=rxj;E=oFkN~&pw!%Up6xfHrv)Bg z&};CmbU)P_tM8{^8?){NwW)QhLRK0J37HsHP5^u%oS7*ByC1t@LD^b4+3%h3YTXwCXAa;I-?Bk(bh0DOt?tc0U|=cL5Mi zbG7O-&9y7srej4KVm^%gq-fwW&WwEhQeW5ZLaCvY=Gd)cVggiL88;|DYM(eWX>kDZ zXYa!#nWmWu$1d2!_RJPWB^}qj%6F)+*mPXrxL(@Fpe4L|WV9CFC)T$oL_XRXbt!1R z*7Bh{)kD3w!OS5H%$ZQYuhea4e0zy4eYo<)yuHTPE^!HzXBIzOzd^c5Ty9Uz`o zI^DrY_ zap#RbvaM@aan+zWSK1q3rzLUmmah0ioFTi`*p%@nX|FC9b@SA3Y9&==e$qmHcgyk* zr>GZHE5b~F8qOTt0{K%?VC&(97q6jAT0+X!3kX^>Ar zSXE0Uk^O9`YVhO%MPKia%@FNt9YtfYXK*^igzxufIGPWSNp5W%O{zDXB*jhaYJm)l z*11RF3)({gj>Rho{j&`=W5%#Lw@~hpQr(xshaaUYKIjzt-1+oGzc9~8S%0XITb_*O z{OEDgRAm>&$t!x`+4T#b&c+xOSnEay72Y)&?Ds7EaS6net{5!a&hyYKzf(UEz*|;A zLJk#a23+N{UPd%!>ZD~_42RC-?j5lPmjauKhHw470M0{28<6Kc;+BfCwU~5Pe(G^1o(?`(KQOjH@}&4>qMFm$RYq*EuUGOo zdquojXx%6e4bx=;#daRq1?~^>bgqF$)+QORN%5($X5DKC0~x)L{n?z-`A6TCdEkZD z&wdKrS_~vp31JD$dW!3_*J~Gp@?@ZjC_(#6b#>LSqVsYbdyy4)MW;SvrezL!X8^#Y z(Q#B5)jbDU(i6`gj2|!;FphcaV^8vFcp!IpFn3rv7Y>?**iXAM9FIR1+k2Ed-dG-V zu#(y@ZRFTVOJWn`)2}?h3>lb>f7N!}GF#8u0cFsRmkjz!3T{!=VW|U_J?)t-4IM#U z!=YjvQ$1P6sk;lGVg0-6PhEQ2;x*L*V z)_=%Pz<0d{XH}EykaJ^~6M>y=@VY-~wB`20FBn@Ej4!515kgS0x_@ zo@`DBHWy~nAR_c)D?a{Vj9reG3h7MGh3k*#3oPRFqSa;i?A2VZ*HWM()t(!Gpx#Go z)O^Sog>&rIq21ZuG*n&HcB#c@2FD2sKun~=L4jfi#ylOz)~h-YOi;zB>{}&X=g7&a zqWar&UO1)E3>$pA1@sdXe&cT=P!Mv(_KOjTt50KlugB?is+Z8$iEp%&h^t3>!Yzji{Wte4 zr(OnqA1ZpJvQ|@GxYM)qX!vtoP`3t2(d#CLC} z3w&mNmYUA2_gnre?M;uO{l$UOwDOlvCKg_*u_(;Cok7twBbNQcF5uaec^h;I&Ji;X zGk?7FW-s}k*wPD+!;r8-yaCo>o{b0#+m1u&c$-gYC=nw3uyVmWm6FpchuPI4EL?{Xww zpodNW+ARnBW)Gq-VjeRw zDI(2W8n<`9&|x5zAH`;{ixRapW=O~}zNd?L#f(n^F7s(Bojc@vn96EtqFc55 zB9>kfqB6L=kYs30Ej=Zb%(wm3=FF>pVrN<4HSZ%abSG6#0$1RKCVr~G@r6_sY3J*% z;Wqb*^~wzDQq=0Q)#?g+dOFS*0NV_2e^_ 
zFSR+NcqRDknY!V+BnLfi>_?A8?tpqVipGoe1d>f(0D$72p%pcuvf}g~$40zTfAB77 zt|zuGx+g-3-0S$jyYoj;iY!v`9Iq0#u1&3-48+@h9`_puVPf8r{JM)9fn-s(Jz79kYpez5f^(;M%xIzW3X^^m{$G^k%ogLYNF*Os~C%G`)+NF1-e z&Lny}JT_|=lXa-=#dX|GBQh2xZ_M+B@veIa_gE!g={tVzf}TMw^aphRoT1g&$7?c@ zZ*7wAv;cfLV|MrmKZkUR=uacwN7|<`peU&8Ug%9C9PS{zDYH9p)l>Zi(mN%J!aF`7 zK0=@$T=gkE_(h66u#{?ldlZym(*hBypgB&`Y{`5+n_xDVJR1ffL-N%`Z5H1~$%dW9 zN3l$Lpvawp^g+y&NsYMY?(>zp`bs;nvV)|dkewwn_Xd-td>`H-BQ9%-x{Vo&G2=OC z{P9z)8^nFX-f?Bn${lKIs6vWug?1?gk-bzZv!>3J_M$`Ag_e-tp-I4ZD99S9emi#_ zu#*j>{~A$rO5;H47PQCal@=HZ;-0;O(CA_KfuzNPTpTpvrLUjbzO^t zEW5N*7`Sv*%C_BTlh-y8D2N0;nmum#(=G5XlRO#q>!%Xhv-f?lXZRT-926Mw($NeA z5lfpTJe4xoN4lsZ*{mg&jcRb+QbWKps%`s$+WSx3M+p-_WRD9siSmpc z>)0YLP=K8MM9!(G@N|9pOFFJ?-uon$;TY%Nkl>f|1gfx0J8&8dX8K7hD7>{9uhvk3 za-PY#%>Gee6UFWMj`fRY5WoQRgqdO|So95;$(|he`QbWy?x+f;cgpVa>8RD3y*}$}oJIA$3B5f-baKW&^ExzOq1Bd8H(GBtdze-q)aasUq!ekUP8I?kujlx# z;{R=#NSNh$prOV$8oMiLGNP|0Qer}Wt}PhDOb+RdJbu>}1WraRnbL@=N7Qb4sXM=q z-+g@7Td3}aWck&|4{qM1sUIf zi_;eO()J{VL`^5Pey#`dBl%901yJg93I=J#TfaP>hy0u&C8YeRSJ%AOpxBlZ5#Td9 zCc)mTV6}@XK8dRVGrNx$f+6aGO*E~y8}?Yj?&5*+DbPhd8D{!l=KL>n{#SGU)2s^g zE20^_4>e*URd?VJ3`*eT_k1%~)@M7csN^*Jf$VT@{qlA_R!O)~t&1&8(DHo@r*@}h z%1AWVW|(mEG0GqS)($@dt_BJuG5VKmf?HF!ZMRV z_gmOba6=yejkF|qCtwQ71WV^{98NEUovJuV!T)n=Rk~50Fj&L#)lXt6OQKKYC$>zf z!~=%F2j7WIg3$opi_&3Y{$x^nqO8)kCrkTCTZ8IYjt*ku3L)hyFeNicYqyw;r*d`9u# z#kXKV>{c&$Gs^?q5(`1|C&B7<|5QQ3!MFI|0_+7^9Uj&#boSsZG^9)l$zK8)50j`q z3jb!XprhmZ_dMSrx(}Yn&FcuQ1?cbfSm9C5!)K zwcIqgX%VJx8AOdyX|J*!)3NAD;t-j9lcCDn$Bh@@9GEv9(L4WlmAX#IhgkPR?2NwD zEHo6w;ttRm0^*tR0F1W8sDSwV4zFiq;(wD>$9-v1Y}J&P!CCTaH;NFO?>sQwA{w;U zA0t`kGWIToQ~WgxFry5#o+%Ko4QCktQ<(_Rm-+$``q+91#$s`*!P}-qTxRmX{}dTe z9yAr$F_iRgJ5JtwdU;dGdN2}LYKsoorcUBi@dYrk$O{y)>__8&>hZJ@p#^ghcX%#1 zguBSzld}XQZ&HCZ=!H%Hr!lSHB;aCZ)Z&kb+_ji4IS0_eb-cxu`2DBWHo6n}kz(UR zAOVP7zxVQhADbuC(f*w}mX864a~&V%2h^pgD-4@67?}eWJJ4H-Sbu-6!XpnG^V2C{tJ=cl&flXhL{hLcb+;1#Y zsxr91j}EUk1u$>=Ii3f9x7d;aQeP`n5)@uvnv`QaDv4f=10@(l3|zb52o@m+hztMB9e{sIG$f{8Ew 
z#9i_H&k0pmp?&Ov=y2Zv{6dE(l)U|K7Siss?mdj*&?4+w153>`hX{aMU;ATY4y5AYHOu*@Mvdx@SFMV)L zi<)v5^*|g3u|Lm(UtvZSIQ1}*e^SE*B_th1%S&)=CgsDL_AEGFwADbi)xioCX7Z}s z6M$5k!QAyAt^GggW>00j2yfc3iL9mgW&7R~iF5%BYWN#%*)~w@|8Zwa1LU&a-o|Vj z@zT|@HI;IB*BiIGeFL7BRB=eD%Ztga#R1V%y>zoAcmuh65>m3hzo>$bcT)ev z8bF|Xljn&9B0cav!u0Px;?Mrfs5&ZL{HHt~fTg(q9(mvR`xr&pRnePH(mAx819@T_ zej&fVVFRE4UFiSUJd&Us&eh6M0e6Y-sQ$S?>_eRYl?a4a9lW%a{s!fy|L9{dgk}a@ zT>FlpSIHCn4FuRz7IXEl z#>yhwZWpS=OC4*K?TIKvCr}RXsSh$0W0T@6~jpPx#N#5N5RmKhS~! z+Xr6!Z??ZxsPc*8+8w3O&db?6aUx{f-wO<0vUme;Bj7M2M=M|!92=sWn)`GS+!kLC z0(WK|->|K0uQV*#H@zhvJ$(w(?^)N4L?R;(Ho8~!M}$qANft-Sa^{=fT}{iRCE0tA zhaXD+6YzzxVMq8 zt(EEkXggeA6Ige`j^<<-ulm*VbyaRfUJiknG@Cnj$R;5j#K)!eW2NV7~**2@|Zv zp_2&YWOcK|6?as@17Y5f2p5RQZT_NN8as%0*rWdQL>`KG=a>1nwBujSPg21_Tjoc+ zgGdVDRGqu)>MOCMI!x=pOg9W-{ywi3+)Qswd*fzdD5X4EeNGxG!kCZ~C&JsHyA#fE zPX~WJv->%;PB(4?`bL3&DpUD`;TXYVy?Y01&jUVKFhvd$8GCHVukujhZzcy_cT;-J zFJ?V>3o;YJUOu(Q8X+D%DEZk+{4nWTU@E@*{~MlH%m0B_j7>^td=cO2WQAfE0^0-?XEZQ3Z+jL&fr~TvKYBLe?M!Dz~!+2?p86=C1*m;(?!PfZ}zvW z9#(VtY8OAfZ|jV7>Xle<#$2)kAS3XUSI?dX9ia>96SgO&u*1GF^k@a#({6@He zLIlIT?CqT0mvM>$v1RVZ@ICRpX@CBjHi{k2C9}Dp?kK81)~?t(rDFvT0qtQCUaP91 zM@eKQ?2m-x>JdqI9ayF3JM6asDqYRfDw!Hcd`hzUY@YfU9%A5daSGGT_cBlrN$jQYTZD}3^D ze9C^@60Kr+=bZ0lmXDp>1qpYqz#(}M<_$WZzg;ZL~=-tUhs z3~1W+zpFU&MyYImQuW?05*t=Zu1M#7PS}3yP8XDm9q;@AHahcQph|Da7EVkuY~-4} zQ-_QEg0SsBT)z($s#nmny(CCxcx1ngj@S3iYq&mw=pJ~Zo;y0!K%q0`F=eF|tjE@b z^!!odDr7GuG+MAblA%aJD`ICj9ma*(c|2c+)$aZ_dT@YlAf73>ORMWd^t_#~pYbnj zj=M_p1^}rykv{zQRCFXaPkrHYv}nDy?$jDFN=c&7h^QLhJ7y(z8st zbiKPvMOTGGm!48kz5Zf%Wf)Zkd#!N*xQOa(ggdG{UE(733&DcZ5yiq1$4cEMN=NO! 
zmszTlXX#fm=GAMz9rw6Zjtfd1v z8B%9W|D;Yu?6Rymjqc{9KbpXP9N%~v0G1}At-7uiXauj)dg%K^W3u0Rrb86dmk1sf zI8Q4ehb&?hwy4&gz#ScQmGw%(N#)?O5lx=iXd~TpE%QCu5QsCz-b*!V!O1Qn2ThP?w7j_(EymQr4 zD;0LcU*>9RUu?eft=>4n#Cr3u_{6ThQgRt&VlsrB_uO_TT)PtO>pP6Gw`PbNZhfT9 zYwV?!vX*Up=d(fmMa5$%Pg}K14BmAM1+K^^EDJUK3~+aI`~3ZFNzx^L`)v!>3C8DV zr}kdSR54%Uw>M0qv=RNRcbm>rThGH2?i*EGPh?c^Iv(KDdD_Q13)+igq)7h$*-WWl zkH%;oAIgkmSA$n(AfgDnG6r}55bUG#SfTyj2+(l6`S8P~E1f?x*d^!!FSeX>AC>I& z!=ybc+OnOOExNee->S|VH(T5AFrR7*pF1+0BV3&4`>-U!7nXig`%tA3cyt_{;A{vO zp%WPS(p;!9t#AIFl`8X{{M|1gHhlJDxb{Na*2MeQQ_C=5av2pO;{=8IY zzz&x%b&5Su$tshddP^BoF!tcPy>Hp=-sU=V-VK&m)3%@curI><-m|Ivq@!U@2$!st zTbfFob>zE~`hX}by&uGY__~TwL3`tKjB3+~f*8(F$v5jyX$399Dqov4_QQFD z3fBgG>*OjKKU&R(60`OyOZ#7a6?Ov(3j!NMy8<)Fzwnq+KX3 zyBOOk?7V+iZZ$x7fE+qaY@UIe+!u91&2_w0GM_@fhpuviUX`}=-zxcpm6l1B(m3|I331JJk2)t;F)dFZxXMA7PpB) z7(yD^Mv|FJ`=|3u`3e*;COum_e)vOgQ!FTQgGViz_VPqA@Wn9V>BXIRlZTdGyC3r;7O0hfTtBmRgpEUYA++UI^&x6oxku11{ymcdOoP zm};<3EXP3^ezww1xhMX~B>*9-RE(C(fJvtmk+n@w9Z;It1znp7%cOjXC+2k@I^v$H z?o6zI>529h*$+2Q{4#livP<$s*YRI2DHw8mY|XMx$?m(svMe);hi1!tusZcF>6$21A+=iL*kBqu@K21pW^$ZsE&r zOxk}1L@G?~=2*!*yXoYW>|iox6sv;589*j0AoDsYkp;d4vrcf52#Yq0gSQH#LVwhN zTLcWM&sD)}Nwq@%(nkKJe%HQG0k6&1ki4nW0w2+Jm2mZBT+Qo6A!+@p&kwTe_rqd% zj5=M6&dD&1049Er@cV&(Z>90xznO&&v!i(87w^hW@_Sk9{FcK3)~QI}CX)|qMq^#= z%n?d%`cX>AG;X5kw?4xyhoNX5DESx#B-S##GixqNjRx{v@;ts%MXCNf9|dgi5N|75 zIFJEsV8OG2)ry**k(8%XW|{(A^2aPq72r*EBr@E~G6m6J1+`plx=jL(ym8~CfD{z3 zh-`B@bgSnBUuFiYGzl5P-FC(edk{!t6NRF~AWl`{+1E+es8jn8E92P%-=j^XRhHd+gO458wTR$rp4C?q2r(Vs5 z4y+p0*=4+5!3A(1m_Pi8i{V#SUDz33SQ=X?+wX6euWEbJvEr{y*9tx7zRMWXLxGdE z=sgnFo%;DCAe3vW4b%`OY3+YcUxIOwzpz(C{O&McbDBsnBM!G4gTN?Sr=j)Cgr?Ai$LBLam`#|@~ z^(~4*&1b*3wAz&NS|o$FAsc|jB!@v?RlN+gX8j>d=u~U*rKm`+4XXtK|W|XBuB~po}2y8&FkuOx=fmg?9{EEzDhs6aFpEnomZxCqWbr$i?}>>jDI+JVpX6xOe%g=jAnuu&U0QNF+cVI zE-WL_7mU7@CQ=J*$3YCu}vsZ2-g;f)u7zQoaPz91@ z!1X?5?l<3YIT+fAKT|PqdL7Ai?G@gO6ph zgLf6_H}EBHAN+)4Gh(7dMl=Gn|7tH$o+nD^X z2e*6&!NVGg$ebNMrjR<|6EBJX{+a-xN_)fZ825;mP1R!#o$L1*Y3pNn!sFFP`eyF} 
z5u^jl4#r+)*zZ6Kn@%QQ1;Pg-a66<|13eZ^sm+hSC6l-v>}h_!VJex`6oCO{q;o)p zSW#N9ejGHJgFPJNP7c0Gb(;)(#d);DuR@S=YiB*ng9A)%Q4pL0v4;b2C?a0Hgc;4~ z3JkIN;z`UWS8r5lr{Rdk(hBh28smu!f@i4K5w@&J!}U#Rh`18_qG=1u^jAXj5bid5_qbXx)Bj1dLp6~@i zD#wZcX!PRSEtDO!I`UOA~pb1Wwf_2(if6*$ZftBh+C3U<@ zo(S`q@L@OSG1HH9Kfv{n{Tdy;h~&v^YFv?@lPg-EYjrA0ojI zY~k)?!<{N=lBd%ZsWQ~%J|La%CrwX65AL~oB~|GsOgVYdyQwDg;>9^gyDEvf3?Q*I z-XUiVl@Xb;;mN+m1$4{)eds)6Z=6$J+UOPFm*+Zd#-uf+U9&f9M^9#sEDr*t_)%9N$+!U$DnRFZ>PMLcCr1Uj=_P{Mc^D zmRbF+Bvet?ZVLYmvj6cLwnD}-*YBt1v7YBoJs+irWS5O8{$>kK=}N*1?eEE`d6{z5QZ5)2zWV9s=oR`I5g}RsEVJq^-ea7;_76v) z*01PnXOwc3xxS38-uiXmV>q~#9`IDUkDbU}Mob>rMsu*ah{?3B5YWtZtBGV-Na~34 zz{-+&4K?-`c}F3gxL8oLbP8^vm+cn>viE-1q2e<3|C^bTV$CtoY4~|7r7a>rWD!;6crV zikC!@wDMlXy%Z}Ge1ejPj}1N-73!K?WnI1JO8Fc@RF|sAY${3hO&-baC+2yR3%_EN z?0=Qc_DlHB3$+6+;E52AP`G|O+4CS}eK)s0B!c&=zr^|5-i5g9+v6`Fzd|HSy{8CZ zlH071^%7&q&K&EnBe9EAn2=y@u+QM4pdLQS3ZVx!h3;uj*B-|Ics~pnIGoXdoP7@3 zt0sWi7dQ+}6e8u0)3rT&a99y%{K0}JvEzHUfzbH=MR!4WqB=%JRrxfw^-S;>n8Q@E9yQ9Pb>|6mP%TBN(Z*G)d`om-^1dwC``e z>c64bcVKSDg1SVd-0Z>fX~41+M1a~$C%N9=9geP4`L*20h^pQ%YIPKr#D0?WX>-^V zq=(1z!1xG0dpA`(yd#;x=S;PNr7wn@@jp`HBSFGSftykLGA+*CZIWSYy7m!2Fr)(# zHo??j5}eqw`^ab0jJd8jKC|7xb2Kqp?CK#(zZ?U}Xksu1gHYhT*}pRE2l&A8o?%-4 zzv|vYlujM*-1C+z_ZhjOLtX{}l13KHQcH$@_8uqjX~X02YXtJ7@_FNm&2NE+$8G?} z%WfSEi3r6Cj*M*1-g7cLet)zUc1pkdA(LXJPUzdwV}utoP(w;n$x6eq@kxU#JV&CH z;jJYV>1+dY-@SBIvh>ZfUYESNqVy zc|vGoLe?@{?F)V|Od3H3My>r*i#pjHpAL=x5WcqX{k?@{M~=ZlXW^v-51wD)GWDkV zdNsM7P|b2_{Uj^J$%(4axGpWe24*tLL&42XNw_cA7DTuI5{0;w4S%9aw_I|Kz-&sMG?_-Wj0(dau*k|^^hu8Om-it~ak0M;e$|9AXH=8DSL!>)fqVz=OcWNwK2EP9 z?9{deXPeY*>r5ucH3Y~Y^JJ#Dh+r1f^LyScc|y$|`AR4|MbhC5Mx$1YDY`{zVV(|% z!92ZtHkQW;qDI%<4!;=AOC|`&^49$7FLuu0cv>!~X;84Qwd37j7Iog^kYn{F+e)JG zI6Xh(!&e@Ui1AqI%kB5cWWm@UB@e#Gf}(nOl8FFD461ad?&8RElWXj>v{{+QPDiKH zC4MaEY)xFobnwnmVQLi51Kq*s=Iew0-aE5N7nW{01L(2mkr+%6%~iAe{=kTTa6D)K zfKgrQ*}+f$kx$=>!UrXnFw#@vI|`jm)It7tR4gVLMt?`n|3grov9Jh*zGYer=!$d< z*%rozCKzW5We~ZIY?{v>oS7n)!yzLqI%g?TB$^A1o7^^M0%-8zgfNxdeH*e`;k5tq 
zmrju(k9XZ{k-ji)c)sBU3^LR!)mG2JQ)o>kJc}k~jsS+-=F;kzBLq@_BjTMd*@*2J zVefj4Nv~ZVtn;?Y;^AuufFq!ku3q;A*E=uw1S6$QkVl{ueL2YjB?{H=C!uYDP7@11^4DI(W6+ z?G=7)Coh(2m@mU#xAH|6kE=-)uF6n#YFl`;>L4_xoo8@yKCXhk+Fd`{__ni%CF_yvoWBoCU) z`pc&LHOpMW8(m=wX4YNU9ArHAg3%A@x8(FUskyZKmJE!%s5XJ@JZvnvUG-J3@S6x> z=)1DUK1&Pn%8P`)U=wg%8Bc+GWxa!*9+~AsA)}>?CRHqs7N!I|TZw%oCi09c@`kdy zD@0y&wLlxSyC$F{$+*R!eq8pL*;j+va)Hk;ymp&%^&u7P<0?ovF`rp?5BCO(AVCvM^pow?m@Yqqkk>%`MAya?w$iVZi|48}fnpB-9g z4I*gWM+NUIx8nsoz}H7&Dd>kfo0mw)6{UG2p47xQPlMaeN-DKg1~N5+FY0{i5*FP`7HmbJ?~z zW~|b_y8;v;NuL^9*c*;s504j_>9^HPGVJ>*zxt{kv{@8n`=U(HxC7W?Rd6&5KE*3&R zme`M9-cq}V+^nROy3_h3y(6yIkLtOX~<%=XLgcZ&+fo}+Qyu_N#%bZgjE)~2FsDPzE| zOzk#$CL$7gxG+}K|2o{Afv$zA!-bV6?T9H!C$xZjgXcJQ2U)w@;J%Aoo?`G?-<`uQ z_I9YNiw`OLT^TLOD2iJ!KFld|HRjof;KW$#xF35`*lb=C+kH?aQh$Ip*!eYLM)BD? zXa7hMBN>Bc^m<$-fmurOSv^?kv*|^+$6z}UsG=(R_)$T$t-V8rgqxL_q?l|2NxKJG z=V3W%M8`KvdYc<%+G;1y!`wWu z+FY`mB?8Hcv1llH7aA)J8_sFrI=7a!vZm)&XK4)Oc%4w^YUNQsu;Ogw2HTgQn4G_n z)5s}^2cPM3=EDws5Qe!j`V2=K8kE{Kz&2xT)DxBzP^)H_{%MhqNG>-A zs(tQYae)YA;!!In?==Av`l1^#;2Y+ou&Smj|Maa-$hP~x%2+nr#Rcql=-|~atfH_p zZV#s^1z|EegWl<3S+k)bPMI5mPzshd@d$)EE2gI#p zTf%lk@*yh*{5J~P_o>}O=8|RcNIT+wd^_TFnW0Rod=!4cvZ*I6^0KJVS@}hqOVX&- zImUlDksQkDwk?^b&IuR0y`EFk*!Bz#oBdqD_UCEC{b=m^3k&j1s*F8ZuW%0+8X1gW zeb7p~lSZL0NwSzDPvI%K!Te8@cwCCF43O;lw*q~yE@2)#gO(JQb=zKJnQ*ti{-j=e z`MWPZ9k_83&}T*tv%e2Zg`k}@59Dp1TENA$I})HT3A>yZzv-Q&uXBGYdTx$A@&-(5 zHS9Qc*Tj=saFPD@Q=bRPVnc4;;Jm?Q9;Z?ml?P-}o&REhOFGQ>y?qW;E)Y~H+Yt=) zz<@eDe!Ld88NW4fQ~ai4s>7=vs-2pJE|3Dl+pmie>;2_7w;xucEJShD_sy;R!&Rbh zV1_3owOcPp_MLtEq&2^=Ft)W-VcAv|)y<-SO2ph@+X_AuvB^1pnH{!wBnR2}CY8W| zAPw6|W#5fv@U}X3FMWJxAtLprteWVj!LCd03<9Y?2EV=X2a@-{ZIl)XF{{sv$};zA zuc7HMKHBBwP@v~iiAGMnLcgxr_$oUa{7ofsFh$O6@|-^WeiXzTp%HjJ>Nu85;FyQZ zY;tK>uj5M;Hu{^xvv(v+7?8;BammUt@1`E|J2nBMtCT*!XLw? 
zAUQ?}!F3mpI=tPVoIP5XgGnqHVY`2Inaxxy_sIIRrNncm^2VoLI*PugKPTVr5!KlF zL_8na>+RvKS2hQYHuzrY$v0B$cE4j-cW8y9Za4Aq=C)NWC5$iWnYLdQs`I+y@E=HO%?X;^ccGfsiG$gyqgMUlPiDe zxe578dCfQrSU1O)cJ~0@kq4C;Ue-Ywxb@bSA-8{sbbbv`>A%mE4~~n&DxjjU)!vtw zFb=(xt6ancW|J4pK@jA#GJ}c&#U5xk);Gk0Nz>4{-GZmPLmsRit)O!m=BoQ?r+w;G*LKh3UhP_g zR^{4It-N}ZB1-kz1@jsb7#|rboeQ$K?P|8QC)FV#a;*0G^(3;!>*0}p&H6hB$G-Zb z`N8{&Gz@}pnz>70LpW>to|n@p;|*k|!x;gS3!Q^hu6R+M|0AkMq`P+xMTM5&x;5-* z&@weTHRVm7R*?Z}q37UJM+#*7;NW__;(M`~tFa>oW+4MBM?t(@E2^KfSdCuy&gIO{ zV#($=$-EbvH*gY~>tRMK>|1=Ecjc{hJvj_qesQwfd&j(f0sfyqoUcW=3Ctw9b2npU zQC(e$qch5czu4K>6{Zk0{>xiyg*PQwzN8(AVn&F%g zctfrFXTIDtdE;i}iM}MkumWFsOF4xudAB%!m}~IfXB|Og>nj}MENYg#dz~znhVqZv zU)npfOnMHyu*~+dS{-&=f;2=~W_vn4`We=C%uT#fXAo79T~)37iwcXX(V0~#IOkAA zq9HX_>Dv3C=&CX;aLp_Ha3{KKKHL?ToY*honw3||GMUW%e0f}^Hw@8$ga^s( z6GUBKgjeLXRPpT7H>*Em?ll_FHup>Lf^hW6+i>zt3U)!4GKsWYmLx11&VrY<6jS(jjYyAMG@aLT8&XYAcjR)zKz1ZK?UkS<4y_K z2Z?}KI!3EU8vYL1CgRZU@&EAl=HXDb?;mhUQ7KZAN3RA-zvuZL@Ao*~HZJ>wOM{4~Oa2A@zn{c=<2`EL+i9Oo zNNsS3=L6BTVcQUuxsU5FmENCJ`W&UQJh|x5c*g^cF|W^bn@8uLnYnDd-!Jc3R+mX2 zRqolqXc-4I;1&KHk6A3QX)!$duB-ah>Wi<~tRHEZJ1mW}*v0Hol8ei$DlcUAAGxY3 z$=VuHW#vdXY%#k$c<{w}L#v%(pkJJM8nouZh`U~$7dn0l7j4A|U24_!KRO%v^h_yo zDWYoE`sYs7W3}pLM?BtDOm%hpWaxJvepqk9%H+K7!-o%|wk6cPir7%oqC;NxSToab*wNhT*YH>C96ZC9k##>JQTGV`KB5r4wqC|7&u38tiRD`c$b@R@tjq;skcfDqF?tS6>J(n zcI)Gmny3WC75U@DZ4O#LD8Qjg5qwz?EQa#nd7klIvY>=H;ki6h?Lx_w)wrQ|5L)Gr zkwT`Omb-=TgEf4vW;L?Y8;aO)(5mlFs|zrfVe`d|TqHzz0zMOqiR%}ed;zn2!ht*) z!?33aOXVUOs4&7|4ymqwa0(gGZtR|p9|lGo{*w?odfA`@m8H(%ut@fhXu>KuncRww z##Tr>(a2K-^2y>%TMY{KVz`x0E2>h+9Ob1H%pzC?H!Rrq*cXwv0~L;#fu}o7PU_-K*`ZkD$-!3DVB! 
zT$2bVhWBecYhEGBaC+uZi*_l7ReN5Rw4p;QQ`o(&-}3cK?v)&{Y*dH$?ITZFB>|Uq z^RU%cTIRt|s)nnp~BRGH`+ed28 zo`z+RzLpwlrh(7ktU+n?)}%B}?E~-SJln!hU6uWNyTkAN?(kB>S)EN9Ft>e?7N150khyLCb8g6- z2YT1m22Xiw-EIU&qEW_d3*yBz)e2qFGVxZOv&>YL) z2gA7u)*KhW%}=Xq;E_6P2)jVqwj$5OA0=D^b;2Tp@&Gf}BSGZj{jH^pD3-y8BB}At z(LD*6qhq+}A=r+79JiGj8kq!HvVi`jo>-akO3SnWq-w!YzeDz9NelQfd?YLK{k4Qg zoyU9qJ41Y_cQHq6gO7%*?EB9OU zdR8pZURk4}LFN7JyKn$Kob0!>DIgl+?C+l(o9?h5YYdGg^o9CRCix-n6XelR+Oh0< zL}}OTT3M^)BP$UgxLO1;Y48^O=oC_zQ*pDmB0xjo0;!R>_g9FC0j#Y*If^}JI-Q#w zJE4@FLEE0RHevizf$(#-wfr%E+TGw2YMPEBYUKvFL^kkq^k#eV%NA0Vq+IXhrK6aR ztHgdaN`oRZIq);4>vyJ)G52J=B>ZVEv5u~Gg?5iu)UrtXkH0pqyWP|vn>`ihY!G@4@&dgu7!&J!WK*WXK{WYm zZ8yqAoLPRrIDRs|l@C+2@?vGr%y$zMgVf=;haF`{-g}9dm?&2ylmycj3H|pis*NMn zEk>&dviJJy|4*M}H(-Pxooe-&dYNnC^uK)4bGbh>@qMO2+`Kza9Kwi@6Ns`ylUoxm zAolpePiOj{wooZ9ZTn1Md4gdKY3Es>f4=j`favFyWYG(d|2eXCq*QGe82T%Dnr$H+i?Ln2?p)p;QW(_ za5eZmJD*vrhp&zMZs!^baP7`g8VdA2ZL zgPB^=POB|*N)|omUaF49_VZ#W)k*f@%GOSsxj~TK{RcbshD!=^Y7hP?MXUFE_K&mI zW~7T8e=D4HTz{zX@xzB|+of~k-(6qFm}HNRscbd}*IV zO}u+iMo0^69!7b0idvcwwD#{%IEB9GY&8*}I5RG?6(q9T{DqFkP2lEbuP+27;=Zf; zg7aJn2blWuKke;5*TEM#TB<{@t$k5ad#|A>ZX=dq@)4!-#gJa-V9_U;9-b=5ofcwM zs9U;|Ng$umq+Q$W(BKeP?1mVh#&!f|AKP=kaskY(id=+fOR}1Q^pRK{Em&+z6yn~I z&6Q@~*fV@zEhHbxCJ<&R*-W;zNq9p=)Lo<{8C}jpmgqBCr@kXKM zUV$?`y2YafRf072rYcd9W%9kb)vuL0|DvQ&m8n54<#EM!{zvPT~0xo14(aiotGY#)f? zRjhm5EpjW>%b#?SrO~{?>6uyO#_K6V`_QCI5|ie4##7e@EH^3nOyud^o_-Lf;{PUS zz^rEQ^{d1q1(Y-Ux;^~+lmz^edQf;QwK^{=zaGO6t}qQ9buJqYxpGwhox|7QFX5L= zk8QE9W*wuR%Kpa1v6^W)l%gk< zORa19}BvS=>!!yv(4n?lSVIu4Kbo6htN86?Nxz_GM^??vW>j@YUs5_+PejP zhC&8x`cvI32ptUrZR*!1x8i}Win3c=W@r-cB4Q-M?c%LDsl0Ak1~VV^rm6@e5!yr= z%x*sr)}z0(cmt^GbBaftPn|*J^p?v+?V&8kp^Ay%t6-h&=gxU#t7wUuw{#p#?-#m! 
z`{lh|?uj4!m-p?GJ6wxVQPFv4hcSA>0HvlM+It7@FrGE{QdcGL3-2(wz)Hd6h2`n4 zJSD(7-&9?)aOo8|I$9NQU((hhWU}deh108m@scFG#(d-5>?69Z;Y)#~5sNkVgoAoz zWoAylT3q!qIwJs6C7v!6+Ir()nbHgvh36Cg@wO3Gz_r?n(i=o!m;d}hIEc}ox*R-y z4p)^z{JWZwv1vm(yH;Uq);Sr{-V*DRR_omrW^P@R-lVukc(lVKM%r=Fw%m7fLdGFM z4N5~&Z^@pE=)*Z#iMO)+*GlBsRhdIEpHNa^_v6!LTn!`kLyH8&+?4XrX6vBDV}xD= z)&(l#0!Rtjly5jcA)3pR9*K`um#SFa4k})7e=RFFH2a_;v8y7n&(+yN=KF}x>u7^| z+ZtlK4w=^OXzzne>6Mp9Fp%*kvfkA7@D;?%jrvc$crM|tTMQScaI-kgw53#FwM zWDL#r8jH{lL+E44pRO~7735F55#&Vgl^Kw2lhrq8e(t0^S9J|Oaf29ce{t!DGiu=O zm17A{b}(CA2k{xMi1LUUl?xi8-U04SshXlZ=UmT(0gGgicXw^2iU*ZgIZwsvb+L2<7arLYqlnh<2ne6l==5{CZVCP#nLy|_%tjaF&~KZd=7fbo7vS} z6$+vt7>9Fm{7qeYB|xL~yo3zB_WJUoP5ufVM@Bw@9-MsEGN7%^E6%mLL2r|Vt#_$E zS8j%0$A;lDzd*yDzUL2(wiE57iu5|_-))K%D){<(fq7?!(Wih;jdC|jv7~@p(Ou&9 z)fb+o+=^i=ps4gzKcRMDmPgwZ8p%PZ5D4X%?XF5D&*ue%d``u3CA*hJah1@CKKDZ~ z)WLln*Fp2?>>=RXfhHo0UUwOm9_{rxB?%4nT%+T@_n$Vh`hN1=+T|DR(&a~LdiF4V z-%=5eU0sETbmH~MCbqRqJ1&&0XASpU&HSI0ZK!-wnd zmj_x_p2p>5FJEWunfH$kVIMnNR99PRR@rzNf-J!pZJT^ob%>v^{|5)|7Quziy|@-t zYf*@gNnsh|?=8`pUH{%6gbUU*}3MR>P?aJshb%!~_WaJYo`p~~kEc{gpnm!n0t*J)Gnck`_MVnd>O zWEFM@Y}5Zt!`ybD(5Uhqo92eiA0?2xfAG@|Kcz(9{8!ugYiaF5Z)oxm@$m%aM-#EO zTgUI|Q zNM7*5L}q?SpMm#)mr~9l2(?|7^*9M0L*+B6E<`Odz~lVQ7kjTpX?r$fvd8N4Sggvo zA64VNcb`67eZ^j*X}t6Zu#W*96h=c_Nfjjd4TX;(hG zV^dreeN-T5+=G5->OL6UH4Z%Un`;ze2!pFH?#_VcbEd zaSu_eg_=T_Hr<`OcIC=#!<9rG@#5mA-PE(Zuqy%<@`5+{5F1kh;-szu7qyg=i;3d^ zVAXPLcRe4%Uy=CEB?N%;iBsjzUa|Zjs_iKR1tq5u^6n7*0$GR@_4G&lD7%=KjQ&`R zJ147sJp7jk(499=1L{E7;E7FZglx`(Pki2V8=y59KBh{iRQx*D8}MPR)v#O%BdDpV zfe+NEu7_r^D88LsYk^vOa6>_G`6%+?HERHPh<^&@0*DoJ=E2pC`m1p4k+&{`yp1N( zlvV+*6>$zi*@73cF0W$N1!y9%DM}(8D3m_gKjN|8bJd<8N*N!2j2RP=*j)$M$3K1* zQD><*Of?JtOJXq3d+>0zI!)KEX1xo@fpiM5g%<3(cK`b}BGHv8*|9Iado>eI=p~>x zt^ZEIhA~S=l0H*d4g%O9y!Fou308xd$;glrHT;ns@dn7^i>@hD4uRWOE&oBzv3kEq z^5K*Fl|!Gh$q&7@3HvlyTQ;#!=OoOe57cq>;3J)mp<5gugOI=i7||XbB2uoR&Rm*3B{!y@Jcqd2yhpu(j_in z(aaOVn%2iC`YMNhTqN6+oh7oCdH*oWcS{=|cp)O(;ObE=E*Ktpr@p@a^7(uLT119t 
z!122;t`eP0D2XBE8r!SrHw(KS>zAr&iLpM8dHHT;mwiEMk{;f+ME?xcDo?LAxZy>n zBLK;)zzzhWVd_*2TtKc<9s0wl%#yatomV<3U|1YqIcsb%6<>)yFm_a=)*xiQ?u}QR zeZwB56drmCp(1->rdkp4{_3u}x;HhVM|Tzxha@tc{QMZ&6RBSdHSGdOR|4b--tYbG zd`5IK6^(P11J_;(a>PzlMh{5S$rB6MdXwnEPx!|@*5P^G9_O9IRK`V|YTNp?hTbTj z-{Gi9;nC~MQT^E8_U_a%N`V+nt?%H%N}%Bx;JC(hUVzV@G>4Oc#aY~0Y-<*3^7blX z`|)YLg`(cq_*K~sBf8f;N(bk9?gRnrW#&4l|R z=t$_(keleyoTn#UnxmsM7k1fdBCk9B(?mR`C`Gldtx0kGYoVodbVrC$hy^<Vq=zD%%2!N495&u%ftHOhC2&F+rS_NoAwsYgjtav8-RLiYQ^9-?n|dQ-vYV%` zsLx#cx3~`K*`xdhXBWoTHL z@8VJPp$P(gq|7W%Xkh|}p}+EWVJz2XUsrTXnjtHe4bmsjgNlu4x2?4zG=(R9`GJH^ z7r$5F5cVJK@x&hzJ>*%i4~~sqaLM_5JM|E&bDU3y2}jqQKz}mtC+H_Q0Q9-$fYvL=CYImXq9lXQGiAaj zq-PI~Wu^pQKasR#W02Z*#yb#K*|(mI&Fq>_IfXZ{G%0D1HcKq6@eKgaiQ#nZ6k{3FgM}G^EAd3x*{2XHJT3zNmx9T# z;5g0;|MC;lKM@|oc=K3%b`z3o(aCPS6T(6JZmmM4J@x%~iq#&%*nFg(3d2TeUxCV! z83tK94WF3Ne(v&4l*i?>o)N}A$&Xh!_Ei9r5K{Sf6;x!nlO|lX^Z+?TQmh2kHcO5J zkSB9adgHnE;4(D$$Qf;f=pPrzCv%j(%H9}H5Vl>+WY5tbj?@Htb%8B`8?9%a8I>}S z%0j@fl+5+|hZK8EEzNBV^?PO$+J9<@E^arnI9^oLVE_HCQ$sSn&xh=V?;D;-)lY$h z8u>4UVNHG$sPgwk4X#P8CZc(kx_uhzl#M11lGphBfUEhig)8?LsRHel?`?sZhwVVj zN}(@^8p+&9X#gm18~wsJTY8_EU2xfPtwgN&~IP9dTRfeYV)5v9?f;kDSWqKSw9oW`0HVNXzx?yj?=vo2xa7#|u)P z7C(#5dcWvZVzRh!`Qeqf((Vop8S*EWx!2=J(RW{%_IM(3rmtFT8DPS&Zi9W7IR=x| zKqmQEtZ)8hl}blwpA%_yzAK@3;MPIGf%-2N@~_8J&FJ-&70Cfzg>w~4i*WFQ9hB{) zdtbC(AYd;&m>sU@&zi+8@za(xc=X;zA42dqY^x{IMG*=7VzeNf8H4CP+@ayFsl7w! z0b=TCbRVgWZ2`fMK++9?xRVN~k?I&qXwO#ALd*8xu63aB=BuBwFa?S&JrhZp$YJ~5 z^t{3W(PsPXZ0xItk6;#Ft({^xWjnk)SfQ6VkfPuMHTuPC;*;S~Y z&9i}#<>Fo%JDKRkG7iYl&|U%3-Tw4@I7ai7hY2XYw?oXpMYs86ZB`m;|7;Sz9@s8P z@4=X_)X(*=wBG0{Qw7MJ#R9$Kn6h>vvmcK^@1zotwwwiUvzL>)} zKDl9c`O#Lj=4a>T9q*F==6bLhF9@4fn~YvDDCl@Sj&>wG!AAP*NSS-uGUh=Tjg~)X zp<*I4qL$fZ7&0qXcDfT|5E0xkHgjdQ+4YvO8usX17czt9Iih{QfF5(MPK}K4b^H&7Pl&K zA14w=4J-VUY9GR?-&2FOL%hp$Aa@fkT1UY60~@fo;j05rHgX(*l+@@bPF!?T477Vz zy~VmPWSDFJ{#>7^Ui4uqUCGj_ff#IgTKg$8E_zk8UJ@KNa6I7VpwHIG6h4B5?sOb! 
z@2AOJFGLF@1*adPBy@~k`3}{0_|*`~kl@pC-vkUTf>~(xXT1k!R$JuOf4pSYy@wwG zK%b-19PwzbA*@qnZfn^nPLV2zJ36?RNB+WHQ*-kKn+)tGE4sUqeXTq<;GY*V!PhA-QzvxSRdLb;TjY4U5Wsq}#cw z(V1#%LM4M{`YJjbHYOl$d-|GNr#X%v0ihSj6wCO=b`z=9zM)!XkL`IJG>~JmoIOUx zd924#ZF;*pSwB*f_`D}H=UyB`epXfPU9|q`k}$5KzT}T!tg1E#g9NmI7ungFE?DW~y(X!RubX z-QF)BqRxzIOa^g0c>MjkbzT4#uPlh)xgW&q<2uRQy1h6q9JTXB+==p#N2Oh(mLo{k zoZ3iJq9T<$P32IDm4MxzMMnyPBNrGyHhFLGX!IfkYRXt-NA5#lqcg|7H!oy%_vZ*X zS$7rN1BAL;o0Qg>D$a+`y=-&$9)QTE)pjV{G5`fZeK27 z)CQN^FZB->*uU!L(;GdUyAeBhq4T+#m7aw2){_Qn853B=@5+I3cAwwel126+Fy^nl z*lv&3VI1sJY2U&}XB!%mr&9J=>J;ALpOGIW`uKRKC-6$F4g?$dzU?yO(Y2`W%M(-C zKAeYK-t6#_F0eo?zq7{63!tqlBrUKN%H0iX)md(*dRh1(hE`vfe@U%an1o-Mf9IK` zwK$8{Iec%vRc23qSt=>e}qP0#O#AUP15TW zjVGEab{bkl@a(nNOwcVJ``E&BWkPEE+{37yGNEO3f1`7a)Gvn0IE!;li~PrXH;(wU zZh3zwmJvLjG&g2a#UVn6(h368m@=4Q;; z!AiyckgjqMc6;TRZEKs4AzY>Ni>nR_9Qc{lWufbC)ID2eUo)~+$j;8JAak1RVO-ad zz0r+CbX7B+kBomXnAFu?kb=f_q|ln8veI0=nq~3;;H?)k@+I9-=veBzP{Eo1V0=~J zY{2ct3QEeW=)24vZ!KdO2ga%xQ;ICFs$5nC^% zmTxRuu=4B@G_qH&6J_y}+%#MjKF0U%NCAChwMA#hEW!rZ_H-HhY_jaTf%(SJri9e) z0GaKi)&PDl{?oU?wn~wNpS@cU`(w-bVcg8}(K3qxi|(!j41M)QcU(t7T3}g$ZZ=vu z*U7;S!i4TT#ptN9{dm0m1j`y9mT`to^8ITw^$*box#4jE8!rXiD-&v@a1bvOE8g}j z@@wK#Pg)C1Ym<~KO6R#27c?uz8v87(S6-( z%{0B8$uBYhSCu-`F>b=1ejSZ9au-^U;+xofG!(L{ZfryGx$ia-R{{(6TbTwWU1lE> zSgC>_B)`~;V!TL)%9oXqc+Kv8i5`6U+jmmO9#>F~1yL4frL$dcD@{V$QT61WP|vX7 zr7jm9PvS&#M#Zw)RdSc_A{}Z)0?e(xg$y&U$`T{0T$~|%fVMREP(BIuFSD;kQ@JH* z*EZMFtZzP|6N9?n6NA5Z(j>x&+?4CY#KU=|;$-tLN&{tI@y%Hl(4#RCF|Df;D z%T$JE0RJD>d_7{B2R`{Fc;DOr29Tub8caLSPB=7>Gp7IWRg!&JQxdqidMjGHsHU{D zPLwLW)GG;{g0wI0<reN6thj?=$dt;Yqb5(J5Ep`59$Q z)#7XFCYCeyWTiaP(%aL|vaNC5qZ4HDlSEXIpW)MJt0?@Ai~W>_%|R4PN4sxL4vxw_ z^qm>a>d0Bs`|GShWK)z!%vtx76UF4tlkMZz1LilNsD_ttjMp{Wa2_AK@6}s_>Bh&a z@E0SiQqJ9txO-?V&QM2SQ$S6XfabN$fl?{rHN>MbG$L_V^_KOC2yQn$z4s5beq#$z zMyu|)j!6vT?mpDIUPSlWE3cCi(7&+>A)5Fv3AsYFboN2bpw}z?=5KHSN?b@mZR&t8ABU3){%ceozug0KyGH+yWeVvY-MxUWS8!|d~ 
zy-c|;sHw&#yZ&yV5~S&VFBzO(KQ$tI?LD7dE#n%cugaR8$GhoT6RAg}F`FlX}S>F9L(lYJjpe&qt7L#EeUZ4Nv~5eM5zPUg-HrZ8VHhSG<&{IZ=Q zSc!iYB((lRLBhyuIW$@vPslf|ZXraEeF#kweo;wn^Cy*OU!JS#7$F6&GfCu`8~uWs zWk09U7!g(Bm9y2NO3_9yik|Wn{H^4<#tROP^m7GxLvjZg;U;N{|YXu2btW zwS6P4YI{*sp=~r#n=ig9xhaNmXb~_%UG@rYN^J$mo z;^b1#;&-*iVzLSYUG}X~&nKIy5@ly%E7&iB7D?BNh;3?1Nm|g>&)wj8yKK83omfeq zJEpz^7wvyVVyT3ze6YlnoTNuD_3Rk1y=ENoJ;(u#*Z6qwb>&uNEBqqf5vSBJ<`yB* zeXyoJ_{HlnB^mXZn#B+JPAsN-7#(kNqI#?=nsrWr>|ZYfmmNf<>AL#X<@wD)zu6V28=0GbeIDz2G6v(eq|b<)z|y zr{TzmIi=X`D#Os@-ty5QiTH@(C`Bw^1*SS-aeF zwtj}PyAX7xKHI;vBn{J@QSz>g&p`YMl7Lgd>88K9(`jvz6^??&O=l9w!r^?=N?!Qd z7Iw3$gEhexEHmjJsId&u>FToWe=+GkeG0Ad-jBxeQHNP9%Hymfc|J{u8mcjUppNb{ zlXe5LN!r9Hwr8pF7)MG?uWz(UsjBkwg(9{ij&Qw0l~3tyws`Mlk?&6hqnwMEmHIl{ z*!`x)arC^er%4MX>*q;vL3L4t3y1Ei(au2e0+fv25~b7gmhzP6APc~OP}QnaIKQxM z=*&=VzmHS)Q$j`Gp)X4*sdc^i+9YA8;-{`X>~{^1xIHk5o)6|E_>Y9+Gt+{f2tLy0 z#pEDBdx~qD+C3{(FploiWNgDrs$8zy<$f?uL;UG3aqMDC$8g0MgUNN3JAMUCz?K2OnDe*egVlzV@7WhUNFdNR7)32lc@ zT;`rLWQW?IidVfuJD!>el9$a%T^Z#2j&(ta^4edoTUr{Jc@)Y!=ND8~F9v=HlR?_-{0$O8WEp;5)(Nrd~zF zie;tmK}pw^=qHQ1=c#%R9cIbO<$V6kjl`h0Rw3*mhp6iE7njwOZs5^Ob{m{R%p>T{ho&HFohp_va}kQ&~UK-^ftfP26El3$Rh0&fg{A!z#Z`ujkaTTFojPMtuSjjW`-*V1&ytd9Sk+O}f7wU+4nASO z^Q;d&;$*dD5Lf!$ma#U;53gAE2xnX1UHtEdJZ$;itG*K_y|j+rErNfaXU$m|ba;^r zMY2!^T=`?1dnSlfnU%EW`z=!Xutf7=ndQl8%lyyd(HVY8?Q4zP{^n(AVEICJ05hKd z$dpam?nTgi^r6OpE}7TYEmV1SOnIaFOvfUJS|4fTOc6aSTYOaH`8BdlEFksbOaXjX zHaGfqk=Ka&VWents{!LfAEt`j z$A+IRcbcndBF?+5Kj}A`%ZwemaBoN#YH*xG;81 zrtIxIV-SwUPrV}fz$mjtc|dQcq~&C!qP<-J#pmxxUeq)!8=AadWw(NjbEm8WHiS6pU^PW^p* z?Ui?7o+JWJbDYUCo)L2qWyyvk*?-FQMG7xAZjv-XrFnRiVNZ?3pCHuqPP4smp+0rh zQfM^qF1t&t$Y`#j+r)c8EGCpbfwNGlpneI`;Jr0$fu>EyVS1(MIG!i7#O%(v<=N+K zb6;*wfh+wrYBbkkMki!i5+erHUBb2REeRw(phn0)Jng;a; zbv06Lf(V2fPRv&5$9v^qP;l+jW1@SSZ1X&23kM|w5OXGb_sRcD20p61!0$}ffZlek}A zZj1oTM%93$y=h2~=vZ=|6wEEc)#X7jk_j&UMC}?l5Rf}cRvaXLY zM!4h6Z$?OIZ6(^p?ql__S;fGB;pdk5j#pa_>@$aAL^Nj3&9WlUO(3yzboWC4P0gu~ 
z^AZ`O=C<}}f&u#KE}R|Vq#>yU9EmVg81%ugNI(PkY^nkS`gV=N~7;`-Fn2+aq6ArfHt9jU8)mzB^% z3Un=#DX7mp%G|n#VM~8%&@()9?b`+D>4IQNl{1A!fS~HfeMdUika89D z=;TVrL#aHE%%n6wx6oA*2WK|rx5Ne&n{MT_lSZZe*w&16OaCiFVGzbmjPw6dP7a;b zxBT98)VWQ(i^cgm^`OvRj;KotlD?xMbM>29#yKaLbY&rjKt>da7ncGk!^Q%770FzA z>=@;bwDT2>gbb;ja(NK`Hr56G;Cyy?J2OfZBHXHXh6Ny4xtbf=+I)f6RWJR#mN$k8 z2)yCWac*SHZEBEJ1;yZyA~3!6w4?H({F88w;}XE-xws5F5Ub1!5T1%)LpsVrZqzyu zgxi2dCNUc2$dE|#PwF-s;U*d;@l{?h=k-{{=B{Tk}5xp$+2ZE z3~&#!u+H7zaUTNusxLWLJ5r>=gy4?Hm=iD-il&tfp}8&gsYb~7{MNA43xi3>rJ<`K z=z5(Mo->8#jAgVd;JH7Vr|hzTybm!bvB^C2!gnJR50n%*@z?ooL0Sw0bWHL@YG@H{ zDzh7r)Iu(s@*15dw~_VV`x!Om_zq!H z8PxxM9T0(ck=gL~yD+TD{Zr*@!`OgAGBNh$NV(`AL|+BVL@qN{Er(4Ut{15SX5;73 z0O`zs3`s|--3AZH#JekO3^PTvV7!6C8f5)3fEV7lfm9?Xz>AjkheNLYZ3sxh6L>>~ z{W}5g{eL+^Kd!0#ZG*!k%SKJBw*?`E8SINnWD!8}0ptN5*B{EN)h==@_=9_>1Fyj6yCimuPX zYb%AGUxf_CJJ87iDw)sAGV}9ahMxV~h=0XfcaqjMi?bGT{2p($db+j_za3|Y-8{S+ z(n)|w9vs3CVGp4FC8gn(qOZeBrXz6&>|@~Tzoa$fYCN)U=3=#v0J4&<{w#cQ!2k

V!0<3sm1H=ik( zy|$}U6v_R4Y&QCOvc6l-<;o=`Sc-4)-|Wrd4a_K{MUltrJ}CQqcD`Fz!7M=Z)Z{1G z(Z`RnY)|(qFJF8y-CGb1C7-g-C845p9YRpazf|(?1g)-IFIN@3^hbaP8hIpXxwxt! z-~I8g-;IS%4o`}wfxpv-w*52F2KA5p%y(BtzMcH9--etT=p53ljnK^GUupKUc61Il z>9qZb2FQlpPv;m?#;O3o3&qZQT)T^3XiQjqCpUDM3yA{&r5=1lZ1}qBcb6? zZUfenPQ}qT{4*in%Y1>80Y%GJsW2fWmVe&gXeT(JNFR`*qsV7B{{<%gpVR6%HPyK_ zZm>wsE*={5=s+3}?!o#S#&&kn>3KY2^JDU=kY#j|$!d4?&D!9L<_z6`W`mV8-8dkW zL+sd(kKcHGa{^@V?1R|9qAxTHPm;JIt!z!HTt-jaha6O6Q#L}qd#PU~t$**3&5m-Z ziObNSs1xP01(k*~ZGk&s_}O6IY(n**A-zDczdtA;0Ac^i&by3X3Bx^8d3!eW_${X( zn7WqL`b)$ik_vbr)J^|NILibKzE<2h6;d6Xo-N#;lWk&~Gt%B85n4qxaMD_U-b5bx z5olW#q)75jc_?+M_g8K$v}?LazrVhtXH3$tLuM8-C>w8PzEv6{mMBiV9b#{6EF2AI zgIlrg=#&^<;IvlR_ks81xP{ELx->zw!(&FVZMG@Jb@!f(V(HX$f@d~thvlyjAqYJh zU!PsOBt}S6>5;_XKF^kIv38pzog!P;hIyduLDe$*;C4Ku3(&HFtr4nyu zbVyH7P5eHI$+QFhk9_kcBq8&1hW|8_=&kg?D>Jw`%Wb#cWh&-n6%l=VVWp%HE%l5~ zWm17h_H0CJ`~J8;O6~@avVET~9c>>UBj<(-QbqzG#vx7jRGpawNSOq%o~n9@Cf#~` znXY{DgWghT0HZCRW>E3miQL|ZyIlI038c!uhZ!m9jEsz&JkOSUNtMX@Sf66CAHDy! z$|?SlYUydqX|hOj*^?{2ojD<2A`abxD9tYCwsOzPdl^NieO?m*M6uSReXwIsd=a{% zW#B`}v4*i;rrezay)sm;3sNNA3D+!F@3Z(lJ1?qWW#|(ZrHL1->s|#yeUoB6gN4e+JCr zu5f}o&t90tZz8;*kQknVgUHNEb1v`sff`6Ms+uErd|Eq>RHoIAQ+HieqJ8Z8br@G{ zF|d%}Ciz-KfE-n57Nuc>8oAa&96zwEj2`cOEzb-^B_~dhAy>h&?SgQ3g%i3+O=;Ch zKH2U)&^z!`8lFxa{V}0L!&fm}CO#`eXGQ8QCW6J#Fv~gx;UEe_coQ^AVAs3ljhJv? z7(lzZqw36{8=jrxk3`{xW>Q(GoPJ*yNZ7z9#3gzTG$}Ilu;`htqm7WruI$R6IUo$& zHSqi>mqiHn;&inA+go^_@TRiF&j=tb-O$nS=?Ynf59Si6`p|K)3Pn}c?1PM0fLuq^ zTU%!Jcmt#`yl}>ce>pP0EnAhM$GgV)F5{Twg5y&?hxdMUE6y{tDq6{J0BR%CJ%^aQ zryT8eaG*$1cV!X17V-OFV2-W>Lsxs}8p}Aw@#m#SxDfRLZ9RTkD9EO*TCrVm(TCQ> zFpmEyJragIq4VoF{|`^_pF=JGu6_;@vk3#o5k(6w!N3O${-gNyWHtVBNL? 
zTJil7_6Q4u1F@Rb{sd(-Az13RiVep-x@Lh&?8tuJ$0mMfhAqPUJ42FQUfgy`)e6zL zGB^JKQoy_Undzwd&R+S#Yp0)`NNOU2PMyBnfC$~dtY10`2!?Rf8u%3g7Ff^D6?0vi zkLUkP1Im$(2CQbj1(f4nEn#T%O9CT&5`%e%{IXB2SjD6XL*2dv#hu}rkjREi1$qL( zHKuoorVE$Sw*(W3UzL5n*re z@D9Q+sMguPQVqfoI6Wx#%W(OVj4L1D{^hg57|(C4d>))g4M5m;@WFY!q(mFT4J}=| z1nn>QLXIAg`Hdx4{6FyLR?sog%iwo1OFB~0YXl&t1sUk4tD_5O7(9{@xjRo6@goBr zalg-W#SJ=*RQOCV{qjEHn4H-HxsS*Z`ROlaY(XAjG;3|P$be!dKBWTU?@S?sFw_AV z67jFCybUJ&R7;rciuL~2Z13UdLP%>0jl(&KSyAy3 zTfimNJl!_cW?ZBhIjtDzQF<48{77%vod|o5Ot6yqBI)QkCML#udq2nOlR|r5{mKP! zuj|P7p7g%H4qQ$32aZYZ#vj92Y%?}*wy!qzwqaR0)g0duHswTqfit*@xn2_n=XM@J zyunprt-vHEX=fF7gsGZ4Q3Uz>jSLm;e)1qxmaU+vIzm9%c;^fgV9Sl*^H_5z zn;~exU;gDmkbg*nl|T7NKmt9-@z;+b13#_4uvzTS-1D@opJLt?n9FxCj(iV1 zI%p|#2>I@cELz!}(~yVb!Mg8^G2*Z}SPesd{)fx(#`dd*Z7UDNAYg6zl#T}xW`*>eBV5CAQo z5Qov9osdWYgaWaa`!0WfwsYlyX4nuz3+3TROCU6~S3)kNTM@Jf%dBF$4gv}gdf|9j zv+0v~17Hd%;13VAAEpSJu!?CICYULaHvJA-6(a3}5U%;P*)TtKkOmMsh|`5Ni?`@z z!lrKrQk3uqXRX}28|DiWY>77vJO^#JknTmunpVUojLmUF<1=AtlrT^>l)6S7Wz;S$lX<#A0EG10REp7t~$M>>d*T03U#~WDZqh51|J69B8F?l-@JU- zVJW*DGu5nJQr~Vn=XhBt?{f!E_wnd2K9BqZN4zaA1d&d?3NAB-(qv>jB0as=2-4~r zQz8=tp$MCED=>--oT4L&wZR7jbrHsSuBBSH@JRFa<8$w$+DG_3QNaFn#H3tvL8O%+ z6uaC&B=r%Q-(G++-0O!Y!(th4GC!PWiNT~FSr2Dv9~?%$f~;meCHTN`fbiq% zMn_8S76bRw_R3{t1s}cb$?MF{0%Yd}iQOztEWijFkQ|PbW{KjKry8U);O681JCBa- zVS_~t4&OeXnQEp<%bWEm4en=jM1BQo{;&Oc(0PkIOT4) ztvBPg&$zlTRqYOV?PVZ|uN0)ka%3)@1wy?2?}UKpoUAK3G;Ik*E5dnydf75~sb+J` zi>>(Bk)}4G7v3tOA6_gn?WGBQX(VdG9KlTabB>p+&;4DPS_+~na`dvV zDtzo(F0webZ|J_F2zg5>ap|UZYRs9TMUVXl19h1c4G?9!Y79Y z-WL{pezwu6O5S=uZd*E1ZSPY{Ow$G&;Gpm&yZ*)$mx$KtNk3lJ27fg_Wlcux#im1><_)iBXk9XK-y*_%sUxGSOPLgMmgZEac0 zVrtW7R9fSUTSS&2-rq(P#o3knJ~K5lv&_Eo5;4L>WIT$kB8lAsNxh|KHa~+5g2DSZ zlDq%6GGsQPrKp~9(4{K~FAd)vi1fP^Ne^cgm9%RUlwsK--jDo&NWM|z<#gXV_ zj9JIDlil64ltr1T1Oz$s1oY!i=J*E&mV88%xMcNh(V!rJG{^0;D)rW=QX_gXV(WN; zynQU=GjQ!+GNGuly13X}TtXtZP3^Ni=*T#noHew4bc+?*4{);u@;%4@eqfO3DFS~V z(fRLZ;GczoJr=Hf`+vIo@_4Ab_iv13sVrk13M1>tSQ=w_&fL}gy}$SO`Q!I`J+J3^e$V3%FE5{&^Eu}_*Lh#> 
z>pIuDj`8)^jhm5e~lY{i#zG~C^^Aipp|vnsj7 zmOXrYWSctMTY!l?C^Geq2YSZOb8Hk5Y9$3XQ@DE((k0zUG6{(%N#9J2j&RF zE!a^aI4<1WxWH8wXG!A_Z9>7Qd7dkG-t1GVA#sLWZ#@u(wRo*}jfS5?!Z~&=<>iL* zLv{%ZUeB_^fmTMeC#GrrvTW;)9GHVDR?m2|XeK67J=iFv`81o;c=9%y3X_P|A(q`f zDMn+O3&0jvC(PRd%gCdDW(;Jic+I2`09ok~YL;LlADV6u~7^vr-`ftLCgCDy| zlgZmOnkf1ICdz+b7IpSJDFu8InZxVS!wwH=WGGTA2l+;i(z$of^jp%ls9tIlz6wiV zHGK&5gR_I3{v;WsHzn7(jyM$buF4$-nt1pn_HdOXnPbPbbYX}(g-XQh|5FI5ESJ~&O&KBLLz*3_Ne$H~HF!MBf z+!1;c!I5(A&if8j(6+N9YHPUG+5YR>M;=4=DV>Ga^QN9hoz;_~^G{A`d*wc9H`Ni> zGx%!aA=^dFRwxTsM&&vG)w}gSzD5bBUS|L^6!H$&ad6wPQ_QLXDB#<;Hb;zFq7oYv zBoCd4uwQrQtFK`Js31wdW=MJV?C9*r+z_%G<)nV{WwhIv-B^QnmF+v$8B%|Lf6<~k zKgQ_xbXU^ne0`qT!OFZsG#`R8ol^Dgh(*Wd+I&7x-sH1Z;(!)0*jxg-#%pk4ELL@qsfI$z${bI|Xkqu$rP{o7$Y)?$FYoHyrr9j~L&-BwarY4avr^v-0w z{@J(^REx4%W^OI5#a|g9|G+S5J&o=vpT*&Rr5}bteODL2%}e&x-SVi90f zPnGei0R4Ft)H<%DGPlmQFmMIibxJDsr3I+YDXMn?P`D);g#$&?f3GY>`i=di&)_E2 zE9q_xMc@6IQ!g+ODqoj^YN>bg-gPt`D1Hm*=~qwfG{!5bF3{LyjXViD=N8La0FGSR7Db{Q99s^{t43NdT zj%0mMnc2CGSjsViNEi?#pxJsCSq;Up3Pb@CRm=EB1mg+NeqU{g`~Y z4z+aC9NIcCJ021gc+GHg=*nk%^4ZUIuE!h^r$y0ET20;?HeD)KNe|-UkP*Bv1d5`MIp<+FLVy8?@(=hFCDn3kSw+O99sw$-$G67QYG+?o zp`RuNv{vdlp!AYE8p$5_y^q0jgQztH;-=dctM6=;zB|rzr9`FNa>mC+@SgyJ=`u$! zd;s-mvJq*Jud>r$TBl!hNd6dWfW;-qCsc3bM^=a~a-Uz@_>{6;ej+#abBu9$zYNL| zvo=1K5mk?2t9@+&Ip@xnWa17J2uRqkycYW0Va9-HP>cGgO)H$QaGn4zRt82#F_?)5 z_B6W*{oZfXgQ*DxP0DE6E4w=Vb*Ce-z<#i!1QeAw_L)WJeR6^ZkQXhR1QDd$_3%;B zllP}?Az0q(5c`7`HdODAU#ouaFAp;Qp&o74o@7#{eFq`C(J|L#%f!0`lom{?F2$=H zD|L{F$lPeHzgXnluPYT~8f2;;jH_SftKWK#neMm~^OU;OG=7>q;v6KQU=?s9f!D_b ziXt?7VDh$yOC5A!d;vGg4aYcqEpBG|6OBLI$CoARtCN59iFy}3pxAY6dzu)Q?H>f! z^wj$lZX#Ez6YPHM6`9)JAoy-BWGbn8F5^5gdES%c?jQ3^%#Dln7H4D7u1iUK`>m8! 
zM)uwuo14s9Gqvoy>h>XqKO_I^jI~$HnQf=E1S4OSo%55>9_X46T@qXOQ09g-kanK8 z$`<3uw)Aw*BVRdQ$1snEyI-D*2C7a}?3se3WX;r^AD0Q(Sa>B)vJNlbq->npJvf&e zX8`;eX=dQXmX|hturk7ASCww`b@F&OyG}7K4jmQZU+wUZB_K#(ABCj z%=DN{HmW;dp;5Qme%<=fb@!Gn+sYe|?Puo=;l5)O2QzZFe{r3q_mGLqkI&>6z}GM& zCjIcIzMSvf7I#Q%j>!*i_8qTA$1dd)YcWpwIQ9``+4ls#xd^@`CMHeHg2{qoHp0~K z!s5jlb}#ZxI1cSdAPI*yfE4qwJ6AfJAcbtxeIwyu|D{>tkF8|P{CYE)sIoVo(D*D5 zT#YefpdNZ1R5*O@XGR%IAVi!+%0SIbrbkEo*FpmJr}z(m&Gs#hL%+aQ;}Xm0tJ|6T z-8;8P=#r;_3el}{+kr#->iu^bEC(*F6+OkoQL3W91_=6Fg46wmb>lwA(v&HvOY>v) zZ5#Fmfz5nAACW6ttB{PrarLd+X@07*pcdB$>06)e)W)B9KJ9}~4@k;-I&7LCFY_ZZbJEtiCrsO+Ti%C{UfVW1RU;2X} z4?j6b5`MhlxFlaPxWvR7W=D{Up$aELRmjtt{j!uS-KnPBR*&_P2+HBEbU{qcs2?=} zhHHW@ASP9=s^6qBXK=9bPx=I8P z&tX)5WDJvH(Anf`)ac~-QJc={y-I?BDRGQr@2E_+l=aOt4wXA|s+YUFM@SEpHjKSD zg74XY0uF)JS8lGP8O5A$)mpq^zXHCG3G30U1lvi;x#eqTYc~kG6c6KKY$H1J)%-e_ zuX<8K z#9jj&mKuGBq1Ksg}0kc1O$$#vM<|i8%8Pi9b$${r0!N zCZi`LDT9-tuCU)umqCHsxn^HhdVCAslMz!iM6rOi&RFEO?ug&(ZSaPx7`P6wfa5C7 zm}hHQ-zE*WY!U)%HL0G>m<8^;+y08^n|>)iR2ILM=GU8G$Uej0MVp*$x~8~5`U2xQuLb!*(GY2 z+abNOSt$oF3mEyw7)i2quKHYuwtf5gR-JFV&;VZsNfY-O_brYXxKO0nMY+p^H%ED% zD2q5G7Jd@z!bU!O#OxM#%Hnv(b0bcBE>3=K&b3$154v|oo_POA_W*~SQ)ud|bK;yy z6XBe8+|%7f^F>+y?-t8P#?XzM>)Y!}S3)7^WFv5Jy}ZF2BR@HPPwbwJ^{yb?bHud| z9J#37ynj{}J5umCB2x%uI4N&bjowqsF22d==l!)oS;;DUzuS)Gn)b%fD1*S7TtMTZ zORT^vf-LlED&&r|pn(`sE`V&PpqdCxC)LFfW-_=H!^0>Q$W&0ibD#Qb;ImTbuKh9s zIaocop4}i;Fx1%IG^R`5snWh*?npFIT^HFyytga9UstJH%|$_1m}#QEy=k+4TQPb& zoP~_DtCL2t=hw`9LLSp;39>ju9J39DqYs|s1pBoNp_D{JMBJP8gG7^*Q-+NOOM%}$ zO_o|RjoD^b!$Ia2uj)O!)qqz|e~ri+rR?s%iXe&L*lTdLJd(W_@S=l*d2A;wHz z8ajz>j1~(9$$8vD*aEMwQG7m1)&>e+dG<_2YICqI&aRFu#h*mA9^6`372HU)D6oc1 zMZRh}#K=rel4e__r)TUst&!^M%tai#l&Ar6>{xH=r)Cf4Un+O7Z*lQ;zw&0Qb?cTq zY-bnGeu=j)HBLK!7q@xwv|bwP5g{yOdFtbNMozIubT));y;R?0*TIgevA9O6(d=6u zB^Q3;#{95Z7IJInxU(~Y@?utYI!h^b%4Fu_aMZ=^2&1aK%;e52b^lm81_~P|am?Z0 zCE{HaS8^*&YQ(BEJ8c}Te~L23#gSNM)tI}pC%p4(%I=8}sd=eZKEFq3mzjs=toOMwv7WGIDC<$S~IFhtz;efMVwT?_E*8m@360k#zh49Yd1vHAx$! 
zIsRyUd=jN<>}GxYmeq#(83lqz1fn`HV0n~^O@FT+dnc$ud%V4F5S+GKA*y(MZpuh5JtQ zd!1~&Ui!E?jFQd4dlH9lJ)9`ucTb&HUXfb&y5h#dn@x4cB`%M#1H0T?-#&)0KZWkj z8MY(pMH{e-oJ7oiLr*Y(H86nUY}C_eO!U=cRUcSp zQIzX?7|!OT^_5iATeDmvpi6dOg~vO_wupeaVW%zc-i@+2n^J7bA`*9mXu{MdG2Q1w zP4iXd-100Skwkn)Wy~6UmQrW43AW?@Xw#JyGC4$h1&bS3-?`W)-m1p3yXCoS^*-jP zxXNP9jXaM~N|gcJ?C5c9N?6(@U}1E?_zoM$YwLjAaTZQuufmM`6UDBQ*(~ZCTgtQv z9`n*5JtT=@)_bahBUVN9t{VOb6~DWgY$>U5_`Hl$wo#D8zZ#Ltm_*$2D~6q%By_H>{Jxfs)z0JP1HH4uGysLiaVW zk^=vnbprYl@=B`I$N@fkdvNu17@0%O@+6bstDt3z4b|1utEoOE3jJPr5$z`FID*wF~oE)Lqz%j!uZ~%0MVBa zYfmdIAwqp98NW7Oa_=|?f8Pa^^Fq7iv&Vd6#oy<<9v4525&_B~a_+jA5m3;q+lO`O z=o$GKLg8*;CV*KgXj3ggcb+7c z?8nenL3UD75LKEKj2^V-sedsJPn$nm$}bwV^WzjR!Yqg~-KM`%9?K@K|3DgQM%IJ@ z)usT|p27)>fc`P+on0mn7pukv6^Q*k&zBl6$Bqpi&*m`?J3Jskrjka?kkrBLH0!k; zoc?q-dRM_&D&?%dxsU6R7E;YF@d9+$n2>j!1Qz)a)UkXrjnc#-vB}Vm&@tl31oOfO z=7me~o)<5e7cq3(Ah(76Ru^i;Y5jemvz;O-9ET}2W}Q!>>{%y?vk}MAX9vzt!V;$? z)H{Z|8yyXkh~3XRqtOImed{1u(wBuws+-K@`|oM$kX02mdvbheNJ$s$)3|u5?AfAKThfv~Gucf<52P zh^AUiQ@4AZYZ(a3>^c<%7Q=kfVCkcpk@_nyhnt;JpoM>uxoXt+9dnX#5-1*)h{Ww04t$5=@Nk4oI z?%fHsqpmN*p0s1Pk-Vb!iT;Fa>TM1~^{KDTHk-h?6GCKW7BO2a_7N zR{-hK@+9qkp4Z?^fXACx*W*x8jS~kH#?A%>&hzt{2V7qkRO+;e&KN1M%xAW{T)7~l~j?a;sj~v zVW_PXAc6%ke;Yag924;Vq}Jl2P_$3x6Fx<~BkHZUu*)qI-}k;&WFecJAA2OQANWdv zzql$8;Ne?Mew9xI)vX2mzX^ldItC^&ahiZBfoX6`yRtiZEjO?)=aY=x)a@dE)AU;H z^{!_AEffBkbrpztor~}Wwn3p#x2#>zZ%{MM1YYg2R&63!&N?iQ>Xq1NfNmbG4l2b` zTVaS*&@r?lowIm zRMJ*ukFopqG1p_h46TQD8*h;s-T5Y;4JW2O++3K`9>jG^qmTkKscf?xcpz^d`t}RH zx_k`8^$kmlIq#=<`&E>8n|uhGb#ktEqm=E1E>1wkd*JZBfhPDj`2dxQl6mY?7#^jy zTR5-VIcHJ=cTkHtCS>Cc)(Y39UoO}o(HyP09L_Ask&C$mNjR-rEb+xFfY)C^bAZ zC{Xlni4} z=O6AEkgC5M;_=DKck#}ql|@9O^JON7Ga!xNh5y;eFx-+`LEHL}s!FVxkA7)q~njhYK~lZ|ED@8M?c=G*VzG#|R1Zg{Mr1F%xU_Gs~QE)bzGOG7=r zSN>QNbf)+6@98~pJKU0bO+mIz{rg)kGYGLd3{I{0l@va5U#AaQ8pP8FS0U#{O_14foa4|@VT znWz_JX=9DTM)W%hd@Crp$b|Gv-!3Z1dd4#GE)?D$Uf->jtXVa0CdT}6ikB;hb{RM z?piJNp{t3Vye^Lnzyy?^e$;TM4dDO;>u_wylFQ5a;!<(o&I7po!;*M0*xCF2Hanw8 
zz7q@P*5^`V?|NVk5ffB=SNZ4}S-Ai(kNq;W8tshFGaO({LgX5%mCw*g#Vdph7jf+O z)=}Lb^I!F?&E;h&jDx&DaxKh;X(Da%E+|TLEduFa-Cve%gYV7DwpVzAC`YEzCfG=g z@`CSv8~y8J^q&tA7j@ZIU#(d-Si4?MH5!B-VVOH?qo$dl0|89=2z`4~`ft;4;+jxb z0I^$gYOV%kp#`Zac3Z1D!>mz8)exqM=AF%X-UH+`AO6jos&joC!F!nY6}+2&Gl}gd z6oOlr!~47eFtQoO;e)N!At-cj$)06wOWMd6&o#_`vdx{PzM_Ow3o6+x*Kk6z`b}=Q z|NiS7D%f@6!z2mFz8P6?p@Mj-{@SMvjlmSfxt0a6*}S}OucvkQhf`Of_^u{+_K4?Q zl9u#H$9j0^i5}PUt7+2E1Jxa%Zn2Oc7==aDZKsOK(-5~WG_ z0}K0|7PpA`Z3}==WnBukoH=w+HA2WD6#@!+q=eTWMG4#yGfCwLkZa$+Q0>so>d?Ps ztQCDDkUq!SHFfa-%js9#;vSKql*buIl*8y4P96pm@6Pg@V==$b$VrqSJEST=C2qw? zqk7Cf&YVs~x!ts}cAbGhMGIq9cU)kXFTXCk7N>mz3z@3JAUh&FTY#C%aagZ&kLK;dx^4Se~V^T67d*+pM1a? zOMtePo?F=CV-7`cw)9EkC#j3xcJHFo*@0)_zjwfG^JdF%ot5EW(B&(fb19`ydlsEu zIBu|4;!!PcQNLm!r7AyTAa}Br#V^tYpJ4sg4+%7GIvN5OM;!WaF`JF+ezT+6xB?F- z9ZX$cOrL!cDBjGzJZHc%mvy6nP@-_WP#RX3G!G)OWqXQ+y_@~_JoGQSUEaH}m<=-f z#r^7_s?=;S1z|-VCY22N`^iDjjqs+b75X8^SdqtzqIjBXUCB~9zEvp~C;GX11dXCb zQvrFkNZh2kG8_y;gxqqi?%9HD0mkEM%!kD}r!Q`5&Bu_H`*G8l6i4>AQPpm9;?_Bd zHap}45>q%qHPKUoiqC(<81Dgei!-5(3ECtoShiiwhhK|Nb#k#hVAFD<^d`_P=0u24 zm-EbmV|aH0PQi8faOv}6$xdLR4k)8cZ#g?VPq(v4?I#$(%2!H0*4%#mFlThM-ZNy^ z1SJ`;R6iqwPbWQBfVi2Mk*&Tci_Q6_#tNvKgH(*8j56epveqRKLO_>Gnem&Z=3`-* zVmnK5Vv=0MJdm$K&scl~aE&a3x}l$;T$8go+6D!NnKCGj>IlB`*b+`xe8HO*_CfJc zgLHYx>I1__j(Yx`EX2x{>jhaQ{0z#2xC|v(=K1y7;_-D>iHH;v$^q=MF%4he$;n=3 zVcxfc~*P?u(A+(T2VG=}0lZVU2Y^)=^14df5omEOlm{O;eKVnT%o{67NejUPu z0m&^dz};|ZK}7f9!=oLbu+3gQej?MVihj#Tm2>~*IcebQXSESscc02isb1O4@G`if zjFYFvR~VlL;+}wN>~-=kOeHKW0VI#exyQS$qg^LCTHHFv|J4coIz!2`YDsZf%76o` zn8zAGaWiz^W4`e3i0DDYXi=#|or!9x@q|osm=Jd6BZx?!K_8C>r0Fx`0{4BW4FQ>X zD=`UfUxuT`T-mz#DjB#Zc3|Nrs0OVH&@-;^00ip(%gcMjbxq=jx3{;9``3%6(_9JxUVjAh z@73caj_p1lyWT%%TbdMjnFw%@_=G3gF<~fsgL`>tuB=}AT%^&&GDd9eQ zEk-(M<+Xar{k;tlAiQ?y$8wY}3ps}66t-a2i17~1KcscwBF(#2a`ggHkH<9E=KEj6 z__G~r5OcPs+ynOY0u8#q{R`-5%NYekh}x2ip<@sL3hL(dE581-6AvK3kU)?}K{SJd z=E^Dm67^5_tE~h8u7rBD$b$z=;B&_^e;b@Xzx>m!P_KIrX=*hNhss-?74VB&Rc?g1 
ztT~k2T{ox>5$tC#=^jd+!@p>_;<5I&B;ONnc#;IEKN_iwtX5|efC>Re0rGNOsk!(} z-yaF`xKQ{;_Tm5NAi`}&OUt5<#p;*)a<=ukY0L#;M`6n1HMd``kWvXQEzLijh-YnChJ6AN8unp)&pN1EW!qITl~_L zyu-IXP#kBPl?CgnP>A_#E3xf;s}iBdUxiCUrL6|o=Kp3wAlBf3Fi_a4`(N5KymckP z9bN5+g&VqIf2siZrP0KYbckr8sJ#B;j!0R<+;Zg)$~*e^iQuG)1!i$vAta|bXfiw+ z+(>ze<~LSCicPK^J%870AH=FejX1Ynzul8GEa7C2tvKh=HG2y4W~2K+*OPR4Lx-#B zpYDcP)uN3)1j<+t-fWhd-i4(ri}bz}h#2DOf5|@Ez+UZIYfnu(6@)J=tB{736MP9M z&k7L@YMN_d9W(&`sK#aJ_~0QVrNZ2dOyLPm+Yw7o;c4dEGKN({Cj0N4a|N`Me>CC= zA75Vq)xWQD%u`L~Y4;U0Wm48K&RwLOZL?^;4pLX$T|{7o#pvU6=c?Z{ZLaNZ5jWym z&RpL%72H+~&4SccA0H7pbe+LBccWG5()P^kga|u}K!Wb`a7oZ=F=gml^9 zuNxYXm@CdQQrnTc>x?0GYr?A+T_l=)R2}~4Q^@eBq`ur!MbU|LPH!%r92&nM5xBX| zQY=p`b*Tn7o6LM$&SQtwlnBl7&=Gs~G#YR#nsAyx*#|WT*}vL&7QeS4h-h~3tLO|b z);eBu9PDb^IrMc6Z;j)fTg*Isy}d~_dmVaookxf=y1UsTLxKi2%imlaiXpmjtdUP- zMuSMlt~1yL{VQ5R3mFLAvr)4sbl+DTs{qP@YhWDo3k=s*Bs3KL>!fpdi ziFb}@a`|G0&l{F)wPd00vBgCV>8jisc4WPn)>|<~Pkhzq6XcnNRhx5$1iljQvshbu z6d{nJDZ-?Sv=myn&RT7N=bLWW1rAvNVIiPP?z05tiqf~I(xe?c`#%8e0ZJMMW2rm1 znoO?9xvMT%-W9r6gIrN*X>%#e)Du%jFfMI(Pn_U6iH%qr^3FV(A};&A_>s*0w?dr? 
z*z{QD)H}v&!xklLM^>}|sR$e!O?C}$7t>UwIktE951;Olh6#w@T~~#q;x|f_e2G_f z!ouO6ryg$4JWr*nXG_DzKllqUlcOC&K~d)&=jit!PWKbky_kQnlIz_19Etjs;I5n; z?`$lcAS9K8&DOmXt2^cZ^G~<<+&>s)m4@cPOZeEUb;*+NS%8fXSzH$a83e7CA+6im z|J;B54c8i<+ncr#l}PJGNVe=T)n2}JY{kQY5&WX-`kdqD+Wq==*IR{M>rGY2nZ^y^EapXYVY;P@2w`nuH!*J`{10>q=ecl&!Dx`6%u z*h^FXhT{YWSnN5AYx05ycR|d=1&8JFpv#i!^nSKozm1dlu>f}*I!R{;E?7m;8P@}1xW zF#g{9&{9yX%9|FBYS(l$i9c{IC{b5Ld=_>SB=1ze?)te&{o9BJ>#>ln4;~`C;y2|| z%P3xIfyZc@aMZLj0cC=34c-$3359or?v3|c@P291?~VY{|wpwictKi*z}A| zfUY#J^eQqi`_b6Sr+>M9H0twzm96|Y94=*aOM(DBoiHcb+0TVa?y*vtR)tv9xg?#w zQ^1IiZa^lMTGuudZdQ5Uo|Vv_{u|jKFF7W%4U}1(5@CvoU(yvkUHir<&+?E3@1h^D zp!xWrX4{gK$De7bCpeXVC?P-!M9UX*rjPG%Qay^Ng=ZQZPL2I7d%5mt~%5o9=<5{97&c zE9DTPcPd03Vh-E&}0P{!jvr(L)I zs(35!Rg-U-yMs5Pedwo(jrv_lCq7R0?&*;?RKbpz-f$p19m;YW$elYsa&3G3l}#SF z*yDPlCm@)et11Nw=3$V)Ci|7Lm8g<%hq~30c{R$9-V7Ci_F1RAi=@S0w&2_M$Djf%Ftb6EUhxCD_o!mTk5)i@0VSoj{ z_d))Y=ZVu;iNcB`SCx)uuRpWTulp=kRKOxAV7nnDiplzLs7*CuW?NZd*u!nZV6WlY zx$N(z_Er796E;kHarpVRVoXdL!eBW}r`)||I|VI+!zwrvE)?pL)TDix7sik<_}nLo z2T{p!Z!B-2TCo)0YW2F)!Y(;|+>rq>$a7?Pxm3;3p#|X{20x!{*6W}*Hq|h}Mz=Q4 zO*)$*n7J-e2_e?HQ`r|~0W%@LZ2jXSJ)x%Z1MWy5D(Kx!yGbylntu-Irgkd&O%89d z?|7bf#fqDntYF>4dGj;{jyBm5+3ZK?>{yNwSI%|&&~j2ApU-5myX-UZJZT;Q=O3spW0>J0c7H6_ zo=U=7pRR_rXfO0TQ9lJ&?96Z8OjUrOk|KtZ>+fi6WBCgBiT!iCRSGHR8_+dH*5C2! z3h2)%;@J7hZ@R+%s|%m*Drk(_5WG%c1GXhz9zO=4wIJ*t?5houie}>X&R4*9)maZ6 zut>w(j9ITmS9KGR=QH{J`cdN+>sbp87A2Q(PaH=avddZ&A;d+gy*21&?^a6*vJHq0 zArhr--Adco#9!<`55V2%^#23`ZvCi3-=Fb!u(nB`?w6gi!4=IrPAyh|Te}0jBhv$X z9uLsbu~^e`0h-f=@Sw2CNQ+taQWSDPbs-JzS<;}?V+jJp=jI*zR7m*zPe-<-RrsrF zlL8~5!b}rIK7G1^_wT9~-*!ur@=0$-IuO(XG;l?D_4{(x2WdJk_fLfYj6mWH`R1w? zxJJvnuy?lq%HmueI=`g1ub*YsX}%s@gF&cr1GGwT>E$W8k&;=Den>H(17)jdgUo|o zH)=X?(wV^kKR_sm)DA%lR~rwD{8ag9Epp}BW=@zm=-f_%Q? 
zJX$1Q&kJ5WDn)a4yAA$f1+M|ANod7IN4OT?O@<@Bat|eLVBWOkEE7)aGQ|(h=qVWZ z?}E4w@87offO}6fkUSqqtdIS5%xa$#oKfStP|Ffz`9R~o2Ejl(;uKt6)g66w-7ui} z-FV>nlf|^0fGnGTYGeEVns5H!(Axd)3`P8ZHCzp)_AQpNO+S7S5PqR!c-i)0epeKR z@;B*GT-}Us>yt7Q&K&8#j9cQjMYXoHSkKMP*?nmbQ<{%4KWlL^lrmTl!}^!6;YSNi zL8%i558jJJ_x6PY4Ly9i!lK&8W9~Knu$lgk=}^kAaN;jYd-__JbgUeRQ$4)|qH#wZ zGtbd_@hAJU2fO4cyctB0CNKvgPbTW`_H+JXew@o-+k8WvX%!f(Vp<}~&jht!9?xU2 z3GgeFf4KtWF1=3B#sAgC7qr|3nH#HIASL2Bh^cm6{bWQ7e$iSMdQHpvFcPrRr3?OB zBR?PJG|-Z)&SyUXFC#*py)^1?w4r=6JK_fCDy?j4M@oyv3I1L7p z-kY5_=MqKeF2SXfftS*`5AHn`LL=*AdTYJQ}88K+LvfK znNSbgqknaT^R|6f0Btal5Rko!I#nzDTb#@lGXH(Q6UuxwyYZrFxpnLTn%Fe1GVIpe zxS=%vqvvyVKt!t3)~?gs{GaC`kDRqktzIget}^+2@#0bNV=G9;usm-@c+v@uNy5+|8gicLUTf#AQt59Ix_Oqr*}N_236@~~%$ zHGen%OG7kR?AXZe`{3;tHje(sH(5i&D6c{;*r>f{$rJx){}!a7kA;j6g!rL3*b`xeV{p4(eWu?UkS9A<7mTTR9_&)#{BvDrY literal 0 HcmV?d00001 
diff --git a/src/assets/img/update_controls4Delta_diagram.png b/src/assets/img/update_controls4Delta_diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..07044659e766837dfe80af80f870bf71c4f50f45 GIT binary patch literal 74464 zcmeFa2S8Ov+CHwv7-OOa)EG@{C~7q5?M0(_d++_Cm~(qSw>NuYjM%Zp9(!+CQGrBF zY!MO*c8LXvA{q-SAn>09_Zlq8=C`}wx4YkegA3=(nKLtI=6T=unRniq%@7M&En9SK z(Wp_QmK-)++NjYR3E+Rp&6|Ogcc+ZL4E{9sNmT=KR-k5cZN+?hp|yI zmR5h2j6qpopFbH(PsU&v4x`@hg!ypJXJ!xBJpZysAN;3s2f;M!re z8^IrzQE!KlR}5Y#)Xxfo>=;mAKcq1;kl714!Ho+7t*R?A;5I;h<8VFf0$u3v;pj$(AM_Yffz?o-1#d#>AR`)=LeyhO zDMl<7pF+T*^(hz}WI_{BM6w?BN@ejXone+2a$5wj!RP=*8p5&GVMw3`q!L45+s$4$;EL7f zf?WV0$d@~zcrmf8J_`ikT3>QqQp4e_@8Nhqdtn$<)L^t5K8|N{hG|9zG7Rw^j@1JY z_y7Lx^M3L^m$!eUI4l{BM;S>tk_n9`;ZXXNSouN75r_?hjKZw%D4#zPM?R1azZHxM z#bGrgGUA8bK#ZZ-ox^AXy+ZZ5A-&aQmLt#Tq~8nKZrCA_1Qnfyy z1AnN#dJLiwm0_@Y0jTQ5(gz2Saif}m2+3kC!-0E?-{}Bvqrqj}a2t^UM_ztDtjLWX zc3SnZ2M$PQbWoq;g9bZbM4Iam0$u|GYJUzkq*$azCgij_5E)V$y#~ky#gbzJ1HPjU zT5jm~QHpmg=s9Ct9Fbgqj-KB!#4-Yv=J!Sbj^eKqVQV4f;=%;|9Sfn%kdKW@nkGpp+ej3KAzFUv=N7+8JH9-_7#j7 z4M6f^0}Ffo7T65CAP3|3)R)Hh_dI;K4sys?*^GXFBsMBgzz>6@1_1e!k&L4t8G}XD z{RiIk`5~{Lf@raZ@BnE{VDDmJ`on<-c=hUIBK3;Y0W*a3Jo3q)9B@;ImOt;>*FwW< zbU=P}E^p-s! 
zG9z3M0m1*QI>aCdLaK>@5=$oaBgO=)fku3ut)WIlqhlH40RGo&MB*#B`S(+Z0Ic4K z8qs|HFeow@=eh(y&wP3|213jXP|3fFJy8K3ydMay58c1ymoM1Z$jz@63iWc zXV5;o(XU6QF9`4fm33HMM%wd96OxFKlLopJgT*jGuVATQE@`j=X^KCK@l-HVZ>W^9 zOcDWu@Zoy?`ch^CLyPnj?pT?=a4)*(DCnz}1_Me-qmx$Hx zT=+$jj?gm5=dPa}nyg`@9n?Cw8@-Gm_%MX6AerKJ(isMy?6&lSLOxtS#33=<7xDRx zNE_;?dxIuFZ_5jF52QC^37}|1Pt~LKf7Tv>IrI1p?EAaOacE1WeN*JVFp)X1^7ir(W6cdL}yA zZxoNbLM1V55sgo7;=Ax;?eD~tg) zRT(8?WFo}BDwIqfAnaL@4p&)YynX8OAFp1PKd65=n(9ip>Gq%#>Opc(jklaGCrHqm>3> zv<#z}t;Ko4vyj~E&{D}#2T5k)(2%C#gdv_oZ5K(IejOMls@;NPLjnmG4(Otw9==3K zr3$QsDELMKgXy7o!0=G%>ad zArFxxvZ}0JGS@~i;PGs9z$l8irCh8t93=&PawJ_NjtaCIxrWT*IQ>{W7+9tRXQo-z z0;3EU)dV0K$^fdB!6dpz#0x})TslF)#)Vw+FwJ0aNr`Mb#e>Cx{-zpPGDV0WG#Vid z2G5~z;V=%;2;Hz-9p%^|BgQ15CNz|Wdcvg zP8B0~6o@58$j9P4{V1(iPov0iT#-ql@IxM%*UT^)Bi5+F5ymr^IF8Z}DaZ^aU8vGJ z9ZWKh4lzU$vz!}HQ|J^1JECUWsXDWZ>+$*l$f+DTO2nY4sV<>i6!y6AR+e0W$H=HW zegN%6X_X9|RIW!kOnQOOtlWyT35c9l>= z@P`O~kBmhy`XnMNM?}=9+(ZHs<}jpTq0oS{6NC}6hbomx_)3P%Ao4l+x-bRh<5=t( zlpyRTY0<(6g~g?Ybzz|3hgF_ zO~D8Yi)B)sLV;8OvV-{}HE4H6h+(XhF5^dGBF-3+AW|h4xP4@)&SkQgf zh!b?!r6j8c=TbX4h{S|hE+J8kSIU8gVRE%dK@=m-VYW-vS}AgCM-w;rWpA%)X}1ydfXE(CL3o~WD)7Smu8$s?9&9YK-G>~jlkP9M$_@k&r? zrI1CIXh3co+9g30GR1?}Moe_bW|7&&BH&fSFgY?A(kPBbL)M2uRvacsq4|k)0ZGRU zvK&G_4#ni#I4)Qal9631Z^YrS6U@$_7$x_c(f)v&A(7%W`Y4kVuo$pzhMiAv{e7oB70yK#6jKY}#|g(xT}_7H7| z{YBI-PbWYH1Oae`5d;+qlaZm5LsUG@>I-1R7z)M)MNG1&hbK}CsaUO6W0aXmR;m?I z<1C@v&1C9L3cU%(3@Ql$D#phpIr)&)LEr+ZrYK=G-^y~JwIQx6B4AO1bcW5wMx*6! 
zGur2Lb5J3&n5)!^To$>(OBL7z!LZ*I^rG!VVT3?~sT2$wZ5Fy%Zh}1=W!SxZ7t7Dq zc_Lz+%w-VpLNqdofKm$3VG@?^c3b2`l##}Su`tQ3M?Q#c47inYF4hrdp&V3-SSK+{ zX>v`}WKcy77|2PWFgPMJO&x?`j*aEh2EhbQtntXiZc$WcF*z9?5!Om0D|PBTY~w^IoeA=A%{%7CCU`4SU{YqRP#5>vn}=1Pqggdk`Xn1Ea3kgKo; zH-Sht85pvV%?SG;pU(js$zir1_7RCLrh}mbOp2=IF&vU`*a4v-O~9e?S!}S4#}cc8 zYOUS})~Mx(*g-_20HB*GR#>b-PLwGV=(RymFi7HpGCTxN*cGKmYfGDIg7rz+XO}tOoWC6;PvKE!`g0sHIw1<7GuGK8!=Cvq{YCfS$}F zIeB8FXrnSD^12a??{*0zXt|POQyN4{o=t_1K(L?9r;>1ZDMKJr67@V{lu7|gijE3+ zJwmHUZPub4Onz7@4l8ULES5xInuTf=9xv2*U2-oMNFEgizH6o}sPIrURwoalnx$xw zlT9^84K8xTO9)}iZnr=Ip`soqUFCq$T#l6MCz%3lj>l}(n+Rf!oNTa$+)Y!)M|12))bi=wf}=)fL#RHG&vG(JeAGg^5RuOIXZP+g%2hUF&8 zi8QxV6+#;2L7^>NwIdv5+F78Zsc4)B(F+bK*(Y)`#8gknhF0NJswm5WaX=P2#z#U+ zbV9x}5)Eh|90n~j@L`vOh~hHvQKef9DbXG=F!ypbWHU%;d^XFj6k6B@8CalaQkY~d z(<@h7!Elky6tBA0HH8oUw( z74PzR0YUcbI4DVkq%i0iCl}c~uInmc!-nEmD+4 z3#k$5w(-LfwGzt>a4|mE&ZLuEb#FkP5Y`@qD3-8PNfQwuR*+)>=8MT=5F|daOodW; zxHftyDvX4+B#c|A3;X$UNJu83)E2ec0-N|&G!qJN4Qw--N6~rg_%Kx;4cI&^a}*Y$ z3|blnhf`5uBO_$j0Mih`Iy`a}&d*h-wY)IwWQfQZFxO!yRD8MDOyGGS5!Z*8Dp)M1 zTTOE_@sM5xmjAFMFJB?$yR{KB*@6$7!yc!DOcua2tcnJ)JbXNw9>OXqK9Np=67i!_ z7aGMhEB$Vye{4dVhfQN(D0E24V5=hpf+k{N(^Vle-{>`mOdOq=?GT9Q3X0QDjX+kv zhQop>HVRWJLQ$zc(1V=Yhlz@p- zSQL?!>W4!p$U$3K#?&0(TJIZLb!ue9KevmAs$k(HNu6ADyCP(br1w0l#eVinsNA$ zCM;***)Ux~MnX@hkPuI`(4-`m&@IyjXganXE#&*PdY6P2<*I~&hy@!6!8Aq$hjWWj zL9bVUat67sFbT&B5ZFRL%d9c#6iOFg$@LRZb`{TR*WqYkn^3C4GQD6m-m134Vh)26 z@af&*a1bp(Gc`N~U4rv#bY25PK#!6_hA0^s$B0FYXqE^d=wzFlD$(TDMW);F6SXgvlx8LN=RC!5WDW zAIw_#L4uq`w`g1_vp|C9$ps20hAp(oMRtflg2X1FD@q3C#JV zk)33@jgGZ({Sk!I>s7h>Ds)i{+huHx+{YnMbYl?7nSPad`qpC1MkscFZ zcohVM=mrqO%VrAPC>7&$h^Z=p!9iAX1RAZAOalsmN;CoQM<^sj z*loa|!r~zk!jv>jwL+rjT19qj1m|Y!h@mJRqYcAy2Lml(t0;bo-YY;Wy)LcW7jP*h zhz|jF>V+Z_1DSW|gEkkQhVUv^(BZ(#gCUupEhCX&C0ePm>!b=ahT_!7i6)2K6_Mfv z24h%2q>=S36Ar->!35|%$*0!n0)UR_G!B@mKuN7SvxrC#BAD`NFc_(dD~1guv%^Le z@nsmI#L6VGcqD_g zfhlyV%p6N7V&sS{aKK<78T>e@J)%K!%QbGV8tb5%m>~kiW&Z%-(zC2ZEjhBuME;zPOnr6V~rw96iiyo 
zIKIde0rkr`Q9e-$v(*rcN9Z5Mtqp}yG%AKIi13&WvM(G6iWJ_U(N9()x`&RI$mw<_ zTN+S{Tzno+>8FxuUbLRbbBWoekj_K2y0H$4#K4S(_z)s%9J^o3SM!Z-GM#UM%s~@1 ziV1NrT#}xR#}hyX84gXQcnM-r(4TdZ|KT@FOu&)Q~_b*6GM0N{B$F@lAGO6vy`Xqojy8z*2CH5u8kCr`xCm zEdioqSy-2jqGGFIL!HwCypA^qgHf*79+oH=L9G&avPeb)A94XYj$&9X5(`#K7Lr98 z8YV&ufW|XTk%-8y^>~0sQ3ocN1|wSJ*BD8dAQx+P31Kx*>_o3DEJGnm+)fOEX?H{g zW^@)aiDZb1gd{{O>X;stgD<3pL|Bc52gDcB0mpX`vtgunYjbPC} zlo11iJ1`L7pPz2DL@9h4%#iCCIHAs=@YkVUKD z5IyLjGSDii9vd)G$W#gnq{BhPJs>2wagf=pGool=utaR}@cB-vG(@n|Pyt8-J|-xN zuz=T39CoTySi4UQn;lNFzwR6O3}FOsGdqC?Q9!rh!@vzo@rPpHj&r(Tycr7k0OiF7 zVV44a26gz#$iG z@wp>W0$u~=>*5fiO-0%W50Y_6Ob^cpaWF;|m4Q;ZbZ!w~32Z4_MkN5M64E+V1RT?# zL3l^@lc_W^gFu#XoenfgisIN%A{5swr?Fw9NUTr+yAMm* zIJ;Pa3x&}bz|8n+493iaop_4fVpKAs5v#zC(bJ@C0}_DFBymG%238APTqrHWK#5}6 zZW&!6_Rt{-4d5HBZxHl8ojYnF`}A6%x0s?RnL(vdJX}nj8Y9z*Oa>85`G6Bety05Y zv6dzQa|#3Et(7u`GA5hB)_aM5s}!a6@+eXoT8afeN~TF;3Gf+yJ;To+vxRms1FSRY z#ZnSe?9vj=4wD5d;WAT2K31OCDG*|$EoD?-N$|RXM$_PRf=p?Yh1^$A6 zh}V)O!#V_D+7|*#Toj5-p%h7Zc$$X8L6$oIB)T9T6Y=_piB|$6;@Mvbp?EPUpU80k}cn0v=!AkcNQ^@w9)Vzy&bm05A<#P5&1H z7wQ7t>Vx7)Xe0usE#=tfQ8+7EZqM?WZXXzsH}GY7pPS)w^%`>etiscEM6G_ z*&hPxZ^liafl@|#_rHM?uMeESV`A|8p9-8H|5M8U4-1@#qpm^Z1PGf$Hck>pvsfE*=im0N}5{8QI9@2Fkl(%;yW+ zmEz%^Ac%;dCmD67KhyNDPzMYuwtWxM#W#F`iNIfrL`EXWp6}jxzF`C(-=7y79ZY;% zUW4Jm#)FbyAQed57$VI7KCB|Xx$A`is^9nl_#9Z=XuvlJo&d5zur8K2rG6(HSaw38 zac;0Sh=iqr--vBb3B|T&Ay08gXT=@@PUlaF5lZA)-PSrxyx92ulVlvq3057EW$gMe zvJ_Zn1M9Ou5kB9MQs1`v{VJ~jDjrOR?8mIze)2LGjWN~wy?k|h@%)euxXS9bP6AoO zQo%htzQ?SN_JD*2k-4!wfem7W|6to4fGo4_zgV}uW~bdBM*YT#_CLzY8_E@E4_KZf znO?iWHTFD) z&-m6-1dxAo8s@Yb40Wab0TSbZ^*}!V86bRK-Am{)q78T>5j6P4NPU1iGJ%MNkoiJ= zhcpaV{~t#eGC2X&z7)fbNA<&j0Yt{I0sLOOrHX*$BaEE^p@X&G1`JV~9n7gEb-upvU7qU7X5ICFQHJfH)+v}fia*3O}xL>J$ z!;ao!bpV%s1Z*k-G7R=C>+SJ7ss;91qd=cQ@h$RoTbg4#b?RIbzvqx4Z-NpKUFtO= zsyegX+Xq5t?FLfEB%D?%2`y|6M!29d<2AS^vBXc__{x2M5MUB zlvj_(_zOH8nM5?0i9SC^p}r6QCY_1z$$n*i`sagNkM)=4q49ZV44n-?{8~vv}zTRTJ2<|!^UJv&;xRE3nz`*3FJ9@(c zh`SMSX1@&hx?QBtflUSKiG~74JOPMmLjFUxap?rvEc^c5Djz 
z5_hWejv)j8w{)O6`u3rDQAD;E&VH$wWT=xT~lE)%efx$RnYhFVXn_ zg&3_r&@zAB0>@k3;84fcj&*#o_}?r@3Snx0%LVrjxzmQjDRivS5LL;CV})E%km?xj zd(GLhac>0h0Q||qxhZzoD&nC~K0j|2-28s1Zwl};Bd4|^S-fUlZwwNR2zEiB8eRZP z49xS(i|3+%-wj;l7?jlL3poB{&AfgoUFQW^e`@k>IAC_dx_;Fp)$pC1p_V5L8v_r-OJxNGS7a>k33 z&-euP#beD-C@O;qB2ivF94s2}8vB7`eZg4PMKIL)f?hgNEN1dvCde=9>^jl@`?WI` z^`fu;`Prxq)N?%grQu8v7klk>)6;*JxYmjEADmeo_qG3iZg|5!sCybe$h`hR>;>RT z0RC@exuI}1o!Y2T*G3#VMIKJSvp6)i-IzLWlis}5h4+R>@4ij0oS3iN+ww!= zQ3bI^Vj5XXyEb6X<7e9odS@0K_?}lhskGT~QD0U2s>Q=bk4|4AIT%R1=u}u0AAZsM z;D*k$B_DK?tr^v~U~onIb+UbPg^E*L{S(@}?gNkivas3g1@m+dPETxKyq;GzLArZK z#~;3b?})p}U3`{i7V|;DRoY5H>0ImXJ7b2A>C2n9>9?V<%(!`TU`xqk{FdsHP8E40 zx_msBv4+;F&%@}=p;c$1Mc<4bHve%Mzi(c}JMDXIVy!3qHll8*+0(&?uT6b#%ajot z&NaEa|Nd@x|Ga*~C3mJzsG2^l`m3uG8qZ6vnRwp1pMIck&e?*K2PMyJJ(l-4vGvWv z1vNeTH#a0U9x(HJd#k5C;w#mFP|t`Nv&?3yE4hNcKTi7v-B~KE){*VZ$*z?Q%J^dm{V<- zn`elJs!x1&9tWz+){I*G@Iz+Rhd=KP*xFC-Nrqkfzn;+U1bS(Up^e9d6Mky<*zoYj+?v^U zhZS!TRnumk(BSj-g$Djm$t=olwQlW7U;evoo_dcvVD@QA*dm#1BW(Gz#Id<=&Ve_~tfLlGNa|Uzt7sce)Q$Nfmugq_2Qk~JWQ`)^(pV$xKqY&-0SL+06R0h5(Z|!~=f!=&vH^W7zp3dR9i_jQoUnfIQP+Vl zW;EY7>@neuCnr8v?KnJ0tr&moePUIk(blr&_N}s3O)+1NokkCD%5Y_Dg?C-P*h$72 zud3*ocy+M4?3wOJO2WDe%K#Yq_ghr`V|4b%E0#p5jhf77e)D7EvW~XeWs(tTW!qa0 zNX)#$AHR;icEGtYGdfp2?Bp$7+L=54!SOzC;L)s-5-*8@YFhla0ySy*u9@U(Z&Wqw|DFK_tW+$vXT=yvVBy`}w1 zYtL>YlMppcg}4)xp~+=-H}U~6Ak6PH%)u<%{MWYpSt!f zT7b77o6(JS|`PX|YE=w0@u*+NKPNL6NBt4r#-*d5pvPY8Y>7qMZSA4k2Y4$Ez;Xcb66g}Pd$FjNahjJDZ%O6vq zom=+ouzbPkaiD`Kbrnn1_W{I8o(cNrv%q@i8wE{N2VQk#*TFOCiO@S^ABGegl!8m+TXz~D?>yqpwnK#8 zX@l>So-SNlQ(cud)ARJ|SMB$?o;|%^*mD2OH_Ii`2jBzevF9yax>Vh3QR3D70?qWD z_OsfGmYqL6H}ic(>wO#FPtmH&za9{vJb{-!}FC9HVwyjszN0%sto70w(n!>D}a?Sdh$I6td zVO@?cnQ*P-VcEe2AMGs;bH;ZX_1oUJRgy`K-)J^5@$D*RQKyf$c5i+A*?~9P4;A0} z;mWk6-X3+9A!ABMd>l`&!cicaXCjm!aq znxxxTR=xA3A&tjNW8K*)a1!MYYZq-7&O5%P(@RCcmF@a=_`bxw8%BZf5f7Zl3-b;&O459iys(J(BiA zOin#-8mCSelB7G+sYcN(H zb7cI0C!cwH9vD1t#vRZ0{HzPR;iWq|ub&3=bJv8%t$SyERZkENjT-kzdSgIFpC1;E z-ArE#KfWwtWVM!FBvu?T(P59$*KA0^4s1+bIM{=lG0{K(&s(- 
zHShh@^}R>OfB8Ir_==1k<6^wC>tsMDHK*s}l6`MCjm+ATlzjVgo4dWJ#(pWbRxwIB z3F*(IIlqxBPd zjHvzMm@MbxeZ%uc>ry*#S1ClEy|>qIxN+XRbWY3yeLtG@Wo7NYyL zoq@c!2h5?b-L2TL@Y&!|mFmxz-Jo1PeX(NEh`ZTdMAGsW4hXED(rIAf`u)+1{_8(X zO*tBVayi7?UtW1_a{pb2hRjKIT_Tn4MRXN>eAkx;Q(966k1ia3?Zyw4hbs?%f(+ez z?<1dHRrEoRF14uduATjcsgIOR;GDdEb=TWVM(rD#Tt&3>YMp~8-QQlac_i-w&H*2K zwmtja@ypk@h=yXH%{+T!)w=G+2m4!ZT#8?Jd1(6n%3);Zk?%5a^ZYsKn@Lw&GmFNR-eH*Jp&&e-$Y*L_zxS4?|QLWG4k9^PpOAKSikP(N9F{*KXw%dgZt*kT_&=iTc~ zvcGNL;k|N#EiGwL zz(1Ef@~OM8cG;no={eEdt=(pQ)_iNtwwgDwSx4F-8idn?J$_=>1pd^n&D*wZ+hck2 zV9n#H(Q}DE=Z+e|8?4-!+L6CnJAwez|uTk1JDAx5W=@O{OEgO#q4__*YwE5n(i z27j8lnzyjC_wfAboD;k)_plUa*1e#0g%>$7p!C+C-cb6d86elBf6 zt3i*%k=p7fDf7ii-}TCEs;*VnUK==IU5BP!XH0FH#Y}1uYImeU)Tw`33*wx0OPehU zFMPK7_!;fl!A}b}J^1cN;*OJh+jKg&XT_BL&r-E#h4X8dU8<`WkmOZNXrT4q+ z!mJ{8{(S#}@-01v73OtieH1~o%X>#H8Rv#><>Xgh%*=hVVp5-X2VY;NtGI$&z4XVY z_s8VURdnAncR${u-S%m1b$Rc|wd$%-DJt8r2Q&uC^7O1(4)oT% zTVw9!JXr}BfSS@YcpL zm7@++t|^!_8_^Sfp!PbioYDO9RoY%h&u?Y(uU+299zVLaYeMBl_S--~4w*NkkbCH| zxmF;&{nG|{E7jo8>QA0Ugc-P=i9hFz5@p|8G`wJFxZT=(#-~qi{gjx8nM&tB%d1$m zi!~_t_+;jwL8pFW$wS;3`5lryx#lLA`$^&j^sP1R?)5Fq3r`(p1MURFTjQq8o!DvL zJH^HQnc6|yf~5tRs~1NV98)bFQP831pbNFkw4?=v)^2M8&o<4;bzYx#a%b7m?>CQn zvhRMD?Uc9Fe0_CwU(e%fhgzAB3^J!mY-D}z(|ynM*M_&TR(7fyu};2hrhN14UhMsQ>6N2Ynj{w;QKi#e;ftDYr(l|7kvsO|jhk0$RbGA9gM<<{w$P z8q~55fL6+BTG~ZcHyfCN)X}`8eV2|7a|`eK8N{a77-P$)m-kQaKJx-FJK4-e8Ncx9 zo2N!DyfbcN*RjCvYS1&RO+oXvHJ#DCN0R=n{_VaR(hu0H854(guHDh8$$Jx*3}N!d zw<)?br|9_D_LV(G8=_k)*A`wju!~A|MsF-P3um_baGu6`+}rco;*s7(^@;sZ zuj$8*%W5;(W{~@F`k2h3kD{()UN+Df214V))PyJB*$VT1?0o8UXHZ2dGMZ%rcOR|I z*>&$0^G$HIU$OnzCkeMb8>)y7^RO|Fg>6>B^EON>zar~Wqq(_diL=`Acv6Sut?+Xd zNv*7-SI+J~JbgV-J*^k-zW3Rl>iM{PqaxKC+HV@O`O+T#=qvlPeoWjpJf~2)Tl+?7 z<%hy-tmnvpnu9Yt0_(R9sK|D`Zp>|7m?!T(v5v~Hr-P3^H1~kOdsBRms2pBc#=Ldu z!PnATpH}8~%F-R2o_zA_{k@j^ChKoxU57u}xu~@%_hYyqypz6QLB-A+CsKdS+g1rz zGv{gZZwva~xcc_)$m$N!pL>%x8s|M?zM}$Cy{+4~m8$)H)wMb-Ze4RQ0^O0p3+p%3 z^e#5?5Lp_>@A_@!nj#*Mzvq$#h61}N&t4#`xVi=oTpX4(Z1MW?m5gdaVS&tPUXW*- 
zyEf~1<*n1#ETt#q7v~o`(&v*#Naki~i6pV@=Gk5Sj00tw=H8Y~ukpr~Z+VmpRZqTm zZk4GHutzKz?$CET`!6vsR`ot!QZra|{OvN~slAU7+jgTD4N-UHpYE9cY}?uH+Oz%C zgVJ0d1eUeE+vg|lJ^tyfrZ$ng$9B^fm;W*=yXhpl;mML5>7EhO9lg(W+pdIXYx)w8 zEO5S=WjLrjKXeZ-c=t;8KEucfN4E@>+`gg8EDYG$IqMZSwwlUUI;*wPfq7Z-&Fb`H z8~nv`?%?yxvE}#9b~aWY-}SR#MAt^+NQuDkh{wWX%KKD!udaFD-fq~Ql1064wANSl zI=2-0f3(t$NbOKvfz4Pt=;zwxTRVy*%<2{Sq<14F`G@dhNY&{TPrrKm!R4$`=8q66 zGUiV8+IL46KcFx0P5ZS!adB|EgnT#Uo!eINiPBv&C9(;<9&{M_!xs-8PdS^I`9Znq zwrcZ2i@a6Fb;f4}SCV)gm5vKNi#A>8I{cFg&HI~*k_HCvp*LH~`^;H6?282_cPhG* z_jra`)q{rHlQ zXLfGATkvRZ^!CY`mKToF;FiK?{89R%)zF9)ovR&ptGrL1mbN+jZr%;NBw^Cghl96{ zE?gP(Meg4Y74PWwRUrV9tufrB8nwCpC;Z`-%4|TE)G{>{MI;Us-gd z2!Hj&#wqD_e5?mZ2{I*9xpC-?1;;#_Iv%66v`?O-{O#z- zChVq(nH4L(ejli;`P8nZJ#>I(W*1-jWrhWt+Kc8k!3ym^gT_sb-ttDIZHKvCu3)Z$n>5#3uP~FR`J;t(StKt zJF{GASNnU`d{#Pq*+{ZgxnaRa7nhG)6#WcqRqUQHyVoZPpFA4tGgs@Y-w99590c6m z&uKA{{`FH|?k9zLi@G#v1iBbAyHR3-=kV00 zHzbkB?bIFiW%&a?jb2SX-uCC8`i&pIEb-hf-|i_@qcipo&}TY|vIm~dDmx%=y4-qV zy|>KMY2(AhcE>i9knWEgvK82o&x?6?5d;5ukFoTo93tb&-Cm#GQZg17eGsV_vyxiT zV(+{e{cbi5-nr7Zzi?r%+WFb1ql@fqyOjTWwokib$IAw_n$xD0MK=gDw{_FclfJEN z-&XVBON3mv0@JyV@|Ua{`gnTLk;KF2o6TDP?yai*AD!8|@M!YNspQ5xGjCOFxq0;I zy?ONaGq)yO4jhBL2WqBHWFH#&qrqFQuEk_OSvwF}JV@w~bU^aU$VYb&;Y7^x=Hmmm&ttrwDK0y^o1#C7fBJJ5K%V$(5W3*C%XRe&x&z)yEY|TykQ;NOW4y-kIkVUi+zBqOd(@&ZKs$ zY^z!5{zMK;=mn@ksIEqS?68&lg`TCXOka{dClt z_gTlGlxds=xspw$2McKhBGLfUUBH^ds+5^T;edeXlI(z(Pzdz z<@$MN$`Z>H2cDWfvyI|x>9o?%2Gz_F-E8w&_3>weSH6kh<{GuDxrdH-wP%O>N8g+O zTiLliTl*`g%i--o-gsg6(`nn!y#H~&@YkPO5Kc@waj`hNf61|x-)~rHE9Rc8{f*$g zyKED0(Ek1UC!I@29y(ssZ)USI4{kgyoOi$Kuj#+`ZA1he-Db2&+~z#2 z%)VK%y?9Map8g_yc8P!A(D09nRfPrFU!7ao?a2}>Kf0rKDgb18=GY6`mAiW8{B~wP zUA`{X+rLn&|f&3yJYDj zx?^BCFS@Dt*5u){0DItWy8h0rrL)`jY>9Ot8t%rK(o}5jw0E9$+v-24>`+tTsIZ-1 zpzBb0Y|AHkrI(ofewFWKgSp|!W^E$wvqQ^F+I^eE>GQX-uhd*+ozFIJ30^-PnRw-` zoiljTNkeYSH!UC4>Fw*3I$qehd!`mB+4IbWBx|<`vJl$ucd(llznsMUl|`M>qMN5H zP(5^YZIcdKLyN}EZ;-|3)n6O`XuM8&Y4fopBd!J9DTTE@WKV1s&=hSq07cR 
z)7-84<-_yyubFZrQ%Bw!^R%(|L1RIWEmFp&UF)8O$}aca_vC%ebf2Q}=iK7s_KYJ- zau^uz?TWM71i^yjdp~McE9T$ax#4K1UV*G7x$+CF#hL0{ z>%LEhkWc#l#j4>&e@vP>I`WGPc%yi9Xr;4MatGnrONugmOo3;?J*zgio9$?;k!=R5_KI zq{Fo+bY1LrcG|+E(p~LsXKsJP3~ZdYZyj7YYt(6dTI%pDZSFJA)E~7w(|46!O35b< z>7BVYebr3A^*puMgZ(-rK^nbE+^!W1Gy$9cq z4chc=>=ZC)my%|*OGH1)8F6Fkt^UQzf^2PCwys^py%a1kR-=fayX-@X%kbQq!^0My znsUIkfA9Ics+?Qei(jsnZ|ti2DDcg*$G^;#l89ofi(kk`XgRHVK84p#pU1c}N%svu6WW2s= z*eu$N=CzV}A0N&egHB6dyzSn)&(;kt>v(!*>Auc}oT(Q|x9c7fI^dn-M((xDX>02| zK{;@mO}Vazxywl|kg%O=+aJzO<$g4H(UV!9k|T2+m$L^d@SBQKe|pHibz%K7r8eMxz-iXHn3{wTW^l0BDG_3H+qdV=2 zj)IxMLQBb1Aaf-(51RH&O87ZcduEGZ?w6&6H5(^R>iCGfXVuWlt8&b3btOv%J-9cY zXMA+_9plCPlilCDdtf$uEjICuX=Pn|?Xu3Ki+3HzE-je*F;BT>;|A_eCBG=WwB29q zI61R-xXH#bRUd4xc{8=JcVh%$g`DxWpCY1QyYkUZ%gO5l#11E)RBXI=YtV=%N8p+Z z958c$c9ySfm2>0n_F7YQYGT5uCrfL$OgCJ9JZh8-Kwh)w#*tmh9p9EdEEAR9xL;s8 z_CRn^YAmi8k(|gP!d>%HH-E8Xqb!HMU=V}x;F;>7;m+>K^g%m6K2rkhO>yq2)}lF6 zioRmkX~;uYnG(dhebS^u`;6X~6kW%Re)#_UPw#!P=+1#>#}vgUHxs!<{ZyK=E~Ls3 zm`_*>YX=tbPn?>+yi4ab)1GZ96hy9ftndovJwAD`yL79)AU!hTF$QSy)`csE9Nl zWdLDwcj8j_#2uT{Fx;)9t6D`KAJ2Yp_foMolFXAY8yU&oc9HU6VerJDqVD&-nHGKdI>L;<0JCMN*_0TB=Z0VPTXMeRlj zO-7RB93@9Zl$^69$vFs;)19lqefGQeKKr}(o^ii%ejNWWhHI@EYSyfJ>ZzKu)3i(C zmTyCpPW%VaWUcj_fUqT^zs$B1DfqwOH{fb3^e!ZO7uuhcqZx-h>-e_b#Q22gv zPkfcl`0#8FL=@(gJRI@SdqwFpSwO{9uRmO=JG^gMzRt6rC$QcjuwIiiEa8VbN1%5* z`3|#-TnalZDxxP)r;G-nV6M)gQs^YHuBPVZU;j=sQ9XNg66xmtlt>^wezS3*YnNHd zg-cq)qCYw>l8vmf(LH-EoSXXeOF(GU?p$uFLuf*Yy~hOHs)&1}((VWEg?DGiF+Ib! 
zKZdMZV3#8bL{6%Siq4*Pe7>rN`7mO$L7Hb#OYXQ(lRX7IN4I)!cB+(u@dw!ndMQn0bTOJ7WzjC|IEw}qX*MfB_<3YP~rx%09tl(2{M`@|qHB+_4PKx$QT zt#5o>oouLo9km(C?kA$$byy}Ean?a=`PmD@9#xfPpPT#l011=DUm68rXp;k3#V(Dc ziZ7;Qh|AJ=O2a_EdKpagU@M%`+mkiG&+L%#wp0=QT=TvSU zNXgjxAf@_XbDVO1@bwZ^uGNxT&hMo*@pN5=Gro|KD9mvG;==`42m)GVO297?cjpY~ zSFk-_%Q)B{47QSqc(eGave(LO79L*t`yEoK+tJ_M{SMo&Wo+o7be7}6LQNGGz4Erk z*(OwH`31_AO+3MAQr3FtIrT)oeY0@wp`!SvbwJVVU}?I3ndMPKv&HaLcfw}PHfmf>;sFbnDBtRTP38U8+}gzj9_ z(Y&s&2t|9z)O}rosG&IfdOm~nGpQ0IbM0Ak<=+Cm8aA74u|d%QHr9$n1PxW$o_%{-tfxud1!~(SV18 zXg18qFLdw9TZz%Eq1DgQJQMF2(+kdItLDCBge4c5-9&!;3i~uM80>qsWu*M9Oj=!Gw)&~y}8M_u8n(SQJ z9&p}tD*ObZ=RBv*?A>4eEtd|S^{L%susY0Ylm%GB&==HXahVI1rG4T6hZhI-xOdW)es-A&nyqQ4+Von{>L@lHDI~JgM%@ zVk*sD^XZ`iJNlAT9qCkkj@Eqs4k7?(tVYykLB>Gk=O%Ye7m;Rr!nNGOfea5?&n*nUT>uMyX2w)z|gX6)L+8@dGlg z8_kI?{ZwFqg8sL80jo6e9*EkHMioNcHyQoa;iGP+2e6rC4Ti4zH;n_H&t5(dmdmf>qQJ$ZBBf=)r*|%A14DGHfFaJnu0PdQfICyhT97-;AJO;?#*F)ENvw``nMuX@fpOV{fntR=ktOCK;${^G+ z?ac{cg!`mT%T$;-T8mYDP-V{!xW}TeXTQ`>Z(g)WVi)GzTqv#uXopJug1h9|LkOXb zFiEj{C238!*UcK%b%p9;g|VzZ@Dj8H=VSO-dPJM?klfIc5EA4mBEW*och9;2_bNe% z;^vu6wiym~K5(Un!^W2e3T;BmR~Hf6o11b4H0g8Qk-(M7G?&YU+)J?`?M}a!Unr1T z_jQW8?7B>UsbT2Tkpk)6_B_4Gu9o!cxafnX4at`D!szMy-06GW_YeKik(4X9$U)L6 z2t*o4>?N5h6U7iHgY~c*w+p)s^*?QYDteOrV9VA)g($N^#D(;-->_!8CrrNyt3;ml z+hxF3%WT#~BVbf9HQ`&Tg?uQr-N#6qXYBRaL3^+5j8i##38ZnsLvg!g3$)R^N$UhL z%FQ-aUW=>aRsnKlL;mZohjWJqtY1Z)fZ{z@x=cn^|GhfOdRnN{sO5t~Zsu&s+rp4^ zU*N8F^0$r1fjR~3e+y*^=Y5mP0g^=&1bM2E;L_C!qRXAWnn1e;B+#@tW7HNM+_&f{ zvrm`oA6oI1E>`K+FLYD+T+}A&hm(0Kx4$(n&F>W~r#8~9D|-sKm-~kex2=nz@*)ok z&x|1A*AGFe2P$VEy>-wx51Vy-Lc=3S5w??h@$h=K`#J)S#d9snefU=Rp#S=|(>5h* zpRwCY|1wjW4f*udLDd@z`Bf9@XO=Ab-FhSTWZ@tS+Tz8j62^!#IL!V9@L0V{+u=Z6 zQceRkr6;ONW(^yDf@eDpmy^+g^rL$#(zl}TR9Wi8mLCkkw_l8&nKzY9@^fF0SD#b1 z@BE;i*h-fPIp9P#6WYDcl&04*+%w#<7sSqh;u`ChAoJ`sS3xuk3OV*~(zRp#4woba z%DbOyjpRD`l<6@wJJVq5{G*5S3`6C$%VkAAREbaRmCKy5pRH059AfH8QI!$o%VbZ! 
z)+g^fnC&_7oDiX#kXsTBl22Jb<%0Uo$+6*s3?|GoBZPQUuCMfJo5X?jfoNXJZg~V0 z{Bb|~y$ni)=1kXL^w98G27`FFk!Z~=fGpx{hm){*T2lJV*SkJuI-CJQNs=c`RpZlE zxaaP5anEmNxTBDdeeRoq5+fr@sQGRRzV~zNJfZGUru$>guG>s44hfz{#TL_+^BkQJ z-IR1)kAuDF>89N~wG!*e1c|TO9Tf_s0vV=vOtq3r?~PHDc>XrN%5A(q(0ew+{rMH2 zE)ZVV-Nx7AgvB(w>Mvb$cP(6xcHXxkBvto<5SI} zPT#1!l4qgQA<3(gjWSW?4Lv%U-2!i4QT1Z?=X?AGx77igc4~gH$Hn?Bj&adndhehO z!Z0ssKwmyupCVgbau`pnTdzS>aVbUet2q6h8FeT$o$f9D;@MH*+M2&c_v!__cyrh} z)4TuB$AlwQ{T@NJ_FY2G=lSfa8=#Cj zkjwCUo#S-WWo1^QqY|>`2oK~|9~H{W?`FMh#0hw;kGB^djDM|($GF<-v~`b`Nj;TS zIqcuRPty0v#BXAHx)Ic+Ca5OLswykflCj+*{>YH$1(m#c@`DmHmxc2T)zV=`i3%q$ zZBmleCx}xrZWOC-)I#*6xR8G|5H8$+M#2hLSQ9V+Mk%lARzcQ9)ma) z+3AzCZDkHtj=PIRnNPgD#ZxjBtSYx3pJ2o?;^tn1IRPIvw4#NHR5P$!fcm1_Z15d< zF$?1~)kJSb5}hK;V6*Nt83Th@P(%BQLqX&dlMrP4pVLD!p#O^uL`YxECWcPTrDuoa z8rEvV&_%;eayuJ~?DW#ULGNyq)=hVSR4HztNNAvZ|1i)T>q%MDjs#5Ke9Zpx32%fP z)Da092CYsD5XRrFj{k{yeUE4Llu#ge4%D=W*q?Dny8h1#|09S0(TD%p7YyhAd)fzC zziW3UI+aA%xoWqJyDOX>!ug*++G8VE^%?t7yE$m%*T)Tmdn36_q8*du!*0?oJYwa1 zOknM5f!1>3N)42d~Ni zvv}?TJ${KBY1I6pG~#{IS+G3 zUXPf0U%8FKs(5#}hFg=_PKr#$dOM%sRo4@MqTVOrKV=wUD=G4JDA?HVsoViD+D z7i2cEqhOm=1mI&(xa^%{DSUy0a`VXuyOQZY4@+4UULDt>8v`F7bXsRgFX&IF4$~qW z$L;b1(Y`18-x9476Ra~yA&^Po0|Czru8J4u-20$%{a(gjS;|L}s*o}PuT28TA%z&b zW0y*Ow2GfKfk)2f|0Me9&+Pg|Yfb5n9*VsM&_e=q>-682`2M-$(UT|x6!YB^=K1F{ zsm|BOCoDZP7=gqrdI>vo{yhBB#BL4MdO+oUlwburovx4VOdSga{Q_TA_^3l#Ca@A= zw#cM=^u1PbHWm9oPnzz{L1m*rZ-_&Hu&<9~G*qOdpc+CsIp?ZMcJ3l%H-!COGhvE)0R@vr z;+)?Se8G2~$QmPV)$_-F)j)+KLbQS2(zuTTA78gS76*YeEj#1bV$n!Q?KNk4CdJ4r zR|RmSBvfz$=IkLx4tvs_7JOZ={C>J5C<2qEb=q9wAZ3#G2Nm3=cWJTL@DMO00*#z$ zCR2qnE?_5cV?10BGv+dOMRGC%hzSsVqu!vD6NSvNIU?sk!v>_!hDFmk$7~c4BSl;e*Bo=g^5<3~iiR)mrML_n|Q3qQJAM?R;e`12_Wx8NN zQQY^ct)w_Q1VWm!wB7qQJ#t946VDfm<+Cs28VDD8mnw=I-~=09)b2D0gs4xH2=c$Q zfwj80rW>&b|j=ce-9_pbv30s!K;!@S{yJY zpT=q~64O95k_1Bwhs|C}cy_!3;lwk;qVq{=!F9!($go>k@lca>y2iobr8* zGV{eP7K56f_^}-^g&jZE9>O|b#}lb~B>-{Uvc5@jy)ElD9_;tiFh zKL|9)1JN>pOk{z+EQ0(?#^5Xf5W}XH?EbNs7*EdtF_dQb6EhN>B)Sk}@bwL&*BA4Z 
zlqawDwep`}2km-wQC_3hC7^v${j9_P>XC^iIf-9t{W0POJ45wwL&9*)^kC)00w-B! z@pQEFL<4(vzMBiES=Y8&{8V&{^$RT=>*RGLCZ}kBsB{YG90}i_Cd7HG=jCf=+T%$F zBJSmnl}twmf+I4mb82?Ct4sFl!Ly0_z;_mo-UAQOaU!_QjO1ElId(z**YI=&+7v>0 z;iKOLjT({uz{YDZqBE{Cec?TG z^zqbXfn)3c@=x0zo!I2ojz%rV%-8%98ntJ}antCGYc~$~EA5N1A93PW<`RDOR z=j)BDN9MkfiMJVd$jmd6_PFQBE4L4L;YS}&kqR8ox%yAfIZij^8jj{H$HdbNsm}?| z$UjdbDMe=a$Z^B|Jq;7Uxrq}5)qi@%D=nX&bVTc(H+mo=YTmV@_qDdB%R`*jU(X!kN?pkBC!k}=ZZ z9FEbqdr7dPH8;eqIWT^PCs~H3aJwG6bbZX}*nn;wKZd!{JhsK)6vpWHrKD97VlOdZ zmV5KX`rB6BJ2MBu7S&;8i2I&;fE+ zQfhB%NKmq$EAd>x=7*aK+RZT-*7~kbN)5IgLWjF7ZIi({>x;rG9`7l5q~^NQr_Eba z%B6iM871Cc2wog0(wXd^+|gEU;_eJ4{x-ccpS_uA6`TWj8f@p}b;l*|2j$rsFMgqGwB{tN)Bw!|e7z|8 zfbiUvhcMy&-<_E$)hnZ4Czr~W3*D03lH>5Ux3|a2zhvrHRWdU3JZ?g@RUIDea;W64 zX^dI_FiqB~Dw_NrLcNP9`kfM!ZoO2#rs%lxg(#Ew?e6y<2b&y4g9vaGE)Yg9b-%xV za=?)tmOC)I=bAS!?RQOgA>xIDQEfd!i(*N*{7n*v{cRzWibd}1iVbbYsc@4TU$*}3 zAFioCo^FOxpJFq2z09F~?|mSTQ}BBOUnPMLhi7pH@-6aaK6F6`n5DrjW7Ij%M+Ac= zL_x~7^F18c@0INjfE^PCA&K>f>!z0Y!;vQEp~zDA$5uAaN1B)eFAG_1DpYV>E)449 z1M$qhZ7%wiY_jFk#X1>oP@ZI_{z%AAh|@vKyVKC`4pXnLL)14ZiviX}r);zbxUOL~ zIR>sec~DgP7@SbHUhmdqrcPXP`k~qeVwv;``x3U3&JkgknfZ2Y=h6}P^#;Oa4QDn% zj?C`yA5Z+)_f?&l56%-Cb^5*h$9S#M=;C4#s;Ipsit$|jO3&q4*)^yjB6K1D?kw3d8VsBOde0qLi&PeA? zWN)#gly3I@i&y!T-<+pDcmk7xixN@4oK7HiCP->r$b)p5taL!Bci#CwX863T9jiWKR$=Cy5eN2KD7?|n_q~P6eAAwZj8}OeFxqJ@^^xC;b@-*Iog1u)9NmA0OXoUZpnAx(+mD=eR=4|R10MJ{J5$HmV*sdA_u z{xFF&XM?%!{AT?XS9)*y!r-#*iqoyEwP%Gtt|eWdPxo7!Rd)j=u$Bd@PRw4;LTaV! 
zb~Nx!r+)pkWRGtT1(jd>W zShu6tK$hPwEPJUI<5WRaeGd`jAEe>CB)47OA<$~YPg7)8)S4|_p5$ckvG=^I;JTfj z`6lk*rh{J}ji~;EFf*6c-KIa@sA*=iuM6jm(0%gKYyn>g$}1;Z6Q&pjD9MmiwuKs} zRI*|m;bbd;Opd|9I7BFcX!t=Y;6#m6K>@*S)52x&5oW{b?uX@5yZ*7>S5y4F5d{17 zgcugN->grvCSsibI0=CX^DoNI>H-!EIKb5^my({CvK&6lwQAF!XOX^fx60AHXxC&eZt`l&YDBbXujC<-CIIKz}Rtgf@B`}KW=bsfG z*sfrXBC4T19##s>%~(lo2o{V2exlk?fdL`jgNt6zi6UTvLDdSckY0@u9S}U60qlvb z%qf3g6!L^J?0#k_v5+uHR$@Nqgfi6w z4cdx%?tRs6ImWJ&4i@WR@c1$atwB`&xXIujMXzvQ_muBIMhR6NF@ z#bKcHKqC2X`J-ok;;ahnUul|d90LPFaLajP0n4VIR<|@%7N3r+VdOcGwLdWsj<^i+1a8D=v;S4}{huv&!q-|HpVVRfJpnJv^)8Ky{}dJOxCY$)X3ju#~q5dew} zON}KErn&4!dE6<5@le8n%s*OiT~~!xQUn z3IIz01o$D4am)yXtf3bB1x+S^1ez=*3TeA?v;!;;!h_x;!`cv_lHi2r3ef7&+#4$J ze?J#!6lL$EKs3aFkRr_sN~48^w<~qQ0o{8CvRAH(koa-t2FZ6QFDr$Re}V;d79L_R zz%*CxlVZ^RyjXO=3brpm{)M30d!|`V^}C3%Ugj={-t_=%DU$y}G3MO`ks~GemplDP zqF|O$qrE9A^xGgJPXru;V7&|}K3EZgx=T*hP~DL7LrT0$}418 zYvRZ3<10ddWEw!WlZA>;KT90p^5uS#JkBMvbatKIM=&64CoVyppcuH9F7`ER7!rlN z`M}N^=WxVLl8`Zk7u6g(h8JWfae#ptRp`U9PSZdR<4{xA`p>R{#iZ65gqa0x=B`;JdiJJ z?t*u?{?m8F5c1!_C4l0M)A=Z`R$m!IKxWY%}Py`PX^^xU&ml^1DHyGbf1p{SjHPil*Li=o?v#DJH%;;Av^=C zDVAkdVnA@XnCiaA2}4_rCI1~nUFCm~x=Vrr_y*)F_yoWdO9}oCbb#QITMu>ClNR!= zNRn~3OkpfKeyJFIBv!@E*C<*vY_$lc@Y- zd0SJcuhMqudXheA56BhuHJ|!_Gh{EmOr*^`=Y?qU0+LH)seQU*ah0n#SG zfDDC6|FdSwCav!__sn*`NvHD zLYJ&Swy%Tg?B8@2x8zLENH6P#E(}-btgfwL(Q$Dzf^=^HsQNX3i2+d|au?AtUfT_v zMt~pQFez+w4{R0yG;^Zr&41Iu+MDZ*z`L{Sr{UOZqFLaSH_#$$a-e*6XK_pRH?+#w ziGa=i8aKnO>~#}xQcbrAM;H9ff4|0UxlYEL3(FGV?n4o_p|TDC#$A2JRzEk5=ohxd zPy2H8mK~=jZ)3vPF{c;7ZR1C<nY25` zvs&Gm-iIE#-cetw+;^LwecR#(X8?|C^WpDpI?y=~91i@Vm|&kCHwO@&r$qAcvzA-| zMJ>)^O)>lu8%x6x*7?^D?LG6Kj$Ah`T_tOfc^iKb6@FuZV8h3BeU8_tM)a-DH$STV zB)fQvkr$i71)+QMlb16_&L7Sbr>Z4q*-0GC24TK+4A^Np4%_ao_lR~EQcd$sPj85( z*R*zDT(A(FI~2;Fe-a#DILW_e-P0_GxOYvb$RapXr|7=Q855But6xKrLl)}o-fov4 zJXm<6JBiIW*jT?E$b8LF+bP=m4H?&SZ{G&Py@+hBZ8p#6J({}lUUl`=zCpzTDKRt- z@v8_9gDu0)b)dbB}D?S{F{4w^kykEmkC9kc#-whLCy4hS-Avx3PaOWxJZG+Mf z!@$_e*GR1ZO-7|2s|TF!PCpO5>%aIlhH8)030Y-y^DWGc%&8UG>rx2rag`jlyv;y) 
zvYCGw+qV88b0?GKcPuR`rWKr z`-|qgk#?1gcxjd~t|BUm{8`c%LBaUbvWUoabz?zytKKiZ4~pqw;NCyB%t`}4uBcUD zEyPVCy*?0Ph{+sstN&^|R>5U&r83^>AX`w!U$mcZ>MDle5YroY+|^vR^T4LRfYI`U zMX5dI?!wE4T5>NXW_MM2;RW+SzUr1}Stb~pkM0{C#qt(par}*zMMZGop2={_4(EgN zk9}IF%A%J9OO3xa*Q6^bswhWBx~hLb27MPoXX-GS`)Xx6PRx9xTZJ}RWTcn*go z+oEq^nV>w#v`?xleR`!j$W^z@cIdUja-bc=nj4Up?#+Y6OZnAq9u$J+%_lucxV?df5Ak$WD8bdJ9AUY&# z#hI!InZrmWzmPj3D57d_qmKt|s35CqtVHUE&&aF7KVTq}Snam~q zabBYCmwHk;7R_z2Hi^Lb50`LRPZP+8gWENS`7d80e<9M2iXzL|oJ|%a{dG{g+<=!k z5W-Iyn^Lv6b7g+zmu6>Gen-lyt`;gQJCVDt3n@~9a4wsT&DHJDz;{t^R|F3Yz-63D zHmg6hjeGUGRidbKTahW|Bl|1V0?C^tGDQxKl8A*AU)LlCQO=RlVLu+2;xM?g$3<&B z^TY*>-8UV=^bFOJ;rg05gE`v!^vrDw&SCk@9Hy|uv zw0sS1Bqnw53AcfFilBhzb(~Xa`zIU$#=FH^IwpMIg4+)j0RkqVK~@B(o&jd!#J%S0 zM;a7)9mWjU6CDKNn%kv|cmQlepo9%_C;tFSV$M-B?-p1Dz$cRmbP_c7DOo!?B8tSF z^nTni7KDq@UOo-khlTHVfS(Eddq1<1RIm`St$k(MWy_~0B2)cwrr@pKhCn1q9WM^L zlyUhXk-dz64PAoe=QkrVJJZi=O3?BgwJdexA6vc|d*s3BeuC;s2;T7hBfJ5e3IpPf zHb}QZuyQ3DkT@dAk_Z<$ens1#6TpCTzHKC&z(sgHw7T2 zA%H@sIbwi^6*pr=>;6#$-} zY)6t~Rwz>L+8-^od>C;caNZy+J@WB5s2h0-nBSrQBGd)I?0ySA*u$28k0n9e4P=lH zU^Nm#@(|bcpNI*AOsMsPP&yFOzr+;($3nWxfC%{n2(c`kzqhp@I);D*z&BXpKrRpz zc!jhA;}PRYY4jFyL|$LKFgIDjD=x<%2Uk?ks0DC*FUMb1>F;Gt`=19XA|NE#!bJ@r zLYc%xDC9Wn^tV9x|1d&g z=whSq`t=u-2g1-ur0`AMZvZmSU4-tV6Z;H;R3tw+L|+_0<=ENu$o?%yI4ME>mz{#EgTiuNq6g3*h1CJpXAaGXqRT zudb#+i0}_RQFOSCiR9jTc{SMs97a05JV{h z5&$9``Um8x}Bhx=BJ8~rB6O<`Qt^^Bo)AYFfXNG#C^1cFoqKqe5~ z0Td1PAJ)yluhN%VsG;0(Edktco@d-ho_a4eAf-eLs>jPQcy%x1K3A!yY&{D3!SDnI zMM@hg;qj_lrWRsiBd?*5TPymm>*^&xU!JYufPs{L@LA6Cn|o(oKZqN0Q_ry36L7y~ z9gN_FuAjF4_3d)w#^L~}T`D+FFzC8DWL-<`fYhsckPS@pGVJ3n(_H!7wrX(!?c~k0 zft13l1M@jSv#1lE4;Vgo{s%WQT1_MTB1iaF4e9E@$bp7s$t1bJs2AzPr&f``s=Z0h z)fS=Ux|oCC%=6#5bVMD79h1*da3fm;=dYJ677k2=8Tw*5tM*i{IZnVF!M(G{Ur@gN zQvtZPa{lA13jx5;Fn4sNs7Ul=>nmMC5XR$SR+b2==+DhDVfb`vAAVMQeIKypfJr$o z&w$vwVLDix`*g6l{YM@+w(-!yK;=+fRKL{Lbc^gvNzLQt5A~&X^9k0I4Ly9z-D&E9 z)z#vupcY^c+{8-P%OvtmARdOK8|&muV}ceY8zy4`m>?W<0-1?XhkBk?VM9r}ApX9X zy*(Ed(W>7aa$mER>lhElX%788PZDX5J#=4PT{Y^jNi% 
zfG&)jKpasL#ekBSg_GIcuW+)9TLG7RParQ$-tuqoS1)r7HeFxTCU zV5m0j6G^+gLaQpo$Vh#~rcJOMHPnV{$mA9xG>+u9g~_d#EXZG6TcElNIvi80g?^I6 z1UL8`#RDVEL7nlug+pB*BG>8&}=jQUEEyl$iBN_cm~z^VA$X?X2% zjK8QL{DqXHw=A7yQWg9MyN;puA7*n>ZS%*?>*r; z3?0b{Xkx?nQ%%{6JoI5GziCruP)EqG4UkX7e`e#!n^15?f`I=L-6d zN+pr3fQ#8^0pmysEqU2pnb(h$fV*?O{4MRJoAmWZ-TZ7PJ^gWH3ra$v>IxWH8x2Q- z*JsYP*C+ysFCKs(J@GE#@2EJiJoc{w&U}kL0oXDJl?*n37t(}McASRJ1B>r12x3pf2d0Tc`_(uM(L{tqd!Um77Ua{^>6?(0jm(1ZOuaCk>-HRag`#`3hF&YV2FebXS}ItT9TNBqcn_{&9L zF(JBVd6CLVeIu=#{av?;%T|5^YW!xB&sgP}~Yxv3G6u7z?sP59`bhEZ?b{E57sC~CatmL}HM-0Uq)=7tNTb3YN; z>+)IkU*|RNVt^YA@0;pEb#tcYKhokzbK37@j*t1k)-2oAEV4s+-AL8%d`*FQW~n8s z(b>_$R$Ro=Z-VHeds2|t;8;o5t#zse8Rkc}Nd`70_JCzofCyNC6-N|S_X3cK^~XTo z4`}2QF>A)>a$ajAr(U08rAhn{6RJNKPQ2^#in==okQ`=xRXSA$QCHhaEpn6DSm~5a zxVmb6U+^=&Oy&vSEEs_p4X+VHw#7Y2nHTRO2?anoLS4y?&8Ig3>2P6CNz~esLUu!h zP+itk$;5g}>qlq!LSEMwv*{B2T~nnc2Yx_q*iJAtZ6a6DnrqKPn>C*?A*zQVJ3;)G zM$!Zr4uphI%d{CiY)UNfj%S@Pa~25oap90<6UgTN#bn8XC9!Ejc?s}j_2H^iAMstr zZL=fG2<_`Li6Gcy31cMy28h+rV^JQaNCKJ0XIm<^kgep-A9u;RZI!V>!P0;CRhz?c*;2faggn#h0&eo-G2o75_iw{hvQc@g%=^?Y_}wp|SClPO;mYiSDO5Q}gUoeAuL@C62ZA2gIK8V3J0vR+9Rf42T_(kA&gC zT|tJ+`;#OBa(ddf6e^D^g>JV7vhiNLzP2u^NKL!wtib;N@v#gdt{hWjnFb}Ltk^D{ z1FL-{tN#N#9GiJZuB;m8Bn^D|GV}b2IpkSM>0qod?4O^0pu2SnLyX5QX$1Tg9t)`jeVo)fx<-S;Pwp?AkVn(#k?=}l1+K*Vl#kO5=`U>S3xZ-tc z{KQy^tQ65oN>Py5BJJsyGAw8CVow#5`Xy>6v;`f?d>Q!q&fd#%@>RZ}*>(f6Q66>o zbMJw>+b1CnP|et@ZPPq`#m237+D1frBiiQu$ku_IIbWsud#+ISaM}wo5G3)kS$~I2 z2n2}$YTx`ZB0wMc375bb;iIxl=&vTwN{>F+2h>9X0S5J!K6C3XI1Wp%l!e3~ivv!N zt%O4knqRXDg%o53Fn$!p?gn=7UR@x&3Idj8^pf8N1gx~MmTpcsR#Da;ZOh-`O#^(k z=<0-Q5X$TS_hDFpyU)Xy-B61^KIuQLTrOWP{bAfYWH@rz6Tz7(p;Roiu|G(R7X#3Z zh;jPXeJpy+MvUM9x~H6YI<5FR{MS_DCiA1+>JQ`HZ+*2wQhbJXt_9DyS-$b$1hdlT zo|KA2c~Lpio~b$#F4+Te4C>5AJ=H*$0X>cEk8_(6AK^d&WD^7m?jm5Ru?ewfj#_V^ z!EBk!f^K93J+1doHg^H@s8RO#JMp z%{Z4mdPKKUKG-b!n0>R;Os#Ysj*;CQC|p)ntIR`D^BMV5I_!w@K2_TZ>77&)36&j@ zy!{e+NoJ&~lBRN9Z#`7=U`+of@*Lh<;&S(xJKZXzinc5WK5?zRD59}fGmku_Zn9=4j;=DN|zME`A 
z9Q69LqR{e#kl2LV7Z?z{L79AB$h}|+pl5x{*EmR4Z5ZO%sTtzds|p4oF6IROER=gR zp)8SPsOG@r6qVN@?YF7TUvkKBKHZa8nO&!#S5lrC@(R_DiDWhlhlV-4Up_WDx>*e7gZkKSga0 z&aKa6yT>=h%vUPXJTIRs-uC^uDQHhoR4Kh9=(r_Hs1qP)c@XVnI3F>$&R3XX+^ES) zU6i5yzUt>H?RA^I4OuV8s5>GUn~mO(RQ4O;S8noYnm)Z@oxP-UFmScZSG`bacF=A1 zEa^)QW%ws>jmp;x)Fc_iro)dHup?~(x@hDC!3Rs+A()SJcnoo$@$Vw`0*J%q-y!P~ zdWPRH1ddHQ45|&RSy|#a*$mhh%taT>t&JZ@-+UO}X1Vv3-Sc7H^1`Bg>EdZaDFX3W z=5D!ZMJuOhF{buFlcsDL??Ltfw+mZ8-E?=jvIm^AhrcWnUTxz<%jivMy~MY+BOI-%KX4WG@|s`G)0w}p6&?oGAYD^M&e&!F-cOu9SCus%jsd@ zXSpi;h7W89gntgqT=m>eEhho>#|K?{N+HbeDf)j8A}dbTtp5lKQxZ7nv*bbv5z+LC z`iD8e>2f28f)^{B>r2tE$j`wD)og$3C^IczZi>u)>^{5qF!(z;uk)&v9JmcuTf=A) zSxYr3@6||@i$&ufKI!Cz3T=qHfCV^3eiA-fgq%?-T_>lo39wQsZ??G2ZC25p6pgI& ze6&kuEEg!S&9}@~^msN|a@M>vh?wJAM-l6(BxKzN!bT|YF;oVPAlMc+Ym067!6av<6p91nzS{V%bng}CyzwLVGpkQKG z^7!uBuRA$#1JSVpy{6|H2zdQmG>rf{9#}_X1={ zUs`C|A9mDMWp5pJ&C)9pUwGNbz99T=Z}9yW5oeX3G3d4|EzC0x`WlG8{P+PkNnd0! zBg|=)MQI6}d|5%z`8^!34Q^mnz*Tg)e>3{lUf9oi$*H@>`^b;2??q%R-1dEb&^@(D zSE~TnPKnY?BX3G0RwKIQo)V%dH(bf2BhZ>BnnlSZuZW}D8Lryr@FYwrjMDjs%-!C2 zMd7RsW1Edat_sF_axxyp3iSpT>u$H*g~T`1`&`Ubky+u$4E-v-^VEX*TH!C&oHY>T zGGv~h;*ty$=UobW23eIS_s*zX7$?6kYpY9#zs@k0EV`fi0sIP*(?V`-7bt<~^1wSO zd-oKEMUs*N{K|#0I6!coG7wVKXlUKLB(fl~whPxb4K?3KJe2dw5N?XTqk}<~ulMN8 zt;HOc&&|xNm@A);lSIe{$`XQukwJh%R(U9nC3XjUfjicm*p}`iV|CD5z7ZFm;>XER z_NuKSyBUJuu$Y|0c?^pJ8wL1f2W4)k*V9n1_>F#9cNl5m&$lnurhwB0I*Wa|@wdIB z9EP>l7Y8)YQ*bi`V!_X5DRJl&UJop!;`K&O_(ooUiXf3tfn0S^vm}Jg6^z@>!cU`- zdrw0ny2ie}>t1UW&Ax5%;~rI3hS+tjJchtga8O*^&fflU$89)PNJ9{+t@aNCfyNbs zJwgcIx~)GmQ9m7Kf&f4Ilb8j5BI<)Y5ZX1fZ{B2cU1~}S)JiJu+4nK1JHfZ0GB{c? 
zFbTFRkQAA-<#sAQUQnUte)LKENX%l z{L%S5GR{yLVh5<=O!&&B!7jP)XPxnor~EXgj^u_ysIOT3GKM6)_}6!;?mL@KjfwRaHu6ui3^LA7<4FX zpQGP-sa=j^p_uUr(j71QAg-`e`f9eIWhMRAkVWHEDsXI9T!hv#UiT7-cItmmqQ6;{ z(YzNYI5d25`LIfN2kRcDKlu3jL(zbqCHCQzlJx%2W@E{elqyY-Nq#?Ewqnn_IyfH4 zTRlXQ!tcpDQmN!R7r?`=2)1(C3GW>m<78TvM1S-PiuOPUjthtr2x9iEGPWnr1}8Yv z@rZt(t>i5;@!R-mqAlEH)v*LwU#rIv zjZ{9F36P$4?6(3EVnEw?*%&a!eRenp|D_4S&2q%8*J4alP6c9KKXW9A2uR(xt-@;> z<(O8vb44xdK8g`e7<)_CHjkWjW7-VkT%&}Y8uBIfESLY)wmEx0|3wWIox^L8&PjQv z0Ss|w+n6@=r|Sf~{Y++1Hl*PUjK*?a0wq=qFef{)o!gp#thpeP!|exR9?K7*BSR)sA$^sUC)XA?m7O?nK5% z9sMyH=}TJaBBD#~1fhL8aRKkk<~9*9^=yxx?|#Vq@1Rl;?8j^nd!2XW<0Qo7Pp-Q1DE73Xhi6Qw8T7f%6UY`2@3+?g z*+-CuMw*vHBs=mqB}f!}lHHdD;R#Ch-i9nPps=`?20sJ2707-WA&GcUhtIX82x8Dt z3MAr8##7vTZYU(&>0lTX8Ag;L5Yh(Wz(PF9RQW z8YMS3QzLN{e)I$K$IC`iMyv$@y+|dM8=%&)*~nVex5~rUF;UqUsJ4|Cc1vLRB0w2k8Z_*45wQN;L}Q?h?PeayJd)!< z_3Fj}Xaw`GF9~NbbqP|YU7$+Y%UOUGfdIdHHuqag9mq5X1W}8igzK+Cl$JCGX`~Rg zLASz(o9N&!9tOqC2tui=rr$1tR%jd>1Z5cz=GFNZ0VdKqpA(fz5qr+v51DZC^4~{e ze{0ACc`F^f`Coado=?LB8q>dPDhnCD;r*I@9C3koLI&hpM)R>~;qMj{5P9hQo z$vJ0GRC17B1|u0S9LZGXo*S&A*?GYmI%;s3z^}9Lp}awgEY%I! zl^)$qOF_agHdy~D7wu{MJN^^Jp>#Qt*i5ALc>V3S#b+ibGg{LmxAxVBO3a@qJ&P_! z_D2y|EQS0^uR}-gxsx0E7U-0lNO8P!FjL81;N;B8uIRTs0`|VovfBg*ul$fE1}4rA zg~3;@sJ~lzp%+cy6qU03(FP-5=FI_H%sNFOrj=jzhkUkXzmu8m9nagJ<(86NmEoB5 zM#Mt-a>{YlyxrO9B}N@U2CFNm&CBj52eoDQH(di`++W0|b4LWs(lyF3fyVmA65%z{ zeY>uv!b-8WW8_h^bl{~4Yt-&Cr8R?&!_n6GQ}xbqbAAt=n;B=Adjqt-pWc zeN;5zXMH|G_mNjk%S+AzWdSXTDZFd8xKQ+gHO_@A}%obsLJawZ>qrBi*br-t8BC=wkz zZ{9h~VcGfS-b<>160c&zvsW%=j@EaRi{0qhVY9w*5kcm@MSL|-zBupgJ5(I}pfd(n zLPe{~wQrb2-37M4ZW|ofXxeXTM-tWkJ#MKh+h!%Qed#jSX`#Suc`wgh-P_#0Xa1g> zgf>d5*Hv$wtb8Z6!dMJVxn&Qi(xlHP%Yx%Vkov0f>+Sg*yw62<7@PI3?ALuh6My^V z^*#aD!Bl>pS?=xV#_RSCl|QVo9i598qZmoIvQmx;gjdiSFIB%k@B`)K!t-d?#RiST zC8(^=cv-%In9XEs+S2Ep0(z>b0c*6_sG8D%_o?4u*~(N?N{h)wm>g{I(*CY#% z8tj&bRL{bxr%!pN($q?Q)Am-2?ULDAy;4eO3#sb{lxmMSbLd&U4|ayOyy4|6(X2C# zqrbHPAWGPp=WUkYIDe@t9e=a=++JE0iFOQK67VV2Ibm! 
zAimkGnO(GVjn7Z`;k{UsRhNYMmdD(E$glkxJ;D-5Gh-UtLaXt3iXa*lIQ6-bF}~vY zND?;;=$~>}V7mgfD0castFsW&8`U%tKM4V%@z=>i-@F6fJ9b-^Ru7zj?1Q2epu9`c zqWBZVt|EppcV$Lc<5`?_P4|3YV!VR+#!k)qh86rQjRS6Eo73NZmu2bjX-&gU=bHA+ zh&3nn-R)3Z=OHvB@j zUjYjkdHN%91kiEtNbQ0?RS&S0F0`9QMb0z97T6r#i}WxQJilr=g!Wgjl=aym*U~Wa=iR+4%Pa?NE{mjr;G|%z zw<=n+=5_~Q5LkY`RVCz22^m~oQATAnPYW1NbFKS4TV~NLn(`dFsvvieOmMWKEG#~2 zWb0Czl4c@K*5M-@eQ;y2m=Ct-ru|mcpI1hXBDP00j~(X9ffh@;or_$4Oy#YLEX(2> ziY6GdB-3&;Vt=}mEI_t<(L_XJKZS`A(Vwzv&3PZVht_PtTAjd}vO2k@hjVaYxEXj; z1O_|q$;sV{)z!v|otYj~T2(C{l0nl%P`dbH-!CO{P<%s;lM#B zSb81xA`t`zf+=ZwcwMVE^PDJ&lO#Vn{PF29|JA39)Ht8n@N9PQJHbUfAzUIzq9O)kAH|0a}o(ekpEff#5@15aJ!@$oCk<*cA`^` z8QsL?QjUwT!)H4MlSdp%fgrztw_WfxjAzh5*06fa#zH;Y3%xpb9V4w?~UIG#ofYt`63wKV1MiY8lKu4 zI?OyJ@JM1nlZ4!IlYS8!bjV-4FG7;dr15IWfKhF!SFI@ed^tc2P&-Ze1;m_t#0#Ud zN_(N&o7Numt+XqO1W=s{>^EtW3$M)ZUB^z&?R+BDawm5=wg&>YwRw>KM=7y^O9v4= z06O7BWhK*>X{T(_mPMCdgJ}NNpBLlW=|#bfapL8OC47CDr<~hB%LWc5U|W#P@el=t^qTjtETf#w>k`?{skfIZI)#TTQ+0Jvc7rmdl|deYXVw3|;X+kBD?LfPnz=p*%-~RvnSY=l^~IxTC>$ zVT=H0k^;B*DaaxI_n-dz^#+zSWgmUmdv>fUFZs~|L_7m4^nw7FZH92!Xn=MRqyV@! 
z^RPUSmTQ?(v=7}xn#m{58#6>o`!X;_pC0m~qupyr)7Vfd4UP9O| zkDtgbz5JG|8*Swjj0lbT(3@s(ZMtJ3*9P-G1i#hr9e%eBy`8UIJ|&g#U!ith(%o-) zq`Tw!2{Vx36WaZ^*Gz>P)OYI0;IE3LpLC= zn#xjWGSKD09L4Wf@~qdc7Jd>U(4x=Px^Nmof%(azjRdtytEC}pG?^odxP9fk6aP!i zp#BdP<$r;SlLN?Yj~@ zC>2O-o+I}AS(y#&A`IP~AmA2xkr5$aV0-Kf`B*RSNe2*Gd#dKd`g-Y}*dBQrs71(8 z_~wtOV9OiaezDoUbOAL|XP+B%&}xn%eLr&vWdBNM$$sBTqIp?(F>l%%)!LjIFgv7e zP{7Vu`KTBUyX=x-2l=jwP3Ln(-G9CML}H_PRx!lo$L%Cgzt@9pl&aGd3Jnpv01OY& zHH$P;JTSCyw-g6^k%~xAcpI8j%S^aFuX7#hH-+yyhHFLUNNA2~M`zY0Q zC-(g2Z+@>iS0J67m4vh1xSzhRY?kbj`Oas-d1tF7uCC2boaMdtMI$Q?Vk0=L(&cu?C(8yG#pFek zCJ>4b8%0Gzv0c>RtU)*-hy$%o-)B+vjhxs>ovo7C<&~w38Zh{Nm0GtXhtE1Nk>3)A zt9f0`y&*NKi0*!$jGV84t9`BKUR;Le4+2$TZ<+&^Plh6kzk(#tZJ!I*H71ouz;rmb z;|U1wH~y9~aFo4&rt8as1O#Xevvq*uC&ZzlRaCy2r#Q+4g_Q zBLkv)zk!k_qqv@M{bipH;fzhc<+fKq+|zHYpad#exZw5{m)xXCS9<6fhu>ZKqhkqj zMa}~r;Jm0UD9^(NDso67*mRFIZwbQHc8H!H1JFT=17gt4lb|iI+<<>ljR+5*+clS} z@+k9>F=@=fRN&*TdmMuM|LAhWN4QE@=)f!9y4ly&f)WM~2`AqLA}4n`A=dNUyfpaWiRz4&Md#{Ur>pt=2q zaWi36^D|8b?mK+t>)y2}B5zxkW=qk*WFoT+LDI}09h1`u+!GHBIiCBZ4jZ0_{Feib zSJ^2it)v-qElUuL+Vy-kxp=bz%lPK$x38Ip(pwd|fR%mY_AS zd;RBDM9{)&kA`vBVeJH65Oh+2~8u<9#P zK2!!TMbdVj@&xwUKuqN`Slf?HDmaXte`OL4Q1OzGf*2VDIasxgUlfs)N_VSx=wUVQ zGa10dM1on;gN(^eq*P=FySJ9PgH1g6bkiPAV^EQ*6c|7{*pnghbzzlM0FYNmPYezI zwVzDT+S$DVwRTg?D{|a)iB`pl4tRU#@CvTEFHNmu2jnNh9V->(p)?=}lg%A%XH|oba{Iwq*HT?d38Z=wb15Hj`lX(RsDj z0hIiXaJjyImm>Pd(4womhr$<1e=f(H_3@(k4l*C}dD? 
z7Zk7^|c2Z0ldz-rwbsL+mepS%I4>!0eJtb%B;~A8N>6?l!?4pI;n1UuQP5Ll+Ep zCp5jQ%@TeadpdV|VkHc~xznAZD z6E~MpTM?O>7%RGKAbw_5H3Da1NO!03OWgRj&7PGkliYx0$$^~0I^T~tM?aU*sr z%MH7pHS}~)kiRVb6?Kkm5)WI!hOX^Wjajm`MsGrHGV1uY%h1SDb}Q{cY(EcVbfi2< zxspd6>x}L#H})hstGqWJE@|I?bLVmHD_V(1p=XosE~}wc7k4UFD!MHKiGQJh^F>z@|y|iFus4877xhrGV+bcY2=t|(uLw^+gHO_^vt&byu z7N6*PFIn#V?7h`)@~qKg;5oldzw=JOZPKCC^h^9CnV-nuOTkT^B@-qZKH}b685JU2 ziLO#>ggHV&aTkBI6t*^;HttkZFB}C_3nlb9ipb^1 z?n$-Q)21BlPv3b&3$BUApUEO(<~$Mb69r{gzHs*kEk%~#xR5H1hJl>?v(-bsU!iW( zM-#n`2mKS+I$y6krboA|?KIfM`^z#syMiYsVh&sPHmPy+kit2PxdDl|JX(39FxjEv zopbv1$6NFx<3%|9sPH=b-wV132M z#>Za&I$Fa?@`IefSUMxJ1xKm?2C!jXaP8mia~O zwDXKetI#=VWt_OvBBcT4MwwTfTxF81d9*zVBJ`F`YblJa_{-C%wiTDdKse{`$b z_vh{M<2?ov+w20ZQDeT=A*?I2n8#g~+8unkJqA(*4+YvaG9ob;1?F4nu(e3^yw;NX zmRTXya(y5mDApD4>}oLqrGaX<48r8-tW)^cWhceD#T776x zbTwo6kFRpcjWKX}cg|0UY8w@y-x~88SNym-k(O2fw+>D+gZ?oBL@G#S!`XClp~OL;Xm6aBl}61@@-c^L!b!hBhuRc;K+Fy36K zGZ4}7>2?sf8F+kJdqHVvE%?ZOUZ8Xq-IyeBi!OQ82dFf~s{nUIuCpZ|^uyzk<DPdIiJs4u>u z^Gxx&jwyD^t1=&p9zdBXt&Nvg&ArvNYQ{2IH|Ggeu)%)FsV?tQd@@+!;mW?3334fD zgGRgq7v6)G^I^VCQ0(l#p6o{hTTXeZ%J(2H{$mSG5_Wv1DTDl^k>Br|a-;WS5*HPT z%Db^OvR;(Bk$@WJiB91cS&sjzh(4+Amu0^JPq$)+0j^F*h}1|?K^+rOsiTkKw)!-! z9_`F@e|Na^hsF+@9K`V)17h%cEhG3fFV*fIb9gL)uGU(XOGX0-0Or&OXP{afthu|( zBMx|Hr~MO_Kf?BEWoj1mGoWw+tF2piRyahzUS^d*HEm|L6Bz;0k474!h0pxuW%HD4 z8eQJrQlT_+>Eu9==AlX)#6w@4-LGR@V@h>zH?tG`8}*H7M5 zn)p_GGv8<4@1M!$$#R`gG2Zkf5g|1yLJm%h!xmPQ9jf^Fg;i78OJV_6B8KvEE&PmM zI))q)Pqo@2o?uS@VZNY@kDPb<1Rr>DtXFJ?@8mO?il zi3e{YEp|t)1H<=jh@h#6^}Ns>j=;=dls5=uEkA#s3dSb;up>XpVIsCiCyaDFgrmi` zEfmqo*H+izi=>z?8|_6v_h9Nhk|xi_%35;`&#)LyRq}pAR^~k{3s3tO1v@p&p)+&c zrtE}$bMi}Ly8zya;959+-aVs|3A>bRpj+G?*vy;mpGzfTHP?z9+$*~CPE5T*G8?}vwYoC^526=fwQ5c~yp0xINJ z-0GC+HsZQ#L^JD+K|!;idaJNgQTm5=A{qv>Wl6WW`nUa&Fk8loKjhCa=#38nrisiL==~02thYFy?D>lQO(;@u1dx44q?|0! 
z+Ro#Gr>z1(l)t13KFFjkTI`BX*UEqV9-IM|pi$)fg8`u3t@$uM@W8v!C$QFDT#>kV zKAw)`ra->y(!o+nQ6VT}Jyd4an^}OvqCoXZjW|P}8Y*FD^MTa_aO$XrY7RI`Or8Ur zxN(JAkbB#4YKg>m|MO#>d%^T;dq5<-IY8}{=w98b58}_d8hTz3sents$Jx5TpRk^f zr&diCeKO@bVN;<{=QYPE5x$k<83}*?)pVlL#$HZ z)~wqb*0s|FFk7qt5Sp(?P`W+$RefRoR>wHLA)|}|s+o&)d!aKfuf}O9H=fTd*R=D^ z&^S1AO}~mPjN75axLljP%XNPI*N;}W)pP^BQnuf14B>;7d;y_P_S;Y1eTB(U_sMjr zKcEg30y(ty!eaPfcm;8E5;ezzW+H}f=Bp9Pj_b_|k$>&XL5>4iJ$j@50t zcp&7teP&--6+!?VHu2)Y_ea5sOPThqn0af$g{8idha^Ow|}P{D3X z1wWglJR$#EI;bwEWA1N}h>19lwlV84X1cG0ZqVuZ!l=(z(HpbDT5llbjKmJVO!43o}Lj0+nHcya=7zGc?eDz%od;7*v3W~ zwV!N7{l zef$&6&WK2Vw(|j$6OTs1n8BhG0;|~XHbgO{7>%ekvNTWTGN`K70t6VO_q9JE`t5V# z%q;ZyWH~*2I8C7U&ay&fIfE+CySoP$$rprDpn8_?;`*B4?kf6M$Xl#S3*J3~MnlAVp?9 z2VG*gLVlYIqKW+8fL(`U7OFK3U?9*fj?z;N3=m34>k^7|kGXUI0ocAGh1IEWI%pyQ z*N}z$qLM<)IsD)R8>29YUa|Au-u&oBx&1 zAR9u^$l^zVp9{1B*^axEBKUOQd7;OxflP;Hw-2kVss_AGA0IReG)d|B#wU7>P2@i* zd#TpW*75~IIy7dMLgQ71uF0jJIVlFU7{1rWvTI*FGi(%jwmx1_an!vT6|vv7>Brqv zB;^}Fne4ei>6P*&BhDaKz$}ju*{2u0w_T;T9#E zvDFJ^0IRpAgKw1@yWxu%xkEBf)+cBHyFYpjiRf!VTF0!&pv!1H!9gb0;YUk=%9qbt zi0!Pi-CfqBnMy`^UEaR9lvTShfis(DmcwuK*o~or5rb=EW&U1-56Su~Jk1XFB%Q^nDca^_OmW z6-N!lg1vJ@-^fAm0($Wpur2RRt`R|&3+N=(o(kbcpxWw)^em0>S=E%QhDN5c8aPyk zq>@GE3Fcb?zHR!YI`DzG_k*oyQ)&~OCG=F-q6MdvRbNHrq?lpT% zq7*mFY%m4a)#M%%pE<6kI7~zRJaK^cB7OI|vJN6lWTX12RqV7Yzfm*#`^=6O!kHMH z(CKB95W`SS`1v1*D3q;+HxL4d!I{Xy&y|;H9KOJ?l@qpkV$(zQvOf1L`Wbh?R&T-y zI}AZv7evKvH_Z4P<&^aZ=e#wG9`k94|huH7M0$jK<%#80_8=$FN3fu&f)=G;`d87tX?>qhZBc3AKt9}tQ0Pqrw zA-)eh3A(3X11Guzpcp`DgX4zWp%g{L1Bm5%1o=Eq`=J>C<@J2O0Cu&xGtm;s6N}E@ z20!WKp=GQ_ur^@z;&3xiHQ3Q&%?hM@E=SD-AsNl&FM}?wA)Kd&vENGk&~w8}twxGh z7))Dr{0%Sr5-O2uh5;T>pZjkR?0;Iu)S&6CLmi@Z1!ZMr10~b~#96VQ4(@V3gNmz1 zkb|v(BdQ$a#5}?=R*!O~DcPaT))qJ|uc4!cBv&E#C2c2n_A1m&CWzx=jVHbUI4)4> z9dKM)*3M9k>5npCK?OgdX9kxz+-nvU3cm$CN*Mrz@pBmtpvfO_&-#$jT@1mmNYFIo zk1v`-OvV4AMTX+dl5#Q)h4gop`waANgw%tI#gYhj5%A(`*}wxz>tErr{yAdk)Sy%P z)FSS5$#74T9~+{EF&?kCD0?ShQH$D%)gDT_NuC2iO4**tMaWvcA*>;!9OlS#$^@XT;JL9%Y$En 
zSzd+pUcXZF6wqI;Pt?BU-B?l)mV>a5DWA^u3ai7lA(6)c*A)7=yw6CQ&itS5NYCs+ zn8kR7wygChBN2@iMV?sGKf1sE*So<SD(4R zLA~8+x6RZB7poD6;@TLpc&EOuR`$wUcqlBMpt!1zvDz^_qtX*?1izN`!v$0Jen&@FP z9+4O^LzFL%o-KMJw(_s<9Rc!=U@tF*0D2k3W7JJ4EJlmV7NQ<#z%EDuu1>2AvzTn3cxix&yt+wc9p z{|H=8Kohxnorno6#B+F*VA}9rRQ?TC%Wd4VZeLE2f&z*l;8_MKzFvg}S`P2-zB~DK#zT@Lo>z20yqU_*%1R?CDe1vcC@Sgh;4o#z z*G&CIHz{`iPA)ba=l=cbKPZ$9;&<}US1~e1w9fD|B8;M_bTXo~Uafqli=c#0X-H8TY7*NJL}9-L|f+`~lxHp|YD zq^uU|9TzV5Yd{`z&X4uq#0awH?k>MP(%QM*4iuT<`)~nlOq2M4oe+I<(wW303nGGQ z*+0aP-;+P`A~50sJ6=&w2?Lq{%Vy5kViz z18v$fp8JT3PL<7IO8P2Xj2Zq>WV0bd+@VL2fY)MAZY-1X!#!8aU}|(IARg@Oa8%;L6rhS zV`G%JH~$O6k$DO1&30g$o;hGZfseicqC7Li>l{%OWDC9%fC(0fymk>>lHn#;?o&cs zMf?AW5P_=&2%CjKa|!bBSaD{d0Jm`t=e-hv1~VoI7`!wS-s_-ua7iVRx+Q&(4}Tsi z>%jS($v}CcYV+Z5vu+aGWI!&1yaCVpSBU9~S&Ey3_lg<}IF{cQq4rkv_c&=r)TF~6 z0Ro$>#AS~wSlGvju~+PO{X5k3BbSX2PKsaew>%ye9mzw26=8o?bR7mJ(6u&TaQmn? zup-)dfxf5m%%s18dLYjtIx~+;IX?R$jaaq^_m#p3LBr#zV2G>t&vTww-PAR#vjS{+ zD8I**U_LCPaQnRajOP(Y)kupy*!(SxLoVM5O_Zf+qDc=zwl=R0n*QdrVl~`p$&{JT zX-&!1cLdut=}7O+h~BO8tko>dN`Re0r00Q*7%RxA?4$OkBJDvnd|-n0 z_YCnBYDII#=U){zkpw{N%d{h^e}Vmp4lHrCy$qK~u)HM=rehq~YE|zvfu2RmH6Ix& zp-^@hJan6@NK5oHG{FsFlV%fF=k z*F|_OCTdOd#!F4}qEy=#NPV7M;Ff5QC7jWBo7C6+RIGh*TTEE1M!V?x+Y;jAWyy-= zS27g}Wg)#Ab!X>K>b99|0v;T94-rL2j|Fav?UmMGKSZ+Rj>YM{H|YvIJDJ6{e7!fE zYd9Ap4t&D?-R<_c;le)aba^!GCQOb-?FX4@nqhb}?Gc7SJfqR`cL$v>5G6eSw%d8r zFf36cem>zxzfGGKk1k@{MNR7hXtOr28F;Yy$W z_}~(;N!l(%A_&wJvA`y(Y%Vh!pvWZ0&sI)Wha#oJ)+&?QlaG}Wou2DyuCnKEa-Y8( zO>koId(^1~yyg!)IT#}3Hxz9h2{I63YSudzvpfhHFmm{cXr;0%BBbw)V{UYnk*P6v zg$k}<3WLIe{0lG8NWV=*J5zp~s0qS)Av+#vUX$Rl(^Z?ty;!Z2 z<0~}qtO#k|`0oAuP*3oi>dqzaCp4!dw+N@DO+}8>H^bRLf0Q3fR8N9cEt#qe$ci9T zbWSlQONdYpl#7llyRta#+@2%Ue$PqIuGxafKRIY5ItWGD!)kVA%^|=>Br@d+rND>I zM)x`!r)IO1CT<}cl#LU}B3IE$|6;+*=QLR4+hiN9B$gT4G;;&Rt$Svmq(AD}ll(m) z@l_IcenKK)`U%OT#OVF&_p%nN1QXGWBB0J**r8>%2{u zbtv_G)cQ!F-N}vM`fZp|;PVH(J6FFACnyIz5bd@C4^>VBwF(ZS=c`FoKt8=Zx~4)Q zyli@YvT-=^TooH^@ss860SC{^!PB{9+6ZeORB#Lj%qXRKVl#-99k%Pr!{LY^0+=m1 
ziN#DvLp-u=XUBxK5IO2-=BT7|27(@IOfgBoDu<&y^3Zn#R5Xm2wS{4VLSA16=;3QP zt2)AZUac2tQUY@C)5`mZUM1&uoZU+?F;;B`kdi00WsK^6dOi|4)$<{KLia;dAu`Cl zZ45RxjL4%_&_*!!fDDP;N_d}g{$otrUbx^y{Af>%-Pb+{k38QB(JQ;4qS5io28tO` zQX}!)q3IrzWB@{C_nz$5*iL9QYyH){o32!As@e!(@p-AkoBWG|wz`sQS*!s`nBoh} zYZ?c#s*i|7uIJYP^6PFw>iFJUo$; zi4DNsVYk;-l(*`NIqaSnCWs~FBqNdCIR>yk)g;B$6=frKx$di46Zs(Z0!oYs7;2J7 zA0+dp^qBYtVos)itSFD2E4B0hby@-*LUM)B=QgmmkYGEzmtoR)a)H z9=Y+6kbwyTVQ0|!P+hQn{YQKU7Vo13V3OC5`GDQ0!_}q^(iWP8PF7821n%SiK~V%= z4V)n0uKy{Run$x;AoDa^;~5T6q68rnU-?~PVCg}QJ=ig;>nW+A9di*pYcZr6iW~pb zD0J6`8uhQx&Fm-eR+S-W8CK?84HZI_6at>&LK{Om=#?#8iM#_X>IR&f1PtZu4K<2Pt3ZzJVHneb-?W(C04yiCT64{plWuDV~cS{J`{CE)MYx zLBd8K={7Pbjz!IXx?(BS>IKOmFcX(ABSHn!iF>G(HpLs#C!;#}|K%rX%Uuyt4;40k z#Aee^fIo*r)~hQ%dqZtflmhI~=)dCM!{!)_<+ncncZ*W0;&wnzIbI zv`P;Y3D&NL)eZei@uAtji@hS4=lc1OG;;LpS5c!=1!{jOeDFrV4hDIb!-caA zS8H?rv8^*SVLpoCX+{zJCbf>oKl?>ebT_daYt0m&xQf|a=E)jHvnY6mvav!>ydHVf zQvVej%*Xkf@mV*U#B1bTEB_g3I#7-nbhTMS9|ahl^GgIkd%znRqg__OhB&80ey5-$ z(RWJQ-_ryxwo{*j1+JC)UlPI(Ickm6iceVANUfjH>@QY~jA$`@c;NA%-u>Cnv+g1P zxOB9R4H1NZL{&?#Se8Mjugl zJj2vxdsdQqXTq^^5xk(@B4hk-_ek?YUZc32*lt^qCCGhrSEceud*|IwroRPm>3jZt zG9mIsJx(HJKz0WTfv(9Xya)#@XHxrVyz=}~S2f!;jL*rD%Y>4hk~AMCf^e@Ux`)u@ z>qh6~xbfxSFTZ}fNEEeW=2cZctX7!$uyKua3cWZHFSh$8o9@t2u{d_cQ{Aqm269xS zZix#<+@a|O3^z4_A2|uf)k^yns+d&+;PO_K02a?vQ})z*Z*N0A%Li2s=?&^^%%a?V z%NJW+Odqy#z+o*dVSz(o_6ON~+d8FCR3m4x)$w*${U%hfs{ z5o~8moSNsL>0>F?cLSO}GdPodDfxlVt^n;xU2$wsF=6THygpE-lEO@zsX*Vx5d79~ zciO7`wRf}5TbRosA$k!t5jL*@a)@^+i8yW}V2kuN7P{el$_QnLD65?}%ni*jX00cn zP7V=+ZqIy%wn*AMV;J%+btJ*esc;PqbohI<{(B^j88pU|QACTCXPY6g3TTfOdTT&v zAV(=N&w+?UuKtz&j6?T5fBN`RHNayw?DiXAxLNvkJN%~+u_KD;Bs-@7)2VTn_n@8) zZG-T2IYigzZFyviuQJ=PD0s`G{CP?sJv`@E2zg%IgvC`IcST5Hu2&@`o;~tadaQyX>Gmx*O%w79>0e-2At zQSS+A{Y7avCsq-ecPTF;34~&ejnln7m_QD4|%n^{tnZaNK(R;8P8@+!rtQ zaDtWdGyqQeDA6+z-z8w86gn-v4r=(NrC^3kd!YoM#S5?IX|rt3C3DMdAK)Zt zeAwePB=U{Aii=`H>8NvY>qc}q&(fy=@i_oKfPy8lpY?IuCOD%>o+YxIIeY6!j&}0e zfo|ylhAlzMi&AOSO?~+{*;vH;AvWACY(pZ(P>B2uKsZur(6;^`aVxH75|Bj(!I`4p 
zgFiuZOhnM+>(DUB#8d+m%ASY)3qVM#RUjLxSEM!v*^3B}*$2`V?p_6E2v=S4a3S4BGpz4#3#8ylNk0L@#ZgN(#ieM_vu{XHnMsn4-Y;p~Rg2+tgPl;(+T6a3@c!xF9VG)nt~2u>u`8g z5FRNgwFi=_aPSx%%-{ot4)`!c5Jjg9RPz7t*uShluL5tfKmZaW^(C0Pc+p}1{a?gq zx1R%w=jj@J`Q!HGBAwiB1x0C(vpZ|Z}Gm-uvsVqC-GDR*pZcYMTj4MGY zuPyATcAX#$t$5=fgL;iMQL^lyjNnU7R&uUZkwJlM$PL(S14aa#nG@1Q{5>^Zq~KF2 zAgTSX5y_)dDkKO0`G_E7YBKT*8Q_WFuK)F>Cj4f``}og5?R~{l-$4##=JQ&Ja7!!0CAFu~?v_Z80oQe+!%`x&ybP++BZ8iUz zxPKn!LwXGp(OShU^p_FocV+Ypztr|WTWT&Z$#~xY0cVg4Qx16J_MiOk*iQqX8rL)aV8aBIC3=+-A^wl%5C}p6 k@Ev*_%Kv}SNWZgNiP#e5&%rN#odf?AWK@ua_n*G}A6_VM>i_@% literal 0 HcmV?d00001 diff --git a/src/courses/delta/01.md b/src/courses/delta/01.md index 543af9d7f..9c01961d6 100644 --- a/src/courses/delta/01.md +++ b/src/courses/delta/01.md @@ -79,6 +79,11 @@ Additional capabilities can be obtained using the `--help` flag on the `delta` c saf generate delta --help ``` +For more information on these commands, refer to the following documentation: + +- [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options) +- [saf generate delta](https://saf-cli.mitre.org/#delta) + ### Glossary of Terms |Term |Definition| diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md index b6d6d61ae..6ea0e8b65 100644 --- a/src/courses/delta/02.md +++ b/src/courses/delta/02.md @@ -25,6 +25,8 @@ and updates them if necessary. Process: Run `update_controls4delta` + + ### Use Case 2 Like Use Case 1 where the IDs are changed, the new controls identified in baseline Y may have changed the control metadata (impact value, descriptions, etc). Running the update controls makes diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md index 620ed4719..5938f80f6 100644 --- a/src/courses/delta/03.md +++ b/src/courses/delta/03.md 
@@ -2,325 +2,19 @@ order: 03 previous: 02.md next: 04.md -title: InSpec Delta - 03 -shortTitle: Delta - Overview 03 +title: InSpec Delta Process- Logging Capabilities +shortTitle: Delta- Logging author: Daniel Medina, George Dias --- -## InSpec Delta Process +## Logging Capabilities of Delta -### Preparing the Profile Before Running Delta Process +#### Report Markdown File (.md) -Before performing delta process, it's beneficial to use a common format. Follow these steps: +Specified by the report flag (`-r`) -1. **Run Rubocop:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`. +#### delta.json -```shell -AllCops: +#### CLIProcessOutput.log - NewCops: enable - - Exclude: - - - "libraries/**/*" - -Layout/LineLength: - - Max: 1500 - - AllowURI: true - - IgnoreCopDirectives: true - -Naming/FileName: - - Enabled: false - -Metrics/BlockLength: - - Max: 1000 - -Lint/ConstantDefinitionInBlock: - - Enabled: false - -# Required for Profiles as it can introduce profile errors - -Style/NumericPredicate: - - Enabled: false - -Style/WordArray: - - Description: "Use %w or %W for an array of words. 
(https://rubystyle.guide#percent-w)" - - Enabled: false - -Style/RedundantPercentQ: - - Enabled: true - -Style/NestedParenthesizedCalls: - - Enabled: false - -Style/TrailingCommaInHashLiteral: - - Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral" - - Enabled: true - - EnforcedStyleForMultiline: no_comma - -Style/TrailingCommaInArrayLiteral: - - Enabled: true - - EnforcedStyleForMultiline: no_comma - -Style/BlockDelimiters: - - Enabled: false - -Lint/AmbiguousBlockAssociation: - - Enabled: false - -Metrics/BlockNesting: - - Enabled: false - -Lint/ShadowingOuterLocalVariable: - - Enabled: false - -Style/FormatStringToken: - - Enabled: false - -Style/FrozenStringLiteralComment: - - Enabled: false - -# The following cops were added to RuboCop, but are not configured. - -# Please set Enabled to either `true` or `false` in your `.rubocop.yml` file. - -# For more information: https://docs.rubocop.org/rubocop/versioning.html - -Gemspec/DateAssignment: # new in 1.10 - - Enabled: true - -Gemspec/RequireMFA: # new in 1.23 - - Enabled: true - -Layout/LineEndStringConcatenationIndentation: # new in 1.18 - - Enabled: true - -Layout/SpaceBeforeBrackets: # new in 1.7 - - Enabled: true - -Lint/AmbiguousAssignment: # new in 1.7 - - Enabled: true - -Lint/AmbiguousOperatorPrecedence: # new in 1.21 - - Enabled: true - -Lint/AmbiguousRange: # new in 1.19 - - Enabled: true - -Lint/DeprecatedConstants: # new in 1.8 - - Enabled: true - -Lint/DuplicateBranch: # new in 1.3 - - Enabled: true - -Lint/DuplicateRegexpCharacterClassElement: # new in 1.1 - - Enabled: true - -Lint/EmptyBlock: # new in 1.1 - - Enabled: true - -Lint/EmptyClass: # new in 1.3 - - Enabled: true - -Lint/EmptyInPattern: # new in 1.16 - - Enabled: true - -Lint/IncompatibleIoSelectWithFiberScheduler: # new in 1.21 - - Enabled: true - -Lint/LambdaWithoutLiteralBlock: # new in 1.8 - - Enabled: true - -Lint/NoReturnInBeginEndBlocks: # new in 1.2 - - Enabled: true - 
-Lint/NumberedParameterAssignment: # new in 1.9 - - Enabled: true - -Lint/OrAssignmentToConstant: # new in 1.9 - - Enabled: true - -Lint/RedundantDirGlobSort: # new in 1.8 - - Enabled: true - -Lint/RequireRelativeSelfPath: # new in 1.22 - - Enabled: true - -Lint/SymbolConversion: # new in 1.9 - - Enabled: true - -Lint/ToEnumArguments: # new in 1.1 - - Enabled: true - -Lint/TripleQuotes: # new in 1.9 - - Enabled: true - -Lint/UnexpectedBlockArity: # new in 1.5 - - Enabled: true - -Lint/UnmodifiedReduceAccumulator: # new in 1.1 - - Enabled: true - -Lint/UselessRuby2Keywords: # new in 1.23 - - Enabled: true - -Naming/BlockForwarding: # new in 1.24 - - Enabled: true - -Security/IoMethods: # new in 1.22 - - Enabled: true - -Style/ArgumentsForwarding: # new in 1.1 - - Enabled: true - -Style/CollectionCompact: # new in 1.2 - - Enabled: true - -Style/DocumentDynamicEvalDefinition: # new in 1.1 - - Enabled: true - -Style/EndlessMethod: # new in 1.8 - - Enabled: true - -Style/FileRead: # new in 1.24 - - Enabled: true - -Style/FileWrite: # new in 1.24 - - Enabled: true - -Style/HashConversion: # new in 1.10 - - Enabled: true - -Style/HashExcept: # new in 1.7 - - Enabled: true - -Style/IfWithBooleanLiteralBranches: # new in 1.9 - - Enabled: true - -Style/InPatternThen: # new in 1.16 - - Enabled: true - -Style/MapToHash: # new in 1.24 - - Enabled: true - -Style/MultilineInPatternThen: # new in 1.16 - - Enabled: true - -Style/NegatedIfElseCondition: # new in 1.2 - - Enabled: true - -Style/NilLambda: # new in 1.3 - - Enabled: true - -Style/NumberedParameters: # new in 1.22 - - Enabled: true - -Style/NumberedParametersLimit: # new in 1.22 - - Enabled: true - -Style/OpenStructUse: # new in 1.23 - - Enabled: true - -Style/QuotedSymbols: # new in 1.16 - - Enabled: true - -Style/RedundantArgument: # new in 1.4 - - Enabled: true - -Style/RedundantSelfAssignmentBranch: # new in 1.19 - - Enabled: true - -Style/SelectByRegexp: # new in 1.22 - - Enabled: true - -Style/StringChars: # new in 
1.12 - - Enabled: true - -Style/SwapValues: # new in 1.1 - - Enabled: true -``` - - - - bundle exec rake [inspec or cinc-auditor]:check # validate the inspec profile - bundle exec rake lint # Run RuboCop - bundle exec rake lint:autocorrect # Autocorrect RuboCop offenses (only when it's safe) - bundle exec rake lint:autocorrect_all # Autocorrect RuboCop offenses (safe and unsafe) - bundle exec rake pre_commit_checks # pre-commit checks - -:::note -In the past, cookstyle format was used. However, support for cookstyle formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence rubocop is preferred. -::: \ No newline at end of file +Outputted to the directory where the delta process is being executed. \ No newline at end of file diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md index 0bedb42a9..85cc18248 100644 --- a/src/courses/delta/04.md +++ b/src/courses/delta/04.md 
@@ -1,45 +1,326 @@ --- order: 04 previous: 03.md -title: InSpec Delta - 04 -shortTitle: Delta - 04 -author: Aaron Lippold +next: 05.md +title: InSpec Delta - 03 +shortTitle: Delta - Overview 03 +author: Daniel Medina, George Dias --- -## Prepair Your Environment +## InSpec Delta Process -Summary / conclusion of the process +### Preparing the Profile Before Running Delta Process -Additional technical details +Before performing delta process, it's beneficial to use a common format. Follow these steps: -- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file. -- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command. +1. **Run Rubocop:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`. -## Delta Workflow Process +```shell +AllCops: -![Delta Workflow Process](https://user-images.githubusercontent.com/13986875/228628448-ad6b9fd9-d165-4e65-95e2-a951031d19e2.png "Delta Workflow Process Image") + NewCops: enable -## Using Delta + Exclude: -The SAF InSpec Delta workflow typically involves two phases, `preformatting` and `delta`. + - "libraries/**/*" + +Layout/LineLength: -Before starting, ensure you have the latest SAF-CLI, the InSpec Profile JSON file, and the updated guidance file. + Max: 1500 -1. **Preformat the Source Profile:** Before running the Delta command, preformat your source profile (usually the Patch Release profile) using the `saf generate update_controls4delta` command. This prepares the profile for the Delta process. -2. 
**Run the Delta Command:** Execute `saf generate delta [arguments]` to start the Delta process. + AllowURI: true -For more information on these commands, refer to the following documentation: + IgnoreCopDirectives: true + +Naming/FileName: -- [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options) -- [saf generate delta](https://saf-cli.mitre.org/#delta) + Enabled: false + +Metrics/BlockLength: -### Scope of Changes by Delta + Max: 1000 + +Lint/ConstantDefinitionInBlock: -Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it replaces the 'control metadata' using the content from the supplied XCCDF guidance document. This applies to controls that map from baseline X to baseline Y. + Enabled: false + +# Required for Profiles as it can introduce profile errors -### Further InSpec Delta Information and Background +Style/NumericPredicate: -- The original Delta branch can be found [here](https://github.com/mitre/saf/pull/485). -- Delta moves lines not labeled with 'desc' to the bottom, between tags and InSpec code. -- Whether the controls are formatted to be 80 lines or not, Delta exhibits the same behavior with the extra text. -- Parameterizing should be considered. + Enabled: false + +Style/WordArray: + + Description: "Use %w or %W for an array of words. 
(https://rubystyle.guide#percent-w)" + + Enabled: false + +Style/RedundantPercentQ: + + Enabled: true + +Style/NestedParenthesizedCalls: + + Enabled: false + +Style/TrailingCommaInHashLiteral: + + Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral" + + Enabled: true + + EnforcedStyleForMultiline: no_comma + +Style/TrailingCommaInArrayLiteral: + + Enabled: true + + EnforcedStyleForMultiline: no_comma + +Style/BlockDelimiters: + + Enabled: false + +Lint/AmbiguousBlockAssociation: + + Enabled: false + +Metrics/BlockNesting: + + Enabled: false + +Lint/ShadowingOuterLocalVariable: + + Enabled: false + +Style/FormatStringToken: + + Enabled: false + +Style/FrozenStringLiteralComment: + + Enabled: false + +# The following cops were added to RuboCop, but are not configured. + +# Please set Enabled to either `true` or `false` in your `.rubocop.yml` file. + +# For more information: https://docs.rubocop.org/rubocop/versioning.html + +Gemspec/DateAssignment: # new in 1.10 + + Enabled: true + +Gemspec/RequireMFA: # new in 1.23 + + Enabled: true + +Layout/LineEndStringConcatenationIndentation: # new in 1.18 + + Enabled: true + +Layout/SpaceBeforeBrackets: # new in 1.7 + + Enabled: true + +Lint/AmbiguousAssignment: # new in 1.7 + + Enabled: true + +Lint/AmbiguousOperatorPrecedence: # new in 1.21 + + Enabled: true + +Lint/AmbiguousRange: # new in 1.19 + + Enabled: true + +Lint/DeprecatedConstants: # new in 1.8 + + Enabled: true + +Lint/DuplicateBranch: # new in 1.3 + + Enabled: true + +Lint/DuplicateRegexpCharacterClassElement: # new in 1.1 + + Enabled: true + +Lint/EmptyBlock: # new in 1.1 + + Enabled: true + +Lint/EmptyClass: # new in 1.3 + + Enabled: true + +Lint/EmptyInPattern: # new in 1.16 + + Enabled: true + +Lint/IncompatibleIoSelectWithFiberScheduler: # new in 1.21 + + Enabled: true + +Lint/LambdaWithoutLiteralBlock: # new in 1.8 + + Enabled: true + +Lint/NoReturnInBeginEndBlocks: # new in 1.2 + + Enabled: true + 
+Lint/NumberedParameterAssignment: # new in 1.9 + + Enabled: true + +Lint/OrAssignmentToConstant: # new in 1.9 + + Enabled: true + +Lint/RedundantDirGlobSort: # new in 1.8 + + Enabled: true + +Lint/RequireRelativeSelfPath: # new in 1.22 + + Enabled: true + +Lint/SymbolConversion: # new in 1.9 + + Enabled: true + +Lint/ToEnumArguments: # new in 1.1 + + Enabled: true + +Lint/TripleQuotes: # new in 1.9 + + Enabled: true + +Lint/UnexpectedBlockArity: # new in 1.5 + + Enabled: true + +Lint/UnmodifiedReduceAccumulator: # new in 1.1 + + Enabled: true + +Lint/UselessRuby2Keywords: # new in 1.23 + + Enabled: true + +Naming/BlockForwarding: # new in 1.24 + + Enabled: true + +Security/IoMethods: # new in 1.22 + + Enabled: true + +Style/ArgumentsForwarding: # new in 1.1 + + Enabled: true + +Style/CollectionCompact: # new in 1.2 + + Enabled: true + +Style/DocumentDynamicEvalDefinition: # new in 1.1 + + Enabled: true + +Style/EndlessMethod: # new in 1.8 + + Enabled: true + +Style/FileRead: # new in 1.24 + + Enabled: true + +Style/FileWrite: # new in 1.24 + + Enabled: true + +Style/HashConversion: # new in 1.10 + + Enabled: true + +Style/HashExcept: # new in 1.7 + + Enabled: true + +Style/IfWithBooleanLiteralBranches: # new in 1.9 + + Enabled: true + +Style/InPatternThen: # new in 1.16 + + Enabled: true + +Style/MapToHash: # new in 1.24 + + Enabled: true + +Style/MultilineInPatternThen: # new in 1.16 + + Enabled: true + +Style/NegatedIfElseCondition: # new in 1.2 + + Enabled: true + +Style/NilLambda: # new in 1.3 + + Enabled: true + +Style/NumberedParameters: # new in 1.22 + + Enabled: true + +Style/NumberedParametersLimit: # new in 1.22 + + Enabled: true + +Style/OpenStructUse: # new in 1.23 + + Enabled: true + +Style/QuotedSymbols: # new in 1.16 + + Enabled: true + +Style/RedundantArgument: # new in 1.4 + + Enabled: true + +Style/RedundantSelfAssignmentBranch: # new in 1.19 + + Enabled: true + +Style/SelectByRegexp: # new in 1.22 + + Enabled: true + +Style/StringChars: # new in 
1.12 + + Enabled: true + +Style/SwapValues: # new in 1.1 + + Enabled: true +``` + + + + bundle exec rake [inspec or cinc-auditor]:check # validate the inspec profile + bundle exec rake lint # Run RuboCop + bundle exec rake lint:autocorrect # Autocorrect RuboCop offenses (only when it's safe) + bundle exec rake lint:autocorrect_all # Autocorrect RuboCop offenses (safe and unsafe) + bundle exec rake pre_commit_checks # pre-commit checks + +:::note +In the past, cookstyle format was used. However, support for cookstyle formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence rubocop is preferred. +::: \ No newline at end of file diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md new file mode 100644 index 000000000..aa9c2896a --- /dev/null +++ b/src/courses/delta/05.md 
@@ -0,0 +1,25 @@
+---
+order: 05
+previous: 04.md
+title: InSpec Delta - Additional Technical Details
+shortTitle: Delta - Technical Details
+author: Daniel Medina, George Dias
+---
+
+## Additional Technical Details
+
+- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file.
+- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` or `cinc-auditor json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command.
+
+### update_controls4delta process
+
+![update_controls4delta process](../../assets/img/update_controls4delta_diagram.png)
+
+### delta Process
+
+![Delta Workflow Process](../../assets/img/delta_diagram.png)
+
+### Scope of Changes by Delta
+
+Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it replaces the 'control metadata' using the content from the supplied XCCDF guidance document. This applies to controls that map from baseline X to baseline Y.
+
From b653c660d762ed904ce57669430b6f1d6a082d94 Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 12:49:58 -0500 Subject: [PATCH 08/71] Revise structure --- src/courses/delta/01.md | 93 ---------- src/courses/delta/02.md | 78 ++------- src/courses/delta/03.md | 80 ++++++++- src/courses/delta/04.md | 341 ++++-------------------------------- src/courses/delta/05.md | 24 +-- src/courses/delta/06.md | 324 ++++++++++++++++++++++++++++++++++ src/courses/delta/07.md | 23 +++ src/courses/delta/README.md | 22 +++ 8 files changed, 503 insertions(+), 482 deletions(-) delete mode 100644 src/courses/delta/01.md create mode 100644 src/courses/delta/06.md create mode 100644 src/courses/delta/07.md create mode 100644 src/courses/delta/README.md
diff --git a/src/courses/delta/01.md b/src/courses/delta/01.md
deleted file mode 100644
index 9c01961d6..000000000
--- a/src/courses/delta/01.md
+++ /dev/null
@@ -1,93 +0,0 @@ ---- -order: 01 -next: 02.md -title: InSpec Delta - Updating Profiles Baselines -shortTitle: Delta Process - Overview -author: Daniel Medina, George Dias ---- - -## InSpec Delta - -### Overview - -Inspec Delta process is a SAF CLI functionality that automates and facilitates the process of changing inspec profile baselines. - -::: note -When referring to inspec profiles, there are distinctions: -Inspec profile repository: contains the controls, code, etc. -Inspec profile file: JSON formatted file containing profile summary, used as input for these delta process. -::: - -The SAF CLI Delta process can include two distinct processes: -1. Updates Controls for Delta (`update_controls4delta`) -2. Delta (`delta`) - -::: warning -This process has been tested using DISA XCCDF STIGs Guidance files only -::: - -### Update Controls for Delta - -The `update_controls4delta` process is used to prepare profile controls from one [SRG](#glossary-of-terms) or [STIG](#glossary-of-terms) baseline to another. The controls are updated based on guidance based on guidance provided by the appropriate Extendible Configuration Checklist Description Format ([XCCDF](#glossary-of-terms)). - -The `update_controls4delta` process may be the only command needed to facilitate changes to Inspec profile baselines (delta process), refer to [use cases for running delta](./02.html#use-cases-for-running-delta). - -The process of preparing controls from one baseline to another (baseline X to Y) consists of: - -1. The directory where baseline X controls are located is provided. -2. An InSpec json formatted file containing all baseline X controls is provided or generated. - a - The json file is generated using the [inspec or cinc-auditor] json CLI command -3. A XCCDF file containing the new baseline Y guidance is provided. The file is obtained from the appropriate site. - a - The baseline Y XCCDF lists all controls appropriate for the provided baseline. 
It also includes (most often) a field (legacy) where it indicates the control's previous name(s). The process uses this field to map old control names to the new controls. - b - If there is no mapping found, then the `delta` process must be invoked to convert the baselines ([see use cases](./02.html#use-cases-for-running-delta)) - -You can invoke the command as such: -```shell -saf generate update_controls4delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -c baseline_X_controls_directory -``` - -Additional capabilities can be obtained using the `--help` flag on the `update_controls4delta` command as such: -```shell -saf generate update_controls4delta --help -``` - -The renaming of controls can be done either using the group ID (use `--help` for additional info) or the legacy field contained within the XCCDF. - -### Delta - -If the delta between baseline X and Y does not encompass tracability, the update_controls4delta command will not identify any profiles and will therefore not update any controls to the new baseline (no mapping). - -The `delta` process extends the capabilities of the `update_controls4delta` process by providing the following functionalities: - -1. Creates new controls found in updated guidances -2. Fuzzy matching capability (optional) - a - Maps controls based on similarity and not control IDs - b - For controls which a match is found, the describe block (code) within the old control is mapped over to the new control -3. Detailed logging - a - report file (.md), mapping statistics (CliProcessOutput.log) - -You can invoke the command as such: -```shell -saf generate delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -o new_baseline_Y_controls_directory -M -c baseline_X_controls_directory -``` -::: tip -The `-M` and `-c` flags can be removed if not using fuzzy matching feature. 
-:::
-
-Additional capabilities can be obtained using the `--help` flag on the `delta` command as such:
-```shell
-saf generate delta --help
-```
-
-For more information on these commands, refer to the following documentation:
-
-- [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options)
-- [saf generate delta](https://saf-cli.mitre.org/#delta)
-
-### Glossary of Terms
-
-|Term |Definition|
-|------|-----------|
-|XCCDF| The XCCDF document is an XML formatted file that containing the updated structured collection of security configuration rules for a specific target system. |
-|SRG| Security Requirements Guides are documents that provide detailed security requirements for various technologies, applications,databases, and operating systems. SRGs offer guidance on how to configure and secure different technologies to meet specific security standards. |
-|STIG|Security Technical Implementation Guides are configuration standards that provide technical guidance for securing software, networks, servers, and computers. They are based on Department of Defense (DoD) policy and security controls. |
\ No newline at end of file
diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md
index 6ea0e8b65..f5d06629a 100644
--- a/src/courses/delta/02.md
+++ b/src/courses/delta/02.md
@@ -1,72 +1,28 @@ --- order: 02 -previous: 01.md next: 03.md -title: InSpec Delta Process- Use Cases -shortTitle: Delta - Use Cases +title: 2. Delta Process Requirements author: Daniel Medina, George Dias --- -## Use Cases for Running Delta +## 2.1 Requirements: +To conduct the delta process, the following are needed: -There are several use cases for conducting the delta process. +1. An inspec profile + a. Clone or download an existing profile from a repository source to your local environment. +2. A guidance file (XCCDF) + a. Download either a DISA STIG or a CIS Benchmark from the appropriate site. -[Use Case 1](#use-case-1) - Check and update control IDs based on new guidance (run update controls) -[Use Case 2](#use-case-2) - Update control IDs and metadata (run update controls) -[Use Case 3](#use-case-3) - Update control IDs based on group ID (run update controls) -[Use Case 4](#use-case-4) - No mappings were found using update controls (run Delta with fuzzy matching) -[Use Case 5](#use-case-5) - Generate stubs for new controls found in XCCDF (run Delta w/o fuzzy matching) +::: note Using Generated Profile Stubs +Although not a requirement, it is recommended to use a generated profile stub from the `saf generate inspec_profile` command to use as a skeleton profile based on the XCCDF benchmark guidance (STIG or CIS). This ensures consistency across profiles. +::: -### Use Case 1 -Updated guidances sometimes modify the control identification (IDs) values of a given control. -To make these modification from baseline X to baseline Y the update controls process with the -provided XCCDF guidance. The process checks if the new guidance changes the control numbers -and updates them if necessary. +The [Delta CLI Tools section](./03.md#31-cli-tools) covers specific requirements for both the `delta` and `update_controls4delta` commands. 
-Process: Run `update_controls4delta` +## 2.2 Glossary of Terms - - -### Use Case 2 -Like Use Case 1 where the IDs are changed, the new controls identified in baseline Y may have -changed the control metadata (impact value, descriptions, etc). Running the update controls makes -use of baseline Y metadata and updates the control with the describe block (code) from baseline X. - -Process: Run `update_controls4delta` - -### Use Case 3 -If there isn't any mapping between baseline X and Y using the default rule identification (rule Id) -for the control, it may be necessary to index the controls based on controls group identifications -(group Id). Running the update controls with the group Id may be required to provide a -mapping from baseline X to Y. - -Process: Run `update_controls4delta` - -### Use Case 4 -Running update controls may result in no controls being updated / no mappings were found from -baseline X to baseline Y. This could be due to there being too many revisions / releases between -the two baselines creating no way to map between them. In this case, we have no alternative -but to use Delta with fuzzy matching. - -Process: Run `delta` - -### Use Case 5 -Most often the new guidances contain new controls that weren't previously defined, in this -case running the delta process generates the control stubs with all metadata, minus the -describe block (code) content. - -Process: Run `delta` - -### Use Case 6 -The `delta` process is also capable of updating control metadata when the control IDs haven't been renamed. However, unlike `update_controls4delta`, the delta process will produce several artifacts: - -Process: Run `delta` - -#### Report Markdown File (.md) - -Specified by the report flag (`-r`) - -#### delta.json - -#### CLIProcessOutput.log -Outputted to the directory where the delta process is being executed. 
\ No newline at end of file
+|Term |Definition|
+|------|-----------|
+|XCCDF| The XCCDF document is an XML formatted file that containing the updated structured collection of security configuration rules for a specific target system. |
+|SRG| Security Requirements Guides are documents that provide detailed security requirements for various technologies, applications,databases, and operating systems. SRGs offer guidance on how to configure and secure different technologies to meet specific security standards. |
+|STIG|Security Technical Implementation Guides are configuration standards that provide technical guidance for securing software, networks, servers, and computers. They are based on Department of Defense (DoD) policy and security controls. |
\ No newline at end of file
diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md
index 5938f80f6..40671fd2c 100644
--- a/src/courses/delta/03.md
+++ b/src/courses/delta/03.md
@@ -1,20 +1,82 @@ --- order: 03 -previous: 02.md next: 04.md -title: InSpec Delta Process- Logging Capabilities -shortTitle: Delta- Logging +title: 3. Delta Process CLI Tools author: Daniel Medina, George Dias --- -## Logging Capabilities of Delta +## 3.1 CLI Tools -#### Report Markdown File (.md) +The delta process consists of either or both of the following commands: +1. Updates Controls for Delta (`update_controls4delta`) +2. Delta (`delta`) -Specified by the report flag (`-r`) +::: note About Inspec Profiles +When referring to inspec profiles, there are distinctions: +Inspec profile repository: contains the controls, code, etc. +Inspec profile file: JSON formatted file containing profile summary, used as input for these delta process. +::: -#### delta.json +### 3.2 Update Controls for Delta -#### CLIProcessOutput.log +The `update_controls4delta` process is used to prepare profile controls from one [SRG](#glossary-of-terms) or [STIG](#glossary-of-terms) baseline to another. The controls are updated based on guidance based on guidance provided by the appropriate Extendible Configuration Checklist Description Format ([XCCDF](#glossary-of-terms)). -Outputted to the directory where the delta process is being executed. \ No newline at end of file +update_controls4delta specifically updates existing controls within an inspec profile repository. + +The `update_controls4delta` process may be the only command needed to facilitate changes to Inspec profile baselines (delta process), refer to [use cases for running delta](./03.html#use-cases-for-running-delta). + +The process of preparing controls from one baseline to another (baseline X to Y) consists of: + +1. The directory where baseline X controls are located is provided. +3. An InSpec json formatted file containing all baseline X controls is provided or generated. + a - The json file is generated using the [inspec or cinc-auditor] json CLI command +3. A XCCDF file containing the new baseline Y guidance is provided. 
The file is obtained from the appropriate site. + a - The baseline Y XCCDF lists all controls appropriate for the provided baseline. It also includes (most often) a field (legacy) where it indicates the control's previous name(s). The process uses this field to map old control names to the new controls. + b - If there is no mapping found, then the `delta` process must be invoked to convert the baselines ([see use cases](./03.html#use-cases-for-running-delta)) + +You can invoke the command as such: +```shell +saf generate update_controls4delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -c baseline_X_controls_directory +``` + +Additional capabilities can be obtained using the `--help` flag on the `update_controls4delta` command as such: +```shell +saf generate update_controls4delta --help +``` + +The renaming of controls can be done either using the group ID (use `--help` for additional info) or the legacy field contained within the XCCDF. + +If there is no way to trace controls in baseline X to its corresponding controls in baseline Y, then `update_controls4delta` will not update any controls (no mapping). + +### 3.3 Delta + +The `delta` process extends the capabilities of the `update_controls4delta` process by providing the following functionalities: + +1. Creates new controls found in updated guidances +3. Fuzzy matching capability (optional) + a - Maps controls based on similarity and not control IDs + b - For controls which a match is found, the describe block (code) within the old control is mapped over to the new control +3. Detailed logging + a - report file (.md), mapping statistics (CliProcessOutput.log) + +You can invoke the command as such: +```shell +saf generate delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -o new_baseline_Y_controls_directory -M -c baseline_X_controls_directory +``` +::: tip Optional Fuzzy Matching Flags +The `-M` and `-c` flags can be removed if not using fuzzy matching feature. 
+:::
+
+Additional capabilities can be obtained using the `--help` flag on the `delta` command as such:
+```shell
+saf generate delta --help
+```
+
+For more information on these commands, refer to the following documentation:
+
+- [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options)
+- [saf generate delta](https://saf-cli.mitre.org/#delta)
+
+::: warning
+This process has been tested using DISA XCCDF STIG Benchmark Guidances only.
+:::
diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md
index 85cc18248..5c0e1188c 100644
--- a/src/courses/delta/04.md
+++ b/src/courses/delta/04.md
@@ -1,326 +1,61 @@ --- order: 04 -previous: 03.md next: 05.md -title: InSpec Delta - 03 -shortTitle: Delta - Overview 03 +title: 4. Delta Use Cases author: Daniel Medina, George Dias --- -## InSpec Delta Process +## 4.1 Use Cases for Running Delta -### Preparing the Profile Before Running Delta Process +There are several situations that warrant the use of the delta process. These are broken down in the following use cases: -Before performing delta process, it's beneficial to use a common format. Follow these steps: +[Use Case 1](#use-case-1) - Check and update control IDs and metadata based on new guidance (run update controls) +[Use Case 2](#use-case-2) - Update control IDs based on group ID (run update controls) +[Use Case 3](#use-case-3) - Update controls but create a backup (run update controls) +[Use Case 4](#use-case-4) - No mappings were found using update controls (run Delta with fuzzy matching) +[Use Case 5](#use-case-5) - Generate stubs for new controls found in XCCDF (run Delta w/o fuzzy matching) -1. **Run Rubocop:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`. +### 4.1.1 Use Case 1 +Updated guidances sometimes modify the control identification (IDs) values of a given control. +To make these modification from baseline X to baseline Y the update controls process with the +provided XCCDF guidance. The process checks if the new guidance changes the control numbers +and updates them if necessary. 
-```shell -AllCops: +if everything is already updated, then it only renames - NewCops: enable +Process: Run `update_controls4delta` - Exclude: +### 4.1.2 Use Case 2 - - "libraries/**/*" - -Layout/LineLength: +If there isn't any mapping between baseline X and Y using the default rule identification (rule Id) +for the control, it may be necessary to index the controls based on controls group identifications +(group Id). Running the update controls with the group Id may be required to provide a +mapping from baseline X to Y. - Max: 1500 +Use the -g flag - AllowURI: true +Process: Run `update_controls4delta` +### 4.1.3 Use Case 3 - IgnoreCopDirectives: true - -Naming/FileName: +Like Use Case 1 where the IDs are changed, the new controls identified in baseline Y may have changed the control metadata (impact value, descriptions, etc). Running the update controls makes +use of baseline Y metadata and updates the control with the describe block (code) from baseline X. - Enabled: false - -Metrics/BlockLength: +use the -b flag - Max: 1000 - -Lint/ConstantDefinitionInBlock: +Process: Run `update_controls4delta` - Enabled: false - -# Required for Profiles as it can introduce profile errors -Style/NumericPredicate: +### 4.1.4 Use Case 4 +Running update controls may result in no controls being updated / no mappings were found from +baseline X to baseline Y. This could be due to there being too many revisions / releases between +the two baselines creating no way to map between them. In this case, we have no alternative +but to use Delta with fuzzy matching. - Enabled: false - -Style/WordArray: +Process: Run `delta` - Description: "Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)" +### 4.1.5 Use Case 5 +Most often the new guidances contain new controls that weren't previously defined, in this +case running the delta process generates the control stubs with all metadata, minus the +describe block (code) content. 
- Enabled: false - -Style/RedundantPercentQ: - - Enabled: true - -Style/NestedParenthesizedCalls: - - Enabled: false - -Style/TrailingCommaInHashLiteral: - - Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral" - - Enabled: true - - EnforcedStyleForMultiline: no_comma - -Style/TrailingCommaInArrayLiteral: - - Enabled: true - - EnforcedStyleForMultiline: no_comma - -Style/BlockDelimiters: - - Enabled: false - -Lint/AmbiguousBlockAssociation: - - Enabled: false - -Metrics/BlockNesting: - - Enabled: false - -Lint/ShadowingOuterLocalVariable: - - Enabled: false - -Style/FormatStringToken: - - Enabled: false - -Style/FrozenStringLiteralComment: - - Enabled: false - -# The following cops were added to RuboCop, but are not configured. - -# Please set Enabled to either `true` or `false` in your `.rubocop.yml` file. - -# For more information: https://docs.rubocop.org/rubocop/versioning.html - -Gemspec/DateAssignment: # new in 1.10 - - Enabled: true - -Gemspec/RequireMFA: # new in 1.23 - - Enabled: true - -Layout/LineEndStringConcatenationIndentation: # new in 1.18 - - Enabled: true - -Layout/SpaceBeforeBrackets: # new in 1.7 - - Enabled: true - -Lint/AmbiguousAssignment: # new in 1.7 - - Enabled: true - -Lint/AmbiguousOperatorPrecedence: # new in 1.21 - - Enabled: true - -Lint/AmbiguousRange: # new in 1.19 - - Enabled: true - -Lint/DeprecatedConstants: # new in 1.8 - - Enabled: true - -Lint/DuplicateBranch: # new in 1.3 - - Enabled: true - -Lint/DuplicateRegexpCharacterClassElement: # new in 1.1 - - Enabled: true - -Lint/EmptyBlock: # new in 1.1 - - Enabled: true - -Lint/EmptyClass: # new in 1.3 - - Enabled: true - -Lint/EmptyInPattern: # new in 1.16 - - Enabled: true - -Lint/IncompatibleIoSelectWithFiberScheduler: # new in 1.21 - - Enabled: true - -Lint/LambdaWithoutLiteralBlock: # new in 1.8 - - Enabled: true - -Lint/NoReturnInBeginEndBlocks: # new in 1.2 - - Enabled: true - -Lint/NumberedParameterAssignment: # new in 1.9 - - 
Enabled: true - -Lint/OrAssignmentToConstant: # new in 1.9 - - Enabled: true - -Lint/RedundantDirGlobSort: # new in 1.8 - - Enabled: true - -Lint/RequireRelativeSelfPath: # new in 1.22 - - Enabled: true - -Lint/SymbolConversion: # new in 1.9 - - Enabled: true - -Lint/ToEnumArguments: # new in 1.1 - - Enabled: true - -Lint/TripleQuotes: # new in 1.9 - - Enabled: true - -Lint/UnexpectedBlockArity: # new in 1.5 - - Enabled: true - -Lint/UnmodifiedReduceAccumulator: # new in 1.1 - - Enabled: true - -Lint/UselessRuby2Keywords: # new in 1.23 - - Enabled: true - -Naming/BlockForwarding: # new in 1.24 - - Enabled: true - -Security/IoMethods: # new in 1.22 - - Enabled: true - -Style/ArgumentsForwarding: # new in 1.1 - - Enabled: true - -Style/CollectionCompact: # new in 1.2 - - Enabled: true - -Style/DocumentDynamicEvalDefinition: # new in 1.1 - - Enabled: true - -Style/EndlessMethod: # new in 1.8 - - Enabled: true - -Style/FileRead: # new in 1.24 - - Enabled: true - -Style/FileWrite: # new in 1.24 - - Enabled: true - -Style/HashConversion: # new in 1.10 - - Enabled: true - -Style/HashExcept: # new in 1.7 - - Enabled: true - -Style/IfWithBooleanLiteralBranches: # new in 1.9 - - Enabled: true - -Style/InPatternThen: # new in 1.16 - - Enabled: true - -Style/MapToHash: # new in 1.24 - - Enabled: true - -Style/MultilineInPatternThen: # new in 1.16 - - Enabled: true - -Style/NegatedIfElseCondition: # new in 1.2 - - Enabled: true - -Style/NilLambda: # new in 1.3 - - Enabled: true - -Style/NumberedParameters: # new in 1.22 - - Enabled: true - -Style/NumberedParametersLimit: # new in 1.22 - - Enabled: true - -Style/OpenStructUse: # new in 1.23 - - Enabled: true - -Style/QuotedSymbols: # new in 1.16 - - Enabled: true - -Style/RedundantArgument: # new in 1.4 - - Enabled: true - -Style/RedundantSelfAssignmentBranch: # new in 1.19 - - Enabled: true - -Style/SelectByRegexp: # new in 1.22 - - Enabled: true - -Style/StringChars: # new in 1.12 - - Enabled: true - -Style/SwapValues: # new 
in 1.1 - - Enabled: true -``` - - - - bundle exec rake [inspec or cinc-auditor]:check # validate the inspec profile - bundle exec rake lint # Run RuboCop - bundle exec rake lint:autocorrect # Autocorrect RuboCop offenses (only when it's safe) - bundle exec rake lint:autocorrect_all # Autocorrect RuboCop offenses (safe and unsafe) - bundle exec rake pre_commit_checks # pre-commit checks - -:::note -In the past, cookstyle format was used. However, support for cookstyle formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence rubocop is preferred. -::: \ No newline at end of file +Process: Run `delta` \ No newline at end of file diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index aa9c2896a..d69f13f05 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md 
@@ -1,25 +1,17 @@
 ---
 order: 05
-previous: 04.md
-title: InSpec Delta - Additional Technical Details
-shortTitle: Delta - Technical Details
+next: 06.md
+title: 5. Delta Logging Capabilities
 author: Daniel Medina, George Dias
 ---
+## 5. Logging Capabilities of Delta
-## Additional Technical Details
+### Report Markdown File (.md)
-- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file.
-- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` or `cinc-auditor json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command.
+Specified by the report flag (`-r`)
-### update_controls4delta process
+### delta.json
-![update_controls4delta process](../../assets/img/update_controls4delta_diagram.png)
-
-### delta Process
-
-![Delta Workflow Process](../../assets/img/delta_diagram.png)
-
-### Scope of Changes by Delta
-
-Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it replaces the 'control metadata' using the content from the supplied XCCDF guidance document. This applies to controls that map from baseline X to baseline Y.
+### CLIProcessOutput.log
+Outputted to the directory where the delta process is being executed.
\ No newline at end of file
diff --git a/src/courses/delta/06.md b/src/courses/delta/06.md
new file mode 100644
index 000000000..d5c1ac10e
--- /dev/null
+++ b/src/courses/delta/06.md
@@ -0,0 +1,324 @@
+---
+order: 06
+next: 07.md
+title: 6. Delta Formatting
+author: Daniel Medina, George Dias
+---
+
+## 6. InSpec Delta Formatting Process
+
+### Preparing the Profile Before Running Delta Process
+
+Before performing delta process, it's beneficial to use a common format. Follow these steps:
+
+1. **Run Rubocop:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`.
+
+```shell
+AllCops:
+
+ NewCops: enable
+
+ Exclude:
+
+ - "libraries/**/*"
+
+Layout/LineLength:
+
+ Max: 1500
+
+ AllowURI: true
+
+ IgnoreCopDirectives: true
+
+Naming/FileName:
+
+ Enabled: false
+
+Metrics/BlockLength:
+
+ Max: 1000
+
+Lint/ConstantDefinitionInBlock:
+
+ Enabled: false
+
+# Required for Profiles as it can introduce profile errors
+
+Style/NumericPredicate:
+
+ Enabled: false
+
+Style/WordArray:
+
+ Description: "Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)"
+
+ Enabled: false
+
+Style/RedundantPercentQ:
+
+ Enabled: true
+
+Style/NestedParenthesizedCalls:
+
+ Enabled: false
+
+Style/TrailingCommaInHashLiteral:
+
+ Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral"
+
+ Enabled: true
+
+ EnforcedStyleForMultiline: no_comma
+
+Style/TrailingCommaInArrayLiteral:
+
+ Enabled: true
+
+ EnforcedStyleForMultiline: no_comma
+
+Style/BlockDelimiters:
+
+ Enabled: false
+
+Lint/AmbiguousBlockAssociation:
+
+ Enabled: false
+
+Metrics/BlockNesting:
+
+ Enabled: false
+
+Lint/ShadowingOuterLocalVariable:
+
+ Enabled: false
+
+Style/FormatStringToken:
+
+ Enabled: false
+
+Style/FrozenStringLiteralComment:
+
+ Enabled: false
+
+# The following cops were added to RuboCop, but are not configured.
+
+# Please set Enabled to either `true` or `false` in your `.rubocop.yml` file.
+
+# For more information: https://docs.rubocop.org/rubocop/versioning.html
+
+Gemspec/DateAssignment: # new in 1.10
+
+ Enabled: true
+
+Gemspec/RequireMFA: # new in 1.23
+
+ Enabled: true
+
+Layout/LineEndStringConcatenationIndentation: # new in 1.18
+
+ Enabled: true
+
+Layout/SpaceBeforeBrackets: # new in 1.7
+
+ Enabled: true
+
+Lint/AmbiguousAssignment: # new in 1.7
+
+ Enabled: true
+
+Lint/AmbiguousOperatorPrecedence: # new in 1.21
+
+ Enabled: true
+
+Lint/AmbiguousRange: # new in 1.19
+
+ Enabled: true
+
+Lint/DeprecatedConstants: # new in 1.8
+
+ Enabled: true
+
+Lint/DuplicateBranch: # new in 1.3
+
+ Enabled: true
+
+Lint/DuplicateRegexpCharacterClassElement: # new in 1.1
+
+ Enabled: true
+
+Lint/EmptyBlock: # new in 1.1
+
+ Enabled: true
+
+Lint/EmptyClass: # new in 1.3
+
+ Enabled: true
+
+Lint/EmptyInPattern: # new in 1.16
+
+ Enabled: true
+
+Lint/IncompatibleIoSelectWithFiberScheduler: # new in 1.21
+
+ Enabled: true
+
+Lint/LambdaWithoutLiteralBlock: # new in 1.8
+
+ Enabled: true
+
+Lint/NoReturnInBeginEndBlocks: # new in 1.2
+
+ Enabled: true
+
+Lint/NumberedParameterAssignment: # new in 1.9
+
+ Enabled: true
+
+Lint/OrAssignmentToConstant: # new in 1.9
+
+ Enabled: true
+
+Lint/RedundantDirGlobSort: # new in 1.8
+
+ Enabled: true
+
+Lint/RequireRelativeSelfPath: # new in 1.22
+
+ Enabled: true
+
+Lint/SymbolConversion: # new in 1.9
+
+ Enabled: true
+
+Lint/ToEnumArguments: # new in 1.1
+
+ Enabled: true
+
+Lint/TripleQuotes: # new in 1.9
+
+ Enabled: true
+
+Lint/UnexpectedBlockArity: # new in 1.5
+
+ Enabled: true
+
+Lint/UnmodifiedReduceAccumulator: # new in 1.1
+
+ Enabled: true
+
+Lint/UselessRuby2Keywords: # new in 1.23
+
+ Enabled: true
+
+Naming/BlockForwarding: # new in 1.24
+
+ Enabled: true
+
+Security/IoMethods: # new in 1.22
+
+ Enabled: true
+
+Style/ArgumentsForwarding: # new in 1.1
+
+ Enabled: true
+
+Style/CollectionCompact: # new in 1.2
+
+ Enabled: true
+
+Style/DocumentDynamicEvalDefinition: # new in 1.1
+
+ Enabled: true
+
+Style/EndlessMethod: # new in 1.8
+
+ Enabled: true
+
+Style/FileRead: # new in 1.24
+
+ Enabled: true
+
+Style/FileWrite: # new in 1.24
+
+ Enabled: true
+
+Style/HashConversion: # new in 1.10
+
+ Enabled: true
+
+Style/HashExcept: # new in 1.7
+
+ Enabled: true
+
+Style/IfWithBooleanLiteralBranches: # new in 1.9
+
+ Enabled: true
+
+Style/InPatternThen: # new in 1.16
+
+ Enabled: true
+
+Style/MapToHash: # new in 1.24
+
+ Enabled: true
+
+Style/MultilineInPatternThen: # new in 1.16
+
+ Enabled: true
+
+Style/NegatedIfElseCondition: # new in 1.2
+
+ Enabled: true
+
+Style/NilLambda: # new in 1.3
+
+ Enabled: true
+
+Style/NumberedParameters: # new in 1.22
+
+ Enabled: true
+
+Style/NumberedParametersLimit: # new in 1.22
+
+ Enabled: true
+
+Style/OpenStructUse: # new in 1.23
+
+ Enabled: true
+
+Style/QuotedSymbols: # new in 1.16
+
+ Enabled: true
+
+Style/RedundantArgument: # new in 1.4
+
+ Enabled: true
+
+Style/RedundantSelfAssignmentBranch: # new in 1.19
+
+ Enabled: true
+
+Style/SelectByRegexp: # new in 1.22
+
+ Enabled: true
+
+Style/StringChars: # new in 1.12
+
+ Enabled: true
+
+Style/SwapValues: # new in 1.1
+
+ Enabled: true
+```
+
+
+
+ bundle exec rake [inspec or cinc-auditor]:check # validate the inspec profile
+ bundle exec rake lint # Run RuboCop
+ bundle exec rake lint:autocorrect # Autocorrect RuboCop offenses (only when it's safe)
+ bundle exec rake lint:autocorrect_all # Autocorrect RuboCop offenses (safe and unsafe)
+ bundle exec rake pre_commit_checks # pre-commit checks
+
+:::note
+In the past, cookstyle format was used. However, support for cookstyle formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence rubocop is preferred.
+:::
\ No newline at end of file
diff --git a/src/courses/delta/07.md b/src/courses/delta/07.md
new file mode 100644
index 000000000..9719ed045
--- /dev/null
+++ b/src/courses/delta/07.md
@@ -0,0 +1,23 @@
+---
+order: 07
+title: 7. Additional Technical Details
+author: Daniel Medina, George Dias
+---
+
+## 7. Additional Technical Details
+
+- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file.
+- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` or `cinc-auditor json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command.
+
+### update_controls4delta process
+
+![update_controls4delta process](../../assets/img/update_controls4delta_diagram.png)
+
+### delta Process
+
+![Delta Workflow Process](../../assets/img/delta_diagram.png)
+
+### Scope of Changes by Delta
+
+Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it replaces the 'control metadata' using the content from the supplied XCCDF guidance document. This applies to controls that map from baseline X to baseline Y.
+
diff --git a/src/courses/delta/README.md b/src/courses/delta/README.md
new file mode 100644
index 000000000..325c7ce3d
--- /dev/null
+++ b/src/courses/delta/README.md
@@ -0,0 +1,22 @@
+---
+order: 01
+next: 02.md
+title: Delta Process Developer Class
+author: Daniel Medina, George Dias
+---
+## 1.1 Class Overview
+
+The purpose of this class is to outline how the delta process can be used to facilitate changes to inspec profile baselines. Often, it can be used to create a new baseline profile from older revisions of the same baseline.
+
+### 1.1.1 Class Objectives:
+
+By the end of this class, you should be able to:
+- Know the requirements for conducting the delta process
+- Understand the purpose of the SAF Delta process tools, `update_controls4delta` and `delta`
+- Use these tools to update inspec profiles
+- Understand how and where to apply these tools in different situations (Use Cases)
+- Be familiar with the delta process logging capabilities and generated artifacts
+- Using the delta fuzzy matching system to map controls between two profiles by using
+
+### 1.2 The Road to Conducting the Delta Process
+
From 37bd0a298195ec7801a3a2ad04f96e4efe299ded Mon Sep 17 00:00:00 2001
From: George M Dias
Date: Wed, 4 Dec 2024 13:27:52 -0600
Subject: [PATCH 09/71] Updated formatting and Use Cases - need updates, page 5 and 7
Signed-off-by: George M Dias
---
 src/courses/delta/03.md | 10 +++++-----
 src/courses/delta/04.md | 14 +++-----------
 src/courses/delta/05.md | 8 ++++----
 src/courses/delta/06.md | 14 ++++++++++----
 src/courses/delta/07.md | 2 +-
 5 files changed, 23 insertions(+), 25 deletions(-)
diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md
index 40671fd2c..e3ad674e3 100644
--- a/src/courses/delta/03.md
+++ b/src/courses/delta/03.md
@@ -35,12 +35,12 @@ The process of preparing controls from one baseline to another (baseline X to Y) b - If there is no mapping found, then the `delta` process must be invoked to convert the baselines ([see use cases](./03.html#use-cases-for-running-delta))
 You can invoke the command as such:
-```shell
+```
 saf generate update_controls4delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -c baseline_X_controls_directory
 ```
 Additional capabilities can be obtained using the `--help` flag on the `update_controls4delta` command as such:
-```shell
+```
 saf generate update_controls4delta --help
 ```
@@ -60,7 +60,7 @@ The `delta` process extends the capabilities of the `update_controls4delta` proc a - report file (.md), mapping statistics (CliProcessOutput.log)
 You can invoke the command as such:
-```shell
+```
 saf generate delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -o new_baseline_Y_controls_directory -M -c baseline_X_controls_directory
 ```
 ::: tip Optional Fuzzy Matching Flags
@@ -68,7 +68,7 @@ The `-M` and `-c` flags can be removed if not using fuzzy matching feature.
 :::
 Additional capabilities can be obtained using the `--help` flag on the `delta` command as such:
-```shell
+```
 saf generate delta --help
 ```
@@ -77,6 +77,6 @@ For more information on these commands, refer to the following documentation:
 - [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options)
 - [saf generate delta](https://saf-cli.mitre.org/#delta)
-::: warning
+::: warning Delta Process Limitations
 This process has been tested using DISA XCCDF STIG Benchmark Guidances only.
 :::
diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md
index 5c0e1188c..a29477e25 100644
--- a/src/courses/delta/04.md
+++ b/src/courses/delta/04.md
@@ -21,30 +21,22 @@ To make these modification from baseline X to baseline Y the update controls pro provided XCCDF guidance. The process checks if the new guidance changes the control numbers and updates them if necessary.
-if everything is already updated, then it only renames
-
 Process: Run `update_controls4delta`
 ### 4.1.2 Use Case 2
- If there isn't any mapping between baseline X and Y using the default rule identification (rule Id) for the control, it may be necessary to index the controls based on controls group identifications (group Id). Running the update controls with the group Id may be required to provide a mapping from baseline X to Y.
-Use the -g flag
-
 Process: Run `update_controls4delta`
-### 4.1.3 Use Case 3
-Like Use Case 1 where the IDs are changed, the new controls identified in baseline Y may have changed the control metadata (impact value, descriptions, etc). Running the update controls makes
-use of baseline Y metadata and updates the control with the describe block (code) from baseline X.
-
-use the -b flag
+### 4.1.3 Use Case 3
+Like Use Case 1 an 2 updates controls in baseline X with new controls identified in baseline Y
+based on selected indexed identification but backup controls that are modified.
 Process: Run `update_controls4delta`
-
 ### 4.1.4 Use Case 4
 Running update controls may result in no controls being updated / no mappings were found from baseline X to baseline Y. This could be due to there being too many revisions / releases between
diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md
index d69f13f05..0e29398fa 100644
--- a/src/courses/delta/05.md
+++ b/src/courses/delta/05.md
@@ -4,14 +4,14 @@ next: 06.md
 title: 5. Delta Logging Capabilities
 author: Daniel Medina, George Dias
 ---
-## 5. Logging Capabilities of Delta
+## 5.1 Logging Capabilities of Delta
-### Report Markdown File (.md)
+### 5.1.1 Report Markdown File (.md)
 Specified by the report flag (`-r`)
-### delta.json
+### 5.1.2 delta.json
-### CLIProcessOutput.log
+### 5.1.3 CLIProcessOutput.log
 Outputted to the directory where the delta process is being executed.
\ No newline at end of file
diff --git a/src/courses/delta/06.md b/src/courses/delta/06.md
index d5c1ac10e..92e1baf55 100644
--- a/src/courses/delta/06.md
+++ b/src/courses/delta/06.md
@@ -5,15 +5,16 @@ title: 6. Delta Formatting
 author: Daniel Medina, George Dias
 ---
-## 6. InSpec Delta Formatting Process
+## 6.1 InSpec Delta Formatting Process
-### Preparing the Profile Before Running Delta Process
+### 6.1.2 Preparing the Profile Before Running Delta Process
 Before performing delta process, it's beneficial to use a common format. Follow these steps:
 1. **Run Rubocop:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`.
-```shell
+::: details Rubocop Configuration File (rubocop.yml)
+```
 AllCops:
 NewCops: enable
@@ -310,15 +311,20 @@ Style/SwapValues: # new in 1.1
 Enabled: true
 ```
+:::
+## 6.2 Testing Commands
+### 6.2.1 Linting and validating controls:
+```
 bundle exec rake [inspec or cinc-auditor]:check # validate the inspec profile
 bundle exec rake lint # Run RuboCop
 bundle exec rake lint:autocorrect # Autocorrect RuboCop offenses (only when it's safe)
 bundle exec rake lint:autocorrect_all # Autocorrect RuboCop offenses (safe and unsafe)
 bundle exec rake pre_commit_checks # pre-commit checks
+```
-:::note
+:::note Profile Controls Formatting
 In the past, cookstyle format was used. However, support for cookstyle formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence rubocop is preferred.
 :::
\ No newline at end of file
diff --git a/src/courses/delta/07.md b/src/courses/delta/07.md
index 9719ed045..dbc85ef05 100644
--- a/src/courses/delta/07.md
+++ b/src/courses/delta/07.md
@@ -4,7 +4,7 @@ title: 7. Additional Technical Details
 author: Daniel Medina, George Dias
 ---
-## 7. Additional Technical Details
+## 7.1 Additional Technical Details
 - **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file.
 - **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` or `cinc-auditor json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command.
From 9cccb8769f025198d6aad400124cb76790df57df Mon Sep 17 00:00:00 2001
From: Daniel Medina
Date: Wed, 4 Dec 2024 16:23:42 -0500
Subject: [PATCH 10/71] First draft of Delta class
---
 src/assets/downloads/CliProcessOutput.log | 1069 ++
 src/assets/downloads/delta.json | 1136 ++
 src/assets/downloads/report.md | 10483 ++++++++++++++++
 .../img/update_controls4delta_output.png | Bin 0 -> 198053 bytes
 src/courses/delta/02.md | 2 +
 src/courses/delta/03.md | 6 +-
 src/courses/delta/05.md | 33 +-
 src/courses/delta/06.md | 13 +-
 src/courses/delta/README.md | 3 +-
 9 files changed, 12735 insertions(+), 10 deletions(-)
 create mode 100644 src/assets/downloads/CliProcessOutput.log
 create mode 100644 src/assets/downloads/delta.json
 create mode 100644 src/assets/downloads/report.md
 create mode 100644 src/assets/img/update_controls4delta_output.png
diff --git a/src/assets/downloads/CliProcessOutput.log b/src/assets/downloads/CliProcessOutput.log
new file mode 100644
index 000000000..6ae8e024f
--- /dev/null
+++ b/src/assets/downloads/CliProcessOutput.log
@@ -0,0 +1,1069 @@ +==================== Delta Process ===================== +Date: 2024-11-26T18:06:16.889Z +Process Flags =========================================== +logLevel=info +inspecJsonFile=d:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\profile_update4delta.json +xccdfXmlFile=d:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\xccdf\SQL_Server_16\U_MS_SQL_Server_2016_Database_V2R8_Manual_STIG\U_MS_SQL_Server_2016_Database_STIG_V2R8_Manual-xccdf.xml +deltaOutputDir=D:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\delta_controls +idType=rule +runMapControls=true +controlsDir=D:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\controls + + +Mapping controls (using fuzzy logic - lower value = best match) from the old profile to the new profile + +Mapping Process =========================================================================== + New XCCDF Control: SV-213900 +* No Mapping Provided * + +Processing New Control: SV-213901 + New Control Title: SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + Best Match Candidate: SV-213764 --> SV-213901 + Matching Score: 0.0508 + +Processing New Control: SV-213902 + New Control Title: SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. 
+ No Match Found for: SV-213774 --> SV-213902 + Matching Score: 0.83125 + +Processing New Control: SV-213903 + New Control Title: SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. + No Match Found for: SV-213774 --> SV-213903 + Matching Score: 0.7890625 + +Processing New Control: SV-213904 + New Control Title: SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. + No Match Found for: SV-213774 --> SV-213904 + Matching Score: 0.7890625 + +Processing New Control: SV-213905 + New Control Title: SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. + Old Control Title: Where SQL Server Audit is in use at the database level, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the database level. + Best Match Candidate: SV-213766 --> SV-213905 + Matching Score: 0.0131 + +Processing New Control: SV-213906 + New Control Title: SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + No Match Found for: SV-213770 --> SV-213906 + Matching Score: 0.59375 + +Processing New Control: SV-213907 + New Control Title: SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server. 
+ Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + No Match Found for: SV-213770 --> SV-213907 + Matching Score: 0.49395 + +Processing New Control: SV-213908 + New Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + Best Match Candidate: SV-213770 --> SV-213908 + Matching Score: 0.04478571428571428 + +Processing New Control: SV-213909 + New Control Title: The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + No Match Found for: SV-213770 --> SV-213909 + Matching Score: 0.49609375 + +Processing New Control: SV-213910 + New Control Title: In the event of a system failure, hardware loss or disk failure, SQL Server must be able to restore necessary databases with least disruption to mission processes. + Old Control Title: In the event of a system failure, SQL Server must preserve any information necessary to return to operations with least disruption to mission processes. 
+ No Match Found for: SV-213773 --> SV-213910 + Matching Score: 0.6003999999999999 + +Processing New Control: SV-213911 + New Control Title: The Database Master Key encryption password must meet DOD password complexity requirements. + Old Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. + No Match Found for: SV-213779 --> SV-213911 + Matching Score: 0.7395833333333334 + +Processing New Control: SV-213912 + New Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. + Old Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. + Best Match Candidate: SV-213779 --> SV-213912 + Matching Score: 0.007050000000000001 + +Processing New Control: SV-213913 + New Control Title: The Certificate used for encryption must be backed up, stored offline and off-site. + Old Control Title: Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key. + No Match Found for: SV-213781 --> SV-213913 + Matching Score: 0.7708333333333334 + +Processing New Control: SV-213914 + New Control Title: SQL Server must isolate security functions from non-security functions. + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. + No Match Found for: SV-213774 --> SV-213914 + Matching Score: 0.78125 + +Processing New Control: SV-213915 + New Control Title: Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. + Old Control Title: Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. 
+ Best Match Candidate: SV-213775 --> SV-213915 + Matching Score: 0.0131 + +Processing New Control: SV-213916 + New Control Title: SQL Server must check the validity of all data inputs except those specifically identified by the organization. + Old Control Title: SQL Server must check the validity of all data inputs except those specifically identified by the organization. + Best Match Candidate: SV-213776 --> SV-213916 + Matching Score: 0.001 + +Processing New Control: SV-213917 + New Control Title: SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. + Old Control Title: The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. + Best Match Candidate: SV-213777 --> SV-213917 + Matching Score: 0.05291666666666667 + +Processing New Control: SV-213918 + New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. + Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. + Best Match Candidate: SV-213784 --> SV-213918 + Matching Score: 0.0131 + +Processing New Control: SV-213919 + New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. + Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. 
+ Best Match Candidate: SV-213785 --> SV-213919 + Matching Score: 0.0131 + +Processing New Control: SV-213920 + New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. + Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. + Best Match Candidate: SV-213786 --> SV-213920 + Matching Score: 0.0131 + +Processing New Control: SV-213921 + New Control Title: SQL Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects. + Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + No Match Found for: SV-213764 --> SV-213921 + Matching Score: 0.6171875 + +Processing New Control: SV-213922 + New Control Title: Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only. + Old Control Title: SQL Server must be monitored to discover unauthorized changes to stored procedures. + No Match Found for: SV-213769 --> SV-213922 + Matching Score: 0.8359375 + +Processing New Control: SV-213923 + New Control Title: SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. 
+ No Match Found for: SV-213770 --> SV-213923 + Matching Score: 0.8125 + +Processing New Control: SV-213924 + New Control Title: SQL Server must enforce access restrictions associated with changes to the configuration of the database(s). + Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + No Match Found for: SV-213764 --> SV-213924 + Matching Score: 0.796875 + +Processing New Control: SV-213926 + New Control Title: SQL Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. + Old Control Title: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. + Best Match Candidate: SV-213788 --> SV-213926 + Matching Score: 0.04334375 + +Processing New Control: SV-213927 + New Control Title: SQL Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components. + Old Control Title: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. + Duplicate Match: SV-213788 --> SV-213927 + Matching Score: 0.15120833333333333 + +Processing New Control: SV-251040 + New Control Title: SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements. 
+ Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + No Match Found for: SV-213764 --> SV-251040 + Matching Score: 0.6484375 + +Mapping Results =========================================================================== + Old Control -> New Control + SV-213764 -> SV-213901 + SV-213766 -> SV-213905 + SV-213770 -> SV-213908 + SV-213779 -> SV-213912 + SV-213775 -> SV-213915 + SV-213776 -> SV-213916 + SV-213777 -> SV-213917 + SV-213784 -> SV-213918 + SV-213785 -> SV-213919 + SV-213786 -> SV-213920 + SV-213788 -> SV-213926 +Total Mapped Controls: 11 + +Control Counts =========================== +Total Controls Available for Delta: 43 + Total Controls Found on XCCDF: 28 + +Match Statistics ========================= + Match Controls: 11 + Possible Mismatch Controls: 0 + Duplicate Match Controls: 1 + No Match Controls: 15 + New XCDDF Controls: 1 + +Statistics Validation ============================================= +Match + Mismatch = Total Mapped Controls: (11+0=11) true + Total Processed = Total XCCDF Controls: (11+0+1+15+1=28) true + + +Updating Controls =========================================================================== +Mapping (From --> To): SV-213764 --> SV-213901 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213764.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213764.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213764.rb to reference ID SV-213901 + New control name: SV-213901.rb + +Mapping (From --> To): SV-213766 --> SV-213905 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213766.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213766.rb + Mapped control file: 
\microsoft-sql-server-2014-database-stig-baseline\controls\SV-213766.rb to reference ID SV-213905 + New control name: SV-213905.rb + +Mapping (From --> To): SV-213770 --> SV-213908 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213770.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213770.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213770.rb to reference ID SV-213908 + New control name: SV-213908.rb + +Mapping (From --> To): SV-213779 --> SV-213912 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213779.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213779.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213779.rb to reference ID SV-213912 + New control name: SV-213912.rb + +Mapping (From --> To): SV-213775 --> SV-213915 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213775.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213775.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213775.rb to reference ID SV-213915 + New control name: SV-213915.rb + +Mapping (From --> To): SV-213776 --> SV-213916 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213776.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213776.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213776.rb to reference ID SV-213916 + New control name: SV-213916.rb + +Mapping (From --> To): SV-213777 --> SV-213917 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213777.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213777.rb + Mapped control file: 
\microsoft-sql-server-2014-database-stig-baseline\controls\SV-213777.rb to reference ID SV-213917 + New control name: SV-213917.rb + +Mapping (From --> To): SV-213784 --> SV-213918 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213784.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213784.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213784.rb to reference ID SV-213918 + New control name: SV-213918.rb + +Mapping (From --> To): SV-213785 --> SV-213919 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213785.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213785.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213785.rb to reference ID SV-213919 + New control name: SV-213919.rb + +Mapping (From --> To): SV-213786 --> SV-213920 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213786.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213786.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213786.rb to reference ID SV-213920 + New control name: SV-213920.rb + +Mapping (From --> To): SV-213788 --> SV-213926 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213788.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213788.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213788.rb to reference ID SV-213926 + New control name: SV-213926.rb + +Update Results =========================================================================== + +## Automatic Update: -> + +### New Controls: ++ SV-213900 - SQL Server databases must integrate with an organization-level authentication/access mechanism providing account 
management and automation for all users, groups, roles, and any other principals. ++ SV-213902 - SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. ++ SV-213903 - SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). ++ SV-213904 - SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. ++ SV-213906 - SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers. ++ SV-213907 - SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server. ++ SV-213909 - The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users. ++ SV-213910 - In the event of a system failure, hardware loss or disk failure, SQL Server must be able to restore necessary databases with least disruption to mission processes. ++ SV-213911 - The Database Master Key encryption password must meet DOD password complexity requirements. ++ SV-213913 - The Certificate used for encryption must be backed up, stored offline and off-site. ++ SV-213914 - SQL Server must isolate security functions from non-security functions. ++ SV-213921 - SQL Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects. ++ SV-213922 - Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only. ++ SV-213923 - SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) 
without explicit privileged status. ++ SV-213924 - SQL Server must enforce access restrictions associated with changes to the configuration of the database(s). ++ SV-213927 - SQL Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components. ++ SV-251040 - SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements. + + +### Updated Check/Fixes: +#### Checks: +

+ Click to expand. +SV-213901: +Old: +``` +Review the system documentation to determine the required levels of protection for securables in the database, by type of user. + +Review the permissions actually in place in the database. + +The database permission functions and views provided in the supplemental file Permissions.sql can help with this. + +If the actual permissions do not match the documented requirements, this is a finding. + +``` + +Updated: +``` +Review the system documentation to determine the required levels of protection for securables in the database, by type of user. + +If the database is tempdb, this is NA. + +Review the permissions actually in place in the database. + +If the actual permissions do not match the documented requirements, this is a finding. + +Use the supplemental file "Database permission assignments to users and roles.sql". + +``` +--- +SV-213905: +Old: +``` +If SQL Server Audit is not in use at the database level, this is not applicable (NA). + +Obtain the list of approved audit maintainers from the system documentation. + +Review the database roles and individual users that have the following permissions, both of which enable the ability to maintain audit definitions: +ALTER ANY DATABASE AUDIT +CONTROL ON DATABASE + +The functions and views provided in the supplemental file Permissions.sql can assist in this review. In the following, "STIG" stands for the schema where you have deployed these views and functions. 
To see which logins and server roles have been granted these permissions: + SELECT + * + FROM + STIG.database_permissions P + WHERE + (P.[Permission] = 'ALTER ANY DATABASE AUDIT') + OR + (P.[Permission] = 'CONTROL' AND P.[Securable Type or Class] = 'DATABASE') + ; + +To see what users and database roles inherit these permissions from the database roles reported by the previous query, repeat the following for each one: + SELECT * FROM STIG.members_of_database_role(); + +To see all the permissions in effect for a database principal (server role or login): + SELECT * FROM STIG.server_effective_permissions(); + +If designated personnel are not able to configure auditable events, this is a finding. + +If unapproved personnel are able to configure auditable events, this is a finding. + +``` + +Updated: +``` +Obtain the list of approved audit maintainers from the system documentation. + +Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications. + +SELECT + R.name AS role_name, + RM.name AS role_member_name, + RM.type_desc +FROM sys.database_principals R +JOIN sys.database_role_members DRM ON + R.principal_id = DRM.role_principal_id +JOIN sys.database_principals RM ON + DRM.member_principal_id = RM.principal_id +WHERE R.type = 'R' + AND R.name = 'db_owner' +ORDER BY + role_member_name + +If any role memberships are not documented and authorized, this is a finding. + + +Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions. 
+ +ALTER ANY DATABASE AUDIT +CONTROL + +Use the following query to determine the roles and users that have the listed permissions: + +SELECT + PERM.permission_name, + DP.name AS principal_name, + DP.type_desc AS principal_type, + DBRM.role_member_name +FROM sys.database_permissions PERM +JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id +LEFT OUTER JOIN ( + SELECT + R.principal_id AS role_principal_id, + R.name AS role_name, + RM.name AS role_member_name + FROM sys.database_principals R + JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id + JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id + WHERE R.type = 'R' +) DBRM ON DP.principal_id = DBRM.role_principal_id +WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT') +ORDER BY + permission_name, + principal_name, + role_member_name + + +If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding. + +``` +--- +SV-213908: +Old: +``` +Review system documentation to identify SQL Server accounts authorized to own database objects. + +If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. + +The view STIG.database_permissions, included in the supplemental file, Permissions.sql, can be of use in making this determination: +USE ; +GO +SELECT DISTINCT + S.[Schema/Owner] AS [Owner], + O.[Schema/Owner] AS [Schema], + O.[Securable] +FROM + STIG.database_permissions O + INNER JOIN STIG.database_permissions S + ON S.[Securable] = O.[Schema/Owner] + AND O.[Securable Type or Class] = 'OBJECT_OR_COLUMN' + AND S.[Securable Type or Class] = 'SCHEMA' +WHERE + S.[Schema/Owner] NOT IN ('dbo', 'sys', 'INFORMATION_SCHEMA' ... ) + -- Complete the "NOT IN" list with the names of user accounts authorized for ownership. +; +If any of the listed owners is not authorized, this is a finding. 
+ +``` + +Updated: +``` +Review system documentation to identify SQL Server accounts authorized to own database objects. + +If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. + +The following query can be of use in making this determination: + +;with objects_cte as +(SELECT o.name, o.type_desc, + CASE + WHEN o.principal_id is null then s.principal_id + ELSE o.principal_id + END as principal_id + FROM sys.objects o + INNER JOIN sys.schemas s + ON o.schema_id = s.schema_id + WHERE o.is_ms_shipped = 0 +) +SELECT cte.name, cte.type_desc, dp.name as ObjectOwner +FROM objects_cte cte +INNER JOIN sys.database_principals dp +ON cte.principal_id = dp.principal_id +ORDER BY dp.name, cte.name + +If any of the listed owners is not authorized, this is a finding. + +``` +--- +SV-213915: +Old: +``` +Verify there are proper procedures in place for the transfer of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test and verify copies of production data are not left in unprotected locations. + +If there is no documented procedure for data movement from production to development/test, this is a finding. + +If data movement code that copies from production to development/test does exist and leaves any copies of production data in unprotected locations, this is a finding. + +``` + +Updated: +``` +Review the procedures for the refreshing of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose. Verify that copies of production data are not left in unprotected locations. If the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding. 
+ +``` +--- +SV-213918: +Old: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding. + +``` + +Updated: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in storage, this is a finding. + +``` +--- +SV-213919: +Old: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in process, this is a finding. + +``` + +Updated: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in process, this is a finding. + +``` +--- +SV-213920: +Old: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in transmission, this is a finding. + +``` + +Updated: +``` +If security labeling is not required, this is not a finding. + +If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in transmission, this is a finding. 
+ +``` +--- +SV-213926: +Old: +``` +Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. + +If no information is identified as requiring such protection, this is not a finding. + +Review the configuration of SQL Server, Windows, and additional software as relevant. + +If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. + +If database transparent data encryption (TDE) is called for, check whether it is enabled: +In SQL Server Management Studio, Object Explorer, expand the instance and right-click on the database name; select properties. Select the Options page, State section, Encryption Enabled parameter. + +If the value displayed is False, this is a finding. + +If column encryption, done via SQL Server features, is required, review the definitions and contents of the relevant tables and columns. + +If any of the information defined as requiring cryptographic protection is not encrypted in a manner that provides the required level of protection, this is a finding. + +``` + +Updated: +``` +Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. + +If no information is identified as requiring such protection, this is not a finding. + +Review the configuration of SQL Server, Windows, and additional software as relevant. + +If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. 
+ +If database transparent data encryption (TDE) is called for, check whether it is enabled: + +SELECT +DB_NAME(database_id) AS [Database Name], CASE encryption_state WHEN 0 THEN 'No database encryption key present, no encryption' +WHEN 1 THEN 'Unencrypted' +WHEN 2 THEN 'Encryption in progress' +WHEN 3 THEN 'Encrypted' +WHEN 4 THEN 'Key change in progress' +WHEN 5 THEN 'Decryption in progress' +WHEN 6 THEN 'Protection change in progress' +END AS [Encryption State] +FROM sys.dm_database_encryption_keys + +For each user database for which encryption is called for and it is marked Unencrypted, this is a finding. + +If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. + +Review the definitions and contents of the relevant tables/columns for the Always Encryption settings, if any of the information defined as requiring cryptographic protection is not encrypted this is a finding. + +``` +--- +
+
+#### Fixes:
+
+ Click to expand. +SV-213905: +Old: +``` +Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions: +USE ; +GO +CREATE ROLE DATABASE_AUDIT_MAINTAINERS; +GO +GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS; +GO +(The role name used here is an example; other names may be used.) + +Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. + +Then, for each authorized database user, run the statement: +ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER ; +GO + +Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it. + +``` +New: +``` +Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (The role name used here is an example; other names may be used.): + +CREATE ROLE DATABASE_AUDIT_MAINTAINERS; +GO + +GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS; +GO + +Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement: + +ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER; +GO + +Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it. + +``` +--- +SV-213908: +Old: +``` +Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. + +To change the schema owning a database object in SQL Server, use this code: +USE ; +GO +ALTER SCHEMA TRANSFER .; +GO + +Caution: this can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. 
Deploy during a scheduled maintenance window. + +``` +New: +``` +Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. + +To change the schema owning a database object in SQL Server, use this code as an example: + +USE AdventureWorks2012; +GO +ALTER SCHEMA HumanResources TRANSFER Person.Address; +GO + +Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window. + +``` +--- +SV-213915: +Old: +``` +Create and document a process for moving data from production to development/test systems and follow the process. + +Modify any code used for moving data from production to development/test systems to ensure copies of production data are not left in unsecured locations. + +``` +New: +``` +Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations. + +``` +--- +SV-213916: +Old: +``` +Use triggers, constraints, foreign keys, etc. to validate data input. + +Modify SQL Server to properly use the correct column data types as required in the database. + +``` +New: +``` +Use parameterized queries, constraints, foreign keys, etc. to validate data input. + +Modify SQL Server to properly use the correct column data types as required in the database. + +``` +--- +SV-213917: +Old: +``` +Configure DBMS settings, custom database code, and associated application code not to divulge sensitive information or information useful for system identification in error messages that are displayed to general users. + +``` +New: +``` +Adjust database code to remove any information not required for explaining the error to an end user. 
+ +Consider enabling trace flag 3625 to mask certain system-level error information returned to non-administrative users. + +Launch SQL Server Configuration Manager >> Click SQL Services >> Open the instance properties >> Click the Service Parameters tab >> Enter "-T3625" >> Click Add >> Click OK >> Restart SQL instance. + +``` +--- +SV-213918: +Old: +``` +Develop SQL or application code or acquire a third party tool to perform data labeling. + +``` +New: +``` +Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in storage. + +https://msdn.microsoft.com/en-us/library/dn765131.aspx + +``` +--- +SV-213919: +Old: +``` +Develop SQL or application code or acquire a third party tool to perform data labeling. + +``` +New: +``` +Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in process. + +https://msdn.microsoft.com/en-us/library/dn765131.aspx + +``` +--- +SV-213920: +Old: +``` +Develop SQL or application code or acquire a third party tool to perform data labeling. + +``` +New: +``` +Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in transmission. + +https://msdn.microsoft.com/en-us/library/dn765131.aspx + +``` +--- +SV-213926: +Old: +``` +Where full-disk encryption is required, configure Windows and/or the storage system to provide this. + +Where transparent data encryption (TDE) is required, deploy the necessary stack of certificates and keys, and set the Encryption Enabled to True. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 TDE". 
+ +Where column encryption is required, deploy the necessary stack of certificates and keys, and enable encryption on the columns in question. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 Encrypt a Column of Data". + +``` +New: +``` +Where full-disk encryption is required, configure Windows and/or the storage system to provide this. + +Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. + +Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx. + +``` +--- + + +### Updated Impacts +
+ Click to expand.
+SV-213901:
+Old: 0.5
+New: 0.7
+---
+SV-213905:
+Old: 0
+New: 0.5
+---
+SV-213912:
+Old: 0
+New: 0.5
+---
+SV-213918:
+Old: 0
+New: 0.5
+---
+SV-213919:
+Old: 0
+New: 0.5
+---
+SV-213920:
+Old: 0
+New: 0.5
+---
+SV-213926:
+Old: 0
+New: 0.5
+---
+
+
+### Updated Titles
+
+ Click to expand.
+SV-213901:
+Old: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies.
+New: SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
+---
+SV-213905:
+Old: Where SQL Server Audit is in use at the database level, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the database level.
+New: SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
+---
+SV-213917:
+Old: The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+New: SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+---
+SV-213918:
+Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage.
+New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage.
+---
+SV-213919:
+Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process.
+New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process.
+---
+SV-213920:
+Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission.
+New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission.
+---
+SV-213926:
+Old: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.
+New: SQL Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.
+---
+
+
+### Updated Descriptions
+
+ Click to expand. +SV-213901: +Old: +``` +Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the database and all its contents. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including SQL Server databases, must be properly configured to implement access control policies. + +Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. + +Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. + +This requirement is applicable to access control enforcement applications, a category that includes SQL Server. If SQL Server is not configured to follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy. + +``` +New: +``` +Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. 
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. + +Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. + +Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. + +This requirement is applicable to access control enforcement applications, a category that includes database management systems. If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy. + +``` +--- +SV-213905: +Old: +``` +Inspec attributes has specified that SQL Server Audit is not in use at + the database level, this is not applicable (NA) + +``` +New: +``` +Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. 
+
+Suppression of auditing could permit an adversary to evade detection.
+
+Misconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+```
+---
+SV-213908:
+Old:
+```
+Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.
+
+Conversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.
+
+```
+New:
+```
+Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.
+
+Conversely, if critical tables or other objects in SQL Server rely on unauthorized owner accounts, these objects may be lost when an account is removed.
+
+```
+---
+SV-213912:
+Old:
+```
+No databases require encryption hence this is not a finding
+
+```
+New:
+```
+When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. 
To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account.
+
+```
+---
+SV-213915:
+Old:
+```
+The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.
+
+Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, so copies of sensitive data are not misplaced or left in a temporary location without the proper controls.
+
+```
+New:
+```
+Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources.
+
+Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.
+
+Copies of sensitive data must not be misplaced or left in a temporary location without the proper controls.
+
+```
+---
+SV-213916:
+Old:
+```
+Invalid user input occurs when a user inserts data or characters into an application’s data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. 
Invalid user input is one of the primary methods employed when attempting to compromise an application.
+
+SQL Server needs to validate the data user’s attempt to input to the application for processing. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands.
+
+A poorly designed database system can have many problems. A common issue with these types of systems is the missed opportunity to use constraints.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.
+
+```
+New:
+```
+Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.
+
+With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. 
Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.
+
+Even when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.
+
+```
+---
+SV-213917:
+Old:
+```
+Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.
+
+Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for end-user troubleshooting but very useful to someone targeting the system.
+
+Carefully consider the structure/content of error messages. 
The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.
+
+It is important that detailed error messages be visible only to those who are authorized to view them; that general users receive only generalized acknowledgment that errors have occurred; and that these generalized messages appear only when relevant to the user's task. For example, a message along the lines of, "An error has occurred. Unable to save your changes. If this problem persists, please contact your help desk" would be relevant. A message such as "Warning: your transaction generated a large number of page splits" would likely not be relevant. "ABGQ is not a valid widget code" would be appropriate; but "The INSERT statement conflicted with the FOREIGN KEY constraint "WidgetTransactionFK". The conflict occurred in database "DB7", table "dbo.WidgetMaster", column 'WidgetCode'" would not, as it reveals too much about the database structure.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered. 
+
+```
+New:
+```
+Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.
+
+Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system.
+
+Carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.
+
+```
+---
+SV-213918:
+Old:
+```
+Security labeling is stated as `not required` in the attributes file,
+ this control is not applicable
+
+```
+New:
+```
+Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.
+
+Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. 
+
+These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.
+
+One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.
+
+The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.
+
+```
+---
+SV-213919:
+Old:
+```
+Security labeling is stated as `not required` in the attributes file,
+ this control is not applicable
+
+```
+New:
+```
+Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.
+
+Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
+
+These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.
+
+One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. 
+
+The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.
+
+```
+---
+SV-213920:
+Old:
+```
+Security labeling is stated as `not required` in the attributes file,
+ this control is not applicable
+
+```
+New:
+```
+Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.
+
+Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.
+
+The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.
+
+```
+---
+SV-213926:
+Old:
+```
+If the application owner and Authorizing Official have
+ determined that encryption of data at rest is NOT required, this is not a
+ finding.
+
+```
+New:
+```
+DBMSs handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation. 
+
+Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
+
+The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.
+
+```
+---
+
diff --git a/src/assets/downloads/delta.json b/src/assets/downloads/delta.json
new file mode 100644
index 000000000..fe81a5181
--- /dev/null
+++ b/src/assets/downloads/delta.json
@@ -0,0 +1,1136 @@ +{ + "ignoreFormattingDiff": { + "addedControlIDs": [ + "SV-213913" + ], + "removedControlIDs": [], + "renamedControlIDs": {}, + "changedControlIDs": [ + "SV-213900", + "SV-213901", + "SV-213902", + "SV-213903", + "SV-213904", + "SV-213905", + "SV-213906", + "SV-213907", + "SV-213908", + "SV-213909", + "SV-213910", + "SV-213911", + "SV-213912", + "SV-213914", + "SV-213915", + "SV-213916", + "SV-213917", + "SV-213918", + "SV-213919", + "SV-213920", + "SV-213921", + "SV-213922", + "SV-213923", + "SV-213924", + "SV-213926", + "SV-213927", + "SV-251040" + ], + "addedControls": { + "SV-213913": { + "tags": { + "check_id": "C-15131r952219_chk", + "severity": "medium", + "gid": "V-213913", + "rid": "SV-213913r952219_rule", + "stig_id": "SQL6-D0-001800", + "gtitle": "SRG-APP-000231-DB-000154", + "fix_id": "F-15129r951656_fix", + "documentable": false, + "legacy": [ + "SV-93795", + "V-79089" + ], + "cci": [ + "CCI-001199" + ], + "nist": [ + "SC-28" + ] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "id": "SV-213913", + "title": "The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.", + "desc": "Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.", + "impact": 0.5, + "descs": { + "check": "If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.\n\nReview procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. \n\nIf the procedures or evidence does not exist, this is a finding. \n\nIf the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. 
\n\nIf procedures do not indicate access restrictions to the Certificate backup, this is a finding.", + "fix": "Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.\n\nBACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' \nWITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); \n\nAs this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text." + } + } + }, + "changedControls": { + "SV-213900": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213901": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213902": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213903": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213904": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213905": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.", + "impact": 0.5, + "descs": {} + }, + "SV-213906": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213907": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213908": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213909": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213910": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213911": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213912": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. 
Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account.", + "impact": 0.5, + "descs": {} + }, + "SV-213914": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213915": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213916": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213917": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213918": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213919": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213920": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213921": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213922": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213923": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213924": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213926": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). 
\n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.", + "impact": 0.5, + "descs": {} + }, + "SV-213927": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-251040": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + } + } + }, + "rawDiff": { + "addedControlIDs": [ + "SV-213913" + ], + "removedControlIDs": [], + "renamedControlIDs": {}, + "changedControlIDs": [ + "SV-213900", + "SV-213901", + "SV-213902", + "SV-213903", + "SV-213904", + "SV-213905", + "SV-213906", + "SV-213907", + "SV-213908", + "SV-213909", + "SV-213910", + "SV-213911", + "SV-213912", + "SV-213914", + "SV-213915", + "SV-213916", + "SV-213917", + "SV-213918", + "SV-213919", + "SV-213920", + "SV-213921", + "SV-213922", + "SV-213923", + "SV-213924", + "SV-213926", + "SV-213927", + "SV-251040" + ], + "addedControls": { + "SV-213913": { + "tags": { + "check_id": "C-15131r952219_chk", + "severity": "medium", + "gid": "V-213913", + "rid": "SV-213913r952219_rule", + "stig_id": "SQL6-D0-001800", + "gtitle": "SRG-APP-000231-DB-000154", + "fix_id": "F-15129r951656_fix", + "documentable": false, + "legacy": [ + "SV-93795", + "V-79089" + ], + "cci": [ + "CCI-001199" + ], + "nist": [ + "SC-28" + ] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "id": "SV-213913", + "title": "The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.", + "desc": "Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. 
Not having this key can lead to loss of data during recovery.", + "impact": 0.5, + "descs": { + "check": "If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.\n\nReview procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. \n\nIf the procedures or evidence does not exist, this is a finding. \n\nIf the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. \n\nIf procedures do not indicate access restrictions to the Certificate backup, this is a finding.", + "fix": "Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.\n\nBACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' \nWITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); \n\nAs this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text." + } + } + }, + "changedControls": { + "SV-213900": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. 
Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization.\n\nA comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. \n\nExamples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in noncentralized account stores, such as multiple servers. Account management functions can also include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage.\n\nSQL Server must be configured to automatically utilize organization-level account management functions, and these functions must immediately enforce the organization's current account policy. \n\nAutomation may be comprised of differing technologies that when placed together, contain an overall mechanism supporting an organization's automated account management requirements." 
+ } + }, + "SV-213901": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81847" + ], + [ + "-", + "V-67357" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. \n\nSuccessful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. \n\nThis requirement is applicable to access control enforcement applications, a category that includes database management systems. 
If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy." + } + }, + "SV-213902": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring the DBMS's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, shared account.\n\nIf the computer account of a remote computer is granted access to a SQL Server database, any service or scheduled task running as NT AUTHORITY\\SYSTEM or NT AUTHORITY\\NETWORK SERVICE can log into the instance and perform actions. These actions cannot be traced back to a specific user or process." 
+ } + }, + "SV-213903": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database. \n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring SQL Server's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to SQL Server, even where the application connects to SQL Server with a standard, shared account. \n\nApplications should use temporal tables to track the changes and history of sensitive data." + } + }, + "SV-213904": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. 
\n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nSQL Server provides the ability for high privileged accounts to impersonate users in a database using the TRUSTWORTHY feature. This will allow members of the fixed database role to impersonate any user within the database." + } + }, + "SV-213905": { + "describe__deleted": " if input('server_audit_at_database_level_required')\n impact 0.5\n else\n impact 0.0\n desc 'Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)'\n end\n\n approved_audit_maintainers = input('approved_audit_maintainers')\n\n # The query in check-text is assumes the presence of STIG schema as supplied with\n # the STIG supplemental. The below query ( partially taken from 2016 MSSQL STIG)\n # will work without STIG supplemental schema.\n\n query = %{\n SELECT DPE.PERMISSION_NAME AS 'PERMISSION',\n DPM.NAME AS 'ROLE MEMBER',\n DPR.NAME AS 'ROLE NAME'\n FROM SYS.DATABASE_ROLE_MEMBERS DRM\n JOIN SYS.DATABASE_PERMISSIONS DPE\n ON DRM.ROLE_PRINCIPAL_ID = DPE.GRANTEE_PRINCIPAL_ID\n JOIN SYS.DATABASE_PRINCIPALS DPR\n ON DRM.ROLE_PRINCIPAL_ID = DPR.PRINCIPAL_ID\n JOIN SYS.DATABASE_PRINCIPALS DPM\n ON DRM.MEMBER_PRINCIPAL_ID = DPM.PRINCIPAL_ID\n WHERE DPE.PERMISSION_NAME IN ( 'CONTROL', 'ALTER ANY DATABASE AUDIT' )\n OR DPM.NAME IN ('db_owner')\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'List of approved audit maintainers' do\n subject { sql_session.query(query).column('role member').uniq }\n it { should match_array approved_audit_maintainers }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81851" + ], + [ + "-", + "V-67361" + ], + [ + " " + ], + [ + 
" " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)", + "__new": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)" + } + }, + "SV-213906": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." 
+ } + }, + "SV-213907": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." + } + }, + "SV-213908": { + "describe__deleted": " # The query in check text is assumes the presence of STIG schema as supplied\n # with the STIG supplemental. The below query ( taken from 2016 MSSQL STIG)\n # will work without STIG supplemental schema.\n\n query = %{\n ;WITH OBJECTS_CTE\n AS (SELECT O.NAME,\n O.TYPE_DESC,\n CASE\n WHEN O.PRINCIPAL_ID IS NULL THEN S.PRINCIPAL_ID\n ELSE O.PRINCIPAL_ID\n END AS PRINCIPAL_ID\n FROM SYS.OBJECTS O\n INNER JOIN SYS.SCHEMAS S\n ON O.SCHEMA_ID = S.SCHEMA_ID\n WHERE O.IS_MS_SHIPPED = 0)\n SELECT CTE.NAME,\n CTE.TYPE_DESC,\n DP.NAME AS OBJECTOWNER\n FROM OBJECTS_CTE CTE\n INNER JOIN SYS.DATABASE_PRINCIPALS DP\n ON CTE.PRINCIPAL_ID = DP.PRINCIPAL_ID\n ORDER BY DP.NAME,\n CTE.NAME\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe \"Authorized users for Database: #{input('db_name')}\" do\n subject { sql_session.query(query).column('objectowner').uniq }\n it { should cmp input('authorized_principals') }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + 
"legacy": [ + [ + "-", + "SV-81861" + ], + [ + "-", + "V-67371" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.\n\nConversely, if critical tables or other objects in SQL Server rely on unauthorized owner accounts, these objects may be lost when an account is removed." + } + }, + "SV-213909": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If SQL Server were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." 
+ } + }, + "SV-213910": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. In the event of a system failure, SQL Server must be able to bring the database back to a consistent state." + } + }, + "SV-213911": { + "describe__deleted": " query = %{\n SELECT\n COUNT(credential_id) AS count_of_ids\n FROM\n [master].sys.master_key_passwords\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'Count of `Database Master Key passwords` stored in credentials within the database' do\n subject { sql_session.query(query).row(0).column('count_of_ids') }\n its('value') { should cmp 0 }\n end ", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, then the confidentiality of all data encrypted using that key is at risk." 
+ } + }, + "SV-213912": { + "describe__deleted": " query = %(\n SELECT NAME\n FROM [master].sys.databases\n WHERE is_master_key_encrypted_by_server = 1\n AND owner_sid <> 1\n AND state = 0\n AND name = '#{input('db_name')}';\n )\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n results = sql_session.query(query)\n\n if results.empty?\n impact 0.0\n desc 'No databases require encryption hence this is not a finding'\n end\n\n describe 'The following checks must be performed manually' do\n skip \"The following checks must be performed manually:\n For the database #{results.column('name')} verify in the System Security\n Plan that encryption of the Database Master Key using the Service Master Key\n is acceptable and approved by the Information Owner, and the encrypted data\n does not require additional protections to deter or detect DBA access.\n If not approved, this is a finding.\n\n If approved and additional protections are required, then verify the additional\n requirements are in place in accordance with the System Security Plan. These\n may include additional auditing on access of the Database Master Key with\n alerts or other automated monitoring.\n\n If the additional requirements are not in place, this is a finding.\"\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81871" + ], + [ + "-", + "V-67381" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "No databases require encryption hence this is not a finding", + "__new": "When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. 
Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "No databases require encryption hence this is not a finding", + "check": { + "__old": "If no databases require encryption, this is not a finding.\n\nFrom the query prompt:\nSELECT name\nFROM [master].sys.databases\nWHERE is_master_key_encrypted_by_server = 1\nAND owner_sid <> 1\nAND state = 0;\n(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.)\n\nIf no databases are returned by the query, this is not a finding.\n\nFor any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding.\n\nIf approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring.\n\nIf the additional requirements are not in place, this is a finding.", + "__new": "If no databases require encryption, this is not a finding. 
\n\nFrom the query prompt: \n\nSELECT name \nFROM [master].sys.databases \nWHERE is_master_key_encrypted_by_server = 1 \nAND owner_sid <> 1 \nAND state = 0; \n(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.) \n\nIf no databases are returned by the query, this is not a finding. \n\nFor any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding. \n\nIf approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring. \n\nIf the additional requirements are not in place, this is a finding." + }, + "fix": { + "__old": "Where possible, encrypt the Database Master Key with a password known only to the application administrator. Where not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data.", + "__new": "Where possible, encrypt the Database Master Key with a password known only to the application administrator.\n\nWhere not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data." 
+ } + } + }, + "SV-213914": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. \n\nSecurity functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.\n\nDevelopers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. \n\nDatabase Management Systems typically separate security functionality from non-security functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and non-security functionality are commingled, users who have access to non-security functionality may be able to access security functionality." + } + }, + "SV-213915": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81879" + ], + [ + "-", + "V-67389" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. 
\n\nData used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location without the proper controls." + } + }, + "SV-213916": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81881" + ], + [ + "-", + "V-67391" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.\n\nWith respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nEven when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. 
Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.", + "check": { + "__old": "Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.\n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding.\n\nIf column/field definitions are not reflective of the data, this is a finding.\n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding.\n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.\n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.", + "__new": "Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid 
input. \n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding. \n\nIf column/field definitions are not reflective of the data, this is a finding. \n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding. \n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding. \n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding." + } + } + }, + "SV-213917": { + "describe__deleted": " # The below query was taken from 2016 MSSQL STIG\n\n query = %{\n DBCC\n TRACESTATUS (3625, -1)\n GO\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'TRACEFLAG 3625' do\n subject { sql_session.query(query).rows[0] }\n its('status') { should cmp 1 }\n its('global') { should cmp 1 }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81887" + ], + [ + "-", + "V-67397" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.\n\nDatabases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. 
In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system.\n\nCarefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers." + } + }, + "SV-213918": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81891" + ], + [ + "-", + "V-67401" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the 
database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213919": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81893" + ], + [ + "-", + "V-67403" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are 
typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213920": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81895" + ], + [ + "-", + "V-67405" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., 
subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213921": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled table permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. 
Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. \n\nA subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. \n\nThe policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control." + } + }, + "SV-213922": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.\n\nPrivilege elevation must be utilized only where necessary and protected from misuse." 
+ } + }, + "SV-213923": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.\n\nDBMS functionality and the nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research.\n\nSQL Server must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization). \n\nIn the case of a database management system, this requirement covers stored procedures, functions, triggers, views, etc." + } + }, + "SV-213924": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. 
\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications." + } + }, + "SV-213926": { + "describe__deleted": " data_at_rest_encryption_required = input('data_at_rest_encryption_required')\n\n query = %{\n SELECT\n d.name AS [Database Name],\n CASE e.encryption_state\n WHEN 0 THEN 'No database encryption key present, no encryption'\n WHEN 1 THEN 'Unencrypted'\n WHEN 2 THEN 'Encryption in progress'\n WHEN 3 THEN 'Encrypted'\n WHEN 4 THEN 'Key change in progress'\n WHEN 5 THEN 'Decryption in progress'\n WHEN 6 THEN 'Protection change in progress'\n END AS [Encryption State]\n FROM sys.dm_database_encryption_keys e\n RIGHT JOIN sys.databases d ON DB_NAME(e.database_id) = d.name\n WHERE d.name IN ('#{input('db_name')}')\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n unless data_at_rest_encryption_required\n impact 0.0\n desc 'If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.'\n end\n\n describe \"Database: #{input('db_name')} encryption state\" do\n subject { sql_session.query(query).column('encryption state').uniq }\n it { should cmp 'Encrypted' }\n end\n\n describe 'The following checks must be performed manually' do\n skip \"The following checks must be performed manually:\n If full-disk encryption is required, and Windows or the storage system is not\n configured for this, this is a finding.\n\n If database transparent data 
encryption (TDE) is called for, check whether it\n is enabled:\n In SQL Server Management Studio, Object Explorer, expand the instance and\n right-click on the database name; select properties. Select the Options page,\n State section, Encryption Enabled parameter.\n\n If the value displayed is False, this is a finding.\n\n If column encryption, done via SQL Server features, is required, review the\n definitions and contents of the relevant tables and columns.\n\n If any of the information defined as requiring cryptographic protection is not\n encrypted in a manner that provides the required level of protection, this is a\n finding.\n\n If table/column encryption and/or a separation between those who own the data\n (and can view it) and those who manage the data (but should have no access) is\n required for PII or similar types of data, use Always Encrypted. The details\n for configuring Always Encrypted are located here:\n https://msdn.microsoft.com/en-us/library/mt163865.aspx.\n\n Review the definitions and contents of the relevant tables/columns for the\n Always Encryption settings, if any of the information defined as requiring\n cryptographic protection is not encrypted this is a finding.\"\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81899" + ], + [ + "-", + "V-67409" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.", + "__new": "DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. 
These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding." + } + }, + "SV-213927": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "SQL Server’s handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides." + } + }, + "SV-251040": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a DBMS with the encryption devices." + } + } + } + } +} \ No newline at end of file diff --git a/src/assets/downloads/report.md b/src/assets/downloads/report.md new file mode 100644 index 000000000..a16403227 --- /dev/null +++ b/src/assets/downloads/report.md @@ -0,0 +1,10483 @@ +## Automatic Update: -> + +### New Controls: ++ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. + + +### Updated Check/Fixes: +#### Checks: +
+ Click to expand. +SV-230262: +Old: +``` +Verify the system-wide shared library files are group-owned by "root" +with the following command: + + $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} +\; + + If any system wide shared library file is returned and is not group-owned +by a required system account, this is a finding. + +``` + +Updated: +``` +Verify the system-wide shared library files are group-owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; + +If any system wide shared library file is returned and is not group-owned by a required system account, this is a finding. + +``` +--- +SV-230379: +Old: +``` +Verify all accounts on the system are assigned to an active system, +application, or user account. + + Obtain the list of authorized system accounts from the Information System +Security Officer (ISSO). + + Check the system accounts on the system with the following command: + + $ sudo more /etc/passwd + + root:x:0:0:root:/root:/bin/bash + bin:x:1:1:bin:/bin:/sbin/nologin + daemon:x:2:2:daemon:/sbin:/sbin/nologin + sync:x:5:0:sync:/sbin:/bin/sync + shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown + halt:x:7:0:halt:/sbin:/sbin/halt + games:x:12:100:games:/usr/games:/sbin/nologin + gopher:x:13:30:gopher:/var/gopher:/sbin/nologin + + Accounts such as "games" and "gopher" are not authorized accounts as +they do not support authorized system functions. + + If the accounts on the system do not match the provided documentation, or +accounts that do not support an authorized system function are present, this is +a finding. + +``` + +Updated: +``` +Verify that there are no unauthorized interactive user accounts with the following command: + +$ less /etc/passwd + +root:x:0:0:root:/root:/bin/bash +... 
+games:x:12:100:games:/usr/games:/sbin/nologin +scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash +djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash + +Interactive user account, generally will have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell. + +Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system. + +If there are unauthorized local user accounts on the system, this is a finding. + +``` +--- +SV-230470: +Old: +``` +Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the +following commands: + + Note: If the USBGuard daemon is not installed and enabled, this requirement +is not applicable. + + $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf + + AuditBackend=LinuxAudit + + If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or +the line is commented out, this is a finding. + +``` + +Updated: +``` +Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: + +Note: If the USBGuard daemon is not installed and enabled, this requirement is Not Applicable. + +$ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf + +AuditBackend=LinuxAudit + +If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or the line is commented out, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-230524: +Old: +``` +Verify the USBGuard has a policy configured with the following command: + + $ sudo usbguard list-rules + + If the command does not return results or an error is returned, ask the SA +to indicate how unauthorized peripherals are being blocked. 
+ + If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify the USBGuard has a policy configured with the following command: + +$ sudo usbguard list-rules + +If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-230548: +Old: +``` +Verify RHEL 8 disables the use of user namespaces with the following commands: + +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +$ sudo sysctl user.max_user_namespaces + +user.max_user_namespaces = 0 + +If the returned line does not have a value of "0", or a line is not returned, this is a finding. + +Check that the configuration files are present to enable this network parameter. + +$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + +/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + +If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding. 
+ +``` + +Updated: +``` +Verify RHEL 8 disables the use of user namespaces with the following commands: + +$ sudo sysctl user.max_user_namespaces + +user.max_user_namespaces = 0 + +If the returned line does not have a value of "0", or a line is not returned, this is a finding. + +Check that the configuration files are present to enable this network parameter. + +$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + +/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + +If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding. + +If the use of namespaces is operationally required and documented with the ISSM, it is not a finding. + +``` +--- +SV-230559: +Old: +``` +Verify the gssproxy package has not been installed on the system with the +following commands: + + $ sudo yum list installed gssproxy + + gssproxy.x86_64 +0.8.0-14.el8 @anaconda + + If the gssproxy package is installed and is not documented with the +Information System Security Officer (ISSO) as an operational requirement, this +is a finding. + +``` + +Updated: +``` +Verify the gssproxy package has not been installed on the system with the following commands: + +$ sudo yum list installed gssproxy + +gssproxy.x86_64 0.8.0-14.el8 @anaconda + +If the gssproxy package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. + +If NFS mounts are being used, this is not a finding. + +``` +--- +SV-244527: +Old: +``` +Check that RHEL 8 has the packages required to enabled the hardware random +number generator entropy gatherer service with the following command: + + $ sudo yum list installed rng-tools + + rng-tools.x86_64 6.8-3.el8 +@anaconda + + If the "rng-tools" package is not installed, this is a finding. 
+ +``` + +Updated: +``` +Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable. + +Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: + +$ sudo yum list installed rng-tools + +rng-tools.x86_64 6.8-3.el8 @anaconda + +If the "rng-tools" package is not installed, this is a finding. + +``` +--- +SV-244547: +Old: +``` +Verify USBGuard is installed on the operating system with the following +command: + + $ sudo yum list installed usbguard + + Installed Packages + usbguard.x86_64 0.7.8-7.el8 @ol8_appstream + + If the USBGuard package is not installed, ask the SA to indicate how +unauthorized peripherals are being blocked. + If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify USBGuard is installed on the operating system with the following command: + +$ sudo yum list installed usbguard + +Installed Packages +usbguard.x86_64 0.7.8-7.el8 @ol8_appstream + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-244548: +Old: +``` +Verify the operating system has enabled the use of the USBGuard with the +following command: + + $ sudo systemctl status usbguard.service + + usbguard.service - USBGuard daemon + Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor +preset: disabled) + Active: active (running) + + If the usbguard.service is not enabled and active, ask the SA to indicate +how unauthorized peripherals are being blocked. 
+ If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify the operating system has enabled the use of the USBGuard with the following command: + +$ sudo systemctl status usbguard.service + +usbguard.service - USBGuard daemon +Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled) +Active: active (running) + +If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-257258: +Old: +``` +Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command: + + $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf + + StopIdleSessionSec=900 + +If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding. + +``` + +Updated: +``` +Note: This requirement applies to RHEL versions 8.7 and higher. If the system is not RHEL version 8.7 or newer, this requirement is not applicable. + +Verify that RHEL 8 logs out sessions that are idle for 10 minutes with the following command: + +$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf + +StopIdleSessionSec=600 + +If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding. + +``` +--- +
+ +#### Fixes: +
+ Click to expand. +SV-230379: +Old: +``` +Configure the system so all accounts on the system are assigned to an +active system, application, or user account. + + Remove accounts that do not support approved system activities or that +allow for a normal user to perform administrative-level actions. + + Document all authorized accounts on the system. + +``` +New: +``` +Remove unauthorized local interactive user accounts with the following command where is the unauthorized account: + +$ sudo userdel + +``` +--- +SV-230548: +Old: +``` +Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +user.max_user_namespaces = 0 + +Remove any configurations that conflict with the above from the following locations: +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf +/etc/sysctl.d/*.conf + +The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --system + +``` +New: +``` +Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + +user.max_user_namespaces = 0 + +Remove any configurations that conflict with the above from the following locations: +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf +/etc/sysctl.d/*.conf + +The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +$ sudo sysctl --system + +``` +--- +SV-257258: +Old: +``` +Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: + + StopIdleSessionSec=900 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + + $ sudo systemctl restart systemd-logind + +Note: To preserve running user programs such as tmux, uncomment and/or edit "KillUserProccesses=no" in "/etc/systemd/logind.conf". + +``` +New: +``` +Configure RHEL 8 to log out idle sessions after 10 minutes by editing the /etc/systemd/logind.conf file with the following line: + +StopIdleSessionSec=600 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + +$ sudo systemctl restart systemd-logind + +``` +--- +
+ +### Updated Impacts +
+ Click to expand. +SV-230223: +Old: 0 +New: 0.7 +--- +SV-230224: +Old: 0 +New: 0.5 +--- +SV-230230: +Old: 0 +New: 0.5 +--- +SV-230234: +Old: 0 +New: 0.7 +--- +SV-230235: +Old: 0 +New: 0.7 +--- +SV-230238: +Old: 0 +New: 0.5 +--- +SV-230239: +Old: 0 +New: 0.5 +--- +SV-230244: +Old: 0 +New: 0.5 +--- +SV-230273: +Old: 0 +New: 0.5 +--- +SV-230275: +Old: 0 +New: 0.5 +--- +SV-230285: +Old: 0 +New: 0.3 +--- +SV-230300: +Old: 0 +New: 0.5 +--- +SV-230328: +Old: 0 +New: 0.5 +--- +SV-230329: +Old: 0 +New: 0.7 +--- +SV-230332: +Old: 0 +New: 0.5 +--- +SV-230347: +Old: 0 +New: 0.5 +--- +SV-230351: +Old: 0 +New: 0.5 +--- +SV-230352: +Old: 0 +New: 0.5 +--- +SV-230354: +Old: 0 +New: 0.5 +--- +SV-230376: +Old: 0 +New: 0.5 +--- +SV-230380: +Old: 0 +New: 0.7 +--- +SV-230382: +Old: 0 +New: 0.5 +--- +SV-230385: +Old: 0.7 +New: 0.5 +--- +SV-230493: +Old: 0 +New: 0.5 +--- +SV-230502: +Old: 0 +New: 0.5 +--- +SV-230506: +Old: 0 +New: 0.5 +--- +SV-230507: +Old: 0 +New: 0.5 +--- +SV-230523: +Old: 0 +New: 0.5 +--- +SV-230530: +Old: 0 +New: 0.7 +--- +SV-230535: +Old: 0 +New: 0.5 +--- +SV-230536: +Old: 0 +New: 0.5 +--- +SV-230537: +Old: 0 +New: 0.5 +--- +SV-230538: +Old: 0 +New: 0.5 +--- +SV-230539: +Old: 0 +New: 0.5 +--- +SV-230540: +Old: 0 +New: 0.5 +--- +SV-230541: +Old: 0 +New: 0.5 +--- +SV-230542: +Old: 0 +New: 0.5 +--- +SV-230543: +Old: 0 +New: 0.5 +--- +SV-230544: +Old: 0 +New: 0.5 +--- +SV-230545: +Old: 0 +New: 0.5 +--- +SV-230546: +Old: 0 +New: 0.5 +--- +SV-230547: +Old: 0 +New: 0.5 +--- +SV-230548: +Old: 0 +New: 0.5 +--- +SV-230549: +Old: 0 +New: 0.5 +--- +SV-230550: +Old: 0 +New: 0.5 +--- +SV-230557: +Old: 0 +New: 0.5 +--- +SV-237640: +Old: 0 +New: 0.5 +--- +SV-244519: +Old: 0 +New: 0.5 +--- +SV-244521: +Old: 0 +New: 0.5 +--- +SV-244522: +Old: 0 +New: 0.5 +--- +SV-244530: +Old: 0 +New: 0.5 +--- +SV-244535: +Old: 0 +New: 0.5 +--- +SV-244536: +Old: 0 +New: 0.5 +--- +SV-244538: +Old: 0 +New: 0.5 +--- +SV-244539: +Old: 0 +New: 0.5 +--- +SV-244545: +Old: 0 +New: 0.5 +--- +SV-244546: +Old: 
0 +New: 0.5 +--- +SV-244550: +Old: 0 +New: 0.5 +--- +SV-244551: +Old: 0 +New: 0.5 +--- +SV-244552: +Old: 0 +New: 0.5 +--- +SV-244553: +Old: 0 +New: 0.5 +--- +SV-244554: +Old: 0 +New: 0.5 +--- +SV-250315: +Old: 0 +New: 0.5 +--- +SV-250317: +Old: 0 +New: 0.5 +--- +SV-251710: +Old: 0 +New: 0.5 +--- +SV-251711: +Old: 0 +New: 0.5 +--- +SV-251712: +Old: 0 +New: 0.5 +--- +SV-251718: +Old: 0 +New: 0.5 +--- +
+ +### Updated Titles +
+ Click to expand. +SV-230226: +Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent +Banner before granting local or remote access to the system via a graphical +user logon. +New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. +--- +SV-230227: +Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent +Banner before granting local or remote access to the system via a command line +user logon. +New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. +--- +SV-230229: +Old: RHEL 8, for PKI-based authentication, must validate certificates by +constructing a certification path (which includes status information) to an +accepted trust anchor. +New: RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. +--- +SV-230230: +Old: RHEL 8, for certificate-based authentication, must enforce authorized +access to the corresponding private key. +New: RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. +--- +SV-230231: +Old: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved +cryptographic hashing algorithm. +New: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. +--- +SV-230232: +Old: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing +algorithms for all stored passwords. +New: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. +--- +SV-230234: +Old: RHEL 8 operating systems booted with United Extensible Firmware +Interface (UEFI) must require authentication upon booting into single-user mode +and maintenance. 
+New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. +--- +SV-230235: +Old: RHEL 8 operating systems booted with a BIOS must require +authentication upon booting into single-user and maintenance modes. +New: RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. +--- +SV-230236: +Old: RHEL 8 operating systems must require authentication upon booting into +rescue mode. +New: RHEL 8 operating systems must require authentication upon booting into rescue mode. +--- +SV-230237: +Old: The RHEL 8 pam_unix.so module must be configured in the password-auth +file to use a FIPS 140-2 approved cryptographic hashing algorithm for system +authentication. +New: The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. +--- +SV-230238: +Old: RHEL 8 must prevent system daemons from using Kerberos for +authentication. +New: RHEL 8 must prevent system daemons from using Kerberos for authentication. +--- +SV-230240: +Old: RHEL 8 must use a Linux Security Module configured to enforce limits +on system services. +New: RHEL 8 must use a Linux Security Module configured to enforce limits on system services. +--- +SV-230243: +Old: A sticky bit must be set on all RHEL 8 public directories to prevent +unauthorized and unintended information transferred via shared system +resources. +New: A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. +--- +SV-230245: +Old: The RHEL 8 /var/log/messages file must have mode 0640 or less +permissive. +New: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive. 
+--- +SV-230252: +Old: The RHEL 8 operating system must implement DoD-approved encryption to +protect the confidentiality of SSH server connections. +New: The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. +--- +SV-230254: +Old: The RHEL 8 operating system must implement DoD-approved encryption in +the OpenSSL package. +New: The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. +--- +SV-230255: +Old: The RHEL 8 operating system must implement DoD-approved TLS encryption +in the OpenSSL package. +New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. +--- +SV-230256: +Old: The RHEL 8 operating system must implement DoD-approved TLS encryption +in the GnuTLS package. +New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package. +--- +SV-230259: +Old: RHEL 8 system commands must be group-owned by root or a system +account. +New: RHEL 8 system commands must be group-owned by root or a system account. +--- +SV-230263: +Old: The RHEL 8 file integrity tool must notify the system administrator +when changes to the baseline configuration or anomalies in the operation of any +security functions are discovered within an organizationally defined frequency. +New: The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency. +--- +SV-230264: +Old: RHEL 8 must prevent the installation of software, patches, service +packs, device drivers, or operating system components from a repository without +verification they have been digitally signed using a certificate that is issued +by a Certificate Authority (CA) that is recognized and approved by the +organization. 
+New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. +--- +SV-230265: +Old: RHEL 8 must prevent the installation of software, patches, service +packs, device drivers, or operating system components of local packages without +verification they have been digitally signed using a certificate that is issued +by a Certificate Authority (CA) that is recognized and approved by the +organization. +New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. +--- +SV-230267: +Old: RHEL 8 must enable kernel parameters to enforce discretionary access +control on symlinks. +New: RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. +--- +SV-230271: +Old: RHEL 8 must require users to provide a password for privilege +escalation. +New: RHEL 8 must require users to provide a password for privilege escalation. +--- +SV-230273: +Old: RHEL 8 must have the packages required for multifactor authentication + installed. +New: RHEL 8 must have the packages required for multifactor authentication installed. +--- +SV-230276: +Old: RHEL 8 must implement non-executable data to protect its memory from +unauthorized code execution. +New: RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. +--- +SV-230277: +Old: RHEL 8 must clear the page allocator to prevent use-after-free +attacks. +New: RHEL 8 must clear the page allocator to prevent use-after-free attacks. 
+--- +SV-230280: +Old: RHEL 8 must implement address space layout randomization (ASLR) to +protect its memory from unauthorized code execution. +New: RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. +--- +SV-230281: +Old: YUM must remove all software components after updated versions have +been installed on RHEL 8. +New: YUM must remove all software components after updated versions have been installed on RHEL 8. +--- +SV-230285: +Old: RHEL 8 must enable the hardware random number generator entropy +gatherer service. +New: RHEL 8 must enable the hardware random number generator entropy gatherer service. +--- +SV-230286: +Old: The RHEL 8 SSH public host key files must have mode 0644 or less +permissive. +New: The RHEL 8 SSH public host key files must have mode 0644 or less permissive. +--- +SV-230288: +Old: The RHEL 8 SSH daemon must perform strict mode checking of home +directory configuration files. +New: The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files. +--- +SV-230290: +Old: The RHEL 8 SSH daemon must not allow authentication using known host’s +authentication. +New: The RHEL 8 SSH daemon must not allow authentication using known host’s authentication. +--- +SV-230291: +Old: The RHEL 8 SSH daemon must not allow Kerberos authentication, except +to fulfill documented and validated mission requirements. +New: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. +--- +SV-230296: +Old: RHEL 8 must not permit direct logons to the root account using remote +access via SSH. +New: RHEL 8 must not permit direct logons to the root account using remote access via SSH. +--- +SV-230299: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on file systems that contain user home directories. 
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. +--- +SV-230300: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on the /boot directory. +New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. +--- +SV-230302: +Old: RHEL 8 must prevent code from being executed on file systems that +contain user home directories. +New: RHEL 8 must prevent code from being executed on file systems that contain user home directories. +--- +SV-230303: +Old: RHEL 8 must prevent special devices on file systems that are used with +removable media. +New: RHEL 8 must prevent special devices on file systems that are used with removable media. +--- +SV-230304: +Old: RHEL 8 must prevent code from being executed on file systems that are +used with removable media. +New: RHEL 8 must prevent code from being executed on file systems that are used with removable media. +--- +SV-230305: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on file systems that are used with removable media. +New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. +--- +SV-230306: +Old: RHEL 8 must prevent code from being executed on file systems that are +imported via Network File System (NFS). +New: RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS). +--- +SV-230307: +Old: RHEL 8 must prevent special devices on file systems that are imported +via Network File System (NFS). +New: RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS). +--- +SV-230308: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on file systems that are imported via Network File System (NFS). 
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). +--- +SV-230309: +Old: Local RHEL 8 initialization files must not execute world-writable +programs. +New: Local RHEL 8 initialization files must not execute world-writable programs. +--- +SV-230316: +Old: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at +least two name servers must be configured. +New: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. +--- +SV-230317: +Old: Executable search paths within the initialization files of all local +interactive RHEL 8 users must only contain paths that resolve to the system +default or the users home directory. +New: Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. +--- +SV-230318: +Old: All RHEL 8 world-writable directories must be owned by root, sys, bin, +or an application user. +New: All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user. +--- +SV-230319: +Old: All RHEL 8 world-writable directories must be group-owned by root, +sys, bin, or an application group. +New: All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. +--- +SV-230320: +Old: All RHEL 8 local interactive users must have a home directory assigned +in the /etc/passwd file. +New: All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. +--- +SV-230321: +Old: All RHEL 8 local interactive user home directories must have mode 0750 +or less permissive. +New: All RHEL 8 local interactive user home directories must have mode 0750 or less permissive. 
+--- +SV-230322: +Old: All RHEL 8 local interactive user home directories must be group-owned +by the home directory owner’s primary group. +New: All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group. +--- +SV-230323: +Old: All RHEL 8 local interactive user home directories defined in the +/etc/passwd file must exist. +New: All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist. +--- +SV-230324: +Old: All RHEL 8 local interactive user accounts must be assigned a home +directory upon creation. +New: All RHEL 8 local interactive user accounts must be assigned a home directory upon creation. +--- +SV-230325: +Old: All RHEL 8 local initialization files must have mode 0740 or less +permissive. +New: All RHEL 8 local initialization files must have mode 0740 or less permissive. +--- +SV-230328: +Old: A separate RHEL 8 filesystem must be used for user home directories +(such as /home or an equivalent). +New: A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent). +--- +SV-230329: +Old: Unattended or automatic logon via the RHEL 8 graphical user interface +must not be allowed. +New: Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed. +--- +SV-230331: +Old: RHEL 8 temporary user accounts must be provisioned with an expiration +time of 72 hours or less. +New: RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less. +--- +SV-230332: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. +--- +SV-230333: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
+--- +SV-230334: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230335: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230336: +Old: RHEL 8 must automatically lock an account until the locked account is +released by an administrator when three unsuccessful logon attempts occur +during a 15-minute time period. +New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230337: +Old: RHEL 8 must automatically lock an account until the locked account is +released by an administrator when three unsuccessful logon attempts occur +during a 15-minute time period. +New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230340: +Old: RHEL 8 must prevent system messages from being presented when three +unsuccessful logon attempts occur. +New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. +--- +SV-230341: +Old: RHEL 8 must prevent system messages from being presented when three +unsuccessful logon attempts occur. +New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. +--- +SV-230342: +Old: RHEL 8 must log user name information when unsuccessful logon attempts +occur. +New: RHEL 8 must log user name information when unsuccessful logon attempts occur. 
+--- +SV-230343: +Old: RHEL 8 must log user name information when unsuccessful logon attempts +occur. +New: RHEL 8 must log user name information when unsuccessful logon attempts occur. +--- +SV-230344: +Old: RHEL 8 must include root when automatically locking an account until +the locked account is released by an administrator when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230345: +Old: RHEL 8 must include root when automatically locking an account until +the locked account is released by an administrator when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230346: +Old: RHEL 8 must limit the number of concurrent sessions to ten for all +accounts and/or account types. +New: RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types. +--- +SV-230347: +Old: RHEL 8 must enable a user session lock until that user re-establishes +access using established identification and authentication procedures for +graphical user sessions. +New: RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. +--- +SV-230351: +Old: RHEL 8 must be able to initiate directly a session lock for all + connection types using smartcard when the smartcard is removed. +New: RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
+--- +SV-230352: +Old: RHEL 8 must automatically lock graphical user sessions after 15 +minutes of inactivity. +New: RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity. +--- +SV-230354: +Old: RHEL 8 must prevent a user from overriding the session lock-delay +setting for the graphical user interface. +New: RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface. +--- +SV-230355: +Old: RHEL 8 must map the authenticated identity to the user or group +account for PKI-based authentication. +New: RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication. +--- +SV-230357: +Old: RHEL 8 must enforce password complexity by requiring that at least one +uppercase character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. +--- +SV-230358: +Old: RHEL 8 must enforce password complexity by requiring that at least one +lower-case character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. +--- +SV-230359: +Old: RHEL 8 must enforce password complexity by requiring that at least one +numeric character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. +--- +SV-230360: +Old: RHEL 8 must require the maximum number of repeating characters of the +same character class be limited to four when passwords are changed. +New: RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. +--- +SV-230361: +Old: RHEL 8 must require the maximum number of repeating characters be +limited to three when passwords are changed. +New: RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. 
+--- +SV-230363: +Old: RHEL 8 must require the change of at least 8 characters when passwords +are changed. +New: RHEL 8 must require the change of at least 8 characters when passwords are changed. +--- +SV-230364: +Old: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime +restriction in /etc/shadow. +New: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. +--- +SV-230366: +Old: RHEL 8 user account passwords must have a 60-day maximum password +lifetime restriction. +New: RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction. +--- +SV-230367: +Old: RHEL 8 user account passwords must be configured so that existing +passwords are restricted to a 60-day maximum lifetime. +New: RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. +--- +SV-230372: +Old: RHEL 8 must implement smart card logon for multifactor authentication +for access to interactive accounts. +New: RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. +--- +SV-230373: +Old: RHEL 8 account identifiers (individuals, groups, roles, and devices) + must be disabled after 35 days of inactivity. +New: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. +--- +SV-230378: +Old: RHEL 8 must enforce a delay of at least four seconds between logon +prompts following a failed logon attempt. +New: RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. +--- +SV-230380: +Old: RHEL 8 must not allow accounts configured with blank or null +passwords. +New: RHEL 8 must not allow accounts configured with blank or null passwords. +--- +SV-230381: +Old: RHEL 8 must display the date and time of the last successful account +logon upon logon. 
+New: RHEL 8 must display the date and time of the last successful account logon upon logon. +--- +SV-230382: +Old: RHEL 8 must display the date and time of the last successful account +logon upon an SSH logon. +New: RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. +--- +SV-230383: +Old: RHEL 8 must define default permissions for all authenticated users in +such a way that the user can only read and modify their own files. +New: RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. +--- +SV-230384: +Old: RHEL 8 must set the umask value to 077 for all local interactive user +accounts. +New: RHEL 8 must set the umask value to 077 for all local interactive user accounts. +--- +SV-230386: +Old: The RHEL 8 audit system must be configured to audit the execution of +privileged functions and prevent all software from executing at higher +privilege levels than users executing the software. +New: The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. +--- +SV-230388: +Old: The RHEL 8 System Administrator (SA) and Information System Security +Officer (ISSO) (at a minimum) must be alerted of an audit processing failure +event. +New: The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. +--- +SV-230389: +Old: The RHEL 8 Information System Security Officer (ISSO) and System +Administrator (SA) (at a minimum) must have mail aliases to be notified of an +audit processing failure. +New: The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. 
+--- +SV-230390: +Old: The RHEL 8 System must take appropriate action when an audit +processing failure occurs. +New: The RHEL 8 System must take appropriate action when an audit processing failure occurs. +--- +SV-230392: +Old: The RHEL 8 audit system must take appropriate action when the audit +storage volume is full. +New: The RHEL 8 audit system must take appropriate action when the audit storage volume is full. +--- +SV-230394: +Old: RHEL 8 must label all off-loaded audit logs before sending them to the +central log server. +New: RHEL 8 must label all off-loaded audit logs before sending them to the central log server. +--- +SV-230396: +Old: RHEL 8 audit logs must have a mode of 0600 or less permissive to +prevent unauthorized read access. +New: RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. +--- +SV-230397: +Old: RHEL 8 audit logs must be owned by root to prevent unauthorized read +access. +New: RHEL 8 audit logs must be owned by root to prevent unauthorized read access. +--- +SV-230398: +Old: RHEL 8 audit logs must be group-owned by root to prevent unauthorized +read access. +New: RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. +--- +SV-230399: +Old: RHEL 8 audit log directory must be owned by root to prevent +unauthorized read access. +New: RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. +--- +SV-230400: +Old: RHEL 8 audit log directory must be group-owned by root to prevent +unauthorized read access. +New: RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. +--- +SV-230401: +Old: RHEL 8 audit log directory must have a mode of 0700 or less permissive +to prevent unauthorized read access. +New: RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access. +--- +SV-230402: +Old: RHEL 8 audit system must protect auditing rules from unauthorized +change. 
+New: RHEL 8 audit system must protect auditing rules from unauthorized change. +--- +SV-230404: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/shadow. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. +--- +SV-230405: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect +/etc/security/opasswd. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. +--- +SV-230406: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/passwd. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. +--- +SV-230407: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/gshadow. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. +--- +SV-230408: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/group. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. +--- +SV-230409: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/sudoers. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. 
+--- +SV-230410: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/sudoers.d/. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. +--- +SV-230412: +Old: Successful/unsuccessful uses of the su command in RHEL 8 must generate +an audit record. +New: Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. +--- +SV-230418: +Old: Successful/unsuccessful uses of the chage command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. +--- +SV-230419: +Old: Successful/unsuccessful uses of the chcon command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. +--- +SV-230421: +Old: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate +an audit record. +New: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. +--- +SV-230422: +Old: Successful/unsuccessful uses of the passwd command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. +--- +SV-230423: +Old: Successful/unsuccessful uses of the mount command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. +--- +SV-230424: +Old: Successful/unsuccessful uses of the umount command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. +--- +SV-230425: +Old: Successful/unsuccessful uses of the mount syscall in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. 
+--- +SV-230426: +Old: Successful/unsuccessful uses of the unix_update in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. +--- +SV-230427: +Old: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. +--- +SV-230428: +Old: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. +--- +SV-230429: +Old: Successful/unsuccessful uses of semanage in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. +--- +SV-230430: +Old: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. +--- +SV-230431: +Old: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. +--- +SV-230432: +Old: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. +--- +SV-230433: +Old: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. +--- +SV-230434: +Old: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. +--- +SV-230435: +Old: Successful/unsuccessful uses of the setfacl command in RHEL 8 must +generate an audit record. 
+New: Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. +--- +SV-230436: +Old: Successful/unsuccessful uses of the pam_timestamp_check command in +RHEL 8 must generate an audit record. +New: Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. +--- +SV-230437: +Old: Successful/unsuccessful uses of the newgrp command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. +--- +SV-230444: +Old: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. +--- +SV-230446: +Old: Successful/unsuccessful uses of the delete_module command in RHEL 8 +must generate an audit record. +New: Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. +--- +SV-230447: +Old: Successful/unsuccessful uses of the crontab command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. +--- +SV-230448: +Old: Successful/unsuccessful uses of the chsh command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. +--- +SV-230462: +Old: Successful/unsuccessful uses of the sudo command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. +--- +SV-230463: +Old: Successful/unsuccessful uses of the usermod command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. +--- +SV-230464: +Old: Successful/unsuccessful uses of the chacl command in RHEL 8 must +generate an audit record. 
+New: Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. +--- +SV-230465: +Old: Successful/unsuccessful uses of the kmod command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. +--- +SV-230466: +Old: Successful/unsuccessful modifications to the faillock log file in RHEL +8 must generate an audit record. +New: Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record. +--- +SV-230467: +Old: Successful/unsuccessful modifications to the lastlog file in RHEL 8 +must generate an audit record. +New: Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. +--- +SV-230468: +Old: RHEL 8 must enable auditing of processes that start prior to the audit +daemon. +New: RHEL 8 must enable auditing of processes that start prior to the audit daemon. +--- +SV-230469: +Old: RHEL 8 must allocate an audit_backlog_limit of sufficient size to +capture processes that start prior to the audit daemon. +New: RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. +--- +SV-230471: +Old: RHEL 8 must allow only the Information System Security Manager (ISSM) +(or individuals or roles appointed by the ISSM) to select which auditable +events are to be audited. +New: RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. +--- +SV-230475: +Old: RHEL 8 must use cryptographic mechanisms to protect the integrity of +audit tools. +New: RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. 
+---
+SV-230476:
+Old: RHEL 8 must allocate audit record storage capacity to store at least
+one week of audit records, when audit records are not immediately sent to a
+central audit record storage facility.
+New: RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
+---
+SV-230477:
+Old: RHEL 8 must have the packages required for offloading audit logs
+installed.
+New: RHEL 8 must have the packages required for offloading audit logs installed.
+---
+SV-230478:
+Old: RHEL 8 must have the packages required for encrypting offloaded audit
+logs installed.
+New: RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
+---
+SV-230479:
+Old: The RHEL 8 audit records must be off-loaded onto a different system or
+storage media from the system being audited.
+New: The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.
+---
+SV-230480:
+Old: RHEL 8 must take appropriate action when the internal event queue is
+full.
+New: RHEL 8 must take appropriate action when the internal event queue is full.
+---
+SV-230481:
+Old: RHEL 8 must encrypt the transfer of audit records off-loaded onto a
+different system or media from the system being audited.
+New: RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
+---
+SV-230482:
+Old: RHEL 8 must authenticate the remote logging server for off-loading
+audit logs.
+New: RHEL 8 must authenticate the remote logging server for off-loading audit logs.
+---
+SV-230483:
+Old: RHEL 8 must take action when allocated audit record storage volume
+ reaches 75 percent of the repository maximum audit record storage capacity.
+New: RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
+---
+SV-230484:
+Old: RHEL 8 must securely compare internal information system clocks at
+least every 24 hours with a server synchronized to an authoritative time
+source, such as the United States Naval Observatory (USNO) time servers, or a
+time server designated for the appropriate DoD network (NIPRNet/SIPRNet),
+and/or the Global Positioning System (GPS).
+New: RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
+---
+SV-230491:
+Old: RHEL 8 must enable mitigations against processor-based
+vulnerabilities.
+New: RHEL 8 must enable mitigations against processor-based vulnerabilities.
+---
+SV-230493:
+Old: RHEL 8 must cover or disable the built-in or attached camera when not
+in use.
+New: RHEL 8 must cover or disable the built-in or attached camera when not in use.
+---
+SV-230497:
+Old: RHEL 8 must disable the transparent inter-process communication (TIPC)
+protocol.
+New: RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
+---
+SV-230500:
+Old: RHEL 8 must be configured to prohibit or restrict the use of
+functions, ports, protocols, and/or services, as defined in the Ports,
+Protocols, and Services Management (PPSM) Category Assignments List (CAL) and
+vulnerability assessments.
+New: RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
+---
+SV-230504:
+Old: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy
+for allowing connections to other systems.
+New: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
+---
+SV-230524:
+Old: RHEL 8 must block unauthorized peripherals before establishing a
+connection.
+New: RHEL 8 must block unauthorized peripherals before establishing a connection.
+---
+SV-230525:
+Old: A firewall must be able to protect against or limit the effects of
+Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting
+measures on impacted network interfaces.
+New: A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.
+---
+SV-230526:
+Old: All RHEL 8 networked systems must have and implement SSH to protect
+the confidentiality and integrity of transmitted and received information, as
+well as information during preparation for transmission.
+New: All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
+---
+SV-230527:
+Old: RHEL 8 must force a frequent session key renegotiation for SSH
+connections to the server.
+New: RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.
+---
+SV-230530:
+Old: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a
+graphical user interface is installed.
+New: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
+---
+SV-230531:
+Old: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be
+disabled.
+New: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
+---
+SV-230533:
+Old: The Trivial File Transfer Protocol (TFTP) server package must not be
+installed if not required for RHEL 8 operational support.
+New: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
+---
+SV-230534:
+Old: The root account must be the only account having unrestricted access
+to the RHEL 8 system.
+New: The root account must be the only account having unrestricted access to the RHEL 8 system.
+---
+SV-230535:
+Old: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP)
+redirect messages from being accepted.
+New: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+---
+SV-230536:
+Old: RHEL 8 must not send Internet Control Message Protocol (ICMP)
+redirects.
+New: RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
+---
+SV-230537:
+Old: RHEL 8 must not respond to Internet Control Message Protocol (ICMP)
+echoes sent to a broadcast address.
+New: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
+---
+SV-230542:
+Old: RHEL 8 must not accept router advertisements on all IPv6 interfaces by
+default.
+New: RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
+---
+SV-230543:
+Old: RHEL 8 must not allow interfaces to perform Internet Control Message
+Protocol (ICMP) redirects by default.
+New: RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
+---
+SV-230544:
+Old: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP)
+redirect messages.
+New: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
+---
+SV-230545:
+Old: RHEL 8 must disable access to network bpf syscall from unprivileged
+processes.
+New: RHEL 8 must disable access to network bpf syscall from unprivileged processes.
+---
+SV-230551:
+Old: The RHEL 8 file integrity tool must be configured to verify extended
+attributes.
+New: The RHEL 8 file integrity tool must be configured to verify extended attributes.
+---
+SV-230552:
+Old: The RHEL 8 file integrity tool must be configured to verify Access
+Control Lists (ACLs).
+New: The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
+---
+SV-230553:
+Old: The graphical display manager must not be installed on RHEL 8 unless
+approved.
+New: The graphical display manager must not be installed on RHEL 8 unless approved.
+---
+SV-230555:
+Old: RHEL 8 remote X connections for interactive users must be disabled
+unless to fulfill documented and validated mission requirements.
+New: RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
+---
+SV-230556:
+Old: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the
+proxy display.
+New: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
+---
+SV-230557:
+Old: If the Trivial File Transfer Protocol (TFTP) server is required, the
+RHEL 8 TFTP daemon must be configured to operate in secure mode.
+New: If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
+---
+SV-230558:
+Old: A File Transfer Protocol (FTP) server package must not be installed
+unless mission essential on RHEL 8.
+New: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
+---
+SV-230559:
+Old: The gssproxy package must not be installed unless mission essential on
+RHEL 8.
+New: The gssproxy package must not be installed unless mission essential on RHEL 8.
+---
+SV-230560:
+Old: The iprutils package must not be installed unless mission essential on
+RHEL 8.
+New: The iprutils package must not be installed unless mission essential on RHEL 8.
+---
+SV-230561:
+Old: The tuned package must not be installed unless mission essential on
+RHEL 8.
+New: The tuned package must not be installed unless mission essential on RHEL 8.
+---
+SV-237642:
+Old: RHEL 8 must use the invoking user's password for privilege escalation
+when using "sudo".
+New: RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".
+---
+SV-244519:
+Old: RHEL 8 must display a banner before granting local or remote access to
+the system via a graphical user logon.
+New: RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
+---
+SV-244521:
+Old: RHEL 8 operating systems booted with United Extensible Firmware
+Interface (UEFI) must require a unique superusers name upon booting into
+single-user mode and maintenance.
+New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.
+---
+SV-244523:
+Old: RHEL 8 operating systems must require authentication upon booting into
+emergency mode.
+New: RHEL 8 operating systems must require authentication upon booting into emergency mode.
+---
+SV-244524:
+Old: The RHEL 8 pam_unix.so module must be configured in the system-auth
+file to use a FIPS 140-2 approved cryptographic hashing algorithm for system
+authentication.
+New: The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
+---
+SV-244527:
+Old: RHEL 8 must have the packages required to use the hardware random
+number generator entropy gatherer service.
+New: RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
+---
+SV-244530:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on the /boot/efi directory.
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
+---
+SV-244531:
+Old: All RHEL 8 local interactive user home directory files must have mode
+0750 or less permissive.
+New: All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
+---
+SV-244532:
+Old: RHEL 8 must be configured so that all files and directories contained
+in local interactive user home directories are group-owned by a group of which
+the home directory owner is a member.
+New: RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
+---
+SV-244533:
+Old: RHEL 8 must configure the use of the pam_faillock.so module in the
+/etc/pam.d/system-auth file.
+New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
+---
+SV-244534:
+Old: RHEL 8 must configure the use of the pam_faillock.so module in the
+/etc/pam.d/password-auth file.
+New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
+---
+SV-244535:
+Old: RHEL 8 must initiate a session lock for graphical user interfaces when
+the screensaver is activated.
+New: RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
+---
+SV-244536:
+Old: RHEL 8 must disable the user list at logon for graphical user
+interfaces.
+New: RHEL 8 must disable the user list at logon for graphical user interfaces.
+---
+SV-244538:
+Old: RHEL 8 must prevent a user from overriding the session idle-delay
+setting for the graphical user interface.
+New: RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
+---
+SV-244539:
+Old: RHEL 8 must prevent a user from overriding the screensaver
+lock-enabled setting for the graphical user interface.
+New: RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
+---
+SV-244541:
+Old: RHEL 8 must not allow blank or null passwords in the password-auth
+file.
+New: RHEL 8 must not allow blank or null passwords in the password-auth file.
+---
+SV-244542:
+Old: RHEL 8 audit records must contain information to establish what type
+of events occurred, the source of events, where events occurred, and the
+outcome of events.
+New: RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
+---
+SV-244543:
+Old: RHEL 8 must notify the System Administrator (SA) and Information
+System Security Officer (ISSO) (at a minimum) when allocated audit record
+storage volume 75 percent utilization.
+New: RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
+---
+SV-244546:
+Old: The RHEL 8 fapolicy module must be configured to employ a deny-all,
+permit-by-exception policy to allow the execution of authorized software
+programs.
+New: The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
+---
+SV-244550:
+Old: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP)
+redirect messages from being accepted.
+New: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+---
+SV-244554:
+Old: RHEL 8 must enable hardening for the Berkeley Packet Filter
+Just-in-time compiler.
+New: RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
+---
+SV-250315:
+Old: RHEL 8 systems, versions 8.2 and above, must configure SELinux context
+ type to allow the use of a non-default faillock tally directory.
+New: RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
+---
+SV-257258:
+Old: RHEL 8 must terminate idle user sessions.
+New: RHEL 8.7 and higher must terminate idle user sessions.
+---
+
+
+### Updated Descriptions
+
+ Click to expand.
+SV-230221:
+Old:
+```
+An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
+
+ Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.
+
+ Note: The life-cycle time spans and dates are subject to adjustment.
+
+```
+New:
+```
+An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
+
+Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.
+Note: The life-cycle time spans and dates are subject to adjustment.
+
+```
+---
+SV-230222:
+Old:
+```
+Timely patching is critical for maintaining the operational
+ availability, confidentiality, and integrity of information technology (IT)
+ systems.
However, failure to keep operating system and application software
+ patched is a common mistake made by IT professionals. New patches are released
+ daily, and it is often difficult for even experienced System Administrators to
+ keep abreast of all the new patches. When new weaknesses in an operating system
+ exist, patches are usually made available by the vendor to resolve the
+ problems. If the most recent security patches and updates are not installed,
+ unauthorized users may take advantage of weaknesses in the unpatched software.
+ The lack of prompt attention to patching could result in a system compromise.
+
+```
+New:
+```
+Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
+
+```
+---
+SV-230223:
+Old:
+```
+Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
+
+RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries.
The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries.
+
+The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.
+
+```
+New:
+```
+Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
+
+RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries.
+
+The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.
+
+
+
+```
+---
+SV-230224:
+Old:
+```
+RHEL 8 systems handling data requiring "data at rest" protections
+ must employ cryptographic mechanisms to prevent unauthorized disclosure and
+ modification of the information at rest.
+
+ Selection of a cryptographic mechanism is based on the need to protect the
+integrity of organizational information. The strength of the mechanism is
+commensurate with the security category and/or classification of the
+information. Organizations have the flexibility to either encrypt all
+information on storage devices (i.e., full disk encryption) or encrypt specific
+data structures (e.g., files, records, or fields).
+
+```
+New:
+```
+RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
+
+Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
+
+
+
+```
+---
+SV-230225:
+Old:
+```
+Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+
+"I've read & consent to terms in IS user agreem't."
+
+```
+New:
+```
+Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DOD policy.
Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+
+"I've read & consent to terms in IS user agreem't."
+
+
+
+```
+---
+SV-230226:
+Old:
+```
+Display of a standardized and approved use notification before
+granting access to the operating system ensures privacy and security
+notification verbiage used is consistent with applicable federal laws,
+Executive Orders, directives, policies, regulations, standards, and guidance.
+
+ System use notifications are required only for access via logon interfaces
+with human users and are not required when such human interfaces do not exist.
+
+ The banner must be formatted in accordance with applicable DoD policy. Use
+the following verbiage for operating systems that can accommodate banners of
+1300 characters:
+
+ "You are accessing a U.S. Government (USG) Information System (IS) that is
+provided for USG-authorized use only.
+
+ By using this IS (which includes any device attached to this IS), you
+consent to the following conditions:
+
+ -The USG routinely intercepts and monitors communications on this IS for
+purposes including, but not limited to, penetration testing, COMSEC monitoring,
+network operations and defense, personnel misconduct (PM), law enforcement
+(LE), and counterintelligence (CI) investigations.
+
+ -At any time, the USG may inspect and seize data stored on this IS.
+
+ -Communications using, or data stored on, this IS are not private, are
+subject to routine monitoring, interception, and search, and may be disclosed
+or used for any USG-authorized purpose.
+
+ -This IS includes security measures (e.g., authentication and access
+controls) to protect USG interests--not for your personal benefit or privacy.
+
+ -Notwithstanding the above, using this IS does not constitute consent to
+PM, LE or CI investigative searching or monitoring of the content of privileged
+communications, or work product, related to personal representation or services
+by attorneys, psychotherapists, or clergy, and their assistants. Such
+communications and work product are private and confidential. See User
+Agreement for details."
+
+```
+New:
+```
+Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+
+
+```
+---
+SV-230227:
+Old:
+```
+Display of a standardized and approved use notification before
+granting access to the operating system ensures privacy and security
+notification verbiage used is consistent with applicable federal laws,
+Executive Orders, directives, policies, regulations, standards, and guidance.
+
+ System use notifications are required only for access via logon interfaces
+with human users and are not required when such human interfaces do not exist.
+
+ The banner must be formatted in accordance with applicable DoD policy. Use
+the following verbiage for operating systems that can accommodate banners of
+1300 characters:
+
+ "You are accessing a U.S. Government (USG) Information System (IS) that is
+provided for USG-authorized use only.
+
+ By using this IS (which includes any device attached to this IS), you
+consent to the following conditions:
+
+ -The USG routinely intercepts and monitors communications on this IS for
+purposes including, but not limited to, penetration testing, COMSEC monitoring,
+network operations and defense, personnel misconduct (PM), law enforcement
+(LE), and counterintelligence (CI) investigations.
+
+ -At any time, the USG may inspect and seize data stored on this IS.
+
+ -Communications using, or data stored on, this IS are not private, are
+subject to routine monitoring, interception, and search, and may be disclosed
+or used for any USG-authorized purpose.
+
+ -This IS includes security measures (e.g., authentication and access
+controls) to protect USG interests--not for your personal benefit or privacy.
+
+ -Notwithstanding the above, using this IS does not constitute consent to
+PM, LE or CI investigative searching or monitoring of the content of privileged
+communications, or work product, related to personal representation or services
+by attorneys, psychotherapists, or clergy, and their assistants. Such
+communications and work product are private and confidential. See User
+Agreement for details."
+
+```
+New:
+```
+Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+
+
+```
+---
+SV-230229:
+Old:
+```
+Without path validation, an informed trust decision by the relying
+party cannot be made when presented with any certificate not already explicitly
+trusted.
+
+ A trust anchor is an authoritative entity represented via a public key and
+associated data.
It is used in the context of public key infrastructures, X.509
+digital certificates, and DNSSEC.
+
+ When there is a chain of trust, usually the top entity to be trusted
+becomes the trust anchor; it can be, for example, a Certification Authority
+(CA). A certification path starts with the subject certificate and proceeds
+through a number of intermediate certificates up to a trusted root certificate,
+typically issued by a trusted CA.
+
+ This requirement verifies that a certification path to an accepted trust
+anchor is used for certificate validation and that the path includes status
+information. Path validation is necessary for a relying party to make an
+informed trust decision when presented with any certificate not already
+explicitly trusted. Status information for certification paths includes
+certificate revocation lists or online certificate status protocol responses.
+Validation of the certificate status information is out of scope for this
+requirement.
+
+```
+New:
+```
+Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
+
+A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.
+
+When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.
+
+This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information.
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.
+
+
+
+```
+---
+SV-230230:
+Old:
+```
+If an unauthorized user obtains access to a private key without a
+passcode, that user would have unauthorized access to any system where the
+associated public key has been installed.
+
+```
+New:
+```
+If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.
+
+```
+---
+SV-230231:
+Old:
+```
+Passwords need to be protected at all times, and encryption is the
+standard method for protecting passwords. If passwords are not encrypted, they
+can be plainly read (i.e., clear text) and easily compromised.
+
+ Unapproved mechanisms that are used for authentication to the cryptographic
+module are not verified and therefore cannot be relied upon to provide
+confidentiality or integrity, and DoD data may be compromised.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to
+access cryptographic modules utilize authentication that meets DoD requirements.
+
+```
+New:
+```
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.
+
+```
+---
+SV-230232:
+Old:
+```
+The system must use a strong hashing algorithm to store the password.
+
+ Passwords need to be protected at all times, and encryption is the standard
+method for protecting passwords. If passwords are not encrypted, they can be
+plainly read (i.e., clear text) and easily compromised.
+
+```
+New:
+```
+The system must use a strong hashing algorithm to store the password.
+
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+```
+---
+SV-230233:
+Old:
+```
+The system must use a strong hashing algorithm to store the password.
+The system must use a sufficient number of hashing rounds to ensure the
+required level of entropy.
+
+ Passwords need to be protected at all times, and encryption is the standard
+method for protecting passwords. If passwords are not encrypted, they can be
+plainly read (i.e., clear text) and easily compromised.
+
+```
+New:
+```
+The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
+
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+```
+---
+SV-230234:
+Old:
+```
+If the system does not require valid authentication before it boots
+into single-user or maintenance mode, anyone who invokes single-user or
+maintenance mode is granted privileged access to all files on the system.
GRUB
+2 is the default boot loader for RHEL 8 and is designed to require a password
+to boot into single-user mode or make modifications to the boot menu.
+
+```
+New:
+```
+If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
+
+```
+---
+SV-230235:
+Old:
+```
+If the system does not require valid authentication before it boots
+into single-user or maintenance mode, anyone who invokes single-user or
+maintenance mode is granted privileged access to all files on the system. GRUB
+2 is the default boot loader for RHEL 8 and is designed to require a password
+to boot into single-user mode or make modifications to the boot menu.
+
+```
+New:
+```
+If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
+
+```
+---
+SV-230236:
+Old:
+```
+If the system does not require valid root authentication before it
+boots into emergency or rescue mode, anyone who invokes emergency or rescue
+mode is granted privileged access to all files on the system.
+
+```
+New:
+```
+If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.
+
+```
+---
+SV-230237:
+Old:
+```
+Unapproved mechanisms that are used for authentication to the
+cryptographic module are not verified and therefore cannot be relied upon to
+provide confidentiality or integrity, and DoD data may be compromised.
+
+ RHEL 8 systems utilizing encryption are required to use FIPS-compliant
+mechanisms for authenticating to cryptographic modules.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to
+access cryptographic modules utilize authentication that meets DoD
+requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
+general-purpose computing system.
+
+```
+New:
+```
+Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
+
+```
+---
+SV-230238:
+Old:
+```
+Unapproved mechanisms that are used for authentication to the
+cryptographic module are not verified and therefore cannot be relied upon to
+provide confidentiality or integrity, and DoD data may be compromised.
+
+ RHEL 8 systems utilizing encryption are required to use FIPS-compliant
+mechanisms for authenticating to cryptographic modules.
+
+ The key derivation function (KDF) in Kerberos is not FIPS compatible.
+Ensuring the system does not have any keytab files present prevents system
+daemons from using Kerberos for authentication. A keytab is a file containing
+pairs of Kerberos principals and encrypted keys.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to
+access cryptographic modules utilize authentication that meets DoD
+requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
+general-purpose computing system.
+
+```
+New:
+```
+Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+The key derivation function (KDF) in Kerberos is not FIPS compatible. Ensuring the system does not have any keytab files present prevents system daemons from using Kerberos for authentication. A keytab is a file containing pairs of Kerberos principals and encrypted keys.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
+
+```
+---
+SV-230239:
+Old:
+```
+Unapproved mechanisms that are used for authentication to the
+cryptographic module are not verified and therefore cannot be relied upon to
+provide confidentiality or integrity, and DoD data may be compromised.
+
+ RHEL 8 systems utilizing encryption are required to use FIPS-compliant
+mechanisms for authenticating to cryptographic modules.
+
+ Currently, Kerberos does not utilize FIPS 140-2 cryptography.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to
+access cryptographic modules utilize authentication that meets DoD
+requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
+general-purpose computing system.
+
+```
+New:
+```
+Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+Currently, Kerberos does not utilize FIPS 140-2 cryptography.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
+
+```
+---
+SV-230240:
+Old:
+```
+Without verification of the security functions, security functions may
+not operate correctly and the failure may go unnoticed. Security function is
+defined as the hardware, software, and/or firmware of the information system
+responsible for enforcing the system security policy and supporting the
+isolation of code and data on which the protection is based. Security
+functionality includes, but is not limited to, establishing system accounts,
+configuring access authorizations (i.e., permissions, privileges), setting
+events to be audited, and setting intrusion detection parameters.
+
+ This requirement applies to operating systems performing security function
+verification/testing and/or systems and environments that require this
+functionality.
+
+```
+New:
+```
+Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.
+
+```
+---
+SV-230241:
+Old:
+```
+Without verification of the security functions, security functions may
+not operate correctly and the failure may go unnoticed. Security function is
+defined as the hardware, software, and/or firmware of the information system
+responsible for enforcing the system security policy and supporting the
+isolation of code and data on which the protection is based. Security
+functionality includes, but is not limited to, establishing system accounts,
+configuring access authorizations (i.e., permissions, privileges), setting
+events to be audited, and setting intrusion detection parameters.
+
+ Policycoreutils contains the policy core utilities that are required for
+basic operation of an SELinux-enabled system. These utilities include
+load_policy to load SELinux policies, setfile to label filesystems, newrole to
+switch roles, and run_init to run /etc/init.d scripts in the proper context.
+
+```
+New:
+```
+Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.
+
+```
+---
+SV-230243:
+Old:
+```
+Preventing unauthorized information transfers mitigates the risk of
+information, including encrypted representations of information, produced by
+the actions of prior users/roles (or the actions of processes acting on behalf
+of prior users/roles) from being available to any current users/roles (or
+current processes) that obtain access to shared system resources (e.g.,
+registers, main memory, hard disks) after those resources have been released
+back to information systems. The control of information in shared resources is
+also commonly referred to as object reuse and residual information protection.
+
+ This requirement generally applies to the design of an information
+technology product, but it can also apply to the configuration of particular
+information system components that are, or use, such products. This can be
+verified by acceptance/validation processes in DoD or other government agencies.
+
+ There may be shared resources with configurable protections (e.g., files in
+storage) that may be assessed on specific information system components.
+
+```
+New:
+```
+Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems.
The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
+
+This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
+
+There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
+
+```
+---
+SV-230244:
+Old:
+```
+Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+
+ Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
+
+ RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client.
The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
+
+```
+New:
+```
+Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
+
+RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
+
+
+
+```
+---
+SV-230245:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230246:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team.
The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230247:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230248:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230249:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform.
Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230250:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors.
Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230251:
+Old:
+```
+Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.
+
+```
+New:
+```
+Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+ +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + + + +``` +--- +SV-230252: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. 
The SSH +configuration file has no effect on the ciphers, MACs, or algorithms unless +specifically defined in the /etc/sysconfig/sshd file. The employed algorithms +can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + + The system will attempt to use the first hash presented by the client that +matches the server list. Listing the values "strongest to weakest" is a +method to ensure the use of the strongest hash available to secure the SSH +connection. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + + + +``` +--- +SV-230253: +Old: +``` +The most important characteristic of a random number generator is its +randomness, namely its ability to deliver random numbers that are impossible to +predict. 
Entropy in computer security is associated with the unpredictability +of a source of randomness. The random source with high entropy tends to +achieve a uniform distribution of random values. Random number generators are +one of the most important building blocks of cryptosystems. + + The SSH implementation in RHEL8 uses the OPENSSL library, which does not +use high-entropy sources by default. By using the SSH_USE_STRONG_RNG +environment variable the OPENSSL random generator is reseeded from /dev/random. + This setting is not recommended on computers without the hardware random +generator because insufficient entropy causes the connection to be blocked +until enough entropy is available. + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available. + +``` +--- +SV-230254: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. 
+ + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The employed +algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config +file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + + + +``` +--- +SV-230255: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. 
+ + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The employed +algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config +file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + + + +``` +--- +SV-230256: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Transport Layer Security (TLS) encryption is a required security setting as +a number of known vulnerabilities have been reported against Secure Sockets +Layer (SSL) and earlier versions of TLS. Encryption of private information is +essential to ensuring data confidentiality. If private information is not +encrypted, it can be intercepted and easily read by an unauthorized party. 
SQL +Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all +non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 +specifies the preferred configurations for government systems. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + The GnuTLS library offers an API to access secure communications protocols. + SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto +policy defines employed algorithms in the +/etc/crypto-policies/back-ends/gnutls.config file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library. 
The RHEL 8 system-wide crypto policy defines employed algorithms in the /etc/crypto-policies/back-ends/gnutls.config file. + + + +``` +--- +SV-230257: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230258: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. 
Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230259: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. 
Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230260: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230261: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. 
Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230262: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230263: +Old: +``` +Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. + +RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. 
+ +``` +New: +``` +Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. + +RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. + + + +``` +--- +SV-230264: +Old: +``` +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the software +has not been tampered with and that it has been provided by a trusted vendor. 
+ + Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. + + Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This verifies the +software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The +operating system should not have to verify the software again. This requirement +does not mandate DoD certificates for this purpose; however, the certificate +used to verify the software must be from an approved CA. + +``` +New: +``` +Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + +``` +--- +SV-230265: +Old: +``` +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the software +has not been tampered with and that it has been provided by a trusted vendor. 
+ + Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. + + Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This verifies the +software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The +operating system should not have to verify the software again. This requirement +does not mandate DoD certificates for this purpose; however, the certificate +used to verify the software must be from an approved CA. + +``` +New: +``` +Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + +``` +--- +SV-230267: +Old: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). 
Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
+ +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + +``` +New: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. 
The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + + + +``` +--- +SV-230268: +Old: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. 
An example of DAC includes user-controlled file permissions. + + When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + + By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + + /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf + /etc/sysctl.conf + +``` +New: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + + + +``` +--- +SV-230271: +Old: +``` +Without reauthentication, users may access resources or perform tasks +for which they do not have authorization. + + When operating systems provide the capability to escalate a functional +capability, it is critical the user reauthenticate. + +``` +New: +``` +Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + + + +``` +--- +SV-230272: +Old: +``` +Without reauthentication, users may access resources or perform tasks +for which they do not have authorization. 
+ + When operating systems provide the capability to escalate a functional +capability, it is critical the user reauthenticate. + +``` +New: +``` +Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + + + +``` +--- +SV-230273: +Old: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) + or token that is separate from the information system, ensures that even if the + information system is compromised, credentials stored on the authentication + device will not be affected. + + Multifactor solutions that require devices separate from information + systems gaining access include, for example, hardware tokens providing + time-based or challenge-response authenticators and smart cards such as the + U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + + A privileged account is defined as an information system account with + authorizations of a privileged user. + + Remote access is access to DoD nonpublic information systems by an + authorized user (or an information system) communicating through an external, + non-organization-controlled network. Remote access methods include, for + example, dial-up, broadband, and wireless. + + This requirement only applies to components where this is specific to the + function of the device or has the concept of an organizational user (e.g., VPN, + proxy capability). This does not apply to authentication for the purpose of + configuring the device itself (management). + +``` +New: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. 
+ +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + +A privileged account is defined as an information system account with authorizations of a privileged user. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). + +``` +--- +SV-230274: +Old: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) + or token that is separate from the information system, ensures that even if the + information system is compromised, credentials stored on the authentication + device will not be affected. + + Multifactor solutions that require devices separate from information + systems gaining access include, for example, hardware tokens providing + time-based or challenge-response authenticators and smart cards such as the + U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + + RHEL 8 includes multiple options for configuring certificate status +checking, but for this requirement focuses on the System Security Services +Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol +(OCSP) checking and certificate verification using a sha256 digest function. 
+ +``` +New: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + +RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. + + + +``` +--- +SV-230275: +Old: +``` +The use of PIV credentials facilitates standardization and reduces the + risk of unauthorized access. + + The DoD has mandated the use of the Common Access Card (CAC) to support + identity management and personal authentication for systems covered under + Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a + primary component of layered protection for national security systems. + +``` +New: +``` +The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. + +The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. + +``` +--- +SV-230276: +Old: +``` +Some adversaries launch attacks with the intent of executing code in +non-executable regions of memory or in memory locations that are prohibited. 
+Security safeguards employed to protect memory include, for example, data +execution prevention and address space layout randomization. Data execution +prevention safeguards can be either hardware-enforced or software-enforced with +hardware providing the greater strength of mechanism. + + Examples of attacks are buffer overflow attacks. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Examples of attacks are buffer overflow attacks. + +``` +--- +SV-230277: +Old: +``` +Some adversaries launch attacks with the intent of executing code in +non-executable regions of memory or in memory locations that are prohibited. +Security safeguards employed to protect memory include, for example, data +execution prevention and address space layout randomization. Data execution +prevention safeguards can be either hardware-enforced or software-enforced with +hardware providing the greater strength of mechanism. + + Poisoning writes an arbitrary value to freed pages, so any modification or +reference to that page after being freed or before being initialized will be +detected and prevented. This prevents many types of use-after-free +vulnerabilities at little performance cost. Also prevents leak of data and +detection of corrupted memory. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. 
Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + + + +``` +--- +SV-230278: +Old: +``` +Syscalls are special routines in the Linux kernel, which userspace +applications ask to do privileged tasks. Invoking a system call is an +expensive operation because the processor must interrupt the currently +executing task and switch context to kernel mode and then back to userspace +after the system call completes. Virtual Syscalls map into user space a page +that contains some variables and the implementation of some system calls. This +allows the system calls to be executed in userspace to alleviate the context +switching expense. + + Virtual Syscalls provide an opportunity of attack for a user who has +control of the return instruction pointer. Disabling vsyscalls help to prevent +return oriented programming (ROP) attacks via buffer overflows and overruns. If +the system intends to run containers based on RHEL 6 components, then virtual +syscalls will need enabled so the components function properly. + +``` +New: +``` +Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. 
+ +Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly. + + + +``` +--- +SV-230279: +Old: +``` +Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + +SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. 
Also prevents leak of data and detection of corrupted memory. + +SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. + + + +``` +--- +SV-230281: +Old: +``` +Previous versions of software components that are not removed from the +information system after updates have been installed may be exploited by +adversaries. Some information technology products may remove older versions of +software automatically from the information system. + +``` +New: +``` +Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. + +``` +--- +SV-230282: +Old: +``` +Without verification of the security functions, security functions may +not operate correctly and the failure may go unnoticed. Security function is +defined as the hardware, software, and/or firmware of the information system +responsible for enforcing the system security policy and supporting the +isolation of code and data on which the protection is based. Security +functionality includes, but is not limited to, establishing system accounts, +configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + + This requirement applies to operating systems performing security function +verification/testing and/or systems and environments that require this +functionality. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + +``` +--- +SV-230283: +Old: +``` +The "shosts.equiv" files are used to configure host-based +authentication for the system via SSH. Host-based authentication is not +sufficient for preventing unauthorized access to the system, as it does not +require interactive identification and authentication of a connection request, +or for the use of two-factor authentication. + +``` +New: +``` +The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. + +``` +--- +SV-230284: +Old: +``` +The ".shosts" files are used to configure host-based authentication +for individual users or the system via SSH. Host-based authentication is not +sufficient for preventing unauthorized access to the system, as it does not +require interactive identification and authentication of a connection request, +or for the use of two-factor authentication. + +``` +New: +``` +The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. 
+ +``` +--- +SV-230285: +Old: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + +``` +--- +SV-230286: +Old: +``` +If a public host key file is modified by an unauthorized user, the SSH +service may be compromised. + +``` +New: +``` +If a public host key file is modified by an unauthorized user, the SSH service may be compromised. + +``` +--- +SV-230287: +Old: +``` +If an unauthorized user obtains the private SSH host key file, the +host could be impersonated. + +``` +New: +``` +If an unauthorized user obtains the private SSH host key file, the host could be impersonated. + +``` +--- +SV-230288: +Old: +``` +If other users have access to modify user-specific SSH configuration +files, they may be able to log on to the system as another user. 
+ +``` +New: +``` +If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user. + +``` +--- +SV-230290: +Old: +``` +Configuring this setting for the SSH daemon provides additional +assurance that remote logon via SSH will require a password, even in the event +of misconfiguration elsewhere. + +``` +New: +``` +Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. + +``` +--- +SV-230291: +Old: +``` +Configuring these settings for the SSH daemon provides additional +assurance that remote logon via SSH will not use unused methods of +authentication, even in the event of misconfiguration elsewhere. + +``` +New: +``` +Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. + +``` +--- +SV-230292: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230293: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230294: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. 
+ +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230295: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230296: +Old: +``` +Even though the communications channel may be encrypted, an additional +layer of security is gained by extending the policy of not logging on directly +as root. In addition, logging on with a user-specific account provides +individual accountability of actions performed on the system. + +``` +New: +``` +Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system. + +``` +--- +SV-230298: +Old: +``` +Configuring RHEL 8 to implement organization-wide security +implementation guides and security checklists ensures compliance with federal +standards and establishes a common security baseline across the DoD that +reflects the most restrictive security posture consistent with operational +requirements. + + Configuration settings are the set of parameters that can be changed in +hardware, software, or firmware components of the system that affect the +security posture and/or functionality of the system. Security-related +parameters are those parameters impacting the security state of the system, +including the parameters required to satisfy other security control +requirements. 
Security-related parameters include, for example: registry +settings; account, file, directory permission settings; and settings for +functions, ports, protocols, services, and remote connections. + +``` +New: +``` +Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + +``` +--- +SV-230299: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
+ +``` +--- +SV-230300: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230301: +Old: +``` +The "nodev" mount option causes the system to not interpret +character or block special devices. Executing character or block special +devices from untrusted file systems increases the opportunity for unprivileged +users to attain unauthorized administrative access. The only legitimate +location for device files is the /dev directory located on the root partition. + +``` +New: +``` +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition. + +``` +--- +SV-230302: +Old: +``` +The "noexec" mount option causes the system not to execute binary +files. This option must be used for mounting any file system not containing +approved binary files, as they may be incompatible. Executing files from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. 
+ +``` +New: +``` +The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230303: +Old: +``` +The "nodev" mount option causes the system not to interpret +character or block special devices. Executing character or block special +devices from untrusted file systems increases the opportunity for unprivileged +users to attain unauthorized administrative access. + +``` +New: +``` +The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230304: +Old: +``` +The "noexec" mount option causes the system not to execute binary +files. This option must be used for mounting any file system not containing +approved binary files, as they may be incompatible. Executing files from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + +``` +New: +``` +The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230305: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. 
Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230306: +Old: +``` +The "noexec" mount option causes the system not to execute binary +files. This option must be used for mounting any file system not containing +approved binary as they may be incompatible. Executing files from untrusted +file systems increases the opportunity for unprivileged users to attain +unauthorized administrative access. + +``` +New: +``` +The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230307: +Old: +``` +The "nodev" mount option causes the system to not interpret +character or block special devices. Executing character or block special +devices from untrusted file systems increases the opportunity for unprivileged +users to attain unauthorized administrative access. + +``` +New: +``` +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230308: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. 
This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230309: +Old: +``` +If user start-up files execute world-writable programs, especially in +unprotected directories, they could be maliciously modified to destroy user +files or otherwise compromise the system at the user level. If the system is +compromised at the user level, it is easier to elevate privileges to eventually +compromise the system at the root and network level. + +``` +New: +``` +If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. + +``` +--- +SV-230310: +Old: +``` +Kernel core dumps may contain the full contents of system memory at +the time of the crash. Kernel core dumps may consume a considerable amount of +disk space and may result in denial of service by exhausting the available +space on the target file system partition. + + RHEL 8 installation media presents the option to enable or disable the +kdump service at the time of system installation. + +``` +New: +``` +Kernel core dumps may contain the full contents of system memory at the time of the crash. 
Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. + +RHEL 8 installation media presents the option to enable or disable the kdump service at the time of system installation. + +``` +--- +SV-230312: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + + When the kernel invokes systemd-coredumpt to handle a core dump, it runs in +privileged mode, and will connect to the socket created by the +systemd-coredump.socket unit. This, in turn, will spawn an unprivileged +systemd-coredump@.service instance to process the core dump. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump. 
+ +``` +--- +SV-230313: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +``` +--- +SV-230314: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +``` +--- +SV-230315: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +``` +--- +SV-230316: +Old: +``` +To provide availability for name resolution services, multiple +redundant name servers are mandated. A failure in name resolution could lead to +the failure of security functions requiring name resolution, which may include +time synchronization, centralized authentication, and remote system logging. + +``` +New: +``` +To provide availability for name resolution services, multiple redundant name servers are mandated. 
A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. + +``` +--- +SV-230317: +Old: +``` +The executable search path (typically the PATH environment variable) +contains a list of directories for the shell to search to find executables. If +this path includes the current working directory (other than the user's home +directory), executables in these directories may be executed instead of system +commands. This variable is formatted as a colon-separated list of directories. +If there is an empty entry, such as a leading or trailing colon or two +consecutive colons, this is interpreted as the current working directory. If +deviations from the default system search path for the local interactive user +are required, they must be documented with the Information System Security +Officer (ISSO). + +``` +New: +``` +The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). + +``` +--- +SV-230318: +Old: +``` +If a world-writable directory is not owned by root, sys, bin, or an +application User Identifier (UID), unauthorized users may be able to modify +files created by others. 
+ + The only authorized public directories are those temporary directories +supplied with the system or those designed to be temporary file repositories. +The setting is normally reserved for directories used by the system and by +users for temporary file storage, (e.g., /tmp), and for directories requiring +global read/write access. + +``` +New: +``` +If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. + +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. + +``` +--- +SV-230319: +Old: +``` +If a world-writable directory is not group-owned by root, sys, bin, or +an application Group Identifier (GID), unauthorized users may be able to modify +files created by others. + + The only authorized public directories are those temporary directories +supplied with the system or those designed to be temporary file repositories. +The setting is normally reserved for directories used by the system and by +users for temporary file storage, (e.g., /tmp), and for directories requiring +global read/write access. + +``` +New: +``` +If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. + +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. 
+ +``` +--- +SV-230320: +Old: +``` +If local interactive users are not assigned a valid home directory, +there is no place for the storage and control of files they should own. + +``` +New: +``` +If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. + +``` +--- +SV-230321: +Old: +``` +Excessive permissions on local interactive user home directories may +allow unauthorized access to user files by other users. + +``` +New: +``` +Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. + +``` +--- +SV-230322: +Old: +``` +If the Group Identifier (GID) of a local interactive user’s home +directory is not the same as the primary GID of the user, this would allow +unauthorized access to the user’s files, and users that share the same group +may not be able to access files that they legitimately should. + +``` +New: +``` +If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should. + +``` +--- +SV-230323: +Old: +``` +If a local interactive user has a home directory defined that does not +exist, the user may be given access to the "/" directory as the current +working directory upon logon. This could create a denial of service because the +user would not be able to access their logon configuration files, and it may +give them visibility to system files they normally would not be able to access. + +``` +New: +``` +If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon. 
This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. + +``` +--- +SV-230324: +Old: +``` +If local interactive users are not assigned a valid home directory, +there is no place for the storage and control of files they should own. + +``` +New: +``` +If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. + +``` +--- +SV-230325: +Old: +``` +Local initialization files are used to configure the user's shell +environment upon logon. Malicious modification of these files could compromise +accounts upon logon. + +``` +New: +``` +Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. + +``` +--- +SV-230326: +Old: +``` +Unowned files and directories may be unintentionally inherited if a +user is assigned the same User Identifier "UID" as the UID of the un-owned +files. + +``` +New: +``` +Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files. + +``` +--- +SV-230327: +Old: +``` +Files without a valid group owner may be unintentionally inherited if +a group is assigned the same Group Identifier (GID) as the GID of the files +without a valid group owner. + +``` +New: +``` +Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner. + +``` +--- +SV-230328: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. 
+ +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230329: +Old: +``` +Failure to restrict system access to authenticated users negatively +impacts operating system security. + +``` +New: +``` +Failure to restrict system access to authenticated users negatively impacts operating system security. + +``` +--- +SV-230330: +Old: +``` +SSH environment options potentially allow users to bypass access +restriction in some configurations. + +``` +New: +``` +SSH environment options potentially allow users to bypass access restriction in some configurations. + +``` +--- +SV-230331: +Old: +``` +If temporary user accounts remain active when no longer needed or for +an excessive period, these accounts may be used to gain unauthorized access. To +mitigate this risk, automated termination of all temporary accounts must be set +upon account creation. + + Temporary accounts are established as part of normal account activation +procedures when there is a need for short-term accounts without the demand for +immediacy in account activation. + + If temporary accounts are used, RHEL 8 must be configured to automatically +terminate these types of accounts after a DoD-defined time period of 72 hours. + + To address access requirements, many RHEL 8 operating systems may be +integrated with enterprise-level authentication/access mechanisms that meet or +exceed access control policy requirements. + +``` +New: +``` +If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. + +Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. 
+ +If temporary accounts are used, RHEL 8 must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. + +To address access requirements, many RHEL 8 operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. + +``` +--- +SV-230332: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230333: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. 
+ + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230334: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. 
+ + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230335: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. 
+ +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230336: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. 
+ +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230337: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. 
If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230338:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230339:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230340:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230341:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230342:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+
+
+```
+---
+SV-230343:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230344:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+
+
+```
+---
+SV-230345:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230346:
+Old:
+```
+Operating system management includes the ability to control the number
+of users and user sessions that utilize an operating system. Limiting the
+number of allowed users and sessions per user is helpful in reducing the risks
+related to DoS attacks.
+
+ This requirement addresses concurrent sessions for information system
+accounts and does not address concurrent sessions by single users via multiple
+system accounts. The maximum number of concurrent sessions should be defined
+based on mission needs and the operational environment for each system.
+
+```
+New:
+```
+Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
+
+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.
+
+```
+---
+SV-230347:
+Old:
+```
+A session lock is a temporary action taken when a user stops work and
+moves away from the immediate physical vicinity of the information system but
+does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be
+determined.
+
+ Regardless of where the session lock is determined and implemented, once
+invoked, the session lock must remain in place until the user reauthenticates.
+No other activity aside from reauthentication must unlock the system.
+
+```
+New:
+```
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined.
+
+Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.
+
+
+
+```
+---
+SV-230351:
+Old:
+```
+A session lock is a temporary action taken when a user stops work and
+ moves away from the immediate physical vicinity of the information system but
+ does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be
+ determined. Rather than be forced to wait for a period of time to expire before
+ the user session can be locked, RHEL 8 needs to provide users with the ability
+ to manually invoke a session lock so users can secure their session if it is
+ necessary to temporarily vacate the immediate physical vicinity.
+
+```
+New:
+```
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
+
+
+
+```
+---
+SV-230352:
+Old:
+```
+A session lock is a temporary action taken when a user stops work and
+moves away from the immediate physical vicinity of the information system but
+does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be
+determined. Rather than be forced to wait for a period of time to expire before
+the user session can be locked, RHEL 8 needs to provide users with the ability
+to manually invoke a session lock so users can secure their session if it is
+necessary to temporarily vacate the immediate physical vicinity.
+
+```
+New:
+```
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
+
+
+
+```
+---
+SV-230354:
+Old:
+```
+A session time-out lock is a temporary action taken when a user stops
+work and moves away from the immediate physical vicinity of the information
+system but does not log out because of the temporary nature of the absence.
+Rather than relying on the user to manually lock their operating system session
+prior to vacating the vicinity, operating systems need to be able to identify
+when a user's session has idled and take action to initiate the session lock.
+
+ The session lock is implemented at the point where session activity can be
+determined and/or controlled.
+
+ Implementing session settings will have little value if a user is able to
+manipulate these settings from the defaults prescribed in the other
+requirements of this implementation guide.
+
+ Locking these settings from non-privileged users is crucial to maintaining
+a protected baseline.
+
+```
+New:
+```
+A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.
+
+Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.
+
+Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
+
+
+
+```
+---
+SV-230355:
+Old:
+```
+Without mapping the certificate used to authenticate to the user
+account, the ability to determine the identity of the individual user or group
+will not be available for forensic analysis.
+
+ There are various methods of mapping certificates to user/group accounts
+for RHEL 8. For the purposes of this requirement, the check and fix will
+account for Active Directory mapping. Some of the other possible methods
+include joining the system to a domain and utilizing a Red Hat idM server, or a
+local system mapping, where the system is not part of a domain.
+
+```
+New:
+```
+Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
+
+There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain.
+
+```
+---
+SV-230357:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.
+Note that in order to require uppercase characters, without degrading the
+"minlen" value, the credit value must be expressed as a negative number in
+"/etc/security/pwquality.conf".
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
+
+```
+---
+SV-230358:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.
+Note that in order to require lower-case characters without degrading the
+"minlen" value, the credit value must be expressed as a negative number in
+"/etc/security/pwquality.conf".
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
+
+```
+---
+SV-230359:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. Note that in order to require numeric characters, without degrading
+the minlen value, the credit value must be expressed as a negative number in
+"/etc/security/pwquality.conf".
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
+
+```
+---
+SV-230360:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. The "maxclassrepeat" option sets the maximum number of allowed
+same consecutive characters in the same class in the new password.
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password.
+
+```
+---
+SV-230361:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. The "maxrepeat" option sets the maximum number of allowed same
+consecutive characters in a new password.
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password.
+
+```
+---
+SV-230362:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. The "minclass" option sets the minimum number of required classes
+of characters for the new password (digits, uppercase, lowercase, others).
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "minclass" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others).
+
+```
+---
+SV-230363:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. The "difok" option sets the number of characters in a password
+that must not be present in the old password.
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "difok" option sets the number of characters in a password that must not be present in the old password.
+
+```
+---
+SV-230364:
+Old:
+```
+Enforcing a minimum password lifetime helps to prevent repeated
+password changes to defeat the password reuse or history enforcement
+requirement. If users are allowed to immediately and continually change their
+password, the password could be repeatedly changed in a short period of time to
+defeat the organization's policy regarding password reuse.
+
+```
+New:
+```
+Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
+
+```
+---
+SV-230365:
+Old:
+```
+Enforcing a minimum password lifetime helps to prevent repeated
+password changes to defeat the password reuse or history enforcement
+requirement. If users are allowed to immediately and continually change their
+password, the password could be repeatedly changed in a short period of time to
+defeat the organization's policy regarding password reuse.
+
+```
+New:
+```
+Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
+
+```
+---
+SV-230366:
+Old:
+```
+Any password, no matter how complex, can eventually be cracked.
+Therefore, passwords need to be changed periodically. If RHEL 8 does not limit
+the lifetime of passwords and force users to change their passwords, there is
+the risk that RHEL 8 passwords could be compromised.
+
+```
+New:
+```
+Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.
+
+```
+---
+SV-230367:
+Old:
+```
+Any password, no matter how complex, can eventually be cracked.
+Therefore, passwords need to be changed periodically. If RHEL 8 does not limit
+the lifetime of passwords and force users to change their passwords, there is
+the risk that RHEL 8 passwords could be compromised.
+
+```
+New:
+```
+Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.
+
+```
+---
+SV-230369:
+Old:
+```
+The shorter the password, the lower the number of possible
+combinations that need to be tested before the password is compromised.
+
+ Password complexity, or strength, is a measure of the effectiveness of a
+password in resisting attempts at guessing and brute-force attacks. Password
+length is one factor of several that helps to determine strength and how long
+it takes to crack a password. Use of more characters in a password helps to
+increase exponentially the time and/or resources required to compromise the
+password.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. Configurations are set in the "etc/security/pwquality.conf" file.
+
+ The "minlen", sometimes noted as minimum length, acts as a "score" of
+complexity based on the credit components of the "pwquality" module. By
+setting the credit components to a negative value, not only will those
+components be required, they will not count towards the total "score" of
+"minlen". This will enable "minlen" to require a 15-character minimum.
+
+ The DoD minimum password requirement is 15 characters.
+
+```
+New:
+```
+The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file.
+
+The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum.
+
+The DoD minimum password requirement is 15 characters.
+
+```
+---
+SV-230370:
+Old:
+```
+The shorter the password, the lower the number of possible
+combinations that need to be tested before the password is compromised.
+
+ Password complexity, or strength, is a measure of the effectiveness of a
+password in resisting attempts at guessing and brute-force attacks. Password
+length is one factor of several that helps to determine strength and how long
+it takes to crack a password. Use of more characters in a password helps to
+increase exponentially the time and/or resources required to compromise the
+password.
+
+ The DoD minimum password requirement is 15 characters.
+
+```
+New:
+```
+The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
+
+The DoD minimum password requirement is 15 characters.
+
+```
+---
+SV-230371:
+Old:
+```
+To ensure accountability and prevent unauthenticated access,
+interactive users must be identified and authenticated to prevent potential
+misuse and compromise of the system.
+
+ Interactive users include organizational employees or individuals the
+organization deems to have equivalent status of employees (e.g., contractors).
+Interactive users (and processes acting on behalf of users) must be uniquely
+identified and authenticated to all accesses, except for the following:
+
+ 1) Accesses explicitly identified and documented by the organization.
+Organizations document specific user actions that can be performed on the
+information system without identification or authentication; and
+
+ 2) Accesses that occur through authorized use of group authenticators
+without individual authentication. Organizations may require unique
+identification of individuals in group accounts (e.g., shared privilege
+accounts) or for detailed accountability of individual activity.
+
+```
+New:
+```
+To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
+
+Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
+
+1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and
+
+2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. 
+ + + +``` +--- +SV-230372: +Old: +``` +Using an authentication device, such as a Common Access Card (CAC) or +token that is separate from the information system, ensures that even if the +information system is compromised, that compromise will not affect credentials +stored on the authentication device. + + Multifactor solutions that require devices separate from information +systems gaining access include, for example, hardware tokens providing +time-based or challenge-response authenticators and smart cards such as the +U.S. Government Personal Identity Verification card and the DoD CAC. + + There are various methods of implementing multifactor authentication for +RHEL 8. Some methods include a local system multifactor account mapping or +joining the system to a domain and utilizing a Red Hat idM server or Microsoft +Windows Active Directory server. Any of these methods will require that the +client operating system handle the multifactor authentication correctly. + +``` +New: +``` +Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD CAC. + +There are various methods of implementing multifactor authentication for RHEL 8. Some methods include a local system multifactor account mapping or joining the system to a domain and utilizing a Red Hat idM server or Microsoft Windows Active Directory server. Any of these methods will require that the client operating system handle the multifactor authentication correctly. 
+ + + +``` +--- +SV-230373: +Old: +``` +Inactive identifiers pose a risk to systems and applications because + attackers may exploit an inactive identifier and potentially obtain undetected + access to the system. Owners of inactive accounts will not notice if + unauthorized access to their user account has been obtained. + + RHEL 8 needs to track periods of inactivity and disable application + identifiers after 35 days of inactivity. + +``` +New: +``` +Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. + +RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity. + +``` +--- +SV-230374: +Old: +``` +Temporary accounts are privileged or nonprivileged accounts that are + established during pressing circumstances, such as new software or hardware + configuration or an incident response, where the need for prompt account + activation requires bypassing normal account authorization procedures. + + If any inactive temporary accounts are left enabled on the system and are + not either manually removed or automatically expired within 72 hours, the + security posture of the system will be degraded and exposed to exploitation + by unauthorized users or insider threat actors. + + Temporary accounts are different from emergency accounts. Emergency accounts, + also known as "last resort" or "break glass" accounts, are local logon accounts + enabled on the system for emergency use by authorized system administrators + to manage a system when standard logon methods are failing or not available. + + Emergency accounts are not subject to manual removal or scheduled expiration + requirements. 
+ + The automatic expiration of temporary accounts may be extended as needed by + the circumstances but it must not be extended indefinitely. A documented + permanent account should be established for privileged users who need long-term + maintenance accounts. + +``` +New: +``` +Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. + +Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. + +The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts. + +``` +--- +SV-230375: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. 
The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. Note that to require special characters without degrading the +"minlen" value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230376: +Old: +``` +If cached authentication information is out-of-date, the validity of +the authentication information may be questionable. + +RHEL 8 includes multiple options for configuring authentication, but this +requirement will be focus on the System Security Services Daemon (SSSD). By +default sssd does not cache credentials. + +``` +New: +``` +If cached authentication information is out-of-date, the validity of the authentication information may be questionable. + +RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials. 
+ +``` +--- +SV-230377: +Old: +``` +If RHEL 8 allows the user to select passwords based on dictionary +words, this increases the chances of password compromise by increasing the +opportunity for successful guesses, and brute-force attacks. + +``` +New: +``` +If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. + +``` +--- +SV-230378: +Old: +``` +Configuring the operating system to implement organization-wide +security implementation guides and security checklists verifies compliance with +federal standards and establishes a common security baseline across the DoD +that reflects the most restrictive security posture consistent with operational +requirements. + + Configuration settings are the set of parameters that can be changed in +hardware, software, or firmware components of the system that affect the +security posture and/or functionality of the system. Security-related +parameters are those parameters impacting the security state of the system, +including the parameters required to satisfy other security control +requirements. Security-related parameters include, for example, registry +settings; account, file, and directory permission settings; and settings for +functions, ports, protocols, services, and remote connections. + +``` +New: +``` +Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + +``` +--- +SV-230379: +Old: +``` +Accounts providing no operational purpose provide additional +opportunities for system compromise. Unnecessary accounts include user accounts +for individuals not requiring access to the system and application accounts for +applications not installed on the system. + +``` +New: +``` +Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. + +``` +--- +SV-230380: +Old: +``` +If an account has an empty password, anyone could log on and run +commands with the privileges of that account. Accounts with empty passwords +should never be used in operational environments. + +``` +New: +``` +If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. + +``` +--- +SV-230381: +Old: +``` +Providing users with feedback on when account accesses last occurred +facilitates user recognition and reporting of unauthorized account use. + +``` +New: +``` +Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. + +``` +--- +SV-230382: +Old: +``` +Providing users with feedback on when account accesses via SSH last +occurred facilitates user recognition and reporting of unauthorized account +use. 
+ +``` +New: +``` +Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use. + +``` +--- +SV-230383: +Old: +``` +Setting the most restrictive default permissions ensures that when new +accounts are created, they do not have unnecessary access. + +``` +New: +``` +Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. + +``` +--- +SV-230384: +Old: +``` +The umask controls the default access mode assigned to newly created +files. A umask of 077 limits new files to mode 600 or less permissive. Although +umask can be represented as a four-digit number, the first digit representing +special access modes is typically ignored or required to be "0". This +requirement applies to the globally configured system defaults and the local +interactive user defaults for each account on the system. + +``` +New: +``` +The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. + +``` +--- +SV-230385: +Old: +``` +The umask controls the default access mode assigned to newly created +files. A umask of 077 limits new files to mode 600 or less permissive. Although +umask can be represented as a four-digit number, the first digit representing +special access modes is typically ignored or required to be "0". This +requirement applies to the globally configured system defaults and the local +interactive user defaults for each account on the system. + +``` +New: +``` +The umask controls the default access mode assigned to newly created files. 
A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. + +``` +--- +SV-230386: +Old: +``` +Misuse of privileged functions, either intentionally or +unintentionally by authorized users, or by unauthorized external entities that +have compromised information system accounts, is a serious and ongoing concern +and can have significant adverse impacts on organizations. Auditing the use of +privileged functions is one way to detect such misuse and identify the risk +from insider threats and the advanced persistent threat. + +``` +New: +``` +Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. + + + +``` +--- +SV-230387: +Old: +``` +Cron logging can be used to trace the successful or unsuccessful +execution of cron jobs. It can also be used to spot intrusions into the use of +the cron facility by unauthorized and malicious users. + +``` +New: +``` +Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. + +``` +--- +SV-230388: +Old: +``` +It is critical for the appropriate personnel to be aware if a system +is at risk of failing to process audit logs as required. 
Without this +notification, the security personnel may be unaware of an impending failure of +the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the +audit capturing mechanisms, and audit storage capacity being reached or +exceeded. + + This requirement applies to each audit data storage repository (i.e., +distinct information system component where audit records are stored), the +centralized audit storage capacity of organizations (i.e., all audit data +storage repositories combined), or both. + +``` +New: +``` +It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +``` +--- +SV-230389: +Old: +``` +It is critical for the appropriate personnel to be aware if a system +is at risk of failing to process audit logs as required. Without this +notification, the security personnel may be unaware of an impending failure of +the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the +audit capturing mechanisms, and audit storage capacity being reached or +exceeded. 
+ + This requirement applies to each audit data storage repository (i.e., +distinct information system component where audit records are stored), the +centralized audit storage capacity of organizations (i.e., all audit data +storage repositories combined), or both. + +``` +New: +``` +It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +``` +--- +SV-230390: +Old: +``` +It is critical for the appropriate personnel to be aware if a system +is at risk of failing to process audit logs as required. Without this +notification, the security personnel may be unaware of an impending failure of +the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the +audit capturing mechanisms, and audit storage capacity being reached or +exceeded. + + This requirement applies to each audit data storage repository (i.e., +distinct information system component where audit records are stored), the +centralized audit storage capacity of organizations (i.e., all audit data +storage repositories combined), or both. + +``` +New: +``` +It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +``` +--- +SV-230392: +Old: +``` +It is critical that when RHEL 8 is at risk of failing to process audit +logs as required, it takes action to mitigate the failure. Audit processing +failures include software/hardware errors; failures in the audit capturing +mechanisms; and audit storage capacity being reached or exceeded. Responses to +audit failure depend upon the nature of the failure mode. + + When availability is an overriding concern, other approved actions in +response to an audit failure are as follows: + + 1) If the failure was caused by the lack of audit record storage capacity, +RHEL 8 must continue generating audit records if possible (automatically +restarting the audit service if necessary) and overwriting the oldest audit +records in a first-in-first-out manner. + + 2) If audit records are sent to a centralized collection server and +communication with this server is lost or the server fails, RHEL 8 must queue +audit records locally until communication is restored or until the audit +records are retrieved manually. Upon restoration of the connection to the +centralized collection server, action should be taken to synchronize the local +audit data with the collection server. + +``` +New: +``` +It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. 
Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. + +When availability is an overriding concern, other approved actions in response to an audit failure are as follows: + +1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. + +2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server. + +``` +--- +SV-230393: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
+ +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +``` +--- +SV-230394: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Enriched logging is needed to determine who, what, and when events occur on +a system. Without this, determining root cause of an event will be much more +difficult. + + When audit logs are not labeled before they are sent to a central log +server, the audit data will not be able to be analyzed and tied back to the +correct system. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. 
+ +When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. + +``` +--- +SV-230395: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Enriched logging aids in making sense of who, what, and when events occur +on a system. Without this, determining root cause of an event will be much +more difficult. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. + +``` +--- +SV-230396: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. 
Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + +``` +--- +SV-230397: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. 
Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + +``` +--- +SV-230398: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. + + + +``` +--- +SV-230399: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. 
+ + + +``` +--- +SV-230400: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. + + + +``` +--- +SV-230401: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 system activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. + + + +``` +--- +SV-230402: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 system activity. + + In immutable mode, unauthorized users cannot execute changes to the audit +system to potentially hide malicious activity and then put the audit rules +back. A system reboot would be noticeable and a system administrator could +then investigate the unauthorized changes. 
+ +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. + + + +``` +--- +SV-230403: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 system activity. + + In immutable mode, unauthorized users cannot execute changes to the audit +system to potentially hide malicious activity and then put the audit rules +back. A system reboot would be noticeable and a system administrator could +then investigate the unauthorized changes. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. 
+ + + +``` +--- +SV-230404: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230405: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230406: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). 
+ +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230407: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230408: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+ + + +``` +--- +SV-230409: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230410: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230411: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. 
+ + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Associating event types with detected events in RHEL 8 audit logs provides +a means of investigating an attack, recognizing resource utilization or +capacity thresholds, or identifying an improperly configured RHEL 8 system. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. + + + +``` +--- +SV-230412: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "su" command allows a +user to run commands with a substitute user and group ID. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". 
The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "su" command allows a user to run commands with a substitute user and group ID. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230413: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +"Setxattr" is a system call used to set an extended attribute value. +"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. +"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. +"Removexattr" is a system call that removes extended attributes. +"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. +"Lremovexattr" is a system call that removes extended attributes. 
This is used for removal of extended attributes from symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +"Setxattr" is a system call used to set an extended attribute value. +"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. +"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. +"Removexattr" is a system call that removes extended attributes. +"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. +"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230418: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chage" command is +used to change or view user password expiry information. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230419: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chcon" command is +used to change file SELinux security context. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chcon" command is used to change file SELinux security context. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230421: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "ssh-agent" is a +program to hold private keys used for public key authentication. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230422: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. 
+ + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "passwd" command is +used to change passwords for user accounts. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "passwd" command is used to change passwords for user accounts. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230423: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "mount" command is +used to mount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". 
The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230424: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "umount" command is +used to unmount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "umount" command is used to unmount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230425: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "mount" syscall is +used to mount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". 
The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230426: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +"Unix_update" is a helper program for the "pam_unix" module that updates +the password for a given user. It is not intended to be run directly from the +command line and logs a security violation if done so. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. "Unix_update" is a helper program for the "pam_unix" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230427: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "postdrop" command creates a file in the maildrop directory and copies +its standard input to the file. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postdrop" command creates a file in the maildrop directory and copies its standard input to the file. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230428: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. 
The organization must maintain audit trails in sufficient
+detail to reconstruct events to determine the cause and impact of compromise.
+The "postqueue" command implements the Postfix user interface for queue
+management.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postqueue" command implements the Postfix user interface for queue management.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230429:
+Old:
+```
+Reconstruction of harmful events or forensic analysis is not possible
+if audit records do not contain enough information.
+
+ At a minimum, the organization must audit the full-text recording of
+privileged commands. The organization must maintain audit trails in sufficient
+detail to reconstruct events to determine the cause and impact of compromise.
+The "semanage" command is used to configure certain elements of SELinux
+policy without requiring modification to or recompilation from policy sources.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated.
Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230430:
+Old:
+```
+Reconstruction of harmful events or forensic analysis is not possible
+if audit records do not contain enough information.
+
+ At a minimum, the organization must audit the full-text recording of
+privileged commands. The organization must maintain audit trails in sufficient
+detail to reconstruct events to determine the cause and impact of compromise.
+The "setfiles" command is primarily used to initialize the security context
+fields (extended attributes) on one or more filesystems (or parts of them).
+Usually it is initially run as part of the SELinux installation process (a step
+commonly known as labeling).
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295".
The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling).
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230431:
+Old:
+```
+Reconstruction of harmful events or forensic analysis is not possible
+if audit records do not contain enough information.
+
+ At a minimum, the organization must audit the full-text recording of
+privileged commands. The organization must maintain audit trails in sufficient
+detail to reconstruct events to determine the cause and impact of compromise.
+The "userhelper" command is not intended to be run interactively.
+"Userhelper" provides a basic interface to change a user's password, gecos
+information, and shell. The main difference between this program and its
+traditional equivalents (passwd, chfn, chsh) is that prompts are written to
+standard out to make it easy for a graphical user interface wrapper to
+interface to it as a child process.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1".
The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "userhelper" command is not intended to be run interactively. "Userhelper" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230432:
+Old:
+```
+Reconstruction of harmful events or forensic analysis is not possible
+if audit records do not contain enough information.
+
+ At a minimum, the organization must audit the full-text recording of
+privileged commands. The organization must maintain audit trails in sufficient
+detail to reconstruct events to determine the cause and impact of compromise.
+The "setsebool" command sets the current state of a particular SELinux
+boolean or a list of booleans to a given value.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1".
The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux boolean or a list of booleans to a given value.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230433:
+Old:
+```
+Reconstruction of harmful events or forensic analysis is not possible
+if audit records do not contain enough information.
+
+ At a minimum, the organization must audit the full-text recording of
+privileged commands. The organization must maintain audit trails in sufficient
+detail to reconstruct events to determine the cause and impact of compromise.
+The "unix_chkpwd" command is a helper program for the pam_unix module that
+verifies the password of the current user. It also checks password and account
+expiration dates in shadow. It is not intended to be run directly from the
+command line and logs a security violation if done so.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "unix_chkpwd" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230434:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "ssh-keysign" program
+is an SSH helper program for host-based authentication.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230435:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "setfacl" command is
+used to set file access control lists.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
The "setfacl" command is used to set file access control lists.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230436:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "pam_timestamp_check"
+command is used to check if the default timestamp is valid.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "pam_timestamp_check" command is used to check if the default timestamp is valid.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230437:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "newgrp" command is
+used to change the current group ID during a login session.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "newgrp" command is used to change the current group ID during a login session.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230438:
+Old:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit.
The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+
+
+```
+---
+SV-230439:
+Old:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.
+
+The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.
+The "rmdir" system call removes empty directories.
+The "renameat" system call renames a file, moving it between directories if required.
+The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.
+
+The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.
+The "rmdir" system call removes empty directories.
+The "renameat" system call renames a file, moving it between directories if required.
+The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+
+
+```
+---
+SV-230444:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "gpasswd" command is
+used to administer /etc/group and /etc/gshadow. Every group can have
+administrators, members and a password.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230446:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "delete_module"
+command is used to unload a kernel module.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230447:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "crontab" command is
+used to maintain crontab files for individual users. Crontab is the program
+used to install, remove, or list the tables used to drive the cron daemon. This
+is similar to the task scheduler used in other operating systems.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "crontab" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230448:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "chsh" command is
+used to change the login shell.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295".
The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chsh" command is used to change the login shell.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230449:
+Old:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
+
+The "creat" system call is used to open and possibly create a file or device.
+The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
+The "openat" system call opens a file specified by a relative pathname.
+The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
+
+The "creat" system call is used to open and possibly create a file or device.
+The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
+The "openat" system call opens a file specified by a relative pathname.
+The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1".
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230455: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. + +The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. +The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. +The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. + +The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. +The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. +The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230456: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). 
The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. + +The "fchmod" system call is used to change permissions of a file. +The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. + +The "fchmod" system call is used to change permissions of a file. +The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. 
Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230462: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "sudo" command allows +a permitted user to execute a command as the superuser or another user, as +specified by the security policy. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. 
+ +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230463: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "usermod" command +modifies the system account files to reflect the changes that are specified on +the command line. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "usermod" command modifies the system account files to reflect the changes that are specified on the command line. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230464: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chacl" command is +used to change the access control list of a file or directory. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230465: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). 
The "kmod" command is +used to control Linux Kernel modules. + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. + + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "kmod" command is used to control Linux Kernel modules. + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230466: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + + From "Pam_Faillock man" pages: Note the default directory that +pam_faillock uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + +From "Pam_Faillock man" pages: Note the default directory that pam_faillock uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230467: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230468: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230469: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + Allocating an audit_backlog_limit of sufficient size is critical in +maintaining a stable boot process. With an insufficient limit allocated, the +system is susceptible to boot failures and crashes. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. 
Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. + +``` +--- +SV-230470: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230471: +Old: +``` +Without the capability to restrict the roles and individuals that can +select which events are audited, unauthorized personnel may be able to prevent +the auditing of critical events. Misconfigured audits may degrade the system's +performance by overwhelming the audit log. Misconfigured audits may also make +it more difficult to establish, correlate, and investigate the events relating +to an incident or identify those responsible for one. + +``` +New: +``` +Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +``` +--- +SV-230472: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. 
+
+ RHEL 8 systems providing tools to interface with audit information will
+leverage user permissions and roles identifying the user accessing the tools,
+and the corresponding rights the user enjoys, to make access decisions
+regarding the access to audit tools.
+
+ Audit tools include, but are not limited to, vendor-provided and open
+source audit tools needed to successfully view and manipulate audit information
+system activity and records. Audit tools include custom queries and report
+generators.
+
+```
+New:
+```
+Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
+
+RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+```
+---
+SV-230473:
+Old:
+```
+Protecting audit information also includes identifying and protecting
+the tools used to view and manipulate log data. Therefore, protecting audit
+tools is necessary to prevent unauthorized operation on audit information.
+
+ RHEL 8 systems providing tools to interface with audit information will
+leverage user permissions and roles identifying the user accessing the tools,
+and the corresponding rights the user enjoys, to make access decisions
+regarding the access to audit tools.
+
+ Audit tools include, but are not limited to, vendor-provided and open
+source audit tools needed to successfully view and manipulate audit information
+system activity and records. Audit tools include custom queries and report
+generators.
+
+```
+New:
+```
+Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
+
+RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+
+
+```
+---
+SV-230474:
+Old:
+```
+Protecting audit information also includes identifying and protecting
+the tools used to view and manipulate log data. Therefore, protecting audit
+tools is necessary to prevent unauthorized operation on audit information.
+
+ RHEL 8 systems providing tools to interface with audit information will
+leverage user permissions and roles identifying the user accessing the tools,
+and the corresponding rights the user enjoys, to make access decisions
+regarding the access to audit tools.
+
+ Audit tools include, but are not limited to, vendor-provided and open
+source audit tools needed to successfully view and manipulate audit information
+system activity and records. Audit tools include custom queries and report
+generators.
+
+```
+New:
+```
+Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
+
+RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+
+
+```
+---
+SV-230475:
+Old:
+```
+Protecting the integrity of the tools used for auditing purposes is a
+critical step toward ensuring the integrity of audit information. Audit
+information includes all information (e.g., audit records, audit settings, and
+audit reports) needed to successfully audit information system activity.
+
+ Audit tools include, but are not limited to, vendor-provided and open
+source audit tools needed to successfully view and manipulate audit information
+system activity and records. Audit tools include custom queries and report
+generators.
+
+ It is not uncommon for attackers to replace the audit tools or inject code
+into the existing tools with the purpose of providing the capability to hide or
+erase system activity from the audit logs.
+
+ To address this risk, audit tools must be cryptographically signed to
+provide the capability to identify when the audit tools have been modified,
+manipulated, or replaced. An example is a checksum hash of the file or files.
+
+```
+New:
+```
+Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs.
+
+To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.
+
+```
+---
+SV-230476:
+Old:
+```
+To ensure RHEL 8 systems have a sufficient storage capacity in which
+to write the audit logs, RHEL 8 needs to be able to allocate audit record
+storage capacity.
+
+ The task of allocating audit record storage capacity is usually performed
+during initial installation of RHEL 8.
+
+```
+New:
+```
+To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity.
+
+The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8.
+
+```
+---
+SV-230477:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "gnutls" (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to
+securely encrypt and off-load auditing.
+
+ Rsyslog provides three ways to forward message: the traditional UDP
+transport, which is extremely lossy but standard; the plain TCP based
+transport, which loses messages only during certain situations but is widely
+available; and the RELP transport, which does not lose messages but is
+currently available only as part of the rsyslogd 3.15.0 and above.
+ Examples of each configuration:
+ UDP *.* @remotesystemname
+ TCP *.* @@remotesystemname
+ RELP *.* :omrelp:remotesystemname:2514
+ Note that a port number was given as there is no standard port for RELP.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.
+Examples of each configuration:
+UDP *.* @remotesystemname
+TCP *.* @@remotesystemname
+RELP *.* :omrelp:remotesystemname:2514
+Note that a port number was given as there is no standard port for RELP.
+
+```
+---
+SV-230478:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "rsyslog-gnutls" (which is a secure
+communications library implementing the SSL, TLS and DTLS protocols), and you
+have a method to securely encrypt and off-load auditing.
+
+ Rsyslog provides three ways to forward message: the traditional UDP
+transport, which is extremely lossy but standard; the plain TCP based
+transport, which loses messages only during certain situations but is widely
+available; and the RELP transport, which does not lose messages but is
+currently available only as part of the rsyslogd 3.15.0 and above.
+ Examples of each configuration:
+ UDP *.* @remotesystemname
+ TCP *.* @@remotesystemname
+ RELP *.* :omrelp:remotesystemname:2514
+ Note that a port number was given as there is no standard port for RELP.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "rsyslog-gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.
+Examples of each configuration:
+UDP *.* @remotesystemname
+TCP *.* @@remotesystemname
+RELP *.* :omrelp:remotesystemname:2514
+Note that a port number was given as there is no standard port for RELP.
+
+```
+---
+SV-230479:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "gnutls" (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to
+securely encrypt and off-load auditing.
+
+ Rsyslog provides three ways to forward message: the traditional UDP
+transport, which is extremely lossy but standard; the plain TCP based
+transport, which loses messages only during certain situations but is widely
+available; and the RELP transport, which does not lose messages but is
+currently available only as part of the rsyslogd 3.15.0 and above.
+ Examples of each configuration:
+ UDP *.* @remotesystemname
+ TCP *.* @@remotesystemname
+ RELP *.* :omrelp:remotesystemname:2514
+ Note that a port number was given as there is no standard port for RELP.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.
+Examples of each configuration:
+UDP *.* @remotesystemname
+TCP *.* @@remotesystemname
+RELP *.* :omrelp:remotesystemname:2514
+Note that a port number was given as there is no standard port for RELP.
+
+
+
+```
+---
+SV-230480:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "gnutls" (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to
+securely encrypt and off-load auditing.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+
+
+```
+---
+SV-230481:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "gnutls" (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to
+securely encrypt and off-load auditing.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+
+
+```
+---
+SV-230482:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "gnutls" (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to
+securely encrypt and off-load auditing.
+
+ "Rsyslog" supported authentication modes include:
+ anon - anonymous authentication
+ x509/fingerprint - certificate fingerprint authentication
+ x509/certvalid - certificate validation only
+ x509/name - certificate validation and subject name authentication.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+"Rsyslog" supported authentication modes include:
+anon - anonymous authentication
+x509/fingerprint - certificate fingerprint authentication
+x509/certvalid - certificate validation only
+x509/name - certificate validation and subject name authentication.
+
+
+
+```
+---
+SV-230483:
+Old:
+```
+If security personnel are not notified immediately when storage volume
+ reaches 75 percent utilization, they are unable to plan for audit record
+ storage capacity expansion.
+
+```
+New:
+```
+If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
+
+```
+---
+SV-230484:
+Old:
+```
+Inaccurate time stamps make it more difficult to correlate events and
+can lead to an inaccurate analysis. Determining the correct time a particular
+event occurred on a system is critical when conducting forensic analysis and
+investigating system events. Sources outside the configured acceptable
+allowance (drift) may be inaccurate.
+
+ Synchronizing internal information system clocks provides uniformity of
+time stamps for information systems with multiple system clocks and systems
+connected over a network.
+
+ Organizations should consider endpoints that may not have regular access to
+the authoritative time server (e.g., mobile, teleworking, and tactical
+endpoints).
+
+ If time stamps are not consistently applied and there is no common time
+reference, it is difficult to perform forensic analysis.
+
+ Time stamps generated by the operating system include date and time. Time
+is commonly expressed in Coordinated Universal Time (UTC), a modern
+continuation of Greenwich Mean Time (GMT), or local time with an offset from
+UTC.
+
+ RHEL 8 utilizes the "timedatectl" command to view the status of the
+"systemd-timesyncd.service". The "timedatectl" status will display the
+local time, UTC, and the offset from UTC.
+
+ Note that USNO offers authenticated NTP service to DoD and U.S. Government
+agencies operating on the NIPR and SIPR networks. Visit
+https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.
+
+```
+New:
+```
+Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
+
+Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
+
+Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
+
+If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
+
+Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
+
+RHEL 8 utilizes the "timedatectl" command to view the status of the "systemd-timesyncd.service". The "timedatectl" status will display the local time, UTC, and the offset from UTC.
+
+Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.
+
+
+
+```
+---
+SV-230487:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ Examples of non-essential capabilities include, but are not limited to,
+games, software packages, tools, and demonstration software not related to
+requirements or providing a wide array of functionality not required for every
+mission, but which cannot be disabled.
+
+ Verify the operating system is configured to disable non-essential
+capabilities. The most secure way of ensuring a non-essential capability is
+disabled is to not have the capability installed.
+
+ The telnet service provides an unencrypted remote access service that does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+ If a privileged user were to log on using this service, the privileged user
+password could be compromised.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.
+
+If a privileged user were to log on using this service, the privileged user password could be compromised.
+
+```
+---
+SV-230488:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ Examples of non-essential capabilities include, but are not limited to,
+games, software packages, tools, and demonstration software not related to
+requirements or providing a wide array of functionality not required for every
+mission, but which cannot be disabled.
+
+ Verify the operating system is configured to disable non-essential
+capabilities. The most secure way of ensuring a non-essential capability is
+disabled is to not have the capability installed.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+```
+---
+SV-230489:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ Examples of non-essential capabilities include, but are not limited to,
+games, software packages, tools, and demonstration software not related to
+requirements or providing a wide array of functionality not required for every
+mission, but which cannot be disabled.
+
+ Verify the operating system is configured to disable non-essential
+capabilities. The most secure way of ensuring a non-essential capability is
+disabled is to not have the capability installed.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+```
+---
+SV-230491:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ Examples of non-essential capabilities include, but are not limited to,
+games, software packages, tools, and demonstration software not related to
+requirements or providing a wide array of functionality not required for every
+mission, but which cannot be disabled.
+
+ Verify the operating system is configured to disable non-essential
+capabilities. The most secure way of ensuring a non-essential capability is
+disabled is to not have the capability installed.
+
+ Kernel page-table isolation is a kernel feature that mitigates the Meltdown
+security vulnerability and hardens the kernel against attempts to bypass kernel
+address space layout randomization (KASLR).
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).
+
+```
+---
+SV-230492:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ The rsh-server service provides an unencrypted remote access service that
+does not provide for the confidentiality and integrity of user passwords or the
+remote session and has very weak authentication.
+
+ If a privileged user were to log on using this service, the privileged user
+password could be compromised.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.
+
+If a privileged user were to log on using this service, the privileged user password could be compromised.
+
+
+
+```
+---
+SV-230493:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect from collaborative computing devices (i.e., cameras)
+can result in subsequent compromises of organizational information. Providing
+easy methods to physically disconnect from such devices after a collaborative
+computing session helps to ensure participants actually carry out the
+disconnect activity without having to go through complex and tedious procedures.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.
+
+
+
+```
+---
+SV-230494:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Asynchronous Transfer Mode (ATM) is a protocol operating on network,
+data link, and physical layers, based on virtual circuits and virtual paths.
+Disabling ATM protects the system against exploitation of any laws in its
+implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation.
+
+```
+---
+SV-230495:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Controller Area Network (CAN) is a serial communications protocol,
+which was initially developed for automotive and is now also used in marine,
+industrial, and medical applications. Disabling CAN protects the system against
+exploitation of any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation.
+
+```
+---
+SV-230496:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Stream Control Transmission Protocol (SCTP) is a transport layer
+protocol, designed to support the idea of message-oriented communication, with
+several streams of messages within one connection. Disabling SCTP protects the
+system against exploitation of any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.
+
+```
+---
+SV-230497:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Transparent Inter-Process Communication (TIPC) protocol is designed to
+provide communications between nodes in a cluster. Disabling TIPC protects the
+system against exploitation of any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation.
+ +``` +--- +SV-230498: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Removing support for unneeded filesystem types reduces the local attack +surface of the server. + + Compressed ROM/RAM file system (or cramfs) is a read-only file system +designed for simplicity and space-efficiency. It is mainly used in embedded +and small-footprint systems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Removing support for unneeded filesystem types reduces the local attack surface of the server. + +Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems. + +``` +--- +SV-230499: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time +communication. Disabling FireWire protects the system against exploitation of +any flaws in its implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation. + +``` +--- +SV-230500: +Old: +``` +To prevent unauthorized connection of devices, unauthorized transfer +of information, or unauthorized tunneling (i.e., embedding of data types within +data types), organizations must disable or restrict unused or unnecessary +physical and logical ports/protocols on information systems. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services provided by default may not be +necessary to support essential organizational operations. Additionally, it is +sometimes convenient to provide multiple services from a single component +(e.g., VPN and IPS); however, doing so increases risk over limiting the +services provided by any one component. + + To support the requirements and principles of least functionality, the +operating system must support the organizational requirements, providing only +essential capabilities and limiting the use of ports, protocols, and/or +services to only those required, authorized, and approved to conduct official +business or to address authorized quality-of-life issues. + +``` +New: +``` +To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. 
Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. + +To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues. + +``` +--- +SV-230502: +Old: +``` +Automatically mounting file systems permits easy introduction of +unknown devices, thereby facilitating malicious activity. + +``` +New: +``` +Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. + +``` +--- +SV-230503: +Old: +``` +USB mass storage permits easy introduction of unknown devices, thereby +facilitating malicious activity. + +``` +New: +``` +USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. + + + +``` +--- +SV-230504: +Old: +``` +Failure to restrict network connectivity only to authorized systems +permits inbound connections from malicious systems. It also permits outbound +connections that may facilitate exfiltration of DoD data. + + RHEL 8 incorporates the "firewalld" daemon, which allows for many +different configurations. One of these configurations is zones. Zones can be +utilized to a deny-all, allow-by-exception approach. The default "drop" zone +will drop all incoming network packets unless it is explicitly allowed by the +configuration file or is related to an outgoing network connection. + +``` +New: +``` +Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. 
+ +RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. + +``` +--- +SV-230505: +Old: +``` +"Firewalld" provides an easy and effective way to block/limit remote +access to the system via ports, services, and protocols. + + Remote access services, such as those providing remote access to network +devices and information systems, which lack automated control capabilities, +increase risk and make remote user access management difficult at best. + + Remote access is access to DoD nonpublic information systems by an +authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + + RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement +action if the audit reveals unauthorized activity. Automated control of remote +access sessions allows organizations to ensure ongoing compliance with remote +access policies by enforcing connection rules of remote access applications on +a variety of information system components (e.g., servers, workstations, +notebook computers, smartphones, and tablets). + +``` +New: +``` +"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + +Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. 
+ +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + +``` +--- +SV-230506: +Old: +``` +Without protection of communications with wireless peripherals, +confidentiality and integrity may be compromised because unprotected +communications can be intercepted and either read, altered, or used to +compromise the RHEL 8 operating system. + + This requirement applies to wireless peripheral technologies (e.g., +wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless +peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and +Near Field Communications [NFC]) present a unique challenge by creating an +open, unsecured port on a computer. Wireless peripherals must meet DoD +requirements for wireless data transmission and be approved for use by the +Authorizing Official (AO). Even though some wireless peripherals, such as mice +and pointing devices, do not ordinarily carry information that need to be +protected, modification of communications with these wireless peripherals may +be used to compromise the RHEL 8 operating system. Communication paths outside +the physical protection of a controlled boundary are exposed to the possibility +of interception and modification. 
+ + Protecting the confidentiality and integrity of communications with +wireless peripherals can be accomplished by physical means (e.g., employing +physical barriers to wireless radio frequencies) or by logical means (e.g., +employing cryptographic techniques). If physical means of protection are +employed, then logical means (cryptography) do not have to be employed, and +vice versa. If the wireless peripheral is only passing telemetry data, +encryption of the data may not be required. + +``` +New: +``` +Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. + +This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. + + + +``` +--- +SV-230507: +Old: +``` +Without protection of communications with wireless peripherals, +confidentiality and integrity may be compromised because unprotected +communications can be intercepted and either read, altered, or used to +compromise the RHEL 8 operating system. + + This requirement applies to wireless peripheral technologies (e.g., +wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless +peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and +Near Field Communications [NFC]) present a unique challenge by creating an +open, unsecured port on a computer. Wireless peripherals must meet DoD +requirements for wireless data transmission and be approved for use by the +Authorizing Official (AO). Even though some wireless peripherals, such as mice +and pointing devices, do not ordinarily carry information that need to be +protected, modification of communications with these wireless peripherals may +be used to compromise the RHEL 8 operating system. Communication paths outside +the physical protection of a controlled boundary are exposed to the possibility +of interception and modification. + + Protecting the confidentiality and integrity of communications with +wireless peripherals can be accomplished by physical means (e.g., employing +physical barriers to wireless radio frequencies) or by logical means (e.g., +employing cryptographic techniques). If physical means of protection are +employed, then logical means (cryptography) do not have to be employed, and +vice versa. If the wireless peripheral is only passing telemetry data, +encryption of the data may not be required. 
+ +``` +New: +``` +Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. + +This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. + +``` +--- +SV-230508: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. 
+ + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. 
This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230509: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230510: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230511: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230512: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230513: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230514: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230515: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230516: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230517: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230518: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230519: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230520: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230521: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230522: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230523: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for +allowing the execution of only authorized software. Using only authorized +software decreases risk by limiting the number of potential vulnerabilities. +Verification of whitelisted software occurs prior to execution or at system +startup. 
+ + User home directories/folders may contain information of a sensitive +nature. Non-privileged users should coordinate any sharing of information with +an SA through shared resources. + + RHEL 8 ships with many optional packages. One such package is a file access +policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that +determines access rights to files based on attributes of the process and file. +It can be used to either blacklist or whitelist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper +configuration may render the system non-functional. The "fapolicyd" API is +not namespace aware and can cause issues when launching or running containers. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + +RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. 
The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + + +``` +--- +SV-230524: +Old: +``` +Without authenticating devices, unidentified or unknown devices may be +introduced, thereby facilitating malicious activity. + + Peripherals include, but are not limited to, such devices as flash drives, +external storage, and printers. + + A new feature that RHEL 8 provides is the USBGuard software framework. The +USBguard-daemon is the main component of the USBGuard software framework. It +runs as a service in the background and enforces the USB device authorization +policy for all USB devices. The policy is defined by a set of rules using a +rule language described in the usbguard-rules.conf file. The policy and the +authorization state of USB devices can be modified during runtime using the +usbguard tool. + + The System Administrator (SA) must work with the site Information System +Security Officer (ISSO) to determine a list of authorized peripherals and +establish rules within the USBGuard software framework to allow only authorized +devices. + +``` +New: +``` +Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. + +A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
+ +The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + +``` +--- +SV-230525: +Old: +``` +DoS is a condition when a resource is not available for legitimate +users. When this occurs, the organization either cannot accomplish its mission +or must operate at degraded capacity. + + This requirement addresses the configuration of RHEL 8 to mitigate the +impact of DoS attacks that have occurred or are ongoing on system availability. +For each system, known and potential DoS attacks must be identified and +solutions for each type implemented. A variety of technologies exists to limit +or, in some cases, eliminate the effects of DoS attacks (e.g., limiting +processes or establishing memory partitions). Employing increased capacity and +bandwidth, combined with service redundancy, may reduce the susceptibility to +some DoS attacks. + + Since version 0.6.0, "firewalld" has incorporated "nftables" as its +backend support. Utilizing the limit statement in "nftables" can help to +mitigate DoS attacks. + +``` +New: +``` +DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + +This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. 
+ +Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks. + +``` +--- +SV-230526: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + + + +``` +--- +SV-230527: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + + Session key regeneration limits the chances of a session key becoming +compromised. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
+ +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + +Session key regeneration limits the chances of a session key becoming compromised. + + + +``` +--- +SV-230529: +Old: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete when at the +console, can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. + +``` +New: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230530: +Old: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete, when at the +console, can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. 
+ +``` +New: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230531: +Old: +``` +A locally logged-on user who presses Ctrl-Alt-Delete when at the +console can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. + +``` +New: +``` +A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230532: +Old: +``` +The debug-shell requires no authentication and provides root +privileges to anyone who has physical access to the machine. While this +feature is disabled by default, masking it adds an additional layer of +assurance that it will not be enabled via a dependency in systemd. This also +prevents attackers with physical access from trivially bypassing security on +the machine through valid troubleshooting configurations and gaining root +access when the system is rebooted. 
+ +``` +New: +``` +The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. + +``` +--- +SV-230533: +Old: +``` +If TFTP is required for operational support (such as the transmission +of router configurations) its use must be documented with the Information +System Security Officer (ISSO), restricted to only authorized personnel, and +have access control rules established. + +``` +New: +``` +If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established. + +``` +--- +SV-230534: +Old: +``` +If an account other than root also has a User Identifier (UID) of +"0", it has root authority, giving that account unrestricted access to the +entire operating system. Multiple accounts with a UID of "0" afford an +opportunity for potential intruders to guess a password for a privileged +account. + +``` +New: +``` +If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account. + +``` +--- +SV-230550: +Old: +``` +If unrestricted mail relaying is permitted, unauthorized senders could +use this host as a mail relay for the purpose of sending spam or other +unauthorized activity. 
+ +``` +New: +``` +If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. + +``` +--- +SV-230551: +Old: +``` +Extended attributes in file systems are used to contain arbitrary data +and file metadata with security implications. + + RHEL 8 installation media come with a file integrity tool, Advanced +Intrusion Detection Environment (AIDE). + +``` +New: +``` +Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. + +RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). + +``` +--- +SV-230552: +Old: +``` +ACLs can provide permissions beyond those permitted through the file +mode and must be verified by file integrity tools. + + RHEL 8 installation media come with a file integrity tool, Advanced +Intrusion Detection Environment (AIDE). + +``` +New: +``` +ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. + +RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). + +``` +--- +SV-230553: +Old: +``` +Internet services that are not required for system or application +processes must not be active to decrease the attack surface of the system. +Graphical display managers have a long history of security vulnerabilities and +must not be used, unless approved and documented. + +``` +New: +``` +Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. + +``` +--- +SV-230554: +Old: +``` +Network interfaces in promiscuous mode allow for the capture of all +network traffic visible to the system. 
If unauthorized individuals can access +these applications, it may allow them to collect information such as logon IDs, +passwords, and key exchanges between systems. + + If the system is being used to perform a network troubleshooting function, +the use of these tools must be documented with the Information System Security +Officer (ISSO) and restricted to only authorized personnel. + +``` +New: +``` +Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. + +If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel. + +``` +--- +SV-230555: +Old: +``` +The security risk of using X11 forwarding is that the client's X11 +display server may be exposed to attack when the SSH client requests +forwarding. A system administrator may have a stance in which they want to +protect clients that may expose themselves to attack by unwittingly requesting +X11 forwarding, which can warrant a "no" setting. + + X11 forwarding should be enabled with caution. Users with the ability to +bypass file permissions on the remote host (for the user's X11 authorization +database) can access the local X11 display through the forwarded connection. An +attacker may then be able to perform activities such as keystroke monitoring if +the ForwardX11Trusted option is also enabled. + + If X11 services are not required for the system's intended function, they +should be disabled or restricted as appropriate to the system’s needs. + +``` +New: +``` +The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. 
A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting. + +X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. + +If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs. + +``` +--- +SV-230556: +Old: +``` +When X11 forwarding is enabled, there may be additional exposure to +the server and client displays if the sshd proxy display is configured to +listen on the wildcard address. By default, sshd binds the forwarding server +to the loopback address and sets the hostname part of the DIPSLAY environment +variable to localhost. This prevents remote hosts from connecting to the proxy +display. + +``` +New: +``` +When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. + +``` +--- +SV-230557: +Old: +``` +Restricting TFTP to a specific directory prevents remote users from +copying, transferring, or overwriting system files. + +``` +New: +``` +Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. 
+ +``` +--- +SV-230558: +Old: +``` +The FTP service provides an unencrypted remote access that does not +provide for the confidentiality and integrity of user passwords or the remote +session. If a privileged user were to log on using this service, the privileged +user password could be compromised. SSH or other encrypted file transfer +methods must be used in place of this service. + +``` +New: +``` +The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. + +``` +--- +SV-230559: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The gssproxy package is a proxy for GSS API credential handling and could +expose secrets on some networks. It is not needed for normal function of the OS. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS. + +``` +--- +SV-230560: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The iprutils package provides a suite of utilities to manage and configure +SCSI devices supported by the ipr SCSI storage device driver. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. + +``` +--- +SV-230561: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. 
These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The tuned package contains a daemon that tunes the system settings +dynamically. It does so by monitoring the usage of several system components +periodically. Based on that information, components will then be put into lower +or higher power savings modes to adapt to the current usage. The tuned package +is not needed for normal OS operations. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations. + +``` +--- +SV-237640: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. 
+ + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + Currently, Kerberos does not utilize FIPS 140-2 cryptography. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +Currently, Kerberos does not utilize FIPS 140-2 cryptography. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-237641: +Old: +``` +The sudo command allows a user to execute programs with elevated +(administrator) privileges. It prompts the user for their password and confirms +your request to execute a command by checking a file, called sudoers. If the +"sudoers" file is not configured correctly, any user defined on the system +can initiate privileged actions on the target system. + +``` +New: +``` +The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. 
+ +``` +--- +SV-237642: +Old: +``` +The sudoers security policy requires that users authenticate +themselves before they can use sudo. When sudoers requires authentication, it +validates the invoking user's credentials. If the rootpw, targetpw, or runaspw +flags are defined and not disabled, by default the operating system will prompt +the invoking user for the "root" user password. + For more information on each of the listed configurations, reference the +sudoers(5) manual page. + +``` +New: +``` +The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +For more information on each of the listed configurations, reference the sudoers(5) manual page. + +``` +--- +SV-237643: +Old: +``` +Without re-authentication, users may access resources or perform tasks +for which they do not have authorization. + + When operating systems provide the capability to escalate a functional +capability, it is critical the organization requires the user to +re-authenticate when using the "sudo" command. + + If the value is set to an integer less than 0, the user's time stamp will +not expire and the user will not have to re-authenticate for privileged actions +until the user's session is terminated. + +``` +New: +``` +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. 
+ +If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. + +``` +--- +SV-244519: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. + + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + + + +``` +--- +SV-244523: +Old: +``` +If the system does not require valid root authentication before it +boots into emergency or rescue mode, anyone who invokes emergency or rescue +mode is granted privileged access to all files on the system. + +``` +New: +``` +If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. + +``` +--- +SV-244524: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. 
+ + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-244525: +Old: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. 
The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +``` +New: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. 
If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + + + +``` +--- +SV-244526: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The SSH +configuration file has no effect on the ciphers, MACs, or algorithms unless +specifically defined in the /etc/sysconfig/sshd file. The employed algorithms +can be viewed in the /etc/crypto-policies/back-ends/ directory. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. 
The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. + + + +``` +--- +SV-244527: +Old: +``` +The most important characteristic of a random number generator is its +randomness, namely its ability to deliver random numbers that are impossible to +predict. Entropy in computer security is associated with the unpredictability +of a source of randomness. The random source with high entropy tends to +achieve a uniform distribution of random values. Random number generators are +one of the most important building blocks of cryptosystems. + + The rngd service feeds random data from hardware device to kernel random +device. Quality (non-predictable) random number generation is important for +several security functions (i.e., ciphers). + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers). + +``` +--- +SV-244528: +Old: +``` +Configuring this setting for the SSH daemon provides additional +assurance that remote logon via SSH will require a password, even in the event +of misconfiguration elsewhere. + +``` +New: +``` +Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. 
+
+```
+---
+SV-244529:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-244530:
+Old:
+```
+The "nosuid" mount option causes the system not to execute
+"setuid" and "setgid" files with owner privileges. This option must be used
+for mounting any file system not containing approved "setuid" and "setguid"
+files. Executing files from untrusted file systems increases the opportunity
+for unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-244531:
+Old:
+```
+Excessive permissions on local interactive user home directories may
+allow unauthorized access to user files by other users.
+
+```
+New:
+```
+Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
+
+```
+---
+SV-244532:
+Old:
+```
+If a local interactive user's files are group-owned by a group of
+which the user is not a member, unintended users may be able to access them.
+
+```
+New:
+```
+If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
+
+```
+---
+SV-244533:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced.
Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+ The preauth argument must be used when the module is called before the
+modules which ask for the user credentials such as the password.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.
+
+
+
+```
+---
+SV-244534:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+ The preauth argument must be used when the module is called before the
+modules which ask for the user credentials such as the password.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.
+
+
+
+```
+---
+SV-244535:
+Old:
+```
+A session time-out lock is a temporary action taken when a user stops
+work and moves away from the immediate physical vicinity of the information
+system but does not log out because of the temporary nature of the absence.
+Rather than relying on the user to manually lock their operating system session
+prior to vacating the vicinity, operating systems need to be able to identify
+when a user's session has idled and take action to initiate the session lock.
+
+ The session lock is implemented at the point where session activity can be
+determined and/or controlled.
+
+```
+New:
+```
+A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.
+
+
+
+```
+---
+SV-244536:
+Old:
+```
+Leaving the user list enabled is a security risk since it allows
+anyone with physical access to the system to enumerate known user accounts
+without authenticated access to the system.
+
+```
+New:
+```
+Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.
+
+```
+---
+SV-244538:
+Old:
+```
+A session time-out lock is a temporary action taken when a user stops
+work and moves away from the immediate physical vicinity of the information
+system but does not log out because of the temporary nature of the absence.
+Rather than relying on the user to manually lock their operating system session
+prior to vacating the vicinity, operating systems need to be able to identify
+when a user's session has idled and take action to initiate the session lock.
+
+ The session lock is implemented at the point where session activity can be
+determined and/or controlled.
+
+ Implementing session settings will have little value if a user is able to
+manipulate these settings from the defaults prescribed in the other
+requirements of this implementation guide.
+
+ Locking these settings from non-privileged users is crucial to maintaining
+a protected baseline.
+
+```
+New:
+```
+A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.
+
+Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.
+
+Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
+
+
+
+```
+---
+SV-244539:
+Old:
+```
+A session time-out lock is a temporary action taken when a user stops
+work and moves away from the immediate physical vicinity of the information
+system but does not log out because of the temporary nature of the absence.
+Rather than relying on the user to manually lock their operating system session
+prior to vacating the vicinity, operating systems need to be able to identify
+when a user's session has idled and take action to initiate the session lock.
+
+ The session lock is implemented at the point where session activity can be
+determined and/or controlled.
+
+ Implementing session settings will have little value if a user is able to
+manipulate these settings from the defaults prescribed in the other
+requirements of this implementation guide.
+
+ Locking these settings from non-privileged users is crucial to maintaining
+a protected baseline.
+
+```
+New:
+```
+A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.
+
+Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.
+
+Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
+
+
+
+```
+---
+SV-244541:
+Old:
+```
+If an account has an empty password, anyone could log on and run
+commands with the privileges of that account.
Accounts with empty passwords
+should never be used in operational environments.
+
+```
+New:
+```
+If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
+
+```
+---
+SV-244542:
+Old:
+```
+Without establishing what type of events occurred, the source of
+events, where events occurred, and the outcome of events, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or
+attack.
+
+ Audit record content that may be necessary to satisfy this requirement
+includes, for example, time stamps, source and destination addresses,
+user/process identifiers, event descriptions, success/fail indications,
+filenames involved, and access control or flow control rules invoked.
+
+ Associating event types with detected events in RHEL 8 audit logs provides
+a means of investigating an attack, recognizing resource utilization or
+capacity thresholds, or identifying an improperly configured RHEL 8 system.
+
+```
+New:
+```
+Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.
+
+
+
+```
+---
+SV-244543:
+Old:
+```
+If security personnel are not notified immediately when storage volume
+reaches 75 percent utilization, they are unable to plan for audit record
+storage capacity expansion.
+
+```
+New:
+```
+If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
+
+```
+---
+SV-244544:
+Old:
+```
+"Firewalld" provides an easy and effective way to block/limit remote
+access to the system via ports, services, and protocols.
+
+ Remote access services, such as those providing remote access to network
+devices and information systems, which lack automated control capabilities,
+increase risk and make remote user access management difficult at best.
+
+ Remote access is access to DoD nonpublic information systems by an
+authorized user (or an information system) communicating through an external,
+non-organization-controlled network. Remote access methods include, for
+example, dial-up, broadband, and wireless.
+ RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement
+action if the audit reveals unauthorized activity. Automated control of remote
+access sessions allows organizations to ensure ongoing compliance with remote
+access policies by enforcing connection rules of remote access applications on
+a variety of information system components (e.g., servers, workstations,
+notebook computers, smartphones, and tablets).
+
+```
+New:
+```
+"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
+
+Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
+
+```
+---
+SV-244545:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ Utilizing a whitelist provides a configuration management method for
+allowing the execution of only authorized software. Using only authorized
+software decreases risk by limiting the number of potential vulnerabilities.
+Verification of whitelisted software occurs prior to execution or at system
+startup.
+
+ User home directories/folders may contain information of a sensitive
+nature. Non-privileged users should coordinate any sharing of information with
+an SA through shared resources.
+
+ RHEL 8 ships with many optional packages. One such package is a file access
+policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that
+determines access rights to files based on attributes of the process and file.
+It can be used to either blacklist or whitelist processes or file access.
+
+ Proceed with caution with enforcing the use of this daemon. Improper
+configuration may render the system non-functional.
The "fapolicyd" API is
+not namespace aware and can cause issues when launching or running containers.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
+
+User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
+
+RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
+
+Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
+
+
+
+```
+---
+SV-244546:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ Utilizing a whitelist provides a configuration management method for
+allowing the execution of only authorized software. Using only authorized
+software decreases risk by limiting the number of potential vulnerabilities.
+Verification of whitelisted software occurs prior to execution or at system
+startup.
+
+ User home directories/folders may contain information of a sensitive
+nature. Non-privileged users should coordinate any sharing of information with
+an SA through shared resources.
+
+ RHEL 8 ships with many optional packages. One such package is a file access
+policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that
+determines access rights to files based on attributes of the process and file.
+It can be used to either blacklist or whitelist processes or file access.
+
+ Proceed with caution with enforcing the use of this daemon. Improper
+configuration may render the system non-functional. The "fapolicyd" API is
+not namespace aware and can cause issues when launching or running containers.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
+
+User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
+
+RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
+
+Proceed with caution with enforcing the use of this daemon.
Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
+
+
+
+```
+---
+SV-244547:
+Old:
+```
+Without authenticating devices, unidentified or unknown devices may be
+introduced, thereby facilitating malicious activity.
+ Peripherals include, but are not limited to, such devices as flash drives,
+external storage, and printers.
+ A new feature that RHEL 8 provides is the USBGuard software framework. The
+USBguard-daemon is the main component of the USBGuard software framework. It
+runs as a service in the background and enforces the USB device authorization
+policy for all USB devices. The policy is defined by a set of rules using a
+rule language described in the usbguard-rules.conf file. The policy and the
+authorization state of USB devices can be modified during runtime using the
+usbguard tool.
+
+ The System Administrator (SA) must work with the site Information System
+Security Officer (ISSO) to determine a list of authorized peripherals and
+establish rules within the USBGuard software framework to allow only authorized
+devices.
+
+```
+New:
+```
+Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
+A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
+
+The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.
+
+```
+---
+SV-244548:
+Old:
+```
+Without authenticating devices, unidentified or unknown devices may be
+introduced, thereby facilitating malicious activity.
+
+ Peripherals include, but are not limited to, such devices as flash drives,
+external storage, and printers.
+
+ A new feature that RHEL 8 provides is the USBGuard software framework. The
+USBguard-daemon is the main component of the USBGuard software framework. It
+runs as a service in the background and enforces the USB device authorization
+policy for all USB devices. The policy is defined by a set of rules using a
+rule language described in the usbguard-rules.conf file. The policy and the
+authorization state of USB devices can be modified during runtime using the
+usbguard tool.
+
+ The System Administrator (SA) must work with the site Information System
+Security Officer (ISSO) to determine a list of authorized peripherals and
+establish rules within the USBGuard software framework to allow only authorized
+devices.
+
+```
+New:
+```
+Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+
+Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
+
+A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
+
+The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.
+
+```
+---
+SV-244549:
+Old:
+```
+Without protection of the transmitted information, confidentiality and
+integrity may be compromised because unprotected communications can be
+intercepted and either read or altered.
+
+ This requirement applies to both internal and external networks and all
+types of information system components from which information can be
+transmitted (e.g., servers, mobile devices, notebook computers, printers,
+copiers, scanners, and facsimile machines). Communication paths outside the
+physical protection of a controlled boundary are exposed to the possibility of
+interception and modification.
+
+ Protecting the confidentiality and integrity of organizational information
+can be accomplished by physical means (e.g., employing physical distribution
+systems) or by logical means (e.g., employing cryptographic techniques). If
+physical means of protection are employed, then logical means (cryptography) do
+not have to be employed, and vice versa.
+
+```
+New:
+```
+Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
+
+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
+
+
+
+```
+---
+SV-250315:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+ unauthorized system access via user password guessing, otherwise known as
+ brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ From "faillock.conf" man pages: Note that the default directory that
+ "pam_faillock" uses is usually cleared on system boot so the access will be
+ re-enabled after system reboot. If that is undesirable, a different tally
+ directory must be set with the "dir" option.
+
+ SELinux, enforcing a targeted policy, will require any non-default tally
+ directory's security context type to match the default directory's security
+ context type. Without updating the security context type, the pam_faillock
+ module will not write failed login attempts to the non-default tally directory.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
+
+SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
+
+```
+---
+SV-250316:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+ unauthorized system access via user password guessing, otherwise known as
+ brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+ "pam_faillock" uses is usually cleared on system boot so the access will be
+ reenabled after system reboot. If that is undesirable, a different tally
+ directory must be set with the "dir" option.
+
+ SELinux, enforcing a targeted policy, will require any non-default tally
+ directory's security context type to match the default directory's security
+ context type. Without updating the security context type, the pam_faillock
+ module will not write failed login attempts to the non-default tally directory.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
+
+SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
+
+```
+---
+SV-250317:
+Old:
+```
+Routing protocol daemons are typically used on routers to exchange network
+ topology information with other routers. If this software is used when not required,
+ system network information may be unnecessarily transmitted across the network.
+
+ The sysctl --system command will load settings from all system configuration files.
+
+ All configuration files are sorted by their filename in lexicographic order, regardless
+ of which of the directories they reside in. If multiple files specify the same option,
+ the entry in the file with the lexicographically latest name will take precedence.
+
+ Files are read from directories in the following list from top to bottom. Once a file of a
+ given filename is loaded, any file of the same name in subsequent directories is ignored.
+
+ /etc/sysctl.d/*.conf
+ /run/sysctl.d/*.conf
+ /usr/local/lib/sysctl.d/*.conf
+ /usr/lib/sysctl.d/*.conf
+ /lib/sysctl.d/*.conf
+ /etc/sysctl.conf
+
+```
+New:
+```
+Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+/etc/sysctl.d/*.conf
+/run/sysctl.d/*.conf
+/usr/local/lib/sysctl.d/*.conf
+/usr/lib/sysctl.d/*.conf
+/lib/sysctl.d/*.conf
+/etc/sysctl.conf
+
+```
+---
+SV-251707:
+Old:
+```
+If RHEL 8 were to allow any user to make changes to software libraries,
+ then those changes might be implemented without undergoing the appropriate
+ testing and approvals that are part of a robust change management process.
+ + This requirement applies to RHEL 8 with software libraries that are accessible + and configurable, as in the case of interpreted languages. Software libraries + also include privileged programs that execute with escalated privileges. Only + qualified and authorized individuals will be allowed to obtain access to + information system components for purposes of initiating changes, including + upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-251708: +Old: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
+ +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-251709: +Old: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-251710: +Old: +``` +Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. 
+ Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the + system security policy and supporting the isolation of code and data on which the protection is based. Security functionality + includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), + setting events to be audited, and setting intrusion detection parameters. + + This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and + environments that require this functionality. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality. + +``` +--- +SV-251711: +Old: +``` +The "sudo" command allows authorized users to run programs (including shells) as other users, + system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as + well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" + file allow configured users to run programs without re-authenticating. Use of these configuration + options makes it easier for one compromised account to be used to compromise other accounts. 
+ + It is possible to include other sudoers files from within the sudoers file currently being parsed + using the #include and #includedir directives. When sudo reaches this line it will suspend + processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the + end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are + included may themselves include other files. A hard limit of 128 nested include files is enforced + to prevent include file loops. + +``` +New: +``` +The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. + +It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. + +``` +--- +SV-251712: +Old: +``` +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. + +``` +New: +``` +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
+ +When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. + + + +``` +--- +SV-254520: +Old: +``` +Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + +Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. + +``` +New: +``` +Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + +Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. + +``` +--- +
\ No newline at end of file 
diff --git a/src/assets/img/update_controls4delta_output.png b/src/assets/img/update_controls4delta_output.png new file mode 100644 index 0000000000000000000000000000000000000000..fced845c8f88ad9a7e259200b84a9d44d9da129a GIT binary patch literal 198053 zcmeFZRa70(wl;`saCdhNgy0Ur9X1;$XmEFTcXtWy?(RVY!QGvWyEQrIo_o*j|Muwq z`>7xLp~k3PRjXEwsC@+D8fR6wM28JXhDW(ht2Ez*m1|b9o^KoS5cyY;Q$ny0cOeo&MU_K}>fvruy)!`J;Vdw9&ZXX=&GtqU ze(qs0L7DA+-lbzbQiFBGf^tc}3ics?;5d00>Kq-VwE^=oPrv+^ssAmt-WT&^75Ht7 zZDERX4D>6k1y5uC(Q3lu!k~1jeNO*rJ)7W1AU|8Hx#=`c0 z)wb*r!6tTMNMv1P4a3>$>7gVaV9PH^ZMi)sXsYwXOLc>7i>Q=k0Y7-|8S!F3B!YzW z5ZVhjtGaX0(3{f(=EP?(4*F$FOm6fEZGx5HaKFhgN`LBHlp}!~ZF^a9gz=Xi0 z#DrB{!B2HyGco4w1hnEO?sS}wN-%3rt~F}!b!+$toO29V&X*YOsuV2YLUVmP1#+I6 za~Io7a`Q>)bw=;Hr0#sW*jwupmZaDce zzX?&qqQO0Q63rI7#JU55OG>#T_TP?+^;sDxmWv3sB8B9Ul>mT{E``a9!}^aFLg}c7 z7mu{79fXh9-oWpX&>XusipKz)JukNf8S<0l)5AETVJ(VN^1)9n9x z_WyM8fBYo<3b9nna>Vf8ZuCE2Dn#+GZovQc!vDY13o=CdX((iLSHb`E-2YQ|Li-fC zzoN&xCE9}iA3xfFFzLdPCIEX{r}<6F&5cMtg${Q-pP~9hoQWyZ7AY~4FkcvQr9>}> zl!L=``c&_#B=7s&l|ZKltXbBZFg**Rl1J>1UJ;TBz0IF@cU7tGX4NV73q4u~ZNJid zMX4KlIrKAsk8xcqSEV%QE^ks*rhGkY!1tRA>Jdb){u#f`Dwm-v=`(&`S!HtQ-tH&# zT{tzGr!KnAs`@JBO-pu;<7J0JihHX?bJ=@kKed%4M_F3WD}m&?tt%EB?jq(S7(*df zF-Ji4%dOO?MguJ*eo_m3-l#Of?THMLfZ*QSCG1`WFpldFes+HUdGY@1Jw+c0dBkq_ zE3z>MhsI=qHD}8t&urZ=2=jO)C45*=dPz-92La`twz!F@Dfcdlvq*7DdbDb zW@^f5y?2VsN42%mygsO8w=u35z9~s4o(`f%7RDXi7CyP#P^waI#=={L23b^GTMuir zfe4oOnvit=3?0`C!5S4F z?QOO_&*!RGPa#ho|#*Ftcl2I7hLvbxO-3Z(`ghYVx#l673p80iU%PKRIs zn{)9#L!U-{t}EpWEllYReRr(2*FbW-pYxU!eOu6!xWT5@ty zec9~a&Ea4;_T)kC<9AnVDG9a5t**e{;WXwsu1&#XW}=F8YJcd?k!tOJH4$8^+?hXX zD%^)e$-P7R$~p$0lI%#vE8_L6IC1+kP?iNdm;C&8IX6rV3 z=J*2IcSPMH!pC;M3KQp+rDhzVAlL-7npfoO64%{u_TJt+RPUbZr}CR7IAeHB1;O$F z-V=@cW}JIv1Eg#C@`7^v98Sn9r&tW7+y01^#mZe9uH(}p&bx1Ku#X%|arT~0e*d|~ zJTQ==z9Nq2Nhk=a&lorA$G+Pv)KfuWz5{+4LlnfnAD(wBK%TX$L#}!FKzmL4T(FA= zf3p5r&Y~v_-UQrwKQNF37uPg1OGRF-_Tzb2Eub^jNskE9Imp(qy5mHZ)Ge*q+t3U= 
zgbNDweqK|MlUr)&{SBaN*Xt(L@!XPbdk9~jfnhnjRjz6bC_N<@<Ghs5*RAH$?%Ba6B(Cw38fdJLd-RZEsn->|K9KRK7?Qa4(_b$eDQU3W~ zw6QxEMFC9LWj7yh)KL6DpPraEn&bI}LP7=;g1ZBPWS($Kw{wKkRDQNmmiNcT57DyD z8+0Ywe5<9~+d56b#csi%v9Zzs_48_k()LYHYVcs?t=Zy|&Bg_Qc#^V&vlSDT!0jiO zOrOQNy0*&^iWy~>Ki~UHFAsl4);&(CZ3dwHdhd@(tar6@^jca{^;jwtaWvv+R@`!! zQku*eTSO>833~7bs+&{cn;xAKz;!qSZURt|Zja<9o=@e@PO23Oo7d!*kaVOr59N#Y z;jUHAuu|Zqg3-TA#ns;^ARr$q5Xolt)`?GEU&HyAIz4|^eOaV5Xoj}e^=h=bb;&+? z5G2E(~OB?aj8?HPxSH5%D#G1oPmHWoMdxoVsA8U%%5cMyp1HOJ{` z6>93wwg2bn`wdq?4TT<0WLus1Bj_k32lIEJlyL_Hr|gRLn(Q#K8UwT4Bu{60R}Nn8 z{wF&Zr`_+j`K}>U!$kM0Gn^YRB?XkSDC_NkSJ%9UVAOoN-^-(pj}Ng1LI{Bh1U9qj z@me<%&5zqv$7}b9atj)Ys;hR_Y?`J*?X-8B%LpLmj)n!9*7@jyIve1v&+hlyN{))# zGB4U-V!SDzSxX3hsiZT3#dt1a6A0wA-!Kxk2AMZ(ld5Q?T{iy+hvwDm=6`b%KQ%wF zRgbQhvOG9ulN6&;a$fTj;LE_c8 zjOxU<fLwHbIFrd^SWlVm&1O#TR!># z_r>c-AQlECX|-&#>8VF!dZm=VXfW$#Em?1PpLu2AXGJbI`xNDRf3o^dEjH#{dqxyU z`=}Xnp&Sld>{EDN&DoKs3psBJ$F#JYU-1jlQ|yJEzh*j;*Gn#m*e9;p6Bu)RmHxFg zih!UYi5pUOOZSf)^PfrD7l?8wzd)mq3_wGpv67)-lP5M4b25;`R!LPAvxq2|W4is+ zXO;Q&31%<}b0kr$R&dka988O!vmHDGQIaWD6^qvS%1Z zvhMNAvC(;gDjn;}NxSYgo(z+>*aO#zBgzVid6JoLGAaAvPI3GbWj$mV%lhXob;G*D zX=OA?_Y*P%7pK(MgyqiFW?HnLBix9s%qH^p_bpGhCzy3E*^0>>e6m%P1V$`Tduj(P zT4`aKT}DUy8Z7bNTVv3Q!9M5JToJuWQ;~t1I>WMefUYh4DC$A3#iZC6jPQnGx5TE# zgRN-VJ;y_g01|^NmuJur?)gS{*733Z5BRCG%b}lTV`mR)N1c`!Q5#0f871D4!^Hd| zS0D+^&Db)aff?RO#g71g2G|@b8SzI=rzxGf|=4 z74UWGQ5#lvmpjPP?(z{>vzJf^UD5uYc8%yPM2Vqfx^r3LM2Vg8hBN~NiMliSgfU_g z65q+3YVuWEJHuA2WqB^CGh5Q4BAD7ieV3%}qrz_uW|*$;0h8L=&g<%WF2q{*9qXKv zC#5#?ZQ7^Bo|&yBf2`0e{B86(6;LBDUBzH$0w3LcH`Ca|khw8-7{ctZe-+p;6 z4I$=uN^h$*Sl4rCxqKp{ogJLeNkNao*a}CW$QI|U>=S{6k@O>Vst|*fC$|nkkF7KC z8=3+TU=RT6eo{;+oLQE_T>20hc9i=QHo4{aOy4rzGh8ek%=Q?Cym0l@o5!6V(|0us z0w*2U23!1kumIB-DkV?*1V~p67RsZqx9X3JEYPq>Y)nm8!ceuYbj?S(klfxe3UH}2 zD7JKr z>f1td#v9g6Qsq+So=X5F_!{7P|JnF19K>ijvJGZGwbr zD*tvX{lh8ntq4Cv_D4Wl%-S0DwKk=SDc^WU!*^~ih|>2E>zo~>N<2o*I$TXtc}`G+{Fq6oFYmC^&zltdlDBJTnF#8fsqNJE+T@2z$fgTCwi&R! 
zt6!gbiNBl-%g;<(wT=jadZ|RTH@x(MP@A4l=WwyK^gn4?YrxwKuyY;yx*uyS9qq$# zZR^U>pu*Qu7YMT{h|=FJ$fw}5S%lbKphTrBUPRi5bAo0z~w?vJ|Z2LEor-=dw5c) z+^pvz+3e73K0`hD0JrN~zxlE%;=uoG;Rh>P%+}lJr!G8K7mo7!a-7b@mAYr^Z^TV^@t2Dlp3V0ie8XjRP2Dz9 za(oKX;{+g_3gie9_tXs{pE64Kf5SFp*T>kY4=A5y+wpk0XEM1jy1qlA$va z1okCsiNW%nepf2#)tTHB{`Nd9N1M<>To$Qnb-95wn%x!m*6~_(8A6?Qr@4YzuAM|p z%gpCO__-rm*RzmvuK+f2lT_mjLY!Gr8mb1c?JOUZ zM3kKtkY-eaPD=}G7lF!fxaxBohbzK$(4<|!Lm2cSAF4S4$@|*4|B#==EVeyp= z%IMR&TB`aPGYZ4Qn!{2zV8-noBwA^i2N~uRvzLFypu$?u!LXmV;&N}2(KIucQi&R= zgj*qsh5=XGvx$y&J^(v}EAZ=MmNMdB@HnqV>#>|g!AJK)139zU>!gQJnGGX-9|9~U z(23Pu1==aBhumF8Ij^q*h_!8WxC85?q+-KRD%Ne*UG&V?z5^Tbu@f{0e7s`~y=Noa z=2gK&!>~<^Szq23avZ)6Qy-4mA!Mr$vh~(}p3}9jZOQGGie(Bl1{1us;vW@{D;|k1 z3P8>u+KFMmHh{GfiPZwyVs>2Q+eO`|6jP~OF2mtTp_ zcW4W>j677Ds;)jFsf$alwCzNnUccMa`D^Mx!z+6n4H8y7u>IjF@cJWHvL8Mc^hxQc zhQ5d_RzJcLlyGn7Drd7-z;-LB4^h>{XvKB4HZX=xHc>6xu4t*t zF^avuOBEz^)VYJKY_N`_7k9M~w~%1ByZ)E!FG@Es#s zn2N3BqrHh3jxJ6=sfs&*vtvC4peXkAzY;;!GH5oh1z)|N%V|l0P`>B+0clYOK(y%( zTdrL4q9TD{6KYN*-i1ROIFvZfoVecz&wa%B}MtHaRxdv_QgUh%v(}}L^dqp z*u3$;j&~*Sg`6DhI!J`Rvu2J89{tj*{S|TL;)OeD>M`{S`#2-D+liUXmi8Yg@A4*Q z)GdOdiXODBi3Wc$E2YyIgY>ejt5D*!)lgYa@q5KA(HNlGi-{h z+ris0j!cDglPvD9Yjt`lltyymTf+)JqpU|!-zyDx&v$+qakPr%ePekwx7qrDr0tsM zl?0}XTwpMp+eMFaEl9FRI}v3Jjj_S&1J-gs$s%t%p21RLm}_1d4Lt~Kka-`cie0gF zgGG#a1|4h9EziVT#WMr)^Gd^(0z)tSjS<*Nk)?_{fAI~+mF-w#PG9Opzuq8qA8bOP zL0REpG`62Eik-89bU}91-?5u_;v%d!)<}be6#ZoVsfK-sSu0F0bh~cylSFXO+8i+C z3~^EgzhTqlhKubioGjMf(XBtoHFeHk8J-1jiFcDFEM6f@p=AHmebF-AbU)K!^fySt zIPq*7YU}J8qCm!3P~|#*e)D)X7Hu6P3g8geUv5{uKaYS5x2L)QM^OeJomP&P+T0wroiuLHG>a#CN#-l%|X#f7Y`|e$o+TDvKkH`?O26pimz8pde zjwh6!?<-zZ_Ve-ln&})4g=)=n0XFKh^Iot%f7ZwMLLzK3i>mH?OC`J;|dXm{bt6W?$%#M!gxA2RAZEo^F(%v_36jnBpLId5R z=S~NAXlgjd6fF1R73N%4P1a*@)wps@&}ne(AfXV`#J2akO6$;XnGl(0TnU8|Zz1pI zxR*@p`lSNJB&WF?=moJ3^mPifL8MKheBeug-ZC$VBcpz_gz1s*D6|x5cG%U{P7`D7 z1y{i4nhIYFiU9{-83x`ZKY>1Tcu*4SZi_SS%mH}}T(%F$S@3zbAXE~!3-Pg6d}Yx>9;!P-*y$)`>?3BQknj4TGfqO3yUxNca=*bnis*9vu*H8bJ9dMTI 
zVY{ZbR(yW4uM$;8R_j>~P-{t)J$x?Eo)K(=BxR0U_j5=AsLxasFV z?Da@NK=a4d1k^!Vg>rg#MiY7D7({L4omwM)t|HZ4v8e9%ULD`fjz{ABk@TSB!#qZH ztF#cmR%B5T5)nZ~>ekW_sh({kTFHyYP`~A{P9mzI@i1N=yh7^;gA@UWsZyipi`n%M zk4m%{qKpHQEc>=GjKCqtao&jYT$;n^L?;ur9Wopmk9b68>!WgU{2mGU2AHQL6%QxQ z_|c|A=X%TWF>1tu2LoxdRw6wj$9r$*e1czgF}Rf5G6lLLMt_wOFUTq zuq#+&Xmrmr8Y^7A0wCJ1ZsOuQ_JftSl|NmQ2qm`0sYbDLI#DH1&z3i*P28XGIc%80 zTIXKG6dPCbmuBm9>@jOg?!noglm3ck56RD$cXJQUxBrIxpfMco(^86{^<*ul>AW*x zpW^_iip3S0xA=A1kMN07`cIrhC@($GMs>}t9T*aJ(k7Y5&9K;Z5hJ+kW@BuD97zNO z20pg>KUiIw=?9Us>`8i`z<@v>8Nw~)c{8Yif+N$tE;C4^Yd6kLiSA{?YZwD(*vQa= zeP9v}Sz7@Pz;_}Ndl3UR?y-i(R~|(Z8B4CuvExEou$D+-QqD~^Lt~xcv(GsC-JroM zVj_sPQg9~+efVd)m}tcTaIU&3XsVlZ7dslUSiZ1n#X3pmkln0Gw71~DVma^xRgz$7 zE9OD7dJAk8^(8FCceW)^-J0I-N+(R&xnB+oN^C$P2UoyK4gVS2?7WMqNpG^b7;A=$ zT0K`kKqwAwK@G@((0goxN-K>94gI2Isgnzcl{YEG3dP*}2I;nGB1#8?CNyhB5UURF zSySF~pt!&4?P84ieXFn&kWZo1N)cUkJIgt@u4?1+#2s^?~BI|IyLWLJzTJ0mmK{!dS84;vAZVJ%0XoKT6?!<5d1=F zL6QZe9ymcG)H0k}%TN|^*Pj#I?Yu{n%@>vD@^nj6QF9*n)9YCRg}W8t1{@sz8@D-k z+QIm*JMseiKVSHX_q(t|vYi_y@$Akmg#T^kc+IeM*X9-7`2{7JKD0L12vjXVR&}u+ zz)Kdo;t|Q07MymhUcr=2CYkTz((Roky%!@Gv0beYY?UsRb^d)nzU8s7d;Sm(3uWis=97(Q8)5DJ?Llgvktgo<#-)i*AU8O80 z4xCBK|3pwL9LY{17(&$rLtuLOK`rSZQeI5*Qcsi7v|UnNBI`R(2#$(i1v69t2ce&D zIayj;ZRl$=x=I^#n@b5zbx)i#1S)LzJP^b^iXu`>X#skPyhT7m1hJ^{o{z`3~HHws^DKbzY@m5q$F?A!Y=U(QIkbKJjnUq8XxSY{Vnv!ePeZFI7 z$N~gyc60bMA3Tm7tx9%4R1`HP5LqwB!*f-Dz837X+V%-x-A{}G@8jo7J1-|&2gfyG zFza_{lG%@xL>6>gwG-Ckt_=6uv!MF;1C5OB zBEe!D8sq*vc)#~UoETU=-FfJOB z^8}ZRvE1W|4W|dEeSkvi{nBL=%q(-Cn;K91kn&fhN5Orl@Vn`C*j8M3I6o$p87#Ie z>F?LD(;0geYFD8bn~84Wi?r?@36v-%npnOxYB;vcF$5k|WX0I$?$_j`BtbC^OW?|< zz8?B*XL|cS)wiq9p1)S8+K0Gs%2>5adXg|GL)2S`F=#h(J5(XwLGlnMaB!Ga#+<7o zm;B#CPZ-Jg7v&JN3w>8<_w_eyhj%zCjV>OjcKu#qZMo{WLX#qGi7-xWVv$CTQ-7V7LsdzPW5aDLQpz~@?CIKGkRBm!7l%TJ zCmz4b!~sUqbkyX6u=ByaAf=`qFND9<*q#q&aBuSun~<;jA&Q*v_jT1}kLh;xrK_G> z{FlI+_4!~nTL}r!%1sLVl&;9d zVZ53Cz!2lJ4uyFBa-qzt?^{^5ysynZRKx*HrR%< z*7^@3%BrGii02%e-Q#V7d;hnR#H@Iw$a{7ro<0Y*4X7^V53dO7j^{u`Xd0AXO64U( 
z$7HFAFue1OS`~S>692wq`DvqR!0m6l4IV)ajDqsc645wJMFA~i8tU>jgl!?(6LHjL zUC?EE=*LiPPTHj1!_{G8nidq74o6}Wi_5USbe6`kIOQsga$;UPdv(grsp>8)Zn;`b z(J?0<;bp93^?q~m#>$#1Fe{Q`Zr`A5-8+r4Q&vX^t@v8m*{s93n`S{nCecI zfXmIU`0}}e&X zx?BGlx4x_2yoLo;AABYKswaY~NQ+BKV6$kFox{zb08z+0$9Y_~hps2qI%F@Ma7gG6 z-j9UsO|ovM0NvXenBZ#0a@EdsKY9|06?ey@GR^6c_KVP_&8|4ik+B@TTO3CwJ(YM+WZNXo4O0^|&cF{lSM9=FT4J@_``w)F zbX+yIpGDmhHjA%%Xh;hR(QaKgwB>(`I0R=j9lz_7Pl?Z4=FPdHHm%zL*)276aZqY1b9kd-F;IxL z4cE(N4ys;1z_i%dj&ibSo2$*KcdgZ6T5SfZ-y%%cgrQAQxP-+`a(XniI18^L!@F8u zm)l?u@xnPr>NneZQH@#;8fap0pNfKO@@;*l_q^j4$=&=QQVr0*d%+`QUz;|ZsIr(5 zl}R6~I$LF>p;!kej-}dal+tQUL`a0jPdlJsDtu{OAwIWBWR}Jz11!&gSMA9{1~u$p2ko(IhU2SgQN34dNnhV zZs1qo0%g^$oWog9+>1gI>ygfKmrO96|1!H$~O7!!rwLXzN)5FnUjYkhe zjF@h3MXHn+;=aIoySU$==r`}R%Qb&yxF>C_c!4|uCpox7!SvQ$Icd^vK9i*;(%K!P zH>ofJl&2{n14_yq%m;ZS!yxbWp7G(uVmg2m?lYIc_NZ0Pxm@*QNhwvi(=IH9b|_3+ zixg<;V98?T5Puik!m+jGTb{`oyMN%@%huo+H0+79a6CxOYT<`qzw9P%I}eLi80hfw zA?KJ(T|7sR&D$$8%npb$D7$`t0LrngA{_7t-k~Ynb0b?IUZM}#*m7yZy4S+DW%DuY zFa_TSIdgfT6V+AfIpxND;!A?r>-CghlaTiox$7^?zLYELVpE@25rt7H2?luAZBkw% z0@A*%+Wit=!5R59Zp_ahdX*i(Kn}Og;N-Mab^iIvh}`6dI-lJ$D0rI~kQ3XFT$=Jg zxCmS8NZkHewP4|yu$f%Lj@@}RIV=3G&p@>k_Vc&I-0l>;4u7HSvg?|_M$KA{KA95B z?541xw&K2-SX=}}AcoMU!8eGpZC{#@U=@Y9o=(M*J+BM2$?z+zS`N}%(=0l_AuLx? 
ziOnXe*#s;*M%!v=cw~IBTkYi5I_QJNMw!<%iXb@Q^dYoiDX+XPFFRU@@|aA){c=$| zk|4;BHGG_I72GZWY&>@U`$~NV0kr|JRKw$_5VI43FI~v_Pav4~i`Z%y2a$bE%T3)r zV%;FDwvSt<%{<#G$W)zR*Z$cgL+Zk0H=qym9(UA;rH+32q==t80{gS`P^yS*NJ&a= z1_ZzkpJggm<&UQGhFrx@Tc+~_h0J)xema^z;g^P`$Jy)31k_K_!Nu%+3_$!fTjmD=6b>+}8-qR-sBV!8W75X*6?TRnURl7aA2NtjOw z1tO#$DG|r*G6~&(43BmLEn??F)M4=UlO*g&h7FE59d1YB+1EN{b_9`jQ$z-|Ck!w_O$_&HfX6c5(Yma%-}0@gVf(Vl@k>?Kkk7zjSkQ_Ww0yyjD% zM{des5>6FG^i-4Vi@tZubCa=>n5c&bcjts%R=int#sMxsjC27O$+9@ikXN0Kd_Dnz zu<9wd$uwJ6?g0qh+cfM@rV@|O1ZS|a;8ymbre<<02Y`JIW zE>f%8HaTr!B1leMvpS#a$QAvCp(1lMw-B+1I@NFT(hikeUE?}<9VJeR0LwTonJgp@ zZ9UXxzF@v$UmTI0D$Aj+N5x!RX45I|xkJGmWIqfA-J$$IW@~$-hu~~ANGUaKm_VBY=>of`?i1^E&`+f{rt6`6g4{3pGU>2ns|DFx2GXYf;xB7Y zS_M0^&!|N`TE|)qhVoOkU1i)4RpfLB9KPLtOIZA^fmN2^Vk1t^{Tynbph2^XY>1uHnY-&E?Mef1l6bO-FJYH;TRCT@Nz zB9Nt`f3j{Av6m(}(cbJlnzg->@;8P|uvF?jG&Gjp?ntr2F1OLmCiB49Law?D+}U#k z`3JpxdN)@fha%7Beu4LeRyc89krDzi!|P;&xq*>mOtqqvKR+snhw7~NhQmONLA}Qa ziYLLGBvlN33jpphIA2lF*G2?H8yI@qknkh|qTNP5OZ+;7r9Ho%g5UkL9C3hrE#DGq z=%a@3fV>KZDVO;JhQmhS0*t*Y6cb;AN!ejSZQs-1_hitJIBslfMqWg*72MH0GR6K{ z;5o8V{|+a<u*7whs1eG2 z&ZkpRL;r6@Gn2UQyD|-nv$`rNMe-GbZY=gknX6KPp?dT}5vtR3u z;d6+F>-twN95Hx{n7Hk-t|csZb?n`^jAy2V4ADtW+p6w2b)$7&L5cbqn8oX=*xqXJ z^qzW{Ix?E#I@1>pCn+OyRnyo&J-LEiIxOSSnRqfgta^jg>xuy%`U!5ELdY-B&UcY8 z{IH~QqR8W$`fpx7`BMlB++CGz%tNjsora1_C( z+=8b8`Wyju1rZ0YpwJ8YIfMk~LkKAAX|Gu>4$bJ9%r*^vxvabU0bwbmqp#@#Glcz+ z>j2Ph>etkxs{U?BRwC*5>nyu(YU$^!1s|lY&A$Dd`P+P`NB>;ZQgna%k6poX3~wRL za_-f$c7mg-?$+XtDZdEi3q#NT$~i9-=V&($>pASBq!PRGrsIx`+JFZ7oaM5YyULWi zvJPCtV>h*fn#L}MjrW@0+AV%TxIoXmP~>r^9pZ@h_5sbRKV2EMphTAW)(YnU#~>CT zPJ<$uSmM#4s}q|<(hhXYRvQvBp4je-)&nYFb)!H_9mLkw^OnSA5K06xy!Ip{JVHNV zgw12VR1D&0FbinAlRm%BJid^z%$}R0-3VY36fg{SMl`Xi(*yB)ZYXjC${y`yJYX-* zN(+k9TVLqg2yB2LIRZYPW&hDC|p?M<_$7R z*im?7+#cyA9Wm}05*zcmhLq=`r-CMvez)OuPA4R3(*aE(uNvw&k8$aV%)K!>k4Lto z3U*?V@L@dqk-oqx+g*=B5J70J5!HK^8MPfu1SGI*0L!_YGJi;6b-+`pFyiy1s&liK z!}F(7``W?!qHVxtA+5BBh5v{E$f|1a3{A2T6p9+JO~RO|*}R_q!SBvf@@#^TF4={A 
z#o%L(_@F35Y<1r`*&|<#x-lX}>Ao5Pi}&>j9bS77#q!B{gya*~y<$+C%J5PN<{tXz zF;Bdj2F4Vpu%61ZHP~Z}hhjkelxp zGYQZ)O^bHC`wd{kV6|hQi#lbf?zva>Wb|&U{+;WAh4|}d+0?t7?&~HxT%tqVqr_Ai z#Zq%D+l^5afUqG~WJ<&#Wl6jmDV^n`<_@lzGN(ntX1o}Tbl6Ho zta{V08@ytdJo&ueg!H35rQxp2di4;0rx2gc9&6mReQ|3o|My;bVtL|Ngu1) zp^U?(<5e{!;tDmOpyCVTRJF<~QSqIAFY#4UN|4cH_S8A}yo4hf%bC+N;f}z~5mCM# z@bZ(vx>R;rhhpNbAx+{Rbv;8~1%69`AEK@sCv zlR7ik{g~ROM8_A;wC!=~O7(rKss>u+ehQ0d`6Hho zkpKCyx*N@<(JM8q;!ch;&a|%G2=-X?6bY#2SR+#r%}6c84aN;&zOr*hYV{2c!?f24 zW~4rXgcD9ayVj}^4Ey+xL@09R=3!A(nE*!3KSy5wktEuNfI-0N4PJ7ud$udCE^@H_ z0>|SkiDKrdmiBk-cL&`#JSnp?h&CD_Lxi8U+`l2zzKvuiJ5^JKO0fsxz)+&c0{*Ns z%(@4Q2|4ZX7(A5poXs0-0#MLnPHT!5o_&y@HrLBPwBU5_QJi$=h)tkS*76#$57|4P z(oG+e{NU074?2bq66XAit`M1?$75lBgSgGWExHyHmYmy+ZF5twQ|(c#=zug8*Ni8n_&pZbo6A(;>u43T$F*3oskw2m=J5)NFw&W3C@aQ5LvAB0Ha<94PZSRD!idk zf0{pAWvKgzIwG<`_(cnKRg_pCxKi2 zh+F#A0KdPt_DgLiB_@-5ICI$SjP! zVF|oL#0-00`8;Q}_-aw`<`Go>cjsEo5XI)ayKES9a>R=?3Kgz{Pk$w4C>7uj#O6)_cJf5ZPps#aerd$G!@0Cl{c67 zf3U_G;eXiXMjCkYSAPEY-v4Vz{97sXPa7Q#R09jWg6+}3zsYa@ZNmHyE&t#3@?~iY zo;eHnpE`j5o9_H%MTHWG(wrq6J^uNe{}xvMubN&23RS5bS1{(cTfZh;UGZcxtFWeu ztLrXAXlin8;nQ++iv_?mDRm17o10JOFLm!KiT0Q6dAZ*s&+xnksOn+@$Naxx+^UeVoSd2LQDvv?Smh_~;vYixLJn)vJ>C{UQ# z^+YYW@8m@WiMmO$fb=1~$P@4?`Ei_(SpP!_<_op zWhs0{U?ZECos_6E<{;<9fhCtMGK=;&m8_pxSZ@WHBFdWrsvW~nrpDdw6g!`25vVngXes1nJiv8}^%Kbo{-Tndxf)8orqA<h?hG;n5>n-jl6@nk3t{;j;v~9KSZU#Hev1Sp`2e?f(r|TX@i#gqN z`sA)rNpiZ8)3>)b+gpCG9yF_CE06#tT55Z&qI$7xQJybdO3~hw{1F+0c_#%eH8j>- zchSsB+mC9tW?gTTzAe2R&|mb1?7nYFjB0dnwRN3ZmUW&glkwE0Yn6PIcC-gm#+J}C zAtIiF6%38&QT2{@NKm@G3{S$L!B00u`(AfNcee}0Gb`4`r@>W}wvIF^4uOxQcj04! 
zl%ioZ1tS_yG|;d&#mLl?`b*>ok8V)Cvu&@e^xl@}wJQ+Z)m_U?PrOr3FFCRB@tIUI zvu5fmO;*i?O-#*+ZofJ2)kn9xnr&MA_!MeJ|7K(K?RaA0!exsGv&>1mo9Au9&J9+b zSaUh<2!3#?R3?p~|N1Wg2nN{pz_GEm@wvM%^E-}77L}s^PJn(ydNnvoO5ROfx@m+z zD1vmk@Cl=?(AKF`?Mx?k4lhA=p$WWg(D6wBvG^sjOf)a3w7{kdNl{8F zmAJzNe(%8LH@K{8M<0M-Zf=?(6otDc`|ElM2i5&R^s)?d$k2C*L7I&VVudPcEbT%_l&n%BW zRlF7TQ+FTE>Ue5R^?!X*xh8{+P;N6m$Z{>bX-@o*kIIyJG~$MQBkmAK$a=c8(cD z7MH4QC~&(|rFG1QyDrTb!N-b|V}gOBhvN+2Sfcpk_JhVw>#@crsyQ#n(C zqy^??z(I?iPL>?IPpGrqUMj0S`aH!6irLRX8Hd5Pk!)wRzi#)Md)_6(>K)m+gwemE zDOcwNw`jHYg$Aa?)Iq+OrUnxw2Ztu7OOuo;*EE&5R>7%KS`wqLaGSvGM(sq%6kcQF z@0v}K@2kV1D!!?Tz{hCs!gy4dzub)-Bj0LvNV!Od3Tgy=a$xO%drW=Z_9`5+zLOz# zIZEwhyO)b$yFagp7TrDjqV2lW5aePrz-eil_w^1yQg5Xl~iM_ zZHRON{2!d1bC6_RyXDI^x~wjnU1pc<>auOywz|+|+qP}nw(ZIO-nlW~y)zMWXJSX> zUzrh^C(qgY+3Q*Bx9b6UNCgC5$)xbx20-J&u)%JPEUllED|wmo%r@=ZUynM4Q?7@!t+y zNjN!SU`qnf3q~)b+l|NaQEhs|(pH+6YtQI#5p#=h_hr*W{GRxZ#|Mm#ydIp6YMiFd zy!P5NUyUoq2E0dyQX)7v$oztoK-=8>bt8v}Ib+Gjr$E7`(#0KzQ!sVJBkM3poj5K| zv341?pZ66}s&bvuDppzzpagR0tS?&=Ow*x$DPi8ww3?xR!)D-z0V^>e<+Mey<4W*N zK!;`VZe0DdTpf>x=jLs0BKafq>kM;G3w^(O;_W@6(xgSlZ;H1Ff{bgQV*n8>!tmFx zn~skj`@%E2L3psr>hR1zKNr}xOk<0*ek)v7b&U>rQ?i@Jn$;vCeh($pI#@lEIb`2) zz@d9EGpDxl37UoAfwXg47D1t2Bs5q!qiWK5 ztK#pY$JH|zs$T`-qFbA;b)mfP&Ax{phq7xDb2usd0+x_SmcOD-6Q@t1KK?QFI}xN0yMqwy4r=1G1mq#_SX&6C#*%0Et4DR)>+SJp^Nw#Xd5VF;wE z@7JSW;YKrlv-E9vUFCJR+|KQhI!zbKUUqF8#%13)ANsK!#*00jaO+M-OeD-!J+v?) 
zi&?Dyc0<#cPzpxOtqRtKBTAyQ$_W27#HZp^VhF3>^dZ*0<>8-ac@vluaL&t3-{h;< zZ+#?S$dmo-+3fayG+JP$#t~rXR+jCFpvO)EFP$D%nZ2Vr0+34Lm1o(bbQ=KCZMh!m zFVd~^6=MVnb&U}Cz1F4V)*P0>(>wpK+f%O})9gP~wAj*J+h+!c_hAbtL2xj*pZr%; z(9T({Hr$RBVzpjW!7DqntLr5m|=>)U?}l^4Q{jknVU^ zN@Q=$s#|YzjAmX4RI;|~;>YIK9a#2#h%md^$+1-p_Z1t-;M)?coXjUgV31)5M&jqa+LPVaZymiT zU)jh^K2l9wete=W2|E%GbL;!?U(mY|M7(R;lT8$|`L{iuDlD=XU}+9oKi7G$?|Yn> zZ?ZXxS)G$9&G}%@3{lR`U$ux4d8y)X{#nG8m%$#(=4rjh2{vlgY{Bmd4~Bm+SM*zm zQKA29FkGCJPsraWKyKMS;@CHYhX&?H^B5NQu<2Jbv=PdZU}9V;?Pr_7${gElR@2sx z&uNl5ZHqMhf6}wIR`r%Gr9B(YeekQtk7-GEow#H*os{9wR<%GN{$0Ms3`G)E7^b6gN~w!gO_F^suJ?k?|o5lNy@achrz|e zfEFdzCrhep`kgk`mczxB|BL(S{6}0;HmF zRmp#NPgSju^B_U=?VGf)PtKW37f4sWBcSoBV7XcA%$fH~ddLR@I;(UDGj!CO!x0`p z5#VCLZG3^gkv(lNccmK#df;6ibZ<)%oL5_3#fh|zgf*8nn)O~rFvg9>1Kf^pmz$Pz zDy^@z=>Ci_0ZtV9AVl9VHNWp>Ja=REk+-bfL%s9wpu7;Ae^2b@(nlV& zPa)cm$E3coC;e&s-t6%C-?` zUfHZUjFgB_Hp_JzX+oZ|jNKyuT2Q>sQ64Legtk8B<*>#^k$Fbf&hI4J_*d}&SbBxj z4zNs8FC>@Pna?B-5E3@IE(u8wy>1F9stnK({h@%z69ZrGa}E^A%LISEM}^m^xlQaE zrKf;5uiJgVt&9fz>~cMKEp55Pc8f-W?6ZCV0_R@e5cliyE{BZ6xZTanJf zFi~AxeF!q5;W5%h8S*8TBNI!rg8QqVYD0N@DTZ5cw_SG~Eyib_hEwYx6&>)6-f+uy zkxcU4Vm9&)`Bag2Hm3J(sa^SQ^6&=UYj(+bTqPM+{%WmFeQkOFPw4QC%=DcD^uaCcvIdpv)0TlNI1f$5s6h z%J7@%{oZxe!YXH%n@R@%1%5DaiEd+_RQR7=)XQxY`m1%F5B)IZktAqhw@(SulN^=) zJnzUKvE|G@P;$J~epg*4B^3V3YwhDDR59+()e5+a0H+E#KH8WZ86y5N-6GydLd2~e zhksC`O}ny?O^2e;FRj+^<^`{;8dx{!vCb!1EnxOIbXU4Nc3WB*W$GI0wbHW#5-cn~ z7}JoDwX3BB$QFnIwLr=dyMoht)OXI$v6`&TohMvPLjP=9gIwoiytHGy!HqGVNs{qh zXKwo$Ktr`335qIKyn6q63N-iuZgVVIyIuh*Ps_zR*X$hRZfJNHOexOv-5rl>k#_*6 zYou{W-Micispy!^5Jf|K=cUJCKEme=PP3{bLRhZcUOz*2NwsNd$+drHHx=f{Ys<%` z%aX#S#h|(nO3EYo^wSGjK)y16Cm&T93+BL-a){*GF4i~}PR^b9nnUFhg7+n`0{dIt zcfOd@DO^e+$Z|}H%dV{VttqrSwq}3_Ubq$pXtQzP+dO-(T)g0j`ZJma)pg8N@SIE> zP_Hy3K0lx#kyT!6z2VLE`ust*DCk`Boue6eM`wAxYC8h0@0$Fi*6O| z5Eg|;4-oXZ`cY%0kDK~s!^&|(dvivfzkHeEu}p4GRhHVh1*u}3V8>vZqhNojAZeT_4Py1%-JrD7RGeT?9mj5}V07rTPCk@gB^- zI*f3zSa%;C)pD7zY}{6(nx z5vkmEl%+*lmRQ!Dfx0rF^4)F@!UGHH(Cb*hGJX;SgXyV;8tXHIez%~*wg?17RJ`4O 
zhOf#?@u1ND4ICA_deQI7;rWq(r8JmZL z9}42{yFGoK4Kmv=2Qzn@2&^p4M)W>#GjE2$dOQH`iG&Y4JCfkn}ypKP9cxV8-7)bFZU~4R_Ue zuoy&}D)`%A|8a=NbiflG`gbtK`f@|aRV16g5B4MP0Ctz)%EmW+O@a2tCGC)p=9Cd0 zQUE`I>Za{eGfDC^uadM)dPx-#14EMk*47NGihCiLON&XlP z`x`Pvp>7TkrRNPP5oa}G0o^(voYonWnB;A~X+i&}$ftIykc2XT7=uiTF)O(JS-8FM zg$4OuQ7+COj>f|(zw5iL-&0lvy#h?iL_;QYvTnR?pov)7gzr@S9nH!&%crc$N0S`U zY~VDIR+dn1-{nzLX5f9)=gf-A{T;d`^XnA{<3iyV-5Y+4V3Ex{GI#3Na;JCswJr<9$NQ<@wG<~#Ft zUV&g!)|1?-5FfK{SGxpobZ^q3lG#&!S4XY%tCk?6fc_Sxmq+ zFg|ZWxUVWKC;VzaVIvs$ej#ta>L2o zOmtL1Uu{>eySslZEvq!?KENx77?&zUfNZktm3C@w2;+R$TAtduI{zn$5TRq_KgYDD5W+-N=W#f_qG4ptPHRsig`R))qL1@@>IkQGPZz#P_XnD z4JdeFqj+|X6-AvTkA?1Ub5m}CF(~Ef;3IaEDavTuHFX=T6DXnUmq+-1k%>4=iA!c_ zGXFfUjhPNyWF66Uj_YjnR=$WHp=n3UubQegVGV$Y#Xh9k+i^b=k#@}XGPcL%W&+AA zXxS&xRfmo)3Z8xM&e&LbX)SRk!l58(Hx$8m9~G|%(?M=K))x42$`L#%ZnPgF4R&W5 zR;(LA**sBIr-~uqW4UQMfJO1b;k>}DT1g-hoYcYR0opF;34a}0V13hIe}rXRsY~DL z22KE_qwVeCOo__p-Rz#r`(PB;A4jVH)^F@bSu!MhnLWXC67oMMbCYs`;OAau>kroDmL4>#VE-h=tD33rL zI5n4R?y88v#fZJO%koBzhBYI15*Uw!o1nuAwTz7(>h6cBTs8u<<^;%EFgi`C5ynkY zc7&U72bv6D5Twd#&Rfv=@oxmQ9_IqU<-LbM8&HoH==5e4FYA{EPVO`Nlo=yxdXfB# za=y9rv4m|Feqft!LnNI0LTsHRo516hFQRJ2y|zKpNFJuPtv5$b8Lx=XMi}- zxW$I`TnKulr)-Ytl;h1U+`wss{ScaklwYwOx+{+gIKq*DI|T1X0=7sb0}b{vNa@Y8 zLEv}*sc$?t84JI)zDz(GL$iFq@H(?ev;-NL(8BT8pP@&*dGaKKB-m>G(mhuaLa}Y_ zvi;5(EhywIdIu;1MRr;m$ymfB0B!F|ln`=n(20?m>)h7O$s~(5A8`~YEEYxlSIc^{ z>r_p{MfGvOL0bI!3oM)@#USnYC0xV5b)%~vzsIuH=E;%(z4#0BKAzxzqlN)z_V?t3 zes2(TSHXrsXyz2Z7bT!$P$?e{Gh2}#=;^60BZQ6ono zL_cYIZPN?#7ow^#4E5}}0OO6dus$B3Ypd02Ad1g$#$A*muQP%+TttMJnHe2LCQ96lqDOT+_ zX_g)v^`Nk1NXMT-&Sou?sN95~O@~{A&*K29ZOC8}s#vBJDj3$J5jY+cB*pN@miO4` zC_yd_Yq=GKo-Vo_7dnR?mCp-i=l(^!mO(nKa`gf*tR{zmy=$TeH!vg6K>^CMiwlaX zD1WvsZQG7W^cCYzO%v#o9&3edD)4;~M##5dF8nGp(tsg)BE)k(-@dp3fpWvZu{2$u z082T#Hg1)jKe%Oc$fo#}wLi;&qW{LQ|CV}6t%i+&BCe}uCrkwzfD?un%EC17f} zvl#4ka<|XA44*lp8%R<-_>eC>7M)p zAjNf%_=IWX%HgH$`LqslIsWE59d`Vu-D9e&%8zQ3tE$Ns-u}(3P;T^>YT^rGPSIB4 
zOE?Iksi^zFx~|dvF&2nvos*z}3RWrtWJvLe1jm|Li&Tj}*;#GVyH+TMND`g*el`cEmQga$D?G8w)3PPu#4Ju{##qsTnf8frX{nwisO`30Mzt> z@k}3wXb#7DWGDHu=`Irs2-T>8w6^nu`)H(o_L$}l6@hIdi+31+Uk;Fne>9QdG4*;&7KwSo{KuvQz)?(6`+D(p{-mx~5; zv_kaE!Ys;%Vt)QIp&(kz$v2xK$C|-t#Z}d#*^Nz|qnDFc4fk;BDX*0RGXM6zS(v>e zougkfFH)(-sr$8W8MPYL(&BaHV36xWgzPQKoPbQ-_qIV*lJDM6Uya~Z>lM{xXSIj} z-$Vb{#^9s<`Se!ub+FL4@M^g`k~{}3zlRtB#$d743TOs*I?9qY%By6na~HQTmY6{R zX@X@AzRfLCvV)w@P@X{H^BakN>;X)KZNCc;N*~;}V#&>FWc$U@>Lu22io7_^&85ZP zVu^m{m+VQck=?;@JP_d$QK0v1Cy-?vy>BtNF*xHce4KqRfw1#sAm`WB0(DWb-C6X! z7BJ>UZ-b>)EmG3djYW)SoWxk)ThMa!Q`JBCe8fqN?A*ee(W9Jux}!ft1}P?|j{0I( zsC_k={I058ATg_K?XrqNx96Ho8XQ#9uX7@!$657n?Ia5pkQwY?G^c}noHz7k~|Ka z2E)ZXGD?oqI>rs7**2DKU4q+d$|bf}!KhC&#B!B`05N+aEYAzK_Go4gZ>RN)e<(Sn zjRh8M1I7>|en9gQXd^ewZOpe+=0CV@{mzAv?1p_mFC6LGT8lbz0~b!d%yBhHyTa?u~&md<`O+>O|2{wA7BrM@lxMOsj~czjD>;qfHFMN9-;u|)N_8W-(JB= z1bTS>f3T1&wicWkg2u?2%_G!Hs^|)JVU4;_`iH7vLgAYu6vFLQ`JPQC>d9{Ew^-ig zoacU#sh|}+t*0gY5PlQENpTWsXcEZXJB!wbX_ESB;TxnAd{Q?66SY9cy&K5k*%i?9aQ@#Ldrd&hjm)he_sA2 zAQxxiOrkBsi;4(9b<+-P^If;i<@o@$(Qa9_Mya(xmKYrnh#@|+H~C~=->qsl9kg1R zFr6%a*HK|KAgxoMh_tW%shpumy(l1oTTQ>UBu41IKVZK2JDM#az_tN&AVsUP-4Q&h z(}Oa~!xVZ5Kdc#~nnWG_ub@n$b-7siAJ7N@@(K12drD5e$h28=g@O>IShPjul`z|e zw)hAVUa>Vt+n%DzuQjU;DXyz!lAEB)PRpQi^ipxTYe9fMC4%6xbwc4XGAmQ?aM{K> ztD?~;<_Xeoqu>CdUbM?vl2nTR5W1C}`P3=pjNhyS`f%t1OtSJw<{rJH4dqX`Lb!S3 z-FB{nJI=BjElIc9$#1Mnccz9F50Ije1+KMA%Ep|%V&ceA83o&R!vJ?Y+EevwAg;4m zNB>bbZ)m~Ya#YUuj?JTH^pWtin!UzzrFx8Sd8a&~jJaSR9q+s7V7E#cA*AIC;S(s@ zKaK9{rCAnv(367u<$QZnfj}^rQB=P{a&xexyN82a27$0#1;p5@Bvge~0GIHcNkOwz zc7t+&JW=Ij@*HrkTL}0EK*;kX8&z8Na5!Hm{3Sd6j4ib5w^Pt5w$Z^2?>;3yig`Je zTNmBwmQ-hUfN|kpCj?^7cUpctKMW4TR54%FcBd4s0*N7u-C!XC!r()8(U%UvrJ?I6 zfAP1x0bbJi3vYpIdRtk5Xj$)EF-B>}ddX%O;0b10i6{>T5CUW;bA=-_7z>f+h)zk5 z3w@Q-2gjKA=j)R;Tu{#_G{@fdQHx0CZAVAy_1{%XTaTr490*LCw`4vvM z+isP7A1o#C4jDF=n#n&z$zdNZHMf)MSW@$&WKJ$9QtScwmx)CY&2XpZk9hzqZoc*i z-yWJ#W;;nP;@_uvdXNn4Vr$)NHiYM>7-ij#o9ku#Ly(N7Em}jSJY|po!I>X=$%dz4qGQQ>gv}&HwU@6cYl47tyX1AjsWDeq$pgBGoK$5 
zzcpn~_@%~Wv7xZZZ!ihIgMMs(NlFUT#9YYyIRn`Qr-2I zCr@|ih_porx1EVJ`im555N?dH9nxJ*(`|=y_t|o+AMr4x%|_#!FiU+?^4uEk5@pI` zt6Q|5Fqpm9bhmRVd!xevhdxh9_f9FIxyRwjLST$ClBEYXq(w+`$B*`FNgu>P?& zkJ)`DEXY4&qFNoAH1vKkuROjUe7_CUNvW*|qt|Nn!d5mOwI^UX6Sx^068`FN2shl8 zgI$ukFEA0mxVKcna&5bNBMqUIl(vn_%bY73XEYO>ZSmj?C@=9*zth!cUKJYimYR>F7ex2_FE`R>pz4yO|l}W8Q057+b**$ ztgobFWmWNs8`kCc!t;WZ=oONK{!FM!um(@~RY) zOnP9M)Vv-ZVAZlAUv2|VFVL1bqEj87x~_U8`AN8&(w7CKdR=eblmWJX89#jh9Scdw zbd&y8-J12K6u5kVS8hsJ9e@4xtf*vGtvzCH$r7sEsZY+Ai_*q^Ou>5i^q3=PcJLW2(g^Fh3`L>G>s<7 zp_;Y150P7N=`KjX5^?y82J_1_l`#%)l{O8OtuIJ1U>R{BHj!zNjyp|9mHtc9R1$f+ zYknkR108)hw4mJ|BY)rr+dbMDm@?NsO0Z*k~x$o7R<{=dsQY(%+Crmi{2M&E8b#id$&$g5v+RJK>8nh zg(1w$bb3B_hQL|$P*Ahd7tQ5?VY3RP9QoTDG28$Ewcmw8O&E*Da@hgp$^x4U?O{xb zy4r$iu>gi0Y>Q9gAs3vP{>ENfi)KS=*N@#zTPK6Yy=pRSfNLa>Aa>Cl0YK^&X+5*K zq`Y$2&P992+_JTB+6u@p(2mk*5OyauUoWlTyfQu~tQak7r0VhlG)k%H2mRf(7dR{{ zu125uXjm|;b%`Lp=}_c?I&3r#?S9eKB%Re?8JBY%L^#ovZ4hc{fv+C?9Ct)^5vmyt zs;zl{#UX{N0u#Pm14LBz={+yqpcgGB0Br?AZcn~<3a9Q|L6GD-e*a#EqSmeOYz^kCV_u403L14g?FLtAtq=vw`n1`+s=tSMj0=n>Zx0eWJX0i+8tsB% zY8i588a>;ffG*#&J-g%#hRvN7r?o#;n0CvI46t@8?&YFgfu zmo%fhQijiNrV`f1c%)enz44bii3Y~*zv}MH11xp(trv}CGr%r3p;^EnBoeMtM?{1i zfp@Q6DSGGRZyCCszx4%!oy-vi8J7^-`AMj9LHC7DHlCpL%2NGWaB= zKWOH3ou>S_Q~gV1Deb-BVLb{4drmoN-m3lsJOjLB;AeKFFye*q^y|le_AFQ+4WF)< z0DXnWeEYoMpOR6dAkPU^s4UJ^B=rfrMRrB?GtX%Ua?42&l_@x69AOOfQV}$(*7c(| zPKPaOmpPK74~^~tU4yEm^WIJTO~u}-_`2X_Ep1Vy(a!Izhg&{G0N0!4GmdLE2NL!a1*3EncMOGpxkl-uAKDFSI+K;lDhqj-FcD3E$^5Gw>M`e zedity<@zz1U=0b6w(}uknUk#pp3BD#_%jHjjV4{9P+ODq3#V2NXD;XUgaQDlyaO`^ z9bJG*@3yOiL*rXSw*pyQw?t#$T{NKaw5dPFKyJsim~mSf?I5QRJeIN#9jpr7I;^>X zTShB4KT>L?B6dWlX;^7{8J|f|xXpPc7qTU~64f4_ihfv#vKEh77MNoThmnj~R#B#6 zpM7T}ru=`AaF}Ae1jpX;l;2Wr9)8u5N-k?J=p`EonM5G`seC33~o{Z`u-P z-_%0O=p>=bBC}(NRNI#~?Sv^2U$Cg?$Cc~eo zO!ECtgP&ZS&=ig}0gnl~Dy67tbHaFPVc1P4b#3uY9pvxONCTUlT~`|Cpq^xJ2$vyH z6i!<%Ym3U+31_bb;snj6lk()&!QpId44Vns3#tSC{NdCA7Mo{2&0AS%BIJOCief4$ zoo75L?C;ZUM??V9#efM>gm}cSD{B%wFyg&0Z*?3R)^?B;mOl_d>2vO+1>OvK3P>!3MwgqZXuug&35I6 
zGMQ{y3LG3Bw*+^MhRBwT27)Z2hx11idx^hTLc?;!l*SEmI z){Qx!ChGswpW&O-Z4CGcm}L{*O71}aT>rEZuvpXr54#8k=lQl>Q|P0M=~%xSFXlLm z?{t;YTSd#A(y3guezYQA-_R)DL>GnqlF3Kk%!h~it^_BYYqc^_y!OM1+#zYLaNEbJCPpZTwB?X)>C)R;Gmz4BCOLKFJLQWSg z6PK#Dxqtm}gn$QmzjmW>0(jte!m^0VrlLeglLb8_v6zu^`*RP^S(&4HD-DM(j+UL> z5O9>^#}A`~xS3BB^Sy_!-&4#dEf@~aZ_Y~V6+wXf2WUZI;|wH$(F`p8(K0%$yY&~* zgJbV7_NsH5bIXW?#S+=<2P%x&MeF0*Zi3E&vr*Qvh`D9$gulNE=hZpPs)y{}(B*Sm z`0-Si!oE?>$5dAtbU2SsV2k5t0jZLr!RO3XmE+rsYOEm5^)wx_iHFRQTKy$Xv*T!h zxta;ebb-D+h%4g3VLi-%kCF0m_^v8$8lLRm?fywQjZRPSm0T2_M%wuKeyD>MDP;Rs zG;eO6!cj=pTrbn#Q|mG^NZ#eWwclK@eT-N`?n>VK-iy!sj$_L~2VxAbH8<2JMg!1U zDt3RUZ)vu2z!8(+|5nA~YJ3hyaH7}wQK<;eyH?|WySh6Tn6uaD^yIufbSXqd?M6q- znHA-EV|i>_)3XQLrqAeg8Tk$XR~vD)ntTY}|LV*AbBI3f#M+g1#zQATlfToR2{*PL zQ;Whh;FY1x^BY@(O~+v9(4Jo8AcMcH=;9};B>4>eg9GPB%4w#ORMEkg=>40(0(pJ0 zUJW9mYj7(m`i#v(*Ie?Cx{f8KO+lH_%s(D957H-lR$T=ZL8I!UCr7V3DMh5b;ii}e zl{BrPP?<&ErsgXVnq9q93zZyrm+9x{4>Yq1*a^I`k5XG&ENzu;JRMpuz#no?4*6}+ ztJ)%-oEhDBR$Y-j0Mi^1;2Z?cweGD9?Go33Pg~k-#XH%;`25Rz$qgHpvd1(8tKOU4 z+FV!)4&D@P3XdQO4OVB0y(=LBeO|m+j=;bj>XM>o8Q)rTZXFYQohudZEosMbQL@g>(T#}v54cmq`_fbL=suz>bI2UYs+K ze`lx+DnI9n)+}osFXFa`a+RW0?dr6FX3*sF5B8f+iu)`|qNaGB6s#egZ@l*6VX4~pq^04tN~(vt zumf}Q8WK%k_(qg;2xPhLZP2Wqj%R)@Y08T%Y3k6p%I*9r(7FR6=3uRN+7DI7_Oeg> zrE&~=+o-^RrBBzBT_{mQ7^1o@AZ$%_N2C5E9R!(JOJzT8WFQNYtfNV{IL5X)S-7+{ z8qEV?5KBx8IPT6d5m$nZY_|TFLtrL|JU($uMc6Qno3S~5$BWF6$@V6f1SO^ThZYuc z;rDeYZlEgK&h%|~xZapObm_7Z6MN{3xK11|%@4OCOfEV~&X`A|fq{JKDaX><+=7Zk z?K0Q21-Rh&v;6fv3L@(}hFjL^SAKJ!*1|QT z-nN#R4Y90WQ`te~*Oktq###u@I!gOE<+OJXs?8WP*lBL*JC}kvDR^0=k$*UDRvgb- z+d9G*d1jsS`f3r$*uI{98s2GbeoL3Qn^%y^xV+mdALydW41 zbv=7wgevT1YlP7nh|-LY@H0g`Hn34|6$nQ~n3)a|BJ%_vfu12of@h#B`-#DLhWt!` zGc_0^)7$4~(Wu(TPe_g>pUhkDnsq+d(*#U-r&qsgF!UyrqRKb;44^U+xZ+beQVs0( zn2?D$eTjwdQ0|~a_%H_mx3l6kuprCxwWzd}G;i{4$`>>2;I#J1*KMY($zJrrvfmYv z->UEdI&@jPl~9?M4Wzp$V8PBFBSD&91`gn7K%A@Uk}RT}I;h?0mVP_G$W;_kh89bQ zovO&@J1mH&7TK?%uWJXxSY^YCp1Sr3BgqPj>m(I6RusQUUH z{nSvI_Ex(VqJKOxGB~#6i8q*SKjy`t^VCEDYaa@Z|2{Hw**?ns`+?YNO9`-KQok%{ 
z&;kR7-z1(%raE?J%r!r=F?aI zVeoQE?kd5`%=D1(webRYY0By_eKse$C)7hxP+}_jAAADsE73>0^LxYd zb2l`;B3{%#635)#sbi^(bZ=*j1VdnQ0xB`<@Td38fyY?Tv*QYvwGMJUUv{H}R1lp< zv!;*BkmxwN;klbJo08sTqSNbZr5C5w%9J9p82DO1i-ldywQny_|E(kT0&?hKhT81^$2|$;9=%cWe+oM;V=Mj6)uemW8LMVCq8_ z9@#GxZ}yx%MsA5#)h{?OT|KWup5s$C=vUqeLAc)&C23Y2c$SybHMin;2uZ>E+ms1j z-o-+CVfb2q40M9k=MX<$$v5L#BLK*QKPYnbj*BfTP~<37uC{CskYFF!LOf;`>_JF2 z(qH-d-;9(lZ|)U0svK<>f#(DCJb_xCR1Q3}zbS7DQW+UR%Ha|dAbqmUCxmN4V0_CI zl%snRqarF3=v8`-x;6X9f>)YanJcE`;_PAMp8wcT{jKb?`@fKAk?X5E=9R?E-_8bz_#$m7i zlc&|a<{uoiXwEz2s;#)vedF=L9h~JZjmdDwq23>z#8yH0t^vKrL+umE&Qo`2Q4^)o zw%GYl1K2_F1GXI%p8vC7hXyy)yBNw{{4AF=)pj6E$Bw~^MpBe zT*-BLIF5go{p6klA!v)=DYzDxjkqJq*gH{1H6~X862H5}E4u6(1RMpGK&Z2S&QlHf zop|)dNh(Y+PPvvM2R*Vbl&r2PUiYD2b)&Q=P1fPpinXKTD%~mH$1}cmwmr}G zb>-(oE3nkx6nFD^XMsJRIbq=1d+d_|A8ukr@^)kOn-i}!=6T=SkNwtSt3l0_oW6=;~wZReAWlfh^k@_(> zu@m}M-=+=7bZ&M`;LVfebYjz`c`Z|%V3T6Q@k1Z>sv$0A0;c%|2%853hvqk9UZ=p9v(KUR}Qq*~)%+(hN(-}QAc+^#K5+0|bKB}lR~`i{q)+1P8= zntXWG1u*Fxa5#^WFOqbxZm&GE37!-Bz#e-&l2x(tApUEy`+OEkfL;`E-6PhCU0B|! 
z(q=!(;I^SUOBqd1@Lapuw)t?X%`D*^Doa2K_zxDqHs}=7ZNQFKXy=*wnHjq1bNTLZ zW+Sxm(G!n0k477EBdbmf%lG`{Pwu-qTjx&_c4AOY0(^a zGmUKnJ?q44xLxz1!+}RSVVTxH_nm=nv95NWY+%$}ZaCUszs$tNzQg&vXLMvQiD0_Z z^qFn`(G&=7S5eV^csqWrW`3ib;m;MtU972ldiVkn ziuY8v+oehx)TkQZ)nXP`h7dzQw)T8l=xIZ3^Z{i#G?4^Ob?i(0mXa7T`#dlQG$DPR zjBw6hpj`N0GfaXgNn_4ro!BNDI=<4V$WLBpD}F{dpej7_=<>p*t+D9l8BhsZOtlIy zVYNwyy#93c|=h!Bw7Js^y(zaouKnIyM;g$1q6<`flfGVM3 zP~B36D!Le&&Rc9kwto!V!{D|J?BqD(c7ZR(9>Xp7%r^IuoZy-#qVz0`Ba>;skLyog z*DjCo1cVHm?HJ4l)`J<~g1)Fsy{`w{5rqY`8!(7)Po`s}b|bGoEY>Y#gnzziLN|iX%6E0?I2F4u5edfdj<>29J;e#h?deZBne!z_aol$Ck%>@525Rv1X)lVt>gRZ z`-b4RqY)Sc0mETs<0-lzsh;@Mx?CZj>#3#BPpq*dNOjwZf=E#;PttM=YEsLvjJ}8H zQDl!N2a;qN2Z1vz=V0>hYEgvvZqb#vc(gXT~nWl8o(B#oz$qUsSiOw=He+d zVSLH)gE2Ytb3j9dX<>Z=Z%!jxyDCx8ycXTxHB!2XSfjTE7Rs^y47=6Zi21pLNSZ`4 zj3tsFo>myDNM$4s?72SuVXoI7KbpIt+EU9bsPkTRZ+GR%uXgVsIuZpUh&vRQy|H`@ zA$5;f#&-b(?avX`zswLW5LU&>itf!wU_;%KnZvu9(K@~tFx$kyp<`BAwr)@~m9|g0 zyj-|64mY!`M^R^DJ8M=>`6(8pQ#55qVG+jnS$>q~Mqlo=f)~QssLATMKL4Sf^?;#$ z6=X@{U41VP*fmYnG{pztVIpswhuytJ1A}5Bus4KOi0VWy%kV! z+F$m&8{m_s=E4*@?^OJ=2Gxjo1i^3G(_^6ig0r~`m>JgmHvbBZ#|qFwfE*UGvi&4< ztkNz4OZlY5@w1Z*6%Suj$LRCZc@S<3FlnyQ5 zm8v~8B3#|{i-<0jZObE$KLNTp37yI}%HRG}>ML$qy@)d0ZRmgk$!vDwr|Y0e6x+V%|$}N1(ux-5y#AV4pHX4pSbE zgFd=@MHkNtxepcn`eVURJE;*XVO9?2y`S^&6PdMqtk23azvMx)rCAu1eD{sDG~nkBTf&j5fh5UDHO5PI}Z)+htXnPPmLvg=cy{~bd_O3WPn)bkAl0pf6E}ppvDp~-f z2DvH8f<6gZ5}|D8=rIm;iV&m{M!h}*kV?W7pY^O?u1VMDke(B&k3cMN?$~_ zs|080DABx)HpHxQ@)Lri-`KdNx`!bm!P+b0)__Lwd=f?n3oO(a0}adM7Pq=S_2`BA z^P?1(yLI0anhOlm89tvaL^Hc`*Mz_O?-{AE17*U6E!zywbN@_l#{+l8S9tY^!2B zso1t{+pZ)P+pgHQZCgF_|Gu?*t-bo%yLTV-H4o;=46gY;@B55r-1qMu9unOVh5bcL zGy@I2dW6rB4-3OfN>4%Lm-8UA+|sVle7X-z218XS+2xP-%~?&s%t#p+_2mtTk>f<5~+3FxR)5*lIxP}1n*#3w2U~= zJj*Y4YCrQ5y8Xzt<*!n1KaV0wI4@}rQ5qR}IB&${8nO&c+0V^PTHNQrv`%KFO9_c? 
zns(n%Iw*uelv!l119}^0e$GybLolfe;k&?({6Mtv6x_S(c?CxH3*AyX3`2l-k=elw z@BlaBz1UxUv#td+!+pToQ6uk$T#ykeObmJ=jH+g^-n<~EsazhK)rA|phpIK0%oQ4K z_ICBy4ZO*BUZ)ltHY21w>hwYGG~X|OVP8OY>SpS?Hkuyn{+aZ`K{Q-tFeh|tA?day zoI!07Arg4{01ZJKdJ2o0eDY+2D}Fa^z($a5{YQkW0?Ri(i@l-#sNTB-Tm+d|Y_xCIdlh$lo#}Ox#{IHg?2Jg-z0`i&8TY1$P~^erLDh8H zvu9RQQEtfXIuMw0-s6GhxL}slYk>lDKb)!cZX2uv-1Ca1)0U#GMAx1)nl@PqSA!mz zd8KCsI@}(^wE{&B893GlM@p>ErSt@z2?NI-57H2ET^cRjh&_BRYdOVVk5E17cfMKd zf{OkP6M_=cXJ=;wx|&@9?+E*qZB1cpnpGO4*ZBVXD-_bO$&WoGSni=~@Kw&Vgg>`5 z-@n?2uABjx+=B~;M5*nz>tSQO#?7pldoo)T;NABkGe>^+K%NF!?f20{eyfO`-@l_Q zu}7L@;)5WTmY3EdG}d8y!=6$>*$R;7DA5w}=v@H?0ZubSGyC&waF++pGIsr;?)-_6 za1*|{W%{9bNDFGrgqP7{9k)|n*n!CVQB8G0b^}^67a_e>Ck`~P_O(Gjb=^tD(7cZ4 zaat`rOP5lnL#ZAyxWk1^gYH<=cPkrR2s_l5$lPO&^d+<0mfI4OXVGdr!*>s?@mmw$W>4@oCnU4 zTbae5n3WESZ7BLN(y5u>`_VQ=1m2qInn?>;whQt6aAK!AU?;Pl(oPqtr!NWgk&1Fh zW!!@Y&RG|`9KP}{Kw@=%u|HRS{&TiC;5~b|z5p3^$!&pyYf$kQU_&zq8PWK4&OB8! zlBu-abL?)sKfcM`=Ye;MfTBR`4|>Tj{GO(daIN#y{vu_Q5SN+|y4J%53FE~jXh=zf zgnTbQApd6@C4V~>8)C#u_$ljewbiQ$Tv0Kb^gWhEK$`$R2jL9TbjZ^ONS}djv?O?1 zLPi8Cp{E`#o~CDuIMs*Kxl7=XATzDSTgZmN(oAHaBeGG%k@#HCgQRn~YvG*)GKWQF zL2JyV9tK7hb>u07?Z{>1pL4ZQu`+E7zLzgSm4F*sczh}DtVg424{VO$Eflh+#E#a( zTGIbUJ6_2d^fwHc&|kLAqS4Vt%|x#&olm~#;>n@h;^k%lum}|{%&*#Gfd+PIj44-0 z1OxLVkE2b%Bd%*$gbqiEA`0pRR7Z#&AWm?S2sxJo2Irjigfo))ibr$Ds8(`i!RiQR z;W9R?ENPJNChGpWn2*-mMdCWqJ7jkazMnYaV6y2)7ZS zo;rS*IUzCc_ATo5cP}WznE;@`zje@0j_UF%W)kwkw8%+Ir-rK{x3`WGLiiICIt{Ax znVVKO+YyXl*LxsjB%L%LCkuI+M=}KUsTN}79VxdW;^E*eTeP@g8Di(>i8Oun+OAY{ z(I~fx#_1KUyd+czV^1TlQTsyz6ENrxG!tp)m`5~AEg=mjr3*0V zPp;aCn+bs6!8&$w+0)f?wAeq80#hMx)2 zRE{g6e~P-UQD~^b-U)O{KI3BF{;(E4GHOFbLoX;#jE^N`K1#5FzYE1xq0bICqOt!B z6yFr0aY?)t?K6fg-qV?}AYA|mFL1vy`<=)*4ZhG|h;q)%BcSO@GpF&fjrYB4`^rES zW2B}w*WP0;}NES&g_|(dfjgTck46)-Q`to+W%iouwbVzdf@M*mM zLM|Z2p)xoFHNxE@i4tIjBdhBNyYx1AxUU^B61wc6ZB`gNCzIkc9y-z zIe2z#In~DQpP__ZX0{fDwg%0@`w^wv-=^Twl^# z@Yim8bRogt8QyW}=S9a;J53w!xq^JPA|MhJ><=nO-s61)3Suz(8>}l1cR%wCJFsvw 
z*E6`Tbq8g4^pcM{{-{qjk|NHE8(Kl$yNYM^)^(^hzxEKc8ubZs-P40D_$=JzZ$L38 zJnmUOGe<4h4^GQlVSrsQIC@;#7;w&ZMU?t;#ji7BU|ELQ z3s0g?+7IjlsF-WDC|3U|n6s{cL!e1o`LYOUUGzZ_;XXZXU69_Yw338l_>#mJZY+=Q z5Ixq2@WI-zo>zT0x1FVEP!@BC>POGzFXU;^+(w3jJN2tXu*L}{8{FI1k&lrOyp(S% zWS!EUP{>^*mj$#G_ZN$Mpm6lg9?N}VMeCZ#x5{(Hd%LJNN%iP}==GCK*i>T0{cDL7 zh8>DkUq#n)5%++BlbT-K8#yUqDWH+^zx%#giCw9I6YA4YpiP>}Gy3Dp3>+lt^1EV9 zA~4b{-ay%7X($4GJH-Zy`#?y>1WAXSm|Y6;%kz^pe`w@*mzD(06dPm+@C?zSM;yvm z_+Eg@aiOL}d>#8Zp-g#&%f#(p@C4le%{s5P3ayN@g+=`3TpJb6)p-|pI*rMU*$?>% zO2oWM6TgErEkr}>ME4V) z4@xvoAL%zAR%5Q-p~F^eXj^2uLwlD&Cb065a3~NaaL6J*6F3wWDG_^K!d2ROUgj4Y z0GiDlDH6H?B%0hi)^CtNK&sAf-$&LhTA)v+engtYKo)^~a}xgG9mHWhP)baI7Jy?1>tYts@VLVJM2d^`!e$)rjpQ^B{MwvIh?sDl`jyf&A zWaQ=4-S|Y2XZ4Z zxg!T_CV8}TjEo((ty*pkZR2Re!*}Y6)Yicng#NJROls2R@NpQdEbnrdK5#j%HEcb< zAOha!@F!%6+ry1hN##@3R*^}mnRb*SCn*f90p+stspwMs&k3nAF1F+yC>bdVK2|ybx;a-uGOS z?oZ^n0?Sce2DzGFbUy@%YXJ2^-4Y{Tiw3 z!gl!7qQt-74P?LC>d_%7SA0o$m8-ytG%1b*U(4(a_NUlh`rQrIho|nQxL0WDG_Ap5 zwnhsvHisBfm{jM<%fuzG5Y-znL%?% z*}nv4sw&wNH`K7z{{B9CxwY_!8(Erh^Papf;tw{~RYyS@u}-Wk*ku*KL^A~WZSsmH z&T+vPDSy7w0Ql7Z>)9Vox>crct3_+u!#tp*&`K@|iWk-$snbl625~V@pvMtwx{&U< zvbLiO3osZ4^UyC**d6sa-C>cp!KcKIeIKDNZ59NmX_)+6@TND}Ic$6)B$7?1Hg8eb zBHqZ*QAVm{OB^Ji5OCj!R4#lZ z3}p~gRM)vxtT0ZguNo@f)GDHEf_YW+$&meDZi^4ssJZ8L7nVpIaei8f?;PJ4GvlZv zY@Fu;YA_`J3UsiaoS_7}FejX(n^$6+@@br_s5EKXIPcx7hizIr7i&e9dcgK-8l zkc{Jf+A3yU*dmGIgP9x?I1n-Nbs5C?Ef#`4&`Fop;@-KIoguomKsP1Gu0N@(OlH5j zS>n`t$byD*@kJ*V;ck|G2dynys^_1x^@5Ha1}6yhCMy>|2Jb^?shI#}2J*I(S-&n` z?2PVQ!oDRow0&(FTxvsapl#x&D0zI0=?%6aJ1!lu*-8D)B8U3PE661FKqO)2BgkRy z90TgaK8ayOVa1{Sj!SpcxYIZ@2DFEd+Jd(rR?ObvDNmUGJBzuhv-~c~Ny3a~x1Pih zQripNLwS%3Z6bcCd0gr{15@`cO9JXlh$M=Ou3%9vt}D5&ykp!Fr`aNBqw7Py(+IsG zxfvv0hNpM;B>LGnH9R3^TN)9^;`lklsu)SkYz?@@s5>qLU#%7Yg82ULhRhMWl1V$& zVO1l`yyU36rA$Dp<822EC=>B$_Jp2Y;a9>CE)YB47$SumFc%bH-%y~X{@(QLOU{!o z75SjDk{CKhIe$ota+;Rp0H~$3C(FH7aOus}h-5$);NtTAh)jqW$z7z@)$f{G&7yF* zvg{ECK!?yoZK#z{EOA>1oTu^Zvv+!7~&6N;m2hjPuJ6l4HZR=|7qeNwwP}1G-)mrE!kmtCeS_ 
zfQbjko16-`E~yLU;Bb#Di2JUGOUk?+ou@y9PDQ-)G6t+rEQ0nRVZ38U(#_{=AF!gF z7b|R3H2_`R=!ca8fjx5m53&|AU#_$!341D@lejJc-b+%;Gwzcs4JrUdN}=Q(z%%HJ z0YWIj3U}$+71d^*ARCxNq4(m;2x_4&uV3am2^#Rk-zPBT%=2b?Ur)K zh^slEX$q!p&iRi!K@x?!Bfo7WhhI3r$X;%RWsgXZ( z+yHp|fYqX@ILdIy2igaQSGs5;~!k%9Q; z->Lo(FB@xka^2-xqE;iy+Wne+uIvhY0|@5860(NsWSO*y5XH8J&`_=`etKkYNm-gU zn7UgXJfY~c#=Y;H?59A2D2CmRR(ljkNNAbIneFJ$AQM!W#QEW4_ezfzJOjbn+}Sm$ zRRGTcZ6t%tN-cHxsRoH4ZF7Hey^rB1-Tn2z}I zQlkHq{0#3C20#lFwLeBUdGJph)|79YI4f;OMBFW9atxHSV|Ge@kQ767G1<&sT2{Z$ zHpu;8p}KUfLD=d(_7HC&Ap93a30p3K0t2$v9Y%?>C7^*Wh+aHmUv<6cJF^~J8XqtE2( zF^IQr_Z1#OkEtKjck1md+Je{eEA63G{ofoo^T;Eu)T@}OoheJ;!YbA6Y7Fe^n-ZZD zJXKderw2q?e+HYE2jj%%;wpXjJK~*2@&TB+mOD4h0nT?}6_E4qB@8R?802pQU1>-i z*MAkCb>JS4b&W$w_Ql~4L>3bzEWrQ5qPfTc`5OBq(6v8rH+*(~!kDhj8wnl*BZ|F^ zl4Mgv{N48TQ^*6zfMom={Lj%^IOI4f6uBmPjzC_lJhNgwxigKkwKH`Xa$+ASWwPm+ z6yE>UF5`Ia6GzxSc22P$= zLFR(LY%Es z#qOx$H=<55l-2^Yi&4k{q)h?(skC zq0x1z)|zxiHoKPH@W?Q%L^I--+qmJz!HKW&{&q?fmxHMqZ4czupAty3IqAe0;aA^i z@9#)!wnJH0^NeC3(^mAPTyOXQ*4Q6ZywCKX4Z@&YaZTN39@A-Mcd?uPMCRVlQ(B33 zsPE1Nn>;~eH)~GHOw{fUKX0Pu%SGkT9TW-r6bms#Aa;Ee3Tu#Bi547Y?mX5JoEto3 zVLrNhQ-nemM!av==m?$NB$s4eXVHoL2pWt}QSDQjvl|0Hcqrr+EtFJc@Vi-$S0Dwz$&dw47TTmrwNc15WBu!?RSM7 z=q30dYA1_qRM?{Irah=OJMH;_jU4n^Psc|{dvc8XX?4)6&8Dv}`%&G-J@-(XC?Ar8 zuG)GR7ifvR9BX?_0`n&w9k*(AjW4`K26wPCwQli24$TI7sPU5@JP}~;<|yCK!~q-y z(w(JN)$428?SdFs9Zf=o+Fu3KU>AQheP;J?v{P@J`r8vw2PUzXUIF(JnW`Ol*NeSe zG_qW4TVwSZ;-z_|GQ8+_R_uo=VsZuo2W}2WU68qVo*CJA3BTbbG531VIIQyzpd_PQ zUd#R|j$mS%L_wh9L7>?f`JH9jU~wXN`Sr|k%meFXBGk+)(Th}@#A|2JSo8FV3zdmA z=tF!W&oZ96Z&(FooG}oluOA?ybDifNelB z5Nz1q0~HL1bn`VQ(#>}bXJ$%X8C@1pnkJXtHCqjOnxTYzm~Psx9^iTd$Pi-YWlWR# zPXAa)u_>|AR!jHxhT}r_7@8;_b-kD~yt8I6v?CfW4|QjcymeqnhwtS89Z8FZwUNf^ zq|>yuKlK)>n`@13pI9nS8F|Ouup8(MmQ^|in6wpmXSzNaGK$%|^c`9YnI6E%yr;`k zzzX{qP5`ZAvSV+QK7TxyKcq&5%q``VY$Y+!37$J|Y-|~eyHoIz3(n|meYdSy`*?iw z$dB#JJPjUKOZMg0nb2abT17qaK5i>4mrrl;Cg!TrON>9v9Abh?!fjL3i_bSzMb0$jQpF$6@R1N^DfkAxTx zlmrR`F`L_4WvN+zYKFg&CpWRn$F;EtJFmq%#fwHU6hcT?D$3wE4=`RqACYN!bnIB! 
z+_NH{1>)e-@k>1E9TV5*wJ2?Q$5409oW4_0x7J)S3aG^ELW>ZN>cJKv#Dfy^Nd>gY zQ;_Q&)e;vQZR#5gwk6@$Dink}8-ot&FGIo>@wxgV=O#WwjF+U*CVnnKTB4&V)LC?) zL(BUeBEmTH0e%%EN;|P6Su}#;6G92^L=6erbm@@>qzhf?cfI^O5{xp-&SAP z(*0RzRBQEVx1dAzaDWVnHrSj$Z#;nE_(Pw7&(JrPg_t43+BHItnr-^P@cU$~e?>offOqPO ziw|s2uDVYWFGi3&!wGymJ&FNL6S_Vx?O&eFLrH?l5|1i`P4T>X*Y~1%e^iQm5;WyP zHKAAW_AucFIUW9G!XzDPZyK(<-wYWU;C{;JAsL# zRr|S;x2fg&R7r=ySs%}G@G~_q;zK5{L4aY!p?00&=bou{K?U8Yv2dgIYu;BZY@*;_UHMGt$}QNNFen_wQCA2nd8 z!Wz9RD&8EW=qf%#>SnqYFI`idYF^fG+pIemjnQ>AXCf?3`WDsS81djas7xYU+7(|~ z3$qO!bt;$XLp7z;HOP_=${a=~G#aLvUPU~s$xR6^TfSAf^uwAU3y**i3lAGRtPf8f zOdsN48H)kdsP=j#XA>@UuLtzn0ZCq>puJ@qez|(4VLeGrDo~pr{>u%dHOW)(4A4gO z6%vgNCB{gp?P?TRmyBz`A<00(INqdhDnFA6wAgN;H@gwuky~->;rb~)nkXv8O|DXH zn+cUs1$R#?Pn({r;uXB%;k-iz zWU`zHCd)4qL37-&?%!|$1>^9u{d(_fAn_&H zRfG9|=K{*B_D7d8Hs8Lyq-Tsw%o@yZ$=q1{H-2bK226s~8F%a8$;umEr)*?O=b=2ZOPe+JBEyU6v4OUoV&`S(X^g`^+4jY5IS9m-a4cr4IT872UYzZ&d zb8>PzLE?+U%VgKq0`Wg^VO^=*G7^HMH@2z{sqO^u9ibx2T<2fcE6Lof#WyksnM4IQ zGDy$`ynFf`nO~u@k+@anhXXY5dJ@ zr^bp$sAnd3g*5gi?knY1cri@vz;wN1D{qN%NW&p~@n=H$9D)qQp-Zm^YlMJyT)1sy z8JgL|6f?vX^stW(cW(lGZR6$dBQ`qJK2}G!{{l%hK;n{oD{4Teu&+>lN?i9dCTkPt zgGv;!nEjhM78V8Zy?wP;fgptT1Q0Rk=-)95{!dBbqur%=-@l43{z6p>tc{{rnHjWh zmOWxNiTu(2vSnSlc~}8U-HiNiyWtV&K@O*fVcc}187k~nbb1{8YaIh}OqWWXvK{O> zKdTDyKpyDyNWJ8x^kC!pO?YiIW0w+xZ$!p_zWjdhNIy*MD0ig)xJ>{1cg-rW z`Wl1Njz{;s|NV#m;}e>JUqAH!(_cb47e&SpyX)q`rXVdEzhG*p|2qxe zAP6F#vmrfK-~l@iz`wUQDU~!=Tby%tcD}9rHi6yWZ&YxAo&GZ~QE#t|!ouc~So%d; zSqC>wFpmDi@%7YnH|LIUE1ChGk}!y01oD(o16Zph$R}@JdTrg>4+9m53bnL3Wy>S) zzF2)`vuQ);jh1!rEI6J>4atde3wtIMo$c*HyBBZV<||$<<{M_@=Co9WPgFV< zR8$nV{VAa<++EB5V|Av{71no@dlMrlw%VmGPyTZm7q$B==ZqqICvgPv_*Bbp5WM>LM+af zR!p}pHf@p!uAjJG!d8%t-cKB~GzO3xv+K(ez4-fw4L-%!s$?jKr!vooEO6Kh8;PsZ z*G>)P-DUZE91axcb(5<}mFGowcv3*&s(Ji}UaDr4M!b)nKSzsJ>}P7PUQ} z0tJ~*Yse|wK0I@7r`c@}4->eU6HwH2?BEAnMojMvtY)(kgi=pcBtH!BNa=K~d2ko( zb~|5VPfLhP-9m8N&zl`;xiGmjq*@jCt#*SLdo-u&5}s#%TsmM_W{WsjO1GT}(t5pO zYGrW-&lpeSM=t8br27p~LAtHYG||t$ZF0=b6gP1jSw2JJ!$q0l`}EefCuy{yE8eVe 
zB;MaKckVw8Wo1dDKd$$A*d_8@BTH)3mk43`kY9~$WwV~QQfmUQ_{`>c&glBsdBnKG zgI4y5$-NK7eWdRM6$IT>;Y!&>or|V7&M7hSVLz^`&W%1_g7z-ySr;DU!yWG-l+{&zoY_ock5pE6$hK*Pb`nZRd{nR z`%lpgdhx!OYz(vDEr1bx%ed{}nop0;@M41e*EYX}S$)xN5Z{Rr%8HQtEX)8U#vSoz zcMST;VpEuPt2Jto{a=_*UX1@Iw0L{TX&4-R^yCza z{z2q(iP)0dzEuDmLjjWN=p0A2HROJy^mG`f``9)nv!^yjgLnaqLvhJ~`JAni2u0Ya zW-DbJy@WXb3$&O@Q7*C7!7Ga=aFNNQi0!YJ`2ar^yt|M|pd0qeuYCETCRHzrn)yW&W*D!CUi zd?(SA{FtXdR3onYEO_ibHAY5G>k{OmMVBwTVhZcS1(A)bhvdR?6?Uk$=vU! zC|qbW6k>{^pQf+mC4jwYu|?uadt8dJnB<5sfJq7_1|+Sywcsw8TVUPR%sR^#zr;tB z9_zM6oIn?04`;>6SYct!4edtrRircJWSLuQTw46QD*9I*i(~6QRdE&CSl`|0<&4>g zL(7@p>2I$G=V{7^fI1Tdh+ouAaXYwrdv(Zt=EgW6r(x|q|x)T#uf+hm;cAwfs_0me^fghb7YfTGZIeVQSF*Pt3bIwyhZ z_9rXy@xRvMaMeGpbwHyl7!2t0`2sSSh&_UEn8@g?jt5&bXv*iP2;ygfdGDB$B4A*|MvjvY%U^)0&zJ3Q7QDS9yGJ z^k3yN%2yvm*i_OsLRN=*VT+n=s37}|l5`H%qJS~xZgvq1OTcAD`k3W=6OXL;NG%X? z6k)+Ow;$X*Fi5P~<|Zos{;;`eaWs^ELsR6Pbt;P>*fSUdc%b-fd_J@R2m$&5;CVyx?gBZ0w zf?@m9uMm}84UG;fAi%VPa^@%|H6a>#;)4;ast*0gbjy;f(1q`kRUVx|5$MRW|OGJyL?6LO&vj2l2#zW8rL6EJXIq!47ci6yG9`EPElK>Ck zI(!urF#UT9_`3faOuWgda(nH<=XlpCkR1)kRY4y>kWUUN9;upj9&ZL%Qz4 z$V3nb{z=x)=1<-AgTtlRJvamoGy#w`NG5Ndfee#x^>f?x1ty_~t^=c0p`PebppOSf z(cWM|t-dX%Q~7qi+H!h(bx_Py&)|?!tFboV1Jr$Ui{kd1qw=f z?v+xqTf_~%t~ZdE)M{0F)1+^>JKl|2k_;dWl_=77arQ9Oy=iw7z4h!$_4D!ivu^$9s9t-{=cUG}*YaN|ZMMFq9}Szt=exdkFc`pX-7$pEUE7l54aXVxJcZ?O$ELI! z*D(KOicV6OtmO7;B^Z}{{}&a`CsDSt4-t@&{tgcgaE2@+@(EJn84;nKHAI5aw`Z#_ zQ*0Sv{vm%qZ;BcMSuQc59;r)lxRv1o#F%G_)~*2d4~qAWM@qA8K^u4q4QxongU%)l zFCjCy%iFuhWe;7MA9V0lrz^9vEUtGnopR|!HFhu9Hg0YreKMmey6(^o42dymK=
g-Cr_w44@ikp0ofg62r z4(0vCTo0HPGbsn9BZ0!4$%cWip)5&*KY0XWX-d6!9}D-M4?(x%`3tVJ58y}*cs zAP}C=^L{49bJ1+Af#?Q0l0~4p9kbB|repUC9+NiYc}8nk^C}LNEXBUJ(f1796<${n zB$4j}evMe;b8A`~ffyhd5VrvRZIHHvi!A9|dXr)ygc<#zL191hgXxD7Ae^n;0@z+# zytxcbrXCM@$3*R5iT^HwZAU22PB^?fHon=uNU-7|p8-cNTMvQI&vT?{Gc1DYoUBrf z&~@-lL?`1+48NGwx=Oz*FTbL&NNR;kX-&~B+GtkV<3ixRT_!w}Z45FWp$^Z-Uw?yj zi0HqR>(%K0jU|4UI_EG^n%T~r?E5LF0MFMf^S0n=F3FWS?VUM^{1r9mP9gqKrdd~D;f6~8|55O%4}0i&*!Y7y@(FtvS?xBTgOid z4@vIbw2z|e05UZ1aqede)#R{&B_ON6Qx%dw^g_s5FDDc#Q@TaVN%XrlK4jyqu;rY4 zr+_78tWjgldI%PXXaRvhJu2*k*>FzTA~&6-Urs;aIIs$c{ypG!=S=q6^bK!%t{qWC ziXMH#1{Aaw1_dI&1`@y>oqu*UhSMhsQ3niuPGEy<53X&m>=Fl<_nFxkQM|9zhXj`Zi6bv|lh84S8 zG_W01=h%&?_8O=#jqeQB2NIY8+=jB6YDH`a_}c}Ri!zqByOWFg9u#hDmj?}<2JbHs z<8O^`c${7?m#tF7>p!d$Vi~^+Ia1hz5Mp2wAYaRPI>!4+TsVI8n(;ebuxE8qy}h7E zkAn-dX?uFNqzW}ha)9*V=d#qf0fq*`g=CK1+pat=>_c`KwOREOCQ8R^EL{O#dM$<` z&#@a;SLJ_;NQdO>3UUAh&vf;d0R<~8j*tA<`dHNRL_Q>=*yaYe88Ke&u0d7S_K5P$ z?UBILj2#7Hzn6Y?6O1E|!o3&6mv$5e9D*bf~?xPp@%1wyI0wl6!~8DO{g=Gdn5hc3$O%85-NIrC{-RQE#^r zaT6QsQ?Ny(qQhJ|#%u$M;DW;^l>Cr8HR*27q`cu?=NcUg+4ucx-sjdO|B&`{^CZ9I ztMxB*ssG3VxMP-*nm|O(^V6ar*t;0YeBths@G@Ej%4d!JiQ{IP{(6rdZjWa9on0>XVf{)L5S=+lo(U#KAb5 zUP^by+ehWBN814cvcSj6wF|F?!}^NudKfvBDOINIFLqRF=zTgwxM{Rf=FY;C zvMLga5z_f=yH>eiL5}o34(NDx3Fb(^P*6}vyzI8pO|LDQ3= z9&)gpK0CTfJupnMANnv8u|_1Aj6owAj>E=ov)pUI`uF(-q*$sb-_TdRCoN#NUopzKdrHImQL930Q~lgBhR> z(B2fgazlFV$=SSl^JC|Y)$x0cT2M{KmK$sk)q+&p4c!BYQdulpLAl z8_oZ(TXvEJf%yOe^ksaC$y?~Ai(UW{?S!m1YmD9;kk^%6GJ`Y!G4Q^bx?4Jfr=dHy zNscF3jQ3M1t}_e+>t%Zm>B&gUMgLo0i8dmcY=o5&>241*S-U0TMnP_!Oc|O^f?SF0 z!QM#-^BoM-#^lvX$63Dpc7@i2r;Jf(h2CBuqy@J4f!EqJPW%KIR9Xm@WN_CZtim>i zEfvF-ILsW~KrtulvNcH)UyT6hG-o$2WTOv2Hc(R2dvguCCa0^+1d1Tu_v@_j>7(t( zv6>|zuvDosdvvYerTzXDxOO&R?lLi)sgz|h-3$o9>Yl~g+v8~D#c*b-&2}KFi@~ad zhiE}%mjt%;iu>WN#{;yfMsCwlAinhwFc=&RwlKMk^+>US^%5`-i#F9G9$jO)&~7~m#!J+J0$H^%P56pmCiAfDDlM0vzRoJ~>OxL8q0 zlRVQ`1+_*kXt|geL6fF%k*DxXLMrTf2b-`m945R|P&4aztougw>UF1v7)N zu+KcuSGg0A=t9q(zViB?WQ$kZk&2)BM^d7ahCGZC6fJUiU{4u$h`c`#o)kqBx+(k% 
zTRs{ZM^fz6Q) z>HvxS&Dy(?e>nN=N2nk&y^*ZfErhKLL$gL{+;*1vB(Gv-upsa2aIsf7$>#?by;f#I zRKa*GS3%LEb8k0bMkuEElN8WGhb`2k`MQ~bFluPJfOnK_32gx3lB;xMJV#E*efmjF z*WuEN%s_?>^zOF_lb;!)(vKU&;d*0*R=6s5#|Ho7`0ZCA3L?+!OyW_!K+OTn0>!r@ zz+kR5nw=4!>zP85wC-C9(t~t8?gH_#lF^O>g~NqM_0*tV zUT@X%6mt1GBe^PNl=Kbu@wsk<0@P>x76&ZxU_VBpBGqJ;7i6n2kv;VU4+@qPCX@Q2 zHMaCuWQVf>YmUPgFQxwDA_E4oyBdScM>rKf@86f&z zz1BygYcPM$#yXFCJ#|vo`^F=#u1Yfh{}FzRy`Gj}>@^~6P$?9rR1m;znc>G_<`{=o5MDC&jHKy@Tuu1ZrHNk8RS z4{>onh@fx4FbQHrQ5OOZukqEutOQSd>BsnoLLLYia`COU_)u8Th{dliO2*^qSj<{u zQwNyG4AtkYNDkA?H)TfKinN}y1*h>&3vb|_u_FQvZrF9(@4pf!&e)SgtBCfCt1NEchuMx7kzk8^qJ+2*l4?8A9RYX(mI6{-E*R)9Q zQ2?u+FjPqOhth_7L@fG>K%vZRmotW20urOxumsqyB|F*?2WwMAD6ep*grru>NNC`% zmKLlDxrF}|Qr^8l?N@@u)#`x~TcwfkH}%3AS%k1Zk|f6&tle2oJ}++zXilOU|HZd^ zsh+aO#!!rd{1t-mn2jQ5yS%cwQ0wfojwp=x?QbZ`@<0Ls`u^j}Y^b0Bp}LCFl_!uh z$Y*Yb&E-HWU>1?KOqRftRaD_9 z<*=J$7`ZNRyIBRGVch=LAEz}v#1vo?tBv{VrI>a~Wpw@o?>JF9HU>z&;&L;`!{(_y zPR3^azsP&bsJNr0-4k~wXyY0rxVuXrxVw|!uEE_2?(V_e-QC^Y-Su{I_xHfz3Ut0r z1|N}!Lgu_ZI*U!8EidbLB;OCd;}!9Xv&FnAVCz84;5gN zq0hh&>z#g`cKL@Os&=gsTEQ}2hiNklik_7w0DHPe5UhvoeXW3YxpoFKg-Y~U%ig-f z@5VhGbyB_iu#17p`>T&FX;`cWc%*n;X;IcAaX9omeWz8FJqisysO!x13Q?V4q^Yz=tPpLU9KtK4e&*|tMBV>oc>qR>-C@6aMM(s!<`bizLn|vV$ z{Oj-B+ISTKCPLk(xMbi5qS_)3mDxR0kEpOcQ{N=CqSC$)?PkNwErJfVCA53=szvjQ ziex3>D6dxVACX-&r!Yp4mh(MJT&ngp`RS#BuIgM*bU1_uDjrf!+FMvbq4@8+`+MN< zVs+TYHWmF_qxJXjHvISS_W!{ROD<@g%Hozql*5$e4K@l@e~Fg(3;%QCsn4$}Hfju6 z4to9OOF$nLauIa?kmx~t*yls#-?4{4A@q>hp#bL}Ni*bY)Gq!V*%KhObzObMxL|h| zZ9psEy6`%p;E#=|&|bkY4c9`Zn)!_gd!z`is^tOrH{?hYfmyYz zx{+m>ssVxUn^TuVVTo3Yaoz0Zf@c=YO(Ko6uRH9`{V7%jTS1T1Fry2*?XDg%2bB?+ z9p5!^sj_~u&3IarI(;1kC(gyvZ&Yp?NX;DudXdJUBJswj<|a2^l*zb97y>1B3KU&e z;&0fUPlunmu`E3k>7)u)&gszPGDxu%&?VPVe*`?)&l&GI-~hfEMxfz%Qa+r!lXNF6 zb%H)(!?KbCtVfu_QLo|yV}m=_Ol1w6J$+~mS^^AE1F@Yw`SQn8&SE!LwYpYyw}<0N z9zc28^mjoZ5VOpq8?v6OM?O2hTCSH+8@I)i)cWj|Q2^x*xxy}k0>xgJ$}FS0g}yR#J?2MIf)fN>clw`*RO%QaDYw`coL!)i>!cT4Au zIR-l-&^odoyK22QVkKm4OY+G5I%KHOcgIW8i43i&$w~`KK$pSGlvzV{^O{=?X+;Cm 
zvEcze;HXw{nYT&bg$;evLx6nkj90g3kA2d9b=T*C36SihNBYibiVLU8ocVq)&TNsD zNB-JAByo@!9pt;VqZXgMyJ2;5yM~w>oR^KTW;EUtaELXEI+@~_?IjA!=4|vKQ=i^N z|JdmqBl-F`~2#m#ixF+uE8Q?F{ zh4^wYAm)E2s&MI#*gjcIZEV>Lcck=FxvqggFOV!Pk(*uovw9nr@S=}hLbR@rzTW25 zIr6>OU3)+$TuUuL9;LexT><QBwpGq-1PBQCBCt6LZ*8axhAt0-Fs4iyUJw*i#~de?m*-M+dMKk1&%+lk?e* zAO%H%Mf4_;+wJAnr|CKau^l|Q{{D~{uE28-ppDg9{|z=$ECy9u5}qSwLPYXLz5P+4 z-`Gfoe8#v6aOO@+>Tv1DZ@a`~{_uBR&A$*JdNeWKeWt9nzp(5eplk+znSu^gAoFy3 zyFB|LLi4{FkYQyqFDwFYP>)AOS~= zdOi~NJ<%Ce%N62*8|qRBilzr-{6zg>;lcsLFiatMf_rg}Jiu4Z+@~k3gv7gNQLDUn z9fF42p8(H_C9hnT3sjleaXS|c-C;NxqtmH4XPv^z8L3}5j$eJ_4fqVgVhr{0At zBJL4oIc0IwOd}eyPxV4C%*;ep?5vU!d9{)pe(8IM;Yxy4!sXi=)fbsvGht%r- z>>)LR?I0JVHZPIySu$l=)^2Fm{^2oM$+c`A1@$WvZvuc zvg+o~T>qpE$Sk=h#Ctq&9T)JXOui8rZH4I*e{@K`_n`4GX%buMa1BQj|X-FoiVoXkK2?nR~jL5O8bEyE5A0e zP;;+&gE>iH|Jy{GO4a6HT2PC~wh)gSCZzva0QDOPSZ}xlZ5X%?9`HaW1++?`ec1y_ zhgGl{qBX&l?6)9ErW!vHgp+z({`f+Twg6fIX?8RdWY+kl!W4d-u~upf@&GtBYj`#S z=gYJC7pksoA`uU=QZ*`M$e*8(fRklt#BHDh0c3hmtVjgC3``cm`uQevi&eWPkmu$C zPTfM(M4mi026qDlq(p6_cN!eq;FG!~4`Zu=GjES@J&miaC*>rr%*TTIq3#IA)o_kb z9WsxSYBhnzrlVB54wtU5TtBj6M~Z-3ekm)SLsoEPcU{~?dku|HooTvcDh0nN@XCAe zfpwrhd?psLCon{U_NFGXnPjP<@D~J|Neb28g6>#QTyNm7MzNm5bNj9>!5KP&9i-XaM)@mm)3ADD0HP%)0+fL98{&($S8XGZ4Q7-s0 zi;eQ1tX8om^j_M4)ww@|!)DG>|gX6#ly7;)+R_IEb^;{$Sao}klEU?~yRC2#&LLQg$T*kQc z9kYKNnoPOpQn<)=P!DY=rpdB%-g|Q{eGn=Flg*B(0(zJtE&h3Kkfm^R|`OfKVBqg&!2BraJZLDgJJ zzE>cD(mV%}m*)qB7-a~qL7#C^a>!ynUPlUDMJjsd=5PXmWKveo$4^c+lL^M97h`WP zic5I|mgYvXKjUKEKO`8&y>)q<)tpz8(_Vg0s@a2pM{_!suopK0rKD|7q9VBj*1v{R zt#8XIB^opOq7{goWm*K~xeb@YKf4t#6h|E$0%EQx z&{1$ucE!CxVRt~9I6qBIO-4&KME)*dcTHP_TxZ~r4N=V5k=}_$XaPy zi!)5kj`DR1Z^|4s7YL2~I#^lo9sa^lFW?cTr}_Ne+K@xPcau@@HI>fgf)VhAB_Ddb z%wZigHbqf>i=4w+H(~e#LzP^gvqyKN?y^VZ${t<0_+VBcoO2Bi74 z0;fk@CE6E+POR&g!Q&wST>&~(F{QCAU_Dh(TRy!&&F%2IKvIsIiC zC2v;!NW&#JvkK|fx^7dd>0wn_=c;wcQYS6f=?|e}A%LV{pCPQ!!_Jy>pCB|K4R!vc z_8dq{nupQGckxR6}E;!exI z8f2owQgmp&^`}4Ib zn!v!}Y(W+VT+~5;e>S&QO5HJ%)=xf4sa;<{Y>*JjOX-u2S@FH$kAe2XC#*%a=VEn; 
z1HG2leN8e|Z#)UcCssQ=rB#>MXuKlI+J0P%xHb9ko5!mHlW*=#Rwc4#Kd8rP?%RtE z8MsInz?S{kL$nOp%nY1d&!@>tlEOikByKo_(>YzTfIw7@;u9bcRhjCi{U0Fe4oC(y zY(UQ+AZlzS1EJF1b~v+R^GbVDTaZ$l+P03OE6t_Cr`)zW0SEjAwhf_sAElEB7~-L` zuAXAUo3UcUkuTqJz_-?;`N1J1!Y`BP1cdBhGEYA20;@8PKgf3EN)Q3-#je-`t9+MW zzlws9qS5ynR;m5V6u>9MSl=sI`rOjN*J2@NJp$fK+~;`)s<-pkfy(?(BG#>%DEK{r5U|;F?FY%R)SS(VPw{Qm$}8p^ z-mfImpx4-s7vkITjdT32Z>3#}#HV*O5z-AG zI6g*+XMEaNPN0bu-K2_@-Xz!TKZx`yiqSEh_y;F-TpQ;_FE3n)X$T#z2Gzlb^EYP( z9mDKUsU@3)VM5h)(xH5Yb;0Cj7Z3cBc+(f2Fx)M*IMfvd>>7W4oA9^PC_2tNoNS#qUR9 z3nwO=tWVUj2*eb{lTaq72NRi@uW4lDOeNMa^|shGPbU?PT0%Tq&BXlDTL5bc{0q90 zaV^xuhiLy`?jy1z(m1N0j%M9U_ox)rTYOu5j|y^ubsyyXcK*^0AIR*?d}<4hc%Z%^8IEY^Uqfs1Hk zJ3GfyaH%x-RH40u4Iw?wR9~YCM3$5_SZF?len+eZ^C=e~cC@2IdnLxhx+cDa_v_h2 z*dsgUnMpQPOWx58gEApO1Vb z2(tCMo}wcy0j8_ADC%JrE(dbCFECio?z;c8Ss1QB++JHM`o zJ!)k!yi;Gz{}eAi{GeciA=4eY5`&TR^>`^GuG|iTou}=UgYds%XYwl)opdS6(#1Aq zgFvq1MWSoKVHY?p;;q+P8yRmt9MTu?r-A$H|MoQ@!F;do0sYh_^*5OR55MrwqUm2> zE3S_+G$?+U*<6!~hT?y0-2dA@{;$8oLzy%R0{`rm_|HZ2|NK6`k-$<;)f~&?=av57 zelk#K2$rQSkkIw~{|@VafAoKpfB*5av&2uJJ+_3CQ{;o-1sda%11Elg+~*)VAW^uk z!M;mb?)o}75D9j=^PSktawL0+A5+f$CUno^`3`<+Q;@i%6h_fB`1|_>-?L?V6c@L< z!Lg_={av|l;&|QglD9D1;U+Ev-Jx-sYw?1VIz5*Q)rlyywhC!wHOga$AE3CDMQEk~ z3rLrHQc1vVUeh6x)B2R%gJhYfwetJ52}`QDJj3f}-sb_lIRQ=UCCrD@Aj-s<16|C1 z-g0CkP_WmX=BGu&&#N8$@zSnw*O;_}VEHk>QOb+6FFQeJ_ihy5D>@X`tBr?bHTt9+ zp5A8fAKF4L1&w}nv#;l+&8v)L+?EAGAs5_hJ7-^dgDP>o3l5i+oyoiAmBjd_S_q{B zECjarSmRbYCsLZZs9lYibD3=QGK?>i%r98-Uv(GHlS*J*I|{ zTc6I4Yj9!QgYe_E8JmqP?-pv>uw8oukGl3sm2JAaOExQCxO1DsdV?#gg4$za9bqk$ z$XnoQEY7m5;Dv35T6d4Sh~;80JY@Qh2r4y!;fTTS)GK4z;k|AanY#e`Jep#!aL*JVddcm6IIc;Q!EkvN$rPCaT3*<$tf9C(-j zc+V2Z3e$1Rk9&Xl-qaTS`wYL{GT%>}Wh%w5#a5A$PAf^4eN9Ce9?MY|6F4TdOtmh= zxcRx@xU?K;hKh22YTwH|QQNTmLU_YNHw$UxI{3q!4Euf?wtu>)21-sbmK}{6U^57X zzrBTP-LYbu0Ic2GR*yI9EL!GDkH2T&;u2I^Gh+5-T^x8?4G{N^g7@6r|`B_*E~6og#ERb^VPQkl@t7Ei+C64CpcwO=MzdcoCZ`h6;|3`lOD9IZ4-vtA=#IM zg?a*UHSl?3;5IU3`eb>M8GQ#M{g#ms0b<`iI6{PkgNn5KWB4BhSTNhU;;ULiyFFfh 
zef-8zdhYbA+H;{%P!V%vkKC)nqXsxbKY2c8izmBq+e~bxK(VhUeeQTkMcVV&@S3<= zlWdG4vIH8l%1Ffqn|C^Ff=lS|zH#F7N~X}Yvmf_sNox0zD{(kdW3=5?s|O^ywH<~* z2`sW{+3*EGBeJZF{4g)vF3ia3{%A8fADR6+f*J(B^y_1!Vt2tvyg+aM?%xMUy?8OA zd#og3RRXV)(gBMu6fbM`DoO~150xQPu)IM2+mCkO$kaM_<~1jAR*!DN$0d@UAjqTZ zuta%pUKNHXi1kkldGU$j-#6M)i^CqirD#nFYfGPU-OO^;bodAyiv@i9Sf&#Z=a9a= zq4zYi9LslHIErqDMnaf^{LqrY(wdfaxXh_YbSuM`HrF+9Ba7-w?rv8|{Ozqh?}ZPbTw91Q^TFA;DRE7L ztBTttJ)kDr9y@;h14OguQ9LpM8{*mpim#QE#N#E#dOR)3aH)Q(>D_IX;aQ0Bvrxlo z0Y!2XJ}yfzNqqclU(JK6KTC!^TP(o z!c5anCxWC!dzU@o%}+bjm*?)gANSnDnvD$gZL3;ljo)ig@P~`i9tP0v!H#70+X?2A zHHP}tDPEw!Dq<1eh(vncUgTFY+~p3I%@v;z*%hqpWzjh5V~>`)Z;H2K!u-jEBQEm> zHD96Ki4aJl!7nX-z5V3()jM8v15kT>N3&f7TdH`6WPbthpFE~U!^X6VhRs^3j%+4q zD%i|?+v7Y;eL>%|+2CH#R6VD3*#kZlrm_|?Ngt8&>BKBS#O{`T8|BiJ!#1om2SUs? zk!h)~Wy77@6#Hrg;he5xfDfXVw4Y5UH;5W5p>wH=Fow)qrZPrb`F|!dy?{TZCi%oEN;I?Z;#aPes|o{cDC)WC34-$ZFe$NI9%|7p{eD% zLVgQ}pLz&{G>KOOusqsk&CevbUINuWf(SlsX!b0ZYXs>ZwqLzwo1iaBnprM%sr1@1 z|K0ZRxNzvU^U@S21P(2~0(2o`b~_^f zQ8scg0<+{3tsHtdnEAmS|90R6TeCacCv%_R{R_v}u0VARA!u5%AE%qcxWu}>$sX2A zl)i(+!+gz)|Em1EQBHxu=p18SxZnPdrMdPVB#J3{t}SA?*1P&8t43MEncSSs8~WtK z#gqY8Z(o3=1TYJS{OAClx{X)ZP0L+nqm93cVP+BsD6C7%YrrY6i5!Z zf?OvtcFsLGt@BD#K!$6(yAuLTFe&nlNoT{uT=U!3057k0bm7hoJ-CpQg!*}gs>j;A z`5gJ02Y5m>;lZP^$qB0}T^-v&qmF8#6mv%eqV1jfxN^dwc$Rkq3?tA7E9!@;X?JDK?qK!diK+WYJTvo=I+^v;DGd4vr8J)4%;F+K zBQ}^#m+d;8S-)s*3=C9_YJdLoon0ycna`s?#XF`YgIng!PmIlra*V`G>)R9QM#g2Gvac%w(kC_qMF33>e$z*PpE!ogmp)8HkraNeNBx55DN0 zpMrL?BMDt~rVolsNfts1X7k!&r!>Sq+E32Vo-w9d06 zaAj=g(?T_f=j8rwOln?~E9qY6IL>m~&W=6w$sHzFtG}ovJ@7juC5J2gmfOjF;gq=F z4A1wGZ=z{Nx~&Z(ft4p@sK9zFqpyd zp@3~_Yj#|JPUs=${AAKzz@t z89id%@UuIP`iTJ!atl=rBTDCCO3Tvz$yoRa)s)fCd=Bn}g*nza_VtEf4UI)%>-()D zE(FFxPV2wyU+@+s7*=-xXucO-C~eMbs-h(qR++^xj((;KBI8mJ+$&vp8qoSTL@xCa zEx$ueJQlujHJ4!>@Y^hq5SLpwwQ0bt@H$(E41KYocehf9wccf3w9ceBR-D1#hvL}Q zwmDnmV@b5eZLCX7K3U9*8 zYQMg7zlOMtOH8t$mm>^I!QXmmS1ipXR}W~|NwieS7>G=~I#JP`!)h4$!e(BG9#zIZ z5YAQc%U*@|S%mYOd&_}8s&fAr(~_FAqIfkECq8~$haNGcs|kIKI!$rMzL~Fn!)=B; 
z$E!TXK;cF#*Mj=MrPXGT#?qOyoZxH{47fY%@Nh56Ns|VGjRkLyJYL ze6|cx{N491ZLW_*-J;WTcXu+j3nRN?$6lXVPKRLsBSDJ~yzyLLoGo%>85>i)hR?oo zMkv^bVT2y5cD=51XO1_s?04IW-wamTC+yakILG7Qji# zU^-nmTyRWnSH9YGp79!$<=nQvP~BFX^wNl$yw)U&B2gaK!}EkJJFg1beJJU;VxWgh z4obK~CRoNV;uCy@QN*BM2t*Ozm`F%t!B4doBS)u9p77n&eK!bfq23fZ`GMLV#9hDq zwZ!)!?C9#3(B8LPnFM!y4&qEiA;Wxayjw)8dK^l3c262i2HRYS-gFW`WyOwlYJrH8 zOH-8cil7zzIz`M);01;Ye!{v3^4{B35Oq%Ce;xq?VT}Awy#=lAqdb?LPS|i6vR=f` zBnReZ)`2cSY6gX~cJr{G=Ii{~Ko{UW&;`iYV2cN~!`96T^tq!&-Ct~c%fTi``xpq9 zB;OE=HTIKRbcl7T(@apt^uz7mLjaf^esuc74V|DWav%a8o&2gy1#0=NTaABC=H*l< zr@P#hFeM)XgaBWTGFb9czBX!EuMw@etfBGIM@iCVqNwqIY}@ld_sgK*qjYpg2^EmT zS0z~CRSQCk+bFCiA9F|@INs#=C00`j#oV%BQ#kLM4iJ;#9xY)FPs_M7aiRe;wb*29op8X;yaVG4CtQcW2 z7D*Yxy0V19DR5B6rkltw4$oAM$I-OEpy9k!a2)qRX3TrT+KYO|Ji<|eCPzZq$NN~l z2f*@zdkBRD`Zu)$4oY};^;tXI>A0*p(;Yp%j`fi7C0fmCp)EhEA(>M(Y}wb^TiDl& z{OCHqC+md|Z~g-)8Wj09bdcS^lC8ey-)@G39M@AIFO(>*BttbG;oAD!WqG~ zk+WGxT(q{{Pa_&}PTGn$coMB|CpFB6DZ;;f6_Wm`ckj8Pp&ZM+E<%I12dP`S=v)x7Z%3|7!Doe1ayBvMfC@|Pl?=zpIk z4_#`TrH zR^Dlq6De#<>k%uV4m$yD1p}`iG{pWfXwgK7x%8VxeOSrs#Oc67?k-V_)+m@dNc~6~ zvcE0%t5wA0B(Z|>J09C0g(TehUUSnK0AV8HgGby^JmHHtzT_iwKuC3pq73WZ$Seo* ziqrvI_~6vi6=bHTSY*v{?wJpf5STr=1VWp`FsWHA&;$5<%WS+d!of^q)3p6eP(26j z=XvzDLp}h0PP*Gw`GCdzfC?15;-TYfT21{XTezGQp!)=4=Nu>fGpR?ijb`QE>vCDZ z&T2RN2#-%1Ved2gssTI|Ttywhlj3Q7(OmwWY7o z&|WKv(~k{HRZ>EjSdUK3kU{j26}K}-jw8UnDGh{w{4lq_soV=4ck0X4C|Ff`Xk%NH z@|vKhO6^&*)aVVej))7plJ?IK##{xAd8z+s3#!mSFbO$61@7xhV+$b?W5%LtCI!waJe z_B79gt{q=RKNA6L;ptr%TGzWXk54YD3)>?TK=QxkoyQFPh2G05kTo`D3l6Wj63SFG@6zGqG z4qzyjWjxyab-Zf)=>ToCCI!!!sW?w*a!yx-PY`wh;)~5K+n0_O)4KYGgOt3m`0w8> zjoFB)dGwQoq)UVqrr6_OIF=o{14y`Zc2{L}uicS|Q3NMd801@aoXTz~cFy;3P0>wY zxe0g=fr-`t1_EP{%*F2YK&HnX>SAx|fDWtsdm+BY58R;6S2`|E&~Idb4xNF>I@yqZ z>yl@Ulc)xy?N4uk(gqVWtNe{o&)3%Jz^2>%B}}NQZ0lPx?#cbV1`_9D+S19(KHx>a zr*Q<|j~%i*l_kTAu1l^QBE(W3A;7ja%^vL$Xz{DpzZKiIA6-TK`AF=}N*kBl_pLAz zEeBi&!5El!-mOhSUjRZ|wKc@*INN{vk6%a;Njbwy`=Y7}!O*eCDAS3cdgeVIh{Vk^flwLpIDq(0OrEGVjznX2T8o}D!$`$wuL_rM{vqxip3xxGUk 
z>lreb$OdsXxqiRIjr+Kv&oKv=0AHV9(umw3fJJ;fg0MiBd zgJGfrrhjx(y717YwKyvMGf5g83?6yNvFJzZ{kOT)@x4On@12^^RTHQyUWd^{b4mch z3L-B%J2O~)+fM}F0Vjz%OHpl>zG&V150Goj1nCYV5J*c|eu}#3_f0slI>0O8@>DE* zh8djgeZKk)EE(*jho-JmWuyftp>w@^1%bwPhZq7E0s(6t%8KUtsNS=n$g?w7i_9Kg z0uO=9ltfeNV>zbu9_y_pIKjrO9%Rc;05}+AiITf*Eth7VcO@K^FDb(XF1(#8;N3XH zhbbH)$Pg21zlkm)huiE=BD`Qiu4ikEg~ruJitm(e@7xG~*RRt09PJJa=O6A4j2t~P zN*QUplDakZUw#_G99_M|kHwsQOFLX^TjvsF7RR_$;H+h!=wDM5bzZAi3r5+Utd7B- zB%XS_<8nIn2xa$N*s{?aw1vDXsc1udaRS7;f1THC5WaSPt0K#s&E!frW>PfdRnVY@ z9U|Ss;JNt;f4sP!lpK+C^Ul#fyiJ+G(k+(FEJsVtAg%AjkoUNB;D6Z372XUZuE2fn z#HR6FZ27QOyxS2ap*gIW1FXvX1_Q29{2i&>j*JccKBT~O+d~9G<9Jx)ue~?*fTv90 z4o=F%L(zMP$5PH188ojE*1U)UhmUfwfqOzYFeI#g#ic)i4ukNt#+#^Z`$0_MIn?tJ zzY|a)6YoF4WZpdM((em$OilHxT{*I;AK}ffoe6-~ur2}}{UYM|YDYZEAWNoGky=+S z;^7C{yuT~2(E6Ujh^Bz>L?{r~^vfZFncXs9fnv2G(>3Ly&~?9g2CiFRE3DAtVXY`c zxOETcvr{G+YV*tE8pkUMUD`V$2<2pM?s{m>6s{+hR_>j4HlGSLuSh&eYxtSG3sOxW zWsI+*M@ z{(60FbP%xo9ha-ZEx`5|HSr5dbBW8aA>-X5yVim^H{-8%?R+S@rm=o@dz#qQ%l01o z>fJ5zB9DXgyn2b+v@$c<)T?ttck(`2e$rjcdo0;xp)NrGS5%%%3445}#@qUTU*)L) z{_Fscxj1N$n`v-=&>d_Oco&S+PTl{-;46tdDGKPpEkTPs4UKzh)44 zBRJ2;Q6&_-Ak5LwZ`D#;5OCXB>NN-yJ|&9;o!UGe>?N1T01bgW$nhYguUnj@*M@(R zdg_&PDANEW9{c$3QRs$Z6!Y^mZ)}q==50=+e79H^%$Vn&7jn0_%#AeyimGr@~Sc7 zt}e^sS++&jb_kpm=hD3G41Eq9xZdlI(k$)OpvLocM_SKWu}+-=-4H)8@A>yYlBFIb zv->YaAvEwlye&h#@&Pj=|0^y9c`8>LvLNx=pIt$OeQ6=BsO{FKL*b_J@FD>t!+S=% zLnh}=TV4H8e zo{L|!qKpk?9GZNVj>w~=&*{dX49ThkK|gu;_;YB%lU?qoQcMwZyIsj%;}b>Vetd>k zRV6Q_VzG&KT^(~&3|PDU7Jt_)eZX!I|3%8FJ25Y`U5DrDPrC)1mFEqM7@g`;KrD^jT_m`>#B3T#O#vZt z*7%XMa*t6Afv44C+RdJ&ad@jk-(1CXWkS-J6Fs7-w+w zxAc<=dJ#qm2E7D{)p_$VtXOH?T~uF(r$z8^M)Ngm-6cBDS6E59C^^Syt?`gqfTRPV z=1G7!ASU{hCW_Uy`9+-)-ZHmUoQVO;@ zNo3;obo$6q4)NWhf*CGVw>D8&?Le6j4n(Yj7kI8*p$|So<*# z`<>g_3UZpeu_#P?*)NBtPF+b;u^S9MwzBk7n_MZj&B|)W!CsFoe-Ezm)WoXu{LnjK0NrXzVVRh?#~@ER3aa8{3As^M3p1Gc>f59vk`As5^4r7z^zB2}GD;@A{B^^?KlqCGvj|gLn59KrxZpJMqQ} zyc0((k6ry}8t*u=dsGJw#~QWb3cD%36xQb9N;Be$mfa8w3x+kKY;z!@a90d|`V7*|;C%f-L 
z5*)Z-^bO;W{qgBkuTsE}|1At7bi&%*e4R0(-8`zHRPk4}@-N9PaWrZ*I8>1%hcqMv zCnib?SWN@!I@p#jMK3ITes>CyJS!Se&t;HNWk`4c%$?0MKQvjJMd+=7po?)QNB{#s z%^;!i`c#0^izPg~O~Kfu+Y_Sze&e&1W2Y-aN}A`_G8e&#k2P`j4HaRh9Pqu?!;^d+ z{}1`*9Uk(l=Yq(JqCFldJ3EYlRjC!LtFgZcV1@C>F|Dr!v#rTW$Kg_eEu;MEzNK%} z^IaE6&(sfM=^qvP2yDaIWKB3+GOj4pjU(!RKWzA|4iS=A_C(Xlr#KcGQ)*PABkGy! z$}>||{bE%G1$M$%XXU|H?4f4zRd=>b0uDQ~teQ7=&I;0%DDHtISd)IiMY$Ik$-qWj zoPA{Z{rzGliE%y@PR`)B1{d!5Fm|W3;r^AxA0A#Q2Zg^s=EQ|u&-?!3Gc#1M`47^y zrA(QBq*%sGY&lcEv$B0LQ-?+Jj}o-A`<;}nc#H_1(!2I?LcwF-u&hx!z=aS-WI&>< z{3+>OM%vfjT;JUNspE~J37NqhhYVV%naBb08j~f%gH1WSX_@CAioP-;hj0eNBKrGZ z)LY(e%)iyIDH)cgI4zRMY@DxW1#5IF0OOMCr^wr%s5P>mDJJQogv+Ra{RXXImb!FH zU>lpbkWVBBg1mdQ4B^UaXt(PPS#HPm;OosGxW6eF#5yaCX#k3qr8IWYPwIOV6^2{Y zOv7koI|E-Yn5YGpbI$FM_>Y?jCAM=UXOWV`)pl{{f}Pgx5LP+U2Ftm3^;62{O6b*Xe85J+QF;W&?( zvo%#27>s2H6dDssZFdpnCY9bV3%sB(b!chl(MTpy6 z`nidl385yZVUgvpVr5a$AR8_!d1GPBr4%k(`3-~%-KbLY)E9#60k~t;FwA+~uABM()y77>O!87NZ@`r7s2Tle=2-Me8~sVHX{F3NevELAB-Gp1B~6zLT8_05eXCK zjG%9&?+6q;{GDO!Oaw|jR0rnJh*MEYzL*rWb0r1ld+pQKVD1i7!UZGxhbaWwxo|w0 zj@4pb)vj}G3n0y?3KkW<&aW696@$^y693Mj>~il;2^-WcsK4DfOOvjohV|u~P2-|k5#F-?N6TO42Ru>naq20bmP!!3s_(VN3=+WMG_Ux9M+;G+a{-t zW!(7B-G)kS(2QbnSshrqmEi&zC2yDhb#7Ja(^5q0UgG6k_MQFY`b|h z`O6}E_(M9^*I<;mA2_aYwO9lUAgLsm&x0>_>~&OIxs_Y_rLK0kssgKn($?kZPcU2y zCL|`C0%q8}DGczfng+1D=WkaFU@%wch?Mhgo$qMVBN|-21cWeedw0$1CpInR-CGV; ztyN^!{jLm2+qgYRr=lwU?N+x#nw8#F%>AG2$a-5L)|4uJM_ihM(v-|Mj7_g1yQ_SW z`5mZ*#whV*NBTEp>l)U(7wT54!dKGIxX;Kk)aKps5587kd?$C6Hqpr63{&f#9q5&i z2@-799BI-$c@aqUvr8V9<+_2 zEeuf)(wX|7T(Bt{BG3R?g0=QS1H?jRDsQ&gPP{4aL!`5>Qz!hzLJBYVyJLL~#=<_2 z(|=8W2!pA4Vl@BQ_$V$28`q^11G1VYL*3ieH3XOL@0=baTgh}+- zrUG07I_|k-{hgcnRt?5;qdNXvp^0j5>sRpxcsGAETx-Y2b*sOESSN`|4SHm=kfJre zGUUGKvd>j!*C?aqXWCfs66bvi4;h{WpFYa|P`SNaE!wo9#O6l9?n7BVNIoze5Gb$( ziX}cJ9BH`Wm?k&>qn6ReRzCrKg6jsK2FN0rr>j9vfmT#`EJh=vO{UPpFt-EM`O8X1 zL5Zd%ZDk@W$wgQb4k#N$2q+mS{i@^={Rk68tiq1^Qb z)!yy&@BHeJ7k$HbZLkSdm)7m~elnB*a0-*WuUR>u?1tJ$b<+u}M=>9KB({gBb|qG) 
z9b{~L*9t{8(hQw6euQYyi61YRW{r;|j6d169I~sGCYO#0E3o!iV&V-FXiNzZ{@u_x|N(io^?Pl&IE&A&fWKwXa zqM=-QC&ug`p`ot86?RRd?1^PC38(;0A0GT)?7d}FUEQ{>8QeWcaQC3WU4y%8@BqOb zf?IHR3-0djZo%E%Ex6U>`_4W)XYW&|Ro&KZyY-`fuC`b#)?$t^`{@0B-q(2Ku)KAV z8xN*K$h?dy(^PEdo*{xm#Z*50aWKFbA_Aw1LI4rk7HJt}MN`;?V+rb17e ze|d2Ov6?P3+D|~C#>za15fjS0Do%BL%QUumJvz)|sEU#qt`W|m;Ybqbr}&ja}VsO>Wy-cs8qJ9?HTebrn&tE%!-0Ft92kLS{@% zrK+ldCiFDF2uBI2ucj*^90R6 zsE13)7D&vAjct1{YcunkJOZt`0|#=C%0|LI)%0!XJM(J)u{E?>O8c)mE`=_%?dTD$S9qr7O)W_E8Bm1^m z%cBS1Z|C&^dA@Ycs$TOi?%o0#izXHAw*n~Ai9J0O3AL_D9o;63Xn4rw51Y7bw--5s zl@DD@@R0VAwbX;nu9jIcWX@#*6tOOkY5J$SVfTnaNzQY3u4SsDyJtTF*t8ZBE$XFd z!X7?rPx3|19)38z0Rk0Ob=N+x?sbTKxMOTXnLWH|Zt8Ert~U$1l$Zw4z1p?Wc>#5Y zbd92`6G{4qB0EN)*<5s^XX>uncBNCvVFQN7$Z#)+g6BNTb1t{JMmFo3HoFq)kbkv# zGJNn!Om$?{fyB6xbVu)7Nei&gRB4F^bN_7rC$Lw`^ABK;qy*N@UTo7AUyK23S6#m^ zLCRI_2Z%FG2Mys!P^%vI=YiCY-v`?vu5sYJFKS{)j7>L36n@^soIeQ;QdJ>Fdb%-e6 z9Td3awD_;M-svwk2Y6AFZ4G|6bMh$j5z*0>TuCaY161V_E&{>i{tws#onYD<19KAE zY{&wI5*sN~Qk(GjQ0GeGl(>lE!eJSH{`WtrF-=knr&ex8Pk3?;dr@zbhcvwt^kG78 z5Pi&3tcV`@i>^ieBDZhWH>NA^cc&|N;>jnxt*r(!KtM@Foux1di8%bmuRS@s)nu0uauoxkC*s37oyfl!QOi?NL&<@2C)cLo3u@t86W3BMhMFTcz|1 za8|cba3bQwV)LuDg>~Dz!R|i_(I%+Ijj(ba@!IDfsCY*qLEpTx@vunqYv~US#?t}H zz`>L!!V5Y94TA7Wo7yB-AZe0?JdhveN=XqRR;3thBY6d z3CiZK1Y!zAV*uKRas6_zVrTa}jdAIk^ix-P0^3NX*w5Q94nxgbIY{Kk8!bb@72MUH zTet5#Rd12$-vCgszt+WXAf z-5Z%0x%NUe7H!-}XmhpcA8!WGAg`Sxn%$kcn+05MM_=)T8<@v#SXaI^<8fIYDi|?k z()SrSIQ$q&e6q3_jvFLCj}<3BkN&u2*UzUUUS4gI7}J1vB(ql*>dv4bN}aR~oc`qr0KUB`@SQG>eS@# zapI7qe4;psl^J}V9+!5}u>%Ed;){KHBfI78o3=0)en$aM4E|OvN%k$x1)O#wTB|~+ z#HTqiIT3P@)z4_7brB3vGmR4gwz4ce2EW?Obkb8>{O_TImdrWr%#djK{tlk`TEVR z-b-RNV~}$Yb_YNnELWS6iL#I zYy?d@kE!eLi>Rd@PK_VmxZc^>Kg-U*VQu5k;eQm>w3ia3ubfjD-2NP9ZCs0lT3aI*Q@zDCAwadg1rN8iNbiK$>9&Q|F(CsxKMaXayW}wk_EI%($w=E9_Ra*C z`&j`aFKlrw;k^a5yVt>V;R}NJqKv2RVP)xpXg_jNJQ{R)sf_@KApX}>Q7Wg{oCU$Va_i< zWF!2Jpm!!4PdO)7a9Noi0Z)Z@6ehQx%va;^of&yn=ev|i>_Nc* zgD>cO&+rlbf|s7xwSHcjWL%kXv;RCdyn&x;J1Exh2DL-C5>9_}pe0$*gcK659z;Z3 
z8cVic>Gn>35rI`d>J!ro%g7|O$t<`h)i?qWA0Fs{DyqO3BB|D1g>swARTbA>cg88~ zKBDQr!+8qWI4{aVRro0TpQ_zAH-~>6`B=>8_K2b0ex9N9L+w|%fgsQ;cFbOs%sTkN}U_tH2K;u_6{?SpI z_}haydSPEE|AH!FsWhUj`}W8E`g`8Pg(!0??e?zz*<(pI9OJI_&-j|S%UGIA08HLM-2*VPgvEFZqdfLn{ynB z1;@q@v0r#z>0_E2>Y<2(YTEl8?aAhdp7dRXx*6>!b;(=A<@%AKUqir%m>-32C3@51rR1 zPuRp za0rR<)g5o*gDZ@*Yfjgb3Imd;>ccg{#7DL#0dIcH*549T&$kn{ZYZitT;G-?pd!9z zu|PR(<;iF@Fl1OZl?GtY9k$V0USDgJo1qQcUrW!ZYvbi9%9Lb}zRuD$_i3#Kwmr7- z8VL1ALb=pqsl(2$F%j$3R-? zso``bMQ`It3(jz6G60XlgQ~^DW(`e#u|Wj{O7hL2WS-~VUunNPP#d_Q`#;{0ys9!6 z{Pu=27`{-+DG5Ea#2q&0c3u|P#z&N&@z18pC)qEgr3RFTY-YTtSfHJ`;G`N0curAg{RA^~jr}W!=IQUX z4>ljGEl1*}m9+%@74sD)BZ;q8IVM zgy`KpYPC>(5u>4x_|@jdrigi#@~JT^uqkogVYkr1*b~fqIt(`DrB?e#xOL+Gp6=81 zVzT5>*%Xlj5-wI2+)HCBT|-XB{`%XwQG+XStSz(5{l+XW8_|lPQc$yFiEfagM-4P{ zSGfu#@Y}CWI7^*A^}IK6QA_N#k1t({J9Mg@Xel>+hHG7D`u9BA$M++GVV{iqMAX&U zY1NZu74hj4U^dP#v26GiHADw}(P$11_FPxN*tDAczVn`)4JpO>WPVaW;aU(f{&-dL zdtH~+SZI%dy7d*L?)WMK_ah_p_67WRXFK7C8?v=j4#xf}i)_2+>jJ&s{`zu$mW|TV zOqzV3z9NfI(-el7oRveHa_@a32bs;>q>7NApeZl;L7p478~{n}aSU_H{#s#V;4qvS zXqa;{>nkcZyb<`p;i_MGedTuG^~5Q*-dgXQTVvz2^~6^qPTR%BLcoxP@+^Yv7-BM` z>pM>gb8U23wbTs)xDEx*gTRk~$J^{Wp4*>ewR3rwIF>ofyXmCX-zcW4{r42R$uMEW z1F$#5qw4RFU`rW)d`VOd@O19+`UBJR!GiEfc@E2Pc#<9f7hla1VeF5#0Iy#LfM!eT zae=kv49dXA)yCB(TfR=3e85GaVABx3(5DZj&5YbOng0=g1 zD^keUt{m8OZ=B4JY*yJMNam4|?D=V0pVvm<}Bxh{tj@io7G~XXC2USwR z$ZWRM6!!Pmu0cY>r>~e3)z&_S-vqm{$U>Ms6C1t;Xg)z0)$3WVUgLdQENaUp4;TcU zY(;oCXbXR9Or77?3gxvV2gf+Z&jhY=->neLo6Yb7G9UY{0+Xe`P!!f`LusP)kACX_ zxD#t|iZL1bEh*)w)1zGxD0-u~HrK+x?#?RUpwMUcPm%#d4Y5Mexgp12zZx1)ye{O1 z3E7m1RSDH1f$7{!1K~x*|3^4I=v!uT!OYYHW#;Zo`)Hd02AQP86suFMF5QXYavP~JUBl5^JW+Tj0O z7sZKwJ+jhYJe&V+w{SC>WS)+uNZ1*0#zkI|NC@I$6u`4JU+i!!jf%~i8WeF|K!g0_ zLZu6f(qlUczjoKJYsEo0f}92pwCVa4-Uspd?Ev2BIpO$>o*ym}W!N+hu%LH#Q zK~xD?Ly4+o0%(p}NVm5LKS6H)?$vhJBI<5jmBAlQ&#Y(&gq(yB5V$@>W_%sC^=X>> zNqfyEd0t-Zmkd^r-`#Xemk2zTr=}oWIC)>02n_>ccTQbq<}6xOv?o{CzQEkugzFmD z>DcWknA?RPIXE}k?Rt<;9=Gx$?x;ZEOsFO;+Dsodr1Nydqt)3~>w}vy%$Z(be 
zdzkfEo-F}Qt7MguIOJ_izijnuL90d#O?gX(%9R+qo(Z~8N)wtU#DOL}~2{!ddtO#XgJr^Lu&st2C zt}-;#fwf?_rbZ6`1>+;emibBPYrJ}QCjy(4m}AF4;D-*E;RGB=doK3xTZHeCT3~D! zL)R>Bh#8lb1*pc27=1aT?9tKXRpp6x=(g(6V8(Zmu1ZdE53`ncYV#_mFW%D|F*fj^ z;%WExPWJ{Vpx^Y#L)D@or3oY9D${jVx##0?5C{`c$+KHvL#(>gH-DPbKEKCYS(;@j zp9>qmo@O)Gq??`M9n-2gsDtLtN#+iV-Vi zr$qQ$y%D_R_tczq^Qo;|0ce-BVu{W8EZAJcsfvP^>c1yxXj}TQ6^O*}XePYV29`3x zb4r|lUbLbc>UT>x+N0kU#_-G#zR+)m0@X=()q0Gq+v$!61n-Mqa*}l<0aSzP$7oH} z;kg^l;q<%W!6C@kOUyAv1%8fH3UFX!$j9U6fYo&i(?H_(f=LhC=7l0J+=na2d?Wh$ zM~9bOeL}8tZf$B1ca%2|IS#V4wT1s#?RzWZc-KVYIYOsWH}@1zJLYU$@T$05e>g=KPuHNt=8B6knd3cGLSH#8+6RVJCZ!ZV>O0d&SD_} z$7)_L8k@j<(tWic=CIc*XUOU@0g;?5w6vv#j`OHSgAtlo=R3)Gk^N9@=9sjDI&e_7 zzyj2x2IsU3rjIJ)4~t7qMXGUw!fSbLDuQS3a>7?0Hzwcm4r---64rx3*A4gmmOgaw zd&$EAE_wm&{#81~MtTKPW)x!`d$pl-{=>&#C+?}iZ9!uT;V{daS#+)`SEw5}fMzv0NBHwEn0|f*EeCCa zLFwyt9=Kkv^WCMQqoJW~lfiCs)HGwsiS38E z-w!R{AVjjnr}M7iT&4s51?lB*-8yv_d@h~7a!q$--DSG^`I0ml?z&Z6=ED}zG4<UBU6bPm*%`A7sCXsOuC(JoPSovweyfY z)H1>AZuTZHGpb(`fRHyJhCd#~HPJQZsjigo>bEXP&oaqi;f7Pnoyd*l+i;edZD|{c z?z1E<9?js(2-b0q`d)34V$$(zv2v7k`DSsFHMB3$UFSFP_^K*cn54n3-Bsmh98OV! 
zHiowZzX`?h#HK9$dLx{1&KN=5p?+%UYybIYM^oOYQ80AFn1OON@4F85o#V(<+B}o1gx=N0yleSn$2<+v|yCLmrt}Fzioz5 z_LS@AMitklLu6TkEFO7>9fr5r6{&OVf{q|2-+_*Q2rX~udOoFQN(Ui)x3#ful-g@S z(+N_48(AAX`FNWDtGx`ZJT|`jMRouRYyAXNHtPn@DRP-FPF1HD+yIqnQpej!lgu$N z5VcFGces|QXX3V+Ojo3TH${H12XM#aAMp8_9s(*;la8_B)?iRvnnUf}o`_FiTF708 zimpO^cDrWK@>!1hwSFzMi@VGxS<=vCbXB!Mwo(07JQ9%4v5p|gT0BrIQv9^t0_wz04Ewe$unmnh|?X`G- z+zjp#P?DL`=DLCU-Dk9>?hh8@fcn%9r=N(yl0@r`KEL?-`Vx>i#-9AdXDmg1&zek& z|r2M%l{@;kb{QsZW``=FNZOHsh>_PS-?>!ZK zj$SGN!4h48E+;wlocfS&XXyiyn!j$UT#7Y|P1nNTRr!Tt0Ari!hms1zhQeTVW&5W= zMDt@;We|HHwQt*i(sftefUTS@-67xuofxYARj-$f*eu?GxigoT9+D9w4c|AO1ezbQ z>}YDx%6?UNOBNIXVt#T8pr|=|zadgf?ue(ja_q7Z3SXi_{Nd$y7-(9HI~tr621`+} zIfaXcGP)rbNX0u_wb<(2eK#5}GWH5i2dZ`oNMJnk801y#h6?jMlCVvT-43+8QCylW za{GK_`Rvk_2`rGnQBV_UU~bQ3CG)wnSjmut0OPfxx&#|zm37 zh-IQ{XmyBb_Y)!wF!UKlIDBIXJwJ1c=U6>jHe+*$H|S{TlB&xFzL9#G|4QnO5P@a0 z7hL|A#d_%bwpcq<2@tfiLhk@5PahRecLe%Zw<7g6+kokDBM3rw*#6BZb^dWak^I@Y8uxqMZ2^9Ood4orH4mu%x^j7%?aKj6)#jP4Hw`y&D>!Q``&xQg>TLF0QpP)(Lvf;1Grq1K*t=tdGJAzmz zH9|DfTgZuPA`}!qgABLkj^-E}MUrLz`OULl> z1uhPQ>iHB6R#tU}iJ(#jP2JbN8}NO@a%wa<&x4k73&9@eOZY;mI{AIMQvVNFPYe>P zHR=vmPZgBFV?YN1j*MG!sxaGc-wRU+=+8vHrX+2?1jwG1s*S`ViqS(Z~E z)S>k8RLEcPm7=jt#dytRjtY5wk*eixh1d$(d2BMW$n*GHBdJtt*i~j5S#z)_4Dp6Da^$h&84zbd z5E)wT$uT{Jk#CCV`YD2VXOqge?q|%k6}nC}KE=WyI3E$-aOgiG;i2Xvn{92OZ_CQa zd?ca`?*g+hc%GzrtgM%o6P$l)`{~w~9b=jFS104Jc#4s(z* ziQq}(+1-8QRwaVQ1cDaA^o2k+K*VcxQsHD1`ZK7zi$oL`-j_qooAI-gfNP@#?t8C) zFh}2Bk#BUeY`s7tl23Q7lN$J7&QY5l+@^D8FcY6b#*p@;*7!c{$(ci&&p4=r#!8re z4lA8_!6zxD&0x}}DFdywc}|n!>uv$yaUO`#*VEuu^k&xthvI{)p;86LNs9f(<+jRR z^qq0yTEcOZ5$asm*6XcV8raGXx*j=-y_E6AZ^t|+_A6)`o0WW)kR&5=$!YO1Nw*Tf zTf$+kMzLEZ=vPyJ>WLAZr?iI*7J&$$a;D@D&TyCcfmqUA5MoVQyJcyTotv@fxRxgI z^7x}BmzzxDtWh;oixNpdEG{cShn4k?4|RW&9F$7o@|W-+n2)areJimcROrBYB67Cf zuZBK$d=2xDhx$U4_WV+A<|UrE6i7zBM}9oAgbdqGw_1+9&#HG1I7*l2o;%JP#foGb z%wjQOg%_a^Ak)eU#O}qoc3~eLpxljE*)3ax5D9OCp6+%86ZO*HI0<$3GrUZe%!Yf<@oMWbeO@o0w=@aQ4u@G9w7P!Gh!5{sP` 
zLL&03_PG^38D$H0O7trWQAw^3ZH4oERzAH&yxHxT_ns5>JEQrr7M}sBLwTtXo^GX0 zxSTc=rnjfv2Z0cb8_+{uip9(C; zqx-rcKPPje)PQd*NExWrr_%WNx=oI1#tnCJH^qfWm}eEwZy(cc_# zg7BX2IW$spUYFYl7QzaPM&$fE@u?|n_ueTwh zOEVEwvKkf0=6skk$+j|l=1EETMAbQ>9*Jv`sv!x2&!uTGK^`=4Vsjcbpyp4cxX1aC zIq1zabK2yHxBj1tS%3a*G0#4B1xvR$)F*CykE}(KDM8-6Mjk7zT%s#ACE{T?BDlQa z5_zM_a9>s~|V%=;IY0 z>o4{4_r4MOYZt=_d*WD9+m`|ZEX55U+Gj6yX3@fQ%^Lt!RFf$|dfDBIw;OUM-vz!O z9pF)k5i!Y*Hou}|5kJ_Y7D)7FnrMupMg{QKgH%L8-umI^jEHjvEKFU_c!dSAE$GqR zBpPk&-4Xg@!mH40_0@)b)k6?jT}C^$OqYhtPH%Q|hhXZHpAKVBo328gU>yBi`Z)4r z?iNTOGAo*3!I&N!-RHEaywvAYf8qqWmjZgIYwr3Z29Z^A0^evGI=21oBq{QK{u7=0q17KoD*GIk=oc zhacpCH1`xTIlSI9;pK4>z$T-CW;rfqz)NvsQX;4FTDAf!fX>>HaSyidOWL{H9RR?5S!^uehvcE`iGl)1h&uH(`*GR zRZ@BMErOhLy1D~q$Tkg@Ns+?0m9;$1zdNs_#b2zh5M(L)5Oiq&?B1)nqX0{0f-l+Y z`wJ*RzkS3HOn;vb;=F0#7mGyhX7FH8f@!3Wzdl2U8Vz4=x;jqVR#`zudk7V=r_S(= zm&9G`dR$KoD0yrL_{s}&j04QxSMTlUXh{U)_Gc^9vM*?vh(?Lo1XGo+!?`AFae zK9h+h+u#SD)XOZkhrH#lK4=%b^3GXUEjH7vf@A<`PROakG6JaLFYr|qFcDk|>ngvk zBU>V)t0=JE=~i7759L-#eezJ8nG3^De9P?Xw-p->OI!!JXy|C?Da<{*IjsuUT zSOOOhxLOc{>H>kZeO1-1th`*pia;nHBZMy@*2~Z0lG>uT+GFj(UXvqbGmC^%t)2r3 z3Fe5{ZVm$Pc^8@>fxNaNzK#dty-~KAY+mT!Eka};ABoS6hMlRvZy5{xkNmbSG*o2H z?_>wS9+B3?>}`>8gi!j(KMfG#C=Jj>NV8+~AKQ~Ae=aCt!0|#0n)}P~flZk%&WN*L zo%*DiGw=*AYTv=HUbZfH&W%!suZf)-yN8OyrNwTtlHk@HD2Wx$pOFeK;C;Cxg%8f! zOi=yKSLF=fb$u)Rj(6Tw@lw#~5dFwEch9Dc$Ol*Ib1pA!V#AB>Q4sPO3JtI90ZA6? z#!_(8b^Dt)A(FoV>La)jN8(9+%uOVC!{=k#cse*Ox2(vbz&Fp+w9LQM0*eS&_j z?9Uls(K@UmK$Kq#(-$wnLp{j#ungowiLU<7f;vIL)=FzcWUC8!4P5{^lIp z)DHO%2nt7b&iQdg-qL!u-i&EpTIO8(Llshp&~cT8^g*+FA8zC! 
zHVO1WO1x8kL(Q5SWPTR})Ez zZEjziV8)kA>oATg5xa?hVD;o8NqJI`cQ)2m)V4mYdBiM3B_05@7m+q{6Qm0q_Bd|} zb)S|+`XRt`C?u;yHfSd@PGdfb#aZ*WCe6^^qa_~ip`WuOyIUL314qP~q(Bp{y1nTKYsXX<$+i-Ef3;}6?Q zqZ#!b>0t%|J;U~^7KE;6Wt}bl3)4H7Ddg=ZB-ri&e?`VGzgV{GL8E!y%P9P|jCcA2 zQ8KNKz~fUr=|n^0j2)TI0xmiG`m^!17aY<)y&<{TUY!MH+Hkm3YF> zK}{afo<>GgSxYnjR3&}MB|$dV6N};O4=c&fDoB7dCf#%zKPGsp=`}trv8Q+P&33gYh#Qq}1yVD~zr4iQbcQrOCv@G??_qsdzIoG)RaK?HTaX{Bi0xCyMrccL@@V)K z{|#{vyJ46>nmu`-Q*|()s<~bkK1wR8Z<|QG4y>Eo+bg|%n74jLQ2lfNr zNRa0=leQa`HQ`$u2JF>g38vCv(iic597xsT^o!Yu%?fXc-OIf<`_U&pfrq_^&0J!=<6uE&gz$#wcyQoW-g?Ak&lJ2Xzf&uSU~9W@<;)3!&m) zjT}4s81{=fhWt|1KUSeNZb8d>)O+_a?Hn1M@BTfJy!9jE5_3>R9Vx{4BMGa0Q9_k? zvV%K&edYvhi2Bk{;)g;?Op;<327h!c6PSB+c6fN>781v{80S_?83)o8%xfQHTME;S z9tf2mZ9&SB+0eDwq@TX4sl?#@VxDmmyGB`k3-YVH(Z*Ai^!p}QP?wnWaQFo~9(pYY z{GPD{R3B_3D>f4sU*<)fxm1L^v_70Yvir9(@*!3GHLJR7kr$j~L&3f{qh1*<^`%0c z#W+tc_X<7=`l~Q8}XE`#u2hH`vMaMS6L1x!Nquy!{ho#wPrW z$cy;DBl7rC{#zn1l<$8NkvCtgZp>&vUY$G|>dGLbe4@xaDnouD!-d9Viz%4}`RZWXkQLb-u)c5{xmT=rOu@VgDLV({@ z81wS;xNvI-h7(Sy(?X#?>r##OB^se;j4L@mS6scgX_4_XiKlPV8Wh7q zhu;#UfK4mIa`zFM?Jp2%zau!1N_&hzMx~rNuGD(szlowWME4EGqE%lk5{X}HA@pjZ zgt9Xp&RrU<^Rx$K)28Y1gMCf;Lrij5kaEsw{K)#EsKffc1c;*)>HPYM+fcfl00mQy zr5mLQHfg_D82wet8_G7v;HZ?ejW?X61%vdHJtd2c_U;JAF;3s33?7*<^iWMGx5OeG z5|)=VinIIn^FzvF?795>xxy?rM;HyErC~hFT+ny$G;?MYW@|#0P<-ji>J9@KLpEw~ zlS3U?}Wb-fYg-I?h{wbGyyuN|4#yWs5kt{HQpmte^R8AnvK}~iry+)yu}2ZVg{Q>Y*RxlpDUm&T z%xoxQ_Dxx`3t=uX+;9dtoo&EZ5t_*4%lFT8;l4;C3BQ;L@d$y47F2^T=L+>pRc6NY zf_S}>B_3yY5{%(46LXTSmJZh%r+}6Aek4le28A5dz(=ygiRbbZv-w{O)IpQ7>~-nL z3b1{`M*AQKzkhksykxWj1=jI3r>2m!zYVUe+G*@nN=%zd~ zXqz3nlJ@18|L1#O^Nc;+V0@d6Jocq-zB)zGke^f1QWH})>p?2kV zMSPGuGF}BXS0eg7AxP%CEa>t3wM+-(Ls9Qr(k z9UDbRW^QBZ%6<{b9@|cf!ickoHf|A7tWyj^DX4FhUu>Zf6Cy)GM3ZB#nhq$zwcEQ} z55)c&36NN*8@ss@6-_O59DC`DD+8j!Sfma_6>6XyFYn{||$x z1qB_WYN{t1=9;JW6KIOPP~5S0%Gp+EYj-~+GnW|!K+4~HK;vq;&aEif&BSHhl{H@4 z%0F#=FYwXUWE5BUJ^y}auVV$|W`@9U?cQ2^hTERcY{3CD`pcje>+&prMG;p5Oc-Gd 
zu3B1X4F`>i7<>dn`8%X+shq8M-4fy_WTl36?wyzbJ3`syh&Q5$HvWlpfJj!sz}%Wc~JWfE@3Id2T<`2 zJ|jhE_yU-pRgn28qQmLFL=}p{HOxMxaI44A%4fZY=Q(R>!mZTSCH3auWA(&I5jNkvUzv)Q<&*^YD^X zfuE0Arc=tOt$&t&JR)AN3KaB?s!D_;@mH`qkr;C;(?TU^N(WB_zWB)_^eCLNnU+Pmj0=l7<6(umHXT1$Dpe^(Zh>L9r_&r@I!YOVptV^1N`ow<=y~4 zRsirbGpjmCuSEak+aIL;1;O{bL@Fp=K2D(2SKmX=qB=mi*>swc!0IfXLLFMNqhxo! zt)ynFHmvk0%cm-+`+Wvw9>)#<{I;j?xG|~auQC%jlt*XGiif&XMor9)aE@ze4#o$skQlbvs{Ppddb(!lGrQ&YH=Cz-8=6+4Hy5VY)1H_bcX!)ML&X z%e{s239Qbv1Tn>Z(Gg0CG@fntUv59$<$^cWU)j=Z)T&KxC)-@LwlJt$q6_=9Ia1_D z5IJjx==69h+Js|uLUd-gp7s6-Yt7o+VGRt=KqpMIR>YOeY`LhE^UU~|uyiQDj=J6b zD7TfGzR$;1XNKcj>DiFe8vQ3s%P&Nb7`l{MV0J5h{hL50U;I(c8IZ}h6XHNuJW8mo z4Y9Z*IAV|DBwRVLv~rf(Y}L z$p_n=T7)>~DWZsvssC;kR_z3Lvtv~*z1v9U%gwi;5VgM$zgVv<`;!^Tw@|*H?v$T{ z5^AU;zG;$R6h3u$g+?MldI|%fe8po1=KXE!xe4m(4~0qKF4kJEdn>3k{B)!rp0F7a zhb-HL#1LcAj^`rcs@#HY@%dJfNANax+6s9KOWz~kSKUf$`%ZqS#E>H>5#PqIRzUNP zt5z+O8=PbvlM}!oxA!Mmqj6Z{2PdPsXEsjm`9O>Kr4Uth9xwU_HlGdJl}H?2AG_kh z8{)^DGt`SQo*WDyep!?!r7*;g4fTx}RY*A+s>0CXWk?t@AGwbCKMDmT3PUZo5_v#E zM^bJuo_yxFh2Fb%zmKcTICk>6mkCDrFk8rh)vv|(cOYL6C3Wi~KG8R2=9U~~m-7)q zQJA5=<=xj~JL={raV~Ry2c#3_9gX^3X1r|N`dfB+jv^Umyjv&?W#M3eX_Z7b(i*LYj2u*;S4eR zIz^v437<^UGvdk5Cv-GWG2n#>%r-s((nz(SilWHaVgpcS0#*$))eIsZgXi^|UwoV`B&g*;ovrh{jUNPfM*nvzNo8 zGIUJY2CE-PF|RkFep@Rd69H5wkkw}LWd7EEM^yE&s6r}J1QTz4L+Ymy$OZ$}o>tW$$i zwKqU@Cfm8hjj|x)nEkS+=pHd)k1TAh2XP5Y2ZiT}Ro2OSSoDXmdH@$3H5$)4^Bji; zK>Z+Orsl(9r-DVyIa~h`0|20Y?>0PbzlXD}(Yz&UN&} zJKZxR_c7@$iSHCom1veAX{xHM7M#%(@~X>A7v=={nu|UR2u!==GB@{9eQ;_g=VaQn?6nkLeY&4M2`(;(GNAc%(j2kjYC5M~ zxIQyCD_#Y5+CcgO4t0A|t=Z5qk`!*ksZWws{%_z|Q}`R|2cfSs7zA6yB?dX)uad8%x!Wao5^R>I`a1qUcDfcoYA zh5EsQBdd;J1E}9Fn;pwvsNZ*Z&zE!A2(KgSoyocb^2rri6{g4Ck=%DsCb#Zfdw-*T z6}yzl-2Si`t{R{nf%7MFV^upxhOe+0Zt497y!UM{qFNoLF=@ZT{uTAxL$S6us2%$! 
z>X!{oNG@@vBS6H3ol^A`r2pg>9T@YYF)^L6ib`{vY?6D5{Sg4Ca)Kk5lZGbZK{t$9 z7GGk}jT|Q;c{XwV5K>6o>poZG$Gb(yaK^mv=gSFMD~-BRf^O7}Z3h zU$N%#`?UQpZ{a&3!>Ffv6FC)w>>a5?M_(X*`wECvE086iPQRlxQdM!J=3XvM)u>;I zU#y$=5#(u7bVL|uQC3#^|ilzP{8XL}Nk-Y3v!S)M+9 ziX=BS6c=0lox`ZM&asO{n_}_mYR9GDeT&aI_VJN;sH{vz-C?7O2^JBz!w8DXX@SXL zq`>B<+2CmImsgMXMFo)$b}A)us!cTr2?>hU*0Lcwn|&sGvwEX&Aq#R@9fOjuWo%>>|N}FCN6r1s?=a zNS=sm;hj~Qli+cbgtH#6d8Z6D*qhR=*jPDfG?i@CHCU9-*(#^a=M`BMjRXfHr@6bL zpPVNE*|UeU_`jc#JRH>P`k!0lf6j-HVM&tE9Sb=)tcn##bpXd}WVkuCy_N84`xUmD zVGEp=ys#M)cit^VZcS|T(LcymhPXVYdL&|kuMqkPK99Pc%*el|sjtF0RQFaD zYAbI8?kH=Aa!rmolWw8!-j`?b?>&>NuwzKOaA(`VST+!`q}mhLTDB@Hab?cadaM&& zj;7%_@Zv#jSgufNDGAH{GG@VPr<#(FXdSUOrP3=|>b*U|6)H4u|K-0GpB5lDMFgd| zl$Vm6>nAD68HJb0+gkY0Cl93c!H{r?Oy#AFYiGS(Nwt=>=ny~_o`%Dw^-u;&3T(!` z(;_r67vdp1`&Z11%PPJA3%=FfQ+iO)N?hSc!>II~PSh<;# zY!|)|iN5gcmJE->Sn^pIZsvykQcWxA9z$Q{OOHG6;pU8UT!CanZZGUWglh7jRV0YQ zr5#l{6-g*@u&&~l5@ti0O7bzC+GJ``op0%8t5$qPd^@Cnvw?#RP?T1y+z!EqV_XRu z^$UI6j*9|qmq%s!eL_gNc|u6!$RAY(@3)YsoiE5>TW;H~?KN(2!nsri!k2YDNixW} zCVeXD{uwEH#0fgl-hu0S^}CuZO$AVEygK4(3i4lA#c7fAH(e1t``(o2g9Xe^wQf=G zqrLcMP%$~n(P+EPP{UUA!eV4}B!dRmOinW3*?!@vy=tVI%JOW=;Tm-Lj||v zV3(eCtC8_CktgWe9||fNQ&?AWM21$s_!4S6UYIoAF-`JAm=j zul5Z3!4^p4FChRcD6Ou^UZR#HIh8>dw}w!0iRI|5Eg?FX9W#8;h{?qVW?-o!;Nr5n z7B|QW8$4;P{#zeOy>_H{QnP*`89mLn!1)P$_AgdY9(wy6_Pd&$pW97N%l%b$nbD%a z5}+s_MNbG3M6nnyD~_3Y=xlR`p=nxjxqeBGT#UkGgsFf*m+=gS)p4_sR-$q+oST;0 zP#m}JzYqLKQ;ZYNOa0M-4WBU-JDjJFGUZiEK>ipw1P-Y;eQIhu{#Mj@2}{ITm7H97 zzF3C=u~^j$@z?bk-r#4HTgi3kpD!jm+XNS#N_{FoOoyA5~UWSlDNb zeY_gC<qTWuvttOjEbCaQTu;sA zn8(Pxk|y|vl*8r6{|xT|5IrRf@*p}UOb95c?aA<^e2Pk6k4RGB;SceCQdLS8yD@>1 z(6)4(tb$i|E>4$NPC2eY)cqtkj)ko4=t|PkNpBlmUT^Q#PjMyCcURY=E@uG%?@>%POJlxfW7-5u^t{r#Dy0^wzS~)P>1*$(u zl431tb!(L`1R4E`4!M^crTG!7ws7pn9I|Qn*Ha2mg?-WhRfre8|M!zxe7#@#7w8Yh zLF#DTl`SU>T{Ci)PGG3YEl7w@zps?VY2MI@H3=#vMQNGfJ2sKfWrOGXB`XiiGs^7k z2srP?Pw2-!bw{eHw5lUju-7ieYY+)iT7{~|Q{mJpAsFX#E%gY8=GYNtbtD%$RPdRhbM4Nw(v$>W?}we#}3p3xXpg2g#4 
zm?0CSiR7WJa$*%)LNnXVxU#lwX0Y%rZp)vP%hIz7vEHVfgpiafWv-9W?C8vjgGD<6 z*Y83iHl!n!*U~jVwPwE+kPAb3+SO8k3?VE4IXg3OFcPv4zxWCE9vT#N z^x2|owt8jC@j)uX_67xoE&Aolm&>;%h6Xlgip%i4pL6wVf%dG~}n`Pdl0R}G;r6RVZBZ6Tw-$DoY5-|8;l;jI?h5!@dx(H&0@1}hIf(i6%|tOX5?AH zvorAP{d#{ovo7Ypoq<}%8MD_-%(Dv#YBy+L(Vfwo!J!#IM`>O(a90 zh&@9|gkhb(J?zliG?4L0{&|6{xZ#^OF5i@!jvab_^jw`|-6GVRXKR_`l6v_gIqOZ7 zRaNVp&OQ~E0VVP1M%M8ny1$Hp;Eh_HIM_r!Q&U5&O32evf3T`gk`nlLgjaqHrpw}r z__!St|58R!iD-)|W*B`2k>!EF*ifhgWy3~oc=BRfiQ`|wK+n56Wh*Om=FLWd6<0OW zW|DS>)a|5gI;M@%SLrZ&er%GXfPks7P?ha#8tZ1Zy`EItjZd5`oF}!k{eHj5 z5r4lo3pJV?=`+0(dg|i;ws7`!mAksIO+r24mTY^I$u7Q3)qvVdp!wMr*iXqDMKdxE z3pf633rr@|m;P2wNbSUXwEud8P49L~wQ9fJw4Y?I$@m@l7^I=`KrP3PVuX#FDno*x zv`h5ikF+nD6I2{gfx`LWCjUZ@jyO{976LB4U3D%Ye1kV0~qao!j-9 zgw`OknhTvVlux5vMQ1ia?>npG`FA_ucH`rNfQlY)%>5jd;gNE{<=0n;6^5Ri@9>oW#)u7VxzKm$->hOF zsfJkd@szlL=4*sbZ+5zOv;ulF^xQWzMD-IqW*~`P3=yUvYT`v07J0#kmiKm9`&Bme zD^AG6y)4{E?wk2q&^Y$(%xy3H;>;{<= z0CK@zLMGYkh1Q=A?nhUA@g);^xi&T}n&KzkO2Vk#XZcq7d!qoWSO>6*-VyuBKlYIx z5AdMZ&p``Y#ZZpmyyQY5b6RKoLvg#tB3-fgGYX}S* z@RD<+>)Z%R)MrkRK$K}ebiS_|8@iY~WA|FF)41wAa_&D$-Mfq}8D+~opSB+)9HoxDRcnIBk6z_Iz!gm?Cl^c^&jBM2FR4&-~+bK?a+&|#k-v% zoBiIx;-1QfwC%QhhqNM^Jo~V_XHIb#;1rX(9;{j4?YzMBskA+1A2XW4+l4He4QPp< zQEt+^E;1X%PuPyE26*@!P&aqPe0Licpt@H4eZ}>z^E2Ji(cThqNyl-85+t=4T*>Lr z{byY=M0&ES`&#XTTPP0!k|t(|!}_l90X>#iptkdZbSUI1%=~OU`*g?iI$^4!CZ-aT z(k6I$RKz~Xr=q`U@ZrIQk|45V=IAl)}+jA3oAuFT+^f@j$;0=lrA5imkSx6Zn2j?Ed&xjQXecKd-Q2a1)}=!sIub{G>-s z4mekPlV`ct-&BkDgd=th@#u;Ij~B_FIQkX$ZOv-<5YGe0t#pEf8_`_Qg3En7a$DVr zLU}hWHf*3tYUjFCU{0ifqq=Z(*SXOgCBNo05!mo+#UwQvI{~%VMGNOA?8?`dA(y*H zF5iSc4A#sp6o9vjKkWS?(jh7Z7g^ZWFMpW?H9aKYrLhJ{L;1-oynfeq??P*F>G(t( zg+1Dw?UEA)dbNt}2K+g}Y0vdEqO-_oR#NdY>l+zB$8+)`2>0_(mZ=F zskx;<&BD>BG1xDm@eS#!hNeMgJMU;-L*Y<{M3yLeP@2{zRR^|D#W-{)IrGs;Er^0py-yL(xSBZuy7MItkGliBX!*1%J#j`L8SOAGwJOkQOY@K!u zFAfSWB-MrpyG*}fVS3w^YIbd+jGJlnjDk;Oet**Q`r$`pMHi&RNsr8a<~w~Sk4P-c z+`KXV|o6e?g z0W?cQ=|gg6&~^~itVW*7 z{gQHQcJch~;!EfDvqLHzZAxxiAKZApOuQ;&2n1*#Ti+q{Ivn*NZgEFeAX0FmSL3I)t;=s@gF!|_) 
zX<9OT!;;;@tN9^6(RSB+@#401UbhHL#O@V+y6JVmH#mpKEased|I}vAIQT%$^Z^qU z9x_KF5ld?3qH@B6|Dpt~!2sg^y{^+wTsgwOl<$~s&#-oe-Ye8tIz({>L#UHXo5$Q> z2deN|_R31L`}L*9Iys!SrZ3;-$ee-Dm%b{F(>DHq3_h=6r!?m zQmp|bgm|2(`@GE@>-=%cHPHB_@g;SapgV`msXP?Yn|W8QP>#Qi1-g&$tRQ;U6M{Hy zeqrSSihvv*2Q)4Cu25k+J}#Z+Ybaf-RKg5xR9)C%G2iYxG zi+O7y!N1=Rh8^VHZGN#`jqSQ5Ff4%uUDz>IP)|3)U72y(WoadN*S}`?X@ELv(bf$SHS+FwA3VLVlx7vf z0?Ns*jGhPdRS;7Y_9ArYg4RL){^;UOYuuk_q!AC7)a|=#Fj#O_uW@SKk7uOb6S}b8 zaL2w2TRa<(s6VmB6eIgCOw$>&seeN>^WK$J-)_)?{M+?HZuF-r)R7a)FdQX`oU;R` zL+~B0%{|Scp5^b#>%X8!`Y&z)yNKh;iU9OzkXxsKFH$)a;v}eRysW3+tt=U8$&faF zcddPAD%J=H3OOVUcKFopB4v?6?Ws@2FjQU+{ZxsNj_Malv3r%z1(Vr*B(v6yF<)$0 z)L>S`XXXzK)fmye=8EuG9mBfdYUncmBvFO(Vx{S*ZtC5VQjFN3)-A3!!)fIBpZ5x} zFS^2mh~<9U+-vMx&AZXY{-X1`#p+J+U;L&%OlE(M|Cp09-1fL!C}I0aLQ8GMrTlW3 ziLMVFw+*x5f!=k`)WXp8-O^hT<=2O+k@nud)fcp2Rea)i!J~TocGx)lLKPEinZ?J1 z#w(G8>fD*1uo25XlT}1XQ|TS2GB7HyR;~TTJZcIV=%>ee((t8;OZnr5zb`yjwL_ng z7}`cR;_JbQlK)lTqZk4u4(`hSdHdwU9`oAlY#%h+!Y{@U>4Z9r(x4$Khulz86-)Aq z5}L5ajvTAM5;>@ikfk@Jak?Qpg#^#vY+uah;t%{iOBIN35b0$KGbly_7#Ybe+`16y zVU%j&M@TyD>{PrWR_W!_rIImfx-&|=-Vs# zElamJ?UNCsFwA3$9?-OB64I>|Jb+Fokj1a7o6OoHscf=+NEw+h*`Mj$kPabAC3sS0 za+}sT(Yx>eE{0K{FkIJ^^3YkW=&Jq}6e+5}SEL1!7tI!o_A4PBDAOPVKYUYfCP>$y zFNtStOpl%K1yR^dBDlXs+IgrKo2N>LXE8Z8)?mNaRtNUWbp?31h#1%H9B;k5f+6|s zYgL*L2Bom8yQfD&w!(}~8de zFx5SH)vKnmktgWN!L^SP2kyizSyeeOX8zC%^@0KJ7!o1S1j2vxJ@ui|W;ySg*xoaf zt*|sNA`YE~b>tvRTZfcI=w1rH>(_#}b5T1?cej2LlZrFbr^B-EOHnwYozyD_{z=25 z_(=-x#cDAM?oDylB(vcSoA%!kbwXTITzIQ z6ZVFMfC7%K25N%1fN698m4xqFu=h=SYDF`1PXol&s=O8b&JG7~76Rj@5*vWCkRowP zQdibFwXE_j3rm8}*7^jyo?9EG$ZvSx6KDNbrl#xfpE#F3l9Ru|$D%7R$bLcZu`WT* zTY-_!vJ|Zr(Ha^5RnX!MZ(L|b5`z=HY{*8?TYPGQ39+@ug0*;!aM(xC3>BF~=-bpU zOl1c{&eZu;qKo?MD$9R#zK{9UJ4$Swms(CVwm^t`!g$&DQ&r2>L~Qy z4|yM0F?_v8Zp?W4Lxg>*2~r~i6^@-~6#VoeXCyq&BCWBAG5G^fkRSQtCdB&TCf#`r z0p-axCFoev>2L$h4r>T&Yegi6#0*_RBK`dGmBjWp;?rvM64-_!6zxCO@+j0iON-l3 zJ!&=|=xoe<5FUU)_T@%WG*m;bK5nPihdCuRl!f7@REL(Ldf&-s+~C(eBai_SNtukn zy9`@Rc6vX3wq8@*+OV$?D!RDb)4z(-kFEG 
z6($e9oaTxPxRr43bXc~Xu;oERCCY?#3%{l4K+7XpfG)k8(s96x|JJ&iq<94H&L43_ zyckCBaqLE3Z`)@3$I*i1y;e*XX)2nk%!J))3-Gudl3QmOA2=BH(#*7Jk3^B0904VNe^-G}W6Q&OMPnH$4CtSr zk+1a~RJ>dM-HE_BnyDl|$w-il50+q3kh;e=lOYK=eNUV$vyAs~w%iDU6`yZEDG2X) zLRErV&b6X}@=pkh7xkiE{di^KPNxby8-5(qEstU_W6RB&0@B9yTS~=(XHe2I%nT_8 zkdJmEkjOkM488ix_0q*`{X)QkwvC_gxHe}~R))P=&Mci=_VQb;_k;2oyBYgP^9RE#8FKBp( z+B%@;G&t|Z`&L;^p(lLc&bkch3aS*2YleP7|CsT4+j{X+s*D?%>{>!^9Py?uWD~QT zyMF?i?rIICL_mnFBs2A9IS~dN@Nn#&4!QX%Z8@`Nh*&ZiR-kY&(1~IUR}}~Y$P3}- zby2C_83+FLEqF+`z$WQlL{=$Dd?DcaPSGHuUrobxBTwx-$rV3yz!|?eV!3QR8H88n zp_u({%<=5}RquY7eLt?HobPu#JXZk_Jo>K4R|LU7!TUiNTu|Jk9!u^=?n-|MwGXxs z&Koi=w!%(%!lmybCdbJ_`qTgnZM@iYUG=$?D6iSxccdTm5PC;NVU!Bet@YjRS#f{f* z$f@2WT`I#s^3r#Odj1R+mnj#9Gbd`huega~l1IEkLZlVZR}*%bT5h?~gD^{-0{tD8 z`r$IniC+5hREM(+V@ogaW#_rP^zlj9D_Od}Q5p22ga5VN{_z90+lZCu7h7QoTa}78 z6<}pLFxJ+j^jbN|L~e8TnomirxcB8cjPZ1FT2cZ@JTYK8%vz1IJ{;TMKxHs}nq58r zHO=*kG5Rt3MG?@X*MG%`OQm8?Ew+VfO?&FA~5u1nInJLj7NSy|p;V;IC^$Em%hIe>)GbCu06XNJ z+7cJ5@v^K|;dLM1F8+JV*GeM_X*y$hlE}K=qcX~4TFe5Ng)iB@Eg|VRlDEN{WH2Yy z3bfDisBiZVx$q(TyCV$_Z4kbEyK6yNc=m972S3xhaCueV0>e&`bdlW>G@}1Q#Qq}- zZR?(ldu-VUg^w+YxEWFimc&l4G(z-_*@7dS(B1=w;g+CyH3=QPV&gBCa{)x+jq!1? 
zk1`*;)SFD|&iZVsj+`dZnUaLF?qcWjw?T5JKDVpB-hOKrcRBoDZ9RB=w+26mM6K(9 zCVXvuAWJt_vqsZc9LV4|Xn^K$!{R0CRwZgj;6HwJe8r$bwS#EIEw-VH*!)pPS_8*-a8TTNBf{nHYt5P1>hhF-hwTq;JUj;n7~4Y?B(vNah9Inut{YcvMOD~W^7*o#QitpkO z2i4C00563kU$dkiH#}`*JT2btSxdsV=1eV~ESIC-2ySG)6RYm4R7i%c*#j>c=2gyk z4FU|)$89sWevdmp%A55K2Y(Y)pN{_Vzf%N#x}Jh;H$rgcO9?fK-9t1I>EY*ztXuLQlH8D zs{fyko$uAF=Xg6MVXH1{2D0GF7qhtFRg5C4L;$puRjo(1tjZbB{m$X|%*z%j$YN=-I zMfv)3gTLuw<=BLlH)`y;M~8YNRD3j0NCjG*y5gwS{fw+ocAw;4w8-4H*8_|fiDnYwyxpLL6%eoaka;hRjM1$4qLqMTn71 zTah+qh6VHp*c|ST>#&LQiE~RDdHxhiNmq&l(%DZkuPE#pg_9K4RF360w+gXd{tU0b z!qmt>tdNz5a|_DH>l@D}P@j;HOZk+tRdttMwfM0xPZI=zWdW^u^)eh0!x6;jS}|c` zwckC}GnX%wR?q;332NeC!rOd|5ic%=jz*5k+P0-t@5DJo@H16elDFQ3V25hK+7vwW zaryJ7tC*RQxEvBVYmGAFL$68$`pJ0pQEVaK!H7B$KPsQ**nIS+^{Y0gqJ!%Y?vSpT z&+eNwtU_+^mh)cei@6eL^|NG@?CWa`R+Cl38kK@m-$^&?W~ z_h+E~-OG#!GrHiXs9o~7E-6HA3y2Tfj~9h)>?;<_P#~IOZuyU_cKFOzrN~p}*0vzLhx>OEF05F|J{@UZnttH~UyO+~a{J)yUb@`UfM>7b6 zzAvU^a0kzDn%|!@Sa9&2`yNVQ+DWyySvkIJeugV~rc=09yqbne%Q!&$xyPe!ZR#LW zZR-_LT9Vbu7^0qP^|ckmiNgAeq1m!Jt`&!+H+Cnc)XAKt*iYY7(E>_p(<`qP4eEVm z@K5gwD#(mJcGKc4Z_4$`0dVEP-*Bb%VbkE7Ak>*>xRQD}27oI+AAbL{{AE_${U`c8 zja!nC;zP6l7;meVjuv?YCQ~l{{h_Bqo=GFz{R_m3;lU zb6^N$_a5trcUpDjptsm6f8i%kh9EdC7JGB@+%>s?(FnqPdOCki}egtBQ+#}B)!J8T%C5R4H%|r zun5yCDrYG$K)sQd!6fZwAmdzPk)a9twWUYXj)Uipo#byrUVANv|* zfpc|gj9o?SBkd0|etQ46cLDh=oF-E7Px9LC#gwJxq3Fk6C zbjfe3;v6Fn(Iah9Na@zis(jIYx$b?k%0VGmm(9hXQL&sxR}o#aLe}p zO>{NG$)$}bsZjp4+X$7siE7zh`^$xB zWmR|J{*6C5`1JywB9Qu!-4HZQyA|AhKqZKHEyAQbVEqbj?~0|rRO)Zct1zdvf>8ZL z$re3!2n&tcuGR z61iwpf#EH(iaszwNgUd-Pq|yaI-T7R+2xy9^Jxe7SU5TO#YhxTNczOZCD&7tQ?(Py zh*Z+SmnZgm!H(ro?*)q&#c|IY3?Vt4ubK{U^Bb^b?JX-@manaEs!LwkH(DK(h6@j* zVWFrl8PmnK4y1f8Prcq^((IahZH&T3lA{N)Mge!514T3idCL_uo63kTj;A0}Uh3>W zlM4CjIQ^>I0xlPx%uaHf*CrQw?jh6(SDKP~$k!zFR6&DsCAaOtG;$Y7gfAPTpf%Qb zd-4e(Ke&L=QjU}Qa-EpAN^Mc*e@q!e+mReUXEphBKG}8H zctBwe!h`x;-V^+4c~Bsaea(zbNE})wjlqgXz^b%F-+SBq#7G9+=`Vh0epDCHcr>o1 z15hq3QoJ6VD>7T|C1JN{pe;q-kmh?%Qpp{0uU*!V@pA8l+r?219lT#+)pCJ4qxS-JwWZe>z@TeQ@*W 
zmyz!Is^a@>PP|U5E=D3PA)CAY{{^Y^>7`@RH#`g7B?=S9MF%HEGx>(1EPZpDE~~BE zRv-{yi!UyJD5Tph{lKxQA3juyk!#m1zx0_o1;>W{x(^=g)l2<~2qU)bfW$=OTzoAOTvo1QEJ#M;k z6%}`B#$+q~)86ud&~u`X)H>l-!z?AM7pop&Ch$CrA4&kKQV!Wk?Tn3}(I*3ti!MR%J-neK)wQWT&=U z8Ria~1`;8oT0?9RXKg1!?0H>&ZhUXRVPO6*u5!O=mU#dcGud_QqM|ADNzH$5n*<6J z^Ba^>yOCc=;;zZed zN7?k2IbCJnZ{RUTR}n4XqK#3hpp?IfaW94g=IPBt1T}1o^MhAiMa@h%0*k2Oltqw%-NelS8}-0^PZNIlJ5V6gnA8~qUKk{Ju0hQ<3$Ky5v-pFrZm zDXFnRrH#NhKO-fex9|)`3KrzpAoZn637ZIGlD58z0{thIusk?TS)c z2wt)m7B^~HscX&^|CX}?)|9watvaVCWzem*?qoLevu{zarH739h;eT9Da(gO-f$y! zQj3|vV7)pm1U-26nj$iF*LA4o*LByzE0ky7;y`l>mvRC2h~;OT382mvbvL{05kxKz zb@yOQECF5Ai!TwCS&cX^=0|@_(~LibozNOx2WH2lTsBJuwmi{w;vl4(MAoIp?peko zC3YosQsv?Rm8rhF{EZ|}{r41TyWXa?Mq|4dtTbN28&rCw`}_DVV5bX>si$KDRl?Dr zEcFz859k){)32X(iyoC@rnRs07(ISBW4+gfTqaRKcuA-z?w6 zAmEc=H>4qA;|B8JKV1VTCM_mx1qf4vnRt$9$f02bc_c&L4XY&P1tWGg9B#g4xt=H? z0D>Ng@yI-rh$f3~I>Si`qp;39*CKzNpe)l18Tj3SHnThxbsCxbB>mf6>-x1-o!eUD{fn z?DdThPrx0{T(J4>B@ZeA*KGA7(||njfGdkO3Apzl&0>_uMre9Fhrfr6o)K;M;sDpB zzewO-2y`Bw7+^B?n7#@Njr>IgtPIyYeV)IT8O1NaXRnM_q%)G6z;RcbwDFU>`f#pn zP6;ilX$#-a7f&jAZC13kkoIJ>+&vyoq?6H@~~;1h*GOeE0LH?v5}!BvfL*<{X=`qb*~(->y4M`PZqcl zsZATwq%#bH{-p#Gt_LdM|uzwSS#>-)g=LdB0uH)!1`Cp$=5!p z)hStbqR{568zC}(In&(y_j)I()Rr5%G_N6YD%t4JxpCbZI=c)w`iX@VIHyf^(1nJ+ zOKF2^m#3IV5V$BGItTEI0m9??pTEa_b$Qs)phQ{HZ zZ0cjU@6S9#616j)?Vv(5`OyJt+Uk-)oVj^RO~tJ++#!!vq_ z=3ze2lEsYu^p5qF6ct(Nr!j`9uYuyiPV2lzx8FOCW{lQA7}$}A6$P_*-so@!R{+vU zp(pV`^IORDAOfixMK%s7dWYr^Slcm-HFrcO-8y7d9N)m8{7xw;!^~&?N?DdTXHoQd zAvUnN)(ILG9z@ClV(9dR?GZ&8?U#9SY}^z5{m+oWzlTqp;jkAB#OAXhr&{lYo>Y*_ zb>x@#Wi99bRYio_AZ_gi6%q79xwm`X@VdF8m2RjnA056aL)6AMa1z2l4EL-^rQw~a z_pQXg3+qL{{j7P1MD}rdOe|%_OUx0K9me-sxDC4B2XwDCV}KtubXM;!DSc>}NM7EE z`_`v#(oA(5GelHs%LXJn~HW4KAQ5gMmTYb+GP2#F}vm=3BnWyd6Z<7KxSFvkbzuo-qR^G}RiV{TMoSlK^%CU8~ z&p70LQHq{#Dap{Nku$q*hmpLy~H0b^jjUQM$7%zS9s1!Cw0 zb@E&s!^nvVjud>No?lh3!gB$wBhE+X&;og`%x3XTrgTrsWeY|W^f#Yt_IuXjge*Dn z1TRi%u*98-r|fKhkQMV?yz)a*qOIH(@*sP2q3`Wi+2SiI;2wQ)Q2yPuD|be%ij;*u 
zyLeIZ!V5qC8;PWw(8CnHJQTfc)C_@`S|z0|yiq~Rd4$Wk>ib{I-4EpGd` z)9EfOwbs?)Zih8~9^13Jt9vSZLYeBhWrf#W6hq#dXbi5~(+cJ)o;m9c#(?qh;fm|r zyoz%AbpQN+cB9imVX{92Nn(i^UUhks7M)~It7XQrNOX^-F~e|DE|0n1KOV0fJAQm^ za?yeJ?D9T+FM)tz0o-1+Bwp5m*PnKcdk@g7t7-68VOx+I&)8EAJ4E6KTSfpuAwX?3mi>^f^fgP(BW|WkdZi zz8B&|l(JQd>H^Bgkbfy3*^44m>E=bUaKAQcjxyq$*h^4+5V3Y z9@0A;?_jm_*xp+YEp!?74(X&kIucL*@$;dl>Z;$p4t%9D@Y`E}u31ru!bs?MHf z*xXIAMLb>iY7STNqA}UxV3jSVCqKx;A8gzUnKO(qLQFYkz7x^jNO^K+ZOmz(nWLvJ z2a+dR69`pMDNT#iK@|B^)3P%=#t!psa#h2LRjL)kI1bbv_*7D+^$;m?m?EQ0RlezX zzxD%!`JX^ASTWzjhhs3OX{XlKtUmIEeef>cxf9r*^X*qUjx<*YF1!)^jlcj%j11GV ztSM&bV`TPHrgy@@`gv84Ra9Jh`;P?7aa7DpiLigHo^O2RgrCo|H!}agHW_WZKbQp3 z@IEHJu?ulH)>OYdN_)X!8r)ox8~Gilmye0(xS^2G^S6_aj7-;MN9!=1P;%Y zx`pq>p?V@7x8zPWy*teGjr#gt>8!`afJ^R&V>-MRWH6V5Mb2CJLSgr2i^IDbtILU1w`BXOy+FG+$B zUFH{bW8maFUc7C-kl8CAd|H=eC|Y5F11B#W4V9o}MsxNS%fujS)A?0S5Lp{#{bJ5| z7Y*}t*FjbR?p)}SSp$MdXXR9rEisiBIaEs;c!75xuc%ajl@%D7)&W`~lrBGw7=F)s zZhRUn3bXpcjJ0pdmVGzPDfluK zuAKKxY*^L4*ey~(E+^M@!Wh@pEJ4%eyClYBPS?}#L^;R9kxhQ#Qf({gHk-Ea;&#&@ zk}YoF3jbbF4Z@A+w))<%7Y=!Vaq{T(onEPtWz5=Ir<})^k4L`3akbce!s}B-=`y1z zfg|j~A7(P`t1wB(c!sQr#5B>+VrZ9IA)<07!otE_kIQ7gev|{otms_=r|0Y1Wh1b# zeRsS(ifKDdHbYC>qWe>F41HhJn&oq6Ou5FbIb7B}K+78>IPuRDU&S?+loT+&Vq|HF z&+)-z*lcjZDCFuTfrNyF;eu1*$FD&Tk&C8&f+BX*@a)vehZqfM`~4t{;PRIQirG;& z-U7=*Vuzr?Qx}1-5ClvT%=S#(cjA|bbI0{AumVpi{X@8znEj-i^1e1FC0DoIk$l=s zWD5Pe`Uw7qQ8h~f)`K|(1z!#} zMiq3=*b6Bf^fOeI1qZ%hc2xFQHqs%oxC{+-)fmA)HAZ3;zF^C)I460Kp(a1BYYoZR z1iLl}U}yxm7LwuPFd-XUXbi{npE(=f{#-Yf;5uBlFh>P^EwvX2eX>VTs>bZsWRD77b3r z%$qSJO6P{~wqyI#fiTPH=tA7Ky|9)LD9xrzs(|zqn~TzfgBCO^f>vpvmS78KskH}B zZ%$G3An-&?rWi|gx7WqGvW?v=RJ{3*6D^7$Af!SiqYz8q#PEg)JCQmHP zN!x66%J8-KqeOqD)A)hsW=qDOPo=}XUPJxKVZ6&Uoig`doiE@z2_q#P$>ftV5s@-@ z0Hwiuwze2TGd7uh$A#(lJ;p7kgN0Oj62lRE6;AyIqG|AU4zoq#o8n2pSRj8Gi&j9u zpQ~6Hk$rFodYbqWIyISTFHCr5DTsy>Y9iUZDrxnl2;s~V%ebWkLR<#~0v>rJ+~M8c z;uM>8iFgsOY1T?Pt5dHoo-mp5o&d`xQvcW>&Uvom2no$k-?*g7sTPDpwIi=~uvZ6s zVpWYFwd7-}jmqXKx*5cb(QV8Zd5n<}!?F~(H=|9&D(?7ws6vA3^>p>vvkU_+$(WT< 
z>#kjHmEbA{I}XLBB5>h9GLsC_Kax?K1d;dxTK0nMyAMh{IIqa)$juX0w)p z3R^t4-HI+-2fXZ_`mW>?6=`}{M9cp*8x89|^c5!S|=< zCB0R@g!i6Zk~9BuNiJR&w>2yuH+a5J_p-0$`J~pS6`^^x^*;ZD185hXk|8|xxrbcv zP29XnON-8BP{m?9z848_N&YDy>g|;|6T_&y%e6kt^zya<(k#21d}(WA?)svIa^(CW ztr-u8!^LJGPRJFcBm+XA_l^lwEjzk2Pv}SueWs-m8q;SES2C(w6O5wwh_U@}o0|+9 zIsOsGN!zU0x+Q8#+OOYD<5jzJ_n#+_>kAI$GF^vz8J1VIYdXLZYT=HvlI)?CH0C+`oPThMNuNQ zFv-C;3O<^fzze-51AE=9!L%?vj}F|Pgirbw#RlkmOQXp$zD8v`XQ)@<2_ulyj3jeA zK4~Xvbk(V~zVVKGx_;HKBK!|PGk0P-oLhE>Xo<0B%GbTDEHrT!JU#s<@yNd=I*Dru z1SY{3y2WhgdsO3v9+&@J4OAf#GF}v+p1++Ku$mtHEg!Zg?;N>O*gg1 zV)jEg_W_3{URno3{bO<6eY0GgfG5R++a1X!hCKUGZ5=(RkwKpK55nw6Mo{saB`dDQ znt1DWQ~2FsLu^JxB&fdE(J7B5GyISOu(f8E>*^Fx+gB!7Jdb>UDuE#YT4iiT6Z{${2$sNB6zRS?Mw((d`?>yxzPK90b9a>(E$ zT^9@+5UKuA=SP3d8zA*GZheO*FifmwIF##r<86o0OO=je401B#)3UA>3l}$V=Sc=5 ztFAo3V=h;1MF2Y0j6gzIT{!@1%s`WZfToqU&9vyOUZc#rkA@ZK5^`icFn+S)EjTCM zbGC!)&i6(?eP$~+o$tSz+sN4xvvf4=-DAbG2im?ihU+2Ku}nB^=(?E4vwJ_&tkRa8 zNO}nvxQEE&a23f7Uk(>r~aM>pcs zER247R|P!A(Atz?RvZ^5ZsaQX%2#XdZSlGd!aRio=p`p#)n6?5lhp_JE1lk>_L;Ag zx1M@T>PEr!?4(u;E`JmTQ`SLV3#z+ z`@j`7Zm^?+Jo3#+ChDdW)I6`$MFYP(g5y_?xiZpCj4a_0(W7$gcdJD?MU-q=Z$_TZreS>ySXzMj;T#Ql1@d~aU^6Fh|oL3%k7 z@Bj6tAbzs2SS+Ml$?h#^ncj$>^Y%-x~p^DeE5 zU^eHN4n)K~t#VmWHwyU&AQ)u}V>ai0KHof4*ca%BF{t%5*s#Tz=5&ps8;S-teiCW{ z=nQYKq8$_c+2EgbT0#>>TC|b0X?j?xm6YM9&Yn)0qW@tt2kw9U#b&<$9Uc;?WNeYXxn&%qYAhaaY-1Q*H@&Lg^Hk&olLDUypMv53BzdBc_5YO1%Rl>i; z9af^jc=Lm1hGZ}rdh?$ScB0)q_F;w}Y>7aiP+ z7I(J-rMNp3EzaPs1I4|#yASRTJN?VM@7a@+&DrdSO*WYigpdp~d7kHY+jU>`Fh;DB z(IW3Ia)I>pN3_c=MI(X(Da*0Jn*E9{S&3F!TDAOmw+sgd7h4(*u3m+lC}4^Tw(lVY z7C|{LM!e;F>a5Ic+q{0GL+PKzY?R|Nx1Y8`JaT7?*SLyY)7wFMb8VC%)-+`!73M|Y=O+> zCl9N<(0+(BlGWsN|66)B-pY{zOYp+JB@a}JoyU5)er2AObU^p$6_^2zeIvnn3svWz0AnzOkor3( zYW?d(^#50A%mi5>(9-*!7K-=9c0$86pWdw_p%Af!bPal|n9xGCiF9&LdA`!0q2EJ) z9I(%=(R_HD`{f63LT0FA1&cC^E6xH{##gHk5LzFZZ}j2+J2a-SX0_+Cq&FgKn|OpI z`R5_Royh1N zbsJH^3p)_;)OMNEJd!-^-1w=p8$vrHO(%nE=ZIWyQS_EywHZ&amr-{@KS+ku9^$R< zEg#WKPQ3{#JVyGK419u#DW(6ZEc~@{=&won7_xy@S@*_MI-dfvG(@c*nXsj~ev@BY 
zV7uXAL-ZaZ?oCZ>`oU2-eFJlnMPPX!uh#pTPbH&IGKy6&YW<@5V@nBE%UBa~k+R2s1WHO{ewTiwT11n6<;1YWXAyV+ zv=nE(ewFwZwnGJ`rX2J4$k=FY=3dC13RgmGQN>^m52?g<{)v2~%OZ|q_(iiHtA=X% z=916lz&n)Fhx@aucCbC->AapN+0_OBa2;<|XCBsdd}k!VQWVvcc)+D=B&egq^s>J* z&!pwdOVVO)Nh1X_^Std9EUPzrvTlg@VD`HrSmZq-I-=AXIxE_kpEtepT4b)nfj4;a zTxsHWw(3QfYLTp_41w@P1$|>QIb0GWVtI?jn-gxh-E}IMn(|`Sc;ZsF16Yna_mY;4 z2_U|=Xt8KyjAc`UTU-5>!1}9#XGys)!=jj0CEw>kd=!FPGQlL3_mHy{kF-#7-w$Ow zkf-kmUP$J6EL__fI3kA<665uM6Pdr&O#_S)Nss;MRX^Kz`V(%ScI|stClZ$1DvG!Y zTYjS{Z!?c?AP{>%#xb#>0c{M)>-OiOULKg34&J+GHy+o(b1UBTPW-7h8WGzz9wZjN z5j`TKnX}(kRGnl{7*$jq>3b=>U%~e^t+*oZcsdt`H#1)Inq4x6yfki291;Szi{x;S zdlPh|6N0%Jk6U!Xon6klxxasataNV{Y|mQiD>#vRu$Y*BJ?Myf)!lGZe27VMpn*8U zySg%ReZTY?ggG%E_X-9W=r?7_Qw&;%DnGQXg@hSZRo1>XY(zk|qCo&=I8#ZvJ^gAy z&iN1$-@D`OxUGy87i+y>Lrr6{G-oFB2Ad-8iy>L>xzn&olJd*A{AAbElsAgrVw%DF z#>4_Mm~@y)6BQMwn*Ek#)kiIkUDlL3>acx)0~vxQy_Fe8o``{?f~=cFBgCIFKb0DN zl*PLU;F$RwBunuh&yE3X4#3(th;`kvH5Fb_?1YXSPI<#YudxVWz?D{J4wD;%gM<5g z|NF$e1a|I9d0r>a`tYt~XiDKH>-hO&!b!Z5Z^=k6{ z0c_fX1iOYEt-M*lvt9G9VXw~uz}`*{DLCbl_Er&(SLSl4dw!tjXw74yWbvRMb~k6R zX|#jjf`D5^)OWv-&nrTsV&od>k4tRfE`}Vx<6-r-BNJh+459Y5M1i2u>Uu!75G>xY z?sDS=*jUWfxPV46WsiR>qVNu?ec(0uBC6=(vJngf8&ZWBTAyNw;=yj@*(|Z5hYrcH z#dAAPv7)I%UCpxjz3W(*?r(*&Ldr*uq5$W&XP^+4Wqzrm6V3jU>-J4i9 z66eiiBvn)1>5_SP?rt&sNX)*`-wv44S){MO=GfhkR*g&1zj1OZOd+S@TL#K$h zA{nNW;gmKQPdvbAZ$<(xFuX2sr?4q(G#K86%-B8H8=@l0zM%C1aERC#ehNr?*Ps;8 zx5)0>CIdha-AfPGq)RkPM6WO`-g2X%lv>p**=(y!N5R$jOfQSkKVbe@)8DJY z%7SlK1dca(%IYCX&3x6T{N1`g_W6e?UDx0(;y%Kmu)O-n{8Y(V+88hHD0ncrZ2muMWlvH1h>7N2(IhuC=y2v30@T={tilJQKy=Us!m3|`I56nh8fEhpY>Uw<%g3M649i` zHisrkyz&<%=7+{XX?4bMSeDJ0du}X0DipfC&)KG1bDb@0TO4iPS0}#gKIrP-lJkiF zeK`Xr*aAjJxi|*FuaddX#$Y5_Y%919mlL z-obda9#0KvP}f!-Ur*h4-3HNkZE4=sa`6py7{y5X*YXkW!*+jEgeKt>T`ik#1nl5v zvKwv`p+D=Vk$aQyr84C35nhj&(2}7b)AxDn`wkBb9Op1`fvu4~8xY#_6Y_p$^u2xc zw00Ovrqmb6h{4VBFM;_Y`@aZG*Z(~Nv!Yy-i#|!0yu?l}a%vBS16y5_O6^52e)+Y0 zLPDV}qb}QmYGk!B)HNX}lPsps`&+F-K1@$XuO>V{CkXRd^0BLl%@;gY}i4Eb+4meZ_veRlt{^Jl%#|Z;F32_%{*0a$aIllTylS0 
zbWV6a*Rm0VZQTF)b+`2ok4gLg2Ojfw<;(v!dCYF4*D?PykBLb6|A5CNHpSSIP$*i* zDg>6K()z%~ky!^INxyKVlOFN~ z`?Uj9EZJySWYyHhI`~)?fZd~zH80B=0~Iwj{PeZG3F!#D`l~b~;gT^UbSaP!tit$_ zWHZ1x{2cMxtu`r~Ko$(!ah@Gpxv_{#mdJMQlWImz_1n!Qp;8f>&IGF_CcC2RYYj3V zQM~c{j+a2}5=5Os1zRfi7_Q!rC>#%uUw#l>YgDvXq3Z;6r(zG)$nk)gMZ@u&pTV2I z=Pjbj)cNnd34#mU0PYyx5dTGad}|@y{lP_Ehkn~#NYpI z@Gb={9WG5U%-$`fihw{v&5Mi*5Etjkq2wh?p(gJoOX4b+OPPDV2Pq6+U0e-0U5*@# zEI%&qR4)iFO%b+%mIPJGmp#+0Cd-!`D1U>wZ)%!%>zB(^QGTH3bb~Ui%Xv zUgP-~s_5%baID0Aa`v%v8yu2cXmS63+w#=Z2^dTHhx>et7dPt8eg(z(UVcroV87kE z>_sjQnVakYlon}c*OA(+((~ecoex%WXrVp|x9SF)_BtzGy$$9uPDntWQd(agX097m zy{?_RLQk;uET~qdFe#@V)i%1UT;_wffV6&BcMv;0AZobwlgr$OoH^HA4!clD#vQdT z%H-FIhxqpSjeIL<&PchsCaU-QxIJ*6Uk5P%NR8}xXdN}`hEO1*D>!$P7p zxOpO?*JrbORJj`letLq+)j0YFjHTw_=yY!vY%OP4f)}#k$p;4xCJ7U4kNQiD02z# znob5y4q#2P9|#)HqwM2!4Sj7`uo+2X*5T>^Y0t}eJF;PGH`ucI-@LN%GlW0N84~AZ zB4O0a-1uZzyV88`+9j_aR~P=JW%U;>5uPa9#8FNx>e@D1rCSA=j-`Bv_js|cQKKf+ z6%NhYM9sO}W73u11-MaCz39>aq~{wM;GP0VAy<1n#TY(R@oxQ^W%iei4=Up5@ zQ&dDCmd{C&_lan}#R(5;^ozeV%lyTnYj{q6Bxnoe!lgOFW~Ep2M34;iRB{Jz?dOeVzkkmfNJLp;i|GWGJScX~ez z0PW~XQUAo}6Vi0^5D0}15=$M#FuK#qS?@Iy!<-Fd{A@Z*@@I#C$EkdbrkT#vWKeyNAES9Y9&MouPSzD)9J(5!$; zI?(@-RlE(I2unfBw%$5wes}PZPw3@3cZwODh1oh+N@^+BsPQoV}k>_v;KD1C!n*X<9o*IF}5eMZdz&ssMa#?+(Xe3d26L+ZDQ@Bx@j! 
z^GHy5AeOw`1R7e3H2F9*U~$;2it@s#Go7lXU=a9uGD}%)%T3X`=c(1LCO25_@jbjN zMG;NS@V=Vf>Ml^|m1M5C3-)>lxh-6hTnmt&pX_#D^jrT}UX>_-TsNz;xETEQBY=@V zQdsXZ;Y~#@Fghs8Y`MfgEHjtCa(T&Rilue2$jI>Y<&1va7lh$m3raJlDa7@R_b#BQ2dPj*S7hN~TSDXWdSL=8g0pvvg2^ zW0!FQWbydKws5euefMV2nfeLtn(=8tEIVOWGLK*u^3kTVM#oE^sh?3$<_z1`=A+bN zawgDS-O49lE;Niqx(W+N*=Lu9qPBF`@gS!+I7)7>LKMjKFo-pi%YJj3f2qTz?*U7H;}Kd{3S*_Rx~n2v22<_ML+)+t?DY`vPd>WHON`2 zsUWYZihi0`!1NT?lAfna;qhU{kq?}^NTUf1`t)@@GEUh&nDQIPo`>jmXW4U2U|o{=XMH|8Mv_XVKdB(k6=adRl6V+KtJLi zm1gp~!&cyV@J4kJz0Zjk&+~QII00rrz%Z05WS=0vP4vh}16Qo=Wuom3dgiYiPWz)$$Ve@_26V%Z#mp^cD?mJ^!d% zp|5S3)bC4w$wXJ;bJ%JaM%J~_4fGw571#|tvSosM|EA&{ zH5iT%5#jZIzTQS%!bcdA7IyVAs=u+W+PA=agPJAKzV{od8~a*Ndq;#XkG?Z(-Yw(i zh-WRyW1XURgL!>kCZ5K5W~H#0*3LEI1{xJ|?A4G9U9m^ztk@!2$NG4r)K6+-NvScV z3qXrVrsu8Tdu>h~Mzr^e998pWhDe4K-OKO8G_~?t-jzEPUZ+~CY1%NBPv_M zHLNl-i1+2^F544F=5P0JuHX0|wELSGR1Z6e*x2fc3X8eFkN_N=JAjXpCMC5!l(c>5&g;}+I&Wy1IlZ#l1* z3I-=m+1r|%N7&CAH-Sel#wb?9cXWp#DO@z)N zxY4PPQ2zE_Dy>hUS&aSrWPO1O&O+Fvb9Osz%JFA2%m%Lpj<3hFYt=gY_mc^)mN#et z3dHyP2+MBXM@^;Oh(@)yM+qwZTy}2s>BzltC$1~xHgSe%9){QS{jJ_qTV;PdI0pdf z4J-Iur-wQwL-%~cayF1sy!ru;Y`8D?jda93aiA$y$&zLw2GlIBARnNg(+Hu5n+wP`y zT(@_+$0G}^zNKRNo zFCTq>)1y7Hk8a5>mnEiY>EDvJ132UG-ywm1no0e+l*fdL| zk=)g#b-SRT$3o^Eiumd6*W|Ec)2ZOO4g?wP=$1P%^6D&|l1Rdga%Z<0CfbWgwzsU? 
zc8jhIsM+SL=A7}Y=ep#aF=R@Y~ZYa7yO`0WrdJ;4j65K3a{ZT3&FaZUVS5;&Jb=1B4mAC(Wg9%zDhtNPS%&Fw2ys z?clswbX&en%@)FCyWuo^!;$V-rshDIIm=kmmwUkF;Xtnc$HZwkVVf^+TEZ^%bY3_7 zqcfM?kU2|0BW_nHQF^#zb@oj96ND_(~MLupWGWJMe z@EXO&g!U!5-Qk(wkgZ(lq|ZN61_SDtcLj~lx{0n+L;mPEGiqGvq>g^t4(gO8WvP-z zd^NBSFT-ld-$q6d&=eLCds-r;y*{n&>Fy6`(z%-cp|c z;HC`E;0Dmy-8Yjg^XPe}aWbcpIg+`{1&n^6Lo6R7vvuhCOoxLR8=Bl?)jp-J?)vQY z-p`7c*edENx_o{EX7PRX?YKp|NN8~FXKN)@HuJZ4YX@qPh|KI1d$3#a_Dc|VRMrMK z`jMyxtFT#K%T_z=k=;;L&OD;%x@!qLzS_?IoYX!Ikyi}vHH1YC*{0Gvzo~qfzNRhSNk zoHN`d&%q|inFwV2J~NTM@8y&MsS^G8VS_Zg50k~)a?Ty%nR>O%_~Ry-BMO>w;Zm&J zDppgVDMg7!#={uUB-`hV)GilVn7LDq2LL7g0mIW1WwOql!kFV00i}(A6>T}wb?kqr z&jntyeZy1*UT3Ga{lK|ZlIl15PrqIt`DWqB$a6K37%kYA$vPf~#!>-f7~^5$PLuQP ztu}yUsQ)y#|9(Z8$wGvdxAslpnzSLXD zO#m}_2D)@^WgQcDR$5RF{-1FqBOGtSAB|_F98)7A`VSjIZe<@J(b8Un!e5s(PWTHr zlxMAVM}Zr~QWv8cY8k9PaEj99`Ol=izbu{?eS5_U05OJcv37cXmX=%zZC?U~;g9P0 zUAdZKL`a)>^rfc4T7&N2b+SI%lfUo0y`1a z^I#_F$Vf;kU8rr##6zw#Qk@<`iq#E)lYuly`zz8`cLsM^G* z4(8hI`PlH+UjGyE{~hd0|S zuLYrhySh4d(RBa%i9W&~y7Q_6{A09Uw&P*)N255ckYqxa_DL9nC?8EUHVp3Ej&$D` zKA)N?ia%r1%nbXUggti#3-xHw_$m>R3CEJg*Dc%LT9#_Mo|*e>N-+?9(^YT z9g?|1U!2(6^Al)R*nOxgzsm455l|}$Ro9zhSp^tVYncDnKktXC&^{9}_05)$^smPy ze*6o=9Jw@-iGj%FHat%Cb(h~J2KKIi^$+p!7?qi!&1o9^cp672lzP%|@A+};bQjeU zd{0E}d%ZM{JicPS{Wlf*Cn4g3Q*|NGj;av)&%^kC^@AG1ZrA`CF@D^?5!e54q5Rh` z2}oZu@`sj6YEb;w$M_%L_U|{Rd=L+YdyUIumA7of4W?&He+w{lW zre)l8J{Fg`HMG5k=A9nGlWo+eDaB01YKjsNg|D)Z-jqS(PfA7YI7Lq%h)RNo-j?s9 zWUGZ`5-SCj38a;Oay#wHq~#8_TWt!R6=WtbiZ3A|(x&5j49N^tNXv)XH0w%ikFxs9 zY?XcRIx{BJH*X?gELSw4@CCn>P26nz;$QHpxKPo1Wl@vifzmxGDXmhtC_r z?a`!Kn6AFoV^q>F@0IQjV~sf0z{T=7_>`XWov}pK_|%Y4vq3RI{3mq-5wu;=xwdU( z%=QdkA;FtXA)&6GxR__f3tcm)Ym3^guiJvJlLV>8FGnC_HmMwmyqW zObhgEZ1P!R7wVJMt4>V=l)E>sJK&#-RAA|4{9S1@U&>+%A8r1~^W#o&v4zxL4&sc^bD823ZU-RBCWqVkG9Om z%PwvH2KadQ+Z0ENzQ{!aQe5#~x>ty6t<1kIR zb7|pOeY`%jb%`pRW*=3Ll9}_nzTnWLiIE0yV*3{K#{(#OJ+JPvp(`#6YhXN7(EJ25 zz8hKb`c@L?GT`}jh7;MRZb7QAA?kvDEcf1FL`AS*m(hX+mVK%S-XE6akb*PS6y&~4 
z>$?ONyFFgkYy{p!Cv!;CLZPbSZV4CsD-7sLk=&!=Mn8XPT+4J@I;zeEQFvfSLC@Pw z(~8@4+wzcRw15c;IhCKkRZ$Chr&_b#$K;fILFW{#c_+MwLgqdt0P|I0W zG30Lk!s(1*?044u2(R{)jB00hQsJ5F^6MDD#LGqY-HBZ!(qJNk8*Z}kB*<>;(Q}n^%=u z?*Nec<}N%q{AU{me8fKE+wA9ITc?tAmjg9oz44rk1d5yPx0XYp#c>KcImKOu5OxKww!2T3j*Cp2eSGW=>z%J?el~l3O`(4B^K9C zzxnN6UZX5Wc3qtZZP1sWa;_*Umv1{l+OD?l+t=oIE@}1s9b*_+)xH31d}YWanr#Z~ zZijUs3_6GZQv{m+4nILe;b#=7lb@O7`kW`aO z_Lb9FB856gL7<3n*-b@4=$@&yWn6j6{@1D2n9}%6xy5mtwuF#AjT+^Is?J?!t1@tg z2WY&I)lM28;zKXKF_B-~X6vPk>9dAje0sf8IDQl(vwHDydj~&5fegYY3ha-jW@31Y zF05V&Qk#yusIVIA-SYY7Z*FkTtO|p38SS;RqSAcFBHG@L^4-eQqs8|5BW~MeSvyV0 zgDwX3r$;-^8jnlx%IgQ=n|nnRZoRfBnj|3MlTB&J>{u0Ak^ak zY=UB}zP9s1YS4u&DKz$N7*UD1bp%OqDF}Z2X#9~6v~xTvJ5plcL2AaX7s-Hhq z0Q_5{K=1WXN2Ua_d{}VHnc?!zmhu@63RJO8+-DhVRC-eJ?qSp%4XLG^P|MifHN8Gi;$(X~m&sqG5B9 z@d<(d*j~+2GMg4z78_}+@(*uF0#1UkeDBi)yGHf)_N;6rHK;g#88r&xG;NkjMS68-6AR#|tUQobb;$@MMB=)Fno389Msqfla?6Enf z+ITuW9WNoVh0Yq1W90aH2gKO)PIoBQ3u zB3DOJNv)8t-8n(YNu&|E>_0cSvozU9;_tE#ggz%BT%m=+e+8pxq;s=6Q)$#ZDs zczDQMt~`uFox#`*^u;Bzh0OK4ps3(y`*JXcV7{)jXi6;bkN&ds?LTPcX~ScAhV-z# zeaYrcvyUnPrlOMwBd{A$%;D+90$JPi&!fkM6R0#j<<E6ezUE`lZbGTqgK1?m&kF48ROZ}?a3WT3LybfJEO-{k znPai`i_KbhQ=XsbPi<`3CFs$Le?*S=_JBK$Z*>{dks{4Qp@tdoet(O1URW{b?oMVY zj9ZeUdpjjGOg+(z@hpgq6m3<`Fpc%hZ!kSS|C?5gl+U8szYa{7Efp&AnzqKH4LJdS z@_!tdsEOZFx|VurX*Kyiu)VT1O_`70bNlVe-E%Vl#4a8g3D%+k+`Jv>wqe9?)Z{WB)S52781icYPURgC=a z`jLs>$K=UAGK*~X_yNf^@Z&FdR~D+y;*g*hu|&YaYE%GxkVP?Q508OAt@@e1W6tay~xJ?4_!H$zblgZZ4n!1(UCzS zNGNtqKiEEzssJ|#eo2h2$I=!e)?4yw*4U`>NJ9+f!E|xtek-{nl9SgR0)sG1DsC7{ zb}_Oi?SXuDIQIPEA`B(Wzc-gdLk&Ai4_+066$9Apv5VZ^ce-)EzO@2odfRL&nX6B+ zj~3e~x$LqcH>m3>&)3P_U183|#59{6L&{Hf5@v@|7=U04dRK8YP>^_Mg^7Om58h9p zTnJFlQy$3wz1Z@Hk^5cdxzMM?09Q1c-;QkVnB4zK00vq8TIl&(+>UN7Tj%YY$)}jm zkmwo0S3Q@6gbx(8ZKezI`;1>9K>FYLxi87fQ~NuX-v$=)JxE%cpNioOes1fk`zjl^ zqxY(a=bedrJt>$wTG`^^cy4VUi$7OafimTS)W=>Vo@}H*%2Q$ zAB^c}J!=iifUT+ID3kx7lXd!swPoe?UJx(&)DJa>e#rZiaSBs~*g|0XS(yoT2|xc? 
zEX9h)yBY@G(#YS-UXHK_XR^U95U+f8V9nAuQQcDM9$$ zp06g8-_JP93>7atFBX~#^Eq?`OXC}-S%Q)Ksnt_s{a%8&p4kZrO_2RHNzH{foB~6Z z?to=D#7uFjDxcCQ4>&SZL9*O-QzqGCv7i_co+B2cc z<@c9<^8M|H2X-fGl_3ej1=m?E3xLkAeGAX(S3c?bg-rV~*F{%BvIcu{->YTLJcy|s zr}+VjDxpoD&)(^L0E)KcKc>sn=41IO!q>?13+@+6jDRw)ML2c+lcnQ?k<4egZqp$g zVj0)IE|+rX{fG@C<6%G}2iyzpU|}y?gL6?Omdm3jGEN@H?=BPYD^Ij|l8C@x`(>>x zvzrYiZ(%59NABmtL)WH}n`5Ly?vlC`;!Fm-%+_9=N3}kC)8gn+<~wv5coZhHcWrE; zHJ*h%?nojplS2ZAc?LDq67fZksa%OJeVb&ueOwdkWcKFHpKH#t#o?SiVKC+6f>o)} zGsp9`s?xh{#g88BcHUfmOP{k5xIrm~)?d2Ev~BliiQq|XbD=g3?=P7|bTBrKik0C? zcO*8+$!CW`>|gFD#dr78vj?%g@Q$+g%Q{I=5KQOo6`0IE*obmodhdfflfO1TI29eg z^gLDS)VOs#I;`Up$l=jBbJ4Z7N6L7ns~KWM2)a=~-IHw*!`N&=rr@*wXU5T$9{t zb2q5M55ylk&OT_!=e zH+A>?r0wW6Tm3_H=oxU^=cRs|F@g{5Mh_Tekm}(OZz*kX4H3y;I#IswIFX3M#O9+{xYKAx^Oi~;u8B)7{)x_tRjw^nt*WAJ{4XO;^Wh15Qarl0nh*G1MwnS;nU1x+|% z6Hc4Bn?f*la&mB(bS4Mepz=i#?sX6j{U3JHaccjpLSk8v?!mB#?{3!ILWIeQGUZMq z^Wp(WWSU`N^6=^cCdRpghi>90e(CAMn9dGH{ib1H7ZU8co~Qn4d<%B}YH%3vyZA@y zr`?%;+i--NmX{>2lZ&GI(eui09lMN^)L3Wj=}iQzrTepA*tv9Zw{l8-g5v$0F%2LT z8@znHU{3d^H@k;l>sCnnxYJ9sEqQMak(Pg9q|8kfXMS?O;=GBAmuAq^#n8}e3`C1` z2K{LfvV5__86fIn`>Jrin` zj}lKw)=NRx5vm}i8H7;=$*_2y3ekFPIQ|)Qr{4JyuH;q@!40M$t*SC#=W;0ZI264w05DSm#;qAOUX_?+#hL66gQRM@-*u&2BHW{XrYFY?a5EBm#MQDO$YNE#c=251W#By{y*s~;JNN?zMm#F5Y*80sKdo-iqeiby zhejb}dmh|>u8iDx4QpC|ygaT5h#VX98R$QIkti7}kXgZ4uwB+%Jx#UHp9Qv#0Z4Ld&T8Kcj1Lk{YL;r(1E8=d5abpyATe_qCUa-WDVKk)*|0 zO9()Gsd~A>c54Da0aiTBXqnWVM+kss2fvRiLh%ppm+RYjE{!=Wfn^Bo2y5GEd}?GB zs_rM*e7gD8-j@<(zA0xCv6U8SC48E$N))#dRO1D!PZ*+y@B2*vNWfI(v>xN%oPmslU=8eiD|svh;hOz`CwfrbN`B{&Qfa40iQf@+~8l6ZJZq(#Fj&S1kF z)u3-hw#oNAnoiRZN=^@AhQh5h$Gi<9-~8*O32GOtrb@_(j<~#a@AcF(Iqsc%=DO~FDuzuwZT2&F_4TYx@y3`V_^X+??BqAr@yQ5Vc)71-kmNi%u?5tQ)C3=EG&sEg__qng`zM_> zIq+&2ux7zq7S*owP`MfyPYIEuNqez62J@K;-t)w5CL5QwiZKyx4w_w4A@9BT)!OVO z3+tWOwko?DoDVC9M&1FRH#Op<(myx8koa_qOpyu=Eq`7$$Ne!!&zz|1lx?HV_!EOa z`6RIYP+@rGsSL@O?UhZ`I^Lo{9h9;7pfk!zmp_Xjy5A9OS`OLft2A|&1?v=p78)T6 zmy+M#K46F8(Iq;;BcP|~z}muqavf_R?zvbsbV);aRm)NCSXTdDTBtWg|LK+oY5(np 
z1F}6#ksB}nr9Lt-kj<=cmI0K(9=A&OJfK*2){D>At^23`5?TkWM7KJl1~C%t$vxx&io<4vUjoyq zV3SnG-fO*mo=hm!z9G$A^qW^WK*Waq!Gdx4QTR#H(SDUtt0|v*rQWBf;Gxkqas?qu z<55_?D-bRKII2I<32fK>jor3V)M_ZQ_7XLXwG2j3rn_<*%z#uLm9zy7%8<~^8nX8B zhy`&3jF$Wx_yJcVh&x_o3G{#Jf3D1TGO-fa#$7mo%{X zQE9ad+Z?1eD0t}m=xr!QTtcmH+n_yZU{98zbVnBf69Hwd?`?^ilL19slbvMM!FrhS zc-4o?!-k*5&9_9liIwq%kaZcs{=f^I21rrkapnl}tu0tOi$L_Z&LNUi*?GS_i(&q(Kuwzo4U4SseZ{KG@D_v1!Ol~hUTr>-*u|B#2Z#C@^X&r~P2OY+?N z=TpxfBFJ9f$7z&~1&p#^kQA5Tmn0Ti2pxvU?^AdYS=;q^Ri}#_;6HAu<9!Zv=c+v9 zcGa7k|BkxbA4HxXR}Z7NT^PRKU@OKW#&|_kQZ=rlLBl8x$JC#DQxw$9gTP1GHNZHEO}%oQBx^gB1iRX$^qRe)6{t@nlWvaD zi^kEwKZeVA`qq`_3>Qhn{Roqt^q-}jHTzA*`7yMHy7V?Fb`b2~ziCQ52YpdSfm3sX zz#RR7{{1D=hUS1@Q$YCj<)Zsl_{-07ecTUw&>9-T@-{|nmXLnHw5i=Kaav`QTE)8F z3>w}o-q)QBb-U-wgZd~T4B1y*Lwz*2Wu1zp4F+*$RqBhU0xdgM!e&iTt+$iQj^%1L zYi@_u^+mhKqtnvul1ejc-QA=AB<&TyaOjh(e!ktaY}JK>k&)EoaCtqfCR_Qqa&4sV zR}Fu_*OV_G{2k))gnGrG`&V6V8;za zy%FqgY6nxcN&rf;q~6sTTP&C0Jj%5DE}eA?s)43zg?3XRmc zJvtA-g5^wi+n)E+{0V5jA7QRanMi7E{rqC%1FJgeOf2!E%Rh8v4`xc^w5_%jtlNVO z;cAXTB#ZlZ)cK|&2%#}*={hh?KL0Um$WAc6c4ql^E@Amf+$;&d)l3?396hj#eXo!<81FFum;R5iKq5j;{Zxy{3I+9)2>@ zHy}70$~Z+wMDe&_TV7m&rVZ!h834DCE1zIq88EfyT))WY6(|QYRdE7D#)zck7HdU{ z$$fbKe1{)T6?*x<&eeJ`gw@Lpq^eluC8+EKT%<|A$+ZTQ9&%-F4AmWE?cskfxnKay zhv`}!Wy@K=KT2kcV1SMPBI=E*ejT-^7c6Uo@Eto5?;U|l$0$kSCZqwbAk`d31gf-Y)5e}to25|$>nZy$0WmaYk& zl;8frB=-&GCa;In3F8CI?R9D7cW@=YNMJ>Zy^oeY(?u5WomY5_Fb!n;T!jBP{+-VT zk7-*~qS4>Mg(LP*$YlpTOh}{cHN(Aeh7l_5BHsE)^oM`j-4*M2uv^ARi|xg2%k9?s zgkW|lJ%%a5?FIggWl+s07XZ&Hlx7CoyP;j9iY9if$|wcl{yXI^w{dJk_1&D(;Kh?9 zMN)~c(5glVI29v0^n%p8yYhqR+c-7-=m+F_{F{Iu4m||+b0CsJtp33%HSLQc`0gr% zvpdqr93v3`|03)xbkvRZvR=4~l;evCT&?HyXHi$1I7UZ~6(T68xsyhcv8C0Jnq=XZ2XoRqj9=8qiu9I?fZ@+6d^Ud93`))ehmvGS+v zG+`4(4ul8v0rlJ^0KgTg>RG#)*J$wdU+Pu*;fwn9Z!sX}dJNXCk=@!|P!WW(AC$P7 zTN(0Mui7{BaBp0%@iinx-mT3$^`zjf7*QPZ$pQttiS?JKEMFd$~&6+Rrl8 z$lV|>=wibHjC1f=Yz=|@14tWHgHks)Tar`rE2_A!eR7VC+WGW=h3 zlMcE_^@=^EsBj?a7i@qh91N}nV=5iNH>cHmyv@V(g3&l?uam#}r(s%E$}DQQQ0hvI 
zM}%{$u%CY0=#eM(`9IkE>aZ%Ct#73f1tdhIrMtVkyGuHxd($Z(Al)J<-Q8@uOS;)~ zhjhcY@p&JQ`keQif4)E8>*Den_nv#tteClH)>^-{zCsm27Pn{izT|zEU6i)z0WK=o zU{iif0WLV14P?1$y9>|bEM|<#v)s5TcMrlr?3J4r9Ahf!%_Ni0OW*XL?;US2GUwrU*{VAykia$Wh3V+s zNJ;lo^#=;9o5z62-V8g`?9~chL;2i%nE~*o4$xa5DC?|Q#-Js*JN2sytK%pk!?vl> z3fP*Db)!bAe*@HLwvLd|*I(a^H3u_|bM_&BoqygpN2{G(wi?eeRwgiYafd`PzTIp- zQOpHEiT@0Dj3`O@DOKmzA@MqoOgcomuj5W;>~LsEvTFVrVr@8makkWk;8_?$M&*J! zQO4atzr;#M=BwxqKuC}qps1V%YiS7RMJWuN>}A zbMm(<#}wmdGo`g-a=>*br#{oK#ovof9C(XVT1H>74E23PH~YN2X0 zBCQ}}hQ9Zx7^i((Jo)K)aan*$X5w&X^$UBXt15y>CAqf2d1tXs$qcUA9kYq6kks9k zm#}cdKTA(uJKZ^fk&aW3NJot@+Zd$lHmZju+>(>cZd1v^awJ}*7Z^GyQX|WK6}QO% z#Z+Xz1#0ex3y-@p{h{4waSEOaxg4j~W&SjXN789q-nz~FE7*?MfWm5h%-aasCxle}^UcWW0^wX^+Us$0?O<$QRdmuPdBERVioPteDO+ zldIFP&X=Zc{rx>)#JWj4519=^BB;a~^c6Qox8^H4R7KZX>{ZhT{ImpJ@4^NrCP(+7 z-B=E}dL5UXJJ+%>T74~ptE^tf=dIq$FbD|eLrrPItxX?Nr^hj-U~8JAP|fFt;FFBDNi(H|p{UIQ1+ExHpgTu)q>{z717Tlvpg)%tv0 z<9lL8DAIcrR?Aq9Uhx@cihm{qe2Y`A1hBfv>2!-CW|BQy>7KyzLt=6!lE|LMu_UBf2!fNaF%~w+<*=N zePMm4EdSP>9~L^?J>`I7g2XaRA2O9@e@iOMKZ#&Og!#a%l~@B3tUMxQ#tVYTjs8&V=iI|md! 
zBmO~k(upxb!IN4uNzFWKnGHRJPVbi;-8KklST-0&Bz=11@<-R$0F;8e#f4@J#jkeT zFm(EeLWAru%2D(-Oze#YVNoiyytrI7PcS2QUxR0SyLom%gcrH|T2sYnt{jxPxNiOhl z7_MNmz@;YL9_W@$zz5eWm?Dz|hvPey68$a-ZdI&@+D6&z+QX z%e6j!7MLy3iLWE^ty`nKIBg~cp$wX&8?$|Yg64#)74rxk5V z@Xf>oU?|0AuY-3^W71o3sk9smr zz)YQ{bS&U0k%fo-LbnYq6n}&T+2WBW=Q0M$0MmAuB-l3Y#{fB8KG|z~m*PkH7H*L; zIXTPc=JgaBA>%k@64=vau!5_S8gY0qnYC)Kix-^rwKFtb-j$oimhvwo)S>%0#;dOz z+#l)nq4v3tYKfoqDcWPlm0D47l?-;#|8DE>1T?_UN>-RKlpOAQG^8y~E3ylb{uQgxtSfa?HmEIO| z%<)oB~kEY~{XT4-Y!!)Yi%fXlx!UN_=-7hC8c_nKD;=ZsJg=rv|FnJdn03v^3o_05_Z3l560VbkSCec#Xb1X`I*9oe<$j>E@2oc!+A|~{9{qV&z8WXy!Fg0v9_Z+E)6ra(j$4i2a?@^z#xWG!A ztDLt@$Y;0gsJm0ONO+sl3ou0NE-7T{Y3*_!!U>t_C@=9FH}^zowG&Y+{2WUG?vS&;|E zoVwH7Z9=Y7qTxo2sM*z?bnu|zl)kx%lUfsm-wMO{fDSSru zPZ((2G2^@e%(C*VD7*$p zC3v%87zCRf(*Nm}v-@3)9jkZz?b|8uKC>ri(BE0hJIv!p)6Qh-ki5meyIU?hLs|o} ze5UGtyn$R-(c@VP(k*I12*W@fy`=N`VCy}NEiy7PBA-uFTPw^>wc0^h8qn$}atncj z@dNo=$@}N}9HVKCKGEx49va&Nxybst9<498EIOZaKj>F+sHXUf44i!1NHj~CFg8DK zo8%fEm?Y6@-d%8MxG0H*_o^}H7>7Q5Mpn(6d`L#!L^+-6o-d*e_)5k@Tr`&f@rnmQ zc;snW5p6NN9UjQp+|@(RG63Fz%v?GGa568HBJy2JFgaplq}x2pBUI?sf&#w6) zP!x98Q3pX)Mb0^<`6yckG6WH)RtpA&Ys@6Q2=R30?3P*Y3xt1g?n zYEQ3)dX}a>+J18ws?+H8an~;>d>dUpx7F+7?!s7*ZFxOd*=wPQ9*<)^H^45%K{yG~ z=f@m$V30W8v2#4y86w5N4RadE70$S(?h9MLOy*&9{USK6RN?OXUd+n#SFoi@y%Z}d z;vty4>ZtwV(KPLBjPbCRn%~@d)fr#f*Wd6963Nz}lV2zCKb44&GB zi1Ye4QjR)Fmb{>=x4a$r@6DvPZl-7t!gM@Jb&;l+Sv$`dZ%|#3dfYqU%JQtg-Mqe| zvozCcqC_2*8@TCBwZ2l4oz!vEu5exMq)?aA&H#~nIxztoo29bID5nvAl@fbLFS@wn+TPhTAe>r!Xp>9r98(# z5USkOrLQlfQJ1J+P)tz}(XaeIyf7nx^A%&zzQiZxwgelgaaOj1qIl|wf>>>Fg$9=Q ziWuuIu+N^{wjM)U1}cj_q5>6uMFoC&{qzwPs0$ta*}|c!vl^rozp;o;EGQMDLqeYR>Sr%I)xi+Q z)20wwRyY}+4acfN$dpLG0?s~6%h+<=bPCZ%Jku)=B9O3=%27Z?mJGFi+i|SYnf2bT{ao z6kj#AZA^*2{#6>?k){v)RTygcRCKjzs8bV>ilk%B;z6xulCJdLf+eeE7792}MM@t# z%kd2IfhHlT7(O6y;%Ar@7^(G|5Q5#Zlzv9f_j~=W!y)L6;kwzqicbB>#t+L~p(zyD zD`uA8QOKqXLach=!7&Re+`&bevMJJ6_hyH5)~>xg7FTj8G=((4o_nnE`1KR-(~jI( z_c7p637okc8dN}j{zO{G+g7}JTLN6)M!Jp{LsIY=G?d9kj*ji%G}R;WXic$oC}5mH 
z4hfD|#?IZrLB93PKK7KPrd6KVz01P~B_}X^FpQU=wTZHmTI>H03NVcFiJESXC!Sp|9W2<^H+X{dd`L?_Ha9 zhT6%`^>xGyy;}5}j>^QXGnDU=D!2&MtY%@%!|JiDl&S#pd5|sLIkFh>k_e=RH)e-* zs$B+E`QS2PFKw|%4E_Fq0gC^C0b0OQN+mNd$JFOV2e6ho5tYur`nM(UNh}VJ+`rb$|JG4=1v#zU zVC59uT;jhC|LZ)n$6p`*oeSVUJ_nw&+zh?#bujaqx1963=}^vf`2qF!PK?GK12Emc>Ck~pZ}G@2E!qxz5w;5e;!Q# z#m(QD=MJW58PY%SfBXLD=Ol<=FeZtNPFeP!lKh8+d7%2-!?F-x6mzC!9E<+MI{&0y z?H*34Q8}+~J^ZIv>MulUGM|c(=#6-Y^1cohi7S@6*KaKS@jM>H<=~WS3k8qKAL>Bz z%BQdokts_g2B-3Sf?9Il?4SJPV}a<(_-Yb9WYOy!_M6U;JbwhpRDO7ci<-@=F8}AK zJ>uT4aM)kcKmFUk00tbkKoKH~&G@jiw)y=|#3Og;j^Mv#7_3|nX#UEZ2$?jdJ3`+7 zD!qu7j<1HCvq(f>w|Pmr*8Us%wDPT>z^(ofd? zn}+w}=7o!YEB4>$p(}gbT*|IPs{Z@tf=qVej$09a)N6~L%99(=7pOEticV2Z#9(X` zuF5ZnE|_nfW0l24k-ZaWt}I@%x#X;D$4<#Qf~`72dtT7$2&2@G>hR>__mQ= z_e_EcgRK8iQzB`^*8yXfhCq=Zzxbb~=11=F@x!56i7*H{8WbSr<6bS}Xj|h`LzATM zmRQK6TPtPb&~^lNWY$Xbtf?8=CQ@w2CwkLI2^nae-KH4`y+<$UU7HvE@&)UuaSSY7 z-PnDSFok^T>qy0geN@#MJw{K<(J*gAmo$@b8R&HdLwTagazZf=H^8<+*#wNTxNJ~< zc6obweB9Vt8H!8JM+L=2%BF^x{A^HFez}X%hxMI({0q%uu4lG9dlf``oYnZ)!G=;@ zn)*X;5w>%A-E(?|-iK-MvS7`-@8VNV`v z>kB#0Tsn;36s?EWhhEv~c`P&SpR{f~G2Xc63`!BWRT@ zO0Dc?E~31j9GbtObB3v~{$TT7RA^#xA{XtH(n#IbR0R;iA73E z4PM%@0?kzh0^Z0X4vVf5=~;-g56ac3ML?BMgB9PGWSC^~p%_vs$-LV689E25IAFWE zw26#50TqlWq@zm%s10a<(3%d8AI;Q`8O}hHkqXK?z7V0wF9i$OiD}jDt+wXJGK0B$ z{aioG%-i$Swo_N!d(!qCq&lBM;j2byG z<8`#Y9>eyOVr=k7kjTtM@C!!pmCP<~ZkRAK%tJ9G9nk=^GZM=tGvJIAT0G~>{LAM5 z1Rjcj&bTk^zG&G5l;~cZqMehUl8aNE`q~w|R=96xnn;6@wO}bDqJX-#)Jv3ZVglYR z%ql>mTr;s1l#c}|S-wNV$izY(kQ4G${43J%%5P85v-&e_SJABXb48|Akn%>eS`7-< z3`w4}ttEwO3g~n2Nw`Y*k#h)~YZh0x7NK?(CmQ-Hk3~Gk@c0TakFhc>FM>f(;ix;Wp*gb+!M=+-XV%2vSBP5Yk9$` zz87c?QZU%f)$V@4K#LRTaIN8Fv2I5U-(N722&$5``#Yyz zl5sF(rbGl*HArlS^MP(4!Wdt?6~og+p#&!tl8?9bu+B(nQ}Jq!PjI{}j+0+Q^MZv- zrUNlE2&}{ZruAx`@ShUP30Wxf$yWkR_ftD#6%kvJk`4rCCzdoIpQ#Wa*AnDkY5Ezw zjB3QSlGJB}sgk6Cx;mIEQWPeB&0Hwl$3vs~!s{~=b_6P~#)9wgqCv6v#`zf0q8}7E zlMxr)(ey>A74s$Zdsr1QeTdaj@%&?AQE}8t;K7RDo*$NPNZUTxxcz*L>cCPg)_Q1t zmgeSeQv!ZCn^E(ugDys{X+;L1FC@D{^KAWY?mTyKp@C_vZ!`J)%%e&3g~cN2na%V{ 
zAi0+Jd&$^{0XemA?)Fub`;Fk3AyoXV1qS5u(=zF1XiTIdWf0g`w06pzQr_inHiYe#bJW4+;}uFOyXmg-Oa!W-6?9adp=zbYh%HE>Fbv&KXY}#J zUP3N9Emd43Y$F^VS-g*~D%}ogbtGnKv(kR{iYbAvHG%2keZD*kC&5n0-q&5EOwb8R zPWpYHI3lg;6^o_4cAVqX`QpGt_iI|cE*YM=SLas|1(tUxTwL{f&B0VuilJT!T)vcD za!Fj)v0M4yyw>eS>*p|S<+CB}kk*1b*H}Hz?ns8u>UWdI&@%ZiHJSpW&Jd$$qhMSP z5-yNOH+K+rP2d^O;Wczf9lt+#dPHukM_q7ya6W)q*|qfarr&PrxS2U$>}VjZ?)rWK zv!?1LT|wd1@ZEN#(Glrby?ZJOj7L%Jy?ZF$y^rS^wZt%=?m8hY=<#KkaJqhL>qhau zBq6h=siCg{4kS%vd3A$+jfoO@Nn}-qY2tIu)-g>UaD+gzdbKEYb)<6T+1%`25_|Yk zFm@37|~Cr5YPw4ws zjA$+qI-Xac)4VIP0v^Kr^{wse3d?5b_nM8w#WRk0L^N|zyelu^DsGloMCIcO#X&>b z*5n==QeRBszh)bl?gh-XapCz^ z7D4y42O{eD*9#uGNPm;?_m6?RdtiQ>pV zm^`lyH1RCQi?a~~&g*qfAQf3~pH64Lvc`QckZQq@`JjEVm zDD}Thc(njSg_)0Aq@2u)YL24bYE2~NF<3QIeaUZ$hNHHxc2?QJ7U`;c_8N_S9j{)6 z*SNpOu~-TswoQYCBpOz288bG>oDgmg!5s37A3in75ZLUhf;&qgibk^lTm61r;gGfA zjCqT)W=;PUiw*$O^X59RqL#CNy1S{p|GMq*J(d1WP6hup6-4{F_0(5%oY&?PNKZp1={t*21;@Rs#GepKIx>%b1wDNV-DLn9Lo>QylcPdg zutXo$(y$LmHJ8j)%7Q$Yo}4mF+D_@tTw0>S1hs*(ElEK5nn`Yqrg%wqeqqT1m4oM3 z$d#7L4+Zi~pxyD|;&)|M5{gbe)H5}LHCCPzUgnB@#_fcunn_1k0oK{{LEe zu8Je6@lptXz3Ta(2el-Sajtw!eIf}L*|W08b9O|CUho~iYNh;HFd`hu*z%&`3?7Cl zfc-L36JQ?AV{)&|tCh23WgDja(D055iQ_E)P^hW!6)He68VR7qP?cIQCd)ImIFpP1 zdgIz+ZnlBglA*S?%$e_cWSmvg<@yWMJTr=>_B?cNFssc+D)KR}jW2^N49!xMoTUsX z&rl09nNaTRQdP8Cb|9_lmtY_c2=Kwt0RRJgib)f+tt|!jwAlSpgXPQ4+Rh`jbvlC0Tnm?Na?S1DLx>_YE{s&rfUe zD6!Xl3Gjr~XO8ia+bOICCzi7tL#&(Ncp%Km@C73nOiq8(r2UihRg7{0)|SgoLzS~T z#|$F$DdO_uHxj$SQ#iYbWLkO?PxDgtgV)z!qH;XI+7tJvJr@ydGiCLl#=)WUd3cT? 
zi^G~y>_*26PuvjT_qgqQi+%z!@Cvz_uW4en9e!^vmnRf7|89u2)O|9S?btV#HU=kR zb}mWjv}Pq=5$e#{C1a}-`gi3Ch`Np6##G+AASpEdRP}PcU8Rx1VmYuA_3|A&=HNwz zl;!H7x8bJ!?`f?lpZL&&;quQS3<^xPy1+K26H7edLlF?R@DkwM%p`islH4p)<@y&vxpCzC!6@ z5I-f6)P;udNy;b|#6f`aNOMRapFey)H@#IsfyI~!msApcv-J>&V?xHRIhV2Gr;!th zo;Axr!oK)&73yvy*|x2N7Rob!K}FGfU3Ho__-(9B6&VuW5~0-V=;(v2sNvi$wr zM~HIl(mGblo7V-AkfF&D7sheMGrV|IUDgw;8C%h6e9lh#<}o;TD~rz{{PR2y3=5XX zhG#y3=nP1A6QqEFZEGRMCT<5yjr(lv%>0jWI_uh7z#e7b{*}Pd3k{?>0N|TDsT~KG zpxHhBo(O7OyK{KkDBZ}H$`mP{ufB~H&nCM4>jT?PwI@xKd_YNM6W9fM9SZGkG|?aK zJmab?Z*d~vS;K$3`L@`J>Pp4ns6mI}?bzI*$=*-*3Na9%Zi*l)woz`pCYfGPAh#+K zDWt*xNNTiEv&kCioEcu58CW`{a$!{i^9CyRbd`r6Jl7 zd}vu=LAe^(KAv{C8c7^i9hVq*u`j6Z`TTr;O^Pc{oTG3$fYy-kWYQZ(@eqf zvBRjsi$*QoF_z}r3LFGi>wxW5e1jZ0%L*5s>FOdPmA7#Y`U_>Ufp4_j_+WE{TkL9+ zd~}7a2s({#1J;uqrTW~+EPzW<`*j9$82s$v*}$2;*CD_j72tlIz)@9R;9%4H=tChH z%{yxs(~V3kA+>(+|>1@8Zrdi4$Ly1H1AG;}tmfE-DHi zS4XK}z|?QXx0VltbR>OB2RralK6_=>1XY?m*F8xp-y63(WCAjI2@d) z+-$3BYMY@n?8<+<*3Z&kb&0MjAiJyz#Cjry)(Y#eIU=b%hN&o}3}IQOkL`;WEq~RX zNv+b(@4`?jp1O0Fy;}Y3h>(sQsQ~*@Awby|{@EdQ&z$Ju$>Oko-;}0I^|1dz%}XOB zHw4M#wzc3$l#36c*i68jK^IWb;N@V%WH#-onPhZ$4iKE@&wHdXh};AX6MTY_qUS#t zl)s>-*kE*eHo=m#DVR{L%&n2*+Dtf!b8K-qqpc4B*NiyKERpQA)Xb`VLzQXTS%j&| z-esMB`HBKW=MmX8Ya`A{HW>-+3X3MFFT*9+3au+l7!g=<)fy4&u~w_y_Q7-*HyM*QnCi9D$F(XV zZzDfjRHY4xc=`${(y06M1r>zEs0|JtlCxNe7>`d&6N6@>Wn;;F>vqp+Ff8VttV3%V zVEQ0X))q)y$;gDksX6hb!TGe@Jt;J!Bj3L3&#WEAFuqjHb!S9lUHPtdHuuq28&-ld z(7L&`3LBup_5#CFJCGVnW}A7j472&^D9nC{)S3TW#gGA!sS7x%p@(HK{47fnSJV57 zg`~uU^*sY?0-jWak-wPEU#D@GX3*+0Ew!O7cbBU+ye_Z0;U~GWatX3d?6M}f%y{SD z!>TxE7gq7)Voq%mPEWeZ?&FgOy=g2+yEqnqohh8lFpnk-to=+B;S zltL^T8Ui8Q0)eAz?M59pF;v{c zU$gq~%^RwR-*o*6yeUL`1ury=!Wrld&IioSQ_lv;1|vHROwiuv3Ss;Bs=$Cy2&dvOQ)~8>LhH3$2IW;c%pt zaPq(xlD$oRPWb^@vRy^DN-y&*<`dw`#4=wbo5}q1gw--k`3c9gjy;>uglQ>u5?iiM zc*fBt5tix4FBDit(aJ%-lj%wjEm+$R8sWi3T)8%Q4%nppslsI@9lPa&#D-HoDvuV)U(duS$DCB>)9C8N=p`(x0c`B7%lK%^JLR!U!7hdS6faXO@K3W zMz)+Qhi5fBdp_zp$K=y(eLP8t1`=4qs;2dww}#FuS+B@McC-mk)xvH&2A>PU@6s-e 
zdHUY$av^s=WhfOcxlehSM88!#6?15eNqpr21@d$CoKC;4IUEsRMnO8vZvk(3=+)u& zp*TvWjol>y`bQ;lXPql=DyFk{yDcfMiOXiiijxbColZw;w{snFXsX+6)>L1`dn z-^tkRKUM@j9oL-3(q!CeT>ka$XXS2LBWUp1YllrQ2(eA`JiWF?Lz%=y6;J7fs+2

L27_BLhWyN7r zPp0(dp2#r*f5}Ifq)S8-R6T~#i)6p4%IRCU%QvaulORRZUY{ikaVcV`kIlP?nt=>~ zA=YWGd@Y)OuX}`aKu4E{NbWTzZ>Ov9gn#(V_PwH^4UpT$}i+bM3Ie6!AL6gbeegMGSr)5(m9hGW_Mz!j^w9x`EO zBW?R)0^f>#t-DzhoU0|GlEp**4$oGwGO3mzihkO2Cqt>K6b0>q9-=)=#CLp(#4D*9 zoIBJ0$7{xsTxrgi2XEriZMm6QfRLYB@)~z4@!o>fZ2P2pLx1~4uhd1vAmBx+@iFpmhRDJQsHokQuIznuTGhO4 zUa3h5#F&rpi}yuF8LDVFa5PpVw|YB^?s2!s4_uf;n)+CLBR)@RK4Lx13VJD3%RexQ z4Zu4|@w2|XHcvVWrvfJxPYcS}0w3!YvqA#Tc=L9njA~Du4(GrWe;@y(Yep(ZGC4(jDDxr9_Ix4Y^CnoedbCxD` z*UCyoEmWI=S4_UU_7n?EIDsk8RSQj49K)!V#Zep4Sj;?{c2qNnocFWgo_*O5bA)&~ zSM;PsEM`t_;AsQ@ee@k^T7Dc3oK@OOt{S{v_Ld9xc=vtcmlfUzp^tH5Vt82ksU zbJuS@kb9>wFjI(G2IM>=0EKxb$cTEEpKnj9s_IzB`W!-WPP7erHs?|wjmz&Hd%vfj z7mKL7FW0gQL|AYkm3_}#&gi{vz@w2|Kp;VKX)@o{dXF%w8pPQcAgMXJf<5!8g3bfm za4)UCdUcA4zK2B&=Q(GEX%SY{4_X>xp1z$eTtBPw z6M)^z7GFdz+0zEPc71j_NCOS~o+m+92#m9S2fPSz{hYbMngXr_@UNN^kDjj< zA!0fnuv1YY=4psP?a5fmMIGYt@F}@I_FCN{U|<;ESF4IU0Zyyt%-6hp@5vnRD18fUVC{sU4di2S1vb zGuJA7xMAZ(5Y&?Wr+fdeUn8@6Ob88lD0TYb5nqOXUd*26QL!8FQQ_&+zTJc881`gT zpGFab=!tmlV5_&rXl&9hy<4WdI(L=xcOo^E=>rQo+K<;AiRe_IB!qOHwNrI`%J_E< z)+Dfl)e2mI@dwj-IDNWKG#v5uE+@i2TAz|b*y2^>re_}C$x>Q zDZCZz@LkE=ehq*PA@unMr4gns&V-Y3kXBB}B>3(h-r9ajum?MCD#fVb@r|7(1{c$; zDo@00tKuiP?92P?F(7~lSu{B>?Ta_K-1l!6yGO5PEBvRs<5^$UAn1QX0l332e}!UT zC$w6mYm((}%kx*O&tGky^$0NK{dzg&;=hXZ-?U5LK6=%K!FxjNe{sOa34*0Y6`0&d z^2h1%*BL&xTY`na9&q%$ni-YfOy>Xa{G+HL!pqH+VLMSI{kNDPN)#}URWcWiHGlOO z{&qt8D|khhod_HtVK<#;f$|&c{+uMZn9F}*rq6@PA@>qxLH_++G6#7y3u9s%KE9Z! 
zJRe$CFtl9eZ0AEi<+C=j&Uk)4szx<_C>*GOdkPjlw9~VTe6fmA^auvX(QG}cS>V%k!Ygqxw<~jT8w7)(2Y>z6+g?2s=ZWv{{eOA%uV$xATIDpB z*v+p$`j1Y?-r!iC*PP`e%ddYM{U05LWuF*`jsRZ1`0yWx#m9R331?=@=J{Xp`Nz-v z#WbG`Qtz^_TMZv!1pXnbU#A-p`lKt&!hsFuPYL|WdvCrG)Rt-aQ*9wgg8yZ_zaH-q z0h7SOf$jGnDM;G_s}$KaO@_~JgZ$$eLqhK|LM)uH|EPHQa;H#qPG}w&BYgixEq@`k z{AJ5@WGG_yFCYDzCYdW(R>8m!Q~dudtQk1ny&jQ3ga1qc8aG&0!XRNLh>ES|4-fiSXn;*r*6M3+yC#oTMUK=Ld`cAa0=Uc zBo29%Q?&I`E*!7{baQQV2*Z|P&=>Ot|z%Hx088z8!!bL z-%4>c7Rfvb&ii)MU0HWs&kva5t~%(9r|255+^^oZzuBAEcbdzZ8cbwdn*C(dAHYzv zmalF#mMsLksjot{swaiNw}#TNz`8%PipZWjHkdSbNTbOxSESX+#Pq7Tu4_nbXG054 zip3|7?jj3F`zm>K<;@$I1q51^T3FnCr~Wuq8J4czCeN#gT~Iyf#lQhzomREBoO$3X zdX7K~=l9L5<&?Oz^S0aNXiCRXfkQOXzL{x?+KUEgClKJ%72w0i4lHxDfC-wZfSq?k z+MO<}^KvV76$r)QJSgqOxlciy8hN=eonGDSa(Ixof5=g3FY$&mj4PvkBB6C#SaIM} z=X6>BP}6}gZK1t_n43Bs@6mR?d0L$A;L*Rgb`$hW5pU?G2U-QrW2! z-!j4=!V;vqE}3_+VXNZ)Ur4*l5|xq#bjz+$CWG zwkh-mJ<0Zy*Dc>h<}^`01x=L1!Q#HqI4kgYXGfpZx5^(7rYJMJw5W$G08R|Nd2nN2 zn@iC65j8L6*g3(bi3?j_(LIdymWr&#YwrVhgam{3YS(24GL?{dNRaV%Au! zSo7hIdD8qr!x@bIy9$?+{kv@3ntc}YdDZ60y;H<#h0NWLPE%LQlS@vLbCTM5)DYXL zAaGV*Yrn|{jomlRGkblhn>eLepI{GA|4qmeJqbI&2rbK z<)wPElfceMzX81PQ|D)kmSW!2XNm1@hYhooe8ZtqL<0Z;9je`oI@fp&60i01_lKFC zvS;tUy@UGz|7mj`FcYO-tnW;5y%ngjuzYx6Q@@xaGe=?C79kC4YEOr0x9mGpPscj5 z@3!8VhsU#Y3~VZBAEXZ#b-4o9_ib$48E_ob=j54YTB@hQ&dfYcRW4p`upb!R*LpZl zn(sQ9tWVD;n7Z;&nfhL|p>NKy@AK!DOfIDxLhn?lt-5i#DqJ8;ti6!MuVvZHyHGuZ zHi>|7u3qfVKx$O<{H;Gq(S7`;NKMt(xfm)`at&MFeigMLhO7@l7uhz-{>b#f=35b} zQhD0%x=1k7%f-jbHL16dK55Z5E4(BtE1yu8r(YYN;x;ZMC&zRn4Ji_GVaIjNmU&+A#oEH^t825(Ew%&GzXw zS8-!#FA(!z*7*3G9)5C95MGZMZX)NEHCRpKRy2CwPPZ|(=sp|i8g|(`Cbe=xdN#*{ z$z>;gS=Vz4luPc@tZLZ^=cdk_&|0-=#PnLPN|a%OrG%O^bHli)Bh{|UE43cmb(@d4 z^H9`JZ`q+{jed@U;$o-tV3ob=s?#u6=~jYOS{h)~?iEff@g3`TwFHYLg4c(-YdR9? 
zEjf-1r;Fd*>~oxVnNU{~CA+?c3kuhqEOhI?Db6XeR)k;Z;Ws?8r%cJ2p^V)!^ z0D$$m%O(zMU8hNry>c~&Vqdx!zQT2)-0DDz_L zzAfgnP=qNci90OM>8-Z_SB_G-6B`+1OV~9&S5C0J)uU z&HM3ZRv?dhKc2{uUCsCbTiC`X%I(DCB+!rp>wPZ0x_Qhd+t6jGBFoTpP`@f`!a-ex zzS^@DV%0%Aue+O#VMi3HzCiblUV)3U&uH<2F(z991*$OVJFilChl|wIabI6B9WckI zxL*6VusQ6>?;q5Do%6lg48Jf;)l~cjtpjjhAORecvZ|3~Mgk%iG3rwUNGRZ|i6|;^ zv5&WFvLscYVT>_ZbSfNE6&Fc(G4eyfnFQ9j{BrjvTsq%wr-WEoj)CCglT1>N1IQ~^ zZx9dR?gPFbdVjBT&5qp^7l}Fnasi~SGTP2$x;A~5uNnrPcMy|z5fYPMl=pt(n*a=+ z>dgG}*3~5hz8k@~yG;kTpJ0?oQkZdaN=ldUz9zfib#PD8)V0lN_FAV>gmbDNb~kI! z)j%s3;MKdTBxYYIrC(Nm+c_o5lkm|1hh{alZDN9b{!JU{`jL7HQI2OlF}{o7Xgpju^7X=#CxWR2A40t!U9 z0EdP-$M{A0z$|19_YK#Y9s#{POWVHux8%j3=r*0HC>y6rFj2gMCR=tPmjEWK(+Zmc zV9RA`PLb&pz@Ivb!E5HYk8iug<1_7QFp4RqPQV6T&_=k`$)4OI9wzU`T!R=&pt=&G zHM5`X{Do!{rW3Oa&wb=%i#H|{&1pYY%xWd8!*!4yNB9PXIUOIgspFd0$V3W!-VXz{+ ziBg~t?k;4z$$^&!|q(?q9UpKXP8s?)SCL24Ae zHG5wrzX&N=V(tJ2s-rs_xgT;CK(?zCpXYEcF1~y9DM)HHy}(>(IT5MCVM=NNBd}eq zOK``r9dt2W)a_!OlN+>yE+P7M_-&Dzs)9WxM%I@F&jy~0k{lBuPnL(X@sFfpwc2$& z4>$hL5MC-RXBx((3*zElJmit6r5E$WmOn_lop*SKef^{Zs{ZjBs=MrSGv-POVLLJW za>WYb32P(RVXU-McA>M*ml+JG z%-xGJ9*pqB)|#TC@rfy<`lkIuZzY4kMgBK2;K`t>UuaB%d$ z=vngT*2zJ)qqxY#RGP5lad?if;3x?7~A8>DMs6r^M5?v@%DVwiz}_u}5q-uvF_v)}g*cz>G@%)p#+ zo!45&_gL$KIAGWrzbavkDICtmY|f&4_3^PE)N5; zBud*rO0Gh(+9VFN0#}fJtgi6=@$j}j=^9l{XG9A(@L#@|KE4QRr^-CUyB(|KQ&9yK zrc`i3TtJx9Bd`tDgmWoRGQko+*myjt)=;)?@$t}90wZuyw;=@{!^*k1$=7>!vKOK@ zkx5{l8eXyead*=Me6EEc4iq1=eA5y3-R3nj+|XgcG%m4D%#h#Gz-B>Oa9Sv*ve{l= zJNNtK%iHY`pD3Kjc2TtXaWjJ+o1ujY--il<&FTe4&STHU(;!JXRgtC3L(jzc;Lpio zt){-|tCg(ZT`HaU64p!aXQeg`#Mj`##t$2=8r+hm-bDpD@H9`bmtxXH6MOYHSs=2hxA1+Y! 
zZZAJF8Yagz+T1QRi!9T_kt?sl#LZ5lF(70YO=p;V86P;PY>(GdO=MvqAVY@J1oP<< zXS3i80~K+ZYI}It=Ot;x^));o5~Yxp4Vv>5PQCP6rrnxBM3AhG+1DXx)ly*jJRjBcA>= zjuQ8o4Q+751X^a>WEsq&H7J<}o5a+8C*s}*=k*b`hEbL07OB2wyoZ=%&xqG-n|Ev} z%5?LE1!id>rfF+S#oqPc<$PiH_y01Z@1bToGpf#Jd-qV1%uq`P)Q;r2xGbuQZ2z{X zHg~uL?W@zbG*C9EVGuQ6Bi-1lJOx0S77-@pYXu@ml-Z`nnA)Z z@HInDb&V_B7p&BbK8|aV5)YyiyiO%J`^FrK?0Qdqsb^Em$W@{rZZ~QfEg#at;nS)T z6ck((#W;Q!!npk~4|IE$SYO=}qRY!)qSUWv54u~%ye`W1Yq*0~iy;GTLV>TCg*>MD zm!ExU!ygUmsF=_*y6P^7kF=w~#4!x+-K&$UI6n&}km)-SCOgt!>{82JYlVM$TEEqg z3w5>Hw*n330iDhzChF6ox`sL=<1#LauT&X_H(FvA+@YNM zaq4BN6vHLnNY}P-Tg321gZ)+GNSjgj(MwTTS3>Qk_{_7@0_6iN9Fgfz*-k0V_z|&!QQ@8lzsI{`qpqP|A8a;?DAkoJAw(mF}sAVLEsp{E(1oW`G} zx!oCJL3*G$usAq&Syb_j8|)cfWoM9tmbHv2Gmxdf{0zWeYl)PbDn0Y>?QVcv_i*TOyu~t zgbP~XJ8n(;9`q69V!(;Pm0$CAT->Y63OgA!bSwT_oyo(RUYYMxPn=$V+g|T;iWNuVKF_=Lbn})ZWg@674c_|3MIj5G206CW z^m45=U!+KCEIVG-5-O<*oUzKVI%z1PsO=wB=hUfqCUm9kqL;8~!qOQvcVq@KII4gI zi`lITi33X2{@TN*hn+Zqc4{KHkVVp=)f$JEz<13+Tspr}J#k0!G+uFT>zL+dNG8

5!_zAELgzBIoXl+m|3wMjyngolVbG@&wR9`ySigtd;G`y0Y z&Qwg0KVg2vO@DOX)AVgZK>ebMB~?0)=FGy?=3|ff$jE>{smLbvdQ~8BgpS&Z-0=RZ z$z-@bCTr#v&v=Pg7!@pV2|CJ?qVxpJ)wbykt5EQ=WKaqgA_1?+cZTFmMiW2w3PO4s z6dNF1hIuz{g_fP5ucZ+^O4Kf$-U93>G#~8&8Ar>2iocI}Eb7{@aBkk{QP()RFtTd< zLJP$^N!8fgz8uT<-Y;>2>Woe2^!4ZT^tDIRifP-~vdRr6Uuun&Y5B}f zUG<6Sfc8H@$3#e8`&%p)<)_$j4G*px)yzfwK>N>3bdH1Odl30~I?;>GpAVH(feFg7hT5NKz zUE$fYMVE9q=*e%=H+%-G42at&|7I*uXpv#EMr)t0cot{PJ6^RoE&l?{$gFX&LgY=w zEK$Nt!O}TpVS$Ay4q}Fdhl{?PxmkWg0~zzMZPug){FuIwtiBUH_NfZ z{7!5J_U~a;J}2toRzfw=S4aDj0_juhg{NI&pK&lbzRZwe9YWRv!*th^GknIui8#X2 zd$oo}c6w}+dX}H_z;DI$9+W5X{5^vb*&ju&;VY8(Kq~ z7z0~s7M*F%-q55^1^0hFbBS?*FuU_TliLREQeqPzV$`X5CfMQ^*w%UR@qlh6bV-6t zd_)LA(zkksD(sv~G$KnaGQdPpi;1fdi+tu?IUTZ5J{jv}NXX(O2FOJqIMRO>;vO$( zsuCWbt?BDAQiP>fPa^%`?h7NA8<`i;k^8Jf4PJEN@VNF?Uod5fbNX7|N4EK1-(Su>!Y40?OBjb_Mk_lz>KFAU)CCYONhCxDZN zp(#M}=VAW)KVBQ9V%ULD4;i;A^h?(MAMXo$_X4C+Lk*Q2`!^ldbUY__vv2RL8Wu$I znBOJymrpIJAa(VaSKBf0DKe4YTd}izG_+W;# z*%E%HMyYmJs!7x*)-pDBI!wg#-wmLq=XkiWI0mvDW@IhTG9GFt%!26c${Dyi4puvA@hFlCuD@T8lyi89LBMIjPW zo$q%rHW1AdTocU!Ws;Y5EC8#lt>5BEYG&2F~`oA?`4*UimejAGE6muvV_n9JV2b%UD2v@=FIP!E`Ii*Nw@YpuZc?1Iy^T!f78&HTJ@hd)7m9vZQuUu>U~h-HkL-l*$!kC&H!pNGcuejp zb(Pn+c1MC4NB&NNkL;^Kg!}(Nf+=QH&AtlV<;|#{z~-3=?-JtgH7s?79}FR)qV4W; z7#&QhO5Q}=`;V*dg^|hK2vo&+HlVl6%*0OJ=%N_kIQ5pRC#})n^l>t%dL^Du>Di+( zuT*zDwf)s_LHp73oWV8<&8HU=e!6uHp*)Qpp#mgDet z3Ef?{@|@s5f){fQo`mPwCbPac42tS>;BLm$mFF(LeXgrj$=(p^7gH2P6lVS=k$GDc+q`qFh)K#hf6Z_1MYL2p_@F=q&&Y|V;Z2I>4n z)V|C`fffa09?^hU5CzFw=TJEHa~_-~Zkyhbpz*Li`Jlow*5{I%9x^dD#zs%7-x-zM zMh7f!uWK^hSXXGOvmU=&KoUZ%0babYaLQU+U zaA%=o=~{?fVfmAfeBei8x>`1<$ge2io)f(DK0f+pH&-p zJC5pnwtTWJM15YL)MxY2&j;8GqtaWFB!ciF`Kyna?r@CyS`q=Uw8}w=;bh~ipEe~! 
zXK%lss$udFgES*UEWKpB80r1KC8JQA+O=V06_F@}PWhjK0SDQ{Gn~)$&Q2^4{Z+%p zo<1pJwiW1avYPtBgry%cc|E?8pR}I7P|0eV)Sb$K>4|v19vQyolbyF26AVpd_!7@w zVyd!V}5U?s|Sk z{JbralGiEk@|vtUdJGVA%A%ZpsEAbFEj`a~GcStBTk|zgB4>{FtI}s_u9>TjA?>{L zwVZouBYL0`>GH-_#vEP^GK*s7?XwotdC3jfV`1iKA&oq>o5N(EO;w5fen3*^U7(sx z4tfnw?>cz2IoyGyBR6GtMTr@Js{A1h0^xk^4j90`K{4u1T^J zRr_o`Tgobqr?=*a;07-w{fGU9is=v=I*e1QBSmf{A(G1vt3xx)m@y<-kGl_j0vpbZ z_gVN;rAxbti`plokE++jr+u9Hy(1_bn)#@|hm&J_dQ{JA`v=xLkEKef+UC_Ld#nxP zD~gbzIkVV8*xSPXZ0GKR#m*!BkGD8ODOUysIdKf^7Xo`j^OZvZ6@ljLyc-hSR-bLD z1By4J<%jjTbR|?X>A}o=_GfE(IV`qjxF`x`c(PV$%Iv@Rnbk_eNSmLz)BZU4^XF)z zQ`ShnGfLPU=C;Xhko>yP-94#^N$t5D2$i)uJ9k4)9*JhQOc84y_1#b-m8?}aCO;-f zQqrX!!X_oipi{;1U3*`)-2Tn70$f&3fwTlwi`|~0GL0bA?;@Yycc0Jmcpa&##UkR; zqHC5F?Xw^3rB*2S?AYmC%7D32t%Dh!!+EsH3@SFsD`CZFdBcd5nRd+(#Sq9I_cmtC%H0e@t!&lbM9YNeY8?>1GfTe``nZKYnf-@Yd^GN7XD;kJ+5}&(Er01;k(>e8al0YsmJ9{-<(opQR zO2V1)vkkDfe5)*@+@pKZ*Sn+CsU$Nn>8&=#mayR>fsf`CH3?-BYsLNhOH4F0ZhE08 z9Nt^@B1=oft~m61OctpB>#`N^5C7YUY7kcY(tuD%fOM??&_`0`f))z zjpXImz0-U3J6K@BPMh5`p37@`OrUv9kN;Hu2R%NR7-@+62R+WX-YY7-8(e<$;SOmY zFDfId3!#U->g(UYjCHE2u$tAUq6zQ5k8!$p<59;xqm7dAy|dQGGU*Axz#@ctw}-Ly zeEgwr>CvF6g{wUmOr0bEQ3r8SjU@NNwe~p^0daQ3+i~uLSSF7pBk)1HGdAws8Ih+1 z1mOl2Ldtu+Eb`Wq-mC>uqi;;lw90!Le~upi2=M%rj8{Q!*HPTYEkjt<8(cJuDH&+1 z<@{s&D;_-Ry}u!&i-7t z1Cnd=82~%0gtPnJtVd?XQcMIjrgpBfZk*s%JsXF6H$$G#tsUKBR+!AYf+!eRtzx~V z(78g#@5WUQ+5kAJM}rWlapJ}iV+-v1Q)Fvc!`$9pz5UWO?>Yl+@F$be%`E^WE;wWx zu10)Yoq30Rfq~oO8JYgs`Mh>4gEH`Qe5H7HV=t-Tv3}UP&t@T?i%fYHGHS7BsRSvy zEofxPMI_-{|0bhf)7dEmMFs(9n@mj&KO%19t^iHK(Lq>~yDr$Z**#2=VEcnGjXH;2` zX7RSh<;CPMmGeXeyNi;j?vK+iF}E>g2&8fol05>}1{eF~9}BFEsdQJt8B}nv*!wa| z?h+nbTk>s&h+b}q7T;J;y7Jq@j!eq+`HEgWWI{;FDR0wZa%JX-%MJht^|`5G^kVND zDwXETJ|P?Mo4m?Lf$Fi{N8-zAuC}6B1yt+dGrmyY+Lx`EnP0f=r}^xLn6!K55fgw8 z_ASclfEkbieIMM3R1&Cg$?$IFkgY!S+Gt0d066%j>HEckG-lMW)(O(D(`A=oZPJ+w z2Wj~Vx&ULHlLvJVeu9xbv}6lao2U+}O1EuQnbBfdW!ZKCo4i`#E`Ert;AI!+k=4zr zNaL#DcF0Y)EgzlIuPj)g~Cdy05na$o1?=@`<`}G^klhe8OrG@ox-49Cv>IWye!ZKM@~Y@u-aZC1=id?Kl~KOy`dk= 
zgwV0SRW@{-J@n9Eh0`V@UKxWSL38Sl<((tlzz*edZ1ymMOhumz0y;@`lPv-kNcX-) z%!uqs%im%#6=&uJT2vkI`;HKUS*kejmCnv& zITm>cx4~iqg6r)DqRYreWjmHSFIisNON<1S9JE?eYM;T&-gy;aGL(yvv587JyQb}4 zf$+~q83*@0+w!t#PfFvPQt#K3wtkT4tD_y?yu)t4I>^`9NenDH-^AUlAG#d-A{N|g z>MC|L=0d;Hyb|N>aIeE8n#L)Gajj=i&<^wdO_OIFX`{3!pD>T|Vhk}sfJLNa9wY^~S}v ztBwZj8TE*$%*DJoM(yb{Ae>!z(g9Rfr1O{DpyWVfG24cRJ26y$V zDe^x$eeNIv8k8|0IsGGa;+;ehu#ZE{l8P2r<|ZZTcomyD6IsVxDvhR6UmA#v>aVpt z2pPCSTRd?;MfAyIJs_4StU=aLns&KT-k78O&m<;5hAJjIC}JVVardxZn<4khn}=&` zg7jc44K4V@m$QeFSQ`bn4z-nb68DyNhLFvBBRe9O%Mv5bzPMelCJ~`=(LRp3*nI;= zcv35z-rGMuScW@41Ruo=MkL44_l!bmXQ-jXbbiUPj3-jE4XZm~vz|MfE9>4%X9pi|bjdboz!UQ>Qwo zE?B-XZseCk*`Cy^qpMls&8nPUqV_2(JMt8suKx-2$#1i4B!@1g?vUeoq;-Hhq&rrH zy5L|eXc=5%ha1WiScugZCgjWk+?wV8B7&`xdYSauEsZmHo1Rn|;Q~jk$63Q|M=sWa zYgEr^2>m!u&R!!8jQt@AA1*fvkqYU|lztc}*2P(6^|sq}@Sb64&+A6fnV++5e<{@7auw*wqA=w2eyMmiKavmQs9F2 z0WP}p;&GbJ*!Q@*uHG$`^xe!^LWIWbe^9E4>eXNAS!GeL`DRhl2~dWQ&7cdTHu!Ju zmqN>M#e|DmMHkd|W@c8F!~1rfbV+s}%3nE&m3Tu11=D6|VqdO=vE?N@e!Tghs8``ckX6 zM>BeH;^7(>zyG0tCU@x{_w1eV{Q|ob%lm@+g1P{oWU(mDqTb#;%1Nzwe2r|0K9LXF z4f1nPr>+VySD6JTWlIhU#C*XltB8v}=dIUsJ0(8PBFLfYd!bzaNYc~=!5_ME7av)Y zCRRlJiIgq(croXc53vH{Q&|!lPISOsnfl}Uc0C_LBjhxw z%gggJauf%xuzaO)fW^=&D|P92aGovlXu2HT+CCfa-=4d%3*SulJ{9ml(v{4QFl*3V ziNL$^XEZ{4m?>p1^t0oR1_=kQ2z~GOsLi0Z>9bWo?^edsmJ8?r_Ws~i*^!~CgOZ5V z`%xvW1RwNcIUx$o6;8EmL^wncm_-|3BO!qw-y;=8Ip2DAieAXP_eLg$y-n4Kq-gNh zG5u{drLnf_iySdO# zd1SMF;H$b#R=uLA-S<@S1#HaQT-xxz;bGpV)d*?k9+0+}ftb0rbYR z>Tmka)4L7o5loaG7fcb+5zewB*BN!Z+qFU*e@9g$8);tEHF!;WH?E_rv?}8$r%nd| z^YSw-RuT(3LvHpSdDWkJGmP;Jx?I4S*A+9Y@EvxQxA@kN4$jdlZ~6AZk8rv-eaQ+~ z`Ood98Xo5jHn_+%32+TSe)L+*c%ZCy-ggi#ua1w4?{AQ5+-fEagXKbP*Jl)*M3X?9 zfd8|>bRn~Q9=`nvK5)r4((#y;tdPh<`j|Jd4L*O`cZN~*`5iS<{b)y^zGvUJ&}*o6 zX3;rOY2a>LBJTZ7nv%;sdHS5Yzj7yl^_O0mpB~fBQRm_*(aW}?6T?5nBmV%m>0wsS z!U|oIS*P_Hy{o9|!@L+TeL1yYprt-(Q1(u~ zEa!&bb^!6BdVPYoY?=??)t`vsPt`9epbr>v;8LedPU-bOADP}aB*Jf7%#6Udj!v)= zIjwKK0!XbEZ8X72phjMCDe5re+Y2 zL#Dr77%hyE4wiu+k5#TS7nrPu&$_My;D*%yIf{Sch$isIWNEZ7K0IT&u><SU 
zA$l>YYw8dUtAIhy?I5q_M~M@&RM4qVvOMoF&g3)iXtjy@(aaJ%&kNMQAnzeMX+YfI zLT?SyH7yCc^PR-fseBK%=+M520zfYxv=X;3*DED?^uK^qD)m#3g&2#-wsr1zSF8gl(+X{r%!Tv19kqQYtIRncGM+yC!LOc z4CDEcYb6?wa{Md7B>}`$vG4;tS>jsGiUwxxa0y;Mv>3uYIPI`d<3+9U)y)&jtiVH})7~ z(L#N}x#L^c^q`DOse%e?ebjb=A8sGxF|@AP-!}9hp1Gr*W*`mJO;agNk5FBEez(rJ1fPh3W!GO4t$%RRHCmwRpPm}?ztdLb{#)G~ zy8SKUv%i_0YaIJO2)A1XV7!VFgn#?dZ(e@>c-@g;V2y}|IgnI=t$rK z8{+w2hWI~2bH)cc5)eGN{m<|En=b}XZw3osslysQ-jM!lP``a6KQM&u(2$>(=%+tU z$OTa9jyb^^?Em`4fV6AUE+O%AVD!`Ugrxu-2~76MXZ|nkBNTxlI8$f;ds%)vf)06L zt)3xp?EZWEh$r;G5cnUcTss2(_rDlm@)W@KAH9R?{(Jj~n0R0aX(0^%xzImvz8BA~ z8({qZ?e^~p|Nqh$64yF)J((%3Kn{9agEOi8kAzBV(4A*_zr6GCh0(uAVx>yMyDkJq355S=J%y5 z_fcIy3ek_=M;ENCxoCjP#_P%l?olz{N z7Nx=2$FD>tL%1kL#{JhGke7Exl(4tzJ)`Q30_5I>SvEmL6ISb&!5+RP^KTd53rfn# zfffNP6FWOhYwkk)gjMMs%9_a}X3cxP45kuVy%Pz|pA09Oi$%vjc-+b4ZE5XtOKbRs z{qY+!OWsc3+%DIn4<3zt=2Ge1kA8DN=d%PbUdw$D=aa7yG1)Ad(+7vp^qG}9kV0lN zAgJ#HXdxK4;}UFP*9deBz%Ku;@ue4QxsYbobn@9lMF!exK7?Q*vhJhGinTCE6&>+xyQEti9B&AxeXBl_BT zW0jfAcY<=kY$0dI3ADF-Hpcr!-QQ>{CM(;=JdpGwP-g#WuM1U&9%T)vmt2phaWRHc zrI(|xW{vhKH*SqMP>{2~Zg@$0Q=m&dg1F7q0r2(R#G3idG55mwuDq3L*Q-Ta_u5*T zL$)a4;(+NxS&)&ydmvz&UT=+-vP^*m8! z7`8S8*}LirHVu4zMnX+9G*RbVSJM2wtmfm!&6_`FV{wB6H5>xVa@E=1ia8U|mrdE* zlDXPUB;;Z5B`SHl93~eGu&5;sa0Y&oSk20z$&&7Kv!{vXMuC6L|=2rHma7n+8?K#qAR403|%ZVxmVX zFa>DdUuF5U)mbzQW{~WOoxZLgtA`&afr8Y`Ms`_<)us15PU@U>Dq@D-aiK)34x}YR z!rQC)y1~zz7k46>n4<~D!9(2QF53?#H|#}m=Ef?AIpIsb6c8pKu6Y?*S>YR`d>zx~ZHU;RzWKlv{f9z{&?XX~%vlg4LBMOntQwmgXe|USyoRi}?gj{TJ zRKV-p38Lg_@(U+&jtE?s=}p+cU*~A_>0v>9hght2*#3x94_HCQ^;tAe+Rkq#l!$?z zg7rWO@#i^oT1gUiK$5rZp4s9x7g}fHSx%zeHZozb?RQa);W0TMx)U62ets=c+*k%u--4x>-H*uQi_eyB z3QC=%&Nw6EruQ?IB0hwWjK95Wh$%ei+5;G#6{l6bR+%uiI>3BfH!~yz-qVq~cv*$Ux6qst&iOp}of73?!gzsdKLtmte#n z1)vJ4axeC)`3Fd8SI2gy*S1YXm5P1JLB7bN#L7U^WCX-F|#y? 
zr#>E&wEno2F-Ng{*3*ue;3x+dEEbD1L`B*<&^qASbwETaM0?%w;s-rTrik6kk@FXr zyU{*hxPAD}O20_NZEs63BrWyvp}o%i^cA12=8YvtgU0PL$iwW|SG#2@5F_1Xm*~i2;@7S%z$5DI(oTb*&=c(i z-U1z4Pm(HHOlBH7Pr$>^$bRSj_v6NGX<;@Ely-x4c_dSZaF z)VbM*k%pnoFJog7m*u9&2$^(`?w9GQC#m~;yVVno@sC&?_3Kmx$|Jh?)JU_Vf*Z`Q zjtEHSy;U>xg=vCyaQ-0StpMx}p-*~S)@L8}gqtDp+=R}UfMn2BHvH<78);&@r|^*z z@YlE|8+mt!Q^AxVBbF8ub$IheU37W_#~DR|K{{SuG&(T5f5!+XlQ09q8bqkS6vCE`DH2R z;^wyk=_G_Cw67m4cf^?t8KdFUi}4VS^=k|qVD;*{m56jBqj_co?qBW!%VsHx5=_E* z%goA!J?q~1n+TY*M+*H*B_%7>dwN`@W-1lIi4y1y@USS^W9!V8rukse7!FqkPi`5FKEQJS)xD)W*ULSaMbjeMIA0L9>(=w|%n8Lhx8R6Q z5urRdEziwbl|0fLJ{gZ{?6hgNJHOE`k?+E_r`gSsz9TNVSF;*2*}34beQ!H~N`l%U zmEF&+yo5}#+zBNi7tznMYq3=FJD0H*cHet^*nyZ#-)>GQfw7d## z4H)#UZJfOGbHv0oiqBy5jB&Vi4_E6K3}6$w@6HMlPjd=0v9kMdi|htZg||JG$rl7) zX0Dsp{?n%*_5ClO!pinXTAbkTB%wpU&LnJ} zjf@9St&!K^`}L?-&l%d@E?N^@^x;-+U4Vz9Ui47z$|K$8hWB2ceZ)B;R3XM2XS8~D zds`wjp^hs!zShvqF8+M>pjb=azigee5y1T>$LR`4ibV0^!zDm=OxsQhS-vjD-q)3V zei+uyQb>Ee^9WMxA=;8BGDVVJ* z8ri`4U{&4@C_Eae<<*@AYNzfgKA5$Ur(((pS_AZStO#;WKcg9qy*CZZCr{`)j}~N>xdKiY zQig0P^8UkDy{e4$bRL%$79&Hkt2OT^Px%FMrO)Gm&SJDkXV1&UMEfGf@D_%kRzE`2 z_f77@t`&Pqw3NEht%FT{Z}A*DMoPykPjGL`A@)7<+Ng(Bi?1^^P|Rde`^G?BKyy8~ zakhvRF{eqo)=x}4Tv_Bvt6fQbC~cK@yffhPqH07#kr~=!GjP*_zORVdU}qxnHicv? 
z6S;VnEgCQs?}YjU9#U9ZOV=I7%na$7n}3hn;zzR|Ey3||$n)_`;|dWQJ0Ew;gam1U z`lR^hu4dM1WH_x+wx*V)P%xxZ!Xf9>=~@2{0k@_{YQbte6?<#wZhWu520vPwFr&Du zt;$WuFa0G}?PT4Xmeg9$R_4l6x(<iO87L?D+qo<&y#pMrMkSpeiy zaC{R}ga!|tZ!1}i7e9AwHC$I(R#s9YhW_;Xxi1XO{ql^#f5NoAm)#dy-_lxct4qgs z`HwnqO91$9sZJ3Gej0(w0X^23%k7<2&pIDKI0e!c*SbU<94%R_?{)UX);%_ahk@MW zKbYO~U=Wz2=b&roDT2Fw`G1l}wquNL)@0(nTR8ij8KCyE(aXfNV)bPClH7M(vN1(*abb_$z z+hX#Y?MMmLif0-)MJMLx8KK&BE~?Ry9^RSWts}ncHUlpiay%$!NNCw7irv=V@f}sO z?pIq5DA}n_z!s*m^loBC=i-S+r__g-EW@k}nBWw#V9wn?<7%tO?qGf6?V{rm)QecP zt(L@rDf96MCaJwChNOxeH>ExvB|0(Q%wEuKl6~65z7hG!L$ZFW?A*QCu{^wiOmdP4 zHY?#0GT9`t)xdDHrnPw@=12@{WM^v*Wimv*q5hCt&dX7;sQv*SlAx_fn_NZljZ{3S z7(?HR!PTt1ioi`&@6K=T)}b^pQcqGtZS<%rXkX`)m~>)#`}%6M23X-+)w4S?h*wM5QUxB{2z4z_^?5 zABEJ)*0+!USx9Xtu641k^RGhcpnnun_a3Nc;gSBUj{52)^3Pt$-6w;ax9?8wiE8SU zIb9wFWKvAvI1>#yNVACNk14 zx}I3hYRa#&=nA4Mr6}b}@ssJlYiH`h%#t^;-d*qj_TbIpVjfK$KssoJ6lNZ+$Lud;8*u41%AZK?t@;2v(wX7= zTykWrsQdo(&fI!(sk>Z-R-#WA(sZ?P&(9-xNA4agubF`sIlaBK-UP)srkn&@Q4{Z> z0mT=`Nd5M#KWhC)DTK?U4bo6P}|B z;73jOGyCHZfoRWs-jHlq)EzFq7NqqptzWG3t=`GTti!Swus+=t!YrX@BHkx_bncUw zo{ZmwD+)4GmNQ5URLIKNCpVJ~89j82*$+FTxNZ7aUDaPXLwLb?B|D>;b4$lG*N$%1 zNBvuA_XF2b_fgZQ4@dd>CKUbUp#^a+l-B@01bhwPLwHYWVVmApuU9ibbt4^(yoOg2 z$FG_WKZAA<9^*~z16w*am@A{KT>+0kjEo<2v{oGNWln#AhK!gDd?krbGCLq%@>IeDw45bsSrnzNdUhe7MJp+3yPjvGxQ9X~_QWCw+IJ*OOVC0DG zh5Wr1VUoby5o>gQXTTHJ0U+|YC3(wV?_|r5OdQ9u5OEh?~KjUJ-h$r75|zWquvKoCXwW7P4 zk#_pr{WpTy-*wc0mFo&oK2(6lZ|+=wdt=NsxB|Ufeg2y~?r$(5>^(rFR<`cw{P|z$ z+l!2AM0YQ0^lu;i%}WNHYkZhP`R4Y2A1vq^M$+>s{wAjT8)*B?2lPE>i1PdV@L%)! 
zx8MHz<(kZAA?Q)qO3lotmxzGX89l3>tqq`iR{HFhO50<_Rt4`H9Rd_}vvttDYR&pt zyJQ1i%fYucHq36Uq`h--B^Heesj3(bu_q%xbwGw&>zl8~T$gOyWQ@YfAw|Q&C;buN zZ4y}gwP}2YZ)yKZE>gD+>b93^znQwXUu&*Q^PK)_Y}_yTug1n=j{huU<(vN%e*9I&N>HB@0~ndc zJNPKvryD2r4+7m3d)3*oHt0q4-S(7q%xl;+@6XaiZ#i;Xy!JU<4+BS%Zzlty5c%9- zGtOQbp{Z2DGvvO9dlT{qH4m7oWS+T)3}5%YNb^I_rtIfaaz71zA&&lhzK~az}zF;y`k>amn)lhm{S6#dD%((*Gn>Po2uX?rjq5fqu`_ZaAC&ELEhATXENln2N zMeaZ@x0>PYXST3t{Swl=yE3kbks$93w2x@;7cxlvage)9x$}|byUR01-q!!a-dje+ zwQXCY2?V#`?(P;O!6Cs379a!*4nYdnDhM9j-GjTkySsaE2rh*c1+TKtIrrZ8-F@15 z@BjCQwy3tCmW(-PpJR;PJA$4Qj7#V2l{E)GO-=G7fibd%$6oySo1o_c{l#;|uWqt+ zmzH%;{SQ3XK=G-34X6zH5=9H)MG`bWo`eX-q~>ANk4gdo{!AHJQ@T($042>*!G^CR8(d^ArY(T zty$%}V?FZIwIG*9g${ug=od-vDiJ}!nnL}E&~)X~^-C@hJXHTG6N zFffzyIsJd@guQ^9iR@(hSE&UhAjKBEn6td<1vqr^t3OKP99LL}MjcM*SI4i%vWtk& zpC-D_Ba9W+s0a}WF|^1q+&=X2Q@HR|L?rX#PRzh~uOlMoDv}byO>qoQzj?0zuwQ+q zTPrw2(K>qt$_mSwK8m%}t)~O01HaD=h^~?l5txvPUjG`;DpMAI+at_|qmKjLJGm%& zUX6O=qzl{rL$=%MK8B492acxZ4~Vp|Z3bW$z^Ze0`mkl*LOQmqlXt(z%r07W7td-# zYz$_$w6{??xUy5_ZF}04yy@~YC?8mnSEAz=}uAAMWBQh#`e^i_QV!e8N{)_ec2|*{j96K)~fPf+Y zrx6qKe(cE;-tq_O92f$$i_JTj0XNj&xHu;^#+MAU=PG#w7>hy);-&ENi%fUGlZ%1} z^QFuRq#fEKMLX?bk zZ4SA2J>}#KDNIB-?J>wzS4i6jB)v6ZG7UM8gt!-@BcJX41NJ<}=0QH$?gcOvUo7$s z5;vK_1E4We?VJ$Sp&f5f_{=S|s2{pPX~qCBm}u$NbBA#pGIQ)#EHh{xw5zH)&bL&` zQHjrQJgpKTIlJ~Kp?l32DQDfrYG*#yAZ%OpdRULGNh3y6Mrh+%X`!*m@78ii!~@0j z<83oJf72ZQSsmfm^^txcO$0^?wu;)tHM+pno^-=zNkxk1)O+1ztG^qfOMekuEyLpI z3esD^6fK_W^FDuL1X47Fx zzu)KnMbaFX(_oNp>L6#AyMU2kf5qi=h9(_)ppx#jq5Zs09giHQ&J@*eHqrQs*Su4` zha4a_FS{IDXKHlbZW7=|6I9Wz&aXvP$+be!d_ zxUl<2VX4=14+K(eNa6Lmjzx5Z?c99T+i&9ehSbm60ZuV@CkCl*{VmP%Yv5g*Y5P%HSRxw9vCD9o29_oIIKze;r}Mo#$5xn}xA)=l zugE;xoYtC4;v?04FwKrMWd9U7`NF zGX?Cj<$H_zwBX|EdY)TEsmT^dWgG z4?|@yoDQhdeXzG-dN;lgpZ2@U9^kfnGAhncZkQ?B@z!BZ1&H$A@zFjs<*lF&j?j&b zn6PNhU5y5J7bY?PFv_bkF*?{dHqCKxD?M+H4di;EAP7<5K`(_X7_Fr-AxC8elp$r+@KJ34Z4m6uc>-x<+N$ya~|+oi@xh!-NGBZmM>E zhG223N}3a+;(4~akAMFID!QJ6AM(y=aLUdT&3lE|T-wp!s(rTU&@=e8maXw?ee&Ww 
zN8^+MEuA{=o_WuZ+VtjM!ouBhHVrnJ#6mdP_IN-0NB)$4U^#w&*_~i)8I$jCVcqdQ z*;0WqBNdaV55->*oE#lHR$z*~>RFly135P<9g;)2j`lxR1~xs_Kf(pX-IvjuJf#P0 zy`9jkdwxDnM{1<|Fn4>jm*#S7`vQpK^$GzWI~Wz`Q)ik!{woR9xGY~(nsYeRknggX z3IwWncnIjovTE<~Bz$B1I!~)N_sBY~Dl&N0XIv%cR+HOqIi9bCZ*LS`ot?oI&CQYCvB5gfNP;su|`Ts z{ZU>&k=)YxOq<|Wzh4toZ^LcBLH|%L47ILn+I3acr*{RlPtZXnvL&JpK77*%%Eujg(w?Jg?O{VS76Ap0f@|`WQbHNeQv50OuayDr5W4iKjCerkov@`}d0f4kGbp`AmjZj@G($K^~vlsxpb9n;YMRu?kpA1smh<7_@ zn^>*LXM$ybDB0?^KhW#Ipl*IL2cqj@T0+N6De&x3J8uo$8;tU|>1!QVp=`CwdM_<@ z(g@93dOGn#v}sasprxvKl%>M89<9X%d zaoH*(Yc4W=?ksy42otT6Cj7dw?KVu;$?-?;X3Rs+K;&U)Z45|#yjS)Ep%qb2TQD2$ z|CfX1KY!&SMaIhyj!Bq^rK@8}51wRrARn(V+Van z4c$?NgEo!m>4`PlhodofOq^Pqg?YEhGW7~f8lyC!95&VX^UKla)Dhr`9;waH93rmZ z9-8IZ&kx3CXSccgypnF>JO1LA4#?$e@mo~^QC6h#M2)&QYW!Lvi}h}XPMJQ5Uvw$% zWYX;iY=JFjw@Y?PfwkF_=9=Y4=o17#&OjnNZ+BL(*ku0hk%_}OhKqOgV=i<~(cIGn z22PiJvkeI&OHVH%9^@e7vuHdz*N(TmBg68n88|&e6^~1{l=#8!zaoiT)B$Z9*Y$F? z>SxGa{TYCbyW=4KnbqIl{j)I2Yep#hR@aLOxWN$=tf(-2Q|;hNtyBfkmrUhd7(@QN zLrxHO_4K8A)1z(cUEVTIXU|Mf`Er`mx0aL0+v6!f6gp8&akLCf#{AtVwha6DZ0XNZ zG!X&5>L%W&si<_g1+yL`mH5BHQFy`6My{mi*k2xok7snUa2q;etrWeM6DX^wMBZ=E( zn=#>)AF%>4-1IC)J!|oK4}<8#aJreBF69HYXHIVvGoP>C?;!YnKJz?H$e>$fH?Zhv za^8WYRYYE$oY@+Xp7dROy>2|1=6Ae{4lSEPJt7!EhgfI4TNKqp5ow6_4~n+>E*=A! 
z0M(cL$}dDBVEJC9XzB-+88ZxWI#_ty!M4Xo%(Exem5ue)#P<;laONkR#t@KhvbLL8 zxs5II%<>?g3td>0K-y_XlpHp*x_Sw5Atpon2{vUFN(W~z>?lTts)^PB&yHr=7&dJ_ z({4U8{hMK$h=ON*?6$Y`P3|W-F^}k@kA7+!PXxRH+){)hCy1}<3T(c27?|7{Ik~@2QboK zgZo(q$faK3#&6myv+cp!=u#5GzHza3a{sW%o_glUy_|aD(dq0lx}cRR0N_h&{rD?y zX48$Yy%=Id21 znd|j8bsZhxZovv+KyAY$D8yaqCkAZ7%x!DbBEL%>wD6g9C#n8Dzd{;wi{VDm#ft6# zNynHkLC|Q`4if2osSI;_}q^Lv{D_%bqy2rD~0bB$LA@^|6!Z^ zf7-VCEGbf%Y9m|I63VaecNv;W`?dUFM(!v};B>0|@h2(BaIz zyiHSnx;WL2F>D6VV4(8*n@B=gWGUKqNds-5XzAxd&3cIg!S)in0}J&@soo2@1`5^h zx4zN^t?iP-&kH)s#|K7f_a;zDd+Cf0M+ArD}|1bVi#QRIWvhfE3F_~LsQR6g?eDpL0s1h6Sfhv4*j^v= z{$juY6D1q>#+u0$VQ zjSHdEi3EGOTIGxl`CKB)xt=()?;RQF8HYRkK`|fWba_QYcK4=Pzl>>No>T^YwS!(i zyQJ>#dbq7U7|&1IUzpnLVRDD~$IbE6)KWa@`s^?#0qxJyPkC8M8=@c{)C(ph{#m{LaL5_k=PVDq6$N|7L-XxRjb3&Y`ZLebOwaK) z21fES3sohGODflSdzp3la^=P_*W&--JN(b%&gKtP*@%NcH7TiRomY5W$*+bil;7ov z6ve53;KutPus&-tF6#Xhw{{9uXlr^b)-2I=+1{@>ER-GBZ$BQ^v?7{Jw+9lTWsNS- zZCnuFs*r6r+9xL^HFM}Q%(#k}>ouDO;-KQ{NgldvP7kWU=g|mK?V!i)eRcZ-MT`8W zb)^Wi*9-cDq<1A$+r^vds#?ZB&D*pqTn`+Yj|n^{L}?Dg*@#2Fs%W#<+)-0Q^Y<$h z8rVIanrCf9L1ER+nHpQUG&t;`2M1jI~gso<(&Xr99D;xdJvzN?hu7bZSkA(%}4cp443IB~>o zOaIqA?xpq_{i$e*)yt#W^k%0KOCje&+big?qtfpx=fnB3fq7F{JRA*y-52x_kIh!4 zyuhhW@F!5LS^6_-{X3vnLP7Lvy7ap(l`_8WejMvkApXS2<_5$lB=tevO)pSO)s_Sq1l!|EyUDPM9KMsoj$L0*OX z-)b;*IA#yJBj-Tp_FJ%I`H(FN>HY8F*|ea7%-~jxHU6=>iP+1}>2Y>e4~f+KKo=IcV+#24c)m5e~^$MSQ*41(wADs%|W^OOgp}%DuL&C7RUBDJ5c>V2n8rt5}BzF(Ax99)# z6aU90cUse`OieBVr>(8$lhR#gu?PUzpv>i_j9|2i1ehkN5Py54R$ z@;Bz{|Me*UIuJ&lT-IXvX=HM92)VQEB?$FZgeFYvOPeusb^c-b?czPpnCV zz08^hz#`9o@R+B1i3PhOH*q8E|8%0ylEU}?h@}+)YvTVDb>ER-cO?9O!}EVc?f(fA zU*aVF-|+nZ7M}4-!=JR2Q^EyE_(BOHl9!iJY8*`SwA+79mwwT+WPo)Q@;_#()(o^f zD7h*(-S1YU)@a1nQ-Hlr&M{}&zmDqKJD1!~#PV6L>~|+ddgl(j5l~7JI{n7Q`PA@@ z<+}vM{RqtwZ?uXTp zJ>_A}O!FA(yHyPfpGUsCy5^lD9>F&@4qIyGbERfc{;03sB`Sw zyDtzM2--4OF(~#G%d1~}%VQp~g9+3$el(4B#x(;@B_$^b*p6Bx7Xgcghio2n6 z^=lL@yBytKH9+}!Kzyv3H9Rrl)xa_MGj#`N2+eWB^iAsQsnDL^Lo8Ht+KY8b(5wT0 
z6@XiIxr##`3St-mEL?uPKVhAyY&^dwVC3Q5P~Z=g{AeB#-Vmjp%5HiOOl23rp2xh= zA*xvTav0XZRljC7Nd{C&Opc@+;P#PxC=dfwSqXrkKb9bEp!|x7jYVz)ucUUUji1Z2 z>)DhTV>mhGV!_00X!p|xRgzItW27*RGWP8ovgT%J7<$!6c2-3r;(CMDMjYtu*;7y7 z7zr=)Y@=o27@Xl%Qwd_zMjEG`UA%bSdC>E2cN_UBweWkRSs`_h59Dr2rmU*e_8yee^uSmqXUjf@ySG}S zndG5byZ$Vme!uzlDt3iy9do&3q?FNkBHrG8HO+NO_$skuo>2=DC$jBXkrK`yM;VSn zOv=iux3;@S`CQ5i(^Us#fH+Khbpb<3Zy{m$^WT5&ZjY#c)cN`Zwy*($!@M$WDG9gV zrOLgq+Sb=Qz9L;Q>Aj{{BxZhN6ff{p+cyi%9&$>roFnR|&~VCl zDCQG=lPNIqNn}^-t%=EqA#bBrMc4EXho$&p#&3#O?pI~ea7VCQaeOrh5tT?Q%fCD^ zn61wHW4N3(rGcESea#) z96$fQ``!Uma5~pK<~rnscGS@2dYkNnbz?Tb+TiOh!}&3Sc7r>!t$S2w5s-J(aJcHt zd#m}49l~C^5w|*+8mPD-k+yBZWRPIQ=|qm zS}`g;Gd7Q%yG)%GB=8arnp9m6K>}7M(YG-It|XI`eBt5X}%H zS0AEJw>YNbw;%N_>s{lr`S@brVvsL(vu4U(G`M zdH2_tD0^*K)1*c;tm5Xjd$pxRy&sgQ%T$GA3Ku3X+twV(;fZz3v%OXIQWV!nI9y>O zQ79%5vsP;fbHx4jYz3e56r2tvFl5o_kg%U+4H4CSo+mvpZOY$mc+ncs+)*_wo~{0) za-$o9VLTkc9#)~~ophYQ6%!bCAN6G15#P80cY1W(@ZKQq{2oyXaJ!(TBPEl(dRt7F z@?F$QN#pk#A^YZ)&2RkVv-Hk2TCJrlPlHaP?&Hg_TeaJ#6hoYM?P?Ot-5`3q;3COs0+aVvVnsgQMni zxlGGN$1Cog&gJlCXmk!MSSuhBxRoPf=8BSvC?Q)nGm!$&_o7#PxkG_OJ$vpNJ4&?X zy+U?`xQ}+NpS}3}?UpsiWM_tYIKd_=JSWUEGmY z2Rd7$F^678d7hOBBpS@ItbfCu_dHiOvg@k)N(Fk4*XZZ4VUMuRfE5ZS$kEtumOA>0 za)JOeuU(4}A{^vG!G*gO{Q@T9)%69%y@;BnzmK-6m67BX-xkO}nU4!Etkr&zgl@GS zeI)6-IJ0l18nqg|bT6v=$N6;~z%U{XWLWS>m|Be`(pJ5$4gXB?NJmXW>oiT>^ zsXVL@;TiTLh$#0WMN{21)h%{Vq)Ut zjwLKD(0)2&@FfsRunuT^1_#U3M9XlSP1a}3XS|u*cIQ83>beKU%E?vTo&(QbdDs{o z>df!26Y>O-lmnt&+ngfFZ3tUcvQz|0! 
z&OGvgCaeQQftv_MnNly<5M9$Jw;~9kWDa7i8g0u7ha3e&La+CvcCjwuaRM=s6Ds6O z4~>w2qw+b4`veji%L4WQyhLPUh6HuEnoMnm|?JVD93i?s4MOb>Mi4&_Gv!+M6A%vO7l zofZqVsWWAmu^ZLaS-hzdqCVN6#uU@-IJqkkm$z^C687rV)!J?PmIURRmAQ)94B_?@ z>GFUr>7__bC+fZ3u9GDRD%xzCJ6S=HBU?Bt`+1O=X1nwT;GB=edvH;# z8sSQu3=9)W>6Sv}rxOzi%DESDP=`03PjLDaq1%A>HxJID8KLGsglKFd-P{GiR}X zVj50@X` zUk;=rj-^}(@-nS@yLV(YdSuM;+Z^T${|N0W5*y@fu}dy0Nv-9*C6qIoz#59AV#=bn zqC+Pz+xfeA`Qt;8{YL;iUwRmVl@bTfFmUy8_hP905oLkt00^vky$HPhpT z?P_LkBT$MX2agrPgCk#a?;~6JhjuCM@8ut8G2rRGcGIeTTh+|SFl;@2-@7?FeU+%Q z%ZrX)flH6+P}Z28!O>jHUL<=BE6$#@_)p{13{WTPPnm`5FWs!Uq%tvnzo|$#il!?b z6mXOYOvJDgmgzR6eiCz-YxO=89T80Rd4Duo5BqCC$Duv&j$nG=i+B63tBGdinINW! z0NIMG?v7P~ZO2aQuI5s>XTKOdM>}dc$l6cx?zw#>BVnP-b#&soEq4}_UFyJYfA%;u z@ny7XL)RuW-D7&##NI#2(UHWa+TIC^G>Xzw>(TAE;`C0$C3S9TOD5z#kTi9aVhd%S z0a2MKZXwX5+2yq@R)5+RePpM>hbb}#r9Ukd2KoF4^>;W;vFnUt-7D#LQ*M~q1|3&z zE?2osT?%g_qy}CuQ#w>2cCh#Qy_AjtD5RO(dW6+5?cH8R9Lx=quGK z;p&t3T&{j=C1E70>tzYT)vrH)!5s3#JgDE|g9U4PQ+knY>Sw)}5~N3n&QNw3cLJ1l_lQ#skqne7 zrYz>=LpYe-`|XBy7#dYg4UMnR7v0Ez!WUzXP~V$qaN=$5XcDOK8$9$xzx(u;S-4w zC|oKJYT`(5HRfnB#y=)i>FNj>hRbF?x_$xz`Yw(93f)<=??I1o^@f&MjT*{u z@C*Hj-XAeIsD&Je_0|t$vKk0m%S{{S5MOln$zBqxT69`5aD00OTX&5dykD0w2J#xVvi$O$j_cON3`WDiCj78MQrm3(iJbM?zH;{UZK z1zetMcmKFPFy`A+(#ea9;TqJx4c)6<6Ic=q8GtzsYq&d#2gE4}{kTFv3}mF+WEcLJ zz?ST>;SfTwYg})Ibo)^k;DHgS8%qreiyfQ~RAjuH!UCr#hyE1g`1Yy4iaL*MfZBM_ zreLCt1QAH|j>?UHi@3TT=0_SiD|@+7*td2mY>Bt6Ul!ZKu#5w(NI;?Fa{0cin z`T_c*me5z_Q-Htdk8jG)8;sd|(xz|-uQCYBzs@svn^Qf`H?{^{dlxdM1anTPw312n z<7UM0ue)`VntWOotyRF&uU3?tRtkAZOfB>Y_h1#^} zDm~gjsa|oJh=_7yEp6raDh$)K5mOy+DMS6_;|81?9Vek+$t=SymEToXzs9nCRV=c* zy%f07hylNZo0I)ZgdFO?`9+^KO}|kT*VXXVVWARVH3QmV!^jDme=Jpjw8ps*10|RT zaIKd#7>+@mZ-`N7MJ4Yve%zYWxygPTXC6tPXxQ1^hkm5;^pER%dASCu#h!ufJu}a^ zWPgTD<|)N6*1k>--Db~)p(@`@K*#+bu>WxOg3|1i?|6mqSRnC>VWuP0>uNU?#bhS> zuR$b~Uf&G)`1UA>uCyEAy}?u?0x9L8a7W5w^Id@7s@RVyGnJkf=zIOL4^Eg42DdYM zts=eXD7`Nw)!D^-sS`u?5%I+D-(!#u7M&}*zkHr$^eDajsSyWv7Do(h5E7dQ4Yw~Hl5rIY|omIJPlA~HwvMO$msk%!l 
zdh`xR5qm4>w$qCch)Lw{#Yv6y#6->3&Mr>|&S0u-yD&C+XrChuvX&*W9!Z>iO2=W< z!ywlRPDEP{;pfDwCk>`~FXGEXj&$_8r$fdlM~eEMAB9!zM-^>u+j0aDdILy?9(jr= z7DU#GEF}bl!APr!k+d83(PeslpDB6v%zN5$KY>({N36W&zkL(~&+U{qns2uk`9dN+ zuv!mBx8_bxd0-2ULHg)6Rhlv#)Q{RC`c$#FEog$?x8i$te>&Ir^ozOZ#7p;-*Gi!{ zqnI1qVaX4V;wMp|$VHT3uD(5IqmE9PbYlK`MCVm@X=#-d#T0FfE1VizMMRg#L(EW* zm5Gbx>YeY6A-{(17iDb=5w=SGa3a$|N}34`w{oh@H?I(}{V7S@GIy>m6fEjZ+mzcD zDNzA*f7hLL7R*D@Ewm)DkUw5;J?{fY?-_IEekt=Kw<4clu&+oA-gktmT)tv%i+m*uy zr6tI^cU|kmUqfoUe82QDqW={#II6aFS9_Tb8!d`bGGL;i($#nJ7Rheh^=zh{$q9Wk z-RkqTc~ri_@}oFV+OUQh}kT?7<) zp>39!qG=Nxc@c=Y6#aIN#Iv83y*#h+^ ze01{jPvVyrd`?+JW{b3D{7<#|=C`Gk*yV>Qnf0IPZ@XQCHAQD^8~3M zJ$cCo^cqwolZ(WOlNAvAl5(n>Mn796a*+u>YxSkv3j`ZtGBmw{aqW8o*sPVw1r|gv zY^YD1Z^z~U)WCw30o&BAOf>R=CfHhZ4qJ8)v1ZbiUeN5LhYG$+S-$CQZYNEQ^94U<)Ih3%-G7jX%aV?SC7$WXK~xf@J;(qf+H z8x;EF=dbjB9TT}#AgY(N2}QT)vz{RfeFedL+!*8fI0nJU{iE-s+&Fq>54_sVSa07v zm|VWf{UThILVs5i?x}y?D8D zLMHP!Z1eAFKIO9?sd8QhU3;l^YXxuNBgP``>rGH_^@s_n^JA-xtd-t>Saqh(TmoRT zXC6`KZWQ;9eC%m(8p&m%V?9gk7(Xjl)ISouG$DvQ1A+#<&<+HcLmtJ!0s_hJxUFY@ zxN7(Pet#fxzs7r~FK5&QaOz+(8Qni(brph?y@BS3we?pKV1BONc!Vh7J1)Xc7z*zf zo2nVFQKneyvw2eDLs47tH1w|~8lqf%qpIN+Z`TVzs)Ix%2Fk6*^dyM6r<%#F*-d@5 z)1A9%!~kj#wwk7!`>l?68?c?8qxXf`VowWfNkXiJ?d%U4Ubh$N`HJB~yz()aG}^v& za1^+?e1(sDrSg5_D$(O=3ECV>?SHe{w()6@f{@)tfn`#aLjF3Zy}IASO5E_WZH90s z-6s-yiDH&QGvGVSJ0V}K$SvB*w7Hkm>5^Hk;w4r2EYK??iGWBFkATzv(pS4WO6aV- zVW{jRk>+uRj9kSCs%@ra77N~yD7sAi95%ogGl;&a{h9}zx0=apTQ z%AOttFeV=nElINg8rl*rJ-npl*}^B9O_lFc&}`dr3qv4mah zFt&i3(Y4SOB#dQH;trO$7g6uT1minWGL&(&=%|}-(EEq7$s>uQ%pucuN2wLyzz60D zSej)b&{K|@4fyag$|GBNp%S=A>7HPVOCRD9R)!N$9%3~*>HM!{U=GF9Ld$#@xp>z$ z_O-LJNUW`J0F1%rEeRR>b;UQS4l3GKT(GZgL(Zbt?UmX8*L;* z^H=Wh-}Lf6&xZ!7pFqL+XX<)W=wc}5fn>OdhGQmM-%;bjjd9+ga(W@VbFooSyk-ho zdzG97o~6#nTY5F%=hKJJq~d{jSZSDX4xgvp`W_pRg<~;L3|UeYLyl;|YY4zky`C!) 
zRKa}}q0iPIW+7%Bq}A6c8oh});2-@e5KFd+XbOh2J`k0v`jf?KRWZ1Cu*Kfy=)y(D zly7U%M+TW34}xFNt8JKnkYhdZqbX7`?D!yNcBO|!4GrXCXD_HrJq46iFW{k*v#2~O z4JV0{Me4Sx{7Va9uljVhE@uUlcr4K2C1vodeQRAO%Z}Wg^%UR83D20NwfJ|hUrQAC z*^0rJ2&m?xm(-oqj|r#%yMK&J$UqEqZ%AuhDu#ygh~D?T-=hRWNs7|GWyO~XX+`^*nGPO z5gppsaiUKs=Hv=o1YmEg{Xt5=)FP{~h#Cn9xnNMSr$Jq+Zko2+6C%;eMsoYnE z36r%9MNV%(v!`0AP-yg~DnBJLqvpwS?<8ypkerV7zRhxNFW4f z@S<$R(Ppzd_=#@~S1LmMOZ^I7zLKxg4RO^n#011NIx$N2_TpbA%~2{>myZq)t4XK3 zfkZdX5_E}w)B9c`)BaSm@N|CGRd7vkizS*zG$pX)myoolOItTE`((}BPsQ|=TZh#9 z+@widSMEwLGyW%&PvgLtORM718uYSG>vm!RkhfD}!!*aU(X`pvzWwu)4Lb2v&91&0 zGFoOka+zy1li+Pc-@FXd+kZ4r_tT#)Au~1@2DXZwa!U<2Lrfo9VGYzBAh|7?f!&w) zs)y@6TPvWBAYGw$=fDIsOL%m0E;sQEuYR%G*onGrp+CXRK`_&%wO`!wd1ctt0Zx)N zd{w~2gAR!ZFBnRBRArbO-VssF-p9MY;bZwU)zkk&vz_s1d+A(@fHg6a|gNz?Q9Pyfn&!gk@Tqxm5^LyDT z`wO^0i?@)z`@}MRCANsG-w*S@XDNQZ2+zq- z<`VWeGCy#-NS3f#XdFxyptSX&WWDXnfKx&ZsC6vR3(ZohP4UjRbv_e7J$jBQn$GPn zrQ6ygZ71H^p|D&mJ@# zMh^cIC@pMF_aZ>;CN<{x)YF_zHt>r>gg{y3AaS-n(Y*s_?+6VWE;=_db%34pphS$E z$~d2YA-2p2O;mn|!yx+A_tX(Ij4)=|FD2BaTaXsS2!f$2?l*Dk8e_p+*y$*{ zQo!e^v*J6{B}V=FxD)4|^{+P$tCRSEk(vpO)Yy+U4b(&HH8LGaK#U3kU0j#|nqfrL z&P|hvoRQ1#Z|3|S<(C&W*(c#=nTHUkdx9L8tX|3IBiNjMa4|c%??IjwkxmbcW(~!W zw=W$L*fSq#>$Q1S^m+=T6M<>oB>pqQ_mn&vH^i8ro6#>h!-ffqm9Fl+0x=u(t*qrrJ0m3?C+lhYaov7)O66i_PHv2y@^g5FA#+E5Mj#{PP zCmc86WglMa6ekpAO8!o7cHQHHeUd1+!NO?pIlzB{zbflxv42WjTGngPjh(mH=O0!0 zac-WXeivOUUw9fk%wGd8L|qzgyx*W2AVhxHSz!tooxk8GePGYU*lp``F94rxJ7;e= zq+1OVg(RAG|LO8NivFH5;mwW3POnc{#`I{Aqh zqK-*@SLuVO$$H=Hh{aft$n{`9SWT=wjFoLMWXNT`QCpG|wu%~&La1?TSQJiqd5Nl@ zhKdIkAB<}is2x_T*K!QaQsR2w*JEO8#TrIIIJ7b0HDw*!O`AJsq`H_DVP3uS^gTwi zr{vGn8}?`Fm0V6O;?UD#+AzAQs?Wny*s#a;IF5dgEU+Nnl+4sA7No)$;U9Lt1`HpuV46RCeK^W9lHu zAYqH-PxoDdHhDlwe}w^OQ(BK6=cdBpuGR2$O~IHH!jp1m<1=@@TpYDQgAnO{lbR=l3ne(3 zudTR%0G6eJh8@~;eZK{SJ-HKpk-zmJi&GI1tk5zh{m`+`dd{{BYvJMSuc6j)N}jmvTg^TZ`I*o^eD_{|A|nHZT?u3W{N0Mtj#ZI9tEZyN?l|;fiQO# z0CQU39h6`{wRr7WUE-EE^0$Hppk6BUt+3u}D-f1yH*H!hs+qS}cW?zMmSKQ{N^yqE 
z9^92$x5(@4igr7d0?lZ9ZT4Y2w{L|F(ygz}o@s(vj9O_Ke=tNsXY?@gWxOn!w$yL3 zgL0Bhk`O{4zS@2NIxi4s_lJ=|BEW^Kjk{vYxXyC6XxX`!EBH~8t`|eZmJ}!|#=tKL?T%FKh2f`LR(gf!$Jm-5d z_{%|KK1AvgdHVK+2$CmI#gO&M*z7>Njd=P9ZdL2Wy&g`2Luy%&b)o!Dl|x&~8*lvK zd-*}Z8*-_oh!e*O(VNtgvA5>sTne0@Gl2c3B^60WLF-EZ>2WSgl6^ zP`7kAk&tc?j-LcIB5D~t$`m#KeN(HE;*TJUN97eHS~SV|Mz}n$%=Vt4CoVcFZudIg z1TKZKkhFq?0HfNyiK$2+Ea|_!2W69|!Ek=Vc4i~Uh)<`f=@Y}Rlp9XIp=0>&V`2v{ zopiJD;FQCkTxP0xKUP}sXO3EGcmC~nKC{7$Sqx1Ltml!?g!ihW7l`mPm5=Q{MmnaS zGBVqOxeXZH5n+85C=^#;2qEmwVwu5SQet>c&%164`rUoU4a+S#a!&G~Y;CBeG|61M*rSHrB}Avw_Oizq3hp1> zH`!x1E0kjXK^<0~d%%2OOt^{v3P$r+t5jll9W2}>8o$`HhK2M9t9#LBcuf*^|Fm@>hW<%q>LYP|w;(N# z7QE#m(Q{TR@u@~cjKGbI&5ihJ_Z?e$#E=1;6G?bV6AZ=nK$p(s?daf9dMW&F+00h` z7M5Ik{}g>#e=Eq%U-WplOyKB9BaATL)fu3@h3w~;M5iKrWi3~oB4L+qTen*Y{^hfe z`9RRmW_r^b%eN<&Y#1xI{*XX@6^$j$nO#v{nns|rabxyPCf_;WlHH8b{2Sr?F6qG1 zjpIU47@DgXH0@+r!cBw-TVUN{R@Z%qhuya4+%m?jw6_tKy{_5Rj}a!`m*RftF5=i9 zNOvWY4Sa;Gm4y$TJ0Op_mi10OKWHs{_S=Rv8>QmXM`EJS!isy}+McpL$>?nQ+_nm< z>o+_l@j2-NwNt^lXv`(yz)(7-{!G^MUoGb`?v_n~t0#ST$DSvJRXw*bs&~C2=y(Nj zHn<9L8!Jq*(O`=>$JZQ^fTK)#I}$(~*Y$;Cg~#O2nsavnJe@21`D(zC!q=QhILhn( zC<#tj-#)q>>vRcV%uj3S8sExGFdAo+jRP_Ml+R-{OAZ^$wPZt z>YwV|@c*=T)^Am9{n{6h?vjv{MTj&4(y-_bN$FNnO1irj4bmafEnU)G(kb07xrle- z-sd^bb3E_0|AE6#lXXoPYs?&DeDBYFYxBOr1icEvK~%nkiWgCIZ9!a>mekFU3Tj;x zuVq7+oRHc*COg62vrmshh!WrLmCN=Pv~qhOP(T@P&Q%IMpU-?%C=DUA zDE58v9^78BI_J|yr_MYruMHHiiEKpJh@RMP7-;)`#Wk%f?1@8HaQf!|Rc8AD+}(6R z4z=2ZmOyL=JzvSSPA=%#;BWn$XFh8F#OA-P-VG`)ik1>Y!Va-TSUF>KWgc^rsz{`~ zY#C);mv3o<>IrBP^k}u%GdZ{ciXjrek=o;v-}fG{{^SE$2A1rigIgY`UK%wL%Qk@6 zV$rE+f_iMe(u}1Dxj(9gra7~b9&kQosmP5;S(>TdQ$5AR^EKagRx~|H^HifJ=uv!u zHUSxYqO3`U%%#9>C2S{t4w&^A*;8+SVpu$F&|OQ~bJ79#gDV?rGF^BCf7h-lRy<0&K$n&Ar-(RR1s~YA&L;z(7-^Y$NZ9HA&Md3IZl%jZYHalN&45HmIajt#Z+0dlfutgv>i!>e&~^f_9}=4!@pn-=COBx;g6oN@g2%)ObPE{HnG$NLb|M_*QpzJE#-y z>@C&(mQh!GMyEyU&k=!cJ7u1+rLUXx@bX=m#hgLTTf&F2U_^MD%72de z+&heP)LP!&_^vnyI5W3>^!QCLvE#>0+Lqjv&gWGPemb}nIy|Fy%|NZEanxhb;cQs) 
zur{?2$upZWVKaCl?t%XihM90xPu`ze8S~9Xk<22Z3}6r4$+K(=3|SP*LXVmowAvlN zzc0aw3D>!N=@241i1gMc=~D8I07D=(hXaK=OgI{gcW#LG0|!sE=tYUVb9P=l@^wsI z>&5~#ae}x}Ak|j)=rG&`CXj-0h>~KKD<7UruP9yHe}~In#PXKBs$+5#hU-`0o>ujH z#pb@WR7{gyOB~+Bo0Jr}MbdE^zMPHoZhAC8734o@9^Hp!i|Ny!NdJ~w!kCNDXSLlk zEZAQg(>Cxby=1wX0UTl=UPa7fzP{LS-iTUKp)jx=bEo$CBrj`$C2$NApwWCW435k< zE`6kXlN1g+PSj$c#*(f0Y?0hc((Fr?Z~A`BS$Q&rM=K?(_?D|7W%#+jwffq7r?8|$ z>E5D=M)a`ZR#V4o@=B|p)&J?H+WK87Ll%|&Jl;bSQ)KNG_o`b>3)0Ky<2ID%r`HJ~ zYSm0yt-mFCvW$IG2p3wSul$d4Z})pdIqqam6Xp|2Q}7lGLXYl>RnE^1(qAM^N=_*no_{E^*U1r5DD&h@q22s3KI< z|LBW|Fn2dT5U+`wLNG2cSScKe#v5(E?%2t6<(1>@iXn1B|-(G7>Q^4XEb5!f~ zKIZm`91#?L`tbJJC{GiQ6AlNF7)4=_XBfniu7AOOLuA)T*zxf|P8~e=+_hM-<;(Wk zC}&XIB`HCRW3~+eGclJ!$oE&V<1;0+!0;`>EyN9@>W)3hil)E&9OSMWzn!Cp2T#w( z_qsD<{vJ|!=*fPE_73Z(+ZQBfeJ#eVL(Z-EuOopX*-mX|n>XT%C3K2- zW;Lym&X=*|#?Lcso+*8}hhKoA5Q|Wj=py!L_3j|Xqi@${x+*1&)Up^quFi875$$qKCEw!jae1mSH3kT)r>GV z;F*$=Ht1>8IwS{cUo}Z$vtL^;rEgvHc`f3OlMA`&;$2$k$?+VoQ~C)B$UAuqsNKxC z-{$ad>cl*Krb}i6Vd1t~jleVCcm9ze!s(8I7wr{a&dcIJ@l}HLOVR+DZT{_lo7!= z(%qzWC_0kfj@|4_g^{Qs*;GH~xGZb?+7`JoXA5)dh#agUjjsEL6hQgUXeuIg5t#gA zM5Z)ZvHsmD_iL&5<%odt{w{{FMn$>!BB9Wu7-0M|Kf)sUTzzdM9*msFOloN8Gxo$G zRKn)jx!`?n2|jL*YU7`tYW|!%Z2*e{?vtz=<>|YdIu29Ojdr{WpN@D79N-~OWexjiVw|>ilOdJ$yDOZ3gIsiR zLaLLw>j6Yn-I2cm#LnzXmq2`1zQg~IuLTGqudhbTJD$>O^N)NP2$CkWV|ZySNK^Zd z%p62$3_#(OUdI&&|07yR1MJC)JK-Yxk2G2~c4kG+dpb?*e}d84WC6I(h$jCm=^uL~ zMkQnLY#zQCUB!f8FgBj8U2?cYD4BL_1&1nePDxl8#tfP4u5yXTg2sKaqF&X#VLE z`M(SF|1QvfxIKUiG@jj7k<8v2>wSI(OU9K()JtX=o1+LWj^yFe&|mSIE%ALVHXZ|z zS*vN!s`o1Z%XNEgI(u3^aCpq@n3Rx!eAXVOy6NLJk^D8IVA!sDr)24Uhf>u6r{89T z7Fr5CYPXz%LjBHmG0T=7-$;0PCxz^hqS!KYjeLi7NDg;15_pq@J(PU@^jM~Da2@oq$|* z`na8QV0J1!g z7-skj)5}t}XeW0~Etzrojb&+L%k1sx^w5X-tF9z;F{#lxHtYBqokdUaK*NtI%%S0z z2a{Z13ZW0WiPJMM@Eg#}Lk_p*ugeUUFX=`*VeNv0tah z`3#2nEdmM%x;6lJi)8Y2cENh|wX4j##z9xMJRKqeoqZRAA$G583lF<*3bX7jmxVrA z$|jb@gAR^~DPFf#!wY~W$mOCw&eoxs+VCU4QNVY{bRe6_%IA7I=i4mjNbk)KkWN!t zMZ|s5DLmcHo;kC{Rnr%|!(YzMM%+nnbNeBz04fr@!(;G;!(T;E+u}2mO;|jRn>S%O 
zuY$)UG4kh;6tlwgQ!e@_OKwYq%UuqQ&;1kj=!gZb+1&tBxEyzx_ncOI>9z3<#x5RQ z1e&-+|Ar>-Loan7M=UyS-rp!7yAanzudzQ(GD&84s*i{37jzGVZd`SGHMP&KF4IMK z_U6Sw)m*v7ZrYwSf4n0!E|GH|#u>-1)l}u)i69m}%mlf~$;sVd+T7`CrL?q&4kg=9 zdTxwj*f-IwE?1d7yt9HzCkMDbn#TY+U15zc8Yac669*5-W+O zo#b3^_DuJ?ERP#c?rrC@l!dmVgl_aatd)7EF!_PY`gX{iIFAJXlfX;Y z>fedY*scl0aBqb!A?R3rnll)6-+NvZ8yMMgZ+AA+YSH;d$shy!kiD(8xDgXWhrWL@Spta@I)G~Kybf5NUJM)(rr|Zun zA^j^-O4Lg>CU(stG`Ql9&a#>N#}{yK(QxRvPN#$|=#t)(apAve=erQEA$?7?s)}qA zT4+`zcTV*!&yt1bKHr)7;t{;FCFvctzRQE|6_sS=$R6>_mY7;JrG<*pmK>rHdOo zBTg{7IGT@V;9)|LBjnL%D0l{!J;lYOn+`yi!Dy@@E}r$9 zfg8xdAvUp+0-U$z%$H?J%z#_7Cjk2ti`BBdt$g`w!;t3IFxSIbgHn}*;jQ3>bA+>o zs4mXX>cI(oGCBsPU@!1+_$;`%2)GZasK|zX9fi2;?f_aVWzNE(r2oR!bU)%w?QQ>s ztvLhOT8W>Xp#A@Xt$8Bg{f(`Km`TSvQ%*@c3!}qvFr`Os@Q+dCV;|+L93Twk%Kjq6 zK2jqDX%i)|!uYIEY6a8PHbLv9!-MfpZ%dkMm*UVt49;xBJPH~nKONcVNBBu zlXr1#UQuSY0eK?SULjbErP(4)xAA5*4RZ&DtSATAp?|iG??NuvFNC=dt(QNpQ zC!A{4y161TMWRre*#4&8Uh5Zbkij4W1#e9)?uS3ehE1kOAWxXG#k0Gg&>PveVCX2&=CTE%SWI5h@mauS1koP^&(>n+b$o3L<@t%kY$H1>poY5WaN7|Wp7 z4AHbkXG7v>;1H9T$8sr|PLMr-z)>yabSV^Zy)7C0oV@+T5_I1v71I}A_H(S?dB>dh%OuQ>ib#;x_R`lW(&AKH zNRsS|0PB+UMnF)hE^^wW(d9L+sX77*9`z&Nv^g}YgWZ6L@=foyl6wcLS zQ01_{P;?-Ryq2%RWJrma-LkwC}q;p>}ulGvFB zEkAWuh#6^U`ekclu^e`;2hig>Sy1qF3+SE;YM7JXSvO5{~Se)5e5< zl>7FkKT&DNtX5agG%>Yyf!K=0{x$jK?=O?5nuF-q7u0;KQz{-;z^>lZSI}$uRk~hGuiGe@5Fe;*XHE8nrs1 zwqt8nz*{_!k3`^G9xYqG)@^iAj++DskSrsl156hLZ*m&)Hp$ZiTmt!58A_=-rAHg2 zV@2^C8kRh%9McHxf~qq2XwHsk183zY=BfHB?5Ae$>s~o~qOx>e z80nWdOLUz%cSfO(VD2O4h(7>!Zl*3|Iej9lUtolr>pN*I6LSwBb(F^ao|<#KUr5w| zr7sN_^*`sv#i&oG8YNL4(Ar#0?+JVn#?uO$O@bGYMx!R;5K|Z9_n3 zqLJ{oC9O;O90E;Zad20WSQ3h|f{a<@nZJ5?=sto?wn!1tPECH+VbRGVAc|2k87MpN6`5QFKmEw>ET>d|EfG z@}mQ_+y=-uM%{~`x!%^Fc6B6xVgtCSN^5`K4t{Mc5$<9P8rkIr?lfo8`j$0!jt?A7 z%!e_@__MjfzzrciXifN$0_g`Vyq3;lE};vJCHTS;dJ)QM{74TK|E7ofADnwsIwWiE z9PhZIw5^t!;z2fYNN8d}*}7EE%InB!^yb11iQWIFaHIZ&J$#nyM>NUiRNBrry@S-Mt^Jdo`o>XQVdoT1VJ&nHBYr^fKJyYFKl10fka! zoJaK0%;6`(Ut}J|-A#Q&GAzFU*r>M(JYZdEYYcKbyr$pt$=YLQ6zMmeBj3~4cU~

ykBgI;%I<~Znu(9^&y4Svwj3BzwSFxz&`%2tZr@psdY8$1_7-&ey3z;`m zLF+STAdJ2MV}%wPy4dPY-hd_+@|&Iuo8!hJLoBtMSMCX#aN(b{3sUAH?1~`a(R)(4d`7PuC6Pdwz!qJi+B&1|*?8tE<(>a}vL+A4w|6tDFGEMdA= z7WqpiPWMoZ0}s=@)$_aFplFyZ$OLrFR0#|il6Sy@cbY&|7*s|* z`Dx#gqp;(xYRIbl>{s|cxJHqvYj!_YYJt4X;G|TlbBcWzSM0OeK$~l`2l|ovxzx#zfr+dV-@qX2X@MO�k;c@148{bBHp%Ub++K7Be`ioJyHtpaH zIVsA%8WmhjutH|W0+lS@AK+{j^E)m)8X!wtQUA;1T&<+Ed}U&bcJ-F^Gr@v5Y9t*sT@j<#Zo_`2g9QE5A(Aq>4kT>)|1%rfZU-Q8u99 zd!%H+vkUkiec25IUzKPFSSYSSX#+W$erhWLgRqhWk|*^bAdbPc9DSNDw}kOjxm*wD z0gGOy!(_*mPyvN%4;AOa+CT^&wl(RO+XaePLddO~5SaG`34Rk759s#A)bzla?iX-6 zZ~Q|Eo6+jIxBoi&bZwH73yrz&nR5#U2%k&S?sa^Gq@bxY2}W3=d4_Diw@MhTS`~ZW z)4o1cOCln+Nw(-5u-!>`XzhNI|E7Nh>=G%*L-3MRF>SB~mXylR&7Y$@1Jsz9!#3dV zgvIna2?z4#{?{4I-PmS0!H2O$&F{n$9~}&s{#@;z(gB8pGca+2P_ZyVUbS~!NyAKz z*do{HK1yrPS4p#014o4O3)OW)K1U^|*x*nh87B{}i(-UFbnzOp_tpCFAs2}yKPd~t z5>BE=ij(t7(1gqyH~ViP)jVvJ?QBd1D`Og{)ZkDfhBKA&UAlkMqz@#)_rGlaF92ji zB<9zzEv{T}@1vv0hj=WahZy5*tyXR}P}VSj)mFnGTdM;8O0~AgWW0*OtM1sQ2;!*K z&{8*I%X`GmdVv41(83MhdZo900SwF6odu@hOs)UhsJ#Z@o)bzUwf8(8uapg*VTam) zTEIG<^`Ad@1gQFh=*So#dr2Y1Q{Q@*-Y1zUW$dVn$MGq9kpH9l!TQHH-bZV8& zD8faVEgkj`oP6n!;@{#%zbTBs90VA*|EjQgeyrUEg6SP0cSBhjFyA*`ZBm&Sf#Nzdj+VA3RTgFC1Rr`O(xnom&092AEiPP%p~z{;d6*%4yA z(VMYCgGf#=(t`nzax`yr{ni`p;Ir}`$&jqP!Y-;x%_fEDd~JAyvb zgkrs(*M=sCKUgd_jDWws)C&rxEoJ9eTp$p{7wMnII4Tc}!R(cF?j7*aC7t=oA1#F2 zU-rmMC@sv!D{p6ENIJcUlhLNcEJFvp>6I`{G)=7x>=s=Y8y?E|T=dO+E1ElOfpEf8!VEWH~qps8)Vg)#`g_FN>fb|Evs^AL1t6SU51I zvGZX)LhNA-O0X)|4NfqGEDvjYWkm?z zQZUo<39+fgnNYXuS}_S8X6cLPlYttCK&3u8VyEtC=wGO;tV8i8(y~R9O7nfqdCuc1 zo2{LR2iXGc*c17n+TXZ$CO*wO9nIz}QwVc3y@S~Q%PId`qh?H!Cdx>fvNRn#$GiGz zj=9=1jInbKNi72ExSAOP;`@w^Y9x7eT2XqVvV=j%`syMs)oWec`t+rRQid812*oOn01jFFbd z!SM#qA+T1zZtizfV}4?48FQ?}uNTs!DghV^eOv8ADsZpp2PlJ6GqipXx--8};Y0H0 zeD5O`aey;G7TClmB>Tzj1nb5q%0Rtt(hQcSb6Q(gEfGh}sq5v0Zrq_34eoo@xvD5di#nOe06zuE>jHQq$lHsN=nT>W*bRV14$ z@Yf=``u#TiHyc9_!Fto1RbA#^q@<)!;;Ph67S~IjIlnppsXXyGhyIu4|4xk| 
zlL&O?5gjp-eBR)yJf-X*u%cnJU^vtE@yqIF+qmO(!tax7!kc%*{vnvK-lzELzq>VOkgcGYg2mm2&9n1-aK-swv6LVARH z`ai8=pGT%4Sl-94fgB_mai-)&z&DIP3>Nk%e|*Yt1g02TI@ZsBxq>y9TaY&P+@erQ zxaO~~OP#o{4&T1#{wQ$F9u0#@dHvdWvZR&^bOd)ipT17tLi+K0|H9v~vlkKK<-x7LpOM4M; z+4r+_>`kQ$*Sb>9NBFb1Ltg|NRTk8NXLh*~u)3AhD7G=d}!rw9K zp(E#;Qd0Mi;x&Y-c}nwrq2}JLti4G>15}rL5xWz1W6t$|iL=?R{9r`qKSp%s1O@f0 zPFEAtsp|iHb5f_uDT|Ev;~fTjI=LL7As=Rj8XA;pod9p^ce28`JCLlf@C>3tfRO#4 z+Uz*^sk@z01m2YA71x-&xj#}}YCs}G6iApg@u2wSPbrisPsuz`jS|@0{)#==>8B{! zEU_VCBfr+qeeLRKvQa%_o>rfbHHamSj!^OFPOGk4$)I_Tic=_x3rDN&>e+Vg@89nh z1}+ee6Vr=#-l9JaR|=>sMb){v(8_ady}AY@?7g)L+H@{Y*eNnA8CA z6U^XiU_>E3Yr_QR&Lpnaxi@&>u|GmQ27~gUG+yIg?_rnN0*zn4)!IIL zeQPJ0XyH-E-D3AXNVPDhBqPCiXk?)7-!l?iXn>4_3rYt{AS1!-=kJUJgY~~M5+ou> zTc(X`YD{*GmN_%!!#N1O^zqs~2uGOWgFtBO2{wc^mn#9o`)-Trz+reKJ8$a*M!eOO zIy)e6->ZnoBwKGC`=KnlW~{A`V(xBEGS=Q8CF)Bv!sp!q=Nj$Dhzg;*54l@11u!SW z7bzyW=u&!Z=SQiJn6HLrm;k3E=TEXkDh%|w4sjz<6a73_xmV<^P_+b{eVz@(bSzJ?A@xoR@FFO2-M}{u)cN4aO{^!Ouj%i z_%x~Tu7py4@B2BX-(-QH21Hg`Fpdz>m2_MA^1JeU&cGgMBx3KI|NT`X$d_MiS2Zfh zfQURG*aisEF=FTzJHys*PLE|;to%zDeUb+VqX7#c>~^koGJNH-bgk{m8IKkFTOFqm zQ};EpyP{>$P{qX~Po>OVe&UtrIcfr!bpfT{Y*dw{rm>j>T{f4DyO*;=rr_e)G2`>r z7JY~=PHete2zU?>GnN0l>QGGH9Sw zwpGFh)%kl{R0u5AdGXtph6y91f;II-jjcx-8EaSd!~?-WrjCiQLlqoTu_q9~^a^`i zX$cog90j>2sH;3TFp`+{_4nQ8!Vs)km7Ku#*Dc>?^(_Duf}vI%8?!JFcDkU~;Oj70WBu|4 zdKy;VH?eKbzM8AY#6Am5-Q_Y&HUlcvxqI$V!UOH5_Y0dbeYyDz)zQ6+z6}No9fRkF zQh*41FKKoc7$47GM3rIggekVPT;`9uu5Fbwc_3B|5w)1VeDVa2NlH{$#kl+06$h}0 z{58fbololQ{C->LQu~oHAL`t4ChvgQw^tNdzLgjFw#c`+&W%)0BQi|A6le+ceU(mI z!iYP?65y`h_3SUXa0ZNXOPdT{EZM}B+P?ju8hPAJP6|ef)C#Yrz)R%bSLksM_%P|f zH)GmxC1e`4mIN5?DSM+(1MwP4r=IOVs!zyk2*X9YF3BHbSTbi&)|czTPn1rulJSl{ zv$=Hp!GJAH1}L+kwtr4+gkS@(lFqv$!SbQdK|Yvu0%3WKAzB#fJULM&1M>t#8jFWp zA01OS+H}ETjKIh*>eX`dGwf%%rs}Anvo=+GgEPc9bm%akw)>j(VIXn~;dytNpn>;- zXgi_D-{M@azr?wfi8%7!BitSO>I6!kk|c@KR#zXTDXU*O_7bo^Xch4UKTw@Ao|aaHRhhbmrF}Sfe^mRdvFtQ5psDeop~XDQ zD0tij5zS{y8TKg>7KPC7wt)>rN*G>VdX;@CISwzhg^-q|Ys{@iC=&Q!47Pas%8u~B 
zt{TD3SzDGI`{yp5g#JuJJiD|4C5xs{DzBaAoNN$ci3;9gDa6H=vsS(#r0smZd)ye2 zdrjdIBk2T|SODnYzqLju)n+ImHA*J(*!tNk#iDOiIa`gm-Agyxk_yoUX9Us$tyP@t z|M54#S8e-+q_Llr{*Dm&KmXl-_kzXSdoU7aR2%%eTbnvR&o}CiUY6QeU3!$_BL7== tfA@P03(K1YL-i8$ucPokHl%T{;NiyIQ?5{_IiCPOQeyI=rC@#E{|BIKu4@1Q literal 0 HcmV?d00001 diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md index f5d06629a..91d6d3a07 100644 --- a/src/courses/delta/02.md +++ b/src/courses/delta/02.md @@ -15,6 +15,8 @@ To conduct the delta process, the following are needed: ::: note Using Generated Profile Stubs Although not a requirement, it is recommended to use a generated profile stub from the `saf generate inspec_profile` command to use as a skeleton profile based on the XCCDF benchmark guidance (STIG or CIS). This ensures consistency across profiles. + +For more information on this command, refer to the documentation for [`inspec_profile`](https://saf-cli.mitre.org/#inspec-profile) ::: The [Delta CLI Tools section](./03.md#31-cli-tools) covers specific requirements for both the `delta` and `update_controls4delta` commands. diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md index e3ad674e3..29f377319 100644 --- a/src/courses/delta/03.md +++ b/src/courses/delta/03.md @@ -53,16 +53,19 @@ If there is no way to trace controls in baseline X to its corresponding controls The `delta` process extends the capabilities of the `update_controls4delta` process by providing the following functionalities: 1. Creates new controls found in updated guidances -3. Fuzzy matching capability (optional) +2. Fuzzy matching capability (optional) a - Maps controls based on similarity and not control IDs b - For controls which a match is found, the describe block (code) within the old control is mapped over to the new control 3. Detailed logging a - report file (.md), mapping statistics (CliProcessOutput.log) +
You can invoke the command as such: ``` saf generate delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -o new_baseline_Y_controls_directory -M -c baseline_X_controls_directory ``` +
+ ::: tip Optional Fuzzy Matching Flags The `-M` and `-c` flags can be removed if not using fuzzy matching feature. ::: @@ -76,6 +79,7 @@ For more information on these commands, refer to the following documentation: - [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options) - [saf generate delta](https://saf-cli.mitre.org/#delta) +
::: warning Delta Process Limitations This process has been tested using DISA XCCDF STIG Benchmark Guidances only. diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index 0e29398fa..6fe9d4e17 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md 
@@ -6,12 +6,37 @@ author: Daniel Medina, George Dias --- ## 5.1 Logging Capabilities of Delta -### 5.1.1 Report Markdown File (.md) -Specified by the report flag (`-r`) +### 5.1.1 CLIProcessOutput.log + +A detailed log of the output of the command execution with additional information and metadata. + +[Example Log File Output](../../assets/downloads/CliProcessOutput.log) ### 5.1.2 delta.json -### 5.1.3 CLIProcessOutput.log +Automatically generated and outputted to the same directory as the outputted profile controls, this JSON file summarizes the results of the delta process. + +Results are summarized at the top of the report according to the type of change: +1. addedControlIDs: A list of new controls added to the profile +2. removedControlIDs: A list of controls removed from the profile +3. renamedControlIDs: A list of controls that had their IDs change +4. changedControlIDs: A list of controls with changes to the metadata + +Details of the changes are given afterwards as follows: + +1. addedControls: The contents of each control that was added to the profile +2. changedControls: The parts of each control that were modified / replaced during the command execution + +[Example delta.json file](../../assets/downloads/delta.json) + +### 5.1.3 Report Markdown File (.md) + +Specified by the report flag (`-r`), generates a markdown formatted report of the same information found in the delta.json file. + +[Example Report Markdown File](../../assets/downloads/report.md) + + +## 5.2 Logging Capabilities of Update Controls -Outputted to the directory where the delta process is being executed. \ No newline at end of file +![Example Output from update_controls4delta](../../assets/img/update_controls4delta_output.png) \ No newline at end of file diff --git a/src/courses/delta/06.md b/src/courses/delta/06.md index 92e1baf55..077b08f6e 100644 --- a/src/courses/delta/06.md +++ b/src/courses/delta/06.md 
@@ -7,11 +7,11 @@ author: Daniel Medina, George Dias ## 6.1 InSpec Delta Formatting Process -### 6.1.2 Preparing the Profile Before Running Delta Process - Before performing delta process, it's beneficial to use a common format. Follow these steps: -1. **Run Rubocop:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`. +### 6.1.1 Preparing the Profile Before Running Delta Process + +1. **Run Rubocop:** Install the Rubocop gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`. ::: details Rubocop Configuration File (rubocop.yml) ``` @@ -315,15 +315,20 @@ Style/SwapValues: # new in 1.1 ## 6.2 Testing Commands +Upon completion of the delta process, you may want to test the correctness of the new and updated controls. + ### 6.2.1 Linting and validating controls: +The current available commands for testing are: + ``` bundle exec rake [inspec or cinc-auditor]:check # validate the inspec profile bundle exec rake lint # Run RuboCop bundle exec rake lint:autocorrect # Autocorrect RuboCop offenses (only when it's safe) bundle exec rake lint:autocorrect_all # Autocorrect RuboCop offenses (safe and unsafe) - bundle exec rake pre_commit_checks # pre-commit checks + bundle exec rake pre_commit_checks # Ensure the controls are ready to be committed into the repo ``` +
:::note Profile Controls Formatting In the past, cookstyle format was used. However, support for cookstyle formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence rubocop is preferred. diff --git a/src/courses/delta/README.md b/src/courses/delta/README.md index 325c7ce3d..1e06e7d51 100644 --- a/src/courses/delta/README.md +++ b/src/courses/delta/README.md @@ -15,8 +15,9 @@ By the end of this class, you should be able to: - Understand the purpose of the SAF Delta process tools, `update_controls4delta` and `delta` - Use these tools to update inspec profiles - Understand how and where to apply these tools in different situations (Use Cases) +- Use the delta fuzzy matching system to map controls between two profiles - Be familiar with the delta process logging capabilities and generated artifacts -- Using the delta fuzzy matching system to map controls between two profiles by using +- Know how to format Inspec profile controls before and/or after executing delta commands ### 1.2 The Road to Conducting the Delta Process From 9921852cdc2e41fbb1f266516f2fb4038cf7064d Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 16:28:21 -0500 Subject: [PATCH 11/71] Remove profile dev delta pages --- src/courses/profile-dev-test/25.md | 82 +++++++++++++++--------------- src/courses/profile-dev-test/26.md | 43 +++++----------- src/courses/profile-dev-test/27.md | 76 +++++++-------------------- src/courses/profile-dev-test/28.md | 30 ----------- src/courses/profile-dev-test/29.md | 22 -------- 5 files changed, 70 insertions(+), 183 deletions(-) delete mode 100644 src/courses/profile-dev-test/28.md delete mode 100644 src/courses/profile-dev-test/29.md diff --git a/src/courses/profile-dev-test/25.md b/src/courses/profile-dev-test/25.md index c17d86e4c..51c0cc462 100644 --- a/src/courses/profile-dev-test/25.md +++ b/src/courses/profile-dev-test/25.md 
@@ -1,66 +1,64 @@ --- order: 25 next: 26.md -title: InSpec Delta - Laying the Ground for a Clean Release Branch -shortTitle: Delta - Prep & Setup +title: Tips, Tricks & Troubleshooting +shortTitle: Tips & Troubleshooting author: Aaron Lippold --- -## InSpec Delta +## Tips, Tricks and Troubleshooting -### Preparing the Profile Before Running Delta +### Test Kitchen -Before running Delta, it's beneficial to format the profile to match the format Delta will use. This minimizes changes to only those necessary based on the guidance update. Follow these steps: +#### Locating Test Target Login Details -1. **Run Cookstyle:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list cookstyle`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `cookstyle -a ./controls` and any tests you have for your profile. +Test Kitchen stores the current host details of your provisioned test targets in the `.kitchen/` directory. Here, you'll find a `yml` file containing your target's `hostname`, `ip address`, `host details`, and login credentials, which could be an `ssh pem key` or another type of credential. ```shell -AllCops: - Exclude: - - "libraries/**/*" +.kitchen +├── .kitchen/hardened-container.yml +├── .kitchen/hardened-rhel-8.pem +├── .kitchen/hardened-rhel-8.yml +├── .kitchen/logs +├── .kitchen/vanilla-container.yml +├── .kitchen/vanilla-rhel-8.pem +├── .kitchen/vanilla-rhel-8.yml +└── .kitchen/vanilla-ubi8.yml +``` -Layout/LineLength: - Max: 1000 - AllowURI: true - IgnoreCopDirectives: true +#### Restoring Access to a Halted or Restarted Test Target -Naming/FileName: - Enabled: false +If your test target reboots or updates its network information, you don't need to execute bundle exec kitchen destroy. Instead, update the corresponding .kitchen/#{suite}-#{target}.yml file with the updated information. 
This will ensure that your kitchen login, kitchen validate, and other kitchen commands function correctly, as they'll be connecting to the correct location instead of using outdated data. -Metrics/BlockLength: - Max: 400 +#### AWS Console and EC2 Oddities -Lint/ConstantDefinitionInBlock: - Enabled: false +Since we're using the free-tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or 'reboot in the background' if you stop interacting with them, halt them, put them in a stop state, or leave them overnight. To regain access, edit the .kitchen/#{suite}-#{target}.yml file. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address. -# Required for Profiles as it can introduce profile errors -Style/NumericPredicate: - Enabled: false +## InSpec / Ruby -Style/WordArray: - Description: "Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)" - Enabled: false +### Using `pry` and `pry-byebug` for Debugging Controls -Style/RedundantPercentQ: - Enabled: true +When developing InSpec controls, it's beneficial to use the `kitchen-test` suite, the `INSPEC_CONTROL` environment variable, and `pry` or `pry-byebug`. This combination allows you to quickly debug, update, and experiment with your fixes in the context of the InSpec code, without having to run the full test suite. -Style/NestedParenthesizedCalls: - Enabled: false +`pry` and `pry-byebug` are powerful tools for debugging Ruby code, including InSpec controls. Here's how you can use them: -Style/TrailingCommaInHashLiteral: - Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral" - Enabled: true - EnforcedStyleForMultiline: no_comma +1. First, add `require 'pry'` or `require 'pry-byebug'` at the top of your control file. +2. Then, insert `binding.pry` at the point in your code where you want to start debugging. +3. 
When you run your tests, execution will stop at the `binding.pry` line, and you can inspect variables, step through the code, and more. -Style/TrailingCommaInArrayLiteral: - Enabled: true - EnforcedStyleForMultiline: no_comma +***!Pro Tip!*** -Style/BlockDelimiters: - Enabled: false +- Remember to remove or comment out the `binding.pry` lines when you're done debugging or you won't have a good 'linting' down the road. -Lint/AmbiguousBlockAssociation: - Enabled: false -``` +### Streamlining Your Testing with `inspec shell` + +The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section. + +Once you have your IP address and SSH PEM key (for AWS target instances), or the container ID (for Docker test instances), you can use the following commands: + +- For AWS test targets: `bundle exec inspec shell -i #{pem-key} -t ssh://ec2-user@#{ipaddress} --sudo` +- For Docker test instances: `bundle exec inspec shell -t docker://#{container-id}` + +### Using `kitchen login` for Easy Test Review and Modification -2. **Run the SAF CLI Command:** Use `saf generate update_controls4delta` to check and update the control IDs with the provided XCCDF guidance. This process checks if the new guidance changes the control numbers and updates them if necessary. This minimizes the Delta output content and improves the visualization of the modifications provided by the Delta process. +The `kitchen login` command provides an easy way to review and modify your test target. This tool is particularly useful for introducing test cases, exploring corner cases, and validating both positive and negative test scenarios. 
diff --git a/src/courses/profile-dev-test/26.md b/src/courses/profile-dev-test/26.md index e4f602575..48ee12ecc 100644 --- a/src/courses/profile-dev-test/26.md +++ b/src/courses/profile-dev-test/26.md 
@@ -1,47 +1,30 @@ --- order: 26 next: 27.md -title: InSpec Delta - Making the Delta Release Branch -shortTitle: Delta - Making your Branch +title: Background & Definitions author: Aaron Lippold --- -## Prepair Your Environment +## Background and Definitions -- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file. -- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command. +### Background -## Delta Workflow Process +#### Evolution of STIGs and Security Benchmarks -![Delta Workflow Process](https://user-images.githubusercontent.com/13986875/228628448-ad6b9fd9-d165-4e65-95e2-a951031d19e2.png "Delta Workflow Process Image") +The Department of Defense (DOD) has continually updated its databases that track rules and Security Technical Implementation Guides (STIGs) that house those rules. -## Using Delta +Initially, the system was known as the Vulnerability Management System (VMS). -The SAF InSpec Delta workflow typically involves two phases, `preformatting` and `delta`. +In the STIGs, you might come across data elements that are remnants from these iterations. These include `Group Title` (gid or gtitle), `Vulnerability ID` (VulnID), `Rule ID` (rule_id), `STIG ID` (stig_id), and others. -Before starting, ensure you have the latest SAF-CLI, the InSpec Profile JSON file, and the updated guidance file. +A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the Vulnerability Management System used the STIG_ID as the primary index for the requirements in each Benchmark in VMS. -1. 
**Preformat the Source Profile:** Before running the Delta command, preformat your source profile (usually the Patch Release profile) using the `saf generate update_controls4delta` command. This prepares the profile for the Delta process. -2. **Run the Delta Command:** Execute `saf generate delta [arguments]` to start the Delta process. +However, when DISA updated the Vendor STIG Processes and replaced the VMS, they decided to migrate the primary ID from the STIG ID to the Rule ID, tracking changes in the Rules as described above. -For more information on these commands, refer to the following documentation: +Examples of tools that still use either fully or in part the 'STIG ID' vs the 'Rule ID' as a primary index are: the DISA STIG Viewer, Nessus Audit Scans, and Open SCAP client. -- [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options) -- [saf generate delta](https://saf-cli.mitre.org/#delta) +While these elements might seem confusing, understanding their historical context is essential. -## Scope of Changes by Delta +In our modern profiles, some data from the XCCDF Benchmarks still exist in the document but are not used or rendered in the modern InSpec Profiles. However, in some of the older profiles, you may see many of these data elements as `tags` in the profile. The intention was to ensure easy and lossless conversion between XCCDF Benchmark and HDF Profile. -Delta focuses on specific modifications migrating the changes from the XCCDF Benchmark Rules to the Profiles controls, and updating the 'metadata' of each of thosin the `control ID`, `title`, `default desc`, `check text`, and `fix text`, between the XCCDF Benchmark Rules and the Profile Controls. 
- -If the XCCDF Guidance Document introduces a new 'Rule' or `inspec control` that is not in the current profile's `controls` directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the [inspec_profile](#inspec-profile) (aliases xccdf-benchmark-to-inspec-stubs) tool. - -It also adjusts the `tags` and introduces a `ref` between the `impact` and `tags`. - -Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it updates the 'control metadata' using the information from the supplied XCCDF guidance document. This applies to 'matched controls' between the XCCDF Guidance Document and the InSpec profile. - -### Further InSpec Delta Information and Background - -- The original Delta branch can be found [here](https://github.com/mitre/saf/pull/485). -- Delta moves lines not labeled with 'desc' to the bottom, between tags and InSpec code. -- Whether the controls are formatted to be 80 lines or not, Delta exhibits the same behavior with the extra text. -- Parameterizing should be considered. +It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark. Therefore, rendering them in the profile was deemed unnecessary. diff --git a/src/courses/profile-dev-test/27.md b/src/courses/profile-dev-test/27.md index cdb6f62fb..496c4d319 100644 --- a/src/courses/profile-dev-test/27.md +++ b/src/courses/profile-dev-test/27.md 
@@ -1,64 +1,22 @@ --- order: 27 -next: 28.md -title: Tips, Tricks & Troubleshooting -shortTitle: Tips & Troubleshooting +title: Terms & Definitions author: Aaron Lippold --- -## Tips, Tricks and Troubleshooting - -### Test Kitchen - -#### Locating Test Target Login Details - -Test Kitchen stores the current host details of your provisioned test targets in the `.kitchen/` directory. Here, you'll find a `yml` file containing your target's `hostname`, `ip address`, `host details`, and login credentials, which could be an `ssh pem key` or another type of credential. - -```shell -.kitchen -├── .kitchen/hardened-container.yml -├── .kitchen/hardened-rhel-8.pem -├── .kitchen/hardened-rhel-8.yml -├── .kitchen/logs -├── .kitchen/vanilla-container.yml -├── .kitchen/vanilla-rhel-8.pem -├── .kitchen/vanilla-rhel-8.yml -└── .kitchen/vanilla-ubi8.yml -``` - -#### Restoring Access to a Halted or Restarted Test Target - -If your test target reboots or updates its network information, you don't need to execute bundle exec kitchen destroy. Instead, update the corresponding .kitchen/#{suite}-#{target}.yml file with the updated information. This will ensure that your kitchen login, kitchen validate, and other kitchen commands function correctly, as they'll be connecting to the correct location instead of using outdated data. - -#### AWS Console and EC2 Oddities - -Since we're using the free-tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or 'reboot in the background' if you stop interacting with them, halt them, put them in a stop state, or leave them overnight. To regain access, edit the .kitchen/#{suite}-#{target}.yml file. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address. 
- -## InSpec / Ruby - -### Using `pry` and `pry-byebug` for Debugging Controls - -When developing InSpec controls, it's beneficial to use the `kitchen-test` suite, the `INSPEC_CONTROL` environment variable, and `pry` or `pry-byebug`. This combination allows you to quickly debug, update, and experiment with your fixes in the context of the InSpec code, without having to run the full test suite. - -`pry` and `pry-byebug` are powerful tools for debugging Ruby code, including InSpec controls. Here's how you can use them: - -1. First, add `require 'pry'` or `require 'pry-byebug'` at the top of your control file. -2. Then, insert `binding.pry` at the point in your code where you want to start debugging. -3. When you run your tests, execution will stop at the `binding.pry` line, and you can inspect variables, step through the code, and more. - -***!Pro Tip!*** - -- Remember to remove or comment out the `binding.pry` lines when you're done debugging or you won't have a good 'linting' down the road. - -### Streamlining Your Testing with `inspec shell` - -The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section. - -Once you have your IP address and SSH PEM key (for AWS target instances), or the container ID (for Docker test instances), you can use the following commands: - -- For AWS test targets: `bundle exec inspec shell -i #{pem-key} -t ssh://ec2-user@#{ipaddress} --sudo` -- For Docker test instances: `bundle exec inspec shell -t docker://#{container-id}` - -### Using `kitchen login` for Easy Test Review and Modification - -The `kitchen login` command provides an easy way to review and modify your test target. 
This tool is particularly useful for introducing test cases, exploring corner cases, and validating both positive and negative test scenarios. +## Terms & Definitions + +- **Baseline**: This refers to a set of relevant security controls, such as NIST 800-53 controls or Center for Internet Security Controls. These controls offer high-level security best practices, grouped into common areas of concern. +- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on Confidentiality, Integrity, and Availability (C.I.A). +- **[Common Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. For example: 'CCI-000366'. +- **Group Title (gtitle)**: This is essentially the SRG ID but is a holdover data value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'. +- **Major Version Update**: These are updates that occur when a software vendor releases a new major version of their product's STIG, e.g., RedHat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows. +- **Patch Update**: These are regular updates that address missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`. +- **Profile**: This is a set of tests representing a STIG or a CIS Benchmark. These tests automate the validation of a system against that STIG or CIS Benchmark. +- **Release Update**: These are updates that occur when the STIG Benchmark owner releases an updated version of the STIG, e.g., Red Hat Enterprise Linux V1R12 to V1R13. 
+- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string - ('SV-230221) and (r858734_rule)'. The first part remains unique within the major version of a Benchmark document, while the latter part of the string is updated each time the 'Rule' is updated 'release to release' of the Benchmark. For example: 'SV-230221r858734_rule'. +- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a 'class' of software products such as 'web server', 'operating systems', 'application servers' or 'databases'. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on a desired Security Requirements Guide that applies to the product's software class and function, such as operating system, web server, database, etc. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **SRG_ID**: This is the unique identifier of the SRG requirement. These indexes, like the STIG Rule IDs, also show their parent-child relationship. For example: 'SRG-OS-000480-GPOS-00227'. +- **STIG ID (stig_id)**: Many testing tools and testing results tools use this ID - vs the Rule ID - to display each of the individual results of a Benchmark validation run. For example: 'RHEL-08-010000'. Examples include: DISA STIG Viewer, Nessus Audit Scans and the Open SCAP client. +- **XCCDF Benchmark (XCCDF or XCCDF Benchmark)**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by NIST and DOD to provide a machine-readable XML format for creating security guidance documents and security technical implementation guides. 
You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). diff --git a/src/courses/profile-dev-test/28.md b/src/courses/profile-dev-test/28.md deleted file mode 100644 index edc8506b6..000000000 --- a/src/courses/profile-dev-test/28.md +++ /dev/null 
@@ -1,30 +0,0 @@
----
-order: 28
-next: 29.md
-title: Background & Definitions
-author: Aaron Lippold
----
-
-## Background and Definitions
-
-### Background
-
-#### Evolution of STIGs and Security Benchmarks
-
-The Department of Defense (DOD) has continually updated its databases that track rules and Security Technical Implementation Guides (STIGs) that house those rules.
-
-Initially, the system was known as the Vulnerability Management System (VMS).
-
-In the STIGs, you might come across data elements that are remnants from these iterations. These include `Group Title` (gid or gtitle), `Vulnerability ID` (VulnID), `Rule ID` (rule_id), `STIG ID` (stig_id), and others.
-
-A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the Vulnerability Management System used the STIG_ID as the primary index for the requirements in each Benchmark in VMS.
-
-However, when DISA updated the Vendor STIG Processes and replaced the VMS, they decided to migrate the primary ID from the STIG ID to the Rule ID, tracking changes in the Rules as described above.
-
-Examples of tools that still use either fully or in part the 'STIG ID' vs the 'Rule ID' as a primary index are: the DISA STIG Viewer, Nessus Audit Scans, and Open SCAP client.
-
-While these elements might seem confusing, understanding their historical context is essential.
-
-In our modern profiles, some data from the XCCDF Benchmarks still exist in the document but are not used or rendered in the modern InSpec Profiles. However, in some of the older profiles, you may see many of these data elements as `tags` in the profile. The intention was to ensure easy and lossless conversion between XCCDF Benchmark and HDF Profile.
-
-It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark. Therefore, rendering them in the profile was deemed unnecessary.
diff --git a/src/courses/profile-dev-test/29.md b/src/courses/profile-dev-test/29.md deleted file mode 100644 index 0e970ff0b..000000000 --- a/src/courses/profile-dev-test/29.md +++ /dev/null 
@@ -1,22 +0,0 @@
----
-order: 29
-title: Terms & Definitions
-author: Aaron Lippold
----
-
-## Terms & Definitions
-
-- **Baseline**: This refers to a set of relevant security controls, such as NIST 800-53 controls or Center for Internet Security Controls. These controls offer high-level security best practices, grouped into common areas of concern.
-- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on Confidentiality, Integrity, and Availability (C.I.A).
-- **[Common Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. For example: 'CCI-000366'.
-- **Group Title (gtitle)**: This is essentially the SRG ID but is a holdover data value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'.
-- **Major Version Update**: These are updates that occur when a software vendor releases a new major version of their product's STIG, e.g., RedHat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows.
-- **Patch Update**: These are regular updates that address missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`.
-- **Profile**: This is a set of tests representing a STIG or a CIS Benchmark. These tests automate the validation of a system against that STIG or CIS Benchmark.
-- **Release Update**: These are updates that occur when the STIG Benchmark owner releases an updated version of the STIG, e.g., Red Hat Enterprise Linux V1R12 to V1R13.
-- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string - ('SV-230221) and (r858734_rule)'. The first part remains unique within the major version of a Benchmark document, while the latter part of the string is updated each time the 'Rule' is updated 'release to release' of the Benchmark. For example: 'SV-230221r858734_rule'.
-- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a 'class' of software products such as 'web server', 'operating systems', 'application servers' or 'databases'. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/).
-- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on a desired Security Requirements Guide that applies to the product's software class and function, such as operating system, web server, database, etc. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/).
-- **SRG_ID**: This is the unique identifier of the SRG requirement. These indexes, like the STIG Rule IDs, also show their parent-child relationship. For example: 'SRG-OS-000480-GPOS-00227'.
-- **STIG ID (stig_id)**: Many testing tools and testing results tools use this ID - vs the Rule ID - to display each of the individual results of a Benchmark validation run. For example: 'RHEL-08-010000'. Examples include: DISA STIG Viewer, Nessus Audit Scans and the Open SCAP client.
-- **XCCDF Benchmark (XCCDF or XCCDF Benchmark)**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by NIST and DOD to provide a machine-readable XML format for creating security guidance documents and security technical implementation guides.
You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). From 0566be6d5d768b5f38b1a5b5d33444a05762b025 Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 16:36:40 -0500 Subject: [PATCH 12/71] fix links --- src/courses/delta/03.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md index 29f377319..430a07fd0 100644 --- a/src/courses/delta/03.md +++ b/src/courses/delta/03.md @@ -19,11 +19,11 @@ Inspec profile file: JSON formatted file containing profile summary, used as inp ### 3.2 Update Controls for Delta -The `update_controls4delta` process is used to prepare profile controls from one [SRG](#glossary-of-terms) or [STIG](#glossary-of-terms) baseline to another. The controls are updated based on guidance based on guidance provided by the appropriate Extendible Configuration Checklist Description Format ([XCCDF](#glossary-of-terms)). +The `update_controls4delta` process is used to prepare profile controls from one [SRG](./02.md#glossary-of-terms) or [STIG](./#glossary-of-terms) baseline to another. The controls are updated based on guidance based on guidance provided by the appropriate Extendible Configuration Checklist Description Format ([XCCDF](./02#glossary-of-terms)). update_controls4delta specifically updates existing controls within an inspec profile repository. -The `update_controls4delta` process may be the only command needed to facilitate changes to Inspec profile baselines (delta process), refer to [use cases for running delta](./03.html#use-cases-for-running-delta). +The `update_controls4delta` process may be the only command needed to facilitate changes to Inspec profile baselines (delta process), refer to [use cases for running delta](./04.html#use-cases-for-running-delta). The process of preparing controls from one baseline to another (baseline X to Y) consists of: 
@@ -32,7 +32,7 @@ The process of preparing controls from one baseline to another (baseline X to Y) a - The json file is generated using the [inspec or cinc-auditor] json CLI command 3. A XCCDF file containing the new baseline Y guidance is provided. The file is obtained from the appropriate site. a - The baseline Y XCCDF lists all controls appropriate for the provided baseline. It also includes (most often) a field (legacy) where it indicates the control's previous name(s). The process uses this field to map old control names to the new controls. - b - If there is no mapping found, then the `delta` process must be invoked to convert the baselines ([see use cases](./03.html#use-cases-for-running-delta)) + b - If there is no mapping found, then the `delta` process must be invoked to convert the baselines ([see use cases](./04.html#use-cases-for-running-delta)) You can invoke the command as such: ``` @@ -82,5 +82,5 @@ For more information on these commands, refer to the following documentation:
::: warning Delta Process Limitations -This process has been tested using DISA XCCDF STIG Benchmark Guidances only. +The Delta process has been tested using DISA XCCDF STIG Benchmark Guidances only. ::: From ca8b57df71d2f30587abe1ed95f68d2b1c70e783 Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 16:41:30 -0500 Subject: [PATCH 13/71] fix --- src/courses/delta/07.md | 19 ++++++++++--------- src/courses/delta/README.md | 5 +---- 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/src/courses/delta/07.md b/src/courses/delta/07.md index dbc85ef05..937364d41 100644 --- a/src/courses/delta/07.md +++ b/src/courses/delta/07.md 
@@ -1,23 +1,24 @@ --- order: 07 -title: 7. Additional Technical Details +title: 7. Additional Technical Details and Resources author: Daniel Medina, George Dias --- ## 7.1 Additional Technical Details -- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file. -- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` or `cinc-auditor json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command. - -### update_controls4delta process +### 7.1.1 Update Controls Process -![update_controls4delta process](../../assets/img/update_controls4delta_diagram.png) +![Update Controls Process Diagram](../../assets/img/update_controls4delta_diagram.png) -### delta Process +### 7.1.2 Delta Process -![Delta Workflow Process](../../assets/img/delta_diagram.png) +![Delta Workflow Process Diagram](../../assets/img/delta_diagram.png) -### Scope of Changes by Delta +### 7.2 Scope of Changes by Delta Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it replaces the 'control metadata' using the content from the supplied XCCDF guidance document. This applies to controls that map from baseline X to baseline Y. +## 7.2 Additional Resources + +- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file. +- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` or `cinc-auditor json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command. \ No newline at end of file diff --git a/src/courses/delta/README.md b/src/courses/delta/README.md index 1e06e7d51..a9dc44591 100644 
--- a/src/courses/delta/README.md +++ b/src/courses/delta/README.md @@ -17,7 +17,4 @@ By the end of this class, you should be able to: - Understand how and where to apply these tools in different situations (Use Cases) - Use the delta fuzzy matching system to map controls between two profiles - Be familiar with the delta process logging capabilities and generated artifacts -- Know how to format Inspec profile controls before and/or after executing delta commands - -### 1.2 The Road to Conducting the Delta Process - +- Know how to format Inspec profile controls before and/or after executing delta commands \ No newline at end of file From 7095235284cc8434ed6f7e9992c0190ede5989ef Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 16:44:12 -0500 Subject: [PATCH 14/71] fix more links --- src/courses/delta/03.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md index 430a07fd0..2b8f2cb38 100644 --- a/src/courses/delta/03.md +++ b/src/courses/delta/03.md @@ -19,7 +19,7 @@ Inspec profile file: JSON formatted file containing profile summary, used as inp ### 3.2 Update Controls for Delta -The `update_controls4delta` process is used to prepare profile controls from one [SRG](./02.md#glossary-of-terms) or [STIG](./#glossary-of-terms) baseline to another. The controls are updated based on guidance based on guidance provided by the appropriate Extendible Configuration Checklist Description Format ([XCCDF](./02#glossary-of-terms)). +The `update_controls4delta` process is used to prepare profile controls from one [SRG](./02.md#glossary-of-terms) or [STIG](./02.md#glossary-of-terms) baseline to another. The controls are updated based on guidance based on guidance provided by the appropriate Extendible Configuration Checklist Description Format ([XCCDF](./02.md#glossary-of-terms)). update_controls4delta specifically updates existing controls within an inspec profile repository. 
From cf50fa4b63d91c80878793589d45cd0e77557fff Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 17:00:26 -0500 Subject: [PATCH 15/71] fix report markdown file --- src/assets/downloads/{report.md => report} | 0 src/courses/delta/05.md | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename src/assets/downloads/{report.md => report} (100%) diff --git a/src/assets/downloads/report.md b/src/assets/downloads/report similarity index 100% rename from src/assets/downloads/report.md rename to src/assets/downloads/report diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index 6fe9d4e17..d7accec22 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -34,7 +34,7 @@ Details of the changes are given afterwards as follows: Specified by the report flag (`-r`), generates a markdown formatted report of the same information found in the delta.json file. -[Example Report Markdown File](../../assets/downloads/report.md) +[Example Report Markdown File](../../assets/downloads/report) ## 5.2 Logging Capabilities of Update Controls From 9442e4ae13f2524bf7254e07db109793d6893062 Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 17:10:21 -0500 Subject: [PATCH 16/71] fix link name --- src/courses/delta/05.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index d7accec22..143ec0ecf 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -39,4 +39,6 @@ Specified by the report flag (`-r`), generates a markdown formatted report of th ## 5.2 Logging Capabilities of Update Controls +The logging output of `update_controls4delta` provides information on which controls were found to require a name change, as well as additional statistics on skipped controls + ![Example Output from update_controls4delta](../../assets/img/update_controls4delta_output.png) \ No newline at end of file From b975a3b3dca4a68e10464cdb2c2a052140bce727 Mon Sep 17 00:00:00 2001 
From: Daniel Medina Date: Wed, 4 Dec 2024 17:13:10 -0500 Subject: [PATCH 17/71] src/courses/delta/07.md --- src/courses/delta/07.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/courses/delta/07.md b/src/courses/delta/07.md index 937364d41..3a793bd9f 100644 --- a/src/courses/delta/07.md +++ b/src/courses/delta/07.md @@ -8,11 +8,11 @@ author: Daniel Medina, George Dias ### 7.1.1 Update Controls Process -![Update Controls Process Diagram](../../assets/img/update_controls4delta_diagram.png) +[Update Controls Process Diagram](../../assets/img/update_controls4delta_diagram.png) ### 7.1.2 Delta Process -![Delta Workflow Process Diagram](../../assets/img/delta_diagram.png) +[Delta Workflow Process Diagram](../../assets/img/delta_diagram.png) ### 7.2 Scope of Changes by Delta From 9f388fcfb354067ee42e68c5cc9d77cb11ecb13c Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 17:19:11 -0500 Subject: [PATCH 18/71] rename diagram --- .../img/update_controls4Delta_diagram.png | Bin 74464 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 src/assets/img/update_controls4Delta_diagram.png 
diff --git a/src/assets/img/update_controls4Delta_diagram.png b/src/assets/img/update_controls4Delta_diagram.png deleted file mode 100644 index 07044659e766837dfe80af80f870bf71c4f50f45..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 74464 zcmeFa2S8Ov+CHwv7-OOa)EG@{C~7q5?M0(_d++_Cm~(qSw>NuYjM%Zp9(!+CQGrBF zY!MO*c8LXvA{q-SAn>09_Zlq8=C`}wx4YkegA3=(nKLtI=6T=unRniq%@7M&En9SK z(Wp_QmK-)++NjYR3E+Rp&6|Ogcc+ZL4E{9sNmT=KR-k5cZN+?hp|yI zmR5h2j6qpopFbH(PsU&v4x`@hg!ypJXJ!xBJpZysAN;3s2f;M!re z8^IrzQE!KlR}5Y#)Xxfo>=;mAKcq1;kl714!Ho+7t*R?A;5I;h<8VFf0$u3v;pj$(AM_Yffz?o-1#d#>AR`)=LeyhO zDMl<7pF+T*^(hz}WI_{BM6w?BN@ejXone+2a$5wj!RP=*8p5&GVMw3`q!L45+s$4$;EL7f zf?WV0$d@~zcrmf8J_`ikT3>QqQp4e_@8Nhqdtn$<)L^t5K8|N{hG|9zG7Rw^j@1JY z_y7Lx^M3L^m$!eUI4l{BM;S>tk_n9`;ZXXNSouN75r_?hjKZw%D4#zPM?R1azZHxM z#bGrgGUA8bK#ZZ-ox^AXy+ZZ5A-&aQmLt#Tq~8nKZrCA_1Qnfyy z1AnN#dJLiwm0_@Y0jTQ5(gz2Saif}m2+3kC!-0E?-{}Bvqrqj}a2t^UM_ztDtjLWX zc3SnZ2M$PQbWoq;g9bZbM4Iam0$u|GYJUzkq*$azCgij_5E)V$y#~ky#gbzJ1HPjU zT5jm~QHpmg=s9Ct9Fbgqj-KB!#4-Yv=J!Sbj^eKqVQV4f;=%;|9Sfn%kdKW@nkGpp+ej3KAzFUv=N7+8JH9-_7#j7 z4M6f^0}Ffo7T65CAP3|3)R)Hh_dI;K4sys?*^GXFBsMBgzz>6@1_1e!k&L4t8G}XD z{RiIk`5~{Lf@raZ@BnE{VDDmJ`on<-c=hUIBK3;Y0W*a3Jo3q)9B@;ImOt;>*FwW< zbU=P}E^p-s! 
zG9z3M0m1*QI>aCdLaK>@5=$oaBgO=)fku3ut)WIlqhlH40RGo&MB*#B`S(+Z0Ic4K z8qs|HFeow@=eh(y&wP3|213jXP|3fFJy8K3ydMay58c1ymoM1Z$jz@63iWc zXV5;o(XU6QF9`4fm33HMM%wd96OxFKlLopJgT*jGuVATQE@`j=X^KCK@l-HVZ>W^9 zOcDWu@Zoy?`ch^CLyPnj?pT?=a4)*(DCnz}1_Me-qmx$Hx zT=+$jj?gm5=dPa}nyg`@9n?Cw8@-Gm_%MX6AerKJ(isMy?6&lSLOxtS#33=<7xDRx zNE_;?dxIuFZ_5jF52QC^37}|1Pt~LKf7Tv>IrI1p?EAaOacE1WeN*JVFp)X1^7ir(W6cdL}yA zZxoNbLM1V55sgo7;=Ax;?eD~tg) zRT(8?WFo}BDwIqfAnaL@4p&)YynX8OAFp1PKd65=n(9ip>Gq%#>Opc(jklaGCrHqm>3> zv<#z}t;Ko4vyj~E&{D}#2T5k)(2%C#gdv_oZ5K(IejOMls@;NPLjnmG4(Otw9==3K zr3$QsDELMKgXy7o!0=G%>ad zArFxxvZ}0JGS@~i;PGs9z$l8irCh8t93=&PawJ_NjtaCIxrWT*IQ>{W7+9tRXQo-z z0;3EU)dV0K$^fdB!6dpz#0x})TslF)#)Vw+FwJ0aNr`Mb#e>Cx{-zpPGDV0WG#Vid z2G5~z;V=%;2;Hz-9p%^|BgQ15CNz|Wdcvg zP8B0~6o@58$j9P4{V1(iPov0iT#-ql@IxM%*UT^)Bi5+F5ymr^IF8Z}DaZ^aU8vGJ z9ZWKh4lzU$vz!}HQ|J^1JECUWsXDWZ>+$*l$f+DTO2nY4sV<>i6!y6AR+e0W$H=HW zegN%6X_X9|RIW!kOnQOOtlWyT35c9l>= z@P`O~kBmhy`XnMNM?}=9+(ZHs<}jpTq0oS{6NC}6hbomx_)3P%Ao4l+x-bRh<5=t( zlpyRTY0<(6g~g?Ybzz|3hgF_ zO~D8Yi)B)sLV;8OvV-{}HE4H6h+(XhF5^dGBF-3+AW|h4xP4@)&SkQgf zh!b?!r6j8c=TbX4h{S|hE+J8kSIU8gVRE%dK@=m-VYW-vS}AgCM-w;rWpA%)X}1ydfXE(CL3o~WD)7Smu8$s?9&9YK-G>~jlkP9M$_@k&r? zrI1CIXh3co+9g30GR1?}Moe_bW|7&&BH&fSFgY?A(kPBbL)M2uRvacsq4|k)0ZGRU zvK&G_4#ni#I4)Qal9631Z^YrS6U@$_7$x_c(f)v&A(7%W`Y4kVuo$pzhMiAv{e7oB70yK#6jKY}#|g(xT}_7H7| z{YBI-PbWYH1Oae`5d;+qlaZm5LsUG@>I-1R7z)M)MNG1&hbK}CsaUO6W0aXmR;m?I z<1C@v&1C9L3cU%(3@Ql$D#phpIr)&)LEr+ZrYK=G-^y~JwIQx6B4AO1bcW5wMx*6! 
zGur2Lb5J3&n5)!^To$>(OBL7z!LZ*I^rG!VVT3?~sT2$wZ5Fy%Zh}1=W!SxZ7t7Dq zc_Lz+%w-VpLNqdofKm$3VG@?^c3b2`l##}Su`tQ3M?Q#c47inYF4hrdp&V3-SSK+{ zX>v`}WKcy77|2PWFgPMJO&x?`j*aEh2EhbQtntXiZc$WcF*z9?5!Om0D|PBTY~w^IoeA=A%{%7CCU`4SU{YqRP#5>vn}=1Pqggdk`Xn1Ea3kgKo; zH-Sht85pvV%?SG;pU(js$zir1_7RCLrh}mbOp2=IF&vU`*a4v-O~9e?S!}S4#}cc8 zYOUS})~Mx(*g-_20HB*GR#>b-PLwGV=(RymFi7HpGCTxN*cGKmYfGDIg7rz+XO}tOoWC6;PvKE!`g0sHIw1<7GuGK8!=Cvq{YCfS$}F zIeB8FXrnSD^12a??{*0zXt|POQyN4{o=t_1K(L?9r;>1ZDMKJr67@V{lu7|gijE3+ zJwmHUZPub4Onz7@4l8ULES5xInuTf=9xv2*U2-oMNFEgizH6o}sPIrURwoalnx$xw zlT9^84K8xTO9)}iZnr=Ip`soqUFCq$T#l6MCz%3lj>l}(n+Rf!oNTa$+)Y!)M|12))bi=wf}=)fL#RHG&vG(JeAGg^5RuOIXZP+g%2hUF&8 zi8QxV6+#;2L7^>NwIdv5+F78Zsc4)B(F+bK*(Y)`#8gknhF0NJswm5WaX=P2#z#U+ zbV9x}5)Eh|90n~j@L`vOh~hHvQKef9DbXG=F!ypbWHU%;d^XFj6k6B@8CalaQkY~d z(<@h7!Elky6tBA0HH8oUw( z74PzR0YUcbI4DVkq%i0iCl}c~uInmc!-nEmD+4 z3#k$5w(-LfwGzt>a4|mE&ZLuEb#FkP5Y`@qD3-8PNfQwuR*+)>=8MT=5F|daOodW; zxHftyDvX4+B#c|A3;X$UNJu83)E2ec0-N|&G!qJN4Qw--N6~rg_%Kx;4cI&^a}*Y$ z3|blnhf`5uBO_$j0Mih`Iy`a}&d*h-wY)IwWQfQZFxO!yRD8MDOyGGS5!Z*8Dp)M1 zTTOE_@sM5xmjAFMFJB?$yR{KB*@6$7!yc!DOcua2tcnJ)JbXNw9>OXqK9Np=67i!_ z7aGMhEB$Vye{4dVhfQN(D0E24V5=hpf+k{N(^Vle-{>`mOdOq=?GT9Q3X0QDjX+kv zhQop>HVRWJLQ$zc(1V=Yhlz@p- zSQL?!>W4!p$U$3K#?&0(TJIZLb!ue9KevmAs$k(HNu6ADyCP(br1w0l#eVinsNA$ zCM;***)Ux~MnX@hkPuI`(4-`m&@IyjXganXE#&*PdY6P2<*I~&hy@!6!8Aq$hjWWj zL9bVUat67sFbT&B5ZFRL%d9c#6iOFg$@LRZb`{TR*WqYkn^3C4GQD6m-m134Vh)26 z@af&*a1bp(Gc`N~U4rv#bY25PK#!6_hA0^s$B0FYXqE^d=wzFlD$(TDMW);F6SXgvlx8LN=RC!5WDW zAIw_#L4uq`w`g1_vp|C9$ps20hAp(oMRtflg2X1FD@q3C#JV zk)33@jgGZ({Sk!I>s7h>Ds)i{+huHx+{YnMbYl?7nSPad`qpC1MkscFZ zcohVM=mrqO%VrAPC>7&$h^Z=p!9iAX1RAZAOalsmN;CoQM<^sj z*loa|!r~zk!jv>jwL+rjT19qj1m|Y!h@mJRqYcAy2Lml(t0;bo-YY;Wy)LcW7jP*h zhz|jF>V+Z_1DSW|gEkkQhVUv^(BZ(#gCUupEhCX&C0ePm>!b=ahT_!7i6)2K6_Mfv z24h%2q>=S36Ar->!35|%$*0!n0)UR_G!B@mKuN7SvxrC#BAD`NFc_(dD~1guv%^Le z@nsmI#L6VGcqD_g zfhlyV%p6N7V&sS{aKK<78T>e@J)%K!%QbGV8tb5%m>~kiW&Z%-(zC2ZEjhBuME;zPOnr6V~rw96iiyo 
zIKIde0rkr`Q9e-$v(*rcN9Z5Mtqp}yG%AKIi13&WvM(G6iWJ_U(N9()x`&RI$mw<_ zTN+S{Tzno+>8FxuUbLRbbBWoekj_K2y0H$4#K4S(_z)s%9J^o3SM!Z-GM#UM%s~@1 ziV1NrT#}xR#}hyX84gXQcnM-r(4TdZ|KT@FOu&)Q~_b*6GM0N{B$F@lAGO6vy`Xqojy8z*2CH5u8kCr`xCm zEdioqSy-2jqGGFIL!HwCypA^qgHf*79+oH=L9G&avPeb)A94XYj$&9X5(`#K7Lr98 z8YV&ufW|XTk%-8y^>~0sQ3ocN1|wSJ*BD8dAQx+P31Kx*>_o3DEJGnm+)fOEX?H{g zW^@)aiDZb1gd{{O>X;stgD<3pL|Bc52gDcB0mpX`vtgunYjbPC} zlo11iJ1`L7pPz2DL@9h4%#iCCIHAs=@YkVUKD z5IyLjGSDii9vd)G$W#gnq{BhPJs>2wagf=pGool=utaR}@cB-vG(@n|Pyt8-J|-xN zuz=T39CoTySi4UQn;lNFzwR6O3}FOsGdqC?Q9!rh!@vzo@rPpHj&r(Tycr7k0OiF7 zVV44a26gz#$iG z@wp>W0$u~=>*5fiO-0%W50Y_6Ob^cpaWF;|m4Q;ZbZ!w~32Z4_MkN5M64E+V1RT?# zL3l^@lc_W^gFu#XoenfgisIN%A{5swr?Fw9NUTr+yAMm* zIJ;Pa3x&}bz|8n+493iaop_4fVpKAs5v#zC(bJ@C0}_DFBymG%238APTqrHWK#5}6 zZW&!6_Rt{-4d5HBZxHl8ojYnF`}A6%x0s?RnL(vdJX}nj8Y9z*Oa>85`G6Bety05Y zv6dzQa|#3Et(7u`GA5hB)_aM5s}!a6@+eXoT8afeN~TF;3Gf+yJ;To+vxRms1FSRY z#ZnSe?9vj=4wD5d;WAT2K31OCDG*|$EoD?-N$|RXM$_PRf=p?Yh1^$A6 zh}V)O!#V_D+7|*#Toj5-p%h7Zc$$X8L6$oIB)T9T6Y=_piB|$6;@Mvbp?EPUpU80k}cn0v=!AkcNQ^@w9)Vzy&bm05A<#P5&1H z7wQ7t>Vx7)Xe0usE#=tfQ8+7EZqM?WZXXzsH}GY7pPS)w^%`>etiscEM6G_ z*&hPxZ^liafl@|#_rHM?uMeESV`A|8p9-8H|5M8U4-1@#qpm^Z1PGf$Hck>pvsfE*=im0N}5{8QI9@2Fkl(%;yW+ zmEz%^Ac%;dCmD67KhyNDPzMYuwtWxM#W#F`iNIfrL`EXWp6}jxzF`C(-=7y79ZY;% zUW4Jm#)FbyAQed57$VI7KCB|Xx$A`is^9nl_#9Z=XuvlJo&d5zur8K2rG6(HSaw38 zac;0Sh=iqr--vBb3B|T&Ay08gXT=@@PUlaF5lZA)-PSrxyx92ulVlvq3057EW$gMe zvJ_Zn1M9Ou5kB9MQs1`v{VJ~jDjrOR?8mIze)2LGjWN~wy?k|h@%)euxXS9bP6AoO zQo%htzQ?SN_JD*2k-4!wfem7W|6to4fGo4_zgV}uW~bdBM*YT#_CLzY8_E@E4_KZf znO?iWHTFD) z&-m6-1dxAo8s@Yb40Wab0TSbZ^*}!V86bRK-Am{)q78T>5j6P4NPU1iGJ%MNkoiJ= zhcpaV{~t#eGC2X&z7)fbNA<&j0Yt{I0sLOOrHX*$BaEE^p@X&G1`JV~9n7gEb-upvU7qU7X5ICFQHJfH)+v}fia*3O}xL>J$ z!;ao!bpV%s1Z*k-G7R=C>+SJ7ss;91qd=cQ@h$RoTbg4#b?RIbzvqx4Z-NpKUFtO= zsyegX+Xq5t?FLfEB%D?%2`y|6M!29d<2AS^vBXc__{x2M5MUB zlvj_(_zOH8nM5?0i9SC^p}r6QCY_1z$$n*i`sagNkM)=4q49ZV44n-?{8~vv}zTRTJ2<|!^UJv&;xRE3nz`*3FJ9@(c zh`SMSX1@&hx?QBtflUSKiG~74JOPMmLjFUxap?rvEc^c5Djz 
z5_hWejv)j8w{)O6`u3rDQAD;E&VH$wWT=xT~lE)%efx$RnYhFVXn_ zg&3_r&@zAB0>@k3;84fcj&*#o_}?r@3Snx0%LVrjxzmQjDRivS5LL;CV})E%km?xj zd(GLhac>0h0Q||qxhZzoD&nC~K0j|2-28s1Zwl};Bd4|^S-fUlZwwNR2zEiB8eRZP z49xS(i|3+%-wj;l7?jlL3poB{&AfgoUFQW^e`@k>IAC_dx_;Fp)$pC1p_V5L8v_r-OJxNGS7a>k33 z&-euP#beD-C@O;qB2ivF94s2}8vB7`eZg4PMKIL)f?hgNEN1dvCde=9>^jl@`?WI` z^`fu;`Prxq)N?%grQu8v7klk>)6;*JxYmjEADmeo_qG3iZg|5!sCybe$h`hR>;>RT z0RC@exuI}1o!Y2T*G3#VMIKJSvp6)i-IzLWlis}5h4+R>@4ij0oS3iN+ww!= zQ3bI^Vj5XXyEb6X<7e9odS@0K_?}lhskGT~QD0U2s>Q=bk4|4AIT%R1=u}u0AAZsM z;D*k$B_DK?tr^v~U~onIb+UbPg^E*L{S(@}?gNkivas3g1@m+dPETxKyq;GzLArZK z#~;3b?})p}U3`{i7V|;DRoY5H>0ImXJ7b2A>C2n9>9?V<%(!`TU`xqk{FdsHP8E40 zx_msBv4+;F&%@}=p;c$1Mc<4bHve%Mzi(c}JMDXIVy!3qHll8*+0(&?uT6b#%ajot z&NaEa|Nd@x|Ga*~C3mJzsG2^l`m3uG8qZ6vnRwp1pMIck&e?*K2PMyJJ(l-4vGvWv z1vNeTH#a0U9x(HJd#k5C;w#mFP|t`Nv&?3yE4hNcKTi7v-B~KE){*VZ$*z?Q%J^dm{V<- zn`elJs!x1&9tWz+){I*G@Iz+Rhd=KP*xFC-Nrqkfzn;+U1bS(Up^e9d6Mky<*zoYj+?v^U zhZS!TRnumk(BSj-g$Djm$t=olwQlW7U;evoo_dcvVD@QA*dm#1BW(Gz#Id<=&Ve_~tfLlGNa|Uzt7sce)Q$Nfmugq_2Qk~JWQ`)^(pV$xKqY&-0SL+06R0h5(Z|!~=f!=&vH^W7zp3dR9i_jQoUnfIQP+Vl zW;EY7>@neuCnr8v?KnJ0tr&moePUIk(blr&_N}s3O)+1NokkCD%5Y_Dg?C-P*h$72 zud3*ocy+M4?3wOJO2WDe%K#Yq_ghr`V|4b%E0#p5jhf77e)D7EvW~XeWs(tTW!qa0 zNX)#$AHR;icEGtYGdfp2?Bp$7+L=54!SOzC;L)s-5-*8@YFhla0ySy*u9@U(Z&Wqw|DFK_tW+$vXT=yvVBy`}w1 zYtL>YlMppcg}4)xp~+=-H}U~6Ak6PH%)u<%{MWYpSt!f zT7b77o6(JS|`PX|YE=w0@u*+NKPNL6NBt4r#-*d5pvPY8Y>7qMZSA4k2Y4$Ez;Xcb66g}Pd$FjNahjJDZ%O6vq zom=+ouzbPkaiD`Kbrnn1_W{I8o(cNrv%q@i8wE{N2VQk#*TFOCiO@S^ABGegl!8m+TXz~D?>yqpwnK#8 zX@l>So-SNlQ(cud)ARJ|SMB$?o;|%^*mD2OH_Ii`2jBzevF9yax>Vh3QR3D70?qWD z_OsfGmYqL6H}ic(>wO#FPtmH&za9{vJb{-!}FC9HVwyjszN0%sto70w(n!>D}a?Sdh$I6td zVO@?cnQ*P-VcEe2AMGs;bH;ZX_1oUJRgy`K-)J^5@$D*RQKyf$c5i+A*?~9P4;A0} z;mWk6-X3+9A!ABMd>l`&!cicaXCjm!aq znxxxTR=xA3A&tjNW8K*)a1!MYYZq-7&O5%P(@RCcmF@a=_`bxw8%BZf5f7Zl3-b;&O459iys(J(BiA zOin#-8mCSelB7G+sYcN(H zb7cI0C!cwH9vD1t#vRZ0{HzPR;iWq|ub&3=bJv8%t$SyERZkENjT-kzdSgIFpC1;E z-ArE#KfWwtWVM!FBvu?T(P59$*KA0^4s1+bIM{=lG0{K(&s(- 
zHShh@^}R>OfB8Ir_==1k<6^wC>tsMDHK*s}l6`MCjm+ATlzjVgo4dWJ#(pWbRxwIB z3F*(IIlqxBPd zjHvzMm@MbxeZ%uc>ry*#S1ClEy|>qIxN+XRbWY3yeLtG@Wo7NYyL zoq@c!2h5?b-L2TL@Y&!|mFmxz-Jo1PeX(NEh`ZTdMAGsW4hXED(rIAf`u)+1{_8(X zO*tBVayi7?UtW1_a{pb2hRjKIT_Tn4MRXN>eAkx;Q(966k1ia3?Zyw4hbs?%f(+ez z?<1dHRrEoRF14uduATjcsgIOR;GDdEb=TWVM(rD#Tt&3>YMp~8-QQlac_i-w&H*2K zwmtja@ypk@h=yXH%{+T!)w=G+2m4!ZT#8?Jd1(6n%3);Zk?%5a^ZYsKn@Lw&GmFNR-eH*Jp&&e-$Y*L_zxS4?|QLWG4k9^PpOAKSikP(N9F{*KXw%dgZt*kT_&=iTc~ zvcGNL;k|N#EiGwL zz(1Ef@~OM8cG;no={eEdt=(pQ)_iNtwwgDwSx4F-8idn?J$_=>1pd^n&D*wZ+hck2 zV9n#H(Q}DE=Z+e|8?4-!+L6CnJAwez|uTk1JDAx5W=@O{OEgO#q4__*YwE5n(i z27j8lnzyjC_wfAboD;k)_plUa*1e#0g%>$7p!C+C-cb6d86elBf6 zt3i*%k=p7fDf7ii-}TCEs;*VnUK==IU5BP!XH0FH#Y}1uYImeU)Tw`33*wx0OPehU zFMPK7_!;fl!A}b}J^1cN;*OJh+jKg&XT_BL&r-E#h4X8dU8<`WkmOZNXrT4q+ z!mJ{8{(S#}@-01v73OtieH1~o%X>#H8Rv#><>Xgh%*=hVVp5-X2VY;NtGI$&z4XVY z_s8VURdnAncR${u-S%m1b$Rc|wd$%-DJt8r2Q&uC^7O1(4)oT% zTVw9!JXr}BfSS@YcpL zm7@++t|^!_8_^Sfp!PbioYDO9RoY%h&u?Y(uU+299zVLaYeMBl_S--~4w*NkkbCH| zxmF;&{nG|{E7jo8>QA0Ugc-P=i9hFz5@p|8G`wJFxZT=(#-~qi{gjx8nM&tB%d1$m zi!~_t_+;jwL8pFW$wS;3`5lryx#lLA`$^&j^sP1R?)5Fq3r`(p1MURFTjQq8o!DvL zJH^HQnc6|yf~5tRs~1NV98)bFQP831pbNFkw4?=v)^2M8&o<4;bzYx#a%b7m?>CQn zvhRMD?Uc9Fe0_CwU(e%fhgzAB3^J!mY-D}z(|ynM*M_&TR(7fyu};2hrhN14UhMsQ>6N2Ynj{w;QKi#e;ftDYr(l|7kvsO|jhk0$RbGA9gM<<{w$P z8q~55fL6+BTG~ZcHyfCN)X}`8eV2|7a|`eK8N{a77-P$)m-kQaKJx-FJK4-e8Ncx9 zo2N!DyfbcN*RjCvYS1&RO+oXvHJ#DCN0R=n{_VaR(hu0H854(guHDh8$$Jx*3}N!d zw<)?br|9_D_LV(G8=_k)*A`wju!~A|MsF-P3um_baGu6`+}rco;*s7(^@;sZ zuj$8*%W5;(W{~@F`k2h3kD{()UN+Df214V))PyJB*$VT1?0o8UXHZ2dGMZ%rcOR|I z*>&$0^G$HIU$OnzCkeMb8>)y7^RO|Fg>6>B^EON>zar~Wqq(_diL=`Acv6Sut?+Xd zNv*7-SI+J~JbgV-J*^k-zW3Rl>iM{PqaxKC+HV@O`O+T#=qvlPeoWjpJf~2)Tl+?7 z<%hy-tmnvpnu9Yt0_(R9sK|D`Zp>|7m?!T(v5v~Hr-P3^H1~kOdsBRms2pBc#=Ldu z!PnATpH}8~%F-R2o_zA_{k@j^ChKoxU57u}xu~@%_hYyqypz6QLB-A+CsKdS+g1rz zGv{gZZwva~xcc_)$m$N!pL>%x8s|M?zM}$Cy{+4~m8$)H)wMb-Ze4RQ0^O0p3+p%3 z^e#5?5Lp_>@A_@!nj#*Mzvq$#h61}N&t4#`xVi=oTpX4(Z1MW?m5gdaVS&tPUXW*- 
zyEf~1<*n1#ETt#q7v~o`(&v*#Naki~i6pV@=Gk5Sj00tw=H8Y~ukpr~Z+VmpRZqTm zZk4GHutzKz?$CET`!6vsR`ot!QZra|{OvN~slAU7+jgTD4N-UHpYE9cY}?uH+Oz%C zgVJ0d1eUeE+vg|lJ^tyfrZ$ng$9B^fm;W*=yXhpl;mML5>7EhO9lg(W+pdIXYx)w8 zEO5S=WjLrjKXeZ-c=t;8KEucfN4E@>+`gg8EDYG$IqMZSwwlUUI;*wPfq7Z-&Fb`H z8~nv`?%?yxvE}#9b~aWY-}SR#MAt^+NQuDkh{wWX%KKD!udaFD-fq~Ql1064wANSl zI=2-0f3(t$NbOKvfz4Pt=;zwxTRVy*%<2{Sq<14F`G@dhNY&{TPrrKm!R4$`=8q66 zGUiV8+IL46KcFx0P5ZS!adB|EgnT#Uo!eINiPBv&C9(;<9&{M_!xs-8PdS^I`9Znq zwrcZ2i@a6Fb;f4}SCV)gm5vKNi#A>8I{cFg&HI~*k_HCvp*LH~`^;H6?282_cPhG* z_jra`)q{rHlQ zXLfGATkvRZ^!CY`mKToF;FiK?{89R%)zF9)ovR&ptGrL1mbN+jZr%;NBw^Cghl96{ zE?gP(Meg4Y74PWwRUrV9tufrB8nwCpC;Z`-%4|TE)G{>{MI;Us-gd z2!Hj&#wqD_e5?mZ2{I*9xpC-?1;;#_Iv%66v`?O-{O#z- zChVq(nH4L(ejli;`P8nZJ#>I(W*1-jWrhWt+Kc8k!3ym^gT_sb-ttDIZHKvCu3)Z$n>5#3uP~FR`J;t(StKt zJF{GASNnU`d{#Pq*+{ZgxnaRa7nhG)6#WcqRqUQHyVoZPpFA4tGgs@Y-w99590c6m z&uKA{{`FH|?k9zLi@G#v1iBbAyHR3-=kV00 zHzbkB?bIFiW%&a?jb2SX-uCC8`i&pIEb-hf-|i_@qcipo&}TY|vIm~dDmx%=y4-qV zy|>KMY2(AhcE>i9knWEgvK82o&x?6?5d;5ukFoTo93tb&-Cm#GQZg17eGsV_vyxiT zV(+{e{cbi5-nr7Zzi?r%+WFb1ql@fqyOjTWwokib$IAw_n$xD0MK=gDw{_FclfJEN z-&XVBON3mv0@JyV@|Ua{`gnTLk;KF2o6TDP?yai*AD!8|@M!YNspQ5xGjCOFxq0;I zy?ONaGq)yO4jhBL2WqBHWFH#&qrqFQuEk_OSvwF}JV@w~bU^aU$VYb&;Y7^x=Hmmm&ttrwDK0y^o1#C7fBJJ5K%V$(5W3*C%XRe&x&z)yEY|TykQ;NOW4y-kIkVUi+zBqOd(@&ZKs$ zY^z!5{zMK;=mn@ksIEqS?68&lg`TCXOka{dClt z_gTlGlxds=xspw$2McKhBGLfUUBH^ds+5^T;edeXlI(z(Pzdz z<@$MN$`Z>H2cDWfvyI|x>9o?%2Gz_F-E8w&_3>weSH6kh<{GuDxrdH-wP%O>N8g+O zTiLliTl*`g%i--o-gsg6(`nn!y#H~&@YkPO5Kc@waj`hNf61|x-)~rHE9Rc8{f*$g zyKED0(Ek1UC!I@29y(ssZ)USI4{kgyoOi$Kuj#+`ZA1he-Db2&+~z#2 z%)VK%y?9Map8g_yc8P!A(D09nRfPrFU!7ao?a2}>Kf0rKDgb18=GY6`mAiW8{B~wP zUA`{X+rLn&|f&3yJYDj zx?^BCFS@Dt*5u){0DItWy8h0rrL)`jY>9Ot8t%rK(o}5jw0E9$+v-24>`+tTsIZ-1 zpzBb0Y|AHkrI(ofewFWKgSp|!W^E$wvqQ^F+I^eE>GQX-uhd*+ozFIJ30^-PnRw-` zoiljTNkeYSH!UC4>Fw*3I$qehd!`mB+4IbWBx|<`vJl$ucd(llznsMUl|`M>qMN5H zP(5^YZIcdKLyN}EZ;-|3)n6O`XuM8&Y4fopBd!J9DTTE@WKV1s&=hSq07cR 
z)7-84<-_yyubFZrQ%Bw!^R%(|L1RIWEmFp&UF)8O$}aca_vC%ebf2Q}=iK7s_KYJ- zau^uz?TWM71i^yjdp~McE9T$ax#4K1UV*G7x$+CF#hL0{ z>%LEhkWc#l#j4>&e@vP>I`WGPc%yi9Xr;4MatGnrONugmOo3;?J*zgio9$?;k!=R5_KI zq{Fo+bY1LrcG|+E(p~LsXKsJP3~ZdYZyj7YYt(6dTI%pDZSFJA)E~7w(|46!O35b< z>7BVYebr3A^*puMgZ(-rK^nbE+^!W1Gy$9cq z4chc=>=ZC)my%|*OGH1)8F6Fkt^UQzf^2PCwys^py%a1kR-=fayX-@X%kbQq!^0My znsUIkfA9Ics+?Qei(jsnZ|ti2DDcg*$G^;#l89ofi(kk`XgRHVK84p#pU1c}N%svu6WW2s= z*eu$N=CzV}A0N&egHB6dyzSn)&(;kt>v(!*>Auc}oT(Q|x9c7fI^dn-M((xDX>02| zK{;@mO}Vazxywl|kg%O=+aJzO<$g4H(UV!9k|T2+m$L^d@SBQKe|pHibz%K7r8eMxz-iXHn3{wTW^l0BDG_3H+qdV=2 zj)IxMLQBb1Aaf-(51RH&O87ZcduEGZ?w6&6H5(^R>iCGfXVuWlt8&b3btOv%J-9cY zXMA+_9plCPlilCDdtf$uEjICuX=Pn|?Xu3Ki+3HzE-je*F;BT>;|A_eCBG=WwB29q zI61R-xXH#bRUd4xc{8=JcVh%$g`DxWpCY1QyYkUZ%gO5l#11E)RBXI=YtV=%N8p+Z z958c$c9ySfm2>0n_F7YQYGT5uCrfL$OgCJ9JZh8-Kwh)w#*tmh9p9EdEEAR9xL;s8 z_CRn^YAmi8k(|gP!d>%HH-E8Xqb!HMU=V}x;F;>7;m+>K^g%m6K2rkhO>yq2)}lF6 zioRmkX~;uYnG(dhebS^u`;6X~6kW%Re)#_UPw#!P=+1#>#}vgUHxs!<{ZyK=E~Ls3 zm`_*>YX=tbPn?>+yi4ab)1GZ96hy9ftndovJwAD`yL79)AU!hTF$QSy)`csE9Nl zWdLDwcj8j_#2uT{Fx;)9t6D`KAJ2Yp_foMolFXAY8yU&oc9HU6VerJDqVD&-nHGKdI>L;<0JCMN*_0TB=Z0VPTXMeRlj zO-7RB93@9Zl$^69$vFs;)19lqefGQeKKr}(o^ii%ejNWWhHI@EYSyfJ>ZzKu)3i(C zmTyCpPW%VaWUcj_fUqT^zs$B1DfqwOH{fb3^e!ZO7uuhcqZx-h>-e_b#Q22gv zPkfcl`0#8FL=@(gJRI@SdqwFpSwO{9uRmO=JG^gMzRt6rC$QcjuwIiiEa8VbN1%5* z`3|#-TnalZDxxP)r;G-nV6M)gQs^YHuBPVZU;j=sQ9XNg66xmtlt>^wezS3*YnNHd zg-cq)qCYw>l8vmf(LH-EoSXXeOF(GU?p$uFLuf*Yy~hOHs)&1}((VWEg?DGiF+Ib! 
zKZdMZV3#8bL{6%Siq4*Pe7>rN`7mO$L7Hb#OYXQ(lRX7IN4I)!cB+(u@dw!ndMQn0bTOJ7WzjC|IEw}qX*MfB_<3YP~rx%09tl(2{M`@|qHB+_4PKx$QT zt#5o>oouLo9km(C?kA$$byy}Ean?a=`PmD@9#xfPpPT#l011=DUm68rXp;k3#V(Dc ziZ7;Qh|AJ=O2a_EdKpagU@M%`+mkiG&+L%#wp0=QT=TvSU zNXgjxAf@_XbDVO1@bwZ^uGNxT&hMo*@pN5=Gro|KD9mvG;==`42m)GVO297?cjpY~ zSFk-_%Q)B{47QSqc(eGave(LO79L*t`yEoK+tJ_M{SMo&Wo+o7be7}6LQNGGz4Erk z*(OwH`31_AO+3MAQr3FtIrT)oeY0@wp`!SvbwJVVU}?I3ndMPKv&HaLcfw}PHfmf>;sFbnDBtRTP38U8+}gzj9_ z(Y&s&2t|9z)O}rosG&IfdOm~nGpQ0IbM0Ak<=+Cm8aA74u|d%QHr9$n1PxW$o_%{-tfxud1!~(SV18 zXg18qFLdw9TZz%Eq1DgQJQMF2(+kdItLDCBge4c5-9&!;3i~uM80>qsWu*M9Oj=!Gw)&~y}8M_u8n(SQJ z9&p}tD*ObZ=RBv*?A>4eEtd|S^{L%susY0Ylm%GB&==HXahVI1rG4T6hZhI-xOdW)es-A&nyqQ4+Von{>L@lHDI~JgM%@ zVk*sD^XZ`iJNlAT9qCkkj@Eqs4k7?(tVYykLB>Gk=O%Ye7m;Rr!nNGOfea5?&n*nUT>uMyX2w)z|gX6)L+8@dGlg z8_kI?{ZwFqg8sL80jo6e9*EkHMioNcHyQoa;iGP+2e6rC4Ti4zH;n_H&t5(dmdmf>qQJ$ZBBf=)r*|%A14DGHfFaJnu0PdQfICyhT97-;AJO;?#*F)ENvw``nMuX@fpOV{fntR=ktOCK;${^G+ z?ac{cg!`mT%T$;-T8mYDP-V{!xW}TeXTQ`>Z(g)WVi)GzTqv#uXopJug1h9|LkOXb zFiEj{C238!*UcK%b%p9;g|VzZ@Dj8H=VSO-dPJM?klfIc5EA4mBEW*och9;2_bNe% z;^vu6wiym~K5(Un!^W2e3T;BmR~Hf6o11b4H0g8Qk-(M7G?&YU+)J?`?M}a!Unr1T z_jQW8?7B>UsbT2Tkpk)6_B_4Gu9o!cxafnX4at`D!szMy-06GW_YeKik(4X9$U)L6 z2t*o4>?N5h6U7iHgY~c*w+p)s^*?QYDteOrV9VA)g($N^#D(;-->_!8CrrNyt3;ml z+hxF3%WT#~BVbf9HQ`&Tg?uQr-N#6qXYBRaL3^+5j8i##38ZnsLvg!g3$)R^N$UhL z%FQ-aUW=>aRsnKlL;mZohjWJqtY1Z)fZ{z@x=cn^|GhfOdRnN{sO5t~Zsu&s+rp4^ zU*N8F^0$r1fjR~3e+y*^=Y5mP0g^=&1bM2E;L_C!qRXAWnn1e;B+#@tW7HNM+_&f{ zvrm`oA6oI1E>`K+FLYD+T+}A&hm(0Kx4$(n&F>W~r#8~9D|-sKm-~kex2=nz@*)ok z&x|1A*AGFe2P$VEy>-wx51Vy-Lc=3S5w??h@$h=K`#J)S#d9snefU=Rp#S=|(>5h* zpRwCY|1wjW4f*udLDd@z`Bf9@XO=Ab-FhSTWZ@tS+Tz8j62^!#IL!V9@L0V{+u=Z6 zQceRkr6;ONW(^yDf@eDpmy^+g^rL$#(zl}TR9Wi8mLCkkw_l8&nKzY9@^fF0SD#b1 z@BE;i*h-fPIp9P#6WYDcl&04*+%w#<7sSqh;u`ChAoJ`sS3xuk3OV*~(zRp#4woba z%DbOyjpRD`l<6@wJJVq5{G*5S3`6C$%VkAAREbaRmCKy5pRH059AfH8QI!$o%VbZ! 
z)+g^fnC&_7oDiX#kXsTBl22Jb<%0Uo$+6*s3?|GoBZPQUuCMfJo5X?jfoNXJZg~V0 z{Bb|~y$ni)=1kXL^w98G27`FFk!Z~=fGpx{hm){*T2lJV*SkJuI-CJQNs=c`RpZlE zxaaP5anEmNxTBDdeeRoq5+fr@sQGRRzV~zNJfZGUru$>guG>s44hfz{#TL_+^BkQJ z-IR1)kAuDF>89N~wG!*e1c|TO9Tf_s0vV=vOtq3r?~PHDc>XrN%5A(q(0ew+{rMH2 zE)ZVV-Nx7AgvB(w>Mvb$cP(6xcHXxkBvto<5SI} zPT#1!l4qgQA<3(gjWSW?4Lv%U-2!i4QT1Z?=X?AGx77igc4~gH$Hn?Bj&adndhehO z!Z0ssKwmyupCVgbau`pnTdzS>aVbUet2q6h8FeT$o$f9D;@MH*+M2&c_v!__cyrh} z)4TuB$AlwQ{T@NJ_FY2G=lSfa8=#Cj zkjwCUo#S-WWo1^QqY|>`2oK~|9~H{W?`FMh#0hw;kGB^djDM|($GF<-v~`b`Nj;TS zIqcuRPty0v#BXAHx)Ic+Ca5OLswykflCj+*{>YH$1(m#c@`DmHmxc2T)zV=`i3%q$ zZBmleCx}xrZWOC-)I#*6xR8G|5H8$+M#2hLSQ9V+Mk%lARzcQ9)ma) z+3AzCZDkHtj=PIRnNPgD#ZxjBtSYx3pJ2o?;^tn1IRPIvw4#NHR5P$!fcm1_Z15d< zF$?1~)kJSb5}hK;V6*Nt83Th@P(%BQLqX&dlMrP4pVLD!p#O^uL`YxECWcPTrDuoa z8rEvV&_%;eayuJ~?DW#ULGNyq)=hVSR4HztNNAvZ|1i)T>q%MDjs#5Ke9Zpx32%fP z)Da092CYsD5XRrFj{k{yeUE4Llu#ge4%D=W*q?Dny8h1#|09S0(TD%p7YyhAd)fzC zziW3UI+aA%xoWqJyDOX>!ug*++G8VE^%?t7yE$m%*T)Tmdn36_q8*du!*0?oJYwa1 zOknM5f!1>3N)42d~Ni zvv}?TJ${KBY1I6pG~#{IS+G3 zUXPf0U%8FKs(5#}hFg=_PKr#$dOM%sRo4@MqTVOrKV=wUD=G4JDA?HVsoViD+D z7i2cEqhOm=1mI&(xa^%{DSUy0a`VXuyOQZY4@+4UULDt>8v`F7bXsRgFX&IF4$~qW z$L;b1(Y`18-x9476Ra~yA&^Po0|Czru8J4u-20$%{a(gjS;|L}s*o}PuT28TA%z&b zW0y*Ow2GfKfk)2f|0Me9&+Pg|Yfb5n9*VsM&_e=q>-682`2M-$(UT|x6!YB^=K1F{ zsm|BOCoDZP7=gqrdI>vo{yhBB#BL4MdO+oUlwburovx4VOdSga{Q_TA_^3l#Ca@A= zw#cM=^u1PbHWm9oPnzz{L1m*rZ-_&Hu&<9~G*qOdpc+CsIp?ZMcJ3l%H-!COGhvE)0R@vr z;+)?Se8G2~$QmPV)$_-F)j)+KLbQS2(zuTTA78gS76*YeEj#1bV$n!Q?KNk4CdJ4r zR|RmSBvfz$=IkLx4tvs_7JOZ={C>J5C<2qEb=q9wAZ3#G2Nm3=cWJTL@DMO00*#z$ zCR2qnE?_5cV?10BGv+dOMRGC%hzSsVqu!vD6NSvNIU?sk!v>_!hDFmk$7~c4BSl;e*Bo=g^5<3~iiR)mrML_n|Q3qQJAM?R;e`12_Wx8NN zQQY^ct)w_Q1VWm!wB7qQJ#t946VDfm<+Cs28VDD8mnw=I-~=09)b2D0gs4xH2=c$Q zfwj80rW>&b|j=ce-9_pbv30s!K;!@S{yJY zpT=q~64O95k_1Bwhs|C}cy_!3;lwk;qVq{=!F9!($go>k@lca>y2iobr8* zGV{eP7K56f_^}-^g&jZE9>O|b#}lb~B>-{Uvc5@jy)ElD9_;tiFh zKL|9)1JN>pOk{z+EQ0(?#^5Xf5W}XH?EbNs7*EdtF_dQb6EhN>B)Sk}@bwL&*BA4Z 
zlqawDwep`}2km-wQC_3hC7^v${j9_P>XC^iIf-9t{W0POJ45wwL&9*)^kC)00w-B! z@pQEFL<4(vzMBiES=Y8&{8V&{^$RT=>*RGLCZ}kBsB{YG90}i_Cd7HG=jCf=+T%$F zBJSmnl}twmf+I4mb82?Ct4sFl!Ly0_z;_mo-UAQOaU!_QjO1ElId(z**YI=&+7v>0 z;iKOLjT({uz{YDZqBE{Cec?TG z^zqbXfn)3c@=x0zo!I2ojz%rV%-8%98ntJ}antCGYc~$~EA5N1A93PW<`RDOR z=j)BDN9MkfiMJVd$jmd6_PFQBE4L4L;YS}&kqR8ox%yAfIZij^8jj{H$HdbNsm}?| z$UjdbDMe=a$Z^B|Jq;7Uxrq}5)qi@%D=nX&bVTc(H+mo=YTmV@_qDdB%R`*jU(X!kN?pkBC!k}=ZZ z9FEbqdr7dPH8;eqIWT^PCs~H3aJwG6bbZX}*nn;wKZd!{JhsK)6vpWHrKD97VlOdZ zmV5KX`rB6BJ2MBu7S&;8i2I&;fE+ zQfhB%NKmq$EAd>x=7*aK+RZT-*7~kbN)5IgLWjF7ZIi({>x;rG9`7l5q~^NQr_Eba z%B6iM871Cc2wog0(wXd^+|gEU;_eJ4{x-ccpS_uA6`TWj8f@p}b;l*|2j$rsFMgqGwB{tN)Bw!|e7z|8 zfbiUvhcMy&-<_E$)hnZ4Czr~W3*D03lH>5Ux3|a2zhvrHRWdU3JZ?g@RUIDea;W64 zX^dI_FiqB~Dw_NrLcNP9`kfM!ZoO2#rs%lxg(#Ew?e6y<2b&y4g9vaGE)Yg9b-%xV za=?)tmOC)I=bAS!?RQOgA>xIDQEfd!i(*N*{7n*v{cRzWibd}1iVbbYsc@4TU$*}3 zAFioCo^FOxpJFq2z09F~?|mSTQ}BBOUnPMLhi7pH@-6aaK6F6`n5DrjW7Ij%M+Ac= zL_x~7^F18c@0INjfE^PCA&K>f>!z0Y!;vQEp~zDA$5uAaN1B)eFAG_1DpYV>E)449 z1M$qhZ7%wiY_jFk#X1>oP@ZI_{z%AAh|@vKyVKC`4pXnLL)14ZiviX}r);zbxUOL~ zIR>sec~DgP7@SbHUhmdqrcPXP`k~qeVwv;``x3U3&JkgknfZ2Y=h6}P^#;Oa4QDn% zj?C`yA5Z+)_f?&l56%-Cb^5*h$9S#M=;C4#s;Ipsit$|jO3&q4*)^yjB6K1D?kw3d8VsBOde0qLi&PeA? zWN)#gly3I@i&y!T-<+pDcmk7xixN@4oK7HiCP->r$b)p5taL!Bci#CwX863T9jiWKR$=Cy5eN2KD7?|n_q~P6eAAwZj8}OeFxqJ@^^xC;b@-*Iog1u)9NmA0OXoUZpnAx(+mD=eR=4|R10MJ{J5$HmV*sdA_u z{xFF&XM?%!{AT?XS9)*y!r-#*iqoyEwP%Gtt|eWdPxo7!Rd)j=u$Bd@PRw4;LTaV! 
zb~Nx!r+)pkWRGtT1(jd>W zShu6tK$hPwEPJUI<5WRaeGd`jAEe>CB)47OA<$~YPg7)8)S4|_p5$ckvG=^I;JTfj z`6lk*rh{J}ji~;EFf*6c-KIa@sA*=iuM6jm(0%gKYyn>g$}1;Z6Q&pjD9MmiwuKs} zRI*|m;bbd;Opd|9I7BFcX!t=Y;6#m6K>@*S)52x&5oW{b?uX@5yZ*7>S5y4F5d{17 zgcugN->grvCSsibI0=CX^DoNI>H-!EIKb5^my({CvK&6lwQAF!XOX^fx60AHXxC&eZt`l&YDBbXujC<-CIIKz}Rtgf@B`}KW=bsfG z*sfrXBC4T19##s>%~(lo2o{V2exlk?fdL`jgNt6zi6UTvLDdSckY0@u9S}U60qlvb z%qf3g6!L^J?0#k_v5+uHR$@Nqgfi6w z4cdx%?tRs6ImWJ&4i@WR@c1$atwB`&xXIujMXzvQ_muBIMhR6NF@ z#bKcHKqC2X`J-ok;;ahnUul|d90LPFaLajP0n4VIR<|@%7N3r+VdOcGwLdWsj<^i+1a8D=v;S4}{huv&!q-|HpVVRfJpnJv^)8Ky{}dJOxCY$)X3ju#~q5dew} zON}KErn&4!dE6<5@le8n%s*OiT~~!xQUn z3IIz01o$D4am)yXtf3bB1x+S^1ez=*3TeA?v;!;;!h_x;!`cv_lHi2r3ef7&+#4$J ze?J#!6lL$EKs3aFkRr_sN~48^w<~qQ0o{8CvRAH(koa-t2FZ6QFDr$Re}V;d79L_R zz%*CxlVZ^RyjXO=3brpm{)M30d!|`V^}C3%Ugj={-t_=%DU$y}G3MO`ks~GemplDP zqF|O$qrE9A^xGgJPXru;V7&|}K3EZgx=T*hP~DL7LrT0$}418 zYvRZ3<10ddWEw!WlZA>;KT90p^5uS#JkBMvbatKIM=&64CoVyppcuH9F7`ER7!rlN z`M}N^=WxVLl8`Zk7u6g(h8JWfae#ptRp`U9PSZdR<4{xA`p>R{#iZ65gqa0x=B`;JdiJJ z?t*u?{?m8F5c1!_C4l0M)A=Z`R$m!IKxWY%}Py`PX^^xU&ml^1DHyGbf1p{SjHPil*Li=o?v#DJH%;;Av^=C zDVAkdVnA@XnCiaA2}4_rCI1~nUFCm~x=Vrr_y*)F_yoWdO9}oCbb#QITMu>ClNR!= zNRn~3OkpfKeyJFIBv!@E*C<*vY_$lc@Y- zd0SJcuhMqudXheA56BhuHJ|!_Gh{EmOr*^`=Y?qU0+LH)seQU*ah0n#SG zfDDC6|FdSwCav!__sn*`NvHD zLYJ&Swy%Tg?B8@2x8zLENH6P#E(}-btgfwL(Q$Dzf^=^HsQNX3i2+d|au?AtUfT_v zMt~pQFez+w4{R0yG;^Zr&41Iu+MDZ*z`L{Sr{UOZqFLaSH_#$$a-e*6XK_pRH?+#w ziGa=i8aKnO>~#}xQcbrAM;H9ff4|0UxlYEL3(FGV?n4o_p|TDC#$A2JRzEk5=ohxd zPy2H8mK~=jZ)3vPF{c;7ZR1C<nY25` zvs&Gm-iIE#-cetw+;^LwecR#(X8?|C^WpDpI?y=~91i@Vm|&kCHwO@&r$qAcvzA-| zMJ>)^O)>lu8%x6x*7?^D?LG6Kj$Ah`T_tOfc^iKb6@FuZV8h3BeU8_tM)a-DH$STV zB)fQvkr$i71)+QMlb16_&L7Sbr>Z4q*-0GC24TK+4A^Np4%_ao_lR~EQcd$sPj85( z*R*zDT(A(FI~2;Fe-a#DILW_e-P0_GxOYvb$RapXr|7=Q855But6xKrLl)}o-fov4 zJXm<6JBiIW*jT?E$b8LF+bP=m4H?&SZ{G&Py@+hBZ8p#6J({}lUUl`=zCpzTDKRt- z@v8_9gDu0)b)dbB}D?S{F{4w^kykEmkC9kc#-whLCy4hS-Avx3PaOWxJZG+Mf z!@$_e*GR1ZO-7|2s|TF!PCpO5>%aIlhH8)030Y-y^DWGc%&8UG>rx2rag`jlyv;y) 
zvYCGw+qV88b0?GKcPuR`rWKr z`-|qgk#?1gcxjd~t|BUm{8`c%LBaUbvWUoabz?zytKKiZ4~pqw;NCyB%t`}4uBcUD zEyPVCy*?0Ph{+sstN&^|R>5U&r83^>AX`w!U$mcZ>MDle5YroY+|^vR^T4LRfYI`U zMX5dI?!wE4T5>NXW_MM2;RW+SzUr1}Stb~pkM0{C#qt(par}*zMMZGop2={_4(EgN zk9}IF%A%J9OO3xa*Q6^bswhWBx~hLb27MPoXX-GS`)Xx6PRx9xTZJ}RWTcn*go z+oEq^nV>w#v`?xleR`!j$W^z@cIdUja-bc=nj4Up?#+Y6OZnAq9u$J+%_lucxV?df5Ak$WD8bdJ9AUY&# z#hI!InZrmWzmPj3D57d_qmKt|s35CqtVHUE&&aF7KVTq}Snam~q zabBYCmwHk;7R_z2Hi^Lb50`LRPZP+8gWENS`7d80e<9M2iXzL|oJ|%a{dG{g+<=!k z5W-Iyn^Lv6b7g+zmu6>Gen-lyt`;gQJCVDt3n@~9a4wsT&DHJDz;{t^R|F3Yz-63D zHmg6hjeGUGRidbKTahW|Bl|1V0?C^tGDQxKl8A*AU)LlCQO=RlVLu+2;xM?g$3<&B z^TY*>-8UV=^bFOJ;rg05gE`v!^vrDw&SCk@9Hy|uv zw0sS1Bqnw53AcfFilBhzb(~Xa`zIU$#=FH^IwpMIg4+)j0RkqVK~@B(o&jd!#J%S0 zM;a7)9mWjU6CDKNn%kv|cmQlepo9%_C;tFSV$M-B?-p1Dz$cRmbP_c7DOo!?B8tSF z^nTni7KDq@UOo-khlTHVfS(Eddq1<1RIm`St$k(MWy_~0B2)cwrr@pKhCn1q9WM^L zlyUhXk-dz64PAoe=QkrVJJZi=O3?BgwJdexA6vc|d*s3BeuC;s2;T7hBfJ5e3IpPf zHb}QZuyQ3DkT@dAk_Z<$ens1#6TpCTzHKC&z(sgHw7T2 zA%H@sIbwi^6*pr=>;6#$-} zY)6t~Rwz>L+8-^od>C;caNZy+J@WB5s2h0-nBSrQBGd)I?0ySA*u$28k0n9e4P=lH zU^Nm#@(|bcpNI*AOsMsPP&yFOzr+;($3nWxfC%{n2(c`kzqhp@I);D*z&BXpKrRpz zc!jhA;}PRYY4jFyL|$LKFgIDjD=x<%2Uk?ks0DC*FUMb1>F;Gt`=19XA|NE#!bJ@r zLYc%xDC9Wn^tV9x|1d&g z=whSq`t=u-2g1-ur0`AMZvZmSU4-tV6Z;H;R3tw+L|+_0<=ENu$o?%yI4ME>mz{#EgTiuNq6g3*h1CJpXAaGXqRT zudb#+i0}_RQFOSCiR9jTc{SMs97a05JV{h z5&$9``Um8x}Bhx=BJ8~rB6O<`Qt^^Bo)AYFfXNG#C^1cFoqKqe5~ z0Td1PAJ)yluhN%VsG;0(Edktco@d-ho_a4eAf-eLs>jPQcy%x1K3A!yY&{D3!SDnI zMM@hg;qj_lrWRsiBd?*5TPymm>*^&xU!JYufPs{L@LA6Cn|o(oKZqN0Q_ry36L7y~ z9gN_FuAjF4_3d)w#^L~}T`D+FFzC8DWL-<`fYhsckPS@pGVJ3n(_H!7wrX(!?c~k0 zft13l1M@jSv#1lE4;Vgo{s%WQT1_MTB1iaF4e9E@$bp7s$t1bJs2AzPr&f``s=Z0h z)fS=Ux|oCC%=6#5bVMD79h1*da3fm;=dYJ677k2=8Tw*5tM*i{IZnVF!M(G{Ur@gN zQvtZPa{lA13jx5;Fn4sNs7Ul=>nmMC5XR$SR+b2==+DhDVfb`vAAVMQeIKypfJr$o z&w$vwVLDix`*g6l{YM@+w(-!yK;=+fRKL{Lbc^gvNzLQt5A~&X^9k0I4Ly9z-D&E9 z)z#vupcY^c+{8-P%OvtmARdOK8|&muV}ceY8zy4`m>?W<0-1?XhkBk?VM9r}ApX9X zy*(Ed(W>7aa$mER>lhElX%788PZDX5J#=4PT{Y^jNi% 
zfG&)jKpasL#ekBSg_GIcuW+)9TLG7RParQ$-tuqoS1)r7HeFxTCU zV5m0j6G^+gLaQpo$Vh#~rcJOMHPnV{$mA9xG>+u9g~_d#EXZG6TcElNIvi80g?^I6 z1UL8`#RDVEL7nlug+pB*BG>8&}=jQUEEyl$iBN_cm~z^VA$X?X2% zjK8QL{DqXHw=A7yQWg9MyN;puA7*n>ZS%*?>*r; z3?0b{Xkx?nQ%%{6JoI5GziCruP)EqG4UkX7e`e#!n^15?f`I=L-6d zN+pr3fQ#8^0pmysEqU2pnb(h$fV*?O{4MRJoAmWZ-TZ7PJ^gWH3ra$v>IxWH8x2Q- z*JsYP*C+ysFCKs(J@GE#@2EJiJoc{w&U}kL0oXDJl?*n37t(}McASRJ1B>r12x3pf2d0Tc`_(uM(L{tqd!Um77Ua{^>6?(0jm(1ZOuaCk>-HRag`#`3hF&YV2FebXS}ItT9TNBqcn_{&9L zF(JBVd6CLVeIu=#{av?;%T|5^YW!xB&sgP}~Yxv3G6u7z?sP59`bhEZ?b{E57sC~CatmL}HM-0Uq)=7tNTb3YN; z>+)IkU*|RNVt^YA@0;pEb#tcYKhokzbK37@j*t1k)-2oAEV4s+-AL8%d`*FQW~n8s z(b>_$R$Ro=Z-VHeds2|t;8;o5t#zse8Rkc}Nd`70_JCzofCyNC6-N|S_X3cK^~XTo z4`}2QF>A)>a$ajAr(U08rAhn{6RJNKPQ2^#in==okQ`=xRXSA$QCHhaEpn6DSm~5a zxVmb6U+^=&Oy&vSEEs_p4X+VHw#7Y2nHTRO2?anoLS4y?&8Ig3>2P6CNz~esLUu!h zP+itk$;5g}>qlq!LSEMwv*{B2T~nnc2Yx_q*iJAtZ6a6DnrqKPn>C*?A*zQVJ3;)G zM$!Zr4uphI%d{CiY)UNfj%S@Pa~25oap90<6UgTN#bn8XC9!Ejc?s}j_2H^iAMstr zZL=fG2<_`Li6Gcy31cMy28h+rV^JQaNCKJ0XIm<^kgep-A9u;RZI!V>!P0;CRhz?c*;2faggn#h0&eo-G2o75_iw{hvQc@g%=^?Y_}wp|SClPO;mYiSDO5Q}gUoeAuL@C62ZA2gIK8V3J0vR+9Rf42T_(kA&gC zT|tJ+`;#OBa(ddf6e^D^g>JV7vhiNLzP2u^NKL!wtib;N@v#gdt{hWjnFb}Ltk^D{ z1FL-{tN#N#9GiJZuB;m8Bn^D|GV}b2IpkSM>0qod?4O^0pu2SnLyX5QX$1Tg9t)`jeVo)fx<-S;Pwp?AkVn(#k?=}l1+K*Vl#kO5=`U>S3xZ-tc z{KQy^tQ65oN>Py5BJJsyGAw8CVow#5`Xy>6v;`f?d>Q!q&fd#%@>RZ}*>(f6Q66>o zbMJw>+b1CnP|et@ZPPq`#m237+D1frBiiQu$ku_IIbWsud#+ISaM}wo5G3)kS$~I2 z2n2}$YTx`ZB0wMc375bb;iIxl=&vTwN{>F+2h>9X0S5J!K6C3XI1Wp%l!e3~ivv!N zt%O4knqRXDg%o53Fn$!p?gn=7UR@x&3Idj8^pf8N1gx~MmTpcsR#Da;ZOh-`O#^(k z=<0-Q5X$TS_hDFpyU)Xy-B61^KIuQLTrOWP{bAfYWH@rz6Tz7(p;Roiu|G(R7X#3Z zh;jPXeJpy+MvUM9x~H6YI<5FR{MS_DCiA1+>JQ`HZ+*2wQhbJXt_9DyS-$b$1hdlT zo|KA2c~Lpio~b$#F4+Te4C>5AJ=H*$0X>cEk8_(6AK^d&WD^7m?jm5Ru?ewfj#_V^ z!EBk!f^K93J+1doHg^H@s8RO#JMp z%{Z4mdPKKUKG-b!n0>R;Os#Ysj*;CQC|p)ntIR`D^BMV5I_!w@K2_TZ>77&)36&j@ zy!{e+NoJ&~lBRN9Z#`7=U`+of@*Lh<;&S(xJKZXzinc5WK5?zRD59}fGmku_Zn9=4j;=DN|zME`A 
z9Q69LqR{e#kl2LV7Z?z{L79AB$h}|+pl5x{*EmR4Z5ZO%sTtzds|p4oF6IROER=gR zp)8SPsOG@r6qVN@?YF7TUvkKBKHZa8nO&!#S5lrC@(R_DiDWhlhlV-4Up_WDx>*e7gZkKSga0 z&aKa6yT>=h%vUPXJTIRs-uC^uDQHhoR4Kh9=(r_Hs1qP)c@XVnI3F>$&R3XX+^ES) zU6i5yzUt>H?RA^I4OuV8s5>GUn~mO(RQ4O;S8noYnm)Z@oxP-UFmScZSG`bacF=A1 zEa^)QW%ws>jmp;x)Fc_iro)dHup?~(x@hDC!3Rs+A()SJcnoo$@$Vw`0*J%q-y!P~ zdWPRH1ddHQ45|&RSy|#a*$mhh%taT>t&JZ@-+UO}X1Vv3-Sc7H^1`Bg>EdZaDFX3W z=5D!ZMJuOhF{buFlcsDL??Ltfw+mZ8-E?=jvIm^AhrcWnUTxz<%jivMy~MY+BOI-%KX4WG@|s`G)0w}p6&?oGAYD^M&e&!F-cOu9SCus%jsd@ zXSpi;h7W89gntgqT=m>eEhho>#|K?{N+HbeDf)j8A}dbTtp5lKQxZ7nv*bbv5z+LC z`iD8e>2f28f)^{B>r2tE$j`wD)og$3C^IczZi>u)>^{5qF!(z;uk)&v9JmcuTf=A) zSxYr3@6||@i$&ufKI!Cz3T=qHfCV^3eiA-fgq%?-T_>lo39wQsZ??G2ZC25p6pgI& ze6&kuEEg!S&9}@~^msN|a@M>vh?wJAM-l6(BxKzN!bT|YF;oVPAlMc+Ym067!6av<6p91nzS{V%bng}CyzwLVGpkQKG z^7!uBuRA$#1JSVpy{6|H2zdQmG>rf{9#}_X1={ zUs`C|A9mDMWp5pJ&C)9pUwGNbz99T=Z}9yW5oeX3G3d4|EzC0x`WlG8{P+PkNnd0! zBg|=)MQI6}d|5%z`8^!34Q^mnz*Tg)e>3{lUf9oi$*H@>`^b;2??q%R-1dEb&^@(D zSE~TnPKnY?BX3G0RwKIQo)V%dH(bf2BhZ>BnnlSZuZW}D8Lryr@FYwrjMDjs%-!C2 zMd7RsW1Edat_sF_axxyp3iSpT>u$H*g~T`1`&`Ubky+u$4E-v-^VEX*TH!C&oHY>T zGGv~h;*ty$=UobW23eIS_s*zX7$?6kYpY9#zs@k0EV`fi0sIP*(?V`-7bt<~^1wSO zd-oKEMUs*N{K|#0I6!coG7wVKXlUKLB(fl~whPxb4K?3KJe2dw5N?XTqk}<~ulMN8 zt;HOc&&|xNm@A);lSIe{$`XQukwJh%R(U9nC3XjUfjicm*p}`iV|CD5z7ZFm;>XER z_NuKSyBUJuu$Y|0c?^pJ8wL1f2W4)k*V9n1_>F#9cNl5m&$lnurhwB0I*Wa|@wdIB z9EP>l7Y8)YQ*bi`V!_X5DRJl&UJop!;`K&O_(ooUiXf3tfn0S^vm}Jg6^z@>!cU`- zdrw0ny2ie}>t1UW&Ax5%;~rI3hS+tjJchtga8O*^&fflU$89)PNJ9{+t@aNCfyNbs zJwgcIx~)GmQ9m7Kf&f4Ilb8j5BI<)Y5ZX1fZ{B2cU1~}S)JiJu+4nK1JHfZ0GB{c? 
zFbTFRkQAA-<#sAQUQnUte)LKENX%l z{L%S5GR{yLVh5<=O!&&B!7jP)XPxnor~EXgj^u_ysIOT3GKM6)_}6!;?mL@KjfwRaHu6ui3^LA7<4FX zpQGP-sa=j^p_uUr(j71QAg-`e`f9eIWhMRAkVWHEDsXI9T!hv#UiT7-cItmmqQ6;{ z(YzNYI5d25`LIfN2kRcDKlu3jL(zbqCHCQzlJx%2W@E{elqyY-Nq#?Ewqnn_IyfH4 zTRlXQ!tcpDQmN!R7r?`=2)1(C3GW>m<78TvM1S-PiuOPUjthtr2x9iEGPWnr1}8Yv z@rZt(t>i5;@!R-mqAlEH)v*LwU#rIv zjZ{9F36P$4?6(3EVnEw?*%&a!eRenp|D_4S&2q%8*J4alP6c9KKXW9A2uR(xt-@;> z<(O8vb44xdK8g`e7<)_CHjkWjW7-VkT%&}Y8uBIfESLY)wmEx0|3wWIox^L8&PjQv z0Ss|w+n6@=r|Sf~{Y++1Hl*PUjK*?a0wq=qFef{)o!gp#thpeP!|exR9?K7*BSR)sA$^sUC)XA?m7O?nK5% z9sMyH=}TJaBBD#~1fhL8aRKkk<~9*9^=yxx?|#Vq@1Rl;?8j^nd!2XW<0Qo7Pp-Q1DE73Xhi6Qw8T7f%6UY`2@3+?g z*+-CuMw*vHBs=mqB}f!}lHHdD;R#Ch-i9nPps=`?20sJ2707-WA&GcUhtIX82x8Dt z3MAr8##7vTZYU(&>0lTX8Ag;L5Yh(Wz(PF9RQW z8YMS3QzLN{e)I$K$IC`iMyv$@y+|dM8=%&)*~nVex5~rUF;UqUsJ4|Cc1vLRB0w2k8Z_*45wQN;L}Q?h?PeayJd)!< z_3Fj}Xaw`GF9~NbbqP|YU7$+Y%UOUGfdIdHHuqag9mq5X1W}8igzK+Cl$JCGX`~Rg zLASz(o9N&!9tOqC2tui=rr$1tR%jd>1Z5cz=GFNZ0VdKqpA(fz5qr+v51DZC^4~{e ze{0ACc`F^f`Coado=?LB8q>dPDhnCD;r*I@9C3koLI&hpM)R>~;qMj{5P9hQo z$vJ0GRC17B1|u0S9LZGXo*S&A*?GYmI%;s3z^}9Lp}awgEY%I! zl^)$qOF_agHdy~D7wu{MJN^^Jp>#Qt*i5ALc>V3S#b+ibGg{LmxAxVBO3a@qJ&P_! z_D2y|EQS0^uR}-gxsx0E7U-0lNO8P!FjL81;N;B8uIRTs0`|VovfBg*ul$fE1}4rA zg~3;@sJ~lzp%+cy6qU03(FP-5=FI_H%sNFOrj=jzhkUkXzmu8m9nagJ<(86NmEoB5 zM#Mt-a>{YlyxrO9B}N@U2CFNm&CBj52eoDQH(di`++W0|b4LWs(lyF3fyVmA65%z{ zeY>uv!b-8WW8_h^bl{~4Yt-&Cr8R?&!_n6GQ}xbqbAAt=n;B=Adjqt-pWc zeN;5zXMH|G_mNjk%S+AzWdSXTDZFd8xKQ+gHO_@A}%obsLJawZ>qrBi*br-t8BC=wkz zZ{9h~VcGfS-b<>160c&zvsW%=j@EaRi{0qhVY9w*5kcm@MSL|-zBupgJ5(I}pfd(n zLPe{~wQrb2-37M4ZW|ofXxeXTM-tWkJ#MKh+h!%Qed#jSX`#Suc`wgh-P_#0Xa1g> zgf>d5*Hv$wtb8Z6!dMJVxn&Qi(xlHP%Yx%Vkov0f>+Sg*yw62<7@PI3?ALuh6My^V z^*#aD!Bl>pS?=xV#_RSCl|QVo9i598qZmoIvQmx;gjdiSFIB%k@B`)K!t-d?#RiST zC8(^=cv-%In9XEs+S2Ep0(z>b0c*6_sG8D%_o?4u*~(N?N{h)wm>g{I(*CY#% z8tj&bRL{bxr%!pN($q?Q)Am-2?ULDAy;4eO3#sb{lxmMSbLd&U4|ayOyy4|6(X2C# zqrbHPAWGPp=WUkYIDe@t9e=a=++JE0iFOQK67VV2Ibm! 
zAimkGnO(GVjn7Z`;k{UsRhNYMmdD(E$glkxJ;D-5Gh-UtLaXt3iXa*lIQ6-bF}~vY zND?;;=$~>}V7mgfD0castFsW&8`U%tKM4V%@z=>i-@F6fJ9b-^Ru7zj?1Q2epu9`c zqWBZVt|EppcV$Lc<5`?_P4|3YV!VR+#!k)qh86rQjRS6Eo73NZmu2bjX-&gU=bHA+ zh&3nn-R)3Z=OHvB@j zUjYjkdHN%91kiEtNbQ0?RS&S0F0`9QMb0z97T6r#i}WxQJilr=g!Wgjl=aym*U~Wa=iR+4%Pa?NE{mjr;G|%z zw<=n+=5_~Q5LkY`RVCz22^m~oQATAnPYW1NbFKS4TV~NLn(`dFsvvieOmMWKEG#~2 zWb0Czl4c@K*5M-@eQ;y2m=Ct-ru|mcpI1hXBDP00j~(X9ffh@;or_$4Oy#YLEX(2> ziY6GdB-3&;Vt=}mEI_t<(L_XJKZS`A(Vwzv&3PZVht_PtTAjd}vO2k@hjVaYxEXj; z1O_|q$;sV{)z!v|otYj~T2(C{l0nl%P`dbH-!CO{P<%s;lM#B zSb81xA`t`zf+=ZwcwMVE^PDJ&lO#Vn{PF29|JA39)Ht8n@N9PQJHbUfAzUIzq9O)kAH|0a}o(ekpEff#5@15aJ!@$oCk<*cA`^` z8QsL?QjUwT!)H4MlSdp%fgrztw_WfxjAzh5*06fa#zH;Y3%xpb9V4w?~UIG#ofYt`63wKV1MiY8lKu4 zI?OyJ@JM1nlZ4!IlYS8!bjV-4FG7;dr15IWfKhF!SFI@ed^tc2P&-Ze1;m_t#0#Ud zN_(N&o7Numt+XqO1W=s{>^EtW3$M)ZUB^z&?R+BDawm5=wg&>YwRw>KM=7y^O9v4= z06O7BWhK*>X{T(_mPMCdgJ}NNpBLlW=|#bfapL8OC47CDr<~hB%LWc5U|W#P@el=t^qTjtETf#w>k`?{skfIZI)#TTQ+0Jvc7rmdl|deYXVw3|;X+kBD?LfPnz=p*%-~RvnSY=l^~IxTC>$ zVT=H0k^;B*DaaxI_n-dz^#+zSWgmUmdv>fUFZs~|L_7m4^nw7FZH92!Xn=MRqyV@! 
z^RPUSmTQ?(v=7}xn#m{58#6>o`!X;_pC0m~qupyr)7Vfd4UP9O| zkDtgbz5JG|8*Swjj0lbT(3@s(ZMtJ3*9P-G1i#hr9e%eBy`8UIJ|&g#U!ith(%o-) zq`Tw!2{Vx36WaZ^*Gz>P)OYI0;IE3LpLC= zn#xjWGSKD09L4Wf@~qdc7Jd>U(4x=Px^Nmof%(azjRdtytEC}pG?^odxP9fk6aP!i zp#BdP<$r;SlLN?Yj~@ zC>2O-o+I}AS(y#&A`IP~AmA2xkr5$aV0-Kf`B*RSNe2*Gd#dKd`g-Y}*dBQrs71(8 z_~wtOV9OiaezDoUbOAL|XP+B%&}xn%eLr&vWdBNM$$sBTqIp?(F>l%%)!LjIFgv7e zP{7Vu`KTBUyX=x-2l=jwP3Ln(-G9CML}H_PRx!lo$L%Cgzt@9pl&aGd3Jnpv01OY& zHH$P;JTSCyw-g6^k%~xAcpI8j%S^aFuX7#hH-+yyhHFLUNNA2~M`zY0Q zC-(g2Z+@>iS0J67m4vh1xSzhRY?kbj`Oas-d1tF7uCC2boaMdtMI$Q?Vk0=L(&cu?C(8yG#pFek zCJ>4b8%0Gzv0c>RtU)*-hy$%o-)B+vjhxs>ovo7C<&~w38Zh{Nm0GtXhtE1Nk>3)A zt9f0`y&*NKi0*!$jGV84t9`BKUR;Le4+2$TZ<+&^Plh6kzk(#tZJ!I*H71ouz;rmb z;|U1wH~y9~aFo4&rt8as1O#Xevvq*uC&ZzlRaCy2r#Q+4g_Q zBLkv)zk!k_qqv@M{bipH;fzhc<+fKq+|zHYpad#exZw5{m)xXCS9<6fhu>ZKqhkqj zMa}~r;Jm0UD9^(NDso67*mRFIZwbQHc8H!H1JFT=17gt4lb|iI+<<>ljR+5*+clS} z@+k9>F=@=fRN&*TdmMuM|LAhWN4QE@=)f!9y4ly&f)WM~2`AqLA}4n`A=dNUyfpaWiRz4&Md#{Ur>pt=2q zaWi36^D|8b?mK+t>)y2}B5zxkW=qk*WFoT+LDI}09h1`u+!GHBIiCBZ4jZ0_{Feib zSJ^2it)v-qElUuL+Vy-kxp=bz%lPK$x38Ip(pwd|fR%mY_AS zd;RBDM9{)&kA`vBVeJH65Oh+2~8u<9#P zK2!!TMbdVj@&xwUKuqN`Slf?HDmaXte`OL4Q1OzGf*2VDIasxgUlfs)N_VSx=wUVQ zGa10dM1on;gN(^eq*P=FySJ9PgH1g6bkiPAV^EQ*6c|7{*pnghbzzlM0FYNmPYezI zwVzDT+S$DVwRTg?D{|a)iB`pl4tRU#@CvTEFHNmu2jnNh9V->(p)?=}lg%A%XH|oba{Iwq*HT?d38Z=wb15Hj`lX(RsDj z0hIiXaJjyImm>Pd(4womhr$<1e=f(H_3@(k4l*C}dD? 
z7Zk7^|c2Z0ldz-rwbsL+mepS%I4>!0eJtb%B;~A8N>6?l!?4pI;n1UuQP5Ll+Ep zCp5jQ%@TeadpdV|VkHc~xznAZD z6E~MpTM?O>7%RGKAbw_5H3Da1NO!03OWgRj&7PGkliYx0$$^~0I^T~tM?aU*sr z%MH7pHS}~)kiRVb6?Kkm5)WI!hOX^Wjajm`MsGrHGV1uY%h1SDb}Q{cY(EcVbfi2< zxspd6>x}L#H})hstGqWJE@|I?bLVmHD_V(1p=XosE~}wc7k4UFD!MHKiGQJh^F>z@|y|iFus4877xhrGV+bcY2=t|(uLw^+gHO_^vt&byu z7N6*PFIn#V?7h`)@~qKg;5oldzw=JOZPKCC^h^9CnV-nuOTkT^B@-qZKH}b685JU2 ziLO#>ggHV&aTkBI6t*^;HttkZFB}C_3nlb9ipb^1 z?n$-Q)21BlPv3b&3$BUApUEO(<~$Mb69r{gzHs*kEk%~#xR5H1hJl>?v(-bsU!iW( zM-#n`2mKS+I$y6krboA|?KIfM`^z#syMiYsVh&sPHmPy+kit2PxdDl|JX(39FxjEv zopbv1$6NFx<3%|9sPH=b-wV132M z#>Za&I$Fa?@`IefSUMxJ1xKm?2C!jXaP8mia~O zwDXKetI#=VWt_OvBBcT4MwwTfTxF81d9*zVBJ`F`YblJa_{-C%wiTDdKse{`$b z_vh{M<2?ov+w20ZQDeT=A*?I2n8#g~+8unkJqA(*4+YvaG9ob;1?F4nu(e3^yw;NX zmRTXya(y5mDApD4>}oLqrGaX<48r8-tW)^cWhceD#T776x zbTwo6kFRpcjWKX}cg|0UY8w@y-x~88SNym-k(O2fw+>D+gZ?oBL@G#S!`XClp~OL;Xm6aBl}61@@-c^L!b!hBhuRc;K+Fy36K zGZ4}7>2?sf8F+kJdqHVvE%?ZOUZ8Xq-IyeBi!OQ82dFf~s{nUIuCpZ|^uyzk<DPdIiJs4u>u z^Gxx&jwyD^t1=&p9zdBXt&Nvg&ArvNYQ{2IH|Ggeu)%)FsV?tQd@@+!;mW?3334fD zgGRgq7v6)G^I^VCQ0(l#p6o{hTTXeZ%J(2H{$mSG5_Wv1DTDl^k>Br|a-;WS5*HPT z%Db^OvR;(Bk$@WJiB91cS&sjzh(4+Amu0^JPq$)+0j^F*h}1|?K^+rOsiTkKw)!-! z9_`F@e|Na^hsF+@9K`V)17h%cEhG3fFV*fIb9gL)uGU(XOGX0-0Or&OXP{afthu|( zBMx|Hr~MO_Kf?BEWoj1mGoWw+tF2piRyahzUS^d*HEm|L6Bz;0k474!h0pxuW%HD4 z8eQJrQlT_+>Eu9==AlX)#6w@4-LGR@V@h>zH?tG`8}*H7M5 zn)p_GGv8<4@1M!$$#R`gG2Zkf5g|1yLJm%h!xmPQ9jf^Fg;i78OJV_6B8KvEE&PmM zI))q)Pqo@2o?uS@VZNY@kDPb<1Rr>DtXFJ?@8mO?il zi3e{YEp|t)1H<=jh@h#6^}Ns>j=;=dls5=uEkA#s3dSb;up>XpVIsCiCyaDFgrmi` zEfmqo*H+izi=>z?8|_6v_h9Nhk|xi_%35;`&#)LyRq}pAR^~k{3s3tO1v@p&p)+&c zrtE}$bMi}Ly8zya;959+-aVs|3A>bRpj+G?*vy;mpGzfTHP?z9+$*~CPE5T*G8?}vwYoC^526=fwQ5c~yp0xINJ z-0GC+HsZQ#L^JD+K|!;idaJNgQTm5=A{qv>Wl6WW`nUa&Fk8loKjhCa=#38nrisiL==~02thYFy?D>lQO(;@u1dx44q?|0! 
z+Ro#Gr>z1(l)t13KFFjkTI`BX*UEqV9-IM|pi$)fg8`u3t@$uM@W8v!C$QFDT#>kV zKAw)`ra->y(!o+nQ6VT}Jyd4an^}OvqCoXZjW|P}8Y*FD^MTa_aO$XrY7RI`Or8Ur zxN(JAkbB#4YKg>m|MO#>d%^T;dq5<-IY8}{=w98b58}_d8hTz3sents$Jx5TpRk^f zr&diCeKO@bVN;<{=QYPE5x$k<83}*?)pVlL#$HZ z)~wqb*0s|FFk7qt5Sp(?P`W+$RefRoR>wHLA)|}|s+o&)d!aKfuf}O9H=fTd*R=D^ z&^S1AO}~mPjN75axLljP%XNPI*N;}W)pP^BQnuf14B>;7d;y_P_S;Y1eTB(U_sMjr zKcEg30y(ty!eaPfcm;8E5;ezzW+H}f=Bp9Pj_b_|k$>&XL5>4iJ$j@50t zcp&7teP&--6+!?VHu2)Y_ea5sOPThqn0af$g{8idha^Ow|}P{D3X z1wWglJR$#EI;bwEWA1N}h>19lwlV84X1cG0ZqVuZ!l=(z(HpbDT5llbjKmJVO!43o}Lj0+nHcya=7zGc?eDz%od;7*v3W~ zwV!N7{l zef$&6&WK2Vw(|j$6OTs1n8BhG0;|~XHbgO{7>%ekvNTWTGN`K70t6VO_q9JE`t5V# z%q;ZyWH~*2I8C7U&ay&fIfE+CySoP$$rprDpn8_?;`*B4?kf6M$Xl#S3*J3~MnlAVp?9 z2VG*gLVlYIqKW+8fL(`U7OFK3U?9*fj?z;N3=m34>k^7|kGXUI0ocAGh1IEWI%pyQ z*N}z$qLM<)IsD)R8>29YUa|Au-u&oBx&1 zAR9u^$l^zVp9{1B*^axEBKUOQd7;OxflP;Hw-2kVss_AGA0IReG)d|B#wU7>P2@i* zd#TpW*75~IIy7dMLgQ71uF0jJIVlFU7{1rWvTI*FGi(%jwmx1_an!vT6|vv7>Brqv zB;^}Fne4ei>6P*&BhDaKz$}ju*{2u0w_T;T9#E zvDFJ^0IRpAgKw1@yWxu%xkEBf)+cBHyFYpjiRf!VTF0!&pv!1H!9gb0;YUk=%9qbt zi0!Pi-CfqBnMy`^UEaR9lvTShfis(DmcwuK*o~or5rb=EW&U1-56Su~Jk1XFB%Q^nDca^_OmW z6-N!lg1vJ@-^fAm0($Wpur2RRt`R|&3+N=(o(kbcpxWw)^em0>S=E%QhDN5c8aPyk zq>@GE3Fcb?zHR!YI`DzG_k*oyQ)&~OCG=F-q6MdvRbNHrq?lpT% zq7*mFY%m4a)#M%%pE<6kI7~zRJaK^cB7OI|vJN6lWTX12RqV7Yzfm*#`^=6O!kHMH z(CKB95W`SS`1v1*D3q;+HxL4d!I{Xy&y|;H9KOJ?l@qpkV$(zQvOf1L`Wbh?R&T-y zI}AZv7evKvH_Z4P<&^aZ=e#wG9`k94|huH7M0$jK<%#80_8=$FN3fu&f)=G;`d87tX?>qhZBc3AKt9}tQ0Pqrw zA-)eh3A(3X11Guzpcp`DgX4zWp%g{L1Bm5%1o=Eq`=J>C<@J2O0Cu&xGtm;s6N}E@ z20!WKp=GQ_ur^@z;&3xiHQ3Q&%?hM@E=SD-AsNl&FM}?wA)Kd&vENGk&~w8}twxGh z7))Dr{0%Sr5-O2uh5;T>pZjkR?0;Iu)S&6CLmi@Z1!ZMr10~b~#96VQ4(@V3gNmz1 zkb|v(BdQ$a#5}?=R*!O~DcPaT))qJ|uc4!cBv&E#C2c2n_A1m&CWzx=jVHbUI4)4> z9dKM)*3M9k>5npCK?OgdX9kxz+-nvU3cm$CN*Mrz@pBmtpvfO_&-#$jT@1mmNYFIo zk1v`-OvV4AMTX+dl5#Q)h4gop`waANgw%tI#gYhj5%A(`*}wxz>tErr{yAdk)Sy%P z)FSS5$#74T9~+{EF&?kCD0?ShQH$D%)gDT_NuC2iO4**tMaWvcA*>;!9OlS#$^@XT;JL9%Y$En 
zSzd+pUcXZF6wqI;Pt?BU-B?l)mV>a5DWA^u3ai7lA(6)c*A)7=yw6CQ&itS5NYCs+ zn8kR7wygChBN2@iMV?sGKf1sE*So<SD(4R zLA~8+x6RZB7poD6;@TLpc&EOuR`$wUcqlBMpt!1zvDz^_qtX*?1izN`!v$0Jen&@FP z9+4O^LzFL%o-KMJw(_s<9Rc!=U@tF*0D2k3W7JJ4EJlmV7NQ<#z%EDuu1>2AvzTn3cxix&yt+wc9p z{|H=8Kohxnorno6#B+F*VA}9rRQ?TC%Wd4VZeLE2f&z*l;8_MKzFvg}S`P2-zB~DK#zT@Lo>z20yqU_*%1R?CDe1vcC@Sgh;4o#z z*G&CIHz{`iPA)ba=l=cbKPZ$9;&<}US1~e1w9fD|B8;M_bTXo~Uafqli=c#0X-H8TY7*NJL}9-L|f+`~lxHp|YD zq^uU|9TzV5Yd{`z&X4uq#0awH?k>MP(%QM*4iuT<`)~nlOq2M4oe+I<(wW303nGGQ z*+0aP-;+P`A~50sJ6=&w2?Lq{%Vy5kViz z18v$fp8JT3PL<7IO8P2Xj2Zq>WV0bd+@VL2fY)MAZY-1X!#!8aU}|(IARg@Oa8%;L6rhS zV`G%JH~$O6k$DO1&30g$o;hGZfseicqC7Li>l{%OWDC9%fC(0fymk>>lHn#;?o&cs zMf?AW5P_=&2%CjKa|!bBSaD{d0Jm`t=e-hv1~VoI7`!wS-s_-ua7iVRx+Q&(4}Tsi z>%jS($v}CcYV+Z5vu+aGWI!&1yaCVpSBU9~S&Ey3_lg<}IF{cQq4rkv_c&=r)TF~6 z0Ro$>#AS~wSlGvju~+PO{X5k3BbSX2PKsaew>%ye9mzw26=8o?bR7mJ(6u&TaQmn? zup-)dfxf5m%%s18dLYjtIx~+;IX?R$jaaq^_m#p3LBr#zV2G>t&vTww-PAR#vjS{+ zD8I**U_LCPaQnRajOP(Y)kupy*!(SxLoVM5O_Zf+qDc=zwl=R0n*QdrVl~`p$&{JT zX-&!1cLdut=}7O+h~BO8tko>dN`Re0r00Q*7%RxA?4$OkBJDvnd|-n0 z_YCnBYDII#=U){zkpw{N%d{h^e}Vmp4lHrCy$qK~u)HM=rehq~YE|zvfu2RmH6Ix& zp-^@hJan6@NK5oHG{FsFlV%fF=k z*F|_OCTdOd#!F4}qEy=#NPV7M;Ff5QC7jWBo7C6+RIGh*TTEE1M!V?x+Y;jAWyy-= zS27g}Wg)#Ab!X>K>b99|0v;T94-rL2j|Fav?UmMGKSZ+Rj>YM{H|YvIJDJ6{e7!fE zYd9Ap4t&D?-R<_c;le)aba^!GCQOb-?FX4@nqhb}?Gc7SJfqR`cL$v>5G6eSw%d8r zFf36cem>zxzfGGKk1k@{MNR7hXtOr28F;Yy$W z_}~(;N!l(%A_&wJvA`y(Y%Vh!pvWZ0&sI)Wha#oJ)+&?QlaG}Wou2DyuCnKEa-Y8( zO>koId(^1~yyg!)IT#}3Hxz9h2{I63YSudzvpfhHFmm{cXr;0%BBbw)V{UYnk*P6v zg$k}<3WLIe{0lG8NWV=*J5zp~s0qS)Av+#vUX$Rl(^Z?ty;!Z2 z<0~}qtO#k|`0oAuP*3oi>dqzaCp4!dw+N@DO+}8>H^bRLf0Q3fR8N9cEt#qe$ci9T zbWSlQONdYpl#7llyRta#+@2%Ue$PqIuGxafKRIY5ItWGD!)kVA%^|=>Br@d+rND>I zM)x`!r)IO1CT<}cl#LU}B3IE$|6;+*=QLR4+hiN9B$gT4G;;&Rt$Svmq(AD}ll(m) z@l_IcenKK)`U%OT#OVF&_p%nN1QXGWBB0J**r8>%2{u zbtv_G)cQ!F-N}vM`fZp|;PVH(J6FFACnyIz5bd@C4^>VBwF(ZS=c`FoKt8=Zx~4)Q zyli@YvT-=^TooH^@ss860SC{^!PB{9+6ZeORB#Lj%qXRKVl#-99k%Pr!{LY^0+=m1 
ziN#DvLp-u=XUBxK5IO2-=BT7|27(@IOfgBoDu<&y^3Zn#R5Xm2wS{4VLSA16=;3QP zt2)AZUac2tQUY@C)5`mZUM1&uoZU+?F;;B`kdi00WsK^6dOi|4)$<{KLia;dAu`Cl zZ45RxjL4%_&_*!!fDDP;N_d}g{$otrUbx^y{Af>%-Pb+{k38QB(JQ;4qS5io28tO` zQX}!)q3IrzWB@{C_nz$5*iL9QYyH){o32!As@e!(@p-AkoBWG|wz`sQS*!s`nBoh} zYZ?c#s*i|7uIJYP^6PFw>iFJUo$; zi4DNsVYk;-l(*`NIqaSnCWs~FBqNdCIR>yk)g;B$6=frKx$di46Zs(Z0!oYs7;2J7 zA0+dp^qBYtVos)itSFD2E4B0hby@-*LUM)B=QgmmkYGEzmtoR)a)H z9=Y+6kbwyTVQ0|!P+hQn{YQKU7Vo13V3OC5`GDQ0!_}q^(iWP8PF7821n%SiK~V%= z4V)n0uKy{Run$x;AoDa^;~5T6q68rnU-?~PVCg}QJ=ig;>nW+A9di*pYcZr6iW~pb zD0J6`8uhQx&Fm-eR+S-W8CK?84HZI_6at>&LK{Om=#?#8iM#_X>IR&f1PtZu4K<2Pt3ZzJVHneb-?W(C04yiCT64{plWuDV~cS{J`{CE)MYx zLBd8K={7Pbjz!IXx?(BS>IKOmFcX(ABSHn!iF>G(HpLs#C!;#}|K%rX%Uuyt4;40k z#Aee^fIo*r)~hQ%dqZtflmhI~=)dCM!{!)_<+ncncZ*W0;&wnzIbI zv`P;Y3D&NL)eZei@uAtji@hS4=lc1OG;;LpS5c!=1!{jOeDFrV4hDIb!-caA zS8H?rv8^*SVLpoCX+{zJCbf>oKl?>ebT_daYt0m&xQf|a=E)jHvnY6mvav!>ydHVf zQvVej%*Xkf@mV*U#B1bTEB_g3I#7-nbhTMS9|ahl^GgIkd%znRqg__OhB&80ey5-$ z(RWJQ-_ryxwo{*j1+JC)UlPI(Ickm6iceVANUfjH>@QY~jA$`@c;NA%-u>Cnv+g1P zxOB9R4H1NZL{&?#Se8Mjugl zJj2vxdsdQqXTq^^5xk(@B4hk-_ek?YUZc32*lt^qCCGhrSEceud*|IwroRPm>3jZt zG9mIsJx(HJKz0WTfv(9Xya)#@XHxrVyz=}~S2f!;jL*rD%Y>4hk~AMCf^e@Ux`)u@ z>qh6~xbfxSFTZ}fNEEeW=2cZctX7!$uyKua3cWZHFSh$8o9@t2u{d_cQ{Aqm269xS zZix#<+@a|O3^z4_A2|uf)k^yns+d&+;PO_K02a?vQ})z*Z*N0A%Li2s=?&^^%%a?V z%NJW+Odqy#z+o*dVSz(o_6ON~+d8FCR3m4x)$w*${U%hfs{ z5o~8moSNsL>0>F?cLSO}GdPodDfxlVt^n;xU2$wsF=6THygpE-lEO@zsX*Vx5d79~ zciO7`wRf}5TbRosA$k!t5jL*@a)@^+i8yW}V2kuN7P{el$_QnLD65?}%ni*jX00cn zP7V=+ZqIy%wn*AMV;J%+btJ*esc;PqbohI<{(B^j88pU|QACTCXPY6g3TTfOdTT&v zAV(=N&w+?UuKtz&j6?T5fBN`RHNayw?DiXAxLNvkJN%~+u_KD;Bs-@7)2VTn_n@8) zZG-T2IYigzZFyviuQJ=PD0s`G{CP?sJv`@E2zg%IgvC`IcST5Hu2&@`o;~tadaQyX>Gmx*O%w79>0e-2At zQSS+A{Y7avCsq-ecPTF;34~&ejnln7m_QD4|%n^{tnZaNK(R;8P8@+!rtQ zaDtWdGyqQeDA6+z-z8w86gn-v4r=(NrC^3kd!YoM#S5?IX|rt3C3DMdAK)Zt zeAwePB=U{Aii=`H>8NvY>qc}q&(fy=@i_oKfPy8lpY?IuCOD%>o+YxIIeY6!j&}0e zfo|ylhAlzMi&AOSO?~+{*;vH;AvWACY(pZ(P>B2uKsZur(6;^`aVxH75|Bj(!I`4p 
zgFiuZOhnM+>(DUB#8d+m%ASY)3qVM#RUjLxSEM!v*^3B}*$2`V?p_6E2v=S4a3S4BGpz4#3#8ylNk0L@#ZgN(#ieM_vu{XHnMsn4-Y;p~Rg2+tgPl;(+T6a3@c!xF9VG)nt~2u>u`8g z5FRNgwFi=_aPSx%%-{ot4)`!c5Jjg9RPz7t*uShluL5tfKmZaW^(C0Pc+p}1{a?gq zx1R%w=jj@J`Q!HGBAwiB1x0C(vpZ|Z}Gm-uvsVqC-GDR*pZcYMTj4MGY zuPyATcAX#$t$5=fgL;iMQL^lyjNnU7R&uUZkwJlM$PL(S14aa#nG@1Q{5>^Zq~KF2 zAgTSX5y_)dDkKO0`G_E7YBKT*8Q_WFuK)F>Cj4f``}og5?R~{l-$4##=JQ&Ja7!!0CAFu~?v_Z80oQe+!%`x&ybP++BZ8iUz zxPKn!LwXGp(OShU^p_FocV+Ypztr|WTWT&Z$#~xY0cVg4Qx16J_MiOk*iQqX8rL)aV8aBIC3=+-A^wl%5C}p6 k@Ev*_%Kv}SNWZgNiP#e5&%rN#odf?AWK@ua_n*G}A6_VM>i_@% From 9128fa46f2e11cd17d3fbfb2f672331d6bd25afc Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 17:23:08 -0500 Subject: [PATCH 19/71] re-add image --- .../img/update_controls4delta_diagram.png | Bin 0 -> 74464 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 src/assets/img/update_controls4delta_diagram.png 
diff --git a/src/assets/img/update_controls4delta_diagram.png b/src/assets/img/update_controls4delta_diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..07044659e766837dfe80af80f870bf71c4f50f45 GIT binary patch literal 74464 zcmeFa2S8Ov+CHwv7-OOa)EG@{C~7q5?M0(_d++_Cm~(qSw>NuYjM%Zp9(!+CQGrBF zY!MO*c8LXvA{q-SAn>09_Zlq8=C`}wx4YkegA3=(nKLtI=6T=unRniq%@7M&En9SK z(Wp_QmK-)++NjYR3E+Rp&6|Ogcc+ZL4E{9sNmT=KR-k5cZN+?hp|yI zmR5h2j6qpopFbH(PsU&v4x`@hg!ypJXJ!xBJpZysAN;3s2f;M!re z8^IrzQE!KlR}5Y#)Xxfo>=;mAKcq1;kl714!Ho+7t*R?A;5I;h<8VFf0$u3v;pj$(AM_Yffz?o-1#d#>AR`)=LeyhO zDMl<7pF+T*^(hz}WI_{BM6w?BN@ejXone+2a$5wj!RP=*8p5&GVMw3`q!L45+s$4$;EL7f zf?WV0$d@~zcrmf8J_`ikT3>QqQp4e_@8Nhqdtn$<)L^t5K8|N{hG|9zG7Rw^j@1JY z_y7Lx^M3L^m$!eUI4l{BM;S>tk_n9`;ZXXNSouN75r_?hjKZw%D4#zPM?R1azZHxM z#bGrgGUA8bK#ZZ-ox^AXy+ZZ5A-&aQmLt#Tq~8nKZrCA_1Qnfyy z1AnN#dJLiwm0_@Y0jTQ5(gz2Saif}m2+3kC!-0E?-{}Bvqrqj}a2t^UM_ztDtjLWX zc3SnZ2M$PQbWoq;g9bZbM4Iam0$u|GYJUzkq*$azCgij_5E)V$y#~ky#gbzJ1HPjU zT5jm~QHpmg=s9Ct9Fbgqj-KB!#4-Yv=J!Sbj^eKqVQV4f;=%;|9Sfn%kdKW@nkGpp+ej3KAzFUv=N7+8JH9-_7#j7 z4M6f^0}Ffo7T65CAP3|3)R)Hh_dI;K4sys?*^GXFBsMBgzz>6@1_1e!k&L4t8G}XD z{RiIk`5~{Lf@raZ@BnE{VDDmJ`on<-c=hUIBK3;Y0W*a3Jo3q)9B@;ImOt;>*FwW< zbU=P}E^p-s! 
zG9z3M0m1*QI>aCdLaK>@5=$oaBgO=)fku3ut)WIlqhlH40RGo&MB*#B`S(+Z0Ic4K z8qs|HFeow@=eh(y&wP3|213jXP|3fFJy8K3ydMay58c1ymoM1Z$jz@63iWc zXV5;o(XU6QF9`4fm33HMM%wd96OxFKlLopJgT*jGuVATQE@`j=X^KCK@l-HVZ>W^9 zOcDWu@Zoy?`ch^CLyPnj?pT?=a4)*(DCnz}1_Me-qmx$Hx zT=+$jj?gm5=dPa}nyg`@9n?Cw8@-Gm_%MX6AerKJ(isMy?6&lSLOxtS#33=<7xDRx zNE_;?dxIuFZ_5jF52QC^37}|1Pt~LKf7Tv>IrI1p?EAaOacE1WeN*JVFp)X1^7ir(W6cdL}yA zZxoNbLM1V55sgo7;=Ax;?eD~tg) zRT(8?WFo}BDwIqfAnaL@4p&)YynX8OAFp1PKd65=n(9ip>Gq%#>Opc(jklaGCrHqm>3> zv<#z}t;Ko4vyj~E&{D}#2T5k)(2%C#gdv_oZ5K(IejOMls@;NPLjnmG4(Otw9==3K zr3$QsDELMKgXy7o!0=G%>ad zArFxxvZ}0JGS@~i;PGs9z$l8irCh8t93=&PawJ_NjtaCIxrWT*IQ>{W7+9tRXQo-z z0;3EU)dV0K$^fdB!6dpz#0x})TslF)#)Vw+FwJ0aNr`Mb#e>Cx{-zpPGDV0WG#Vid z2G5~z;V=%;2;Hz-9p%^|BgQ15CNz|Wdcvg zP8B0~6o@58$j9P4{V1(iPov0iT#-ql@IxM%*UT^)Bi5+F5ymr^IF8Z}DaZ^aU8vGJ z9ZWKh4lzU$vz!}HQ|J^1JECUWsXDWZ>+$*l$f+DTO2nY4sV<>i6!y6AR+e0W$H=HW zegN%6X_X9|RIW!kOnQOOtlWyT35c9l>= z@P`O~kBmhy`XnMNM?}=9+(ZHs<}jpTq0oS{6NC}6hbomx_)3P%Ao4l+x-bRh<5=t( zlpyRTY0<(6g~g?Ybzz|3hgF_ zO~D8Yi)B)sLV;8OvV-{}HE4H6h+(XhF5^dGBF-3+AW|h4xP4@)&SkQgf zh!b?!r6j8c=TbX4h{S|hE+J8kSIU8gVRE%dK@=m-VYW-vS}AgCM-w;rWpA%)X}1ydfXE(CL3o~WD)7Smu8$s?9&9YK-G>~jlkP9M$_@k&r? zrI1CIXh3co+9g30GR1?}Moe_bW|7&&BH&fSFgY?A(kPBbL)M2uRvacsq4|k)0ZGRU zvK&G_4#ni#I4)Qal9631Z^YrS6U@$_7$x_c(f)v&A(7%W`Y4kVuo$pzhMiAv{e7oB70yK#6jKY}#|g(xT}_7H7| z{YBI-PbWYH1Oae`5d;+qlaZm5LsUG@>I-1R7z)M)MNG1&hbK}CsaUO6W0aXmR;m?I z<1C@v&1C9L3cU%(3@Ql$D#phpIr)&)LEr+ZrYK=G-^y~JwIQx6B4AO1bcW5wMx*6! 
zGur2Lb5J3&n5)!^To$>(OBL7z!LZ*I^rG!VVT3?~sT2$wZ5Fy%Zh}1=W!SxZ7t7Dq zc_Lz+%w-VpLNqdofKm$3VG@?^c3b2`l##}Su`tQ3M?Q#c47inYF4hrdp&V3-SSK+{ zX>v`}WKcy77|2PWFgPMJO&x?`j*aEh2EhbQtntXiZc$WcF*z9?5!Om0D|PBTY~w^IoeA=A%{%7CCU`4SU{YqRP#5>vn}=1Pqggdk`Xn1Ea3kgKo; zH-Sht85pvV%?SG;pU(js$zir1_7RCLrh}mbOp2=IF&vU`*a4v-O~9e?S!}S4#}cc8 zYOUS})~Mx(*g-_20HB*GR#>b-PLwGV=(RymFi7HpGCTxN*cGKmYfGDIg7rz+XO}tOoWC6;PvKE!`g0sHIw1<7GuGK8!=Cvq{YCfS$}F zIeB8FXrnSD^12a??{*0zXt|POQyN4{o=t_1K(L?9r;>1ZDMKJr67@V{lu7|gijE3+ zJwmHUZPub4Onz7@4l8ULES5xInuTf=9xv2*U2-oMNFEgizH6o}sPIrURwoalnx$xw zlT9^84K8xTO9)}iZnr=Ip`soqUFCq$T#l6MCz%3lj>l}(n+Rf!oNTa$+)Y!)M|12))bi=wf}=)fL#RHG&vG(JeAGg^5RuOIXZP+g%2hUF&8 zi8QxV6+#;2L7^>NwIdv5+F78Zsc4)B(F+bK*(Y)`#8gknhF0NJswm5WaX=P2#z#U+ zbV9x}5)Eh|90n~j@L`vOh~hHvQKef9DbXG=F!ypbWHU%;d^XFj6k6B@8CalaQkY~d z(<@h7!Elky6tBA0HH8oUw( z74PzR0YUcbI4DVkq%i0iCl}c~uInmc!-nEmD+4 z3#k$5w(-LfwGzt>a4|mE&ZLuEb#FkP5Y`@qD3-8PNfQwuR*+)>=8MT=5F|daOodW; zxHftyDvX4+B#c|A3;X$UNJu83)E2ec0-N|&G!qJN4Qw--N6~rg_%Kx;4cI&^a}*Y$ z3|blnhf`5uBO_$j0Mih`Iy`a}&d*h-wY)IwWQfQZFxO!yRD8MDOyGGS5!Z*8Dp)M1 zTTOE_@sM5xmjAFMFJB?$yR{KB*@6$7!yc!DOcua2tcnJ)JbXNw9>OXqK9Np=67i!_ z7aGMhEB$Vye{4dVhfQN(D0E24V5=hpf+k{N(^Vle-{>`mOdOq=?GT9Q3X0QDjX+kv zhQop>HVRWJLQ$zc(1V=Yhlz@p- zSQL?!>W4!p$U$3K#?&0(TJIZLb!ue9KevmAs$k(HNu6ADyCP(br1w0l#eVinsNA$ zCM;***)Ux~MnX@hkPuI`(4-`m&@IyjXganXE#&*PdY6P2<*I~&hy@!6!8Aq$hjWWj zL9bVUat67sFbT&B5ZFRL%d9c#6iOFg$@LRZb`{TR*WqYkn^3C4GQD6m-m134Vh)26 z@af&*a1bp(Gc`N~U4rv#bY25PK#!6_hA0^s$B0FYXqE^d=wzFlD$(TDMW);F6SXgvlx8LN=RC!5WDW zAIw_#L4uq`w`g1_vp|C9$ps20hAp(oMRtflg2X1FD@q3C#JV zk)33@jgGZ({Sk!I>s7h>Ds)i{+huHx+{YnMbYl?7nSPad`qpC1MkscFZ zcohVM=mrqO%VrAPC>7&$h^Z=p!9iAX1RAZAOalsmN;CoQM<^sj z*loa|!r~zk!jv>jwL+rjT19qj1m|Y!h@mJRqYcAy2Lml(t0;bo-YY;Wy)LcW7jP*h zhz|jF>V+Z_1DSW|gEkkQhVUv^(BZ(#gCUupEhCX&C0ePm>!b=ahT_!7i6)2K6_Mfv z24h%2q>=S36Ar->!35|%$*0!n0)UR_G!B@mKuN7SvxrC#BAD`NFc_(dD~1guv%^Le z@nsmI#L6VGcqD_g zfhlyV%p6N7V&sS{aKK<78T>e@J)%K!%QbGV8tb5%m>~kiW&Z%-(zC2ZEjhBuME;zPOnr6V~rw96iiyo 
zIKIde0rkr`Q9e-$v(*rcN9Z5Mtqp}yG%AKIi13&WvM(G6iWJ_U(N9()x`&RI$mw<_ zTN+S{Tzno+>8FxuUbLRbbBWoekj_K2y0H$4#K4S(_z)s%9J^o3SM!Z-GM#UM%s~@1 ziV1NrT#}xR#}hyX84gXQcnM-r(4TdZ|KT@FOu&)Q~_b*6GM0N{B$F@lAGO6vy`Xqojy8z*2CH5u8kCr`xCm zEdioqSy-2jqGGFIL!HwCypA^qgHf*79+oH=L9G&avPeb)A94XYj$&9X5(`#K7Lr98 z8YV&ufW|XTk%-8y^>~0sQ3ocN1|wSJ*BD8dAQx+P31Kx*>_o3DEJGnm+)fOEX?H{g zW^@)aiDZb1gd{{O>X;stgD<3pL|Bc52gDcB0mpX`vtgunYjbPC} zlo11iJ1`L7pPz2DL@9h4%#iCCIHAs=@YkVUKD z5IyLjGSDii9vd)G$W#gnq{BhPJs>2wagf=pGool=utaR}@cB-vG(@n|Pyt8-J|-xN zuz=T39CoTySi4UQn;lNFzwR6O3}FOsGdqC?Q9!rh!@vzo@rPpHj&r(Tycr7k0OiF7 zVV44a26gz#$iG z@wp>W0$u~=>*5fiO-0%W50Y_6Ob^cpaWF;|m4Q;ZbZ!w~32Z4_MkN5M64E+V1RT?# zL3l^@lc_W^gFu#XoenfgisIN%A{5swr?Fw9NUTr+yAMm* zIJ;Pa3x&}bz|8n+493iaop_4fVpKAs5v#zC(bJ@C0}_DFBymG%238APTqrHWK#5}6 zZW&!6_Rt{-4d5HBZxHl8ojYnF`}A6%x0s?RnL(vdJX}nj8Y9z*Oa>85`G6Bety05Y zv6dzQa|#3Et(7u`GA5hB)_aM5s}!a6@+eXoT8afeN~TF;3Gf+yJ;To+vxRms1FSRY z#ZnSe?9vj=4wD5d;WAT2K31OCDG*|$EoD?-N$|RXM$_PRf=p?Yh1^$A6 zh}V)O!#V_D+7|*#Toj5-p%h7Zc$$X8L6$oIB)T9T6Y=_piB|$6;@Mvbp?EPUpU80k}cn0v=!AkcNQ^@w9)Vzy&bm05A<#P5&1H z7wQ7t>Vx7)Xe0usE#=tfQ8+7EZqM?WZXXzsH}GY7pPS)w^%`>etiscEM6G_ z*&hPxZ^liafl@|#_rHM?uMeESV`A|8p9-8H|5M8U4-1@#qpm^Z1PGf$Hck>pvsfE*=im0N}5{8QI9@2Fkl(%;yW+ zmEz%^Ac%;dCmD67KhyNDPzMYuwtWxM#W#F`iNIfrL`EXWp6}jxzF`C(-=7y79ZY;% zUW4Jm#)FbyAQed57$VI7KCB|Xx$A`is^9nl_#9Z=XuvlJo&d5zur8K2rG6(HSaw38 zac;0Sh=iqr--vBb3B|T&Ay08gXT=@@PUlaF5lZA)-PSrxyx92ulVlvq3057EW$gMe zvJ_Zn1M9Ou5kB9MQs1`v{VJ~jDjrOR?8mIze)2LGjWN~wy?k|h@%)euxXS9bP6AoO zQo%htzQ?SN_JD*2k-4!wfem7W|6to4fGo4_zgV}uW~bdBM*YT#_CLzY8_E@E4_KZf znO?iWHTFD) z&-m6-1dxAo8s@Yb40Wab0TSbZ^*}!V86bRK-Am{)q78T>5j6P4NPU1iGJ%MNkoiJ= zhcpaV{~t#eGC2X&z7)fbNA<&j0Yt{I0sLOOrHX*$BaEE^p@X&G1`JV~9n7gEb-upvU7qU7X5ICFQHJfH)+v}fia*3O}xL>J$ z!;ao!bpV%s1Z*k-G7R=C>+SJ7ss;91qd=cQ@h$RoTbg4#b?RIbzvqx4Z-NpKUFtO= zsyegX+Xq5t?FLfEB%D?%2`y|6M!29d<2AS^vBXc__{x2M5MUB zlvj_(_zOH8nM5?0i9SC^p}r6QCY_1z$$n*i`sagNkM)=4q49ZV44n-?{8~vv}zTRTJ2<|!^UJv&;xRE3nz`*3FJ9@(c zh`SMSX1@&hx?QBtflUSKiG~74JOPMmLjFUxap?rvEc^c5Djz 
z5_hWejv)j8w{)O6`u3rDQAD;E&VH$wWT=xT~lE)%efx$RnYhFVXn_ zg&3_r&@zAB0>@k3;84fcj&*#o_}?r@3Snx0%LVrjxzmQjDRivS5LL;CV})E%km?xj zd(GLhac>0h0Q||qxhZzoD&nC~K0j|2-28s1Zwl};Bd4|^S-fUlZwwNR2zEiB8eRZP z49xS(i|3+%-wj;l7?jlL3poB{&AfgoUFQW^e`@k>IAC_dx_;Fp)$pC1p_V5L8v_r-OJxNGS7a>k33 z&-euP#beD-C@O;qB2ivF94s2}8vB7`eZg4PMKIL)f?hgNEN1dvCde=9>^jl@`?WI` z^`fu;`Prxq)N?%grQu8v7klk>)6;*JxYmjEADmeo_qG3iZg|5!sCybe$h`hR>;>RT z0RC@exuI}1o!Y2T*G3#VMIKJSvp6)i-IzLWlis}5h4+R>@4ij0oS3iN+ww!= zQ3bI^Vj5XXyEb6X<7e9odS@0K_?}lhskGT~QD0U2s>Q=bk4|4AIT%R1=u}u0AAZsM z;D*k$B_DK?tr^v~U~onIb+UbPg^E*L{S(@}?gNkivas3g1@m+dPETxKyq;GzLArZK z#~;3b?})p}U3`{i7V|;DRoY5H>0ImXJ7b2A>C2n9>9?V<%(!`TU`xqk{FdsHP8E40 zx_msBv4+;F&%@}=p;c$1Mc<4bHve%Mzi(c}JMDXIVy!3qHll8*+0(&?uT6b#%ajot z&NaEa|Nd@x|Ga*~C3mJzsG2^l`m3uG8qZ6vnRwp1pMIck&e?*K2PMyJJ(l-4vGvWv z1vNeTH#a0U9x(HJd#k5C;w#mFP|t`Nv&?3yE4hNcKTi7v-B~KE){*VZ$*z?Q%J^dm{V<- zn`elJs!x1&9tWz+){I*G@Iz+Rhd=KP*xFC-Nrqkfzn;+U1bS(Up^e9d6Mky<*zoYj+?v^U zhZS!TRnumk(BSj-g$Djm$t=olwQlW7U;evoo_dcvVD@QA*dm#1BW(Gz#Id<=&Ve_~tfLlGNa|Uzt7sce)Q$Nfmugq_2Qk~JWQ`)^(pV$xKqY&-0SL+06R0h5(Z|!~=f!=&vH^W7zp3dR9i_jQoUnfIQP+Vl zW;EY7>@neuCnr8v?KnJ0tr&moePUIk(blr&_N}s3O)+1NokkCD%5Y_Dg?C-P*h$72 zud3*ocy+M4?3wOJO2WDe%K#Yq_ghr`V|4b%E0#p5jhf77e)D7EvW~XeWs(tTW!qa0 zNX)#$AHR;icEGtYGdfp2?Bp$7+L=54!SOzC;L)s-5-*8@YFhla0ySy*u9@U(Z&Wqw|DFK_tW+$vXT=yvVBy`}w1 zYtL>YlMppcg}4)xp~+=-H}U~6Ak6PH%)u<%{MWYpSt!f zT7b77o6(JS|`PX|YE=w0@u*+NKPNL6NBt4r#-*d5pvPY8Y>7qMZSA4k2Y4$Ez;Xcb66g}Pd$FjNahjJDZ%O6vq zom=+ouzbPkaiD`Kbrnn1_W{I8o(cNrv%q@i8wE{N2VQk#*TFOCiO@S^ABGegl!8m+TXz~D?>yqpwnK#8 zX@l>So-SNlQ(cud)ARJ|SMB$?o;|%^*mD2OH_Ii`2jBzevF9yax>Vh3QR3D70?qWD z_OsfGmYqL6H}ic(>wO#FPtmH&za9{vJb{-!}FC9HVwyjszN0%sto70w(n!>D}a?Sdh$I6td zVO@?cnQ*P-VcEe2AMGs;bH;ZX_1oUJRgy`K-)J^5@$D*RQKyf$c5i+A*?~9P4;A0} z;mWk6-X3+9A!ABMd>l`&!cicaXCjm!aq znxxxTR=xA3A&tjNW8K*)a1!MYYZq-7&O5%P(@RCcmF@a=_`bxw8%BZf5f7Zl3-b;&O459iys(J(BiA zOin#-8mCSelB7G+sYcN(H zb7cI0C!cwH9vD1t#vRZ0{HzPR;iWq|ub&3=bJv8%t$SyERZkENjT-kzdSgIFpC1;E z-ArE#KfWwtWVM!FBvu?T(P59$*KA0^4s1+bIM{=lG0{K(&s(- 
zHShh@^}R>OfB8Ir_==1k<6^wC>tsMDHK*s}l6`MCjm+ATlzjVgo4dWJ#(pWbRxwIB z3F*(IIlqxBPd zjHvzMm@MbxeZ%uc>ry*#S1ClEy|>qIxN+XRbWY3yeLtG@Wo7NYyL zoq@c!2h5?b-L2TL@Y&!|mFmxz-Jo1PeX(NEh`ZTdMAGsW4hXED(rIAf`u)+1{_8(X zO*tBVayi7?UtW1_a{pb2hRjKIT_Tn4MRXN>eAkx;Q(966k1ia3?Zyw4hbs?%f(+ez z?<1dHRrEoRF14uduATjcsgIOR;GDdEb=TWVM(rD#Tt&3>YMp~8-QQlac_i-w&H*2K zwmtja@ypk@h=yXH%{+T!)w=G+2m4!ZT#8?Jd1(6n%3);Zk?%5a^ZYsKn@Lw&GmFNR-eH*Jp&&e-$Y*L_zxS4?|QLWG4k9^PpOAKSikP(N9F{*KXw%dgZt*kT_&=iTc~ zvcGNL;k|N#EiGwL zz(1Ef@~OM8cG;no={eEdt=(pQ)_iNtwwgDwSx4F-8idn?J$_=>1pd^n&D*wZ+hck2 zV9n#H(Q}DE=Z+e|8?4-!+L6CnJAwez|uTk1JDAx5W=@O{OEgO#q4__*YwE5n(i z27j8lnzyjC_wfAboD;k)_plUa*1e#0g%>$7p!C+C-cb6d86elBf6 zt3i*%k=p7fDf7ii-}TCEs;*VnUK==IU5BP!XH0FH#Y}1uYImeU)Tw`33*wx0OPehU zFMPK7_!;fl!A}b}J^1cN;*OJh+jKg&XT_BL&r-E#h4X8dU8<`WkmOZNXrT4q+ z!mJ{8{(S#}@-01v73OtieH1~o%X>#H8Rv#><>Xgh%*=hVVp5-X2VY;NtGI$&z4XVY z_s8VURdnAncR${u-S%m1b$Rc|wd$%-DJt8r2Q&uC^7O1(4)oT% zTVw9!JXr}BfSS@YcpL zm7@++t|^!_8_^Sfp!PbioYDO9RoY%h&u?Y(uU+299zVLaYeMBl_S--~4w*NkkbCH| zxmF;&{nG|{E7jo8>QA0Ugc-P=i9hFz5@p|8G`wJFxZT=(#-~qi{gjx8nM&tB%d1$m zi!~_t_+;jwL8pFW$wS;3`5lryx#lLA`$^&j^sP1R?)5Fq3r`(p1MURFTjQq8o!DvL zJH^HQnc6|yf~5tRs~1NV98)bFQP831pbNFkw4?=v)^2M8&o<4;bzYx#a%b7m?>CQn zvhRMD?Uc9Fe0_CwU(e%fhgzAB3^J!mY-D}z(|ynM*M_&TR(7fyu};2hrhN14UhMsQ>6N2Ynj{w;QKi#e;ftDYr(l|7kvsO|jhk0$RbGA9gM<<{w$P z8q~55fL6+BTG~ZcHyfCN)X}`8eV2|7a|`eK8N{a77-P$)m-kQaKJx-FJK4-e8Ncx9 zo2N!DyfbcN*RjCvYS1&RO+oXvHJ#DCN0R=n{_VaR(hu0H854(guHDh8$$Jx*3}N!d zw<)?br|9_D_LV(G8=_k)*A`wju!~A|MsF-P3um_baGu6`+}rco;*s7(^@;sZ zuj$8*%W5;(W{~@F`k2h3kD{()UN+Df214V))PyJB*$VT1?0o8UXHZ2dGMZ%rcOR|I z*>&$0^G$HIU$OnzCkeMb8>)y7^RO|Fg>6>B^EON>zar~Wqq(_diL=`Acv6Sut?+Xd zNv*7-SI+J~JbgV-J*^k-zW3Rl>iM{PqaxKC+HV@O`O+T#=qvlPeoWjpJf~2)Tl+?7 z<%hy-tmnvpnu9Yt0_(R9sK|D`Zp>|7m?!T(v5v~Hr-P3^H1~kOdsBRms2pBc#=Ldu z!PnATpH}8~%F-R2o_zA_{k@j^ChKoxU57u}xu~@%_hYyqypz6QLB-A+CsKdS+g1rz zGv{gZZwva~xcc_)$m$N!pL>%x8s|M?zM}$Cy{+4~m8$)H)wMb-Ze4RQ0^O0p3+p%3 z^e#5?5Lp_>@A_@!nj#*Mzvq$#h61}N&t4#`xVi=oTpX4(Z1MW?m5gdaVS&tPUXW*- 
zyEf~1<*n1#ETt#q7v~o`(&v*#Naki~i6pV@=Gk5Sj00tw=H8Y~ukpr~Z+VmpRZqTm zZk4GHutzKz?$CET`!6vsR`ot!QZra|{OvN~slAU7+jgTD4N-UHpYE9cY}?uH+Oz%C zgVJ0d1eUeE+vg|lJ^tyfrZ$ng$9B^fm;W*=yXhpl;mML5>7EhO9lg(W+pdIXYx)w8 zEO5S=WjLrjKXeZ-c=t;8KEucfN4E@>+`gg8EDYG$IqMZSwwlUUI;*wPfq7Z-&Fb`H z8~nv`?%?yxvE}#9b~aWY-}SR#MAt^+NQuDkh{wWX%KKD!udaFD-fq~Ql1064wANSl zI=2-0f3(t$NbOKvfz4Pt=;zwxTRVy*%<2{Sq<14F`G@dhNY&{TPrrKm!R4$`=8q66 zGUiV8+IL46KcFx0P5ZS!adB|EgnT#Uo!eINiPBv&C9(;<9&{M_!xs-8PdS^I`9Znq zwrcZ2i@a6Fb;f4}SCV)gm5vKNi#A>8I{cFg&HI~*k_HCvp*LH~`^;H6?282_cPhG* z_jra`)q{rHlQ zXLfGATkvRZ^!CY`mKToF;FiK?{89R%)zF9)ovR&ptGrL1mbN+jZr%;NBw^Cghl96{ zE?gP(Meg4Y74PWwRUrV9tufrB8nwCpC;Z`-%4|TE)G{>{MI;Us-gd z2!Hj&#wqD_e5?mZ2{I*9xpC-?1;;#_Iv%66v`?O-{O#z- zChVq(nH4L(ejli;`P8nZJ#>I(W*1-jWrhWt+Kc8k!3ym^gT_sb-ttDIZHKvCu3)Z$n>5#3uP~FR`J;t(StKt zJF{GASNnU`d{#Pq*+{ZgxnaRa7nhG)6#WcqRqUQHyVoZPpFA4tGgs@Y-w99590c6m z&uKA{{`FH|?k9zLi@G#v1iBbAyHR3-=kV00 zHzbkB?bIFiW%&a?jb2SX-uCC8`i&pIEb-hf-|i_@qcipo&}TY|vIm~dDmx%=y4-qV zy|>KMY2(AhcE>i9knWEgvK82o&x?6?5d;5ukFoTo93tb&-Cm#GQZg17eGsV_vyxiT zV(+{e{cbi5-nr7Zzi?r%+WFb1ql@fqyOjTWwokib$IAw_n$xD0MK=gDw{_FclfJEN z-&XVBON3mv0@JyV@|Ua{`gnTLk;KF2o6TDP?yai*AD!8|@M!YNspQ5xGjCOFxq0;I zy?ONaGq)yO4jhBL2WqBHWFH#&qrqFQuEk_OSvwF}JV@w~bU^aU$VYb&;Y7^x=Hmmm&ttrwDK0y^o1#C7fBJJ5K%V$(5W3*C%XRe&x&z)yEY|TykQ;NOW4y-kIkVUi+zBqOd(@&ZKs$ zY^z!5{zMK;=mn@ksIEqS?68&lg`TCXOka{dClt z_gTlGlxds=xspw$2McKhBGLfUUBH^ds+5^T;edeXlI(z(Pzdz z<@$MN$`Z>H2cDWfvyI|x>9o?%2Gz_F-E8w&_3>weSH6kh<{GuDxrdH-wP%O>N8g+O zTiLliTl*`g%i--o-gsg6(`nn!y#H~&@YkPO5Kc@waj`hNf61|x-)~rHE9Rc8{f*$g zyKED0(Ek1UC!I@29y(ssZ)USI4{kgyoOi$Kuj#+`ZA1he-Db2&+~z#2 z%)VK%y?9Map8g_yc8P!A(D09nRfPrFU!7ao?a2}>Kf0rKDgb18=GY6`mAiW8{B~wP zUA`{X+rLn&|f&3yJYDj zx?^BCFS@Dt*5u){0DItWy8h0rrL)`jY>9Ot8t%rK(o}5jw0E9$+v-24>`+tTsIZ-1 zpzBb0Y|AHkrI(ofewFWKgSp|!W^E$wvqQ^F+I^eE>GQX-uhd*+ozFIJ30^-PnRw-` zoiljTNkeYSH!UC4>Fw*3I$qehd!`mB+4IbWBx|<`vJl$ucd(llznsMUl|`M>qMN5H zP(5^YZIcdKLyN}EZ;-|3)n6O`XuM8&Y4fopBd!J9DTTE@WKV1s&=hSq07cR 
z)7-84<-_yyubFZrQ%Bw!^R%(|L1RIWEmFp&UF)8O$}aca_vC%ebf2Q}=iK7s_KYJ- zau^uz?TWM71i^yjdp~McE9T$ax#4K1UV*G7x$+CF#hL0{ z>%LEhkWc#l#j4>&e@vP>I`WGPc%yi9Xr;4MatGnrONugmOo3;?J*zgio9$?;k!=R5_KI zq{Fo+bY1LrcG|+E(p~LsXKsJP3~ZdYZyj7YYt(6dTI%pDZSFJA)E~7w(|46!O35b< z>7BVYebr3A^*puMgZ(-rK^nbE+^!W1Gy$9cq z4chc=>=ZC)my%|*OGH1)8F6Fkt^UQzf^2PCwys^py%a1kR-=fayX-@X%kbQq!^0My znsUIkfA9Ics+?Qei(jsnZ|ti2DDcg*$G^;#l89ofi(kk`XgRHVK84p#pU1c}N%svu6WW2s= z*eu$N=CzV}A0N&egHB6dyzSn)&(;kt>v(!*>Auc}oT(Q|x9c7fI^dn-M((xDX>02| zK{;@mO}Vazxywl|kg%O=+aJzO<$g4H(UV!9k|T2+m$L^d@SBQKe|pHibz%K7r8eMxz-iXHn3{wTW^l0BDG_3H+qdV=2 zj)IxMLQBb1Aaf-(51RH&O87ZcduEGZ?w6&6H5(^R>iCGfXVuWlt8&b3btOv%J-9cY zXMA+_9plCPlilCDdtf$uEjICuX=Pn|?Xu3Ki+3HzE-je*F;BT>;|A_eCBG=WwB29q zI61R-xXH#bRUd4xc{8=JcVh%$g`DxWpCY1QyYkUZ%gO5l#11E)RBXI=YtV=%N8p+Z z958c$c9ySfm2>0n_F7YQYGT5uCrfL$OgCJ9JZh8-Kwh)w#*tmh9p9EdEEAR9xL;s8 z_CRn^YAmi8k(|gP!d>%HH-E8Xqb!HMU=V}x;F;>7;m+>K^g%m6K2rkhO>yq2)}lF6 zioRmkX~;uYnG(dhebS^u`;6X~6kW%Re)#_UPw#!P=+1#>#}vgUHxs!<{ZyK=E~Ls3 zm`_*>YX=tbPn?>+yi4ab)1GZ96hy9ftndovJwAD`yL79)AU!hTF$QSy)`csE9Nl zWdLDwcj8j_#2uT{Fx;)9t6D`KAJ2Yp_foMolFXAY8yU&oc9HU6VerJDqVD&-nHGKdI>L;<0JCMN*_0TB=Z0VPTXMeRlj zO-7RB93@9Zl$^69$vFs;)19lqefGQeKKr}(o^ii%ejNWWhHI@EYSyfJ>ZzKu)3i(C zmTyCpPW%VaWUcj_fUqT^zs$B1DfqwOH{fb3^e!ZO7uuhcqZx-h>-e_b#Q22gv zPkfcl`0#8FL=@(gJRI@SdqwFpSwO{9uRmO=JG^gMzRt6rC$QcjuwIiiEa8VbN1%5* z`3|#-TnalZDxxP)r;G-nV6M)gQs^YHuBPVZU;j=sQ9XNg66xmtlt>^wezS3*YnNHd zg-cq)qCYw>l8vmf(LH-EoSXXeOF(GU?p$uFLuf*Yy~hOHs)&1}((VWEg?DGiF+Ib! 
zKZdMZV3#8bL{6%Siq4*Pe7>rN`7mO$L7Hb#OYXQ(lRX7IN4I)!cB+(u@dw!ndMQn0bTOJ7WzjC|IEw}qX*MfB_<3YP~rx%09tl(2{M`@|qHB+_4PKx$QT zt#5o>oouLo9km(C?kA$$byy}Ean?a=`PmD@9#xfPpPT#l011=DUm68rXp;k3#V(Dc ziZ7;Qh|AJ=O2a_EdKpagU@M%`+mkiG&+L%#wp0=QT=TvSU zNXgjxAf@_XbDVO1@bwZ^uGNxT&hMo*@pN5=Gro|KD9mvG;==`42m)GVO297?cjpY~ zSFk-_%Q)B{47QSqc(eGave(LO79L*t`yEoK+tJ_M{SMo&Wo+o7be7}6LQNGGz4Erk z*(OwH`31_AO+3MAQr3FtIrT)oeY0@wp`!SvbwJVVU}?I3ndMPKv&HaLcfw}PHfmf>;sFbnDBtRTP38U8+}gzj9_ z(Y&s&2t|9z)O}rosG&IfdOm~nGpQ0IbM0Ak<=+Cm8aA74u|d%QHr9$n1PxW$o_%{-tfxud1!~(SV18 zXg18qFLdw9TZz%Eq1DgQJQMF2(+kdItLDCBge4c5-9&!;3i~uM80>qsWu*M9Oj=!Gw)&~y}8M_u8n(SQJ z9&p}tD*ObZ=RBv*?A>4eEtd|S^{L%susY0Ylm%GB&==HXahVI1rG4T6hZhI-xOdW)es-A&nyqQ4+Von{>L@lHDI~JgM%@ zVk*sD^XZ`iJNlAT9qCkkj@Eqs4k7?(tVYykLB>Gk=O%Ye7m;Rr!nNGOfea5?&n*nUT>uMyX2w)z|gX6)L+8@dGlg z8_kI?{ZwFqg8sL80jo6e9*EkHMioNcHyQoa;iGP+2e6rC4Ti4zH;n_H&t5(dmdmf>qQJ$ZBBf=)r*|%A14DGHfFaJnu0PdQfICyhT97-;AJO;?#*F)ENvw``nMuX@fpOV{fntR=ktOCK;${^G+ z?ac{cg!`mT%T$;-T8mYDP-V{!xW}TeXTQ`>Z(g)WVi)GzTqv#uXopJug1h9|LkOXb zFiEj{C238!*UcK%b%p9;g|VzZ@Dj8H=VSO-dPJM?klfIc5EA4mBEW*och9;2_bNe% z;^vu6wiym~K5(Un!^W2e3T;BmR~Hf6o11b4H0g8Qk-(M7G?&YU+)J?`?M}a!Unr1T z_jQW8?7B>UsbT2Tkpk)6_B_4Gu9o!cxafnX4at`D!szMy-06GW_YeKik(4X9$U)L6 z2t*o4>?N5h6U7iHgY~c*w+p)s^*?QYDteOrV9VA)g($N^#D(;-->_!8CrrNyt3;ml z+hxF3%WT#~BVbf9HQ`&Tg?uQr-N#6qXYBRaL3^+5j8i##38ZnsLvg!g3$)R^N$UhL z%FQ-aUW=>aRsnKlL;mZohjWJqtY1Z)fZ{z@x=cn^|GhfOdRnN{sO5t~Zsu&s+rp4^ zU*N8F^0$r1fjR~3e+y*^=Y5mP0g^=&1bM2E;L_C!qRXAWnn1e;B+#@tW7HNM+_&f{ zvrm`oA6oI1E>`K+FLYD+T+}A&hm(0Kx4$(n&F>W~r#8~9D|-sKm-~kex2=nz@*)ok z&x|1A*AGFe2P$VEy>-wx51Vy-Lc=3S5w??h@$h=K`#J)S#d9snefU=Rp#S=|(>5h* zpRwCY|1wjW4f*udLDd@z`Bf9@XO=Ab-FhSTWZ@tS+Tz8j62^!#IL!V9@L0V{+u=Z6 zQceRkr6;ONW(^yDf@eDpmy^+g^rL$#(zl}TR9Wi8mLCkkw_l8&nKzY9@^fF0SD#b1 z@BE;i*h-fPIp9P#6WYDcl&04*+%w#<7sSqh;u`ChAoJ`sS3xuk3OV*~(zRp#4woba z%DbOyjpRD`l<6@wJJVq5{G*5S3`6C$%VkAAREbaRmCKy5pRH059AfH8QI!$o%VbZ! 
z)+g^fnC&_7oDiX#kXsTBl22Jb<%0Uo$+6*s3?|GoBZPQUuCMfJo5X?jfoNXJZg~V0 z{Bb|~y$ni)=1kXL^w98G27`FFk!Z~=fGpx{hm){*T2lJV*SkJuI-CJQNs=c`RpZlE zxaaP5anEmNxTBDdeeRoq5+fr@sQGRRzV~zNJfZGUru$>guG>s44hfz{#TL_+^BkQJ z-IR1)kAuDF>89N~wG!*e1c|TO9Tf_s0vV=vOtq3r?~PHDc>XrN%5A(q(0ew+{rMH2 zE)ZVV-Nx7AgvB(w>Mvb$cP(6xcHXxkBvto<5SI} zPT#1!l4qgQA<3(gjWSW?4Lv%U-2!i4QT1Z?=X?AGx77igc4~gH$Hn?Bj&adndhehO z!Z0ssKwmyupCVgbau`pnTdzS>aVbUet2q6h8FeT$o$f9D;@MH*+M2&c_v!__cyrh} z)4TuB$AlwQ{T@NJ_FY2G=lSfa8=#Cj zkjwCUo#S-WWo1^QqY|>`2oK~|9~H{W?`FMh#0hw;kGB^djDM|($GF<-v~`b`Nj;TS zIqcuRPty0v#BXAHx)Ic+Ca5OLswykflCj+*{>YH$1(m#c@`DmHmxc2T)zV=`i3%q$ zZBmleCx}xrZWOC-)I#*6xR8G|5H8$+M#2hLSQ9V+Mk%lARzcQ9)ma) z+3AzCZDkHtj=PIRnNPgD#ZxjBtSYx3pJ2o?;^tn1IRPIvw4#NHR5P$!fcm1_Z15d< zF$?1~)kJSb5}hK;V6*Nt83Th@P(%BQLqX&dlMrP4pVLD!p#O^uL`YxECWcPTrDuoa z8rEvV&_%;eayuJ~?DW#ULGNyq)=hVSR4HztNNAvZ|1i)T>q%MDjs#5Ke9Zpx32%fP z)Da092CYsD5XRrFj{k{yeUE4Llu#ge4%D=W*q?Dny8h1#|09S0(TD%p7YyhAd)fzC zziW3UI+aA%xoWqJyDOX>!ug*++G8VE^%?t7yE$m%*T)Tmdn36_q8*du!*0?oJYwa1 zOknM5f!1>3N)42d~Ni zvv}?TJ${KBY1I6pG~#{IS+G3 zUXPf0U%8FKs(5#}hFg=_PKr#$dOM%sRo4@MqTVOrKV=wUD=G4JDA?HVsoViD+D z7i2cEqhOm=1mI&(xa^%{DSUy0a`VXuyOQZY4@+4UULDt>8v`F7bXsRgFX&IF4$~qW z$L;b1(Y`18-x9476Ra~yA&^Po0|Czru8J4u-20$%{a(gjS;|L}s*o}PuT28TA%z&b zW0y*Ow2GfKfk)2f|0Me9&+Pg|Yfb5n9*VsM&_e=q>-682`2M-$(UT|x6!YB^=K1F{ zsm|BOCoDZP7=gqrdI>vo{yhBB#BL4MdO+oUlwburovx4VOdSga{Q_TA_^3l#Ca@A= zw#cM=^u1PbHWm9oPnzz{L1m*rZ-_&Hu&<9~G*qOdpc+CsIp?ZMcJ3l%H-!COGhvE)0R@vr z;+)?Se8G2~$QmPV)$_-F)j)+KLbQS2(zuTTA78gS76*YeEj#1bV$n!Q?KNk4CdJ4r zR|RmSBvfz$=IkLx4tvs_7JOZ={C>J5C<2qEb=q9wAZ3#G2Nm3=cWJTL@DMO00*#z$ zCR2qnE?_5cV?10BGv+dOMRGC%hzSsVqu!vD6NSvNIU?sk!v>_!hDFmk$7~c4BSl;e*Bo=g^5<3~iiR)mrML_n|Q3qQJAM?R;e`12_Wx8NN zQQY^ct)w_Q1VWm!wB7qQJ#t946VDfm<+Cs28VDD8mnw=I-~=09)b2D0gs4xH2=c$Q zfwj80rW>&b|j=ce-9_pbv30s!K;!@S{yJY zpT=q~64O95k_1Bwhs|C}cy_!3;lwk;qVq{=!F9!($go>k@lca>y2iobr8* zGV{eP7K56f_^}-^g&jZE9>O|b#}lb~B>-{Uvc5@jy)ElD9_;tiFh zKL|9)1JN>pOk{z+EQ0(?#^5Xf5W}XH?EbNs7*EdtF_dQb6EhN>B)Sk}@bwL&*BA4Z 
zlqawDwep`}2km-wQC_3hC7^v${j9_P>XC^iIf-9t{W0POJ45wwL&9*)^kC)00w-B! z@pQEFL<4(vzMBiES=Y8&{8V&{^$RT=>*RGLCZ}kBsB{YG90}i_Cd7HG=jCf=+T%$F zBJSmnl}twmf+I4mb82?Ct4sFl!Ly0_z;_mo-UAQOaU!_QjO1ElId(z**YI=&+7v>0 z;iKOLjT({uz{YDZqBE{Cec?TG z^zqbXfn)3c@=x0zo!I2ojz%rV%-8%98ntJ}antCGYc~$~EA5N1A93PW<`RDOR z=j)BDN9MkfiMJVd$jmd6_PFQBE4L4L;YS}&kqR8ox%yAfIZij^8jj{H$HdbNsm}?| z$UjdbDMe=a$Z^B|Jq;7Uxrq}5)qi@%D=nX&bVTc(H+mo=YTmV@_qDdB%R`*jU(X!kN?pkBC!k}=ZZ z9FEbqdr7dPH8;eqIWT^PCs~H3aJwG6bbZX}*nn;wKZd!{JhsK)6vpWHrKD97VlOdZ zmV5KX`rB6BJ2MBu7S&;8i2I&;fE+ zQfhB%NKmq$EAd>x=7*aK+RZT-*7~kbN)5IgLWjF7ZIi({>x;rG9`7l5q~^NQr_Eba z%B6iM871Cc2wog0(wXd^+|gEU;_eJ4{x-ccpS_uA6`TWj8f@p}b;l*|2j$rsFMgqGwB{tN)Bw!|e7z|8 zfbiUvhcMy&-<_E$)hnZ4Czr~W3*D03lH>5Ux3|a2zhvrHRWdU3JZ?g@RUIDea;W64 zX^dI_FiqB~Dw_NrLcNP9`kfM!ZoO2#rs%lxg(#Ew?e6y<2b&y4g9vaGE)Yg9b-%xV za=?)tmOC)I=bAS!?RQOgA>xIDQEfd!i(*N*{7n*v{cRzWibd}1iVbbYsc@4TU$*}3 zAFioCo^FOxpJFq2z09F~?|mSTQ}BBOUnPMLhi7pH@-6aaK6F6`n5DrjW7Ij%M+Ac= zL_x~7^F18c@0INjfE^PCA&K>f>!z0Y!;vQEp~zDA$5uAaN1B)eFAG_1DpYV>E)449 z1M$qhZ7%wiY_jFk#X1>oP@ZI_{z%AAh|@vKyVKC`4pXnLL)14ZiviX}r);zbxUOL~ zIR>sec~DgP7@SbHUhmdqrcPXP`k~qeVwv;``x3U3&JkgknfZ2Y=h6}P^#;Oa4QDn% zj?C`yA5Z+)_f?&l56%-Cb^5*h$9S#M=;C4#s;Ipsit$|jO3&q4*)^yjB6K1D?kw3d8VsBOde0qLi&PeA? zWN)#gly3I@i&y!T-<+pDcmk7xixN@4oK7HiCP->r$b)p5taL!Bci#CwX863T9jiWKR$=Cy5eN2KD7?|n_q~P6eAAwZj8}OeFxqJ@^^xC;b@-*Iog1u)9NmA0OXoUZpnAx(+mD=eR=4|R10MJ{J5$HmV*sdA_u z{xFF&XM?%!{AT?XS9)*y!r-#*iqoyEwP%Gtt|eWdPxo7!Rd)j=u$Bd@PRw4;LTaV! 
zb~Nx!r+)pkWRGtT1(jd>W zShu6tK$hPwEPJUI<5WRaeGd`jAEe>CB)47OA<$~YPg7)8)S4|_p5$ckvG=^I;JTfj z`6lk*rh{J}ji~;EFf*6c-KIa@sA*=iuM6jm(0%gKYyn>g$}1;Z6Q&pjD9MmiwuKs} zRI*|m;bbd;Opd|9I7BFcX!t=Y;6#m6K>@*S)52x&5oW{b?uX@5yZ*7>S5y4F5d{17 zgcugN->grvCSsibI0=CX^DoNI>H-!EIKb5^my({CvK&6lwQAF!XOX^fx60AHXxC&eZt`l&YDBbXujC<-CIIKz}Rtgf@B`}KW=bsfG z*sfrXBC4T19##s>%~(lo2o{V2exlk?fdL`jgNt6zi6UTvLDdSckY0@u9S}U60qlvb z%qf3g6!L^J?0#k_v5+uHR$@Nqgfi6w z4cdx%?tRs6ImWJ&4i@WR@c1$atwB`&xXIujMXzvQ_muBIMhR6NF@ z#bKcHKqC2X`J-ok;;ahnUul|d90LPFaLajP0n4VIR<|@%7N3r+VdOcGwLdWsj<^i+1a8D=v;S4}{huv&!q-|HpVVRfJpnJv^)8Ky{}dJOxCY$)X3ju#~q5dew} zON}KErn&4!dE6<5@le8n%s*OiT~~!xQUn z3IIz01o$D4am)yXtf3bB1x+S^1ez=*3TeA?v;!;;!h_x;!`cv_lHi2r3ef7&+#4$J ze?J#!6lL$EKs3aFkRr_sN~48^w<~qQ0o{8CvRAH(koa-t2FZ6QFDr$Re}V;d79L_R zz%*CxlVZ^RyjXO=3brpm{)M30d!|`V^}C3%Ugj={-t_=%DU$y}G3MO`ks~GemplDP zqF|O$qrE9A^xGgJPXru;V7&|}K3EZgx=T*hP~DL7LrT0$}418 zYvRZ3<10ddWEw!WlZA>;KT90p^5uS#JkBMvbatKIM=&64CoVyppcuH9F7`ER7!rlN z`M}N^=WxVLl8`Zk7u6g(h8JWfae#ptRp`U9PSZdR<4{xA`p>R{#iZ65gqa0x=B`;JdiJJ z?t*u?{?m8F5c1!_C4l0M)A=Z`R$m!IKxWY%}Py`PX^^xU&ml^1DHyGbf1p{SjHPil*Li=o?v#DJH%;;Av^=C zDVAkdVnA@XnCiaA2}4_rCI1~nUFCm~x=Vrr_y*)F_yoWdO9}oCbb#QITMu>ClNR!= zNRn~3OkpfKeyJFIBv!@E*C<*vY_$lc@Y- zd0SJcuhMqudXheA56BhuHJ|!_Gh{EmOr*^`=Y?qU0+LH)seQU*ah0n#SG zfDDC6|FdSwCav!__sn*`NvHD zLYJ&Swy%Tg?B8@2x8zLENH6P#E(}-btgfwL(Q$Dzf^=^HsQNX3i2+d|au?AtUfT_v zMt~pQFez+w4{R0yG;^Zr&41Iu+MDZ*z`L{Sr{UOZqFLaSH_#$$a-e*6XK_pRH?+#w ziGa=i8aKnO>~#}xQcbrAM;H9ff4|0UxlYEL3(FGV?n4o_p|TDC#$A2JRzEk5=ohxd zPy2H8mK~=jZ)3vPF{c;7ZR1C<nY25` zvs&Gm-iIE#-cetw+;^LwecR#(X8?|C^WpDpI?y=~91i@Vm|&kCHwO@&r$qAcvzA-| zMJ>)^O)>lu8%x6x*7?^D?LG6Kj$Ah`T_tOfc^iKb6@FuZV8h3BeU8_tM)a-DH$STV zB)fQvkr$i71)+QMlb16_&L7Sbr>Z4q*-0GC24TK+4A^Np4%_ao_lR~EQcd$sPj85( z*R*zDT(A(FI~2;Fe-a#DILW_e-P0_GxOYvb$RapXr|7=Q855But6xKrLl)}o-fov4 zJXm<6JBiIW*jT?E$b8LF+bP=m4H?&SZ{G&Py@+hBZ8p#6J({}lUUl`=zCpzTDKRt- z@v8_9gDu0)b)dbB}D?S{F{4w^kykEmkC9kc#-whLCy4hS-Avx3PaOWxJZG+Mf z!@$_e*GR1ZO-7|2s|TF!PCpO5>%aIlhH8)030Y-y^DWGc%&8UG>rx2rag`jlyv;y) 
zvYCGw+qV88b0?GKcPuR`rWKr z`-|qgk#?1gcxjd~t|BUm{8`c%LBaUbvWUoabz?zytKKiZ4~pqw;NCyB%t`}4uBcUD zEyPVCy*?0Ph{+sstN&^|R>5U&r83^>AX`w!U$mcZ>MDle5YroY+|^vR^T4LRfYI`U zMX5dI?!wE4T5>NXW_MM2;RW+SzUr1}Stb~pkM0{C#qt(par}*zMMZGop2={_4(EgN zk9}IF%A%J9OO3xa*Q6^bswhWBx~hLb27MPoXX-GS`)Xx6PRx9xTZJ}RWTcn*go z+oEq^nV>w#v`?xleR`!j$W^z@cIdUja-bc=nj4Up?#+Y6OZnAq9u$J+%_lucxV?df5Ak$WD8bdJ9AUY&# z#hI!InZrmWzmPj3D57d_qmKt|s35CqtVHUE&&aF7KVTq}Snam~q zabBYCmwHk;7R_z2Hi^Lb50`LRPZP+8gWENS`7d80e<9M2iXzL|oJ|%a{dG{g+<=!k z5W-Iyn^Lv6b7g+zmu6>Gen-lyt`;gQJCVDt3n@~9a4wsT&DHJDz;{t^R|F3Yz-63D zHmg6hjeGUGRidbKTahW|Bl|1V0?C^tGDQxKl8A*AU)LlCQO=RlVLu+2;xM?g$3<&B z^TY*>-8UV=^bFOJ;rg05gE`v!^vrDw&SCk@9Hy|uv zw0sS1Bqnw53AcfFilBhzb(~Xa`zIU$#=FH^IwpMIg4+)j0RkqVK~@B(o&jd!#J%S0 zM;a7)9mWjU6CDKNn%kv|cmQlepo9%_C;tFSV$M-B?-p1Dz$cRmbP_c7DOo!?B8tSF z^nTni7KDq@UOo-khlTHVfS(Eddq1<1RIm`St$k(MWy_~0B2)cwrr@pKhCn1q9WM^L zlyUhXk-dz64PAoe=QkrVJJZi=O3?BgwJdexA6vc|d*s3BeuC;s2;T7hBfJ5e3IpPf zHb}QZuyQ3DkT@dAk_Z<$ens1#6TpCTzHKC&z(sgHw7T2 zA%H@sIbwi^6*pr=>;6#$-} zY)6t~Rwz>L+8-^od>C;caNZy+J@WB5s2h0-nBSrQBGd)I?0ySA*u$28k0n9e4P=lH zU^Nm#@(|bcpNI*AOsMsPP&yFOzr+;($3nWxfC%{n2(c`kzqhp@I);D*z&BXpKrRpz zc!jhA;}PRYY4jFyL|$LKFgIDjD=x<%2Uk?ks0DC*FUMb1>F;Gt`=19XA|NE#!bJ@r zLYc%xDC9Wn^tV9x|1d&g z=whSq`t=u-2g1-ur0`AMZvZmSU4-tV6Z;H;R3tw+L|+_0<=ENu$o?%yI4ME>mz{#EgTiuNq6g3*h1CJpXAaGXqRT zudb#+i0}_RQFOSCiR9jTc{SMs97a05JV{h z5&$9``Um8x}Bhx=BJ8~rB6O<`Qt^^Bo)AYFfXNG#C^1cFoqKqe5~ z0Td1PAJ)yluhN%VsG;0(Edktco@d-ho_a4eAf-eLs>jPQcy%x1K3A!yY&{D3!SDnI zMM@hg;qj_lrWRsiBd?*5TPymm>*^&xU!JYufPs{L@LA6Cn|o(oKZqN0Q_ry36L7y~ z9gN_FuAjF4_3d)w#^L~}T`D+FFzC8DWL-<`fYhsckPS@pGVJ3n(_H!7wrX(!?c~k0 zft13l1M@jSv#1lE4;Vgo{s%WQT1_MTB1iaF4e9E@$bp7s$t1bJs2AzPr&f``s=Z0h z)fS=Ux|oCC%=6#5bVMD79h1*da3fm;=dYJ677k2=8Tw*5tM*i{IZnVF!M(G{Ur@gN zQvtZPa{lA13jx5;Fn4sNs7Ul=>nmMC5XR$SR+b2==+DhDVfb`vAAVMQeIKypfJr$o z&w$vwVLDix`*g6l{YM@+w(-!yK;=+fRKL{Lbc^gvNzLQt5A~&X^9k0I4Ly9z-D&E9 z)z#vupcY^c+{8-P%OvtmARdOK8|&muV}ceY8zy4`m>?W<0-1?XhkBk?VM9r}ApX9X zy*(Ed(W>7aa$mER>lhElX%788PZDX5J#=4PT{Y^jNi% 
zfG&)jKpasL#ekBSg_GIcuW+)9TLG7RParQ$-tuqoS1)r7HeFxTCU zV5m0j6G^+gLaQpo$Vh#~rcJOMHPnV{$mA9xG>+u9g~_d#EXZG6TcElNIvi80g?^I6 z1UL8`#RDVEL7nlug+pB*BG>8&}=jQUEEyl$iBN_cm~z^VA$X?X2% zjK8QL{DqXHw=A7yQWg9MyN;puA7*n>ZS%*?>*r; z3?0b{Xkx?nQ%%{6JoI5GziCruP)EqG4UkX7e`e#!n^15?f`I=L-6d zN+pr3fQ#8^0pmysEqU2pnb(h$fV*?O{4MRJoAmWZ-TZ7PJ^gWH3ra$v>IxWH8x2Q- z*JsYP*C+ysFCKs(J@GE#@2EJiJoc{w&U}kL0oXDJl?*n37t(}McASRJ1B>r12x3pf2d0Tc`_(uM(L{tqd!Um77Ua{^>6?(0jm(1ZOuaCk>-HRag`#`3hF&YV2FebXS}ItT9TNBqcn_{&9L zF(JBVd6CLVeIu=#{av?;%T|5^YW!xB&sgP}~Yxv3G6u7z?sP59`bhEZ?b{E57sC~CatmL}HM-0Uq)=7tNTb3YN; z>+)IkU*|RNVt^YA@0;pEb#tcYKhokzbK37@j*t1k)-2oAEV4s+-AL8%d`*FQW~n8s z(b>_$R$Ro=Z-VHeds2|t;8;o5t#zse8Rkc}Nd`70_JCzofCyNC6-N|S_X3cK^~XTo z4`}2QF>A)>a$ajAr(U08rAhn{6RJNKPQ2^#in==okQ`=xRXSA$QCHhaEpn6DSm~5a zxVmb6U+^=&Oy&vSEEs_p4X+VHw#7Y2nHTRO2?anoLS4y?&8Ig3>2P6CNz~esLUu!h zP+itk$;5g}>qlq!LSEMwv*{B2T~nnc2Yx_q*iJAtZ6a6DnrqKPn>C*?A*zQVJ3;)G zM$!Zr4uphI%d{CiY)UNfj%S@Pa~25oap90<6UgTN#bn8XC9!Ejc?s}j_2H^iAMstr zZL=fG2<_`Li6Gcy31cMy28h+rV^JQaNCKJ0XIm<^kgep-A9u;RZI!V>!P0;CRhz?c*;2faggn#h0&eo-G2o75_iw{hvQc@g%=^?Y_}wp|SClPO;mYiSDO5Q}gUoeAuL@C62ZA2gIK8V3J0vR+9Rf42T_(kA&gC zT|tJ+`;#OBa(ddf6e^D^g>JV7vhiNLzP2u^NKL!wtib;N@v#gdt{hWjnFb}Ltk^D{ z1FL-{tN#N#9GiJZuB;m8Bn^D|GV}b2IpkSM>0qod?4O^0pu2SnLyX5QX$1Tg9t)`jeVo)fx<-S;Pwp?AkVn(#k?=}l1+K*Vl#kO5=`U>S3xZ-tc z{KQy^tQ65oN>Py5BJJsyGAw8CVow#5`Xy>6v;`f?d>Q!q&fd#%@>RZ}*>(f6Q66>o zbMJw>+b1CnP|et@ZPPq`#m237+D1frBiiQu$ku_IIbWsud#+ISaM}wo5G3)kS$~I2 z2n2}$YTx`ZB0wMc375bb;iIxl=&vTwN{>F+2h>9X0S5J!K6C3XI1Wp%l!e3~ivv!N zt%O4knqRXDg%o53Fn$!p?gn=7UR@x&3Idj8^pf8N1gx~MmTpcsR#Da;ZOh-`O#^(k z=<0-Q5X$TS_hDFpyU)Xy-B61^KIuQLTrOWP{bAfYWH@rz6Tz7(p;Roiu|G(R7X#3Z zh;jPXeJpy+MvUM9x~H6YI<5FR{MS_DCiA1+>JQ`HZ+*2wQhbJXt_9DyS-$b$1hdlT zo|KA2c~Lpio~b$#F4+Te4C>5AJ=H*$0X>cEk8_(6AK^d&WD^7m?jm5Ru?ewfj#_V^ z!EBk!f^K93J+1doHg^H@s8RO#JMp z%{Z4mdPKKUKG-b!n0>R;Os#Ysj*;CQC|p)ntIR`D^BMV5I_!w@K2_TZ>77&)36&j@ zy!{e+NoJ&~lBRN9Z#`7=U`+of@*Lh<;&S(xJKZXzinc5WK5?zRD59}fGmku_Zn9=4j;=DN|zME`A 
z9Q69LqR{e#kl2LV7Z?z{L79AB$h}|+pl5x{*EmR4Z5ZO%sTtzds|p4oF6IROER=gR zp)8SPsOG@r6qVN@?YF7TUvkKBKHZa8nO&!#S5lrC@(R_DiDWhlhlV-4Up_WDx>*e7gZkKSga0 z&aKa6yT>=h%vUPXJTIRs-uC^uDQHhoR4Kh9=(r_Hs1qP)c@XVnI3F>$&R3XX+^ES) zU6i5yzUt>H?RA^I4OuV8s5>GUn~mO(RQ4O;S8noYnm)Z@oxP-UFmScZSG`bacF=A1 zEa^)QW%ws>jmp;x)Fc_iro)dHup?~(x@hDC!3Rs+A()SJcnoo$@$Vw`0*J%q-y!P~ zdWPRH1ddHQ45|&RSy|#a*$mhh%taT>t&JZ@-+UO}X1Vv3-Sc7H^1`Bg>EdZaDFX3W z=5D!ZMJuOhF{buFlcsDL??Ltfw+mZ8-E?=jvIm^AhrcWnUTxz<%jivMy~MY+BOI-%KX4WG@|s`G)0w}p6&?oGAYD^M&e&!F-cOu9SCus%jsd@ zXSpi;h7W89gntgqT=m>eEhho>#|K?{N+HbeDf)j8A}dbTtp5lKQxZ7nv*bbv5z+LC z`iD8e>2f28f)^{B>r2tE$j`wD)og$3C^IczZi>u)>^{5qF!(z;uk)&v9JmcuTf=A) zSxYr3@6||@i$&ufKI!Cz3T=qHfCV^3eiA-fgq%?-T_>lo39wQsZ??G2ZC25p6pgI& ze6&kuEEg!S&9}@~^msN|a@M>vh?wJAM-l6(BxKzN!bT|YF;oVPAlMc+Ym067!6av<6p91nzS{V%bng}CyzwLVGpkQKG z^7!uBuRA$#1JSVpy{6|H2zdQmG>rf{9#}_X1={ zUs`C|A9mDMWp5pJ&C)9pUwGNbz99T=Z}9yW5oeX3G3d4|EzC0x`WlG8{P+PkNnd0! zBg|=)MQI6}d|5%z`8^!34Q^mnz*Tg)e>3{lUf9oi$*H@>`^b;2??q%R-1dEb&^@(D zSE~TnPKnY?BX3G0RwKIQo)V%dH(bf2BhZ>BnnlSZuZW}D8Lryr@FYwrjMDjs%-!C2 zMd7RsW1Edat_sF_axxyp3iSpT>u$H*g~T`1`&`Ubky+u$4E-v-^VEX*TH!C&oHY>T zGGv~h;*ty$=UobW23eIS_s*zX7$?6kYpY9#zs@k0EV`fi0sIP*(?V`-7bt<~^1wSO zd-oKEMUs*N{K|#0I6!coG7wVKXlUKLB(fl~whPxb4K?3KJe2dw5N?XTqk}<~ulMN8 zt;HOc&&|xNm@A);lSIe{$`XQukwJh%R(U9nC3XjUfjicm*p}`iV|CD5z7ZFm;>XER z_NuKSyBUJuu$Y|0c?^pJ8wL1f2W4)k*V9n1_>F#9cNl5m&$lnurhwB0I*Wa|@wdIB z9EP>l7Y8)YQ*bi`V!_X5DRJl&UJop!;`K&O_(ooUiXf3tfn0S^vm}Jg6^z@>!cU`- zdrw0ny2ie}>t1UW&Ax5%;~rI3hS+tjJchtga8O*^&fflU$89)PNJ9{+t@aNCfyNbs zJwgcIx~)GmQ9m7Kf&f4Ilb8j5BI<)Y5ZX1fZ{B2cU1~}S)JiJu+4nK1JHfZ0GB{c? 
zFbTFRkQAA-<#sAQUQnUte)LKENX%l z{L%S5GR{yLVh5<=O!&&B!7jP)XPxnor~EXgj^u_ysIOT3GKM6)_}6!;?mL@KjfwRaHu6ui3^LA7<4FX zpQGP-sa=j^p_uUr(j71QAg-`e`f9eIWhMRAkVWHEDsXI9T!hv#UiT7-cItmmqQ6;{ z(YzNYI5d25`LIfN2kRcDKlu3jL(zbqCHCQzlJx%2W@E{elqyY-Nq#?Ewqnn_IyfH4 zTRlXQ!tcpDQmN!R7r?`=2)1(C3GW>m<78TvM1S-PiuOPUjthtr2x9iEGPWnr1}8Yv z@rZt(t>i5;@!R-mqAlEH)v*LwU#rIv zjZ{9F36P$4?6(3EVnEw?*%&a!eRenp|D_4S&2q%8*J4alP6c9KKXW9A2uR(xt-@;> z<(O8vb44xdK8g`e7<)_CHjkWjW7-VkT%&}Y8uBIfESLY)wmEx0|3wWIox^L8&PjQv z0Ss|w+n6@=r|Sf~{Y++1Hl*PUjK*?a0wq=qFef{)o!gp#thpeP!|exR9?K7*BSR)sA$^sUC)XA?m7O?nK5% z9sMyH=}TJaBBD#~1fhL8aRKkk<~9*9^=yxx?|#Vq@1Rl;?8j^nd!2XW<0Qo7Pp-Q1DE73Xhi6Qw8T7f%6UY`2@3+?g z*+-CuMw*vHBs=mqB}f!}lHHdD;R#Ch-i9nPps=`?20sJ2707-WA&GcUhtIX82x8Dt z3MAr8##7vTZYU(&>0lTX8Ag;L5Yh(Wz(PF9RQW z8YMS3QzLN{e)I$K$IC`iMyv$@y+|dM8=%&)*~nVex5~rUF;UqUsJ4|Cc1vLRB0w2k8Z_*45wQN;L}Q?h?PeayJd)!< z_3Fj}Xaw`GF9~NbbqP|YU7$+Y%UOUGfdIdHHuqag9mq5X1W}8igzK+Cl$JCGX`~Rg zLASz(o9N&!9tOqC2tui=rr$1tR%jd>1Z5cz=GFNZ0VdKqpA(fz5qr+v51DZC^4~{e ze{0ACc`F^f`Coado=?LB8q>dPDhnCD;r*I@9C3koLI&hpM)R>~;qMj{5P9hQo z$vJ0GRC17B1|u0S9LZGXo*S&A*?GYmI%;s3z^}9Lp}awgEY%I! zl^)$qOF_agHdy~D7wu{MJN^^Jp>#Qt*i5ALc>V3S#b+ibGg{LmxAxVBO3a@qJ&P_! z_D2y|EQS0^uR}-gxsx0E7U-0lNO8P!FjL81;N;B8uIRTs0`|VovfBg*ul$fE1}4rA zg~3;@sJ~lzp%+cy6qU03(FP-5=FI_H%sNFOrj=jzhkUkXzmu8m9nagJ<(86NmEoB5 zM#Mt-a>{YlyxrO9B}N@U2CFNm&CBj52eoDQH(di`++W0|b4LWs(lyF3fyVmA65%z{ zeY>uv!b-8WW8_h^bl{~4Yt-&Cr8R?&!_n6GQ}xbqbAAt=n;B=Adjqt-pWc zeN;5zXMH|G_mNjk%S+AzWdSXTDZFd8xKQ+gHO_@A}%obsLJawZ>qrBi*br-t8BC=wkz zZ{9h~VcGfS-b<>160c&zvsW%=j@EaRi{0qhVY9w*5kcm@MSL|-zBupgJ5(I}pfd(n zLPe{~wQrb2-37M4ZW|ofXxeXTM-tWkJ#MKh+h!%Qed#jSX`#Suc`wgh-P_#0Xa1g> zgf>d5*Hv$wtb8Z6!dMJVxn&Qi(xlHP%Yx%Vkov0f>+Sg*yw62<7@PI3?ALuh6My^V z^*#aD!Bl>pS?=xV#_RSCl|QVo9i598qZmoIvQmx;gjdiSFIB%k@B`)K!t-d?#RiST zC8(^=cv-%In9XEs+S2Ep0(z>b0c*6_sG8D%_o?4u*~(N?N{h)wm>g{I(*CY#% z8tj&bRL{bxr%!pN($q?Q)Am-2?ULDAy;4eO3#sb{lxmMSbLd&U4|ayOyy4|6(X2C# zqrbHPAWGPp=WUkYIDe@t9e=a=++JE0iFOQK67VV2Ibm! 
zAimkGnO(GVjn7Z`;k{UsRhNYMmdD(E$glkxJ;D-5Gh-UtLaXt3iXa*lIQ6-bF}~vY zND?;;=$~>}V7mgfD0castFsW&8`U%tKM4V%@z=>i-@F6fJ9b-^Ru7zj?1Q2epu9`c zqWBZVt|EppcV$Lc<5`?_P4|3YV!VR+#!k)qh86rQjRS6Eo73NZmu2bjX-&gU=bHA+ zh&3nn-R)3Z=OHvB@j zUjYjkdHN%91kiEtNbQ0?RS&S0F0`9QMb0z97T6r#i}WxQJilr=g!Wgjl=aym*U~Wa=iR+4%Pa?NE{mjr;G|%z zw<=n+=5_~Q5LkY`RVCz22^m~oQATAnPYW1NbFKS4TV~NLn(`dFsvvieOmMWKEG#~2 zWb0Czl4c@K*5M-@eQ;y2m=Ct-ru|mcpI1hXBDP00j~(X9ffh@;or_$4Oy#YLEX(2> ziY6GdB-3&;Vt=}mEI_t<(L_XJKZS`A(Vwzv&3PZVht_PtTAjd}vO2k@hjVaYxEXj; z1O_|q$;sV{)z!v|otYj~T2(C{l0nl%P`dbH-!CO{P<%s;lM#B zSb81xA`t`zf+=ZwcwMVE^PDJ&lO#Vn{PF29|JA39)Ht8n@N9PQJHbUfAzUIzq9O)kAH|0a}o(ekpEff#5@15aJ!@$oCk<*cA`^` z8QsL?QjUwT!)H4MlSdp%fgrztw_WfxjAzh5*06fa#zH;Y3%xpb9V4w?~UIG#ofYt`63wKV1MiY8lKu4 zI?OyJ@JM1nlZ4!IlYS8!bjV-4FG7;dr15IWfKhF!SFI@ed^tc2P&-Ze1;m_t#0#Ud zN_(N&o7Numt+XqO1W=s{>^EtW3$M)ZUB^z&?R+BDawm5=wg&>YwRw>KM=7y^O9v4= z06O7BWhK*>X{T(_mPMCdgJ}NNpBLlW=|#bfapL8OC47CDr<~hB%LWc5U|W#P@el=t^qTjtETf#w>k`?{skfIZI)#TTQ+0Jvc7rmdl|deYXVw3|;X+kBD?LfPnz=p*%-~RvnSY=l^~IxTC>$ zVT=H0k^;B*DaaxI_n-dz^#+zSWgmUmdv>fUFZs~|L_7m4^nw7FZH92!Xn=MRqyV@! 
z^RPUSmTQ?(v=7}xn#m{58#6>o`!X;_pC0m~qupyr)7Vfd4UP9O| zkDtgbz5JG|8*Swjj0lbT(3@s(ZMtJ3*9P-G1i#hr9e%eBy`8UIJ|&g#U!ith(%o-) zq`Tw!2{Vx36WaZ^*Gz>P)OYI0;IE3LpLC= zn#xjWGSKD09L4Wf@~qdc7Jd>U(4x=Px^Nmof%(azjRdtytEC}pG?^odxP9fk6aP!i zp#BdP<$r;SlLN?Yj~@ zC>2O-o+I}AS(y#&A`IP~AmA2xkr5$aV0-Kf`B*RSNe2*Gd#dKd`g-Y}*dBQrs71(8 z_~wtOV9OiaezDoUbOAL|XP+B%&}xn%eLr&vWdBNM$$sBTqIp?(F>l%%)!LjIFgv7e zP{7Vu`KTBUyX=x-2l=jwP3Ln(-G9CML}H_PRx!lo$L%Cgzt@9pl&aGd3Jnpv01OY& zHH$P;JTSCyw-g6^k%~xAcpI8j%S^aFuX7#hH-+yyhHFLUNNA2~M`zY0Q zC-(g2Z+@>iS0J67m4vh1xSzhRY?kbj`Oas-d1tF7uCC2boaMdtMI$Q?Vk0=L(&cu?C(8yG#pFek zCJ>4b8%0Gzv0c>RtU)*-hy$%o-)B+vjhxs>ovo7C<&~w38Zh{Nm0GtXhtE1Nk>3)A zt9f0`y&*NKi0*!$jGV84t9`BKUR;Le4+2$TZ<+&^Plh6kzk(#tZJ!I*H71ouz;rmb z;|U1wH~y9~aFo4&rt8as1O#Xevvq*uC&ZzlRaCy2r#Q+4g_Q zBLkv)zk!k_qqv@M{bipH;fzhc<+fKq+|zHYpad#exZw5{m)xXCS9<6fhu>ZKqhkqj zMa}~r;Jm0UD9^(NDso67*mRFIZwbQHc8H!H1JFT=17gt4lb|iI+<<>ljR+5*+clS} z@+k9>F=@=fRN&*TdmMuM|LAhWN4QE@=)f!9y4ly&f)WM~2`AqLA}4n`A=dNUyfpaWiRz4&Md#{Ur>pt=2q zaWi36^D|8b?mK+t>)y2}B5zxkW=qk*WFoT+LDI}09h1`u+!GHBIiCBZ4jZ0_{Feib zSJ^2it)v-qElUuL+Vy-kxp=bz%lPK$x38Ip(pwd|fR%mY_AS zd;RBDM9{)&kA`vBVeJH65Oh+2~8u<9#P zK2!!TMbdVj@&xwUKuqN`Slf?HDmaXte`OL4Q1OzGf*2VDIasxgUlfs)N_VSx=wUVQ zGa10dM1on;gN(^eq*P=FySJ9PgH1g6bkiPAV^EQ*6c|7{*pnghbzzlM0FYNmPYezI zwVzDT+S$DVwRTg?D{|a)iB`pl4tRU#@CvTEFHNmu2jnNh9V->(p)?=}lg%A%XH|oba{Iwq*HT?d38Z=wb15Hj`lX(RsDj z0hIiXaJjyImm>Pd(4womhr$<1e=f(H_3@(k4l*C}dD? 
z7Zk7^|c2Z0ldz-rwbsL+mepS%I4>!0eJtb%B;~A8N>6?l!?4pI;n1UuQP5Ll+Ep zCp5jQ%@TeadpdV|VkHc~xznAZD z6E~MpTM?O>7%RGKAbw_5H3Da1NO!03OWgRj&7PGkliYx0$$^~0I^T~tM?aU*sr z%MH7pHS}~)kiRVb6?Kkm5)WI!hOX^Wjajm`MsGrHGV1uY%h1SDb}Q{cY(EcVbfi2< zxspd6>x}L#H})hstGqWJE@|I?bLVmHD_V(1p=XosE~}wc7k4UFD!MHKiGQJh^F>z@|y|iFus4877xhrGV+bcY2=t|(uLw^+gHO_^vt&byu z7N6*PFIn#V?7h`)@~qKg;5oldzw=JOZPKCC^h^9CnV-nuOTkT^B@-qZKH}b685JU2 ziLO#>ggHV&aTkBI6t*^;HttkZFB}C_3nlb9ipb^1 z?n$-Q)21BlPv3b&3$BUApUEO(<~$Mb69r{gzHs*kEk%~#xR5H1hJl>?v(-bsU!iW( zM-#n`2mKS+I$y6krboA|?KIfM`^z#syMiYsVh&sPHmPy+kit2PxdDl|JX(39FxjEv zopbv1$6NFx<3%|9sPH=b-wV132M z#>Za&I$Fa?@`IefSUMxJ1xKm?2C!jXaP8mia~O zwDXKetI#=VWt_OvBBcT4MwwTfTxF81d9*zVBJ`F`YblJa_{-C%wiTDdKse{`$b z_vh{M<2?ov+w20ZQDeT=A*?I2n8#g~+8unkJqA(*4+YvaG9ob;1?F4nu(e3^yw;NX zmRTXya(y5mDApD4>}oLqrGaX<48r8-tW)^cWhceD#T776x zbTwo6kFRpcjWKX}cg|0UY8w@y-x~88SNym-k(O2fw+>D+gZ?oBL@G#S!`XClp~OL;Xm6aBl}61@@-c^L!b!hBhuRc;K+Fy36K zGZ4}7>2?sf8F+kJdqHVvE%?ZOUZ8Xq-IyeBi!OQ82dFf~s{nUIuCpZ|^uyzk<DPdIiJs4u>u z^Gxx&jwyD^t1=&p9zdBXt&Nvg&ArvNYQ{2IH|Ggeu)%)FsV?tQd@@+!;mW?3334fD zgGRgq7v6)G^I^VCQ0(l#p6o{hTTXeZ%J(2H{$mSG5_Wv1DTDl^k>Br|a-;WS5*HPT z%Db^OvR;(Bk$@WJiB91cS&sjzh(4+Amu0^JPq$)+0j^F*h}1|?K^+rOsiTkKw)!-! z9_`F@e|Na^hsF+@9K`V)17h%cEhG3fFV*fIb9gL)uGU(XOGX0-0Or&OXP{afthu|( zBMx|Hr~MO_Kf?BEWoj1mGoWw+tF2piRyahzUS^d*HEm|L6Bz;0k474!h0pxuW%HD4 z8eQJrQlT_+>Eu9==AlX)#6w@4-LGR@V@h>zH?tG`8}*H7M5 zn)p_GGv8<4@1M!$$#R`gG2Zkf5g|1yLJm%h!xmPQ9jf^Fg;i78OJV_6B8KvEE&PmM zI))q)Pqo@2o?uS@VZNY@kDPb<1Rr>DtXFJ?@8mO?il zi3e{YEp|t)1H<=jh@h#6^}Ns>j=;=dls5=uEkA#s3dSb;up>XpVIsCiCyaDFgrmi` zEfmqo*H+izi=>z?8|_6v_h9Nhk|xi_%35;`&#)LyRq}pAR^~k{3s3tO1v@p&p)+&c zrtE}$bMi}Ly8zya;959+-aVs|3A>bRpj+G?*vy;mpGzfTHP?z9+$*~CPE5T*G8?}vwYoC^526=fwQ5c~yp0xINJ z-0GC+HsZQ#L^JD+K|!;idaJNgQTm5=A{qv>Wl6WW`nUa&Fk8loKjhCa=#38nrisiL==~02thYFy?D>lQO(;@u1dx44q?|0! 
z+Ro#Gr>z1(l)t13KFFjkTI`BX*UEqV9-IM|pi$)fg8`u3t@$uM@W8v!C$QFDT#>kV zKAw)`ra->y(!o+nQ6VT}Jyd4an^}OvqCoXZjW|P}8Y*FD^MTa_aO$XrY7RI`Or8Ur zxN(JAkbB#4YKg>m|MO#>d%^T;dq5<-IY8}{=w98b58}_d8hTz3sents$Jx5TpRk^f zr&diCeKO@bVN;<{=QYPE5x$k<83}*?)pVlL#$HZ z)~wqb*0s|FFk7qt5Sp(?P`W+$RefRoR>wHLA)|}|s+o&)d!aKfuf}O9H=fTd*R=D^ z&^S1AO}~mPjN75axLljP%XNPI*N;}W)pP^BQnuf14B>;7d;y_P_S;Y1eTB(U_sMjr zKcEg30y(ty!eaPfcm;8E5;ezzW+H}f=Bp9Pj_b_|k$>&XL5>4iJ$j@50t zcp&7teP&--6+!?VHu2)Y_ea5sOPThqn0af$g{8idha^Ow|}P{D3X z1wWglJR$#EI;bwEWA1N}h>19lwlV84X1cG0ZqVuZ!l=(z(HpbDT5llbjKmJVO!43o}Lj0+nHcya=7zGc?eDz%od;7*v3W~ zwV!N7{l zef$&6&WK2Vw(|j$6OTs1n8BhG0;|~XHbgO{7>%ekvNTWTGN`K70t6VO_q9JE`t5V# z%q;ZyWH~*2I8C7U&ay&fIfE+CySoP$$rprDpn8_?;`*B4?kf6M$Xl#S3*J3~MnlAVp?9 z2VG*gLVlYIqKW+8fL(`U7OFK3U?9*fj?z;N3=m34>k^7|kGXUI0ocAGh1IEWI%pyQ z*N}z$qLM<)IsD)R8>29YUa|Au-u&oBx&1 zAR9u^$l^zVp9{1B*^axEBKUOQd7;OxflP;Hw-2kVss_AGA0IReG)d|B#wU7>P2@i* zd#TpW*75~IIy7dMLgQ71uF0jJIVlFU7{1rWvTI*FGi(%jwmx1_an!vT6|vv7>Brqv zB;^}Fne4ei>6P*&BhDaKz$}ju*{2u0w_T;T9#E zvDFJ^0IRpAgKw1@yWxu%xkEBf)+cBHyFYpjiRf!VTF0!&pv!1H!9gb0;YUk=%9qbt zi0!Pi-CfqBnMy`^UEaR9lvTShfis(DmcwuK*o~or5rb=EW&U1-56Su~Jk1XFB%Q^nDca^_OmW z6-N!lg1vJ@-^fAm0($Wpur2RRt`R|&3+N=(o(kbcpxWw)^em0>S=E%QhDN5c8aPyk zq>@GE3Fcb?zHR!YI`DzG_k*oyQ)&~OCG=F-q6MdvRbNHrq?lpT% zq7*mFY%m4a)#M%%pE<6kI7~zRJaK^cB7OI|vJN6lWTX12RqV7Yzfm*#`^=6O!kHMH z(CKB95W`SS`1v1*D3q;+HxL4d!I{Xy&y|;H9KOJ?l@qpkV$(zQvOf1L`Wbh?R&T-y zI}AZv7evKvH_Z4P<&^aZ=e#wG9`k94|huH7M0$jK<%#80_8=$FN3fu&f)=G;`d87tX?>qhZBc3AKt9}tQ0Pqrw zA-)eh3A(3X11Guzpcp`DgX4zWp%g{L1Bm5%1o=Eq`=J>C<@J2O0Cu&xGtm;s6N}E@ z20!WKp=GQ_ur^@z;&3xiHQ3Q&%?hM@E=SD-AsNl&FM}?wA)Kd&vENGk&~w8}twxGh z7))Dr{0%Sr5-O2uh5;T>pZjkR?0;Iu)S&6CLmi@Z1!ZMr10~b~#96VQ4(@V3gNmz1 zkb|v(BdQ$a#5}?=R*!O~DcPaT))qJ|uc4!cBv&E#C2c2n_A1m&CWzx=jVHbUI4)4> z9dKM)*3M9k>5npCK?OgdX9kxz+-nvU3cm$CN*Mrz@pBmtpvfO_&-#$jT@1mmNYFIo zk1v`-OvV4AMTX+dl5#Q)h4gop`waANgw%tI#gYhj5%A(`*}wxz>tErr{yAdk)Sy%P z)FSS5$#74T9~+{EF&?kCD0?ShQH$D%)gDT_NuC2iO4**tMaWvcA*>;!9OlS#$^@XT;JL9%Y$En 
zSzd+pUcXZF6wqI;Pt?BU-B?l)mV>a5DWA^u3ai7lA(6)c*A)7=yw6CQ&itS5NYCs+ zn8kR7wygChBN2@iMV?sGKf1sE*So<SD(4R zLA~8+x6RZB7poD6;@TLpc&EOuR`$wUcqlBMpt!1zvDz^_qtX*?1izN`!v$0Jen&@FP z9+4O^LzFL%o-KMJw(_s<9Rc!=U@tF*0D2k3W7JJ4EJlmV7NQ<#z%EDuu1>2AvzTn3cxix&yt+wc9p z{|H=8Kohxnorno6#B+F*VA}9rRQ?TC%Wd4VZeLE2f&z*l;8_MKzFvg}S`P2-zB~DK#zT@Lo>z20yqU_*%1R?CDe1vcC@Sgh;4o#z z*G&CIHz{`iPA)ba=l=cbKPZ$9;&<}US1~e1w9fD|B8;M_bTXo~Uafqli=c#0X-H8TY7*NJL}9-L|f+`~lxHp|YD zq^uU|9TzV5Yd{`z&X4uq#0awH?k>MP(%QM*4iuT<`)~nlOq2M4oe+I<(wW303nGGQ z*+0aP-;+P`A~50sJ6=&w2?Lq{%Vy5kViz z18v$fp8JT3PL<7IO8P2Xj2Zq>WV0bd+@VL2fY)MAZY-1X!#!8aU}|(IARg@Oa8%;L6rhS zV`G%JH~$O6k$DO1&30g$o;hGZfseicqC7Li>l{%OWDC9%fC(0fymk>>lHn#;?o&cs zMf?AW5P_=&2%CjKa|!bBSaD{d0Jm`t=e-hv1~VoI7`!wS-s_-ua7iVRx+Q&(4}Tsi z>%jS($v}CcYV+Z5vu+aGWI!&1yaCVpSBU9~S&Ey3_lg<}IF{cQq4rkv_c&=r)TF~6 z0Ro$>#AS~wSlGvju~+PO{X5k3BbSX2PKsaew>%ye9mzw26=8o?bR7mJ(6u&TaQmn? zup-)dfxf5m%%s18dLYjtIx~+;IX?R$jaaq^_m#p3LBr#zV2G>t&vTww-PAR#vjS{+ zD8I**U_LCPaQnRajOP(Y)kupy*!(SxLoVM5O_Zf+qDc=zwl=R0n*QdrVl~`p$&{JT zX-&!1cLdut=}7O+h~BO8tko>dN`Re0r00Q*7%RxA?4$OkBJDvnd|-n0 z_YCnBYDII#=U){zkpw{N%d{h^e}Vmp4lHrCy$qK~u)HM=rehq~YE|zvfu2RmH6Ix& zp-^@hJan6@NK5oHG{FsFlV%fF=k z*F|_OCTdOd#!F4}qEy=#NPV7M;Ff5QC7jWBo7C6+RIGh*TTEE1M!V?x+Y;jAWyy-= zS27g}Wg)#Ab!X>K>b99|0v;T94-rL2j|Fav?UmMGKSZ+Rj>YM{H|YvIJDJ6{e7!fE zYd9Ap4t&D?-R<_c;le)aba^!GCQOb-?FX4@nqhb}?Gc7SJfqR`cL$v>5G6eSw%d8r zFf36cem>zxzfGGKk1k@{MNR7hXtOr28F;Yy$W z_}~(;N!l(%A_&wJvA`y(Y%Vh!pvWZ0&sI)Wha#oJ)+&?QlaG}Wou2DyuCnKEa-Y8( zO>koId(^1~yyg!)IT#}3Hxz9h2{I63YSudzvpfhHFmm{cXr;0%BBbw)V{UYnk*P6v zg$k}<3WLIe{0lG8NWV=*J5zp~s0qS)Av+#vUX$Rl(^Z?ty;!Z2 z<0~}qtO#k|`0oAuP*3oi>dqzaCp4!dw+N@DO+}8>H^bRLf0Q3fR8N9cEt#qe$ci9T zbWSlQONdYpl#7llyRta#+@2%Ue$PqIuGxafKRIY5ItWGD!)kVA%^|=>Br@d+rND>I zM)x`!r)IO1CT<}cl#LU}B3IE$|6;+*=QLR4+hiN9B$gT4G;;&Rt$Svmq(AD}ll(m) z@l_IcenKK)`U%OT#OVF&_p%nN1QXGWBB0J**r8>%2{u zbtv_G)cQ!F-N}vM`fZp|;PVH(J6FFACnyIz5bd@C4^>VBwF(ZS=c`FoKt8=Zx~4)Q zyli@YvT-=^TooH^@ss860SC{^!PB{9+6ZeORB#Lj%qXRKVl#-99k%Pr!{LY^0+=m1 
ziN#DvLp-u=XUBxK5IO2-=BT7|27(@IOfgBoDu<&y^3Zn#R5Xm2wS{4VLSA16=;3QP zt2)AZUac2tQUY@C)5`mZUM1&uoZU+?F;;B`kdi00WsK^6dOi|4)$<{KLia;dAu`Cl zZ45RxjL4%_&_*!!fDDP;N_d}g{$otrUbx^y{Af>%-Pb+{k38QB(JQ;4qS5io28tO` zQX}!)q3IrzWB@{C_nz$5*iL9QYyH){o32!As@e!(@p-AkoBWG|wz`sQS*!s`nBoh} zYZ?c#s*i|7uIJYP^6PFw>iFJUo$; zi4DNsVYk;-l(*`NIqaSnCWs~FBqNdCIR>yk)g;B$6=frKx$di46Zs(Z0!oYs7;2J7 zA0+dp^qBYtVos)itSFD2E4B0hby@-*LUM)B=QgmmkYGEzmtoR)a)H z9=Y+6kbwyTVQ0|!P+hQn{YQKU7Vo13V3OC5`GDQ0!_}q^(iWP8PF7821n%SiK~V%= z4V)n0uKy{Run$x;AoDa^;~5T6q68rnU-?~PVCg}QJ=ig;>nW+A9di*pYcZr6iW~pb zD0J6`8uhQx&Fm-eR+S-W8CK?84HZI_6at>&LK{Om=#?#8iM#_X>IR&f1PtZu4K<2Pt3ZzJVHneb-?W(C04yiCT64{plWuDV~cS{J`{CE)MYx zLBd8K={7Pbjz!IXx?(BS>IKOmFcX(ABSHn!iF>G(HpLs#C!;#}|K%rX%Uuyt4;40k z#Aee^fIo*r)~hQ%dqZtflmhI~=)dCM!{!)_<+ncncZ*W0;&wnzIbI zv`P;Y3D&NL)eZei@uAtji@hS4=lc1OG;;LpS5c!=1!{jOeDFrV4hDIb!-caA zS8H?rv8^*SVLpoCX+{zJCbf>oKl?>ebT_daYt0m&xQf|a=E)jHvnY6mvav!>ydHVf zQvVej%*Xkf@mV*U#B1bTEB_g3I#7-nbhTMS9|ahl^GgIkd%znRqg__OhB&80ey5-$ z(RWJQ-_ryxwo{*j1+JC)UlPI(Ickm6iceVANUfjH>@QY~jA$`@c;NA%-u>Cnv+g1P zxOB9R4H1NZL{&?#Se8Mjugl zJj2vxdsdQqXTq^^5xk(@B4hk-_ek?YUZc32*lt^qCCGhrSEceud*|IwroRPm>3jZt zG9mIsJx(HJKz0WTfv(9Xya)#@XHxrVyz=}~S2f!;jL*rD%Y>4hk~AMCf^e@Ux`)u@ z>qh6~xbfxSFTZ}fNEEeW=2cZctX7!$uyKua3cWZHFSh$8o9@t2u{d_cQ{Aqm269xS zZix#<+@a|O3^z4_A2|uf)k^yns+d&+;PO_K02a?vQ})z*Z*N0A%Li2s=?&^^%%a?V z%NJW+Odqy#z+o*dVSz(o_6ON~+d8FCR3m4x)$w*${U%hfs{ z5o~8moSNsL>0>F?cLSO}GdPodDfxlVt^n;xU2$wsF=6THygpE-lEO@zsX*Vx5d79~ zciO7`wRf}5TbRosA$k!t5jL*@a)@^+i8yW}V2kuN7P{el$_QnLD65?}%ni*jX00cn zP7V=+ZqIy%wn*AMV;J%+btJ*esc;PqbohI<{(B^j88pU|QACTCXPY6g3TTfOdTT&v zAV(=N&w+?UuKtz&j6?T5fBN`RHNayw?DiXAxLNvkJN%~+u_KD;Bs-@7)2VTn_n@8) zZG-T2IYigzZFyviuQJ=PD0s`G{CP?sJv`@E2zg%IgvC`IcST5Hu2&@`o;~tadaQyX>Gmx*O%w79>0e-2At zQSS+A{Y7avCsq-ecPTF;34~&ejnln7m_QD4|%n^{tnZaNK(R;8P8@+!rtQ zaDtWdGyqQeDA6+z-z8w86gn-v4r=(NrC^3kd!YoM#S5?IX|rt3C3DMdAK)Zt zeAwePB=U{Aii=`H>8NvY>qc}q&(fy=@i_oKfPy8lpY?IuCOD%>o+YxIIeY6!j&}0e zfo|ylhAlzMi&AOSO?~+{*;vH;AvWACY(pZ(P>B2uKsZur(6;^`aVxH75|Bj(!I`4p 
zgFiuZOhnM+>(DUB#8d+m%ASY)3qVM#RUjLxSEM!v*^3B}*$2`V?p_6E2v=S4a3S4BGpz4#3#8ylNk0L@#ZgN(#ieM_vu{XHnMsn4-Y;p~Rg2+tgPl;(+T6a3@c!xF9VG)nt~2u>u`8g z5FRNgwFi=_aPSx%%-{ot4)`!c5Jjg9RPz7t*uShluL5tfKmZaW^(C0Pc+p}1{a?gq zx1R%w=jj@J`Q!HGBAwiB1x0C(vpZ|Z}Gm-uvsVqC-GDR*pZcYMTj4MGY zuPyATcAX#$t$5=fgL;iMQL^lyjNnU7R&uUZkwJlM$PL(S14aa#nG@1Q{5>^Zq~KF2 zAgTSX5y_)dDkKO0`G_E7YBKT*8Q_WFuK)F>Cj4f``}og5?R~{l-$4##=JQ&Ja7!!0CAFu~?v_Z80oQe+!%`x&ybP++BZ8iUz zxPKn!LwXGp(OShU^p_FocV+Ypztr|WTWT&Z$#~xY0cVg4Qx16J_MiOk*iQqX8rL)aV8aBIC3=+-A^wl%5C}p6 k@Ev*_%Kv}SNWZgNiP#e5&%rN#odf?AWK@ua_n*G}A6_VM>i_@% literal 0 HcmV?d00001 From d698b3bb64efb183c535da9a6ddacde131ccbda1 Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 17:25:46 -0500 Subject: [PATCH 20/71] add git push --- src/courses/delta/07.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/courses/delta/07.md b/src/courses/delta/07.md index 3a793bd9f..937364d41 100644 --- a/src/courses/delta/07.md +++ b/src/courses/delta/07.md @@ -8,11 +8,11 @@ author: Daniel Medina, George Dias ### 7.1.1 Update Controls Process -[Update Controls Process Diagram](../../assets/img/update_controls4delta_diagram.png) +![Update Controls Process Diagram](../../assets/img/update_controls4delta_diagram.png) ### 7.1.2 Delta Process -[Delta Workflow Process Diagram](../../assets/img/delta_diagram.png) +![Delta Workflow Process Diagram](../../assets/img/delta_diagram.png) ### 7.2 Scope of Changes by Delta From 472682eb40a5658e9b0a896c0305ea550d76e7de Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 4 Dec 2024 17:46:01 -0500 Subject: [PATCH 21/71] fix images --- src/assets/img/delta_diagram.png | Bin 101284 -> 102353 bytes .../img/update_controls4delta_diagram.png | Bin 74464 -> 73041 bytes 2 files changed, 0 insertions(+), 0 deletions(-) 
diff --git a/src/assets/img/delta_diagram.png b/src/assets/img/delta_diagram.png index f97ed4c1b6b21c037241b6955f6c2b14b860024c..bffd38a55eabea8deac495e3dbdcd149b8511164 100644 GIT binary patch literal 102353 zcmeFa2YeJ&_dXsVG zfGB}TRZ6JR15*EYvb$k{sQ7+;Ex*5ha5Hn~&Ye5=p7WgNoLlAtnS`75N~2dYGBUFG zJeDFOBQrZAqe_n&)j&$qFXzqxe<}qOTt>!{!p0XfG6sDXWb1eL2Sfg3i?qGI0Wgi&EiR35TkJig1|Wthm?y0ms)Eb9y1yVfJ2E2{NQmQ znZN)?-~ySLIE<2sZ9od$>qRVDi&5wZV)qj$xdbvuZY|`g#G)LC362qm%L4vzEhZO= z-D38`kz5A~vP0l`xmabGc0cL{nK*ce3X;fVJRuiP#R_^_X$}F(g>p$CO$l3Jza#B& zSP@~1Ki~i_SN5u@g0Tw$6O33A$@s*p8&SX6;!oxTFAU`n*f}^l$cz0WFwG9w=7-(j z!~=s`m6d3=AVJVVSb+|6A}PxCp&o{kP06D`)QH#Vm&2~-3riL0j&l95*DgjuIiLu0 zG+7~t3QEKZHOCSuRO}8c!RAjrCs}JOLFtI6UL}<+M5CH7W-EgXyWY&Nk2I80~xhyHYyAmy&YG*%+f(NDbX8Pq+ zCU=x+L9lK}wQ$Vn_UPDhh|QsUIjjg-K{H6&B_9sN><=oiyhZ)xn)io4*l0td77Kxn zxbxh^JXjp@GF|N;TB2bC!B|QYEN0M)$y3xHw4*lE10(FGsf@C&v0$Bp>HgC^A{6z4 zL_A1zT7tn?QY7I}5Cuv0pc_eEO+3>J|Hj)UTP1*o{HCO&RoE)Tq;SK2n3T55C#1)ART@S0tX%8^ilw9CiTTuo(~h*mk|<>Cn z#cu*u09HSH8gvsN;W*UAg=gV1;q~N7l5QfELvb$kF;ITL^V3x24*yJSG zn;qelIgo-|Kn|A0>hL&%80!X%AN68KFajukxphdpCn4l%ii(DUh{I!HmJ?G9D=|Dy z!%&C-alpG07=VwP9l$!It|bBeIWQ)0sAPx;vL}H4xy)ubU@s>$DNq(+21AAh60bpE zCBQj#H3iv5G#EtPpx_rQRT|;J>Yi>i%FdG}7qc~Rz?)#;R!0=82ct|yEPi$vyck9+ zuuLiQ=#GL{_S$pdNPw7&Idyq~SRiP@>QH9m(yIKt)l`)cG^{m~W)u`n180dI_$w?9 zC8@1R?II?XInCfusEOL8+ZzfYk(NS~Kb3L?IYf(6OLj=8Xqd@|?OrM0opK4%g!oUe zHb6N1F&*eb9B_UKKtsW)9y?8)urQE(dWJPJcJ}+a`#1S_vV;DHRtiJ)-}cc!o$<*M7g=fW@rYSC zrX`XCF>F@wWB0hDa_k`FRC?VSnvSSop*FoU=26qEN}t#-1uxAB`{N|+76z5=jOha^ ztH?v5DR2sK30Qbe+~Yx=s08Rb2mI5?XevXw#kh9w{;NtV)!|bFf_q)s5oSZX*b( zKpcflM3*QmL=_=|n%OkAhAa~Mhz150y+RaZzCy|H*}*XjBrpU%J~;HUElP-?2It^} zXB4|aVXxfmpzED5Ta8$BjIfCdT8JZI=>tYqkjQd~P$y3+C$m%vB~R}4;7uqGXH`IQ zi9ATu5n^IZl%%GU_i?cmJ863F%F(1l1ms2v4b23??`5Id~_e^ z9tKMnH8B}6E!{%q%X}_%7`7WR?IWvrbVEF*<{G_99x7M6jxLg!K|H>ea>h zF4zKD<#df$VM1ggN=zOWIT$F8&#@{sWW7mcimSW?S5ztXMO+LSCXZs7+yV!JOZCT2!x!$SK*{=rjFr}xTH~^hveX@)FepB5Q;*0H_o786BQ~G4zZfV 
z0h?YRjwxw0J`i&i*$crmDpfAwFj+LOL#p*z-KGG|=;7hG4uoUS`MgTJ&}n7ZxOP?0 z=|h6l01VV#&UBinq^QOg^LgwpDa*#;IU$M9#I+G6a+g-3CkG?spijvqTLN;agD<7% zwO$IDgYwyms6=8Wy2z3k&BstEqQ^WWC%GT5hY4P36X$)4AR*UyiqSkPXOCWFG}m&b2wP{1z@2CgCUph({%pX~`Nb z2UVJE1O}5WBG`jg5815svK97t1R)?H#7kBYq=<&8gRDT-^)`CgrjmqFfSzOtk;*o6 zqHb92qtMK5NgNc*M${G>Rm2z5VgjF822uhFrq1EADx+bT6fuXyat|TsS0Qn$6RW%k zF9Ls}EGR5?i`6C?8xo1}PLr3wibS1u0th@aEDpOXKp>(pKa98(REM7E(Yg7U#zeUu z2}MWJr~txn1O}`ix`l|?Tne2*ft|YWWIkKQq#87yI6s8f$Rv(9O{a|!G(u)X?e-D4 zAd@kI3Ov5JN&uqksFmuIDGf+is-98K6l5hrVLCHNVTq|mPMC{GL_{1%N-lDWo9SjEs<6Mc#%i)-;YLk`732Vq91{4rb z-6Gh5kOe@i=^9iga&Qs6AtLa^#9Vrq#dbP*c)ZGM!w1}6J}yF&2{Z<&$F4H_8Dgh6 z91VKHe!Pn!iIJHogAVcVHi?JpCA*?=w#zT_aDzOfFD5f8J!Y{m!lY5jIE@$|r4m?P zuU$pKS(qG@fKqKH?1gxikXNG;5RfPrhcM_equi!os`PQISsOP)u$xS0^QAVXE{vjl zCpTaS18+p8_bFvwY20YHy4gM{!NH`dJ)Ni+OW=G3V>Lq3R63nVi5!B=E&4`N0=Yy zD8(j27!(YW1fUEb*%$T1Suv-{uf#h=f{0(Iu!eOGK(SG)QmzK_%b|u85h?g9647+P zzTrYT9BN>>qI#Xefa?9+m^}a?5~EXYlmiQ!cmzEfkC zYJ^TLDF&lKo`^vuk`!#QQbREbDRBlJfD{WC^7|wXsm^A=BOFmwA&aV=dIEt;=GY`U zEr}%2`#mbZ0B9Zq1>QKv8CLt~dWTyGGi(aH)Xihq;${ym<|juWo7XE=!??K5&C(($ zUcgrff>djW$M@MBCM#K{SJBLlh&RsEdPsm!a(IxFpz;AhV(=s$z0+<%jlc$5oN+t> z>mAhRjq7zZvpxVzjTVQH?hk@i0ninRL0m6IMPYgs+6Y!D9}aI9=#XffOduEg*HXWei`$iPsXf+Bg@15ZKOw0#v-*C=t11@sJ)SLU^TFgnAGPPQWI`HC`F4 z!TV&u+^cl3(=2C-cwCo8V&|EaAY{#Hg*mW&)TqJ7)n2+=Vj|1^qNtn4 z!E@sNphBoc)wnRs^cko@2?>&UbR?2Ti_qhWXfz_>g&;Fv7(tmFJWp+efos5Us{=-} znkUg}VHw*h^@^=_m(a~6lZ6mXVo(A%fukqbWg-Ep;Xx{iO3aa)#Tc<=;MLjym1UL- zL^_1eLP&Zc1;Izu)Sz60AVP`{VRjH))9*f=&>7Kt%Iy%@3> zQ5eLPal$B>Cxi@AzgBH9@CAI4U4gS3U>&C2PEk~@(+~t90Te)892V76b_eW>5L{uH zZjUN7Oeq=WhWU12zBocQSssunwK%O$;ABPOl33J0g}f4DG$>NR5*ih!v+Hzr)GBh| zIdDi|=GpK#)^Yk;-o)3w^Lu5FjbkT&~-zV|qCx*rWxco&>62q*jQ$hM0|JCq->hpBtgk z#3+-XWx`yah=gZF2pW1oYEg{I-adZ?y3cv6Q8zyMv4v>gArxGbWV)nqe~46oZbzwqI5i6 zCILTmJ!WMbWESuX=;j!aWut2V6Q^_OQU@c5MsTp5&PHvpjpt^nFxDN?vg|&FD+cTu zgRPJOZ8k~dQn!l%#CZ!k@9MKv8oA-(=ZXTH~=LF+18x@Cf2ZbyIQKJzd z_FzX$09&*izgB>d#SvV9Cb!s#q=-JMVv~3%OHRYasu{3^#IQ3JRIbFUG=!K&o(nG# 
z1q~*ToEaBrCE}Q!5Q?Boc8o~$%5Y)7UyO5y1)eCC$PJNsk|5Wnw;0tLk4Pg3l5sAr z(BU!?nNg=ip(SwqU<}5gbD=Umn;r_7ywPYFFUE89LN!ZH4C;-3Gh57xQzPa$4eQ64 zU4|h`3=njh)60;XL;;~d=eFw&I*-k6@gOcD;uZ_!R34ij6vTy0Kaq;?oFR&pPKX%I z5jV`Ukpgmq)&ctsc8XBMQ0v%Ks)1!SJEc^P(&O=Q5gVV0@bMu9H4w)+1s)HVp}=Fl z5W>JQ!%70(L`9r3g@g?$Oj?skuK_-1km-m@ybQoIIb1eDqj1w)EO2L31xOD~Kr`y1 zECtqSNK`15vt-d=G$@W}6u6k58uB?bVXmA9a}ce{EW$%J)Mi#OJ$k)bW5eN1R5e2# zA?OrZFcxP8mXbjr(gVQv@$e`nM}%f$xTp&7ShALfnps{u#-!Os4X83N&H&yVjb|}< z4PJ{F5l}T=jLB(K5+097Cs-)32zV``Fj>WA+4UZrO)Mt~RbsUp;z^t;sS74kVVPCp ziPJ#&q%cY3vSVaGz&5%Z0QfjUnwzF_vItH=Fs9bRUN@wM!WjO8e^y*b5>WvE$Osv& zS{%&_t07}lBDX6Hkd3Ph;R&vw9`pY-3YXpLvvcqgYS?GQs~9jtLx?JLC_RkW5ZE2m zs0Ds&OkgBHOpB1Ag(OlF6k_|;WQ^#BFvH8^iOqobS^|(1<4rWRg3XJo2{N@aCPyHX zS80yB5gaHBr-%iKY!k--5%6@f30B&G8Zhjz%O4?1>_)uTrIUzUT2L#pk!A&d#3Gv~ zB&EhVB8@M~l*Twj9%N(446wn@)`tvss*V^J0qX&4s5E&zXmsL&bO0VvC66P40nxCj z9WXnHC%A(KvRUDx@d;c@9GE*QaDMzTB8XQo;xLP*v8aN)XiSgS$8cetR*XipY?@c3 z5UEjx1~Td)4~eWdD{*{u+u|gV!X-|Mi7!J98m^&N-7oA;5B-e zQK7~|bhlnbu_7u@OhFQxEm1LrNi%V+STvYJwgP%j4e0d75TGMQJ%TdSIEBM#lTyeM zOr`>Q2vTSTGSp19Ax?%=q=YDP2ZzcPQq68B%c{YvObW9G#MJ3v9!kirSL>8^TZ{_9 z9+BVU^)p!l8x1(b_@If%phtl(!6it7ZYf2j2X@;d0U5j&6+J{|>hWxz#$h9=aBLo? 
zN*b3lEO0~tMPkq>lAx8$k+`)szC9AN@TGP%WHwXHL88JH(_^_+daqwcKp0j|giLqZ z@f@|-=A-D1aX?$*Aw1Pjv6-ZHV#sKQ#YO`kNAXiMJ_}A`*UE%sU@fEpFH6K^3b39E z>7yK+nuIPgHaMj{~)g+62&nY5KkNvau8Y|8VXC* z{;(xT(_q-c!pl`G7l)?^>7*W!P^bwqXiPueL=k#qJZr@0qd2?-L@qaT;t>&y=^Eb^ zG>CK}ia!6tArAqU09Ou$O3H(MdGE#zo@-jK@k&So#=QYG*r@HUd=~v4t#liGr!|8C`0T zJ%U+bi$oA3-~%`dgn~2B5#V2tWwFQUA|}dK8QDaM(X6xim<$$8PNdP}ag_}M4<;!D zT1QM54qzgS*P;bR0-W!&rDgLiQ42o6Ts!F{5C-)9w?A+zds8 z>|)|VupYcjSQ_JksGltA)@li^fDE-EZd$PH9YkzNjO4VrK?G6Ea+0DT3`-A2lJ8D* zdr*=M4g~<^C4^Cr4RVl}8lBuAbURpV9Lpw`s0nyb11*Oob$Ejoic17ynh_~mskJcz zI<21V)Y{RA2ek*hu{fEe2mZP&f}yF@5EH^mK9%DWT3|k8(K6ULt;gt<0+zs2@RSTP zpehlATT3Q#%zC_EZI`NvS}~plqH)f$NHK8a4LFv`#U-2l*S3s&1w=aC;+i+veS#2A-NJq2)m7HWgO%HwqFyW zn)MtcWJjfXh8iCsyVXRNPLIgsz%qHb2Cpuxw9yz$8kwh>=q3>9&?CYkcp|_nXwtE9I7CKXA=w{ z#Dz1k&Ga~d=T)-QG9L?;Gl6`A@eQ&mVD!fAw1CL~aEl|2)7T6q-6w#`V2sA1aM%>! z@_`_VPOC%xG6Pc%d$Wio^UEnPr` zA@Cdvi1_PtI*Ti6wlEnUtIZKaBnk*+qI4pQKniND7_*Gx!2k&Crt2ti4%N!n#4w`3 zqJj}F@E82UqLy4G0TBbYF9L?R=yau8BUK1VOg*0u20_8l+b<54rv~^d9{zt}ls}dI zh4}!_j<7#J;{W@GV6lh%L36x___CSOpsj%)UpBv&Oi5HGZOolSN+hL^xu??pK4b0x zII!3F%f{R(f90S%9>6#D_J6}s_g|lals@ZZ}Amw&>Xt_o+>;*$m@ zP0(KuYiym07to3H>4witDSvLJ;j{D1vB_9Zc>*?_Jn?}4dL|x(ORnaDjj8n@@=OXA=&d?7WN{4XI46?Z7WBn+0G>CnWCRL~39 zRMn?kBDKx|BW};Hg8;CP^%Sn`S|m9S9$O_r#OA>#F9O0AY?q{q*fj)OvGBt3i5w!% z4aO9)LF&XLv397@2}WN5fR;~{P1G&5km5O9P0b3$mS>eMka(VHCgm$J^%Gz>ff0m_ zAP`ozk_vQg**PyYnIDhMkp&sjCXtp^{F#LgW!(A2r4(RR8>j3)Py|+s3RX}2&slf6 z9)kLS!8fY4!ZjFV6V+n0Vl@S;Hk8S^xXGnTFRO$peE0*{dAc?cpZCX)*Z-6$ z+i&`0Zim@iR@yHJZfeT-A0)Hok9$rSEqF7@LIE%J>>P9;rZh5z0F%L$zd-Vm>nKQ2 zE&)%$QBpsNnxsGH1d)gkfkI4NPLo;yez_z(ga?7r#7`o}Gg3>%+!z``$J@4wQDtCW%SbC82jzlw*Hk=# zM4}NO2$zgz{J$ox$=6Dg)?b9xh{KJ*U=?-3FsIBNz9N8qKA;sWTa#$AI}k9I5Cd); z=;=TZtfNewG3=<{5eL`_R{kVcs(_$GYP}1X><+j?c@8CZC&-5J4!;FkUn)y21IB8T zo+O4-s}~ZfBDie30_;u`3N|J11{?{Ji`@vO(c2szMshJuS@HiB*gpr^0I;d%7ncnI z$fiO@0{O3nY>1Fcq2h?t)K5|#l9){(l5$Bz0tw4NBjE5AC;^R_TYfWE%!`msCgq{M6IHu3`wAd;wBwQE8gqrhJNY 
zvw|(Bz-~)b3P!+6VGkU%Ft9BIl9323F8nez{Hqt<;gc_urqqeIOCw3x+BhKc&$^PB z5~K@nlGCKPQIf)FcI$CDU2BrN{!1^Whoun~9(7+cRtV1Y^X!H5M@@kA;Am4AV`9Vw3+C~1NsgAx;M z_}gxE3R3?7MxUZi$qr2uV(7Q^j+RTrQy~bV;V3u)nFxU984>?e*Sl40)02Y+&&Vm} z6NC5z=+lrXi27Sgfoq%cV*$(u9oX8?gj-u~sS<8&8?cB8++3de9MQsjY0!%=@aA$5 zPM3Vl?MuP-Z-{@wwmmE9WoVz+WFRH!SP}|U$BLBgHDU+ugavF$@PhQ0Mfl34oB`mB ziLJ~7@(y;pAz=#!M|GL=zlJfqty1%TT|M8B;uX8RUM9U@7AR2)}AOLT< zf|1piz<%H#=K}IZp%Nex8KU7SK(NyJO}ZAm45j&fq$|a+(lj@f^#3mDN)8jIX?3E> z|0P|(bp2*f_y0<|QkeQL>H3X*$5IZ`GjjSo>3WW6m7Aw$h}P3o(7$C%(E%}gdWe-7 zL=_=pthEtr8E1h#NrDC-8En4vf^z)J&z{{)>K8^oUe;{=@e1+B@G~+gmj+QtWE_D= zgGi+39q)9*go)~JdEEb}ZEGsr^eGuYNYjsy7i^JWN%|G)01)1PL%Atd2K4>!KJWmX z;9UIE0Rs}Tf+!Y_mJ5-o5H0nS(6V&0Li!sGJX9#RDW3Xt!@h*vmc#V(zD07UynhEC z{#FAI5E-BQbc_s)KqN;&)3`MB|A4es6#98iK>vizk6zZ8Cdo?LCZZLpVA9F@n{J`^ z!nSuL0s-6b7;E-ayq}spPen@-Gec#G?eegUzip8du43Z%e?2!7ya1R$`^+1p0{*|R zqN(au*hbGkf|TS|zwZ%$-x-<}ZbtUvN{J5qs)im)y2Kp-=1tGZOgw0!HhUmP+h z8eT6TZM38@qr2t!mya2Q* zRQzX{3PLIXnX+{Mot^lHfjH2A3M<$&$Dnu$CNPuo%yOnb9>&|@a*5;= zj{lF5J2@w*9X@Gy%f&R&gDEBZM*{l`LdXfl<1rwYVmN353tyij6^S7mZE|)oHlaO@ zTBN2br#7&~hEq*;FfN>HwwN4=PjoOMc1O^n1mmw@iUTVGHo666{O<;clCSr?Jid$t zuXwsVF}3e_iaVq>xJ~l`Q#(qhhbU5MDPj5RV`-@%5d%G0vGAY4y3`p4#{R3s>A z!Uh`yC=v=<=zddb=Vfpc{Pe7Bod20!|1oiWPSpOuDZ78Ts1cqMH3BuslG8-3{9`NW zvR0n>_Yt<27=U}}l{O%(Sw6Wx(dfTD@8=gf=a08b&#$IQou~I%3NoJQv%eoeRIm;( zrO04L&0n>e#u^G(a-9H<{#`x;3}|A4({K9p<(t?)2Y)ZIeC9`t_UVfMF0~{Y*%F(HKy1~D$4A@5*v{Dj&iIf*(l>cCF27G9!ObOHE zC&fp9kr{&}P1yJ7uvzeao3S-eV6e|07U(Sd1EybLbF#2`MeVG~kJ4dTHRa!>11HAv zkK46-t~4-NCs9!PL88pmI(JaPvJV4FLqRWC;|1YFsO_a$^#5RUkFxJOVS`A|&H_%( zBz~z6HkGs5=ZCOHW0@!(SkvO)_<-h-669{;K6#}3$F_iwV9n=3q zfGV|DLyG4RXt}iX{}MGzqdf$2Zj!#HlO7^iqLRq^H=;es@#Np5cYmfzDJ+2y@+(_A zBwSXbA4tYiry!-Ezgp2$rj!={CfxjLX@3loC{rIdBExPhit8~3us^A)0S1u(!(Z6g zBBiutqZ?`4QIuH!|OsxsTWV|+|))fSnQhv%aY7CZ2KR0jWuMa&#$#;3G1kj)0zWldeQ!Beq zX7M|~*MZBv9gZ1@-zNya`H8h8)c&R`1SR|OPaK?n8DAqgKj9DjKqauAm;p^gdL{kE z4H|wO7m{mY0SaMX6jqge8ej*{Y#mLi?)Ox_O5C5j{!4xuv;wcCh@l?v*JYyf$bX 
zr(pJ{1Bv-3AKV?#e{1KrZtbV6@3>MK4xgW1a-(io+V4Q|))^7$e5G2g&goQVU`A%M zj7l}SWmGOdY}T@JXk1qF@huxZlbp!$UgcfYI#hn)o{Y+~U+YF5I&$K+=Su^(bt50F zUO{q={EQXNRnuBld-m~V&sj03%X78DlDo~z9G5lw$CmgCDmE_bb_L~RGI9nYHQspV z1A3zR>D3sB%&MLK-pL$w-mPS2&ZF}G^Rz|E?=@HHSAP7o4ufPhn`JY$^Nrgl}yfk@+oI?A?*xt?Ss8q4`BTh}ZyrgN5aommf^B4S7wU#*JXp3@Pp89!m{_0~cc=CKzJZ{$e#{*NvT}OD5MEzFS}A@z#mn zUE3F`LbX>u;?+v;S{TUZQ2KacvvIP@9^+VgBeorByG6 zw#_DKUcHbx;L5cpy$_#UH2GlH%X^03$tD|?N~e}`LK}9B$yP6o;~biwj`Z@}E3UJ) zWQu9g8x2a|s8*QY@CyXp|53YBn{GSXE;_&T$&sClkb4g%UG$%6^4Yeb1(dP%+rWpO zY&}z3Fw+#@`__|(^<(BM^=_`m-`)NA!Rn>U{ie%B?#UZIB3$ct@zk|w+lBo;rY!7r z7;Mm7V%y{Ues{lfkGYS#Pa5*YsjpnNwpq$*k5)eVs>jv*gSourX%Y_sp&R$j@VVa? zH#^-bdtb{U(YC7-uZ^wW*DC%oG@;)%xO(@Amm01t(NFB%FDM+Y&zW8C`i%pd%)3V% zb`@zhMT!P013UKK>2++4dr@$7%Vi}4Hpgt;>-BF}vUlQRINx&k66x@Y%}77ood%D; z-RwWnuElnD{@`N^suj#Q%_Vn&N_SuKH{|TR-DS&!tXn4^$aZwSJK;`=W$&hC4W{}V z)|?&cJg?7@Mhn}C)}Oe0>yrh?=-(CviCtT$uU!3nbTsWfnvHuM=)#;;ndb&}%glUb zdU5am`IPRj>@zY3ZeQ4cD%b zAKh!!c#fX?Ah3Gd-if^yzey{-_0F_&1qD-zTh*ge-sY!^=eI zk=xsO*8cR$&lj(EbTw%&Lf!ZKUspXsdQ0f#^r|@vC zaPc@{(^%)@EBeNBbA~-dfz}bwM1GXMr}m&unf@l#9Ie)UHlY8+9)0%iYBVC}%@$c# zCYCNU51G6bx#*SL3+%3T!aBQqZO$X-qTo+oZo2Glu(lAX@piVTm%$pSx3k^Wr4we3 zjUU}Izw+j_BU{WwWPG^reVmPI@6fAY(Dm8rc-3t_KtsWa%4cg2s!{W7_u}5IcC9VU zz}d)WKYs66!JDf*hgTH6S*sx0UqfEyII-Y<nd+XKHC+kHY~80xsi~41=$~az102s7aI!mv(ERe9_TW>r|4nn?i-=CF zKBxIpi?O9SK>ZOd=67p0KGWZBeZi@br_YgJDabp&ddttA&uYAzy>Iro^J_*;yk9#0 z$lOg9_t=9wH(uI2Dd))96S44+m4%H?#j=Oa|77FIC)>_g_IyX_fqr)I%XJ_Buzl0x zuZrBSa~fS}m;JHi7|V50(r}uE!eZu1ho^eiP20pE?qv77H30U zaOn)Ibp@CHlDk@tA9%|tEV(mg`=sI?Yv*Z2m+nj~Eg3uD@u=g`o%0$kEnfP~z9};w zt>d>VS=Kf;--R}G^t4>uw{z-;y_k+AtC7PihK1Ul{q(?;-2?iUbU&#X07>FaLGw$u!@`t6awnC#ODI^04%WK4;HVoq2fOr6Xw18nqKf zzjak$wA;*^_)aFHS?`TCp8WXX4@Gmjzty73V9|zJ{WkYc!YTjmlIh!P3}p)^>+?pc zGtb8NO}V(T+C%QF-Rt=!dp1u|9qE`kZS@4)&&L4(y|QOq-=BA?d-Z8}Wd(faZL4>#kuWUd%s}~C7QAX1((TpC z)(K0|V*{42+0_5y_L9Bh;DYz3PWmLT_Smj#3P{C~B_nZ%wj8LB6turxnAb+#xAAvh zxyIz>-kGxg+Kj-uhu3djUX-83Z5&>9ywi_e7OvU<2_@fmU}Lk=H|kk$cDi3e(JySi 
zul=kc1Mc;stv%&i-T%(F*G&VSRBzjP|6Uw)aa!1)xAw{SCxs7cEeMc?eW7lBqOi%` zDfOS+kF?Dzh>z&mt558Bbbf~O_?L20cMSzMr{$P|$4d4s9zCo}pTYyd%bIqs(X`S7 zGal=AR)4hV!(pXwbT2(H{?zh=y{4S%LOW>~W7(0}V&I8O_-kL)UX0(@sl%J?d)$uQ zapsonsaAk5TJ-AP?QI-aC9yK4XqFA=Te02doC;O`xj&nb7k#T?XU0zt4(p1SZrxZ^ z-}#`vjj(pp=?yCv=UpWgVn$`LPPaNPF3eef|MTM;SJ0P#pR*%>Nc$!D<^5uZ79ReA zwCM2`kB0nZzHP^qn5Lmf*Ftc-|9r|d+B=!0%Rc@v_W*hD_P%usMrGWZ@ztmX4%5+w z-}GMNKPx=4jI^-xzCDAN?Ok}M>67Ea$vpj)1;FH~ym$C}y0lWg^F!ve z%0#Vi)FV+xE%~G6TX@y>AL#PM)lGR18l9OkK4a~gNwl4exrl5wJob~NO#v>IE(;g; zuD|kralzQ-rOVfgFKdcEs&nU+WkVzQk=4s&H3t}o*1js^I%ke-J`Rm7d$jk~KH4?4 z6x!e3U3&G^(!*KSnZY{6xa-p@kv5+GzToYT+Hd;VJY?#u_2TpUSzS+^J+WxkvRauP z$9~XWvS9MNg&z!i)CpLvU2er$(UI5}Lmw;V*UKuI(tmy9nxAbb&4c#0+#@Da-{EY( z-Lb3h{DGP6OJ)w(*duZxVC9c_cgng!CMzSY#KdXY5u%<@3%vt1#R99 zOds{*xs^87{96Qf%O1Jkl&oRwd;IfvWN4|A^2#>!hp zw+R=YZY;fGTGVFgNEqrQ+xRJb1D8&zqsi?l}Y)j?yIkD92iRwJq}K3%f1 zX!)#pCAWXL-(jWx1!mc}rfq`_=Be!Un~%J^5Kxs=vCZ7k$}* zE)RC~yL;lDxikB(8=Xy&e80+JI(%ly`ky8o^Q_;0|JLcvLl);(yMJNNkkI8K{eY%j z`){~?>9DYs=%Z$x`;@Ng^)0blRwGr58B1iig>UZo@I>IVUDG2c+Z3FPyT**2cnm0@ z|D!i*uRZxmmwxMRUp^uwF2$R6?3zXkoSkZ$!M`%{!wWnnH^Lmd3gWjCFFsotcjWuSJ53EE@EnmMf+wm7}!$(M>jTbZV#SovUmfg?K+18ZD-Ho`mp=2-*JpyW^KjHPRKg z=ZAgO9*|#Yk$p0HCQJDG1=A@b-0JeTUx+8JaUaucDj7ZZ+QrGEb9=7S zLB{j@rWUo#JJY1^_02_n`aLLJJ!kO9L7xk!6umO{+9x~PWM8>hym$6RXWSsk&%S^3 z7Icon*xIyc*QC)|(isacpCgZC%>2q|8S*By4{(Y6!qC^ql0e=T>dMU<8SPGy@dw5* zyCtk~w{AdO2WEWm>LA5y-jl6=2zTwbq+R{euO7d1=W2_k(gAzFFIgzv*l$na=UWT& z3jNb3H7(jxtpzbSf7vZft%7>RS4V6~&b}mpabndF!?^Lf3^V@0-hqf-VF56_&^q%CO z#*3dU#54C^?iBd?D)L%M$#=y^?(|!^xY-dMJakCIBUidNe|VB3=aE0U`SBe2%Fmyi04yS=g7&k4Zp2>|<|Q|hczsm4%Nw{yGh6g+19^wnj~#gnT8CsnoD zRjoar$IdaeYPEGhhokFaEtl*RlkF$hy$#f(kG@YnglvVS{SY+9htJsKwfCyEJ=I^ancsrX1r_(<$lzs|P1Z{nu|*G7st6Yv^$7 ze9%WV&K^5ohg0`cN!QWPglegW)M>57c)y#rCkq&xX6G_Lom9zsZaYwV=kbB#{c}{c z%U$1X9NmF zR-UCB0;Fj9>{cyayh5(gEPKT_h2OmfYSqnH<0v}#AVd5KS$x0rYTNU7E-zUx$=z_B zF*N~T2jWjo52?MTSI3*XT38<4zXOG@=xC2_e|zrc-u6?j^)2bBIWZ%4erlr|#C;#( 
zO)PZUm$wQ#F2)s{2!HYnZmtLAE;@4O8{*C}+3$!yCXR=<4&S{lba~N{Q+=*=rrkcs z{M@p4^3AWS)aJ3-!`}F5Q1%?s* z-nD!^zRI}|9JRID)seYf4$WqNF8cWH+)GEQHNMgF;=xZpYu~tSQM>v1J4S|twa%Yd z|E+K1&2PT$wWn*JZ@RBAK04IsPU&>{o)*-lD;sx?ugZBN_~SFU&| zbZhOdt61AG)3AHf7q=eXI?%n|05SKJa24ls{Lo#P}Y>(o{ORcTj3;N zUB176>&NY*7C$`D`EHN3rQf^S6<^)D@=ehXsXfAZt3OMP=`zIi##iPK^` zYRC2$AO|~LaXh@V#b!RV;e)ETHqJSv-gvpkyoVp(t*3nJ&FM9YFJJBW*(5G*1zp>u zfqd4&%-c6sfa7lSx_O7M9+lA|d*8^K?I(P_aUDHp*!ZmQ)ZPbf9W{+z+?=C0iF~l2 z>6yJJeI$7n6Hdz3s~{M;E;F-Poeq^+RS{LY8G3hR=Pg6=hc+*IZ&$&J=14Kl_amzz z(LQeVE5=>pninmozJIHj+(53->)V`I7c$jiUuZF+AhTg!gS-uQUT2iW2-DoxNp%nA zm0pX*zPu2wcIyK9m6eC+dEXv>b)99)qRI!4c&LF%w|`o6tnCK$^JUTw#H`^ly$QV z0V=fzTGgv{-D;KV>=Jf+=id3Xz4x_Ye|zZa8}aav*zs*cb_);4meu-C*Qt$uIGyuW z=MkGXs<%qJG}07|IQmvsXgk{LT%D6Os&V^Rzp?3rBxMbSUn; zTfHDZYtNDXUw%#-x1#ZvQvwYe=J^Yno)OaSB70uNu;meE8&H$8#voqJ3#?}E_ui$Z z_RN~Su*sDJ(w$igmN$BP^vJ1%oGT8R78*K!>=&EckMG0lfPRLnPP^1+oxfWF>B47A zFSn~J-&1X6h>0#b*!|t_3()pG*N5LISx|jtd^7U-vbP#H)I4c6{rgPNL3dx-QUBVa z8a2yE^bLU0+qO>a(QKTd@~~D_I!tYU`)EPukCyefFqi*)FF$Mh`5{Q_?`rKi)33zc z2$}uny9gi_-95e$98YZgyU) zX?t&cmIt05yR>H1J708BEo|N2vUO5+*TU{I`*!;1Ka=iqcP?6Y@Qph0?bZV`I`3W2 zu*l*&rhGhR+dW0K>671PU|8CXRLNXrdZo&BYKXeMbMyX%`tSqVEB!4)BoC`MjxEX8 zT$A*3Hd!*yu~fIIMEey#Fmq{_8Y>zU&njVlv@`a`7fl(IJ~z4-9a~xd;>^1}Z1czF zVV7?I)OXq&+5?~Mx<55*P{-_=<_|M~QnZTfskURvzJ878;V|2<;%#7Q7M}lfSsh-} zN{?dHSyOHwYf-7gszr-(vV(^<8Lu`i?%j3O@&?7d3x|03?(8+U zc;+TOa~5bq!eS?zI5XuAQR} z))_c(NXFi2x1`msTw5__@Yvd!59{{s3-`To#8d;bL>ZO&pi(@AOZH}sNzKc&b7 zuKv$!n&gZC7UROuZf|v7zq$Y9!KVn>x0kKVE?hTvU9ZBeuZz1h>V_`IX{~PttXuCj zUwUpI_Y^L6@rPh3v;CtP#j~o*FKr%o-%B+c*S%M@O^eDvy|VYV0YI>4UJIoPt8l}X zz@YX1Olhexl;3UB!;`meW@#qex3$Q)eGT;DNeKK@4liSM=zfRu47-~BcWu&f}+_|;5Ahp^k!}#(#|#Wj=5iN zm3c<^eZ1?PK|mm7kAXa%J2m{fjLJDVfD$>pFU3uZ@23^g9F<-8m0Lbjt$6qwP`O&p+jzKrKuiiUi0=e;2 z=B)qJz-^?OtDF%wylog+qpU}UXRH{s5yZ?g-yVlTby~t*S2X8!0SYv3!;uF?5N z>-dZ_qwZ>KeQy+w99K4mQKvR&`cBh!SFJohr+41@Mft(*vD0&Jo}V(H=loe)Hb1^F 
zvQkgltg(T;!)JCPA{*VWuLI!D0LtIb_5KX*=CxVTjj)FAQ=>%*Upa!QZQWf;hwmRXk$=dTN08n{jbn(2zW^^Pgf z#Z|A@!?bufh-N~^@2Q$pme)P_Mve2;sy|}%-Kzg=QO)(S;P%0fx1dw1_Gb;@?`+dp z_4d5RyQUPp^-b@RZ=ck!ey-i7FBXo_ew^P#l)2?ab^avTY zug40(V(@`GI)_cs!2#OY&^tCJ5LK_(UN)$Gn5wQ0g#&7$#(J4Ryf z>#6TA>3iYmr}J-L{l3@z#s>>ut1WI+RKKXh>sIZ8I-}d~8m_q0`DP;AJOG2xXx&Dj zCfzWdtyKHOoZjOWygUB$%aq-l-t6B7eeb@a%RT>Mq!u5d5{@i>y{CaPrAzfy`SsSV zn!-F*V9sZ5e)C;%#*X?srX0H6$)6~86DYR-2X&iPuG5;=tpGauR?p?K3#3g88;S0h z2ERJ{*^QCA_X>YLvE}ul>vYTeA8^-SJLBZ^`??38kE;9Tz*0`{Z%e1&+&5Z!c6HUgXZMcj{uTQb+9bj7GaatB zt=}XtE9g1=-r4W?xvtD$pEu43iwx86mmwQaHf%`KJY!%#{hIm>-p#%}y4uho^$m}= zEIPhQz2or%=FdkyZExB8;q=FEk7&HE|A}?}T^rk-U2&$*o*$YR0v|GW^<6ok@fo4U z@Nql=l@qZdD}f?E?zUWOf4lLPYvfT!JQMKWo|@87sM(X-d0F#HV?7Hm6n(Mw;e{`U zoI6_O`?njvcCghsRpyQD0Y$U$lP+jaUCvykywJd-rA>ay=n8Zaj6@n*!_X26+>Tb0@u0=2`p* zBJb~yAgl!dS~KT#i9yu)y`Ki-=c@V~ z2fM#lgcP^>q~O|wChNoegZmr46TaH4>*M>I6>FsvKiw&1^E^yVuKJ zX3zMH6|)<69|JL)Rn2U*f4c7a`4Q9wKX3bP#DbM;&u*LT=Wkkg)9RY}pW8nLrvcO4 zqwxCi9^*Gv4b|P6S27@X?4!%f;#K{)^8F`fd3w%AidC;(JE$;di4)!&lWiD)emiIR z`>Nf;-5o8v*NIoeZ)xUlJ&<=KH5Xuwb4cHNhrj=H=^@qp8;hB*j$3%Y>DvIT z+Ai3~8aX55jPUm8-GE_W!!NS;L0#)KKM8mZBd3nJc3@srAAjFcD>)yG ztU2T3%*l&Rw4^*d=f1ULbZrm##YOjgg$l5#QyQG)cANUFn55D~#pyTg% zoA6F$1HS!=9|q$eS+=kHd?Ri2TQ?hNE#J?(xL|mnCp2xV0bg#T2&Z4k`+n|-+ZR_Y zRjskVedp3y<$qRB1OU;N;>nL_7ftpN>hGGnka91VId}5@vzvi(w|lqI{SSph?Et2O zqpQ6)KcQNgBY~}M{aWL10HYg_Ir6K@g?YK#M-&Zddgtq%jIl+gL&r<{)vCT^&mw-f z=#bj~ZQiN6J>92EXy#LsZ*E)@Xaw_hgIFEL%;i+2iP}gd~ZndXYfsq?U8QmzbxoJaojZaR(%n={oejhZdndJ%vlkbQqUbAv~0f{59N;<+xh*4 zxJN&{+L?G}l&yu6g$U_9vK*S1(#w_y1$>t)r@1 z*Zrq5}kyot?7+zuX-tBdUa5*ZO zvhY*B+J`rg^7Y!DBF$bKfWJLY>6d0KUyE4G*GhoW*rNYs*x)9lW4jB0hQH15)?)BWXYRd{FL zMN%d&SjMh>6g#pMd#z<0hUXPdVl-7L4+LXuNe-w)z#OOmU(sab!2iFzDR+coWm^_$ z_#!8;Y@CYmiul+ItVCo$qYp?SXyZLT96pvDcdFj`6K*MGYB_g+hf zlq>ZN!;k^B2fNg*vLEW%qjvStaQH+Q6EHG*m+1l>E#@ZzSV*T0N@UK=_fQi)!^7a? 
zC0sA`R$_zi7QAa02y~3(a-*c)wabqlEA#wtVso;Bu-n#D@s#b2y5;o!F~U0}JEaL9 zDT>k>C){<*=wzSb36LIOZ!G~BQD{p^q6ud~Wg&HtFs2laOKTR1$;r*oGd1%*GlR7^ znNT}NvFp|AP`aENB$SwBeeg{o!u~*Ej3?%{Tbmav)nv}9U{!y z;qPR^cKf|EHJfQl@!JXNOLn2CDx)LaPLP;afM^(d-5 z)mjpx$eDm>T!<2}fSVChM?(~-H277Q$F@C{y zYTsygxJyRWK}=Rb0KfnB`^ISJgG%ct8+S7{1BTJslUTe4i#WX%L*yd{^^0f@Xc}0o=khZ zxKj9x!_r4+b5Aw}J5b23eq<}}1=adQ{7MBpj!KwML(_VK=wk^h=}?^I0}=fP!ZzNc z4vgMqQolT{3O`tp5>vT{FM10#0+?NWj6Aqm!ya*2@fIBmq^0bnodVTVzM=YU)g4wm ziL_nZF2y4Q(}L%H!?2(Irahmgbf`?44f|BO52R8&jx$I{AN_nD01W$f;hCevl}P|I z%v$G%MhIK?vq`4wJhruhj&o&{F`OsSbOyd&C&RiVTOYjL1wC$#s|Hoc$1Yd3yqO?^pmYRHJJpAT28UYihCMJp7 zG{xa>jibGf3+Yo3>A?f0_-hOF>nJ{3bQ>*Yf%C6(+(GcWzA45?`6Py4tJa>vFc6Mm z#Cu1(divArCmDgIR9oeRloGCXm8WyDgKnSE^{U)_PZr+}n#2W4GJ~Aly1hCx_m56W z2{V0DkK02}U8pX&EfN@b;VqhJO1RAUsC(=UZXDl>?s~}VfK^4UcSqVID4&~CRvOWl z(wf+npI0Sd&AoOO*(!T9yVy~|d9*50DDPSREboSwbs_*$VO6a`J$iKSQ{%&)$H@kR z33VG-)t*~QDtw02WT-s;mL>puuJtTebsXIEI;WMs@BxBSfMRoNo%_RQ=%&rtk%ed; zb$JX?N!`JumScS0;?8@y?L{>4%GhGW;}^mD1`RZ>%}H;4n|p zw2bZH_Ic!6twPrL2X%k2k?}a{8X2+Y0(5v7!E8-U5XWD=4Wn9K<P%bH`xNlC z!anZgpn54ikYCf4U#&4g4gjFZj!s*<_}ZSWvXPdN$HKmM)Y@k!;yae502>EHgy$v& zDxMN3z5GJ}5<>BeNyIIqgZGyjq8eB`(Rv{d4Ke6LUv4J~o)SJ_8h_@Uw9BhyFwtuj zZ}+1OiLNKBU1gRb#J_8hPzo>q@GFh)QK--l?S4JFsgwjot@g#++jAkXcftlAo()(` ze5}*&%X_Eqvg0Grna0XgmajpnFp*=*Rej>;J74wS*bPG&R}@5S_WFP%4q9ShU52!P zuOp|RsEUmdeGjG5=&;mDH8TO1ALn%q2*nPwz1zJ)%eOvu8>j9p<>W_{X$rOheCmD5 z$-n#CRJ{eTm;94Kykr)EkGw9V265k zb!6(+A57x-4{1+{D8TN$maFi9Hl6kVF}6n!>O?A3E(bZSx^>gHIn z%1q79jl!mN{)=L686SuEYhok52&CGTNQ|1+^)fF5PW_-9>cU|NCqdowohlpnx!hKE z#b#vE(8%Bje$K$Tf)F3C`TQiTe7CVP7scSUO^a8-+%(s*T=UVcofAXMEhG3C?RLFB zQ)=Nf^>)23)2HAk`@dNFhw(mfeh>H5lLOBF+)E;5`$CJp8=Bx+=QFF=n1Hxa>b+-E zs&(G#&I0Smy8`}l6QWmahu&^x@tU^A@w-vFUNROgNa|4U1cAd<$G0(5i;H<(UOK&Z z_uB~rC#%wy=N;Y`Gq>rClIeg&jhNL0hE8HX%r*K5>|$)+w=mHk~cayZU9j z@@;I#$I+i7V+v_`S3Z?lGxD9wvM){Ly3SEWf#A~aWQE=&qdNCTw9V~B@hH9|w@mK* zxMLwq(IvbJ4#0X-p|^~#?^8)!9&HUE=H?b7A4X;h1Q}ly(gtYO-j+^V@0xNJ$93!_ 
zf1W?mnvSgQ)Y4RVBbsg(hLrl;azk%(~S{+ZR5jDGR+TA{<9wh^AV8Nq`; z1o96Y$z&HI-yQKaa zK2|3QEMjKhJh60+SVe-6V&~TGJFMw|h?NXaiMTzx!JOJm`Q{^!BSo>7n_nmde<)%K z(&=0{@M4BgR{;p`gGAm!(OaFvn?lciN%g;0Eo5RPKXLd7n{+|~)g}k*_3hvQ70tpp zrs*>|vpWVFD-{?927Ms9@@%5GuFQHsE|DjfeRp}anj&3cPd~8QZJT#Rp{s!MMIuro zFl9}*Lq$bU$*rQZez+OuO4AV?Wb$wPBS(=1B~A!kxBSIAFvoE026GXgd_XSA$yGQ* zyr?6oWRA7Jlt^LM!NQP6@&Uj4oAsKap`y;c*N@75e|8=`dMCnJ8Z8`Ib8+GgVIVx` z1>{LeqQOy4&WRaU+iF~`|mQ3(KE3%`n}*xo3iE?^<;Fm2n79>mU# zM&I4bPn^9?aUnKKZd3x7A__A5=tY?rpo;8((fE9~L^4F7|J`lDvc<*w$#x;LC&R(Po*@X2ZB>*;2k zM!=>;u-z2D*xQRneV9I!;$0tGVta&4+mY!sJT8yeezQv3<~X6XY%3#)^lO%XvuVmM z+ZtzcM38eS)Gk1#zLn53fUt-EU!+>si1Es_oXO_J0(HWL%Hta? z$j_0IAlL8if=%%h^ad=Cy@6b!T&dyF?HZ)S0yzSX~AH)=kRII9JD%%G%~lSL;H=7|kA z;%^YlFtbqbT2J0)<%LH;5w-JEiyRLSRa_mb{rpkN@oCE$TcX0u-L?6T9lQgz%J$E6 z`sJ4Gc_kkTDU!V2yb8+I&Sa-A9IxNqG7OC2D}uQK2S92%W z?mKC;1CclF*&60FA7?pqnRkQKq2v2Z`#k@Y>b_z_gJ;tp>!2uCn**Fxc(OcNa-uR^ zW_MZs^pm6iQ<8Le`Qo6N2i{|k*LA58Pyr5Lb-IQQbnhA{iAW$X_QE2bdtF7kb&t}j zBl`A0y|?!|-jnOV2VJKnee%Q#L2~bj-;~$!+Pwt@r!4A=)MBugY|5qQmSJF~2(chzGvbWqqXZ%q19VzjS&#Kxa~#zTO)9ElpM*`a9lDV+8q)yC<{6p?{QIC^&Eph6Jcs^rN(e{w@X3 z)Q+QS!`FxdwdJxP3Ph?ffMU&na zt8X=UsY!44|0DqQ86c9W6zj`F@E2a57Z;OmR#OpXsGRZoEOfHbymhov#FRc;(vB`A zNjvcla$8M736x!N>np00S9sLC7dD3&^&wiQMPKrjRPVFuDUa>$@km%uz?}0V1rTAO ze+x;K73#k-v={<&Ojs6E}gfJD+ z)3TbK0mXDZrd1V2O+b~%(c8E2fEDZoNuMRxK_mMulqVMs4k!eYrcSl!i_A8Jt{bMg z4FlKJU0iqnuh&Vw54S-2!51gW^X}+ZaR?Mh$p7nELQ!i#Kc)Bf3q72s9nrdAbq$5n z4sdWVA6+DT6;}6cA?b%@G-&NV8N>i2+7lo=tM6F0u{ZzLfcBa z71s?;Hx7Qh?F_=B%XeEDhwWJrTbuJLz2hxt)eNb68G!@j*{2GFLkC-i^lu(mf2Cb`v~qW8q(HCS!=}*0*i=&gs}Eo#A9_4U^mzU%djH@|jhmpnliRN0 zB}%zv>{Nv56kPs87rKBQJ)$0YIF z(q5Bl9j3dW@C}Hxt|R`l(AuErcfyna=Bw=0oH z(QW@1g~nDU6tRDw32hZr(Ep3sA;yW}5`$sb{6!-V31~`4bJ240j1FR)kiQrY|74u& zp342)#IegDC;`@wo3UGvG5S zg{KI+kH|efJ2~WZSX6agObdKoyFint>KkuoP)uq933p`p}9|+g^av&Ho@D z$#hhNn2;5w@3xdR;)L-*jvw?Cv0;{gz8lw*%{J4PAiNO;bWi2`Q99$seo`VpY25$l z!jZ?sUGI-Ytoy2|nx{EaM@J`NUkJneleH-sXxzC$!r7vc9bJWqq(ptq0Ab1C-zXsn 
zOP0tF7tvBOqW2f=HO!+8MR%*}=V3yT1R`Rr9 zKxn&*3nD89KLa5qvVIo)~`3Cgwbv)LvZ`k=Rce!im9(m{ZAy`q4T0n(T41&%Gg0x` zs(#eAwoRI(Q|FAA?e*h$)PThD>~&?x+Fn+KJ)QHF7fprt>D^r&ef(T|VK>o#x%C(q z$>IYe*O+veu;_~Gk3wy21P|n*{lMC)a5^$o}wZ zJisGE)nS;e(P3jHzh1D~ef`=p3C<-Rx+t){f)2pP!$G47h&ekzk>VZ`<`0356-l}w z2*%`>g_Hwi&mF#-d+*c`)iTC0iJ}}_U7^{)YJEF~yP?pqcI`cfchbEj2w+AY&ps^V z94_mQodv@S^bQj|YPXo%Yz*tqSyEXGt7xOw52_14vCDczk5gT&&+lDLOhr1bD)hPU z>8I1?487Z{dPEYv+1b8a!XkFJ;kN330%r)au+<#S%u$ev<0lh}2jjKayDuf1K6SLa#;22Su2pXlt z`Iy+>mcJ}8&;|Vu$9m(6Q@6vLavw2Zv?w$ju5jj&o_q^T6*cVXyL?R~sM^Y$QDSs7 zeVI`6uAtQIZtNLG*4t`b{odhEYZa6EqpPB-<4jGEQwU)t=w4Pc;4Tdt$t-yFrl56+U!eG}yOGv12mKE3K2Fo;>K^EyJ2H($FX-HptLi>-2HN)|ZU zk^whLRF^A4JvP5;-r~nmc0M!sp_Ih`&}%1yYJRo2$Bq@qQ;%NjDqmK@ zC;lQiXFY%L2JvmPZ9e_y0}7&wz!a@boj)v~@$PJvQ{5LYxd(owxWK5NP# zR@h$UiTbO8v$5AtM~5J>FAokHwbK&!COMN3G)9)Px52jlk~r^ioVlTngQ; zd=0#6+2=Or&M{N#mu6=XoYTj-9PK+{Y>s$ksRKAoFGg^@^<=R{wv#vT887Oz@bC{d zVxG>=cIMLd_|J8|e(5=|G9~l)e0OrK3w=Q|Py)578uT8~EIw}jq}x*$IKxK4UU|pj zR%HRvmwdQQMVcp;RN?TI9xH+eB758+wLEMcRs`Z5D~#e>_g2SC%>_J_m@Tn?bD)n5 zFB*Lq90P-cp&v94a?>MdNDDJT_kN=LSJ^QdysB^7U z!qpQ0(gzK>hoGT;W+Ex}^7iXD@StoOuvr@h4Pc77f!OOJN!(Lx>+kPXg`2`*iGimq ziVMSWdsk?cU6Zto1dDWpc8Am~rB!Qb$(cxU>&p{@Oy^~(-h7hpB>Uv2m?kTK@qy(WR=k~ie9xqG z>bQ{sPc%!V+M~-lqkhMA2*P0~@^oaVs7mq<;3=@z@Sp%zsE42*Wa*@O&!mllvXwshf1)kf|Lv=Hqn2X}CQZiH_B+QuFm)u4 zo=RC$I3+AB{$M=QKsRvBOPW4k;r!K~s`yTmO{k558m%K4BrT`(!nYs~QV#pi*wnwH z-f1Rj1-xp-XQsny|5O*~ zXlI>qYrBQ2Km)ed1}{0-i1Hs;pNtz}nJ6QsjH@$Ri77=6&ZIp3GFTI+Zuria-b49jie7Effq-oI-QNJwFAe~rTQmR# zC7WIlL6aCD#Vgg!W0c!tg-tr*YUb-%?wjz(B-5!G>bjGe@2C~Qp1gaVe1&jQ!p;I~ zNbN6~H~IRt6}s9MHiy(0FdAvNU=?&XIIIp3mE2Ov+ z5?A;!mU7R{vPSLLldZ_*b$w;{QxPEJ#;3mPS{Jq*t{m}i4p^i&Zr6JOkjmp*+8&2wiKhH%j(LvNopqTC{=vGvt&r=K6-%0_F77DR{?ZVA06bnAxl6wd zT;k-G&VbDI+o5@BNTzYLgGU6)$J77|5?M7WUl&fAOj(h=6z&G2Stg0ll=)`ZZh3XC z){rzSD_NvG*hFk>o4URjL25WPe;I1D3JI=NvYr&+4)bVYm^PHKHUuS2HIa5WZS{Ho z^}Rvm69|RoFgC=cTO<;XLYdSG7Pk$=QYZpNuc^;HH0_njTh*N(m46lQsGWeE7h(;?%pHV%I 
z$ciutocJC4@TX~3_=W;4lWNFr(9rBltWe#&vHqOH3(8at{0{lt6}+$%RB|ylvX~Qp zN<%E8m1~VZDN!_zqsaZ3U2t7#g<6tte0DEUkJ4%Ln=_gJs0ZxYf}iLjN<UmAEn?9j3Mjxg17os&aQMT)6Iyf(}zH6~m3S z7rI}_&zsKO1WOxrm=^qI3hwOjKQ#2rIsC}Xf6#EZP)m2B`crb?LyN2OC$)a$wIHkK zk`{gc#{bFEgVE2^tT3MCvO3;ohuC@T%m2x-a%Tm@<gS~;#wqP1DW{8YXzm; z6M!-payLOC5rRhkGy;(cWf~G&Aux+k51}i5)<*Pf;(dA*vZaF@tn@Q6={nFgB!DJj zye21fV!Iijel95B&c*95r#7@w=$SOVlDG5PM;W;BZI;Ry{VC|B9$Qo=0W&MOFP0gk z`h$gv0@^nGa@*c$>fE8{CXsh$PGVL^Gn4ggsGAz88sPylye6ezb9eyi8h|=D6Gy$2G`T06~Bw)XWBOSKYT!H=L3%DN{aKp(xm;4&E zSoGy$FVK?G)7HfokUMXUr1)K$;|^7k0bR~0e*i*|fXN2nwemaFzE*+St#q2O3uA$Z zah8#kl;>l()%^-;^6Nk7{DQ!U6m%$TiU8;bMh0lU{ZIjo$&vB}Mhl>Cw+eNf1xE=k z_73$wM|Qjva{~_r12mSphv*+d<`DO_3$i7?6Qk*WY4d*H1vK7lClym-nAR4h4nl8={^yq{06Ru52qz{J9?0h1m~eP>&F;jThO9~I4S0s% zcq*9kI}8!l0Wb@ACms)otXcx#xsl^c;jnf%u>v79N`kv40`P`~8&QrKWKbsFg?QL< zL=EOH?HjdF0eJYRjlCmL*$C;SJkfsj8g{rDj0N#V*nU@*m%g+;;(vNltXh~ZcX1O< zXKkL@S8(+z7Bax30xK&x4r1PEh?lvAL)5t-UqYD}IxL>NoK^;KRyu2s!7L{WR})Er zvYV!%iO}^;|L*#boK`mI`c+ftddL6qddr+x1#mKmkwGwRqVGF&6GO)>Ft0?C+wb2I zBlZznIXD25oJtz9j@+H@9a zf`P=Go99|C&(?Q)b{##g9oL;{S(91+g9k;QCmp6;`}KvDqy1~%o8kJN zKU8%}-3pY*_iOZRPh-k^{KWV(%b94&6#5Zh4umRGuN~AQm^}|c?0*#_QZ+Vu(y|_L zP2PAbqBe48hg~NOWv`6{or_JQ6w-KuV)>rC!`lBDi*h%|zNU^w$t$E`ci zATtYH?0<9K*=!o@>5WD319+nZiR-pp_0q3*`D-{VII9aBw*smSQ+G%1xH=BxX>u$O zT?f>5d++YaUrICWB*WX%`EIJ?9VF&^k^uSAmvk}{U7>|OK__4MOkp_BVuOWj!g)-~ zYpXO>J5cbuCgY7W{%dc94rLQG_Umk z_;~r@w-(IwWILV)-8S8Ciy{u!yW_sm6~?)i{%kju^rrujdW*eRWET#D$DOY-A)e1K z>lPU~p2iG6q8&9Jl|cMi3y>SAe}aeoY$*X8Kp8zC+E9C`J|qy&1R(HFOp(q_0BSiX z8w>pQEipj-G&rDYC23_OSYlp`pMX|fWW5yZxB{dS|1&}6Q=Sh<`|8ka8cBM^ZyO^$ ztX|qM?^AYkfOTiDMa{%!Z4)UZ3p#F@&Afl?IbPx!7&M17TKw2kpymb6QeU;f?Oe$e z+@Rlj`oBY6d6Js)Cku=awkDc8ky(m?F|bWU(M0*ATEMnp{9TIs<+0ewlSDU+K3IQ! 
z^%&z1A3I1yvWFp76BD-FFErq^JR#62g=@Tb2wF`RtHj5Svi8K;rc9H9f*&tsdHp(f zqqosJqrJN^`1)_DSx%%&pnnw+W5IdORFGH^S9dL$E{s&YMf;UYDFQ1ni^`j!H#DC9 z-H6reN?hr=z4JQvPbc5{KZgV*6f#4&Z9X>17OA7CaMkAo5~Uqnh~BEbkH$IX8$~-w zh*JreDQMm4Ha7G95vA#vh(@wP^#BQ8zsY>ZJyFfv*jjw+^m`v#I|AZ;j=QW|r*KR* zcIoDmbBywkDBt(Rdrc2Z6yya~d+#Z`%|ka}O!= zdY79XrQ2%U)@<$5OpQ*>*Qf!2q5_u`#Tv)ONL@!F(Pxm4h{4L%QJ@)zfR)^=mPZji z**;>d=)+Li&d(r#vz5j(_sycq;KQ6uF6^T^&qdfp_9Ji9+gEX0Pa(DFVoNRhf@y(n zs1x+SLn*0aEP z>Iv#t=Tc?9_2IL_nZ(V2Dc+L@D^`R!o^J#w$5oYnWKv^akcA9{a{en>+5?{W`6|4; zSMQ;uTLGuxJOBRkc~1C>Bj3@(jsQDiz&DA)0Wq*|Z;T#ifzU{Z$(qB-S>!s=*}TtpJF-dsZi}Nh+U&5?_F~=n-A=m5>kD$xF|htV8Gsk1Ql>YO$G6~Q%~t8~ zOu#dE_meRD!kq44mFHZyT`OO2B-wgZp^V^BoCm(6XT7S2c`YUR?#J@<2BE!A$y1f} z<;jm5%~OZQCX5Gex%7A|ti%>rMvu1Wl$ts6U>)be*v?OJX7rM07E{j^%({~!>`f)p zwqyo>d{qOEuOt~jd5odbaG1}=;hRt}KmU#+9_a1heMV~POZCmzq&ZENoHnmcmqGM! zTqU240O#yGjle=p={!#Tu`dIe$ngP}>#C2D78Ys@-jRjNaR+*s`+k^nXZT8Cc;VO2 z>h)T#Vp-(|KN5&jVbvBZ! zgJ`UK)X-8Ag5}OSuRCtMRZ&FCVa~}9`pEMz)eXm19(PzTyNxU@4CThD#m38f*Ktl{ z`4t-5AnZok+q?7NHj0zcqdokIhDP@_fccUM*{Nc}{|2yhcwO+YWw0T;#r5P{n<=o1 zI_8KO<=c8F=8LBTwK@Y@L4n(IKl4<#icctAX_0#|Fcv(s8iCRg@$d(jAQP0S{3lDC zJ$iS(pMWswLB-37;(PM%jMIf8Y81))-tv`-e|%K{H;-wNjd{kN=+YP^eb zcGfXtvfDAt`C>%KlFU!U%(S^o>%(w321tPv&&YgZBpYBRg@E5i_KtT>_vs+_l8YEC z(ArkhK^mX)G9P?Bk&wWTKb$yzRkcp;w z*Y|1|yID=P1K6%Mmw&B~A?JJV+-QS_R0f~GSqI!Uc@05LwuO1^GrUidd{_Uf{l_0$ zS)B%^%_D4j`Ih(Io=rR~uXwolEu8KJHmxyIE?ynHv8*Ml5&t zmQe4ScNpWdPCY(ga>b+oD)_=haccdnP-$b0^RoOoO_8#v#@UQ3v2K_#zeb9xhH@*#wXpek;Of5o7hpK7dVt4Adr-%cOCLC9{kf_Q0SekwX9U~GRsY} z-E2?Gj2o5;hv`@y*6zw&(14cA4l{7y+*6wkB~+@<7xWz6G&A*W)oSE8EngZ@zDca_ zQK#hTm{@Kgp(VA*M);HWI^iuAwjJAPnY3?YeAe{f8zE+Y%I~2fn-!vQYVSS4svhBL z9(h*+jFfQ(j2l~vTj zd&ur_hn^ZMEokDp3-IKhRs`u+J|u{Q$y|?T!?kv`xFx(mJA)G8hAy23%9=MDCFsar zZFUkuAP?M-?eSoGAi?z7oh%Q5w(O2!0G}}7=YFn=cUPS%C(GdC&_qPA)2=DMgBMfb zk_hH=%J*4ii6;;UZ+-#6s6i<}K*-AN)uhj%C8KTB)qG70Y@)*a_5ga!z&k+~|2l=& zY4jWkTE{wQxDhm;G{KnXW}?5@f%JGd+P84Rf1wc@qS2@T6Xx?BL>z*DXfhK4Sp&VH 
zJGbTgj*$UqJYbsED>w$Rho-6IZGXwwKeh2ZJC6x8qq&C{amk=J-Y6541&IIH0Koa*u#+d{v%*QyTDr zzD^v>_Ilu*;J>~dMzR&;zD!X4`&aXak2Tx>c*Dkd7A24H*wz{V0kS3cK7pG**$8zA zFBYnzi>)6Li9e~hlU%6^s>CmG&a`chf;LiAzd2xcexptp_{~md*Ci}4qM_z(?l8Z9 z|7H@rtMeo=Hb}%jUrn>zvhoAQ|7gtvw|eB@Ho|N?_myyw{Py+nn#YQbHdgyD7}{Wq z1{~xlcKFOp;~b0MJLd}8RZOx4j`!Eui)#0D=XL>gLcn1CDD$xl+~=!j;kcS-Fz{psvS z+4=kCup9S3j}5Rgjc@c(Wp^|;AGNh+50NZ!4(I0PB13$@$=^ey@%9$`T}gk8Gf84E z8s0eiHrkm{n8JF2t$9eqV_sX}0I}HC{-j@jw}F7<=oCLB%&=lJ9A-M{Kp-Rqjtuwl zM5M&!mNGj7(&EmQ-Uu&S`Ygw1BEh#q%4NC%_C-$e9x4RDZ9d?u^HY=V*@4D*Qy;k8 zPyW{z6JT;(AeZl37&r^GWu19uGLcib&y>iP8Hw%S*MR~{=kZUDc~b(*yd=OP(|sZ_ zLuJ=(d}w^;PV~;Q@RMP{nMwTag0opI+XA*=+tGHr=W(a+{+kF*HodD)7MVCf8n3{m z8AMO!DKxE-0aNrLgxEm=iAs>>EpE;G2r5RUq+=aAp`c0P$nSS4YY%9~5l9bkQN_Er znYCatJHF8VnW`&F@7Je?ty7{Skp$jeuIYCS5g&D>&`_7|fmP@}-bCAGAtS1Hh=iX# zdEU8E@+!U^4#Kh>;we&o)bKr!&N6T@xSVSDmt9aSX(R1 zB|JFHV=!3nnj#dDyj+>~C1eSUi8esti4>io0nlzOhV;s{xL>X&VY+ zW}fn)B52k~o_IiW(j(JC!EY_O`9QrFbAc}`$!sBMwoH@_%uT*qf-B*%pv;zPo!e(*!D%-uxtp%gdr4r?QKlJI zslT4wZPQj;skmD5%>1&wOA?*(?F-Sy!;j+1UBBYf83 zA%#iQGyKK%NxTPR+MA_zwj$qNS}^OQKma!3Eek@+DKxF-&^URL4(PZ14!eiEi)~Mq zHE@plWXoTPTV=SMyl$Jj#+3ZicC$0UKVHWc_Xa+8=}ZdEZfZgJueDFe+xMyH)+*ue z?y)HGv7n^L;Kf9LbwZ+lu32JB23XKOcNKs{kcQ4(@YyE39W{oY`|d&9-1)mb&-$)O zP4ldEE~Kqbzj!<46W+KolzOU?8+4WPJ20ApFmh45wZ~Oa78x9JG&%KMzp5XuQ+a4r ztPDMrIi2aY>pnMJEO1cGqm((f3npIcc~`inDd_R2Ugp8)4fCzIgkD!s@1JQi9cjnw z1`=v(kY@pLU$me)9wG;5JT zUT|vBHkm> z>2BfU+!V@78-u++aynX>Iel@shj)$dI971eM{oeRqeXEA0vT!273u~Br|{%``*Oz* zGY>oy+tEG6mWJ+AM%UJV$~&=LE;oGl9Apj#5+0jK3T`)jTm{|M^v##%3jOxD0zFXP zc=6O!p9>vmyIOubwi|X-o6jzxvsWpV z^LXzt%Z*a|O2%sRp`Nq4^5K_QZ-3>n!AD6c9zKnLLJ2zmXA7z^H(>|ucyH&Ue?f_O z{UJM7aHG@jb$y*4`q^k2r&a4r4Hp?Y&Pn$E*f7@v!JhkkE#8`PyqssbW&hU^vIC2x{Dq*HOL3-)pv>?4<nThODs8@CqT$eLus(lqzDZaun}-NX=WkXh zL*~L==IcIWxxcl_R4nR=X?T!|D|gi=fM>;|F=QP{vp^mfys6$v4MYOn#8)!a%tX>H zico{MCAslkel+pQlj zTEM_z0&BF=sb+=u#RNSUlXBeCUZFdh9#+H!xGs4CCS;s0#ZzOJQ$2Z;mjln@0R_(H1PvG+6w?MZO)kU()@J5Gr zO}l 
z;rO7dO7T1RutzS)prGElq8tH3r)DHT9S_GH^8<#^O>`v}$cH_+1tnUM;5)HktD0+c zWKX`a9s)htj?6cB2`>(qu#iQfXYgYZfqrH1dcI%?j2LwufH7o%cKKU)kblu!NCb?5 zuG9$y(Mb9{gMx-E^gI16M4Bu?yoy-vwx?0Go6lQ=<}&{1Z*$i-6Gz&@hjSU*YS)^o4psoR`V~mN_4SR zJ;Gji0eCLGZ{ii&ZeUHu&&!v^Li<7&A->39gAas)4EFOiu5~{sPl^%>=jbFHH;!fM z2RY;CFJoX!Cw|->Wiq@TBk?_r_gFBr8T(uV3uE2$fBk}9Z@JLMOzR$m4}IWU9+xX{ z11dGvsx(eLQ)wrLtz;@s7EF-|(FMGuK{fKIljns`(FZ2k=cfhvL3wbn6--PYl`k*nJudSlnzN98L;4E}tC<%(!jwMsqBwd623hu;tul!=bdXL=$|Eek2p zd({7B8-U`qN%x*Wd9a@#GuV_c!p+0Olh9&y6n&J2Z{AU?R{z*8sO8m5TfmJ!NYr;6~qQ6oTU4?|gXp=!kP0rl# zRt%_h2rzN6HglEWQj|3&&L(PZFF@F2Uwh9=0h!<+_N_z7e8oKQ4C$#y3JHdhj z3B)p{P>Px4BE`%ZBRvEq6zSE#d;NYRaO;9$3VWRXF01R_w@J>o*MP$&!;w zk&B$OfS{n{B$5S`Ai*MofQS+WBvV9@oO6b%yEff@x=)|eectyQ-@SK?JKpoB&k)#q z?X~8b;hE2zlSxj~lE8o5|7}tNm>Tfoe>OD?39XDLiQ1^^V7qh*z?<&` z_eXtF?`)6dC`@GJquX2-#w?Z#TaC|m9>R_}t} zdh+B2cz6o}I)i&}QO{3ub_gJ?592sc^_+IFPStalRTfP{L zbA^w48~?IOK;7WB^>Boek_kr)kdyO(QWatYMBInu<{#IT*3+SE#Ov^u`&O77bjn45 z!~?ms?GONf*nm>JOzJw)CwX{YAV0s|T-^(9d$!7Lwkt{8d_KP3|IL>kw5dBB($U3< zjk*~8H~-XYY1Lsjl{Ws+mrr!lEdu5Otk%PLftt$S-P^wqtzD6$rz6<8=#8f91E#bj zsCpZ)6H6O!1?E7r0&oLWGMAv1rq|bQUbZV|4}0?E1dE4-Xurw?O$@}86?}-seUnCDli_I zZsuzQg;aOMTtQo3z#6c9Cz{Xzyfd@bKfAa8R_E+6`|0`k*1g>O3hS~C1)4t)Zp!@f(6G^)O7)8kzvXK76sMg%F4I8m*+vc@6LgXxJ&(`z}4zd|HhQ`?# zRJRpv@@)9*th@>2or>C=3N1J6G{Ash98rfkoW*!G#02wBG_F^QrMhff;q{ohtTSF= z7!-b)QMo-O!P9ov$Fq5gK;5LNR+xWrv%tdjR)9;(ce2WxnW?6G_<$jVfJhJjq~=J& z7oX<1wq#?gbs9sjvNycOE`jdHe)@GqE)yQk#U75VM zzdz){1=bYNdq)oGKF&2G_N&VdD>|3lCSsCQc)UXoY$@JpbuOE{s}=S{JsLcBX?9Bb z##>5iyz{s3Dc$xdqWZxYb^%RF_8_<&atbae1kI2>|HU!Q$p>u^FIbKFST_iP#rXzT z%@14VahbHggQ1q;%O;bJJcynd#f^1;)+{N{ZN*zW_+PHsO*^Zbw9>7_$I=bVo;jZK zRf-K3tGjLZ@LAzqa9Hj-(XfTY&$Hx|__I8$qn|p^@USJx>>K>;J zmLFqm_ccCFT;tigP^d-9b~BCXi7$m8Rs`F6*4OCZuJ2mfs{7-ITm12DGE&^znl#dp zryk{9JEF*Gnu>=lcw?PGu}ID;LX4p(KN@F(*F_Z4*t;NUYwOCzMb3N9H4O89v0 zN}+a&o!k8loLed#rkQ6OSD)aM?g{u+jfTg7IqDw1xj8wJ%#L)?vuWRD$Vf8e=itLUvH&OGeP;z@TRX5h@O4JmVOR&w~wBK;1*J)`|_i`r1Mi 
z7^ivLJ@ZiH-un;c?^f?@=Q=H-RTpYe)?H-=9xm)dEXy!|fl&kBMHQh zP!ernMHOH~uCGjB91O!pMJ%@U+|*1iQv|!;*aQzj@cyf9Y~Zh`^3#BsR$Ryu1l5xQ z^6y6Lu7jp3ft;Sx_UHojru)|<;e(3UfAJt(U(Lr^mvIiR^k~3PvkcYp<)Su)9R#ho z&e8ehOjFS?Odl>`lwm>|B0$%I^kd6_z+8O*`6f-{ZHtliN0%X?RJz4qPT{U%<4@BDefQ(QqBAj z6c)89b4R2IyXFgl37KFWwf@5!$mduz;QN?8M?P;X zdYhAzb6vN`Jik{|F`D6-QquJXrQ^FL9Tw;O2v2+%P<i7s4^NF@rT+Kf^E)k~aBByns{izHX%D!O+ z!D4%RAt*Gp&Db}U>ujBSb_qInZR1gcK|GC39y~wOF&^Gs?7A&_bMghxYedW8VkRaU zhMFhJSgAv<^tn8Wz9meme_kMT)kaOaI?u_QV}Q-)UC z87j|M;!i8EoMUTQ`^iVwW>whRHlwJ)m*1kKhhVw|!I_XvSGya@>4vdJ7uf``QiqA8oAJ`< zJg+Kv6n)37^RcbT%c%3!bVbolBQ{h-B0YhOMRu6S?weVGv@ef|SC|gzPzH}5g5LD$ zFc>I~Y)c#)0U5M^vw}#N<>Hs61UmOO6KTe~kvqeht5?pnAb5Rx0m3x3FIM-H;F(nT z+|Q-BkU9~R{+PQ}z7x8(nA&d3aJ`;19dV|OGC#&0>o!_#vqn;OskD?a_!5eNAa~yw zxcz_SmWt~l8j|aDro1nT{7CdfyfO}bDlLxp7LLl%*5j2Q}md z672bY$FH#y-W=`grKwv=Dd;*_pw`psMc0hGd7nroN!a?WQ?3bI#B5WCInCwV`Y+EWUzis4_ubmlsH3E^!Lh7zUMkRV{`K-=Py@#Or57F*Qz3n@V zd_T9;2bL@!=+fy6-k@pN*YfdMO*+h2e@Ur8RL-O}l@=x~?=yW@0 zK~NSqy_99O)EsnzRAq8pr@RZIxKjz-YA3;7$lw1JKpLvpqq@XD(L$=_J(Ps|!`1)O zEB+7uGI48=f^7;j72HPtE#q^-(^5D?$UfbI>Knp%)_uLb_te#+89eqI=&3HqF6rYn z-QVZWTyg*0HHLfvH1xcsxRqHrS<@7{P}%SR}8|g{FHHUP$1rq zxIgpTmy|F|o}do6H%ZcEexc-_O#URsS=LH38 z0h7$%))-VEKMFkuQb&wJn(!F>mooqj#z*#vYyjM3#Qfkt|P&0u>W4_@#f#A|!|1^ChjMjCwA@TH-8kj9)|P3Z4)_@z7nI*O)u zOgWTxSsvGNnXfy$tpY`Vgsf>HRkGllbF-5Y2yx`0PS*rlQ;pD{O+8L$0AOwEDGsXa zu>aaS02Bzmy6YV{kvE9jqT~?9w|>ENkCYAI80ko-b3D?&A}Nye#=uy8=bhkbPrL@j z6x>&YB!iNDRSP7J7d)uoiV9->h-PiqVj8z{{%X+vyE~fcj^3vhqeD8!clP*6_%Rp5=$2p-yM6gqyQWK@8{^NR#kpiS7As1hBAeeLUjcPhQfSRJ z?6g3d|K0qYA3Iagqfy-bAEOi-+nabA6HDv@%wWao4t=tnq}hyMd+g9REH-fF2R{^` z6)UUk&mX#1POA{0AL?3utTs>A7j%g^I@+*8fRL?aOO`g~l97+$-Eit_rKP3kx)3sO z6@@NQ275~abc7W}OFi@cC~X^V9Z*M(16y{n@bSf;CR3#{T#%QTaIBCN3=&qsK#2g|c%9Q`x?E|9 zhU)>!v9cK6hUjyi%O6~o;3fIi!$|jvkWAv(twN^nW=w!@g-LYt72Y1dXhWS!l{QA1 z-XXbG_bxu`u-s|x1&D$0ulR0n8y?<3r=1H5xe@~d=mYw^QmqD&N8#~G^)dqtW_2xj zAnlBq9FX6Z{tFPQR$5n`zyovv*dmbIKoedQ!r_GgYa{ra1`b`}fwrNyb&CG2DYe26 
zKCc_pJC8EZkDl*q!k^|pRI&FL+r?G_U?9=DYYhw@r2Cj%=K8XB#=#c3Y2?daUh`Qj z&r3N&WmtTp1(${oIV`P>EESr3m4WNA@wHAZ<9idE0?JRf>Xs8xSPl?1P%F5h1@8g< zVj)Zo{H6*x%3wxDyiA7?~x)eG6R%e*YIk=o-GW5XUrWGw`EfmbNw6 zZ@8rnkD8fhTX+g8%D!F`a;7_&zgW*o2y$S>$AP+4_o8x76h{^It*Hx8;Q)FCDt`HO zh8X?>W*}9M&}q#6L;iN3*8^%2nQKrI201tZLpEt;97#T{3A~Q|+DFvcYu zOwl{lry}-}BGW&A(iyRnVD}kTkMMo#7V3^a9D{u_R>ON>sYB*W6&M8zOmRyOo)&&5 zajY+QzRwjX%a5sv@AHA6>xzneeQ+XD8vB=SMf;z^VFysl6J)mbde=>yTtLpL_kte} zQ*I@|W<2f19#bNuMmSX!y6~YqeiwV7CY1PjbF#s2GzjxS>d7C7;SAAJsxRh%>ho1l zRpINE97@Pel*p%3K)ES%@C(31#Y%EO#%9g-%%6R$2X_O(DX}L#VPBwymh#5IlpQ1w z34x0E)p(xXB>>IukEyGK&LRTx5){TOAhW)u!F&yTfIje|#NieCbuVeo-8KZ-ZY4&-yONq_Ya)c&aOBtci7?2F+WS z-)WDqt%4E+m5}kbBh=Lo6rhheQYIvWy5Jo>gOakJX2BTE8{lgmo_c(S0c98P9C}^7(wq_)JjtfpQh5&eHmns>xFVQn%T%MhmQjBmB!@ zreXsEel$a_q*zbk?NOay!N2Rz=sce4Z%wAQZezo8HuxcEvCxQFid#^5%x%%RF!Ufn z_w)o7?om%w*b@AXWaD6~yo;~E$YA_^s-%6p+5zuXRQe4K%j+I}kPhj}3ygzKF9diy zfTpNLzy%KH4cG`7G8vm2$B}p@>ruNVgZr0)vBOisD>Vj?utR1`{?yUZLK|Y^X^x>j z^Z5=j&*w>YM-Np6;;Tjhf63(M)FR?r_6NZaYcDtowxjb%fzJ*nbPFRrgCP+*-|L9{4O@&EBf%01ZsfRvn|$GwxyG&uJPg- zj0S-O`iJc$eab@2`*EXE4~=YOvw(sxXQ{3v5pk*fXF9FW&MiO$SGuLm*Q>VP3Ke$! 
zvKgR5%SmyvbRnfK;2yYx*MB2_W@vo_(#|bGMX7ld=OO$I5rCbkjX>g;RZqk%I_j}L zpvx$%9MSul29&W(`qRKMOMA$6a&Y)_kRPEQO}uesGSWv#Z3?-Y58meWxom7AC5U1GMO10pYdmecov&hH z)6-&dXqA=LAkG0u5vz=`CgeeX{Pg5(_mE)saKZICFMi~TU;0?023%(ktA=a736Z7AYs%g9z$d;`Uk@6$#~y_)WTo7-AEv2m2|l~cSIU?^*uzHa`}5`% z(G5wSyI?H1u6{NgWH~+Ln7F92v*s#QxFTWb7+B#5w!~?*GT&*wud>8HogXJR=~H*P zSd222KpX8@lI)EH76B2+E>$it^5XDHrwt*btjDD?b8_T@lH8+S?$4iV&y?y$F-Vyh zBXX%pEpV<$M8J5R9)mAGnlCmv9CPl@SH2{Q2T?IT9olln_ALsu*vOJRQAjvZX}k*0 z+Q6oZL7yFMQzHwI&0=I%Rjk(si|8cR#ve&e0QAk<0V#*pXKfjeOn}onePFUgdIMy% zNK@Isxsld|JO`(Cue1d>wmYnvhQUhIdJQ%FXwgM*eho`}So;yvTJ@z&RYfTasN9&w z7ybLc+zC-|b+J(7Q+UGf^`RgG3Mt}R_#HLVjwGFJrm~U8MEm^%;SrO#NukJla%CWl zk&~u4e-_fO{=BAyq&FahosRkUMQC4Jo5|-#4cqhR%y-tIB%BA!%0gd$T)Qvmkm?62 z0HXZNlL3F!{*4Bd>qbbev!|cKK}mt9hz*=*NOndr_V8io6E5`HbOKDE<)9HJ*kZTt z{>~Fm#=$h8)Jb*$A5BVdF_iJdiD8T(P^1T=y#SP%1LaYFYLP)2)(QvN5(M`qj(dGI zvMmU6uLSWu`o0=GTUJ#m$;+U)NuA~NzG`b@t+eddiv3kD7=7T7}cHJ&^T zc(3z&zPP%BzHMHwFQivo>c3V})z63DVdJSi@x^Z;LTQAwxB;ep~^+YkQyT^{Y;rkvX(QB*( zN8Z#vb7WACir^x}!rSd2y@K5_t-`JWeeO%J$`W+>2n!Jl2MTn{Bj(*MYx!wbST|i~ zHAF+J=39H@UWb@_K4KZ|<$hidT?DkQCx^9A$trzSINnN9x06_@v>?scul8aKF?@o$#RPx)Cw zWZqO6=$8L-2a4{}6QLyJ0{q5>I;wAO`bvHL5jx-?u)e@z1ibNqN;89q>V37g);`z} z@Z)=a9+iI2>im#GXT^+02!)b-QbAPhf4a3#Y#-*@miOy^q`LV$^X{*`1w}H)d4( z;%o2PW~iVf`o8U(k*sI>iLK_Q6i^Gx`}pkhcV~Di7vdi4nU^@J<>~wQ?pnK-<4#Az za%Ya-$a_=vE&_iS9u3=X+}*nvKCRiCU3opoNA-fH5n#_iTpwRukF62Ss;ve6wE?-w z1DM)ynPQibV4=un+}6qf4O%6J9F`0EJuvvNKt^UyLmCILi+KHhrQU^%hz{DdxztQ; zIxDo+)*8G!-F^5Y$Hb_R`@RQgcj>2oINAq8)W)7Z82*`t{2oo@Q~lnjz;E+L}t^9}CVs5E#NQW!8pvbiJlZ1tF(4@-& z{7#Hu3j1~7D+|5R*oO3Z=N~k(G;nO$UdoT^@7LvQW8E=}g>Yf>o8zKx-VGE-E(7C^ z>3me5cRKT|6ucjwL#6LE{Y{@C*DLDanFk8unq}aJYKB|y`HRlc&f*9_!0Qnl*_qo1W%F#{v+YYKYOk(8%MeAZ8`L7(ZaAjN3zfLzvm3V`ad`Chz7W|_D+Qhg2Nj|B{Rr5VL*~y;=YX4m4|!=PC-;Q?-Ob;) z06-Cd9YTN>I$)44DH(Zt2%s=QKDUe*%dKWo@UtTXguVXbS~UkXXPaM+1aD?!drblG zoNQ6FN}XF)$=Dm``Vrf)5hj#-F9m{UFiz`n&U@8ZJxK z>N+=DYqIrqRBU_?gb-5hI04G$D&YxU>(jF}vN`PY6f8{s)-mRL=)U+C!1k!|=;62f 
z^d#U;Fxd|I^B?^3@a%X>>go2zZyG=Z0utmI32}0vLJ1$*Kg#=mR_k8#Xk|o)V`_83 z@nI|Xv8y?y!l=IDFKDUef>3|3Z=b(qcI`f7^~d-Rs2+}*{+d$fSV){E5D42H(&u%O zUSau$g`p1ipK-*^+ML(W^UioTIqo=oywN;KGOc+vJF)3kpW?wx9VYiYo%^HW4|(g^ zT7#XJc-)OVb{C=#DfLI4a^o?YBja_3=rrx$T$$-LsqhGZ@Os|wRWK+#P#u3r=Q20Z z?X$Q8aY}CKU75gYin!JIg60PsZ8~iMzoL(p`}@-aQ%o8voH&jj0X1QBBkQX_Z6KBp z7;$-EY;$$=`#N|og9bLUom;VeJ9BN>UfO8VSn}oHZdOp-d8^mpe?K#hm7l(Tef1`F z_te_+bEoldOQ&^nTqDnQFlm6$#)Y>A-T`?wnZAPay8H8MZ3qzGP1Rr74UU85l58(; z_zM`ed0Xjg4ah-Zd;@od_LgFb&Fr|xgpono@O+{#Km!Xso^NadoXOqz!K7MYQQt*O zt?NQ{v4COCeWOtoOFG%6^oTdUBFaGL>fK1tnJ#~04*7s1#E>KdN zJ-*3}FICO!pMYuu|J>?vwbrB&c_v3GCLwsQeyW!aVcS%@4*SXfV8ZcfaH!2F;PhZ;FFY2zK_VuEj=(co(Nj}Ym;yM^ZG zC+Y5VvMhP{zEpE0M*`Ngf(pc6`&CK2C$rOmXHz+1AGsX_v9nQq)@014a>Dv}TtqR9 zi+$WU)(<_7I9tc95a;t_dblo-(Jdes5VN=jX3LcJzP5n4dBUKuu7x-nd=g+>d41Uu z`|dh!O=4lLoj4qKahh&g6=R=T7>cD^fatd6)6ziMI~O9KZzOCFD86#qDb(gDZ6vf# zU^hWdgO6*{dtY<)nXl&~JAIGE45JkGx2_|e)#XvPkQF_bri-36LOUiGswb-3*AcP zXtgE{d7f=V>T8jn!-SPu@C7gGQC!VB$`};imR(mw&nQ~#uuz>I@ zH6yEyZ@Atw0b^sTb95%aimx`zh{;OjR}o;0MaFyBdeJloMV$bp{?6aj!}fX>7p-EL z&*B}se3lX9l(%=AKiSg63s1_XqBCkIH0wx?Q>C!0vfI{`LUeOb5!<6SSHm#Ta@M^o zJE`H(wn^*-fRR*3@;T*h23GXJBr)b#&74ZcF3jhOI?_aHt^^mMhw$+2gm)>)!x#-@)?M-|WG0EmqVrY@e4t^Y@*m9Qd$N1gNEP}c zW!=3Al8&fz*re6bq($cFdRwnI$P5+ijovoaJ^>9(#eRpP3btZ%^-|5_sm|%Xfti*F z#~_ck+uQ0KP8&f+b|1WsT4cF=RY-! 
z85ac1_fvGq%xYC@N3T=Tp;cazuF5ihIvv^PEI#$|Fg1==q&$|pM(7f!U*k4aW|?*3 z89fNK2A9`&h)+XvvH*_w^Nfdecoy-zrG_OdN5^dE0fVd zz(Ez_lf>I|Qk!xA1D`7XgR_3`TZ4WGe8C*&!8dXb#jr~ZT*N_~rC7=Fr}0-6N@d|O zQlVC#folbV?^k2A>l@KTnX?@RV4-gckZWSRI)%@B4i7h5aIp-}Fr6~Bw*4B3V5`PM z&O38U<)9>Nub=nPY@iKXGOAY{_^`h(usm|L}Ls zLA}2B^I59my+>uMNe2 zBvAF~-$+9aj~XuiX{ab>{n76M-4jrU0LtZ(=Rup3`?+dj&=q9ZmT5i3@DK{|M3H}l z)j;|RR>}uz&ywUc7Vtu#qp7_Ic9ZizpAC?yOV`gneIf$|zD2*sE1$0Vfv)TOJOgcj zY$umG>e-rtw`ys<;zX|Wu-*}SVVmR)pxH5c!m=F+dnQS^qGeWZ-NRnnjiB|e``J5~ zXJ4d@wFrBkZyT|CTojHR$O>J*Ub{c%gBli8Y@B>ecpIQA_2dda#nY~yM2%#B+@yN} zNbM@O2VVzrzxN z2-l8HS)Ma2ajM>v(v!nP$a#_NH!^2&GAS32U*P7YwnQGTt+DadA4(`J!!Yw*B6P&% zA#FeK!E5&R6aWbTvFaafbp#8#$lWpe$fS{1`F3`^P(ymbVp;cF7Y?gCsQ#{?#!$7o z$Dyuw13a#Gt^G!BRn1-|_w{tEd|xm=*DfXZ?2pXWJy1ZZGya{8BmR9O=8~o$1fAgg(@g`sR*!B=g|A1Ic{R3g-O&tb9p-~p<6#{l z-fu{gd1}q0E~V~k8+v9L!fjCvk%nJ}c|QPJ?;ZPCkgSZjHL>yY8dd9LqedUp_*Jaw zpQXwqAmyWn{8v^w>xfV)xZY%BX;_(MkGznp#pH-Ot9(mz6tTjX5$kp;GD6WPbN6O& z*0<}{)`^*NL)JA}PRpu^&DXd$+b^Lb%H;PPpkknzKvfN>y{!-NKY$}~=(@JyT9MA- zpCPr20zXW)00jV`_%C+@I(J7%UH{|UA+`VZ8W^T_15_eCN(=hjj_u*=F4mHr?|;^G znMzXr6+1)GUcL#+yqFqqN3iUtcXJd9BE5aCe&bwDT*Q)MMA!WRl4b-==4vD-H^sD~QjKWkkquq;^420{_ST54<>9FTsSYp@9~7Ji(<#K^DrdoS^T2ZpOvCJ< zp$u#%_1`Ln({_MHp+W|fXUM~M>R?O3hXtH|{uDfd{s#c*fRB>yV3G|UiSoM&{!t&` za(4WVFQF;M;_lEwgErWof%NbR1@Qrna57l)FWF%x96-=G{S16#1dKSALkjRIBVfJI zb3wH-AX*rYKnraJq(R^#X$k5BG~@x;%XG%UdGg-~5R44q5db8C{7t)T{VVJ^;2YC$ z!9QvN4W!>rJqbK3dKJJ!1rFZF)(Lj7#f;!J6!l8)z!#qe+jo|f04jR^!~pGlfYfxW z3fOMMS$^=`3c#EAVL5YI0AiACoGf%&gIEj9Sfv0|k8FGwA+Y9O^5pmMp`9l_*?DSq ztst=7^ip(`p_SK(~mOPOW(8(Og zh)N~z1Mo<+IPCvN5n)J9u+py7)x=ok+*1^4YRaZpxp_vBQDk>ab;!wF?*l`{*iGo= z9xy&1d<4{zTYcUXMVieH&fn>+<4Q?_+HlofA*T_cK*Xf$|)Io z8?bb9?MW+1V;328q+xN~4ME~?a15vfS5w$Yw(Oo6<*afl*YIw^iAUu4n!`NGrQFgx-e4s*z}a&d9a}fHuQapGa3Mcj_7#Gcv70D0rkP%6Z{v) zum?=*efSFOYWpa%I~Wq(xaUS3IXkL9+&i^Xa=D!1Fyrtjcfq-E(lide80;oBiGC#*eP2pIJtA63a|> z{dM&5yRcZYjr>Yrd9QurOZ1Jt6Hhe$Z{BOkMvbZ`z4!S6G+g26q-oDDNuOV1gn3}| 
zZvZ>|@N#y#T{Er}J%PG2kfn8XC=mE-qt8I~?MV`*Ibh>wTW8x`q;Y0hS^s?%yf?St z@YYxM8PiWr9W0`16t1=n{L>wKp=#tlkT zg1`_Th}&FgMO)!`SMKI#q3TDi(yL7k9d&FQ+DCw8X7Z@*n+&uIrXk6}k|$9?F2jp& zr_Z245OvRN3^Z=oh{{B|S&UH&u5U^Fj3<)U{jHkyi>{m>vN_ck%y-5jA?5nl`=b*F ztEaMdR>%H$dH6A(bdhSnlY=x&@Zk1-gGjk22ceSi{!7zgrrvFcire-S^oI1T-W`@= zQGUfPyfZ52KXCu5YjOFpc%hq{<<5Pc6iOmhE#kdNLy&i|$?}h*hj56Tazz_TJ%#fk zr}=$KKR^0HacOoYe@xxDFmG{coz2xNsI|}XG7z?rKOXw0pU+65ojFW(7Q@4GUwmpO zd7;0T3}_q0_Rqwt3&tbH#@&TV&(aFnzdbL!O_f7qq;^&ceq=@@@d`QD=jf??BRd|8 zJmY+^@XMFX_2{eu<7B`LXH#7V)PxoiC873erQjzdTAa2lH$mNEiTUL_bDk+~Dtas| zO0`OjFRyZJZ|6<5e#n@bjW?QX2`P%NvlZz8RdSv`#cKq-rUC`s(`Vcu(7lm{oZExb zV{G9lIBo5_o{*3I*HRQn>P&tM$`nn~AiV@E_%AFb$Oj?~6jxLX1${YWEaa*15n1Gg?`f1Pf!S`g!N_5hTJ8ibTNXGs7|txsy;RZG@gJK z;?vi4?U#l8>bdojK?}KW8}7E>a<1EPwjd!6rV1GTZj=1`ApJPqVeuRV65JGIUP#jq zd{m%xaD?YFs0Z!*Lo5kCj1^e*q}VJ^vT0cq#MYBI^yZ!maF1uA)bo7 zRwshdMDtOxZz;6agGM#YxOi=G43JCwL|hPPooSWH*YAOqLny=N66dPljxsC+lZhSG z>!5z5ZYH+i9&eqKkrfk^Ja%0hY9JQTzk0PFE_`3@t484}^`XK3Ru6xr)RkjBPN;g* zw)#6DJHu){*n@ob=>m0@EXd{4vNbLO4yi9;5Y~bm6bL`?wNH(k__<03?tbUh-wiA9 z3YEYzZb!1<>Hya@XsIPgl8^W>s7^9VuABlIZbJg`nSaG){^7@BKWydX0U|jbLc)*_L#~i zYASa74CfPF7%lS2D9IU>&wP7hZ+g|6=@@q_7NBbn*rc3@PDB0I*4=*(egFCOD%Pm< zi41v1-H>!iqq1^Ql~j>ZTW2R>ZM|-E;r!8l%9AnOnWs+0#lxOCd*3b*i-8&q~h;To=Ovfk0FA1TbIqm)x#uE+w z3PJ}YA}{yJL&*{7p14deSSoUC`ipa(Np_iIw=TQ;C6?$9AP2C2)W9XT<9u{}fE{Fc zaPuPO!O+EKP$vkmT=jFE2q@-7KwP0VwAsp6pe91detJWJGQ=nb>8-rWx+j|TNin#% z9dE<@^uQvZGE)$5-#_^kUX8W;l#uR?g96DU?-@hLqFrVf1BHh4Dpyb9`jQa9zlN;c zZID9wfn2y;aSjA_L=p1<`0AL)>cqJN56NKHYNfGgE zO%imBfZe>T*^|{AWZBB%2#RRB0RRJ>b152LTu5qzfk-k1_3wWIrNQdvPT*Ofa~>`L zdBh<=PV{85S}quUm7d!}W#s@m=M~o)!{l6cG8A4QD|i zsMb1xP8d~xN1YLXV^C*p;9eYF{ItYy$}blbWMm(Z$BRfnMY*{fpEFGwsM@f)u_Ld@ zfo+BRr8pZ!TU%DM@)AIoF7h)Y8#r*k5@5wLnJ>;$fk|!Nf;m&qqherm0-RCk)%%fS z$%h&aAzLSK;}t(;Dy`sKrI8J;G_Ucm{QV>1V4I>9dSQddU*we{YoWV+>)Kj z0m*bkGKQ6m7usFMKpB8;o;qUzl|w18bPEt8qz)X^TF5}3N4Zq+cYg9Xd*2k8FB+=3J%yks`0tm+Uw-+mhOSf$w# zORM|lX`hlLI(J@ht69qAXv)6(LxHi*`y)oFCSszeNH!u{Q*O|I2G9`y{(0`8=?!QC 
zgyZcxpEyit-^WuJ<7rc;wL@D}{*szcEsn>4J3h%X_~Z709<6d++V=|*0iyfQSUm?u zME6}~%2n@de7eTF@fq7beb2U%-U1CQPf@BPBEWkFg6zfVZvrRy%XcBV%jh3ogrT5j z0%{2w(i{}7<+Eg+mA%;e0bNN%m~;W}U6M0s2DrtGUf~#a=b&HE%HR1C;E}UfwY!uu z{6@7E9`d9AMN$4`CLUqv>>a__vA;We?MQ2K4`#{9gKa^;NG49#qTAD=+57rQwTZ?6 zg}gm2`_9eVqAR`Q<@e*c_1^w62G=XV5iUvvlL-HI>4emz^K~CcZ1PlQg#dR^hX|9J z%s(Z|+!kc(yZg#?nDv;El4tyKbsug5JAV}RO3Vdop4-|s>eF00nAhqcA5D~C>{gx28t*S{l z0lWJ>i{vBPg{0+spWWV~OB4tSx=cK}~AanmT=hK8l|7*{9debZwUs zbz3H?i9;{4td$rLWBs&2v#s3lxq#5NX00m`0l!PzuP=b5Smg1ZN5Bf(Odh2 zg390d{UKGH4Z0jknN(DN2TeT#Inh+c-Ka-H4U;C~sp?CL&r=|CM$S;Q(c{|^#H9r` zQKbT2@R`3eEtf5@HF;a#XY_*de$s?5(jXyW zmwEX4DFLr#FWVIXo22t}qWUGsSGO#pUS7T_*%(H{5wGtcmlY&iN5N#bJL=k|W0uUU zW#AmE@6;uO+UyW+1Af`mhbG!+1)iD*wbJB3^)v`oFX;zbz3y`teLI)-$z=Pk7~kgM%WVJ)=}YN z7;Pb^xrbGHKLsVztOg3+SW4FbQZ}M`xop!?vadX`+-#c|9|d1azJjlOq=_jIh*)#VotZOAI7cjYO{f*`Zo&ZhP=49V}5PD=HceH!g7z%hsWpguD*e7%8E4#uUzU=i2loynY;g~Rf7g;PFX9(Kz1i%)bl{#p`G3VZw}kBeN(X+r zeHy!ftI2=4Y0*o(2I@Z7@veIi=+;J+3s3?cN@@GN`CYe4<7fB51jfCJcby13Ebrlb zD3<73z}?0PsSm(&)C?%rxg`wV1-hOB)zl4;r-x#IF7}&?#)#9q5JZRFYjWsO6tLHn zVthJE>@kyI)=HtJU#|nRdDk^K7YW|1dF%U|z||J!SwluMlKn_(-=FKjFHKsv)jw9u z8hQCJt}C7k6;k?&T+067u+JZ_FrMskqtCm=ex~NOvJ#zBkn1Rq?G+y1gGndb`=g#N z@%9-_Elb>_36RfP*lQ9v~;^ycc8vf=GPpk z-M2}&Ez_t>%Sy8-6!)!U@LV$(;rFdB9B^=Ao@{TUXjT89PF&urs=$dE>Olt+o3wD%swoSiWaB-b%?H zRUl7ae197I3fR1m@(U2>LT%%f;*4VW;VeqGd%+f02%wnL9q9$s-Els6o=Q9Wv9KvP>hDf;+F3krdL z7948S5@c`8t-vYj*8_6eKWdRG0;YT`zPDX_W-gH$RC_bKs#`d0O9=`rymnfN?9Bft*RNARCn<+q8e?ev~GD)BAX%TMa_R+ycgXvLv@wQhDr@IcqL z0&hhNQ=ax{(|aPzy^`)4wSEph-{k!lV3D+VKF6Q#jaMz&2AE-u%kUnJv}0$v_((7# zSgzU-tWJYj_xH7ga-{H{b=5(c>r@~%F(9`HuX*3R z{=@E*8b^D7B>u%yK4{0osqz2S-g|~cwKQ#`T1cnVkPODH7*{-m295VscTcoX7k~a<8X@O1%m#u+IEHZ^@4~a;iwWl zAzazb?$XSwP1D0D10hFyt=96VvL^X^UprMIt_;K;y;+d?K6l9v)jy{=Cv0vmGZ25L zvX*#IRZpaHtpHRH*j=ii!>N=8(OvVS%7gj#Pf__Ax2N*y!T)4uU7hWo}#O(Wo;0Ju7!Jy z6K*>chI6_<&;0Uc=U(Q3F#zsnUVh`dHJKgTZwr~*Bx7!JDf@b+_PH*^f?}s;MsidgNBF&E}%eVB&;#et8i 
z>@+eg17BWHyoyL}NnxOP4k-m2Z?Z$R=Lhq~nWWMHB>H%p{`X!lt_kCZ_E7|IEtq5{ zeOi@2FwHk9IV+_Ns(rs0jD*;K3^JSXzlTm3*W8?qM>cPV`xGX0OthCDTQ7$19%J4= zk$1m|m8L|#__H2jwH$sd^~$-*j!xtQN0|_$0JE z^}a#0@iKtFNU`bKUVTqh$Ud=0PJ(qQgqxq|;ner>zPyV^3r0e#^_|hRt9wRypjN0@ z+;jvji@`VEi3fKRX0Mx`o_yI5hu|=wZ<$`{8g4Eo-kR^x+inXoX#% zMU(kA_*y7Mt2y^*G=l<1S&Y-lHNpAMvWF8R>%z~eWRn%fT}T|O4#p2oML`y<+iG3w zYcGtxK$0cprhGEJtUnL0k0#Tz3N$y_u~M#acd}CMb4&~*h3t8Ru-46whfc`rioHfQ z514=By*kP=_ugaRfFfL{w1p4)@P@q$m1Z>L$UzF^T3-#FnBzCsZpHmw<*26dgVO0v zrQ{Z+qWaoW)y}gWS1ABlQ0wq}2aVJNXzK~D+-!+M3rXoa#TJqvWlWIteUD5_Wg4Bn zbI>SoT{OR_IKsDLCEg^kUai`Cfu%YUfoBa6K(S^xopBL0!SZ9Z+uII};tK z)UYs&z$Fo5Ue(^3ucD-M8{2H%Z6_dC!Sw<{}nk3IS}0jG#|INZ@VzM^yQ zt8XlMM%j9PZ96Zq~}*^x_a&t&K@hG~UcA_e21_CPsCn zb6EhyIIRL_X)&%?c<8N$tiH@+Pod1j!HMJt*jAL1bhxv1;KKHi>}pKrc)LiO1p!`+K4BEc^gdG+f2^W?{KsSSIPH%xe1P(G)3g$n3|u5AwyAe1Z7r) z4II#!xp-uk6!Vc)zh1IxYJPvnz%Dq}l8cAX@z>4%x}U5{TQxZ#rN2i`weXmHp@nqM z((icRp2ZV$#B&7Rpv9F?jY9JrA2pr?M`0yNk3T;@4+{7A^&DJasO`8Z)ApcNs(I=( zFE~U#>Bp=RSzkDQQC05HPju@fvca&n6nZIIm22=Hhu5CH~dC^_NdcRZZL()0Wy1bMbY@n(I0g)gF^kD-6yDLw(DR0)V3==L&^?Wpx{P?*0nWro2P_HZf3{gYU zt;tsGm2gm~GSqV8d^2kPjV(EjJ2?d$5+U!n>I(fL{7KzWo)Bct(*u%nb;G7NvB7o( zni3=M-3P?%VRr92B|a>g!km^OHOh2k{4BG-L2eCK-Zo-||wI%|b<`JLHrH>s8sGN+RQL4enl>;#u z(9F*ZFFtZ|{)soBfIoX80CO#t8(f0OuOn+yQT~cxP?w@~qf7;N8PyZO7^s8fOb({} z;I!W~BP<;tUZyMF7&~xn3c>W6E&$aOgdnB>!VZClPq=6@s~J}|_eIgQP@%==TtYSlc;G2~ZtDvjlhZ&Cle+4<}IkAYEGRy4?AxPVx0Z zyVMM~u{p8TIZX-v$rLk9&W(lcw>jP*fNT7n1N!<*GKK_951`p}6Q6wrCAWGnJqDHa z6kyaKB$KH}1-1x8OA)oz^!%M_HG|j2*eL;5mdzvCf(y%~2FuZxbVYesR;o5hR*xIa zno;+QV#e-7y@WWvbvNB}8$4HycbW+xJq-d%<0{^!)y=R=vvPM{*>Jw7?U`zO6e{gKc&Li!IVplw1hexAF1de z3+>)F`1|b1Hsys`NT_8#KR;Q|Sd{u^BXcW_+p2L*=UAXXBu?aQ25;%Q4d8wiw#bk# zc?YxFji)1Db!b?wHKSf$1671yFe~EhO9^lTQv_Q%bk*TI#%FS{4@PA)s74C>Y^4x4 z_+6BFgtX;tVsnm-fhi6GI5u%9b2}cWpQlZGGtLF){*eo+p8xLA2_Ux=kPJ%5qfZq8 zPBv8#E4^xr)R72sNF{svQIw_6t6rHK&;gdB)dS$Nlmw_Mh&fbf{K$DNzRv_=U%DrO zrW!p{U3}im2i<6|W!9~EOYe!+OIDg3*9WK}$v%&j6WsWebq>rBj?r#Lop>Q_0Eq7% 
z-1_~D$?!4-^q|S(ds8pQAA6ct_q`@54d+}kvZV~ZTR;`tSJ*%mW@)ATZZV^;8?00w zRb1`Pf7ZzQooVuFrJ^eiqIo_??dBe}`w2O{H0&u*tXgPI15io5R(-d=f!ZOhe8pgr z1i>VM;D+}}ae@R-Pq*K>0HBAsXkgqGpEr*gL8b-;n|IoWu64iZSCuJd!DYHToj$q_ zlnzb6B52-T5CK*7MR-o&oYKS}d9&{1=e&UlumWo}rr5Z$Pz@ARb~z$sJJiX1w8lW; z>XS;yd)SkP-KB}(3C6!0W8ExowM@Fk24y6bzoa8(~e%jdphAh8FOo??-{m7d~i=up=&SU$W zDUaZYqlKZFMl2h<%eK9{IWm{DzW-`{|KgnV@mOt~>SWUTfyYJCC2!wOb|M-D7*7Bi zomwq?JlAzR*YTil$pO^h$FS|0ZT4?9>g%Uny8*k4O(7)R&0ea6C97)jH>^Bn#vj7}otHrLyXr@Vk=8d;N|LB*sy@{2^!#_9=xkG`Q^dAV?5o#v}eKIr!LB zg$9&o^78&7DQ!`RQo8uk+VC)yp1Fgcqn34ggq)#*^Pb|j_glalY(9HWL7a+=22KOd z_-?AlOF#yjFiMH5X2Ij=49&NbCZmuukg z0h(i-BL!r7>x$zykTjs8F7~*P;uF2*@4AewGo$?Iqo3A5a=6CcUp$v=!hVp`?W(uk zhKgGBEqS+fy8-n@P8lK0_g`lXk3g8BnfLkjk~g28fKa;nhv>Yp^ahk{jEI5k(Q(FO zG|A$1^6>nyg{2f~YQq5+Z4P8}fA2*8*&xV@kN`P85e*HlMrfpi|OjK)cN(-b7;!y z;l_>3kWGj}1rMLdl&twvglNs-z;phxRr%PVvvKMBtjrSEwPS2ohxvB4IYL+)3SWwl z^f)mEL7plKh|s8?L%RE{!b>NEdF;Eo*;SyRZ_VL#V}xFP91Hh0zee1ArI~=6GJOv; zKLdDpk3-CQz2<|O$-5lm7!LdoLr)uTp3=BZ1?G(frhiE^prjGiF6w6lh$0~&ag94bdj&30kFXh_aykH1Of9g@w81IV%R zWTXLa(LqW1CPF?$h!mD~w*kdMrAZ!t39I{1F@ur}7OC!!=Aeyv9!3sL6w@aI`UGD4 zN_Ht25^;RX+2ADA-nT+cYvJZ>Gp1SB`@(AG@Q<&C!SL_PN=Tf*C(@^bA=Sytvc98@f%Rn)^EoYv0blW+gxBAV0dZ%RTB|%eoCQ|+-E#TBd!i? 
zd8@ne8P92eVe6zT-teYGdLiDwThSUI?jJjPHQe7dHRK}|uqO_t;ah|@c49n{nHJX- z8g*`%mH?ake3N~Xqxlt=lG7pjvDox=n;xp z))(1UEq8CiLDKKDcj?|(zx_w$HlwDmtisV6*e*JAgd;CFFYNLU+2M4}5OmGpNZ+W& zW}D5mv5(1qYAC$*1mowCTHbj+gmNzGeb*}v@SgXd_xLmGK7~X3-uaSYIsFyz ziKkWeFy}holpchh$=7`_;uNwlT<+L7R`vZ8bRkMhL=WUU7^bU++q?UuQv|Z z#lRZXV-r$5YcUuiz?=7JLWXKMQ|2k5xPqa*Eyzt(1Sy3~N*71a&6*&(bF&!Tf))4Z zi%`=Gc*JJ{fm->~{!%OcSpTX^ItlPAZ%s;HZ`~IipJ-cc+C3%ThE^nH0ry@T_h#!D z2a-T2lp-YLf*^J|`n+I00CPKKQmQ|-l$jE9z3OOav9$g4CgveNJ2OoXIh1W!HzAeg z6bXy$JoX(TkcxI_h{^!rP&5pi`atr`$jc;}6U^7_@A;zOPBHK4lv#W;k>Gh)=x44J zva+%=gd~mg5%bzYmfCi6mRh#ZNdmTisQS#+H@exc+)Tt|5eGZpHLW$8Z8{RAOJNEP zCwAv86wIb$M9uT>zF&sBuD46&yCv zrg+=!-mEL7RtyNAQ}UJOH$X%qP0imRrRiZ7r>;9tmIi8shzyO5wK6t}cz-*|W5Kwi zfy9}bygH-dsM_~1f*0BRk$$?I7HrPdneYaZcLe`$Rx<97GQhSiSmimvdDRDYlIivk}22NH4@O)5$eA znZeUS-bAAnt1R7A6EpdUJule`g3Skpmhw_Iimy86IBtbgDHd*)gggL zu6;=qv*MvS;XGEm!9wYg5v=~|H!P{iszV5&muA=WG^_Q1Ij7%#4b0ikRT4ndlQ?J* z0-3!`Zj1;_8l<_JR5_W+M#rii+s5Bp-U4Ba|M5kLKa<5QA2_0AOq8(bix3^ zY$uW}26Z4Ibka$GG*qWYN^~P>kj@a1tcpNEtS3^28|@f^Jrecr@FSG%OP&$a|5o%! 
z|FDbDjQ5B(es2u23kczIqgjuxqxzSQ3Lpm{-Ro*E?gX%fW3QBM*NSb=+8U}SK38Lo zMjVZptSls3a^v~K|Zp|ngH0*PEG@tnETv%GYIl_-bs{z%uor|VaKpV8Si28 zaWaIREs+RuSKO}l(oikjoPzlJN=(Gk1GM9K4XQ~Kk_g;bO-&&+ zTFtaTK{ki1P!NQV@3(r=esaD z(Nn=z;^+NG^%x=C#!NmFUf&;u_VMFU@r&nh*q#_|e_0@$UpZzThzsU5bGJ>bIcIRziLY7f;_pxY1Jvsku zMSR=s%j2r&pqRN4Hf66pdwE-*iPN~0W!76;R3b9Un+=4Q12AAl>|Y*&`KGrIqkGv|A+!= zX&sm}bF0HT(n`=S7=q9;$0#6LqIl}@;!_`Q7!XiM%SbK+J-;9B>Ex-5)lDo+1LB`h z1zH_`J4&An8fEJw{1Y#nCC2GD3Nl-mDc3+UIH$ZihhT%8K?Dj7M52}D+>X<=&p&Qy zv3d$jI!mBF3jx_QK>YQ`G{22901XsmLCeXo(Wmcil&h^6R1yYZUhc8%`(*tT7pN*1 zIT6Y$s2~ym`&+@d1PDVIbpEq73v$xTNrYzbMPTfd`q}bx?2h719YoUhR+im2$_mOthz5Gkb%h*CL>-cf3AQSw~M)EgNHA0sMXEzR_CpMqF^!NFNqR}g6mQ`BG__A^KZf>m!*>> z?_AX_@m3xk9LyDYza*YnTlhJfwpnX5Uh>Yv#jE+IOa}%}RlJu9o9wq2Z_~}#%u0=~ z-C0j?JLEhwjuJJk&>eN33b$XMZLg=y5g$$=TxJaO*TB|Lm(oX$>x zc78TNK!EUqzqwYJ<|bs3h*k_C-zqw>Kj0Q?;rPwiv9VUwszq1BJpbK-pd{GUB`xaw zhiZ#iG6<-}ZwkFt7(z6jeBP8x&E{chcQ}6JvA@V(Ln(I$J+@gcKvp6)6L|_er!ST40Xd4>KlW=U) z$xm^Eu=K3$)JVS=AMTAKNI$Ed=Tn73;vOm}@H()aq;J(yo)8Fu%I~j#BNq(9Ax*RVd zu;bc?AsHo+cGJuMI$rD7qV{ZsL-#I_^}pO2ir;3Qhmq_?me{QikA_H|_V}zb?+${T zivFxC3HsDfZtgBEnG9C_?XyiR>AX5grc%hrJDd6xX*5w$|btMd?oetLCTONL3CmWU8StS1+&=5_djfuT)lyIa z8z~?k4ZJN9-2T!{{@)t!5FFoXaC04v$v246d6o9*Df{A^k(`GweVy&TrFYzsUHr_m z{O;`{fUF}4IDgB)F{Xgx%houuGk$*{XI1!m*4^Wd<;K+jQ(PcwqFw5aeAZQrTK(><-mqUCEALzIGCs4P;Op@$;q3CKp`7OGwX-&)mt!v| zx@xZ)o-25jE9Z42y+FGC=0tv6^}RBal6!g)OceU#6C8new3r))gvRfUms;q()gGlT z7S_+EqIF@i9u?;~?k4pcNzX^4>k|*fHg;0$pHM8@eCBYK-`(MLoqnc9WN=haRc28A zeJ{W6vfqcDFetr& znf|y@JK$hw^MviB5KotAjwi(t#-p4FA9X06WBz(Z<*1*v;582=V_v?;&3Ylc$_K;F zH~I(XUX3nh>JP}za|L<^^ooA7*6p=r3V!juSj{&}B;H+5w`9<|Fnp+3F{1mCf!aoFG_6#M zn9W_RYb#}86~C4{qBdt(Q4t%fDUY$?b|+7kG-o~cO<6GxaSrODzP9mPX8^*w6vyw> zK;m^_xmIGypSNYbAo1zg=AnK1W=Vu-&aAcfrdio^ z=1^i(LH3ijHm^j+-t!3MYYEU%zQd?Hvtts*SE_yEHJRbDS_&9BjmoV)kLpV)gTRSN zve14nWo|M>MDAn_4-z)$))r|baqhiRybOHgLrnZ_o1_ojNUTN2H2T=IWbJ^D9HbOq ziy%ZOchVv{QDeu~xsc5p@|!qo{?h>OFg6P!(O%3CI#CkVph)*O*944zy%CmXD{cOk 
zwepA+Lsog^w8Gxl0*1tEz2&M6{KH^zs{J`A^YUOF24(5@K)jeEE+#AwAVYqAlHayL z7lxb1tv$DD^Ezyp$b4az9J2l0i7+q%(e%jVuTy-B)!rf18!B&OYP}a;utAL%Ab890 z1SrRl=n6nVST(Dm@ii^;g}2|O_Oplcw>ilY2D|tfa?35bkW9fxQ?#Wvfp=>$m`5_< z4Q6}#j>%+ROu?f~IgB38Uo~!w*K}+lZLI^<&*na0{urbsdUtO(rl|c;dwKvd8GL9H zaS@t!oCa74M`#0z;ExA|hQs7Uc7oR$BWbVF+b$ABfI=1k0UHFniUx~xvR3+fWMzXX0?B~2~U6_N%mB${5vP6Rzu`nd^%fBph627}ETTR`7d z&;sImDmH_m0mW@%8uojFUMTpZQ;7oA8F3CSz$Tm`e2nz)^N0+ZKfC97-0sPA#sp02 zUEscsoaYq?MsqwqHSk9sJb;bmuZQ&z<7ij_K_0cWd<=qUpB5ncH5eNHr{LR8pF&@9 z`ujscBthz_h9(D6J?&%ZPdx$92gfvPiam0{$0zzbHTUTa20(gKIH%2%(w#u2l7tfQh%vQs1IUqtr8 z3mw-Sfd8gOzAP~>yDu~w^kKi>eif~y*bgYTZ}KaDW4shwgmO=e-{He5r{z!a>p?B_ z4;hck${Lx6_}+Gk+-pC)(|1O+M&C=?v9wC4ktFxVg}I;B*u-E`>)L({4sZ@{5}as2 zp&|qsxq%X?`_IhlH;|}BGT?%3KP(7?N{S$&@fUW~tSw;!yJKO^D@Ps{GOx3anN^;h zFCyX~?|gF?0UBvq3tOLqX=7=!S@IQO`9SAP1s)90!Yhh1xc}%g4Y&*mIvwmh9mf@@ z09!~8eAvI8pMSFmfXw=f;(-=`i4Po?vJsh&gUBEwliNyl?>gJH z0T>ndbx(%n{A9-Df|u4y;u&+FMx*+$vg=Qicn~$`+q8C-<-IGKghD-MGzPaWpBR-N zoy_qaLIi?P!*?nBHfoG`hG{XC-SG{taec4tn#>O#J1vd<%j1>RO+qAgQ{}Uxxi#Ls zlBGP*`{S!_HCG>eQomNMe~bgkQv$aKq^k|utK72omUicI*hh-RcLuB8&*nyNzcKV= z3NDjhYv!__y0yiHR1LG!eI%bKAub6_MV~DfB?xHz3Gw`JH&iH~M1n|b|HCwgnw=rU z!;7r)LQl|*sKpwWSMR`HGGR4ZBu{2t+LM4CH#-OZEPuPTndSgZ)8-fK=VaYsZX zP>HzISqxzhZOB!#{60<>-3R_pqtbty4+3L2pP)u&e zO_k*07dx!%#unb9DW|miYzDI}8)!+PUInfSrr^$}SXVHWg=H*?dBN=k7$S4FV< z*wse16(o2i+tRC zC~N*bAEBqLmnCna;zp^m<>Wh@o>zaOo18+kL|@ebF|twqA#B zFX5o&K?@NTvHk0gog`n2$G8yl-y1!J3dxFlIsD6tq$-gBi{z@wc@pY+34~U1r}bMg z0NUDXmGWX%+)+UKnkmk;W(VQwpYe~MhQv}(w*;+-#uz~2rNfnCII^{xH7M7*+o+}` zh@>YKUY?o1~q`qP>>#%3njdRQ$U5HsYron=bzBs&|O3fMVbrRUmR#rpR zza_H}i6~f?DUh^D_plrO&z6h8UfF5-Wb z2>IW}{|o;l*MQQYuI2BQ(+4CJ%z|RcdtGI7>1lFar=PdBpx9_aSuTQbxNrVxeMj5s z%F5N7H*eY>?rplZJ@tCEPNK@7j-Ako_xyuE6LDPUh21ZLnSJ$%8!xSKd-^IxRqg88 zg^}lu8o`0+)PK@+KbGq5Ns#2x>{wvO1bPsegogkgm!}RR&(E9z@Bw0gW%-*Gx-a8+ zzaNhgY*(58I2{>00E501ngO(`5ug{zps)9qdL94l|GWy=y2c;Q30Rf@6z^ZsWBvs; zV7dxmqa>hWzM_g3U<&w18u;`cekQn%`zQ4Grv})Sy|pg@kH83|R=|)sJ?q-$KNAqZ 
z)}sravYh}8)xE{_DsY%DwC9f`2mp7-aIec&9E4X)ek4>4Q1gc?|Hk{?IGd%LMFm*T zs2@X$PI|ESXGlTdr$F0X{62Bj&_=C?8vq;20 z0m&*LBLs$Q-XzqV`aLFmcJNs4MJ{;zHNgGAVac3(RrAL!NCi(XoCdw{zX1f(KvJ&5 zkcmrs`Oz<8To`vErP~suRFwW0a6Y>(Gl+%!?DY;V!6WrDD{ymoa4(|-FRpH!{OwMV zftj1A$GJ%(Krl4$3ZFE7$nS^zDRs4P$KIG>zlRW%CGz65W|v_nL77^QF-h`r_{!;} zs(}B-$L+IRaQ~Ll*1EUxHJyd=YmvtbK*0Z!;m=+xAc(%8$eaq+`vDze-t!|P?3ZTz z_@#nUKm~`=$Rgd<@r{`v$dz8FKg93vVSlCg0HOV27IXK`v55>KP}FYWkH_~*s<2dr z5gLvaSMof^z55NQtgjV6^LBm@59pZ-G3bV|nMdYO>75vpQhTF!kkIQg2<6NCB7gMh z*VpRG6%s+z^C9uVnAfUN#D%p-%;J`hR(VmM)v%Fah!om?4G@fC6M;20B@hKNE^xR5nWkvgt#2Rk6AD6lP*YKnnBhiyRTB1g3EKWh5JCh;K^684sGV*)(F|lXu zN8hAI&Wi#jVH7NJ%1tk9`-EPf)^%2))buHlg3tw;jyZ%%fb$=KBw>p`C2X-y`BLCJhP}u{hcg}oWufyMM^x*Qjv|ir-ZE=1}ASVa7Ix3_| zcmJ>XdI=tw6utQ4@Bbc>3NRyrGT&Tq>2p8wr+)n}pahtRo~TUIfB!Q+ksydI=ynHW z5C0`mvj14ye-BSr517(Wstcp4f6u2dcu-;~!1#C5p~uvscD2d<$ufLf2ZPKBK)77iiu;qk@jgZ((#IO7tK)^N>Uf5^dBVdJCiXmPCo3C=p$h z5p^&O!{9z6@B9AW_pYzp`+fIY*IJfYGtcaE&OUqp_HXaAk8c_0a}v+`;8L`JRtH;l+-Q!+gxKUYt;jRauSM>mchsT7c zEGP5G+iX3JIR2_0I+WKZ0Ij)Jk@J?@)9^U?u-OfPeeQ)Sk5f8()7LjW7>EGg%9!gGB{#7 z2Xk1#FZIvs93QvOJx+PMQQ9gLZTEf6%+H$K$F*-Q*03J1Nf2uclkY)z=9p&I( zK%FigY9No&OBt3{XcQa*E_r`=%XNgIDRImuzd^`fXC*j|O{R$f z+B}m{=qh_)++?lMDtx})d!?A^xm3K9eMcaa{fOtOf%%#urnq$Zyc7>mzjS`1b*yBz zV7$fSNMi%(U2z2ZyzGmS#PY3lop0B zBNFd_m#b`%n_U$%eSQf*bO%1rGb>~TmY;NL4ke(CM~4~d@8VC^^pE0eJ6!$gG--0> zSF6IF`~A$~F@e`VS*4EYz3bjb>Mwk`*cCs#ap6E?> zhLWzjxO>jrMR*vGK=&+)3H!p=zP{VNh2-I0O|Kq z_r4vkjr`0rp%9MbybU9x21ZK;vdMxf&vkB_%YrfhUYotelo{88(QQO&Ql} zm@}Vr=Ij#?kLTu6cYDmG_OuZ9-k>|WKc-88zaEA$n@0A*sv$Ki#8b%vKWzBmJ*y8z z%`D9@xk*J(WOJo%Y3OAIKKMExPxjcx@P?oy5U(|RYjxo?HB%Ail4moCCL^Ro6;fLJ ztJxFiTbh|O&lVqIs^vmoOI3FCAEtC{UhMlEpvA;|e8&9`1D z$zzFAoWS1j`suc}i;v9@&Km^PeUhAOa$0;Y1AWAFCY{uzof3P>64&`|g2MrSI8B=X zIA%I2QHXR~igZC=lTk$}kHmsgwXNA;ORB*7Vaqd9N4g_Y*tgo$WMP}ye#1j8%NcuQ zb4=v6Oh}8Z`78_Eg;a}pn0EhYa$La0q;M;vo}9qY*8?3mErGH**_O=An5Fy|#7M7F zO84b!d;qrZE0YpV3b^#4L&W;c7~*ZOp)%2hUCaXT2#e$RV}<1mHb3;{F#lcy3FOwd 
z+3lMg3(f-rYic8;*pkwxJnqZfLzk)rHj%vASxIUEr*S6vYimb~uph!1HgKsat^BXW zp1m+`meIlPJ`bk!!vX)TjGbE}cIb~ab zmbr%s{xxSj!X|k^Zz>_;}Iw;fPP|y|Jj5@PQ~Ih=%t$rvbDD& z10a2*hqQ3Y^62R$Bkiq3fWhX^1wL z*@?r^C)*r2^=_&a7g(pR|1jRMlW6QrVw^}osYFeH5Rq^0(QdvmwBlmAtqU)hs`D{^ z)GC5n$yy|~q2usBkl@DNMWF8F;3h%0LYuwDx8Mrh?V{Rg&`nCi zd=^YBmlSW8lPtLxgp$SV${7CMVd)11VVGyH!0#xlF&W%3KK1VlyTuP+m$p+v2QRI% zt=QSsSIn-uKhbYJnyz)AAbJ??Q%vXftCR*y2m_{ePsxXz;-Cedj|Xl^6dn08s>;ae8UZJVpt z^_;P($fr&PebqkDdNj~;ZD&4d>|E;1O_v z-g~;c6s3%`b64Ff(zEJZJ|*qb)`w!7-1JK8L06tGb9J|H=C?)kqoTGm74Krsr0*>60`4 zTGq15$S*!7i`VSrAv=v^lsz~8ys}OhZJO&QUy=rff)B7UmtP*KdNxzu=bW1`GqtDE zJedqdrq-$2@soS1qq=Cl(nq(-DsGX665NqxxzdLeL(YX4KEFlEf)vobRcw z-nO;@BrlVhzFT89tG3<~gJcwoXwZ!7a}s{g$0T($IVZLdvBxta`kKl=X!oTqt1P_B zlPY_JPTbH+RMA>qSmZ#n^kL-oZi+w_rNN&CJ=)-Z4% zQR^;6y5TD#g1At;rVdwEY>+Sv*509O?cuo7(EM-bew$`eB z_v}}GlxOd*jcJN{ZLTW|zh#u-2{=NJI?{=_<>ch&`weNd-mq5eGlub<M|d^9jM)|Fgk$`vi-!CaU%A7hQ&=rhOjkGrI-535BI|kuVNqn zmy;ie?=XIgJ%k%za~Oa>RecLOd#yxsrWMZ(r~5Kk{^P z#NSTe;m)qwGqxGU)9`x<3LXJL3=7LSjSabTAq=oRHxB1}gV zFUfl9n9Gf*{Bb&p*kJ)#{bXl}R0dENu7xdW5-8us!`xOUlae%p zB~YE#=!PWos;4n`+DENTUce)MVo=Mf^=?Z9v&n0P0CFVu_=ceUQ%hiFC^scce{XdR z4i6a1k|$TM;{4eRDoT85WdG3m8mbc==~>{Z=hvgLw4joP^)L9b4mCudGM8W7GBpuaxHPw2@A=)X_pzXXpjQ zmF&@2uZ8`O6MDo?Xa!LAqd}&vIxF}6IQd#1e-4SZH0UrVbvJ!xY&`%=(oYW9)0#Wp zpQRviWKHqFhqwFJI#1^~jFsN1T=>}DG!DFJ_S;8XMy~p0Gx(v`zun~cHSWFObx8K& z7u2axyLaH7rFibNcVL<})0(l*u8-VtYfH5vcTj7!sY89EVypO3cT}tSf(}MWvyy@h zF}nW|TjqzCE~+-TX@~9<;SyB1Y<3o+19d?p%qJ|Qz$aO}_1-yfG`Dq9@_H8V3|Xvs z--z{6NVB*k>x_U4D}ow;X-k1-!{h2`b{QVAaz{O7QRKY_O;6k%^;p-1PCM1fs6?X{ zDXTA(PKD6A&-;CrX4TmVdvufc;n%)Wpeiq;4quYA`)2`myWnVNtWNqq=sw@HvM&)b zQN{-LBuNR)iTM0nVUq(GUL@jp>DOn5l@Zkt6z2G~Tpyj`FTXk1-HZpWxNL!uprCmz zlON?Prl0(rb0$-xQg~v!hZC-ZoM}F%dZ1?<=F|Gt0{ch$lXDXcu&W*PZ*e4K@fKxx zk}%nV{b&(U#kOqdB^XDYTO><-4HaQ^jJXQanoR$&-3aFdU6Ts=?gq6~s)}O1%v+)=(_@PAi7yo851J$(6 ztS*In$6upOy}SfYuZ4UiocNEs7fX6^8RSO~{+!*P3G3ha(VqkVMa3-B`TlzS z7ZX!r;0Nb*oBTTBZ#?dguTr8StS(1%gpU9WKX3FwIvEFvm4b{89zR5b*FJ0>oX4lPoYQ5`Q)c2$OiF}#? 
ze1;re8g!0WrC`6SSZLI5KH?fT2N+mjILO=6FEwGmc;kL_WaI_fvp56fqa-oj6!eFG z=C^Hnpd~}LhaM2dzHAdNw(UhW>N|8^PuOx{Vc1B z)KG^LPG%7iz^FMyFI8!LerYLHukzeRmBWs(VZ-AX$MIUTqYsb1@w=^cm@;p6A*uV| zsdRjnukN(K0%t01-#%aep?$cwmZ%!fSq_iz=}?53R@=j>9LIGUypW~g4x$nMzd*H@XF z0lV7jeY{3hN)DA~&A#>Re%1D)RmjoY2*1{@0nQV?)_bkq)?AjvxP5K~x9^BM>)>3_ zT@vv<}z&Yr5P$`)ZK%C+ru6TAK@_941rGYZjHA)XQ*tD?Xj$Gq>h?@ zX#-X$&aXx`FP!tS{YIGFicsCC?4i}O9tx;jZ1}lM+%xrUUZ#Fo^OQzgs%T4Za1=%_ z!if+QTD#-HArx8UowLA!={>4aa;SBvFUk7|pS@b1?@<9}Zr!Z) zH^mR`o1{OFzyxDD;?7;k#<{}*E-fLJX(u9iz}nU?Bs`hf8QpThj5j;NS3=+>hXA7k zpH#r%b1>FK+?fLbx6pb+j}c5V0m_)hokjrS;i%iDNc%vY5Qf zcy+4L3w|fvb}+q!J4o2Ju>{@MrPD{jAo?iXe@8hgr>BKc%#$l839|Gk!JNAn(!0Co zd)Pz3_^KVna}Q@P&}d60&|ZRW-w908oS%CvO8D;b7f}xr;DjGRCi2b${k2R9z6p`I z12{l4O6&)rhXwxi^H+?m`-4~Y?eAXMJV`8RApd@%cnJLXtZ!KS5V@PgqQ^fF-q143 zu}WY@vy@5L*s?oaXDgXtX*TNsM~-I*I_NX0y1? zuRiVI0aXtWbmNL6?_59IlgO#hecgUJw7I03Rm%7wtEXbW@$u7AIAh9$VS>}4WL^MF ziIX)0ZThab|81gLg0}fPiDU7EG1b~uZuKJbYrS{kD!5U0=tCKg9$FYizjtOdR}w-z zR?m*u%ROFg_w(op=y*+?Ytx@%IWVy{?iEnjybV}1kR+m07pXuoisu9A#i&*sF%| zo8G;>ZhJn$A&VnU^Xe7OV@2ZD%-wzFhOJQ->i6DCVDuS^0#H{@#rOvyF*b;0K(bsY zM{3o>$4les6T^_yjm4AhU&ZJ9kcFDg@Fph-lvxAS6~sAOK@WB6v{I&KuqP%S zz;umCi?J7)+C4&;E1udofv^QfMSl8usXb-5JDW97t&>0RGcjAj`xM^H^Ol@|vP>}$ z!z#>%pz&J>(fQ5y8Njgpe5!ybD2MgE1`Jr9+)g=u)8XGK0=P|MYM(j8R zd3A8OcS*L;@cpEmv&;|*8u`Ba^X-cS*9Z;Hr_z!2T40i;nLG)T%#+M5g;SoAp6&4` z5IccTmiB$hEn0l%n)-3{cyuQN#Thnie|^?|6$cG1Y@n=wFjq=~deUc={ry6%q$G9n zfjCquDVJ|NTV8Y`n9gY92VK2W=6f_abX;GQ#2vrn>29_P5)=;`v(hbZ+lW0IJ2*zRs~(FIYx$8&GnBsRz|Qh zCWM{XWm>~V6l9~)yq5cl#{>N;%aa#HiApC}Os+x9JpXPDP)U5SGS(z${v}jOZRlhQ zYEii^S|zb%nqztLu0k+Zt$fGm*lY|R+j>l4aRImSS?~Et4se`mZcx6b4P+W;=Bwe2kp}>qt+s)QL=RYyl zlH@h?Crlu6NLL>+<$_=TK_QHa00Q*mU!7G69Y6sJ=LvNp16^s?3)kazdcS96-O*}z zYFMaWTB9#D#eY;SrvG|XY@%4ZI?rhIS?{_RbiixX4%Ubs-xLr1Q6*U<2e=h34_=nPIz!hyxbFDn8f zu^t@8p7fGDoSy56qmAfZ^yeBich_>z%?)IWgKR6oWJ*hyJ8oA#;wv;NDlmyR zR49t);GngW2OS;2#!8vD{Ge4-Exl|3#hl|sMHI_Mb>irC&TY_XRYDl@Z$+oJEg)w( 
zXG@OY=**rPiUyB(?Cc0n&_jsuQ%*1l#ITch5lPaGE-~0WAIPQ3eB?J5dfEuQA2_YP z$>k1BX73fwFcmVd@%F*^P15Ad`gwuG!q=6?=T`$DL$&wBY_(Wp5N?zgqGona=&MF6 zT{>(qA%M~#S*!3-UelPnv)r-Pg9kzH=wsr>$K9CLavUX}JwlYs-cqeyhm{a#8>eY! zJ(IE1Z_c`3qHkuO$bF0Yb-qIu<74Ep_7^PkC+z&O>+4|LKE%d=^>5njkbcTAzMy=` zm0}>=-UG&~tt|OVP}4{P!uB;nG`B?`jtQr+<~#YHpYKoJZ%( zc2Gg&F;>vrK0|MyfFo`*m38c*l#~|Y%{7W13E;3b>`*%x?ps>A_+{MDrOReIN24QT zr!O+}+(wh@;02$B)I_UqF1AGe)fLr?8%Kbx;uHn-&gBQm0SZD$DP}3BNzMqNjRcq& zTJ`(NdeVEH6Im;TvKJL*PNzUTQ^0S*eq|)_oE9V{r84Cat*6@+%-x$EM!gbIk$YxcqLAr)rhm3r}|$@C`~*K2o5rGs9?8a6a|4nci?W&tMzbGKaHq>FRwCSdQF z!zb@FzOiC$=VzTy)hlK)<&}i={&1IRBgIG1ur2PVCxu{#U`{aV2SJI4E^ zF~Y2NI(>rT^kEmE0Q*@xt^E4hl>2SfPF^Eca^cNLV zErx@#`8_}KR#>gw)b3qxepYC`FW4I&eUv(us5-zN`hNeRR_vGah{W4u*YbX+eST;3 zMB0t2Zf$SP`sHJ!-|g=d$lW{>qe^Sww%%O_8R>3x3Go|yS_~1Lr*Euw^G@#K31V;Y zQ;&6y^a(b-iYmJajOiVId>@%{F_Dr)Bd||A`y8ld4uVbyqPnplPJ9Zn@*eFnUMtfO zdFnoQbOc{zs}*jQD#Y%kl&`iQN_16N?aa?E&K3*x((VN*!aMbPz8v=hgK-T@s%}Hg zicb~=E0fHdu2HRndIhPD7MLtYQh)_eJCb+e0nAxmUm3-G9yxoLySBA98le*!OMk`P zKk@zcm4!{C`>1!Uw<-ggs5@?(C8W(A3PDC{avDghfRX45glX z?d272Pc6{Nj>%2W9N)vljM1@;aPPZMi@P*$#;utMkT9&V0YE z7F1TtMea8;Z6ZOR4T-I>W1p=Nn#1pe5f90|s=T!}F~g_h*HE5n1@E-=j2i}L4x6fK z=pTUL=M+mk?zxr35MST3cqOJY**e!c>a|X@8tKOL76%<%lETwEO_baC(#<#zKZ@>H zZa=F5m&t6S@8&rc__SNgoo+sRuc;>0iT1&WTGy43a5f(%L0r+AWx$&>D2$X|!c}e) zKwTSe0G_maEa+u+jlNawve^$=AE+Y+gf2IppA|JS8f}$~j6wf6%I^XgZw}rW!*z1ZUK2!q_Cux!5#p6&EdEzRq1L zRULqlb0or;iPF+IG6E2hxY%@3?H1>cUdszJ4;{5qf zTr|>&zymBLtLLL?DZ%V-?bVtUYG%&}12T!B(>$u74`^7;8k_M)2}RHDB;Jge`eI3n zq!X1fuO*Pf-A?7?tKDB*ar9XnMp`co98*;v=NrKmXY%$~1+t&25k3FD;+Wj9E9_&t zA{xHPb?nwLyqKGsqB5$}!Lsx6Q#o53E;0g_k6h&=&L$HDhQ?9mH?5Rq%58Px$KN9w zdt}EhRv8NTL^w&6$)5;q76qOQI1!hgFn3ej5xvUNO9KX$!G6O#p_)I$b~PA8ya&3|?^Hnf=39LRkCY>!wFf6VCsR~+S6w-TqI#G}}<)O^bP4iO+fV=~gekvrJ z%O#oX91sVtolzw@5Cd7F@1F~@y8UeH0BYFk7nQqmDqO8PhbpG4qTbW+k}{>0?^TL& z^Kh$wetRvtiowTquJXu8f;o-XuT9fgalN;DU4VZzm3n7s!l_2C@^ZJHDmCn8Vg_6P z06U}p{furZ5m*}cxQIv=fL@~EiZ&-hKu*b9;n4kWT(lA{x&F0wwcL~OD39L6SQ)^X 
z8K#=2*!O}g=6Bh^v0dxN8C)~7f`K6Z`qHhrD+CeW`(drEK!#>h_(0UH+7@QWcb6*# zkx7HS+6+R%yTuuc`_1S}X`K3X@1Hxnl_uarXb&wCdw`wdv4IWISXPyIMkx=Yfp;P- zAYW5f@O@lpAg*o?<7Ur|xJFtpce=cBw1|Nx_M&Cc8b5f`%;Yv3s@_yNX>sSNo@Ubp zos@K(5uMrXC|jHso4_U!BuvSIm~dY0{b{I#)yIj`_Iikm#~4VzedH z{ss*uGc2FRe8M?S_Yyp|V zv&Uf`m{f~bv+~zUtfF!tW{K+oBJnOU<>>EB z=Ng!7ajRW@5qL_n{-91zG|Gwk*@sD3KpjjW(IW=~W!Y(u5STjXLMy17*Py6L{Oe|(%J{TxiG2i%@O!=15OVCD}R z-a436PcF!@lN`jhIl-$a_n;mgrbd;y7eKnr75z>L{!qgPV*%{dh{Lx5KQ!m3X@+ooeiZ+Kbfj-YNroXABENL5&qr?D!#ZdI7IfNTp^ zd*oc$vqU5L_cMaCd-Lv}sh9ld&I%BY7p}ZMOXvg12`K>-k94jwiFZ^R0O^mFVcbWj z7`oQls_gUT+9%(@RTX`}VoA`6)M~R<&oy36o0+RIUQiP@m*X-8jmaN#P?_8z{?&wD zt|z`*2g>!x&ps8)zs5%?znOtB(vuA_V}hg^k5`0`JJj@$oAXvyN1nck7=$(Ql+cy1 zj|fl#7ElrLmzdxTqBFB^PX&X(O#2E20Vz|N{gIo`T!|DqoUM&e^SO_E++?oH+O3Lb z8}vRqpEvPS|A^Z+`CMKPO{zlUl%+m&?@iQM1UVX&G>HSBa}&(rvw+;qL+?y_5!%Du z!)GsZq+9$aZh5~o^~kjTR^3RU1Ps1yt=@Yr+V1~g0^Mp073qDA={QNs{9RaU4*{nm zL~ln#kk0mOR?6j?M{Fas+G$F=hq_ksLmz5D&SH*+Q!2*kNZ3yB^;NYv3ctZI4RM$K z9mY>6ur?bDRxT9#QtOI7G+o~HEY-4v?rpx@`ISE#?i>6rjuU9{2PW|SG;8aBR3vi~ zzwMbGMku3`w?gM`A=2cST}%-)h{PXn?i&3@EHMzVJnw3sCy->?T6(RyIIhWf(K`$M zR_fX4g5(xg6?q1?pLqx_@%?%X*^8S@o#i#{JT)|h+ zyynbcW;LRc_(!Une!A|OTz z4H`2>O`YE>_UM>LEf)4+KVdIVQpr2uT#(5k6fE9fV(pP`V$TF%XN z#hOjzo1LjBh3*{869S_1)BGxL(jRcKNS-RrRem#_ff+5WF(WQsmojNFJHZ^^=oU?5 z@QjS-Ot^#eYM!WgC)(fArAThQkzVK=^}Fc%4#Y081w|(ku-6Hewz<`_I27*eIuDZ*df z1&P(%VTCcq+$h#(nG!AXd2jT&FCu65;$V*{e3tS+jr*dD1Dq<(KH z%g_zbVqQHxM4?-#9Hn~=HBxY0arFtX)9*iZaWA8;yME0Q3W$)$VOT?6 zzRo)fu1t5qe%zPm2-ub8w)c@2!wi;A{x~oT(47D2wHcjD*Lv}waDe>4yL+*17I!Q% zb&B8)!<Xk(NJA=8x`zsnxsS zPVD85xlFR(>;%V=sd&g_+ZYM2!OfZ8ws=9>lGg@W<ZIP0|Lmx34d4a~#K8M@ zAH5sh@W}+C6MbTWH;41=?buV2yW7Vznyp~U3_ueNshZ-0T~{HC_R67{k7ou8z|$3%p-oU{qRUs%$h`$|X-ub7A82-E2)S${iXz{P^aj zg7fjFCH9cm(9#FyBSQhDKdykWr8geKihdGt?RQ!z3~HB!fPh^^n&G78@gO6T63Cdb z&5UQ)pV_}J+Ui;2INkbfXb`0NFp<{23;v0#@H|~6{q-NbEQk|F&b1Q#F>|fLs-~|s zg;#mBn0^`P%$sson>Vk$$F?BLKFkDYjc^1C*t*GC@9Wu|Hj(A#IM?gAX(*Jxr}Y{A 
z_~vuhQXwxeGEr7ZV@`T7$y>w?0CtZAew`zpJtdi+V?wE#ed*(Mz3%-S?2(ja>cAzj zTyu5g_-Spny^_&CPoeyHIUvi*1=&^r#V>Q!{GQ%QV&g-@@<(~=;&p;srbWnP2oqSF z=ayaOij$}F3O2Pj&wfsdOO$n*pSv1AGz>pn$gfz^`mW4fTzd0-0T8^q5=^cV&K#U; zaq`v0@QWynI~xI~1W(OWH#SVFd#)z3!R@%JdyE)!Z1XSnyaI`8Y$6p(^}tn@^ehU5 z;riA2&Ei7>T}TSXh6~3=3dfWSi@{SyOu_y`_DAo_T>PutZm*5F+DRQ&w6UWz-?0kt z8r2-3MvbkefKPgEyH;DdXs}}1?Z9B9q~IG<7nw0^JMbl^qqRGE*aH1cM_O-CS#IVv6wS?lzHTY~`aMbvvO+%opG1u>tZ8e1D!{@zOe_~f( z=$e0fpQ8!0&ohzyGRP~x z`@UjJ06Ko#<)lo(Sj1w#M~Ro~w63Q7em9qGE!h%1r3F-`Pwcwnqu{gA>A=y2n6wEA zpsZ!5Kg=*|NmAiGS%t+$<3{`|Cx)?_4|!cQJa0BqAfq*&7=tnXE3IiemNDi8aO>Bn zMepsHsBY+aHsVr-(-Z}8t4PN}gGGNXV6$mg`$q$kxcnXjl|BY34s#8gh&i@Xd zc2}A)tI)sZGLy}qlRvXv%8%m62As!Zb!rS!64)Vzs5ZY9cezVx57<*L(Zi+{E3GCo zvv-ES2UHw?EicPoAttwqNTFT|FTMc;`$L*%yL_3CpFqp=2C=bUw3TOZbOkE|lB>55 z=7|XDsSeP!@TG8yO^PblC)uq^t#l!x_5!pVr(UC6w7ae@?f!%xMg8aF*TFPiu=f@8 zc*@1^Qn#_xhZt7leT0aU8AD3GnHZ$$*)3dhaFtg_i44oDp21>k4ygt9pC-^t`lyVo zEx$9drn+A(^i&ixPd^gjGY#sDCVt6EY zU6}fdAtXlwz5v^?mhgSBx{aWLvYgShxl16!5Hqo(CQw$K`vc;L*ISNWhb|5zG{+9S zRk{d0Jpy`uz|&>>6v=p$FwI>WU&z7mJH+jG`zTTrkmQ4`?0z~+6P?o3*dGOY^|0L` z19p3`vBCu6Txz=oIRFm2y1_#+AOp+Seh#d5OM{18L(pAoxAnzwukb`3BmEiVUQ|Nv zJ}MWh2jx8NrxBivkvHT1$oRl7oNKa%x8gM)SINMLE;0@|v}j^C`ToX3$q>i1`yC+Z zoVUVi;ToFo2>&?850nmUdj${e6^pn-cye+S^*N_Mcq2gbX&(Tj$4~%Cuae&K4}o`w zDvo}UVvcO3zJwfyW;=HH2v*aazSHT*d9sjVwV1XL=|kSfTOYGib`K#Nc^((ja_B*G z?g^$3y+!%1?c|ByQVqmN37uSd^lmg9y=vvxYQFj*kOywcX;0C-J#RBDBTCqV%p~0mT!lF2)KIaEw*=*=_ z;#-uoK^~3z%C+IbL>z)rwJ`D1#4#3!+oYP&f^}t-fHpz;3?Qr z7KimxkvpgA%h$9zEe0u9zYK=&#VB&}3F2xJwov81gKP*+b5QWSW?%RIHW2|I^VT0H zc~3@+c7)u4VnA^T1TZ%EInpYV@IxG;y^-y*>UeX!(~(kA0YyF*@wl_!^0@I%Q7}qR zg*xtMp8PrN)5pphvMv26 zbkrvPMax^g+zciJI$26GV9i^Nr_@MeHE}TdkXltahJYx?;spDt#=9$1`RO^ZRiKZT zl;OqmOCWJ+qXDB~3ki#cG!vT8^X9~z$^^|s`e9OJ`KI0GRK44{b)s?%v%KYWRW=&1 zPk?iRrOJhZiyVpy7F%;4vrf8}fV0SU!nov3f|C~jn!`Tr@Hw!(^M$m6LWtv3owf>$ zgDC$h+k5^U1XsXomX86UASa+F$PqmwsNP_M_ssCmj}J%=GVp{aPu`ZBQc$5hm9+v0DiMn|~s;KiiNTgn`dVlI6)lz)oy@9SI8Xx%0n^5(mkku)%K~!X&rx 
z!9I;RCM8#XDn3TGuk0fiQL1D_bdWPoWWoiO^9+f%=2*d|9Y6LP;nhTZ83rfN^)yV! zTkVdsPA|%@xW*oGu)pFV*v^rr1z^)x>G_a_&kjCaN6?tRqGJ1<2ateFRTg)^br&4* z%IjI(G!}#e^(FJ`pRw~1_vQ)DR{2NY4-F`3qod$<=bd(c%etd_2!cjRk!JQx5O_}Z z1a}~>p!4NZ3J^;Ak!_|MH{vt)BDy{Z52;sZY_630n13G2o+ z?m{&^-X!fmdf@-~0xE*{Q`i-p)iFuioHc=Z$AFqNi&U|6eAvep(wO0A4c$I#hQU4b z|}&^U)0cOw)O<^?*6@0ggW7fd{Z>ZBhTBdVv2# zKmXI}0sa&H{7KnnB@5WTiRaMku}%L8w%LQA zAuat1JcB>OmLRaV`cBoUfoEw&AV^}$9r<%79`=cm*Uo#*wc*=F9h3<@oC%fbU_Ijz zUqK>COM(LfOF2A%Z}q}$?A&rBUiDdu{`X#3={9+SFm2msKZ&Jm2@5Ws`81^xH`r1> z@>+NX>@DEAEFCHOl3eOQghkrvOm?8OJy=7_*KgXsMnL%tY_=JpH97b=NQ-ZeYpn-| z1dlxbIPnY&j3A`U1_tInQ9uVswCK)0W{NffV^<-yOB0yancNP%?s1+5y5+7AIDz{z z?)Vmr<(ehl3)~<+G2^!v2-I!8%n%?L3Bi2|(lPLG#NWPy&IMcy4JngC+Q(o<>^rLW zLcdk^*JUcOk)uut4_rII^Z#-2;M#%zpNj|A4*Xy3d`&ynHY4B;i$Y{{z58e~#wV;7$B&Q|65%7xp*MX-r=-0;GgSpk39 z)lCB4rmYuE=m`g%QWFu($q_P}UpyyC@rzKx~)h#1Uim9E28lS&- z<2Jl$=e0koUs#*==A%BA#q5JCQ51jn63i=uw$Budvj`%_zZ(>QkG%3VxXB39;)AkT znQa9eJH#K(9KFON2Q3Im1r8ZO`i~)J?pR#i5wstP1|7CT9~`Gy0NuU&iIR% z*+{t~`sim^kR|V*fLD8?-+^v7Fn|8H*PbO}VDGXQ$*U_nJvv>MEecULMCgPZx895y z;O-y(Yh!UQl`IKHiy?{N<{Q~8deqWK_)v9&KgyPBNoUNHj_?bYSj4%1PKn6^k~7Io z(^u>t=Ho(0&v|A7ple@~J@^Rx4I7$d+DesbjW6*bqv|X{>NocUr-grda2p-r`s?S7 zOO&XYFiw4NN|JYQlKu%Y{}+OQ|078}%zUk0NVAox`pUj^2{A3W-~J}Q+oF=PrskNW z7!+H#yDW13^`+CiQ2evFrO(WUO^`9cUh9sO-}v{=v;*qW1B87)q%disqyF$oev+tDgq zhSL!q{yt7<`9EOpZ!%ejj&@gAvK8N6BJnEj;W#QaZ#_L}ym0*14GO}Z zO(o>t5v2Fkeh?eau1nCn35uF;59bH(m;oiG)m}4oT(jV3SPaUYyJP>n%?BLTQ;Oks zpX(pNXX`wEBlEO#eOP-_{niU2@*GgvS>!wU8Bine5*Rh*K0-}A*~jGqGfu+1DhTkA z!vB^nE-UrXQFJ(fw{w8>xJ|tUaDlOQ!+CZ`>r|+j>v9Gle{BbQx<_bT{t>+Xu&aTZ zBw?P+F>_g4@vAO_=@MD|D8$$|+R8o9y#LdoZH@cZ3=g&!x`J{6u%XLeVHMeqjc7D#Y@^587OUi^E64HPE%LA~PH3$}C3JYxhO!Y8@Sh{K+w zkN?1)iv*tX4byHl9Ze0%Zfl3zU5vTl^*(1o&9k2M%PP3&Cxr$69{Oi~dn!0Zzs~_@ zn-J}f0}IPPz~VO={5gSJh-NAX?kRsYP!`ue1F`qZK+_oKT6)VFI@b;|Fo*2I33~Al zu7DE+;Fj|LMACmv5b$rz>AxoFza|LyKU35H*pxv2_g~z(-&2yH94pk#R{^gr-&g(P zu5uvphfjoHwAIJ$xY9q^-P|8W8RkPX4_=c40TuX-s9$~mbq~7PM55HJ+34^$ZVjN) 
z$n%07b!r>IYqcrICjT~!{)tzVD84tv>DC!iKno5kzcyUnU=Z_+zr-NA*we&oP$qpx zGo6b?@lE{h?(TJCS$9fY{)Iy=dHlb#0(=+BGR~om1lhi>d!;H#QpdZ)S%d-O71pRK zf9!$l%499Pps)7wVUa(04g1{EBQ$gOuYdYfd-oF1^Opp~Sg03gQHAh3MXmpA-N@_#)5ATnXLD_VQ9mcbZ)v0eFTi6PaQxuQ|IYY#OH~ReZroRD@L0>^ zP825J`(9$~zzl$}!|ysTN6T*&mJklfD707sFQ;#Xf|qmMyjj=x)>~IyK8IYKIERNC z3TW={>+6d?+V0;l8W*x`Cs`S<%wPKa`g&##EeUY&21iJg{wyfki`G3q;fYHW=JZ|eL+j~6@of~ky~HTrYO4K2^)jwT;L=}4__7YKFE zM1T4BMYr#~14P`b`f3f;=sNtrWy!l+Z-Fv>^8&C3+bMgxd1|C2UMMex{oPS~ePg^2 z?M<#8GIb4npOgeBw^(tQSN3n47v_4$XlW8;dT(`9^*qJR58PdE75dih7>6ICHzpm9 zcKUmFH|p%F{mn-K*^$XiMOqRI*A0Sd|=mMd?A`S*~{*jOT1%r|bu6hrDB)JNw6U;XId2KusJ#I#I z4$lMq$v)O^iW9_to>mAtia|^tcO|s{39K2CxDE4G z;G4}+jx(9We`F|jwE5&!oDEa-2%(w(w)_S+CGHk<=uKax=X|2}BX@n~!`Z544_Mxc z$Bsxg*okA`eGAUObr1Yz?RD~Pz;DLI_*u!26!om%c$AMf1Hx?9I+E^h`W!Ui5ibO! zGud1{zvtJynTu3>5+r|-&K#28lVT3g3<$S`N*7&z;D1nt?hKvph*16cDcE{>AWbLp zA(4p3YCOG&o7~aG#Jk$edfTt|=%A0Og1PXdY_SCwgC4P3Km~M*fM+DN{DOK9=4}0c zhqYUXC-lNF*P~zAZ*l(@VIuv&sv)T_mfh&bss{nbIk?%9_u;OcdL3twUYUiAlSiNX zpv1BV>WVYSI)d?_0|(l41fHY@tOl0J*sqhwiRxm{ALXgVx1)>|-ZF^g?d9(~Br5VJ zRQjD3ABZ2!0WbOLyC~2ct5%Dl{V`O3c)eohtiD}wIC!=!%wtzOs`ZY%oK13|ZDnAL zFy5Qjyrt>g16SrbTd;^~wZA!Swd5ps6Dq_Me3#&CZTMn@yVQ}L8*xSHEut0Rj!YQ8 zvGf72A?iI`T`h)Rs}>c2@ibaWCa6)OfbyJV6Q}XtU>e7HQflBZHS02Ei&U|_PZo5Q z`F%yU{b_}fnR$WMEvF1|L!YB_cu=&VA?(%JK1$yu_$gP-^Zk*HF-_OucNGtw7?qs@ zRbUS;I;NCXoyGHn;LF|ny)aHT91MbNiAZg@)^OFSn3!bD)GH0$44g!NY;qdHZppv| zTNDhPt_YBu9J}lxlZ=9jT5paw^$&Y%7EX+|Qs~e6&)R8(8M1!v3;0p*CFmk0I8m}c zo~=khE9`7C7s-i2KU%89==Fb_I66YM63>@BpoO>-KKa5s#P}y=KeY+KSy&ELJ&5UxZ`8^${i{r%qP*PFGAgf3LLFyqIfL!&ua! 
z7c%94w+iE;XA4FYx7mPwB8D;>u{~n$1KVj*+c}WJd?ws&?p=qyI{@d8}3FE(}g8$3l0xiE>ADl(V zrcQ7A-SFIGR-5j{Gd&evq5mGFHox2$8xC*(H5c>j8UZbtGkU!|9& z%l~5S&BLK=`-kyJQ52GdWJ{7QBgvj@A!N^9*<}|R%Uo$w*>_`2k}{a=VJxMrW8e3L zk#%CSjP-Y3b>H{%Joj^d-|zb#$M28n2y>n1=ltyJdA+w?>#Vj+vT|Da(^&EAEEF6E zLE2Ty^D=(xqrNT4Zq-ee^l{H$qj6dPP zlIt+#?6hdioTO;ztFwmN8nr;X@3MzJ8%{`6I9s6%RSs z9AsUrpzpWrLxJRFmPn3J+<)dL6Q$LL_~jRSFp;X%+TtMjGOG!bxy*4i|Fg^OPx)P+ zzVm3l{7i1i&}}MaQ&J>6u&(%54aAlbBVVaJH=aD{DS9#eI#uYaE?^H5t4fB%-7F7t zYJW`@C!G(GzyISFtGHcg={>8O+@S(5jmq=ZCC3$#@HnZb^?WNI3&#nzYj*PWmofwA zqmx?}QlWvntC8Ht>umg|y%9TaCLJ-q-R4~gFQTE@}$MaSZsFL`fn7dv)SZsB|PQ`=_lj%`YL z5vH1+s+}hcm${|i)eL&!_#tqX0IiprRdwmuzF$@P*;9JJ+aaamXA#96y=&n4zJ>dN-G&l8EzTxY)U9i7lJPiuuR;r=6EBFSQ*Y8;Ws2Vf4gA~VDV13iT zqqqz7GipNMGL5>894QiJHkA77>{_CgmObi7Qg7unFEeQl`gr9nDtE1zeX+x(7y(0VeqmMh9FJbDaQwQ$mV%E#3s9;mRER2b}+L3&=gx56Z01==_xf-3Aw8H%KazAh)0c0L5^$$OcDF0i^*-IUnzWn z#AN+Ar988@JohFT`o)aTke_kMlM=H-;2|c&-w^o|PWEyc{%IZ=N$*yM3#R$+jGcJ% zjFy|gtEzecz{v~XJbj4D?w8|2@heQ0`Ya1>OHc?ICYS-LyE>o9p zM+gG7at{gRjPFOhBvzGTbW(TA@6AeFF)gdO{-$~}G*;N6*~jAWRjxsR#~8VX1MqDx zwKD%g7ctb8{^r9(Uw)e3>pJCr+3w~Yj|{4_idnK4ZfWF>xaMaXbq${(L>2w?LI0QS z5TbD0kzsmdynR@6)>M=>3$hQAr-L)_3_8D~Re*>9*#_*))>VKA9vBh4j?7}5hlHE2 zex(Pu43Or=^I(Y`j0{8Br{TKF;_MgeF2Hf=@|j;*rr<<1e1q4vU$rQBm>aB8Ct;59 zTN^QN!{IHhRIv$ndtT;WXWvWd!B|*qHR2#VYQc=t!2~&(CHm27b@-qo(yL7NP3xY` ztKtvEx;J82w%=dJWN$7Z`(3(r3NnHU>nl{vdW?do(@(yM>t3{|a?QNAu=`kO%U0{< zZmgJ&=FD3E%-rxo(PmepN?F6rriDj_?DcVn{nt5T+vskS;-jD$1 zf5uqdes^?&o)eWn5?~RD>;0miGbEoOgZDi$fH_*i07J0-k&}yT$BCI?X|HF#?K@D| zn})1xSqOV|Irf=Ee7B1CIkV8}d3w&Z1sR6>TrZum@g@SV+f^s>Hj~8ns27DOMkRN+ zA1qS@Ej^0c%NhCXs}RKvMffCWnfX$kK7Vq@Xf@vz>DWlkzRW57^W+O4#e*AvG{j!1 zwfar?Z)XXdtfa6MS?_wQ&RX_y#&f#4@9C=cJjcm#4#7ZWg*}MdC^ogjhS*Mi^r?3) z6tPPMS60>lxk(L;b1%Ca;>0^}iPEdm?jsf}-?0dF48E&b4Q3^jaxQjCEZlx*wENlj zc!yaoC{mZsga@zrXn6;EC5SAwx~6JvC>OJl)Qm`SpfH7~Ku z^i}@Q5$_kM*O!uY`pS;&=ID?fg&j#Qdm@WgNL-X=8KuSu)2Sxs#zR|}OIPJOo)OPw 
zNLB(7@=-TQm>f5RT~u)0NXVbjxz*%;w^PTyzNzD`pcBCU2HCe4_9VbnM?8NB-Fp8-*zR127$fSuh=wF9olf)^m7bjcKz5SujX3sgwLR}P zxmk+W7(=4@l=t8n58mMUez@tmal3LZloKvfL4W$`TXzG#hAB~w+`CNmEYX+x*5P6{ zSG3<@u3D7{aD|c#E!|$eG~Cbq7XvYncG)=ZPe$&OM)&>T^7I z#!S9${I5ql?!YXTPN}G^$HGWzqim?b{0cc3ez5$Zb8$8G)MJ;=)M^DQJphVvU)On% zbH4!N?fXCA4f;>SU4f0oG1c1nJE+=u+UeS;m_w6F4RGyiTlM9wpn$G?TjBDYCMhxB z);|I_5<}-L1ek8AWUBhZW%0@OfLDR*W7rV#81IZm`Y;yM;Eq2!)T#xs~Q04Yy!qHnNZ9;oXr!Rxgro`!Ra_n!kjz{BPC6(vJ6yBi>TLeH67?=%<8`%D z%Wy*cfdwT5o4(P4t5Ol5Zdl30@XPi|cv7l?F&)QwJN0a@;cEpCX*L@Vy|Fy<=ha_9 zJ>Y^5HGKA(DA)5UpdFcHe?Nwx)M%_(9~K%!IhPp-7@bz+WUY=B4olP-?3la^sPGC1 z_%rfxj?E_Gr8{G(CjkRMprdZ>(8(tOvv-(n_c~K){I)jqD$d-I&#H?cfn3vJz(>3U zefNQ_I$N-bhw`tZFEU=BC7GO;O3c{Kx#-E{Fzs6Z0c%B7N0sV5KT4 zc_XOc<|R=pQS!<(=}pkh13{M=-@3apmwzR+O!k;L-FpNRu>Kmfo{<2<_Tm?8yNb2% z;A12`1bg^j|+tH)ukFbGN~0V6@a_BNe4^MJfd zTreRedQG)r0SU5)t|@_~KQoe=82Fs;fw8bLj!*w|>>j6APh=m;$EmWzO9NSZdhT}S zFuWdvDqxdQR+Hj6X}F{G8B7|jIHOk3?CfdWtZ3NkiR*m7b%pzRb+G$74^4%vMdZI!qa1rv=w_lfC zhBe22HgK4~pM}}9q`8q(!Sm|rdGd#!-?tu^_xybI_|}yUek%W~(kl1{mMv&ymh{@G z1floNuRM}tCZ#DVfUHD|>aFd+yQ*IZ6MTY~j3j_k)f0IY@Zi1IGny|7-1pP}P$29#%HM^F{T-k*q4H_wDoxqoU&S+XiM8*nDHFle~*Ez6{n#s;YD~?mO~~ zoho?#hth#(1>qH=l<>UJ-zl_u7c+6Rvil3TtRx@=W7X{Wcf#a{|r+{P;+ZtaP z_QO9ah5|XqaGD+ApNebOMvyik#CAxs#37*sW0!+l+a(E>F?PbqO?|Cq5+j?({KfsL zsyNkn!FsxX2mHU_HpBQl4tRYBwNr5fQM`8pxiZLKGQF&k!oL1-p6*fL?&P{cbBc*q z@f`x+8jW8~*p<7`fH)^Kewmjr*^)dK4YPRa2KRr9(B?bC%B#^MeiMH-6O832VsE~C zDEs5b{-F%-y;ECnaF-`k&^t{+N6?!i_XW7!R?7>pcrS!Y)mk`RRl4f5i52V_3*3>f z#?1+`F<7*)RnRb-e%92tToEH4V47 zwpIRq_5KFMV5PlPTD!kOpCH%fBiqGC%W554wl+KjCPwwo0X%QJ?F)f5sAT#T2mYt# zF;*yMdlwl|)((BtuA;Z6ekgw`V~U)H4+yY+k{BWC=BMcjYm{$rI8`ZL=+Ns8|HuGa zg`|Z%Ka0kB)?I(UF^->KD{qJadD^1k6Hk9evnxICKUi@mbE+jl)Mow3VU}2Zex2vn zzI#5QWr-!3^~3>1&i{#H^YH@=tRcRt;GzFk5d@gtZ79Sj3nUwLe*$dxU3f*Vgs>P-D z+9>4d&>jxO4S12^j(n;4@W`0i3E>^7(y;o1l2;I4_f#LsSR>2SHtSx&i>_DNG6H(% z;93CVhmJqBtp}HYsbKuhKybbf`wqf-dey>DXpI&s)7C z(7+|OnZ9s4`=)HOndW?^tpMTgVOOi~n3|NoYmU<^zG9lFc8r 
zU3=t$mDUC>^ti%h`Y08sPlL+9b9XBMR*Mv~a$Sza;hTV>ww(Dts{ zY*#+!q!nlOkRE@#LLbTF$QrCvRA)n9eqDrcuG*{OlXW^SRaRpox(Hh2H0_<;h-W+m zYZ>TEj>PAH+-n3^wL|?!EruL9(~Pkhp@AN_o*WYyXZyV*DT~v7+aJxR<&zLfBIVz^ z-g{>X+$t8=Gt1l5UxR9FqUZv)1s3n}EhJlxoD$>Iau2vc4SP=?FNCMkJ|hnlT!;GN z8At_TDOL!QblkNARmTRct=RZkS+id6dF||fB{wi*^mFt$sYzstkyNfm2N;NCoNEf| zf-h{we0W-w&Eoa~ccjtcM8Wd)@GT3mo{{X$ElwSU+glTl2H$pK!+PZBNLR*X*HoM9 zn1df()UX@l82W8Tf6)s17qJ54(GjX0^Q_c_n9&Tr-0V;0!9P^KU8UqvpKcx~SOZiF=#hN>p9rk8g6r)wP0$li8^ zhH3%fd?&_BlSFFn2q4c5KJ}j25+F3#p~?>?DM3}yp9 z?UtEqj;~%CD%%Q)Z8{gzVp-J&vgedSp_rqwJEGMqS6|jJw&R2pM68Zo6z6QS^i{=q zV}LGl`0ecEo^b);*z2H>jKOE*lb?RROEiAGVE5fyZ2ap(k_~aGYNfW0-a&IgO-|Bu zXw)YLM{4)IC{}}7^kbD=DFO2b#&@hNa&The*g5&F&qZBDA|aw88REc)@Ld>5 z!=SQW#O)uP6eZxJ6)eUy>~?0x5rOs8L2{!xmL)m8S*<0K4lQ5eY7L>5(Kwpa-Pz!- z-8aKFpUftU5fu)o^}2Va$P)e$4LpXLQqtTvv#)HI>!nUaaEVV|fS9TU^zxSB-Zn|3 z!?|Zi&xJlTZwh%oT-V8_NNy7Wb&PFL-h4(HDSbhkHe;)j`kRwNSdH(1$z zOMFf-u{*j=e7)N0VzcnW*h{#ke- zqp-xs0Slw&y>`vfO; z1|9@Uh`HhK&3lK^9}Lw!9FOkbx@7lpRc@I8t|7lL;&d4quKe7N4tfk)mVWFd}t4N>@E0zB64fz}~;5OtV=5(#9_y&eI?O$*l ziV!x07@YQ9rDx7jEgtphaxHTzx{@_%0^9E?&_5!^@QMSK#V1OL>IS zsrXCw55suOgiGkp62b;Ot>aChUQQ{W$FjYULq1b)t7f%#(W)(JxYVt+1f(ku-LkZE zGaot~mMHnH%SA6;z$)&Dok!m1^*6%oD$kLVm-bb0*hV02gG})A)T{5>>*QoRINiSw zpZXchFHOAmIpBgnBk3q~@pMjj;vTftCR6)j&Ur*s#V6ra3lHT(p7@s^p{LCL&(D@J zC|s<+`Kl?Q{UM|EBb{d_x$h`P-BJ{Lo;1LIzTnoK;|DaI&)s=;fboDX!-?BLS&O?U z`|UPwAD^Yva^JRcndx%q;}Uv3g@m&gk@afkB8jnu3y&YSsh;-g=n}p{Xtm>Vq5ewl z6eyk=6CP}rC)1m(^&*hIgi5Flfn4nrCyA#ecPe*jqS3zTc0_)X<8h?TX|&{4n4x*G zNldmTHt+6he_|`G<-kD4xja*r6Da1dc{6*$a%IF5wCFM^acn{t%fomgmn0F7G(h*$ zi~O7)S!uNc^+CeUX}!1OYL^Szn z7`rVYuw8TUm2D6@Z?4C(FV~#oX1-=b8{+Ht(fuvDTnZF6X`Mm%WRCqNkw_Jx^o~kf zOE7@ARx+7GZ`hi++ZsQJsUy~hp5(2=vZW0J{W88@8<>nsY7-JLv0 z6=Y%)W-Pa}i+nAGmm|)ToQ(YU0_mMs*reC5mq}J{5zW@V58BXIIAw3{sFCDjiJT~d zB017r%7ewNg%0O-oPR922}i(|ok|=MC%Qmx9+`4}jyCerN;Nc%0kqBA#fKuAI_*z6 zpD8-R&OU{%%x(cc-8o}v^oWaO(z;!?qe^HE56W!}kk8m#$L~#@G1IJ&-q23hz}gdf zS2ey``R($}oY{FOm>iHjNZo{scdb$$!yYwMO%=cK 
zeV?rN!7DfXL)e!)HF!y#8`G6+Xh@B)7@GT7RfWKmboo)MD&fc{d~F(1H1B=(NOD$+ zg6WXTX|x)l#aooz8*>Tm%lV)`+T5(rwFbQs@2rzFr%G6~VFF+HuSH(s1^ql2H-(5Um2M5O}@;5&% zN19mGeQ41zvkpV>7tV{Sh*f_Zd3|s*j}XGmht9^a9hYFP+1g>RJ{5(u8C#Gv^5~2t zf4i?MJxmpelp(7TqL4DYf*HC|nm$I6qdPrrzo6kF`9wblIOhw?y^7dd#+7@1No4e#{(-R>mLFCR46F*R zuzO9%wqdQd-Akml3Mj=R_vEsdLfSdcE47t(kV)*~RtZen?BBP^k18 z_(}?5Ln6s~Z{udzY^r5bwE7?7XZTHXI(S#K&^&+vW{JYx%aO=#<>v{?FjwRPt_V=) z#TcN+k=YhW&#I2?G(rA15AOU>M$64ukXygE*nIn--lp`RAuUlTT_iD`X(yV^bV{W$ zAgZ?crfe?09fATNlcK4(XtTc3K+(bXeu_=~#=Q#yRqM$HE31x`3~14m&N~1TZf&rX zPwrMd$2Z6+6=P4qVigNy4WM__(?ocKz;K@IDJkmY;6PBI}%)IejG9)nEAC=7U5S1B%41y*632?$^{4BC94vm z$R8jkE|Nz(!=fNHh0WMeTVN7J9c|*I#ffG3-Kfg!%Pqt>d_<*(bIe+-|2sK^RhRp@ z7H~R~3;OD`j5Npml;xp2FzKJT4tMnOkTP_2FMNRkZ&CrPN2?kgM?=2GZ`T^f-CI`M z#x^RKYV=E&dMj0Q>eL9DY)5U&Y0#pygja&d*;QYgpBoBIa*})675B#QHP?`Sm6ID8hBa7$v9BJ%;)=gem5xgo&$Jo(fNClLKHUg zLhn}Ml?W{@$wS}N_o2&TSbk&iKvhy(;Q1YBu;!$Yx3^$w;L7Gcod0QD%RArf>K#w& zF~{=$>_JRTrA~$Dy9^b}&-hM7PuNxDg4SPb=3sq)OC2z_;7=LFZLxggp zNsYY29#|S(h2c`)_UqV#iiAmW)dPHkxM*<>4ki~a>i^n5k+06&kB)G2HE4;wDJMDU zogEd-`Js$=W{K60??(+ADr|c#x@bDgcQ-Y;$+&-X75Wi_*liBU$|>X-OBJ%7AGz8d zimSn6f|WNZqRt25L%2w`IQ5XXhtZ;xCsgz`VGNquR3ETK4Lxp{`YwL-QuN@{up=w@ z(e7#Rlh`p)jAA5t!|pT;#J!f->+d2gU5RON{kE|IizUOp)BN^UXNlWe`|YM_UmG6U zf%bc47Z#5NN3od+8V8ah&GKkwD=mm;5!iN@#C!cVgNv2pQPgKG7Gu@7sL>JjPov29 z2~UjT680h7f+c}z9cDE-6!rq&AnDN<5a5+*Mi>?3yr`dJH%-6Y3ANB49mO_z&Tgz1 z2MC*&pu+AAJeFIr{I>Zq%Jjf1qsMQlp=(Ra1l0Q}-)q)n#Lcm!Nb<_cQ8RV~XZ-Q$ zuIun=Edalii5DJYV+Ke12F^w}n~oPOubH37KBa5SS)ya9-p`*NxZ65T%^^%|PZh1H za*ZCjXm@kz;`YXR?1|Eg6lJ*)HH(%~1b^zrNBX-H3uw-J_=&dR78Bd#cUKEyiw}09jlfK3AV8)U%ui1T{<+c}l*@+5UOF4#3QecFP z*2rR|3>T@!In=Deb5RP~zR2p?tXSZZp7)fSRN8n`|Cj4y;to zTDAW2k4z7E4q-*wIi58jwmj|6mj`Xj~tk920Q zl#Oh6p+#z|$kTF?G5J*$#Z*3XkFN;P^aNI!+SOb#UfY`%D{#;;WeWnv#*wu}bu$Rh z{?UQ&+D&wXDH+=B(eRO73wwL}1N^GTD}#sL+gC3%Dj8mOtFK%c9QMl68ord#tWQJf zc&4MH953Vg<2m3@JVnP!<_GJquVJ_(cKPISBT3?do!Zw{5xkh7-&m?W20Z z_W;o2OE}sf0od4NOR(slXki2F){TgtgPFF_+(CRJx%?}8u|in 
ze__^k2>~#dfNa$L_12F8K;|g&0G%qE-YE*3>dTh5HF-(5)t?9k$%WP)0 ztZ|<(*|aY|M^wkQhcYOU>3gA8Sz_4*lU610yiM3m(`3M^!>n|TIFo$vNmITHY43ym z8k7}owf5rRd#5l1gOU(`eMe5JT*iU-sLWi8GF>2toqcnScW!}$w14}cqmmAS2}fl@ ztEUQ~b>$3*YaHmdXPT;P8munW`y{3)ppxjMre6+}wj0&i$w@1f&ROt|`umm`9`N91 z@TU~KYuscex~q0@``gB8*mX zLq<5hX=~)k@rHfv&;O_Ist`yQTIUcKWRybRmcm|ZBM-^09DI<+j(|hQ__A=3pr#g9 z;Y&Jz679!-X}0sP;-3K9LM@JP1J18oJbz~r(+6@m^>hY*TAX9VNIX(@0Ua>|C^Cs= zF*US=p%@b?TAygf<5EAW8WaHqTO{j!(Pm7@7<_bIN$~&pB>~Y{zxvtQ>=YPW=Id3q)rjZ~FiteHcJ6^Bc%Ksh}AKrzXZu40;D8(zo$>##zvz?HcG z=Zc~DiS;zJ>qByjw9m|O>7WM5?CgHxmPX$ zJX`kYBwDhC8GK?KS`W!CN6aE-mzq|}YC_v(Puo=ElxlyjkR|t|%=}!(kDx`}*xuz` zhrxRJH}--4k_7Er&Er(vSLR z{XgwVuT2h?UFq>!sm(LC|9{!jeQy#Yu#K|+8XL6afE%5tnH-Wm4Ow|~dl z|3pT)nDi5?eifB&Y^g9C|KC3MKze(LQ?&X#RCU|n?`MSmkBIe^{~?K-=q;NHUpBV+ zeaIhu`@3Jic~jMMZ#ehX7mRVA=9YF`P}r6`fxmE3#B4c@d`0j0H69=j+I=AO`6pFz zSNrSQR(7K%wn`X+s!=w7z!YK^c!qW?jo(G^lEBU7<}WQ-g@H2f-Z~k-AKCPtpRU|m z;z}($x9$ECSM~Z5O(Gz1^2GPBhyNp2K)4xQMpYN8x;O}0cUKLL@&;-9(z`gdjUcU|B{v*5X*^SYow z*Y#xJyX~zyx>M=6QX%>^-m9ym+2!SD_!vf8Q>7#ALE7r{pQ*W zrwrI#%Pr4_rk+d1$jH>>V6h3h{h_f-qkfH%ULyBUYakJU*!Wgt+qOlV7J;Ug1PYD! 
zs=T0@iN0mTQhh;rO}by#EW&f(oQZyos>n&{o0j(-O`#=Unbk#pCZL^Nww(K4w}B84 zbEp{PDw6IhZ98t3F@O+23K%{R0{nFn&an9p>g$b-1!awiEp0KhD6)PhLSaH@y~);i zTqrX*jh7`o(6m_N0~;kzA-PShvCFo_Hm1}C_DJ=tYN)&{tpDsKfQ(E_ocKt)5-NV{ zb5ZK5;JDr4aOgK?B)9h2hJ5eicFILeP0bns6aLKD$mqqfU646B=ZeHySPJ@%LfI+a zgmUf6e0y`5SY61-!*6v&qjbKgikGC+R&|blZ!B?>;*-4p(a6aN_EoSL&&C_FkO-_5(N_qW9u_8LrWHSB%%y!CL>Dg&Dp#8q8k7#;RQs@2qTZPP#;*0W z7;TPWHOylSHy6*OYn5642iNE#$TD!K)REUdbpDuwm7Vq}P%)QQc z&3emfx4uwxVk(?Nrs?%C|BEyapZ5FItwxph?;t}Q?bFnmGnVZS1ecAX7t;>-?zPEz zE#+&5{CpXt;Pcsk%CK(w)5nC%MTFaDhTVL|<#@c4M-W&Pu{uAeuo=k(0%ekAxHSd{ zyL|X$^ra`@H^C1Kt}@zGQ#qt*im-ddnETF;7T&HqINMY3C^y%P&t9k{!jhq zigct_7E?!k+HVS$?|?K@%6!>EXVIYEdX0jl;nA_Z8@dH&b&%)EE?TN@_Eq`Ghz~6( zV01mk>((1})lTtx%>+)FPo}vT*YrazQ@u)0mYJ{swK5WnPOBur`p`(hV5>N@V?+*@ z9PQOk&6TQ}c7D=QIsi`u;MQ$&p!6^>-_|mh9dF)-RW{>8yxL5T-Av_Dz+>RBiLm6p zvXC)BY?;_iXHN1x45>|IcTMP=+&jZAd8rYpprBrFh17jR1{O{Wf<~jUwu?ENwHgY3 z6CAT+MW)hj1tzx!^W{KR^mEk%W2aFb+4(BpBq0mqz~wfFO8bw#i)G1J<*n9O%w>(9 z;9b8Dp*wYnXZ=Sd#8+>9+}T$fk>!i5I-ki0^*j?Rms>?4u$*T%zO;fPFjJTkM*Ru& zQeQjH`jaQq_5z?qYjjmA{_i$N+`JdQhPDb-chFvk^abCXOraTjma1oeW}D3Ev-ACK zk)n1x78Uo7#%EpRRVK6~kCvUjZ+R& z?1KussnPWl;*fj=eocPzXy0}y9z*z!_U0owy%`bgG<{G-{bgFl+4YlzwM#^OKbygo%}H(S)<1AZz3Y}jt`b%j}%%!E;8;#NFzuI8BY(H?)q|CKy zM1J=Lp7$#3@LU&7he+u~Su<;+diiB9_IQR5wz#`8?~fg#L;@FO zn&VU>PQi_c$88Z&nggpVUVH?n8vhJAl12{y-r{Z6pLI;hi|GCu8NyaWlRgA}63B#( z)_JvT!-XPH9{TG4mLq#`xC#O)ApniGxBEBi=@AbuiO-ME((G%lC^_OI?RI%?2w27C zcimHJY8>a8DOxm-7+ZLL@L|r&((FGxTkh?rGcx`@L-z#UO1MO`zq$TM7+=x1Puo;% zS-L~M1IiUHCIZR6P~JKA^ETDaZ&P1HlD84W^)zq3KEN@rj!UP?ATE8o6LJl zrDy|#6Y|bYN72s87G^ctPBq)6J&Fc%nN$nZ`^#d%@HQV?tua8N!fxrc_xel)aM@Fcv^xELFmO1;1}TBg2ssKEze$3MrCE)+G0MV-5AjP-uJ z`+d@X=-pd7NY}XECAMija4vV@#<7}ikicIhB*$mi<=mi>Pg{M5M_T9ax5n-`*${Um z%MKnymp$#1yzoD}i<3MgC&wMl?)b|*HRGL?n!&AImBGW>XEW6-R#%;n)3aq9846!J z@}FCH?nUsQXoA#;*w}nC@2J4=5eey&Jjb=Zl8_;`1QJoI|H$U7(X05e;SDa*rMHBL z=l`Qi{p~~J_9&DxgMYn*+-So$4y${=ee3jew{^xYWJn1b+WUFPTPx-8yXjT>9q;O5 
z*Iv`3GL8=ne9n#EhMYaVF$9AOMPPow_EL6X;JCKul!sjIMNp!9DB*Skgc7)S!h^7p zB!h7D-<-7uMMCepRsGYZUl*bjzHd}5-iv*kap*d<;B8O8Q_H!oF(R;zt=W#lEjJ@( ztMqjSku}7}OX3GwnciBJ810g4Te>Q=1R<%rjYqq3O32dSLZR!lDgpCBj(YmtmQEEe zM(@A%3eIN*W;fT?2VN#I4f-VH9otJI*M{qH#lQeL{;ul%88-reR*(5p;kCmFwHLs@CUu{1@HUFRpZi9fnMPEK{>I&ZOtXQ#34y zSX5-sNceMCa#r5K%1Y?R2NswgOzY9~bG6+)MQ0=LBjC$s<0plZ^;gGm-ADx5(Ec$< z3H?XZDPtaUiW#lrx%REs$L4n?;yzy%T^@)!_o2^&7cl~dj^{6j4*J744Za(l$wN|a zv&0RB1C_GO7FB$ZavIK--2S_(z38sxX<#GYG#Fw$45zy+d87NTybORTlKZ#l633CR z9{vK)FXg}NBm<(?hP%pLY&5YEuo{>670p8b3TMmeB$_~d_Kdx#r3;`e`F_|n)BQo< zk|)CAdsRZ{&fJ0WKL z!FyKWo%intsfoC^U>*VXYi_@MOslmIO&|8+AyB;$c#_;cko^j^28D25=bVT8s5C(C zBB3o@FcaV?b9r*k?U4Jv)Bc2VPOeBpN<4nJ31mn9aa-87rJ<44)Lc+4K7h3W#J{Qo z1_vl;VnJ#_G?l|x6;NJnvY{7`ze|~7Hy$@kL5b$81sR^6f571%C~R3Uv1`|&49fjg zX$BF)Kc6H(5r8Hx-kzZB1Be3oc!H$HgoXi_Q35exwN!_sU9|{*%B343^3Yp4shLma zK||9eo*z3twvF@u4t~^{RsXHXI*8dDi@L*HF<_yih=7S)|u7aE}XVY$hkt>15NTFHozSm+49^>ux2?>D} z%Fv0b_2;S#2rpTd|6jZ~G%(sT$7)A1kjp^=uivJbAwZ z5B%*=OSp(B(e<&VZB(;<#PksM^@v$;{;->aW01lkzkOrxr0UFPd54pBDg;)|@!Tt& zlfCsfuM&y`NQ&cP+rKIk??BF1ugL?Xa&H&``9PtKqj!3{_}V-@O6Z`Cp+m+pn&0B~ zVQl9#p1OUQ-W-Yc=i8d|>O;>+uN2;zux}$e-A#}{SFJVUtfUOjj)$)IfTF1m3*N0O zUsLo$uDaZ2&_mOu{Nc=@r8s0s>XoM6Hkrk5#U`Q={eilH#`H8O@lC{x;*(>6#0KGA z6ut1uk?%rHvexP;%TCZ;A-FDUvN!P>0n*c}0MwrB#G_ZaIKcn55m>t ziBEmtq{COvn77^#Z0cLVwWsa(ELzqGF9Q|hrUhL5*O#6-Pc$C(&|#AteOqvqt7Cji zn@Jfpr$wyyF4Q9#CgPCmbu^>9-8%B!QtY=tCxV2@A?SvKTTR7U-!MOc8C6rsr-^94 zStt_^2Xh>IJl(VaCJ>>LKiE9<0VRb4Kw`+YmaRU5Xa!`4z{+QF{Zp*tCF8DAXlzcd zQ(?eO6}@0Wx&5cr)2mkz#CRKDsnr<|$?#T*8=}d^{+**W-7WE>n!Bqi!Kd8chH?Z} zLHc7lgw_3&%-w<{QQXD6Ln#48OMY0Aw#-^gMMYf3S_`JuBpO*CJqmc1m$a?_YYO@d z$ljdMx&vM`+6VH=0HXGXP|1QIa%L3mIq_99<c49>oZF= z>vQFXF?`!gXyp1wPbczTBjzb2c3*o)^bx)+@R(xVwr=8(vy3A>_;oa&Tdqz`@O0p1?5c#n;;2`DX=c=Djvn75^V zw*40ctKtr0LVpj|BmNDsq(QzMjbt`aPpPP{+Oz0?%QuW2DV&B{JP}yqecwIHMvrFjo`#el$%E|5v~Pmd=mN7}#nC{&s&!>go893> z#?UOnro-^-uCoEw0h``Sa`ZYe(RIjRAT+Hc&%4^I{(&{q4QZn>03{2+r9)QmNA_dXEQJ 
zwn`pTOUEW;^;th;L%2P>;~uK#mGb%*+kW(=wL`3*Z_{CahfMGcFkrcriy z>Qowa4U)QSbJQoW)NN&VlNR!RXAVu?oLN6_HMg@^Qqp4ceS8zh2371)yI(krBWi zbQ1P8`6ghSl1)o!0V%)Z>(1XT*2e{`0?Mzc9%bj#cn<+Rhra9@tzU3##S0~NGhD$n z@*J{zTHdPoM!gPBTQ%%t4Ac6!1*&AB7jo-7ChzbSib%G|{stSB?x&c1c0QJ))yk!d zMX7H~-$mp!?0A&v?`%KJc=Sco)z&sk>c$?+A#{60Y=OauJ6xRlrb?FuoEn&Ev6Z+H{&W(d zw-OyK=y9$=J$Sh`TREAthTi2O?JBcseu=mU=jl*A?(j{IaMc*83JRf-uq8xaoE==@ zp0S+5r_D!@HIOf zAzhjMc3maL3EvI^u88!cq*d6yYLx2|iBcoRtfURipGLSv2uA^ac|_H9mbAEaii@2c zVzc>m`8-;N$cvVp=4O?0jx{hciZ{U-F0uk+Y2u(B}9UP$PBqnouE~!X$`Yk+fS{X{ls-kX2VxxeT_=yg1_}W@N z{^3HmQ;{xQ5LdyPTZK?%tbY0LW2%YEf`AXh3=lt;EB^oBZ*=13!# zvshAYW~bfr)BZH-eaf>o195vndD)-gp|6nDz0CFYVq zDP$nmbu>S4?bO#$NeNd4iwiYPFOJ9^G>}<6zmJ$(DO0`VYiJt>H>AErlauC>aEo3= ztoQND+TQjlD~~!VNT8YOL?@YY3G6Wil&-^j!ZYS50IBoGC$<~ zVywP?ejx#q!!Pn*_e)S~$$KKKk#_QNcr_U!nM2n0Od-Y}zR*J{ctWwArRVhE*azKeXB+bLv8}_}% z2Yt#K1%d><%Y6oJCm%o?f6C?j{2hl`p4ct&Uo$J{HskL}$JUTdrGO{gRqmxVCY!UI zh3y14l;JUAUTvZWW%QQXD%o_5Ls_|vkJf0EE_8OYK3Wn!v6&IhCJvRa`{-J?Lc|Fj zd9<;0+YZ;YQQA4L9>#`?QRINdBa%S!vw-*^(ijT)Pt`fTWNaCD+ilqyN!WRDC z0vq0XHFkLhMut?VX`IYt;9!Lty^Vb2@dI5~Vb)TICkkNB663k>yF<)a!&P^9t;(iu z?f{>am0?l#&oMW>Ca51n>(Y+DtEjgX7WZ;Gd9bf2)e_yGN@@$wNx$pSC7utG!Oa4? z_u8YS`*+8kD~}bvT-@ik<{Q#lNl5(|5lhwo#Uzq^VWEn=B18SL%IQhIKyC@FeD(wIk{Jz-}^@+WvnI<&x9f4OLVj>32#a1CY! 
zR9~jJ4Q5QDerl@~YKu=B_7y+T-s8*V!F4MHxLc`0;KR)bJ0y$_v*^`5*>dA4 zSt1dkk}V{JC}f*SS+Zwu3?7m#*|H9yl4PB-W|ub1FqJ)w3M1=aFpc$h9_9V+^Zvd+ z-|PBbzy5G_@jT}_=f3ZAZ|8O2hjEIg^)NMLq2)0`uP`j$hb0j5NvRZSC9&i0;H%&D zuL@{jGcK7Qp4TKORaaQw#CS`B8>HMo0brdBWqS5UBC2*o?Zcc)J(KT`p@4?rgC5$A z1LpMed+EKRd@!{c3*A$f*|I_r0R}EY%+mbRtY;wr)C%X6=6B&W5K{zh?T<=zQkKjS zdf>VW0(JQfvKB?T5l&XEE5T`DCY?i*Ru?7n9U~QI0f4D)mJhlW zf{W-gOUG*-p*K?H$3Q~NG&3^cg(eBFP@7FrmgYyQ2sj;ilB~WIw_%L3nObC_Y&ZDtaYWxiK%bKj-xV6u{6`Q}NZwve;bY z(4;@nF~)y*KAzxI%&9z>f%18%sm;WLDw%xmqm=|7rVO9=oq&*y_!@M51+{=d zg5uj{*@~CE`qNaeG!Z}ACqr(#QD?IVG!;05>P%v<_uy=VT56P_*R>S`;^Uy|hTH7) zqroQ)8MIqI0>8cd7T9C=eYUBC--ZJrI7ZRdo3~$_w!smz=iw*@1Thain9`HDxCW{_ zddXKP*X>BPIvK%9J%W^PE>$mNDC4gqlv;`Y*K5(eHDBBxD~(&-S308S`V!#pO$k&| zFnD1>301q=NZ!S0WldBpBCNf;mYZ*m>6@4)ie17>qrLQ>$CyQ9_uU>M;aJfmQ(NSZ zHXB=|e(L`0&uZ|N)A@VLfiqE2o}>2KU+hSiA3WPT73#CRLz=7~h@myU;l#Lp>Pu-c z2i_e2!86d`;;cftk#IlZH`5pOvBD@dxU5Gbh9Oz4`e= zzs-F3Za|y!%@?#T$I=pxNN*p2O|iAocKO4);k#h6iEZl24YFlfKYe<%$xoYuC)h=R zG8Rw!LP&xxq?J4Gh%O2ZJs%gk9YBD*Ub`QVlWQtsTpUrPoOoqoe+~r#$WNz1!On)0 z@-N>6nrXo+Uo9%HSHDKg98`V){lt6>*;#jZ1Dv!Mp7X^`CkKAN4kg{66P~}PF)IL? 
zM_5sFM-6U-Rw@mm+um5@w;x$E-KXjW~p6_l&OuFQU4aTa#%JMbO`m?tMns!abwT>xnY%KTP zF#s~6sW1B{#it-MX3)5ux0PV!t=g#UR9l;-p-z;ml>(wV)Dqfk}6X41tG*{2# zkGaSzuhnt8{l>LSMaENX%qx0vR795brNNJkn_vQj|NPdwpM7tT#DF&?FY_RrKFAZe zM_Hr0H@&I*O!&Vl9y;KP2k0Lq595vU2!t56zW7RAdwtC0M<`ABWevI0n^2X1XQ{S( zoZ!3tax%}-#5d_hwj1iL_oJ)b3ig=PDp=@5Q`5hLP^<~{p(dlX`*8N4M8Mz_8*a~K zenM@Dd2=sFcHlySCF4xVwSvH*z-sjwp*uc65Jnw{n|bAZ^8)N5_sl}>23sivR$22>uhp8w-*&ABaK|zH61`V zjNl`uTT$~5;j8;7iEhfnRa0%|4`=ZBG<)Mp zA5i_4CnFP4ipzz39M5}itl}=P#A*Sh2U)|~+whS@6KZCYGVAVgJ zfEsJ|D4Ahbv9=gR+@$k;@xBvpTKrx%PAbZ%ExcL%i0uhL^^GACFJJ6iF{a$DBtFG2 zpP=@o4kI3usH-GP1JIb53l*?ZI~wuRk{oT|6kP+b!Os~qHZ>1$njhF8v|cU0kd!!v zz);h)Oz0t{#Bht^_1EbQ%Wu6@Op)UGJQ zPs;F$IZz)~HO*!6F8bv;bBBBO=DE^HCvmoDH1*7fD*A)kQI@!GDrZCi^@7D+`70k*F^sjuzODqUXT9JLxP9P+Tse_mfbc=Fp?dPeg=u_i&-uKc-UKU;$S zDd$I*W0w6m>b=LqusNB2&jg=n9z+#DaAH2)u~Rk0Oa=H$sT3K@u!>rTP-Njp!%R5b z?iCAIZSNkdZXm1ZQ)!ZU2Z`i@=MM+gqX7*~vO?k}A8~QfjN5Xd$b~m^c`agtB{~=V zK?%estxb)8VRz7xrj@Uegd~vp@hYjEa@cOD{7$me4x~1-ph-+OcE5*Y&SG2i#393* zB=z+VPfQ4fsk}8gSTD)hm?}F25}Ulvy`;|uijb;b4~*`6ZX`%t-#H4hwdv`POe}`M ze_~GSmAIxJu&yh8>9CyV&L7Bqp43?{_`z?zr=LfB3C}63mS4vudAhnV-fVo9d`c4QQxV_Xjh-BnQkqT?tPtijQ8J-Tb1hjI;VI=){F2D zLcGG&oSRb0UA0qIyllIUP7;LbeYMhk-X8`I#sa@&ZH-=Q>8l}<0-gRU0CXeCb5M4wOC>sGJvan81KB1cHlS(XV3*D>i zs)K}at1@a(zSxAwix8qk97ybo(fjZRv$lG67aA8=A~9qBUmub?F#&dMcfUO(f4hTz z1`!qL-qf_nX5yF2+E>Y_#})OQ%jv*7)hR#$S7tLhj%C0|GEOJmPB*E$OwO8@$4{zX z^0QV7XRl||3EVpK*^7>d4@1OCppA685tchxgO+3+vy1Z%-%9x%8^!F6L)DjP%quxy z@o4@R_LVph3URBb7le|aENubFK!hAwBsC!HdX?SMn>PHiGxH^{i9&{eQK#Dz-jbiX zS7(oFQI-5eJp&5@dd8Hh&#zv5nE_7Xj+rhcmK@d}y^EnW^c|Ji7E8lFO^pUU{H&O) zjYzdJ52sh-tX^qIWKAfKatEg!^fPgqJSS86?!6&UlZMaTpeTOes98$8f`(IR>kr|A z`mV#${NA?2Rqe~QPjtxGHh|kw>+h#()M2cQKi?0&z*{)X7~>&&CBA09TxF+LxYE`l@6euC4*GX1$xs&TI_9U)14TC^_N0V zxV8gg*>&u)bf&9oWx&<(#EbQB2IhCZbRa)>Jb$LuxUVt+U!DEAmTHmc2F`CF>NLhg zxtjb9t$y&{m|FX5F$W^;@6i*5CJS2r^T$v}K_!`R z(+AV~bda?x^yA7A6P3=)^Zd*MGDKoqtRW?_*Ym&{g8ChaPC+=^8ivn5)1P11p`8!I z6@8W$J&cvOC@$_^+uyxrtmDc=@-v 
zL0~WC*B~*oDJ766cm=QFY1U@Z4Ym=X6s5+?RF;u6+ z=o?7y^4f-xXLuk5@`JyR?TJ73sgR<+AK3@e*Pg&3|15K}Zndcf1wAv3YT9yptWO5H z+{tg319)DG zEooxHIBb7sN#<>%^6>$Us>N}Rt95z)8rOJss0c{Fu_k6S297-pfw|m!VE7M5OI6aYpd&lM0zJ4vp5r(iWqkW1`S_oV5Tx{PgA?ek zo;w97=iNAVg5w@gw4nrz@thnCuqK{uFE~F;SL1mwklUNL1g~`LXp2o0yi}R!|F%>R zm2HeELpcus46d9auR&JgDL8nG&rqdIX@X*zRtI%k5(YyU@5vctpAiI5hk3W4{~Qk5 zl$DJr@88A?55^OGONd!?&z{pmE5=KVeFGk)2B_2n;PapZA* zTXI*S8O};%S8NL_$u4*gV|K{?v!e@@bFX#l1&h^ zMM=}@^wSghWC!wXa{SBV$6MuP&6z*Vas0g9l_NbGRoO6 zz4u~MehdeVe`miTI4 zb#&ssZ^KzzuFB)7Jr$9Y=xfPR$;lSmF_Jv#oh)&v{M*bK*I=>_Z>B7OGkB`G=6zmL zKf%|rQlTYqX3{n3>to$iw(Mn{@&(HsnP#;H9y z?@?0L%fa|QVGA=q>$;OJ7Ks7y=)9ZB33&9Dn)ms7mB=dV!UFTY*u&pv$F-~Pb$!lu z)cCGfC>i?X!O}L0iO$sLvSPQbhDc~<^$VK=e<5P+N4Pv`UxM&qt(Q=^LzIybUFT*v zYe3-I6j&gyCHNdB8B1_0{4t=SB~)bDIWY2caqPLUWb2Fn{osb4s-h3N4>Z;gW(Mw~ zLnu6>LnYSOp3LBRVkDvQwH=}=Cyy-bDsGQMmtWb#fs~Za{K@$l?)3gQ#$f~uoE-1{ zvx*2U>YC29owe^2>t(bLC7%#F#2y`Z=9uS%|56Jp;}pjA;^frht01*-exBw zFtafJ<*9A7H{5?%Gzws?_RAN6!*fGzU@IW|>tlNvq*cHHxypmF!{C^63pePp^9{VO z68P&L;#hh>;~ft!aKnRgssex(s6+=CgZVwzY?W3|KMP~OAP!``5R;9Bi#1ok!S?-~ zaQ|BXv)T?+A}65IPZA15R9Jr2psZAY<@8Dj)nlfkOo%T~57PwJm5TAd*b1broEs`kU@_V4?5@ z&MH-akz*|)wLszo*wule7B~k3o0>Sm12Ty&XIO%+z&0^a@61-10m7#&8bx7YF9XYuo}ef$DoJo^Co4?yp@_6P-2A82gBR7rS>( zV3nZ`QGCwKwM%R1V6Fa=f@5x2Q;pDzy8!d}0JM_;MbtNC83Y9GfJ+BB@qZuH?k8;j zEXGvI{^wDx+4F79*u5D20M@ZB0Fwg9;T>eIHPkaQ9b@l>-Wh!94HgiR%S86|2$wRGhsDem#R3ocMzJ)Xq8B-#HER z@kY)+_Aq$q-UBTYf!Gt^e`ohZLvXE8Y2FCf0G~Ym;l0EcsR-Nv@81>%i7`9GO(Ptv z*hfLGc~h~&E}^hxkji_&=-G>>eigMQ0kP90Z250`=+>_?HVFX4jmg*w{lne$+(yp> zG)S`iH*s#sD!Ba#oq1t2mG!e#$zsTX9#I%n{M2ZoakiyT$00aS5iG{D z{2xx}*bWA1xM`AW;~=Ot&Ar*Dea6T~^y=&v*@>r5@+_|nDXrgr3C$0b#DF?e*%!w^ z9qV?OrpNv^(SOpku7+8@)^F|ip%CaOl6Ky~Q5F91&;R=2IM7YvS@}GiTpZ>6SF%B% z2Itf-IK2}5@rVEQ;{ciidYF9HgvoaKzf$d2!Riv=$0v_J&a`1?bd#NPfSr<(t`0hI zVmOc; z?3s7`*s9n^)@s*1`(l7fWC4rv75?`%fz6YKh~_6Cz~1Bp@+X;rfv7wFot7VDzJUz_ z>ZQ#xz>E|b|DDG%c3_{v4N1z*!rx{6JL~vAHm&X4T+g2PkurH?B4`w(1>i)ON6g`n 
zArdK>Rm5|2dGfRhz$;y%H{-2~X!5&lOw;~%QP|kqt;0eE`0nG_M3zw2B!B`s0fUSmCcGkDJyz;7{3>_M^*jFVneFwBm>XG)?EuD$E(r&;6 zsR--@Gv6uH0t}`bF!Uczh#v;HftsEK+9ndYf3ApcN59v4I-G((Z^j&mA0;S*(1g6} zzmm>0359JEv(Erv3A@~t)Fs)rol6FqeBw|oSIECNtwYeddF#YudH!t}dQw$|3tiLjmEwyy_T75Yvb=E_Gt z9=tSVA~UZhSufh{x}eax*p}|d%a>g)nUPh0D<5#gbn|Ets6Pt-AhPQiN=QTTiTKEo zTkQ~M9CFt&yQq$BL9WbKyax1r*ME%k9R5e=l)>XCsPQy}Vud>c!oMH=Ch>^)Y^Id= z6VIaQV*t&$AaD(o1a7qGtJI5FLB_fR6z#BaMoRn!UNRFi-{0^i-E*avX6yQu(UDc%9_D={!;7 zbLF#O&z=JRZ}(5$0|z??>^rM&)j%oPW!F3!@gUD)u0#2VWJ`Vt?Q0+YSaA+FIY3{y ze|SKK%;h9O(4Kb8b9BFs<=cN-IY5RweOnTLyRP}Q-!$VkF$5^2qncX|`9FGuy^LEq zO(&_9RafJzv7xYFr%grR9Z(OPBFRM>!T^^AVCSRRPn^Zat_(be1k%bJyRa_o=+|h0K!103z)&|jBuJjgkO(Y6U!l+%D0~r94nsJ+~DN$wuT2I&# zCDy7WT&&~)*e5$M;L)R{<*_@owhVs&v=ppcnF7^;gopcK*Gokp8%!fXILU?Q5SYd< zZT{hdiP-&R+Z0>}*EB^wa95G?sdsZvZn$T_XX0UE zZ-O<+*)yL-DFNtKu5ADZ;9FTqO>_?_GLj|}lc$LQ?O@vJB-~eRhbU83q`Sl~+s6l* z8-B^eQpwQ7&uK*pwwC5F{Z$Ece!)_gL6hJe) zvuX^$PUPMYh?2$%Eo3l~IlR8F5CVLk;n%1Iply=At4aTSGi97WbYxTd$_|c@dxu|~ z7gz^OK0qQ*wsC;X($=Wd{@I zMrw+6Xnf)^wn!n0uI){zImG#3(yP}tF7RNKXA(W_iwoI zn*2QfV;-RJ>8#HdhI@c^+*`!;4K|fAEGx07_wWzvjA}Z14KP$>ASfse(*UqIcrKtx z5xBAS0q8I&0D(9}iJ^^OSvT~d`z2D(3%ruY(VRDjz^4zXa*4jj|4!_|t3L%s+)mFh z2fV;)>9gQBAW~CWy0z(C{>26Xu-J`qq6Qdcro^{t6#rvsFYp=WTj{|yci^vrpk>*H zO9=}(i2hE1AD}Ae_(sVI?eMjcqnobGUzFVV0{3P-2gZ02zVUq!VXA|K{62oLEdv!P zlbF%9z(CN2gWvzGl*}J;xe*(JP!HNjqKV!CQ7OYQTT<4W!vGoskMt`D(gsO0kY~$| z;w{pKgG^sr%%4-;2#~J9r9{*8o1rP#ELOV#niAe9zhcSk-S8u{&*xc9vO(DtzhVjg zFTsHOAIZQ{B_%_^|IN-wkPZ85Md0ldbU~jt9`Umm49ouvBIlS4Q!w2Pum11preLT- zaDxnWxq{@p=*0WGLA-U3bOZf^lPav(Lb?$^riX zfg&A4iv}2-+kPC56zPIGfS_E?ynbe1kczP#Nl;+O5Eefec)pYUmmmfn0{K@s@v0>R zh?{7ieHjQR3y6ly*_Djobiv=j=Lw(*;bt%JXEvmJgG&wU0H4o(q46m|_-D41em?pa zvOP2Jm&&&U0_HgqPfP*P9_Vj#68`XpQi2B(xCQ|{k1Nv=D?>P#voRY3`2UZ0z$<(2 z>UVBD5ep}FtLC&^@nBkTx1+yAbYlrpAmI&Xy5ZzYj&z|Xh{|umK>EEr^%OJ1>Pdo+bfXpJl z&j)^W7K#8R6~Fc21_yV7-~!~KFN%TTb1#aggA@krLl54W$=$#4z-Pb{eG{dzC{sXc z(DDhsZf`^7!eT=Q(T4(61v2`=iD1=No+au5$&dg-;;Q=d3Y>1BqaOn^%n{F=e-FAT 
z!VQgJ(b;4;n4lV92RLhp*9NN=YuC;JjNc20Q6b=$w{gvIkSCa7d!oMY4bTn@?xzGV zYD1C2`Tz=7|60E`Q9oQcnz2Wy*mT{g|CIqK-H-R$S-HlxPfF#PUiuEUP1OTl{eubu z9t?7QPBIupbh%U2*fY#Tb;TQT>!c=MaW2H^JTZCpa1D1|TXIA1FefDA4Y!k9Mn*5TA zb&(*0;SNZFQ^lOw;1npA%=|ulesaGw|L$uo$2CcplP*<(oJc9a@z%Y&tg;n;>PTAP z0~$eT`F`#9X1y#Zu}hF*{6bjnxicn{@@{YsE;JMf{+Q6m5?}7#(&Dg0*2CcM9N=2l zKoxJM=fUK?$F720k;uqn^gVpo`NW7jayD!ERj9eoniVZwmP@vGgwpSV)qjaBKm z_d8AxD~y`kOM%R=xGKCOtULsz*maJ9;DYMaUZu3O+Vw+qL(vfFAA70dJ%IJ)bj~< zdV)#*R0hA9xpY(L3E~D0?G$WauyN5BNLJLKp4mr)<8y@KZ9yNuv~L$UfkSp0*8g8E z4pCm;7lmsD8uo9I6=2aHgu_bvl*}J5fb!o^x!IsN+S{Cu zHyL9gRMshGu%(WGP09c8$nR>CElgJhAK4Dq|NPEkODf#0=W@+jsj{-yU}%! z+H(V-aYj2vAPnjNc@CF>iDK60aFW^Jw&(vjk?y@gBV{<7A78EJK2s!58}%!W9H({P zhnk~qK&}rcVQboLl|OhZ7naP^RtAjC!_(lz;w@qX^MJimkt_?9)Yr4elR@ghng=M{ineW&#T zSZ^~@z1d1)Nk^TBu2;N2dB;NzN<87L>2Za1>0Zb$vNfG&<%vZ~n_o2%$e^`r~?yU1&m<5Q?wO&jxgeb+Yf7R5KH7zH%u}WvQzPyKL z96k6SB8jZ>%)Me{WSSq`0Q=@5GOp!jQTV>YX#=mUSaSgcVFXIW5L~=}RKoL#+4{e) z5?6vJvH%1CA#FKACb9?sZzno9Pzwg=AL99W_cAa9DiLMWJ#U9h$V^|AnM;CGjJH63 zIHT=$9J#hgSISO2Ik+ zTxe%#@VeTgP*v|HPz#SEN;;gZi5yoOfm(P8oD9aC?SJs#dF>n$T9uXlZ`us{Pj&Wx zn8&+&T%U_96&$_TPho%(wI;P1gYKK=))6dQnBKx}=0l!8*!gI&1#3~sfvGrusuC!_ zVN%<9oHK3(2l4AaaIWZicfLJ>8R*|fN9d8*HElVkn-XDuqbm=J*s5+WnNyzXSL`_L z6jONT-rm*avGyEX_-?`BcihNhx1D?3X?FxD8abgXuyIQP$-=Z7nDPrveqW^b7b*kW zgyZ6G%I6u^GPjUiz%1iA`LgYh}1K4g1?4u^>rXRsv_6yCt( zHa9h_K&&^Bh0l@UIEH31dq>apQdx7Fu<*!>)WObF}&XHp0EvCb{{!LDuk-$m80QbiPT+ z4X@mWtcRQ8+In7ny~Co8Te-`;=i$o}zVkOLe}0cVlwv>+m=yeu(6oD1uUXWx3P|DG zxCT3%5|nV71*u75ITB{G=*C-F$_&(l#Fhm;T59V4v5${~DK0c2oumsDE(6vBRbIu{ z-|ZMBcXoE>PAMP6>0cXZN&K9x!#&pXGV6H-uODqBx%k~)^QNVRiEJRjNyjb4fTKij zbsh*DkM7xlP?btQq&~2O27^ z4f!u$TD=JszA^Mb=XhK`w(g8+`r|Tq$loxMKeQRF%%rqcT8q7>zI2}csRwmjoCLQ? 
z*_5=($^05lvB%(snse>P%zO8C*uC3c0?jqIWRGOjNyP0f933w38fD$1y2F3qJXch;9F@S&R|G1nbSvzky%HW~I{*ht6=Nk6x4Y(T#4-41?aP9qTp1+C7MeneEaa4J|vfu5) z!O5`lbEhg*c@6*vvJg0s0ZuP4Db1kJay6@i;wwcc|bB6fm(+amI}R{4eoY z-EF)2^xiq)!%s-B$}DVgCYM*dP}`ppKU0|KbJcnu=6`ATyekN z=)GRe`8=rj}0R{2KNu9^#iP@lCToXZGq4~B2{dzdiNsXm?YNnxEdo{yocmj%_VYs zeFA%%tl7Qo89(0$yY&}84IWe+DS9yBUJ`z|(FJ8RH4gP*T|tBN?&ue%#k1K0E)w{c z@*nWuy8R)rT35~*F>8FT{@U7|Cw)%Ru2lzJ*Cr%*?Qt^wFecw+M!waLJZ+NrIZ)*q7cUoILd_0; zAw0z;yFmSvyjpbRam?pv!=g@UtQ~G)aNuENC61-+wYkX&HXLNJupian#{crNL~xljut2AR7`a_zGi#uV_qY4q8Ede}#D_K8WadY{uQes)*z`2z zgO>P)-eVP6pB#{A%9KS7zaRNpC90o%|GmgnKjya@q)up(s(5SgQptN?IZ#r7bZvO~lMzmo1tGW>9> zyD&*dnewwk*ef@XX5F;vVWd~Mvj^NeRO$VEDPXQ7-umY@!QoXZ(PwEg{j{RT48a4J zNxjf$^b?1!Ieji!L9c4?fKPK8o;+KDO$B ziP!g0Sd$$>wjme1=@MC5d(){>fZ$nP3M&kKt5PFv5k4n*>_XhDZhm_r?63Is#nxey zOxvMq@U&iT1U|J6>}WZ1w(wK87b& z%JoAmUg}mql~Z<`svCX%0TkPJ$PfZu@OT7BFg`*R=)grO8kttB{GLK3Z#0c|K5hIkHS05wPI;kdXoL>C^S+>PA|fZyjBecALc9 zS{%)D9QFVCk~g5^TdOUb*Q#R0c<;sH0o=%dbSAbHJz1?;VzY>dFmS6|x&HF9$!e;s z9?EBcW@}1m_021{@ai>^{`r~m6a*o9q{N@T%g-j-SH&P(Ol@>_Xsyp+Nkz28*b&Kx?p6T+`@jvY<{Fdd zEF&F#q2S1-R(#(|5^iF#mO@h4mQAcq&EmxPjOr@iH2_T*pWHU34a5_}jt591O^rtS z`+OIIA@t5<-!5=izrx1xTkoozXYPM>Eq$k3^9s2lKh|G9s{Z7vfA986-?b`>uJa4I zvA8%|anyG-zpn*oFQ8XG=zRclhK4;qF<{d`wbAvj<@Np;Ft;*q@~~%6dF2}BwxSH^ z5%xjq>St@E!TTPu9jK8m2^kODRRyv%cb?>RKO|EEkG_pb4tro&rrRLC zN?d%EZ94VRIP*~r+V!;0Kp8GcJ|0ycCOf^4D2Ed2As@O&wVRg9@0n)Y5n@f0grb)Z zB_I_jBdVP;v<%JRn#c9-i}_(R&XzQO+@t>6%ki#+8swzkkitdfE3iWiYAH87DnO;% zcBIVyGVSOwj`fjoh<3g9;prTuWcJN6N`I%lruu6n<3CGg6R8rd7llqKZbur zf7AGa<-tCS-&>bt9ni1yR$%|BF+I#J+!T}l+lNBm=8_(uB-37?NzQmY+D>@D&i=nt(xJMJGl&gl$1VWVfR;=Rv%T$*=YH^cX zH&=a6Rb089?7hr2QaTw@b@r~;>=(}rK$B{*#T0Y*NuQP~>PfUK@?IQDnRWWL z831f!@s4~5mjK*kFkd)l^+}70>=Z@Hbii^ep1Z|9L6MS23?m0zjXt#)-oG~zP(_zF zaCEu?6bya1_E8a|PpUF2(GM$k6l`6tm9e0XXElS`b4 z`QfG~`s_A)*bj2CFT8rP+pRhL$omM*U2G>E?xwstA;zBgHI&_&Yos-IA~(bL-BeNE zKt=V^;_BjQNb9aiMUpDF->d|%GJuyg^e z-jJMrNyXMORmqqEFB3` 
z0~&RZIR|Or`dw7TZXtGX)=PhvmZ0Ys_hxZ7$tYPwuUdE7|Hr3CREDL)A}{GBu?bSh zppy~M*aMn_d~LPBiS(Q-8*V0rZS|AsGyMWqM8z$CkJQOQ67kH9tBS5kEwZS1iIviS zB-y=l**;8){6TTrcuHd4ty|x}^U$L^D~cu4QS--_#`n4X6lJ1J_X^>wqeO!M*pEv9 zpX2#GlGpn*LRbDf_txQXHMSj7(Aa$6^aCMm{qB{?d46hwc@Dy4IQ&%&2Llr&QHo`L z%NB-~qbeyrj(bQ0=Mz)_W^cz8os`U;?DIvoHg!%uZdz|v>Q}DHxvs5uv!3VaNQqO+ zUMDQ6AJxX}*eifHnHl~l%fK!gL1#s5)lTs_U;qwd4aHPa^vB+EpLRM(f~XT;Ofv#j z)($&5`q7?_$&6&2ju|!@{rDwPeKkzKcpDR?IYZeuhK`=b!cH2n{ZE>B<;LY-#Ypy9 z7Gz=uD|AF?1AEvK3N5Q2uWb!&{+_&kBv^7nvYz*LL`A^ITW0}7Zu91D+rscb5Uhy6 zWkqyWhnN}IFXYl$DP`|L4!>ZgXwbW(p3_-n9N4-AG)aLUI|V?(BNmrv1wQv4AS=fE@PgB+M4io9oGoWbCzB4wm1Z0IZ|o99>npXjUz*b^hysk0gR-7Z++D2k8qjd3r%l>V4*4tNQuUMZgIc3x zKEv+@&?QBBz>3U<<;)c$--B|8>LU*)6(NhyovFx=%NS5luQ}}da%ssoH$OifTp~`Y z5p}3^N@OQx5txN`gX>h_O|EJ@ART?;p-U200cPF% zD<34%iU+P#Hm+Dwm5<32-NXD!{LwT0%lNeSIx#n(7ixoz^lOGY&RnGT3$L3crr2x{33KTB!#r3G~Z-bX{ZM(Vx9NnR(Pq_^g!de_E($__4(TA zDO7DxaIYkUmdVB=MCh*POyIk1ugoKNYPtONi_4R5mXz(L_qY%2TIX8%@iCY+7P&sI z*XUO%T!o)vC*gMLd4LrxfEDCrUf&*0M{f_*QVwd7g}<6;TaSdg+vetnsCHt8*n|Vp z-_3HN*~G6@y)!SvR=S5Bvr!b=sQn%=+v=Ab(kv8c!l?P~LB9JwZ><<{=@l1~6un*3 zb0eJ>LkLzv2(1+CThqt-K%T6@PJdt*Qzr=6!wR-JrJY(BXH|eto(drBB^fbxh>vu5 zFJpWZA@&uI95PwZr(fE%%6mFxER%SB(6_>PZjM3;R-3~U29?*;JH+ahnAcZ4)-B&h z?-x^;D!rWLewS9Pi!$AR7@r)1ISz!st8cJzx z$qkl5p7v1H2mCk#tU>3AnEOC^vompl{Ry?#$+~ZY^&rlp5TBNQwQg=}rDv09?+dG} zW4GrKy(P{E+?-#oyT3Vqx>g^ektSU4_~7~7FI5x_T?gCxG9oDy2%6P1XgAQmaX|lS z#J64o8_Iu!^Tdkt0a_`NeY<#VY`~4%Arv+x3n51SSI~?(RdGJ$Vv2YEWS4^p%K2Lb z;Z0wr&mi(pb%l$BbKhi!$3;M8=N8;&VYfq`baVoATI#A-*sbc0;ZNQHR*(ZQ|7J0d z7(LTd{jcRQb1gdZQn({UvD9*~2o^HAp>$5p~Q-Z)<~tB6#k1CT`q7 zVYz7kV5es~0`yhp4D-`vCV@be<3XBAt7ZX9B+^^KR^`&lhrNrL9Lmv8cRosy!hZPq z?u%EH-ZM$-$-A_39b(k|jea9-yA;*vf~H_J`RHcAUjJPBu!U-s2s}o1JL6mlqo;2n0m%gn_93 zmPW`g;~J+X-4+I3`nxC>zzkrdavBu#E1HGKPHssuEc4D4CHT|fTnjZH#hyx8)twW5 z(o&_Gf-PpYImIOK)e@*~{~bSoVi34QqlcE}4xC=nPn#Qm{$)S5yosWfp;B%~8dXw4 zDy=%{c5T^JSS$LocO@q?F%eppA_rAKJvQ8xPX|$$iQ@$ag(KH~itzZELbQs)%R5RYANMu$cJ4hFpk$qJ7P)Rn%rYQ@z1|BU?TUslv>Imd 
zCHh7`4SlwBz#9g@n?0xOJ$V3YL@OG4xXf)>@q%eik!vs#VFg@m?KR z)2DVdaFdci5IuC4#-O*~@;q2n%b}Tf<=at9kyx9xQ6#QLzyA31X5eq!F=;tipjSK; zzc0v1oHD{k2Y&38bVg^hQpf?tFG{yQ@`iOLU66P6lt^Lflx0KWvn=H0Kre$qboOyn_8|%2bVA?AaF{`dMU_D?swhdfDWjf{4<-O08#KY8_Ks0?D%$ z{uXU+ooXpDIuCp=1{sFZ2=WE78f3zQ#cDFk8JO26=ns?^#6K&JeE4EL_Q8CF6q3VO z40u5d4-P$IEsK;X9aR_?G?Por)~slvO1C6m1&hA^HNhAOtnd6AWOD>#M!KP8XcPp@ zm*~tlZgR^9N9ClUs$H3w z!*+U+v$xpG@umT5gE;kKa)n}}AF9@V*A|8q*iZC$wCE^z^5n@^I)<>$Qh5~D@IbOY zZee!n8NuAAJ6%26aQ$7*69y)T!XLIe+_7u&fgR!ey^K$xI2p_kNP3M6SaWyYDQWwFV48e)=|>QO(22zFgLS(lJczR2MZI0OHt92 z6$q*Ta3QlmSOELZ@I(ZP=?HkuXHTy20dYS2LKM0OSab+Hq%Zg%-vk@)eFHwH825sr$#!Iya+^agE*_ZpJ$_vB3d_%W-TOLtqRyX!Y)HF4PfQ{-VtjE) zh0->YoEU1uS=6mH-qUj_f{}UgQbf{ zTz?fmQ}=at+v`)z6eHPz2)>;lit_*MzycC-Uah(P@;<*Zg3tHIA<*ha*C;v;QU%Tv zV1)xlYkla_WB-mvpQNpaujL*zPAgMeY^goCVsvnHQNhHl-02V%UnT!sv#^o>c8@B? z2vy>~P-4ViwBw5$wq2ZBgs|fk!PJaJe$$4T^OEYq&!HH?ykA4$7I#Xk zybgubnx17^VjJ}kg4Sr#w)lNxpR&SAYVsS3ZE)5|gsKmx&@_ z?kr7?tMw3CrLX~fqbV$7Y~6t5-dh^a`e^dflNPBK=Hp(m-8S=BuLil`iXB7a?bHI6 zrq<)4>`2Li~I?EtZO&+-1_qg&E|2Ve3UJu6n#Lz$_s3nJ?DRiXB@(h z&W%4(4IYluN|3_VtMt@>Th-j&aec1yU;e5SV(7<2$-b1W$Dj=& zD#<9vFAh<2$Et~;>$IFqJJz&z@gZlb(}BAS8U%@!f)`;SQ?-5MbQ%0aEU~~e>h41G zbTE`E!rA~5PGaXksC9ZXgozDgeXYFmjV(CQcJ(EM3|RvI@D8<*mMz#!i8j7Qdb(?`0}+g>v9!2#UfJP&-0gtL<|37Qvgm zJ$Qwv2WU#%jGk2KE6Yps8>;iI`>_aSM9+%j}Q`@(ocao zIW*`@108+bR}Bsl@6=(CN`7m!QH6gMFt6Ue zvsAY9cJ_zr9hak3_f#~1))c?KKkvyNkisy2NUe6H)7iVhQRYK4UFZsnkUN#2l6oiA1YJ%n-4$sJs zMhqMv3eX=eHL}hrNw=+^Pt1P3#cTW|dKrUS-4+-Sida9>Co@HoTXtd`&7Gn-q}49< zAf=wyJ-3@#keTNVG>NM)Y*x@n@!11y<`o#26WncxtQ3+qWMPHC;=?-a_5z-0 z;z!KOC($zav>*gEtbKBiheBdO7SQbye+iiiF98qbe+zXkk^In7!%A6{3qa%0MMop5 zZZ!DW0@~Uh=(X76>8L)P=f4(+lDm`tK-Bg4txl`8{s7)1lV*q$DKR(QaU7(01)q7| zEet#M03AK>+w!V3GCX-`>&hrVDP6Yo?iD(vMLercV6|Vwwtmch)v++1l_5V^Y7fOz z%3Q4&zhZ`Nf<8%?!UAj&orRfJ-R)VKHu7)$iUKe&ll7HoPkC=OY~5(+W%ha8gvjTl`kEF)?;dG$mYv5) zA$OHDfmX``{9qmCk((Ny{UN)nYe`sk6@z=o^@A@KCYCyyrn=elBwZSb7LU|kvd-8l zv=p|@^yBE!6s*e? 
zD}?i?2~zlZjN+P;>xB!@>%vQMYDe%U!=)dO0&nv%Fp*I@zxOGi!!~*=0yf`D)8AI9 zTWLP?KJ3|-(RfJ!If8{hdXFEcwNM-_o1lZ{Qk;aGn{|Ee8R${T0w#&}f;7jH zl4Y%U;zBCDGA1d0YT~{_6s_&iP_u+ePgsM>` z2RRmEoYZ4kETZnZY)uR$o(tI9+{J{oSZeU%OToFP^6Gp0(!kOIwLl8Wa3T%dg~-Q# zHU*0w{lbG#qgTochXk9^u`1X4HZo!4T_BdzK3TBi*2WLy))LZ0^aQAA?c>H_jI(S} zGb=sMv=-{gN>dbCXC%5(O{#0(xG6V=r{Bovs!2dgzPL{I=BPQ{k8_^pEmiMiC>d?s zq_pe7x0s`gK?Npt=a~qqe4|qC6j^~eay!x8(_yJIZGFyh;9#P0Nabpe?q2kj+B*zg zua=cL4+vY|f_$}9pJaQ&!^5MiNglp6_k?7KZxp4_s_{q?cYn;+D540Abxi*sZ7@MFYMnns9~`TJU7=&fcGYw zy{h?)m{vK2+zeA!ar-;S8tr#d>@dpo?stH`-cqs-iUxJm2ccdWACxmIEagO8e2_~n zL(qCAC-n=H!Pw-b_*G+(C{Ep)qsb5qY&!>_&$&gOKr1LZmqxPv1Z8jov`gd@&35nh@!6%pots=p(>nT zcTB3vMH4`>1(mG%(Q0_US1&uHtZ~qvYTstmv8_&%Wcq|PL>f;YZv?Wt9wrF|zN+Tr z^3{fU0Joe40pN}yG^{8nG$ac`QSA=|_?xt~`Zp{VtL6LqKHDy7-H`LE!x6%VlkvQ;NgjY+s-CWXKoEe?$`*mbPkCaG9{45p&3w>nrQC3LLPzON9 zhk;wio*Au2cV=9kt{+f7hXCM4Q^?3}BDI{#v8lqvJiQbjH2nq!D&NtH%r@&7O=zgn znCK&176n+i72gK0Ul8L#F=CtOSv^)lXJGIM_h26kzV*D$1774B40`_fVaWG}oB%=X zG~&(G2Ev%R>81W5%MCJ*S2WiZOq2ZIg4 z)c!0qdqxDYSKT;T<>EyV@WVAJ^V#S7*|T`VnDPo)UUBpaO2=WFV&JV|{ijIJ5m%xc z--3KusZo+x+kBV9%qTPW8+k!|S@g%x?CZ?1VmR?>Ug9M`R==1>dC=9v@G|?#c8l zx%^Z{VcqjfcE=M=o2E`*I^B$~(fShTGoAb(=lK336R94i;<VFQMW|wxXskkZuGS}|EcV*~#xp*K?Ddf-rN8>~Hb`r&wWP}ay@#va{lgBbf z`g1R%Vk_KD_k`0D@7sPY)-SsE*)g)NbhIvBLc}Rf4!sr%6kqzgt9|6hbXs7N9`?%Q z>oIgURbPoxNWyW`95+uvONP}W);+nRiPCiZD8cA|_{4ptC6u*LPvrC`UWaPgv!0LV*t%ix`YQFAic!t7jhT`?Ws+pCVwZ`eO%O9XH(wKz$GX5G`RA*c zOeA?_Q&1s6zZH2luWMQnHkNO9k~bzBo;1A~pCC(Bm^_LhBfm7B+3p2uQAAr5bVEU* zA!{PIq2QChk=D&x^OCVI+LpI`Rq`apA9E>43c2<%OB@q(n3>KYKQA92nVDpd-lA+qEVh?2~t6VACn;lkLQ;BfRw~ z(SQq?@rcrd{v=djPC@ycvypwaudpT9e=?lYS5Y31l?bMEpqHfO+Z@xTqq+VRZo|@a zWO*$R`(~jO)#22GEHXwD`WH`utCV>?aKYkbf%Oh~t3_eWKQ2KQi)L zlw!gj6%n&A2j$));$#b^LRZ-gz-l3^-jM1YAJoUp^}gQJ9GGTG&gG5yNOqB=iNT0b zmJi?M<==NRR?4f65H{iE7dSW{h_v;up|FnTRQbkr$Zmk>Q6tUR6!`=-?LP>=Y5BZR zeydBz$BHJNIXco}PaIh_WD2T`&`)i5y{=Sk-eU;E-ZQ_nsMcv>6xH1LhR8(bXpY_m zw)u4Al_393m!`TOBu*HoX=2)62P=y5qR|oHP1MsK(XRlVHyhv2i+&U5QM?<_?860G 
zBnWvQn?@HDa7FbGA~ z8sMLHnVpoKx7XxDRrwUIAk670GEIApVZ8#Mo`30ME3?mw&q0rm_>@+8oye}{mluY0 zKP58QdoTf-k|D0Fuy`nidMNkRZLXY$Kdx+G{N!MMd=N81vXn9$;C1>NSmOuwA-fvR z4RVSwq52?Ho&SXP4+#d6h(5~0@_TjV_*z=F5oOGKjUFelzfuZ|;YR4W84Mk-hLG1Bg%#6lbQQ)`K|?L_p-q>e(so`J5VlNQ~#Sd8_WGcU{d0f z!~Zdz|8v@n%NGRB z@AU2*h4J0J1%=8%{X!k8-?d0I5H4Td{|O1aWYaM7)KB4Pj`=y9cV)(R5I9B5(D3*?FoLps}2B^;#+f-@Nz0Hfweo^~c z6P-WJpq&dCY%QfJE7J`yHsYNyg@5KJZXI}0xp>9~Ix1{`u0jy~)`PvyPpSMHMP&}Z zev_1-y=+L}9#93W6XcC59vOO&pfa|`#0!)t+O&&!A$$X75 zoNiL~K~H>DHW~;IN?Nz9E=}6uq3tuXrSgbLTIo<8l8sG78Y5jm4Pu_JU*W=IpW;3l z^KVQD)$f<~?Ed(9;^O79w?HMdl%u5O=L1QdtqmSltC0KE=4;AK)3N9P!A^ozqu0Rt zcVFrk*XdXq&|7Vfxw39Hr+R-(=j?2?o@#&M{1EI=awN_lRGn{!4YG9YB9WoxEZ@`EIo zAJCVdkBJ%s^AiczMVwYfIFoVRQ~J6se%_-N!j>c3)Bdn^DQvvZ;VdG|U~-=kYGRUb z7K4%d^L%Mj2_;$#h_36w+MR7SV5E6LwD(gOCW!NX%#W>y7LJw6HX>*!43qipy)!&~ zJ9-hWNp@AsV2%;mm4@?;4BC13WWDR5Pn~5Q5&|P!nSpHyN-2Dm0wlZGcS5pH8_*N^p>D#?vXY|5PJb|sbxS@ZsL{CvU(MDA5BI)z z(=};>oLT4B(?h1zGuN#FQ8p`b0qA;$Oe_&WU?1r+t0_*+OYM`G&Yzq{q6=$TVLMY0 zfsLegdwyzfnLY6U;|99bH7%F63(4-&5H2dAVk;cfdCq`8!o_KvIFU3u&fM3y6U2Ed z)t^EEh=1VG0 zyfPEKW2KdLGOho5*hja(1MGXlMK>4>Fdw~NHK}QUC@hW-y^2~Z((yQ; z!A!}=&6se?J4qt|PYrWr8HJcI9y5(0pB+xiVNc)jvsb`Q0ZIh*ExhByreJ$8Y<7K5 zqj?|aVaX$6eM6&Ik2|*%Z0Er$^ahodQh(;A9j(M3zeXehln1%PB^D{m&-0#0$4X2i zp;9Rqd}tG~=YhgSbc{i7^kR;~VjiH?-bdkV*&~8bNEx+$rf*Z_YAE0jh97NfC0A*m zyao(~Yb_S!L~Af`>ZZ4%qr9@1HZ4)V%QVN0);y=(A7rVTiQI1LKBQ|AJOj8Pxu2#5 z0sM#4rR?hg@oT~RPZmF5d63%8P!7bfypKXW5-W#)iHn@_fq>>dW@fof`O=)dB$mmC$ zCRNaAP8<&B?B}XTJ#LKMHv0_`V@+8x;y*x0Ak1H(COVcw%g zk5kE9dGheLu86TY-f^ybs@Bz-u{!{pb@Kq2F_1^6Y=^t?z4tC)l088#nGJLX96(Rm z7{B~QYOWfT8U(ZMqsAh`AbSyDHOs8p4K6YP*L7_r1T?a<)c?VJpn|HrW5)c^$qZQi zpml6m8mKDP0s6K2*Y{TQWR-FyD4c|>6dldrR(>=xi-+!)!FsKoX*U2L49g*=7=nhg zN8nyKfnJOpqYErIxlf1nCt8>56=v=Di)|*Vz?4S~kG$tEDG+XQQIio38~s8Zhya;) zTIQHD(5fl8V%w@&RtCsy4Icv~#@tbGk|BH&Eb~P9otFR66RA@!sZaMf0`(hm-z==Rp6P3q^?jn)Y;`ZJtx?Qh4A@eqA(EbnKWO_gmcua!6F7`{ax} zhx>gA=BjNDiRAw5u0op+`}WC$&uJwA8CbJ9@AW|c0!CdYJbSI7yIvKprC<3KklxN8 
zh5xe-m_OK@b#uwQbIgtIhmBG@Gt9P{C0ey2UIZ>USiNoTpvJ_?56XXO^rA_N(1R<( zH5yQb16anZ0u%}ASFbJ}6hHlC-TZx<^-)2gfR$HQu)!39nm?O6Cl>3pONv#0BMshVyM?f4ws}zh%(;n)*jWjl z?~YU51#GgmIjw$RoG7l4iHq)$ 
diff --git a/src/assets/img/update_controls4delta_diagram.png b/src/assets/img/update_controls4delta_diagram.png index 07044659e766837dfe80af80f870bf71c4f50f45..96aa1a612998b566dafbccb42a2e2fccf23d1036 100644 GIT binary patch delta 49387 zcmc$`c|6r^w?B>)g$yO_lzAp<3#kktvob5w4qIk2Pw^pz%DCBNCi5)wtZ1-JNtvex z^E{86{kt}Lp8Gz}_x#Q|-|u;y^T*wd{rOyLUF%xwy~b<*_(=SPF6<(WpkpYV$ll%fS-Jb(%cH2mWPsdrv&BCS-Q5WOQ|5z239IbJ0~| zHwjhp$&A8NVo}#>F}Aw8`o_Xv8 zvGpa|thHtlVnbjnzQup*s+>e%Rou7gYsRvgC@rXPBDmd1eXrj(6#Mf(j%|_&Nt~el zP#-mpYjONwxpTL#$HlP_t* z+m1C|mAj}eKeoQ^;VYB@UlTODFq*{ufC*c^z<$QHTp*tGDi#>@{L+a6c(9oHf{R|%Qa z=G`bA&G)AL{0O-!IDUQnL&{2o=RP78A*TYnCbk>>O=_MNQNd-13e`yL5FBTZ|qC6gWv{?qAtg>9z-N46N;v6LeY+bvqTvpAPefe~b%c-JayhpRoN&x>}( zp)k1G5{XHh}YI%Hi|;7K{qU)n<^XG~A+#ZF->03JZ%0^NU)n{2dZOXXtj@|MVqYsZ%o9 zY`#}e)Mq~>3S?mSr*{~cvA>6~OFyE?SAQ^GOX_n>D>k1|mem+c$MRnLICIsiQAI>Sd>muJ9Gxu_J$j~n3^=K=1j##W(#&!6 zZI?!I_o`L~7<+Iuh#bB?yX=>WaBM?YzsQ0VDrGR+>D5;oiG-^aJji)oYcy;WQwJ~R^eqPw>f1cs^^8C(Fi9^oyy)~@9bi*lZ z(5}J2pOP_ghBlsW6Ju-!f0<7(r6`+?q8?ZDZ=m2QL#buWw{PS+jJTo4z3=oh1DB*3 z3uMtWbhh2kK1FPQLRlsy0J)nodeQj1jgCsbb|sKu>p~_u{Y-xRYpq}@)K7`6OKZGP zOv65p{64**hM6)}k0JI(gi(pmq{`g9x)G!J90`%*!w4NY;fsm4QAWh?_w@$LZDtv} z7He1UR{ajSIaBcfCVF+*X}0?~o&FDnW}|>hJxn8!+#0ncPtYgpG<6s1Hb-QCT3T7n zl36PGONiB6Y>gJ!?4lR3jpr27JsqKggZB689NJ!AO}#zBVV%yIZ}~-_Z7}_10*3Tv zhhOm+gv7h%Nz!^cubK_>fWmP#X^n3je3PWylbwc3RHn(&ERv0(8gK=o~dZJ z{QI4vq^Tq>S(ujmA#NEn|KO<78XA&JpV z{DlSnedCoYExclw&Rat9hCD2~kZj4XU$P;cA4#`HqtbrvNjxM@sDV2onK4C^r-xhC zo(l%F>hNFc<+9nGSKo-@?5$9ujUdOx+uAje^TKY}1$fnHMvl^R_xNKkfgnqAwhg|rS0d}ztOaZ;Y^y_YlpI%`SdHHE8kNb8$O)n z38>3S3Fz}QtcD&jtXmU0`L&~FYQ1U*A1MjOp^YaOn>_Z0uS0S`D zKI*;H%LX}@HRf4QRgpyt!Y1@(QhKKc+$mu2w1=XlK_5GiOfd3)M3jvns%u2CTqIVE zBsYL9HFRSxt_jnqPUUObHyE^dN1zR4cWtyb2GjfaKVJD0=`oRmK$V=mQId&+$R6So zSXeV@lq&ucbRpv*0#x|&iL|YL4ysJzsdGGg8~(Up?S2l~X}nG0Bdlg3umV}W4D8Pz z@Joj=gAMs#c=hH;KnD>d6B&qN`ATU_pZz7`lk_KLg262LUY`2LMwkeE`KTn}#hr?g z)X-leV;B%KGV3jur3>k6k((AT<|}UYGqzg|mgfguy4jN(=?zIqe8@x$GYCEkqLUNY 
z^Zu0gprjUeN&HFWRCN8k8-R|bUsJA^ZL6m_s($*@BRk?n)u(ppVl%ugo_xI zZmglHNrEFu3@d9GmYDZKQHGaxTfR9$dN@1Q)7YnLGkssOsiO+ElhrOL^**_OZBcrM zaXvEi#A%KF{>6QbsDizs+jR+oEK+I2bG=E@X{ZW?YJKN9BfD zf^(F<`#5@J^ikVu<_OMv8!ZKh*@f=hXinyP5_?Xmh5iV)pU>YECvQvaZ~Zo`9dC{H zM9_;!{fd5h9Z^Wn{g~#=M8myFuj*q5k$#$=WVigM(8OBBL~rMof`IuDukrA!8m4{u zp1m6NQ(L^yt?kao6CTL6)ecmOd!Gf?>AUpG+7S1h)%vMQyXzHhZ&$2FD3xmlJ>M10 z&c{v8=nzsX;duz>;(%52q!1+|PF6HoJ~8l8Rl9;p!JS(>zQ80(x)WOwPF@q_ zk_f!UlJ-qa{c4x_3*4+Uuc8Q6M>AKwOOXl`K-Lfeu_8!At``7RPj@N9ei$sZ(AeX7 zmR;r^R#=K8hrvHYM5HT4d#u16CzS0x(RC;zC4a?_rqKo*nFAn5~KxztYp{M0a7B+1u&aAT5Xhnp8 z**@pWIk{s;P_Az$yZln2I4LZFu4K*XkbzkViZ8P`F$)jD+5@T#nX}c>|qWAjp&ashn zdH+P*m1rEge8Y3WtRZ(4+qbT(Tc^)1J^Q%X$6$1vYg~^B<1FXkPe9yA1x`5Xg0a^mjvgEUv%Be~NN?hHIbsIL=PEmu?dO<~WU%*?XaB{~H zRxXIK=5EO-^w#%!m7;&teAuw7g8%Gb$*)C+F(AZ9X`k&vX0Zn36&(6oO&~sZW4b{U zg9ZU)g8_S!EXE~!>c%;4u+wF#hc%ktP)0cPy!!ImZT05>f~ouoP)2G}@J1&Xo;d~J zKf;38b{XCA0Y0e`0S5RJXoI#9yw1(!0}POR%Kt1O{t(oNVj{`&(c923Jvf^7-!U=%;=OT#l)$%*8i=D5gYEi=jjmcy_GKpU zR^gS!<@e^kD5EZu2bBFcR!WnC%u9bszbfUM!zzWWCt|JshabU zXK!rfHyBUnn#WapuYJ&>`0(MGvslE{U+*#+J}(0}qZpwvU9sQ0>(5|lJ=0Zz=(npc zZgN<?MRvJc2R@RNCF}v_%3yk_`i5|ZdTc*m;cUw@oYl{2sfYCuKSyK7 zV|4(5wN$8jB}J!dyHD?3z3ZpYnF_xuC@Ojh2z-aM?|^{{%2mY94j(&6=0Q#uf%<8e zv&unEHne{>L&3m%x_1?}5rAt~r?oaccPxS;4!NAOUhJ|e++Xb#U|xBFI@_jO>P9bA9wk;?8qIH` z*J|Wd(=sxAL-Dil<#erAkGg6zWGyYPvFVf@oa>z!Tu#2L1|!hGR^l8fcqyUN$J;u` z*1G81H#;iZJyk`b3sk2F?eu8$iJQ`X(@~&F&`&c~T&T%w1Sx8q7dcuBr)N@}N>EJ{ z!mZNwI{mJ5d8=u^pj09Hv2MU2<12}%=e)g`sQH`mycK%0QSeGn64;HR=!>1XC2M{8 z+5;7~zSh?xlp*4Y27}doR+Eg3hPPbIz|Hx_Q)TG_H4EMgE1(<$p4#TIq%MMccITxI z`s8j{*~^z+?*@mau_~WPZ#7z-9$%`%DC+W%vcFJ{^K19%g1Ix2 z@cS63*;^pv1kivo>Z}WxB8k|{;56Q|ANSjxX`8OqC)mDzqU^4J^WN(flIQmA0ZSOF zzH*byHobDieQZy_O4n|y=|}(e5!kEB!ijdvG`oQEl^8;?vG4Eqkdl+bX|UD{_9mf1 zd&Z7;I^&zMbXE~z*YN@yIs=F`8!OESL!4fY-Cbpj!VjM8Ed=a+isb7-!$mlX9)8r_ z{us0k-%UloX;hoewP`&EPm_~_Id2&{s21|SS$TilR}m;i?pcc!UwlA_k27Hl6sL0n zxSuNeC%)%e@BMtmohqZ4xW}%aqrq$5Am)}?iuF)+U2zN!VO#z5Yo@eb)f&|2HJ&wG 
zqpBOi5|cxGm13~Df|zpOFAf7kj>)7i~xjnn8e8*`YK{?fbD--8KOljsGc@Mzi0 z1GeWI<>+3Q&oFh%u2Eq<9Xm2zA+*EePNc=8BuB(UqvAz=59j@56cL?i2qDVZ9*Z|= zW;(Ava%jp9z=YShP6qj#(4V<=k#M5naXjg9Je1E8he1Kax}D=3xgQ-Vk|fd1#V3h& z6bCkS@}tEs4JyQ)YbW#9{JOOrw7nA0J9=hVcD%twK{27!_N&xDx%G%7(c0_}`tpS( zLnwDT(!+vbXCm7!$<62DP$sWlrs8ph+NZ?&lY+fV$pQF?+}DY!8I7D0;eT0&$);&H zhMaG;LA{{RH3#C^DCrXy4T@gZzR01ud|sT=Yb0s?tAo3B2a9N_oes?Xhoptt*yHtM z0(Ik;NJSWbTlM70dX!qRl58ye@+zw-H+7uuDlh93@awA3$R8-x61E-WXUy;CD&&8_ zZ6#uNX0JJEHr+1fM(I5rnB!bMyhzEjck0qeYXV+=5JfzGnujHlHE$Ov35lRm`3?e?q~clT|z355^GkIIDEq0&^_*l zd{6gt&Jj1n{%(4O3_>SYCv!mCVI;+GES}{}%1;EMT=7P!#pS)5Wvki(u{XZ`EX*iC z@+R-_tsbuIDHW-SvX3Yaz&P{X~`P&MZKKq-)JtCN{j= zUCe+Jzc|CMomwZwp8sT_3r42iMQ;1IuQbO$Um2TS#ApXdkMB?f3ql*S0(6(&R&dJc z_p`jiey(_4+-<^r861WUo;J4O*YvSH=3^m>D)iOf_wS8f>;9gedkG{2HScHbAGFJ7 zRIMBBhpvuBduBE;54sBP$GYDC8kn=D>o3u;9zG<#u9eBQKKB{T$-pGH+1pKCpZt?p z;ODzGh@}lW=_*wW0nKz!NzP$s4Ygzcx@b4m^t{S#+y?&J6EhGza%^udRQnvCkN7); z8vvexu;Fym)vbooe7gjXg#>no&xpyFiMynpUfwvu6*TK+)M=ah?WC=I6hB|%KIn1x z(3*$LQ542h>*sO3zT;04CKex}6&eSy{< zyOq-si&Aa>*J@dv8q4XV-ik{2k zuL;G*JH-vg`h3OG4RX)ZkChtYU>hZq&-FlF*2eOO_GOl@_3N;@3Erl!yB!s`&U_9;8c3{-^v$%-ho^`8}Mc z;_h})M_F#{3J8bs+7?qc1~X+R;eJ!NJ9WHK<)&B|QRAntP68o{KphS%W`?F^L6V3)Qsfhca8L$+n*RR$m;->bxM z49+01-6h4wzoXtf?-V?P5I45lHuf!q8diRus#>)xbPuRgs&bnBu2$n3trW1pyLWTG zhwH^9XXlaLX3j5$TsuA4#=Xm)Yp6JXMs2?HP$3iHgaou~sAdIykK8VNdMPXq55CuK zGiiX5^)UuFqbGhdTcdpGh^m55N(il+zutwfFFvV|C{1_vMz($5v2=`3DJQ|s3hbYs zNvYG>)!hy?@oz5jLHpa>bZLpOs}(r2zhAwXGoUUYM!r96M1ryRTq9RD?#es9(wXNf zEr4e%POuLt$yNXbWR(uiJjX!FgRNcG4VQRt_{nnhBp zBphW^6anpPW)aPe=9X+~XNy%|Gc>(lW|50+fUS;Ci^T1>c)ksa6|v$Ny>2V9J@>=g zcl7Jl>L6o_0OE;;_yf=#ylT0Qz(Dhu^BuP06>K%hbCmf6o=h4k1n8U%tHa&L z>3w;)Hlvv^m^yd*>h3Td{gcO?*jTgHXLSNFjJ)Ob`4$lx%>BCeyAMa`84LMq;Hjqv zl{#)Bzr0&~#HatZ&G#|#$81#`Ndoi+igCd7%K;By#k70MYtV502skOO$4c2;+Dc%XTV>@NR> z5Q1e8dk=o>sV$D$7O1b6ZNW>Vg*{9Z(|Kxgd3b5Z1?FXw?`~Sy^5M>BsA*Tk5%yCG z-g4>O_(xnL4tuA^dO-JD_}#L6XpC2Gfi-Ec5PH~0H@Yiho3xXYN50%1EEO|9m>QvP 
zkKKQRIJb%5k)mvSqUXKWBGq5-X!do5p}V05J5|d13W%f@ue}MMP4-_^B!%C=>y^Vv zq&gg1XeZS0BbtnLe%a4ZZ%pvtz(*nYO*%eQBF;s(RwG0sCg%T2yU0GX0y}wo}~qlYSmA>g&s0cR!hlUn_*_ zH($6eu+GtaZ1DO;=gt)wUq>&Zcmyv)2Ot#P6(ZLU(uf*FE$(UVUmh_L0x4*7W`NHftX%K;M=;T)RE0 zenB|q*>Y=M-MrY?3!*NPly*X?t^q%2Noa#bqVl7%$)cJa7oV{02rVW1jbD!KmjAM0 zW4iUD-k~wEE)B~3grMmqve5T(p1-6q*#aE%%P6&D)W8^4MBB$LZW)ww+&MC*B-#-*1JEq5|u2b>P6VqwC$rQ*iu(6SGy0oRE_tGu7rMU zl`{kPhNdgTMViksz^Zl;yraTHB z-P~YF#FR_66i_R@aXNu|Zs^JHJ=NUHu^o5h<}M>{ScjEb_dtA_38ZHwKo;^TCtszxt{UY9yO zGtB;2Ne9Z3Aw4U4;CPyE(w@Y(Qv$>A4p?-_J}1NT7>fF*xxKt%1+&5G=a^!r;f&6= z8*^QT3p*8GCGwb(Ob6AbWcIBmCLix7=l&C zRYaRX&=}sWMJh9`qTYYbuEazQ?V1EZS-Hfab=C6wauOMnVfP9*$_}EVVciO+K&@L@ zQ9t*(XUB6Ra2(7X?!BB@gQ;sK-c2Xgqb3Lo-(OA?Wd6klk_IfD8IHvUul3_p&9zAL z@$KtcKl$H*qFGaFZDpZ=9=j{nxq#2GYJ@u_v8KC4rHOKNWK7d~SK~GGOv`QJNvXQ6 zmrHrx=mpzXkr}y33)j6L3T%gdArBWnemXq>lXPVn6x8wf5^#twU8I`NkxTYGw#Dhr zI5!iUp=tvLFXwP&Z&P1ud+ck&Pymz-jBi6Pjugf@S@l+@l~94W9V2HY478Xpe6(S| zz%`_4eCGZjq{uI7Srl}BC{&A_?lJA@R$=ZI2(2`}FP(l)$$E9?E6#wN5OQ5ys*^z#Xkl6EC`YlavMqUyR<{W{ru>;r5=*~ zNjkppUEFrmlUi{s^J9&f3-^R|TYfNHGF@D_lbcB4K9THxdS>AEC-PyP(+l6U)*7n1RD8BWw*`hF zvB)k^|8-|m6*|<43}*tnzG@YQm^xMOo14R(g~1d#N+q!uraLpzIWKwG;sgC!8%-X# zRfY8`+oQcGn_~OHkj}ymik3_b8(x@KTfM`IVI8aJ8B~u;c80@M+*O>G29yEPA4z8_ zPGND= zm&u?`flHd)&kuMGr6$B%s0wk8B7EyQtw{eh3V!H;w#@)b?=2yX38IU`RDN&tr0L@o%rn#Thb-{qoz)4Lsa!W_h!+DNZ;?g=420C|z1A}kB@`Pkx0X$jm z1mkcn8H?iUsM_Ua%NORiSy89T&3lyVAHO5O2bj-p=rbr}u+fMTig)x^m&H_f(9FTK2NJ z1f-IQ9DnAkJ*VAxcM=WK_5TKjL1Ufdpd~HLxmk9y^VuQ9s?-%N9-)CjHqyQy`m^+HO#Q9mZ4Hq zCUDoa)`d-e#)`oww)JZpD`E%A3kvSKeD8L*OVlm5jo>pZGX$X4cqUW`h!{jQL=~FT z+F2cC`L%^l8Q*%kiYDur;fn;*`p}@RZiP8Vdz?@%hw}GyQs4=wCnWq&;$xUGQq3~t z6n%7J;_hJI^xcFTTK*LD=RCy=U_sZH$VmNpOUa)%OlQQ^c8xr4qJZ%T-N`@etJn^q zb3(1e+n|CEr1<#*CS4+}%doF+c;aIhTze5oRZOZ1pn1=35urondk+%dmiZJ+&sj0* zUE{Pka!DSKdw{kFc!W5C5EDqiqHrBls^i0{nT?4;#Wr5YL;Kq+OHGum{bos*>}S|W z01X172OK^~nNAPz5|u(@3<2tAP!K8gnaUqe$&g)X3JxvYnaxQ!>|~$@rzrk$s%AJS zs6OqHhTtqd@-!V_!qyBa6Bza`1o&~A!SZ6~S#68{;&khQQiWI%I|ifEZ1{@lze9(n 
zGhaPbE;I_wtD_jrZ-D&u;e~a~%P;{2d<(Go2AHQ_cumm2cC~O zs88ns;jozB{x|PocX}J5l=!P;IPN9#CG8GPj!{Bee({bSq7I{8o0#bOwe&zx>m-$g z{vwONbNCL$u9W7wIAS~@u{uiq=(hU7$%Gl<4<77xaOJDLNjj)Cyyd@|}F zbL0V?JekhGAtdWxw(ARu;pD0cG=JGBC}v2qoiu}p57GgIg-Txjv%0aNaBA-5cv6p_sNfsYrx(aRva8 zoXX@Zl_E9~ysL(|oB=PL|inD)iVE7^dxM3cD(Jyd^nmauApzxqJ ziU+5TrtIXw6^3xG{W)afX24u+FC(V8<9>SDkxRS=JVaOLDHxaZ2xIZ8A;iXd%rBDV zXaG)Kh5#e4W|CILb+~SL(6!LJEl1Zw2m96cy0c?`8GxF)6ufZU>F46Z;gfooQ^(CT`>u{c=RgX znz{R6x=J%VPn zY>OAw@Yr0qWHriaf8hJU8pU#eal<%vb?Db03M@?_%17j5z(g3be40mZ>CcCzpXsZP z$QR!QuX>PaXJP+H`V_^rVtlCsY+LgrAzP~A1^9yHA#ap32(O*B@Mwg0j3CUOQoQS+ z5lTpk3Vir+j>6 zKP+K$hZTl~nT_Gq5bycU0nb-fifmhN-j#M4nGHpLxb;q+;Yc>7KsG#9os~HeM+Y5f z1tG)v4>*@hz5%>>cYi^6Z_a~~N5zhl9nIg`6`#t>{*L-Jul``VF7nLLGVXxJc#Iib z4oqQ#9yYw+#h&&8Ch!&C^dJ830sg(|KN%kLs!j%3+Beqck((dxV;-{mp@V9_5PfGnST`r!$KAW9 z`p(|Dc91F)vyRw?f^j8z*;Q4KT(8TMiXG=%(OR z7Z!W0&l2jjh3V&uf0XkLN9XrdK@>9!sqA-y0ymEX`J83s zdWVll&pLuzAlp*Kder70kTmCgQ9l`QX>4Ly1%*PwEo9MZ~y^}JduOxdB zUD#NERtbG1)BFDCUL0wOF+0`9HY93&J-YGH#7&sJ=E!l)#3mLP;5mE}=2MNId+?Fe z#?w1Z-|_qy>ZcTMrqO{+nx}tc4jeEPW1r2l{Q18zoV}&va++q;yw_#B;4V~R<`iL zrjW6c_uWb9JC4g{u$z2*Nej39&gDK4V>UB;%VW*FYPI8LdU<)zZiPymFsARVNnP*g z-PmgiVANEXQ5(1Wl#Ji}oz>RT&)~)?g8WZK2dAO=yE)_T0q?5w#Enpkbl+qCS~xFE zmLWu9-|gPDw)Cg=0~VPWa6h3A@>p#b5u3hW@+er}dwU%2G}U97 z7_H`+iH8fS5H}vIXARclq14g0e;&jrQE$lgl&2tRWA!{&lo1wFN!mRs z9lnBEww2Xl}*A-RGo`MnmBr6}$=eP~EkMoM51@<7*V4ix=%>|fWF zhh*JN0{e~*kL`%|jL-kSF`W4CGezhxw)mek#s5a?@u#7GAi@76b#3<4JFm_an|uy| z;t!@`hg`gP@b~`+h+s#2-2M*$=|3lh;VQ?>QtN)yyt=cq=se;3?uFr+idvvYUAZ~} zm4F;1%2s6Y?clb;*soUtQSbdoCjH;Nq~%3|`w9-j&b^q<6lq5dJDymTBcMI?2Wat# zet@)cci-Jg7GG@>T(@9+vh*JAzA`4y@Lgqx&d@Dolj)Y%j#Cx>G99SHbd_24%Fm`+ zNB~20m`reO`2+>i*I||G!yiQ!e`r+nU#XfaZe_91qpb!L-!03Z85iv*o`Tyec#N+s z+P1vT*7RKa?va!D_WoWOD|<5K4xRpE-`b@{G74`(2mt2zkmDD0Nym-WUFTaZymv9G z?xNdc5ssTy-uE$q#h1c^xGW}k^NUufgyYE|v42^SRdvp2^p?zwqEG+RRCTz`z%|ji zq9)|p)K|j?;8NH^zM}H$E4K?8_B|Fy*X*ieRrU0EH;z397cg(R#|WC;^%AqK-+put 
zsXV|VoSEp6v+2qzA?vTq)^K*Z!AiVW-!T~bgG6FUTOM5EoPZh{RudMRe}_u&pW(c_ zh7#P4E7j6e7Mp9Jdx-Zp(>O z=q*j}=`W3baEGU?mW+g8(3lVX))tECUR*M+dmS%7wCBdI?MF@FY<$?VGZ&pTG-L|F;aH(wY;YX>aX}`h; z?%ZrJrD*>AQU0-etx3@i)!T@#y3d)({CKB(5srnlloFPODNa<7yX zdgVVH+-bE)OR*b;>J7bA>SKNS{m*^Ce5sFLnK^a86V&a`%hrkUquxuh&~hGmB~a7* zyZ;ZT>LgKRr7U^WZuwZY(U7{cZLXUTcP!04tGk3Of30Ja^!8v!e>Bo31Yjyc*6}DcOZQiou(HA|upF%z`NM#S=3kGah|y(lFntbD-r$&$o{-~^-S_$61b+Bc%ra~g68!VI~AVN^qfdExrDwal&g`_O$4s{Nig12 zxmj0g9nF(jdwb>ES?TB-a$R2)*w9BF4lVPq+t?>@^c)PTr?6Q5^>N*ft9W$m>_vE9{IY0?q$8AslcC-mPQHj?=1vy}V4 z)a3mqj2ciqxKnz&1XbLjINI|4-t-e*^i5iD&HJ$}oO5zyevSQ;a&x_y*quA;rv{A~ zAx(0RA3&#E^uKWknsuzz*BKXZNzC2PgH|@Jsg7c)3z)|#=x>MN`cF(Ocb91@dM=r=`A(ue@yVGM zKSQYc6!oSS1xl@DMr%l4K>|7wH*q*QovtXwVS;g&M55bYQi`~k2X@Z2LZi#H{!CMYg&0xzMjxM=WTVekf$I~*Sh^<;cXL- zVdx>%mn(6sVny z`TKNyQD}n>GK}aG(tpvw{_|LQS>b^f>L8if1|eEnW&7_dd1rM*wC+eBq##<-#Se|Z zrLfX7=^$%e0rduX`#4q@M(8v!MB;UEFscwQ>evVIqlY@JBLz|6Z$2e+;o~qqkQl$L zIfe??{|!=1kP8iMIbuM`DCN$5e0+cg#56<79Pfg<7gic2KTTl%<0}BL&>fM4o-5jI(O<_Z!6oW28h8?u*y@i=E|mPRYK& z=Luu+lF+Pn`*=ueNa6M8MPCF!;-Z2r}B$mTz%RVTd$=2iNW-z9-t*V^qLQEwe`X&GI*;E3yRzX!l*g{t||tU+78FgtLGuFO+AyB zbugj9$TNB>;tN~J+(g#ViuO1#!fADp4R0#Yp{5|9+snEH>x?hO6!Me(&pG2CVmb zw@$iTCBn=%CJxzdZEO zix4AUV2>Af*5>+Lzs5vILaU;zgLH{n2e91>esAzA76IJkUN{YoHQ4VUb$9svh20ET z{W&8%ifM)b$Q14A5M>69QI=Qu)LmW{*~H!REG+2$GV0*+6AIK>*;8Lhu%M_VenV2C z{~aj*8XeRaGz|s!KVG`|U$Rl~{Zs$3k^VA{Z zzT2Xios~OycSiiLpw@kT4q*#Hni~?27FTGPg^3;RJ{$?E7>~4{9E&GHr4U8>5E2%&Vops@ z^d4BvLw>-G9Qi-Ff&O^c=g3I8SAC$xqQ8UBG;$k_!h=p7t0+G7=2gp+C_(UNG7MMf zxwp)qKC*TI_0K^nN_!#%d5z#M&T0s^bsphhQmhK}#ogu&NrPyF8iTa4w9mZydoSQ4 zm;3(JM?%0!-alOQoua=IBcN}tb)65TX7mH^cGS{Z-{P?b$&AgY+I5gtIQ6lJu`F&5bS zttuYNa;fZjf{M8sku=dF90ASWFlz2`z;j0qIyc!GZ0$U)*NzfgOmRhUDJ! 
zRA$)wcR1{CxpAK_XK|>_m+86bR)u%(=&3ZAw-GMCc}*IoL39vEfWR(V-R6L*B1{w= z>W3s24E3Oo6qf--{>9O;*A$1(Ax)sXj5m=7@1z-Xox4m7=$@TtBleMO10xxDXW<^E zrLl7G0MbN;6+#S4l%FZ4YCYTUo}6rvb0VGrDYKzMY4!lZxq+1|Arp z@C058&9e8>BfCMUfvPXnj|df zhl|I4$7j<`ua^+UbAF|)E5&N}O)#{#Kd6NK5Pgpe3{_J#vmPGR%JmhcJi&u^*-s~) zl9Pr%^=*)tomahl6(>;mYzJP+A^f<(JEe<_ig-o#a5uHVJMfvqcpY{u>#16J(8@!( zJ=3KXMQLkNWW?cy`Y+bJh}30I1@-D;Fy-sX z7|I}~u8~noM~vYrBw>P$FS80013!T8X|x?r0TRG#C$&c<+XX5N7o`MHI|*ZH5Wx+R ze3H1OvcPaN?^gobTxi;1M8(f4@#T}6JDsZg=|c{M9}%#n*1AZ+p_bor)&NuG{Z$As z5ASj*KHS}ySJ%^Pb>RkC_7pG32X8p>Fo2aQMgI`NOLu~h6Q}^*7hR`_`9Q=98&8pg zST16!>*3PF5A_L7K&ThelAgIXCh2Q%o2=}v^Lc^h(CdjWy z?R-P_QS8F`s$X4pt<(Vw)6aXac`v{FGS;}tzrrw(T8}loh8xZ`TU1pa6ZnD?zj_DE zN|9IX=fu@jhzvxZI?D@Ft9ZCF%?!g-+Qy@{wBiReS(vE)0TuQrjTcjE<;; zL6@^O*_4I`YV+MWK!TdVqTIi|H=x4^Ax=kiqhBi6u?DR@5 zLgL4sP2)Wd#mNqXT9S>1yGa8~wZ7>V-m5vSwYcv#VjBXBW(JQRr9!$Po3&m4AoJ~8fH~{A!Y@gjHo6tz z=v zPW^;@dIMH7_t%hqx7q}7jF-1N2YH+avNK5vSk5b4aqht4waoyuy+9*=+`eF4uPxsg3cW1&op`d~dTLs(TiCF1JeEofm>R@DF=K1MfNBs|=u!~J= z8NM#}Mz+kBkyT252|@p0*g1k9^s{3n z{g+dW07uC$R^wkLBc)c^#eet6W``83MEzc)g^oh(-=|-Y!F~V~_Ufn^ef`O&F#1lr zg;-Vvil+^}}$sQaZ10&L$W6c04v*``nS&DD-b23WKpmus;!zIte_cy4;KS z3yRSKXR1SF+t?!Qa6lEMy}7bfqg;_K%a_cO>4&>{vLoZO5yn-sULBs$$d+eWTu^&+ zmR}eHBDdO4e$1FJ^x*w4`dEO*O!y5aj zUCvvZjN3%##o#ZOKS_e2Pu7hq)cL24bAyCWOz@eDuAkuq>p5%Y{}7kbBBm7|%6%Jw zzFpZE(7G@Ig`$LdAIl8r#-FRwm#h0Iz|wDZFaK~D^8RL?)OqXPD0(%QsBbXV|5j9q z7+FTG5YY|2#L zAAZk&&M-YPa>*}buHGa96MkiP3zFb>vF1&=$*A6uti)D-wW~``JK{6R3KW+ft!^Rz_cRXBstukN`fD=I zvN%WcWA5+3$WR&^SF>)@?-u{taLu6NRrbqSXrS8kSvt0Q+LsoyaUOq#tV`v7*j#^OhQ5+3QZ zs9H#P3@C@-)~C{iK6(rqu>rvA-n$FO0~m=PbNs<^UgYKT{>U(&>j13Mzz7)r{`zau zCpGaVJl31g;XOKLCHwnu6Q+ zj1>0|$spkKf?yC1zVGS$)%W;=N|MZZUqP#8!2`AdkUv@uw}=Ig2fglj6XVru03V3_ zXM6zG*nfZrC*A(L*UJW(|L!%^cF_AQzp>h_S^jO`r6wVd`dsJ+3pBGB zqh_kN|A$yPw4(81reFj(l?AvF_K#M5)(=SYaen>sLiaP(M}BKi*@^Viu}2?gn**K% z0GOn-()ud15)Z5)P`Y@RCXbl$6$rhqI1+-uyW!aH{1s2VhyDfW;V*&uv%8Qh53*|X z3ucV!*8xWaM>T*ZxI_-3bm}Ai(AQ9o0ksDXdRIbrf6Z_Ltk6{mmSK3Lwj2r~4TYb7rJR 
zJdQX3z^u#o!jnueZu`GsM4%IT^&cpaf6a(|E4CO+)~|4gK@x?kCCgBZi(PCx zx$^$I3m!3~vz@sWR9h*bwn~XMn<4*v)n(fB)eIe^#T;l{hXQ{j$t+fqI;|bd98nL{ zl1V^P$GUv^pHMu&z;Ha3q>TiSspSkX!SC)J@p%7?YycXYe~jfd9gd9F-|!xk8R?*h z%_I~7c*WB84C_aXN#DMP_@Dg>SR5=(?ia;llKn=mq99-qKyW2a_(h+slm;xk>oi9T z?}V2An}A|J{>?{d>p5IF@pI1S0XG{_3``c_ln=ofW)o1|4@2(CRCj=xbYTMo{nRFO zTJzW)0Is2w_~^&sjvw)S16XE-NZQfeo|4JrP$iUEZk47~AQfxP{*u+ya>YtGtJ>$L zh?+g4vXyEqY9Vd%Ca}@5AX59wKk$3NWzNfQ5}gO@QBwjK^)BqiJF~Rfg{C31PD79F+!O!5nF{d*@QLE^O0Aw31oFObwA72<@oe*yu}!{W>`utA;y2w2(^!MVlRiMP@9$hEUZjOvNY%lkD&Nz^@Z{Bevv6 zEF3dG1S|-US%l#b{x1#Lh0di5qm9%(M5Y*y@V4H^Nh*O6$VLz;$zt9tv> zkZm&uT$WEZr*chhr+^;-7U!U1-LT)#u5Q8;Q0XWEd z^mCNJy-St5Fs7jYfx1X5$T0>&5d6*C_!lS`;cB&ntVTS3ImVTs8=GEjST^s|iJ6F* zc&HjGaSJTCHa9m2_D4wEh>YwS$R+{*?_U|{-sm!ziE!4bzZJRhA#3+iHvB~1Md4iw z|2F7gy;9|ejY2(w3VizaqG9p{k6Xv6gMdesV1ncp_@-|CtyU{do=5eM#gk)UD3M$h zq*^@>3TDBL-V9oAdXWZYB1R9kN~TQ2u-cqIpKjOAy=WlQ(xaPb3~Jlg_HVjFMpzF- z&VW{$d&GF|H2yL85G0D^Ju?i7CeqhCuSLz-?ye^KPR4pG0O>bx;k|St(?Qoq=_)+r z#NdnEz0X;#yH5aOQk_d}F1}3jfB}L-q~2TH2qH8eEL1=1HrM5e{m@#qRt9rWQ?ArP z5(#w2(2DyGd&{9w0FjWJv6Q@W9^FH2ob`BN32!}Bt$qd47EqqRyN$etbTJGWd-u3? z$d`Q#2!w^8Un~Lef+UMktz$`ugHtDk33%tZJWa0Ro$(Pz!1f2guN%)!F(Js%GAL1J zlK{Z=7hRPvu9T6=-$Pg3ImSyN9eMspWa0P?2YTRO?td}iS7T%-P?WA!I|h&bS1!mz ze1avG1ksLw#2;~et-BvWBw+B?Tl~^r-4FnESpTt6SI|x7U69J^m6Ne~fZLgJ<0#oT z4Q49@bA3z`Vyp`wPlV%vZP8l?z!LjI4XlaxS7scpjtL&Hzhyov*>A*?lr0YjS;gq>w-CM%bO5k-hosK3oEI z3(W1?@BTWwGYj?2_1o-a5*A;Y9fg?>E2Dc8m=yu>gC+kEgMs?%2LZRJ?6+@k+U#vW zM3lO!dw=|gc=VVKBTpXcf3~E zXb|vI6fgT!-_uXJ0dKA^@7HWczf`{?y1lwDWx~pPp$7Vb*PRo5b6bml&t`uxTMyKK zHcFOZs)Lv(at4<vG%`jufyF!}t}v-g_ZSaWV4V z`>Ug2$TX@*$=)s83c%x7pu=v=zAijy%}M~J9T)5Rw;a+*eJ+|=Z`Fp`FO>uO*$rQl zdk6yI`!!&DpAf8`8_f4sonk0JsW?whM(TrY>@djr0|lz;@v@hpo>=*^sds+Ce!cJYQrtrxy8v{o z09u61O~c$GdVskN8M#hotnnR+LARqm)@17yNo)-~TRCgxrTV13fYv37j8vD~sUpl( zSDN~mU`dnK@amN0X2bhvp791`*~nTSIWPqiIlet85$M-NopTG4uzNngr0Vcdu}c5P zWD0)GlHG-A3ylM-N0AolPbO1Qqv$cR;^qCEkI$@`8S1l}qx|&)AWtCO2vsfo1+0Z? 
zFQe}j0!={!;p_%gl`v5%rhEGq)h7Y{=N=U+yb zAK3Z<>nnFjz{t_}sYS4&LduyF#WhZ{4gMFc|HE&r)vx@5_z2HrJpJn@UjGNX4OV?n z%bSF;OE)}^Lt!JL1jZzKgls3vN)~8we$P{MI5}D-T&zqB|1Ucm{?E+E4JW@7Q~v4n zoa&XMgylLo$pSUG5?g1Ap~f5Dw_hSS4%elmX3qY*rWSziMp@iB7e{~G&}38b@+)Ux zNlITO$aSoZ;110LQPdxLUNB$;qxjpu9i24Eh_yKk_YAl;Aw18$TRu3WGi&Iz!Un0TZ`ze~fDH#t<2w&l=)iSco?T zPAi`{uS61%sQ*{L1|m_}He7HBi$nat8O-HmdQo#OJ4!`VQuXyII7Dgiv!cgn>%B_bl z$pzL}Ok761Tw9S3RK8Du1jJ29N{?K1mWhQzK*jpRTB@x3>G@ns(gT+q}K3CTb8XyaL z`uxR+i@v}XN@h)o8&I0EyZz1BDcQCkAB{2#w5;WbJg$(;_7#LuiOw6Us(*TU#b~dt zYw}2d7Wsvy0GwV)!Fly(&`a~&w`px|%`6>;B+iN+*KKN-NvM|9G@#+ZJBdiS5TXFP zp&71la(72V+Gtg#iPkeKKgfDVI45evl+F@U1j|h;lAS|0>4h@sjK$t{VEiZ+C7GZ@ zz-u;AsgrS8TO`=O>7i8oLn?1FH`WPd5-{X@RV@VG2X|2&!2kpu#@xRMODJd`#()hG zqw*A_v-F|aE_%cP2j6Z2cI=t5i*DQq);b-tfYDBkznN5nmCPLy2*SE}E(uT^?hZl* zqw!LPg8A+hVf!VXm_cb~<;rd>*)YvaqO0Yf;)6)CK$Fi0b@I9Go(>OZifG!GDmTdY z?4%7j>U+Q)iQl~2a1p3-`mFBv(ENNU9BM&fJ>p8UQ9S+kdF^MX! zTI)Pt#i6NVY{xoC=Xzm7GmOZpV$oOe(iv_k?#>?iFnm}#BMLJ&mX3@Jx~N3rK{f=m z+rBV5olM+HEV`w>ABF4szN0}g+USQ`8@gA@tv2(E=&F0^#xrH{4J)8zWnMbpCfZ7R zalPHGjX0OhCGH+gK3BzVv5RjgLt%nX=Hq$fy zhb2C$w{H3td}YacQp5#L*z9o#=5le|~%+r9?+t(wegoD2wKSM^Z? zkxKqmAnxteZ?0M$Ca(HYEPmD^qO;UxE}T#7uuzdsMruIk?HVjgX@Z3=^-FpV8Qa~YKb&^Z-Lj29;y?0WE%xm+Qz8*fdw3_J9iOv@GVw5Bn z#^&DA{cJAuWnxgbrezSyQRutDRQJwz+Ctuw15xgV2DyYsrq^7}!u8#=D{{>H*lEGt zCstYoLOvlxhdq3U4yA<(OfphBI&W-`dM zH2t_hXoln^bDij8i`;j3Rqp(=bVKoupj>~sz8u&3j}g!q!?IiW{fz--?Snm2ZHDXH z5ESap&Y*m^|8822R=YFBzGDT^K>^M4XbF&t)qVf)Iy|a7AajshIvnEvQr6qK^p^nf z++ak5-pk@N+H2@ltEs#auAPavJB!y=TIILyy;zq@vTGC8(9G4>f@Fq9?m-7$~jqYeF1Qr$#mi{r!o{-BEM7efXpRStzF>$q5v`$v!hm()wbO`u^`qk zGa7DOEWGoefitz=Z(*(n5JEY>1yf)zmF85l24lAf!7xU`NWsMJh%1If2^m_xe zkwQm$*jl)`Qfm54ElvKEMM{{!tJ36c(Vq4F_jpwa;FJs2-6ONpWX)OnVx~`nAY}JAVc_WicGECaQ2*1iRJQz z9CM8f-%fgjMpu|Rn8h@1cn&E+co_&rjZ&pBhU6A%JmP$PdzLnjHaG)EbnRBci!|D! 
z&qM$C1ponuL|Ap?2-A>5YkNCu6{Gt~{N{b_31P4-A}R0=TQ~}{Jgf^YBf2I(pvdHh zRHqU`z-mx}2Y_7iVvPd&KvalA8$<6+(ue5Cj^8y?Bd#kSN=97ddvf%34P%ELM~AT( z!5nZQks44p{g#2s(Yzu4ehe&<@I)s9jFxzdiIf1?Zq%If5?#hBBjPL@{MenUTLHJCe^HmO=D?%a3)9j28!`f%Yd+@VEfb*oUy{1erJ6t%Ct~i%Y zk4PzCFg_sQ-Havr5CAAEarZ;)sPskV^qq4+6~bz=zw4~MQ_C{NBw-FqX(QZ+r@nB- zhS{A9$P5A_FVAS-r9^p|F{$wCZ9~LLySqS{+qc}x`z`o5tv-uVaSkX2r!naEid87f z2%9JVh1F_HxBVqC%t7m`te;_D4BK@uc+?I%XleF|v2_j(h`rpQ%^3}yY+sGV zXRmBXhcC!mh1;DbyXzi$?(YD$zt3`<*lJ#M!i424!gP< zQs-K94PXTrn71ODuv_!vZv8qFh7Ow+o7|sJ35M8_DrIG^Y}ou`^NSC#0geh`uI^4B zW_v4I4_5}tk}xGZD>uW{l!c`lMpjA7Ru{XBW<&5@=Y+TWLPwzJ{4hH&+ixyg5Ke7jlHrR?ORF$gMual$y zeTebZAsy5sMJ78{!m&OiG~C67*n+Hv3d=eiSX<@mz<{ZZypS9m;2+samoVWzsM-1{ zYLJi0{ZDrmi@cbH3p~@rX<%N&*w+1ay1W~8b%-Z^vUPs zPwHdrLj21OPtUDMb9esvZ3-p;oeO-DP-bTkIO6SplRS1`oy9I4RVF5R{`GQZcUMXa zzpjYB9EORqrWImRnNbqu`}ilAh9q)|eL3L3y!Zo?$xoxQE4|`(z?QyaKm~HK3_E-P zm78enhQJ19>QjLUcYa}g*}S%U0cts~CO2)|rf)cER$06-LIbAlSD z=S844Ad<+|CktUfXgo}9YX>cq@n&xC9vmE8fa=Z!f=`O-rGB5i3M7r$F6v~8odV7) zl?&pVJ>l6FbwhTewez#2hxto3RHr=d9A}g3y6(nfkWM;+-*Ny;r9$X1bEnnSTjH!r zC1R+In>3i=7`$6g8Y@tO28Um3?1c{#%*-F&c4YKi0EPOFv3n9!iOp74&du7-+8w5( zyu0i+m>aK->u@O3IJ0ugTC8X^as7^HJSp86NHo`_z91t9;S80oj`wRI7lT6zKT&cd z^KVaSu9Z?u3512Zl`0M~fo;$qpP39#rCsoH=03qTU@2GAb?WQ=kXIVR!{Hdd;;d7- zI=9jXh>Gk-!%9ZP-3OkWj7cc7NTp`L4~Ml4)n5m?L#LJJFJ)?+>x!KAqfT8}{ zWx)X;WYJC6n&c3o99)7hpx1^QvbJ0zDnf@K^GF@k0b}$++kw$DUot`BIAT_R36z)r z>^%s$x_|lRe|~SvU3R^}>VNgvt-#QquAWYf9@g}D!aytyZ?XphAo)(>RG!TQV$^V> z6+sZ_K6@EM;Bode%>M%2%dR;12aa+{5kMNh@)xOD0+28L17WtKu3awR;df>QfH!3K;bjx})&=tbOj%F-5 z_N7d$Lzo`+`L7ep3)`=h-o91_iz7Zm!wp1-n-Cu@&LJ33u&h-&-1d6d&3HEVe&as- zg&$-PmmUy{5f<*+i6J^|2o`O%`i}rXz$(v+UvWQ{Sk`s9md=Y%$310O{0I-a&i2Kw zi}$$WMz>?iU)56C*Qcy^`*>4FMt%pG(_bIX&txzVi|Ony^{J7@&#ZYIR*yqAMU(8k z84Ki__n#Qt%G8ZLEIZ#VElo9U+c(na4Ue98YRPTX`15gs3fRLk^;InuvZ3FRdLEX| z8`#$_KHq;dVuy9(z(>n6Ne)1ZzBCzS1-a_DXNev<%Qbv%jsA3cA49V<(XwA#N30_9 zJ|gvUd=|N?0g7(PKb|)SQWi9tDVS_n`1PCeD&JGVi4AnXfc+2Fxgu1t+tJ)~j_?Ii 
z1tA4h3BIiY-fR3pR19G!ANm#(t(8nMaGRX}QC`ZWoXYAohLeAytnzkVFeiLH|2mG-a z!@|A!Biq!N3kRF$BlyB;qDJ3AuO??r5p7>j<0cu&ISv(l3VBWR-Oy!++|8JxWfA$> zdBtti|7XO#-0Sa_E85&&EdH6;y%_;kFQ&z=yQ@uD0|JfVj&X!?(n7rH`T!*3F?ml zI0N9rr7B?uwEW|GvTTGmRuJb9_hVmfMT(Y1;<_Qi`kRB0U$%ELIiKG|plavdbM05& zrY*v#6h=S41s#q_js{xD6EiAPJL+r%lze}=vhSFwrW}_r8Kc>pvLS9j{Aj5*hvSa1 za4WcEGe&W{!1GX;V$$y#A=l3E&`v}KV)&5CrYdJfe*TBhd3s;eX>1$+fx6p#Dd{Jx zRmIv}G>>xn>AM#min+|AO`W5Jz6R=YGI?SPH=na09BQ_*e6_K)o|t!d3XO?DAG8Uh z(!cckGByQ$r@}llG|{oFw(jp%X`R}$f-oMUP;YDw_Rw`|${p*tSS}wAhGP%|pKSOj zu4M)OnBsR?@4~m6g+&ngNQ%=T^zbASh|pgm;`%(rT)*6CT=3ZVtXN}tr>}rL4Zov& zf3*6KZV}e9LLj^|(q{H_wv2aGRK;){5f)=y>9SQn#29y<`(?}Jw(Fi-vk?Wipxv

c)hnGEETuFQirEn#7>eEs||x=K$@UhX<7(L{zZf)Vw^oq-ee zgtNbsJV3~)mvVF|#mKm3x6;AWP3Wh4d6>}HRkW!lO$gC`7@MoIRDt`ZxB-86bI{c^ zCB~#~1#ec#JN$OxH@VQJ;mR?4M>cMJ=mA1e8l8|C`w-{ZyH{vd?5590M3tOz(Zh6b|Nwnp3=KfM8HN=h% zwrXh|l^@Knk#PULMK)VKb^FVfEmswbWMGFY*VeU4lV9QP@m^8!RV)(~nKbG&*SA7U zm8CLkt6K%pqPY6;g&-2Ps8ZmtRQ7gX)2x_MU5bM^jaDpt2Se$~7DTA07Zry_qDmKX zG(;ECG6x~ve?uOX-3QV>Bf#iaay{WB45LH11ZPE@3b^~nDydHli!l*6+q{Lnx)J(r zQgGc@c6Uy-btIHdIZkfvB`cOtVp=V*h2?IMOLV|0OGR{OYX;)qZ6U?)Vo*V){Q`wU`aX5v>nXPj_W0kaUvA<|q$D5n*-SfeBGX zx91hQC`(nO%JYR1Y5yQ|9IkIo;B(c{9J=tsHhnvYgOMR3X#FV#Tw~;E&P|;Q0RE8J z+K0|)h9e_MqLk(3)~A;ywaXy;u&da_N65zmeXtko(_bzKH$yHH0)^n@QVRG4E_!t%6d$m!F9jnWWBMu)i z{yrtN1XMT(7&QVYH-0u_4d@!>b~lzN0SYMb)1c&no9IG((w4Z9X5cgb-f);=HO9KZ zPLfi|6G%Agtw4GX724V4O}vS;i07s@=EDFx*w^56PJxJXqP_#*VE~oCQr3hPu_JCU6R6J?Q`7U@%9T*%vTs0 zE^q{9-vwi`tR-H)2bhgYK?)q3;~uSU6r4U8G>;6%XQ24O3m`yAnRzw&NA1_rp{?EA zzIP`bibReHog{Yx2c7YaXDQK5r-C3gGwB32blSNM=iY3MnZx}&4f_?h8X0d46XR+8 zlQw(}=#wRokz)BJn3@9!l5)-Jg31v8pQSce@f7|Vu_#*9pW37dR|=6Qk_mb^TnDRq z_U&RD;e*e;s&0pdTo45b1sW4c@sppNGpS`a6U%gmFbz`5Nf?2}co7WG<~Xj{q7@Eb zz$>3&@AQ4CLwSpQY3}?F;I6KQpaK8}d27x(DeLs;Lw|`0yz4OdD`@LdK|X?jh1|0b zF48^#)G9c`YrZFVB-DIzd3JtjY4a(^X-{F%$_&P@n_5h6yGrnpVL7$~LBKyyiv0xl z1j3o$R~N-;0YYV9x^*!Z&V66Fd)($@OD>8}8;k<~_wqF#Ex7EQH^|~2w+ddE@wk^{ zKpIDe(7%oyG!$6}sL+YV{^OF?!5kW1!#F(6`AsyD5N3@%Y@C?D=$rTbTkkxOt3szd!odFx`zlxo<3s*M z<)J?{-Bt#}G1(+Py~SGzE3M-1&9CwtluuvTO>Jx5rmAMVHYubRL-Dp@Q_B;g#}B4Q zg=D{joG`=Y7py_qsY@h%me?h_Cm=%l_n$rbD2X_UEVv_)01U;rwKn44e(C@0UFf(O z|7TzRZ}=_*cmKb+Pydx>LI0hD`CobP$#bFq?OEK)3vyG~2bE*e?tM<4h0Eg3%#+*& z%LN>tt{b1HM_eRNJ)3B=-<{BOI{6(E@8Nxr^uv1tmc5{!=2_=|@hwo;gC(nicYs2;5-Yn>UbDsXo4}Rp0%yOTm*c_mw#7%f`4$f_iFnqyS*8Q@<*H^!B zkum9EWj}=p6dVEEf(gUdP59ptk^tL3+HoqOfWGfcG2Z8bza~d(-8Lcr>pO$Xxg|pM zjVo5g4Two2U|i=2ZW>fRYK`KN=FlsBsBc|+M$Qm|C6_>`7_Rf>vByUtJL7UGAqt!` z0J)tztFR6daKXT7c3+#B)E>(j0e_G%<;@HZ#-tnhg_P1`0RkfrK~e$R?J#JO>M&#@ zy%{~aCsnoLwxR}9gn=%YVaM);+?pKlw!qlEudIMeRhy!{Mj-x`6!wFO!hh(LEm^;r 
zOFwS#N6cp$?q^&czXeUVMyGPt?5#PZuDcS10nx(^Y9VUC+Mfol;7I@cnzBFj%6-nQ zeiND^`-L8bcdsYz5au$?~Q0=n;Hu{ORBuWhWWul0jc@)a5TGJdyP>a)A>W z;B=t+y;xCzqehRpjB%{~;*-5;^Rorlu3!CPOvixWV;7u*f8p38F+}M4N_Aci?uY!1 zn!_I`M?d9~(s7|OWCjpJVPHe!sz*RuRf2IGkD3VfSHX*Iy1MR4v+4Ad-kTahSM+hd3w>U0DwMK%Hc{=4USzT|xVmE00{eb(0 zrnPkEaPg8wk@d2KeXoV%rmqb2_VFLZ_uXG`eH^IL`-=&@2)<7%Mq_2ppgL|FDD80_ z!;4j$cGTB_)|HGEtAi@XFwu&Yi!WwhFIB#eemx9Ai&Cx7JNK`!;80#4OkfU(&XNj5 zq+i{nnl8kSIgamkheAV!t7dwC7pJAVBu1-XE!YxN0zWDdTB9fXm7f=10&sy-ot6l+F?f=RSr z@HqwD+uzb<)aJCGC=$q^yvm_*KEh2UfLctmAIde$Zn_ITufcMx|!n3T)TVvZdpy^I5v7zqvT-CF#r^c;9SiD zFeD34sD>1$mES!Y*QJV4Za_f5(=72_sDEjSiY&kTLW=epFB=vgJ)8V(JRXknLH)mN zjI%UifCphFwU{MEJW!of{6iQW2qYGv?vZYEh$lVWn_0h&xfdg&Wu>%v5IH=I)h~`0 zxyq8rtoe$JcR>o>m!qNvxTzKI#IK^;*Ag*E8P~O+=XXLxD0WwNW3R~?b5BN=A}-G@ zjQhAJ{1nD0u;F`%g7pgXk7JT_Ak3-tI_-f06R$_8ajA(OaoMUMRUZA!YT~+bG;*S( z&`eC9tz7zG!BVEM*sX^LWP@PD^;}l*cK#yQtyah_k$~=Jb zW$m*7{IKO7?Z@07F=ctCIpURK-rU%U8rt7vC|GXW62Ni@`%8v5Mgr=sM|~c zM91)qBo22AO?e_G@leKT}fxpf30CzF@FS=(Hk+z}ug|ItIH{<=60( zbA^oe%o)bLA^0hyuYSMUWEmuG;xMK-x^b2d@))hDP>glhMoH8?E>ll*D&YHRn{K`* zAxeoRC@Y@~_XaaUH@Y3L-wer+UOj4{^~bLnho#zz!k<$ANso>?#Dtg#5)@N>L*aQRILsXjCZfrJ)D`_@r1*yBx<$Zrx$=R^!Qx-tfYEg2 zwiURE;c}%{0Kt}wgzvL?P*o*O@&lR#j8OFPggK9Dcog~|@l<6xn}Eu($v^lkJT}KE zq9kttcT|`KIx-)27GHB1Q#D;$1{7B^ilRp?zTdLy3!Gm|ybEbikj7#`GH12I{XQr` ztPY9@!0D71%OW$bMND-&ucPtaA-8pe9Df5DY5JKEkf}a6_Mvt0*rE-Yik?apmw0Cf z!IxhhUI43(G6^lzkOYfM@WJS@tNV5%5jM5BXD7v)%f|CA%(M3nr=7SbTj;7mryySe z$Yv-2GhUqkieD7-=A-jZh0R5^whXRUJ8YXtn_`-GK2w6TxqfEzUTSu}${2eGjP{4= ztk94>%SVOk0aQGyin~6t^IOqYK{>g=TV!2r(N5ruh0-Y;#@h94+X{}W?XFcO;h4!A z^W->1CynyEL>h4?12ToxEuKRc{`rZ z86?tyrZfug85n;?xF4w2)TZrW7oU?0{1mq8*$BkXnjX`qSmbqx#W0v%fBwD5x}W?m z#YV&Jn>yU)pSi`C)ho?A@($xlkObBw0dZ#G=|Wm z{B-8>`_G#@Jz7s|R+h1pxMRX5ck>BQZaD|oQbLy0s{uD{Ufv0PVo1tAv!&Hd6J$yb zk)Y_RKZRK;w7U`rU*?y1 zx?Qz53Z-4>{c?QP~-gnDu7Kt|z#TlP%&Y~|pJZb#(3TM=2a zc0poOZyUI;?g;D$Z2r*I%n&H4OfNQfR+A-K!oA75X!~>h1?S+s#cH2dk7eSkldFt9wXmZpRa(%_N00;IVvo`eKDeqU 
zW;pCTsIOvad^j!8`i+*;0n6N8nNZ~jdynOOuX*oKA)_d z0XdWFlXOpviHSWLuAH0}CGzqq%W95uZnsyaN0eXnx$bVta8Z|A0qr_3cEIy-r?WSz znt$TO9e_mKY{`1GMy-p$U0**wH>WHvG*x=1gpaz7xw_><7}LmIZmV(}O8VUTapaLs zYOa@Y^AhUUQYeeNgxf^V2bGfD@_-7K3COrFkiuR)$yWOqQ1 zRUtL5rNhAi>0eKzse7!@AtJ${4mstM=iSblZ;5j&wd-&oP>(QTj}K>c&3D#!8wGfc z?=B9tRCaPkbb89$(GDrReksP?9!8VyDN>h+4d)i)WE!s+kZBs0aaQyFvvHRdF(7T)Ho-t}*enU<+0jnB(qg{Dw}vfW-;9PbL$f*}s*S8I zmlwX6sJ6tkJX$K92*;W8NQm+=zFHFh{pua;^)Kr^YanYAzfvMl@6VO9C424TezXNp zYt_hbDx%vfjf_+KMbAfv2nh;2(2`H*cx9|8O)ZcSWLlizSm01d742NyEa_fj-l1wg zkC-5}%Cgibc|wEeQI3SVMnYQ|8FG}eb5^)T?T(7w+?Y_xw4pH(sp8m-BXVYG1c@zy4rf{KvX^o*1Lm*IY0TP$ zn|7wVyg$lH6|meZdcl>6WZdxZ|#e zQbeaaV@ns9EXA{gQavEl-^0MVi}b6Hn^U?o@tA| zas(bY1B`L}9vI&O7Rw=?d?H0wIb6X_)8JIo*=627!D3JnQch~g6!jdCT4MSCCa}P5sf2ym6XpH#*I>+biF*yaq<(fGggOxI*Pf>mjbTa zW4{$+4x)R5WE$E}>xY;}T2YBTPF;GW`hgrm4m_9rDvkbvLH1!;HoC$#TwLvxy~_>; z4LCR3af#CjLz(Yaw%i+Uh__rU`NgWl{ktblUYGk(F$VeWlnnHYC1%K~EU;=>6eLwx z&)gX)tu;ZV%G;OgWpulrb?Zp!4}B7sv|eCF%@VnEHh&A8`Y{>erlOYqD1umGOwxc9 z3l`DsMG=SdDYmj0dLKCd6 zv&=vsirWmO5gVRC%j|lY+2%k1BM@b6T#iguj>yMa7PYV}vx;u1vKLe(^B}mfq~sND zSVp(I^<|b%v7ZT@_MFgGURMlY*+JMd_(j4NK;9o;D~o!E}I8>O*O!; zm=6x-x^J>W_6-P=v}Vo`ZXZyI^~MW5*)IS!^r9)4E@bh_A5SE7_zq> zf?`{J&yuXBH-q+9=qZWC_N<>dNE%bZd{Q{4euj&S%dep_JIa|6ckI%963xCTFXe6b zJtw9D`Zc?$4_f?q;*3)6g_oL6xr3`CUVwwT^PTcs8qE=0R)wIhLAg5*qYd=*S)*y2 zL*!CZUMRETe6MstDN++CD>nmxR}wleCS+J3xX~_&eW#o5l~N!FLW~c;Q|&;9Pb#fB zxvV#M4ZnDfBKjT=E-sS6(~4)sIOJTSqW1LN*B(h+ZD-PY zuO95L6BY%oPxFAUeFLK%vaYCMWH&uFIMQP7R}U8jf61H_1+rG;yFXS-Gn~PE zy+h5^O1}EwOZk(ASqbbrvr15VqGMZV&gS`1K50qOPC}#cYRD^%vi4lR>UyhU^c`TV zhjaQ33_$Xp`}Y8kK>mV`8OiMkd1`3y&xPB7QRwt3(_?F$cFw8)0>@$)%gA&WSLpE4 zRYCano)?M`2|g?`Op{-rTBo7qaztr;>L& zs*cLJGsf!yR4G8=s%s z38{6a%F9aIj(|h$q$1t2@4ZJ#5+fd<8?1Qv?X=Z0OBK-Xnw@9c6WvDmo{B26OFkFu z29cJx&jSV|2=cFjz2npD57G@(J`(b45+Xj|n63~^f>d7<8B4&?RfzEEV#*(TloH%) zCKONK%SgS0G?-G8ft5>67Q6@(7-itKt#j)91+~;Ary2qnE0n@<$~wdV+e) zAlvc#5(S_g@Bjnh%Y6yx#!q>;!w=^=_s`xt%_zxQ-@IK)Qc0gcLuXcP6CKg!tReA+ 
zBN*h?AzHnUa8Z$9k5fDd#2A?y8xP_EsYA`a@yhGq#x`&*kZ*@8{kDgAESOUJ9MLjh zBRPS&qyoo^0UIKBjsqQ<)IvTa`)Hc7bhCMD(#Q$ioD}dWTst^jEj0s3x9_j?+%kDE zIZO_!&-n%Fmf0F@7&<#P%y(x}&P1<3ox$5Jn8%STneAMIgKn7NB+PU8g#C*;?+bD@ zLV5#AC_~w_xdyP^;iNja_k-5yXriUyiIz>AOHo~06WU)Bu2@J$(RsR7h+qRor_XO8 z!|&ImDZlsH319ZW#b;Y@9n=vF=g|Fp|HYymljTkcID0R8`NB>f^o)y;eHafU)(O%g zlff-gctFW+T^a+{Qa$VKLV%ptKCgfak{BEkt_y@Fnh-BeX>E;K_y!l>$D178j4o-d ziM}>a#MCIq*_EoS1uEmcAGw@!*pi=nnJevUxdb;3`;9r^muf-GPQ?khAHX0HDV{w@ zk_zw(zm4{X?xCXmKQT(auLt)JP~I;*)&K1iaj=uvMj|n5RIGO1(+6FMkLO6bilo5= z2l+in18XE3c%q9Dl<@8%^EPg~rp|-_JFDR1?PuN;+(?XMY+5O=sOa9^gci<60Jc{$ z+!7tMQPn1jO#?>*3Q~|wc`oR%5v||ntbVTs0q)YU_1!gav;h`gj^AMbxjvuvJIu5^ z*X^cTRMuzOg7`z%aXoH=&2w`@kR0AfK%C(JyU*AXaYV~dF+LV+=&8L#h-Lt*N4lO~ z9c)-lFr<)Aa{#OAepoPu#yzO|i5W1NR%3&G{l zcwlW16c;M7I7}2lM`?s5(ur?IhU(86gIcLDe{nvWy#`wEt#q=ysRen}qGhC*Uje@H zD8~3wBH#;_vNPCIYY8%xvV^9mosg{zKf=x-nwp7GAz_S-8h_(2iCrI<1O-#8A2;@< zs{m)F^<&Ow13^B1F}3@X(Ccv@q7@#7M3Z|zmqq0*`qw^}FBDf$G!l(Gd&v8q?s5{e zu`{~U1x`EHv&##!G2DzC#xV2A$`d;|rqJKxl8&t76NIHGxe zhSNVep}+HnYkDZ_g_6+{i2y;{x1ACRQ{(A}+ijw*%*7VN6i|iUkE?{bqAwM81vw;c zM%XUgv1Ot-629t{QThUQ*cw(kAhq8R{RkuCAaeM0l4Ke(2`v)AK9PSdYBCua@7m}2%Wc!HS2Ny>M0iw9v=b4GKw^?L4tnCS&G0%X}#U8L?0ln6LAiuC(|;7=9pa-7|fsuII(0=NH}0#Ex7Oe# z*GV8zpDh=B33@HA0rpQuQx_N5vOv`U%h6v|d-_rXOAVh>6?}RJv=ax6CH$P%0{pCC z-JAzAZW+HNyNI9T@n#sa8AnS zWt3rN!N{%xHPg6kA_2HS(c16W-Y5;D@PLsig`|Ly6vTW>`bB)W`Mg(^<>reR)xL_>eScmX+7= zSekGm(GsV9g<~Y!u+8w3_^*$`a)e<2oSY#oB71l~cdg0j5Tfe7*8p5(1DjH#Gt~+V zlGa~Y3`484zmE#X0cSB*4m$r2y8t@g2LA)QKn-=H#KKkg|EulVS za;X$T8k9>oV66IDImlP6V66IE|O}Q1Jj>@?E zJ$p#K=RLpoyytV?qANLM9&8+UD+jr*g zBKH=FHz&~poss9ScbT@=dq|vZI^sMyc1ME!wk;U{3Df;*tYfKjpQc)KYp3H6kM&Oq z=GE0^@0gnyC-=)kH$mkO*vXTbMUGKty6V3K3U*-J+A(GY6bdr9g+d??1CHKY{pNvXqqwH`k}ctJ z^0llmbHn7farVx2&7M|IEOR>;={rG+5NhCB>h^Qr`?rT6^@uuqL^ zApdfsb+fEYXH)=ZYA7NFB|`^@6L!a|HV8f#bStcNE3m)qRi2b;E>{cWK+OUF8zxmR4*J}0+;(vlk7s^)4{=nQtb8R`kBmb6 zfbd_JeM_00vOD#O8ZYj1zG4$Ot|m2Q2-PVdYm-~$BLx#bTtC0A?RAtPZ=6TNJ!GVU zknYw|q@JGW)_FH?y)^I)Rp 
zWnA4Axi=eO2Y{Kp2k*M@^nH#d2V!hb$2JJ|`ka(lj#~7|8;;ctO`0j;7M!l6j}#>{ zfjO>D^a}^X&U$k2zE8LK@b7^A`fKE2{nYT>#r}O#9uFV-*WVdYEZt&F)ft}cBM!f9m+Qt&O?-4Kt-#WJ3w>rX$mUp`VoUICP5nlNkB& z7l{qWJgC=8ku3V@7lsQ+=gZ5Q51T3Ok%FZDDBwZ*(tHJEf{l2M159#5+rituyyj`K z1fH)cOQYZa_JxQGfh8hdf*y-jRW*wU&>9x~@t#>j`p90eq4!DjG z2TE3<|4mJtO~D!4tHrDP+D_lRxry5$G=3S*^!jt2FAmiD6MAvP97>`^$6b-}f@G{j zv!iWEXTGKsgNkr350Dm(KW1T z&1GVi946jOcok4Tvv_cwqWJ*hhQpzFB=2T#C0oO(-WQiy19Fozx{A(kcXPZ+ns;qx zvt-MEtSKZB4u{{hS<0+t&o2K8nfxkl`rOLG!XgQ!&{lf2YNTWo6ck`;1rA798;%_4 z)h|U2=0&MJsR*&cWkB8YM1EO8tKDW-J7>xE-KxY0du0G|4Slqv)MJc;iC2u%yy&%j zA4c!=acO1|uRz|S+sh$2)iaw8rcsZ4YBaumf_Y(5gjJGH16;hOp7Aai*Rx5~$|QxX zHVSBL6^52-CRZMaO2ym1er;2%DK^A0o6{w4^I=L#Y7rl2qMH;-wJpk1Q zg>LJohoCsU(QUx#>nWDwIpeaDqzDINY)AJY+EXFfSSGH>X17{FjGcWVQ%EJUc=O#8 zSO@&wIwCG%Xq4FGBA=XiT7_mle102BXhj_>O6#bhzCz=cLW2dw9T_a<>I0R(Ib-zX zCeQG5ntq*QjiJ-gk1J~BE3(eV?5?46kqAN6fuAwnkC@ZZS6T@E7u#t^mYQ`GOk~md zR~I;0dR~fW9>e(MJySUfnK+QORLvS*dHz9_qjZd_hUEiAD^w?H+w77~MLf6-Q8apSoi=9(BbNPQ17~3ei zcl9LR)QPT?dU(I%?x0r*nXD>19T%p}3ws^gCz9{ttC-_gV^z(kd#VT+x(HEuLj!@T z8lxx&2zsXv)u<)TBDZ+|keit%=$H!J40)yz4d&Lxg(GhZ(~M&Y>RJw;Rm^?v<|Km_ z>Pi<~Nv`yg^S6Yqv)a2S-P(D3Qsd$&7KvIP1eYdwZ^Kd%A}y-f%_sQJoa_^Qo^&dqKDr|H0(0sZ9`mM z52u@(DI{{uvyKgJJG8)?`V}0@vHe*u?hLrS?cF%-a!R8$Ffy3#t9gGivq`yYDMe4i zl7m7D*G-$q!)WCOFLKef23c_Hcg}f{zjK?xHWbY(6S94DeIa5D21gVL-s&NQ0!XMB z38uu?1|Y8X(_0F@L(F3I{O7szIE3ZS2aX+t&wyN*-h$t_&XrUTc_*RW)(}cA9FT*p zny($31EYT=$JFcmNgxXP-}y-Ne-?;x!z+-Qdj*Rg+`$XL><+Y!Q?vk#JW0AD!of>GV_z$rJbS=*ZITDf1nt6JFQeahlApH6R! z?iSR<^UTOndNL{OW#KM+z^IqTA>`f@>UIy!6poW>S1R4=ESxdiHVRyG2j67Iuw^R! 
zv=^CTZgUlfZ8uKj**zbH1Y_3Pf+sv9oK7QNVfocajW-`Id2w=2Mnvble`AVay+r1mJ2)=OUVy$(MazhPt&}qBkDeW=HZzqvbH@2Ls=bp|Jmb9l!jsXwtek@p+xfK&>+^+Qu zjKkyIVa>)jJ`3U#POp}ORdvF)IMLQ=TT@fy6LCRIVJ42<`mjE04iPI$<6!Y3ytgh3 z?#N6bsm6gIplZFVya8Bk$xz5s95iaFlwf%dStMOH5p~M9xrJDgd|@p>$_Y}RzH*tu zaryG>0!@Ql*Dpmay?grx_imsbaUC^M9ozVHeg_-hSLO^DE4)T9*e}p{Nt?{>0}nGP z^jT*Amx8I0!@h%=ug0=^rCsIq*}6SE1`|8)D7fB?B$rJ4cq*5HDCH=d_)gBqfxgl$ z13nb8q9V;q=MdSqEJj>B-NhU4sM_E<6@36PcUfiT5Zd*ve1mIM3;{O4G1`Mkczx1Cbeas9d?`d=GQ~f<2Zk|8*rT;kd5L zreX8ElQy|VE&0cDkPBdVGl_mVf4rwE-26V8t7|$|#(FJ#aLwFYzvO=LF@T8q{r!xoZ`25}p@r-)QWL|n zG5M$ASl!y~Hj@c%uavttQv$?Ps^PjMe?B$Lyo2i5FwP)WuZ=QqW(;%{u zJzH~H$9#3;Mdf=H#WVw5?aVc*3@gxfqBLt$f7k{Kuz3Kn%BZWFp&|9PIrB*Y=;W`M zPlWmR?C0M#pJ@Kq?||IDWIz9|`9wI9ga1g;f3=@~iJ=F?=P39mRZH|W;P9t8SLI{Z zFLF5WPZYpaIndJ&UH2mbd8w!g(qWZV0IKyPnjNuLMFJ*c?m1^k=An4}W$=Thz*!o< zlOhL~&$~+L&!)|8z{g$;p4akg9!tPG0?99@d(0f=;)0UR@bAk%_M!mNsb4n}FNT=Q z9e|GHwMciWb#^ZY|Ec|Nu{*Sium80TMdJ1d_zxB3TWpwVeV{*y z{YK{20Sfd8RTc*jA_Y&%Xx(to*SwEXnpz02;B%UW%U|s?AxY!xk>klUfU1KqF6f z6#~awpg_ZhfY$Ec8pBDG9bSZ9{YGf)t^JCO0+uf(A)p#vE=^C0*SpPw^d;4)Dw=NE zpxjTBjFIO)R2c)wy(or?z5(=Uke!3?l?L*@0aoIB-o@F+cD@kdKdmoybEhoG(%W!Y zF)NN>dErt5ziia`l&Vy`I1^`Z=_vZi(6^7?_qBk3%18uYx=u1^A~3q!=tAL6>4^Q3 zRH%y!Cvi7$z8dJ2ej9kHPYgg;ni5J(x&HVL=x@H2ehkpt>x(;M6UT@Q*~ZX7H_BZo zqzmB`R^Y>pY1=uu%l~Eb{BU(8wG1_utRY zZ?7|mFP!@uQty=>Qx>p+m1ps)Yk@`h)+YY_AO}k?;WPYNE%YJ&*I-836-6U1R2I(e zfkkeUC&UmTbk140#W@K2cn_FS|D|PLV1gewuE+a*W%z-|5ZuID OfB2ux472s^&ix;(MKI_9 delta 50830 zcmd43XIxWVlrId3iroYeL2021BGN=aiW++F9YmVcNSAs*Q3*&1Rk|R(ccexUrGvE4 zLAnr%0-=R+PXf=(+_`gSzPxwl{oqfMea_x%ukv4IubrM6@?YP{`H-s0GMCQNo+lw8 zxg;kGS0^Dk1p)uDQk((5x%l399Q=>eSzYEaNnzKmMG_L@yCr=0NlAIjtVs_p(Q0VQ z$*}U>du-ug_T1jo$rk+E^@X{qi-mKU=anIu$OQ>Vq~PP*krik8%g{P9r-@&!Fxmw$nefLXB#b0-@JE_2jhB<${ip_Zi%s_K*1O+^k)^$&JAGOdA`lcpvGv&Q zhNgf-h?vbaW(d`(o@`Q0O<7F=H#JFKSkS9YHd&Ohdk)^m>P2B$ne%pXnfplncJ&cQ zt(CHe^03FMSC?XST3Q-x>J%x3BnjD7KN50A5>g64QZiCfnB{TgwN}E%e;o-Xfqs=d 
zdFbTZ_Y{l}>Cdtk|LtSoSMUF~&yrsPNuZ_y!A<|HaQrg#>y7_#GT{Hy+5XGP{7T^0 zu3c|S+P;JmI>M)F{RH&T!cz2gR>j^DwxNbDb4tl?B)r#FdY#ajm^Bm6)pNpofnC}) zmu?ERY6%^xS$ZEmnHGuO+Ar(oKy^2MSC|XJo@rO%(xJvD8TtAeC#!vPg^t>5S!>;V z&G9Xd{z>u;CXFl~u5R&N>Ku*Q7-g+Kd9&>&vCN|FzY@+w#m55A*82mg=W-SBZ`G^H zX@7jb+VX;IRj^bqQhL36>Pfm1HpaSY888936k-eh7$P(*3JYC}7PbV74i@Nk(OwL< zW2Ca4T;|;HoHxV|cus!wHHzC>QRG7JUZ7?#kjcIO$BQUb*)VYH*%DWa-h1T@k*(JK ztwPkr-ZfDJmc!oS!$J?T{$`a^Ie`I`Ls)J$x8-}5)i-h*lWNO+qod(4YSn12Naf&3M5mr0y4GFv$DZ_L z_2r!GbmuP7K}AZWs%DbC$JTe9d|ZLWMy57=)R@0+WGeJUp6iR&UJE3yhYtCo$S7at zFKu7{8M3P_cgZYbDBgU<{s4KgG*Dn>4=6cFGpU;nAPpZJsR|!`9_n4kRZSX9hUSEo zd0V+y9J~!dPU2QQB3REG53=Ho4)$>Q6z_dDia=4#ZHuib+H%F_E(EwslrEJz9K3B} zKzMPX#zRMs?n$0GT4ZwcrCgj%=Yn)4kXrdHKSy=8#hi{t-=cxpWC z`{9{hhgi;{I|oTN4?%@7=O-QKe%rO1{W5zcbt{&%i^qGU(%NX*eHGWgYw@=Ja!xg( zdm&SamI^=J+)%w86!@U1tjegGwedho(|U!&{?fYs!U|88Zdj?u+n@I-BpEN0zXu1E z!tgf_N@W8?Rf?Q1=XAlZU0($_wq$y{%GRo_f_%OqCIv)~h9>U)QpbjwMgF*?ka+e* z)px82{z^=(cM)PK(Y_c>dIGEXw_b5-?()ZGuT;Fj}{*kSb>YU1)zt@!$LMFKya1RC2Y9x!-n)=wUV?9Y-}=U*dxa6OltXx;?kbP zr3T}}7x)9#%f>)n&2ZW;*Kb9aDMZor&ad1Dn{S`bn9FHsbw2!BFqSk2Z{;BQGS32d*V!B!ZZP$hHB)--w6t=}0m&y6w_=Un>79bsv z#fZxBQ92E|0G(Yn=#;qb%Koz!Zb;5ZDyR@VcM}gfJfncypOQTvlaR$pf9!y!(%KxQ zs(Bf#lwA^mqLvi{a^Tq_LqIq^euK^ln?f%iu-?vjs!I&-D;I#59@~8)`z+uh zgSeq(#|MDvlT28Q@4=p)(g#uZLc^C+Z!p~h&7l{EP_OW7Xp_|jyaU#K>1eG6dl!2& zSYTi^_jkf;jjC4p;9GbUQ6=;s*C@(Jh}{{;J? 
z;GZ+T*1wU_l9z$?3#}TfEEj*enPG3`l>F(%pp2MjKUc>}%yswrBq7|^Bh!ka&*jfw z%ds@lSW0Bb=y0u@%CJU&9D3@SYkw-JUSz=$zVIYS%xTavXY1^!0ht}Wu@x*4MdPm7 zC=PU^mVY!=pB<*LcSK~gRDK&UhMHdR+i=&)(^eV_xI!nQN$<5>(sZB0Kzte7kI6nf zz#Bw3?o7R-u65Yo`HQ(!7jYV=roIktF;+G^vO}Zo%6ere= z4L@%{$EKM=SwqjAqO_Y*p(N)s)@{JU-T14H)O{V>QxF`j(@8rJEZ1aIbtwt}LTPR7 zH=O7L+>NomA{r&^rMJc&VG0dW9*`qs*fjNW54W_r@kR`-$#16@HdemH->R8=DHlNJ z^QY#Vj#?1usWXAlb9m`Vy4%IfSC;l0Pg5JJF8`Pag>g9QmYO5q(+YB02z*h1)h$is z7X?{9z&c_Js`R0$ZJLYyGRU_;?k76l9t&v^F*0M@bo_-k<^~E11~SVPO7=pU8%K#{ z%CYT5bcWBc>CW6Q3UQe#R`RTnrR~;{RIg(Fg0dPFtG0QZEW#Xho?!KRpw+_;V699S z$sS6GU2Ma*{fVIPN{GN`j#cAijcnVSHW&MX>Ac-0>QY>K_lX9IMHT4#`d!YpzV6E{Kp15QR?VhZ(3x3gIAwfXMb!C$>iM*zje?vaZsRDnv>-eQqd-)r=6*D;%Zo zj-y6%5>gh}DG?;+j|9I$cs62dTt%w%iu$O~Zfo+=wavb`M3q-gn4aBo_JzKyJNhlj`3VwMJdoTCGzllcuv(GU?)V4|H2xk3H z_{sPUT!IE;s!2`w4j@Lspr)&VbfvA5ww>&d7_~~i1v$=_|1I0W5>lM26kK;9a%i?wPx=o}0cC85-@O>shBcGwA;#jkkn>Rabl@fj8j=uZKyxBXd zU9I6N6Y(1XA)2^@s}%nEk%8Uw4eY_b$+ll}wKLu(0-JN|jp?T6UY-?_c)X;U#~wM~ zkg_w3xPq1iKOx9pF4nwRZ@q$GFI*hhCENAg9bBIo0bw?GVITt72(2mC9Zu4}#r>{g z`I%;@{C?vsyHrq6K33$ugyE7Ff-$Ajg9p{E_wGnJlP8X|eUPWpS3A$fNO&Re@W ze>8bwn7u3doJcf0yGkoBVPD*5Pxn>o?4$Ai(cMI^)oLe#!J!jGTyx*kiDGi=JV#w- zeuQwhzT6&nR{-j8d(*)@l}(b-5)NYzur&nKLbO-D`NnA{cEW*#eV<$7nPD$gbR)Ectlg`TrtsTX|kw``%%TVX`N4$-t< zR=w6fK2xM($iE*kIGd5fY_VQqS`G}YcTJ(Ka|t}*56$>!MNhOv4*>EV*pEZb%_!7-g&{L zp9(ak8`pa_6f;FWr6@iuIXul@+CoKu5;-#2fIvowVhAI}wQJW{(kR>xw?aIJpgj#f zUJByc1^O1Pt>xBz`70`2vH=>fC;>y@07viw2GDQXnT*nbM;&9@k*Sq(LJ0I!}2QDCOJzYhBNw-Yb;QSP=?!4Ozw~_TG%`_p%~4=@RHF5u%Z1q8Pn*xadWN0k=$6?V1rSY?}$No#yBw1=Omu2(W!@ z_^x9RwY+h$3$Y!Ug#5z~P36q5yfd8kaY-W{K4cJoS!`3) zT2v&5hMX}xguGN5cHW(;Wmkoc$KbqBbWX~d#Fq*Ch3y0SgW@}wg7vQ*Lgl?RlypO% zKfSNpm(U+njyp;n+uf_sw+8B=^)4&Tz2#fJ77fW4`j~&!sUdpO-YiU6FX+9!YgBVh zRCgr{{-E1@b9uN-SF_PpG}5NphhywILnU8^5dEvVcw7;S5eCgDbIXGOGgn)mBZmx& z<+}DpQ4QOlf;caV&!j%voe;=O>Dc)TG{k5z7sb>GKG!dKcyxf{06eA-@IKr!7F#<~ zM-kr)=&@c6=DH%JAa3?YM%wWfqZfg-`t5YYWP>(ah0VZuMcDGU{-s5QrB9ci=GA1k 
z1nfQdbj>X|QN?~bNAd5?#e87Tr*SWnZ%Uiz7*d09u?J@d}KhcZ%t4cb%hqf)(=Xwq%?k}A7P z>f!d{Pbiu%1g^M`-p#0#5p&z>MTv>^{gKghmk;lvVRdY+im4up&uvx=S?Y`Nx38nQO9o{QP zGc`i9Fp8bpwK{XCqD;q|-Q@1rb~eUZK|D6D9j&}C4w~hY@!0nd#ZV2lqZ;YU9JDvLt4|NOCc^T8VctUP)1X=jlk@4r`ZXeq_nrkviP|Hx>r)cl{tW9w z|L&DjTi8xna@p&#OsAQhm7O~uogtsG4}Di1tk85VuG-s^7V219ZtoKA>eKzCJNidO zyhT?_dM3C^4yd{6a^zSB4PurMP7Z*JP%Kb0(Ars@cghVHBA=G>!-e5^jF}@wKp#{s zO@jQT2rmrr7`fn|&*%rbVLje(YjTjj67p~g7MR&t9;$becR}YB9%x8^R8B{BH85FH zS|NaPax8kX-H&>Y#n;@kcrP0>ZZ12yP~kb7W~CfKbu(7ay4{IwItegnh|Z19%eZ6P z#2(hxu5pBtwE`dCG6qnSw>%x%oMb`pFuzZVk$`M}wZWh}===KV!8IfZ5?v9kYCWp2 zTw9br4gOW9Rn~R~vgDYD7qYW50_+kfGZ3+PLAVJGhC{viqGbC6yR9Iaw9A4qTCmI3 zzUfgsCdRn{2trqqs@9%jn$383iPSlllKub*OG3r(Nr?7iBm8RgpaCXHtghj6|{?56Yu9niWwV1p#X)zOi+@SW_gDka~28&lk!(& z{IZudsQ{Ycv4Mg11xkZI5pCP8ygQYJa2+**871Z7(xndWW4bi}d#iY~O-y!a``%*z z^mA;l=4c$o&N%LYms(7zzR&|zoB6@YyB4AvdK6BV$fp(ja7CL9rU$`mLm8Gtt!;UZ zeBu7Jf+yK3Nr$6-;ZR(q{oIOjU(F`L)6KF!ApjrlVR_ho$sn`-;9XrY1BV-~sn=FH zf6A{Z_7?+|lpd>XRq!O-ugGfhAh`K^D2%JEY<;fQY_TOS-TpvdT@+oaS*UB=mgh33DK9=O?T1?% zq_;R|uk2CsVkGf@00q5}sviQtaqc=zWnH(W0*pQ{B(l$5G23GwN^wy|SnGR9&>ZaY zBU8kBj#wAVC)K16K6O2~=&{h%BnUh>Fy7sHcW!;W)W_-;AvOV)53(=%&aK1aokM@~ z2qn3NsR^%gUs$qM?Zj3_sA;@qU#Ic@@p^sh{U8)|182FUQ<(5v^D=Tq>S^}`Oo3J# zup42UEEr)lxwETxybAyP_#DR>oo@6xzPCb)S@^S~k+rUviH&AXpyG|l_eZDm z0a!lpmm#bFDp=6DOs2;U*+%oW)WqqeoDrmLw-r*1pubY3v>D^M)O&bor1c5nlJdTy zkJ)6Vsn;j^1G`nc)AkOQa_}O0R!|KB1hsC67yDw;-JCuCF1gQ@Go5AcHSEQCR!;{= z+=%`JP1*V5uWs%$c*kjqS4VzSnr^NeF_GA^Fw8X(WhLQdn0a@I{WAB`3eQo^yx5G> zXGTvluizka9Om(^>A;z|I`azejXn`jc70Vrf(3d?p?1b9p%X<7F3$~RY!_brK$1|A-hSYzSyFQ*{R?RiS|MP;p~4n^&L`fwe@uDHjHSe9pC>{)6$sviu@o!6TE zXqhxO%79kfl=&8~#EMpL$Oc@tvV0<+uokH|sHNC*4lxD~b|@HrN;_p+nI9E0I%pt~ zr_QS)BCw*FzYOB2L8@C{_j`t;*g&{Ieh+*-Pct&ZmYSv1dT{5eUbS_c-QA(*2Z|L^ z6-X7!tE#2^?Fy^UhO z1G%&5=WKOgc5vZkAW96(3;f9m;ilrUf$NR^cU1i5?L5$518>h$amts8a2K%4%;^-y zBRkW($KuXm%jm}YRg-A@Yi3m7<4MH<`h;54*wO4ADmoHNNQr0{o$gv zRMO-Pk6j@B@$UJW*zmja_>6c{ho=o*BAiY??Fzgw)PdV%h8mVpFb1h 
zi@8Gn3if4>`kLPQ8$!%|8BFzVbtPvQZiP*@K%0lpMCM*x#Mj*#s7YvLO%D+!tw1gA z7R|Trti{5wqlzKpu5G4HjfWwDvQ6F{=1w@>BfjeGY*9j<1z~|Ts{QibTqXpA30~si z<@W(FpFkZlD=Y0E##5ecmoh3u7H?fMx=tn~C6&>T^621jvD>O$v@BNYI!bk=El>B+ zsyObRaIVy;F4?GzPt|O!q!@HmAi+yXGGf3SFtEmIVU9=47<2{I z%RBy%f#hfHkDqQ&)UVIHEl8Uf2-mp{>}m_JLc6_r4cItPLt0L@eGNj&)N;{5R2eoI z=hKo)&4K>Wf~u7fGckJYISou0=O;Z-0M6U53%+3Rn}2toTiWs5LU zx74jcF>#|%mR3mD*9D(k?`7Vva%nnQNYm62QJn8l4jYR-$%%fUN5>?WWwJ za`6pn1(xdxPr7lRa%aIq8o{xKL+gU~c!!c(nDXRJ;qqwBJ9B?Zp?=g^ov}c-A*X@c za;c4K1E|Zo+$xtH3}t8svN?C7Ic3LlwVI}`mfChV2pJ(JD-5*lIK$Vpb7Kcqpg5># zUswdC)*v<%`&8^OT4f%fe0tEnFP?sypghx$8Le2JDNM1^{B6A&_h)73b1{#0m?omk zO(8&;x!<5{;QH+@<=;Qg-|r0S9G$D?S!hfDo|kSjC*OPY=f2ZwYJq}SU7guBJ=VLa zee!O^nSu4$9ZbmVmopXVKHo;v+0jlpqiInB`}q^z^`5UgjO%*UTrwOxwx)ik{_1A)r>`P<|u&>6L8te+KH{nyGHS7K>iGH>-dB#AL*jyEfld zAh(&-iixSnGXQ$t`HaSGigO+oXS|5*FsYR@K6Fd<#`k&7WCwUMjaM|gg_{}NzxFx} z$0?ip^#$PV^<(vtVv9*d!8+CgcldE<~n8QL|m* zcOYQh>;P7RzajL(K2x#FH*K23UAtYI;rM4X7@)1_4jMZqefPI!jVzcr_MV~icrj?W zVyRzSplTdfB0F(7B{N)YRpd6)?-4k0wjx|1?1AKxW6?XWZ> zJInMmDyy~BHMpQ5FV4hZ_2CAuaHi6>9kw0rg>g90OWym{&F9z!P)c~MPsh%M&jT`+ z_6aj1_gu>kCxzQ*7jKtI(dD}VHgj4rlXMvAE{Sq2{fLjFzFP0D%ol_+QKI|mo8+^) zjK@X}o(gBa36lOT^Z5OFCPzjPgW$SHWHkEb=SeAMANVJRQ!L#7=p6c4*Fj`uHGgd@ z`etnVTCy;2PnUnz1glSI9Se4pt_nC)I94}aV|wKFeJ@>0L+Cd(gQH(!kFP|ICex0P zRNj+O1|HqpVLp5H+0N88DU)t?w__Owv~A|KF!cd0ykM}!-nd8o+FzCm)RKJWa6xEE z&ePX-jQP9EULW4e1g00*>G}=&MQKVGHEL~)thLbgC2aQGV|VJ`(W7>T2LLe#lyCE) zctSiKzA~E|t^w@pt>S;(9FCi|tXB*1UIcbXoz_W}Sc=r83MzB<-B-rBYPYZJg*j`H zzLKA7w?(!j*Gus^E#0EoK7g+9LpyD>qP4vftO|^0V&eunW@-6<78v{Uy&zsk+|sjiEc7CIc=v zhWos@6N=dlJa1>+yVQ3NT5^aiK77O5%W;Z;RgPqOOb~aV!M8v$?#NVm+kWACbIasj zh&1e(z>wl)W`7wOY)W*}iws^75h7}B9%VO+T~#@!_( z$$`o?&WLca9+tgqtFIGkJ0P2@wH0c|K@(SLS8y>&Km-4`NJgNDXFJ6=02jp}{`W*~ zVI_bpHz>F#O=t3!X7bpCf(4TjKR09-M{-lO^`WO#{BQ^cGYtAyGc7A< z@>gF#L3PrtSY%%mt&>Uf54?BkpI!nZ9XAFRY6f>B%=YFo)nqG}AtXFs2mwuR;c%Ut z4F>6PKN=`f0%G1^?`P!)2GMQ`f6g!*S$_G}?pY<(?G!D4gpg2iZ8FZ0#a#wgir 
ze(0&t6-M?->j=1NWjlXLcg$@C?X3Jf`JW5Fw4I(*y)N&K;CM-v58!W<9iEoJaF7zz z3?mm{^V37cjSA;WjuXyx6{6|g-pyZI6!Y3{K^%?%a$rhfT7gTyTtB;7c4T=V0fqQ% zryLc9nU8Pz_-KHNulISjrBb{63wC2g1v~q<+p=w4X;j@}Zr6(yDkFqoL`xLDF3;Df zhsTRaNv-eeY?v=s1;fQEZVxPg&S$Qn?}|$F`^k5*M67I@l2#+Qx;tbv)JTpoEr1d5 z-MAk2aP4*Ca^rrR)?9C)ko@Fb9laHX2Yc>dqG63W5}j1+?2Aidpw9~3FTyB!%+T&S zDaCH}eq&ZIw(U0d@Y>=75&a70lVST_4oXMwjJpK9rov%1?)!(u3l^K3r}fuDo*UQJ z?B}hWvnV(}m~jl-AyeNnt^yz}-mKw{(7%g`?sLh&q(`M_v z)XY$&8}2g;>P4QXU=ZHl{gH=7aH)%7yIHbdu+8=udj~H>3gs$ zXr_95RF{lCT2FB66q{uJ`*ojceL2?Iyc5%}5|OK4ou>GCy1abp8}QwN`O98a*iEd- z@Q*7xk3gOJ6Dj#at|>8kvUSa52Y1Ua8ZmO{SpSe1MiOi6q!bam##Q-s~M0;gDcQiE)PIG3n>M6f_mi9ER_!-FTyp z_S}--oPjvOa`?)jzg-D$NZQ`^Ml_|l8kqmK;+JX-=vpuXSRS9%V6-OG6Uk_F3BF76 zOSq)8eA8L}$?&t2HG(~wuHwJ8*(V%^Haip!x8Cbmw1~R1ar$;5U(co89h5zSWVNm1 z6!KHtpL=FMbY6VG0y{H~4TkUBKz^PLJT?2O%RW7~Ie2TvwHQej-LFs>~6FI5c+kv8` zI6k^_ufUQ=^B#3a3rvS_AZSU>rw-GklmQOkKg2K2ATbjzBjZk85bA^q@lzTS5{u_N z9M?6F@srM5l%@8~*FBcefc(Cl?oq78(V4R_2xNP$mHE)tUPu9FZCo2~2zY@6R9duh zdn|o-nrSe&(+vokU^@p}+X%6~gXmw?#feO0)Q0S4o6rS|{>{^%$*JTn$-iFm;Hx~6 zyWNLkd_aJlq0+}p&AA;k%7`Ky@%`O;?>q|AYr+MiuqlWn521G5?-Lp@w+wX)8*SjOyV4)5@l7~(| ziWXj|8%vT+f|29OleWDD{7={u0wYJr`Lto07XSue`>w}Ef(|sq=T9A4VX%_jR!Cff zQlyF}=l(;l?+F+@ta5E^o3FIcUIlf8J)i)y# z{YSMD2^ZY;)?U0c!>FsRh1@&P1nV?~4{DMKk+s#KymG&G<`wGvpFxR)5DROq?hT}| z63kx$Yf?TF-pd5KV%G2;Xvwn~zQyg1R&^G9<$D(g$M^dMlfU!VIvEDJBNU{Qlbdg|ws&Db;>d(h{Ml9z;31Cr~4}1;b1d)ps7PmcQkk!*nb9mWnTx1j3PNIp7bg6d3}H1gdTXb!9IazKvGnjB!1@}FV;G9xNu>( z)J&&MKZ;97In;LeCltvhSkHV$p2f0gf`gK}Fe;2XKRo2LsMr+)ojWGVgiJ7tZm3^G zc0A3kRme2&e9n`}rJlm2y6+J<0}YHCtEv^}VK0^=CmPVv;}S!@A}Rq7)}(mm{TT7M z2-5NrsT!jGE+{rXDdqX(j(>{6xXq=~hGzW1!L?oMZ|dD{$zZvTP>n-Q{tX=b^X|!1 z;rRL&8UEQ|*1U@IMd~H5SRq+ews)6q9+@+^N9&WssKsoo^BlS?)>=v-zuL{*V0V1VK3#ox7T0HU2k8yE zD;+2+HU;r5_&vd0u&{!$<6p4AXAS~03$4dr$HCU<@v{~_RYz8PH+Dz8wmmD$z}&jj zv#$vMcev}?;fo;+O%}vav10Ovhkye1OKGm@C)(ZhKQuD(c_KMg7gmPqn}ejYWt%6` zU}}&+{avke%V>G^oNMRQ=CZSYq)X-HuV|0DuV7wjR5+d9b?#=)(CG8jJG>~seXB&S 
zX-}t=SRsB$tPp=EgpmDa#sf3PE3w4`9Yw4&4*Q0jS}m*G)Ng9f1L@txW|S%xoc4)O zWT54B9%HoB>i(L5UPXpvEg60=k4a^JOE*WmI&DiZ^W2~VS2*cRX3N`^9EL}>3*!~8 z%+)ytGC3yP-Q^E@&w?QiVp3xfJYrD$wM~d}_6fX64gYM?=+=&)59b%%#>Hx1biVnw z_0#%#KaieJ13*zwHO6!ORr^Iim9Fu=O~Y0UlNRcS;JU@^?s&R>Mo?Op!VV5(1A~wq zipwO4g?1sE@_TN}4|}j;L~kE2dm6WAD_#OtjNZYUY$VlbK#gaoFb{!e#}*s?=|6{z z?XJkKLf5_QtkpYOuNE}WmYbXsGw+`0ofLQvhXX<>12cLIc+I0frAB?y0~>^RttvSn z%El`~85{MpL$}13{_wZKaE%7yLS&ncT*u!6+EzcaQFgJ-0u6ENSD-q8?rH2d%!+`j z6NIxs&5bc0Q?Jd&h1uT+DlK~r=%bKF-!H3q3En^kI^4)k*w(SSQ%T>Q+r|6A8=%$h zuA2D!0=}`Qj@GB@ZboOeA+{%AdL`Bg-gQqi>UO`WV{g4_m8n<5w|yFw>)z_jcon7w zi4+OHF9?>NX5WL{4r5R!1mpKu!?mDOzUM|!1+{HvJ|_1pA{-Z~4=mo zp4Yl|b>Eze14~*R12@xU7rq0K(52imh>`yNDCUI0s)_B7^uxJj8M5^X&nDuP_<$A5 zxVo1W-d6S5UCSYZOT}BrvjPQ0&I3GbOXUI#HVW3Q~1B>3Evwd<#mXCii z%XuQ&>k#l^hC*gmM=PCU>(*CbyW86e6%2Vx1Bswxlk2RLkI~F_rX0xAEUy&KY56u! zS9?cpxW+8jZn8oK-&1Nl*WZr?rLWX>czb&slz68di)_K9VnISg`3`^ zE_ybL-r5mU$~o!ZbL0Cc1I=|p*EsENI<7$z^Ge|B&%ql+jNOckHEr_y31gYBT zj1E{?pFu<@)Q*Sae2$im4sU;x@C3EbQH7d{s`W=>lGB1{pLtijQVCG7SpBXtCNC6p z-v;Ho=GQ@;ia7Wl%MmB|HisKLVWJ@~RVVN+PopBa&hwiU!HB?fH$9#djTLubhncqM zT=l^bLa1g1ZPL0ta5LnJ{@GzDmA`7wJKLJ_L6JH-bEB48JFq;Xd(?K{=`*2E$&bcA zKZ@ebQ}B2QAaq1f3LFk$A&VZ*8TdtLKJ4XOIl5B>;9yV`sZUkO({~RKhwtoq?$X{K zvhe*gyvCO6e0|~8nEKu2a`dd$`BnR2-@$}^c_?^(+7-Z~_JNg%JnZ2W&{X3Fmx)Lt zN*+@UmFMazHf>vBA{Tm(*0KUcn5Xvt$Ot5h0cZz<)VjlQ=*te0r$dR-YQWtIBTMHCUtCX)gWAH~rpvB}(CZYcXrRtQyT}x~u-17Pt5;4n_wrER0Y0S0}M?u+J4(7puy z^J6Kbj=*DO`8w~rn0m<5xkC)19E=(j{aC{*CdvCnS+}lH>8UvA*Jnt^*bQ;=Yv-3W zJ?jfiDy@D2#4f~St-@U#$h&sSx!bNtqz@pn}>oTk}5?yGfiuT&L04+wgkU7&<$*tH~KMX?fh--INAPMIMXA>xfJT=rn2 z(tS?oo}#3^MXq{A5bITgDu-yBfm}IL(^RlE_cgbYco~~0!4Ehx6S%BU`1XfLWD(r2oa52k-Mg`xkX<6t6Pgx0=G7TqCD)jFtEq0odx9&|x z4q;Oc)<}Y23WSxe20{n|>H^vEZv+%hf;I7b(Mn555-)u^a0?Q zivOo;{AWu5|ArO+6GQ<2ULOC=L;x56Bc=H7BLX;vj{h+tfd5J52Ne?lP4K^u+y5uC zfq!t|e~1X+e*>fcf(ZFAda>C)6$u<~^Nz(py_b931IK6koY&Purbn8$$DG54_#n_A zIImT*N2cP3drZsEZu3}@JNeiL>ba}Z5pdBTY!oAtNi;e=yH^!bJ>gpf^o-@}@$Z7@ 
zn{M5gIV?D2eTfM1;IncdLSDSgOjhknnS@=DfxXYXfIMlr)>9xswu}^B$~66F@Kv17 zETMP`LT`%znJhdLr`v?<#3lSTM1U3jzvSsJiDQ0}ieUFO?_!{0j&$K9e8CgIqXHG< za{4KW2+w%+4(NDw8}wqmh@;?OenPJRp;wMj>tO>Yjw_y9mHKB@C->Dpr{jtJBEbub zFYm#^u|hrI##kDk*M#3VelNTN>3l-F|X>St-#0Tz!*dtHZA6wLw795FFK%uE_zTVQTEUFh9#P>tXUUm))OV$!O&ln4`uX+ss)?Q~_HTCi7;ac~i zsp#RzTS!S*sg*z<^hDW)!N)ADVx4th5E!8|$(b_c%*kDVhoBx_ykHLyI+mscb%(mr z#oowLoM&2DAr0q@T}G{!%_(yf{CC zf*dw96$G}2%EF7Ck85}!J54EHOi1MMOgk&Xt_J>kcMGJL5%RU0U!Gu2prit%fG<8r zcI)E#`GIi8t5X*RS;#;ZHpbaTfvFEs9`SyI2hPfJJpZJeZ0bs(#LXeJe-2Oag8ZjM1uIfdN(DpU;R}MnN@kiZ!>nE19qawL|D4fTd z=8DCXnzura79*ICRqdEfrQv>_lsF9)vFLTF4n1xNTS$8&?^Wx_K=@T8BNTuvUQ2&* zB7``K-xCtpOpWN4&)e`10)>iE)f~4;i6rYXo>)bk47i-05FHfdVaC`?%M1ba;NQ*B z=IijoMz~ynEMJ;Dz;E;1f2=HVunAq{11K^E$%wn^O#q%4UOJX!;48nvTfZ~g z&m)WHe(lVJRlyq%Is6~Yyys6hs&&JJ&37f)%6-pNN|=3n(;*zpK(0py%0;qKMTT;S zJXo~=FB^c2*w&LjIAIj)x!)ioYVyM=SkIn1dpXMV+gsLvueN`(pT9oPD}Rm}a~(92 z4FIO@JRz7%EYSV8F24-t#DYm1nI zgdy0UFQ=}w9OBnf!q2L3dEy0xMGU95v`CzzEHUA>0|NvNoJF~%t;CvY0C!Cx!&M?22bNpR6E0ZVQI#j zHgd0OWL?0fp96buYv=Ebuxx)!Cf!l1u6b% zCIC4=1%*h-%-X~eIW)VpoHb6|Xn54qiM1Nu9~$rXrlv zfM64NqFzr817t`*lnD>~Gk+6cJwda5*hj9jHH+aCXiqko^<&(XVH52Awn{A-?@nb)|+ zl0hk`i=|c(Q#$dAg%`mKY5*=lz#2B`y%8edFs6&Ah5pM$GkVf-JT(ETUi!pRu`&_8 zkNJ1aOvtg^&4_XbVbJUp$M`(a`cbQQrae!fbmwFk;>%#^f+Q-9`R29E^{W&Ck|08j zId_XW%|+|T1KSWZ$8bpgx*hyg34-&I z)_B`=RaX8>1E~)P0#Iua*CiIS=1|<6^jOys;UbxXOBQ&?`^v*Ve(!1crI!Zs7Hqq- z>tsS`S)aVS9KAAHWiU59x2Lb#!Pgf}@qGc%roPRs)~;3hX8LBOk?!v9PS<@cFhMu4vh!PZ$o@nh9pbsw zN;b5ookpy)^w3pvKVsh}2g@F4s6|j)K=>Lp- z%<62EstXpwjr!5hV+aD;Loioyn)KP$d;Aob?C=^-tN|<$&W@8E?2*)>h;5~MZtBXY zAt5l+IdCZnd@Y~lV7JmD#|Jh#*=Riz4HM;Y*9+=13ln1-G;&Y+E^R-0d&RRT&=35{ zh{dcFsQTPtRgEQhH`)m|puq#{+baj*_cy?OMa5a)iE? 
zOJhT;`%#B@!c&GlZY9{*Zg$Psi*J{lK-Ii1nv&|!G|+tgOi?yS`U`q-H$F3Hy)6e&~UIlDN(}Od>aB@QRUt$|5VJ{ zSpTNE^(#%u3wcz~hinx+@RmACu5zW>=hLcrTH1A>t3cJwXQe=#v($`XzY=Sm^;hJV z17g%^8#OL&P~3l?wC;S3$1ZRpcld8!EbO~*@ zI+P{}VT@7akvFHzC%0-@A7?1I-5B59sPZ^IH(pVYc*UojXL*jssbSm;OBP1|iZHY!2Y(a2=arJQGBFLBUo zNm-X!N7prDWCIfFow?LY5%}@ZxH0cU50Q=FcDGEIB`m8@2Csm%^NkHZzBHzP@b~#1 zubIN}dS+QXRAHo~+aXoX2Em^3KO}}run^vQ_aCvOa=#QsB;l_)~5&F!_%z0rOi(0;5W35BQx+i;p zm#9V!&XobW?KupXmFckpb! z#4tNoiRl3k$x~i~S*DKtOc)(C)Q`KE0Q1* zj|k4y*mj$ES=2pjh(W@{@Pm!_I=+MGnt;Xdz>eSBL;XbG6gZ?P!x{0FyslxcJAIyI zl$Hv9)1^}Tv|3?`2bAhhB%4QcG%-qi0&5$g6!xSe>Y=d6u65-a_!4r<^HKcTX?%EU z(5>vSAQ<^U>lq}6!shMgg|jJM|2PaUGme7m#}OOm8ZiBg*m0F9A21lheEGpmH}O^< z)?+20FsWt7^B?;){DLs|aVW6Ne4--DH<|q_DTq!{GV4a%NnS_BbTTYibK8smSfXAF zLfprp!1Bq|fy;DU{^b{uk^mTnNM^>Y#ZB<8I}exIXRYn-MVp4$XqmTH()n7*fL8;- zOe^S1@xviU=$TX0#&>3&|qlsOt#^gEZe!` zoRkg>@a}*pA1)n2%WLrLF$pqIPDYiOZQcd*(|{*r$iU0uL^66hB_bnG6qNeu#48*0 zVE+9O!z%w6mi9V~h-5As-Rb5mjRDt*zsy63zbL{4p%5lpz`cj)k(!=Aj!~y#f${Gl z^}!IJ8hj$KxEl$FpJgC&`1gE@T&rxrIqqIUfItxjX6f{{U^`bS8&nM{4mF54cQ(&V zKn}<`4~3w`Q>6)Py9Scc==ep+(B%)3m~27D_xW$rAn&D0=@Y_)DX@S6G@2=~z#e0W zx$Q*>7(^thQRy{2pgp0N5HtP;3oI^jr^7>K;UubpWh~G~EU#n(=FO20Xb62!s)V9~ zKMR<6Q@lF^h0u8u`J0viu(2{j*ve%IhcAo|L1w+oSBMJuk2VAR>uv~StfqlsG04}R zfIAtSRS$7-%VQNn{G1Bhg#2vwsz2=jXZw@EThyMxuIPY4r7T+2!tCs9j?I{KwU2T$ zy&P{9#EyL*ibmnd7&9d95sJXhtAA3y6vwi)f?Bkb;uv(xbuGoUj|r0MZVFgZgPAv& z1X^~O{(J5#UA*0BV`*_LAoCyn(lEYHDcRr=Ot=?e$M{?Sf0Dl(7+F~Scu&)tt@i0g z2xhGCJQOv0pn?Tk%632@!j^A3OsBn80mVm-3j9}X0{#zmdc^YBY6pV+nR?BEmIY=w z5p@O>qGT*src&VabAiLi{Bq-1Q51x7hyc4nQ!An9;x|o@4-1nY9R5HcJn;7~BE0+u z>egsxl*YmW6WQ_FT1Ihd<+cE;!#x zt+QiIQlK3$g4zeG*|k#VgPJ}LE+>ZIVC^uVIUcme{Bfz{ML(U>lh-1ED!UC>)0!pN zVxu_w|4li8W9hh^3g1V8!+)E0v@O3_>b7&=CPj0c2r(B)~dt zE(>p>ll)8APQ+Ehc4=kdE`N^gz~L}1>OK6!PZ-#WK;r)g)a|K~yK2z?+is3GLm;Cz zSQ^ZeSYXnWrBS(zkhmU|ekfQP79#+ck1|05MA!lQe~uL8rD2NCQDCozpX5t$qknWM zk^hUhw+^f7>(+(^5wYDHK~bqqgS2$RrV&I0loSDxZjfA}C~T!ey1PN?R1CVirMtV| zx$u`yoa=ed`0rwfZPjSB`@k(W@Qo7SPxAn 
zECs&=!YZ2kaxv!pWx-z);a{%!UwsPRGitOaRgq#B5cVV>Lh#l}<70zC!Ku9l((@qU z*o)wqY{KjFNEE`=|89#1+%-9huhF3`NwGP<6)ORKQxD>#w70mlvqe$PUmhjPop@;4 zj?Qz3C`y#g#5Gtu6b4oE;@;4OqNUI*8n#v^-bd6R86AU*@vOX(iUm3miy7{M@!xGX zi2wcfjractwj26oynSDI|Ho5Kr7r&hwJVL2-Lf<@e)d~oAN6kM(_@y$J&h{N)WEL-}p5@&qtR|fwi>+lj}d%Sc5vsQPc9N zW0(a8j#cF6f#U-l%*u_^XcQ{)#y`(dQB-@v_pYle)GyI5tVO^ztpD~JVU*ktP^D0` zVH(Ppa&Hm7^zoMn^`sgddJQ9WrIHu_i(T@@4J!^DSSIuwx&w;C%p?EqT|Ci=lJ7If zg(<7`E?xyrZPHqevf3aPx9>#s(_zs;$-P4-o{f=0J029@#C~@Qo~wBg=Rm78U;XZt zplBGC*K_P%yvS~?Oa3h0VE&A#>eHOpJ zXZ}i(E$c~}4DZFYG6C!3*@}DXjL1tV_qH29XXPY{5AJ!PcN#h5K%@m& zlA%z^f1aK)$(#F4-LqY9GsykIe%+bkI(+9K^u*+39T0Hif!~8p9G`H4g!cp}w-y4p zsKg-OHFFRqY`=BkkC}Ti?9>+c*EK^HhAY(9*4O<#+86f@&YH z=>iTUz!z&6A2E6WmJC3jxlwh-8|1*q)#-t2XE)Cw{Yiwf!47jUldK4V{@rGK;bhqU zFoRSbD8%gQxY5bz-Z23C;xvm+^n^eB`J0oK*FnXyuq+13GYZlVm2LSo>}ylC_`0e@ zzpyDb>CM$za+r}XS@t=rf81@_&Pcs6&x1ee9l0nMcjdeG1@!O882Zzbf`&0d*-Urt z1nrZSsQ)PEt*>ACaLYW<%T29 zR9~YV1_R#m7R-CDk4T{(JJKHYkRcFTh~GTr%1xKKG&y#I=80LkwtG!TxGQXN2g2H+ zan`EelaV|6rE3KB(jEy{q{5gMaJIY+H|IF? 
zz6p7#fA_t0m~5M1I`U$hzaZpbe)4+e$fe_XyfmehY+JFT*&xjK_5oW}hhdxj&2FKt z!duf^)6-i*8Q)sEt}K}H&K>jR&p!`ND4gV8x9V<^MLi@@FES0zQZIT0DV{eFTryuB ziX1XkZhPl?T|;Bxt>&bE=F!$BXCMuUgPLQs)ms8q%XdEYx(5+Ck9Xt~LmH<9Bsmd>ca4Mr!%YGrPDJ=0@g}itIFr zcn?@hj+;F)rQGO^zl`l#^-Bw6(Z1Tp)f{rJT0a{2UY`q9m1yU!(HJvy5T$Icd13b= zpA;zvFE?s;(LFv~G~SQ2t)#+AH;Zu*RFvn=mc;P#CY+N&MQ$qV^Fro5Uwkx*DG;DA zA$?Y*jxTG}8n7Co29fUJxEMSF`@HJE8<90oiLO-oT?U9Q)N&Uc<{P>QV<1Lht$}Bq zO=Wu;)_nz3X5pr#b~pDIUe(tSx+~B?59Ih4j0d@@o1=+l9~tSQ9F7k9!RMK!PHpU?ss_xIl>NnB zR{`WG--E@AC+M;@n#muchC?UQ-f1or8I{T)(%n4s@^G=_9epn{F1w(Gn43yeK)H6; z(#+P%Y}C?>LZ*--{SI<;$uM|(?Y$3J&wSPM#mK24AYB${ zZfn*JA24t$+Qn-UEMQ9s_HO*$zC&!l__z~bp0}0j*Ne3#5r^7=NlcDNi)UJrLVw(& z;WPK2Td{BT$0Hu5HWv2-E`t(PyQ-XA?(fN_vp$JBaVE}TGHwR2PX|>%hq&|BAmbtBcMwM{r24od zQwlMUln(o{Bjkrc4I$^pn^~tWtL(pR=ck~ojttXQJu#i5JtpTlNkLn4V-gdkxQlK$ z2oNeKSqfpGT0zw(fi`CMWVURmgS%bV{MPA2n`6paSb7H{AKuK_Mi*E0*_%mzd{gV{ z_~2t9FSI=9nAlE}k+K(6mR%R!JaOA}Y0q)hy0WHv0u;R5!!1h>otCGpjvzwn2!3!b z!^W&!O0twVLHjopBBYpLY@oMH;;APr@$fktr1LJ7mq+!^iHB+ZCtv|uyu(pC#{bBa z%~vV{a49g2%yG_G0PW(`!=^jGrcvY_1Pu^a)KMrB*K1d>00xIq3OztK|A*ruYvG79xIGvEcI-Ql|f`y1(wHwpU zJKo(9S<26{c<=Vq2coama-4vfGFD$Sx`*l)srjAL1k25DM`U$mTv8PyWB+w$38uf_ z8G_}IU;d2zC&<`@0T0(d0v;f{P@)9XK%^GNnk&&j=n+g2M>*pf`TbJhaPg_D6M?s0 z>1z&xz3WSqFd*9Kg=g4*f7*%m^4qNd%+!4;1%Z3V0Ea7hnxpntZ0q$oe4Pj2njQ2n zhYkX)&KH3%YrgU)Yy15L5de=8!g$oZ?gqfr&vzpUF)Ku=B6h!qTP_qY5cqPyS%3Nb z6961}23X>u-vKc6n=bW#3xEMud(?~#*0R}O0Vbg3pcnE1+D5|&A6CTvO-EtSi8a0e zyhCt5{Y#J`{XCof{l@Ao(~w04DJ~03rBC`A#NTbFXV~gYBmgp73W> z>sqRvpT&tDgZyV=_umvKa-h-PSdr7aqaLK_!w>~HDQI=(tP#9#?=x79o)&VT3r|E= z%0SP)PX@9eyF1}lWRQjz$ToWkQ~|Q93fO@09=`fl;^H6L;ye-rP}{z!A{9XdtFOe` zz$VzUSnr2+-DT+hK&U4g&CjCw9U$qsD{#3y;m?4=qPYoSf#V2H^;Rn|l0qvg+C*Lb z8sP7_WBX4UE4Uo!Q&0E;duGH?@ezS_KvMZ#EdfgHDp;KH^QZnk2Y!j8Kz~A`{!qpK zKHdH*$$+G|k9OC8;V3U^Jvt!A{9TNU{IAAj^P8FA@3{n{dDO7*j6zV2QshxVVHUZ( z5`h~bKqUGXqFW3s#({Od&x$O6o-?gNnkRwU&9-xUcoplT2nc-`IKUw5I63lw4H0pZy!h<5~k z^uWP}A{b1$4WO3%jkf(}2vXa)KpE5BucSw0DbbGU2dlnN5GemzTXlSB?y%Kopx+qE 
zYE?%SQVYWU*N23Y^Z-e`g#&s87DT{gLo`5t*f|~FN*`jr`f`W$L{OdmqkaQn+QYPf z)RM<=eqXN6>xY?-SWDex>ZH)&x~DKw_+%ksFJE^_*TAA}B#9JyXGPm(Q@P~ls|(*4 z5g;WX_yTh|%fb0K8u3G}%9+*&JP?UhFp3#2nr*fE{d&XJ;sCyF8U%JM47zL&S=A8R zqqV9ua)6m$M#Sz@&y~;ZJ}53An`B8JNG-fQFrOPVD|O0EgYt97pYq9QH7Wm#T>jN> z_-g|rM=E9|lY~5@?)Vd*S_A{D4knq`n)#M%V~#dx=6|rN3)v4lq+BFoLpSrz-zixv z9GD2z^@04Es}3HJI7}cMK$%?hDjcu>Q~;`L&d0vK8~`j1O?zjmqF8s1w!$?OZUPo& zWeKN>;^G`NhD*KX$!DcEkAS!i#Fk5Pl&AwH!@=S_lfmM){*Pd5$P-f?#bae5?NS@V z9fI>E-<~yv*Ol7NCt6L`cXKUwr7H(kSBpYvAerC*l#M0tp%(nklYl^zk99DoQ^SLk zgOD}_a?uHz0cGKw4~>Wy1O}26o}%9}w1GoF!Bs6MP`@;bVxU>fA|V3XM-`5?@hhM_`2_k} zwOQ^viOffNsJ0`JX*OkZtr|Bj9^taT6%1#(eY)Bvcdz9E48bM7`lnCO{<>4^$(;=D zqC(=Ya+(_4eMO62W!(XpV(=cEn#Z2clc|w9pQG3jxVcj2-R_EH z>bWF^7329)ABn4PT8UW`-~UqT6ukxN-@N<{lHGzK8CsmetaO%Iaio5_`Y|4tVb>DK zwbhDt-J6XRx_}s>P1GZXCv_aVywqtovXjU7jc3R?P$2emO|^OQ^W=8M@gRLFy z6}Te2Dg=85pqM;j8kBOxM(xDhtuA7K|GaQ7V#u$af?o~q$)ltYDrBDTNOg$1RMG+U z?3W23o#MG^o?%F8T6S&p?_Trl(IajO^Nb9`zIzw?lt3swagTk2xvbVh;T~-7f4je1AOi%5$Zu34`RWR&8b=1S$(!)7mx)Nfd8z=M zpUd^{>91TR?>z0|ra$fGccRBgiQTKZ0h-oI%9!Z>nR)$<6pq-Jmq1HB^*-@0iX9js zyVn8dzek?}nwq_0COyCp>3pejZ-1Mun&1|mL$QgXP#z61o|W&PDg*eWG9;o8*TsY3 z`wU1aLNDM_5xf%sCTdIbTE=;xp3YsS4~+XIW{F)t0n4;$_ZL7{=Pk!SQU-QW+5Udm zMUb2f{^wTdKfjF>I&7=jq3viq7L8patIK59tn|dZO5(k(2(9soVEY*-D-PrTUJXedh^rY zq#`e%oCN38FDDP=FsoFlo0Z?gJ#xK2X3$Z&E7QCPK`ME7iTiDXMj>MI{US5n!9uyx zUo1cip60)GA`-FB^iKHv zN43X(i*@*Pct<+-%;yid!7AtKQ&qM6jG4+*h5?1#9qCcR?{S(;TZ3+FHI9G(mLzwn z{_}fyiQ0XI^UR)d{n@Yg>1%IgG_htx7}+LhR5)HDT5TCs!QHx7aOe%SC^^+tX}Nyc zi#ohiwtnlVy)w$)mBD;^8$8x8pFO${HKRvuoekV&XqH6KjH*s|wjA9tKS4)ME0Ku$ZTNPF)l zSHaqxb@y)fy)yQIT#Ho*+xS+1=G%HPmpO3g0IEOt$*MEYVq$dn^5QK=<*oEChWA~H z(r@;-i%58g$|$aD9aK%Km6 z=FJ&8(xmX15be1zynW}_#9g^S1~KZbQm@j9y4_l8nwLUPM}FUcwX??O1vk~J6!x&~ zf)QBra39g7Up#?;_{$^kd+yc%$6XoG9+WDU|==%xW6N8 z;bZ3)qv;ateM5yMdu||q*i2A2ZlhN`Ro5*;np7>QQPsmBq6fGNski~KASf}u=4m4e z#FTKLfLkp;O*W7MPKc6OBZvh5&34IvQL%26a_3>s?mfwUeadzHWU;-5PK+eHzRxEC 
zCQ2JhhXX7To$kv;IfVRG*h*ULDB8eglP!PTIh)fwbBlmUc?avaZ)k_`6Z6Sr{H0tP`)1$yQ(py$Tw(9m0%|9b^bhNEHn{HoFTEq~{fUhYdPutk;-~+mjsLGqJoLAI`X?LD zrB3uhlzOr2+lej{^{IJ=DK7uys3perO$|IZIq;f#56s22RVh(>g0Z+^ zz<0qG?A<4E6zl@kY={(}Rq}DR1k!U{xwF10Bu`AX=yZ?a7OMaTULGIGIe~ovOfCZG0M^5lOyO5{=c7JL4NlP1`mr(Tn{)e z*wc|oq7G(}l+~m@69Gh^zZz#!ib2ZN4g@V$Tqsvou9y)j^yQ?z>FJAi&)KGpclyT7 zF;I_oYW&n#iHyYAmDHjj;YG4@ucT?uW5t~*#`jH9O>7N1mi{vE^}U_D+2redU8CK4 zbc39f$mgCT$n_JS3doP_QL}EEzG3a!Gi@y>xfN~gHL`Q$YRpw>?8O?w5Jq-6<{Z5L zz}ri z8iOtlI5)Nu2K#Gn)ha18FCBpQqf!j6U?CsW1~Mq35ZQXKxSau;B||iKF(duuW&AvC zxZB^60v9f{HX#!P^rzn%^1s&(b5OQDY}r+6vHz2{2~@dUzFFF@-!r5;a@-xkoF=AF z%(rzoh=&ye@Q$E<#?B*u&oOIZoFllzI^J}8@g3yqRKqsS)BWo3@h%Ua#~)I?hxSN< zXI#zRzGMdPrOh@e5h>+<%Yp2C6^sGhtqC*;F;eHZ>TV5m>QIo%^k3W-i$#J-Ad|>b z0EwUwX>o~h=YQS4o)oiVECZe+6ZrBr=r``j+h@hZP`BmIlRKOkjz|VI%J_0npsDLv z<;sEc>(Z@vY3T;OcGE`8%P+fyc2dKw7rl+X+p4Bjx(vt2Y!4JJ-&d;qC`HVr=XcY7 zPl&@rY41bNq>^BW%!oMWD>QUXdZen7v~p8xGeq@hO#3JLB9;eUITRz%rHC(YLyO`P zeS8pgwlje4tMwJ?xdWa#Teg>l&EVglWI*g!72J^6Thr!@<1*-nn4R_Hs#MFss@rmA z9+w5H>omlPWfOjmOSuoSFXSJmb-Ns^$C-@Dd{b&Ukk{Opd}Fk#90H}fdEB0%T$d0b zM+_%rw!R#3+8z?!PqD@edh=PHZ&~9*Tq5UXN)$&>7MDBvAeabDw%%nD#;a@Al<^G2 zl<}KY1%t3$a|(MF4q6)AED@)yX2j$cmDi%}c8QH&F-kL=9Eh#VZW2)_+@Ds6xP{|7 zNrhi#;_JU}z*r6rWH?@@iPRcs);n7A^gZCR9r)<*CFSRqKoL_EzDZLX!!@Du<73># zt_Ud)f(RZguKfUopF-A07dK~epoGSl`AT_G%ksJ6U7w%ZymmxIm6ChB4m(1)>H)lF zN70VD^AU5KT!pFn4XSj+MVV?|RX^9r?pPme$+$a22?$~!>#d#-X$(wZH(0n-4NaJ= za+cJO25y)6C>JWs4!X`>z<*Gg~EKkB(%?`dY zxIL*|URZ?WN*B-RO5ljb(R9g9%bPn!3sbiR8Z_oezZ+y2aJ{_q(^YeiHD|ynXZXu9 z?(J4)Pid{G$FFl2<=Ecx^<-vkCeW-*m7KMX^gWoX>kso()gHJl^@_yz+s;HsOGbzM zksgamMVC}f5|yaA_S~_X%j?^{17Qn!vV$#0X1W$x5S^#aK-h$qL){0q2*?dWiIz#A zG#c<$!GK;(1!WlGKbKP=znaxL?S_&U%yomZX2GJF# zzisvhg(~nI^_sCt@tq~@74i#pM3U!4oDE*AY^p2ud`)-}fvaS*p?;rw`Fdky&NFEC z;7Ks_gOI~%&0H4Lu2oafn?%>#nv`>IIGgA1iGBRMg9A?3!RrK;;0)nuN1-aYqmyBT0J^-I-)`?H0d`8C+^bjB~gtNw;>S4$FM@Ya9$yX@XJ6mlz9;~7ZqhJ%RH<({xF)zDxW126 zGYm0?4pC2J-81~O^||$!e 
zH(P*;3~9N0r6v_@Ur=A{%}d~X7X{f5Ki*s%P`yONMj7b8Ip3qes9ty{u<#bgJM@H4 zn%b#oTmK`Z)Il+-+BCzGH?{^ zQdhIJvwPOgiS*}F;f2$-{Xzi)xuJ7_3!`4wO$!6%bD;((aEcL>lnoBP3YP=@Mq>2+ z9l>0ulEOV=1w|<55k^WN_%57PM@9f%gZ{=i$Aive+M4&AWo6OjdH0Ap*WwmaOJI92aIg6Np3@sNrR?Nah9%_)El0-36oZ%C-r>)zf2rtH z92Zo!JU`^&i@x><3E#?1?DFDGjAsbqkg?BcsZEw~p_uA98p4V`iZAStyq&{qR!Oll zWZE#52E5!2XTJ5!H$7*CI<$WzQ?OKJHXX$CLPNt>mXE76_xzzy?ZIb1o(KhWFEI?K zmSpsWH0g_{rdFwfFtpcj*@_*<+TeH~NA=LvRBktpkxB)Zxd3(sd9b9@PrchC)lVU# zP4e@6LDUv#&v+Si3WdjzT}J=hVsL^v1MBR@g-VVx1K+Km25S6`=Iu+cAvS;ZVV?$S z3Dpj~J1fO2^S2*jT8{eJ3T&2as73^{j?2trw$D~Mt<6q%NyqR@ z+}o{3ap*KkaoDUNMEDw(AK@RU*C5S12j8IYpUwj4Pc80y!Bsqy5+v_(H_?q)4e@P z-6^dkKfLrZ8*1yl1@k+)d(^@Or44r<=R6uJ{|Ztz3O^3 z@a}JIZi%tv%!BR5#@zA92+%TN2gN_P!XEjHSmJf_CjbcF%8*N+;i}L7=n;^3AN#;-n5ErQj z54U8{0fogqq}ZA0oj```C~=fVEjH_pJRqo}L}=9cOp}xAT&2)R$D?78wHQ%`LP?_D z#mdL%1A7Sr|GOsyAqZ!JA8?D^Ym>+)o#ydNZ5b*3mHLo+N9b06PSIYC|LbtAnlo2Z zPvl{X>?P3Q)g|$iWYYjdH>c2soa)fh@smc5m_*6W&3qI4#Y_5tK;&*ME-l;)z+a?- zA`{4-EP0ZQ5Bod#_eG)r>?akBck-!2q!G(oJtWEkTL%^k`}VVa3N9<2eNf)=v;^J` zTv>=tz3)3X0H@}|2l6Ms(D*QczP~4pxrq`f@3Y4ym3&&q-bN$qRo^R*-^4`aT)wq? 
ze__7_fh`DTq;tKBT^ zLx)0v1Ks8}9xG!*ndn@=uNFZ**x&ipV@V8J?_TH@`3l#`s}AmCVWeoN0L!{<`27mF z4XHytuM8#1xH|s|KuM1;$yBXlhzh4CXM(6(PtNysC zj!VS=Zq&cL*B{IhEdu;1#gc{wfEc&ccpAjcPm^rBR1txg!U2`p67zN>o%38DiEV zkw6Iav+G1%Fs(nHDx1h{!Cyl*R|NQ3qrFffDE!OJIbuKTsJZxYekpGmnr{l}jH4MO z-gh-~f2jbbN6bfMXSfpEDi0a<@h_&P44B%B^~rtwJQtm&)j6@6JF=ZW%v^kBY=pSP zz$t%H?#y9U6d=3BoB!&YkzZ5nJkxtL<(d5nZ_~M4|0`6cZ}-XXgB?6*s`ki!vIa6l zi{Q4`Uj1N0Cjono%2`qyDLu}CB6C&M=9nZO!8z#0W=n#+uX9Ypb;0~mk%FCwo>cQY zGkDbpWBJl^@yr^Tf`ZR;8+4pVZ=I~7Z&Kg1m0kh99gZ`>0+!S01osU!MI?fA_1L#7 zqw{)-!ji;nv-+|T_c9OHN04)@X&X?&MHMoCk@3rvpAiGDG+8jDH0E`K4L6{60&1BF_92Pl+n z+EFtSRX8rjeQ?>&8E`YfO5L8_DO?;7ExOznXh~c|QdU>5g<;+2gi?5p^oCrpn2B?| z)_cjnmYN#u?f6Uf2(}doHC<`&T`{FZaMH|f$77U&>V`B5S~;H9upY4=r!z(GekW6S zrlE-QBbzTUc;b0OH=|L*2Z-y{&5k_hT7%Bb0~+s1m3OA zMtA2XBM0b?&RK8%;(XN`dI5I<7AV^Qr&8*->ziK*sQVc*-I!`R>t8p0f%zz#b2Pt& z^{zS{3v~S2Y5AO~tim+~(!<%G_{JE+t|9x>4h7r&@z+vf_Op0r-IZP`{JiG| zirx8UkSq#x>iP=ZG&yFYX$5pnZ*ADfHC)<#D5qjhXR1;mrULs*yXB0rzOsnQO%pp5 z)>=U5S1r3JLx&P*Zp}fYdGg4~H9uK)Xtum+W9^68w828TY>f90e7hxht3T@4vUy$< zScuw;?wJ(+lw+m+-;)Uddsv%btCIqWk50y(0wtelURzZ})0+2hs14Oc3YZB}!9jny+^`=mEa zI#}PxvOl*mqmU~N2h3-=WOT~hE-W)*+-0gHr7Q~5nnB&P$D#Vpy@$qwctk(=2Z_?7 zA-q6GkD;%Hlwk$WdZJhmAd@PM2C>Ci>c}9qd3h98g#)U3!UkdKH0&Co_lNLP5K?h& zLxMyDociqQNWw{U_sS2M6-Nen0nBqdYLp4K;c??|b0QVxB}^;BZMF}z;Ieo|q>foy zd)-}{>Afc<6`KtUsv|unY|K4<3I=R6ohZcS8pwx;S<{Qbr1s=Qr#8gdIv9$)qd<5A zve?&_7nY%6D2=XIb+5Yw*PlQijYsx?FdouhHLFd*0a(?^I{g6u2`a?YheQ=Y#q4dH zWC`%Z7{?iZ?apS&yS#UdUE?!bu68={DiJauo*kp)lWjQabE5HL?6?!6P~oryp&hlTP)T~9UGg))A6q^E*6Wuy&rUEkC)?W> zoLg#qm!uhuKGuDMMjHh01;gFusMz*o7Wj`O1F7dAghW z>(=(A8JgW%+bMhxa5nOsi-J3U30*yiIMA#>p$g~NV!S$MX5}1{s)spshnW{$pU%)I z=L|V@U6z*IjmF!bmE#p0)iJaE7!$82NKo&}8@PL;GnXAPWv?2l@S06r@_KNyLIwlE zj?rBpiY^^J^XR6F0{T-5dsiS{pAmtIy$-{Z&1g=7EnGc5rJWcmN>qEyya|&ifQ%*( z{d<)L;9O~~?Gk($nK3LBY%!dj^<0vYq`~T{a{|ZuyM@L@GkXMJt^lu-2VQtoLlNn> z4xHb#QjqLR2WfP|GH0!RERP*>>kxmFL@ZqQkx0mDK9uNR&NC4dNrr!m;j0B8Nt2 z2`jnc>1gLqJX~y^lienfGK`K~pmB%_wPGap@$%uvsqwko7TYPG1VEv#YdKYw&S?8I 
zxRmS9UIkl{sfi^0VfP&m)$UzbEK5CBw7c{zkgG85tAyZ$+9M!N(3}IfOiwNH(s_&p zCkM_Hs3!?S6b*ko6;vdH47OD?z%b75BF|sNSkM#WjGxpAvdFgiJ8Z2@1NkH=?IJAj zEQe)XIB5OXpF{tTzyELlTv!pw3UYU#&A^xgN_#=cn1h_T?&Hm@!F@(q53qxQt&aQM zNr*$dTl@LQpTqtxz%%~yioSJSEd`=($C3*N6i5RzV_W{@{r(t4R0;@CMarE0@sd^MW*eGlf9#|+uo|nCJy8^B(pMjaJ7uNR~85oUHz<_#^s2qa5h$JHYly ze?9r6rOww`FxG60!ROxXWyqyhkkBIi@3=^z*<1%f`Yo6OYnq=ao9pr)Qq#`mu%&G| z#sYp0Hn^Ph1?6Cs5X*wQ+#imx(C-%>~p%8WL9%#z(njyf9{qSf;&d81Z(E`XQ z=l|ChKyW9Vv|!|G(QwAmTD^9_ZyLk)@~0GDqiPI6N~_C`v#zZh)fdWa;T@Z-RH1jD z&jRH4@lM6|Qd!;2pJqU#Ax8kTSafhL9*1Ek$p+;TwOUieeL0=gf)6!0u8vtZm;fVTawz5@K~-+uSM z@fGwRwDEtk9nk+pU;R(C1NwIZ^OuMDd7uwsXb4kTYNkX#UJj#-dzsnJ)M1ev$?MS9Nb%k@bvTE|zg4$SJtN2-ze zKak*Eq-puF5;`wOdV*}HitoB|&IG4GWG7F2mFF?yARPXNtmD~V) zlyYbPE=4v;M%JDS)c90lKD$ob&f($gqm2}yyz`1a*Fwy$!GyW~CD=@V8~yi~fJe%Hk!5|~)LP+{1w4J3|G+dxTyfON^Ghe#H_?X0IBet9O=UhE3sCd>_ojc`s z3G1;p_jIIn=RK~WZ;w4qu67v7fJGl9+%6}JQ)oUCH`NlJV^%e}#k5`L4z*o+-znm8 z@p+oS`qNLQ2wa4FQv|2IKQ1MTQ_JiC1bpx)UvY`OIcMUe0M4I*oYfD__MNm8{UonL znLYAz`4#r7^k%PYK|R;eXIk|n%DrglD>G;6Y64AaT+J2b3%pYq!!C|B)v<3zyHvHZ z7$^%L<{}XnY?I7kL@QH;mCpZS_3f7{rpm_!UCeGQ)|}UIJ%;7dn5{ zFkT;9QRRZ;HnfOuA|23U&_a^&Oxx;BsYU-8qp|P!!6ll~t~uWmBwM0~RJbRi^QOJL z^O1Rb&0R)&6SBtRZHEQ?!e+E5*&Vbl{_LMEu#2kJeD)g02g+-#2PB=+*|+t@tM}1_ z+@~nxg?9*+O8wC@1UO$3S~#9RWJ?p;%~yIAvs|$Z4S#v}J-LUoM^CI!bh9tRzG(fj zVj;UG)U;_-_bSQg$W~i9q4`GA0;I~Vc~Rg5Y_0rArFAne-}$gtG;*|9cH8+o%YLlg zW-!+BI*0R^9mvKU6-LtE5KUN=Gl;fL4tJfj*{(#U58QD zT@a$sF>`A_oO$86@jT~A@(nAXP~srJlqJODd;m`aSNSO3MR!d51F zO0Nnq^=_R2f0*|L?2T&qo&y}w_y~$ix!KlpXex3%f5klGQ%tWG1@v8H(TET^YDq;% z%8OKVzMOtTq*unhDJ~j4QGitZUd}Q#15YB9V}XT!8dyb1GBmHHg+WgEDPMJ6d?^${ zjcFqc@0@7mx`>vQgy^w4M1uyQ(-LZvH)4B^KZlPW8bm=V3wc($Jm*0D1t~NSLxds+ z)qO&+gF>m}p|uD;=mV+;IBt|k^3`r9-avjr&V|)1#mg$PWm_F#69)WoX`bgTs}x{3 zSS5pD0oS9c9~pK6QQF-@nnDjaMGLqa6<;8b!mK#;D1`N8BUSAwIW(*I!vHN%*@7}a z2L!lFkSFzrG%olw4+2TGIPe0B4%EL@yaPFc8h!^S@Y_{|Ns)#cw5@pVr=4w|o3jFX z>{Y78X({xZz?N1}U8VP=FYHz=5@12HYF%<;7BHfAU1?cRPs8@a$k?Vw`P-4h_t^Vs 
z#}OEem(GU;;s#j!W^W+iq(NyAVHCakfifvKQgQSAlY{V6ND)Rj0RKD+Hir3H9D|DI zv4Iv|a<(XgC=(qNPyPNTc)e>5d!XLXulydt9_Bn6GVqL0dyBGCP(~aEcTqt>8nEKYhY}U?H;v}K z+MjkXt(V0Hf0?{aAW#AZ*Mj`Qx1ZQ<{FF~8Uk7&fej#SM7;*!SY$uA6`BoW&0Abp@ z9&k9CuR6gJ{d=_Yrk@?hp&0*I!Fi5|t{b3^bZt8mz&g*sxD15VYm9hhfi8Hp2EF{O z4Y>P5Y!D@P>xNZe^t|#{;-r%|fuzd9f5@Qej6SA{kRinVQ?$X}oL?DH)`v(ZY%uKD zF9y}*lQAE z9$840mAVJx)nq_Tiz{n>o|E&u}{;NY00#5LxW9 zizjI?Nyc~>T1^?E`*Pr^Xp)8_R*x1_IL7%DQ9HhT6NzBpm>qNn8hV~rR**P~5G>xx zZ!%~i*}Fxost!p2Mo!4xEOt|~Rh z_dhf+FrYLtjZ)0<>eSc*^>+K%w+hZuR`)a_?BNuOd`vqD7*@eH5F9qDg-A+;H(rAfNT>`dmI~+YO<>8@>2@k#qe^~82qXLOflhDTX;FQId)k{ z(&624U1i+-KC+bRJ*mAlpzKm?5V5Z7WYgd@C#2<)LO5OEQJ4YgQvGQgJ;9bFi(q&q z6{|&j3ublGXRgSi7Az1L*ZK&VyRLc+biLVM_v~4a4kEK&!llvp(TaE>>x|MT7DfV-VDP2!Gxj8;1yuF;|{9!X8M(37z(H=fj;x>2FDd9(o@SzObG5 zF2da`m@Q~BTGF@fY6ODu>&rxb^}QV?aK(=HOq%{Rug{UwBM&}i&2|+f2t+p~jk-Ad zMs;2C*u4MRksP|pH2J;ek)P+(V|ABlqs^5T(mK7Tl@1-xI857ZHs8?Ucf}^0<+zgk zg#bDIzRD?YKu^h4&}A*DfR8!SPGsR+8V^qh?)Z=Fnu?>!&4S`7?d`5df&DCRAIrKo zJ*56@`MsWyXn({|*8S9V|CvWGqDoDM^%?7)ggXRsFYt#QLlUTLIC#xe|k5`==zQ#`gmQL3=gZ z%ePNrO46q=&$X@yO1aA|Wk*{Ugxl0jFvaxCEZ7fO+MB+Lm@*PaVtrihIwldA>ii&% zlD=)Jiduleb9uOO(yKJv?i}5r6m<*fI~Z3N$6#^`yX98Tro+Q1wn*w^3pZgqb#{R5OJ8OFjw=zFf15|Jfmv@x-~rEYd* zCL$(#ei5-#Z^UvQL^^bX!>=5lI<(i~cP+?ffljF4uVX*la%e_Q=^ z&`v++_Ds1XsO$8e!iP7W(1Q_?{7vAf;rP5twoTM*|HTHwmhZR5x+ElhRR?XwE|QYTex|zN3>$mLUGM*%u^w4dAOWyMy1EJ z*NM&KjY(}Tc|rM`EOh90sIB6+m?wqoc~NPer3o!a#EThk`>vlJYJBRJ9isxBeWbkw z=xaCLwct1h;R&n`ET7)*rd}|Ha#e`=oKs8fn|zJceJPo(B!sn7XviGf_2oUCHWnZv z4Tc!^hCqG1m^`1*D`jDjMUzgW0)FOVn?!)KAcCFnI-!um|Yqs2KZHVa@<38*>nrW zFAtWWLGh=ffY_ zl$Il3H`PWuN1!s2ItY2$p_H%kH@d|sZ%vkI@u|5sS#sX;I5;XjBil7Q-t6gYQKC3} zd2dBz$i290TTcLk*PxWJ*Sy3$HKGPr7~-Gv5|oj9(rwKbbi37Tauarx4=V@a2=p`} z$lXv>)x!aLS3V76{dDvYwRM_uuP-n3N7w2Nfsl@nv^+?~%YyDXW^Ph{-YVFtcN;Vp z%u0zycRB?;NZ1OHK?f;#e!V=?KVa3E^Dgnj-&3`NcLk5nZQ9#(R=waQhxJi1~lFI0FpxJ1I4NZlXAm01I0IQVA5zRS2D z7Pm_<+(0H6Gax{WPmKp(M@ISq#;;IK6T@QsW%xm$4VCCtcf+{SCcPva7dij|#cQRM 
z;A*y;TievW!FcK_3n{iq6@VCwJ?I>PYl6^1>02{Bme|Kf?E^;RKHH_@C6k&-FwdA% zRWCcv?jm3OWE^pG*uY@Z-w$kb>ZuImJ$@}Eks()7X^Sl=%K{wD`NI+sLPfm1}v(hU+J2^VHV4Z^)W~^HGl3cFn5&{?{zzNgqq>BR8nNaSShcHFV4T&rjqWYDym>))Z?cd^-!lVwMsB^2sj@!TAHfj(earG-SU6x^0yu>h z=n-z{6(9JK_ksF}PU>j+3Fueo2~2x7YjF!^5LQ6qulJXf04cl^C$wrUi`((Fusjaf zz?(DG7?z-t`6vz?ZWf`GV>3CkbS(|aoalbMRAQLAg5&|`M2U|Jwu z<~+tEQ6wEt3M9*#}*1ZE;}#v2xjVx4OA9P~&P| zce%4SbBjTB>2J%k%h&4rakMGLwH&LN@i!(LLNZFMr_;mO4bt@+K6Lei1LZV}2z*#9 z^K|o785->-`d7zm?B^4-G(OU=*HZX)7P7zbe!Nq682%k0dAm)#@xi^@-aKIIt_80E z&RHxx?vohQZN_`m=P6pB&-=;c$GB|uJ&7NYYK0Q4LViysKqYEA8T;n%hqX9U`{9+0 zL~n3~XI8CLU+^zt?_)ryy|sbBi7a?e*^{QbRJF6t`9+%gjR@>c1kUAm$X}o&lQT2H z;NAK}NM3PC?uaqxZs7~X3Rl3z59+VCf%IXslkg80y+17q!9vrsrK6*CTLt9VDBDxT zN27bEZ#JHDR72`SV^~ygE{L@{>We3eYHe*XUShzY@t7aq!+bn*=YdsmtvWU!Lv+U$ zg+*R?@R1oW@BKXMJ9MI{UTZud)&B{n{!ZmLDdWxvA*Sjj)R1wisOo<9EANa2)$TSf z%F)C)TbYiUF6^W!)<@>xb1k@vJ%tkn3{j-q0q&IZMX7eUMG` zEkNo~MPFJG@B%`D{yHxQiVBk*c$NCB*-$$<`R#5bgXzimf-S&-dq8V6_t?}dI6$ZF za4ldR2R@guqbB7oaVBR?9ysaotmzCpqPq$U>cMmh1%*-|7lZwTb&t=lyB^w5 z^E^77N$~BC=WMw%BVCwJp}-n`*YLs0289c4-=NvG%~`p2|G^@Q(dwURQfibNCFd$k zr9swZUf6)o&F}g$;Em5-ywN&Y#@U#ns2|E3ZU>Cz=#vK!9P->UnB_PVFp<1~+Rjac`-8a$Ps8(#*I{m53XbFWGeq+b@efd`_!VfEcsL%Y z)|yHNa*jSHQXtM$+ou{IdMdBqO4zmH@Iazz-+;A${=337EIiD?pYL3T+vQ`Uxy*NU zVl|UO!V9mG#_c-J|LN_@!>L@`eYLeSRTh;L#WKb=q*7*O$+RL7yG#kmlq3yHyb2+i zNh?#KjG2c;hC;@WDYRszEo3Z08FKDtslEHobYd|cEu$A+hjy@(%y|=^W z8~evzCTMvR`^IO-oHAr8RCEkwKXbO)I!jepqnleA76;FYZ$dW>u-oQLMpE9}0JiVI z%RZHBd6_}p;tC2K6*=JzD80cg6r*1PsU!XJ9j@JE#;=b?od2lt(W$O7#D7j+o}Cq0 zpcM*e7)!TC#g94#$t*jb#_V3*F%h#wWh*+ydh)!SieD`^75?VS+?;nbgt3MFFa>lP z3MpOtXd4=Lm1$$O2b5QMCd2==TDd`sUg*yp|o-83|If z%hba8z*_G?Hc&JVtk{^58iUYFy;HLEMWEO(aA3;`0;h}KT+-KnMAU;@f;JWktDW#? 
z%b4f(UMz}fXT!Z)dz}K)Mj4U@%$-7%(5itj)g!=btcdb2D;;3HU^AV~D@V+MFvp$(l2c7s)Ip>3lEL7!mqmT&dK?yMafu7~gdEOsD*^$?gA zyr)2zGyeu?4G`jRfzlO}6p25AxG@7{1)XX`y8z`6y?j4snyOpiDh5V}=eF zQDy9>YH+RsPVfoABOM*D6*`AzakGkv!#Gdl+gA;(&1y5xl7r}+*7tu--gWR zj_(_}t>H&!frotjal%?$&n@w&k1 zu){M8dHoMsyFYm%y22UP3Tv=xHDul5lx$kEx{H80!+<*5Nt_>bG|er-laHMrHEl$I z*Dl5Wt_vT(NG_*0l6}Uhg+AwOa@C&QVc`ic*9q7_B`>Dsl_sEkhf=#h4>Y$20DU?y zE&hxktp7z?NOga>$`eJs(N3p(Zj#bek<>brV%4em=h~Dn;CY+Z%-WA(m zE8yR3-{r~sWv=#J&eDG!9WbnxIsavz2^|DVhhKx-WNSXC}loVgk5r}J@Twj zpzK%(0iQ3$c-Wnh`i)%H_N<+(AX>tzipIs-81M+qCW2YY%(!`JVh zK4buoRJ5Hd$C(A;Jg!>91zSh@SK>6BnO*e8cCkbsM4pBpn45lDw?@&rEYc6nM-S-Y zzjPb0f95y9J8x03)*NrP4M>upaeYiU$^^REQ^gR3;j5I=ZHEE&Ag%zHDk{S?6$YQ`6qw=d`OT;$&%scBM*eo0Gl0er#;)k%d4~?B0%7 zTo0c=G9A2pP|T}QQk2fwzuoW?>oUQ5PXm3IfIvtsZJz+%A}p*oh_E6#RW^g3I$kGj z3Fb%}Brj*j?i#d=JX*qIGvRD6!;2vi5 zxx114rn!B=7c}Zj25|8e(H+p>r}C3!50%_I-VuMXl-GZBW&8eS?9!v3^u!^hobCID zf6@{eeIF<7#@+^rMAei-4f#NcuYnqb3pev&ej=h(%-Ef4-Uc+R4@0C#B>w!6S3sy= zp-g8_57(~Af8azOtphRb1QMI}m7fHky%jt_8~m+Q1&o9g!&^q!WuXMNU*T~xeV3)3 zVxkx1|4$qWyPl7n&26-ykkuzbR}qitBJ@@IO?kAS5q_Zl60D>*!TiuOS3-?*T9IkL z8kLriI3s9Aq!vvcowjM(crMQ4J$4Z?6WmH~;`<8vIk$K0&nhz$AHJJKn)_fnC&AOD zry67c^!Mf**Ez`mIS&_s7RBk(d!#-C*NG$-t>=eoet)IVl}>LJx;|jfh=5%Ez%iQJf_PC^&3RA+c9yqUehZ8_%u~UW=tron9PO~4marEw zpQ(AIHjr8ypJsXiBsWJ_%S@Na&iv%j7k?7#tjWn7FByqNKyKm!Y zCY2=#;@X-!_h6ZZ;S%JG4RTg00LtD-SlITR9f)xjjw)&4U$=2YI;YIKM|^~$>z*Lf zJjgZXp|(vnPz=W&_*pW`(CAE33q(eU=x_6GZ-_Qb%M*?bKRd(ZfA(=0QsV`;pw>Qg zEy({ijF2y#ldJqdMmhFQ{mZbm+FnGmau>!?YgTs2h&Dml^`%UfD^IyU(oI)sJmS=X z|F@3I!=F^W#^t4LsU_CwuXC-_!*uK4b9kIsE2Uf?$wV`~+-qw5EZgYU&x&$}#YS11 z?&h#A4yzOl-&8Bm%)8w(@nm`R(v#1Ejy^{gn>v}p!+U%`E6(K>k0gZ(r}adcJg|D< zi!CqpkJLQh|0>P=U4#-Cifyx>>!V&}wmKwgc<-3Rsq^UlvDrGoJUD#Ef>8p1D``Yb@4b0c63tbQ_XSdZa?shZbS5aUxRVxLA0y+k zT3hWK+7s>A`46q8uRDfVtrBJt>mXB{C5)pMIkE_ukv6NmUjDE&+8L@EgpC!(*2gVs z$GDs^IX)_uF)6j0C7f}|cDmc82Kre6GCOX|UhfQd2!$Mnh~n{v!Q`t<{Ql|;THe}u z>*YBfSVnApk+)e-=tbax5B`~cL4IDDYk5@f-uHGcP4np+a-RtFh94DjVh>l@OT-w;H+!JB1oWkCHo`l2kOCsaaTf8F 
z)JZ=PG2HB>-QpMU%mD9h*=S3w=<-j0?i(TXx-eEwmgRLp}%tDc+#T#XuGzAU|rL@kzW~(@Ws#02(W{b~J4J!?QshmyJF0s}v2NZqa z;QaP|gB|CLRmPGgz%0KhqZlZ&z0vny&)wba>u8f}bb5d`J9lI+ z#L_6u-ESe^bswRT;}fFOWibm~L*_=?t#0mLWb4U(2iB$g=t1T}J^B8D8A*0WZR6jU zx+fKz2^X#AIb$RJh@WK6#YFz;TCLtGc? zkSjbj=z3upMR$2Dr3>5XQgezHhJ|;Nskai8V(Ta58!&#erW^T1VN30{$thjt82{Zm zUrle>>ygVFV6a~e?pylq+>Fv{a*M0ix2Xs*+~WypPSW27*baS#AiabaEztLRG|n0G?XJaI*lUxx z)<{bM(tCuE=P#!p)h8|zs19kxK z4ygYL^@)sRd(kzr_XWVF{3|vI%y<-<1bu^91ZMn7(S|P&j05?uDf*}Bs1p}>S9|jJ zvV!J^9Dk6Vlv1v3NOlfFTZ6YL$fsPXqIks!jq1BsXY&zESmGKD3{p1oE>cj@Rux$= zAK%yUC&I)`(M$M!HRLX%TTY-i`+q;gxNZfWx=y&Fm$DLuDh3vqp_MHs=vI0TsfdgF z9vP(Yj)1Xo1m}!y+@brn0ym1*qGv5IRzzbxe%-j5u^Po!VYuDezEt#y5eOLxQji7% z4jFdf|NM0{cyU33-sj<0k}yOKZ%!XAum)G+WUSQgT!Ql{O*ew1yY{2_8Qzyr#ISV} zjuUUPY&-+e&sE!=@uv|f?C`Zx=>U4d?a9x#4Ul-O`^)T2z%|lFq$ea zR8WT5wkd1ngcVvn#0b#~(xDMXd5=Z$tF*WL_Bba7dt>C~X2q^JQ<^#g*4D9Kl;w_! zmssd!FNutCIGo`5GFZ^nWyqg&qE2lp$H+6bN?JwtcP?j6x|Aij#;DOxv8}?N~ z6KANouBn#&t|PfuqdJ8!>U>=G?C1M0c8`=3Q<=8g{Qg_zMF{cqGHy{AeIb#~SF+wk zVTwjNL`(0QDEQPz>Y6&2uEhRFh=r=1a@2y=^M|d>!DRk7ll955#~Py-iCOHAOKl&% z{$Vg3Pf9OWQdgX<%d&%X%PYFut|r`buitDs#a`2T=522@7V23_kG3+~{2TI)*fgR& zgMlE8t^YKXzYD$$r4cgY1&metKNS= zS2t<2z{W#Vva3E+=>=Z1p8p7n0WoN9`Z<#KSR(t(iQcv^rT=VrXVWuy3p z!t)=nZ4skpUL91{2{JN|{?*_??Wh4ua)8fl-&I(pS^?og1 z;+Yvcud*q&!V>nv)AySBE_|owd{NW}t16m)D6-+_lShxk|mnnSd8v9+Eh|3T+{~gRNW9 z7NXHL_`0|w9%jg-3Z2M{VOh0CD^CA?N8k0B%Pzf z2T9bR0e#3`p5oAM%p*IVjf8leiYLO1aKl%crDkcX?ZK=r`X^}G`+9Z@HqelLg?o5KLe2{>ZLbL zY0gdiz4*wvdYF^Ee%WlBnZJ~9>uiHpA3m~6%RAP|#mD;1Yu5)*US~&{+$MGWi>l8W zgc^(}`bq)1F~}I;f?&o~*E5kZCdHIp)Ua2c19xeIit=d#OiOavd`Dy2Mnij9Mq|yF zOLNNiu_$3BAIG)1lSRvp6YnQm^K6D;g#_!kld)>*FwtAd>wH_PaC%nD5^3Bsw@G3| zi;%u9{bBqM19X!`qT|V_1p(N?JwYVdNcHil8!GJdW1Hkb0qN`MIY$qBSDBHAf$i5%#c0P`HwLn8jKkXd>eCy2E4V;2m60RM#;oDjd> zTY*7H-B19kI=@>Cs|GNYqJvbbNtWI_q&z|(l@Kx`_HF>3L@$OLk)O}C1ugekXzXkZ z1>G_433wj>rRslbm9`H*RO-K^QL(>YrT$AA75iIM>i_ZM;oC8wyZ%ml;(zt=kXv2L zJ+B)S7;_#&d!btRV_x!d5yJL8e!)$cd@s1iZ$h3BbaZq~11R4%5pp1JzLrbO@6K;r 
zlsIdB{;QgrF50cVe1MbnPMaI0%*oMQZC(~l93SV1sQB9J}jJRaG9Pmdp5mLriPK+ z1-(s-LEc(he_B^IkrVz0J`DH4!<2g@5dudXZ8J599zgE#Z+vuC;C~q9_2r#0BRRyX0MAdW;2)!=nhqiJ(5V~$0T~SRA^-pY
From feb0958cd83a59669556b36fa58539c3d28cd7df Mon Sep 17 00:00:00 2001
From: George M Dias
Date: Thu, 5 Dec 2024 09:29:05 -0600
Subject: [PATCH 22/71] language updates, removed duplic content
Signed-off-by: George M Dias
---
 src/courses/advanced/02.md | 13 +++++----
 src/courses/beginner/11.md | 59 ++++++++++++++++++++++++--------------
 src/courses/delta/02.md | 14 ++++-----
 src/courses/delta/03.md | 14 ++++-----
 src/courses/delta/04.md | 2 +-
 5 files changed, 57 insertions(+), 45 deletions(-)
diff --git a/src/courses/advanced/02.md b/src/courses/advanced/02.md
index bbd3facad..473875445 100644
--- a/src/courses/advanced/02.md
+++ b/src/courses/advanced/02.md
@@ -142,15 +142,16 @@ This example shows default metadata of the InSpec profile along with the optiona
 ::: details Difference between 'inspec.yml' and 'inputs.yml'
-| inspec.yml | inputs.yml |
+| inspec.yml | inputs.yml |
 | ------------- | ------------- |
-| Required | Optional |
-| Should not be renamed | Can be renamed |
-| Needs to be at the root of the profile | Can be anywhere |
-| Automatically used during execution
`inspec exec profile1` | Needs to be passed in during execution
`inspec exec profile1 --input-file ` |
-| Purpose is to define default input values and profile metadata | Purpose is to override default input values with parameters for the local environments |
+| Required | Optional |
+| Should not be renamed | Can be renamed |
+| Needs to be at the root of the profile | Can be anywhere |
+| Automatically used during execution
`inspec exec profile1` | Needs to be passed in during execution
`inspec exec profile1 --input-file ` |
+| Declare variables used within the profile, can provide default values | Override default input values (as needed) with parameters appropriate for the local environments |
+| Defined by the author of the profile | Defined by the user of the profile |
+ :::: code-tabs
 @tab inspec.yml
diff --git a/src/courses/beginner/11.md b/src/courses/beginner/11.md
index bef1582e1..a60aaa197 100644
--- a/src/courses/beginner/11.md
+++ b/src/courses/beginner/11.md
@@ -77,55 +77,70 @@ Download the `Red Hat Enterprise Linux 8 STIG` located here [RHEL8 STIG Download
 ::: note Timesaver Ahead!
-We already converted the XCCDF STIG Benchmark into a starter profile using the `saf generate xccdf_benchmark2inspec_stub` command using the correct flags, mapping file and other options. In a moment we will show you how to grab our pre-made profile that we generated with the SAF CLI.
+We already converted the XCCDF STIG Benchmark into a starter profile using the `saf generate inspec_profile` command with the appropriate flags, mapping file and other options. In a moment we will show you how to grab our pre-made profile that we generated with the SAF CLI.
 :::
-The SAF CLI has the `generate xccdf_benchmark2inspec_stub` sub-command which can help you quickly convert an XCCDF Benchmark document into the start of an InSpec Profile.
+The SAF CLI has the `generate inspec_profile` sub-command which can help you quickly convert an XCCDF Benchmark document into the start of an InSpec Profile.
-To learn how you can use the `saf generate xccdf_benchmark2inspec_stub` or any other `saf` cli command, go to the [saf-cli homepage](https://saf-cli.mitre.org/#generate) or use the help commands. An example help command to generate the stubs of the InSpec profile is below.
+::: info SAF CLI InSpec Profile Stub Generator
+The SAF CLI sub-command `xccdf_benchmark2inspec_stub` is an aliases to the new sub-command `inspec_profile`
+:::
+
+To learn how you can use the `saf generate inspec_profile` or any other `saf` cli command, go to the [saf-cli homepage](https://saf-cli.mitre.org/#generate) or use the help commands. An example help command to generate the stubs of the InSpec profile is below.
::: code-tabs#shell
 @tab Command
 ```sh
-saf generate xccdf_benchmark2inspec_stub --help
+saf generate inspec_profile --help
 ```
 @tab Output
 ```sh
-Translate an XCCDF benchmark file to a skeleton for an InSpec profile
+Generate a new skeleton profile based on a (STIG or CIS) XCCDF benchmark file
 USAGE
- $ saf saf generate xccdf_benchmark2inspec_stub -i [-o ] [-h] [-m ] [-T
- (rule|group|cis|version)] [-s] [-L (info|warn|debug|verbose)]
+ $ saf generate inspec_profile -X <[stig or cis]-xccdf-xml> [--interactive] [-L info|warn|debug|verbose] [-m ] [-s] [-T rule|group|cis|version] [-O ] [-o
+ ]
 FLAGS

+ Click to expand.
+SV-213901:
+Old:
+```
+Review the system documentation to determine the required levels of protection for securables in the database, by type of user.
+
+Review the permissions actually in place in the database.
+
+The database permission functions and views provided in the supplemental file Permissions.sql can help with this.
+
+If the actual permissions do not match the documented requirements, this is a finding.
+
+```
+
+Updated:
+```
+Review the system documentation to determine the required levels of protection for securables in the database, by type of user.
+
+If the database is tempdb, this is NA.
+
+Review the permissions actually in place in the database.
+
+If the actual permissions do not match the documented requirements, this is a finding.
+
+Use the supplemental file "Database permission assignments to users and roles.sql".
+
+```
+---
+SV-213905:
+Old:
+```
+If SQL Server Audit is not in use at the database level, this is not applicable (NA).
+
+Obtain the list of approved audit maintainers from the system documentation.
+
+Review the database roles and individual users that have the following permissions, both of which enable the ability to maintain audit definitions:
+ALTER ANY DATABASE AUDIT
+CONTROL ON DATABASE
+
+The functions and views provided in the supplemental file Permissions.sql can assist in this review. In the following, "STIG" stands for the schema where you have deployed these views and functions.
To see which logins and server roles have been granted these permissions:
+ SELECT
+ *
+ FROM
+ STIG.database_permissions P
+ WHERE
+ (P.[Permission] = 'ALTER ANY DATABASE AUDIT')
+ OR
+ (P.[Permission] = 'CONTROL' AND P.[Securable Type or Class] = 'DATABASE')
+ ;
+
+To see what users and database roles inherit these permissions from the database roles reported by the previous query, repeat the following for each one:
+ SELECT * FROM STIG.members_of_database_role();
+
+To see all the permissions in effect for a database principal (server role or login):
+ SELECT * FROM STIG.server_effective_permissions();
+
+If designated personnel are not able to configure auditable events, this is a finding.
+
+If unapproved personnel are able to configure auditable events, this is a finding.
+
+```
+
+Updated:
+```
+Obtain the list of approved audit maintainers from the system documentation.
+
+Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications.
+
+SELECT
+ R.name AS role_name,
+ RM.name AS role_member_name,
+ RM.type_desc
+FROM sys.database_principals R
+JOIN sys.database_role_members DRM ON
+ R.principal_id = DRM.role_principal_id
+JOIN sys.database_principals RM ON
+ DRM.member_principal_id = RM.principal_id
+WHERE R.type = 'R'
+ AND R.name = 'db_owner'
+ORDER BY
+ role_member_name
+
+If any role memberships are not documented and authorized, this is a finding.
+
+
+Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions.
+
+ALTER ANY DATABASE AUDIT
+CONTROL
+
+Use the following query to determine the roles and users that have the listed permissions:
+
+SELECT
+ PERM.permission_name,
+ DP.name AS principal_name,
+ DP.type_desc AS principal_type,
+ DBRM.role_member_name
+FROM sys.database_permissions PERM
+JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id
+LEFT OUTER JOIN (
+ SELECT
+ R.principal_id AS role_principal_id,
+ R.name AS role_name,
+ RM.name AS role_member_name
+ FROM sys.database_principals R
+ JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
+ JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
+ WHERE R.type = 'R'
+) DBRM ON DP.principal_id = DBRM.role_principal_id
+WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT')
+ORDER BY
+ permission_name,
+ principal_name,
+ role_member_name
+
+
+If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.
+
+```
+---
+SV-213908:
+Old:
+```
+Review system documentation to identify SQL Server accounts authorized to own database objects.
+
+If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.
+
+The view STIG.database_permissions, included in the supplemental file, Permissions.sql, can be of use in making this determination:
+USE ;
+GO
+SELECT DISTINCT
+ S.[Schema/Owner] AS [Owner],
+ O.[Schema/Owner] AS [Schema],
+ O.[Securable]
+FROM
+ STIG.database_permissions O
+ INNER JOIN STIG.database_permissions S
+ ON S.[Securable] = O.[Schema/Owner]
+ AND O.[Securable Type or Class] = 'OBJECT_OR_COLUMN'
+ AND S.[Securable Type or Class] = 'SCHEMA'
+WHERE
+ S.[Schema/Owner] NOT IN ('dbo', 'sys', 'INFORMATION_SCHEMA' ... )
+ -- Complete the "NOT IN" list with the names of user accounts authorized for ownership.
+;
+If any of the listed owners is not authorized, this is a finding.
+
+```
+
+Updated:
+```
+Review system documentation to identify SQL Server accounts authorized to own database objects.
+
+If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.
+
+The following query can be of use in making this determination:
+
+;with objects_cte as
+(SELECT o.name, o.type_desc,
+ CASE
+ WHEN o.principal_id is null then s.principal_id
+ ELSE o.principal_id
+ END as principal_id
+ FROM sys.objects o
+ INNER JOIN sys.schemas s
+ ON o.schema_id = s.schema_id
+ WHERE o.is_ms_shipped = 0
+)
+SELECT cte.name, cte.type_desc, dp.name as ObjectOwner
+FROM objects_cte cte
+INNER JOIN sys.database_principals dp
+ON cte.principal_id = dp.principal_id
+ORDER BY dp.name, cte.name
+
+If any of the listed owners is not authorized, this is a finding.
+
+```
+---
+SV-213915:
+Old:
+```
+Verify there are proper procedures in place for the transfer of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test and verify copies of production data are not left in unprotected locations.
+
+If there is no documented procedure for data movement from production to development/test, this is a finding.
+
+If data movement code that copies from production to development/test does exist and leaves any copies of production data in unprotected locations, this is a finding.
+
+```
+
+Updated:
+```
+Review the procedures for the refreshing of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose. Verify that copies of production data are not left in unprotected locations. If the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.
+
+```
+---
+SV-213918:
+Old:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding.
+
+```
+
+Updated:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in storage, this is a finding.
+
+```
+---
+SV-213919:
+Old:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in process, this is a finding.
+
+```
+
+Updated:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in process, this is a finding.
+
+```
+---
+SV-213920:
+Old:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in transmission, this is a finding.
+
+```
+
+Updated:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in transmission, this is a finding.
+
+```
+---
+SV-213926:
+Old:
+```
+Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
+
+If no information is identified as requiring such protection, this is not a finding.
+
+Review the configuration of SQL Server, Windows, and additional software as relevant.
+
+If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding.
+
+If database transparent data encryption (TDE) is called for, check whether it is enabled:
+In SQL Server Management Studio, Object Explorer, expand the instance and right-click on the database name; select properties. Select the Options page, State section, Encryption Enabled parameter.
+
+If the value displayed is False, this is a finding.
+
+If column encryption, done via SQL Server features, is required, review the definitions and contents of the relevant tables and columns.
+
+If any of the information defined as requiring cryptographic protection is not encrypted in a manner that provides the required level of protection, this is a finding.
+
+```
+
+Updated:
+```
+Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
+
+If no information is identified as requiring such protection, this is not a finding.
+
+Review the configuration of SQL Server, Windows, and additional software as relevant.
+
+If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding.
+
+If database transparent data encryption (TDE) is called for, check whether it is enabled:
+
+SELECT
+DB_NAME(database_id) AS [Database Name], CASE encryption_state WHEN 0 THEN 'No database encryption key present, no encryption'
+WHEN 1 THEN 'Unencrypted'
+WHEN 2 THEN 'Encryption in progress'
+WHEN 3 THEN 'Encrypted'
+WHEN 4 THEN 'Key change in progress'
+WHEN 5 THEN 'Decryption in progress'
+WHEN 6 THEN 'Protection change in progress'
+END AS [Encryption State]
+FROM sys.dm_database_encryption_keys
+
+For each user database for which encryption is called for and it is marked Unencrypted, this is a finding.
+
+If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx.
+
+Review the definitions and contents of the relevant tables/columns for the Always Encryption settings, if any of the information defined as requiring cryptographic protection is not encrypted this is a finding.
+
+```
+---
+
+
+#### Fixes:
+
+ Click to expand.
+SV-213905:
+Old:
+```
+Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions:
+USE ;
+GO
+CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
+GO
+GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
+GO
+(The role name used here is an example; other names may be used.)
+
+Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users.
+
+Then, for each authorized database user, run the statement:
+ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER ;
+GO
+
+Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.
+
+```
+New:
+```
+Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (The role name used here is an example; other names may be used.):
+
+CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
+GO
+
+GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
+GO
+
+Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement:
+
+ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER;
+GO
+
+Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.
+
+```
+---
+SV-213908:
+Old:
+```
+Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized.
+
+To change the schema owning a database object in SQL Server, use this code:
+USE ;
+GO
+ALTER SCHEMA TRANSFER .;
+GO
+
+Caution: this can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production.
Deploy during a scheduled maintenance window.
+
+```
+New:
+```
+Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized.
+
+To change the schema owning a database object in SQL Server, use this code as an example:
+
+USE AdventureWorks2012;
+GO
+ALTER SCHEMA HumanResources TRANSFER Person.Address;
+GO
+
+Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window.
+
+```
+---
+SV-213915:
+Old:
+```
+Create and document a process for moving data from production to development/test systems and follow the process.
+
+Modify any code used for moving data from production to development/test systems to ensure copies of production data are not left in unsecured locations.
+
+```
+New:
+```
+Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations.
+
+```
+---
+SV-213916:
+Old:
+```
+Use triggers, constraints, foreign keys, etc. to validate data input.
+
+Modify SQL Server to properly use the correct column data types as required in the database.
+
+```
+New:
+```
+Use parameterized queries, constraints, foreign keys, etc. to validate data input.
+
+Modify SQL Server to properly use the correct column data types as required in the database.
+
+```
+---
+SV-213917:
+Old:
+```
+Configure DBMS settings, custom database code, and associated application code not to divulge sensitive information or information useful for system identification in error messages that are displayed to general users.
+
+```
+New:
+```
+Adjust database code to remove any information not required for explaining the error to an end user.
+
+Consider enabling trace flag 3625 to mask certain system-level error information returned to non-administrative users.
+
+Launch SQL Server Configuration Manager >> Click SQL Services >> Open the instance properties >> Click the Service Parameters tab >> Enter "-T3625" >> Click Add >> Click OK >> Restart SQL instance.
+
+```
+---
+SV-213918:
+Old:
+```
+Develop SQL or application code or acquire a third party tool to perform data labeling.
+
+```
+New:
+```
+Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in storage.
+
+https://msdn.microsoft.com/en-us/library/dn765131.aspx
+
+```
+---
+SV-213919:
+Old:
+```
+Develop SQL or application code or acquire a third party tool to perform data labeling.
+
+```
+New:
+```
+Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in process.
+
+https://msdn.microsoft.com/en-us/library/dn765131.aspx
+
+```
+---
+SV-213920:
+Old:
+```
+Develop SQL or application code or acquire a third party tool to perform data labeling.
+
+```
+New:
+```
+Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in transmission.
+
+https://msdn.microsoft.com/en-us/library/dn765131.aspx
+
+```
+---
+SV-213926:
+Old:
+```
+Where full-disk encryption is required, configure Windows and/or the storage system to provide this.
+
+Where transparent data encryption (TDE) is required, deploy the necessary stack of certificates and keys, and set the Encryption Enabled to True. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 TDE".
+
+Where column encryption is required, deploy the necessary stack of certificates and keys, and enable encryption on the columns in question. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 Encrypt a Column of Data".
+
+```
+New:
+```
+Where full-disk encryption is required, configure Windows and/or the storage system to provide this.
+
+Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx.
+
+Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.
+
+```
+---
+
+
+### Updated Impacts
+
+ Click to expand.
+SV-213901:
+Old: 0.5
+New: 0.7
+---
+SV-213905:
+Old: 0
+New: 0.5
+---
+SV-213912:
+Old: 0
+New: 0.5
+---
+SV-213918:
+Old: 0
+New: 0.5
+---
+SV-213919:
+Old: 0
+New: 0.5
+---
+SV-213920:
+Old: 0
+New: 0.5
+---
+SV-213926:
+Old: 0
+New: 0.5
+---
+
+
+### Updated Titles
+
+ Click to expand.
+SV-213901:
+Old: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies.
+New: SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
+---
+SV-213905:
+Old: Where SQL Server Audit is in use at the database level, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the database level.
+New: SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
+---
+SV-213917:
+Old: The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+New: SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+---
+SV-213918:
+Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage.
+New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage.
+---
+SV-213919:
+Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process.
+New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process.
+--- +SV-213920: +Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. +New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. +--- +SV-213926: +Old: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. +New: SQL Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. +--- +
+ +### Updated Descriptions +
+ Click to expand. +SV-213901: +Old: +``` +Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the database and all its contents. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including SQL Server databases, must be properly configured to implement access control policies. + +Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. + +Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. + +This requirement is applicable to access control enforcement applications, a category that includes SQL Server. If SQL Server is not configured to follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy. + +``` +New: +``` +Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. 
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. + +Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. + +Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. + +This requirement is applicable to access control enforcement applications, a category that includes database management systems. If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy. + +``` +--- +SV-213905: +Old: +``` +Inspec attributes has specified that SQL Server Audit is not in use at + the database level, this is not applicable (NA) + +``` +New: +``` +Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. 
+ +Suppression of auditing could permit an adversary to evade detection. + +Misconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +``` +--- +SV-213908: +Old: +``` +Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals. + +Conversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed. + +``` +New: +``` +Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals. + +Conversely, if critical tables or other objects in SQL Server rely on unauthorized owner accounts, these objects may be lost when an account is removed. + +``` +--- +SV-213912: +Old: +``` +No databases require encryption hence this is not a finding + +``` +New: +``` +When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. 
To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account. + +``` +--- +SV-213915: +Old: +``` +The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. + +Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, so copies of sensitive data are not misplaced or left in a temporary location without the proper controls. + +``` +New: +``` +Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. + +Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed. + +Copies of sensitive data must not be misplaced or left in a temporary location without the proper controls. + +``` +--- +SV-213916: +Old: +``` +Invalid user input occurs when a user inserts data or characters into an application’s data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. 
Invalid user input is one of the primary methods employed when attempting to compromise an application. + +SQL Server needs to validate the data user’s attempt to input to the application for processing. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands. + +A poorly designed database system can have many problems. A common issue with these types of systems is the missed opportunity to use constraints. + +This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered. + +``` +New: +``` +Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. + +With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. 
Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database. + +Even when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate. + +This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered. + +``` +--- +SV-213917: +Old: +``` +Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team. + +Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for end-user troubleshooting but very useful to someone targeting the system. + +Carefully consider the structure/content of error messages. 
The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. + +It is important that detailed error messages be visible only to those who are authorized to view them; that general users receive only generalized acknowledgment that errors have occurred; and that these generalized messages appear only when relevant to the user's task. For example, a message along the lines of, "An error has occurred. Unable to save your changes. If this problem persists, please contact your help desk" would be relevant. A message such as "Warning: your transaction generated a large number of page splits" would likely not be relevant. "ABGQ is not a valid widget code" would be appropriate; but "The INSERT statement conflicted with the FOREIGN KEY constraint "WidgetTransactionFK". The conflict occurred in database "DB7", table "dbo.WidgetMaster", column 'WidgetCode'" would not, as it reveals too much about the database structure. + +This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered. 
+ +``` +New: +``` +Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team. + +Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system. + +Carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. + +``` +--- +SV-213918: +Old: +``` +Security labeling is stated as `not required` in the attributes file, + this control is not applicable + +``` +New: +``` +Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions. + +Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. 
+ +These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. + +One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. + +The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code. + +``` +--- +SV-213919: +Old: +``` +Security labeling is stated as `not required` in the attributes file, + this control is not applicable + +``` +New: +``` +Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions. + +Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. + +These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. + +One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. 
+ +The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code. + +``` +--- +SV-213920: +Old: +``` +Security labeling is stated as `not required` in the attributes file, + this control is not applicable + +``` +New: +``` +Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions. + +Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. + +The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code. + +``` +--- +SV-213926: +Old: +``` +If the application owner and Authorizing Official have + determined that encryption of data at rest is NOT required, this is not a + finding. + +``` +New: +``` +DBMSs handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation. 
+ +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). + +The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides. + +``` +--- +
diff --git a/src/.vuepress/public/assets/downloads/U_Vendor_STIG_Process_Guide_V4R1_20220815.pdf b/src/.vuepress/public/assets/downloads/U_Vendor_STIG_Process_Guide_V4R1_20220815.pdf new file mode 100644 index 0000000000000000000000000000000000000000..c17a418a090e731e58c83b779279d0e7f700a64c GIT binary patch literal 892101 zcmZs=V|1pm*F9WYQ`?#vcR96f+r4Ys*3`CbcWT?VZFlPb{2r|L`S500qurLFTDt(lv>kej`Smq>=5&^%vTvKEo7 z`R6lFz4j)0y^pwZw6jk^&VtwYPEvvK1!XmcN~&Ne6}7jpVnNJF!Qh2K0QV%Qu-FA) z8e+__=;!(o5Z}G`l$zIx%ade8UACri-AO_OaKRuW-Nys!`* zH6rCr&5voncsOuT3NGPk=6R7A2|%;+VCgT8%o#}P#c+`pAC9T!U<}?vH72A%r+HD~ zb(UJZZHKgjmB*p1uLe+bJOuwkBKA-QY^8wvo@t*%iY4&)abBVPTPq;O-sp96OfiUb zfSH{}Le!@rS1U9fBjA7hf=#3h!K2aETy-dWZxqUg%f&GiZXR2sC-VY^>#MCl43-{1#v6r zq7m;%bzqEUaHQwG&l16+HxU$3<~(Y%zT*p@Sv-*lL5V}Pwu!9mH;Wk?i!B7~OvW

ne%&? zaed0nVb}v`S-O=I}ekbDpNW;GlvZf{$hC+7k#M(^%8rYdxh&i}ebm9Jq!T-eh&$$1U5Cum& zV`WokV(ovyM8t?0RZQKTi5Vqr{sk8LA1nMnR+3nkm{Hiy+Rjng-q6^T_&*9H?8HpW z_Mfo-rvIly|B(Dwvx>^Up#P0VMFl|2^}khiV&?w_`Jdhz@^~azzx4da|G&8Zo1g!kf>GJU$oan*`!D3gjOrF9|1^+=iHVp| z!qmbX_>aB+)FuBh|NpZ4f2H=Y3(^^1y@jDFU51he%}jZc+?p+Dksip_s5NOFFf=*&J7sbbzcD*a z6KXBx->36-jV)E;FSq0E_u8l0%%^)xo79TR%F5}rlV6$gIQidGHiRU3Yu^dOC>a7k zxO|)?)4H&OdPqR12Q6p9cL#Ao9toe z@r9jA=Qb&V35ivr6v8TwSe<}`>%St7hvy!tGlIop1a?qx)m>1#b^Y}iC-eV60$%Va z1?}c8!G?nst7hPP1%6Y(@EJj5XM}tiSB2<<_JN`d7k*FmeG=prU*GzLR6+tEJ0asf zN|NmnPWxBe{KYV52N5#9o-i%1>FFk?rsZYx?_dGkA;TrJqjb1>0zoiOq>CX6cp0_g z3yia;WB>>BXu`C!9qxI>)t#)lg|x*DeEwBbe*QGBEgX)eAAB2xfSu!LZXLx`v^=W< zc|JA+KHjn{oH~{GE9=@%=hg$2(gm5;cbS!vGo;+t>)k&!v*|VVi$omr*c_`U{F_Of zi&;GDIjn1~kkLfKXjrq0x`21Ed{@=PJVPdN1AZ6+MKYi*;ndU=y+NaB2sB&ewgEU_ zZ%8kMKsGM@d8|J*@e}?Bq{KN<|JPJ@?AX zMi^oMYs4{?Vabe}EW=};j#@od$<<~5BvZz@D10@r25M?Y?BQf~QV^iTx1G+jiORNf z&AxQbvv3AgmUexId+|(oc28jaa$^B|3cS6!3BR_8239}V+1=h)KiXA3*jD|t^i*7Z zB<(pfm0PI%eXL$S)qE%093S1>cQw^#Bl}e?yUnYc`R?_ZiKn}vwJDbILAefI(($=_ zoVYc8ko{ap5REarRcPRatNT50uSVf{!{0zjVF#VT%`c{eXrN94p^`fkPdDQ0geD`8_BNO@Wf}}+d zfDM?JGV265<7Ns6!2{iW4S}{5M6$?v>4bodK+1}_K@32fc>|kI+fS3aA-f`DG^l*J z*mU-ra<$xesM`7#|A3U*Mx0QW6t%GOOqrLv=+4oexXJK|@N%n-L`VHF;*uhKG=a$cL;}acyK7>jy z)MZ7Y^$lFk&93s+C9|Rp*Mbp;&H>Z*0lN}5qXGuAdsCVUMloHlxmj3%FZdLX&_Xk? 
z0W$g}?~K{nGH;Cw0KQ<3nJKR9l!iLENH!d{voAG-f?-vMQ;K@V)UylH_IDzAb&kjp zT%fG)f&U^q!wy^BKix7r{0@~4X|h29&9(H^1EOVYmq&*US|d|v!3Vg{hTG1*(r(kv z>{3GEUIF=-^k5x(vFN{IP^#{i>gQ9feNrhbZ=008ikD7kcXVmcYi2h~_EjflSIiL9 zmLXCQkqnU^!Z3qM)j%PUHR`BN<{DnFNgah|If%%-4^`jxMOVX^*by=2!m-=N#Q6+p zX$D`rcdssj!2V=BU1=3WCd4qEZKT2WcH(TlrgN zcaRZZ`A&VxX6cJROWo%+Z2fb6;ajtI*U=z+oFQ9ypb>~Jg0|W&&?_Z_1LkBdxD((r zAF4o*VGS9=vf$)Y^m;2Hyk_DwY;85ElKAZ{z6v)TH2YB&x1rcPP>3^ z;lSQY1Y%xN6U($2^QQ|rWdq-SW^@D`Geoa}$CvBQ(ewY>UFI;5$?+Td0pQJw^xwKAJp|>AzE{cBjw+ zoGBdI6Ckq4HRZE};=>Y5NlZi`G=GRH4JM%5JAmn>Anfd$o^eW6)KI6BPk9g(;zQ{nEYMG2AMTu5Bn&!zVdV0jZR7B9APz99a6 ze)5Px^qfI>XG92{c_C+T#>iWXO7qRK5Q6{A+Z7O#HN2+Zg-A5)L19vxO4N5p_#5QZ zOEF0fuKq(Oi2uCAEHD!MoZ$;CYmvzBinrHnFS?v5Y`C{KO-xz930pcqkvHvk#uv`h zRSr<%$`6xe;evJRfOqbSeSL3p<^1D3;`583BpnG9`@= z?6D%m1JFk_tDEOXtwi6L@?9jLEg}c-gGzF60u40RL^Pp9G%y8~T62X5+&m{N5%Ux- z(!Nuupe~$ll=RLxoX3u5CXn=)zO+V5Oz#kl@+N_@~je%8bez z@gds-_z05$ee@SK|Cno$4gUHH&$Ya?VmvL3wa5DnQsowBwb+%*@92`~a##NVZUNW> zcFDo(YYgze9l;m+OK)I}LhtXT7mK2CU_R0@{*GG!h3iel-D%#=^PaI8wl0L16H2sd zdvh+pVrYTaaB70NAz*Dv>{dM91spfXUamPHDh01rXF|Jk5x`^35k^3HD3(|hK_f*er5rKu+zCKqoC2H2ESar- z*dw1JMP!nU6S1i0xNrbt#|^PF2m@E!L^CWxrxKG_=9B?V`~f5_qa@4CpbU8kCauR09!}QK`dEg;rNog}lGHB{kd*g(A!WpB z42{iHlGB5`j4OfKgMP}7z%a3%+T*3X(Pe7@_r^B@RO3iJ6HSl-`&~XN5HGbawkr#sa-r1*oy`8ymuCbT z7$6vaUl>F9*y(Em9w2SBp~z_qm7vfLNMVp2f?sg{gTtvvsHg@Zk}8TbZiGNykKoI> z2Jkn#G#qy$RXD}Z@l^{wnlL{D*B$$`*+%1?KG?zpE}B`BBIo;PG=QK&JMqGpfiWQ? 
zDEVWSfcZM4?P0^neHpg;#nKuK;F&_BA(mj)6(1fawhwK`4xhB$6mHN6xGw38tC=GYbYQmPiSP4eX3VH0e0(EKH1p0uhNWxTi1e z`75P-AfIb@9~-iPG+E%^HYu8c0JjrjN=V}{GjP|Bg~qGKD%`}$>$prwx=Vs)0dfE%U?SVnYF}8!|7^UK6=q5k2A&Oo*M*VJ2yu z3Mw1Z*u7%)J;4_+mBT-VZG9ouY(HXkXQz*R5J=1lK%snK38>FZE=KoVN9NazmJ`~+ z2t>EG%QT5?e$BD6k0y!f*$iSRPiEbAPI2l{%c@Bw9HLRAbN55o7%p-*=83Ajyew1G z1--0768)8%(9CQ}H^QF;z>~7-v{-k5?#{Wpy}r=OdWtECeVHOgFI_w(FGVjH90*OG zel%J}ziexo4<|woWqYyZ)x*f6QOyoU(Ab2R3;iZ9_h)FQ3t&JhwC8}O`xJaM)a>C> z*_bWMzvEpS%$ctL_N8yO{`P32e~kR;q#t>JqYWW;NElKzU-<)F(fyK^;Mu4kZV;{{ zLu6N02xgO7fQ~a+<-xjw2Yw`?C`xFLuf&@n=T=pO>FF!Fw|n_8pX6c;_GK=CA!JCC$Q#L1mR%xkUG=q z@k;B5GOEmxmrW5ZvE{*dYA9zyygw~@`}Cwt%3gNtw8^y zdorAEG|*55u^Q6gJZpUSZ2*q;G|dweH2CWQiV}U&rAo~ZR4}I23+kiW49Buwh=9RZ zcH1YK*{wEATMbZNyGVxY(X@2l zC{!u)%UL3Yl|5Z?I!kar5`a}6@(B(K!#$7~bt#7!-ycsROahYQcEd%djpX##q)|@J z>t&SuN}RVWJqvZGf-ad`Y469hq|8^$Bw1+rlNP-(evaScsw~~~uUM$}Qn>pGBDUvp zQ?0WvJo0X$%|zKd})xaz&pnu}{oFHI%SaOcZ{ z*?`5#tMZn0#oohApNV897ftUBZ&pP@@OV;Q$qIIUk8F!eT(wg;F@y6I+UklwJtoCJ zWAd2T8s4ubT$Wz+4Ap2k-6{mb;-@w|p1VwoUQ$^J7gt)4V!i)9!J!IIqrJmXfCAcO zCD$S>k|%Mp1#i3`vtf6pWKe(xsN<Zspe(E5B=e=XZnWPJioqxedxs?p~ye`_m1KL2!Aw4)PB!>ZVO zANg8gWh%JEkT~EV2%>&t${-STqG1JTczz%zAs&52$d5`4(k!&GWvwnLOTBBLdh-ys zP_p3BJS`i7-|UT=GW?9z79A=D`)8DZNi2eL3H2 z1ClgDKY4zN=78`sqAQ(}kyNr$qd+2sdRzeAoLI^vTxn?yA6&2`f;`g_|Mf~~tf`{K zstx+8hUZ}jdZN5RqaB~_BTkiE`lSx6cZnE1fCN2PuJaN9LX2*pqFUE7shD#5Ng)P@5>z)qrRp)TeRl`z@$3z)O)pr(PAh?1+X9k2}010S;+gJij3;}2cJ;ztO8R|1v=aHXHT-e<=vy$0ZsiYQc6*G`l}B0d==P`0piZV4 zF9^Sv*vD5GjB6tw9U#81t)84$ExLf+FY9NDtgptDTbNdB{X^LC`Y=NC)H*x3Hy3l*o#LNQ_`Mx-njwz!lbMu$;0XYl z$zV_7z>yfT2cd|qiCe-5Gn^j64P_0f3_%XUWa;cHcp&fhJ>ew{p|eq$n(O!RC&tZw ztl$ZiM#rMvBO-=N2M1UGwbZRgw=qEBj|~Tpx2LO_rJ195{vW3zF29u=d9?-D1egLk z2gC)x_#BE&Ofk&IyiB`QEmZN;0~sX|wB(=e9{6$Hq@bk|i>l<6u%!~S$srfCfy)`| z7z91@?C|X0lQ|C~Y+qlPOVrykY55@!p5JIt?%~Q0X}K^@4EhXOuhU_@#W5gyJ@0&KdTd4XRQvpMe{hn}9EXD!KK%`aA zT~A>>8P%i;IJfd7xaaD~<{qq?uLUQ=$!!@ZfsPE{0L*1~x^TqYdLgVfMBue z=fi1Nk>9Pa(Qc40F629%>DCwICJ#dpHLMY>5fl+dkw(~oD50FA3YZcYHZ90yAdJX# 
zC?Fu{*uuTeLF}eWmXWioP&A(3U-gu0s}ZEPL+~Fk4ZYDitzK77O9YKKK8;98L%6aP zD%YG~OQ30ht6ULb8)IYK8$V%`R}dfv_8-5tV9+VBmKeDLZDjrKmmw*Z717um@g#A< zedLBo0fR#UIR$mlB!o6nt>JU2&*qS6t7r-X{1-!{tIpw_?@6XecEb^y*_PPfT(i9X zVk$pY`sc6wJa53eg=&_CKz0)dIxIUp1vC2Y-gB#oXOkhop=}~*v(apcrSjm>MhiGA z=;FbU11H-!3G+l#%=|ejrnW`mL;XQ#K)m!4fOL|qyTdH2gx0Vl%c?gYE@8tAv0nkQ z#z7=b!fU`XFj*d9rzs$kqoMHw5Qr;%BrJJFr-lz!2sQxeh2S^~VEZh+``qEm$Ncr} zo}wjFzE^}~5R?rDfe77id0Tfp0BvpAJ1gigF;)M(c*c;L&M+~@URpo>d((LZ!)h6I z4bvn5FD5mncqv#CLai59_f@R3=?}EzrIFemeb3hDlKaVxaGDJZcVy^ACN~@4ON=UQ zTDFjWL%!?f2)868EMnm}xn%wZXhtHsAvkC0-H7%77t|k4RQPD;ADbIE zLQMO$03(Kf5rGc+d9L1`#HO%v=9o2L^Uw||Btd~H(K(Sv7g8JLg@Z97jd%-dQmU%K z9IH*YC`$uKLW%P1P~|X-ltt4KL}@h916k`S8`d%gi$jWQK6y=fZTbqkVpxSS%V?2h zvjvl*rE26%1zsl_1JW zheUAea4aJ!Yh+!qWL|M*uD6S*7D48e6{S|I@ z-t1Y(MB;;7h65A$G;Q3+8CUtaF!~Fibh zeK=mDQxspiRVr`15P`f8qJ%z^*0HX5QDuaEDShU*cAlL6B0-qy6QjQz1QFPI91}^z znhFgoGOJsCKe_!#ohd;NT7?R$7JUO#Rhj4yC@TAfeARQ(Vg2<`S>Lk!jFBdY@bXmP zy_B8oyhg{2L@K#2%CLaDQ=vyrjt7(`F6aSR1iMD<{iQ={ z=&%vXMA*+Lo!_Z(Lr6@P;21uB`RHnVaPoj-d`To>3+rrMHG0B6Q6Rx>7F06rubosroWK&Kq@pS~Etj zQC9TkQg8lFh4P0VMh^oMY!S8Tsx-RU%_>R!YoRbLeo%@#!GZvJ2WW)x8JOCsiK{)5 z;IK!RmMDpOir&#LdhKh~Qc=dM+vszIA`~2&xkRX_+WcP5<=d>&J9%x?(hVg8Ni)H< zE|7qh6g@2d0huNXsnPE(poy*`CGZKZ93RUup&=Ts)nLSy_hZml>@|dO1(r?L$00#M z*AQDZT?&&D?-uQh4!ML`oLHmPyw*eB4(z;1RM(c(hgl<@-xKzy1%kMxh+#a#F2y0I zfWKkdNbu@S^C!3p2%gMmIXQ+uoH7~qa-H9KmsSQF=_6SF2AZyR*aaHZ2B|prM`*k8 z{Jbo%su{fnBLYn(aY#rim0YT5f_0fXkuAAiK^W||*9^I=n)%QGt=$=MM*>$iIoPL~ z!WvuP;Ff2p71!@;zgk}XT?9kOS@(dEUu4kc22aF2aDRf)p6p*-5-jg#&)bD3d>_&9 zZc%h$!gAx|sMKH}+-GXNPQ-G($^|)rU|WnPOgxbVbu??-2+Jhd=&|72v2S~%tjro^ z$>N5I!UF{Imbn2?)}F@yMbFOo?_;aMkB3r|iT{J|(%_&!QI&$_}7XibZ{Ud=!eOvbTM zy1qD!*B5zN^%^xXv8$U?A(YUqJhENsE}RbpYR3|3r8-V183qfmMd-j(xY@vSw~yl{NNlsdYjY0IG-T2L&UayIlp*pa~K%g)Cn`CF}yb-z7|I* z7A9cyhf8=jaR8ej^(kcW4PpXPELB*cC!=2t=74vu;fS=O>pifr@(EGBRBn_6M zv4P|GXoeNc9MQJu6D-mO_xphSG*I&iwcxIAf{346GAAdv5{@KA0_a0Rzq2iWh%?28 zL;^>Z6iwE4$!3Q@I^B6D+(Kfk?U7`sXXK2eZQ|ccQ0%oI$Aqwhnm!WSoz+=>1v5Z+ 
z3x!~-L08)4Gzp>@QnMUTJDB^q0XyJnl5@d)5bGbs0I%-P#YC2OnP*NxM=q&;NVA20@`kh)oAzl% zCVC|`4*0?umX?`c$t9@c{>^KB5TZyixgdZ4e4CKdH}fzy8srh(|JWUs@f07fqLi|y zBa-dZ*4a0d05gKg6)zT5{qw5&X`CjFmY{QYhx&2CukeIeJz2zOMrxaXg zvDWi~k+&_Qqp;1y@8}C&+^YRt?->Bn_nJ|&o-vJ8>uLFma-&k4kf_VE&EBm$x;7|6 zC(p{jpLJJ|4J_(rWH)$LhU^a<(-T@*poZ~<3a=sY8mWf%zUeNy7{;MdCDY)T3C#C6 zSwy5n)w(7ovWIyEIbH?m&n$?n{264tV7Hv-Xaii7!1U9_KjOH!{HGV|Ra$1ta}miE z%u`kN2zYQDp$rVYu<%cZub%9ZTFXB!rn0D6itDYfj&gaqaq|PEBRtU?uk?U$lhx)l z2XMmW83K`Cwi|wN>XrvmY~3hU;DykMDj+m<^H#HuM_(xf3(Yl+Q@&)nhT<`r7dQ+< zji%&+!2zVXq?3ajlgQ}tJtkgb57;BrTF zDSmhaVIXrO6YL4qPt=4rzD3ZJgR4x4mZ(oJv0l)W4BNoR?N$+%ov_in{CjU13=(fs zro@xs{SI7M-A6=pcVQ>pb*Nf_(u0#1j+f5UOiPPX57&paVr71!@wJ>Eai@%RSU=jJ zOuBKTZEdORdo$s1)LO)z<)D^bL)o7>64$*Z6n-U#iC}Hb6 zT5fD#jGRN`>A!IB*;MlS-H0hk!tN}KX8v65MX@o-Ky$Z67X{I4_W*C2r3u_istY|C zh%;FbQ6P?&NTfnBiO;KYXrT6?tBaEh(<#!#AEL|Zy}w1K1v3N-#}(w=U7**S*6J9S z>z~kRTr6mYWwp)h@Z#5Q$Qgd3vfn>DrdTfk=tgPqc1Y+xaAqyW(!`y{cmKUBYIqGX zY0>B0CdoQQ5;hjE`%|l>0L3ge85+>{*~RV-cy|5^4G!N1R%DC^r1Vx&bp&%hq_sC zeItRMnXE!vVs((jaz2!8xpfa%i{GF0Z+3@Ul8I9y0@NBfBl+8cSjj~BD74rOlU!DL zUfXnEnVcqll*VYHt`IC;u_q}OxXD>3xDhVnqLD@_Ndg;T(g`_&?yaxWGl{3_>4{Wa zxzMD)@pKl_*zFfwLS!Qn?HK6B^FYB;zZt;j32m+HSyT%?4N>yhAX~He)*nQ=7`ZnEz zESW0nU@$^y{J971s03O29E~;JT}xU?T&sQ=n9aVtUK9-iNaQCen6I!4B>r8_W@1TT zjX9Wj1jPc51LNQ}!M2w{*Ilqv(&Y-97LAF#+l|QLkt7z}-xE#ousdS)6^-o-zz8^f z$tXRj^6G7Xa@VIdcgyAz%kyo=nK)qj?bNH2-02K4dAH!pag#2H7{}MX+Vc371eR7= zmi%{rM}n_@;^}gFUb7UW(hjlC&i+cq)1ipst&re8QE(q=In8ky6Ru3Kyhy-m8Iomx zrC;Wv$2@Ym@5gFUMNIghN}*ueY|0$(55p9VMTc~wkG#=N-c-iib}g$)Ir*HF{F>vu zE~2yKXUxmG#;r8oYtrkdT6eJCCopmq+q~?4wmcu&iW%7+tJfMXcmn(>323aR3#CCM zjS3`wgJ@HthaV@VZG=rgFCYhvRN3mM<dqbMBkb4;T`R_ReDPgmTEUw?YhNCSngj>4i&Z$Kl(bkudTtb>zx zBbI3wnyYt>|z24 zvNY(wWdOaxvKmc_wkMNJ&T1#D$FoEpV2No{6|OBCzXna^bNd+?)q3sX{JhlT9=#MT zH)XJAz(ip#-VDr$^U^31)ou#-UPG-LW3I(65U|;THzT;=Gh zMJo$->F!BS^q1}j;&lennuTDwoAOIn5KhqQOG)F3ydpNx&xlaOlAA6?Mw+v4=uy+= zq^0tyCGj-WdYY=gDkZ!NWPJ+cysx$&CY#Q|htVV6?}w#OATxU(>!ng=nb>XjJ4$ji 
zMa{A{vNbwJO^o&2{k8S-8)$6Ds~^jBzT1f}wiSsl?Vcsd67(^|ZOIYRlSnX&A7tjX zo>A{AEB7NTAuPF5^*q05PO4SIyRY7l7|!g`8iVpfDZ`2mB>EWJU$SB|wOUz6$Jp{v zY_xw^uDrqetcwAi;AR<1@J zYgy`oI9B^WS#-X%%BxpzOOS%jG#nhfiueGy;O3%Uf7*k+g(*PWPyXb59k`KM-rGdV z_FUSI4i%dX7*PLy`*M`!QQr|Up>8A>Lf48DOrbcx@A4(a8{;LY;o)6ivcK5A5dJx& z=bqRc>d0CzU)RgH@bf`DYS1ZiQ|ls7ZKI!XqZ4!^%eUjhx3XVNbWZxgMxK1*2FC4^ zZq-G&?i18+g4K7(%0V;=I3c{&LN!kxi~q7RK|`3Xt_J^bLoJmn0Z+7UXH`e-WvabK zI^$)ixk)_cX{fzSL+$mGt{MZYTjg+N{dlG0sOx#ueV@>8i0#q8SsY5;($2QJu7Pc{ zoxZN}{d9CR;`bJnB&r)dt2{m&sL6YXO9#EiN#h}@+xW`IeT$t$V>t_V4h2x+zSNRbYFJ{j?dQkqy;!cVzzCK9Lf??c-(PxyJ6VOq3CHuM4waZnIH& z*XQQ_2U=nns}{=TP6;tO*;6dvMDm(jkaF4*UeIu;>F{EXZxvs#`kL$6{n&OWDzOs3 z>XFV!mcT9ZJ*PRg%Q(k-g}Y~(rEr1WYtVcG-0;$)bR4OJKzOhUdeVkNR2-=zhi|Xr z$o%~=b3YPSa!9y#enEXB&d03T$G6l}uhQu(`!;B3q@!kRBFg$%?+A0Vj;`}qS;?Wj zX0HB{%EBXCQME&HPB$}av!7KJYNR&KEt_@CL0Rp2mAQJDzEMv_V`}RyuIr>m^A)kO zssocbRm0cRWQ1J!f;__Mt1Banw@~&a=Q=_AJOLXW#^OAqWZxt?&P{_Pa$Z%8furtI zZQ*e}XgL69P?^)WUBbMX(rM1<3Tp&5&8&4e$ULju*mOP2Oy^h8St zf}3ZxHw>?OiS0nLSI4IbLVGa5JGW@d&hO@k-uR*B?_1Vt3aeM|2@zw{z#2`EB^Jk! 
z`UgklNYgkc-IMI=_)?1vR>0Jh8m9){ph;%vO|wkfah&VI&zk_%FXfAQN>jZkQ`=PO zud&%r`J_L{er3@dPy6Y&OA;ww_$;g?Xhg0;yPAv-s(7y zq2{jKl{wzZZ>&jHOy~rZ@|qLS#)w>&t-730c}OKcOowgmL*Ew=(K1|jy_tmR?KwQh zWCqf|Bts$x!s&}7t!QKLr`(h=uib|$e~q$y2N-V?m_Cad_6rL3s-^F!(TGnsws88q z_g?Hl^Yd}qSzguk&0@|V=WCPqXZU28vdCfAOg!sKH$1|Og9Rx^4j)JvvS6`ki4!-%DhUdra)k;lhrW>8XHka zGsL^b4kA2j&pfXdT$=!zz#9`!1T8>J>R~$9t3qHnLw~N;@!!ItBdNqzHZ`6<_N?}; ze2ds+M6qdMWO_D+5rbiZg`9kO@}{UOby>ivBDa_!wnEDy+W5XsKCRaO+bA(az|-TY zHDZ;k#-tWmZX?E45eXnvEI-Z|iG0A|b?Kf?38R+RSSTbbp9n}&kURz>c~AJ>0-m36 z8*kL?r>ggvUO8j8zuoKON4GUV37v^o@&#hiCIK%a>32!~1zy_*@@sR|2brV&7_{hp54B3QvT+K759(rvzUW?~72kCgf1w->h zz)J%id%kO@>CD`HTR*3%SrUMMxP0_mWkYo29>pW4*0i(Qyy4^dpe$v&NjG(iZomAP ztL0czPjdub%5U>pIqfhhvsi+zDHhhwW<%{|HY(M1BfoQ-`v9Y?r;Fbe{ifD+va@Q` zkB;VIH?=te&Q{y{k8$@?NY#Eh%S#6Fb+~*#Y>qhG_L$yEbVuoPZ}yzkNR9ej^b^dR zjB%kXL=b17Cg_UCjHg){`@qx2Qi-USuXQj0b8y34;hPwJj4WjF=8B(Ds{tKa3nY$- z58ijn+Q}=dg;G-ZU;vTR^BW=s^xKR;dtz{FmW7b<-&2T)0{NUL-Gs{|@8 z#O|3!$8gTNIVKBSgR$4hr0mKgvi&)>GbZg6$pU!0Rlj4&Ysi&Tyh}}%_dAl3`b%(w zqw$am1|DRVs+0seDy3>MC=iq&qqUw+Jdv=kWpv*3b?}hzJm?Z?$a77sJf@p9;xb~P zk%g&Azt9wF%>>*6LKvrY**&p)RXB5sy`ITq+q1d*!g0O00D}~>Zh~RAbMq#H=R88y zqSeBdpr;{4+d*H)W9;(~ZDA9>p#pl}#_g}R-J2Tbp)PN(%UPtXS_r_S)JMuerN(b( zH~l1*wbFItB6x8q;OtHl=c>Im?uZkwg?i1P5a_$Eu|=lR~| zaau1|JwEr{<30EpKOR@Forp$7Ag9IOn0l99%$dK&)6AtG^D#T#TS;!WamLTS9s6P9 z`?jJUl}(RLWsl+Z7p!`k*;RkbNx$>0&TZso_4MAEb@*7jh~NrTMGu(1{PD3FM+pO^KBIX8!VEaU6#{nO-0*ZDU=(%Bx4)13cXHH- zDl0ekVs@X5rq3Q(0q)k%9(0z-ctE&rS2AnxD?EJph$WB6eTNd}N@pE3Cx-sOeJVx} zHWZGLK=AZ`q z?_jO-D!S}@+Pcd*evLhRdAY8sp?^J&AKf`+u6e?%OyF6g^Z4v(`SMMXGB{6!Oh~H! 
zT4+Jn_wzj6t1SCcYkj2}J|*0Hozb?_-RQnJOv&4i3u4>AkJ_w`bg~(r(LCf&HPfka zcj36)2Nk^YaD8UYtN<1DjWxX%?isKth`bmMq0&hIcdhf5$<_hy7r1YAW8=AdcI}%> zTOUp_DesB5!57An4O`+au#cRzV_O}QPT02 z5WttnI&c3G-P#SJ<1$SgTQ*P8zU*1D2M{DRY3FJ{XVt?GvXv*@XV8nZx^Tit`|%s; zjSOP__9?U70fA>VZJ^9>R;f@LGX48UjW2xlH>!Ht_3$A*PYu>omr#(oqA^rOY?>#5 z_eCdGVq*e1rZU|Ckp0iPnZ>%8#o5q^*s+4*(4Bmb-on-|NK^g+h3oRjK;N!mg~THm zjGT6Se&dTG#41_o+h_ZW9QMa5GyCcs5IB`OCNRciQYlgx@8!ley`R1=iEJx)wi<7* z3J`pxBi;u^K3^laeOL#SYF<~KQ__6Zqdm5I&Kni@lNB2b7W}C>zF)>y@&Ow`qFezj z9q^>FS8zM2K6a7@UC(e_DcxHOu}a^^@X2$(3dDC$ z(Z6kV#A3itxt0xh<^_1&QH7W{)EY~@#-BgO1zwR@X#OZqLDrKj6_-^EgRNjY_0m;& zAitSUY#6`5Iq`fJ&xMQT%%GFqyiCxHcfEX!FB!PQa>Sqro087aMqkv%YT8iI#lrd= z9PhHIuT59?#9Elx)8=X+saxgZrLF(d`u4G9?9QN^Nk4zoW|`^UXmTc^haibQ-Sqn@ zd;|7tcL5V(j;Ah+$%iROgi=VJN*-I@-Hx${+IRMNpyKvf5QJ{z+51;V2xST1rw-F2U4S^f!)4H3Y8NO zeb}>+Cun#35=*gJzZ8=Rj zw^_1@>E?}7o#ln6n6%187u`=DOe-bOlq)>#ZlCf|Eb^p;!_s#~|21kwD@c8e|Pqk;z{PpGH-b?*dC&WWV}KXf96SZ8eeUTbI+! zHe0BzlFj&^w|!Y(HwQ)&Iq0NfsA+0w;cGjJv&(thi@LjaOQr9fPVfo&WqDNnD17}q zmu5CTqJ%!+(GuW4xe2ZH%9LeXnLIn%gLHZ!5nHFE0j!peEnhdn@5CD zQXvO%%s8zMrRdHD?)|Yg3d`@$k4pxDAW-d!y8v7F^?(HqEB?Q7FVOU`TXZND8~mCw zD{M)MYcZ4`oMpotCgKZRQZWPTxwvSQZ>9%b42irEz;m!?CE2zpIAWT3$WY8A3&Usj zP{>u#(XXo#_EZ)1irQBy&MwfC%$>?>2-HfXDgCVLu?%bEOlw$Nn(s?b{lX{n$F;439gw)Yp&851xvC{7SH z`u6KT-CC1o_*N+9su4VL@S`+Pcf!aW*z4*&xt|L>t3r<~Yt64|5%?_A-Sttt1|S3X zj+XiZM;a2KM#eog@4tEpMrNLz*RhUi;VZ2hq}ZuOvVSG>ZJ;u%mtuR^aLw%}xP8UB zcnhr8kJGPAdzvP5LwmXQjQ&3WF+k407&Y{}@_eRdaBW$zJ9Ify7E-aIWhF@$xb8kH8TC>6J`%E+ymVGM6 zCe7KV$nSX9Q@@fuK56l1Zuq@wbZTvM?&}S@_sVn2DR-L~Uyt0%O@$Tic?IW2x)nK9 zlKe;3TL(mC^@5`3Ru!);^Pbt}Jd-B<$PA5NVPU#?OWghLr^n7;(AJ{q8+*Xo5Lh1s zaa4w7()W0Cg?9|7IT-)&(1f=&KGj-fc=b{(n8EOB%6Gp0foc{cv`PH%J0gy0!!Yyy z{Ch(vumR?;#nW{S_=fx-V^OM+C=+M0iDu3-abdw*cEPEi?DL!I&ct5RIt?$_#6$^* zCiUycRK>O+U7&JBeg5A8>%YMj$fnFr(NbDhnGXUcAhz57vt|x z9)6&&Nt%DfGV73QqTv2Z&$c=#8nGQ8up1eVuj@H<^4|WC^2oi9PNg2a7Ep0TlziQ~ zq6tD?lA^ngTV9)IS94SEIPR-6Dm}3wCPmYCGtJGWd-P>r$8}>1OB`ED75fo*VIZ{( 
z6iF+I7OV6*z)V=3@yTaP*KIU-^t@kc7ozdeGLpc-KoG%}#~JW_b!k?MR~S|9y4u-~ zX|I<4VU2e_rg2@(lnHu9;doAzv3>M%hO9D&Fwh(}HRLwh<2Bt~g=XrotHJMwH~^NP zgq$t*0u@YTfrx>x{_XbP;R@sxwgJ3USHf!vXJ4Y>eba3r(*yRcO?JBvJFlm%HL`)% zDyBezIuu)ewH}shdE{7Gm<PIy3T1$`(&0xdMw(z1MkM$irH7z{nebF zZfR?uIP%cXmT6_y>8Y2xhOFZEyQFM;(0e1a%*Q#m(zReu@V4~$qZJNiKPn3@?0DH^ zlbhyMc+9i-f?e)yW#LWPmSdJXj=Ar;>{PIS+wEJf>B)W-JH4w8J69f37L@sHD+=FR zaQbm;Kxvido~+b+*Ti{Oq)GeA&L(vZB#(61_PjJ{c*1^o-}chYl!~Kii3buc^tFTrrfoN5ncJ=N52T)Jv&nnlu)T|2@=Cw>n()X&{n$#wfM{)|?u83mUyruh z1o#m6mU^)015y~m7+46&;QK>mBS5Qi--XYXXf4q)(0KRT78A}IV|DU*0kMLOJQO|wWg_46aUv0)t>a2#q4L&GQ0G0&a z4~er%hi|1ViC@Q0(c%Ox$D5}Yordb)-YLw2>Yhc~OvM_CwZ3T(OPXyc&Ze^C^$mR1 z!x7)3s&jFGc85OYIbhU$#aQHN!%K9rQvi?Y5dXJ$3gqHTO@`0rh05U z=+Zyn)7dI`{!HFK5cbo^Wsj{9(!9)+yRZF@K5;0z=$(Hkxa_oJ{#DETpRCJ%wAgY+ zxb3p#u8aF$)d!Xoxa8h&$a|zHtQVCwampVE%Wm2h+;U1ke(pu1Uv{x)?pfEuN0tRO z(%fo`qFWB-x7_yJQkFn&@+bEl1(a{t|Kd#V(tQ_3Cav=e z?Nc%nw#7G0XCJvK@QKCeZS^U>k+-M*lDKq>u;N7C^De8Blh&CRT}z%=6+JUAc>#e_ zVa0v!j?4V=13Mno_+{le7Cf{md?qfc$j$=-f zWnqV;pjA@XBr9&R-g=LnvgdGnn|W$t;I_j@9#`gEB%9DHRcjx+7X`fuQzqp?_bEPH<$kkD!2)VpFz}JG}D?i z)aEnP7nfgTZ6ao2CEp4N+@-Ce`-tt+2BuN@_TwQjnV^P;;C~zeEY2cWeWFA6B0}C7 zl3&bNk`ab0NG?8j(*D&ZGO4Xu)NW41Rj=|c z_oA2X#dn?aPdOAEvCKbiU2&O{b&i++bJ5oCM`uFo8tnQ<0`Jt>6 zfNdH6g_VKDMb}3!`t9*I&nWfWde5Wih+Fw-*L}Cer3b2NAN%d!A;~|YD0?6;s}&X1 z%F16#D;|ie&I=27?S0<9DXYr5?3QKuEou2}$(B3v$_L7l`*wNv-Se+j-g)MhztcVM zsbgNVRmpQ%@ncEZD|uB5MAzN2&s}Su4Xiva&pKpLc)~hkYe30fm&lCt?R)R^G;Yd@ z56sOgyYwLSYNNR5yhE{M&%MZ+y3oNkpN<;tvj+}=iEi$hdt|9UL6qJy@2vlxd+wz* zyo8?xrMJYp@0q9WVQh+7W@_5HFb>756k`)I)51&^N8+aOT=uOpj{fs9{;lSjkc?uD zzx?H$k3Pt$I0%bTRhkAsH9tHt5)vMxq4DwJ#mptkI1ipeJQZnty4=XpmuV3J;R{1p zCdu*UNR0CeWTQh-L!GX}*usQeSS<|(0IW6@(t=RGslpYM+x_e9U*igkQ2-+0$AEE= zRBBN5F3fk%w|Y*r`1Z9&{Cp#Ft?n|Sku_Zq1MkmVNA_B+Zw-ws-+k^+AAIrFM_>K< z{be`qcSAX6_0uMeKY#tr3WM)A2;Tjc`Ne7>lr@sTwR27W%X_O#1@2sn0Gily6~k(c ziDP(<>+^w!n+pyP&cz$Ej%B<{iiC zUkLl!iXfXM&tw&)ipv z`C)^KRIoSBvIycT{`x#N$J!w(1te{0&_Cj8HPrBujMcIiHjbpw!yTql}#ici8 
z<@e0X9$1vzwJE-1Uwm`(-g_B0pV^n4a4f2^&2O+Ser{P&Eh&E@-TKnA=xpkdC$W{6 zJabQ3mR*-t+_T>L)V%PX&-Pkz{NbH1I~?+JHsz#V>F75I+aW1@xT!#txl7di+G(tT zi^loz|DIgCR~%GOWSzdlXZuC3;w|Tzh8fE^#@4VY#Qcq8JPq%H`-F6!hQ4~;essNR96;R|P zAPQzcBv;Of3@RWw=bUrS83~FxYrXT~{4;mG`+gV8g$Pw>ZBE!{pMB8h!QS}@DanK> z`0GJJMa$fs+vV9Qw^kp$08qhC_mh`zUcEF3Y8TF*UP3wpTf`e6C2US9!zT}T4l;WT#Q6};O2S0AJg zxcWeO0g{mL_U~U1tl*pa0IIFGZ_O zUS?QtBOLQE!HLVeG5dV|qC{#$@WY(ddW!q0yaAkOh?TKG&<B?rEI4kB?b%+lnOsgB z+-xYFZgJ;dDjKUuxSQ<}U&lzAvK7zRrmSFPBaZP6e#&Mm_GMECe0^*4*wUCe5p~EJ ze~9RHgdVXE^fr!HjvjMI;sIDB?SN|a!K04e!C(I7_uCJVc`+=x!2Tr`&nC0Ik*@rW z9#%h09Q~~E7r|G=5Fd92eZ$0rS05U{54eH}!N!XhbK~Q+`bS3}En#AB+S@rh8QJ-r#>Si5#2Oif>f~K8N`Rk> z2XEg(LACpc#jgMSrnYhA!#@nFxEFfZ=exh9-@K=PGW+Po=igZzGUD1|uVbjN-o@Qx zVeKQ0Y#GPiCi9I}7V5f>{^QBcF&3 zPV78E+mF*#1ZnSNc1@ARc^vhyThe1r!efwEIq905RGkcYV_MtXMPZ7qY7Qk|BMYA} z5+8AsR-xR&%d))6Ylyk64%&A3#we00D(^m3xQAAx7jdj_^Lc~a&%|_pG{i73o?O&zkSR|#p z28rC{HNxB7N`KxZ-=tb*!W=pIv6*-krJN)(C+{Q3KbkDjk@Y#SIE@A}nm z;q`(J>qkS2KYn=(&xt%{?)?Mlh9Q|}h8CHhK8v?8mEAN3`y+57++6e3zpMIys~vgF z&g>7#hX4P+09QMT2+*ek{NTLZj!^}mX=i!yf&MK7n|C0udR3%frs`Ku4c0@sAYcKr90O6TS|aBmpb6`M9Pue`9gv^&9B<090?DfEohcd-(p< zqqW`Nef8~ehaW6MjGfhB6SU9NAdKfV{dyi9KsO9dx4BwQOBmn?rl|4}hP3Wta&{nJ z)u&&*5l4?SW(udzQNK0?{#4DLMi^$4qa&kLSJb+Iu z&0Og7%aXHX?G*kzOFl;tjuE8&MCmYII0c%f|k@is~bB>Zn4)S|A zZ3{c4D5|jWN@^in+yr7{C)FfYHBFZGam00AqFdscDHq8YSvrT+bYOM$Bvma{*2565 z(fQ9p<)MY6gPeqVs%R3Y8bWD@92GM-**we#J>(5OYU!1{WM0z%KH)A|(Lhh@vr**P z3FY=zUGENNPdseCkQC2|?8HU1`=y9$x62cYFGdydNSbuKs)Vb!>&{C%udVV?R5H~q zj!E@2^{82J`sXItnxWRUXU#TF2TkofPNA+JBZVF$o!yHK-R*E5j_TF7tnAwL*S!ZU z@T?%9cWOH3e*NjsfBVtmgsn$z&Fp7C*#GKp#^$8Zd*DUz@lVIkc%H^wfR$JSEbMek zzdL{#9uYoRaeuky^mLA?2R%Hff?+ZYh(y{lxK@BL5Igw}k-Na#POXl-19*bZ`X{d7 zlcA*g_n!f0khrE_Zztus&W!= z1+zJlWQHW_W6Fxn1pYZ^(aMw+w-WT*`O{n%VVVo?z*v6d_t#i>RdRl^wN3{F17 zmXElID`*MPSrffLt1>0ER81RM*M(Cxkd(PD>crSmS@&97VC)UIxC$UWsvke}P=ti* zyt*INT)!(qU-t8iKVLc0n9}`#Bd7q857H?}x*elSaaWQJoJqGDGz*XWjjYhe?L1(X z3U>!!CG(K|jZ0D4;H3KNPrirM^2WZ!)V%gxzu$Ml+ViBXH|#6@WK7w882jY`dsB=T 
zyv(7o%Abu$pcpprMLeW%k>RWc|Bk0l;=X6G9fapCKOtz7ik?0D1eidTS|4zaF4pqKmV_zdQCVjFxP$@s^GnbCd>L z>`vpuzBz9DvpMGXUmVirHbcsWXMV1Kz5QZid+Wu2{r2yF|GUxg<5a`r6occ09}ZaC zV*^i`U$BK8XGcF%0&PLR;lsal5a;6(Re%x9Vdaa~+8GP&pks2YTV|oWI<;m%TsM5a zZJN8G56x}yx{G58kr!@F^ssqSSAHdv-^fg^Bx&jh@;S1&pCyqL z&W-zv%iRQ>B*hR`JxT<1igc8OluUyhWz&Vb&2d$YZjwys;>n^pv}_rzT7Z@i6bR?i z3Zw57u|@54Ssw<$)#L|Uc}uc|wPPGfA6YgDc@RKIQnmrE7@`S=U?#bv!i^_!5!F(~ z!_JB^jB*OAn1YspCF}H1mR&EtD{XIMiOOl>4!pbtr*38N#@X^NiZ%l;yqVe2a$TjQ zUJ1WFIqiR|%If09U=e5Kaq{3`;KZ>1tJjjz@pJCdW^c_f4P^PcHG;YyBWcI;28_IA zMlR&^)|81yea1E>rWURkRFbuo#NxE-gpF@b)ud}k^fyN=4xgcZeZa}UB+vpCVSxrq zlaQ}|v@tLtN>fU}&i4^4z3TO!e|O@b3Dt}ceH0xFqFmT%GB!PwrlmewcYVIjcsLiS zf8Gk3i5j%)SF2ZMV1)yl{!2n72{(+NN~aXsU@a zmFpGU!fL|m68XWp)zaee{Ax$Sg)5ARyr7sHeKU=*ca#BAfu9-zOBGwvK@+!8R5esx zD^5N^kqmiAaxNw3IP_wtI|U&N)rBn>fYiVPZ;PfJm2& zV?{Nrw0??w#UZNWR6vx8J9+p)M^QuO(PLINR-ulLVhc-|q5U~9`~B;Fb8AL`EiDX8 z+sy2u>|w*&^4#uy7~h}-uzlOfPDo$@omKDn;;%pb0Z8oAL>`zU!AicRBgYwcbY{x; z;TrwP!r2$ga{aqG{p-i?-@q#jT+u(d^Z)NV|I&XV^%sz;&@VuhzT*Olu=kJj&*~9S zJqUVoFG-zbbHbVk_Ae-s@RXI<%pv83oeV5=V5icO18bF`um^Y0D)g{*@G+DhP-bgT z7QWhe{T688C$sZ&zxvbnN9;V!85hk7!B#eG6I1i0#{*d{DTi1j(-1yaIz^9Nc2P{a z%KEvoN|w9?bV_7_JX%D%Hxi(qW$2gew-=9YJZ0P+xe}l`e_ko|ydf$csJpC9a~Cu* zL_>5{FG10cQ}#N^yMb#00^B{Z)%99V-ORd|L`zgvqqJQ>eiEdkc-a(DHboOpkP<7D zgKe&IKGabp!ML+>1PAz0OaearRN0F98kTSX=qZ#Ma5egGT-En8#f@aekh2_l15TAG z?BYmky;JIMRJ6Lt^I3AxR16a2)9^%i@gPOo%+=QR-V1uLsR-wgaJua5nXFxle2jJeVTrg_^{1rtH}^87E_g(l*D2m zWiv~3$3<2_N*v{V4UiIh}V59d3yAF~<9x!Uh{y z1{qsk{o*^efwB80>~-zz_HM)a98!V5o*e6iTti^`9k=m6fw~5^HpmeK$E(NB*a{`q zkM9S7m;Te)v-+nMNH#>yBL90#^S^P001h4&87u;5L3auf5zGVOd4Q^zd9|d3Go#z< zew{6m7G{4tVGpiQ;g-()B4pJlgB(NC=r>2u6I3#q<2pbJHI|gS-}|lkQ|zOs=!y z>d1+GWK|zt(}z}$I;ltS>Sl(d)gylFY+~=toYI7v3RZG4PF+owj{>f6(n&~^$Rq{sex@T9L%znK)lb=gk4-ws9;t~{j~!umd@q?#n} zb&?I?c; znTJ&}C&=}xA);)8o4DwiFiuG-FM6V9qzI|1%PFH}Wpj6W*2UeUZco-2TSI3ak7D%O z0jbNi!MS2)Lc)1%ZtdDj4lmzZJ4uWmWAbJlf{M^Sv7Afidmps8#IOwAnBSA#k7461 
znF0$|G+eu@=zIR{QTFdYvq{aJ+=k2LAguwBF^to80B|)d>`#CAJ(=wSDeBWNO%9#$ zJBEc=kz|Ax7~A_8TYT2r?fHC__G*Fgb~y=IJ$}ErQ>7zc{lDM-`5{2jPU8q65x5N) z-0gIf8~VrPFD5U+DdhWWVc{2@?9etRokQTH%W=o+mL!oWE&)dBKUsL}vvP$^rDLct zaD_5+5}iUP9XfOVhf}QIeRZO}Zw`EQJh+#B`OELEQBhzWW{L-q9$Q@?oO#l1&LE##*<{RL-mWdIYMX4kkbJ3et1`RcYDZ7xc;k8f0)M5;S17b~jtun3 zZy>5`7|ETkv1(D(u&iN)&a1{r+OVoYN9{OTIYd@8L2C1eU+{<@Ax0~uyLymXNyT4Tz3{jyY1HMd=4r3`5oUfBcjhai~)c)JNxWcB4N!6;2Sj;wuY zhj5A>=uh3H>B9ORmaLKtff1^A*&JIu4})n}MMh$CHBDOujUHrMkgXC$gRtewkhHU9 zMZx(g@y%5q=TzC= zvGED17w}6N9xfd@dX*(jKZ(W&u`yfD^<-#i^3L6QsA*yoGIbjGDUW5vb zaT9n>>qibyY=6QN!9DVj_0=P`*Dc72{@3z=0)-M~{W(%f{d0%!aWO@wdDF zpYOi>`RhIV0RwpzeSiJl&HzqI;e|&D@?%a{EV0<@S1q5caNeyry_oUWKhJ~3c96Iu zS?*uI{wKUX;AyAKg5P#<1;4`)z;*q*KK(uZ>uK*7%f2JMp@)pVJ8nffi4Q;S6b{R| zWPc6bN9^Dd^_3ColYORN9CrM4ufrY#?{9wg`Qit+JqO+Xu^;=lgdb z=m-m|2qHtY*N8wn7drf80DpmL<8uQOcE?@aN#NDGX$D=CL$F-T7F7F3U02+WZr;cZ zN@lU*oVgMB>o+-1x7yk(6E8;ka@3WUk{&y0CkQOr{Bj>fRp!tJ2o)%bYDj-}@_uK{ zC|%jX7WTOERyj#C40*Z#?ZSk*My^Oim3IM|Ns!MvOO`+yK^ApUB?3`*4M(2Cl+_cJ zT{syCn3q^kn@Ka3Ewumxs$>MM8A0g={)H<+Ll09?K~i)%%b;&vWQ!JE1a0oBWJQ0K zld77a?j%ZQh~hbl7^)z^TOCJ{&FijlPtmc(Ft(n9#*-+W#j9pevQZGa1CtMIo2aJh zdgEnwn^e5g)UP`{B6nB!r5c(idOtm?Z7?bN!b;Ss%1HcL06!C+9@Cw0O+Q{lxLz z6J6|AOU^ImneR6f^zVm}lIdSq`hc!~{}HNs*abxzK$s_fz}1e1Wm5k*+tRIJ9 z+q-mc*C)FVp5$PO(N-2gRyIsyTchdc6ZGhC6aT9=VWmvLJUtPHxxF6B0fwN-PCn!$ zC=M3KHq93KXxNo6YR{L;o#L;$C-SR?rm~8P0uz)NX{U{L$yqZG>5L-igeAU^jH25! 
z^PcH>6jcd9)lE>2z^XfRWKm;ecysFy3vx>;1n77SBFgJ`IQbb~}iFT|?=UGAlva=LT}v;&zCx-w4!AlFo33rmTAHf*c79SGD7a;M%7ihs_!r*P{7Xt@ddzx1PWs# znx=;>uL#p6m&^<^m1>GMm#nE}X}efb=qB1h|HI&?G;a?@7xHMrL~NWiAx}~{TOXi4 zmo;AL6dB>8D|3}M6B3#kvSF%pmCf`l;s|ubwAJlXva<6O7p4MSl!O=a7;`|JBzglK7dxIj%j`|LrgVuE+iirb(1| za6q!NB}a!DY>YDWk6a%wd%t*8f_QO2i-)}JWV?TX3f@7g^qsN|NXwmF8+aDLGFTSB zzJEi%!O^dIEf2<+n|=pfDp-(#KQLSc{oIi06`8)evpNchf`Vq=_OAq z-Sy}F;HUJH)45a3q?3*UGjl)7lV6Ru2R>S*JX~cz+0f|q{W~u^yz(GU->K971uZ1x z0I`77SD=wbBoGL$R`u_*9j06YZDs624%-DAv3FYmwi z8j*d%N#9 zf_S!qR*a?xr|5K*boxunbiI|ZKNXR6wrVix!Dd2ko=cE0l5|sYJ~OZO(bm;6rB`~A zV~mKVu0*M8@Va(*>A9i-vUC8jK~U791PUT_DS*snSliG(WDYgDdW2 zh&!E>Jy^{E9>fgtrt_JV!71eoNee+T2>J)2a)Kcmpe2+g*0p-5c#g@vFuNg0rs;wi zj$p`F(HNGOp3q#umR7)hl!M1drazKyK)AasBBiVDnkFqoROl)iB1)ElzQd{S zk>vMCf+=@sHX}*_M~A2J*_R1UamgHzWDI{Vwqt zY;`?!6D0neeOL`PIMz2NcHzZ<3EI-sCdd}Wvq8lkHF4i}+yeL?V{7I|UzmD_YT=Sy z%kbJkGsj)O`{E~Kr|g`8=>`41L-zmq(e7jRI0F>TntL65GL2C@bGvH}cBJ@7!t%W9 zvu)Q$YccxAV4?*f2p(_e=)?aETs!d!+C>;7BIZ>{zX_i<^zv!!<4x}4O|QOo|D%WY zm|D7<;v!Cv65*U5SXmyj3IPYaKYnWh;=O^%1z0ux!^a;f6td~*Nr8ZOCnxI_D8ckE z|MB%_`^+vJM_)UIyJSXiIc&CPWTED!JjTW&7?V&5ETx^Y0|Wz*M7Z&(q8eG=l>Gk2 z)x~k{>m|p1g@-~wBAZEy9+X~@Hw3$W@#|;LUNp5d@A}2AzyIUwXRqH&HEI9#>E|aL;?DpLf(rrtNLE+o0dP1XoCo09_msvo=>qVjvZr4Vh>Tg8DWpPX{=pBI2$lc%w+i=rC0mm0rlMPOTeokI$fr zs#&TLmS`HRLg5u_5c<~Z<% z{0V^fzE%H9_IShf>7&5@p=g7XdyQ?p!BZN1Wq-5?{`-&U>q!LzQ}4&-^+u;C-|jih zv$SZbVrdMP5c!))7^W5U<$c88=~n$gQfN+Z8Ul5du(KkRMe&EKMUYQ5UnC zIihmB9O7y}kOpq@&X}SRFL5nHG((mxgQF3w>f`viF}0IiNrk7R+7XbZfm!4jOVq-M z(~0YQ&ZmJMwT>e00{Y8Y(~MWOLQM#$JF6?>S2YJ~nm9rrOhAb`LKh7)#lwJJqP7>4 z+DKHFa$+*N7GA0E*0^3x3{I(VQ&q_FE;I~Bc1>W%W{4+W5<%{czRV91Ne)i3d(xIE@N}5CdrV&>p7e zxBqYyZBIB0`##__{>zUK;aR~@X#*-wnxc*xQ$b~CM&KXA#vir?SMZ-_XA+;ybKcEb zKiKHezXR8o4?P?_B-H8dA2?}YhKq)y z+drAZDWZ#YowHEpfzlWx#E+in4I> zQO?4413f+?uB0~d)~!HQ9#cGxldL-cOQ7k6umRO0bz&^S1 zhPjG@i-oOpWf!PW@QPuAyql_MWGHH)^V`{?LZZCgN!kavVhUPs7L2&_Yr%DmEM3E@ z0VQ((mF{8=;~>TpciJEP8ui+dr9gXu3S+yH5r+9mz+?<)($XKy+D%qN~>L> 
zqJ1tM-`cvgy~G&pFk77GZoj@0qg8n%+;S1$VXE>eiV}vV0lsIfpv~#*6$58{`_^DW zo^+oT8n{Oj2cfBhV6P!PrKkaB&C5@pMDbF0|K#`|zuCX{Cmftjye=pLd_dWJA8t3k z*N>0P{^1XMEHGEi$U@}g6CvCbL(*w{^_w30HRI`tN?7iJ^%r2p{!hpPxdUWFBuqiA z4U?Ol5#gNved?nnmi`%ge2io1@T0Lk2WqM#4oSz*SAejBG>L5N!&NS*^Wie-Cg>0U z{yiLV0Fq(m)$cz3*~KrB;Ufpn=MxU1lW2`OCi1Wu{d~-Yxfe6L9W1P`B;v%?bTtsv z3(UkJ-N565wI?jGGP)$KU_e;db)K)?b*td32V24Iy)nM=d}>S+L%d8BuLIiysU$4E z;`|kUMx`pby8yIUR+>qwc#0~XrHbzn1Z&Qs6`Fj4B`xuksBd*u`tucTB2a-ow$%;V zr*uPKPZQ01h!q!Z7x~_)rY2VqR5dW#1NMoXFv1q)M^yAuWbI@n;0i`C-N3BU6t&{I zK~Dwn51jzE54gHWZjs@J8bRBTzC@=K8TNjek=|BBw&l&W^Qv}{YO6+0Mm4g;E)03a; z@4M?a4iEI^>fg^H&_d4AfwK^l@ko`06zU)9ENB%$)cLAS|Jdi{ecb9wKxISXo@4a= zR`GCt$Qa}O<9=Is3V?A_*C@oR4VWD6p!&C;95FcI0~f47$G-dsxxP(x4>@V+YGD^< z?GSm=m||&9oPID)zu;|uR*sFVCMX+-+E$RM_$lUHuQWv}E4#OwRc&$P#EYn?7+hRF zQ=B8|Y%JNBC-T*JX{nR0-%8nUm(u5;?S$qLMsMz-{J5MlWm#IJ`VtVBbkPtfwJ54_ zynKuyALJ%ghlujSRBA~>Ge=bm>?N@1MAaY=p2*BaG(m`OyHYaCk=Fu2S>nt0*P}V__RKSZ)1L{CAgqJmkR8HY#z^IRrg%dP! z7eicmwXD@!Q|KXT^b+(z=B288VV&7aR-Rbb>87~DP;`(bqsV%raKKm65Fom9UXz^M zISSnhJ!y!f>c&eu$%;N$hr}wHG4gVk+r=)rl;r;Yh+E~pf?C(4eu{VzBU^wB>yXm# zE!YC*C9+(Rd4DRjsum~8BgE7YA|!#y_>@lX=7pm3LXB_SATwbR=8q1#7Kqj6k-10l zoVJ1X%JLLL!~HgJa|aW9oD_M`;@tI1^-vaFIm-h^2u%N0_1j`;^{;;OC5B)F2OFQh zoQJty=#}{Y_;^2Zsg@iCH$lLD#1!KSZi)ppm#6L}y0RnS$t0n| z)A31NL`@fH$gzSh27lmk+5$UD?Je=()kT)C5Bq9$oCKWn)^tN-kz2HLyas?OBC`Z)Kk=MB;m;2||GPK1Mc@rp; zA#cKCh8DGu#iaja)0SCA!ZB^ZY6E7lJzk7tM!^kH*09C9*c-aKL(w&xr7 z4{hA)`ol8}r(JtK*|lr$AOCz{acv&B^jB~0FW+1H$6jM|%vm^+Zi0(ALk3ImYo;h~ zYiG3QxzlS;vS6(9=3b!wRV`HSz<|C+;uHW0s&oWbZvZh+vAkU;XAQFz;&U9DqD%YVBucbT69hnPf1kT#%D0IJD>!$jA~}9R)8x29UZ)yG|3=S+z%X}yXJ04 zUV*B!oFkTzWzE1(BGkHM4k8IvKEM=paCk-hN?3c>F;vAA6>LTf0C5DA5kp=}Q{-Q& z=%q@EfV^@AwTu{HvDm7L^F=)@bp=%hoIoF0G{%rEgcdX~rDaU<;Epn|mn5k@Ti8!g z)PV?xE}3M>VFRl%G{4nVUB(i2xQRea2-Cn?Z*8%tX@VM)1LGK1c{fu!z?6(rz}zD- zRn{>apeqH9A8_wr_y)6Yu#qHd2SIM(qRsYHD>YqR@Dl;l2SeNgU&WA4F=V5Vh3!-$ zR=O#gcAKJ`a@G{$RT{iN>>^OKEk7-2?hK6$Ru)NxrP*GRRB}=+CuNqX8^)&&Ii-NR 
z&Jg+XEkhexT~|$MQ{m6%C^N=+Bf@!b4>ml0xw7OLT+rL~%a6W0ZL{0T&fusEmwOY! z&c@anKqHB-+4Ud0k6Q#Du?&IB7hsSM_bg6h!cFX{#x_4U_owRbQD3eEynU7n;!h~L z;mG4oO9-CmAA%R8uY3BpqtEUspKj5fZF6NpvZbw!2`1PWe*+wwKiOjmG%Tb_0AWYR z5Q`D?+28gtcTrYxBm*vDsNA|~(%PWAy)0!tz#9}$Ead<TdS^;eh>lDVc|khc`m;;tfY=EE&;6t`1sMKqg42JNvBBC28Qx( zU|MEc|B$~d+e1(SpAR(GznTabO#+t!9Ith3KTSR8n5gs0$hvm7tYP7Pv^witRBU*B zq_!ljYPQ~uA4W?OQH8hgf_x`lv8{BNq!__nE_3wc*|8Xluhvdd9gaBRjmaUfcVlW3 zbL`|fptJw-o$=3>%)=O;J$o^$YlxWT&0B=iSV$H7yE^7JJAIv0*eZm)}AVG#*U(ENdaBvk7#y8+f7DYvF!wR&Uz>f=rNgN=Xy zZo4X@Nw#2f6 zKu&lFCrrTRi{1IW(y{)M;ZZ-)ZBIobY##u}1;sg2vPKiGkVOkPJ@jedJqr0DyL|I35IaiC%eW~RSUR+?v*2jJ+C^y>~^-Y zo+0UnrjMx@a82!VNo%62nvjZ1vg9i-;);OwAEXO&TqSL;q7fJV1Q748@_Nto>g!Dd z_DLxeWg}e$`_Tgo1r&tifNFQ)oy+M3DVqmW3TS4{qrceL+*7{=LgH876knb52W4HwgE_sLS{osrmxPAUJUICPMZn{G7 zL{P2Qr`;-XqWU1!%`NvFMT6lNSu zX=|u7t*KkKxg57N5b$93?DC>l@5s5_3Q0~?sb@wR@Khdg3DN19RpYDYRD~elb1NNP`v+nHozP-IH5ba!8H?p!uXL`dPX@ny!_kYR5^ZandzkX-;H8hj(&0 zM^Oy|V+4%}ldegF?yAbjhJLcT0H>~m@)8O~76;zYJAR(+ck>ne%H8LUb1$l zxE_XT8MK99@r}}Upi^EFl6uB9&cXX z-tdHb1nDXGQzsnFts~(s)fw6)uj{IXNBYmdI%#%_mS5Nf%Z)Hbgb6ruTx92F8C37E z-q<>D|35!5F*p-sO}u&3&hyVl_Rs4#n2L*L;UPp`B~3gAZd~{Vmd>V&0?k?;L zyVD$Ux6Vmg=BxtOAP;>&!MJzy+Pl6Hduse@+BRy$>< znZhWB$eZ?{Mj z(>^IBfz(U>L5ggI>4pALIN_DNWFMCMBc9Ryr1HAX$H0PN;&{UZe;IC49K&9R+R4!T z{2}9j$1g#B2jSvfD0t!i@^@2951>KI{TvuGcVcZ z>1Nc{miL1PSM_iE5tl#Y>)*gWG7`Jqt?J)aZLD}adcav(3JDE4bLte^8YKdsB|}tz z5y}N_H|+V*`p9A2-k%-+^2MouP$7IB)a^iLZNGd6@59@{6Zr2BGE8j3;lhy>$j$Gj9Kt82Q=SiX|XaVTz4!4XhjIbKo ze7txTR-QrB2by!NrV6WV1m{~Yq=Lyfgh#Am7B63drvux6vb-G@PC=AH5`)xp07MP| za%k#tiUnsW$k$8U)s65uV9W)w1OOgaHs~emj3^qS2=C%ywN}~ftcG~i>ZWRNmsUcm z3QH^SQdV&l$fVLu2g;cNw5%KW0ec;!`w@by%T-(*tS%K-brw%9UlYg!6E$>M8Cu=! 
zkkNulxkD3$^0K`8nmr#5l0mBde8F~p!RwO9!BY_HCcTSKtn|;C#PLCuF-A^kKkk0T zSLizXy7SN}=Mxqomh>xd=Kcge9t4@+>}S=sJOWUBxEHqZ=oOrKf_6@lT=doc)4Trj zPg%9SC!F04QE*!E{Ap4oT-)4l8GiNLfz`RF2ixu|E3kvy47)N&(0Tb1+46#!&Z`;y zo1!NVSg&4jXQrYKAO72^(|)$j3S&&vVLQLWHpDM}J^@o3G&<-s`WzSy9Wmql{xd@p zJ62WO$jU=-WY^E#d$H@6|2T2lAB~T)#RVTaW7oIRFV2Z^bWf&)6}u$$KvRQO^doyu za*q7P`n&agtoBwh5Gb1b!PzJqME-SV#ve(GYRdC27S)U2b@G8BJb>Q?_8VZI0Sj zl&XQMtPhkmUY3KB1lgSdR3J4xboYub(DK3T7z;}fiUEKVCZ!COTI`TqXRn;Fm#snW zc2G~*DHhSnRVP4>VgguGFfT=x#bjf!XhT%=<3Sh$OZ2i?oOFdHYlE3JMmFdm9YX;Q zl>;v7I!{fFhYZ$mxWqS1V z_@L?fld#5Fp>tFiM^gdR*)TUn~LH@b1Nn_Xx1yqS5HPN4h5u2oE06%gfFkF)*}5!wpdJ z0gG^Ehyt#_SGEsaxFR<)qMdLIHFF9xb`04M?l(sq#w5JP_U&gsi%q46!qev^_23Ou&7w0{4VN@ zzSu>fAxT;twUbadfmQ@7okl5OpxjQ@KyR4qFG{?cXG}|&y!b|TRY*#`dvYrwxy@12js^jzvV$vc@sl>w+QK^KM%?xOpAwU5nzkM!!l`>1x)QFo42Uw8U=mt9kmxYf10JdE z!I@R(GYaXl5&#cX+d$H_fwPCbpaoPD?x~}$vN~#P##v3aq_HiwqKVE+b&AdL%^I-P zE!(PBY!zFM@=dgI1y;!jvNon7<;vajJV>d7(6V`&xcLyxKw$}(y3Ja>5!Q(TJS z)lfCVZ1p%JvFa4nU6z$u-q>ttin1Vvz>&TKmRAp(htIAdkp?O&r6y^AaGOm2s1(aPi3V3$-@ zIrGW)XiI9Op=}WNybc^w|MAnA|N87Jh*w{Jd*Y0hCysdC!p`dq2AinichB~kVo%## z%Ja{fbx&I+!2hSF^VZ6{lGUZ?+exW)H$1PPxEF%FBO?67=W=ISF6TBAZj@MS7H!qb z_R1xg{W*!|h{AD-xErWNj-t~=P{)nE6OmGqTwfP;C!fkMgeo0&R|!xZDf_9)F;LSH zlg7Oh+rk8O(dnJ%bWK!k3tHI)&g}>QK*OM_gh=(zU?qb~H@yh1*ikGe8f7k_DwMVwBWuISMv3ZW zkQ0+-jWk|*kVK%X$kSC-pOt136Y^ct23VPcmWk!o%0&n5vV(5UQ9TAuBf!+rg}qFE z(cOC^iESw~!F6UrEcMEzi_*jdRa9y&uj+wbIk3%1N1Om1;_8|FCOfW}?t5e5!Lm8V z8aPt$ns#8y!L~({)yQ@a{qIlyvg<$o`?D_$4;d1UnK7ZZNs#42i3JlD80p|y7s1Bi z6y`iE%NU|0M$Tz=D6@!Y{MP+*54Sw-&qV8AckAD7Ba#N-TjAi&oBDebq3@osR~Fm} z1d~&io@WSghisz`ScR>>)6YJ5V{D1~^4pVt`J3@4KiKX+<7PvSgj?*|5$wL08va+XY>#r?1sOcJJE%+zGI=Qhum zl?{|$)82NCR^qROU(864z1t8)Cpxa5DIX6`9d%DC zNMW(On!SkshqQJk)&SWBo4YoHH6DMgJjKcq6_FyXX%)eVi>Jy zb<}~bV38u8MY0$Yta_1X1FKllMbNrC^Opb^ux$!s7vRzSfQFLHz*QY!IZ%o%pgTZd2Gtr~Q$teK(_}+*@d6yY zpzs%6RD(XL?H)SFaknf}8qpcO#MEiPHi|z=5O+dw3r)+^)!vOym51`Rf#Oma5Mac8 
zpjE@B_hU5+$gZn;1m@SEuZDG3uAtvT(BPMx;jWRlkTckcB-|BlzIr1801?=ejQ@p0~jHodJYcUvZ$v9k*cp=A&=vY))Zm9SEl? z8)p8p`?yzV3<4?`(m;ybSzJ9}?0ndqd4_V;0Cn>iPG)B3;7l=ESi11+Vc^=>1^w$< z{TrA;LpS(D|87$MI&W(_K>x^lu#vx zcJ}=HKAXKqX?uRAe*FUmUgu-a({<+Poo7cZ#-LG|^!xrrsk z{*qK5;a#t!Ms5-$P*Ab{-GjBm~vgCO{*0?a)1|Y|SAC1JiH1i{m^oYqv(UZP zVU!Tf%1iwxUmV=K-$bm;hwauaI25JVPc7*$U(fsEYwL=damb_JA3SAj>gRxsvBh06 zM$w|PqYFnXPf~(e;dk*j!Nvzjr#V>p#A=(d>ROz%i6U(A)%7wH?|3St9KprVl<10y z-tz8c&Fx{X_AW<}@2aR`itFi;P9Otm!bKpZx!MI7DWa79D9yO7aEhUv3f47x#_Ph; zszS5cyt5~0DZ?<)1}zG-Z_bdXgb1tYDOlo)5I>7l5G{b){{+A}W0FD{1@rVF}R=oz8%x|v45tmP(@&|<4y#C5R&9GF!6>L}l z(yVPLUw?J%yS=BN9QthU!4p`P0XFa$@v1S(=fKIMw{zLsYZsm_pVL25>feqaNe~V* zz3zE1e-);OuU9SzqE6e{;mjPboucx;u?UtF4ujqb1onrIIefd%)ITH+o&xyTw6wP3 zq8acKEH3Vay8pNT{gtK76)XGr<2FIxn>#dZHTy`zQGrtOg$C!GX=s^2cZZ0&W$jRz z6JX0&zTud(O4F_|baiOH+9NH`GbNwQ&$?PVc)Pnx(@=LkH^)bPnVgYr4(R3j;XfjwKT&D?_!JNS-IpbXR&EPbzAO$-*<;vjl=*Ba| zk!<6se&vzAs%Ie~qsfn7$w_EniTXgc2Z3$}R8X5uK=gzC8YB-&CtyAfj|`G~;5>m! z1=b5z>Cx(G*qFvBMqvU)7sJvkYzZyGTn3Xego~blRkGmpo~wmz=kto(b=g#DJ_)$5 zhnEmvoL4qKojp7jlv03=z71+IMrxt6 zGMk_*qr)@`7`B7~h7OVOgESXxBCxVGs$!Lt)QY|=+l#j9*_sR&@eS=+jtt4c(>Fj~ z{^^f2V85;G8Grcnh`}ia-RIiMllPDWVXx}zFHi0H%JRt1*jKOhHqP8bR%F;OK7_ew zj6H9P!rq9ne01;Xo2{@X;N$TI20Adl*?#@JZEZ5>-Fo2Gn17h}K?`#%96&#ejrs2* zE}d(LASbh+&C5UPFJB&Z#Cbr!@b&HkyLNr?2Hp=Hpqn`c>AVx?j-@qPr1v?i=GjU(xHbUM8%B7}(ido{-a+!zO4LNntcP;i zfuHM|+v2Fm4dX>dYWQ&l+W3mn%f&;US<@f{h2j~N+K$rHIxA~|=L8ixL<77Q>CwPo z!9!K#ugrjTKf0_2gt(~WQ47_$ZSuUGasqzFi4ss6Pq0L5c|fkr@$j5Wb$hQeE; z$+qEx=88UlPdXf3kyg#YVDjt6ImVZen!{PQpPZzb8O8 z;>Mc_Q1;#|E0ee8#1|<7Wf5+|8y@O(ZhDWsxXD~q=8#_Rl-lP6ZaLy%F9}o*qfX#Q zkpeEb3rk~DW51+YYPtQEzl=!)!FR04@`_ui03~ApV zB&u#TLEHgj1yJVw^^eE@U&`JBI?nT27tVp6wkf6I#4L+h!_3Ugg3-)qKpKstkw(nS z%w&cn4m;p9j^mh_ZP_w2CypIEagy)u&%ViR&)@Uk+qJ%>C0nwVB|Wp>{qFrhT$mD{ zXaa6=coH{-Yb9z+Xx3JmwvsH-_;WEAW(ptQD!P599C@@I#nsPOKyH8Uv<>+-cyjM3 z216l8stM`=s_?m!%rZ$fhqgLA0OPl_>)MWn-eu}eq7jdFD``q+>+Aa z`H>QishXzC6`C|fwZYjdmq}_jzxr)>Nm>mZMWw4+rar1#@tJ#i6KtGy<1_jt=Vhb& 
zK|QLQg!A!=eE2rpo`g$I@RtI|0D?!4f*dA&bem`8mcn=Ulz+It^t}U~sV(-Q&Gw-k z&e6STL)-16JKan6x|i%O9Qs?`ie1&yJIY5kH!R&&}QKJrQT*oKN_>noRUC|$O( zaB6ez=vUs6ZQjw{zKQ+d4U#psC#`3zV_=VG=%9D-NZ$DA^5xf>*RQX9d%bu1W83f- zFn85XoKucpQcYfj?Spn?f5!3y+TKr`Q(FQn_88hfC|Yy4Yi!NH6Uy|GjLwhY z@D;%QWo#EO@Sfb!apQ;6@syVt@=T7Vi7aePpjJTO@1h7v3Qo9aQOvGgdr-Q|Psr|_ z=bm}y)yM?lmi?CjX=RN|UtP#o8(T$^dZKKcCaa7iM9$21Kf33;cQF&WyB-ayKu#m~ z-oAZGi`@0^+}MJ{Q;5ezL93k)D*R7%ZByUtJB*) zG&isDjco8w>?&G*CV$x__vDOs^*;O3&jUkygX8=1$G-}Ue3U;1F@Nt>EPJPTY+cQ= z&+PTn#*%SI{o0JWmFmI)QFbfe)1b;M6PXHND-lc5Qw5n)LxETyU@BZRg;QiJRCsEY zIc=E@YfC0~l}sM?5A4-U!E-=9vL7Z1>Y?-c;fo-R@$`K%_~!JA)w$8HJ@ZEQ>l>Go zkcX=gj8OWF7t{^VtNq!2)`C81dYRCi52QGbI*TT>YAgY<(iKVKB(fA#xm}zZ()wC0 z1q0@yF;i&FTsEo9>xI6qYGPCC>b>PdUxd2;RzJSGVaf8^sa2(u>w?pt6s*{pyW)^{ z`C-@ee#hwcqE-9LSMM@bO=dPO&FNaJ3wDdL>I|+Ds>l+P%!{PxEv@S{BfCY@yX51$ z1^FLvE%mdv4j7zlzRnFXOmt~0mR-017;@$k@*lr{O(;=5;SZx~n)g50`ph#geGAs@ zzwqHz)^d)xn9eOG$VO<2szg%4_MJ7~-u2u*mxkPVANc{eqq`p59J+Tw`S7Z3-3l*} z${@-sAPSbMY#3j&8?JjtPn-t613XX+(FX2`w)NWmdv|{N0seIVJK!PD6=@(@qmrof z#uA2?WlsB2bNXS z_n-W#e|Y%gcVKvHNOeE=dgMo24mv`Wuf$;IBvAk3g;p$F}$x?L%Bl`Yr+Uc3# z$iC(kdol_tC=`r@80qCFg+wVqc61i$6+3Be8ac+!q&qlbJ4fge)4U3@U21eF^iHM1 zA?IXD$u2qGAx?G*5(~7 zV<-6eiMisWY+*vS6z7vuv!tv{slYB*$cQvidTaUcHgC^%Fs}xkJ50ua9t?sYPxl62 z=bQOGD=G(<7B+UIWqGSAD)(>SJ}}-tFxm%WfmZpua?ujO*71l2UStyjIZ-4&b!OxF}Aqx55 z|4icRv0UAY(O8Bim8wXi$TF3wHGEY$N!?FYl=Bp-hGxyZZ-QT6b$)wx4Eb&bLEgOv zc_?>`_ii{n9t>NiB5EoLnr^VE6l+TV^kQUmA|p0M@ya~rAD&Bw()6Fdc})aEw1KH> z4}OA_l&svkmlm>^iemWUbbTN_hzFSOpi*O!Ml2;h-;l^~j zRRIAeiymJnp@n1&KM(8YVG6|f0zsUQ5s}S|%;UuR>5)a;*k%K%C!JX-iz^gG^>58zJ7enGEU$gHV03e4 z>B#PVXV09tu>H`k>)+md=fid1KDu}R(Zg%^9`8Q)t)pSJdvFKvWVA!4)kBw{Ni#y9 z1{1KpGi8ID%6dN4+A2A8eY)6?EfkkZSjD`gN?CllG$M=kqL(|j&d%s9)R~xz%avI!WT5l`3WdA-2g-i8JojGT~8 z9a4=SFt_g37ffUpWuE`~U^t#emIlD;ilpkI$s1paFuW4U=c%39MYXTYPyEfF!s75M zp}v41bg=dQg*chLsOz0C&ObL#!c#(6a1Z3puq9?^7URbC;J3Ftw@-B=4-X^Ax@%|4 z9^K8ne9og#N7AJxlD3AV@8$xBN|cjC5D^&Cfh8N(et789ji;8Z_=3ST0NCb5f{5ce 
zs9G>R1E&$Xq7=S3Uhe8#(X;NW5Bat#bLGdd=aNqzV!#A@^>y3SzQSc&GK>4DG=*Jd zY0LJMs9B{ld_Fh6fQ>2SQ3}|ULLMQ=!+69(pGe>nF|&o_Y+*`{Fd>H@?dL@oOED!< zT#c4hqu~Vk_-s~^pOfTc#s>tkes(nADu)r7%ZTz*!zObSdnd~4G>O%kxMFE!Kp5%g z$N7agzlh`)(lRB%*PU zvcC24I}mGo?KY5de*!Kf7*Mnfylu`Oc6V%oFip5+fS&`TiGgq)B_9r-Xzg94Gx|)b zbel+>EtTa8=mAz@DLYv-Xdu7S{*8}oXaW54R|KNBVxaAa2GIFjs3@A=ph+DtQt9BY2T;Lo1klX zXYL##ilsEvc&(AB?!xlxokeTcetPPe-_Bp0#0*bhERN+xrzl>H61))3`LEY8#+=%t z*Ad`N{q7|;M^;HPbil8kC2@#kDHpF4eSOn=>r4ys{cfmNH_p}Gzm<35NFJFTO_jSy zx(1@Ildh-;i<5K?FNbR;u-2i;xPA}47y*_x?U?=Ji*fNd@$8j*uy-a3y+T_vL=_|m zEbI4tQa|2h42&BpH^KEpHg&+V<_foShp=l~`otmM=-!$o`->ajAQKf1l_p!t%;Bcw zvEuU?2?dPg0xmX>o#NwDeLQlufRHP~2ZV_MQCyxd4vJD9FD3&wr&vy0UEzJZzM#vc z4aunmVj{dSv!w)ha>N9`2>n-CtQaRPtlmcN@Cb@Dm|SU+o0pi$PIhsLJ~1m-^qN>bXH6o}a_T*?f-12fQMHl;`mjXz`Rho$fibN+f+(w*dr$!bks2y3_$>PlSJBrE; zG`}d($4h{3$}b@LI3zEdlq%z-O4%7gj+@WT<}l#(Sjpt89aVIyyKInTC2JoD_|I^`151#q$VxBTUGBuN-UP*I_ z)cD!6q1!jS*U!`;KW;@Hueo)$_U^UNzI`PL#CVb{K+rWons6fBqfaXb6hUhI)2{}t z1sr^E>_SorbQ`F3a}op3(Q}PuBxNaC8H(fR_Fp}i+fu0utkBo)f`PVj`5|@xcF)@L z8eqhYorKp*M*pFz+#ET#4!PRO13!JBgDb4I7h-P;lBz6&?poo5wyi1Y92l!A4aX%1S5yct1qj1j)T#$ zsp9SRyRL(5>CQJd9zDMQ{s-%BU%#^PlTYqkx&`}wxB|cV;ZbMl3P{Cem zGGRc>ED#cd+=P5ibV!oq6D5_p&4EBZRp}`h{>n81TJl-&q68HZP{m**3wwDOrpd=) zV}3Ma_@ut_ZIWKQ@6!H`$-#K09Qq%kzL%n`crj82zj63=Lm7eJI5hA;#DYJA#CYeF}Rn8EH;*#T!oh-e2)pheiCGx|^$hU)!Z?)dKRQ%riS$Hm& zqAnvCnlXy1h!itqCjqYDE1Z3RLJPh!To0dqO_<77)QmHPCc4bd)R%#+2U%4RMiQR7 zcZOk8j7G#*t99nh^g<{I4U7~To$DntJfMdu;&z%jTh1xI(-g8d?;-D%C}EGult z$;eT0972knPw{Z#Qi%)G2=k!kxLJ$yB?+Y(Y>67vkjkjFF^hGiEMAiLKYX%jZBN_4SpWE?ne*r% z3w{J3$bE>OhHE~WaaO;PGqlavu{m|>7)0KK|D^4$>jKQ{J{{esrn_b2Og=u1k&?m1 zJ4MuxO;MbxC{I`WRU9iZ#z{{smoqA)bf+@e!jI0;QR+PE+Dt`>o&(>AIpy^<{G2Kc zxz{CYGIL6#q+&6xP{hn*(R^H*otlzKPjE8hb;&Phaic1&tQxy~sH)Iov4|vQlealA zuo0$wMj$*)!j|ESz1Um z_Ry4NFNO=?w+z4fZ+<}eF5o!}Z{d$m!Eoa-dU*lJJ@;}LUu4D`s_CXix~LLQVSW6! 
zjO#ai-`%W1zFCgkt$uj5HCMK`=BXOG{GS?Es#0S09$Q4!jscdFC%+ z&;0JS*kqPH*!=a6sDd6|w$HzwM3cE_x)Qpf0tAKxk?zpdV_3ODUHD;o-(~gaVcy8L z%)veB{a`yhW9&P^Z~Tf?^{H)S54dNzx;D5Q*BY~7Z)A#!O~PYw8ii6TS9%0-6&7ZH zKtGUYXv>myxMeL4QHhpNs>cUp@!68NfC`tdrRK=VE)l^c0+_`F)ucwdv@J_js%5yD z(b?RXN*$q0lhj}#G^Y|PwMqHnXlTOQsy) zcQ(J1*}K)$chEF`!8moxvhq7t-0N-?D@V=BkH=m9eD5v@h30W-&|qWLv!=$f3Y!uR{hWsf!<9<56kYN!XZ$Tn2|LFe+2aJk@K0;QKVR8;C<7B>+!U_$}xrj_Jlg z-4D2$g?R|NtQ?;~J-AvoF&+7JqupDNZK24eWPMqRsulX5dGT7v>V;7Q%vE4w2_ez@ z4_p9f6<4=~YU?#=wmA{u_Z~hbk_7_35yh1eTJd@;fxq%i{iVyUdsjlpok8Tb^ZRSA z2Va+U4M}Ng9bQv`(N@Isv-?Ii0CHe0_{?u#PvoZYO(CAtBbInDLfgOnDPr?iGeBVe z^NWcDekRjgLDh%g;%Uh)ICc9hS!b2ygG}j)ZfZs}u?v>G>cMly;q&^zqw@BRDS;79 z&wAVN7mf*#)a?V!UD1j|<;%CUyzy12?+rm(s559O%Mf~G1REI+RPk{}{ z67v;_L3LuDGBF!2NBnpvKiMU~4Mr+p^uO8aFQyt%rXtx#aI+lCN|i}?G9$W zl@yf3=Wt^J{G=iYu|`TQmGhhuDIUvq)J%aP9$b!8)5mrF+gu$VS2Zp>f9%qgBZrVj zH+Ss%pr$2o^9&^3LDhcz?X@fCj_rAHXZFa!jfakH2O9U)$B46TEHtsx(6U|E307(M z)0ZH$$Y_UHlp}}Zj9nxo1z8CpZgi<2s=g^&c6H}V1 zYWLfV^^$aQqK^gF6H0Pn8Wbn)Up}oMOPwNGh&=C-Vp+>2YSunjDOew+8Thy}|NFAWXFpj~t5hSbN z`Fu{mLz(doTF#W)X6;2^@ibyqWso>ynBl zCQh!ws4KzPA&QZ4_}GItS8s+dg=HEcq1^so%B$7ENT`j@6nthWFc zcX-AydJe4fz|q1vxx+j5Rqpr}vxI0Clk(D3&4pPt9$T)4pRJ$;wY0uG-Bg)rtXSP_ zr|tInYELF;T_(QS^MDioaG2P zJT6nH$dO2cB2Jlr6r_fivliBg!s-=aeVMp+drFBmvQQgapiT@KNzFc4Q-;>d!Q1fB zxg30%j9wxnz@4s6iK$g5Oy!H-ZM2RBC55VZCpRph#@DzcHP)0yH{WL#GU<%s=BdKL zjXC27?ciQG1ZgQ}bYo|AM-G8k64;UeuAtFU zb?w&IETI}Lvp0{#lHy3p09o6K=anbYvOm~#ZgBGb=UxU0pD-?tyK&=5z}1P_2RQ{b z;c?gm3<+>mT-b_F6619BV8_jrv~h&C>UzRAUl;szx9F!Up`R}Dez<1%`ew+TkHN?+ zcnC((mPS%7P^@ao2LAF~WO$wc{p-W>pF-$LBQ$W^d zQ)RmD@$ok|tY?~h#%i#;ybdcf(bz8K=v^QZ02LfuVbcaC678m}@owk%G)lT21n$$* zQg+BXvd=!YAB0i$b(JQ)icZ3d7?R9E~8q<)`K6o z4&(5#vkOEjbD~6-lt^DFOH+~6YJbO6pnpA>%oHy>#)wYH5-V~gk|GHYa8=HYZ;-`x zY7?3@kqx@Y0@15}(VR*fwlbBNBTsaT;&Q1At3-*_;uJt&K50QYGopqcRml%;)hFgM zUUrcGnk$P88VE2RF>w>EV!TGmX0w@eu`#c8jlE-I))MdoIm+vYX(xzxW`H_^5?n`5 zfcvF(|R5rBT{N|_o;Jy9`?Wt}*{Qlsnlh6F;zukTCU}9obR0Nh} 
zY6Z(>j=Y;IO7r9_ym3AI$J=?2&bW~CT;zJ{H#e$Mvr;gUOsuXIaJ2}px^V6h^r(Q+ zo8KX)zeQ&6A#2~+x@PScWAE%yrxukLRl`S#gft2;0QEt3S{_L#S^e%haN-iDhpbJz zECWFBH~=AB+M!FJa0eM?`q(Fu#_E@p1n-KL%<%!Rs)IW|7`y;u1Z6Ib9y5c9>-eeq zCGUrNS7lWUXdM+&O^(@;m+i_AI9&DluF?!iRXVrVFYj>hi$rnx?ATg0wZzQNfq{dD zTa%#;Y6S*DjFAu(P|(vDQBGbQjJN?;RaRk%j+ZZI=871F;`u>UY?g|ofLUTq$KcA1 zwS%8H%EqkuO|tYXcd_5*v7~v@bMgz#mfWnYI*TL2>a<&(>CW7&RCiidu07LZ$@H4@ z3bTB9&Qy1LR$(DSV;+8Q)4&HiDkj!z2-sY;+%Mtfiyh?^a{ApD5p=VCyza)Sm>eg7`mn(yk#4l zzy``9Jmne7Hm8p5Fb|=$ZNL>U_JK_;DqWEvHJ<z?Ql+J2f^KO0LIoZ%bIWzK^YZBpy}jrA3ru*5K|ye zuF#Vz^|T@x3FhTj}Pl(OpCPTZPEyDYx#2hsvOGR}lDPAoDT68-P0|&Q zQ%9b)Jz%e}8=NYkRVFlQlzM|jq|1O2x2|9yIJUKX)hYk@F>C)*-3$^5F_=Y*QblL4w%GF4W!)6h`Bh zv{UEB6>nmcsW5UcD6^BqF7RF;s@voEp`7}aH-1KXm%jg}*Are@NKc_y2`mSml_s_L z;llFtK6v8}^3uyVg079GL2)HkIBaPz-Tyj>+{yX=lpZ-LLoRymTsT9o5`zlMk*-t_%GkgI%`!P22KO@IMEeR(tnsM)z5uub4*8 zKIPqUR@`MyT<1;PmXF_-^@DBNtb6!){_u{{p^xeY)|54LX1TM?I+IOp%+y+7bZ<#~ z!9`y9bj}0gcRwekK!hojV9GTFv|Z;d_OTadGsCkPQ3ZTVnT!^o6S7$(mxOEAD2-~Z zMq%@$S41ulMMmi(lO6NPS&{tUt2oEJBzp?Zn-cE~PtJ%;$qG-*j=>a1#+Sq=)g;DN zVdBck2}L|oDC|`UHbEO6PV4MnuFde!q^f`-sYpw-Gs81jF@6OlOG>dzY3Xt{tnf5E za;lu=)rw#f>K8GJq|7`v(IQPWi<6|(a497wRmrn!RT{ZOrPMk6#lDK3VDGx3iLIcl z2U)$Y|D0y<3Q)5k+7j+W(7tNNkAXZ5lFN)eV6T1B-VM(QN8gFefx~bo0=}qiVvlpM zJHcTm6jez(mRW~CLrs%_p)_%dKYCsVDVYuHQ`8wJE^qgTtZ)V6=sPKf!AN$AAhqfI zcfce@_MNGKwHVT8`m^)SS(5~b5gkI^XCTd-rb#X1+Lj?h4Ea zVI~IQ7hv*s`xcO_o}C+s6KAmv?JRXg3XO2;>S^qJJ9=hBv)PhWlkc6|EMbxKFMUZ)ABG3!&4J5poD-K4iG%*7&{4HxU-(hF4l zpo-p|t8{VaS1}e>@M8+42?dgrN--m-Rtjy#1wz$4re!`hBL?S-P4-3MJPRrtnk8j?d;>etE|6x4 zr8YVV#;|?~uFA$PG!jFp3^Ok#OGQoe-S# zdB{6?JY(V{Fe2bm12k0B69A$yP)*qkD)~W4sz;uZpV4>5cY=BX>O2r%fn*4rQgz=k zb@y=~X~Qi^)%69CkjIy$QY|kMnyB-t)Y>;bvn)NUYrACYyJ47`(T{G^H?G4gGR|E5 zDi}1f)jpaAOw^l5nz~p{UU|=FpX~#icjUs?NF>(4R~K{DB~(c;nVXx)Da1*upr?0`X$g|gG zeH8=J>@i)(R`uW!AXJ-|p8>I_e%T(?^7rs{1%v{oAjIkUc!jNP*fhQaa3x=|M>T;) zjsiOuY)>?!d;ck@;4h)c1SJ$aPd`CFiW*$QlQ}x;8Qj;he3MY7@>#ewX{1JTY=b(| 
zOL_&Cj}>|mOc8woQnf`GQsYYXDdn7)a$!=QG#QqUr4mkoPNQ}>77ElaW3`J2uEj~- zh@_mwnCwM(_dG)S0&2#K^z4^Oo&{J}1m3d{m$ex0j>YCg;j*8@WG1T1BS~qIvHXNs z>{su;<))_qw5$|-CW{zUvUA0-{)>U(K&6cin^-pZ^K2Koa`|SDK;2@B>86QTtDU^DQ_7 z==#3Y_I>f@`#Hu?a$-4laf4Yr^)46#8agh(6bR;8fGcg?TO_sP>aBfwK?7Z$1r9Sb zQwuC~h|0o;VETb07nNs^zJc;h#bafb{hF z^`lQ=rk}hHFV7sX-!E!1XvBFYMnf8<*^FOXW^+@+fFJ=2?o?uUfdpHs!W7G5VI`Lb zlP)nXQwS4FmR+hSZt4C@A}4~Bu^8iBl$^f^Q#>azFN_$POU-|U?0tzGe3=lKkIP$x z%bSA_%){qLU<()Hi{S5n6PuANC|;PL`t9=(pM1Je&LF4q=`P~DN+rHpg>w;JZ?@1| zZOjTS(anr3(NLYN*fervw^!Ha(>7YUH9BgOiIrq(Dw^I8zQ;f-g>9p4;2?M@KgHG4 zV)aYC`ro)h1+Zw<0*M*atKGnPeu^s<$RYTF#krb7Xc0`bd2;v}B zUW6A0K#a`RRI;>HV66aUjjm~?0j^Z7@HZ5BBV9d4RFplzRnw!px`!vDzB>_*+(?Cb z6@fv|L7b`^1LkbnJTCBFcqKel4bM=;G8WVHg-m@FN7n%6#x!wItO+p1&IC?6Q5Ax( zPgj*-In)zZj=IYmlm$I$;Bq#$Up=}T^&&w1uD{eyyn!#zeM!EsVr^B`isAIOG3(e@ zz}r+!!Oj-~vp{Bb0oGVh;eUnAe|rZG!KcsDG6ip+!i+b3RX=qR_{nJ%BQm8f%ODOJ z=+y>N4tsH>n&6;@0ixikHM6?2B<<`{Gb>-y6w9x~#D|ShBE}KdPtHyjOuF^p6atZx{7&!90+;|@^ z3HW{)#E2pxu~%ZL_BA} zMXfjDie$+_2>~|gS(JowDKncCRmR8G$Ov^BYEYU|Vy4^0NlI!MFxWHu(MpAS`i&fg zVg+>@gtP!Bkl{Q<*VFI!39gQS>=B@aiZxKF+7n-hktY*T_{+hA*0HnT+^gyS%rf)| zc&lnV-<^KjJn&)mpQQ^3HNk|!7Et=6Lr7EqUU23?Wx4emX!_tgpH7b~ZNdnkN;H9q zA3QWoJw&Dgv>;FtvPH=1YQP&=T?=oaSUmw%BY1bvl+AQaD@hJinZLu;9pl59gzt`F zk?R>(E_FuXUL`9_h}r?7rW&mKdDDnOqFhUcuNk7M$eI;Xd1PHnJ`P2&Qoi}i_pe;dy2 zZ!emDQ&c+!DqvVQKqFy<5!S#Z^#CycQPYEe`k+I+e{8Yf)1YMWr!Rw_1Ni0zM>Z!> zwHB4Rz@q8OHVx)!U5t5taa2f)cd(=V5@Hqy=i^awxmc8or6A|&7(pG=FD4@=_8*^E z5{e+LGUdUXuGO5MxtO)D;|=80eRDJ;Gm49BJ^%COGpP|QV;l!LeEZb+=a~yQW0}>+ z?8Bw0g}KS}&jva_U*3@}jrEx@Ep|e=J{hir6{%taDc;T^!=^aErPRu3<=n(_Zfs8~ zr^lnHb;-57B%O=|W{;`;V1#uDRre2}S*`|H6GPDI=&!hX`ZIy%3IzNA4Ogh0CR)(I zz8>N;h9Dvn5?GEH`aU!cthEljWA1r-@;%eUXT^)Hq@;X*Y<9JM$yb?6c3Q#N8*FgE zV5H`6U^;YQc1wASpQg?ss9T_n&{TEsunf&KT>~T{!2_Eb=;z5=XzA<0#veTdRdDt- zLE;0nSOf)%E25%gG4c8H*PFfvT%AaMZ~~9ktE+7>_`j0nc|=tYPEkcw*HI+RbY(A9 z-AU4PP)r?=jKk3MQe<6Z2(wUjauh8LMIFSXqI(}r4M82iaM&lW&7_y+^0SLFAsKDO 
z46W{?=ky(_=9QV_Z+n(Z60-HQ9NzGk6Q0gS@4y5xP;MFlORL@5fg=WpR6|*pC;xxy z)l(EbJ^Oxr3#TDaT%e?bi(_bbQ$^!4i!$A-RJgfV7b~LO#U3b-=SX7<~N^?R|Q&bYF z!o6^#Dk8olAsM-P`-h?B9gDD^>NAnE*LPYRO^X(M`{wY0arn+($yd!QwlRZdj#Wgm zh}oGM4UnJHSPYcV!i?`TvwF>xa#0+R75xUDSuH3n&9{w!sPGVKc{FrH2V^jKWsT0l zItB=MztpS$0as|rg1aGFyPo_ju(&ybS~L$G082@I@3^*Y3PkkXYgL2m3mLhFIHxzs zQ|eo_$ujnlqVH2QmSy;`zUps8W&YVa$33A`qB0w%0UT{JJamvzXd9`T2BNxwtZPOe zV=G9N;cTMoTEOTJaK%tIa-mphI`GO4l6H)wDqKwZ(}nAGk8cC6F!zszbnMK1|#OZ8neX%kb?Ow~7%O$}IG zHCdM*OQxN>ebL`o!t(~;988@$0sn1!?MAGx!qzvIziN!?*Ql!XBU_fHHdg3rYLi?J z+sJZg1B?&|GB69QOCWM+;Pv=F)T>|r{^^1E>s#d$+aJg9j)MM;1(lObqRgpKw|Y~7 z4$+W7%atz97Kaz8aH+JILbcS(=X?1;(;{R^@L4i!DknlP@851L>q4gbS1(+!o5w}Y z9R5Tj7<%m$q_q{9J<&b?_1*>Zk(n9f%;}Z|^BbbVkPGL(uW6p18~GJaiX1<^nM@se z?FHo1W$)+7y@cOp5dYmN#M?MnyOOUL@+=C4keep0#@=PB|n|B%-_mQpsZn?3?gEXJCRFbqF( zw6Z@-Z>)*!F85wmDjZ?*VGy2zeP`%pvbV4rmmIsw%F8bGBVJqBUNzvAcr@g2?d zVdLb%jFFw*uFvx7*5u~4==n;Ahz%sSDibbGys*tdDOD#1#VN&7hKrPvujIOgq)Z{s zB_m{r5;I5(HWs^($-Xz{&zq4+kv(5-HOrUGn}gIfAjeM(%$?UgZys{`G%|ClebM5& z#fy-$7m&u@sTUUR7pRauM~-nMZ$^Y8Ye(0)TW_PvnC`3bRgR;}cNkTn;#RbqdV2i*`u1rbg}T=Kf~zOS zN>BPL^ppRO_Xu3{V7i_;#S&a$VB(RpMHNrDu#OX5s$LuwO5gbHssK;v9QRF z`3sOUXOWYq+ZRRDg@q%hFCq=SOaHoX4?}_+o;}JIcm3`U$g0V9Auh;^1&T$08d;;F zxf$`fQc{^!XlKW^W(o2oi|h1pEmlmon-?+*4H6kkU<Pb2J2V6nnLO=B6paf{4Ml$uv<0bIect15jjS?oS>^SC+3Ow|P;3>sEB@Idbb!eo*HZP$}UA-t*_ zBQL>9i}CVusv4$M^>9!^$pR4K^-VZU14#?T&7rg}{^q;7AMaRxJ}Z2DR`KJF%-eU0 z)%Mq@3O)Q2=<{L!$k22Vl+8p_J;7WH_73nh1=<>=p`mHj2Y982F0J5dP+XBr)dXW1 zQ5E3IJ-y>ASAPBu)8#U>L4f1=%%ykCBUep*O~0W;cYQvYJ5jVq9qXU2%b6NXcIceL zIquOaCs?Bo9Y!xW;GZ)J@wof{B~Za9^QSKgfs{Ua8a86CzMVDW+Y-roCeU{*1}I8d z>~K)!ln54gnFwtfY^MfaBZ?~KgcV7m3!v|kCKPg_T7^m1I?I=a&DkShBBu|3Az_a^ z{}NK$ip*RbSQOK;a1nCuB69Lv+oI^YMbXIV%Se6S(!Yl7WC)R?vxm5{!53dW-&9*h zO9CN`SAcEiL^QC&8-eD^i)b_w>I~Q(7q!ifuQtS%8B+pUszWDd^Yk(F%(VJXv-%D` zEmQya7BKVVL5EcEDnmhqJ}|igudOHEO6cbg!&!-1H^86xwehAg2F^$G^{cvB6|REF1<;-v*z zTmAQsk-fL>KJ!W(nP0?Lx5EvTsH>ouDyZ5b8b7PNZeaWAeRO*&Y@PHyvk(wz7`&ir 
zEB}iisqURFh>lHhupFbcuF(O!*OK0wmOWMiVILq1g}V&=a6pcS7Wsd%Uh$S(7foH2 zjGc!cHMFb+pp45K&aWKyx(jpyesQX@$8T=43u`qn>|fYxqxYy2p~5(hIY2p@;41y{l`)F2L=oj?wm+W%?h zRK?K#kw4NRIsUA?Wz8Aw#fw?g%8}mYH~LOZvrj4th4SxCsK~86Y9lw-YTjIAd|L zJTNCg{os4#$45x*^yIUPl39{UzOoBI3uJqet{moFbdC?)W=?){Hc=~<)vf~_v8oI9 z>1V}Fp#-Pg+~jI_w^Ll6Ca(57#>a>`8HN^h&REbhfabHqixJK;=sdv&_Fu)7VB)%D z;+kyYB1lBR2nf2?qNN8yL!YZ0wN#ElBQwcp^b9e#F3X&+VF1&hNrkIX6N6fqUr|c5 z+#&_D)WChK)KeWbZ^n3tC#)%KE^-d-uX^V%?wG#_&91I* zTl&H)+xSf6)c!BH#DUnkUz9lg^q71Vz1Su#5fhut0zWGOn5zW}QjwljVVC8l%555P zW~MWqA{3;ThbDJGL@e0EfdvhEmHR)>uRXvoHR{)5^~*b;{dwvI_hc4&2`yRU2Vg*I zf|$j@Bk6;uptZ=HD5(9k>{UUGs30qEPV1z8`4JVkNq6m( z6$~le`IjDCh#@C}S3ew5=*3L~VI@s40wqg>DJ=WQsxL2njqaeIeHDZ5rh#^@tzhUH zp{0it4NgEJnp;{)S89vv7!ST}`1yt(xsr?AD0+A?@7wPhyT&wZrHQF%q)Iv=%$KI> zh6NA-Oqk8Zi6SpwAA(TnAHGG32Rol#m;j@AaF1cBn_<*I)>X1~ReW)YEu(zq&Z!6~ zO)VRB9{Pw}RyYQ?$Z1v&j2(!0@_r+OTX z>VVGkU&WPTeS;CRE6-91QV!yRTs_+?Af&4m8EQpdn#HA6`m6@CR3hgI zNhA(|tt;<&Gqrk!vHo2&UtshwtchVx@(ZZ`?}&PO8vcqa@EC+-)n9N0G$e>;Is#!U z&e6{tQ@N>w3Y?uK%C}qkN9HROzQ&5l^^=MM9;eXAX<4dWc2YHdM$xfVQPdY`g7DA- zDQp5$UBuLM;Z&UzT{lAy)6TMFmUB*w036hTY4G(UKr12eu%sqZF3QwRGaD`ngRXa>1D4HscwwlW?p)jn6t{qGOWT@4!?HEYsJhjf7&g(rk1D=}=7 zG1QLN`rY{hY>C%Z*ViyO`A+Znq|uI?y|P299(v(5q`nz?^}g5V)`rhRE}TVX&i2la z?3fphoP_&e`{*mLd@Q3Om-m0^Q*Nnp%A^0J=fzr8bgx6N&aFw7rb*HZq6kv(i_XYt zO3UpIb$zJFovc_r>l`@*0k2O&SPrR&_NqsKjExT1pYCX$PSl^y6MmU0pgq-7L_M7< z{C{wD4mGqN-wCWLQ~zObWO5CE;#%T!PO7kWs?cu}*7ePm>&k}O-rT%`Y>nm>8-!hN zfT^Ht^t8NVGd;7Sb=mYsJKiS?=nOEsR&^#TI*95H7$$(t8d>Noshb3X0a$ZfzxB9h zcy&BcP82vGg9&g&P&WZdhNfvpZ;r~!1PW*AYVY++HQ$}fNA7eW-vGcWu3xKK_eo(q zNx+aav1CIm`8ZkDL)CR8Yl`FKUa}@1(xp)^((jSk?{1I2`RQ{n$;h;Nrm};nYXycO zMOrEpS0tn;E<8GKsLB#nOsK(YZv3ES@?hq&0dZaat04Vb+U8$6fXfYNyC$$XS;{J5 z$@fMynz0EUl5L`jPT+T3h+Aw(vG%^q+ zpquz_xI!mXfB!t~)&ECa4P8ZBtY2^iZf_Zbr|kV7`q$)jZYy4-h+?^QqQ?ojI7D6cfkbm*Vvm7%;Ok)-h$Z3Qc!k{~nOLf?xcdhbUzf#6REPeRSs*lAYH{ z6=XqznAB7vkQej$jd*g}-iv<=4dp9C)5=;1f;^yE0!s6v%GQr!vb>32W9ZFMPB72W 
z{YHYd$iH$VZM>CP)8t#b3;Ysc^{i?;l`(ebU&R#|W`cp0VF=|QffodbE~V4^WYfDL z$3z9rlOq=(1421`Q#o>3HgO7=Ikw5OlAb-1@g0zXXl?tjsO5w1miK1Ay1-#@8GL}Zo{kg0fIexS2uSv}@zd_D^fn40*`tn~po_!HH3=Wue%jUkcNkc_$?rOGS zGUZ_g=|ZbC*2%}-+x2A#;&mFf`-V@t$4(jh4#99(J9Sh(wog8NP&#oCT>I1$r-6J9 zJYi7Z!!#Jyf)+Gi;JAMLoN@xZ;AVlQu2^~;d>y9bM0JUuOCR0)GeFQ(CcV!roKy zx<>etKFzXn7f_h={b%GAACisc!}@xVyOzTZ0F7s-@^fQ3yi-I zWa^Dg>o*^HY6b$Td8EEN+L@XLZ=F*I)b_ioN^_K_K!ck_wA3!p)-%T3i~tv^^$-g-u~4gkQNr# zOyjv(6iE(Cna5X@@&!#;QrhazM@K&Cr`j9kRh!_%*MMj5@G;-&qlAL8=OheuQ<SyUb#(J3L%>`36<0^h{a`k7$vU(T z!Vc2Mj@bH-nL3U;hqtBnH}-9tq-6^!Zb5`R%i7o?(wta!W?s9_ zUQZF^vLxj^WiwaaMzFxRpa@u4$vFJQ6D>dAD7$g27;@(k=v%*Asg z0iv-6Yib12AYD<%71vXkp=V!a{N{N~3SFN-+2!$O${&lk&)r;B+!pqGq@fZyaD439 z*Q(|ck(v9*na7Rusg19tAO~lE?5S^ydKUShy^QdeVqS!w8;7#IM3h2GVs=8<{wuSf z1uzzMx;x(o<(hM9pQ?X{a_E?1_=;rUhIAOcx57dbT0!_WLF8_NW%1Yvcn5Yj@*zmW zIRh<$5_W|!j~d;JDrmrD9$jzEpe;IpYUmOG5?-_LKm`LzB)qKP)BYD_ZvmENp0*V|MSM#{r3O8 z?|#SeGWX%(fP)Or#r3;>=XC}c@3e|zYeL%=3rfP2Os zj?Vs)78=^z>(x96V252j;GEoG7epJKyKG>?uyjenmKjGI?)Z4D802HmDMXo>xyBnh zh8a2qo4AJAv67s4nZ_&R5i*n^BICFBXsOj)t)1zeL!~}k2 z#m~3nlp@&1+AYP-!+G@W?d1#sC0*?;Ipa-kC@$dzbu80bq!$@RrZ3_I>iUNn1|=H! 
zmn5|g#I^Og747y_;Y7eUZIB}A{$CXp{xG|7A6t7I7H4qdrz^%7ic!EmsAnWfz?KJw zRKDUHK9cKb3m&SI2-a~|JxAhzeNo5$doMt%u9egg&mJZDv;5sx_}hO`;kP>9_OoYA z1%x7>xY5<}<6o+OvLh}&A%rd88@4+mNLc=%reHlW4sx#nCv{${@ww zEZ$^AlALM8$|7UVCxqyIp8fl1=Sv@UY9>|mp-CFr3=GG?OBfIG?rFaV8PZ8 zI63^`!E#~NU%=jhr@F$GUBJ&8>4%Bi2mIgav9Gy~J1-o(k&sR{F0!sjz~R?XAOEU2 z{b$#7X62zjS%%vuR>vq?*xBiesdm2zJTupAFb|LU$cEunyN^);gdaoQc}D3;w=_kX zBBO8Yu%Rv0hMH!{t_J(gl3iy?ud?9?&8TI@?)kQ?QY%KTJ+Hu;m5Brs{A$U_G-u>k zb3mjiGiQ_-^D9B4f|F!G2xVrxX#QTpgW(+F?E!)~HTO{Z;(>s8kyui|bf$Y7GV^uW zLKAi+)<8Cl0vlSMJ-5V;Q|QReuw{VqS8dLzHDcH3vdVOMK)3RYdBw(9R#K}i-O`rX zSYCU6%Q-rjl2+zZeLO&XgNFsQx=+U;OvjjQlPdhm-EXCL5HqLpYsZ8o%&M;_#h<#D zITv-)B^SNdUS&3%{@>OWOWTFhmTXpvaVRhFLru;eN}RvvP)jhRLU26zsCWt3+M|r7 zJziyZ1%-XhC+?0BM3q`S3v=gJM3P^Wr-fB2!wK}@Xybq6*?vh3uO~*NB?da;ufHU& zULZyNrVLAuIn3ujYiO^n?$5&susAst(s^ z4@p1FlDvlbUnnMs$%8t=60&LV=kxD!>Ou2SfZW5G^pHkj4u<9FzkiRsm@}#1@+a z5TNr*D}0~N6h4~_e>z@Hygf<~1FvV>p4}77ObRx4h8tL#fZMFklISxkkyU~Fqb<7t zn;qQyEE!pr^fVKu6z-$=1G=1QT|t4qN3H?4(1clrE2^b?rmiDx$N6JL9YU+{Fpt8$ z!L_4K5_qljyHp?YYv>JYJf6L^2a9!^=nVH%Mb_FYw(;vfw9N;lAzUr zR5>sEho{L(6jidbO{|@DpoJ;lT0bk?^X1cdBr_t3 zw*sjLe8o|L;;=w=0yb_D(sd!?b>7uYnVU~GUVaj!J&qRV4;e3hB1Dt_y{;g)#My_s z;vjKA(@UBFC`m>Qj6>HXtKV}7`p7wAwO4t9;ut5R>RWqvmyELS7=AI@ZM^ahPWdrT zRbSM)ag6$o$qg&mfoJax3S#+otRQP@CgfT$-va@UwBTck%o%moT#+@}7f7M(N+6|R zI3U9d+0X`zJX7eG0X1-o3>o!kU#rawHg8Fq9*dc|?N7|s6GRV^<%k!%o=$l^pBD7@ zrRiBL0zpfkS+7s8w%}C&@4^FE6&d$97H!!@X3Tn1X1x(xrpK<-}VtJ@=ML@m)u%bOHR@Iu^ygO2U zB0$oIJRsNFUYh0{ckTZgXJAX7vSrg)g`jJ(w8znuIO?v23l!;{zHm<*MX-pAcGRKa zwr$hxfW+!ELlbX_7n66d!r9`|)tl?u_SNNzf^BT#VaaH>D8_A39B+-E%eS$#Z%(yD zoyv71MmmT)+a%sUU*3{TJla2Ss*!kmmuGJnU}KzUXO!(^mS$%WVQc2)U_iXNCs!2Q zzB_Em;N>;%r{r$sh!IqGnGVzV#-p6Zg9z>NlpOY{I~FWCcP_wVTEL;;+Gh3^9^|g zMpU&8GiSNsHv{JjUp!2_H{wIQUP};zWa!eX<8xC1^N&0xC$bGJKZfIwAyZ+-mY8$P z%~@GEJ;B{FWr@kP5u?O{CbVLR!S@5h!Gxb`#7!_^W}4x+WPuVgMV~NGme!-X!cpfW^#&?qcyeBs%?R?12Xf`IA@ znXaPU>aA`GkRZ209aq~_+}xqvw_$zP#^JG?m&BId;kMR;>rz!4f@=5q2+#W|Zju#M 
z56%@C76!%w{ujuGtUxrz74%`UuHYC0TYJRuD9HhUgM3x#$*8ttpHqA-qqCEnHsx*D z@u{U#jP{&OQp5LxjKu*(f3T1H&Ql!UHq9?S3}-T&>~nM zAs3i2vn*IyQpP#-H*U zxLX*ja5{J*-&We|CF}|k_xP3{O;BIp79aGe>I&9ep;mQ~`^UOXDCS~C77@{j zts@^frhQCJdfzqrH+In`Nt+UzW*KSQ4SeXkuk0<9H)3oycFwe7m0@avv;nHCW!ApG zSPFhHq<(N<;SQ>^!>)jnodpZ?0 zel?UJju6C+*RP%&wJFP_C0l$)5-yp8EKW-KB0gYW7Jwn+MPA)*XT+)FI1 zBkdgHzxk2!m(Proi{uzotfRxZ*nH`XQ1g8K{IAGvZ z>7YZ|IS_6Uz3p0%|B?IOGIoR|cVtC0$bF^zp+jMTFRH$YD*C@l=>J_;kQ{>2h7BX2 zMF0z-jf3f1`YQMJ7Hrs9*xr&P5lXi0C~EG^YuH-ed8Bm1akk=wuXJzqy8QsLxSwoe=Z)lUTO)`UV`o5Jq@>bq>C<_ac_#>s9()%HY| zO3#d(c<^L5L2S9+pL*d$(AmT6GY2TdL&38NzrHhps;>qs4kDE-t{56NJ-XiAX2Z8>e#h1rv4G!IkfWYF_~nVYkV*0`to#+PT; zwkbCp*mUUhy@f0!)Cc_Zre+CuUXh7YnmIKOyeuPHE*PGs9{DD;3M-mVNtwl~xtzI) zxO>AH1aX!i@GZjI9pa&QZY=2K(~u2YDa$O)A-yqURFNzQZl*aB!B~}gv>JVv0&7P3 zqMz(CGZaHtUm!dN9wYcm8#bI=tjDouraJNpfoYht65XPB=VymZIFW+*29U={BB+Mc zbFpM&Ao~Tj^w{TT7$q4~%MD5nCC9Yp1xU9bmjNPQz&QV775(>O`&aG3DwD)Nl{fI? z4CQ!a>%o!(9Zdtu)3fz=3FTcvIPqNcjMzH;WG@mBPM_P%sXa`~Z5MAo36lX#Sv$6B zV}sqLMPa$YwjLHAhq(Xa{>6s2YHt{mrrH@4I@@2l^LXwp!S_v1&Z+^}b*iuT-UD3u z2tSII{#QCrujlP&jn%k$$c2QHQO-);*lNDnV+POIq&Nz?A@ zZhtb@K6^Ls#74V2$0Fx1-0?=IdX;0#cZDnP~GHZU0_6OqAGnK5Pe7`z!_)5u7VO!-!1nS z>jdx?;LZ5XgyGSvH;?9Dqp0BCKL`J-Kdv^kiM3~w6dDvE>I!aYM%2_5<|Z3AF`iAw zE_5d)@%AD<2N@wjOb{ zyhcWWEA}OmuwM*(28QY)wzQ9grXCsApwc+^YFsIcz^i|)L`3C{y+}wSK9$Mn;lZc5y*r=L$ zgq#3kSEE>xX+sdA2e$%xPK4||lD+=0u(qSTr_=A&*{sc*m>c&-H|?y?6pM33jq1*( zvzKeSy7*JqeTnJRTSt61Rjz0*`tdISj(Hj64oQPDz4Ao6c?6~cE$!_@7olii1dTm+e`T|LB)z1M- zRz))Pmg>(5gq1Du*c&%7=RUfQnnO>GCtV6lkX7Mu_OUg^8#Bd@tw zyb(n;^M<&3XL62si&Uw!9;Jo*2w+k&b85l<0-Hw;21w}@#3qK+9Z68E z%V^0j-H{p76!Itg&m4;41!`$X!zEU2kBjg$ujPhE(`|VBP?9u1SvlW+HsCBUv7!cJ zs{-j3gf&Y9~Va==BHrcuP>iqVLKmK(&Ol($J@ZbN^#FQFKl5k*! 
z#45JuMleGBM;?tBxvX-|*vYT$M(QXo!elV-megc&s9$T^uHB zaZ1I&8M?}hY#{hlj&%#+;bs$e4qZ2uNVJn30G8(29NRCF{TtD>SQ z`ox9w%eRxe&IZOre<`kUm2{R}oIZEu>D8@0ZL+o?7Efn=n`uqa$7{8^<0G+sCtXe* zw4AyTIXA76)Fl=d6;SdOK6P8Y>W+phj}>j(w(-otyEBtj`7uK$q~qt(CN44WUuSgh zbT5wk7~~LX&Sx#vI@3epe}7Ns#Hl@>Ed6rm)zHSvwX%ajqE61ht%|qA`d36F64FLz z#J8SqKQz!#zFw3hEA}lb@~V>g)^GLF9%U&{QKda3;JL7k!j+Irca;wT4n+i~KmwWk z4R{lQxeW(qrs4!ocs@wl7c1KtSe9ShnOM6o!71Gl7YXy61h!JnsXF7Mg89rav+*W2 zL@vcU?PF65wYAso_3N7JTe>D7zQhpxOm?9KuhfcHY+|3j!Z?`1Pr;mkA?MGZe)ie- zKM4FI4J|naRsrCmLj`8TuffL0fLFQ-ihHhodIfv-QQWgJ-={-TV*VyE{|txVa{_Mn zkBRx~#KY#93HOIj{I(t{TViT&Mb81x8J6#8S!Bnf=6t=355MJXq3Cy?ee;hcX6CNJ z)|6;thfu7I4i7xG;-*2)Z|qhK#;GMG!qCxi@b)Q5YpPL@%A@)OFkU!LAVLeI0#?H{ zfws%FwA>-n_dCW2d7pfh>^3F z>{@KgaA3`@6m@%SZ9)BZap!S`tTQK57?7;&3@%go7fX|BDkBqI>g(v^=S$btx@X7O z9okv(=?6N!hl8a>e;vCJK+I`|2Fg>_t?{z0;dO(N!tPN)WD>t`Jj%sGdtM_&| zbT%2!PKv(xz0UgTkO)_u0}6|F(YJ4>CCe7;RLaV9X%yem(u4-3Pia14vs({s-PXJI z;-e#-=hVfU>inzJ?EH1~60L`DBecoDjj@ZN%X;zu;?soX7nXy+?gvT00XC1M#BvfT zdr+e=>xY5cQ&iimN*XOvHu_c{O|0)ol4T<6GGi^{6NhiCQX@<M?5l zu!H0h92Bi`Rc7IoW7l^URu{Rt2Rgc!*)iqd<{5DTo@W>_lI&?hH=fYcA>sSw&X4Aa zLtSS!?>RVncXp*Q!s1<=XY_W zy{jv7Oq+*~^ycX?*B7tD25z?eWMGaYK{AMkooB(#fswK)J$JQL#Pl=5ipN`Gz4R>1Yp{wp~iI5kXhG#Nz+Wxn7bADDhDK}K$ryhBjZ!p&>-&TV5SR0I@e zQ4+m4#nH^tD*Nmm^or{=;ZdgK6sx`u>q55bDo=9_OJT0O536KPMXy&qjQ#siS0L4} zCA~N~hX_0MOic591XWLpI z=@_kQh@ly0Hr+Nj#Y%|$e2}O#IM!mm#^TIEOGqq;<)zB^Oz^s`NZrY z;ss)z$+~*DFq;u`&xyz9pWTdkHRE&pK}cl&a$PqX`0eIw2{g`@lpBksE7Gi*sUT+fq}O8&fBq5}d#gUTmhI ztkn;gv+_1oHpy4s!R9We?VPu~*{sC($5>0cGTl#8Zyb~>$XvH7TIADsfuu{R9#9&t zL3RosFi*IwND(D@iP_LYZSJNu_ThF3INC=v;-H;!*W3UW>RY$fFQ+jqOHy2~Zrr>5 z!u)L6{zHMS*h(LzXpYeuFFHtWxYf__B)2?Ow=wrRRd<`_?6=6?{ar@2H=6mz2D zi^NG!=8w(IZ8^Fx!NEl5{_t8#ZeplH87$cpSaT$}`gDrqylUHpu!N*ltNxguX0*AL z^LVTwD##)<$k)w1GQVhdpzv%^^~q1x_~|(YmDWk?q}e04H=e#weBoB%smt+QSJFCm z`yTJg*uOij?^xdPt?@^vHXWMi%I-KArs~FW2dprvrW42=z%+7g(VFqR{}+ zNPy@%fBj7daX;yz(>V1JwG0RJH?FBaxcUdzB`Z#;Dt0SBwqK>6;BB0d!cuHwsg4R7 
zryZ;N_)R^*Z9SB9`giEtGmNOw`hrAb|IF3wBx6bxIXBJ{K~YM&f0Zsb zV;MbTxntgk-*9jpUTNeED?%Gij5DLk*;V37sdHqDb-AK{xE9r<>JX2jr|qnF*NlI{~?}z-S@2AQ*?9|x9>iu^WHzq+yd-b3D%T!a2t#r{dRX<*?4ffgHIqQ zztux}maD$SR81iJ80otDF_KT{K8vG0jPnD(38Zs`LYGwG5=!bPoJ{|gi&!7i)f03r zs4o}cw?^KqL2RqPg#8-16CpLua5K09Srbikh+f^{C#)%4E85w!W%yq2%b0!udM{Z=OiQ1j>bSq~aIox9nC3uKWo>I*I7>`d zN}E%o5)7p>`npzcFXm^h^1wg-{Cm-61=J#mb&atV?RnBIRjTHXKYQ=+{;C(#o%crS zHn;hRYJ9)_?k{;|qMVB6WXblVns%KJJ`0EmTH8@h5a$VE|IC!=@?hM=?c4|VO6H%- zpUy~L&uJ0QH#a5QJKp0{S%fG?UrDcrvX@?umET1K*^_aus4G=Bi7+71Ni;@kZKRi+ zC1*JeBNQPFkZ*j+t^SKmjLtHaf0-gdlb_R><5wN?rMr<^ajHW}Sd%*L7-V#7{yVpiC>);PLV+tO>6Q}RByPu$n~H8Gz$b;JMR-AW`# zkOrZziMOaGG6nU;0%UN5c%ghW;Xm^<^up~dLl;BPP0eUEW>gU%R^0MT+%nB5xh75# zC6cYOwL2O9F~9%&GDJN8{d@Z#SJOKWoRzlk)U)Tid8Avpr`fY|?AQrrl;EkiBetGA zx7a41nk%r>2B^*^g{WtjM_20@QrOaV-GrPK;qjDW;cDM>UGH4GvhBD$GNrvR3WEzb z`KX2jDpFNJPV(fK0s9mZT^Fb>g3~VVRO~<3baSTW;q%nlr{T|LL!Um0hT5oY6Gyo= zMBJLH-c+L5n4@UTXlkixZIntkDTM25Yuj=~tr@Cy*{z+W>oboxHVLx_2_7eQHlcf7U>Yrx1T;)xobyJ=cbZlCp0YPPyQZ1P2X(VyDp$n?b@BB!?;J2uFIIS$~r%9ivD|whuNqByRyQyW}BHGL7#5c2#tF z9~=uk>PN#`CUnE<|I5%r-#arw*_7E{P_?go5mRrCKZ8<|7r*IIm;cdvN zy~Hg$XdV<(zOJ!ncmSpc4jl5Hh4Fi_W9ql&K0t9-=sM`Fwpn8tsb?Pt5P%Uax({%2 z^Z6wP{FSDD*6dWsaO|)nrdHUw*V@o4SGYzkb`6-iOnG%L;?C8OH*;;oTf`0$^DoFK zOk9{>%s(gV>g9dn?dIt_;g4qn@6G0Vh1nw36S#pnLxLM9Kz?%Xi~-Lvdbyd`pTAzU z+}sT(oso^#_e))T!U{+3zX0y>o4+jv{BBFnwgZ)do($Lb9j7&wYvs6;@^gEUOiEJJ z)B}LCyjxBNw4P$t?l(!$Fw5KjYUlH%djus@4N?v2%B6fWwQ?_Pn!M}p04&8fhlEw@ zuX4oWe9^c7%oA{y8ZK~}2KJubdg4M$|Mir?ON@(sCRh4&FQ3!v@3G#w&E@#<^b@DF zdk!`n?`b)DvT@fodC&2U8@o1b>FLQzx@Wc+bTuv;?y%}p>RxU&JEdNJ zVVC)V^*0EvZhv17>Z|2E0*{i3Z%^=)l_Mz{S*`&@biK|TvEvdQYEE%dA+I(m^xn!B=-=L(U)VUtXO*7 zdXMrx56LyMuA0vBn$B<(-G6q<|A8(1ky-K$C4HH9LGIQIo=w*o;^X#tN}E)%kFeVp zY1gtLTKy1olo(d|!by+1DNpfDcxAAf2I#HlJ;fdVVr`nbMzgi*;E~d^r;_`-_-9YC zcW?7a&!DE~SH%knRkvT^lA|%dg$!CEn~;ztK;%(X)OdSGJ8MKfta(%#`m5 zY}y6);P9HPh;)8wq4&Pl>=4KAZVszlxmC?M!_uWoD82KMIm*N>@4<-s>ev9^XG33t*FS6w4i2~J0<8_ 
z3IY;hFHGKj?+aTC8We?61dE&U3L$bw{H29^>Pqt!+6}qHqkzYEB4%z&iPzZ3qr=U= zc?)P0eG9FMc)I{&5yVAeuJP&pz~_%6u3pG9Hv7iZCBg*m9}uYWD*=T85HoVmjLccr zGc?z_y_e3pB&^HuVWBC!UjW z2$MGQ4(N@8PSR68ZP)msey7ykneDf;H{8(C_jk>0_i4Dnmvz~s*R1f5jZp0mRCJ-m z(G}OQxrScALwv_uIOZ+71qv>`@gk+QpQavQDSG|o2jiuiGpkjV;*t&9a(V{DU6(rw z>uZzi4kpM)f@N1hAEk&6dbRfYG+pt~46v1F;U&my?1ya#vtbY^Z#3Z!Z~2B$xuRxs z>*0aJ_a5IofA)~M?vjw~#9W0eMcx=CY>g0gMoKqkG;K0Ls*f!lqv~56lB+(l5B`H?&<9RQI(iXoQJ)`7%WIA^Qnl7z5krr! zhh<0LB5y{?wiOgRdWtOF6w3_?a?1}~8z=UkzP{YtBfBT+ijU zk%p8ybEd|OEk|||xG{#bauerZJJ;{7Uay8S;{J_j;_+UxSrL!lzCwi}1ZRzkf+89|~6DsXYT-WQb>GM|g zqHloY$!Y1Ls}FfJpW?~)`HJ@>Y7eEUcLWyJd1R!@_paZ8;+h{Cy0#TFTWWO@KO@4w zt_-V${Pm6Ht-?BGno<_Jz9Fbx||-xUjc!c`L2$t`v<4kq2Q>G@>ZDkIyJl9)XP(~t+9Xf@=_yfdoH{?3QgF#_|?j_%Ge^G zLMxklLrlLV+f9M?I6tB;GQ4j3E-^bl`|09EE9|4!P-={sY9p3XpI-%4$Qnwv72P8@ z*XY&L!r6NPQzL1_i;Ki7020q$zXmq&n2ZxdLA=2~Soh)mi0K+69#$fW>Dg4oo*ka6 zO;;Ja#~X2L^m#%f?gBf)CD(+Of2jXOPIc#>K3)3LQp3E$GW5NNPv#oiHt4+fnJYih z#j6C>2zjFkM*_F`rDnEAE_QA|z21-($;&>(6Ow3yyP70V1~&AEDbEB7PsBF#2Pk`2 zN2?6O+TvR-Cbl2`z|O%-mKV@a>#yAcjxJyv+zOGZ&NbLeo^uj*1aI8mGWnDxZw00upxo|PzuCL4ElAW* z+R=GnuxH}Q@R@-v4J|pzx!xt}(g>l1UDXoYIpiQY!>+%_Qck+m54mVBIyRoCv<-p` z%xS*j*L=gR;25Gv6SX~IqIKaSNxY_tnHSQejX!m|<=RaD#ko=Op`Bq;kymb}e`-W& zRn*DDwKp$HCvPYl+X9PazJe?^Ki@yPrVzO@k>cHfqFz5x*=6ATEch0Z>l^at2;5Fz z#bJNtPJeZ$zotF7tuT8}>(3sZG3xD3(aONmqd!xs7@51jpk#bTO>!z}kLWn-sXi6b zHpE5BuHA|3%zfwYqsLlhNgMQ>iCeN7T?x8J)INIVIBcsJFF@{5V9m#$mBKC{lk ztHOwrY00a#=2g1+RXcFfSDDhkTcU@;1P%s5ug>p2_~92bY_e@wslZVUsAbk3a%)hd zDWT@>tFJxmiLK0ajxM7XLJB<%e*nlxIl_~X4gKCVd&4y+!rQw1nht+v6Yo{N4eCy- zwCoS*x|#a{5tN2%+JaR3eB>uQG+lfxsJvInIYc!|m*6FsVAqf0uEa;Y0-Q!9w*=B_ z5SIbU2y7Vi6dtDLsj@e$JO5(h)a2!e@^oKGS)jN$f30YD|DJ32&zu?BTfe?EO_UlV zFAY@4J=7gs&0e;qi=zQ{GzeE`2=qL~<1jFRe+v#HG)aV3FMt63V5I_;^_6!A$d3og z4+Ylm39jEAtk(LB8bl;uc^JH?}jqa?8oQOj+A5FQ&s_=~vv&nIUkzG23Ql*wA5LgSygnj@@^1G$UL6%Tm6Xb;Pv?WL*t|rb6OQL`9zJ!@vGy z;_PeA&(`A<8?a&9sL*4IR#LKbDL!_zWi#W+#6$k@#c+byO@PHmj#5Awa0o8c6$T@+ 
zt{^;pOrC~s(6!D!zf<_)zAy1QQ=##5U{K(NYe1_o^DHvtf!|(cL?taK4V@Bx)}s{H zXzo3R_JCO1u^pLW-F>6D6;^5Xn^BP@US!}_VnM02a8K5^vsP~w4Njld<0e`)uAvKCLN@FPuim(r79HDskSkPt%D1pD_LTLt`H9j)l?{Q) zT>|wf>}#0XAztGhKoA`9h^KS{*F$do8Lk4E0z(Tx#5Gc=UVFe_ve~b^TE4sSDKRkf zVo&G#1bMZW<}BvIE2r=F3)^d=vjbBr6Vjylk+LcuRU=EY(@op$+;9<-3`0GPLPZov zVBL)X;SI3OJt4jT#PO@^6zOTUAp8NUb`e`D%x`#LXv1kdENI-vQ*Q88r~_;Bywf;o z1rFOgJ;w&3UW`P(z7g8H+4R_E#}oTJXP-1Zda~~Avr}i!sZ&A`~wRFWk z&-N<-WEhfbUUlQ4!r|Q3^R)QHs*QQlU9ntQ&Tp(%gf%D_1?7LY@%h#@iI%q^ruBlq z_99<3faYvnwhzAvXdD)Z&-+LQD2aK&#YGdus1w)5!8O#0lItWWhmF;0=M;VCNL;mK z>dw!%siBFNn;-{u1$B%e3={Z5u+u>gw&YNx z4FSZ9Tw;PYexnrZA+o_?n@EmS^RGyN^D#NLlM9{cSHuiiZX~XClbG$ef5UVBY4pT| z(8%&@Ae<2O7_u^r$*93{LkgUcip|`zmYVSKg`rOIIeO2J%q}pp;s_nta?p!Jbn=SY{ZWk%6PCNuyS)tWKEf8URjj1Jy^UkK)%aY zwOgRrDNya_sg7Vn2Tm!u>)@j z5WS+6k=t;XEUEg?RFOdg7zDF7UwvAj>`dJt+IK^FZX|KTx z$LC^C@Re@Qr_&|V&+BK16GtAL+c!5Gw)Kd!d=E^>VPNYoyA@P@Hc`5zrbAn|A+1Qo z`JLTLr=p|)h2*z-R>r|4$<3!j)rVr%o%U<(p(_u1v>)ZR9QA9x$P*1Pi_SVE9R1p2 z0N5NOPb^xp1;E{n~Jge=-R>J&ZAE;V%D*2#PHG>o+FftaAC}XN#2c?y0+iko|Mc#NPK*S@?vH)q&MI$yc?*%WSA#2 zNw69GwXR+hGk~)e>S~sF+dDNH@#0D3%!7iWVizkXS9^9E^jII;vbn%ySLs1>4UUjEQYfQOATBSeQQS} zL}!aTb~GMR4@_y#Ue7+=7jxo>*Rj3ytEVF-E|gwBncs5eW^(gU`0#tzU*{^OsER39 z<*2iI2TX#&EL}i0*obr;!-qExP0{+LzFv?wLL|M;v-YfCFFl>T$~bi-E^lj3gz$Ik}HI zHr6g|s7sgc<&_))MW3tbr^)+Z2<9Q{2AMXoS(LN3;B%u-odfL{W$N$P{w7huRR=bC zSLQ`(gehA!e{^+R8e8Mre%Y(-e8Ad^0#TP|#U9JxB1&Az@WZRle4d4SqCL0F&I1#B zyg4<=9O;PsViSkxKYyW*T^n93R2MdTFWwM6=cn-d?{yu`XmJ+wDqFS;5&Y+2%E%wK{2+Z9fh&QZ3m zv0r>|8JSd!lkwfN%7C)UDG_TXRF}OcXk)%>94#)~KO^jrT6iY%@;3P?&X9&+4MTM4 z8Na3;AI%Z{aMoWPR+SxS^Qq1H&FaOmYALHQb-54IJU%?Ku`Rq|uYRQHd!H(%unPv= z0_6xzGtAV0FFGcWjr$76BgFj$>$WNPYvo%~BBHy@rf<+Kw(nx4pHj*l0P|oYn&FrmhJV@4pGHtxYE=7ii5Thl|}-O zf$5tYcW*YZb+e*p;Ru5S#+aF??-;Q}-|MsQTz>N>{WVr0?|o)yLG?vx-2uDv4KXoE z$hG@)K3z`6m9nbIZ3_i>c&$0D(vg#8>11D2?Dp(Q%KW3q$*VcUQ-sN)XmI91OM;1= zAf0Cx3W_`h(WFpJZ^&a1|AMJlhFs~Z(luDB?;fYe5!vtyfHPRo zMK)|1%uBIDv}8uFwDSDw7nTb%`}!F1YyoMVnVZF@0%iAGGe2EwvXvKUzec)KvZCU% 
z(uO9lvZ90NX$2mVqZUO6*o|1Y54x6|@t2LeS0pa-b^M8|xBlV|SRVbtbjPlrmaqQM zj_)UJ2~{*N^^E$RQ2@2%D59O9DZt$j$`o(~xmvK?uR%~CfO~u+(iXOasCRi+Z|5W0 zTej6#x{*_}-c!8IQ@hz)yU$B`nkydQiI97B695;s*vKIwubJ{&AmKx+4iX(Xhu8PI zH(Z1Z4e9xyAhT{!FgOY^ePL}!?koRka}7)Y{|Rc9RGzBNliq`nXvqgjqnLL}5cvg! zd-_O@1c^6?*T{++B>PWqzIgM{%hzcyh}wIvHdVHi2bXO2spt>Zj?(J7>GcQb^6kD& zM?ICDKLvXJ62xRwq}rv2e?tk4(X^+uREdwsBkQBTbp6gglSwJh4Q(BOT{%ZIhd&e3ZOzZo3Ne)_;;ZpveByq1T&fBYwIGH^Qp4 zURrEJ-|~Qx?>P~I%8I6{DD~ zi$gU!)?UjJOCvY+aAX~SaB*=h&vC2FeBZ@5P`Ex!sxH_fsn}Vz+H09*6z)bIKJpq~ z-En{QB-Uiik|TP)MPAuOqpt>C{l0Uu52Ue^5Hy1Xhn2LV@6BVc-XmsS5RY(ydqorr z&wltF-@rNK+f~-z{IK%nbHd*c&^x1f zZ=Z6XPB4gBG}~daTu?N`eZ1`dURQV@{*~Mmk~M~UeM+`9&}Q&Fy)u2j?DmBBy(hjy z*W=As|KMuGTg}ae%vo2Eq07lM;Z?!_)A^Lt5Z3cEElYvjiY4bB##QZg~bpFHJ zySgHez+ZdUv;R|9Z!qVty)zzu_d&pur)3p+zC1^FJysExL;y4paBs}5AcJ_QQ9j{W z_&n1OUT3D(zyJQ~pH|TpnR0%1^1HKe?qU#p@9&NVc16| zX;lWCAWEtxQhS+Ma{*T^u4a&-IO-zQm=~lii)L742r{=T?NTE@uyoK5%5=$Yj$41} zE01ckob60SKMpUT3JgU*w)TLVIN(bNhdjl@u*dg;IRg$dEw;DdmYgLup6W?VQ>1gz zfSvwpr&J+&hP%~Pal7BZ|2E!SP5WU zc|u;{9y}tL+(bQVmLomMnIW>FDot5ZBM*^*XPF)+-ipc3$@6^ip#07KuxH}|#A_8n z+$L{%|KSaByC}MU))oHT3lf0E|!1QcZOxI7|c}| z89~kuX9j)8G;^0^uo}uM*8ldmi%iS{%pKzBz7?ySV?J8N`2B}}xjcHWvVQ*xvnU9$ z5mMmHuR=oNGII()I^@diHQ&5w$LK6h!3KV1Z-{!F+k66>INbQ)tgom;1M0 z$u6|;yeq|Dt8rl+pd11Njf?@34}-mc@gCbKSm?YvG;x;{sLlp853Y!)|JXhCYj%d8 ze3yNeST{1`FD^7sxje8@!4XxM#jg61ztlV>%rH62x=cou@1%>n!rMl9l?P#1w}NBQ zbV4~gKeEWwz|1+)l~rZS7p`{5q6UhVSp;|Phm#ipEfLO_keE1B6fS`H74Rdb;^uXS zbpG(YJuSnTQ(z0*e`J&}s*JfJeMZG<=OAOp73a>&d2Ux@#a9646VrAAum6 zw8N!V=-cNqy=pBTVvWuHDU4KC0BEjRdiJq8pIK^K8}B`tL+^E9#TeK}LM7zHlsGbL zz>PO{V0C68Ry;UPQN!iUJVw&2o_ zx>|VpNl>`@>k!hKyn0xL*C{TL2$is}qdP<+i$ z`SDeKKL$wOcS;t>55;tx`HCO+SE{#OLb_>2=8r)>pYiDiNrI&jUQXq5p86nH)9uxK z(Mxj~Vq2$-YV!!c;!P!&=K9TlHM2<9K7k!r1FFE?$7E4W&ywYI z{?a9#-~RTKufMZ!pq12WKm2UDp|!w)QEf#n#uSakG#QG-tkH8y2c}x5@Ob*HV)jAg zqdN)2vt1DRF0f*74g61UKpy6Qtt;{<#2fxjaurSPqUWaw;_{;@#jP7L52phjKk~G9 zj?A=$8Zk2A4JFt$ouv_>%ggqWE{ff9Effxk?^ 
z2i4Fn!^)+`ks*d+$ch%S(#~AAO?CdsMKfQHeRz>)?q*E3o=^hTpYd)w=h<+cDLc-P z?_tO{ndVj{?l={{vCkw{^;i4EPn=VOBqwZQ8!aQt%)`Y#)%^kDTNtOgkg2K$sp_+g zrb|ri6;O7e3r6@3AaoEiaR|CMb%Py;oK_0#B7rTaNsBzFJIT62kRLi23I<~jTtvWq z(wzLa{YI#s;FkCD=x-~VKY85w3li8Xi4w1edxBh`wLZb?b`#W>K~ zEp3fy@OvNVo#+|IsRt1#UYFU|FC&wa21o9E{*$h;1K*Y!=D^h=U`wBwX6lh=!4tue z!^%0>)m?vVJZJWC`1E+h+&vLN+$2ao48TiBb^p^FUU1CxzxoVY>l}(Z(MQF{c1j9;~UVYvBuuP5fabMx1C{IdxmUiG0;KKz#AnQX_5wPH3H zxYr_1i`=bnYfK#DR<8Pa!`h&^hv6?D``^EvLA*Ljyd_093$rsOrT_GXeucUsPs4XL zu&^*(s0YAZBwUI=aP9g1`uk(tCo^^vQ{sdKYi9=!dk0v-L)%pjvl@L~wk{hkTLpS< z@t|g%zBET3+}J)Y^jkA4H=RHHtzpCNb2k8J5jf~gT{B$-)vK-J8G#_UMt-etesW~! z!ptoTFIV@>^}N!({A!pNox=+Egw5Y#kHK%`If;b*cUA8XE!{COPf0qdo}pqJkPD%ZXA}t%}+f(d7-FTw!)TU z;1mfKF``Dy7^bJ^xmRfAxb8Ke*Ek5-7PkvZz zNHKH_wP$4*)1>+o)K!H6r^tkoYw65Rh|_y9lZjNprxO9M9s*mKc=P%N26Es93tkTY zp|0MdouGh7j^DewLXo{IE%H>vyYRtR5E~x7d-MNm?>(TKI@7gLCo`FxOeT{|8c9g# z9o(%hOO_?MsCUV7?;ZEvd+!w+Fc3--0!c_hDj_6*>p+%;O?5<=RNcX{_)pZ9r#dOE~|_X97SjbYQ4aXDTbmkeN8NnUQZRF-d{ zg)(IU+plQzx1B?zq>hadr%qfpd+PN!7SSyz%6nknICM5FyNaWUuyzRp?$p`68p#)$ zYZ9>5Zjz8*g2X{0L>>pwC;QF>SI2w7f=NT>!z&v66PatOHY{bvQ~#}2O98C zj?u4*BV}2e(0-!K3yIm09=|&$Y)i3!V^cuG$H7fM2R5Fb=UTW}U+33y$#26IujWg* zwK1jLG@G@POgAA3&`46ypeBf(7Z@NCO#YZ`>XOOzLhc=wac+JMjOmfNip@oV_jyY8!i;^Lsv(%^~; zztU1|X0|*v`%ST0omZpIYg*|R|DquHd4BkOY1VU`L~hLcKGi3swYS_5-Jn=me;D%@ zEIlJ72~kJ;ZY5NeTREv2uHjDlJZH~B)biE}6W*eQoayMe**{|T#Ea{!WgmTfWz9M* zi{kIl0XkOz!_pu1sDQe#B0R#yWrv;9u^Qp za%Gu|v%p^H65~jM_wvybMD@zC&?H;RlNU3*51#4){fMv6`sIr)8G-<+Lx4b%YRe5a z`~6!BDFT2JUHlUlGCVNHkS;0VD5}}gJX@zAJ2C%*ANQOY`{vZoMKb{Km{a+9t9oV&`#HNzNMz2YR$P>(iX#gXu+|XQS6C zuB9!y_Pf~nYnIy0t92Vfww$IXwmOyW@!9#4ckRysO#rE$@j~}O)k)v_i%=T6^7C%U zz1Os(l~~hwTiMtJ9tmk<7mN;BxIt*ydWMW8TgY+V5GRCk%KB^Sx@*`seKVPog79G8 zH*=1lx%TW(Ph4?@E#HH$j2F3OgSwL;&#`e$d)eA;-|2DmTcs5hJpGq9 z_#&?<*uEKJ?OJ(D%h!BozqPia9UuK@_RLaSK6_t1>KHW3BkUxDlRu>aEqw?Wz1I zsj-MIh(~Mo)34I@|I`kXjJ%dOIO}yABL#ij`esa#rnp4&G=8httgkL@zcg~j-rbGk zljdD`AiU+4y6m!{q071KtmpRIg7P2XJ9)l+3Bk4Z)^moYqaiy!b4bft;VXVl_-fu~ 
z5mn!;Pu=DpTbCG;*I3YYdbLaOORQx7=I@j>dtNX^@T)fYRBsP%ct5!D!@#;vLmCc7 zZ921l`+D_+%C+^gI5HJzH;E@gcePzqovLAL@j`N#vn>n6?IhB>+$;JbioxT>wW zWNf+&cq$wua{6uaDU9X`-uSgo!)F1_-v)ttz5Kh#t=BxNk76u1H*VWfL+T$`(iep; z%Z)BEy9&}j%1hmwma|*mdL*gkaIPpt__A=heN2E)Lu=6HPyIF?0`I+N>q%brr<{y^ zjyazM?Y!vSb}GE(w6W+TWojke+askl_t@Rj1&y1SPCjhmdafv$ElmbjC%A>z@RI62 zJo`h}>;#Dqe)Qg_Uw~BV@X^lWrv_h}&xCZ{?I&!R`gII9wg~lQ@TwK?_4Q~MCC4{w zikb34bQ!yam|yFRo*wlXyX8joHgEjZ`p9>bmhTLRMu4YN)^mxJJ zf@ft?SullINM}8~)!*rH=Z0};DB}G2)RoKTQ)z*Yl6scBnQkbd7;-TL6LiWnQM{8X zmCXs%s8acwVkceE8iwDzrQ+{TPN6xv^8txV1o4)7eTlVeinU9oz`cm?<$Vim>b$s5Z+Q9 zP*bljXz(c68Qy#-wE4Ji!zuJnAx{pC1UxEyFbs8qL;=@o@}15iWJ4T>LCmmg?oH>w zkLTHV%(LMK@5Te(OQGD7q4M&B`Efgaol==k(tmFqDqtrCI%eg#Z~V|>^C5lfaktHw^^CT9 zGD<}m!m#n0zV&ig*|+vy8B7mxQd9J??r)6|KFiD{Tw#i%G>xwS?@9(so4uVq9P)FZ7X2`->15-pu0IqGb>bGDPRhATC$ zqSLD0Ej&GREWA92>K3U=+T&ev#;X$63MG=W9$U^B+Kx&Ze-Kt7aO*Z~>@se=sH)v- z6A>xN34Gb{C3e7y)XhGd4wffwNQ>Xl7TfySLUn4)hi7zKb}xyIdC_^kJl|08S#{Zg z7EE!C+g=s1xz4Y?PMTBh)$pDtPyx*(jtj+NWh2=o3fqSy0Lk9jd_@n{gwV3-EJi$d zZ}{1>{wtrRPko!;_i5bhzhOg2TT}R!#*`1rGWOM1e7D!Pv2vb771+ExYTE&0#rscE zRPL2;M{M4a@XprE4;w@onw4(LUf?}FPq})9p94G9mysOF&dv*b|6A>*Lz0Fcooh~t z>o3b1+mV0Mw|44V+Lg8Eg@s3)eRHV_uf4~1UmH8>73JZo_LgglxPk({0#hTw_8Ess z4Ln_*Z+zRUE1b=qT`n;O!gio$bAO8Hdq6B)K?N5OYPe3a*fq9Z9B~#RM|-3b6;*Jn zSekl)TQWoB#gn*H)O$U6m~wy6Fxr#wXkZsH-D~Qu0h|DwXQo6t#Kweu`OhT_pOSVE z+ma6Y-)ut$iR6E=!JJMbjp;ZsePpD2L)Z0?;rq#bJsZM9oVgAt=si3`YxVo(*5@TMP%DW#OgXzi)L z=(W8Q86kbcH=M*gQDzK1#Nm0)A049|leQOBe!VZOW&1ptzoB7Y#NLw<^hU*dE_UP0 zldq#k^Ml&La=yyW|0XBGJ0oj{CmkcpJ%q7tBu&47toNkOegvyo8?*6 z9Ne)j z3$hJo)the`xA&@A(4C5Ld)LtcAusufo3xJ}^^T*b;it|kH^y!WbrKu4)`}YBs;qGk zRUv<9?V4nxh~RpJL9Jv}Z+&fnj803naqxU)DF;vkNEa3q7tov`aV0CPG*+m9IA`Hy>SFNz<0`v>p^8DW2|^&ofKr$y)8zoXn4|(iMIvPW zi^rT?{j#aa6T`+>laFSnNRJ-g|Kof-6xw}a2Fx=*^xewGRGop|v@4ej92}PMoZP@< z%aYZi{0#^+N!P3@;$Tj+Yv$Q|pcWx@6m|%~>H6^4;X&f)(axF;dvA{s+rBuo!d_w} z2({$JIY{$4F66{&pkyuhe(QuHRgB`&#OY7ZA9e~@?;2FAPTU(*^Swv)A$j?CZmpLL 
zZ5?u0tJdqz)fmiiE#%z}-z|qUl^dM0V}%(3*1_`suwT2}O+#BB7u2@TGOW~Z=KAn1@c z{Rl>ATJHCTZGFlO-TdMUlB$d3sLJM3y0Xs%@y-00GD%AH*@5dv+RuO-d%2ynOqVZK z*NF73wt`Z7O|z}CKp9sFD{y<}{s#xXU9n8Zqh-_hady1$C05cK_htrWNcd)6O^ex+ zuh?+?gvva=vWly$;prOClxL;L0Z$rT%A^S1x_+~AawvbKGkml&nV9(!+4UJ>42lMe zR6TQ64NenDpZ4EAuqC<32y)KXB3o5W77_0O?uB2QCQ+-XL?calZD#Pp-kX`j_k+5+ zz4q>NXKH&l};0p zQJJvyX1`ysY47n{qeOJ>&Xsmvpcw>zxRq;;zyl-j5?6C&6p7&K*rgx4zt_ZjbA5uH z!W#mr&ILB#1v~(ziiB~tb%XdwyX69}^i#LCL&i;?Q9RBiwh#0GW{7bhSy~5S7m(Ar}}P0Dr2{? zac|((1BUINXt#W<*|<-)@l(&XFMKwC=C^r&;Kq+)cYfkoS#R#4`!jR(%e-Y6%4Xwf z#SLYM)1sUbB4gj)lD6j)USi?PB0r0uqGugL7wNN?8uK{uEi2v9SLhR-rYa1Do0iA} zB=zshoA-O}IHB8g&TD(GVN;(=d57DEA&Mru0*T$BVYL zzG=%~NkUw-S z*H>{NR4wnmZ}#+`*=VSd$HE8-G{8I6aCEgCw@OPz3TR|j^Zv4Hf6VRM2{Qx96W4PH zSU{5G|M~+0Q{B)VK?;M(e!=lZDH)#9fBS$?k%|j)1qnoc9>`LBixehEB@$bJ&P)<_ zCP}^jp8eeu=8G2(baeO|y`OyY&zQ;n@&ewc-}gYFb&L?ZKE1ruQfnb82CX-u zT}(F+=u+*R6bl(IZ~dn5;`rgrwsItaxdHp+>6cWc9qya1N*jI@H{B9coi^;esM>T` zx#^(C_MhJHD>kDT9rL%Z4KG~gpTJ5evrlNGgf>%xwmK(%xjZ8CDUs2PCwtR7gc_Gf zi;3l>#v7_i{FncS#>GbvMmw0$v1h1#Zr!y0?t+JCWGLo#)Q|UPc@HzBNTm3h` zAKdo7wg38+I!`-aFPg7jo)YL?5D`=vVa)Q7WhC%p*01&SSf=x)gr#cA!6N=u%zNj; z-#&-NTSLV`e!{N*pohHWnrz`-@GRALQCP0`J4b|-pM%d3T&eP!yIyTmin6=Lnl4Sj zPtxRVg79>@QS#x*_xg!5n)T-9&Q5fhC&nS!i!z81mOiK>Pm-x%zK~?r%TD z5JD3wew-M&ID4aZ>PFP)UGIs>Y$xMOOn1&IrPkUQZ>0hENV%iaCXw)cmTNWDDgX5~ z+MX$5&!OXCsU;pkrEe_M+p~+8EDieLle4h+_h)ZU5(6W%Q|)(#*4P;wB=OGLeDFz< zLxfeSc1r){e7<*9$jQEACwq@5L)Ai0Z+&=SK=SUmf*)L)uPNF(wA*ir$+92{xF_7+ zK51w>7W&@#S2Y>0O5-ItZ+n)%6V|jheb;BvE$;+ZWQW(}hgB7LRq<>K9JyugqUyv&UY=`w z6S+}!E(vYUF&mgcSxY2_1!5Owpt~_j5SXrts|-wUNlf38o4BPkrma3=^Cpk#O@57g z*Y7wSx$U@9>boyFr9EjE`e$y^>dZq6UYY2NXZP?EfGiG1Z6b$$K*Z@<3? 
z>o75cB;r_5LCfnFQfHTB9xZ}x;mxJ{Ix51M+Gsm{hJ`u{v)kCJB%v;ZE|fYc)jB^P z;-PWmp4;%<^$+e<12asHBO$w$A6q|U*&kar$i$p3`di`n-*^rFHj)Av8gZ(V82R+U z^{nB}@PYosa~Ba}K^UMckPnJIY>| z$6K_*SX}-!0+YTmpkE)_*i+1Y|2+P?>!S;c&9!V%666X5CKzq1ZDnP@s=?vm@dh$+T-utMm`P6+F z*8E|@mXCc)H6GD?MOQ&^7W?u&z5Uz9t)Dlx1wL{a>*9M>1Q7uAP1HHS77 z`&Xvcy`R77v+9;Fsx!8xDN^*7p1h?7rxo6A%e})^`=xP`HvxL>+4!?d&gay~9X6rc z6m6HqP3QERZ;`B_MW=!qFNf9r>>OIja0?WN`l1GLy!&)GXvv+GESC_TD8WWu2nZbA zkb|~9raE>7%K)p_J5CIa6JLJQwPdC9s&&r8W5hGh&Vy(@csLFp{^04(Pd;x~EAx2l zc(FLgk;J-ZU0(v4K zLUWE1DOVt0`>H8b07VN}DOy~w5dHfHZ{*#*89g+bd*n=lIp;;TOo0T5 zy|R)jDduYGxT<=zdeNkrG-qUJvW*v5*4_XGa`PO!~ZI}FaomW)vU*VNC&n0M~G;o27&-2`Q&vRdyFL{#@ zPWPyEPkuMG__MmoueW)X=LFT)WbgY(k)QRVm`O`?;}>|+QYF+JqfM%cnXl#)YIvnu zix|FBq3=93(;*?;SY8&hb!+VAP2o+Y>F?Au|FC`6`8_GEDav@&QpvIxxi2r$uBJx2 zu+x1R>9MlfRzc}@r?UMhJ-ctYX54%YHv$Sk?i;@|H2#RPg0b|vSMgbC!cMwRu#JIN zv%l>8*on{19JUi_F~gMMoXC-+@#LA9pG8+yU_>&yQEXjfF)#(*IKm=$J~)#@6U60q zOf)4dtR2~06)?Y3#4uubhLgdZ8RQ_U;fh)S*aKG{`im*x%`=w6U7?E%HmpUb&H%BH zJ#;5>s5^ytu$e?y5jRN00tPUfloXzT)-%QQr26`8^%X`CAcJA5Wg`PWOiZ>DL;G)^ zPap4(>$?+k?o7Tdbso#fh^#N$y~qa5jB;>;gIBrGPMk!O#x9~LGV9wu`2Nrcf#LR8 zM0wpFvnSSBS^F}WL0jJ}eRFgt-|u&AyWO^1+qP|+@7lJuwr$(CZChL0-16z?_k8EC zd*_~$Oy*{iIl0LzdHrq8W)queHoN5qek&}pZloTs4l@F+aC z2kr8Ezlr?VJClHHee0^oJVooQZetwf98W>A-E&0hCUi~k@>-rTX%)114c|{lEi0mX zQTf+TGf)Y}V39FKCvm8@TDqxsZ{r(|xEH;HU>ic58X%TB={uXZZ>v6tya(swHVU!o zC*W!76+D7fin8#z|0&NB&Z6;WEcGFYD`qJPM#b8Ki2LMsw*Z%sV7$c)d$6psM74Mv ztDfJ|%>V2)okG}3-x@JV+I|AHzE5CC*W1|I(<(-HLl#*RD*0NN<@$!3O_p}tXi0cv z&^08_unj+$HD^_Y_bg+nN?hu>3fg5{X<;d+A}Y9R zeN7dKo2EmBvRq0*(Fz^W6|Jm-#O5eT?R-fh-=^QA&xzIcNUQ!6Q^SK&8@R=u*A8n- zlcnXkF08cmN^NTll*3e%+qis->|Kl0ZM_VX+3{hxWsBuzkMpMMR^3xp$yGzk6&G0u zC`i6JPh}ZDDC`f!)2|diF}zPYQOq`}2^g9ePENPV&u3Cx$Ti ztUd(Wb{gFk7_qEog2dyjSq$_CWAK;+I5K`3zDDSb-K?39!%aIvEq7kAmgOq0`-ip2 zS>DE#008xEgKCksRpknml}$6eF^r1daS^p)#0q^&UeAM|p`HA{sjwGg#0$ai(GqKP z7WB1M+4^4r?Y)390(COTOf*{Mx3k}v#l7ETYsBNcqey37KpOGK$X0dgCgp=xulu5j>7uX(ebf;wv@rep)lH?S-%_OPBJnxw)fS 
z9XhSv#rv=2+7emMyd+d?-7h7{u=2U%3TO+)%{+sy9nQqMTZef<{S?26x!Xr5Dn=%C z=(P7Q|Du+>oo%_{4Z5-W-ZDyKliW@xj#wv`dS5E~ZgszP^&Cf4oRhQ-_l4~3xGHTs zYlQFxj}(SPLncq(KvPew{R@vNzDszM(X{dZj%mefkk(%e?j?ZFER|DA@!M}b6JJfx z&dG#)npRJS7e|ACN0;r?XMso`HL3c6BcQW^_dUt{tGnyj^wadHW46#Gw!yLT{;E0y z@5a*2r)u3-pyyv$+rPH5>wvOnD$DhS3abVw6j$`NBPAfRdG$-T@ioE+DRbdfEl2Ombl&|63B{x=l0J?3RLMIeoD? ztcO9v{#$pC!TM+}OOt*j?v*?^@#y8BiNi8tNY`C3aq>kuTH-8)W$a{Ttf6y>?WV_cigLuXI75}f%QN9Y%#E`)!gvN^n;kc0HTUJqj0^g! zuvVNb7la5)o{t{9GXB$GnK<#;Rqs_m$sW+$e5B6<<~s(I(@O{IM_%pwJiKf(t(k(` zNEe(hY?^S)PfbRmH7DJUv(AR2R`Xqk!vWrGiQW|dQ%y(6v#aWcTxcE~bvLrEbv-)r z3FK^Z?8_k=D>ucbjk_;gsRpJlvVOe09Gs$AprOVoVy5h- zTvxM>u%W2Z)gYxzZ}PEHS-D+|-ceZ84syCQ4cMf05w2uew{nO;%vqdh+J*Q7MH7>$ zks`c>nw*|eb_;{_KXcwKHGMP`rIEpbOM>z?O^uq~b zNIz|#U>U6R)u0GmachYff`BPG0het;Pri({7T>=auCIE1eF};y5p#OhpbFG7oXTqF zdBo!O0K)(Vtwu(Xzp~UW*4LXHqE39|L#VySsFRr)8VfAbEy{p>G-cZgSSa%HP$92h!kk-hRC z)U*E8w4E}W3>r@1qp;(ySo0aKxxxs5Yd*xLg+Nz8f~TcqDq4~GUq_5s?Qq+5F5xA& z;)ClKw{*-_=Og}sIowoaf3)Tyt8}}NU2#`PIv!vUM zIJqX6Iqpc}2&3+Uhs`Idr^W(-GAW)lJA4%-SjZYvvTmV-CA zIEz9XC5;^GXts4K;2#Ex>4=dqM zQ91PUA2i6V*UX_;a-&w*j#|ipP`}qaQu@u5V_YF*5g1kzT+Mdgjv`hUXHDdoc-)*a z2`xGHuKEyqg||^twT^f4?&heksgEN8^SU@AMbZNdVac!>Ix!WAc#=qOskM6&nGDw@ z5IKEu2MdF+%|Cf{FBB%`4M=uMSs!ULp6T;QNC!Ue{lQj+rF@;Y^%M)!BZJ!$+#?IU zDw=irnqRya?yX3{{$aC52M+G~=Wm5+EpQN~e^UH$fjId$e#cF%T6dX)pn#%D0m3CI z&h#0JNvy@@y%8D@>g#PE&}kmC+gIJZ*xd@F8QZQpTK2VF#v$d(n-d-ZYW7IW($mig zV(KKHOaGikMc&oP`QXDIG%h9@RI3;<1*_ch<{orcG9D2#V>f;ued*0KTj>f+f+W%@yu z8%4D;Lc!HCg8O!)YDI+z^Gu(`oPp9P^Kq{puUZQEt@zR2zAv87pEGOmHK*%eOMUM8 z;ez5P@0}Epx~xw!$mS#uxXz+HybM$8-aZ|P+9(;~Y8z7V$VX5{)_6X6X!Se>rYh-h zQJ>4`0Zf?m0(7Gc)7MS=qO=VNI)gGA!*aqkYg*Z$cKtgFM|qVEsr{L<4VaLeRy-$} z^ayefn|HFC)$1`%#JazFe^SvK-eqHa^M86jG7pmG>t%O}X7}pq-p2G;=bG{Uq2mX6 z1jz$&H~Qlbe7Q9jrp1P1ESJ6_={%9PvgJ2R@oOH~0U8_BzIOaPhD#k6Mb(eq?sdHN zZye(Rvx7<|Ls!PHxHBx2(dQS#cXOteB;QSk!_#ck?O4x&h5|}C+zNreMe`fugIE<< zO7w)aMAM>^KskcewzXn!bg8(R;LrH*4ZtR4f*O(cyE=xPT+%#urToN6BiOkQ3xpOv 
zg(8+aJIhIZCTw4m6g@PWMB_~!xa^bg>OZW`6VD!*$*-tVDlM+W;JyXbF$tcTu*{I=!padWGa;91 zb&(BeaRYM}$=t%ysg2Pse96ovU2t1U;L%&iA!E&M(A0^O>b_Hy9co&uiO>2F;%fW z^MH}9nD+z>T0KQYp|^%JpUD5JcVgMj9CCaML~@9&w1J>OVscM_u@{=l1C0yC&+V9u z@qYfb`E)+A;|o#{(R5{B$_3B??! zW0R(9f=X10kQ<70V30ShtO_05ih>6+k2*bhdcu{&@+qD)o3Xe1ZFc1+rd{kVr{mS- zh|lk$rRC7$)M^xptE3*8R*4F>sGlPscT&#RB8F`godFnKp-5dJXIU7-pcAE-yL<*T$E~r-{nVhyESAUhcUapFPu?^yePs8^3jocw}4K z*(RrjHI6soxU>S0jxw|=N`wthFLa(ASq&*3N27K~y}flb7wHr$HcgaO(c2B}tXlC1WsW z6DTEBQFa2CiFQ|)cPU3*+wVkS=>_7TJ*chDM(o64;oU=p)MJ>kG6^a$3aU!M!$ z)5Y7`^Y5#9-lFFpZ?4m!v7hIlBnG#fs-tdJU#?${ww9%p!xK#!{)4W783+JrgUYf| z!5T*r%Z9BEmOP#5ppq8*IL1>~cs&0l?s%L|uIK3)g|+Q>yTas@e)BewH$>(n2$WH^ z+D;Y+iaHFg-iQy=2mQvhGTuu^Za?-EFq+gjyiD?PhAMQsa*KY=!HHe#h z@2<1|o{8N;=yvgW{0^?eFWh2ozCS|Yt8YX{59>LkV3Y-oI-yMzaTOoA)Z*C6@F~P| z@E5CKPRoY#_CyoSM&*Yku7_K$v6@N|=|hbKP|bj**hZ@Yf*6+2*hXkaL?WZv+?t#7 z+ujmywQ%rqZ~m0 zcKJ*Jh*}EW(`OV-l9-V7VFbbOOuj}oCK8vZTzLQ<6?Rqs^|`dp=eSSFbNcnfkLdL| zq9}rW*%MysL{4W%#7o*UEImXoKX34y+Vp@Vf?IM>Db<`>mQ{hE(Of2bxORb2n;ILQ znF$*m?)ErWdVN&{UwyKRG$_=}{R$Qx5)}Q#N8~}+rq`07QB&V1mK4#4DvOH;^0#_j<{fM-Kw2On`<|d z^0Czoq0muyZ3Y^l0FJMVFI7if7+yLdR$^s>GQ4oo<(|$r8_*O#T;2S{`j)D9l@1z@ zB&1sv$b|Q9OIkgf%F9=oH{;dX0JmOP)qXPbj`(o)rXcd8(*x6vHa#*vG~({0!Hj5W(J6c6y!2b z6O09RsPn1}-iv-k^zQZ?pP`8sQg#T+RV5Kb9wCnYs}LbAD{5LnLzKFiqN=2V(Sy7| z!@uX=4>K!xPVF;Dpq<8lZS?qknPmQs-459v*6&!`X?3Q3LY$@Ja%h1(JBm9E@FL?I zEL4Z!Erik28rMBCXc|;NH)0cw?_WvPj)c8>dcq};QNgw*&2chtLqf=dnp7d(XbYJu zCX~5-2=lh~xK5#|CRH|@cGjLu%}DXCE_AFegt5vlM4417t4AuU4uZ(w=+i^Cp_eac zAKJVJ*ess`K?^`!Mk~;#KZoGHa_Z1pE9X}$mn@ZPUN5#~VN9)>aGNVNobw4bm^ufz zo81_`{0TZp_2Lm)1j~@Hmo5C4U07A8z681eF%9a>9@4uAXMth8oqmBh&oYWx%EvCh zUqDm*pcEVd;!hPC_zWqFqnk6ea8w5`islkuTop&|qKaifK0A`9?Q!2@`WWNT(CTga zO09evsz^*SddV`6=xg0Z&)k;OYf03V*4b3#@z(hw`yHq-P1&?7)&L}&jaohG3F8HT zftB0_w=L8RqAZ#TIvl(sda?Q--~XDa&(!PAF7QXr^*R_fv%8A-#96)TqRCEF*w441 zqO4&0>n9L5d^dJTVL;UAALk$FF9{}LsAzJAmbzB?GRD1hS>8HD8~k&s_)f6pBQmFf z)6p&T_uSC*nMoml3{UD&KH<<|tPNzvgdDLhDG0c}MJ*w)-4tVjtAh+4&dyjQk1CH! 
zO3=n1m{FoUevc$bGi5R{ACFs}V%#O+I1+tWMHqJ(NuJJ!NTW-Fh~9??LpHUKrAXNK z5^WvJS5|qcUN!Sd)lM5*+Gb07h3IB4y;m+-WZq1JGC^R*;wa0sUs@2|G~Ff$bWPXX z7b^eVo^7uNK+?JnJKNjf{msrls~+>+Tyq2EzcGv{hFkNL8Mhi5B1GcgLa=F~v21hm1-L2fVAz zx@*(7WHdGHHK>V<4D+X}l-P74XpbZawfk9#G(`J9)xIyaGGC8H5_Ko=>~C_NT{~ju z@AX=N#<+?5V*xkmRo0t$eA>IdM6AdfY6dsMUK&R=XdRTe=EBp9Rcz`M90uEFr1f6} z|Hds@*W6UoSMIT-Eg0V12*^$S^uG2lj$wl5jRS7L-=T1`H>R!@=CjiDdVnccd;wL? zPJ!#n@_SF?ncb#-uc*33$fv^3_+9-8MO;*o|7=ZEoSmQ+H3Q(xEW$+;_x@&`{mqzG zJ|?=ctPQR^nyW+1plb6|z|7+cHDEqmH=hW+5^Kh^@aw6;K@HslCsZOHWKl&pH|1Dk}~PJblk%#OHZ;w9a-775fS9tP25>`2DkfV-iQa?V|JF3aDg{R`;b2_ z>zfi07uW+SF7jX~5I!5TyMvCR1d>=GY^{4baa6Y-c_O_43ax~;Iatj$St30F`xp91 z-r*pWP(6c+g=>O_xbDIg*OyG4FAyMq~E{7%C6**X$`~5U;>xu!qE%{ zudikF7H{vasR;{O>HDdRN?U~Zb80H1PH<{tTKbI2acSy*30FxCGi>hB$-ie=(2!lf{^jZuu-zA9sIDC8_Ho8K6R?bvv@-&1 z%qXZ+_ptW&DA_R|83k4elL^I`(*LM$tx(Aeyq#i0MnTW03n%?Vgilaygs>eISZpI~ zUc$OfwI+WBL_A_K;RTUo+wbxEHShh?Hn(%NP}aRdxkQmQjagnQRx*n~y~zCY?Ylko z`)#&la~_Q!M1|QU9BYGpE{DmT+TM|(sd4+n(+ff%{<((6DhC-{t)y#Xrn*lp)uuEs zHKBi~8*!tANpf*bm^1wB1_ zo2UwqihQzYZQVB#K)7$Jstd4i#t_Ls3rIj04&U81<-m2TQhd7DKy? 
z_>5C7F__a_%3zKoT054d80PTX=#u^!;f#w+CNJYn?86F;&Y&PDJ`JnuvLyD?Ibdh+ zMh*@^X0WX5J_Mbk*r>7P(<6T@;I~!64XILj=Vi zP%=Z8aNZI?dw;%^#!=Z}Symtb9Fs2f(Rn2HMI2OKG~iK!XW4BCHzy)$U$T54krJ6p zy_j)){TtUO7>z1jau6Z$3sY=jn*`sN*`D`(#wE9YFAoxR-e=ImgS191X;`LaWu9_I zD%ZknDj$dWEJP-Y_Z17Ffhwmgf}XD4P3~wMkmEUiex`1tuXo%Kfnz-`34j*X*Btuy z9%*XG39zDE*5ip0RuLC}!WF7VI z^kOlLaSjovJg}fIGqQXmX@d7X#<{7-56lRYh}nv`p`|G4@;SP^5Gqhz363haYb2Zh z>g)X2Ul|d1$pVT3$!~9=u?b2yQlo>3piqJsp{SDR>B$AQM#i_nMjvhYWerx-q z;r1lYy_ehLy?vFon`dw@k}r)UgWc!jO$lL>)f;?U7+D2eGeC){nkI!Tuv%_3z#RA* z;E3QPX@a1qDa^QpsfuS-c&kBeOlS1b?wYu{7I+-`@?h#|6jJMs@S=h=#23IJvR@A5 z!-$?_2qBvQ-afEQ=%jpjlu$(95bQW|-xrX_1^XRY>wNG2}*az1P=HY9PG~-g*)$FJ>Og4>T1iuieu#*Mzh2$4NVk)tg{+ zZb#p`uA{_$&3z&E`i-5?YN>;BN8~1<8i^E6O?Y+Pi#$qW38P&7iJV00);JchG#Y>Y z=!@@T6kvsHBw9EWCaBNW*a>}OOH4!Wk z0@OT2#m$1#$SOFKl``?l1e@Y(>u^RL=41I@mSs)GUAVS30%P1$2im25xciqXA`tngVlW$b~@V)oFJAK`|UEBHv=x&SJ>UM_U)=|D2@O(JA zbK%tU+Wz2HyD=|FYBnZJi^z)k$E*F^)O{n&>?|Rzn1xeo4d~48JMw_OOVUMkxP1(e zT9t6Q;Wg#V1=YyU(+j8`jCnyo$RxR%0TsGVltKpQ_Asq$8aLjm7&k0?AgpnU!Ps&a zmqb=q1B;D0Rs+;bYF398RcxyxL%cWhQ{Agl6M_JF7$%l2fI5ZyE|pO zGrwhg90rpT@OPWJ5;gyx9Z>#EJVKd(ft7GImXMgwU_Htqu;FN292|PB_s@*hO(nkB za?Z`UC5HOW^{vwRO{mlA+AM(8hiqI>GN`n=UJ+rl-5@w1<22i#SPV=AWeI!A*wgR> z&D|J~@Apg_!NmX`B6E%|>-Kag0ZO;)3$^Zk-p=m(GK$IGV)GkIOhA@Kqb-S&3dKCa z#zXKSrJ)WsEb-;~`)iz^&e=Y^$YE8vtsYL#S#?ppEwnyXp68P#yRhGixe@b(zFrU+ zt-AenB^1&(OorOqqI}!iiBK6Q+?phUK8{+)C!_(QnI{Ze73CqM7^)L28T@!>HPuO7 zW5RtVzmf)R_iK&y_Rm_=Lt|-9?#*vasO_hjQL_}y%5Nk5lXg*}AaoTAjC5F4%uF>x zEU&RwaOuQA8tMYAE%TLqXDg3a?}}zS+?$icyHj@3>vuW5csczSLeI%?@!d2SmN9Yy z@lWY9c$o2~W1b2>x}5V|8g-|aVIAGRq+<5HW`kJ=Hp%$`pdo5hADc9rc@O2a)lux; zY+jGny};H3V>)Mi{b5IFGpa?b5N|7=l4`G%V6tda3Ik%W#FX2^<(PfT8oKmqxx9!$ z`^;X`>-$jltCV?kCw0_=Tp(+Wt{JhS1%VcF)6yfHV08A>vy4~_gJ`#nI!S%jmMb44 z#!1!Wk>gShNto2?=k@k?T#lSSw1E@>j9B;?>&o=i8sfb>!82Qql*!&s!TYXCEC}2?-X&KmkIG} zi~BW}uGRqF*13k`8p#v`At01g<=APF^aVyFs=))xW}FrRteKHj&Smm573kI)sB8S{ zF8ll5!nsH4FGA8YDMfBD0LN(Mg?$qY+>acgw)fe`NoSv+3eL=Udm71K{+w!{5B;}t3BlhRK~In 
zG7c9+iUe3nvR7K^ilV%6wS)tw5pTt^E%Loo^TSH{+%u>b_Ig_ zjYm|YQYi;b;O3BoUSqXBZKJ--BLEUAS1~p$qvK(8ks`@?J&!kFYw11Tg4J_8{=tVq ziVTx?gq`D9*GiaDHb`LLc@PR`#@xfB!6MO@6$NT}!}H!&H&exH17zeHC)mHHn-S<~ zO{8D{t(4yrw3lIP+nYlrp<&z2 zLb~}fP|gLY%Q;0LzILB+ZHwN5A~fYA2(#iyZnJP8HaL+L!zU*DJqfG#S2j_H5O?U! z?4bN>yg*Xxadec;&HPVVhPmWiG#FWHyJPzq#9+#4W%jGVv7GMBQCa7zcc|B=_;s*+ z6vl4nW>#`}-h$dg5Dd)fSo{!BoD7+L+hS@uNO`+N12!*1C6|}kZVLT({?o0-K2c-By_W1 zD8%aV@FrKIYlE;d5B*?XKdlvqBCq&3$^>J|?1Z+LT@VPublR!a2?6*5EsF>W#ZsPz zonsUGlqVp{5Fg_eQ}$IO@VtJH85gIq!aK_L4GDHi%$a8 z1Ut1KX0H?H@hWF534k~coAUlD$o`Vw|9PE`qUXh#xG)s-Z)`(7e(XC!|u4PQ-olF*&-naenflD~_;GTt@_2m&o*;Md(vPR`sgy&&rFb z98VX2bn!FH){yFbi?Jj=@noP4b_pChcx($9xx#Vq+WNTuKIX^Gd{kZc5p)@PFGvsQ z3@bFya8LMjcmiP|U9QPE=>di~Dseh#MLD$+V@(S@6=`WPTciN6DMw?EiK*pHc2+;9Km_^X~?tW${GQ)txAE6TNv z|6H1&WS2~S)tdeqB+Gm;JAjg%BooPlJMraFM-1nP0nVj7_*MEG-5(R5Ai1 z2x{0$Ls+Tom$ zRV@dekuKp}-#qnXmTf~3wYZMgUAvyxCEkxoqJiE;}K^{0>)P0=bk-HTl1`$H)uzFi<5^$HG=_B zaPKiQALZ)-U-^AsgtPOmC-1AOg{?+mkTzfra4kNj7~ucf8zUaVHE;g}$L?B(#y(ohBA|!EzdlWTH^8?aeP=;7M78yfbBFRIjdt2Hd6VT6?S5pwFixh*Naf*1 zIw&I|)9!#hIu}s;RWX;{gxJ>oDr7q-A!pm^Z0)XD553{?gJ0CiQ>q{4qquQ2t_!!9 zV@m5_nZq;y1Y|b>H4~;(#ZcBDTV5#08d;5Ru`0*!TTh*oFTQ5bwD5q}|6($d!864k zWR(ILn$bfU7tK3C8B+ve$SS)XFXa|(5M@L$n$hamrHWuz#hOMUZ7?|_7(F}7plKk2Y%_nAw(kS_%BQ*?E2aT^1XsX#>|sPVc@_w>fN4)K zj&TZ8IJA(iN9Cy5oSP9YCO$<8pl(WZ-sNJozoW!)z*+XphYWH7dZVv1ntS_dRIx&RA8V(I1A2( zFa}{ASv2uqGHMp8CUK-aE&Zaq11T#^B+DwAq&VnTD#LSxKt2vYp=zlFjkIz5kp`jC zC|)V`Mc6u=rnQHCk_S?b?h!F)LD%3?;;8)#mVE7xdyigeORftr2dv8+;6t@zD;yrfilZ(2TFE-_PcfR*y_&h z@*Z$IF^8V+%E(-jmmp+-h4Td4r%7Pp;}?mfiK~6X zLB}!mZ!4s}+Y+D?<<;IcKEOA*z>n={&!+o5U{qSsoXol=d5(=0P(oEQRyZvR;S`=& zz4ApHy1L`+&d9%Xd12FXfCoIJ0EJ)(P+0dHE$>`B+Si=Fia8A}+zb=9pX{#%EXdDY zeEWU~n*lk3LxEijKrR1Nhd#LyN0TMtKWanXK^Y!c0M19pH+K*_ctY(uUi6s}wjO_7 zMi7-yg{8~lWjE*IjZIKICv|XZaWJJYwYxIKy3B})%QER_j;sbG;Lv)VNgOYtr{5Mx zx>pp$QPB%!;;%dB5x`TNWtKDf`D3IJ@u6E%7mrOZBo!eM>59bz7sM`^KzHy1Jv6Ef zYgF!2oRi?3%bwHZ;k9MZ2*lXD=E#IQphp6To08rbnJlA!t>7HVMkdyA`A%;Ku+EWd6TNs 
zqxCvo$~Zh+F^6=l-D1~c(r6#QP1PbKmTHwQ<>x5U$%Gt4E2GM`-cUN_U&N@IZd{|3 zEvLSsa6|&hno}MD6NWlBiA0-}cEx(T+=v~aGN&8xgz&Q{i=v$ZzXdL4UN6#*TYut6 zomq?ltESoW7u7m7b9VPVf3#Q{S~zeWk=!W+vY=%2;6}$uyyW`2`IcKf@qMF`?BQL-_pDfzK31mzfbk=R$vc0pa#7N_|SDQ<>ZqJ}gQPvS#%8kX5Rpfxu45D?+Mgh;#9B!~codziTG3R(1J}{#7q#%XCC@e1 z>ri2x)92<=5t2!kgBwB}3|D>`5Vw1S*Kz&baqLpcY?w#x=UA4UwjnQ*OVX|_=;JRO zA&pChP5y@V*E4p@7@A7KBU5mijY}?oY`@W}3_E=-+ z;hlAkP767$mJV^K8wjRn*oL&KGp9yJe&!>9xeaUm3 zC*E&0=bm)sUbSbC+}@!AU~cr5RrIb!^bV(b_XhGzcXiIL1;&mPcBXBAu&8tJC@=9h zJX3XSc!jH9LNeY%&fh~VAwsD}@KxkvR(Y^!f8)_*XO!jmXsoU#GTYPN7`i%s-tIPnzYiFZ_eT<@THws6Ouj0lMF7ZhlRFEh7n_j3+%=qG5?kGm}=v2 z6LDgMMX;Cak+CIzTG&F{q7a&&x+`(!`VuIO1`YuAs` z`qXjlwm5Ho(*Hmm1YhUbZ|;VB{f3?MFDTNnbMCB6?#m_bO}gGq{>9tg#kH`y4@B)N zydL~8=H1i$uW&c{5of&UE+?vz8^FYA^;Y_qC*Z>dV2LP*OTaBI!N99K3(AP5LLK&NP?L0oiiQI?~#@90sihZEL;gI{{p@NIYh>k zPwpEqJ5B-i&M%BVx?8JH?P;uNM^_y*wXpT3&yo0@Yy0L0Y$4RY0b^oo?BwidVrcW< z$PQo$!^lX$K=9vyhlhY(#lzl&fL=o$U}<9HOhB*f0&xDnJCZhrWoL>ulm^Z)a`jY(n7d=wbpxFKlOR=csINXk2{}_I9==w$20`1oSc{wq`%nnb_GlnOF(v#Vo9UsKU^T{YO^B#K_Lr zgn*9^=6?_G4t$vnnT0ldKl;g^dzYS^B?yd867~mKK|leC0T~_&CJakK@n@EVD@r1X z#0UTqNg^N!AS!Td^%5E9JZXFU*4A|!+?u-F$$!l;yk_3Nyq1ywxm4AcYkgfNDEIU^ zK)$z-8G4PG8|fJ*8`32(5)-ybOjzSD$w*tnkD1~>8c0uKMK3X?&4|Eb#9+=br0I|% zZ)N+Z>=xvd_)3EdCBXsn-Wwe1lHEE|bnRR|dE}4emhWPSe&f%xJ`#J`p~Ofr0zX{R zkdf+tPXiJZz}jU|GAP`lXxslX&hv@Jh(!(&sgEc{j3m^u%vWBjO^8TOrZ~!OsO=Q# zTx`^^N80lE(;j)Qwl@h|S)G43ifKo2Tjfkn+viXxWY{!^ZviDI3I0{ohhNhgpqFngm*~hFeCrs%!Ocg8)Y`0KOwecOh<0;1Q;N(^@bBB?Xy3}wC zKvTV{$sy*+hm&kr9sBgx%JPi zj{#&vLj=r11ZXYcp#fRGUg63yoh?I!UA6I=+uO}$u_feq6>_?EO?-N~V)Qb^!T5@p zF|y7xr`0pRTk|Dh8y9>@vuQR&eL7@yYQ)ym2yvb5i7oTJWcMw7y4O#7mrQ+r(m}UI z?)T|<$Be1&=z(YSPK^ycZ|V0I_)7tmjP3Le*~_GEVQ-3|-?B6wJY)ZLT%Jb7H$$Q+ zCL1P4^gw+P&%L?ClUAJWR^725gX(~E$p7rl5i$}*#*nz~9X+q($sYV14YjLv`I&Xe2$-Q1~#Ed?D=^d2c^P_6X5#WgMGmg z8zeZ6U>x`LVn(8ci%Jg>nb4}x*P9_efnDyoUQBc@j-){`@De!Sjs~{g-?8j&! 
zT)%{OEWJ=PTm#@$--ZAhA*z>rjzu*0Gqs+G*L zVXZEENKyDwP4>2QiDTy~&*at1;#Hc~y*RaVX1WWv{!GsR>6>yjr{v@wysefom^nR< zS7VdP={iL6%8kJ+?$#NzYZznA8fr1hCNb$5{>fjgmsBbJyF|**)sN6;^I!R+)98D_ zU$J=fR?ii%W9)3dX8}9exDOmL}0y15V)C= z{D`-MY-J0O#VyUg7pzAN&otD(B_17(e8S5W=3y0ibjQjTz91GOwbfk)pB zUSwbKA5SX7vp|&B7pk=?qKg$&0uf$8!6JyvK7JlkwSzh0zQ?S;@O7C>fP_CWp0}Qw zdr>#n@QtdUE-PvqF@T1Vc{wZWD;zUdA8S`1%V!zJ_a4^w-c}eQO9WcxQ1#5giz#HZ zIktJq`cE=f3jgDOgMRzx3!&W$xy0HAmwKR6|c!#KRvQ8ED+8+^{yejCNGpJ$D$pq7o_2@JIwARe-5xk5U*E z1UN~g8RMA6Np3#~CKKlWYrNbsRGR2IL3v_Oc2NOi{)})K>EAGec?2!QEPUHCuc-#H zfN6{{4vy9oQ_?i{=1d?IB#ZMTOP287%Gm9?Gzd-qC_gxQ?7Kq775|Xl>jM_IE%!#V zjCKB9+^96-3t8*fa6Fb#gm7dM?I~RD=g^DnM0emHpS3bmID;^O=b*oZ_cE4!J;K)H zDbw$l!qeEYTUqcpoFH}6C^Fv_S~8fjCY~SV@>uiJQPE>$)~%9 zjFBjgG=W9I`a|+MyYf^tDC|@}DIgqonEoYoL8Mo|+@V(^I8;$j+8FnFHlESY7%MmX zcY5|KVt9a|M>nm}m;_S}$fm&A3-hl&Yv<;Cx(iycQvXT?fsj6CeAF=**BT&Zdz2kg zc?AM&o@owzp%jYvh5h^JxEgR2;!@2dauLL@<5n6T#{aC8?*mjE^~C-^EQd1ldJQH) ziqoilLlOn~R!s@c_Ew8?NjM4+d1K~v6*9G_Q?frc`zsd~^B|xL&WrZ`7)aU3!;k)L zU9SF;Y1YqsL(&O(v9H%Hk&84AQ>QN%0ljLlX$DcyhO8r@iUY43?D8Yg^Qf(c8M6x3 zHG8J8z_o%a#{(PZl=6ZCAy_&q8z2(ni74cRn!0Sc(p9v<{kx_ZdxUTUMq%0D!>Chz z!?6tsggMDs7wogGw?qHm4-z~O8>|r63)}&7gl?Z^7+@z;wHZXT@kTS1`D@OLY)K^m zgP9^;gqNYNEKZ_u#XlDFvALD!iV7lG*GI?vFnD^+F5Qf$z+ab)L`N3mJxZUBa)EQh3DC&!{0H%Ip zZWFvPm7z*2CAnOQ|0;>I3iTz&ae8v7E6gvE{o-D@82MTM3p^_i*tZytEh+vs_NN$m zpQ)%Wo)mRnwt?PYNS_~=hEI-p35GfKyXQWyp>SjUlt2j~$hn~a2@(bh3;Cpz$5L6b z{i01eg>tGG_k9@qg(KX1Lc8z3&(cMMr`!)dyX)<)hHe4R$IH#m(BDg!8*5F!*V=$h ze=<0$w`$_Lb=zHrjcVO=cZ6% zC(zQ!FbLtG72F$(9P+Z4xDjJ;iZ;AjgBe>5A@D&!o^ER26Ppn8znr>}>Y*PaQNG>p zvvY#mvS3yLLnk8lVv&YMll{k~OK75dthYs&G_Yk_L2WPp{l4-YdF&63*>+f~bv!DX%wRFZWYA2nbA#bE-+U)B^SQey z7}fui!)?*4*iEn7#GhXG+#e(8W3|5~78)~iF-g)7g+MsA_*XrrILG2n?aXZXbkWw% z^G|wZjt!gX`5PM554{Gr(c6P=LY{cW_6S5fWkzzUgnJuL32R)+(dSLym4GRf|@ zPbvNBcheixwrjd3?OgR(CS?7 zC=9lwDRACsfOHXkaj;O@_y1+)cjFcWYjU%h(va=anEOQ;fCCg9`2#+M&y-_&qGd@Y 
za)S~yH=#pKMz0Bh8Wp4iVj92k7cxm#3Lb%l=GtJd!6XJ9^#g%ufH?p4kAB!XB@6{lKm;(B~oyUzQp@~nI%R~$Pze$qOxbuyk)5SUNRVV$Em#xh<<-AHFinz9antdabCkK2pa4e!lN? z|F9hU$9L8C_I@|5=$rkdx!nI#!U&l;Q0-(R;9KPTJyo?iy@rw~MkRLic;U1?C$=T_{(t&x_>n*Q#w%yGC)p**RMC175a=o?w*SO0k04vjZaiuuhgI19+ z0gA()j1g6r{VrpLYu(P6vN%v1Xoz6A%6&_8wVPNvFPli8Hd^#~m-DsmJ>BUPh-iG7 zSLt%OdeBhBhy6pf_($>NIgf*my+kc8hgGB7eeDud*UM)pk?;MDS&kjJzSqmcgr?Ah zzOWf{3pTzYT=&yoZWyGIdcFpgY%<PeeYP zJ@7P<*V~04a?d`SNNlE)k_z1)Q|;h-ME~ktzXkn6NCIAK7aUa`bsCG-IQ3dOi}AYqR~I57oXL z7O%{vtHU`_P*x&=Z;w~5F_@PFEXG@t$pY=gn&(|cgAr(8p1Y%qQ9a8~f&+!&aluXb zY}gs_SO}~}<~@yPi?(ZB1pR1u$hy@w{afa~H|$8&@l@k?2Q-nM$XOCU z0!?9xP_k2SrPlG0V4Fjd{G0D0Sw7*e@MU~bo5`u-HSMO>W5oHF;G^btn_3# zb1@ySQPeB$wj+}~GUUqV`x+u>^3L_zyFEpIVE2x9(4VT#OI|gxDV`J(2J0s2SSeFK9pG#q-v!X>jU*W;ERN*h|Mw?Sl50}vMaRNZ-tM6o>!;Z?xz;ryh zQ|HABkJBU9syW-X`;PF!aiT?W$d~8WYO`b4d|+*>2Bh_J%gKms|HR*V>E6TEyZbb7 zCG-G7h_%smWCwWeEP4!nHYvNni(ibDUSnVz8If$7Ggz)#mz2KPaF*-0ETo#FFWX11 zTedAk|GjE_yHS{lkYmRXVN|S1x&$rHUmgF_=PTwbo0mWuNyf4EgK2DgnVgHdn20Iw z9+2Tg$d@RaLP1EK9%L9I(xV#%3EfVYmAy1?{M_3Y%raZ+@C!)g@KhjAzwL{>u&uTq z#!$!P`+A21t9Fn{rYB~RjP?mtT@DM&L!5!*20^*qn)rOI8;5;U>^RPkv?*6cJ0dSO zK;5lqf4`*zKJm)~ogb_Z`2qtuq;2E&opT0e7Kq2Rd`< zp$`|6>m~oC@$$5O?luC~rbe?(U=x#zTj98s_bUR({qxE5G-!?;rs<-LTgU{&VSksV zs3udx^&%HERfrOgNRC_tro|xU+0^;mK0P%Qz}r4XLO=EgzKMxM6>752tfuCq%JlDG zqW=G&)oKB-_0MaXh-u_<$WZx+5gEz95xjkH_reh;E{qsRN#=hYYg#&{Z= zdht{>YH0p1Gd$Mw$_(35uQ8gsaL!8;>=+8K@7#I z9A;x{PAFBAZ0Y3WKV~#G-?dCxu2e0+IQBG_8*<0S(jwK97?Pzf^$+sazqYJWk@e0F`^8lJ_(P`pTV0y4i&j`YJS{UAWBF0fJj5$@<}>--AqL>~!-ir%0uEI!`Sm>a&+EVDt3Jl@-wzT`@XxKqy=ExgE*M*`MHROc zgg)-6vOUsOo%U$OBU>Q8@;ew?dOY9L%(7qB?|$=W%%YUwg+x-Lf=eJrTuF5bJQl%X z2&mf&a$0>-59hjsyTmOlG;jI2c}(&IXYu|7&US4oZ*PBXGWjF2nx*ng5bf9p^uko| zCAKcIw4e;zcR*AeivOKaN~9#Guq-HKfwKDyUg288 z*RhO-UA^FXH^j_~2|F>4n#kn9TZ711PEZus_<9gYl^Yq=6^v~NVb6@n zi=FIpwGzqM`|jRqOf`MuMX%k2f61{*#UB)-%;bO2C#j+~Jf-`-)5K@FfI^)MsB(P& z{17$lZ85x`{JNp)K|$iQ*%gvw(k=fN9Kar*xZ9~`8oHKmLwGb61ZRC&$`8FVA5$ci-o+8I$8%C`9cGf-X08|66jP% 
z&NXO|r|EM<_tSCsg>w}~&Ip&A|21W`SAx(;>4Kv(*#T}VWrPsVec zb$@wloy@6=eIEdEE}WWCoi7(9MYHR8_kWRku!Av%D5*w@}9PS^7;C_<D_aiOQ2I?Xm8FanEP4$Sq(BZ!)J!fJizeJm}1 z=E#vdwC{sW(7H`AFn>kn)IPh634(RD45RA%VaOwO#s*b5e8-gEjbz#{=>H1hG$)wp z9F3{{qjCI@HhGwNUp}R@DG4&jq2({Qvomnko#$6;BlHDhz^oMeDVd=Fm?I+ki^;pc z+1vg+3^)|RV>zlM>QD&JmUj#uGOh->ZwFky)QCT=$IHRgw!YIW1(U1CAOTF7PHWj+ z`K69##q)Nat>Ka%xzuz0j|@RF+b*wHI>x$7fj8nE-**{5M-3P8NhJXSKIfYTG)18O zJ61yXMACSJG#VVi0=^nBTVlCjGv99)C-5n51w?q4-G*5J;qGwV0?l^WEv1DY%I@?? z$UoreddzYy#e8>HTyHPj(- zO^uIEal7Pw$Nn#hU*#yw;|}1NAZQdFb#7MzmneE>4sIy{>BPjr6cUKGT42?&nZ`0A zByuZHv%8@r`<14Nv*=D zE0hNhQA0pb%*Az@p+zV^qlF9-Ih&4|&AMD^$Z84HFVu@{^Omd;aEKR2A4RVcu1b@U zI|T4x(J-ZP1dgODX)uk5MyA1Ajm^Ds1}=xTZ!<`fV4Ou5L)3_-q=at^ z;_HS;-GA(>1dMmd>(SFJ$DT?{gsA-+K*RJxT;thxq^5k8GY5(8Qqw1Lc0Nk&r<#v) zfMaNJkrSaSZt=T49&rEt(K`$J#ORp_`NNMpavGkf zycP6^V3E+V`^~>3?bdi(r|<*b2@?xaM>gq5K!26r$e~VhR0pHlz_va*sN(yO7vGA; zgxwCty{5)MjT;jwIx!^@9n_WF|K z;CVftGUy`H551-9iCnnGH9c6~db|K9Shs(bFwHT4{0bh3VH{?L#FQP;=+;GM;(BJ5 zO)-*htdNfukK@*qGy&nVXk7ekj}_bQfK3azGA&Egk6;XC6Y+|G+vKrZy43c#tqzTE z9)w^Ro;LuRJ&apYX6FJb2t~Tflge-8cfkJk2k_bJb=ghkyo7pY^;G`WC-&oC3sDiEx|;j=|S<f@!Shd?^>*c;zg-PG={>yC}?PT)8H+-d-lIGNO6`VVdxK!9|mn3F-W;6V^OvxQTT*Uvv?q+baMtY%ap@(hTIny@59mXGE33{9< zo7A=Hjq%9T_H1+!pIx3U=0rN!L~Vb74_}3}-FBz!YDZNTAg_LUU+C$D1aCyB9mepz334@mK$S2es%#?h(Rc&Mr8>fj-fP4oI z;3{>&J7sv3>BxAF!+zN!2F{nflXA?loqpwgtvs3Dm^rj}kqb0D@(YS>1WhOK%NL|i z)D6Ls6%dYySq{*21HaaS`+=s@;%yQl_sR@A9uLd<1#nUxo@=_(YjIw5R*E3_BTS#X z^o}l{iBbKv^YkA=8JmU@s{$SOUVEGb%HbaTmB~-zhlT_r7=b|T`ZofNgqJ(xK zn;6aSON97Jr`&qwR!!(;rqXzj|1Gly*D@RZ$f!_H_Yn7}B9gI9<8CCeohJL?^s4L# z?6d&$qYS)(VW&LAz+h%`f#k))TpyII|ANxAiMyd%(dZ9S zSJDYUCu?F9sjVSQdZx!ru3>w*t;zizj?PC(QR|Riouv%p`ajK->mLwdC%j}@?12q+ z<#mZ(E`{(AjZo%U+ z)L}RPYKXz_C>oON%%t*bzh6ZQ!oc9-ahXBq5SX^S@3G(~Ow8#GyU+Hvh|yD+(Nl<- z3>AcGj{e7BKyG+^w1&n%#~@{7IJha7+Zr!mtx8prlC6qOCPv!1i<`!ObPq(d zpJwJfeZeIOh!D4_0QJ3WGG@4C$5ZivjB%8We|+DD8Qj3tr%ua~^xmXS2)YV% z2ShXhELL>R^$XnZwLSaWVPf=9;Y@(Y>97G27EM*>cMuVrts2+fErU_%wrne4o!I$!=HWZ@z33Sr|0!tMN 
z@@pMQY_8)>8CuB5yYC7w|8@Mu%)%EkL_K6KMk09pxmYoLb6p_qh?yQeRPV*Sq8Ol=TCugT$XdjPj5n z7ON;>h6W>m<(3Ow^Ygw^z&!aAys`+Jx9UEwaNxo>w{+yxK+;L!w$vdZcO+_-<=j-q z8P|X2Rm#VGU{`m8+?b$Lm(X#Jf2WiXiUW0lP3P}M0C!&L~wjW)`ox8XF zm?V29igjzFrL^9$82e)RE{$>NuKykzrlsDs(1Y`Ze2BE0YpsjQCfNO+qKZ|0c&*F=Us{t6qM}R82I21TENzI!dW3}^9 zg&Oon+e0|e#h`hqO8e;@?zf_%SW^pLcb!J;=OMyKF*0rZe&UUJicXinH$&dX`BDE(35aZQdPs3E>#wmnLpwzF5mv#Q2m(hK z4iOk#MY6Io`ioY(wSXJxiZWqr2kara4nzMJX$HDQqUM2`0!lCSJ1XA|&jI!3)E zHoA8s=wPho1RuoRAgu3qRye2M8Zpjq@Ffq^UzKO2=sAmg1<;Nu(=?H%_V9wptg;!P zz6laY#F1rXn0$;B;ya>eWa{2Zi|~FtPmSOO#zykR+t7W1fLhHk2;D=BH?=-3Hyl3~ zHlgCL%Rbxxx|$yfvy6KXqCnbf$5P>Ra+}O)K4Yu4>{KrmS*glziky@>C-N(}J&2@& zO_ug;p&Zic(<@@3;j+GQhu7Q`{MZ5g2!5Y6q1zX&2A32e$jn?z<_W?r+K^oPl*%8fPYNC=9Y0 zXSvWxpY>+r;r&^W2sA-d4eK;KppQL+u@I}+1H-kD*15O;waG zCdZmXm2|n_;@vYTDoN##`pdneSfzB1p~akA@`6SjAyQ8r&)!uN+juq?DiW)E%mN=M zVT7mx=NgNrbb$|oPe6n#io{2~=iJ!It#$b3en%zx7_M8RQY!%DD;ieG(tu>w0B96ovmaMHoWWb=rq_95v z0cxKoqd|WMZE(Zs-?BZK-xM~p=>evphCyQRJvX@}JxF)+ZtVlR zg98vlaew1U@OoZ2i6Mn{0toDN9pG-Z`kG5KBc!smU8%!(3LvC9RV!1oP!zJ)J+1yL z+1-!L+by_W!Lwytw(TyK5nGO7cX!h*8u)d8*B8OHwab2dZceiUgVsGW(U`?YLEvWr z8H%Ab$^*X_8NhUJxLd$P^BL8)-e|?8Jlw?8boXY>L#JM~UW1GJMS2gpngBo@^Za;4 zpk8rv@{hbCJNc!_+meOe+?K*m0`jMaFYzJpzRY-ZA1?GT z>F&NS%Xb$#^`&?qo}~zOkn~^m=aXK)cK0B<+AST-dGU~^6i`jv0}sb$ zFQKE7EoqmFqA8|Y-qlaq1NwYy9OH?&r==+LhQBnY0pu@-1<%{^^FPXR%|3DhdC!Cc zgqG1FlC2(m?^&rqK&|ePQBj(k@B0-TIRnOt_#nP6Bw{!4G*6F38bXUkW(U9L4HK2g z*LGjGN5WQYe@Z`J_ZLFhauxb%^Cf975!deS@q)=O)7EtQ7wsGrf4>{e1{`+rj}4K9 zZ12Yv4$DPcUTX-~AQwoA5%Q2Lmc7={zK9F9H!SEy>ADaY1BAFI>39Du@@+almv?`p zF+8egVfA}hEU5-BdYl#s!n=fG)tzrc!{;ZNUp#B%9eyMxy7AbD<%pp3{*F}N-c#5! zb;&GvOhdu_YP?FRAx#b1R%*YfaLRMcFRB)!p?v)Saz!)4r? 
z?GIM=iWaLHlM(i5hMH{OlG5#lBxn4s#NyEG7-%tgfobCJNemOJHg}5d-|ih#$1x8) zu+SaYvdt~O0w!>Ahf=fqEp53A#Q46eXz?0eTS^AM4}#YuyI?s5+)mmB;betVx}VhI zKmE=-`1D;p%ca)wmy=yNM&&6AihMH&R?LSJz8}0GY9tDQmsz9|k#j_F+~KTFxY`4| zdJX2I8&8D#FKSgf04UZry_cdM=iD$EBJdQAT!Z{wN}Wg$oC9S@1j3e{h&dzldEY{&7W}w_PKA%2N(g{xd4|4~E!W0aeD<8AJ^0N(^v(AU zh52q85Sjf`Z|n!Bw#YVG;_;6{G2fvIdMH&1Z`s0>q9xjr(8zk85%*ZK7yQiM~2%rs)77il4wB zh1_o8#cv?kr@3GDEtbQIlX%x}MI6#JKo=Clul5k>W9wVjqXUNFm-x4IJG#g_@**v- ztdE_HH1O9x4xLJb5|IuZ8gXx|tq*a1tRvRXwpi_Lmp5b$_ zfz3uwMMW|%wV9R-(;$wJh59|88V8@fA&||ohIXV+Axz`~l~1di$!)^Z;My*}qaJ%FW&=9G%n;L5Ui#m- zr^>gwv1fPO0EcX%x%>cuv?Ef;4(_wZA9H3?Vv_^pLevgau%;?ly9JtYpo11GQqOSq zd=p>T_31y(?vs$rAo(yt0u(Fh5l6L$>iU^Oc25c{3~?x?MonJ~;9g=pGQ7psd;Uek zasp9J>r4J7Oz9UIF=#d)n!z(s6-Cl#IWW?E(_|rtt~Jz+FEP@=VU*Y%7XOB#w6j|o zXG_MyKKk$G5dx0;?Y9vymZb`==g8K)JdCa?cAg= zY!<}kz{Zec@Mz%K=*Gw(mOiV&cE&wh(x>+wW~#uN!tbkolm7kp(L~c??QHe~9y6vVUUG@&JFuH{&hut$Ao78TTS%n@w77Qom|1 zZp28*5dmz9>6Ty5aUlBqz(EX9>UfWdZR!+s1ygfskEfHP3V|@m+I@r7<71v7$|eln zr#l(_*Q>re1U2={DM%FNbpmYjbHyymMqO;WWQ3^tE`a?NAoQizq~6R3mj*3Z;u`8P zk!#A(M9U|qBgQYCUm?caqSOb&fyF&r_W8z^9n5s+g%a#d+)!WSMYb+TwQeOTW~E{i z5%m#+_ue0Je=fQ<+0-SPr;f#5LzcdD!!tIbf^*Bw5jr1LR6PbQ3Z+t`7F7!}KV14B zYV#|sdyNC-uH6EV0u^2;jrBJ@6)g&#I0On^_t@P?gj?C^p5ky|X*S23wm7xdj~Jnq z^n3iTLS>vRJ$HtILcv!)AXrI##qWEB!=mdjmGL``L3Q)v0Yc^M-|ClxOpSzzy+;a&2M z?Vmn!`)IF;%Deo%cXE_Fkt{p{OJIk zDWi(7v%qIayqw{&dt$hl+8^vBvp;u{GOgHZhSDoRR-wl5q(rzzv3w+@4VbGzIN~N+ zN>q4*F&N<7a}9fO99RH?1=r)9 z8HYD(AHfgLg^;CL>TBKour80yTL?J3?~k|~doXB{aTGS49thATAd5yK(fl{qSV83w z=NF>x_7Osn^_dc-7N`ifpihzAa+kK>RNw$>HW920I-^RW7ilxbw)^2yBE!?{a89n# zNUsceSd{-<@^-XP7M1TOm^klDctisf(#d6>nUE52ws6xMikN`_7;H-Ax?qcsLGN@@ z(!6CK;pgXg*MRg(;Jd~&if8d%iRR@h+W)q%#~=D=vihp?WcRp_b+~f_Xj0k1D>UJG z^R&`)Lg%-luYWCA&BWH*W!b}O@3P$A{}if&OnsTOzRlgpvcCdHalZugR>^;PV7@{h zQ#K(XJ$2kog%(7r0et#+4^OkrX~MdMfe+QHiWHNwOrWPB^DEeyqA7Z1`VN85u!I($ z$Hy$o<7i#kJaqAOVVZw}gB@9B<3reA#H=PRM|Y9rDJ+U@$PR&KaLsOGw@{+P;^Bt0 zoNYUpYTdN<>}g=@t?N&Om!V|WO9Y_x_vrOAhw_DqKe*Pg;+7*>fa*2J>#Azlw(m-4M@~9n 
z>Ux?J_Iuo0Pv;Avk`1IJf|&#POy4n1+;To_xLOgR7Qqk2Eu6kiqly)MUW`rnltz0o zvUwsPse}+4-|di^-XtuKV0<`UNNI=kkm6D@1DO(m=D*$+%ig@LjR9JY?H!#kgJ;Lr zl>|(`K@9}3hBd_S6cs_SNS%MP;g@!+)A1bT9?;JFDC2in@AxGt8&QhI*{`+$VTCM4 zj07IK-p=8-@D^0!IZi=J_hQ@gOwUbsc-H2g1S5rf9DA5(d=AOpP>sm4fbhgtDtJWD z z*R<)AI7tg~%V4hBUBr_zv@H=E9UGpmH!>?+W{*8Mi~)rbRrQ~ zYBhgWItDtFC|;zOqQnGEv5ofcoV$b9-einSQJA16!ewlal92a$$QH4;>lyu$00K*N zje#rHq=1-*A-8}Q*fyBuTP76O5E%nElcHfp_mi|iK-a-Hs<QgreH{F z=dnVEqfYKe=>JHIrWsfOMP}7@^NR9&%a3}*3xxEv@sB~kW#6So$A66`;IsyYC4NZV zB1GaCkQe+zz~KxKCLD*Uihck`%rk2~OcJlw zfu)nZTuAzN%z{#l#Z}|Elk!aL<0Y=}1KDwwIOTx836rR2RMtY+<~=4rUdk4D|6A6jMj5@C4o^luQ4OU3*5u`g;D<z_e4$CjMXmv9>KM+R?%`>Uj}<{Oz;Mp6T zmT2#$<|_BZPhk`ePa99XNCD0xA4u$n%t|a}PHrYOhhP(Qz*V{G{mj9sEY~eEvz1KN zWC|NwlU?`0>VH3nVEYI5NE}ERrEK=&4jJrPTA6lMhP5LrLlxBP36SCFaM*QoDIyj9 zZnd*9pP|naY^+96SwUGyaL^#}3HBMocX{G=y!&arUq`9!yKfFhr^G|T zYP2<))(~`6Bg4%vF$RNa@Qz#{15zWBxsx-u3JNIW+}qH7;H9>w*}y1yJm~@Ayb40D zHntM=Ey+EzB)Q*mmqUP|8>D$dX^z_PdGWzHs(L8sF8o=O`|} z;(f)yRE}TpUntQ09!%X`M;sOs+|KE#wYp=q(RJ(7$9iY7SxqE0RyeV4WNvKGAB^%R z@Oeerqi>NIQM5V9!oPu-HDJSg#+%%vcuJR@E3_~2B$VUW2%IRi=v;Kkd2u zK2+^bsXnW9*vjEFXcaKAYUeZ1eE29$er0%Tq`xuJ^OIa#qN>~7%Jcs^u8r~T^Gj+1 zf?;)ai>$-r3ws(M(mUO38WmWA1H%vHKP_RKu<_D5Y>FAPg<VlR(8#%40m)0b_w)f>hxmH0Z zY~y)qX7I`YHUh&V>joE}KzeS~J1X>ZxTz?710WLbf?Z2_lhK z@>~A+m`>t*;xpc&y7h;@cT2#A0NGEBBVc>n_|{rKPXoS$>yW-N^v{gIPiAci<%uW@Ru8~X=mTjSd|wPzz@{|)f-~125Vr8UEEn!_s%8JxCFMs;Jy&|l>RCz|@#VDw1O^OpC zr+#k56b34MX;Jco)ibIj7m1k~~-GhMIG3wKx{D3tl4N~J>Q}%V!OuM$B zva_TDh3W$^93};Tk9M9iFzasa0u>`YA(9m~FC~)ZGt{}kX*>X|%sqCGP8{F*z8+u4 z?-nK}{5lvfV4>PHmB{^(D+v|-nOV@U3d54*fN31DOThM9N_vwwO&G{-Rl>&yx#kTWRT8NZ;HgS-eFGz?^aZY_5rYuM|mZ#y+l{T5to1+*_ zU^X?y14SSUNe#G+rIsix1_~`w<99|miq#w7MuN;{af=R5myh9pW@aR|O^4iZ?NF~Z z)RDh-Omn)d3h6zErO#pQq#r=fU+FiW*k}_^jDB9(mI%I7RnwyzWJxr-<0um z2E0FPQ_|M2qvil<(`oQ}A{I&EzAXnij8oi%40r@|PHrUJP^t@%V)xd0I+)9p@TYvh zW^CN#O-A#;Bw~*|oYV2_Z_WiLZdCgmqtVv~^l>DxYWbwMOJC%*OpWXzC>dB&y;@Xb zJ0-iPf0ax7JEq(i!(C6HgQ~f$GX)O#OW%&rQv-ZH%V=wqTj3oek2Px?+9~ACU1tJ> 
z3IBMSbu}dwrF@1mJA9is2Z8(SVR9!7UU2Xu&*y_L0|UsGxZT2hcNO&w(LB&}_YjDrUX%krW%YH3yh$U#Ta{OUoVvb)c#;#5`f<|c zIOM2V_xH^HWqrIeh-ckSnS*!9m20u(I?;pt5FwW~$AS?d4z(llKgZLp2T$%ZpHU1X ze5dNV0bR4?l+KZH7UN3&SK`#P*9KoHN*MM_B_N3a^&|aM`0%=y82RfzeD%OJk%hyD z9heUWgWkBOGR+}=4rC{_+9#qRE)SS!wP&JQhUs~j_YpC22dR)Ho}=vY$pBO;$bk>q zU4jqpm+?}67Rq8gB?vZg;+s_L3CXX489C!a2uyla;9&4E52P0Hmii+;kG;oP+*G$} zvG=64m-lwY!MOg>Q%n5MC>3yNnXQ^_9G5mJV)_{p;-qav@=?C=47yfz0|t)_=jstp z1QtF-w6QSyL7d~hS~3WgDiqnr95h4SOl8<_@yqj`WRI6OY@w)eoSaB`(UNMxkDYr@ z;lmoWx2yr5J|Vci`Dvy zEV*JZ<6JXfXNH@6++j5}CCE-gIA*+JaZJ9TAQ)3p8>2~dST&4``M3?Dhh$$@ZD)i} zhV*$T0O8g5;=SSTgHdtQb69Enp2kGlFArY-W*C zM8;MR&k5w`cDha9b_Ei?(Txj;w{Jgz=o>N`OO3fpMH!k3u!qyYK-h^+6^%f$b63`T zH+<3k)+9>LbkfeM@pNnlgkS6jh7IV2Fgd+Q^8?j3#UdKF9u*{vRJKEp0-P3c_H`yH z{6_*myGhujcAyp6sk|Mt^9icA+!~4yB%J zgJVuG_pN4iovJQ}!4nZEK+c!Yn#||ww+z)75PirTLQu?dhUvB^0u!CX98NkFu1@cM zdl;M_5wGVI110suJl%TMpwRj`z2@Ooxx%L_tB<0;36|Jd-LX_EF29IF4aA+FhZJ>? zQvwNYB<((0?EB9c=qlMGuF#trArT2XH;s@VtD;)-H-U3utipX$$w4jC=Oc((#=%pF z^R0_b3a!#&bY8?1Rkden_Mp)QdT00?GIsl$x=J+Yb-mMoAYG>MMSj<6-DDoCAq_`61q_Zivt1nF=neRko>xq(Aed#txdW%*$lP zMgsvpNCSePSWT!DvKw~BfDK`|;}8-5V;41ybVPby5Yc?=9ug(w8+OFA_i?7~I^EC| z_Mo8D1NtEZi*Wm;{|DbdAip;#!^nNVx{oME3t-2gFE|(55b%coFuqaFKujBE4)ejk zkZ{J_y~AO67XjXAn~Vmj5DXWP4>UWf3Ns%I8VyUruRpC!&msehPJ-BEgtfp{E5tvRVKfLePyC z2)5D!_{KmFwsaM&#r_}6u1_qKeVD~sbQhEqZ@M@GNxV{LU|Ql8k|E_$ZeP6^01?KK8~Q+4uXQ*-iY&VdUkM(u;3(@ z=i51Rv2LnYzug}KIRE?$z%~qfYZQfdohQkEO05^i)u&Pj@62Bsp@TRO>wF)9WcQ;N{ zRWTqe{t>OLkWmLsA8zjSKX8X+TV>urbY~cBLh7Dz=9w(HF$TFEODZdQ(3q>(M|_i+ z4GpCm29b3jiRebk@eom(EGlS($WGIykKoz@)vtdA3l<`YxMOF*V6)MJS{z7zI)H1A zw4;^Xg6ZVxXPf~olIO0u1xh;70tvz@qFE%AyY^boVSGegYKoKkIavtB z6~*ocMmeo5Tf2Af>6lAro&6sSXRfH@tcX6QAFCz|88sb0HQO04ZsQ^+uva z;6b456U}xP)ng!R2!A@6BVf!aCOPNPqweL`M@2j#461@ z5HC;PSY4B7!=k;+HP@h^0q{T4ti|(f+d(`|NfbJ)hKZ^wdXDgCF@U>FH(=qq5xk>7 zl5F4!=F9~P$A%S#QNvkCY+W{R7f?2#WI<~H!UWXECHxzLk+K(RBiqx3_<|OYlbAnx zJO%~u2?`2>XQ+B>HJn|PA%-sL}}5tLkOPi^vj-g$?$2;Bx`};L=KkwpK0`$8w}r2|ssvFs&w`4p 
z+TQ=Ngr$_{Pd(;@+u-ET`Yf(&$-SCP^tQizZNG9>&9N8pbh0h5H&?^2Fv+B{S4@J_6ykq0&I-Fb34TA{9M9Qr? z-;kMTShNh<2l1;LZR)1R3)0@dVG6meNLhRA+J*YSfeEPvNlA<(wwrE9SH9tUE~HI? z9%sG5lj4sP`JN;uQ0v%1q*u7v9o_< zsKW>rf)-Nw9=Bww6edAKU>NS@jglYoP`DhA${lrr{+%22Uz%?oe5eVwHcFYB;=I6R z6~jJ!#3=t%Wbxx~6L@^rZlZbF=FFAV8vSABpy;V<^Ki2kneqGio8_D9Z@7UG=B_n^ zjMZb{3ngFjE<=4r{WzR~sfkzp4Ft{*5mTmq&C0)QIj_43DkLBfh$a^B^a?`>*{ipXI70AxRMjb`{2xH9k3ad0 z{3%R1%@V>@$XSR=2hl zVfO(!Q#GOgB1NGm(yo#piit$b2yBUN;3c4rXTv9kj}C3Z#vNfJ@E0h4X$nn^;zNoe z+1=N2_7V8&)~zFv%{@Dq6`&vWEPAB}b5rygtQy`zOj>S-n_@XZKvNM8WPh()zkb;8 z5#Z7p4S0>5H4iXF4X9zZ(;DWj`*MN%j6cgK6rvl=^3uzl8P9L$ifM*sbgx6W1yrj4 zMPp6%{0r?ki$poj;&yZ$;<+dTK4jQ%ckM`jQ+$Kwg5e)!O@oX81}SrlW`UYx$?|Nd zfJ5xbe=hR})X<%G-qob(BX#RFpgv2WI%DAkLq3g@>A)(5r^X|8Ca|Z^@)4}X!KG%; zmuZPtklZQ@6C}4d1C=un9J>n{m{L9#En<>$n?;xS`x$-{j==960kZjG$@yb&q^B!5 zRZ&U(DP#LR8axg)3>4Ace%~w;|B!$NWcqtX;Qm+Vq(%9&PESBglMLFUgVx zVPY|R0`^8&1-wo6D=r7l0smO-I(In|j0-6jDBds+(;Whe%8b0Tczf=@zp=YZci&rA z0bO|YNze3WY~5113W5=rn&#(noAOQ{I|i=~4zyvzN0Nl)ZjjV15?!w>R*amNX_iX? 
zwSYh)T@=R-eITp@t&{r{-A8a?@l~l>4QrHfU_FfY235r}8y$xx#WO|>1!x%wq^t+{ z$zv8lnu^FJu@r@ZuyspOTx0r5ovQXk^r!`=ajFI18d$ z)CyvpXGcHLYdmFyGq?ClQZh>vU;ql&M5uB+N0J%Wf501z27viS_dNg)9@%hU4;V(~ ziQaxZ#p=E~gO4(I*DPbqwNgC(Rl0$z&E0eK+Djcf`JWMWf&0Jy23JR|a8^9uBR%ig zyN`b^xf{eQjxQ0Loz|FL)FV?pg{O`u#q+|#x+$oT7J3Ro6~cd(d%9IR3)1^)yM{?l+&-P+1NXkD+#y2zB%S- zy4A9Ko?B-{3g}`aN#HA!$zD@!fwvCAXa?HK#EM2+`APrvs z+kH+pmYv;t^rCT3bqT^HwuaqAC<`!BZoSnD%tPyGxgt%y*|>2du0PhjD2q=%odB-b zomT9=%`2|BlAa(RxDkW{!Uy?`(4dFz8oNjyTtH19Y2N?!L8vDUSkO=O6u1JF#t1QX z_*bPFZR!T`0&8#NKMIugk6JN=2nv=$?%_Kb`+6bg-%K{C$LoNgWrz@=?2!4+O|i4X zu2M*FU>aaHs!@q;i_txD^gAlviJEaFgPWO~C7lYB&4cBD7>aR5P0$Wc$w|(_RXbzm ztkPGfTY>14Epts-7B-xv23@?>6h`Z-UAwsfJno61`;RnxRG&3BqOH*lr@9AdSYVTW zlpyCqu7%^5(ICwnlpre>On$o5xN%eeRrm(v62IcArG4>8Z`;milg+T_sWLC8iQj65km5bpvN{(=eqm&Z(zc6hhxO~iQE>T2x`jVLt_a_Y|HsocS@Eltu_v35!MXy0a(J2VIwf&0-28VEYJc( zVeoWuBY4*6Ic5l99pnbq0RflFRjS~Aq#eFt!{S4pkb+94rz5*$5H@W>ctSm)JhUh# z%#)L4BDu%&f4h(JLUN*>94iUc%PlhkYzSmRjbJ}`;>dQqa~NWLkNJ~fw`qA9=~PX; zlALMTtXT`KM~|T@R_e0l)`p$)aI@wV8SzX5ri~&GaawX|v|Hd);BqJe%)oeSHl`eO zlss|PEkwjHDrpVkFGo+&0?ROrM^6XzBQ_@I!mvSyIgx9vSh*4wEZoIRD$glo5a{fJ z$by4e@BpDfJHzM9bx~JLt>6K~8AzHi?><;xrDT`T6{Hqz3{qk_p)2^JW>KV24Cv1B;M9$&9O+c=UHQ0>tAI$C;M72~6&eZ%(kGikltc_h z`cbt!5=o(i9JnS3A_DsZvWt9~zWoR4E5pCThL3#wiKoEk1s;#4Aj-@_niVy#p(D8b zFBFmukQgv0H&4-Z*Ilm{0(ju}LtcB`^{55_SI(u8R|5wP<`j%3US!^43`6HvXQyV( zS}bKrZ^4WLd(ZJNb?ki3Ip;VB1n!`TU}-}{U^vi!{APdvIhUfhiacbWJEcw^>IoN+ z3LlPVW6^6Zraee(|Goc1zTw_6yYMbzr!XKoGCU^59;{fg5(_uOp}^V2QYvrWfD~q) z;7t`OT4JIPfk&c)-W)va*6OzfK3TXW)ehoG(UW*ulBYa<#>~K3#3U(Fv?%n0EXG(J zf$rm8XbR8yfddB}^APnxhlxP>Csnp=*;4yp*_auVefxy_1vCGvsnhU0yHCN-tktpM zTw?LVwZOsNefPc1TC~JI1%5+VkTJy0LOBKxVnj4J@W2y^J=Jf}kazi;*+Phi zxQ^EW-Y2f7himd zhQP22=^ln#h9nX|ILMK~YlqH75FvP%EM1N^;Zh^KUqD+d))dx zzyQ2?APm8TBv{6{8-Y%d8qn_bjPp#L9iXZdBhH&IpYx4p2ds`3Tt>pH8#WNm!Gq&j zcX%lv&P9WGn|buQ!HcL5T|gA+S0jWPQDmMD=trWNoDQN!b)3@&h6P^YV#SNQ&m!M} zgR$K-y9#y~U>Mkjgl+9i{2f9>XgN6r(eZlnrUOXkCAzm>J-08;ITyelCJaKJ_Yo-{cgbfAOKw~r 
z9XpZOd)&ae`kHG{j^N5Z{$xC83eP3z4{W8*wb;3-LM1w*u@Af=sFFZtHuotC11nqJ zix}h>E{7wuSh3>tj++iTXs`OHj%B8db9o<4JX z%N7AqxNm_a4IXvSiGe*Nr;HY`#P!v{6|Co?-2hs+ebQ|@cc znzeD?HL1_I$Wkzk6)8cvs}0?RFmTngB15POB(Oji8GH1)Sn}nFYh(vZ#Jqvw?U)({l~b!!8D^j6s8|C;j+So>(y_h7-ky5 z--7ps&NDI&Un`0!!7YS8{h=d(_+{2jnfCRVciw~QFfn(E`zf=}WX9*lvVoGsJfp#8#q&Y2+HKr}#B;?@0yUtKmK~aVOnI#Z61q77E4{N`{t_&>t zOmtYoVe@}n0HYXu>nyH3x27NAmM2GpzG)2tfEEmwUxB7}_0TGD1|lWMvJ^h{o;F9= z!U8D>ERuh!7Z82lML8TY9mr;UTaQuG8=kW5Cw%1 z-#2@{GKbd015x}_c}_7R2@Re-Foy&0M+9xG#zg%=(4fz zzE4hNJnWX!KB>XnDRvXq9}#NK(QjaQ}}R0R%4| z0GKxlD$r4eiXjmBZ7C}Q5~Ei zlZ2!=of4Xz7kJAVsw$|cNTlM$(f)w3habyLDF$-m^*015G;R8fl*LOR)&OpiV5vsP zwe>S?SlW>%h#!N2A}KuB>n>SW>&>1iQcq#)NVDY)ksj0o5=IMPfsM@)FDx(?Ef$jy zd7^N3yzvje|0j%qS#VBF%J`N@Z%kSP3`2=U4Yf?5SICt;Wr& z@IhjbocrCp`S@6fbK&zx7P0ZZi+^w5K5mnAr?|`1#5WfHdXh$f@dqi#LjlLa^J1d1 zdZ~VU4W6d^;X3;mCZ$SU-MPzaI;F9daJY%rPKrwJah@g*m&r-I2}=Yp49Nx;`wDEK z?;s6hc99092v3$?P7D6~Lsh|Q#dV#|cy{0=ZvFJLG>DIa9?>STV8^Y&!CKk|+zwL` zP&yulfBh@bl;#wcUcdrr6GsF!OnE)Iui#FSI2_w&_K_nDVc;l{9>|cj6uy5!AjHTP zPw9}98)A_XN0V}zrN^Vmo;wOZ{$oeL{Bq8*NWNHdsr2?#RkN(Ft>J5F($_$Y7QdNrWF!{Gfj_@UunGd+Q(Fm9oIKBWUKv=;JnImL5c^<(% z_txcgAUj5U7wb3hI*=e!ym$%EVP(se!?%X2(%hNt85IY?W`S^zn0LW~$MLe+>Ey1RyK{{RRkG0oyq1;&T8JVn0b% z>ic#~01a$AgCr0?LBe6TBg0C3ujiI*TAP;VQI7Jcwyel-6TX(G=co#$1bA15uCn8;7TJR)#z9tLS@2 z44STz$_H&mu)-ooc>nj7FmSZhRtgJjm#VFhGXi2yV+&k#V=Ph%iDZ&e%dceElkk9l z!U&iJ*^e#6??<`$8;;KwW)94LD;^P0I^{fsF$tPK2LKGPt%8@(APz^q zF=&WqWy|YEem&Vzyl(i@e)#bxv;aOdvZ#VODBtlmv9d)JPzK1YXdtfPwf$o96r>YZ zM1dkq0*$8JdGhqO(Q3>kch;3o82tQ=8r|Q$XCD<`tg&(I<9?z4v@Ggr>sCT$9uX9; zx8e8y!x2Ci0A>Kzf(eXs7}ptgy*^gYzkH8F7=f>rG8D@0=n_k{l*Nn5T7oZy`OHFy zR6!41hsnca)6!ak5sIcTTi{J{3xD=`gP7qU^q5Z29+CtNW`nd2KXHm9zObQs*x3lG zmc&O(eUFxa|G}SQ=>B$DU)7L!9ZIt zO;5Eq3ijJFRH}dO`pg`Fepc3Uo|?F2*n+mzEcSBBv!vmU4b_c5rcEk>$^y|GDSezV`vtpi+RF z3!xJ|ope63U`AbnZE({Z@ox6&)1Nn2%lr`<1Dy*B!nu&Mg9%2h5RODYR<2Uj`94dQ zEX`Xy2Gy;?`S?|fT&R-5kRk}eK)HpF)1`3dPdfrAEJ8d?SJV(w3+En|KK?Y_u#c1_ 
zUX_&S7YiwOKV>pCDDwfM1+KGV#jh$}{3^E#&Y3@O25QDG4r-k<%og{s;F?&nWC@Cl zsin?p<~a*N9Fa(m1bM9 za*mdbMe>>-b9gQqe*CA6fQjZlmQ*knx%#*<1qbrt8fIDjGzQuZw$?n!Q$vL@X_u{y z81p7m@JcGDANcL|9bN_|arM>Lkfy&g{MtP}me-WKwiO8FX z1+;YOa*`#VeeQV=b1d%yx`1~I?r{n&xs4$I^I}m-8Y6LS-eP?6WY*I$_nYqC=jtm;uIjs15Dhc#y;UYyFKlCvDTQL*h-DzyJ4;nHVAWyE?r+ zg`R3)RyLOsX(T~Nt$CRJhFehj=Yfn#Ec1AwnD%%NiWI#ZmtEl4;p-?^uu$cyw-TP_ zy}-$a<-+?y1PVRHtj4R4&kZ3@m2=dSyAj$%*#Te2;o$y0-u_KDReW>EaFhj}c?5`) zq3?NdFsxXMzCLh}do7wJYgTjz2On8DsfG&8f&PFCL0mpbxnHdNtGE{!? zW~_dX^Np%BOe)?cCJ&mADe4{>vg&}RR;W;s7le1=nzH4At>U{-=Nl~gHEY#Qa0y~+ zG)~3`jbr`rYOo$dhcZ`5Cv14%{i=*8T*AVV1sg5vsuIrt*rz5<9`-CF-PghjYu@}( z=0EltO%kVz3&h2?0yYeIc*lFf7Px6ZDz_~%2gxG|!Y(=sv8}F-QOh+cgVA$$Cfxtq zi~uwyF;rDbx#O!BmN6vdv8qu$weDq^KgvKWp!CVMoQHRr#A~a5a%Y}rI7I(G?KEB) z^^eV*^{sk2uzm2c5MaXZfx9nXoScpf8+Q(XUjoGe218YbL+t5(@zIZj&vu?w2f}Jze3qT0qM+K?2eO6FP&E|);^p*+8u!)1{eQ>^ zFtM40jT<*{PoBVifUL|S<`Quz<_|oOykE{Jp$D;^C`96%%Mwl_P?~;-TM{B==U4wu zi4rAIg|x4z4-~G$?mPGUd0ZNxAZ@akWS{K^Tg+PLGY(JO2>v!b-`rcb9)3j}{&+-r zwMnMt_Jhrk%_3KVa7wutC9a~Ow(^Yk-~1zb z%2tjp=_iJd$D4sU!I*Jcj%Oh&?6v+`me=PIJt*BMI&WR2g#IO`bRfzP(1xb6i|r zf%6TUrDNwV7$*3otzohXgpxChByV@{Fee|G0wvUXCYFTlgAb55i0Mb3?_GDtbu;G6 zmtTWQT2&L1P#**fDxzJy2sj>l^%2er$}Yo)jFQ6m+OlO!bP<4%4hc*u=XOBa*Qj}i zdM3e5(E^d^xC=I<%HA20o+;e61FW`!i5)r%O5QiLBsfip8OYk{fyNKH9cY;!K-O<) z6I1|($@lYY&GEJCs4<5d5O+kCTW`&LQ}K?(RWfw=2t0DA5>2aj3rQAx@XWA+eeU@e zuNpM|iPvDHSv}JHQ3|4Ap)2nnv|5ZC@h>VMmv?bU=FeZ?jW?wn@K;m6)-@84 zbxMKoCBhTW|Jp;uJ}AcP&=aB=Wa9Vxu^EJ|t6KT6>@;RxVo z!!|)XV6!lJu$$l}N-*V^+pL8+5;@P*BFh8UAFoEM$DeT4guGc=!HRjPlaP=o3na3@ zfWcR+Sjjzsoqb|qn(eExFfvL!Psi~Ga$Po54El@pSfN6NoJO1-Fi8A4A3Zzdohhjx z&PjTRw*(Icub$_M@(~HMXR6ty3Br`T?`b`OkS{@O8{`R0${(UEJfrV`6b@g+x5YtZh=u&CiUdrJ z9^hFNTOSXo*sl!~MG+9Z*WN24V(-0SZ-@o4A*g`#8UhI=bm=HH5YiLUNUx+Pw9pZ0 z)~okk;(ou`lT0>Sl7N7In)lf!%)9KnJ3Djc{O5GGg0&~5Vdau+6TJtqA+kS&wsDI1 z@Z(QTbkmuToR)$?8Z|H^^&c?!pa1-qYfo6z#1SLAMaL*jAc7Aex9c{jl}KFY>u+>% z#vNPl!_P0jLV5YpJ>)OEg&3fL(dGkLT^%u1Gu1SJYE^r@I4YA2~85}1s$@%6ADD_jAZoQ`yaX%FQ^l$ 
z*luBZ#>Ekc!qt#^I?I-?xcqW^#61gy?IPx2l#R|LGkW>Z;SWCS!JbpOs}fh$CFJxI8ybIs5g>08{(coT{QYh<T{l+UvoE^?jt7@q{#qMa&o;?I5HFnD>)Vg)+34xQvaRPA(Q!jo>_uhM7lVj~= zQuV-6i~xfX%M(#WAON?d`Cl*W*y(nCjcy=AePPBlAuFMQG+k|%k%pT3LHZhN179g} z#jyPGvdGBFiC!5;o(dFt?Dw8{@+s?;wl=lu-hHn-&V<4i@FxUGQTK@}$mY#k@LGgL zxbGF+*W_RPEJNeTj{f4WUdQX9Ek}xnw$VkCFM?2}Y13!+?$htWnw0{e)z3cf3%%im zPWU|6BQC|pC0a{V14I1=D5W&0Cn6R2B1FhvBsi3Br=03ihZHA0ijeX{FR6-m;0{XT zuzx?gam2d&?|;Bmbiy5%bpZ@@|KKC98mX)%Qfp!zM!t>yh%n$D|`GD_9^9;Zpu^mQ7FCN_-c6y z%JKd{&k){o&%fXt9G1h7VIv?;EKun52rY!*QM_{omv5vk_G8Xpapu%hPo=sy&<27C z9H5<}qz*T9UN3o#SgI_1dV;(|-BRM4F1pwqt+)dvS#hT)Op=gZ^2}g60J(+@_dVkb zd-7Z4tP9$o?WsVy^L~ zufOd7u(82HgnWS|h-4|?5&m-B-ur-cK^Qw!dda1i3e~XzgRsFJaz&Ep*t%+3v^W>z z5toromus*kS^XAJ8qA&dm9qdAHz!((?IjyRk;N!D>sYrHQ+hQZnebNL-M8ZDh<0zY>Ork z*^21knm&QW*Z)RV+lI_bPUiUk_KeD#q~xiZd6Ou_Swrs!P6eve$JjTK#4CPvr=_a1 z5Hn6hP9JXu>EVYTMV?|gh*y#~qdRvj;SghKL_R*n}*x z5M0%OJcy^T-no)P0`NzT_WxHsD&nz-SpKXakg-#zJM`Ql_ubN=<0m~olNxi}AKe9d zLfO0W6!?s-0BhBd{1yJKC&V}}1ElzD+`7Hl==dq|x$MdL>b$I;XZ{L9>HQ820?Km$ zWz*)(5G~s|QuDEKB84n<+#q1ck_dF6YUFp~^;j30L}_3K8Xq{BWkP{$E<;mieHuy5 z11C*(W_{s@sOv#Ss2ZPDen|ce>koAs;KTp0Tle?1x1sgvWOwN|U=W>DQCF+;*d-EL zh{p&%8`jG(#!)?i%Q%$6vqw**)(DH_l|gFHzlx!7f?5vWlKr4rrg_(Kj zJouaSxee|Arz1dBO?+m^{a7Q;SH({`^?u;g65}V5(AFkT2|csiSYocAK*a=z6BlvO zl95ja#zi(EwUb=47B5^VmK^3@?&DP&^hj}&gO`E$K@--? 
zEw|iiBYqU%BYgc>BT^!S*d<0=?$267Z0Yi5S66AMOBYoG3sFu;8pO2qim%)O%NM>z ztVG*$`N|%TswLb+0cExVN)GxzW5z6NA#7wo0{Nws0DrH$?go&H^ct+JkkANp`*hM1 zt>8a!q3?pKHGy04VAq;JWUK1TOK`UR#9L+Ai!wNS-f-s6JOW16ITb2j`W4laTPpEW z#QEZvPW%*czE(d9aLO~qtCgx*Xc1A-t=s~2A!827a85|C{uN7rog{z)2B9>dF1(jN z13rP0ja+gDvWmw9jB}0jCpiYLxg>`{tIwU$g!5c(j$2@hbI+@DYOcTj25^nuzWCBB zIPr>cjl`RgQ7cJ4BkDc^vUm&Em@NHjfAWSa9@P#dOxA&Z$lmb8{8XQDxflBeZ`!%% zKz}aR*U~H3xA>Efe0{q2%P+s;iN{6`1`aUcO++R=m_HBzF{83}CF4$a+%aR;97sJo zSH&cvk%mP1Y$)HP(kr!bao8i>itNpjQ33=L;Wj=6IUowDxu}3e8%y|yJTUaRt^FV_dzkjYDM{m zJ_OfX>spZK5(W9x)1A38VO0`~dkf2K`*!k0;1%3|;1H(~%GTQ}ue=&(d+9KLS@^j2 z0aCK(WGR8Ia1y;`buR5c?HO0b?g|8TVhWr8`g{sEZohDPHc)lUz>wh7)%E#_TvK}o zT>H#P=L`O6=c3Mz@j3|XNLU*-l%w>PJrW@skm8VGBN1e5bjw$mf5%Rpr1CYMNJL*NX{4L3x7p znI{4+Kp{^DcSesH>*})0O|VIIe(nVUDO4E*9c!-%0a+?u!9c9t{?oRdbL3?2u5eI0 znowe_{>Oj*^WU$tH=Hm&3#jrL9QoX&<(#Si&$+Vpk8A&(uW1_!>y+_d)~|ogHiJOU z7WP|s^zq6p6LxEFzV)^%*>m!Yrp@pMhx5zPt@{V3oqoFO#aCZ_ZKX7nq++$$hS?l7 z86PxqaS4gnU4Mh?9Z0S&cVJ1%8X<-YX#0BMBC88W^X6wut|#=9UEX}lc`J|?*@~qX zWug^b@zkqhx5CSUl0&K>BVHERt5avdu`@*^vDbD^hocUu%z$k1{ zQS{H6@)Y%_o;CBOi{4N2CSjjir0BuJ-|wfNegY|Q(uTV6D1f8L8i%m6b5^^Wkh*p2 z4jm$%K+mi@SDwIZJgQ3 zx@{cZ3l8d!DN-oY`S;(y{Q7oKrq6^t1yzG0PVcvP^VaRo%k-K0JkhJSwwIExws*IU z%&-6X?~Ks+Kgq1svm3kuc3zeq1qDdz;v{>022lmS3#!uSGqwgI50M~j{BUHYY^W?u zMojmFXOaDh-P%)6J>%3}a5oaROFS^!{}kwFJ|kA zzY|OH@h6_r|Eqg-PK$E~3{r8C@rf#qlD(x3H+9F1ieHSMQx%U=Xl2G*VY9$;QJI6C zYK*t)-FO8%^Wp}y(!>1!pkbi*E4t7qzDZA_QF?b(ox~4}EoQ#-%DhRYJVpGS+XvM* zmQ&CqXxR!f!$4Fh*o2Kk+r;#J((_a2aNKaiji3Oz(@_zyWrCBq-CJ32@s&lzF>B7e z2OfCX)e1~mjqwvEiKi2H!yB;s`yYTcwuiD7sQ!Z&F7{%c`}mVjz47K-{K|}L=@wp1B28MxF(__->|8wh=UVU@Eg`BayuWdABppw^YxyE-H?LT}H z52ypY3wBaGX)zvMdDT@mvakQw*Is`E-y~>0JtJGF-R4k1L17dTZ@&5VamTqR8&RYW z8LGlh5R}kAa0k{kA{aVH64>gM%fdv*$lB*Jf|t1rWeD3#vVA(c+O%1-&wGEtmFy}7 ztvvUKN)u>C2dm6WW}ZMQK2)RC{ncEq_@;`2i%4+ld|bnsKidf4?`PzlWe{#qV#TSu zRE5p*E~p+?DNHalzJxW!3-q<=0>J5tEwPcwCN8fT;lN7veK8{DBE8zW?z@ 
zeL?+i%ayiXS--lzk?qB;V?z6vU;p#)m$9c0UI8;?=wvYE?_ry1phAb1X`dkD?jeAF2eO2rKvG{hwR$-VB%kIK?Iq!Hs@OJ}6mSbLP$`x3g<+&uZR$gjqj}x6|8T=EY^~_WxLwdCAPd z4hK_cMK#7QinEp8RgG39H!JQ(%?QKwnGGlZEF(aPMB*c86)^y_5u(udnR z-Ol>LdW!=gKgWe$T#^vGFbX3~v6NVJyLaz_`&qm6r)pdI>Xv;!we<~MkeCH;v2tS@ zqvorVpIf=TwOtE>Xq2f>C`dF#XD65;Ns`^~`M0v|rW>#C3gMEfs-)gv7 zJNQFmLl2MHp zjF|JYVMF;z0jWNt(|pFHS3=ci3y&WVJR>m=9kTO!b;cr*d9_`;T2I*0BNLIk<{uL> zeF8FZ_9!b`BjcurR1dN=j{Gdw=ZW-k^q*MDG_76;oV7 zdW`jC_OoIE;{b9kS-QM!TNe{Bcf0@o2PHNtHagH1dRMse#7Oj_)0xrMrlW5?c>J!SB#C_)SPY~V(j#< ztUIsjB)Zq1VvVzLBA*_G=54Qe+UaNDjews+^vZY$lFJ}1RMXgrY*+HNb(^-teW0&H zu;Ma|wsyj^e8+i%Js2JiPe1#dQwzb?j=Z(#7LbNm0ytxg@pliivULMBAbFX9Cw@gJ zFEtoVK0{YN78tyH-*+}(vZ0bIpLYiZ zcPyzqt73KP`b>*o?K5t*&xm-1R!CJ}Ecfa4wNLLQUFOAM(WvX!9$2P(wS(n>4A;t4T4?Q%*S*FQXS85YhYd+17M!`?@m>Xv9flsztRzH?PF|wPjNYPM;5d)im%>Z+!C&6dsf5OKXwFE zsBhu<6-AfTz$sEvtbfVGsn3kiN2Tpu;U&woRKpQmQddD zq?1k}9}zMR)GMw;Y3Z47bm^-77OdkykT2V z&1l8(?m#WcqWgNmV%N*`^(4_H2(fR!fph@jPL?Wvf!FOjcCfx|E6!~&j@&uTA!%4S zr{<`_V9WRXc(Q+r^+hJ=lcNJBD#8{7D^lY!SCo~)Px#3bhxf0b_uy#NrmA&DHT(-B? zV=_5D?r0B#77|m6m+ikFXB+fO_(S+g(`zP zxN7GZD<+5#Fua~b?4psBlJ@qy?_nL*>#@!T;aBJn+1X~A88FBs@3}(%2UR1gi^VXuWW}^i?!y;Ut%SmW{=eOUY51%+`iqm%;C)m;c<5+zZ{o#odCr`B& zM9@#vjn184kkY;MQ)2U3YiLnmO)LSP<<*TNe_k_2%`G+mq@kHAjY_Bj3kF5B9J*}% zmTGTs8?SbOCp*Vi->uMKYa{1w+`RdPz@R3hQZZf6B^9amqjNWfZl+Vx@AKxSe zRegeddd&6tXg2+9GCH}*xU43DxlJbKxgP=P7mW^&%`Ra7VC#eRE4|&gbGQ8^YQmOn z5U{J98GuvbYM=3WK7*sgDN&1})`8UnuBSkVL{H6;rwZ36(jPiTia&^%Rls6F;Rb~} zkBG<^y9(G;wN~@k^2Mn~T{9VnYj!tmK-3*7kbP;p<)Agswm<6l*LQQc1WH=Y<#k zlf*}OGDx~G)NVYe2Gv=1qH1tO^OwC0#UzJ8$*~VkX61$Y|Gb9=pyL(43+Oca7{JBnG z5}prtqVl-3!3D1mAf-RVL5~heI^QqKXJmrUm^9^!4%=73Q+QBh_>4+Y(#p`4=++cY zfmS0Dl@s9SOME_@<@4Dhb)K#ckMkM1%4c+na=PG$c(Zei$>8KahDSa;F{Ge$jea5x zua2R%eSg~0kCvn?&RL&XzGKUdom^=LFTR`jwSCv_d#A^%2L)uSF7*#(#HQBtpSKRL z9&Xg~h+Q%XwO zq$$%d)~2MUAtjN(lM(~2$`IlZ@t9==u?6LB>ORUfy*33tU1O{OL~i@cv(G!XnlO+? 
zjT#frhz|z)%qy;RalB{AckI}S3((lhbBQ0}wpH(K`4pJ86<;I@5#G*;=2_PNVlzg9bkGXA!het59iFtVua732%W#Td z7YEhv+qcg`b2XZ*K}vg*a(1-;Sc)gw?snE$X9)mNsL}Rc@)fVz=bwLxTrTVe@uonz zA&LtgN}V8hQH_WFL0>e}qamD7^G3}rX;`_aR%gZJ7W)JiC@}%f-#@g`z_8C3#ghlP z8mcUeTZ<$hRB7p&iSc>e=Eve!-~<9IOgP(n_U;SMF1}-Ia3h5{2|m7wXdspQ1h~V2 z#&2YzLMw0zR6+*`gnhcu=aYFzF$%v>401guk+wh$zf_;$pj!+mcK)#C0pY0_CY%qo zosm9sGCHUDynwjl$E38LmUHXZ1@EoMox3UzPAV^}-<~T28Z@{W;vPjL_h!L>47D1YT&AG-L>Lj`xu}W2BwFzmVF^HrMp0%+m88sn7!o zzNnJEGgWeue`g!N?RU;Q3y@5GRE8p}q-)o&y!sma!*QRWev@s#bmv`nLwoGLsGBoB zaI&i!kbB;7=Ut?X#?c6C6dOKt5j@n{6FGw#AwD6=75Jn+0s!Ga9>1M&E(gjYun+{x zz$wuou+YqyDVOxoUQa(v=QWqptWPsT%^s~h)5=S=UJFL8gqpEgKK@yzLwNAnLqp;U z*TJ$hFlnI);bap|$RSDB`G@hVV@9V0ge2J@fUoS9T@SdE_1O2__uXcO9y{C=k%p~Q z*aRy1u2RAg&UFA5Kn7F+Sb))|3lL${1&Cb&Qb60#SS8xv$37s;XK=(-gXU%xlvp3( z+6{eD_k2!xyw6DdH&T5j75hvs$;x-`zBq7|>Ymun21fYw zUh3073V#VniLmHm{b|N+J19#tnVwqJOyZw}z94djyQ4 zX3A(-bhV|rMIY)JX00kV7ixNGXTz1}h=YderHYOw-jkm(6pTW(K5tff;bei>P zW@zP*t{^20HY&SFIokQ-5T31Mmd_Xa^j&_(*cIP?`>i0>^xhwYGdmLUs>9ZJ^my;p$rz+BU|C*!)UvV8|mQw zEr~21WfU)xaG$~oSL_l&WSDpV~DRV`7w zQrxC$IuuU5icOrcO=$B zCSp4jIB^OE+PI9mpJXowr}$qiR$x%j@)hI|v))0sh5SG(a)=39vHx|UJ@XWT6}NJB z2~ms3fk$W*$)Ul`FTLz?oS=~SIKM17gbf?fhioGWD@JSNPTpQmJ=EtlE7QzPvpdZI zX=ui%S*4YKTKTGiDnLp}3Ry~K>Al3K*Mg(ISl0c^;I#arzQJjC%}H-NJ?F%6nT;?i zVNn97@E#u;bNS$}OUpM~89r@|2(|`}VO|H~a9Yv2r>93BJ$$8tDzs{#fE@ipl(>Za zGAc#=?H#0$wATWko?rX)`br(2Ed;0jHDvLUq@3;FP(#`CDYpLTue$#`zTN%m+_=Ug zVih3zB`f7O_@(cVxFdVw~gd~AK ztupp4G(&^OR=KYeZ1tK7DYc?i@l_Rt=NLu$Aq|ZqF#<;MITgkKs@BJr-fFCQSXE2h z)J-|VY#U^JOQ`QOWA9hSk5PtOia(YZOE!0P!G|C9a83M01#P^5pcdR>p)m*sBI7S% z?#SI47txzpPpa&d^`u(Y7DPN#6TSf$L4=Qw6VELtQZv0 zeDJcOq8h3;n7Y*T4>ALbO10vOffNcIEX)426vU2mF58}?j zf8h!;EKZ>$qtt6b>%mL5?cTTdyYJb?FrJpttroTPEYQ%iqvuP{pq^7b%QEkWpS}*@ z3B+ZvJlb7&q1DRl%AN?l@AJg~mJ((xDO3suf!1CR<7F8NHiV?oB`U=Ap7>cIYH?2v zcnI5gQ{$Aa;R;&`*##H*g{im35gjF@*u|99 zEWQe=Rw}5%YWB%|KLVNuqwm4#ue*KRP&rdJKK`EQk|r6)zB6%9Ri zdN%*$fQ7>+iO2}EVq@uA^hz(%_U$`}>QB0q>C_fCbr8ZH(%1U8_RZO9MHSJOm=>hF4siRxZuMlA1Y 
zY{KP_YKgukP7y*Cq+B{NJ~}?|Qnob1NBV*tuDzt73|T3Vn9LADg+#arLTqHO{+}}dJ8-OomBKjk|K2&9)sM31J7z$#~+1L^#>^{_tPw~c90@bVMIp3om1l!7{QqV z0-PC;T!^$KFNFAtBW;Np3tp`p7*x*K9`mBU`F59;)!R@&zSfQ){4b_$+kqGKD@(GJ zHc}x4D4D2wh5Uk?#aFy3@Vgs=ryrhyF_-v-P(j9a2fo(%T-V;}*IAZU(0qgm(*r_% z21S`5o}%nifF?kRpCN7f1Dazg8x*e2FgSjxM~}@qeNt|#FY_M#GA=MWgDq3-fTbm@ z|6gcDw^EwpU!!^BowaPQcH})$BiZoL9zU`i8P@z@WjPRm@72d{WfQixw}n z{^b1gTVW@H!V%KBhP1SppIGuZVns&9`1*}*cBXqqWsvU9JMSjm3ab+_StX?^qaeya zHme9DbPwswZ?wO2h;R+!aS*>?lm1J_m_N!g<%LkZh3vgGbJGY_A9z9zB4#Ro(>F`g z3twB1(qe2E|_h73 za3YBH42l}pqo{oI^)s`4MkXm>LZYE>{a5&WJlCghu!0GqsOSvh75_VIWs{NdX*v0> z_u-`VajtFGZu4FU^23%V9y>fnK{JLk1z3@l1}vTnFfl9)5t1E4go6iQ${BR0xGADA zBssUcWyW4Yg98;>5vqejAlcWIi^ZMQJhSBb-wInAYhAQSx-$)p-#G#l4y!1z zWlzGD;x(1CQDynV<&UiCrpw>IGgMVF#|MucB=^~K=Alfhy)#sqA@d&45ET>0zKHD> zkkqGdKWoHO)22;7`uG#JNoGFGQtqsFyg&Q^nGr8fHMi!?JzZ|vwYw0@Df>Ode2AH! zY~Hek^e@O|3l}Z9`s!<)-4jbI$p?wD;zI+Bu?0Hs)|=tr7F!`bNZnd;sd&o)K>ulb(z3a?~#yrskXa(G4AQV@51_VsU*<*z2 zfYO};PlN*#;U#souGZvDs-e%|t)l>YZ z1uR~K%*>LeukRNFTD5BBTv@mg#VvYFu)&ixcmbEnBVG*zjK^@ipQ+ zQ~)1ycF(BzkMZv;;sA_HN?J>tR0f|5>Ntg`% zkWrSpHfaC!l~f>o>z!^8IW{99FhLNsf}qu~5xzD7U;mH>em>XVaD(JvN5aCDoiJqd z2A5oVnbR?Y`(WgvGvt>BsxTScX2vz0 znt$BXlE#xuRL~Hf*sxZ3EP6JWEo@)1LkM6Y8sG%3Fe^<74!{CGu zwR6|*2geiP8?Hu!anK%#^a_+zN?1Ofmv4ZO7CY}SnH8Gg~|@Y5KEGDG-gsVmkghHUx+6y zxi45>C~R%LV=OQMj2b=0TAtpzoSkiCD_pj$xtmbej2tzZY#3Iy08YLC;m7b0RyTPI zMG47f6bX*eqZ_QUo!{=t&dFt)DmAl6!e;AUj>(%)@Rje=?Qp%geDb zxw=xg_J{4(Yj1R6x5IXe6fVd z3Z2lS?|^#}MGbK0d-~bV?K^aEwg2+-XP)g0C6l8`Gz0K1cUnEnXEo;$kouhn1v5mF znidjw^MvT*{8LTOJ#(wi&Y!J5tX>^#_{~ULgcnc=-5M4vQE-6*a9uD0H5Y03z^NW{ zkMFl^*pijIc30bmT=B>YHSnLT^FTv;&BS<9+{;wn>FD1OsQ}7P=AAG&v@xOzAO zfr$6xL!y*c}riM=Vb)UAF;*k`MZ1`IvZhkeH=uLr6ta&h|au zja#tdFw?31_5djCowXAk6N@UNW2a8mtV%EhYVx9&!&Pr}eu2`wZQe{SGN=fUrsoU` z7||Q0iie)$3wZQ9-MYg)a2{S68;@~{r(27aF!~!d zZX`)skDi}mH9&_$+zi(c5Gp`sf7SgzRXPN!e763IH%f*;a?L3hiz8Zbl{hji0e=lFBinT>duO=g#sSRRF>cHl}tL zdYVLS9fks*dRmp@#pw>WJ^aiOvd*wb^jy#03BMg`){qr2XLUaMId(xr;DT1ztwxR- 
zLw#P`Z4c-xb>GI0S9zXeR>raE0u3Qx%WEB>rf?gZBqf?3{>tuJZ?^UJ+f|Gb9w__} z{+zjH3i(%tV-tLM5wZjKn4(Ab@k$Vi9NkX?kQo4ci?bC&g`YgSC$ihj{8PCj$KN<%Q znuP)oRZHErpqM<)kc%}Z8`KnXM@{+KCEg_q& z-+cSz+~iLd#2q1$wLFFnpz#0;$kaDu)*O;*3R>}(^z0(kpo(XGVX-16g@6$RF_DFF zuR_6c;)(8FSilV_o5*5a%Z~J-i!MgT0vZBIlc!Ec{|^TsFYc$G^%iN4q}DtR3_<`D zKPv_eGA8qk-{^p=uep|OGfo%u6WI`x1Wbl$vAmz9iHn8GXN!x)B*h!Il5?qt;+D9d zmEEmntBRuQRa|gG7K;Po#kF2ca$qys_m-+bzSUU!go?<gmE-ZM)%!2FWu z>hi~=Q@c|*734tl#Fzj|KB*Y?v(G+zr0;0dZpbxA;$9uOwPPo?Lu_gAS06nl!1c0+ z9)1)Z9mZM7Hi_Yh6bC#GBNr(1z(Wt!LdmW-l#?u_ciw%EI}lPO8!F-~Sa%lEJd90& zCo4$FZuvkFN_ZWAH3QTvk%nfK_}h~NkTW2P*8$qRH9JP>CnaOKnT&#jgb$7lDqg#R zU%_fVpBqX-^-7Tt!w^mvW72M)kzBfdqt|UY@6{RCo|`9k&yUMEdUCN6Hqnj(j>>8l zt#FD1KnJP>tq`~vy^rTK>KA;{z~D#x7ssV#iJ?>c2_;-h{_44K!j??p{H4KLx9?DG zpsS|eh2E&RVipVHGXDsA`&DwDP}E^0T#s7=#oz&u1Y~^tNiX<6nQB;E9I0s;{1=ON z%G56j&IMLN%@R~`@dM zvf=zrChrOdwZMn`7x1JH@aV#6StKiajo`lSljZR|KZLs|3$qyQ`=DTW9|D54W>dWdUBRa|i6 zk?|jY6_Zm~B1SIl8!2eTUp)mh^t|XDg`T^pjQn=Kp~E6`OE+$*oZ(slOGqWDbYq8U zNsPv+L&MV6ZPi<#!$r8>_k|9L@XgH1X3IKud?5NjwxH-MSf`-XhadOAmW^*-m#%N~ zzk`PkCrgaiCbm_p)@Tlqbl9L0Jc7kp#3j9iVJ4Sdeg#RSS^fm?=j5tX?XrF4p`7F= z;0|Yyl5m+|Wl6_@Ds(unz1~INN*c}2K8I9q@GA**A)T`Oi<0m3=M0rojtr=9NV4}- z7h!zNDD7CuPD?Oa{nIFDPy^bA`GCI~#my@6TGvRNj=FVSXBFMH#mq{9=}={*_}cg> z&Ok})_%QVwHk6N_Fo`UA#NQ<*rHGUbT0vT~=TM&tX@wA{Tm)?#8z9abJW`iKu9Vog zz@xUcemAmJkbDVRN=`|K0#P}luEDPlD#hT19*?aTg1^4LmPXU2O+WbHW6=*Fnn}+I zGGduKUi7e>;6dr@w%#%+c5ZYMh%Y!*FOY(FnIG5!N_D(hG^5k3PcuU+htzBnM#`I( zmTw8oD*13hT)SaGruNVD2at$Y#2HLf2wcju!t}nzY^36w;`vJk*Y%sW2v>J9d@q2o z;fU+k#c2hnOf6KJJ?ue)BHH@}ElJvftAxTfo@$YaQ)flqiqR^u^g0b!}G z_q3k$>YMW|1_q}dJJIw!Q94EwH(>Q zCtz7IOV5#>HRh2CePCkvu>omU%*ve*oyBHMO?9nkm7be_>Ex6~s7!s6{y8di&Gy}} zVm<;`hlO^%Z^}dQtV1<{vmd5sH~=r8Emh0Y?YudJL=N~Yh zp94BZOwm@EbLnf-#lqjrV)3czV)49DMxhW(>h*$FMsY)=m2;%) zd&USO(H~J%*H(`z(E-E=fK$W^V4_m46qu;ydKLC%x{+$w%$#}VndBZ17&`&BA08P4 zPC+w}2lYCM;gw(tzH*S&97P{BK&^f|b@mv++&IW4xZ|7)fk&Tk!igXzh3RD>Xq-ai=cT+?;UW7U;UPS0`?tHVnw@vt 
zu&8mNNhIzDr(A7Pno|iv@fVO%&gVP#44J=z{lDgQn)_*lvci*aPAe}J=K(gH=lVug zsN~{{wosC4onvxj0Yx1;gX>)u8C{Tuew*ZhJKfX^qiB&nIaWA z0MY*8+JV%GhY7J=7^Dz9fhx{}V&XGDbR`zF8S%MnoMcGluXU)Mu%+in&zj6*bY|WO zbmu>v+haZ@6jagd0{`W7xE=*p1+&Ht)7!x!&^3JI%zuB`-wmlFS zpFae!=m1I&S@rxyNa^!MKifjKE^1r5%>@?_UB&W5ECPezC}H7|H@Ck92-h(^^WP#dQrHmC8XL&j&>4|OWGAsmDVf()Bx*PO8rEyG?CK%VaEeY0OWW=p# zUqRbV3{^5XLgnotF8Eu2l_6pC$BKUv7hHN*HD4{h9%ld}#rB+ruk{@PqmU@7OKK*h zeZp98CQiphwS#D13VfK+zQ2~Zny8?M`1nMUJjf#{%lmBS=ci1Y!48L-gR+?sYJqIj z%H6vUvOyjPtsZ>nVXH%_SEnJ!8*jQ9A07&VSS#S*)QA0x?UsaTuos2NBPQ@5#5at# zP&ip0!jWt^#jx|)uywm%%<6Ulu`kR^{ASlKSe#~engME%qM`Yu zW}cd(iWk9IV~C$hRYDVg5fjjH0aeHm7-I0dz!L+WOstUU#(++&$*5J+qS9dX!rpB> zU%omqqVkLf`m8PAd@tqchsR$ueCgN~iHOX#fRy|f*0<#;xt*pZ9utspvTtm5UZLkt zyz$G{`MlC~H%&|N!KGguD!{3#Rxu8hAQ_2?;zJK0U~ z2t_z%j$Cv_&^B)EiAl*wd?*L_?aWzoZ{W~~aUV7zc${*qn~ziXfhIRd8zRDVbiNL!$o$}~<@!Bmjz%E0)vf*R%_ zcWm+iCXFeS>XRe2aP8S6!tV3?IxVjldxt(>XQOb<`ko8oPVi3|yg1f+v3`Vm!wtNU z?D~gf95V?eWUg{eSN1ZB{Dz&;Z&8=2%fmDBOUgHojYvOXEJ=N-K5Tj+@^@r{f~wfn z;%%Zw)fKSxq=>V@&*Pav7r*c!rnDxY5a*3%%B4i zcn5|x9uzSmJcCTQqDB@16JitEJLDu?`we+0eE?FCj9Bv2MywO9Zt2ir`V5t$4_Qf) zrITq8w<}#62ww5n6HiSy^Z0>N1i6Ubk0rq4YVVK!Ult6u^+AK}nU^#pLUluj+3~_* z*kH32)W5CKfH&e|QE9ZIP{?q_KQZ*fODRQBTIIW5jPH6IqoD54X5E2?1|wkPp8A`L zqPo6XL?w+CLaS2!5k*BpS}{?PI6cm_5EaDFlEEp|nhHtAmY@d640%WV^w`zZm|0}= zUw$D=67H#xB1nfW&TCRyv}hrYJ#4Pf^HSr;jWz|Tf5V;fH*9(P>qMpS0o_I>Q1${PJd4zZP>g`^Lyb@xo~&Hd z>cw}Ke}aM`a0J+D*+=*Bvc!c z+#tyc9Jcnh?b~g~^kq>W%?V$(VWaJQeZG?ADKI4Asleqh7Tfi<=i0v7P;6B}S(}Nb z{5Uw0z^F5Zhu`2II&48C{7{51q)1-*tvNAAjm@moiy~?ICO7s^8xvg}+oi`=54fHJ z8hT#5V5@L#`T717BEd4aN?Gn84@`0s3$L4+yf~wD!`2<22BjX08>GrHWlB{@zWr7- z84|HHt&pvbsFA$@tNtwgkgNi_!3Gk0)9ktPJ9O;mwca^@?RD2poHUiy%_fsVy|PG& z%zf_p7sU0VNt0urdG$1)@*5r*b=hT?+eVTkU<1q|Q+QCw{IVvUB!v0` z-43LS@YVJ0cTVvjn5IpeQVPVRmI%zUcGIi)d3VP4#5P{fRo*!qK%Rff`xR6D$#<)2vTO@~_r`mWCwoiZ?J)UtTt z%-MydlN0h^U6|T>Tw-GojSirj3dlUgFMfVhl8xKjut2`r;KTM6S%xDyJ&Vbb_QCzl z%*_W=_^s{!wy&-|Mi&i}$^z+Q@1Ql|n 
zjvS14jmD&X8k~XgP7kRbWEvW*5Sjf(nSlvu=_-a|!-jI!h?A_j1A80Lihy4{&v9t?vRiSUB$IfnB2uA|Mza^Q zG9F?kE1=lIxCxKohR&x*S6Q1ZQW!oWJS+mHK?B<6B>(00L)W_<+({n6M_7cg3;xn) zKEh03Ecee^r35RA@S<@dLZ^R7^P$TZCT58+#oy%I{A(t~A3Xt+1n${+O7+tF^*R!DKMbDI;I}KO} z{HG5NHlwq}+Ys3eqZn04qLs9Ty9+1=c!6Td>q7+^TrhYM5sqk&ooFSrCv+&34_O`@ zNgv#=Sn>$GgyMcVbG8>+-PHaT6#i6*6Y~MyJ}eXT9=N{Go4f6f{%1I;AgU%vnE+J-q+ls97QgT`#rBm}jp`d=W^$foXABJTTOOZM zvZ338Rmb{^OGAdb24}nh;YSY+AFwRx_aKyJs>n_3J#aQdzoZOOW^Rfbe3z^)F0Hmb zX^w3+wrts&n3mOjLE?=wGMf6YdU;mNn)Nl*Zmwvev8MJ0(|T}6?YEWxb?q1@0VS*w zflDKjGO{5{zFHxSwoP)Bky)0U-F$+Xt}q}=K~+#XC?Bk1H%3_JSZurpc1DnAZ6p;)M+g!UAs6nf7sI4*yMCq z6!3zNg9D?3{*_lZIIp{Hw$)cH{Yk_2)>h2IXf-Q3^|Wz#o8$sj-4>@Jg;~+6cEHke zq-Rafqs(kl(fV^oMOG%ZQfOsX7(tj4w@mgG&PgVDHKW*l@l2&kJH0%*`tpJ1+3r>#n!@W_WQhuY{rQwPNUdV!AexL{YYU^>JKbPyh z`s3`p?d`1ZZXFZaAXon-2~BWx@y~ets|-46Gi>Pr*E<9~DS8*7XHCze%q&ae`8f%S z1_*P**M)d4bbvTo5Fd?65o*Dk0(pw4WR3x$c)dzKK^tH}XM)m&7}N^pefb1rb+h;;|VkZrKn zXT8}%yFJL|+;!LAAYR92-Y11qkPYDOe1yxH|87^II|A=~l152aRLGGT4GsCB4y_kqYdE#(lS%CaXGEXO*P1FeNwzSNV3|_xI1k60u4h zsC0ajRlq5sra%?E2&RNd0(lA}1uUyi(9r`z7AIs1H`B~bvpdZIHA~b?QnO7BQo>gW zM)R3ef>Zj@14BQV8$nqsD?_$2Y8wxCGI=K))DA0F06HA)TAuFgDrcN;WPN4pQ0O7T zRsPA@iAcl>sy1$_lt#bVsR!9AXX&}nv!mxr&!C=DrdZ`691*Kjd|0EfAreObk&xY; zgCGK=Z?-g)XrVyK@Pt!GC-zv8m9?f^K@}f|cqMemU-^izFXVc}(255U00ji#8HFxI zl7-rqJh?17Klj3{Dfg9`T~50pLp^q(aup5+!d;L1g>9bbibT2i!H8=W#PX; z)&f`XA~OIQAwUpw17(60PHo;|Eo)Ub8~G())wCjMDhZeHU8klMYQXg`n`*$S6c)ud z>?iMfZoQJ~=okN+G>qbND~d0xE<;~-kC{8YtFgJK5>%;0h0u!V`cs1Oo4aX=If9eS z`)UEH_N@Be(@#I+#g|?|L3iSbcDHj#0&u~L25^asPXvru$dHh8x>+n}Jh&hsF?r(T zX{Zpr=7o5N-hKKBEwSmk>8AE{=D~*^;S8=9pcVLq#=!ZABXC9*JAZi{r^XNdAUj*p z%xIi~qfn&ygB7`re9f}9Fd_siDx_0a;^WyW-w~mvl9Gl zf*P=wQUk7|wEaDm#+MQ@*s28z4w!z0?$%( zSv&%@40vI?|Ka;8ASJs~!71Sb!V?6coWhiL@WX3sSajYoqY|rZ5X6?IDd!3fSP*R@ zaA})$qmJqqyfijhSefQ*2ZK;mMkqLKe0mPnmTN~Y%_~`}nXr{PTluz)t2>#$D`eD; zK3KgE?NR&VTzlwz5!;(u2Z6R89~rUq?A4#lkKVAMTuWQkR;?=708!rO0&?2G?Bx$zu5pCPH^&hKPnK&DBXGn-#RtNLq|J$t+E=iRT 
zVt+{fLmZGQZBMb_suUKe0WrrEobBw%-}a1Aa`JCQtt*OdsD>()llCQJ6W-~cDG`-2 z^dzQG-s$;9g^O>wo-DRzEM6oR^vvJ_`eZUl;7Ja6VJF2bg(8l!GFE9_hMin|4?pra z;yfvB(cM8}xRAL9fP+>@UdgFxxcpJa$_uTWv&oemI&@@H#3Rr*LTPw_9GMlTS9dMK zR1HZAwT$@zs?da_6|Z}Dc}`PI^GHtslN>N2w#uI^R&L3#BZMh(M^F^0$2@%0iLp8) zAO$ZKzB(^9Br=UZ0U}-MOyy8LC#j*ZqS^oQg{jc?x313MV}TbxBDId+9%L@V_pygAp}V$?U{- zx>Kh+oSy1!+Fal_W-K>{mF4E;!#zMM7}P;B5S7BB*!V6;sR5~=w1d+2y^T%p8S7p) z@VM3it;IL(CpTb$T^Xfc`R~>s1${-4MfIn={+_M$`jhg$1X&}l{utw>`eVxQbRw4* z79~=uvh>)ukOBfR9Gqf)SDEEq5a&smwPO7CZ8No6Db2`N(NnyQ`^D1uJ% zjUBTjN}%d@3RA*SVXgCHQbsR|fInLpZ)Fe@r>un^O^~5YaZZx!5ssYQ1R_I;5BrE`H;*@jTWSPDe#IPW&*{Fh@5-btnh&1W=X4F}$nwy_=(n%kF)I*4wfI<3mxS>kcGJj=h z3qr|~*El60Rf$j*VTy9^(RpPzOo(m_J0gG-wxbSoIA*H7k!Fcr_R_dmP#B$EG-@9? zz_Q`7NBbuA`Z@;Br`iot+P<$@rDmQqgrf?NEh;XiVU-s&JlS})m6CJ`#52!!*5`HO%(I%~m&MJ&DQ<#F5wg^2 zZ=Em8dgKhj327&7~K*Q>k%RY5BfGW^}u zfX4dMek-8Nhc)2$0b~6OW?~A{>ra*UMfDeC{95dlJDqfSZ*=L36Al{>vi7n0!TA%5 zmE?(qX5;`D*x>*%7=o3|m7EG)k!7oGyLOr?qyh07pz&j81r6vK zhXTPbC;`tj2pG4G+GQ*L_mx*)7h@{{hCTV<{^&mEjD)YpNqgTB?FP>#3 z#tv=!(0s3w6Iu*X!Ywub)Eu=wAZ2COHfCN=c&Y`MG!-4fMlFw%|8fJb8uFLzHLW9H z1uT%uidjy;Vt8fD>qIN2Y*l{gBXd$4Pbwlsty1VQ?}A4-RGZ<)%twmH*XwV*iKzl4 zf`hS}weceA{~~P(2uejEC=g!6i#yo`%ne5-m=Y`zUuBFSG=MgzYN+zJze(P8iUp$v zB!vaufCL4T!s11)YSzt5HJw^h>L~{>VnP=4s`fPQb5H{f#kp zq54~>0)F?qBzt7Om^hM|ATomm#~pt>)#pj!IKtNt7=m(;jELjFbj4*Xf7UD^_z(}) zQocfXpbVa$x=M(3@S&pjKl}(H!Pi3WfKuN|AuJHSf`A0A^Q^n>zQ_7=Yn$%9^KLg> z6S*5{TPinQ-|RfBOHAVwozyrbTT}jOsL~ogF;0>G%{Mf;*`(aY6qvv{9K9bqUR9ni zS+O0Q(h;55C&QQ68>0rqGZ`0Um=!5xu|A*z;>s!!tg&B8$ADl4--c6qyRJ9znn^lw zO0!lgztw^R4J(Vbac>7m*##(9yr9GNKVSuQ9`(PQYk%A@ix;VeE!$gL2gEv1dI0s1 z($M<>J@R@k^z7*QBI8GgDe;X6aGOw|L~OPzfDV*^M~y0#h4eI2m1zc^FkPw46$Dtt zn0N%Kgwr^wU(h*y=iT8S^wi|gz6)25UKW>_m6ugiwq@7e?YsBw-22_$?}?ZFQA3p$ zuWXt?HeFCPw9Q9I-O0KS?HQg!5ScIy%0Qvv6WP`#rKD0j6;?pH0A`$7!^;aD z4zZROUvi0aE6XN%wEtMtEU<;%eO*drfn1;W?kg8yZh*|VEjZ=m8;lY=Kp+y!0zJWG z*7^AtxGm}aV-)HEaPX zmbO;#S88PVDVQl3)mW+)^TEVVoniDNpn2S12tC^KB?KJRgBUMR&!k|E4FfJ 
zEB7|r)xhM00A|5?)CoFVux9P=I_i9cvsZG)`3epQs{}9Wn9$b4r3a9P9@Ton7Bdo> zmUsEMmCC?`W>2~Kg{#>|l?OKU3np*LKl(0e)_;kTtd(ZZjA-CWvj8yxR>KyrEGjD5 zu%R4nn55g1?HBQk$j6xF#8DRTZ60~gKprOQbVfGR}CO?lh%P-r|4$p4#G3a%(R&nUXGTBIT!{krFj@^_4_y;XiH!qb%MkAUA2 z*Aa%QS0$$qJ?He6(TKx;K?CewZtZy6n{T}{CSV*ILUukFuu{^}MMDT$Wn^V@e%Odn z?b~Ind8}r< zG&E1H2~r1!P+r*aJ0a;nf9}-{Cvw$=S?rL>Jipsu4h5di)<%?5;HFu%lsxD zH8|pw{!5z;SaPl3^7|)*yfQ21vqkZPmM4E1pSv)%@T;WNr;SDr9H;gzO3F4%VGfTy z$}c&ypjbk}fht!3(?Bf0v@(%OL6v-}0m}>%7V%270kY{*SarnnvBU5gqU_u}{I#Y` zQ=zzU29z^o0VOVm^^WTl?fG9X95QSK)#{Hs?sywdXw|9}_{9%7(AZE)xQ!!yld>1Q zR%tJwE;(77AOkjg;4&cy#>o^M@?uINCSiDBpy}BRQ}}#h4l% zvqn7n9|D0<`=IAhb}JLD06U~A&`RqM{WDGj-#Wh2*M8~^r$Ij>HnGS&n)DQrB6+~~}Rp$&_ zfk!CHD~|dAmX~-X+JHI%>(DGGkGrsb88_3VDu~rh_=(e5!pRCa!@l?0Yp)~7MR-C? zY(hv_1U3uX#n=llV97PrE@3;qVQKSdL{jEAGb@)UU^F>w!fijde#OrjLl{~k{M(@- z#-5wFyw-2O8b2qQ1+ByzaDbT`u&c_yT2`$FG>ZOdl>EJdf{ii)sahE&H&*FFZ&l9x zWcJw9U1jHtlg4sp-m0^1X>zWQ2pkC2?10;L%C z0v|Yh@)X0u2b{7(RV_+CBr1(lvZ3X#Xk%<;JBa^UyLKHw7MWc*GAzBx7_>TSgRT6& zfGQM#AI@ytd&xQe39TlkH5;2ut=pp!tduKqo=PyQs)yvV$8O;tKQvoz`iDH|uZv3fUn@i5RJIHm2+Xxp7=GAlbOVSjpG!VON zm+|$HM<1`U7gQF!gKscAB)G`WF9f{&1IE4ndY6kXy2QzIYJupktY^p@FY zEEyk{k@)Wp`(5M)L=D(isR7r&S|jOt$xZtUS{pe{ZBO|Nf5k$lyeV{`8G%$d z^W)M_4kgNbeCu!Q{!*#_eolAI^#@I_2noCV@+%I>5aDBU-gzxaF7fK?UC=hmW`5B9izH>^+XsPAbz%+c{r4YrKE(sPY9N>G?X2&9WB|(* zt$?cHwd=2(p00`l168;PDtl$>jPL~PEKan7v|N>ekRl(eCJ?}4;p1{)b+mx6A#eSG z@{bH!vE0~m5{SW6VyNoW>5kfY5eboe{l>5jh9TgahZ<*PT>Qh2Jm$n2>;;lKi3lwA zz%s4S1GaLu)9j*2K#Hc(`9rS`pdPBMjUpe@n?j3J9aK_Z$)SYm4?y2N+1NMV_#xai;1>#k z^Ha?bY5H&s1vbz}9(|0wOc*`idZ!!uUfYBCdgopDAXYQ`WbuMlA*bY&RMIRz^4JsN z#d_X(=Sk{ga0>Gl7r;GOcn1bQ^}ZU~(;#KVDbbS%PO-q%VScnQ1uLjONC}@Q+qCtT zIp%H|GXz>b94(0M>=Sgq|6UtaAm6S}+Lx@ZmUWc_RPi?4$$2Ji*I4EPA-C_^xqZkFy^6I)yB)yp_qV z#4L+GaQLzWB~zpRHO*DW`6lEP6vNm-D;r>mJ`l8W1uP*>y`fsSY3s;^5xe$%FT|{s zfqF{@W@)ryMY!|idM~T`TuA@1bRz^cZ{FOM9lRuKzpR5zz~TjRL^O$N;>uYiCl(;@aFcn;I`pfqOo=BHXnTWF~XE`^)dCpgdw9F z1Vh`lZAao12m`l6JOg1G$Wv?*ov(99&S;!sZCY_kgsB=hWkS{O!72C*9{aBbtDyH8-{*6z!TIRR==3 
zf<=8$2@jbAI_h&zu5s%k~m12k|0%u>{~XLiyvGKnL0`mR%~s>)svj>ZOGh`IB> zdhh)YZ|ijXX{VolK)lO#F+A{|d+$@apx_XaBtQ%Zt?ta{KU<9NgB1tH`+7TJR`^$t zZ3+L12dg=D@ii4i=NNIehy2yP8bxQBxhZa`dT|1&@TTZ$Y?8`}{$?Q60^{ctqr$~U z4hk$SU4y`K&9&FrgdNwB;u;dh;zxnqv;HEp?N(ktr1&ph=nx^I6Pjm;kg_$P6?xZX zYm{L+U_cn?I1ba2;kJCVNF_^EmaTx4>^!wd^*eD2sDk4Rj>tV~QnB)8$9)2*`XadF zsKu!6EA8y{z$wiD4+y6;v(+5f%9d$cK&m!`a>79^IC4OEbZ{5f@^oicZLn2S&a#d` zjc6}DVtNcMXoal$y8x?(Y*poMF(N3w(fC}`T$TRl?4)f3-tXF7J6hE#TLD`y&xvbH z)vfudTXyc&XeHVMjaDX79U-)0^|7X)JsgW4ee4Mv>)hpcXC8tq&XIdaP+E54kz9Idp>s z$e_8PRmFdepEHc_2(!Y!BEZ;6m{m`+_TrNUL9bQbfE5T<1uh{%US0ivcizbJF_brj z4y5W}ta;E_|BCXa*ec!>fhyTAmA|m@xqYBN0tC?Fk`@W$BjE`Q0!fWtd!q}p@abp0 z+gOo`G@ z^ftn0U^vUt3XYpvq68}yR~6c1z=|nhi3+Dokg{p~M3~Zha#u-8Z|OD9)QnWKR?Tc_ zu-4?TU=v)r8lJ5D+{W#lxZs5^zJiV%A~QW2;A7kH4Og z+J!8cT$_X?WRSaNQ|k#yN(VS5z1OldByP-D5YO)ftWlAf*hw1&=69YQzx7*%R!+dO z$yQpt;(Xbr?f5nwg0)xk7OZg=KADluchq6Tf*?7U*v%r*Oqx8^ne+D2OE1Sh1rHe? zIJxf^190DR%3PZ5kXZY?mgf`i`P4Jdy80^XD{YN)TC{*kazHSUfu~?anAMLVDwmzA zy@-DWN!Pm@8^ph&s+v_v``?ON{)MYq;hY#SOMYctdyE`eQ3UEoZ|k1QyQwA zIK{>fKh;qYS#zV4#Xfb=I0dUIELn5L85SbUKmByAW&nLy-=e@rmD7aOt);4^xeuatMcH8amfABG3p2Qkk|I5}U zZM!vg2E7nl^bx*(!Y740;l1qn%D$*C?|3xdRPgdi;~^z-D?&q6S^>ksHF#DEVWcP4~E_yBT5 zZHXdX->}{%!6^+@PMoR%Ri+;Wma_42xhIWYwJLM9DF1;fn@2k87pteAt2_lx!EInW zHwCU#X_t_y21UF-Cu+-wOfDSjZIpSSqRM>60|B?vra)34)B2mjV2dAJ|}tS-hCRapnMLk2?U{79fWiB zT$s>oLVDxTseKkFaHiht>;Nvr-3xlgAl3ElcaOGIT15FXZTd{O&7>*QF1_?J8&^5= zOts6UJ|hacT2y(|2YKe%=a9KzSp<{TVyUOx)!-q+ar59{(=Lze{M?JP=gg-MaHsT) z$^=btQP0;SH{g$P#@_j=nynJ7`m1VI>tC-;so8pXu?UZO$SD7#O= zG%?X6NCdbgE$#QqT)ipSwCvioo194a!@#l#(}tJU3WXZ&6&z~x^-v9aWM^#jOGCEm_ej(@^QV{_3fK(z8Re!s>NC;$2lV;GZ{W| z6i`KEmT*^3GWgy9VFf9{sao`YfIEThE3%4Pk6+bfNF-k3HhD@61oZ?d!6|so7mMRX zsycp9NLX?v+{uPe|Hs{VfJbp8ec!(Hp3m={eXs4a@9eX2IOhbIoPz)f5Qt>JV1mIU z119I3bIv*E97T{oB$1;;js}x+HWu^!dQ01C&CIS=0iXTp>1UZ8c4ue0yXs&6s_JS+ zNA#EpQrbRuMJUmhuJDwYM#Ve&v`#h^wM~cHl)M9&?2zOiefA%SO{?bThkSsV9m32< zvpu!$5Zy%q!j>KaUznvw&^77823V&~oyj+P-G4?!vjMTW{EAtWGJ3_-CF1puE(=tF 
zK~`)HKS0&o@{`w}ICnu=WLU8eA4--5fW`YGKb-F#zU#F?BzWv2Ta_;!Kb`j8KP}Ld zi=v;=B(hoxYq?RAreYXl5@*Yn-KjVHpP>feyYIdKP0epvJHvGVJAlvESN`&sXY=PT zFnFlS^h2Qmni%aYC6-dU9CL=^@S>gQ#v~wH@+(-}N*P0@IGg#K{0ju%aT3%v zp$fZ^KY^-5WXhZD2To0o+V$G-Er|A8oo53~CZ9?fPN8t zDp6KWkV3O*Etg!JGH6twAZ4m?j#Ge8$$}&_fUg$#b$o%B8*(LrE%RYb%+i3xfyOK+ z&(d^Nlo+qR080i=kE0*7Vj5t&Fe~P+-4rx>jYw;X(Mk#i${Jy2Z{ER66jb4SCb4Je zo~K6~2%8>#;%Fq2 zsfLdnO~xIIG;#RMoIRIJ^*nju1&FS zEwX-cv3bzUM~|JT`E6}#Q`D|gPuzX%q$%(O!y@+#SzwYdRb=w8*nvS|dk)5kN)+#Z z;8OC4C{>rPJs`!Dl3=MF0xP1rYxf=sJkIpQ9~otS4!Xo%^K41OWOJoj#JpsZP&J+F zAn7D9*rsusyzMw`S=TvhZr!;nWXc37!71^Cs8>%V3VeNwx9=@MSiq zpO7hD=`qveM;--96uA4ubbS|p{l zqI5p5T5|@1P^M-!HFjcbN}x_oIBsQ==edO<%#+f$RO)ZrcxdnVrC~?jH?X z8nZY^61Mc{cu7{GL_rzZBwd26*$|hYOq(PDOXeZ3%t;!PQw%Cz1+AJ*U;R`sPhHA> zn^d()*7prRP5%5dv#EhVp7ydVMne0TPd#lde?ck@7+g5@P|rC z6M1yK2pvM1HNhA3&#E;M)QboZr%*3wxi2eJlvSB>5sYURc={=bLGXf%LHTe*WRzBA z3?H+UEr*DehA*9p*&`G&?mQAOp#d8;?X#bl2A|A<(5 zHc$MIbufqb0rM)KCjhN?`cSngW~A*veaPzXRYB5=x&TBi`C^<0rvq*^PxE zz&B|79#at_MjZ)6m8n9)1GB}sSq${5e1(cqcby=YSRFE^3^z!}E@`a4!%Bfr!|8hT z?88Dl$}ti1(lwp%Huvc}fO&$~QJj#nrJC)QQva5R+I{N$8-v%q*K}^!RBq zB{*e*l*TFPa9(|Zl&M{{%GFAk1FfHZAr!jZrtNKr;0ri7pE5{F?zdcTz;=_owLOIc zv*Ov7?hrZ9eWiO(cWEloieWVY%M4)2tPpx73=6;t5UrSm8mdgRlBqj&H6?H(Re5BJ z;!+KR#eID?K0SD6*-7jAt=W@t#ClaIgWCQyiV#vzrSpnEbY0PI;iiWVf5OHSsCsf} zg=2?a1u{qrC;O}3cMY5sYn|MIs@f#})v8k$S0Ty-e;sNE6*p|es3IXDzOF#fs#s_V zslr5=CQ5Mg(})rS0sSO=M*oX^F;Z8qUQ3!x+4R)?y()2?`W3QGF#Cg?tnJw!BwxHT zR~s+B|NqVYAaOCT$Hjh@P(l4jsG?M?EThcS`QFy$5h^kA_Dbt#mmO75!pLLgDpgIh zgzWUt5+yM=(z!Qq+&CgWh+)Oi@>a5!$-l$pm?NGv})aslYE^}8lPuM@VmAFPyJgYi@!Vf z?y=(`0{ExytKR7!{>_B&JqM3rN!k`q0b%0z`^T_o*%MrCci1(2?8;3xoD##8S2Tl} zkuFdrF$D>Tn|w-)HCPMO=1Li+H+!^q=~89D`*0fM4Jg)l}F5pwsenB)=X$iD06u z`Fo;h#l_))r~*cf(x9a6*>sNWEemH#l`7l4M=t>>lnHu<-F{(1ox65_+hd~Jz9Mg5 zeCZ`p0VS)MugIQy{4Sml^r2`B9+_x0e}wTkBZ`QVpqPH^PdmlkRe5d@E4E@sSChDY zio$>pt1vHA<+NB49GlMd4u4xGEoxK5K&iZIeyP*TZpc7036N~#b!kw1g8F@zO@0}4 z+eXjVfhwUwC}-CWXE-PthD@QdmM&Y#S1>}HSK~~r+I9IMDxW~6fF~3$ zL0ZNXuY 
zW#W`L{lxF*1Szay6pm<~t=o5P+qFj!idU0NnIPpwD4@#4zL?JlJC9ds}?QpbU`Ad|t&RC_^bD zt4$G;UIAN9h7}-S$?`p3O|)X73ScpT&t1Cu@19Fl@kutJ#sfye1-2)F4%H=pP#f@t8a{wkyKR@EtsS zM9dXzc*c(W3d#YaSZv>le>BkT!4c~w`-4yzaIp1bS5+AB6omoHB_yt++tKj*?e*bZ z@BCMLl5&3*n^MJo;dT8{K|Rzu!J6NOic($Zr@&eg)PKI|9CvI3ARt$++_neAqbn61 zDW!$@AR`Qi^XvKyq=OC77)_EWX3Uz?;QPkp_}Q+>!eL5v^&c=8U!UZ?6MtmfxiU_3 z!ju~}ZIP<8BDM@SOQ_f|i@=ty1c-3?zY~2+fgfm`;>ye@M4-{kNEIo@r^mh<7>%7* zr0c%0$=s-wJ7bV%pla#Xy>AU;m&5I<@;SC8pw?l@i(MA(IdP6B5|Kytoj7Is{Sx7n zXL+w!#iDR{MHiuwY#@~ak6)58DJMvI5lZxMJWiRq+SK7T4evlG7kEk%m9S@0){?xk z59CS&Tec@MAJ*&y1F+~K)mJ9U>t6LuvI0S?_(~Th!}3qBWES!2#~CPSCG-kAO1PCq zs|#1I<{7z0ZJoxJj_h|&$rQMif~rWh;Uno5@T|U@6;83YTDyhJ`~yc%;Ge-;E`LI- z5GWC@z=bjJPjYcY1G2-WLN>H|@uip8^|f)6W`Z^3UEt`Gh!S=J^J@HrNq)BW0KZuL zD_h`^Z;a(E8i_8YYPzX^cseTn($9eAhK)*7frfl>idq4>oQ)*Vhs03CGA9t|j#fY4 zvF=2864ys5jjdJ$fA86Nv4o`y1IA{49Q&Ge=r>##(2D)1@?>gC#SX|vS@X+&^sMa zazDWQ;pX{6zC_S|ym-lzf4f(4E4GYBX4@_NeaFQw^jJ}R*pg98BHkFj`6(jK*p{Fb zF=fv_tsnGRa`4oT+Lz)Br^M-(D38KXgF>8s!l%S|7T5|Lr~H#Ctvt0lHFd0kQ+ALt zl{UwwO81XYeh?&Okd&-%`TBJ?*a`@U4|TZjqMNamjA^+K$i-0ITht7XTo#QLK6q?-JQ045ps7-)s@MwSK0)qcrSt!At3 zY1%LDI5V6?BcMv76{5tSh!yh1Uvi}~$ zmZ2IOoi7qWG20HEy0DA;n&Q{dKPV;)^d*vH-s#tFB0O_N29kvo{2z$tq^L#r|k?&chQ*OJA9!oM0rb zpMhAh@#0q&J7ReAE7U@ynBQutB~?LPQL4-dkCU(;y;M*iZLxVGwR|7DXm|)aYo@Yh zbzh7?T@hTn`0Lm_nqfu?U=z$edp{?B&ovo7CIjVLraot0bs3* z+CUzAvt})@WZ0yvSD*eQ1g?o##|%Vf@knz)ls_VdpU`EL6aRX0-+5$6;gpgqFHT8b zdgo=^eouil7!zQ`hK6j*+j5p_2rss!Y7uJl1+a{Rw)3BAyRh)6HK%^Oz}?#TlvuE$ zA4FFq;!|!5drgoM6WR|*X|*O=PDIkiq(npdK`1})gj&`J)(l&rt1$qd4VU`S^3?;8JxK6-=WNCk( zHfChnXuxvPE17sEVA<%^sdGOr*>)ggY{VboO%Nz1wxAXH6*QnqqEu}bD3EG8^{Hml z-|4a7=-CSr%r(&p#g0rpQMBUXDF1CccJ=PtKYjWPb?erb`s$zzZRoI(yd{|&e;>Wd z(6GQ$FWS}Eqz_mT!#=G81`XxAgdQT-N69GA)dZkT-NJLxZ%nyKQ>GEuc=gp+^+jw4 zI1)>hE<0-UH~@=6aNGu?;~vJk6KP$aWnCGqh?PoQXGi-Qo`{v+(LO5?E9<1~7k(RW zt;4Uxsa+#=;-7a@s73cma!haIcV*K<8+X=EPU>d%961IJ9tK*0 z9ndR=jEb0Ghx2OY8Kx+?7K}2kMOJB10zE^-E7PE4Q@K+2}}ozUP5Pyzv?6o1Cok2-J9cK?YnD*>>0eBB$m 
zf85Y2-YcjbgSzK!fQ2dOX@U3y)#x(^Xij>?gwfoJx#UW(T+xcTiobB$y6vIUcRWv^ z7T0&rbt(f8w4z!vb{emQsIbcLBp?V)raaYn60-2Sw(}dz*+>#QtV*Mm7<=NNFwrV) zg;%b|uh0)`Bi0K%Vf`*!5zaAH2-2l{Gptl;&}#A0{ ziF)7^+PZxQt7{M|JUN)?=AHAPr%s<{J3q>zvipNmvuPD72N>#~ef~M?aqtap+Psx( z{&?PvTm5vwTXB7;b-st%(O$N)I$R{4iJ<2dv3l8d{olk}<-Lr}WKb%~D1D;}beyA% z5>YD3D6!_33hFL-2xM9=TfP#a>i|!ob6`ZH}Gu7zhB-m_pby zgfCeVMJl`VhZto5(YEFeJ4AM$nKfsga4S6E&YwvA8I4n*l?hd18IsV`eyL}h-Ts@O z8n{)_E4UT=Mm3$H>`8$ta0-8jIysFkdRxxhfXF-jet!5AE*dd?HBO;n&^8*RG)~c( zqM&@?6e1u{<;5wb{j}-+1VAbQp-}0jlD9#CD^etZJ3DvpOilAk#9Z&kcF*SHaBN^! z0$^#h;=nIpC6`_)z|vNS7$Ht>C4ePprFpkZ8_lf*s(59N#XAE%J6<`_YRlf3&~Xv} zGb%=fXmRfKiBbV6Rsn-eFezp}DHgZ^dv8#)o%j^yS?87Ne2<7sBO;HVJ1^@EK`TwH zByNRd@rQ_s2P5@j>%0O<3ruxFQR_Es#s!3VTsSyb7D=H@*cuP-Q1Q?b&-~>tP8B3) zP=g&ica!y`RO&`p=zn@1ah5yRKg#p*pV-p4fVjA?3p&rU$P|_bk`k2X%Fg9K78Td; zZCAwV@>uIaf2G4&5sW^kINqT=@k%~66FT2{@n88FYafY!?cj zJa~hmPDrj0C}gw6ESw$+sz~2Os9{*RLD)^c{lZ4G*PT6o!A$mpQh`&hPCpZ*1gFxD zOeKJnw%)~_*Ul&#jna%jt6WnL8yqSDo=jzK>Uk#+*ip$h2I2Nk+vXGR+_21c=jKCk zte@9_EqcR_T)G2wm-=!ECdIHA#01Q811yzp5jedPi^v98XU_e&Y{$WGW^DZ1kZn(m zI;fThVtuh%3hy7mDHW4qMb(Cshycg9oNmA{mLzHpPOL!1gBTU3-D_ zbpknHxhN^nYze{KU_f0e1mgZuJKB4;vO3=@zSPoDYS?;-l`6ILo^|-QgjUv$zdzpp zy0O_uZtF-1>qJeJI)a~*GD=V?0Q$~G1=fx~@*gHnn)2$a$#`Un;Zth3TlZcd2oxK+ z#?pfwQ>K-v;`oL56QBTyhCuD!yAPjU|A9mD6-Z*^=^{mfS6KIpNUf@R6z^}E?NIHGK;8UVG^05DjH}7u>z|4Y*dD2lc~xRf&;MgidP0il%2eO z(WYGhH1?Q@Q=k>5taIg*jZ6uj(nhk_%m$fK9zUAc*wQ&pCZ)+#QaI%^WkTbWp^D={ zN^5L6(E8k_=k4$WG&m3{KvcpC4WtEfHRnCVpGk~d=CkMrlmq?vu7IWc&B?O@1T0~} zjG(6}sL~9}4Xxr`!5Xk+<_NbkoqCVox5Yfl3_e6{Qj_u+6$hC_w@kCKBSPCu3dGll4O`WX(&L)h+@^D%1f*cW_x_#-{^n+ z6u%hO`Vn0rxR3!c#ujHvr+sZoMQ|0Hg=9ehd&sP(5h35@qhcY0g%9KsnGv>=* zkkXE%Oi*P4%aA^&>=LulHnQgL!kQ5xromc|OSx#V;=X?RgAYEGz$jT6BAZD%8_gdI z7AMiBZWFMEs)<%sn;D|HWPJ$BtqKc$trBK7N3(W#d^k z%+fqp21^DmF<=EmuYCCfwKGtMt}rhT9XVQW^2%q1veccuJ2$DBjOhh$VqFG~KH!P0 z2_Q)lCmKzBs?!RU{s+TC1UT7j8c9U)IYm--34j~CEAz0m=Pq8>XeG`-9k)W<_(SeQ z00R-#2^5Tm@h1#XJu)(zTK($4&o>SYc#xhqj;Q48)C(v5%E`5!*2yAxhd( 
zh})NM@cF<09nFcgFPP{;tbV>`-CF2b5lqCYmx@@C3V6J-b-0k$_MUB?lEE@;H~9;{ zjZ^z4nu&j5Di5E{KA==YsjiH(t`nu&X6tZyOIjTR8WdF6+%@d!r+-J8;*4K>@zz^! zi<{Ta6TSS(KdC27HCiY$s|m>G#MEbq-7{M}zseM)>IiC<$|SgsDGTYm{&jc7yVP07J+rcm!-=Ng}yW zDpsASlWWvly!w(QrBbA}JlAV=wQ1`YY}p3@#q%joM!NX@#L6|3C^Sxi=_w;qqTgJZ zlozB3ngothsRbz~BKSg()Syz}-*x?U+fCX53(QRlv)lkH-YcllKLu#TI3@-xJH0|W zkS1Z-;FL61dSyea6DLnjn!l{Zv~?xNt<5?l{Dc0>U+B8%&z%-~icWZNiX;k{RP*U7 zg9wiS$b}~XN(GH#o_AQRaw@RU$P7dTKss_T2JcX>L-%GGwsz~`lMo#7qHAvDj9a;? zrc|D!F6h2}2gtRffRaZhtIdWrs2XPi(IY zFv(+n@WDrY`ws#{=w!lDpM3h6|HsFENcZNOHEY$O+gT;IadWg9>(ggg%nJm#{VeOc zC>wYWX#%Zsh}MoZ!r{spK19`EC)$;L+~!?JPm3GSMyxOkg;)uHI zHx*9unJ~sa_1;XsrIgOb#fn%_RuoH{i*s+(ow#}H7Cu1zTVzWO8$Qxk1t)C#?;AB? zzbcd=*heW{%A%smN|h?()N;iACrzFPo-(owpNqD91hHDFbU1qitIa_mR$9=hwc*%If%3Tr6v;GJ5%7ZtEzUeSBk`X{`27q~_t3v8pody{*<`)$`6j^e{sM zUQm6J{;X29`ak~h4_QsX8U*4{yh3f7HEa2=S6}nRWc3hy^zkS7he?T9xQKDzi%gw9 zqXMk1#tBG)LvO;QDX;z8zPlxRqA}1k{EDKGDfHsJ`P7`@*SRbHm>wQFrCfiSPsLLz zddGuPhfkj?I8hapR<3&jRd6Nb5ozTB2OzLT$}T<=FpCsH+#sX~N|V5Jd~A9vLFzyE zjjA|$*@itaCr`$fnUuP6||WGVrqn9}r#AQZ36aZghk%mk@GJbr;ARDkegQ}Q+x zuz`gyFk-9mC)!+p*LH8bHE-VbTnXUi7q*flSvH0Ra(OXJB?_8=#b}!TKrd$50gH*j z^w4M}ov7`wQvnOBjUx3`(POl4Vgr^>o#?tISu(D_d3Z~JMF$WLvUkDmbKeOF% zCCU&j`rLER>7SN^m;UjOp1sv(!AvkdM%sY=DcJY+-Y%uXagL$S(duWKC=HLEKje*A z#b)|B=5=ef?b^Stx7L34Pc)0D7xEqnwglK97FA1-UDbf2)wn>mb(tdH6R zV9B;(q@xp?p!YZrKcz6ph>>GRGAEJYzRoCvUi{U3?JTLa%{K<>$U<+9$#LS1GV0c2XFlBQDUI_=#2JL*I z|GICctX&xuUw$@loT4|R2~_#Vsl;Kac#og9MzIymQ4d$rVkSHs|w^>o;(HY**X;tGACXtK{vgQ#`va_B2uf3ws#~setcV2jiEc zy587-_arbHr`A$sNx0#|B>u6MiY@6WPeJ0}80F`@8|71Mm-j_yf$2`9tIj?Z;1J5Sr{;e?7$qPMktyG*sDe>hOuvS;ubv-G~E<2!)vA@Pe@CA$ zkTMm%6A}C)$baR3Z8vG&e?Wj`_y(oNbO-7#^^aDJOJcxE;8u*I&}2l3h8mp?3#fzp(BI`NV#&A-y_d%x zIdS~#g@dPm+;;TL{HPtB7DQDWzv9y#bDnQM*W)u>jSC|C=%|=eX9cR9XeBHL!A!AG z`}rdNy6ro6V}a`cht}IKyzm09By<$jmgqNX$)cc0*~Q0;u454v)pb~7#c|Yz&3pjI zJ!_z-8TkD3?n!qae)thT#3E1}kBkM~%LREZG}w`&N4s?Gu76q|lq+8WG{k?!fTAP; zZu_%5j{9ohnIobhd`jb#$dLr6wBIjeO0;K<$$kY@B;_hga+QK7$P{T&pcQYiGeIkS 
z^~9Z<&&1UHQ{Si;hHm}$=v^OA*i~Tc`iAqi3|+o4GJ406BS-0B)Pm>-(G@nopV+{n zVd!(3XddZ}z(LB3P>INt4d)@^MzCn{`Ac==IF zNbr`pm8%;NsT4CZb@FZhHUiEzL+obNta+V4Oc5d@eBicuAx8H)))9VZqt0Ax%R>LR zdVS3=u) zbtYN}TKVEu&E|OatjDo{*#=bg+3@M`^*awA*EN})Xhpb(9BlqDO)p)#q{?{WSBGPG z+<@W z#JRy&Zr-x5HICP4_jV{384)X0yrQEbR%m+_vGS$@#%8c$Ubo%PujFmq{1-0Z+wH%_w&B(GpPa$r%p}L{fD$8~1p{i>sEL{A z?%FxH^~jXy?b*GTZ>^13$F{=k`%LQKKmYl!w(UDHzMz$aIOi=`jI=Up?0CThw%tQ& z-pX?^b3BsqGcqDRbFuN_amo{-LaYjm-|+OvSS6L@PC%w`=+QXvw5NNn{Yy_uOm9>8 zMUEedf8ZCCs`-pp+D^k;B2Da4UpNI?VcANs+u`?9I3<*duAn8KPbr+TIsFoQ{1TBV z41TfvH4$*)lvc=EOS^)Uf3@#K3O{hehA*jaey;Dl8P52+e^GO1KqJC1?dy@#nDt z$VU#4;*vG4o}eSp?}Dk**9#i?A@ zk>YBrUlpZl@2&VZ!&9EZjZV7vMWAQV^YkbEkD)>U3tNS>_R?j_v6Z}YEX*?i)@Prm zuUWHpgNBXXemg!fo)2)I@uGyInh$g4v+)ON87+-P7U(?%@Hsy?h1A63lt-4%U%Fgp zZuB3A5SH5X`<@Zc^ay`_V8mx5*5?|(>Fddn9T#p~xOva6eFs);-u~>cohlU&s3O;b zI5IxK)^iIDUYvkap7m2=rV5!tA^71_+V98nOQR=J22x^{+sKqRETuq7JELqKza$Y# z!;`7HeW`aF7C2GE7ZMTFPTS_|hn%-$yJugIrXOE-h!e9CNR~HOP+J0~OVAd>Vwl9J zNJGF9%g6I-Pqffz#mr=W3bzu#(r5){MeaTP?7%Hgkzb@TTBBd?w`OnbVOCI*$BS2= zhFSosY-oiiP|!-al`C4I(&Y~`l0OmE0AxBDAK|jZ$~SJ>%rYEG_I2pk1#Ke@%@b0z zxGnyU6;0rYr8;049|L`u1_m`Ons*uIda*u(fGOl{O8?z z^&66`&h^1cN-_9@DhdtV-C|vXSdCEyh}1q-9%6+vO%tn_&#e7E>$;ow`HLM}d;d4? 
zz-vY&rTo^>GAc@Srn&Val!~o>WnZdO$r#Jze3ZFF9uJe0nNJV1c?V`e&t83t6)*AE zzde_-et?~+DY0+~<3(fsGrN*=Q%QW5d**`t0kt9*uBjA6;8K_gbxpB*(c zV)yKAhoWLn#vD6MevXpK8#ieD%bqn=r>s*(rb?gi&?{2b+bygyaTQSIpHGQ$0Pe-U z<<;x-!}Lw$_Y<7r)lWvc2~_}AVt-&V=#@wl zuUI}_v{Lkn`6l$r#;r`WvUvij?3a$M*;H-7ZBO^#(rfN&L_nZQ&`LzZ)eUIpR&H)U zq!QT_Aw^n~kmuz8H*}6pSg~^Tcn_IE+pzagXo-?IcAoy-?@X;lktMSABp3nbq8K24 zKk3QM(cAn$6-#{u*Z44lh+FULs@4AKD89rxuNpOLk$}O6x&E59k$M|hT%|sr?BQuu zbckxMYJ=eJY8OHxR!7TPWGTo#RuHS0H>_>HqBT}l?7!k-j7myJf~^x(tkd=5y@2ky(FsFg*G08cM8Vz;C)exc--Hy*M z1&CAlD9)Vu;lzoP$`HJxLc`+9ka#gNsBsF}q^&z}?4{w`;xhwr53+c_g z`T%CTJOwkWsgo?*0Xe>=~z{CX<2uOJmD!ww3XhjpDu=C?V${S}99jiHl*1%dV zyDDu?YTa(r`6ezn;lm#WZQM)=lr(5Qkj{BC=B;vUK8Sw0BwOn0C!%<{{y5&$cu z{y;Ttw5h{%lBuNuOQRL@kO?W~6R(0+nqI|w0?%JKc=CrFc8Ub1rh^Q zaZ3}ed~qugC?QtyoTKi9YuTy|8Guf8M6C(g+7)%gdMiFp*Qws~ zlt3r7&lgk?wP({Jz6Ay2TkK2ath@x73N2Yube()sO7Y0(;HC7b!sI`0uTmKZmq#f* zf3}0t`6sGbM~Z3pS{$ynSo<b*8EHV^_6I3`%ul zo@){HB>Ewx|IGwoJ|hUIGBy(-fK{jNcOQQAQGkGj4b!jxAO?=$rpyW^d`j=d<$K_i zK$SB@WxD>9GyUE@q)Eg|vY0efIdKXJr5JVfIa{9|5vvwY5z^|o^p71EPmbI!IK?a7 zBJLEY-!BlHGN8(3d2b*%Wg}Bh2&YUPZt8YZ?b|@X9i9R}C06x68L=9*;r1T2qB&=sv1CSMFI1@ubLDqi1u9LxUEN*vTCR0&!gJM}~83>IJP z{?mX>-IhkNjB0=50tpafa;^h!xCEQBH)@?hWtd*6lle?QXB3iUbT64&ym|^|b`lU6Hf^^X028?{drqh?WLr{&LgUbtfCK~1UriU;=t zSV_>U!~rZB8mBYR<_`=It(>c_9B37gClH*HhQp!ue6_UjyZ`e-H{C!gV>=v?co8_uhAY zkuyLQS?+w7N=nEt%Wdk`tN+J8{fYl#4Nlwk9i`e5sq7>|v+#${Fd`s6m*uXKxNrGy z6|su)6tEp-o$sR}R@7Ni1#F9YeSkUQVn4JFCqSg@t^P76yem@&diKtc@xALix2i5A}E-T;cvwXw;BO==1 z6sD;(EL9*l5Wk-vkfMJaAf=W~iSCjRyu>(6kP_9$s|!fEdHj+@s3hS@t9m;y0Sbw+ z$rW_gM{Rtf&H1CYyHalr{L+tO!WQ_YkxO?-axu%6C@2ie4X`ja68wR#xfWu&@G6!J zQ$^gx8n9$uiF!t4NaB#76;NfOl{0Q7CZ7;13|gd2%tBPO zYwkKiD#Qx06^uwjg}|k_I6A6R=Wb5Dl%AARmiXTt(Ri+t#f#8&@>(2>Q5~315 zg?Iv0Nb9Zx2VWntRV}~j8lG{`ie0e^sx+Sx*B>|~Q040P!vlc!;PJIS@s&iOHIgTZ zA|ZnUv_gY9amq}e5KU-fQhJ?~E0c2SUagk3qUJ#J4z1NqRj-Z>gmNN6zzOSie>h;}zSzS=V?irf8Z2%=K`RjuaX#4GfWoa%&ivWXO8oG$%<7kM1M+BN z#!g`W2%9=$V-DgM*w|9i&9-?C!<%gGfaR9Ivr 
zYD#rDRE5=~k`k1PN=i58s9otF2Sz6o>GiaH13=(<#Sg~Nuw&4z<=|vjehX<)r0#&ZAKO0VIs6t@7EZzEhiZ68y4<56Y63I54a-~!{FJ0r5 zhANFy^q%iLiiBlT{`r(x>AWU_Di5C$ZK;DP!l!h!#TQO#kTNy4R^y4(yMa(ZfDIR% z2oeY?MXuZ6zXfs;=TCFSc6+`sOFyZ8eBB`$$DLiLd)0Ia`avs`TLl)nQcy)RiB)2> zlH?qfXyG5Ng!^MzX{eI86$aSK=sn|?tc}lZ^`ey@H=v-En0!gP0Rb#uXqARKK`ur1 z^2+cvnKEV3K%);@wrYz;Vod2J;20euU*Uj0Y0;{+{-o{Top=5-&9e`zz#J+3*aHNl zP;Tfz1epsW?3{-->dPkk(a`OxfbCpWX9;3;wv%<*voi=)^)#`HNgsFMzv%;Hw?|b+ zT}P?NQ6!*tnqBEzs7gv?Fe*w#aax!CKIj~(iyUMhwPVMbX&5%dFjL-L0rxM9Dlj2P zXm8%K_5b|OpUuIAeY329SuuCsLLtQ$E~I5yTAmI*#UIv-`28e1T}(LTdGP!RpGukQ z50Da1$mRn_KODFHsh;aAPFTb4C))KVASHYX4IsfO_@)P^T$0jta7w&4f>UBA3!l;% z>EiVBPo_lO2}1E|rums5W%Kws)vVUQqLa0X)=JwKJekVhL|bDVJgUQIO&x(Gn@e|VbIzcXwoa0Dl%=5ECDPe-_sJ(0@0iX zw_-LXWU$+~l{m4P)yJs5!k)pN>{cOG{<#%U6%bl^vjKmxpcSY{xT<=Mnom9Tw5gOh ze&;{$Vn0Kya0<~yl#3#C&gVflQU^cy@I%|@_1o_}+Kd%ae2a#yPK7D3N#1fm*_wcI zCz8~zkFI+Q*bed3S!$_J;3&(13uqRjvesi>()acYAHeA>5-JiXRfu)GiYG^%Wxsu` zE2C5%gDGQS=OREf_VoJta^pj0}QLd-~wQ^@R@AI>#izy{yZO=d>m-!|h@^s_*f z6Q_7)o?B)zCIn6MDS;}KjP~cCe>6^+@hMSRyz2Ors5PzS63CRnq|lA7WXgt9DFZ2A z2!;N)0fZArQiDnXe%JYOpO?23O=7tg z+KjvlIu?;f>vGS8<>&!=0}X@Ooci02zrx*UPo1UFo-G$USf?9U$EzkJR~*U}7yFqN z^H0}XebOhb$fx2Cz7ZE=)KNcD);dvBh1Je=@g!7CQaS2Bop<&I6-^Ma*WXCTK4R>5 zi93!g6f9wgss|#@;5bdoZcKa!*RJ0HBJuT^UBu#rrp;Rt#-dK6@MUl_4QC^l;)(bZ zN+qmHY&KYx1am<~4OP%gKiL#E*B?@eY?@Go*zP+J`>$Rr`Yhcflu88L#3_L)51&FO z#8WE&IHjS=iBnof8SyE54T=Pil1wuLs?5lg)|@ttsx@uWWXkL4^952iEU0jxrp+xE155{ej-NRYIbLCRYB@ zN{k;(taRK;po&+|oJ@pPPER0nTc9c)t-NKIL>x@CGNDQnEAgv4gI40-5U6sx0g+J}s7k_2q(ijt(D~KZUZaGC^TV9syih7O zQDPJjYP1=*t#2{SZ{B)z#kxV(`ef_kAhkw`to0M$dWcmn;W8ja+<|n~N!R;*vL~&> ze~mlvfss&A*i%Qno?7-xj{4=1Do6eHIxEh;*qL5pQ_HU1ddU4@6_7beX`}uFhhPIx zcox49_84v{NRHR^;mzNK0O6&wGo1tqzyIpOb#`zJx~Qs z2~@cjrm(sGbbJcex|y1;v;GK9nei!HA6S*Dc}vlbTpTekVzcB?i0e;;Ju#nBI3@al zDJ^75^C`c6zl0j=7YJ6J_aKY-=m6DY=#Oh^w}CGrGn zw8H3ON^4IbP^HmIeBj~<6o-SPSO~X5e1IyARtQ%Lf>z4tOzUhw6b?ND620+8I#=Bd zy`ugb#nNAT=_UV5M6+klIcD5Mv>E%|V+@=)aT0c*aq5X2#NAg8v}@DUa^MTSt#chb 
zS?iUoLwa}M>~RO)WkW;PM|+|t$v;#H6$f*AKr^>>q?D(QdJ|8M`asWazjLko2b>8N zC~c;9{``q{7Q<{H`z24Fyigk~heeB*;TS{^(3wB{aF+Z%>>R$BCY^ls+I6CeEO}#d zM#_n#OZO&OoxS2WPh5_2Mp&51Y4TfKM4^-erviymX{eGVA>5KAGGQP3as7$kUL^PA zsZ+6s;qeEl`p@a1RZRCKUbVGp~^p*@*kNJoJxX5`Q=ciZZ~zli3l$6 z*bOQ=h30i4xC6iy=fWDv#@ktV`#JQokl@YW;W@*|7nC4K$ z1-a+Qbx|afKl98pDc0Waz5hPD_<>W}K_q)8rIkW+zYfV2tVm)x@Rjk3SgEY_rq+q- z3Kw*8MeOI+f!9*}Tq*ma_0&^w2VS=hW)*U09S%|n6{pzkm#wLKT9-XJ>bI9$k6aQe zmc7cKXLtmQvs%?+x&h)sYG~P`IOD?r}>mnDi25z zqOupG5Rmfv{Sxsh8<{de3S$Fp=ATT7V&v7-maa@nJGBzBCOjaeIfYi*rY6@K-qied zY;pjThN0DKBH27BeA&Dm;ggT7AAc-r+^!YFx6W#}XI}g88GYBRUb|*ZBrX{l3dI(hrk3Z(dV8ZP689Dxw!dVUpU2_ z_Z6Z-Qh3bdLY2++hvb?#1^BwT{u2Ctf>Wr70Qi&(PJvdQB#MOKl*BR;aEjoRH!>w| zC0>P3iApq;WI#COU{YF9Yn)0Nq!J^P4K;WR?krg}KYaFp!<%PaJ-hebjWZAKTzq){ z#>0EpZ(cfaYVWEudsiIXFzrCZ#ORe1w}wxN3}3uv)hdbuIGcY6bN+OIn5CalKQ#xs zD+IIr1C}sW-RI^&aI68#bOyq(G+>$ZN}PcFBW&@ZVDFo}S0&?6_nKPcXsQP>paH0)m=FwTcl!3O!5H zQ+QFw*KANFK7>GUN}$TW>rbarxZ;!vRjxRN1`w+?IXH!$u@|GznSM?_l>k+a4G_U8 zCrF_iMQ6Ht{A^?j4J@iyYi6ykwE{PpNFpX>fRqg;Y?!iS=CD)yR^7Srd3+Nglq<>A)#=@u1t9e;G%m8;hPebVi0 zw?d$>P~qSV88cFjo{bT8(2x{C_$;;SW%CqF4#!nfb%I-h>7&U{oIHu@X8yBaAyrp2 zzRbn>)2=@gr{XD8NyDl^cQXyM-z=!;u1U6D`;S_!uj1B^+o-GJf=G*c{uTLqX9 zs8cMI6VTxXG|>vT41WSu!mSLsPwgQ(0fF5Ty?xHS1-*LrOP?X*U;p}7TT(h2k_bEJ z*>R7O>?lIG%or(%k67WzVjTdn-?^y?v z*h$ca4k>}0Rg56d}`-%mV3W_(H_@&Z+wOkt>-$}nj%gomKmoHlaVA+~0cxkkf0~51S z4_JXPEEBC56g@^luY_CiYNuCTv=XQidgVncf85Ge&O$OyooK~e^+Ht=Xoacf3#tGt z5g+781WF=S;s%t^u=W8up-OVsAy(QAh){!5{2}aVr8nd{C?i(xv;31vq}b}c`}VI@ zr(VghQUwYI<;0j0M)wVgWCI-PbJTv{8nvD594F=;%ii>Sm9dq4>UkL zZ8ai*tq(u?c*?YyKvLxT4P;kR1)ct9ca?#IhRXS!yOrM+Wy{>Kb&UBIm-7#2F|p1v z_xyj-{MHjX7Cyx^7Mv2Ol6mfjQXwhY_2(a_B%8vI>rYcEVO0jDLfGS%`U+0*YKEwA zgwixr>3lz84K#7)_`)fnRDN(uLzUKn0#dyC2! 
zXPtF-lXY*Kb$>SrtB>v;xcwMmI+uK>&FR% zVd-8HdX-$X(!(SNrYF!BT4AdQR2keV9<9U~C=`6{6rd#Fk3Fn2tyOI3XnAA5#Vn5xBy72Eqb+Ip z*81VKxR`eniYcjtim%k#WVjxTPbE~$RKc}47dIN#PD{6nRo~VBo^GelWlo|w=gwbP zGOTp-=B)+~9l_`z*QA$Y;qw93WD)Q}^P6MAF$U9?t=rZ{MxiHV4KM4bFfDAK479^j z_qn8T>cIoW;}UO2W#W`jDiI|tKoKr%LRlvgI8GtUzW5ZK=>;jf-%q>#JUEqzPl+=} z$EU>aC$_YWPua+n6Qt078lk``@j)eW`nfSFRIaFB8RSyKLS=z(8y~Mh+ z(!yE676$jCt@}Hz`}?d12Y486Pb@%qwV|&*gjh;PY;(+BV!rAhbQg7}pDcYsM%X}RD zj0v#ijb~|sDIMjCS+4#-r!&wOy%MJEn#V3v!a%EdPoS7Oyn3@Nm|dz)AWf_zl(Q49 zn5axwgImQX1j_VI0)v*iR(IJ`xq?JH((Tw5 z>acgeMOD4_eJjRZlp_s6N-jlWyp`bn^CVQ9sG(BmsZvPMKa%QiEwmmSbv`h*2m40l z%$3`AOaJ%63$peWabPww>*({2ow|^+jz9MG*I$S8Hg3|K&n#ZL0(Ast@i8nYunCtP zm*uyxK+uyFD^+G$mgkep`6P)n3^66bn3>En`K0s4p2Qg&RM}mB0c=Mlem|hf7fvB} zzCu*m^`~*lm+Q~z_jB+mg;SDB;fqh%amt$>h6dA4KVLYdp~?lPy!Fq82$*516oZs# z`{*?ttlLYiJK-Lv+TekzU0$doXw70elg1rU?mr= z=u+w1c);>xT!^XQL@SeCna)6sRyrrpnP?G+Cs3mmGf>dV<_6R{8J~csB~%DRX$V>| z^MzaK+;!I!ivZn#uGxSlR5{V=NhlMD92tt3=!i3_&ur*7HtpiSa43PIPvX~8a?OXQ z6bf9Kpb&w|MJl<1$`vfI^6s}7o8H>@#1~k_#k^{4_*=lUoQnFiEmisVOG8yDc+AnC zUBY?ffsUUz`Q?{iu|ZW>sWMP15+|^!7=_DMu8@~*TUPLgKmPH>7hn9U^4B9rk0Yxb z4H;j7VOC-6y@W${Voyc*LV&O%#!_595n*Z1w% zf*IrM1A(6hrv$3F8h_&YV^-rjka_M2Qu)lL&`~N^N+o^_8%{x2&Fpk1RQU~2sj8u3 z$2xFI<@@=-DHWo^W)_^{6;r|H_e&K{8GK4WN|Pzrfk2h8hCs-aR`2-PmMmMgcT-yr zRN?)LR7)!EZBcfhascjs{NV7V6AQ<7{^IOD;7k##$9LAo{iL7@Z{GQn`>$R&x@pz0 z1+%-x?wWq`@b;g7x=*;uPsGZDaSv`?K63H+_VJ_oQ1?=r6R=zeS7OXEorL;{G{e&L zii3E}@=LFzS6%&qPP9UZOkxFWxuO-ui2^Kd+{)DxD6Cw}9;YWz6DwD=LW~h)nt!w+ zxgy2+6=uZB1**Kn%5(#Ym}3cx;0LZKe0_53hP5}YC(0j_EAtcl7OoiR9)Ca>Z`1I1 zecey8&;NX1$s??Kn>}v-t53AZl6Bw}3-6!K{loiryo$&B zC(EfutEBpSTb++aS2MdBe&1LZG7`Xg_St89^y~vvtyvq1!sIhVK5_RI4i0gG8ef5G z<;j`sHVj)>L2H_W1u3TZb zZH~d)w{Eso2Oq(2~=Z{P|KuUYAOoRfb z;z7!r+9$eNt8NaoKG#Z~sWo^0+~a!&cwmTFm9!Psoiz%x?h>)ucl*lbqucx3`*Dm7 zssNpz9^5%|aKrI^i_RTeuzz>>y?g!wRVL56bM@$rOUK6yX}@fF__7rVO(U0iV4_$e z!etht~clm|WqZ zRGAW>ilP}XJC;*XpOBqOu1->gHK<$Y_+ykeZr;KoDI29C4|DAJNq`QEtx%rm)pI|d 
zrxY+{gvrvZ{!LBiUSnK=Dop9pr7KXd5LG5fk6FBAIixI0)@-(m^A?iz=38%(2H&nj zCo&9KaX{tp(*l z6PQ2YQ$ne1P~|a>;uri1RGA6tu25xW{Yj>i@F~nlAybm|=WzWcf+{ag1r(z4<@ejL ze%+WMeP>ObxGpjRFM7O!@~ofII3<3+l;IT0QxvHgnQ~=PS~F{1t+ltPbTfwmsJe1$ znv$cN3)RjA-k6kHXn#8rLo4pyzRPEpUp_w8300uaqlZMFPF?Ib_U9zYqa7mtD&b) z95ZTQudUJB04yVJl?biOpq0d}G+L!BXceFv5WsQ+7%@WwU=IJU;Md0#30z6$urm>RM;pdc1!ur<$hnsT_Z(ZsJO# z#*A~`1PiIyL7s#bh!1;yF-6g$G<*n4maT+sjT}7|tZ{x(pP{^P{RWLl6eL7N?W}+P z^Is;n(jVjC%{SkwTdzK!1l?H8y=U)!eh7xe?de-?->_PpGMN|jD7vU;(I%BLW&iZG z92q|z)U(s^!!hLk;LBqw>JQrvWR|8CPU$EW(qyJm*j#_&lNX%Qem|U|K$VwIVR`yn z>MNlEQ4UZllTX1_g*|zBlXCBXN?W!>FPb}Z-pr}rR4n!Hm!JRQ{eKtA{9%!7A4@Bq z>(eSlv(uV+pDxGBO$F&YOE;|0wI~Xyu?lni8N2cON8+M2l$a-o86mH(xt5CGO^; z$9FcwJ-Tf}qWd?_JbGY1Y5R=r?VW3jY`O6) z=>!{Q#RC=$)Z-PD{^Zrku(V5%yt4JmS^&;AP=SLX8#8nO!$<4fysnI_yngppF^0Qx za8`z1PlKS$AEbZpwU_?>*WMkPEtoxX!JL_ds%bm1YIg13C_WLe1M z^b)K1LKfl{NYV|6IEWh%8NsMCgI3~27pM}n60=Z<72GO7Hz0t8Au7ZQs7gR9A6i0` z1LiBrWM}lowvFp${P4{JncwVEEBo@^#b$L0u3jS3yeVUBisiTZ_U=Ztz*ef)ss&bc z)$&_o2dkf1V72FoM69fX|BQ?II034T6j$EAQw>#p+6(=xE8|qw$AegB$1*fn=0SxD zo4}!upZUvQzW5?@?K<`P_8SQC311z-o-C5t!c0c)>eX+cKkVz^A1}Y$s!cnfjVes+ znMm@+-~ax9t{;B!rI(sEYr!X3uz(1l#<@Lx&%3rnRV|*qRkfV+dlcO~v}Dxa5(~N) zZC5QzwPK%CE1j!tXqIx2E) z#OhURSBKM9EL*x{@uJbg1~so+txQPX>SYVmEFV-kG<(^CpO(z`QR#vohvomUV(_P5 zg?v&V%Uj=nm8H!$*}K%r(dWBdee37y`fc{+UuA4oF=LYo85)(((4buU@5-jHQ~L92 z#XqT9{L?DMJ}q6~!_oylDpTOoa)rP6rflKws#j>&ywUJM{bo&_ynNYG6r%}J=u)j$ zO^=^u4Wg56AZ5}ht=L7?FIl=gD!i+8wU2dmq*?%&2&zD<<(~BQZE^Sa-?$KY?exUQ zch<-Ke zPA%(Ku2k%c+F_seteazT&!SO7N^BThVtS|GdS7O#Q@+UctC#h6f7=HSjws)Ss$Sbq zVT3BORMk3CG66wAlh`LxXx)lU7k40|_lI(;gbKAgRSWA}SL@OcwdU*AQtKy|ZF9*O zC;9xj=MwD?Wy29Xb+5eg3I&&%wP=Muki>Q3P;jg5J9iZ-T*UTa=iBH1{`W53dH_I( zKlOy6X&pLsp=7%AlPouG-KIUCM7jm4a5w8Ifn7APON%dqGB&7~d2E|P%X$^vI=tle zkzt#Mg{>VBI;m~J9(8lIsFtHqm3%eI7pPIOShb3!I<;>zY3!(om5cZ9jPBCB-Un~L z5mqE;)$*a8TQyoVbHeVeo6r4l+Jq{62uyhXnEa`XQUwTAdv@>K5V>~YtSM8+j_BOB zS%+3lE0qbYP^#FMVIdVu7OYsZK*bUTz6#4%sbsE-p*f^gE0eonm4bE3=lr_(=Y_Jp 
zS*hs9UFzkP*1J)`zD-t^Ziou_>te#_V^B{U`R_7widl!xDUwq?`(9Oe2ZW&&3 z%dnDw{>C9C*AFTYF(5R&Z}BC)iq7d$WPGcFgB$1VRy${#>e(Aq$Xq7qli=K+g%-@& zxYpNWhYt)7Uk##a#oP_56s%A@yPkfPOXaChA|KPzGc$wAmMBu8RMF~R zmF?W78Ex*g2}|eC+7P*B-`>4mZk4>C751KgVr9AkeL)rSd-C{^jcZoSnmDp;<2sef z6fKndi%g%qJEBkLU0bkP7mgl2sM+`RDwhkbULm+v#R840=4(?kSHA{%W^^nZF)%cG zc-W3nVRYTX?ja*u7OGP=bJb!w7EB-K$8V$6)NkY9(PiaSCn`j`9R>H!w6sptQq^k{ ziY$E*7n{zhqEmn7aqK%rDRp+I`cma};Qdp@l-QkWx-v)OTuLJn6$+$2t-iy*|KI;r zukkG_s#xqcY{Y0X`t*Ov!86bNrQ%nW%9pSB(MKOs)t1oJhaY{!@+$xcR}~f)PAbAu zt=qP@eUZ0szx~eekz@GemaW_QB#tuM+&FpcaFgm~Di+S%xN`PB-xomrF76o;H7In) z$go|bO6?w9YRAY@;r)tF>l8eqb)mt{3w5iPr{0$tOBZ;*V3s%YWPCGE`ge-ve7|Xx z?3@hA^-jSoZ)f@VjiBtG)UF&hq*sT9GbgQGvH1A0qo+@u{Nc=Lw%ECNfsIQq;D@|? z`SR6k>`!vtbp46!BO0-bddiiRV%GR=au3q04J&I09ykTY=QW?1L;HBo-w646Fs!#x&g(P_YRrUC3t+>LVdr__jS>a z^JI7jvb>kfXxjkfaQ!>A&Kgby-HP8rt{~hDsblXiQ~ui?b#Wza>joC5-$t|y0?liNWvU#Kt#jj=S1(`uZNN|#*LzDqGzCx6{1Py0!1+xC7K~lHI9tS>pXW-AI+sy*R+TJJmkt z6TnkQ_sWqYmlHMopLyYh7a&<=tvkyLH*e7ztf3Kg!fjZ!+BcvQZx=3Jic<>!!UM4H zK#bnK(fpxOrOWb3>fg#TVUm7q_Y7g*xh3kmibX30XQ^8@Yp1$-`!@~3?3vQOF!s-y ze#JHpF0pMy*v?UOJX3c>|1kAEs`cwN zs9UWmgP8c_FylNwd4Z$rVtxfYr)yfyIQ!$8EH7rM^kk6}!rmr6QdEGJ@YnMvj zw9*%?t7hq5H`l<%`KERXrp@XaGPgScxMIuu6kk0cbp7BGkR4PIc;VVmN<1J9G}$<$ z#Ej0to$KbQT_#h5idlL#EFe0^eC_sK{s!f9)hUysO^v+W>nlULUz4E0%~ZdQZ(Dd; z$0BpP1~2Ln0&+ztPoW5q|G6Vbd zUbbwxCQ~Mp(%Lv4r+m;Tpi1j`H2=(5GgdFGvn#Sy)XJ9kFAR^nKI8uRDVGlpI={Ei z#r^$no)~-Q?39O>=Rdv`{^0t?t0%`kzP&2${=vAPuEZJTY6CzRbzi34Vl5jhJ?%a-TT7F$N_{+kd;hr7VEI(re zY1%Y|>0Oe!EfYg#0)w?>7=EhIwf&00trm6*nbWxl@Pr{Zyk*d!W@@+@^se9KZ(J!S zlfQALT&_6Pp?2=?zsgqk%PhSc=EJp)_%I1&rpZijosFJfN6<>F?jMSv&F@~6$vmTT z2orls$KbvV^LDSBvsIPM^~+^o{(l>mzD5aTA$_HypI0xPyS7J0s#GY|scp;ty}F6` zj2St6!uYW?C0P^3jTrg9S-^K+eb_fP=xlasQ1dUnEL-C9p z;OJZ3Pazb>z_1po)7sX|U87`{uS2r6tX<*g!TmN}^qYTs|Df6$nAngiw2lw3k*Cml zsMj^;$pcL5LhEs{uUavmdw(Kdd?|I-cBx`YgH)ym`BZMZQ?ZZPgo%^E9TP7CKh||? 
z^;gop`4$KT+>lZTd(tIGI3v~9!6{tFqz4oU4$sU9x{x3WUcvq^G{H%AQ{F6HrM#F3vqR>aKzjZ_ycR~|5(1;*6$=!0EwvGGY zD>!h5l|Vt!pg)lV@$eL1JD@oCj9tC5Pf;9tOM4cb)u~9o#s!;wovTtvMtnO?dIf|v zshqodXpWjCvwvSPM>h{(37pYy1Dgg7X%;l9rH5^G4PMa;&@YN%$uBC{8lmiVQB$HD zIk~2P@yYFiy41;4s^F)^3*{L-Y_RranPdvIN)}Fu&L26XQPhfVbLY*PIi>Xv2Rc5! zHUhwUban2%^HXn~8F%%_kc$WUUD(_2!v3L`V~5{7G4a;P$#;KT@bm4hagXk3^hwqM zYpnl^Yr^Z-;k#H z5zGl~g64HCvIM`%;1V8(HU?D~@n=i-HX+WUF30Tf_3X;F9Cp7Fjo_1YQ^B zFpV4DGPDGJiv-~`0G>v)3c@uC_oUP4qWa~tRV|hkoa)o|`wQpJ{N{nl`2ecO5_y1A z)LLLwWU0AIt~g2_V7_=LiOm=no0gds*5;>FVj&x2$%?AO1yxO_)2#fZlzJak>xojj z)O~XNq4NpilXs_)LJmmMV|Nu+?E1>qvwhxt8&b45zCJPrH*bk%bt*K9>@^nGlMyYH ziscc+JQprn^7hBOZv)w&S&)yz&s6l>^H3O|w9%~#jc5@xtho}g&UN#BQzA?C5?{2bk=w*0>63Of^L-nZ6R$fBq;6U{cbgjd zI@QVFzE&O@;yJuU(8RWdW_HBIRAgz7kd?iQ;zUA00s8puw|ne)-4CcEIPB~$!JTU5 z%$xDehBYfspFSO6a`pHLv(Q9CQxC1)O~=}_sbeOMZntR3QkeMo@xvF-X?b#Q=NqT` z-McU*hS`)_iG?Z!L+tv*G85*MI)$o@&W=3EsPX?aJ8$J6BJb zI(6d0#mj8XL@tgKftP_?`YH5t=_l3CE?uD=p#tR!)5BMf8#DUrG9iVsz1_P(9%f7Q zuoAkrIbb$|P{0Jkf#((k!Kh%E=5-04(V_78)`hS)uu0Ttew(Lr-TbY;$=j%6?wTdl za91myqfY6Z7-=#S32h6>l$+A7uuQ@k z9g2WuOw0LQgBNs-pR3GRV#hLvfeHAXIm0>TZu#H&-GXs|fT!F*$J%+mDVecR<*XP> zW7`%HXM$6vIJ0SJ32iCS4>UwlL7~T}1D^N*VvA^FqmFMK)T3VB1|FcPRXS(88u|J+ zDLA!bVPqfDL@pnnnclI8!lsr=MexYnOmAGH4G7icYxixQ1{Jf1<^8NynSw2ARhTnr z!i2H^io6NmPx9-6yGX!h!%SrE5crL#4zl&4ndEH%P1)4na0sb0A( zw5r8Fs}c5D?b7MVa_>?*7n2jT!rBC|z75M>IV3YozhQ-}?Q7;3)U*J~e?q&$Oz&A; zip=jGLO2ZbQkW6s3lmp}50c{Xki@^Dx~0L(@PYJgQm|>|T=-kQE1$JO!+t}8Hh<8il1Na|kLz^oL8LCLb-s9^u1!ZhoBNvzDN4c4)?F)hL=pv5_3JFK~ z^e-0Czxeur#T90aOyF5OGBzzAZt!KMQbls~>E3zyij^jl((W&mLtx{)riWbzt1pLDx>tCE=Vh zN^D&96T2(kzy9$4HQaiEbE|u|uO8gF=K6)>b0!a%w_qW&SDGKpas@2?I2_0W>gUxx z;6$s%ix;wNOQ4NKKXU-F1);DR7zGTQmAymAkzi=%bty8lV-b}9 zm{w}4FvQKP<}6n*BLn(%NOnEM6$@vAOqtGM(kEI}%gsEg8OF+mEHDT{nR=3#2YRx} z^y5_~B(ET&OjKT(w0Z*D<~DDc@OYca?P2zE@vh(HYg8#m)#903Rfog{5qO1dY4I^- zN(7BpgbvYzE_uArMG?ul-GXO!E;6M<;c;zMu1Nnz`PcVB{GxW5^wmN?`=(?D(FrxeGKrR`Up@z{ldse$k+o)ttW`p?Rxgof@ytos 
z!*-36ocACUdGAtoiCsU?eq`nU*J`S}-uc6ms?fU11EkP;=lHe2#%7CgF(0s1N8tM3 z|0g}Weq``^{|Ho-woZ6f{*wErR{rAsn{WMm&v~a5Q(C%wB?%H_@sa!>zw+*T?@yhs z>ZsGmPKP3~c&dEGiqx0ze;elivWf6>&plVPSaEVBU`b>clHn|@iX`n_|Btu#fRFOJ z(*N1rWRu-Z@{6-cHr*YA=|y!$Q`9BY5RyVn&m9Ac9Bq1E<&*y%IJMX-D>%Hf>=bY!9^YMNHgw^}ghY+}M@iI=j z=bd+fDzlxilly0V@p22k&hhDy(cZT8iP{;t&W$-PXciNb46>CcVYoA(Z9#CNve39Z2b zr=-x9N{1Be5~tMiU+OXfFUZ6N{dE0?jq5h7U%q0|oViVPwRuhTDGOT0eYS7S=SScC z_O3!)7s-@J33&JB7vJ2u^!M+23s?u=eev{>clYjCx_0gJ5~{icEUrghoBDz~??Oeu zcpzY{dtqImw~N1_-|}*Iq_I#O#DhgdBb*s>=-nt#yaHYXONbXLy-*E!K>z`Q8sK0! zP04WyaUFtTT!K`XhwW(NKv%mb#`z4+kFtkdlM-YX>1~6O#lT?Cv>vH|rraU!I#sv&1jIn1U zsuOEDArmGhwo8ffBx7xcb5oAX%pB)wY5F98$A*cyBwdq2=3zT%PY~)6V$hf&129_f zzwdZ?7hmyfpkY1i0ok8p!cUg}KtRFr5=1ZfU*u8OWJ=68A ziVg4rHo$5n78vYMiY-#;P-)*Evi<(hj{{YvLw)|CRQ>3%{wa~a;il86=E&bEX71k# z)2%m5|L8*O-@J8;4EB)msQHBw6de;cbl7mxP=FU(w!VlJ4orFd&9@LH)LUU=PHust zqxKJf_@l%%3%IfVN_{c%RHSEQHBWB^_^61t@BI%zu19`ze_YkS{TqY|NbKu3Y$nGb zP(@U7?=|JmjvUC2^vev=v}GCQ7C6t$cbT5=3QW+{)5N-8nPx}`9EPPX(sxi^q&;rs z>U8G`i3U`yoG@KR2n#KmHYrdWHOem5-)2I*7Gbi!%4-usyM7c60fM;$=}lAmSn%pc zVLV5qAmMRsPs1bm=Ae)`5 zGK|GBI+m0vL7J36ZJ7JWD4*e&k2pJvXVfcbW7rrmm0$uwDz2F1fq29(W@Zn1<0UcE zKRVeLtb1WiM|urRh#0+kJb8@x>KX1w3qUqj#`~j0|$U*(UvS-c=q7Vug`vb z=ExhQQm0Y1ip&*vuARMh@w2O6eR}uim-lXetu7PXrM7kN?v1U>st@m7zj$^9qtxOo zd{tkD`tsD5E$>CbmVjf4&JwSAI9s>9xNzRwu|E3Tuo2kD)aZ{Yfo}C`Gk&O1Sld`L zK!D*D@FJE@^uPdqK!Lw52S_On{7%#h0nvk`-^FvbCYDE$eE+KMzi z1K8U6#Sr4B$*GKC!-PbJu?}F0^Rov!nFvfM7(QG%H-(j(6(CAt`)r!pF`LYOST^$0 zrdls%6L(z@>4-Nr&JUV|mWi1b?36K9xl<-=d9o4u5SNq@Ix^gg=)!(X3hNnh{}x3= zU>zA*1uA;IUxvJ9}C{>SJ zglr-BT%ayO5)l7LRo7lB=&K8aMMHW9%V@~JqsKozc<9IhD*GIw{M^BhNa@+p2o!<| zARB2R2?-aC5E4meGIw4Tylc|8qUBj$Gl|x3?@{>S!~&BiwmlX&yfYT~h~qyFJ!N|L zA@me$6cAfXhl%{{ud4bnN~!9oME*|di2Pkcp&!#ftS-`=@SKMOB#~uh*Q>9uUB5{r zQAZCV<&LnzDNpR!aiV?6=z<*vC5t*@LAh6nDyy zS?utOU;a|C1QBjR`C{>4`BZ!S4lOV6*vjC{D+u7Je@F$<7l zCXO35h$W>Q%uGORCMX)%32EiYhU7r|hFn+Z2l%g0gzGHm8d;o86dbXgyfrGD97q4b#%c+D7^evS^8c!xZ@tY6DK?M%u|wz>BM` 
z$?UCyHYMA+B-XJo+CjA9SjSM00jw=qm&!Zk9$AQTgW2JZ(Z0j|3<{N(Uxl@2rr8>a ze?c_xYso}+ZWdgAZJLkbVV@NstyOpsw%3m;h#2YYIDBqv^VV%INy*%MoRTP@h6eg- z>>w+0XIsDF<2TpczH;Kujq~5!{`$LbZ(slV^mpGX6pL@}T)lSj)YXfpZ(lu43E(af zO1<&i$xk-SDR^mq?!tv_oyXs>S$*p6FiQefcW7l{65O(7`_!t5-cExm6CEHepiH$} z{N}0{ef8dqC`hX4x$+fYa6|J|H~yVY+_PivBZZ9<^sM%GjW?tAI23^i6&gMY~-h<&_#;fK)tjeM{Fki zc}<2gF}Zh+Bd(u|40L%W%Dm>R?QwSSOn@iE0tnTb?>Z~rWp2L9{Cs0wq7FkuQR3Lo zjvne!*gW7zQmN0HGmnxJPd)XtFh)T?1F#eoVB3qk-*}VtKaJXd#3r8+yW7Zl~>6_B!(mXewgJT`PpP>5(gzJB)h4zl_9`Eycc6Jnge zpDwgHasg3hSFr&uR0{95#{x$w1$l*Hg}dtD0Mp^$SxD?3@YQsPsvkq7zGnI?#B?fN z(c>^Yc1Hew(cQ!4;(>Jm;$Q^i2Lubx5Ji={BMTpD<2Qlt> zdV2r-=Snq@-e37|e)GQ+7O~hLAQRTVeeZuLo@#d&+}(Ca?3>ptjq}&V`)X!n8h1DQ zK2I!3fy=A{1+y5C3`-iw#V9o+7bCn2ohv1yPB|2sYoDE=TL75vI zBzOq20Z(k?CrA$LBPJ31qavZputqJ8(VJJ5wqlB@@#29J!+Hnh&+}YC&&FInUHHrm zw;Ai!-^=j{7n{diZ62fJqkS?dUX(byrvb3lEjQE@cj0>hGTZd@(gCviO(OT)bf z+7A5FXqRVL8(W{Zr9c5|*26DORRRPE@Yyrd4_cZKwtV9EhmG&*(0>kSrA$2~Ns&-4 zq^=?5xs>qM2&D!HHE>`CRJXP3H|%?LEg2`2k{@@kp*`Ka`o*|*W8kUPuVR|FYfl26Sixd=K`bB~<`=qbsPx)7byQWH6B84!_t66%bthzc zx&7qn(=DxS79x(XaGt4xM2>FJ!Xm~|^-na|XwME9_)Ne4qLEwmp@gdSxx^OohtHff z2U#slRkv?FZgF5t5SMT~+V2hz^My_@dEyg*PjbQiwU5aR? 
z7|Ic*4B>S`fUq)TeT&{fql4p^smII`hhl#$Z<%2ZC{Pt?iXOx|FehAx_bPF;U0u3< zb)^ziwWQpWP)fvtMdLU#i`?gyd0>m9PeTgP8nRs`CTOxlN9KgtAb%45hs600A)`*5 z-;kVeNF%yw=1^ZLuPi!cahi+}y9H$)1uEf2U%(b3i?uguoyGJA$GJ`r z8NG5-jTbr;LKUUp?HP*qN{v=EshVJqk)#Fa8Kl$_UW$DQ1awp|aUVhfC5#!`3+pz# zwtXc9>+wi4k5`J8H#b&+;UgMYu|_8Md!^ zuzn{6+7`t)O-eD;v%WG<7Sux~4%6qp*#woy{3}t(xe-pdmMn&%_{xMOLlmY4`K$So zl&Q_ql*VM|Au#co{t80nD*|C*k;|G%?ptcSmK3`dh3mkn;-s-hKKW;H3IRpN0P@0- z{!&=Z}Gs$*VCJx7K6H$h=^Q0I{>YNYq<%KC@8L_98;%t?Cr(Z@;(6yb?Ofr6n& zmVN7jm7p7Gj>u%f4%|2_bZn7% znCwltuEmi|4T4P zZsiHuNbiAIazb4DAyrCZ945qTCMP*f$uRaHf~r)-P zJ|W2^PCXPzNgNR!plaLNd3Ua!|NFPMg_cC6s;d{z+`fKBDovtu@Ajp8w=P<26kor+ zcN6>J(GPdsy>)s2?v?ZBw^^K}2h5VdD(^zxmo;F)Y^<-DtQ+}MQE6skB6S13VyWFk2 zjo?~snt|~)F+p1r?Lb^Sqb|s$Uvl8k%48jXh0y>H=JS=xxZPMgYE7m0%1K^?{jRGa z6w7yOy$@@!iUe)S7&}7sVJl6DH^}i%hqcz^WCJ#EmTjf6x~bU;NnSKDmBc4j0!V$y zfwu8}_QY8bIVg9dBlf|#9qRsUO`1VHf7J+Oh9}qASosQ+h7ed<;<~QFW8Eb8nHjq5 zAP309;8ba9_>lu2_TE3sV=7;OP28RJ8${uP`2ehN z`@(X_+(gL&aq1hI9UL8h{p(+Y>Akr<7Z*4FiVHY$RN=I9SnCUZs4a*0e^8tphB1&4 z2xesm*|lZqx7DKN`>==txmHeepIzWOt3UxP)>@(oJxdI7KI_u-alXT9()3+U=c*KA z@@Os0x)>kA@HHiPbrTE|;&6^TrUcrhjnSkBYbVAV8nYpIbg`6WjXE&_!#HSVHsJf% z7e?whLRE@kdalcqbYmSY!?`}wIVaRMHE<-ENPVDYc@C&daq9AbU2a6+OwDqxO*hc0 z)AX4B5(0(<82Zve-G*n6b$Y(SOZb>DK+P$()U7OziDVF>5{EnPa%_Nb+A#y-Xh6Nf zPPMt#>!k*7ge_!asax%6@F|M64;p1$x$-$-3VR?zsnnKsjm82pAo-{pqmH(7%X2p` ze}3osSqVeezCH)^SOi#M-@AA7D~pZtPw;kq`T5}wcE51z%DLrjrK?syuRald^_AR@ zT%D?x1#DSh77taNzELm z%`0?yuH0jNg$L7rSEKLdD$j-#r(}PHF~~(G1{$Z7W?cNLTQA8&2_JUGT7~HeW_9oB zXT6b=7W;7UpZxTvqW#;y|GUMn@@wC|&&-}XpP@@}C8R4KLU`c`Afwg=!jPTNJ@-~I%LQ&?&z1l z`qkjUL;U;$hy|{#o64-mx$x?1ufwqvcc;{p|N0VtLRwb~%mT1bvMyfyS~#=N&hT^L zm4KK5<&T0^_V$jj*5z}v?x0dtRV$fnaW4uc=dD{moO>g0lv0eFRxO#39%V)=g?*PC z;7}5wtBBQ2j?q@cYD&i0Rm5xRQk)3V*gCkXie#tEu_K8fO9>pBJbEadq|rmuf`?|QTCXg@HODvN02H(G!qm~8stD|TBJ=tw*sw%5GHDs zP}cZ>VOdF0QooSWTj(HCw)YHD7N{W*N`7uxxAfBa!;}K<#GM&Y6mQNN8$$M{qh8!U;X@O4_#h_ z4Ot+hK84|Q_jI2vbxJ~{m6JSq5oV{Sf>R<|3ep0((0TYhzaV}^CC8%3kqPc27&dvd 
zeMYcW3`iW56XG2)=p_XXO$|~;MY?$?GD330YycG1@P5FFSOwLPo+ZJ+5KTblkFsIV z64*#y2$n!V0O7_A?5wexDDOciW#m&Tgs79#?aFOxrb|_d^Mp7PDY7+F7@rJ@MrvyLJ zP$)7X-d|5q^P^Ui$6fNpmtV2=?$@uswZ!ZF7D7#_A?WC+g^(s1tO?=U3LFze zvD&2M)cC|?jn?VsKmU1mhowAj?UbnqWDx{J!cr+DJ3HThtGKJM0YY#1a*E=vIzwGx zDC>rHJ?Jp0Ykzp9MbrL1-+%I#&b)t=8X?e_QxJ6gWrIRfCrJef39bGC`X7ICFf=UO zA{hm!0j&J-kAL#?9);tNyJLDX>0Wtt_Xi(+EKGA9>^JK6~ztR{7bR47ybFdj(eU3|Qx-(XYj9|wp>4xTP7a9vx)GLeAiL#1~e>%*G;0^~F3aU~y9forQS}B$JOsb1)rMbW@!Y+OW`^c!Y<^Bjv&JczMW#R6yE% zptFf^a%{-xQ)DqBAwzYtj%81RzhiBxaRzidtI^w%>%#D;OVu${N}}vSoS*S>cs$s- zUv;vRdS~@`qp$u+^ckoOS21pDQa~;T?2S`Mi@`>I%5!DFRHYLAVdG){IEKX1Scfhr zh}bAkXMG~Mr7jKj)QGe(4xCi3Fhxh0`_co41nQqo8$En-tfnblKZD7hs;f)XPf60} zk98#ey&^B^g{5;3ef&NZKoB@xu(%&W*mSWg$xGjSYp<`LzlG3)H4X5@CnTk&Wr~Jf zt7%#b4NINH&X6J+o2Mf}VNHuBa@HX&MWe(mRE?e^UjO{(KTk2oA0fsue|0Nh@4Tl} ziNa?@f}^wL3Xb4Qk|peqXum)7nCVPUN{7Y8tG}8){@wST);}l3v?!8PoHr+_xV*@m zq{7nrhYY`P;o|H$^M2M1cF0rw_kaJ7oxOcRVlpXbc``4)q$H6bXSn*sD2VWP2*IpM z?olh6Mnxx{27A(QW)WO~Wu8BW`ts{vKOzq8FDW!GDRRbdwXo1-L7~fBb8E>mWCsoN)jW|FIHW4ku{GCO z4O`7w&MXw;d~FNIIo72b8Z(W|af=C}{>rb++@>t&DQN~~eQxN;VCQE>>z_^y9ID<; z-Jg-?GC5Hn@2^P;aI8$yP0MlKO&J0zn>7343qXRwj9O5twD~3Ob8tN)G4d2S!zm`l zX|h6W$9WD)@*mQiZB!q&=l;|TJxgx$^3pypT*G~>nCSj;qc5&2G9_|eJQ486x?ILr zr#O>H5Jx|{6(L$syvR#~P(|$m>9}BAS6H-!Vg+VFx~NUpYlin5*8 z9eJG+wp4~eOC@V&%XAOzAlUve{N=;JsYKSVr4!t700}EAPgOipXgOpbiu4}Qot{n> z2woG}x~ToZi=(r&%pJTyoq=4$%S{QieW+1Uk*JOK9+>Dq0?TuGoE9@Uqmh9G1k5Gd zQc3$bWI#SY*^@y+?HKYJZLJ^0T5eLj4rIhIUXxgeRURfJQXew>hx*i)Rd644?m(2Zg%L% zQS>9RGoL6~g#BVvOh`zwI1A-MDk^I@GNEeXPp~mszxN-oML?CnDTWPETGd5qao!^q z<{22Siwm6@y#lSUW1EMx5?(Pe#x7&b(3nvJYLlIWm0Nty$aSemFk}X66(U5SLtdDs zFv5|ES)FVYts>DdAyz*=hV<;Z{0OJgXx*fEwm20;*p82}pVkWm0eY&EjU>@U`%4dU zs7P>nuH2o3MaTg}J-#F|m=P(7b!cvpYi)|LI100&JsMv@gl1}nB1|5tRV8W1y7tQp zvrik-o)VDrri^wdh|rdih>6=TQYgeT3NXBMfmW>W^CNUPyYWg;PJ&c6#1RumLpon* zC-AsdPVyjjl~g%GAYU*)w)w4!4LSewSgQ;}gM|XwPvK6Oe2lg<$|)nrJ{c~Pze8@QwkFw#DL_3#C&f9$jv9~^G^{pBqr^#> 
zCpA-B;1o+!fm5yN+6ea%&n;+`wd@fQ{6m@{G5GfbL``>pa^}qE3l}dX(VSZ7kq-f= zVw@1Pi&PX1u}R?S`i-0a`d3R%IC>fT6Jv!!ge=8HLN)fL=IIU&8Ve9qpN0OwfrAQ* zN`%~o&P1H7h(Cht-Sut462I}H=?ZBpTFoWwixf0bY=9kUD-I7c{U95lX$>iA|3=n} zjzj5{6t$<4l@zt)$R$NBC%yHi2_oYC|EQ=rtz|}cMR+alSA30*iRYFv-3avIPLcem zP9J_ujMWY?c@Y<~v4sgsApQ)mj|?u_xNouwyV}PYk?WKgRoSp*PZos1$E%VeaS&C*`tSvLCY#j>Q=DX1zOE5bcG+-kmkg~Y(li1dM?0motfv- zm|>g{qsOTPae`HAW{8t$xnWMsrpa;o`ZObqKE-y|;}X$AZlE8Hb?xhB`zX$3B#fDB z;TYjz6J#8c=s&U~N;@&mFg`|?6RLQ%$c~PNNP_eUvATynkvMPKm|>VAS!{EWELL%3 zC-|XNIn%0=4OK~o2{AelFu{LBuxo$l9Ak{nqy|A<9;t4bAtOrh`Xw8wtw5pxQqw>} zCIMr1xIO9>)O`|@BFd!hKsM2-S%x5Q{fZUO0aYD1bsup;E%PN1sL?^)m*Y)9)vMdr zoc!cv3v-_ugG66Y1iw6eQ2uo7(s|jZ!x6qX`N{RK&yWmo&64I-&%Yo}q&~GpUtFrZ zcq_DO=eI9gwqlfSz?>piwZ4fegpW_*_+=VXgY2`zl}ske^Gr5QPB!v*OQVUOz3<8M z7Vs|dUT6^>1LJ*%6-PQT7Hi1p!xp2i=db*sd3daBv$Sl%JG%CKH|9Q*>Yv%v-RS5k-6uY8q*U$m)Zq#$q@1S9CGLjj;`q9SFHi#Ic~s zaUw!!yS+y!4Yw#?wZe1}%K8-3xpLE~6s3GsXO?xl?+-q1dS892UiD31{OKQuo;DqE z=zuB@(}@Vv=}dEyibm5VXzI_K?tX0g$9>d9L^t<4CMekY9NZvoBXO!x1@>kv34po#%Wqe%VI+07B2 zc2%+VD~g?0PjCgZ1X>9Vi?Q9IVJXNJ;odLVZ_u<%y?O96{yQ7C1wkORm@?|GY7?Th zOhC_?80SzLWtTo?XoP$JNRR$iNgDnH^{qS(Qj=54Xl;T&Zr{#Eer#k#yq~5ZLJ>;S z&DIa=BloZcOHNrdsW=B>id5S$D-!jS6ZG?n-IkH|(`;R|I0&Y~(rEkQDEp%OTe!!w z#NgnP5H1xEik3EZq@STLu~%pc*!`qp1se^S9OgM_T4RGWkqN0Tg?!KOWPwd$#V9_p zhwNB0|N#$;Kd_A)h?biew$} zO*A-r>L<^O0C%QQ2*XO1Cb>F>#MwozFzD*i?%RR)o)j>6a)QSCuO7Gs<6e2ZJ}=CP z;m4R{D5^&$0~HcQR)`aeoK|e(c`g%T?4vxNjqvE789WRxSY@JCSP`vHB+Pf}iPL4D z>1HD4N+6V&)PU5|B9{#n9t-mgrQr~k95+0-h=j2~)xTP? 
zLioJ@;m5@9V2DGOI_dP;x%nc|frKieS#h24k4RD^GX>BsSkn||$Nz$Tn{W)Yq^FFCIx)_4 z%)1?8jyQgQ;2G0LJr#>rUySUNlDfQp>)E`}5kOUKvKD2{VtN8tO_|OpXj4>eYPzv7!iluc%~?i{h8a*Ew!4my z1AHPPrldK6iRpnus}d=3exJ1v*72lxEt%HdZuNsKZSkuVFZjDVyy5M}C_LtQ;WlNl zj<~3#jHN>oQBoAPf%#BOds~fj4hmzc1U8LJ_=k?dn%2cdV#7ws-yJ#S<4VRf7Ix zlNUp$_kgu}_49Uvo}QNLOj1_)K&bJ7?g=Ud82gfMK|Vva@JJ!fO-i(gO;BC|>;m~x z)E#_Dp1#7GJq?`R=`YYN*2Mg5>$p6)O&ib7aY~6;!D} zmI@t*0Yf?zhrG97tUY;o|-ZwEsSPrp2Xp z`PH=l&!)qJ+YfRS>tB%BQB|av8Oe`vd8z522#9nuIfvvy7iG>4_(v zME`;w&ykT@EGKxRSSGo`2S3jT?V-jgVfqup5~yN`es=6gO0e5FkCAN|+RarS>nAH{ zC7K$r#FC89wrstZ?W5x(Mv_-hZe(6`%$N3Mo`5au=_bsE@HCjSUiOc<+di5aIK;xt zZv9u?ZNd6M3bl%O?Uq{4SDPvJ>cx32c4oD?l-jQy+qr;gS%z?uuG>G}n4y>3MF+Wo zG#ek|6yY(LauP^6(2A_-$U2lPYs^AOTA-Emp{UV{Do7rVkB?8#5Ff+=rDP^&I4&@| zfsdj_F|>p-)tx4#Mg$2H9l)f(6C+C1R=>A<6Fw*jNoq^r-5X!rxphVSbm!XVqI34s zk3QM6`Now_a=X|LKk%D7S6~tzeP?6a#R@?IvheRm5kW#kaVQef;s-$|Vvs<5-TUr) z(iVrrgD=e)r98WQ`O3>Xcj3&kkfqqEEVfvDg~*K&jQSU1Sds%-fE1??MVI6$9?<#w z4b#n+6wlGuZA!S)*%HO0bRT7XsOgX;l3HAh^;gs3znKnq$V4-$zkk<#6oNPZN?-ERF{8zNBmdx4BKZMH&}1{Ii5Ah9CdX zs?<=$IQ`(Aw+iBeC>l~5uUTE@y0OyZg>v_0#qEG4lq@xD&B-;U`3+3*9WXV?QO*b^ zj>=kipIrj@P_QZ9u^?<@?${A20fS*BWsVtUjTCZvKCr{2u1eHYBwzq^NDZ`Q=A!-( zG5Sgq5u=`KN%C1qjw8?Q^LjL^ zn&CteKauEOJiu;(r<6s4z$R7^R5^UU!b8b#U+?|;bTS4j@9WJOz7#Z^SLmD?2uIxk zHL8bkl^rrX#(O|s*vPsRoxlsgXiFVwvZ$8WKB9=}-qkb;oZ4LD$&ilr9)V95&8R+2 zXYDZR;anC!O-Xf12^hkpK*!Gy9lK&m3fF2VcRyr7}< z<$PqqN;L|@{>oBUl2Nc0T~_2gVVpyhmt9Fp_<@h!!^tk8N}v_;LHv`7Rd0k$FZbbe z$Wka1$WK8V<14l}^4XFONR3k*5b%VP79AbiofNg+4rB0{XP(K-&J{xuPYN_Yp|3&e zAZeb(DIRdy*Z^<6X0Eh2+w@hVl3|HTi=T#=j=8n#M2CM!hNbTh{;jKgO65vsj7#$s zljEHaEiMcl5ZrNe)L7i|?|%RL=`-56S-=RK!VqU(cHG0Fi{^Ol{1q0dLX}XdSWPidZ{584;k$1q20F)# zvM(BIzaUq)w%m2+RBsXnngI(&s{&hKmTU|2jZ+dFG6M!hIQN}6ZlstX?RG*HC8H$5 zCdTX8vCe(N-JZ!EJG?5vu_jS7Jd;-%^k z&Vg&Iy?k^}H&3Yos)QJ~5bsj#i`mDg8XY8LSajAtzx?v&A4A@gxO26GwT_l_SD@`_2u;Mb&e|x204J`S$L~Pj=0n)nIWh@l{@xyiR%L7I(x~?ldYas60^z z_fI|z3Z_u?qdC`Tk!=$F^nPVZeC@RR%`S9ZSn5Xhe))nHm%74yD~+_z402#G0}~Ib 
zjP;AQ*wT_?Wc|Y+VW><=)$!}RB1J)C*~4&RT+wz+^-2wK}zUTb9421K|?|e zPZo_G)|8@=b5nH0oaJ*xsmpeupDeic%vAeS%Xn!cz~P60Rm`UcatmU%+B_`UD$!+&IP0-%ZZ5zzN z9Uo8d8Ked~bMinaFn_i1oT+}WqCZ;SHzU|4$$wa^&k*u` zk#tDD8m!rHzt8zY2% zeVRVepJWsY!LKs069MZ}wBtPbF+^j%2h=1vGH4fb=br^yAtEGH{VNnJ3uz_<6rvc~0DL^C8P$9ZiwXlmQejuJrcacLog_tUeU| z|M%-(SDI5B;q2pPd3@qdd2wG~y39t(OObrZ;;*{=3ef-WZ-3hZsNuJ2Xq?6q78)F< z!(hu|qq}8BZ=Z0-e&VHbSNZA-d- zd5QCuD#Z^=qA+ZOm=RW%Kq7J$tz)Jr3YXBWG6M$B$k2(tibL4jsk)%pb=i0~+Vo6a zb%JI>ltWI)2x9F~%BE*^k`JZM)spQDeb-EAXZ>ss(E?^~S+pLtNF-<~8s~(Y8zEyY zkEhW#YHQw|n^!J>b&4(5 zFCM#k;Zv%6@b&if`$DMH*ksX%Tyg3A(K82MzjgWS%WK<~E?Fc`ZGBY|t-ve`z>>EK zRFN}$XH#cUD#|Ettnr4`FQJMw_CEc2S8p!V7}Z0M_uzAUqJzR}!gH)-5^4 z{IHRzKfL1n(2>2d*VQJ&KZklsM7dL8gpQyL4wV(6*qkW@z>wqD)*NRs6#0~hgAUGc z%?KP)5N0zm+OaN4J2S_yw9IWeb?S>cca!^f-%->kCXtv;rQsv;f`^Gd)2$tzI%XpC zarJn`%D1V~V`GJfdBS?EC~>Vz&=!Z2c+erz+aV`9VEu}PUz|Tr@;7U!0=lpU;vEoZ zh0x$1f(RMHzYdA=qy5jpIU^o<&;+MHNy3Tbg@O+4fsJ@vcJ6u=4%;*R`gJK<<;Fk! z@sDuPAy+ffSnt6_XU&fw6{UUw!GG$CVT|9{X3nrgQQ$fSQ^?duzP_XS4jbUGhe`%W z1!2=+yAG|2)PJGM0hPiZ_2zs^&nXdAR{!uNzW@G**10~=H%E=~W6BdbMKCXSjnNOl z!d*pVu3tdl1M^z&7|8)LI&jRCsg12|bDF2k2p<>q%U^bZZk#J*Y#0xD+x8v!{?LoT zjvsMga3}^FqXMWBBaork4pnBHqHbmfRAC6bb@}q;V}}k*t1OE3!vf|=cu{hICMVc& zQnYqvreRLD4qLZHV~&_-je=H~$7f{fvc`;TPIVG<3S))Jjn(ZuT|U8W9aZ3~y=G+T zGsldG@*0*t#$i&d)3i*3s8G<|bS847DZ@xGGNMD>l16I?hMJybB!jdRCS7)B<~k$6 z2pj{UnmApD$+0HcP!>%_L`#gbCRa$H^!`(a-V~e)U<+fQ zdLPlhqj;>k*#6Dk8}IF0@!E40r#{@gd|r(>o%%8?E>d2+1zK@~0G5C%nfH(QS#s5q zlpg$&PYkV!7&}vLGOo-Md_}Vh0izDn76guNjdttIC$kpTD zwu6+g^+923NYN$x4xW``PBL3gzmWLAr_+5k3?MX(BWj`ULm&;|NkJagdRZqQKA|$k7L~kgrchR~^y( z<4|vlo0v{K^7liJciH^5YJn0_b?=B3Qkhsid~)z$>G*Q%hk!;I z8=nAD!``Q;2cgYxy!kd{KUX&oezM+Qy#@4n;)$nfYU_FO%t{!2u-SooN_veLVPpO0 zfBMs(nD6ZHu{rFQL`>F~`op&HrufHr$+X0peUQa6CCJk~MHwSQTp4TvT| zN_47{bd%$?^NZaeeUXn*`R2semzT_KE?&B9Ip>vEBCpNjvb)4APd73> z8mR3hd{sadgcEArs-X(Z5}b;PBtu!Op*odht=(psP~#NdD_$8dZeFo#X_TfmrPEBu zdldfA{ISCmd8t&t`;=A{u2u%ar3s4`8#fXczqtSN3xad?FSP+8j#!h=U$7YVn%?M)6$|+}V8B4e57Lqt 
zb7HS3II9+_7JXzaVly#0S*(I^_mi+r&?itRuu5@?A0{)q_^W%Lny#%;DC?jJlyz!X zoxok?ArVI@2(te-7FXEiSJT1YD-l&4`7V^yeL=X$8;&XP6F>kD6qMt({p_j>q<_zby z93r#a=8%3o$8{!^waGsaqi61C25C{;vO}~Jqje1_hFLjANrPueDNKkR+`^v4Li?|c z=|ymXWt)*-cOKaf`uS(FBM%r(! z^MdiUqrrP!B`e|1QYoO7@aE&t7pr=5;l}z5OdB)25_K%rK%OOQsG3`SbUHu^s9L#w!-_+D)?YYt;M)$I0$gxceRXF4z1!C< zaEIzu7F*=kt6!hFaiue1h5BghgU9OqU8`0!#II;fnm=RG(q${eHOQ-y*J*M60pmuU1S2|^Z<*z+<+7U{a?}TQAk%58TmTjDpY#1M<6T=>BKw&sZT?|uG zjZ6xr1`}j{fmlw!nqq1+7*RDOtUe1N_rIlQ(cLrh7g zXZ?hnxy>~z=Fix^am~KBUq5~7B%+(?+$B^=#cJV#@KEjhEb&@1xVmPIbc9vgQ z{9jgH!l2->{0VVeJZ*ecDBjjr`>j6|%!b&TB4y+MUe7u87@cPQFpF3IVKL&B_sWHhOQL;zeh3 zt>^p_CD@9fPFI^pM;rQ*l$+GqAQYy*E}@EoRzMXgm4sG>C6IC)rR~}0yAF#YXmxz=3-jBi%%0OmM5nx%UZNE@$ZcXCr&c@pI>2k5hJ-3I z_*p;|Y4(ew+v_-!@7W3|gvEvh58 zBNXc^F=!=7$-yi-4E1^W&Mg_n@sSkZXg6G|X9s;TL9&81t(gW=bapHP6(8}|TF)I* zy(UH5MSDA}m^b6}snci4noTLSnzoch;66@2yL((x986fxT~NU=YGy;U`JOb3P#y1@G%e1u%3Az)D#k$4X) zCm+23->;i)>{M`s_*{iqQEWO%GC=CrcO(Nm(pz_x=>Ua4IwGp@c6}yN|A`9qvlULo z?Ke!{cU|%c%@-dWwG^N3`;5hNd)Ti$X9owzc?%Zv49VajfF5m>6%9`VMG3u|XelC6 ztkeGz=Eh%yrS$ja1m|P11 zEV7+P>k7i0@HWySI>7Q@e|MkX5G7a@rzIQo&d!_I=?vZ_KmAb zdJ6I*-8Pc|FP%SjPo;T@{cmRLwRQqn8hj2S|l7bFDz-smjC@=&&(9 z1H;_=Wrx_5MmfMOhik{HAz*<>I$rw1Vi(kT5;7$E+l9IHD;YNuN?vy_o$XbLdJ_6U zBV>t!F%bA8)R$^mVA=R+&gEDZ<&@$-C@o;{)D(>zb#!FE_oG+6C)V=jbVFsFzGR$E zP7o$bMVxLL$+#5yglNu7&Dqbk*Ll+F5~x;VKdq|t^qDh26El(d$gBjRXiQROD|1$& zm4GTWS^-tk2KeczGmq44=`;PkezV?!aABcXAw&50BccFC9+>Lb`iNldy_o&o?|$d& z>n{o<0a6&LWcCS=`Jbgv^dL@226%gq5}8XGDJ2=;MAK=K0fwsFRW_zWkM-t8%oXY- zr@~b^2*JM`P^nR6PW?ya5rVn8`p5Iu^wY#CdRzLDJFt~QyoynH2L_$_p%~=<9+NVN7-(!_8{>@=5!<8(o^gn9S^)EO10NhGplx80)QIY^q;uIYoV0~t1{Xq#;;+aF_Yspbw6WPe& zz(C0pBy%`>iT(t#L?`OU@=usG7ols>~rX*Aev=WLHP}QAcg>|KI+nzpCUk9pwGW)>(!^eeUCEQj2 z3dIVMh-|@#WH1CBkqA|gv@7ZUBW*)dQ|i~hpwzF& zU8O)(mg%!_)6ouh)e*aY9C}h-Y7ZSHXW$XXc6IDHHL9XapXVsyTF}&$)PL(u-yHAZ zqInnG^|tLV5o`9;(@*zsqV9e|p9&ruDs)nkc!*RXAdWTAgF&0NZ2kTJS*DGm1j&yM zRpzBoXDW3Il?teO`M`;v&DaN2^{L*G@!YFG6_x>-TBTx~3#bw*l~}V0oMIKn9HB8; 
zUVHh))DRCCgSkOA6u{b6r=&T;OhG`FoNE@H<)tp`D%>|!xp%qG0|9GsQ9GhxIV9b# ze#oE8!rLQ}g{-Jn>Lj*XQG_i8snwEkpB@LOnZ00&?Al)M*^s97wttKeV>ODwd`3*+ z&akEe3g-yk{4SwNF$3POQXzQJs@7F|30eio0GCW~C;s<0|N9%Y7^klWDGT{8abYP) zuyXOK_t)OLbrE1fZ`!+K*`fDd77#-{M0KLSPd|C%ecv*=&= z{Gia7u3b8J`p{c)2Rc_i-%kV<9atGxzB(p$<16^}@oURkrqzh?i_l3o*Qrd%R)%en+WcIsn?ncm}^{-;f>WOYI)hiBDOcsPkCHanIqUA)7erL~HI140Hb*ET~DGW47 zsFLIgp;%$n*Ux)RfvT1d`pi8#ZO3~OswBBWXjSS}cMlS^H$N$a!;kipox3}sD!1dA z%FQnnAcc$bjkn$wAcX-6$3$<=^&{-_%?ZmAM-MXT1CEfd&MVqT>0<1r%Du`Ysx>i3J~cxpovd28=KOdn_)ybH*d z{Nd>zL#yJXYN(Pbm9+i=Rpp!a_G$Y>8J|@zJzBFK>ozzgyi}kS1DoO915`0JBvf(D zs}{{6-v#j|QJy2qBJ5{n>()(jV;u-=k%fl&2r#Xi>`q2pbgnHm9-FE>o}cK35uPBd z+5}BomVV7d_ZREDx7K)Vs`6Yv*<&r)Atty#*U?s&yT35mV`CN85ATe+a&{&Q6+WrRp!k=&SSC^Z{ZFsGEDRRwA$#V8c|CB+KNEhWm)%Rrsn<90XKR=$2%ygP#7qjjf%8Dm6$U z;Vopo#Db;ER_@%k_TuS}g))V%bmaY4zBt_;NJRm9HPBFM>eNRsk()wn#QOL3xubH2 zeOp@Ew|{Z;u9(F*@9_{mo9%G zT8X>kllx`opZv#vI1T?Bb$&&l*{jXIt0#L}XjK+aWs&qx4NtO9iV|RGLX4&%UAm~0 zcPbj@yM$2#>XWrA$GfbZ?6z{e>(Y{Tpke(pGfQ6(rjUG~p<<2$>?TC(re}0geI#H_ zPj^c48ITn?7!7Mywtj1^!f4%6>$RcM^96?P#P*@PYJxk%c->@=^%WkQtGyV#jPMnu zu0$->Cu&Xxu;qyYj*N;C1wn`t0q&0; z{}h$#-S<9tXWx4yxx&+jr<143Z~+bRYf_WN-+#0<4o+>L4A5GNx$qVkfdHJmwjb8v zC0auj!%spLFgjx9D}CDb_nEmLsQS0c?Q=H2BB6>Qt%fQFyws|sN+qC*X+mSloIH8z zt=D%IB#g}*3UZ3Xo&ddN(!|j_jnnH@S-OYZx8hwxk$N}blZGwH6bKe+`{*$9^r=@8@ zB`H9xJ9G0CyA7+~`eXxC!@@Alj4a)%39cI|6;XhsqJ($pIBj#96AGIAa}+MQAg_qm zSH|nehzsn3m}J$KQjw0eR#lPYlpHuLFWjLr#aN%CRI!&0l>y4%J8c0(R8jn*BE{*K z|MQ<=;p4i5Dm6|?kP`aK%WLOeyP(30Z|?{v6tHsr;>i;qz9fMLO!@rC+b2G1*S6UH z#b@t*dEx`P!z)XQZ<GrjYx5y8rc0UVBb_1 ztE2@DuT9hU3{@o8g2ne@y%)}=(nv=&RPjRP%O#0rW2!zg$R5C2Gs%@8Ft1*|&URTfaCc2{)?RpU3l{clrV?K9;y1*&Ereqzai zQ)j>7CG9O41>3XK&Q>xFk{Y+Ge?pkcSHM?p2XKK~jxCfFvOJ>t zhUT$h;ZODLOYZdl*Z%L<|NFncr3!FHRu1!yeb7l^^^3%P5K#!iYMVWefGi#|z9)Qt z``&vWRf|TN3rOj|vPyFS2cF~5AaDXz7}gjSU0w1+Y?F7#4T|x`z-xypUfA8cpPo4R z^Okq}%=l1ItSYwC23N1<{i?ZtJ*!j_s=z5`4UMStt?O53gcvbXw4~`_H)RGXWIU)- z!7jrR{p@l>v}0X{#`)M|iz^$aZA{idXA&`tiwca5Df)s?ZM5g`RR3WUBW-}Qwk!i} 
zR+eE-j$vAwCU?w`P~%epn#a@q21?(SwE&S@kT&FjpPH~~1i{!UMMIy@fg-hV>82459L_cF&iP08*=D=M&)IUM32`R>Tpo;%K#d0JRlBGnBc z%+*3(fK(?6EL*X2!=l?)&SHi8=FatNm(E_ha7v&CIr?s1KD%dq!`J7IwQu?E-nEOT zH_pmAe{_%B^6r+_lLy`uU+-M|az%a2p?9})v^%#h-MXrzRX_gzi*qN1oICu6*oV)9 z`*tj-j<|B}urU3-wRzUA=c;d9IxBMw()sl5)l240TeM^uBVSytgjeOZO zMR_~*UK^`DTC$9ho+GOhF#sxlC^FV|yw*;@YD_VZEQ|4w7D(8FHqvuAHUX%rmGS!7 zIR;Ogzoq*RYD(48xBgqX1+$(QiY@7yD7U_&?EV(4f3hrmcx#3ee<%hppHmYZOT%oE zeTT-58c`adospr0B8rheKi4=lSyvRMWl}_W+J?Fg%MRAWjj|1O8ft%tuJzk^gN4R;!=YDO@TYIh} zZ|zan4yYPQ8Vc(hQEyS8>PQEt;+VVQ?E&MXu+2)A?Rb0tKJV5Jvqb8X7 zANR<+;B5-1YR4&aI2BMeXXidepK5te`2?yaZT?BswwK@in1^7YQn4z#Po?T0R4^~3 zN+qG{*s)`6Q!CO&+c5!|iAxKCEyLU#1Lh9VW@j7NBIl_()}D>n1Lx-%@hDA6(oaIw z3bD%zu`3F-E046FlBlUqbm-EakF2nE7SzQ%V4TSb9Gu}lusKx&a~|5%xvn-FHv-gRf3b^@vde8O)8%(}n0}Xjw>g z3!DN4wy#@q>D-Y!H!dFgaOalgwHxQ;U-?quMSOej=BZC!Ti=?ofA=adi!H#%`D5>F zo|oS?e)QR6?+D!a>a%y3R7bq?;zF^*k+;{h6#K54p7HhPhr|x}q_)h>Z!YlOFem@6 zxljm4+q+}=gf!R9^NT423|hVQ;*zFod1Y?X3hsj{XccN-6|9xUEDAt7CXco$8K)r} zX=?V_$0`GuVO$x9 zexwJX7UU~YQQeJyW(trbW=d;@eonSwVV*(Eqo!oY9!_hPEkHyFs8TCd!W6HDDoL&o zoG7GNs(#XNlQ!cV(idt>YNm$*~WKrs*s6CWUjCdJ?(m;w3Ey=P|Us5Ack z^r!y`Art2mu~ZgsMBK}N{nvjN7L@{3II6@;!BA{{!4I`XKozf5yjh^CQ>8LP6-yDH zg}W6m)wFlop{i^xfR(@MRfe=0s>C?&5~`RTYN%r3FoS4Ej~=ZmOwA5|UMMJLZq@?>w*%CLjYBK!!QOn8|sCwj)M@Zu@M7IT0sc}jO|3z(6KYeHY zdoM3q-k4I8?^m8`{OFaXnD|hq(1aG(MzxI(ym3)MF7V~(-t`3PHsrcZ$#UMaWj0&R zAA4KblIJn6DhiG4^8>q9HpEw_>89qmu5M2L;`qM1w=V5nSKnIdSC#4n!0mr)1Ale< z#@DN6=1)#>YRGlpzIZ(QY+E^{JjJOdT{ok|cX4g>#@V@>=M~asRzw%2y0tLj zD{e;umbhQ4xc=;?KPil|Bf5&zh+sEbr-XIUv4$!^Vj(dI#6NTGc+&Ba{!vjtz?wK; z#{_@JDa4ZJD{n1%v_rhF?f7vvyj)%@jaN*6agl+w5PwMILQ|T7!O)ayXfubOi*X`{ z&72(683#;!p~k0K^H}^Uck4x`9i%L9iaK%XDbQsf2#fc%U%7DBXP>bmK0{-=NvJ~X z+y_-1taYJSsi6wA5~L}iRb9G#W#p6>`qb>~Q@Onzs+#unY5g#203Z)(l)XT-(y-uh4d_8+x8wd%n!p^m?)XhGo)aQO8bFL) z*u9XnKmYlEQF2lK``OQa&cgt=P&*0%~+4|z)Bgcq-GG}wV#ma>7K;lI3OFT67CmR_uh->0! 
zc{#jCD3qv37I@n8*C(HPS}Y;n+Vc(vXQ{yD_4-wJv7^8#sZt58N-@Rj`%=5(Px2h?z zwKM<%IU9knMYS=X?%%z4+uSL+9u?-}fL6~pCCn-hE>BhtO9RyEDA1hkT9fHqmY|tz z-acdM_=Ss>Sg2PlYt?AQZ59-k{OT7!D~)wnImwd;GOyH9rQ(V400Dj3EPPcs3Q6lH z-w2&aaSBbH;BN8O$ghR!#48SU9nLGRj(1dEag2RdkR2()FaWlhZNCf#hJ<>ASobmU z#kfC{>@%QISppfYcj#tI`|3-LP%BE>hdRs(3K_(D4XsOXn3bs`QIdM5EG{t2&eE5U zbBGNvENW{ycKrCsQ)g(*vhEZs+z0zU++X|r%L{kyTeSPb#jky^>&WM?9zFZ|(KGu_ zoO}P|xsOhrKYsR$&(3{y>imVRdp`V+sk{43`v2H_5BMmqbNydVa<Z;+r_J<0N)m zu}$yly^G!@L{UM#qJ~fx5=cTqfI#%#do#WFZfr~u*toaEEs5Fg>769gd-if)Gxg@lIb`{()AZRi}_eU~na5+||-2fv(y zxdfOp^AS?it3Tc%o}mx9eG)L(CK?3;Wf?yCtZtgPUVeLAf=FWp%FCr#%yS&T&+Y8G zDO91H*?jiOgEP)L5lgK<=G1szKvlsyr`+W~8@H+Gg;TQ*Uz~aP!nA!av|;7q+_=F+gtG>_l#TQl zJJdzANVkkZuH=dt*~4vAKi}NAA*{!rJ=&Lt7r7v!LG`HeXzNIp9<%h@!n`cZ4X8`> z8#~lFZ%8Lj)r`e(Y>03SmPPw88^;AiC6OV4-Pr)7vLn1%KspCWhNb*gX|y{~#S$%q z(0WbSGR!`!&Vys}Mf zh>6N=jTR2Z3!N9JH?`eo^&``aP}1F}aBBJ3fUT9G+a`oA&ktx!_sfj%A3d@k zY@L)Z34L60BHYJDy2>Y|c!Yay1O*N}iqfNZzOYfw|8ELam~RV{MAZ+L#Fm4j6l)1Ydo7C*F1fDR()f4M}_@f`O+B7gI1jk)X?Ia!t z0aY)b#}tzy9U8TE-NvNkR2NsbhaP^|p?gXh^IP0N1MlYHSuwr}n@^5h&oT@^|JyLvJCRG0fO~p#nU(ecq zH4ZV-iMMaxL4Q%dd;AGHhegn4sIto$DwbMjq0F!V<`73z+rv zGpz_x@V%6()Nab#oZoQTTYn3x{{FK+z46AIuf2Bd+_{$)9e8okfwOaWpG;c3d(_gs zv5WU~uUYqe)%xcqtp7#r9;e!)g7`BsQC0v|W7jz4EQMSBaMIELm~w*lqsb@kn|$)V zDYBgs!?@wB&}-oTjCykosb1uO8W-bJ66I5!=!?oisR2=rAz<$B^~_+uRzm{26^wAx z+eWqxOMsd7D+<7dAziI9!Y~L@D%EEP2D&{puDnb^mD!jtTlV_N*!Rv3dGG9C+Ph~4 zzj-L|wLLDc?Y3=uT(0eLHSD+FWB!!=#|>xWt=%!#*kiZT_%rO!v)kqM{a*ZR**318 zA~9DID+N_OLPLgxv}wo-LTX}2QlUD^7OJe}6y*%T9;%{ybcpZc8s_>0N^-S?0f7xF z(CHa|thVD8k00gJ0Cp#f`|fZ^w7ipH#$cNe=R0<>D2SDSs?&m7P1x%+>DZ4OU;3{(7k@JM(og4J`o-**o}GTM_4EVYa}UI> zJsH35RN2-ui;iAca`csx7n<${ynsJ+i-1MLv>61Oq%p)EqE$O`>^Sg&90Delk(u?- zLl50F=aSx@-{LlY!i2e6owCzX+_3e?K zvUH2^_2sQ{Dt$qVr5+UM!{8jV(kXk1Q~5TrvwA->D>00PHvlK$X#rBxUm~jY$jmck z8xG4{E{akaynounPq<8JGCkL|*WWyO{OI=0>o%=f{=$aUhxYHm%StoLbzVF>rLr({ zD9p$kZbdP;JtVX#4PHetM_s6EWnmyY0VztwZ5|gw<;SV1zNJy#d68bTM&pe!TMWJD 
z5L=;pYXe@ZDTy^U5DGRnq6WLs$SFYMx~|;hb_xJldd=G!d{WtN~C3gjMYq z)36t92P`(I5@ntty<2WYzRQ&ZD3R;YR{OysE`PRLerp%Z*2l4p}+jfHH2uoP&bn5ikb1$D~L@`d_4&awr zG{|bHFTTV*sPZ6zVnhHriqS<^vtSKL#-Ss}fGr>iL)0*RMoDS;$mkd^Zy)$9vj~ce zP*a$3$eGo7?0@qu?%@n4Uwbcn#qs}aJSPSi({Pu^%&!=kxyzi2Hwv8MU_h$wsCi&dKPN^eZRW+N8V)W#c<$|YSt({tQXwgo9;&2+ zf{p^GxF`ixxG&`Jqg#;uSa3=xOX*mupR8UoKRc>-)*u)3fjrdvC$Tc67np@tkR^~} zE=uCrX?;kF3#)2K@yd_%q)kcoU6kvurmy-91#ZmTv zHOC$FP*oP?+{5MZ#9r;nqgOMQuhm6gP+oKJA_ScKiOMSzgWJ9VGNp#7O$m^iaj@5u8#`MX3GCwKwus?|WeUHuFpslEo|( z%wmFyf`VngSO8|QC0oRPVJr4IRqYkHCUFW-6Vud}g$1yFWd9Qrw@%u2;=PYQyGxwH ztl^B}(#~JF2tmL&$Sb7>HovenI3yHBgtE`~ZsVsveE{Nyi9T@f2tNR`h9!4kaw*U8 z`6kmJQC3V5%Ds29go;n6toR1u#3cvSKui}OxzW_x3RPrfr}oEtx#A?Gzu<&lZa4k& z6Z>yOFfeo0ocr&;zqxCN6;c|wPv8DHPA5%n0Adg<0V_06j78IsGS)!RvD#RALr#0Z z8no_c;E5HY1_ZMJHreyMa`34$FCz1UxX~x7?b|O(iE#kIFZ-W*2YVPi-2EBb4*zWW zX)y(&F(YEIF*2Dc!JA4p3&4U#+?ws7WOI#oK32{Cgqs&Ni8%$`44y-K>f{5*^ z=|PwP;)ePnwEOQe`n8h=N5e9~xrAdUmu&D}{+%BU?E2V@3~Mc84XQ-8z`9g_oHJ29 zor|Nr>eDC??3FU0lfeflSry6ECuId>4edTCpiN94*NEWmB?-P5VTY|O*~h!f(?w&l z7cN?gRo}g-Z0_7%|L!0qfB*EE{SR)4l2ApG%(?RxjEWrS-Q@|1Qx1D0BD7tQ>r=t5 zPX#(ZSr+d_5fJH9HE1d(rg$g!?^v7aU6vCG^#4j&7<9~ z`+7VzBh!alYyl%~x&R}TKM}sq^l<(ii=oz)25qYfW2jJ0cTG_cgNGs1+~`vKnJ*O% z_Z}JM!q8oiRAFVL&AsR(<>{llr26X3E4*b4xJEeaHRdm)gE{R zX8Gk;F7Pw(q#1sscng~RWrrnaMWw(RG9$g-Ut!P-<9)I`{PEF%2VMj)(%tq zgMz{&zW8*8IN@LRn!a)HjURpdaanl<UiI zHl9FT<_gd%dnl_ly^3OdE8=~NqTDOuJ&Xw}P_`#{r3~siG^A}>c(;0L4`m09iS|v8 z@UF8h3amHOm1%wh0$L9r5L7TGXUmH0?+sKHR7JkHt;d3eOB$w3NllC!80t2>X9pOQ z{@V51<;gx22VoE1QA*V(4(J@!t9@ofcWPD|po(rUi*+xF@hB&3G}1e^w|n_0eeQH? 
zsdw(?{9ON1GS&vSkMGr~BF1f=WfcQZC5I5A@r-`$Y2!vZH>4uB2-sQEgTbSM?k7s#y;)YdAUuIR$#Y=jq z;wg|mKu1vJ*as-%!k8BYRTz02sM1N+p;xQ-9&2B}?LMZdJn{uX?km(3U=}nAK7|p0 zM$x1@Wzq>TgPpKX98mUx;9S^;%3aS*+CFjnDa^QI|Cj^geyh7MSu(bQz<%ZGH4cmV z>8&(zD^i`fxw*4;H7h5NNQzWqC5(1oQ5owsE!Ag6x)%aq z{YS7!jp<%vB3wp>b|pFdgi&6aJi{h#rKMrFRt%vWUdlkXDZ0}3dZ?P5Nu80-vAsJK zql+GGP6>`9t2!fq1l>h()-_go`>eK$6TD;kb;}#o`g;RaqY7frZ}SN6-#f&+bK;suyg_(%72E*$A2HR{@{ z4OHRuqfv3AG|DTsmrG(_7jR^5HYz?F(!`QmQSd$0hZ#}kU^I9n2V(`gb8S3h&wX`q zz@~8_`tf7fhF(>m6b(b*>W-k4q04Lhz<~O3W4CNrd-B9dCSy!xB~&T2vOpCX6|AgE z5-Y5PWL45u@MKA1rH3jWKpsYiP{m^_S6A`6|J+57`i&wimAgWCRPg!pN-RLkS9c48 z0KFn80EFRnDFo4ETZ`}IhZQ@9&D!$P8}G6*7$d`I^)sUtd6O1IJRG!+r1w^Kx(ijV3{pUoATioc#P{mX&N5r-(wJ^K@WTYD%7LMYJJFM!4PdHDrX z8X9NMoj-5>B77ipEFucX6p}wWlhH_@Acrva$(_Du2uVr>_NjbIm*0G^$C6|B6TJeG z2%a*DB9990XyKRMCpO087~C#muWaDWmOCdMdvx}hMf*<+kdjSP76DZT@1HGH3GJVR zDhp2G!7vA^Y@tddo3h2J%RI$2h87b~+R-CNS1q1DWqff}K}JrX34dMj2%ycSzi*eAUhd>*!YI|m`><}yU{8o^W0BBQR7ATb_j4W^;*40G zG*GJ0sy=8XCgirPid?4nnyQn1l&O?ZH96D2ERG_Q-Rd(bRd1sM#D7(v9h4X4GqR^^ zevFsFKHI-t-w-r+PLJ=00}!a%J?GJ^5w0yTO4S1?;oV~UcdAVFoswhdz#u5q_(Z>i ze%;355*!@>RMG9~7E~qqga>u6jMtYTvw7LTR`=mtAxmmsp z3Bv+F#?=f&gQL7jg_Jv#v1$VfBiaUOJCdfX0y4L6wzQ0aX^XGWq~Ds1kEp1yvTbdRL+qPajSC06{CJ zk|GdAUGv6EM0s3^1(hh zYALep*WvHHgPjhcilux6&SoDv-+A82A224FJHezRPBBW^X019nmA_iF!VQ`@aBt^X zhqs@;Aj^sBp-NIJ(2D0mQYxMl`P9fj6$3+#3JX**EwnAaez4f3T~1w5m??%NyZd80#J1-z~bg%eWM4swHKm^&9J_ z_nJG)@B0K*`m1YhdqTQ@_qM+o8rqi1AV~u|Pt5R_Au8=vbSdyun?^Py_v8W2V@JBz zBzx2UjX41mQ&`9C3~8N`u2QLs0w2sV^p0F^t3oR_8Z-Qfc%mRp=;IdK%Q;fPcy8c&cx(CM&U@d*&eb!eL@8Pzz0jfYNja8YU3fFgYP{mYMLX`?vVT3Jq*bG(8`2eN6o+sCk zVd?T4Z+CChgcEYI%ET4#O6?)x60F#zxmorJz`|8nwDITV8{=0Ve(~xXNYON;x`$AO zgkbgB^}qS8<5je*`6UID1SuR=BvZmZ$f-Wo2Af0mW2$wDTsxnCPQG|0*v7B;_4Vt# zWj|U1OcpCx;coc_#VoBd80v1_yK827C&zG3By&b1eEp*7^9@2?PKpVz=H1bzHzG|a z`pnfpT>jPcwBek*{Z~^f(^WSMRP_)_btD18t$*AHN(uq`?x6yblT1NL0wgSPNI_L+$277Rt(LS=OykH8Uq5aRBT|r141`>=6-+%!6XVo^|Q| zD!q~(s;Kkp+vV}{1aE{EwV46c8G#dR)2-W^?(Y*+^-fK?w&Mx=YqZ}pdYDT;zvozD zOmf 
zZF&C0(mdu)tCua>wPQQO5^o7Z6sVGDWrZq@SV>l;BUVCLA;lGnRY`FL{s-(Zjp@CH zR)SU0?gpwPu{!hWTaQgUB>XDKC-DChnWbfkIf0Gy(@5Qa!MnbzvOL zFXz7`vH)bHTgTfud_+`GNNAfjZ6AO9@!$UT(VzePL6-X7di*OOFo+Wp@{?BG?q}Y~ z4hdDtg1l&!{lnrD%wxWHoSc4 z3TS19D$V;R-3yXZ0aeoZAfZZ8DhXBc$tFLz}WNgan+NWBwH`?DP zsOlV<{pV9cCUGlG#i!`5oMA4cQlF6G3qMsjr8;?fPGD`SUrDUb=x~wBkK3BquiN+p zl~Tz_sX!}>572zCm7qcmhT24LG=!j@YNPu3qz&s;U6QkN=Pm{njnPFwgeJzDHug|c z(HM%1Ni{wtS}|^|Xr(y-Z_x)RUFCYHvLjYD8I~Xm(g!G&6?z{a&o2#}l2BE>g$Mtv zh(r?(KtLq~ewy%)2cNhV`U;d+{1A>U&U|a*Yd}<`Y-zp;!q?c z9}yL8uL+d$3``JT1kp2ICWWg&7UbohOgDXK5dn(yO0veH=Zz*CWZ@D>RIAJW=Oc14 zQR|9|S7iU=B!5~aPWa6i_CJzJAE+IoqhtL8gW7lK@aSWY;Tjz}bQr)v%?{93Vh68m zV@?Tuij?wa&yk-N2qSVwunGK9;DxXR{zX0|+A7X(y+Qw?W?hyte1aw_Sv<}IOB0<6rhG(UFk@||*=3sz+Z zRg4yUsFJfjF3JK`EqVVWs{*R%WIa^zIP0NGKJTz9d#J)h=%ES&qM+)~;bYMJH7l3R zm|Rm^mS0nvS6eoAY|6-_es0P%88#$Z8K7!aaWIYfIo>2dDk`jPc6gWiG~cwrUeP^W z8bsz56}R4KG_097xYXJ9L+VpgV& zd9!4lXF*S_ZUL%nBIDxDnS99{{*K1 zEMXk9{gaOUZu*fweQrz!2nz6LwBdJPuyh|m{ZUmt(cVsW?9_>Jx0uR3`wmK+!scMZ z6-dFSWGO%{kn6?0qXF6bq+Z7o>b}8dlmEiJ7nhX%=YRg#@TDj#_&N#>V#G*4XuQlD zUkhX*WgjT>`)VOLe>*{|v1rLz!TPDIzt*1<`Jbt&tr^Q+^%dfF#29=~R8$12R+_%t ziXP79_i1mqO!BCc`v@AfY=uY;0JU7MrJN$gIzNw#Md$zJmtTUs+-}~oQ#Q;m7svo( zT@@(96;Yjs+=)=6haP?yH3f43!e08{+1z$+UOpcuLpx`t^X-4<9qefis$`a0{H{}v zT=^lHRTzp8C_$+Zqi(Z6mEilDGVqksxE+FOm2BxSWe3B9p>BXG2E5+;r)O1qsFIY5 z9>a;j{E(+l&#L6JX`xhRsA4ihGeec;D0|RY|Cl_5{O%d7)uv zz^uLd4zi$oMtyaE-%j(hjjReYWnoo9Cx%Ug2$ml&mS>C&{ zIG8e>N2m4OR1v0QRbn|6%`j2Xpvn`dTDNu$Gg3y&zI_K7JUpZ{Jyc0zC0UgsR+3d2 zpo;mGl~w6{fHEelhblbbdZ^+_kv>449nA-b<#C{_z?H$%N5h6FR%L)HeYk4HzT;w* zrC5-nr3esFs>9~6b>2#$rYKk=!U1Bfisl%c{_^Q_=W)wuR7J2V{_X`-VOj?diLkep z#iixgNpe}x8<C}da0_WmNe{! 
zFCAAgfo~+~I%j~4s_!y?6ifkGM0zDM0oI6ov+ty7P-PJTvVQ8ajl57R{@c+4RsN>e z2btbY7ee=sYE7Ta)G8|O*ZnT*CNM;|FoX^tJ%;%rna0-byU4FBeFacd{r5K^AV|y7 zB_XhsbV-ZA(y+UfbV*1f-HmjEbS}%%AR*l)4GJO%(v8yj-sks!XP6ykU}tvr-upf0 zeCpixF3{;I1<+Gd`^c+k-Lgu9evXB^z5bIDZVT1J{$yePXR0Vsc*;4e`2n7OZ{_tb zPKg55b*$dJqy0dsph~$B6;dnEJ-#As4l@a)Yg%KiW6Jb^alN*QlDp6s)Vk^QzbftF zy+cFcSf(z}J%10YzutyPz-hgefv_0ZvbisUABCvb1P34d)z{Hv)%~yIJDrmU-E+A> zh+y10U`{BVG{<(^@=IJ8upJ{;%**Q$eOm8BhuQs2%Y&4+{IB7$H|sC?g+73Z7PU!6 zwNbhAlAiNt%hDB>oo&WYTB(_-%WzyX9c{^>ftLP=rfA#`l9EPq^%?fT!C>T%269o6 znUwLBe}i}p(Wg0Vcz#ikPu_j+>Lc2I>~rolIOE<}6P!=PpXFuJ|Df%-$&;ODD;Eb1 zNGwQ(eD^75*q?Toh9Ec+;V&bBP^{4dn@xQ~um;7ZZH9i{xKhFx`BnPxKZ!1`027vjEi z#AT?|e-@3yW_?#$nyk?P5j^-=o}qxgiVVu(f@Se}P}HVT1yP@Ys&r11~&(}am#=(9ho;s z8jY|8*MS#Idt0d|6O01i$fot+c$I${?b+UW;u|OKAt^(UJ#P4n_RpdY!{D2gQ4c?u znyeY$zMt>q(HPPUyyDu=a!l9nNB;H;j+DA$FTmi1v9Yfn`@&rSK4qxnX4bMtzLJa{ z%9F-fyeoMA^T?|YplT!av5=iN``U-<<)F49r5fDe<*dZrY#^FC|T5JBy{f6=hAzEM`<* z>cI662-mn37rR#y$(nWwxv11)7voX}q$gR8@|FGlTu`f;O;DPBC{WbbH{b2i1`R}l>q;WjLG^rnHU$Z1smC(;QkzswpyrvMO zu6L^2QR0M{d|PU)dohNReD-&gDzBqp^XJbKRVMnsO+Nq5rZ~!x8WyPTI__;1_z$#9 z)-0WhL65LXd|z6C$15m5ou|j=XsbjHQ~d2 zCxs-%Bejtm)!xciunnfsn-rt6V%g4r3~Y( zTzVj?6ynFkyDsZTUi*&@;?5XUZ1;&RUY7~m?_9G7(6`@&+QAMSq+R|rd9KXrfJcxl zKm#d`a81-u)~IOFQ?AGaDdo(_rs?0ZZRap)mWG0_+be^F8sOCFJ&+2AjzCra(o2os zbA`+?+Gc+5zg`^BrHHBye$&reoNbWTNVup!zubLu_%}w+g!{3ISa|;rJXwRoS820z z^o^E7lFq=n#}GrN)SDfV`beKj)0pM%6}w&!D7h@=eW|((BZa6Ck8I5lxkL}w_*KLR z{px4dZlI}%moi+j#CB{Yr8e|8kt>Es8kjZ%HDP z5P8;Xgkc|cKO_R-yy5!1$&hM_-7-Lm19RDT-_b{7^1}61|JenSgRT$h9~+dXhl{X_ z0A6OIIfKB_a61%#m-!ilp@0$IHV^YL4|fW-2`=*snt@F)7l(pnQ6FS&aa1r_Z5>b$ccm@Qee2ldWR}$onOESVCS0U-B?_iycpjOvDX& zCv|0bKKb*i=I%-9)$D{I$NEnvyr(3#C#B&m`*fZBJ{|)|Axo#JK)9pI*m&F@d_vlw zoTFnW+>RRt3S886!MoptOfqnltTfPuZnG5(ifr4neK0{{yVW9eq}Ba$QZ%bi^SgAv zm#(4}zN!1;xtg-+KN1l}EzN%pxB6Y*Z0&n&yL&Z zkzA>xFO|ddwE0E=Ofu)w-^_otB8nAfOVS`jeK0upk|?M5317R2;}4mg98!D*W<=?Z z09Kqnl9w~Q!YEvARs@xUH@aVFXBXl0(d+vT{UHJ)w(!&8pJ?1~(Pw#y8|A~PE92_} 
z*~xUo^9}xQ-&~U8H{I04tx6!k^R|rhR!dH3+NbvtR*K@Y7BSkpzOHuZ>_g*zjNSzl zzpA;Z3TAYM?#zDKSXUkd5*9!L4LM?m9l~zaE7i_M;)s*GZbp-<44aQv8cc{_E$HW( zr9h{s2k>2mUT%n)@JfIKo(3kg!A4Lv<`gzEm57)|y&)3Z@sv2nXS+|@Yg__MA6WHt zIAJg0c2c@=Yey{4#~C6Af?daV&CFSB#WTP(9bC$zNMw4fjo*2lF;d!zDj%g$O3(_@^(-)$$bYD;+9_g*Mvy&u6AWFIV`92tsma2UgFcr z>mJLH5VJZQUh;0Kw+lZnXb`&{~LmPu6uMxj0(K|4+d|)Zp!kT+~F! zW(7eUv5Y9;4@h2|6KD7_uy#_#(^CU3nPQzd4&Bgany+g2yQ0SMO2)Dq0rT=%t&_hR z+|ju8_5A8<5CMiVRcSqpw}QR=57%yA(#K|g1(KRp$=J`YDe#a|*JraTPMwC0Yde$H z9bC=?4?<=&Ccmipjrrv*PR4LQuiSoTf{Nio7g2~A`Lq|Bo5V<#(%zRpYQcv8;V@=4 zmZ^B3iwk11+|1zGyGou}AA-Ev6i|-+99tU~nlRB`tEklmEasf@go}JBahZjh{LFR5 zDLf8SH@oiG9;5YJk4BM+gNkpjwoSAjZ|_6F9flf4WqomNs*lF>8VNSn0KU)k#_DJ- zr#ss+khb=k+0Pkwq5LK``hc9|>YY`4@_lrV>s zKrQ?&ic)~zoOKGK1E(y2FjUXnq8;j|!QK^;a7OryX_ofFDD@2fX(|X~bJisj$|$3N zlp^y|E#%>lNqb-$+^Kr)pjd}c^`}RS&+6|~VXY=P(Cn7T>g_AD#ZHF!RgUy(#_CLO zKF3)Vw0=(_*xdDiYf(kFItFbfwZqHO;H(#kB^cLl#u1{Sv2i=&B_lf5WGTi{y#~KM zSACt1A22D6OWZ+!DzOO&120;)KdWE@c3HOTxUjG*(cC}Xgek_mpVW%_+lOnUjJdX0 zFHr^tSWu&Y!LtaluD0E~zTxj4nhLo$PiB4V)%`=^)X&(aCTa1Hc*V#hWl~a@+DNh@Z@fJlUKGYG z#$&=g?r%zUO}?|wdoMulbPt1L({QA2u5@0qxylXDC86-9nL&F={*Dp>)%$m|k9@bJ zf6p0Uj;p?Ru_54!`#*(=D2NnCHg9kCjYdR}cV~;`HHvSL3pFa0Pdau{6$}nlHS&2R ztDKPs4a(Mn3CdYYi}DFlfe~cp!88h9rI#o8LzYSQ)6*#wHd$x!UAGmG>oLFRIDAr= z?vL1iu6!@fZt}dxzwDBWtV-oyN{FEG;WSc;nb9WGUj9qy8*(9Ai~||Y4$YHC62y8k zxBhIYlJ+YO<+5aK_s`j^^=!K|bd}<*;Ani%5o=wioC)7s!SwdHr?zw?Ck`G(+h^0A zV|bx(GAy@S%_=~M)mcSaLZ+@vXUaUVgY(2u{(EI8cuN?Lm?=z)joj;l`Op=t;0(8v zD%&PHqm5dR)IKq=9gRun=NcJ`+*Xq3{3mB>CDXV)fd_k?to^q?bp{U>cokK#6(lB+ z<-M}%3^v`WX67{t;#JC7@1dB5aWQ8f^FGS;DO@bt>({7n-n_1I z^=AlI6ya$W?l6B4pPe6adiWOuaH(LU_%w-${iHOc0IZrgrAI0Br}Ts zwekL2^8=yO1cUrjM6$6}MEc){Z=!x$spwVG4_^0qH-~If`EC>}P-O_f&8Opqz}3F5 za4oyu)alRFN@chD5lse_Kt;mAoAJ~0b)6gy>4qr;LwT3r^A=7p2#HCT+)N^tT%w;Pb-wq(|lhIcs0N8H?N(?nl^sY%Fo;$ zZOGARAl2i$nViVryBR=~3gU-vCc;KgWYo?4m(dtydt|Fclne{kMVC4f=bA#+nK&F~ zBY21c2nM`^{pq||lgVxS$pnFI-tC^xr_Xxx7Dl!wqfDR8b0g4+zpvUK?#%-+Rdw2$ 
zSbX1~185$u`GDU@J^7E{n5qArYTN*^gGng!iRff&1a0$Oz%{B2BM1VRpEB%8#2hlps|5!>}!i3d`zb|(0pVi z{9~HB=Xa8#zs|y>RRvpMCy?s6S@AvAksEvPTyZBllBJ+%zPc(w?kx>wxpjLk`;f(_ zJ{>4BeanxG9aGb-d2cn%Vv+VEER-yY4Hui{49&EPpvqIfu>8C6ia1#8bv+isyiL&V zALmK&7ah+-vG4s{5cPb(8I;E8}USQ7u?y<-h(a5-dmZVmQRRs54ORlo>lo914TFmr+61g~d{h6iq!E3=kDbK6u57CxTNl<62Hqw9W(MCZm(ve%v{DqxQ029xE|{`?u<=qqaE zp~-5wx6HhBz$NXtm>E^ARY*5P=%$}@?CEZ2;vMKMIsZfV*IDR!2m7j+z%MpO({AME z7|DH%Y|%B^=TLB&e5~LI@(FY|6*OLOhQiZel-HF5g)Y(~1xX5os0xhr3op?P^wNah zg;OQvWsw7!8zA~_m;H;O@n1eiqe3~s{5At>g)!a4rISQCU(d!|XpZw;9qzA1jya$m z|0a9|Y$iS4M-uQzMGozF78wk2Jzr1Sdg?nW%Bd|r2y*|Ll!&R{y(PM{=f`cbmUJ<;=UVJJD z$F_JTn{@TN+^t`EIM6;rht6VxE+Hnq>2WbaQbxerGv8-#x4WCsj!MHeljntU=ek6= z_}T*Vv*+^_2x->aFkNgSiYT|(7qTlvGFg`b*54{}G}XjkKBaq-zEaTtDxG|$=TZEK z0EcdFhDY-UJ+c6r4C}bQP4FkrJ#kpR*PgW>&&U)4@ZJ^a5oD&xB5;bix+!?rdmc)7 zPtYT;?giB<9M2#03u1=$2qIU2y_MrHK$YvkX_{6i0F|pf5l9=9iJ@E(cBz2_bFH=~ zfZFzQQz3e{b_(sTlNC7D3aLVWm9ywP@6U&9ay|=9r+C7{`;=*0+apBdMrQj;YQj5d zB_-K^`gNr>bq_6{TJ1zhOxHuc#As4AH7|ativc?>Yifs z4TiBCr=sUBa#X-S_{jW~nVjn}MgdPN6#eKm*LI49M*1`TaD7~0Qet~uqh6EICq^1MQ?brs%;Gh@=WB@2S*cFh|`Ts zLP;kN^o&w^G-dsKY!JJehj1(2ZGYS9dV$qv@XTGEZpm$SPz?hq$iVoXH8SoD9najO zp{W~R1q+4`6?=cKX?1}vK3r>=hBAywW8cC4uE`|x%pl7@=t6VAZS;wDcx5*SE^L@c zFR)}%AHA|@u>rh`nTo=b@9AZI@XGPGIihbq6a)qkNIe*z!aA}m9ez zb5nY_qVuiNs#xJ6ga4#+6I1p5%du$@)b|nOI<^mGH@n!=HgYMWtu>j&@SRa|0IuWh;TL z`b_hDbpLqHLG)w-hXKz#a7=R`H(7H4g@3j=otO%lM0OG&Tz}uEpddb1rOy;()2452 zg281iq{y>WJR|_WfP=BghKYCV$W1 zmQ+TWB%@k$QCfF2%HN=svZrxZ%F}lY=nbWcXI7W)z5L6%@a1-S(+_i$wnNx;`_#|V z%^AEDr*FB(iL9w>EzA?rN?#0UNj<%of?9@qGSJ`o4X}Gk8t`Rkij1`-Q3P!`Y1f-5 z#PT*v)aBdznTR<0tY|tp`Zzd=V9Ud_jwXzJ&o#rp{)o`qEr4jCSSo?3!s-o-2!_p2 z0Bz%!)Is6R_K&O8gTLW;Jx3%zwbscA2Nu{tO?P}`YReLY^g+qCPX9)fCbbW<}>&x%~KLbMl%Uovx@2#kTUnHKLDyE z?Ywgmtz$FAp#3so!bXZQPOM<^T>Q(xW1Cr9fHEf*zX=NCp>`P{C#;p)_FRfbP`X{y z{Y7AvB7=0?E-_Wwam6b}F{cVP*ZY|0=Su*VnpnW*#3mu$i|fTyD4zWC*Q3efe5>2{ zsVRCW6un((=n46(C75XWb0XIP_&l)HKrHdqvG3)f)9jb3PG6&6%hz0z${k=r=5*Uz 
zf#VGzj*%x(nyRuWA2_EtDP!?9mvM+4rbTJn#?uwxxixyvrXOVXq+3=juJjDCIsdQ@GFVu!coX z;6lIXe)v6>Ei#xtt`hOc{plY&-6kKWwDY4+{%TlRAdxwY&%)wz+#hP}rO?i%kOE_? z)yiKJ>299i`)hiy-lVn-Wz#{1E1`d?}T;3S$;w1y9`Fg&+2h0XLTAuy`ED39r&=(?_;+F%%;#zEOAgaBA zBJjfF!#%+*FVm|=i*3iqbB5yr`70pD`k2{9{SMDDi)d)bgUB0CbVO z0;l}_$6#R6S#XV^hDMupdv&7^hrZSM3sgTqOX`k>lu0v(jVn+Y!~hx)purEl)Tjqn zUTS1$D7U$cYnHA7s~ohJIxTen%-x_00|+Ws_M~1mFIXiJ{Xf+P|`^^`j+Z>-OIB>QJxjI zt;}wJ`+NH1tP9B?u)cwov9EUyP6Y|U4(+c73s}g{zoaycMPDtu=1aBJwMaWnKu44cl5^FT*oy;s_ z2bh5&j~NR#j#(OP^-^_q`5116MJV&Xl4g!oO8PC?I64~f;$1ja0S5`=|NQ}QyEr^$ zdiDDW4dlr6FhRdA4C#bbB?`jEaRNnCFh1p`v>e}MPPn_tf>)Vp7=869uPrD%nA2eJ zLVKiV33F9yqrv`Hu{wdX4c2#i*{qgtuTqJKyIK>~VoM6| zKxOgEr)_ufNPV#L`Qd)|VpLbZFb4AtGKT9kDM1g~^yBQBe0FuU;Za+3V7+t=czDl6D&Obi_Zu?$5||DPX|`b7Fk3_ek^U=9Dm1$ zo~X%M3{~(l56x#YEABx@7^;*yR(>l&E*9Uj#j5>OP3^^ijp962rz#vx*W=rJ?_-4} zfFS?hd?zL2Jc=j5?=dZt*G>k-PuPPD(s4r+B(H}y7JPWqp)c_ap&nzZVmuf`d=_L|gi<(q!!n z(`QOIk!1HHEBnnqnlEDIbK2TbZ!kI}OID8PfpZ`9kIol9&>jV}#w|J*Cm7-Oy!Yc73ZhPu#mP?%urOk1oBi58$Kfcslt-YYc1KdS z14;48j#RWkOm`nLO5`R1cIR8ZSe0d19b=RgcdbFF#YZ$A?xzMO^!3iMkHq;l{Ma9# zw4de4pjfTlK02D3cf~7cRVNc}*fL%8ve#T&U@DWcd;V>!7xXfO4ez|*fsF{ms(({= zNaj~V$W=^iHn8%3{9d${S-%W|4S@O&vOh$CdAO@JZj0VqI3wAY%DDzD>|w*^YQNZS z@i?$@1TCUYreXb`Gpb4ncT$CGpX*np4gs08Ps8_Wy1vh{kQ?iew}0VE-GnZ`q^yg8 z??o8sK4e#%Q9dTKuUe^)V*(rb#x<>8z-MrVa})ub7Qugo)>A=V5aXRek35r-`QVWj zN2FPY1Rf63C+s0o?||C+**R?x83fLA#QYDDb3w<^#EQ|=1NHA2*Me=&f}o?uma!9q zPl<37SVD=tSU?zi9^aM-`2Wg%d+7)a=eV%vFU;@Es`+a5t`3&@Xo(a<38!A%{U(n^ z*5@-)1Uhrta+@Xn?V|O&Um6B`(>X4pPsC1`8Uwz99Qd2K{7OykyTkaHREd+)hJ*pnMF4$e9| z1IP%=+>e2}ck>U2K@e@Ks!O3Zso0}9^_k+zWHB?sKm`zbd3;d-aXU~t zW_VkHWdF*)^c0p^vuS||C&y0q^#5Rc65-m~hP)hfc~Qy?c*yJw>5h4n(~F=p)}+-j zN7KU9p1#5*rQETkQk=bjg8h>wR0iH!IBWdM3hdQLGIS@*_KP5ISj>X&7$ z!vvS#qhZB-|RI+;W%O;iBlQZ7s$Pgt(RgAk|Rb#)XTQQEi!MnG|Fl& z>@?@(7gRxExyUqN-RKDnbv zmnhlP0Vl^v8}hQm-+4#%r*{Uti9aU~v-lGDuIA&$MX;Wk93S$WsxztQFbIh-CX+et zd?jt_W;HwrxeExe#Wd1-r>aUKL_p~j;6g4`kQ~pxRbhUHhm94I-3pWIPIOc{q>3%|J`bLhkZyf 
zR*k-djnY#C(HT}Z)5vS_vS@jtl`v-}&R!4M&eg5c7oWlMiK;<522rE_1x}ocy6(L1 zg?yYTTGHsN&g^2SvO4Eojuu0|CPMuEyDk7!EgZJ%>48-94uGeObBbC6NFn~!fu@BCBwn(Jj9$2-5imctlsm@G?mF) z)Y_pS^P3pr5HdWjHwx*IQ8#;)-z{6-ydZNP=gL;4vGfr2h9F*AhPo4n4*E32gXaEt zy_QqmI$V=E3g*g_awE(VZ>77R<-t=(9T*tt= zPs>EOR4S`|eznZxmBPwCB`mkh47$&c;hWKR1IlSdsa)HeKd!U7x3mk7Ru7Xzzhg8d zp!0Jt-YAZ-si+p=ZxnIqknNMc_{g79IF!j~hM9DYZoC0me|;8RWSW!mk1Q=Uj*^Ow zeBs}2dA|2a4-N^zQXhF?<*vbu0p%06NAj`2SFTqnD7<9#luyV^V%vwVn!`d!gwDA) zI2Chh97$^n1}bBOyNm3U$2&p|VzpzmR9UlUm82`un`qEkN^5?lLRvepSDWDia8Fvc z%K*;getIB<84H-hlo8o*33>q~*YllPM+;`7O2t<0;d2vl;Y4BS?}2h$r82Jtu-mp2 zeT1zINB{)&=p`0Rzzu`+rcvYQJ9=xlU|vhPHugs*WyVi|LMr=WEVXW4GM@vaCW#0S zM(OX2@JfCJy%`@qQ=*zmdY@qx_)#)91F2BJb&Z z{^J|V&Iir|qL$ZY)ek`lL|rYXx}7%ydPG-V>y067cyHVEdDPI{q3`!wTa8QpYD!F( zS`w5h6%C=S#sifZYX|4rv#ciQyk2h=by6)R|8@61fGSjcn@C`iVCSPGH0xN)SjN8| zh-up%mz^kOHYzXkNh$rPU`G5PBODVcwjKU;@RGcB(c;#J*Qi|y%!$T@9gU7;F~}<1 z`wdL^{9%;``hd>Xnfj?>v-*=Lmj#1{d6{kwKvNub+A_`cQe_zYUR0c=a{Wb<4Gh}~ zD|PfmWwIugfvu9&LM2de=#gj{AJ%eSZXxX&jBedK=RB> zh@%Mf7i>25W_^l@Vhy7FZ%cixegp| z#v zLj4 zKdyc`m4HT=17ZHMxL~xFnDPrx_6IG~*dTOdYP}o>THJp^QvScT7nRP)#=CfRy?34FIuuMfj=3u#|K}7rU?d8Qs)BensUdE`_she|#o&9}j zJ1B;|fh=cM2GP`9eyUR>M*Ye2+t@T~%qFoVlI1s)b;}g= z6k{T{c?u1dEAELtTww9{PlOXx`uvOVRqoxQJm?ZCXjm$q!fLJN_4wYi8|n3gtg`+I z(jj$^x->*js1o`ZUl>DU1`xyZ@^;$za|gRR|8$B-v9a+lj(D4njL|A9OA2SZ ziu~Z3O{iCii2F0u{HKpLmFxN;cC7kw#rN&vcknX2Fq>dF0=*D>RQTV)iU>u3EIVK#Jz`P9E24~8r{@o z1Zj2$E4IVidd3`k&&$pwn_SqbRR<=2>V~$8cohF9Og~UV`1zsTfJKqXEZh_}@)pr{ zV>pVwUoff>iX?M+Rl0Z0SOI?U`O!1dgkhNJ=tw@7xjN#c>D-6COLLmH`}pcXCaq6r zBsYlvIZ=^oNxs!9C7Nm~XW5=^-oKh_xX|40x6aN_H5JHIKVq0n_g*`lb^+LW1vwPt zu?O7hSn9w@fNx423P?m#Q6cJ~&j5R4Q5zhmAPm3(U+SmjklW$OG~5w20$j+;l$l$b zNu)Ezlz}2%9-PhRurf(P%Ra{nALkla+D?3 zBA_fM*iHINeLEq+gKqE9;X{$c63A|fmlxl>T;a;5C0Y)LJvyv5D#YE$p)t0O~(5G}R`%GbG zr*XZ|=&eet0FQ;|(;b3CAFpZ@8|%;A`oX42h8$|4;IaRH*~QhFO?kQZ{j)wSNHnNV z32j)>APk&{6}IWPK4f)I;R$~rH4f&!s5NOKk_uCNK*wJv7kj8k@92JlAHGAsm7DNN 
z?g}qD6oE(J+S6Y`RuH2Y#JgGRM1f?PkfT4>oOj=hnKR};0Wyke8*O0CPhoei+1R5Y z+WwcCtQ~=)=9S})E|AzySO z4-vb3Y-4QVjUHRw@oo+GwJ|=35QaGV83mDlBEFT7Vk43&VRIaCT#bo*GbZ>Ko;776R-PGj#WCZ`|9NqqzV@EG3gOBi_*l;DozH z!2sXD^yZntFTnfLA-)wC5hoy*24K_AwUkkgM969rHvV3ngbzt|U=%@Ff^^v^xuI9{ zV=qDC3KrH+R0@Vfo5y~h^cUxeWh^~tvig*!?0B9;m&=yJB6v_Eh}H!^j`YQJoeOiZ zh2XBZ~`Q_#1ub!S|bvNg_T|WJ5awYVVzGkIP7%-E3p^T~wO$9={#2q2n7h_qN zt^oAZgqCsd5rW9({A=Xrzhai*f)fm#x`tCP;l8B~>Q(df5^hcTc?R^qYuQqe<^JkZ zh18OFEnbV6cfFZfr>QQfo4T11F4j|thO@mRz^U^;dC@F;uL;!&qb5%I(YG0GySwtt-PVD%GCO-s;zx5DelDfM0T4=w^cilP zwlr_P!7R0S<&ikF;clYp?$T)Jz##H*g7@F`{yd2*{xU16OLF?8Gg0B*u~Wcxj4rIG z{K?J+`Vjz1w~i}U1SsEsaMg4kVJXp`Nku+MXbjFJ_%-~KgNjK6OPib)kadqNV%XZU z#kxK_y7;>MB3EDExv>ziVdMc}vnpQ6&Dse%%bSZ?E5(sF4<;cxO(8?;n<>_0W1?w(<6-|X~{TZet*NZ`ytag|#2 zlbb8$LTKbVA6wmjF6Uw^1Vqmh?B3HOvijH|k4P>~MWbbgk3KTOJ<(wA2){8tHh7>F zwKr8iHhH2g0m|1X2nF7<3D7#}^gzj%byuVd(dKNynYe~@LFuUweofZGm{xaN^}qdI zpO;`LgnoE9Au46jgp-fejjaWP0R>W8}I9M+yHS?90Sid zsMU5c>#8jxJXD&S+L}hBv?RZl6J3nrUs{*GlBL2wKhewx4#>sEai9HSl%abQa0)@t z5^!S@3@vY>UlIcknz!vIJxqm|=**R)r+3&l9(2^pR+dEQL$;yqEqAdmj5p5X4(I({ z+nUHJ8Dwkt#d6;%TU&!A(!bZg|DN=s%Emg2qiXGKEd5*^;|xd{Ujfvt>vrqo^4x@y zp}telOHJ!{3=!_A zwK`9u07+p*B4M{-7?{KF|HHi=8Ng0Sq}g+zfVDa z=;?K%<->ja86_gIrF2OT7cxPw1Qf%J5TsGR;M`UPx>5fGI0vuqPu+FBC;$Hl@n0t} zA1y!DkAYCGkh=F@+Hqrf`@|zZn+h#XPLwYWe-HEPk1ZvlB7A?7$?|KIgL_4hmO@`! 
z9G<;^M)SDZuV=zr+fNc{y114i`FX7PI#YB8;yz~__F;&leX59R`=!ul^b$r!(+dN} z1b&>x8^VGZj^)F8>>us#An zbueHtu+oGbnynRMVdVMw`O)x4%UTr&hNN#2oXhs+MaLoUdTArjI)=Z;!AgoGr|-sP z>HhV8Ww*BtM#>yG+danr@c=(V@dWe|XRxJWZBZgc$_OqG1Sf{0)lS(GFakD?Y z+VS$7J=b-@6Z8!1mJCC7(Jo4^w!=mGuU)3HN;>)9q)mNKyQ4=kSX0(Z1lr#v=_QkfR~fSz7lgee$--YlVRKJsy95f3H`Hu}43LnlEWvOWNAK6l6aRU5Ft@5|utASGJux-ZHdj*?5i$H7 zW&8_m{>)@SP&Ai@TJQ`K(28MK0#ioRLYBELZr2^d$#+y?cGsJ>FvYG zDcdUGRnMGq&;}QZFPOuUVX_rul|}ta$TZIBN&u?zdRSiEWyV?P_f^6nd0CBxsbtVv z1uGo!Uy5I-{|>pe^%@voU}>?iV0Aq;0Bz@)eS69R+%}lvFg9-pY0popMf0l4#+8gO zUZ1710xp%@X9bo85H}I!t|Oui;^sc-kF|{CZ}ly_ONyu^OB%MgKtJBx^cSK}s;m8j zOGbPwWvn-xNSug>PjlL~ytN|OgObep+o(~p`Wv?BYirhtPV!oqUh<7FXK)!P8Gf-G z*@IP*`1~ROBoPJB<^d$FTw1suE)L^iygq2cyA&;zsr#ontRJfY8UyRN*!oFVe&CFh zSf6v=>TK10JS^A?1|s5s^b{-Khil;#sKeiX86SX5m1(}>_do0~%Ugut=ShRe^eEch zWLQ$ng#p7S%qcp=&0F9?i5#~s7>>d0gOHx6A2y32ur-Q$8`xY8PO@IgSd0-gQ1Fe9 z<58ZOq|XXOWpX%~Ad6vJ_OD`qf-zu{eCEy(p?+l&ij1HLM&b-Q8G4^>8b*RQ0%QFw zZvpB<4_ey4$6X7K{Dkx(O#@~(PA&a3d_tKfE`>oPOJ#DhX{ff*F?YI+9a}h96Z_jrDeO z<)vQn)Rgt^yV{nMf6Lr1K~SnxP%^A%^t=v?SqY4s&Vid~mOG*inW8_(7R5qm zd=|U&aKAN)fqZB=i!X@5V^kR!dOVFjirrExu-iWBz(&a3XJ(jmhre2UnG@L;#yJa4_emBG`6ZLn(vx*(LnzAL2QRbBD_xV0d!I`eQ?I4WG;W(m}Bm`JCCYFI-| zt37Je8b;{5kop9OD>c$3e+Swg2{USh`+UjDu>Zy` z%Cp4k>&$jCNRL`7`AA9;L9JjpUEZtU*Sk3p_L!uBVUp5cZqL>V3)RWRMv-swK^BfP)IDqx@=ypkIg>ES4EVh zz~R)ubBb!sp-wD>f%{G=&i)0d1n@xK{E`8c#fFih;_5|Oxw{D-u~4P4*;OayR~rWw?M z36P@Ezw+e~HzOJW+IrB@CTH9NwnHG{o&A}4%Zi~lFbW$}Z<~>kcvp5CRBz5Hv1WhsPw4NsJqcDj?^8DIQuhNTo>mT-k zA#p3Gkz5|Fj9$SFM~{K!MU@8l!UeRfIo@S$+e z={WzyNNW$tcm9^mg)Nf6_btd^ZmJxmy1lJFlRSU^}m*;hWnyF$0! 
zejrmgph(-U1N<-;XNz0?GwZmspvNf4)dr!oQ<0F`xv#`%|8QYk7JNL&dJx*b2yh9# zAzY}<2_Ur>qxVNU>nI}!N^r=9*XDioj4svH+reJ^^qSmee;OmA4E}tD3RC|Sve+ZC z)5@z#jb&5x^jpmo8LlZHqO{z%8JsKczHPQW=a#0wZkC%rHp%~W`Sy3q|KsQ^4ASU&ReEp9PCm0|swdzBA^2RrR7Z4T6eX}S3 zKn3F2q=5w3Q>ilxKL2`sn>GcNh~MT5mHv#!*%j*aiJE)fM-Qr|Ashh$4j0)zw42V` z*}_TzHp!5Dw;3lfcu=eT_pIV;S8LL-IK-*5CK-v}eAe@LHFU=W1imo}b z6k)Jl4U08WehwRktVNsL!nrNSlht9l7F6%RFm~dYy!fpTl=p33n0fADNwf{XHvC2b-zFnW+T3&flKw~TWvdDfxsmCkh>*TrY<7fa2 zZ3Q(X2$M9LCc2fkSFT3lZdkJ>3H$=SkT7xTCPR8HiouXF(7)>veyj^$o7_CEiX(+DDp8F6y|SKDbv!MAqD+av!5UG#E$bc zp!}fT(zL6ST*{X8wvZVAo3FP~D0ln5myU~$o4eF10jEr+e#tIR5Te$UmKWtweYSr= zi<*>t_?ana0(yFKVXfR1m!~9RzxahtOkaOc`UrxAIL~Z{D8JBf#;$yx@rXNm zRZQFOiOMJ{o-=yd(fY{7y#>?+0|{&?rqF{tIQOAXI{?Sl<+)0PpFBmSl4p@PISH3; zptr$1rO$pL!}dhu-fc|!4XiSF_9sKa^G8$%OE8cES;Ygm%@_0Tv|V#-BZ>H{Pv2eU zmeOzo)76jiVepyYs06e!$^6(%-Co91%XHC6(s1k=J$K8dvY$LvJt%CEf6$LTbw_7^%;jGn7_&`6=pIjntWR%5?qgA1lj=mRBkN zmMaO{*@SG4419M$MGp3og^Sl}N5eY_rO~fUxwiE&?i?NlQf@!oPE*Yy{02_blG2Uv zq*!U{zpT#WyDTv$N#)c;$vAPw=suYBhR%LOw$KR9{t8ONf9Ju`+z?(LoQ+!~Rc{S}xaB05?xVA3H@*ju-Q2?n>%o|i+1Yz~!w+c^HY%tkA zFZ1e86q1811z^4|4H;zNLxPj_-(niz!Qpm{*{) z+Q}pL0q#s%hjj0tC?yZoGY}iu(B(dO-CK9%DckcWm@tJ}oqoi0CYQI{RzZH%42kjFYur}hci9IviumznxnHi z^hiN#j+)p=B#-F&lqQto)@#~r^f4f{uHW?VRlW>i*Cr$PvfI6!0)QX;Iw9n1fP9`yV<~zq!`H2plMGsL<Qe?JE(rL+hF1nF6FeRke}iEn>&-Uns8uF0>b?2rIvu{X7#D-w)w|}qb9x!m)6mF9 z;mbSk39I4TRsbU4;h;V{;O1g%YdYyb+TfE@Lq|pkjT+yjEXzw^ci_tLpdw6tN4BbxREbfr-Jdw(DZ_Je-sx>&=nqy?RS_xaOHA5 z)T?{52@{Amu$^?)%RCOyAn%L}=#OT(!KP}FjXyXPgY-XaNd&GO$K^@+UL4F6_bYr1D^L3w?HQ?bTd5T&~Lz=#VerzJ^^s1ZK=r5(Lp47l4yKU8o zRzSLHpuF$JqdY~}lKJ;+nmTR-;wX2Ea{seUQke{f5}AlZ^in>de8pd>3DbKe`yb>N z>a;&TrQs+JBvwYW*6?m>WKTdy*tY{v3x$uE;c~Z0w(2`C#&9pHUEBM-yMBHa1BErnc(e4N0iZ{&BY7IXgdfrj`fXty|1%fCq4}fLO9cG*j1d# zF{W`#ZGYrL?D5G_pUWbefJk6lOyn{H~PKhH{ZfGsy@-Yxv zaDZOoT>7RuT?ZyhVdJscu80V+gQ7>gsQ28*MlybI4>CbZlEYw+B!8|Vis&l+VT|iX z#&i6Er-t(&24Y((oL?3t{r$*sDSzp&uI2{2jx~S!Y0`Wo8$N~aX6nzbC#E@`4r)kYXdlotKLU 
zNN6?o8HXK_~2rMC2qo(+bj46=8ras&bL&ufdmx29tzpWE#_wWxKt)+kG^xv6a!imGbaO#( zkUj~4GC#|vG32rFcASQ8SY4Hs`Nz+U#CDE1=l2px4_{czNs zH{8~lB>sj|xmvRFa2^EEyy%M3rEnXuM%v(Dkljr4^#dmg`d*0*l$Y zy&pZ(q{K{hEHWsk%v28WFhGIg71w*{Fd5=y&^{=mr{EE*l@!jznDxC`8SQxeU#zlI z6npdeafi{YFyoZcSg~C+w>Mb~r~4R4;|Vu~6p5Y>;4~}d<)LvA_E$gg`K+sYH5?2y zuf^BRIHj}zSal()a-#q}19*8#UI>!y%_E+F86S#`xQ8)o= zkXm_&g|vy6=Htx@7pcv5+|)YXls9KvrtqIEiHQ*T6=SV}rRXXwmVm88HE-8QC%R3o z6CR~2bMxAFXq66C?7ZZEUieT_5iXj^_EL4mzr*N1hnfUT5D;7jP?7G@`(!ZH7oMa( z)nB1QUh?a2_YtF!j5A{OvZ|$NRznZOJq+@NY)0T8=RB8_1>-Sr2&sWF`3*SekmR2G zrX2hv-y@LX)ZlRI8w&aXYR2UEBieqK+w&?Dx>=e+iyB z1w~4ts&l0$oRJodVdN<_1!rR)U&FV$5s#Epkbhyoqpq_ik>bVTmAibYD?1~k_1Wy< zL(@Q}xT(XmxKf6mNXuj4`wL3ql7(``T9%N=R*RcUx`t_8p>|uk&FPOHyrySod|xqV zqK8WmJyh5McEV)GW_(dY^e!RYULF$x$dE+8r}>uJVMnuVj*OkASg z^|;2mNw8#9U_j;FM)&(`FGqcIjn>_H&iaAOTOzmAsXVK%Nb}w|gr(P1HeKQL%(Gxa zq4p@~7_lrVCO+>e^)9Xl%hlM-Q?s5pcZQVzyDclJ^vT_Y-_X{iT5%!xMDzO?LRyih zxm*?DlGfJ0yDETaHC3)UK{WvaK*B1h6HB(>{amlcbSL#k+GpeN7jl^VRbPY17FU0V z8{;r!)fSa)O+j$hcoy$3@3I45z4|98dbEvFlv%#FJ7dl*><6XwOP@X!PdB{RvgOjN zV-TK)Z8lG+S0e1E%ePMIgAm7Db6@1!<)_LLl%m28PIXMle)BtoYMD?R1RgBl2I+nX zIK5kaV-%8xzeV?E3;j^czFxpYe4(mk5se3N%=RI6K z^cs(F^)tKv@NM3Fuio{;?<0`YGX?ii^+SJOo+3VaM7gKOSOe^lPfVsM_Uup6Zu}TZ~z5S*RwWWx}xgLZwvN8hlZgTlpfhr#b^kvd1+V-~1YI6c$x~o23rkVOZs1Zd?xm?V7dH})yGv*` z^!J%#zcx)v@Yg6XF z5DUDt_x}oj5ad7Z9AWv%`lSHtR-D7*5?L4+`m_?k_&u|=hW{kbXytu@U+jywx8v?I zc51s~lJRqS1-XY)8Ej$$H8NV+w6`S(DTR(E-?AE0Rts7$e_(D-91VFiX z!<`QFBr8GuU)E31Ai*5kzdRk`fG+El>d!rCQfX6kletjOlD9Z7htX=^fzubJ-w)Y~ zZfr*DX3Z|xDmgcQO?c#6di6a-e;P0};pG|>$2eKJiCJ$-el7mnQTBEuik8vec%)BI z=~1Hu=$Ny{_IXK1TK_p-yT9*rH@L z=%wo&P=|QYpN0oUg9!C~sQo_|d#_R#4~B{2Vp-T}LP&^$e8fTipfzcLNVW=8b!62S%oE;z!KjxYtUrliIpQ|QM}bbt*@F%&@7#{O0&h5S6~he+dI%D1jhA@#2fpEjGa14o5RnW$cWL%7zi zD`oUv@s;3%zQ{$>iv%lb_G@GI<*#YT`{cW38kPhLevHvT71ahED~ftpm%r4JLby1x=( zLQ&K}ytCNgdsQg(x!#>-wzeyAR6**+0PRBYW}k*fQqxqfpU8YLJ|2cXv?nPlH(c|E z(8G04hxP+9zjcEdR0F(nerkhX3PGc5q9XbYGnGBye807ocXNHXE-(;&ev(6UPF^*Y 
z9>FkMl}B@($vbu_J3sonpFI_bZ#YdAZ^c~_&9#fR(!hb%X34wxTkmB`sCLl5Tsdu^ z>tVU{`;OQ-wTk=ei4JXV(DAk-5>HLxHcv^Yi-o_B<2ZUXbWSYfuplvga&k!{Q*yMd z_EBiS&ZydYoW|%I|v{VKPcm7uZSAl z_9M|~Oal7Nz5_AihQ~iOGt*XrHwwqBb$pkhA@dw#@s0FyX zEK1jkKiz>nELR$_wbtgd7$2(Zm5zl zF%=d29-JTudZFsxc8xv`Bt=Smm>q(m)7^7yV|w9Ebz{H&?Ov z22dr-(BYvBqNp$nvoEhBQ$9DAbe?hzd|IyELq|vV6)Bga2+MV}yRwITmTd|rQ-0=h zFr|}&kCdp-9{(X+i}x`8Vw=`HmyXCrchcYFD(r0Y`~Kuqt^a|Kzy09un&{7vv+Fno z$t3SDTIi50BWa1Ln8!z#0*OZ+40nIHsd2TKI@-rlk9{7BwtbitqFYo_;E)z8wLZ}Bm$-D?kgN(>TMeGF zcs9}gDl`4p#ol}ogr1)zytY&b?%@IbRf=asOHTT0VA^`ICUPzOe4V|7(9rq|uq(_I z;)Mo56-jVvxq@sPq~wbqo0|X}aPffKygm-I8gfn(ToDL=`8$;&pH7*oVc=aZsdgqnXlye~=y&`Q-q!H(o1toS$FayjT|V z@ww7bPj&#mzw}+H8AQ+Wg74-{Nn&~5t}KPQ>W}vGC;*VMTgb+bXG{GuY~e4-+tby8 z4+A9QOSgNu2xsqjVbVyE!lpZNj~Op0eMf)~hdUgWqk7Hn<6>$9A;@1Sp6H@UD00P2|zanB|mb%Lo}s zCVLa@jn=8#Q(nnQ1;Gni9v7wiZSYHzytyAF3qGk7@zXN;ED2IQy#jg66r5h9Oi!tM zz8+hjmHYCEMla^!xb}8ZMLkp0$-BHRXlN$)!7sUVWbRbsLHx?`{j9~s%7V=Kg<+k^ zCFe_qvbS5$94`W%UcgM%kx-oR7d$B<=3nj_O#QbPmw)i?xQSO`9kqiywiQIy4Dfb@8@724dK9dz16=6IRMT6{aH# zfloUg7HZPdg&J_r-=%wVdp&VNV=oV16B79h{|kC(*||4Vu9a+@*y`o%%oIQ{rn?En zHLY!`Wjdu)Pf8(Ze*2!K8K*|uSN3wf{WtSoTXl|NPKriPzwOWg+$Wja*ofqLFXn5p z=Mf2CK0M=68eM#dcvmWHh&T< zf0v+KpoM$Vb&9wZY_D?hy9dYpyMZM&l}&-$T-HCZES`=%`Uv zRzC)GR3M9iflQf@W^t_}m|i+(Z&S6vdq{6b-6-Y~GvV|~mV!Ye3Emd634_Jr&CDX=EfkR#ni-zRy*N+zk5&B`Q1GDL_ykhjz zNDu$C`oy_wSljRV%aRQTAo%){rj*W(t zGW$7&e<;yR%(q%=8SdxV>nEuL@&SvdTLJec%D21c|J({${c&03%m#S6d*Sn zl|=pO_6+1vjM2767NcDxO{D663XW#}lqQeO_cxU6TRdT1*6zMj>7TmtL?ny|2-nD;9{NvV6EH1F%*K)9w&t(js_ zY`w_f662ENU>`&d9Wo%wDL|O<)3gQ);a*mWZeEt7@|EI6i~pIp|K5wi86EcA3mFoG z=AGc9_~S+DgE7+?nl}^g*5cn!PEX==<@DOl0p+J2z!pjCA%iwli}<`~J&$1U00VSMTXqFQE`o`j_~AL4mm z2BLviTrqegAF zgAp<fN(EE^5is7lgS*(Vz7J`cOjWb;zXPsCn9344E3#Mi7v#En?^BKYg zP)R4vK$?{E_1Cy&-z(d(8lNq0!%F#RpWB#|KTpkEMl%n9G~i)OuVwi32i}IeFs*w- zGH~&0*%N9(_!o{>DtV8CvAz~^6JI{!Q2qFiVd(O{8~9<`G;Y3Xc&LNhel=S^;J&o$ zGZSfS2=v-YkOVME&yF_2jchMQOALeTtN^*7VR<%RA(s47Zn#19<`B+pfv0h 
zEkI{GUG!JY68yVruhu$dA7Lc_e%YH2eRX6n8bk%76EOCNoeX8}$1Dv3(ukr4ObC2n zrWbVa;9dKemIJFA#z&Cr;h~05$YW$knY%XQ58n`#28{G?*xC5>XN$d9dpaoDMNUj) zlkOEc19zq#9Z5d~vCT%sdGvUEBBCj^4XSw+qwO6TG=wUwmQM-eQkuwEaCh1i;tZBFsO2 z^02H&Yb%JVdb94NOv$)ou1YA0!QmOD^iIX8Y&r}_o~S#(^`t5hVY0ebGNuX&OR96% z9xz8S|s? zpAxJX>uh69i%i#TA30oNo^OUw8IG~4rkxH53{$n%DaE8ki@a2i$Cq`U`%pV0KUw6@ zwWY5Yyi-E9Ys?K2Vx~m|Jk4IFkJ65sL=e%AwkY(7b6>nE*Qj$4dvRYi78O$yJ^lAn zWIRji+h`wohiBOFs;b7l=JF(#cmR`7oG%+avme$vd?Y1;DaPv;*5>9EC^+$2T9=O% z2!7s1(3v@GqCs*f{_a`;7^IU{KJf~9JD+d#Yg;r8_$f@XEl<$PQM{#HFtW!+8%e~( zRU54m;Hdh44FpT=K_RCPj>f-9fm&HoI6o;zH|-!Ugw;&Q%DWY9a1rmP#U6Pw!JWO` zVaCeVQ5bN2D_h3+2_j!if7Z{vZ*0CEv4NHT5<2cHUOkum+fbd`T7^0))bdQMdjnXC(6#p24!fNCEj)LGJ z<7HvEK`42Ox*ohB6s`W(@eYb5HTerA<0fG|^n_yWqaOJ}bkYc6uIzI!S5OJ6mu3PBG3~~SP;Z8Di=BTv9 z_6RXs0>`>(H^$+00t9Xrx1?s*)yUsi88Qb7C`)G_s(~J1VM`H`;X+ZeTL)sf+10HC zHh~m#*9>$g7vx~<#tZlmU#qZuND4nk4p`97Y9OuxsAUya0fd!vtDqA#Mnd>_$&sXl zBb}(9itbd=nKV?GjMjBazVRNSeK*$B4Z7q;I5vW&PqX(wJzmLAGPe3ZtnDO4wsk4= z*mphCpYnrLL?SIeQp<7p^dqm1f8p`P4df{@=yj@03zqCMidu#OPrSn*cm=Bvok`S- z(_7wKCn;eH>CT913ISqMaPh$VQj5P^hpoQ0rD#VmV1i9u&I=15C@)6nGFB1T(&G)x z5DJ4~J(zbl#(o=~`C006qV_H6^d1=nT%yRHFU zw;wjwzsawKCa*wZ#3gCwXn=2k1}Ytf=jNX?y*??)!7QL(0q@QQ^a1C?ubG=ie)bab z^-zV@havX)gB<97Y-L@srPvoOR@7}PZ|Q%5s0c`r3q}ovYB-mLk(8ohPfXW3z8)%8mto`f z|Inc**KwucK-?#nTd+S~5+eN~CZWPI{%%73wf~azr(Cv{a8cBZ{-Pv@g_IdvPmXt68>DuAoJ zfpsFt3pCMlxWFfGVn8g?c!{W|^VrDd*|QAl6T2EaiijEu55;0~aHKJ2a&iqm5@3S? 
z={}bkK}kib8$qqx>^R8ZzPApnuHq_TrGOM;_}G;SC=ovvtV7|1zzw=C143Cq1zQaF zzs1B?cEpwju4>_W8QPfh$b z$k~NjvG@P8(*;ew4MBX!;OUyOvIkiIeh;fJ*`lbv~{OHWq5e%sW zRhA!LO9SxEF1G(QT|_w22;b(^<&jY&TubIk?G!{X2BaK0Ot)Zo^@wgw9Xn2x#u>P<2q2-1=Ob2rE;tLTS zXRMgI*+9;~Yxg2&OcY@DMeU`kQG~n!&(PpHN8d{m5$!P=C}|g7@T4U@rJ30@zM> zNSnu)_4&9w7!eY|)b=tDh7!tKTUiM2%+8yCvOF?od z&yM|Q6=b|{@NXjgJiziD4z)kIrBHzBV$bs=hGyThh~D}*257fr587-dHUud&PXfQq zFWSi4M1{#1$b$Go8X-8Q#vn7E5YpwP@2)HyGuagMCq+>?#unn6$4(-6>nZ6R(e+jqYqtE*Ch&h_NVW%ruO{25^I*RQ6h zt4q)ZY=X~)@vl_FdmjZ<9GI5?uiO>?w-d=HBuCX=Cy4QLoa?~&j150tN}@ii+YiTp zbmlPKSLiR*6g{oNTB@*d<~k9lC~jV@86=vH8EM8DtmT;-byJ{&Q4&=s8urc{xlk}3e{ytZIuK1BY*5rwPFr3)3j$(Yp&DtS?)))MtqO1^ebyf61r4%~ z8g6D{fwFkuBVL0F_$LWVb~7q~Z(zX?O9cp2Eleo&0Ok4!_6`U_#PS%H9abNaEUgvR z;Aest)S*~`xo}babDEF#XPaE9W;4TI;T`Kg$?S6P>Blq12%D}BwUzXVN~*_z?l#no zZ%o?kSJrY-L!6LH%O^dIA_0vDe6*sMhjX#c9X4NKb3=?|OhCyl zZ|mEF<4?vh$Vh55z!w>YQt}AhYR^>u4Wob?m|0hpY3B9o`!BJ4&-aaX=`$_*&O$z} zMOc?&%62LV{yBZ*vrJZE&Ah?P_{9t#YljG<=U70W*IR0ixTEpnAp4l0G~m%c#ge(e z@fV2bR0mpIN}e#75RU2n^# z#(8<1Kap-yFDn)dyp8f~ooMBR7RbTifsGqr07U76n7AiH%M^}yjh@5)K)6;PG25MxFk)s-g5Of(;EK`%tN!#c@{tB z^A%;LYp>Tu^-0*33>p4{acLjcy=1Atl8t5%_%24of67+jeOY?qoUPNc_7N&!`%`-u!mU{8eXTFOG3N ze+;Sak(r-QtHvl%IO)jw%M*b*Dpfzx#WilIv#;ZL$K%g|&=vjsF6Z)M7_hdLPq; zolQka;)+4JOnOXwoOxI+2YeIe?VW$`6@vg|nR`}{Rx6tt+)g+ok)zP5XxrT~I3TqQN!U}n$)@=P z2A|Q&0zCnEWd$`M)qOhTbvl^=T5DP@*)5tS#j zt4+}YMj;0{@vPnkDt7)mpizILa=3kn&R@PJMns~=g}%q1q>L-KDo=q3b&B>^3m3 z!|d}4&8NhAlZBvVe$Y14~!ca`FAKx6wIO zK`hRQ1=Y5n9w_w>EAL;<)Y6Iowu{`#E>}-0!~~UyD3xfquFBpr+)yyk=Sr<{$z0B? zl`${eaLons67khplnNxde=C)vP{2+{ft$gTc9U+8Jw4qYN9@*DeNXsme4CPemDy0{ zf^HpD)4&xaH0)b}4vgKPD@a5RW`jCp4rPB7_i^`Cn*TX4F(N=6w>6}R;OH3xHk&z? 
z-R!!*RG7d-tv4$ieYHAQWf?I`4|}Qywu6uvapW$g@{*K5*FRiA zy7ZRU&a;-^-lCF(-no5jg+jO7J7K*Pic=rU3d>536TBvFms-NjFVMtf2P9p1(IZt1 zUnfO$rJe`HX;SOLa1l|O8;pqP#6BuGIwINwD2qht@yFPyDit8=q`$l7_IHclGh3_< z$n3e>SW|&QaHU>%U$p+G7tA1L;v-*qnK8-#u+yLj4v0Gf$h#;VlV{9@;4@qG>^9D# z-Pef%890cq5++WS7@-aoTb=H+wMRN-20n8e8cH4MJ)cH@4nyHOk(d`GWqEJTScJ1d zL|GVtaon1Df<0|K#Yso)LavyKV>xzj)!>K{xyjUIPHUir9K`SdgEB&=><{9Fp3^24 zWP%V+zcuc__hT~GG%KpRhal^svW6_ba2)UrYLP>T^_rj(yy07ve&We&Ev$|f5n`hoR+>8nI=OPl;N6K9NRxL zKpr~|dfxZ5)@xrFV~IK9Do#rC2Vq*C_0l8)XW-o=fmAjSuS0HMqONHeumiX(5eA${ zae#}{nMXjVfoL=x5K^7`9)utq1zAFED=p2PSFmB8&OTg-e93FfyhLuiksLIBW%;S_ zI1vXL^mh!MpR6v*oN6xDC-4f!)PK=k2A(MybTw>l#MoHgW}$Al#?WL-q%Q~iIUZxZ zb`1NufG;@rZvi(AC~p{NU$0=Ym{-WIwAx&>4E<8MECEebemOK!D>@OiUo51k!+(|D zvZ0#@7x0rKYQumj4Y)!75`pUQ_9sDXgac~+-NU$J`7>|xLh-t|P<(SWtZHmUdCWg3 zRj~oi7>pK!)!e^b|GMrdl+fPK;@~YLU1MW#oY!+%!(Z_9uL|h;6ulEzhrWzDn?A#k zeXijD&`nsD@wx4tN*)<$Lj0#kk#J|zPoO>Gxt5DM=pVUNU8S{*Ve=R0BKON7eCBMN zr^n9>=<{{NF7%3@rw5#pcZSG(Jkc2kSG7EdDdj1?{4Pu3j`#YDc&6JF%`Zlf$E76( zxN#dK)az>bbEE$zDZQU-sigj%+%h*QXONhwWI<}LNG%=D^D93)yC9>#pIoP@Ykx6u z>=Mytns1JOj~W%7>nyuSl#PIMoBVW~Q}gY4K_bq#oNtmBi92Vf&<{L237JOi)fJ5c zO=7t@_%-c&eE31K6w+~|fKSF6Ptho0WlWFa=JQtq-8Ga@mq(L>hmd}}&Lf~4%I=r+ zlQaXh-zKlh;|th7D|Kn#R4K-Z$ogs=_lb$0S?Utp&DR|5UiLnyH|W2OXGAmQt{w3b zD#=s2QKD-a3Y^F8Lg0$npqsn^uY7(3Z#SVq=`WBOHPFEFH566*7jHX;cB+g-ZAX%n z@>Y0`;)giA<#3k?d;&0cZ3gojTSJEJcgi2L~kDu+iw1iX~vpZqW8R&#-K*+yKvV7J!c2mv;A>%t6a ziew+ZyGUjMP0#vBFKb+vPL2p z!9!{Hc4yUu9&HnVy5Y^{@oXx$&@P=NV1b_l;`oc8?n1KDp^h7cT|3g78?16Nzei}fbw; z`@`J5oR{0C9I8Na7b5*<=S}3-i1Lg#;|^o+5%p0Tt}k?Qae{Cfi*Up^k1oH;y!eCD z3$WN8XmZKbG9&B(Retf*zGrVg?YY|Isn^6QUp00P zHmqhd_-(Eyv3ZblkW=0|_|1Gfp7nU=^XXqK#!3;`*(h9-cNT z(}@X5NppaDyyMWx)uAB56Yj%@hp4Be{dy!LR` zma{CiHbkHZFrSCk+g&QD3}rEPlML9Fh5R=;Ei`w^=HH;6uXU1?92HWaw}mdqlKa7$ z0CLQphC+hzQDPA z4Uu|m<{V`GTgUL@4}()Z)yf2Y0+w*;?i=`|I-|~#sN{(4Mf^0z3rWUJV}Vz!%loP1 z2#)`fc!HV*JYswsU{tu%d@_L)p38X0a3WA)m7yFH5ekXaj%KM>7gr78S#rkf=U=lL 
z&Rjxxq$eBuV3Atj=d3U7#`kWmYI-Hk*?@U2SKG2leyrXRGm1rNM_2X1$wD<%qcBFI zR0DqzumGnCS}(pSea%r6d8p2@3nGI2x>YXK>z&w%Pa^a~{MAeO@ zvmF~(tZ&3;PRHf?89jkhW6c1YW^BTw4tT?JLahmm`kmJ=A$X^K$B{7WAtzsCk)H?m1|nXa7om9vW2155{!g{)3VeNa%j` znjrKU1yus~M(NLpQ@K&9oVkAl9IY#Vd92xis+@~|b3m2d#lJb#KM??x`iC2g`=lt9 zf+`#>Sd|FclKyurHSt(V)Um{!$Ku0MA}1&AY8St;9D^U(A!YsJX`7zN*jnh*15bYy z_uPNdUSOvDdi;g!M~lO!VuK!u3VdXj-$SeBIxx9>XFL?R=%r1oKS0xvb&gC)=B6E} z(yRX&)Bk`fa4P>$CF-9s{SQ-v+2JSaG2ZLHP>Gb(V;|&M`z{ZI3^q}C{EgD3VPPVa z$@FBlGLhkEvGECL6bh9t>YIR2!U$iH90vBl!f{1X!*uZM;8_?nTzdOA_{R?#A%Yg& zSf)`V(C1?R98h%zsCwCQ`nf+c-!VW{YkeP((U#9=TA}KP{g&Tv*mfL!OO6C(H}bgO zzu;GtrpL8LKPSJ1ezRY;*Y@i3JVSqC)A;$@p^7`gQOV3a9vi)4TWFVng)cCtmd$hs zUQl3*cfshuhhbQm+X`QaeD>EgwA@!{e`LJ$^RXAcO?>{^kzyAQJacAek>eYm&|r%^ zjg95vx7176(J^74dqR|dLhK$!k%Fq*Xn=aYmV~Qv5Gy@j-AJtR2~~LzD-5PIyU7&- zRf=2j^nof({R>=e%z|T$i#BV*HsA@Xr;Q}CDR80D)CaoTfvVZPs=0nxE_~+uNuh>%1^B7SpU}F#l9UM^c|Cj9{nGxf z*=J^TecOMjhq^}&z$tuPECa_EFJ46ApnpIsI*r~_I0aD!r;JdQ8>Pw#RT?|SUMZZi zrBo8A62`3wfI3u(bj;vk6e&stXBSFk3svBhf-2=)2~?#d$0f(EPl{ZSxOZT}_GSs; z)#BE_#vq3xWo&u!~lY+l>9CI#XmE#aK`0zco+d?HSr<$^RIw*I3dn{U=B9C%v?dfVGOXOD$gqS-#(8`EPa}tolQkan?Hz7&!Qjy5hcnm`%Y}tXxG; zf}8XP(Q|c$_i~^kRSu}a1yZaE7B36>7=a=HDh-gQ#v`NQXPHI%7K{8;P;XE+WFTup#jaLN{{q?5%rFhZ4zQh`%6k!|&y3Jt2jsr*8ffl@JSOzNKz zsziKNITf~0m3TNXVehcGaL2fir}T6qe6Yum#51=)iKGB9{gI&!c!s^elgt8MZyYTS zz2cKcgC5!K_fWuW2VWhbe5OCNVP*YeN!!>CPG1rG84DW)swCM-SQYa$Z>VCX8(Eb= z6*hq;ITg2sDhv)!iXZh5@9_W|g@-`icz#SSIoRdjt1xKDF!E!WYYYZKC|+4ad_3)h z>}#(ON=y@;p~fb^{Z_P1_6250nEo6^8~BolC@n*qKC};2zhAffuuq37U%ddJyAD;Y zv!KdRL#WfwS>lTSsqL;<+j{HGN%d4o(PwjQQ8$jrRQM=bxHF~bcC ztAa}7{0LNOXr=$CBtV9upcQ_UXn+D$3|$3PqzPpw0qW&;fhr!Hf-0ME6;sAsU!C4Y z4JMZ|Gc!GE|KfEkTmlxB1hbfQAqxvI0Z}uUjAwTiM(g-B?FG|pRnr#Of^&&lhzx?0 znJj8y=nJvo^<#Gqh}}Q?=pp}@$W2G04@ewAg{zDjAoQN5Im}rLfzf;vROO}t>N22~ zvM#I&A48c$iQ_Y{#b7F8C7ypCXod6_5fRB_l4l2X+JE3s_~xz5Ak$!AQKaW|*OjBP zE57;+H$&CbZj}+@fQdC@>NctR^458;o!DIb_j68`A7j-HjQ0Xn*RCXfnOy(Ojw11) z&#YS9Y`JT8)!b#no$O|$5BadV&#-J7rC*y1)NgQ$vi+OBJGgh}w6qiGe#V={sm7H( 
zbM`F5n2||g8G1=@%E+pWI7Nrk^J1gaLlKp zZ#kgKr2ZLMm1OoJ{TTyQ%zb0}pMoke<`@mlcw{ZA!m21%#beTu>b^l0PCE)*K8xCw zfA2l^9BkW`?FTy#8Z^Xx^w@FZCrzI*d&bN;9-iJbgp06s8$qH2hqPJGo)<7I7%oaI z0dck(p;4f9-1vzm`#f=yR-z&5@X@@W3MvF40&A}8wQ4W9S*TTezJ-FSKQrI5q!qTD zEO9H-0979~(u=E)(4lIH zJ6#X&_l=6&B@rvUVj)(HSeif;XeF@;fvW7}3Y$E@tcaDJ1y(#nAy!7H!hSLUY>Aa{ zD+$4{uZNLM!zO})Ln&Qi>!af1&Yv*I2vy5m>l${^tba(EI%d4Sh{Pd`s7^HwG@}LJD-jXdi3(i`ByG|)T>E$C`#L%s)luUDkHa= z(6zRE`y53J)o+8w)Ze%+^ybZ*$;qjvagGN?umHE0^I_}OFIeaSNEva8UNu6M!YQ7D z5vsr`BUJGOmHL+rRat533;>!WRDf2Z{>f0W3spJPzsRuI{c~b>_Kgj%6StvaTv#cH zKk!8O72yu&>YMoIe@rcjbO3d-JD%kvzr7Yy9A_Y9-D7~%4xfh*%$Lv7gg(Dnk8fJl zBqn0%$rCY>24I3JD3y^_-8)plr}z=55-(SvirQ=fRrtgF2vnJ#;Jv)XZKm8e`+DTl zAe%nMlGP%l2|o1{l!5jxyM~l0TNT1kqb7yc+q7*@4Wbbv-NsFr2#~RB#^NPjkg^gb zN|?R}u)}&IMPkQt6###`X!&ld236NQHQb?8g$7kkv!N>E4OkW5e2a*cVpZqrTR!P( z`E01=^Xb}ZEUL19yGc_&{xoZh*a4m+2_dFyleg4L;%1>p)Qp0Ja*r&6?%Au)q$$&< zO`j#uWA{~DYk6h9fa8pOR``71O9R^&sY6lfhxui zzB)ffR(1L6)l+BA%J5?Z+OjIq0EJa4VkNA~r~wMAQp5_}7lmADfOvY`5sld-8X%KP zh!s$!$}3ScCThRO8qYHLiXse#EOa=q{2{asH2KV}g?>mWA*x6ov)lM9OaU|f{NATh z)@$kt4Tm;1_|clQZ*fbs`Eeoo$v)09L z7uzV$oq=IQD>0|Jp%uy47cP7v500mH_Ut*F9BhJml*WUvzWQoVkJihEXRoVLHeU`V zcCILu_t+qKaEmglM@s^OOT@CGXLdgO`?;EyUrwQ^-33%}ZC5WQe4FNUdi#^H!B1Q{ zTl))iU?SXHTEztCEsZkU;q>#`{I0 zAtR1qOu9a$HBC4rP$leDI-H(YQ%{~qPMpe4sNjKS<5bp)Dn+RTsx+L^164qk;FOhB z5p9o-j@Did9X_xcU+Czjx(qOlH|f+VG4#=sn+siuEK0IaZluXLV&#}m{x|)l%aPB< zhiD`J=$c2ico*=WDbc8c{&Sw%64Ea1_+dOfygt2U@BNX*sx+LU8Pz|moCtu5Qc=jx zlv5!BpvWmAt-xdzr7}U)cR&0Xuo*jodJs^B)6Vi@7db7GGDWt)UNkd#!I(O*RVp^IaUF8 zv3xeza&@ZZ%SBrKKvrf^py|&)j8j04A-g+vnZ-%I@Re6y?bNv|DeD0%SKHzdSdWH4 zdO2m3_Gx|>Uhom3z@(HA;wP(z$wiKYaru~7Y+lJQnKE_yGbFx0`|PW)mU^S~n-o!$ z0*r)O_&~1Z5N)qM&ogu>6PzDLk%B7G0IyuX*==pK|AEA7H*Nw|j6)>=iUxRFsKS6; zxbR7Spi0mx3#!c90UK*pq@PTSiCVomxZ^61(mvA*fLW{OIc!^65RwIE5o^90^(-D~ z-tMUF^hZeiCP7mRKi>0n=JvvAn+lOzh^0LmTI$Hg`q5i@L~b8@XxE~HdxQ7y+m%mZ z#nabYURmpcR!Rf3C01Bnh?O=GHioMw$>Z3#F`Olv>WuM#c*34N`+OEnUok322A$Y^ 
zUg!3y*1f@-vX04PV2$yeDjEn^oh=KW{b*0||9({8^5fBj9uthUEKHS`?50)R`uUiq z`|W({XwZ{sQKSF+o3*s^nl)=Y2G&&9(67n6o`bUA%6WGEaPL&BYrWFORag9q^mU&} zJx`s=l*Csprtr~u^iOry91{d*3{$vc=Il9im*}W~lo6*y`V&?KRNV!olEuFQRWc0h zP^yEQqxJ;q2WJRDn|_sM;5k5OwSnc%|x8D5w(k z5417{su-61i28T&%I70D$97y3fiY1~rCXZ&oT&~}F>C6$)FphvR#TgsF7ILt&1bZIj|3M&Ca zl$U1-Ias8P9Gxa8BvJ>MXf!e07=RcHLn%ex;_ZN6%p+=dkbk?>*PpmK98Jn0vK|?e ze)aRudG5xGyu0H(pb9cSU|Z^wix0boMR0w2K$R(6g(pV)?9!FRn-6V@N&u=%;VN5J zWr8ZD0n!gNBUDKZne>wtz?c(qHcKr0g4GBY(!AwMvSn3z~BbJmIMe;Gw=Gso+i0Kes<%&TZI z`yK;o_Ws}|O~cxhit>NvQ3n9v|^-lXP466L$WC$n*y(2=|Sz9 z^z@V5HG>vlq6e~X+hQR!B7-?7C}jG~Ie9=8-EN{(JQR`sRG`YJ{vmPXmiq@<38gx? zFD!EB%;>E>j;ybAH0-UTYhR2F(bhMyp5o&@PknK?7~(SttK{hsT2g~8{|Drslm3ba zmALjXR&bCOiwsVREF<54&eL1Ny2r(=OHWTmf-sg;5=we)C&umvs{Vmd4AVjafQQCN&uf6uVT%IU$3Vk@h@P2xcmc4VChDYF# zp6*D3C%O$eTH59R`6rGdB?PhF*kls;6B1L{V`XjVIwZ%r^B48(*@t{csYu_XS#$m( zQv-jA&&xNci@du7E`T3~5Ce(f#1CGOuqveHfTJfJmSq%}8_{+7&P!k35T?(oVpTX- zk`bf?KpZe`^W*8&}yWv3?>Qk`=tx-`Rg|QJ?7rnYm11 zQZMj1(MC>$KS3%x_TiSE$D4o4VEf4*Q%ihtq}aLLT1){G1mQXo_RfCLN{1?iR@gL= zj0CE(WWem?3I$aF76wy>kO{4X3mEe&)~(+}-jO_FY<^(i8oSaTk7LiCy`O#d+19N) zu-G0$a-=8#6U#?BlcJ!?7I_V+)wgkuf_p4zn%wn$63Y+y6+gM9$WIxS65ChYT-aK6 zDGydfDcbn9HNKB|`{d>)lQzC~^U`j-YsM=6y&9S0`n6C{#X+ye<&AGSUNffNn9kZY zFL!n7Sm*V{18b}q?Xt?vdEU?_C)3k#`6!-=`4uOP6)s!1ZNGl~rpaf^$jBHpcqsTT zdGzD6aG5?m@JvF;BSfQ+4mNmbN&?Mq))N5>U)~)){KSc5Q$cksiGfvVqPkco-7cAP zDlkn7sx+iBKo#;|^?4f}_DXEO>JaGj<@M`Kc2WO?Rf+ni1VAVigEQ*H+45fd9Tpxb z;*%Wl(HFK*rN+a3Ie^(QB&cT|5fzO9yL<0`_MAe^kO#_iqlsrCbItg=c!?L9nCmEa zLN+WPri=p-9LhN8l^npIqLgvq2lETGkv(X%|HfmAKk&8uAz6V%7umVBKYzFUoTw2Z ztyIMVtxyu^^KmDIN4HKJpz6$vw@#N+zp|YF&~kC00F~ahvh9IUN zHaa11$5eZksvTS&Lt2IbiX4c;gOtZ7L|CY=>D$y>Fao*^XC#i#7kPMkjdCBu1|lwX z>%H~X+ooFX^bGmx{Kf4%cQX!|r)1fvue$349jS6a6+=rwRob}=1^rGqc%>AabD);z zj>xn#LiuxpDqOGh%(J7n#=o-kh{Muj?bjtz(U`%nSQXA2^Fl$DFgoXFkeACIf1dXTg2TA4bV1efN|7 zn&}|LH~)sh^hxXnYbqgGl&Luy`g-J+LHqY?l-RnYglQ2gL)JQ0PCRqb0P~*;DBQ|~ zR@6#TN!kQIjO(h@qo=F)?LTng!i6nccdXwKe&|r-#Gcu73Hv|4Z}oxA$|$x%e5#|% 
z8!O$i6Z81YkXDt1aD`29+Tl?$F|^Rlqwk!XR%y%Ac8UZl0g$>$XC_qpD!O!fc%igi zHNXAhFzydSi(m-gg8w5I={J9(Vsreho{cMJ#mKUkDo^U}ywXi0gIw6qR%OR@tUPaY z_s9c##WDNz(~G2gozE&#!8qKqbsK7@aX~aw52%8NnxG1t5~woa6c)yoQh`&pP$dsq zseh*2zsNm4XvO5}oZ9;2SFz8T#?PI;MUnm@`q?u(VDyhg1wM?#y>?*%a*7z+0SjIT zU(+UXpGR6+vZ3_fSyiQ$DT6ngB>-kqsw}9|w%}pv;qEdM1***IpT4OguJx+DhaZ}I z$iXk8R6y$NeW{;bzG4ei62(S!K`8XzpZMC6gAR*g9DLKthMdg2a$VFv#(=OYMui%& z_vHXb1;Yz3Fp>qpOW-?=fI<36S*<1&@G!Q-6B$KtF+wvssO>P~mmDKx(J1svBdvl| zitasnva>J=2~Rv>-Y$e(4E`73h;`yJ7?yT!4HERz5e;Qn{|hdL}& zh7BJ{LI{_KZ!BE|aNOxr;PVWX`3n{iheBK>5e4`rPs51U#$&bf2t$!SiZf$-sdsvY zYv9MossyS)D_9j6{mP>K4t^&c794SybKtFoJ9ot$7gojNz_X$;bVUF}!`yf{x!kfN zxM2?7sr;`EQSmAX5VQiP@`fsING~YqRRP~h!vJrh!yF7NlD4_WSR1m6}5fJlzKrB!%FYjvp+Z_?9)##Qe3@V!%EnE zY1A?r(Cl5c*9Iru+P*idSN1w4&MY13IH#|bh(T~B_N);;|D~j`$G?nu<(qxgcfLeb z+Z?-u2vluy(t7{Lx3&@<%&21slUv++}-3rgGu9}G9m`B|#YdgCc)ju7oG)kq^KOQh`?2zxsMeSY)Av zks3~UCGq*zn=|m-A2d|SFkp)jbOx@5RXq4DVw2S?{ljupI)pQ932d+}=b`Gf%+qHf zM9Hbgu=7Wb#sg=h764>;n?@94ViE@J+i!qLKdfEbk&o@zxraYQC)>Bokf0wA=uqXO zks~M)LF;_+;OZEm3eQbJl@Ke%s`w;b!A&ukbhOekmjtRn zD^cL}h}BspCe1*sC@!77&7xKeP%mA3^vJf&A>CFkdev{{W55=Z9eE%91Qmry*5!zz zKc~I`X5}ZC^;1eoLgC1X5rKs^Ei1cu<17hJKBpa1mOlyAO9@W~;eb9u3G@p3XDCSrd7>%;(unRw!c91sz>(vKNP%B zlKLE$&nq76Q{~W}MaPe)=+)G-3#!X>5U3KIvQ_^Cs+eCiCYqvDpp{T6fhuq+8>+JE zRDAx$wE=4*3(P*?FdsW`%3;Ns=T{t`zc1y&rK?x~fht~4etfZ8;NAiYq8%0-c35;& zb8Z99O+Ao~$E%k4wlE!df>aJCbj9@1g8pRC`uVe2w!gmk zm+h8VIYo*aV~Nkxjo2CKD6!|pSAIjc19li*B0)hRp(M8(4Yf<%`b=ST6&?XSjQzKB zYqx&2e7{X2L}1Mqvo+lLv|sk3s&me_GD};|KBK<&*6A0sYb$-!SW9bXb1P~qX;8IB zgR0-{Yz2h@=dn_pC;CVXYs|^t(-wu{#HVMRJqJpE%H?6ML36S{xoh}lTtX6HjVZQ| zu=<_w)Q}AcL#WHU?Exf|K8c9Z@DX9nPKVt2DGjJ{hpL41%!hrC13eC&Ne(mjIn3Do z^qk#e)<=GE?Yck}uGgZyiSPMEJ9s8KEJ@U$$~V1$U;5HrM~pQqm<0k=%nNWzL6weH zntq-WsS9Qbw<1oj0gbZYsD3 zXIaqSY02R11;U*1AK^T)NNI7UfOl*kN;ytRVFeYAohSeG0 zr6$>Z>I?^9<+!dnLTpQ?4pLtw2Y7=?$tlc4bsj*Bh>RROWElIwk${9FH8l}ygVvo3RAo~t6I6-shq=gtDm&_*5vq)o 
zimA=oliN*Q{))1PKpv3WFn;Uf8HMoewamyRV588X;uC3)6bm|6;|vc!6FynC$oln5&UQZflE)mc<$dMu(>m1?{g zQv|sHwJ@tXZdPxHhvVKBLaB-bE3|GIu~I{o3av`rfCx#3+6~BKl^!a^VI{39pvuG3 zr@|+T&zVvcq)_qrfCF@%$jE4(BOgX|TOTuotd1pxxuloDL^|;LX~Xs2Jo3fxU9(F~ z9^=KMHcua3Vr0GTyk%6-@pj3Mb??Qt*4`Yi{m%QZ>mNLbZ=38`C(eCTaG(q3xI9T# zHx6O-2?L`*6(@G{`c=ohGZbLLWLxvu5ZiTSpo;%){JacQZJqmWVPTnaPh2l93;N~Z z@ly`O{$btHvVrBpt*Z`BNvQf)go+B&sfx=;MxXOA^gJPY7jl;6^m^%~PMtc>m?10(1O#7!MZoG) zre*2I@3&Yr!XN@`?(7y&g`ornNe3WFRRzU?DtXdR3p;2PzWU{N1p(vB724a|wGT{0 z6JheRe#tD|dD$%_1J4>;iKHjd@HaUXy_!Pt2aFCwhai$QVBkQR#Z1aGg~&L08C2pi z$vyGNxC$;7dxZKhOd)o~1)elDmlv)$G1Jf)qMbVe`gcxk~GT7{4u*<)Xkx%=h(FR8nbyk18 z!O>)>6nwIVS^ggsP!bJu~Zyl+5$qRBo?F z&>_LTLA-OHSkE!heygJbjU$4s!$aM|fUb(#f(W!KORkVmrF)Fq~h;5qD($v?%YDv5vh8&NX|a>2Nu)S*CB_dzWnB$C5Fal$;`u z&dKm(`K_D`8z`k{;Ex`BWxacza$IT>E}uB$L^+z`&N(A=l?jWZY*>GX4R?Xa>K*F# zc^kSH^()lxQ#1f4j~-4{==%F-I7OgJMyV<=sUl;dB7>vC9AiSvVgmQZ`7MZd9~SS> z3iKh02QBbgNK+Vnl>wG~A4C2zDH35KMIzh1J^@yZeIu&WriLuah&z#;;*paThhZfH zReIh(=>SABl;Bh`RI#SODFv#eey9gkdfq>ltu(2CD#j`Ytf~-$T>%FB!Ub9ZRRp9= zl4_pJ5TuJeLE>MSU56o4Wr+`1T$t(*tC&>(JE&rs-MxFC={I}M{ASHcy=Qu2v-&Sv zwrm9(VZ+AFxD8p15HL`8kw4rtD03_~ejsVHc=@m1z}dx}=fuR3;pi#M&sb zgsb7Bk3Q+w|F!44b|p(!563%n=wNc}Bo~sIE$a0_Gp6bbPaoGX4#V`!Y{GWTdEooN z!NY`r-+KF<1q&CWPNU%AT9moL*aas{PwCxcQi6>R8SD0(!=Bad`pQnbI`6BYig~3# z6^0eYtYJi6P1B5GB*Jvs>1VLX)nJ{Y!45wWZ#@_#pvojkV3}zq4#1`sSx%aKrn(xc za94s;RYMi4sWPaNXeGl{Y9FAE1X$_=%u0_<37nPW)?3t9*A)aHUy>4P>eACy%L?Vc zzvYP3DqZFFR#$_YfLv5}Pqc5G;M6JJ<>ffH5z$^VBK@|72U;V$c$(4&s2EmCj+Mf% z&_%5NHdN8-7a^~Hi1<2S`V|#j;YrE&Q&Ljt0P^5LX*?@EEp_emw+U1!xF9!3_1!Uh z__3w>?;lw-Y}tgNq%|p@-#mQ;^<$NnY?v5srrUzIyXDQ?LzzCkQ-fyHDGbjsN=|-$ z0hfsq&iOEx*dQrSea@U}LW1V|@4mM(T%zpLe&gHl{nkz?(+!0G9$h+0eJ11u&!7Au zOg}yNWB)V`LSs}*hS=CR0uzd5Dh*ZE3u~=P*B{TNs@7CWl&TC=$@;Y60Z~E6Vtkjz zd3+M@HYmZlyQtP>Ur!|W`8B#3){N{tlB#~mY+s$Al`{RX_c66(5leWLOlFOJ{Unzz z$vz`93UxxUs#uj(Ko!y}DJ!?mo&bX#z6Lwb z2?GizKkMBnT9{E7Q`>zFb_WXY9}spdO$Z9hf*?)i{{d7%(sgPyQAORzGD~4WMEKea!M*N#2o{;uUx%O+)DOmp~oTv#sWBn-GTU`YZWU(J^72b 
ze@@o*|FsZS6-;$-=gJgStNPcp7mD+L<=JWr+G^=qRZO}VrM&`QeTnwgM(sT#?L$*R zdjBDS#a8}6tTjwR${bd~u2*gdp3IVV_Q@ELh*SLPU>qhY*4DOdJ3k#a9+Ok~JR1~I zgy@CJeWCCo*DD8$3zS!XtX{qPcnDc~6usaxYL0ICbFTh75~`$O#g$6K3Y?NYK=0h^ zjZUTtm5E7+8;}_57Egn94#K?JA0fQc;1>oLmKPs5k>1B9E&pN>@~RlEN=mFNhLsHF z^4!rtSUA!tfmJ1;itA#1>3o1ym8~diSP5o@Vpydm*d}?un{c)+z7+ibEE>56-KwwaSE?lKVtW<75VOvS3 zlU~qDic=o0+7n0@MZ_-;g{Q;s8#iw3-*1$bR!j)w5u*i>8%_yL<#F@LT|0NJ6p^Mf zkc7wYz=9FGW{*(SrVy43FXwzTVEwdV>i5@89fqG!ft6!RMtZt95S=BzSRUxorOR$^ z9uhuq6ks+|osWsce|d>krks!5z{bY5GT*mK*(VzZ7LJ_p;b4V7FaO19s2diWt{63Y z+&gG=>_KmzfD|i>X{NjnJ@V+W6B4QvoRUzb7_icw;^y-dcow>$k5ke#mWfowI295W z91Aye5V{E+B3px-HGl7|g8D13F_(5FDf1gpsbOqY($F*TX%R*I7Gi^c75~v!fEuw4HLS1UrejQXfYJc$8(g3U64|ZQ>R(920tEebT zQFKat%$YOql!Y}bg%)@e&m`(ZwiLY)sg7Q^ZoLX`AR#|xM|4wa%cJv-$1_c!;Dg(ikT*%D)Z{?ZnoJ1l9-$*PE1IqD^?Xy zg^IC|bA$OtUt4#G`wtp$Z|RWLK#TE1-&@hAKV73QdN=0%RF7bXFB^`7%5} zonckV158Pd2=H9*Vl~?CaC2wl8g!I{_=h}^g>6ZAsiGKr)i|a1UxHcKYmfZs`I6K>OfZpA<=>coH)OKYaLVg=%`-*@_9y%KIL(TSvc&-? zp-RuBl29d=j1s7lvXo_oDyW!LEV@deO6RmM4^@uQX?1pZ8*FqH&VK^dXs0F`vHY>8 zkOl{%4NjyP7$@iySItK*89)E}L~6WDQKSm8<-dh0b_>ItG8F%WtRl^nfAL&mM+ut^~uYj2MXaTs(DzQ zw!?JdqQ;IJPc?NyOSlIqW~*Fvg&XX1(2zILpV6zKpl~0M^Q0=U{n5u`^uF@pN1t#A zI2+7NKB<;bWl#Cd_?OohFNQrVztlU?4cTdrZq)RVaGZ|4K4>Z!L{^Nw2c>46|OD7G3k*)~*U2{fkn>pORgp01c536DIZ8=S-FJk;Q- z<|KLM$8b1N$;Q3<)rtI zB_o{@(gY~MsbZ*-i%x+mR7VCL50pu&LDpstj{A*vnd|0QTqN8qd6Yzuq#gYfA zh*hDcf>VS8NNF+Ftn<(O<;njRs_=@lOrZAZiAVLzCQY06dHI#M-g-wF)T5xP64VRz z$Evwa35yl0)^Jd4ZIlG=D%ezAJMoW40$CnA2&jVocWb@qL64zS%&8duw6KR(tA8SY zk_CKmNbzSbf2_SaLr~l)TKn*X_G?@1cfQ&u#TkprL5t%O zSPm=!E@bWcje4J{@Fif4-*3~Vt$bGw_CPoQ0D{C00fX5Hqe(9*7{d)>KN61_%O}aw z)jQ9B_EJI>3m=)o4;m5DhAiL*kH0+;5Z~rtkg)Ohg^H<2WC}+gCY5vrpiN;+5wXG> za5#Rvm55m|$r<33fGS;^MOK0IhqEs5IaJ{TWDc;z7`o+Fnq9?WRG>;RtbnTWXeD`o z=^1GeLC2jf-?2QD$$B5fxK11E^MHp&{|PV zFu;H!$5vS{Z1B#)MT<9W+_Y%?uv5$4q%aZgwbhe{uAMsEMpp$wjTCI}ojYvq7%|jP zWwvtE!3Cu-2i?Ni-iCP zdK`V@w4v(Wi^^x=DJ0n<2k1W&dgbJJUl$ht7n;+*@|JsOha#!3#vk#D&zX| 
z_4D)d@bh)@_pu4~HjHqa5aaZ6qJ2XgdiZ$Loa<%k6dTFLDgTK7%{xpvY$(#H$S%jF z%-kU9kBln6lf|9onX%^k8d)D|=i@XxH915_Q@$ z|5&zi6-)0QGWmSbwb7@eg*~;w$zZ*s!3Jls4OD?stbJgMxD^8>_HcZitoig9d|#3`M(B%xXozDjW3Ep%W8cG8zR^K&gKH z`qhc-aJWy$j-z}u;uk_DG79n`m-g%n`Rz+lUjlr=Ai6{Q54}!RZ$8a`vHZ1&u2qGD zN}%ck?bT`8FIQ{t>=1N!QD5Cl`)hWEhsJRWZMadRMtb|4u45`vdYyOy{6Nm10u+rJ z>DRW^`xd6wx(y=g#6V0@tB_OExuX3d&I$3?8cLgbUU3M)L@ zzx$>FRm>|1RYb-^G7CPk3ahgV9)+91S_d&dv80%yOitz`3Kdfn7Qou4Xq-mg_6;Opr#M6-vmkmF^01DbD&l-}d;l2YHUlx{D ztL98tHU8B#lLyWpGkEosVKyo|MF9f*Y`Yf?bU*US%Be%tP<3SSNXylwF1Vd@N8Y$` zoulOD<|)TYNYoH?-nwnO@(wX>c)SXZkO;{%R$!Emal%KouTYLIH?~e6ti#HohrcKV zN98jomknPqcIdwCn~)ET?K^kVKgh+!RWBldt*2%P(=tzLk9zi$;`;ORIUDG?JH&li zxZC7t=V4gBn82_-@#&EU#bmf2+meJ_xDe{+_+M=UQnX40{;=**W6+vHEo=LntmSa1 zxR=K%!v+qg2K%}!hzYmMNY@aARi{%SrNJpRRFyNSO1XcCh!U$x1clWm6;DUsq$;VW z1XM|F6R1M&1*DxHZXH_-r=M8(k%H`p5Rf4%L$ZTogm*xF=WV_ty{Oz6V!Sy@i%@v=2K=DHaNxt!WswQvoDRB>M+&Ghk9^am_;BC zg=#Nr!U4sfp=;IEsiJEYQ1un9K;WypYkx`B{#5}`vO1z; z;<`Nlyxz&b{q|@snR~*lV4zGw$KqocO%$bv`uN`aAHXNk`xbTD<^7CLNJ92vxg(SL zI`BjSHN8S`@o}rSZQlhp>3#Q*js!?1GM~q0dG?K}#)M!e{4k>=RN+V3>=q%6DQKu$ zJPbCwiveK4{geJ`Y$yV$yMx4=I0M%^iRcwvi;b>L4gL3cM&0GiRLlx=T^X*zwo*eC zXa!DH2vtl2?ui0b+#)qpNyAFz11#kM0#$kmR@~Cm)MQO!SXi)`ljS?6duj{J+M}z- ze#ju$ycWQL7EPN5C|kc|J)=?MzY$q7T#mPgih}oJTM&h(FCK;C66_mCIKAoZVWU8m zw5`-=g^GfAOL>^&7U}f?p~~^B*>fq>Kn}&0l?!p}&HZ%v{ISFK&MS4VDJX!EwRYOj z2l3DUncw-yn%C4&bzs3rCF=_B-;qu8o*;34eL}G&<>=@91CN-{W^M&Fo#dN*A|^IL z@%u56c+iTm!)K^(vS&>xS)DT>?|AX}0f`R1w#*&4VC=B+)Wm)BhR+={)Y8HdoI*a3 zsR5A~+se|?y1dDzoSTcQ8$}5!!zo-J{+@f|>^tDo*R8~v<3kBg4IvPL>{^0aZ+b8agV<9sO*Mz$t1nV~?H+N9D!RjEk@ zT1oGpTrzkhSU$)Ha7uwHR+$>Acsi9qmEsryr);Cr+MA~eKR*D3UMdG+YkVpEHck>j zE9wK7Bpa9zz)BQhEHO011sYjoe|{$7_Wg(dEmV;Qvu*oMJ$DmAlDet;4jf|1u!!K> zKvBDNS>%^-ALLL(iWDY9yC~NX5gCJ|1+%c+DH6VP`HHsfs%q3oD%O z6@rH{_bT4_B~918dF1=yoA#^8j3MMLJ$2o&tfd+d+g*zIAGD#7$6vGO@5+Cyy))wp_Lard%7SDRS z{JyXWD7bo~*a4{X0ZNLIw0;kFvR=Cs4^8kfa#b9SK6q44ri*^lD?GzMkjF;4AkXk*;X z#rlJo@G}`1=~-Dh(kH;pRO1vnJW$1KS9|}Y@+NUg1yus46sTfNN#>G-D!J&?-amDq 
ziUrG%P(}45qjL!jPY7DCfF96_9Dh)Wmy+yol9XoRyF~erpOsz$b!C4} z)IQeLR0n0i8ffR3NS8|Jf3*K7ss5+FC~aZer=_V?BSdNywU}TJ-rc8tbV@|NevHum zS%Fs#&jy;zrY+mldt)14A1WMICwb=BBXAm_;^PvOWu_=l4+Qe%OWG-OIPNMpnYx{7*GHwds~Z2{ZeRQI&N}y)c1Fy=FyYhN zLk4;z&SxK52Rt35iN)(6ZDBiP-1pTf>l|{ zy4tWp(_;}abPK9HRF$EuOSF_{dPZa~_)=E#5h` zuZa*EduY^H1K%Ka790!&3(mTm;mzS-lovt&<{iY>*NLqVlJJoIPt`x?VdU-OgCMO8 zt)y*bcFIzzTdVgxDFcWT0|9>ggc(vD8w9kHjGbS_)NW>&KqY7CFfDz*53wAQ!HFNJON4QI}G2Lc;MwP$)If z=mT=)$~EOw@87w#ap7bMRnR#M7Ys|V@B8PakFg0 zj3EmqynX8A2?eJlTJduK!Nc?BFI=~N1AfTzsv6GolV+t*rH@mBpsp*RM5FfsCU zZRmX0LYw|46h8H=z;^yBuGQs$#`Kv&A>lw2qNG4NJRcoM)v!JKlDFf$u)w2<3Bd%Z zWr-CDRT8IEP=(Xr8Bm1)uiB(iLzP^BSXHGsRpR{vrx;n6u1#!H!WOeASiT^jMU5T<$scAWMi zy?}cwAJZ0%6}6b4WI)V-oNfl)4GMhG`y#|YB377_)r{yVUx&fM;ZV8d6M44zsa!+l8(f{gCacS#08yG! za3^%B6SAI?F0ohWRK@g(aN(Cm%Q_e%QZ3M?n5)cQlqjY&+h82(*6zR>h9Nx;c(dFD zv*N1#^{8?jaRj2pFgK8qi`D1sEZNuO`iAM=P7V&eYUO;Kfp&IhaZbu3 z%HN!-0#y?Ir9H(>mRVF1s>lWNJ?HCUJ2%jx9#5ID5$09Z&#s#PWj~Zgfo;xiDd%<0 zwC3pp#nsV;Mr7E~-R`rPD9_~NB#Ieg>@(1&n56=zbXJvOQZb(;p+bSGk|F9qO1pSYcUInVaqq0?%ls)7w5v}7EF{si@lN6?3RCKJXyC)f%`1A%19<2V>zue{qazth? zhf}*{Dm?9~-$asJxb@XKkGLj>FyUdI)4wCvz#?D#W{P4-Vf8Z`DMu;Es3LMo#yXVs zD1+^OLXTpif=~b%%s})mW;OGZ`3&mq3v0RC`*f)0#;rRtTqPq`3REd*RRUGmR^<(= zGCn}iN@rC)Bf&~-SV?^qX&`-odT53BRR>rp5ZEHZ+&mo@*&Xk1aiFE?ZqddL4u<#f znqgM8K^BA$VRsnm&?KH&B&WPsBdL>8+b|EIAO=}?bhZA>%S*6{WFo3WD+ySN=ZX!W zN}?4Ghr>sX78Vxc0*@7$oSz-xaB7Ctkq_K0Mg%xbc0Rk^!NE=fmc%RzbMyJ*Mjc-! z3?=&wZ(&a@p7`e1NiS$GkI~-Rsl7H|d-((R;~iE^9CCVfaq&H+SOlQvGEG08T6+pEzQT0K_tq573O8Fp79|dHGk}g)w3rY z-u$-c8F$xIdv%Vspu4j6{c>t|aZBOap6k&0No$l^((93FI#A#vVqDA2NE&uGE z`3~H5IG<25D2N0+NiQE3x{O27M(y;G7o05L3-sNm(Zrx8F{I)oaf->Q#wi7=^l+*& z?;pBciB%;OJSm7uqEt6oTnbL1NJywsaEc|#+LZd_%{%w(qBA<1CK{OM2?+qoK=D16 zEL2k#xZqIf80nZ)>zqW`nq|(aMt*;ha(YzrH+E2kP_=O3VniZ!>bMWc5IQ$ibBE&m|S)x)nX!&8^} zWzO(SA7!69!al8+c|wb0@hy(W*P}=U_596rm?e{ZnQxM>&Kw4+AObNhF{3c~fhUj- zKOtyE(OQ(T6Pes-zoG@d5JaxwI0)s+3&8fE z4J%AJ2J2nA{nbz<(Mrk+X;?|9l4zBfl){LK4h{{p_I6%<=EML~9nqa&mfb-EkE4R? 
z4rL1h2I-%onMh`J#TvnS!uL|sj*G{i_YsrLRw{BdO^96b#3N70Nt%$wi z`jb#~!qoh%y@O&pL5PB9B|piB(Nqau%RK;9d)6+rJ86^<5#;6Wx_bFk?bXk<_szA} zS82)CFX$}C?|Gf?$8}A0>*!+f{u$eYR7mGq)HnrH*`G0r_vkB|zyFfmHS1izQ%2+W z@86G&f>$RjEa=>s(eCbc;C@+qs>JoD!YM?J7(SN4c71><>>&D@{ZMW53L6=2XHih& z98bE*3rqQ&nc(t4mcTYg)v-L-#?5X@@Hyk?NKZ|Y218z%dlIUoce?r}Rf$zq+?|T$ zAWbSAR0*77)kvs9V(W&$DFv$JqEnkx3RK;?eRr#Oe4A4xH9yfg(MU0-03#MMXeC_z z@nW${N-(H|YXxl<2*bMqitPz(veT=@F0U55z55*Y8*wUhgjwhWoAAZ%iAy~-TYWXh zBeJaG^ON&0D-%Y}jq3ld465)dAQB^^V{yVDY7{1F_4lm)B&rvI6%;M*ZDe%Z!9$0e zHr1~&NSSdV_I=LbGvtO-*;T!V((NZj+V4EHU)u?M0cEIDacx#9r{dCxzY1Q^7PPJq z0(7lFO8DxRMryBouD!WLM7wBt|IkYNt&8^O^wI;Vwzx}3KT;9(c1ywYqsLCJUbBAW z$Wg6YSA0;tul&oGAAj;G&jrdQw+JDxI>&#tDXn0{3!;X(1eukEKz^lLV$SK3o1l18G>P(F)PQD34Y!h=`do zq9Xl0&dxL6-%^*HCG0G_0|uBy$TWgk4-#4_GWMApgs2|Ix61LTk4KTOlVcU?HqY1B z&Bxc*r=-YF)wUH&WAoPSvu4jUHGJi#tRBLHcYVp91;hW$@1{O_ghQ7zwtF3%TqIyE zpE-8XxS@+D3|%m8=#oi8l3m`=-dLl(u};`Bmj(fI8Q#s8PJQ2K-ar{h;y2MELtVzx zt=qR1i;20#Hc^%J8#fbXm4noE!~F*om6GBF6ij2KC=>DejT=zOm6viS<`!0KR!kLP z;`^4`+j~VZG#ym^oYmo{%np)+_cXstQTPj9rw5$1nCWP@&CzbF)0u7dr&pXcdq2}h zKeK>)TNwKCw)Nxo?>9WSf6MLI_I|FL%i{y5D z6V+EgIA;5*xwX=5-o_q9FvnxLY3O2lB$$+{h?fy zHK~fbQ=y3gQVLGtSYRQP#i?SBx`Zl}J&9AOe-fuyVrraX0ZP?Tnp8;mX;y)COf%}9 zOsj92E=RND2`?H4%Q5J9&Upc4et&D5YRv4-&p!|cV|k(N;^u)ImU%;u%2iY@ zKG4ru+Hc)NIdt%aLbW%SYOhS!UMi_mA!@3ZDXFABiZ-A6>M9ao(FE8*P_xz%zp7!xCXgs6x9_LltZ4nT8c;rN>&Aw5SrR z>e&%1HB>2vmEs1JhLr+U*a&g)8qx;>eNVVrzvp(eW|U2B+FePR_78~7d<7R178%*W zlqN{9Zy4qLX0ZD*f3G7xzV0{!)o6ulbO;VaL)ohAUen zI+b!ike}K9J$)QzJJ@YMW4qsY*Z4!L`-WQf%JJ@TFYbk>MN@^_?aE|9|GP9mdu#vQ zgr1wecx&CHR~4utuWIQ8ks5q(|9*9W2;$U7j7{JIDNsf9nMxW8Wu2)=LatiF#B)dh zS3L<~VL<}1KJu~l<_7J3YwcY#VOWuvU(khUV8q!5=lz@gQe3B~m-f=fzh0d6P41*` zvPOTCIr6*Q_qA7N{(0dwut`DZH1{@!E1EETPPUD4>VG?~_pdpfeQgJECmDM2Dg1r` zeh$IjyCU2t$2#?*b|2M6XbST%@gH`G=A7~Cp7(ADca&s3=i_aCoR>vM`OAr<2UTj5 zih0ODeJX}3U1Ly*Q)pRAl!}SXkgh)ks#pSQs6q_r#xuBoYN!%Ob??4nQWadf5}bBE zC_O(aBcGjAz{lkqiSafgLRp1)9lRD@|y&7a?XtEkSovb$$(a0y&I 
z^=WB^R-RNKp$eJ@ha(rQ;w$|rR#cZ2ed-ShP6cLB(PS+qQZZBgb!~nH-bHzJkN{Pc z07n#et|x;SdIl+4qI12UmZpsr{qU@hpEPS(wu-FYP5TEgVM@S_9P{b8_3JmmS0^Y; z)R@~2Wb@nj=<#md%H)W3dA=)6E%~o3=c`s?D?01H@g8?ufhr6ua7uxyD>rXF?@%Cu zSu!Stn;NLvA2Hq`fh;N>C`0zIM>H|R5m6)(0!G|4@aW>Tn*~>{i?qXg_tj7(|0}Jk z%ApF+MlrdftYKB!Y>~BGf>ve76~%5q6}dt}l@hU%R+R!($QB`FG|3XJfGUAjaS3sO zJL6qm!be27>W8#vcM?$qX=NLPu6`1!pe=Jf>yzUX@6a~du|JsQeyh z@07M^l7Om<{j_%u|8aTRk!{1~eLTQysVJ{>cKt}o)q+z?KOeJY>$c#K5T=BjL#}S_ ziLmB%I9&#?Btn*3eh`^IF=itPuU-CY+p%#6yB+hNL_O_As&N1zsquP5X zwO?-0p;hPaQrn$5T+`*)b6LJke-cT!gw@80Pjb$8kBi^8cHP(X{XV_e_4**8{fp1n zs!>BMyXH-5tenx1%lt0AtB+;(5}Xo#KWS10dLM~&{W#9CTY`Pl6sNi*;eM0cnjZ0L z;H&I;RsB9WSyY!zaiR`nvqbMt6XSxIMS3{JOw)s^Qk<%iqpm;|VG-RZ?M=^eD2Y-P zTUCfn3<1TeQcNn=V0ow#CRGXdPob%^a#_C;q*&3cYc*6oc=+`z2Xth=Z9c_Nbu_8Q ziS%_Lc|ZRA^Zy#E5Kye>apNYG7qg8THJUzSCca{xHC{VPR&o;%EQlZkkwQ#WW@a@v zn9|(R^&2;p=dMer!q315VACnfq|Bbb*H!;}a6;Foew_}gD5<1CRUd7BpkiCp$4aGbTGDDl08GBk@dn?6J(uG#o6_2PoZu z(gPz!M^$K*5Emcmkl^t)oIMy3kN%FwuWI3@{_l_JZLfzk#aN?eLZW@WNawfwJ&k<4 z9K5`}yvmkcVtRNwZTL2|?Tv_bQzm_S>((vWwX;ZT)Tr65bFJ!$+%BR~4vpIiz^~p& ze(fET&@%&;Pk(R8$Gxpq4PQ6q4RC7V#CJ{{Ga;9M{f13&|FEY*L&K)en1xqC0V%mb zxu;dD*D6U9Xyac!C|y1%;_4OvRN3+H^qMz!#xDg^w090*A_;=W_0`(jhqXl$pXPV{ zCZ$81WBW9(9?7n)gRC1Bg|zrRue*epSl3w{CqqvmBjwOxJsFy5VcI?;* z*-3oSXe$K}_)MEu6S3GqTxytrzKs}28gwLsdh-{;N0Dpj> z#=e0jc(W!UOuGK0_pdxoNvP5zR7e(Uc6w+=yjf0qKyGG4UUpnwjwb(n>V^EQ3m0-h zD`{1g$EnJ^f2=PFRmg3IT!6(U6+%{(PQ{v)P=&$?PAO2u8fRdqFid?TYLKWxMio{S z?2BWm4K1>r(~FQ5(xgJmMTYQ$Jo&dGsoeK5Cs(goTRsI?N?_D@N@b!=$tHl|kuj<1 z8Hfn(4APrZD!0F9zX9MaTD(M0!Xu5<4#0|`>W>Ga`R~^>|AkXQ^WW7vB2y`+LQ75B zqPBW_R=>nOsHy~rOMyy&v;)?aS9)|>^uYQxr@{+>Wkmd9(BL8Jy*+cAi=x#ORc+sS zcQn|vcHKtuf7S2=FwyXcm>`-MCEN)QVMKsIaxgRZA253VgAZrSnoXDhBTHrw09ENa z+Y|Oqg=hN@-mC(uh&UVzO%<^x0#%ZiZWP_&P{_5Lx5`76+OU$D8j@m!3MbtTYN)Ev zutFh1DdG+=#|RedMk#B(AU`cXHzqgDEhqU*cDzw$%b%4; zNG1+t6JTFZ2c9FwI`jy49uwfU#oNLtFHTpyQ%97QC#zI8s~i>Tmgjo?au*aj*9F{=aT+{XTb6&beOs z{>`3V=qElVNtWx$SfS!BU2JBhboyuqOOqa#F0GJ%ySiU4KkPJ)DxRKhP>C 
zJ2}OBn8v=Y#-T})>+{K;{Zo8~rTTx87C0$0d}&tn=G?@?dC8~pGh7OCf-hds6cr&e z^tgXz2o*q;#3>vb5~?aQsnk#<^-sn7C!vZZ+;P7zBnksVodeJ;yPZvL)|D^+Z=ecs zK|Pl8?l`p^#un)NYQK*@{sbioIf>U7DT*+`##g3dH8+4=473j`DgJ<4J}XDpm$1TE z)vpDjxjfbXDBMT8c?_bfa4M9NN>u-=)TEM^^R%FomK@e;}s;0N0z!C zixr2fkmQ{9t4bPHRGtK?@-JPkWtlIs zBm`8&!2H?Z94^%@=_07m2PmORF|5>3#j0WADNrR1D;cg*psFx0{6dCvZo>YY*sU3X z<5PWyC%bh^cI}en(jm#IwZ^H1#-WkMLCAJSu2%zMKy+NCHA99g%5A;Wuyxd^sSXuT zjaI@37`i*riSj!l>4t%-jMbCjRzJ_X!Nq{al)8l@@qJ1gJU~*VGe{lz3by?CgWC~?x)>PwAr#@5y6I$quyfrwQSiE*T;*`KPRoK`|+)D zok_sro!@dh{*vAO_oA8FJBPG)k7@6kJiWOa6iD%G6YJFQcEX!jG*9mw%M5(S)MWD) zlSXe?JPVdMNF&MtrnHA|UkdQcS^6}@Hs z+|GbDsH(0z=V$(#ErN1tgi+ z8i&Rj$EHb6t&*JECA)S?c6%YkqfbWQn5@v5=M(o9q+4Ig3%GVAAB#ZGq>@mjm{jPH z()GtW#Ze}$DpXBrRY|ClYn(upgeo-lCC<@;h%TT?l%yDJlZeR$R3X^;L3$uV_)(_8 zf4G66N9W%OlP0%mTS4Y5Phb7hx9_V6Of)_8e}pQAVufeIsq!x!nv0Ir1m*A&API3M zkWudD;YC$j^={c7p(Cp!ib*ICdsgXVrHA-AL6lSiQ@%3M-q|Kl=1Q58N_x$I^$x*H zT|3}cN}%d3?Ujkz8%wpfH|csT!mM!7{urqJQ@`PkJOS!TZQQh_{62YykW<&LU6CGC zL_c=IR6!Pymn))vMQ}(s9Z%9SvLwVSc!W9xRPiQGX+n6&RT7GmQc@XMue^f;0XHCK z7a=_Lcd% zg&R=Ty_7z{Vzi>l`rW&?Zx!9TS$OkW*7eJps~4lMTnM~;-n$_6_yx`W?9k6M0zOFf z>X+owk;Trc$1TS42Pvp@O-)hiwh=HQ1qQqzKtPt0Y@VpdJ>>IkUCpADfX}kCQgCi7 z5i7+FD1+Kc#0p7L-VGQX?eBB;V@KnZo*D?EvRuVxPO0ow&RlPU?^5C^-?t&xo@ieu+M!2~ z>jH1r{p%KY_x5s5NYLO7u34+rq{*MX`|hX}vuen%r+GHX@M?1YT(hfTEpmOEW_mZj zlQLd=YoGS!X6-c~V2<|ce8%@V;~Y&Io%e6^*X4=Y+r)hLr~1BXXSMk(aHLBmR(`MB zuo)@^s;mSr^>6tZiaxoxx-)Z_fUIt^tCX3D1Mud}FXg`;J$kfm-3pD*XWEN{^{!O( zJmsveFVmggOyL+T8Gl@wb|bP+o?p{Pnl?nTe#~fpGpZFs?qNv3=j37>Jb1{(i##RS9Ukz#s;+F>L)Ua6PHrfI#be3+kq!=~j$FDgtix{~L5 zy)fv;rRbYQ@waYd-v08!-8)ymx_?K(DVD7orxcS)LKQg0k9+d@#`^cwceTY^7-eVCxxG66NymVN%A$YeQ+2uKY<%kgB1&1f)q9p5tg*{ z3{svccuQM1qErgNsW(ukK|0Wi`^lY=U+4C6f0z{&p65S)lL^KTk57RrbR`90cH_UCnp7oO!Y^W#9RjC3%svvx7g$3>=;A zJ22Iw7doNFp&@IEI0Eq?R7a2qP4Z^AsB!%uz7;+>_$Q91=VQXlp`g_>H;$PcQIc6uV3g@c z-k;ei^Q5E{DtS9OoJ#b3`_Bt6tEH}P`+32g&|%Zlq8aJFADQkRaB9!MTZt3oo4@9d 
z^D?XNW%^vm>AI0;>jT6ZS919U)^A?eP%cIa2;kuYuz2}G=lY(et;-#yQr&MbjiOlPmRY%gEQ15h=M#*9biYC0XRVQ*A}$sl@58J3o$ zAb;HYaA&*YuezN6G&0;iB{fZ2RSHy9NKjWyDin3JR>`KwPO?sN=|qjMXU=?{K3zpn zkOZ(MwGluT+mb1FJ+v8ECNGEe#f9KkOm=CT;@Uagr+=pZi0qJ0@*<|?$1EsJ+ESE$ z;6{PlmzVwT-Aa3S|02s-4OIfA@ZtXa^Tivt`=6w;O#~T~HBaSea`F|ZLT>Pb06~l> z)8Iecz-q&nnVOynFE=3EGS-PCa{(u34+O=!XOjx>nCI3abVhfNr zQ6ag4vrSLWoH=tgb^Et$+W`%La;(m-Vu#CCtb&X!Cz$#-b({#quxHKzsSZ>rlfU#z zX;TG`h&EN!sn{>@g-*VrqvD7XsG@F?en&<1QRMbh(YR`8@mKJfQ?ugMTH#Klr3mR- z-}`ERD_w4-N7t1I;KIxAaL?ZT(zyqu5JHl)9IiqQPk6fU4`XHmQYcyksHAQnQOUx} zX633i)T$jl`hEKUGKRc44279D@gK_1@SCqd*OWAM2o?YNd=NlY4yqKx$|L1M4XXkI zsr8J)9X0uCsQUWB)w@?CZWcIPPThSza%xt<$Yj^{Nls0Z92+M&>U?w#)Uq!2r{#Fn z&-ZC?HKd7bz(Fz#0-2;vmYW=Cwv6ga8|9M}4Zsjf@*0?vlPV+BNPr5_N{qM**5q0qAh|_ZrSv(NN&igdD=r6K~5iE2TuHusUmy|`fqgw1=Q76#fXXUEZ z6iZpPdfm_=U3ab&$Mv(QgTPc!Rc`!xVKM^$r}I-CjNjb9uAj|;!BYP7`^WPW)4V$o zw9>Hw2V-;nb=&A++M8!jykT_W=$_-&TZ}E{Y(L7FzWK=LWqU_0-Xq8GMZ0@W+uUW+ z24$>Xy9T34u9V!|^U9JbEWEg4*<5p@k3#H6-HPk2_T$M%24w%5^O8t!)ScwS4?5MY zQ?pjh8jKMG+dRq;C;!)#85aV3Dc5ChTr2oEyBUp1KP*p3>uVSb| z;4?$Mifws4tQqENrn_k0ET0I!t^^wB9eCsd%`$#%Icz@RH{n zV*`HG@;O=4>ty2)*U2$K2PoC0(NIi|igdU}L`D^}3!IWrCD|09l?YU+IO=k`$_f<< zRN=YGiZw)+L+7c!dZR1{xsK%Ikt>UZMpX2>ls1_EtUjh+t`~ic<+Tf+xp1dDG}JBI zCP_}sGJN{yhJ1W6apl!?!>?{ce0?_)sN!dd3k9pgp#--#jvzXKLM#1$I;8sVJJc&P z3hBhrQP&Zz2vP=V=8}GfqYnv5`XR`La%Dx-#omc`qGRItFuu?V07a{P^5i$DK5g2x zrOi4E3Z3V<=O}tthd+8Ynj-c;_~>IP?U5~<39c>9N;$*gjo+?mf1pj(8C{zyJlpF; zoeE0%NvI;Ds<2o2j*7}5l#Qq4KjMWb1~`}%(?o4{nu**eTxBC1jK5@P|Ej>(%3Y!Z z%ImKWP))k+_gX>~dXdiY{Ku1DfBgRIi{C!X zeRL-->%9Mmmd2l&Z(D1*ATIFp{K(I;{fDM`_K<5Fw*!f>D5Aoe@NRg)uTkN-#y3Kn zeHq!D+!OkGBaNSAmvLn%YwF)`upaTe5z$U^>y?w{t5gMKI!UyWVnO-TIWtYBQlExMNQW@NqRURCALD_N3h_AqJt7bhM0@zu@=^rCniss+P-~z za?;1VE%wZ?Io!$4Y_h%01}A%ChckO^OedHhX#3m6&yu}9c=L@eBS((Jbh_t6n>WG^}^M#=CbmG4zPx3FAgFVH{7Yyf(`GyF=OTn6PLChzqbAObybhC^OhGC zU6J#SHKJ_zy6(LcG3c)%+L%s(dH5u^XHi%SoOlls+kBnW78>5KSslO6cvE|2#vhlb zFP|yut-aE>Z};xS*%_9G136E|FZpAw_KOs3+k-VQ7{hJrMcFqXU$`*1`GCH~Yb7Ws 
zn5D#v{x8)!@7I!BN5~Q{G1e#%My4fTgu@mXiV^-gn(fxc5Dqk_T~tk6c03wd!*d&z zM}~1^zOSj3Q77xeFW4M?#qPvF`%`bZ*nH;cu=Jeg-jG0>@KD$Ih|`HKFY(}TQ{$j! z{<8|iav+52(p}^JdXmqFNddEygIAE+#cRI_s!k7?;mFV__*N7&q(hI;%z7j2`Il_sfBRXB|rXA19&q zqSCl(lz=MP4TMBsqF~=Ri^}a!OOx)Eb0FNt)S}m_-cd}Bo&Z50U2yV*EGa^T)1DiP z*axR@O>hHoY~sp;U$K1UD!N&9?$V_^S6^?pdM}Ah3>-LU@4kZ^%ge`)=s!;f&J|XV za)$qYLxC#JpDFS1W>A)2{|ukrscs!oTw04|s2hlGCNR#rTM^B1)6viLyOg##Qgktz z_HYBx;*?eJf3N`vlFpgr+$lT78KqQ06*?+HASWj)6XJT3M_SC0)bQ;o!Hbj6O-l9| zo#Z(<$>TMR>x&wft{O-h4o!v3aT0y)i9I3W=wNj#N|-!&RKCLrnbsBr;WP1GV`F1N zi9F)G6(c4tDq4()$mq~e|Bzshz<{&oe9is5OuXIpy4f#xwwZI*Z1ic9zLrLv&Gyz+ zgdsKJD7B4vq^SE@Jc@^FkY!8>?f|n|6mcT_A!A_zCEeLmZslO-$x|n?2!^cY7QhW%C0>!GGij$hMoyZR~ajUOkqeUj7lhwP6ynS03-hxBg+ z>wd4{zQae1<;;JrPh(6!iB?V~b@8ZoPl53A7_m`7A2PS)uO!50DHF!~4*y@bfLzxMu zveVAxW+wttjFOyRTHaj92wRZk*nl8x*(X)0SMxvl80sIU9HuBU1Z9aOfcu)OLkHmM zn2=I)E50;`2B~iC)4g8I^nIl$dFk&@N|~SPiSf_2kwwJNNX$h4C$gXPwgv`*k%d9JN1$ zY5%BzE`sPTx_Z^r%tB`>)@jh7;TvxZfJQDYP01dIz|TFA0-r2q?0r(^F-u|lp}%ON$~0y&qn@Dw>PD$&Pr4)ilSQPr6JRk@NP~viNmkiOr!!;s zr-v?14Hyq`UE|QKcqu8)HwWQ=L*k(*QWyvS8!mks0dvlJyH&sBw*^z-&GadlYdWHZ<1*gy-TE@pe{ z17T)+>gYN@Qlh73sR-RGDiGp$^f@6Kl;C(IX!3H;rsOZYF<@Ya_U)9bQ#Ru5Tlre` zIAHk7>z~h@^I6kbvu0!3!xEHpjH$bGMPKCq54mIAPBig7^_+w%9@hQDw!h>J(cUuD z-Z9qR+96yP1-+i+bUb?Kr57eHsRFHfOjx;L$6i*4oH@iePMkQA6F69VWr~*YaakI} z^~jc|57cluS}W75@y}V$f3Jh83t?k=c595w<)G0adwU0EIryLM@cX4{_yFCG2?B$1 zjcmYb@HefsX;JZK&z!NR6)B#aF{7KGF7CCVAW=*dR41uP&EKD zJa1n{i1-n6k4Y$oLmh_jLzd`)TwRjeODW!iGs2f-Ms3PTvdT+yPW5|>_wPhCXDaI5 z(trO_u1#1dil0#Uk>kNVz5OgwO+GAnjBb6vIrwR+6xVgNvcgn9vi6SFT+rssa%X zG0uVljPN|LM#`sdF*(PLpMXOQJrI{8=Kw5%l6pH7FaP{O`(upu8%OQKQvy?NZPs32 zM4?Uvah_g$U0bN%8A_S+>J9CMHctyx-9SVh;ymrmHKO<}9C!{v>Q+U}3hoT_PK=|~ zYu8ihnsZhLJPKJpf|?#ISWq4oI$b954em8OFlNlB^r=*z!@t?)elA(Mf<5D&1q!)m zN~EBI`}X(WQlRRG@9x~Z5_vh_>wKndc8Y13$N1By2Anafjdto{tTO?Q*FE^h%|T?&k|=~T5cN{fZo`^E9wy)`OchOQDnCG$6HK|Be_k{It&cdk zTt58927v^H6H=h(xyEE=vcx1Fk;D6Ka%<^H`@8EMYI>@3y#&|(@zFjNK$Xh2QbScS 
zT7~PQ6^o8!ItC?<#qf7N=Y7)0WwY1W8SbY)aW{X>`B*C_O|Nyh(A-u`9%BflfJ0itaW;NhK-G_biDI>?AUQ9 zcMS!qu0{{A+*iZ%q<|`vXDS+fm)T#$ZHqq8qR5Gir(&i3zNY=uRqs~;Rh`GLd4KAB zlcUFDW8=NOeO9eqbNa}TCppDmzZ;8{T}HaP9232m&m5|GIk?5+)S)0zg4_G8n%Cv@ zFaV8=4k@d{djE4*qDMZ?c;C;ort*l@8}^2^n>7~v+vO`(5^d<)x9`G9qVE{@&DprN z^U)SAC%d{^4)?a7>Fc!koae#d0IVc`6b7k0phXm`6A@8*IHiUvsgqQUQxv91jMoIM zfv#{hxXIrod;$kdNLB%U2@nA!f(XHkW$I$u<0xPSDbx-woVm@~Q6A0T-N1ni`vQg% zOHUer^d@FW-id0#^2F)KQpJ1EK{JXu7@`a>D>_2Ax}i9-(y7YJs;40-P5{V7_J?YE zS@sNd`$!YMHaGRu)dJt^mjfR?$p7_8>S5&{Eg| zQxx7K9CgSf^sH}Ij+U>i#DBbjBWLl_Wt;{X#4>B3st#Xz*YK>DKovhsfM0(8_Unh2 z?%mGF&$P`-J{j&i*Vk#nnG<~+O#d-vB@JrkXZ$|2+ zu;$X*;;BIP!Za3{AMeq`e9Mk@qq20Si= z3E8ZX*7X}Tc#g2n>%EJiicf}E)Uq&YJ7)2?p>t-Am^Xd!?Afi}p3%4e>loedln`!7 zMV~TxY>>^UJBe>Po74d>T#wb}MqLVNaW@VDNI#Aj|H$i<;@ZZ}u(`WQi*Hjz;uyg! z2a6Z0fGYmgW5SA$rp}!C*&G zg1MnV)YA^y<}Xly$)w2A=NVWZrl6rUBlj^{^<_IK{TB(Q~bu z89d+h1qw&ksatpSyKi}!6#J-!`ETEZVn+!MZFD!bQ@m5Rc&8WRoqNZ*yc*}yKgRvT z7|#hYUY|$#ZHzj%F)HY2RLJSb5ZkCo+?k~&l^UnYxc+nnxR3@=Mm3sPO~4me>qKUi z%lyY1+&VA?{h^pJpVJ*NryuVV?tYe}sn-AT_}SXoQ;h_Lq(g@eG~n2SJ##N!7B~ePp)!cnKDjDNNq{4u z3FZ$(2sFUUC4nlSs<4|juZ1$ntKN7j!c{{`(CRJGk^tWO?d_rjE)K?TU9~?YR(P!h z(Kt^Wq1d5p$N@ru@1&4$SFu&`3^+QuQpxl0T2g40@J}c~fZaq`ft6duRnT1cu<?2+CNUOqrMIraE2;8LpbCY79rA-(0=-A_0I?RadHLZH6F|RpJ>~k9*wlDqMu_L^ z0GCNF7O$T@_JXZRCz~Vft&Lh(9c*U4ufZw9dS<%r@N$w9CLms5f5-ss7n1>w0j{km z8J=;zHtM&c(<0 z#YK6?M!LsFxWxt^hz;Bo>%ThAdkQ1oZA83lUxsr2!o8!*5yR+{cAtQ0lEvIaz#0s? 
z6wnwL!hOnsZ~p_KF`W~YqXQ+7B=5(zxD?Qcs0XOTo%wKBjjml^nDB0Gn?p?w?QChh z<2j>k4fbwnx@}|Y6|1}ToID@+X!^#-6i7)+ONW-jM0%lHcc{EwyR|rdtmoYuzA%`rT*`j#bX|)wEZ@< zWB-?1s|%4Wp4tev5_`KC(qh%R7kf-v)PDS$K{G#hx9k;SH=<=T(QMS!)otuJ5r1mg zsufG%r0DA2VCUx6T-yGvjSg?GYqY)b$$iZnjT>XaGh5CY)@sqz;HBQZiTw6?`Q`UV zw82OxRLXt(nUtv1wov}=#fZBKRe+le=M8bqJtzDp9|2ql`A`tr@-fM$mSEo^!L@IK z>#OnJW8-~36C-#JBO%-(A;vQ?#w#&CfT4*G(j-PCF_PjmUZdCp_R;^7i3&X7UXXDy zCJBBy<_YUaFiCWl5$lUp#&YvJS&OCT3>Y0Sp!1^|ddv;$neVG_c@REHbDP6$ZH?QX zIo9>;@oxSuq_Y_y}#XrIF!Caw*cuFv7cw_XAr1J5F{$Ln)Q) zYjCP6W9^sB;)3d59nlq3Ct+|#X-3t>VN4Ib%cJ@7>2dBu(;@Pd=4JZ>l&4`7hv! zEc@49f8*m%#?W{L&)&w(TX*c*vwX#>x$_r%GG=U#9z83=the40?JtRiNy7@BA$PvQ zbN;(;N~n@(C80_|E3Q-rR>f!qZ$!;nm+8Rw?_It9W!|NN@WS%}nJKnu31$fqhB3jL zLcJFTxJ~o4d)Li+sQrnaw#J<-_BU2m3JROF%ZSe4V+=48J|EopNb+w}+EyJ1P$cbt zyYYKo2f_+Mb~(09^!_B#V_2g5z(lv#5}lq;bn2Yw&|Hc&$We$0d?qAg%3P|Vz$OgD zBP2A&SMjYF*nN0i7>H8_u9)&?ixmklA?}Ev5tkR7YBvE-kfKp~@q@t-z+Bz(g+bdk zjXHLyJ9l~Cu?t3ym^Jp*sk1tbUj<}zp0J|J#1(8b?mKG6%vpYZ=NdL@ga@9|Uah+I zY4hGZ`7u7wY5dB!=Zt~xhnXYK(w>55-LJ?mqS~q!Kmu( zPnV2&l+^Z%&zjrWojH5f9spvhw`|#J;K2U3B1NHzM9&T{e>O+iNw-PMKb$(OUIW1r z_VGOj=bW=0H-2LG9zB<>d1=6mnK~BY8vL1qXH0&7-uu%Q4_LaY$M#LFPwcL}dxb&$ zx&|yFmfNeZ_BGp58zU489aJK`f_g&;^7q{0-XiL|Og?R2CW=wkDm=9PR3AImp9igulzgAotIsgVx1`Zplb8&q}r~%=0TM2q8!K z-kpN)zkAFYM=wP?j*QHh@g9~fms0X`LXzXmV?uWadCvE?|J30`Pk*zT z=!C3#qzBFrwUGHg+XfuL8o-E@UYhP90MW@s#4QvTWlL%+0Vq@wU;sMUJ`9{Thzm|w zhNr73ulN{=sQ7A#tcln}3FjG=7<<#*M3B~``vtRN+3FWRS@2e$Ni!OD?Oms3yN(lp zr&2z7mx(K9u6fVpWZTgTrT|s%j(*SD+J@OkV5`S~k*(ifr~rhrF=F;4FRSA4$CXe~ zuZG2wN)$y_Ib)KnE1F?`VVh_=*v z+Ogv$>?!qrT8#LtMxAm3KP>ZNoKis*IHiUvga$v)lr7c&0DB`IM80i#k^@9FdY!v9 z5F3^xLA{De06IBq(jdjtNFt$?wGE{S%0IH9!-n(Jh>L;vd<8qa{OSF(cjP1EsR7FT zFejxRrG_erRuZb1)p}^f%-2IJQXyoWB~Vq2k^;6UDhxCk@T)NGWRi0mBn%EQM8v;b zx&J@>x{g@Y0c9SAAJQ*@Y;rIWEOe`%nfTE+}2>%=H{C>w41f8-@9`^ zd}+!&wZv{QVp@&54cm=dgXn%~>XNtSP1~{S^&sme@n`D#nzx*`>O-K4AP)3zsH*S0 z_hE}+Q`BEqwz0xa9WN~+A(Lt+O`4pWo7=WsyEZLqe3#zA`0y*r=byRJd+MUuQ(7b> 
z#KDn}GZw9w#K3ok*7h>1<6_pTm(D+_-cO5>TuXzF9Xnx#wQSiEs1i0{kAA0)bc?W| zn|z(qCS9hk{OFCDbGuGjss3WqH$GyC5%uoY^Q9i6MvPrJa{21++c&i`+}il)uDV29 z2$cp|2 zAi*{(`D{=jnwm+QO3TDmo)TCM5n0dXYgS`Ts}Wd4NT6b#L6>ja_5c*fsXVsIhAjTM~Qky^Fnz4aEkC4N)v8g1rEu zpddkv%B}6_nvd!^Paeb1o(KYFB$GI z`^GS7yLRib$i^0WBymFY04bf2P9?yNp$4+q*RYpidN3)NBN%^LOcHA(>$l#?xmYn{ zF{!H z09C|_@7%d{`MlfN!>ypa#_i8ZiXmk}#rrJefBsxP%c}^8%7XMuF&fM+5+!W=!6pbN z)KcwOo`G1+x&`UyPRl=Pe7Ww!>$Mut`ioxOD|H=QTnX!G?X&tk_vcN&?%mO9dV>us z${cehp_b*SbI#dwYS!;Z&`bmXGiA<<-fZP6Rr8gt^63xb)f0`L{4o66pF%}w4u7!j z=VJ1b!iGT7u;JG{-?XH_w?lq3Iwhq)+mCF}ve}g@SIU+xD;GlZ7R|qFR$%G0bTg+E ztk=7X>A3}4_Rp9r|L31qhyKS3BAQ2Q(L!}vmFqI9>*&^-R~F-=G4`!3V7sttuW{dT zTwWwcc~SNY6y_>dt4KQ$_GI92)$Gyd>%JY@4QkeZRE;T=6asFI?8TBri2J_b|~Wjx|@4B0w4i?sjEl`A)XH_3VuN$mE~O~sb7SHJ(@ z0W1q{HC4;U#d#=Z7VGsh%_BLHLA4P*laachq8yZ*V?EDx$4)4MFzC>}Rsib(SZ4nE ze<$i_r}*4MQK?-i`pXNI+U`kB>J#ey9al>GLDKS^4ve~l8isTgy0u+&H-?E`jSm*< zo~+S5bJe}}(c#Ud;lY*!?kjCgOuZg?Cpc4W+O~)5NIeumLg0yy%mAVIdYL4AcA!B% zv~OrQCLCePt`V#-`e;P;p;iJ_aBjI8$ujNf@AF)~H8W6!D%G(P=_(~-rGS+P1DZk= zb6yKo60O+F89|kFtnS{qcK%pzN;9w?Bn$pEAjQ6&gg(_MvT#P)TekNU`J%j}3db#& zo_p|^D$V<~E!SyiiH_rncK}n8VtS^Aog=)g!^rPux~RZZA)ILQspXbzpJ`vV!Ay#$(PoXU?fxrTehV1(dLVrYwcq>cK1d z#V6o$7VkK|WXEyUyY>BXXrn2UK3zE{qg27#q!g?{&!9w$D@#rV(N|K0WEKA%9=#F| zEJ_U*T>7wG6|To0kPDENXjVsE75y`Esq|2#EPPxlcCAJCU%Vs#|-xgYMb@-K|MVb(ItYJgEEqx|#b)eu&=)Z_& zy$#=I`SKN}&zOzR1)PzglV1*w5(UCc08USSJ@bDtD{#AzRN`tzZ_%t-b8sK#yeyz* z9+|(y+aHx^#Z=_M4aj{Ivs8@%vM1pqNT@PJD}o7@(2A`cgFW8eTNf^#SrxXsk~Fp# z4-3h3?Ra>yAf+GLp^y`Ve1vwqRygX=)YYNHc0`InJ6O3NX%mZOBc}IUsH+LriK;GO z7Zw(@EB5e|MD4W~bO^`!nXISfoieG|$nh1r4X@Xz?~mmK5iS+wBJ~9oyN&#IXy?hZ z>g`)wP<~_l7mashR2R%H-fmC}^_4s+_|2en88gw%6S_iyW_<*X=;3Bc(N0r}cGiz# zU8XWV>ptFLW%Z~71#G9JE3YgjP@{kU{!F%P#VZx>GPQWuY5LJ^dT}|_Bgvl>Xx3}c zpuv)J&bzn&p+lKgKbGk>UVTUL?)ss>rGnoK%$Pg>xbarCYuDi&f!9VYTNiFUO#L`j zyY(MF{_{;s^Qa;od~h^6vSiIzs6eK=9oqv&>Wfo;QnKUN8r}P}9@MJ;=;~GzO2L`5 zot0zbqI76pQ89ExQMB$M?|19Uaji=w7b&Y1+pdKw;cRFL6&jpUp$f|&Q0gP# z6xSpz(xGD~BXei=&*H^Pz;17i@oYAoqhBl4^ 
zE!UT?bg)^n6c+#{8w~-iCQk0!t@~#NX)pD?vS!WZylD#_fvjUihuJ(-{c%U|@t~=r zd=5=rsMJzXg`m2kQY)f=)pXHC)XS#v38(xmbZZ+J9INki*Lv%2j@8|>7JPWpRa95~ zdR~W|dx{T!V7ycc#7tc(gkl;uX}V_J1{jZgV|t?Ft=r58_9f;&tcCXi6!4hHY7x&d z`hYmdYu9g}FjSbm_n6`RuZaI$4bpu@fn%?60O+S;8m%PmGrF? zsCsz$+{W|1eZmj6@LHFR${-TKMnmQoVcEb|s(x;~yYvjmLoSU^^ zsS=$gmhL&r>?qZ9mVWe@RZ5JRd1^KrJ$f|3aL#3STC!%t65XbWcQg!n8!Gk{>pHE_ zcSC@xg$r#!RnGeEyEfIDeqV%$rQTDUgfCX2lU40ry~a$e=C&d$c|AV9L|rr zF4QO7v(Y*_<|InUkGT|yKGrS%^u)V2LgkW_St`&x3UibyZ?YVNY(D z2p(W$HlSLwW^HnRG)$3Xay}!?J8)0Z^3%y*AB+GBc?&ie0fDD+&E_pwMAeniCuLW_ zH;E`cp+%IkI4do0k(SqR8)DC74y|MikSWYemH}<{U@BCp87nPX$-SI53`lG_GSqdQ z%_pnpWl)EfRcrbjE*zG`Xh7jM8qmO?&uNFRQ%2YeY?axdzO9{M-wVB&VpxKc?6E02 z#&6&beB`5NQ=G-(9AB~Yj&Al zbHwPaA7y*bE!!vADAsyNhO9Yi)Tl9JsL(CSQlMDLP7^-sYb{6FzSd>?Xh*Vhxm4~- z_3)~o5pr&Yij_OoWsKsKRrmx1jD zHHT@rXhzPJb28b_$pCnHtW58Pj`}7MEfi8hTQZ}A1kvu{$pT7i0KxfWlDvc4e&eVR zp9Fk?MeTIuxzUv7&+W^MXFhu&(>0R(NP2Z;@#N6XZntkG7~vF)RQgkDmP+xc^c;18 zQ#}4bLIq}rke!30=ydbn@R&Mn1_l=B#N8lx$d_Zrcv9T-CREVW_0oTHbvH(cirpmX zzpoPG%jk~0%Lme3C@$JzOYe;TUhb^BF;uCpLJZJRC}X_x(*2c^m=)1B1Z)>BT1?c` z=ng<_I#>yuQh=B`EHZayKA_1VaDiFD%pu$wbv_!ul>%zQq*PBYSZLF|XRl8_$z$|h zty+DUVzU$uU!K@J^C>YyZ4pj!1k`YHhrTV9vfS_uBp4#vATY&s=jqqb(fXp zHrN(chtrb6PD=`*{Km>9tB#C0DP}?_X~Zea4*XjYoI-LWugw9qg>DCpKu z*Vsk#K{hYTJ=p4t8hr+^)bHk}7`nnq8!2-=d|;a0+i%xpI}Sntxa9`!S%c>IMSANwC#r zYKg8Bz8%tT^2Cyd)?|Uw&-cUT0e>gqP;T6xV;gg>u&LZ<+_&}m_9Ibc0g_VxE%1Et zxtjHB-*xy`L&sE}II-k{>3L9ZpmQR`LZK?`q!(Zz!vzVtx58IOV&LaoTTDe2f=RC6hS#Q{a>qs#w1a9&%CZT`G`DX|XCpe=m#O$;m*UJwk(-EezmZv3y;I#E%zT?onEw-N0W zAwM94X~366SbXtsQT(g@;JV17iSd=yOX)7P(_JTBHC_leJz6P3j(Bsw-!yYqhC}?G z0fDCm4K|2o8mT zi##Dj)Wf|P5n*28p`PKPheJ;9KJ90J!bKGFBY&MLP61CS(qKK{hN1X`=_BjJzW1n; zpz66UO%Lj^&Bm&1cBr#!Yk#MWGrLY0Tcg*o(w#;dl?%Otk^H>pkTFvmxveTnpbuE2 z02yW)wDwDfa}(_$9J+Hw=HV0T*6Ba=vz}9lyh(3GG5&MQ2R^0pSG3;EKf+ zzaN2Po2-oM9ex+;rXdzq?KS{fX8Xa-hK#L39Rb7`MB3@Ii69;o>n9Z5C!*8LG|-d1 z4MG_y%OK0yNTvB@Pf-cw@6kBq)Q&S@hndD_BaTF#@lnRnbCJHW(Whf$g5zRC;^P>h 
zj7yiIuUv^|T)mob?b-##_3Ibq@?jkzsKsDq8FAFLSt=R*lTgKiRb47AR4EQsl1rt{ zQhhwA!miR!Hb;&e27{{qKVm*euTXzybo`_K*|1?F+yqRqWLfilnz!W0#zIqnwp9qp z-beb+N+hZfm{p-FuBtBX?JBC&&jr6d5lzkujSN?7sZ>`%S)Z-+uG%2@_3`VEC;sP$4ZM31Wty`4W$@Wv%bA}?zCgXUawa3_RHRaETtB@dCcQA#|B^l<;H88OrQ21myH(H84V)I|I=Vr`<;e1Y zR)544hvEYBjpPm}c4&Rx5mTDf>OHV*XFZ|a=qGr$KPz+@+OmIZs@|qgE{yKevRPTE zhC{IEz^V**zQ`Fdk%$&@18C3UnEw>2*L@5{7Yl*qz%EX1=dd1f$pBR;;1r9F)o012lFL?$Q!Hv3`jgQ=aEgJw;vsQL zdR6acSW-9(khPw-Kqf9#6US_1(~gy6*e+esv12EM5vUn7B?+jfy#EtigCWC4@Qy&I zH0I``e|#9a9MbFXiL>tEa@`#&s>bN9_7wuN5~^fHRs6em)<{H@Os%ehQV6k7hyhL& zR726f9)%?@9sNfvJS0@nImqZcY1F6*%I8Q(VNRJ^{H#V7kWoH-Z{`)Q5UwR^&qVp) z@)6~uWge}FuoXs^P2o@4kw~p|zE9?}={p+TK-&M*LX|`-W-BvR1_Xp}W!bTkz7^Xx ztz*SXk!VF2Q0rK!P^F?33sCx2EJ;SnP$kidkI#@$1zN?%Mui>xE^K>tA~P~3!+){= zGfl!7=A&raxt`h#Sp@o!!oZCJK)FeX?m#E;Mv8*x&Z*db zREP3?XMd&y?(kD8^v6qDptwjtlJJSD3|?Gi@RBM5IKUtS`V3oEssH@^HJX&~F}>RG z<<*9-NH#{Ss5WAy=_uQAJbT)Lil>vaczIkZ@tWc4NPdxF%d07)>ab;uGT)EHMIx|} zK4a$MEqVz=Q?N|AJ?>B$(nmA6W1m#iw=2zFs6?5LZ=X5dBF&f9d8t<;+=y9>~Hl=?cPEo@xzXaU53D!X)~y0 zj}c!$@5JX?Ge0A|nw=}s)4+vrF*S7Lx$wE*OCU>v%mtdvpsLD>=ZS(=1S6;hu z14jmNIpkI(4IoF(oQrIh02#!ZC`u*S0m*^a%$zm1Lx)aPs#g0*t`@66iZ~%kj4{Uw zVYS4$E1s|YVfL1So%SC z1BIoDA_ge>*KZMhhyS=`=H8S;5~>gaHM%lQTKQISxcGEzd$gzXD>E;!z?f6S?bRsX z`VAX<_Uv7zY+0&$)8a-My<@>bg;v@-@}_5$u9v)p_D$dOx$0G^P^F@kger+v+Kd%D zG#OHmUX?^E86MX{l|(BUqmWR=hAK6v5{?yc%;4+QI#xz#6(4^-bbnJis3L#^l>!<$ z7A(?3bX7o8n!PTYUXs^DZ&c-?wF|RtU)S{Tu1SF>b_NF>4Gjqh3kyNviV+G(?e}Rv zX+_1J)88MY%5@z*VoK9ps|)#V6s5b^C`>C{Wr?ScPZf%E&raeV?(~Xz1=^14T6N$| z1)D_dP6Xfdz_hr^5L<=QABu;6Gf2?J*E|oS*^^sgEj1>lf5+`Nr?oNM-dGi;cPfL!2 zBkUFVX4sCxRbz*bzB*fUDt2v`t?b&pJ6t{^!)Wv;@k1Kud|9s^L_x-wu~rP!?I5nt zv7V1oiqY%8toIc$F6^olapJ2pZ%hApD3F5aAE+VplqQKp)nz)0s(MPFzb902V?ycT zLPI@TB`GY;779yvbEK=@gqiJM&pk`1YSg%?(FdgS9iPtY$WaxDAz<+0J9qEW-xHxE zm=e5zva;nX>_uPTTD6V5U84)8`X_Bc#*7`$w|dOaAL|YJf7lI=DO$;BfIbW;!USoh z0;>E983Rlit<*4Ja>q)KR(!n@tz?`;LX`{yCd8eI@azN%07+!M2@Mg`gEa?L4<@ zUKsc#kgHN(>+~5j<@mI0xvo>H;&Xw*(&ri^!iEG4Wz3Lhq2Al-N4CpAN5tFG1__l2 
zVf_L9W==1)%ONMUI@D`HD10j!aO1yJ9zhOATbPNl)xN~gNzK3P+rP})2L@~R9@uC= zug|)WpiJFCtK4l=pUH#Qtm(UD_1By2Ds8a+)Om4Ed@ec*h#C!apOk1J;1#h$w7d`5 zSvvNtyWEB`!{x@zDD=mQU>htW4=fXHmP+81qFpBaDG62hQ)XQ%xuujirAGhsIK`?q z5dT>3;1q-XDi4WMAJ)jID8Rb|$1LZth_mz*+kfCNAceuinIcQV7a~6R?K^xSyoUDc zC;U$mpd+0`Lv}JIrq+^5J%m=dg6Y6Jqvn@$c~Y}hZKHFi&6ve0aR215z?Y%kWU?oy z@V(fpd$LiWhR{>85{;!GKO{x}%E96@y7=4vDF}o~{p(3rp|CVsXky^UJz1xF=BE4k zxb81=>_nXorVNhZ_dj$ndQ)nsWhPEyF(py#0jPr}BuIrCfI{6F4H|e^fdcgDPH%Mj zyZzbfo9}2+dGN5etOaJ4CHpep?+*!8%ui-1j-m9bWEfC5R)#R3kz*x&s}vk7(~Ol& z2dj>i3RO%_)~4J~8fC1^qSaa7Q9-Vs&>;&`Kx;y@@znp<-I65>yhvq(V}46_S7z0YhtRj+bLyO{;aatk&zt1gBb>QG3D$qapvb zeAkIgLV_xF>V8pW&?0$mO{?|F5Es;6oOe+M@0f&TV;oC<+dqA#ESYlVE!SnDf?oo{ zG+vk{kT`64>2|}4Htt-p&s@dxQr#|*_L8v0e`Tu6oVTUHEa`12RQ&S2r?eQ_W#-I^ zY)ejV&Wsu!0XLG8>bFh3whRmgZ_9dMUH%n|EBCW%RkcS_(Q&Fj?iYRf;}qL3sW@Ol z%W6HS<4#3jgbUW_H)pVovy;2~seqjUzN?QOoV9mbmn{y}HZIA9U$57FTAh&?CjNft zu1X2#JwYoYsFHEN6mZIvO#xJCaZ1akkfA@&3XoE9D#@iXK$VJ9GW4fH)%zJ0i)UkJ zaO$3-DR=8OA0Lec!W#HcvOyI`*!goOcz$RX-o1B^BSiZt`z1DLXYYtYmyroYtqZ!2 zld}uBgOCEGHLNk(;0!8W&qPMC*!S$+pFe+o?TPffkZr1P<#-F;h!1Y&rpXZfOxs^N z)UVe)pz+5{q0tA9Bqgfq{T;6t8Pi_>ZJ$FR)HDQXEZ%|`AnB@msI0FRJ{{>Q3o7d* z9qFq$W$JXJH$|*(rTr>)0(>2O!|*HQu7DEhfrEy8TC^x%-Pt)JK8b5X&7QcNtm^>NI9#6x(-0IE#U%6k3I>V0P+ zIwY-D>tUTYtt@$RGc`?u5ZIu<(Ai6Ml)F(z$f)S0Y~O?9WFK1#Oi$&@Z%p<;>5?%KqtR znRDf<&~rLB$*qbpdKEXX3Pa3h3xg* zJ#w34O;H0ym#%r~4sUG|eQMs-D;F`6%yY%1(r2l_sT80pRhJ5=lB_=!r&y;(Pz6Sb zhlxuip$a>|-j&CDn3L2`<@&r2+-bmeV=lK}6Bs!7+Ps&LN#>c(KxDNvZsO`jiiD=Dz=YBob93 z`bUR)NmC!HK$Ri-N8^tKeKEf2U8Vg9vK5JORWu4q?M2hZn^4w~tyrmhDw_hwn~ect zx0yn;QHGkUeMex0wo`me2JmFF*mn4cQD1yf&*-bro?`Yn*C}42ME&{=hK(5MrJ|Lb z{3)Q7-07J*Rx)WN9V@~b5~|GcD^f~YdF~$NxqHM(-&IkO{ul&2O=VmlfI!JPgGj6a ztps4HXm!Z%)T}jb)%wiB>>$^J^y}b>&9~YY14_>A%6|1o9>|0aOUjqDEQ}xmeLaT( zZ8PS4ad2He@?z0@a=?Cn9bsJ3MFx%CJ~RO0KkoK9r_K8On=!+x4O^;uPf9>fV3R(M zr@BkhOPb(RTR_r=+LN5?D0ozNGBD)A_+sj2#+Qs~Tk0{UZ`F)#UrjfR8QZ>Mh(EW= 
zAzxO!NhjuBg{swSjavETG%mu`xTYBL`uw-fV+<^Jb(wF$qX3}Z7$M+DrWJ7&?_iLt6TzuXbd{9C_QjO3w9%=QjGC-8`Jj0 zrtC3$bC7Bz0ZKjB!ui$t-4*XF6(_4ym&pSbI=OlIpNol?Tp&rMh>trL9Fv_pUqt{)H!cv^aEtT7PGHwH;ylgn20QcRQn)vA4t$SrX#oCt!4*h#(< zJ}k-!m{#YFoBQ<}@Wq#37Af*6Mpa5H9P>TFPlKJui8J&0_#S?{BBFmF#X~#MO8(Xa z-L?KoqDty1eJwiF$Gk<4DzjL?LEXi4e>c%I?`SaFt-&01>})W{bSVGI z%VxXPpY2w#dgClvvsL=8r?}v(?O)Agh|BV4667f$$PE}EOgL+Rm+F62?l%|M1-X*k zE`7i-DO#A^;ZiUQwuYXhp^!t8CARc@3^k>t1uR@GqhyvAuxj=n-D_+Mr^PvGvqAzZ zZeK1$vGA(2fQ7e9V34u}pa&6P%Cc53El)d@O5M!6OH^v_UR{u8SkN_Tri|1c6;=H1 zTkJ|u97i%MRVS-T?^&H^uG;Q-f|)6y>e9vd=-`!?F2#t+eEEU~s!}1SCqb1WpKi+f zW5vnPA85rgG>cO*^ru1<>spIbTBv#tL-G+%#Xwih#vVkM1F-)JCTmSn{-J1yAPws-)K=kkK9Kj*K z)=PJ>l_62}_2021s#4*5qznh@ztR*qG2YM+ghUv!71xIuWGhw)mGzg0bbpzHRGp3= z7ggR)ox7-4d*>&7tJ$(=rz7y>snhw2Nb`AmA0>{e!V^CMmKniewiZk~HV;Zp@W3(O z~G4zk<~#eJi;BU%HeK7j-b~K(nB& z*`h-?0#zz~UF%y($Lc&?KF^+?wbrd%_i50#XfV-ZY@6L{gdS{&YZm&+szOY_4bp;p z))cDKdw|9YO@L@YAEl0?f51jz;_$x+^wBC&YX;?W5p;?z!LFWqUYH)<>oVKTFYv?o zK9UZh_nyYCRx(XWj!E&Gl<=JZ0^ul4+l-eaJRk*?6g*OpNPyAKhI8HZ!`kC(>s|UW zZ`arQvAfayWaI03yA8weV&$wHMM`HcT(ZtMNBz|Vv}m7yoA+rFG)YSAN%xGQ@GeiWmP1V0wXQ3!!XD0rC8x#rHTRio!1g-DakU7}ozNx}w3 zy#l{`)Goo<2yn?dZ(a?Gxk{#{@>HzD#LhDu1H+;&T%wlhTG)X`!EVK(Pgzsmt3;=W z{v~6lo262iO;NG3%x0-l2>oesNxvRvuaPZ#k?LnxLrAjqv+HBZ}QE>SAmVEtAglPIL0zG8($cz%UWva;Az-c93jcRh-e0xZd)ieR8V4Co&mv0&rwF9y#;Z4b%>lCW-$pJIGs_U42+ z268=cU6etoI90X#u(rcG&6-n}9XRwY&O-hOfr7tclf{?hMW~iSqX}j*o|M!C`r;2)*HqG!95w%o4iqm@#$x#gK^JqAi;ocBT z}P?IvJ^A7O5`D>o5ygl2s^Z^9r9(Vb|+pgUJYl#!*4gieW?-RG~_r#!}F# zY_FLO2K5^^x%v*fT+}+TXP}l1Wq$1stv)AC2=uUB!CgAxl6|#p`5_aVe?6eLO8#VH z11kf)Vs;?vS^UuKMlO4aaH79Uwv~%3^%~o{X0KF=xhR4dZ@0}eAQU!5@b>&-r{q>5 z%6DM=*=<)Yos)#36jD@Ls3JyT%K9_Qrckp~Y`J;paf&sJ5lOD3gyrEOaSA)|o|fce zpH2kx_MJQMqktaNgiM7m3KlFRJpvk0kx%K^sSB+!8Z>AKmte82Xsr$no{%6>7wI72 zUz)#XktUOXvXMW;n#fYfl^nI%e( zAFmU#6|a2F->OcBn?nwXklout6&3viRA+ls@7{g3Sj9fDsv8w1%=iHFt zuX^X9JC$jmPd)uvP$66`kPd#=Cfgi+r*>#CZeESCt8gd`@jWNJ4;(1+P5K-Yu9I+E 
z1U3neMmS9Zm>S~vNK~4?M`BHrMf;m9Iv|G4!6r6`nk+ull(FQnGCZ3u@oZ|Fd~ifR z4mVxQ5T_{T9^@j8=kKmJd4qVeaK9J|>Io23JTd``isz+=t-0<3G=Z&IxLU&7N){^A z1PNt$P>B%g6I;fZW!b}0(2CM6L+Npf?v+YzCx>O$w?d7oT<@t32ltyfy);6O6j_5r z02cff_4m>~k!4x*qao)AspjDNe2z=YbspVLQrt&RYfMB@r5CCvGGQReQ+tjl4q;>W znnH8t)=ut^8`E;&@YLu(cg%8UZ`a27W!HT2fTY1Y3We{j8+&@;^=t8I%u=NcRsU|6 zN?J9{6lhECfE+Zewi&bL(%II?KIh4sclylPpc2lMssT=>21^cIkmCdir5EtxvPWRB>iNJIHc-zGs-Y-wH0Tenj*x>fC;iSPj9>lm)zTz9#n(8awyMR$L( zsOl0iz=OI!ADg{lwjVU$0GG8FwDg?HN@OT%)vkj;J+weTAMzxOchxykn$_QCvVA<~ z$n2*``$36T$|fr%v{JTddbA>M1z;JW727<<`y{O(MqRxe6@O-P_@R~n6YDzuV9w{E z!l?ll!VfkF^noggRuZs)s>t(k?%w{btrk(`G;&Ily=w~KMxkbaW%&J^MbUL4LKrj% z6==$>UG^D)K8WQIEzp!O%F(OFiYM4BGF)uS(IcgI)wY$nMo$0w%W;bZLSdPqkrU#R z2sLF>QgBZun`ZA2{>xl<0SyA1c1uSI=cwtT15IrXiUH67Ndk$ynlANjy6lL4Eca=u zA4i)mHy!G~`siQJxpHtFiDC+b>E8te6i|p?hV!NPYxr*S4Z%Z!T#C1)I9y5ImW&W8 zt`^=FpH7Acjbnq-&q~e7O2)oO!YpIng{;XUhb28MRl7;`uw(*D6?<HwuXr5K!qhr3g{F<~@I6^wo=jw{Bia3!8$_ zAB&4&l%h%{OQqDFSjtkd_S0@C{^PG?N6luQ2p*MLR7e?d(J|3Pv^sa`CL7jhEw<$T zfpHS5ESlm!U+P{R645`TjqWcI(LWMZS2}A%D(e0n^Sj`tn}nD5YmC`1ALoJ?9VKQ)>~W*FfK>um4;?-dy2ZZzhv@Sa91;fijQAm6 zh!W+yPmW0&Tlk> zekta_`2ef%eP5tQ0WcA-dudQjC;SrRnmamZ8BitB3Y?Nqwe67K@I@$m2i~b_S!wb{C;Jq`c9WV85NhS;*#yjq&y@ly~j4%WgHh@plu( z)g0%jN2rM#gbyVVO36Lpk~F}9(!-Mo>*31)4I*%-cuWc~DgKdw6;KJpIofo^v8F40 zo2_K{HMKj=XvVPjw>(ZXwLc+W*>vUcrku6XSGfq+0n~h&fpHS@^x%aHCOogEHVlbb z0=5hRLxZ=axLSJ561goygiy(9X=8&18iwQ$3KqRcW*GsNB@avG3QDvxa<7t81k>VP zq0Usf_xKJYzg=Qo!gHv!Paw-3~sK*%zw^*+jvm z!O05PoXu%@*^yHl*YDTYtYSvxZo^&ei@~~)-aY6^=otN5z%smf!=nu>PzXes8O75Q~wxsfp9Q8w$f=*RNX4&*l)ELlT#jElU z2*ffIdWBnJ-s=8(LHA<6$Phht(A|~Xzkx#X$PoP#Qb-rxQKHuL#^e#wUVkOP)2Oe1 zmrLL2u67rdT<`!NE)y+CsPKAo%53{8em;U%w2ZG=vzFQG!+RV$Y~wo$Q;ATGjPs{{vl81}|YQun9s7e{FNLQ&DD^sY#qtv67M#EN{vAP(w z^~|9b1V(7XO{`By5@~kAzz1tQY)|cralr~9P>)tYXU_Grwi`90jmPT3z8iDGIlp@3 z6A+5mr?88bb_T0oMpW;Sg zpEtqZ6I2A84#CzV#3$o>f&w9uO$+x4gaR7C2s|C>GzmvZ!KRgd;1P%;@W>&cnZwEE ztCZmw*jztOHFq=}hJRfZ$m=;v8Jr%VfR}<_AlC|z%UAkhde{Q9lDsVeSSn^2B7~}w 
zCBlPhN=w8oMQl*e5w*#zcW|$g$n9p(3hgFYJFE!j4qhx%SJJnF87SH8s$(TmR|YD( zzKd3mnU#Bu>pZIE`bAl2O2`j=Zch&4z$r`&{)w4`(g?{cYP!L=TYh=9bHMC#&cab5 z8jL>^@Jk0xY|d?fQ0jGLL{X84${OtYNvL~?xYJW_-#C|+LMqAn zOPTn`niUTvOJ$b$Cl|hXqy1le6iY?b6($$43*3ZM(F(C~#F_|sQ5TGf=Ih1EnfZL8 zK~=EA{c{p|B9H=l0}ZM!wbp~kg$9YSpls(!eHFfhpqiVwQ6dSYhWHc*Y99`i@Lxn^&r|O@3BL*72Vdz#GY5f9%~u7s zaAcfnu{ubMHNh>`GD2Fc3pI?e7VFeuIJh=cyoMKx!C9wUtmX=*xDFRo2H+K-xMK#` z63Aunws5s1W=Yr*ewG2V3@NR~$pV9ti6Lkh`lz7B!!ij8>U}HWUMW>$dX}K-Ug@i` zEYK|!_ex)Zg+Q+2UP)%4HWFwlbtM3+$4o|rUREO~*7R6a2*w35+Y5(sL0|t1QEOT- zq&N^jzVDxkFJ^QFpimMvC=Xw|^s`Q*+kf73sM=twRHw1H@Mu7pdhTG>J^uoDf9!>V zx95%aAAUXI@Vz@1RhP;v>rcfgA{(-hgjFe{^sG|}Qxd0S^p6!Sy(;Na{g2|5w4+!m z!k`%5<0k?T6$Fe-4YdRmj`!@{XQ#)WgNM8%_YageZ;bzZrh9!%_iUT)@mk$IxPQ}i z*N5w_AX3px4p_T9-z{`>bC^5x6QAK zr?}G2!6+Px_Uy9dc2LS8naDsNiBbFrrU(|^?4|x!4ytHn9;yssK(lB?v^*{R3K<5x zckkAfXt(peeZzKF2BhfhAX~4pV2##3f3mJG9{wbFd%;TyLJ9fOg|p`ZZBBSJL7^0} z0?>`vAVHNBcFU&MOyiNn*y3pQ5Q>BaO>^*FYpb}pjPJQ{wQ!>*3ciFwH5XjI`ZEdi z37Q1qGJL2cgc4i`CF`U{_CzS}M00^nCvlfrtUj$kOmK^J3M#D+YvB~$(kY_lhBIO~ zpG_JYBa@!XRlUu*z1^=$Som0rVW6V#%b_YFQXd>+bu-?A#C86A+SGlZe64WC14@hM1a~7 zJCUi5HW#JkOl%l~k)ACtgf6&yBU}>HQ_fPEhbm2$N{dtf0;s~Mf>uz}2xZYN-FegI zMopT~`qLCgXk0sI?mVJ@Xe=mkuN(N8=56xtRQ~Q0xIl&ouK2Bqf;WD-gNh)D2}snw zV=qP18`B=qC6xXvuDtq2qS5fR-Xcv#RhNtbKBpG=r1{%cYJnl-*Q}K+21x%MI!Gdi zc;;*rmXj{b{OWt+U>IsZN|4M2Q$kP_M3hhQp>S0|0TJKxZE8n4N%5XU zH1Cw+G=;RlCjw#snhg;O3;{-wEjLD)9j!KB5|ErIunDxE2apX;d#P`BuqT7N}0? z(aJo_Lh{&?p_M9lYlsAv?=yF(%?6)iCwz|w96xc=@AwJt!`oa|RG_RChwudqLo#13D@!yP*rRHXp~wuPp<(G#oG8y_^F|trcsQH182`Z! 
z?nJ*en?ecwsnI_zRAJ1U(=B30bEkHwt2)sCZxJ|HYes-I22XZ|K z$e(hG+>#wg%W*6WvB67+1po440aY@K!-K6=8|)w7S?-j)k@H4<(V zsVKpe5K%sXP%;B05K75CozzG62-D&CtjBLMI86#L0YmRU6d(iXA{CD;q9yMF4iYoe zM+lYJASfwfgCYwiVvmxHp~tMFpjC3f(#8Wxw80fLB(OASMKDlbjU@oQKtsRzfr_A$ zBnKLNDG8I&VLH8v`1Fcb?sL1u-fYLJPhtKrpVQ*g zG0916T{xT@jTBM&eysD2xNQ&bMgR2tnKtyt>SGzo2hl$fqc@RJl5s!wpR8*Irv42$ zC2cGw>*cFgl%Qgemo8gjWUKkJW5>>zYvN##39#6FS>}y%;v1n0Au50A`XMWSN9Zn7 z`D@VqBT+@f_^jzWe3&CN6xPL8N`fkCfr$ZaPv2>(-GpcU$t7j zl~0Qn>(H^2!>TnR0C?ss9~_BwOXvPC9v4_;4y`Of6$?a*R;FRV$B*w_i*bqaZXM=P zCd4)C#Y4GCK&Q&hQw;*VEGk@B+Hi?)9?SQFQrt9T8PwC?_Q~t;PemX3?OFXdW^!Md zbUtkLI+ z8T_XAhbPl3=mAUXWC^sADJ^|6OQx|D@&;+F6AEKcQZJ4sbFVbycEMNF)7s6Tl|FAp z`LF@4w7%7civ%i)78W>xNHA3%w6No>)i%x^9tVB!e~o@D?VmnA`+W}C9&v3*heT!< zdnf3irYWSioj;ad&z4L|c%knEvx0Yo%wsm(ZF&VmM3G{y96_$R&K{_H;k4Dm+u`gC z84{-?RHdAyl5r9VRdSjCFB&LI_Y8C7#*LeYJiS$0tv*?{!Vai9?k~81FbY6w^B4Iw zTIfPNbumQ$sQew6)b#@fAkn`MAyKQ|nCTP6v1(vIt8WCk0v_O<>AD9?g>WuIE|7VX%sFJ>w`7q#bzsa2&OGEDE zSSc(S>03#(qPXhGqw7~9?L&7KXJGGLDL0ZZJE|LEw~(gB);^r1*X;X{QH zkrQsthx49H;mPa~;a&;A5+OmohlP73JS@^!D(^z?UTNZiN1Lq>?vl?26chCErRa;=+(reJe?{FpUH%?v<8hVF&{f4Ako{K?~ID+^W76&A&b$YBOM= zv)le7raz785tO>wVE_8ZA1BV7A3XJYr$t%l(n2~iVrN$NLTN;hR40|C7Z6N<+JQIs zCN(C!(G|Ecg=Z+dGuBkhv5pUJ1-*Fw6u4p;ri@e4tNOR%l(e5TP zgHsGisDR~e-Z0bi7ZiXK4x!=!T|Z_BjJVPxsq05VL!l{g!xUaVfO9z`tKL`w{S@DULquRAJ1`p7=j~P(>?C zP(^6eELyS6`{~J@I~VsRoF0oCg#tP8y1OUxn-=~XEkjFxz7lR!N`+3APE7l8l4acC z*`3*tIN0l$!+L)8j*|z}v4T4x*nKVLY@N07pxYtev;Y=X(fQ!X8E%0Cwgk0z4pn?8 zB_g*m$}F0E)PtIMpdPLC!9aml`e2}jB52?TD&#=DZ-tX6QdhD9OJxSil3_Exl|B-f zBFjS7TWL6f$z=nRM*@@SFPYR^)gEs9!;Cfk7CJB3;IW^c=gA|qX8#O46@*IUgGWyS z&RrUAx1)5=8O6FxE#G})zcF8~u_*vx0RiMsi2#4>Sw~>OR6ZpwlNP|@_7F3qd?VO3 z$9bPNH_q8Ty&q{Q^hfkw#i@TcRM96L-6Z-3_UYUIi!bZZ?HUvrHF_*Kg(icfz_F<| zZ<&9;B`SZPZV`w8KOCh9dj5hGN!-6WK-GtYC3Dx(T`VZ{055#4M=LrxUhOTEodmgJ zg-D`3-=%vKu7gx>@*ucNaWwEmpD)-W(vw179u?z%M)k<#j{b=QDpWDIwP=-c81VVi zyH_KZMjomk;#P=_AEmMs%%)nel$PcBkzT{9zwe))CC`rf@S2QE7ZmR>W$>3)D-^vx 
zQOPTcq^56eFl&3e#k;0#^dvuJ)&LqE^gVv^(6N)-y#p8R4eslD=A+_K$`{uJ1Cyhb zq_rFJR!MAjl2#&bbu3vJ5VSHx0+leJ6u8i`ERq=P#u9>xeqi#Ft7J(ly<=tQDq=2a zr6mOFDHip{tQfv@%UZXC2fY1!eEp5Se@lPH#KfaN9)IKRm{sn`Ar|j8y;#?2KvmJs zQ;K(*Sf$61LF4LdTb9*-lTZzz~sp#b~&I{k(mt)DuT=!t4Xae)G8!y=}HPV9}5x~oM0 zTIju-3-$kwFaN$El(zGAvBeYPYZ_vJ6j*f-DYKgs1bLq3SglDAL(z#@;!epCj5e z`&Q3kts`)8=XgGpYRCexaxL8krBb{p%C}^B!8~^Sq`Obx>O(=Z_Jj_13-7e$ zY|0MN2mDu&v=X$yq~<*VL*)%`vuVOczXIAx8yOIJsuJoK_ukqv!DFVCQRLMpx)@E zXf9C{TuOl|&iu^or}! zw~}b}=FRh~5wjw8R|wvohjmJc6O;)&8tw8i`~0N>C}{LiGXlEdg&{*hjjbhQF?$j9 zAkqHEfd#-Fs25aLl4y{F0!*{}(x1;1A$LXwjTXIb%hL~;{%u361vpbmlMYeRi~c#z zl)hAIj^3G4>ZA@DbdUtQuf?j9?bn@}u|INuK*S0EWF&U8HdA|$@SwNf$%DrNUA<2& z+#51*dqi88$PWlirk6566;)S8{0bGSgea4wudDnD0aeDuR(kHb<$KuY_)%Z~l<9ohuU9?~3qM2moENWuJ{%JJ z-Sjn|4_<`qk|+vRBrHs!$_TBBcAQwM)0i)Nb+evP)LWqlLKna5pI@DL+9$w7_zwNV zWB5oqrN|lwwxj1(yX2k6W zu(F2kEF62R-IH71N@(Q&1yo_GrPab%!Lqn>=dMiI@LyCKEW-59r$nQTryCS8B^oJ? z)?MqXLx@j>s@RIUn2%CUWd^Er>HZc4Rt7!5i%kV+BD8)>DX>DB5TW%K2Xuej|Nn|h z=0CR)TD^Jw@adhCmxD%wP%yd$#n(T-SvezC4KY2!=~V7NIb8@P*jO-Pdlmw20h==W zIcGY$J|j*I-Nqx`v$Lp8*R0ti#75Y5;y?k8v3qlp5ku?-YpgGoLdij? 
z8JkJ%aC*EOR1wzEHM{*a+U zH3rxU$0}K|RZvSDD}BaFkq{J$xGKNmXmb^<4E%~_1~#C9yDlBGpx-eQ|^i*1I3 zj!f)~Of%*-vc~kiqBe>ELfQpYh)!Sg&coam6MJn&dK@F*&pam}NpzhH-Vex6efrO5 zMTZ(o`@>gZg|B$$L97haJ9oJLgUj3AytthBmj#su^Q-^ga1;_d3`qh(7IEs&pL8z| zC{pT_Qz4}ep<<+9iK~Q)3l0BHD5(oDMU{_rL>GfVTon~41z}zkSV69sD+;WhI*S6U zH>Y)fTVUP4-|xm3_1n*P-@Lf=%gZZ?f0^NLyx-+N*4f-P4}7aPFK^tASs8P*b*NiG z)bOqy$pa0^2oV4m)+0CqezBnNUq}XlXslv7Ivrju(8P6VdY8rNH`ruxwfmG69lkv) z*D;Gq+Jm4TJrI$wMn8>!3>!}5aXi;%^jMjGi*0&)>ulpDe%57VowQ>Zd2vjVD6`RKaD zZRDz5Q=RrL-FA4Lhxd*HM{%9r>RU?r#X%A0`YmG88LUDTVL+L&(#HTLzrp}j zpjFY1lT^Lgid}|u9nsivVLmoO>~@e-2C%fPHUSqRZ@V2oX+5Y_|Isz9rx(~{lYaZM z^mNW*KgPtPbUkKYP9l4hT>x9`owU>2^f{i|b)USPxW_)jiaFVw7p2>3o1QqpK8Fn6 z>oP(72-*s@J{xaJNI?W1PZeZONN`(wDY-*?7+5fFe=dM8a)0$J!6TpDIr_1T#fQEw zcJh~(SFxE`POQ*}zP#ajZ^D#vs*MIIbt~O9#FUa6DeB@s*Tt6nSg>U7y1IGk5@Sp0 zE*J`|kjp@a5MK`p{llfYCu;?;zDB+Fqtr?L^6I+a#kuAZWBVr&dn?8t?{p{D;mym- zhOg|u@&C*aX3Le3aojdBaMmen&4>cQpR8PB6f{U>MKIXNu>-_)LVMnf(m`uOIL~tpop|GR^ z{D8K|tyI5gq6Ng4|#E zE<-yFZ7_36K_=?@`RUx2XE?G>s5x;W3k1O~G+5rGh*^I|7o+@&sXJgoi)!8awHef6 z)cA5M=VW9ZaZSL>eMJUzDR}|cl$RxHLFn&}Xmy>83Ig!qf?YVs66W1=oY`CT@r}KI zC;m59+5Ga#mOzrVSU2lG*Wk+-}kxAEK0cOKu^cQLSks9OOt zLCkaF7|eOdPOriR9RebR5Rq1TB|w(~n2xN^bkH#aE68PWI+x{zTpg?I-qgg)qkE{o z?S+`b_wQXs4ThxW!}|&6yuX#Gr^1Td4T4RAYjIjQP<%hUhPVd-5SZjUS7cbTAj_O- z1;<&H=`^fiz203)b{s3VzJzPKPAl1MdfU;xfHQL3T$2zD`%L1KSQYxn+u4-rF{xvX z(JKYJOli?8+jfYc-!vuYr*A2xXHW?FJ8%kDf@V+9;q3jXKT<>|LR4o;ri3QAhXEp{ z){?%QkDtHtjJmPoM5O1*@KZsdrmuPbBSa28js$M?It5!}+5TYby`i&rhZ02`y)yz| zY~c1Ya&+4oA;y;Q?wiB9xrF}c9NNx_5!`NlQ2X_#NV>IK8`y5m$+nEu0c{;mFxoiy zwQ=xmYk#z@oliTvBb`?r>FnSwhMi{@JI`LLJo`F&_E~kPkHf)XYY#CdZ19}9*=wPz zw}Xezy4^=9LpyLJO~n4U{SpFC1tSwpZPeB4x1z7y-WM3@c7TFM`qH`3C!w8b$YuFTQleXFyFV|(X z;l-jOaD^^IS`GNF|LE#dCKX#UEB9vG4EtAQWThP6C?bTcETov}t;U{>m1VRXfI`x^ zbQM9NUA-nZ&~iZQ9wWY(XI*34>YAHZmU6MpL9k-CeFm?!nQ-EetOOI;2S)GBLG%MH z!55)LfJLH(+$1g-9U)m+Q3vbZieB>Sarl2WDu}81{g+42@13}QW?Iz2+JGtF32Pq< ziFx5}FMA0F6fby784^f7r zy7L7DxdNcn=gV3v>a~z7=7@4t@nS*d;mD`0PIg7sk`a 
zmk-&VC)&H|-8jd;{;)t(dAm1!_gDY?JmGr8v~!;INk~x`d)qf3vz;PYrae1J<~ef- zgvG%jkiOR;1Az_^(_5Hs)3SnlT$&y~JUaT!=4+RZ-@SG2>Ek<6!a|h?M7}K6zkkT~ zoU{Z|!|d?)D8px35?Ud;&c)F+V#i3tWAozlj@FsSSe5%>NR#?~x>V^lP#{zXr7d{J z$)X}g!Ku%BP2cKJQc(Z^=?W5TVKEY5T)Q}bw~1ZrkC|P4w0(7OisY2yOx2#WQS_El zf_^alR64roii^@L?t=*WDGGi_pre1TI8*4#N;z4HQ=@i<0~V%sGBhj#AvVtoPug#d zW(?dFJLO=ElYjj2h`5lj2-DYpj3YjNClCAT$1a~h?Qr!9+~O(6$t|ABIDB%8egtee zEXL+T{){bRoY;Ekgol^EVetIK0U!UvNA=@l+`Q>Ek#|FF;O^b~_a8kudG3<^{=lL3 zyIaq4t}$YHt0|6qy^fil5_mdf()ztBRH+TEw2qaT7@*#c&uwL)3 zR+B0*`PoXbTO+bZ3Y9qX@lDygjBaQ2dgadv<+=>7)uVTle(n2?sx^N`J{i;7W1pT` zDk6kCvazy=Z&T=p?z)Ouh!YY>KeRqyi^1KEE?aBBEc+eXZ`}yFlHheFXr-rn7gxth zPKz>av`M#RNqP^v^oLew^xYubE`snZE24!Me|#?90@*|Ox->A2*i|OZxBcU59)JG+ z^4(3wyPk=yyBohc`bZ1X3Ro4sM(hAoMr{rbBT4r8qd-;SZ@Qo9PUWV10-<7=?w+;o z=2%6awyho@D5s)1Z){-$fc$g+*Tttxj4PcOuNGLrTBm~*$`w;}_ZBMZwc7-1@sAHL z>&NCn3su^XvV8t9uz*s{mnF=j)RSADi3olCgAZK$v~jPc4pS$<0^jLr-RW76@N-+s>@Uo4OknD zPlxe6{avyp9LhzskV}!&c3qx%;G|}?MlPy0(vB8>GU#V0n-b0xIHk1cl|etDh^{aw z6r2(|ej@0nI8!hvLIfMZ8F3_)su$IL>zUm?fuU|OHTUPAu3hvF@E+^7w&r@9Tx%C*TRkr$ zd9FPU>B$#^iL5fNFW&-WjBwNQW+Qf&zkkt%_}f1d801}^KRg}2>oX!Dc%xW9QN34*|6w`XQl;(3YiNgyT$0OgElI=#KnXLPr1mQ{0EX3p3YC zO#G9?<-LTpaehBACDg&J1~`1yXJl_C=@6TjX4_(4cCSm5WBdAs9G??^Zu^6K=i~xW zE3HyMtDl}dxEwK`>$3}mbip1EraG<}A&Uc!83^VR-4%P=5b+bqDd|tO-W0j+aFD5O#Kux5e(}-k?ryQBq;c($ zj;=A2Juj_1e!(RmZg=20-;k)F&?}}Y@#yJ|bvidwp70|ZUh-LGfJWRhR@XpQqWbKi*S{|UDwXP|!lIf}>sM0uA zT5^REM#w+Qb{g4!aPtMTOCDM+D1uCHnkP2w-`nhq%^s}SWpIoBZF-NaGuEoC&CE}> z0V^Vumyw7%utJUiWp$!qTzRuyi7)&1GrdT!1sl#^5gpiNoxWN~^~;-QcW<0J7iu5i zHQICM5AIHNH!aJzWl4se%QKMhg_Q(&u>e^$>Z*^}Q$Z#p{`k#8^FcEvJ>s_jgjT7T*=n{%qf|8GY zTo+at$0|u=iF#ysiMOPB?GhmX1-Sw-s1Hr90IDK(mm`ys!jB^V3Fr5=pP*HrJy7H6 zZEsGrG!75p)Tel$n_BEA#4-7~+ zxAp#=&}UCBzJ7WCkKcb`Iq+aQ|;4LRzZn=5l9Kpe+| zry)F;+D0l3@4xtEqSs|DDy97VJC}2vx5xB#j~%)zW`R$FYw%^?GZ&+x})OQ(NdEQlw(H5k?m;)^Sqf zQA>hjE~~;6Mg_l0#N@@R7q_20jJ|%!E9~ULgFD(d+vZunK+rRYv6JUgd^$a50U|dd z=e~ns!6LnQ81&bl7858~vlkCeojY7F#8nhlr=`Fdhbzc6_lJk7zh3EH9o9YDA=<$| 
zuodJwP(UbDv`m7kI5dtv{n(I{!u0`4U3_iB{WQ^C`cc#--?Gx(r8TgT|^Sl zGDcX!juejb8$}+dMLH%`sFE*u7D8XYY~k+3A6@fEG$&5Tdp)}5&IAtLp6_<_vR_}{ zLIx>?8?f|GzrT5S&bw8lPY0hJ4c0HpzHw=xEq0|noa>$TopSAx*UzsXYEOg^$OG=W zEGm>}B>@Y^O7C0YSt(++QtBDaXQ&j{FM9d8Wkm! z$>@WZZ2Yggh2Qjvyc`&r;2Rw26Awm+Lah^x~zuOmX)Mee=t&5~rj#g?90pK7V-cOmz6_ zWBdASbtt!Kc~Pe&dA8dZ3G?n6>DBVy1!vROTRMW}!T#KiSr+b55{q;<*52$Zftwc( zL&DulP}fXCIgOSOmA13{tN)$&F2>F5ZHR*qDtO1{aQC zAep1PajX9N^B2>vJ?d~hQn92;!`-su8QqMs{`sd^V8ry5mX7@L<_Wv3s8IVrAFHr{ zc?svYJ-8eG=Jg{>uUC-DJXGOcnGFLzdh%@fj>AJHx0^q+$dt*&`;Dqe?Ma=UJxg~? zJ)WOzJreipEN}|4pYW%8&BpS8Q|0^5pJ!dU)40wxhRhc@H4L1x6aJJQr`AcbA0&#T z3g0>Iia({uCCO%p0;iN-y^zvHg)jX(La6XnN$D!+4A~KJ;FuYI3J2lE%hx-i9^fUZ zFaA(Z+HX1E(>-p2=cSq67v~>Iu=9&|@{ikeB4&SZ?2*tI|M2M0v(fYbr7bmx00ZHl z2_%A*ycZ)lB%F6=#Kk4xCE;3Lzkc(4!sWB^SB^!*`$Qz{35wkj7_-*r?EKxQ$8SE? zch#ZxHXdJ2bx}1d5LvPeRjbnCRaG6b1hnck&&jO#5-8tc&U)ckX({U;8mg4(YE`30 zpTT2mb{*9`+3bA}*s9!hP@}#-b{N`d+pt&*V1(9r71v*)8$y0YJ6i%4*JB&BG%2GLKAf-!xs&voU#Qm^5 zbknOiU}4Q6bE^(nTy@COYV?WF#{I^x69&)__cQP)gg+(ZXQe--=ldx<3Q^>1D4tqN zk+0H3-jJUHciL=<+JDpx3&KAj@cHwX$FDpCQ$7?trF@;%o6on|a{foxn2xT|owrAK z-4We=NA$2gadUhwE%v+OcJ}s;Gq?7izY}@$abVodlQGw>-n#eT!6Vag`_5f>-9}C# z2_w^2$|H{-KcOuSNF#Kq~p7n1I$(`7Xn&bRCdFki2B)$paU=JbCeo zb()stZ2B5(!tcMmWE1=QZ?8=M)#%8ht8QoZR>bnaxrMY(DfGjD0x%^^3yq)NITE(B z*!f*Kev3+0^OdSSJhwahrPG7bXq}91&-|Z!GrwO`6e?)>0Y`nl?#@)v777%&XyB+{ z_#!dBbgDS=54=DZUpz6cYEs7PQX3tT?>JUTtaUft&nL~c1u_5eQ#;DcxtFj8@0edR z)n7;Z0&JXa4;!iD?{uFUP zMKMYGQ%ZhH#{I}o8OQwu-%lvA8hGjYw(_zcq9R72LdN%-Be!^&DL4%{dHTV_M+uL9 z?z<~qeer+riN4@h=+mA_CQ+;DTrc&M`fQ6B>k)xChLLTjU4m=q)o<;O4c>a1@!d)v z!QMCSv6$2f#H_HAzAvz%twd{J!DE@el>jW`<3W{dwzz!DUeo4cY$x^{53N4LCJCw( zJ;0Q!t3&{hZPEvWn|GT3Z~5-UI!qk2c=OE%PqgOZ!#;ZopleE3ql>1 zAJMFA0mxUDBNRf5w^4F%g1_`{I5UXL>>N$=${t&_*tQ3;Ae>>*RC=*BCS6j zjfa^7P8mU!HfeP%Jf``$r5|98D{;U7WAD7ft0=QS{`*V7-g{rWtFC43Wp&kE+p5^R zqEb{)K-!9eihxp7dM^pR1VSeygcL&PHKF(3OXv{h_c`x-=biV?%)LnwZ&weK|or>=j$NhI#4{V6v;1&@OKl<@tuvY$_k;@hN$ zv_B=GKP{S+?uz>uo7@ 
z3#TkW^^9lQPUthzAJ5cK6{S@xP~|DB+j6z>GysjTQay30>{cMktK!><=&Of&ReY7I z8%Xg3fEudqtJb{RfZ;y;xn>MG1%C z-ijGtLlUDFjB-mvbWIf)28|*Vid=BD4(^M{{uFGPHFe;%;8gLYK8;~4n0y|B6`Pjz zFFiBtI0rX4J2glBC&f{(BbFcKBG09|mzE#SW5dDIX34%#mn2?*=qkia2X!^lmVBc zePN%b_c@t*C5n}hR-Tc3C-uCg_$Qc48OJJ=U(sjWBmxnogHuY30-RF3^r*O>!YMEA z=haWqr!OMzr$m$LbVu9|(Ii}|`x^AW|LcJdf>U0KN_;T@r>m&E-cnTi zjt;B#oj!f$p8W?Kq%1XH@ju+La4Nb_z2KDYQKcGxcoMY};z899qpS`fs%?F=s*+Y# z2da=vlr4@1U{O#Nzj0Mbp^7!kOJBAfJ1(T0*rF9TS-m|aG zpww$$|8JZbRNS|Sy(qpPAf2#io z=qBMQK>1TTw9*0tNeb8$ZM92fSNqO}&`?TMuv7}mPdS|^gZjdI}ZQq);mm|ba7Vi{Nv=Ih`)%1@S> zAigO(nrBWhJG_gE@}xfJ?bl_9_8ZuVtkNH7TGHbikDCO^3cJ85`3Y>JJknO zTXzrxr0iq*E>B&vJ? zz@njwQto2VDs%u)L)CQ^zWuUYAK#xQVZaHQJ%^{?{NZkA$gc%@m%s(Q}a#!?zaU&vh}CAL{gKbu!3^Nk>XXZym0a3M%=95F!qxNiXP z5}jDo0txFapH`pqgC_)!;8rWfd$}dKHIE0;!bAc$ZQuFUx1CA>q*y4rJc?j`3cera z2wJlEQ>uQ-i~D&^J-T2CwLc}&NfP&i@;5+2e~m~{nI?%!idIx9(uGYySgg%N5l|xf z=L%Ci-er2TA>j%VD_5>sw{!o~J^q*eRERTWtZisPSdofZqK1f*P? zl7E`obek%F=r6iqz3oz&){5GtGEl`@!Z6jNqJOSerHiUOuPOpnEvT3aX833@woMm~&Xiw|vBJcO^YW{4h;=CCao`q)IA)|Q0QT*M!EaHH6B!eyJ zO22m`XhlUQ6xoYPg)61vep)vPi8dI;LNKQ5(Ay2Ke)k)!kiw~^=)Wnbk`gKmnxgzk zlSFCQr}WY_HJ#f$WmE- z6%F@K_pJB3R0xSk@vn;hMMIT1%h1$6vRtZ?Kou>ko~_q9w9+aiBj<^_ZT<*em0mqw z`oiZw4oKOtJES}_zV*UlES+3)V&X|Ys};xK@D|S3lmS;v>?tj}?8aWfPtkW(FVq)B zTSaUgRxu~>j01ZmJ6}3K`{pQ@s;jf1rEt`-^VBFUrZIg)^p6Ur!n|L!HC6F35!GDL z&ZV>}vOVf7dEHr2MRYcZWNvIFTI)N9Ifr+Y&i~4BmgH7Po{@fk_P0j2T-Fa7t%&s6 zZ~69du95fWOa_DRtvD}1D{`HDYW{>b5AG{v7VCl)>;F;hhtlz<#HFeQPC@w-oO<;O zGT>Ld+2G2z8dB;DPKirpQ`1%G&yx5fMb%mQPwCJftvw>@NvP2dr0={y6-+iQOd$mI zR7;z}4^@?VPo~jfFoHB==9~iu54E1S`gm0P78B8;acYVrr`S}7Uw&I8ig-B1pZ`>= z)ZXC%Km%3DCQGHDO5>C-`qxiFe_!<_&>C^6qPc%QsIn`nv`ZBNRk0FP3aXTiWN6;O5cJKwz9s8jGugu0nEW!4>)8vpJCfM#M|@Yt#|gT>yMvE-w*ybVGq3#uHz|2^*;_ga~%yc-W z9h@=IP2A%qHg zQK{&kaR0FO*!<4ZUg|!TR!~6`H!&x7=dN8@%eNO3Q%d(VFXE>e6d{#U#+h^N1r~8a zPGduq-n^xEwoN>T@X@w)>9H(N$&RCMuy=~HeV~ZblBJ?GmAF(NI*Xn&I7OLlVID=V zHa`5i_MLf10$%Nv121^oS^S#n4qVq+*Hj=_3)n&(DUBZzl=D)aLAJt<0rKte-64^r 
zzqnZg<54E)x-0&5?=rqC_`d7lOKt&LV^oMwkq^OXjXs%LJKM6_9Yn2F_LRC@G-2-;I?n0%qR7yBqxm2oQA{9eI z{PRPV>s57_{Aj1Ct%qjOgx3dEEXCKYTR(Z_j{o$WUAh=loU5q}8tU$f=BGi*&P?gb zDVTmj_9O2WY401AoKheKKx>?Gp~_F{7FtF2qG&1wIOVY^e4#(XrU-SZOqR+IRW&+V zIILs2bt5|DBF{aX^t~#7D%jy2FK6 z%7N()jLuR`DP%^#79id+z}bs{?SW(ezmeHlo7aZ53jIFpZ-*}n!k%s)gYN@#FP6v6 znGn%AXLGS7AI*(`x%op+nV4|u`i0$(o0JTh|9oWH%-FxGS^@o{mfYGEZr;?GS{ zA)Vy9R4Vi*OK4Ax)@7%+5&jrG|89>DqJP7Q{uK#T4F+Tft9`L- zOP4KQvwd%sp$m$GETwpk7w(JTlnVE$w3H6|A^$E2WfQ!j z@E+Nkr#$u3*xn;Tp=v>N+%GCcWfA|p(4Wtx@)0V0St{|Wf>5P7>Pn?n5h}u=DpvH* z2UWOKY>Xe--fHkftsg_6Dvh34(;oV)MI5O5&8bxsIrT0oU$c6vzVSJMo0kun)cahD zd1QB2WnGg>z#n^UzgX;}mTZx8_ zI|m8(fGQ-!X|e4nDM^;fRZ_~o^YGkDoN2{DjQ{01&ccf%V-;y+PYm$iB3%gIe)Sj5 zIy!^2b+#o4b>vX#B>493S~_j;jiIZKl__WN4Qjw5&ln4>#CPshmVp$y;31F6IH8|r z=s;pUGrfPgX-PNk-j;WCqu}u2LR3<(fAfnXCq;2j(4jviNgxWqpd{ZqA6B&wja0adi2$E%V=l^Xz*zEr{hgsfgAA)N9z zd-mLY2M+z1RXW1yMFN>W)+g0ciaX)+q=F!&B7S~n$^`vX+)sq0D12@{=9!9<$cxb>!aTIr@3b7N7gT4E8Y*L@set{R zJyT2kUyAVo$e*}HG=ldnC%~rJgHD7JLo+o_Sdk*#a_ui#@AIhz$)~U&2^|kq=YfM$ zdzVF#Dfn5Apll59G%xk}pa61==k*RBI&?U3OwP4$lrm1C@~1<8(t^rOQ9-4U(4SB# z2>p?zlF%P%3oV?kS%10#J)yr)mkN%$PE;wYt2+D|sImiqE?NDh&J%+|L#)P0Q56&v zbf3EJ@#7$z?t`r;9|||hMkw2p(p>b2C#C2UVL?CTOo=DuIaA_KjeV&37`)4;e;gej zsx&(tx0HV)TP%OdgDOI=DE=vV3Ll$7L6x7Q?hz{dmA~Rr3H>iXQ)!pkNtckM6>;6~6NX*&=9i%Xz~U~qimJx_wO!}I%8dq(&7wm$aUO4a ztGxvo?_yhaP+z@e0h-BUyZ5c3skxHw2t4;qV8Ld7k(4qltNGCNo{ zf<==OPFOajZm9_u?1lI@z}ec(%~I8HmVMwXe$gZT&A;o&yuUcbgo^+5Y0kV$3iJQ! zLKTkHa(Y>U@3*}L$rXLEZ*Y25mKE!e)Y8Q== z)K#oj&VUr}B0S;)JHBrGZrYadE>Xl71LmUDUlqv==mAdLo;VkR9KqxPFGQx zYF||TV5h$+s_B}Ye!aL&CuqaH%vw9jFQr|N5$0DjogPiK+;vBH~pk zsDfjFF_%D@a;(}6$q1&XfT}H9wq`Bc{^W61rHBG4(VcMJD9e))f}ioEVn+OgK_MU& zNKUD^pTa4i>W5KJw;a`Hcvt{Xc~!nDDxgXPl=Mat5Y`{^ziJC*Q-r!yR1-u(e_7OQ+D2gg!fq7su8a}B!=8XL;th>HEi}Hz@*BglDMoH$d#;G{aD@fKPh}_A4Fs2p z)KzZZOG>TlN8w(v+agZe#@XxDh^$nOm9$)h3P{VvYzJZ9()ii7HWhIsB6U8jk%dQ!;0SM#d1QxWhVLA`4q;8g zmmW&4Q2NGYfIPBVp`Sf4OBA>?L-jmKlnLr;7l->*lT@cD9_=S2>#RI8k zqqT0*Q!PgJ9-ihi-Ows}W-SPh`? 
z_$(<2tQifhaI65k<)cqK90(b$Nj)Pc@$}6rhLnbhMg8rtgu;aQN0#a*Mf|HF; zvMbYbYGX9Nf^Qk}gG6h4mw}fK9udmhF)1W03=H8Z`#fkpNEjHpteCXdo@wC$XOY0| zS&p`7v2;rgAKbHJ!$f{FYz`ehoG>P*l>I54qSEa2m+N|=Ki!B*HTV#h$_@QRdM1AS zvnr&D;ZkWrg_WoZg(~G(>AEUWtH1%N*loh7FhSZmbLOEK|K-?4j{+hZP>v0-T!d2C z80nJLAfkcgk&6ix|LH60NXsxtFKsOc_F z8Gp)$Qxf`9%|1-%Pp7DSp+8m^!i0%i_8SYTisMr0L{%tM5nD#2qFS@AV^aJ8O|#%Z z<0fAF_E%EbCmRx!zc;A5@58Tt?(of+v7>xQy=v7O(27vc+Pqd16HeNk9mV)ExN~5p zg#JL8g~Lt>4cCyrAWOAuj9-zPE1=0Uy>B^DImkEw*FY%0o5E7iFqjD2I`Ld^klIhA z5=sZE4z720jc~RmIGfvw4X1f7;~X9bs2Zy-q6&zLRE!StCH?pA-?KKi-z9u;1ylS@*T(>+uCnq~KHJymT zI}KV>`5u4eR;+gwPMH*y%}&>$KT=dgbv!nO%2G+_&uCL9m&%i;sMB3>)Dv|`3UjIx zRSK$901%P@3_#VON|6ASuo7mxW$LqS(-VgKsp(8-I<4<2*xh5w>WG5_f{;0q(45*_ zV-?>`?(`RCbVjcmQd6U% zzKrvoJ9i#BxN~OmUARTI88Q3V5UnW76=KONiBPSC_59WhToWMvdCMV_L8v+{GvQeo9S;@@3`d6&jPgkSAjlqw6z z&cDw^D|*?#?kxXEBAjSOi7Fs+>&d043b=DaHVP!f@rcNoQK5H;`hr9RjcIX(hecw` zr%%g(;ozKsF=Z>LF=t${t&I@|WWXSwtJT_lU-YicGbZ;FffW2Z8Q%TwA3v-?>bQ|3 z$E4Q#smCpEA9EN`R;|KLcSCZ&wU(cwa>t5V3_Jlrz1y~Z#7&#FWG~zDOy{X!ho*%`FpK1o zV3yuo=&|w3z?rwBP7cD8i%^jyRK$mh5$FqZqa-0En@dEG0x35w<>Hhmb+BoDzsAF! 
zYBnqss(NGqRYIb$_mU}dR-mA`SI3YO_( zpEVmAmb4l>VdCR8f7DR*`>3e8`1w!EfBf{1O|D@U&lqsx?13j`^*lRmWGmaTnm%LJ z&Rqr5a$4skl!4vnGer93#tEW4z=lf|dIAU0)1J})L?7J(GbPPodzC>$X-W09wbBL4mLS1V5uA0?f|h*wQVtai7Mdk^wP>$@kMM}HXx_hnPiS=Pj7#Nc+;#v_-2U@<25r# z&|tR_jkM+>m7R=LYKKRLKh6iK$b+q6UtI5V3;K`b_Bo$kjlLnVc7BKKo+mPHxg-6B z>Ft=+^R$fK*QbqWnUa#)y?^p!RhtycdkPKpi%V5YXQ?Q_)C6^%rSjMm5#nD&KHWtB zBumAn2^F!R$_)TwX)(DXTZdGIKvi<2v`RN)Qmpm538|q{1}j#q+P>%D`+cShiCqWZ zw48;TJhEWRl{OLxi?IPodNUtaJFX9Wz8M$d@?`ZWGk!=V<5 zA4~V=RkOcGZ3*AXw;&n&PMB$YkC1#a^H_aF@gUa4v%oqg>WcKa1%>KGG zku^s0-G2B(2lvdM@H)fWoCZ^oWGI4NSv^lqANYD|O45)KV_vEE$?MFAbZ57!JnAC8$SgexnH$i16rgs!ksFFCtQrNMH(Es=X>50~Dyz!b%#g zv`-~An~o*@THix6q~q&5l7O>$Ajjn^5^%L1d|Iguke zxEG=D>C19`#gxz?J`0{g0)3$frK+V=&6G+@g?dr~Ql0|sQ$Hlf@T&4$rk^-d0#b3} zekJy&LPCF9nbxGJd^n}belb^MZLpPQv=F zn$-kLXj`G9-^Vf^SS5X_wj_wfMs$c~84&+O@$Yfhu&XT9f(w7ONL1v5ISbA{k{>Nz zvG702u~L1kkXxrg@U}iqL7H>8)H*;F79LoW*J?`tOYxL_rBd4`NsNxQ3g0^&gjtrT zVyj3o0^d7F7zy^6vG;Mu7%FVC911JSqe_BQCY2O6x#GaS%~J2k5M|BzEPp`AOCUn1L+s+=7mMPDLWKf0xmP=??#ljj^6nI4(E+rPB zAuQ^*K5qSv;GMaG5C!LR_viC6Ei>o+rd=<1{+8^SQ2J7l zrBWj5qWEV-)bA3JqTDl!M1)`S2@X&ts(`LzwGg>=`dC$VR^wPTk{YY6-JP9D&i;j^ zGQkP~6>4MMd%YA|NFRsR+T(^`!hDsxy)8=C~TX+f)mi$yfUSK+TR1_KK44< z2RkKxDK6DAY2c2P##YnPeRW+WqW-c}%eu8xLiV12{;wH^iur8P%Rc{h53PV>8U(NS zR2oO3b|{WjFQ*{IDfFj!O8k$F{=lwHlV^?mM^54?1nwA78h}urz^h_(k+f2Nw3LdQ zhGm2e5lZqgF6<#hCr8E!>K~{yxwmHYQBO&PF zrvjQ8eQr-3-7PgW{r#`oUiC_yB5;biX|XA=6_Pb@af&>+uKAVdUxcIXD*h>j3JjVL zsz}xYRfbj}J%3eQl~-CNeu0(&6tM-9wE9Qmp&xhjQ+8!JJw9W}(q%jL9Qdg36meCc zD7dv(3NM7#Zjj6KwlvC^z+J2z7mT!z=0cKooqXPt)<3r#C_|QrI8Z1fxd;V3g(4L2 zWWs%xCxtU*G$@{EniK=7<`n@_ZgMJ?KP5bh;`&oAl_IP!mE})Gh5mf<6!CE?;!>&5 zpK+-ee)#olHCuEalM=;<6R4VyMfc~cUMK(4pI})Fy&*^iH&Ynw zAgAzi>lfV**0}raHwU*pdwGClj;+vr91zfENxW*DKg?oZllb1Wevy;`0UQhnb_sh$ zdIHNspoQj?dI$lC@P4h{c~{NmQ{0p zz`X*GsEtCXgz-R_4o3#cIxe%MI0u|av6T+!Q7O#eq;$><8{ZCTCMp_0G`uGkPC-!P z;xs|qygW(&Df3sZ>)qv_EQdl9tmfjN6~j2USJ}*7*TA(vUG4kMeeZm~ff@fHJ4Lxv z7#wg)bJUefRUD`im0ImpMM{8`2B2iDG!IZw0X4ru`&Jn0SAHBeU_?mhZ`$;kyLRvW 
za_Dpg1fsqk*)(7YfkB1fR4JAVTZZIdKqvl=Ip5oH{U$HI7xA8Kgo=QaOX`C%VIh=9 zLD!kMFgHqp6vDHf_Usc)2FHS`B9l|5c#40%#rG5GBv0kfEA@@iP7k5{DV*|BR9@&$ zQdB`1C7(;B3F-up4M9D~Q3s^-21sd_3Y;Qgdc~{tnsx0T^sTb8C&67Wora;u7o;Rm z`RMyEb!&O?q{Ol`)Sxia%+ufwGncSitEN|(8Tw?U=Tp0s^EKh+gZpP(h#kQ4fPJ`B zL1`UxaZCXVSF!^fp@$Jr2-^@birrJsV}DAoGJ8}zDwf~aG%iSU*cCIrrdp@8&8Oq+ zn=6)iYj?5I1i|1K5D;7Zs`H$Wu!!7xVgAL1c}5iwD&UjO(zm68 zjGkN@nn^{lNG%O3Ee%`yD?4(e@W8%Ji?ge+@BoJ94nDD9@_8(iL^Z3AIO&v%6FnxN zw|m+Jkn~uza2g}fj2z#NmcQ6JS6RmtVi-lHsfu1=o0`k z?=9`1sSif{Cd1+jiSLCXlm${A`Md~_l7>@yGc{AOpsIWNyeK6Kl2b;9wkUr}aLTAB zsZ!sNxL@&7RQ}MP%lgwe#j3`Zr-SyLWOauWHi25`{Alh1`Qh%M60ps z*^gFlZcO^GcITh(zcis+85XxJUzwG@3GRC-Y^&r`djEW$`Ey>a`tPjnCj>u8>H&*E z`U&$A^tsGsF%+6%V^{|M>Bg(Oo<{)1y z#|o(>G;Fh-!eX^5i~n69ueW>Kyrq*rN7H!5(AyVgeL%_8&W*V!T1+2$+r-3E@rkDO zl~Qr-N|T^uc;pQ|nKcXt**GDVAH?#8MG=C=Y{Z<20GMH>cV-Sek@m#<4;=isWiOVI zL)x98`bQTr=JjVuX|eRm>Urk)p|zOoBgdrGYT5N~?*zCOL6?eEE{cB&r&tV2IhE%A z5&hFT>Pnwh5>$K<6CJqpo#>Nw|elKfi*jYv@SxdV9na~b60PD zwL@B@_y~%i#w;qZnn^M!0$ZABr@>1_2z8v${%u2#*|$%K+BY~DK_!trkGOT(bpn`t z*kqSS=|EphH!9L<3Xn1gg^$U`f8$?`2Zef7-O}fVRQQ$%q+<9}mT-Dh+)w#aUKLfe z)?bu{QYcO_cuDN@#Y@6)zVfvK?!AcKnaO zUhQ9_I-W{KDOO38Z?f}p#aNLxGEh~m?tR4Te5a8aXE96$intB^d_$F#_y{Kt3B|M1^kXWmFiljxOdoRdg3R}}txY4>uq5|W4Bhl0w=A7pbJyl+Sikt@ zu~_dOq2_n8xKz?VQOPK+s^zS}r9zq3cB!uVt%#@>AF~{33VD+U$0!_1JA0ag{8tgz z>AI*Yf+0p8^UwZ0>!&B*K|mNMnvJaJ)PYxRUz^5-_wHQ0Y55@ObU*lp>>kqJdGV;z zSQ_aX;W>jP2{m=lb^OM;4iYEyaFV1aC0ZGT?8@NI`-UY)W{xdiyWIdC?%-0C5BtuE z^AhX>K(l(DHGarvdTH9VUvl}{E$ED6rh`y_Rg+(fqwb2RtG-lN8weGVL{-V4N@9Ti zFrb^X(%g09UcJ|9$mkS5m4auUKYziVeFtjvnfMPn+GF;$hr(|K3W8aB^SrHS@Ur2i zMEe#hdD=$?q0D{JL9*e=I8Zz-c__U>ZnQQN=(9me7xrqlNnEI!Bb8IOCshobGI76H z^;0J97sjKAru>O4Z3sKvq^QCRsa%(;NH#?Ts+3Emq3ZIN>weR&SJ1JVkU6nc|FPaM zKK{^C{Ci#fYMt5*o*C8g6lNb`{5Uhz_m&T;zWMrQxW~S8C~v`5Kz`si#H~<{I@Sgt z6Z<@kuD`7}q;1>pDqFO>v9eB;6><>3C>%V8m0_f;F)@RWIiEDCw3?0pkrVhGx z&yGdMY(X87yrU(($SAcFg1WS%uPOv}+oj68S=zq;R#eoBk5&Koe~0t_;^do(;0Kk| zQUzy4b!SaOXG3!#L!#LWas8N`+4<>j;w2ff1je7BTu$$Ew0nhMpq3imyK~vX%nE4t 
zL68sybu~_4>(N?ze)=0I3exyK=*Tk&brCUCoQ1(}a>n*Y7~o$CL* z{^g4Cp^EEkzK1=wd0^U?Wc4^9eP|6+U0Abu*UL=dl_pfYR0k^&iT=G_pL{n9V74fl zy5Uqrys8%3tCAj7T2)C(fQ1Aovg)b|Smj4VT-_wCB9TDLw<4nT??wZA&o}!)VB(GjG|j^Z=iIA} zGVmm13B9R6pYow1;z&M(5*oiEqW|l=0lkyQng4^{fvnyweU1=RbUTk?fRq>Ui{VTO zNO?iOWA&$e?DWtSm9LO0$fmGeDlPhV!<%0~XAMS%vvP9ZY1F0o2=WV@dExUlZh!B~ z?%nHA&&#|c>}F3!_L-sJNT?~`T@6*&zFg_GYX7QH?{4Nk7QjB4z&@Y@0_qqb<-@+~ z>zA~ZXLUVm!~^RVcFFE3vNnrHo(e6QzOfT~mR*?nUct6GU=X(J@WI^$TW2lI`VgCj zW!vrcCn7M2?>1}1gU9MvVS#sNDS~Yn8xs>xTQ#fcp@RkU#yyjpSeEe<99N`7i2<@Yf@%&_Q9^E#q-fzXS{QP$ zHAsggw^zEyF}y0K0Nxxog_r2N3&b8GftiUHr;TWCtY7rURCeojrxZ})%e*FoKkdjBCD~Oe&R{FnJME;dC4g)EpjY4MSdz;>o2}P zC80l+qVk|hu_;W7N=N@RPLZWjAQcg(z3};(Nb7Df-{Ir)ieqitVEi00-T{DvJ$VoVf zrzKsr!m=&qUI+FZn+*7Yh0cz_66V@S&2MAT7+>*`>YwNl)C&ob&H3#q(-spiouxDf zxzcJ50>9!JXX(4n%4(9c6MjWIMO+`@9NK&=J}d(R`nNraqg42J1L zZd#gKW9ynRvq$|C!~v~99NKR3)|OQxcW;|JE$OcmQW@{ez94lCtY=s+Q8LUB)l@(- zo`k9Cv)c5>@Z`Eq z=BDN`+#TgZMd*BPlrIKCS)%AR3;pqL`-MYQ+HBJv(SQ{HRUK&Mw_Y3AI2BUl>lRN1 z<9=4DuTrBmd_Ont7o_|V8P=PoQt+FIv6rHX8~QUYm6xTmLVv1&BBG;?6mz5Yz0E?) 
z?4)O8HS0CJI5={=&$++SH*FIKj~zQIBk?MxE%mv+Ny-eR`~*aR<`+7JIbTB+^5)Pm znDr#NNOb{NB))lIKG!on@n=?2^76hC=Mdz^is{%Ej{J_BjtLM6O&^{wR$Z z^~kn0n9`J(y0Di#?oIB><6B8v$4C@BaA=J$N=9R;?ug}Qs zchR&yWrJ1fjA5MmWus4LMB!o49E}0PH3=!>D4D^7OU|VT2=EN%puNKhj6JSkp4NVs zr{xJV`rMj2ZnT-{>~!ll=#gqo3H`ANRH^76OJCzvMM0JHsG|OtY(+EaR4!Y~NK-{q zUFGww+(@7{r#|=U=|+8$MyA@&qxWaboV{o7{%?m&7GFb2Te!4#8@9yH(wm94MeRh; zM1hM5(-nWm1oZTETqKIRg)WAQ#P-bfU7ebGhd`1P;Xt)=0Ncpz#ME(I5iZ4?}@!D7<%OdeEf;%b-%AGO>OA1o{MJ_b4~B ze>uzog`Ys%#DvrG(q2R>Nd;=kA&!CV!sY;r+F7GyhRm0K^1ai~M*wj0fUAxkrwR`_ zd#6cgYfD#gsVF8|Ra+6%3H?19VH(W8zcBAQC;vArqZA9C?Bh=Q|HKJ-LUElQ!4TIIL~;GV>ZAUL@7gkR%D}&{wt-BJuS6?MRwH?-<);t%8$*bZ0A+%a z$v4gth*YLlkK`>GU}YXAos=p3c?w8!F_|io}N@ObzCG5GJg0s69zn++^>4|X02}f z;2RIBT>76002*3_2UV=JHB>2WC7rQ~)B;<+mCjo!LLi1z>Vh>|;R`%aKjDXjkQ_ut z=EUvWcl6I$pc6Ohw*Z#jEX<0AEs+z9fR_(VLS7o5D7X^?lI)APev?-W74)8T9?A>x zMMwF32xUM@>&+^t@+a@eRdr39#s7_s|6w#v2}p@ERik4Bq=Go*2L0kVQ(pZPU#{M~ z-oC}cDbJr$xlW1uy(t1pUfd74KNb4Zt0R8ftUtjitA(P7s6+d4DHD%YZ9F)PyPlFc z`MxTR&1t{D&R<^q=;cqI_^QF*D%L6AHev8sIEvKU52=>b<0N7u!Nx#@{^%UU+=Pi| z&uDv}d5wAD9Qz=Kg(E--X)oXgH6*4sHiVd-4-GLI7>CLIFWt0kAf#o=csU*gjY$Xhr5s4b_kDQF{z1%{w5O{p}S zfaH+Qz6xZcOvHO7H3c~n1S z6}PP$KQ-w_{asT6%t$zNaM!_oo3^h@Cqc<^JZpURb?Il3xMaN19hf1(aaKM^Y%zqO z(@aac@z8-CJ2qrZ?t8KHWX$m-{TXtA9Ty=!fbRny!ARF$l?hWbdbL+Y>^hEG1%4dY z;nvzUv&TI9AUh*Gv*)>~WBSS>FlBgV!g(+*m|qhTE=cVD$y1*TyM{uK92D6CWoOw1X6BriaEjCn9_JYkJ-LP>!y z&l+|QHm6|fc}Ng&GFPCy7rTW15;h7d7dJxHjpO;_U)jEHJk|`Gwr%z3+`bocP|hEG z!?rak$Hb{9NOiXN6@oeft!uxQVxr|AM6oI6-&>e>l{547-#t$0KhT+bQQ^E>T&Q|L z6ndAuCatVi)fJg3x*>1rE_uDZv!qM%G5i#4naNt^@F9P#7KDnGv%Z^=d{<7dvv8n@ z3FC${T;ZRKguX&C3KXdp+qT4t!TBQXS(vBJmSGBG3yu~%@j%!GcAq^72&4gXFS zfn!c%5haT&j)oV9GLYiT#4Hd(q{+TLh1pm zp|cgJ#6;E;pX*}~uqU8r@{s@T-@9qfn169EWN>&$E{GLcn=a*4B)?etazSE%)01ys zHnr~lJ!^ax5!U*i9SgB_zT+i(3F~j)Jh8f4dME|;Cc>t`CPyo%7ZMPgckv$tr}#6S zxhEaYqaxUHtQP%8q@~E;;c^Oby{)q~u@pPnhkk4Ocdv#An4k8-#GWTJ7zh zt=IBVy)wbT`|5UW({E(Z;7rP$x_kGY zjwv(mub-${*&494RrfHHmaX3eHRo8nU;s7J9W?sdd&|DM?t 
zK@@i8A;)p8=U6S&{0f8tYdLEhD*cKs(s;3y^ebY0K{(4t3J>krm<bTfLt z{OWJbzPpae5*+8|2=K(m)xAzYxXBzhJ75!B#LR>XGy2?&2WRFEJB9NuX06EV%j{mZ zP3z}xtth?4{ZOTNfC0x!g#nd#MLgfiExD@Ns((<46yvjQ-G*7qHr!pWhp1Z^IVLKJ zw9|oYSAJF`FzAK{T|djfgy(Jf0L1`}z2n0#`z^EYyN>r#JUeq=+0lNV{ML`BeuukJ zszS0hQm&C?6^YIex(7faQnh&Fo z#GG0&M!?8S8Rpddp(khb`b$Q_W$^TZj44jgg_C@i(0v^JbIxQk;<9~Q`+hViG@G|e zi%W)gIF(f^VHpl`Us-1gF(Z;b0DyQowEgKfz4pNc&sDEn>mg#2908|RrJRoC;UhR} z*dh+*_PvC3IX3E;!g{gHpE-WyfU_q@_-tFciAzQ34>pBpQ@rFXe9W`bSnRxug2w!J zf245!rB2?hp5pq#r^MMrzk-hT>)np_Qf9T-{6~-94y}9F*4}1Pl)!-p6SRGTzDQbvpSYh7*Gd7At-YA#2iJcvuYGzOBxyQtLs684Eew|F%C| z@qP`NHB<_7%~+eB9o(IbNJ8*5;@*@fX7wnGxTG3;mJ_@ z`12pG-=o)1zvBR{qSLq;F%Zfh?z0g}X;6fg_eLuwi8E!$eiG)Djqh4*eD!+MBO#VE zW%DRJe<~K`@1;5xkHQ71Xevc0tlaQMy;eO32GJ@lBfHWMJwiWnbO-Nx`z=Bl8Qsb- zH=#%|JACs6AwH%j8{p!5iVHI>k}%-nGYjWL^D7pWca~KU z$CLgbgaIM;L+{@;>KMzcyl*7#9%bOjE-jz_6{H#h%Q*fl#_)H@WJ!;zUT3Xa*p+h_ zJb)S`Qhg55KL$2s4mdufK^b^7Vk`ggQ|wTd4h?l^yEAa}hqphC_E=_+2X`PKfop`g z`5H7~HXgMtR&N>kSwgD`N1QEdUxmp3(vXRSnY9jjvQ#_uA2R+e< z7Ii!dl`LP$z6J2)0h99nBA%cHPZ5ODe}($3u~?J(Y`(-l>i0+tg{qY45rUtmH|v6w zur%&wV61PP~hs#iN2{Te8j}0GN|_I%0so;8#l%#zK6hg9QN4p#$6Xwt3m0iHWj6f+!AxsO8Z4xxG%9)cc&>Tjyy{ zeAm`l*?q6c>@Ev4XsG$gr*Nj0l&n$jo;%)pSAG0+BH@h2zr9|8C;<^XT@@HQ>^X=R z#;4%G^PBzPX;5k@`U^^1*k?-UK;+rWrVoCn=8s+fR;jTct?axN3vwMnQh?>-TId?# zzg25ful<0ag`o-2mMvQstloTgovtqLLYVEEE~xqK2D!9(kAN5ALhh#1Jsv=4M@FND z8#y%o&av-A0h4i>EMPJZW{P%oaLm z*$hZ2?u6fyiox*%q>MA=M*Li7s%R304N{7ijx!aXM?vT>sGbxl__e6%HZX zL@XwLmzEdb{^mO)I-E+FMe8O#QsHGCR6$9J8<8Dg;!}Httr*hwjJw}?Q$2R|+unG0 zSo_nlD)5T2FszDM*>Y3n{)WXpjV*$KjCI0B9WU6TuRR({$kI~KDzdb6`XKc8vFh~U z7E&#EpfLZIKW6C9V4Sn?Lg{oo-x3B~__VY1Es;h<#&$hrR;`tc?GV)_xYUI1ft!M@ zvo|g6w_^HN)Fwl`0KEO#qu0GsiGz^d(eFy_T<+N_|9PmwD@>x5DW@|m&AjmKKp(TP%z66SKbfI=~hqV+92HzW5q|E|OI#hCj$ulY5o6l=$s zePLl9YD@RJ$vYY^zNo^0lvy=UY`~5x3^>}sQ9b6L!-wd$IC9>&=cy6SNfiHuXdCpr z4HM3WK58~rWndF3C7=c|XT}@uyyo_hsG2tT`hK16dgT3=C@TC{#TR=0EaVC<0@iS5 z^Y5-B5HYSxIr3awC!^a5AJux`!sk9~*62Fcd$EEN%mN4!C?qrfSC2cB_yeQYObxxG 
z>G4z)`i=)*61OCo3s*3s&mAL2^!_;^>Cu`$#zrfb7U-gtaj$Ov_@~x=h6RgavL{a3 zv1@nTgcR*B$Zw@~E6jF}+^$PprGnUO2D7yN*WQXGw(QO4b6J?;!I?g2aL2b3=OgMZ zgO5@7RqO~GoAg84@TC6`o6%=TeGk^_k~qZQr%7^EW2dToUz8^$X(?6F7AxGRoT+Fo zy7qsga4IS}Wt=JUQzqzF9GvpxB4821yGN~n-v=t-t>Z<5IO`t_VBiA%qbC4Y(Bos&zj>EBHmIb-E=49bP4Jg;C z#ih7%?^S;!y=xir%d8Kv0~bC2X~TxMa0RUiz>)r~&v~lSa|HcJ1T^~Qul-t|JFc@- z7Gqd22v`g@>mpOI~&sJnV-4?sM|4apwN9Sbs6mD(|ww{F^;~#R4T`yS$1tos6^z z?kZux-5Ji2qYU1%6v36Iq4TVf4}b;W4y&(i*&*x&GaAhfzByd+iP@A)Gh?pi+MnJ2$^^N!1eE%1QpNfi~0Au#D@>TD9_w_NIPG&&Hajfu| zRQ%yo%_gFj&^}qm7$^4%Y20R>*52XcOoxo#x2C2H9X>j>@(*8T13OITdKNFJ(shX?C+4u`5SQ-iTS z7omz5?&BMA5lW?{+=!p$N$IZ@ggQ!)is4U5(65yIDH~{NHtQN3S6SIPO?nJP=hi;6 z$o*?yuH3QtWn_~nxwQv>oP9zTtOId*%sI?5rXG`;IG%Lepl&xSM5kJx&&gCZrgS># z!S`OHxcI9Ew{ku+ow?uhrwifr_5ASyTr=zjgbGsC|ETaPqU$|>6bTEnVMz$oFBpCb z&Rucfm0NGmJrApe?c#O_uy0!0_t5_BM~=D=1tqJyvz_g9r0OP&YeIjk>pECndNVEj zmy1(qDE*BkbS%^TM?3D!M{k7wAa}ct)dLP;z$LT^Ms3Lo1MWz2_T?X4QSjE)qw~^U z5PhuyBBCCr{M?M*;0|OS1~4GPXwgGXuZV`WJ9A`*Qz52O^hb3$Wc7bnEMKk8y$nTG zRxHnY{CE)|!Ar|mt^d_+to?$K2XimLh}wBj55Zd;E5eVyXa*rfZjIQN`AD1{<`l7a zQp~6brj727ap>G{*gK6n-|)T=!=lm3t-8V_YN)Ez{Mj!%jt*$jQVX+m>9S2b3Z8G& z%kVBNz_Kt)vj_}kDR0Y-5Jns>Aiy|WX2;-#iM;uCd{|TDOW()sm-=4j)@H|tO&;4^ zyN&9%Mr7kxK3FFnRGEa73sMAEBb%<1ipojZ+zG)cqdwt+6f{2zr!>tk2vXsUbXPRV zbEaIJ^64fSXDXzAs)T^zL!7H#sZE=JAX-h#o%-fC9epRqd3o166+1S+oNx#Jh`p$b zGbteJGJ{C_+UEl_fETnSMSeJu2}o&Gtc%bX5wK|T?TyqIU-MGsPR%bPenLbA)Q;%fH7#n_|J)e>6yn^Y=OnE-aj9m096_ zN}J#hot1R6`qJ4*QE&%mD^2Z3A4OAp!n|kzPEIUKy$ciS89G2`&I#&$jl&8|436c3I| z(U=%L7Isk3wVz6Bwh-U8560PNMFhE>nKGf@Lx?gF${RH{t#jXD4}RL*Lo1INs1+^5 zy}GN~k8OG-2aU<($y4|5KTx$pa)j2dWG-T1mNDc02%$enSS;kyuwnyEN%sv18c4Et zV#1SK3>67)TB5T057cCd2Woc=^{P6Ko?>Es3a4CzA|d7Gq>2ppg>w8tX@0P1;xYYV z zEU@3AzKLn&W1%xinXS|(vW#RdQ+Q&3#NKDU3QUlph7wQW>6X{thc`v~0LB#b-4{Q8 z@~uxFV>yZ)fR(|G05yo{xL546Eg5wx)&m=2U$dn9STG#1O> zhtvxLc8e4Rmm~~`(8P@7+gW#+61~x0<~lU5!`}FLGIO#ROkpHw+lWMYzih?=xPvl z2Qx8!;H#~Tp5K* zDxPV>uKq*Z$Y&%8^+2r-iAjFjORlQJ=*f!O7lKfVG7(@+M8bUmf*)>_>E~ 
zCzlkba>~}BEfS=BQnaB6Qp|%FKVS2cCLKjHHlWkhX26&$UaB4IIv1C(`B0T_TXyM_ zo>ZApy?k^?i*2v~9SO>sg40BcNTB;_-eS%|5!WF*>YfOOn74vE01)Jjs&($wkM~@a zXMi^9N4OxM`EZ3-ntylg%z-#%7tI@T65KzgDn1(ahZzl=9pgIL_dF!Fus<~5+h3vv zRfPWbOmepOSD`;xf5@ln(BG>L&Dpg-r3$H3hruE(_aE*ABoIYy$!im=yIH-hMAz#} zVcN!4!c?Isc;DO-g#kA%>CM^(m;V?SGrn=cOD+g@;Qn)cMkDb$hA0yxvqzbPpDqNF z@bsAoFgM!$aD|zA@CGOLEXzVJctL%HE8wybQs5jeizJIVlO-8pdBW-Dh}mIHh(iZB z2B!nhNxu@rTgE3nip7?#mCLM37*fh$+`k={!)qfl?%wNsQrpKe(`gUfx||RA6kQWJ|tUaoS6c8 zhw;zEVJ|0oAe{OLj#sLRKm&a7vF%H*A>h+Bk8g3sx@cu8L}skteZXKjAFl2O_B=Q$)( zu%#PY3(HzJqnFU1-I403AseeC7q4E~#MHAo<11g2^mIXk$J>=OmmQMte8H#rbLoc;1^I8N&@69u8E7sGzmU7GX?D?RM}HU zw#GPUdG<`&i}b#|Td&p+e%3-8K-TIvf7qnkz!5Gtzf0$# z?*F`9LQ+&)G5&|jtICZI^jRQfw|EJTKxxo&G`u96Ofpx&4c&ZB2Z;#U2S3FT<`)wj(v;$yM@aQ} zQd(Dy6f<{(^0XmS0x4Uwr9U`FAbV&N5qiyIIk;V=%!vMB-%1euJG5Txr?CFoI~!X{ z=#Q2b68f_Wex;D=CTIR1ot+*BwWOOBolx>`i#Va;iazcvemT;6aV@^BJZUx8ou?!gVS)B2CNitkDx(Tu>CJ^L z9nKPxfEOE#xLTgKrKQ3{@hb|#bhWJa+vnqW;G&~*CHie+qS|-y$lOk2sQMiWO!}{I z{YULi-dD42I8=?wjTz_@AId{0;;w3QDd=&-eLhbr2vVl!6iO6cd9TZ$ut7@4{Y>9^ zi$r1RCLMEf$_#$rPPL|;g4&W<*^_?mKkEMX-mCS+ouqderHoZd@)`W;NtGt_e;j;a z#+lh?c9=U#O?kB|}0pru-z-qW!7LhXEU1{I@p1>uDR(eU3p;{uXd z^#5hJGR{dk4QO-D3m-pC$(0`JPgZ(vWXDrUY=uS!AWksa0XyzXl!J-M)$}vOfhy&W z2|H1LF!;SMuH6mnVE;S%G0_~OU1XguAnnL6Rwl^P0{eA2omBv8Y16)HQR(k)yPSae~tlny%WoavT{RUiVcZBFjmRN;=C|=vwNQ8 z<3*UE4kLo`j~Pe(&m6ROY^ain*}Du?OH6;Q6@wA5PuBa)P|lgqtt{9?fh5n&Z|eGc z|9l=)3UG?YVY zleBu#Sz19!SbXWM|3OJuBns1V|3Zg?>tg>DY|qQ>LkH>*CaRQ03_b~q%{XUcamCQx zH&dEeF^o$zX{E}FNrI+{r*bo+0}rr{z1)ujPFvG{=eMaoM~nUv2HT6 z$S4s)C#;8K#W@mAPmmO?J#@`JPYct7yMTs<#80WI zQG|+|Ns|vAI^1kP+Kt+Z@>^t4wF~gQqEc(uz(OvpanRdx9jraHedudcIckF)8klOC6s!vMn7C$?}l=C9q(IH#wQpTy3*l8wYiN9__2%RJNwC01{f}rL8nHP{RTabJT7vaiGMg_S37$#>z zA)eIxT&!8KEuSNH^1v#^PVc3JDVj;>Z$&lfX^VCBgemSToQKxm1x1_bKhIGA0Vn^m zLfC+siz2`ODFxKaD@j*MX%Rvgu!HC;?i%47+*l&C+O{Tj%77~wV8P`IBNksCQ;(h3 zC_X|!vIs!>HOa02fVPT{ilab_#T zc)0gjJx@;`_(r7ZaN2|k8QGgRZ^@pw?Cz>9wFwovU;wk++Mi-$mIYg`@z+j@_uC+a 
zA3=dNd2<6s8wY=xERxzO}f>8W(baUQ7ppXBjQt*ofQbmUQ ze4do&Oa&r-Mtj!C`i0Zcai)&5KV{GgHsIH76D4UiHYt5@g{%Z=CWwRMi*Eo201cye zb7pwbd8yLRdE}FEk(_1CxNqMZsgnHMl)4TnUPO% zmhWBtBqWiUR=X_{lsS#ZBiDx7ZAR~#Qb)GKdLYiWe#`bp>$KI&d&9oarZs|D;$-Pf zJ6XD9Rl$~VC_Fz)>jg!}2}6*JXrbQ1z{|oE57Cb8pzAboJ9F#EP6VEGNYnitm4T|< z;-1gYuk!293$0>Aj*H_z_)}3XLfL^n{U0{5spR8CO2{ooFA4EfdcYzXpBjz~90h5AT z2cG)wXkKD5up3wp(q32+AjzkG13+VWxOnLEV?Z={W5bf(g@+Fm+vXvlv|q8)bvvq7 zN|Uy(Fsm28<}7^D;1s=X3-d2?=AK!6L;dHO{0E@)i#8zT(hZ8PcnI z`UMPi2C$h&jAZbRlh>u4W#5GpsO07D@LKD9@%I~E`LIf@2hzHfojd5H-PTZ-0LAcA zxVyd}2!fM^R69-+_!VbHXupXECWJ_2&&(9FBkRc?@#-8&X|Zn1OgKMvc$3s|DFcV6 zywafk9aWlM>-Od|u%*2Keg|BwNQBT>X_r3`9VFC179A=KX1hE`MiDmj%OIe*M?7e= z(8uo_xhD%4gaxnl;ZZ)a1c z)aNq1eaCsp)MGO0NoqnF!P7XhX1sJZB$vebMD{qsRGKm1L;~PuPO(G$BroYCW+eii zaCfWLxj(JziOg9Z&rERrS*?gpP!62ZcjN>Xr92Wg0n31Wz)CQYxi8O;LD0{sf3uq9 zEdraN5qo_>o`=OMnTtt%&fBzXPzgYaQ;*Pze!g^~_t@!QO6X76>E#`-&BuL(c}NER z$@)7Q_;vCxDa^monSY;)Ru4;9mEbDuN*Y>8(yE>GwcnW}?HBn*iv5Em;I_4?(}vuP zLB@rLHKd0`=x>4mltmDNV=bf+iV4M{h{4JF3NT^_G3vktmV6|+h^^t&6LzKwgTg?L z$OH^jBeFz8Q?AS~+2AQqFtO4_y1tfEvCuim|>zVuTKzLNF0XBhq z5y4=t5z}KrQD4lhImlebo)BFGd7+E=p3{EGpTlLj$kajCZdo}T+f{5kr*Mk4iK3lO zimIKnUZtpz09y8;bogEHNW`?xzfY=!@-8_VGyUghaIA9vuW;Vw78{VH)uX~)U-6MN zv|8gPt&j&P7$ZrmlKjxAiU#yk2j9S$!JgY=BXpl(jK{=UYgOtQ`00AE0UQiJ1}6)u zP1)yAk;h9tK3P8Di!qF~N5;$LqfcX~o9Vy~gOCx_;&Q)3kL%#d-~wF zb@2;;HEeV$DVgW~+nQjM0jzkKrTqvmLRb=SE6V3G$mPWk4WM{vSF$38hkHK%a zNeps;09u_sjhV%iL@ufPM^At8PQnXUHZ<)*rtm`gEd0U&-eG1W`q0Amf% zMQ25dBL+W;`+|48OPr82G?s+F$Xw7oVQ>c&#zsvYeEsfibFo?_F>)$Jg@BTzs5&{D z5T+nS^|@%Pl1!lv$W2jUV~@bQp8Y549Q}X5$va=Q2r*$mtz`SU;;z^8l2+UMIeW57 zl(f>{_@RRZ)X>p(lc9yHUYwDm#}e2?fSPrYc;yMQLSvu04=%z|4fTG4(#S`UFl9l- z`ii;0_~$el5cozT5p2yw8r1fz|9*M*NRAc zIBUW@9vH_T#Z6h@1^+H4CXW;+=cTX12MI#**c19chCI6lEd9I3z!4Rjba|j!^Bdo9 zq+!b-mkAFVR|^wu%yl#+BZ6Gfd_pVLWe~xJiDK^iy|dW36X$~F0U|s4*>u(^!hzIz zy1T2k2=%Jk4a>3-D(FMmq(0Aw3c`~W>+=wbSYM2Ap8+Wo@spfX5Tt%V`UL*e6))Ag z_rtG0{H9&sA)`{qjZROhNGuxKTO3zN4@EEtYj0u>`XIjiJ}i_ 
zcV>^4QbMH*gqf|(5pq&I0PzQ^Jh&9ZiF#k&p7_)GoW=z7MbQapaGXiO^Dv3HFLRvJ znD5Mb%Ky10c7Q27cd)Q(IT^lTTD_x^ zR`so<)j(&@_)2LGvVLLLDFf)zTb2ckZ&=0}NcuR#n_-C>^Qv*Dvo_PNy&jf? z0SOL3{3Bz<3W^!TJ^{UOF2`JnF*4v&I-ivI(*EU!eIoMDcslhhY)jM?hq~U9S^<)Fi$bVqkPoGuKL9!r@?*#LbfP8k(GN0DHm&P2hn5YopEhZ^g$pj(j$MTP9mH6}dv_fE(aYv5( zScrUtd;w7l-h!LK4CRq{elV1hE@nNUb)6Bw8Zd?Nym&&aM4SgRPiS^PL#Di}Z~I=f zCa?9ueOpWBOmQ~;*WT$WMMV`=YiFGnP*N!>B!CwD!wdb*z24!U<{Yb`{`2$v2b{T= zICM-#LD5hw2(%JzrC}x20UMf$jy-DjJBNxqV99?7|L)(tcJ5eucgiv;4g{F7^rB5d8nbo7r z_#stn$4c*`){f;FF*>zjhdy_>fK^P)it@G;TRT80G`L`wafRTB1!@+MdC(KqGPMbEgCL@XkUT{XhM)2i!8Rv}EV0?hw6U!~;EN?N|x8=l)iZi+J zo}k@Akl;+Mcf>)$fT$q>I+~S{)b33BAfVu+x-|N$9nGZRnVHMDVA3zRuQZSX@3<@* z(F{JzyG$ic3;uQHBC&Q@`tlcHi{_4bV&CpnM@o`~_lzGkr@Kf|(c`0SL_1vslqyLA z#lxxloqXC+UHT_Xl@`uAb7(Ged10QBupnvmn6nt&^~zEmK+m(zw*86|Kwf5iR6@HJqE?a z+z6kDGieI!Ti2}}FX<{Ksr~UegHL2xcxbkN?aJDcS;>4HKeUz>yfrq*x6`)QkdJ=o z_GpckH-GpY&H|h5ZDFX{wCUENu+V5B5Eg}E+H(p1j!J=nBPJqO(j5zf%r$+t(@3g* z>&Mf-@tE{>=SM&E9OM`Jz^iJLoMFS0{-1bmluPHsdy3?tq62+J#`^4pl)#gXP{DBD zFNILoyju64pEO20y;Gkdex0t=w6tMgXZH}ML2zBf*rWWAIYI%x8JSpq#vbb>bA%mG zKzt&lL`{yEp&n~4F!FIy80}DPfB5b?FiWq{2*;@$lgu*SWh2=H@4_U4@w`Yj@mVul zxeN1Aom_TG|I3)yvqwHOskhWB^1&@xX9IusLl%FZ8)0*>JlLO^!|x{4bLe0RwBu}3 z<{VtFs;G3252~oXc2?DLR#cW0m1&!Z&|lu2N9JAW%s9EU4E3Ma;XmNazqoMT6)^u@ z$BLxYQ_`?3}oU zZQ!U+Hhn{24JEff{m~CzZu;#FOf($Csk5q4==>axu+2Cb+95!qj2w=xRLsaC@!VWp^ zLl*m`K_9bYziaRNuIaus4`4r)-q+8}UvbAr-^YR~{$3B8i0|pm2U5{dJ`bUyeJEmm zV3XOR+$iNhMcgP4q<+zG--XZB0HHo_(Us1L$s<$nxPxOOZDgCw#7po#m@M{y)ca(7 zK&3?^qEfNY)R_g8;oIjEC1XGmbHKs_F?L@M`!x2M2slkYHNBc99fRARMQ%%<0O7%& ziF8MmmUgowTu*9@U^{h81SRZqto<^S;x5Q|XVbEQ+t-etpYaxpQsy%2Ogr}>^r zzeIh4#VR2VW+*mi=J0y~seJ`2OJcO5&&B!`q)ERdDo?3DmG-`*s6KX97o2G3Imz8)r^TIGIk43nsj^ZQc0w3%gBA`YQ*S zN-Pu!wiDuGDF_qEY^>SH_RbstwKc*ZBJM{`JyV7`W!8JSZl8MY$OYf8`7jzU16rTW zl=rzyW=62=1fpFXM>$Aj3dO zsqFYJ&P#J&155^C&C}jqxhZ^p`)_9-ud4OX48f*oVDdRoItk^6r!c;R_Mr?y*=|%g zYXUdwID1kTJzw+k7i-=2-j_9-ccBlO?>`WEDaolZj2T7_)V#BvV2km-|jGBXJE2^r5lyiWIcZK?rQ 
z_2;WR4XYMeOQbD=7i2O5uS|UI4(d%#EQ6e;IgMxu*Mxj%j<7?@Sj)4MZVOd?hqVi& z@gqCeQV!S8JxW>4pdn<6{*{GqkKmVQg${f8l^Zx_*q}NjEdBhv{4Q_4tkzII3l>R;Bc>)E$X5U?BNyEachW?Kc7;-Is4meiRdNQ)(;@)Wg%m7hAx zK2SYATq=cx{%&#dFF#&p`p@eU2FyM42bQuy}O zB}ik@Mr7~KB?Vh%?%0sEVR6rO3p(m;)6)LCHc#ENJ%3-pibMOivnX0IT|kQQ$zl&) z5Sic5No0?C-#+sT?}o)2!3UOYz!pO2EJO|8gAS+ZUCUBLe@XdjbV=Y|D7uHPDp{Sf zN+c*j?u;v#(1*SwAM`;L$B95{WL!Er3dQtCupwN857K&@8H(^Vq81r_?@Ak4bW~8o z+3?Y+eTIx`(<`Y$qmH;*p1WZ=T(M$?8W((EVdF@t@0)uWNcw;F&O5$}s_EnJUjiy% z=RvxNiYTBwcAv-YV^^B=Dhh&tfPjirQIOu1A|;`P-h1dt2njX0Ng$zjLJ1_01ahuG#seFZ;G1IDU-Jd;sUm5v*;z$?~WF^5M8SZ1#DW zbwV%}6w9(N7TIHnsilQE71bXVSgY!e{x{l$vszcUgz_`f!|h*Q4F2K@V&_@vA6qNN ztZqG?D_5&S`P$#Cn{=lNbjGiW{jod5T;;>zvk1}?`!3rfrS6q3u*cbGM7E*x+vij` zwBx7i$(Nx9&;%$0^x^EmIhtZXJ)j{_66gt3C3hi`JX5sf81eQcqaV4bP7e`!D1rVI zl)~ag75QRnL|JlJcv;F#9RVYXxa$A{U&sIilGxtLM+A`7p4m!F!@NX zqF8ud2-*I6%Y>}3R;Mj2Rf#HLTT21$mG{M4u0mVUn;lgm%+I#l1SRkbY5nY z!t|e3CgQfN`Hm{Mtz*5ZTh@g%Gn48`<{r|2_pEB+MlCvJVo%B?Dzlc)%AwHmc~bOc zWsS;j{5kr)iuJlb)wsud9S43te9FuPcIb$kDPFr~-O4GOX1~U&U~K@CNC+tb3qS}$ zq(Yq0Ye^R{?yyQ(a>zLPrYNO5>EM^!DSRi(a{#6y&3)q0*L12)|*7}B> z(xl@%{D~aIPpBX9<6v8Hu_@SPt}WOa%*mf<$kFNXjUjU@$DiAoEyc*U3aAaQofe7* z-8(l?XrOreb`#*4Ezn;CIX=pJO;k6PN$JK72M`OggjgXKABfRVqF8h@Ar`~MJ6l4p zuQ0Bi%vI?18(BP9rUItjrIg+|S=c$OgRTSc1A-MB8Ra=~me>*SotYyaQi-!G)on9; zKqa;zF(|AjPt`uM7!RVRKn+L%v$f`E{OOie!4TPQ{ECN&4UD1MKNRP>#}EsqnBg7 z!8qK)gsiNJ*6?7WCK~}oB7ztZXkFU`4aJTiCejn1w^k!FVMtjNjIcRan0g&-5eS3^ z-?}!EhdZ!5Q9Dd4a%}J58zCmScvkq-8RPOw0hOgirRXnUGw30?sL1!Hqf$iT?fZlg z<_+|xnaNEru!JN$pq_##g4up55Q`)21@3}h_SuofIRyw@YdEjuV%~3{YI5SaV82H= zq$yx|9@cqQkFY&aGGJUr=>d)%?FZ2D&6Dr=sn;`))@_RtzIwwJvqo`-yaP0pq71qz zBIVL099THkA_~Fmv>_lXR>iZ(V*JVlZLu}TuP{V(@4(viTd0FCB;hYONN<^T-UEs^|0RO6fJt5X?JXx_3s(;M)@vUy?E97 z4V$)RMclHz5A(uTtMjm_wSOG_dWXT!wf^;q=6yATuraa>4uWkci%YW`RmiHE{k{cE z&P!3{SufvXqkU#9uuFy6&W^6&zv7QgvtDLNpaFB$ej_)rB(SJjmx?N*i&KDbp5>tBT7f$X z0jN%Z__nK>S9SfxAfPb-0xV1d=Eu_?B_2)BAmbW}M7WO34QzrI=0F_yWx-kv~s+wl^<-Klu$W8VXvSgrd@#Ep6a>Z@(UKy91wCG9GBw~+1{(1@ZlfdajrAX&f 
zaI1)ar-YR?c6&vtTfv)L-vPHW@M5zXtt5(t3ccQ0X6?)nBbG!V(*(eoxcAmTEK*XE z4g_~$U!Xd3RZXaMt|Fgvpf$@W-!)_{?0jIXHBuCUki#z_yUKRW-P=exO(k+tWFGIt~7hD)3j;xR)-_E{p ztP`Xy*QKt`OKOcl=iNR|J1jqJQt0lK;}z_NnxMW}fz~#W^bwi}O7>jiCcS%CXGgFv zfXkA9jia3`dw0+y-A@k%6cMb-NzMgS9`Gt9=V-Zx_En=zLF1okmb4KdFC zZl<+bXe37EA)al{*N(1vJ^51jx>|w0MTn*BmRrFlkXe*cg5}LA5pO}*7WzF7mN^6? z;btPLHXjMEgd-&WBgFb6FnjY(Z%rIhcEe=67mI69#Mw>vvy0(t=vz<*Vv17!Q#Q9s z>mK9)sk9|XPdFO8o<)@pCXCYhl(h^QATi-mqnB(E1IVU5Q~H?tq;pW^Dfnv%3tN+OYT7kGl;Av@9XEZf?|kG?TbJ_uC%kD}aLC@h;V}meh3!AIbKo;-r$7%Wc!|3}06>IWc$Hh&0j2T>(Cod`KXFBRQm$WphACVOAxb_56rY($YSn7Md4-FgVb;v*xbaXKKdpPV<&{vpZ5a5_kexizxY zwWN#twzLZL5w)A!waw;2w88g^U7#-%8mK`)_u(T?pjtLBMr7B0q3&>yqY*e1kE5f5 zD{^N@anR2YCIDT7;08}aaKEgPELDvc(Ws?+VM7JXjtFsNbQ@dKtUTDl=< z*Y3SHq9Jr8!l<_9Em`F|fBA%2i$+bG|Jx+LPD3U)=sD)oZo^;x`j^KV|D<@3<~wc+ zni;t*D3cSiQkCZJS=I1)>oh>Z!kCn1&qcqdIaJmH)FXAfJ=e1L$6W@0{{8TFzy8th z_vs+?#`(_oowsbx;+4b=b{&Tsxf2k$%@GlK;>3xI7vn-4(GwPLY&l@^JDrBU*`~uE zgDZgKIpOdAJO)EitOOJg>m)uT6Gok-BKSSRp_>t3ky$*fL(HtyWYKc5JJ?Wo)+1G2 z*&)spS3?PkE+`;^&0>~f{i79!KjKV*_aEXIuRs)XU7Y%jtWx$GJC6Fa&mLqa(xAQw z`%GA;tn$0@A#4-kU0+MeeF*g2u_&{)@TmjF<>khO8OGW15|x6;a!0!h#UsJT{!cQX z6i`JVe-4zEZpo+j=B*w9gQ(_?Dw$#~?fb;cZr@I3@HpJcgs*b~VSba3=3#Z@;gM@e z7sA(k%1!~lWVIaW4WbGNFB}&Im1Nl(>=E{+`WH1CYyxi-xD1<=ZDreZgn6MdTuDiA zXgt_BdY2K|>{9SU-~bWaxQ~Y~FbVxD=V1?hgB8*;Z|7`@U8z0@sx@p?5-~wvB4=e>&$jxx$Haxpw(JPq9ky=6=C%Ht{MT=~5i*>Ox&-G6R90`{LL+H+3(FYElyAXFN;p*Cu z@Xn)WKhd~{#=`^S88xsXbLuK9sYypLVZk836N81|D#$f@F{lDk7?MuNOi3ilYP6c1 zY&BV*a1gy>Q3k?Rki~E%W+Sk+th)n{!$AxRYCxR^XpiM%{=J=Ta{ZJZ}z;zTpb-!H~dm58dj zu@A_fHG0z1MtIpPZNRe0crx*Je&?+7j8AlxJW$PwZ`?c zd08R3e74rK10N(H0J%%5HuyqQybPWN z^Rn=)D$RP=?>phUv3?_FE}OP^?W&D|+qQ?IC%oC5OOx(3Yu6)=%~-G;?lXMqyrEO( z4xH%s!ziC_Bc`dV{h&$B`i@J##y0Caw#~2O$;6~vP=y^kcl#{yZ`ONk`ZcCm?=da< zj_oq^&u+t}sH^8_pP`fehW_a{a_Zb^bC*n?zYOaemN;8eH}B7ln?$pRNE@{;I_BWv zP{;n&!C_NZZ0-L0+*&=xRBG@;#(bHwUeyMzh7WiQNja;P!x}&^VQHbJV|}9E0~e>) zj4B{&vtp^hk|yklI%V1Fs6R>V!AkypPz6>j`+_xz(TY8SnH6&?Z{a={bx;DZ6nTm> 
z6>=8svoF{k^nsni8b+tb-eCvvQhwzrb{6}KjidZHz<$s&A{CGG77q-Rx1cIKw&q@T zclg?m5-vvMo;>8~iRzMHM_Qvs_O!)c;nO__bNN|7sRGt<}t{+NHI=?@lH8F2FTY5O2 zvGUo2N>9!%-fN=oI3lu@*ycn>XZxSs@*oTd2%qxnXOqGj;1rMo7>Yvtvgwq*k-g91 zQw2d{OTwg}9&Aq@Czvy!3vO0x*b?4>CXf@RA`7;E>C)LPU^XPwEt*E&X!``n1tbD7 z4T1nSq)qzcmRm_v;+1*F*g=mFIMhb{GX1G!E|YVW`&^_Ij7{%#8TReS8MD^}>~=(j zg*&ze1l>H+{ZD8axoPLl-3WbW&ct4hj}MPI;$D}39`Y2F+%11$)v?l82^d2ODXAnN8_*Py3QosbW&N-+Id`!;b$;zZP6xx;R zeMOt_CSJ<+jW`O?eHrC@I!^EVeeZB6o*(Eq&4bucBLkN@|kR8-Ga4%zJ(Z2U4D3>)Mwvj zVoxrn8REwO*z@0g`&9en>(8EU_+^E<9kd7r=lXisbe~m$8$$MO4BFwpC1~A-Et|H0 zgx{K9@Ql9=w?YnOST=77#N@PnduX^La^Hc&F-J}uIu*NhZ}h}PtG^vQtY-Trefm`E z-KUxge&TUnzHR;8e=!Cr1EqClRhfB5L}CpfK`Q|VXDC*t)g%fFfK$NiunpnKi=dPh z;DMC}a&_IrB6Zt+fG-A*&`#2>k{oz=1((u4u);|#ha!$<5sp~@@{^fRo_)dYKz+?l zIlb{d*cp3=C5=@VeK?v!TA+JyJ)|w7Ke>L9>mB;fr|}|oboACXV5o9S5b{_bdIi;j zc1Z&IQR0k4)O3kP3pBm15%s2~dnBTAMwIs^_RWrC+|J(($G@D8M_l0R>CRTn?5Tk= z%ja}`o4*~*2zd-;ca^Jvuz*a#7U>`IH0l^6+bf)kTE;gxB%S;?vrfjYD1oNa> zDp+}twHwOw1#J(fSq`7{NB_zrG^kh=H|dY!iD3)ei;&c(wN(>}e%Sgmk0i14^G%vS zMxZmazi`}rAl{pFe79;tl!u-4gJo)Wt=6K?XFrZZ^LwQ_#rT+z@Y7XK1lMI0|$>EKe5XZy)h)*Z(Z=1`Tjj7ENK4ApYL=U z@}Dm|H17Dn{{5a_IQBl0-m+8}?KfI}uE*AG;k6d^m;F)Pv~RjO*r4KOg)m>N0oaFH zB&-(hsCB6BuvU2;hAOO1oR{`3E#_8!VX3G9NKnwoOuQuMARFR@KH=4FK@%4(;ub2$*Q z_1KkcHyYu>?8}*uO$sg-BNTfdq!XNri#-KH)I@*+4p4YvDoVmn$Y|^TER0^IT&?zG zo#Uj6$maI#gazO!p5^Tn0CeeQ6{}LdnLNw=L#yQ#T&PFruxo?BNcj9U6Yr{2_iMNG zP~H5p%Nv;OIQ>FrQ2Rh$2qwRLd~y6`9?wF52rS{z`ae`@+Oul&UQpw2hWU>y z-spoz4jn!Mj4gP3D2VGE()_mhGI+*{ zru`?q+IGNGO?y4js7Hm*yO*lfg|TJyApQ%--OG3~=`kw_(^mp=jZ4D!Kh^LsBb;g$ zjJsFy3)g97yK2|QlE1)TtYvffzvtV#G6?eij-5xavuBCsVhtvq`N?Kg@AwgWYF z3vT;hyUCta8K#Iz9e-|5sxu`|TqpMr37^_*T$(3*3fct)JJDPC6fwG?Z2R8V@{|$z zis7ha;QsGTLZ2P8C_Gp{sn1QE;Xaoc^2FCTUr z@$INt181z5x?;=fpxtW&cdiKt^$*y-e(U!2n*%oo1OqJy+7^Npj0@QWYtDv^`Qz=C zE3U^&c{Lp{d$NsQZ3_+!3EdgGW7nQA$BsSWdn5Pn2;UbHzCSeb;5NsBMO$``nzyd& z*g5rk|M7C0U$e3?F;=*T|Io7rhXepHP;Ax!qpBtjx{cD9AP=^2(|@8H?D+l5Oe?a9 
zo@;9XT>%O@DqtA0I?38t6&#HUWTim_1A50xt&Qk1C=)0_CjE9>fp?*z1jmcfmK-04clOQu z=Fh{EP^T-~g;J4;@9bFP%usO`J@TEnj*=H}W>AZgVYzRphx6R}zTLd63+Zmc~ z+aNjo6FdVnM>$b0{iFDIJzi+k;eW$^eH>SPb}KGXwssIw*l{RHupOiMnKZP_n_tvJ ztA_FiS1iZ~RKoTMe_k{LuVDnIt0-+yyr?>KTZ|5yGRPPEn*N|o;_dvz$=059Z`g@~S`4=*Mc!d*dJU zQTLIJ`c1%BsNGPXo)hK`n6`M_yfrgcZ1!8dW$TWxP1|?x2#Y*&dB>hev)X07_wXIZDw zv)c~yZT$1Z+CPn@+s}X1|EZ=uvtmrPL3qAN)84(SF=C9{!IdQXw5zdH3B6$_<;UMW{!;ZwN!!lypWaG@e$qC}%D z;}xfJ$Ri3!HRNAscqt=O^mP*46Membak!0S9K*SrtS$u3lCVqjMZUhV9QWBSI$MR* zR3`w}@HHQ+4UTCkcI$&S%AC~>Qul#O5UW!m(u1boAG7V-&LhT~rkqZtYqoFK^;KF{ z;5}`3mJ!_xUxsktU8d>Vcvov!1fB! zlSuqPAzx4@>#w@=(3~H8KI@h+K3VTe4*zIxTp#2PJx9ZXmI?Aj=K*P;n{sWZO8r(u zp8u%zr>;MFxbtw$&JWk@g076KbnWlp1zcrocU6VDJ%6v;bDX-G{5)~c%oRgtuTs~@ zIjfegwx>RU69t9G=sLR4ck*Jh5n7Y$!>%KgUlsqV7xAy^1L>mZl7|lS6NbP3eV@X* z=US~y&Gv1&zQ!mqR*V?q#^|{nRREl19<1K5rE4SHY1i#l=1U&fk_=#f)7g|JH z`!-g^${~m!-9Vd%E)gzcYYkPQI(OA<`!Q=04y!tklN2qZGei+>dj&!|ctTd%f#B~H z$RU;8<-B%u&!E8RB89=A53jkGHEesAhd)`^7-w1VJkGUe`5Orr9JFfN#W(j)C=&Lm zOA94*5|j#g3aWKXx%xH|YL<>mmqJ7prvn+efDmABH*zro#tNdZ6UgEz(ckJh-KPUt zm|>SVrJNmSoI|!+AX0Y9E!707bsitP<3Mod-Ai8%oPHky3x`|u8|*&JGzd6o?Dd6K zA79$Dn;&Gis_l$AB5d`0NB0i8diemYB_=0>i+k(a!HU`-vk=DCe-in)i*kr{<%4W_ z4yY25X?o##V;*Sw?c3jUdzG^{CU0J9B?u;!knk7SHNbdKP^v|?KV=Q8(0d=*4FCzW zh~p>+%F~!JfK! 
z!k=_(4*xpaW|u}JVUt1uAocnJW&lNE$L&~Hji^nh_fLV%T~EGfZHn@tld%J*uXwD% zk4RWR7aDbZclr3DX#Qah+BRXOCv17pgOQ7hZkkeP#>f)mhm>10@lLpmjR6tn0`oNV z3UvwvtPJoeI3S{vTTUdgLnS_8@g1|oof)gQ^`(?~mUh1B{)#JYe7RX;3{u&$DjGo_ zg^MVX;K~U_`}VE+c)c`_Ez(V{njn6i&>!Rl`T*~Pm}79!bzI+jBX@2Ys{$8+j5B3e zDFjbe2qVl);Yq}Z0g_Rl@MxX3n5CBgQ4IG1A_8F{vJJlLpG2_(Xz@YoTCRi8tkc`f zludS~1(p*c5_0|F)dD_u8@U25z@ddcP?=*G)v#uY>#mPI1~Mlx_!KhKsDY189#)zH z^_f1mizLU_=&8A(Tq^GnQN-XaYZzlL`7>vIeUh_sG{GTP-xX)oqZi zY`cIx!ddRPWAw4TgY(2xxdPnsf4GU&CvTt-S|wfwPz^=@SdWJkg(s z!QJN$$%U7hTR}h36E6FsXoWiMY~=C%uWGITvxwCM=GwmX4%|~t*VFDGV^_5XsIWS{ z)}jIUMr|ph^H59WUj`%Y+T*z=>X95a1NUz0Kpy_Q`K+oFX*64Pd4vA*rF;umZf!Y2 zRM{}O&_}In@=;IL`wCDBR2Nc@s?9o39?A&vZdn!9B0O*rnrzBCh7`wJdV+t1_|;~S z!UNPCs$=*mQVgr>z;cc{4Gu6i#q z{)lbwWcw$`y-Ts7CnCq`ouvwKr#9!IwQOIP>k7{6raYzeeil9@_9;UA)yl9>Ax}A; zPeJb&TGUJM{{|yqL_=@M8f@iOubFl$Ye-w{R!S2%Uo?TY)^3&S#q90@LS>=@i9Iy` z;>nFE*Cp|BLSoXeSxa91vh!07z63SVuWwagROlEv({c_6pMdEB^py3;4LO3m1FldM zgEKJpEPbpMo4DyR1Jj`$q#hz^K*Tgo&qfJVo)MC2A<#k7RHy-K9nRr&2}KsH0g?#& zK-WYWbRWtnc$~Ge=Q5onOBVzXMyT{cfFckZ4evxy`H z>tqU8JUp)IU>Idxaq>}1j-C@E-O6Ek7YmHF%8F&(vOW>hwi5njT^$yDQv4A#5-Hab z)Sh7FUpf=SF5su+E4L^jjl1ob*L#wJ%9N)hwZ|V8yZN4ROrbQ{rzx zrM;h^M!*QeCR@&kcwS4*h6)lGqcwqqv{fhzr3nOOaT_#&d0pQIz@**F{=02fNfhkc zW|i8r;>~@VTkKl;;`Rm4E*W2H&X|W5jk|Bj@Aqt;qED@b+3!jLg5xCY27&{{;BZS| zTmA)Su0RoFDnY%UMpeQ}aT634)MMW=@mN7zLb0C}Nu(O4d~`<;(&(i{F{xl{(?pB{ z(YEPQ=O11~92h^i-0aaMpvE1#zw%16hB>iSS(~EFc^jJuy#hQoXUv17%Hl(8b@-Fs zLiCV0P%+IM`LEBv`5=eP$aA%u$Eq;HO&eZ{-U7fwA?6m(#zz61m^pAn^)iwT3v5hmj6uK$4v@?L9Y{$yHVny8L>9hir#)&P@& zlP^pSksQ!CtBaM!pZb7=OD~)YK7|;_Pp~AG4HL&|FOsdh$8 zQ#1Sg>lqX*;`x-Y3dTM!H2v?!{fhM`C_OKSNFE0IUQ$fJjAf zT_^@@1>1p2ss)`P(G_Ip@G6Odi&TYS8iGT8Bqr`#>6o?5p&C+#ricP$hwxCC&aD-= z16ShQPBj#UynV}*LL&xLf^2FQX{}G0*P(>uTilXIXduC+6hVXN*`BrjiNX_&C|?2S zf^djRi15shJp7vPtm@&^oTmHASR4b(&tr&43sDlk?|D@b*> zgGOa6ddvbrA&7j%dce#F(?_<&U-99Dq)N{_TGR7Wnh`+xZ zpGudlN~VNAB2u#k&tRP-T?iUr?3HPDEA4M(dIzV(-~Kh6T@Oz0_kmoXSJ700T?_@b 
zorLwTt_8>!{`=_bj;_52k0-P-GzbMC?>xFD1=)oZaL}bqexd-!fxJLcU}w-A*EZE1 zD3!8R(GK_rT827VDH}2xjUbvOm@EuZhK*h^L07-3j5f_&#_%$?A_f$X49hf2WRI*U zvuX;>666m0He+PT`t9HIz=^W`Dc@ODt#%&~tAVfJFkp46bscK>6f;gu$AY`u)?}1u zgbEx^vKkNqo=`zvx1zWbc^I6?B{GaiL;9t_W0)-X2jiM=k@+uDgo*mj+Kpj?Zob z6@cHxe=6AYp91fP|CCjpYG%VxpdCt)kQCm~NqWh0%E(K3-Y~e6Ag~~|=uL`qJ?C)z^kFw{FZdCg8cI$uC5VZB5SjxiqbUxh z==z}Ha3u&A0ti-bhzud$p*hNZhDH=|+wFI!*5~M^bOFW$QR0XWG2zV2BOLEFaU&Ht zCJb!ux;~6XovZ0TQ55ujYk?j@h2Ur?Dy{cbnZ^lfihM!KbIvk`OL2SZjz7X(oRugV zYNmA2V)nEo$Jn$@839}1Z*N=Ws6<8Il4Yf!d3q?tYc+NsHrFDsB z36rAE=?(Y8`&e&CcFZi*^zxt`+P@h1AbsG~sGZ%eXKo^r(^cz2qA6a4CrF-m)-8Ha z^nS!mQhvV5f6A)&Beh4mJjEG1@)hUa3PzMy@Ar4+Q|a6aKw#<2nm|w%B)8I-z&@tk z3QgctiD$wpO1XTC7Hythb7)6Thz1m16AFd4!s}|+;(xonb}o7*WZq+I{}cyFb-_(w zJ!oe11^yXU1u?;W2^mT}u$DJboP0kjM^)QcwDqjB2Ja{S#x%-AWgOHNQ~ z@xWMNF0{r6f>Br56}h9=9tEaDiCyXuEK{u5or|iwUC-Pkek{z+8pjf;kk2_7@ z)vbC6+H%E=?DuHUMZG`Zg*glP(z@qqGpf<|#d79U2xvX{;VCto?~ z_PTg-!~U&bt(a6w(EJ)wte4p`n{J&-S`6GD@eRTjKmqT|B8rm3sRyb2K^5CR*!IYXpas9Zh!0{fM9OzSc>hRJpG<6gC;TEu}7n(L5`&-4W(K6hpc}CkI5_butD-^s|8?*29P0$Gr{;?mIPv%=Ry z=RL81%U2gqtarPfxfy?MSFm3>)QKwW5}HGHM38Usi?_vrH;22J%nk{g%y{W$d_NU8 z2}?wppRWb)hddSWLQ2?U#_m#HD*lfe0l1Zu80@Z^z%=h*9Vbx5V4q`VV=SQDD&=|- zIzTW{DCmGovGH*^IT|+9?RL3(DLQgv6Dk0ErY2?xjNK@6AZuh%_EBR zK_Q`6yXO`eKe+r8^}Ygd4iJK)J7L(ZBukf}UHnQoHQs_@LSDT{QeSbww)m4%G(-}` zBh?5uSE2Sd^T*ytecgg<0TK#9<5^DWS<`BXkN{!iz19|NS|;@qb%=AwFajWawo!A> zyvg?KjZ0O}HfrHFTEHr}6cO6d+FQ!>4MQQkUf<`AvOpo=*uGBHQSP^VK8%2}e$cgm z9(CFHqQuw-!%ux?0a!T6VkmQgCuf=fb5cej%)5Z?(N7eou1#@=H30U8^+3d@N9wd4 z{_A7pkOGRMBK0v@s#!P@{bzNt#%R;+#mZ!TvP#WI3bAg()_k0BevjL=9ea2_5yq&= z;xr}h!ZE>J*d1;w-~OBA^CeFr`KMI8bbH(+{HN08DW&(r&hF(?|0ph%{;@_R8?d~f zERd`<&>}7Jk{KsZGKLH?W3W#)a|f?Al8+gww>Az~&URGF^@QV&F%JJ)VXNMW@UIhl zc#-pZCa^t@Cvm3(A~!Y+^eIN#JNN>D%CkBWyQM$egf);37?BO;0;NJjgD11O+qmd1TYJY4DX zHeG&vfwJdLs#rZxCmP9$8Vg|FH&d_$Xl%&LLMSA8yS0<5e0I|VfTAZ1DVr;9b%U&` zYJ)FOrSe|4uCMe{$w%63L|4(l0-IzyT=^QmqQ_HwoWWt%Tt8Fap>fV3Kn?N5CZGp> 
zfX*`)I5;pVyn+g1QY5#OB-WHnG)xmZI@hUz-Qb_atdV4-amRPwZB=K`FO}C%DuT@j z{T@%z8W4A6Mgke>4&5DW#*mX_V;m`&H!sXGE-yEd4-`yp#qLT;NxYVL&NcEgc-?)QTL#ZA z0~Nx95*vYA5}gx@K^@M(5GzzeTF!zP669ydFOL&}XZ(=z@C8#FX*Zop+fjZSc5B1u|9G>;GuPY-uZExPrvB=#@1^BfvAFRnWkWl%p;7_+6ZNS;xvLLdCKrob-(%Gw_hsb;HIXAe~Dal zZ0&ulJ*M9FV9x(!vRHcveZo&?JQ%sL(UrLUHon68XBVVgE2!9A_!KlGeznjOmCyGi z`KMG~5A0LKP5L;KJVomHu!_cBFOK3L$e=QPGHbx}w|YL4Y^7qbOU96n#<8Ae?%)wd z>?Gs-bmP)uBQdJLax2@moRo7*@;9Z@~hZc6@uopM_wiQKqg5Ne#bXY~`NQ3_-qV zLG=N)V91oPl*dU#JavJ*@H41xN9`_)mFp z>6vKuKlcwj=~5jPGDlw0`K`W^Y@5e=7^i+U&I~tVCm0vtRtt@!u)m6faCBfhNG{&N zZpDY36Njv7BD2uA)-^$$7L2`*Y*Q4__Mot$f_@eXLrvr<$SD`t3`NZpt0H*a%uyw% zfH4ayL^>)?^;7`j?n;n#oBVXbUm`w{AC{+dE-hVw0-^`a60}x#21OPMOd5yHDMP%q zK4mHZ$zDIX$d})}?v^*%ZswU)HUIW)3C*$U9=Cct`liO#ieX?F;R{H$Zly>>Ma}>M z=ASD0!aNKepLu4pufegr~Z>>j1WFmL*h|Hc>R3;xxC5s%O&!Xqnt#wjY?lCQD_1` zkleus$#mbrIR2Ay@)zM&XaA5e>~O2Aqz}$y53()H0`ljTxTpZ%dmwb4Ws@Az2e;KA zL|8^Jk;4-ejl$BQ3j7OECH#(l5ZnUQAc@=orls9h9ljAYXJ=vctz+lR9zakNKd*l_7VMFbrZIw#4&VSR)n^G1Y(HzuzKR%FE+~_ z5STYsRlQM*RTIQl2u7gas|!h_2{Umc2r^bIIv`0tmH~HV0bu#~2_AtW4vbCWF83%G z^$NxKki!+=#KivSw(DOlax@NZ}o0e;wmM3*lBrzn1`#rv@9bgki_!3K07`u z2%0_6=T6i?H=A3*i8$>;_n?^=K9o?PxD{SGsDmJI`xih9tDCS}(nqWVxEtSyaRk<5Wl5_3p_Qa8DTF(iejIwM;0N@F zfZqDPEj`PDnbr6@AMYN9Z0T?tE#u7JEd0)9d2k=MIR%~sFDy< zcTyF|p9>(9Z>K?`=Ye~)Rj~aDJ^`kN%X9UHEtZd$lMEwsi~$_dgw=}$-6nFP^KMgZ*4Elmp|zYl3jpL5j?GIAV7~i<97U*>NKvM zF%mW!7w5|PHkROiLyQwY8%KW-dUD_kISEI-Yb7{N$&*;#*yqjb;hsu+@2U|n_K@kG z80=N7i^qt1!-%e99BghJZYQAvf$N+h_|j-`h!9xd3gg;|+p!ID@y=^W7s6M+k8TY% z;g&Ee8iMF?TrffW^ne6?A_ zwG;0=wdsC-<$OMM*u$?hYlQs^prF-6;@VG6`_NA!`2d-K$aChm)gk5v_mRK!ecrB| zyyzZ30j1DC=>nevws6MCe^vFEF(kKA6=@JB4lT zw~NVaHt|C^2}p)AJ)4|KU|VF)LShw+N}!u$)B2@3FR%_h%(V(6MUq62ejYL^=3;x? 
zysGf2%PS>}0Ko(Z?kDn8U*jlA=f5!ywh*ck^=2kgBYEe&c@n+sC`Th;ILLHg#_6bR zM7(5KMQ@nFmzo%dzc!AL?7o+AdXRBulyPp7abc#IN|T}uXY$Qk@;Bb{)%YX37QYZY zqexcbiTKM%_}RN4J`gB$U+BcFL^9{3hML40Rca`NEJ*^gj9{c0Bu>#fge+=8t1$@y zcmL4L3`h!l(yZ^AE6@vY7Z~e5YV#RRI=GZ7<9=4%psOGXAlEdDq{b^?J=Xpw?-o!; z%yPRtLI^1;^Ps|DTOU#Hf-k^!TXcHUCP`WU%q^>`-R{H9Qwm$Hc=V$^x$LXZFg`4AOl@d)B`X6&W45eAk?A$HSO-@X1{GaVIrQD%Yp`g3TR zC+kZp;kR0SPE2)-Xo{1nW_g9am`zMYtR+U9n}iS~T%q+XIWNa zq0KE5$K?S=44=9hfB42X#Z7F1^uft7CWvB|aelJU3Mj_$-p0|c;yjfWG|9rJ2<{jD zloP$5BS&P)Tgf{DY6J|jF@{w(B45tLtyCCxNgs^M6(IHj#@UhSu)sye)sO<7lQH2! z_|7HIaVqBg>`F|1)ve!d+IiLU5zjFE7?a+*o!3v!l6#GhuNDu>lu2Qj1+m7GAw0SDNId0T+`i)RL zgaza;WF-h1f&dIx{|br5`a`fgeMc3*R1klO52ruM?aNjHnhDXyVpXP=WPWse<(5^E zabD6qxrkH<6p@R>TbBN#&$RYm^@`B+@Cd7S5@RT+5?_I%@W}ujt&Gg}E&Pf0425cs zo;4n=`*pA0)roqV25pIa#o%llR?aZI1lT(Qxf=nNj6vijKsb?B z*@|TM9|>HCbJ3A+Ghl(S<0Ttf+QW-uQaY_ZHBW#GMHY@DYCGR<`1NdwtKt zcuOfq9z~iofr1|5$OA{CnkxZxdj|{vQh-T#MSaJE&|Zxepk)ZJdXTu;{*wy7*tD^E zq_2w%rGVC0pwLsj(4=Yk+TRTQ^>H3?tESU$hw4&?NEBcdC|GSeyd8m&n>IZsoJbjB z5V-i2s6o0lRp3G8X7%aUpSa~y+{_iLdZ$$#UZjE)+1^EpLw-^{!F9-0vfx)_BI|vu ze%yq2sAp}mq^*4%eyL2bqYAa#Rd3jG_Na%V7EAb91X2Xpnr%PkTb`=l3XzIFaG%Fv zB|M_8$VGQw2@%K&vx)JMn@Ck|VfME7sy}&<^}{M6!;98%>c-)=C;SP1=w6m5Y%=SX zP!(}!0t&R=4+=nJKXTqd6V6RE&I0!PRZg~04Cn^o1@;q+LL-d{mj04KQV++&UN)6G z8ttuZ83Dsl(i!=v07o;HmI-19v~%za0q`9AQH-RRN (Y+D7iIG*oZCLbFl!V-y7 z3CB%LIV;7p(iXswSOn0^DfqW0CaM5QLE!_Q9AXQ+8S4qa@2r~QKBNg-23(1n>MiKv zfDHf`Kz2|Ea#}zdf*C<7;YzsY@CrmZU}@;(+IN4M`^1hwLxrqCj2%Tqt$o&I)LER& zX%?o#ncoV81IG@9jN4`xDyhtua$*Mx!Z*57dkJ7Zy9hBQO4sa2Ph78@vns?!K9hI3 z`g1YnuyrsYSjPzO;2M1hB`w{vhF3!R;EP}@$W}apz@^8*R$#;!H%127A?80m;fpSB zFg|=5@+J;b%l;^aoW=dVeX0TAgs0E~|I#JGeK3hi1m-3ML_+42@PjNB+l$nn%sWCZ zGma>9cJqUz!IDROGgOFbEzvjw%Sxkfbi-{^+~j1%iY4c7-07|PxEJ!jscWZUv{H6Ra-LwgmE;}P;$ZTPdu z*IoaM|LM0syre`we&y{z)QIW;6|K>@1#x>oxS`_9imcHl91y|?MTO=owxue=SRt@* zSlhF_T}8AI6{y)y8=Ig491x`9vyI({vCTQFda6OI#lPQ+UCCxnBFZc5l24-#5O8Z& zFWp;ljt2gb4h2WiC!ym_Jtx$jU{J1bi;QO_=~!V#uSWVO%o{5a9T{OpjM?eew<;l? 
zT6B5~?*PsrN>)OPi&RAg-A*ETpyr`(EJSV>HFx?aMhROIjGj+`;eu?ZSq7Yy!)oCe zprUE1g~WY=3bMNRa30i+*b4l_i|BdC{K^+kZOo?~a1)wgzbEaNxYieE3p^Oum4N-o zJk{NFo@$v6_RDadBDsTr{g9`;0#&YQv-bfvBLFNg1rU2gbtB>x3&VQL*k8+tX_^KL z#9&IyNr`Bo;x8?dw4MdnM>sM5NU&dpfN6!njM)f|jaH~XQJO*Fk%IsjKu95&P%x6Z zBBy}0Lt=tRj&#(YBoGOh@(dIk7%x8F#1 zLRgzhZcFEFdM#Qb{bJpAAJ7NaE9b0=5D;sCIA&&-e7@>4_f2?YA-6r`SH_vI;8(h* z!hH}h3UQ3jgr~cmN(SWI)(03dpAjWBjd_7(@k?sQbi477MtVs??`>QHMFXhB2^6@ST$XrX+Bub(ZjURQ9d zsLd?`e2XD3Zk zDI&MO(!8PSd6`-r$likNsdRdZOTs~zBSru@^w8>im=P1LktR)BCyv&r$(*XA1+&bv z%o@Jiyo)u!N`Sj@Bmj!3CY{Pri;FV0tRK2${iv+U^o>&u{(#|YKf8MQa6U1W{B8!% zDbjgd2~6|w#cU0qIypd$Qv#xBZ5(J~M)rHl!lzz#I-Yitjy&pte56s{ro1DdMu2r? zgqLnG|4pQc ztcZr|eW(q@7U%*teK2*j0M$ajhhh->1%AGqnW62l21pY}ci0dbLK|8G$_Bkv`XZ+C!2QD|Um$ z1Qi)dOX^^kfxKtMst_U~Nm6WPzXA#fE41c^;&D3mYriVwb;>iVA{l+J-qnclYwa-M zkKhid%iuK(BOh)B_*rYhQ>dwoT*xd8I3B^sM0}}RS7JglVT59oe*L*h<$A4Ew_&xl z+J3Zp!d;Am5=)tVh7rDiGjG}~m?k8oHuyDjWV12R2hsPMzoOBlKd?(v!YaY+vj*sx z(ip=H=`$^u7O@<0DD}PA6P1{DFy#AdNd?t^3O+^n+4wb?J*WDck^MRfpNb}85|Pp^ zNi5^j|#%hmg4{3U=E_y~V5sb^4Ai`NyYLuQ!4 z*a>f&SYSgiT{ylbbivakTO|AuM_EO_tQ0caGFB%J%*wGBQV+-Ba1KTtDFEvUXm9|} zkY8Gc9YBz|Pgnyen6+hS9c&AE4f>`Up&hL4kUGSB{D#DC(n=pN}XM8DUKBOwXQJbQ49bJH%z$W+#xId3DjG!729vJ~$M->=q z4ifxCproF?s)P2Y+b=e4(x&Tw=Z<|q26HOu-5+9X(e=?37h{fck8eM_>3)tG)&@C{ z@a?<~M=)kk%_DQlYGF1{Z+rlWiE~9-BQp!L5)iLkk@nU$-Ii&YSDQf1Lfhw7I(ukd zeoI05*IsI}kx2Milzu9m$7mxhJtC1P+DSCF=+84npaq&0`H~Yp8h=yNE6f500~NoLVy63q72+DAyzns6}Yq0c;SWgI{+$WTlKcpIPM&m6L<$3Ji5J3;~z={Ks_3ovNZ zkK2(}aJI?<2uGilO^~2`aC2q~QH3tSQkBU`w~2L$;1zu7?9mUk?EEIVs2Ho?2Uoz) zni=5(Ialy6a|DlLgyHFE{1|h$!=k2%`C`_15pok2D;~#JSFtDBWJpmXGeOKgYe4rT zR|O6;=nR>u0H3?a2#|0-tbl^j3F{|HzaUfTH(fj{C7lPJQ&taOj8m3~NfId?5CzUJ zoP50G)H?#VXao#Lu~bsrMpz@U0}FgzB3h7iMkTsZ!PxPtIID2%vn5YWQcS_)RB1hO zrXu4oRGq4`iANFNHo6C3VRBoV5}Mf=L^4oBdEqH3MP5)J}r^N6Hnyc6jOHVVQ4Efa3SYbV`B!jUn9Dl8Z$?nsbatICeY(NjUm=>x_f zD$oM$P>5ch$u-IPb`+buZr?IV??ty^l=@e2j7xqmPH?j>Bm4 zF6ADD*Ry_|wZLeo4D$3JhQ%i!fr2DQdWB^m;ONTSRB=L9j4w9!w@2_wW0V*xMvO-o 
zJ(vzdN;`Ze1|}p{-cI|v1yvAu;VkitR?|d%W{pR9wYnG_W|j$JmYHj2+}1*_{)7)I z^<(J5suxbIXEhesonj;(H7QcqY9yytr~zV>z9ODY2`g)a zJ#>pGl=n5>5l9~aBl=&?aMCi`fEFaW`cMRad?+LsJIX*4$9`tCWKt7lAlXAgjg*3# zqSP?1C&wKRAF*?B4Z>DKi->H1B_gYHzGqql0fa};0(K%u95f$ltQ>7n8R4ai6$2Mt z4&;bho}0oTf?-7&=+QMHfY2pQ?;PWi*SL>5OVLkWgc!w7iuR(=<37(qNKw0~Ix|N- zL~0Kxybar+`yld^&mE-PMbLoL(V%J#DTWqwWL+!6%Ar(+L`Do)ScZBR5{k$~n;$@O z!I0;cWmA)WGFGVafbgkLK*PotAqw#)43s+b5N#e_z?z#dCX5W@!ziIMq&~xlG{hs^ z2PkfJ9MIpc3otcAJQ0_c7US*A7qbRKVFqcCwPDU_Vdj@vX0G*vIWN#9Ru?T0&P&$Y z;u^=phO+_-E|W^RVqD!NyO?llsQ1~|c&UI$C+z}WmdZFqlmN}4C`7*O41e0#TgD5b zNT;3N|KI8nFt$EmM3i4; z864aem}R=bjKj##J-U8^?GCF5F3E~Qsmtm@-M4quyR5gQgkuGlNzt?Gr$vpAGM{YV zDE8CBC86~DE0B#Ty}vRzgQRAo`F#cm+gK8-3I(pn*szNF1sIP-c(=+@vRn z1{4sl_~|8y)zImq)}NAO1nrh9x1u#Lhtx#;fx%IL@-xdf&Z??4{DRhyad-uTLm9bG zDJNY$x%hD22tT4)y>H&5&%|S=j6j6K4UvkWMjV3;!C1M^1-BxxFJGz#L=7F5DaMLl zc?F}#Pu3yLb6LIOstGB#LIiitDZ)x1+&cEY%q!%6R*smW(pL!UYX8>OS1(1Urlzpk z3hZ7G1aFc<_H3pY>HW=cNu7)%-$+=$XcwhlqaXalj6F!7K|Io19GCbOJ_L6&z$)C~ zOTkf~h*RuC1v{bz{Ig(Qc-@9Cyh}L_TfZ?M%e;#j7eQ%BQ5AdE?FupZX<=lj!#jJQ zKep1Dl4MWbY|c>Bo*n$uHrO6e8VXoFYuRqgpD6^xglu zO*F~-TJH$B9|0ruUW3#j;VxcRl1G@#jHWX1NEg8fDK}xkT1=Be8je?q5k~5@g1Apz z`gHc-Tx<%+GH8&{;aD&3pyGqD+u{Y~BRy12L5&e5Aj^O&Q0_tf;3=3?&_Q8{L7ArC z2xmbFrc(Yyi8vkYrsHKOCT@AfMB9AQiZAhHs3AaKxm%snI@ z;VJmbf^qj(F*7<@`4r_G!YV3%-g@4c`;`KducKw!$CRc!%-b&pf~YUFZsMIF%;_6F zB)Qe--yTujrvI3P=qh3h&~DdR;A7Dl!lV>tPYn@crOa5W5k`{nWK|g;g8g? 
zGyZxmC}0K4eg^jvI4c_+Fa1p3Rg#qx;B)txgMNBN70?3ONas}}VXGi0&Ld1s5d?)K zMl@s33WB1I5#3Psb*5Y%giCtf8Bx&)D}CE(k+%ch5%4?$Mr7$!6x0#bGAjekpcXMI z9y@NrBxl6&3akY&1Bt?9idQ5MA>1Xw#0v0#&XnZS(bI$d%0a_5j7^hSTLFp+NzC@b zD@PkI6d{EOs|&jr`YWU%=s6~MIlky0gDZT~{S|^p%ozh0D}+6Zn5&8fK=xq@sJ0MEp#Ss}AFd}p zPYe5C;ttSJy)NsKTx;82=I;kiI7Mg#)pfsV#F9XMh_bqBguF&s*Ek8!8q$Nw{kST zm)Xg72B|;*CG}Ekf2?Ixk?4nmXO}q{HL;-U{jeY>A28xq8*wVjJh75S7^i+Sg{f{P zg5nEne%}x3!I!#*$u* z+;x`%B&K6*1h2-bF5*M|5>C4bh(@dYGK?*tvQB_EF#e;1B zLU=K<&IrvaMZ*7xPC~cQ{vqJd0s4=U4atHu7W_2kw?``0ZEIyxs+>bs zg_Jb-m&&vQL!`|eeuW|6=;i1wz;%V7pbz-!uAESm0)mek91wT#6teMxNN3zIu2~s@ zDx;6Za!2PG2R;hfjget|tiEQ{+nCn@ffZG(a!yNHO+uW%?;bn{u zvy7V5b--1xcoBjdQr?b5)i1|}aM~%z%UhHi!2B*PF)dS51P3KCC_qsBl%8;kn0_Rh zeU+B-S4)uZYFsuEjZ=<2s@N{0^~2 zOH~BNgD|R#gE~&H)=L=Q+_YbLN)u0z9>IQP17|<7czl`pV;_X+0PUt@ipV2|Sao{3 zOV$EW1gVVV0-Z<9Q7xl0L?@=8fJi0q2wp0wifiRP1|X?Se(6_*?}bY;AiM}(z*|7g zsh9G0`an-mIl7H)NaA1s9M3O2*6@e?yhA}~77oLa}wwM_T$XcmX%X@s2p zG%?|5fo4(!N=iO#TwakbOieTcq$^>H0O{>z&$4rgPz}CUqo*Vc#S5tYK?3KHGI*4x_pQXJ=KADL7=_<45-n zzLs>c;PNSf`JFYRqXYAsX~h0%oE>Xsn{1d)V8}#f%J>0l1hy9u#(=K zQw5Fudi#^B5ikP(&qM}3VnkZqgyB}NiFk#^TSBs%aV<{tF|Aj43jdzwdv$r4adme= z1_$B`b2TnHd~HpLAr^Bm30V=YoZN>#BmU^ituJ!G%t3e896+g|5;Qr5roD<{lLd9-alohS>%A z7AC4*o>^7%PH)jvLTE`OBPG6pso*UTcHWq+^hX_%tq?5=fmAWLv4bkinEliCJ%RD@ z7p^8IIl%*1{zF@fXWZ^(|D`f|QN~RTpxd!UUekl0EwA)Ep+F^-Xtrm?8}S#yahtMq zs^Aq#gi6q}I5SWZwqvnO4K&z~M4Mr6B22~9mzZf*%akbnK>862v|z%JTdxv=k@;h8T2@5$iusj6aku;X8FcZr!%co7VK*u;7D`1yzG)JOJGW z<&OM<>M~nN;o6>uO@<|4bvOm8GaQFU53Jat)0_Wk-jF~ za3X3`)4=KX0-}K7X3G#g_s7Gp%saD>L6DWOb5RYX-E8}IJ1YR6xOUQrUnd@p_&H)P zmejqbWlB=aBTTh1g{eBmzV|aL{Sc;}agrD@%CPT7Ar^q8q1i)?M#?8;{c+nXUX3aYHi1zIs}N!lI!`P(sNJRwFZFZZr<-+p``y-G`OI0g z&VOUtwQimN%Bj0H4Olko<4Hryf{{Rm0-V6JCkQ_t_#g%Fcpiio`h&x=sQ4D##p{43 z?pglY;az=W4=s#66P}oqJ5%QMYnNjW&4+!^Z4`hxF)z9uimYzJ{yn{?AfS&l5W}GIQ9~a6UD_vQg}?2y(WQ@NQu}-EXV>!|58Fvqxy(?Gt-8Z7!;35 zVnlB)k37;s?_&jh1dRXtKVet`W&d}k#Sg7Ahj_(z5ZV|6W80QFW z;UlKr_+>^?WWh`$q6iEO>ssQ41KYd71yBisksz0PzDQVbJurTdcbbjb)I90xY2KA* 
zs>ZXZq^>2#!dpYw8kwFj-Trd)#GN?~tcZo`2#*9^9byvy{^TLEjPvDHIW83FG zPWnrFdxO!3_~vWL7xrywMYD_~8dS87t{uq39cDQ_vQyy$+q<#`cvqfh=cYf1Wh!}} z5s$`ip6o0FP{5?vYwWl*n4g(qp8Y5R{WwfoE=lB3)^L<$FMI#~!Y#~LOz|5`ePDq`{3a*H9@+H^c8Wk>vGsu5!>tCHC|7b8 z2X#=~umc_kIe;@)gn!+OC)VdXDI-_cv9Mtg>+A1a^elQsL@m$-Fc-Y5U`g4MZd8Z} z6i|MU2_du6vgpDNXa||-Qm`9^8)<*xiMnNmg?FLii&<6-lpTH8vEXTke;s;t>FoA= z|6bbMx8=*=ITaXHcp@Xr)a2?!L5Fz+8I!4DewpRn%U(fNy>c-!-+P;%4H6RujbFkR zQ{#tYuYykuH3LwPUmjsfr9{LsMe5!+GME%FKZL1>r=8*DjJ;mV)Zd#zd%rGY1dKz7 zSJ=>jvfDCV0fK$oOwow%RcjHiFzia?Kr=AA%6kPuN%Vn1f>|oS|D~onldqm8@z9~r z9wGCd;24kk3(OuEKSJA)BZ*w1{gCTP(9p2gRa%|{LO%IWh zl8DZVz;uT~f7&5D>rUYG7kX=1p(P^(&WScN_~F8Z!S$b83pfXXy#i6fXz6 ziSEt>F<(p#bH@zQVWrGuYGQ&q5+9PF=&8u6`?Ii zdR5mr(9$^6);I#(;wR(y&t@zpLfuX>&ihDOx64b6#61%Jr64O?(y1+s2E`!2@}L>_ z2l^HZm<9q|lw+L9iSQ%W+#=~JFA*!i03b$1ZESS@*sAn4Zt4HQtsUCY8%j=3013c! z&_GHch#cn-Ox#6^Ui^zCiJ=1fk@5pTcv&wF-8>Z#CaA2);cpBQ^H?@VL{Qr zP9wRTh#Yr#N3R3Houf82iQG_6UHiAR;?B|C1I`}sgA86zzI@v$AXt%OVZ%`jLcP_6 zG=X|hqCf=aD0>(3Nb;VC2>=C%0&N@qO{m>6TATmm;a&ZC%WeNsMmzrep0fw%91k1D zEbI?x6S<+jo*M2jUne5Qoj0yPYt zT{ghC7*Z8DeDrw4cO@t;O0!@yei0#q5Rt43Ob=zk8G&R#Nl0v1*cNRDOuH+1b}8QC zSo_)0Jp)n76_7b}Ijs1$@F1%@2(qUXTLwD`V`w-|O4^Pb0|Q@AW(aMr6s9aD1 z*fz5yW+Nc?fbG8}Xx=TErd+%PZz*!XNgTgLvMq>L z9iwBmbq-(qF>(!Y>LmEye1IRt0S^GBAS;%Qv)KLw2nR0W#Cj2t;A@ClfGDs=N$f$? 
zgJHRFD}%=ozk>II;sD_wj#Sg`1dbBE=HuwV_Vn}O34ip22s{6bDazAV5)*@1WUPO| zPWTz;FiVkE9rnKV=oyE2<68P5{D^5`2nA>0MQkEBBGL5ro6tr|6DTc{qh`* z0NMt0<4y!!zP_zk@V#ll^ z!O_Qyu- z{^;ncEQzY_?Ci{{t1_ty@_%I}LrCL&nS#g2sCJl12|s`eJpt?0Nl#bv0o|m}wxHnv zUCDP%%s%X0N+!mx9}Vy+tr)mvAu@@u^&Mx}eNP;$p_QI&eN^K6kF0!*9Gx+!n!`V@ zCr~SIG;iVpc_0qDMB#T4Y8kVs7gm*a0d{!MQ`W8F3c`GxrU=^ob@GEyC?XJ928QHc zit`P;7i7yDrR7Q|O4cvKwSZ@Pr?Wz+aL@NMZ7tu|4XL?Bnr6bnA&H0Uo_K^#9+ARz zZG;S0{vgz#+08^&!y?0{)XnCD-|u?sIYRCH&$KsdKotK2nO(sp>YE4Cc~#Ra#99Zt z)$@Gqwpp%uy%&Td(bF$e%Mmu~x%R&!QColF9S`LCT5tbAjclcFH)curR)5#@+B4KS zM;k<@3~f!x{4G|8-nB5L`dvIA4$J>j>X&>JwM>~U#l(+D5L7iwex28Zu3#)`7% zSK_KqX+KNmM}LTw)ODQJsLCM-YT#QMI4TCLU8=Ktx%H(Qyi-ax{joBVW4V40Tpjbn z6{$S`Rm5m4;^QwbbfVG%T(lmTBYIUGnWA+C+eI49ynP6Y0&|*(~Bt{w1FiG^|&?( zbgOvB-Dqot-+9-ig|~E<2G^1YVPP@7kr6CcwRFy}5#{FR^V?OE){Rv<>$K3ME3g^r z^r&;;nSGY8Ul-rl1vgl7|4(end(ASneB(Jg?g1hW((!MJh7;<9(kYLqmoVlrfg*73 zDzJiSJT-Om_2@!%W#Z;ZPas}W^yg3wh-#MM=P^rVO7iNV;Xmh+vTxgA+KE92S8;+S zKZTS{TofFM%@I+#z^G6zVT3m1)(L}J04~buv1dnbN{h}T@0V)c$Tsn*EnQ98%OAd292Q<|Ju!Bg}M7x*kuNV(|E#d%*dN`d? z_W7?XTN;~6cL;o1G3OX{(7#jeT!slGnxPeDIe>FW53uDLip} z=LHYWi;{j*K)C3?1a)IO1eHq6NMw?m0u`$g#0FIC`E+YyijcAk_%O9tI&WqxxD6+^d9UXKyZIJPR1p+ioCiC>vt?Xkqa0*hoHlv{B)t#^Vspu)f~ zrrxBre-td>lddHLu z+W9%uGQ~)+YlI9A$F<^TEXQNLw~=T;joCWIXjYcNgu&Z*1^ek+8zzgP!wlkiMp@=1 z9}p#~7@7=8NQzk>^G|l2&4o~dI;=8J<^7(}d_He#qFTMhzBA~wzev2#jrt}}Ib=&^ zZ^=&W=5pViUQZ^zY~_#~aU?^B+`{?ES=35#3F9Tzy8wgZk5NDnrh(g0m#eqy$%Kn% zCo7vMRsjh+zDQv}A-$rf92D|9gIe!n&z^05$db$^KN0OwtIt3j+7IzUk?e7YWAITD z#-;QR;RQ7&k!9HPd0l&mkr6(&;$E>UbTuC>a(W?$J@A9Q^48>e+o zU%NRzElenETMq!`VdhJMwTW;IPTCQyxs@r#z;@w>2fC!+E8JRKuS-PH#Fa4cHf6q$ z#c0ZPj#F^H{!0jppZYC3Y}z$Qi>q?kj6_j!X!&Xvp{MI`dD{iTz!}8) zY%jet7R&E2T! 
zI2n6-hyWvwYCCeifns4{k#X&?j)aeMGLy&g+3P*#66F0V42@J;ZhjDm6ilwdPg5*d z6hh!ZYY&^S$KP+a@UhnDn!smiLGGt#f;R(Ee=|2$qs26ngMM50Zu`M*V_t?(CSB0P zg!>ecUdR_dXJ1*QTl0kRBbYNuui0b7l{P5fp0`EaTQlz|WL`ibh4(HNLi zj0+c-kOXeqxM3GRV@fQ`pZBAli$zsO{8{R_@`yGWcCd~+p!(5Ff7bgXr%*4P!G(t^ zzILb&*b3?)$qnu%u_w24eZz$BV`pW+fGRS6orb0#{bs1sXFeCMazZDC&JW7QQvS)? zc2?CZ&EIi_Ql*6!s1g4foFs8H>m4E`z#M7nOjP7hlm8p=gWnI!0DFDC1Dh+Xnh}z)r)8`~msa}bS_(-0(=eAGv7ZX;A!|W+~1?=I= z@e-;<;xSnO$fI`FpZ)B3URxITk~)r^>^nE`9gWnxyi+D(1-gYpc@hvlw1 zM?sPon^EmH}Qk{j>389L)n>ts3L>Z{tVyw78mM_ZaIIHaE?<2Z=lKz|5 ziTG!_pTlzy&mCQ#D?`WWA+=!PYsdrNP+Qukc~M8jZ!XK zn~q^c^w@O$?RffSsh>!}58n$S`58)!=+Vp#*)45WOyVlvXacwGbs2)EOYrnL^p{`gLeD zd{D01<}q7CA#5s5#Ql+u8_1yu>Qw^S7E=S7WvRRQC@G_-B{i)_$^sVCfE;e=9X(bK zj_YCF=-*p383pt2c9OOUF`j!25bp;K)I7TqwztWU1}`HAIt>3%N1*Xt%ylQ(ZZkD6 zEM_i~e<{mKCvbLuO#G3d&Ie>jqSfc52puV4Ug~8ZWsu%E-aBmG)*ZlGduO$UdCwcpT|1K^+5V&geKIZ!Dq{-!26>_0IQjD#a&vb0k9fwJM9}cM!H)< zdv(N3gCZVk#)~2f9Yh%R_v5Cq9clxDqbbn%oX7ZFsw8#<2l;3Ayo8(fCA@+;6pdLf zQ65MT0dE2_3$iQ2ZWjLPTnKTU*nG~%%aGVc465^RuFf}=1PJ{KF1-{De2kfz>e*gs z@fUwe?8_%lTWxtjo>SJ#%i~&UKOIyim#f0lq=2{f(9C@ ziAB=zmqtPwAv{T@9wz>zA%U8!XGY`Y1fz*3{L*Hz<3n4-`At8a;f=vPAYMTRB&)7y z{$3R;dHdy(@h{yEXneBgNIhTA3Mz5M{j95u8f1tnGbWSUd%?kaxl-qYv!N~s)f%X0 z+)Izrve$Ubp|3=ttCK?82ETy?p-@*ZXutCy#~NF9Z-j|&xBn-|@>&+3M`zuUlaOVo z+E+Y$_1TloQekKT$?PzO(=@0~m&%8Io>p`*TJ`$sq!4vbMNeWKyQ7DK;r%-)_# zPu?fl-o)Oy11eqB{kE>BCQ;un9I<-3l3;b&JC%3!qDz-^(r-8YyO`!d9^vIOI;9Q7 zrH>WpbKF$jkc+fzc6xibw`Wdj%dW599(HKm#q8e&ay?)R$!hr-9ikns96cll4T#&*!|s9 zK?p{=Z6Hx4pWZ3BwK5OMAp!cEw&!!T!GKPijWW>_*|GT$dx>w8M>X;3sBM*$pSWz` zVRSWhMMrgaYS9Yv863%rJhaS41w6#2*IcQ-yHBcNxIJ?-UkHi2Usiq$q>uImp>2v_ z+*`vYM3){hzc+PeS`#zwFInj-Q6?wt#g6ToHLgvpir`=z$YzSbYixDW?JEv|v3{{n z+Bd#=s#B|eL%&tw#9qq1Bj&~F-MmaLLc%R+(O>D9@?W~T(V`Y^V5~;6yPJoAFK}qQ zxbmWQo35!Lai`vrQBE?iVdLH|T?3p!MiS?mof+s}7X_<>jt9gfsD=p9nKk}U5B9wQ z-Qe54M3a9r7%5o9S!rl7$XG+op|w2rz)1ul@7D(L5d96msilsC(?GgH!@pD2UayO_ zx@X@s;&u}ISY`xQJ@sAK<^;#0J~|htj_iT08lPmM;ggGjiSoMu&JacI4zqIl`1jK9 
zAAy=7?k4VD%_z8V?<;r%SaR3(ah;&LGSrC?T6mgk+~`8gR^ z$;;(q>=?buVmF+s{#`8ZkDCwuwOT$A*?Dfk2 z`atTd%eB>+L`rrt&GqP(eZNl8<5|2E5s`79ht7Fmb5{=n1PS6V;bTn zMcTwkx-S6yPfd}^U#NcfEhsd=x?sIWFs10m0Ue_6h~MZJ9ExC3Ymbv0O$Qy~x#ZlX z2A+mgMqowq(gMO-f}G|)7L?$P#poji>Z?-XWRD}PAE@!@VDcHF_%YlJobt4E5G=se z^=0b{s_9jaU|eOSv0}R!4J+64@ob1W1Q>*mvvIOU+A&lEF2p~7eeq+R5EhJ_A=Zt1 z1kmlEtn_&~3{rO~hmcS$ME4TSL0R|0%Hp30p|c$$OT9=__AiuW;EV*P4LWZBDZR{- z*nruUATl8UhomOzNQPVSu*UcPZ_nvv;UTOIFGzBtAyllgU|ngMMcIhy=&lZ}#nxNa zW58zxMNT#X**ZkUO@$Yto(2iS#c!K!b;VBZxvSPTR(Z7ua;&P}gWO9bo6JouveWaP_W^> z+HzM=5Zt?Yt<%d~VXK3kgb=9$M7e=bN~%*|M>B|C!;NHE zGC49*|2l*h7$i$-H^VE36DPaHVxvlNw**@g&Y??~=-4mFSHYXO)M4=7G?cr?5_}sN zAS)Qh1W?@(`&$WN@=eG~COkn)a?G%Sescned#B(up!~h_P#jv2v0<&a(f;o4Sk`xb zp@jd*0&Zh?uwH3A$`YOe{gE@Gj!~5pPrvk`!=IwCZv`yRuB`ZP5bOpI=ML8|YEz zWlxK!QU72TW~qzx2Xk<#HJve)b9CJe&QHbkf)^jaN{_2xv!su~!`sw26D{hHyJ3~Z zX&jQMmypess%bOHSbZ&R-I?El&T2IZRvEz}ZwCvL3m~hc%GIgFb~A8PKBzw_YkvId zUJ;gygUvhS+vynVIsRgMgbFD64^jI)QzREGXRL#29f5FN{zGA8G~3-4MRcAN$pfYR z78K{A(4`?01_GIgmQnP*-$f86;uiXLy)mbEqnJQKdmsz;G#w=Z!wuD~zj%Vr_78X}y`@%vi;jL|41Dk^GeY~JfH;S7khV)R$URkhiO z2@8|6&a{KA(0OVgaUX3&MfBF(SQuMv*xu=#a$^Z;cJiA_Rtz%T$qE3_KJvEnf2^p9 zC5#{?#u_}RBlS%vI%!GIhuUTcfh1nMsOIt81;MW+Dbd^CJ}x(J`slcND6u5pC75?p zhu5Q4MU8EG*{<|4e#>vuOyKqlws;I%uxiN@b~|+h#bJ*T?e#~9f8cw(Go1NQpZTn~ zL`I8En8LE|U}L0kgg-QMaza-~9?oegllB;WFa}s}=MZRubpmsv*<1{PI($>+g_ckT zS-4*jV2D%TmRNXLFyhFr_3XJ>t21!2PMS8hxT-WCzNy)lnqa3I5D!t3mi@+J!NtQ?3)C7z zK@}b!`)9&(=24&M+9#1QtU@ka3IE3D<0h~3BmO=JA(Wj+Sa3_=*oIs1ZM``j`0jCo z{-5#=um?BUymb%i*l!Gh6NB5ozx#6KDTZV8&smQcb~_scyL(wpx%1LCq|Y43lybr+ zfi(nAj?iQ6&7hvwO&TKXW{6=ic*Keg6rvVI96E&p4V!9JO7VAc(pg47^hsfxb;K?8 zS0Y^~M1eh_NOB*ExM%x{iw`j=vA}NjG{+V?1H2L@j}{!7cJtA!3?baN#q4UiMFhQC znSSX4M}4nDuuBY~&i@G_93S{VX!r@k*hM^9s5BBtD$9et6V~6GXv+KsxQ@-F%QPk& z|bHZ(8*3sNNz1!`>u!7|_?)989-HGfDj9Poj^N{K5`_JZ~+r$D^jaENI<( zRFy+(ag5OMG#!(;tLz7nzb;tC%HTdgFz(RSq+oERct5DrMUmdjo&E7ElJ^cRTYV7wH>pOsUt-w)Z@r*=Jg(!BC3Kk9$ zW(z_x?1YMIWSOu&p(;q`l>!e6$%{*zCCk7=C1(YL3#tzmi=-yrzJafSBRV}D?z_1Q 
zzveWtLt74Q93+9oN?9!~9G;Ez=oKSA`|mB`Q)5Skq4$rA5wviA5RMk<*FW49Q8BxBuJ^)JQCW3QIaQAbu;&dcc#@K;t$|YF)+?zM{ z+=&1jzgD*#ge{c#nct>P7*w+p2)^$|MSG^;btsSuY;yxj$!2^>G?X0jTG)#c!{HiR zh_>e2P=dby8KICmy~?;Kirx?l2JlY0{-}}V8yHm#!Vt#q)K5Vl3)@dWtL!44LI6+I zK21N~icL$=4=aBgf|FR^#F_EZvInVW;(VLp9&1zPwuh{#R{HZbmoJMF2tOKqI1(yu z!${HLa)2B!d#l`zQkI>`S)>6Y7a_7=!VM#7@AmT_!XKl3^E;iqLdwZWj!$!7Zl0S& zJ7XZV*U2^QRpM9BA!}{J9?7q9_A*=rSc8-UgY7F?QvGy4P-I;QSB4KvO?07S$!M*(;_O(Gpbu_cVsrzy>Gm;+G{f4LMfM#$`Fm zuXaE7XY%{UURfs4e)DtJ_L<^;?;pHXcnm^x6dMU%j--jOY^1vrEdN+!7bbAvPq<&# zm|Z~~OC?!lJlXe>9`Z5Clmle*47m5iTq(QRKKI_vTooz~tEeTq+qr7{uy{h*9PO;O z&t(SY6Z$KoDw7f@I12}JS2q_6lkfkf98GQESU8B8iT_LR^Aj_vdplVWGifWC+FF>o z5i_Z|o4WmvBJZ?G@#@x-Cn1hptm`U2g#>(35|I%WP_Kq%UP9|nwRm3ekY|JdA zTui*-m}DH>EL@x%?M>V)h}~S=ze+`I++39{T*Mr|J2^U7IJgmW6En$MI9Pr4%FV*f zMa(2=WB=9W>;7LOaSJm?a|>cYLAd{C$X?**2Ht*{hpV|LFgh}#(l9WbCa_VEqO0`E zePs|fI!#zZwhSnGhXdnEG%G=xr5d*MzY?t9m0Jo>BDFE;qJxO_B6cp-f)c1jwIR_U z#-J(_;yKjJwuzsSw>%+petd}ku1C1I(w+FryfSMcTL zdo|K~yx8~>3Q=# z`1x*}9Ang8R*&>-c931xR70^{et64jp|e@H&liUaT$z5fT1_x&E^~S{M?50q+5V)P zn9lQg9Kszil^-e0gmXxrH9Ma9OaFY(<|$IMI=y$zqBsp?8j-J$S~!c{&6tb-jC+D5GnyE$DX=3 zt?R_Tzi7P)e5OJ!;iC#8mO-B}w(`oNZ+KO20Y3n7z@70`%Ke0Cj}=CZRr zrMDF}nC}X!Rf$(0hln%^raG4n3w3axcU{&e8myy`&Feck{P??|=HsBw3rlvRB48-KC%M0dEP?9Fk77KG!!+0YqmJ(LO}nWByiDG z;lOj3ma0#iWNDqW|A~CTcj`Ou(+KJLcKva_I&ZaPEi!;jgvPU)QwrZSSjD8n0+H@< z*U@$Rjo}Q>PksyReK3<(^ls(s7Wf#*`K0mNtXQF@vwM$Ckp1JG`up(nWx#~cTd3fT zJYV~J!j!HIa)Ps7SXh>(|5RvrjIQl86OHeJ)`8+6hsY=WqMZV<5qS$&_~Y`?^8G_R zx7sDahHIfGufn~}!+l0W@x=@Y&xHE&cfWT`cKmT!4XK>5$8ma&1A0@Vm(!=t-2?t) z-+s?$RCJG1V{WJLi`ET8ouQ)%J9cri<$vAKwm=(Lt?>RsPpr7HJZ0Q*0epsFXxjt;CJU(yI zr(R~ATA5Z^ZQ89V-Y1{rs2)&n6~(PAuGgObc0eb#P%!h7)!ziRa4*fwPrA?Ad}gzL zmp4g42c)u1-t{_N=D?M|Tx-$+(v}^Vr$mm*Uz;03oE>nUd^&k@(EW-2DzzmVjg+0N z)>GCg&S>yb_bWdlRKvd=5r^TAupwLwEjKpr4$eTlW}x%Hqf_7E4BoD+c@sda@ET|u z-s$rS&J6`p^hovcQr#CY+A^>30m{RHWv*+A&r80$PwG^FZ3W~(yuXRjwC*=SyWKby z`euo@)Y& zS3-%7D^_LhI2l#7WZDBC2*ID?gg=XY5dIAGa*OdDZK(=0n^hwL$1T4-t=l5;zWhrt 
zJes|Qk7;jldVyJOzqGrs;qH@vi-kaGsQDZWL0>k2jNR0N*14B<`l zzwH7*s}^d}`f zfGUD=EHSRCk1Q3~B-$*>E8E1=|L!?{CZUGI0wjjDEozrFDgThd@Bv$J`*k6}87d|fIeddF7NJ1_Ie3(7XNAHF~ zX1_wulsafXqlVkod@R_;LU#8aZkkGU%qh6`noTbs_A}L^loM+H2KrIt*K~+?zlbw7 zl7p0g&44n;!%|mUtbQb3WW-Bl@;iJgorjOg3-$3OArKo-D>csdSH7>Eu+#jIsP#tB zW>{v3SM=@vFuhQH=|wa0D=4$QXFoIc03U`#RFxU>OXZOGF72t2G(a6lR^^GF zXP?mc37PIzMShkev{gd=~F}83&F^Z+~1sTi=Q3UZpwkU^`AbUq+Ot_LnuL;65ixj zG}09KDV`qWCyHC~ZE%QZjtH&>Vr-DDE>~{mW7}jY--~9*vf4jmfP|`0*&cP25(KK{ z=3jq~3gJyqWd}I22pz}nCy5APycIDk;Rp!%>o%1tnxzl#7NLl(-=+Jmkq;; zL`%zv!YS#EH$l6kIlW0!M}suJuM)V<&jIw(V)kyA8c)sf>NWZO%u|MYMs6j^bYaq_-mbGArsS0~48>9GzbXWpuR1MD}A^*0G+ zl8%pV)%Nc`$C`Q43>@h|lSN(cauH z62%GcZDH95jm*g5L2gMb{Qo{tk1EVZrIkQmAzlM=*`gurjT5E=dk`tmqe{epU~mX2 z9*>s^u2kPXR1y>ff$Q=;F~Q|ShjNmTec|;V+*F4Ms4Iaa*`O+t51b?1Rj0&!1i-`_ zvmz-Hx4By~(m{XoNiLfduP#`@Kreh%EV_RJk}YxKbZ??~^K_;<2?0IWtVzL%L+Y^2 zs|y*yqA+PLXjnfrUfcael2;R~V6ayvRV)6o6!M!k4D(e*)n!$I8Ds$j1O<>bXp!3r zpJKFEGzc_C8-w1N1F0VPRsWUt2VwaRDH6q)wK0w2z5nR%2~hx@GKy)hM~~xvHF*fO zas~4hQT{M2U3m~DHw=sM`SAo#4^;@3@-g$3meDYe0yJF$ifO^{i1(kVkU9uB3gED> z(1Gy@5k)<<$=JhMsnCa-tTreV1;AH(?Jx>e?W^RQU=4UpH&oJ8@zaP#%h5EzMH5vhS&(4NFr1CKe5HB_sk8x`VJ( z3rL0nErQC$rZ;$1g~7wH0QXAX%!=lO3^~U^_&J})VVcrVH0x0oV_4TC{H7f$DhwXs9uKP=i34K@6b_(f8;jx~ z_M$QbG7m6nL!Y0}D+ga5tZ2CR-|nyQ9N#NqLXOPi-TEmf7DXqlcA7c#DEuOd^PF7t z?nHcPu%Z!RlbA;5z1hOFJo!5m4Jtl7s$4>8V$#uGcB_4QG8nXkW0oD4=oMuUMj8Vb=kUqk9y$sK6iEzFl>2*#7V;nUsdqO5y(^eh()g>34~K_o+(4aT zNDfli$~#HleRJbgS)v8sqVMO0n8zQDl_5|sp~!nFOe%6XPGsY)8dxu)F~zxq`~g}5q1vE>_8SstzA zPSL3FX?zZQ)Nx=WJ>Z`f63@b@C?s z=qAmAMX>_h<7vmyGh)SbNQ+jmXk@WetOF%7K^Es?>1xB!_Tsps(J}p|`{KQUK#T!hv~m7_^f*ZlH4otr-5Y zT`f8^j2AmDweY7_L!hd<5<57wK#~1;;UCcB*Gu`pFumI;c!|ni|oO zGsw;Ynd6vLM_Eo1QUr9dBGm*hD~lw#^7}?~okkJ}LCyfYAx)*%jR+h@LFmLRe5>h0 zkp@q~07PS0STfLvgPB1BPd=)tJ+<(_X_%8t3;rTU-MBW5QkF)N^lDSm$jWAt6hM%F zNmEDFlwVdfBoJ6)%*uHs)Z;W_!cfw(2swz3tkWGSDB#f~INb9Gc!x$|fp7^aIHUiu z!9_eU2I3@>f)UJpYHlJbvMBJt9Q*s&hFLJDuNWSH^s>+9460l> 
z${l7fz@ve{p7;_D7!xs?Nx`YcKDC56GdR#6*p1x4Hl2NU4MBnmWK!bGenXvPJ!i(}jquz?VeF9_A1H?cQ# zFBzZ&Fu+1?>;mkR6zr%dp{RR9qcdqs0yJXa4K8(zGpFK}YwV2)IJi4-%lgtD|IkzO zqyVJE3usw_#{czVrCjNz4JMomYUDEFm`v45gsvzC3jRaDaPKt5?)b!(3x@(*#MQPt zN?%Gh`@f=%xsxvk@JFTl5MXNv+Iwg3^DjO$-xr0cazT%}U3*ugV!X^?1yj8k&^=Av zG9PiA_65n4y{o7HE3?ftH`{-SAM1+f@%%piX4DXXG4qiTe8_W1E5_ep zQPib#W)z-^5{~4>ipz~{=ZF=)Z0$*^hI8^;ASZ^4k2;puV<&mE_poIJDLiY!F$j)) zPt0ZI1CLqW8XKIdIu6tVezGVtt} z7(2hs9%ecjh#XnTTGzMCqtO`aP#Q(pR>HC~k2!Mawa`>JRg|W{R+WEsaO%OT zR9IX!3ZdF7dc0^|_S}sK1uFk0fA1!h@67BXknXpFrO;Nk$As*hAu8-EY+D zaW(fI&)BxqDFsAj@{)Vv7!?_le7!KCm3Qv6<` zfBqI??gf&f(*UatJ7Qj3lwS2!hrnXEfgk&y=L)`D3WK7#drd_tm8MBuh;IS0JS8cM z7!ek7(4SL#%tfujbLC_0pJwjjH)iTPt8#}Y@K65;do0k zUv=RjTd%R>auG_y(87dRWKpKK;bOf1A|90%1A&zGH@$?{%UC$!pumGsfG6eFY>^!* z-_zkhG2|FHqmHN35Z_uQ@XM6Zm|=_y=p~D#HjuMHEmRQVWC=wczkC7Kn`_?Cpdv7k z5a2bbNq2Cdt^SRL3;+%+^O-ez{i_A54h7SR>!s8o!XJC~fay3J!ITRk>*61)HRJn1 zB)6Q(1-5Qa@Nvc6w1BnMhHAtL=xFyrWrbQAHxc@J;qoDS5^~c~arkwO z-%oaO4-QB5DLDo)I~jgQv95;Kp~+YCu5gyX@TVE%o{LV4;hly*PHHl zp~BNaU85@LJUSK&KEW`J=ISE^z)tubNlj9Bj;bi=42##IFX}Bl77gOxvf9%^bQ@Ui zj1t!0MZiGrrlo(>+IP03&^K0ut$Ad&RVbWxYvf4<)fM4-MePeXa~Vb%gbNxJQT$D; zH34)W0UYf2EY(h63EhdyjDd>C?!^q-3jf;fiM7p<{@J%)b40Em-#T%G2d9XN>3;5N z>P+MD9l$f7jjga}Bnx>}R_I>#{+3@Ii#lN3cf;0^w z#oB03tK5PSnJ74wQ2T_2b_scZb+lGMcGg@U8l#kRfPcYTu%&Wd!SxgeD@2(Try@YT zv_;=DdOXZkykd$`>U~`MSDZ2)zXx(h7K#iQ0P5`}v*KQU;>T_W9#l#+hCPloJ<_9+ zVVp1W=1du-IBKtOeMC8@Miv9Lm~fwTUl{0G^a$tGWtO{1$b^jUk{WYTljYU|HZ^~S zf2PBH(5kn0Xw~$n?A1eQ76NEN0_h0cB6r%I8IwP6{OPR~`^1Y|;ak&{Y>TlK))T@x z${Tvf-}!Nlgb}kBL~_BVKfO!e_3J8@kN3B=q?yBl_tkRo44%?`^T^hZE4RAPL=i!G>m}9U3>#C5)zl0$ZM*+~-lTX>&%BQatC4)kvvpQ^^WY9|Mt+N3t}}2`QduU8_|)S)G`39d zk!{@UaX|dzjj^?fQ6Iv99PyV5P&=Q~dbr6kl^@0*k9+pRcFO578uAGH^BK<*w~4g?fq7DFA&alTa^ug!?~vEJ0QAzQ?`vl2a41W zu5XA7y!5t=FOaP4VYSNf^T(}!XnXRoljpJ*(>JOGKTX;R3oBv~zXkK0Rp;yqD2{oN z8Ff4Fug7VZjCSnV3vN<&TsGtVb9aae=!!z*ir7m8KWz|x*0FbNsd$wY(2POWW_J49 zNA24WIJ#GU6Sv$&R$>_+hK$q5p_Tc84ZrD|WN_(mI?}Mz;fnU9JRCoB_`vpiwIZy1 
z%!Njqng^BT4=O0Nj-RfrILQw4&YCKuM%}s?5IXaD1wXkT4Yil?=#8vqM4x?aNZ|d< zXWh$jL!9n7$D6`8DWC&Tc-qbOW{ADi^oor90b6TXxdB4=Zs0WwB4s1@@JAKQ{F{^aM?;0x;fXVl4H;csY zRl3F7Vo;p>#CEx^h#XLw$DMrX?d9Ql`)#Q7roc`sV*}ZC;?q;fPmX8p=)s^Z>1;xv z`L&EUDa=y=!R;MAFX-wb$JI4?2g4IVyr$}LI;T>oW+vWQ>RSs3%dE#FWfPUt=d#Hv zZz%)+UM6Uz!|BK2G|#pY$Jm+j%+l5KSf`p7QvVp=QG;JY7(ogr0DD)fq03b^9f^JJ zKv^IFyzkxhERyZ{)DyVVo#MlVxTSC6($kb;RBzGbGhb(g4j`bc33IRh{QalG;GQCj z+kOQrnaC~9TwL~Gd$f{`GbMY8@5^0uRc5|1o@D$4#}TH;Y1kNOIYptuI|z8ezAIw2 zEWGjMZoF}4?q^)~IA5vbc31~|`}YO>g7+P&33;>J+fV$ZJXkxJ`AOk}PISu*LtDOU z2*nZ{zV6paM37)*m+eBZ0B&QLlLEpZl8y&SU{8HDoz#$sl_G-vt7v^G3)s|x_WPzB zO%Au%iX4L5Z(ofacR9gUUN+p98%yG**J6-6_D@rj8Ro4Lk{|GZlNL2-K_3@(Muf&c8q!S;LcecopTkSMjw4~gyjMld2hKe3|B3Ai7mc%Q;~>z~zQ{GG|> zwB3nkUdX8pb19~Z_or{YvVWG4tLYvBJF#U*J+z8H5ET54%y>GMs&4#{U>B~~`8gAv zcI4l1n{D<{bF1xob~UYZvt@X9^h&jvg29NwraEUr%+4yvQn`$1Gr-11G%@B~Q&6xI z*rDdNURb82d33;^mdQg}6Hr?+_(ZM7^s+#{^9kr1^$Pv}0$kwy{{Sv160;FAiTsBh zaQF{x@c+ONRHa1!-}nMnP8Qbx-}r*uG*5N4RjlxtF0QUwG*V)UyKg?Q#PfX8n2;)w zGJ(nvVIhb>An;iP5~81TVCrpvH5D9XcqD&i7{n=y8TUqZT zI@_y9t;?%cm;TG`V9IYnko|7j;DPLg+87t7efntV6N8TsI4Iyq+TgvrmX?rGPvQ`Z zZ(RbJnHAE*jSm-$f#x0S^gYUyu1lW*iKJX&epc7|TefJShC8GmYEHo)^=hyp=_feaHsKGocY#r#SB-1Rvza`Rm^__r`?G4ME-bJIa@}l##_m)Nu%_=o;ltf( zrAuP48z``*t(;rJFnhzK!94^j_~^4Udspy$J4U)=uGjn^$MK#pp2y6Ii&ss)GHf9b znG7bIg~VZ5d6}H}%aSCimq;*FqKS(=) z(Ht%$;LmOV4kr~f?vGqM3~P5IF#k{<*DNhiO$@jYABB`=8@CTqws?7c0)?X|=omwL;(RLfg6%-dUO>cHFvna-CO;ZF zKq_4rEMG=jpe?)~fxh4AP02tsqJU<u?5ux zR_THHmh}3H{DKVbm7oLI@-qYXzkx^2=PQpzDTGVoUxLR}2X_1~m1_e@CzIb%2Hu zfidMiWq-6Pp(4&A={&`QSSE2f#U(|DCWll9-$(pU@ka}wT<>?6oL@n$a-Q&RLmzjL zm{59tl76Uux_+2`z#j9U9C1gyUwkv7Oxdr~+BxDPd<_2iBDcAg2B`*)HKR2;Y!TMN z_xXg=!3W%v&Ibr1Vk3=1vO}yxjKlgddC)#O-4{lA^rFaw$o9yXd#0n->HX<-mKrnd zuMYC0R|;zi&m@8*<0OEjm~u%an?ta7VznFTs?5_3KCRrB{nnu@6Dl4+Oh=`0H4XkTJba*tbEOy%?d93G7_|^ zv^q6%*Lgg0IaN7@-6Gu@K4U#Icx$>5d>Or^dEt58df9pfy9R{iaTT)^1?mNyLu>|3 zcHy@?`x+#*VOe7FVo{?~3M&g+in?vn4b#vTN2Vl970m6!`L!ErYL&uEx$OO1Bc26r 
z8LyO3+!3k~Sty$*I#icb3e@LRxN78TAgWdkXSHwrYXj*PS_WRj!RGr0^;5;0M~ziw z)Z5P8mtLIdTD6-f?b7YjPq0q}?YMSGp^{>sZzx~X4!g!*1es(!` zRd~_9=zRiyI=^k+FW(%$Ex*eEvjJB^oIn-=3j-^I@jx*^Ac8mn_xA$yw)^AK&gl?o zE}#JNe+W1SaX~OcYazcmpwUnkA1A477{JjLeOQL`0!TptuN+ ziVO-Zibx502&D)~q^MG<)gK5)sz>4#bEDv5B6|=y+m}7hZAygfU+h8dU(qmXCf8rA z**6}RjZas{>h!AFQQ%3NsL^7DE=>2bAG!+;OVYx$`?HON>n{AZIL_Et@n8YGng44xPLj+)&A2@^`j6zJXe3bvaex|By?Nc1iHK3onA`-y z(ZfOdf%Q1{=>6!sH?uLbi<3#0^Pk|4Ugj$c*s7qVYR&alX&0^Dw%y0B^B5~UE78@P zapCbOBg}2<@T~>8T)EmVUDNvOqaprQe!1OF>M0Fa%Rx(I%gasU`YQAF6awwpNB!}= z@I4vgjrjBJ?^oonn-fogmz_mVMei;<&fqQ^o2PB}s%iRa+N(3wJ6ctT6L45f9Q;x*{BhRuHReV;1dKvm!h|E(;`74MZO(ADyu;;jV-|-Ix-A06=hH$7j z^0YM^%w<*AR&R~_rPOHOw%V7icfNlprBs+yvukmBWqEa827eP)IPKZVIv3t%r;XQE zou{_-pUL}G(On>3$8TEiv|CSYUWd_NS(rc(pl??+T^?WB8{DT}Tc5LFWpLWO6YgxE zrk@5E`}w4hG8Eb6yj7ozFU!Vdoevke%evF`p(ZiGEdsP(Nv}0B{UFn2)0Dyu!e=5? zBGZwtk(=(n9|mv6BU9%0gSyH8G(9KHR^)iQymy-Dj}F{e%$}$5if@&6vA-=nSsfdm z9L&3zT^E;xZ&h^hKKXs-y&F6X$DLltyvQWwMDe3;;Z z8hEr~0s{Pc4n~G}^#2sA@_1VRrMhMNZ^i5XmFV@qWU&kk%>P3H+o)xhfHiFQxz(L7 zlIsUhnw7Xs{)?wI0Lqq*))A=j}!LtB1k!p1pEdg?EY~V<+o7 z9zwe2a{IlR`>bE!1r^q3i#_X6uWpx3s{NJ=cOZ7_Z3brbD#t|{idDxsrJs(b2gYJY zdf$2mVab%W+ArbOeMJYQApkB16T{WFX5LvJyUS-$(!A@@AMueHw8NVXyfbWJ4otAV zxPLaZe#RhTS;uT1GPPCMH>5b3T$b-f(skm(S>cZ0HSFBRg2dAbbWX?1Q9%E9`>aq!lj#|x|A(%cl=IZy|C<-){>uKs z`vk59>}YlT^V!Xfry#T3;@0Plmm1N-<aKjXIhw)aOdsyu42T@4o)2;}zlb12oe z(JA1E72lmT7X1f|=M(G)Lhx`BjSNJn@E~zRVOdnod6sv_MR7stAAw`*7@59Xk=hZp zvzf9FJUGz| z=~WyNSmP~fF|y~5ry&k1!<9|DlIU`~4V>7F$VWi&?(?Mqpvs03+G#>^J7Z>IDIY9^ z*4c2!IF54P{?6cKsZnSf8WnFZcsuXoGx^6}niCZ#dDeLe?yjQlAX;dhOjG+;Z1o>r z(+r*ZkDQKSj~MM{zr0C51FLbSV47tkDqZ+-(J6q?NXzK5oaF+)rwUL{3aX3I-B(f= z{%MINEXkS7F={hm9YHgvfr4K4Co6XUbPytJ@SfF_QIA_kcL||OsKUtCt?52_gCvV} zO4Kt(%k_#5KhUV!AnmH|ZBEAMc-P^w17X)@P>W^iSPL565PCk-+Hu2}s$QvPN`EzE zZ}0HbM@9N;u&H0Hb9KWML3}j?^$DB7t`(%6npbr-E!7@BCb)Rng+zsoDA%vvBv4RT zl-%uyp^120^T2cG%ZXX5BJ079dqVwIEeRo{Muyx19yZ^Ke$%K1@=4MUCS4+5Bwl&N z8U+4>5NZA~wa{Mp{1Xb*K(VJ#7`b7`9X1qTRdgYd&^2uq;8vv$IrIYWl2lk_$*vj% 
zkUaRf4pk9~s?hw#RiR7Cke7){aD-()UmAqQA}lYl?!w;vMas8Cx!7$zArZo=n$8IZ zBh{S4eAI?f-13`*H$R38uw*D&4q>+5D#J8}2f%Uv?+&deseodTlwj*OujZ7Omx)Zm z-%m_a3?^u?h!Z$c#yWE6O*K60y7s57TN#tXmnOJQ09GJiSW_X`C^T?$(GI@N36nMp zJckNsWS(t?c=@A0L0L{SWgQGKm%g^dg#TuHUMHKDo=!3>-D)g z(Zak#ROyo!rgq~0e!~LLDSL(e$=>-(-U@rj=89ESZlUI7vT}v&)?5+(cFcRZitVhGL_x1b75jTWf@GqCwykeV@m*2*(IiJ&sQU7 z84)&oWY|r3Ocs5VOg;|+utGI}oXs3PFQqpQzH*v@KJXw^4vd%5CC@F29IXf%h>Bjp zchNcNB~r|RTU2YI05+FOVd#vsQxI+m0=k5Ra$FvGh?Idxzn13_5&Bf-o#!oKu@j7B zbNRPm$nry>Bo++yBk15M`&ccj>J+yaj5*~g@z~5g)v-37upV>AG=tFzNHR!&*_m$` zlX0zR{WY1x|cIf~Y{9?WvWoUVmq$}k4Af?%N=;+ch z9g;i!FV!*X7sq4{yUU3bv>M_vTAc)vmlXVTB4h*(G(E|@KkD&f_qcWN8E!Hpc$nM^ z%oGd^XB!`hff0+Y#5FbEQ!*^~Y+8erFj;834lopPXV^&v2_u2eAO2f=sQdj#s0$%E zvvcFY^3TtYF3ML;`#|Tlqqe+4=F&>_0fF3%r%kgyiI}*11>G*&LFM}oJ&ig+TaP zN&yF)GzxC!voHdt(Soa{7m(ZnO2Laui(w@SfUo}~sEC>1k;?3ZO-E*7Z6Xm?R-R%@OXC^#ysth_Yd5alKyl!e|zu7mb#J3i?V>UMMQJ@JKF?zmP3%5q@;6H3qGi@VOqGms#y&i1K zIIQ>Mw`_3@SZb(Wci%uTxZzvd%*paK&->!hxl7H~=h~l-BNg;!UY06PU@WM5A&y4m z4VCDxvqkplPhi`~Jdm3h8|?S<$C;nW<0!e^wuUX9LgK~P z>{_Iafy=qc$JdYa;OB|!BW8$dpm7YzRw?*?K7`*$95r=KKbIk8f;;1{{44g3;=xe~>GHM0A97VT!pc z*?2m9SL?H?cO8fPLdORuQ-Bb#c9P~(Qa23<((w3=^#P;Crhwh8um~bnwK-F{0WDEp zv@#cg@GJ5wHElyk!Ps8#Vkr_9Y3X_{@`4>AQjD^zC2i2AM6`M7>Nv8o$r4P^JXw!PpdOILE3kAozAxwf)%9O0wtJwoR-kg{cg_ns2?R~tS;_o938>?cAy zm)X>+XP|lU*kQ6ydS|Q0be%D+AQrH~P}8@ihVt1%{Y(O16YhRV1UYR-sR+)>}SjDr?BYrYoSQOh4At@m34dR=Ex3W1mvpMWgkZ4t<{K$(v%rs zERg6#v7mDMuTWLQ1bPBPKRzN3zMD0_*hK{F^cloBVdA>ApUu~haVvp^uxh4ufr#{z zzcw7mRa*(sD^5c&X5IPs$<=RYB(3Xt20rz?MQWqZxzsT^3YceG#J7SXpZOC(3U0(t z2R4io_*x#{K!nYdc7X?NX#*n{W!%GXB3Fm|FAbjXVW&Q$44mg@^e2MDnj=@O3PM+H zj2P|*IVCNX53WouP&XTECGs$v1W&HIKOcc zXr(uUfZ8slWFw z@ijw2$U@l4NgJpDk>Nw<@_a=uO&fh59#cvS&Fyyw!X96nh^FoFnp#=zC zPUH;2sY&`vkqqI{a1I$F5f$k2qgUdU4-tb8@B9!R6R6|k-=E8P4=q~8Uw2$LF1g)u z+_WBo^FeS0Egmw*enfZ186;*y$iqOpCo?E_Q$CPYLGpk@-vQ98=D3GZ9|W8ddD3-p zh4|))}!+K z9wj6(p2bI(nvH?QCfmcCU>`zjlOwwvMAEjfdC`i|zD`Br1*^wC*<44-|f}afLn{ 
zG9*oKkC1?l-@O1i7cY^XesCsGcVZVDITzm*rrtjUwI2q7eli?r^XHP|Cd~Go+IoaGv8Ak068VATL(qsuotAlg$Q5|85#@jO^A0Q?WPb@~)_7i=y;XNQYyNlcC z+2s4XcaS#Jc4?k%mY3`b`nH{HBFzSQx{gCV&E;f&`znCHN+5SLE{PK+vvxYdYH-0R z>H4rF8r&iH`aa1UFAV7CG@|vJeHS&0%T4D>fT%^Oe;SrNbLx^js0PQjC(wbJLa?|H zgYC!NuuWfd&7V<6*IoNlx@)-hdDpY+T(I}KY1S?Y%-rQ`oXLK-kYfZ5F0X~?c3ng! z6m&Q};{2juw4t&2tDOp4#_Vi%+s`l^2MDSBk})AqXuhoSGO9jn94mS~NhZ|3KHW;K z06F#Zm9aGIm|QbDfj|`-j=iQ7A&xV{bL(PPLGxw?bCkIu>$55X0+C*eWz#w5g}A2i zovV7vHEibkrl7@2FnN*JT`sP848dMYD++t5K}L?T>oK@rZ^L3FA>*@>= zQ~l!>dx5mb8rW=4VvNl~sl#;+ur>+q$@^q3G|4J_Cpx5Ep>@>O$A~ok=zy)TODT^+XHdVj3-bIQR z4@l2!E=Rv*W&8oo$n7L;@eb(itXi z4q@#*o<+^zwQa*#T;V=3&e*SmTe%#4lESLXh5uS|!oA_hV?OP@^#${`Gd#HR7o_Bu zBBgCrOTxjrh0K-+I;L$J{rIy&GzUa|O0;L4|1-_X*W~~+trQJr^n*??OM{<;jXB4A_J98rtZ zG7b-Tm#OUm=!M`LL|>8Ua)enW*^7@e zbRc?ozsoVn7^qgD9>7_-z2Q;Sq!G9jY4!~c>sG3hA6;_?tY99Z{lWC5s5l73KFnd! zOk7NUm5STx({yf@mKdA9xij*XXy@}tLLPqa6=R5=6=py00;h%Cc=!6-V?c4_QuOUW z!X0U>QdNxaoUO>0kQAsI@$$5Nlc!RR6I;f07f-dJ_q_0ZIOL?1wWeg)(sh?RqGatB zkmQ1^IZAtQ^YX{gZ&IvHRZ!3Hj>}JVoH@Q+sRorHq0)_aF)WAzcdNqQn%{}0y*ekE zam*1{~7zH63yDC3|BU4GG<^{dmHBY$kyUO85w5#MWA-Qy-Ph(c}}WpWJJJk)OSY zQo^xf3n@#EV{3PG=BI{j4*%&PWf`Nmh=5UL)$}4nQAAYX!=a0v_GI99iSE`#`S=*# z+L=9wu3kxj1CbU1f}Xa$Ll@nwF?AVGbVtruVqmt_%(dGLp~JqbbFg(x`r&$%E;-S? 
zK)?`0Z*a~uYW(QI3z;|t8U<&Qj_z6+sx$aZU4gb8qv{fNTGWk}bry_mM%|Ah+h+B& z!?Ubd%AJMQ3h0(pTRCzVGoc5UQA>exlqMH>o#v>^gL|B|!hzhEP392aU^R(i1Yja$ z&UA$kXJqgPR&BJX&1iXI==W93;Frjc3eM8Bq7kZfeLcD#0tF1eSffPToYE(U-K;k9 zkfe4wdPLX<PV!LQCof0zw1sn@l>GCu6Ofj{CaWt#ocw<9K zMH01&hmbTXVJ{rG&9lSob=jJUx&6nH2&gaj>iH^=O6gI^~JZ1tEX zTDxoUpg&sT=B^BdVxi1&aHS^({)O{ z74kpMvAIT(Wn47_mkp;~XO*7!kMPTy&p`D=bX}L8b(&0Mv}0mozfyZMe2Q}P^9ZMy z6eu`CI&u&xz9_O7J!TCqUhC;XAZiGb8CClOtycSz-;y;6EaAMMZxA4&YKJ2_gtx&t ztD`XLUT_s|VxwJg_V`yo_!Z?K!^Cs|{E7ug&dwt~BQ76nd&vpu@-NK6g`*)PL|4#* z{M)b?3n=jnwrqueEl_|q9%$#UPT+t* z7;_N4{tZm)8aRhf9+t`_r9dh7M^Ep~Kkn-@bD;0wmgV1`a&HE_#H)shzhK7HCU7I0mXd!+QC(s`#q< zs{I5JD$o_ARw@%%Ap^BX6r0^)N<|@dKkL^+SQ|P#;kF1nk6&lo25CwTfxKZUN+p|; z?NUI%Xfs1XNfXyt=LamYImv`KCoH-qe})Pb2l8v4`Ppqke><9@auP;VbOp-MDHDdN;@DEaE+ewja^|a0o%AExOziA zo*>M#K(D**Hd%(Kq73*feHqZD#C5)yx7dM)8!o86O=bl6m&9gbd~4ZV727z7>S|v6 zwWp|Ib$zi}>G-^Z+Pg701E57W%RCGI3QyJ4!J#l>!c72`?w{Se(`LD*m*`O&H%#vF zkMyvUydPOBE3^VD*L*C$2{P3889=(vh6|A7QMdI7Q@>DHFz#88tZF>cq&VxFT+(2u zcjh)QjKS}>_p-PSU_SyyZ9{4>!McwqZwwbEr!&#?bC^5l5*66(LC0NjNR3?#MKTVZ z?$%>C9;KWd^4%=Ua&HN}oqpP^FH;})hjpJ0s3aO)+yeG6diNb7^pxA6l!UvN2>rT! 
zpMv0W{rPQM zCL*aOt9$YGwo^lVQz1q3Xlb$p`?3MwXv(G zP`i#-g~)#K!mD569sH`}F~A<+5`sdfRE1@tK_qd+75=)Z`G&B&a`O0fZwvm{R#41m zWT{C&gu{~GRXyF=2!_#MDLo9~neHRq6cW2}=0Q@OfuPqKVx-ZN19^;lkr*_6ohde2 z@`MDYo6p(u8W6UArkQWLoz`Qpcto>Q{47{U|k%Qe#lH{H}UJ zG0Zp*qf-0a4@*%~ki3mu!b7jWrxVW>Y`TPoE7fot1w>0EI8To|Xe?JhLYjp^N_Rc9U-GRu8a{Jq z@VkZWc@YtYLjWBM1x^v%PxKpaXO=T2Q)*t#*a{v|D+&b^J_d5NnXvwGBz|kIV!{is~RCG0QC{ye@(EXNZ@8DAf%>5ZM>Hf*P{R2HP_G zFpo*P1m+>u9;LU{*FiM=u@%q(%j`uhgb|FFJ5tA(6^Giy){YyrT1G zq4g_{(pc-38=UdSJ#*~85)Yk6-iO*EE3o2VMzig^4vAgmKN~Dz-D|L`?%g-!KU}DAG<5P z?GGbMQ1^!-2a5ctm-G1q>vKq?f9$dGK>Sror9)@5vZd8+g&u_%Q7TL$4EiW~wGfR&ykmEJK4;Dz(nIYoZ ze73siDiLrSVZOXd-<$C$%$bPyY3(KaQ-iyw`H6J&dodBtW!l+jQM4Elyf zR;=UU{4tf$dahHbXl0cQYM*@4Bj0uP@ONG9bY08spW{-ZBQG66v$UJ1T~qQI9N)FB zGXzzWa`2$hFJnJbm9)RSQIaydYgJdUDm%yJJ?f`a371+s_r&C^E;uC)-FqqdBh5GR zXL-+)D$4pHV+|0YD{O+Wt)d)3MO8Ku@KPS~W9d$*eUa*B1iQa?Vz4#%2$rDL0t=(B zBv?iX8z5K`p`lRRjs!*@Z9dTXOgNQEv)$Q#lW!zIGNEjUI3BW+MN`OH`8+A%N!C3Y zck}5Q*)ia--cCVe3-Lp2|MB!OEX+#7Fu8XnzsTIRs>%Tj%+jG-CGQ_z>Cd3A|6Pti z&-&k_27e8{WdC*Z`VQs!$AXLDUu6QVype;Alf8kF10Fs5-w^?uZ~rc9$M1oE#0v6w zv{FWfW_tWKu8{iB$W|Hk>&=YG$L_pcL~;y3y~!;rL!ifnic^#7jn{h6K) zkAd+&2TXW>*ZO_w|FH^&|F_x-W=2M~|Dmmz)OwHEXhQg-c<|Q@eekb&;=%e_fsN?-Z zMb7)BvGUQU+uK*eiCE))Rr8^-ltj(@rS;7mOKXRRYito2 zt~b?}JPsV|A@xq;FsZ9u5UPw%h|2QC-l~+|pNr31;l=_kp8o5OZZ~fQZyg>_CGXo@ zjqJ6FCe)-8(5;F6h>W}45~7y2^7A}OT%JU!f)G$|CMPZDx+X2$vh$h4VlIB4yjPjW z?iquY;H#!K0WCMh&j5{Un+LcP^p7Ku2ORImxM!pLkYS4-XfGzGuC_9UZir z!(Q?UEP33w;23W}Wlpf1V7_p?$mHh;y#U zdTG^0!^gkK^VGPmI)e_1aEMfOb*tV6+TkcsHs~Y9D7`*UrFO4?*DSl9JUTsZg{CI@ zEx4bG0gQtzHn^y0514G_`N4)^IZH*RC@xLVIVk-Ub(e&Bv_(vH2x>l-0EA@9yOmq- zloLBm$Mnp{zW&sEs{9Gj*vYGI>%tP$kn*~9SOoxETk@v)y7aLYd6Cpv#{E+IgT{Oz zRM$t@ztr~?#SO1}nk1)!G88?Ah?IKMR;_3By3-0p=Vh?y>%Aooac0w_!RaTH?dwex z&F+Tht|rLVc+yZ=CfqwG(wS3U9MUx3vX71NiZd}%`W9kvy%`$mEtjHZy;xH-S7hV~EXQ%e2sy6o>sqwQiq)XY+E?T1jr{Ewp7b)-j z%%Dfu8eGZXJQ}O($qc$jE!pi|rQ?k<;QcxT}oz3qa3w6o%b^$DR$&%UbA< z$--^p&X+{38Ks@hG%-uk&-1M!1Es!lgFeA)n#_6eO-6B3F5AU{0QF@5h}j3CK**hPgT3 
zFhm_bXw=Kj&pazD=Tz-2b7I-a)jgUm@?-b=DR_lYI+%n%sFq%1mJcDQCPFB*p#H2o zf|N7{7Neohr^qnOC25pn=6uO^IKRker7r}eeB&$)o^aX?zVfk{c$QsE=H(z!FUr!{ti+PuS=>|LD^+i_(b-8LlM_cr7Azp*-aQtyCEW3Q zUvr?zx^f{IOFgHdHpEPEi(l<_ewASM*7oSp4QWTklPQ|oBTQscZ{6ASi%?qPh<+88 z-te!7TDbBy?1Lx!k3BhRSuBcK;OrGZeW;LFWktHzhTPwxqB>@$6m{3@L?6MJ`sfXR7t4Ut?C<7TY@xZY=@{)(GunFn*|n!a@j10i z5x9&V#;p8HEw{nRdd-sLvikPCOqIY*K-BHz{NtI#K%_GOS3(kCE#b-6G2MLH@+vHr z!~oMyEtKf$kr977sXL$pvrL9F zl7U;IlUcjD)!nsL{gSaJOLQ+d+>}RG1su>JIVq_H^o|RNQyTn||Cw1!HbR@z^*3z- zY3%&m?&aUvZM*|23$rhJ#e-1{@_lICMkjk5v_F$_tr!JCpJS1^q^}R{ zYF>dJqE=JwV>zG@zwuZ2WY{*;HHX>5(YqB1bWj*1qOYu1OIy=4U1}{?cA@{Qs71CT zf#ou$=ykC_LQqw`gl$H;@TnGHA!3Pw8m=TTzL%ZOQPOHTd335UfBrry+_v5kxC+n* zjP>0HpZMt2c)AX1F`kau_!+>lmoO<-T8JVOij?7Yx4vtJu!^=Co^G7WjpD*?FhYa=BqZ%2~05`EoOjansoNO8G_tL%g`Kliswi~y|F!&C%1 z94>`8^0jgF=R7AZdj66{%&J>!C|Uizy}BX~Jvf(2br@AP^R`kkR*%)xV=iYLe=Fl!VDk`JM}RR;J0p zhi2W{Xg9i!ERF+>)rDOjDw3($620iC{se@?ES)i|MYb(40iqlhxiAVW2S!41$|RS> zKuM?~Ow_fS*VIX)B-2|D`5fMV8Zn^I_q@~uHvSX=W83o25Sy^ino=%x&A<>c7Y$c2N3_K5od&!C_f3=w1! 
zVgPhNO*cDk7*(RpSAr;X=nIsi|2a}ZLOv-B_vP+O3iGGlO*D9>)VOJF)6rn>SlegHFijKv6l&yL0uZzI7$fTV{(5Yti zF^7QK02^al9(%!*<1bg|Y**BnzEEckYN8}fDlq(LylNx}gLtd6vK%VU}Of`+tgFIo{ z1m=JZ*cBh6>yZ>3C@MVAOiRB480==~;Sm}xJbQ|`LSFm6gFJZ2)O zWorpMj=ca_=4mY^qUVrY*Ot*Nesb9K4I5F7u=IWEwDb>4N*{Thp9IrM*rX69-&VWS zZLEH?qBlgTHkJE|%nSg@B6BB3!DkTIrP`v&(TcQ$6wxvZnFPEsrM_+TZp4BF=7EXiM@S$3ZXo9~e3w=Qmu0M2nBnWQ+4c=&$ekJJ z?j$qW!E;jh~+^^*S zK`=AZ zdCUw%HawgYYN@?qwzD6aKW2$9!)B15yA8cD>qxz@Wk@|=TMB9Ia(S@OjM_|kzUeykQHKtDjn?AmMWHPfdAt+ZQ zG#RU{bK(BB>O=MW`6wxRs~E^I(l=To|<{xADSEN{+F7m>BSune_yFt{x(q=~R+y5Dq*~@baqG;uX^E3-gp&pDf~9fK=$X zs|N*e$p@>k%rQ)HMkq$8iXYQAEmrY|%LLM6*1a>=`Mdd&!FlmbQ|+8JyNIWJ3AbOg zo8=}YYFTN@u59Tje(7Rx8+J>}*eVQnPfu<-os^pE51_espvY{Hi33F3%Q+6RHUD0d zsOCmTKkW|VdyxBjNp+GPv&D;&Ne$uj#WYp(+k5EYQJ8Qkx33L_&I;xw3_8wA7jqZ{ zEGi=RM`qrL?$+L1{?@6a?i>S9%=yc4o57p8(RO9&Apz4IjfGxoE@eWJBn61B8k+z8 z#^mF8yovt%S_Gda_k@ykP??C_ug$dlKv5*8GzB6&#GkwhwCILJZ^=bwBeLTacei;bFclZ%yM`e5@my(iRg6gq2 zhhF2y6gf#!n#3(qnv0~zp4wY8J@I%M*V)yAwPnn!nr|N6Za$-%g$C< zn|BB;c^M2~oOE#!9gQ8o!x@dphz&u#bJ)m}EKe{P1;$^4-O{Xr*a#U7!~)YeQTVZ- zxH33LW5tI-Gj4geGa}vO#re0+;xCbqgytCEJy~(g zRX7tCq}nnqcyg^L8Vf@54hzCkB0el1nHHALS^Q=aX55pb7@sY_wP-KezKm{M2#4(D z>=Zus)eY(h*awJvjTizr2-7C`BHL!6I7G*jsnb-&bt7$8dO_B?s@VHkMQd$6Hsxw6 zs@0*Wh766~cEnI&)*yY#)1s*)2HTMs!YkKp2&F&|PpOiq=$$%gh|p+ZPWEwU3-X{Q zi9lD};$(;9@107k)Dyf8si=E?SN_OUn}@p7LU<=CKezoEY8nVr3SJp8KKgFg6L+>? 
ziRD~A1wa*+VcH>om1ve`i;wv_&^k3|k8Vq}l+7FHy1gwMvP&vMC%D+axqLatp&hk1 z`xoj5;sz;b`iCslyfF!6wvuYlh9*282wR17u0Mzbx2R_8xyUM{ZF?RZFdn$|=VCZe ztB>9n6l^CyvV&1(VzF1&HTH*R*>sLw;!T3o;V`vHd?r9|sV=N=XxC4 zSOd$<#K!e_e53ov#l-T%HYEre*d>%XvXc8Nr9s&|6R<*L_pw5-bFH+p!Ok64@Z%${ z=H^9>r$O7d^B{&UQaCYs;dAPAUW6RCRpvYukAWUL*RZoyi=?CDmPAekYmX9-a=2im zw)O#w7%qo41u=yj9$vEyk#A9u6k6a69KF?=Y<NzUJgATU$a#mU z%kEYm!Df;N$NLR6$0iznMaui1O>B9`7aX7N^irzu;A7@=NPBki_dff&N+9_O3nxO| z%+z~M^foJLmtzHcSkeuwYj1hwA^w01M{{!(_oUFV##C+0=eksXB}H`SBQB=>-#>L- zSkeMTN$%;JPUOq_d2c-NQSau2uNhZ(8RTdY5k8GRxHylmXSp%@Il2i%nY0!q%_pCO zog>^Du4%)2Ce?;`iOkMVfu^0{1=7!FADQt6z0E6W&RfhlKC$R z^IsI^zbMRqQJDXtu>3_~`HRBx7lq|73d`TMu>6Yx$?_M4f z(v%TN0KkA&_06a^JWmzW@b#+)rz@=CG$?U{gU|46aJYS++XYUhmGpX)TdmtW_u$E| z;pll6C1oub!owP@u4uAn9=AcMT+Tm1I^5htWNDq6Fwv4Xep{?lH6HmO z_H6=g>T_pQ#oI9sI-7>_y)nbR>=Ex#;cH^@&R&cs_LBM4+k%N!NkMdNrdnpPGKYHf zNg=MK$!xuga9yLX)eeTobv-`1amo={GGsJ!p%(RwmtI6Ql70etC^vdxjYqRhEgeoZ zm~&c}+nPHDr%6W>-A~!lVCbnu8<7hRZWlb{I7?xb8Jb0O3bRF`nL{Owv}KfvWqza|lz0h|zEfhIs%mjL zU2s1GJ!nUfM4;=a*`;hnT9t5FTKqs7vp)@~r^CtDx5Po}CHvb-N$0pPSS z2MOBGhB)~rbz49td>DCmhX#WPDCAvzI+t!1kw|P|imW#rDZE}b`jOz~ELQ1bb{i~U zYhESdSF%tbuJk;UDW%^HX5+2b6y>qS8cRhMxdAgIF;a=5+GwQsy?82}k=29-yWvt4 zD#jm^br>}lLiJu38VOxJ5`4ahx?_FjAUB$&NX2A?7)Q>c9eaG?uQETd zbD)CmZ(7(tBRsiOS1R`Y7jthJ7FV;h3kMk7-GaNjyF0<%-CY6%cb6c+2X}XO4+M9D z2iIVM0N>=v&fd>HXTS36yUwqfFN+XSvNh4|)yz|LJj&GD z_G_dK>ymDPEK$7cwDl$k+m4~|EdiF)&Y_IRfI+h%vDu(v&hGJS#_%w?sz?3(bwLAM z0w!gNWWV7K!FH$V9}DyvO(uFbQwlkn>fgOm3QSRJuH{d(49qb$C<4$wscR|5#SDkK zC51${W2XsWgoh=BWp0aIc1IQkCY?e%SHA%ai6d*UA(h!@i-l)8 zW&Qrqv$7z3MsM~DrpDOb%xATMK;3VNV&qQfh^U5%v*hnFmkY;d&5yf3w>Thi<;&xq3;i3%o#r!JL+X zRPIehI1vfm1}>RUUs&Lp@3i$d71z^@=<)f&AEgNOaiT>InMTf@Z)A?S_CE+-Dm&=& z!0{6Ut<|2W&53dIY~n0)eW`K%b!Xu^R)9B@*S^oDH*F>(U4AdPG1b1IO=grwW z_(u=H>!8}*8&O|`{49gg`1fb#UI&=>p);CYx2>6P@i|^lzwlu9c&*y3SQc%b;IAHM z3Z4wT%Zd$RjwmhjyY?@$#{5vuyHINoH6PG#;nehE~jTLn)z`3sf-U9>37U2)T%J3Bd*ozMCqa$Z(ilz`mdA6&JBMA)8TOD z&)M~|Wn1&Vr(S+0+kLse0(HuLB%2%4ec* 
zE27T>&pH%Y``Y7AH8mWX?V#Uk_=&`_*<|_4R7Dp$w=wiDosU;F1gE62e{*=Unea2+ z@VWCnVEDqJs;dmET4Ir^sk`Vq9<+;j&}6(JpgJB7#WlpkmL#>5+2`I`sRiqA{L1~pT)RGY^zX;TOP2A zz~My6!Ntfb89VO=+0v^frVk9T%0zn0rNR8DH*>Glv1}5tSNyKYm6Y0bS)?o5@HPsD zcex}%@ij-fku7KJ)ml=UTJTG!`T7 z(SSUmk7r|5)>&+dCx`6d&9X18%Y#*bn3tM8gK6oo)d<4@yIMY&f~)l`hm#D>=q@v9 zQjKqdF!NUViLww5yg;DZ*N3|``yOlwzKb3YMC0UhZpn24dwlFUF@hnVMZ-fnfSj>Ijk5SA?bY| z*V2I3Z)$#T1jPY#|6t)Cm+KyUVBG5eGuSt4V>$XX#1lVr*l-yc;Njg;)Mq!N%-Bptrh%cz~JqD z>|D=8GgVnZY$--^UZ%S!z5W-K9~`Cjh~@UR74NpU23G`dpHf{AXSp9SXA^Rm5`ZN5 zVRM=x#Tfg|lyx=SN=OA+)79tur2l5&MCb zUZbRqAvK|>++y36Jh7Tcd6Pg9HA-oCyD-&$TxNRQvR5!2)@cHS$f1ci{yL=jf#{Fjfxug?)i}zrWCsK z{xrI!W)z>o2a<)c@#l9eBwB8|o$S;3Rey{Z`-q z3&Y0p+fMw;u>GFvkK+G-#IpTG#ukF{9)j~wOq`g zNWGI4%nHhx+IO0a?j-*rp%HrSZm$f5ckvuV7yjsQY%9%*dp=u6 zCELQKaLYh%q1A)5zml)jA3a@dg;dC&f`U8%wci!N(_^2i;yP)6jT+ z#kpa`KQvfkRYg~tF&et9tsWX-72#-fb4 zaZfPw4hIUQ8J1#I`_m0>G_Jt2Rw0(^l}P&Gj@~0@#cR?%K^_?mG)YU3GfIHd!9>Zy z#>h|4w2f^;Ih1n_U+z&_?CBnn4o+mu)7W;+W3_n^_7v})-q991OnPi!z`7;9Ba6A5 z!?>bN4tgtzPtW(UZj_}U#I^diS0W!5o3#jWi960~X7V~8xneVvZkR@j*6^`gN0@S7 z{vsrmlkVU|PXj4npu|Q_AY&_mFyE0U-6rmi-7_as)}4AT$^Hm}D5UQF`Xt=geV;Tn zbE$fb#rIOJPmvP)?l?Wx<<8&eGj^MaM1Rmm>)i~j89h-8S2}s$40w~|B8(tF@?~No zq{@jrIY@nGO@gzpqB~O;>yGu}NJFA|T)0Fgk&=>7w6^h4czu@Wndvcyb||Wi(=ivn zD2J{e1v8yxduH?JB*-Z_+rDyqY+YWim;}4P&+KEmg9uf;$ZWr09;3BYLYFequG z^klrU`NSsckLk@xWrLqmN7Z(WI>yv!tSD9CgB&AK$oI0u4e~n0dAVt+ z9F=w;SVC0Pan_TM^Bh8p5<`PjDGXNL*sv*Qc#YnmF~rI7c$N|1@$!8y8h-*NTSM|m z(aXW-k3x%G(!Jx?7<1jup+4ZbWaRNxSB5Jh&%#ha6t;a7=zt<19rb<|9nhcgC!WbX zn%$!h-b;r1;d<9rPB@I`!NL>m8g~@qBoHUg*1GIT{QO-N>vpM93hU)O^>$k!MYqaO}UT+5HoqW%);K@89+D-<_QQSM>283#ALv!@qs1f9c=9 zYJ>kb`j?IE{|HG|>8>QL4P*L_XugRX*dC>X>M~+0P?oGOAjhOiv>h)OzYdnGn{bwq zp{IDwottPw%E`iRj^Y;Q`Hu~J6v+9 z)O&tE({q3BsU8vHDlfyh6xw#YxnbzJN8s>?Eq z9Vec+idYOd9+(wWo7*Gvk!9Q>?8X`PAfIv{dlGQ$BW$~b?c3b1^G(E#;mGf!1kRu;iY zow|2mR(ptEjqN^as&few$-(6+=PtPC^fnE-xN%wn5EEx8H;b9S53nm4tox}ck z}rM@Xt2fn6s-1 zC${h}8jlOfe65GUm-h*Dp5>>>G*2_h7yi_SsjuT~PMh=gns?)irkb5}x(@+OS3W;L 
zZ|y{S$O(I@5lRtaq`WiX*wQy?c)-366fO3Y*)ac9nxa~$61$bGcisr~6@mjll7!FO zq=dj(7U7J-B&T63%#yYZ-*%28mQiBzltz4ppniC3SZU#7oawkAp1ui|jHnD|)7Wd-c2h^uN^E&e7bXRY!aco z+DtfkrixO1jjY@ex+R3`5l#<2t_u}PYbpbgVRbUHCGk+yW#@6}7 z&EAdrl!bnsqAc7IBsMjJK08ysO7|m<6)(^va=oG-m%mo_JBr;Ce)H!^FUs*wk){Z> zcI{q#w{h(|u9Q;yFH@W*Nn-& zsqJG&A-1}q3;lV*5~}bNXLy!ZIDx7izNaYtr^E{hF8X!9Xn$LOb?0h~{vj)J;TKNa zV5SOPeOIoqWX>=qja9~J>{h2`h97JS7|DrQWOs#U)D{;^lu%SgbP+{4Hpb z4B;u4^N`-~*iKmdgP-qCgo2B{lO1p$wo82)g8>iORO{zobxdR`=b++JGD0O z7@XBDgs4y$0#|ExYF)lBaEKk#@>|YKa*D;i4-tsw>B1!8Eh*0Q*2?$z1kMplG0u+J zFH#C8As1GR`M#E{M#*Z+Y||?87+0j1g!P`5ju;-Zq3X(`6#pX~0_m~t6jP^bGqX?K z!pBOYd@l*dX&*Vl8crz~Bc#-UgGDL(_-lY|eOq4NJ?2|-+FaVy)p#_S+Ubg$R1q;m zyrF=#opdn7?{ejACO_4jv(#1N>3*Xkg=3|uxnp1jC_PTZCm6fqH$SULZ zX1QLd88}MI%cM+x82(U4@~zW3(Mm99)U-$VYTwkmAhEKxB}m3Nlqq8}YrZhc$ctFx zn=Yn1RV~qe;$?=Y_|2XgG%Wu7d&uSj)icf*JfAz*r}!TcqKdT&p|FmpTYP&d;NLsG z7P|4soJ!qO)?Y8Kb)_wMFTdPK!;=a`u)D}SU$Na_2iOu{FPKBypVQ0SiW#0i{s)t8Z9N39vmAEtbvja)xsjLPcd9|n_;W!sv9_beSaJKzrH?+`psDXRk$WJK*8 z>=wBDbi*oO63 zlZL`7%KL((d-`J!JMf+LA-Yrs{0%X}8?64p7bwvNrzq__6#E8nZTC(=?WmQn1hb?O z!inKp1MBraf0~FfhCoO*$YkZb@$aHh=elWP_0WE_to+&l$%ZS-2P@a)ziv`qTcWLx zUGdCHBh3XhA|fJG*2>gh1>a&8&n6v=lS$tA>4oxGn<)JQ)GQ~HfCCpRLRGsLYl)mUpmoki9SdRwq|z1PSu(ShZT)@-7qUK+OqKKk=; zp`gOGP;H*0?c375n>R6X^YgqMlZP_;kM~w;G>xTHVNl1) z37?VZjU72Ov%qa|?`Y8!>EiLbWoAD=H3HxZ8dtG@8h)z$K;KCFMV0hiL?729VfM!C z6AoN1b1;T$pNMHUu9hDFiQZH6amnZ957-cJcf+pJfgQ6IF zcY9?V(Teay6GU$8QTJBytC>+qpZkV&PgKjU#buR&zTN7fK>g)Hxsn$bn|B2Q-KLzq zcX^weBND8yk$f>96FNDykbJ`t%9UqLA93h+Z)}kS8xVMRY^GSerO7R!H8W@i#i+EOfqxBA+t7v`0<^w>d z^#aS<_$aphXbWy}CP=__Qo2&eAnCY~!h?dx81EheN_CxSoxnU^Zfs=sefQ-~UlI#} zzdfNVQ&I!#CTtU=$tK#>UY}(PG?G<09}UqSrlQ(&?EEYN`e$6xQ=HV3w{#2O^6hwC z#zIBh{0^WxFI|i#z9QuszZi79jTmlcw@BB(JvbPPbk&MtiH$C46tHt9hwog%MjF*M z`WOH$JUs;71fs@Q3|KlwAG3GwnJjtBB1rM$A=zA+Ls6+KzCmsW5@es0U1x0y-B^Et zHhJ4FFqmL(vvZ)q{Q;fgr^_9U++m~dSs5`G-fezz0oi1e;uq)2l-wBDw}i!l#Mv#l^Qf9_Z=x-B4{9kxWj z-HuISxUOSE%FfzZ!kN$m**)#-{ihNtH{atjc!LYfN5;A 
z&vMPez(C%rt>XIJlbRteWBpdv6OyokTwOZ81N_2Ub~nC&8A@~O_Gazf3pPR>as~9- zZi`3h7~*jbn2;0oPvo~Rj{{F!LO&0BUY}mM59p}_6?>{|0#L)4f#U; z$9|79%=ONz@BKpJe+d4u{tD&&@t*!y!9UjD0kMB2wOIaiXZ{xrqW^R@|EfCrdod8p zUvvGr`+sycnPlui-KwB-T>knL`^Truf7eM0_n$jSK`p5Nb0_JqbQe1@3+wM7->+|+ za4f99lUBc`)p}=QV{ZDpM^(n24K(t%JNj=0MJ)d;uLAk2|0tCDo4@+^OxN!f|1&F- zs=JAsmlNm!o4>dvX414abF%_<>G711g97qi& z6GKkUw=y<0H5L7I=62{d{GpoV0LS$+kI<@3bltbN1^0s8EF)=c-3y+%jz0LWWZ>cf zFeqT8!hnc3sKo#NWrNu1a5`_vzz6YSRygw&HP8Vyp+fm<#|q|+?0*>k&xwTf0OH7} z8tH|eq)KrCKV#55EvI#H!RtxQ;;&CqElo*@H48e^^gH;uzyZ=qEG>k-3nBpk4)C2a zJ_$6nY=!|r7F1%9g^ez(|DIQebqp;jS2O_8LftW{#ytJB=;CWFh0Fd(582}HX8A{KE zmjK|yrow%LN-grHr*Ml3v&$;j9v+WTO!!J_cdJ^{l1Pu=_e`@GJG=Jm#`C)bfLF@s zp#RIZO;+2}4ume(7TS=1XA#ZXmtejUy13!>&)?FP^e*?3;`#l)8*X@RuRV~0XOmqn z$G^PQ+^x~f;ca+c@$x1WL5vF;rz!+pF<-6e=>PEOiuF2&yY%7cQ$ze-G>ltZueGKh zs^+e{P=_1Y1#sN+TKJ1j&?+y7>&Dr;oYt*7e}31a4ncPwLvf%hAdc^hsuhn(=jSCn zeu-1n@jmbL*{F3_T)>CK&1P%tdM!CO(Hv6nNaD-bo>sr-<4Mp;P|GJuK_nR+?2tnc zgHyn4rD6Om%*VFZ>`C+X>`)CuVhh5?7?U1!2`5Q(lQ`8L4QT=l_!{;HqfPjVP{zwC27Wt02++dQ zK^V(6QgKvOoER10=l8=u-TQ|i+I+2-j3pJI$^5uw)P!LM)+-8zJgE1e=c%v6@Fyg! zY|CXWzNk`Wvpm_q=Dv9C&tG`w2znBq(rR0wkqHO+Z0OZ!Lr#SONupaf$QuEh+95!w zP8roqyf?WcA3VHA%t!u4I7H^sq+$EdP&y7pYmS_OpEs*7U8)t>M2Qi2W6Tl46yOP! 
zp7vf@fCXCILMwR~oBPw7G5A*!RE{KLlt5Vkv9{y#&$qC&polgHB}wVghR^HE2^Yn` z7RDXFISHsk5gZaT7H?JIpp%x2G-ebbtN^HfU6eJZ>ZEF{3Bw=fUk&%)7L5&+4NV}3 z5LSVa_dOVZwk+`yV$<{U&P2ob7fVJ9{hnK%SfI6nm30YGGR;#VF@q*ezyKfdzaV?a z4h3*P1^sQJ4~HSPmwfQBHtzuxCLDzNp4ZAkl{Cop_^8r|f!Iq9BzzL4R3x!o@n4hw z5a#i^hmZ%~DYeGohJgr1QmSCf^iDS1j9DB=3I65lGbEZCdwax%G|X|e;ZJTFf}}o_ zzzi6@_8WRMwGUq-zA3{T4|n9s{JEmUusI8W8OxZ@gJ#g~IkP&CAw4VxI3{!2m#Jw` zZH#5pk?O~J@3wK*@Kslp(2R>T0T2Aizd_^NQnCY7D(_4}&EM`YMA4)9=TAN^A@LwQ zaw%Am?HTu6p8La$YvK;nzCHa{w-vz#j0y^u`_>rTN(V+D2QdR-mzpiiKGTNtK8K^_Tn+^#Y@L z`WS{2GKh%*x3kCoateWF{Ng}C@OK+`&S+}rgwh_BDDz1vnk9d(y7=nE3QMb1C3Q>%rl*#aC%l|PN z2paA0y5s)uKgVPNyKk!;5hd%fjw0XbWU1kqzXDLTT)q|nDfMO{I{c+=ctu~JIcww; z{6KsfsQ~V(wRx{I(+gXRQjE+*K>L87<458ZN}vqt^3Tuel?a8T~CX6shK1*P^ZG=^ojm5`=!^lVV&OR;1W&wp2f)gtxYPw%^>Clsj zaM4gd!32I6^rb6}^md=FvFOM7FuPMYOZ`L@(fc|3Adw|#R^r31sM5cFeZ(}R5E(j1 z01}1*9}0(Lij?o(p#)Z(KN7;ixv}6#z__9Y?R>PmUgp}BLjpL9+=ks^3086jwGn$$r0+= zP(hAPaxIkpRubWlZoTKf8JI}_eI7v`i=ATuB+_6)pv@FaUOKNP1yWBxQHVu& z01Nj*>K`E$6x>0Zp%*zY5k2|YrQ|Hbuvq1U^50m4xgmvlvJQSL0ZZKS6n@I=B{)0#` zv}7?QZ!QWh@-CmWeH{8|%gA^U`a2w@x0^R5RhoNPXui~PBU*(Io+wP`NZQC`41t?1?-OWr$L zMg#sGroXH#4z%$fe$D*c9EzU_V}{lrN^kW~et=LiO8*=aL`zzl^K#AvpYi80fmTJT zz(X+X0S;@bnBM%)WieS9{ivZjSbrnDchTeA__D4?UBv94qzQv;gvgIS4+W4Sr{w*v z$T0hHHUaYXpLD{?MpCaGZnW@g%l=^!G(G7$D(v5gr+#c+I5`FWSvO)4#3Z1~KNnwJ zT!|J%;=y1sA6|R<&lnsY5gPb?&c|DZcd4v@Xir_hb=FWiTNW=hao`OZWW66v@4FT zibnquv%`>#ECG(w_@GPfg(Va{G*pFmpHs(-`VjZ?aFULbtc0N}n(8!;sChh!=o8wzdK1%9ZKAh$t!?){fP{$_wme=Y=8phO!-}N%7s+1QF?H{csT3FUHWPj+ z8etkZ0YSLw_I(mufcS}~W9kw|N#)`0Ja1mH!RbwN5Jm`N1F&~je*ZuVAP25Br z0}HF`{m>4~MTeul(k$CI8bsLGPkyexV7+aIj4dR2zD`RO4aoH1^Q-{U=DEC|yVdyb zhJ<5gQ&#W$kM%BW{2k8fpL?`3IidqQ{9T5B;SyHR$@OgY}r`i(Zr_RrL|OFMyY%6!4>j zys-Pj#K$7LYWbWG^T-nDQ{A~wR}_@z?!{h+;ix*QbX<;&>oErq~G z0g9{p{b69dGh9ERELowPx`;8L-X<~;#-B)FYwAFQRgHyy9`61DpHqsZ>+UZz(~jPWI>>p1%*Q7b@v@Df&dytFF0FHX zT?b(%|8MIBU0vdY(p~K&TMwb4aOEHF!#pUr--%u5D&g^0A;oId3~$n67}fp_qeamG%qgLq6y1Drz1A9^60#R{GQU{!P@avn 
zc0^2UyH|&rfh-dnG`?#sxXF!WCen2)L;bPcega>$!$4p+gUO38iYLL_U98c5+;>lc zN+jibQqGwsnkl+H`pOg?(d*=K3D>qd4Ypz9gYnUixs;Rm$J2h9XC0*ZI-=KO|J7Y0 z-fcVq^;z!cdahRk_aomES#M7MeQX1K3<)iuH&uR1qQ|hFKyEt& zdFT!TE~l(L6&>)`(^+QW=7@i8WnEw;P)egC}jdzSeWA6ZaR{vt7YqRX^6Hy6{j0 zTqga8PA|_9v7y5xg&Ervn{i-i0jHqVek?4|6w4Zf=MZ-AfAF4%2$Zzvfg?(cKRcsa z6+T`-%p0CPX;-aLOl|c}9$XgxDz4FB5G(D&sGL{jqWiUhn$SHY>@LvAA)YK<`&|lq z{?UTpc8d6vDh14F3d&CIHCpDFijs`c(JPQrPCMUtkzZY^CaebJM3q_B4mp5)J1UO! z#NCbjmF@I=1O0v>ehL^E(}%LA?-U{yB}3p}^Af+U)_L3U4hf@_OU6k$?4cs@nyUkm z`4sc0()h1HFZ98F#!{-*)P?T_BT~j6j1&>{d5re)Jw-)ji^ zrp;0H#m`sZGe+sV9WQX;7F0N7uiGzr(!TB_!vv(1{0cvqh<}w+sZ7+X5=czax8_+B z2`|XA+JiOT9mgr=$LOt zlPOoD@fW~f*utdx8r*2JkH}ulZ{3z-PDTSL)okfk8{j1MS<%&Rw4u88Y49L!q188w z4kQM{q255c7&D&KHKet=cj{v2SS>r+86Y-!ScB_^c zAfu+iwC{auD)i{;CLDXHuS+QP-fAn9OsMB)Pbs9eFq;2<+iP-z3*ZW<#|gCqdGTf4 ztC9^s)FstN{9&5_wOm`smh~;0s5L5vTq4i7IJ2tnzF?J#enX-}06;zW&|6&T>!Vql z0fR-J@`O3r#R2_GNhRN&{${HQiMPY@&-K)@&3qt0@a6lx(EiP!h*jQulF&7t(0J+; zdIIL3K}4_7b9u$^G3E0W+c3UL$@qz*A1R2mJ%#iREaFYE?ggCjz4L=Z+*VTz2T{{$ ziaRgk{3o!yrsBXIJfC+)@LL?-2s(w&PV(m1|hI;cIGMhWoKdGtc?v5S! 
zmn<>t?U341jJR{-HD_W)RHy63)-fC}EMk;rFZULnp&Bg0#LtTeS0_Yvi?d(wqf(JC z@a$(&gOpLZb)o^{gr)zDg&a+b{*6{79|nR*Y`GHGy#V7537JDIHZPIOIF# zW{VYcdPLrVY=CfAJC6e5*Pv5#N0C_?Sn$L}7RWBmqkdF1=W)S00A;>TYr0DEsxG!vPSd6&#O{+m$ncCeW$|m3eiT~1J3-J)DC0-qzF|h9`u&(%AEL@ zkF>+bZhohG-c1rvAIBHA?Hi9;Aipa%+pBoe+y);3DjpThMH<=-C&~6f!lhMr@jj5S zVq`|cumY>w^x#|gP4b*@b29^Nkn$puplF##*cKV>$5LNwb|Q1ryM{1nW^Aj6m4Gu; ztZ|RU>gxia=If(lou#j$bh%|TOb9at{Baff;!H(e@lIlN`vq}3?>TXo=2mCMycShu zdR^^tsCU+oU~QtbV}%px+ z)C&^pc(f(Awzb17?# zP)JD>oc>~ijm2iXT7tH{PIu`N@=;Lmfv5ORphuR;r{XGKw4U&bJ@=1U+Rsy#^qKjS zQ(Bf7L3In#SyOif=$x~iXDjQ?yK-b9m(f`^e1+07SS4|^NQ30hYp^u;1-zjhq)ZY& z78GgFytqxP(+CMLmibm{t-qEgOQk&ga`EY{iV(Es^Ym)`tZ#dc1hZFOD)H*@924&< zAnYN)nb^%$;DVzzf&wjNem&kAU-zN;JAuS^LdsV+~8)H6z6h%#0^<1S%G zD+%m8$tSrJ37MjX#=;NIZekl(T;U1*X^9WDs^CN&`Ln#EyCg0PCo4XVvZg@CEzPeq z^sig33q=<_=ePp!9BXwDfjVFE!G2&9WSu%#O8YKN`z^E<_zWb*ZYnpN^`dp*Nmi~_ zb~l1ybK0&>!OJ$OU%SKLVF{%3y*2m86MnZW^_~|Ct}R%dNl^A@_BvneU>WhcctT?m z&9!?K&EAO(6o;DyOrZ;wI@75$OJ�jem+Sl`L>G6^j<2gxd5LGfgmXC_MEF+x~AGufh@#^!G#yY?z0X9 za0<55Ob)mlS(_~({Dxd4f8h^3jS(jm~A%vnch6$(6{(jL{R-zp;bQ4}H04@sVV2v10!+nCtsZQlfG z*_>S$iE|Q=9&*9X6I`cAReSndQZWOp%kIV(GepsX#b`ZSJ+V=VK1%@yeCE=P`HV9l z^i1t-#hG&>3C$WWxd|AYYovj`5bfvru)W4SLOEuN?Yx0Vc!y11j@_6cskh<@Q*M{a zRU*sbX4$b|3FXPz1cIkz;HLZLn-1X_2nlvA?7sm{B87Jorrq|Gj8L;BNxEog7`1(< zYQ(M+!LP?)_^HM;gpwNR7Kq(s@ zBVeBae{sITz6eQAG{X{pMWdR!bB$ep(3HYKAvNr<{CTDpoXO2pAk>?Hw?IbU2ndp` z@hIj>_-x3qH_&w2YwM1-hy!_>%$x2@%F)U@&mmI%+%|x$h5N#)jYo~ae8LO!#!h|YMw1Y^WMJp6A zACP=%U(0Q@Y&hGG@7_X~5mYK~Q0dH?jB|-WxGj+HLCS4hE3@R!8sJ5XH*qiwR@3 zR{Ad2<;g-vtQ|{tZ6#*|Jrcsmtsx}E9o*j+7F4JT7ZzlB;{)jwS06DilhLR&kyzr{*-P7u&O-qm9} zB^DM`?gNLopg&VPlGj(x!TvT~|D7?fhZ^VDisHEJAg8FjQ$7_{e;MYO{hQv!NIfx$ z0p6y*WkCt=CIO^)2{AintF_xEF*Iwr#_ZGSK}Sv6ffGQZEXYOHxXLUA`I*xAso3TI z%kcQnRoWF-I%i9Fb@nIbYtcdrs*6a2HgvKzt$X)s=#u10{km^KNGSp=zda~8i3Se` zFC+1s*y5>HKPcdhuGdQVq0-o!NKcqR8P`mZOSogK(6t&hc3FB|%mA?8Hyku&SewPt zfLABLe^w3^^Xw8h-|n{=(x_=Jo*n^1ENbR>6EW+(s1v+*B9DG|5~DI`gq2^1Br*^= 
zh;^<+fL~yDsfZw<#Fw~+V>DfyAx5?IBj0!_!rOhPvv9kJMth>@t6rCzY!J6PO#)4o z58O)6u_AJQ4Ai_POy_i0RT9FH7GFW$^GvBLe+ATm%}ks@l>u#mC{&Zj6z9!${9Q64 zKEWx?VA%E2`;}m;3Ig1dEQZI3dXmK@>D3^~@BXb+^+2D_i`YmDg7yabqH^F@#0pJp zd#uAQjnPmh41>if(B7@6B=y&VXb5Ghd}Q#h(NP^+nsHx<3%A8UR(@J+TBs|6U~L&f z{Z=7%O3#k4CR}<~&|KB8$Ie9k1xuGMX|2$~YKfEZWX7VT0QvTKTDPX;ZvWAmnp0;% zjm|}jU=0hR?wa++CSvx^TtNhPvG>%u!c-1g7hDHDDG%r5T=wPCS{E zPQ2~Fc;{&J;x4DC+QH)PE&gmN+?ct&t1-ItHQp00bfj&;?WOpY^i5~UQO7}@t$ZjnQkU{WOtlr1w@5nw3*RH!zfpnJVSw< zGctmjDrl>Q+w!L?>sLIS9`4P89gVM)c48Vu2ZIoAXQdY666gNfW0TkXU8}gRp9YCS z8_7e<1b?FiDoTi}`_v<}eKo5}be@`NrGQn@e7+8PJ8qM4g|V(Nr&LXj_jhR9g$nyO z)Cfu0alE2pUv$biJ(FWM$G7%T%b&-gPAy%lls))7f$laU&Dqg6HWddDV7=y2BnZAM zxe%qAYiFiwzCA@UXBLvRDGE9?5LoWiOBH$Jr2fmr0@2xMvDj@RN+sDhb`#_S(-nyn z)gMKV;w{hl@5U&IME30kMyVLE^j-ExAcZIJXI9BeQIsY?zI_tEvoE z`{+QcaJzx>CeC-u=ahW3_pQGDWXZ;KKX~0m-*&C)G@s>{{=Bi_8;3AF{GvsiH~DQILOUkdT#iTW_%fKTazR8^&yF*i8Q&a%3ZK zz`ncAf>q2{U9}lJtl*>^RcOg0LuFm;)-~clCjqblYWfXm2T2&I4}?Tj5<@Wia_*aVFxC{dI2LOts<+S zBox$Vi8oLM&#$U-aL7*I2?_yH=U;$AfI=&$Ko`W?y-H9hPk#6W6iyaS9HyzFJkz3{ ztw;>B|CrAZXyt?B&0$eav&hR~zs$osePzl69%PIf4iHcbf&;6eFKu~$2$Lt_VV4M} z5am&*vyrnBRs{`?t$~!1gxxk&Ju~-3qFTdFfkc9bPZc^U!@Fs6e0Xrd&H=%DQM3@c zD6v9wZR>2=ZcS95Fjyb5_d=nbE&?F+3PaR6 z>K>FTutKYub2=8%eFE(jI{GzU99}*|2t)y^hI&^i?XC^D)n6O<5s~g;4W$N?`s%Tv*uHy&W(ssjWIod4>HMCjuyVNuS z>+U13tOfE}=$uaP?&rT8M?6~O-Ngz?cctZJq^iqcvv9%VF4Kur&KSXD0PcRncuk|u z-nrghc&6kH51r?#UT2JGV1T=j+xM;0idrqX&ngdsrfhvB>OwEsioWhiThJx(3F-5g zgDpb?v?CnVDu=%KXjI}fPllL0t9Yz+AMhZ*1dH3(o65=gDqU=~B8@h2JvC`~W4Jrf zQgxKJ^udcfU#LDm&Tl75l0WH-Dpi#RYpm+-q$7Aqmr_uumb_ZU{=v-cX#6(sFME-2 zRB{=M#uA;$=^byzk!@LZqxxGd&vF=$jDMC8A3+Kzwk;)6cq0VMY`43?p--+MZN;DZF};2-OVAtWyI3 z>^?ZI66`WcXt-I6m!^sP&i5cnvapco_r%C}!c-g)u6k}5lkUXJy@(BBB7+!x+vB&H z^|9e~7R|d%@IedE0uc|-cPNkZ5hN3WhvuZIQ7IeX!1w`5jhcq&D~gerUqQAmNclLG z;t-B@e`~?(@aJNEF}`3VZDssA;fPAPbeJhFG{3h22>M?eIq`hn(Z|4 z+DJcDgOu8A3QE9J`$#om-8pS3S$fFGaJ>eM{IKPX6de|+4h48Z-^r)XE4FldF65I; 
z=<{g3=^14Pr;m%kBaL8qkcfSo@8SPPApkZ{V#nIUh;E$<_ZM&D;e-vCQX1~)A63FRyI*t_`#R*2lQ-oS=J{k%J2^TM9(G*qa?a+#*!jdC~GD4Km(8`JV_ zdxY3st{TH#Jgq{-au76ERbNmv<1*TTuVco&xBk8*E1lZDls!lw*CX1@pVZadD*l6V z5?i5S{sK1K#$<#!%1)y^_u)1H{?fqKU=wOZ$`4lZuU{(H;Q{TFo62lY#POG-lNTRtC3gqL?%*7YRfblvcTX9*VYL#6GG4RGc ziu&j%|FKvq56=>>YH5k>Fq2_`+-W92)!Y7d^dTq`3|DipeJ#=K-^SEmZ&Yo{Ysyqg z4(l96+kJMO)Buv^^`{~`#xlkjwXzRzSMf-3w)|z{SDRz}RhR9YUQO^@INmv3=>GKh zA{=d(8FPyrzX8bbHo*;E&J5`hm>n(C9q;?r;w;_z4q@#u>rcfq%s?1&=ps~WBe(o~ zILAHj02Iij?g>!8z95j<>+L!WG({I3zfZr?AFyzi<`Ub`UQQc5=Ti_*{d&8I$N=yKMhCccq}^(g z3LmZ-mEBo^M)zaX9vwl#s>u}^Ox*OgF zHXIWh&nk3=J>I$n1WR6g;Vaf5;gXHy#}7|sNw*nXamMrBP6N_5Ot(y_CBpbv1o!98 z<7$=fKy}RC6c6nV4)}eXI~Y{d$LsP5=;l*3j%s=}p+j3fW=bklk8=+Q#QSseb!H8| z)X`|`i)xDsrL)WC7P+XJn*cB*J9=KsgOTIW1~b@LaI!lkOu$yL&9<}8umMr`q~V~q z`Ha_?XNQULPG)`QE>j)w!ZQ2s7~!~iVF4H%-HvUYcDKg|hwc0yK-cQ}Uaas`MTwde zRC~3?ItGb2n({o>u_72Pb}SQV-fIrU=ToG5qh&D7m>~P@iwmQt<{EEdfFdAr^~?hG zXH135>ksGUTB$AS$I_9Ca$sk?j&bPKoWv38*GsIOC_~NcMM(zb1cB(d6A)Q!7TRK2 z-@}siDci{3*jZT8~j3#QXa=sa_v9AFlHL$ z#5tP#iLf1F@)IBEdb?Ba^XM+DInJ<#((IURxrLaaq}1p0DBx`{Zzy>6wpq8Me3%R_H9w_RIx zEmcOLrxiN0ndY8#M;w_*lkOz8vnAf_0XA#cyCESOSSX^DUI6wrTc1_#+4!(Vi+7c6 z)nl8#(f(oHZd9hbR2z9kR(;iRJX*z}z|mIkIfBH)`F$OOpwRROl`gCvO!KFN8@;6n z^;o2c>Rrbitgt|;W5O9dQM2}Q`8Vg>br!7Mv@C=z@0hH=aQj9%V=d3Y9&$0EOE+f?I}l=BC;@8h$i?2)sFRn+@LsAf#N@bqce9SN zmYdnSx4~7xrHx!AzLKMRR~Wyw`f+p2L>b*TeWSTP-tnf@uyO=-JKuKr}-Lwmqd5H|J{FcHG>K1L$Z2 z9P{;=e0fZ&On@z!wXJno&-Z&-sv73^cMw@%3L~8YIa*w#030&965%-aSDSJ9<`SU= zPw$J7FpUKYF2pPBNk`W5wauy3W(}RE0@M#U2XA=&5PE62WN-BvXmty|Cgq8^cN+jJ z1GhxNN8?5B`MGYHeNL|qtm4ICCs*ilR@)R7(#Hf4>(hpM4Oa?ZX9nB87l<8O##V*= zKoX{5h%#f|@M|{oyG_##Lk%%9$ncJ=K}ec&IB(c2Og|A>S>QQ zAzy|>yqMboD#gs)1n%1^xH!2KWB2jGV#PzF;)izSTH;-QXkpGVU1xnf=_!zkpU_sV z_;z+$(T3|$!F~WGQc$7B>{25mhG)fXwQL)1hp~Pwb#XEEgn+w8wfasGVEpJvPMD(M zYl1DewFw~xgF&CM;5tUfx}hR8awAG#=&Y!5H?tgp`wFRd=GvIaE`m zUrD4{A0#9PGe#)3eWnRtMvXDnjRi8qw|FGUGO$bD@TTD{D6tin0Pl~cSUfW>a2m%k 
z$DFwbYVI6kCJrTlY^}DK>!_eE{b;5Y#Sg#*x%QGW&-tK4*bh4Lqb;tDMzahv#)%2IuMDFf>Jn~0jXi$AkL$CYU+_UWT3CvXX4^<5 zQW^4<2Z+9s546@%h;%gzglTa>fM{={z~N79vFP877*U|~xL z1UbuRNQ1?YD7j^6`DtLG@sjQ%H){td>hUr%&2&fsz>U?*t7b*Qf8elU&ir*v#DX-a z8uNZd8Yapq&UU5u*M&7vgmUlCE1Ow^J{-8oc+(@%;BLfmslUBzBN{T)@x1TP+Di>$ z6oa5h;h{WAD6~MmBcL#au85g20gSr_8E*si`e<4*M_~0sj%i8w7R;fghR%j&Qh;2K z&GUqWfGH#e3zTVbsR50XKbsMUyP)y5Iv$m>_CsIOU3B26BOfQ@NXQTqZN`95Bmr$h zED?~U{sV*gKQ_=Hkn1AMJjcz<+OHm?3}1Z_8u90J+AHK^rNJoIr?cKjOM|ol^hUW> zY0eyGve)WMnL+aJvzJue-1r}7{{cOmbn`q#0XeRaqSU+3D;oRH&4SkA_`=0sT;Htp zp6m<;UC9oVi#0RzEbiY2LK_+3Du;qZ1DuSC>SoygcJ^O@ClV~(K3-CFUrCTpEAbm8 z3-Ck|_ug>vp#0~PkEDrgt% z4?LEPFpral;$Qy&4Wp}=NQwUaLOI?3>XP)fjQu{ji|4zCug$ARHVn>3k@kYpUHPMP zX+S>P5#y060(Jf>Q9C{+^^IBYvF7{`K6mX58DA2%?Z4e1c$MY|A;23Ho^HxoOspdn zXT0@AC>fP9!L+X_iVP42R-WVmqAZFeRBU>xF*dv~;O&&6OE45;_62J9zXS>?#YvUekQ+fd9gVirjUTI{s?oI{7xmfMBdk!D6zNx&35T)wa#p?t3_FCc* zKSd=d zKY^iGe3|AGen2mv(b91>89lPs0IDCWg}6HysSU6+fshaA^D)X_QxtwGrqsM4eOfzv zw5Z2yxqIf7(_a7Ox%&XEc$-k9!e0E1UaR=7vkpzRn(ePVRt?_{+8XVl!^iB+owhL# zw=yawTgJl*osfV^b#ELu6f~XiINF&@^!z@dwNIMN1e)e*@q1z7V4zON4+Yg-@f#+< zB;zcQzoUS{f(Mj*oD1ZBQ?ps%W`5GI{zcJ$0WHU%UTtvZ#D@fS#Mc`zQD$q1eDhp{ z6pbCIS%=jt??}_!>XXSvbHM|&mQaVF4V8Fc6eFe(eOH1D*+YO}e4i(oO#&7Fu1yL^ z8c+gj5~|GqL*aTom!y@#Z?zbUGiSDq2yknjHU&4Z^a33GEi9{?XMkB<|BxU$_4_Fe zC0}k)u*F+>aGcN0%~*JXR`&Es!k8!CPn~Tjqcu28U1ii;3s`W)xv`b>$}6Q5e-%6X zY$^znQxRd}h}LlFc!u-J^CQiRrIiT}u^rdWo{{*cu?#P#98`SH0`J~pcuf4<|U)EwhWjM}@~@Y=$TaWph148DVmK;vLEi&6`)U1r&RpA^bAl&gsb;tA3&6g5eWzn9ui^ZWL!Qc~P}x{DCQbFdjn#ZVCQF*G z$=D9RC#ghdo;@xsE@_3amw=|K_2`J^TE1_nWLX7G^^Atf ztinP_vyb&v<~SNP&8%heE;Qcye2nS#$ITMzgQtD3S`0r8p~^iMIU7+BrVN9N%l0fM zrPljKyd!}^RjlHJAoJsS3`jDJ!u-MdgdL>nmme7Z+&a_U7{#2wOw}Q{Sj9oW7SJ$% zDa`&?1kIEQhwO>?uK{%AY`O?{1eXe3h9^W#26ib#G3kRx|W?DXx0mhHFW&6iki)6bI0#SvsjFAA#jP!>=3mNaD5db{-{(P+@Y zW^fvJvn_Q82=x~4yJ5Ne_%H8@9sq9E$c>Fs?$>Ms7x(7T&f^7$1DfGJEmM_7Rz@cd z07Czz=OMHz8?7$OjgJ*WYLXa`K1&yYyCWo8r7*guY*ln~<)D&M1#Vb+48*4}#TFq& 
z@_`D^4>)!f6WwmJpHZXrnsYsa-CvTj5hlLtBvQFX)>mrO2`7mCF0Vnq&gc(%ZKp$qVs!yUF&K@6TG7^K$rFaAp z7}F)>Ezgb;qH4&1r*Ub>FM4ak?e0AqlI-hY&d`c^W&66LKwR+RNZ=k05|Z2cEacs7 z(1(Q?vv84Z`8Q|TMuqTHdp%B9&7Kza=eK1h1u>QNO}l;6mJiNL_*n$aJfZTL?^g3s zrB~{(KUN~|J_D2J`+5RR1@xHpZC_dyA-`2sMD0;)(I4<2Q6}S{Fd+Z%7Aq9hvpU!E z{bX;Vz5IEW-ITP0=6#HO&S?oC=PGzY1Nb*Uwc;N?O)C-VO{2Y{@|3uaM4kQ>JyJ5r zRZ^8#kS5q+)4yoEa=j)gW@G(gRJ&1i8j*q`G0U~bR2_zfDjwH{h4*7Y#<8!AZPc+% zPQqQ*oyRaPQjJR5wAO3VIx+@(iL$>IzF;q+4Y|%KMLCUrU6L_>F-Ry!$VAZ?_~-?* zHjbiqCN|oQk5<)qZoQ_fUxR!HX1*0x9jDb**;*FEZj!VOFI}d+J%xVnus&TTq9z-g zFnp#F8#4@G6hz<`nE6m3)z`mjfc=PO-q01Mga!n;h!$ec_S~jcY(LGSzSQmz*BYL& z;x1kLcn|-@wa)QL4maKCBH_>-p=wMX^-ujkNHKXhs<=3_nC7@A zPKAP0QMJ1PVuW*R{@Yr0ydUFpe>Vcu+3FpjO&gOm-p_C^S5YCY#Ro@u2@Kb0dZ zKJOk68@OMjA(u&l39;fmqF4Jyl|<&r^rm$hp(rbG6lu;)M*6T|?<471*tslieXVa( zb-XCIWpJVkH9nHF=o4vxhoN#^9JWdFw{#3CITPC*T-DoyKfD! zC#qIxazZ(8uJ$#?Mv>a8y$RV17X;MCx*CPrfS;=$oy=C91rHC`Q?}UzaB-~3ycSC} z-{RByJ@I_prw%`H?p0;I>3)U7r_wvYy&7M*jcU@Wk8Ol4Y188*qKwb^HU!AtdTLZ^ zLm_-XBqKI>=zDyr~2o`17-9P z#U*lp&Dg0)0t#yq9Ilb8)DOZ*`gq1i^AYb<;-eMU$YiqNHI~w7?ghLLM1c zQAy6C4oZRIZ&FsYU%2zUV1maT1cVH6%t8%eUlDeokYAGg+*fpD(?(_zSCm#u+DR|wQ1Xt=i&qjO9Scp81WNY`h9oVk=*qsuTqQHFO$SY@2s%^d7^# z8q>N7n1|CFDXaz}NxRM=kqL78 zaT5a>(FlNlMoH9s*)!r@|BdHe<3wfljON23`~zZQ#j&PcX2t~CNrsmKQs7cn-le9{ z)bw$aQ7(L3Ww@Ne@ZO=oI zzakL~^QY3P7s{qPzmW@|u>&n6;sxepgs`sSU6Te?x0WG+x%DaYl-B}ngy6R9ERfY_q!$goqbM$HUn{A$oxzMe_5WC6;Au5YOq^2cQM{^2!gf>X?KMT)k9(c_*3wA( ziwr+|%o0{@BP=PU zM!T5rJxEBQIsXtSO3H-4Eji2Z(wf?Ss>ztfa!=$*O*t3y<7X*%_Hn<`IBXXmZpt?% z0Oh4<9pf&JHqWa%ZtN|%T+9=LCFe6BuQkQ;9@1c3pe@659XyHTalLda3ke?@8E$!? 
zv(dX=^#0s8VgR_4om7}9k3Z<%5dLw*u9ouoN43=Y!&(=LqfD)u5FvXlhgF)gHEr1v z-r47b&e(T+@qQdMD_gt2L18BKwencE9NEU;WOa9J1kf!( z;l%B22)JBtqaYgJs{v4{uK^m)aez$oWL>}|enz4v8zpo@FMtGXR~kvi)WEt01$Q?e zyLf~zT#s>^CzI#!a5L=SdZV4YZ=~6T8+i_^C#NN()Y$}IbJ2n4vO#LDMBV@KG^nT3qO zqF5rvwNpa;a8M1YC~Uf1KCZ0FMDj9Pro~*R#&X>Tm|KyFQzeo3N=;^$83kn8nysTF zVlYd8n^2bGL_WoTF4|D>J7kq~R+0=qcMDD$X~mW@&`RpSh|ht)Ei=RL(p-22lnvfw z+T}L#dIYo!c{TJ7xYhOR&FU{omyp#p@-$@WWx6fLM?bi+o0Cn4XmdRY3HB#W{WZ`( z_+3CS8*{GcOZsj@`FN}ZkR~nAzrwk=B)0J}c`cho{He~mz}TxU&_XUE1uMX=Oms9Z z?^9EM?e2a1ux5laYks-JY{SETSz5V>v0i%xT*_@i{GQb%h!27k=nZ^9|3_5n@$k>_6TiI1@p&KRBS17 z7FVfnJuCuN<5x`IAif#j2cRxWbkt|OsL|TQuJREK>)e)r+cY)PN%t3gK@mtUi*Htl z)r%tyB>}8Dbf+!RPif0WDy1d{|LH^#KsX@-sxapI&VZ7tE+;v!_Ag09DluF_`Pm`b z6~r3A^{3;-0Oh$gCA`i-X!T9j_qs-*|#`zPSe#fQx!#1#jkFWA=jBX+Kf<% z|No(|7U-oUMr#p)NvOMj)G*Ue=gIAT*M7~KB$+LvtQA%3!e@6Dw2auv!w7A6*^YQ9 z*2s`)Z0VH9xH%22jX@Z4!gnrY--D!`(Zwg6d&)0BMPs_O?}Z61Q4*C?8uCXPT!J_i z=sZq)<-pK~zUG_WZ(nJ&64DAEoW`%8lJ~uj*GSykevU2iHU_^}Od9Nq(o6aoqfF;6 zov`)Iu><{N{$NHFffy%itT7h4BZ_3#O};pR7B3PCNcamYRdTAFHA$2aX}W7oDi8ef zx1L(&7}7m(hG6s)nLfi+F$y&gl7`|SnPctPmg$^abjuRE{xVYk^sM<4eI`LefXepY z*fgNB57$&CGTJ)^)ZLlXPML@O@`W<*8}vvRuTBsK#Got*DT2>%1HR*d%{CfgCUaB0 ze~{^Gd_!KOK$jL5fDV&zH5acQD0hhbhq@@;N0;wcvhG#y9>sTQ`*Hp6osmDkr=bCs zUZXFps{i-Waf6xQQvEpOzoBWMBhFu{7Xa55n`kqV|6D13aW4w~5WukrjVR1H+~F_n zv>9`wK#^BodMn9>`N1to{Fnx5lTN(*U3-Y3Xw?q%CT0NgDt`cV{J?~LIb_e*Hy{Pj zi|3ZS!W*y>nViz#QD6^=A{K$nGCvFdEh-9pq=Gji6ZD{>N-1thT2-{$+;>RLNR!2P z*gyS$Cj^2ohlr-z|3GeF37PwG&-cukTeR4Q&%VQ6Q*~f*@@&a1^Ov^!9s`AB1#g}| zqe(&i>)?%z?pA)Bz6pwfe8Zni#_xas`=tVKGJ(8+M@^Ei=6$kU4mncN(T(q-)pRuMn68gGIN=VQi15HT0jKcf(D}PcIz&CbPh}K;7`6xAa z@#Lv*bIV$HhuInZrT5~|>Fb1bNB%s*Upx7o8v17|OLKkd$7*TjgVNy0TP4gCI$;(P z0=|?9c=!QAe>Q&;sQ=o$>`hYT*XD1O(T(J4pRC}~j>z3?9;ng8IeVOSRh`ztxlntK z(fS1F@<%BvIT;R!G3XO%{O-V?_ji3O?u?k^H*Zk$-_6}XBl4=i?lOgS`^8uiqtZa; zcwpY(6^v>&P$Prn9*_+Hk_GQDF;d=vBu{zWhK|O4%8JLxwJ#o7hs?r6#g`jn!B;M|>vPv}ysc4qzhMkOD9Z9JelS z$*GmlYyZqi7dp}sa-2^C{sT7_TTkHi#IsrdiT#~C>C#F5Xiq>M@?%C~%$d)MA9GvM 
z#>u>#APnV7FHU;sk?Cu>k2v}_W{#6EOZ++H9{#Ki?SE5}&un7l zkyDlq4H>sdy(T@g!3h=dzFE5+X9!e*;K{*xlG(T#Z(jT+H3{-qS7~+r$7|Z_FEu&Z zjkU{nn-4Tog#_w1f$lQ`7O3th$if0KwN+7hb9}dK%-Tr}2}R2Lbb;An!l8K5s0xeK z8q=^j%yN69ueS%Sfe0~d73e1QLc}%&iHpMH#gZ8gXwu)_?~Oh`Se}QTK}@)+NbcrZ zZ@}PR*GhMjwET6gzky&N2luaDHD0giQt$$Nc9mwG22|Xh+vCxLJxntXp?Q z0I4X^o%N8`9sEP8aQG;AMWAf2AQz!1eyd=p_|gw3OWP-(i4A%A7Y>`JCPyJx1N~!m zx|X7?4gbXKfO?M>k`zuT+{x$eOAQw%1}p?c_gA35%&zO=x3V~@XQs+)8s+6VhU~AU z_k^=GtqsaJ>1pVkggijzklvl9qUR%hHQKKPERMDS8jqc14NAN;akIc1llyCdfBg7g3;Z3V0k4JJEy$hzZxaSAFoi)aL=w^4E|toz z4$~5oxw;Re|D3}b<9c95@-=*PGp7j-szo&5e8LdQLVF62F`$C87rF&6{$RomXlbt7 zF72j$GZyJa2DSIPXR6?sF`YHaNTEn~1u4u?q0=4t<5wghY>RIXkXdLs$k(gzy=8YcU1_|d zRoVR%`yR5^2~eu7R(nrq-TQX$7AiKQaa0Yw$u{tF67{g}v;2pV-ydNp-mLV-!~V6> zKL-BSO8+wOvXr@$|6$;Pl}^&+ZtKlICC1s0d!8G4eYmHaa2CQcW&K2y<~pjz_DnTL zwb&xQOMx6abwGfF#(>X+!4g?&OG0v>FOe5|r;oU1ZXWY2f5 zUoOG^SV9TS**rE`N#k2*_Jt5!q0fQ&kZy?s4YCHjYWx(kFu|u!a z{6qzOs((9kxn#1q+P70Td!uyL}jh5X8SkU!G5=8qzyT>@hrX`Jf+C1ct z&sQ&6qmr2Ezo{;hMQ0&XRzKedr`Ma7`?5ia?$y#vtFbJVDwnMx%F)Ig{OV-`u^@!V z@jupl+Xaqgaz=2*nD$eIbwTqGz6@NT;=*edW2OngLseG&utVs(VZQHOl+_yQUtEc% zY*9X>(1P%nfBPRchfyAye`rPGfroDbC+_tB?K|>xf)6 zuW`IvD8?{Ql;hJMQPI#G_Pyj=v4q?jPJxb+i05h^JfODbg%`iDF7~~=#z183xfB!< zTjHlr<6e1Q%a(oSM48k+@63s~ILFy9TNAfEZASN8J{{Eim(P-Xf7nxw;cxG3K{IYf z{BQ3}@?jLX9O;WR_Ud;@oKJ8;dvt5fI_+9q<1V^|yLR)?9vba@yRd9YsVBK6GCG+x z!P4N>nHf55iiUj6A4IhhN07Hwh18BSwMvHKP4WL`U9OtV4&z zw43_6>ytLB1X^b4G`48uhX%3<@mpj&2^QGza?e@0L3frL?r4}R3qAer?C+r}>}vzU zxlu7U0rvlyGW<~z&nNm+o8`}vR zO|Q(#%n*0$poZXMl(bgGGG_3Ol5DnE7XwE+kezg3T5>J)s1}KbHKoP zf_D4w*k)`gMVmJMuXn4-S{E0H_a6a*C6UC_wNK&Xy*unAaWo4v&y2V#`eAPo9wK>o zKgUi-W%Ke_zr*vEaJ$ur={yMSLdMH>6LEPxZEjJ}XDZ3_w&d2T@ZIBMF`LzdOwRA{ zysHK!0bL<)?w#ZCMnIdE-hBS*3Mj(A!UswR8(GPjiCnLLW38$9l z>#fi!)|gX&cxr>~^4dBeB>%Xq#}6ptz7d1}YfD4#@yxw^qOyY1N7B0sxAn{`G$CrK zi58agJ|rKiGARMIY!rHb%SHag%{!*(E*Tw$li4Q6Hkj#HW0yh}LFG%2z!}kjk_|0Vk%zK*n zho;289ln1cfv;7(kB1yY{;NUp%IHJEag+aQ0DM=!b9JX1KobAoVcu|L|Bumx|96=G 
zMQG;#9p?Y_VdCDF_?)xomh2mxkNK3iTVA4b&hNBE1N4du7if;}d6Xg8vH~BEjZfE1teFREMkiFWEBe zCHU*m6NAg4C%#ullU$4bE1xa)PgmEjde$qqVpL|nvrQxg?s<&0RLYVbW=o1h0sLa} zfW(-$sX zzrF`UYmU#Oz@|pzS=uu$Oejah;i=qUU^-Bn%;&^VnVk;dv*O{LgV(zU(pD)!(1iHg zmGbu!2FTFyHdv8*2Fs@Rg)A@0FCRUEPo6R6zNv6+dggYzEqC$t!|-C$kMB8)&Xe(EpWFj(&MJh2^M?vZ%TAMVE*eh(Jz`1zjN zqOsO`((2p-bEY0lAzvxRrg~))e~|U)2a@6VzhJeV7t^z7=p4JUL*?G1Yu&xz5}6GrnoQV=WRunT?B4f_>`RTKFA& z4mj42`d#?1Td8}Bej6VabMGAWocHgWt)0~+-0|8yT^>dGA}LFK(rN$|IkB zDbC*Q&7(@Yd9h9sJSIuwuP6*WNBs@+cf}6w`5FLiom+=~zDLfv`jT+syQgR+Os&${ zzGINnKDSTxrc5oBS^FEn8%>43&7%wuzo0g1T8~kpdd1YX`EyrBoj#TTs3kGX=*Tom zybzu_@%1^8>Nl+Zk!IUbP0MPO^Svlq)0XCnBDze1*xG^WXlUS3%UMs+@SF=ep-t%s zFI>kxgYb4!w%hW}xL!eHBdujdDYSy$Ql#?*)kANpqlftIKh#4+YPTSn*WIifx% z>xNI=$gjWbHlcHzMhHxe5P&T1@b%7cKJr^SMN{c#nHu@`i+X9SuCwtaSL=oT9&1mA zTeeB~AN|~x>o1hgW&jv(Kwi?Xad!qJGPdCh-Ul1%U#ie@1Fi68PyG?;s^EB zo-Mz4di%Ha;YY^cL?G*u4|I(91O?TNWaDfO>ueu;iGTC0Yz? z4k2=H_p%`DC~m;?8$AP7y|W(=9SvLu($@`N)T@UAgi2MkfKI`v^N1ogH*0r?E7(cp z*^Jjf%=w^yYkOs(UhkDpz=?r!W`LwJ357=}yhgGPrtbUc%J5*Wvjax=2*|Ref^I85 zaja2)6U;)3Tk%BDyV~LTUAP{p+17ciE=`%qJ#O9zABw5w_fMRGVHcmHZ|#}MlarNt ze!Ha@Hi$W?$G4gxXQ!-RPaNoNJxW~?0arx6{>Gr4(K?MFFyrH^?B{wZGzC@1Lp4K8 z25Im!+v&KETDCO*47qVK-!dEaT_kGcgg!PfdTB8njtlUP9F1a5NQ1WT?HT=89KN!h zUXgFyi-)jdp7Jvqk|^hgj5yGGc@|{3R3#u6QqXKO*-#Bc?RixUf zJ-!OUuH@Afeo`C+_m)cD(pc>H(X;3kMD*xBzVURE7*b2ar^5^bbl$#_G)kX+ppU%& zJXH8%m5#Bup16Ce>8lGiF9d7RZ^#Io;eGXGy{$_Y7}J0aBvv)K?+8)MHF_M6W;FPp zy=vZGInUl(k^ya1Q(t(oavu!?BMy7tEVLb=JGR9mhl>*c>3TO1hA+;}Vy(?C5i7}M zfZdB?gv})*iW|_p84IQpseZA%pPeJ`XKqFN01qI|(gvo_Hj->297_>aZR;Aoo~iY? 
z6HY}J^f89f&D8u0N3Om<<3+=Pxi)do2#{iI{?<{3n`E4=@8i6?=7f;z$_^GoRET(q z<$Ubv7^{yr_(82p%tQg9=CpW#?Wg+7bq{!Qc`(;?2?vXgU-W$AIcxG(h#qSwzl`w- zAGa)nnl)N6g2{zlM$%C9A`BZa0)Y{6xD$y=Vq?!L4L$bJHA^$BVHC5t0lp6_H#QOWz?PcW?yZnx%|m2Gi5X0hBF`i9lQ1J~deE z&q=x!r|8#=G{poYb5tsoDLu@WkFFL?MIJiQ?#5?b@6T?w`g(eRs`v4xQQKjfhJ&Bz zt zBc*eurYXk0n=>t4Y3S59%MWX7&7JC9l7`YCot>!TIBygoVH*`{LfB-p%9tCqzJ7BNVQWBL##5r zATU@6cw3)ur{wv*a=riaD!&o-=x4F5#iWkkEPnUY$p?rd(D^4@iM&6GLIp)n;`0cF z|BIX;=7kO6mM;yRvsYn?&0&iYAjsC*S^5T?vs?(4J9fQ0K_s-}-R`6F?uL~sMseeB zoRznc>7NowgSIwF{0~Ar-OMASl^g`k1|}RugXDnGKET4~dxVS8<k(A{ewuXa`Q#C&ednT>@fmf6bykXb^sQwH#G3<*k+2QAA9i{IkQIlb@6Dm(fWG)>84 zUVlCm=kQ54q;^bSIPXE2-IZc@*c@;kizT0OS|X z+!z?wTvM}V{kLRJ!ptxHFXsKF+vQlC7_S>6=1|J`Oyxe8H`m0HL|pk3fo+6WA9;QG zBVVsjS95~_cCLj=K?@oEgrngK@6z1!YatRt`ql^kcJ)r(_t1(lD#)B2>-k~4MJ#hV z+G+hHj-8=gTQkv8lB^IQmSPKoKgMPHy#W--f4R5}%|A#~vk? zw5% zxvSOPsk0mr;VwzUDbaos=DIBs&kIVYsSj;;+di|40JoG%c$;2_`V#+LrRUL)V(296 ztoy(U$)eX|$>4H4Hi0dme|m<9=Rtvo5q8sAQ>g#!vw#9rT2+F8wuj}#M(=nNsTZm( zz9i+7n325JLA|Z>xdW&e$~qkiWlS!I+4b__ZJ-29;(UF5(l`A+N?x}Tk@I=olCM(l z2hQET^ipQL4dMVPG%p>qjqb9vazhvjZ~ZoWrQ;<2e!@}pdi#FYqUe4uKVamo1K;^A zNO;93P`UzcUH0OcRUx1-+L!IK(tnPiPx6eHRlfTQ=yE|w$?+QW;ND=RH1ut`b7lv|HpDugz_9}uPK&ROw&#$J9dJJu`6amO* z?n~M)5_Wsr1wjSnI;;|+mt|KRNvCzW|dzCO;+|>B>oNp6;(- z9RZUhyf>mLBvD%N03}2Bx?-_nl_~ON!BhXO9qF>CbeiQyPjo6AX?3anzrYB>qjw&o zq=SK<;(pA!8%g{~?{tVs*2EPM$j%h)CC=bD%5SUUu4 zOmMX;j)@HfNB;2^c7@*w7jqA#eZQVDM6FV-qE^{}a`d6QWJTqyuho+G=l1e8wGHhf zXEwaz@OKTAK3|Tx!kyIdOZWUIUv1xA*J0GeN7*Y zG=h+wt&^oH)SJp0L-!=^3LM{7s*12zD{f&o4aF7To|Lmcd#-XHx2gCh9|RP6lZQ%*fP(bCh}Ye|U*J7`MHD zFf)YCwA#pjJPz6ifg;+eu%&wpKBFk=6+H5-hchp`WR#ba}omtAz$h` z4wu!Gd#{HOdl{XL0T38xD-RhkF!v-0_F=vr*ciky!6FMDb4R;ye?b@CD}U|4tkjZT zPjo*Z-S0)_ZGZ~tJ6*v5r0MgjUUjLidNQ#GQi2NZrCqS)+eQyGBJRRY@&$myX(i0G zd{A)|q&`q zaS>Z>NGS7jBp(MPhf^bd%w?a3%>-TCi!(>bDZ|!|NeEtbPrwUKz-}2lZ zGY37NmLz^0;`E=gW{C4i7kc@65QU17EOhWidC7p=Z?#>9k-U*|y>hPUvzPj~FvU>( zVD9ar7M10O)Ay!I2qHfScxWzwe%^moC%<7qA~yyk^$ILJT*+H4bX=HkP(#>|2XCqS 
z6O69u+1Ks;d*AyvLL<~@HJ{HReo0AxzEV4YqJl#oE56SYs)xB;Ry3ep2VHrDJp@!wM-*(Q(Rw?vw6?kVdd+QKme;AZ^;a13csS5HJ+?@(b}$d^@h6wY-tQXwdMiPd>*Z>i(CP|y84>1&ZJ4@Y z@{AviO0e6GymGCr`i5bLs2}^NE$kOK5eBY=e$u^boxBXJ5o!(87kn%#ObNRh2@bQ( zmrT}*<%(U%3iX z)yi}m@->$I{q4oSEIZ@Q2L=*Bdq?z(LFF7%2D7NQ6DydLTG(2(hRtM|flpY*#lV4L zhOftO9DF3yT5-JaD1m$Eks;-M~xF2%5%)*?}FdzOk`diE0{O*y-Ldf1a3kQ>=ceL8i=RmF^No2=hk^~Oys$IA%RRQe7!ieH*ac-t{}UPF`6Os zi^o?>FV(?CbPJ(!WNzTE?GA*e(Z7*XMRxxuHH zqG>n~p0)aJ<>Pl9sa*9qy?gQ1ndO&c<LFu! zUbG98#|wwg(~H50jPrS!%GotQ$_;u{WRfSOReZT74`OBpFZ>~)w-jeD9gSIae;vO4 z*kkn(Qm$RLEl^5F?5*Nh%?c*u>DwxU$a!}Ga zJfPM{nE&6To=sc0O7oJ!zvv{I-6hmkF93>0J@Gnrw7&seId9-G>ZzRe!WlEk)@Hve zM%MI-^G_T-#{mIrK%t?-g7xm|?6JT6Z9~n!L!9^MBa`OIB&EOS%Ochgq~kASBE6fa z?Zqm$---Y2XZ%_dEz1Z>%T?1+p~N7{PHBXufAFW>}Q-TDnUB>KTDK2Y}LP2YPC0Qcm6eH3@iC*B!U((tkh}dhN>GT>EMi` zKY%0Q`rftd(@GLw8m0S$fBRVvK8H2@3sAHOYuw5q6{|p z`HGH04&lP=ivG`qpqopaYU)N#LU~XP!C=BaQDFDB!rQS@XGeik{c;mtL2s{y<}|l1 zolCe4hD3PE;|9OEjcWRRmE-2Q0ymeVh~5n4>n$$X4q zY|d!@R)?cFLj)F-(kV-byMj<~LuY@ngqP z!q8Y?{ml$Xv88Qy@P5qt7MzMKlJHw$A($(HpY_c;x@t3lf-=@D^hFYP=UU}sxbgxE z5r16gSU6`!@SZnXTY? 
zW#q$AnwTV99PkW*I9w0AQ*XHSi@ks^HLv)i?#aMeeM+(oT0xj^2V$pQXsr~bt|Ok< z3_QXNdWO{#r?JZ@U_k=e84=OF|3$xgF;&G>=S>!khC~VNm#eTs?dwXEVmtKBUx*9$ zP`ws!QiaEAWp1Hz1D}POoZH96V5%&#IvU>BtCWnq%0%3v{Wn=RGn{0YzDj8Q!UsB6 zlV6FKT1yNX%vy92U+(8?7&}=CiFs2?TQC6MIAn-i0;A>aR6>(AERiQ=M$Fzl?ABZ{ z?Tgv%Q3&jKvN+v1l(mbJ*Eb@Oo(h1YmejZ7pBfr;cI}_ovDC*`%%oN(Ug#D8R)TQ8_VUvgiF5fIgv=C$;N;b*1 z!WdQwCVyF;QHRV~7t52)-R}&D4CKrYD|=!Q*8eSnro&uN6z!#KNNCLTbiOxWsy(u= zICV`TZeo&eYv9Z>#>Nw9$^?*dLVN3n_-TNu9T{Fv9CJ3Nff1lRzeo!6ldiu4;tV2J z8+`-@jI$btjCeK45L*MXQHgGprC|VtjY0(sK*tY^jwjb4iUF09NOcu9G&cETw*kiA zHdRAfU%e0QrCsvM`C(&YWc}ma78^JV*vmMYO&K2J^l<+EWI_BQ2N4dVk6CNaYQHff z@p3C0#m3TRdgR@w4S7Rd%LMlYlG z0*yYnSXz-BMET6}+Q`ZCT?FrDqE`XIs{{bmBR}4{)1qfmoE<>9&Y&#C{_une0*S7r z`8W+a*4L+NPCYCM%;|f5QbVXRFjLuK3TXVfdi#>UoN3`mkT@D@Kf!OqfKh)n6kO4l z!@HXb=#kU;b0$CjDbg=7J8^SY=C%or#B9n;Lq|a`5ueUHp##tgQ%`Xhv!t-KRwEw5Td0 zXG);Nh2Wh-bwL(j&?5K6KZ-vrR-Juz%Q8WC?4mLkkw!mRkhh7qF0PYFLhuP*Q4t-? zc~F4@3uKoiOiWON2df-WYS+t3xgK@TdTy0f!Pb14ARSRJ(VU=-vs1C4L9#G_q9%Ix zsxw8Ge_e}P_%#z`*`L!uHG(;G6I(q4VReZ<{8v@w+OrXOnM1~8sx4+49Ipya{i0<3 zQ*RatvOx~lDh=2%COgK|n^!}s1TpA)h~>syiC$}<8B(0|Yl=dRdcGqg82>q`yc7j5 z#4c99@qty7Rmn8Y$38PpCKM@!#MWM8J*mKAUnQWH4qLx=!n8s1^Sl zU-G`##&FxtvCYba)|`7kJ|xO}DRC=T&ZeIW2#tI;<5sEbV}yrd(ti}$Vw4ErQO2vJ zdd^ZcBz^_k{={>>33APeKFztEFRqG_-CEgHKu-_Kn(&ncW7x+-hT$lr8q1*DO7Qk~7liY&*}x;_kAPx254(y90a%*|LmRJ$ynV!0?#5^KMk_*T02 zfUYYqIOw7m7m&jt=c8_s%fmA+1)?a1s!U)+R#FnEMyJv@+FJhT!7WPuZd#7bO#HpM zl$~)(3Y$1}WI${JcS1lCK$VoHSB$jmmoW&1Cy@op1SUx_VFWNjZc4sbswk!nxDy;_ zPxefskn`wo6sf`Y$#ny59C+orwa->aRq+y6#ix;INVe)N)l!cp=a13{2oZYndvGBD zL|QHF#vDAMb0?#6I`j`O(Z$=LK!oI8bP{8gLtQu+uoW4?y~4QRY8Vk|OXKn2ds6}` z+@q#dA_0WL#tzf~^zW4ZH4Y4nriCSebMq@Er4Z=UtIa+sDU6Z7ha$G^UUW6hqnF!& z;i<;vfyH6>?$ex_`0N`f^=#<2&^nIZMaepa4D`|-yWVdH@3wh537K_IA`D<{{K37^ zEOFYgaNBxC5>Ep;%YeJcgTYZ6MFeA5$r=O+41{7?dxUA5c>5A*YiVrq!a^i9Cy|-* zIH))UaB|ua=<8^rOGq5xlt`kf)U8^99Xf*fY(#iX8g$$P54aP@5IE7AXY&lFTQSbF ze#+K_W*aPblgMLrN$R+axdJ|~v8NYSbVRJuX^i|uNW+TlI3;@$hD_oNSfwqj_o5`_ 
z_rK5q(44&CNo2h|wW2ha&D*;Cwlu-d-{mNd@#LY&li(s{)+wj2tNt!K=Vjgjm-B;XuZsy{^cK<6wMPd`>JSGPP zC{79Lz+basa>WEhfjO5xIR9Hs;jt>tTo5G1ZAJU>SPE5<9mKCDQ^b=7KuyhIgUs|4 zh{uPQQb|07|DyV1eMkhBL6uKv086qIpv6q`O3{;dXNFGj&`RGupZz=&*!tk>r$o3c zvVMs4lp9^6miju`n5MgrzNW%80^@x!JY`9TnEkPP__f=gGx`J&C!;VH5&;!y;~%aQ zc^67nME8meWP)Woo91AIO>Os&2utS|v;RLG&#`RhXf}dMYWE*3cyM!Wa~aiI&|PWi82ro_^r)lW{gbFyT3-sL9~U|E2ixnr z!)PN)@sfQegsE}wr1D?~&Kxy8vZzx~O}3StO`Q66pHgym!%|pQ5e-?dM8A5<2T-z- z-<{fsv1Tqama~MZq&*Y^P)@xU9EGr4t(!(U8i>wIpf=jAbP8Wrpehe53|&slJh^7q ze*)+pp-hkW#U&!NkWw~Gzw)Ri@kaEYb^j*svjm`e3B;yLO|eVKG7ON%SIkgsMfcUI zG%((4kE}dNDKKguT6?xP3lJXbP9$~w&M1+aTFLQB#zV9b)WztjxM+k{)Mi&EIQKp_ zf2>}CtL2T&#tb7+oVAVBttvzBQl`BT5gZXh8tC>xI5wJ;KwXlq zTFjnN9QGHBokiJzX{@9gR10wzKqpVE76ny7FwRs~mX|R$855X!!9>Dy7xHeKfHhqDa}v^#c*o|Eo}cAo@kA_>B62l4bJ4IrIUMo5 zm1B5Ga2xk?_M_TyEOzZ+>%HZQ@|C|;7q$3hqYKfOQmBomVFYf&ULH*PihuFBZG5-Q zY*IpWL2GRu_#Lv7r9q1Rdp>`rP04vM!H%)?z?7od)AAfWM+-}wffQM7_=jV#ck9d# zB}JN%3romX!^`Z~@2IXJrcPo-R&eTvX7V7Q$F82A)HP&AG@bsI45hb6-e?(dO)z zDaw&&GmI*utG3V0E9Fj5%i3B8o35yyV<2pFxVo@nsJt!4U)RvuSUQA5@`(jGaD(Md zstL!Ncf1dzW1ejdW1j}L_I>+Wxbi#0v=D#KBnt&!q{=h4HP&kk0jVd9V{Dqi08AP1 zh0!!(xU}lf+(p zsq92A^n=;!N>loh7(S9w%`#RZySE2u*_7qn?O)!xDt>UfQ&(dv1Af% zOEON4)i?*o(*?^SLC9Vqur-1~BppDHYDtgu%YimeU}5c&g*-AzVNT*OIRhOpvO|2M zPXCyUqB0eshwP`HLZEB^=DmX)MHdwoiMAQEFNv5KTbF4%xbDt z9JxduB9NVsAZ93$XE+FU5UC+zLwAH7k1Ay&lC&9vMnvV+&4qNWUOwkU%gtILrG z>k8hk16xyrS9=Y?*X_)QG~KJbBvn0!v_%a@pylaCi(PSRzNfj#Z2k>V*HwCEN8lp- zeS!Li!Ab91(W+4L^Kl`&4_}-1ZPq)QEJUFnrW3Q8GnP(rrMyH?7G|!!VRH6i#`t#| ziAOb<8M_sGDC*e&Cv;%iUf^5yyKVozbAzArjNZk}Flj4}PcD!qExrQ{T)vmI^!sxv zea7hO30PjbR0a!*KU-{SoYfsfDpe{TEAT|^77#1c^A~*v2H?dQHc@91=^8pQCNV_z z1!ele{Eibb=HR#FKBVXM)YyA8Wt?Y6td1QE=02Djjky=h&-Ismi5(j+Fn#!uWBE{I zCy;YySPEyahZt6b;Ic>-Y{4S=0>~;myR>iH6V==$5O(o$j8Rzf20yw)A4JD)A0{sf zwSh69G)xNus`jK0%ZZSOU6K$Hys%?M-U*3Pl4tni0s^Oufil6eM&{8S#Hbcqrb)fk zJ$Bg)yT4I{I*n$lkiBT17_ zFBin}j@u(TBWbZ2CfR#hlf)^qmOY6MnhX(ROr{nva}??UQKpYSKf%)KNd>Ljl`@Eu 
z>zh@R2W6@?cu%jaw)0(2wzW5>$^sIci9C%^Jl=M_%iRm>8=3(xMrWXTtzfgAGk=-* z;2&e3O6DVqVM#lrFI_ErqUMUu6&H;5dV-h5q2pjeJx1{h?zXF4 z8OMi7D*|%{Y(Od~8u9AurO5rxQeO7SU8!D;2%#znSlllQ;0Udro#05hWW|1(3FPc6 zN__wMvk(2Xac<)eSwg0VugfuZ^SG2gJY?}5{c8zTczufqbVq4H_jYTP4T1;D))%Y0 zVp3MsA36eQwQ;nV5$Pid?E@p%M$@F&c3DMvrGHLwza}A(L&v6WVPnfKwF-cdG(i5L zm(;iC$9o}lVvU3#G(KNG_y01*mp)z4E7_HjIBk`T9R~7w7~5tD>TjMJl7t0yqeP%Q z#iF;opp0wip_~17bNj5$jlqvNiKJ*%f}zQ~<+j;ZXnZKSOOPsN@s!Zu$`HslbrsJ@QwLczk?l*wtkywH{i9 z>pHU8qC5Vb?@yc&oQfI@=Dfq@A?>_ZqJhKdq#pd!PUwLZn`puana5%CWL}Yz! zxgBa_GR!n?O?3#lX1QAGRpZ?ZpdiZC5U1j-=L{ouTPipDXA3Az-7WP4#CwXsV6$HIsM{ALBvyZ{-xrDC88$kn#8Y>7_cblks_mei6CdraFvA5x_ zZkbnYVwtVNMoBG4W!e&~{EqDnF-Q2IiB?wyrZlB?Puu$$wEu$)dYVg7=CA&1@SODk zAnvhIb97Q1GXw}4<~z+7LEVK>T6DSPmLpdm>pb=n|P@mG+dfHLQ=X+kymmof(M zac&77EI&br>$|do7lThF!Zf*RBuMpZ`wM#Pvbm`m3+_~8!VsTJ`XiGX<}KDZ$!Pf2rJL2U5@UQ`}JiOQ?^){{hI! zgt0?7u(T@ShyIr0HZScYE3FIXQP8ZY>ym=emDy*^z^c<%PR+Y%D$ESggl2qY1urWi zx4Ue({wk23yYDM~g?~EBT)6lKW|;o_-$O^k;Z+9gawQ#xHqJPU)ovIm;cu06(mo)C z(n#<}G$UMaqHmnFA3NKoAJPS+RBC9HTO95=zIglrdD=gdmH{cK`z)Z!^~iy&G|{Ag zM`>L*qV1CX^<8;KDB8_0--f}Zne_ zmsQlTSK0}W=A3I-A+=8Xcf&d4PTR3ISG}&>AXio^y0caiQzH7?_v7>LE2&?Z!`P;G znNW$>I<=SLbT=BEMxS7BPwZ%9=L*vne_%alln)ntiOTvxzQLD&ncnQ9@-<&pG)g8% zdShzB;rl4;cX&I-u;4Wojk!^=CzTqTgC@&HtrJMk;0U)$*KP?{^aM7f?}B5?Fk~UW zp%F%A<+~I8Me<`_pU=hyhhJAFVq97(C-r!EN&`Ggn1XA?Nf&Q~i}O5mV!S3X9{HU% zlGX8X4~AhnsEPnc2C|x25+)m^q%yAM|y$ z1BF2G5!D)>_z}v1I@V4`fFQe~c9yQ%OB|`nD-fScj+YMvvGjW`fwFVD(!PKc| z8ti$y!5K%c4x*(ZW3Fk1ar$3L34>L~_Y+DMGN?R7r*s{aJ3n6lFdpZ>KtlR^i~*6T(|$1inx_FO;i|3W%q}qC88` z=IqQpOl|a>M$04cNn7XO#2zO`Y$(vr)?2JYs2wj47W~!F@rzeQ*d&jvG=LH^hK)W_ znuy~wcXbLHMz;RcBuZBud5e8}pt~Zt0@ii%b@bPHJg$-6ZDk{{CklqzKyjjwP<efY zph!+YkLYm3a3(#}7|iKl0LZ|cTU({8x}4-RB9c*&1W*Hv4uKu*x&>KGY#!8vV)QU( zi`UOg8Rh`3rcumuIkOBhMRtf9Xdq$K(H1Kaf+y^>{Okd7sq~-hwRvHEb60iQV1dg z*w5_6GoNU1E}CbCCc?MLe4n?P}0z>3LVXEMGDm)mdU3r@Arzefl_72cF1Sw zu>?R{`hTu$MuwPGHKa|XdYD`a;GMH7mj^4&^Q<{&%(F3rLDgllf1PO=VR|5fiPB_J z?5M2q$P%pr%yI9UnRGvun5m 
zViA$7CZ*Kqv_nb^LmehH^nshy)BdUaSdaw%wWT_MKV2sHo zj;2*x>DwUn50>1ja8YdGj@A#86A4?eC@9(ulD|0n|8M8C62YybFOX3?F@uS1DG+uR zS~MRey*I)Ew2aBTf0_KFW#lw0Vd9bomXb4KI6_P`4U>=JQVp3~a_}xU7a_+df(NQE zgKJ(+DFSg0>iu?Ytsxm5%kmrr}eG!2r(dc*<*9; zc2dJ==0OF3V|lav3zEkW5aLJ3_=)oPVY64RxiM|wZ4K6n!oo8AGL&HGeZ?ggiEDIG zb7EqZL{?2FH17sV#(_<}sDEXgwm;3L$D*@7P0EccOmqz%KdUNbAxbALcE%k1DS1Ey z3gvZ02HQ_vn1ec#s=PYG37VIoY#PekFS+hF_n;N9_5deWeeq%07=@S461|zZ&K68f7ziBlG#SxC4Cv${L|ZiP zj~lj~$B+1x>9ajyOvf|X2+clvizLJ{>Q)AE*lyDx#X4t+mBAyZ*kkU$ixo)I z_45jkxFf`N(qJ|<(&M44|AgR=i)>2%kfg|(HYBpLGpWVv$WI<cLyyjzP+-Yqb?7peIWHYhblkM=*tk*>n2Y64m_z{T1WD}nxKx`9 z1)fsb;%a)4LHcT1vD-BCQ48u%zc8;j0pG4M-+fExizFa@S$|tME3J3I+R~Y1V3HAW zisYl>b)}pq*epJc?d>4kg9gj)XspH}ibNG?^~GuYqTkK{EtnE)P={XTw7J)ni`gAs zKWxrbw?w^XAv)C?COXW0Q+JwFc9lh(Hyw$>Xw00xKDj-Nk%4QIJ>;?}%vm;!FIDa~ z%Y))3LKKB%)WCtZEo&m$rNx|Yjb>uwlIF1*UW1u7f1WrBw&}66e{g9T|6BTxg&ss) zr%aYuTKxIgaD=n$pQ$V2!4l9b@K8d$$ihYZvta$M^c_t`imBUIPqa!u5(?wv4TcLKY_x@Z_6NQToey^h2ONq1m@^_ZVt^S zDy`ozjccih!P0*nDwHg*APU7KW}dRo$%(ujO6vDj6kOSuK3Pl@l9~eh=8t+w3B`WHNNwAl1`zM+XbaSFm8H^nRpBl#2Fi3}nrd~&8+l;fA zrF^|miJEr3QiE({b2rP~Bn23(LPOGE(wL5Lq%beh*QEn=jDOL0{d=z3$|YDqBtEJ8l(~&uTv8JcD$O zSuYvWL4BzNvdI4Lay%nh#Gmo8j@zf%o?5OEQv|m3-z+44zy=kZ*v6-MFYvV`oh@8r zGX^VHGK-=^V{5psn&*D)Xq`!kLaSz(nSlZsCr|99ESm#6)!53a2o9ycENy}s zh?MPaMKbM;#G8^uA#3E>fDnHOZtXHm`$kt(t3!!s54-CK+w44y_xrnobyh2wU-pn> zl*>$dPONj9R435pF zF+GB6K^xzns>oJ=YEZ1(vleQ^KnT?lJ<`%1;S#R7j7~L8W3!A%lX&J<)}ERGx9>vp zQ2UPH#_%r8^#Unk%v)8lXWd`T(vSe0^YOf6)X^}yBg~%eIc`0y`O|-CX5cNsP?M0; z2Us+&p!cA~STwVnlE-`nm~}6wwTVOzilTm1?!w;NcqtSwp0JH{@rPG3u4|rg!{Kv zGl>h>0Wv0X?4_kuW~qD8Wp1RTNi2BtT<7`_pvQF^ zJON{%Y&dqz0|{pQmIQ7H0fQ4yYAOT6j%9f_H2TER^aBMu>3a(XVjMhh^L3LdMOy^z z^{sSd?MErRW#d|tY^9p!^E#W(TqXf1zh;{%wFEuvDX5fTJfEl@vwU9)GoJTeTv0UH zu(jSM2Qxy@ipektbRw215KJW0gEI6q9G*PnOt0BEI8TZUM+b*`jaH!5nDr;dO*R0k zO@2Jy6T>2H1rRfAhFLl8)%>Xm9BlLSEu?nFzu2_}N_UZSm%$BVObZYNdO#v&hnMRk zUxBB?m{u&3riw_{!mA?CHe=#{SIy?GMqdlniDL|N%QnPhXzGqQHk;K<<@%ixt5A!W 
zjTct_uC%I$w*CEr6S3>Mg;BnTsO)uR%b^vZN(0fP_|jO`e9C13=1d?*{kEEl#K$2k8jiCje%7072vduo)OSJmgkT?w51rwiM^MB_v1_fUv{y*EfITk`d_jY zcbZzE4HrPEO@X5tcG*{!;0f~QT5i$Z1WT5f|I1S$Zin84P__oG?S&7DTVxzU+C*AD zw_G`Wx3R4e1!ADPjNT~`7ff5A^Orv9%z4;U=8r(UaCg4xdB3}*&?KLijDW(?(u`hT zwy?b=LC*0DmR7BWBcgxW=eH`;J5z1YhNGX~rl;HTZb6_ng6NZ&K3Kk>V_)xC{w#Ru z3mmeq-)G&Ywt;Tl zPx4(&wOV@npE)}(nCx81kIi8JUi0hwUSb0|wZ^W>_p7a!-_NylDl?iHuNyxb{x8X5 zeSQJ*+>h=5TL&LLiTW|FUKf~we~!eeBP^4Dq~IfI8{j@%hFzl{NS$ORb+QwJ8fb{NF4Ueu{2|T5t&@(sdA_ zHag!QpJ@GW^gm&ruzKnOlJ0f*XB+=}5ZwE_0{$aWZ4ed2qrWBpL!zsnuWt&yxBL&5 zJ`-oOa{nrTh#G^&aR&^JBUC>*yjT* zg)lqNsqgvZcYQx7N#3bIXM#KR5{0WD66nVy_gH;pb9u4?>Vy5~?Bm9-8r*~^umLp| zbkgOt{4$-%OgQ-Q_Dk3)ydQNPlvFSOvI6Hx;yHW#A8eXk?rndL4)Bw2NsL}@Fi!aX zy?-B%SG6bcEw6vNuPRO-0>hnQbN50<;}!TQK@M(_j&IXv_i8>RuKmjW*fx;*2{Gk9 z5md}8;eXGGw)X}9-hP2l97IAZYr6A(Zl3hm2LiKSy_4Mvew^LvNw3*W!z}6_nWNSD4-WPR}3UC=dMpVbjju#>+OI0G^SpD!?Vr$1Fm z?LD8tCbyk^zGDHWD3*txaC}GD?A3s&L$+IiCn#6bkE``_RR90^{ePyt-rpBclXbRl zASq6x?eDmoFAC>^omz_%<&5;eyagLo;N8Ve$MbtjuHu^s@RC)f|kI=l`KN zm;NBx-SnArikzRP`&eDzAEMg>Vi`07B!3{CR@ePwR{qn(VSd@4zm06%+j(8t(@-LLMQn=WEB=aQyUT3-Y)`i5~m8VJzS%wL| z)D$hE{DEtGB0a#IZsoBjFUpn}Ak{=)!-P6?0gl`XED7KFhZc|NO8y?@O@7qC7 zlG2yEx#Ccx8)aN*x%pK=GZWE7l?P7_aXv2hXBsDEk-U~M4onm47Pk^Q6SP!SPmgz+ ztvK5o0s&iSp~@T*6b4{cmC=Ndk&XO0>_4ei>Fna{5Jd@OyVTM$X#k=H(5LpqVblt$={l5$3#bB1^$SKN@L0YB8 zVyR#&aMQaQKT{6;@RjjfKhYBqUF8`l&bfKE0?p4U{DXto$BlIMIVmag#2h|2j&CX6 zX-(m#XyBHeE);tP#)v+i3*g%D@xKj6UWW@R?%yMVcoVMH>MfN`Agky?<;>Ovy*sI1 zokMm+syVUPb-h+|UQ%;n#Z-WO1HNg31z$^x=(>yqIi?R}FGrWrpURaKSalAtmWh{X z_}WIKF=>X?u-x5OqX*(b)>OX4bO8*dn0LvCe5s~VSBU6;bTUE`yjRLN-UWflu?pcXF^CbgTT+8@O^6=@a@h;1NT5yv zBS=>xWrK~q=roqncDhllZ)KEpWqqfNsdm-^re{}p z<#bj~D@*c42Z~!N zs9@=)HAEQ-MgT9v3P4YFiPrOG<7-v1AL-AfLl>)5E;E}x3V1$hQ49nzgSq#QZ1(jbW&E5NLvN^Ld zfpS=8PyQU`8l(tdRgAuk=H6FtFzrB?4#14hk3tsw>IEIld&^@=kF{(2H4G+LMY93D zdZ{4SPWYHhG)Y3f2yOvV)dSXun3tn}zo%z9>z*Ua;m;lo%vjF=Vw!Q4FX;&ly$c9p zFraUJzOHlM_y;2S_n7)4<>y4%juWAq?`!t2?R6VA=#DqGH?)ZUIAOC>m6jR;qEQ4y=Nzr4VSgi?_TpSqZ0Oi7o 
zj)8NVI^Za1`yHUxsAFE?je#ad09LdMj?xHe{^UHnV<%b`N(B&d=&S4DGejL37#OQk zWkv-+?xapS9KO>LcxahvJ*LM|b(PqL)=v}Hd?T3M$HB}HxtH=>APNKpH9HVS`VQN% z(VY({E6OjPED>T|;VL0B3lSwI)NnhrX8zb4!+4`eObBewc7A6g%Vs!d?Z*!TTrF4h z1>+D|5zr{#G^vAK!+9eh)ir9$YUII@w=I+Dsb+!Cb58Z+>T#+CLkpX)A`Lkc(CM3Z z$^X{~7puqBH$F=#^9+!~KZ~`4x@FM_Clw)Z;7>KE)9)*VonYE4NH!xQXl^K-f`5hz zD9aW~gx;+&x@1!H{iWnGR08tN5|4;7!VyyK^L!PHxvH(ay9W3eCM6{t@GAK@SH&gR z9xp*@icak-*fN)+PcXkipN^3@W0VmDsB}hmYY2GG(27bhkg2xmTw&L~?eg^F?53l_ zR>+K-Rf?bbNQGtRz?~3lsTVXJQhmc?6j2puly6V=v(@Y{i=!i7?aUxM|Bf=P+j*)o zg;cZe99VDccTiG$7(1g$Uv)=$1QKl@+CwbnlLSVhDGqJpuB$>=nZ6((3e)h{1AyhP z@&uSd4r05r7Hmx8FPtzke&;ix(GMi}RIatqxnUCCY61NeEr4;B3JDcx&v?GI2Uv{X zHYeteKdXKqo}SKSapi6voMr1?h-*pTOdXXa1nJOMSXwoFdrf=!DkWQ5crudid#lpm zz8pWqFqSM<)sdu6pBhCG5zS`ar3Kh>KDw0!^DLmnGP~Pxyz9+(4wgi}jc^3Pf6A2i zC$}aYVj1X^2q-%tAOU)}(&&=A&7Nr(3(A;hFZId|D#I-2m4&mK2NjJ17)A_1s^{RY?vtg{a6~8Z z2E*8D9l1=*Q^|#Ba~Zna4O57i*WNhmd|5}F1?`{ZEWtWX=G;&mc{uQ z0!?dPUSW_vj@dx@kY*?rj$erzn3 z)PpIw6}1{Ou~7|+q#F4q)4PZNRMEF+mYN`0IH|Urc*N~d>&I7C3ygM1dekmkH3dSa z9m`1Q1z&;Psat&?egV0a4QG+jh|Cs{-!ypsT2=9@*jT%E%r-Wj)4f(wZXlv~fH zgIS)>oQS&IW9j`+XG_s69;^240UMdT_Z}pYxO1)b=(3=tT(QoI?IF|Mb9=E zo1Q}E)INf!hpaVqE-(+WF2Cxa2kVS$3f>INC2kn>VYMV#-_tZETx0R;#G~p<+h%6g z@iL>`rukybv#fBR2w#wfdcu)hB`+S37D0S&Yg|(kye>8vYpryp0%sOvjk7YhQ_Y7t z5v1Wy8-#twAhm&#_PeUqHm(_5_Z+?yNjdJxme}}NmRNCJ);GH>3$pEqE5U?vRB3oi zWOC-ZSR1YWN%&LtOFdps-{aLq;!+Znd8p~ zLvYnsWRk3eWYs}KBF0awB)5(gj;m!kh%IXw&RB*lFhP3rjeC9?4nh& zV7FoX>4%hGWHg&U%?7Z3yY4!$D`Z@KC?1E?C2blUR3Q%4`f;3bbPyZv$$&}^*oI_! 
ziK^y7cRvkDa-gRqPVaCAx~1SAu&H6^itJg@nuc%bxVS3dE+$Zl;)b@!gr*LqDZf%!wxGeJDacB2T$Z>M;bkTW8ZchoKZ4a5!S&#@)HL=7;;k)cV^t3H~X z3T*Y~vT;VgNfum8lEB)~aG+P!9~zBqf{_L)Bvi;G0{CkPRA5y!j#Cn}Igi0H&9U-u zDFTWrjA0@|?8xZ5DloqT6Fr<=@USawdJG;%h(a_1DYzhLti%H)LuRl*2UM91MuoVR z-p|cE^^AGRO*ewAY$~_VmMU!AgM?21Q=DHRLy^<(6&o6i?uiE%LaqBpIe+RB@jFSL&STQ ztOw->QEQz(G4EZc_nLKt80zbHZ!i#0B1m*4fHhG6Lc5CPaTFv`gFW4BG7D7&90p`d z&w<^5jkek0VzJA}FaD@Q9uP|A1#R zSlhNClm#pQt)~ss3~%JRZ185CL{;mI{gC8Ru(3S<*r~L%UOFnK>Pv99OkDUKf->GVRF;57rggu7q#^ zT;&`|0q|!!$Re;4SyMH!9UAt+rL^5(T#7odxQ-4jYbd_bKHgOUR1hcX|6}Ye zNZ)e>#5j(SNWPASIpljAFFL!*slpFhQ=n^N3S? z{l!B$NgwZc1hckvWl)Zad1e6~fg^d=pr2Kw)|uDEa?j#~UzHg&pkzHNQy0Otk|*+= z_RY>2t8Yr&QCB++)?tPc(2^><&6&&fMIWSxEZlV>!;-NTlr)oqRnN_V;?6|bMc(X&Hb8(Io2N4^#xOcA%f-^b2FM{F0Afh@^2XmSJG~{$=2c z2hZernum062sybRisW{SIgG6gu9@ddUhwk3zR(YQ3NY2snhXVJ;gre*DA9404GS#{ zeKs@((;_O01X;r=F`N(G`a?2;yh?^6ezYZly3h&Ab;@4tY~3XgOXEqMTKjr1Wy zrNsvDP&VBkm<5CJ)i%b@zZgCdzt1X_YmMKc&R2M)Prf<9&UV|^kNlc2*3eBp4jNJ| zbWAet(p9Kv%8L+|<8AWHI;-0{8h)7!b(X`3;;}`82-&1eV;qI0LXm~7Z?r2?U8^=t zdw~zJcc~~1E%I*$;x`jP<6psB9Q zX@|WS45D8t<0O8pSAn3VEBF~X;X8490Z8Y4pkQpNZ5E*%#`gI3pkgo{6sk5Ra72(8 zV_HsTKc?W@2Il-M5IgV58LSSvic`b>5XP_*+(})TL9i4WqS~e16x)@>hv0+96~F(J zZ;VR@+k58{MhJg1crw0z1`qw)JA)n6?zMZKr-hB1Uk?|;u#;UmjZ`F4NG3cp9?o*=XtoydQG5L!8PHu|~r0T$yxB^C;Z5LT4!rYR5X}TD+kn zh(h%$OL+9nbW%_*8N~rSKe~XDequGVTdjU2Rza2RHgR!GNvDL47Ug7ZPNimgaHyhK zs$_3Df?C(dc}v;YZ16g~9c0D6<%(;(_J6#w;at-#O-ile%$gAL+Xcs*Lxk7lVFLG1 zId`S=S7mz?4vItxE{uD)DjO*~bI0Bpwr4_DxD9s7tSU2Sv05JyLQ~$oJYzp<{a$rf z=xMlIZBtbvc2bx96%s6P{Co;qrPo>Cjg%ho&L9^)*)luZCRjQ!cK{xpDLI~(fNBB@ z%OHBZdX>6EvDbmRo7^*8+#+3lK0BT-?salG${P28b91cV8u_{c?p#@Mf4O{=jzMpf zjiyM<4FhLgT5g`S?1|W@&UO%QJ)`@tDVpqDf;d>7^lVXu$D<%`!(1)b zQ+ZV3^`TOH!a&)nuQkEVwG{mF@r;fh&tq{RG3|sD#=rNP2&l$*yn#7u zc{`&63qb*9;KL-Qhep|!@1)5nDzS45kZOC^Dl9nW&afL&KhWBuXc8Ba_(5BBoHs5N z?V3_yuYKwP6f9p?I;*KiEgTwrx*CKtJPx7$v(E7OkMV?~wZDcIYFBYw5Ka|KclL+KeZGv$k$Q}BL zSkluzTX&%!hVcB7#jhbR(tg8VLCk`!=E}<&$_76K%dJ$U#D`U_6R-(%JuRHwiMW?^ 
zA5Kf~-*R7cr(nW@U$U@*eD<0|R?$*(g1&_;gND z2THk;!L+Mkx4lon+It|&ldc#)z);qjExa||h;3OS>PIZoNpc$8iHI!{bnyKK7qihS z3!`TPS3Ve6{~s3-56|d8uL)K;&ElK0iiz4u--Ua_*pv19`(6OF8!);gK!SDyY>fHG ze26Ev2r%*A zEDMD-m z7F`!NK(<0s^&(B&L44d4jIb;XdN^6ZB;|#&Wc&e_EcPChS)r;hO(`S z70io_(!RK;ITU5&<1`laOh2R7H#kTxlzby4<_>ii;-6(wLd@?} zt%|F;$Toupf=R*zUU|s+(LcHbGB3f>s|xeUfYp6YfIEomefp;_G z*%&TqyTN>uX4d}VIMFR054N!SpX`g``4btN7bfs(bv~Fia5jA+4Fr@f_+!P|wTz#} zD)Oyro=z7$=DrApt!DSTs=3HUPdP7L`NW}rEZ9b{Ii{IJUzzlkf$$J9r`j9!B!zt0 zpci*?3bB1}0iki+9AS~aIZ$*t1;+5M;?xp{V?%yV5c}a=6Cqdqj9O2>G#85zdX0juNHE zJbw5tP7!L@qi)5$!0gnUkJ?bj*rQjOj9pyo6Y_yiGy4nz9G=Q|#*Yi&0k!mgwZXfotsQFf#~m_fyM^)G!5b>5=NBvnV6IZQ5&%TX&L_uCI{9b^iAl}zFk;}C2G zKgjW6nc8VOu{W?0c|GGT#(2?MV28bc`}Fs2#FZjM{Ac=gBysa_X84C;u2VEXbEjy>NNrBOx5=aY79pKpzM$L3x2{19C$gZ^Db9lt4guCWzZ zZ}r+>TtYeejkj$bXOE>GIe!v4Q^R|EbAsktPR=mu4&<+OP8xFgYRQg}-j+X_7;sEB zR{7JrE*ngRNXG$AwDg*Zk>jkF{*w zy;1smKs=_1=A0i4mV1E-j=d}ccgzm;9J2Z9)OCChMTh--q~^9HDt9oF6ifnFlZ1TX zqaggYZJ{(9px=EZ!byH~#)Dw6{l7K{7noN0udI-j{NoaD`a;iC9k)t|>x=h4XsB?zWLo(ZUyIg59h z33vpH8T*2rmFalx?0WH01Ca5l=!tov-L5K;o%?t!a}q0fdO^*!rT{9Vi0bKA!FzadbZCBw9sz?1S7bm# zi?Q((3fJ=leUhJ~BaJ9^3d3J3COY8N!VQd4*SlEz&yX~wA-t0xv(9}(eKv}KdYf$C zgbLe5aWFNzUatf8r!7lbOTr?9`qR*`mB3lyNbu9va=D$?E`NAQk1vT7)mV+oJ71r# zs~|7|@<9$|?qn3EZ6Ik`vZwD6E~be*jSg)d)nCb4c^`hn-0$B#GDKlbC(da!NA&tl ztZ3#;V)Q%N##_KZaN6pg!K2;h0xw?ZAbwe^5%Y*20sVN_jE_YY4mSG864RJG=_5+! 
zEit*Emv6g%LlG&7Ec`j=f*TY@jqZSL@fA$X*Bs5Lu{}qfi;O)?7_uJyhJ_=4dgvF| zP2fljdnA9lz;}_Mc^yWUY7XjSB)9`7zvk9OtZ>D$&)O$^M?E!0x;lI?jjw8Ju2oX-L@gGhLEDL#)$|SsgUHL#aePjo81A*?Fp<}TsED6~)UeV^LUwVBX={@H`H;Ms6;iQAhQKG(>4~BG z-Y&B*g09pP>U~>VrKB^|qy0DZA{@91{(lMf+28 z;feOR#(_>4Jl;Mt%&JcUASQ_m-PBrwoeDFAXg;yL6HGa}c!FX?_p2SAtLZg-O6wVl z<=Rb7K1K-OAby?~XFxk*cZ}OQ1l6*!LRJu7^_1?GntE~OSw^>0mRbzxJt)pgw{_#a z77x_tX^qRFCo!zeUslMNB5a>8}8 z_h8VxB)og>KB$u&*#fd zyQhTtbh{0M7K*N>Rzc;lXG>nZ!)u!=F)&}3Ab?hr!Q<=s2&TfCxO6#TrTEw(E-(;h`c!!WB z%XF|o{cyPmtM*1K7nEmkqK=aOg7aGjjSeh0)IW0Arymg;hCjkrDNP+(hiyOLfmlRj4mRMnEpMul z_Jk?u3{j|f=3#x`I(2DbDir+p9#9HX*`;NL4?vBEm1%4f++Rw~QnTLNX2wPute=z? zerHgTXb`~$1Q@qE&3pf| z^%GW559pkf{|y3SyLp6HDK^;+EY0mGVquj2)P?;bPYY)>xsgcW_0B-gEzs zd)0oQ#AmGDhPPz@p}~uAk{XTTAq;-LkV1)1KW!fqs1|?rj!Xh$`w{tHG59G)*ra=> zP}H+ldWOL7a$Z}#qfGz&JOzZ#7^Lcxwt3u<0#~>IuQZiN`puof;gi81;ApSrZ$CB) znJ^FpYJx-X*%p}zc$Yc{yb$3eXy3|6M~9l?(;|bkVnh$^NA0}Ov5{6owxWnlwo1>X zY@9!r)6Bi?C$7vh2sTEm{lsM42+63>)tWHpqD8W$PYi$mt@qVUMOo$?mmFr9{ouvy zW!v*!s{}l;K3pdxD9*)rP3=$SW}A)JAi4gYC8~#bZ7|U|;x9lPO)F7m9~BRwLvT;o zTByP$zB@@>Q6{#^g)R$?h;HBF*3`UiZ0cw+3Z@$$tCmb7*9{|LwROkD6Rn*gG7hZ^ z+rgqyD{!Ks;Xg;xju|X$J$p(dnKBT9L8P-Oy{v1`?*R7Y%+Rw@;nk-Wk-Z0B-`<3< z=-{2R%*_=R1T6s-2~7gu_q@k~;&Imx5|%h_4#9G3yv4Id_?+JjoQIS05s8Y6_35VO z*Ob=yqklNWB^^@P@(C3TGAo_a4`$Zse#;QxtLWuc+zt9_hLLO%Vd5T{#-E^XrXb(= z{b6cRe1-Y%J1EqR@|D1+Sa2!QbSxvrIW-i_9Lefcu>$sGLj%AWhUq0WrC3+X$qyP8 zod zW^E-wt%;S_3O|O5Xl`C8=p)XDj;pgs1X4f%b8751$$y12FUUQ!(wScY#9!^w4MGsigc<90}Vk;kX$9rk> zOyDaoa1I=cF#g^`&AiIt!LkfxZ*-b{^M7IHX%`gM*S#?plBk`JYcThQiP9JZVrTm;km5wSSVnV zqurg&$7u6kv4mxCpnJs%1!c1;xt0KkgVScm5hz~#pU+86Y$!ut1WG>uQ14BV*K=6V zXM4Q{WBBsFD0#Mx2Iv>wnE~(c^XJ}V9e}1^wgKMo|9+vm9)MZ-@ILG6z2yF1)gVeO zfltjnEYOFkX?0}tG}`opR&LV<$BWnaXwS!He;+S*$M1f=e~;QkUk_!>Y*-dWI6%n{ z|M)pT&DRcmM}`5EMaPqU9r(W_1d0C-$>IMm)8uL+@ehE954xHZFnj-U6Zw}Wt+_w- z$?yMxNPl|^qr(B^wB$bUcQp4L|9gcFA2vUu&3NeI2$-(vR_|<7-ng(@42F1 z|DH~KFZ3s$IR|pf_3HWE_0E?qGyFp+u|WO({Z=IE1g+YGk}fOiYg0OqS??@5=g)U{ 
z)c8Ou#s8x}BihFj7*{r-<qP8MmL8FI3J?hoQK*>tU{sVwgBbT zwje^$0U1QYH7e*$4EKMYe!JLxKh)-FJJ6dWLc;NSmp!>~@S6)TYCxrx)69R3Iu%>- zt{JGZvtGo7ysAMer^QgSt4yvAKzD}~^dDRue7gU;r^;<9m910%eYuMT$&^=ych;XB z%D)GG7!j?1TK$(l?Ijv6b+?TE0XQNNgnzHfUO#VPSw7mD$$EeL;j|uBQXl*W{9^QH z=00*YlXl4MUhWSi`>J~InI6{Un+|}-|Ff?dX)MnuYKGU%8Zg7pky@2zzznTJ(6t)! zj|T{70Z?~1{p4G04m?Zdzh^1P%`5v|)K=`Xh`p5h_kQ>_BsbP7>Uddom~^d0r0?yw z$9z)W9x2wIRYpj{x791`v+4e{7U%sRAxoZPUkaP{H9XlApg=95mqR00pAsVnj$XLk z@1|gkzv9qu3mI}-goYewUG&+YcptD14Adza)`B+>-d`t98{2*PaPgKDK1uKm|KH19 zv_vn-lBeFt`u=V@6P2F(0zCCieHgiSM&mzoH>cG(QyHJqIf7t7aWoW+RDE9WI3>{9 zu>ppW8$ehw3mqg_$RKtkM7a9Po8%VP@|N^FVbvg-&$9*^FL{u2oM!TR)u}n@P{`_d zAPmv|j(!)bS8oI$CGNC&3dU3UW5~yPPWCRC4bJjmi(7`v)E<}?t+IhV?$+P_Oa}I4 z!0)@)$Ho~6NfK{UCLo^d-yd2Hi38G$Ypc-5KcWZ5jY|ga`~AxC$(MiZSLC>62i%UK zI*3+=Y|Fgdv{jRVF>U$&{(=$Ksq$!$FL4Y7mGd-(;4^U_@t8I_1TBV`__GTMXipRm z317a+-XiRlb}f%ehE_;fC4@Kslyou4FbzD5S^sEftnEca{fC%qPI;|u;V(X%Y#QC6 zitqzv7Oc34dFw(Vx@{J^c%w^*G>DPInbafTSs%I-b+>M3(53heECoeY5d(B7ph4Qs z50;=qRrrX3p`MJ(t97#xm(qiI%NH`>TZE^%N+mqy?z0K6SNC-~khYr33t|&beFJd1 zRCc_GU}CSL)O1ijJ&X;8&isu&?{BdFm{g!O5M#BxuvoFO{sU7-d-Ch255{E7>r<8{ zkX&kZIT@T^2Q9~I3)E9U{k!4QczKAkL;`kF5OP??SG8a%%GdoTNX1k{>N-WBE8IXj8Hb5mhG=R%BLhtCuf7fb|jQvs_BLsL6{vH&&mxaiO?{ zY!N0;t8l%9M4>uu*G9dMIt^*XQhZM}uV!6ZtEUomB)U zCgW9KG8ZZY7hWUJR??^#X&PENy`DB~qy@bD{~&paLu<U4P z2PI1o6VOpU<9(P?%z@446x->61kuBHc64}97*8_XGh*4{CD10vW(ytaBcUe=j~9OK zMA%`9{3L(6O|(T#Itjt2oJ_&-b@WlF@jR_fTB|tpT*F=_|I^CIV{EQ2x3@dSTp8W3 zQP?BtfwoC79Q--(5GXCx%*5o>V|4wgM9OoK+UWlHw9~$&kLv!DG%LhI*TV+E$*xyW zNvUURj-f<6wsOuJaIOtsy6P7!$z>_Ov~w=YRr+h}2+eq()jf^)x|lr4CB=&ht?@}3 z6eujsU^19d3krLz^@{vR4;dTV=*QX#E@%^lhy3wVT>_;hwVIz=qdPh%+WKWeh7!IU z(dmgX>D#VR?{ah01=kmn+sdqRqHyxctBL)WC3=YqxnPgW>3KEqDXBR;PzdVjyXln( zu4rq}+%Gos!&Px04CPu#rBtC$j>&f4EpnED3zoA?pW>i3EvqrK#3f$~G0L|0K`HeR zoeq@y4itriH>W`EFz1!Z;A2HgR5&1+=YHvDRWV4~H*umv+f9M%a zpYQY7$f@fooBvr{fj8K&U+8K7!SBBc2JhAMpJpw!e|oXbj^e-2Cx@%+(t^t~u;@JK1dlQ>rrxSgUTV@CSfEqobX 
z^f2U3H*h+2%DLgFsJYlAVp3f>C&b6D8aO+*NbwpLT=-z##*~}2Ao6BTu-Kl|Izv37 zw|>)gkS2D-KZC&K_DnBe-3%&Fuw+=nki1CDw6~f)Cfg+2oJszky}ldw1@eL@_+Nz< zm0GrQRcH)}t~eCUg_EZ}7E^Ghp6#E9vD1Hedg{8jNlsAe-^n%@PN*~bgp9pAv&?v5 zzFn+%k}7AcT`CIyWoKJJ66bi?cM-8IjC>K+sMecrx8KD0j*lI2fa}`3>tuqjx(tEz zvznh`gGSWFZd9Eq6rbv;H~H?zLAn$8vb2L-XR(hgNKuuhzOv~Q8*fu~JLY@Z{!*)} zz-gc1TwqGcl*9hmj@}z1|LFaCF>%0HNO8^L7l`}8Dm{EmFlD3qd@{fQmejfc-Kj8Y zeA!zyYsuwfq@Q=3L?xrGXeH#DTiCz*Y5{xWaIn0p4bK=?u1Ufi0kV3`~-YKQg{d8g6+ z3j~||CVJ^SHJEYPJ&^7($yROS2Q0v^qu)T8e(Y$XBfMVeEmMfvzD|53WW1R9c#u5L zlJMI2C6dDcs(k_b{yXkBjd_pHxq!OCdlRXa!avV?@H=<2!t5AN3-)=BwCQ-ZT&!P= zLweR_&%e~l%Ot~$bXhi`? zB_>nz*BvI#aXhP<@TzD2V?Ca0WhCC6T?bIEx3O%0?mvIkH4=-7(rx{AyR^ut8s(F9 zXzURdWGnrbuz5x_F^8tDavWU2PWGlsj>J2&;;%iY;jkPjz}0hF+s8(C?=4}k=LXF) zgb2_5KRoM4Q2sE1FaG|K54#>VHNY>1$?=4zUqsDnbqtoXZ9RAu<18m#+Qz$31{V>o z-scvK*gE%JM|{}w=F2jz?6f<;boJEhbz8N|K2htve*GTn!-s;=m7)FO>etNtsA7H^ zK?D>Hf7CuAg}&LOj=7pv?=}3DR6G!BZjlqDd{m}m~y(MF00A)*4KlTXPqwTE)c*)+OZ7UH4-f!}tfD-FAJ=^Q$GvM=JD+_RFcE1dAjxYM}chc#%MyJOG6Jd_7-p;?QG)_%1pbCF>@vkK> zsf_9vIB8)2M*Kv_I-~KVF~q&h+GZdh#qz!LkO6-#E=8Xf@t9;fZV|2|Ji~2?QBSN$ zRlI5CTUwj^v*LB^HR+}oR6yfL@^O4UW)%JH+#FjQ)j{aKzF{lwJL+X65n;V|Vr*a2 zNV-=7QJmJyMu1~vC(o2b%pEZV^+raOx)52@>W7syyVsA@T-m3mbM0_s5B?{p@MoX3 zwd^lMNextw2CQZbIq|+=VE1H_H6-=hV81QJ-OkFDAFMwLCdVE2Li6yjP*P0Xu3}bx zrdD+w;EM@Qoa9o}GIHk1$gNa)rUM2NV(&6@0;8@E^rCT8BxUjg<9z4YmNF*s69t(g z(J0eSTAVMUEB~$|2}wtClrk-&fN|-iEjJ3DeyK|u7Fr?_HGHl4tnb_=x>j>5ka;8C zz8U+AduQlzz$wjNVyZ_yRzbhgW!1NQ-KnSR9Jq&ulKLiH7wyO|UFV9m1=Y5(-$lLo z5k;T>X3Mj};HN({0<$@n#C#?*V9Wwt6{_J0)-vpX?(ouo5);$W=S1NSD|$7UG>ySk z=le!&Kl4;V2GG3F%)^q-aw6w~`>2Xz5#Ej{ZjOYGS{T?9i%{LHczvfXjWi_cMpCl` z3ZO6b*aNwJ3~i#B!$$5ev4KOEEPvX=7%r}d(w#TY)gHd{rqV`FeQZ%h$r=q1Lw)#fYE7Z(lwa+PhVQL67#g*pC)1NP(Vo{KW|DIK#{@^)eXo$|fK&%xOsZUekA?T=s%s364sEgIz*15 zC`hbROjOjab&7euFMG_0-iEc-n^<0&vo@;?%&XNl zVk2G7CRh{i@j|TI|Duq!u0e4cV zp%4KrIHGVloHv5EvE`3mj9BI|x{&;Q{ay=J#wc-t{4KktOlnbmcO+TFIMxiWA9?t^ zxi>v@#wv$S13~`pp%SH8UD2F&p1 
z1UsT0E1-*cDc?+Bx1<}<+xzNy;VVJ98NHGvOuF+d{u3^{*SWVOW9a?x^+KyDc&{5H zrVTj-^er>gpJNSQ6xGY9-Z_J+HzPL^O8whKV-0O%3Gu#uVMnYdx@ZcHPP|uCbZD>* zL)IPcDIljlk)y>MY*Oo}%ibStT|eR5H1)OiOt2L4(w39oXF;0|mRa(z6VerkO(H3X z+Pr%-rSm?9Drq`dbf7xqY2IRzl3T^Y;t1JQni@x7v<2gKNZnqgbwnvriWG=^WhqJK zDo34q%_T}w2^I<>m5JeB_OIQ<%!jZroyBGC5ylytVQ5{$)={qigarhq>1UhJ#!uVo zyNbm(y2<9z^Lfxsc@ziV4_vm)#kzyZa|d$*EoCJ)X~4v+i`08j+mGDTuspWh<;C#&Ja#5>GYVCQ#KM-fj6s9x)>QFJ_0omvWTUzJ z@gtvc2b;4*mz_fF4)huZ{E0)R8@Br)J_V-ig@pTPkpu{y-XcUA8>y7PLg48`hF~1& zK?#$j?6gb7Az^ULh4^wApkPux$N^@jBkdZg&*cMhn>ZoSc1RIO4&B#-m-JRZ8r3Px zesoJ|R;sfreOUb*5WMD%12x?o2X}Gn9iPr3EMR~9@&@_wD4nG^cJa&uI)g}+P;DDL z{uP621ZyX+OQEEWrGGC=$c^Re1pAvl9TF)?*s#g?OT}kSi~S zViesJDv?WWq@s_!N#~s6F>SzGyz!A&-l7vkDNf`V4!91lk9I^Ul3ss2 zyyRpeWD=T`@(okwsSMqb2HT~(<32`4A|M88X`psu9OKgAoUHEG^#H)c6}kETv`eL*UY;rC6qP?|xfrgr-Sh!2;Bl@Y6PIt86ie*5B9uCNsrP?P~tv79Lv z0|-s0-iTR$+;@YR7Nw?}s*?rMr_T=N7>g&;r~a>Ki!Z?2+md;b-3uHp?D|Xu>G|fy zZfb>s8at>Gj(OJZC!3z7CM--ugLBIfHtWZ8gjt6{H}Al)tqqhzs7Pm7X02qdqgqIn zhxX=rk!e_h1081HIS*UqYxG9+qJNyHm##R`-NkCccFM~=L>|k?gN*xn0nN4#fV4v; zT^gUfU~qD#U(943MT@b``+9rY`laB2t*zZA&r^(KMkz8aNWH!XPFoX$wER$^y2PRi zgM`>K)b%(*lyJz57SP0M4tC`8wG!hTSiOeiDFDxC_3AdTD1<#*5 zvxn_rHRw_gkY`uS8L{$E&pGvg?0aorCas%%rl5%6#1NKLnoOyH42TG0OqloPmLLyt z)R}K+#MKj#kzV2%D9CWW*^_hzkJO>3n?F8IK<|ZUGBFgRtYHdqHhu+BmDW7R#ficB z+-@&0`C<2YsMA6uX~LRd(l=FQ7AutQ9kJ0lO&#X*rMjJ2|$7`(nUU76$&?ZO^z zCv*g@1`rp5x3rp-mKMQ>ZFdGH>foOeg*l%3ws9gm-7s=Q=bZ}T8GttJ z+(?mS%|N0Ree=l`Z!9ZUUA0bX`*=04Cp{-E{1>7s+^$aW=zh=uiBLs$0wN=+lEkMp zk6Ewn;2Q#!YW6xvPemLs$8Gs|Ns-kjSDiu6_7MvwcxIp4$>FcJ2Z0GWt7k9IsO__{ zhPySV0S4p5KyJv$B8!4UvK5}hPeW&9|2N~}P!Bandg633l|~Z3!J>-~)_Jc8+^sRr zNFZobJW&hvO`HkG6gz7&c%x6I$iH`}dwlz_H-x7G-C{9*!vPasqh;cn@9gw?OCNuL z)M(t?jmX3L*DH(rT2{anIRgn=>eleNY5I)u_$fGXg-FZl6e^gW;a6&kiMVPW@ct>_ z(>0|;Zu^`~!Zqqw(iWfboa!S+g=g`cE@zdNh(<@;0-rKpj($zg1Vq;P&A|P%h6gfE@|lZ+5g{lp1Qbc}4`784 zlBRsMNbI!pE>;_q_7?16e&V(XqXsCP2C}>sB-AR@m=OnPf|Z!z^0 zzz7Eyrf4F~W~cXWPJG30mn+cDt4)@=x7tM!le76%@xkIH<-hV1nwGD@sB(#n!3(?+ 
zh}wLb{JG?ixFIPo3WLr2AT!4A+UZnFgSC8RBnBg_ewvYOV>_AhY=*d?Mp9Jw_=&v= ziCvP8 zDt07FWH15y0p}ac4;+l$@tsLAUCWv{TA+?|;3kcwP`b@6Hrzf*Fx6`5TZzeF3@5>w zm0YLDyvBLA5%u@1Dke?RAqahYj07wY^RLmphg-`S>V?&OJca|(KEAQUFcEu7U+4fr zi}9L~@}qe26l-k!$DFSv+BZzETQd@ghwRAm#iQCa@lq@-MQIQ`d|{*^B?qn-$iGbB z7dZ0a4Xto?QaaP!od)jljd6Nit>f%bor|nm4`RuAMk4|+S_vr}s+g<@BbON-q~?{Z zc;6Jo|Kd|g?k#-7EWuJ132h`~m4XRz@(R&zxz~E)skT26|CBu|^S40yHD9}t70uDA z?k1i}$@o2yR}@_Mi~3r-;#}LvGes`7A3e;}eG5qf?+%1N!09pV1Tuhmraeg{bgc+Q zJNvHTEnpoYUrN8dOuJ`_O7t2wcv+2^LF4JRjP)G2pRJj|1=4UFf&f{wosT-uUd`^V zBU2yvdQcday|*HzGM4SENLVbC7RhUKb{sNJt!WcZYY;7FdCznxlj{8V`5HuiGfx}= ztHxu*Jyg5pj9SZIuw@=EhSxLHIDt*b)b8>T$B8;#J4`3|^NMQ-aLdh$tSnkqwYOVW z>8BUU5<}3_#Gn`p=jBIJD?j>tJg1aN57f@by2E*Jorn*~1v*@x1g{o2hLZ$qhN*>? zbII!wJ3aQ9sF|KXD`vB5=Jwjgu|E}diwS{zNpCEN)#|LnD_Nd^4(GQKR0xk>1`8?! z$pFQI{BC9x`&g*xP*?Xjp_vF0gL&|ZfCzh(*607&$N471CyzjPRyQv+NCkE?QPVZW z*T8kq&qmoG`0;TeYC+BrMcKizn-wp`{c~uUst#FtYENh`))KlsfU7T2}2qJiz+?2}3}mn^A8LI$?g+J}=NXZ+DgAO17S@z%dDWyZZf zHabl3=?Eg~%RVbqz~z6!RRDWM91tRi!?i`)$Tm|mjZP?{h-KN7s;Zg(%Or-oX=H(~ z&|{ipZ|NXTFo!`+z`Ze1U#TtMwEgI%uymMppzRYx^I$K~Bcm+3z<$XG6;qlWqbp?Q zribBuuv-k{>o5tXZ}!M;e8>phEk%I@;bVHrj6uF#bS3#|?jcI{qAR)<*feYkGJ3;djII z52vb^lbWV44Zq(lA$QW7O>!6BlzyxCt->J{yTLWHA_X(CEgDB^AJyWUY4)(h+%q=m zU6GjkCcE%rd1JmawR=RiEHEn?!S^CyuelU0=R?9O8mOwhl~%K3<)X^2A3}{pdaQ-P z=-*}_C(`vS9n(3mxG12VlHBYLYYIs?=uX7qyE1Pb19`(O0E!ugH z&eyrl{c*TIqDcJ(A3}95i2R{OteI_@xcB8&E;y>DbJY=3gvD~-;qT>oA#e0i$+SrW zy$E_3-;o@L;5KPGGr zdtoEP8e#jYbZ3QY*2SmWni*)`Rk4~jWbICDVX)}^BOI1qlF1RRZ^q@0SAuf0fetYRMZy z|1o*8QX2UpW2PwVRz-kv3LboD&khxK_v3Q2`u(J#LTE;0c=qO($z)x%YH8PanYoA) z9P9`IA7r@?HMvxY`hG$$k{+W0k;?-brfV)UC^28Z<@vSgG=>o=y~f1*Vex;l_f}zb z#@xCn#a#;&cPUof-Q8VFp}4zK+={zH@rf3vxVyW%yF2WUf31D?I{W_IoxAxw^Gh-^ zJR@(CP)HlIW#$!Qwz}^U0lc_3Ou6vL20L=^+=6Pm=f|5Cqf~Og_WxD!)GSddwOcQl z9oVJ|{v&a=>^3a;CO_5$mPLCGT|Vb0Oz^98Ta(v`Y>M{bK@;1K?KF!0)Xp5Z?}ur6 zvy`YtZ%Yl3j`#-KqXlSOdmGchk~Km`Vc<)#bC(m01)fwtjkhc_T`#C8NZG*0)yeQl z`>Az+-6Dh=FS&jNeFQd1ynQIHq^Qx*TECgY;Z4*)xmrx$kVYfj5_SfUR? 
zx>1-3i(m&71+eKyZlebbuMB^iaSKzy)f~h%G}Jv{!PLr?o^J$$%G7y+dM_Gwx|oI; z`{79~ibjmQ*EF!3M75q%dvN_OW-Yz0SYaXko=E}OXugCA;_q1Y-Xy+krW$sA>BUQ$ zS(A>+oj{9%3YC>zo8t`E3#L{VMw9q)l1OvDlr2a410On`IfR98b}?WNY)bwv%w&F= zRw)YXB(H>?lJVbUxRqbZ<|+LX2e}fD70*{L?2eip)5)|{mz6>+w=L?wLRnZ&5A-2T zTLC@z#!r(FlwBGE-}8D3h*2SFz`qS^K!6K@8_*gd`Ja|BN%fips83}>O`q|Og#DbAeOy(cT7wA zqjv^u1%{7QH4>z7$x_p*B^Kg=s`27b4vhs}r~riTHkaN~Cp-OcVF0z0L1YW|_rNjM z9NoPmH&?11*|DY38t9%rLc$*%YLcde0slob7?#s=nPH| zhaIo}@}HN=6e4rn_lZ6nMGA`10c>vmFag{u4DBizQkn@E=@@VI8ZnRyoVMmMh3x0~ z6V6bWmxQ|X?}Cub<^%h<7vDpF;@&meFc`x!VH}Dmg!YH#wb?z^yf6M@%~H)yXJt_G zdQBD6jRgJcEQ_vB>G0c3syZ^C+K~F`SK%6+3~nKDLFBKlmWi+-?%txTqpBk$T3A*?mEJ#AX%B1Yy5>Lu3ZVjrr zLpeg;0chISmfFoEJx6E+zTN&&dO@b<(YnxwvVD(P;u$P5ZUZbM^el8XFbh#y)s(#L zYJRyi$v+&y=n(n#%P{8Ht=Le!e9dCfi;7Au~jP=qer);2;a~;;0#`2%TbAdcA9|r zJU)%xNmwQ=u&Ne#D7I1WigdxpY?R@e%7*ENRR-@*nt#I5eJHS44Pd+r9gRgcC`$+VmlW?|6@-R0a4i*HaAo9E;jd9Dx{06cMQZKg5q_@KOmm}U+E(;V4 zc2VGlLS_q#Lb%OBB4&+?+dl5>#_aj6-#>IgT=}m_pe0-^i3L245jN!Xq>E?r%n4U#ky{Hql&0+zDcg=@aXQrcAmkHogv?1;dQdoi~hk!a^({m`(> zQ;%nLis7p)NPrHZiH3Vm(kA;I2fr6X!48tslH3bt!3yc!9qckpX%!#W##GpqLW!{2 z{YT(ux?6e}{+q!2pt$b%%IwQJv+RurtYM0EA7?rlxzxn;P4O56KSCt0Q6M&xWOZa* zdAt`}8%fxgf~qdYz~R{(alElcG(H3_3Ai!rMZ<8$KBXXZry-au_L>RV#Lq(%7v_kg zHsx}#M)JgxDEx{9L>2riraDCbI7%bn9KE2K@NKAHbL%z65Di|3%CrB$`1MN=d);m~ zOuC@J8GY`sqd+&xHBB`Unt$^j;jdb(cu9&|`@Z!~f7%vG-|NOU<#Q1pQt5L69quVa z{E@chqX-fSF{9Sr+!Wp%d()Cj?dIKx`>0EcGRWvtgr1Zmqjy8G)uL1mYtdq7zxCuf zBV&9KPG6v@5H)+MPA|6FYH0h+a9K-;LlGka2g0>gOA;C5Wpjlgo@u?Z4GpsvDN7T< zBab!`D~q8lYG9_bQLDuTr<}fk6uDRs*_j8Kp{+=wnpwG0W&N(Kz-Q*me`KsaVCjCN z1UsBMa+4EUojOgg%wa~EvENiaDLS&uA*ngS7-0BGJ6ep7C2+`yY2H#WAdIPi6a63< zng6mgyJV*+Qau;+iJw=!7VMGk!)fi8F=!S!gR+;8d0205Qa4Mp+rm^ji7yJ#0L3dz zuXN4Q(;-r-vcTv<0uGi1!wgP7Uvl)6@Wa|rtrEwme4c;z9*qBaP63$d|KreM4O-EP zL!tbL?PMSU(xJJ5N6>tVeB2_TJY~I_(KOdi6!FhKkEsx8o@uEfQXyU=y3$Dbyn#C+ zQH&k4)LwcN+yCO=G<)kBF!f!|wALo;J}qmcK&$HJ6#Q4ci^Wp{KMuT|TsJ_fhhqdP z+cN8bVbp@~X&SfG#B$CZEYAC0q-R3kT>K!z2XFAIJeoNK?Z*)!_;AEAZ>)pA_wXqe 
z@$!oh0r2SXIlTud1|;Dpz}})K;4eu4hXVy&8X`NPQTfdFAw6i8-oU9-uZpc}Um|0UeHH085&d??H74 z2Ht9JM568wM=<80jc7oAiVCz4(Tv0S->Ito5@{B&SYQ+dIz>$~h6Xri0C>xF>~{`p zKCjz!o3_ZYkjgb!)gB-;G$H^bo`ZY-20p7I0D4;f8*U7c>na4a*83hk31l>L03G_< z@kIzgFW)-c(l@J7lb&#*U>B7m-MiZp8)rkX@d%M9q_@f zPCV)}D8Km+HdxksS`a|81IeNXnIakj;0hT4%G(f5m~erwT>wIC`)T3;J6(YSx^wm8 z6Au8QCeVpTq(T<7ANGgkN4Wk{6@caC1SlnH@!Qe|n6z0s4U_f7@7!yj$KYuydCm9z zm8xQ!R+ZlCmbTX6=nLc;KJd-DZhY_NhxT@95JlbDM)M229x9-4)aq^Cx81kedTryq zw2a@8s$F$$smU7PybgMvZJQ}l!&z?@vnEfIh@|D`R9 zuLr<$370(QEz>Zn>o0p8quLk?H{dlHDEtqCV}krL&~qMpguZS2063ih^faW=<`3Lw zGdq%WrI)-66K>gW)2AUo2X5)LHZ*-PYg{}8e7u*2!YK-}0%qeF)A(+~u-=fCv9 ze7y+G4<1RcyS5NUZMPaJtR=C+Q@W-l= z12dJ^tyCzf9X8~{Ut)2mHd=e5i_VPkzx&$XDuo}8hMCH6&9Q-v7V7EQRV9hsxF}(j1+D7E*c{|l4t9ivr z)4oorl-2qyFgN7lONs-D_2Hp@#Y_BGq^(EESfNH^JkUg*?^Qq0to(B-gnB{PLioiK zb)9f7@?sWcnf2S*mvj6@xVHN>&+%}GVI1Ds6Y?EB3nac`DBud?iHq6(JDBT1d=q|+ z>p@1upt|NNs5xRor7e;I5C$nuT(s zMvX%VoIVZNkmnCkbq=s8O6ZV)5;*@8`fs~{KwdvEW}_nBhk&vlOlE4ZO6YMwmAO#q z^Pa8}`#}{%wUj6lys^B+QzS|ZOROFczjqL82J`M<#1?L{qIeSoeRFZWBv(~S9YquP zNE@&2PosYvKTRF0R5FDh$KA5Y zrs=2`!>-BCqq?r4A>6m*{q>$=@rOL^pI16h%K7I1bW1+@A&jGWAt_F-SB(xk(b+gRAaGS5a(}hnv8|-P%q_RS@L_Zh@5QX>(h~o}5PJLb$y`!oTo^L= zb0JK16ES!LmHdWsjklsuBPCO9lB)lRG~d@o(kj~#w0#aJXBnTw3`~jOl=bIAam+_6 zy;8y{<=(qM32!<3=5JGG#SL@NM$_A1X59u>%lnSeS>?7R5e?=@(kplA)7t&{-5LgY zC==!(-f_Sy>3Hrg7K&KiVg6oOSwS_F<30jzN$7!phj9b5d`yVj7p>HH>6E?o2K|br#kyNtTpyguA-nD~<|(Nua9Jj45Ft z#&%brg5z(R1aQ$s@gk?27%mGZ1VNY;=Kk^%*!<+YH(a<(rS~Qsid1+u28Bm;W@MjjaN?IBjpTsd#D#5$0=d2uJ6*cKZBckRF!7 z*GgtY{Ga;#6{R7f>PLSeeYV!Z8ozX@Rx#x-{<7DIh*#$~(w!ub$oYDfH}fDHweg2; z8@v$_yb$k9Z~I>ZX`XOSDvD{8REjx#1o0pYBE?AFP#=beU(=(tu@4&9>s5A51`arr zVW_rO-qXUCc0g-kykw%#c9LQ|si=WNy3Z`}bjO=l!)7Up`SdL;cTW$6w3|Xc;o9#l z8K*)k)J7U0KdFSbO@Q%hi0X*Ao(<=&t>)19u|yDg%m@DW=1(Kesx%#SIAvf(h_a%v zs2t_lU!oH3IzEzMTWYQFZE>VkHMy=^ZQbWOpKmHZ69}>P(R9fD)U8WGIRcP=L*qBs zoy{oC3K@=`XO?iO>4+5mO^mmVglP7*ndpwRXnkraMrak*|7#Ayl=AQc(nToFXTqjq z_SYDpp1fe;&Oq){o%QG9xtTw05oJ`u$JF`|$9^jc-pBs0DlI=eOxr-y{4L>(`%9id 
zN_+)YnJ?!2O5D1o^=k)x_#|@*-gprP3bF{)jZBOB<3n0$-5S#hE9U8<82_vwliKJ# z)R!jO?HjG(y7B+aD2^IJghk5Rpc$p9VagMJ#t#17EN?j6SdRRstbtoB4rE5Skou{WlrtJTye(t?kIvJ! zi`2QDo)oqbUQ3HyvoTVb*}Xw&G0V4*GW5#R@D-tJmW8^jqZ;Wf=CFq8jPJUOB<@o& zvot?~Mh|UhPcWvSk-M$SQ1Fj#ID4&sgp4D3m@O+|PwP4lFV53)VFDf!Gje!(0wImt zLtlG{Pv1)B3MpW-$d=+0o6yXK7uc+4Wp8okbwiL5_D$-GwsywD zZ#=xB{-v&*pr_mv4B+5irLje<3?whtZRUr+5VH0!BQc94XMJS>B6<1ZZ(W{U_(I7nl2Xdc6P6ez{$S#Jw>c~u?{*BfN;QW}t z3IkkScumxBh87gj2~IG#C~_RtpBQIHIuYo?OT|u1KZ((X-gvZUp!9pdg`t&ean*Fj z5CS4U-xGAab&Ss688hD=gF893 zj>=&fgFybM{CM7Thn?|PjPFw?U(ND-dRAmdU#v2__b#SQ>ep==q!|huXiA{grr~JYh%iL6{ z;<+cv>Rr)Ap44N@sfA*>wUB<2A3hqI^b(?r-6U>_8L}kV$Jy6bEi9bUCT0+S2So5+ zRn&uz8Zj=b#ll43r=EX&x>Sz!Rtbtz5r5y~AObI6`zwdN=f;G(q>@n;@uy}&A0!?Z zC_1CQ*XQA5H9*w7Vo%0e7-ySiHNwYLUZxWvVTkn8nRkT*GDqLKTYGC_8~sQ=u|{VB zhC{$HQ``F_&P3EF$tTGkV3T5d1!*nv$#hEQr+g+(oO*+9dbO3Y8_td`t6&_l$e5LM zCnN?kGpP@S?JoHdmh2njc!yY3q%xWnQ-*8626r5ztKVvxfJ}D2uI@zK8qL$>VBk7% z+*Q@EP=&4E3K{3kJ`j|vFkPql%PA(&JaVmIKBwlZjf`XS^$m|Jm*8?q?@yUjvqG)a zSjma$;MUOUjSl!VjeQ2LZ(|w(O*(R~HTs8=$sF)}(nbbp*!JMjdE&fq^D>OLK6S8@$MY|d8lHTz390^X7RYb2swYHOp%?dJow?8boU+8f4wU-d*FjZ(BcBAy4fk5M9@=AvRRtuY!5W7Q zE|ep*0ciHQ<>%%(%XUNa9K1E{%^!K9LUZ$HnR=P_OZw)`qQp#2d4o>)Q#%-v zZp%S%Tk#}ZjC4Lzew)ZYiih+|(%5{i^9+BKBk_yEx3X~0?bqEJ>K$MXQPtx8_eNr8 zAaY)7*i$rss#x1*AHM7`7TL5OQ(Q=owNN#8QDFE1U59Ptf86 zv9E;kVnEV>)QI21J8HK#d9aw%y3eNklI0`L~%n|8Z?aklaXcE=6KaJkL=)94qHbO_lK%*D<9ZN#iO> z&|k|w3>sD4#8#}}Br7pSle44h_Pgq$hxNr}!a;GFb}G)5F=zUbpN2SGe!1Ny3v(QB zUt(p)Pw7|TuH z-LHZXFnomzYt@+|b+GyL0HrIC`~->260m?+Yi?yB5e%*1q-n@<0Ec0F8IEskwME`! 
ztPuj|l*L9<=bkTF<9?Fpxg6T?IxQB(Mg85pNB5X=y`eT1Y6rNM&KKoMod*>_!z) zG_n=;{Wz|+>Z?u{BT76sJBenncN>ky5+!TEEqFJ6aDHY#DnXleQK*SYu%?PvQgq6G zxOgHfV&3PUcj~I5u&jm)BcHm9gM-VaaY@{n@w|8`Natph8bm~(t>_;%QlHBS{2 zv!w}f_FIHWKcZ+EnkcqKFx*h<1=>he;9^Du-Cp-*hw%XQ3tk_WF^FnjZ`mUOseGe| z?}T<&st{SnRDBv$nRJ!g4NV?KtO!&R^d=>_ffX1~dfP7*3JC2&{5AIqJmzed*>cNZ z(&(yae_h-|uYTa4SbRCnzX|3O(XtieY%CvWl!+t-l)g7pA*@CNO(}YULApGH_nmQ2 zX@FGQ6>Zn{K6d#-oO3m(vn4A_WNb`<%7II}+J1=!_acWKi2*dKys)opj zUBN5ZgYGhlG^hkKT~^hg{8zPgK$>9Gf%Dch?nXMkbzu@~;eS9{ob?-cX>#(`;+O zz8+6nW4yu={8MH5x+Rh_(v3+J`Rb#dy_+{DQm5Xt7pxR+(y|#r4iCR{40g9#0 z(NYdTS(g!58bCqmK+nAz@_sL?CvS?kH zVX|7Wve8^YzR?YYPm3*9L{wXhaY0=Uz&9_gZC8uENScTtJidATlvob)M@_sBB!sOlr?dPl30@~Fjt!dIA)6F~Y4 zey|TZ2En#9!kk@58KK<}9TRy-$2sdMe~9k4Exu#1V*9%p4r?}f2E8uE8ukoQXjckl z6^9<90uz1-f=zzIb zryH_4br`%H&J*WMXUuJE<9M={A|kmvq$E!9igeH3;es6U23k{vBlxsFTp|+4a5h@y ztLudF;g&NRCjOAyI42@{hL*K^PS;tiO}I%R=3sABBQ1C{ONZy^%pu{T#v? z%Y`pilh{!#Otw;rj2J6F$4<9gF1+jv+{fzqYCPZ=_ zP36apljd#)O=+ZF>$S_Mbd2q|lUMUT(6DCO%qsI;sm=txoN#O>v(irhzpK~+*UV*k zymd-}f6R>_*G*)|eX2%4uImLeY){G2a?m8He!(MLQR|OM2wW{YYs=Be1BOjkQ&&IO8ie*{n+y{7|z~o6H}L#KeyK|+K3W{>89#Nge>LJ&~;8!!dc~) z{EmC2^;!vGstUfpKwY&1v_CFikH$jUDQs}B((bl<@t-Koei+_l-c&a=`nar;xD;Js z5fuv;TI;1Z#iW1RV9PjnDat{DHB{Ua``*s>5K8#Aix#s%?txMwp7p{2aCtW;j0>l)UYcvUqT zXG+~`wu`1Y*#f2BoV)%p6&}+#u%kAs_-@&s`W4I#vfB>LvG?W6f4k0#*!-xJ+2S+g z?3dH=#?>PJVVNPHdzYd*@(!2--!(0noI2L+1@X#7THTt&*_4j=jxX&qq`vx#EAATU zh=}k~@Yc(F6-rK13|RTMrqV1r)GXcncaS8c6S4N$R1=ACMmxkAdT^FSf(UlWJnW5S z+LEOTR(Inb))0zJ=BD3>UgtY3sSKT+w`0!~MNRprcm~T}0UL~9K>eiO1;Q6&2*Fhj zHTxU8mYeX4fva&H-JywP0BC1LVNB_a1l-I_N=?1&n_}UioZ>=UD1DUN?Ad+iGovdO#7vHKQs&M>h8-U?5vp8b+@E?p|`1o!G&ugj2(Q!SjVp zO;Iy0#ZhO0d2uNN34eJVIxPB{vS0W!mcxui1eVcxq|1o1mC{1YCpWyvp)#!=MIqxO zh;IK^5Djr0{uc_5{1aAbMgvC$FVl5{N!K_;eS&v5S?N)+2uck1H*qi_3rYRM#_3>( zkr6%VoigB)eM~Zx@u>!mvP#12 zUARU2vX9m*^ZbjDX8GKpY!fxxbv}ra<%E%?CaJFBTNbQ=9869>`+3)aFw(reyFf0j zg$8)6a^0;CrU2XPz;`S0*BD7dssarwBy7ll&X&n&E$Heplp@Mzdv)-G{P?h~GJo{o 
z*<8*#POZ7+KJPIWj60vD$5i=N%8u6f)$WC{g?8>vQ1w1LM}cC6_C(tXv-MFuRW(i4 z$Uf!TA)dEh8P;Fz3;jc2)lN2UH4#Yd^maSMK=g%E_8aUm=HLX=0FgNS@%cX@(qI(r zW6ZC)smqQU*1A9H?aP8}y)%NdXOMAjIQYk}(2OLNBecYJxYW!(JIM69OFLJE+9t)8 z_q7H=2yTL6zb{E}SyNR$#nMhQ2-D7#SQ$!MSk{KYJ^ar}4v2A}<(;(@w2 z*5am(n5|kGg{D{|1OAtx39-5#HU@|IZZ|A&b0O+jj}DsrjP{GZ1b@C0^H7BmSK$FR z*qkc^U{v5gY)qqGZiyaRxMDafi4#EJ+C+mXW z2Q);qNx$)D=wUigqBC1{&n%db^&GF@@My8lj~dORZxE!h>b(Jl zDiNIN+lN^*7o=g~r`7lrr|15X|2_wIx3VWr&v3{|!7I?PG)&9Ks?D-!GwzYBkQrMn zc9sZ4yKg&29Kez&5+HL8c1BxP2W74>tNIRok#2$|sSy`FE)2!O)L+hpoAe!&`Z(NCg;p*sA{9;^fG>PM9Acs5iBhAx_WL} zV^@bXv3T|}oCSlm0f*db=$}a6eY+K^%$_b%pB1=ue;d+hKEq4bu~-~eM&LIY;Ary( zL!Wo0ze&6A9xrNH;d!k`>L|svKcy&7M*)gPxWj|5Rt=V zBnt~pW%|O8Lnlrlf9ic(q7&Vt`rfM(r-kRL?5Pm1p5XQMdqO)G#Kt3o@BSp#g$q)*vgd!kUk|L0^GW^l zSmwM&RjUoOV@_kB~>ew1Z_|3oc+>30@w_s2(5Vkv=wzwlBn9lXTkS>R`^Ez zGYKg0BI%wFt!>m0k;focy~lUkFdQ||(b6o+u~KVGBOa0{gF|;%h;)uTOJqe@BFY@f7a#6B^Q#IshD%e^Zj)CHx92&DO8f*mT@=Z!{6 zc5gx#2+kr+)-*>NwTUSgRQ-g>#~=9=?)B2}61AtUH4hu)ghJ~CPFpRecfjZ+3$-CW zO+ihu-Z6@M_Oa<`@M6RVOfde#LBmaAeVUV2r){kYj=MeTo05`c);&|pXDDpVtwXdm zQK|?+IeyBCq5k7;K3pzbxJi4PnyA(GqDpY=X$|Gz9V#5Nu?-J4rNP4Wf3Izk#L#V# zKV8xs!(NQ4(I9gGquGEpU0_wu-<)HoXBoUGyx9dnlz!D-xU$kefrcM-*9Ie;{mitI z7sRDWYm?E5z*2(p+md3$lRy47nO$Yh0E2V-I<>wSl7EJ@=B95@6imMjJ5OITgA0PP zW?RY%j_sN4r+MM2ab2uAE_P;0ABVLhp6r-~O@qI$4esviB1_K!oSdGM%=X!#o(~8Ur;$W;ho9a8w=>EWn^;0UGi;<9|Z$4-Z1;__Ue`JF=)q} z?;Jicu0~YJXr%gWZ0oRmT5kPVYK`VZ&v8#49K zx7w@WWS45{buRCHHHF6?>wg@+0fvPt7|0O)1v}a<*;g5I8ObQGdp$~r{zehAIe#E; z5!GS&aX^A?nXe8Rz{dX{C?z&9?{%m<%P+g>x!lg(@`bDw6Dv1RiL2J03-i ze}y^c@!(2@M*$#?g@O3#A^hK%mv0?|c^_ymN&?3Fzkz~K;4xEl$8S8i z`R<8Cg&uyIgh;?t`2s0Y0Xz^apw@?Qzz<$#pea$4v&#dt=i?a9c}krN_*1e$q#K5D zokjV2qZ{j%lSG7WGwe6YnW5L*Cr7#Get^`=rk|BGL~T!?3vqW~CdnW8I0wYM4|HcY zFp4*4zS0-SEI444@tL#|8B{lZfVBb!>B?kpU_`zNA?v(5tjJ+6pgxuQY8t495re7x z-t5LG07BVluTn>Rfe$E*Pn3%+y?;mi2ZVAEmvt5ny#GJvT6psSRHL8K$1rqRlUM*$ zaTEBOAAgD(5zrh>U?8Fh)7lSc><1PR#g9qazoX`(rIrr+Ej;-6hcDkZ>z^TosB<;d2o{ 
zG^4!!IOckB@p`{rnR+iRkic>ezA4lZXOOf;Bk>kC{}go()hXz;u= zZ?V@pg|a)+D%dz-^KgXlN%j&j+X}yq*@q*8puMN~_Q!1f?)`%g6=a8fIb45C&%T^( ze=B9P@`<`R_j;f(t9ZZmeL7&5?EA=D<^?xUeBYQLQa4``i0pOeJLtJT=J-`Iz>Jakz@1#JCIX-}PmG=qFt7(?MUTciA^yCr*DH$earS$E_S@^4*+(hb%?t9u zr-$gZ7lnVnwEc|u#T=bG{?Xv|`TXTDd&M35;(?EZ5ZbR_^w+t>OC*sunb)mRy?hHi zxKIaRa_pZaC`P!xZB3o~+&6b)%rGop%&utT^#^lRm#Q=m<Cr<{e$+;okT4xcxr;JwM>0Nb2Rx*4u>= zqwu)$z1iS7@BR3uL1JCBw0DsBf*bawTj1@{_nF8?#rXF8?Xf5|)u)7%%ixv!m5a^W z=EHBSwTXtscB?T3{9BH&mcYXuzqJF6kiRi#{9L|F> zIPG4mTA8YP7OnN#u&X0*3k%-tqOcAy;Ys@PZeap#pCTZ?_6< z?+OA;TIGT>AK&@j6Scn|5@o%4ckP>P0gkN29P&ZF=lz9e{jt<{b9h`1xXdM}(r20g zGwJuXyN-|Cy`0ANWCn~QKZ-LuX6VOE6@oKr$^~0OxlKq<6?jmFr>sBYUnM`66;XPu zEh{{x2P6dHy}#YJf1^metX~*}d{ytoGkGxXv_wE`o!Y$Ke||l>n6)@-@WJeNKFz&^ zd|KTkvR-N;tA9bo7>11Knt(AoGI9Dv5_haDqBcL~C7A4@`sm@scB=W+^6%WsALlpN z?I;uJSYkT}$hXP$r_%S0%9kao_a%XDvsr;)I~EdwMeBmHUhV6Mxks|!90yiRXpk<% z7oNV){qNhpZ>Q1k<&})uzC!BnbMd26?W&moKAwAU`?KHeAFfB2_w7cfGO816lCp(q zg3>#5YkZ4cJG!cKBZO~Etqgbognc}!NMx+(=+fQ%NkoJPahN+EV@Yj%kd?RIg8*03 z65Z4+gKhzVm(D(4n$1c5;iwI2-AR5-!(hRy1$SD~oH8R<+dJMrS+~2WVZ>{}d_Rd; zRi}kx=A4J=@BMk37V*qb3uv3F=z$vr&g9Lx1oUol2;*dKuv$5!QObrlm*$xMz9I0S zL0s|J>F3Q~qzX6%36c(T3$r7Ex9GNa0M%Y-Zh_wZZuuVAcTTJOpB4hI<84s(qbSJu zL5??&z^MR~Px2}vD(~g*R{`yJ=U!^8x8G8Z1nytrr&k{>#;ARO_Xc7Zy@j74HPNk1M5dKomp;2Sf%X?_zXV8l z%AvMtmyaZLon`TNhxAYw2o%X!B55j$ye$Wvw>{gOnsirV?U`fpr<%kiP^Hlpr`e=J z$|u!=Oih|i z`(n0*;MYGisQ!@-#tb=5S?QMHc(@s5G*EYwldg5fJ-sAoc>t+wfoV7=uqeeP3SIVB zcHToI{raM<_9tta;kt9ouB0>&g9S59^>fj8+;Ll903;(kawyOpJ5~B~E{>e9$=72$ z1AC{G%?)R!TPv-|14;_-wp*))6?`<$xrDavkOH$QPG(-w6QWIf`||v4PvG{s{W5~6 zj-9@*QpYjtTEXW^<85;M&Et)En{9~$aM;mc-I3Vhb~C>3-(C<1e`njzv;(%9bu$lQ zLnyCof4220A*smieQ>rMb9^Iue?<{^H1Of^P5pZ=17yDQg1-k-j;TSjTK z-k!fSed9Z>RJ+HRA$YXVL|~zsWvV|-4{); z&_A-nrgDKZViJT&Vk%_KR;aMXPicTeTRqPagE`AzsoONO@;zzQ-BFXI4 zlk?**@}{8{i=@*@&6=_~Xou!_uWSs2TdNjSP$*Z+e4n;g4xYamp8n6#vw}DH2`)ye zdtd}WM@0D4cb2|cXSO*{aaQVp)RzZlapZq~jy1wE0`BA3EcHf5-=wEa9`C;+{Igy! 
z$=HgRED1lgi=1InI%!!1KzKtL2{g$<-}-iHCiX6U26>u;-f9S2i49J<%6(BN4pO+? zcA6TtN}8gY{+MLZ%_0!RIZBBk+i$Q-11BCl_x5cYUe|12j?S-998My#3GB9_-?m^f z+TMKMA_T?-G}+#E$Jy2jsd|RuNjkpuSweb0UAFg|`DdEg&8|OPZCm$w#vIE~&Tc3{q z^z+!jf7JMVqLBACXZo&x>iDfK4JknjArr@_^eiK|I;SBfpo6ihUCw~JC;R~UmPwx8 z!Ll%7WOL2fP~+z}0q(kSS{4(x3M|%9F&@I+0$xB?GC6JB#ur#}F0%kWt+o8D$e!>N z%y)q6-eW{iUEfSIDXY69+4FbW;^jtPUFtC7ewkHlSxsaZ9dI6w(I`6k_+gReXBze5obvcViYis4-aK zA8UDt!WZD7@Irryi8Wq*HVju(k*k^|`dZ?}7Uy6@rWJWuh&k~nM)orGZ4pa) z7nVkR%nk>p?a^%t0D%2wi~X9wNARod-$Ws@Zu7D5!%{SF*z6}~>%9Bf@m~dz4~!k- zSAkj@P(+ZWtC(D+bFSEJdQXyUk?IDLA7$9P=b!AWhK4`4m|dYGHRYA?q6y;6)n=TLvR-|5aTvEmm?;$gRcGbl&Xt3)+xzdt@54@Ok@VIaB~goy$^9@&9y>$_3F zru;@IaC2GtHnjdY>RXT8knc(i=2w`PrRytH7Btkx?3X$ZIUdsSF5tqOb0CH~<7?iZ z>rohcJe9A{VZt^C|+LnN4v;Z_-{!ME9<=;V8n{8d4Qxo(X$Ps@}+ zMZX81A}ERZc4nH6$At)GSRqD^3c%LR6m;dI^_1`><^t& zpn}%0p$#^HIVb!I#Q1KWY%uHe*LHpqQw#dvVWW%Vt5;QR>c@eb7A?#Ms{l^-AYfg` zCpE;Q#NQeHF4p$JkcUM^wGH>nECbJg#Z5D2v77Cf%+3gH%_36&TB%2EhQ?m$q1$gV z?F^LdgPkQlOCI>6Ozino^z82Q5NK~gm;>P(QxlZJN^Vjs)e4UzGCxMKiIFY-8X0@F z_)SW~o0vo7bws=Lym6L3CHb%VFx!SidXkOY!P=jd1CJKejx#7g(8l!|NSpLN%ruuo z{j8fCgbhzKpJ+Kc)_p)ZrXcMJ>zQN+dkS*F7;$@5wTPtr#{)kLvfL0))lqQilM2Z^ zQv@>_2dQaR@$pt~);8@-s(B!@2a;i+SV9cj!VC_`LGIkDh;>%HCUdOG{xEM450%{# z&wE-+sGi)?J;hh3!JF1Jh^4a3aRJ|Fh;jhrLKQ5#YGVz9W!y~V;v`N@U}l*I0)Rz} zW0j^3=l2|2VPA9}01y{hfpS09u(I^(vJK0NC)Pk9&DE?Ud9M}|=FCg{A&&iyHsU^f z&GcU6cw$JXqMYe;8*rEyei|0I2CxkK+k-0nu83dSA=al)``f=+5w!>+z8aby$Rx+i znmN*Ls2K(6c(RoycRD%VNE5Q`|9rIIPEohM<*0Z`Q5Z+Hv0`(~tsx}U8HMwDD)(&} zu!+fGx!}TzZZI zv96i+M{<2YA?b5k-yVY$01n|JIs6|S=LH8hy_`J}^&$+A>rX;@WAxb34LORc&;7-c zD+-%Jz)}M>O+Q~qH^~`W&mnCWHV`vy>r#d<4~AoXOb*~!pHA`oIPCeCkuW>4(j!)h z7m(14F^NUa{z%ib?s0=!C|Vaw6y^_8HTFVr!AF-`jDFnjj5zyO^hT+L$S+n+G!Nv4 zvVUWhQ1SY}v5s(lT9T({&|&s7Nt-1IgXFVb_+OO0WmsIx68D=B5+K0|1b26b-~@MP zaDuzT;2NA@!QI^<*r3530?gn9*8ssixr=?y-sjx&z8~)WHc#@f*6Ql2>gw)a|2v9S zuA=V5#;0xW2snMveXMy{qRBTM17_=OB^JV|SdQnIGutmpSK4w>+6f;v3Oe8?>!Ejp zF>bxjt1}DR|5ccQmR27k`~ma%wr%2dJKGD>@Bqn$%3I|k)dq)R)@X_sLmmtoL!Scp 
zU)Th5&dLkhVNQ#9TNUT8+1gvZzG}9ANqCsESi#4o!FIOYlu;n$yLDl62IXvCbts4W z6tUPDQrR@HZxsbY%Xb(A3E#o9W|PtN-zg&YttFZ0Wla3+2O+`J_7|?-mXr0eDKv9p z$kOqZAY`3qSRvF1q&uQveMYPXH-<_7{#C4n1YaBUThawB%0)d+Ro1p_QQMEc$+e?4 zh{@Muw&k1JZfPz>sm>HuqEB^^dS;Ai92?3FXSMGy0WpbLmu?iiv)dMeUqe4~MURdn zhl(0R)G(l^m5KAyob(>ITt1DvMNiYtzakB&xqp!&+5%B>hQ-Hif3n2rU8CT-VjG{H znm`Mw+tY30z~RQ)C{aXD;GbyriOy$QpqwAq&W0D_KXag5pvtR#os(g{OO-|7NrUy< z?SzBVTGMm@14WL`We58*sadd=e#l%6PHQc1o`f)o9$!;dSvQnBT1slkwCxr+8T-VM5 zLHO3R?MDfjE&5_*G#cc`SWnJZUSA~q-j}IKt=|$6tX??u?9QCqs#wYOb+F}oxS}o~ z$&Y?naRNa`z$@3+XAzBa=s|uJuPK;W32VHOMN{-j3Vz3xw#<0iq{|TE6PlwJJpH-jBwsH|wIITKl)$#LY>hjtmZ)-N8c~NQjm}g|N&T?+J z?=!6(wvF3?(l$|)swyKx32;F1Vixo;J@RKKiXqdy3n1(8w3G7`uz*leZG25=7~YwO zdSR@0b8yt+jT#}hxhMql1J)_up4nW1ZZ#_=cOiO8)*Iv!IwJcJmxeb5iS8QkSBq15 z3cB=1JIWg?cxU1_s{|WN2JxRhD{$V^@i$RD4>-d@Xd0p@h^8q@kG3#eCLn1)%3*fK zF=&M~Y}nT%9Ong&SC&sEf%9J8a<+MU$u&0qg{kT@RewE#cuxU)M-l?$pE$Id<)NFJ zBE>sD7>GL4ad_f46eWT-tpygpGanBFeYxof9T}*<8u9I{M;ViABnQ9}O)k5v-r(Kf zP+sW5y=WJVpFUW-kJ^kJ`Kle^*L+oF-SYNy#x0@O5bbq&Au-eKRmN=KTK*!m zL-9sT*K`q2^oNYxo+ztj{t7Mp)DP(pR?q}xub<%U4nqsPoKN8_g6z)e-B6<%v> z^$e`cb4FLBEQi);x{q`Hy9=LUFZNTnWar}2?&>+U?J6!a=7_Z%Rme{>SbKBd9iryW zTATzcH>^XVypGSx%7)uMruu$7#NB1wihL}h-R?>)nqZviTbEFraItbgT|KQr{0{8% zX)R1+o`8fA_8{~aqSoa*&CuY|fw}!G7u}$_EI8WkJlgLhTm@?T?TJXe9&4Q}zUvQb z{g$9L>=K~Lb&tv+wo?vJ(1GuagS9^#EmCu&4@W3gM1ndnUSTK)9!Uf zIMCL$p=;UuqTke}>sJR^1>E9geL41MKU`OjB!N%Nz?W()3%x@7#JUJAbILV6u;SoB z+Y?;Txn#B_+S#L4jiucZ6`~j?fp~()Epv~smtjSUUc7yI!xs!U<{y?o@d?aK`0m~{ zHsy}Pb~gtL@JSE6L^;P#;3K8l_*jBO$kcR`Tuf%`2XPI(54)yxcJ zX2H0>jTO#h)Vt&d7JfbjX)dFDkLYC_Ubn`rq@#h{__UDO)*bzG#9}>jvn-ar`8d8o zB#k_k)gR72ML|BvKp%V|A~l*n&B=ychBVekC`x6h@Dv`*~xNu$&)onU0~+}Z)!0_rI2odv8Qcw1rjPMVUa z4Wqg_H5rXy*U0^M@eeOd%NQF?T`u41_Q5$v-g`>V%_N$y)P~s})E5Dlpg=Fq(1(bU z+&qw0*=%&?w^FCt*68!DH(u+wi~1%ZmKa%KOT)6GDde{R72kUPcHviNJ zfC2{s5Dbl1`(n*V?ks3;*W-NUF&M@*-#oJG_b#TXfbYcTXenpiyY=>|)t--gN^}2y zy}}R{f!!eaZ%TAGEo_2DZ;*}N?4yE)wt1?u^p8K|ct7s5$?0#^kXI>y;m_W;AYJoWRTB6^UmDkMD@wp>ovif<&kRa8RP 
zv)of)tv};KlL(OZmq8L=Qjqw}Rvh}Z@X!f3`mA4j$ z6~SVl8x0r#>OBaP)|=4mv1P}qrxbSK%O*gAZ_Vy01M;SL4W%l?qf&TtTrngx724SF z$9LxD`!;aODv0O5XH){f#_;U{WWgb`h9LP3#ej9ug5B_54-N*Gk`21S<5rokNf%3g zL{+}KMG}XVB?1g_tzj4o) zrh6J9Nq#SPzsYClFVQnPtWv6cm$2Tdp$Aj4JI3yGeBU3o@IEzDX38`>tOA3J(qjb_O1$UQ3uue30NIM={)QC?01Bu8Q-zF?as07fGkCT0!j?E!QQ#e|EIm(gun zY^my81IygRem>|aFBTC+FY!blx_JT%G;9B7y^yXv^&sMwJ>=AGp!ke?V-3>L}VT>TN9LiT|X7~#mE)O#3AanWpsHz6Q9N) zlT>9GL2{n6gAYD@XpisC6hpkQ2Y*F927fDFGeCEi)7h!}@;A30)pGZHP?gphK>4CM zR;|foXsnvtzKF|vnXgR0c1U>I8K3xVAA%2QWw&CKJgjw?aTA1cE|N0Y@SKC5(K^=~ z;8W8Iyx&mXes47I@cmUn)J zdIlv`N;riJNelcgsCzbHN2>HTJ&IHEj&;EJb5Jxj%qSFMOjN}!O5}~zYc<$q!G0dO z{~`2XxdmLwv$FfI-YKC7)-GiG_mH*FoA7Ae!iq#LT%JH2d!^CGOf=u(J981;#!vHq z=^SupdR6kK((RbJ5h0IT;9fFXX8edp_9iu=U(`!`neV^$uEQWLG(-Hza zE+V?r_-YPbXm&4YKIl*^J#cDFfVEV>jN9_8s*4)8WXwF(##RHbL?v8jE9~o+zF%QF z{_ATNe_Z$lBs;~j$v$%viZGdkrOP7CaJ}zrG-uzY7yH5$t}7HE$#7AiTI86-C;KIs z*PmX|;Gj;JMw816ZJ^-(>*GAM@@*^;8{~1JkNT}wYz{$^cEP+h(fhQGHx7uoQY4h zS)Z+j7?na?ZSi+Cq?Y;1wE0oDl$^C!Zo}9hP?5n(C0)YGMsD+NAEp9D8<(-5_6`Q*cS+`GnhMpzs&mQD@Qv-CMngGM?ohH00d4bmn@ zse*cxFnpNC(lJedw1&%FPt5qT<9t(AP4ybjcg9#mD4}s#!kQM=^pxrA1c2~|-qWk< zFQP6YV+F!^qQA8ZV07yI+5u#;{#h3o1ir@5*Hf!yp4l^O8vY<(B+N)SujSWIXk_}1 zm6^=~bA0bWq@$OdJ}(PEic0k2;CVt@_!#!+dD?mmRta(v_T%R2`LcT4xm9%7m8qOUM*Un1ilHxxdI1M8 zXL|93#*n6}ZgYX;u%lL{g6D)_dXc=8q@sm=Z}dugfGbX1_NX#$UT0Z`mU2chbGMyA zQ_sISwCD4liNDkX=%)NH4J&o@@8wQPfr)rsH9f!>zo6pMNo`%PtwQ>wk)=%+);_E8J^p7x?)a`Vy*pJo zjY$T}0#l#Cd}ommLj_&V?~k2L*bmC`9!P{(1BrHa6}%HmV298a1?=Z%^^vi{$x^Kh zOb!3@q2}P@+4KsROhW+NeglJE!91x2BT%iozM8 zqnVF3V{GcT);vE3c9O{m6MFeXIe$vGGwiG6JCuH$AycuL4D%hpZvQ_?xhPde5gl-& z`ejAx=$S??J)Nf^k}#u;F@nob{>gl|wM_17RrTF&?|P?oY%;Y!#$HESRXvOyFw#ku zYpg?5&}T^$b8~xMTZ)Ih3RZ@fH-0P*F0xa5ji6F8d^}@rDSko2jv8`af7{KG-A*g7 zMDP{>OG3n-HbMSgZ*p{pKkflBtQH?r-dMc}G98lPrj~rMQyalOj?%+Jj@)cjoH(VU z%Swzf=&7be$n2bA0~V&R!fJm8bMgDTK@m-0U>gEDcFR zj!OL0>bG8Ne+uSow#Bo^E%2UyPV+TF?S9(m#^XASKp`bJ(Wii`YP}OEs;>KmVL(%O 
zpQP^+(2vkRB56vq>MfRk7_tk(VKSiaNz#aw&hXMl1lyADql^x2%FGd#c&a^U^XTw^*A;p*GEcXYg#+E%BI;8 zzW~Ay1hX&o|CE2gf_g-$!XIwsIAP@PMqEUJ6^MZqo2qa5u9`k%jeTbVXjP>CMkewv zG?sH=N7>i1Z})k8;m=u1DMc*6W$=YhI*vRU-P8ndUX?_`tr@#@58`M-PLP~u{p%NcYIE&KfU}gO#{CW z0|2R5EKHcrM^!}lRgYn?0G+2CV2);S{-&qi_!sP6B>nUvN#LagM@pMY|J54?aW&L? zAss%uS?+hRu;1GtidA^+sww?0r&G(m{l;c&{)=$zw|?LN1;GzZ@BSsyU*u0OIkD$_Nm z($tgA%w-h(df86Yla8YV{+&_9ur3)Bo9Fd)t(~j;Ai(f;AZr_(15EMHv!9d}=VAg2gb|mYq=}oq-5OO{dhMbOt@exkslM+Z z#D(4Uq6r5}gf$Tf38r}(ohIDXFy-3<2rn}2geei>NtM0=M166$njqPotHy7l#V-~9v5gRt@j3vzZ)0;q7J)&Sa-y&H8B zJ)nxq8h3#2vaOKN1&q-AB=~u`Gi>?aiRKCH{UJmj(@*M%0{k?50p%%Flk4udIdEU~ zL_i=upk=WO6ZUv{^e{}5^V4$VP1H%PhiyDiQElWO6#*pLk_o``0&9nW$m(u~G?3c< zaRctB9t7DEw*5`@?qe+A)18Dcg z%~C+G^kfTA3MC8zQj5)G@^^sX|Hs%aPX&^6E&-M3+VRsnys?(&o-6zYQvRj;qvJ;& z4j;q4Y^c}GfeS^x%XTkF_;6mP!vF>N#N7$Mcr>_w;;y^#i8r-o^E|k(1RmrEOJ31p zVZv$Ntq^{^n0e9$)$#|zksE?vxAf$1ix}!R2TK=Q03`lbWHnlh?)~@Uo{r9Sf{_Uy zpCD3zX-2p3n}e&4ot*UleV(`Yq;QI9>4%GVcJ-ur8vBIPvJ!Lwa4q@}pe7pYP4(mP z*d0SGRf={Ur!$58!Tjw0q-&DJ_Cg}@{B)3{K&|WD_~j=wp*0HzkHTU9A<$@rgYTg( z{mYKeR=+HNSadg7L)UTXJFWA_a3n+m^v1V6D5Oyv zv#vblOBvo#2`D?j-ME^usO#Kh6L#_;e(%|p~5?mx3e*=zWn zccxKNz-~3tQ;z%=oJkM=PiHHI0^P)eAw4)u>WB&0nTBkU`I&o3nV;lz`b`y|(YvG{ zELf~L8ehJ)h?lDSi50N)=OEhdiDN%0-+IjMg%N~lX_`-t=Nrm z3^|nN>ZU67{VLym&r`k_z7!)F|6-~kdbi!aRKq2mguCoZ!^Y50NjGm72iJPO<-#N3 z6W$BBelCpN-G-iypa1O$f8qN}QvG$f z01^!R_Y0K}FX-0T^L+!R#DZ++rUfNBa%wzd^x_nb$xO=-6mF1StEg;*T=0vx@k30z z3G2x3^_aHfhBMb1{V;1|yn@M6H4yE#illD!2s#%H_A$;_m-J4TCGd^)UOVYRZ+CdQ zkOCtf;sy$1Fnf;<%BOYJf%$jKk>%U>fJi52v`=viUwVu=YhIPjC)E%mr?aE;)>3nob&T>{x3a0I|+A`cvP-BVM6y3INa zUgkgjB)SHObsGAPdhj*{bzeUHWNiBNHND8_0Dqjd*$Y1Krxbd>DX^FX=O)BSDoz`V z|65xx|3V~LCp%byr>oY8ozny^s7PBpN6JnEU*0zv|5@AhCVFW5wm5fD(v9g`ExXGbl>gU3ADE*aUmX-xV!rm zyjZWmM%(&-&*Fd-H=umQ*3Y{$XeHCB@F(?HumbdPqU8O(*Y!v!aL)|V{3o0I&=E_{ zUjMUFVln+3p~iCAgLJvzb*qbeLN~!<8?2;{uA-TV%}F)p=E~F$|c7*U!~Ib($^cn&YHp15-H{@dhfa()wfSO=f1Z7qL&e&lHuK!5IuPb-s^hFEAYb|?NL;+8i&Ftvh(VezE+T^ 
z(~Dp8jf_sPQPIwM5}{7!?_u&r+P25|+FT-^$S8u|*-ja&cx;ei( zr|q?S%^n-?SO%Eo_j3L5o0L?meFFTIW7hWIAUgwp6JwN~pZlL?y`D?|q4jCxm&E)# zu7M%L12~*B0m7nh=rDda78bsU&~f+ijLu~qg!${!GtLxu83LQg_M5LGTy~87Z)ZGl z8(;2wjabsw$fqO2HvMnJ%iXVt1Mbi^0e_5_La3os&_6{PwZ%5?Jp5kkS-NPDq(BQVGI+s z*g3qtKqCr}JN<5qNVqe(u*}cshoXKDc#rAJb{VwCW@I86@L^473%D`keZ!UK;d=&* z&O62y^B!Ve>u)=+-wP0Y;Rxw{AiEVvbls^%%+juV?FS%c!6!hP}7Fm-=nd??D;ZycbzzK~n4KEUIpS4ePUgk}xm(0g;FC zRckVnI%rXbFEm;MTO(H`X>8)D1uuTE_cmisR1#Uu?^f*smqZ^ltfeDm)a=;3alpAC zt0I$eHx}&@h*520dF64kT8Vg4f9iQ95o<8nNvMR1ubf*4D|lAy7hN<`lcPE8cE{~T zawn2%2bWW<;$ZYXw>PeO#)0EjYY9KNe}*5nIFSRKLOg=9{!c_+Z&XC&E5u#q}&l^pyW|Wn=EVv_{40zOHWNcDE+6oS^8rk9q=h%C@g{G@I|F_?5k~*?<>SW+MlIm1DF@ENZ^+MGQ zM`^}xydjWnsCkQ+|F(2ZyU`?tUjB}0pp|s()dQNT&dP*{g0%2lwh#A=;(}Lr)XvOm zm<<$MEtkwAKH(V`eAT~3ExU`+{@TztS~EZjDuT{Zs0(p7%dWGzD@6@!6b8aol3~*n z3q{O~fnK!)gI~Cy#W%IdkHqIFbv#QwW=lq+dKSE_Y%_Bxxv=q!J)mG6Ibb}T_|D-F zA%BsFCk8s%GfWRF4EwD+FykR6-heYi(m@(JzSDH_UzQVeyjuvMlBr;=0`-!LBZeukxS4-+KH4T>9ek1L`4OX(bu8pXCRi=%Y1E4@ zAM8Q_M5yEbXRosD7gPuaJ)e%WB47@eC(|rT9gOvxBfgsx@bNmTTzpQHTFazwE4KCQ z?w-l+5{1vJrJ|qYn?Wlh_AC-}<#kv}d#pWgoVAnpozbne!zr`BVJ%T~qv_27m(YE- zmxp!z^ziE4A)e}C4Z#JAyE%AHFF%x+o!K6%H@;tBO6dzVu|L<}!F|C}6xP-59@x7p5Y6UaWZ`#?IqgFFP@vEq`$)_n2%G%P~?`X((V6 zuj^}BaH*y(MPr#8Snm@MveA%Y-vD7SOnpIJDyw1l@<|Y!BAea3`OoXLwr{q-dA?Y4 zc_mWKkyhr&9#z7)Aszku1Kky!2ymPitfq}SzQ9t*|LMu^0Ny2%?35juD+E{c{?~rS zC?{FBVxNWjM0wVgv7iG?B#=xLbfCEe2~O`R#>b43bV;8W-rll)leB1M9>-590RnD3EPtS4W69Jcr7sTq3RW(a%ZH zGJGh=bA`nWllz1S=uNKEXdHDbpxRo!rBvc0wbLWBR;S?LZrGR;X>_pX*TfQ|sSruf zyi_sp4l(0w0~9~E&{k4a1?u}dCv_*aBT}|2@Yr=4p)kGuUXIXn%EBr4X%4*wK?3zo zue#KUAav|?S+wtR*8ECAhM)Hz-Q$a2H~9303?Z)a&54&V=3vO7S}wkTqV1+|@$=hVYW9vDyvPwP+lYZTdh2mjvB`}o@mY?ig5cWIo z0Y!M)q4lyR0nRY0r1|OPV}ZwP9a&5M#ui&`j;hTV@t|z(pAv~LNt)849j+n3azE9U z0!o=bJBZcRTQ~n^4-+}_H=RT}oy21p@#>p|g1os4A8af6+_Y12&+2hb$msDqT$_c7)Uj>vNk3d94}xJUNmuDT)w@v|;*1XVZ4 z$C^is>dU_rV&A`4{-!G#DI`+oHzE?JGu5p-cKXetnZ=}pt$84LSR9VF4`E7~L7Bq2 zwjUddlamZ3mbK5$B)^NQJwAtbLDI6sXZV<{pIXwtMyMSPWgphB-3@F0sV{ 
zwv(CpOBPG$#eOnOv=6}49Uf; zHg7O;=(7g{r*HzIUJJ*dbImJVh-6;6qq@=ImA z56WUI@^jF0qWxdc1J>66URrWOpC1BwBg}fQ4j$>kNgNe?A1L+!kkAxNn)7&l@B(D} zHHN9!>(59xWa0BWd%ab%muyV@jDqCE)TB~qi(f-Pwx2^G?jOT?V6o%^{krYs2zVK( zZ24EU)TToQo>Eh`*g!p5#Y*g-&f1Bw2^%?W@`nta8X!3ku+2e+0lBZkLhrXmyG2cF zvTajAKItpI4gIV0%l3`tOU%M{b10%wQTcfzt{%6c03Q1JP`aloKz_Un#0M5gn__D z6T}RpvINHh@n#wgnV*cyw$dXS1=Bx!<~LW`sgR`;X28OGmKATERGW79osw+btB#z~%f#cgH`GTx0N5|XtzkyMh3zY?k3$qJ^$Ih!8w}kdE?C-D zE0w-u)Pyvg4PlYF<-;YpDWKv4*_?7|!!jeG!^$aKuMi|5uydAj6+!hpElRKY9Dbd_ z?VS~iQVg%pGplUW!kBjo4MG%xO)M^PEXFEPEny;Zw z9>WSN1bl?UF^`@s0ciJL2I~FSQZH~TtnF3>!SC8TC1ptXGmF^ywb>&M@96c=o_@2s zADl7)zG;Y(qYUfOx+pg?a=KWrHox?2`kimgx4hpA!j5l#TdCVL5bZTuXIDv~#98e# z_|UKj-H^>-BZfgnbUhm?s@P>Ia?yw*x4V__=lmeyc<*;PBQB}yFu0q>=}575TE5$w zH~$MAjWtPgp~#DQjvAfNtII_tafiy0*aZge?K>nJ>kf;`CE@OHwT%BQlOi%tVt=0( zi3`^-(Yu76jav2!yq9QW)*-fR-oM=⪼nAU6AmqP-)12+^F#L`~{jue8 z$om}SvMh3pFW`seY+V7l9&n9EuTM>$hM1b;Xw|(nhj5$0q0T1*hkmm#r6&N{&^nPC zpAbgmxjkblHVs{4jSSm?rEwNzF5pf|<64w2K9!}tI&G>nx|uqoMM4JyV)R8Ny;Sv@ zM&5irjimo4)#C+@lgHL}@U~bdFPaxurww4d~}{p`_!UtWyMM zD!q2$6=FT=E)AZQ?6NPyYb7lH%zA}pj2m=1*yFy3Rt##|DRAjaW$2oiwb`~5`pmO2 zf*XLDVutABNT@)ONKzL&s*<7mq=Q={q#edG1bVS}IRWB%(`;{5FT_37Bd8}YSPI;4 z+5zLYEe$@X9Af>!lIXPdrP?gNWo~os5GCyM`#G;6>6#qW4mbGe7Pd-$KrLQ12GgBj zvFQ7I*IaY_C2eK>kcgmJ7v4>k^QWp3)yASmQFG94L|j}N=0jMOh0Jc_1_RPw?=a<) z+{fPwcr6qF)@B_xE(W@f?&f2xREm(mhUsuvwBA=GXLDzim0P5O<>e}Eo;%dvZH8pxqBGMA3`Y@I9F0_u#tSYRp z_BhHXg=(kr?mb7>BX1o;=QeE!gIv@+AJXngfTh;q5z{e=v^yFJb!ZHf-WIs|hnPHb z?7!B_mN5XV^D^iqRpu%&`UE9X&*KtN?sxwr4Ro%IvOI1rsU{U#${06WJtX;=FABJ5 zIb~I%+pKKsHB?_>Cw^1>@X8^$wryT;@{p=60#BDki=3-Pdlhbu=z6I)6xBCxy?8gF zB_k*pl3IB_E0G@TX@WUku=5w%i8u-isu5aPUTxH{n1_^uQFbLM=yS3~#A*!tTGnxn zxh^{nfIX&)9)j%;B0n1O6omr!tk8e)7^XKjr+|I|cOK(JtxqF=hZvZd2Q&y+m6g|x z%WK_6_0QU9V+EHY&gGfQk0NB&bw4>|SdPArRFC~LY8$6>r;iKQrgM-x2Lv1?&q)K_ zg!19i14Qb?MqhPTNSI%Ni;Y{@09kFK|J`i|yfVSBV|V-( zqP4cosZy>OZ!we~nzvVOm%76_RI55cIad79AAX4KPd->Pzt52(SE{z&w)3IxoYtK> 
zBDBKc;t-a>u3Y79tq}}CmW$s9SJtA1oQi*(pwv)f;>+yM`=*W97;>g4vQX^`M<0q0!tLY!Kt!c*_b%K`gKVD?lxDdAD&1(lWFKHy% zprmpc?k}jVIx$QHi`n<6^Sm~z=rLNsNZp>Rm&HnB#dQ0exp;}8V%Ud3Svw6>w9Dv? zbn$6{xf?*fTwItM#@Y1=Upy_``ZKqB-@lxab?KYZdA_~8V_tnQz-%U8=qP$BL7@PZ zyg~D)mvBuikA$jQ>ZylEZq#AL>FT&K8XIrzQwWcmY8oe1l6abf1 zD8iW}YQ*X|GwG0>Rs(|Rc;`H3U$>tu>}F0@(Yj=L&C2B|t-;&#Kt4MeUI|OqiPDo$Hbo+sXugLVmAle!h zktCZ%Gs=45K!+pGg+`BS}M& z2KFyGF}3*kj@-z`^O!l)ud?XnZa1H4pnd}rd%7xo*7y)g8`5CU7)Q8~ue$c0r!>h2 zQx3g+?C!hONmK02bjq5}wPJ>5O?3ba^e;OGz*E+ez%5-`Z_Ed$Zwsqs%tS)rbF{H~ zmdk;Q){Qf?_lIJG2eU-*jS{rw=`l?}j>LEkpDDB(f{NbEl_foj=up%(v0*4RA^Y-J z5N4E~s82_oDyJkM^*c@M>gFF2)3ty)wCc5EksMFf_A#2&L{mFw6HA~KCw$Ae!|b&> z3@w~xKd0CtMg>w_On%CZsa95aCj-50@y)&fvqcC_Z+R*Ta=$MF@f`KKlzEmMzucdE z++(7PkSonRbC(s57C*OTz)7%Y z*LaE9?SAj!$XVxf$jbH}CW}V1x`Xb|AeUaSFs*zzoi#mgF~a)DaEh0bDzEW;*?=cI zVt1O563UU68#}z5J%kf}Bu=efa*n8HOfTgQ!N}yszhCJoc^isU-2El94V4GmsSGyx zDZQC%wAyuynTq`d(PVYyAMG?cmNegRpUZ==+;Ror6NBMrE0o|kc#4nQuPS-=?6uhX ztD4@_$vRW|Csw*p9QOp2$;zaZ+%Bgd;>12OzuH7kPJ#QxD$gihnlQ#DiYUr*W8*}{ z7u2m~wr|6MG=<{uo#Zopk8lJFeI?HdgU36mzIXreKnggiJ*Y{l`&?$y z8i$T0&!^JTHeFZ!Bla@7+=7KK#qSptRjoaLaq{MXgGv31F0GRI&8T-yiX#~$r?>Y% z7gynKG6gnudqK3^o~22>MGyYr6qI0P%af78oyd}JY|R*V>sA3OIUxvZ8#B*Sd3zSE zM6#x7@vg#`4{dWeIUDRovQg!ADW(i9hNpD=0CxbT3B+4*zRwagG}w%hbfd?#PtuE+ z($TSb7o51I71pxvl9)lH^vmU>SG|NoNkbOWo|r=#tvSL#NYOCj{@ZmAQ<%`_F0;Fy zD|N3lin}7IsK6=J@vFGW2Ml%w+H%W4NL7WLui;1yDFe57V3>T!>L zwo0<5cc$6eam@R;IWqD}g;a=U{*QaACvd;k!fA90-Z+MbxrMUsamHt_3g;Q22UPr%uNt^751$yMHj|&Q_XC!x`NygjSG* zHB*&vEw>8DB?OC_e-$-$dtG2BNk?T~9gr+G255Av zbd1nU9hnQhmDAM^qMx7qT)e!-ln_rpto}0WyR%g|y!{k&7z9st_s_^u-@}T!Q_<^& zQRi16P^1&$B-!UlIjqdFn>~qW2^6Uv*=KklCljVmL*47I8h;7DU@LEv^HXK-eTy){ zJ7$v&J%CCfyK`j`2gb~pT$E7fadl?0K9~_l6RgmQUY?=Y7nC(@m4b3!wnfW|z%3z_ zf*dRwRlksi>7wzB6!G7y>KCq*rnsFjSAEG~ahE*awCf*XB zKUy?&NWl29)s5^L@JqP8$( zwe5&Pks;Hz>ij15{9+IB?fzn_a*f}nz`5{$asmOI#rKK`b&5Y=%AuTr$mc%Md@F0l(Z#1#*^FyOOY!_D z?)3G_G>S15J+uR9ad37)-^P)7V85zHwpwLSvl#LWe3{Rh7@i~9Qsx?TU?lcak_HX} 
zKUW4iivLrh5F=(v)KsIt9gm~pl#ag)J0A3ku-BI*sLV&trw17oZfXV<<3<|CkUNum zr3A?1pQb_BB*fyRNV6j2Fs4hga})EeJNM5L{%Ehyczy}xrvBByD=#riMWKDi&+KPV zUjHSwXZbR!d6WKn0#5xoT;MZNEPECAZO|$^PGcTk@*@*#Vl@l;z#BQ210i%Z~;6o=yisfkk zB$r$&N6C&mQHn{b&G2NX@9cN0w91~2lGlP)>$h|TyM1`pE8ftmz8O3^Tt zYpw`^K^hD^+Dn*2O)&nS$d*`xU08Dmm1b2hczZ6R1$Ph~(2h)^_U=zm1()IX-M^{L z+CKCiZJ9GCz5a1Zz`KBKYUOg$@Jzi%=*`t5rw-@^SY$C)&Wk)SCcw)Lp|2UR7cpWf zh@a)ZvIm8ujTe`S(|v>2!w&D6;!$^|A)4vRnNtRB?h#`;au(UKW*VD1z`~v z7zhCz*ybL^pL&}+(e)v=SIg zNr16*H!FG(^3P*&k(TQXd~=3i5X^Z3;GG@OLlpOFDeiy^4%oZ6ljj=v(&*s;79|b? z9>XifDFu}K|LVic6yRSr#e15_1H-6u4IZb0-R-;VsScq0B*g^oN*#9tO3&I@0(}7= z5IV7)h5g5^o}3{kzQI6dtr~Ff6It6Lfv(Zv8tb#>uNi{gYoI`op>Jd3`JzotT^D-T zDsbbrbBCFOC;V25p~?+5BF7hOc7hLP?lC{=o;-A!6a=-^ z&u#mbgHk|-*KUTO#v2)J0n@O|iQDgN+_L2)`DPCOBe5NuuSFW*lxc+~os#1{f2V7e$Ob_^{>L+-t{s1D> zAmYUt1*a#ay_8v?PDh1ziCdJyHCbsOi4vo!Cs(G{X=;>spc65^^v=*H-fW4nnt3yP zxH3x76SK0iT8#4o(Dx$|ZAwf2*dH2*BlTM z#J@ED@yVZ0Ug`yZsDh;T8u-MS7WKF3LxQ)(n$Ge9_<)g68@=3wTB-k< zNBuRKR|K-CJ6VMTm1Ex1ltsv~u^(aXK+`!Qd*=8)etVo&y0ES5OH%Djb&A3Fihb!7 zQrZN?q$aW7>X=GNnl&*Mo5|E>+#l}1{|{Y%85LFgzK_F-C?z1N($bA|cXu=7pma!= zAc!d4jdbTQ3_UQUN=WC>os!Zi_}|>$`*YXxdtSH}%LRL1ab9N}=W$%SdnE<~gG>^b zF}lqd^Y_7132fB{miE(PcB(N@;Lh2{38VwB^{%^oH@qS4CZcE{uCW%XF%be^{P`^X z<>rgKap)i+DPnCK%6B8X^E&}EQ<|cZAGmG{wN}V`N1Atj8#%rI>EWzHPr*o9nI4NbR5%$yPwR{dOr9o36|&Zcw`xT- z0=Zo1NN5oR|E3xExOvq~<6iUV9Zxz7m}sZfkSkgKJi2uts45M@CaJI)A5?cXVq{-j zyMGozyQevZD-T3Ya|qZZ+vi`=^PlTTX||*k_1ey~Ys7kcd)}cJ&(aFfibyu1S*l%x znWh9mlJwRT32<{kaGw!`IqrRfbT|-bu5`=?tdk)f4bRcf@;5EcD~h>v{6#a zFpY1hp;WjIy7A~Xn+rsZ1|IH*T3dzL>$cUt$4{g6X5BC@+?ZV`NHFAr1pR3$BFh;& zY??jbHlvTwqbc7z-DAmSrbmT3C1)Sw73Sx+RDgFQ*FW9961Zmm6H5BO_=>e$qI1XuwJGJ5@} zdk~TF>Q@ndLbc<4r0luc<|JUuuw%h18;7g#l6c;blINLq<@j?I2r9h;L0O(3D#%%c zyav6zreIe;8I6%L?nkGwc@U32d z93mpGt9!|dIWG@dK8mQDXgT|+5(r!&R-eUlFl)os+4WBKOKB56&`EO9Pj-~xd?ySf ztr=1Oav~X;Fsq6V3%f1Y4MMcsz42` ztIdn%#K{vpX8>&1KUhC>L&OeBHb7@ja?irV{oO3xN|`;nN1t>BC`sBVf5>2Iz|ulw zX1zSUm$xkHN(jrlF9^~s#ZYY9ydD!V+si&pCpH$Lq=9FUjyNT@FKIOqadRiSiq~r} 
zHWz$qA%g2I#rx}v8%be0Oe@fCQ$Ye9^2C!6HpmM8q{B zG@~~`Zm*n{+-?F`>|)YXt*=u=%j|V&YJmLpyfMe3ET@aRnS6Dk81sFu2 zli@REwSlihHL?Lp>(fk4t04N>yNdC&g!5JV9%6Xe4OCbWi$qOXspl|eV-f%Aglw@+ za;$Qn?$2=-Tf!Awmm@t-#?`*yOga=L!GgLsIG#a$JTe1Yf#UkluyFH4AO%dG>xvE97o9tv&VXzB*^T*ZRPu?`0J zkuop&Laey_s&mJT}GYlqr}#T`Cl@HHRaTz&a@21-edUy$Ewo zd#OJ&s~P>mEPofKXSi|P+o`&b=LNjB9andHe|9WPJ$D*57TPAM=CmvOnyCN=%Q90M zrJgx5)#xn7DRyig&V-hJ|LQ>KlFdAa(iOqnwS&OkEd8BN8X%5eu_LHkRD|gFU?q)m z=Yt&q%k-4uLhr8xDI>Fe`gEI(n^4M+C(mI8z`vxcjmzKv8XKEINZmrJ=@FsQ*8egg{-ubS}FlVPM+@l&7E zIbL9IUD0G#214ZRla-a8?^ZY&JROkDXHzG!*R@<7fMdp(aTVb|awjG5V59KuJB1qB zCRy9*KITs96(m`1X>p}63BplZZSlQtG6L=;N91yzS=ZcW92I&-VvWoV>w$Vk)4gZvL?R2GNQ6tOT%E z3*(`;;%8aPiV1JElzKHVU4zi#s2Npl%wtS3lDER(t&OfqhV`bR$?Ip`jzAM+-h|N? zKuiAU+IKH#dxcyD?stsGb&6 zTZ`^yiRll0UDA^;%w2ObAS4et9wTx|k|{8pb36u({(ztI#$J8YMHqy!Tj@WwDu!k^ zW0G?$CJPbCI1rM2cle-_9-xx+o50NA=s5fs327RNbNaiQoW___gjp4RW5%Nw`-P`- zylN`nU7;+sK29Ym%oeR((+lH}t;QEvab8bkvbyhkDLM;}&%rV%|40fu--sHpO|3&3 zftmO`=u?dl?Ox*cp;eK-nFvzRVwyv;bz<1}uw%<8O`E3n6E>5jVLzeJn+yL~IYhEd zQ9l5ar_MQKw-?Q)s{+1ocX-z2|LTr}NS#iiKs0T8BgfX#XJ6{0{PAUJ%ePTSJ03YS z5T%G+-6legAD1B@TH;YnbTI(677-ZIa!M!mB;BV;4*+@uf#mX)s*;UW%ep zI`iw*5GJvede1JtGWVB@$||hX{ko=3iW8Bh*Y4oMWJOD1awDdm+-vvPEGyT*#|u}K z=qzDu+8cDiymp!2+eVY`GRZw#pxLsUaaVghDnWU$-}iqr{Cr{em=BS`_lU|wUNg+x zj!9GeQr>(2!aTK{nx2zl&-LiR@QJ9AC@A#=fgLMQ+o~^Q=e;xA0|}IXLzR5w+rq6G zX7Y7F?{(LFn?2vW*$omIGp3s~ITci(lwpa&t6rM*TW+7N7=37{4!qs5U)$*K;2v+yW9 zQ6*Am1SFVD_ned0qcnPBIP=dHVKF=Z&x#0Lb4O+oh*RPX)1xnPNgGT;`U+hNy;@;2 zYSPKZY&1NzIDMt2x2s&``+fH&7o|aEIdOa=8M+Ui2k5RN}qd}+> zR3`*eT)-}``eHTtYYK>NwS%7vuqNWRIs%1$OHjNeFk9|FX8TJ-e&cZ8#<_0*ZYN9c zu$nMP#VPUdo(#&~3#k+ta&rkSx}KrYmBRHgrb>L~f_Wdin0r|nw4*zvFO`!@E5Mj9 z<&DWuEvVCU-1e@u9f=+prEL)-8q0yT9~&hSgusaL+B{6s*l(QE`yX)sMq4FGcg_tAmK{ z=TgqxXgGhm2CQ{D7ru($KzIkoJTEO*%)%@K_IO>cwH9gHoSA@eZ>C95S4oMEZ%NXV zv_{vXc4EqOdLB|>7#T?{#Q!$Ej$odDY1q|1SHKg|ns}jd%V@wbRl>1e*q9Gt?P<#? 
z*}Toi1m>ff+u|xTCNP`C*CVA+5J&VG1jmn zT0FXrlG8bY!se8mv&0T#c<~#xy*TmDe^g5-NW2C9jm<@m1SqCR^}WDnIsXyP($ENJ zV=p`o;w3x^7xDH~x0=goWT$$wN*w;;_X?koKaYQzyQ#G>0+T33WGHs|!R)7{d$-4F zA3|QfBT?3VgnJzF+nfMc375BT))8*w5Vz>m|CqwycG`%8*)Gk;DHVUakKf3OZ_KN| zxh8&A70J#}VqGuRpEz5hJu7w#U^c$l-Y~1;RxQ99!!R$ippc|aMH5w5#P2Woyu&%2 zi?zfI>Yg@T7ta8jurJG<(dNpc!z=1-n@wDKJBuD`$Bj|Zv3%)>%D?Qh6&(G+yztfN zbld2eziGviG$jj$WK{g4|(*%*#;ctg6a_m!#*BW4nt^!yZ4+3Qc0sL zil!1@xFMpxRTYNSdYl5K9fZ4u4XF3D@W`84$b@!>E~F!Mgv#N&lJ!QM^UIE z5)}+$iGM-0HU0{7>D~)Th@p0*Mj$g<(!t!m_p{9U2?CyOsCX_OR!vyq50uQpN%YD2 z$yRDH^JKlF_RL>}9}Ys9>x9gh?kUGO$HyPu4=F_nba|p3BopXJ#gWv^k{pEtcQp1g zY(bzn{VOK}s3#cO1h3$O1V}IKPf_>xbV`iNnhN&W*S$Q4m5q>Twu6jSdc`lNkS5+u zRam@C?eB%%M1FWjYR5fS(#y^E^Yi#1!vg-8jN*laFqwXn>>iur0j6%-3F+5?wf4TQ z)5dS02Tp!5$-vxgJxfcm-BqBc(t1|eez9F4Q8xdKNM5g8AMq?3kjG&*`z8I=(8N+vH_lyWEJ4<2ui$DauCHWXq_OOwVm zn-JCP3-)?mek&-|Z8UPsM>p0@PCh3a`C(*gKMal;6jDC_GQ!-j_bA=BS zaFeGU|4ApdJFMb*z0&fP-Hd#=~WUWid@u8UC^df@_y#(#lSpo6H6 zug{K=q`msb(8d)k^D_0io7g1nI64XoziNNlF|kR>H*YqgZ`t>r2=JAz`RdeS?=^9(b3TpJl)1NO9!!RdTeY4uXjR4aHOGH)wRuTfqC( z1wM+5R9xQ%Ibvv~2h1_;3w>O`TRFzljdt#5ZUWL?lcxm#GDqVoa1^RgI6_mP=~RSQ zRC3%TUaq^rN723$rAFcX1IGM0+tts8lMouE1e@6bggtAF31s8{#x{2EHM`(okZlX9 zGgvs@MW93;q-_=U;^C2{^;IVaW0c$lv&-2d%9x_CSw$e>9MqrH#xQ0CtZod)Sagam zPXIbCUzt20(e*Pfv;LH(W0R&VW5OCLDhB*Yzk$l%4kPnPgINp7I`Q{r>Wn<=qw_hp zAtFz`Q}-qni&dOf!@eUc&uuG%pFZtmP$Jtjy=|Dz+++3-8?V}$3J`Y;i?D#SqLo{% zE=AX^O+86xRF$A>^be{!yNO^+{LpW)sA_s*2{Gnl8{eCY!BG$0T@$z4X(fL?lMyNP zFc7RQNaeWn1THp1f&|Mwl~5*S0GP8jU$Iu=rE{2uTm& zJ4xPgd+Hu}n!t*lDOb~|cC$*kct%lJd+WYYgo)*ST9+$+*8Tj*;AbX9RM-KfiR!Y= ztulgNd!|xp%mIZTq5FgLy*=Rmj7VLsSpt9$$bH}cH#`KqfrE{M;a_$2Za{nE ziJd!$_+`xxuRa77@iX<5Zq{{%S}S#oi3i&7TN@X}r-i*Nu;%!$+~2%GHDwDFt_kiY0VVUK9= z55GidfB2A1NRf@x;hOmf=;31vD77v1H*{bxP>|*GxMST7`R}+i@~!w7zd;We^1IIo z+n@eIoNO>MlwqwCp_4#_HwG+yNOr-Kjw&Du_>uo(^=DMtgU`T^vyHj7e=j*2@RXS6 zxU#_wL*f-T6iJqs66?sKaT+Fb-q)HjYZ2kzfB=xBm_T zFk~q*M@pxFJ19Dm>)l}auezp{N^{(FBo(=MAn6XDZ3;w4JRAXLl`j@GTufl_P|uP` 
z+vrA_X~N%1QVrbSzL#nFJ8z~g>?TL3@5D#RJS`Qt*72OVQWj)wO*_MeHpRAWobj`F zFQ69!5`UsU0Ki7)Ksq}=ALRG%LikGT5b8k(aPWXMj}psM)wE3p-d37MsbC2@OL$l9 zc%bHUs#I*}a7=R@^Vv9d2lU{A+^GJC6D4Z-x!*ctksMt{y$xfThn$07&JJTlJ4CQ! zvsbbX?0Rpo&dj&=u{CQ(L5wo=C!cAH4_rFm9KXR5c-1Pjm+Y@4b_N6g11HO#J-5HB zsgFh?SsUGxtW-TnEWNoqhs7yPLz)x7ewErMA1R&Yt6c^B+SFH4t+R4vY3HhB6{`8s zTa4m@Qqqc)RO?t^}6#vTVEE9=aGsjJ+ZVqiu0lEB-Wm3u&vlf6bn>=j3Jq9o-8TZrD{ zYD5!Brrn68U2i4Mh)jX4VX=iZ+8~eS4q}>_wsl@Xs^v=V(TtW#z5?f#nF&~(ZJIM%~KnuDYI+gGFHg}MB=?|DCs zB6w80f3pP%V*vxNAyB~fvYv(m&EGQ~Akn@fZp?UB{pBUL0z*$ zII#O&t}%#D3(38&tD8UegzZic+D6t8DW;^tZS7~8di&o~Jw{V*04YU>09!Y0UXUSE zmnEk6Y!>l_?0=xs-Bt{$PW-1YeIq~O!x+E@tY^MfG-#3yt3dv{QNjGUA$}AKWo9bx zs6f{rE%MWEK#N>lGg#QW=4j+iT=ii_+a14P*V$$+!Mk+pVuGH}lR4a_Nuq_sOw;|w zm`Xf8lsC~D3<=xIstHXq9D$F#^)~WnT$|UN@jHI?`#8v9GCtTkS?H6OFLi9Z`HD?T z8fV%50}CE|HDI65RQ_B}#J=gjaBILQUQd-P;|qKQ7$$`ChbR#~-l$qUqg+8|zLi(; zHgi5fD)TdvKiRGsryRtvzIOXb4ZpG<;6`{EeLm3|GpX`vs?vUQ!+AAvW{I%7smKx^ zzD1r8emMP*;}ft+s=Jeay8T9K#foZ-0LF!cfR^6=SVni=TOXY?v7Jm8&g(@;#_Xp8 z@1AG*SLzCs`wYqO3Y-+QX2t8;B#-8qoR)RQnQ8cR`LN#CKE(|ry;gJOW9Q4{)^i*(2027sHLx`C zTi%mIUfHw=31?IeBUbNK?5{1eVeQTy7eid3PDr5jT%ED0-umfqOTC6>peKrw=R2P~ zQV2HhvGr=co3%YDHKP5kANcTfDJG?JMc#>5;XV!JOs;Z_%F^vXDQMDU^k2Cxz_y8T zmB*?Zj&>S|3F(h(e}LEE(n3;daf9#)OvbnM>TzXx!WP!0e3|j+dy=Jh{x4F0jgpxf zo5HYq{X%mK6Q?lnfYi>j(qMh~oTrF92;a8$I0G(wFX?T0R=y5pjAMT;O`)*m6TDJN@|1NClt;hrJg&D5DuuPtl=92ogoS?R28O{uRU1&kZ`nfRj2cjs^?AO(6 z*16JLwk-L$U}r-`YIzs>)NZ?c3J+=%$T)VL!>K71SZXRn5MG7Pwr#Ri$5J*i5B^DBGS@j$Q z4|<-}zUJgZx|BvPsTb^;WG-kQ0<9|g)pnsxmhF#fK(EUdR<+yzEte+P!vwzd znBBHf`BJy#SAmK>+ny`oCSFC)GDr5g8oHrVUY!bwFp`l(!K=hixk0Eq;W{WtNS;%eLX;gX2x@5T6Bq|M$IN!GVf)0VpWHM;cB4WtFAz-!H4n{_&J_D^8*&Wt;@Q}GuT-)1sD%Se+dvZDS5`cy1G(98t<_G5n2;lW~< znD9Vz|z}`YQN9~{{sR}SgzP;Sj;OGNj ze^2mJ@-OBPF4^vhl*DOjduzW8mbopzBLzqwmZJyrq|qZ>GOpY#Qvs(zIlQ$6AK6WI zbLx3N=sb8F5h3(P4PEU*xNpb`f)ao+er|t5rhxum(LIz(MEmPCDeU#vr5jb-WdvZX z@YO!l>^8p5(35yaZr-|rb@ug?xT_D^^n3>AMydH5&;5lm-CDx*D`XH@tu{SAG7TWVMvqm4-fq~g)w(|P|yx>&ZJkstYW{}&D 
zqAL2-gb;B)XPdT0=iNnl9snqv!-@AJXA1;*dZ`f@5GKhWq{ffmTslfyX)(%4v!OMRN+yZc<#g8FJNhzT8 z{MPwVcDKElN6%1+W<30KGEMXce)4l(b|3u`j$PEZ#$__8n4C&dm6U#?p3vO` zpeyOO{hwe1n6w-H({p}sG3KM6PD)slsz6z|wi>~zLD{ad07`o$r~aBYx}sm}JrT=w zq9Qa@YL#Amq*Mso`fjN@e2QafTrbTiX9h$5+ToB^{-Z4fw_j8B1^2xCyVMEQbI>DE zIRw{m-$u*hiTL`2|LrnA1eDLdF;`NPCR!rz=i29-&$!`M)Op|Ym8ZA+#q1MZqvmSZcZJfj+LQsFDtE=Oi+)|Y^tVp7mdyp-IwYzeu{Ne2 z8osExsiYwvgViq3BmBa*<7bH#5I4c!!<8QsYq{CgVX#Wj41)4hT(X8!@WwBo*%epo ztpEpp2z%^*JWGXFxTu2=;8v>1-l!`Q-eanjZMxF?-T_Y##J70c1YO$j1Z`#=D|QWe zZzENUMk*|2!|VR*ZLf%4sy>shS54)Ih7+H4bwy&}Ke)$u`BL$tC%(VF`oK$%!uziC zezRRlug0Sq_kcDbMMeWBZ`ns-(?`(E`ZW!@=wLa1`x#m5Eh~mTcj$%Z9U7x9hN(So zRho2Fd*r=^$+`}zx-;B5YNbhDhRfyww)`Y9#>xd5RvoiaZDZ!fdmCPJ4fHYDS9g2j zt7sfPRJeWM!w~jZqd|zBYVD)xISE)e*p?IYv+A0urXv<*1pn~<=X~6`4|z6hm$AVW z94_fTybnwmz+zvMmIlS5UQcvqGFNrY|5hV*^?_x)8yicHkiMLgquP1zC}Mb@NK=EF zMM_xei;r@?@2}ZP>>7`fmN!LgSGw;<$1I94i}q(Q*NucZc{jM9c(i=IZ>EO02SLr& zU=ud(?Uk0x=2|3taTHQ%f<(Uho9%+d@ksD?{I!We4EwCvd>dX~$wazOD@o{*LP=#%QP!JRMSrseg@@0GjVYXXR@FQm8r*gNh z?o4QV z-smoyBdzp&w&JTtF{AW$#`L=SOj1dXSJ^;i6Py+Jgu!-}qmm+&512oGLpaxQf_1-0 zc|W6p`i&~HTQUk)Uc`dEK;vAx10(qvpuoh&!04D|A%FHmz`8l-ECdl;$!Sp; z%861@$+J`dY7)U^b{7vFGkU-NBu2#&b?B?zj*v9oS7kB}YM=IMa~j@H2paXzL+>O3 zFB=&$Xik(EO_V6R{nDh%lPPuu5zX1}#j2UwJoNvZ6)WwP*JWN)<{TO(w?R@1cJeOV z`Yby2M2rkAig=3<7iY9Xf!^`+)B~WvPKc2b`{1j9OS0M9-W}Da26AO;3rEUEayhVx z`6Mm2YSDjmF6M>uj~LPqBo*_{7B&`X=0M`%Xru_prt*rGp$y-UWxes9exXJBGon@Z z1pD{rBDGKjAy9LYr1)F2auIe`bpdrf0WWrwu~~pK-sC1=O%rw)UggrzG(@86Y$#`9 z%oRV@)D&F1UR><8Hn89HN~ioLuM~OfAl~vqL*fAHkw5BDizUwN=EJ0qC@8NTePrcu z0n&ZD*POQDR#*mBY01O56%t;Z{itHyByAkgD-hTued@Wb_4Uoy#w0`SdLDipv`M4~ ze-YGJsR-DMivR9~JSF|T{X7E{S9-G^l^#wF`9?b6B~PQQ<+^g~iM1OQ7Ih(+bC#DH zaK56t339U)J)Bp3I0*_#dJ`*eG0D3+bhsKd7c=4NB{>8NMnJ9y^e;a_{E${s5rhyrp#gc^V=D$ zr=An(p&>~*>}t{ezKHG}Es)n;GMGUzB3$u4A3eD!fRgZWcX(t5Gi{}D3~*f&%$V)) zcaB{k!-e$nzSbPc;#)I~$CMJ}l$HHPPwFNdnf*Tb@Mbq40@zz9{7{^!55sH*@Wadf zCGfe+jmHFJ`>gDl)29wzwzxHTrC%?u9AVt~> znXLW0aDNa`^8<I5N41A`6Bm46EcgYx7CE 
zOCLZpr?P{uQe)iHoS*-+0&|is#!IiP4ZqZP9G#F z&todO%!5U|NS_XvVrWksr%{X0*Nc*FGj4SY1qWF80hjtFiX(4hZ zpVyTu)lM`+D7N&A!2CD0J+-GfV zTYJ`Q>69!$5CBvDmmmPpE)Bv7XQzjGCRBSoPhE|;xSX0!_{R$CEeZ+FU_X%aCl;L~ zdhTOI2GrZA zCiE6ZWsKg7A{6?AL8ZF7o`oRmwnTx(c&Z$rlZcQuy@0&G-$t6r6gY94_~H>DrE=)u zgM#Nr0m#Oq=bwq$y#I~QrYPk!UAuKMu!uS{Uf6@jq{%wj@&JdEU*MV_HR zzmdgk*q+9hWqi)nmNC-SZV`&vz_r^oO0!8fieb-7fO8t@Zna{9_=;aV4~cdR3Wvg# zi>i6&zMwrR59FvyOG2Jh@KPMj|DbhtkiD*7sr5oLNqaBuV#n+Nl`mlO3$+a!N&~9VgR3y^!sP?hf!A^%yf%G2YOwLkQ$&S2;iDOV-Pe7)7)LXJIT)<&zQ{H|rXVv$~= zU6}4&*#3vw zG)i{WIh}FS7BaA#@l!6O4$ZQ8M~Ah%sa6Lei!m5ABWkO=Uk+6fjymDaqpicfOS!cDCCyuOzuDFaW)XR{G_4AmUIyZx~RNK=A^I>wX|J6K`T$H(|#IS%ea6{W0ftm=>6^3jM=O zc@C)xt@(^m&(aT)h&lzv^vd1qbMUut>k-zj@~h#SaZ5PmF{vY_s|?uVlhx2 zuB#?IQ#qFW;`4J`_IyAR=k@b!$mFGE*M2eF;8*PO&hYEpN_DuzmtDyexg;@{i!N}= z@w!}hJ^4VND&+s+F+C>2pO~wEn(f#|Q{F(coDqG%O+y;BC=bgD{&Cu(^QbnHLX8}_ zUT2I`iG4so&Z)-$#&vh-oXv$u(}dn^G~P9EBbxVsRthO#qfV%GI*}U1C<^16iE_1i zc_iZsqng5T4k={}Rtkx{$&uT_+sHu9st=^7k4nZ8yYJJw(@tX&^?u`HCN)x2GYa~E z_6fZanP2_QzWAPXA%BPsxwxjO{XEx`@CWaUFz}H|ni(=TWB@Evm9#a-#~CLBP^7Q544~ZmV?*Xb6JAM`A zB21~qlvZ~O_N%)b@jrP9pw%9;3Q~mEerm{sG1iM`DFl4&WGyo4Pms=x3tTZjP{}Zz zm{}iY;=>*{j|$JkHCU7OG7FR`t4%Ffb=I44f9MSBV@mmKUu&wZn)(Ub0|zelCPWU( zlnPv@`bRVSCFT`Cp(_XAb#Oqirr?&9Au$&ppn$jejGM30hlSf;&mX)IkUGQOem!LBi}3MWQk%Z(ymzUp=pPiby9p%L1XOE2{KGlbf1Uf_C&JE#W%!& zO&rHFP(qGprTZTuI>nW7US{^N#xy=6FO}t@{cN6md<4$=EG?*Afu>Zz2);$HidlUIB;7Q z-NK}x|I<^K;hHv*`F&TF1SO>?jF^*VTURr1jYMHsGmwNP<$NNCz%S*G;|o(f|@ z_0EMLvJw;r(_WH=def&44x^}8A!W}Dy^MC%u*tEpt&1!S8C0|HSS8aT5@-PF$OCZW zJHCzwB|fLvI9E7L<=~bO!BVlmn}^Bm-hgyAxIAAO3Kpf{l?Rx6K+2d9FpLePjA6io z@Ke(V0Ojj+?xJot^8e9jMtfidG$cb=EAP6_@16x=9R)Z!IODF^KYhAZQvtrCO)FD= zNw|iA{ag!3M1cOuDaA&?-2wY^5Qf0tp?x#_??c#v8=g`Ti`EYP>U!?*B1YU@dS+1^ zc-T$M2+g|^@Xhyj2S+7<6`e`?ubT*Rz@pg3vnr?C$-!Im00nYkZ+LgCN`4Hoc$5qu zABfH_pJ%{q@!Cd9GYJ4Idqp^qCNc55`PWe&nzEq; ziuD~mRqi5X>ZJ5!o5Ob*%Y$Q8NN`=^e!-ikAob-r!y=zkXjH>ZQoAhRjuyUU=urOM zm{bNHNR48fnbt1(dQbX>dHGA5#`aT5G)kB0IR 
zJzenbI~=<4h8)cYU)>k2-kV0|CwAjJT=;!^4q{`jwib)(60@|!vPpXn2wi#S=@B(u zMwsT|;TOlF${d}B_&Yuxr$JnIAIYdXu7|f^!w?Q}tv|0@V^D@fjvqg~$Y%rKpeBBW zOSw~?dHVea*nLPLRq^ZHnzj?=wsAwg7U@4`){lF;N}e}C2N*d`fa&kuHXzZsZupnW z00&C$ygkHkO?%e8$YqY~M5Dz~&m; zF;Z2`cUZRbrhHkK2?^yLrHh2um0@Dnr6zS1hHhq()2<}SWBiQXVC&L;Q<$5dtLbtQ zo9&*#e0M1p`##h}so=Q$5AhZb5Zo!r z7Y#L0?y5Y$qh*Qu0ok^4uB!L@)NXR+ji&w0Sc*1P}{deKgPhwZ@># zSNv0RkjC#@h{rgOCV2UQ(+-U2IOSxUN9J@j=k;ahQ`11w2uL4Va1qUz=QNNL-%aLM z+qDerwjOr7%yD~5nVAX20S;}f3;Lif9S$)1(v_0A`7DM8%`5L>4DIsWd>!~%0(canjviHiPuJ1iVkJ0C^hpC( zOPV%LYJ|V|(N~V$`>;Fz=tZXy0l6gfKd=V~?(EzDNUa|NUZ_c~J~^db?9S#rjm3^r zhsJqH3_RvtlV5WrMZTQfUeNq(RD~c3XPgg1l0^xqq)tHecRIG26Y}5W#~ErrPeno6 zqh2PeP>*^w=?JsW1578u+DMQ*{b2gkgMghei1G9`r8qVczf9p1}wla+(+WNB0YV3Kv+TB#jAa z{DwREXfZi!ePjg|ug@-GJ@E~Q1FlPbT(9h3?COFvd>S?Vd?%k9pC5K)ipzADq>7pHV&kkaRytR27-o%P&?XW9>;E_n5Z!kJ10!+v#z#=5y-# zMMQk7;eEE0gPMHw7(^Wh+rQWPbo=oD4guf_-BxnFWUFue{a1g_zVJ4Q|9~nbQRQ<( z{8RIPVT|^V0El6#s<4#zhgn=um*nxmjMRGQEQNhMnshtO0f{p!0-0KjBLmB-fK}8@ zym@p4u+0K{q<4^{xy$PFS^zzTM_9!e0v>35+H+;pwyiCG>DN{-eSx68k0G(-CVoD< zcv$hfkm6-ywGXbg=ABvm84t99b(Z^y-+=SSdUx;oRn_*%rz!UoW=dB#UoLr)Sst(L zKrX#I5VtkUO&T;tuZ3^$ z){sh^e2N%YYuy{0maEd@tTdt6fxOwpXaM9XnvK^^?}-EmnVJ26f(BJx$}NbXHu#Ch z4$|Y1*l!}IUF@$?JCxqbPk-TcwPXffxqU*_DEoaY@4r6VdKI!r2=TXJsCha6_j=&# z-+9GPE=?w_N`EYg9_lRO4f|HMfokSFU$Ro`o`cgjLNnK<*WYzIq3kj|8(#R`YS3Q` z)KC@K)iNMkXfB+ewb+(O{#et~Gj+nl(3HvQ;eQ7|Eze%PRn6o-j>DMy2p;gBVy~5> zyk7XdJN8EM;CqRK8Vdf0d!}v|3M|UdsRADpgfZ$UH3>+(QSjsjg1U!o5at{TU&DdlA90rv;8#g`Z=hD+-?u8Ii2mvph?okjPa># z<-(1hS$gj7(K!Dw2+V-(6F>~Ig&gP3#|z;k=(|$+ZIM+VPHdW$+D@TPg(l!)(BNII zLy3lc9?m^bH_y|;g2JB%nk>Btfccu|dSF;CUQ*snEnfe8zs2u=>gB~tEkqLlq5Yt8 z!!3RhBYu_ri!!cMvEjagN!mY-`cugzV;|n|ZhT7O`_!K!^xO;mT@0^$4 zqLcd$(>pd_*yhDB~)x;^1--0ic#b<&aP+zhYKM~ zS`52y-dtrN`Rl7^&5HNL@?*YyGD7>A+_frP1a$uUM{JdI_bPPIN2YNLW-J+^O2$lH zcgzB}St$8|pCrq}-MrU!7*i`8hYWQSU2k(=S`t!PW-p7?PIJd_|-%3ef+}NJ>tCl{n5Ti^_MZvHZifiWUQFE%m{n6maBl^$0lio zovbh9(AQ&lyY_S;4uqO%(yTAldH@%GpAF8Iz%wZn{#sB_(HSF;=vGLv8B-%Dd_JGd 
z_2PTt)quI!3>)PIY8ABmFhLE?ICt{gs(ik zjw-<39RLWu5*HTPvHboCE{U)K;BudR`K6wk+%p2}ziGY-OZXVOO0dBGdpkSjqJRx-Bh7OzEap!^C+~vi)M3|0S6X`t zO9%{+-$dC!T{)t6bbb18{(S_QCZ(3u~O zLq4rM0+gEk0zXowEKj#1qMvzy|04hVQTDX2K50k*4^&(8?UXqA($Ka71%dofN?Z=) z6N{ny``t(r$yiuZ{rBZ}`#*gqo9t@z_$1eNj#=0bqb{!M-#YL~v9-1=INStC`h*Nr zuq_-pcU=R!?vgACEM2%kQ*-bRItJ;2>zgWaQSvbyu?Xr0*f7atDdT>O9% z^2XA`patRR@HaW`&-$hvGhok$SIVqDDO!?tah1MLpM_?}%r;ryE4`?mG`J&Gi3&Xi z&=Ps}%$U6P8F%zlnr9yNz+Cs;6{cfaOg1i4doE)eI9GA%6X7f>#i(tg@nbDuSdS7? zo8`V$-No{(n5;cRC9uJ8WUe#Z#E#3cv)cvEsG>G$zx%!x_Y{oM)rPz1?cRx z<~4PB57aA6gw>VR&IWagecb@hzbDOO>G?IgR}F+{m|Ab*)t# zk@OKgm)~&wflm~8cP=+rn*r6JC|6@9K%Sg^z7w%u3h@1A{^4x@l+hCb+A=$x2|Ai? zzXyK#;HXf;z1D-TSg8f_8#h2iN$6Kfw3xSTWD>VqEy;nZk@7b1MyMEyQE|a9&3z0r z&0IcgAPk>zu#vy67bVo@nMazbzPlXrS(qRngVxQM(^~3#gK-YfsZwe8SKaJG+-I-O zT6HK(XAO?`@B{28AdA;6-;GUweG><7H(eS(zI2AZ38kgR01l{d+t&3Z>*V_U-<-bx z75eRofG$+%nom8-eOACJmCy;GeiF&U3!tN*Vxu@JrWD}%ziIV+*Qwu^Ip&&rv+*vc z0xd$2CSh42)q)W{dnGG|11+piNSd>;=(y7k0G&50e%uxC?rKi3X7ozQw3lw%bHcYt zW-0u18{T%lYGeHSAp5qjur-|nki%x*i^;g4YBK?B*XjS)c2NSNd^|j(KBq}~H1DVg zQXe#IH1ZO)2yMF)+TzsFu|%brP*jUFxDLN!2{94qIx2a=96j>9SrxPhxTI`zqEqqmKOJ%3q3_B42 zgKmG1%nv|QB0!X2DUN`0&8vCx6zSoA{5RnJCq}Y?%D0WI6Wkt0)jGo?SOZ3T_Mped z)?(B3!9&sjuV0Y-H;=WzonOBoM-ol7^lG^IG7CHD{N5Xi;#i!zhOm&lYXbY&F%#Ku z?(GRzl^aD+QO5nQ6@$TB$5Tk;w~Hp}Colj>%uV#<`Gd=J%Ij$l6bgXMcBb+{UTqsW zCeW+$SDO3he%fFFiY}U0_5UAxZxs+nm$eIH!5xCT1a~L6ySrQC?jg7Z8V@c3f;0pP z!QI_m1Hql(u78u6cjle%%ztxk&dqn#)m61?uk|e1Yunl$41QU84XPDm%tPS7Dr+*4 zn`X($^W)B^M^vS))Fe%+ZTk$>@>5Sv-txBIpsGRfAa7o-&l>K%!8{&V%F^4jum`#Sy! 
z64e9-c!wPavE{?|cV;IH!uk3EoeXKPo>l+g+ig^yS>uNMI-KD`c(hY|4gGLjrzLd?>*J&{yK&(cUppA4Gv3OKZ^tykNSe6mLW9xjoI+r|KXNJ9EuhBJWbM=@({;{M6=kr(` zVci=LNDUynsTjmu>ByAX+EGIPmm!ENuY6}|Go)}{@!{GPXR3Ve@Os($i?V^SS?2E~ z-K=hZVf9x~pG)Zso`?Rt?`*MUT~NO0$;1;?`qPk3XIufb)g<6^-H=*F(=5OpoMZ8b zsB6*#P+J~rW^DPBNfb1T#;?*2kS$uuammU6LjObibSNi@Hyk{D5O$~Uv*!9igSrR9 zU!*?R-p#RB7*+W9KeQG3d!PLjzMrn=Zn)NlN|j%e4mh|_*3znWyZUHouo7m{_U{#+ z|MblWL9P3<1CwPu{`dPun|2KF^Pz%2U494;x+AVKy<~r%22qq8af}PNoob`1&b$wq z8NEO7)IXv&xTS;xf+1%tA*Ie$>UA&-C?u?ee*KwQH+MG)@ zV|vorrWF_JT7_ts??x3nM}7|weOlfAs86kR@q@131M6RL-oH|?yoIuw zFHHccMjuwB%=GD_#)z>^yHc$dW&4x>RWbJQ6bX|vVaymm%DELAa((gpF=)lahR8&H zAs-7DupR%dSO;YtE#Q&av^I8m$qp({_HSJ1y`2F$6!QL-m`K`_Dzlx5x}F0Oul{5k{!`Ty3`|sVYnJ zc$VjN()ah^kp)Kt-^Y{ZbB@*9r$X)d*1rGJqKHE6PL)=pT+N764PE^Psj5@*#^Fqa z>f@(33Q)LF9oGq%*_2KzC2JO})X7cNOqFcZu$LRjL7_?$#fHg|b;rs_Xe*dH%Wjs} z_08*;%knvTp^AXQ;tz_>`O5oUGj$G-m?gJZKAp9cTQ^ZUQ@&a{)nUa`Y0mAZmrG+$ zqSp)^;AAbh{tvTG_jNBIsTD*(?{Kd zqb53katy1bRVxLoX^B!i+&d8nUJFny{l&8o=?X3pk|&8WW6Tlog2!Xe^U{{tTKT%l zfAuDX;CdzJwpaK$QMmbAWnDG6e*no{=D*9++E#YodZha#$bb>?>3>?B2o&XO=jUU# zopFv+xsjh=YqhlG8VLMZK)`Wkz#j35-#Mk@##j{dC*k#bXQ@Od_{;< zzDTl_FZ>wL`0eV$xVV11B2?M8ol4at+f>bpPe!jT)PE2h^cEb+*XJ^U$KbnYS3%%S zpY>k8PyN51LAIk(FfVsrPcR3IC$0AtPNvJh^I^s$1D!a3lCz6yyzM5RJ7pYyn%I>xnLyCMzFvGD{SKmMzS$A8y&Yt#3XGNAX3j@{EWj~6`M zRkX3Mc}{%5Ibplk_2eWZf&og<>fH*E+rf;BGth zX7h7)Rth+%0xw+~W)U73U}sx5b^=7e7qg{X4tS zzv>8pI(eRWpU~*PMkC~^ccowlwt92S+s2oNfPg&hfIZL+v~D{|TZqTJ@e3O^Uy4!n z;#K0)_m|N(3xvJ=QL<~{@LSz#XkNcA&aRZx|Gl>3U-G-5IXy-Tc*{P2LHZKjKQm_! 
z&Y#Q66cpF`Xeu-y;NSGZC5rSvIsa#P!;2f#{@CgDW0y&8p2h#UNSPtmMiC0rn+U4n zx$|T`j;ZY=1e~U|DQW5Z|J0U0{B_vC&*024SNap#Olna%yF#sAd9{Us#Tc*bCOHB8 zuVuh#ex%nj!CiaiN}Ur`t$^Dv%-@ApC1+CpwSwheT)uLkB%7O} z^OF3sv-+^2{gTs?E$#=wzdqD%~<(7 zk!V=h)L21L2M(qG65n5O{VN?oi5L+U zPxI}&D~wCNFtwxLS&E>11Tw9cdX^{cim2If-)^{BMQ8@P7YR9xgQ|9@zPV3~w0-}t5lIF;4z6yfRaeslH{6ID~k#6uuc zf4ODx-MEVj2$8!AG2XQQn3tRW=s~TnE8+XmfK!@)`$AO*4sdp1 zFuc1jcNJIcSBG{b?du@{>r>zH@Bh6`_dgtH5FE{EcKcQG$t^fY(>xz_;9)u7`jf?E>v{R*vbdvO-;CCbdo;KzHX;;$^h%B;>?f_S3Cwo(O z0GYe12l%O&jk}u)z*QW)0Kmx+;OI`qOU9xAaI^w{mYbJ@mxqi+%ElgC2>kn6N&;Z+ zWC0)(5<>hZ)!vXteoWp+{GYFbpy5!7cuzx+SPXcb*Tca71nk$l!f;Uycu%{)4~^zl zWcl~0zPL}x@<0FjTynWds+$7vT9)=7ll`ft`Ry`AgL<&)>9;-~BGj9pU=h(=GW1U! z0lqK&?IlQp&rgQ|FWN+iVI^cL=(O*B&Hs)o;DC4i8S0Mw<4f z1D>7@(DRqs5BMl={U>{|g-EPg=s~=H{n>50|0&sTQsEjPjN3&$+z8>jn$7ffnS?x%k0Hb=Vaqkmt*Tq4|KxOSD5VCBBFa~*@8Ey z_<8TO8;A!;Q62x+BL%u%Y%8cXUGRaSScz^0kJ5q`hSyidV?k^~jQQCdkgJS!X?c-@ z>1yC=VSK9>%z*FS?aJJ3S8Y1AdcN?(^{uugtB!wgcA~3I%X^b_LG@NW3+^UGEs9Q0 zgin0x#OMIyu&d(59X7t*?_s-3wOsQ=AwQdT8b@8ClM_yrt(S;aI$2c#`J(99p);7jr%@2U|5U9oY|AXPb8ZFKVNf(H+<$`eOf7XMpLgfQ zeEDgBE|xt;j{8x}3dTHMoFk4+LtNrdc%42?}U zUDY`kA?isMGiAEPwAFc~BhW1pUmedvQq%c%07~Bwz6MVa3(p|2mt#hC#MMwCVT!p* z#28l$m}Il4;s(CwT&{_?`!!t4{O%Gzkd)Evt{A1f(Lr5m%z?MXdQ=V0XJoh;u(N9u#bJASd$FO*a|hHXQO|88hidH8M1$i&03g)r^upWJfm;`U>A>WX`^{ViF2!*Ap5m}n zLQW{xWheN_trjyN@2OvjMT2;>fkb-Boz9Ix7`oyJ2laCjErh*PADY|eSWW(2H0bZ& ztogMdm6%#bV33DYX&^<-frc#WeYUXE$dnlSN&$4tylBO0%!? 
zh8M-B7aJD%oCuM-uUogk&Qz^)`9*Slg{I)WaIL<(e9KH0t+>UzCJn~s!(@CBrZH@7 zOQ_fP&4B*VmU-Ys#<{wS%CX0*lt|X`eC+=5)37iO2>Ut(KE>c|nnR1>4>LCMz4V4B zvgox3N$G*Tc_-i{jA&mM&nXoXzK<&>P|plb$s5pH5eLm3VkFC7s!+-q(AqJaV$m>T zmtfdRL+M#UQL@HbFo7aqY<;R^)C(BYK!C~x$#e=W9m18>Jh@`5TG^(f8h$7@17q$y zhuSEK+88e8-$etM2No_ zNds=ysXdOqo8}is-CCVQ7Pqt$U)lWT=L5 z2u~H2UQUf?(l{USETSpQ&^A{4DV>@5?eMXWB-Br)T;ZY-n0qz~AXtmDEORqDu{AY8 z0JfB9cFE{m2*uz}h%(I+Wq)L-LJK_$gkdH7DqQ+n1WJ-k5?jFyebn?1SMd5^uEdn$ zEgC){0-Fa${uGfR3rPkSq0Q&19)a;8hZ1FzM3$?b7%>AT=?_%TJj=hu1OO)q(5_YT zhI{g>kmv1G58Z!X^nLa}hsc4h+>FxX^fENCp=;Lqxk$*_1cP2>nxl zKx*?U23$aN8&(k}uooMHY*d^*jtJy!Rk3WOzzTJxBs$mP2YC%yv84PSz+imF_+2w&sH-($ zw~O@_{5;(N7>unS!&Ei zUQ_ZC*N}IisM~MVFUdLepY1`#CG1Q{`dmZUrWgs0ECE1zc`V7H7P2bHH4DmCvRjH$ zOa#M%8g$)sgwP35BQ{Aikqf}M6|m%luz=S6oc4W>_%@x3tlA$OWN)`7 zxiCA3!jjWP@OsUFtU??+W7fbDh2h}v7CSzcALafZ)4$i|Ali#87Sh64F&c1DY4NjtQkb+XIp85|(+}xry@A zG7#0Twl9hoMHhTJlFs+%{cNnz3RNvIbl(V0zPcti5b>#o4=B_Sxx3mBAedxtfPq7g z?ZqZ{w;au!#TExk6xfwY%Q%F+$Qg63vM6T|o%=@xka-ueV_;a-KY)b;F<=IS;JvUM zwF5%d$M1%%GbG^vfWE*!pJHEXW=XXqa&|1HH<`XZQc!879XXW457$iEk;4gC2#Vhk z->SP)@>SDqIFWmm`hMdBv!Z<$AeF4WtWKpsIe5P4LHC&ga#-_=YY2#N&4s{`rh8OD zds`%FXTqw57?UEMxFRGdic(!jfet2bDLM&hxkQXCp$yls)!oTCz%y7Na1fw`C7qs^ z_)(`%c(eVCQ{j|aMH-)iW0HCeyf!)k0u_rOmzg6-$r<<$$}H8BY;@~`@)agWg{Wwj zctnfHU0Fi7htSg_nV}oWYa?KsBL>JE(h=Od)DP}`KxzEZGd27$>1Ks7DaGL7x%?-2V(iiYP_nJ`#&tKgV)qg z1MFYKiqj}U$I3o%yt2`i0%k);LgRQ`^$mU=Z91-`MTyYnpd=)oX1a`XzQq*=xDNEM zWxsnjm`0$7l{A`T?-2+6;t7L34jp}$oR zJxgcv5>kI8(#1|3jp)Rsqesk{Y?5l{R++&!+}MEm<6-_dKCp-3)6}$t5+norB?wOA zYx`F*3gt_s=PAn=`#;)UNq!NEOig9s%DK2XS2-$GrE2msqc{(UWdsgVP#NLLQVHSP z8Y)aeZy3CmBoWup1k+e}iH>}PKJiU@4ZO|dRRi91EvOgDKzuBaut-f8A(iRH_Jbcy z5l(#7v(-GXp5bB@;2nUmR{14qDfL=H5(>XegDOxIpDi8mZX!yJO_D{z4P(Rt2sWWg z3pdD9kD*Erw5%9)uOCjq?>6NOD7+w^2dh#drg^_mekIbD(FDUM9Ndfjgf}X|76-0~ zu`5dz6cInI$i56#HAk1!3@kvzh(sz7;MGb2d4z+Wdf{flm%^xYOs%@u1UKHNb+?;) zSvOKi%^cT`5|&cq@)q0*<2~w`IKAtIKPb3sq^l4vRA1_~yfpuuvtibGRHj1}{^ijH 
zA1vx1^?x=creMKERRNOd@~Aw}sc+xy&5$1jC;stp!RtrGdQ^eL%L#+v63`m|Y^_Ye zEFzr^Sblp-rSB>A2itT^z=L1vgvosbChibHsCnK8GXZy7S_q>8Z0junj#^^igSP>F0wT8^(qX9QbVd@hq6fsDQ%_FsHR!1XdV6|VnpfY1ukKyA7rWk6VAG`Bt$dQ_dY?+Yj9$A zuw$`CD0-?Xu;JH;zmd)`!%J5ML;4z}cC*IjrHCbJ)2RSo1N8jdQH9Ib0DTlW7l)>+ zv}6Q^5y#K!pNd@$);Ie=avIh*soBSwxzm9J2JrhZ;d^gCkWZi#OR-SV!GIpYb*WtD z6p*b9n**6Zuh*Ad8DeC;DK_b37#Eqr?r3PZnYUY&I3)S^fXT~1e%WgPIi7l^jVU8X z5FR0`B3m!S4-oa2DKLoK1D;rEVyQ2FNn4^G4e%SP&eZJ2FwP~1uJ*v9IY8U6l>W{CP`GBd7vxVDZK?VWCq2u(TH{Fm?Pn}O z$|yS>OQ;Y9hqd7kU^oY06|$zGq*6W`f&kFJP1lCK#0VZa)s{Q-3?S}gIzBJ3K-2|k z$^?IllRZ3bjbls`{y_q6a6&1$s?#V60R?%)Ta>RIrDDFf*U7pAF_((y_nPY&N)_Bx zMM|09xs5f?sUp+>!wM$FgHd$h6x{ev8lYPtty2rG=c?d-in%UfaI3VF+H1$&s~4Ch zU{f{ZtJ|3H~WqcTB|V-6u}o*pv*lWWYsqIHPDs6^8tz5M;pz9X0xD`|J-5uapSmu>F&2>Lpe7 z*^}|q@H*UPbW1dWoM`fLfRs@VwC@OojD&O8zp+FzK2aC45AUSI&3A%t&0znA6Hf{v zmmCLNSU@-sU<`+INj}&(kC1V_zBLH3#7U8YVh6mQUgOoXmD2=&i=YYy@(<`R@jIq} zSlsF4`kM5IaVVLK9|f;4UaavqBmqLeT$@C&vli?%+Giu@DpH!gvM7uai(deGeG6YC zQ>v%RRB_UufJjo-Bq>QljG0y>25_lWuM!|d zR)r167EB#YgsicV_`_mRCtJwO>sx<^Yt#B0ohBGm>j6v{M#9Sf1R_-J4~qz7qurm? 
z(g7DEA%|<=TeiUK5b~jp_`Kc!l%i#P#_L;uhl_}b>yH|P2Z#azlqq?Be*+>zW$2Z~ zzss7~V5mwI%r&b7KAzg80k`tsrHHJi{;CmwhbzAjqybnI$S0Ra|6$*w_8&lC$?3jo z#NTBdBCpF`Ot*vGX)rit3VYQ*2+a;celwI(Z03k0Z?R~!5r5O!j8e>CE6 zvi5MM8-@idNhdnML}t?MKc&baqxio{|G!GV_PXjLI_&fL^vS)+@i>dOrRduB{L9l}PSfO=S|1vV#na)-mv)Q-!a6zA6Q$Zj+_SPDg{Y0?qw=2&w8@)lb#r_|`_o zhLhoImHGS0=zVTLfHLYJQWtAt$sO{V%#dl6!j*nJ-s{YccKrhn+3ER>u-E-Lq5 zOELrcf^=f4!DFZI)C~kxWS-|EA`BD~2C++LeY`s4e%(9yeFQFjnXMQ`DEPoB2!L)= zoUn}3J$H(Uc+@9Z!KErh$?~=Fn%R2!vK0WNJ5Lvtm8%DTO$hw8uCoH^t=9?y3z{iC zKlmv}4!qQpk>*Iw#+7yOggKB1l^l@PX5P13s``nFfrzgluC7p@cT=y~ELp*`YKxZA zpn|2mG&8DGl81Xp!MtPdV8hNqM$qXGqJYX?VE4T+aVVwo%STZqp{Np;&C26M=YSH= zfU8rM{A{6-@ZAc?3*qop5FH2))q_Pkg9%9I6GSW_g7G009eS+k+g!EcB60I> zb=`c%X%$F!pkmqJ|5!Hn!qP{>$JuVILOYswzzsd|MB$n9%M3ipbt#@AQd#=E&$-<& zZ3cwNrPRT+2haQk9g2MZG@c}x?*yLeafzj9_pk62hdvjsmT2sS=PS>TCsK4je6zL6 z0-K`%9OF39)z&mX_bdj|N!9<>f<&kT&x1+28f;uiUwIWZN@wG!M~k&qvpDtiXXnurNJYbmfr(y4(-U<;yi-dzhQ-;5Mw0Ht+c zFL>VTJze+f5YjfS{>H(Sy(s=5h;ZZ}=2VK?JPe*?T_Pj+l7bl*MJLt$i=M0#3`Mz2 ztirPYJNr^v5MHDY+O=+)Or%%V!atqRw2PG>h-6x zbS~t^{jIu!8DfjVMfLr-DdZjL2g_{v_;a@D6?4GP(Qo&II(gAPAnOwZw<;$91b-Oy z)G=|A5nCkFFZvf3`OPpWnqKV0G_zWtlIOR9t<;BT?M&oJI}>Ma*$z@>3w~FtILGV< z7&`3F?|L`E2;(c7NKh~4rFE^Po^3Ik1{?TDN=FWw!mkOlQsww<4U1UqwMP+)yY+G?SFZ%4ozx3AJ6A8X# zkUrZJ3-TBBb&1~l(^OSuT&4Yeo3mSeHc9@iFIhHVS?$5NOZ16f3CHe63NV52g1iG~ zGgEpOH*VUgq#Ju#+YH~ZX1*KtQU%N;5(7xr8tRlZda)N36RL7b()G zXyq%?dWZ;}^eiV(a~{vyUux3^GIIC&*DW#2y2b3)!I*V9ql}kB5;<--IEL?JoHZ)Uw2}1^-C72D0vP}k*NH+I{w|UTQXTy*@%!6!m)1i zJJ>O_fMmXqb_?}lrz=+K6@~|z0gpg3%etyJ`i&cBv!2b7#hbtVH(JL@H4jp8rZthm zqYNOV0|}MSPw(bLAKkMq7Js8s9}J2H9y0Me3pO)xSM)b}am-W>`+XV4S>0jnTj%Zf z0R36Ov>D?KX6YwR$XB1i}?N4n-G~er@wn_X0Nj3^89p1cDqejhwLWT z0oK|c@rCm!g?CfeReR1xo3~k9`>A|p3oJxQigF#M@w@E{%h4^ z2hpN>d(!KNFU>(#)r9XMn}scXZqDuvC0Vtbdq5MNDZO}=%!p^2v0nR_GU`S1mh*Ln z41Lno`UaB(Nsc#FT>8RCKRFm>XLJJu_R*)y_25DjQ3)t;Od1^dP_-^4tT5xweviFx zkMMuY5NHcU_#O-~AL6*iKZg@2y>#2Kl;pka5W{QU(ceIsq3%IomJof0_iGtNOuWWA 
zf0UA0yFY@6s9bBOe7Gp&19fF+&}@0E_iSm*hdtTZhJIxXHU(J+5vd|UjoHKNI-!>c z%M+Rrv*-q+%C2e6S?E5gIOR~jIP67q&QtF;UBll-4)cwL3+KPex>wrFpBxWwn%`Mj z$bl)xocX4Q8zPJLN;w2s|0P2oW}GpB5(uf?s`_+ki%mqq0~4m<=O&M%4bEUfo$4y5Ie%&r;8g0K zZ4iiMg*L{BPP6OrH8q7$mw2`24cd4+ozi&3UL9L#ak73PAylr&bMbPvc`vA0;V^hN z^@rF+@0O-S{qC$C3)$@-x6Pjt@qe7>Fc5k4VolluS98hDAjjT_XuP2&;fZWMt1kUCy771Kkoo{fq` zyfG8)8}dUy|7zy@IF{M>M?BW>gqkNXd9}rv9fbX#d-1q%!yZl^n(JB_9Vfz?)v(Nz zKH5^mx=f<*E4u}m^dHV1aKCs4__k?>tsIkIG_0Q78Fi07Z#S$~>PB84IQxDL(v3l* zJ8Ul6JOi*?wCD-Ad=NbvX#FWHCs_Y6<0Q&fXz|K_+)G^H*~du^nkhDy+!n$vHl>}K zq&~1qRy2@Mwf;T%91b;!vJ;q_78jf{xSIsbxaRjEsaQWbvRDJ}e*6M-+T4EoE%`N$ zY+_+Z2lw|BUrV)%H@<|M$0RN(CXPX z{NP%-MzLAvRV&-$>|>!5J^z_)dlzN1xWf5BEjauX(#YYufAcFO(iW%R=<#Xz(~)wE zLS1)0Ax}r-an9tOPh4^fu9&s7MYdG)rs_523P~K*8nC!@6AR4+f)!IXzHHrK-4wzn z6PUZkCL*KxC3a$YQXW`Dic*z?nH_AJ_r3>J-X3e$|3zVKHb*Wd3<$L`2zZfP?pC9aEBiN{jPL4J>U zS;tv6<%aR;ob5x_ZFi2tkLjdt@k%l zJT)~LZY7MLBq_}b2{p;^iCkoO!$+x3tB#CBA@}u1#B>}K9=+0`<7%t-(GLhvM5vuc z-<^=k4%bv}T5Jy>ak#SYim#EQyJ8q|$V z1Y!jYr-{}4XftO4qHxS`D>2fB)=7rrar3sHU)WQbY|p%l43&o+nP!ZZxNmyxL={dL zYFkB57j2z|y)fex)wffBhDZu_&`oBTA||AN$7D9-p|?ehx49pU>~k|p!I)QjcjNF) zu_GJ{KjdmIwx8h_3UrNb)Ur@f=f3Z$THcQqRgT`vLh?Ouf|ilit{QK44xd<+Lz^j8 zM^$f&J!zH_Y($}@BGKIU!aSDzs%xO1D+i}LOnFw>tBif82H16D2jVS_nloH58$l&a z1qtoE`z{fdfr4~K?eoy7C_W8$f%xn~o5;$bHTSN`Ht_lKqykcftTcL&Hy&+V$~+>a z-5?3gx#jKh!Cr3>Wu69tE?r7-LrsSKUj?Q%_Q>!AUC=tP0!)y@kb&;T;urG|za8VQ zK_rJl8YiT)Kc6GrI~@7Ew;qW5B%Lbo;+H?WHfbLCWHy;4LA=D3D7s2~ z6JpI+179X88e}-f-4?sz`Yqp0TnaF3?N`3@WfSLi)R_67u@$bK$%I_z7Q z)$<}*T8)o3oKTu5mjY)dT5)Aoy3y-Rv;^AclPVeq73|&!gP@h-XLmDoQ;Yl#SeT>m zXkLU=oxnMpTvg)ka7y@H%MnM!L_v-)o6|^(y*z^??2dg@Cqw2MjcJs}lI!s-4|e35 z2;>E4<)qIATjURo6Kr>D^m^pQj7$sDK}%-X%$e&djJ1rnAzt{&YX%Rvw59VAA}5|C zGqOBFHD>c}ltT=Jk#6h8`UH9HyBJ}eF6<~IdJ*O*9$%5u%YQCZGcpk;G`3cLe5+NG z2PBH~FesEp)QIwgqS+{@g9OOQeDX6Dcz_^-p`)0_;3esnZBXZ6s3VV($~PE8oYOjk z-Pwpd*D=Am1&f9Q7WCe=VN|me?uYx)i~~`5lsKIUr2ve@LH-PcXve!ZG<;-KGP@8= zF-fPCbPXGn3a~hNhfH6VMOV(c0oG`i)n&Y@Jtd&uqqP{n^#Y36!pk%Vpz_pfJnm$+ 
zwCtxY`5!VP2Yl-xET)1bF*hnrV6=M;A>B>5W=MV1`p+7a!gUkO#L?%oNfFpJr05zx z3q?*yyfZct=!>-$%3vM}REpmSJ~#&LN0ecRHW8dnH2j!rr7{>|S%J_>5nVOQ4|-5) zPeuWevshcNxUGw4@E0hg;^B`0#F=+!3y7yQtxTt27gf224L!u*$USBhF*HGs2-k=_ zu<>r&`Aj78BxaCHiHH!iP)rGrXicTZ)At6cDC|-wKXu(dKSwpGp7y!ca>^&8N+d@v z5XP&>Nn=cz6Lru^;}Owx3zQRJBB373-BWaf9pNuzUf=a4sHeoZ9lbXt17{7~<+VYH zdN^ot6J|Xb5oykJI;1Mo=G!pXKd!tP9bzjh%?PWqTonvNCp-<5VSPVE3;>XXNeIW) zz3@~}Vsz5sX(xZ62_K!=L`TEej4<4?AUfiq%C1ggh)SssY@$Mg&yR|?h-Jl3oznNw z7m#96`~7V(N^jUA=8?Qkby_gJ2QN@FHsj{nuq{-nM%VCt1Jd?dwnsn2TuJ(r^{OVp z?!qNq9t!tX7;8&#?d(QL19xn{2m3>mUxh zx2WK)vxv4}pg?>o=$hdm8E!frBKZ;-hw|9SU-3}#{ce0z#+d@?r4MmYwDY>KtgEi{cyDO10b?1$7KgD zst+nsjLZ^N&$NBSQ&1kyuC+y3G~?k9fl!zYuioV~OU@x}Gf9XSe$-!`;{a%3tvZlUvAtWWcF3@(#8 z$eKXF-JOJV5W6W{_-$St=9_`E!g}}3$r_cG6eEx3SZ^Y=(S0Ce=@~~1+lW~hPmgxk zM`lvo8NwD$0avo@JKeb*h%XSsT+T!=4LLPjl_PyvXsFCXUpZ_D@z2>5#VkP1g;^X? z+Wdn@VY?ji(fw5`1IR`SPrehAAB(NL!$k^$iEXH$PQ>01yO{Vhma;L*E~PzY%ptvt zWo!t_Z9Kb47OAZ{=F=xeDzp8H3tgSEuohAz*pHvWAg^5DR~uak2zyHLiO$@LQl^ zTX`KExC&PM>dO>I0Rq`yBo@ExDM>yJC4Jv3))D^FhXx()q#r$#~WM6|Y0 z-`eL3R$@qoE-@S=`E@Ro2jwRwk3EwqSo|Gycy3NbewCMyZnq-;yFb?PynK{1DOtB#Ula$3M&W)qhBRLOy;*~%|&Cy;`Nsx0f*ZwL9UoMT%K5MhJLjr0YC$*;NxI8pn7ILp9jKaqm9QQ|W`;oic zvWgv2>nEQq`^`$_a8){-SnCX!B&UOEDq)goYmY(2?y< zedaTYwHg2g0ued|O?tVvrjHEZn1GfOFXN22;Oq3tGX1+8I7rlU1ME#f6&N!_Cpc9alz-tT$Uga6z$U->CMZC?lNSMi{*qFyu9EgosB15;zfuU? 
zr)n)KVe1+cD;!c1Q$I~dMt@z6=&28C#U%E#@yY8ub|k>a=ej`QCX9=btl{hz4gBeK zGc!~WPEhxZQ!6be1|5n^|7{<}<(FCRzxl zN`G;u-j)bGV;M?$Lmd-5k-)}P^hKIoSw_65SrtW!v~gK!1?RADm$Rm%*vv{mi&8Z{ z-G%55ExjTSE)c^Z0c)Z}vt?KMU}TK%tu_;5M@}!d1>bfciNiWV6p8=K57!;uVL+6g z0BDGdKV=4P78LZuF<(F_L7<4|)CBWc7FL&rYe9+pFbGn+wb+`h|U4f0%94f5!W01QN8x|=3KzbFLc zzMz3{uM-Km$<#Z1wc|_9eRziHkjJs0LcR2HbYfR#E|Sv9M3PDC%`)MJN@G(<^ls6z zxxtB0kc0p2XYP0HnA$cuT&uQyZr0a#?}8Vmns%FP%!R%>7g??PY`BPjKN!3YB4Y-H zA%DLq00!9@+d?C&u`Vzium$2Rp$e1aa}86$Yf?2hw0n&;Z?f$PvklM2%v@4%s=qao z#CuV*(W8OEMqEdM?T1H2Tg|hv-gB?7D?wF4f;x)!yH_%I2%@L=vM^_Uul5$N=AIi( zC|jDt$23{%z`cuL)L0kdebhqM3pIKFUQk-`#@*8#um4BhL(hF3VNrUmzk&I{Mw!|~c|dh&!HgFX z40`b@TUWEt8p?-^o&rVokt9j z1uZGXRg%LAQLDthem8`Jv~&5DAx@9DzRM-b2!{UXaB`Xo#`wumky`%+va#w?57^e? z9j#S}>X!H^CZyy-R0u9+LU%$G=E8AXo-olkvJ{A>mUN>SXrBSy&GXHaxo}=<&`Z(yKMvaAb{N?TG3c>`?O-5#JX_mC9ENfp~vbcfvV` zQ*8E80K~*d`e4;Wy4hon><8Zp-SxvLB?S7}chNlXzHiu?GroJ;o*S|i<^-uA&bRpE zdo6qM6m?WN$*sCG6Kv48kw$wqS`u^5o+n~k_2Itx)#Gb#%fR~B@Bg(*8ToKduf(oV(GpG8 ze)-vs#Br*6OW@+ynmHqHtWW!w!optXbSBo-45QOW{{@4b%Z*5C73%xcHUo6B%M8WP zlo}-|`30XV80C3*5J{u2wUHfd^)Eqb9!2yYobk`ztnk_x zd9Zk^H}tx6yl?Y3+&PJ8aim%|(ht@0a@MK5{)x>v%mkNIBf9!qg>Q|R3hZ!Td(E$& znTe-z%WS;wV?02j8JYBtf{{GS`qRf^ZEh5VeT-4sH|Xi6`%H!b!J#0`$AoAeWSW|D z?qQ(%_gI1`qX2e%5O+54x%a3q_gkBglI2|QH2c*S+cq6dEI{x#du`Y0Z*Ip0*@_`f zV}I7RFB`2oKW{(7;-gH}dP$lV z`1kW$QqL664-X|;Nt$hZt9YP~zM^Bo-*ZNH->!G<*?Hb%&Q|;6eWZrk!rff_l)A~$ z#@p&Q>yq0CfpCkt#IU0DL!guyC3EPu1f>-b>Zs>u+q91Ua+~dLgZ3&Rr9;j(;b$H= z2w7<5%ui8Qu|oO#$eK>hilC3)fCtqsEbi||4qXg7mrSb5qB!9379&2}ixQq`vTaL2 z*F`fOfnP$TfHLt~>ISZkh6WDB7s#A5_5Rt-;WLC)mv$~#D%6K$_u;(#(N#zGPlXlk z2k)0gv`c=LYk$IRTQsk-{r`A6%b>WHrUB#b?(P;AO>lR2C$P8^Y|-Ej3&AzGYtY~X zS=`;-H9(L+?zg%3tM?C8P{lc?XS!#)r=RZGThrlf0j%+>*$58H^>zUN>GJ^2ogB%2 zPW0@SrjN|fyuH3Uah~o840M-I=0|p~pR~6s5+rdHF7f&%|180L@+fpBgmNnO%p$d1 zhAzx!sNVE9MPQxk^D^^&G9P;zCo7shyJswXQm9$7$Aipv-y4uTr{2ZdvZ z#C&ATFy0-O>+FIFm8=K`Dv)Gw9%$Xi54N?h7C+x1A&OrS`VXm~T!h|fo%r2-_oZr% 
z;dU5eFFksVT}f$zV8}W%ikmr(_sLDxgK{!-v24@O(4$)7kx>9T#m%@P!*{|1eeL_OxjaATlf?rB; z0FD1XePgvbhjfU@90JWRf!m--Gg9serlP@pCyhjW0zR1-*!@1nE1JH^hV?8hr&}*4 z&AnTYvDG;VbnJ&nhGY}kWVlWKzOkM6MSwS!vnP>L35CQJIu^ViGgW1{G5GQ{{gvD` z_b+jwV+XPfUSIcebZ8t}ZiK#S-&u3d9SNf;1|>2?@AJYJ1Cs@iKLT{(^GSBn+Y z+7L;p{-6Y9*b_l3qGtI(@5^O8fdj|0^b!|qlmz$|-o?Tjz=!nXUx^5Ehe+l- zD>9+PF4Mn{+DC%LlKUv`;b-hr?Erb`-ogr8^mG;RE&(I+YyM|4b}$*vlEWi-KQ}sj z^39zc=YdZC=Z5Upj3*ouqa&8_w_Ily)4Xu!_SKDvr__@fkxIe`& z+V-yT$dszRQVGb{~XBVE=t|D(Hfqsy%y)L=Bzn^NU7z z0`V7Psk%g{K20MC4Z9h}9AFw4rw%pF*{;dd$O+rN7t3p*VBzpM!5hNjMUez;dDChb7_Q6TeO` z$*$GQNAU3bG9$t4+AIr}7d5QLgmQI_sn@K8MsX@c$7Ttyj-dDXRc&D|e$}E>4r>?N zRoLt1E?C!#zwgpadCkOW4m|^`6bHY_>igfj&4#KiLUz^4{jKt&Bei}PBP^$XGj-l| zKOgf|!svp|=ZaoyhF!dKaeh7?7`J{^!oM*~Uca-?n^@Ic86r&`)K!1%W9FlDaWIkw zHD->!YI4e>sy19Tdi{j81Db`C9(R3R*EVArhLkzEt#pCRkO&0WI^@khuNqFVs<&Sy zWUuQ-XQp`p-ypm9XLpk4N2bL=FEmj!)zdiM#SwYU*7f&kMfXmaiNc~6ZwEOurgH$y zDVimlLEF_e-4de@6DM=+QdJj)^SgufPscN92xR3&AO_LMF-pK6=3kl2WB#b z50C`6fHjF-D@blSsLM!HCoNnxTu16s4x@z2e2dsWQ4>7DH>yeevOK4#)*&B) z$W+5k;DueHG_XiH$#^Hrmnx)$V4rF_@4ZOlrb`l#Uurwp!Q%OdOqJ~?X2p2E=;MDW z4b#=Csva2Lqn1tq);GmFXSC}53#jZkg6t==@412!o;%QLRmW5H{rk}DBHQ`#{uJp6zWv8U=ro3 zBobkXrj%+9(uyeRcPCs*ub;MYU*6u_`$*EL{{ZB45&mRysF zw|BA1Sg0t>=xta+a$0yN4cf@KX`#N`k^wLwn2YiH@0)k zfJSHi)2!Gc|4C`!83s?xndBf{ii@$ak}hsf1P0GTy7^Q!JL8{9O>fh6q!3Q=LykCr zrD^IqqKLJ!2v)DG0N%$Z?ZeOz=e4Iz-mwzmOaRsw@fk?-$kf~%ZaKYkh$6!~_2TMk zx2`=+Cb@+!wYLfit+(ux)PE!yokVOb433#0@M_Mx(=SqZblCECZz$FhLMF*t2yLwo zT_mW3#s5^coOV$upH}IXNGd`GE#?6xw&AgkgCXam2)mO_#GaV5u}ea}iNtlb zqHTjf8aRpv5xw6q6JMTn4K`kJ%9~Pv>PfyO2C3z--~zS zRqRK}=p2+nbT)6DQcagzC3mX1pV*YAE527?wn}gK#@W@RuOoWS**tm%4EGQZdz3F# zyV?(3MH345Yj(P*2!e{Z-gN(p`!StcOvZ731Y^!dY;PZeV#WM$(3$6iwKJ~ z5p`~u+{#_(X>BB`E)H-%94>)(ed`dVYEqU`r?vgXV3a$Ug-S$ZFjD|VC;>Jha289T z@lh;}9rw|3|-I#;_UQD@#TzDX`Od^LvdT=aHB6z!A)1C5c< z*;++1#TOl|m~f_^KestVrE|lU_Vk?jeUBp)^?BRSD?EE#KZn~dJjp>cF@X1lM5fE0 z%<))T@-Lc{3rj?nN$tOBI*p%@LQ6b$xyBvB)FdIutSGB<_4h|`1E|lJ!F5xcSuMlRc=W7DQwNrL* 
zAPjcEWaoGBC5CcNAkS*Sk48l;8-g}Sak~FMp^euew}m|6_C5?bp=#Hd!%iyYNd*t| zrBt4s-+v$}V~pLWlg(7Ge|DHIwmzvvSLBDrett8UCd*D12g~XzADe5R}mo-2zW1Z7Tkh$UlkbEh73Gjm9;iK`phJJ#Xik*yG$EU3`7h z{>ie^RV9S&;;(s$-<%&LFInZ(19#Q#g4LvR;v3sgDTLQloLp3%cp`pEPij;MpY_aD zG^CpRlQ%~4@M(fyqhL5LNOE86RV3?5B5^2EQxq_q9r2!IGo-Ko$}s}xs%a+%!3z|U z=SQI0T60i_V$MqI%)UO~Dj94!Oko&rVN9x{`8d9#Y|XM~hfIKAn5MK27R#@EbEBD^ zy~)pidV;AraIj-}30eWFe^7p{*tt-Lq~L=ANkXCn-J^m2_~qZ7GORHrqmVn0?_=a> z;X~34^!A{K>cWA3zJzZ{8Sw7Zk~T|fnDgpkkvA}Ao2Ro;#D2Q{Zq;3HdgtyHiCsH}$g9);FA>_P=pMO7Gn))A*#WHw9x2v??d z3lc&!vDv2cWsojB3zMtIW?SZNW?^Prwj^lR+a-q!c`}~<>0Bt&_6HC$+v=B)nkk`+ zn!QvH+ygLuawQ=y>iN2tZGfuHu?dXCM^lv7iAoWtL$Z*LKf_=nTQEFZHW#3})6@59 zuFwow|0RS}YSaX!_ijJ>lzT(z4^(YFlqQ_y+&dBx=WJRa}+` zq1kz0p!x%g)rcoT<;yl6ir_W#>5Hm!_~qX@+jahT0So>FfzH`3X(&1PVNOrf6L!nI z_BfLSl)|oWrt|C>6M1vXqlSph|FB5LudhldIAT@B;qEg@j#lr>C^J`Tm0>;I_8_4w zNb8oOx}M%yZl^(yzf#$9e&R9K74hLOkU@I0U@KRF*&x1J$({Xz+=_AOa(h!f?19N( zcHPz~D#sP8rrC9Uts#CWEs1fja=VxD}_$Se<`STZ;8W;f_%iG`%SkZwux9&A5 zQtJk3>nsf{76E^|`w&ThWsI7p$>Oey|376`1*w$Yd(sH3pIV~4wj|WCAl!Uu($0Au z!Aqi{Fi{&SoYPGa#uAqs2y!llBTLT6`|6_9ecS$?;V)h)B1{Ag<|MVr!*5p>v85-$ zcGO?6j=c&F2RISS6aK&(Lap*aKLOGlV?-%5{Jo+8t$dAUGJ9wc*zR0!-HC^htcD<% zCguG0$FF-R3DKES|Fy$CKBHpyWmRomHYz|;oWZB4tUKxq(?7P6kc6}q*mF5US+&n@ zL*7QS$nK$eTTnqi))xP zSn#n?r3`V5pJ_gF2I?CgVRrGkjP4lZCe_7Xu`=Qn=86+lIIhzq2{HY#0Yn}b-5+3L zs`fQx7na@>Zir(3)MY}niinYsCI@3CpygR{weJe{Yn_y$s2DBUb8cEla?itSkSWkn zxb+rA;idIV7%~s681Pd~$n%+c6l!=XykbJ>DiT!*>PdA>C+_F^tps5@C0%0>8~+WY zSsQ!D^+N~?!OzUlITVz|FA1)X(??@$E7!>4E#SFn-meYqLEbw+p{5w}$d-?GE zq1Zr2T-#X2^Zs<&)6By_8YiF(TIaP}sjJrVUu)y18W=q*KK13E3SYnJ`(^_uB%&wD zLPE)%suvVTYUjg~s@9#i;*i$h9z>AN$+mY~EqkUnB@UM#nq<%{)qs@ngnXx)jn(!~ z*4w1hMwj08<8b+nrg$a_jc1=g@oY}8c~s_oSY%R~3v#NIU`pxJ>=4sX204vCQq3rZ z=IjdCs(ImMC_JUQN($uG%Pr10?Pv_Swt&d0dbqghv%e$_CNAlQUBTVbJbDg zLSs|J9i#k(0;V2!dxz+_n%Dc+8-;>=n7oszaLXd9H74z*szt0K z0>%@Oy^%%0-ade0fLDN>1)}_TRXa}W86!bRSdn;9&EhMhiC`%YXH%&?L@ z)?lTI%g4~7glhkvU!orpe)kto(*XrJbp*@B(8pfXr@wdDZ{$sqr2FnuSUA>k?1{ON 
z7FSg&oKes|U(W#hg#nA#%;8Ew-z83w+zPbHBea6`*bt$rep$J|AwPpd)t7mBHyaO$ zu3&@S1T^FR7!~w#g@UXwM=Y5t5>v{JO?|SZ&R2WTA0?$E7v zHwtFo_w@l;?^Nx9{P(b@BN0A$w)uX?oUZe{cB1SZBla!H8!}gnEjpi;Jd$^-hW^gX z%E(bGx=ns`QthZoZV0cpG862MhtJ%jai>*i8nx{|FSjId$@g`frtg|1dpXxDD)#|2 zb9uoUMTr*pJAMRP>4>XGeK_&LWK32E2b_l52(?K@rQr*6?yFwTGiV@Q~sP*I%CLMYe34D@MqLEP`rs*ZrYp7E#z6ylKu)7c-KVsR|W><1C!P=~buKJjp^Q7e-;EQK& zS1A&PJ5+WT_>&*(NrWdeUv8!G0VVj3^f~0hnbt}p$?Lyx--FQTnED4fy}eC&`swp$ zv5u2gKC1xZKYkC6LB6GtHeNdCspj`V{=VH8LJ~;>wO6K4^T&At(>+LYSv`k#RTmK{q@)6R$uI} zKn95SK8p$}A5LpnfOC$A^9}*3DF89_&{>?XsyjC#yIUxf zGAv5U`IaPM#zGeTF1th+uB0;|lXSmcG@4Lh7P~%G;M?~``goG-LSW)0{l%e*lqi+Y zs7&Q}45XqYf{gtJBz|$_0_IXrfc!E`gc#604We5$hCbF^N|Qfs<^P&C7@jeX;Xp@C zf^UTH4Ajw|=^vqWjP9$`)Q39K|2kzfrR8rnr=(`>2F{BP(>eC;dW}Zt^7CiVEh6I+ zFN$*>(x16A1&*)t-i(Wr8WQRva{4&FHN;Z&n?`JSIabXNh(w)5Ts~1G^8z%$7)5bO z=_eRzppX%gh!zh8dM#|0+N6(}$?L;jdTA0;^mJN5OZBs6w26{duLEz~#tL0|8T4ub z1uVmX^xa(YjH&M~hC79@OXM#!k&TbIj&>s?SSlR&0ONMXr{l87R)@W?iDJ_( zE&X1-0p&wKndny~kshfP#F3|fR1Ahvw}5k4*OoGA7ZFcoee^ntP&*!r4yU|QZ_{PD zvBW=<*65#uROm5<#2iF7G|^j=q8%qKk08;3Q>H8#!7`v*l0Y20{;;g>{;JyfqT}r0 zCx@7#cA`LW$jz3lg6 zxWkvw7hfsX+2sn?{9d=v3hEQub^jMMKrry-+KH$~gBZKG{tp z7}X{h(gyFh7yExiTaXhF)Rg~rm8qs4Vf87n46wZKo}qFRZQC3ud%kezLkC1qmWB5* zT0hJ07)b7f?;cX1_J8Ice)#k76n@o{l2KISbFaj3rwZ*&m9FIS@eW1kfrRjr$hT}1 zt4<}uIl0xI*60hbLler#e5iM|&EBEwwnmF-dH8#Kkdk2^9F%~|&-k@$t87XOEoi=N@oya8T&QCB2qw>a-=^*=@Tr zQ#f=axl&S3M9X;PTxaL;nma=5<0v>q;{ascMbfoK=n%Kmt>n_ktRRu$_^7BxnPTQy zyFs=uO4amoV)EA-9*jnLCovGvW=5b%tV~4@)Zr>bPhXLWMERsOB!L@n6B+FRO*F~C z)tsp*0rXB5y1a1Dr6tIe$Igh}vA~c@x^{F^gK@QY8Kn+%Vnu_g%bJCj!j#Ksvis6^ zQ}w~n*B6mFSdgJnlweIPopErLm^jK~{Fi-DFg9>wdLI@DEe2ci3Z-j`ov@Bu^YbcC zwDBV88;xFQ2Ds503i8&-W}mhwOMHPI-W~0Z#qq6mtfAWq6!U%iei zKaXW6v6ii-4Tk*P0s~97V3P@jjs)ZsGHQI4FUX)-lk=jP_`{_lGU~mT`-W~=&tm?M z6mvxlRPlnomn)br9L!YcZ8fP7(c;S_k^Y_d6$gPz%qG|YR5wHuNBbibJ;ro7E-k>Oa(;}ucHamf+YZSz+IF^NG+2ng~ywt+2Cxx2MKtFw^SDOg(M5UR60->D?z1 
z?*LPt+Q)-(e+8EbKpVi)b4+Uf4C$LfzM29N5Skm{6Yxm#Se!>Sj6{Mv$ZbX5d0!aZ1M1@Wc~FSg;b`ST9s^wg18CG=EBGiGdDa;1q7{N0 zWq0>=FPRt4Elw6d@X>ysq&sQ-)~A0rHSN!M`X@p_;M+gmaT)&Af*^#Ew`_J4YdsZW zSO2b3{NIeDWUUy-UAW*;{GRJax6q`pP;qSGF1VRNAc(fBD3`7^8l7c%4Hue(+;bIW zpCb~J$f{ooMlA~}i+W8w5_3P2Vj{>GCu+PUS>GxFW+twaf%RX2?;*$f2)dmpg#{8K zK@d|lvIPBWionX+ePeeA*M`J?hvumq&684oGjHYf#hmG+LO(X8MNwUr9H{M;Jw%eM z<>%{|$MEcK3`c9RA!}BXkI;goNdHwfmy^0~vHP2#hv1{P7{a13Dx03MR%pOt8ok{T zq#C&InTkzsMCNDM=V!0n`)&hIhd=q@U8>swVIk(CRvn@c;6%>iZU0ons~9EbPor-8 z+rEu|_#;m8>RK_#RRCWszgmBCwX5gGdU!MJl21zXk+DzsAZz|!m%x!k1%P>IBy9QL z`KA0?5t7D{@{2=;kQz2R24po~G%f+swNH^SzBTO(h8*3wN-PHwid>X0&GMa;Ro1J} z^IaDda{)txIM-WE39lqatM^BCFnc$&F|7l;$-;C`Q#%x-?QNL-v>Qc!Y_0!&Jh9|lj^QUfE(f~cBRq0G8NNQB6~nl|sHwRtGU^cjWCWcfqE1-z8&vzi zjh?vyLeHDXAC7CMEaplwpNPNjHGZ!9`aB;kWFIBfV6NpF+-fb6n`+y7l1<P#Q02Q?k0sj{{#_yk@Ie<=+LQmXXkb{d9ijXcizND zAa;BNnc?j44CMeuzb3zv|8kgGt~oU*iOAp#OW=>h1f#QYvEm14{V|k;XfCyk$DldFOa7Ob5QN6PF)$gRixtNI z3aS~_e$1BSLMy$Y@Wq-IKn@AVBLD%0GOHQ$i zD;>zt{l}!WJrfiVI9%H|L}Ix9>%E0xyr#**dwLw7863o&7+4pX&8zT#*@!qOYeB1; zfpagi`Bspn?I+iP8_o;;Zd!z?duSOoTHk3Onk~*wna8P0)&^0I{&P)2MgFl5+jrEp z!@r+}y0dIJWf!mSYuQmZkL{l~M3T~3LER_vFF?~4Ow*S)+m;3R&Uu3>=F9x^$w(M4 z`%~MCn>pLJ)v=6$CF8DtEFrGxnwA2ONASssE2;A)tt_|i5#PwBNfQA5J}?ex#%tC@ zK$WYa^hk%$p1+U9$Ej^ZfOU!7oJt*ao{i6G$!0JUI5^7~oR6c$W?}%M7X&q?bXm>? 
zTq%5(*}`FBD_n)r)r0$*Ht#zDN+NaZ@06!AH)I!Ediu`)O1RHSh43$GWIH4$(~}cO93Q{hqIn`h#?K8(#(m zqrb7F{Hs0O5UAvzMO-{XF<_1epo#$<&|LmMMc+c9pb)st2xn*NWPKuYgGl>(e56Sh z`aU`3liyNGXy!b(=#lU3+Jg*(NPu2yq z-k&PJLMa0<6jtAJ9NuUCqxNE#=>SL7aky7KK3Y%qz8Jv6Urwf0I4;MGg8P;BT^xYP zN7EL@=8Enwcsm%GK@ z^#T8fU(JnN&_a)&nt@$o%!x6G>oreJJE0?!yn$>RBJc6&GYs=UU4B(n#7akeCQEO> zdtNqn@H?50jYErm>}*5vS3I!mRimlMv^Ssj_T*bwW4`KZYD>i8WKeIfvlhvm1#^Qc z^FX1np3hIWVbXZ_u=GEF0wOZFZf;!Of(Zilw>XBK^1*hCH2t@pso)V%(Xt>sU#%2Q_prvtvH4 z+qN8o#xGC`Em1N!$D)mwaf;|^O%%ELp;GH>$uAGo*JHsQ}3 zqji32}8fS`MGF_EMAdRpiEpZiX21AJ;1~{GtEEely{A*plhl7B&8=03*o`N zgy+d*yJ8n_>Mdo6#GUJGL-%d%5cyv&uj@aP$F)VTxu|+(x|($Onh*}|oIJwX3K4mT{M57v4P2p~NVL7N;0bJBce(Ck za_>>EV@vqscComOBcT~SFMz^$y;W=Zq}JYbUNx5zIGOqa6}$*4c!LNfEH$=`9ihcV zqc3CBRy?F!N&Wbvp;#BJj$b2my6;|^WK+}}-T{Mv73n?NPb_xaBsEx_mssogp2rfl zmH94h*v!^-P%bH`%FHK|M87`s_tkaqL^)aFT*D`ymhWj-ZZ#6VUE3B5O6bCZ{v59q zjdmer3C4V``qh(Hs!ZEdEXN(tr9eXXgMK%WzRTbB_VyPB+y+Kx9&2(d=-3cX_Pvpp zf2Eq=QurcY6-K})GiO!puF%5XT27B15OjF3d!>6&rdSz!$;Vg`mHc4#F6syFX~WjL z3?+SJh?$3^gTfl83AE@4mQ~tU#Lh5B(D9eWXOC4nAu4#nh>a_0fAg5}frVcc_GrlK z{CfZ-t~Dp>%$$&YT#27&l@Re)xYkn}A%<M)xCMcXU+=63hwl5AV7;mrc)zrcMk#=KTEtWd%Ecs2YH4R8+jI5nsAar{a8`2> z_IEQ9zRGmXA7PR2$@?^`-i5KCxY^!2+sLfJxfpzayQ3g-ZE0KdW9UdO_*MO zx@)dd>`R8&rmRMFDl%Z!f0<${uVD}R%y15WYnFFEMu-G$9E+Aq&&qNODkVmk9LUc6 z%=%E!?VYEm@&iiO4Gsef-ZjyPW^;dJW~n#)Sl>qebRQ|3?_1T{ag1n1lVhvMM*=R4 zr9#4}o81`hBSYsT-iP5?sQ5@}e=39{j4HE41lHX)qQy9OCPQhm`WS6fL5ej9RAuGt z8wL`X?E(68t_y}bg6!Lxg*3&D@XuvD%#i(MtuQjRw};XQ5!y+;g|+FNLs~2Kym#AJ zgLjX(AA`DY(3uC+Vnh+(D5s0w!~T)F^4hBdJR3cgUQO!k)%YJ84P>n-E3zcsH`_bb z5bf=N=&z{WA=L1PX+gOm$B6_9b!cA|N>-f3UiyPo^w zmx3cE`P{FwBx@LUTS9hh5&$-t(9WV6Jn(ZQ56WuW`Pu+g0OpK6$T!t^+OhS$50}*} zs114%@{RziA`wugqhc|gsNbzC%QU9B^l)H3T7uQjF;*i?^6Ge*2B!TDy0j1ky7pVU zsCuH>i2v`n>PMn%#N=kqCdCl9|qW44@MJB z>(e=JSA+rzWmt9!GnBr680&U)>RKi;8}}hRlYL%pNciIBztDMFZ}<7;H~zNx`?8*D zYZu_h16F*7%U%FMDpLe^tgnmn*%~F-`E_xUDqg)TV>Wzs5O~jHjo?Vtq3P*2;&vx{ zk$Wik7snyk*^|y+)nMIf$6{%;{kE`Z>ud|5FRHmpr-?V 
zLV^&+$0MtnA3(#v=7?9Q$>>=0A1;gMh#tQQ2>a2e&hOgtC|@J((c-r;s6?qBX^M0e zta#a+@yUQ8Ea*DkE^Uo{`DaHXasK$`^pFgB5{r3^{jDbU19z^S3To}hNRvq`6qkb0 z@NSfr){&%czNVa&q-GYSpcCYb>KOR=>kpL`$clXxO6|S8Rlese>S#jh{1KcLg{87% z&sn9%2LWEF{$}VA&fjcsJ5bVTLL1JVbjDy|Lmwg|`ZVU;1ZPV(a51DYro(pav^*S!Tg?1yrs;< zR!w*mp1NPUOLjqEHc`%8;pXFf{UD9}8b_{87EyX4*j;lmDcB`rB=Z z1OPnLZ>=?_VBu3`*gt#j6Pw7?7zLg#th)b@%&;!wLp#?TKJng zxHzM)D~@iHeyJdnf$)8RR{f4Sk5gCW=+~n;A&C8fW2K=Hw94EGSg!FaniVU8*GqZA z3jnRM&F{Nodt&%h`-u)vmlhAr1BG{tV4z@S`W;XKmP^$}W^nvNWr%O|Ul zrtw>E@(X*Je}|IZ%+B8d5sWm;eNBqqaQf62gAuM+{p-ZF<98peyYp<@LeV$l)pQU? zlezR#0d9Q+dC%H>WB~eehhcM>~E~&GKO&>F2CB-#fm>*l;VTmtg$?4#KRqjJ>H=0divwo8&@q@6|PX) z35!pv>v1_%CcGv>IzN2%oE|&)zA^P|6XjE}8yMDVym?`sc(pw5^Lu$erFBwmsag;l zxr**#QQ5-Oq=nZszgdG2FC3`PqC58z-QFpVQ6`-ot+qj|5i?^L@(96|I zfI4tZyEbw)oOY#mn7qc&m0|C9h~GxI@FK0Ns`5I_4~8Tf{>U~CBIfsAn`(eOy~=b2 zbUsU&ziWENOYWA;sJ+cau;V?Qr^#(5dw9$&Z!B~m!H_=qTXLmD z)sl(HVUKA1COLoAjG+}Wg)CeWYfcSrrY@mss&#RQ zoS=WaQ`e-zT!RO4fTJ5P9=&Bw-EbE#q{kSx_R-Kywq0w{+*P7|ajJ}s5 z>f6Q#KNH%?&m%1M;1j&`M~o>i+`tj>r1k8UKI|1{Fx1&yno#}e=>7|}X@_36TCd|V^tETKV@oo9=G5)^JRVYUWM8WWx z>g$U5_068X+kRl~{&maZO)OB<09rW{1F;*INTrth30%f>xq-2QgYT9L;X)^G zChHUY6S2Irj0=7s*ycEgmc~E?Q;2)#9}`cfEcNgYl8uwuy9&OUiGE%oFdQ-8aqfaeMt* zRVL8>jd3?f-29h%rq0*<67(j7H7`$zf+c#=aZBYPjNSWy-!S#leuhO{-y=zFf(9g_ zi*z2w!qiI&XJ_6@1nt76(oH_Cj*xkO87CUpYurjNi+raR(TePCP}SC# zHZu}#8A0Yb^BzKhh0@Vedk3tirH{Pfo}ddagQ30;zlm}6tg$buA31SE4wPK2a7w027lJ>HYN&I%fEZPfPz zg~YAe)-I`hF%S(2QHTVkM#5}CHkt`JA69KKtIu3Y0j)@|bsxQt1w{*#dQp&<#IJq6 z+x2Tnt5c~ZuNN7P`(pn-!2w^qw#uUEXfuu&d|J16F3N;$cj&MZv*}HJJ^xatB>#R zKcZlMw}uNxQh~6WWNHoLotjzxk~98Z#Mc!1+lr~n4x2C9KZ)c)k`kSA$`D)fH7SBP zneQGNqecz`e@cu2Q3M=fjk{@u3j8Z(*;#IG01vpjtO&AAz{lAYt+RDTfJ8v)qL;H|Xt> z2oisU5!xa=c->8FV=oibY{doZAK?Nv^)X6gAVx$&coyzaGEHhD}&IBU!Ty2+KSzps+@W_ad|>uP?l}M%iQY z|0XUOEL`l$JJ2L+u)dz5Z%bG)g>qe|+$EzD{!g`CHv% z)zVEwPFTNZfbYYG`@%K7JouIqO8B91VsBZu* z#y5B-HI=U~`0M>t_b6dgEBi})AiuXUiw@_yKy-fAw6*0P=D)n^Cvo#R2q|zm1$)DJ 
zM!ZSLd&FI$-LJe0@3f5FYKEML1=M=F=4W-4n|U9Y*|6wG?wmb?0%&u#_6|VY^s_8A zOw41J7|XJ=TEx_thq!?c7WoNKJnOSApT<{%QXArUh#g4eNXC|qIXrSaQbr_n5eLmA z^}{`#t_TgtsVGSbHM?k6FKdZBEUdMsg!k?rD1?Z(;`?h*zxk_-^agKkjhJ!|#AzgF%6ZT{kd}K8ec}#-)r@^x1b5>dwi_ zs@=oLg`IiXR9zpT_u;U!^+LCJqetC#fa_;qm=Nse4^#tiQyrMhLM0>R z{iwD(@zhy0_C^p)gU8; zr|4FyIzO?EzOwJ-T7d{o({Ge7ADJ5W{`sWgizD$5!RPLZ7yd`Fdusiv{7?xPwDih| zVzt3jX#Pv%6v7CNr>12ew#A3zw(j*Ct-8tDHtksnIa9KE$Z{vZ#`}QUUv^>cB1mDP zIOqi-jv6ryXZeHd$joY<3Wk{)9#5YTRsE>=!u4t48z`gWY_?tvgwbDz)^ip@-i5Fw zF^b`5$jHCuKg|a+&4SQoPABQ4E?rV*tk)?LfP(d;dZ37tE=w=FxuSax4jUCtq2beOK5+<^KWb z{kle9fG+cv!bY4oR3QbuKeH;R)*s8+j4{o}h>}-0#Q3JolTYbVA#*I`|N<);RZ?^cyf!SutW z!I!Y)Du@dMA>0Y-9(+6vJG-Jb6B&jhqI>se4c>90-TN(8M*iVO@}Y-_iSJLn)62yWzWZYpNo!a7xIqY#F?iMY9Cp0bm^C2%=FX+7t+IY2lmk_ z^y(1U%E27d1u@IE3cuM6j|RsyBtrR$mQBk~MQsf8#hrN%*ftZ+@dZ%LwjlyObz8>i z#p+ouMRN>N1devz5oBmL1mCGC=Q>ox{?1n4*t`Uy~1I zGIX3#`I}DjK^Wr8la9(9cR;`&@Go+wi%qEGpJ?B0fp7}z=ry8T^T1{7r(6IJz4TVy4%SAyiH^}Nr9)4hWG8mA|p3##^RtBpR0wec=9tJ+HpQ-TeRcy zoCnUNxWK}|LSY-tJiWu@?FVAwKhQYY!a3+>gJZbjA@>x$FoGdA9U~&` z0}^?GZn)&%nU^8yd7IESVyI{=OQn~3UXwFmm;tIVAu^n+%(#T*ZSOzC07@JViMYYk%0^Q_^t8r<(Y+ArKHPGbL%0`$z!`x z^+r%*!$q?0!I70^&nE~d!}3u4#R?!-6UP&R*C=(pkw&1RW-jI%yi5#kw1}1u<$Da< z#ZmNit#7rwgvvZ7*IDW^5<`=w$w;MBz}j8fYB(tP04=kG-^r<69Xw?_8V2?$zz5Kr zbCu6}v-{jm$jN_!mtZyUDB8-BJ!Oa>!sck1aMrDxvPghoP5;p0o5M4)iH<8U>iS6sC#JV`nD)i1Ud|LljZ7TfpEF&=scQXccab!jr@ zhbxO5lO+}WE~2^-16WgFcVk)CF$p`}+0-q?!9U@`us2vqJ%iRUYFxR?;xSAGU5y?2U%d^*92md}_Bzs4t^$sD4B$)g4d++9q|NKE<*3X{KdJ%B} zgC}M@@N!$Ty3BOk=@yK-=^}{Q*pR?Zza9ZW9wIEtvO5Hin&qbG7sc{U28I90XwUsY zYA9IeL!_D+u8TEIXt}Rg?@v*ELnFT!h$suh`uLmdFHn2}2en@}*<;!p^Toac5}W6H zs^9WW@ys&Qwe>L&w6|}=(Y1Yyv(|v&8&KDefXuRHCMuv9<9U_a3iO;$=YIFuv74AA zhpg@}(D5v?sz~RZhv0Vf(?1v8!u|u?O;njY)??5HbSl1MZ>X$o8-IUO&w&1f{weDx zyY>-tuG*K{9P6=Wmh*4d7&dOSl4##(jEnjqVA;_2DVRG;B}(qvFP*D&%`F6oL@bk z37uCN_nE5qVif^Bj4;4-+o 
z+XUAHcY?dSYj7u6fWalW6I_G42G`*34nf`|=iK|w``*9#(R+GV?dnz4wYs{{=md5%ZuhscJb58P%c_gm;J%WRXazr%`1Z$HcZ2*~i5CSQwY9esTC2yW)?556gaSd#zXUI+XBs@>YINrsUTJ%?i%Yh^Z{7BxxWS}`u@%M6j5)Wy^|HeAR@0`wuoeMFhBlgN zc=G}7aeV1jrZGB-qq_;Vp$Jnbhs9sl^1Ph!*3(8)ju>;8f+;3yukWQDC%%{o_+o7gM7#OVb6#2e2izG5m84F^xety-NHl$;0$!<_ZlJIHXb zes3}a66|gDlU(3m&-HuPJ$OZ5S3BM3rCr*nJr)Mlv3-juS!v-NiWsD=neld@?e}xW zr*dR{ayI}9v7U+l$ZP>Wtarg@A)Z5C-4g@9rGjgYjp-&R4Nq|S0K?+x>x1_o$dBTF zcZOXeymJXZu+7=PwjJpCHI%?iZFOQ=R0=2*hz$6(4*RNr7M#^V>euD~_-qIiQbpzj zL`Z9cl%@JliAhZRw%;{xT%PJ}obRwLF13}ckX}7NZ(pW;0$qv#M|xs780_~C$S46h zU9fQu=TM(%!@DQe<2u)Pk{$#>g+tqPmup=pG{_? zs^A>e%U6G=SnrJ3ea+3LENITGypN2`Y2DC$T;@LUR`0=XY^Uzt+zL zq5I*#(|H0#GIM;nha!R?o9c|?yOeig;c2dojac3ak~THeVzZfd`lI2z&wsf2q{>y7 z$g=2T13QBb{FFZj6Cm5_*6*#o+vkwmfp0?`$L-#9yLMCWKzEqDnupo{eak(I?r{F& z{72GnhaJM<-H}|TF&SKCO^q{FNm5e@@{3bFqxdeTgV?a5s~`oL&10=%QI0zx7kt2P zyI8m<%ubij;3-RG{!STo^xo-nHo?cGBv*KeqHn7m$ZfF8oTy5_xU-_g7iyh{u-LweOqe-Plu!Yt8&Lc25d268!K&HWP#s?h|uMBVSy930+KiD_Q8&g zQ?>61QBV3>IdX+(QYX!|a9X|>WFNGEmD(KMwE*+R$LV;4O5zjz#^(`yU$qd}Lyi__ zfepXEe(@H(7XM?WS=^LjB@!F%X7jSb-qmFTENjYTR`EZRmu?uya{e=UH(B8J6cMWY zF6;$J>h3r_U@0@+IS;cMxp5=3Hb2nl>v4`ZXK2YYqVS_`JDsQR`*T5h|8xRAp*@K# z+g71vmm1R=$2BIvwyqCx*yu%bnId$!Rwq-HdYs_?CY`#z=Z7xEUqk9HkFO56<^@qD zZf0M0IvQK~&_&|}nt2Xq`oKD82+S#J_@Oi{3MHMu3jmEE(;BBtL00K+Ji#L64FwGn z90>g$pP}pNU-&w|Lx^9RM0vwbf;ta(3Kwlr4afFb+h!d3%k`+|?cpE*V8O)vzWlG4 zXSSO%u&H<0d3PU)=c12cEl^A8^GHl!CWB*Ss4ox>9GhrRu=vnArl-{OJt_8Ji-SLP zJ2%1Y4K;5#!7-Qv9ct|>kkT~Ri93BO11T4}Wcp3IZ13FsCmW<({tv_cIFlJ4*cqSl0s?|Lb>3W;Qe5iJ3+#?Rp zU|H!4|9o-SZq+|KXhz%5*d8u;P%tfP%yUM5Sk?J-vFpPgEERTqP<7?#dLqa1+?{`C zebX-_KvCy~T3pjXz^AV2a;ILGHr9w>q37+wN9w@=)fmgK;m)x{j>Zx_SdIO*2ZYvV`kAuw`mx{W5<{tP`4pJW28;sa=7xP%2nF@ zJ>iu-c>-G$nAE~oScZD;ShYuUTT6|5VQ#l>+0kkh3v$?nG%{tOT>peR@&Jm)JM;vm zHk!F;W@w0Ql~qc%-+SW8H(?mM+Er%0;~`1)t8Z96kDfv_FgUgGr8SpfJ!|FYfpf8( zG=A=;@QjIrxU>7&I-j5BTf3{%-N3)#GG^*TqHo^gXu|9`1YJ|4%N0rRL#7)5C<$w^ z^tAjsT>b@l^Ien|ckm?_Te7oT#~uqZCwQ-C(EjZM)kN75dp$8KEN#*{e!^-ti{)S8 
zTQ%McL&3sJu6r7GA>$wyS8eS^gAk>-5RE_^Xyr?`q0?iO1VyBL6-;EyvL+at(K0!8 z!=o$YUEBO2kM13wlnLDrK78kj`;)gszDoDx1eb6s7A>z+B?4`kb>~l-#P8idd;pYTil{fOFeCL+Z3Ue_p8`xcM7Y#6^;|tbpr1`EI1dq4hyad@z$1 z#jTwYX&ZqOXT=o}Mu(y7*hQpao!auydLa%tOsgdlVedi{j4(8H@uSSy6}FhM_iw^B z;Zj7u5XzQ&u8x>g91oHqs+#(-X?eBD@r%epP0Apnl%iubc1g7kY&PfdFJ;J!B0KfH za<3v+j4&l|kI&s%yEZV2QY>^K&`P^^{!C}eH?p0#f}(f~mb}2vYWk%cn-)`S%;>C= z)@SbN2%Uh)z)ro}fENzz@sg(yj5QP?gihI?EL4VQGk<{#bvCI7Ar7dYC1){>AxM0^ zDOimA_Tj`%5hR_LjsFb+@CO{FMI!~d|8;^-?OnRcRpQ0-oe|`uI0$%_ofO7o1LTqH zU2`*E6OnJ`*@0mv8bk1}gvX7R>Yg}+u#iF&C%N9DQ-ePl08Ll;^nl=tvO2o zd7O>MGMEYtwA1H)0b2kH9rwE|!sC`^AwP9&r!DZEwE&q>MPXA~xN#JyOseFIV zLbWnY=wk!fhOCKF*>JwK&^l8zog}KDc%jXi_?+jE$6pW^Z#)rY0AuSPlkn3wycwBW z8}7wp4;hSa23>s|W>>Fswt#Q)WqQz6=CmX#A^pc*9Jr7ZT6&%f-$XJKKufP%Z z-iBdyMvZ}pTa)8Hx~?0@#5AqBS|MdRsFL8M%PAVnaPt;)Z9e1buaB%W)8_v4T@+y{ z6d&&rKlEy9HZVYiig(9sDs_L7E2ptv?%Ivg9_Q7}D2z3qYkQHkgabOwDH0heM##3E zEV!O}31uuV+K%6O@@5WShI+{mHL$8Q*6gusbMnUFFN74qy}9cBFN7rHV0s-z&>83MQV#EyMhPFJ|(}Kvn$#@FgdiE z*>?w?(Zy&0lTNUQsYxiw4eu;@-g{Ee-*o>RAgW8Sqlq=QP`dQp%2MoJtaHHNh-O}* z(TlTX;BB7}9}=LbMCszjEUk;`ZdQk!VD1ZgLIjvZfcUY2Q;eRR$7(5*mxNpyZ->f| zDxZfhs7&#o7+f(nobq@W5-0JFk>2OS$0?I!ahaS+a?+KnnGI}UPFuyD8r^v&H+jVy6#yIR-0VXZuD zEkDi{x5E)6eApIiWDQmFNiQn>B;sfR=QIw4CCS zI?Z(#YB%a~s9(eggX=`g2;wtZYZ2(atH5-4=hDR8TmQAbcJucNv2g$6!0w1eX}@S8 z_+bX?c`N3^D5dQ^`6fV}KvGW+=WP?RpMFgaZ^y$a*PzF zSH3Q^rp27o&E22w*|C95_yLa>v-G)XU`Y(bKmbTY-8TCkRJ`Uani%Q+-qR;b1qL0! 
zW#B%E6eT{NO+(Uca$qkNE%GH@9%LytupY<#cplXyEb^-+xxP~x8$DTybaismW>tn( z!dx`AKECspE;MDIiAwna;e$EiscOv~Jo1quTde(AAPL36j^uJJ)fF+p6b@K-NI)s0 z{r4II)1rwNpgmwC2y>%0tyh`0cmmC|;Tfwwl(y~0N6usk-=t-4vvwFxF9Sb{l#?82 ztzxvq`GWEViPt%&R5nh1K@@5*kC%|}s)s4FMC(%LBpQE%V%QKyxw;9DD(dZI3X?{r z-K3T|P+yI%1BRK!T^P{Ih2(gkxH7z5dWnC^rMVz6a$VFBOfUVNH?2pUnT8u-&jMHY zVW^)CM`frl;68bh$t?fuOYWqIwjw>kC4PKs;6`e-gK|ENwJ6<)X&fs8Pq3^J_2sgN z(5$%}{ZxzE_|EezpeoJaX`Gu)444fvlWvk&t%MWEU}^Xb_Glm>PUo*D;46O*A&2_7 zU}auTw`wyIk@l$>1`@TeCGy^TqF5ixK}3;W_TyeZdsf)9fe0Ef`gwCnaLs#AXC*EJ&>#w(HGFI%9V?U>25|Kt_iqx1V zqTqKeut0FmhfuzAttm{ z-kF>YM@8ui1z>KaKoz`tQzZcG?J$pmsFm3%P}|-EH8>+Ax^KdAqga&E?d{kn;|2v> zBuB@H4WMN@FWw^rqt_pb5g!$>15?z*bVc~0`8{#HJJJyzBo;PGEKR!JH5?n23H;;K zRJ}GOP^^#)xZ(zFb>Rh*U`aG-;#JYTLyhC1sTd@3MTV@^d>LfZ+-lT*P7^_@qadWW z+=17Vkz~jC2@7wFC+1eITh%q@^!#VZQQi6(B)ydMyM|ms|Cj)K6aaLnBw;TfFfmX6pG*8TiCvHh#y)*=h=Rgn~ue8g9zMZ}Y{J>@zncu}DO0uzNS6$K%q4D#*~nNI07xV|R`9 zC6vs&7JOoBuHYn#gmSiyNPCOHjGG=GCf;$A?SS81m2`r;&u~xp3PlK}n1O3|Xh8T@;>9Lchn1k02ysHvOh>hDJHq86Mee7~PvaZCr?H`2 zAxzFSu-b^QWPWL;hN#E(AP&Ews2_Dz%f6d?KGuf;@YK01=0sLShF9OoAP3oCc&wzl z(C1b$Luk{Wwa!$>b*b6aza6k?at;NIOYZ{|pj06xu1TLe&^e!?fzdvEcES0k)7@gF zWCN)3qVQ|PDVaxHEd5I$*>^W4>5+73#}1mpaQ%cLg0T@0age=Z_U)<9W{tf`=4+dX6QKBxJ;BFkGRZchnGdqZ91cusum2mvPez2-mhy0=%fu_{|?xh%5 zOH}jGziEoaM>7T13opze{e0`A0boH3p0yNUAPP{7nAfV%=f)!zMhbYL(%X|s8uVR& zI)NpY-+Wynd>oeT0VOPG4$8MD`Y~hu(HL=&>AtsR;n=}}lfB!pU*@^-@*q~@Ezcw- ze#As#ES??hARFy&(y5M?;XkLLC0;ioFb#&Le_Z;4JOf|IdbHc!3QM&@O=CoDBvC9B zpqS4GU8gd-5<1NZQ^YcQb^P(|tT*OWMf9wC@+epX&vjW8YZa@D`T2xy7dJIh*m%~m4^5gG(6W{&}Fx*%V zo`6%C(1wBK(7?2`Y%nYVW>_{|Nqmp(v|QLiSN76nJ}d%!+@t;FmI;J};2u#>Axdn~4MAv(lnjf8rA{Pb|991!0>8w1}a6sMXL_6s`AMt)fbtIH<$gb`A^uG~1W1 zpL?v^|3i?ym#4{(GTaj4epQ#|%iy~u^Pse{BD;w%%O6t@H<03=R{Blqq-nQ)Y_K7W zh<+O(u7YGEG6!*fLNMnZkwA;9nRoeZ4D^g)k$ssxZ+EVi!lxiKNWJt#)`3A&^|^1Y zr}5AJ)vcTm1vxphnp1uFKe?iQxxVJ7fplC&UK|4dlStHS>u_eKm~5qC{&1UR@(b~u zW;ij6-YQu6j%ocfeczKFGeR-#%;SS|gM}oX#6jZFg#kiOVZiQ|BywCa1|!5be?A%) 
zuHOjSLr^6op!@(}KA+Gz#3Cf)j@HM;^0okm5JB*ExG<5F=eyxM)t` zInRh%0mr){cWOij9xfLp;Gnc(fGa;UK5HBDnts-DlZUZX8~#0T7fruy4QErk)NDX;i(y>hqfzxgb>2Z4y4ho9$JeVoXr7{IfeqEXNGIF#rN#OoOX z6b_2yE@8bx3kHXOQkX(QteNw_OP+`Oqj3S>TGsuiYX_j07JIBN@fR&<#DfNjHf~3I zTE?KkSi7y`w#q}R!hrl|w{A>TJdVHRRUc^={-GGSE<#?l~jk9#xmRdN+kn?gC)pioNwJNT#q)2J*{tziDfFKxb7T8Df5WM5CF^d0rHL)$B9UEz=NjCWs5C|Bpv>e$pUTd6HLy$a6-+`<}LYU4B5?~L(szxTqJ(Crs=YxU*9wwGLQQ;qgq}&^(*A8UhOv{<@dlm%62@ zqNKv+)$n8qxSQDGr`Yl7prU!(ysrn9jFtyy`)TZI8N#pN{GPw2gwcDc@R9H(nKJ?} zfuV?B)EAtIbvpb11h`tB(}kxE5)vc=HQ0hGI zbr>fGGP^w`zo3uCFfOyDmuQ17+bEErMKo+Ts;0M59v_|wP5aKV9xfwOReJx~Nqq85 z5If!E1OGEg9Hfi2O)%%2y1jB^zaN|p5&0mhHQquG`?rV|KlHDUHDmZC*OmrmMg!+j zB?K*!@q@7ZR-P<)ll^s~QqL@bInnWc4gW@1p?H4S3h0yl(I=iU4)HtSi;I`^8;%QX zfW%E(N{9KYzVNJd07U{&IrR18ZayG|Ahlem6CeD(qZCJycf-A7Q~s6@u9@K1WqtQ> z7(q~e@sHzRZjVsDZ><5ddS3?X%i*#Ve;IyZUD4B9;OHCJ?|llLowHJXci=I*_TbE- zelO`Tw9WCYX=K|kA(Y?;OTIp1^9MC|#%>GK1@QOJ>Y9|9*2wxd>9HvpUGvKm9HKmX z0<~xO;hPm!&b7-$V^3c+$8!Vwm;>1~4H^g#%6@l^JxDEhUr~WMGl|*L4#RlN&@K-e zM`G`9d7*f5z0raj?4-8MPDJMG>x(`+HQzJne`Wv9-HAjC%OgKK|p^mkCuVAFN}Vmap&n+|R; z+Z1JjK)0mC+C-e_KU`QA%NnVY=Oy1CibaqW31E?H)W`&9lxsj2>hOnLBmI|L>wN`2 zsQv%r43${CSfl?lu4BUYuh2v1sI~?+<~l|=A?YbE%PQ-STeOXo*q}HZaTgO1n=_zFUnwDbx8^b zs{TUZ*z)bnpD9dv7~Dd|dO$*l>sgl88^9PA+&O17KNsueb1Ga29=6bO)ESc?0}^1*L+a%h=m)O^d5PROjweH~Z)l&p#58zT&_ zr3b-@#h-~?e--ou7@m(FL5na(g@ufN*`Fbt&8dpRjmuLYohXhFa&CW;7#s6^-Wn(5 za7zRGF|$5qw{-dCbi-RT>XD*NYl-iZt5TR6zV9h{@OTS~ z@~f(@pLG537!5f}2v_~~c<$3bG{=g>+PN0%d`*D^)v336PBrGaZoH<&&0a~v=ll4{ zZ!2g=mK0Dr=I99w6tbOTG!Ne7(}wZ+(Hg zWHl>2uN89Q;A;vpD|q4?(~THtx$todviHZ6?*Bn6Av9+r=y0;9EVhgdVivZ%JtTem z%A&4fjH_Rdn04Wcu3sPqQO5f@c%|x=^h3#cKiz0qS&H5_9Egw~WswEvMV@+^>O_I< zA>jyUUe%OMw{zjF248{nltEkdAoe%Q^f-|6Oz$?L@Atb|B*b15AE+xSBrM#oI?fJj z8z=`RGhAvtt~11wzn2C48glk;7aotd`xoLY<}Q6pl5eVYniEJeJj&0P)Pa=tebF|Zbc+lNJ1Bl3zP zCml?x&GB05wpvWczps`vV5FW6-e5IsB|7qT_$#$}DrY0OH8a zsxw`wWB?22;b&szT?29pK5eqNK98{cHkgpGae+wT^C%XI0kIkl9Qh3voe&8wm%|!N z4#L%_H>=poNZqZ!c2{% 
zh9d0AX<)9UCP~q5Zip6AWqRwj**(8;)~Zv_WPek@w~fFheTg;0j0ItV1|r@r-d7z~_(}9SaE)Jc#@iiwt)mR}{4*lOMd=johR3)33ho57RL7FvLfl~$o;9J3$J%k2f<(`#9mtJL%0 z+w-qCNP{qERMm}Z(zop&raY=1W-6QgZ0~kX*E|#Gyl5_nw)pR#3}c)%zuXMT2oduZ zEOe(YKk?wIkh8=K(p!4PPyuI~K)=~=yx#+$H-MGlSIw@4AG7V>(8Zw4*`6?eFA zl6RQ^+czu2YS))NVfv8sIcq2(#9_2$N+xONOCk4GZ|*pMa$F}QZ`G3V(nwUSc4oBa zRgkt6MXAj&&&6Ki;~;M?&Wh{{$%razC!IHfeo?)Q_QV8WzVzqc;+|Lab9{V$J*oD2 zR|+wrbVaj^GfY9R$Mv%z=AroQX7cTs_3a_ta&-1`R1*8)c~JOuQ26co?fUcEiiq0k zeclDd`u*8tw8Sv9pETZJjN4L@#PqZ$zoQig#S2S)fqw}v(muP#kr8eGnJ)()83>#H zhR72oa-&(4!a;Fi0S3;+T@$+ z4WGVSQ|j$#XLc(gKx6D7eea3u@dY;yw>M^N9WB;0=-Eyc$NOR>MV5S}LYLx0pzD+o zN&rcj+m;j;q(|V9oOc)wCtl4P0@BQpFI4!@&c6JI6ypMLtniT9@De~Z@Q||2AK6AG zw$F|iAK$APQhg&^``*Jxp#x12HE&z3p9mQe)P?!3hkFoDX+A)YA9xhcwsvoHa;cnr^I5;GAf9mWlL7VO?TjYW_*KK2O?5uROm1>wp_$F z`b>V7BcZVtKj=84n!9d^9w6CC&u2W4o5m&zs7T~*nk zhc;-F)0jj1>gQT2RFNj0VeUNPnd6Od7#a8|Safg8fIXz^shRrQ9Mc@{M)Y)Lacle! zPG2dkMklTDjL~Cr?4r8)uO#`Ti>@r(MtkWPWu%ky1p-S}40~_LvLR zzgdwf2k4wXW+1_O(_?(d9%kGdofw@*<iwS;U^K39-2sX)rv z;IYy5820iAcMvsRQh~IKGc4wu)&aU*XsLQ?LD0X;pJ&v?L|>Fwxm>KKDy#nPw!~F1 z*WOik|6KUREEZp{^!Y1e#ttILXoqK~P%NiBD!c=wF9cB(-$#`o5X~ky52ddzEcsai>N-QOzqgKSk44N6$o3IiKOCEX?dao;l*yUfBw z1w&z~9VXS`4;1u8YcYH=LjP9Agri0)2EUBizTR%6x29!3^-_cLQJyr0kn)-F4DH05 zMb@hOt-PuPIvomaUvW$?-2{BKFG0i4j)W%QW7*8uaBej!6eD)r;dS%NAg&W+w^rSI z|A50S7{l#0CX8a84h_jCtwgX9IhX%qL{P)x$hEF+{p6+vO%L$3b}Y`ASiFW3Y!o1= z8vTlWt-+-SQ8Bw~s$7Ex_8ma4i9BS8a%tR($SUjD*c*)cbcKU;Y)Rt!PQFq7r^r4W z%!n~;qNfmfjBNQUm@x>kw2w@!`U#$e5d2n;F0vK$%Uw>nxaZ@W?>1EFwwM8`x;}aJ zLv=s3uh`H&sig$%kI>|oY{WNAZee<&@&tB(`qSJM>i>?PGUo{(8hOikz_eEEjNGhX>1k^^@Nat=HR5LoY-p} zUj5S(Ur_~DF|>DDW9|%A)`q0Lw;&`(M=d0FDl>r$mXVi(6ptQ^9ElffTsQM242Yp2 zGW+7!H&T_W(nMF;Aj{hz+_Zy)H*NfB#-@>Iu|ReevUp&O0aa&PVmON4KA8MU=B!bO zHfCsspu~@+iZSJEBu|q=@icf8BkUz5orm1l`85h<_FkR0Z<`JFgBt%-kkZ#-4K*22 z%7C5^TMdD}2QeTOh&reeC7)(<|3lu49jDVgigA?!CTMuKi&{L2l$PCaWz!*zpB#ae z>$?xq%GhxUv)}lFZGLMXQrdbv)z+GK+1t!ZC*X)S|@b}TaG0#<0PY%`0>Ftd{6*^U0?Q#h!{aa--=QV6xp6b%w3nMtRW(KB|Ns3 
z5Zz#~T?BSNREoJj5_b=IVUo*N)IBJUZz9cfFf=}@va{1;m*e;EBX&kafQE7l#tuKF z-z<`VkenqYl1i*Pe4mUA3{`s6ZhPq{mLsGBu;%ZOr|R!BaV$qoMSj1JhIv=_!c>I0 zcDcOC9wn*!%qusD+Rf0{?2gS4`E6Uh3&}f>Fhb}M(O*rPJZekV%gjisD}ww*EBTXl zp)}DY0gs*~3}p3bz8L>Ux-1m0YmAsUGTEsMcd0d3JvK1)m^w14*Ni(I*8y{SWMy!{ zd39dLmal1_j28-JQXryx^$=k>xEPi4Wg-WT31|95=XNBNj3d8=J%t~|B%w-)3o4kK z3#Jn-@PZc6f@2pkppU&(oiQ|7*$xPIRT5VCs;ivsj%^~X;ebeKd`{3{{gLIY0%BbmPBvtI_6i5Hdzh~}5Kg;a#bLx&I2aIAKo?67 zJ&zC?lQ6ejEa@K%8Px$Z3D=29zagxj`%wm{2?sI}rXb7}{RKX$h=6ZYDOIZg$uTn~ z-ie4%fmx8=%3@7NGdku;*(bfXjD_eVdjtE@s+6S6tA_;eDdoE+XwkpwABeQa)elm* zwI#hcK0K>qGmfEXsxMW_O@&e*Hl)&q!A|;0q`PO2Y9{Ae;mDR~!yLvE2m`}-Y@=0R zM*S`Vf>fcCt1|U;G)MxZ2P)!)Uz7QOSNA?Ja6unw44sQ{qoO!|QgV>qMe1GB%}% zklhAzFLpEUfaGq@C)oFONuaG-NK?l+He9wbL=jCBca2KF&f*8SxXa-rv*=j_zM{ow z4uZ5b9R^`E;2_9TCUdGAu&DX@0x*4gw%2zUs!A77$k5uh6 zPKQ7ji0V!p?A?~E9Fp}!;Vqz~!W_0AkchDM=)Ve8LYPlJ4H%?Bd4@$>4cV~RiS?3) z1WhT;e&muu!nDoT>EEtNG#==uRmPUqu)cKr+Cqje-dh!N|6-a1ta|S!ndVsUfF3#N z8cIuO@YB3z>$vVIHyJ)&*cP$qL*Q{{ze)V|vv#E>PUmRe*z%;3hhmO;Xxh)zqd@~L ztP+MHkNJs&>r0bIICRK_lN~9zaN+i1*)&koCJUX=gRaRFJhqUA4wUf~^{PY59;OFP z#>SRB_}EK~)`h@?ew(xwtk8GSrkZZu9^QIaquHg;p%3^p=};0V>efHV1Q~W@;_O?& zDOMG7mo0d7^P4OH@D9thY(Em>N0Ik`Q3in;eTP;L9tTsPag{ZUCAf?zMoDVYN5*D4 z4tz%Fl6}k&&X+u};`*%Z0FFhlRUFDd)IBj=U(D7^L4`I7Xr87S=g;0yt@( zC?oLA!EF{gZ0;thWHH{hHZquA@JbjQ2Bl%r%LW;`#E(9So#&W^@}qx80L+(x zd4wf8=r!t?pNe4zVB*h`-MF=4y+OPI88-4)?jDg?S$DsbbJo%nA*QLDR0MkCa7Yxc zZ-h2Wrafa{DSz9*6=CA7_?M%hHKD^qNhvvwMZui@60&d^ZaVfbO3pdLnJQ}ms%=@ zS5?}d;RG6+tgZj>4vBt5iPBN~Q;3j48INL z@5Ro8&dcamy4Cgampt{um5Nc`N#Vgkx>3oc^lE>}Kb^X=XER;89|Sie%+W6I2X|Im z?V^cNEoD*>fqGo7PEB6#X*|^V7PyxkgxzluKjHt-U{lU90^y7P_B4}$Z%b5)6r6BnD*E6|Ja-J4X#*VKrgVm=s4#jw zTkjn<0Z!a7jms)iiil&alZi-H*{*G*klh$3OXQ>+9s}E=tn}G+Mt{0@6<7xLN_=9c zkqfvsrE5*AhpG*?;A9_mY`3}t>~CHxxQ`7tVCVRMokC>dem!rJXQoj((RI{2Tq!=A zCaRPef8T%EvK|Q7*3$1~^JavNHfy>tl=@0@G3G!Yw!_20HSBmJ+kDDFY{lZn3{~Z& zn8DKzJ)KD11w3aBrFasBX$T??mfGs_<4>>PP$6>cpj;Xe9!x%N6H3KjXXx>!wa>gW 
z08*ah;{7h!e%Vw{+0sLD!grDN^>0;D|7a(BWErOLCAuhwuqAr%&K2QqgclGfV%fiK zj|)9F6ZJ5619ooz{U(95Q%0K8LO1#1i6$qFP=v-E4_ehV+|)3b+k_%Nb!oRj&`Ed- zew-6+>qpdKuTJo9R!_!*GvNgE9dj#(U(kJXoz~?qqpZ7W@m|-~_m;7fGu;ySdAOJB z0*=(2dwg<+G@DS5nzTera0m5$AwH&28T|cfiHvu6l;%bQ>M>mflfQj^H0o4MO*G~` zR$n5}4Fnk1xIi<;$sP0HE0k1-Gd$9iTd9P8>z0g{B%`V7qQJX@=7$#56pI=O#Q+fa zapCADIaO>5okvT@%0Svy?TzRv@b9RHTi1JSe0He>on|gF_$%w3`?)+j)s9UWRQrc~!?OV{`a8QUyF(*Cmw!rAJ9C;rMZ;hm=4EP$Tv%X2I2y)3jIFR^xA5Z@7HXH4|!kD1h;Y9$6o9O-T8q8 zdrrit5s_vMn~xsA|HET^l=VEv5g}V4#TSBP_8~WM2y3p6=Zs&!jMdRbkx|q0O^;_d zX)NZo_4$z(%*)_A`3R5nM6gG#{wxv;)JNJ$0V=V~@e&YPA_vaEwcO*FehPBv?}7UM zmYkd_T~nNlx9$VZJnWcDImAjogNu=nDDBV5|0_h(4&>P3;72XZ)!&+lYlL0)2hFe;Vq1$jQURfsE{eWcQw3}>DZ)@ zOjCh7#Gy%tR&m~L%kA#A+sIfiVn@pb!WTzl#>-iuKj#=pWlh)`7k@~I;q2F0 zI3xLgk`nO-R~26Oe!l(nFWC)*L1sQy$O$W<=tAt5LY-Gv!7Wc^<0A1~89T$1DAh)v zcXnYghbOXM4NGf^I|0*Mt!_D{)hbI=lkY*BbJrs)55Bu2a{fSXTyr2U zrGI9aHqzLCJ_Po#OWVaTjTaz_VDahlto)&ArZY(#JQkZ$K;HLDz<*q$64m7CPv(rB z7GX~JSnnSOw(i@Vlb!hY{+NwFwod#%ORdHk$0fQnDzi(~{;_n7LXiYu(`dDA;{NNH z%rEbgBfSwChuEgcQWb8(64rPAw+A~RB{Uy!%~x|UhflqhBed}`leMX9lng7d=@R$d z15@R%R&xjrJ$+y7Sr(C(0MO=4EP2J)$__5k`Z=X+}-m9AZzmuGQ4D(qa`#W0Y&*-yr`No20WB_f# zAtWVutO-s>pagUSByBWIz$Ak$kN$O)RfheFotg`Haae(`-qQs@BbgdWNb4sDfVbzWxiZ-z5x&Rd z89TBja9>uG7GVlhV!;KwrA&`J`%iNrnWo2znWv%)n9|yWW4`_VdA=m5VU&pOH$pi? 
z^l%Iu+~wtrFi_doG=)4 zxo&)gfl@4$b(|2e(>xAS0%w)!A-bY(;i2%qJ4L{K*)9|63r9ZR9g}^N)KVxWgz8`| zzW!U+^5|*Rzy0T(dQDR>`C)&6sxD<`|&EOj`YTHv_5AiSv zaFoMfBgG^`NnS}v3@3~Jbsp|VHlcO(LlmfHDfj8wXQ;1OXH})B5f4&7Ak6)X>YDK5 zFuPb~ewo@9QVGfZV1Mo34o3@Jb6lFs~;Zz~=W~VQWAal12 zz~5x=k$j;pp^4^B#24o|dz_}5?~Zooue2sZ7g8oPbG_vIWUMsImR1V4(ARZo3Ux{f z_@%YTW6eI_Ye)44E;z;_*i2n<`E2=lpb~P_dOE3q7yliZu7s`!o|Yj$YZ$Ro7mx1e$Ih{rqI8Q) z9y&mMS6`|Miiz4AZ8Qr)?TuiU*5+8?kL;@x)&?aEMMN^$k!J8xCsu~9(mgLbA_hSJ z9#$UiM73v=r)(_q0#Dv##mUGczX6)vWC>$wXEae1$%J~Ft(}x z!M3uUZv2cN>T?43(xr8CD?Lg4z^{;zw)wWGj^4T&>J2xutaP7`%dl3gsa|(-%ZyIU zxGLu7mJU|548ekqps+7TeTd9q9tuJxMNJYqVH=|xSf5XY`yDU#h=72eqy(KHQdmD~ z^OK&oA`BO~{PD3_Is3y?9+vzclO3z_eaKIcB;lVvffg3!tw98@qGZgHP+e(iP-R5R zVZTX5IAiQ5*%M00BHoNu9anb`9+ox3AXj!pSvF22HqG@a)n?n~4rnQz#2I)_7YL@-=pK@=C2q}r7I9nrQgz;7&3P6XG1Qy85m&G2 zpOxS%zH0~@7YQmKvu%1QWrfx9wPu1%)sQ=NA30pQ&~Ndq+WM~i|4P)gJ#JjP*p=~u zO^W9SJ_e$mI>tuEdZW2e|BZz1Y@(yEZPe?7@6TiOjDFWz@}e@;j?wvb>V15TknHbl z#udg*_2o)r;4ZwwobcFy47fK`@A+|Rr=KKw2^jbTT+;Vhy@YQ zhc>}{r|&v~SiZSi3-i3S%`hVJGu)Fn#S*gnqwnE9XOQ}7`> zn2Em%{h1(oMJwNes|Z#RG8If87;)GK2;p?l$ps(A!Nfv`YlK<>5 za(qZB9f6Ow`-hv{F`BwrcbwkY*kaO$GcQyZH_~1(6_JdY^1UN$?R=Yk9GM;aL|RX4 zHq|S?tWBEg!T_y>2->pfDyiYk@=JXJ3@s_`AUS8oe!7>@^XWh46X$| zL5y-aYuIV3_`zhexa>o>ex-kJ+M#{DT$+sGto%OZljLXUxIEXvedx-HQU)v}mX#m68s8Q*r>mAwv;*&1RMZ9Q%%V7A z)r(Rj0I*^TE^{=@2_21JkI>Mv5ZFK?$3(gpGm%=8 zv^fHL2<8`zO30B7RZD`?P%u|uA*6k|Q!+x_KJvCWc}-iW8u1%(V|#}(O?AtF8+YVk z*`3lAQYFdJb-1JZIB)MihG_YXQfq@SIgG7<2{^a5YZWd8VtwCj+cMm3x~d-(A_r5q zYF`!1w?KjNYC$&AHiH6)PSN+sUrnp}O-umXCCqQCl6tLC{9alYVMCz$<%VrhQAx)h1!!w?=+`|Tf^4u1r9FrL+r z4!on_)BOC>^*Vmb2on`Z@guRMb0ooRCjRI`OpxVsX$F4h(A|G=@({>P#q9 zlmFewN#l9Cc$FnQ56W!=R}z$ny*rGq!ggFVWz1jtv1cWk@6!|O@-CZhv$f1@Y#y^S zxLElAaP^jPRYhC(Fd*F^-O}A4-Ca`BB_-W)=+abk~0$?|tvj z=l!4`1b57}_FQv~G3HoLVo}A(A2^rYG*>kV-P6b-yR7DAh$q(o1w#+w5y@cM)9L8v zqKP%cMD)_txY%x`{rQx-3=ib$`(*!5LjMn2cUO=aj_1g*={F5Mo6$P-@VeBhsvu)yHiF5!wxU@O{|8G7Ic)C? 
zGAnENv-pa@RjiTcDM4LUr4Q!xH;oOTUyVzTV0^Oy51LSOCey$~P$qX!fw~IIuaGhH zT3EmNR+)GBH7Au(Iue|&rn;nC!F|rW_xpJ;SEm*#b;eLV7UIV2$M+u|64|KMh6NqF zD@7=@Z^m%aLS0@9gnGG;_6iMFhwnJ^ovh(2P9>&VkArfhG=Q?hnx^^JVd$iTvq1P0 zCegLq4-aBBND4K9ZOd#Gs*|%`FpAqfBVi2&mog<0z;1r{#Xf75jrg&`fW&tQ=$FYl z1x}z7vyIC0)Ho~iomZAJTs!^pn;%z6UWnDwAw2A^uIeUTi$ZX%K)K$cNkQ$4nT}$` z+69zUuYF7uCcNms>pg{+oYna}4}7wO-G}o=$|uwqUGt<+3d8M83{d))TBLze?~IDv zw=8#~rav_{j@=cogm5zlkF(XqkV9Q2zUOs>x3tT z%os%!1rrM@g`s_U;P)_akZPf*XN7Jk9Qq5#zhfk2;Iz=SNllj22>P?eh!v5MwjDU=kLx>lrM4~9#$8w*GvXsLZ zj+Rf~OsF)vT)jrQV|<_c>=?+3XT@Izr;0appr`fvOem-b`E{#Q@t#w|u+)Hk6$)fu zC3dc(EQS}?u_+B-ezAsT7Lo6mpDsZ?Jr#i!hrl$)%mp4y=i%7!`!zX3N4)0I8UhBI z+vW#sQ3O+v{0@;2`3M>bXl&537Pl}z4U-uMI=oVYbhx!lirK?oiy2>!r01G`i?X`z z|4W5VIt76QtBKnaUXiUk-M?A!K;2wB$~I5+PrX)Pm9#o&!>Y)tO3L@wR%oZ5s`9&W zIf0vJpf7ok7T5MD_I~UvvcV(I#@I1ReVBqUb>N47{dcdJp~*i0(8hD$bpbFIB2-om zblN5CZtX;~Gej3U+xqyuW`++v%)wSC>?sHtzxVKVSdI2zlR0mqdW)#Vc|hi^9q(XL zhSnzX?Vr={VV_7BUVGy+iMgQKMiFLS5+C-PTzLFjP6o1hnUKsfL8*|LS+<9VP}cRE zkp^KRQ^T@vz727AY|z=LOYi0YS!B!t9_Mo*IEYtf8Xwoo7m@eT3NOv%n-$&bg=n>aA%~m>xY*C;B zaCX|||7r?q{F$j_I_M}t6|VZ1oWU~34d*dsc~z~j_TsXQDJonfrcMm<+%8Ox9e(1! 
z4n3ghH6l1H0tqi^eB5;uahm(a2(L%+vGkJ0Os8OLd z1o`j@&g$eeaL6$V@Y4Nhm-+<}K<@T$D3+@W`x%pEoy&dd&i=D9nq1>s1Xzb{o{ot^ zIUA;PD>SqY2?RaaCI|zrbF!Z?c+7#Q23mBE{3yj1zs>mOz&K3eT7ETRvd*>`4a8co z!I>Z~Bc;G&^>r@1s$ErXZ#*m@K;({@g1VF5RSPyj8VHr-;ql`S2Xnb(?Zj|2r@pnQ z$-faK_g{M6eixg>!8Z3DIdVZg4Xi)k{#K~2 zZ^$5h%gJG<1SW$aq=yz2=6x-2iVEWe{c%ru%#OZj7Y(xABkJF;u77|O`^Hm9@@ISGf(&J%E6RHj=ub~PXx z!07#^GXnXHlXi?*-v50s3F>!BRG_2E*4s*G(CiIL3ubQvFHD*u5v5bxpj0bH0$n}J z8<*{juS3t<1@xBHLhs^na_b{%J`=DOJKT29W<(nMbWQd}#&7_lI8KsippYwCvtBjsW6lr*^;193iMJR)`_80>s zFgU(5O{a^lIC>oO?xXzIl6X_Ad>8F1?d(D3Ui-hEO& z{0V&0SY~*gMfMQHB{VtW(%1kHT1t*!!JPuM zBZw58qy3_h`i`-(XF9yxJ>QM$2eXxpiqwk5$`{L*Q>iU1B)JgiiYya->b74Q-2;7C z_FK&W1~L>2`at9M^hdc^@vs7I`2d*!HHHR`N5)ThtApiaCwqj5P$7T}$9A(}H|uvge=& zX|N1oVqBIeGnrXwW}{xLI?)9&vu7tWp4KLu#~^C1t6@;ELVPM`*gJEmq+LHw!T~ep zz$8Rxm%PS-qGmD6Yf}g9WX(|FmEjO~xk%Mn?6H?h?%3&E($C80Zt2skWkSYQM{g=e@ZBMSC zglY`Qfbq2&Yk;bKT2ab=^->RkcThEpIsk(eO_^Muu+G<`?0l)#or2`Q5I-F0dx^}K z)7*dBUtkfUokTdYYF#v$v>xqn8Z#N1E@w5MWavTxttLLmV33hxI98`Hn8I?sTTA?N zs>`w_3jJ%>WK0JdFG0WY`w)L;-e%1BnsH>))o%dE`5#IL?BTv%@4hYwbI`T*ywN@( z8heoz6(P5_0QG0OelVB7-X9bFWN3LSF~%n@C5|adrnJ>qtas=^9r?kDpk>T@xOQN+ zjPA7+x&f`cc;B`M%~FXpuaZPmF)X4s7nYcfaVGl}$t{rLsX5JZ8GpV1?-%E-VWnPIIYP;VkKx2MD+-ms`8No-mjM%%j9{!u;(>eY%_cz2e%MkO7+&K? 
z3hC|5Ee?X716L$W_@9q_MC>4@;?BRulzSJS6y=#1(r4^PH5 z+kP2cUa|P_JskkG^&y~kRPsl(q~0_K)A8S}XGb~{xr=5N8K(pY^&cJrUaeY+TJbxg z4-d4F#IB%|ZIAtE!5TZllxf7YAWeZz=55h)LRI`yc0y*%d6q_2sgMt^L#w*8fRY)QZ`-CkjWq{ajziTFk<3!zQeJ zGgWNX+E5O`Ft&kG91k-_!;6MXggYH-B2QB+sXUm`- zd1asxnW8#!(R7G!NLZ|F#_>LTc3z>JbWhTHC1*?JiLGhzJE%Sdyqm>4u zOFVfNv)0^azADARuHTsnJ(YE2-1C$(rdoY=4QVhHpbcw;7&VF_p7Nv1hRkovf64rZj_DX06-;+ zFpCIZNQG$Z=A%>uR{;uudnfa0QQ{)U2Ep9XOzL%c3Au~b$))lyFI>Zw?N>!cO!9PK zD0PJXrxPm~;L7eYHhE$l0b&E~=L1*%c>0+zK)1+~FeL$Wi&&7492v>qPArk)Lfy{a zTu}hGd}AUb_Z$qC54nDhMO@+>EU_z~j54E92h4p_0(DpR`X4p?Btu}Qn@XiC{22Hcw`94WdKyZGwDI3s+WRwjVmf| z7hRo=V~jyz312L6ujL;ac<=raDxYKjOQ@(Y0)&e2@YV9!a@4s#Kd_l6qVg|~npATD zAb0WapLubRsUbAUa*;j|xj|H4^x_&MxuS!~fiRVonM~Iw8wr)IFSN^HWVQ3rOUQHC zbWYp^@zke$ZzCL6R1(+6-k@;J5S(R>`##pyvs3EEr$z!*S1yDyQ)~i;HIDEUDsA?n z#)9vdBmAU4{xEF`TV%UqS=RNruXfUrZ(Fhnc7T?pZ8jSsvf&Tw4(IdtmM)eKS6PSt_TQ20oz#L zb$*(Z$m{ySkl^0+-Qh^q$*0yi=2*GUW;CXd5p)XM85S}Er$Ff7A=LJ?;UJ8~;Lpqm znp<$z?NHjT6yZnHafrS{^X4#Ov_dj14oJx6|6wDpXI*I^`~tLT?~K#xCe^HTP1(cQ zv;I12t>!y3vgnI(fYj!I$I}0)N}s3{y?f)$1HFkYhI)4kmKGY^*dci|8jS zFjP4#Dqo8wOUAwH2FzMCQcRCX8!S!<7-D;UIFo3s(sq^z0SC~sSc!CGLYkqvG6C=tnd&i;%T^Eh3|(Mw!z}? 
z<-Nmk-LR<_5+nWN|tM_&ybK!Z6*r6qgop1dr9Ox0IcBHn;p# zre$K6ti&$VZg*U8bAG`eGCJkcRsRfpM>iz^J#z=Ad&Vto83bkO&dIgtd{3_fwM51$ zF7P*Ml;;DzD1y926a9vA^t?PR?>gbY<77R3l_2zqOn;jRSyyV5&Vr((!SI^ zP@i+*xm!cmpPA5on`Q2t)QQ>!x8`TNgSQ!y(lB@_X>E7hMt&FLvKop9@2{#f0;LDm z>l-=QK)wN3`U-zPx^Fvb&Nr^zvn(PdPi|}9M77TwX)J=EwsZuzYB=!S*y`PoaJ9RQ zIC&hmIi{Ass9yQd8Fn?~Fyjkd4=OQIZ7|T49-Qjf&k5=Y%G8Xd8rAT}{HRS-H|Xqv zX7lA-N+c#QJb!koG79|F@?C=&TeaTjEsKznbqs!+2e->>O-&!YWVZXt|Px$5%SPLxYRT@Z&T{uuN&~i~WaW~3q-L2S7Wn<}po3`Ek2}HLuie#PeN{j{gQkW#lrIF;jKOKgcyUZf-=sgB1 z{D11ipw4Jg2}>_K9DLmm(IVJ+<3MK}Jaw0RWo}xRddFW_=4#xj+7{j7a2gx8+Nt>w z&ojM%HJg#@RJ^tUceQ#jo|#ABt&c&>x&R^Pn7S~ImS8|WH@j|n;a)}EPYT^(43`~i zCZ%a?7&*E>(l9EVM8dMdA>T{GwPYV)Kkjn=fR`h@131Zin#vKgyq*?@L`E;>?=p8?K^vP*i6;`@R&Wkob6WO)amPRCQ_V-5CeA_m+l^S@%^Tvn zA|&Dt)KZW+p4+p-uAW^JP&pGcpR!akL87d7&X>yN+~FZMXIkhi5cOs6u_LSW&|Eq- zX;R4mS&ks4Ll1Avvm_hND(&>T9a#8N37fUOIv{loB~|X@$Zs$#sO2;xxo1snQ|n#% zV0AS-RT%)jHj+mtbj-uqTV)<-lYw_qc0H&~5zb6B5 zUuEdGfnF3{TeDz+$1n4!s$qPDRhff``DjW7JNnXGkND>YkCfGA?jgUFD^7SlxL_y4 zW78Ljf-vAw)wSjPY+^lX=TJY_R?v5*)t9LQaCvtAw+L>^AMXHFsHsd9aH^y4U;flV zRH^$RXf06X;H71bAXMb=M!IED9)ED?+*s-J&Y_bPQN^%99N4K%)e?m)^GS8yTO{$n zPx`+c5t=Of=s!nr6gQ4XX2uh1yztvn{QQ+=JMPm~Uj>OJm#bI%4LqTkT#`>y8qsG9 zS5kSzrIH&REjPsAV=cl*QD!-%~u(Ug6B_w z2uD#b6)X|ttO4}M>@_744)PKv~->HQO<PYQ!L4TjuO{Z71`{9H1F6eotdW)lg+C(bR0WFxWqHs?W>*Q(ElB-V{CE-_U|F%w` ze|YIOTDK#Cp=Fj2#YIeLC$9uh5bNK5Ucg0epvROWTl5_NHMuj+H@C@BFtb_PrqxUK z@eDIbK$XCpBF1J&nzVjRDqhT$m+^S&o+C&UY8~IK5N7ebsN!?fsa{Yr2}CxYo@C$~ zwWk5GlpzeVAk<~MZYO7(&^htciPeo7^c?hfvAGx0(N1x;6=Wr<(@5cR!4VP}hDm-} zD|?;0jZ13$G1qBl>)Qw7WB9gKLZ+lKp0aoS%s0TEC|T=Qt*Xfiq+3AC>6dzW8fgZ> zzOkivMV==aSxhE9<*n%e68x|P`-~7YgS-PpT2lc}VPcX~2uP?mqM-$yjPe0SZKTfF zW1)Dr?qjef{W>r?foK{(J!`5!vM1tRQ*f&P4V5a7&d4WO?V_YJnC+CWCsM`(<=#p; zlMe-GuBJ_l)9C5J;Ey5QdlMZys6`#5xw*(R1~o*IVhbf4Lq`mnz!O_vs{mbh|C_I{ z$+9Z~L2g~48%fb;mH6^V7zw&or}ydEw6aL7TO5^YRQU4B^0yNF@C!g&{^&fWBD=$K z^gWE)DZvtPNb3aGBT@)n`Xd38(yHyx43wJ+6*+!8nV@CBgl6*we`z-_zQ15zTh1?%pTY+54NwouFRzgoefD?oH 
z9n!cQ2(ABw?BABhuv50=Z55|N~u9swS}Nps`O0!Q3&oc@{IJc zJK~SI)q&2mI`{~GJQh;u^`L+!(@^*xs00Y!!buEEZoz0%D38&1#)5D6k}>bh7u;Ua z7cvK<<|?LKo}Us_Px@GGXzziCpa{w%5Bn=Wg(Zk}{<0Q@c~8F%01u&KL)yLFpEU3+ zskvaX7^P;*KeC~1wZy2S&il6b+ zdn0^GLftqS#uG{-%AqBEg85Z=2)>Xy?^pv>cw~xrmE5;(kE4E>F?d_g)65PR!bEI`t~j@{JnhV1Z^f+i zMgN%d)H1mbY2FZB&Kv9F9i3<`-B2waShfOcS@n#hq6MmPYG4ab7{qqtz^QXm8B~%$ z4tb-?qQ})!=2$EF@^e7!1}U(~P@F9jnUW9K79!AMVXk%xP(`!{qhQBPn)0g?#whC* z(Fk^*uyW}nXEn&rnDi0<`XL$FG=GU0-ZkF@@@7va5ehhD=EPI~8`>fokWAd7EdlV_< z(plfj)^;e67v}@r0UK~SB2gv{$>IF{MeL3JQ%eeN(~BUv$NcAx$)k7*HKAZ36Adz_doeo zE>#HdNd^u5NL$(rX~K6YSvR@7Xo4l#wra+90|_OiFkkCnIcz)AG5H$w5kjA@Mo>8e z&ZX5gO08{@9~^Z5D$J-nUk!dT2F}@#Sy`h2^j#}`%?(wmxzd2X>q0N!-n&PE_V_+# zQxL2cr)+;UPe|suwi9r#lIdb1h{ZP6(o?}9+&5)^JzW5&k%5A-wZ$fy;v6+An)K_s4 zHVTLZU|LYM?hVi%eUXmSB66Sp$=W!>uMv|Rg@MBF#&U4MpY*!YL&cK(wxguUIMI(S zMX&_OWjfbrJ`jE0YR*S$T?j7h;}imiU&tUg~^A zd49VrS_FB-LhN%MJ^nDtd6rU>r1_G7DJ5!LrY8;_CV>TM43NsWUNQh(BmavQfS3Uu zywvX)xi$<+@b3nD=~n%dgcrZykuBTBxAB~t*a*OxH|zYwXwy$hbBSI+j~p|))RPw3 z7I11#vDbaNkk!lZd*OgA&Sy_H@uC+0e8157Jrff2=i75<2ZB zQmZ?!shfS&#t(|ONh9J+CL+QoF#6D04qjLjV=*JZyL$)qz2?n+dhar{A!>U@s;a70 za)reI6HnLn$T7$#u-OyG^in6Mk#H6VGO7M-XQXv&^Z5Ad?%Pe`PHBn0DL%?7o^ruN z{4RCU{=Jp)rYkSXa?^+g)Y&j!d$m)c_P0ud(bij_4lj#s(a97g`M*QE!paG(H=33@ zPVIGnoP}g)U5{$Ej#sfKJ#4n6P6-ZbSxxm#61F%Fo-M?0izaVLtHl+pAlpC6B8dPV zm47NC$WWdGI&pam84sasu}=3kI}GU+H7P71nN$H{(ZN#!!SpY$dc2Wa`S~Cbb#}Fv z{VM+dizqb^Q5MUw+Wp~(d74h|rqdRiSOefjI5_V$i1XB(r+IAY(B`1=`ED@KnZBIojCfKM(oBSuag!Cz>_#tySv=yS;F_-$o_#F56 z&o&AYo*52EQ6i2$>Z_YWudhKahgAyPsyqJoE?SAp*MuY1IJkA-sDaSgdfnyu$Yixd zw4M~rv)vBSEYEp_Ppj-#9WWv%wVV5~CqyfExKzMN2BW5cbM%qv^M_35w7+T>=QLoR z&i=Duf*`jvfQaxldx!|>R?P8`ILj-Ft23R6_P*(4->L8;T=dnOq5X(c0xxwU#`oOk z9tXWw+ekV0)3A{wy=KDNTvjRz00s&$@QvQ zvK;^6t7W&j0J!Ccx;9Jf;B^hu+LrR4|#6A4y;C1vs?eMdVP4?e}iH}rJ)o#3CzoU<|LF*hOX z*X<$s$w;V))bw<)f4diyVQfi^yN%mbWC6k4U@;TDqz3B`2h5mOocN5l!pF|A{RM!| zC8P|FS4EG%bbc^1{Z>xgs(EH4d&PQP5&hq)my=EFyPb`PG)%8Lel`jUE~-rB?4dH-LxzAY(L=or+qyM1(zQ7ZRx6> 
z;i1!q9{{`8e8MBe9VjormmcIxnH~y5rsA{P12TG@!pA z!sV*)sBW`Fwu!arY-;k){PeDdklh(*ZLl;98atdU_J7TFo!KbSP5fd#xSfhG3GHof zrm`?!wM6veYS^vO{>!@&ydQNEaeKDT-upD^jv`<5wx&=n8>HubJEXr1-x)js4m2{1 z?uzxua9cQ5^4aCGt5--AWLr^R{Ye5|YVv?(nB3wgi#9*oW_163IbizFZW*vKSmUoW z+BFz`aK2aQ0YY7OoIDt7tT`Y*C^jCY)DX;>Vw@E*(NDdLq#&4c*u2RBaBK6>vjLY9 zlf{u&x;#lljiU>;0{qInh}O@ZuN>1~hydp5YeO2E5_AJK6@>W4HQT z91(VN?y*16YP3GE*6A(6YOFfgfAk*OG*HAE%*UQP^}zr%%J_OT4XP%EIEXZpQ$v~W z$M=07ReK+_w)s|Mgx|hh97}If8H|q`GJ6WsK7Vr%{`S4d*MyvW1u+wOj@j`)pyzL1 zTHVD3uGT*0>K(jsUxet+Own_+rZC>$ML>ixpE>avt2St-fp16qjDUU2hER(Q;SAIi zY&vmHVC<{+*obZqGLDA=J1QdoZ}XCu)4~6S3GE8QH6#$-H=>7D|w>9T@Q}UFFqMfStIC7`upvpuZ-r zU!=6;Y1}nw$?Bl>=R%NDdzs(-d$g`htvn?=J)<9=)Y^mBeJA=NlN45GDkOsV0LK?D z?(@r#xYzyPl!`gNq5+46@4|%;|2T6;9*<@<%P*e>juW9 zp>fzuGV1QAVUnrcC;!3WqClv#XMiO@lb|H`%^tX+5^>hgabxb@rhb!O>3EZa&$ptf zYn({h*H4Rl4&iS-&buy^m3bUbcn1q&Ugfv!3TnT-yCu6NlQ|{Gc~d@2F@v>VZ~okY z!Qh3ThDhdV8VZX2RDr^V9tsAIYI3Z#V(vvf7COR7m=0=@tBYaBZ^gC(qoRJw#wKfAneU^iZsKcKFW~i3)!S)&INK1I(uh*_2-zdGaVhS?cJp-m(b`Uh8FAoue zqj(TqcH%oN&bl`)e4)%Ae+v(z(!-HRuPc47@z8)q+;B;Z$cT~*FxzQz8BV}vvkd-K z?T{S%xHi=2w2eCEy!|oInR6U!&h{p7O8cPs}8m;u8HZH%OC`m@@C8I$XXX= z`yYM(V8!XxtCqO=rPoba-(;anbjsypbWvY0<7BNg()E4Anv_AN(n}rSKNH%lrdJs4 zx{#gVv4#cM{-}>LCTz65vKzrHwi?E#3bri35?UbGyN0}TI?idKPTe&57<~GnA>af- zfgNY7kEGNVT&cxVe;5F4IE?E{e&~KwFir%1 z&@pkcCiUc*B-~~vs_ziW-~u`s2F|ND3<_|+u12*Xyl$+q!yhyJ9Ei19_@&uYA4Q#^ zi19e^tUr@$eQuN#kPdKMGKIY@2W+X-5>B)Im~&^n)p;Ml1pQ zyue<-e2|UjfkYEsr&;qJzbNF)jCPR1TJLs{sSpF++=Vt7K&D*fN?ATCP~{X&0VOP9?FJjd^%|7b>sMT| z(gx%Xa0wh(S6!*+RH`EA_Cd>*EZRz*8-l<(@$MwCAMyID|EYOcikbtK=?wZF7?X{Hh*C>+4Z$6(D`T>Z(2Xw#IeChyrs!qG8G+6>*B z*9t0zLI{IdzpYyTG&Nurl_$TWEul>587VDFwjCG0i`R$mbLAOoC9grB7zM*JOl8(~ z5rS2LXVY;33uPYuF_dgBp})v-v0R_BDg^v$0Hj`_@q-)#LU>OC5dpo*DeD3BIG?fB z@CQX!Y!GB7(~h;o4N#IMlQeMe+6>@xnA*Y;IV4QPM8nk* zj;yeGE-?$ftH{ZH3Nl3|BX&u9u}6NSAbW?wiEOkXQUp&$?tq)%)tsr&g?3G)`m1)# z7K$);q9$5XXyLRR#LU4S@rxij`&==HroKyXwXa#dvvr@?dC;sysr;lMt!E6H{d+LU 
zliFhO(cd8=P12gdK^9_x!;xh}9hzN!IKbLu2o5)^*KA)%&G@h3rDjFrrP*f$=BOsQ$5q z(4a~x(@$}*PEww7PC49!rU)5s0(6UiEFM`(z^_`pAxmLU4}L^7@%aHKkN6dDOykQY zr^&4*%ST02?o~F8h~`Y(^~JC{_ATpQHf5l^9#8s2S})MT`0M>2!u$ae9;g03ZvDL> zAiFIIKED~vAEk2NB*qA;1`P0J_8E#dIFjlN43W))g1)PL=nk#hHU6_^C=@=+C8ow^ zXv3R|(2`6Wdq__Xh0Qs;yJH+ze1a3O!ou%8xg=${A|N52-SoyR>qD3ENSjdAtWu z>q4&WAIpz5xB$eKV=mRZU4olkv=s)E!QkXMY&O3ck-G6#n;8Wb)A(c}HZ$}7mJrav zz2gMDsx6bW>X>jqddMq==YV$SgxK?=41!AYAh_!Fa|d8nOCAbnh>}D+6vlvRM|I;5 zrs^qQXWB{@A*tFisppCp9ke5w&(uw)f5Ry=`)Nun{k`)&6axo@>I`aE%nkbw7ST#T| zYdJ9>K=Q*|lYfeY)-~DqO?Vbr*iotSf1W4#cjGy4SC@ULsLcUjqX67WwFV=hmZjBU z;k*t+dqwb|Yfg|VIvI)nFjNoh&f-g&9+<r1;X9ganWt6agJM~dNx z7yt|nsQsOGg|E4Ws&3-^yxu8M0(ef+1Kpyz8)vzi^4=MM+DdSEOlNerNYi9(t229UKk{>J zu7$w)18i&1Se{iUI`!*cUwkw-KJ`chL7YjbC3|#!$%K1AbUCVwTzgIl$1b%Tzt1*z zMqE3MD)vz+;0Jdf-GxpTRAVRkcs5ik1FPwbFb6Vcy_)sxlce&$xLzlMou4=hT+yKB zE|6tWdEO5QW-yY0W31N}+|Y-%nVSK>8PQ>mP(lH)@wjQgbAV5n3g9QA3h63mgnfKp zn>_Oe7>gBo3wX>#p3VJhw5$HtPbPv+Uy-G{-QqF#``v^Vyku38N_Xim!*R{<=Qo`F zL^A4wuHp5CUu*`p*G!#IlQaX7UyhkDxSoIW3*nqK>tDJ3a-4X%cPxM@fyG0{0bHDb z>ONbA;?X4RLJUgh(-3MY*f+VsI{${64{eTT*Sd$j{|xqY;yuSZV^lIcQV8)iKN}&=Yh1g)IxQsjfKrlI zYb-r9xi(R$0WSOXz!M+W%kJgndIFE#o)&$3Xk=t~WOx|(1NnP+xJ|purS3d6H3jkm z{@k!63HsOsr<05B1m8rcAXtfh*Zi>2)t6-BWS`r0y0#dsDQ9Nd8Sjof0;SvJAmb7& zg*HO`1e~2tNBW)HoB4Zz2wAy6*g7QDgqte&zE~Q0F$ZCpdN;dA%_Dt;<5|9PRrj}h z&gyOb(DQr73n;EdS0G6a_qpvs8rY?$38WKl(VaJ9{1a8Sgo-fBh^h$}bL^S3nz>+) z;@Yp;>hwjMdBhvW~>Vs?(R+fp2jb7ojOMci-LkK{JqiJgG-8%MXP z6XgTFJIw4;k{%bmV|jn2{|tiaO4n5bLrE4x1EB7ALsMG!Z=`aSILqg(-x z@{4q^94tl$bv8-_L;5J<+cHvNOCS$JU6TQI1yb&;lf10G0%68&^yzM8>c_u2o;`O? 
z2_RWK42Bu~#E^+YIId24U3v?4_+gf5F3G_&zb&(^q0h2PWEGG4;z&8wyXBa2l37kd zMgxtlBMCfVnfI{g(W3Vw9g!&9Bmv8$19xhcP=|a%*4R%&9D8-Xg<3+*7Mn{c!2;gl za8sLd@K0&2fE3a9=fbZ)W*m6Mx?B2p>1)ihe}R=VK?z#%UOC=Rv|CuwJOs@;+s!2@ zXArgyD`cA?aC|8-$=qG^Ug0da5|92klMn+haXi|@v8pr4x>gFNt#l(8U1~3^`9Me8 zJWh(<$J1;ozks7*EbPF&whleMGWoK&{Bi5?Ss25-G2`Ko1s5G71q!KxCQ&Skel6?pIQJr}t?|6Z%SAs>y8|))*n~NZio)t+)EuBE3nb5SL4N84J<^G3mQibwYh5 z906Z9VTY?@e{9!EEDvpjmX2caJ_f7LWNdA;hbyR>$SL8O(u*E8Da@@ou&~Av^QH%t z;JCqo@r3pJz7jL?IH~=TwyD{RVy;(UlhC+c%#N3?nj&vozfoA~ny4OhZ|0c=pQK8} zV4(sP!OmDsAPBaFS279pPIG5hEmu45if3ydYNxM#eTmz4Bk?=mQI?7%fEUUx#xY(e ztxsTDUlr08BBpFn*_lL0f85!37s!hAB&E^SMs0F-`>1}Yg*R#Zb6l>A=cId$Sb3pu zOjI7m=;9%Qn$4dI8hbITC*C{uUR{Wx(_Z|n?P3EDm?l2SD65;o7u`X22s36+mWBac zPfK?B3^~2nAS>RNJ8!>MpU!>~YB3mVnD#^Gax`%f(g3RhDb<7&P$_u-Z6F8mBWfoi zSgp%juh7A_(tzkVH)D6nD-%ZBx0FJ0(`S6-`wq?Q z*vGkMN|PD)O>Z3nc^A-S=vmx|%Z9C<(TiV^=$4vbXNxgbGguFVzm*2N1oG+#GxIsr z?MxQ6nlrsE*qIIGKRC1Qa2G)r%=V zJYm)C@z)W0Ws%X@2|e(=Q$jgkJ%2CwWoWR`Rr{$WFV|G9=Qfp<)s+ zeMyWlnk+d}W))fVht!fv<5nx(GLmPjh^=gG)_lt7$`!s{Ss^AW7_4@d8TbkW@0()eUI#*D{vUU3k|wp^ocCnw|y= zmre8O4p*a}vLGB`rmT$wfW^>!+-l#O;$jhHi_Q;7UYAenaD+VJ3M&2?X@x)Xt$sx8akD!C4Bafkd zCF&b@P$b=8e+L>IUdS+H#l0;Cdpb;yoNnEHkcBb4Qr&SkF@lU)X{?w;0teX=Y%_|g zCL!%5!SVcQgfaUmN@qRxr#{4w-v@;@RX`_Lp5*P_Y=Aj7Nhajoi`kN0<8_%N@o3hF$g;DE%ID24@tBpg1Mk!Z*9`JO!wyw@A{F}7Px4E^%w zp!SZ-!D27MUOvA$)wcY&iUg~B`LBk#`Mzl^?#ODKlriEWH{P{$vVewig?7c?FIh-q zb3Z7nUtJ_aE^Gmd?all;gPJ)X-ctJw@ZhX$JGkCLoPTOhFlt$;cBWXG=vyh>k2VWt zTyqVmDJAw7x*7!oeN_|DY`9{G)EZUPk+}a z;`nK131sWN(qc?#@Q30wfEDId8+iUb4RZ!CZ7701kyV%7PzvLbdoxsy*G9<-%yJR6 z**h$~r&pJa`fg&Ek!eR|CSNj06RR%Bl4^kM^xflQ0T1b~s>#eIEah^}CiIKuhC7wG z!HB5##s050ot0Z}o(xX?Og#Qho9Lb@@0I;gYK!_K1fsn0uOEggH7^$&2hmmQ9IM{T zPTnqKI`12JBu7d86xJC)2!RmHogX`{OCkoRDQ-X-99HjUmH z7n9kFPwaKG{Z_KIw;(88?mKyf1`J4|*n8OX0}fvd;^5L0zLiDsacMh!;r84i%3b9C z^7#*}(WD2?M(=-~HC%uk5-#9yzXUxht3aj&kYqVpvEF z4MwFYjp|fx?)68bZc7WlPq)MCP{Rr14?t3KVU{}TLO_cvpq!YE{Ux9{yYYm-}!t|r`YqC4<9 
z2_H3nnl;70+EF&|dD&JbbcC`08}de2f0~7_tXjfkv^T?t&icyet{Cfnt>91=tMkQ| z*~97g@!8cz)o*=y+LMHReF6yX8x$bn1k*S<{_tFKH(pP&c7v0}Zz?~nN;~-&@%k_t4UG`ota{Vy}^CQ8YM`Z4#bptmE zm^V;JBpE$#1%}|h6X?<%JP$R;4*chz{~vYl7-dxWGNZS-S4nCjL9# zJpFl)0*@;{QH0m)vesP;@4^A{xV{N*UmGv3L`??)}GE2>@}| zBqCc9<*bE&V^AkP738H4=>L7YKES7v+qYov9T3Ru$ppN5bL37_k%6ag9M_}&AQS++ z`V1tX6-n5qj(cZH;g7s39z^CTqx!yAf0IgY-=b73#_a2OgcD_6?Np)|TwRuK$^uqJ z{gYXJz$IRxxCQ;)uagHhO7_>CnX`u=1G|Vsm+!PI()u@lMf|rrB;WR{sG?yoet0*~ zz%$k+fDYl`myiMJ`;={cl`efx%BThiH*t7jGReY|2$t|&Xz!nd|DQjrp?tppW}cH> zA&smJ9USeA^sN52Z1l|`nHX8{=V-e1g%F02ivxiEESrzV(@>AAZ`7P}W>kIA6O}K9Q`$mR%PAY6Cq>9y_%eEa=l3^qjM-r)c^;{x=VwME`~1^g4SbPs zhP){ty&?h&#!L?4A*l@9nSt5Rq``O!+t{*i!%0!fU00}Cdf86KWr~&!8hPC{iLC>w z%7#N$En4RvT!gkkSB%Mnk{{$gIW z^^%Q!?}&~42hV$k)r}|s?4i80|7~8_42|NEg3<&yt9BX9f-ioq15VL!?E4}l1T1Lh zDGLW&bRgqo$@R`#kvEZ}zCU+gpM>7&U!0NMg4#}AJWN*1 z4=Zo&{xJ0wUoM|j&s!HE-oa}ZykDtb^%%=_69KHg6$4*1I7}h;B*p3AdjA4(^kmC7{shpAFT8-$h-hd84g95*TT zxK6Y@5dq@j7*2An*zGBeBnmv58j^oJKN~n>CBR07%#Ct16-t1oucZi|QVyaHlCMdQ z%4q{<1s8;W!MLG_wP_P#R5GKZW{`0eN{b5uLKU%$+1JHXjuJml--W8jX+4o#!_b*R z8)j+Qz&in&2vyuS^S$2QO-+t*44fhxVo%e=Izh6)Dsz{T_d>0UI@;|DWNn`Q za_v(Dr@h2LK=lxZtFmG6xL+vSdUFtKJ4gRC{{!_HfJX?NrK;H5RwKB(6kUP-9W{&@ z77jdFT;h9`{USjJN1`XnnaffQHV}QMZbDp(=W*Z&c(*>|6Zzq!+DdZGDHcMk}A;Ksd>@_(r*?0;{JJy1JD|@b2%+K z2W!B*@KO4m!OSMU#cLO$4^svN42kG>Ot@%4-+J`GQo=NM`A7)occ3$SOBZw)19?hv zUttTo;)p;F-G0h2!_`(dOq5bZgd5G}ctVmhxMz?chxV7=!O2U+RXxY`Cn2!24rgeM zELrz!$&b6G$D(&Y)qvLaO1E^bc40#0~S*<2fSVVsOB8od4>#O|Hmj$cY@PHIYM z>(@?4$%h<7Tf&Vu=X_~VZd&(U5Qr`#F~qTRLt`~AKcvW=CoCT?v;+7ntDSifH^mpEIYJxM0)y<4!ACj~x2pTzC2098h zzc#);h>RIqA4rNMaCCin+obx{Z3G))mDy_3j``Z>_dWT$3@##m#@5RD?kh)gE}T~gSAnA${9Q>);}V& z?M2+$KdbUTpXrodc?8aiAgq9EuUm_+oy6{8@9>5xef3%sKQNXD z{|tHL`MBN<625@8)4qj(xW_-)(3B{U4oIRB)Yet5in+603ti;L0(8r zj$;A0T*bTL8yj!o2qovj3$5%lFhQlX6!oyylE3nsSoEEsk%hyW@rMgzbI;DqwFZES zgisT}BVQc?UM8njSbY4HXS^>;Pfa8^y0zCtDUfUFeFb6u+CBzF4*A zYc-rVT(wI`buJ7@=iFuVwZ?W_iY<*E5BuB$wH>!`F_SQa;i0X-1?_qt_UBP%ccAzq 
zW+Mj7LT8jaJCP>Ry|zx;q?jm3G9Ph#S5m-Xjn+Hhp!98NJYArcT9$sD0kpQO$bpmi%nL52ro52>o#Ausu-7@Ia}M>_$Wq2 z_XUky`m#-6G~gl9T$wpV8dV0+4mI_Ur~cdoq)sq4Lg7{Nwz@)VMn-&;_z6jt5`rz1kA5%I(`&ha(zF8A?p${@wcDX1RuT&EfMD~1G7z641FwRWb zpBEMv$DR5uM7R(nUei?+NkN^%8F{2liG9#BOl6bVO~c){w0I1?<-!^A%^)TsdZway zUyJhP;qxSsF9#lBi5ijk=O*Jyz~}OXnMvRJz4Wb+v z78gT_{E0xz&NL-bL_rl73)8tAvLr2IW04zbCCY4U>~Xq)II=4EUhS;~& z8M)Ojl6Qzo?6w@EqnfM4Hpo=_OabymNgN%W2;tGV8||{(Y&nIv9+n!y63}i_=6;sh z^pA5&4NzQNM=nkDGS7wsHtglxi+2$-0IQL3Q#YH7Xh14-gIB4-yhd(@NKRKyS&6-5 zoA{n?5mC#hV;%>3_c4!bM;blsm>(dy20F&^u+WFJ8K_%HuZTLa>Koa{n)+IN;@Ol$ zyCaqdc-7iisfH8aIeA$Cb~AtiKo4E9T;RaCeSbxklx+p`oE&+sGT_oKpeLU7T zn9RBglL31_iy^|)LOR-Q-#7H(Rx?+ihqFjJ1=jX3m;|_4kkof3BpfuA$fb{bKE=`?=nd`51PpIhc~oKzBB&k<$TLA|ZI5}w+)uKgqt zOVDqaLyYZiK1j3{j?0p+rLqKOd?JYgL8b9e`B1dhW&;Rt+0u)T0);sZufChOr1zR! z927(ZkeQk=A*fbqEH8wKFsd-}U)dTsB&Kg?I4dHVzp(7Dc-e&4%&l%haq~ex?|re> z$PgxP#oskv2${)NL@{-~b7zgFYlup<~T19_!(3x6QxDfoP`M3u+)=#e{jd zK>5y!f>>epk$OsJ96-y;YFVoW(2s-o0KN?hPwLYMuo!@?vT0#OKQ3B*tzF0}^|b)b zgZp~ho?2x3n4Tnvcun(CN*uVSN=>i-TnRF2i%!HVs#n{$fZ)1at>0#K*4WGqpidM4m!mo%uVDPG=K4N2b zkn4jLH$`mEk7ZcbZ)S0v6z=9U_$y9E;o?`3XPj6qp>B??k?6JH5oEd-|1a?0P$SkLfC(*8N)1#gp3#tXs{ z3@)lFIJn}fKVL5sggEqZmgdk5j8(K^C7M_Wu^%)&D<}hFtDMwj34R1vu@n7V?=DPE z1yO^h)qWFQE*;0&0Ac|Ux@ye6=zIodTD4(?_s$pi zxOjou;?kslveG~Slj@phRZEOBwBP`XCa{ixT0J1iLV<^D3EUBqY&Am{h0DEuyu@K;?PqNi2J|d#n~Z*ws=cHdjwam$PrF? z`k-HpV~hLMw%&1PJF%YrD-E3a-!yO~H`{NOTTaj9AD{L{){b}#-;WjWXcdecY@F;3 zj2!To7+L>0Bxqyp_&wwA$X_k~dy=$~p_!h5jVq)k-S+?sJp&#qJA?LLwf#T!{lB#T z()Z=;Z44BR9Pu>2w-ge=qg66;b;Q%gqZPEVw6RyT)iW@{`wI&QI?&_&W%4@&g6A6? z_}=v&!%9lu%l{pQq*YR4!(*WT$CU3jJslncc83{i`=#lk?*WuL8dWA-I?Ly}{U|Oc_qq(v*+Cg?hb7JbG z>166;C)|a?>y3u`-1};CS1I;v)XN1-I`>wm$i`bjm+MbM8$535acg_oXuWmm{!Y>T z^>vP7B9CYG?_}e)bVoRLvqu0pp8cLW-s@uuj^;PNxYu*5}OHV!y099Hw%r-l>MV?$!0ZBf1hfna1?44q92Cu z@YZ?L8(XLb? 
zvxnB{r3fk}wOp32N)b7++#`;J86EWRmhxO#6qxjvQ15DFQl9C}9N(kZ4eFldWus#| zHt$3Hu64-DK?V)ut@$M+a1wC_qthcbB7qBQJd1IIk`De^%Vdt*U_8&P?{M0sTx9mx zA7ov4W~A(ztLI6)4*oSdKO*@9#4#T^4LgE9tVZHMdaho?7RglEfUuy!d!r^i-1;YK zN5^aEN4NnlVW@9s{0{^Y)dy)E6lPKr+o*W|?qJ+FW>=(se6HKh1s!EUv!hgpQi=tD zLMZJa7CM>Z?mf02ak3S0Kj^wk+j`vaP$t>rTAGHkH;C+wcPB0zr>H##@Q%)}*H1TL zy79Hhoz*~ZbJ!~AdnylsD-PS|I+wTWF!%%O7YANP={ghbn6a=0?*F`LCQCk1SSh78 zdZm6|ZJngwciDkjhqqhLswlf{5%Cs$htZV2Kiv=QJeBr6*|vSWX5YW9^ksY*YA+5OWmD;VFO(L`-gBfy|J)hRX$|^Z1oEj@6 zbEI%TOci3bWV|+6>Z#V1y6yJn(o$A-R1~ zV7u0iAo@&6FC`TFzTaP!iju%?kPWiMDj@Ef9oRpUKU&$Bd$~u;`twpDj(f;*BXz^q z<-+X;iwW-BQ%WKCZX#jEtav+ZgQAH3BF-Zg(uvS$&t=q7<<8<`p+WOA$kkCpFPLB# z5Vu2BEIl?{>$;hs_&LaEBESs<>@^UrB(CnozA!g#5%wGQ6qZ|9d>4be`oufv^g1d? zvj(OnN#DFGLsu@F_P#QNX&MGbi_>=^@G#0AB9ngNYs^zymmHOTH5E?CF?n`Euy$2k zmsWSE%nI$&0C_WQWw+c{)3^~IKCaLKdX^vInz;nkz{O&5AGIL0uPj$@)_5=mQiJ`* zAI%iwYJ&%Hk@9a_=wQ3^gG-XX5rxkvdvJB)`Bs`Xx6EK#>8;#ZJG!r+Q&blF=b}j?& z7K!4Ehw{WkZ0NXL?@2p z`5nA@og9mng>r7ASmjEzUKE!tc3dO6b|!=x==UnkO5`bX<1Up9N^p`I3xM-z%-_lQfiCBHy-t=l`;i zTg8?d^WPHPveKgkNwOp>6TW4+1-?G&n1x}s4t5SLuEYulWa6!IHh`s6qkLwLUpn}X zU=k;ZzKGH|7k($Pyo*;s#6hLHNJ?+_Ek=yv4G91u7(Jxs;^pHawNUk~0OxVIuzLjT zgNP5fGY91{n$Ua0MxhawxBsEi&hZ|@3#pjTAIix_O%X(m#+sqxbijsaguAc#Qw}xq zBn7XPF!Va+t-FNy9Cl41P5tMk6EY(33~WWI^F8u~a+YDo`h!GsPV;IBGm=f-^<)vV z`$`1)5Pc2Fo*M;|1%vW@cPc1k6bW2BHIS)Lot&=2`Y(}fNVt^PB^NiCO87BCl?{afE={=2bE` zfh+{n&5AIU>UioiVWww$Bs_g59iL5%vv&Nec0Q$0g?F*}syOhF;Um7rC#)yaxRrt| zPE=^tC}{}K*Ic#|uGl&NTAdu1`_AoT&rerjEmwrSA#n*EGBAMlakb>;cgSRy|PK^TL~H5%44al=R1kNoXd9T`{+oo5j<57#vow*zf*@ z3Z6$Y5#5ZAeHNSH401|JQVh2th{D1^py3|O1RE}LUS;7d8={PAiriuQ>_+wRM6KFN z8*#I5fXuDPx>m#D1=QJB{>=`jM>kaJytv@dAdV+6iLX&k*K1SOA16eV(|t}SfEzmL znbrj}J#QX3o+mbDU*o}@hs1Osq=y-o*4Jw|6R=i|KU2h|+>t0DPiF|msg*HVWH#qC zn1|auYba`a-7gIpL=iR-U5lJBh}Z_J`Cbfb5PZA1=tzn|tCy_4PNB{x`FE|;nr(W@ z9qpNW;D1^T8x$xBa_J9*vtC}h3gbm2!*U{3k+U7^{}4TETPi&{Yad*!AuT+%UsFsh z;M>w~Wks8O^~*h#CNJV6Nu6t+=2cW#^XVAQA6A^m;I4~qB<`&JEr5rBi<&$;1TUFY 
zcMA2a2gOHi+Rbz|gL;fdnlavkYZKurONPtdE)eq7s!;BbNoNwp;99;MpN2uz z#|}or>br}RV$|TmHXO1~ZC_2znQs*s#N_9Nd*Y@k!MxCq@?m9C>ww2G>D$S`o8ST} zBzl{{IkF5W^fgAAM#DD{j*EG3w}{-okZUD=w0k63GlJz0O6;6xIi>_X>Y|ef1hzjy z%56GNez<`J#%&JjPAb2XCB@+7enK7}jnwdVy~3ukj%4JF1sP1@L?pk!rk8p%K~(M* z?|e)i2~Uuy4VY$wLfniWaJ(B+edCO-M<_8nuckInCZhK9Y&;3TM3bLb{bGhPL0yk7)j_*w>I9JZ2i?X}yJG|K;hD72 z%n`}JkjM*K?^I(Lg+-!;;%78S=LS(#iG$JUWlcM^v5L`JE5~mlIOn9<8EzDyGGxr! z>QXrzD-#pAlX}X?sb0VfZ$Hw^I%zp(I6t8i&FG#-}f?mnXNJ%#>*i8Xh2{0qf-O!J?1KB6Ane- z<<{xt>+nS*%OPPCiCV--M;TJhGSC~pjyuL1FcS`3y!zh7AW~p!2-7j8*F0vUWhC7bV;LOd-uf}wye?AUk(W*s zqb?keG3F!>XMtFX66&CXDiAHZi5PIph`eqsZ``<_-06?v$K&OAkBZ=bIppo zmp=#H<-d~z%6{j=aEYg$ZqIcJTz!o20qE=pweL58J+X|mSb!XM6K4>!$vnLSC&da47&7;bX~K{5DA8!K2dq*2uon~}jyI@*Igpv2OZWk_xcu($rdmpJoK0 z>Ua-Le|*_kr9_@U!74B_ItX*{)loT#k@a#JCxn7;PNcDgFA0#?p;iEO{{d9vq79E? z_|7WEYNRBAWtcB7>6~c|>?O?WXSoLI8y>g^3#ZH@zo&-g0$8X3`8|J7-8E;03X=eV zFU!y`7aEKEE7B2Y5S0+!n~PydR8R#;O zc;%|p5rZC>YZz8Qf%Vq9^q_aliL<8T)W7Y5Dx~TFd!ivU7Lb-kQ)PzfyxyWRf0q2{ z91jerL-#~nS-pU>JC+nXIBHZ#tsqR%E@Q;#56CV~Y?UaeNE~%7O2H0uvk#XNs(l@) zL~g)tl(-&e33eQ*D<{F6r;{GZX!S(@y`f+4MNP?(8i*zK;g&04@%S2=Qgp1L&w_0O z4&bAjtQr~0Fdk7dbmbqIHCb84j#efI?ocAyptDS?8Bn8{lfefBa7apN@pLN+aB2yz zxA!X;CV1x%Q4qXI@${*NovG~Z>aHD0XfQ?;H6!BiVIMw|dMAjbn#??ji>8j76=YW_ z8YdldMVY+yr;fKcn{urrw;_^Q+E_%hrPi;cXK}=2W}|Ab$(EJtJ3MW(yd%lE2ojEA zV8T4}lkbxDVP>lz3F8j$G!y~`&L1c%JsgcahiAP=i2(IP4hzIHW=*-VgB z552V-##`d99UADcjO!WMmr@wV+Gr28tj4xpbb+0X{Xrj1>Y8jPXX*3AZvCrryBYI1 z5RUUWB4~sjt}-l?^xi7iRCTYvfKa9Iw@I`PT_y{1il1r-YBS1)Fvd_H^(P-Lz5s@+ z`AGi@$oIxKH<1X&vtn*tc`HyrNARuIEy+W+UGeWVP zaF~QQ;#WLlH0PdSM)?w^@JfTp(9o0JWy{j%cfkW$%e&n=L)GlmYwzr;YNBR_9WE?K z0sFG$1!j*<1FPi_TJj)YIFY(W#)Zo?D`(CDqO}ea8+FC1Wem3R7eCm}KmPGm$H(<- zuJxt8MptQxb^grJrc-STOO%h8YaiV@m+c1*6HJ-=wHK0%>2=6!UMV1?%|E@yoK>YP za4|g1@YTwM9KD7s`-~DQSzbCZ}Sd8s-yUua!}bSJmDf4g(7V$o=M zbpIIpuzOxFM|&g`coyn@0xN=KALnt@a9~bZWbYM#%_odp#?3&ORI}DBA=%zXXx6bi zL03^LO6q3sZ0wa$3r4#%5O8!3gOKQz^GxV22F8xVM6`}6G$#pmNJ|jtNF)c;eN@LT 
zTU6i3W3jngf)1P2d6~6RYU4$MXId-bCw#X+xuy^Um@ySG6lFnSHYU1it#s)Y&P|;jmY*O@0j;b73zU6vIR#jP}W#F*-A~m^6 zVP61;#_QZ4fPcqvwC^|ml&>NrEG#wq@pm%3H%|Z)~w%5w>I97@Q!TD^99S^ zwn5`-+*ebQx#u)iSkuxZqL zPgkZ)>{`r$iRdG$e@pSe>K)uS9o)mu%h9--(pI^;)^?VmA=R2O47x=foRW#6%@Q8YdgOrL`{Pc&K}wY z^xE#iA8(!**XJ}sXfB{?%z!v%Uu!d`U#)k3`2U6{S%Dmgj1+h5mAkR<{l;UyAJ?TXkCGM8xLpQ4|!0}xq>|LXMbk?V{ zCP&WO3_Ef5c`0jJlESTp6fb^eiapo*!Ck^HK&7Xz%s_grufI z1BvMnPoHOGA-hDHhQe9T5DDBKY|RsN3f0#RVzj==w9x9Ic9Jw%TQ=keq1#Xjv{Dn^ z*+}43iOojHn?SMX)Nivk2J@_($+Q zjfhqVi2L&1^y+z7vhI87mA0Iaqxo40DUyAsxDcp%d$j9b(cHl{o+P$Vka?3sL0OWU zUz(e;dDIhBhmgGb+kvuZ^idL2_S;*MILvy@?Q!brPEk@8WaB6GgD1IUi~V6r=eZ(f zK^#=_rOw!3bE3uP^9%8?TI-#^pe%<9)vp-rKMUl!Z5mXaaF3-5TWkske}O)*0R)w7 z|1#!CR1e4T@y=hl|z_%yid5AGKc=iQAxvfF-Ux;Luzt)C-Nu2+oNM`vDNdJF} zXPj;ikKx%Xd+v;Cv3ecimBVTi}U0e$jW|MJ!8^C_n?1C~i zt*xgeMP<65I={)jbT)r~gj4W-DlA@h>GJHBwa!LES5?-ApQZPHodT`(o~RE4sUZK_?&1ox#6mj-f!DU`Rp%Eiv2+QwU9jW#7E`1$A2)X{dHIvVxG3dO30QOTCSPB)0F3sq@ayq!8W8HDxnMeN*b;b^# z+%H)D!x3`1DcyN{5Z5|gWDmZ=y^1P}YDSlbz6pyHyqHp>q{BNscrV~hRq_hu%A|o4 zVhesPdi+a&j53rJeG#mBU4&$GZ`0t?lb+uU`Bu(Q8_bIBJ}*0{lNp4qJ=*86?Hrrt zb#G~cV2*)pa0HAmZEb*@*B^tpm(#eU0w1h_Mmv|Vu7TdWrm3-Q^Gng`t?~;_st=ju zb%z(YNf%j8`K1jd82fQjSmngh9g-Mv%{snG$=XcI8sbaPby}c&|U>n2F!5t^f`dzch*nY^TFn9 zr0(C>#TQ*9kNg#xPnB|NR8F%isSg2D<7K9%{YVu`+D;C; zowR?zqMCk8!!$NcSDwMrTLuHpoL8Co(e_gW>CV7BzYJf(u~0v@Jt4dm(I8;U;N)V3 zg;KZlp9%ssRu0lL4aH3^XK?1jWdj!_Zgy-Kjmm?Rt<^F!`Y1z6Kx-Uv5M@|;{Z=fs zqGTk6_07Ey>k-DiApMvQPO4@0l*4r?@*3L8;&E?>ozXpikf9=Bqxs=Miif{}?(vMI zu#FZWNiAbJs&pF8iz8L&I@WFdgQ4u zl)x^+m{zLdm0VUcLQi#bA~qj8#eMNLWN$u-#Au)!xfdgbS;yb+9&F{Kk*6BbX+#&Q zuC>lb)zxRa5bsO4m-ul{1}7{_p0vl3Ku^#gRVu7}tn{EC?Kh1uGHP_vd1_)vGH#bUYu-B>*zA)kTK7vmYOUx7`fK=0_N7n~_JkE&VLK)mH{ieRQg z9Z-blPaKKxEE}M0+y&d8SED>BC_{C5zk&P_@>>{bKYgHMcBu+i5iY-U6=yOgjUr*= zqb$rTU_zQ2tF2KXv$iTlp@5OHGVNO$6mKd84Ks93x(!K|*&nyE%NHi0aQPLS7bS-FS*oTlIW$lC+U@!@Zy23SZAP9F63j5NcdIk!qubzE z2Dn@iZ7}tzy-}Tkk4B<}76o3A z{Gls#^d%9Sj0HAWr}_;Yqe9I`J$ytKGN(Zjj4>NHZl^yej#Y13$nBdVzdSjmVg?l 
zmXBx8toCHHqHGOzeg9}BNt^aN8?QVo-SHJ0mJ@gF%}C%Pf2QEy66wMKV44Z{)S6C6 z8aLF;7?-#9ymdnWTJb~U#cXsilET3t{urcKY3PXQJupohz3BqSAODk{fQ>0tw7e@w z0yjDeNQ@3AKC2&7%dJS;$57;S$9WeMw4n|ylFIe-DUoSNHI0&@&*r(Dr;w)RcL9HN zVuwhRa~!!jLURJ;ly383^^i*7PDH!OxR^r_vA9ICY@%q^QY4aTd|dke>aGF}xv=`R z3?<}dJvX_L4gv&*4pXFh`|-)2{jrK&Ve$)zj5D|*aS`FwLHL_FC(}1rDiPn8#{TA# zV2QO>JAL6$AiYdSXA!*2EQ~=E0u<56@fPBRdNmn_`W%x`8hnICR~nQhJg13~I-{Q~ z;-Vh1rVQ}B7mQn(^#J2tb7%xkt@j4bFnQqrP%~j+!7+e-&-+4+a!MJ}(d=3abtZQOHRFvx##JWUI z3v#qO*-g2lL#jDz)>L-m@}yD-_S=1i&9&BSi8(1ShREIk576G zHf!*qq*muMiKa0$TwyALYgOAdWm^HQFIs~(t>BoqCm==xkxFF=PG#6BZO}FDezLh{ zx-4!kS1css!u>ku;BQJ{jFr{qr9m}fKb>3O=GxGL_ zx4Y;1P1_!sE`y=#846jd6w;fBBG(t>Z|y6L&lrRkDXJ#W%o;8Edem2L$fV&8Wq?#Y zzedc#h{2zutMLm`{6TQLZ(j%~Z|#ZJZH8DCHS{oLwj?&WeVuE))}GA*6w1c!tqYmf zE)W$TkZThgsMRrV;pi++sG20n+;nwn`4{}q&McT~>Cdl!sFRn}(hGSh;d#8A5{S%> zw>quxIBfF|SPXy6qD!@*h4w*>b1{aaa-=Z0 z=Y^x@CfM#*V!-}h(~dN%3RObIq+T`S69Fd(rFd8rwX}$rp(N@9s6|0_;Z%n$hWbek za9wdDDNGLFoH1|mXsbrw6mLOxjXFy9#$BM-rdQ(;N{-bfYYKi9=5V(cMvFqmV!5eUu!QNB^dJRE|ZhEPBJHk~*x01oJ*~|@Ha}ORvR4iVLCNpMYz>U^l*fR1nOP!A7s29hZwTZKm46quF}2txJjHdVBjx1218-9 zx~Iq7f~Wj|U3;o_{6E8@J$qP*`3k&;L9hu<{7a~8W`AK>)TiOXu= zySVK0_QD(rou`ai5-#5N)!x4vTi{}nC;CP1+wQ_3CGG0;T^XQ`FtGD*{H*b{y;44V zi3W07m6WZ~$f&7OKIdu*9Jo;z=dn>EKkfA(sHlP=Hx~jAAdY5f0;kiVI}2*GZJ#Z^ z`}2KP-eX&}|5sNUcUVE%QkMpND0-RYg4_ajoJ=XXaOdjuX`>ZgO%TiiBOv@1e8_mZ zParq`)tdD5{1V~gd}|M2gngWpO3FSoTZ4fPmJzds@fEu$6hb9JA1Vm%Gf{XKTa14W zF&{ztjGJf}r~?#Ee+HV!>K%@<+e%N2+TM|i6H#Lf(la(9f~t}`KRgPv_Q zP+8S*6i-Q4YFEvuA3JES>?uHfsAvLti|d;++aWx1tSrWVMn2) z1~s^Q~QkyBlvii5CnaQE%lyGz2>|IQr=U7vaaJ9T;$9JM^ z{6!=`GNJ0hY@^WVr?E!(EV_Dq?R_tY)mT9%n5D3e*P96tP2sqq2WGUkZFq&9PIg7$ z)VA$Z_WMwLoxeCKubeonUb z*9bdom)X(gj00nGNVyol>F6Bc(ja0r=J;3Cj*G*oZpAN23gAo{r z?;F%J!Qz7)f{Hhvg&mhB6t)%_3sDt$`v$mlcu%+ zpA)WUs*wqa2eTZb{z!k-W9OB2Ao}zA8aV?#V)D{99ai!EXV*|me*9kFW44mq{qAsI zZa_*D5IQ?q$T&0!SzgtjeSV+{j9253^}&e!wV3UVG$+WGZnoSMC@sA>tzQ{(-oA53hdUv$1Lg0Y?F~nXV8){ki_b=VN}S 
z+O;8P^Ei-6MoWHKPOUSQTS$8;RFk{k?)`A;4kAC5QGUTuF5xT)F$`Tjayl8dDn>Hx zGP0b71Y~k^_(3)1S{2#tJCx!oN1UIw2|4IWJ4_TBRH06eV4EkdMltLI^3nhcW&2$ z5Ih#xuIZ}4}8jhc15@xYT1>3*`SUtw=I&K8~?^+<@(b z(2>MKbu*71n(}hd>K2;PwTAa|jOU!>3>|q!Q6Er8?EGdqf1?3K#w5y++Ea@|jVhX) z5H}6MsND4?=-xvDad8U23|J{uvO!#QINTf%bm}B(VKYZQM+M;~xGULZ8q&iCQ0o|C}n?eqKH>XU1}7 zm6feeGDL%odyc8QA!xjnjQNRX2RJm9@HD<8s?1vC5hQ&H3J!c>&%Qr&+FI7i)|F&4 zsyo()+7)`cVPjnwMqxa+!Sl;I*;>btB2Nrxsm7(bh?Q=}ivz z^i+#<@DY4lRJ*#7;IW;sAnJHckL`I&j;$^Hoq-^*3)V5TT;a+@WJn0 zc3id`ZAi`90%bliQ3qG1ql3Pyn!(dPd|@yDsAu4DumhmJx`Dls7mk&<5-j){5n9(+ zM$hPYX_``btmfigK!Q@RDW+82SO$7Y=3yQp)dx{?8&n-CUk~2N9x7vTsWKH|-Zxk> zZ5t(h7MPrm?05fn{sE)FGvG}DDd9p`4|;J3k8ojNFZH}t^@_q)f2*uh8%_xX4?U@- zxD5tMtl}bB{>W?HM3gEYN<8M#ZA(4_LxYOqw@zFpTSHST8!96@-iw-saQf=-5zp7u zmrw%}!a!#)RO}F4EzXAqa}JG+M~8a0ADdrV`_F`MV0Xnu{2VHQrf2?r;eIT-CA^T-|5Q#k0_ zN`^b&-2>-ha#~9EH$5w%{Y}of%(vFsHRc`Q-9-5Ln4Hf0rSn@1^pQYw$LW{F&DJ20 zuUM6T>vusoN=Z2$(P=4~Ck25mYK^n*-&fs9F!aEEc97$8#uK*0@oyz6UUS27D^ezq z#*Wd&^rsdf3q7F@<2+~DT1YqHyHw`1%A9O82Z!=B>JkU?G#{%Oq5}a6IEi>nr14=t z8q&!B;MC36ydEAL(S8l5B~6J|RO3j;WVsb+`_1Ab2#AE-_nO%q^JglRmL0h)fuBm! 
z5NOzLMKoZn0`ER)PCJfE=NbKJfVa{>tF<{&3F`(}vYx$$_*}!n>s^J$&RFPSqI?DU zU);U(b8k`Dgw+4uBo@?r>Xe^cGWqx z>zvwqt@V5sZZLvc;u#78jZ?MV-7nJor+?xR)BV@WtJ3^5%k({aj_>XY+r-oyifG$k z>u9`zazx@-#vMoEaXnk=heg87&En;uZvHF&HAkt4GI|J9ZMhKuwD^uf5kd^6NcXjQ zqyaj}8f{mpz$Hm#D_A(!Bwnj{e0*G{ZL@5N*MtJp6yz2C3iAJY(_{f}v79qMJ(g!8& z94Y+EQaIsOt_bLPvOOkTL+S0XAsT2%d=5{c*SCzTD?$mX8u6`oeBMqfHU>$G_J$uA zTv#FMFwY;(3qWDAIWN-H(c_VVINh-{n<6TCns=j!4`F1#6YZvSN{oKg(OAG7hml!a zzZONf_U;Q1-~Q)rFfA_(DQ^SduY8&9$&{ZDEi8#$jH^d5+5T z|Gttc0PEK#F1BN}bvW~INoKTJAn5X;;Sb)erGJ=I=l0#K7QBRxolW<9&-nKCOIDZy$O9)+^@>U6z4~)TC z=QG*VEEm;*6q83NL-t$(&u%2-ES{CWMUZHrrn&oYS5Y19g*)ppZpq4vOB=yE@$Zs_ zKdVN@Zib=#-RAQt=fI|zE24|dVU45?^4Z8j@arX-FULr1pu^ePt@i#A+f>`R*A=vt zlN4E95W#&SC7GAkCgwHcT!?y}j?MwDFdPISIl>`H+Kp7&vjR1?IWIMj1L!Qy)sx4M z#9PM{OA2?Om`+G*30$&(0mQaK*I*JGe?5ylMUv+wBh~32cN`;6yu(h}KwFgCT4v1J zz8}>oyCDH@8Ss)~L+@}CCd387i<=fW#06@!I=`-YS5Uy{l%cDo&hfFDAeNV|f;tpX z+!AE0;F-3C6QMPV4}%F0f936A7F*WB`BY~rZ#Q`)mlmmLH5J;HbgXWdV5ZfobK|yD`RQkd=cs&8Wo)PTFZ0CvRAZ>w;+bO!` zzsybur7`4La)#|kR+38;^ozoqJ^@;HwNDj)2DF3s6*D0HAybSgqH)F+@(JfnwOyGP z8ykCduPIfki%+yp#3x{1*^It)&TQWjliD%%Chx|~_*V{dolkHgFOPjajn^i>FCAY@ z_!{;*0OwL0>NF}A3zs2VM39Hv*Mny+o@l`B_+*JRT^H!%Pe}8d08oR3ErLz z#H`hi$*w1@c~);#QKaRwt3VKtF5!|aPqKnl4(|wAGn~dO&m~^hHP7>hOjIt(@E)E+ zL}a-xW_`snZbZLyD$J);oah{7rC)zA?TIIrI}*1@D)DIN2{>=^nq5|c6p*M}F{C(` zsY4HH$WOM!*+=IldXk7)E}2i1>ua4?jpv+Rok)NX#y5JtB<~ZjcAifZOXi*L@VOE- zrP+S5ui**y+m`gZ+!5p3 zx4BHBXh@tqi|ogBoQ;g=K=U+0238bIq)(qfp$u|TT|DxB(0upb2h5{m^b)dR=T_4Q zUcxJu!KSpn>!^jQ{_^6mVo@zYL+u40gAFYdw_N6%W~xHYDza0PbwgnIZ{sD=5MA#3 zu;IR+5vb@SRjQ7TnFGUKn!U?1#Yo`6>{V#SViDAuR_Lq}JaN&#T=H=*fB*Qp_$u8ssf;tVI^uLH>5`hkz@nx}4%oe@f|-qCizkmG;Bom z#epnh%UZXQ{jlPRfWz80vVq>T!$5x~L79HhtD~ZgR7T(VrVnO};YG;8r5QBArekDq z%98tsJ_m%5?kHB(O>*GS$lu24oX()OVg=P!U=_ABHNqs9ojRpAE;v_pz&DOJ zn-d445FvPc7)coM+cPaJCx5Vtc}Fi0Pej-n@KlKAPj{q%qX-7|`L2rJp8KOLjkBpT zs@1mr)>7Uw%D>BSiZ>17r2B^Hu}a5*whh6w5;95n_8elJBqeoCPt-iR`!CB;$=$J8rOdXdS*H-dQti!a5MAxq 
zLB`;Wp?J!n6Xj|&0Pkv$(T^XhaUR4*0e4rb?a&*6LDX_W{+b(#*EIczu{Zib zJUFaIpaC?EO0=K%bQjDj2L=$elp*j9EY?ai7hzzijhrbOkCRv|{PYNmOk$tgU21m^ z5ywdXHQSj`or$9;>1kcdcL_)Wd0_+4*2_a-ADDvOPE?{kagsyH^cE8vu5Hnge@ z1&JDU;ZnfX6fEeifqOZ=+uO+7NMRo8h7M~MsIe7m8$tLRR;?s;*)lbKQHOH%s=0OS z#{~B1LbLEh^k2efoDR7Q_CQ3p+wr&?4ErhuLf*U%PQZm&BT|}@&no*XaUMnI9MK3m zV>&REO(3OfBZnSzG~4M(J~5n?hkp=5k0BVuA4h8Lqk8shHR_aD>O$Hcql$VTVs#a%l4yKO9)mLnn;oQb!QYWf;qS`Ob zPNco>bhWHFh>LNNeQ2F4w0l_pyy)QHwgYMmd!C+Cg@trX4S!xK?s68|4-?+=j`VFq z2|$olF;D$oYmsWRLn?E}y^HM+HZ^Y}Y>?~9ZmCZIMDUCiY!JqY2Tv1Ia<<}(!%GIt zhI7`AXZ>BJP{CxUZbOzuICCa}^!_#oWOI&}G%zSGlniiC4yl4ku%jA8)RLrCp%?YT zcA9^dV(=I8Ic;8l+6|#$jCCsYr|{I>s;x>dV?snMFo=!h>hmi3ZUL6BehL zQ`~C^IKL)-?ZC#i8r<6Q^W4i zm(aYR@a1_rIdobb#~VbwK;SXPU}nq3X1oKyE%lf9re6(&1L0V5AK76~gaFDzHrFAGX{mq1BiqNZ~Jp>e1+ z%8aF=EgetlIJ~u#8`)9r4`Fs52Qi}Zj-1V~P zpP`10S0!ySL7w{LC6%TNeE{hNY(4{94^c>wk1GayGG%zqM}ut>^1?;`mSn!B7Eno> zokQs^KX?b#Q9FDjCxGZ#ML`y-#^>$E5glhgShE1lzO|u}riOzGuZCc`8(2ljIU3Bb z=zjgJcXjUke^A6Y{$C_QIsUgq=zpp_|D{Cef3E%iivq^^U!`lZu`_c1FXGm)j&2)e_KTAGldEoZU{lHAe_iGXr z&r^;-qD6ZP=li}`zlpvrecs+uslU%tyPCc~?@;)XgUz=(JLl`dO~@f2kk{UY{t!0DVna7S;O*`XY52TGLiIi~< zchRar7?s4H6J=6QO$rwP6qptUuUOmx^>4 z&iT__HoiYQWft;M2KfryIv*Ivgc`u>=wSRc(@Yn?b~~eRpj{1546qzAw4!MQs@VXo zVHYtWqwSx$1g5y#NI3*?$=lB$eHo{h2q^cX{E`3`La`Xtp1p;znqZr-(@$iaYfTb~ zOJ%L-Z@T!oK7jhL4ncjdwg;y6qsm9I$+HbG&exYvchp>f z+ZC9}n6ehPes`FbVh9ys6nuhGy&?fL?A>ts;40 z_VVzD*Kp)2FgKhpvl1(?^-H7{OL!28oJJ0Du@ZV4g#-Nkt35EhLx%@2OqH*%?o(US zebOZwEuWHE^~&QNz1(cgZxHR!YgGBFaPIgyj2Qa!kHP4UyXJh>h#Daz!CTpi9=Jey zqdm}!Akn-PKdQ%$T~&5eoOfcKzjl462=2cndF}Mjty7;>l%jN=sBH5=We#`ma}S^Y z_IaAw=zV8>o6pyqW`gVDY6X60|0&x$A1;p!{imz}ie?B#u6iRlBe#5r_Na< z%75P-I&FBWd_P(EdZgfbV&O>gug`eW9A4K5p|v>RY>>=QuZeyqGDyN4)!7tK@~pgp zE%vH!P8D;vzk1C!$QB(0OM2;P35`CIz?OQmMX+ z9Y4z`vTkpZ=m~R2sm-XvtfJhCCId@{}HTC&l6wE9sI%5)4@ttZ%l3%W7l>H4jIFNa+Z1>e@s=3Gr8 zgq2)zcV^u8vq1XbaV`nqHd~jOd4Zn6ue>_7b>{PDuNR*n-mE3dyv!)z_fsL1GqM(0 z!wH!zqu6jMTv+%WV(;xJ9-NG#)UTY!horR)Ug2eCDc8-Q2$siaFPVWQts9qHRA_pc zWgeiqH%IOzP-Rq7!Tu&f 
zu(p!5yY)BIj7#Us)g-ieCoU5!VjVrp+Z_|-fC%vq6ULdJ}>!zxr#+)2A4l1dgeGnq?ROQK(Kb6&a#TN!g6=r z!0&{!uZdA-wT#;Wzy<^j^yCIs7u>ZIu=Xn26*7kzY_wV)dAeX_v9uZXUEg|?v?8jK zR(oH>`$m?HneiG?18vNU8W*C%bOjd5^2fo6qwTO0A8x{8KnJ+vZIF(Pl{zzm(BO*VGXuj<`{J(DuZFWXBA<4)P&l$>i|5!-YjHBWNRdAu+vp~yCyn6m++r%^uhq3;DncN!#KUM1g z_Hw|MERpbZ-jRePN#>2@0=T?A-5|T|b(L0Y-VCt1{ZJ^(+ZL9Af&{Py?E7REve)ow zh?mzWS~B%#Pfi{&4~la+3Ux#~S;b+W#}IZ6#=>cbu{N&$c8>53WMf$%z+|e^Z@&Mz zfDKii9qqv!H2|^o3Xw9;TS2mkqUqW7*JLIvj{#GJfyY)aH=YtvWI~Xw9@v>*6nI~1 zcBMlfCu5uaY*TOxvZo@{T8)%NDa%jV8T|o@Mp>pIHl-HI6WFkf9uXRkjt0IRYc@;% zsV5jM?1-4C?F0ymSG2H*fO1M{*awa4ZMtdrQQ(kG-sa7z4K~6kv~Jb8VFicn@oEu) z(AFZx6|pMyrhRclomke))G&B!*tK{sqv^z2mv)jBQBtDfCd$)jo4q{9lOVAzk`9S@s6+mdIs}T%p+Ymn6@Wc2$@`@xX?8KAnOa{p!#zcWsig))g9s)5W*!jCio&G+UWd&=4C$8|@Up2F-yl&AA zyH~SrDPtfJhM^xkt-8HfBlDS~3*%XGktO?3A!3tvO>}}e8rn|U9|F?{mSrNn3b(k& z?J}?wr5~z&6vEqD4n1$Ojdsm0`OzA;*FsI?z;8-T!5>-(IanX;u{Y;*Qx!b_TP*&f zn6om#p{YDM>@WtjB5I{QRUB#{vH&YCMkDK}up^LJtYp&dL#=nNfU%z`Nj-pkCymy6 zRmZ%Mhcu>^RDobXA&`+Y=5i2Sn5J*fRywLv4|#SFBU6`;ko9=@d_o6KeFzwfhgMZl z)>I4*tr^4*pSa4p7Nyx_8W5ip(@1ylo+L4qERNM*^hUVRitvtvbcp8ZoI^_Mt7z_O z6Z#|*t4&S35B+r@<$6q59e?hu5i@t@o);2=lm`i3k&reaFTM>AUR_+}QWY29N2o;8 zWC?(q_yCx=@n`VB{WMi=1U)WQu~I%XY?=o=D(|)EXOG!1=ZWjKoGQBYy-`Ivco+&9 z94?heK$b%REKsLQegRY43M#-0`=A_`>_Lv->w(EliaHm>=Vj1Q(8xBo?_vz7+94nh z$hMg|53530S6m~|WK{s-q%kS>oKOI$DU+tTTiS7A*^~q$`bXWRgfc$^;%h+*-tY(A z!D8Vos(8|`et;z^osa!r!%@-!vxK{vH<*LkXr-%WE=sk(I}fZm*^RQ{9CEoy;fo(- z=Hbe&1H;Y_N`Lihms2Lj>>7a{Trd7T zgYYObOPo)G@VvBFGV3P$!#f`n^SJHc-M+nn@T}$b`g&3|VT8tH^UGbx)cYXQ8NNnE zGrdeFHQUEqXgo}-s~SP}l*n;_g98g_R$eP8?&fi<5sojir2Bra_nta$7W$~e1nM~U zG|*z2%$g;r?V+hkD0I7$Q`De~!ta7XP8CJkn;{z9>e$6S)9&qMjB;rEmQ`NuasP^m z*itbWXBC-?ma5v!M-!juUnnr^i(yfUG}B?@ED}xVucB>`c?q)WysNGjOTzz$N4EWy zE$naw3OCN7RQL-xtFrjbdw|nZ)yBY1gc9^rej<9q8$NQwp-bpd#p|WU?B&S|gQc&t zYO0niZuLQ2WIz(;q6F+yh@2A+gHa6Tgm3P__clZ9`GMDS>BCSesdhJU_#dUQfyuK; zM7r~0s`~VOSb>ndkljC&<*Dw96%8_x?jBp{;7?8r7@JG;W%k>X+4P5^r%i+GCzR;C 
z&lxW1f44?r5JCcO{X?CgNMNksR4-x!TiBdX$U*A^VLMk@g-?=!WzoZh){>UPxPB0d zGZMmdxd6N}e)*P1#hbp^G{=_LDcz^P6#+>7^IPe=oXtnsZv#(HcnO3{nTDjN+y~M$>k%ryVX(B70yYB1QPuRnmD|`F;vtH4inv@t3WTwFmY_B~w{wR9u zE!K=qgbYi_D-$F~vC7^bZP%|#VQVIEh^0zf4Hc5W1=j?SPCOCJe&0=?gYYS3y+a_5 zD_LI`neu9K?``JoNy3((Llpo>VKv6&MIHNijtdt;hXWT~!J`o$L;}lE-7!Q95dKwQ ztphCv^Nyq%$*SW0JL3>o^Z8@iWIZI)(O_?29eUg|w-nAn=P0fGwG6bQo)=cq!nTeM zzM{N=^FC5I>}!R%nJZ{ zv&M6IuB_lYc)Vhar}bcvmHf?>+aeU-{hxso^_5GeKv7ex%(bvwda5=$F1>&`B4XO6 z=uk#`9*4cS`SP2>D-z6&5C-y`sUGnQaI+ZrEaSX9$m>(u&UIvdjZ=!*oow0D!B-Sb zD6_TPtJj!$=HYGla~&q=zn{!nKRX8Q+F^Xj_X(%X6az)Z_4W-&@JC!e4AypF8b0kf zLM3zotSo?s$KFumTJ$rjx5a`H{yNsUY9m)*wHBTIXd4%%7%?l0GiQS$y&5ZOVHfSy z$&G*vQ&IMygoIp<5A{Q*>;L+=N9K!33eYz#u%TYFFVWYl3YTV4l}@e#N68q`Ud;nF z>dZR?)T304#2|2Xx@ToV;3@ba&ODr*tP3*qf%r|%L^NZ=99PLbBm&dxY^Nhw9qcgk z775$K!e`K(lfBAPV7XAp0W8;_y3{2)8CTLo^^wL+(s?P`Wgkzn`H%v7?T#DMtggs}5*6avE@R1aftt@b2D~(`Qf|-J zxjOp#pror@VB(k6JKCLv?tbKmP2q5af_{jBaje{ob59^lFiciB2uAo2XPsg~`a=wd zgn>%wBWTEkNP(OzVvt{7C{_)H5s>*##d#B_SZB z>Imqx#shb?w25kO%daa)Qrg%EhQB8&G{9#H4#9~GpR8}U!^I8moEQ$ zlVN3+w4Ih`lNe*~Vq|T_eV1rNL0<>w9yh+$=&6jk01?CcXOfhi>?I01BqyXvksKEs z&yap#ZWbd2o_f`3WsSTsqz+TltvQd#LMZt1etpl%TsueGP_MG#pH9HszfosR<8XhS zb|DHY(q|c^2Z&8}*JKMy2`MHXH6oLB?rN2FJ zew9Y?Gkk#2H!FpJaEZzKyuM5KrS>1Di8 zj*GOot`qWNNinV;byb!~o>_V8`>DACr|NXJn_>v9we`2eB*`{Mi7{NuD-0J&SEXGvj%)zL})6SBNwN1I4T9E#I>vIz^gfe2gL=3hkl%vXrVzMTr zq|1*!#=nuzP1bA!_Nc6P19Nrw0Td26^^>~$;RYp@eGunSE7lClB(=8pgW_ePLaxyI z$RjLe=E6E*RU*iKb-HrJi`nU6fjxK^V>K&Rq*1;74uPh=fwZF0LRa@=?DbpuEoy8m ze_K3lyqwFcU;SZA-$dvKu&xj}<~=STp#Pj1+`_gB1cOZ$W{pQnHGjOhTnjkKd%*Yh zC*Tzhu9e5cTp=~*@XyiPG1?#mAr`2e$BTec z29-tcG1TAetZcR@bZ)#v1#11&z!?s#pX4~S@j*o69=}{trsBNAW8|_lI}O+>JQVU? z-4~f+E`mN$LHc{(JJdtV-`Iuvs{l#f=U`Zr zJ8TQ_yNql!=c#0FeFynh^<$4QN`e)kAtA>u1`oJuGi$7WFwjvhmR}iXk+=4m^sYL! 
zbf^;-o#}EsLR$7(Kk;$%j&3nK75V#2#@L@yc1gsmhdi|Sv>aef+4GWPpnjQa8hueN zcvCn9Ik(iG9_KKtRM_@rV38f|8PQP>wZSgsF}Esq2)ALzN3cBJRUBa0geN{uVwlyI z%c4?yaTlIYM_%m5svE*7lHd4s1!{VTcDz=oI(uc6w-U_}k#{FTW_Hh4Aa=_P#Cs2< zK_&uAJR>!&pQLFWE318v$Q1vua@nJ9RltFaJ?w);pk+01Z)>s!E}PYsddBn2CpU|7e| zGuXQ`m?YJ>w*X&NX{e7jypoZ0npkq|gD5(Tlpdw13p9+RN_N=S@J>>zJ#^efzH+2r ziUfHUw@4obgyKxFqzJa>A;)O9YnS$wBt_F`i~cmTwnshEhy_fB$tK0p%}70v#mw%_ zO5E0Y9bUxh3K*_dNeh-E{dFHIX$f@W40Rj_Cj+t%$`i5g2h**amh&LQxQ;(rQpP^J zY`bVvi^#(*wW!{N0}+&aAmA2P$I2@00At|dtIrNdhty>|1hlS`JuP$%u(V3yyx@HuD>{I z0;@OnEdrE#^9@p`^JSY_e`((Vy;+CMV(4ZI5-<_qD!Zkxdr37J+v+iON%wK_ka~-V zjc4;s0?lC>Vq}fXO$KInQA@K88-)nJO9z7beD}d1P}S)=_7F}~-a*9`2A_Sufplu( zhc7TPFCe^H+LCHAX;8j{^d%T0E{SGJ$XLB&+UxUJ(U)hrL!#iJE#d!ZY4jNnKnvXA z<%)O#Wd)uD>Tk32JVJLMJ?p@9Y)WksUDpCy0VnOA<*9I(iizCC| zcRmNOSn~zJKpY~HzH(lA%p0MGGSI>^UiU11(!u*YJM_z-g;_lCe=%oyUuS!B*!~i$ z2sx$#Ps_RM)9dW3*YX^Iz?8M#v`=j$zy=$`0J?T~QVfrZ?7@XA#S~;%etUYDwVRze zf;ikjd#5k(eh#&Pxj^(s6E# zNn6GK;pyZePXy`wKt-SJr%OL|#z}T7hVPf#l;mWiFGw@6`*6`&MfT$j$h|}EgX>5E z5iYnx4yjX^C?L~2nnL89DUo|GfJ@=)S76F@-Zdh^QDFQD4^Wu08ql2ngf4w%cOBe? 
z6-v<)86LXxb0(FT(bU@AKCWJNZwH?1`*tAL2g{PX~sLZufV%96bFto^{?;NNz3o& zSS43iv3EI#+x~l3xIzW@{rtI+Woyl?6Nz$ly{29T#UK|@VvV4!I^c>yF~BO5)PL;z z0$&S@=KLRQyr1&6{}C+zF9zE=|C8?iA2|5`&YAyDKkL6_;veM_w<@t}w=)0#*Ip8Z4&4YV&c_@z&e^uIcD(O-n6UhpSNiOe=7A^VHe?RtKvo z&-{B?`5vpXskyROXq{298cpF1QxtgA!sVx%_g(%88(|OUz%3=Ohxg07?Qws@$B&7} z9TxEKtkJCQeLouftZ(IM)Y@*#WtoYZ?rReQTL7`m(ADzXM<6XQAA; z4mCP7!li;R$bkLRgXbLBoHYOCygEZ)GDiRR{lW1aV|7Q=W#p0foFBw~n`g;-F_Gi& zR2=swhu%i>(}RaQRhT1orGX~YDV=4hS`KZ~G4D+cS{O9ro<%HnCpAgRf%#J5I`8d9 zyJatXyrS!C-<`-!W9>57({xSa>>vxTr?JBgmKAC#0)L9weOF?Z~{~hiuk=SD)p#P5JPqZsh0&G^G`1{gRv7qUKV z3taHj?Rw~+!ZAXGT;MW9rZW%1rt?fWbF)O(1Wk7}qKG1dVJBh<-UcJA}??JoqUu!oAp1S9}AL-plJ~(n$i`&})TE>Rm29dFuJ9m94dPpRO0voUG zzGBkPYGGyY-maFe{0r^i`7YNNK8p2OUH9~HZjySd(#|A%(gR3mBo_gFl&Rc^_V};D zN-BS%9@nNB@4}U6)zp^dv9wA|^0xTByB+85i`h@J!l9UQ+(&kau4Xnjez4vaQv8x(Zf=yN-JLk9_ZJ`N^-_iXb2 z4W$*yD~Ej;I5e4{A%&u>4H$54Lrvq$BdFo)q%-5<0d6MnKqWbh3-Eb7t@*w+0R2a@ z0FX5y{4$4S;63tBPQ+6;TRMhFqnl#ISxvNy)c=UaM3({BWJcm}z09LiaoB0RwSyAo zHkOmRzy;QD^GZ{3#FdcUE{2aq^KK2o>6Ey++h>XMX*;cn7Fq1gKd^X&{3Zcd3WQ)F zyN_v&d)xSv<8^zsaZepwHbtQf9S77MhiH$@5-G|V6WgOwB6H7@tBcQLBb-mO`Q&3- z1Aw!cOY@|Bio;Lg!nyHaNvv0nx2v)#ltq;VPU7qw-;LXl(2=)md;T`Gma0>Yqoj9o zJCTa4c^{bZg&!X$#90Y?b<;%HRkk!Tr5l6Zhr8D^qXF1)suawvI|An3fo8}`^sNB` zFoAb4$EtsKOIB;K5QBrbTt~s|GRSQA%qC#=~ z17`u|I*Y;h0f7)QvFr8OIttM9gz(I+Drr^qvDwX^1+h2Yrd-pq2Ero7INZ{ME%-Gr z3f?9~d9Z*HmqcFY+Ts>i$RsxSjDUy~YDt|gpduK--KL7&_f%%;X11l52Mk$=7>E~x z$(J|B=5yEY9$`g)J!_`Np*F6ziPougeQFw+M=Gl;8}<6!1Ewq0L@ul)(iE}HoEnYB zn4BXu!;Y657Vn&0O}Q!ImY7UH*BoV^pvz0F+MsWB>+Hhv8l2X$cApo4S~-Zk;mVND zPO7@_7F{;kGsrqnyOvl>jkwFBgaY`hQ9!90?0-jyS>alWdV_kPkRlA4dh6*QhZlt+ zS@M?!Gcy=yz70iP>?2Hj7OhJc;+#*3Ig zH)4@A324S!1@A(ecR<9$-tTto3N!ZhUxcR>2=O;TMDZaSPA;XVa!hQH%8&ks*$0v= zz7JOdo-Sr51*ICOamsiuC0M7zC_$;K*G!`u8l$Aam{``DQ8&VAAi~IsHTC(dvYFXf zxN|#<>FnRpJQ{EivVQ>V=wb;Hs;{KspmIx5XrC7(zl_?YIRhCATa5YlC_Pt-#E?7G8o>m-=}-|BvUpk z0O5rgFa8%p$qT`;8M5FcKInyb9704vNWM&DaT@lvW|NhW2-!7(Cr42qhm%E1EX|_j 
za0*k+Z*07){BIyy0ZOztLOd!^He|m23SU)T96l!CX7C_3pOlMIp={^%uLC zgvEFrL{zkWCl-$>sZvqB--c`?H@ozlH7DQi;I z(E?n`8c7>0g=N~!lx!DN zAtj%TgUP0s>{GzjP?yuQFYS3HB<^YbA<;$)=sD8;0`0>SOFOo}b9pW*cRcs4FUAMw zRuW~#wwDwJ3xe*$pMt>%Zd2w_i{_%tUJdoQ;)FL()StIY`f(KVp?@Yqu@SdPR^A|H zNAHU*1b10n#Bb%B+}&o6)hrW+p>gi7eVOv=p69KR-*zFkHr%UDvEX$2?yJ-s+Xcv* zGLl=N&{OZfT7X#}7%fM-T{(8Q zOK^pw*Kp^}C@U7}8>bPFn?Ai?-W_=}gt3yw6W`HzY{fGdj0;~JC-D=od8G;W!iT?54}PjL{#8yfzjsNIeVq?)^zMveI&u z?fuEf>&58C6u?{~oXSwGW8)X@8*2}MiXTXTiU)~G%!?|v zx{DRsTn@~br;R#IH0G>K6&deh-_NcZ+)6h43$Vqpvi0NQ{7A_$Qu7?o_&S(o)$BZ41}QHZ+)Z|$ss}4cf-28D=BsPyxIaI09#cIto+mem-V%#OSp0C@T!l zUaLVKYwh`tNrr=@Xf|$OhazsC_yf}Wco4#w$wk3HVk!1t6Y3tskXDcL>aLR$`J`#a zK=5UO1iT9 zL0?>78Grc3UhNkP7yq8fgr&MO?^r6~9ZR>ch87eK5_TrA zxeYYBJ!=C|!gC(pOR6VHquAz7($+{e%5(W9I4Ot|F-2x@C~e{4YwfXgY8l(+MT5vPG`FQu+r?AyTm7~4=u}`8D*`JfWp?FTFgX#_T{w1OiaYfuGE|BR zRMuC3Y_}r@pTwVOVvlT0J$@?|ELW1_uo2FALw^OtJr#4)cGf+-Mb!i?_WE>V!+gHO zVhHQo8s`+eNhu1v?}fQ_lc*>$&WIQs1&L3RkWxhrK}QS;?})pF`Pq`+#MRe|(07Pj znopJTuA2A0<}6*?HWLt77cy{*z8rQJtq4Y^QI8^0`D8re*H+B_d*iSMv^EFHycZ2$ z60Il1xr3)Ign$f}25&P{z$WB1adDb3RpAy|EfYH83!b$Bg3>MXU%Npta;VYL4kJp%+6k9a38o4)Tn^BqTL~(=aWAuO3!rxvfJkgTI2<6=PklJw@`?*|v zz|B}V{5wsUo~9atu6%4{;%x?E>^j;*i$0$1>a%pPT9*uF=jPjnSZekC@TjkW{v)L@ zc(9%3YI__Fb#>!&7z%py`bI1vWttU{Il5zXjkdSmSvub$-707F*uOwKIlzKxiZX|^ z17%PiRHBT%j|g@vjvPGIK0aWcVsF83>0)LL%S+T+G$CtjFk?_521MK!h7yh&RaX-i zaNJ&v6v7boByBA0fAnZji`l(0!u+u4C)8MYWq1lE_*pW@E%9-LN0be}ygq$h#~3-3 zF&V~;%dm>O&GA&nG&^-NnpYTryPS$MTp&6RelT7Os(;9mGAzBEVRt)++C@vth`j9l zm1Y2OfIeH>f&V@{-9C&;*u;)hTo*k-#(p$#if9&vH)u%!lG@E}KrFl+r>u&c*>-=j z024!|s(1~Wey_X4$jtQ;oNUp?)_6>>N}2mNgXKm0Qp(F8f}0??4Lnb)KF8hzAfi@9 z;y0^T58w9@!TLbnDJ>KWOyYER6y3>8CPB`Q?yu*t<#cTjllW)`y%4$>vY2)sB*cs5 z_hpx9RqJ;q^~mg@7HDw`!hO$`j#E|jJQ-$2d!OY|vQv1TpHq0wKmkP5bfCndfU=w| zd#lmg=2w&{H7SF97rTbN)~zffgWf) zobe07*38~g@oa+IY>Gk<{~yF}f_1|&I)_c*+Lxg1ZYTB!G zy@9im?U%c%?lQ){b#|1N7sAp^;7(aUNtaDTK-{zw%=|=x+U8t!fmFC8v_;bn`t4uG zqJFkC5>c?ug6tphRa9=}+Tn 
zi{HtfPeCH`CfLgm?Dmz95$Nzl)@*y&TpJ^1h5~3G8@-413L?maY#U!>N0d%#7YMKA zSQ-Ye3Ak1v81YcFXx10J16L_4a_Nr(I?FjgbpO-PC8xN-&#768|-6la=AW^;!N8Y4gA7fBzL}^S`bA?@HnSH<{J{tF-x31NvW-Hkp1f9se_8 zqgvZKaccDX$r5vw@(g+t$LDz!pZ7^>2New!oy6Uq>5GkW zh+aU&1da~){5vI=aLqm55%_!Tww!pBWte3azf4c#-F`K@+BF90AO(Sdhu6cuv%lZN z-6Ut@DL-^-9_{1*sLYh3{AhAu>J3#0X{nLg&K!YBc<22Ua9Oc9Au*nwkBeQ5F;-4@ z#HB+WS{KCK9h^06sRReRB@kK~hZv+I7@(?;`bTk~E@;EnX3Z|pdP3EZ!zOX1uGJ~h zFI7n!va(s5y>6P*N2a#@DxG;d+eWsM7%}=|*$?Tf)=}k)e@jvh}7* zik+cZiF3+Ad+yi9rpTX$$bRp)@b~ZweUfx%?;B@A1rFvW6CGC6nKw=t$bi;fW6KW( zQpkJCP+3To=<@8=Y)6%He4CC1nGQ(wpdEKyv6v&J(*G1UDGHzW>u+ORsaLPx8Y`uD z((~7MpV}Su$`kM3ZE7)&;>Cu|;eg*mK)9yC=lC}LG~fya)i0F1uljZ+ zJFy)hQM`YD;2qs{PiU!}Zp)v3zl!;!esf3n>8P+-?@%ehTR+j;>Vu91t-jVCu9l2m zxOIBII({7*>d&fz?m(~wetYxChdr>BZ9<_mIYcN=Ayp;Zcdztymi`5)U-e%z7s5pu zd_-m(O=lluPTqny*;Y-S5t;U)KoMyT!|v`5t-$ZL&uzGQq$i3H&L@rBxY%$Kkg~il zi=(AGRv`Kh%tmn(Q>>=GlMHz>V%2`Xg^)g>hez6{ntqFJ_~Tsi;9TrD9JGa8d?O=r zXA~xu>*yZSo%pSfmJe?9KI*!76=N8O%%8u^@G__uJ^>u3_eX*?^e@x-gmkaJwj>?ecHBZo2=gAsoJ>-Qdwt=&L`rx{UuU+qy$CSz zYCUUnyk2Gta*~)jF3C4J_1JgusE%?jbnmhO)Q%Pf9mL!@=4wf8-0)q;94gP^VODCl zT3x5t8G2Gw7ZhEQTXEeaHcwt?A6&M_GuaAzQA@=%+sSO5QZ4334ZEeER*EYcjY~Q* zH@+bnh9ss%0U9x5*|sT27%P}0=HEI15j9^qpP^@FoCFhPD<8oyl!Sdh?&?MNEV zN6kX7N;X@YTO?PY-1+tk=0++d5z)JFaYn7lcU(>AT6U^aq7w55wLmG~0}^4G2yGSq ze5F`X^z8q-#|=hY{=cYuryxuK=4ocaKhw$* zqE|nmCl%I!2LfNnR&${BK*t5p-$`5Q<7l*(Ss*xvO=o3)s#0-y$ z9$l1lQb6g;(TAXj4@Md9PH6Zd!-juLwzz?$TK*7N!bzGFhCOHPO3_H~U*c=Q`g zH7csD3|W&h_s;EkOPU%&Ge80>(}uhNjXOo~ZSz(N{v^%&?B94kX}vTFh>B(JWvp<2 z?H$ZuaFupfQp#lwn%{7em)u)F5U=7z_D!G8S_nVbL4ryNW&NQ zD<_b9no<4t8beBn`tI-ZB&R0x=7Yd`pEbrw((_s8hn63uRTdKSY(yZi&QdEoQ?gl4 zk}j)aO}tCOVKdF7s6!eVdzg(hh32mGk7#WOQodD$Anx1=MMGwER-fI7RkR*~W9>c~ z=svwLSB>S!L?aSsc*a*smbH-tBS3$?rrjRMSrH2aMI@4xCAu4UgXdvOG+)FRf&J4{pQ2AK-eI;OFRWdJy z6MKi6OFeGX#K@n&Sv<5HD{94HgNfr33Fkkm6$FjIcg4Ir_vX_#x34#>aad>Kp&S)X zyfN!M0)>&ldF+igu4l0Q?iFX|{5Z-Yc^X?M1^6pP@fTPCiOnTa4T@E5BOew>z4{{< zs`|c(MLiHhn#cvo<(ZRV&%lC{(NvI$Rh@#>*JXt2>fVvAG`EUVYY2O00xDPmktH<8 
zETi&9OcyWa?dCV(G2aPDgZQM{jV%6LHB(xC-3E6V{B4iM%0K!IEjmPKmJnJ{b!_FA zY9n6TL4|(!`VmG{3lmf$C5Ga-IjPQK0 z1;grYP-QT32ay)pNc*+54)x~j3MLBX_j|^21nytySFm zAke{edB~wiyrh-mM5S10N~TxO}2=&xqK5$&gv-(b{)$_vWf6eGHq7D}8*C zkPB}sZ0#@N|kr_j-5mf#05jl#EV*1n4uXmy2TJq z&AC}%mt@IrHSzYOA+p~dMhXs-p|V60^$+ksHd1I!#&fxZ#U&k_m1LrrfE@&1Tw9sf z!rD^Ez@nW2;7_u!emT#cQx6F-!Cp`jatunyNg4)IXqn>84N6inO$T;0oO9uE0-bIZ z=uSJqrhI_jj#u56bjUxm96>A>hsmh( z7-)@psd;${=lgBTPvfqygY|Sg9J!IJ!Ti2^xNdW*ZE}4|nrNJs0;g-f>LmCc8U=X} z+Pj9eX4Qm&YV6Cg4%jp#{3sfGCAg7XNE-CRmFrH@x?-@57)!g=BEzZT?!PO9RIxB` z9Ag@Jgod|ONv-(0W#&40h!(zBS#Wtn2odijJ5=W>NG=4=@B;B9^dQZ1{wckPr==cA ze!`UxzPKJpTo#x4RX1-hG>?^3Q;QC1r1qwgZWc&TI(|*u9y^4ld_6-HzFz;KjGnUY z^4W+#qNrr*_&GITe0jPycTH&w+wWc8p?>%MrUP%k8OI44*3-%L$LgnA^PW}nEH1nAzlYP6z`Bp_cd zF}n79SUj9VNQZ>$5QplfX*tuq9Jbiuy-KVnTCzPy36!(Y(JL?YFyU+$1GN=4S*T)j zO8W;vNZDMbqZI8WqD>>S-3IOw$no)CdUjE9l?xU)s;hOvn9AqYNSP@+VB!uQdM1$s z>m|f#1N=a0o1@)D^XMR}thH=_W$d>=bV@(`+_=t=E5_vuF%WXv^(;hKqZTF=2+3xm zKDKlYlqdDOZGtGetr#A;`|Q)+#>2lq{aEFgI!U8e2kXr}dPhj3iGX56UVGhpSp>tT z(j3ckR_&K^pQCHEh$Fp5XER<}1P6*6BXX6UM0r?Xa{}BHy_<8~Nj2g; z5N>D)`m`$s&hFg)1kGENJPCiV$70e>>v9n5DlAo(Wlg;fEBKt~dXnXPyvNM)x=EwO zVO4l)y_CbxG4@9j%LcPcZYMxT`ut78l(4=K&PO6mo+iPX;3UT-NAF2+BUwbnzyIC1 z_(V9P2%dXEyqskA`J1fon6@NsgFs(v!xMujN+uciUg06Qs~mp;+`iC*XxT8wq=x;p z)pD{^c@;5m4Lkx@@Y*xoQ5ol+v?NoWQy{zy%1Y*(7EUKW|G8d6UqM^FRYyTS)=@+NA4C9FxQ?@VYu=cNM%MvwAz*hrVixHsArV(Q*7#&oeM6eWvr$nq7dTx3jnL83G4S+XY|c zJZkv)B%FLfO*K~F&4^0LFvQhAyNp2Im=1Ec2-jmR?3=}s%_lIl5}g_-835G?tUr}z9q840DCx6Z_DliV7id>wz*Z!G#6*-~+M zA3}GDH?=*&)-Cr3K1;6b<+VBxzO_r)o$gp<@cwk^Yhv^J-Mv0dk$c4W)X)@xn{e@j z>$Z778P?T*!;DhLF(PAMDBu~8%x!82Ihbrc&w;nw>Ut-zLTh3*QD8{iRmrTho;{+P zi)661fXk;{VGh*o>hy$o$)nCm;)noW`V~^AWFrkDc)px5DN%IkM~5Zib2puD~u^B|TQT1Tcnvwh5EI(bmE zWsDL-H-&nnK{X%az!E-PJZ;~3{r@t~$(<)EoaCT9@h zQ8Aq&g7eH>zB>l?F*`!dP)c5!Y3>L+MIXK_H2Eit%ICKz?8b|O%*xRCJ_{BZp#>$@ zL@Tzq>a++#Zf`646kT=u@Y4smYjYjB;h9<}w$LJgEMt&S!rE5AijB^t50<|yR{_Zo zkqZC=yUbzo#N==QHpb6r<|QHN01l-HtFDx2ky+TLU@>=>8-L5vp8rNAZb{)N&}7U? 
z0kDG0QX$cGEJMVz!eN|tXDaSaNUei>tVrPn!@CO@EZl6}hux9*w4`5)m3aoVlK#@{ zg;qS9UX+2&A(vp|(Ke>6Ag;Q_8QjOC#dP#@gXT*EeBI*EwG;y>i`Dd%&8U|eT1syG z8V0`U$b3(Jn5-~dZE1j2K^mp$6wjpTnP)VT;B&=soAt1WK9pkdv~5hg4gVf|!!_Qk z7=Y=gk;h(mzxKB_wXFMZ;1J_Kf=T}!*8Gcbi18ml=`RZUU%ofie-e~`2@d^p?Z5B$ z{~8Xl6RVLI2ST_%TY%_3IxvXnm!Y z7t8fxX4u+zk|PiVxJ8w&{|Hzvpirn1qL1>2xeWhLt60s>Sz?qqa+*%s~3 zFaO-1UpM?;!pAq?m6CsM{HFA`Pjay%^egektZcHoFSah9 z+kE`JtDIB!zEk}3(nnN#fpfb*1JL6=?heGeJ0s}m>X=?Ox9%rz6Vuai9-hzNseTCi zzIgmStvTgQo32z#Itk61e0=_{&l0JvJ@-1j-*Wd{(pcG7S6=fhv!;K?5D6cb)f3XI z|0(!_jC6!`)TUNQPZ#6c_VPCM7yRpVgE_l9ov^9*b~K0NYE12M<9|`-92FLRg$&J8 zlRL4&FgeXGT{Pap6m&8drkBwCdr_t~x3WUnD>P?Q$ZkHh5f9C=tSy20dvj$8%6@$D34jo%V>0oTy+xaYRa;%z3} zw!CAh>QNZj2WA)YlfAt#l>l`r2AP$6hcTj2RoQz3F3bVd+}f7Nw4QgpIWoc#9X-MK zwf;Ta5}!C--0O`jfl!TLBV)476*l}L82 zGuqZ5XPz{Eh$iuKf(jB6tmFLbl8*`Py1m%RxGqoE)XDr{#%|p?yZ1NApUd0Gl^)}M z({`~-2d+f$f3TpjI3TSV&obYJ0dv+MC{x>*C)J?7;r1-&aD<+n~tMjJ4dpO4V*6*87{fE9SME~%E=Q;iRJT++Vw9DJl`j*$d z72r@Q`>4(e20iLB3D6jT?3Fh;>({QLRWGCXeY3R9Gl?AKp(iZXsjTQB=9X=F)upwT zS<$)f&55Xvyt>fg1;57xptcaRg|a_p3Ti*#XR4eFvUhx%VrgCV_09oR z$WY*-na&IFx)QyM3HV`b?9_xYF}?u4Zufo z_CuJYiOG_DV&s%4g%_Al(~KfxkIELip_u#?AE>*%S%y)|R2D7G$9+49;`9OY*~u8d z|NI+F#B(NGSG>Gp8g;2>XuqS+obbdBC7mGzx@zIDIwg$=r$`m# z7l;5yef>BgWCoyVHQ&`g+2R;4(roQPL4LH07JtEENOmuOkCPu%huo;sJ_~)5b?8CWZK6f_p&8Q zYBK{2ra0y6a|G&0VxbK`Ep$@o-^5%cl!-BU$}c_>%{JGAlE&O=G(VOF*|@9%um!lC zeAKT`(M!K@BQ0;O3EBYrYJp^d4S-dF)?+c6l$HPf$oC03Qd4XL>f&Sq8Gdqs0X#DP z(ay9?(lS7pgzu3Z6cS1`)}+4EzSnqHYP~_sJrz4a9Giuni>dY#P`6Coe!;9K_VjfI z^U9>v4l^tVGu4Pq@`wKGO9_+~)OC_h$X*7oJFZR<5A7ba&|gh}#w3)a*nW%XI6MhU zTJ)PHDt<`;wiqRe6%i`=-lXsA@*@a_ri+GU9i zNF=gE)O#mTy}d8gJmm~obxkTH7AO*Xlood(U(2}>$8T*WB}eC>?iFgI>i%jtUHD%U|U+E4U#JR4P|UGpAu3Gj54Y zSP{%C9;jrb&=OGP+S<9BvKYd-MT&6N(s()`0Cq-fj6vWuia_Z~{+VVzcK<>Wl0xcN z4_;;OKP!I=$5J7+p6$Yp1YIqVp6V7eNex6=h0` z4ONg~dlL?EMdD?J@i?3Y5EvCr3{J~TAAJdLgAr#Fw?!P^wHO_g@D~fQt4=LZXr##z zOiEOL=aUl({;oE&^4nMm;g%!@$Os!ICXMK`G*H6FU8G8IqPS`ADq_BdoEL-iK4Div z@sHw1%mVo0&fNmEn5PX};?x5Bwho 
zC;f91!q$o1#9D!{Hr&YRTHD(em<~Mq5URrSecp7W2ylRbuWm+Ux)!4==Ws((69qx* zRIt+0lGkjYTVinz3gcSycAg9oz%eeKhI)XUh`?7uTAxViKEr#2tWM!Ej1x%F`DwcB ze8`>Nl7!40=4mT%DMp$z>LvyV4!HPs_sBKa&Kw{k7BijG`Iea6PD0seqgjSHZr|lM z?Xu(mY{{trnGD{EaMK{N5oy<bXfD_Leqif7fJ!*)$TN&zu_enK+)4;Xbbavd>3_d0{W5ie-{>#;KYAG&1eD%Sl}% zPlEUjD!q4bAC!Lo?%I%L_&FMAqmhv6%?#6Hcc(T^bsu0e9lQ-WN}iLTD8(|+H?lF< z=rrPcm_sh;GuuE0AeG__V4iWwA=a23T&bY~0v&hi%2= zUhc?@v{hApq2xXDUxpO9J=jto7z2%#VPg~gsi zW}iaw=JmwLjcVlTWW_b+=sUi|rCi%ab^V!%`oaLXWv_W39|v==Hgg| z29cAKH(Za~`OtQJyqnc}G*`1aDL^FzDizOR9>HLw{D|XGIY33EjPcT3zo;RXD@Q zum=&+v3-oIX+giN;{gjK31FdogjxX8wVB!m$+URdyC4QJv1&@n3kHDIXtE(5Ko)P zCdnI5?9B8~%psiEY1E*aRyp&Ugb>~e7Z=>dVi~aK%CUVLI*k8V<_1dJISs-0}Z_pZqWz6*tAFrn*O?7z0?R0^yMqd4IaR42zA0BVATika+P%g9+4M#@=! zAnj&R5{i-%xEmPUA}JN=5?>v2gV6xltbEnqeZnjrr9>1YNBPR*dSJ%!r)P(q$Vp++ z8pxZBsWdYEH^rj*o2Q<@qWp_ie8qzQNMgI2tNhcnYJjp_U!(W^hU=ZW{dmF(4H!>s z8WA=O)JFzwuhA~$bPEH>=g}nu?lj|{E(klus;c4uP z(=2iCIKL;#F&lVq&pDi@+m8_$CmP<*?9}_edFetTIm%5c!Sn(%fhM3=G>dwPpYZY_ zgC_3CEAzwJI2At;BT1_ifs;Ls-hX?dVW&In>463|Hi8~HoLBe|9<~i%L}$VGRRXr2 zPDY^pgEMR1e3TC^SozkL-D;3$`rfdwatt2Mz+M@0g3!L|>Q*wPaGK-@7DE0P^ zpVB)AlxelEM%L<%tpR7>VqLgMGeCs!jx-~PU(eJw&A%co;uHIGpGvIQBad8y&ZO(prKQ7yxthzWv(?_Q_3d?=B&I6#p_ zKy*{&4~>*9xM_XxI!>AD-hZ`c@v;bsMs*H*efYl$X#XM~c#d5Uk}|D?)1GFE^?=a# zQsz0f`At~d1fSsc4H?_+QI6cqTycN1@g6?*vYG}%xRlpqqR=zi2V@$bBfJ3((@=4g z4S(pu+i+ADFkSZp9y3~H_}>AN|2X&duL6>P#9IDmK=N;Xn*T%N&Hrw=VP*V}k(mFl z0SOBMBh$ZSll}!H{|8(G^`CJG(|>&6{~Io0V`uuW8J=57IP6Zob#>)wt3!CPrDagA zdu-xFYmb{L<**yX@*yKn&^=INVMh@yy%RrY$pCUdssirn=oJnW!;~&XNRc9Xa7gLj z+HbyZZTAQ8eXGae`csqNFBjlGD!4Kilh*}x=R+ow@O>$Dd6ToM!+D)pV?*m~rfY2@ zOZ3Nop&I4I{aM-lm{VUD?TujBw*P4O+}mwe-{F$%{q65ohq|7$4lXjmem%wWfhf;%&9l;7@cu+ z?8kUtpdWorKZRo+V(!{o1-0AKKer1X+8^M&Lw`Sb-rjen%1gcOHW1v6U|+W%zU{Pf zc*p~Nh|fj`DE6=dc;6+Q>2uEHn z!a7}6)AnE(ddr|28#!bdSg|{KDU7uF_JJqhU89VsR4$yb35<1ZE|K|kX&vt>)LQQK 
z6D9wx1&4KL>rU?_U9?bgtXJ!NvDZFI+#aC6Q-aMxjfnA)u`N#pHy?r!41njACw#8}|P8KO;?Ti9$Min&3!WYjR%&64lZz?PrrNXBZJkTz?#6a3=P&2?qxH)q7(2!p8>5XDfI%|J2z*f0-1_)NZb= z`j*Je#tu!xLxL_{+$zC!**HiFGpA%RnhalZCk80x;7{@ zU)ihF@zhWE-ANf*PWgFAzwh|GVF7|)DY%#_u!C3D|5S3T4{UupzW>v{9Y+y<-ukM4 zEWgpOSFPp&X+!(%ewQy+oSsjII4XUNR1tv4V5aJ65A(RAXwBO&hloepGL?p*Jmegg zWjeEQkg9ZDCcLDcN~t>gS*#%W0)bt$Tu@yEFDLm??0siQ;v!|Z++(>p5N%1DaBo2g z{y*u7(qDSQ6jK|hqzDj7gBTSABXXG4s((7(b+cPBS(9$A9UDICLMF^$af^B+OmC3#)fLR#3=g5+M6VG@&&JKS67OS0B`=G;?du;3 zpL*Jd@&>`MEYE9Tv-L49we@+PZND%p1&;yNPn$UIa4o+g8-!x)#j zA*GFbj>8#qh|duhq2%TO5M<`>{=$V)y~r0FyP`pdlzaw=HYUOgeJiM&vA%gNuMXq9 zECx((cFvZHizS%jCKX+8%iYmcCfB&dzRA~TiEAA?Eq5tB0~ayHmsw;*YWk4h@;Y%h zVz9qT)F)$Y@24!M87J!vn)$PkuoGP|T<+98)mlUn7F!v(MNW;&xn|d2ttLT!R|t!MC%gZS z5TMX7PgOO!UgdIwb}|47dXa@2IS8Yqr}}$@j2CAUa4ENwT6VhU)G$Ove)LVGW<+^e z82jkfG36X$+G8uf3-vl&?OFKyN7_Ir4CV9rT=4Bv>&kE*Pa5 z?DCg+Z3xzzG>qlL{M&?WH^c8y@G129VIN^ZepjG)VL{0~B8T`lapDcymn*;p`aIeOe3qU_4SEnbLEQi6~!GT*LF4 zHAj|?dO}QZC0^oFSDW5J_GaZ7mRKik%WuRwz|h|FyRI3(Pu|aIU6V|lTx^F4`C?u*Y`fnxPS$co4-Sr?c8S>G z(sbK~VM&gso$<=O6JK&@qnYp%EzEo@z$WFYP)d1W3+|>T3O|@qbJ7eII4yuO0>!Sk zaE>IXKnMeq;2$Fz8jJ=8n!So_| ztY(5V9$pK^Dgx@)S4@%psaRmT381JxRE-zxlB#w-Ll<)r)2h0pzl(DPrcr;o-I*_1 za&FGVbM*8~GO1LBFFy4v&>aBd4vx8)CQ)3Tte?-5#;m?oy!T^Jwq6vXd+5dL@#Sao zN(o-zF5AbXQppYtexo+(v;zDUl196x_*Dt292d6QU=xuF(!f!5XDTmzp^P;0iA&)Z z`+D`6eoRcY~0HFqCJee9il%WVDJP&%0SHC%!(u=MEK(fb% zX1=r=`9&7>@veXp9e5LLiz;Z&Tv0dG!FN)Xl&=r;HJ}VB2X!v_i!F8<21Rcq{Kz`Z ztR5UBn}#Wtg92;StbLCJ0(2)G;CBfUP#A6kf&d4AO4KpLIs=jCiVX(j%$tK@cJc}< zIz9(juS6!ZPJOp6j8OY{Y~X0f;luTJm~viGb`Z)(m~(l04sZk1RE`brk7D@sbf;Az z;rt|+1ynh~f!z{MVJ$#$Jw`$S_^`B@Fj|On&3mG!Qqv`-Xn*=!52ut7GQeKwhG;Kr z=He}`e!=Z4db>F^(3N*JnG2J;QWX?{z##+hgEfA`mMBrXVSt}E`2_G9v@iBnGLUs7 zkaj8zlnm?>lubS2*eG+|HI08W5HS_)pRmj0F82`BO;9-npz#H~v0U!s8KfgdLqzlH z2Fv4J0-G79G;0^uk~KoHqccHuR^0pt7gl*Iqm<_oF-+OaQ)}xrdZcfw>KuG9kWv|c z!sn_#EiIV{aQk-3UZ-`OM64(EC8ZQB12gs((U-L!JS2+0e%dFC7i-;!^Mev4-I?|bVbyrB~-J*94UuHeD)9-}&Wt$qRh#OIDNf|vSvW|A@Zq7pp%t{%B 
z|K5mLT;!Wb$5gYal_>%j%$vx75BYJ9MmIzL#gl(qj_4snSTtgmWASl1XVpt_9nE?q z8@~D(;sm*)!RV!4)t=6KUyp19Ei5pxwwl${_5>Q34cDk$+mdfDJtH9dy2`c4Hqha} zMXdVMx(Z`k)qN>0Xwo|hl#3jlfD6%ULhcUtIoPzI zz>%gtX2Tmpa=B$IW8Dul9G}!c14U_gN23GqI_yt|eYw!6+;=icp!6?}MZz_tET?vC z?AicaLMZiIQ5IF5=@yb}n*D3AYi;6Gedx)9Yk=;#{I=p;yO01X8IS9Q*|P|YxshO< z>e;DbQIl&GEhqNYOLAGI(s{@p%@YERQ(A2gf?gAh$xXNr7~lqoZ0Gsxq5VYYk=ace zY2#Gf2hX+4-RyC$5`SU zO;P=*uM;2%%8!fRk_M@s9#Zf{Gl)!GH1*C&<|Pp8Bf8M7hp8JCWwXS#iZWwoY_y@1 z)Aw9cfop+-_R244A8acZ>l=OzPlr|T(jipezneADv*BW5z_2wF%V=+iPd+=P zK+NXYd(Nw+3NbiD98S9`Gg)Kz_uXo826{s6Lh|YJ5g>6Y7@)Vap9?d>%ckBwhBH@O znT-&UJ)nVfUf&^z%4F$@4v$Nb0gW)R;$~qy0e=ZD%~sClTmHdRX32g2jSNw5>sSbq z4ZsW(6X3r2NRD6-T^$j-lz3kS_G{$Sua|M?v=1`6$I?_<)-2|5qJ?FK2G0@kfYOLl zDHcjzS8?e*<`M9hRyp}BL%v|wpWM@Ukite^QWbS5MbxPvVCv8SOv!C4rc4=;Ct@r( zlrDFm(Y9lXXdDX*-x5af9>6p1tfV=Vdi%G=8LcaG-i541Fj zG@l1tb^O4MU|Y;YPW>i7kKUc)(3|>RT46OI;UZH5OzvceXWDuZ&E!kkBwVz>uJhVc z$;eg0iMY8&1Adm{1@84*SxyK0sr=*Q>#GReKtn^-=t0)hcatRCIM3c5vVbo)jj$c3 zJkSroEB#cnynKg#G=>FJVFpEBShVc&IKhzJ8WWR#p3b)5{V6I}eSL6I5#cuCAqSwV zt;C4=UgT~d5_UQe2`YE^gywE5oFod=c|W3G(iT6RA|IU1b33L{H4z9I{*o`q`VvNC z0FNkWasxu@Q*q>i+LctJ1+?Qr%*`?zy*^jW{$y`d(_kzE(U?K{sbP3s6+nCB1Jr40 zhnRqF-+1S0MhQ+|ip)Wf-gxgcJsU9uXbmkH7S@64QkC`Rpp+acB`*sGI)vHU|v!h(YbS0u(@KF+vAJL z9h{EOQ4^DyXn*{$=Ha8q8yzXG1X+MNMd|O@U1NdgRzL)P%?rc(MO%(|t!l}5YGvAx zR!_9PNOPVvSJl{L25!lp6;$<&fEf6yn^L!54ohijC(FrqaqW)=pq&zwgxBi9uE;+T zKdmFHooQ{T1rut^+$7u_B#aE`7DS21MAVL_Q5iLh2K)l(Gtn0;ugbRCCWGyjeLbCo znghX`1WV&&b##6}2ik=J!I47)f_kCZCILs}Xu!=VknBcE#SP6cAmkBYA{bQo6E+cw z5oRkfScH$T*Lwoqogcvo2)aYeJ!{;5m<;I!QxX1dVV|JQ?8P39K+A?+f4kG5 zN$yx>lYP!%Nc9~tK~wGChufcm&Z`j94?O2;Lr*EwpKo6Ptg=TcP`dW46O;jnb{)aG zflaS8K?@K%PzPo?;etxBBb_1kYPq@LHVYXqrXR7hQ+2M-D;@jArufX5eyKjDyh4p^ zEXVZu>C$;y)40z+%e!S!gpVy%juL|#A?V)*qgQgLJ4L=Xi-YI;cV9KTq=0(eO)tWP zFB-abjE)3Jb(WXKL}zzo^ovul@}6D^1Vu2O#;!@mntx`OLHq#Q@_`3#I0)ju zvDbOCmA(|8_Sx-UR~=uNa_&a`M#Z-Hn35ms^tOG{VZlq;MuYLfDX0zLF>gBtZISwx zc3u%`XzFdrSz}}WOjaFych&X1zf*5V_IJ!vrYBio&7!5f1me|-Y3NxwGi_xr2Gxi( 
z2St7s;ggS|=;HZXKHm1`_;%V*Mn+$OUv6Oo$RCD%ZJxbbUk24|6;x6m`S;{4OdDW1 zurqGU+#)!!-RWs%0vGf8+?OEAkPvV_`wh;7Ug ziSJPRPeSvY;#F-Nv+PckKNP^xOoZ?q+qVUpax0P3a&us}*qBOY{{g94&zqvScMp#jry~ljUbBDB7f8&ZoQUy@ZmEXpVwjfIi9k(q%C{1v`l0}tY~t)o z&^EX$r{QedsYk$6-%pdUUKe({6G~hKXEB%rjYZu;ebZCYbk)3#xehMTZhXrMabZ7_ z)%3KE4SF_zVM0p)*QFRn#6=25#T;m<^MN5U7FMja@}QKQ)1;?;5BRdla7U(Jz$rK< z*}cGuWQ~N)RQlTB1wy*(;XtJ8anKOUM|k6wzKUh80O_IqGw$9P=h-9&$}S|;U$H$z#XxX#hwkTcjc>9UJ;qJjCTcm z=#A`Ss?NETTRwhs; zxzxch>KaS?N`+f;%M@aB%e(&O&pSd;$YX?eYpQUh2VvcPl#|EHZ1=NrXxq3~^<>fX zQq@q%RX{FI`oy>q=tZPoEQjf-qX3akj4`rY@A(O3Mhr=P!=a5S`iVO30ZZSdAtG|5 z)?-ILs;pC8(lv; z{kb#;a!zVYWE`GB+WS)E6(bQE8K>XjYpUcd=GO@* z#Ov7^Hl2EFVjJg@e|X~wM6lcOC-K_X{OXMfRT7B$3{}&3<)Fqw-$Dm=9;+@r?O-?% z1Emj4#r?T}ytl(0TBrweO=xGEPay3S;q%MCQNl5Zp-!#34}RB6eaG(hjx`Jo0*!H2 z3nNike7dy|?+?2FmgbRksx1i$WYWrNmoO&?j;tMi1h;46E;84uUxoA1xh5COXm0qK zs#1T>czzPJ6KI9|rD(JmQw{4>r`NNYuiYLU11TWR^xVvEOBmt0Rxk*Qk~S7vw!`#y zs@*w{s9p3U_X4kUmiZ-8$6e(1P}iNHb;flmlyfhf2eAy4g_KJ)&DBY`s}Pxhv{Tdk z5K}}h%EwTWfEm}dd79B(=_!gbjz;98W)HiJ;|ZXhFg;n=Qk6dFXoK|0rb~@E62-<2 zP`z7GgIy9tVB?TISuHe^(}o2#u5ZHxUgOu;#upT~v<{J-T)!RzeGq65s#)5+vl-jD z(=Mx78j^Ad3S#%*G*S>90Em%cJuBo;VhNG_$;n8HCYe!>i1ce=ToYYO1C=rY4LQ{y zy@9U}j8wTidwjf@e|+H6;>A_NWldcIIoRGY?F|P%9O;@2T$j*qqb8pd_xC_HBla9l zVtCrU=Fa{8QOQV|3g$(afJBDAXYtBGqjGH1jt*Zo#&5(2oL1DoMAZgiR0FUpx?yT{f^DC`Cq>0sR!?LNEq7c;FiWXMH2E zKVBaWk&-qWbrTD8H(P0=OjWGYuAE zh$M1^gWS^8>e?HDHyr(=Vvu*3(D*tMB?rrQV zUwcvGE8(4Zo#)@iD=ca(ua@VX=Pp-Wd||akQ?f0>{sZ6CAM{=^)-G)=xaXC*XZUu! 
zyX*LmF!FW_-aPL_R+oC)+Cg!b1A1Nl@$9IZ!a}d;K>YMMvDicN;k}k{UN+oIiIe}3 z>}vVw|EFXpcLu}R61JTWKWU{gn5!o|dupvNk9kcnPrpw)hLEM#bxkP`}*Z$1b$T*R z9+%6^F*X~x|Fy?P>VYyozyr6G-&1a6l@9wyNyQ38X020tte>I)I9?fqI0Rl%236@+L)>i_m#T2DuX-YwCUVlwRW?rQeBo+M)t}7N1IpWM}qfO0l%{sOT|0m zeTH5Y9NR+s$NlN$^~P;@ub|`Wp>9RLG0s=H`gXLT<+bkt9O~CDhwGtXx616_!ynLS zb?vj3@E&f*{*p_Y z2aQ_OhvOMBm7|FRN##N~10I-$D1ciwFkXHrFFheRrHc>7bF&Lxy}(40?G}W5uqaO* ze4dIQ{Q=GB0QanZ4FdL_fF?LYX@cXAhyoD0yPLm5bs>P#y6KkVxD%Zk2XH#iuO z_xPqVd5#o%y!)c$YY@@a4rO3{%5OUb){_0OW0l6O|0sfI@Sv}kq;y`-x7?0NTg}fg z_)HPjG7QVT31LTNAHJ7bNaSML1HH!H0?Nip5FS{BFL12!Cu~hmawMO_Nu80AhQlST zXkb=+%7q8hT~IeP8R(JAIxA_&I8H0QlB9t78P52?J>zcpAQ@ILb~>Hc$DOW zyh%GzIMp(4d7Z*jOcew>SM3zws0SowD!JzssqJSgNhng79C-xa@<$LO&b_yPl!|~% z+yX7F7+N3{(~f$$`|E-H!WvB5Bvs*1}vVVYXNAe?gsqG4Wb@7Itg zj|75F6{Msfua}ou?+~^$WGmTG^@eQeBf2t>p6`Q)a*#UYfZt%Vqz^u%brKAPp0!rc-^kwQ)@phX>|)&0}$^M(k=}hxK;rOHQ!qgykqhB zbCJl&3@s3J`f*cM2v$;;VD-TT%vtXtwvfF>IL;x1;kmg@HHD9W_yU@Y6ZyI!c=tf@ z5RGqG#g9nbQ|_|ti9$zW4x>n0h{k}l#VnN1a3xyh|vYX;|pNfpF+4C1`hw%p0!SlymN7xf~s&S`2e}K@2`QeO3smp_+V@ zU-%$z5h!&eB|&?SCjxP4FrhNmRa@m2ZsH#Yw++ogK=$ha-!DL%Vxg$h`Og$jN1bNW zFX`f~MULE_K?aVXJ*~XUo?bU<3l|r{@tNb*g1IDzDa&#|?X%>z@aPg;lLRh1MVsNS zL>0JK-yc5WNL|ZN#NkmIQgCLHCHwR%^7G>;80!6rpc86P`<6h4O7I1(I-L`Mj!fUbMxnU~D3NMa?_0 zGjhhTgHdpB5f+<$xd3(-LIE((hwW!z+}1eU+QbaNaW9KPzqr%Bl_ z)${_fhE+NhC`9HZX3B))N#z83=>#(UcFwr`=_B(Dp|LMv34J(uG9gQV6pMTr^TIvs`P zVnW9Kn3(CPF9An4aJ>L5tZwpsXPZb~3#_M|mi3170QdoJ6U@@^yzIHJ5J*5Ghm+C+ z9LEZ!01msv@arI?ms9gwZyo7arr$WqdJEtL(f)q-O#g$pcM7g84A(VdV+Jd>ZQHhO z+fG(&+fG(&+qP}n&RU(`)u-#6?%n6?>Wl8Xc{6Ixs#*1oF~0YIo;UL>riiS@Syv!j zW#CLiu?M?6o2jH0%dSor#wZ7d+J8L0s8#b=rE2g>;Wn}{GA$nK1UizDMsgVg`GK7P zUp!7ez9xsg4=h=0NuU$SVV<_FOiBufk~8>Dqb{K+Oi%ImxYv<NdfMN8EP{t$6$0dtoNbzMC~qf%mQD?HoBSD0N~= z@Y3?EYsE%<^{*ch*}ntGaa!*-CWv{~LYm~X>vVd7hfUXfZUZ|$X+(-PkfHhyl39Eg ziYb0tS5q(GqZjzqB(SlPHp;)XrUqS!Hi7?8nxPxDl9p87c3QRb+os^?f|v=y!HRE9 zRz&;>0A{`8yQqEZ^;q{M@<)8KbnhZ8YIHTlc0NY26MSIeqpRa$9z?doDv3UV$$pmI 
zB_)ty=te}^&{@SOq8t8DMtsyZ{oSL*3UD`OfPrMeYU4`JwZz*c14Gmq>3YexwQTWpmks_Nn)VWl6*dG4$xTH#KZ=Hz z6lK+9RmrY+k+l^*F_EhsKAjsFRX}G}6hWJfWxU16yc!+dEV4E;Z~mth{ynkefxBNc z>U)8A3KI?~O>~A6t~PnNYW#%~p(uaZgZf;c>LtVV75@s$w0D~yp&75CmSn*PK=KNF z8M0Bwli#qtM;YQdu_S$(WvwJVH#dOBwI9c!u*?l@=pJnl|Lc4hSd!ZaUd%SoWKJ7Q z#u_Bs4NLJSUkM_d&m+4ShwR@L2QCH1g48XXp_~g3)Po#4Fh7dzL>dM>=!(!6kGIAe zcEj~_68%$<_9kj0&qLNtN|=-ISbPgT`!N2*WmZrKo`A#sS4`8V@SWJC;MHH-y4F?xY@PvqUXSLyikmtq>QYhQ(IWOlU2uOH6-&IG0uxZD67sTwA|NT(zVF? zAUW~EUDzRY)i`He387U&lSE1$O8!D!Ps{~cJv_^`d>+<2Zoqv|bc>kmR$3FRm$9LQ zZt#1_NIpjW8>W|nrpxJXr^D@(NRY56{n!5)GpZ$v>^9CEiIWI}607xh@s5~K63YyI+ z3S0e~tKAjUkeG9gUEXl#Olz(%FoWDuT3ScBjr9M=R$Y*;dC4C&=;c(}oJ4 zB*>^{M_h*kx6B%7ajj?}|H-I~os^FVdfA0HWBLI$ke)V(;NE2ZZE;DEr(a$figD+nkfZo#%-q8buj}K6gm`r zaT#U;klBWDNQ;Vek!#Cle0c8%gr@a_b3#^!=q-s7nvzcr;PV!)DxS+N!|BE#B*l;- zlFjn8#ee>CHc6}SQBP@RE}?1`yk?jzw$-Wl z8twTi)v%#Q=tyw0G>aT&ZW{I+YX;OC-SrP+8uZ*+(ULI^rb0Bs;J5IP$zI_U?`@eU zgBC*$1)(@J3Uz`Ua)EMn=^-6?>$$DgzHdUe%jrSSK8f^3ZTq^I6fpgsS27|rw%svJ zmKeJo$GT&YoXxyNZ$I{FvsdEl$g?8)EsLZl&)^S4Ub)kaKV7Lf0m%TDkGL2}XWM|k z{EZ_1Z%O(tmvxc0{)(jgLIWDJML4f!+9CtEj(q8GF%*%Iw+)@aIKNpI7d}>%r;rV{g5Gu$;}*74}_VMxwL8Fn{QjCiLf?I`V@ z#3Q9;nivq>8P5}@0W31Bm4KV7$M=YBw>2l0jb#O^WZTqe*y(rUQ?E3oD;doGs@e$! 
z8i2agTuxmYDOAR|5ua={6dg|yhawPzINAotg#T$XiQz(S!y;?xTEc{*Y^|&iC!Zjo zdt_-s(-iu6KtfaJPZS*Ad9jjlSp9UYh@yYG(vVseIb{t})`Av*VgA&edI?k8Z)J=|^g z1#ILU0&m{4NZ93jo3=S#kg&!3m%KxTqJ7fg4DuaD+boWrrmssRn>SSa)htPO!b;NR z$D$FjnO-r499$iOLgC6>8;GGmO}Uuy$bem}%NctQd`nlSWl~sY_gqba_#O=c>5=LY zUEIha5<_TWm%snI&44gX8_(w?S&}ona(QF0`hIlw`}EA-?Qh}6eVg({jESHV425>p zCI~3cpeN}XP?mDqZcQEPP+s(fFd}AW@}^6Am--shMbU@6@Z5}*u`@Oz+80aX24g?^ ztd;l>1((IpaM`j`f>vnmfMFdv%2gfyLXDR+^ng-%R`fk4X&!^)2~oC!HLNq)xCorS z`4#%Y;`P726FPk=UZZ1RGzCJT%tqT(%r8E=*o6hu*X{Lq4IJJ!MYy> zOwzz1XZ)F;g)HhzO6Hs2lX1UCBu_Z>@oQ*)^;JL&&^VLPvr0>SXo*R=#7xk`3g~Q)(d{06o)a;wdy8_ZfHxWsdn@XD zuLYZSC`F|Sf$Jm6zfISn`jjThNo#Hz87q$8Ii9Z?T{9VB)x7qD(P~FDJP56D0AAJv zop>f0=;jr_*x|1j1q9){P=GWXiC9zQ2}#nivJunS8&QBA9nce5mZD$kCpcWzeBCG% z`baVxnBif5Tw-vNPaz6-g{Hn7Bi0F={tr1abmI>6sKCV7(_dirBvINXrzpSt!CLS= zOy#3VX(EwX5u+ZN6wvD~vqQ))N_V2@IB{W=n>J0FnX*cm3A9#1CTy^$)-!-LQ%GNg z$ntqNp?*s%2UQszf85c7UTW6;C(Cl?|AhkNKUC~i)UE7%bZNqD@lLpbQxJNx#(sYQBu*72JR%NA6O6$efeSJ!TJSJzqn zNc_lN)IYVqtE1w2(Nf-TSL51LQ!1K&Z$|Z0OiKR3|4q5WgP!9Hz;|VhJzirIU2W|= z)sI|!Y^1t4c$Xi>j~e`2zyTuX_!fxXyFVPY`*1uBeg9ba z-hTM8b$HV}$dfA5RzJ;^J=g*d4?pshpFE&)q5`Yq;N5thC6wjOqN3tV<+zmZquh8x z*0Ikg;4kbWy;-!iOe-tOMPyJezTNki0Urai&tv%dVI{pe;wE|=L_WB7ruFCTc|qS} zKHx8Szdee%x#!vG9J_4!NXsG$B@N=X2*R@MLGa#2dG-$=-M7rS2cfzmHUM&^g1|xh zgSUv*fx_EM24>mFAgjQO+{;5@WX@@vaD}!SEYc~4@@6Fm_Jq&`c5Mx8SXPg81liRb zx8nXgGAg)sV2gA5F8_M<99BU5k>GS1bv(0%scv+N1XZ|qo182oKs zRihut(33gY+|BsycAZis zUz8VX?&Bb}xY|+ws`<1gHLjD;yc22F`k)8Uam$+o%EaNXX4%@C2?F;WVt!GO2m}tbRtES z=zu0;i-klmB}DUXTt z-OyNfdHITjO?dr4Mke}7Vw})+FL3p+sGQigsTkh8{TP(0)c4TZuQv7R+&Xf;7Wbel zgx=0W?EW^Nx2e@v`7Y8mr*wKeH?y@y87T-=Z$6hDYQz9`=xmF!$327faWaTV!Ma+_ zl9BOugFnLtzy3JzISq;BteQM2p9r6RuO96Wd7HeEI6s5MN)N4?aGnoyJ~-3i*M?vG zjnGfBz**<3=gxlNzuQlHrQa33L%Pv3Z8IkFB+B+ihU0KYKtF7CO_fv(Wv2?&hlgt& zpXBMiQgIJsg*Gv0C$OTW4?na-wDU+@mz=P6>R+9C-D_5sH9X@KQXVyimA4RM0CAt? 
zCQ=o-@;O+xtewe8`b7Lh-7FUp^(gDo zd}E{}M}VuX@K#mx#SP5!e0M=C1r7DGNE=8+EEg;6rXmkV!QSDBir(T4s+k7s+#txT zAPxesII$S}{>w0mf>P^D-42k^)d=D-#?sti{X9^C_l5nE)47G4+W|8{i0Ym?(r-PW_iG@naTEl36s-fdVN)pK8qbq3ie@+8`VUw}^fBiT64-hz5)g)y}6Rq+{U!RV{pS z`L52gYy+Yz5JA&O>!>bmh%$Em%wfR#BVhR2raG{ z4`lXZVVUhQlHQomA4p-V&TG_=k3%kFa=B)m18cc%H;urF&Ji)eVOa0X374#xcZby| z%1~W;X(<~(!o2Od^Y;5*7AeK@XR#Enq`omm92&bP`b%(Ji5jJ%@{c<|Jg3E8A@lXh z5ZUL0mtFO(L}y+~w@)un+JeNvKT0PrR4+@_1ppg01u#2cM;idiVGANoVArf(>seH+ zVBY?Xm`dI9tJO+-x6ZKl3pof+P_(J;_qE&*)(k3ICzmHVv04L4Aj zL(Z4n`@NODvV5Y`WlRGRcM^C4dxmfnbZMK#s9Gark1q`tp!z7qUd}zT`iG|x9wn4C ziHfAVWm6^F8hAp+uSHaKG$KULUZI8q##Xke#tyZ*=R&bjuCmBbsU`8Co${Hpl84T-caWj16n1m#tm*Sz4DZcpr@q9zB31sjI95+C(N0{=k=yvi(%~*J7{viD-fG$6L|Z)-%^u#Tui~O&Fdd zd3<2Ze2x$e?->tEK|>Q5hZ+n{u)*R96YqEY*$$7K-+B8l*-2_R=bVMB*Ai zFAz1fglyah)Pq5_2TzzPTvi~{j&rYCo+u#I3J6y3QcO-bzXS^ic;2xpIC0P=+k_!c z@eBziteub&PeEzv*DzFAm683F?%Yf%9q?4dyiI`Qt3YPSaE8&J7ljXxS@m=tp2{`P z+?mvLuvAqW+@BiWVPu%taOmwoyDR1wP3xjNT3*cSUp`fK72Ir<_owjs*n5VC#j%5f zJ`^?`AV~pN{w})Di{`>^Wm!()gP;vYs3B*?&*!nv8kw!#cY=6s8In@o?=w+o(Ku>S zGQ3xfcc3|?WvZh4hLJ2F2?W{9Jip^>DCF{Vj&@(c8vlaq*ZZ2e0~#b;T-%``Y_Bl~ z0us?KEJ~ws6cD0fTZy9PO5Kg4Tpwo1Y&s+l){Jt@=M$5Vi^0k?6?m~veQNir*`Tkj zm0H{+vWDtoq8~=maX7rqy;gjYMaA-lZUDDQYp6O6@4rWts=*rdx75&Pv|Tfm$6{8)5WpD1oHy>+ioPmO;VPU z;eF1u&`2K8ywHR^FC@WtebP$zJr5p#BE zfR^|wsAG2jX1p8tos7$gp=0Jh&n$LAid9HP;c0Wn6;-qy)rFjahz%0Mbx1>*89Zq@ z$uI2_*zcwMfAXjM=^F9$4tve|yKNV!GWfO#W_>BJQ<{!gm(Z6!WvUR-0rB2EoG1$~ z|9a2!g;;$C@ER$MM8fvJs;&uUsq+(eqoEYhR2=jIf=a+Q3vd-n@odZ+P!p2#NkL|p zf{gF_m?98~e=%O_lr#ybkKBak1lMQR(_c(eYx=FT@5t(L(!!?YgS8K@fV6YZp3v4b zG~Gk1cH&{%>y%N5%1cVJxxy;M)X$`uL4qSN8#d6pRw@-(4}$uM!IU#k@w} zsLF+a_!6acCwP^{#!C`s6Pthw(|{ZB{M7BP8X@Ow1iViKLpt0G!ZpXd)V1q3vu8MFpsB)v1^+F_xAzc z4SG=x#<99ekn)ifilDdq^(Qgg3P*~180ytiV|hEKJ;~VWK(v{98T|;YqpnZ1q;Zyt zwIxopl@R_tE%TcV{e%Ai15|rDur@}3(S`AWY139Hk{jaX*Mg6y&Pg?B+nlzzMpn4i z&%Ew3?wg`TZ8Q2vO~6o?Zd7T|of%?#2LNQ4%ta;Q0QjF9cehh#l$xAU zG|4#fsEMs3pQzVb_>fT&o^m1&es@?6cBz*gL63T6$WY=1Zd&TO@YBC)6q2e3>oIM0 
z*dh>C@z8)KZISeL#gN;n1A*X{QM-(`TBvhdDOJH8bH~hAPy8GOGBW8NCj&vAICiIX zl3Q2a?7>0^_vHp7f!t633!2 zOb-+cm5?AH`4eXXyS_St?NuVSuA>QMyLj(|hvPQ_U7+1V82W+@gNdUXtVL_dBm}lI z__cU=D@%bI*v8~4xFFF0*-4}c`FFg}w(Vm^K3(3TAW*>&92DcvA&R$8IX+pgEkfGo z5go`17l=TYF}E2m+aR8?s3AcyFF))miCSa~;eI&2h3AuR9Q6ax^C-@=LPe!*s2vXn zy~xTZ*yE_eN`(;v*dzeCDKV2;C`$qVJb(=XO(4k@C0ktJ?Gvtm)?^xZ``{CCL9!)V z1d2_1du%a<{JmBK_{d@4G(o#=2q}m-Wc`&=Prto!S=5tmyue^4JAf28w!sNuo+A#G zfGM(9P)x6|vb?S$MW`P#vB+X%0JD8|GIzbpID0g=lTK_g=MZXU@EU^~M7h9jT0GiU zvb-xm64E__Jh*)t;=ipQD=-bD&hg_Pw_r>_WVl^UUs7&LVF;}-HKhaBI@cA^yTmQ$ z|72=VpI*)x;gwj3XdZ4RLf^rXKVie#x~di&>z}TA3Bd}NZAL?FX**50)$CVuXSZ7< z+wkJK`JZA;V8slh6P^GyX#&N`3t-@7k_=e>R|vPIOcs@fB*aY%-wxrf$}-Z-nC&6ZH|Doxieu_(aeZ& z@@GEbZ!4_v$~Z8F~BBRoW#j2;BwU07Go2*Xf0jP{33Z-_zM@DeZT6rCZs>P*;ALb;%`*5Yl) z&FqP#zUB;g+I;Dp`X218#Cs9~)*5ZYZ21A)q?+dnL2vX-39NF=q=BSlk-V$0{y<|C zkg#8v)4!sBpRqMf2a3F+h+k}^07X=DSuU}X{ijD*EOfZ}tvH3nddJz0gH+bKn;+de zBUdBJft8n$4K(vK*)u9zAY>l6I15tkHv`LUv;tK|kb*Znd1{T@P7 zt6xDdS#}(e2n;pQdRWDWLxpZd#(eRA^X4xC`1JFJm;)cx8|kZO5rnW z=b3FX@9wb&7c^rqpHu(&n4i9l^nUSmGH>}y!wAiakJ!C|Sr200vX*X@>|Nks#|liR zeCmXNQeqW_ z+YKgSwMbb99&eB4dgMyviOs~5>3irP{hp609#OrfNgk3gzrvB=!9VB$K1l-I8vt7> zNE@NL)cCd+E!hhf*TlH5(1Z>*Rm>vnsl(rv-Npt?xqU;sX0E zAv3iSn&}1|zTJWX4C!?hJ0wS^iw6rBmwK&hExDoxO3v8t(q$Rql~fpdhZss(f6QXV z_Suv9Xj9)iaP^t#^od)_^x1L|HK^X1ZV=ZH)RkKbI6fsrcM~xVQp6z`BL$8F2(dwU z_a4te`IZz<4ix*gf)iyM#yP`m@KFJn|3c$t+>Vti6Yz*8=gysSLuD#CF1+{fNf@{C zNElzt8HX4z8^OI54vuX;&Ov7_XkV_cbflMna2$f4mW=`j1{+zdGSPycN_f--*fBO} z4zicIdc=Zy<`ZT~t{4>+b531{=M`uSPDyTWVvQE1cV{E{L(hvEtZLaXbp;c8?8ytl zVzE7IPNC{Jg{y(-5o-E;LvXV+94G)c=0jQ08Z+)4sD66sZRCqDm$1Rf)P-6ZHHmzTD7Ap$JMng^R4;h0E`OvS*IbWp1h`%KVY077mcP}xXHZRg3 zb5XN~nv44gy}PfM{&_Wl=irlAq+W<|?MAf*4;~R%2sWi$SuVFvF`}jEn1`Pq`%)>F zDsc8)_@yFaW~rgXqaLrO0TF%8WhgT@1Y1{{8Z)2j!LC7#`JEG^R&*vFi{|9bNV^P67$Nqa`*gpb*AJJ8ROdzjc z9P;Nlwi6?OQs|C0*&h00-qkphW4-mwV zB>Kpvm8GGw!i=<&A#hcjM!61g%C53AXPOO!*C@U%QuKuRx~!qA)rV&<1ot+0om^l1b-1qP`UvUNa4OgjZ+tp10LjjpHkaxJh_&$ 
zWW_!t+8Y3c+wYj&2pWYX`_ODeb6V|Roybv`zEbc26KJ?-?5Fjd-12#BEfjOljEpiC zj>mesb2LbTG~){}H^6%z9PAg43OwitVeRytmc@vOe<#El)$jCGGj@$Q zV!u0uundGj(_=()a~h)(IJ5L57}*l_xH=OtH27>&yirmb1~sMqYD(!3O2Ln0A{*6^ zJjJ*BxsnnweW=W0X0=W)8(d2+-DXV?-COzMga>Obv&SfzEHt^)s4@kcT7Gg|8RQG) zl2!ycF^LtE)%O#(a^{5IUxz>jsd`IXNztI$pMmh;HqtWP1GKa=rXE@lXUxSadlEK_A1l5!_v%&tE7 z{{azQ+-Lr0xzPWvO8;-M$A1x`_& z@r;a2jQ>L}l%p|ex5b9KeMw!DSWZid3%{GlG~Fbd@N;*CBIt|ipe_pWGenfI_T|#0@?xpu7wUwGHfDj!*_7 zlK-5-jk$=%{Z+6xSSCTb5|cET(Q{s{0_*UA+@{95z)X`QrwhXVupH?p$hGDW1Fg7D zN=5-K=r|sL1kJ_4&b8GiJ1mAEZ>I!vpV|rKqnX4dc1_VNYLol8>JquF_cm9ZtjjJ6 zmUFb2kMx%nybGk<-?FK{ff=(AgSo+RrkU6Q&0^$T!t$FnT3E-WvF+^p0{izc$A|=D zX^%O|SaJ5bZc&Ko@d(f81hB)KlFhg{3eG^$x%MwvR`E|h_uMQgH;F}|^({zZXyFHr z8RT*K9SI4BF;#o>$1#m`XvyQFQT|oYOip9xwU;P)ea}Q#zqjR0J}3ZFww#}a{87?= za$sPNDR}oWk>###pJqtDkmjY6w`#n-vCedfa5$gzZ+XrQX(uJ+P3w$wxjo~&P5ox?; z!%0wC%_H32B6zL>ccN1b(+bV*1>(>FVuw(o+pufxtmOCW0-6ovI`KM^uG+9 zJ-)*AqDGyMp07hikrd5U7!KK=dmoVgiY(lQT%-QK+8?fUC3j} z7t-D5VB?)@9S#;0J$n%=q-Xgq35tW+`BU7Z*1d%3-H|#HaSl z_!YgXi1>cW%k;gfG2geX`ge-Tmowe&=)y%8n(Dn@THU`ZyxfWPRG4L-mzq`iUBdq8 zSBCu|*Db#|pIyeUT)c1TfXu#l`U&n2huMFRR%RU?9AEc;U!5*i_ZM+>AMx_<_HFVlK9jyySkwtaqDC32A6W--?1{Z?wOCWY7AC@uHeek+kTJlAm2 z&Z*PO{}=O(PCde!y15SiygXioi2v3-dE1MC#FkHZ3yk=g~&l% z>&tBZlib%z2I||$Avb{(zLA5&$y(q#^A2*?ohwib2FU&(TS{nxdNqdE%_|1m!tARL zo3fcU{2I%==YP2Wt|Fm&AJS+ZSpb{v^;bOd^PS{07qh1tu;d*-o{ufW(~ zbE}aoAxl3Od!u!CiLNcwjGD z)1kinQ{j=ldGY&S<%iC<{6)ZM=}nlGiY_l=n0_T5*PQEL-{;-?PrHFnhfd$mw2N8I zQ9lYakHa;tuiLMHz(4GA+a4J5Dc1Qy(LlMZ%iSyS?vT}weSVPljdL~DMsV<}oEB)T zf5NcKd8S;sSz>B}XTFXIlJWM~$ea-^aeW;kHqfV|+=&epk;S$zTd;XEq(CY0X^%lD z@qb?<6f22fN|*v@p-Yhc#b&gI@S@i4pHQmCS+Au9n~k@{`%sT*plmtCwbEC>=rI(7 z4e2;SN}SPm`~J35b9g#Ca*Vsj_(1+K5!OuayCl>?Hj9JLc4wD`C^1df6?y{8ChSP{ z-%f&#Lh0fL^Fz}eDtKw;eMri{$G!D*^_#nPY~x+yW`*nN_7DNo`wK#SVM-jFxqZc| z8+3k;cfL*m$0By=;)%C?B*Y!in)4l?XwaF^wW`2~l%KB8nORl{U_*X5z+B$;Nk`dI zQ|~{svst zN}{Qr_C~1#ud(4ujPz&cb5hBGub7Y!GOhi z3E*W7Z;(y4S(_&UP&O4rTM87s5GIYJDmT0wOeC%lGh%T@H-7c(ct|^Q+$YV7Z-a*_ 
ziLo)91I};fDmuh{Aysq=T|UagDJy>=Fw`Y6LRvfI7mm@PKirRr=HbV-LNcDAUkg%! zDf2Hum94~aXa8-6`c$pA&g{^NgLRm>1M#Mch0#i}knMXgreF-dvH>e z>oVyXM08Bxa&NV94+fPG*gSeXnk(3rIk+mM*u#SW$wKf=FK-p%@GYORj$OK>EKmvH z0CTfUXUuD<%g($tZ-o?AR;6TD3D3HrnhPROvb?u<2%qn*EE&DYF43>}uxaz5WdiU8 zqn+q?2V#a{IOhyJwIYI~NKfV#ij9#ffsfG>R?|g|lj{67A!~f^?~NF-FXx3fR)6IT zo@-_FD=dS_j`62OM5Xf6YwKS0wT_w;-7e=@>k)q{Rdl#gmmEK@5dcl{sK^nVK?@l} zCD3>v9{(#RLrn#D?5d_7JI}0g!twz$ z`_vvtKVha9=R(pXg#X@86y!eMbjK`#2JLuqD_Mn285@#?n-EE(2moQx(3PY_W7Oy1 z%s!$_wqU9*xkQCKJ}?cx^LXt+ozW75=WlTNB;1AvCLbSwteNM1ge^d$i{!2k(CW5E z?1QPf-#8ujCedA-quGxLR92fgd%BJPS8#h#x>_Xama=u_2z)lQ;){o8^V8WT=?xPM z-Jgm?osL913iW%uZ`=gSkauGZ`dZl8DoQ%<18osT(?bJc>3!x;rbr$a2c)zs>%0?V ziRQIh_mY6U4U%FtY4yk9{u4gYC}9lQb_Ct-?pSvonhQJ6_#CfeLB--CxQx`41q2>O z`6G3u+)yr7^(_6lKBAK4{(@P!BZ(xsTJq2jdEB5TmzWv}JcAPSXfAma9Oy*I30AW8 zeX*AX?iM{dlJ}{iK3%5QY>|a^L(fQ4;MsAo&O+OGS9kF5=>wA_1nlIZcwZ1#gFcPj zY6|0O4+?8ITr@f9W!X#cae5r8Dy{n+d32EdS=|}m3Ykittl?bi^jis->^YSuEPk*XLEbURr2*B_ z%4pTk*&t>X@^C!;IQzFtdZ?KM-C9(_i^NAsi#@RE?(}x=w3JJvmdD^GSVktiR^%f@ z`pgF|$+-grw{mPngE9Xt;)(6({#72HaHe%)-5RC9Dk);)s5@+4p`fS4D>Js^%s82Y zx}A7dL_`T?uBqVBKgLSC5oEdpF2YKpn#lv@7z_2K7|P41jTwB+$kqCOeh^oc#9kgV z@=b}L152@&Dxav=}|47X|PhTXx*ll6; zS)4xwb}}t(Wx6GCQiEAF)=uqC(ra`VUZl!jZ%|I@iyDYmodY}sO$r9#$NudPL!FIHO7&LKWt+HXE%%p`M!&)ta=H`HgdWAnWjc@!MTkq3zGpYIQoygB zCN3teml4tt`mIrADp19xQB@k^L;f`SQH(TBV9w~QttTje?^L4-nUu>joN~}2Mp1gg zZ?a!dC+(b1sz9oJ6jb)2Ez}}HvlQN=Z!SeN9!OMAK;*+Z7)sZ3LY^m`o7;w|!sdOY z99Y!9=r6}YGvI+E%ub)rXzOHHT3KPhGtFSjJS*pgQ3%kjFK%e~-ot!o#i|@L+2}tx5O7mx#V(^+d#Y)_-JVA1YU%nB zeZAtc-^)&KEdF~6iB0z_kM;{|SiS&jI_7Qk0=5=yS}UO}EKs$CLGMJ1@~Fo$fYIi%+kd7#OlqquRB5XbKH1APiTo@I;99y)hat3sF7>_{2L2MLGY z#N0q!dB0V9b?jB&996m%`lIv&M(?4~+XQwAU8vJEmsx>2+$G$8v`Z&cJfagn%yquU zS`SI7H14p?%gC!46f?P)$OG&rrj^)gu{{!}Sq332`S#mdmUyddU&NFdNh(UJo@S{k zFxte!+C`Yj;tUd#08a}q=Q8@$?>?2#3^@^b!i3?|C(~7^k1~dC)=U}#zuc)zMXx+b z9$%oBFBzu>xy`+^=+US=YHj9_X?FWE9aKLymmdypU?w4RBy>=%jQMKDwwOjGS5;Mr 
zP@F;g{o&G-H86^B+ZJ~+qRGA0Fv5O*=iBDjB@oEchxbpbv=@!(0wbz+8`i}J8mR`=X%CvT74uro~TlcRG_mskxY z^8uYuh>$JKKAWX!x?-mx3KvhU7p6i^;q=<0nPY$0ZrWn?u5aDej&xtTNuC(;Tl4Xd zXj|#=u$i8{KH#A=4^>UTs63kd$+s4TR`D9iR~KhF@Q4?*L4Zri-{Puc{t}g7jUa{0 zi&#uI`Xy+3>3Z}ov~}_7m+iDfys%=wNQJ(A^B5CDOFU%wGE7So%un6dS!DB)F&-WX z-Y;z`bSHE(3&HrylVKDB{T4<@z(#}UM47TP`?7ai?Fd9SX!0=A0qSB6JoB_X+xNSauFUSS(lqoY&q|$Z;LD z^!;c@O3EEEOgwbHDKkXKHDR)&-A*{b@!6-2ML^^H7=4JMjaN~xjLd6)_yL_F^wEI9 zb{XScVodEo06E4Dp?DDNJ`h|V2zC>Rx2lX(kLf9E?}UmKcqdg#76wjaNUxC9Nr8&f zI2`VGDWBjRBr^{}1^_su&V1PEemT~kz3i3Lou)^eeJ>tsB90c4pUCGHco(8g8)qaL-^T(Tns|}J46FRK2M>I}h zkduh&`4gG`ECp8Rc1c=`;QL8KL)j7O*6Olp6vjzh38 zG}ecfpQ;&)yLqKIu@yqV<8ai8q2pXzssiWHe1Fy>HJr`u0>r6`n5;O!tw>6obKR`6JJ;CRT;-8~3|O)zQH2w-iL}f4 zH5dbU^g$23oWwLk0mxp(oQh0Cil~!CRMJ|^;nz#3h7mux6dDy65=f+Dar1vJYQxRBa2=uLC1*Dx_`yp{pZqSZ5Kf2geBiY*vr^N=jNHu# ztA21SysE@cqolRj?Zn$SIZBZ%`(GY-8|ehRVIwE^tKPH|2U01VqVMqey#9$6k$>Z> zDtIb=K^{sxP}O5y&s;Ny|2)h5Mzg@ku>=ZAx^7z65^Q?V@znV#qw6`iTl+5@3l5i- zPb{S3E&D$h0|(`>K!O0OQOylBbNQsf^5xU)&@}-q8gSY0uUtavUjJ+7m7?v!t@p&D z5rl;GTocfPDv$(pS>SGzb!83&VgJddL&PWhMU@D?q&x?j4# zvegsKJ^I!9UA~p$BNB5TBNvE(0sVC%aewBV z4CRiE?WSU?d^SzgDTTe_Q`$gVBOcm1V=Kt>uL(os$n7 z$da(qqkmMX^QPMmP%_ir0r&UzFd(MH(VGhJMUh<35d}|B3CtlmXY7NQ^a7cak^qZN zkPswE8Av4I1&2x~>TU3xqDtIwwtJvRQ2FA(hej*YH#!xIDCX&-K&G+0Ee0Y@WCBW? 
zhlCQsjd*Z6VP~=t?(Rp}qS)H1JBR*FKe1e9OvDM@WY#CDbxsFIBp&@%QDQ_85HV_F zJQ1jD#h4Wy(EbU=oYeY8P21y#dk!KMza33a>odSp>RCX=hPpb>v!VBuQbLg0t+H*~RjX{C?TtcPDT9;`GV97@3(FGx=SNWIUhe zi|vx-PJ!IXiJbfaQJXzk%RaCt@;b62wWPSOo9_j}V)*}J!OZ+m;@*E-`2M>K=6}3+ zKO2bu-aY;=#Q*Q@B>qPq-~X38iT`9S{Fl}6f3t4>pNxmB|87bjGcyb0f8Jhb{TL6M z5x=T+^QAAkc-Bi%e|MR9qObd(H_K?Sw?6SMh|Ge)M&wb%9eo3Pliy)VNM6yX@?vx^ zo||o%vNO%m9S+~6I($#oRDA3%*XMkFz5&B6CfjUuub)^bN4J0M9^YMhueL+q7M|&s zg$yNGFQYv3rM|y=YFFHS4d2xq+Bj-&0m!ty2mI1?*k5(Du`Z0RJn!3lGIzDUC3jWr zJeq%uJioI&{KOk`eMUZNGh@xJP+A{0yVB7~edaUvudHmpTEF`Wol6U6d0}wYZf<`n zg7$bCv9jsL1n8t!X}U%0e+fC@i~uR%{O$bQf{=oY_}NC_M`!%s9{qzH&NM`%-vMx-roU=?m;*NC#2vkzN*mMR-8#Dgj^qyW_w#eX7;N)~j*G{G zZUeI8gBz2*E}k;7nMlgRNNg%Q*_hRo3K~t6}D1Ga&*Ct?}bQhLkIMTPW zH(5&6t+IN>k_$1#uWQ{yq1SD8pl9br7vq`?i;IZdaWvK$W}m+w(_ViuYw>7vUB0!y z(qJw`n)}v!mUjL|fAWZ6?e^DGE1o61!^rQ zqoE(VZ6iAQ^h_hQ&lHy;Xdb6;NUw&V#uQw}{y)035J=1yqFJS{SCcZuU#%#T#a}-x zoe5Ei#)K*T&15K10UJF`GOom#0x}NoX9VX=)EI4_OPBF^ppLnWTkN#vZNFp8uYR@2Um%2*Djpp+==3MHcfOExR;{-mc8ODzK)=4@uzg4e zKbjsp_LKj`8wL~T!Z`+U^Ucg<2j^*FRJgI+f@c?pkcPlTej_3rX!OUpBHv)v%jSbP z$|WP1t5qQ&hC|SEt1ddli)WLX?$`xGw9BG%;r5Y~$7jmDTCuu*&^K&-Urf;q;7m9^ z9lNI4YJ0^ktNxQIkb<^Sa@Jmn0L=}{+EgIu<3DUXRL;=}7JC{Me9T1IH!gQ0{#$9& zLbwuyJHV%gT&zW9?O5jB7lMWz zAOGA1!(xRQd=CjBTLY4ns4n!HRp|aQbOYr+BM9Ln5jGI+j@fdFRtE81{?|*kIJ{zE zuHgjze525a#ZbHT%RqF`wqNcK;xs$OOTRTAv#TxUMdkp$g#}J=w|h1t2kw#SSsqFh z)OK={UPvI*utJ*8kY-53>7-SRM8o4RLo3_NOqC8TbD9#t)K8V1?yjK8<@onzDQ;<+ zDxV_6v>x=e$e{K&gK(&iQ135*90|dEnv13Nds99NUEy$X8$o1AKB84LBI7dnp zQa<&NTrFSW4wWf~BN6Tmge6DHWxmkT#;QeqzT6eE8GUBXtnyg$=M9Bf_}Woj!$`W~ zTK?Q`nzxxWu7(YqroFjqJrVXwjX>vy;gUnw6%w=1xtZ;ZTwN+`*N(*IN#cQ}e4JL! 
z>M5h7fhT?2IGojBJMXWLaP-LvJa0~z$@mvxM8jPQElhB1u7 z3g)H}5%%@q&wIEw3tU(?q?=l?E{v_5_u`s|Dh&LOp~ZUnw*7S%0|e|gcVzG7W$O3+oT8E9Jq?EY>FRW5SoLvVVEVy6skfL?++UPQZ`et zfmnBUp|!Y1d@`!A#N2~+aR(v+a;$d75haNW%EP{*zeUJapaH*-&J9+EYaPc5)RQ!T z>u((dN7ys=KvV^wrCJhlZzCr`Thj;!6nw!%rewa3XoF#DLXeK_H&4NG%^iy#uIrmZ zDSiI@hB|M}$gb(lk(DSQ7Z6({*Y&}}HnwOK<~gc9Uvd54w4KGMvl?x(g>cSfUFOZ5 z6}xvS;4f5uc+pu=4O1nN*(;4z9K{w5tMfPEh|k5OvPtsBjyeu>F^bbEtC)rO+GX&K{=N}K|!93-?dMp`W5GZubvcW;flG7*wc7C>S z1ds&tA__*k{a}A+OqDxB4Dxycs8#Ll=bmMTq4^}BgVlK@5Vkg~i?szQpmC98o&`D% zh@E?5D5bXcV|v^H2sEb0IGI8HYt2U>4a6bV5h@|5HwJ;6!vgYw5vmDC;v~6K`Z;KZ z_Lt3Uxtf&?^RV@JKbELdSG#lzt+b=(vO-;rU@Mbagjm8~Xm%$P67mpFuY#wuiEG|^ zI2T%UK4Oz+vjVINIz#$Iq=kv;Pmxd!v-#{(=+ov0?s{iZsl(~0mR3Vzrfo1HV%z zZ5WiK(UdV*E9;vOL@R`d*_*}l^%iOs*h;+beIY|C>j!i&nxPHc^q4wGC8Z0JAeP=W z5ju4qZtXC*vE^kipNq37MXFyk%an`8=nUUna6vgE=_o7`@2%n%xQZL0H2J-&JWnNJ zRIY{TLkH(Ks=Y7Ahp8`CNcI7TI~52hU`C26v~KH75G0NiP7I=9y~Y1DH=xp0icwgN zVX@ZUC(v(TNa^nx`wi^(Ol@$y>_BFyD3d}?r!19i-jm2o80bIM{kG5Twdn^Sv@@mQ zPS;DQq{rJAybz$&c}G95*pe`RznfxMw_4;9gD$j~NrHmEw{M>YW-&n17-ILL`678t zu++Yi?55krSK^9ER7YVOaoWOd!VE~m?jYeK{Kf$q89PCC+Y^8yy+a}FKwU(4S8z&#cMP$(YvqB=L9VEit3QI`L0si!)0S zM-=czu&8bhnTVQ&n>s;4XE;4t87?16#zUcSA^b&8x?DP4W(Bi`51RtyHkL4w{pUtk z3*2Ju38XV!5?+wFP>R_RiTElFYbcbhMdL3ri<|B7j!L{uA!YzIRxsivlW$vTK0-b) z8we;tK-wKZP14~Qr||BL#(;KXfI=7&-`SRc37Xko^$bKZe6Y(wT*um{^4`MNkahJ* z@t*#NCYk>6nMMp9!{M;RpV!RHP_EmIDo8orBy{x=?;Nr87%dZXnuiK2?Uh5#N-f=( zGtov_AA!XmNgQExGW1Cb^G(D6hB-nXN6i^ii*q0tebSD}m$-V=y@2|l9eRo|Qp_8) zW^dO}9EFuZ_%ySo6%$UKByVsxCt9V}n+{>75hZyDXWbO7#<>N`7$%1F1Gd(ix}Fz_ z|GrI9>ENQ^-nUtoUxY;Y4JqTku&7`AH05TGQf3HxaB7&dp*Lp;%O5F@S6q*fNbypa zAAQf}3~q|G;FpiIUFOjcHn%3^#|LeZ$W*0}nb6V&iA3t`3do$Yw%e5^?#cGs!dexQ z9{j$FB8n6}WnsBnz-c=l68-{rY30a4%$etcGK>h<+2d$+!98=7|3~sz_GCl0H(7{{ zxiE7^C#d5=3F^^q`qZ5mZTtP3@ETc=+ zU9H7MzOcDpo(hm&m~eegsSZv((yF+(_L{+V1)q#&nmLYeu<@fAJjZ1+3uE*vL1zo0 zzI2M=0BUYhn*FBW*ei;7tO1nHqsY`BLND#C`~|3ldHWBPN=g(!=9V{p00b%dXZEGV&@_IH6W+n-878oH zK#)bWCBr5XgwxIkJA*C8z&S6*<&ixXM46ZcXBb%3 
zg&g9S<)1o$=gT4ktWv7UhW$kWvVU39*LB$$<^om@4trr!$2hK{pt^WeeBYZCfo8>}C=*UQl@! z_AUz|wQAq2`J8PUk!h?aszp4#W>~>8eX3!t0`ZmT#1ect2HQ!;E-Thy$pQwY=Kq;} zdXZdbYc`^U#Gk%Pb&V{(1DTw?428k&PMi|Dg7o2zSH3QVS{ zs1hRv`@L3wcL^fgspbx~ht=OxfL`3e9HIA3^y)GqUcc_?l6Q=#I1Fx{Qu4LCScw(k zI(08P`&U3&LfV^RQG}nV6$QAlrXdFaf_BrU+`bo#_H^}L5{cg5&wF9FsIF_&aEWv{mCW;loK!TXgS%)pY4GwAwhgPf|htUVw&?j#?7atD~AQ0OU_m&zIO5PEg*Mk#Otfc0*g z28jpxAffsE9a1$v1y(w{ew8zx(kRM;!_mwkzV|OS9OLktk!SU#!x8EA-AK84t}wTo zIYv6U82YH4u-a=?n)@|%k=y-mz<5nS@&AHnvHl+fX|et&@{sw4QS_)pRFm zQOxO+s!aD5Yi%gr8?tM|hD54WNZ$+x!TaqhwtKQ%f5 zS73Rch_~C+n(mrIWKRZWJJV2yMP4|?W-t5^+lrL|!#^|k!n2k@YWT~2#P!q$EkQ0r zcLt_K2;;yR%wau|{$Q)s!Zpo5`R$?BHjgct%;8DGW))j8hdn_`d`#)i}tGD za5u)0GWO~1_!)G2)vUqu0)5H*_dnEX>TU~hhg)mhVa4^p-(JJePf-@QG3#F9T|H#V z0t2;gjrdjBzgxINuZ8)-w}>adp&r-#Z2!A0xt6W`}IPW)YZ4z))Dr31(f?r^`f1*GG{9) za#4@xc2Tfb(?fE7>_W(wdt80>HVR{$ol^=SnTM%wF7v?S*^44RuE1l6{j~SMpqtW!RAWz#e3M!vRfhn+j z&$wQ`g^7`j&@UVg#J-y1mK=m<>T+fuEEsvM#GDznhhW~jK#EF9BLq{Av%9?Y`Dq+e zD74;==`dBYS|rGLl7Q}hqdkLM)V{ujC^u#T3jxTbZfuF0`FSoZ2@C+lnQioxxDIdu z38N_W0rf+xkwlQg3n^AhU75cu=lJH6hm+yzLV@^#c!_R@R>css-ew^lHtYEdni&=F z?^CdLgBArmCnY&fHAHr8SJJmZPz`A4Ti;!>>2eV+xaaPotk^py@iawTTX57casp9* z3A=obox5SWZy&Da+(3!So6s4h6W;pBaAxRUvWJ4aCo%%8$at0lM+HIi7sYbD;Ji7o zJ4}MHi!OWFj|fHRf@1gWXzCBxwPKnv()Aj7MHOjZVqyB)M{gSXf41KXG-Gpy75(A@ zs^qxwjB)50bQjPMnWpTrxtyN~PUn`_6f$KM7w=+-c&021fw=q$@Xh|jgu$C^<;6oE z7T?N!XDDfE({dA+H_{;7Rdf|~m^C2dvuMN(Grawvh(sf#vOhg>{Bt}|h;E0xd?4q^ zxK5iEHEJa<2yU`_%MW8>2E3rA1-pW=39T}hWLtIIXDNh2q`|;F8^Di!H5f%=WG_S7JF6$tiq+__klk) zKUAQDpCbTw0w@H(We4DRWQ(BEHgpgYl>N*^DtZy9HNiNEF@b)AP#(B=I6}l`C#udS z2XGMbF}Jjyz3Q^*$isk8nrxdYdI^lacdeA;>E?9lBy}lsCC8H_lll3flde%&xrOEd zZogg|ihD`iZoHFDZ!SG6=q&$>0CUcB@N?>K3# z%bFBUMK$+|9!gPoGqwPjUxJJlY$r!+n%YWm$>Ks5z}8s`?QhFd5i)O%O&;DVJ~%YM z%<KA>y<1pFJTC}=f-LG|R{;_FE$4JwW9ZdMPKwSu*Z{F^ z0t{-Im>^a73OTnmn_+*hJ9;Eexp?^PoiXRVVM6?#L8;7smDbt3qfs>A(+?hsce)Ra znW4bb9>?Fq;sTr&mt~W*;l^`LGNq8OgH?m?t1t5@3=!QZ%{P|i5q>~(M}-yybaQTc 
zwUvt1%2M#;=LHmrh5^?Yq9bJ6nUKi0=UOO9uwLK)UXZ?*DNPBKqprF$q)se|(B zZ-D4NOdZ|G0?MHf%5$k+EhycA8H=N!mN22P7lE0RVS}_S#ODBVmiiUCJXy^J#*L&p zpr_pwR)<8AK}fcn8qyt@omaUJv$l+h^MPa;R3(eLsN)^+5%i98i_D5-GKH9FU&a#9 z8)0$1IfAOrQbIpqPq8=KCL@&WP3>sHu~{u9C7`d7kX-zbrT|xlUUlomr_en29BDLW zNJ6YADCS;%cmWXYzg_(Rc+3Y;Pw>QX5!bf7KP?UQC*Q^_b+A4wXnsIqnTSAGw{UIeiGUHZeJV1Kg8=BbYRg0L zP!HbRdb-}qpie83&5Xwe?)XF{8lxLOHM^a~JH@iut4hu@mb7Fe>*2*BRTr^4c`UQU z9u`Ars_+T$JX`|9SzEuuDf84XPA^}cu4pwW-@o}5`%l2pThrc@L1gl3xK+bw1P~i5 zK`u9YcJZj?PjZ!*ZAAm)w;2*miaf%%dH5#3BiMyt^dYNZ&2!lV>Exj=XE8An<;JSW z0z!dgehv1kwQ>$*xVq=n=|936gP#RLXv=Da?g;qys$MX>!0G0>j$pFvCIaK*CS37# z%9+KuRa3(@F7f3NENT9Qj?@$1fJX}Vhtv!mNszHM%r2?ModHzNK@WN{2+an>(b~?U zAD2_T*=d5)Og@|qL&e)J+1)2;qz8sR4@gYU0_D!-)LW$L-<#F$7;q>;jl&DQ8+WwZ zuL>jWy>9&KMN(sgEPfA+96_3o7wS8r3cWpBR*HUtd)DfPhO)*Gmzhpd_ z5fXLk5Hx5Bom>g6ZB_74efdFns^;Bu5h2}j_3O;ov$NMt!lf;rP&)5ls_Q1a|ISAU; zib=$?W>RgixDAvXIKl`?pSw8@g)xS`;!$W0ep3VqAAu8D^sn5Si>pt=@3^Gv8=(m! zm9sg9*t{$9)@ z2pII%vu=QOgeNV?`khtc&jr^iF>Bnn;aISiXAmY>SC!{cOT06S-7=A4v4^7DgtZBz zlOtQhFTO8DnR)dQR@m1`U0Hs!i-d&~Ffk`lLou#!+OdJcPz(5}Hix86-5}=&m=2)! 
zU~{Z{Nt7?kl%a*Sm?}ZnG7I!K6yYW#6ny!GpX=e=y?J;0yyK|i;10_8{dubOh_4AW zimKr{$q=eDl}4m&6M6jd7M)3FnHsD;EF{^3on3QE>3B;4*Q$c(_w}iykBk?bOGyW7~a@L5$ffYU~)V{^y*6iO;8a-;R&|H+YnX4bQsh zte$idKKJFg1W-W@i1z!CD+GV-(uF(8^#JM?c%j*_^7fP_$`s-4R8AF4S4x&$^9O4J zaKrOMkEiH$HAH1u_kjmzF3 zIZB18k<$o2+>CqcK=3H>pwzVirQ!d9z`r}DLLn@%(cUBsCwHS2UmYe47vD{p!Dfj$ zL8sTglNWFVwOZtE&rRFmv1F?eG$4#>YiD3U^!rX8D7q|v%=Ma~A|b`Jw;GCvGBm`B zk`Gr)48}Iq9S+9YX${qY?&+s+e;Dy^J4YX=CX#ntoU&GBSpgu9Fdffntmr&C0(J7vez2mXvv985eI_eaEMlE`> z+4INI8^1fGJVZ$hXe;duf`8@fn|#sV_)1J!UnX+Fh=6W+wPA#qo-I-Fr1qL#>gcI- zW?04o)|rN7+Dtb`erK3f#et+(h2ofDRUZtm*06SXH=gtu`Gf-0y;p4$AMk45@79lB z(T)@PfWsJ{5W!qZvM$EB&tGmR$sdBBt?Oz?`hH)K<7I-85_AS7(}=KCe%7R`>UJ&I zho{M;6A|mL_mN8J(?b)TGPwaujgsz!z6GX5q0|jaq|DLb`I`__L-0~wSvcGXIWESO ziRk=nOO~)4I-~L9?|#Jk=1K)vmom|`bcN$s00SyJUr>62R0KcT)DtesG#vA+I6Z45$1M%b)enmcxh^>0VVM{ncr-o$i19<*9;;Us#XNo0z>YLo?hvgXUuB^c1ikK zG3bgUVmrzK2`7j^{3jwbv%=WD-$ey+PPiws?OMSpP`P2svn_0Mds`(_jVD6i)sLW7I#Rb;675yQn+FY2GMtoR+5k)qdcFW z>A=4amAeW8W$buh*ei9)5F#QE5Q}3YvWd3b5CS4^6oNEF*K%>s)?`WJF6 zw$+`FB3@wo$XEx~u3`x#gsBO#Q|Cc)i7SQf+Zy^oe#zfB2ApG710IQcF@D#Mu<*Z> z?+b+}U0_zn6ZCVMi?*tT=T$e($fH}LNH^|2di+9Luy$U*^}Y1uhapMZK%>UeA5pZ8 z83-ypS{T3yPv31;j+Jm1T5Beyt-OnQsH=JZdD_MZ0!?jYj>CWhya%!xB_f5za$#do z*vgTsteL*39l({i-`Md-ij@TkGc%=H-H#+b39W(>9-%W#j%`#kW;?N6WAoA!A#IF~ z9oY(xv5Z#3;3q#@Qvh_nVJAO~Y{8{x!%~fwc#n=u7$Zv}0Ka9Df26sIfC8?uvr`O(zl@dLDmvXku8ITC`2hCQAh^$4H*`kkkA1n!@wRw_>!sw*9b>mR&&K3PUUDa`} zEr=!qxFT7Y1Nda|94g?VSt(wj!S+gPZ zmU@4i@M$`N(v!KQ`LY2HSifH@ShN^4-t#WGegp3Gyf6G0sF&^kAWnhpe~DB07c2d@ zQ18F){lAZT{}D3&@1%=AzcJF|Gc*4K!GF&5^Nkswh3%jG1%)5X`w!_gwlVtW2rTUX zuB?%X`KPD(f9zA3)U>qS7()G=(q)L+L?tn8JAldE@=zqR4{Q|IDwhZ@knvwKivzP? 
zTlic4-C&A)4A&-PUhd3`64K-aLwCI~+!l-ZRaLz>ZSlPNuF>UPL-~CDsi{>VvH9ZY zJEQE(Ve$Bs{q~^Ju=!ORp{1;% zyj`*Wqi`m}`beu#_*31t5X$Z>wOR&r5Be^%Y z)cSa9RO@SZ4&hN>%=P5!nhLc~K=2XVBMVJ-&l%--5=HSi)96Atc1|x2e;K?BRk6@E)h)btUj62p+c!GX6VDGGYLj+Oxp}P6TLG z?lSC+Te8%2EslBa9%6yp5_`c;_&q|qro|RW!DrzzvF6vz?g5jB^ z*;V;urZWML?OVA%b-Y_JRvH$;Y=Jcczj<*N!X8-5)*+CK93qq^5c3)&teZl*JT0X0 zpAN?PFB{2Z%6HwuGYlu+cZrHOqKi)}B&gz~{G}xjVgsx0| zad!*Kn;_f%?^a*r<^xk zjagz;I0=^XP`w`?RZF88ix`jtMykfanv^8$g4Jo`ga{dF;{%__bNYKvXk_EY++ms5 zKsd??&(MWB#wVgzFvgG>*0pzEbAYA=42dN6F4GI>8Wy3#6daz^oW-8fPn@mO0GoL+<~UEM{(Qe29Y4?+PCPPThUWq3S}&D0W~ud`9U>sVin1b{9`QbDcy*xIP`#2}jB21qzq>bVHs@ zAG0}bj6%7m!N&t5&A%r(GobO<$5tW47*)SQCnSrBtI{4Uk;aA?&jM0_VbXyYfpGBl zT^xnAf=*2{n)Cn}7gJOMgO0L2^%^UFd+_JiTnCuuOC@o5VUyoxOU6ukYB(8NJ@>qp zAiQm8j}YEN2a-%&i;Z!m10G8a1x0n9Mw&GdfeNAxL#Su=3;eQ`Lbe`ycNL676O&F1 zhMzgp>-7P`o1q*t$$cL2JoNJ;LqG7Vierfn!MN~Ag+7EeWwh97c%I_}6OrG+792hG z_MrjsfeJkAlkQ&aujDQ--Y|&X4TTxrw`QFle2`0S#$LmftWrykB!N)>#r(~gluyy? z2+(3P6Uo0!M*<$rTL>efU30gsIKEea@&W4X_E+Y6B9uh*y)OL{mCF_RdFe>m=TmBn zRCa5n)q#`C6CY#^qv6jaJKGM^;;fPoWUb$aLd5Y&;jA(T^?YXg$_8T9Nqs;Je=%Uw z-;&N>zY8FUu|+OLI-!f*WLO*qv}xNO?_nQFQUqF%|BBpQbw$|j{Sv2}-2L(;yrVYa z9omTr(B;8h2DWI!4NJ!zBn3*ABdkZmJccJ;v4J8$evCkfP|{J*B^jh}21j_b5aMkZ zN8e!Nvzicq4)qGu8u>*u%e(Df|3lp}TNA)Xs5$u24Vsq4NEQmMd1G#-Kt(s-fIS_p9An9NC+<0Z1M$LAub2g`~hGpy* z>*?(`vTejc-!jMF*mxRai-q2M~{>eV5PQxui z$?s9T+)c_U0*CAhodo~rF=~ef>Tl(s9FzAnZM3SNOulH$uu}09ADSFuL6TsJ z4xH7h0)X}>gajXY5-4ZBXDFH}L}rPH)`vrnm7+5mIxS*N7IoXAxn)z=Z+7U!Pi%H< z=^f1g^tbv@fUfHb<=ZtVwBNG?4%r~r#cjcu*!Wmt_~ezDWi(%;Le>bz3@ENOQ&e`> z@I@__RW_fGxuoNQc*XgE(**L{xvJ20{<6gHYF6P!bz;@^(YD3(1~tc?zqdTv$-xg^ zP=Z-InH+3QE0?fBrS=51&FIH7m7RzKk=JqN-lOzw;|r>{N?4J|Ac=;}ZoP7RNcMiD z!oCGU#>*jscl|WJ6LA@t+!z1jl>chOaa?5GuT5RI`gi3q=90XALcGtB^{u>ZRLPy3 zhncqn(JuC(A4yUr3T=o2p<9HQ3Val2RuUrt)izK=rC0+pW6|%fzBgcoHGT=J_V>x^ z;)ZqUyI;&o@nH+o$8!{SUlh++fxf7%RI^ys^E4Pg(=H9xAln81jDjM|JzO%hm;*=I zv-p;DZltxqY&rHoa)BOKU4N3V=Y)b;L4j3)^uSZyf_CT!=L89r0W*>Y+uWPClDsw7 
z{k9#$+gJHrOqlqYkAswF%cV6PJCv1newQ5X?Fl%=93lL94s^k$zjiSpqtD!_(}S1hzB2W}?V?`{YF=sxfYyP38`G`hgjKZ69sO5_!?Wtb*H&m6SoZ>hiTyi9 z3#aJ=$919E!)QkQ*;T%#$z-P_1kSefTG&`er;Hu40>at|j={bw7*@C#^w5(91dwHX zV92aj_0N-F1}L6XR-+YT(Nlr%b+CAy@mK+T5Yjw7Tp+u@^yp(7c~K??$4>m62y!Hu zGDFOt4Z=w5P;hKw--d{?R>P?zFGQh6QZUPBFNV8_+urtUfPT{*YI{A9`dVKRAJ3!L zYuU%S@mJUjfOK%L^0@CcYFx!% zECz2S^njiPzF_IVhQy8HG9p5W-3+2^Jo$0O_DrI*ae=dk>6FhY)rDp1(@>W%C%{H# z&rO(2@Z`~IlF+gApCNj>tXqV4FriO41+z1l^*AtYo2yW>nmkKn!mYc}P#YrGVa^JJ zGIluT)n$3wrR;t=p|X>4-tsOu?%RRzTX;u^Y|(c`ODiEkBWLKo#R1ovaX+7u?ZR)j zC3zdq{KAMy&l>y5)JBgIRY&xeGLF9?O&$!|A_|btYcYzHp^CSd8A~@=Y1V3yrl>ZX zAf30VbKk64Cw=g<^VP$Mdyro;YvuKbn1M2lX}d?**VK9UC{3ND zm75UgT8E^umXBfn$&=LUr3qA(2#bcq^fD7ole6qYjzSco`gB{MZI8o;f)vy`Ju#mE zMpHZGzj^{O{Y;sI7)<&opvIg^rK%t8SU(%D(dBwMGmKGHt01J*AU9YNX5OgIbKiaz z_1n;Z7aKpHeT5RvVH7qW6y1`O2 z1qPL}(CBE#iJ{XVv~hd5=oBoYwkF2_+)M9>LDzGEr>NMI?oZJ9(nj|XzBRO0PPTw#@BhQReRU> zn=f{pZ2f;R=(7JGXqwpn7fsW@Ccgjupi3uUV`J;&h|j|Q&shD>xcJ{^#ee?m|KEe} z|1{kGH!`64bDV#)PzpcS|Csz)*#9v+D&TAXzo+B)cPHVWctZC7Gzm9py~h#_+kbg~ zMdVjywQ|teZV`9Q&Z8l$Fu*}gasFz<2ModpApn(o_y&GGyH$3Tou+NuU;??6PE=m} z`RJb(|Hn!OMTqc*1p9`y}&vLB-?!B;)O>!2PjaL|yiO$vl`n z=f)rPZ}M$7eXn-Ed%s_DEq-XQlosGIQP^uYOtvl_5LqJU#yQ8G&G@ z*4$cyN@GrZ=J`vu3~*@I?7}Aey|HTROwo22ec!jC~v3d+) zt3;#utQ5zYu4i*6yRp0dlC5u{@9hQ09K-_;B>rgYX(#rOO^JPgBQqS(_GeccSZo4& z(eSPp_J(p><1y^qTZtb@^o}A&Q@2^tt?Jrv%V7!k0&c%MPRyoa zT#g-qF#GcW6c&;Sn5~gnpm1;T2)9EPJBi!S<&CybHkb6)zZu$b^|<8bg(X!}DDlNY zr7vYZhI@Bo*EY9av1E*uIZ$7(vHks2-*0K}9cpg1g#a#Q>;vh@w_%)Xz(`LP+@=5# zsjMnpqJAgk?TZ1px9CPdSVI$&z#cxLpDs}qAfUU+!U<-&k_XSFH2mhbC-nV^ZJfvp zGI;E@#|Hdi#ZVvkDe)1)44*V?OUfGuq_0Q2ZmgTGa z^SwVxfU!p~pR%nl1I1UGrjedS!m4=iy|p}|z@l2F;@`JiM!ARVuB zReHn~etdKNdFN4nAN=(V#KBKhXPG^dIMZz2jt>0DZ(bqXv@3lM!kX^?`2=wiE{&gn0)Mrz@!IZ_d zEoYjsTPPUXKDbeoQX1y17%Fe>&-Kt%ZI*+1H#`5!7QS^3TXFB7zdz}Rz|l6vnSZ-z z#@_DTP8dF`hVM$wD)2bdY6)OT@yD$gF~7tY6%TKt$rcbJO$z(^VQ1%L$D_0XtDM@z zj+8I0_qnobp~EjDnwZl94_HOaC!W1}CQ5FnSpE9R!v$XU(B@O_z1Uq=kix3&^~N1q 
zxv)zemvhm}AV!@k)F_83!Q>#H>82R0R|7TOljXmI=PyY+@xv1OM&`RI%(pcrBr)6Q&! zSnz}Z*Hi7y;eHwAGJD1_eS1&I2nm+l`*{z)x>cY~Fx9Q_Y~R@4aSVCzKfslef_YxW zp8@m47MC>jH;B?1TJ}%h4jpsu0K4FZbgSDEXsH;+cLf)Tx(=Xqw-^svUY@wHQ+PMl z;M|mOQ_S$tRq@d8EK;KaZ|O6Qh9IxYuuAIhYx0^uS>}D#m=@6xJJov(ADLq9eX$!J zcU-fDxC!>~`1Y~q)B%Z9t1^6=jokEr(&H25-QFnr1+e;BK}E@-?3e)}8!_kX!RZIk zV`!HucS70(<6mbX7-ge}p&%I50h`Zx_TnRu%F7sn^mkrrCveaAh{s`63lfK%BU~cL zN1)IIh`JdK!;BIO^=p#7=yz zW6q$Cj&CR@LPR6~X^WDiPX!58)Lb7{xREMJ1npQ)lX+{)kin>vy&z5r=iAlV@k*&W zK}0)*+gV;=)X%VX-n6=k=ACtR=i~rvi(#sjZhulYF;o=yP>~8=3@B$)yJUGK9eZFL zUu^z1H})+5VNI$pUCiBhDI)Miw7-5{+K+li`As(1v410r4ZxAlIWBxVqB*kAFD+tdEPyP*ogd&py;XpW=&J691j`$GhX9Px`KP37@O({=O zMbeH(dY0@dkBI_DJZnT-g1$=G1>n&KI0#x50uUOgC0LHU%MXJDi^Ud(U1Xx^q$gt# zE4!<=78H2I!3M_2&Te0t$?^Jhxy)v@GWmH+FVmW3w_QWb`Z~s4k3D3TV*6{JS6`~> z?uw>Gb+g%%f!Obop|zqIR!og?*=6Kw>bes*;AC^zx3lD-{7`luGt~6g-Lj7caKORG zfL^qmNl}s9)d4l7S<_)SK1cOKT88RRik*?`-i|EF2xOZbvSpT9;6K=8Gjxm z+DCNR31I-QQ4%E5X;LHrek;f%tv|K|G5$^BM&w$sC!!~ZTJ&t>8s!-^x|&?m*&gvBh^)s z1G?ie^p=Y)SJq?>S3#cmJ0_qfp5mnW37nyCNhqUojWAMV`3PVLh9iJ|S{z6uv$e5! z!2{&)k*PS@ivVH{J__bh1-SIiAYvl|_Y(g<%4sB!zsrCfsl(}s^|=o9DGZa{<{EW? 
ze>*^i)II&aGcad+Duy6>dua)=WI@kfz0P8mIo)*IhkdZ?G6)u7@$O}z;>ag*OD}HC zP^h8GFxBGOsHjB_h{9n@Osm!PaUPV?BH|DIz=v{!)I3F=ht0qNvE6&>#* z?B8lN9{8N=E4UHcYQwZAs8O7krC2Zbo^!8^|D5cc8SRod33X48bF?Me;pE8ln@ZYA zPW6V>b@fj0mcuI6 zNHf*1WOgb+#uz1mHb3efZGJgRO=fzmMG3T^xd#~kw({Z!OLrT-dK{d9z8~lI$!d(G z$f)}k`5)CI>W(HZ%R)0I7dF0qy2sIEcxU}cCJcM=#4nz8d!kpoxXXDt(+*RYj_g&J z+knUf#)fae3R=?(ok=xb(#LM1rY!#f(7*n{uG3nM{||BR0Z;YY|BsilWn`r!$xOysR+2p< z$=Hm2A@5kNkK3wPhyvFN# zzUFnk4|YO{mFX3dWblq(6-h7_kZqm0tvaCVTPxy2l`j3p0cUl@clIQ1DsfvUf$hzj zXdwrm)o1l}*XRPWq*O7~X+&1*N}lyFBvKh`bfmHSYUWSm^;eZfK5=qf;T>(tkd&6yUhRccNTngKyw zJLOOh^Osi$t8&Md6b;NE_TQDIN1|k=XgXzUN$2u9jIX|nkhw&0k1D6GDWqHfXMRz- z9OXOlE=IG;I|QHJhdupzynj+QF!({|;cM=GR4b(!_vG+q+lUY1&BjzsAGYQVHM2b# zaG*|g0Xs9Bnw2w`tLpYOtf2x+Dys4TC1d?CO<`iq+NaX*OG1C#Vd*`=n@nJkmvIT& zRyYdjGGwbhh!aXoUH72>p1y4o?DFgC9?_3{@VBCAr&Si__n%XG-*m6;Ri(5@nM%Y; zgie+#_1%llbaOm=FXL6=yVP)PTIv+On~84p%%C{Klc_AAMy6>c!^eW99Uc)K`K4VF zC*mYbu1=4en@LAla|>6Ff#e7tG^^+)0o9?@+e`*gf!y@11+3&SpFmw{bB^lku^uF; zeh0`oTC3v*L%Pm+)wRLt+v&1_>IdwP*?|=ACoGxu(-4GP$3c%fZ+sq?+4376_lGx) z->ip!@~?7&)Zni zoS2d?FTWP^ZsFO7n}i8ppRKP4xn6B(DRguSTWB7Qu9!={zWGe=+s6YEJr|fdJ}y*L z3eHm>SS#XKd~xT*+SH~*sL4}o6O~>FMT1VV)osv)=O^jLlH%HRL$nlnt$07*zt7Q? zd~LlkEXl9XJX<`lpqAYQS4FRI%r59QvtQgWbs>Yl`nXi*slutMjju5;i^eRnAFuZp ztDX#Oq=De~;UCf(fLQ zW)nxn>PEaAG7fp$TiN zM+0k0ZM{!)w#%*$3gXks{8{x7gfw zqYgy1KQ+^b%5$b(I#eQE6FaqbhBu@>Nv&LN*4*-Zm(#a64TV<&s$z_pE-!AEb)Q+` zQzO@8=a+d>Xu;i#{b9b*yvM{cmmw_9r`P$n|B%AFHl zc9wzMPwdB>7nR4~UgnDu;BYp zCO$|@BVivy{;-U(XGxNxfu`VT)p52muq2(dOwEa<;XU41-O?kGI#!?}GSIJS>kHy|ce1Kbc?gSR zIn*k5m_Rd(no;q=;pH^?hz&8Hv*t_o<6ROrgI-<4BBBx|TcW$HZT5gai!H8zh^{Fa zw?wt8QX`8fmJ91B|Bbrvqpv11k60A3x)n$2D;k{3@l6dlC(-SH4p-{U49yW;+`AdA z66$Yre1kOy7jP{H6B8<^XL#O)9K3hR-2PoatSt+dPqOZV@+Hy7$K0S2qB&QsZ<@Uy zT&w%g-ARS73$GZc82Q$i{pj7(QQ6?b^i%6S51U8tY_+neeP7apQNKAk^0Be-NXgf5 z*9vK}V%^w9{OkGB%|wBtPWe}C)Ku|bKhHl(r)8ruxi$_ysh}gKx8RY}i zrEE%c0;d^@8O$1j%adp|oB9aB-Tb!%q8>z5UuEPX5TPG*JzgBOY4%Z9@n+jn_h}W? 
zgW*%wnSv3DvkgRC%5d|LdzN{C;U-P!{9P8}$z)A7UxPTji$K(@({7s%+D=?0>%7oFCj0@w*dX z-q^9yFVRL-8*ryhBs0qb*XkZA-Svp$bb-2}2W}Kc{WOzN7ce>Ib%5wld_4V}Mp{M5 zxzeLG2W5}Gw=%tQQ#x2w^vzKwaYmA>VS*6_kCc;>mBn0DH(2Etoj5vwa9=5$kTA7n zF}Oh)bJ!rEV2DumvQKKcvS|3r;T98vn?Vn-vkuDP*>_+)mB2dazj)iahR$08KVov= zF!u#-7C-WoGna~gzHpDP^ZZaW4oN% z`jy7Qb4$L}@|w?5t6PpRjl8}1;sx=PnByDPi}Q)G=3y!dLZ=qJ1y5-mk zWMvf7r=RGP=e@kraN)(-mtMK|my@7^rWr-5vwZi?N0j*TjePUT}9((tl_-;iy@Flr|ByfJf?N8tqOc9)n1P3@vd}g zG_)``&jWQn_&l3{D&&5g+0t32GfAZ^)c| zd#(uDeq$y(dYIm8Z}fb7kGPOfzR4dh1+>8M|sO+$Cek(kkLNIyGv>+ z>=r$)ew6%h`hAYTZowl;8)D8RR^a>$V~zTS_=&Q-*=d5<$07K>Tv5VbB$#hbLU7D(^irMV z8=s(SlJ3SEV~{Yig1wklVY3RN%J^_B_V$}&@4{J~p%sVI@!!AE@EJC{o-!9U&v^4q zr9^#C-07NhB0O=BMy=Zw*pG`{HU`Mhyn~~?v4Pd^AU!uA1+m{Xh5Wxt-js|TY@F;3 zjp2z5{yixWWT^lDPJsYY9?0+h|DW>MmDT{}DSl6Z13j0bfxWS{BYeQyg?{jR8J*xC z`RKXi%#9rAwdl8}23|CXNPK{|fAAxJ5P-P1zXJkor%6EY@N%g#zzx z#Ha_*Ul&9|e;urc@@)44x}B6Ffb##!(r|CD84R@DXBcQZ83pXd_FJ-c)&`?)z~JSO zh|$3yza9_S9z6{CW-cWH81gnu_}`JY2*7_LOH2{TqwV&)x`C8947veAtp|*Mdy;oQ z4$+l;A17~YWNsj8<4UiE_!?)_}GBLoD#bjW3bcN+c|_-6vx zudT5gZSPWw88{kP+L$85$rQPLeo2$6vAu)2jWs_z?*=RGJOSv$KP>;62=aG_W}s0_H^g7WD-fXs3(tB;GGE0Dgf74B~`O z1>hT~`dqCYA>Y-WmxmLwt34F7lh^z|M!*C8;~QXPDJ|M#2Js@K9PQ>%(2fY8+aCyW ziO~jtK>jk|-Ae{Rast{<2cd3C{Xe?D`{_{d@AchRe)h~h2!6jR2Ga>aQXAUc2lM|< z8t>bm-Q5Qx^U3Hx9kZziBP+PkemaB)v%aG)EkSFgz`PiV4H$+XOZ5AWOvt0(9J4(I z;X#lf+D`}njS~J40;IY^`{^K*Re|2Tb0ZiO?WaQl{I{cDfdmMF6DDLACxei+5oiNI z003z05E$e)`|T)PV1K|MxI#h5?QhBl=!hLvyz3iK7$=eget(1aHzn*S?Oor1f&Tmk zKyB^lVc<9ZP+Nc*`eiunYP?6Mpw6VAse@q171>?_^d78iek?Fi+-$db$g#{P^ zXmke5i;*0Fkil*Ar3|y?P{798&rpUt1DrevqXo6qVF0>9j~rlpzm3zK49NfD{=bE- zch5cu`4R2;fdB#|Xe<^KvwZ?!eza%`5dTN3J@jv0{T`A6C{nZ#AecogVUXXE;{D=H zFdi@`GH#BNA1E@n^FP*W&k(?1%r*>WObEej_ku8#AAq*rPci;MgHQks?#G(oJ<|zB z9p*#J*Z^Y~3&6~1hG3@RAegB*FlN3Pe6CPB3yqx)I?`FLPDc6U?h>D-5I#6gOY>& zRNNn15Q5o;f?&8qFmo#*sMl$twYy;eZr#_Y-jm~o0Av`AsfYe;>i3X06yO-6X*vFF zpX|W^VV2#5$Ad8u2ry<@12ASm8xSCEfW`uVFxy!W3=@g~Hx7-?K)5ktG#J3FhW#qc 
z0os9Z&z2KeQH8P3)Q~*XID_9MLjjVPHUvWS?3e5Fg}^)HMtSuw#E!ZS9gxq@9ZrOc;R1 z_lv1Oc=w1hX2uH?Gf{>DqJ#UHnR`=UFhDg6dYcgj@XPj9F1t4)2oQ}%Lx!M#D^A$M z`jEf*LVxrJvuXnnX4@BpAvyeQw7dHb0eD$x%q9GaMU;X=r#XgoP?*`(5I_k78l3@S zCN>}pIUEp`LZdSf%nF-8m@N~$L=lr^0{_h}+AT9MKy3tio;eu9cqTG`fVLS91K1Ym zQ6>x-c-jWoFVY03us`Z4VF2%Tr^Xh@;(wU>FhCk~zqB$uan6ZM7NB?^`nM#>9+ras zEl;xN8z9Vz??8YU5*i{60vNyOGzaKKG@65vGKjWJfVqFWW@tPe2CxIrSYANY23l4F z1mLQm(HjV6Qv<=wjex>_PtATBeQ(4aj9HKygqe~6W7ZsmS;+txL*~TLFZkQ8-OZd3 zfS92n2Vj6Dg+_B2z_Qyf&IFG~{*fw!0^;ZU1qDI8P|iO_fEg#i0BgHn2@e!bw8+9p z6c54xvbG;J^YDTHpk@eW%m4*+Y2UEH?g0Zx4Xv#XtaJZs!WjBDy||ac0p>UwA^`#@ zIy9OCO7+khEC@4s1_8tko!+)*YDm3AVAU^o#ud|Lo}L$F$;J@ z0jVT3>;@>nDBn3t`ac{-5N2635Fq)B#!x|+MH|2XI{=NRg8_9L=rjko>*zGcY-Yfi zcpS+pHd2xcM=1sEmhks$;im*`CA-xTleEeOF(&|rX^(|*hhKXLbG z0X|@#?DvhmCHsK+M~l?}tbkT~D8K_jW9I_27g~>p0fKG&1-tiV5TJjnQrRP;aJLFm zW(LeE8d3xTh$$M);o1__pZ&P=&r=G3`s@AN(!J*c!I;L>|Dw5eZvqfz$8JCXy^F@= zfHAY(z?cyV7_;;N7{jPHz&%D|s8B$vYQG4@ABH3d5NJl@=@86viy%PZI2um}1c1@n z=U~h_5B{4mwOb@1n296=V9ug3Rwy9Kv)=~XTPy|vl<}eg00V3hGzvGNe=FzO!+o#E*j0@>IJ2(&}j}R??acNDUaXGzJ8aazbNfpa6;A*Nyn|{2c_d4F~}Q6w&Ao1he2E z;0Oj3i3C7vRk1;F=G)Zpga3U zn|41P1}OR6&+yt?f($T9(OLsQ`2$+*p?{0M>{VEp1ua3Ci6{s#05l{T?xkU}+aVZw z-G4b_`G=hh!7OeE7jBIDj+u@C11udhCK8O9;|a#B)(QqNi}q7k@G^lv3PZt|O+6U1 zBOzeSh!BjK3_}3*=x9tmyp#|lIl!!b3gE+|MF+{W0!{PkEvN8~koSLwM_lw`L5hX=VHz?X4t{|50*Rx?LOTL%FyE*BRU zP9t*%15PV*OD=0;M;9A=3l0ZkduMa_HJDsZhK4q5sCzU~k%gVHB1+o+>sa~u5OoZ2 zYZrboApBqgJgox1!VaEQ+C9>pqB#WO{~9S`+w30c&PGCw)X>4+kki`S!I9I{#+l31 z-p0w+f$OTWJeQ%Bvn>~3lsiV_&L|Po{9i{2KY0(QM|emZG1y-#3O5coVLZFXxkLYd z8z-V~yT`fHThuraD{5_SV9Q}>Xzc93X=88tdvH*cp4k~3BBB2u2e*Cj30{W}9}PVi z%*P40{lOp}_>bLV+o>7&+t{`pcA%W^geXyC+r5UiPS-5W4Gj>I@4#hb>}UWNVFz0- zK5lLf7=+8-*qH;yWnyk^V2N5>D2iWq#*c`~{>SmdZ)re|964lqcwG%*yTVgg@E^M; zU?=kXw+TQT>fXJ$JIB2LKbrs$$^`y30Z489A144FB0yBu!=t5$Y%rpL5-#iTs}SMr zwQB-U8vid7@ax`IfCQk97@{U%d(Alw-L4tiBRR{#(cIL5%Ng-%dV3CAdmA`yIiS`X zgo;ujpv8?H9O<_&%lMBY{&m(5j5JZ;0WAbw^FZLN4ID2BRk?ryg&}SKe*;B&Gdq~b 
zvt7GEcL?t{C~~d;4Rreq*$yhA!elonke`v$yIt}2Z=lFRmK{tuS@P~u3LsR(g}QfDQEmhP6=6^O8|u!gA{h%= z)39q*QQpOGP$X~uM^F&_!Y=qDw`(VMCKv|Yv#fgs7#RWiM^q#bYKD2>T59)L_ewCb zl;s~$5jZGNWPRjr)SYnV?-~Aesr7#{9O1GH_t}0~r#myuzl)SmDJlTswlVRa5Pz*H z{AkthO@pju1r8Gxzye_YgYf>s+%B2@HA)ct9#GIOdO%e^{02o~_k4AM9KkBhpk#^E=FBJ7qONkU#6xeIj1wEjI(WMRjD z1pOtx@G}_*?`{W`pC2CW*o6vo1-6HZERX(=sK4eH39|zVzo;0_7rQ|BaxXF%{vSbq z4Rsp_g$hP!*j=c5xfhwC{YO+J4hj`+q(OI&buafKLks_iio`*o!Vux@U1LQM-;U3| zy{yOp~)|0^mKS#=A)T@Rtqe~B;{uHJU@5~`XEfco#e zzm0=J<>&c>m{94>->Arf@Bcd1ZL0--$O&=%*{`v}ZwdZ`nNTq%0P4Stb$f=laZsq> zKV2$R?Z9tTtp4C8RNNha`Y$_Yd%teupisfwe{d5jKm8jOd9LE$#tOgZ z3XX$9g*&jjjV4sF9RT$o%)?*n3Ps|eP~o2PZmS7ZrVBv*_nm_XU;Z|m;N_TqgnLj) z_ur_<(xQKyVI&S}th|T_3{bzK&XxdB|ACvf%_jK0hKO9$FY3vkc8|rhef#jgVIojakZ@hI z+g?HyJ^mgi(wO--Oe72n6b3)c0URePaR|WtXBmPaP*9NY6#8yk2~~{)!2Aap`n8@& z7!)Y)A3+aPoeKc-A6&R?xrHH6P>}HK&TcM3ozD7=`RnGD|71J-8YdEF2NeEtt6i(P z$9>zr*z}(y2=M}~Uv$8Oi~{dM+~c}!pHTUah}-kJ4TA!OXBqwwpgo%tf=sOb8z>S6 z1q$chT`ts4UIww2+gUkD8~EGAerGk6?VXIb{~&7MV7&cD5yXGQ*pQ)rxkX7hbYG0 zX~zq%u|@pb`5U}MhXC=~E5x;Ch<}JTcp=Jm5YIvUL_Q1tY{c^rpAp|h{6stx(FXAy z#P<>Z;GYTje|<(h2k|V#KX_X{M4MlqLEOK7x%0=JpU4MoHzL?+yz{r6&xpYw+5z9# zwmow@-sdG_Yg0!vWU87=(%jM!o~GuKv@~!u7B@!DGd%zD>jjFg2X&%fhbD4UNPZRc zyVv!S73WZV1nFC|+=!y-u!OaPcyV|+2gREhY(`gyjj~jzO_vQeztI`Kt6C6Rd}ZL2 zxY*jgFh2XuU@q1*nN#k>@M*d`AQ?#Ck$LyaYxx&o4n+pbTkg8!=DcfBdASW0uSsI> z_kEnD)2*B#y*SffmKoH_O*j0au&??;zux4Ai{MK;C!rjRzL&}NdI=jA4tK2$6$D&#`E8RWvqWGMD9--WNI@U3oZDOv2 zzZjIJkbCaTt*>s%MB?-~FYn_us6L^`0;!w}6lP1TV!}#qKkmhV^+ef|8LM;6DnPgm z=1za>YrL9epzy~_PtIU<%1SUie%fbt`S2Jy$d>9>b1tndrMMHNE#=5PCA@Ni#WEh6 zKKS}|tIbfu1E}YIo zqeiTK#pSk(wPFiTJ*;M9Hs4+wJN@kx4~-*}UdxH-q7d7Uudf#kyq6{-mimT$>sIqX z0O2+Lj7Q~xI5GUR&+mKQ;rG%}JRvVJih06rZPRsJvV^<8;OxC7g0l|RKR*{<)~b0BrYGs4LA6D- zmQr*o(3|wdv5VfutI#~3W!%zZ7swD51-swTiQv`W@sZ!00$>CrLns(nA&Mye7nLA| z+0=m^y3Hw~$d?~-Aa11LKokJNuiE6M2XVt-@RAG}_)81T4MnU?Esf#mTp|vJh*x3q z!TA%BD@1MfZ%Z_=l{PjvHFG53fnSKkb=A?>N)_=9_3hu%Bi>5GCE{#~q#t_3 
z#fe<<2Cmzmkbua}!#A5T7|s?*j}BPSu`6M?y*)wjG7w(4na%ZUx57{K!CB_7`?add z%~QE&7}xVnMRB1EbG#RG@ld=BI4UH5&Ub>Dv55-ru57sU0TC*{!=#6)6|Ye6=BtVq zq^W3Y`QwZFXyy!D&!f_`DlMSQ@6Lo>Pr)_MGg|R(PkQ`rYC~{wYISS*O~c) zjNJo9ijt>y&z|oOs12aBBdpgxEE32Tp|UpDW9~-U+~Qdzm~!ql3#4o1a)%dKCX808 zA6I*UV)48_cP7t@a`u$5mb0^_bx)q9I>AW0Bxh50Kc~=Lj=^TBClRYFrHAHEZsZND z^t?__I?+|v%UbD2YUC^AtAnR^+Kk)dM2`5oyWF=PD9Kih;`lxzbEc;i>sVqlax%Bb zyUdg(p`5JKAbU^~4{JtcIi{WUiAv^+-03DqUnv#MG$op%iM#K;i5Q3+9hc$>4mA@n zy^f8}iuTX%OL4!#^msla?r>+6Ns>^epV8oeB&77qMw@V&pi@cD1BMB?!&wYxWo1{? zjzlYGJa@-8K06T*qom7z|2Qe39j}3Ft!8+nmc)nA48ofc!H*MZMfHvRmSFupwH;n+ zPd$lhA|6}R>dOR9|75~HZ7ELLMBJdv*4nhZrAJJ`x3QFBRKWAGGQB@{*3(4TF}qTe z(C;fKMUS9{=_o$I4G~S>&#(+(!4K5+pBnPpRs#>_#SH{({vaK`!J2<2)682*{j!pD z3e_VPq0GTkMX}$#w!%4NGBl6WU#%~dy{962F-NkG-PgEZncGp(6$=vM*N*#HQmCfA zIPJ`rw59mR!4zqIcAxFB3%CecWtgyTMAjXw<}WSnVI&#@;XXMh(iRaZ6{Ak&o%m9? zd=yeIIVL`6@BwE`_*=fMVK14WqvCqDeNB`n#n7UiKG9{Iw%G1e)#@caO-TI>gO@+$ zDh2~@x_aF$dF6LrniA_pnz!$eR8wF*b(7aYZm)wKp78(P)bKo*!BkJG>EDs9wC?j6 z{|18=8J&c#AFlenmjw151+9{DN}GP4d@Y_F9TUkvDKY=$kUL>Yf2oGY&A0QK3hz0% z2o@t}@Q8xG&}BDK;`%*{mg*OHzqU*`(mX4#UTLxNxK{cTKanm44*~C4cDvg}Sn(-o z(t#@FG8L{ywMKGQ2R@som18Xr<4KV|7gtOjyd?PI5|~<~Ht8A8x!&k654g1|T$Oqw ziJ!AxYDmAVtZH$sm+Z=<=ZKl4@#}AQl`dizsLSxXYRMX3F)xa#qrvrKt4*1yFPSqI zY4eh#8ef6M^C*tSh*k44!W|~V0t_sD~=6Tg0nB&!uO?|sp67wNw9+0u4G zQFSm*l3@@QGIP;+t6()zp-#6_oi9``$&ZaD`gNCO!eX@#5*rWrpyPL?i^&Y!`b#-Ftzo4)Y&^Yw4g z6EH2^jqk&v4cLq>3NDvx zmI=snB^Ieyzad@|5>UqAvmRaKTYmQ*8Kdpjiw`cJ8Y{pH{vom^m78WC9oVTD9l`qJ ztZbNgn1lwiJ8KJZDNoVYjvKgRL|7>wJ<21e7#mas@6a1OT|E0^MB<{t`Ux@{75np~ zKTUPGX1_(N(%9XLj3QNAruE=u@6piGnL8cKN4=bmCq;HxDX<*dz)y*QA#3h*1K7j% zK{@=H7ve&0OECmaM5TF-sYMX?Bor($rQQCY(|H?oAS(8v_Hojy^+-*XDrwK-MssI(8G;8S60Wb ztcrXi3w&@@eND3MMo8RGTF_!pTuMmXVo2PScpHRaGKWk^86TevLbw#Co7>>sPYF&T zh`&e_KZ+NxM-qREF#eg?^t@KYdQsBUnPrpnY7A^m&Lbx*dm!w?NBo$Y&N-Ha zW@lNB;XqHU2685rQ!qL4bdu6$R9K3Nu2?x=Ind18FCihVU_z~OW+Q>+V(L$MDiD#_ z&j_8*c>dWp&Mp|`c*NMfD^QZ`LJy<**NN*+h+C6LG}vZBmG 
zCQ$@Q`Ock)m-boR`3iQVR8i1^#LDftv~g*=wpi^to3f;6)^S1MG1!X;@3s zl=1nE$V=~Umn4`sPTwx+TGn1nw{k24-@PxdoT}x(Lna00tg)Bxmyn5`EoM@`u6d8c z?J&FAdH35?BqtXXxqkwt-19c*zr%6BtZpFKPj7^WAT%&{8Ki{%y( z;QFxf@^dFVD~-ahXjdC{cE3LqXk@EJD?D)GJDq^dDuRIW%GIau zbH(Z3sli=tbNreJ_Hsr$Z(9)EguQmLZRf{2w?L2E)v%UeF8M0TDj(D0I<}x_mW1wn z=p}7OZ(A%AAAhP5ADUon-7H&kiPs{}B|B7Kk-(ciUSJ`LjI$P3XHzrN>((tyDoo0; zy4}Xs`>MpiD&nc4X**yO`<4gJ6W=d+*~?1yIW^}GN00Q#XB!c7&|jUr17_h0 z$H_5xH5aUTJ)LHg0&HxOcp?ch*DE4x^5%HPneTTKy=XSqH8$}xjd@3B#%FvJ7v~n3 z-@rH)s62`b3`9479{qAQrh5M5d~@-sul?uj7mVl~enu0T7$+ZbG*uFW9Gy;%WUHo! zn)Z4-V`~j`K2PBom-(9i!x8i>ZQN7$GIg0t`k;E|33HRyju6L{!^7`r-?lwV^?t)Y zJZ-I9wrDNca9%$9nHvk~YsbtkOXG6_TSE%<^Nv+-&8uvmy`72peuO*@*P3DLyEbaBpNUO!zHoCf1PdPbLOhCbm4sb8q+gMO_1S*~``Ci&H3PdnnjF!|)HA&Zs` zD@WPB{9%E&y%*@Xr)Ca7jtg^CKeu&BygFy0Ds5`{&Z~OS=Wa)KAgDhHBx6Mb!OG5E z>0MDBIUG4DPo=CSl{nNFc4U*dBU>s_TzN2qr)XgKNyf<Iz_Q5Y2{+-F{cAnGVW4j^%&T6_xfAOe&(5DeKO{Hcr8t3GzK}GhD-kL4 zS$RRi_Of7U+T3|c2jlFKkwyt(ZNlo0QSgb+$d^=yg>V zH3NLoFwR4=X6hleYJp|T=W3vVAEI9wZLujvwX>={(hR|>5zbM`U59-Tqh9&>v8vWc11 zBPDXPSuW#F)xqH>w^hS6me$JyaoehIUaC7<8IW-NJyv8B#arxq4MrXj2DlM z`qX@A0<^-wuV9mTM|n0vS4nI#Dn?n3&@9k)ys0Zg_eb)UUxb=eXst*EtrtmnyM_|X zV1ke#>avQX5h(fxR^%%eez*H`Op8}}3&>uP6DoJ`s|Q&$bEY14xG!z}qWI*4z7CyR z#uNC0@+UQfc@7jj%DSVj{v-KYUc{G%(5bvvm&(Ffn%bM#Cl-%cVI{F?$6L_cym$Z% zlM%4ZmY<+nG0Y!oU4JfH0KLRwFp<(pGJU7s{)1ugcM2K?mgX8Wd>zq3Q;s=Fr|awf z5!BMOmst&iWhSoKW4k54%DKcCo~VpGC!F-cicU|y9w*k zwPN3mdd@E=&wP?xU^I9yOQI3LelIey>9x@*{!3e;TMGUUsnt}+TBrsj7JYNRpFMw0 z`&=8@f?9L#rb>H`u4=R+i4}>&*BVKhj zA2a9F5iiWtn)y0IGNVv=@3~}HNBi`>&!cUx7xceAxji>E$97s+wg^Zuzmd)V8_TGN!Ks1vec9!=}*DBE)!f5zFhmr*yv2MH~WUr#=%}s61Sl5 z#I7#N8+0ss2XRJ~jy!I@O(XG8Jjk3TdEuHs(4$PP>FUq;-w3~*zMya!RDbE*Et^|C zMa`DP&mz3uDB$CW9M$y8^RueA@v~9>)XnCZa<%5cmaK#JiLPq5+0+jt_KanWE;klZ zBaXjM!--QnkdVi0Ra?>QvtpcaYBa{^h(-`hGmP@avAE(Oqh^s60XK4s8*$(9pB2-TGK{ySGJaXRCFs&nDgs*70_GnT8`Bi;kqiDOt*Di|220w_NUo3eg-+kSc{wT0YlbytthxI0Q5B{^S*dsQ$(z}hrAs)^ z!h~EDNYX}b(P-nOyDPdz{CGc5V2g9H-I`In=h5fmxSVUu8~AQle>`nT-HNVyRW(7l 
z^kUQ3Z7!R;Y`8@ASYD;Z7v}Oe0&S~z=2*Lmbf%YGgbg_>!rhy0#j7eR#AQ#Y zLJ|u)p;)4uGrN8EFB419uO>9o_wei`c?ldonoMSw7aJDAB2l}uj$8&=By{E*) zY5jQ?qXW=&b`=VW&#-& z8m{xe$(GD7?We*>8kuOfjm4HU9ivOspc^Il55kxH3!T2a$s)@fhhyBRU zZjLd+SLKDS*e&1(KaTE>au-N>!#r;mFMU_?QA3-{E$Zeo4w6svp7qGASO~-jG|9c! zway>=aox)r@4{Cf;-BKoZwH%&7r^#-_AliPq1cwkl?t!es9ek&N#Dx(#_{@?J?!Dy zY2jtAiNhI^0i3m(-$TBWmyh7gvK{(Sa*c}o^ovLO!}UQ%f?pzqmTHeK&GY2fSqj@z zN>)S+9dvg;3ZCejU_bkoeW>0 zUs2^Yvu5xPuSM#kBvJYYz2UoViS3k+GFv!lvpxSvDIPZkzTa(jpy=RLk-3r zbjips2nMgwx@z3}CL=w{$awoUzcO_mS3}iLJef6%B6}k$FU3L5Dt6Dz*{DIz`)p;< zFpJ}Z?-cdat|lpj+5v%H17*@{j`m&Mk?9HSM45p4|_v$9g7TqS?lrE>hTa zz5AU=T1LKDLdS`g1`kMXIn?eNKbPF9B53jc-H}UpD&)@xS;)uwUW;|PxVKDKOkZ?w z*+^cAPgW*^MP#iMDc+%Isp{eM!H9XmP%J@2T@K{$kRJanJk za5>#?zg2lKjCRGdEVIh8%&e7b&N|2mY6wnA)CiDhFJt4+Jl`(Q|Ff+{Nl40ENfJkr z1J8iDm{IWRg)pk#C=SBeg9kh-*&elM;{=>*o^JeVO?JZV0$qejH|Pq1)keaBLm8>< zHChmx5=nCM8s@5q@n#z3)(*Gq)p#Rtl(a2HXDIF^P@_qv_Ep`dCgB&(ehECy$jvT8 z-RrFDV#pMGk#_RHb1y~a)hkVw_d)D>#1R`pe23W$yr1Zf*iSnKjf;*HEjzZxw|X$? 
zuh1>noemA=^qw@OOu{}HbOO@7aRbWLR(82UI00<9mao_tJ8~sI3A}nf)APKZV*ZH% zNr(7b%f*LJiJfc*r93FXVw-9c>caNZ$O=B|pCTzT+lo^vpr5HECPogvw%Fh~WQBJ} z%6#(Yd|F*Z;kt^f{aR6HV-u8FiX|b%*<{Y8Wi&q7Jc!$vS)Di$?64Ng;lEfSe*iLA zWPFPv;c=!*YgJuD$ZBRdt5rWqQkJWn9_~9uy0qJ8aIL=@GY@r!NNHR;akDJAWIlGf z0OH*GxtGwSeSl<9eY!WkxG1=2x!P*@S-M$b=|%B?{BE#rE4$l0Qm)!^tTfYjg_*@c zF7l!)<|=HIvTg^zUz62&PCm=3!QHgtl=jxfMY|$`h^3D(C9Ox zk}_fr1{?kZVkF6eLQ~)GID{-iOhY(JZeib#^Pv>)68;e^JV{;@c|lI8sa?_=TyNq_ zA$sg|NXJcXCumYY3HA?{9KADX-xwmr1rF8S@ywY$qm*h+PfgG0cc8_W@5-sZ5gFM| z7N2jNpK~OI9%)L%rdfekRPY#hNam&I%T0&}BI}ckj=!Ce&K~!+dblX=hGpSXw$UHa z7j7dZl;cL_Aa-GZ=JQgSXuWsrz7l^%6~5H*bB~R>AE&<(Sv0Tz zv5_6yt%O^UR{YL&t*V3RyBzHDaPF3JS58c6qvPpenIGW>h0E?;_QjU*`c`EN)J)6x zgJ;&x6M8GYn=^BWJ^!`xkyDw+Q;)?J>h&6Y!KC!j&;Lal_pDr;j=O z1HP$DC`%Bn`$*iB55-l>;;s#s3A6~Z9@4~H2A8r@oA1Ic8Pv?!RV*u!(vmN ztGW$zntA#!7-I0AQcIVrzs`M9_#}HKAoltb4F>9Z{3pfNSlryi$S(|tCzdo4b=Q84 zykMeLn%c9Hc{kU{NTr~GjklNY4##{|&wzTD&?O^6<)Qbj@?4FIWo7wk?iRtXaLg0) z3!|>MmxT6KA0CE^pH;tgiD|I|O4oZP`7?3BrIk}c)`fi06E)+_-gMHfEy<_b`)*Js z4vDe9{E$387MSY&M22?u)K!UZ=Gb{TkL0r-B$-181_mlSt0>q)<;bka#@!Po?=}RD zFJJrIvE(W51j%C$HCuJ__G^{7b6Cs5!mcQ@KkHFpuBG`oiv+=^-1BRVS&VtTu7to0W2@jOuC_A8X7gaxl9@d8E&`zw*P6Il;;??wadsO)Q_;)K5ts?H6M<53Z-@ z2oE{!6_Y%3A&atXIq&ipN8$)7@6w`6Em+-3V1tqGp`mW8W~Gsij%~PuXQHG+3Ar9p zJIu!`#9nYuVSX4mBd4QT)=p;MFqG+D5c;SG`>|a_XvD3Wx9VYJIF+2y|X^lDYAA9dy}&3&I~ zER34!5@)3)f`s%iXvQ(0eaV;wN+4pcmN8W_r+p*J(&aj&Th`8Dc8r$$>{+v;&2JgI zDEb*z>-@+z2(?$u1CL*McQo!Y)753qF=vK*8BNP>N_0$;7kLlJY?`O`)>E82hqKnx zGij&5L3N1hX4df#c}M=F8D$--q$N=?qn@vv2|t_4i)@Sdy^Ovjl;ysf8d0VhOa7L@ zGRaZWtCk^%e`Ih&a`G+*g!7a6;^@|ki-`Yew7#$|RBbsoZzyVQ{&neIh2d&@9zl=Z z%O^&VV;xw+JrdU6@Sk*?>O7v7et99Jt>;k(`0kHOy6KreaXg&gvINF#k>jWwu>&(} zmN?iD+ z~7)cv@TQje}z+}E;ojnq)$w~MXr-mfU%6Q6i;YM3yB*2LzT;anf-7lC}1iCaaF zoN<-bK2;Y<%)_EY?_YdJo~CTYCtPzmxcgZdYfYOz&ZebJl+u&v82eZH#gz|RwX8YP zB<^3JaBF#^;Sg{;>c{(|EdK5dfLuUX|--$=pEA{8SCbN^hy?deuEsiHwZY2#pJHo_4SwJ;9yKylzhN0Z`CKIy3@hE%@;HzO1a-k4>bwGU6e 
zMQo^_X8HC?=^G>FcVQ-#w{OuMvM?{4d!$_YFiwS185GkeyMB}`jHz8DOw4q8W=60x zLs6Sh`A(F)FkPthn*VD`nI5OHJk>l{4G%WdO71)(EBS}Y#~iPD3ToB{h7{j`NJfUp z44QMS?l?%9^%zWI`8x_T5a~-Xi9VYk2=bpjLMMhFjjNJc_rYP^&;2#yYoSto<*SA5 z@71uy8xB%_$vsR;aiaw<8H}}XSw>v>u#b1xNsqI+BHuphdPuv<=uaP`sST~9zJp_Q zyOdtNmSBW8zMtO1%V$eciWq!^qUFF3&9#%0$PV9nMM-tz1v)?VEqvS>%iM4FX?@MwOwIAu7R=7V+D@;N;MKGO_F`b<; z-O^>5DpSGOf1&#YS7Z=_X9wOXXgzMolE@iwrG(Kl&?s+zwT4ba!x(wu@XNXnSl*Fa zbd^QfDgJ(sRWr?4&pvuQ0i&TVA>)3PFl)w_=4Uvc;P>K&T-U;(!Nr!3bVL2aLkZ^= z5_lh-Q}^7;9SR-7*DG+p&RN#~eOkUy`|HOeuZ_PnKUMS)h3Z^@tO{L>=cZip(D?A< zLEq(|s7k4vRqs0j#vtR(Kb;djw0yalVkilpkvceT7n z9;Wjt)72Gvv)9kof21UDWMPSUNWICvz+Y7@t+zgP&zk?~7Ei9nG+*_6@rRFE6C4%V zPL}=TCARpX56^bn9_!Yp|Jo{<_Vr=BB<@?D_r8&qugObp9u+Cf6fo;zF^am-pnENt zI|76Q9nI_eq}-4}V`S5WQ{7iWsrglAyl->ng0{8y(2Ks{plD{i5Wz8UsA2Hw|+p4{lsBR^{Re|Bs--qn~vnBLyDlAh@qg69&0mfUBw|vg1UpH=4K~z zcwlXi$QP{X!&j!0yFMPR%Q*Wuo`6u`QqcIPv4LX+4m#1Ad6j`yD}rX;tl#oC`llaQ z+oYP8`47G*lH=mb4+N2=uuU>&%|b6Li+HOBS@=^*J6p8fopr)l_Oh2h>a1BRQ(oIm zsim)JTp9S#khz%uW2j_c^K58HAnBcUMlA_vgSI0kIZv|9pe-@PclcETLZN5Hl_o)| z4$)c42@ck=J#jH1_R@}{4}>Rt(yzB|g7crByhZPtx7sqb*_-Q|&#T7bO42&)o;zih z_ceomz@EvGwKsvS!;xTlUgZw}$sUCG?4F6T@p3i8NE8kWUdoako};`a)T+ z`!IOD+gt;=+xwT-;I31W0?p*3<|OmDW%Sk}Zwm-6d?j{x zy>wWdo421b=nz#MKb2Y?zneSRIWB9j(lAYf`c_#ol^5*orH$_;ubLjXICr$`?8Zod zSxMQsqkRDunXkt<-WE@KrLB3d`owoWY>*a@tj7rg>D&4ZAG}94{o3(hb=M>w-;*rH zF>NM|m*L{|*W&z`s5r|4{df{tL2PZZ=XynhUbghAKYaOkMDoSESw;TL$FFZuI?MD* zmmF>($ZV9*C?QZxB6@fDi9pWkf$9k9646*uoXaXzT+czz&v-L>pCe|m7o@m1uJf?} zczZ*si(Vl1EVYM%YgN(pY8RIexIGPAoD6(*(jUHYjEvTwJ!lB^*@})j8 z#Nh+Z4L=)m>!A#}^V52S)28GtXI{VXdOmYH+kfNU)+}DN-BqokI+odMpz&LGltV^^ zen^`uo($rD$>4GG`FzdHV1>P{@_jO8E&3Cl?;jdY`>k9cDSzmdYI8*E>X+!vilRdj zxGf{y&-JzzWySCdvdL!{NB!~#%fg52c~maQ>#=)e&yA;DKEo2UMY*9CW0l59w3E;7y@zf2?B%|@hCjS(^ThKueUH}Fc5R+G>p^z7T)yO0)}6Qcg1Ot8xaBlsXoS)2}g`09c(~t7jTt-0U>Oh{lh|=(fa&-m8v5Ipg{n*!2xJ z(4Kw*{T4;YNr~I{5Oq+>I8^E!oP|dfO)Z^L)U-PF#l>Y`J+R@OF)edmeR$*V)~x*J zlYhwV+V=+Se);Z4=XgSuTJ^GAV(``Pt=YDJZ|-;7`)<2x?Xn-!34<@wIft5~l`y*) 
z=#HrS75Yn3qddpE5eqNzNaRtHN0%2Yc3&QQuyn9QeYtH33fpWCIG-rcEU;)p0TPMm zLIF!e@>f_bEK=k15uLr}lI#6G|J;q_%fPzcVesJ;O_#?Wc< zkW=N+vrxJ!-Iv~)e%keJ;k&MnUH^3H*BMqjuC2ID_+Fvc{$>g=!Ne+8HL(8@hlt6biT_k>rdqV?HbkBsDWA zeM244ghPSSh(tBSq%{+Vh=TymWTC?;xU??kfW5*!rlgcsm`v_c=GJMnR_$~xYe96k zc9-_B_NZ24<-Rd(D!nWDQj%3BTawe0bCWBQ8?v90Ey znVFlzAx~-)Jrv{^C9a-+@XVh6m6gy8MvWnHXsBsa-oewOsFFz#-seOd9!*Xc1yMaJ z(vtl>_`siN;{Z+DqzWeGeQCTX?)paZ~4_c?H#tGk*Hl zRBYV0SCo&9dM!q^!542USFMN#mh{#?sLBn$_xK~jjjQiV=Wgsvg))0`Ghz-)#Jxzk zc8)^=(&bj%yRpa)_~P86YA4`ZM#FNaR;4$T2@&IDqgtcZ7(fg{TopIOjd9a-VS-`0 zagkw-;TD5sed*SU7gR48exdq>;bYauhLh@(1_Oi~#9JT~a6}^U8D(XItVCW~9Ee+S zY>NX~AJD-8qMgCm8=8Q&C=`fBB%M|pXQt_9Hl4;_!Y+e1Q$Z^THCrt~3$ru_tk`X0 zq`9al;3+S3l$AtT2`z!G5iPU?8hAyFl*FRUp)0TW31v{Q#!)SJCDi_wCK#(?(+R+* zp|WX6DNtoIMuc$yl5fJ+445WJ|6}oErPC;^zV6Ax?o7&Qo%6yx$P}1?8IA&NR1rCc zGEajmT|9f`bdw|%JhQCW1!5c?n+FvqOx4w;mQ`0aJq|#Q11$J0>a z`P?Z@b;cia35H%ZI)b@J76_L{Ch_48lUG+?|C`iSi+2wXe)HO-LTocg~ zn`mRUW?JN};n(X;Vs(wZ#8X}K6M6w)wVWQ~u$p#)YcE!P5W5|U_M(UOGEGdLY=ZwG zZ@&S8Fw!Uj5l_oD?uO30q6wF99h?!TLJ5u42x^HHN5O=(F_WZ^5ldKXqj(Qr)Fe>f3m%*INzi@_3={&mr8tfcY1nC*cbfM?_CXNZH1PLu%B&Fy zXUB?IRNovMpF8pB1HYO%=dC-(Twd$!7$dQJr;HW#H|9Rs_Op>!>LyT#yoEE$es1?y z6+$3JUVZbq+^-*dCHKcIjza3~s*J~C>R_~Ba_-~Cu}hv?w&gjRqB}+1l+p&Su|Pl7 z6oOvI(-zr2J_0)cnqoi~iMYA9%FWl=Qs-|WZqdENEpV4)<^U*JMnF+zB3ZvclL z=1QpoMkPKct1x0%7$E6$b}+DIb5^uE_+}0VaQFYxs7z=*_KnA&gOBPE-#DO7l3_`Y>~^u8~}z; zfJGwSP{1CE_(B0_<;GCJ7Ln{Wyj-aBT75wu^EDfltzY*9sRi4>RR-D6XE)83L0hIvCv6a#fX)~=bJ&CUN~Qb+H#J_;(W0t zd}aapaBr!U;TSf?O;c@(&ru;|;QRWVhsSSaBdF zTw~S8Nlc8fShL|#BZWJD{yV2{AE4wu-^fU9C~qRwq`t2jNC2P&c~taYoxwn)mCY1bZ1mJ3&^RF zJP5&g1fLWo{1N+N8)G|SYHY&qm&H)HgaN*IO-&d3E%^Z!WtZ$c3u;fis#q@GQ7mv1 zaT<166p)=bF$|dqIvH*{(bL4Y6kL2?Yt+a-SL^s6AjDE|GptT+PJcV~tO#Rok5v%e zEqQwTuh_bzlD?mdo-4jaA-ZF6gGE2}i5+?T)h@;g)WTD_vWR;@j73ymbWIVfs_&@n zs(*^S4p*YTmaZjh{c8iakj?(hf$f2(1AhyA6EOAFAFF3Ud$1r_C`QGY+G@8JSPNmM z$Mm(Dv+Ea$R5S+SkTNb0HXb!Hqqm;Zi{4*UtxO1|jk4b1tgbH# zmQ+^oHXCoNI99<9RUCmu?y0LEq%&c%uK{Y7-OL4Ek3vXLK$0tyTm^wTqFCo{P!|92 
zc+^7I!85Fe0|lvD$>5DY<->K79_&BhoOXYb((e*oeqT1vqi}TE2LFjusdMtv6=#eH z;Rx+xC3)OF&7wG-5C6+O{FT~#aZj$wQa-K3$k3Q%3Hoc{dO$VoUU=%pv%E^prXtx z&SDju#i(>E{whVLY!;iYdv!D1^_+nCAqFy%k&^{A#41|r$jVS(cw=Z|_#U#=x;3;l zyoc-wn^hrIIH4*wMhX&MjW{@RNw%N{$xcXP{%*2ZNJVig-QmxO8NUwuB1x`=@E77< z5OsyV7IZx(>+S9qqO%mV5S$+zEm;d&tb-$;44@CvKV~hi7R6xaFLZTNYJ-1F3r=TY z4jV^<{Ej_*Dz;*1E;TgAejru#(?b`H4M$EbTh(&;znA_y?y8OjraY1omiPuoX&3G4&9HR;=Ca*YMxU+>jU$6naQN9cr4ev#H zWZy>bXWKQ~b@!XLnRl|Crq|T3>3uU4-$ zt?{f0Y_sll?+v```$}iL$YR0EDb568U3cq>CKaKBmY zK|8ZUC*_txKi5rV>vuZXJK;0uP24e{c#F9zI)kgCO|(di1>%KqeM}wqc->x{S25dT zSSMeMI&{dnG|1UZmKZhr8Dd&saK?yNg(#V9!dC$#cbvl+gR=wud@E^>PGfIS500FW zjrIoSwl|m%@Mj^PW^D~n{y#^8)=xoWdX#pXaWHW7)1Ai)lz>_^3f)}G!lB~04LgI- zclg;A?n1EFh_L!x@Bn;&+v~Y|bKiUY5xh@Re_-D9^%rixykpk<%N|nCHRYD)ew)j^ znmhHcSE-p+(0ix;^x@q5xhHq7PRZ2s7t|S-b8im*Ax!losNV}VeRw|!f%;7iAx`~s zj1AM{besF6>tyKP5miFxC)5O8GZKNusfkEtuG2`q3OlLr`!xl2I68D3*(3XnSYh~j`+GC69Q17t-( zsnF|od0b2*6^1Km(2FSIfX6fBD&nqA4v|FOCBqAf{s`^o93N(gZy0Gcf{hyk{NMsB z^>xfS6Tfb@3O>9x_R_>xa>#RKT@TQ+c-0Xqjz3iR`w%x&3kZTQp zzzRxu3I1xiEOC^rr6( z=}4t+yYn6Izun(@zV)grb*4e~yFJPpD;d7b$jA+RsUZv%0w|Xvg_0E6Al;5F1(NWG zeH$akBPSw)80m@}i3mrqVed-#BT_t8;TxoXkzEo@l4yBF0e}?xZ8#i>z&z4Ht)yz0 zd?X2A1v%k+C5V@q?Jz6<^Keb?MSzd4wz>2?N%7+cD= z5C1rQ^RkET<8l;lyQ;$Av<7I_oW^Hz&VuecpJ`_$%YDtY)~al`Y(U z?BN!`d#3Ev@*^4i>nP-QI~;0oXG^y9=*BI?;pi#UQA=KU*;pF*Xw#y#j(}YG>=zfD zpZn*V^2&>^6SIy z-XKlL5okl)q0;OT-8AIxa&L7D?vNOSAEYa|A-FZD3Lc;d9QOP1K$r_b@g&T|qXXA|f=?cCgRU^mLPhdqVs31S)wt6DWZ77Z;q-&%*Eq6(~ zq_?CIiT`sTBLe&aOceT{!ftSGaP7CeUh-barzIA(#C~cs;;WOsvTA8 zDxFmugg3dlw6rTh6W3Lqc1h$6!aEM^%CLWJjV#b)Rk`$Mi zB@wbEtS>fI5^Dqz78P7caYHE^<^3z+a$H%!)p{H+P(;nBoWZ&)wyWZzz=3Ig=qRqJ z^x7)+6KVQbPu=ys%OC2D2g=Wwpgmjx`se0NL&RyKO0)kh?nR&8@I zQKI!O+TdE^dd4;AQaN4N@2QR=M6C&2mwYZ z@_@rjot@m6xFA;^&Q;EAn9jC1XN6p11r1YEl`|Afo(Hg)#;5jwdqP$FO1mDL($;`| z%(CGg)_vtFlHtGgFsJ2xPCVhs`q%bdYm1^>1waeNPM8ezp4Q5yrb7; z57wR+0E}ZoL8!F&2N4|UN^_KHHP9EqU`rW)rNqrzkQeb@gJ`Q3`EEM9eBfN{QIN;$ 
z9`<@hF-S4V^JaM-iB@tfLiRg|#LqaK#i+A6_>mQbrQ!d;v2zjb>z>V`u1Uwu%O-d& zN6{`3!g;4q$tc>v?(gZxd-PD_6;CwByfeth&my^K0fZUn62MDdE-1)jVvY8Tcy*zs zA$M_cE|a?}mTPOTmD$wuD#uX6?{Ff$wT0c&QRHx!|MSn1SU(+DDMVwYyT5%*SbFMy z)df#Y(8OX4TRPVaFK2A)n(5G8sX-fdxYi6`&pKwe`AaKd7J_rwA=fg%)N*>sei9w| zbf7TY0y_Rme%jm+jFq{{+=*y1rY>|BdVJ7-Bbs#gRSF8nabnMRY9tw;foM?xyNLnw zR7u3iZ?`Yt7t3jRyev>2jajk9RPJ&Yx?*vc8-Df@jk-`1i)wHTMB^gm<$-{onJv01 zSQdk{c0k6T4h%B0tk*Nlak3EICzE>t@cFE5PYc0sf@g*fhsq`^s<(L|BJ zd;^h-;XL2@AAamJd}tK*$|;!|b!L1tbw%!v&eqzg!`kx{zjW?rbEmbkErGF>U0JupjL+^-1JaDl8ToJF1K}0C z-POeA$PSGtHmE{kLrQLHufDzJUhP9QLNixr=1r;D+d!|^?ks=4X+V39c(PWOTDY%%ds?-#t9m2vaBRo7E6|uHl?3SA506X z^tg0q`nvR;=||H)O23%?b^6cgp|r6NI}l^xZg^APrq{Cz3w2@LLfut571NE?P1UW} z-KKj~w^R4J?hiV>QRmb3>4ZYNPH>y!!6e2mT~s-CB1>%}J(ZQrEte*%t?rRa?1 z^e^dEAta3GMd)yY^q?%t%^RDU+}zvDnxDo|HGWJ|F6k<18SznHlGKTHtS+UNrC9X} zIAmCrT2^w&6=mpkBxgw1u5E8y7DPF6yg zVGrd5-z^T#2Hbi@(%~O*k_I45Tab3~Gu|=cj1oPStl%^Z-q2O-{ zkL$-)9O`1DKKd9x9mLg4ekknB@yuG~{jX6ysm{f0+$Lc*aHMv^1PRX*@M7b&JQWUGCG zj<`e@qi&Ba8pQi5U&uZwzDdv)#f?VGN~={gx(E^Z@prA)&iB=_Q)-m$wR*hw)Kz+< zlvS0=rCp_cr8`P9rH4wjr4|dZdV)B|nXuVqkyhapUzd1DJOaz#Q!=ezv7z$^;UVA# zJYnuOgh>%nQv7u@Kg{0E6@2W70QCHYm;IzP-<98)cU2}b+V$jVW_6r9w~_*m$U-RP zVeE~m%<5P)&QF3ejXoZV#Z-}E8Zdc^h}jY}ATMd+#nfvqDk5QB5w<{ZcfQq%B!9jL zPB-Z~b)UX3v>|%G?kV+7-9DA>M%~SNhJVX7YzS_M-LKvj)hMp7ZffHo<^Wef3(F0z zP42?X`?eL+8=6*x?pkw4@3Xz@-@Iw+nudoWT0=5TH)#x0$EGKZsV#1U0z5ptzW>Or z+rPP~s&=93$r%NHABzn?k?Y+cjh)o^{IPet8o30UhBLQw!Pg}65BbWkH8iTH-TIwH zKW9Ie-lKn`e_>jKj+U`R;l;s4`pbiB^lJ<&i?$U!U+_F$lsQnix9EWM^PE->BvNc)GVFS*^VKiA(e*OSRS$t-nk0Y(oBk zzwjWvWS=g%$pqU1PK&v+$F(jTFVtcvyuZe^Nm#WaM0G-0KnqsLia$7J85qXiN~{&A zj3)yiGM?f@lBK$<@<=7?tK3n^Dua;yGN&8a!7n{cWk*Dn=&7i`VRRFEbWK4+5bvC+ zav9G}4IH|Ia32ztH|2WrB=i3i_9eh^RM*;byJvbdYxnGX_iUQctUa(YdGxBruo-MNX}k`n52~sa5YD`A(lenJMEGJb0c=5>f>Gi7~o)2Viv5-8XVv3up(Nur3-^Ja>iO zc!ZCwTvq_&i5rmomG_80klJd!bJwl7dSr6j`fbl{Te@w);chIsedXot(RRIAi*%g5 z*0%cNH?9n3($>tHFK$@8|CVn*@SB~@VHUqUoJy8wZ@Vj~efhC(K2->O)|3Kq9AhkG 
zNwY5FY{|bWI3Bz@xGl6LdSlSu?tC0|h+g-7U--WGj^~}w@5MiRoV!D2y3hu3t9W(x zdU1F5R`E9P2cGvrj&j@aFl%!-DkKJJq!*3b(qRi52~V+(XA*^g-G*AMlWvzIOmEkP zw;MKM*=G1sgj1#u)62%N$L^%d+oaZr`noJ}Jv)>=Kl_`kHJdJ(z~ut2RdGFURlnI5 z8ci-WZiv$i{GV8+H3BgJG441`cl?i)3JD9~eLf07GN;*g{3ugiM#yKmESfUwKOIZVL_U@AYlXqdX zzh$wMTAf~Y&mc|ptr=*@w>%zy39*jpN!*B9LoY38rrk4c0VamK;ojrE+r8fn&Y*&L z0PW7WKXTjMAfPsMp|1aX<^{GHltRG8+YuXpc>}dLs2tsXbUSPzzV{2HksNy&785}T z=xP%~0JJmoA+pAhs0j0iSn8ZQZEk5^#DF5GI1=tbQ~-&KzFgPBuHt-VJEs^R_=7pV@W&%0bBb;*y7|?YBGbsNGw7 z*805TQ0Z{}qx>J1Ih_j~T~ePkkX~zR!>}zmN?NZrs(rrgGv$XJkJlbw>M}<2OER8P z6w7q<+w;N2C6Df2-1Pf}Gr1)nhsZBB{C$g!Lb16RQ4?%J(Pm>Yqd!mjqs_%rqSXim z&2+L<&jW6EN*6>!?`(=wV$uNXv(ov1ZeLzV$)ofU5CNz)ocPY^Q8qdn1yN~+D_~DQ z>t7JvfduCrnw{xX-awR$QgsR9Uqjf)L;4aXFVR3L8qFwl5*wUUn5<}k2d6}v5iB$t z7_LH-$xRKF5{yitQlA}+gV$VB^UR}#Jz$;jcoRg6=qo+uhPDeA*v)Gw z3{@8uO{p#+DI81bZ>_SJ}JIW0{zb z4!Qa`X+mGs)wGQW!WeNT>^7SemI{&;P=3}@)jUd8sY?C>-j}=rV)=o*=A9CLYWT9n zyau|NBd>XKxny3;ObI_RF3xr2wQ4TMz!9igqFb%@Y$oINdYo+u7I%=zkU5UXmnyz?7*f{!zP=@2GSic02RF%U~+(^18)Wdg=%rYCG$_$nN~ko z7xelBb;RN>dXP!ninq8MZ*fE3;!eCp1r2HqFVe5-7Sot3cNF<4e6f#;OfOCsXHct$ z?$*=airqv^=lv+Ct#e)}zOmI>@Fcv5(ifEWQ40FJvPZ3t8-< z-;RHGZiLNZ&UXRN`QOh2C;iA!!%@`sVOtwpJFjhA+xgkxEsa|`4>k^VPA@#N(8X&O zyS=`qrBmq?s(G!G99?fN`a$*qzuf7Ts1wmM&!Ok2Gec9NXap(JoK7?nMq(^+L1H4Y zC*eT8r+uA(4uPWkf~2=hIr z9G%-v$;*{-vduqi^%_W1|JZXdbNT#C5=*H`CTzg9WwGe%fkD;9HX9o^4GnGD_=Ycb z-_BjvEh-hNOi+|qBqKSQ$STWimv0{7*C@g6X>GpQ$!e!8fw?P-y*{_VHLORs{vXPYH7#6?fubke{|a;YWGk39d6wQjm~6@W_QcWKTgxaneuv@d7{AFJMR)mMn?}E{UQ@ zE*SG%OTwy$_XI5oBVVBr9?s#DlFiv7bClgK(t(KZkPf6~vesEo)9rm|CXAvee8RUk$?u`^EX zvB|$Hywx9n@`RcbzjqO-IXpd99+a+wy*whUHMA81^ZPZ!srIzVw4C3F7JyqeBC+nC zSY891^Y$~@T3*BI7;hWF>~LNi%w^@g7Rcp{BFpBr;*{{tb2(#x_2jhy>>K6WlDsyO z%h|KF?u?yT)xiZ@t?E{%(`vVjNP`0%#bCfWYQXyBX78D5wrLsNKYDOF3wG(f@S zCBxL`@l>{X!SIn`VgK;K;pt&f$7W_&9FDCRof6KN%#is&bW~Ug+;-sRF39t(c6`tr z4P@V9I1n#&2xA85@Vw5Td8kFSZ&?xCjm_(wiImG@lNyC&q0?4ZnPgA7;wp1{bZG%7 zaBkIfX6HlR1o&D`TYsbB*V1i{G~hy;=ExK+=}em)adBK`0VoV8B!9u^kx@Z%=iN=W 
zG5VIvw$8S$ZLMRSYkJhyE3A{&x&JCz$q(DU!vsJ^AyVNK@90S-G=#b6&yz4|cnd=Z z{^Lhv@bDIaa(*5yKbBqQFJKAGVNem_z>{ zz^|{lb?v5|nX!AvF1)5z#5nIu_=A;H(EHgAT=iCCo7L$Fh^Aqfz-9|p7t(tRQJS1_u=?X#N zc9UtH_h4L91S?tR?>+14b4aX4vedh(Yplj>u*};f@yEhj;*a8DNa}*kF22RyO$dJ3 z3+-Cbyh=u?9FSi^+E*eO%xkh~sTW|K=dw;%?%YyGY0;k;p&ab@3i934X<7C!yxBYix*iu^WLLOHOXPBR`sq_aJ0n4zhIc&7cq@Lp}&2K1fD<(CF&M z2DW#Q#zv6L`5;;HL9*n7WXXeS8zl2x)@lc9f?k`zuz~GP&q%gAZ*dde;y%2E&CXlg zjkmZLwT28E9=WAFNv&Kg7U-OpjCfQdDoi7TUZhiG#Pb$LJio+|$~OzK>feobZo6~x z8<}?WL(v&?&pd(^NPnk^`&eZ=jQ2sp8EIh9&&d{i8vhUijUc;e!OLX9^CPn0Wsbg( z1uv5YFXO6HEO_{vI|x@ocz|f-EouHIHvIpT*;hvQu0H36paPLBc109_CB9*0v1_i_ z63-jguGq4w?<;d(yn-9>?Xip5{%Zy^yXIV%_QIma>@+Wiu-~bI-E)vbk0ry_8`1B^ zS<%h>XSI0?9;A#$3U&vWB?i^=F$m$c8U+O2P>v{0WDy{|yjfv3L%f;nThyepMjlxC zbZ!Qf7IH@Jf*kE4ZuTh1jwapLm~kPO1f7Wc@)ozI_Ar1w7q})MCO=c`>P57LB5LS- z6y_s*z2#|9Z9A&e$6wH(S+Q;zL%>LA*VMEsNWnk|dBRd5k&Gu}Ns(B=MLcCnWnqV3 zwM6ZyBC&#tOclK|lLZZs9cLMz?K3+U?%0OvLs` z``r7KJ+bczuW8QRb|A;{?&v=I9?u?mU$hOe6j0-c0NkQ4=CYK+9U+bpTrvOzlrsRm zR4lN$oj0Ywde^J+T-FYpMLMN-@WZCtmBo}S!KnVpa1*i z<11FivWw1VnWuKALWJ-a=T=&AA>4PJU5j!XdK*E979W9!icbpYfEWoeBxAzWLJeEK z7~*8Ly%D?555Ef)Ml_d%;w&XrG7_jLXTD!*2*Ib;XkZkMbByQ90+-G$v%>$Sn%v5C~DkTSHp@|oc0bN2@yh(4q~lzlk=wcwN4r}Bq`FXsKr zLX2bo5SESYm{fSq#|c9+6T&X{$Xl$jB7ff|AZcd@B8`#RUvf8*-O;)5v<;U$dGdrO$3dWY<^XL9`v>62pBonzn{3&^jyGGOcE&sjuu3zrT#{YF^-}+zu zZsWi`Bmrw70V^Q^Dfl;+8bLn-qH@F%)gnsNs#;S1R#3E%OTDH=U(MzVZhLjF)fJ6+ zMJ zSPQ2Q@}W&p9Xbm*P0_xb0eV9v?uE;*tgluk8LXimR>UV-rHvlEFjBz72xQr@YYML z2t2po>T?C%im6C34MUOs-^m2vPI_su^wI7)q;>Jblxm)q72X=fV7RGN*!`}%D}sya z*2*aa`AS+!QI(R!LSP(PvWO6J2PN{FhH|EGP;z;#L^>svb1sk#brADhvS&!XgiH%d zNm5fzdE9~$hUcSt-TBYmZJ)6pv5U|`FBmRMNseehXUaLE;6k*hnQSyUBX=^9HkrAo zf6<)IvI$Tmc`3Y~l-HU_F@y*|fF9sUBHtXvIJmt$2*DwhKn12ujR5e$ycTCEqGL|7 z^I=wcITX2xkUr*a4drVAw1p@5`uOLEdzTK^yVlyBo>aUPN;A7#@13(Rss>L2oXz@7u^)N2E z8)e-@LlHyLq4~HT`XAx(RKCGfh@HA_YxzFB>m)(3c`D z0i8j2A{EgQTSyZ<&GXO@AgrUI+2Gl>G>j*%Nh0`2n*n-T+h8b%O}HJ0cs7y+Xkju8 z{q?6&Ko6 
zTxAQ+Uqb2j@bJuHGQZ*_Qf1w6`i6AWqQM5wLXSxonOD(&Zm;31VW`hgF-Ej_R2ZCK z-g)WhhlT???KN1VC@}roNoX##N5QQfawjnvb4!Q5AN(m^9vXU&0w5<5`K>J;2u0HD zIq?LCpGXQk_`!8skMKn~yXe;8QhzYb3gc_<+OTv&b!EaCC0l!Bq_Jpl+e5V__x;Q2 z6$zg|92H-ld-<+yJ^4he^xe;GSbP6i*|mU;?cF<2Zj7wBtoIWaUvZ#amXYg%Oy1+a z7w)&tqDuLLC_v}h=N99heD-fmoch3j`4T3)lM?_X1${Q_UyP z3E>dT9tE~JOYuk?B9Kf3L8@Iqr9pXBI>d&F3f+g#PS;Zxho>)Il)az*CAaZAaJ(4Rp0jp}k6W_r9%6D%8()JTn4ifD z4tK&`cAw_9_PM{5d@?zewEo8a>oy@vSsxkN07(h}M+#WqwX@@PMi5diXW}L*g>7=E zG2)DEak!kQd!0oGNEWHwvfEUN+&T$Fa#XP*bJdH5igtxd4Z{gKZd#G&w8F%KVaZ75A7|hD)Jk##cY9&|KdozJZX+ ztxIn^W8JQDaWT6oP)g)e9lgcH;^VVg{nPO`?{1TsHH z-)wSlU6X&qM6TFW!P9LjJpOV-wJIt*i02SeuqDLF%*z;Y6h5Q3LfI~}v18-MqU6(= z?_(Y>$DfD>ZbHH+5X;jEzEe3RnV?nKZoc6!&#Va=0(k8iQb~gfiZ40DXam_fawyox zn-DdBK7?pCcl$^m+8D+$r5NyVF44L{hNNS_$c+7R?$y3@q{e=$`=Zq^?dq!au?5xM zUX+s*espUtjI%CeibW9>t6dN3VLdVw910Ib)&E0N)gP?9BfV$&h4+K%pDllI{=xM}@5j}G?|D96F%dBei!kEzqk5uW!7@-* zM^z2@nMLxs((IS%kC6aeDQXog9z{z=S(&q1EJP!SSX4#9;;NI(SIv-bPp=u;O=rx| zZZsBe)(xT&;hBU3C}{*xw|HF|e6`wP;{x9Vs^WZ$)sTqbz=+{IGq8P+JH&>=aEv)b zN32$#5;ky2JdxG1oo6PDpPZV&ozoULYXY<mhn%a9qywJl!_3p~tUz5T&W5^%KAMwG@kDl{obHf(5@Hm_kOAKb*!Gz2Ed|CA+I$WX|of4reSTrkKi@f zCDbx1v@3ZkZ%ZbvJe2RwNu&n%1Y$#9>VBbHsMnaDQZwW=oQqqn{<f2ZXuqIrOg=7YWk;%;OND&|V@Q<^we#~qxGcHH6&Lut4 zw|zUR`68o>YN}ywh4qQGwIPUjON<0EQZw6NhuO+1Zx6xNqFJ}H5%N#89$udmx8R3n zm2doqQ&joM;{Z6?Ng=I)QU6th(;WEpmu1nO*>W{OhwWrh1YyaVS-{XV_3AP0wf%)Je zMHGug?mD(`AC!~p5zUM=NGid5kx0);qfEH!E9*NG`s|+;rP8M_*QK^VraE`evh7!_ zd2HR<2I@mL+iYU&w8B`f##Sx5Y>BXF?v2MP5dq$0IFKBCaLaN}0KzKg^Q#`+!OHh6 z!7yWfyCN%g{f_Rds-YCpYJ?SA`TPQY+J_i*I=lE;&YA$ycEtDwlB|ggz0$JMGaBC* z-;_AJep&po#J2jKiK)c*65ftLM-U4z#z!n8o=c=l?3cJ7)Ss|C5q~@8!CgJN$E|xM zHwcNLSXc`wv__~^gY$wCG38LPBVY0A`baz$jK^ar8W)9U<2jEChaUR-Kw1bKm~tILJ_>U#dSgFk`kw3$NYKUEx0kw80AGTNx76{%&E4>w=?KhdlLp+lyRL{VoG@MXW7`@yo| zI{R&B$AbM=4srUItgF!NBZi+X zlno`?G()Aa=*};!-DPm(%(@`xHnrJqGq#zT*{(J-Gcz+Yv)yK9W@cvQHZwCb)40z) z-_E%+yF2@1BPx{@QYurbQoT{iQ0CLHM&!UO(ZF0Mf&tzW+Di1TsR+#O<9!>bsomwg 
z!09)Pb18$(!T}1Flh;qfOjNE`E#8ah%e4V<7Vm=HcNP{q^JivE=^A z|AKaZQM|vP-QRV8;k&>2e?oSD&AGqn@4ByYP=Cw*1LFNt&wtCm(7V5I-rs%xw)r>x zXMO)d^!~%TWBWJU_fOe>kiLJ~{Ri9oXZ!!v*1sXXe;+&4Uu^F$#P@gm-}Csp|KH>I z+xFk|PksMF`2IHXx8RrIg~vqqrTcwR;C~DK`^2Ewzcls#4(Pe)|AF?{zm&rN zGqg8mwMzFx@bLwTW>!!~jc6bA2Mj1Vu*)>~$peT%CH*XF2sv3w!U z=xHgnTw!tiUP;J9)#R@9o_2l9Vkj(FuF{n_m)Yi#lFBkQ;W93G{@&>2x{T_2#uE_h zt!aC-S(tcgN$slrVkw(MjOwb*J^G#MhNs++5LMUGu9x64Pmq%8#w(7=)nCw}A;z=& zOJb30>>;=@S_VON&7xY-Lol~2g9~43nc4d-xP-T=j}S+gI3po20W5r-`j$;*gBa(o zxD*>uUq>!L;eZ+|5@({BT!OA|MWJ3KWfXB{flt#xK=@1kNDsw_h zEg06gfEJXDbPu1&V&IanEPG2Cxy0m;UF%e~h@2J@cJI@Q#URd%bFmW9lxSe$o+(3m zDP)7rVJM}4E!^~u5-%EvgHlSvLp#b^>m&?|+kbH4y=%VcZ+`Yaa7=jwKOn41m*Co< z-@a;dXOLRzynvJmS&RSgq3*we(La~}{|t72F};7gp8u=j_kSPbEOh?@e*YEh{sMkb z>eS3Ee*r%_*00~9A&l4X!Nmc-t`# z#x>v+0mKgoT#rk=oDwm^fgY7l)z)OZxT;YIKnR);`@R-wK- zl|LX2iBP4v(sdRq!Qtb!GHK{}nq)LXY!0z(e|$sS5zc68hp9VnXJ9Z>53GA}Bfg-K zDJrauA0TzC-eS_;j&6FhMck1TwVCw>X8Kvskwi5z=Y7i7oBN?CJ~(Cyjz5@XH2Oiy zBe+ae>%)z;Z4)X$u!xZRB=Qs>^GqNhI4tO@Pq;p~LOT!Fu(nM5ap0OLxY7JDktuIJ zXoX0tFeM=8kD7wZr-(NXlN>E?-ua&4vb`L84P~IzkvP8n*~2Zw)j#Atn1$B>A^n?- zyOZeim`wYqtZZsKDh}s^ur|&+3p)@gBm^6whNIc5f7T}K4&h^c`ryEhJd{q2AeitO zY(H3~CuCOhL;OS2igtvM#{m0hP3vB)vk)fcAfX}>W6X5#&Q0FE+Q-iuc(zFIV1U>S zW5w6wRil8aMMD1@0KSk|Xw=!xrx>CQcFa?gusz{EXV!r>@3Z(@xIxX@*#JUE3HHyA zFo4LoOFPKh$93#`-gkNS677jim|<++Ps}y?=BaJa+F0)p3%^yUN4E4|zpp%P3T!N? zf;amvd)S=wIuN|b*TkADY=H4z$!=(kcs}X6{6ME4NIslm{jY>RitL`g@sZAS{pv*9 z_7thJIdpl!2`GOv-hFl^v=n@)yuOm!Ym459WP-j#m#*4f96ew79o+UbPpFlpaw*t? zOY?n*(1}y83B;j^P;g8B1G7^ar-!cB?#@M&q`%w}8!}*zeTB`;KK>F|gcbM>3#cW+ zXHAG8doqa8k;UKy`4&sY805s_R|c$)*l+EK*NVXageQV@+(_^>WsnOh0MIAInz;>E z3+e|;vnJJm_IEZ^9R=1aN}(IiUyX)&^K!21NN;jJYCB1h99;YAUDBrYFbGMJW-z-s zG4q-Pi<%6j(=}_vc~a6O0u|w>ux|u*#Mr{M+lRf1-ON3ZZ@DpRa+|td-&+JEiTtgR znnE{;EaV_+NX)!aX-UtsC2;9)2lAC9;htK}j{_#!PFQcDZTW$<15Sfizmsm6w#8f? 
z(gvJ<*J!=|hDMOpO)3&5NH;y#2bpvhBitiLRFncrqT<+ui4e zNC-&qh8r3=S4jaKvM(ygZ6^d{lKth3^2ZWPp|qlmHp%a5-01e8Viq^+;OIUby3zIrLU5gjUyT>yBb(3ytT*YJEL-N&R#NYLPelMy^U(Hd z^HB6Fx*aZ|rOmnxRJ{w#dBl|}JEi_J=Qgt48JXT%)Tk?0-$qQTi~76kmj1d8=eEmT z2ip1LXai%-(Ec0fo4%bFmWPrz8aCGcMxCY0nl3FCc$d!FBfb*&BJ3i35nk2JZIAO| z-N*Lp*2^|dFwzrP^TF+H%aG0a{=PLy`%W2{9?T_snQEtpNnpYt5GOeyEtxcsW+Tz7LRxHRL+)0G5Vh6L* z2HrtuXrjwN?@d7OUBEBi-|qnMN8rFO_Q2&CSOz(VwT6K3XNR^k>A3fh`2E?gt=Xx^ zW74O)d$(49J(zsnhmP7yJ)U>HteO!KCh0%4B1kWJgbiSwM8bPMg~Dd1o}#IkCERE| zOCslRpqmkMA9IgH?}?*jVDDx`kIhv)!I}B;VC6V>+Pm9;V})Aq<0%9h{wKVW0^I=k z-*Z|6C!0|Z0R9&=qGF@-3&L}|*9?cR+qv6or^iTS>VC~j405%owvXS)vP!R$F}b_L z@5dt3un<;Qqjzr_%oAvS=|0rAMj)~9=ozM{IMn)LCJpC-nKIF-tnqacRA=j%& zU4o6Rw)MM(9%(ae@n^t24J;zp6sT`yMZ=lU+?m}G5E|DT~ukWRie zdcUEF0@IWk<&9!Aw zbtGZbn1#TPe&xDrqLmbA#4s8E43)+C<Go!hhaAQ&ncJK6Al2R$h|^!c&t1Qr-C` z#JAiKSu548q+w|8UW3s-15uukJo1gVbN8vvG-IE{O+@AOY>P(#Ym`l|O*?|+&8%}w z5~$2m$LLx_)TWrn32tfp9g-P&@K$CP@6#PtZ0=QqlAmermUu-l=G)ll3{xh`Z%jxM9hj$)h-xss3+2F~GVn3N5Fr7zt^C2gg#AfB9(!LLT!_Ti5>QJ_WLmn)Z;5DWQYUxCn$=iI_N?=s~o zEs!R+iIoP~C-a3`Ie}m8zRMM%i7C(=hz+4D2LW@lbE3=jIeNhg^FL4EoDZEZQI&#} zf|L)c)~M?PS9&da@ ztc|WnHmI9BFYsuUsk9{;re(o(V(zv2Q~Ia*srz&KM}a4lZ}~-n$emAa0sP+7bO<#4 zwHdL9g(7}H`C@^r>m?XEsqX#vrj z2`C~7<28_(@2u8384}k<8gwKUh>%5*Y0KltdsQktCD0e-TPQz}y(ajNT8?UpO|a~< zpe)ACXE7%agsXm(t0czHXBJ$QkoC+~1nJYMwJi{bevQ7R6<^)kZ6V1LTHn*(I{jT4 z!QwOrK0+`&gk0-EU(+49wPRDajl9>j{fTp7ZS(1eG|YVE4do12BOBWef8H^A6_kYe zo^f>jqvm!$uV(ZnR5YMNoN@aMET!62h@`xNwkgjepQf^cl~18)kM1pLYa{3t{eqJX zOnWkEEMr%7kGG1XEDt$KFj}pzeSVsmDGb7}xz5OuDGZ7#0w&*wjG?l+F$FiLY%zAe z46+&;h+<^9OqFpB#B#`+Os7L2bO-h5V>T3i5;kI7P~=6kdDjNFu&_Xyl7=K_F6@qe z!*Bnn##UG)*@Bc)l;$}-F~)cVfl3CRFUXvISvNr<~w2PXAB6`UvOTZ?9BQ0Mo?Do$!_V$o(;YaRG6}Ue~bhim-8` zppRg(g(NOMOKjGMxfwEZy5O!y4ti25AgmzihgoukOby~5Uz=4_Hawhpr35Pc|>ayx&$(Z-PDv_1%!`u z>@nYP3|_-+eGoqfq3*aPy+SsTa|7OOUOayb!seI|q(F}S5vz^V5c2X>^-Sav{t%V6 z#hmj{bkVX6+_}B8^sx+J(mAs%=Em~e3{l0z7uB%dBA1+tDoPeH{-f%Eu`bp$OXL~e 
zIY8d>E%77j8T6Ck6D>z9M`SUZlydgNm-u$XZoFIi+xhBMJAB;XNH|llkO_U}5p4Zu zSXw{xc59Yj)Z@9_! z)dht12EQ}5>hSO?&leD6)gGK4d zdqkRa;+;Xjop;@klU;n;e`(=+#}2)K?H2>1TNmN$@FN&iL}o%yn^JH`P4+XREqb(m zQ>N7vN!ncz06(6;!*rwWNZG*GcHUlgniW0*(f~i!)$q<2J_f(je*t5pvE!;{AK$kv z&|uE2kKs%*-!qEbGS;VN?=r;N8xpp17W$5r+!=Bkh@UBM5umU-t* zPzvs;@d`ZLh+=>LP%iaIs8lk5PO=x~MRV%Zt_hq3>yKZgKG&v**dPY=WfQ?%Z`5XjrKL$hU# zh0Ecy4buQ^2IMwlUuBMKN<%*bAUKC#Jwjg5<_6EVFuQVQ12iu9DpN0jhJNO0+4;dm zd%1zf93kCRF+s|H>VDvJWX$R|BBp0b`LJAL@%;MiHWwwuB8;$Mug`c*Pa6Z2ctlhM z@H}EZ|7`KQVfwztek&d$&I{CJ@496=u|?8VwBIjv0onyfaf`LJ7)T4l@-=?E7BoOD zAJtqN%l}?~%~J`tlsGn`yR~&sG`KFvk`I2YclCbT4PXZjjE|q8vJuA`Y=k@wOn~-7 zbJ|_l^!e-pt=tp?5GKh2$W9?f&{Rew`54*c;h!!eno;9u@-K*+$R8=aq*sa~e)MFm z08xEHxBM`l+_do~rJ88+t6L{U)}8aRIRL6}W@Qc(X|5!sm5;ROPbT%BTn!}OYG0kD zyb3_mjYy4Tz818TeUX|8X-P}yB=ICXmfB3}{8svUcGtJnbvi?sA7&xzV0Viwn*+@C zAozm4kO!E>>S-#9Zt98Zos;4jyw^tmG#EfK5P3p!G1h!3yu;N^nFwxpu)0by-O@^m zp8D2A{)T`kJ+T!uOYH$rD$X-7ddaDeG8?&Zz-7CPGiVY6+F%rE4_ohE#|kXafZ3(S zQ&J0CgGT0j23&t44?cdkS^Rwa0P+3&wFUU`1P}UOZ$AM)s`-R#c{ghL!)$qjseSro zAtnMw9t)x^De&ASd=8XgpA8ZB((UmEn0{TD`ZCe~v{S;WTy8$#8#)O%@C4c`pb-&T z|D%h>52gNn;*>xGjek@fvc)8${9W_A>k(=6@b{ck4OmE1=t_K(x~5;3n{XpXQp3`1 z*@PSLrk1q%>9QuMqIMx%V46o5s@5Jjse@H`JskpCK~xV=&(wEQn=zaGk1lC%7`4ls zdt~`#`q5K7(FfLAb#C*&K1aoAkK0@Z1jmx7HEXNQFVY(^%}D1Jq|;>-RS{@u z!xIvb(FCEPZ*B>;*JS9n9$mSul4f{Os4;L7_|$z?LsEi*%@I#Fl%<_Z#L@+WA=88|2EawN!n%I?vqNtb&F> za9w>w&LHv14go{?1RoQ0O#t;AK*BPv1bf?Jg1HY{_VhXg(zv*UeH$W&ymh;8q9YvX zoRKp%O~dz>v8}8h3k?*t#1Et1-=m5mc^+v2we&f$*1KI~zD4+~FTvrFFzfNiBfXi$ zR<;8$9K z%Y!GS?qarjsk!;7o3AC4ib0!Ze5sPWY2 zf+Ou>i$$xRf)Gj-Igok&W=nhLx98yV7095RTVCD6nIz$_TZrNy>e?M59uVxyB?np1 z^|$59o&BV%1;v|+AE9sI2yd9=fL0zIL{EhRvFhy_j*4*zxRO9hX)++dP-8;a`m%a* z74_&3c5?#?Ym7z8c{@Xd^C1OQV4lB*a3p{J36=IvpXJQVg9+D0R2r_{qsk@D&WR$_ zB*2tJMr8n%W!4j-9~`l3t!*~Zj1>=f5d;7y--vSRtgfocLv4WrTew+Eh#BA`hW4cV zOsUVJa)|g*f=psv8JvL4E+5O7lmL@S&c51C3d*$s4g!kL4(YgemL*%SmYTFkRDAy_ z*G?qA!NEBP<=))oT5ODMtbX`LmOyU&4Qx$@1t%{h=$i{41Zn(s34Znl75YMqFF>%F 
zc+Nw13OO2cFu9t^>52yKXEpla&VHp&7aA4YEUvi2k%~5-3i|$}gSt_Kz$~;@PY^CA%xnx@%*pIf0=pire3zq5!c^6PH%}PDi+Aq(u(no^J+|6`*X#D)aPjH?3#a$TKl#K5qciUK+p^0f6*JNX+lC}uV z$fmfMYFrXeSLu-fdzgiG27J2_8KI3P#$+{gm{0*6iQhE(m<7<1XJ1vgi97G5V zWJyqVLFrlno|5de@{q3aRJ}p%>7=9gL4-FEL`$fs#DNl_4u#-At|t;3I)zRjE|$z< z0!nu1s}(e+6An5MBz7!Mr30t_SY4(U#$at$09V2mqu??Op`ImN=k zNylmg?`1Nm1|Q>@)wc6GuxUjQmao8b^ingz^Pu%SA&qPPq31}+_Ffi_`2L{(hUkwz zgo*L#%gVs*)Ael?O&3T#j1Cg<0@AmXe>SKEW9t#31RG8gnweGz_Mnv#?Kzr_ysuLqXQrfvikxvqd!BQ}R(tL}H2 zZ$FfBZWZHb*gi#v1)&{;h(;eBMsnDieab12ZdMw)#$5QJjzAY#z;DyxD`%?y2OJKA z)6pMRJKA&MMtpl`8HhQ*@WK%`*qs7ie@)K^l}(Ee{FsQ0Oxp{TJu5O zGXR?oyeD>FnAw2Lopm_Xc9DVQl?^hE8cR zAq&`Ob<6b$FdgRFtHJ>`a`q()9L{y+#?$FKvc4XZUq9u8vdI{g%QzyFmqju{nb!IU zC!z_3b1v!KJRE+e%u5+HYf=7fp(LF9EQ$?o8|?b54Zq`ND#5R_Iu$VD59p+GapymtDx%g~N#mUc4<+n9?0NQD$){QF zKX&(uvD&^{fytmqFC;BtpQ9ffA+5>#_=LH;1&{?0JtMmVuvH&TUwrfqH5fY zOc%H<+w@E7^_j4U7>pgP9^fY%GqGgvg4ovWHhv9(HQ$rJyBJyJ*iMu3VZ?-78Qr&| z0w!4qz@{!Q#~Zn;B8De`+>MY@hY9Axa|^?X=6% zszQMY5&0S_XEdWl@YZyWsFzzfLGyU-i=w=hJguy$ubn}cQYOxbQ-W1Cpsh+J2Hwih zw&IXr4xksIa4@Y3=k%73G|uzT%CF6((6X8sQMv~D0Ed(+t+hiE&z(;^nd^mA5*cQm zq~H;-U*yDgWM($BM=SV{xUC|KH6uybUypSQ=Os+%nf%1~(|v6G0{tEK7`TDYu#wWj zsK=t3Tv8~(q}uh~sX(*{@!TzIp@7M-L?B5i2VX2sjb9;`-}=yw%A;{YrvalG8$Qc& zk+TImY2ke4W;x!Z8QXV?1hZl+Vegg*c6w_9B%;SipZqSxvgy>mTq(HkI6q!Lg@tET z@A_+E2i`6CQVFBF#nW4IWHBYBa>NLs3>r#t*oLKVbmq+cMon!R0+gu|%ggMJLDY>y zcj|6u?@p7Mdv~#tZ36|%J9^-XielJXfj^vmyLN$s)Ib^<^eS9#`fabDlr@Kjq%sXe zgN&%2a;9boY%a$WN}jA+)RBp&BX;c7#m=bcK31!!gxWOnlt`zD6}7R?>Y82aqzeQz z7#=X{6u4+2GED9;T^mn#4o*&H7WDL@k0rZl)nLD9DO6TewQ zssNX@J#bB@lg!zDoZTLeZ!E7z;h2dQ@m!|5dY#lDhP^_Ss3F;~9+?m+8CemT5jpfznp4XW+wrY0$C0hDA$Q$GXA(I2A)zHM67K?0I;=Q!uPBC4_8*50`I_@^zR4Nl%!Ci4L#B#NX$ zFMKeZxsKOl=)(0}X1$&gjb?-B!0ckgMYU?X`-(^wVuobsBXOQK;gAT`p^zAbISQ(l z)ja!xH@%7wggMy^q^oA3)hi*{%q%{*$pB7U(?iKamPdo&K6nj=)0hD)FXrmk<Pd}`GU-!YCLU@rKbm{ z9LgFTthNI$-dYVFx9sky^=s`G1CG!wqrMKPZFz$8M?g8s2~5qH9?WoR$IC=HG93a=Hj{gGqqGKMpx>3Q(QQbH%k2jYF-|hD@eb$ 
znrbO~!Gu14e4AE_JvmO70f2*w6+g%~1v4sV+MqhYP9UqOq?kfaORO=XDc-n|=5~Kd z>70pXQ*R|hMPs4qrhZZjDAW?07Vn$L`V*e@sjqj$>nhP?ckTfgWD2L)r(aKJG_JdT zE9DO=%E+SzH|{ujyG(RW_coE0mXTnPU|L`!6{H|lXy`XCspHm@DW9mEvKqFcvO{6c z+T|#64Kf$9Zz^kZ?eJ`Hciep;UtF!Sx3+569o2j|zu?5YOuZ?7=Y6~w3Nk!I2;`AGac$vE`QY`kaBos20siJAf z!;dmt6{$xNAv;!2)4N8ZfexO=Uy2nJC5t)y?_n-0RG18VL-z3ThxS(#k>c5md&JOd zs-Zj5kB7tnNM}8@8rq@-c6_q({B$yFHs`L_VGH*a16r4JBVdO%>@D=lOKI}C@)8uO zm`<(!HGaU#Q+uL{70Pa5;T^uFNl?oZlF)r9Ujumt9+?A2R|y6>Z6byY95KpaT{m)j zOAMz^1|6s0AT!frml9oEwJZ`9scbn(k{y@bg2#@=A>&)apjqj;+L;=HHw3+4Q?3wQ zCvQ1gq*m>fwDeDH+Yh#we#B8d;d@AN!gxXMnw%R*`yeO!^C^FY9fk(7B?^`{ z8Yy{#d{D}^k<+$GeRk+rOyvSUe9ZZ)moH^N9J8cQj&NSl$^1xaVi!}YPBn?Q+gEX# z%pa6!3?Vlj7ds;;C7n4EJw9ISo|yRlernW9w4^^XOd9u)#2?tTR-`j3h)nB&x(t|6 zXC^Fjw~ieyDoBw6+Addm^x>AiGx+k*`FhBO_!HFgx4WvyOhTXVvV1M^_cBq<^JXd_ z+dqMQ9VURuKAXnSwDeKaqAW72XRFK|*_bdhAS*8aKu)K`~m)7I&ivfxz~a z*wd#OqGs{qn53a12vT8p0#1UFf&n3+hFGmNlC_XSH%`3lwgK?+w1xWEtWx7Y+P-&k zMEM2+720+%WgGs3RI{@g{-UEM;wiAlpJ2f= zn#WHRe}^s+hn=E2pdx~!<|5f2J>-T)Apebus|N?{F0u3k{83%fg_Dm z5l7nGJH9}dHXlEsD|SPGB!Hz}MWT?hWJj_~%z9qP4DEKYZZmb?rTuiKn8dZH!7bA; zsE#;RK~rp6nl9IK{uJFfQM&o;adIs!4}RhDnNlT>3%5DlW=31_ag{k=)6HHd|5&T~ zj%^l>NY`NG07|Z2`?%!19JLIlmvpwqVS#TOApa@Q90&RijjA_ew)oUV#{P0$_D}Y%kiFPKNWY=$@p_XiOT*YE0H3(=zPt2bn3he4fRNKwut7Z-RpcJI` z2{3FhELpRrK;q|Mp6|$7PBSGCDeup}l)8-AR#b%1~ic!V!v7a8gzAqlDz^?-*%!SMc?sZ;P z&8zjS=2hE*1L2L@tDChQhJb@lrKg3&IDT$F{_Rm)m7gq8ngun6%XM5Rk@i1Xml|Ib zoxq2d)8R7sOAddg^Mz*69kHVV@vYg3=Ec-HI{IUlir(0Yl2W9r|BMf{Oy8x$1sAc# zDM+78%V!mL%k`+5n6XqfT{b|V5-p9TLc|#teT((}Gxhl7{LJ393;9BQq$EvD-i9^w z$YQJBQe=yFOZEtlZuPUXkL|=I5jAqrs5s}8E4p|%DlU0^Rn-a6#qG@Y|S-$pZ%5rNLjV_NU@KACiuPE^yz*w z`qA1VDFqui0ikC)SA(O(9;0HCo*y}GF%c1AdkNpJIJOd<6be~YX=?Z7F^?yVI@!n1 zB$^EjNKUN|<40}%S)4Z~2F)ebt^rY$5_#Q~UzcusrQnNj*lyeKtBKUF10QpTNCONi z$=yXg(g(T^W5*;cufZWKo)!Yi6}oz!6_u@8v*nf}X0T9IW+uEn{lF!;MLY9h`Y77w ziuryE<}87gWUfq)G8fyiXyTDUkwKptH?~)K)mEjgc%s&r6H{oSv79_FYQG0#JqEnA z@YPC~MV&7mMW$z<;I+muQSQN>rT^^HWtud1ZO3yN{az)RLO<|i%E@abS`T{L>Cv-N 
zzpm7)M1Ov5Q%w8jL-g30pFnX`8AgbL?cmJuoNeH`(yNMXJGjEb)wdGKIJw}MYyPcn znb`*W0gSHYC{)prv{i~OL*u|nk+@(ZWPyy#-&Y2Y^#>e;nBdZnP?MfPvA~_cIdcK3 z=!B+dGiKt^CBBnccXVwe^C9?JG_63~1LtgW6pRqRB=e^?VAW=DyeAbo%jHGzA1<+_ zw8Ag_wpv31?u>EA)D~ujP&%>UVi?h2U&Fz!!P2EscX`+Fg$^a+m8q*RIv+lsVS`!W z9ySwS_JRZpfP!ZoTBtRe?zwWy8l>*_7Tp`rv{oA}X8l#P-?qL7`@pNoK+)d%dz58jiq>f{+{DJ9o|r^J zg#+y~LlL7msJamx-TBECfzP)R*NJ6R$d$~uXUm<~P^e4aOaF1#1sl!fB<}E|U^Xj| ztN7u-u?@+Aa#vg^UO*KwI6Ry2w#zj{db}8$u`se{p3l7%KlHm@mb|2RRQCxe0&Z^9 zUJV*p@D8N-G{3U4RY7S+Iz+$BOmd!tWM9FWJQPaik18?;hs!ZVF%$@0Q_H?${SD!q90((p~W>pQwGoZ zuy_-<8vDC)-7PBQRnaBFMaQpigMEDt47StukMN~V^b|STeqwwIQ1=1NKZY+?K?s^C ze}R-EiS8!#YZ8!h_yyaNy%44tL^|uzBjWq_=m*%pl}}Q}K`)RDUN;tt=R)};Rtp3j zi@qp2pfrtoGk2u6tyFPx_L!KcN@Ee!OE-RfC)@ zuBj#38>h77wm!d##G-YLg$g^4!Wmw*^}N{u@pnZsN@~l~%hq$5P4F%!SF#n_@&q@s zLU*wyeP*JV(%e>?;5au7Dr2?|1VHu03$WfOLny1Tt_G+%cFOexV?V z0VLoM2>X}PgwH|!U=<@V?_C^Ln}?GxjW#RAh6mgJkuu2gblj)un(!$Jh>pQ!1> z4VI0T4P{la!8W0dity`kag)Xk8UqU;e)(Dg|4J%&y51*&4jx&yBfPC8a8}WOXzs9* zGKD%N)Rlx-6LX*@0s_%%SsCU#VR=Q1&4$Z-6M{pU%GJ?fc(sEqBh-<5eVsGQ%OFv- zzBsL;{QYC$gJs6}4QMm=xUajcyV)RdV2?>YkiCgQD#dks{H^<>+q&x^=au$rqL0&v zDyr41(TEP|b)kq&4X%f<=e5MAxo1|5E_w#-8m@Bd*MTZ46$h&8BgrT&Ix%kWqj-fO zmD$8)?n{<<9-GC?%kFft6gbKQt3N8J?1`#10e3aB;pPll3mhbZ2)4x~ezbE;KSVe4 zHVeE%JBK?&H}@is>A_s00*{Efr^rEvw*d({*<%N;Qd{>>$7^B(?h2v5o^iksh>zF7 zoeZa`f~9PeU!$+qHi>_3*rE{SXf6?x1(3GDhgfO&7#%>2BQll8NhpPck>+BQc!lfk z+VAG)sOG8UwJX_H$f1)$4+EFsK{vyhGzj>>#3{TAz1ZjnJtgaXLsNrO@cE`dr?_F= z0w^%E<>PVO{beDwmY0n4d_lhLsw^sv+I;j~=kiDOqHjhpo9C~=&Atpe*?!OK-u8rR zN9&Vid#@(iN8FTgq-!3S=f zwD3bDvFbz{Em<}WirFLpSjJ|xs?tU#q>)+UChWg$Wz`!b81|>-tp6CG%&~9#5P&8K z?W>A}*FvMkA~G(#Wcv(kjwz%TH@M)FGxxk|6@}I&WYKfHRoMM>I1$Ozk@eHr*jy}9 zPzj4Gbryc1GA1)#bGinZ9f*QK1~APpQyIfJT09rAt}Wh=62iZ=T1)4;y{z_4-A$-V zkI^J8P-}9is46kHy&s6bR7R$cowqnGwwq_+s4{yF4J=Nna8%##-*=Ru!E{YG)tu*! 
zEi@=n(MrB|7&=cWK5Ec=i`_$Ab*5w&2m5lf#0oRM*uRaoHz9jNbtaHfp)F9dlve%G zC~VW{+OSLc6uM_d#gz0(GygBpbYV&&x0?U=dE({OJ5PQ8@sZsJL6ic1C8l{_q z1;*E8*OT#K-Kd{3B6Q>2^^h{_7d8^8+Z<1ebAW8t@l~Kx=@tj$25WWm zGvgvN&04Ti6aI)Y;2;yXu*4iImvr2fKu}Ucs_PzYui;><3#`;=5Jf}iyAUDUnFU8h zjEW&IG3$R*)iNn1ap9GG3NEJ$BTrDKS*)f=SMcoUk}hC~hM^^L^G6Fi70Keg&Qly6 zEO$f7u873aS@sLm4EbSLs0?AT70Muf*7mY=3I^D$zfUMo?!5YA*wk^`>nUw(Yv1>B z%TaY&eo6Bj$~j(9&=N)aeA*L(^)>r|{Yl5%OPP{QaAoH7>&1SX)7wX_tIV)*rjLa7MeF@m(Y{( z;e^f^p#T!|mHr%cvB`DS!Qkw}$gK3@Ki+*6`)~Z&V7obbsfYv%?qR9+kTB#$Mc=}#jR2c-{ z4;Ekd7|8DVp-PF6%r&Ep(8xK;^i~x|>bn6sPpE_u{ zqc-ARlU=vE43^&a8E=2WqtcvUdsjk#uFnm?i=VNJi{)Q-zGey0o>ff)pwX(WFSiOG zhZ%DfdT1PeO_Mn6DpnUg9e)F#I@CoVJmxi(gS~6z?QQ5=71Zjpm9s#nM1g`!q)+a@ zBFF??MVBrXd8g~v$o4IOA1r{L`&kQw-AJ#Y?Z}&)ke6R+ju*Brr=rZLUbtkY=t;j) zFxX@Dn}!X~%%WmEANyLgc3f zUE`LeWWphhYaDs`aa#rwb z?KMe zP7^E-Q^z&J593-)Ur=ZZo55n+8ce3g=9Uvtx)6QlBWbm7W6Wp&bqC~CN=a9lbK}MxjiYsBoAbr|vy(6GPqtQpaB>8EOUuDL@k}32;!b+lespCJRC?`lFO`=Fl zBiL^)Udpq!c*rdDTXcRprW1luilJvM2v+><5BDy@TZ$o68z#0CEA)~bJ+v*Lrk@?r z2ew9zDbA%u=esbrarEx1Vr|NlSz5N9+~iXsa=FJ=a#&Bp{YA0&iM7>g#>=~JSJA@T zyWz?wcxi4_d5LOtSiaULRl{3{_0epRR>9%>;(L*GvRCHwLrkGP?fZU5*_8DeGRRb8 zChH%bp0qclq8sUg?~$6Br?jmRQW(qp{*N9hrB4U`bN5p+r~41I1ZO1os$dj!Z~R!Z-;?Gl%|<|kh-)q+J^cHS1)y8P4%H3XeS!0WFWVm5+Xt1 z*P`Q;Tbwi4$Smk#Fq%Tt$5~yf9@q8Th1*vhq8_8K zqo2eN@h`^)llryYwQfF^p9-HsulcX}FPjFf`>nY*-NKm$mCz3Tk1>7`;8ZPE(3@yt zmaQJtma->^XXuYQ?Q2{xhj~q(I)O{-HJ0EOk=yWXMDJmXyno^ zp}=NY(FdT=usJT?Goox)%OH}S6uQwkpV87ibf-!Nz-LRl+Ul7SJgTcYhfw1|x3fl{ zcChweI(=|ifAt@42v0`cerT1ZiBt}&<9@0>uV1gXL=A2_bf!ESbt)B$+IizL)0CC! 
zLL9;=Rm;4nM^+HffQ4O^J$xp|xB6s#Yqk0lPo>W%&etze?Vw(Bhv67Tm6A3}wXC$P%wKB8wQ*dAy_qL0wp89) zMZhn#E4(-zleTQ`b8yTHWr-s}gz+RX{|GzWq0>Yt`Tb(|tkct<%chMuUR6G)0)1o2 zLa7`(Rc(RA^k)Pe^B+2mXzsoqSTbeFN`QMNC%BWy{J=<>6=Z8T9XdHbkTv23{1w=N9Xy#t)n zu4gp=WcJ;&CwmZ6va}QPxDIvrrjZ$ZVb0T2NlHFmAwm}`UqGvK(jtrwk?(Mvo*?#^ zG*6YB-*?o7T?wTT01R#BqpDc5h?XcVQ$6tgKtXKe7Rf^$EmT#W8DXqmV}*(RS8wG^Xi32 z2DNGruhn?RlP9L=eD9jXZNc3zqBa)1~X#=Q^8R{JcO33r1S`K*Opd1-JGiee+^%4A5il(9XNXC4a>ZAy}fuw9n_3 z8}^Hm_b|?X@}d zMZ%F}axdQJPpVp12Ie^rc2Vr~1P^n&OAM8*aGO%bkdt7i8uK?Y}W-?2G;) z(w-mq+%+JyztFrR#Y_4!<%uZuU@0|I^>W92i=4>9N)`%-8v9fwhL2RrzPD=VjC(ba zwX)N!W{kC=Brkb-TJfmUVvW@?W0d64^r26k{Z`?-F`!rVpZF=&3xN+<9c4XaXk$;i zhU`7%+1!J_SiN}|bR@lKeJHr^EGU`E65;kTIr>)dx-Z>?nyR@xNi{G~@>B+HCGx&) z!f-#(=o?)32zXoHo~4~-mzJne)1WWE!!N%ZuQd-8S|Pd}o}^MvJmk2ByN=4$%V?%? z4|hr0zeq>Zq;>niD?KN%ZyXvcvpYgPyw{@9uDIKNZ^|A$oB`)+^yy2o{_1BH=II0! zJ1sV*m$S9O=7#? z#98Aws$$xz{H`>0nSuoasLMZ zI6%k0kSA8Q_>T$F577|cLJH(z)(99r=rI(Zmuq!1%FBl?bj~w-pGmF#^QL(p((=@A zKVPsqJRz`}@7v@r3J;~8`hDvCr~a_eOVU!E)40?s zHWdMuqY7}GPw7&*MHfdykik50vO8Kribb|L#r+;jUQrY{x!dFV(Czl9HGA>tyuEd7 z#|j51Rc$!?mrQ>kwab02E7@BV^%a+*X`geiA5z^>=r6O|EBj&C;wye)2Qa}8Q$$JmaKVY<6;mO_?pK7~{RcAt{P8?Z?z zi%fMEPkc(mFQcGiIUL`023;CUN}@_-RHKPHot`L#7I0#JAEllsk&mcF3*|YFa-M8C z?eWT!?a53wSTWK=A+@51(Hst_tg?&Y;m|iaH?fIoi>Xjyh z7guQnjW$ur-xWO^eIfc5|NH1i!bjRu!YQo=`xweiz@9O!z#8-sl;c*+Enyu+03?IDj^0LM+`DL7-SqV1ic;^M?7+- zN5&D)j*|bu4zPO$>%muD1F{_rc=1^m@FRm3m^J({sF4|3bOi+w zg(9L>+aeUq`U{2}wnzp!B4HrI{=Nv8ZNnGEzyoYDT9p3}w1`2{H8BJLN|bP+kO_t| z@Nb-U{hmu?7H$hGr}uw7w@n`o)4b-Uuk~7gQLJq2aBNP*uGjh?vhe@Zhn&qzRsaP) zXNFuac^IsxDXe+xs1t7jCm}b0q8uM^^&CD6iZDx+G5u40u9M%>X?=WMbIF7UDh$Xpiq%3W1dxRPzz6b{a^m7R( zr@6Tik(EcLRxXCF1G8C_F@EraQb>lFc$rPWf(jEFn{)BZN_FTfcIm#p2>256sy$bM0>)`^U4XBX>mbmd?_;KqOKTz9iK{8<^0SB`+hU>}h3D;j?6Hh~4GaTtcpzC+EX%^|R+j-aMrJ*YmW=F@5#Q@5*o)O@%4i25}(uNGJ} zwM^G)yvwkUwM8T)dE`Z_*WV9|>9GJG3$zD%0{oG{YXPqJFTerJJ3|8?!T>NJBNRXo zsFRIFIDv+rYb4tQff1Bz;(XYWXOs)W1cYl)E_*K_{6Fb(9QYZ!3m;x5s!StT5YY 
zEG&gNr#b^na9DuRYIloP2TuCOvZZXUJ)6RctljU(*K0iPWcoW9Hi(?u$6&@HQhnGS@sKQ;ANOR_D~YC($geE6Xv7fQ#13biqyo4Y>AYXHz{y zrBC+v=`{j7`3`tfya*)28*~YXTh5|)Ht_q*2E+Ic>-dSdS7boj8y{G6VV@&VC6|YReqH!t<*d=I}etz`g+M-$B6MPu`Vb?}Eln{V?K6!TI>y z*=5|2|8D;y{zHBp4JPR=Qrxh(YA$zymjed#fuMDQ%XCgq>vM^Lkl*LW%S#dr3x9W; z@Hy)c$E(R++Q%ii=cH2W|4ww(XteTTrIk6KRz_;=jzDkMILl&Es|??hY~QZ-1eU4e zT})&Jucxb`I7xtSr156a2*}|i700`is*@vq(5M+CaeJl~0+<<4QrozQaaI}3iNJcv zmK<3KsS>sa)|~nvJ};aj3!h8-=KDom`8A8~{mF8AnJTp{Jkh^~znBT0VOl7yKfQOh zFDJWXEn7)oOHqCSIL0_ZhU16WJ~t4x&EU}I8w-quLQG{ohn`c~Xcx4niGvyn6GZG&xq99kbhFrFQ7D7(0&kIc%Ipjkoe*vAleB z?0oP^M`=mW?+@$>Bm#^l9SbM}JEU@2j(363g+p2A`>}qDHU<(->4ywQ=A?c{Sl-D?{_)dkx4ZOm-g&nqV!5ITy{`UsF zD7MaELjlzWD8s5Bi!p4aqIiEJvsnGOnDQ-SCtcz8SSmjT-6z}7ieuFDQ+k{Zmd=MR z6mBmaI})28vW|TztUbMMqpvU=uJEto*Dc8RT~L z?(WwzR<;hAsd+12zmnQ2w{q0%;bEB^WegwzYvEX4@6OhXY|7 z3uQBm2${_$iuKzZ%r={Y;0C{tjCp%;Bu+y)ms4%l;FTxLq|Q9sWb%tKQ4)C(Co}e$ zFs+DWm@tdTDz3PrK(>WJ#Vw$I_RkKE6>tTXY}Q3iAP@`EBS9LJxdZH8VBbL|+TgSn zVvhV?uwhxK!D7aE1Va>AyT$5;_y_W#FsAK5_c?)sVDf1th_ux*a;Vtha?-V`u|vw& zm>uQ<96PHvw~=Y)ZnD6Tyd3Fson5KR86s9Q zMC5^q+#0&j9YRXEMi}v&9Ff^lYG6c*$eYGpn25e;5H|d;7o=J-7r&YY+41S%u zL1;St%QGqd@#Z26MkUMBmqVV`5f}NLjB#amnjcm@qJ2aZE~D#JTj=#Fp;4{RCwxx6 zQe&@WUtGq{sK~S9@)ED$r+OGxIO{6?p8v(zn*g>^o_XW*j*gK=*XX{bk#$?LB-@g0 zIRQ_|ePIK+Lx>A0r`tFwP_8s?IYLUeaZ4|t+oZdtP}(iI4=BZ@fu1SZF3VE76uSSE zLLqJ1P5J18o$vR&BPVIU-S7W7(afvSXf((3JnwV-p6AixV%$BGsx*swKzL!S<&YwO z)KX;=aw{=7hg$DqQ9`Fja^9TN?(P5(F4Vz%5=H?NMvCm{U||spkHz011dUjne~U{W zhrmF-0c@F*`$qr_2Q(caGIL8E#m&UT2nR)qmc2dXcyV)RI!gG!WIKrv(w$Scp|hqr(FL;Ifo%k~dLr`$O8!qiWut_9L~CY$}!Jqx!zI`y5Y{rgZMlg(n6 zfAe14JMzYtz^h3#MA$?3?ubyqt+>CxQLWq*x-oiV?2f`{q}o_ADy7m8{Qgv0h^yuHcwrzt2)JNc^0&iFY|Q2-J1!Ku*~vju&s@G?#?}%ezwD~F!M-<7)k~!S7(qqWXOdvt?4jIuI?iPLX7w)ismxvZ2Qv?|uZdsJ zJl^qi$4j+8be!pMpb9dJh@JxIqO-r!U%NVUT~%&JY%|9E$*3#UCS(gy0ou9~dU`S% zOQkijoXup~MCOCpllc}(s7UR_hq-$#NGA;!*^o3W8O9|7uL{v`#p;LIXEaw=0ZGCl zVt|MzSUfz!xk?XK&K+zBsmD{|Ak+#mbwKH18tn1oJ%*mTh0~&i-voDN%2!jr(yc$(`rS4)$aWe~tW 
ziHIT32xgvU1a!?~g(aQ=&{+$?J09!kOrX?#N4nb0Iulq_+REKRI#W}-x)H!{fyv<* zhgTf-GAS+S!N5WJ40GRJU$cPe^dRO3OdJ@VI-oRbiVIT(pCklQSjdFSlmY*E6KYDi z?20i9Zld)5-jP@r_teIaoc$jMM`B{Z?jlPMuuh$n$u(2rUUqKirBaNnjr{+OtR)Ib z0$9T#>J&#YU5jeYjc(PEP-3|y4Nl-(m1e(x>DZ2c{3Z(xe{$pd7kFdVXP(`8C&F~M zA@n_U^Iwzsz&CE%ayU12`#r1d;^)|-pV+z+DVM_7nO_@Cm|6P72l%`a_I$pKUMMa~ znsONnLeW$jWP_sBjXE~-wBtQ}JrP6HxIVN#ygsr%YBo7cPN99G-*}_#M#qiLn_Z)c z(d1}#w6@)Hk8PV{oAWN$w$h`RWt2QpWW^(+1s7QoRzNtJ)49@Qs^|K z3l#BTTB5Cvusa1VSz1%7?x)@2t0;Qze%$@4+kim%wnNEpB}xiq-C&30&I)_F@`uV9 zh;`s%waW8&V-PB8r3PVdtbB*f1AcQJ4?Gh3bzNx_rsB<~DOqOoGc>naoY2wb!dDxUQ!+trS1l&ea{b*qu0u^DOEIxO983%Q!c znycB37pVfPqnfwT=nRKDMX@uH@OAbX;?_>Mr~bHqq|@NTtni1uBWEL0=Y^!Eo!jK1 z)WLqpI&LMNf-%fe+TEQHbw0`GGL)wc4;6<5B8?~OS@*5Wuf4Z);hW#RZ}A_#GozmT zek2@6@IJEYz{r-*^!DeczIOkT*Zyhb*1ljQB}1JkZQFIl)=MtzUcBY%4}I>E2Vb?C z1`tO4=g)p-_^vfwSC4nfNc9Uko5}bGXQ5;=d6JL|Kf!!e9 z5WgW|sip=}gQ+i>z8HPf^!2DDvUma_TS>LS%6FyGQYa0Wi{i4R4vQ0-7amJN3pxip zE+{KQD9;Yav{=w07Au#zRxVzxT;^Kaf`McyK?;MDz9A%(#QMapgfa1iSP%kd-bR8y z9GU?xivu|NK6L|(fAX%J#yrw^Tohu5H zaA`5+M|v7QwC00iBB5B4AvgyPj3h;e;^vZ1nV!VSKfnQxh&WJKf_tIQGv3Hz!!z_6 zzv{}_yvb{pJq_i!I{7`)l>c#kp}t7UDW)Y;&n(OI_r7;}S}Qi%o!*hl0eEGC?aXVY zJ$M2Y_AOnrtHEq&uhwh0u6=5TueD`?SiNBGH!m^Y>M~~2*?d>JD?c|qH~(;6D(0Jc zaj15q?RM9L`KR;m=FBslx+5%^jD}Nf?c5#ah2uGuhEb0BRm{Q*)(#u%kNfEkWAHln zg7E=aQAM(}6sy&u*_#%m%Bq$cdOVSj4COW8_u?*TiuAV+;zmdJhA1LKI zAU=sdOk>jc2mBVXm(}u*^E<#JKCMI7vYPRQ%bf& zDA=$dI+#gQD@Pt6ZULOZCK3?Q14fkH2?0lba@A z{^_s3`rs#4|5@~Gxj36`WHwLk8T{$yMK>OJNzB5#L_F(3Wa8Vzvtln%%zoKrPKr9l zY=3|y6a@4C$ahQ!%||3S4<0dpLwd~rNWk=vH0~Pr zJQx^HnXdD12;OMCRUS*3)&y1thf*IjUniN?N~xyN&~Xqnb}Jv8aHcb=2jwVCQ5o5ltRGvrTgcB(rLfBzUJf!;W%G%Xfy6N>Rm2fak|m&Kka0*l@}?T5Z!gF;ic|UQlrgV_7hWi~U(r`V9~Q0JKi6b8 zEy+4kogaMfW5&;{@g>s$k6A03uIu0bjlq3mN4#N!d;yh4&-_~20xE49E+s0}>GPnK z^%ZkIlCk9OKpTyiwH7tnJfaO4N04f;IlzhaEV+iQW`~4Mb5==~Yv!ipafZB2J6=(e zj}~hk>oHoxg+HdffkBV8QC(zRZCqu2#A?o&OO~>&U@v$Jkz%yHknij zv28(gnR%78%CcHsWnUFpRa@41oq2;aV!JkSZS;ojn~gV{Zjuw$tm$7YZ=W1@tLH+d#=W<16Ne0eKtSt2GGu2EZH#z~xYPtJXQz 
zIo@d)>|EbD+&RkMyw-WD)6)5d<+s*LZP5b}+Y_RSWRd^UY?^(@ejKH{9_gQPSiF9p z&Wx0J6;@7!6x4GfQ>`>flfQ1A@s+~4lk%`Qcb*$qT3a~3{?811KF$;6v1VHE51vEf z<7pnoY(g#uOen;}z5+642NJYUYgi;h9@_xlflMCBLuP&`j+}#AOsvm4oQu5x3F!aM+t_05bVJ(GxG3Q(P2E#~)9F}d>O&oN z-`pAOolv8%%xu3dsIYy#;jp(TDw)1|2QxCU91r9!0MqB{>AT*0(s0%Le{a0{W5FE4 zcD1(j$0j9l+vc@hIj_TG0S=>9?A|(=6yLg|7K9rqOY_yEQ`d{bu+JnxuP+wTs6dI; zU^L|nBH%qafqASb(_|nr&>DQzPpdI4-P<7l->6~CU>q}y8^m1(X4qyj?`G)oGAxQ> z7)}?4*xS!hAq4Is-Qi341w3?Kr3ud+Ap)uz$EOB*K+!!6dix*tk1&r2NZBdGF%{fl z1cPW^N7Xn#UgGf70(N-nSFCO7dLS$Q!fQe-p1Mv%7#LUbFxQqdnst{|9JVrCi&@G6 z(r7~UT7zc*rV=g)&h*`8-Y%}cK`SkR%Q2~@QPY^oIA$6*iMve9w5vvcu zKqt!>rQz_3Q~HJA+%HzB;?%nHE~b^#Liw^V=}#et+#>+DkBb5ReEMR%xR3^3i*Y3j za3#Mo-SF62)=y~rIV|r@dGMxXyGbhni`f=1jyufhZIf<{S13cnApiwZ|AC)Ru zi_Jz}C{p*bf*pPIPH8reM_k?=pk46(S6nT{;I!r^)v%lI+ufA-T7riV_foauD}aV+5A`%QEFUqZKgI;#AT0C*@TV; z?%QF*Jk4#iRVF%E$8c8YMt)SijvN0zo`89I_md25b>U~iFFKn-HklpEj%STp_Ec6J z%d)IOJ7u2~XM-X9;N4^s)n=~I647e2Q_`GG6+XK$34m;NN@A1%IQzocALhXsFzDtI z<<^v--xIgOZfgl<;Eq6Xrza6dKe=h()F^2Cp|0>*jXJt5DFO+ zcKGVvI51+j*Aj}JeIwP1hb@l%BQ=|G=3$FQM9lDJ-s@n z+3XKaS2Q9|12Pgh){fA3e%-T&@90@K;{3nM^jxt1_C)a~Z?C*;Ae$4bxoma!&f6}Y z5%b7FmtyzN9KE`;pM9}BIA=xQlDj_S4u9hM*`0H4S&`X(bz57xztUCjSTSBqUR1h! 
z>PL6Z@JWuDeP5V!KU+65Tpn&NK!pVH%zMZ+J%S9g0I<*RoRb}U5|Emw0h@u5YVx5B z0}t_qzyhyx_yz{=bEp#^kfgxiG~&hB-);|~VybBMlB((UA@xsO?(+-LtksrU4YP>Q zO#`o#Kts@qIH$i-noynt+mo#0^<1-Ub)&yf{&tCC}1Gaob`kbalMJUH92u1C$?WVqRQ zk71kf>xOSyr1=u-xA^joS>A+iPAG^h^JqYT>2~%^I+HYm3}Y^N++;AlWk=KUP{wXo z97B##$GF2dhQ)3NirXj-)ltK6!g1UoIUqj{&1^V^v(GHnR@; zFkY)yNB8*!5y0T!{t;LsQ4R~WPSY#Mlo2e8Dx7f7GS7^a@~C3uo(_(XqlL}5`@z5a z`9IwE&7p@^xYSUr-O0Qi-5+YM{rkV)&}bCIcaHq=pHF{&tiRuI;L8glN_up%F!}FY z-9LPK_ft_HG?96rvqhMrQeqoX*2`^xijlv9O7oe<9LTz?(r{`N0R-H(12jFQ z5QKbTzZYH*41Ro&=B;?A0TT%(iPE}(qbE5r9iv>VJsytK{z!XAT}aat4mwtv#F%%P z@iJJy%cND&RWa!r)6J$aVJx*j`mB0feNFg{$=Zvag)2hKW9!qyq2bugq0O;RdOqzP zcaMj@jzG)f>3!(D_yg$&;WsTOV!u;QvyfR_j}4YV_y8cT^nN`Zw<0I<>2ID#Y7n2S>>N9yYMt8kqEAdt06xV)DTSD=;F=V{_1 zZKgtq&T#VNCU}iEZ9d^?v7vlf{Hpjz;)eU< zkoucegMa$^`p}OPp%4xqV&7wC%|x*%4H&6T^3d$4|Q2sg3@zT znIO4Hde5{#ywrnlAwAw;ps&V8<4lVWBNU&s;V`xUmx=+vP|eG6h5*W$m#cszVkwe* zRMl#w$oJtFhaQ*aYK65ZK7}{n6_UqCger{v`Sa^lJWlN* zBrOhC?=aqB`lNBJ`gnDsDrwcRswh+g?f%ko({jtQ(ibE&6lH3)SDr7gkiTSnqiB)(=dmi_#$CCjW_P8w`U!IrY4GQ~BT$3Gkx3p^e$B;hj>18)_F%sAJ5g-V^) zhfqIcc4hX~7BXe&$;r)>kWGKk>8a)v30#FsTp;eL#2Xj9kzC1W$!BwxqAHY(SQMnJ z%Gyn3E^5hHNqHAw2hI)1zo5d=5Vi+=Legf1-||gP;pM{?(>V&~rBG44hHC{LXaKFy zGl^Tm+;{Z`P3eZ4;uS4g7k@B&Y|$59d-wad4npikN)G1kaHRs#4%^hJih1T$)m3xX z?jBit&AbcVd-hp2f9W^=o=e~NUis?$m^;1cN9?6Jqs_raNxK=F8eE^{6>)UFE$3#o*V3)f8lyrIW7LD!Rr~8hApGGy6x8QNk4R*k}!Wtj=MyI zmH5dFep=LHohQz>4knk0%dA(T7w&fN_V5GVuUWq)AGRE@?v{Tb{#Ja=ep>cfj-&0l zbX*cQ(VFfZh4y#Dsjfh;q75-L#^j|0g5^yLV_l54&ouAqQ zxJGf0FOM>!0qLifKq1<61=z;G*1!&Uj8FS~V+55Rw}>_1dSA5|6aaj2C6?WQQJXD~ zIsHaqJJFS)ta)lq$^|wEPQ|G@4X2#UNoQiky>!k_%x>vSFkhBVZX$(g6IB`mz85il zJR>kNcyco)5V8|C`e7$f^#zK8ZrY5A3vovz*&|D0_Nx760f@OxtGTNJU(&6KBZ7oq zv!$DMt)uC{3sIMey#;dk(u!os-l+aAs(;pcC+qKI{WB|nr#Y=nKL7z?)!lU9#r;iW z;hgjx|-LlhbMWBY0Qw2 zApsP~!R(0X(fl&ouwmPpyE~HpAAjlLxBhtW!RIEou}4ix_^O`E?i6SI^u`;ny2ZEs z*Npw*EhhcsvHn$=KJDY=CmIA^_cqg~gpxSxJgJcF;PYXJM*4jR_a#ITxpA7A#aUz) znk1PA&**oWhZx)Gp)D;)k(s7HE9N}elF25}M;CD0!z{YjW2TJylM~9sz%gJo^hpm> 
z-h^^gd5-=;eZxI!O?yXB$&FPbwrlBGx>Ci8M;CeCHt65yxtl4j#v%(vsT zUgj2o)7eqhnVM!+%yanpW0>K%XGOd4KJ@|r13AMS!yNm9@ZE;H?WPBftlF_PHEtf4 zc3O5?zoLA_y}QGzm?7WRx34dWF^hA5!t&WRwm*StA{H%~PV7uPjq(ESOg6|$LooPj z?M08r5wKYk^p*KJH}18ta{-&I#vnr`Z`UKY=2)D5yf9%XQ>;E5WiSzY+OcXJYmGx)YR8 z3}^IAl;9hfgf$N-%jY*wHt!4MP!%H^D8z)kFB9V)Q^LWwkS-w5J;4mJKmb}vB;0t0 z$U>0bIyh2vo6jPyWFpZn#5eRrd64M&Kt`m+yHPYBadjS8*Q@z*RSrh3zuV8g9?M>M z+2kw5!bRb|dsiLUbls}{dLr1pD4EPvwAkB*C6iwtYb$3mg*jJ>YZlDh{@t7Abo3<} zsSkO*o!7j0(E>~f7fj7F{1TSM4D|F^ZI~qb)jr_~41F>8K#u`QfNRB@+iylomUeT+ zeCd6vaiDi_?Z)1la-(Z^pgz`}!Mj2`8lSxI&bd1l-!u66;O9dR3?4QfG3^iT5B;eA zqs0?zkFR}g?WwiVi0bcF8or+7TGJzzMLh#iAzgkk$Odk3UU*jt& z?5l;w7qLZDgLM&V2n{SM6U!~)$ra3^c{f_vR#d)&y^VNq!~6iR*wU%l!;9o# z;{{{ENqgcW9ea$y?==tU%!QlOwY9a{+FiKkrnU6dn9W{a>)i2$d2Al{c+Kln1I!f| z4Lpy@R&nz)p%tfS)7K3QuX?2L{*x^3H|~sL+lo(TV|CGq|PUc%83tRIE>P zPX-MR(KQ;bTeJ2Fc8ic=@}BMR0_!nv*hZTt!B^`xoh)rWp_Df1873t?U4N5uf~Rmn zlC>rw6se(<69v5rPE(fWW`(|tsR^^v{^wJ#rbNt3K;%GK1dMI}^VwIk*s_@zmK+q2 zRMSa*dhsL#)o)w8vVU%-5sL>y3@(ta&hE~7r@=fcH<+tr+jA?j%VI1x1C>n{HsH!gv*MTsKVUfZ1j-9SyG&yPH%c~7W_<~p>i~pS|g!B#n#}e5`G%0e_e8|7^d zjGz^Sc_ts3rAx{#2%B!*#l~w(MU-Rfub7Vd@DRc@hKDDbkx#>%PPa@*?p7n08!t6L z-VVx4r>r#Ip`nMJtp~sp=g8CJ1=wP zK;{a8%#{YYspejin$G3e;)ZRr$T zrD%;|L6<0$4kH@gMqc`i;uh6Dt-T@l4Z|96WnH<9&vbnGN*~_l?pf zt&gdeP%(iBJqnYzbrci%MQw61p)5+LiizA|gHx-d8~MttdZIChsrep(UnMj@w_B0J zp^SB0X1itPl1Js8^7FD0(cz~wplwo_O0r|9W4L3q!#LJ4-XZSpV3Zs`(Q&-P*fHGu zb=bzOx@FLpp;vE)-VCjQm>$=H93R~uNjIOX4!%gtgn(l-7c+%pfPzG%I4KVh5qgzA z4%kNQmo!{FU)cyZj|?TkD7mr)gPU9-dq><{b3lC^r03K~YakUtcZgHsmp_F}WAG+H zdq}mFxP6SRaFtJQgqM;n-S~-F7mr50PPwK{UFg@kWJ7XJt@HXt{^q=?{tME+kSiJS zSDnmb`t;W1cMhj+hOpt zgTy6PRM~CKLKyr9--~#1nmJ!Qz43Z$G||4<0Y^SJIgl?m2*srFX=e@7cYimhz7G}=>sj?+iPB~ zkrQ#3S)?Bo;EHLJymWc*Xs8cjUXB_KX$R*Xhe%A~;M_x3rgIMl?{My+Eu4Eop-lQb zj^V>&IQLhM4IBgUaVmp<1vd70h7D&%Gvk?EnNt~)nic{)v!-Uxu0*X;A`&Y&na}iT`e0^z`;4j7q`IOBa*xbh&OY$@ zvKn?}MiKeBYHA+aVcG%OF0xbSXj`)tyxi>bCg~}k-cLfG4~X0`(8&{nmo%?V#X1Mb 
zWF?~V$eAhr6%5|y6pg{ZbBe~`B@`3{;U@)iF;7%&FJJ={zhWTzGX>7jW8?=_UOc7? zf5_8m@-00Fr^~@FN0>RxO7uJidK-??UWin!G*lWdJ?eZkzN=(b@n)=KP_X5A$q=y= z^6IR7qA({+mtgwl{m9qCkBA44V4mb1fT+) zwz)HvcpVg;NhZft=297TGB~9gRFw`65AdI1BVz}3Z+q#VQ$!g&jfMp3SuiDUUv(NZ z0yPnH-oSwFY2R%=7TwRO^5o{#Xl6CDRW039YPFr((poUV8_=1Rs`!imTaPcqOg zHcUO65U|{jwp>M&F77-C$6XP<;y5rtAS%?pnL56BWnRxg9y2@tXiBfkP*IpWY0Sx}vkZF#KLlDX zJPBmgs$8F>Ghg=W3AM!ky+}YeG%gt~zvR+y5 zUY{IMHo7+^9}=x^B~B*AG3&>j&l#R`y(zxwI_ds{$1>m^2n{6r)Pd$a*Jk-9m!&GU zD{5BFRhx*~D3V`U&MsA!sm8RjlC5;TuKZasEp#tPK4X1G{{LiC&>B#Z@nmwYc#+F& zbGy8bh&}E~IFshf49gKYTdgc}FY}tisGOHbUM3n_L8598<~~q8Qw(w*W$}bN&?Mq^ z2vyk}&fD$y>6UiIU9BnH{nxo(g~2I4Ghpyvd}gRrnteo|kdx4>c=(p|sbiSZxJpF< zTuflva>d0&)a3Un;bbHcu0U1Fx5=V4A(N(*Pxs`jvl@w>IYL#iK}KcNq)%m{nuKmz zW1Ao#S^q?Z}QL4MB%y3EjS#~D)ih~1#IJkRhBGxnhdYF2Er@2D9aTn{-%vq?xss$LA=vD z#MLMEpn3w$T+<}0gXU~ZQ4M+AH@i&q5A9AiXCnbazJPc8M#6cT%Xs}nc!r1(Na(o9 z+Cs=f$Gu9Dms?|`>p|qy^Y9$$)f5R1alVo__~s(JC6!~JzVt)0-g@iGwpu29;neJ0 zv@rGCaAoOKWnS8Eb2-(BzunCg)2H9x^uipE-R_Gc;v`mP{9@|gZckO6awfz4-e5Po zX6pFrz7We~+_qrq62nD1=SSV?QD{{cK-+UcM)~!806ji^LK0t;~)uL0khlD z#z|*0-DDZyu|ASUhsJ{w!BeQzjt9SQU|yZpT7Pp!odx$gHuMYynHC%h4x<9dcyJeX zln1AJzSqZH84<#IFq4B z0kua>pMG!FioQ5kgbdn4^9iMZr;eG)T!a5`rO|TU%oJSBE$G$U>m79Shwfg!1c?^< z9D>2`_=BY_nv0%(t;F{#b@tAi-U|bLFWRD|Xs>y*=Fj5$&Eh09i<8i-B}m>EmoJ(A z9tQfHg@Jwm4E{^Q+=HEDI?R$1|9Xjkz0`|`jdUAKM!mei5Z=F_@f@Ds7#$ezVc65R zdl3(&B^{&J&5z;c$8bY`c|$*jTBCjN{u%ukYC9bR?_btzbPS3q^Y`zAdT|^z5UzI3 zT|i<$oxg0kM*CEkv%%#Xmv2R9l@;dsouO>m2H2lTNB^LDF2$Kk$COD-lM@ruwmxk8 zmXS|p{`9cL1YiYl0!0l=h!c=4b2dz%&BWnxbem+7mMvc)g*xZEIWM?X9uike+^{e4 zZKd8>{M{`6Zq^c9*YEi3qpGWLpWfwj6CV)MVDKmYX>ac;JcHkJPQpOvEezh}pDtOl zdR2?15P`xe(o(^h^A|1#^BA{q;2Bg-LQ3y;EMB(iX~1IM5a!}l#jAGajRTPo@`OSZ zRmLB%$+5b0eDxm!hA{}w)#O1y0C*f3?-sR~K#`C4_qX*H6P*}nwzeh3#Qa5V?jlM= z8=U*orD6ggL&yH~tYTsw2HJ(`<@u$vmL-3C#~(yL+NHy*Rv#AEU>@9x8s8gujcbNINi!&$D|B1UCra{9L znkV@DOq5NfNs+5jxVh8)*Kl`Reuy@d+;e2pxr{vpAfcCm&x#xnZncf+xplpohS2S)|B8vY0 zc~hNBnl@9aJlNB?tRvjHcxuK#SA;9vc^C7Q#J4xNa_t+|-?Dh|^8P!fZeF1V;JXMa 
zY4;HO(oty7Dad#C(sdZL+3bjEUa#TU!EVh;IdhX?V0LH>0c zc#WJEDl6FF@{b(<;_^2;Bb zfetUm;P+aNq(nf7a}gBh2a5AU#Eaa|SmY{vaavW!fRsg^GN+41Z22!urlS;vn3w^r zLksET_GD+5gUWj=c(vgL&!c9|xH4T*q^#o)QMsGkj0#5~{*|v000g2hE`Lbg9OaAi zW0Kkx)c{SsdQ7B~kNF97>c@9wD6!qV+`{FHh07XCfWvSCd{Y3xBEWP4z&FMDo^ie* z&OeOv3#IS#0sRmLe*$s}gJPrJ5;Fh4ZbxXz{SEjXEe(S8;qb@C@ zjWN92-7xQN9B+ub8*CUGCK`sgB~VPDa1*&8i^W7{QJbZha4t&6i;1-Eg6zz<&#EOl z=fs3`S2w?-nRFWITXHavk;W}-H+k|$QN!zbi_toA7*kCqh!-imtp;@6RGR^!jh*1!gvI1pTDNSRwe+Jm+nmI@zImN+LB@2>J^9Sy6*KRcx^-nT%pH)fLH5xt zn?5lWUl)jjH|K9)%N|}3AqNe-k8=r|3(j;2ak1k(-6RG@lvvQt@n$W1R3T`;Jz^wo zqYr7Id1<4O?`8}F{jX%9byDn`&$un;;5oRBl|HBaBJ|}bQDMaB<235CqudX4NT?TB z;^5FXXlMjH+MeXF89wC^<6zF?KSDT}xt=jUdn9l$@GSe0^=SMTR|Uu($_(2t~B7k+bHU+vQV*IE$z( zV8tjTVdQlvDvKJh@Y{l_5H?{!GDUX*(g?*(fNKYJf=+=*(cCwQH<@pfZ*$(}xg~H@ z=%$zjS@C*4yfvn{n^C-g%Q>~jriaofHZLF=4;ZB&Sy0{=C2=e*xCl*Pz?LJ}4z~_( zq>QRK6wU%zgh#VP;rPdHxcT|5&);^+qP}nwsqP*ZTH{zzTZ3ZO-#hh zj=f@6W>sabs+G@%@^;b{H!qc`}!qlm^lEn#~~#i>z+*-S^bUD9fxiUAe2i% zreoM>D#G)V#U1KLGj>`%Zo>6kn!2-k<6M5@-V5$u>IX}^o z!$%!`KVO0Fxb<*ULM;$PznMWG5J-l@xK)JR(HTu?@!%Tf8+-zxtAyWXfy*rPsYjTf z9NcoNdUUSc9OxOUZRj`8T1oHBDwnDZ-1B&3mqX)gr#7b`;YeU8yhFn2vM-|HfBtOg z0-lpse5djJ>eH7s&2La!zh>J}He;RuW=2b0O{sO)*Z&GXQhTmG>ZE~}w%7VHa$Pd3 zI@i<1FUM}iga|1RFCK+{r1O!_M3>Uzqdipq^%~3|{*VL(W(<0yaw;QIbkAYCAJjNWCvY@Zq%G|({#El}x{6MuFXuz}So~C*ga_-xdpEttpBw|y1I^^$ z{@`}jt<<^kH~vx_in~ky!Ec^@o>2GL)D|F&w8&?Y909f+Nm7_g$;3tTjHUxl+RU7V ziX>6)u1#I>+bHYzU|Hoe2Qve-E~q#4YB|A~w$H|Q*EhUH&P+Z2*ZPqq3cV_;;2qL1 z@hI5A7k;;9ozT+KG*0iqfVNkY9pV& zjqT<7-H}Ze0Qj3VO!UA;?|1HUGYKZ!B3_}x2O>dV9^IeT&CQtBabmihv~y*{lWI74ICtsZg+h{H6W0Iko|KDYZ| zlSMv0!uW{6-elR6=rL*NE{ohmqX-~=b(v)V-Ha!MU|wD(b!%r)boL#fu)MPI<(5uB zIdc2Ud&UDK)Gp!|L$JBA&8KQOGKUfJjnY=7UYMQ=GU?u(PIzcpL$ayaxhGafUf#gy zs)Guu8c50$Xo8r?r9(1Gw|`w?yFNWuxR(TRIXmu3Ae!^I5tM|i2&5jC)UZ6?9jK6& zs3}3WHXrP<3mY0_7j(Ytlb)-hfJ-e7be*;G+Uhq?ir?PsF36jxclP|kZKXFViY}LY z+#F(xd~QpA&vcKC_q{%AmU_?Y>^n?df<`wkJUj)`mhG`z18r1f#$-5{j(pG?RKgX# 
znk%mSYA2_>J(h=@8VQ5v2V&~slG(1H#uO{#;^@f->RwN`z`#-Mia6cIMJl}$07@|T4fXBIWElcmY@Uk|s09n41UztZ>g3@Ktm>x%2 zZ_fO_ab~tAiQ1mA1so|SLel0Y>0vOKH&XTzZ1IY0KFK!qm}D(p@TjF(N!{DmA= zXsv7O==?fDBa5Z!Fi@41e)goZlS33xxu7;yXjU6s<*mc@wzL*oA?7aQf`gK%wxAh@ zE)q{(w2^gki~#0UZFBVyPl+#;aU5v@GIDUcaNBs>O#Rug#A=fu$p7Hw_r1lj#nbKr zy_uh)-}Z~w+v8NGX{LEzSIx(M4DAuFO<3C?!!f=v`CR?lQw%ODxaw@eyuuJp;v~P# zyW$2CGl&nKOEDCB;SqQh{1|-sbLq|O8V{*>epeaKT6fQT$^q?>cUEi({*B+@t=E)Z zlM7jJ=@5u?0~HZ&n5JdzEsE5;D2ux{1)?8SMmPzv%06<667O@WzMuNoXt8Gr9t^z)?H)jrC@7~ugoz63l(f5|sSEBT))u5!Ey zm$b%IXY~wU}Y5nvEJfcIL2I!ifMPtQ7VFt^DyjiQqdH z<~3;UEzrVsMKSwxFH)r-QxUOAL%QuilpdLav4&&7Rc;WW2ujVT87C^qTDg^ zbr#*UYN3Kc#-LXjFgX`Tb3zxvl|llv7XCUV=brNn^%!YPsS|#;&khu8`&T2s=Xr@K zF{S@pywq@y)6rHke%hO=_^5E}GtHG7HD2fb-*WsN|IdP$9-(@s?+X95I{~4Xy4T#d z2h!=EbJ(8Q)$QJt=8j+l?_Os<6tgTpau86VPb7P6bng3-egiWS(6z3&Gf!MUGbN_N zcl$&<$Qhq9a7<5Q!N{E%aMeyLxqR7-J2YfYv%j%=? zcIMTlj{yD)z6Bqg`^1mSf#XL^a~0Kig;+!h$F;J#%Ke2Cq&|W_QTWirj}n7{LF=Q~ zH21KoWo})TPnNR2la~m`6RU!}@Wgi-`K3~)$kGz^cKjs8+JpVu?li`PC4;GlkRJP< z$!flPlY5`{+IQOe32w9pa;U~`sjnp8|6(o@rN+%AT3Ejb8K7|=mrqE0!9aP>t6+!u zS5@+~Nfk~M(-<2`d)!Xg77+C8gRL{g+Jzv9mha=VPi&~^wSKd-tFCfor&yYQmKSAqDLey^y3*#z!)zDxUkhuPZVlOd>@UahhS@m$&LjtX> zj2zQ}COK10o>wrY(`?I_Orw)>BocyRI0P6mqG$oVoM74t?A&w5ad_{Hya>XczfWMS zZHtS@?=WZ@WSc{>B>egmAB8uxym$x%QGOSdr<5a>6&%VFAw`Wf(H_)mI8l`Gwu&6pynA;${+xr1{g~wrq53tfJ9ivqLEMe zaV35=ci+)yeI$Ed1|0{jpfvgmm*AR>C1Y}LDV;N&fRw^nL5nT^{?d+Br?E~`!qXut zw@$WcLz!c9ilP88JS?^@w-m@ykdID~lH&lPcSGnBi9TAlcEyU|SwRZ~>Uo?qzX(5j z9s!^^;0Bnj^np(ZC)W@>oi3(z?vQISbrjQ1#JHpoN#&>_K@de+j7!v-i82mTo8)Ez zB35YQ3}k944sY^vuybDjS#p#GZ?!{)4q#c5LWT&rQ5w~2=sr~u3fcWk`L6qx&*)Zh z=0yDtsLjfG;6fN0`zi(>`)e(?C(}N&F?#ja5{9>dntGBcIX)Klxh9bm`tx0evfbRB z z5=WY_VMe2sh3dgCvG?OZZXzTP2Dj>o5njVM41yn_nb{p2aqX z>kVH8R27^f2XA4A)wP)AwGLVYwt$4~S!Z0@YN;f#3`WX3;V6o?du9w`A@UrD%eub9 zSggzNQO{v_0YIR}kpW-dDGdu&d>lSHxue{88HWyw73aqtC%HF{8ow5N>+8d4*_1tK zRlG0Mmy<^-ivxuebxz*4+sMhTmP{2C(qA`q*qnl%%T0NIKZ7aDs|o@GH@wVdF5kX 
zOmKY}7p2@wU|O=}K;gBaVOxOQF=TG9cWG(rx6g2Cc{0D7?QdUpf^uKgt#0nUe==lL zl~N@igywi)bbBmF4O5&Pv^&+LYvcKlyhxnJXAP%ZO+OrihmhKoH_b8eGt>7r)irt4 zvXn%%f75x}@9!LF90?vdH#t8^9!We&?4M1*H}cbb5WPnZ{FPE-z>HV6h0$tM+RRWITDA#s-A_Di zW=a<5pOnX)Uv{Pb7*(0GF)=j#u^_et%QuYR= zAF>6sdzhwG&s1LWtsB|U!s*3nvM%mjswD8NxnsDj08iF6R76JcV>RD&5b z3#6MBK*%;C-KES~{#Fvjmf1{hnvYp_xX|5XY zZ(7IwL&9Heb=cS9DyblPd#!O2V;Y?7i`GwBI29*RxIl2~!y%V9w^T;>VBjG!!P@9D z5bFwzDm`<=>@1S@_fyI1aHDW1aL+AUEpL%6=)dSs^siewsKRU4ncM(0ZEM{n>%Stb zWn=4^46qcywtU+Ig&OrP^ewPez_#y^pq-_mA}_SQBW@!u6~1K`)Hc;jE4{4^tZ(lZ z@ZQHJLeXv;$L$q1!Q&N2uGq zB-o%(J3>WB@$A*8K9dSYK?xXmakj=t_kw$htlvD~x}shjd-Uwb`ea;%>*I?YYIe%p z*&A|j1F3E;U@1lby?vxTAo%L7+>E`b-?%R&8eKS`32fX)b0da*o)NBJQoyX!WR%!w zB-6!KRxM1f0)2W`Y@c1-Hw`Jms-6to`LJ6aRh-0J{0voK#W4S#iS1lS zEh2NP?g@NA!oc7|+L5zQhI{T0?z0m9R<-O?2y&HXePGj)nb+m-x96RhR$DcU9N49D z?~0B$Q8eQMOjk9tm?t)f|jQin%E@f0kw3@ zqTS=?d{-%;u25BUHE`UQz8^1v+DGs39~@KHRcbh6s(s`;gxu9s@^~h90IheE);usAi2JBsxI}U{C+o#MwU0x zGFbl&YQecUn{uJsbuwBHI$lx$SK_^H_m>kNUFtO}XlF&<)pHpKMR2Y+D3iAAeA=ia z`r-)IDYLyNRt~ejVliRjGiPYKKAmsAR?wR=k?DC6pY7sbfUapIuKi#+)Jbjo;Nb+P z?O3uyup4jm!AXH_B1d5-W;{6-rmFQ;I24W#)%95m$+vqT5Z<%>z%IihmVbV2ksr`P zI^b*dz|OE2yg`{d+dO60;ltm+TsYOt0CC@hWsCx$p7Ge$2vBpj5uK zL&t2V7(5O`>E1jQmn8}-PSotS9)>$njKnS=b@d|UJ!F+cYg#op=S*{!LYV*#Y9*It z+mm58qU+iRKUh>L;y!k%`icVDCVs?E(ARC+$7P{w&#KYdr{He&cOi0Y$g!Lo@qN9% zXR6{Tut5XPeYICGPFQcs`F;WU$6Yo}#MwpzB9S(2e_RBaRw+SBR{kC zc^oyWTF^GZyAKb)dqw1@di`Gg#$4Vqh7>3G&iC#1^9*IHJGc&d%?{GXM~x`LKXQNMM&(Y}qr##WW(b@??44YmU?3rI-{&WYPaisJ81&A) zmOZveo2y=cm_dNSQcqdd5mVZ?heBlr!>5)mk2&ew3L~rCZC!rXWKaw;gXd47w~@cd zyLUl0>UxMPn!O?)f=pTHk}dji8vY!^;X7jRfC(e^OO~Z0Z5z{Nt`;K2 zAw1E=rSb~Ot`BuWvW_6wbJ5AGGkL=goC}r*pq(z8DTVoJvBxV`tg@^Qlmp_xtbfDz zc${?_jno*I>h=W4z`^LEcT9nj?El_?1Irrsiw~yGiH~qZWc&%6jlvhP&5p|rwa0ld zK0O$`KaY0CgoW(l@)|R1eE%%KjdACozcNGA&G!%6=pb==Oh~F*vAXRjTqF_(H_<3N z+eykTrWkBlb!fl(OjU4s4uPL~5Q_$F6ioAp)AiXt$TKqDFW)tTx!QMGEhxWyr!Sg3 zXKhQ@&(0vv63Yn|TSNFPg21P**8>Ky1>NL&JhqvU%Rks;ym4hr?ywtPODl*#pbt`m9W)8ls* 
zih!6UuxAXXyX_)RWvfs^R}y3fhCo|Df{Y!tiL|1$bt4YJgW@i~41%s^aWgR33Wvfr zM`-jK2j#YK8y>OME{W_Qe9 zD|6x_hZF02IrJ0t2=z+6IlC zwxBgPhKqH}F92IeFcL9Qoi3$nKrWNciOyo>IKw!ivLq!}YCY+>zGWV*0vWQ?dJ#alEAEL> z9>)O~ntP|#Pz_HHj?$8lmKl=QnjU50T25zG*jrbaL3Q~BW-p4ZN{Cf66w%BBqC9`c zFn}{>0UR^>p8no!aV|PJtzO#A_ZRvu=F>*iFZV##ujGgfE`o6g!GZ223PXz>Vxt8| zwF|Wsg5%i=ePU7r?1=j4xa)fqpX%5HsRvjq;G8lVrl*4M8V_R>woBfbm&6y@%?xH{xgvOPN0mb zowcGkuZ^LLsfg*n!~W^_Khy64sGB%#mnncE_RKR(vnV>02FM+c zpp-mEckY*tU1q%44oY_S(E;APMV9;yj>6XjD8D^ z_T{mbS#sC=s~7z_I5m@Z+&O=mxN=#eFaGqk(O=y)^NOcxU;ODQ<*R8G@A%4o@zgFb zCgx&$PVQ)rO)b7MvMN=cvbxE9yQ&^PSo&6nTJHYC(S=XTCQI8z?~}MJ8W{AvtcIm< z>!&R#jWS13tso$Mh6d^qcm2asm&lznw?r+Xh1yA-T_A=!mD|YgGu*5Y4;){?Ry1fh z3jk7$h6+aC0k=hkAct6!gd|U^ss`Ez=~g4f(OrnH2u6-#BGsu2;3<;g=$}y|H2`R7 zpwj$xv`wW*P?=|?9nY$vmy$1~)*qR~9;eE%4wuNfb$?z6(f}oP<{+uoKZ7+)2d4Uo zMXCv^`j}#ZdYYJ26@>nGyp7KPCd4kr?qxLkvWC(T^UB`fS>@S2>tK}MG#wq5;R~SU zX}kLWjiCQn_kS(m|Ax^20>Hn3kTbOX0oVU0a{e_Ib7umU|3FAc$lilMo0gT8gMgNq ziGzTN;m0T$8CY3$3FswV3~elp1?|jjOn-nxFX(J+`h!{yPDTRye-!^i&@wTy5zq@8 zI!KsWnp?O)v9U4zz}m&sR_&i28vo%Eu&}cKbaylV7i|PAOh1&Yp~ruye--|F^FPLH z%0$4%#PAPl|F`-7%lYr%|6~4)1WYU(3_k$=A2cv>FmkZ`|Kp*%%hN}Dc$uHaxz?pw zTK(PZLaHOdM!MxlbjN74XQzSNkpP5yXh>61h(IntU?2fu0F9!k7(vJa@_mIZ0;Zp^ zxXqN(*78q_JT$1(LPATDk;JAzZi>d2@5uy>=g!H!H-GMP?DGV(c?z?$Ik))?C-Z8m zeUA|g^&&%_{VW*G0=$05 zN5XP|2blPtDy*#@Z?gP5gkz0rF^VY9Xk_39E5(J5^ zZ5cGntu5c8GzlzrKf36|CW1>Gw20!{@DU!HmKBCHXD@3pmXiI2IumPjR=5V>7-F^; zTZhR#kL6O4c@8J_Wh!ETOz6D@APs$hNUP)-9LS13=d>Lom2EeyFp>>zFk zcPKf5iz^b?R&YBcxxx{Q9k({_eYn2t0Avkhr#CHaZv|o^ag}#Eqap@v2Oi9&y7<|O z9@)atveR*(HgFcMf_V&QlV2_%$+v^s+f~IM4i!ov?F$W9ti6W0NoZ2AscI`(UWkqpC%>bWQYLaS(R4kq z`5A4TS17KCzU>#FN8@Sy!=nZqO^ClCf0l>@4xaUS$ z4SMGpK@A3Y5Y2kpqBGDRqFwU~ALFlonLRgemPHle737zj66mO*!mjWsZ?MQ0aWLNi zi*IoGD}?erqSjwTG}`^qcxJdPmTx-DgIzN3Jv;%8UvM_lh9K)pw$sB>)-kuMcdG^@ zLxmXJ5la`Luxcv})=qGx5pJ-=w=L)|>|;P2aK9eO3df?wU%8iRE-{}#H3PpVFsCp& zDxsYNGg|67Jpy<8Z&bt&yj(#V_yv-Xu>F5&c{r`v)UL;@>j$5Ty|@qjq_=}91>7Kd 
zFhtY@8~rogJ*cJ~eMQkLLd(N#UY)GBXP$r2xHO-U>@2>_Hk$=yVbg9FFX!7))GYYeQJka4%~ZiebEEiL5uOmKA=0wfR|J++&^MR_gT^^ zotg@9JmL6c$m;ebOt@R+)5Tg7uUxoWvv+IOYqsg^S}&42JUpWtay*l#s6$p6EHIcZ z8E#d}ye`#JPEG3*&#f{_D=~m&&i^*mdv+O79F(uF_INjD6wiL9Qa+ zBBNy4{pIfc&#LY<;N*L7+GhO z7;$gImfC=N)nUhPD>WeG#B}We?SGm$5b&|m4b~bta$s(Ky7yrQ^@7Lz@he3Utu&H~ zLN?yV5I1^IiHaGP8)~z$VHt^Tk^i#;@&)*!$+0rQu9y&F@}f!uLSEQxU*=&C5R3Q) z_u~Dt>-6%?Y>QwiY*q7Lh2h@B7qRZzea;F<$RUPC6x+PHpP(N4c6a{qc#mOj9; zd2}=tjKr>jbj8pg)zKl>UW*G=7n7+SwU&9mD z9pCRAp}}!8u0xj5ap+H=$x+<}F7eiVyDOY!us4}H6%Y)%Kun+;`Ka*+?E~@hcg{I~ z-rKIq=e_D~Nt(%IujwRp!;$0qg5BY990pXj(r52aX#X%)V;6p77gi$=P9qOWBTn&6 zJVhLl6oJ*N^3vUV*-?AhQF+->O_{0XQUilkI=ZQ9asorW!|+rodWB#70j%~+Fs(m? zwjWwc7g`GsM$1DO?c#ty={Er;!A|X)w`%Wodz9#eMg()p31<{+H-R~EXd#X`JptNI znskd4ahD*d4#_I=CzPLnUu2N@U_qr-upwY32d0v>8`VNPxSd2 zcu|t7^tTYw)?xs0dk&iczq$vvZ)np3M}l)40_KLhlO#(FU%Ye*5KoTu2ml^+K$x>6 zWIedEH5Fh_wze~RU#pX~9MD!O^>&|LYiv@*#-E$QWK&2n{AZN=Mwb9+J{f> z$Q+DXe3mpHED2?62@FA!_985T3F*Aq$&xm1k*aMHZ>oug5glfVpMb1M^o9wsDdF$E8StoKFU ziIkT1K#49IZ(wouW;X(&>}0J{+{mla>IQ^*JI<9ZnhhFQRNV?%`V)GG$t$F@@hb(y z==oFUtmu-HiSClWT&*JMWxjN{QbC;;wtoI)%~~rk8&|T3rv;$n=0}+3g3PKWu~4e3 zxF<#+7NkyYXN&K#dS(sDOSt#gsFOR;T~^Q3PSMV|>Q0hQ4?4o>ik#1Iy%g=2Gatpe z_2^Goz2xK{f}Nvfauk$gik%@V%*X{0^FS&feBzDycwT}Fz2GL)R>o(Kj&nBSZ6&60 z=VfyeZDppX&%NnSxkb)!KV9tHTu9S9iLyQ)bUcHx(CNmlj^Hv}r%0XAU0(vSj_fe= zO%!(_vQ0?sV9ao{eZ?V)kJ$Za$M&MIdslYld9*itY-7~C7o%#vhp|~ z=zl@HDh;oD|L9Hit!U%d9t27p{&a3MJqb;H!rfSt3Ioh@l$N9x7Jgf(&6^jNxaL}diY27Y3&TJPHw%nt5~+@K^F#gJ z8|_vhk^Nyywa^MpFH?Z)kv{-%zF1)-L8YFTU&4E=Y8V)ZA8|*`(lNDXW8TP`>y6f(=_^0_kP*w`;Ts> z#*@!ejqIgv=33`5_5HH@G;isznX4=AB68f%>@;VvFwR88B_@oh2X~L5e6?hk4C0=P zpjm4O-=H+5PtC@y_~t&wiVBNb3v*2Z%M?@523x90cU@_l{N9 z{Tn8pRDC~Cys2^1R8+FiqxuJx)(rUINyMO7@H7bKuweRodh)86a`I%Vy@W}nY~L_1 zuMXdfjv$1?u=LC9^WLZ;r9PEi(ObC(Ez~F8iaL8Fp61@OSLIo9-j6b>qgcTK{(Py| z!noVfJvo61_`ikK#?|Cnuk$(eImms!?w8xhH+O}o#;D{}FQMgVb?T4GERU1BsO6J2 z2IG_!Pij}}MiM{H7?_~|UrP)Gp;43jYZUc7XeOe{WpdLps9u3dLISj&>qp^rKvoqQ 
zLlbpM>UHOuPv3tiiwc~ge5s1Ne@Se3R!|@GLQ;dJe*kYuwmsiFlg(PtlR5c)9zyOw zrr=VyQ4;HBT?W-X^RT$%Z)J|@z~rY|lp~T6q)(A{Ge}Mm z`WK)%#i=C1pTaot9%h0b`i+I&=U25R)+PeG93SeBKOU~S;Cf;e=jK68$=#n;jsGzr zJj?chyCEn_za)KDq-Lw~T#`5%cUK%VJv6)Hd8JJ!ksj;b04^&|%@U@|_KBe(?Jbf% z1x*w+VQWv)5x*vdPe31&^n%7+wjc+W#MKmJQ^s{&Q1UxDL@rW%FWFxoPbD8U$m>FB zn@xmoPcj=h6c-`9u|7T2f_Rrxirg(eBy>va683G1xgk*t&y!|ETaEkWL%G2bxfRjF zD_>gz?s;)Yd@2j9DcNGIsVgep9{wbIRX%Pz6!>L2x3GPPcqe>^^onhjDTw|z^>CBS z5WX)bgJ|1hk>YA%;D(uyrr8py&9GhG}2ot=5b6qk= zsMk->Pj;uzXF8Afp>@mkqwc9>ymEerMKeOeRyn_DkvcW7F{>mUc{>93gp)DGJMlYqCOKe=bg^-^4e4Gm)mPJN z41d1fq+anti|cuw>eu+=sFj*e#jn&?WDHj|dDOFh`+zFKO@wNdcuruQahR>fIi2lX+i~i1h*KXIDTZ-4H*BI<0==YL6k^TYxy2$fg z#ji50J_Q`#Mqhs<7fq}h+?-|)KNIccV=5aJL=K9gU5s3HW!&wK49^$7aXv z>#k!edlL^)j`x_U3|L?13n-E;A!)^LW=ee@q&hNpMDg=$7x?EAA7I2en9+yn$CsU* z+lsg3u7$5*><>+QvU?+TC%+@UW6dgCzAQ*K+e^z^1d*=9t z_X*-lqyxG-Gc6M9)ehYT_>tmB-G0%&*=BzG4*INpZF?QN>78ws0ZYt9K4!7^FSG9OO$@DsGZj(0b8)wzfX7OJL;Xx_l+7u zq!XJ~1GLyH*gx=nh1J^t<_oSh5kWRJf)!Wi()G^wuH$JHtM$qE&X`Vs4~YMRtT*c& zaLE?G`XrN;-AWI9bv?q3ZwmLsWlPZD1Gcd~DogzH5I+hO%rlrJ=LgKt#QFQuC{Qg zd4FR5QbnPrUbG#e=Xmb%`>xEPSMhe-Et2mHGMS$j$332|N3GjZqAYV>K{~<48w5K{)9sX~ivm!ty5Iha2p6x(JjiB@{nC458)?Ybz!+3Yl zP7x6;6yu(ZzJS>UNIug|Ab)>hU{ zuBoDsC!Lg%M*5qE6CGTv;Hb#3_w31Qm%3<(ZmSl#Zo+cv8iYnJk(A^<$qY8QK4hSl z7-v3RVc_V=iIn0`YRG^swh-0m*kGt;$JsD5pc2r2>~BB?Dsu!aLlvqmAua0JrVVHA zze5@(ewq;C3*lcaeGP9uy6g~(wNn^M3n5NKfpGm)eFbHHX3)mXZ9KWLz5PoU_2?mP ze2vn*hD|LgQCJK)h%C54&+`=Fu|_aJ;Hh|UbyN!@*gzL26~|IhZMx~Vt% zldC%@ar{@r9nF;vW$hRenM|n)%0hV$8MTX<>$&y7MZ+mQQQ8%ykuS$g`Vi_om!iPgH?Z_!YZ9EBn|@Xc~^$Sf~3>AQ7I%+H-P4KSX7I zFTQIY4SFtPn>U!AFSnT$o$_PDR`jQ@rWdguv= z-4IO8R8|+bYqZjO7ngXmW=BQ1o3CI4(6K-GIoS<9RHEULxdm~`bh`Qv*D7H4Le_T3O{Uu_bE2xwR!K?RLYKlgti0W%GQE>EtnT-M>94PUc<}H(1d14q=j!ur0i8 zARK~;o9^?~V&FD%^?5p>#RYqjLW~<`;x#!S4Ap(KMd~YVfD66bP)0whSmRt*_^kl* zlW%Syn8J!`R7sOa7_t!}iJImCr&Rs#FL4whx3YFDR>A1nU|ktmY68OOgk)kJLRpo+ zaHLDLN7^|l`OYE$3=Trtm z!K#A6WLiUr2FMHfgeGuX(+;c-%?{fe_{fNK6fE)1uSQB>Yn7g{CUGfqI$|r<=!u*# 
z;BC@~@_+S-?*Y*P==O4yE-nRqz*a#n9FQgJ85~XkQUJ{9&UGMo)YP#TvK`!5z|oQR zkc~odeBlTd87Q21iXh&oY5)ypQ5;7{!z%&kkjMb{9M@ET%>}b?)GP@!l`K|A^Wg>mHA_xSpd!OM&WL`V{P4bVzhe{L5d0uW6=5UESN7 zjR3!4@6vVD(3azp>c!^a?Q{RR-)B+RQ&!VPlhmhxE;vB7fYc=^&Xu!&Djj4Oyh<%s zu-r9-Tqt*sMC#X_=llClul(k3z@Ry!1L@znEiz40=<=-(GEH%8!NbhA6_rF!;ktpRmT`ScPNk?`di_UXD)PeWlYTb0(9&o3&bHS`VI4{0Pk>fOHg2 zS3iO77`$$)oyuEWq<$P`fIh+5KngJIKe&y#6(f~P(jXE}QX%cy@bZ{mWQH=y1;*$U z2pL36&U0s!xyVMdQp~!J8rJ_B-}NnjJt!@o=KTYl?Hj>fF(k#Ls3w`Die#E>6SW{a zRki>x!usRrGBvHIksWYpx`Yfsy7`u9 zPTxRL|+WJ;$aXvrO9jhykDUW!V(#e7(wpS1W#aT?Nu@{^IY_ z3d<7v?JS!p{rkuP>TZr6o@Db%jBd}-iE8%iD(gsaFXK@xxK7K+1eU+j9^SjA+u(Ib zC0GaBmG{fD_!IBP9HaCxwivFsqt=j;%fl`KDZFpe+G#IA%?cv?D5Y9vj>RJvGZN|8CdY)bNM-YC z%e>p%NTf!DU+yEg0ln9?>cO9`hqjIL;0?XhF%W&71UjV%eq9nOtNCl`v~_?o<9|Yku#yjq5v)E|(Fw>tX1{ zc!x`p3q@Ej7k)1lksWoTR)^g`J%jh8$DN)t7EBow^I*8(JhL7g@`zzPx%Cl#`0~3D&G_uk;QA_pyYHU12tU}G&|1!5Ug3ibP74R|O z1sd8R7g#iqS2my%-z_`L3(3{Ook6h`&^u)|QDi1rOnf(nHZEqnjW{menQ@z!A-SSRTNc<~yw&(8( z@vAv*xt-WeGsftR5e{bQcInFoO&x_I9{C2>FU88%wBKU(^=UH1F6Bf>=L2(@5X)z> zXcdIwXP6EK#NGV2d!unUnCrd zeFC#*Xs#hmfr@?`K{E|8+!=N?GL|){`Yr1=AvN5V)!i$!zg)$zh@Q0UR$HuV#$!*m zCk;2#4_C9-y=nNxDq|e=s-o;1>I~P^3!Bu-o1m5q9L{pv%(Sa{F?E=*Cnqk^;*kx*4bO+COm;g+N3V&S<5J|cO*hfW!0R)IK# zRHE2Q4-d0$(rC9Jo;Mgii*s;}Kx`C-ACO7&PQ4$&AG-Juko`T)lf>3BL_VDiVdQ>Y zWP?a!qsvE>*2j&2kJKyI4HvX|fJz6c*YSC@6nM0>ETJas7SWMy-C%)*hE^L9lp}ah zfl&S8Ox2`KILF5~2uV^%QpGY&7Sk+NRI^k8)KYOwgK8`P%4|-igyE~_?y}+PT2mh@ z0qpQJK#sme%nm(E4-$)El2h9=)^nh{f$_?Ojpi z{`%llewa0R2Yy%j>v6;L^8i@(8 zTIo6>f=ql9%Q4cU*r(AW@gwPoQ_(%vbZuZhZ7RNuMm$PQxqcq|FRHgJnAP6HFj(xi z?qxnB@oz7>L|Y>bGDOA!Q4=~PLv&rYP6}tIVCv?L|HIlnMoH4O{emyswrv|-U0t?q z+je!?t}NTOZQJTHx@_0f{k-Q{FV4)I`7j^%%7|DiBCjhmcf`)$Ut6^z`a45eb)SPb z`iIN1`$5>&xJ9X2vxrfV`ejl!8v5MuZ+_f739O0lP9|76nH^6&VR>(J2R?tk{TmcWCLs*FZ+Znda zs>SzMo<9g-;W{%7&vVPh#0DK`VldtVYDAq4r6Q}r9l^14L01Dvc=|4GJv;TQ^w4IIA{m(jM1PcNh{IZ(7CRxHCgy{O0wJ*G!l*b<8;fmILE3q{rub5q>k1vdS6j zMtERyue>ru?5J@lmUoSIBgA(-dhy3{1t+WOv;uw=yxP~X(_pHsS86vhV3B!>iNsf_ 
z(;P);J*e=kR}{2cO_T^uv|gSD$ix+|R)Yu$kwG)}k$Z+oIjgj}t9_J!^84XK5y;*v zx0T}HUX4tX2IdbdtvVlNcRb7ndyWD*9VB7db6v>FQqfb>N~B!(r!vc4w|3d)Y+Nlv z)wxSb4_YL6I0EU0H-vdm7Z&YZnr9XcrqtLzuISBB1Rz_`Z>%x>Ia{V!5wYwf2;DF_ zBuczleaGrzTijUM5>%htG-Y+?$)IU9`FcNU5KHylAKF^5Qzzm1-4y$z<0AW(u5shO z+7;7dYEw+MUB@Kocs||ZXQk0wnf89ZB?4VwbLUg5WpTBm$`J6B#q04i%z`scvt8&0 zOT;EBR%@aC;U#~)9nG#R5+_XO`+rBOI53NKw-610 zGN+_hR+pWU<3MC>Njd!unJK}oh3~#Hjf2Y!n0g=h~Jp<=1Y0I@6=-qtI2-p?P$fzCnlMdh}KQ6q?A$KAF2yz^ckf=QpIF zd^oS08QcB-y6~dM_pJC?wPlM5e_xDx)2bT5eSGl6SLLy_fO+MczC1hf>tnN?f`YgY zW5x$;J!#aoh$Np4tqFTzNSh4@3X?Z~PQMi(YNFJ-N|222itzLkq&XMuAh3#pGy`M@ zuI(ZyUKJaCKh9yXR0ATG^>qL_1se{-O!n7_yfIt9ib&FE{b-Ch2C~5`#_VZt@su=c zK#d|T>eniOxew7;Nnb=S51up8Z;gsMFYe7ezb&5|qc&YR!aX?HhQiKFiI2cdtDu`5 zoQEoC<{U)EANE1^Q^*UZq!noDdC`;oTaeGI*Q6JHtV3*? zU*$*L?$RFT2`&a~$=oUUZ~c2ks5H}>Ath_|eLW@T|=Mt8>M@GJXE9BgYiKgR0WH&=+C##aTvlgXT!GY%Oj+J16+q+m)x z1de<2ot`)TaUKUA5>Qs6R}~{d^(zAFcz7a8q#GiBNfKnwWf%y6YJ~)|<|Gxk@byR-NxS`uOwt&if)p z*wHDP_bEs+k4-J_Kg`z&|hECciX(WGrWhweIj0#MI&F4@CLT4~Dc;sT29baGxa{ zp18hngjtelpg~`TWk+Sl+!{7=@?ac}5J`F^iYRa+*TBWh3exCe=eP~g&}0D$uWLx+ z&Cx2=5M4!@R%OK%r5(rI42u7t#d2fBqO!1?nL06ABd@5+3I-1RG;P8*H>k(nza#m@ zp}@Xf$_#}PR)=qjm!KsiveD=Pw1>U01UTW)4?Z7es4YXqW}tQh-*oT;N&TZU#zqg_ zE9F5m-#D2np7`S$b~mp!4Gt}7P?1h5v5mTjlN0?V^HO!(w&tGo)bPVRDT)(0L=ys!TC-Q%V0L#E|I_xb^{?cqhoY{qxRNo}Vg zUuAsd!HY~_y6X5*#=GWmIP%Fa@q)TFIX~QgfnyG)XiUw;cP$xNw^s4DOe#vbH-}w$ ze+tUP`KdVIatQ-XN7MQ8L1J3`!5y~Q0%k(5^^i=;>RFLz_2<~x-rj5ilK@j9 zm2HG>(IgZ-F)(v4`1c&U$oe&C%D4eNEy6mTzM0Ha-XKTN75VhPz?HFuA5;~oV~iHx6AMeVgDdbU_tiSOxv>)G;53F%-g z5X#_*Lujrqshni6_w)u>CCr~IpcaRZjLE73}9@vqEZ>kVlw8_wh{K>Nlc z{({1SoQz}=k={vG>eV1x7^pEoJ1WDPY^5R0U zPqE_qy(ibIwt1b(!kpKWO{d#0Po1^SR!JCXr@{Th93P*P;q|7D7(VAuu^HFKVmkzg zpBUmW^m6ze#-_oU)lqcqh8OD@*{@_sPRS__2UAbY^p%?RwI6}_JGzgv5_6jb+0&*j z2&EfvX9$T`c*F`PiQPXa#vfly=i;Ho(Bn4Em6d{l#QbU&vI5wSVKF1;N{O|tBgf~j zKm%Cw3?(poRUBo5y3C<87ocQl6nuo#tsWu;a2_9CAD`Xz)RTye9wax4_!C4uvndQX zUbpRoYy$U6qz5r~e*~7mrjV9OU_Bs)a{-&GLH&r+PryuUUxgaiW2Wr$g(%ZXrZVnW 
z#)F-?lBCnRxX4sxX09TVs%&j~@U{b?Iaz73i{cV^^ABGFclf!V)_hIS9v>YB6;2Y0 z96q~8`fFHR8g`Jyh^1=j+{Gzh8n>%)tYiAE&~32d#yyYe`Qv zFp!4NeOtsD_S#?gKaxu1H}hE$q}Hl&9OlKQe#+ZO0WsWxRxQ#z1mfWD{HUniFIyEI zpP7oBfE0}4K_g}(jh#)UG($W|FV;pWuv{I8X+^pjMMgV}D*8!u)islPs8l?Vj*4Y7GFa(7Y`aMk2?NPgApVWukG_xz*oA#zganbFT zKic}`Oa3lTIZWS7SO2}Mp4*XmT;Y#^l?;72(%fvd-70CT+55DFx45v;ImNc#I`10s zi4)+t5b?}kDt)?d*4>_*nRl`c&9E}Hv$*H**_5`jd|=8h8JAKzyixYhkh)lC60`D< zxwv1?UbnL9QGNSy;bx^*`XO?0Wi?_YBiz*3jJ(0Pjpu?1|dnnprC@p9bG- z-;7Vy575_<`CLq&_`Uh8~1(ZOhTMuX@|8;y9b6^Ln>V1LZ%$Gl!>*#Sj%L~ z+>`%R?v+T+W$Tsj4)$z{TwMe}DoVwE>m1mHeP|X)xUC^LRU{*< zxWx8ODw-l275Iymji0B{#|GG{JLFL$&oSh8d1&kii-?&)(A4b?(hb=_v z6%N=rpjzWwsppbvL(Yi}5paLbS{L8I6O&+Q{9MEeUMaOeU|y3@*#%m4;wNbLSO5wb zkN`HIgmuWXH%Bq+1k@p$N(Zp1h*zmqJ%Y;=75CBB9-#0l>H4c^4NUpIrfffuHcnS0 zHB*9$gnx4x$2Ptn^SDo5Ridfn{#U4smuEVLo9o&rH)@OL+a0!jLvlL~yRRYjhM_a` zMUoXA$4k@g2E)ZM2ixyklE0$fj-02vGB~ER)pz8n2Uh#z7Y`(4kTS=lBu{=09Rczv zb>}7&a&`z3_18Ydp~u5@IvJ9f(ke4-IOYz9ICmzmOJTXjnR43NT;Qmpxrk5cacTF< z$CK)}>+|YCP1fq?Sai~sB&~hNW?m9qLrLao)O$RK6dd3ZvU;39DO5yh07N3z=%3;l zVP_#e2IzaJnx>-XW^kR<^oD0?7Vl8hw7K=1tjbNqN~JlnWBq#)#hr!jv~-%zxlAJg zt;6}zBPe}8kd-loN$_H=^2r-l&k>O$Rai*qV8c;xYJ+}~#P@AGw%hJ1=0w#Oci9FFc zjF&ynw(ShGgq{EJKDPojp|&t2M3#Fj9Sj$X5dvG zD%fKgoH4-Lo(D-^`Ys&r&MkJhZ$z)ynr9|Mt30uv)1^PFwQs|J7(uMtxzpXlJVm@y zeE5IHFJM13W=geBr!HeLBs60+V{wK)^7QP#$H3|(w;_aPr|LoDM{Yp7@Iu?s;|yex zA*__j$pe^lxT?ds>NsCy*UCQZx`QMz(~6ka^e?3qIFQ*tIUtgA`?C9pM}X5s!h8Fk zNB*EUlaz(gme0xTGP}33C1d~QjzMPzRAFZcF1v@8w-wjo3I`f$QknBEIXO0zhsD^T zq)F@`wA&hzBtP91z?sTyqp6)j&dY-0-ho8>_~H$7AR{UB*NEfSSo3)rPA%E_ew0|Amt={3TnYXFJz^RwMAvCdhbMoi^`tgQ-AYHZFIZ{2n}9Kw#AaFDep0|Y0cR^F7dD*Q~qaCh)33`$v5q$y*v;Tvm|keBcr zWjVl$Kp<~8ooi$=-nv}f+hRaW*3ofDbaNZ(O6kh}IE?kkX7KCYY#(r~$TBhm0X?q> zAtlqvwQU;7wRHjdu~qr#t6~Ry^W#sMk#bQsPA&FRc_aA>H)_;OU@*pH{(B9WkBHG{ zL>jIcT#ZiS<62XeRR;V~c}&K!Hr~_FLK=*n#g6wy=ZtR8AUd=a3IC4vrl#}eSa`;zy~LBC`$<`llbZqhHE1p~C-eeOk(~Xc3w$d_`*OS5TXVa!!~T9N z;w$PKW1HTso#wXlSK^mlq(euCy?g^eZ@?}}cg!w!yLZRysZGifiUXA*95@0_$b=Rx 
z5~%Tdlh#Bc*Uo_kQgUfblgB>wo6hK6Zj zhC=*^DI}1-IgFAsYZFXE9R35lg+TTT2?Z5(g?Vw3XtBRKvN3wUlOZ|qIy%j2j+yJQ z!3P;^NE%pI4zyCB3a>G%eZ4(l=E|cq5XPD4TuXZAzTIl;zLmDqeb3FtrCQ52ugCZ3 zjP_W1Mmn^g*fUb9b<6u{Fd6f8&zny4x5{0smYQ?PQxtV0+%bco;+x0j) zfMPx|r>_TIvYce$27a_A`EEadY+03{XU$$}NXKNxG6u`hB$QTeNZ^zO#|qx%XW}eg zcFodn>j^j$#R4{|b{#(>$DZArh!I|y@k({ELB*qi9;vkA$TrOhItwSO;oU#eO5`s< zDc%)(=9VfbqGIorT;?JC~Pud@+!EXbDpzjL@waf6jrdlL+KR) z>S8LMie0wC4L9gi!A8R1Xha*i`68#&4>LGexQkizC)jwZhFh@Jh&iNq(oMba7^zGS z@oVjx`x=^xcuT8<&;Ib3iu_7}LJTKq3QrgfC+$>qAZJk_QezOd!KNNCNfIYfnck)( zZqlZvpGacuTT|_>d!KgfZtyM4eB}xhihLRU_@hW zr-+FTW`IZ7ZnDIc=V)nKbG^v%XYgkerJ+R~>P|?Y8rS<0x;-GRj;ycZmSv+wgRajf zk^@nV*9TWGlhnEzus!>_rANQo_}KY3r`6V4;whMSMbC9Xg|Z&hsrZ4R)b6wjO0SM$ zzVUE(gP<0iardgHvAwa|V@c=OGGoFpS-Z$_-=jsOyke%NJo7@0!|kfFT%h)HIj2#V z+3{&uiV(}T=Jou_wXFJalRL}T3u+TE=|9wh%R&QTJ+^|4GN8-Y6+l}LdOCyFqSDl#s+vi-2GxfP?{9!d;&37YM4LqKm)a zY*oH)b4NIH%jTcPTKM&r0E=camasz0d)K}kS5YtAAtWQ81baJ$+LsKUt{xTXsphBv zwx28OT{b=RBa1}H4BvVY0{^)^bKTze$1i9~sC+6w?NEhLXcqws`Y?i4PniE+yn^B^ zPKorhL_>IVR2dTs9Gsdl3(X)DbLl8ner5P}c%%Wv++bRD3LYe$2ITjuG44y}C>~j^ zMg-Mro%&cQQtv(*Xp$web z$YL(|eVHpkD@zur#=xcq2U{IG@TEY;A@EPPO}m#JF!vUD$e5w86aqv?gbZ{_N$N2g z(ZNNbjYtk}X4QiTiDr--Nq^2U1=8n~@e=#K5Beec-(E%bQWSX2Yn7s3IP^7hyMxAS z*I2CcvH}%!k4tk^vl-w8<87O^m_|Ab_VgK%Avz=4nUQtOnCgJYI;K=bHAKYBk)iJa zGi&Dg$e)0>RxCnPhwqR@#th~7sz3AS!sy!IT$q1J_qAz$k<TnfeCJ_}}hD0YV!i+Y;0`2#bS}Ap?eKv=nwR&#Q zT=ugR2^7B8Te{AjrwO{UBG^LXxlCN|P|u(f>790Rz5h8i`i7Bx_&HT3nIHSBp83-R zbXnsaw&TK-LS=vpBm>o@0uIjWd`&9cLd2|u>66`Rr4zQ=F`T^WC4r~rL>wGrhPrGb zwe&pF&-?FtTE#I3f6~_xM6%D&2kmLVgeHmFvCLnbzM0-m4*UG^PA0&4@s*Q$D293) zCUrLvyx5Q_I`S-}+c7D=)QcYKIxz78NO#XCH>DEz4>91Qo8YkUOe3*uZ*)Vmg7S z5Zi}LBB0{{&3ng?N4$;GAKt?GE2425#gy>Lv_dQ9qVOV)ngRPp95<1Gh)uWyPqep-Xk4ay&vld?+~#@;SBI%kL@H&ND2f`yMqt zeeG^rj*$SsJwlk(9VME*u6u6!7@hEr2aiPDS$KLFu@k?{IuyQ|c1E@iZiWMcv5<$8)DyG@cb4Ev-hrQG*S$d|(guwKyLQ9OMO2J?18gvFy z{%V?A4*#+#8HU~qU=&Yyp~}O7>8bS$LOtw`6U>%G+n1GVtEmj4_<5ZW5P_npiT2gM 
z9uQdGRKQ)_I5jysxpBEcu%5lDTiv$Vv?ZwQ9nGg)&+k(3*Y$;9MR%urw)^CB_4}4^ zf!q*6M>nC9b6c6^i+)MH15#<|meFt!OWE(N0HV@y(sF3zM>>~o*fT&3!M*Af;5nmR zVqUA<%8ar5WUL#uyQ90Lq1fOi!jpR;NnW*uaYB%Vc0Y2YEzB*>FXJLjZ3d>q?bBif z->-uQ$K6&axcB) zYha*eV{VG%x+N7lTq|qIQgFPQ(!42G?Or*;XC1kVP6<7 zCWd@#RLhih99#4|_+In(wS0!2q8z){%lV8>8D{B6>EJ_!0B*79Uyn{GMb(MoekG%8ZqlI5-w-TQpLexmTtppI`*+4@+hmpx~em%!I2%#MD^V~n7LoFg= z&_j8J8SQ_-2;M~Xk!Oy8M9lr!o2J#y7NL(AGoC;*RG>(vUFhv0$C3hRhLbVFFitVy zFl{zNFb#_O#13%O7LnVK4%4!k zqiB@FG?l|5uqJ&J)XKk%CA(NJN+in=e@8_wC?o&AuGDqMklQW#kRR8;70!#RqGw}y z88K+601D{aasx9;eiJ{|gZMiOBzw@q zHlq#7T4U=@{Y}3t*hSvNW)kT-85TCZ><-CPVSel#(+wR^=X+KSqWlSQnbCZ5kGnom z+}6*=%=8sAlqF28G>D2^fWDKiz}{tY(H#-f(ZgY9I(vEj{7iV{=RUF?qCTtlxW9oh z(^JA}QJ&Y;;mS@~VLGY3<32qO54q2QdwDOP0C=Z#i!}w=aovhU43&0E=U!q>3-=2m zP<>b4cf7g8<)R6aIsf9mEuIQlQbp}3v{Q*_Djqoc5odXgDB6S~a4ycne_6$ls?>MF zyOw|wS&-J~w8(vQko5_)&v2g4Y}`lSozQzA1m*vHUTTJ?Fwf!O=H|cl|@;KUYwT@!=);QZg@S(O5y;04(n3pyx*yOl36nwgu zoIRJkQ1CSCH}SzJ3|3MIPl>VgzE39E;}A4B+dh(uJUDEa*@wqQIn^+gPI2cWB8L%; zW+AZbQ+S+z?kW}JF`Jb+o0*xu&%;wzAZ?Lgq9yG(?iiNFXiU#W@ns3x9n)821?T@G z=wK0n00rRB_+t-~=m1uF6cgah$TX*`pWoF><`XdX6lht3R4S8eunXwj9Zu~PQs6De zGLp6n6Pk`?h7tbPkBuPj8GQzgQPC+&mU3hH8{uB8Xa(w&Xou5P`KZV?vdkZpHc@kM z1%~K9$JK}ny&)8^K_gK6KdEVDw8W~6RJYGkO9nrwhxKaJy_Y0!1g$YvMTb?|2=B@z zlglS(7%rI})Yt=s#b2~njGCF%`(fU?Xn>i*WutFv1{&>!k7bS-T6r|)C2L$#z>S8A zqRFe?_feTmm0FwK9&fV{=OzG10uCSL7Q|-y!2DGa2en*6BwtVsdcWMLfgwZf5b+0v z*j4g;?RsiB?=xS1ohXY#7T1%Sm4RZZpol0IPc`&5sQ+WQ%HqJN0V-Vs>6j*9HedDKw?Z^zbAzu1ovAwEJ~{$R8JPp(?;l>61bec ze>e;gGMK~==2L1@(?rR-i({KZ|HHq&Mr@IuDyl*FeMdB$pn&hfgdW#cBThjJD@lrl zc*t-ftQ>#umpEyNImXAI2x6)0fq25eJpeW|-U(aB66@}WShN7e7G_dSzZjK_%;--f zLWnwAy60aaUH!L?XO*yYN_wK+2#aG%HA~c&NLJQi4)U^%m`w^t1{ay5ZRyH?O#k#a z)t=QW(LUZ=QJ(<9orA4_WGN@pE%7*EsXw$nlZ$Ix0zdg}o|1RmTy#WGtEla)Cwo)} zKaL={{VV8P<*2$TzKCS5DpMs}-L*@1*pW??ZA0;W@a{5;X>(Mnc;mw5sCEWS1YON} zLnrGdVeTPQz}{$9AeSLmRJU>Ppt~^|Q+T9woZ&ao^Sj}!=`l-D3~#V@JW!~h?*#kBYltpvviOefBFL;D&&-N%8yj4diQ9il=q#7 zj%4?H)b)ALYnm(Rv=gXL15Iuy`@j^;-rUIHUE~$4b-7U+#uIq-M 
zxp*lV)Jwb0rI>t7%9#$&Gq5)^J7584wlQgzFGX? zc-T>rRa6X=Q1$Wx95E z;8K54Hyd`+O@a#v9>_y(cXIo>rfwW38(m-X!rNY0=_6BIWHU;f_h>{NZV58+j4tu* z&ylZ_SuMz7PxZx4H9g zVdp=2q5m&Jm&E@Rx@45U9iDIA>pyKG7><7(|G(p0-!9g_ysrNzoa>tv`VX9oNb5gg zE+!_Je*;?oU|Ij5TmJxB|A1WojQ@>o{eyV@3+MXh^>5GUAH3_|7}vkH`3K(mU&s2N zVAuZ~{~PW4XFnaH|AKP;>jeIN&HjyYv3}b~|7Vn|&vN4jQplBO1b=a8ZqsrK3Q}Mk z(lxP7*#=~so0zD4O%NU7`{RdcLhLQ<)dU)1eY?S=Mf`-b zPJU}a=CHOkP3mx~ZybN*u`h#U1Y*ks&9M&w#Y%Iq(;=cH!(T@yH#rNQaZH~_8;Sa; zmxD`Re!}yyU7neqLpl$a?h~F=<3Ft}zMtzkL&>V1J#v+?e=oAj{dj%1O&vDFBBtJw z_mU1+o)l69ath76uGUvps^c<0wP1F?BYwTDt2lHjZhY0;M6^_hZo0RrA>#b=Tfw1Q zRW<{_@X)N{+;@~C;Ke&@I`=@IOIu+h_{BSS1ZW6^KsX|h$*h~#!BB8Cs{DgQLqNsN z(aPXQtvV4s$NV!x3hq^bx#25tMGn~Ro2Et;ip(oU!BG!Vr$#MKtirUJ`ZTZbkQQq# z#ddKfQ(Y_f%JXV)z_r<}msbevmx#<^S|RRitXZr3ysda)R`k20yW8ojaV#IG7;J$F z(Hxfa2RRLiK7Bp1;InpT(jr$(3^uK2ZBShLhv{;@f<4k7fF=l)+g3vV_g?vrV*d9V z|DVnBpY{G9_5WWiuK)WUu{JRKX1M-i<9`?~m~V#b+oYpsW#as1xY#(p87@}t|6ds{ zw*SU(F@4wS{|m$Q58C(N8Lt1z`2CyVVrAj}M*#a@_0Ph>@!fj=#|}8}@^Hr+TH@4P z+G5>mc#2}nF#S76rzzUOR!;_7VI!eShCAk-Xbmg14G$u9iy}>gQBkLUj^ql(0o;JS z7vIUmkwNqWB>Z=SFiNd(CK!lp<{u!ES z&}4`8MR|5|8j}z}xkls{g>=Oq(G}ggn{sKc8`9R6hiX0McwJ|p-88j(ZT2~V7yAD3 zWPY{E@dH9_*p^Z|{iR<#B45@!5;hsweRPUYH+daMzW*FxPotG-lxGy z(ma}3mSlG?J&rR8K+rdSyK?cKttF!O0rKfz#)5iSmVmPZxdhu!()!3RP;LZLBy46D zZ+Ir3>)3&lVX>E;3p?9t`2~Aa@^sz=J$VNJdDOu(t?q%}2*2>HI27`Tn6?1@;YYm1 z0tMd^JNC?H|6attQuO=VK@Ah$mw;d9ftlpR3}YD=|56~-xZm$pDstlb48PbyeXji5 zo^8TtwR6w3FXZ{1y&W>zrtj&4`Z;>(_1nACV8AZ^9-?d^-lkoXT3i|K^9D0(L2Ybb zraw14Y23p*sxj>(0>Fm}q^=L4FR8z=4$GIZ2lHd|_btb25z}7-*Ip>VS_!frcf$+i z%Y-fWTj>+3D>9UVY>2iARG@jJYC&GK)9R`k-F zh^R=F4p%a~x#g4f4_mt-Tj|p#z^fIr(~99yH95$wwv)gNdm7)+JNu{;{H^wHz7>7d z@n?8*J5Y?M-V_5gEP}gk;JfKPrCKqAn7-=+(N$gp*9N37_DLgP&!+DbUNS*2eXWKb z)hcuMY`y3*)t9BWu7C)9y&yPIh_H$$+)C8y=tG^NL!G7_ebc&%$73)S21gx%rSTdf zz0h58j&mw$bZOM6-Wsg%l#rNf%tTtUd`)4kwyJkkg9=$HtNfVM7nu2&ENl{lZos0{ zfxNi}f0pyYWf|wq#2iro{lI%K-JW1-Q& zIPkU@2eUb0>}HS!gaIoD%0C0IeF8bE9P!)mYI5qY7Fe>hBlF5w*}N4PhtU|b%D`JX 
zKin|no4O4wgVSLrcI`JCjUKz#7-xLFnrp2eU)QwE?h@zs3*N*~OwiLaaE&heknLoL z$Tk+oHU;jjvCnmwMhx6h0(D>(fEoxy|2*~~ILwedY77cUt?Q@soyhNLB(?OJp3+4R zT?Nirbnjm~=t&$ihnR_;(QFh?0~2ULG{A<4ZO!Dqvua*O+2vs51p54pwEI1Edlh2P z<$d%Mn}DA0`y?2%YlW}bd+C0k{+^3(c@gRDh*bZm6=w2bdeaB1TyzCv?CikRKyKZ=5`l=OWK+o9y<4ln-nWPv1NKRsR%I_yi8>5q2b3y+od`PTmnQ zv$)yGrh1wcpL1+{{Ubhy(fA5Polp1FMJhsx{8km8e_?-#M|~FDU_>^|DV_;sM zRZXlAbEqR^i1&BwJRHL;|428;%ov6<7OhTErZRxd1}{8mV9cn?J3v&tV_DmrEFYfb z2Z`qKJ6XQVx|m_QRS`$k9Y#V$+r0Pz&tkqH5-;|v+Q*&spM#u5j$8YaCq{j5SmbyA zX`D6O*Rk&yWYWBr$aywbs{8%XyS$YGi*|c5HqE4zxNAp+^a4oX0l)#;t>eACx!zp* zYy&dAiyT;)`kBtdP#z>{r0~-S5&^W1+C9i$h&B*X-LQk{eCoWl2QT3TBZ~;*CW7d) zVR;>6BIU@FbhfM}Kf6-CbWx!lo zw-!`@61tT*zNgi;?6F`zJ}0SpEGH!+*;qVuBc;e5zMQo9y&?xN&&z`>>CjS0owgHS zyia#Vp*KFa>Hv_}^jx?QIMQ`mxX8+CWM^*=Y-CVV%$Xh#k8;8+agMhj*jwNHV_`2{ zw<2rzs;9oCY3!!77nySm%jlim+qlSIb;l!`ASZ|qSWYXSec#`|ZYegMR7!EhJ9=$< zn34%?6F72q#Vb~G`j|?sb@y~pIu5obOZ_X%p*Vw=Vk03Rb!G-wFKclWn+so z9X!O+C23YC?O&kQByH6w4fN=%s>bUS7Y&(YTW<{%C2i8osAfvBSgc~oidw}Y zIKhS&nb$?4o`pY525Ts}H;0L&zPuuFFE zGH(6p2Va@~_>~XQ-gDeStHxFn!R98GuGZ&VV!PG3oQR`cO*KI4H-VCbMtG&$ZAkCr zrCQ{RtFe@%iEW`6;??N*MehMFbs5eEpNKwn#~Y$nT9Gd5xtM(>|0cI zfw^wE`PyS{MO#rB-}KO`dfC&oG@d|cX46#Ptf`?DTM=tz)1=E1-Q4U3CuOW@Mv4*F z_V&#KZRBrYUS=L8ycL^!89T1t!S5gk{CQ^~=TSNuZA=0WvB}vh8&c9h;h>hPCt2r+ zKX@5FsJ(*naU_utZRBT(CJQU^&{+uXfyd>r4qB^qSSSWNkIqo1;alz8^{6U4b;5Kj zJX3m@qHgLaORP5$9!6;L)G*et*7&UF?|&VAU44Cj@Cs@c|6bnLV-q`zWD&-GzL7Yoj5YY4jLzb(=M?-L>f z%7}|5oF>HHi0l0KrRp6a8}X*d8+2!wao>fgKy!B%OU&63A-zUaQ- z)#w%Vb-^<$pK+n$)zzn^TTZZar);N+^L+6Nt<6>`$6|JHf?`P7R8i)FLPxw1tY8CZ z;K+P|B8MjOwfNgUK-+68juWzksXP5EZ7s>>Dm_I``-4zv_I8L2mI6cxniWx0tQ+#p zjHxH|1v2V~t^Wr-K+NE=0jnFpX!}@cW#}{;j)RDbs8`oRr=gG-veCe^KdqJNkij_J z`k+M1Cr)Tl$|lhQb>5=y3x8(@_zIl6LH7<;(&WAJ(h&u_!}=X8CwTv44O&<{YE#%Xo{C#$Vywa#4RUcm zcXxeE#~8vR>ov007-yfSp6E7?8A>XZhHQ53%53ZpHrGV0U>XDScSn{qJhGnLs_Q9YE$1sN zguwF`3Xi1r)05|$8^QS0A7qt3WmXckX7`a<#*?q3+qZrZJ2)b@0q%(&{vPP0i%fX9 z@Y#8zsw6{bf_jboW9oBtB;YvGxT 
znhgJBm*Ey>olAHk4wC-5?Ol|Z%6d`ddj%G$wgdsm$f(?G>=X0V7ui>Fu)FVw&+iSM zZu9rC8^K&gl(2jp7R-da2V>S3oEHSu2bEi#7u=6bR-)sL{=e-NE+r#ZgPX%+Z1-L8 zZO3_+T6L17WYNc|SVdVhSR(LU0NtM}v-tM}>BU#`ZruEs!*gF|0z+SMUsdu|3(+fi z6qx&;z~qsmnw7nrOdD>7opK2)V;PGQ`;AznujJ!?<1$C-*L>q$Q(ZGVgI7q?XSM{q z%#Sy#$NR!@YV5$5JWLsKMi`%xIw!)wT~W5VJz_I%j*#xOjCaTaV{(VbcUkZB?>g^@ z&xEj`{kpp=?HcU_Te@{-=i_xbQ7th$VQoO%A-;$4B#I&wz`m-W=?r3Duh(#KR--P) zVVl72ZHea)#5ojGC6Q?q?63>9ebx<8yC9G98CAUp=kSE^S9}QRNtqvLC)X&zF1qZQC=|+W7O+%uP0l-ie?s`%y9}o6W>vt zIn0JFi@0F3z-;%Z2#W=eqYD!s;)l5@ZH{G~V4pGXN1n-^+l&rM4lKtPSbC>lcCgw| zc>gdkAaYe*`}^J;hwA_O6k7Bew-5#WP%n79x114X;{Tv^syDh) z8kof{c?+K6m@x}Cxd{L6MVp;m2%8r=n)Uj-Jtv;yjN+I4Fabo;SBiE7>+zGhAY{Uk z9Y_N|30mF?43m?fBp(|`VyU|=g;o@6>)KVxrd^(T*gIgl?~0z%>?sA>Kk+G@Mslza6-YIBw_zvWK-Ngl{JkI~VZm&N3zn9czQpnBtsdpXO4S{+_lRU`3n(xmM5m)0rBmdj?|C2*-CWDQ{ra z>rpk}#9i9?kQ>QiwYjtM1JMT*ZH>r1>#q>8%>XNy?IXhV$CE!xJLdg@?R8jepr#ju z^0co#hQ&9c2c~<19&P81pE>*_)Ym2A3#EB3cJMvz^^^34*xp|`;LM%crW_H{$pZ3u z6myxA!R3Uzf2!)ajo6-G)M{~^I#ZeGz?ih_P`3d%DtsKYucu2ajg^l_+}6)0?B)M5 z5c1XK!-zfzNtXX+oetgkZPi>;1{gLfF&f6q<9>C?{&DD2Sj0=)t}5Kyq9!It<8A;1 zlk$h1yeR&1lN4IKuQ`&SuGB_M=uS`)nO^#$FG(LO(;byCDau~N#H5}=CU$3`EJdC-AS9(G#_uz7K+F}wTgADCHkYNew3GIBWd}x8N-3c}Rf0lhhz2Z6NBEp{7NTTB-TfUoyAl(w=`i#c2k7r_ct2N`llS2{X`vPjo=~cu1~GB4uLPYW`-2SA_@^ z*W>WI6NbV7V()G=Rs45~B4<`cK=4gfQ;`;|u6tPMC4uzmLueM19G@nmwk+U6DVtZm z%H%!Y*=UQn_0Te~oXQ!Pnad}!loESTJ|&+fg}wiJ>r+;{eD38D@2kxhgI>YI%fwPG zgtmuz&hP)8AdSGo=9zT6#uxUP>QzrWl#3;7TS`s$)uIfkPgzFC1eS__%**>uc#WO9 z5-;mEDEFXX-(F9%lyVkToIs7YFEm0gwrY(54BU0#?(UB^?m~5$T-Hk3rM0x~GgUJu zYaO{o*(X_@XD@T(iD-@(1S6?L9;(wt8f&0o0A<8>vGq%6`tBGc#|hD^%#t)-!)#hv zI;2U56&Qmv95iuhOmO0@;3yJnsmEimP@lcvfDKBdwfqw+I(4!-1@bz~2#Xp)%n{_BOv(N!5S;mjQ71-#=rkQ1o~-%~ zYc*w}j?h8mWO0M2a3UK=Shg=!geEfsUjS!f1Pc~-?4LqVzh)!HH1=co5}lZU8V&vd zH`;yxegU+vzyY=zZW>#-JAz#uX&L4&2EK<&HFu~b(!3Hmn868=M6bfi%1)Lm!k~k# zaO8i=geop%Vt7xhd`O<0!PHt4S_nz_8%nK7d?mQ{LU1~g+0h#-$?Ph?vj&^t)MdU@ zZ)bufYgu~OMdT2GxQ;#4ogzx-#*VDgpd-en%J;u~|qBwkzG8N;ftOo!f!^t)z5tmDN2dHPXX2NITlc 
zUpsIWoSvb1C`&rgs4pb~W3BF46=7Hbah=+{YAb`*TT*0RM~e7{h9W~LiY~^cBQvUx zr}Xhz%)wt@BGR*pks)YL=~<<}?7N%DP==oS_ zCB*^hXy}y{7GtwmQQt(&L@~r@dy~OC5czP7-qPOj#fF)`G?mqQ$r2wXwwMs2ucdwt zF3gnzAuTYcVTxcBnB}_f6B#A~Gn0FoR5DlCKyq~pNd)eo@O#MXzE2zi8ULKWolHlW zCb+Yaw+;S_U@Tm%=9=MeM!wIGX5j;5CE~LY$HCZP%;*NL2VgV59`{8A^n5O)pH9&B z*`V$NNQH(SbdQbDNXo(;1c!W9$VCmfpAm@yP9TJPOCIIC#E<)vTyO^-t!8$c)QX#~ zx%3$KHh-nis(V&{v-r3)OZtt04WM|fI54D@n(De)xaPwUUsUo4-gpL4FBG{7&Pg;ieW8zw?p{MG(mLPfa4y_9%L z6Qzl=^3Je5Y>&aBeu11-_|dbfj(m<~8fEi#<=9?&ANc`h;0o3!HLsKFbid}}4eoC5 zF)weRL=*&@Y8(|>lA4?b<$Bw z?GATsc^U1Z{l4e0HfD#zY$Be9%2In}X(c+9m8=Hykr$8Tiuy=yJXuv;S>bYK>#tnX zZxBUO%#mGQ*IGSo&5p6XMY%iLvn+;eLtSP0^bO0_3^TB68UK)fPPZ1T8YRDBJs;_j zz!B(2bUO4+KVq@uq^V7H7;;EljdNorO+|~c-95#@KQ{`oiTh!S!8j0pcan}YBKBpIBeqX>B^zr(vxGiRid%SKhrwQtwOUk0P1$9lynN{4wAJVo>&mVrvaRL%&CivXt0p2db&NkJtsT@@u(hdGZ#lJb#aK>kn(+NcKHoM_6XaqsE>M0o z_uIP)m0$>?FT&{eV)Q|Jw>J9gMUSc0?eSk!)+$tUqL2%Lq~A2dSNe|tk3L*t~qDAPRZC3^{38t z_18C?>mSxLO6j>B2Kut$Z39QT`a2UR*{0Xl%u!p*$(bw%uJzvTMS7>Tew(bj_BHEk zKnwi?ke0ArKoY*^EEYK!o_kwBfU_1)%Jj+w$xr*iUp>8I7vvd3d^b& zBh?vvfqO|#3|CZFPvZA3J9`2QoAU6LD|f|X-nSpz^IloYG_MT(jmo2ggp=$mKZCIGh25KaADK2|;;n{qtQGY9q}S)yAtfT4<(D z5u2a#2A!S?W|M^oW{aRVTd+!g)gemRq9{qcAnMJy^S4mT^YkI$b`#yDT69!zko0;< zCz#E`^K=&GU!tp3lfhu)=`MaB&+%#cFV#aEwB@qVZtRQ`Hr}RJMJjr&Us{v?dWN04 z>aig3{!wP9KtpY*T#x6Jd~TrLUTbIAw{}}eLbz6bjd^W08}`mX7wzgF@EtTmRnnqQ zOK#QJD;g~pfprUW-GG^{tV~p(0Gn-R#2&GSle7{J2gci7LLb^_*J_S&Q^Fq3Fr9yyyy{h zh~2ecQNmeA0L30YOU3-t4+!@`IE>@`2%SQFbjHC!aW}vsP5-GH)d*E1-4QP0O4H8{ z$=vQR4YNvAgQCj2Wlr|y9>JCSM;iJ$*#+bycd?mdlYHtV03Lpv1E(-Kr+|wXgm05d z5;{yRVSx;gtCj&ezzrzZ)9bnG6+NJx0XbkCtgdRhTv+c|8SK;b1$14Vw97ZlD`_cw zu$Sk<77uu*13>s;4pAe$VW3)u`OzH1{!|Q$0>cJ+{g;kO?Et_=0RE@^mW#*Mc2dKG zH!Zqx?uIQ_uP=$@NkY59K|4OZxIdgL#wYRrnKfxN3Oo*MCu0 zEOIu$J*Zb*3ff3e?&jvRwHpQ(3D(R(LqRSWApW4A1VS|E=dxeoKOk-x5yr@Wpt>c_ zALMP4--Q>C`k=$WQ7YLuiIg%>>NN_eUjB? 
zv&hDvA=Dn$J8fBVjy=cc^LqmNFjH`gC7H9otfNYE6D68EQjm#O;+g22U?$qFMUOZ& zN4;0hsW!5`Y*l7A3*EBG7RJMzc259JSopV|H`e-`*GSY)uZ`nV8?222tO z1cQEq)#x+0{BEC1;zXb1v}gOAR|RddA_x8cT)UiY@3T`TNwucAH&r_q%;vaYD6oe> zwSY}rnjTcml5FFhE|(-3BtNv?Rf7#>xII?Yp61H-w*_f1&3&R;71i2qJ#FQ!PbilU zF^aIun*+kjlf%H4;b?{oV4ndXpR3<;o(tLn0fQ|>)8Z-B+#3o3d5P|9UOS5S_qq%cK({jCu3)R502Tq> zW*{6E_0DYVTn5oHiB{6gA+3>rCXRpV+&`A)PF_B?V1c)C3Vkm^->L1IckZLPwfR^6 z@e}&SFWd4$rD7~*^OSu{So-;Wx6IYWVnRu{Xc@I|(R06LxEr*Gj$t1c@K2M5e>zP* zQ{ZO#Zuu9oZnL~Odz*Y;*8R>meQySSE=wM}BRde}MJL^sb4!rRm-Hdr0OX1xpCue| zhrOYEtJT7J^YI3TBl)aS5B{lmFED>RA|GYn#0vw?L65}ziz1{n1T z%)^Ymww94TAVd8*L7P*KWygay|3aGMgcY!d7E)i9cOlbdWJ`73bvTK!T>ZXbOE@iY zpd~|T@h@=9Aeew?paGW_&yDmFZ(95W4%O%=!qyJOnZcS>CMzp&H^7LfNF*6n1cwva zpy50ap2RK_&{dJjg;AG3Z%!qb54Eg|UU}w~u}#0(y6{6?*n>qeF-P6E2RrFD9z2+N*=_Q;uFDIXqJ+hZms@3Z5 z>Z_zaPoMXy!kwO--jpZhH5Hd`Hf=NUp6ZgE_UgXs+k|I@6V-y5zu7ce&CisAA)n_T zxsH&}9gbA_pa!Gc&-o~nr}pD;Z&e%1A1HErJh}S(BHo&xYoLix(99MqsI5y-&(xX29;dc=D9*(pcvNM!=5d*& z$7dy1VsC;eO0eZT_bFI0EG{-AX1E^b3eFVlkb3!(GuVo!&YYT9<0>T~%2F&puOP25 zkJp>y(U>i4pG=jIY!?&8Vq%HFk`?P@V#w1MQ&Y@Ztm&;L5^UF_@j-CYQt1db~ z2Ks%fvAn#9<8q5!?i{SPYUp*lbBn6@B0WIhKyMMBYX$o;(wl3@oIMR}?`m|wdCDs* z!Z;0uZDfbWeAuf%T_?j%#=SZ1dVNI60}F@k&8V^renmjsqg(l)P@9{=|NRu-NyHNcvddX&EKVE9CsFAKMayTklw_*j_h z`7K}o>(0OcfY1*J$ZU0N?*_J7*xAhXjbz(ptj)n*I~M{m$aotZq#AFNsKAblfvvf) zCo{WpV)C=yY{I##&OKi?Kkl&@Lq%m}Tyy!nxYuG-5@oSitX#R8?_Cr2Iy{>H>|L54 zc$4kItFQ~rkdgdUo5%8d9Z!l+8K07cuhA{yHhPOFG)k6y!aMWz22VZHKZiI%<`uq- zS9u*jE5MLoPD4@&r~xiuuV*^zoXrq2aE4j_l^F!b(AgZhKk;b>ubtL-AhojeLdR$*pOs%A*ouCdOz(9DZ-r>I147`qypt{;xw@Y|RFb?D0NcU-am<E*Db2ga(1QNn~?(n3P~D zzEzhjE!pJR=-cSOCcm%bZojz2^IY^u{%?H0@&7ui_vXnZ`SIFVZQkVkvXaGl>+v;3om5mqepEZDXs*qwom5sW(y9Tw_2J@@H2vECFgvdj7c)ry>Uq^Qhw1Of`Qnf8 zA{3lcof>rG=mH+;0-CFJ;0T*I!=eRlzbBR-FL1{zY19uZ&s$hYV?ONbFV3)8^S7vS zFgF~EOcrv3%4Dn}Sac1;kpx3;q#pz~Lvab;a3BKob+9)Oker2S@oyu&&TMTfIXRsK zrWspFI=_`J(A9Qqo65>BZz^`sRbT?MnK&xX#n2o`Y$ijXkNM+ss?I%MxiFUP!;we- 
zcIc-&fAfR#fvL$$0&DM`dE@-bcJAwAn+8Kgu~ts_@Ie#|<-qHVU?IR-P>}hSEA`gLwYXoIpj_o~ZYawEMhdSl)L(LMAr?(yip;+Kox zDf?^jc(DaK;WUSHq_d%R!7&B8Vf8YJvxRd>EZ;|fFsW7_>MBWtMM;|nNrOcx*X7h;(Wyl`HCS{$ zoa{MFy%|~27l0^t4S*d^Xz!7fX5bKx28R>0@F{R{j@qt)(gY-?^v#=ifn!= zVG_l&Bfb6#jcW7z0KbQN{an7;#?FV4URwr~D>P~?b5H}-g~L<>+y5O{i;VE56%&9B zxYn(OZhNv)u>@s*e0EX;a3`bb=wIGBy5rHk)YCn*{_I6re#5J;@4BIG1$Q+Vys^z+ z1@nfdHeH*JkA3~-4l{Qbee(LPyRvXT503v%(BWjM;qKSY6|dv&BD@)D<4ky4TF55_ zxP=UVRo7JK@IGOgXPI|d&N81~XVFw`x;z?HCWGcuq z`3fQ?rEYRTS>1qRAZvT{KJmWN`^%mz9nF8G@QuW1-RZjQi=`SL-c<=)D=V?^U*G1)i(5o6pQXMT5v-0DnB10u9urY+51xqYL&{%A)BqnoFB2NZ- zw^<7cV-BErsZ`H)Plj04@OkDu$3DU?>T2vz4J%BmEo{+DaHk3UvC^tYos>>n-QF@?bE#yoL`L%0blr?LcoipN&)DuOq$L=ZRX4s)Zym z^T)^od!&SeEYZm*s34~yeobf$>7ueIiE#L7;3ooD1sK7LJIX2!uJZO$w*EQ8f#E z4pH6K28RvgaywpD5lEWLS92tThI0)XdNpV`*O2RWg%UxA;;pO%3Ch7`!QDY2cm$sm zaE*VWni#F?(r~d0weMF}b}F3Fat16QjaaB>N=BhU+k*a?w{ zr@YVPyr4UzKP-YlenS70__Xs0m+nDvr){U>0oTs3Zk= ziMl0Xr?kX)skPIoQ^W1}YRw|uJiPxIt`cgT)5$EWE~YOK^QC-ezDoyUDqIE@to8x(4l=TeFP|8S3NNtn4 z@6L=R3&!$dV?v(noi&9kytJkS?-;73bY9b8H!w5Ne&Zria-)#1{@x>KG7KWwTvsD91W;=;5W-x_20qRU@(ePd(b4Zl3 zNqjFcD!);hILa=dwHqNdjw*OmfpV-2D;w15;xXa@iqS9daIy>=ZT=g*(6h$>@*ImY zo8vLS7HWMjkr-vZqZ92NWoHuGSzF{deN2Bye^C5$NYKR_EnU@0d=tM}xS8K3JkIZx z#2F&3ld|(HQ?r8EO&+(I2tF6VcD&G&@{n$)j_cM9>h|e)-N$BpWW^ITn`KM8rO&d{ zA`HSxS#UijTNFzfyrY(57SRHP_FR3^(j9xXH6zqvvYa`Pt^y9vbq!=r&w&QJyH>la z)DFjdufm(exWWe&nq&0%iPvK?`z3@zLRg_*lMj-0y$=^pm`8eEd; z=hnULdluRhkH64Lvx+OPs9o~yZ?8-y^SMtC|LrGd?jEeG;}1SGGe?f}oy$M>+ltB` zyqtQ`mkn$<9dOpd?;~L@mqFQxB+v|`sS20#6~U%jw(k}$*s zKR=L_%`JfEtwRn6JmvW64y0bMCAu13J4G2V9c6a{!wyZZx}mVRibU87yDf`!oIh*6 zFb^1QzS!aG@QZ77n{|U^FnqxGx^hf8LH?jKOu{>s3q1?`%Oc&LZvSS_fPctwN7hdJ zPS4|Dh4w}E<4w`;i{JNtB%SpCSvf;JdalK>$Z>1vR%I}9IwIN?`U13D6_^l+c<79z z`RQsIV5d7g80JV=2G(SPoxbo+urH}Flkc1epAK8Xs{_YD+J4^^Gl&@8JD~iTqt-ZT zF-TMRM3(vp9qm!AMe?AD1(TF3%(xnvc|Xmc=y1tvNK7~(i!0<1}V zOYEH+9{P~d1KYk^UNkvqH$@^-R$essk?qSbo>WDb9{e8FAAg5hcg%^G#+{o(!ItHZ zJob5G$ri>zH;tbJUvUQrnPP6>3!JCMOEvjlf!@QAonDjZO@Jm*0xk^&x=a|?8P(39 
zPtoMQik2I(|5i03NbxWvsQ8cIf-5jSddPrKAmm`kP|i{fR&GI7HUTmgi;5WVW^iFC z@Sz62z*_GmUXw>PP=;9VJVLz0fl@><@jNT)?+Z{h&<$Z($b@Q4E)6TXAYRrlKo7H- zt3cEUn`8JY}ILugQy1I@+s_d?9c#q-Z!=w~< zXESD0m0~&7X}CP=F1<#$MmHo3mhLMZEfv+$!BUQtx(c0%1-b>&{KP#XUVx@b=_KO} z<3i(o!V`tNOU2RB(+N&dh!Q@6yT*DNl=s#WxB~aVaa$ zJk=4*YH|khTvPqQKvM|COhS=Uo3&68Eh-A}rVufO&Cu0ZqdJ`3u0hv67asy0z_~sy zXxF2!_(EV6bDx`$)HjwiZk-UL&pCB&pbNTA><60U)BuJIgez+pmt-6b@#e%6f|M7F zO9cu^2(a?Sm_iG6MH;GQ=Qz71!FJGg18z$oEeDkQ4&u{RCPNI|_<>$PIKGCY`vSrn z7`}}$=mt07fI`lMaEPH>kTw8qw=R;jGmc^c*17LD4z}EL;@{uf(gw7fldw>Gu`TTK z6`RIRm+0$Ply)>PN%bySGyS5^Uw@s>nDf-PHSGKOdymZU+avvN(s!ErYTMTS;H_UV z$e#@?JdaO7pDn;2_!8vjOD>$WkPdJQ2&8s!tQs1&I?JH@p#b4<1ed%V!GvlUn0ZvY z-H!ak!@mMY^jn$?BHR+{rUM-TJ*fak}99xYv{v#j4@j}hR?K!$3(85xoqy3@GS*W^I9RBl)0R21X+$+$1>+u=Pu`Q(9llb z&jgAUJceTl&W9rzf>xagau;*F)JGW%h(D5C`Mz44i>`NVb?pEba3(u@kX?c7l(;f! zhjd)xWl6<#NS~C#^@v`2+UgX@b_Q2`k?JV3vO8&>SY@kX;!nkogft!5=0fS~Epz&1!M21qRnLqa*o@h-VJNB_qB}$d^f*2pKaWV`A0OzoizXp0g+_X@ zPcEo&Ft`Nn$kJy72=0j!5;(-=jD;D403pP$>B^Pc7T;7Ha=vxno{#@_=z%xRZKF@> zWbcaVc{gyAf3$JqimS4>|BljkKc?ajpRVhO)~MGpX+ayVHm}y*MiSiAFJXmPv34F7 ztBk%c)^5do;IXZGDp?Dt#12X7z#9Eo#Wx#)G8`;sLg=q&$DaXbo>7X%f_U%WR$xn0 z--tucG&@d>%A*ZOAx+I3dN}e%<=5ml*aPwnb2M@69fmF-D}!5DpBgC8M^Tehz^)ne z3#gv$T&i&bS~uQNP1-Kj;?b>NYaD^qT3nRb)a+!%Ifv$t;)G*bnLc&Ot;+q*`{R5Q z-(;TYy@|ictb0J9rNvvrJMoF5UD7VY!}7!SRIx$U1HUaRT$bSclJ!7Px-*v^2#RT5 zQbUp8uHeg1bFoKbZklM9sa#fA;IQi@(I{hMr0FI5cNEj&H23KUEli}TtXlF5sKaKL z@3h%ylmYqv?(Qnht*gtp4GkGLTCTaO%O9@VX{BsyEVK4mN3F-KdaJkS2(RbG32|Ho znCF}V$ZL#kJ)A#wogC1lBlY!A>S{P=uk8Z1)y_9ZEHB#?k2&KpSH7R*Wk>z=zsaHj zpu_GcZg(M84hHR5L)k>6Zj4P|vVOl8{+cgU8S` zkZ|&8q#RgTXQh)q?vG8GckaD{{Au2ik&c7?>pJSHg6_(eP$*ua`aj`kpL={Tw{;BrAGP)b;O|JalnBS5T4Qf(7j}?YI2wwcE$F^UXJnjq~XH{I}(FnE0I;Tu)L04 zxY&3(%rlmUmC;-j2_vuS+1Wx{m=DXG7| zkv69Ja@Fi@F_wC1yLS+po-cAgg)X6ipF`@AWYmjZd`Siu26JBG%W%F1Vb_v5e3=@O z%jo*D9c8=9_%aVW&&$m0m@P}zmhgk~>3lXe3vdEFZyk`)q87ulz;jwPTCg$a<7;OW zHx{ER6b7nx5!1EW?!D#0EP0Et8CF+vhm~-6{R@84Y 
zS1qybxMw<@4pD@D!Sr&)MQyG=*V{N;(&K+u?W~;3%m@*e)C@M2}tl zrxF7vl?(t)?b$HN@X zCCJP{EaIZ+z}vCoF~kfoNfZ-M08?GieT7%ssaLlys%wrW{QLU!}zqO_^BG}1*igGmr1luq74!)m1sz! zHio0rg^H*+aHQAHmvZ_Qab+)W*s%oFTyt#7h z-=$@BD_=aYx3cPi-_eT;zSVilYpPCfaOW6x`k8%$hqB|f*>*(~c%8x0cS-+>I~P?{ zdpxmeh83amP~=i>+vckuUNmjs>RpScoxQHIBUTojvUO&a%O!w}!J8i~;|=Tl7t2v24w!}E!1W5tWL`id!dP<$Kw1AGVj0}_MD zhsncNv_DX7Nlh-8tR{K(K#{5s0mr3r)CljYdOPObXdz7 z#%N9-U^T;ouMGpG!E+XR=I|8POq!r6G?HS%e-ynV7zLPUNE_Mi1)JzoOKa4^q_L(O z+<+}+ix1Z9tPxT*qcz8B_=KLe*L2tPu_(2MDw3xlhKR`;5DcZyN<8Lxr(o5{{OH zirb63i~EX&!Q!38T&kGjTr3_fK2|IgcTaj8yfM^2f$A8&47!@Rpc>eI$5@~Xo{>kg z$=484c8*^s>0`dQU+48hyq_Zm81bMfjsX+&Ybq7ENM{r-*4HRN%wq%*A&9nEK5u8D zkda=yMma#wGodlX)Xqo*>`f@WVuNOsDxe7l^+Aoa6*d0Y8BRj_b3Rhci_tmjub+Bx zpD)X5EK|p(IMoUxA8INqzpTYsJAJI~qDZ#K7Rqs!TB$>K$GPQKH!obOK0WrrB1kZ! z(Y&~PF>Si%($cE7G5@6{p=dPAShJA7D8oWCy7(e6%{J^VCw=CN-F29_$3ImAjM&XK z>!~OSq}-RuBum|n$PwXSw@6?KnTR#vyWsp@Wb zcf0%CJKejHQ8X6>#g<%J5Y*>I&I{4eB~foAGztaMOf}3^bCQ#*cA9CsnRc7|%sb7y z&8N*e^N4HYQ4Jy)f0hBohWZO{@35D_G)h$yZ69zFohWGlB~Fl{Wf}>Z0U^B7F#$jf zR=)17nlaYUP?BQ}d2;fh6|KAD^QjAK0?}wr{Q_Qna0ZiGW7Y94Apb8=l$E^j#j30B zq=r)&Da0)(*KDg~b43`=EMakxK(s*8Q00V{p9Tw(OGCXAx1E~A5R^*>VZ!si1`F`~ zMU6Aiagl%qNCB;)fL2AIK*PKR8d5DlR;>&?r!_PVPX-ag^Ixiw)lxwGT(pdd91Z0v z6F`<%SeW9y43i53T&xTF!tL5zrC? 
z+CW)(&BGdk=kJgu!&8u~nt63OzZ{q{w3@Q5xDg)8NP(gb^cR^o)Fj%m&AXUJV0=a<0 z&>-^2c2yO0S7i`0qe1^4B4&rj%j<=hmv{RqUI5eOoJY&R%24R;f(``5o?>{pLbMsV zoU~*HUgpGH*}_L-fR_WkHe-}+qz0yfKY^P6N5l*%<(IMb7hA28wmx!aYp>$6n#!k* zP0ms)jl$G9U)yZ5mbZ>g&YoTlr0mbL(d-0w>ebeT_1BDTSrqbWDB0FVzjkf^^<#l9 zSHKsI&R9w3@0poni}o@3Wiz|2#Ll#l09X8_z3B%c)^MsOfj0w&fL~>k33d+TRcEvf z!#rvhixjkMf;%ReHRv6933#TV z*|o@d6TQu_-S)0e45<}KK@%YE3eh*5Z{~1nh|ZGE_r`(dM%4sp>^1N3FR5#h_S$O`rGu$(5hLcBUy45ysG4~G{l1XI*W08SyJQ|+6$P5P^iS6i=k zT;KDinjeh4zx#V4@p?*P*6L2Zn5W@& zqTzMCr%f2u4C)#5Gf=pud8I)yWNNro2dYL05PhCrK1?dc&mLqjTVZ4{i`y&x0;6$q z9eSt1b(V&8v(OiIs^IR3olQQ5b`=G=^7Ym{LcLaW#>9HVI=~>ILCz4pOtk|o0v#XI z?%x6Z4C=pOoXo`Gwel=^iM-t|++0K_7d1?7Em~4^nfo~wX9i2z zsF!U?uB}>3O;fhy)JkZJl9O6WteR*=HzH>HK&ggbt zuyecYjIdeMswGcL7bKu`C8D3M$u`P#`=3s%CdG7p$y1{ zh*+0=_2%|%AUYlnFs51J;$0@5JYRsyH>sg&)f0{qX~aEXtGnMHl8SvD!H%9{zrSv= z?hu|D@_@y916?;MA~I`oh$%LvY4;W8_YH6+-scZ@&H4ZH)$wqk)u4omnQzrV(I|Wm!4Q1MZI1-uJvGwGxFWqAF z*GPlYw+Ee{b7z@498u0@E9F~G2aeAX<yke!-?;gg`ZuhcJdq3|Ly~T=ubA}zrd5jV{28Qf=C1`|JsO()L((k1g8Y0kd6a*0)?{5%WK(nK=ToOdR5k95}>gH>kmx z8w_1y8JFrp0N`bl~fusl=2ym6}SQYX4e(x-$sJsY=K!ASX8BOLWO%WTkJo7V36E5$(V<^oo?5goiZU&bz-KeUr!*%die09e?CSL!O2s?pzx3_#ieJm1Gc%4s?rPrFMBFsTsd)}B zaryQtLB$tQh_~0|Z@`IoVHuZs6{m6?kKecDcdYE#pT2S7v-gbW60Mz4c68oWDtB$&|Kjme8O3B30+AF;9E`K=V58`C4h$IQ4y2fuJCj}>&U^X#>cs^TfZ^LiSISpbbbiTU zs93Bm&F4SvKUTT+VrcoT(b4(nVsv4YV6zg3U2DCW=FCr_@u%>xtKs zbH-)EKi$Son2^iu3XKKFLjR*97Eb84?nx$e!}KtEil<&+oEYZtI{MV2X&UmvMiYqPTaR{UvRVcVXh> zM1R04k!MD+itCeE8QPEEmz)^I-j>N_$BEexR!=7?7btdbM~dbmY+;PB-@rJ?Kt4fjQt03dzbt#HP<*Y65SJd%PN5$R!& z@Hnb_$N-bb(3nDj`YIx7nH&u@xtnJywEUWyBz0KaMlGaoQ=rp_j zUQ>$gqL?PPD^s-dlFc^xGty=&P;8Ut*sv2*pnAiSM;}pG2`GU;j*H&Hs6>ifs0lWW zjG-3Bp?=LUfi>=qO~u4XJmIc%WS-Wlfxc+}MX&0-q*Ir$bQ<5yV=kRxdI0rQ2F`rr?Yf?3z$oF8z zuz1I!<1AKh{ln47K;B(MOiW+Dtlh2b)qmIUVAlK*Qd`<-HGCk^A2;G=UT#-%s-+cl z%dpH1a#Pu$HT8aDgSkW6E^k(b^6HAJ=GRlx?cWeylKxtL(Rk5(DfM@d zcFiiY`Z?n}=K0io`#bt|<+}c%**PsUI?F5deSN&G_PTAR?6y#J^8L2$w)wo6->4Vz$`@Z?yk4*nF$_f38hG$UQri(E>o{0%5 zD&ADK| 
zAkQPTn`5ufM%&qByZdS2RrIcBBeA|5P1Od_xx>i%r0K<6)-M^DsP${+6>5*@aQIe} zM3C2sxf;cgD3|U3%@n~Jh3Em~m;2yD#LWdbbAh)qqb|!6?6YpGXl>*2KtoFt8>6P>4mDiG`tXlUxSM0FzJu5yjbX!|kjs#E} zMa^va=zWiOpgW3+EErcosBErbT-C)rx5kx&@3LC)2uE#Zw_$wo=#0{)XI0*%l&e{h zcSY*fdAE+PJM^kos_)@vsC$v(t@R@?BUgpCxGH|Gj{Dg_|K-bnj?NK@$5FJQuR)^= z(=MQ|(FM%5?~WpG3j3P9J!hk+IebA#-S}U@xN%i50T3!tz?rwXJs+g z*Ofdl@JHUKe4;FSHQY$ul&f*GLoR3qD1UEb16qG-tM;(`uyWA&q`5!!aP6pcOgUye zZhj_pw01%{VLUH9FYLW#R9xG(u8k8sxVvl63NFFj-Q5a@;GW>_?(QzZ-CZlV1_|z( zOV&R7thMEwyMKKDzT22oYjaS8$sB!DuU0($eY@|(^VO02R%Pd}^F70b1*=LWMSE$5 ziSTt3;GQD`;OOmOU)dPixL|f;P^yUECx5sqeqAyIFrI_=F~cHYBl=PU?3bED+a$= z3v<+(u|Iakk^{g)?`X1X*gf1VAMkkNXZpr?f{DLJKz-v$PA)sWme+^!4^hbu(|*zl zV&mV?*S>^Z5aXv(Y$c9yN^tp99)MmkYIA>jWc?YzU~$Q8N^)`B4WE_^jII02q4n{D z3)Q$yN;UQ|@43)uaIbt!N5;X=@fSD68|f2OHQFR+kjBGhcWRr@PE=2pPJMw%6BeK{ zBYZc)!WvS{wi(n%?{YilC>ak)iqo2ffZ~09pgaYvQpFn?9*niTNCc|$;}ja@xRC^- z;PWxBLm8s;HL0I*-46>#pLiWyZ17(XLq?x=K23T;ZT$k%9YN;!R~u*6zq%R!>EisK zSe{G&v*kJCCp(~ttP1=;`JR&iSlRz(a;{>hYHMk1XJYy`#PPSG|H1eC&Bgq`e9z&v z|L`~eN6+!!lmBi#{okI;Z&UuSp5rk+wtXb;Mb5kih~kBzZgELfOUWLl0cG(h-8D@y zR)W@E=Ns4|@lt$0{ZrkU83bIB69W!edJfttb$X>>47*3%7aI&RC7(*I%obxW z5bsvv>`$L@1f^iQyV&X|-b!)I`uv9SykkWjeFFMkR@Dpjjh}mPy&-xMAi|A1Plbo% z`N+@1vbfW|lbe)_UeTHv$#%t3Er=3jYFb2WVj8kzBuNw6bufhOerfVBM|jrRBruSR z&|AG8Vl;SNsE$;Kw92jtGit$eMpvs2ydMj6@d3AGw@3Te;Qnpl|GrRvM)!a5=>DIA z`nI-zGwS|ZbblLlle`&qbNn{yX61Y{>VET*XJO{x`2W?`O{uiTe!0!zO z|5s=F-y?s&`M(==bG=!L|F=&!fR*__*fbqlo^C1&jryKvY|*?_sT8~r;FA>b{haYJ zoLi`n6l{`Ic@89k^Kf}G??T%{{Z!^Z36|nD6fKnbVR~s>j*Z~Z5AZl)2*8Vd7a>A$BzfyhobV_`eQ8Bb`ebTt7_vCQP70*#_Ymtv}L?L8aIi}4m zp?eBPlCQl~5J!lv4wGNBY zx`lX!3_aGozG=V&LtP|`jeZTqWO%?4fBuqQd&aGn}!VaY;gV>U)D z=&~?!q^0f0&yV9BhFj9kkR@jk*;}Q~!)+!Y>ma3|yoYDIv`*cR+5g^ ztWa}$SwzD#88Muy8=1oxVhAKOc_ZWa@Ws}jO$OxHzyKX}E>vwWq{kTKO#=0e4N~sGE}q5O zC2eO1h=qpy-~PKDO6^1GBa4jrV`s*>xElSHDDctPh*0<41^PDCr9VI8qH>hdQ($V+ z`4w#a@D2h+cyT|Ylxbs27L}k&s)p60^ODa6C)rK-RK6rFYv+{g5Bm-9i%<=zz8n_} zE%KXdNF(S(2orgu8H(U)o)|i#12aU+8C3FoLineFbSlK24S5mjNWY&k%MyJ;*{JE` 
zTOJ!e7p{9}2$s;VL<14A6h{(QH_&nY`7wCg)x-DtiOpT22=rbUG#IXmxPIiN#Qsn3 zGL#8mT?zV}351<~ABqG+1(a{S!i}eCF~v)S+vV5%2sb&L4KhO!M{~8!_pu*523!Xi zhrc)pI1VYa@uwwFk+%(uk1JU<4@2vD3$_chffI~)s8RYX7fS@+fyTfs4A)lOabxG`YX;BX__8gv=?NALP7Q`PpEey# zm4@>Ed=*Dl`mXQ{+evjtdZNMc#V;kQN?sk5W{W(f%%acQZ*gcg$+>}`L4T+cur^s- zXsK4OlHI7!Ztyye!8ZPt+bG+#w`zPO!a}sL8rYSR>&VhKzZPo6W}RSkG*QssUKUAZ zJ}hyRkhj!OOxx;eAqg+u4eaGy6RGyeLux7cGh z|6NNa7-WuNgtx-o+XH)!)$9O;vn$#FID|1zs2oJiL|AwUo;}K@Xg64Qo)!5f=h4_E zDa0z$W{pNz9r`j#2pBgw54g8qJQzM98s)h%#0l%BoFDiBtOZWFQNJRhW|94jCa=Bo z_wMFLdJxR_ZooN`QD9R~T~8}%-)Xjn!q2M@u@>zjqJr_{l7y0(l6edx+4CtB8In~L zMB#U-O{0$QeTy3Fo;#+CbLU87xms7g+w25GlrjW9zAbP7G7GhoTtdd{%0O<}YZW??HkE8t>6tc?wl{TKYHN*_M>!&)GogMoe= zvImMsX7?Hx1HbBL$m9{$?#Q(ll<7mTQyBYK*k38_bzZ*wuKR75TzmEL4?pc+1^GW- zK3%%&=frg(ykvI62#P&0X-Q2Y=}>X`;m>sDU$6UT>D<5l#;_H*=aX;mj<^%%|9-W5 zo+3|24+Dw~pptY4%QUF05>%J?8Ip4XYCX3_Y13*z z60WJNdJLuoobnKCy_6Fqr_}=wwFq7a2GZMEvA2Uxp0xXPBKwLVM=rK$l9*~Z6>;Ic zzb(Tzc$Xq77h@5S5(ib+BKS)9v!z!+-7UEHj@B!&_wW^?d573`=)+o6@oJPHYgfeO z%)y)Rg{HkfJL&A6bK|1iYsmN^O8koO2_&8XTd4EvfOjbSlHga?4>zW%3z@8)b>5+N z-k}QKp*{Cm71Y+@o*}96Dpj`#--0oR!M*$Gz5C3u3+v<^)Z~27UWv0%=1U@#;05Vd zVg0<0Q~ZTwmPs#P;UAc$Q*g_IZk^!HfGDc95Gv`M zq*9I9X+%&%SpYs!68Y3DuNZ3dU6#50{Ob@9KhdsX{fk}3TyRIA$NMsiVUh27q^hyuKym zOA4`QQ~9Bzmy~7_MFo0zaGV|ebS5jeN9KliV`VsPv-9###-GiOd_O>d%6*Bna(uDEw&u%y!xq}D ztJhH$$W;wqXdhv-@*kg0+#l`urq6#IbX`O&p^bO0HMiHMnp(-|@BVSNt1%X4IuGr}OHbgGYp- zOGnaS1^Ka$MpHm()E9d8rd%g`?beTqfG4sCIxfFUY#zRg-ngwM(%Awb0Pb zKSw1ql1sCn2XS!>n%D`CV`bZ@xZxvu?ksE(4R&sf<3)6;S!rytcBbq^)$VFKA%(XE z;ie+ZPpiZunFem48qZ@y)wTd@xrT--knYfo2hz_bV;g*~)+Q#{jci;#yO^mC4&1o> zf)Z6REnw34!RKn4ZQNt(IfQrjaU2eRD#8Zf6&D(9W6R8xv6F^DRZz*2>Nr+PgPkq$ zt*LzYf{(H!(6CXeR1K&og+fi>@gA1ok0NsK7L^>{GoM_)g7b$lJo`Q z;jzc>!#c<}=yHL%Er^3X$n&SloK84PGW)1=nyNsUo!Tn-304siW z$g4iGUl2?@Kp;d$61*GUB8L^ujeP;g|vF-w65IY-)_jTgM$Vw1iJnk#y4th*FUI}V81yjBN3+zcz_<^#TJibF` zswB!5kQ4I5G590+iAi$5KyKtUmbOgW^rPkeka_VK=-N$SB5&~C>0F5YD^ZRO0}@Kb zm?o>!P;_^%)wj&snKN2Br$eDJIStDKPy^X3!9@PYWu4D1UWmF<^cH-464BG(+@q%k 
z-f5IXxuFeyYApC;MxsW_&z5C1?djLR=e>JFuN)olHScS#JFA9HU?Y1b5G=FUX~ni?u_pp?GrWL@#V=hY0?o? zSo4hV`HMG=T8Kd3rLuEGXU;DpQ6P)w*Z@4=|&kWj+G(%pps<9Qv?zTUYuPbSN z(OVUhSNM==gq75<1Y+Jd+5@tBd}cc~Ccdm)o#-?2U$$wb?_~1%xMx(QBWz>Q`o*?z z;+lXkPhi&EIU-VQOsS#5Eb^yqJ6+c}N@#gMuS3`V(&^G?%MX_347f?jFdH}of{TTj ztngc%LEjIlcDaL|NIHg~#te51Eb-b9llJRBe?~Yq6EKRdr3UHU!t;#t8&WR|xBRa6WY1buRi~X!wE1BXWJP{aF1@kvo*-K2DP*U5qr3ci#-V#_0N#4$ExAQ1_?a zE$0*FQ_P#jlJi0(D|n@k`eN*!w=>jtaw^1R3k%#K-%YTcR?hmEfq%7)VMoP%?{KU>gilMPL*ShUG1kc`t??99@aGk*%L zu7LV}qVC=y-BNjm-_%Dh(_V+V!J(W>Pv?vIaCE`kd99Crykzu3IbC`+m*pg2x`}oF%(dK#Jn+eeczOF4fjRqA$ZKz|w^W=bXhDni%*=sExJ!T2 zy8rCn8@Tk5eR%fkJFM+OZYtz+;*HtJ=pKQ+^pFPbLJp+1fG>J<<$E+x-qQE#BC9@&9^@ToQOENIXiC-T7=8ei0Rp{f9V_!p@(wxiZm zbdBz_x|?@r(0bv}gHP`mUt{e^h%G6fbnzi9SK@_{kc>yp$;OW!7~DWCcciS;A$=@EW@%5?CjexN<{N^tG=y*HBrc z)pL^jCRYd09@zBe6pQZk&nt$-{#D&2)kV~`JnN%*C7L1GSiBnM#hQ5Ko7S81r}cNn z*(bs>#M9ZePW`Gn13>ulzJtcujXkZPV9EIqSBS8)!tjfN3iRsP>~sGKNseWGBJs9& z`(k)LbuG)6s5>gWoaA~v*x`^ssH`B%6jfQbI(g$I@-XM?9R?(GHp}fz%9LjOk=Mo(~ccVS%TQ zA!9TVI9j=$kJo6LpPO^?_V6)L`@WVvUb!G91D7CX+|zt4ntY|_vZt?oD@QV_O4%C= zmNA{%B9@L;t8mhJ=n-E}xn1kWIE(IMw%ahzz_QcBVX6#n^SG0H$f|M_yFM$bGb^bp zje97?S+6zPj8G2D$7etQpfgxz*Jk>})K~`2V|zx4p52ZFu_I?rzvZxuMiw!X!v`=T zL=I|h8R*K{+B!+r_E>4JAt1&DTUIOOYV8fyEaCz71{;?J?JUB}i(9IXt5V{zMA}Oc z))2J!zaq^*;0uxWA#}M64yQ+%Wxp9;MV&PJDyNZuvzPfSxmQ)SqB}ULxnfT~WM4_R$uS5G2)X>E1%Ywmw;0E5nVQsY$oJQG0R z^`2qi7&}@*azj0COIJXItl)EM8)@-;jNN*f+G4iZ!HeU+7HO~qXtik_t3V1LBc#q0azbk&X@4Y6A$(|* zW@k4X+d`6cYWo&96~AE2c6?Ok+IG}Nrps9C_5-4M?C|txAay^WDvG2jw?AZX`>AOc z=f;&IpFUiJa{tYKpXg(ov08NY8jHDY3%34{jw}0D*-1B>f}&Px;yU~4@Zq=j*^0zO zr2$F=x7J>fkFC0gKdv7`xf4~CG0RrN&Wy^Ka=&nkRkCE2IMH=vecBt2F7~pPk(PMY z*PK=`m!Ef`Y6uT%IEmpbG$GczKBtr)%xKxIQe43xl4?kUc4RSBi@7lZ1jT$0Yr8%nVK2f@4hh z4^6+g^Xaa*x{k>YMOm5LeGkp0x%JAWccJB+Z!Jq zO-K;!IN*M%@ru%tRKwWKZSUEXn>Toy-;VAv(&PO|n6J=jVxAZIg%nVuq4KXl<_&B8 zi6s8yG5-l|lcg6n1X>z7TK=t5>YoVbt*!9K-{^zn!(Z_l=ii3@uXydPt?*m7(tm2{ z`+M>~f|Iu={RgB(_y2Er?f1g}eWCsg=by3pTde-l0{5>`{O88Ezj@jlk78tFVIyH- 
zW&h37SOL25A0(aM0&gs2YYsGhyW9sMCu37vXA&+BR+10Duk`zbkrlv2@@z#y{PoBo|o8tWeZr>QHDeD`c z<$9Z{^beh$e~od0_yhwYA%Pcii6Mpx8B^mmty!7=;v&rhT#+q`~rkikQPTjBb(wuP;vrzkv zC?SphceSb^{SHC39%4!25k%g~^GLb~JJc^UkEz$!f%+A`LTO8`P}V+N>kC*ng_Z=p zG}odZ8p2mWH&O3r+I+ZtywvBDKixWCj!mPQW++*?4W1_qV*&c+_#Qil0qx|xLCv{# zpEizWKIT-D`yf5iUBA1=JPOkE^i4z`x2co$y{$ysw{dsCJ=9#!Mr{~mM@(fAPr(LtWS|;Ocw=OEvwX*8Yzzy1<3kE zW>0(qAS{oYvqewn0QP`hz;@uI8C!5a!Y5<^Y|Ap{%Kc_|>7M}5 zz@j>bdWYH(^Y|gEHI)65JgRGO{h8g(BL>#k}P7n1wauf10(~9)WDge4-O6wc8eL3dqm7m z>_eq90lMlQzD_s*ewkdcrTf-Agib^QeGIPn($AK?#`f_6`t=WCZ}pA(bq@g(8z8UA zeLLXm=>7*Fzws4qy8N=&_&zy69ON~;4+%J{caNTE1Fjoh0n(e7+eh}10M+&GkrU;> zs2caL6JtOs{FW!|xUT!4JNd)P!gFw5YIGks{8cXa=KdLWR<@QOJ- zc$s&2A1wU^$PM~wdU8{NovD3pz*1dn(8L0;%BVhYA`w_+;KY?awyZO{j|RZ5 zZw;CF48X2y^^=X6cmOulf=2gw0ouzMV`gmWvcO5hxj{4XbR?h_sKUHHYC;QOyH}mU)AxW$wWa3DLuRz;lt8TdQq%enS)_C;fGUsieD zsum2hFQgV*L1CF&XBL(wfk)d)#?Fk5geQ>{&yY`dL*YUpEexqs()z`OMUruZEG})@ z&r7AWs3fc)t{{LyaGP3FqR#L8M6m_Yh)$d%8gXdyE-;RZf+&tPPALvVK}j({Q7>T@ zH%^i&rzFD4Xu{Y}051vuY0)yID6U0#kxZm2#)X?AnF+-uKVn!B95&G_iesHEw_(h7ukU~rfk48!23zO8x5x9=9S<#tl zimn)f;yPcYYqk*q2_LctmIN)cV-=rwg-M?}iw}6>>?AvL>#AuV!*+2-l2vY@M>c35 zxJEW4UZpOv%Pw(6vz4ylM2X|QL>v=F`6(X!;?CmR#V?sgcvSXm!q&;$+2-$nGJBB< z8(c9)^9@s~eDdgjLg)TW4ydv_% zC6QwZ3hKlqh>CWFDNy1FNI>$lk{ox6*I*+r6rPf|Uz8k~4;5%knF<0$$Xla#_2N7w zPN^)ZTj>)5+BzMnZyaGqZ0XuEcL8zQlD4F+sk>Bhx)dLk%y~+a@g=H?>y9O=C|iSe zt*q=ZMR_EuC|UzXnTqw8$XgRenMhkxcFE#SD6o|#5NP1zGUV$bP3TA5b9ce^J1G-% zz`2r5oM>8MW~kzvK8+BG*yNh<0uv&0cO7DoC@SZ@_!_mv>i`KlU+Jt%9<1V2Dd;7& zB+?|)N{+>>Is*zw6LdoLl9bKIO3e5q2}hLTC@I2Ab>Frno+c7UHC1U|S|SA|1vr|( z$fr1H_QMDEI(G^u%h|p8#%SbSO0M)Eo?ztNT)j8zGfA`fgfDR!DH;wml1#@H3UTcQ z=0R})VY4rBbtH48Qm7*h3TT}YG+!|=V`K^ocoG`GO{)}U)g*jqEXgT8B+SE%AW?oJ zRhG!0;G&2Z4!zgQ$q=0>PzXSo5s8D#g>om1q#i-0lo53{qv=7w#g?K8jwq~Sp~x48 zOO?nH;t>Cew%acjgtm)h2{mGGl_e@ZOyQtlUL22@Klytz#|gy|NyU`2e-SC9Q5%bx_ZdhmtYoz3jw zmxxt?Zuw2|bI8k$z%zwg#%;UqrA>N!#D@<(*fdW(+fzLo-TFQH+gKp}@bX4)cz$r= zz~~qr_?P!yVC&+~MAy3K$Zq)Urg~PMbG)OsFxM_lnI{}hK_{yAP_LNveYdP`a0Frx 
z;lmvURn2@TzX+b|&!qtsLeV~PE*vhJ;z~I zbT{SfVV99?VVeg`K(=4kA#BCc({tL4lD^x1*?{wfY$1B(zII`J{08H#8@Z}#0NaA5 z1I`4SoV!+da29uv+7zB|4q^(^Gg%?>PCw~ASZiV&bY5v41g@A-t~8Cz?Q<1(Ow`ZJ z9f79Tk3ua~jkGE&MJtcB-c*Y=E>vP7)pr#)71sL4nmd|%nroe-PTlrdB`iP(xyuTm z-NlziibnQk9A68?@7f8^Sf(c7M(-Juusp+Anm}_0mR5GxZ=XR2o8CSz0`nH#8fHlF z5)UR%g+1{q16LJ(Jc`v1boAD*&P{i&)>jm**F!<-WONKGuXGM8$LsEu+E!nxn5nx# zfPAKUe?DYEpIq@>)s68vt&H(?0;_)j=dR8+q#vP^)^$}PHtP6-C4R>yZO5PUumB_5u76 z7_S;s7<*`n`!q-Fp&-$;Qn#ui;M}bAUU7YaPWW;Wocx21U2vYx?y&-*yQ!9vq9oUV zc9R`8q*HiCsDJ2`psWyA6|tE*Q8C-H111_+ z{!M7}K(21cQ9;@iBq>3b6lk*mTmx4eXX50*DD*sRe z2pp8Uo>T(@9E3r?nN37y_y{QSZu=N$R)5G00ZJM8>oTJ~PK7)0_Zur~veB87?$K-_Rgwprx3jDA1(`~+~d=7Vy;{_EJ zfYJlI>3vS*hTRUi4rAy4u?K(Cp)PS-QihhmH5NV0-UTzjH`OizqBj&@`M<$Bl9#HLK5#S z{p^lHO+fH`wy5Rj^;#9E)&tzNdJVT;RkLizigjvJRbnGBwWvH!QOgB9YNJ4`A7PBk zjg>~}oWwl0Lo*K@jRD&b4y3maWDd3W>?xAiCsU|$hv&?q3pwT5u-KYVok8->LuGtiwxcB*nC<$e7weF7 z1&7P0Qa9gk)Hx11W>yV(T#OELtoW}s{)*#k9USoqZUI-{l)Xi}DI(k9Z@f-lhZ5Kox6PJcS%Du+%;MsXX`u{;9X z&p%W8biL_y{7ANk(o8S#!8MG{{8BTXN)9L6d%vZYJjmP>c|w9X54ow3ic({Hf@MarXgK7Y znY=UG{F_SiMwRJ(V+~?s4vF-j6C3oZTJsnW^!@Q1PvW!euHy>?UT-k(oWPR$Sa8H7>B-_6cW_nt~sPBdGGZJf@o z(pv{I`TD38&7z`b7VoQyo12D39pEhEaN3l7pUy?htT-5Cp6AHzBatz4*O*8-g;%j0 zpwv_Ej@XM>rhv2cbC z)NX_d2FOe-1y#PVVo!(lxu?gN&jq0kf&U}809CC9lW?dyelEa5(u%1PfObH!*4Q#%{xP>gT6%QuOIKZSBB1wc z6Q`(-P%De0U)_hs{x?CBd?U$5#1PaBIY z<%pA}iapA`9g|hU0Y7PwgRub$c3)dxssQSP4UNOj@oUyKc;1f9F*R)$x%+aT{6)ia z6izKpDcaO);j4o3ujgY<6MWv|%w54x3vG^Pyto_j#Wdj^pW7~4{Agbz-m8cIzB z8KTu%n!fVtbl9$Psk#a_YX3Yn$f<9uBwOBchQZf){SMc{6kuhjs=#<7*Sml8F+lBD ziz`V)u>d1+FONQO_(UPmhLTXuRNJ!EwM+EfQxmJ*u-^v9lan{0u)_YD9d>W2IT9;< zd|j9>OkFYPos5U~u}|@P8xPBrtm&OmIne{IvM(8AbUa82^#?cHtk;lS7r*3GJ_jj= z#(TaKo)l>Xl<_qbH^EV2X*vpS3I*uD8jfG*Z9sA7_hnL_?0l%r4-`%UFEzkWb*wX~-=aZ_K^RvVtKk&zwg^mPEf3^f23`y*mxX zJkb9o5~=gh%Sh3P^#g~9oyjwi_t)Z+RiICHyJrYSM!6e(TAmzMnowp0s(8QEjFn3j zR{s8|SJe0q1^!R_XSpAZJf=SJ%{!C!)tJ z`gm0j?m4UFqFm=W2=duM9?FzH1;ti2iQrtwTRj~z>mKm*-Yv_m!YZ`$dDFrw@+c)+ 
ziz~y&NRf07Ra;-?SDHzuzk8)kk)j;wGKiZrYqKln$W4>6mQ0-^y62#F8svEdwL2=R zhRbcxQNkOe7wU~_pl%zuCjg?ubvI+hSsPGnYpuiGd@DZwDDh^;FZZEtL1gr zG6hQfi#eBH=B7TjN%I>lSP}-MmVm1|BgrXWD6kbspNkHKj8RYM?Zr1T?;5@66}>7_ zI?rfJ@)zAq1}24GYKKNBREfVkN45%=L$dZ1{us7)&zizdaBzkQjA%dmP;2GF$);GL z9?N5d@}2PrO4Y}pOiTx0( zQhT4XP+A8YzDk%OLM^oAa`b>7GFdklqaB~XDo4xb z>)^#tf2)p4{JsTs@u;aIB?m@z;|9kymJiPx`gxyxRA5xE0UKxCQWQ|=fwvbzs{ucD z4pEa7xrU;}6TQelHnXQ5%Uf<7rVBw{BuZM%f@oZ$>5h>IZA6gx!upt3*^PefmMCv-}pI`IDPtAO#7dRz0YI! zR{G#}#3No08l%Owsy8KHCZ3L_oh!ao+g7j`d1kVZiZ{86E$ne3#jYGrOIk(c|1uof zLXGM}cHY6^8ZD+Mpgf=$z$GJ(C!6o-Lo${h!};iOjT?_-JY-T5xP$0nJKn-ZjW3?f zGHf6sJ1PSh)?gueXk6tir|+#1nn-2i_EPwDPvIoeVkl^3v{>LQeYkop*#|3zM@}BG zRWzJyzK_gQ=7i)!&1z`iINB`|PwQYHb=m!8xXQI}C(0L_=uTQsW9@@F4ms827_Lz} z_ji+b;UNbE3E$7ILoL5LZ9i%B8a-;DDapi!!qp02{cy=l<`ukUA>m4WJWBJwN%l;5 zw@VN4iw;|P*E)#&gFe4h+O}e{Euwy{~_0Zr)d0R;s3r+f5!BGL9YK2%75mr z@Y;-kH~7iO_7U*kI!3_%sAJ?}=J+djWqAXw|IJEDQ|H3?wFH84SQ62cbwP6SI_4VfLEAEGr}C`!U{SZ=u8h#=zhO_hkJVq{M6` zp%aL~3%DFF;|(u41o^dXjiBeff_MZwKj|6S(y6?_kW_*jD#w~Yr42w`6QVE6P{Dx1 zc*DftAo?u>%_qyIJd-e{?5+}p;~*L84{9SBLL2~_W%t$kzOV4i_88zd4!t)JH?=D- zSH|{O2KP6|>WN^GIxrQ)63n&WUsD)*bi_&+P$2OkQ4~Z_hl5)`B?w^@;PsnAe==aG zfy8`A2VVvOCkBHRBmh4S`^s6v`fR3Pzy+oP4Hbd-N#O;E*o%l5MY36aqLGmL);A|1 zJANA zrxfznZ1?xw@c*hdOl?h^oE=RKZGMON_bUhRKNR8oFDc~T$MfIh5e~rbJi`3(EswAR z-s(5lxcki2g) zxvE9g_yPw0nKo_B>pT*U%Ak>^Hf%dDKuS>?x^w@~J(sPs+$>oL zMy=MWV|?88C$bV78&7GqGd{TWI;Pu5;L|n0?c{R#TT?`b9c)SUPFPb#*4NO>v+;vh zXtQaDI`G}T5h3tzu@Wy54;{3z9`rM14#n}Z53f@|a+{)i&$CE(F*Cikt;hpx-C{cj z9kX;4KyX2amtf`TD~Zu3edm{x7$|0OdvSCUN`7dncnKe)){5?J}Th^I)iB_vn zh(}i4*SaMW=Q!*JY`QtN%+0sQSCo#JF{P!AT+7f@a_VK$ujdMYx44ND6vxSwX2l`U z$*HZ78fKF!y*9Hn2G z70*QHeLWkQg|0%UP+bV^1sju>_yaKYI_gQMn3*HBOyV~h2ONT2f+Wr8t(ouEHxHO6C3Teu!BAg$`oNJ%C_4({@k-3$}SO*Ta~+VYcNv^K}M98|)FjYS?g z7P)p1oJi125Hb++;21M;40KL}SWcFikr0r&=?`YLnxG20Js03Ps-h55N-7f`gVcy! 
z{*bP$55RP6{fIFS7YVHfavFRYTw!{JYM8?THwVta@)ImmV1^%D2IL!zM9-mX@mk*N zVgd+fr zLfDO$15P3Xg4;cR^_w~vt$(B``C9Nw;g`Nwzy$XGS*819l^rkJV1369DC&Y?v%0M6 z9R>sv5wF|WEf?$$f>bBxs9E-6@5y~GBPqJIrTFV4^^}Hb^26NSVMR>k%ktu@!1D?? zH&ns5R5!~7V2sVgv9Fic7!(FZSs(qwMh4M>HFRfpYscMpGl z0tq!e&gw_B3S(J6J~01pC^^sIbKLPf7Nba;=tW*cH4PgGF?vLt+G06hA!ku)*~4{* zRl(E12*DDg!YDOdlZPMQ_9Sw*kRMqR86&FneZB3ibBSwSC%Hz3pl_@%_AV=CrcZcB1bz=9tgI_|vN-^oqi) zO@?=+f54wN`K6fY2`$+>Y)sF_ybaeY2M;}(qgL7IcEtF>gmgo06g=j(cgr88W{fO^XY034bu*#EnGrsEB zOJ3@u1))bf&QXY6kad)ASNVFpkpk?q1w+hn*?hIVY@nM}*u)X&EKMUJt|}ov>Lt33 zDrdlmu!?s-t=(cKq0fs|6BOh(_1)B_iK%I_S*}^ng0azRk!5jaF}JA)5NwlUjlPH;Qh1I< z9Od@h1dfjGlp`eErl9Iz^oTVqaP#v@TCvD23~A{ZtYVfHz^ZgaqD|`p?O_pPvltnJ z$#tVbi6$Gren{5tq`p;&hb%bKhK8yFhudI|6 z=V5YVD>AXKsq)3KD7e@k=99j9K6tDXRUGdT#)M~u z7HFbiO0m(I@D+gw>H!f;y#~5@?GnSO9zt>W6z*{9_6%Jas;%I5T6?M zp}W14%|UyUE&qzz$-eLGqM4>e(W@-7s=NRrp2{t_3jOox1kZuKg!w+^2j@B>f8d%Iu-mT0c zRP;%07ybmf9`7?%+bpkqMDXRIv`;HP(P7o+@>rZx#8U3b&s|yz+w


7_Ccla=T# zGiCFYoJ+(??#cCCk_*f7%rbXoG;o!IO*3n{-3aTqy>^2>iZUBtSY8@m9vx9@wn{K258WUIfuI(2mxUP<}u00|ME_8`S+_Lxe)iZ+<~o{5mQ zQHC7Y?b#iI3r8f#Wgrb156P_d8&qq6Cz2s4=wuinQZ&ejn(q7Kd%OJD_vg5|KfrKy zcOJZv@0~GZGhowZGnQfc(Ma9%KV zaAk1m<4rFu&^E9~DBkQ-?@M6LFGtacG8AIIAf+dI(1bFq+h>_z8} z&vi8QlCU{6(lu$Izrq2qLL=Lj4b>zEDj$NLoP7;&oaCB{=Tq7e8-&j zb{GXki%CjPD)X$-_2RX8KPj0hyBM|6$?pCgy8G~G`Ww8n5!!h+A^R}N48vR?+??-H zFVmD{OH#xPAEt;>H5$AWj#^=0^?UObTWKMJc)shAgsPCz6qp?#={bCRFKBKCzWr7n z8`T?vRZv5Lt9Ja4`dfbXv4t9c`G8mP3;u7MbzJMhL`7fUe%)eiUF5wRMx=TBu*)uV6g>Ooj0fB z{v=Y?dUkr|cY#dxW1hRET7is=og1WquRqb8DN5=PvLy#SXE~N&_LD&NzHPFTc*gxC z7p0mKKjf9S0}~Bokk-W>h%hUsUzT?Fs)x_G8}N>a?}hJR9#L~(?3nC(e}T!|f4Qp( zHY3FI4yO@@8=NIPYMAA&+vFcq4iZ$xb5%W)8+|FA;h*iD!7G?$^zON`g5wHj=GNb@ z;)BYOwj@_*wLj9PT>mk6MErOSyYr6m7B9i;lBhMxQka;BC+Yb`%WMf*BLAr_ zZpD~LLv*uO%{{>5yQhKH6}B?2LWV-6qEx{puUTj@Xvd`Q-S@e67)x?d^1Q{VQ9f~g znu3~UGXS;jhFXnp{Tq6gHc*bcvmYGVL1=xeBZ4I<6#^2y`^R{>dJyG(SWT$Y9YAmH zNg4TvOSFn(V$->c((kt1>5BwhU6D7AeW=wMZ222Yo;e>6Z(4b~O_e3RO;AKBk@%3F zI=$PyP7NvcH4j@)u7skP)gC&X7N-J+jra&y+S~4U6gQJDCvYyi_-cB8Ka-hvD5?B2?`L~F9Rzxi1g==7n{;^cM*HY)a04=fm? 
zw)%|=tNPXXQ3-}r8#EvqGn^W1>MYh`EtQ|G8nj@!uMT>2;R-(^aD?4ba7=jgdJJ-J zqxY%*WORLG)f_0yF06mm;f|!?RqbAlW`9I+BifkaZwq|5S?q(~?smaKI_>A$3EaWB z4tY%NLCKUYc#Q8Kf!uf5FS?1j3Aph;k@Yo-o;Q_)i~Z(g;Tx=|Y?FYRCP z(s(2}rCg{R_eD81JbEB#o3)in-X}Yi52V=K8lAphcZ?^O-;#=>T(&byA?O8e&Jurv;Zc#9uPx`S0M2jX!$)_Qx(t)Yur{9110!?bUbmlXd|+nK zjLW{tQqGI3+hbgI>4fJSu8!^Fmo_Tj)n()~5)bONGnD8b2**T}2ffNbJi}B+6_96Ul{{)PvAV!-LuqP&!P`$qLc{pRUjM*>}?Ykn)afi(b}Ntw$q( z_}TndkdnT&$1mhzt^1JdVRTLLBTwsf1hl5AMjUEkDE|@z+IYXeAfB4l$ArVMfHu+FEBy zr+XD1g~q#CuGv)MJ3>vaFHrL;r7Uv`Zr_geSzBntdBW}-b=gJHrX@`LXcXH=zLr%_ zR%dRx-cmNeoZgGOK%GVhqD);zd4PWy7D-8~JL8xdDm*9LmNq3*b(^1aDH|H--l+QcLBX3W9Y=4;p(sXV-=9&y3uvmbFREaF>SE7p4xBywEx{l8-vGz2Zpq zs$k@e&T;M7UmFs?tbS2_J9(l2)Dqk(1$RU7t|Yut0Dk`v_{lmULR7U$(M3HF%y8y( z#!9lKNBHodzqBgev!M$qX)#;nnH=Fhu~-#a+}%-#+ZxQaWH`>R8dL{vSOzY+Fh$%E$!FqYSm41zG(!%P1P?&+wYeBqB@JR_#U#$=!!M*)>_5T z0`*eZ&Pv4XwY~yyX5(U2BO*h?qtaecC zmhxW${Ci@)xheb-p3Q+Ny=HXzLlw}U&98XhfG|e8RDK*x zz3$Q68S`l{cxV=yk~i3Spg*ad-Ub=CnH|v3{o)vF!*OoJ0;&7iJ;FZzQ-;cD&Qcu% zPUuw3{abXRTIpiLe!??ZbZVd(uFU{=J5jgL*iVCiNN`1xD=i!cyJ__NMUe1l_K+OR zZHNKY@PMc7pXsyb5pmDZimN#+SYIn?+Y2D(Q^wH~RC`UBbIa+cuvQ9)-Q2I$WMNGr zT)^s1%B%IY`TL}Wr_lEVTkQveN;hd(2Xk!H6E<%3%jNp4yYoeNonA@CmpFJ{^J^p< z%Lowpa6ljCgm>?Z9#Pv0quPG3JSK=N{ZyO6uW;ou$fR!{T@!T8DP$UJZ1&W9$CudIF?01A4Bj2WzkC+?lv+ z7PQg^Ck2zcA!9G9sKf)t`0|bn&h8_fIxjp7gIT}f#|=(zAh41mrrBesbff-lw!aJb z!?r3d?s&wq^sckI5DidB6JO$ZwKyN}nlxuXKf{l~DK)Q9d+@75my^4#k|S|(rbi>_ zVi+h=VG#Pk^qw-vUB~4ahC5Lb&d+oTr*8+3mJ%xF=v@VV#&-ck>Vz3q<}a;q!ok~RaTxlGXl z2zJ|=;bcF>n&ZT>8K=Mc>T(~*#;l6F8d`c4tGdo@ zB30yA|8Y27kI!7O5~@fH04@?z5ulYpEuaO8C}lT-5n14Hb{I;obLKGOKs zal9cOhMGpZw5b_?%poqytmezm5YmxxvsOri>gs8Qh!!I^e*5frYzkYh$)IIF1_5iG zPTUMmF@k>Jlt(a<>e)ZQZn+~{dYIN1*XYVHz+9{7)PQfsm`1L5hyKV9a(YbzK~(Ua zTnj$-)Y`y4p<9lt7JlPPK!#kx0(6Anpt`2McBx^)x05lkntpt`!vgF} zm}+g?z=l#+h0;AEkzYj>WM7L1f%jGQ58!j7nL}NGT_kGheyWqm@~tf|`l$1Zak%IFzY~Ux41cyw z|L+JxSxPx)a~(^w|Hu>m<{>|MLP3kqO`S&mX%zu5p=^y+TKJ#xo^WS;&zxkJ$SpLj^F@Giw|ARZHqheu 
zX84OK{!e+pe~kPq|HVlEC;E$??US|pzq054Xi!$jg7@|hV-tJA%mjXJU1RKD>6ZO6 zhe(5mNtR)T#D?IOV2WCo{eZuI1tW+7YL7$q3GL&`?~;>}z6P^j!3t}YJ0s7^C)fTF`iKczChzw45AsC|{idyq5U4bLn0v?y29@ z&4OESoh1TkMx@sKn~K+4=}Pb<@hi&i8XC7k#>*~KXO^owMtQr{eNSQ1PgQen`arrC zgq;@0fVD$5WPF9Xp=Wit=mn#Zitj|<7kDgUT8dK7_-F}S@{PQ#5Ne*?1?Sn!{?Z(6|B*bb3(w_nI-lTxA~2*f`wLSq8U}xR&0b{0MR}(9P6P&h&P($1u5Q?^ zv38>$PTb*FGJBSULoEM3P=iDS>io704izh>o3NuA=B2r8T$VYnAz9kKQ;M7U^NIO3 zkV$Czs(dTrH#L|0wGaJSxpHwrd`*$0)X8yaCbzfW~+9fbkn<__iYEa|O{!!4HGL2sEc~l_C3yHc{?^isNpCTNf+*Z@AS@6ej zJ(t?x+&~0#EOKmn7i@aNECxO zesaEIX859Q!8~##i`~c4EHAEjImo|&U5xl*&|)R-S#-I81i;=uC>)MmMGL$rTGcmY8ts1>CnCvJ>lzrk;g9st;x3ps!lFxfWbJV>(49M*`a+q7w9u$4#}=pr*K)9)ZgD3;c3Du4R5r0s@<)Hi?d}o6{d{jfDG%dThq_YjJ2-@7Tx5ShVSfvMfT zsl#_5^$-S8+!yC4t+Cw5FJWj_>>Kr~#x}@7{p1Ox>ws+^_Ex_w1g$;sjaOz%U-I;B z2h(jt;aY)_`gwMH)DB4C1XFq|F?Pve1ODBZrM!54=1=iqUC8c-Jd zYYX(`3XBtqH;`k*ZQweLd#%7X{PCd$s1N3o%}5Op{Wha%lDb@uWlnOe?UL3g-FR*2 zfQW(nxRs$cbNpk61MOf{2Hf%xb{%O{L=$=~m%rX4tAPvm*XL!-M;R2M-FN9@EKmrwI9?uodLlXrTBSuOc z4A~RtyRV&`UU6ZIc7xD#z`UF!Z&S0sRdFLpBPPx3H(CdGh0wnUkgefK1EvYGI3b8V z@~}A_N{H^P8mw#onw|lQE{aKB7_V&oqYmhn)(yzDC($p~DhW4`_;KzEgXK`I&DC)` z)_`2S0KzHrPB@^M3AwflpqqM*VR+@!BataPHGFs$5|a+R`0bCc{r; z@N0+e5&hTB+t{+#B=(7!(d~=w;MJ9n60kx|JF^kd>M53n@1v67^2XLlp`W4)#acJ{ zkSz?w7iM2E;o_FC9Nn$2%2jXj%*x5W%wC%OinQRM7rmb3pj3o@jDQ{R;ZtJ)X{+bd zz}xOd`ZPTzUy!F}%ROzAt-f@0R!V;{@WCQS-n_@J+tHE_*aYlvI2Dh9%bd#D(uFrg zbPt;jLl?b55J~)XP@qyez8U`wlf0N&>zj%mF1dG2Of;hVSdxcs3^Dm?jGi&dR!vU; z^{T)l0b)O9RpUS5MIwZ{fFA`lD;n8N z-KAXR22%uK$Zqfiz<9C#L+SMymh_KkqW@j#CI1(t_kXOs{u-k7r(7+Dzoa64)(AF# zEwO%!d;eZ<{XY0xx%DZ<{a2CqzXvG&|03`IDDwW#mGpn9OaFWp|5caynXAS8Srvcw zsbTt?zWY;``9J1r{c~OVPx@~B|ETYV{4e@$#{a6({A1bvQ^wXmE#$xJyMO0){Y}x! 
z{8t`Koc z-%(obKkXQwr~7|{)zE#ej=%36pP0!%HV??(=*BmyJQ)kiG>dG-yj=&#@_<; zzuO)D8M67~==Vhair9PtIRD~y_+#X6|MTCj1{T^sAvT}ZhtE&#|8_n2t3bKQ&nJI$ z*j{knpwmMTNX3rP`T>(fqk{{e$0X~Ka1z3c05YJDe}xA}6~pJHq{wUGPVvfWSb$XU zu(v<;wTYGH08sMLQBy?7RK{z~Dm_&UU8-p6q|&>1zf1=RKCf&i-F)GwymWh5vn5Go zwz$aBJ0TF=KsjA$8FH$L<+D*VTiy#A9*&~oP_!@CM2j8d7SK~|bvYj|)vo2wg}I&wgo-isB!G?%ze zYa~&IxzqIz4YzKOyL~1~*{5lZhf-vLhRAz4g)4d*j?P3RCuI!153t#;AvO@!3M>-E zO6Ua|mup9eN(RNiX2@;>+xZzYo&^LUSL!aeM{5rN`$ZBE*#u+*cTt4mixSLKed`y< z^VmR95NIGxpraK2DQuquc*el2;sgYpC)201EgH%F+Ym2C4hJB zlGWLzHLd#462^_5y}TcWNv>L<*G#qqK{qUv8?jzpe6=jE=0UY^4)0pzpt%E}pt%JH zZGz46M33C7(=4YzF|xi7h2o#uWv3ZVf!IXwRr+#6J-c9JF-|?zOhg^>-ScNasTA7k zt$TH5jV*#SqcHQ4%PzjqA@ZQkM&ci*Xn47M%?1>pIB{%!<;BeS_C{7u#(m5WL$h+# zvqMbYPBu@bPy?B;oHTCsv-0+52S}IPmw7KiFU2m}EhaBP7cZO|pOG(`yg>NSwAty1 zbClgpVpIIV-|``hM#&wd*^7uIp#<>u`6tlafu2A#wR~7bV7zFvpr(jmVUuQL-Hxwj z-3z~<0;mG40z?ABekqfOfevL6l@B#(7WozfS>rmBH7I8>RXnSEThfLuF+nbMZ5|g3 zUm$u*#;Y?FOS>nUbV6MGC5`t4c^aWhw9D8F_lgiW7rdLS2RKx^bLfg5%i|E=_>1VN zcOy{6?KHofA30ifrKRe0eg714?zqkzxsYo=_^$C!W|O0P&@SpO1TPCLxK(N(B_J9= z@H#qNhN))cEkHI8-miHA@LCzkJE`7HG=N=X4umNj2#x730r)OM=E^0zxUIZ!U&L*| z^%2Do#OOwxkV!*;^1l${l{RAOqm8taamYAi-D)$evvIdd7x|mLq5)m9TnPcW!lWIK8&|up>AYx!o)=Oz;59D! 
zP&N2dHMF3v#-XbDt+ppytiD*RS~Qv$uQIQjms+hBw3x@PF>6r-I$e z`TWvCspB1gg;rTQr>e$otW#}EFr`vb6Qk-+APgOq{VCd5pmP2xNYyjVnKxllLn*C_ zVdBb3zuvL!iL+=p?F+Lch}F4ra4SY1Ezm_YLt)IEtFFxlSp9i)xfJZ`Y|Ww*q$AS0#JIkj zK!>{7*3cp?;JZuu&(0nW#{e?jANGp&stPCd_V1nEJpuG*j-J2t+eUVF+N8O5){cxIV1vczxVG>R8SD@tVTtd9M!FC+GM9D-d8wbGfm}Y|+3a;5 zqxm0*1{+^*`k~h=rAg^J-Fj&}t=6ZI>*w<;Sm!uxHzP{BlO(CCc zo}6F7jXg}jHLbj6ce9ztK17~e1SYneX0F{YrWc#L=*Hf49H8HI%rAPZa|&OYc5WJ67J1TY%#LJJeuqpn@s3|d24Y-nPo@KPM^DwgYf9A?U?^%KujtLlb%SimwBh@u&(X1z zmmbk8JZ(9IlVep_6DI!$|ZDI#WnCf5?Ns;b&jvqU$`ZHvYJiufc}Yb zQ!?KuKNvSpoIMzo)HFB>OfcgrOA)F4n_4-sYVy4yu407g`K|4JklYB(F$(+WE=tHo z_MNe7T{~kyM~pKOjme_XsdQ;_PhGM_Ke)>g0(& zI+3_OQF{oP$?Of$xox9h27*rrno@4Jg3-CB!A{Y+glh_?dVUutHq^aNZT7d^<#^J3 zN8p*5yrOxs)kf@0lzr!Y3cqo_jY}xvD&q?Fusx=**(y`>VQPXsb@t)zeI>DlQ2K?{ zLnZc=a+qlPNZvf6LBmzlHBen1cypO`5!48Ps<+6pfa8ev4b)z0s`OUtwlgSZPe79Y z8}``_@!C)-UC5hTgs=eULZxgO3eXPKaROzyN#VDcxq^)VpyMlHKqcVX78eEX?P7*6IcfwaJ>%e7v%V@YE z-y5c<%@7T8nUOdUG392JWs{!hu{3S>eVv1Td!ln9xX3p2cJ`A<57HGhE=(?zH<2GR z5k{F&$s@D_@Z|&Omc6f+Ij+YtdxLW5yMedl?h#BM3_1jC-nO(mfV%4@bQd7#PxRQy zirIEI5<#ADJmWyG*l@pOxF=|SVZ8!mB85$Bh0{Y>^3^K)vvGdQKrL}X+i!d1VM8c< zw_!tR452l!ZEOSk^%VTd>yZPlpJo$2Q)H&(VH#5qUjQcIDn2OQ$>46#kXk7mFd%03 zL0jb}h^K&IE%;FbliG=p3C4h@3Xz5(T#~h?e2W6PsJ9J|oXR)m7kdjWA zewI+R5%gG07C#ynOrOlW?M_s!zDC@03(O;o)~Bwwg6jPJ45{2E(xy|k|8mR2TAo0A zw{lpRyP{{MT@iFa=G@0z|4q<4v*X5K9%@gaN@vc;YV=3wVs6g>Tk0 z&G@TN-;Oxjye|oV1zMez$xjU7=yW*Ywbb8!!RyC{n^m<=@{F)A?t5v9#&W7`3uw3o z71&d45q%9B2&Mi^8CVnl=xzMP+SZI##f;QPA)6;rmenW#Uiyw%7+mU%bz_HfXH64- z1r9e$xx<|@fphZ|x=hsXLzA)Z!It>^VZbMj8 z5F-xwz}hCI-F8~M!?{VZFoWqK^6rg?#;q!VQ=>L_?K}M|L`qVy4_2F{m`Tf&ICe0u zP`o$9Q%qrKVE)lRPmayJMdNTk^@frvk1e;nfNmPjh%$!(tyK+gBft3;*YGO5O?g_N zJ;(URv9UGp6YuDrp2N&3=0?>~j1wLGtI%5`TE0}X+;Z7x{QWG*S&HNI z+bwOoSLHCzZmWVHt7f24!_P|^)bC9m6gM48ceGUrU&)$3={E|a0dIOKcVvbZUkg6sIAe|2&?fKZ8Cq#LaeZc0a@Zk z+R~TYJe8zi=24C0uKh?7n6g!3ZGXRkJTS9&TT-`YaL6ke;V8nv&juiDDL1t*Uuvt7 z&HSP8c0AX*chGHCN#t6WUzfL;feB^ykrc-oYt|Zb%sZva?8~rbU*R#lKUBjlw8%Lh 
z8m7A4CE`OpRxB%w6F=9Qg9znC+EIEJs0g6i z9BMqx=ZYi!8Sp`{Z4Q?2Tm?I97}jJG2mcaz4NE||5n8Jz%yfZ@EAd-mX`sf?o-eBa ze7IaW63s{c62kx}yJ1P%wc{8LovV9psmJwA7SR+|grT|nEE&1M;-^Tj8})Fmx}GnY zGHaGCni7UGrbhos9}T=)Pl3EIb6Mmh9w8J(#n@;`rf{X#R+lyI$ZlXW*;Af8$Gv!w zeu!m$XI9#~~who~9V`LBpZ{2%MfDveF7Q%C*gbIvejQ`2=cmg;nUY~=h zteuc-&NA?U3b~-9kKiKLXq>r*-H!y<>^I6uAB4&8FN+x<_Xw{`Cm7d9Ruao|@`fha z4D-#Z*`cs(ZqueYP?E^UnyXEa@klR_uR50GU6#FZ_W&{)w?*{O_3(jGscQzc3b%pPfKH8H?XHrcY?^_ao!y zn;BTyKIK>}e~kTp{(Fr6GkfCqBg-dZ`1`dCpTOYn+wbT93|jt&Op3oWnlLuA)3^CV z?##69^ab=km2LXJTTT2mslf?ABWBd3mlj^|;Te)@Rj|tJ5Mn@D7Etq+Z{5S|Texpl zg8$jK*N67pJaRj0RAGii5r&C~aogSXZ?zAsDG3J49F{~9yTq6=IO*wV&IIKQzs6^h zG3?+mdd}&`85uk9^c5h;YvBY6*r;!|ha+&fZkE;Rkkffa11oh?C0BlcZ!$(@<|Eou zQQbYRg~C?4;3wxFl~fnCI;#-eEnYVR$21`zKHZ5K)G>mXlbLvu$dD^270OW!t$OCW zIZD{QmDdlQhRB$>76~dKOJ~hljH`YJC}BIrgv<)C2LhRjv4;W~B3bA2mOagLCF8Z7 z90&Wn?=H#yG7n=41|o(MGS3T;@=%5fIc25-0Vypp&V@{-U?Trx%%_{_(VKW<1pkLI zZ)fb5%C+Pr2W=uc-Fw|*9Y#jeFS`$x9(1RkU_9T~Jnes9h<{lje}h#20e}B#5&eM; z|EXok|GfVGIDLk;ke{I!e+QI5$reVozlLDY{azEFh%&>!Aj(vqum5WolYdLWfcz7r z{6C~%d`1BM15#$B{gnOvJwb<#;gdl5V=jMS%8<;Af23gixr@mkBY*n<{)Q>jF|htA zL+5kKtp5*C<#bmFC+z-eEBncf#(VC(bd~e$`HG48iir4c;nZq1@Cj7QA`SX#k6p|I zU=09RVIbR8`dtuxYklw&OJ0hUt7T*RU;X^9oUXpZ4($?sm9oai$9E3kt*ZCDD|3sw zbiZ`p?99D5$!#etENN*eF{nEqIWOgd>h0p|AE69j_Pw>;48U)`DKY>4*?0>y%gt*1 zV6B%od%!PaQ(*Ev**|@3 zl!5V6b69ab%d{Y@P8U2mtJapT{73R*Qtbg1I4FSYWv0sCd_7?5C zr7b`valQwBcy)4h6(7S7OAw{Sp^lIc!MTt&Yg+E%f&-%q*Kt9Lh5llTi?p9nm@5s; zNhpdVyuo~h5-I1St7%LTLjWwx>5j@F-)_mX=fCQw%0{h+Tm_b}coSxQJ zD*vM{(KDDsgqrkWx9p)ugM#qnalK~UrX}^_;OOQsTJNi?59>??Q?>Yg-=oO`ruqZz z@(8Bpo&_OnL)IAtdrCzaA_MrySK0_Wo%w5N8Q5nZwj>%6+Ve^6))HI~faAEHTL2uc zk>IpSbj#a^Yds^yGmr}*2R>O4VQ0Fgx{=iGL-iI&1a2I-1O=7q5%k&%;tSBc>7Y0) zWi{uqzUKp);A8YQCy%nIZnkwgpq|?^3K&2coD?JmFtr!rJiD@xa8cosG3a^&#j#gT zNmi(mnnD3JE5&$*BxOVf5dP~VLiFO9?Kg&HV>-};hbumo-k7NZh|P>^P2S%rija^zFq)tH#^%pBiVOo}IUY8DpyGQ9E>*?Hy(u?;Z8ca19j2dYj9F3*R>$T7; zlouqAKY&vhR<=A`WAzmgfp{!QQ%14}QSi?WQ7)sER|tLh5S#P6Iyi|MM8k51uoP@s 
zKl6d-R>sikr5r(#fV{xR$)}lRDL%tz8EGGDA0B2VSn!D0ZMLZhP93B=+#5Lfn*JS? zX7Clifam8<7WOX^@zlH(vJrT1=cL`RBK#3L%NQ{U@sREyw#Z;H*3l1;z;ooD{AR}V z9!h_-3DOo*aC!J>>F>M}WJO)uyzM#@a>3)OE>w5?*tdEKaf>3&!ghmqFT2mFJJ0pj zZ@lW8Xp4@0cf{82tQD5b)4K=wnb`|=MG)Q; z=k6Jn4l*E43c#-WNwB&xv9c+TGdJ^-)1(GrJ|SP@scGrO<589ydV!b0+%DuFOuSjRol zN8roeFkUXCe#OQsBh|lpDoEaVmaL6_P{d{Lp?@eI!Mun66bcBMBmgDk#)=_vUI`5k z`tTjmf91-?yK>w=z=aSI+2qr~MWuQTe-!zQS$;K0Gl>5X^H8xU;p?pP@h8m>cD3eW z{b-{ozTSaPUFw-EZVSuAVION$?C55BPP`VyU5&i9_ZICKprOhhqk)NZy56=T?tkxf zliAny&>n}{Q;?295SOVIZ&qs-Y?f>mTFys~uOBhdFRqb3mQz(Qh!@qDK9u=W0t7IZsSykuhbCI*y&?qr=ijIDiiC=qMaSu|KK4yW%8W;d*kCT%v zP4v^KwR?0*y2bH_(P-YXmFt;~5g#b}id@$ZBTna#?Cd1Ew(4Ft*H!dLjGZCoUTuiO zDl=PHQnKx|wlBgKKCy@sqRpZ$>HOazfUQ!*#z3D3A%TKuQOV+34l^(B4_h4fTO38# zu_hgr_FLdSf3zPu;V(a0TUz!%FjqP%8vX6=ZX=7c^s`Wgd$QK+nq^{q+j46IxCTYJ zAE=FTfyl!^3p{B8v5>&*$YJ~Bsb=SapANMLhYjl6P zFIQ{S?r`Ub0Kap{HyGDi<3WY2FI1;o0nIs|us2_QN2B0XqVVxeS;Eh+;UeD2Dp$*$ zX)>~Nt?;s~-RXR9*k4(q%7O3aW8m?Dw=xF@pJ9x3_gqV*!RZptRhW>jGa-CobL>rO z4*AUHD>rjz#Wfrq?-o-AZDX6j26@8yauez`7&mDSK+1a`nZ&JU>|$|Whi!jzyKJbjpJ9i1)JlqVMSEO4~^@q)w5rPanMVqx|kWe*^Rv?3SSYR1Hb)g@`WEG zVNz}d!d}+WnT$CTzWr*F{;~!7$YB<^*(2tJGCuzziUOR4`VM2DPXiSCic=Jzw#9qT z!$%(4yL%;h-+snu*9EtYGsElBtnEys4#=_1-W1L%;x`v_itlII1ghzWG?&K>$Y>xF>LL%o*UzT7#S-$`o!8>5E3_RJF*Dv}fvxg(g z>oUZ(C%4S(d^QF%`$6}{w~+CMg>GFArA=k#w_b(z^b6<_;uV)S9-U6<8$%_B8`x6m2o#>X2ozH|8;@3m2C-&-Q%|)wNbl zr=D7^l)h&O;|DkwC66Y7vX}b0zxrxqn=599e{PhwR+rYcEvtW=y3~C%olV@Uuj(K%a&?U1MGPO5kTS=6UZ5GmE4Z?-6WIL#3m+O_(Bk6S%yA4-!{O7(g z1YpDR1oRZM;Ul#3vbMe!*@XN6g%RDace?+whevim8CYyi3LsF48+s z7OEygf-AsYu+8R#v3L*n2zsp3T?iB9Qsbr0UqQqY^|q&dLw%lgdQ8%iOr#EQco@>e zMX%|ge2-VNIqEp_AQ4yqR--=yQOsvtG-&^@TaUf4rQxts4|hxpNrT_$5h446AodIG z3T7jmFtff-$Sp6ZZnqx3c|$58nxH1(j4(2$ckf|O&Ll@tRpepza#r}b@<^+RYE5Ge zXpQxOnT2X}r2Yn7Q{x7}ZKL<5lMernyP;_aB$!zK>eZvmcx-6L=d zdHAV665b=;lO=7RhJqa`e6jWt2m~FnPH({Sk^e!@R}>5nCbVTr4AB7^hKBT zYc7YlqXMHPOZQIq!LFZ!zn3aUX3RG2*!KsD`O}x3N#B!YN*BbdtdZwhkzUL|d5~F4 
zMeDQxD}AaxW{CEvZ$Kq<-FkRIha_Q*ipzlY+pr{O+SQ{NZ5H9-E_PS5V{JtEf!u>8 z_>K)aL7GBKrD0$8EJw}uMC*zy_);6dHU!#d{aIbNSb=LVd2!unT-mURVb^3zYag~X z(MdG+fG@H~k5HeLmW?O;5TAuFG~!ZYn;v%eEc#EY;)G;Y47&NMa`BY>)K~a`RY60y zxh>#qR=}u(hM0$B0%JRKb!~$-BpzmnmKUc6UV!g5be6FhU$}YO@%V_Ib)8Tb?|(cq zum6Y`LEb~4hg*z_%nr~e8wGfVFFR;J!oVr`pmGJ<$hWtnQ~Lf+UAo75#K-Lp20An- z03sFJdaTq31~x>?{gydAcsp4I^PZ}AjA6l}@xz19L-LGKOtlFzslfAV;*JU6Rq>kl zfC0<}5y;5As7sKVuVl~aO{Uf5a7(i;J`qhcrb`Nv5!Ug6Nv#~byj%Zqp=YeQKXc0X z2Kj8p6LfJc$i{d_Py9%Lo^2=F^Y|yzd9ha!^o^dFi} zyR(F^94GC9O=usnXT2JWe5ZPEQ=x{(;nG8I5ihA`wM#WsQf4M;^U|4RrRAc1r8@B_ z`}+CB(<0VQWXRBuQ0{=2R6`F<8j^wQ2K7n5#D#n{3+Iaz{!eFL0*>YO_1&qYM57@o zq>|Y)4@pI4WynmCDXGkq5*3+eMVUj$JVq2HBvTnfXhMY&3PtK$&-uUS{r{hR``-7v zzUMmExw5Xk@4eUBYxu3T_q}g5-(ycxZt8YSBv;9+`0C%W+HqM~Su|(CztH@Xw;z}2 zU-2g|^X=JP=ya%eM)L4Re9y178MkUVUzl&Y-nNV*eYgArGnK0L4?F~`sb5|aZ(e^8 z*l<+mXoZQ`WdpJCqR-#nElU}!C_ADO$tCY`dRFg@@+*VV=$Ht6UPkwuN@E@4<(69| zx$haO(SOA^1f)f(u#BD33`+^mZ%{s5v1oTH?WdE7MlDOfzkd3~4|C<^7cNy_?TF&E zJwEz~#L}V_q9)QNHYl8a>WFB1|LXChKS+g|Tg2&jXOpKZZ{`P#>Hjp~ko=okvw!9>UYuxw7t2gh>WQx65rfX%Ryjf%}*_N9mJo8#M zanAfs!JDt@#dl!9uyH!SyCF@4D z8D*WRp*wFX6S}-7u3XeS{fhYL+>lRK@mV*?klb9w>>-CMZ|`=AS=CnFsC26j5N&)F zd1Ke^^>M$RJma}?c23iC`b$hoEVp9Yca}m8;cXv>#eMgThUBKFw(IVCGA!R06jDc~ zsLd$YHtO-h6)+{L2d@nKBzbM4L`W#dEnEu8Ss(}<3ySWV{Pp|T@hj@Gwi}w;lW&U~ zz6dOlE%VK_`Em9|#XIp|BGt-m3d;)9byHj}D_tM#sHVgU&HhREaLa#`)APpnxp&+C zVhbhR2lLf>%`-%Ap}|6jj2p$Jvo8Ei3ViBawW?Jjf$BWThicRwN$pWvN|iM&f6z zM3(0qae(9#MU4q>P77>R|H}5d#yBf_KcZR6yZnvo)ELKa5(`}c4rv7dJ z6PcGbhO`~(+x%%!-?99Vq;TX*xdRy&rjsoXbKG97P9ScM9<@)K68ieR)$*v3251 z-~C@F>yM3?bt!mW|6pu)bYah6)qMQM;HXQb^3x+%TtrhwSMN3xy}?_lRC?vuEEnt6 z^v~kUrK073b5-;0aB1j1aA|$*3NuQA?fqWY?39JWD@f*ju3Jl**vyior2}{yZ`Rme zm2on@k;WnQOyh0Sx%byA?r%JnyyCR*!5U9#4z)`%lU1cg!9)l3obs(31B}x`%eCX1 zD~cL;>pj@dCI8%1+oE$sCz@-QpH1!)vn^_MITdT0toC)ZZK!b-iOQ7@>*{gYIg`6J zuq#@pYj>AU7F zGqR3vWE(qtQ6~FwVs^IB)e`HwBNY$zG|0UHlC>8)UDr28#JINeKQbEoo=4fH)DZdyqzhdTNfar(rEJaJxw7rMQ_=mbr`^WWc+hY>Q 
zf*U(^I)D%xpu}p#zPplzoPA0s_@v!+rdZq^j`X{`EWv^JZ!8~$jq4km!V_#N*}rG=5H}y-&&k` zKXGOEmR(BY1B01=JlB4mHgVjeZ*^eUtL2O0nZ0taxe`yyji^V&KRXh+Vi*p&M0zwQ zGZ-ksR*C{>elxyziMc`hs)Ub z=8l(1meh{EzV=1&;xe^K*<@a}2wUqZ_p7^XMVwh`s{(yklDXQv4ezy@=e(@*in}hJ zaXR9vi1y}=+ewa_`AGaOBez{L!rt$=mv&8M1CNlLdj9?ov^{HA3<@L$5zZyW5mMI4 z>{*kM^~p#(U~l~G8j^L~t_yA#K2$#3`)h^7hR!qP1a0kdJwu4OH-Dr%^S zy?t`imm4>CL@tu+@V@vHhBp=qxi7E4ZL!|!Yr83fsui&t$m}I$iE*GxRWcZ_lGkJuk^6ANrRc*evsM z+gb4niyw|_%ja6&@4k3XHIu?6;gnw`WPGfz)9rqqbHluk)hW+p+Fa8wKi|$#ll~8~ z)BOje9tI@ZaEN&DY0W-Skbb_ZOs7^t+-K7!NwKw5`JJjwe8F35%iBGxs}%i5Ew84* z)r@sM@s-w66%PW|i`%b@OjO*dsQH8TAVDEQb@bu2m7g~qj8)mj9`0wmMKJgLh;_hc z6}f|H?8RDn4N%LJEow92k$7J^8Ru4#qY^H!o$t``qEou3Ipm_L=FG%u4@=35T)o|Q zZe<$g_uh%%5a-vw!?}mkL3EhSz{yoxqrgF~%B#qBD}7LwOb%4mBfTP#6(d63GI~}; zo_|&<8FFSnyW-6qJ(Fu$hGT9zomo~EAt`dchIbYIc(}~~`}M81LZ+P4JV^&QX)j)x znYlI8)Yg@M4dO`oWl`O0m|w)XOG>uA>_mU|gh$MxSI?}!Lsj^-Ju#)E7*4+`?v$?V zd%U?jAAEguxwU&R$LUY-Gat!kE2#5>ofh}n?{Mrr^87aYWHc9fF8f1{t>N}HFSEz1 zwl`_$WmX<4QE&^iHJ_B~TW=k1(ot+Fr?atNvqXN4+m10qy&YmFqK(sIJPxLpt--zD zs28VHmHAj_;@v*}yaOlnn}SP?cf`sJ3@UCZHXnA|67kUQoulS;xw^o0TLWsig5HNE z^o0(ZX_}s$cP^B%S$1o@i8YP>B+e-wH~rzR%xa&GYQ3F4eMXPBBxc$kZ9TZ#=k)QN zaEGJX#jWSp@RlaXp50D-@Lu9)bdZqlyzpgj+uuFArg^cu;!wG}MG4F6<{JMx&Hr(BFrlrpMMKT5VKUB}E{5sxc)Rw#$ z5!3kP)FS8gD~7|pw+{Cfs0p`dwsC>-J;yh>h0=IuHSN-7L-rQ%7>x1kQ z3Ax0vpwNdsHZvDJ`SYloW-lBG+vwp}%8$>cx>T~qUjLwf`{(fGe0QHd@r#>GGb*EI zoYpA4-^AJd`{021w0!=_qTV5{*NdiOZi)}rIViZyNWST~MzMEInH@EC{QYI`azch<>^60d84zCT=IouYhsk~i?U;LugQ@na&THDcv zAmvcEb?vu06Ia}~lp@VYbQDq3o}DaH3Uwu<*4z+$WTj;0ON>DxS#AeBZwOd?l0-|6xbC-=y8) zzeKq|zW;dSWJv2&s!Thp=g;IRGa0L`awaKU_hgM@%We;r(GtwG+d?TMR+eoJWk#(h zfyd{omC3kc}PC73Ajhr86ViQc*v&r`pjof=U1P4S}dn(!`-^_ zR^;=$T&-uXXH6|55Y>IUpZd%m%c*y$)fXru%-C`tNji2QNv%SA6>Hg;ORsXG+sSsX ziDONH2V&#)%{0F4J2WcM`MB?f<(6Bk`rr};1wwJD@i_sG=GD$;T3(#wd#vL(d@jQE zX@WIJ;}E;PPx4vk(~+Diar=pt<|e7^=K%*euaJ-xxjtnWpyD=Y4)=p z*4eeXOg9NSKS^HHs@_P}mA2z?aNcNu-}_y;PsfS-CUVV&iFZf2Tjxdb9xPFZb7&;FS%Mp&F*JuPKbX_ 
zeA?6W)56SMPEp!xFj6<_`N=9_)!X8xu{V2;W$Dho=lM(jX0UXAAvce~sVLRz>ULwZ zHvuX2uh&(VG{5TW!sfG=GJeyPvSmch-x-f(DR4`5 zzq8$K)8w9AkJV3XV^!5N$lod&nVp)pkN-{APoq6wTxYms#$Iy`=ty)rnDg!OkNgsf2?SaSDf6 z|MXS_TyANqd9=2>_V)MYMw6u1SvhAOuk@{~tXQ4XH^e(0a@dz|+=~AAmsIY|hbt@i z!i{o6eeWLK#rwkgaJx$sIZ?(qn%>E}-Y7%=`Bs%xVzG*M^>1yjTX+0Jkm#aKcZjzb zSHc@1Ue#U$1=IUeQAW)?d!mZC8xoYiCLAcpef z3Aqt|j99RkRQvPXb?M$oi-CKe7dC5H-|Fefsi^8KSvPykKs=zR=|bn7=~rbLF;?Hc z-+REZDzxKhhxyt!+&Pm5m%>R79Y!ruK07KGUd&yRXO*70Fz`H8;%q_eZ^^+<8}0tZ zy=5+KD~FS65_OKu2A}qJ6|cV|_atDwkaeyKuU^IWeO)?I@dd|jo4!qy{w&xNGcmJY z`@7)}nk;{Z)Nb`!>CN^<7mLmpJp(E2)Q%6C*Es73Sa>UY&U^uMo^xV1WE z<0W6aBK`84QtS4JWk0z3Lw)rP{_mSF?*{0SuF>GJGN)nZ+ne^?+SPZujJ=&+-hG-i z({+tS(>AbiuZ4O4!Ay3Gh`kXnS!6?!)i)=x%SLEC)Sq9z<{)S2pG~Td)twVJsR(b` z((vtwxBElY)}Kd9PB~Q!B}YeWG6-$Zem~ijz%#)+?%k+7*EKwxwRXg4`emDujCkWm zmMy+>YQj~AU0*bQ$rG-XB6aSTSvgWJ&UI*KL7b<9Am__eZ!7&(_I&%=XvC8HHgyxZ zMqc{XNt=nnt{>CajeL%dPyX|>!_cKhBVIMHS)DZHQ`J~}LiHWxL4TAPY3|)s=l$pA z@HJmwUO2?YnYs79%Dr7%^^Zu8l6WQNp9wX$x+$io1brEPo*&RXBH{Th(lQ%x?3^>)~lFpQiG=xnmb3)Iv3G^0bN3D+V@3*!CHuq#Dr&y7>&&l?%^`uNTYe7&tvHQ?I$ZcmKsz)Uz-V)-AR*#X(bg-qqS zLB%JU2V^`PN4`gu$CxScE3TCsPfTiFT%PsTf6FM>1MaAPxAmh*?NzsL_ViVrC^Ik1 z+gYqt^r~>Muy)baU4BM>N@18>o^r2{m78}m)cB#+%CJu>qVYa|eYRKj-JUnW7XJvg z*EECt9L;?n@h!izPvNl-|HK!I9sT^~A#Z+iJnXl0dmx)~MJYHf#QuFgo5w&#)X=9V zV%lTPn@&ARQsMb{Fmk0re1uleC5xn}fFDQQN~X<6)}$Z1kdUJsyz64!(45Tx?Nf!} zlhy=l{in}3_4lz%y%?w)%666+_$)Ipyk#CAwOx?@xIIx|Z}Sly8|R~Ziy}5V&YEuw z$tux*64HP195G>#gGY(f=3w{uja1|LX!rEo=Zyyh8-kp#hKO;0yu06_$;i=!Pa)R!(@iVjI{1>woISVlc;tjyeIgFuHaw*$5GGRlqh`(I!?z`D%d7diu6cTA$xCK?bS2EwxTY4!QpbPA zJ-)B~;qKFdkBn~vU3GA&AJ$t7k*&i9Fymj3bXD!7sykhEn-n7nJVo^fn@);-?qiqnNJ z9Ug`cwRO}j3pagJT$n(5r#?0EV|4Z2Z>brd_3mmlt*BQs@Y}{URA!L4&Q4BHQ(gJ3 z-jmd;vezPd*c;2Qt-tny#lE~yK=guq#G3UvQ7J1XHumIbQ10zcatz|Sb;)TLpf|ASh?m~&D}fKQd{m%`bXHetUK51 zGG!Zh%1b?Z`$(+OX6sK4X_J=Jz4-6aCEnBb2165BqN%3eTaIjRzVzX!vZKD1(@0bB zs>45r^vWGJ4fr)rr?T8_eRJR1#>BTEWj^d{&=~>IuIR`zj{>vaEmCKH%*@xdNjm4> 
zO;B|a=x|B@yei~_nDFEu;nzInx6`k^?y{VI@rk<1KE-Bb^{!*L1=pyvCuoao_+-y1 zHpb!;`D|EiH|Ma2Y+a(+Teqg;Kl(O}N#9f#9-8p>7u7Z_br1P=jz@|A___U`i{npa zZhW*Z)99D3jnA?)wV{A_G_RCAg+qEaWx?HUQ=4bYKXY!^{qF2e?(qE+bF=p0!S+)& zrlE-!Zl23Xi5OV1a>yz}RriO<$>o`chn~62?mW8PjP%ym;>)wXa5uLog=W63xD&z^ zw|q<{Pn__#i|+Vy;9{s(hU49t_x{uTm-fE70c7r7&=@|7FIkNFE}wr;f}xCLZfYb@$0@1BbrcS}C@rALwb2R*j=OGczhsrK2k z8)~cN$Ig8-Z{NBuICSGKFVj?OtJ$202JiHTl3DFn2vetzYa1DbaA3?Hh?Z zz6GPBRtru9Rs~Yx0M##6Ow92JC1~dOlv0skdoNA7EqH!$Uc2h>*NK3N4^{zgpFO$F zV@ZkI>LS=mu4*-DYV7FCY%9$=q~~B!um?v>e8SCol+IJ3Bqpwx;pd{Qx@Ft0EkO;1 zEJ~Xq^F@Y;H95RTEFyO$)eFR?=y1Mo3p(j|5{@}mSFY+_*D156xVXbwYGST{jlMQj z@9D2A9P5QL3!K`Q2b(xF7l=+%Il8Z%_AHBGz1f<*b|K+Mp8R9GHlwD?pHAP9`EZW* zaNxE3KF2plxNhDeSyxBYq*F#3)*n7V4nKdRm2Bqbq^h$~H0gJLebI7{HUlBr;grsM zf9y`>XZ+|DNx^&P>9^C2%Rl|Muej@d&&_t>6aV^Ir9#jT^3( zSjnmAWvlSNQgEAJflH9Qv!#u9{qH%J_Zdh1`P{#HPSU*W-IYw4 z45IA=r><_EU+FE%!tH-)&_68sqWoJf*;2}aRG$Cg#oZHU6rP0=+V_dao^T3#C1`s< z=(@bfg$fbB*S||Bw*|_Ei?oYFHq7gOd!!-P%wrbaB7dX5OSUUD{mQo=#(L~U`wTy_ zdYy4p!LIDTB>&Ip(*LL9wM#E3dWQ*{3FBr>xFG^hB+~_H^#AF*a&V&izb|QEboq}H zwNwgmiAx%&OqVp!=uG!&lHg4FzfaT(Qb_;06z4zg)%=_C56}Ocs3p=FU$py2SICTS z)%|bE(rR$ok+XaIpX%}lyvNn#=UNb4s@xru^3YtDxXz!jLTh+l_d`8SRxz1@Qpt`|=f)UFRz&Og2F zNLaS;emKR#Sgo#Ft4D^rzhJcBWmY23OPk#LC)_z2F1erjWBmYMR=#cKc)sSMq4d=; zVVT#}k1sY_w`dz5Xdjlz643OxBjCw0pnIG{QoM6@*R7qu$}Gvj2On&=P~Kf7G-|Et z6J;9p{o$QMQR~#Qqjh(Vu2bcTS{~K3J1?SCH%dK9Of|A@`J0AY&sTiBa$x!8Wv`dN zUS`T_y29^D+GD}VO^zGfx!qTNVm-G)^6|wJ*Q$hd)~oIn8dX&F-(4j*YNVZu2p$$GASxIW~sM}IwEp7uEYvD1ky?p#}zd9i(7W_*U*I@2oihOm;M z=52k=Z5^8zX6p9K7Ab1FjsTxQc3rFYu#``tTh|ZzgcJ@Cb z>{F_IM>)z->&Tm3!*Ny$ud`-K%aUbnV5cPKX-Yjc^yO-GJHtJs9Phx~4Zd+=&Wc7U zZ#|T^kbRYVt)hwq4vcXbMZeoz*E^iH@K9%4pq9qF%cd1Qx8!GJG}^c6tL>c#_Mf3Y zdiicW`AM8(?wWr1U&UubSxL6~`BZ8LSvB9FcgD}5+o-Tss(gO}>8{Yx3+2P+Nijhe zQ%%k82sL!-O>mYE+GEV}Gc>Cd$L^TvNO2>-%%(rR~NCGEWX9FE_rrXLQ;2x3#Bs_;IgT zp0{^imoH7R>q{?Br-mcf;)>1iihQwm+&c%Q?;`iNRdeHf3VhcUdie`v$Ua--68K>A zgSX+qrVHbrSBqXU(hKf5OW?Mxv- 
z{?D_LHSMgp*Jd65-_OUiHW?)(${*&wT*n*yIgbaQ7I8jN;#`J|(VqS%m3>3c=+C*T zR~nU1R$aQX)=Mey?#QcK;>~*5=Y`hRUOw$h&`wGG;?Wh56hG>9Da}e>=9|c3lGDq_ zafUJ;-W(^`)6OoRCeM9~zU5}(m7$amXS!8q-J<^2egojfCvsy|)Dv)NL^ zSLwb~o9pli+jnj2`Houn_>Ia6*8tOuU5R(h`aC=6^8r#8=Lmx5j;Eg$HCY>Yu(D68 zjP+al`RLDg6DTj}G77Oo#uZ{Yki-9ubwAYY-Qm z*JM5tFda4>W}LR}u7B6Ju?wNLPhztq49dp&4FupT;_cK?kMGH!UVL)6BXzs)Zq91A z?sj9{dn=+p->Kp}uP+&>7S=f)fuA49UqPVj1s-obs$ZYow^ij@o~3qKtetg#rufCH zRnJ!SIdx6%A6{`TY|(cy+H>@o;>3IUL&wVMi?5&cOdt8R=J&44agV&W(_1vB*8fnx z>y%)2Fw|BphM-=dx<;%!LU=^V`a!V?@6qQXA8)M5jW?+}E@{wnckcFV$=LmQUj3*u zK`{lA?J;t%?k$uaH%^|FIQRV;<(;$TpI$=ey@8oqdqUdWs&rc|UhQNHjdL*8aX(LNVW6PZMiZ%&udkwx}Dm4bLR?m)O2ID z)}8s8KjM6OGV{jH`E|0{mxCg`@;>*xnqfH`{jy=zPql~bgSl6$&3Qhte!9SytZ6gq z^s4#dWDWhqHf!SKs_04>Bgv-qjzj6=1IomoD>tbIywaVf3d1srCElo+W(W8wj$?r7OkKkQz zW{4$dYqw>G#ia_0buG`ycq-F6dnA7Wo%1@2xN^ zeixR!NuF4_X3j@B#g3(hJsXrf%%ZvQ_18M9J8g4V!U!vZUij~6IbrV+Eo#`s9yFFT z>y9%Xk+x_o?NZArmh3iDXzU`9I@>mN>l;Mr-6Uq#`2fC;#a% z?n;xqm%W4LDRmJ$MF?x_x9dmWAF7!;cDa4EN0F$+QL)6$Pu66|e?IbZR$ou?^Xtiq zOD$`XLnr&zhj~Q1O)0dl1h}mpkjvEu#Y5ly> z=$_CO*_Rd;yUf)me-Rd5>MKpf5OP=NudWR_cj9-d(+h&`p3+O<)=#B3P`t@g_4i_W zZ`4PBtvFcL`C6*eM5C}bx=ciZ^V`RM8O4IS4hyT1ukLaP`oPNswHr{dJd20Qo*sV(;;{Uw#P|MlD%FPm9{1dS=x75@T z)VFqav30N)#FM0`g2zPU-E7ZV2@;4ZcmnB|sGzo+xwGpC;f|3SMW4pxjNg8%m>|3a)MWeu{;2B@+{!bd?-|$i-Li_tVd?p%^1~0C` z%bJYeKhOL754gzkKWS7vjmmg;^gn5T|ADrHi_jR~hG%YvC(t1iWTHWV2L}kAiT1C* zm}pcQjRXLmnT8{gi3p8ICD7p|Kc;p>8lH$p=0~Ixh>%qx?MOICW|(Po0txPFWTO53 z2l6}`j!I=@(Tv~!BtIGvPo^UCqvB|Ic-xPuFBJ#VL&l|mtjH+8bQ%s)DyF``8<~#b z1B8H#OQh2XaLpc5UszwzGiKV~4Ul#;B8^N(+Cg73=*>p2B~;5o^j_WGA_n9QSl`3c4#{ixCso6g8D1y zOD1Dv0CfeZDlv~sBH|G{g1$@0l!T)pyiw>x5&`K8G;qeq7&tl|z9PajE@%r8_2X1L z9*0MGqtL00FOV?xWn4x{LHq#~#z5!7Xa}D}Vd~3x9=06;6H}--3JLWu6c_;`Q}AIJ znc|=sW_~yl8Y`$cDur>|CgbOyiPpI3j!#hKUCL6oMHu4cd`VI|mwtac?sdA9x}itEb>(ku{>?iBv!VXkQA- zFSKJ^et@=H!mklAehrWS9@Tr8GvlsdrsqLB0^{v<#_yjsVxR~*cFuUry5Wg9tS=#e z=A+Lek{OpsAY)+s9|@KNT@Ro^U}f%0#S9G-;6U*L^|u^EW8Xv~AT&?p$*z-?gW0`*{| 
z9r#2FCVt>>7+eCr1i&{lA5?H*s4al}@YppX<57PA{+@=F6~tOZRv=R%s*|uDSd0X= zfchbjJqg7TAX6$_mBF-@z!~HIWo8-OPJ@uC%F*bK>z3{ zj(~Vc#L56H80iaGnMy#$1wA0ZRWeL`Q0OGAZQ*ES999oV*mVQgiHrfVBH>WI0{NkS z2=oAiip~XGA~HW%U&hD3nC1+tyHsvK!;V2C!zDOKUos>}2o3HMLH#(ybIAUf+d(|1 zVC{oIz{Y(N9vjag%wYI{d;ygo4yKHZ3pfW4Uxh>X0JB8;!u-IH&~`KenyY~hE#d#D zM68_?=@@(uz7EZCK!@m9-JnrWf6w3pjb&hObTq#NJ|I&@`G6!0@v)#Aq$SpfjN*3S z7cM?WpGO3=%uEA5U_nqCZ7GaIMq>roKE^H?d|>So>(?0b!{md21kjw5F+bF1z{i3k zLg!4uU@n*+0bO74*)%Ffua@#x6qpS27~o&P+o3ebFA<%D`9WvqcHoCFxgW%2IvPU( zqhsnc5Rb5U7a|H=dWF~rB$JqN2}|S}P=3Ma1{KOi=<{I19rYVHFgOgq6dcCi<8c6z z(B}aO83XhMfHB&R01C)V1API9&rAb3ldv+N6EHb8L@iV<4BbHe6(gQw@hOB=j0~tm ztW6ULSUsR&a3X^b)ZQ3;U~?Q29_wQP{vqoIIz+<6Bj6W<*YG$Rs*?=NKt!GgF^Yu7 zTF_lgP7Lb?4bk<0@PS=RFc9W;;Quhb1mr@;#4SKqSeyu@B}9k7K4@r70oD?Vpv>a} zzYxrrX$(HFdQYRFc__>eQ*(p34}wOY2dp9E0;0j>wSaSIC?03b4~=CYdpznB0mD(T zH9;aBgI{2NC>8~M0pmjFjHjbxFy^;J48_<717Bfl88is2=opLwFEfpSo6wpYV}2;U z2l>&lewR#JqDFzqIT?C@jnhODS}y@UK!D8igV;kwWdO2=>7eZxi-e&uz5v4PpMhU8 zmIi?uX$ScNR(El9bS^Lv3_f7sXVkxd?qc$N#=4>TFN0rHCqaIUQ#ed~z!;<@bZCj# z1F!_62T)2wuriE6#QI_y?3*x;3-&?A)FNR$7&l2We*e@SfHyMSlgC5@T_d14mVv|2 zm;y2-V|@v@UCjCtG4TUp_Y!(fqM$ej=10R|Z#=kSME^i@m$0{`a&bHad1iiL&6mPH zOZavYrY;Ke12BL-4=z2#=qZR8@g)$;F!>q|9YlN*y0~;87W2EdD-eBJf(KX-$fGj#Lfr9l-03%SH1RRU@1wL>~ z_(X9z|^?Opr&Z-p}-oUHV9th?{nP@#s6>Y!>EBG{L;u^M#x z<1Zj72$;-sX4oaFr;Hi}>Nh~9L@bu4U~n<`91p_+ zE=JC<&Y9ADc9%zh$b{N?&scSF-rj`rQ z9JMzn`Y^ud$h5vdgNg|=4P=Trj|4G~vIM`7tTFe6cnJwLGYv2%#@B(~W7Y_C2(yO^ zr!BCU8hFFxWdv+(3C5+P`5@TQ68RQv-66gmd?E&y!2F09J)pzc3M8&VUrdYw-5_A| zZrDsk?F|qnMkfh?|Il^-C(#%WK^hzkDtmyUNM8n~!JaFCL;&$kAV1PlI0u7c0o9@Y z8H)F?%Yw{>NCW`LOauGCqkbG>GH4sx4nQ#aJV1IF-oV{s{3IMdK=B5gQh>rY^B5FB z<7jOY4nkno7os^7>yf@B*k{7{7f4-@IfGw=gA_<#$ed9*gPvmcG(rC$f-v_5y;`Ey z42dJk8=ROxu@7{lqBsZm#n#tI5I!(AO~T~FfN3y$4zOnfmdQM4IDLiL&x6x1WK7(L zu#fr|i1Ac(jUXq%;0TC#IJ5@J$Vo8%0Cuv_m<;n{ydB5nCn*&C5_Nviag1$&VxhW0 z2mg$D9+WmwTcyD9A#6JmCYCXR9%3J`v52YDfMzUJLs6jQ@mV(ODHE@nRz))IuzJT9PJOzj_Jfbqr9Zi%yMaCioJ 
z9>ge24HWE+gwYo|d;u9*HwGW54l&{anp?pV!6qca2k?vf4F!W zUtk3p1CF?&b6FBwK$#G22k~R6GbfmO4h0UhqP7b2BVuX51|mP$J;$T_6`(^jw0;US zGWKi~9Mr0+e0(OrD0zYEsFh4kOfyfkg4bc1-VkqXUAFL&KUgo|G zo5AL_;1tnygPl+GY%=7bnD`5FA)$OQWQFD~K!fE(<^nX#n#1WeG_FElY@Q4=L9rQN zOw8FqpkdFRGfJC?EkHX8mJe7W)L-ENzhL-)4N*jXR06s9imaOIU=kE z9^EU4#ENPE*VWnF_N=ut+rE8*(mJ*mtr;)32udGyaBvm;`&|XWqk__^_9q?SeQt;n zfB&T*Xd<`|PqLy?t<5Q9qBYsl(!vU7b&^0fr&&TZfkv^!o!rm%zc=~UC%{}>;pLsb S->iYTfuPuS?^e`QV*5YH%9$qs literal 0 HcmV?d00001 diff --git a/src/.vuepress/public/assets/downloads/delta.json b/src/.vuepress/public/assets/downloads/delta.json new file mode 100644 index 000000000..fe81a5181 --- /dev/null +++ b/src/.vuepress/public/assets/downloads/delta.json 
@@ -0,0 +1,1136 @@ +{ + "ignoreFormattingDiff": { + "addedControlIDs": [ + "SV-213913" + ], + "removedControlIDs": [], + "renamedControlIDs": {}, + "changedControlIDs": [ + "SV-213900", + "SV-213901", + "SV-213902", + "SV-213903", + "SV-213904", + "SV-213905", + "SV-213906", + "SV-213907", + "SV-213908", + "SV-213909", + "SV-213910", + "SV-213911", + "SV-213912", + "SV-213914", + "SV-213915", + "SV-213916", + "SV-213917", + "SV-213918", + "SV-213919", + "SV-213920", + "SV-213921", + "SV-213922", + "SV-213923", + "SV-213924", + "SV-213926", + "SV-213927", + "SV-251040" + ], + "addedControls": { + "SV-213913": { + "tags": { + "check_id": "C-15131r952219_chk", + "severity": "medium", + "gid": "V-213913", + "rid": "SV-213913r952219_rule", + "stig_id": "SQL6-D0-001800", + "gtitle": "SRG-APP-000231-DB-000154", + "fix_id": "F-15129r951656_fix", + "documentable": false, + "legacy": [ + "SV-93795", + "V-79089" + ], + "cci": [ + "CCI-001199" + ], + "nist": [ + "SC-28" + ] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "id": "SV-213913", + "title": "The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.", + "desc": "Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.", + "impact": 0.5, + "descs": { + "check": "If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.\n\nReview procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. \n\nIf the procedures or evidence does not exist, this is a finding. \n\nIf the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. 
\n\nIf procedures do not indicate access restrictions to the Certificate backup, this is a finding.", + "fix": "Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.\n\nBACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' \nWITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); \n\nAs this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text." + } + } + }, + "changedControls": { + "SV-213900": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213901": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213902": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213903": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213904": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213905": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.", + "impact": 0.5, + "descs": {} + }, + "SV-213906": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213907": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213908": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213909": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213910": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213911": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213912": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. 
Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account.", + "impact": 0.5, + "descs": {} + }, + "SV-213914": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213915": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213916": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213917": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213918": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213919": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213920": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213921": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213922": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213923": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213924": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213926": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). 
\n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.", + "impact": 0.5, + "descs": {} + }, + "SV-213927": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-251040": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + } + } + }, + "rawDiff": { + "addedControlIDs": [ + "SV-213913" + ], + "removedControlIDs": [], + "renamedControlIDs": {}, + "changedControlIDs": [ + "SV-213900", + "SV-213901", + "SV-213902", + "SV-213903", + "SV-213904", + "SV-213905", + "SV-213906", + "SV-213907", + "SV-213908", + "SV-213909", + "SV-213910", + "SV-213911", + "SV-213912", + "SV-213914", + "SV-213915", + "SV-213916", + "SV-213917", + "SV-213918", + "SV-213919", + "SV-213920", + "SV-213921", + "SV-213922", + "SV-213923", + "SV-213924", + "SV-213926", + "SV-213927", + "SV-251040" + ], + "addedControls": { + "SV-213913": { + "tags": { + "check_id": "C-15131r952219_chk", + "severity": "medium", + "gid": "V-213913", + "rid": "SV-213913r952219_rule", + "stig_id": "SQL6-D0-001800", + "gtitle": "SRG-APP-000231-DB-000154", + "fix_id": "F-15129r951656_fix", + "documentable": false, + "legacy": [ + "SV-93795", + "V-79089" + ], + "cci": [ + "CCI-001199" + ], + "nist": [ + "SC-28" + ] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "id": "SV-213913", + "title": "The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.", + "desc": "Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. 
Not having this key can lead to loss of data during recovery.", + "impact": 0.5, + "descs": { + "check": "If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.\n\nReview procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. \n\nIf the procedures or evidence does not exist, this is a finding. \n\nIf the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. \n\nIf procedures do not indicate access restrictions to the Certificate backup, this is a finding.", + "fix": "Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.\n\nBACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' \nWITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); \n\nAs this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text." + } + } + }, + "changedControls": { + "SV-213900": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. 
Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization.\n\nA comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. \n\nExamples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in noncentralized account stores, such as multiple servers. Account management functions can also include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage.\n\nSQL Server must be configured to automatically utilize organization-level account management functions, and these functions must immediately enforce the organization's current account policy. \n\nAutomation may be comprised of differing technologies that when placed together, contain an overall mechanism supporting an organization's automated account management requirements." 
+ } + }, + "SV-213901": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81847" + ], + [ + "-", + "V-67357" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. \n\nSuccessful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. \n\nThis requirement is applicable to access control enforcement applications, a category that includes database management systems. 
If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy." + } + }, + "SV-213902": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring the DBMS's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, shared account.\n\nIf the computer account of a remote computer is granted access to a SQL Server database, any service or scheduled task running as NT AUTHORITY\\SYSTEM or NT AUTHORITY\\NETWORK SERVICE can log into the instance and perform actions. These actions cannot be traced back to a specific user or process." 
+ } + }, + "SV-213903": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database. \n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring SQL Server's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to SQL Server, even where the application connects to SQL Server with a standard, shared account. \n\nApplications should use temporal tables to track the changes and history of sensitive data." + } + }, + "SV-213904": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. 
\n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nSQL Server provides the ability for high privileged accounts to impersonate users in a database using the TRUSTWORTHY feature. This will allow members of the fixed database role to impersonate any user within the database." + } + }, + "SV-213905": { + "describe__deleted": " if input('server_audit_at_database_level_required')\n impact 0.5\n else\n impact 0.0\n desc 'Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)'\n end\n\n approved_audit_maintainers = input('approved_audit_maintainers')\n\n # The query in check-text is assumes the presence of STIG schema as supplied with\n # the STIG supplemental. The below query ( partially taken from 2016 MSSQL STIG)\n # will work without STIG supplemental schema.\n\n query = %{\n SELECT DPE.PERMISSION_NAME AS 'PERMISSION',\n DPM.NAME AS 'ROLE MEMBER',\n DPR.NAME AS 'ROLE NAME'\n FROM SYS.DATABASE_ROLE_MEMBERS DRM\n JOIN SYS.DATABASE_PERMISSIONS DPE\n ON DRM.ROLE_PRINCIPAL_ID = DPE.GRANTEE_PRINCIPAL_ID\n JOIN SYS.DATABASE_PRINCIPALS DPR\n ON DRM.ROLE_PRINCIPAL_ID = DPR.PRINCIPAL_ID\n JOIN SYS.DATABASE_PRINCIPALS DPM\n ON DRM.MEMBER_PRINCIPAL_ID = DPM.PRINCIPAL_ID\n WHERE DPE.PERMISSION_NAME IN ( 'CONTROL', 'ALTER ANY DATABASE AUDIT' )\n OR DPM.NAME IN ('db_owner')\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'List of approved audit maintainers' do\n subject { sql_session.query(query).column('role member').uniq }\n it { should match_array approved_audit_maintainers }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81851" + ], + [ + "-", + "V-67361" + ], + [ + " " + ], + [ + 
" " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)", + "__new": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)" + } + }, + "SV-213906": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." 
+ } + }, + "SV-213907": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." + } + }, + "SV-213908": { + "describe__deleted": " # The query in check text is assumes the presence of STIG schema as supplied\n # with the STIG supplemental. The below query ( taken from 2016 MSSQL STIG)\n # will work without STIG supplemental schema.\n\n query = %{\n ;WITH OBJECTS_CTE\n AS (SELECT O.NAME,\n O.TYPE_DESC,\n CASE\n WHEN O.PRINCIPAL_ID IS NULL THEN S.PRINCIPAL_ID\n ELSE O.PRINCIPAL_ID\n END AS PRINCIPAL_ID\n FROM SYS.OBJECTS O\n INNER JOIN SYS.SCHEMAS S\n ON O.SCHEMA_ID = S.SCHEMA_ID\n WHERE O.IS_MS_SHIPPED = 0)\n SELECT CTE.NAME,\n CTE.TYPE_DESC,\n DP.NAME AS OBJECTOWNER\n FROM OBJECTS_CTE CTE\n INNER JOIN SYS.DATABASE_PRINCIPALS DP\n ON CTE.PRINCIPAL_ID = DP.PRINCIPAL_ID\n ORDER BY DP.NAME,\n CTE.NAME\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe \"Authorized users for Database: #{input('db_name')}\" do\n subject { sql_session.query(query).column('objectowner').uniq }\n it { should cmp input('authorized_principals') }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + 
"legacy": [ + [ + "-", + "SV-81861" + ], + [ + "-", + "V-67371" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.\n\nConversely, if critical tables or other objects in SQL Server rely on unauthorized owner accounts, these objects may be lost when an account is removed." + } + }, + "SV-213909": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If SQL Server were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." 
+ } + }, + "SV-213910": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. In the event of a system failure, SQL Server must be able to bring the database back to a consistent state." + } + }, + "SV-213911": { + "describe__deleted": " query = %{\n SELECT\n COUNT(credential_id) AS count_of_ids\n FROM\n [master].sys.master_key_passwords\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'Count of `Database Master Key passwords` stored in credentials within the database' do\n subject { sql_session.query(query).row(0).column('count_of_ids') }\n its('value') { should cmp 0 }\n end ", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, then the confidentiality of all data encrypted using that key is at risk." 
+ } + }, + "SV-213912": { + "describe__deleted": " query = %(\n SELECT NAME\n FROM [master].sys.databases\n WHERE is_master_key_encrypted_by_server = 1\n AND owner_sid <> 1\n AND state = 0\n AND name = '#{input('db_name')}';\n )\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n results = sql_session.query(query)\n\n if results.empty?\n impact 0.0\n desc 'No databases require encryption hence this is not a finding'\n end\n\n describe 'The following checks must be performed manually' do\n skip \"The following checks must be performed manually:\n For the database #{results.column('name')} verify in the System Security\n Plan that encryption of the Database Master Key using the Service Master Key\n is acceptable and approved by the Information Owner, and the encrypted data\n does not require additional protections to deter or detect DBA access.\n If not approved, this is a finding.\n\n If approved and additional protections are required, then verify the additional\n requirements are in place in accordance with the System Security Plan. These\n may include additional auditing on access of the Database Master Key with\n alerts or other automated monitoring.\n\n If the additional requirements are not in place, this is a finding.\"\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81871" + ], + [ + "-", + "V-67381" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "No databases require encryption hence this is not a finding", + "__new": "When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. 
Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "No databases require encryption hence this is not a finding", + "check": { + "__old": "If no databases require encryption, this is not a finding.\n\nFrom the query prompt:\nSELECT name\nFROM [master].sys.databases\nWHERE is_master_key_encrypted_by_server = 1\nAND owner_sid <> 1\nAND state = 0;\n(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.)\n\nIf no databases are returned by the query, this is not a finding.\n\nFor any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding.\n\nIf approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring.\n\nIf the additional requirements are not in place, this is a finding.", + "__new": "If no databases require encryption, this is not a finding. 
\n\nFrom the query prompt: \n\nSELECT name \nFROM [master].sys.databases \nWHERE is_master_key_encrypted_by_server = 1 \nAND owner_sid <> 1 \nAND state = 0; \n(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.) \n\nIf no databases are returned by the query, this is not a finding. \n\nFor any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding. \n\nIf approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring. \n\nIf the additional requirements are not in place, this is a finding." + }, + "fix": { + "__old": "Where possible, encrypt the Database Master Key with a password known only to the application administrator. Where not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data.", + "__new": "Where possible, encrypt the Database Master Key with a password known only to the application administrator.\n\nWhere not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data." 
+ } + } + }, + "SV-213914": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. \n\nSecurity functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.\n\nDevelopers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. \n\nDatabase Management Systems typically separate security functionality from non-security functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and non-security functionality are commingled, users who have access to non-security functionality may be able to access security functionality." + } + }, + "SV-213915": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81879" + ], + [ + "-", + "V-67389" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. 
\n\nData used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location without the proper controls." + } + }, + "SV-213916": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81881" + ], + [ + "-", + "V-67391" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.\n\nWith respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nEven when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. 
Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.", + "check": { + "__old": "Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.\n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding.\n\nIf column/field definitions are not reflective of the data, this is a finding.\n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding.\n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.\n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.", + "__new": "Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid 
input. \n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding. \n\nIf column/field definitions are not reflective of the data, this is a finding. \n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding. \n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding. \n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding." + } + } + }, + "SV-213917": { + "describe__deleted": " # The below query was taken from 2016 MSSQL STIG\n\n query = %{\n DBCC\n TRACESTATUS (3625, -1)\n GO\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'TRACEFLAG 3625' do\n subject { sql_session.query(query).rows[0] }\n its('status') { should cmp 1 }\n its('global') { should cmp 1 }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81887" + ], + [ + "-", + "V-67397" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.\n\nDatabases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. 
In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system.\n\nCarefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers." + } + }, + "SV-213918": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81891" + ], + [ + "-", + "V-67401" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the 
database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213919": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81893" + ], + [ + "-", + "V-67403" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are 
typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213920": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81895" + ], + [ + "-", + "V-67405" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., 
subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213921": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled table permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. 
Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. \n\nA subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. \n\nThe policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control." + } + }, + "SV-213922": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.\n\nPrivilege elevation must be utilized only where necessary and protected from misuse." 
+ } + }, + "SV-213923": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.\n\nDBMS functionality and the nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research.\n\nSQL Server must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization). \n\nIn the case of a database management system, this requirement covers stored procedures, functions, triggers, views, etc." + } + }, + "SV-213924": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. 
\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications." + } + }, + "SV-213926": { + "describe__deleted": " data_at_rest_encryption_required = input('data_at_rest_encryption_required')\n\n query = %{\n SELECT\n d.name AS [Database Name],\n CASE e.encryption_state\n WHEN 0 THEN 'No database encryption key present, no encryption'\n WHEN 1 THEN 'Unencrypted'\n WHEN 2 THEN 'Encryption in progress'\n WHEN 3 THEN 'Encrypted'\n WHEN 4 THEN 'Key change in progress'\n WHEN 5 THEN 'Decryption in progress'\n WHEN 6 THEN 'Protection change in progress'\n END AS [Encryption State]\n FROM sys.dm_database_encryption_keys e\n RIGHT JOIN sys.databases d ON DB_NAME(e.database_id) = d.name\n WHERE d.name IN ('#{input('db_name')}')\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n unless data_at_rest_encryption_required\n impact 0.0\n desc 'If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.'\n end\n\n describe \"Database: #{input('db_name')} encryption state\" do\n subject { sql_session.query(query).column('encryption state').uniq }\n it { should cmp 'Encrypted' }\n end\n\n describe 'The following checks must be performed manually' do\n skip \"The following checks must be performed manually:\n If full-disk encryption is required, and Windows or the storage system is not\n configured for this, this is a finding.\n\n If database transparent data 
encryption (TDE) is called for, check whether it\n is enabled:\n In SQL Server Management Studio, Object Explorer, expand the instance and\n right-click on the database name; select properties. Select the Options page,\n State section, Encryption Enabled parameter.\n\n If the value displayed is False, this is a finding.\n\n If column encryption, done via SQL Server features, is required, review the\n definitions and contents of the relevant tables and columns.\n\n If any of the information defined as requiring cryptographic protection is not\n encrypted in a manner that provides the required level of protection, this is a\n finding.\n\n If table/column encryption and/or a separation between those who own the data\n (and can view it) and those who manage the data (but should have no access) is\n required for PII or similar types of data, use Always Encrypted. The details\n for configuring Always Encrypted are located here:\n https://msdn.microsoft.com/en-us/library/mt163865.aspx.\n\n Review the definitions and contents of the relevant tables/columns for the\n Always Encryption settings, if any of the information defined as requiring\n cryptographic protection is not encrypted this is a finding.\"\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81899" + ], + [ + "-", + "V-67409" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.", + "__new": "DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. 
These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding." + } + }, + "SV-213927": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "SQL Server’s handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides." + } + }, + "SV-251040": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a DBMS with the encryption devices." + } + } + } + } +} \ No newline at end of file diff --git a/src/.vuepress/public/assets/downloads/report b/src/.vuepress/public/assets/downloads/report new file mode 100644 index 000000000..a16403227 --- /dev/null +++ b/src/.vuepress/public/assets/downloads/report @@ -0,0 +1,10483 @@ +## Automatic Update: -> + +### New Controls: ++ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. + + +### Updated Check/Fixes: +#### Checks: +
+ Click to expand. +SV-230262: +Old: +``` +Verify the system-wide shared library files are group-owned by "root" +with the following command: + + $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} +\; + + If any system wide shared library file is returned and is not group-owned +by a required system account, this is a finding. + +``` + +Updated: +``` +Verify the system-wide shared library files are group-owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; + +If any system wide shared library file is returned and is not group-owned by a required system account, this is a finding. + +``` +--- +SV-230379: +Old: +``` +Verify all accounts on the system are assigned to an active system, +application, or user account. + + Obtain the list of authorized system accounts from the Information System +Security Officer (ISSO). + + Check the system accounts on the system with the following command: + + $ sudo more /etc/passwd + + root:x:0:0:root:/root:/bin/bash + bin:x:1:1:bin:/bin:/sbin/nologin + daemon:x:2:2:daemon:/sbin:/sbin/nologin + sync:x:5:0:sync:/sbin:/bin/sync + shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown + halt:x:7:0:halt:/sbin:/sbin/halt + games:x:12:100:games:/usr/games:/sbin/nologin + gopher:x:13:30:gopher:/var/gopher:/sbin/nologin + + Accounts such as "games" and "gopher" are not authorized accounts as +they do not support authorized system functions. + + If the accounts on the system do not match the provided documentation, or +accounts that do not support an authorized system function are present, this is +a finding. + +``` + +Updated: +``` +Verify that there are no unauthorized interactive user accounts with the following command: + +$ less /etc/passwd + +root:x:0:0:root:/root:/bin/bash +... 
+games:x:12:100:games:/usr/games:/sbin/nologin +scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash +djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash + +Interactive user account, generally will have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell. + +Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system. + +If there are unauthorized local user accounts on the system, this is a finding. + +``` +--- +SV-230470: +Old: +``` +Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the +following commands: + + Note: If the USBGuard daemon is not installed and enabled, this requirement +is not applicable. + + $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf + + AuditBackend=LinuxAudit + + If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or +the line is commented out, this is a finding. + +``` + +Updated: +``` +Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: + +Note: If the USBGuard daemon is not installed and enabled, this requirement is Not Applicable. + +$ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf + +AuditBackend=LinuxAudit + +If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or the line is commented out, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-230524: +Old: +``` +Verify the USBGuard has a policy configured with the following command: + + $ sudo usbguard list-rules + + If the command does not return results or an error is returned, ask the SA +to indicate how unauthorized peripherals are being blocked. 
+ + If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify the USBGuard has a policy configured with the following command: + +$ sudo usbguard list-rules + +If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-230548: +Old: +``` +Verify RHEL 8 disables the use of user namespaces with the following commands: + +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +$ sudo sysctl user.max_user_namespaces + +user.max_user_namespaces = 0 + +If the returned line does not have a value of "0", or a line is not returned, this is a finding. + +Check that the configuration files are present to enable this network parameter. + +$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + +/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + +If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding. 
+ +``` + +Updated: +``` +Verify RHEL 8 disables the use of user namespaces with the following commands: + +$ sudo sysctl user.max_user_namespaces + +user.max_user_namespaces = 0 + +If the returned line does not have a value of "0", or a line is not returned, this is a finding. + +Check that the configuration files are present to enable this network parameter. + +$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + +/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + +If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding. + +If the use of namespaces is operationally required and documented with the ISSM, it is not a finding. + +``` +--- +SV-230559: +Old: +``` +Verify the gssproxy package has not been installed on the system with the +following commands: + + $ sudo yum list installed gssproxy + + gssproxy.x86_64 +0.8.0-14.el8 @anaconda + + If the gssproxy package is installed and is not documented with the +Information System Security Officer (ISSO) as an operational requirement, this +is a finding. + +``` + +Updated: +``` +Verify the gssproxy package has not been installed on the system with the following commands: + +$ sudo yum list installed gssproxy + +gssproxy.x86_64 0.8.0-14.el8 @anaconda + +If the gssproxy package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. + +If NFS mounts are being used, this is not a finding. + +``` +--- +SV-244527: +Old: +``` +Check that RHEL 8 has the packages required to enabled the hardware random +number generator entropy gatherer service with the following command: + + $ sudo yum list installed rng-tools + + rng-tools.x86_64 6.8-3.el8 +@anaconda + + If the "rng-tools" package is not installed, this is a finding. 
+ +``` + +Updated: +``` +Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable. + +Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: + +$ sudo yum list installed rng-tools + +rng-tools.x86_64 6.8-3.el8 @anaconda + +If the "rng-tools" package is not installed, this is a finding. + +``` +--- +SV-244547: +Old: +``` +Verify USBGuard is installed on the operating system with the following +command: + + $ sudo yum list installed usbguard + + Installed Packages + usbguard.x86_64 0.7.8-7.el8 @ol8_appstream + + If the USBGuard package is not installed, ask the SA to indicate how +unauthorized peripherals are being blocked. + If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify USBGuard is installed on the operating system with the following command: + +$ sudo yum list installed usbguard + +Installed Packages +usbguard.x86_64 0.7.8-7.el8 @ol8_appstream + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-244548: +Old: +``` +Verify the operating system has enabled the use of the USBGuard with the +following command: + + $ sudo systemctl status usbguard.service + + usbguard.service - USBGuard daemon + Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor +preset: disabled) + Active: active (running) + + If the usbguard.service is not enabled and active, ask the SA to indicate +how unauthorized peripherals are being blocked. 
+ If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify the operating system has enabled the use of the USBGuard with the following command: + +$ sudo systemctl status usbguard.service + +usbguard.service - USBGuard daemon +Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled) +Active: active (running) + +If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-257258: +Old: +``` +Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command: + + $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf + + StopIdleSessionSec=900 + +If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding. + +``` + +Updated: +``` +Note: This requirement applies to RHEL versions 8.7 and higher. If the system is not RHEL version 8.7 or newer, this requirement is not applicable. + +Verify that RHEL 8 logs out sessions that are idle for 10 minutes with the following command: + +$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf + +StopIdleSessionSec=600 + +If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding. + +``` +--- +
+ +#### Fixes: +
+ Click to expand. +SV-230379: +Old: +``` +Configure the system so all accounts on the system are assigned to an +active system, application, or user account. + + Remove accounts that do not support approved system activities or that +allow for a normal user to perform administrative-level actions. + + Document all authorized accounts on the system. + +``` +New: +``` +Remove unauthorized local interactive user accounts with the following command where is the unauthorized account: + +$ sudo userdel + +``` +--- +SV-230548: +Old: +``` +Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +user.max_user_namespaces = 0 + +Remove any configurations that conflict with the above from the following locations: +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf +/etc/sysctl.d/*.conf + +The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --system + +``` +New: +``` +Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + +user.max_user_namespaces = 0 + +Remove any configurations that conflict with the above from the following locations: +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf +/etc/sysctl.d/*.conf + +The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +$ sudo sysctl --system + +``` +--- +SV-257258: +Old: +``` +Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: + + StopIdleSessionSec=900 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + + $ sudo systemctl restart systemd-logind + +Note: To preserve running user programs such as tmux, uncomment and/or edit "KillUserProccesses=no" in "/etc/systemd/logind.conf". + +``` +New: +``` +Configure RHEL 8 to log out idle sessions after 10 minutes by editing the /etc/systemd/logind.conf file with the following line: + +StopIdleSessionSec=600 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + +$ sudo systemctl restart systemd-logind + +``` +--- +
+ +### Updated Impacts +
+ Click to expand. +SV-230223: +Old: 0 +New: 0.7 +--- +SV-230224: +Old: 0 +New: 0.5 +--- +SV-230230: +Old: 0 +New: 0.5 +--- +SV-230234: +Old: 0 +New: 0.7 +--- +SV-230235: +Old: 0 +New: 0.7 +--- +SV-230238: +Old: 0 +New: 0.5 +--- +SV-230239: +Old: 0 +New: 0.5 +--- +SV-230244: +Old: 0 +New: 0.5 +--- +SV-230273: +Old: 0 +New: 0.5 +--- +SV-230275: +Old: 0 +New: 0.5 +--- +SV-230285: +Old: 0 +New: 0.3 +--- +SV-230300: +Old: 0 +New: 0.5 +--- +SV-230328: +Old: 0 +New: 0.5 +--- +SV-230329: +Old: 0 +New: 0.7 +--- +SV-230332: +Old: 0 +New: 0.5 +--- +SV-230347: +Old: 0 +New: 0.5 +--- +SV-230351: +Old: 0 +New: 0.5 +--- +SV-230352: +Old: 0 +New: 0.5 +--- +SV-230354: +Old: 0 +New: 0.5 +--- +SV-230376: +Old: 0 +New: 0.5 +--- +SV-230380: +Old: 0 +New: 0.7 +--- +SV-230382: +Old: 0 +New: 0.5 +--- +SV-230385: +Old: 0.7 +New: 0.5 +--- +SV-230493: +Old: 0 +New: 0.5 +--- +SV-230502: +Old: 0 +New: 0.5 +--- +SV-230506: +Old: 0 +New: 0.5 +--- +SV-230507: +Old: 0 +New: 0.5 +--- +SV-230523: +Old: 0 +New: 0.5 +--- +SV-230530: +Old: 0 +New: 0.7 +--- +SV-230535: +Old: 0 +New: 0.5 +--- +SV-230536: +Old: 0 +New: 0.5 +--- +SV-230537: +Old: 0 +New: 0.5 +--- +SV-230538: +Old: 0 +New: 0.5 +--- +SV-230539: +Old: 0 +New: 0.5 +--- +SV-230540: +Old: 0 +New: 0.5 +--- +SV-230541: +Old: 0 +New: 0.5 +--- +SV-230542: +Old: 0 +New: 0.5 +--- +SV-230543: +Old: 0 +New: 0.5 +--- +SV-230544: +Old: 0 +New: 0.5 +--- +SV-230545: +Old: 0 +New: 0.5 +--- +SV-230546: +Old: 0 +New: 0.5 +--- +SV-230547: +Old: 0 +New: 0.5 +--- +SV-230548: +Old: 0 +New: 0.5 +--- +SV-230549: +Old: 0 +New: 0.5 +--- +SV-230550: +Old: 0 +New: 0.5 +--- +SV-230557: +Old: 0 +New: 0.5 +--- +SV-237640: +Old: 0 +New: 0.5 +--- +SV-244519: +Old: 0 +New: 0.5 +--- +SV-244521: +Old: 0 +New: 0.5 +--- +SV-244522: +Old: 0 +New: 0.5 +--- +SV-244530: +Old: 0 +New: 0.5 +--- +SV-244535: +Old: 0 +New: 0.5 +--- +SV-244536: +Old: 0 +New: 0.5 +--- +SV-244538: +Old: 0 +New: 0.5 +--- +SV-244539: +Old: 0 +New: 0.5 +--- +SV-244545: +Old: 0 +New: 0.5 +--- +SV-244546: +Old: 
0 +New: 0.5 +--- +SV-244550: +Old: 0 +New: 0.5 +--- +SV-244551: +Old: 0 +New: 0.5 +--- +SV-244552: +Old: 0 +New: 0.5 +--- +SV-244553: +Old: 0 +New: 0.5 +--- +SV-244554: +Old: 0 +New: 0.5 +--- +SV-250315: +Old: 0 +New: 0.5 +--- +SV-250317: +Old: 0 +New: 0.5 +--- +SV-251710: +Old: 0 +New: 0.5 +--- +SV-251711: +Old: 0 +New: 0.5 +--- +SV-251712: +Old: 0 +New: 0.5 +--- +SV-251718: +Old: 0 +New: 0.5 +--- +
+ +### Updated Titles +
+ Click to expand. +SV-230226: +Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent +Banner before granting local or remote access to the system via a graphical +user logon. +New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. +--- +SV-230227: +Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent +Banner before granting local or remote access to the system via a command line +user logon. +New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. +--- +SV-230229: +Old: RHEL 8, for PKI-based authentication, must validate certificates by +constructing a certification path (which includes status information) to an +accepted trust anchor. +New: RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. +--- +SV-230230: +Old: RHEL 8, for certificate-based authentication, must enforce authorized +access to the corresponding private key. +New: RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. +--- +SV-230231: +Old: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved +cryptographic hashing algorithm. +New: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. +--- +SV-230232: +Old: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing +algorithms for all stored passwords. +New: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. +--- +SV-230234: +Old: RHEL 8 operating systems booted with United Extensible Firmware +Interface (UEFI) must require authentication upon booting into single-user mode +and maintenance. 
+New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. +--- +SV-230235: +Old: RHEL 8 operating systems booted with a BIOS must require +authentication upon booting into single-user and maintenance modes. +New: RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. +--- +SV-230236: +Old: RHEL 8 operating systems must require authentication upon booting into +rescue mode. +New: RHEL 8 operating systems must require authentication upon booting into rescue mode. +--- +SV-230237: +Old: The RHEL 8 pam_unix.so module must be configured in the password-auth +file to use a FIPS 140-2 approved cryptographic hashing algorithm for system +authentication. +New: The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. +--- +SV-230238: +Old: RHEL 8 must prevent system daemons from using Kerberos for +authentication. +New: RHEL 8 must prevent system daemons from using Kerberos for authentication. +--- +SV-230240: +Old: RHEL 8 must use a Linux Security Module configured to enforce limits +on system services. +New: RHEL 8 must use a Linux Security Module configured to enforce limits on system services. +--- +SV-230243: +Old: A sticky bit must be set on all RHEL 8 public directories to prevent +unauthorized and unintended information transferred via shared system +resources. +New: A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. +--- +SV-230245: +Old: The RHEL 8 /var/log/messages file must have mode 0640 or less +permissive. +New: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive. 
+---
+SV-230252:
+Old: The RHEL 8 operating system must implement DoD-approved encryption to
+protect the confidentiality of SSH server connections.
+New: The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.
+---
+SV-230254:
+Old: The RHEL 8 operating system must implement DoD-approved encryption in
+the OpenSSL package.
+New: The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
+---
+SV-230255:
+Old: The RHEL 8 operating system must implement DoD-approved TLS encryption
+in the OpenSSL package.
+New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
+---
+SV-230256:
+Old: The RHEL 8 operating system must implement DoD-approved TLS encryption
+in the GnuTLS package.
+New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.
+---
+SV-230259:
+Old: RHEL 8 system commands must be group-owned by root or a system
+account.
+New: RHEL 8 system commands must be group-owned by root or a system account.
+---
+SV-230263:
+Old: The RHEL 8 file integrity tool must notify the system administrator
+when changes to the baseline configuration or anomalies in the operation of any
+security functions are discovered within an organizationally defined frequency.
+New: The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
+---
+SV-230264:
+Old: RHEL 8 must prevent the installation of software, patches, service
+packs, device drivers, or operating system components from a repository without
+verification they have been digitally signed using a certificate that is issued
+by a Certificate Authority (CA) that is recognized and approved by the
+organization.
+New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
+---
+SV-230265:
+Old: RHEL 8 must prevent the installation of software, patches, service
+packs, device drivers, or operating system components of local packages without
+verification they have been digitally signed using a certificate that is issued
+by a Certificate Authority (CA) that is recognized and approved by the
+organization.
+New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
+---
+SV-230267:
+Old: RHEL 8 must enable kernel parameters to enforce discretionary access
+control on symlinks.
+New: RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.
+---
+SV-230271:
+Old: RHEL 8 must require users to provide a password for privilege
+escalation.
+New: RHEL 8 must require users to provide a password for privilege escalation.
+---
+SV-230273:
+Old: RHEL 8 must have the packages required for multifactor authentication
+ installed.
+New: RHEL 8 must have the packages required for multifactor authentication installed.
+---
+SV-230276:
+Old: RHEL 8 must implement non-executable data to protect its memory from
+unauthorized code execution.
+New: RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution.
+---
+SV-230277:
+Old: RHEL 8 must clear the page allocator to prevent use-after-free
+attacks.
+New: RHEL 8 must clear the page allocator to prevent use-after-free attacks.
+---
+SV-230280:
+Old: RHEL 8 must implement address space layout randomization (ASLR) to
+protect its memory from unauthorized code execution.
+New: RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
+---
+SV-230281:
+Old: YUM must remove all software components after updated versions have
+been installed on RHEL 8.
+New: YUM must remove all software components after updated versions have been installed on RHEL 8.
+---
+SV-230285:
+Old: RHEL 8 must enable the hardware random number generator entropy
+gatherer service.
+New: RHEL 8 must enable the hardware random number generator entropy gatherer service.
+---
+SV-230286:
+Old: The RHEL 8 SSH public host key files must have mode 0644 or less
+permissive.
+New: The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
+---
+SV-230288:
+Old: The RHEL 8 SSH daemon must perform strict mode checking of home
+directory configuration files.
+New: The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
+---
+SV-230290:
+Old: The RHEL 8 SSH daemon must not allow authentication using known host’s
+authentication.
+New: The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
+---
+SV-230291:
+Old: The RHEL 8 SSH daemon must not allow Kerberos authentication, except
+to fulfill documented and validated mission requirements.
+New: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
+---
+SV-230296:
+Old: RHEL 8 must not permit direct logons to the root account using remote
+access via SSH.
+New: RHEL 8 must not permit direct logons to the root account using remote access via SSH.
+---
+SV-230299:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on file systems that contain user home directories.
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
+---
+SV-230300:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on the /boot directory.
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
+---
+SV-230302:
+Old: RHEL 8 must prevent code from being executed on file systems that
+contain user home directories.
+New: RHEL 8 must prevent code from being executed on file systems that contain user home directories.
+---
+SV-230303:
+Old: RHEL 8 must prevent special devices on file systems that are used with
+removable media.
+New: RHEL 8 must prevent special devices on file systems that are used with removable media.
+---
+SV-230304:
+Old: RHEL 8 must prevent code from being executed on file systems that are
+used with removable media.
+New: RHEL 8 must prevent code from being executed on file systems that are used with removable media.
+---
+SV-230305:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on file systems that are used with removable media.
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
+---
+SV-230306:
+Old: RHEL 8 must prevent code from being executed on file systems that are
+imported via Network File System (NFS).
+New: RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
+---
+SV-230307:
+Old: RHEL 8 must prevent special devices on file systems that are imported
+via Network File System (NFS).
+New: RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
+---
+SV-230308:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on file systems that are imported via Network File System (NFS).
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
+---
+SV-230309:
+Old: Local RHEL 8 initialization files must not execute world-writable
+programs.
+New: Local RHEL 8 initialization files must not execute world-writable programs.
+---
+SV-230316:
+Old: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at
+least two name servers must be configured.
+New: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
+---
+SV-230317:
+Old: Executable search paths within the initialization files of all local
+interactive RHEL 8 users must only contain paths that resolve to the system
+default or the users home directory.
+New: Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
+---
+SV-230318:
+Old: All RHEL 8 world-writable directories must be owned by root, sys, bin,
+or an application user.
+New: All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
+---
+SV-230319:
+Old: All RHEL 8 world-writable directories must be group-owned by root,
+sys, bin, or an application group.
+New: All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
+---
+SV-230320:
+Old: All RHEL 8 local interactive users must have a home directory assigned
+in the /etc/passwd file.
+New: All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
+---
+SV-230321:
+Old: All RHEL 8 local interactive user home directories must have mode 0750
+or less permissive.
+New: All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
+---
+SV-230322:
+Old: All RHEL 8 local interactive user home directories must be group-owned
+by the home directory owner’s primary group.
+New: All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
+---
+SV-230323:
+Old: All RHEL 8 local interactive user home directories defined in the
+/etc/passwd file must exist.
+New: All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
+---
+SV-230324:
+Old: All RHEL 8 local interactive user accounts must be assigned a home
+directory upon creation.
+New: All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
+---
+SV-230325:
+Old: All RHEL 8 local initialization files must have mode 0740 or less
+permissive.
+New: All RHEL 8 local initialization files must have mode 0740 or less permissive.
+---
+SV-230328:
+Old: A separate RHEL 8 filesystem must be used for user home directories
+(such as /home or an equivalent).
+New: A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
+---
+SV-230329:
+Old: Unattended or automatic logon via the RHEL 8 graphical user interface
+must not be allowed.
+New: Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
+---
+SV-230331:
+Old: RHEL 8 temporary user accounts must be provisioned with an expiration
+time of 72 hours or less.
+New: RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.
+---
+SV-230332:
+Old: RHEL 8 must automatically lock an account when three unsuccessful
+logon attempts occur.
+New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
+---
+SV-230333:
+Old: RHEL 8 must automatically lock an account when three unsuccessful
+logon attempts occur.
+New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
+---
+SV-230334:
+Old: RHEL 8 must automatically lock an account when three unsuccessful
+logon attempts occur during a 15-minute time period.
+New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230335:
+Old: RHEL 8 must automatically lock an account when three unsuccessful
+logon attempts occur during a 15-minute time period.
+New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230336:
+Old: RHEL 8 must automatically lock an account until the locked account is
+released by an administrator when three unsuccessful logon attempts occur
+during a 15-minute time period.
+New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230337:
+Old: RHEL 8 must automatically lock an account until the locked account is
+released by an administrator when three unsuccessful logon attempts occur
+during a 15-minute time period.
+New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230340:
+Old: RHEL 8 must prevent system messages from being presented when three
+unsuccessful logon attempts occur.
+New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
+---
+SV-230341:
+Old: RHEL 8 must prevent system messages from being presented when three
+unsuccessful logon attempts occur.
+New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
+---
+SV-230342:
+Old: RHEL 8 must log user name information when unsuccessful logon attempts
+occur.
+New: RHEL 8 must log user name information when unsuccessful logon attempts occur.
+---
+SV-230343:
+Old: RHEL 8 must log user name information when unsuccessful logon attempts
+occur.
+New: RHEL 8 must log user name information when unsuccessful logon attempts occur.
+---
+SV-230344:
+Old: RHEL 8 must include root when automatically locking an account until
+the locked account is released by an administrator when three unsuccessful
+logon attempts occur during a 15-minute time period.
+New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230345:
+Old: RHEL 8 must include root when automatically locking an account until
+the locked account is released by an administrator when three unsuccessful
+logon attempts occur during a 15-minute time period.
+New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230346:
+Old: RHEL 8 must limit the number of concurrent sessions to ten for all
+accounts and/or account types.
+New: RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
+---
+SV-230347:
+Old: RHEL 8 must enable a user session lock until that user re-establishes
+access using established identification and authentication procedures for
+graphical user sessions.
+New: RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
+---
+SV-230351:
+Old: RHEL 8 must be able to initiate directly a session lock for all
+ connection types using smartcard when the smartcard is removed.
+New: RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.
+---
+SV-230352:
+Old: RHEL 8 must automatically lock graphical user sessions after 15
+minutes of inactivity.
+New: RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.
+---
+SV-230354:
+Old: RHEL 8 must prevent a user from overriding the session lock-delay
+setting for the graphical user interface.
+New: RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
+---
+SV-230355:
+Old: RHEL 8 must map the authenticated identity to the user or group
+account for PKI-based authentication.
+New: RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.
+---
+SV-230357:
+Old: RHEL 8 must enforce password complexity by requiring that at least one
+uppercase character be used.
+New: RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
+---
+SV-230358:
+Old: RHEL 8 must enforce password complexity by requiring that at least one
+lower-case character be used.
+New: RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.
+---
+SV-230359:
+Old: RHEL 8 must enforce password complexity by requiring that at least one
+numeric character be used.
+New: RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.
+---
+SV-230360:
+Old: RHEL 8 must require the maximum number of repeating characters of the
+same character class be limited to four when passwords are changed.
+New: RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
+---
+SV-230361:
+Old: RHEL 8 must require the maximum number of repeating characters be
+limited to three when passwords are changed.
+New: RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
+---
+SV-230363:
+Old: RHEL 8 must require the change of at least 8 characters when passwords
+are changed.
+New: RHEL 8 must require the change of at least 8 characters when passwords are changed.
+---
+SV-230364:
+Old: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime
+restriction in /etc/shadow.
+New: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
+---
+SV-230366:
+Old: RHEL 8 user account passwords must have a 60-day maximum password
+lifetime restriction.
+New: RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction.
+---
+SV-230367:
+Old: RHEL 8 user account passwords must be configured so that existing
+passwords are restricted to a 60-day maximum lifetime.
+New: RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
+---
+SV-230372:
+Old: RHEL 8 must implement smart card logon for multifactor authentication
+for access to interactive accounts.
+New: RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.
+---
+SV-230373:
+Old: RHEL 8 account identifiers (individuals, groups, roles, and devices)
+ must be disabled after 35 days of inactivity.
+New: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.
+---
+SV-230378:
+Old: RHEL 8 must enforce a delay of at least four seconds between logon
+prompts following a failed logon attempt.
+New: RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
+---
+SV-230380:
+Old: RHEL 8 must not allow accounts configured with blank or null
+passwords.
+New: RHEL 8 must not allow accounts configured with blank or null passwords.
+---
+SV-230381:
+Old: RHEL 8 must display the date and time of the last successful account
+logon upon logon.
+New: RHEL 8 must display the date and time of the last successful account logon upon logon.
+---
+SV-230382:
+Old: RHEL 8 must display the date and time of the last successful account
+logon upon an SSH logon.
+New: RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
+---
+SV-230383:
+Old: RHEL 8 must define default permissions for all authenticated users in
+such a way that the user can only read and modify their own files.
+New: RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
+---
+SV-230384:
+Old: RHEL 8 must set the umask value to 077 for all local interactive user
+accounts.
+New: RHEL 8 must set the umask value to 077 for all local interactive user accounts.
+---
+SV-230386:
+Old: The RHEL 8 audit system must be configured to audit the execution of
+privileged functions and prevent all software from executing at higher
+privilege levels than users executing the software.
+New: The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
+---
+SV-230388:
+Old: The RHEL 8 System Administrator (SA) and Information System Security
+Officer (ISSO) (at a minimum) must be alerted of an audit processing failure
+event.
+New: The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
+---
+SV-230389:
+Old: The RHEL 8 Information System Security Officer (ISSO) and System
+Administrator (SA) (at a minimum) must have mail aliases to be notified of an
+audit processing failure.
+New: The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.
+---
+SV-230390:
+Old: The RHEL 8 System must take appropriate action when an audit
+processing failure occurs.
+New: The RHEL 8 System must take appropriate action when an audit processing failure occurs.
+---
+SV-230392:
+Old: The RHEL 8 audit system must take appropriate action when the audit
+storage volume is full.
+New: The RHEL 8 audit system must take appropriate action when the audit storage volume is full.
+---
+SV-230394:
+Old: RHEL 8 must label all off-loaded audit logs before sending them to the
+central log server.
+New: RHEL 8 must label all off-loaded audit logs before sending them to the central log server.
+---
+SV-230396:
+Old: RHEL 8 audit logs must have a mode of 0600 or less permissive to
+prevent unauthorized read access.
+New: RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
+---
+SV-230397:
+Old: RHEL 8 audit logs must be owned by root to prevent unauthorized read
+access.
+New: RHEL 8 audit logs must be owned by root to prevent unauthorized read access.
+---
+SV-230398:
+Old: RHEL 8 audit logs must be group-owned by root to prevent unauthorized
+read access.
+New: RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access.
+---
+SV-230399:
+Old: RHEL 8 audit log directory must be owned by root to prevent
+unauthorized read access.
+New: RHEL 8 audit log directory must be owned by root to prevent unauthorized read access.
+---
+SV-230400:
+Old: RHEL 8 audit log directory must be group-owned by root to prevent
+unauthorized read access.
+New: RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access.
+---
+SV-230401:
+Old: RHEL 8 audit log directory must have a mode of 0700 or less permissive
+to prevent unauthorized read access.
+New: RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
+---
+SV-230402:
+Old: RHEL 8 audit system must protect auditing rules from unauthorized
+change.
+New: RHEL 8 audit system must protect auditing rules from unauthorized change.
+---
+SV-230404:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/shadow.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
+---
+SV-230405:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect
+/etc/security/opasswd.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
+---
+SV-230406:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/passwd.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
+---
+SV-230407:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/gshadow.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
+---
+SV-230408:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/group.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
+---
+SV-230409:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/sudoers.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
+---
+SV-230410:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/sudoers.d/.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/.
+---
+SV-230412:
+Old: Successful/unsuccessful uses of the su command in RHEL 8 must generate
+an audit record.
+New: Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
+---
+SV-230418:
+Old: Successful/unsuccessful uses of the chage command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
+---
+SV-230419:
+Old: Successful/unsuccessful uses of the chcon command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.
+---
+SV-230421:
+Old: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate
+an audit record.
+New: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.
+---
+SV-230422:
+Old: Successful/unsuccessful uses of the passwd command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record.
+---
+SV-230423:
+Old: Successful/unsuccessful uses of the mount command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record.
+---
+SV-230424:
+Old: Successful/unsuccessful uses of the umount command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record.
+---
+SV-230425:
+Old: Successful/unsuccessful uses of the mount syscall in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record.
+---
+SV-230426:
+Old: Successful/unsuccessful uses of the unix_update in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record.
+---
+SV-230427:
+Old: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record.
+---
+SV-230428:
+Old: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record.
+---
+SV-230429:
+Old: Successful/unsuccessful uses of semanage in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record.
+---
+SV-230430:
+Old: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record.
+---
+SV-230431:
+Old: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record.
+---
+SV-230432:
+Old: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record.
+---
+SV-230433:
+Old: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record.
+---
+SV-230434:
+Old: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.
+---
+SV-230435:
+Old: Successful/unsuccessful uses of the setfacl command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record.
+---
+SV-230436:
+Old: Successful/unsuccessful uses of the pam_timestamp_check command in
+RHEL 8 must generate an audit record.
+New: Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record.
+---
+SV-230437:
+Old: Successful/unsuccessful uses of the newgrp command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record.
+---
+SV-230444:
+Old: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.
+---
+SV-230446:
+Old: Successful/unsuccessful uses of the delete_module command in RHEL 8
+must generate an audit record.
+New: Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.
+---
+SV-230447:
+Old: Successful/unsuccessful uses of the crontab command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record.
+---
+SV-230448:
+Old: Successful/unsuccessful uses of the chsh command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record.
+---
+SV-230462:
+Old: Successful/unsuccessful uses of the sudo command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.
+---
+SV-230463:
+Old: Successful/unsuccessful uses of the usermod command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record.
+---
+SV-230464:
+Old: Successful/unsuccessful uses of the chacl command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record.
+---
+SV-230465:
+Old: Successful/unsuccessful uses of the kmod command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record.
+---
+SV-230466:
+Old: Successful/unsuccessful modifications to the faillock log file in RHEL
+8 must generate an audit record.
+New: Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
+---
+SV-230467:
+Old: Successful/unsuccessful modifications to the lastlog file in RHEL 8
+must generate an audit record.
+New: Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.
+---
+SV-230468:
+Old: RHEL 8 must enable auditing of processes that start prior to the audit
+daemon.
+New: RHEL 8 must enable auditing of processes that start prior to the audit daemon.
+---
+SV-230469:
+Old: RHEL 8 must allocate an audit_backlog_limit of sufficient size to
+capture processes that start prior to the audit daemon.
+New: RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
+---
+SV-230471:
+Old: RHEL 8 must allow only the Information System Security Manager (ISSM)
+(or individuals or roles appointed by the ISSM) to select which auditable
+events are to be audited.
+New: RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
+---
+SV-230475:
+Old: RHEL 8 must use cryptographic mechanisms to protect the integrity of
+audit tools.
+New: RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.
+---
+SV-230476:
+Old: RHEL 8 must allocate audit record storage capacity to store at least
+one week of audit records, when audit records are not immediately sent to a
+central audit record storage facility.
+New: RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
+---
+SV-230477:
+Old: RHEL 8 must have the packages required for offloading audit logs
+installed.
+New: RHEL 8 must have the packages required for offloading audit logs installed.
+---
+SV-230478:
+Old: RHEL 8 must have the packages required for encrypting offloaded audit
+logs installed.
+New: RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
+---
+SV-230479:
+Old: The RHEL 8 audit records must be off-loaded onto a different system or
+storage media from the system being audited.
+New: The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.
+---
+SV-230480:
+Old: RHEL 8 must take appropriate action when the internal event queue is
+full.
+New: RHEL 8 must take appropriate action when the internal event queue is full.
+---
+SV-230481:
+Old: RHEL 8 must encrypt the transfer of audit records off-loaded onto a
+different system or media from the system being audited.
+New: RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
+---
+SV-230482:
+Old: RHEL 8 must authenticate the remote logging server for off-loading
+audit logs.
+New: RHEL 8 must authenticate the remote logging server for off-loading audit logs.
+---
+SV-230483:
+Old: RHEL 8 must take action when allocated audit record storage volume
+ reaches 75 percent of the repository maximum audit record storage capacity.
+New: RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
+---
+SV-230484:
+Old: RHEL 8 must securely compare internal information system clocks at
+least every 24 hours with a server synchronized to an authoritative time
+source, such as the United States Naval Observatory (USNO) time servers, or a
+time server designated for the appropriate DoD network (NIPRNet/SIPRNet),
+and/or the Global Positioning System (GPS).
+New: RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
+---
+SV-230491:
+Old: RHEL 8 must enable mitigations against processor-based
+vulnerabilities.
+New: RHEL 8 must enable mitigations against processor-based vulnerabilities.
+---
+SV-230493:
+Old: RHEL 8 must cover or disable the built-in or attached camera when not
+in use.
+New: RHEL 8 must cover or disable the built-in or attached camera when not in use.
+---
+SV-230497:
+Old: RHEL 8 must disable the transparent inter-process communication (TIPC)
+protocol.
+New: RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
+---
+SV-230500:
+Old: RHEL 8 must be configured to prohibit or restrict the use of
+functions, ports, protocols, and/or services, as defined in the Ports,
+Protocols, and Services Management (PPSM) Category Assignments List (CAL) and
+vulnerability assessments.
+New: RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
+---
+SV-230504:
+Old: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy
+for allowing connections to other systems.
+New: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
+---
+SV-230524:
+Old: RHEL 8 must block unauthorized peripherals before establishing a
+connection.
+New: RHEL 8 must block unauthorized peripherals before establishing a connection.
+---
+SV-230525:
+Old: A firewall must be able to protect against or limit the effects of
+Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting
+measures on impacted network interfaces.
+New: A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.
+---
+SV-230526:
+Old: All RHEL 8 networked systems must have and implement SSH to protect
+the confidentiality and integrity of transmitted and received information, as
+well as information during preparation for transmission.
+New: All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
+---
+SV-230527:
+Old: RHEL 8 must force a frequent session key renegotiation for SSH
+connections to the server.
+New: RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.
+---
+SV-230530:
+Old: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a
+graphical user interface is installed.
+New: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
+---
+SV-230531:
+Old: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be
+disabled.
+New: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
+---
+SV-230533:
+Old: The Trivial File Transfer Protocol (TFTP) server package must not be
+installed if not required for RHEL 8 operational support.
+New: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
+---
+SV-230534:
+Old: The root account must be the only account having unrestricted access
+to the RHEL 8 system.
+New: The root account must be the only account having unrestricted access to the RHEL 8 system.
+---
+SV-230535:
+Old: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP)
+redirect messages from being accepted.
+New: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+---
+SV-230536:
+Old: RHEL 8 must not send Internet Control Message Protocol (ICMP)
+redirects.
+New: RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
+---
+SV-230537:
+Old: RHEL 8 must not respond to Internet Control Message Protocol (ICMP)
+echoes sent to a broadcast address.
+New: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
+---
+SV-230542:
+Old: RHEL 8 must not accept router advertisements on all IPv6 interfaces by
+default.
+New: RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
+---
+SV-230543:
+Old: RHEL 8 must not allow interfaces to perform Internet Control Message
+Protocol (ICMP) redirects by default.
+New: RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
+---
+SV-230544:
+Old: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP)
+redirect messages.
+New: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
+---
+SV-230545:
+Old: RHEL 8 must disable access to network bpf syscall from unprivileged
+processes.
+New: RHEL 8 must disable access to network bpf syscall from unprivileged processes.
+---
+SV-230551:
+Old: The RHEL 8 file integrity tool must be configured to verify extended
+attributes.
+New: The RHEL 8 file integrity tool must be configured to verify extended attributes.
+---
+SV-230552:
+Old: The RHEL 8 file integrity tool must be configured to verify Access
+Control Lists (ACLs).
+New: The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
+---
+SV-230553:
+Old: The graphical display manager must not be installed on RHEL 8 unless
+approved.
+New: The graphical display manager must not be installed on RHEL 8 unless approved.
+---
+SV-230555:
+Old: RHEL 8 remote X connections for interactive users must be disabled
+unless to fulfill documented and validated mission requirements.
+New: RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
+---
+SV-230556:
+Old: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the
+proxy display.
+New: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
+---
+SV-230557:
+Old: If the Trivial File Transfer Protocol (TFTP) server is required, the
+RHEL 8 TFTP daemon must be configured to operate in secure mode.
+New: If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
+---
+SV-230558:
+Old: A File Transfer Protocol (FTP) server package must not be installed
+unless mission essential on RHEL 8.
+New: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
+---
+SV-230559:
+Old: The gssproxy package must not be installed unless mission essential on
+RHEL 8.
+New: The gssproxy package must not be installed unless mission essential on RHEL 8.
+---
+SV-230560:
+Old: The iprutils package must not be installed unless mission essential on
+RHEL 8.
+New: The iprutils package must not be installed unless mission essential on RHEL 8.
+---
+SV-230561:
+Old: The tuned package must not be installed unless mission essential on
+RHEL 8.
+New: The tuned package must not be installed unless mission essential on RHEL 8.
+---
+SV-237642:
+Old: RHEL 8 must use the invoking user's password for privilege escalation
+when using "sudo".
+New: RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".
+---
+SV-244519:
+Old: RHEL 8 must display a banner before granting local or remote access to
+the system via a graphical user logon.
+New: RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
+---
+SV-244521:
+Old: RHEL 8 operating systems booted with United Extensible Firmware
+Interface (UEFI) must require a unique superusers name upon booting into
+single-user mode and maintenance.
+New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.
+---
+SV-244523:
+Old: RHEL 8 operating systems must require authentication upon booting into
+emergency mode.
+New: RHEL 8 operating systems must require authentication upon booting into emergency mode.
+---
+SV-244524:
+Old: The RHEL 8 pam_unix.so module must be configured in the system-auth
+file to use a FIPS 140-2 approved cryptographic hashing algorithm for system
+authentication.
+New: The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
+---
+SV-244527:
+Old: RHEL 8 must have the packages required to use the hardware random
+number generator entropy gatherer service.
+New: RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
+---
+SV-244530:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on the /boot/efi directory.
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
+---
+SV-244531:
+Old: All RHEL 8 local interactive user home directory files must have mode
+0750 or less permissive.
+New: All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
+---
+SV-244532:
+Old: RHEL 8 must be configured so that all files and directories contained
+in local interactive user home directories are group-owned by a group of which
+the home directory owner is a member.
+New: RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
+---
+SV-244533:
+Old: RHEL 8 must configure the use of the pam_faillock.so module in the
+/etc/pam.d/system-auth file.
+New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
+---
+SV-244534:
+Old: RHEL 8 must configure the use of the pam_faillock.so module in the
+/etc/pam.d/password-auth file.
+New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
+---
+SV-244535:
+Old: RHEL 8 must initiate a session lock for graphical user interfaces when
+the screensaver is activated.
+New: RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
+---
+SV-244536:
+Old: RHEL 8 must disable the user list at logon for graphical user
+interfaces.
+New: RHEL 8 must disable the user list at logon for graphical user interfaces.
+---
+SV-244538:
+Old: RHEL 8 must prevent a user from overriding the session idle-delay
+setting for the graphical user interface.
+New: RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
+---
+SV-244539:
+Old: RHEL 8 must prevent a user from overriding the screensaver
+lock-enabled setting for the graphical user interface.
+New: RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
+---
+SV-244541:
+Old: RHEL 8 must not allow blank or null passwords in the password-auth
+file.
+New: RHEL 8 must not allow blank or null passwords in the password-auth file.
+---
+SV-244542:
+Old: RHEL 8 audit records must contain information to establish what type
+of events occurred, the source of events, where events occurred, and the
+outcome of events.
+New: RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
+---
+SV-244543:
+Old: RHEL 8 must notify the System Administrator (SA) and Information
+System Security Officer (ISSO) (at a minimum) when allocated audit record
+storage volume 75 percent utilization.
+New: RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
+---
+SV-244546:
+Old: The RHEL 8 fapolicy module must be configured to employ a deny-all,
+permit-by-exception policy to allow the execution of authorized software
+programs.
+New: The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
+---
+SV-244550:
+Old: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP)
+redirect messages from being accepted.
+New: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+---
+SV-244554:
+Old: RHEL 8 must enable hardening for the Berkeley Packet Filter
+Just-in-time compiler.
+New: RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
+---
+SV-250315:
+Old: RHEL 8 systems, versions 8.2 and above, must configure SELinux context
+ type to allow the use of a non-default faillock tally directory.
+New: RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
+---
+SV-257258:
+Old: RHEL 8 must terminate idle user sessions.
+New: RHEL 8.7 and higher must terminate idle user sessions.
+---
+
+
+### Updated Descriptions
+
+ Click to expand. +SV-230221: +Old: +``` +An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + + Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. + + Note: The life-cycle time spans and dates are subject to adjustment. + +``` +New: +``` +An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. +Note: The life-cycle time spans and dates are subject to adjustment. + +``` +--- +SV-230222: +Old: +``` +Timely patching is critical for maintaining the operational + availability, confidentiality, and integrity of information technology (IT) + systems. 
However, failure to keep operating system and application software + patched is a common mistake made by IT professionals. New patches are released + daily, and it is often difficult for even experienced System Administrators to + keep abreast of all the new patches. When new weaknesses in an operating system + exist, patches are usually made available by the vendor to resolve the + problems. If the most recent security patches and updates are not installed, + unauthorized users may take advantage of weaknesses in the unpatched software. + The lack of prompt attention to patching could result in a system compromise. + +``` +New: +``` +Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. + +``` +--- +SV-230223: +Old: +``` +Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. 
The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. + +The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. + +``` +New: +``` +Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. + +The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. + + + +``` +--- +SV-230224: +Old: +``` +RHEL 8 systems handling data requiring "data at rest" protections + must employ cryptographic mechanisms to prevent unauthorized disclosure and + modification of the information at rest. 
+ + Selection of a cryptographic mechanism is based on the need to protect the +integrity of organizational information. The strength of the mechanism is +commensurate with the security category and/or classification of the +information. Organizations have the flexibility to either encrypt all +information on storage devices (i.e., full disk encryption) or encrypt specific +data structures (e.g., files, records, or fields). + +``` +New: +``` +RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). + + + +``` +--- +SV-230225: +Old: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DOD policy. 
Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + +``` +--- +SV-230226: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. 
+ + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + + The banner must be formatted in accordance with applicable DoD policy. Use +the following verbiage for operating systems that can accommodate banners of +1300 characters: + + "You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you +consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are +subject to routine monitoring, interception, and search, and may be disclosed +or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access +controls) to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to +PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
+ +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + +``` +--- +SV-230227: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. 
+ + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + + The banner must be formatted in accordance with applicable DoD policy. Use +the following verbiage for operating systems that can accommodate banners of +1300 characters: + + "You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you +consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are +subject to routine monitoring, interception, and search, and may be disclosed +or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access +controls) to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to +PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+
+
+```
+---
+SV-230229:
+Old:
+```
+Without path validation, an informed trust decision by the relying
+party cannot be made when presented with any certificate not already explicitly
+trusted.
+
+ A trust anchor is an authoritative entity represented via a public key and
+associated data.
It is used in the context of public key infrastructures, X.509
+digital certificates, and DNSSEC.
+
+ When there is a chain of trust, usually the top entity to be trusted
+becomes the trust anchor; it can be, for example, a Certification Authority
+(CA). A certification path starts with the subject certificate and proceeds
+through a number of intermediate certificates up to a trusted root certificate,
+typically issued by a trusted CA.
+
+ This requirement verifies that a certification path to an accepted trust
+anchor is used for certificate validation and that the path includes status
+information. Path validation is necessary for a relying party to make an
+informed trust decision when presented with any certificate not already
+explicitly trusted. Status information for certification paths includes
+certificate revocation lists or online certificate status protocol responses.
+Validation of the certificate status information is out of scope for this
+requirement.
+
+```
+New:
+```
+Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
+
+A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.
+
+When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.
+
+This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information.
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.
+
+
+
+```
+---
+SV-230230:
+Old:
+```
+If an unauthorized user obtains access to a private key without a
+passcode, that user would have unauthorized access to any system where the
+associated public key has been installed.
+
+```
+New:
+```
+If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.
+
+```
+---
+SV-230231:
+Old:
+```
+Passwords need to be protected at all times, and encryption is the
+standard method for protecting passwords. If passwords are not encrypted, they
+can be plainly read (i.e., clear text) and easily compromised.
+
+ Unapproved mechanisms that are used for authentication to the cryptographic
+module are not verified and therefore cannot be relied upon to provide
+confidentiality or integrity, and DoD data may be compromised.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to
+access cryptographic modules utilize authentication that meets DoD requirements.
+
+```
+New:
+```
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.
+
+```
+---
+SV-230232:
+Old:
+```
+The system must use a strong hashing algorithm to store the password.
+
+ Passwords need to be protected at all times, and encryption is the standard
+method for protecting passwords. If passwords are not encrypted, they can be
+plainly read (i.e., clear text) and easily compromised.
+
+```
+New:
+```
+The system must use a strong hashing algorithm to store the password.
+
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+```
+---
+SV-230233:
+Old:
+```
+The system must use a strong hashing algorithm to store the password.
+The system must use a sufficient number of hashing rounds to ensure the
+required level of entropy.
+
+ Passwords need to be protected at all times, and encryption is the standard
+method for protecting passwords. If passwords are not encrypted, they can be
+plainly read (i.e., clear text) and easily compromised.
+
+```
+New:
+```
+The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
+
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+```
+---
+SV-230234:
+Old:
+```
+If the system does not require valid authentication before it boots
+into single-user or maintenance mode, anyone who invokes single-user or
+maintenance mode is granted privileged access to all files on the system.
GRUB
+2 is the default boot loader for RHEL 8 and is designed to require a password
+to boot into single-user mode or make modifications to the boot menu.
+
+```
+New:
+```
+If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
+
+```
+---
+SV-230235:
+Old:
+```
+If the system does not require valid authentication before it boots
+into single-user or maintenance mode, anyone who invokes single-user or
+maintenance mode is granted privileged access to all files on the system. GRUB
+2 is the default boot loader for RHEL 8 and is designed to require a password
+to boot into single-user mode or make modifications to the boot menu.
+
+```
+New:
+```
+If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
+
+```
+---
+SV-230236:
+Old:
+```
+If the system does not require valid root authentication before it
+boots into emergency or rescue mode, anyone who invokes emergency or rescue
+mode is granted privileged access to all files on the system.
+
+```
+New:
+```
+If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.
+
+```
+---
+SV-230237:
+Old:
+```
+Unapproved mechanisms that are used for authentication to the
+cryptographic module are not verified and therefore cannot be relied upon to
+provide confidentiality or integrity, and DoD data may be compromised.
+
+ RHEL 8 systems utilizing encryption are required to use FIPS-compliant
+mechanisms for authenticating to cryptographic modules.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to
+access cryptographic modules utilize authentication that meets DoD
+requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
+general-purpose computing system.
+
+```
+New:
+```
+Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
+
+```
+---
+SV-230238:
+Old:
+```
+Unapproved mechanisms that are used for authentication to the
+cryptographic module are not verified and therefore cannot be relied upon to
+provide confidentiality or integrity, and DoD data may be compromised.
+
+ RHEL 8 systems utilizing encryption are required to use FIPS-compliant
+mechanisms for authenticating to cryptographic modules.
+
+ The key derivation function (KDF) in Kerberos is not FIPS compatible.
+Ensuring the system does not have any keytab files present prevents system
+daemons from using Kerberos for authentication. A keytab is a file containing
+pairs of Kerberos principals and encrypted keys.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to
+access cryptographic modules utilize authentication that meets DoD
+requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
+general-purpose computing system.
+
+```
+New:
+```
+Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+The key derivation function (KDF) in Kerberos is not FIPS compatible. Ensuring the system does not have any keytab files present prevents system daemons from using Kerberos for authentication. A keytab is a file containing pairs of Kerberos principals and encrypted keys.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
+
+```
+---
+SV-230239:
+Old:
+```
+Unapproved mechanisms that are used for authentication to the
+cryptographic module are not verified and therefore cannot be relied upon to
+provide confidentiality or integrity, and DoD data may be compromised.
+
+ RHEL 8 systems utilizing encryption are required to use FIPS-compliant
+mechanisms for authenticating to cryptographic modules.
+
+ Currently, Kerberos does not utilize FIPS 140-2 cryptography.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to
+access cryptographic modules utilize authentication that meets DoD
+requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
+general-purpose computing system.
+
+```
+New:
+```
+Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+Currently, Kerberos does not utilize FIPS 140-2 cryptography.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
+
+```
+---
+SV-230240:
+Old:
+```
+Without verification of the security functions, security functions may
+not operate correctly and the failure may go unnoticed. Security function is
+defined as the hardware, software, and/or firmware of the information system
+responsible for enforcing the system security policy and supporting the
+isolation of code and data on which the protection is based. Security
+functionality includes, but is not limited to, establishing system accounts,
+configuring access authorizations (i.e., permissions, privileges), setting
+events to be audited, and setting intrusion detection parameters.
+
+ This requirement applies to operating systems performing security function
+verification/testing and/or systems and environments that require this
+functionality.
+
+```
+New:
+```
+Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.
+
+```
+---
+SV-230241:
+Old:
+```
+Without verification of the security functions, security functions may
+not operate correctly and the failure may go unnoticed. Security function is
+defined as the hardware, software, and/or firmware of the information system
+responsible for enforcing the system security policy and supporting the
+isolation of code and data on which the protection is based. Security
+functionality includes, but is not limited to, establishing system accounts,
+configuring access authorizations (i.e., permissions, privileges), setting
+events to be audited, and setting intrusion detection parameters.
+
+ Policycoreutils contains the policy core utilities that are required for
+basic operation of an SELinux-enabled system. These utilities include
+load_policy to load SELinux policies, setfile to label filesystems, newrole to
+switch roles, and run_init to run /etc/init.d scripts in the proper context.
+
+```
+New:
+```
+Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.
+
+```
+---
+SV-230243:
+Old:
+```
+Preventing unauthorized information transfers mitigates the risk of
+information, including encrypted representations of information, produced by
+the actions of prior users/roles (or the actions of processes acting on behalf
+of prior users/roles) from being available to any current users/roles (or
+current processes) that obtain access to shared system resources (e.g.,
+registers, main memory, hard disks) after those resources have been released
+back to information systems. The control of information in shared resources is
+also commonly referred to as object reuse and residual information protection.
+
+ This requirement generally applies to the design of an information
+technology product, but it can also apply to the configuration of particular
+information system components that are, or use, such products. This can be
+verified by acceptance/validation processes in DoD or other government agencies.
+
+ There may be shared resources with configurable protections (e.g., files in
+storage) that may be assessed on specific information system components.
+
+```
+New:
+```
+Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems.
The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
+
+This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
+
+There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
+
+```
+---
+SV-230244:
+Old:
+```
+Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+
+ Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
+
+ RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client.
The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
+
+```
+New:
+```
+Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
+
+RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
+
+
+
+```
+---
+SV-230245:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230246:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team.
The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230247:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230248:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230249:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform.
Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230250:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors.
Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+```
+---
+SV-230251:
+Old:
+```
+Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.
+
+```
+New:
+```
+Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+ +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + + + +``` +--- +SV-230252: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. 
The SSH +configuration file has no effect on the ciphers, MACs, or algorithms unless +specifically defined in the /etc/sysconfig/sshd file. The employed algorithms +can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + + The system will attempt to use the first hash presented by the client that +matches the server list. Listing the values "strongest to weakest" is a +method to ensure the use of the strongest hash available to secure the SSH +connection. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + + + +``` +--- +SV-230253: +Old: +``` +The most important characteristic of a random number generator is its +randomness, namely its ability to deliver random numbers that are impossible to +predict. 
Entropy in computer security is associated with the unpredictability +of a source of randomness. The random source with high entropy tends to +achieve a uniform distribution of random values. Random number generators are +one of the most important building blocks of cryptosystems. + + The SSH implementation in RHEL8 uses the OPENSSL library, which does not +use high-entropy sources by default. By using the SSH_USE_STRONG_RNG +environment variable the OPENSSL random generator is reseeded from /dev/random. + This setting is not recommended on computers without the hardware random +generator because insufficient entropy causes the connection to be blocked +until enough entropy is available. + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available. + +``` +--- +SV-230254: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. 
+ + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The employed +algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config +file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + + + +``` +--- +SV-230255: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. 
+ + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The employed +algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config +file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + + + +``` +--- +SV-230256: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Transport Layer Security (TLS) encryption is a required security setting as +a number of known vulnerabilities have been reported against Secure Sockets +Layer (SSL) and earlier versions of TLS. Encryption of private information is +essential to ensuring data confidentiality. If private information is not +encrypted, it can be intercepted and easily read by an unauthorized party. 
SQL +Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all +non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 +specifies the preferred configurations for government systems. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + The GnuTLS library offers an API to access secure communications protocols. + SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto +policy defines employed algorithms in the +/etc/crypto-policies/back-ends/gnutls.config file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library. 
The RHEL 8 system-wide crypto policy defines employed algorithms in the /etc/crypto-policies/back-ends/gnutls.config file. + + + +``` +--- +SV-230257: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230258: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. 
Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230259: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. 
Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230260: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230261: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. 
Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230262: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230263: +Old: +``` +Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. + +RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. 
+ +``` +New: +``` +Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. + +RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. + + + +``` +--- +SV-230264: +Old: +``` +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the software +has not been tampered with and that it has been provided by a trusted vendor. 
+ + Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. + + Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This verifies the +software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The +operating system should not have to verify the software again. This requirement +does not mandate DoD certificates for this purpose; however, the certificate +used to verify the software must be from an approved CA. + +``` +New: +``` +Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + +``` +--- +SV-230265: +Old: +``` +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the software +has not been tampered with and that it has been provided by a trusted vendor. 
+ + Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. + + Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This verifies the +software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The +operating system should not have to verify the software again. This requirement +does not mandate DoD certificates for this purpose; however, the certificate +used to verify the software must be from an approved CA. + +``` +New: +``` +Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + +``` +--- +SV-230267: +Old: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). 
Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
+ +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + +``` +New: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. 
The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + + + +``` +--- +SV-230268: +Old: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. 
An example of DAC includes user-controlled file permissions.
+
+ When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
+
+ By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().
+
+ The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence.
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+
+ /etc/sysctl.d/*.conf
+ /run/sysctl.d/*.conf
+ /usr/local/lib/sysctl.d/*.conf
+ /usr/lib/sysctl.d/*.conf
+ /lib/sysctl.d/*.conf
+ /etc/sysctl.conf
+
+```
+New:
+```
+Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
+
+When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect.
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
+
+By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().
+
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+/etc/sysctl.d/*.conf
+/run/sysctl.d/*.conf
+/usr/local/lib/sysctl.d/*.conf
+/usr/lib/sysctl.d/*.conf
+/lib/sysctl.d/*.conf
+/etc/sysctl.conf
+
+
+
+```
+---
+SV-230271:
+Old:
+```
+Without reauthentication, users may access resources or perform tasks
+for which they do not have authorization.
+
+ When operating systems provide the capability to escalate a functional
+capability, it is critical the user reauthenticate.
+
+```
+New:
+```
+Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
+
+
+
+```
+---
+SV-230272:
+Old:
+```
+Without reauthentication, users may access resources or perform tasks
+for which they do not have authorization.
+
+ When operating systems provide the capability to escalate a functional
+capability, it is critical the user reauthenticate.
+
+```
+New:
+```
+Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
+
+
+
+```
+---
+SV-230273:
+Old:
+```
+Using an authentication device, such as a DoD Common Access Card (CAC)
+ or token that is separate from the information system, ensures that even if the
+ information system is compromised, credentials stored on the authentication
+ device will not be affected.
+
+ Multifactor solutions that require devices separate from information
+ systems gaining access include, for example, hardware tokens providing
+ time-based or challenge-response authenticators and smart cards such as the
+ U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.
+
+ A privileged account is defined as an information system account with
+ authorizations of a privileged user.
+
+ Remote access is access to DoD nonpublic information systems by an
+ authorized user (or an information system) communicating through an external,
+ non-organization-controlled network. Remote access methods include, for
+ example, dial-up, broadband, and wireless.
+
+ This requirement only applies to components where this is specific to the
+ function of the device or has the concept of an organizational user (e.g., VPN,
+ proxy capability). This does not apply to authentication for the purpose of
+ configuring the device itself (management).
+
+```
+New:
+```
+Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.
+
+A privileged account is defined as an information system account with authorizations of a privileged user.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+
+```
+---
+SV-230274:
+Old:
+```
+Using an authentication device, such as a DoD Common Access Card (CAC)
+ or token that is separate from the information system, ensures that even if the
+ information system is compromised, credentials stored on the authentication
+ device will not be affected.
+
+ Multifactor solutions that require devices separate from information
+ systems gaining access include, for example, hardware tokens providing
+ time-based or challenge-response authenticators and smart cards such as the
+ U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.
+
+ RHEL 8 includes multiple options for configuring certificate status
+checking, but for this requirement focuses on the System Security Services
+Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol
+(OCSP) checking and certificate verification using a sha256 digest function.
+
+```
+New:
+```
+Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.
+
+RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function.
+
+
+
+```
+---
+SV-230275:
+Old:
+```
+The use of PIV credentials facilitates standardization and reduces the
+ risk of unauthorized access.
+
+ The DoD has mandated the use of the Common Access Card (CAC) to support
+ identity management and personal authentication for systems covered under
+ Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a
+ primary component of layered protection for national security systems.
+
+```
+New:
+```
+The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
+
+The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.
+
+```
+---
+SV-230276:
+Old:
+```
+Some adversaries launch attacks with the intent of executing code in
+non-executable regions of memory or in memory locations that are prohibited.
+Security safeguards employed to protect memory include, for example, data
+execution prevention and address space layout randomization. Data execution
+prevention safeguards can be either hardware-enforced or software-enforced with
+hardware providing the greater strength of mechanism.
+
+ Examples of attacks are buffer overflow attacks.
+
+```
+New:
+```
+Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
+
+Examples of attacks are buffer overflow attacks.
+
+```
+---
+SV-230277:
+Old:
+```
+Some adversaries launch attacks with the intent of executing code in
+non-executable regions of memory or in memory locations that are prohibited.
+Security safeguards employed to protect memory include, for example, data
+execution prevention and address space layout randomization. Data execution
+prevention safeguards can be either hardware-enforced or software-enforced with
+hardware providing the greater strength of mechanism.
+
+ Poisoning writes an arbitrary value to freed pages, so any modification or
+reference to that page after being freed or before being initialized will be
+detected and prevented. This prevents many types of use-after-free
+vulnerabilities at little performance cost. Also prevents leak of data and
+detection of corrupted memory.
+
+```
+New:
+```
+Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization.
Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
+
+Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
+
+
+
+```
+---
+SV-230278:
+Old:
+```
+Syscalls are special routines in the Linux kernel, which userspace
+applications ask to do privileged tasks. Invoking a system call is an
+expensive operation because the processor must interrupt the currently
+executing task and switch context to kernel mode and then back to userspace
+after the system call completes. Virtual Syscalls map into user space a page
+that contains some variables and the implementation of some system calls. This
+allows the system calls to be executed in userspace to alleviate the context
+switching expense.
+
+ Virtual Syscalls provide an opportunity of attack for a user who has
+control of the return instruction pointer. Disabling vsyscalls help to prevent
+return oriented programming (ROP) attacks via buffer overflows and overruns. If
+the system intends to run containers based on RHEL 6 components, then virtual
+syscalls will need enabled so the components function properly.
+
+```
+New:
+```
+Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense.
+
+Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly.
+
+
+
+```
+---
+SV-230279:
+Old:
+```
+Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
+
+Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
+
+SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator.
+
+```
+New:
+```
+Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
+
+Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory.
+
+SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator.
+
+
+
+```
+---
+SV-230281:
+Old:
+```
+Previous versions of software components that are not removed from the
+information system after updates have been installed may be exploited by
+adversaries. Some information technology products may remove older versions of
+software automatically from the information system.
+
+```
+New:
+```
+Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
+
+```
+---
+SV-230282:
+Old:
+```
+Without verification of the security functions, security functions may
+not operate correctly and the failure may go unnoticed. Security function is
+defined as the hardware, software, and/or firmware of the information system
+responsible for enforcing the system security policy and supporting the
+isolation of code and data on which the protection is based. Security
+functionality includes, but is not limited to, establishing system accounts,
+configuring access authorizations (i.e., permissions, privileges), setting
+events to be audited, and setting intrusion detection parameters.
+
+ This requirement applies to operating systems performing security function
+verification/testing and/or systems and environments that require this
+functionality.
+
+```
+New:
+```
+Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.
+
+```
+---
+SV-230283:
+Old:
+```
+The "shosts.equiv" files are used to configure host-based
+authentication for the system via SSH. Host-based authentication is not
+sufficient for preventing unauthorized access to the system, as it does not
+require interactive identification and authentication of a connection request,
+or for the use of two-factor authentication.
+
+```
+New:
+```
+The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
+
+```
+---
+SV-230284:
+Old:
+```
+The ".shosts" files are used to configure host-based authentication
+for individual users or the system via SSH. Host-based authentication is not
+sufficient for preventing unauthorized access to the system, as it does not
+require interactive identification and authentication of a connection request,
+or for the use of two-factor authentication.
+
+```
+New:
+```
+The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
+
+```
+---
+SV-230285:
+Old:
+```
+The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
+
+The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).
+
+```
+New:
+```
+The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
+
+The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).
+
+```
+---
+SV-230286:
+Old:
+```
+If a public host key file is modified by an unauthorized user, the SSH
+service may be compromised.
+
+```
+New:
+```
+If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
+
+```
+---
+SV-230287:
+Old:
+```
+If an unauthorized user obtains the private SSH host key file, the
+host could be impersonated.
+
+```
+New:
+```
+If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
+
+```
+---
+SV-230288:
+Old:
+```
+If other users have access to modify user-specific SSH configuration
+files, they may be able to log on to the system as another user.
+
+```
+New:
+```
+If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
+
+```
+---
+SV-230290:
+Old:
+```
+Configuring this setting for the SSH daemon provides additional
+assurance that remote logon via SSH will require a password, even in the event
+of misconfiguration elsewhere.
+
+```
+New:
+```
+Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
+
+```
+---
+SV-230291:
+Old:
+```
+Configuring these settings for the SSH daemon provides additional
+assurance that remote logon via SSH will not use unused methods of
+authentication, even in the event of misconfiguration elsewhere.
+
+```
+New:
+```
+Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.
+
+```
+---
+SV-230292:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230293:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230294:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230295:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230296:
+Old:
+```
+Even though the communications channel may be encrypted, an additional
+layer of security is gained by extending the policy of not logging on directly
+as root. In addition, logging on with a user-specific account provides
+individual accountability of actions performed on the system.
+
+```
+New:
+```
+Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.
+
+```
+---
+SV-230298:
+Old:
+```
+Configuring RHEL 8 to implement organization-wide security
+implementation guides and security checklists ensures compliance with federal
+standards and establishes a common security baseline across the DoD that
+reflects the most restrictive security posture consistent with operational
+requirements.
+
+ Configuration settings are the set of parameters that can be changed in
+hardware, software, or firmware components of the system that affect the
+security posture and/or functionality of the system. Security-related
+parameters are those parameters impacting the security state of the system,
+including the parameters required to satisfy other security control
+requirements.
Security-related parameters include, for example: registry
+settings; account, file, directory permission settings; and settings for
+functions, ports, protocols, services, and remote connections.
+
+```
+New:
+```
+Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
+
+Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
+
+```
+---
+SV-230299:
+Old:
+```
+The "nosuid" mount option causes the system not to execute
+"setuid" and "setgid" files with owner privileges. This option must be used
+for mounting any file system not containing approved "setuid" and "setguid"
+files. Executing files from untrusted file systems increases the opportunity
+for unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230300:
+Old:
+```
+The "nosuid" mount option causes the system not to execute
+"setuid" and "setgid" files with owner privileges. This option must be used
+for mounting any file system not containing approved "setuid" and "setguid"
+files. Executing files from untrusted file systems increases the opportunity
+for unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230301:
+Old:
+```
+The "nodev" mount option causes the system to not interpret
+character or block special devices. Executing character or block special
+devices from untrusted file systems increases the opportunity for unprivileged
+users to attain unauthorized administrative access. The only legitimate
+location for device files is the /dev directory located on the root partition.
+
+```
+New:
+```
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.
+
+```
+---
+SV-230302:
+Old:
+```
+The "noexec" mount option causes the system not to execute binary
+files. This option must be used for mounting any file system not containing
+approved binary files, as they may be incompatible. Executing files from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+```
+New:
+```
+The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230303:
+Old:
+```
+The "nodev" mount option causes the system not to interpret
+character or block special devices. Executing character or block special
+devices from untrusted file systems increases the opportunity for unprivileged
+users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230304:
+Old:
+```
+The "noexec" mount option causes the system not to execute binary
+files. This option must be used for mounting any file system not containing
+approved binary files, as they may be incompatible. Executing files from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+```
+New:
+```
+The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230305:
+Old:
+```
+The "nosuid" mount option causes the system not to execute
+"setuid" and "setgid" files with owner privileges. This option must be used
+for mounting any file system not containing approved "setuid" and "setguid"
+files.
Executing files from untrusted file systems increases the opportunity
+for unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230306:
+Old:
+```
+The "noexec" mount option causes the system not to execute binary
+files. This option must be used for mounting any file system not containing
+approved binary as they may be incompatible. Executing files from untrusted
+file systems increases the opportunity for unprivileged users to attain
+unauthorized administrative access.
+
+```
+New:
+```
+The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230307:
+Old:
+```
+The "nodev" mount option causes the system to not interpret
+character or block special devices. Executing character or block special
+devices from untrusted file systems increases the opportunity for unprivileged
+users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230308:
+Old:
+```
+The "nosuid" mount option causes the system not to execute
+"setuid" and "setgid" files with owner privileges.
This option must be used
+for mounting any file system not containing approved "setuid" and "setguid"
+files. Executing files from untrusted file systems increases the opportunity
+for unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230309:
+Old:
+```
+If user start-up files execute world-writable programs, especially in
+unprotected directories, they could be maliciously modified to destroy user
+files or otherwise compromise the system at the user level. If the system is
+compromised at the user level, it is easier to elevate privileges to eventually
+compromise the system at the root and network level.
+
+```
+New:
+```
+If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
+
+```
+---
+SV-230310:
+Old:
+```
+Kernel core dumps may contain the full contents of system memory at
+the time of the crash. Kernel core dumps may consume a considerable amount of
+disk space and may result in denial of service by exhausting the available
+space on the target file system partition.
+
+ RHEL 8 installation media presents the option to enable or disable the
+kdump service at the time of system installation.
+
+```
+New:
+```
+Kernel core dumps may contain the full contents of system memory at the time of the crash.
Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.
+
+RHEL 8 installation media presents the option to enable or disable the kdump service at the time of system installation.
+
+```
+---
+SV-230312:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data and is
+generally useful only for developers trying to debug problems.
+
+ When the kernel invokes systemd-coredumpt to handle a core dump, it runs in
+privileged mode, and will connect to the socket created by the
+systemd-coredump.socket unit. This, in turn, will spawn an unprivileged
+systemd-coredump@.service instance to process the core dump.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
+
+When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.
+
+```
+---
+SV-230313:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data and is
+generally useful only for developers trying to debug problems.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
+
+```
+---
+SV-230314:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data and is
+generally useful only for developers trying to debug problems.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured.
They increase the risk to the platform by providing additional attack vectors.
+
+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
+
+```
+---
+SV-230315:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data and is
+generally useful only for developers trying to debug problems.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
+
+```
+---
+SV-230316:
+Old:
+```
+To provide availability for name resolution services, multiple
+redundant name servers are mandated. A failure in name resolution could lead to
+the failure of security functions requiring name resolution, which may include
+time synchronization, centralized authentication, and remote system logging.
+
+```
+New:
+```
+To provide availability for name resolution services, multiple redundant name servers are mandated.
A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
+
+```
+---
+SV-230317:
+Old:
+```
+The executable search path (typically the PATH environment variable)
+contains a list of directories for the shell to search to find executables. If
+this path includes the current working directory (other than the user's home
+directory), executables in these directories may be executed instead of system
+commands. This variable is formatted as a colon-separated list of directories.
+If there is an empty entry, such as a leading or trailing colon or two
+consecutive colons, this is interpreted as the current working directory. If
+deviations from the default system search path for the local interactive user
+are required, they must be documented with the Information System Security
+Officer (ISSO).
+
+```
+New:
+```
+The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
+
+```
+---
+SV-230318:
+Old:
+```
+If a world-writable directory is not owned by root, sys, bin, or an
+application User Identifier (UID), unauthorized users may be able to modify
+files created by others.
+
+ The only authorized public directories are those temporary directories
+supplied with the system or those designed to be temporary file repositories.
+The setting is normally reserved for directories used by the system and by
+users for temporary file storage, (e.g., /tmp), and for directories requiring
+global read/write access.
+
+```
+New:
+```
+If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
+
+The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.
+
+```
+---
+SV-230319:
+Old:
+```
+If a world-writable directory is not group-owned by root, sys, bin, or
+an application Group Identifier (GID), unauthorized users may be able to modify
+files created by others.
+
+ The only authorized public directories are those temporary directories
+supplied with the system or those designed to be temporary file repositories.
+The setting is normally reserved for directories used by the system and by
+users for temporary file storage, (e.g., /tmp), and for directories requiring
+global read/write access.
+
+```
+New:
+```
+If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
+
+The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.
+
+```
+---
+SV-230320:
+Old:
+```
+If local interactive users are not assigned a valid home directory,
+there is no place for the storage and control of files they should own.
+
+```
+New:
+```
+If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
+
+```
+---
+SV-230321:
+Old:
+```
+Excessive permissions on local interactive user home directories may
+allow unauthorized access to user files by other users.
+
+```
+New:
+```
+Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
+
+```
+---
+SV-230322:
+Old:
+```
+If the Group Identifier (GID) of a local interactive user’s home
+directory is not the same as the primary GID of the user, this would allow
+unauthorized access to the user’s files, and users that share the same group
+may not be able to access files that they legitimately should.
+
+```
+New:
+```
+If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.
+
+```
+---
+SV-230323:
+Old:
+```
+If a local interactive user has a home directory defined that does not
+exist, the user may be given access to the "/" directory as the current
+working directory upon logon. This could create a denial of service because the
+user would not be able to access their logon configuration files, and it may
+give them visibility to system files they normally would not be able to access.
+
+```
+New:
+```
+If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon.
This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
+
+```
+---
+SV-230324:
+Old:
+```
+If local interactive users are not assigned a valid home directory,
+there is no place for the storage and control of files they should own.
+
+```
+New:
+```
+If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
+
+```
+---
+SV-230325:
+Old:
+```
+Local initialization files are used to configure the user's shell
+environment upon logon. Malicious modification of these files could compromise
+accounts upon logon.
+
+```
+New:
+```
+Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
+
+```
+---
+SV-230326:
+Old:
+```
+Unowned files and directories may be unintentionally inherited if a
+user is assigned the same User Identifier "UID" as the UID of the un-owned
+files.
+
+```
+New:
+```
+Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.
+
+```
+---
+SV-230327:
+Old:
+```
+Files without a valid group owner may be unintentionally inherited if
+a group is assigned the same Group Identifier (GID) as the GID of the files
+without a valid group owner.
+
+```
+New:
+```
+Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.
+
+```
+---
+SV-230328:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230329:
+Old:
+```
+Failure to restrict system access to authenticated users negatively
+impacts operating system security.
+
+```
+New:
+```
+Failure to restrict system access to authenticated users negatively impacts operating system security.
+
+```
+---
+SV-230330:
+Old:
+```
+SSH environment options potentially allow users to bypass access
+restriction in some configurations.
+
+```
+New:
+```
+SSH environment options potentially allow users to bypass access restriction in some configurations.
+
+```
+---
+SV-230331:
+Old:
+```
+If temporary user accounts remain active when no longer needed or for
+an excessive period, these accounts may be used to gain unauthorized access. To
+mitigate this risk, automated termination of all temporary accounts must be set
+upon account creation.
+
+ Temporary accounts are established as part of normal account activation
+procedures when there is a need for short-term accounts without the demand for
+immediacy in account activation.
+
+ If temporary accounts are used, RHEL 8 must be configured to automatically
+terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+ To address access requirements, many RHEL 8 operating systems may be
+integrated with enterprise-level authentication/access mechanisms that meet or
+exceed access control policy requirements.
+
+```
+New:
+```
+If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
+
+Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
+
+If temporary accounts are used, RHEL 8 must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+To address access requirements, many RHEL 8 operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
+
+```
+---
+SV-230332:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230333:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230334:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230335:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230336:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230337:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot.
If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230338:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230339:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.)
users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230340:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+ +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230341: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230342: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. 
+ +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + + + +``` +--- +SV-230343: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230344: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that +manual changes to the listed files may be overwritten by the "authselect" +program. + + From "Pam_Faillock" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. 
+ +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + + + +``` +--- +SV-230345: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230346: +Old: +``` +Operating system management includes the ability to control the number +of users and user sessions that utilize an operating system. Limiting the +number of allowed users and sessions per user is helpful in reducing the risks +related to DoS attacks. + + This requirement addresses concurrent sessions for information system +accounts and does not address concurrent sessions by single users via multiple +system accounts. The maximum number of concurrent sessions should be defined +based on mission needs and the operational environment for each system. + +``` +New: +``` +Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. + +``` +--- +SV-230347: +Old: +``` +A session lock is a temporary action taken when a user stops work and +moves away from the immediate physical vicinity of the information system but +does not want to log out because of the temporary nature of the absence. 
+ + The session lock is implemented at the point where session activity can be +determined. + + Regardless of where the session lock is determined and implemented, once +invoked, the session lock must remain in place until the user reauthenticates. +No other activity aside from reauthentication must unlock the system. + +``` +New: +``` +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. + +Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. + + + +``` +--- +SV-230351: +Old: +``` +A session lock is a temporary action taken when a user stops work and + moves away from the immediate physical vicinity of the information system but + does not want to log out because of the temporary nature of the absence. + + The session lock is implemented at the point where session activity can be + determined. Rather than be forced to wait for a period of time to expire before + the user session can be locked, RHEL 8 needs to provide users with the ability + to manually invoke a session lock so users can secure their session if it is + necessary to temporarily vacate the immediate physical vicinity. + +``` +New: +``` +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. 
Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + + + +``` +--- +SV-230352: +Old: +``` +A session lock is a temporary action taken when a user stops work and +moves away from the immediate physical vicinity of the information system but +does not want to log out because of the temporary nature of the absence. + + The session lock is implemented at the point where session activity can be +determined. Rather than be forced to wait for a period of time to expire before +the user session can be locked, RHEL 8 needs to provide users with the ability +to manually invoke a session lock so users can secure their session if it is +necessary to temporarily vacate the immediate physical vicinity. + +``` +New: +``` +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + + + +``` +--- +SV-230354: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. 
+Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + + Implementing session settings will have little value if a user is able to +manipulate these settings from the defaults prescribed in the other +requirements of this implementation guide. + + Locking these settings from non-privileged users is crucial to maintaining +a protected baseline. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Locking these settings from non-privileged users is crucial to maintaining a protected baseline. + + + +``` +--- +SV-230355: +Old: +``` +Without mapping the certificate used to authenticate to the user +account, the ability to determine the identity of the individual user or group +will not be available for forensic analysis. + + There are various methods of mapping certificates to user/group accounts +for RHEL 8. For the purposes of this requirement, the check and fix will +account for Active Directory mapping. 
Some of the other possible methods +include joining the system to a domain and utilizing a Red Hat idM server, or a +local system mapping, where the system is not part of a domain. + +``` +New: +``` +Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. + +There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain. + +``` +--- +SV-230357: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. +Note that in order to require uppercase characters, without degrading the +"minlen" value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230358: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. +Note that in order to require lower-case characters without degrading the +"minlen" value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". 
+ +``` +--- +SV-230359: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. Note that in order to require numeric characters, without degrading +the minlen value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230360: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. 
The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "maxclassrepeat" option sets the maximum number of allowed +same consecutive characters in the same class in the new password. + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. + +``` +--- +SV-230361: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "maxrepeat" option sets the maximum number of allowed same +consecutive characters in a new password. + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. + +``` +--- +SV-230362: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "minclass" option sets the minimum number of required classes +of characters for the new password (digits, uppercase, lowercase, others). + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. 
The "minclass" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others). + +``` +--- +SV-230363: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "difok" option sets the number of characters in a password +that must not be present in the old password. + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "difok" option sets the number of characters in a password that must not be present in the old password. + +``` +--- +SV-230364: +Old: +``` +Enforcing a minimum password lifetime helps to prevent repeated +password changes to defeat the password reuse or history enforcement +requirement. If users are allowed to immediately and continually change their +password, the password could be repeatedly changed in a short period of time to +defeat the organization's policy regarding password reuse. 
+ +``` +New: +``` +Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. + +``` +--- +SV-230365: +Old: +``` +Enforcing a minimum password lifetime helps to prevent repeated +password changes to defeat the password reuse or history enforcement +requirement. If users are allowed to immediately and continually change their +password, the password could be repeatedly changed in a short period of time to +defeat the organization's policy regarding password reuse. + +``` +New: +``` +Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. + +``` +--- +SV-230366: +Old: +``` +Any password, no matter how complex, can eventually be cracked. +Therefore, passwords need to be changed periodically. If RHEL 8 does not limit +the lifetime of passwords and force users to change their passwords, there is +the risk that RHEL 8 passwords could be compromised. + +``` +New: +``` +Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. + +``` +--- +SV-230367: +Old: +``` +Any password, no matter how complex, can eventually be cracked. +Therefore, passwords need to be changed periodically. 
If RHEL 8 does not limit +the lifetime of passwords and force users to change their passwords, there is +the risk that RHEL 8 passwords could be compromised. + +``` +New: +``` +Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. + +``` +--- +SV-230369: +Old: +``` +The shorter the password, the lower the number of possible +combinations that need to be tested before the password is compromised. + + Password complexity, or strength, is a measure of the effectiveness of a +password in resisting attempts at guessing and brute-force attacks. Password +length is one factor of several that helps to determine strength and how long +it takes to crack a password. Use of more characters in a password helps to +increase exponentially the time and/or resources required to compromise the +password. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. Configurations are set in the "etc/security/pwquality.conf" file. + + The "minlen", sometimes noted as minimum length, acts as a "score" of +complexity based on the credit components of the "pwquality" module. By +setting the credit components to a negative value, not only will those +components be required, they will not count towards the total "score" of +"minlen". This will enable "minlen" to require a 15-character minimum. + + The DoD minimum password requirement is 15 characters. + +``` +New: +``` +The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. + +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. + +The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. + +The DoD minimum password requirement is 15 characters. + +``` +--- +SV-230370: +Old: +``` +The shorter the password, the lower the number of possible +combinations that need to be tested before the password is compromised. + + Password complexity, or strength, is a measure of the effectiveness of a +password in resisting attempts at guessing and brute-force attacks. Password +length is one factor of several that helps to determine strength and how long +it takes to crack a password. Use of more characters in a password helps to +increase exponentially the time and/or resources required to compromise the +password. + + The DoD minimum password requirement is 15 characters. + +``` +New: +``` +The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. + +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. + +The DoD minimum password requirement is 15 characters. 
+ +``` +--- +SV-230371: +Old: +``` +To ensure accountability and prevent unauthenticated access, +interactive users must be identified and authenticated to prevent potential +misuse and compromise of the system. + + Interactive users include organizational employees or individuals the +organization deems to have equivalent status of employees (e.g., contractors). +Interactive users (and processes acting on behalf of users) must be uniquely +identified and authenticated to all accesses, except for the following: + + 1) Accesses explicitly identified and documented by the organization. +Organizations document specific user actions that can be performed on the +information system without identification or authentication; and + + 2) Accesses that occur through authorized use of group authenticators +without individual authentication. Organizations may require unique +identification of individuals in group accounts (e.g., shared privilege +accounts) or for detailed accountability of individual activity. + +``` +New: +``` +To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. + +Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: + +1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and + +2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. 
+ + + +``` +--- +SV-230372: +Old: +``` +Using an authentication device, such as a Common Access Card (CAC) or +token that is separate from the information system, ensures that even if the +information system is compromised, that compromise will not affect credentials +stored on the authentication device. + + Multifactor solutions that require devices separate from information +systems gaining access include, for example, hardware tokens providing +time-based or challenge-response authenticators and smart cards such as the +U.S. Government Personal Identity Verification card and the DoD CAC. + + There are various methods of implementing multifactor authentication for +RHEL 8. Some methods include a local system multifactor account mapping or +joining the system to a domain and utilizing a Red Hat idM server or Microsoft +Windows Active Directory server. Any of these methods will require that the +client operating system handle the multifactor authentication correctly. + +``` +New: +``` +Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD CAC. + +There are various methods of implementing multifactor authentication for RHEL 8. Some methods include a local system multifactor account mapping or joining the system to a domain and utilizing a Red Hat idM server or Microsoft Windows Active Directory server. Any of these methods will require that the client operating system handle the multifactor authentication correctly. 
+ + + +``` +--- +SV-230373: +Old: +``` +Inactive identifiers pose a risk to systems and applications because + attackers may exploit an inactive identifier and potentially obtain undetected + access to the system. Owners of inactive accounts will not notice if + unauthorized access to their user account has been obtained. + + RHEL 8 needs to track periods of inactivity and disable application + identifiers after 35 days of inactivity. + +``` +New: +``` +Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. + +RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity. + +``` +--- +SV-230374: +Old: +``` +Temporary accounts are privileged or nonprivileged accounts that are + established during pressing circumstances, such as new software or hardware + configuration or an incident response, where the need for prompt account + activation requires bypassing normal account authorization procedures. + + If any inactive temporary accounts are left enabled on the system and are + not either manually removed or automatically expired within 72 hours, the + security posture of the system will be degraded and exposed to exploitation + by unauthorized users or insider threat actors. + + Temporary accounts are different from emergency accounts. Emergency accounts, + also known as "last resort" or "break glass" accounts, are local logon accounts + enabled on the system for emergency use by authorized system administrators + to manage a system when standard logon methods are failing or not available. + + Emergency accounts are not subject to manual removal or scheduled expiration + requirements. 
+ + The automatic expiration of temporary accounts may be extended as needed by + the circumstances but it must not be extended indefinitely. A documented + permanent account should be established for privileged users who need long-term + maintenance accounts. + +``` +New: +``` +Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. + +Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. + +The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts. + +``` +--- +SV-230375: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. 
The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. Note that to require special characters without degrading the +"minlen" value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230376: +Old: +``` +If cached authentication information is out-of-date, the validity of +the authentication information may be questionable. + +RHEL 8 includes multiple options for configuring authentication, but this +requirement will be focus on the System Security Services Daemon (SSSD). By +default sssd does not cache credentials. + +``` +New: +``` +If cached authentication information is out-of-date, the validity of the authentication information may be questionable. + +RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials. 
+ +``` +--- +SV-230377: +Old: +``` +If RHEL 8 allows the user to select passwords based on dictionary +words, this increases the chances of password compromise by increasing the +opportunity for successful guesses, and brute-force attacks. + +``` +New: +``` +If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. + +``` +--- +SV-230378: +Old: +``` +Configuring the operating system to implement organization-wide +security implementation guides and security checklists verifies compliance with +federal standards and establishes a common security baseline across the DoD +that reflects the most restrictive security posture consistent with operational +requirements. + + Configuration settings are the set of parameters that can be changed in +hardware, software, or firmware components of the system that affect the +security posture and/or functionality of the system. Security-related +parameters are those parameters impacting the security state of the system, +including the parameters required to satisfy other security control +requirements. Security-related parameters include, for example, registry +settings; account, file, and directory permission settings; and settings for +functions, ports, protocols, services, and remote connections. + +``` +New: +``` +Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + +``` +--- +SV-230379: +Old: +``` +Accounts providing no operational purpose provide additional +opportunities for system compromise. Unnecessary accounts include user accounts +for individuals not requiring access to the system and application accounts for +applications not installed on the system. + +``` +New: +``` +Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. + +``` +--- +SV-230380: +Old: +``` +If an account has an empty password, anyone could log on and run +commands with the privileges of that account. Accounts with empty passwords +should never be used in operational environments. + +``` +New: +``` +If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. + +``` +--- +SV-230381: +Old: +``` +Providing users with feedback on when account accesses last occurred +facilitates user recognition and reporting of unauthorized account use. + +``` +New: +``` +Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. + +``` +--- +SV-230382: +Old: +``` +Providing users with feedback on when account accesses via SSH last +occurred facilitates user recognition and reporting of unauthorized account +use. 
+ +``` +New: +``` +Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use. + +``` +--- +SV-230383: +Old: +``` +Setting the most restrictive default permissions ensures that when new +accounts are created, they do not have unnecessary access. + +``` +New: +``` +Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. + +``` +--- +SV-230384: +Old: +``` +The umask controls the default access mode assigned to newly created +files. A umask of 077 limits new files to mode 600 or less permissive. Although +umask can be represented as a four-digit number, the first digit representing +special access modes is typically ignored or required to be "0". This +requirement applies to the globally configured system defaults and the local +interactive user defaults for each account on the system. + +``` +New: +``` +The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. + +``` +--- +SV-230385: +Old: +``` +The umask controls the default access mode assigned to newly created +files. A umask of 077 limits new files to mode 600 or less permissive. Although +umask can be represented as a four-digit number, the first digit representing +special access modes is typically ignored or required to be "0". This +requirement applies to the globally configured system defaults and the local +interactive user defaults for each account on the system. + +``` +New: +``` +The umask controls the default access mode assigned to newly created files. 
A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. + +``` +--- +SV-230386: +Old: +``` +Misuse of privileged functions, either intentionally or +unintentionally by authorized users, or by unauthorized external entities that +have compromised information system accounts, is a serious and ongoing concern +and can have significant adverse impacts on organizations. Auditing the use of +privileged functions is one way to detect such misuse and identify the risk +from insider threats and the advanced persistent threat. + +``` +New: +``` +Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. + + + +``` +--- +SV-230387: +Old: +``` +Cron logging can be used to trace the successful or unsuccessful +execution of cron jobs. It can also be used to spot intrusions into the use of +the cron facility by unauthorized and malicious users. + +``` +New: +``` +Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. + +``` +--- +SV-230388: +Old: +``` +It is critical for the appropriate personnel to be aware if a system +is at risk of failing to process audit logs as required. 
Without this +notification, the security personnel may be unaware of an impending failure of +the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the +audit capturing mechanisms, and audit storage capacity being reached or +exceeded. + + This requirement applies to each audit data storage repository (i.e., +distinct information system component where audit records are stored), the +centralized audit storage capacity of organizations (i.e., all audit data +storage repositories combined), or both. + +``` +New: +``` +It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +``` +--- +SV-230389: +Old: +``` +It is critical for the appropriate personnel to be aware if a system +is at risk of failing to process audit logs as required. Without this +notification, the security personnel may be unaware of an impending failure of +the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the +audit capturing mechanisms, and audit storage capacity being reached or +exceeded. 
+ + This requirement applies to each audit data storage repository (i.e., +distinct information system component where audit records are stored), the +centralized audit storage capacity of organizations (i.e., all audit data +storage repositories combined), or both. + +``` +New: +``` +It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +``` +--- +SV-230390: +Old: +``` +It is critical for the appropriate personnel to be aware if a system +is at risk of failing to process audit logs as required. Without this +notification, the security personnel may be unaware of an impending failure of +the audit capability, and system operation may be adversely affected. + + Audit processing failures include software/hardware errors, failures in the +audit capturing mechanisms, and audit storage capacity being reached or +exceeded. + + This requirement applies to each audit data storage repository (i.e., +distinct information system component where audit records are stored), the +centralized audit storage capacity of organizations (i.e., all audit data +storage repositories combined), or both. + +``` +New: +``` +It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +``` +--- +SV-230392: +Old: +``` +It is critical that when RHEL 8 is at risk of failing to process audit +logs as required, it takes action to mitigate the failure. Audit processing +failures include software/hardware errors; failures in the audit capturing +mechanisms; and audit storage capacity being reached or exceeded. Responses to +audit failure depend upon the nature of the failure mode. + + When availability is an overriding concern, other approved actions in +response to an audit failure are as follows: + + 1) If the failure was caused by the lack of audit record storage capacity, +RHEL 8 must continue generating audit records if possible (automatically +restarting the audit service if necessary) and overwriting the oldest audit +records in a first-in-first-out manner. + + 2) If audit records are sent to a centralized collection server and +communication with this server is lost or the server fails, RHEL 8 must queue +audit records locally until communication is restored or until the audit +records are retrieved manually. Upon restoration of the connection to the +centralized collection server, action should be taken to synchronize the local +audit data with the collection server. + +``` +New: +``` +It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. 
Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. + +When availability is an overriding concern, other approved actions in response to an audit failure are as follows: + +1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. + +2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server. + +``` +--- +SV-230393: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
+ +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +``` +--- +SV-230394: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Enriched logging is needed to determine who, what, and when events occur on +a system. Without this, determining root cause of an event will be much more +difficult. + + When audit logs are not labeled before they are sent to a central log +server, the audit data will not be able to be analyzed and tied back to the +correct system. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. 
+ +When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. + +``` +--- +SV-230395: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Enriched logging aids in making sense of who, what, and when events occur +on a system. Without this, determining root cause of an event will be much +more difficult. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. + +``` +--- +SV-230396: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. 
Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + +``` +--- +SV-230397: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. 
Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+
+
+```
+---
+SV-230398:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+
+
+```
+---
+SV-230399:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+
+
+```
+---
+SV-230400:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+
+
+```
+---
+SV-230401:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+
+
+```
+---
+SV-230402:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+ In immutable mode, unauthorized users cannot execute changes to the audit
+system to potentially hide malicious activity and then put the audit rules
+back. A system reboot would be noticeable and a system administrator could
+then investigate the unauthorized changes.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.
+
+
+
+```
+---
+SV-230403:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+ In immutable mode, unauthorized users cannot execute changes to the audit
+system to potentially hide malicious activity and then put the audit rules
+back. A system reboot would be noticeable and a system administrator could
+then investigate the unauthorized changes.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.
+
+
+
+```
+---
+SV-230404:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230405:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230406:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230407:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230408:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230409:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230410:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230411:
+Old:
+```
+Without establishing what type of events occurred, the source of
+events, where events occurred, and the outcome of events, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or
+attack.
+
+ Audit record content that may be necessary to satisfy this requirement
+includes, for example, time stamps, source and destination addresses,
+user/process identifiers, event descriptions, success/fail indications,
+filenames involved, and access control or flow control rules invoked.
+
+ Associating event types with detected events in RHEL 8 audit logs provides
+a means of investigating an attack, recognizing resource utilization or
+capacity thresholds, or identifying an improperly configured RHEL 8 system.
+
+```
+New:
+```
+Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.
+
+
+
+```
+---
+SV-230412:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "su" command allows a
+user to run commands with a substitute user and group ID.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1".
The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "su" command allows a user to run commands with a substitute user and group ID.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230413:
+Old:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+"Setxattr" is a system call used to set an extended attribute value.
+"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.
+"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.
+"Removexattr" is a system call that removes extended attributes.
+"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.
+"Lremovexattr" is a system call that removes extended attributes.
This is used for removal of extended attributes from symbolic links.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+"Setxattr" is a system call used to set an extended attribute value.
+"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.
+"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.
+"Removexattr" is a system call that removes extended attributes.
+"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.
+"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1".
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+
+
+```
+---
+SV-230418:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "chage" command is
+used to change or view user password expiry information.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1".
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230419:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "chcon" command is
+used to change file SELinux security context.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chcon" command is used to change file SELinux security context.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230421:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "ssh-agent" is a
+program to hold private keys used for public key authentication.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230422:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "passwd" command is
+used to change passwords for user accounts.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "passwd" command is used to change passwords for user accounts.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230423:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "mount" command is
+used to mount a filesystem.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295".
The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230424:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "umount" command is
+used to unmount a filesystem.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "umount" command is used to unmount a filesystem.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230425:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "mount" syscall is
+used to mount a filesystem.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295".
The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230426:
+Old:
+```
+Reconstruction of harmful events or forensic analysis is not possible
+if audit records do not contain enough information.
+
+ At a minimum, the organization must audit the full-text recording of
+privileged commands. The organization must maintain audit trails in sufficient
+detail to reconstruct events to determine the cause and impact of compromise.
+"Unix_update" is a helper program for the "pam_unix" module that updates
+the password for a given user. It is not intended to be run directly from the
+command line and logs a security violation if done so.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. "Unix_update" is a helper program for the "pam_unix" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230427:
+Old:
+```
+Reconstruction of harmful events or forensic analysis is not possible
+if audit records do not contain enough information.
+
+ At a minimum, the organization must audit the full-text recording of
+privileged commands. The organization must maintain audit trails in sufficient
+detail to reconstruct events to determine the cause and impact of compromise.
+The "postdrop" command creates a file in the maildrop directory and copies
+its standard input to the file.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+
+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postdrop" command creates a file in the maildrop directory and copies its standard input to the file.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230428:
+Old:
+```
+Reconstruction of harmful events or forensic analysis is not possible
+if audit records do not contain enough information.
+
+ At a minimum, the organization must audit the full-text recording of
+privileged commands.
The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "postqueue" command implements the Postfix user interface for queue +management. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postqueue" command implements the Postfix user interface for queue management. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230429: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "semanage" command is used to configure certain elements of SELinux +policy without requiring modification to or recompilation from policy sources. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. 
Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230430: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "setfiles" command is primarily used to initialize the security context +fields (extended attributes) on one or more filesystems (or parts of them). +Usually it is initially run as part of the SELinux installation process (a step +commonly known as labeling). + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". 
The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling). + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230431: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "userhelper" command is not intended to be run interactively. +"Userhelper" provides a basic interface to change a user's password, gecos +information, and shell. The main difference between this program and its +traditional equivalents (passwd, chfn, chsh) is that prompts are written to +standard out to make it easy for a graphical user interface wrapper to +interface to it as a child process. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". 
The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "userhelper" command is not intended to be run interactively. "Userhelper" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230432: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "setsebool" command sets the current state of a particular SELinux +boolean or a list of booleans to a given value. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". 
The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux boolean or a list of booleans to a given value. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230433: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "unix_chkpwd" command is a helper program for the pam_unix module that +verifies the password of the current user. It also checks password and account +expiration dates in shadow. It is not intended to be run directly from the +command line and logs a security violation if done so. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. 
+ +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "unix_chkpwd" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230434: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "ssh-keysign" program +is an SSH helper program for host-based authentication. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. 
+ +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230435: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "setfacl" command is +used to set file access control lists. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). 
The "setfacl" command is used to set file access control lists. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230436: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "pam_timestamp_check" +command is used to check if the default timestamp is valid. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "pam_timestamp_check" command is used to check if the default timestamp is valid. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230437: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "newgrp" command is +used to change the current group ID during a login session. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "newgrp" command is used to change the current group ID during a login session. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230438: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230439: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. + +The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. +The "rmdir" system call removes empty directories. +The "renameat" system call renames a file, moving it between directories if required. +The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. 
+ +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. + +The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. +The "rmdir" system call removes empty directories. +The "renameat" system call renames a file, moving it between directories if required. +The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. 
+ + + +``` +--- +SV-230444: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "gpasswd" command is +used to administer /etc/group and /etc/gshadow. Every group can have +administrators, members and a password. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230446: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. 
+ + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "delete_module" +command is used to unload a kernel module. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230447: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "crontab" command is +used to maintain crontab files for individual users. Crontab is the program +used to install, remove, or list the tables used to drive the cron daemon. This +is similar to the task scheduler used in other operating systems. 
+ + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "crontab" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230448: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chsh" command is +used to change the login shell. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". 
The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chsh" command is used to change the login shell. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230449: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. + +The "creat" system call is used to open and possibly create a file or device. +The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". +The "openat" system call opens a file specified by a relative pathname. +The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. 
+ +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. + +The "creat" system call is used to open and possibly create a file or device. +The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". +The "openat" system call opens a file specified by a relative pathname. +The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230455: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. + +The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. +The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. +The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. + +The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. +The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. +The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230456: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). 
The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. + +The "fchmod" system call is used to change permissions of a file. +The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. + +The "fchmod" system call is used to change permissions of a file. +The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. 
Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230462: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "sudo" command allows +a permitted user to execute a command as the superuser or another user, as +specified by the security policy. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. 
+ +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230463: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "usermod" command +modifies the system account files to reflect the changes that are specified on +the command line. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "usermod" command modifies the system account files to reflect the changes that are specified on the command line. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230464: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chacl" command is +used to change the access control list of a file or directory. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230465: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). 
The "kmod" command is +used to control Linux Kernel modules. + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. + + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "kmod" command is used to control Linux Kernel modules. + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230466: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + + From "Pam_Faillock man" pages: Note the default directory that +pam_faillock uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + +From "Pam_Faillock man" pages: Note the default directory that pam_faillock uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230467: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230468: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230469: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + Allocating an audit_backlog_limit of sufficient size is critical in +maintaining a stable boot process. With an insufficient limit allocated, the +system is susceptible to boot failures and crashes. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. 
Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. + +``` +--- +SV-230470: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230471: +Old: +``` +Without the capability to restrict the roles and individuals that can +select which events are audited, unauthorized personnel may be able to prevent +the auditing of critical events. Misconfigured audits may degrade the system's +performance by overwhelming the audit log. Misconfigured audits may also make +it more difficult to establish, correlate, and investigate the events relating +to an incident or identify those responsible for one. + +``` +New: +``` +Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +``` +--- +SV-230472: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. 
+ + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + +``` +--- +SV-230473: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. + + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. 
Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + + +``` +--- +SV-230474: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. + + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
+
+RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+
+
+```
+---
+SV-230475:
+Old:
+```
+Protecting the integrity of the tools used for auditing purposes is a
+critical step toward ensuring the integrity of audit information. Audit
+information includes all information (e.g., audit records, audit settings, and
+audit reports) needed to successfully audit information system activity.
+
+ Audit tools include, but are not limited to, vendor-provided and open
+source audit tools needed to successfully view and manipulate audit information
+system activity and records. Audit tools include custom queries and report
+generators.
+
+ It is not uncommon for attackers to replace the audit tools or inject code
+into the existing tools with the purpose of providing the capability to hide or
+erase system activity from the audit logs.
+
+ To address this risk, audit tools must be cryptographically signed to
+provide the capability to identify when the audit tools have been modified,
+manipulated, or replaced. An example is a checksum hash of the file or files.
+
+```
+New:
+```
+Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
+
+Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
+
+It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs.
+
+To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.
+
+```
+---
+SV-230476:
+Old:
+```
+To ensure RHEL 8 systems have a sufficient storage capacity in which
+to write the audit logs, RHEL 8 needs to be able to allocate audit record
+storage capacity.
+
+ The task of allocating audit record storage capacity is usually performed
+during initial installation of RHEL 8.
+
+```
+New:
+```
+To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity.
+
+The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8.
+
+```
+---
+SV-230477:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "gnutls" (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to
+securely encrypt and off-load auditing.
+
+ Rsyslog provides three ways to forward message: the traditional UDP
+transport, which is extremely lossy but standard; the plain TCP based
+transport, which loses messages only during certain situations but is widely
+available; and the RELP transport, which does not lose messages but is
+currently available only as part of the rsyslogd 3.15.0 and above.
+ Examples of each configuration:
+ UDP *.* @remotesystemname
+ TCP *.* @@remotesystemname
+ RELP *.* :omrelp:remotesystemname:2514
+ Note that a port number was given as there is no standard port for RELP.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.
+Examples of each configuration:
+UDP *.* @remotesystemname
+TCP *.* @@remotesystemname
+RELP *.* :omrelp:remotesystemname:2514
+Note that a port number was given as there is no standard port for RELP.
+
+```
+---
+SV-230478:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "rsyslog-gnutls" (which is a secure
+communications library implementing the SSL, TLS and DTLS protocols), and you
+have a method to securely encrypt and off-load auditing.
+
+ Rsyslog provides three ways to forward message: the traditional UDP
+transport, which is extremely lossy but standard; the plain TCP based
+transport, which loses messages only during certain situations but is widely
+available; and the RELP transport, which does not lose messages but is
+currently available only as part of the rsyslogd 3.15.0 and above.
+ Examples of each configuration:
+ UDP *.* @remotesystemname
+ TCP *.* @@remotesystemname
+ RELP *.* :omrelp:remotesystemname:2514
+ Note that a port number was given as there is no standard port for RELP.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "rsyslog-gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.
+Examples of each configuration:
+UDP *.* @remotesystemname
+TCP *.* @@remotesystemname
+RELP *.* :omrelp:remotesystemname:2514
+Note that a port number was given as there is no standard port for RELP.
+
+```
+---
+SV-230479:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "gnutls" (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to
+securely encrypt and off-load auditing.
+
+ Rsyslog provides three ways to forward message: the traditional UDP
+transport, which is extremely lossy but standard; the plain TCP based
+transport, which loses messages only during certain situations but is widely
+available; and the RELP transport, which does not lose messages but is
+currently available only as part of the rsyslogd 3.15.0 and above.
+ Examples of each configuration:
+ UDP *.* @remotesystemname
+ TCP *.* @@remotesystemname
+ RELP *.* :omrelp:remotesystemname:2514
+ Note that a port number was given as there is no standard port for RELP.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.
+Examples of each configuration:
+UDP *.* @remotesystemname
+TCP *.* @@remotesystemname
+RELP *.* :omrelp:remotesystemname:2514
+Note that a port number was given as there is no standard port for RELP.
+
+
+
+```
+---
+SV-230480:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "gnutls" (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to
+securely encrypt and off-load auditing.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+
+
+```
+---
+SV-230481:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "gnutls" (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to
+securely encrypt and off-load auditing.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+
+
+```
+---
+SV-230482:
+Old:
+```
+Information stored in one location is vulnerable to accidental or
+incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit
+storage capacity.
+
+ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
+utility providing support for message logging. Support for both internet and
+UNIX domain sockets enables this utility to support both local and remote
+logging. Couple this utility with "gnutls" (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to
+securely encrypt and off-load auditing.
+
+ "Rsyslog" supported authentication modes include:
+ anon - anonymous authentication
+ x509/fingerprint - certificate fingerprint authentication
+ x509/certvalid - certificate validation only
+ x509/name - certificate validation and subject name authentication.
+
+```
+New:
+```
+Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
+
+"Rsyslog" supported authentication modes include:
+anon - anonymous authentication
+x509/fingerprint - certificate fingerprint authentication
+x509/certvalid - certificate validation only
+x509/name - certificate validation and subject name authentication.
+
+
+
+```
+---
+SV-230483:
+Old:
+```
+If security personnel are not notified immediately when storage volume
+ reaches 75 percent utilization, they are unable to plan for audit record
+ storage capacity expansion.
+
+```
+New:
+```
+If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
+
+```
+---
+SV-230484:
+Old:
+```
+Inaccurate time stamps make it more difficult to correlate events and
+can lead to an inaccurate analysis. Determining the correct time a particular
+event occurred on a system is critical when conducting forensic analysis and
+investigating system events. Sources outside the configured acceptable
+allowance (drift) may be inaccurate.
+
+ Synchronizing internal information system clocks provides uniformity of
+time stamps for information systems with multiple system clocks and systems
+connected over a network.
+
+ Organizations should consider endpoints that may not have regular access to
+the authoritative time server (e.g., mobile, teleworking, and tactical
+endpoints).
+
+ If time stamps are not consistently applied and there is no common time
+reference, it is difficult to perform forensic analysis.
+
+ Time stamps generated by the operating system include date and time. Time
+is commonly expressed in Coordinated Universal Time (UTC), a modern
+continuation of Greenwich Mean Time (GMT), or local time with an offset from
+UTC.
+
+ RHEL 8 utilizes the "timedatectl" command to view the status of the
+"systemd-timesyncd.service". The "timedatectl" status will display the
+local time, UTC, and the offset from UTC.
+
+ Note that USNO offers authenticated NTP service to DoD and U.S. Government
+agencies operating on the NIPR and SIPR networks. Visit
+https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.
+
+```
+New:
+```
+Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
+
+Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
+
+Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
+
+If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
+
+Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
+
+RHEL 8 utilizes the "timedatectl" command to view the status of the "systemd-timesyncd.service". The "timedatectl" status will display the local time, UTC, and the offset from UTC.
+
+Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.
+
+
+
+```
+---
+SV-230487:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ Examples of non-essential capabilities include, but are not limited to,
+games, software packages, tools, and demonstration software not related to
+requirements or providing a wide array of functionality not required for every
+mission, but which cannot be disabled.
+
+ Verify the operating system is configured to disable non-essential
+capabilities. The most secure way of ensuring a non-essential capability is
+disabled is to not have the capability installed.
+
+ The telnet service provides an unencrypted remote access service that does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+ If a privileged user were to log on using this service, the privileged user
+password could be compromised.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.
+
+If a privileged user were to log on using this service, the privileged user password could be compromised.
+
+```
+---
+SV-230488:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives.
These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ Examples of non-essential capabilities include, but are not limited to,
+games, software packages, tools, and demonstration software not related to
+requirements or providing a wide array of functionality not required for every
+mission, but which cannot be disabled.
+
+ Verify the operating system is configured to disable non-essential
+capabilities. The most secure way of ensuring a non-essential capability is
+disabled is to not have the capability installed.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+```
+---
+SV-230489:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ Examples of non-essential capabilities include, but are not limited to,
+games, software packages, tools, and demonstration software not related to
+requirements or providing a wide array of functionality not required for every
+mission, but which cannot be disabled.
+
+ Verify the operating system is configured to disable non-essential
+capabilities. The most secure way of ensuring a non-essential capability is
+disabled is to not have the capability installed.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+```
+---
+SV-230491:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ Examples of non-essential capabilities include, but are not limited to,
+games, software packages, tools, and demonstration software not related to
+requirements or providing a wide array of functionality not required for every
+mission, but which cannot be disabled.
+
+ Verify the operating system is configured to disable non-essential
+capabilities. The most secure way of ensuring a non-essential capability is
+disabled is to not have the capability installed.
+
+ Kernel page-table isolation is a kernel feature that mitigates the Meltdown
+security vulnerability and hardens the kernel against attempts to bypass kernel
+address space layout randomization (KASLR).
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services.
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).
+
+```
+---
+SV-230492:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ The rsh-server service provides an unencrypted remote access service that
+does not provide for the confidentiality and integrity of user passwords or the
+remote session and has very weak authentication.
+
+ If a privileged user were to log on using this service, the privileged user
+password could be compromised.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives.
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.
+
+If a privileged user were to log on using this service, the privileged user password could be compromised.
+
+
+
+```
+---
+SV-230493:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect from collaborative computing devices (i.e., cameras)
+can result in subsequent compromises of organizational information. Providing
+easy methods to physically disconnect from such devices after a collaborative
+computing session helps to ensure participants actually carry out the
+disconnect activity without having to go through complex and tedious procedures.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information.
Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.
+
+
+
+```
+---
+SV-230494:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Asynchronous Transfer Mode (ATM) is a protocol operating on network,
+data link, and physical layers, based on virtual circuits and virtual paths.
+Disabling ATM protects the system against exploitation of any laws in its
+implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation.
+
+```
+---
+SV-230495:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Controller Area Network (CAN) is a serial communications protocol,
+which was initially developed for automotive and is now also used in marine,
+industrial, and medical applications. Disabling CAN protects the system against
+exploitation of any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation.
+
+```
+---
+SV-230496:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Stream Control Transmission Protocol (SCTP) is a transport layer
+protocol, designed to support the idea of message-oriented communication, with
+several streams of messages within one connection. Disabling SCTP protects the
+system against exploitation of any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives.
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.
+
+```
+---
+SV-230497:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Transparent Inter-Process Communication (TIPC) protocol is designed to
+provide communications between nodes in a cluster. Disabling TIPC protects the
+system against exploitation of any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation.
+
+```
+---
+SV-230498:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Removing support for unneeded filesystem types reduces the local attack
+surface of the server.
+
+ Compressed ROM/RAM file system (or cramfs) is a read-only file system
+designed for simplicity and space-efficiency. It is mainly used in embedded
+and small-footprint systems.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Removing support for unneeded filesystem types reduces the local attack surface of the server.
+
+Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.
+
+```
+---
+SV-230499:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time
+communication. Disabling FireWire protects the system against exploitation of
+any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives.
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation.
+
+```
+---
+SV-230500:
+Old:
+```
+To prevent unauthorized connection of devices, unauthorized transfer
+of information, or unauthorized tunneling (i.e., embedding of data types within
+data types), organizations must disable or restrict unused or unnecessary
+physical and logical ports/protocols on information systems.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services provided by default may not be
+necessary to support essential organizational operations. Additionally, it is
+sometimes convenient to provide multiple services from a single component
+(e.g., VPN and IPS); however, doing so increases risk over limiting the
+services provided by any one component.
+
+ To support the requirements and principles of least functionality, the
+operating system must support the organizational requirements, providing only
+essential capabilities and limiting the use of ports, protocols, and/or
+services to only those required, authorized, and approved to conduct official
+business or to address authorized quality-of-life issues.
+
+```
+New:
+```
+To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations.
Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
+
+To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.
+
+```
+---
+SV-230502:
+Old:
+```
+Automatically mounting file systems permits easy introduction of
+unknown devices, thereby facilitating malicious activity.
+
+```
+New:
+```
+Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
+
+```
+---
+SV-230503:
+Old:
+```
+USB mass storage permits easy introduction of unknown devices, thereby
+facilitating malicious activity.
+
+```
+New:
+```
+USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
+
+
+
+```
+---
+SV-230504:
+Old:
+```
+Failure to restrict network connectivity only to authorized systems
+permits inbound connections from malicious systems. It also permits outbound
+connections that may facilitate exfiltration of DoD data.
+
+ RHEL 8 incorporates the "firewalld" daemon, which allows for many
+different configurations. One of these configurations is zones. Zones can be
+utilized to a deny-all, allow-by-exception approach. The default "drop" zone
+will drop all incoming network packets unless it is explicitly allowed by the
+configuration file or is related to an outgoing network connection.
+
+```
+New:
+```
+Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
+
+RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.
+
+```
+---
+SV-230505:
+Old:
+```
+"Firewalld" provides an easy and effective way to block/limit remote
+access to the system via ports, services, and protocols.
+
+ Remote access services, such as those providing remote access to network
+devices and information systems, which lack automated control capabilities,
+increase risk and make remote user access management difficult at best.
+
+ Remote access is access to DoD nonpublic information systems by an
+authorized user (or an information system) communicating through an external,
+non-organization-controlled network. Remote access methods include, for
+example, dial-up, broadband, and wireless.
+
+ RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement
+action if the audit reveals unauthorized activity. Automated control of remote
+access sessions allows organizations to ensure ongoing compliance with remote
+access policies by enforcing connection rules of remote access applications on
+a variety of information system components (e.g., servers, workstations,
+notebook computers, smartphones, and tablets).
+
+```
+New:
+```
+"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
+
+Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
+
+```
+---
+SV-230506:
+Old:
+```
+Without protection of communications with wireless peripherals,
+confidentiality and integrity may be compromised because unprotected
+communications can be intercepted and either read, altered, or used to
+compromise the RHEL 8 operating system.
+
+ This requirement applies to wireless peripheral technologies (e.g.,
+wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless
+peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and
+Near Field Communications [NFC]) present a unique challenge by creating an
+open, unsecured port on a computer. Wireless peripherals must meet DoD
+requirements for wireless data transmission and be approved for use by the
+Authorizing Official (AO). Even though some wireless peripherals, such as mice
+and pointing devices, do not ordinarily carry information that need to be
+protected, modification of communications with these wireless peripherals may
+be used to compromise the RHEL 8 operating system. Communication paths outside
+the physical protection of a controlled boundary are exposed to the possibility
+of interception and modification.
+
+ Protecting the confidentiality and integrity of communications with
+wireless peripherals can be accomplished by physical means (e.g., employing
+physical barriers to wireless radio frequencies) or by logical means (e.g.,
+employing cryptographic techniques). If physical means of protection are
+employed, then logical means (cryptography) do not have to be employed, and
+vice versa. If the wireless peripheral is only passing telemetry data,
+encryption of the data may not be required.
+
+```
+New:
+```
+Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
+
+This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques).
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.
+
+
+
+```
+---
+SV-230507:
+Old:
+```
+Without protection of communications with wireless peripherals,
+confidentiality and integrity may be compromised because unprotected
+communications can be intercepted and either read, altered, or used to
+compromise the RHEL 8 operating system.
+
+ This requirement applies to wireless peripheral technologies (e.g.,
+wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless
+peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and
+Near Field Communications [NFC]) present a unique challenge by creating an
+open, unsecured port on a computer. Wireless peripherals must meet DoD
+requirements for wireless data transmission and be approved for use by the
+Authorizing Official (AO). Even though some wireless peripherals, such as mice
+and pointing devices, do not ordinarily carry information that need to be
+protected, modification of communications with these wireless peripherals may
+be used to compromise the RHEL 8 operating system. Communication paths outside
+the physical protection of a controlled boundary are exposed to the possibility
+of interception and modification.
+
+ Protecting the confidentiality and integrity of communications with
+wireless peripherals can be accomplished by physical means (e.g., employing
+physical barriers to wireless radio frequencies) or by logical means (e.g.,
+employing cryptographic techniques). If physical means of protection are
+employed, then logical means (cryptography) do not have to be employed, and
+vice versa. If the wireless peripheral is only passing telemetry data,
+encryption of the data may not be required.
+
+```
+New:
+```
+Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
+
+This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.
+
+```
+---
+SV-230508:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges.
This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230509:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230510:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230511:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible.
Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230512:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230513:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230514: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230515: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230516: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230517: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230518: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230519: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230520: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230521: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230522: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230523: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for +allowing the execution of only authorized software. Using only authorized +software decreases risk by limiting the number of potential vulnerabilities. +Verification of whitelisted software occurs prior to execution or at system +startup. 
+ + User home directories/folders may contain information of a sensitive +nature. Non-privileged users should coordinate any sharing of information with +an SA through shared resources. + + RHEL 8 ships with many optional packages. One such package is a file access +policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that +determines access rights to files based on attributes of the process and file. +It can be used to either blacklist or whitelist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper +configuration may render the system non-functional. The "fapolicyd" API is +not namespace aware and can cause issues when launching or running containers. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + +RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. 
The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + + +``` +--- +SV-230524: +Old: +``` +Without authenticating devices, unidentified or unknown devices may be +introduced, thereby facilitating malicious activity. + + Peripherals include, but are not limited to, such devices as flash drives, +external storage, and printers. + + A new feature that RHEL 8 provides is the USBGuard software framework. The +USBguard-daemon is the main component of the USBGuard software framework. It +runs as a service in the background and enforces the USB device authorization +policy for all USB devices. The policy is defined by a set of rules using a +rule language described in the usbguard-rules.conf file. The policy and the +authorization state of USB devices can be modified during runtime using the +usbguard tool. + + The System Administrator (SA) must work with the site Information System +Security Officer (ISSO) to determine a list of authorized peripherals and +establish rules within the USBGuard software framework to allow only authorized +devices. + +``` +New: +``` +Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. + +A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
+ +The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + +``` +--- +SV-230525: +Old: +``` +DoS is a condition when a resource is not available for legitimate +users. When this occurs, the organization either cannot accomplish its mission +or must operate at degraded capacity. + + This requirement addresses the configuration of RHEL 8 to mitigate the +impact of DoS attacks that have occurred or are ongoing on system availability. +For each system, known and potential DoS attacks must be identified and +solutions for each type implemented. A variety of technologies exists to limit +or, in some cases, eliminate the effects of DoS attacks (e.g., limiting +processes or establishing memory partitions). Employing increased capacity and +bandwidth, combined with service redundancy, may reduce the susceptibility to +some DoS attacks. + + Since version 0.6.0, "firewalld" has incorporated "nftables" as its +backend support. Utilizing the limit statement in "nftables" can help to +mitigate DoS attacks. + +``` +New: +``` +DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + +This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. 
+ +Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks. + +``` +--- +SV-230526: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + + + +``` +--- +SV-230527: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + + Session key regeneration limits the chances of a session key becoming +compromised. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
+ +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + +Session key regeneration limits the chances of a session key becoming compromised. + + + +``` +--- +SV-230529: +Old: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete when at the +console, can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. + +``` +New: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230530: +Old: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete, when at the +console, can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. 
+ +``` +New: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230531: +Old: +``` +A locally logged-on user who presses Ctrl-Alt-Delete when at the +console can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. + +``` +New: +``` +A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230532: +Old: +``` +The debug-shell requires no authentication and provides root +privileges to anyone who has physical access to the machine. While this +feature is disabled by default, masking it adds an additional layer of +assurance that it will not be enabled via a dependency in systemd. This also +prevents attackers with physical access from trivially bypassing security on +the machine through valid troubleshooting configurations and gaining root +access when the system is rebooted. 
+ +``` +New: +``` +The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. + +``` +--- +SV-230533: +Old: +``` +If TFTP is required for operational support (such as the transmission +of router configurations) its use must be documented with the Information +System Security Officer (ISSO), restricted to only authorized personnel, and +have access control rules established. + +``` +New: +``` +If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established. + +``` +--- +SV-230534: +Old: +``` +If an account other than root also has a User Identifier (UID) of +"0", it has root authority, giving that account unrestricted access to the +entire operating system. Multiple accounts with a UID of "0" afford an +opportunity for potential intruders to guess a password for a privileged +account. + +``` +New: +``` +If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account. + +``` +--- +SV-230550: +Old: +``` +If unrestricted mail relaying is permitted, unauthorized senders could +use this host as a mail relay for the purpose of sending spam or other +unauthorized activity. 
+ +``` +New: +``` +If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. + +``` +--- +SV-230551: +Old: +``` +Extended attributes in file systems are used to contain arbitrary data +and file metadata with security implications. + + RHEL 8 installation media come with a file integrity tool, Advanced +Intrusion Detection Environment (AIDE). + +``` +New: +``` +Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. + +RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). + +``` +--- +SV-230552: +Old: +``` +ACLs can provide permissions beyond those permitted through the file +mode and must be verified by file integrity tools. + + RHEL 8 installation media come with a file integrity tool, Advanced +Intrusion Detection Environment (AIDE). + +``` +New: +``` +ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. + +RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). + +``` +--- +SV-230553: +Old: +``` +Internet services that are not required for system or application +processes must not be active to decrease the attack surface of the system. +Graphical display managers have a long history of security vulnerabilities and +must not be used, unless approved and documented. + +``` +New: +``` +Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. + +``` +--- +SV-230554: +Old: +``` +Network interfaces in promiscuous mode allow for the capture of all +network traffic visible to the system. 
If unauthorized individuals can access +these applications, it may allow them to collect information such as logon IDs, +passwords, and key exchanges between systems. + + If the system is being used to perform a network troubleshooting function, +the use of these tools must be documented with the Information System Security +Officer (ISSO) and restricted to only authorized personnel. + +``` +New: +``` +Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. + +If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel. + +``` +--- +SV-230555: +Old: +``` +The security risk of using X11 forwarding is that the client's X11 +display server may be exposed to attack when the SSH client requests +forwarding. A system administrator may have a stance in which they want to +protect clients that may expose themselves to attack by unwittingly requesting +X11 forwarding, which can warrant a "no" setting. + + X11 forwarding should be enabled with caution. Users with the ability to +bypass file permissions on the remote host (for the user's X11 authorization +database) can access the local X11 display through the forwarded connection. An +attacker may then be able to perform activities such as keystroke monitoring if +the ForwardX11Trusted option is also enabled. + + If X11 services are not required for the system's intended function, they +should be disabled or restricted as appropriate to the system’s needs. + +``` +New: +``` +The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. 
A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting. + +X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. + +If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs. + +``` +--- +SV-230556: +Old: +``` +When X11 forwarding is enabled, there may be additional exposure to +the server and client displays if the sshd proxy display is configured to +listen on the wildcard address. By default, sshd binds the forwarding server +to the loopback address and sets the hostname part of the DIPSLAY environment +variable to localhost. This prevents remote hosts from connecting to the proxy +display. + +``` +New: +``` +When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. + +``` +--- +SV-230557: +Old: +``` +Restricting TFTP to a specific directory prevents remote users from +copying, transferring, or overwriting system files. + +``` +New: +``` +Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. 
+ +``` +--- +SV-230558: +Old: +``` +The FTP service provides an unencrypted remote access that does not +provide for the confidentiality and integrity of user passwords or the remote +session. If a privileged user were to log on using this service, the privileged +user password could be compromised. SSH or other encrypted file transfer +methods must be used in place of this service. + +``` +New: +``` +The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. + +``` +--- +SV-230559: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The gssproxy package is a proxy for GSS API credential handling and could +expose secrets on some networks. It is not needed for normal function of the OS. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS. + +``` +--- +SV-230560: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The iprutils package provides a suite of utilities to manage and configure +SCSI devices supported by the ipr SCSI storage device driver. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. + +``` +--- +SV-230561: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. 
These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The tuned package contains a daemon that tunes the system settings +dynamically. It does so by monitoring the usage of several system components +periodically. Based on that information, components will then be put into lower +or higher power savings modes to adapt to the current usage. The tuned package +is not needed for normal OS operations. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations. + +``` +--- +SV-237640: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. 
+ + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + Currently, Kerberos does not utilize FIPS 140-2 cryptography. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +Currently, Kerberos does not utilize FIPS 140-2 cryptography. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-237641: +Old: +``` +The sudo command allows a user to execute programs with elevated +(administrator) privileges. It prompts the user for their password and confirms +your request to execute a command by checking a file, called sudoers. If the +"sudoers" file is not configured correctly, any user defined on the system +can initiate privileged actions on the target system. + +``` +New: +``` +The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. 
+ +``` +--- +SV-237642: +Old: +``` +The sudoers security policy requires that users authenticate +themselves before they can use sudo. When sudoers requires authentication, it +validates the invoking user's credentials. If the rootpw, targetpw, or runaspw +flags are defined and not disabled, by default the operating system will prompt +the invoking user for the "root" user password. + For more information on each of the listed configurations, reference the +sudoers(5) manual page. + +``` +New: +``` +The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +For more information on each of the listed configurations, reference the sudoers(5) manual page. + +``` +--- +SV-237643: +Old: +``` +Without re-authentication, users may access resources or perform tasks +for which they do not have authorization. + + When operating systems provide the capability to escalate a functional +capability, it is critical the organization requires the user to +re-authenticate when using the "sudo" command. + + If the value is set to an integer less than 0, the user's time stamp will +not expire and the user will not have to re-authenticate for privileged actions +until the user's session is terminated. + +``` +New: +``` +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. 
+ +If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. + +``` +--- +SV-244519: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. + + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + + + +``` +--- +SV-244523: +Old: +``` +If the system does not require valid root authentication before it +boots into emergency or rescue mode, anyone who invokes emergency or rescue +mode is granted privileged access to all files on the system. + +``` +New: +``` +If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. + +``` +--- +SV-244524: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. 
+ + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-244525: +Old: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. 
The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +``` +New: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. 
If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + + + +``` +--- +SV-244526: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The SSH +configuration file has no effect on the ciphers, MACs, or algorithms unless +specifically defined in the /etc/sysconfig/sshd file. The employed algorithms +can be viewed in the /etc/crypto-policies/back-ends/ directory. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. 
The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. + + + +``` +--- +SV-244527: +Old: +``` +The most important characteristic of a random number generator is its +randomness, namely its ability to deliver random numbers that are impossible to +predict. Entropy in computer security is associated with the unpredictability +of a source of randomness. The random source with high entropy tends to +achieve a uniform distribution of random values. Random number generators are +one of the most important building blocks of cryptosystems. + + The rngd service feeds random data from hardware device to kernel random +device. Quality (non-predictable) random number generation is important for +several security functions (i.e., ciphers). + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers). + +``` +--- +SV-244528: +Old: +``` +Configuring this setting for the SSH daemon provides additional +assurance that remote logon via SSH will require a password, even in the event +of misconfiguration elsewhere. + +``` +New: +``` +Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. 
+ +``` +--- +SV-244529: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-244530: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-244531: +Old: +``` +Excessive permissions on local interactive user home directories may +allow unauthorized access to user files by other users. + +``` +New: +``` +Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. + +``` +--- +SV-244532: +Old: +``` +If a local interactive user's files are group-owned by a group of +which the user is not a member, unintended users may be able to access them. + +``` +New: +``` +If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them. + +``` +--- +SV-244533: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. 
Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + The preauth argument must be used when the module is called before the +modules which ask for the user credentials such as the password. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. +The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. 
+ + + +``` +--- +SV-244534: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + The preauth argument must be used when the module is called before the +modules which ask for the user credentials such as the password. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. 
+The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. + + + +``` +--- +SV-244535: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + + + +``` +--- +SV-244536: +Old: +``` +Leaving the user list enabled is a security risk since it allows +anyone with physical access to the system to enumerate known user accounts +without authenticated access to the system. + +``` +New: +``` +Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. 
+ +``` +--- +SV-244538: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + + Implementing session settings will have little value if a user is able to +manipulate these settings from the defaults prescribed in the other +requirements of this implementation guide. + + Locking these settings from non-privileged users is crucial to maintaining +a protected baseline. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Locking these settings from non-privileged users is crucial to maintaining a protected baseline. 
+ + + +``` +--- +SV-244539: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + + Implementing session settings will have little value if a user is able to +manipulate these settings from the defaults prescribed in the other +requirements of this implementation guide. + + Locking these settings from non-privileged users is crucial to maintaining +a protected baseline. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Locking these settings from non-privileged users is crucial to maintaining a protected baseline. + + + +``` +--- +SV-244541: +Old: +``` +If an account has an empty password, anyone could log on and run +commands with the privileges of that account. 
Accounts with empty passwords +should never be used in operational environments. + +``` +New: +``` +If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. + +``` +--- +SV-244542: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Associating event types with detected events in RHEL 8 audit logs provides +a means of investigating an attack, recognizing resource utilization or +capacity thresholds, or identifying an improperly configured RHEL 8 system. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. 
+ + + +``` +--- +SV-244543: +Old: +``` +If security personnel are not notified immediately when storage volume +reaches 75 percent utilization, they are unable to plan for audit record +storage capacity expansion. + +``` +New: +``` +If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. + +``` +--- +SV-244544: +Old: +``` +"Firewalld" provides an easy and effective way to block/limit remote +access to the system via ports, services, and protocols. + + Remote access services, such as those providing remote access to network +devices and information systems, which lack automated control capabilities, +increase risk and make remote user access management difficult at best. + + Remote access is access to DoD nonpublic information systems by an +authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement +action if the audit reveals unauthorized activity. Automated control of remote +access sessions allows organizations to ensure ongoing compliance with remote +access policies by enforcing connection rules of remote access applications on +a variety of information system components (e.g., servers, workstations, +notebook computers, smartphones, and tablets). + +``` +New: +``` +"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + +Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. 
+ +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. +RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + +``` +--- +SV-244545: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for +allowing the execution of only authorized software. Using only authorized +software decreases risk by limiting the number of potential vulnerabilities. +Verification of whitelisted software occurs prior to execution or at system +startup. + + User home directories/folders may contain information of a sensitive +nature. Non-privileged users should coordinate any sharing of information with +an SA through shared resources. + + RHEL 8 ships with many optional packages. One such package is a file access +policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that +determines access rights to files based on attributes of the process and file. +It can be used to either blacklist or whitelist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper +configuration may render the system non-functional. 
The "fapolicyd" API is +not namespace aware and can cause issues when launching or running containers. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + +RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + + +``` +--- +SV-244546: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for +allowing the execution of only authorized software. Using only authorized +software decreases risk by limiting the number of potential vulnerabilities. 
+Verification of whitelisted software occurs prior to execution or at system +startup. + + User home directories/folders may contain information of a sensitive +nature. Non-privileged users should coordinate any sharing of information with +an SA through shared resources. + + RHEL 8 ships with many optional packages. One such package is a file access +policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that +determines access rights to files based on attributes of the process and file. +It can be used to either blacklist or whitelist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper +configuration may render the system non-functional. The "fapolicyd" API is +not namespace aware and can cause issues when launching or running containers. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + +RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +Proceed with caution with enforcing the use of this daemon. 
Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + + +``` +--- +SV-244547: +Old: +``` +Without authenticating devices, unidentified or unknown devices may be +introduced, thereby facilitating malicious activity. + Peripherals include, but are not limited to, such devices as flash drives, +external storage, and printers. + A new feature that RHEL 8 provides is the USBGuard software framework. The +USBguard-daemon is the main component of the USBGuard software framework. It +runs as a service in the background and enforces the USB device authorization +policy for all USB devices. The policy is defined by a set of rules using a +rule language described in the usbguard-rules.conf file. The policy and the +authorization state of USB devices can be modified during runtime using the +usbguard tool. + + The System Administrator (SA) must work with the site Information System +Security Officer (ISSO) to determine a list of authorized peripherals and +establish rules within the USBGuard software framework to allow only authorized +devices. + +``` +New: +``` +Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. +A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
+ +The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + +``` +--- +SV-244548: +Old: +``` +Without authenticating devices, unidentified or unknown devices may be +introduced, thereby facilitating malicious activity. + + Peripherals include, but are not limited to, such devices as flash drives, +external storage, and printers. + + A new feature that RHEL 8 provides is the USBGuard software framework. The +USBguard-daemon is the main component of the USBGuard software framework. It +runs as a service in the background and enforces the USB device authorization +policy for all USB devices. The policy is defined by a set of rules using a +rule language described in the usbguard-rules.conf file. The policy and the +authorization state of USB devices can be modified during runtime using the +usbguard tool. + + The System Administrator (SA) must work with the site Information System +Security Officer (ISSO) to determine a list of authorized peripherals and +establish rules within the USBGuard software framework to allow only authorized +devices. + +``` +New: +``` +Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. + +A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
+ +The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + +``` +--- +SV-244549: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
+ +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + + + +``` +--- +SV-250315: +Old: +``` +By limiting the number of failed logon attempts, the risk of + unauthorized system access via user password guessing, otherwise known as + brute-force attacks, is reduced. Limits are imposed by locking the account. + + From "faillock.conf" man pages: Note that the default directory that + "pam_faillock" uses is usually cleared on system boot so the access will be + re-enabled after system reboot. If that is undesirable, a different tally + directory must be set with the "dir" option. + + SELinux, enforcing a targeted policy, will require any non-default tally + directory's security context type to match the default directory's security + context type. Without updating the security context type, the pam_faillock + module will not write failed login attempts to the non-default tally directory. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. + +SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory. 
+
+```
+---
+SV-250316:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+ unauthorized system access via user password guessing, otherwise known as
+ brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+ "pam_faillock" uses is usually cleared on system boot so the access will be
+ reenabled after system reboot. If that is undesirable, a different tally
+ directory must be set with the "dir" option.
+
+ SELinux, enforcing a targeted policy, will require any non-default tally
+ directory's security context type to match the default directory's security
+ context type. Without updating the security context type, the pam_faillock
+ module will not write failed login attempts to the non-default tally directory.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
+
+SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
+
+```
+---
+SV-250317:
+Old:
+```
+Routing protocol daemons are typically used on routers to exchange network
+ topology information with other routers. If this software is used when not required,
+ system network information may be unnecessarily transmitted across the network.
+
+ The sysctl --system command will load settings from all system configuration files.
+
+ All configuration files are sorted by their filename in lexicographic order, regardless
+ of which of the directories they reside in. If multiple files specify the same option,
+ the entry in the file with the lexicographically latest name will take precedence.
+
+ Files are read from directories in the following list from top to bottom. Once a file of a
+ given filename is loaded, any file of the same name in subsequent directories is ignored.
+
+ /etc/sysctl.d/*.conf
+ /run/sysctl.d/*.conf
+ /usr/local/lib/sysctl.d/*.conf
+ /usr/lib/sysctl.d/*.conf
+ /lib/sysctl.d/*.conf
+ /etc/sysctl.conf
+
+```
+New:
+```
+Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+/etc/sysctl.d/*.conf
+/run/sysctl.d/*.conf
+/usr/local/lib/sysctl.d/*.conf
+/usr/lib/sysctl.d/*.conf
+/lib/sysctl.d/*.conf
+/etc/sysctl.conf
+
+```
+---
+SV-251707:
+Old:
+```
+If RHEL 8 were to allow any user to make changes to software libraries,
+ then those changes might be implemented without undergoing the appropriate
+ testing and approvals that are part of a robust change management process.
+
+ This requirement applies to RHEL 8 with software libraries that are accessible
+ and configurable, as in the case of interpreted languages. Software libraries
+ also include privileged programs that execute with escalated privileges. Only
+ qualified and authorized individuals will be allowed to obtain access to
+ information system components for purposes of initiating changes, including
+ upgrades and modifications.
+
+```
+New:
+```
+If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+```
+---
+SV-251708:
+Old:
+```
+If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+```
+New:
+```
+If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+```
+---
+SV-251709:
+Old:
+```
+If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+```
+New:
+```
+If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+```
+---
+SV-251710:
+Old:
+```
+Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed.
+ Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the
+ system security policy and supporting the isolation of code and data on which the protection is based. Security functionality
+ includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges),
+ setting events to be audited, and setting intrusion detection parameters.
+
+ This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and
+ environments that require this functionality.
+
+```
+New:
+```
+Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality.
+
+```
+---
+SV-251711:
+Old:
+```
+The "sudo" command allows authorized users to run programs (including shells) as other users,
+ system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as
+ well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers"
+ file allow configured users to run programs without re-authenticating. Use of these configuration
+ options makes it easier for one compromised account to be used to compromise other accounts.
+
+ It is possible to include other sudoers files from within the sudoers file currently being parsed
+ using the #include and #includedir directives. When sudo reaches this line it will suspend
+ processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the
+ end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are
+ included may themselves include other files. A hard limit of 128 nested include files is enforced
+ to prevent include file loops.
+
+```
+New:
+```
+The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
+
+It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.
+
+```
+---
+SV-251712:
+Old:
+```
+Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
+
+```
+New:
+```
+Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
+
+
+
+```
+---
+SV-254520:
+Old:
+```
+Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+
+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.
+
+```
+New:
+```
+Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+
+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.
+
+```
+---
+
\ No newline at end of file diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index 143ec0ecf..153cd04a9 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -12,6 +12,7 @@ author: Daniel Medina, George Dias A detailed log of the output of the command execution with additional information and metadata. [Example Log File Output](../../assets/downloads/CliProcessOutput.log) +[WHAT](../../.vuepress/public/assets/downloads/CliProcessOutput.log) ### 5.1.2 delta.json From 9a117a39fa6ff0c9026387756c09d61f5dba9a5f Mon Sep 17 00:00:00 2001 From: George M Dias Date: Thu, 5 Dec 2024 09:47:20 -0600 Subject: [PATCH 24/71] removed testing link and assets/dowloads folder Signed-off-by: George M Dias --- src/assets/downloads/CliProcessOutput.log | 1069 -- ...endor_STIG_Process_Guide_V4R1_20220815.pdf | Bin 892101 -> 0 bytes src/assets/downloads/delta.json | 1136 -- src/assets/downloads/report | 10483 ---------------- src/courses/delta/05.md | 1 - 5 files changed, 12689 deletions(-) delete mode 100644 src/assets/downloads/CliProcessOutput.log delete mode 100644 src/assets/downloads/U_Vendor_STIG_Process_Guide_V4R1_20220815.pdf delete mode 100644 src/assets/downloads/delta.json delete mode 100644 src/assets/downloads/report diff --git a/src/assets/downloads/CliProcessOutput.log b/src/assets/downloads/CliProcessOutput.log deleted file mode 100644 index 6ae8e024f..000000000 --- a/src/assets/downloads/CliProcessOutput.log +++ /dev/null 
@@ -1,1069 +0,0 @@ -==================== Delta Process ===================== -Date: 2024-11-26T18:06:16.889Z -Process Flags =========================================== -logLevel=info -inspecJsonFile=d:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\profile_update4delta.json -xccdfXmlFile=d:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\xccdf\SQL_Server_16\U_MS_SQL_Server_2016_Database_V2R8_Manual_STIG\U_MS_SQL_Server_2016_Database_STIG_V2R8_Manual-xccdf.xml -deltaOutputDir=D:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\delta_controls -idType=rule -runMapControls=true -controlsDir=D:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\controls - - -Mapping controls (using fuzzy logic - lower value = best match) from the old profile to the new profile - -Mapping Process =========================================================================== - New XCCDF Control: SV-213900 -* No Mapping Provided * - -Processing New Control: SV-213901 - New Control Title: SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. - Best Match Candidate: SV-213764 --> SV-213901 - Matching Score: 0.0508 - -Processing New Control: SV-213902 - New Control Title: SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. - Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. 
- No Match Found for: SV-213774 --> SV-213902 - Matching Score: 0.83125 - -Processing New Control: SV-213903 - New Control Title: SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). - Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. - No Match Found for: SV-213774 --> SV-213903 - Matching Score: 0.7890625 - -Processing New Control: SV-213904 - New Control Title: SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. - Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. - No Match Found for: SV-213774 --> SV-213904 - Matching Score: 0.7890625 - -Processing New Control: SV-213905 - New Control Title: SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. - Old Control Title: Where SQL Server Audit is in use at the database level, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the database level. - Best Match Candidate: SV-213766 --> SV-213905 - Matching Score: 0.0131 - -Processing New Control: SV-213906 - New Control Title: SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers. - Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. - No Match Found for: SV-213770 --> SV-213906 - Matching Score: 0.59375 - -Processing New Control: SV-213907 - New Control Title: SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server. 
- Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. - No Match Found for: SV-213770 --> SV-213907 - Matching Score: 0.49395 - -Processing New Control: SV-213908 - New Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. - Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. - Best Match Candidate: SV-213770 --> SV-213908 - Matching Score: 0.04478571428571428 - -Processing New Control: SV-213909 - New Control Title: The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users. - Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. - No Match Found for: SV-213770 --> SV-213909 - Matching Score: 0.49609375 - -Processing New Control: SV-213910 - New Control Title: In the event of a system failure, hardware loss or disk failure, SQL Server must be able to restore necessary databases with least disruption to mission processes. - Old Control Title: In the event of a system failure, SQL Server must preserve any information necessary to return to operations with least disruption to mission processes. 
- No Match Found for: SV-213773 --> SV-213910 - Matching Score: 0.6003999999999999 - -Processing New Control: SV-213911 - New Control Title: The Database Master Key encryption password must meet DOD password complexity requirements. - Old Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. - No Match Found for: SV-213779 --> SV-213911 - Matching Score: 0.7395833333333334 - -Processing New Control: SV-213912 - New Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. - Old Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. - Best Match Candidate: SV-213779 --> SV-213912 - Matching Score: 0.007050000000000001 - -Processing New Control: SV-213913 - New Control Title: The Certificate used for encryption must be backed up, stored offline and off-site. - Old Control Title: Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key. - No Match Found for: SV-213781 --> SV-213913 - Matching Score: 0.7708333333333334 - -Processing New Control: SV-213914 - New Control Title: SQL Server must isolate security functions from non-security functions. - Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. - No Match Found for: SV-213774 --> SV-213914 - Matching Score: 0.78125 - -Processing New Control: SV-213915 - New Control Title: Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. - Old Control Title: Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. 
- Best Match Candidate: SV-213775 --> SV-213915 - Matching Score: 0.0131 - -Processing New Control: SV-213916 - New Control Title: SQL Server must check the validity of all data inputs except those specifically identified by the organization. - Old Control Title: SQL Server must check the validity of all data inputs except those specifically identified by the organization. - Best Match Candidate: SV-213776 --> SV-213916 - Matching Score: 0.001 - -Processing New Control: SV-213917 - New Control Title: SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. - Old Control Title: The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. - Best Match Candidate: SV-213777 --> SV-213917 - Matching Score: 0.05291666666666667 - -Processing New Control: SV-213918 - New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. - Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. - Best Match Candidate: SV-213784 --> SV-213918 - Matching Score: 0.0131 - -Processing New Control: SV-213919 - New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. - Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. 
- Best Match Candidate: SV-213785 --> SV-213919 - Matching Score: 0.0131 - -Processing New Control: SV-213920 - New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. - Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. - Best Match Candidate: SV-213786 --> SV-213920 - Matching Score: 0.0131 - -Processing New Control: SV-213921 - New Control Title: SQL Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects. - Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. - No Match Found for: SV-213764 --> SV-213921 - Matching Score: 0.6171875 - -Processing New Control: SV-213922 - New Control Title: Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only. - Old Control Title: SQL Server must be monitored to discover unauthorized changes to stored procedures. - No Match Found for: SV-213769 --> SV-213922 - Matching Score: 0.8359375 - -Processing New Control: SV-213923 - New Control Title: SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. - Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. 
- No Match Found for: SV-213770 --> SV-213923 - Matching Score: 0.8125 - -Processing New Control: SV-213924 - New Control Title: SQL Server must enforce access restrictions associated with changes to the configuration of the database(s). - Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. - No Match Found for: SV-213764 --> SV-213924 - Matching Score: 0.796875 - -Processing New Control: SV-213926 - New Control Title: SQL Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. - Old Control Title: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. - Best Match Candidate: SV-213788 --> SV-213926 - Matching Score: 0.04334375 - -Processing New Control: SV-213927 - New Control Title: SQL Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components. - Old Control Title: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. - Duplicate Match: SV-213788 --> SV-213927 - Matching Score: 0.15120833333333333 - -Processing New Control: SV-251040 - New Control Title: SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements. 
- Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. - No Match Found for: SV-213764 --> SV-251040 - Matching Score: 0.6484375 - -Mapping Results =========================================================================== - Old Control -> New Control - SV-213764 -> SV-213901 - SV-213766 -> SV-213905 - SV-213770 -> SV-213908 - SV-213779 -> SV-213912 - SV-213775 -> SV-213915 - SV-213776 -> SV-213916 - SV-213777 -> SV-213917 - SV-213784 -> SV-213918 - SV-213785 -> SV-213919 - SV-213786 -> SV-213920 - SV-213788 -> SV-213926 -Total Mapped Controls: 11 - -Control Counts =========================== -Total Controls Available for Delta: 43 - Total Controls Found on XCCDF: 28 - -Match Statistics ========================= - Match Controls: 11 - Possible Mismatch Controls: 0 - Duplicate Match Controls: 1 - No Match Controls: 15 - New XCDDF Controls: 1 - -Statistics Validation ============================================= -Match + Mismatch = Total Mapped Controls: (11+0=11) true - Total Processed = Total XCCDF Controls: (11+0+1+15+1=28) true - - -Updating Controls =========================================================================== -Mapping (From --> To): SV-213764 --> SV-213901 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213764.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213764.rb - Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213764.rb to reference ID SV-213901 - New control name: SV-213901.rb - -Mapping (From --> To): SV-213766 --> SV-213905 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213766.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213766.rb - Mapped control file: 
\microsoft-sql-server-2014-database-stig-baseline\controls\SV-213766.rb to reference ID SV-213905 - New control name: SV-213905.rb - -Mapping (From --> To): SV-213770 --> SV-213908 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213770.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213770.rb - Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213770.rb to reference ID SV-213908 - New control name: SV-213908.rb - -Mapping (From --> To): SV-213779 --> SV-213912 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213779.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213779.rb - Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213779.rb to reference ID SV-213912 - New control name: SV-213912.rb - -Mapping (From --> To): SV-213775 --> SV-213915 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213775.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213775.rb - Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213775.rb to reference ID SV-213915 - New control name: SV-213915.rb - -Mapping (From --> To): SV-213776 --> SV-213916 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213776.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213776.rb - Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213776.rb to reference ID SV-213916 - New control name: SV-213916.rb - -Mapping (From --> To): SV-213777 --> SV-213917 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213777.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213777.rb - Mapped control file: 
\microsoft-sql-server-2014-database-stig-baseline\controls\SV-213777.rb to reference ID SV-213917 - New control name: SV-213917.rb - -Mapping (From --> To): SV-213784 --> SV-213918 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213784.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213784.rb - Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213784.rb to reference ID SV-213918 - New control name: SV-213918.rb - -Mapping (From --> To): SV-213785 --> SV-213919 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213785.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213785.rb - Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213785.rb to reference ID SV-213919 - New control name: SV-213919.rb - -Mapping (From --> To): SV-213786 --> SV-213920 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213786.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213786.rb - Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213786.rb to reference ID SV-213920 - New control name: SV-213920.rb - -Mapping (From --> To): SV-213788 --> SV-213926 - Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213788.rb - Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213788.rb - Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213788.rb to reference ID SV-213926 - New control name: SV-213926.rb - -Update Results =========================================================================== - -## Automatic Update: -> - -### New Controls: -+ SV-213900 - SQL Server databases must integrate with an organization-level authentication/access mechanism providing account 
management and automation for all users, groups, roles, and any other principals. -+ SV-213902 - SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. -+ SV-213903 - SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). -+ SV-213904 - SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. -+ SV-213906 - SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers. -+ SV-213907 - SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server. -+ SV-213909 - The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users. -+ SV-213910 - In the event of a system failure, hardware loss or disk failure, SQL Server must be able to restore necessary databases with least disruption to mission processes. -+ SV-213911 - The Database Master Key encryption password must meet DOD password complexity requirements. -+ SV-213913 - The Certificate used for encryption must be backed up, stored offline and off-site. -+ SV-213914 - SQL Server must isolate security functions from non-security functions. -+ SV-213921 - SQL Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects. -+ SV-213922 - Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only. -+ SV-213923 - SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) 
without explicit privileged status. -+ SV-213924 - SQL Server must enforce access restrictions associated with changes to the configuration of the database(s). -+ SV-213927 - SQL Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components. -+ SV-251040 - SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements. - - -### Updated Check/Fixes: -#### Checks: -
- Click to expand. -SV-213901: -Old: -``` -Review the system documentation to determine the required levels of protection for securables in the database, by type of user. - -Review the permissions actually in place in the database. - -The database permission functions and views provided in the supplemental file Permissions.sql can help with this. - -If the actual permissions do not match the documented requirements, this is a finding. - -``` - -Updated: -``` -Review the system documentation to determine the required levels of protection for securables in the database, by type of user. - -If the database is tempdb, this is NA. - -Review the permissions actually in place in the database. - -If the actual permissions do not match the documented requirements, this is a finding. - -Use the supplemental file "Database permission assignments to users and roles.sql". - -``` ---- -SV-213905: -Old: -``` -If SQL Server Audit is not in use at the database level, this is not applicable (NA). - -Obtain the list of approved audit maintainers from the system documentation. - -Review the database roles and individual users that have the following permissions, both of which enable the ability to maintain audit definitions: -ALTER ANY DATABASE AUDIT -CONTROL ON DATABASE - -The functions and views provided in the supplemental file Permissions.sql can assist in this review. In the following, "STIG" stands for the schema where you have deployed these views and functions. 
To see which logins and server roles have been granted these permissions: - SELECT - * - FROM - STIG.database_permissions P - WHERE - (P.[Permission] = 'ALTER ANY DATABASE AUDIT') - OR - (P.[Permission] = 'CONTROL' AND P.[Securable Type or Class] = 'DATABASE') - ; - -To see what users and database roles inherit these permissions from the database roles reported by the previous query, repeat the following for each one: - SELECT * FROM STIG.members_of_database_role(); - -To see all the permissions in effect for a database principal (server role or login): - SELECT * FROM STIG.server_effective_permissions(); - -If designated personnel are not able to configure auditable events, this is a finding. - -If unapproved personnel are able to configure auditable events, this is a finding. - -``` - -Updated: -``` -Obtain the list of approved audit maintainers from the system documentation. - -Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications. - -SELECT - R.name AS role_name, - RM.name AS role_member_name, - RM.type_desc -FROM sys.database_principals R -JOIN sys.database_role_members DRM ON - R.principal_id = DRM.role_principal_id -JOIN sys.database_principals RM ON - DRM.member_principal_id = RM.principal_id -WHERE R.type = 'R' - AND R.name = 'db_owner' -ORDER BY - role_member_name - -If any role memberships are not documented and authorized, this is a finding. - - -Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions. 
- -ALTER ANY DATABASE AUDIT -CONTROL - -Use the following query to determine the roles and users that have the listed permissions: - -SELECT - PERM.permission_name, - DP.name AS principal_name, - DP.type_desc AS principal_type, - DBRM.role_member_name -FROM sys.database_permissions PERM -JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id -LEFT OUTER JOIN ( - SELECT - R.principal_id AS role_principal_id, - R.name AS role_name, - RM.name AS role_member_name - FROM sys.database_principals R - JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id - JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id - WHERE R.type = 'R' -) DBRM ON DP.principal_id = DBRM.role_principal_id -WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT') -ORDER BY - permission_name, - principal_name, - role_member_name - - -If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding. - -``` ---- -SV-213908: -Old: -``` -Review system documentation to identify SQL Server accounts authorized to own database objects. - -If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. - -The view STIG.database_permissions, included in the supplemental file, Permissions.sql, can be of use in making this determination: -USE ; -GO -SELECT DISTINCT - S.[Schema/Owner] AS [Owner], - O.[Schema/Owner] AS [Schema], - O.[Securable] -FROM - STIG.database_permissions O - INNER JOIN STIG.database_permissions S - ON S.[Securable] = O.[Schema/Owner] - AND O.[Securable Type or Class] = 'OBJECT_OR_COLUMN' - AND S.[Securable Type or Class] = 'SCHEMA' -WHERE - S.[Schema/Owner] NOT IN ('dbo', 'sys', 'INFORMATION_SCHEMA' ... ) - -- Complete the "NOT IN" list with the names of user accounts authorized for ownership. -; -If any of the listed owners is not authorized, this is a finding. 
- -``` - -Updated: -``` -Review system documentation to identify SQL Server accounts authorized to own database objects. - -If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. - -The following query can be of use in making this determination: - -;with objects_cte as -(SELECT o.name, o.type_desc, - CASE - WHEN o.principal_id is null then s.principal_id - ELSE o.principal_id - END as principal_id - FROM sys.objects o - INNER JOIN sys.schemas s - ON o.schema_id = s.schema_id - WHERE o.is_ms_shipped = 0 -) -SELECT cte.name, cte.type_desc, dp.name as ObjectOwner -FROM objects_cte cte -INNER JOIN sys.database_principals dp -ON cte.principal_id = dp.principal_id -ORDER BY dp.name, cte.name - -If any of the listed owners is not authorized, this is a finding. - -``` ---- -SV-213915: -Old: -``` -Verify there are proper procedures in place for the transfer of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test and verify copies of production data are not left in unprotected locations. - -If there is no documented procedure for data movement from production to development/test, this is a finding. - -If data movement code that copies from production to development/test does exist and leaves any copies of production data in unprotected locations, this is a finding. - -``` - -Updated: -``` -Review the procedures for the refreshing of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose. Verify that copies of production data are not left in unprotected locations. If the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding. 
- -``` ---- -SV-213918: -Old: -``` -If security labeling is not required, this is not a finding. - -If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding. - -``` - -Updated: -``` -If security labeling is not required, this is not a finding. - -If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in storage, this is a finding. - -``` ---- -SV-213919: -Old: -``` -If security labeling is not required, this is not a finding. - -If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in process, this is a finding. - -``` - -Updated: -``` -If security labeling is not required, this is not a finding. - -If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in process, this is a finding. - -``` ---- -SV-213920: -Old: -``` -If security labeling is not required, this is not a finding. - -If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in transmission, this is a finding. - -``` - -Updated: -``` -If security labeling is not required, this is not a finding. - -If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in transmission, this is a finding. 
- -``` ---- -SV-213926: -Old: -``` -Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. - -If no information is identified as requiring such protection, this is not a finding. - -Review the configuration of SQL Server, Windows, and additional software as relevant. - -If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. - -If database transparent data encryption (TDE) is called for, check whether it is enabled: -In SQL Server Management Studio, Object Explorer, expand the instance and right-click on the database name; select properties. Select the Options page, State section, Encryption Enabled parameter. - -If the value displayed is False, this is a finding. - -If column encryption, done via SQL Server features, is required, review the definitions and contents of the relevant tables and columns. - -If any of the information defined as requiring cryptographic protection is not encrypted in a manner that provides the required level of protection, this is a finding. - -``` - -Updated: -``` -Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. - -If no information is identified as requiring such protection, this is not a finding. - -Review the configuration of SQL Server, Windows, and additional software as relevant. - -If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. 
- -If database transparent data encryption (TDE) is called for, check whether it is enabled: - -SELECT -DB_NAME(database_id) AS [Database Name], CASE encryption_state WHEN 0 THEN 'No database encryption key present, no encryption' -WHEN 1 THEN 'Unencrypted' -WHEN 2 THEN 'Encryption in progress' -WHEN 3 THEN 'Encrypted' -WHEN 4 THEN 'Key change in progress' -WHEN 5 THEN 'Decryption in progress' -WHEN 6 THEN 'Protection change in progress' -END AS [Encryption State] -FROM sys.dm_database_encryption_keys - -For each user database for which encryption is called for and it is marked Unencrypted, this is a finding. - -If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. - -Review the definitions and contents of the relevant tables/columns for the Always Encryption settings, if any of the information defined as requiring cryptographic protection is not encrypted this is a finding. - -``` ---- -
- -#### Fixes: -
- Click to expand. -SV-213905: -Old: -``` -Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions: -USE ; -GO -CREATE ROLE DATABASE_AUDIT_MAINTAINERS; -GO -GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS; -GO -(The role name used here is an example; other names may be used.) - -Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. - -Then, for each authorized database user, run the statement: -ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER ; -GO - -Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it. - -``` -New: -``` -Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (The role name used here is an example; other names may be used.): - -CREATE ROLE DATABASE_AUDIT_MAINTAINERS; -GO - -GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS; -GO - -Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement: - -ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER; -GO - -Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it. - -``` ---- -SV-213908: -Old: -``` -Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. - -To change the schema owning a database object in SQL Server, use this code: -USE ; -GO -ALTER SCHEMA TRANSFER .; -GO - -Caution: this can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. 
Deploy during a scheduled maintenance window. - -``` -New: -``` -Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. - -To change the schema owning a database object in SQL Server, use this code as an example: - -USE AdventureWorks2012; -GO -ALTER SCHEMA HumanResources TRANSFER Person.Address; -GO - -Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window. - -``` ---- -SV-213915: -Old: -``` -Create and document a process for moving data from production to development/test systems and follow the process. - -Modify any code used for moving data from production to development/test systems to ensure copies of production data are not left in unsecured locations. - -``` -New: -``` -Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations. - -``` ---- -SV-213916: -Old: -``` -Use triggers, constraints, foreign keys, etc. to validate data input. - -Modify SQL Server to properly use the correct column data types as required in the database. - -``` -New: -``` -Use parameterized queries, constraints, foreign keys, etc. to validate data input. - -Modify SQL Server to properly use the correct column data types as required in the database. - -``` ---- -SV-213917: -Old: -``` -Configure DBMS settings, custom database code, and associated application code not to divulge sensitive information or information useful for system identification in error messages that are displayed to general users. - -``` -New: -``` -Adjust database code to remove any information not required for explaining the error to an end user. 
- -Consider enabling trace flag 3625 to mask certain system-level error information returned to non-administrative users. - -Launch SQL Server Configuration Manager >> Click SQL Services >> Open the instance properties >> Click the Service Parameters tab >> Enter "-T3625" >> Click Add >> Click OK >> Restart SQL instance. - -``` ---- -SV-213918: -Old: -``` -Develop SQL or application code or acquire a third party tool to perform data labeling. - -``` -New: -``` -Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in storage. - -https://msdn.microsoft.com/en-us/library/dn765131.aspx - -``` ---- -SV-213919: -Old: -``` -Develop SQL or application code or acquire a third party tool to perform data labeling. - -``` -New: -``` -Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in process. - -https://msdn.microsoft.com/en-us/library/dn765131.aspx - -``` ---- -SV-213920: -Old: -``` -Develop SQL or application code or acquire a third party tool to perform data labeling. - -``` -New: -``` -Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in transmission. - -https://msdn.microsoft.com/en-us/library/dn765131.aspx - -``` ---- -SV-213926: -Old: -``` -Where full-disk encryption is required, configure Windows and/or the storage system to provide this. - -Where transparent data encryption (TDE) is required, deploy the necessary stack of certificates and keys, and set the Encryption Enabled to True. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 TDE". 
- -Where column encryption is required, deploy the necessary stack of certificates and keys, and enable encryption on the columns in question. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 Encrypt a Column of Data". - -``` -New: -``` -Where full-disk encryption is required, configure Windows and/or the storage system to provide this. - -Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. - -Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx. - -``` ---- - - -### Updated Impacts -
- Click to expand. -SV-213901: -Old: 0.5 -New: 0.7 ---- -SV-213905: -Old: 0 -New: 0.5 ---- -SV-213912: -Old: 0 -New: 0.5 ---- -SV-213918: -Old: 0 -New: 0.5 ---- -SV-213919: -Old: 0 -New: 0.5 ---- -SV-213920: -Old: 0 -New: 0.5 ---- -SV-213926: -Old: 0 -New: 0.5 ---- -
- -### Updated Titles -
- Click to expand. -SV-213901: -Old: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. -New: SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. ---- -SV-213905: -Old: Where SQL Server Audit is in use at the database level, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the database level. -New: SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. ---- -SV-213917: -Old: The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. -New: SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. ---- -SV-213918: -Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. -New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. ---- -SV-213919: -Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. -New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. 
---- -SV-213920: -Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. -New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. ---- -SV-213926: -Old: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. -New: SQL Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. ---- -
- -### Updated Descriptions -
- Click to expand. -SV-213901: -Old: -``` -Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the database and all its contents. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including SQL Server databases, must be properly configured to implement access control policies. - -Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. - -Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. - -This requirement is applicable to access control enforcement applications, a category that includes SQL Server. If SQL Server is not configured to follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy. - -``` -New: -``` -Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. 
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. - -Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. - -Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. - -This requirement is applicable to access control enforcement applications, a category that includes database management systems. If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy. - -``` ---- -SV-213905: -Old: -``` -Inspec attributes has specified that SQL Server Audit is not in use at - the database level, this is not applicable (NA) - -``` -New: -``` -Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. 
- -Suppression of auditing could permit an adversary to evade detection. - -Misconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -``` ---- -SV-213908: -Old: -``` -Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals. - -Conversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed. - -``` -New: -``` -Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals. - -Conversely, if critical tables or other objects in SQL Server rely on unauthorized owner accounts, these objects may be lost when an account is removed. - -``` ---- -SV-213912: -Old: -``` -No databases require encryption hence this is not a finding - -``` -New: -``` -When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. 
To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account. - -``` ---- -SV-213915: -Old: -``` -The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. - -Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, so copies of sensitive data are not misplaced or left in a temporary location without the proper controls. - -``` -New: -``` -Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. - -Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed. - -Copies of sensitive data must not be misplaced or left in a temporary location without the proper controls. - -``` ---- -SV-213916: -Old: -``` -Invalid user input occurs when a user inserts data or characters into an application’s data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. 
Invalid user input is one of the primary methods employed when attempting to compromise an application. - -SQL Server needs to validate the data user’s attempt to input to the application for processing. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands. - -A poorly designed database system can have many problems. A common issue with these types of systems is the missed opportunity to use constraints. - -This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered. - -``` -New: -``` -Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. - -With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. 
Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database. - -Even when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate. - -This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered. - -``` ---- -SV-213917: -Old: -``` -Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team. - -Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for end-user troubleshooting but very useful to someone targeting the system. - -Carefully consider the structure/content of error messages. 
The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. - -It is important that detailed error messages be visible only to those who are authorized to view them; that general users receive only generalized acknowledgment that errors have occurred; and that these generalized messages appear only when relevant to the user's task. For example, a message along the lines of, "An error has occurred. Unable to save your changes. If this problem persists, please contact your help desk" would be relevant. A message such as "Warning: your transaction generated a large number of page splits" would likely not be relevant. "ABGQ is not a valid widget code" would be appropriate; but "The INSERT statement conflicted with the FOREIGN KEY constraint "WidgetTransactionFK". The conflict occurred in database "DB7", table "dbo.WidgetMaster", column 'WidgetCode'" would not, as it reveals too much about the database structure. - -This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered. 
- -``` -New: -``` -Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team. - -Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system. - -Carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. - -``` ---- -SV-213918: -Old: -``` -Security labeling is stated as `not required` in the attributes file, - this control is not applicable - -``` -New: -``` -Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions. - -Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. 
- -These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. - -One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. - -The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code. - -``` ---- -SV-213919: -Old: -``` -Security labeling is stated as `not required` in the attributes file, - this control is not applicable - -``` -New: -``` -Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions. - -Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. - -These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. - -One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. 
- -The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code. - -``` ---- -SV-213920: -Old: -``` -Security labeling is stated as `not required` in the attributes file, - this control is not applicable - -``` -New: -``` -Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions. - -Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. - -The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code. - -``` ---- -SV-213926: -Old: -``` -If the application owner and Authorizing Official have - determined that encryption of data at rest is NOT required, this is not a - finding. - -``` -New: -``` -DBMSs handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation. 
- -Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). - -The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides. - -``` ---- -
diff --git a/src/assets/downloads/U_Vendor_STIG_Process_Guide_V4R1_20220815.pdf b/src/assets/downloads/U_Vendor_STIG_Process_Guide_V4R1_20220815.pdf deleted file mode 100644 index c17a418a090e731e58c83b779279d0e7f700a64c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 892101 zcmZs=V|1pm*F9WYQ`?#vcR96f+r4Ys*3`CbcWT?VZFlPb{2r|L`S500qurLFTDt(lv>kej`Smq>=5&^%vTvKEo7 z`R6lFz4j)0y^pwZw6jk^&VtwYPEvvK1!XmcN~&Ne6}7jpVnNJF!Qh2K0QV%Qu-FA) z8e+__=;!(o5Z}G`l$zIx%ade8UACri-AO_OaKRuW-Nys!`* zH6rCr&5voncsOuT3NGPk=6R7A2|%;+VCgT8%o#}P#c+`pAC9T!U<}?vH72A%r+HD~ zb(UJZZHKgjmB*p1uLe+bJOuwkBKA-QY^8wvo@t*%iY4&)abBVPTPq;O-sp96OfiUb zfSH{}Le!@rS1U9fBjA7hf=#3h!K2aETy-dWZxqUg%f&GiZXR2sC-VY^>#MCl43-{1#v6r zq7m;%bzqEUaHQwG&l16+HxU$3<~(Y%zT*p@Sv-*lL5V}Pwu!9mH;Wk?i!B7~OvW

ne%&? zaed0nVb}v`S-O=I}ekbDpNW;GlvZf{$hC+7k#M(^%8rYdxh&i}ebm9Jq!T-eh&$$1U5Cum& zV`WokV(ovyM8t?0RZQKTi5Vqr{sk8LA1nMnR+3nkm{Hiy+Rjng-q6^T_&*9H?8HpW z_Mfo-rvIly|B(Dwvx>^Up#P0VMFl|2^}khiV&?w_`Jdhz@^~azzx4da|G&8Zo1g!kf>GJU$oan*`!D3gjOrF9|1^+=iHVp| z!qmbX_>aB+)FuBh|NpZ4f2H=Y3(^^1y@jDFU51he%}jZc+?p+Dksip_s5NOFFf=*&J7sbbzcD*a z6KXBx->36-jV)E;FSq0E_u8l0%%^)xo79TR%F5}rlV6$gIQidGHiRU3Yu^dOC>a7k zxO|)?)4H&OdPqR12Q6p9cL#Ao9toe z@r9jA=Qb&V35ivr6v8TwSe<}`>%St7hvy!tGlIop1a?qx)m>1#b^Y}iC-eV60$%Va z1?}c8!G?nst7hPP1%6Y(@EJj5XM}tiSB2<<_JN`d7k*FmeG=prU*GzLR6+tEJ0asf zN|NmnPWxBe{KYV52N5#9o-i%1>FFk?rsZYx?_dGkA;TrJqjb1>0zoiOq>CX6cp0_g z3yia;WB>>BXu`C!9qxI>)t#)lg|x*DeEwBbe*QGBEgX)eAAB2xfSu!LZXLx`v^=W< zc|JA+KHjn{oH~{GE9=@%=hg$2(gm5;cbS!vGo;+t>)k&!v*|VVi$omr*c_`U{F_Of zi&;GDIjn1~kkLfKXjrq0x`21Ed{@=PJVPdN1AZ6+MKYi*;ndU=y+NaB2sB&ewgEU_ zZ%8kMKsGM@d8|J*@e}?Bq{KN<|JPJ@?AX zMi^oMYs4{?Vabe}EW=};j#@od$<<~5BvZz@D10@r25M?Y?BQf~QV^iTx1G+jiORNf z&AxQbvv3AgmUexId+|(oc28jaa$^B|3cS6!3BR_8239}V+1=h)KiXA3*jD|t^i*7Z zB<(pfm0PI%eXL$S)qE%093S1>cQw^#Bl}e?yUnYc`R?_ZiKn}vwJDbILAefI(($=_ zoVYc8ko{ap5REarRcPRatNT50uSVf{!{0zjVF#VT%`c{eXrN94p^`fkPdDQ0geD`8_BNO@Wf}}+d zfDM?JGV265<7Ns6!2{iW4S}{5M6$?v>4bodK+1}_K@32fc>|kI+fS3aA-f`DG^l*J z*mU-ra<$xesM`7#|A3U*Mx0QW6t%GOOqrLv=+4oexXJK|@N%n-L`VHF;*uhKG=a$cL;}acyK7>jy z)MZ7Y^$lFk&93s+C9|Rp*Mbp;&H>Z*0lN}5qXGuAdsCVUMloHlxmj3%FZdLX&_Xk? 
z0W$g}?~K{nGH;Cw0KQ<3nJKR9l!iLENH!d{voAG-f?-vMQ;K@V)UylH_IDzAb&kjp zT%fG)f&U^q!wy^BKix7r{0@~4X|h29&9(H^1EOVYmq&*US|d|v!3Vg{hTG1*(r(kv z>{3GEUIF=-^k5x(vFN{IP^#{i>gQ9feNrhbZ=008ikD7kcXVmcYi2h~_EjflSIiL9 zmLXCQkqnU^!Z3qM)j%PUHR`BN<{DnFNgah|If%%-4^`jxMOVX^*by=2!m-=N#Q6+p zX$D`rcdssj!2V=BU1=3WCd4qEZKT2WcH(TlrgN zcaRZZ`A&VxX6cJROWo%+Z2fb6;ajtI*U=z+oFQ9ypb>~Jg0|W&&?_Z_1LkBdxD((r zAF4o*VGS9=vf$)Y^m;2Hyk_DwY;85ElKAZ{z6v)TH2YB&x1rcPP>3^ z;lSQY1Y%xN6U($2^QQ|rWdq-SW^@D`Geoa}$CvBQ(ewY>UFI;5$?+Td0pQJw^xwKAJp|>AzE{cBjw+ zoGBdI6Ckq4HRZE};=>Y5NlZi`G=GRH4JM%5JAmn>Anfd$o^eW6)KI6BPk9g(;zQ{nEYMG2AMTu5Bn&!zVdV0jZR7B9APz99a6 ze)5Px^qfI>XG92{c_C+T#>iWXO7qRK5Q6{A+Z7O#HN2+Zg-A5)L19vxO4N5p_#5QZ zOEF0fuKq(Oi2uCAEHD!MoZ$;CYmvzBinrHnFS?v5Y`C{KO-xz930pcqkvHvk#uv`h zRSr<%$`6xe;evJRfOqbSeSL3p<^1D3;`583BpnG9`@= z?6D%m1JFk_tDEOXtwi6L@?9jLEg}c-gGzF60u40RL^Pp9G%y8~T62X5+&m{N5%Ux- z(!Nuupe~$ll=RLxoX3u5CXn=)zO+V5Oz#kl@+N_@~je%8bez z@gds-_z05$ee@SK|Cno$4gUHH&$Ya?VmvL3wa5DnQsowBwb+%*@92`~a##NVZUNW> zcFDo(YYgze9l;m+OK)I}LhtXT7mK2CU_R0@{*GG!h3iel-D%#=^PaI8wl0L16H2sd zdvh+pVrYTaaB70NAz*Dv>{dM91spfXUamPHDh01rXF|Jk5x`^35k^3HD3(|hK_f*er5rKu+zCKqoC2H2ESar- z*dw1JMP!nU6S1i0xNrbt#|^PF2m@E!L^CWxrxKG_=9B?V`~f5_qa@4CpbU8kCauR09!}QK`dEg;rNog}lGHB{kd*g(A!WpB z42{iHlGB5`j4OfKgMP}7z%a3%+T*3X(Pe7@_r^B@RO3iJ6HSl-`&~XN5HGbawkr#sa-r1*oy`8ymuCbT z7$6vaUl>F9*y(Em9w2SBp~z_qm7vfLNMVp2f?sg{gTtvvsHg@Zk}8TbZiGNykKoI> z2Jkn#G#qy$RXD}Z@l^{wnlL{D*B$$`*+%1?KG?zpE}B`BBIo;PG=QK&JMqGpfiWQ? 
zDEVWSfcZM4?P0^neHpg;#nKuK;F&_BA(mj)6(1fawhwK`4xhB$6mHN6xGw38tC=GYbYQmPiSP4eX3VH0e0(EKH1p0uhNWxTi1e z`75P-AfIb@9~-iPG+E%^HYu8c0JjrjN=V}{GjP|Bg~qGKD%`}$>$prwx=Vs)0dfE%U?SVnYF}8!|7^UK6=q5k2A&Oo*M*VJ2yu z3Mw1Z*u7%)J;4_+mBT-VZG9ouY(HXkXQz*R5J=1lK%snK38>FZE=KoVN9NazmJ`~+ z2t>EG%QT5?e$BD6k0y!f*$iSRPiEbAPI2l{%c@Bw9HLRAbN55o7%p-*=83Ajyew1G z1--0768)8%(9CQ}H^QF;z>~7-v{-k5?#{Wpy}r=OdWtECeVHOgFI_w(FGVjH90*OG zel%J}ziexo4<|woWqYyZ)x*f6QOyoU(Ab2R3;iZ9_h)FQ3t&JhwC8}O`xJaM)a>C> z*_bWMzvEpS%$ctL_N8yO{`P32e~kR;q#t>JqYWW;NElKzU-<)F(fyK^;Mu4kZV;{{ zLu6N02xgO7fQ~a+<-xjw2Yw`?C`xFLuf&@n=T=pO>FF!Fw|n_8pX6c;_GK=CA!JCC$Q#L1mR%xkUG=q z@k;B5GOEmxmrW5ZvE{*dYA9zyygw~@`}Cwt%3gNtw8^y zdorAEG|*55u^Q6gJZpUSZ2*q;G|dweH2CWQiV}U&rAo~ZR4}I23+kiW49Buwh=9RZ zcH1YK*{wEATMbZNyGVxY(X@2l zC{!u)%UL3Yl|5Z?I!kar5`a}6@(B(K!#$7~bt#7!-ycsROahYQcEd%djpX##q)|@J z>t&SuN}RVWJqvZGf-ad`Y469hq|8^$Bw1+rlNP-(evaScsw~~~uUM$}Qn>pGBDUvp zQ?0WvJo0X$%|zKd})xaz&pnu}{oFHI%SaOcZ{ z*?`5#tMZn0#oohApNV897ftUBZ&pP@@OV;Q$qIIUk8F!eT(wg;F@y6I+UklwJtoCJ zWAd2T8s4ubT$Wz+4Ap2k-6{mb;-@w|p1VwoUQ$^J7gt)4V!i)9!J!IIqrJmXfCAcO zCD$S>k|%Mp1#i3`vtf6pWKe(xsN<Zspe(E5B=e=XZnWPJioqxedxs?p~ye`_m1KL2!Aw4)PB!>ZVO zANg8gWh%JEkT~EV2%>&t${-STqG1JTczz%zAs&52$d5`4(k!&GWvwnLOTBBLdh-ys zP_p3BJS`i7-|UT=GW?9z79A=D`)8DZNi2eL3H2 z1ClgDKY4zN=78`sqAQ(}kyNr$qd+2sdRzeAoLI^vTxn?yA6&2`f;`g_|Mf~~tf`{K zstx+8hUZ}jdZN5RqaB~_BTkiE`lSx6cZnE1fCN2PuJaN9LX2*pqFUE7shD#5Ng)P@5>z)qrRp)TeRl`z@$3z)O)pr(PAh?1+X9k2}010S;+gJij3;}2cJ;ztO8R|1v=aHXHT-e<=vy$0ZsiYQc6*G`l}B0d==P`0piZV4 zF9^Sv*vD5GjB6tw9U#81t)84$ExLf+FY9NDtgptDTbNdB{X^LC`Y=NC)H*x3Hy3l*o#LNQ_`Mx-njwz!lbMu$;0XYl z$zV_7z>yfT2cd|qiCe-5Gn^j64P_0f3_%XUWa;cHcp&fhJ>ew{p|eq$n(O!RC&tZw ztl$ZiM#rMvBO-=N2M1UGwbZRgw=qEBj|~Tpx2LO_rJ195{vW3zF29u=d9?-D1egLk z2gC)x_#BE&Ofk&IyiB`QEmZN;0~sX|wB(=e9{6$Hq@bk|i>l<6u%!~S$srfCfy)`| z7z91@?C|X0lQ|C~Y+qlPOVrykY55@!p5JIt?%~Q0X}K^@4EhXOuhU_@#W5gyJ@0&KdTd4XRQvpMe{hn}9EXD!KK%`aA zT~A>>8P%i;IJfd7xaaD~<{qq?uLUQ=$!!@ZfsPE{0L*1~x^TqYdLgVfMBue z=fi1Nk>9Pa(Qc40F629%>DCwICJ#dpHLMY>5fl+dkw(~oD50FA3YZcYHZ90yAdJX# 
zC?Fu{*uuTeLF}eWmXWioP&A(3U-gu0s}ZEPL+~Fk4ZYDitzK77O9YKKK8;98L%6aP zD%YG~OQ30ht6ULb8)IYK8$V%`R}dfv_8-5tV9+VBmKeDLZDjrKmmw*Z717um@g#A< zedLBo0fR#UIR$mlB!o6nt>JU2&*qS6t7r-X{1-!{tIpw_?@6XecEb^y*_PPfT(i9X zVk$pY`sc6wJa53eg=&_CKz0)dIxIUp1vC2Y-gB#oXOkhop=}~*v(apcrSjm>MhiGA z=;FbU11H-!3G+l#%=|ejrnW`mL;XQ#K)m!4fOL|qyTdH2gx0Vl%c?gYE@8tAv0nkQ z#z7=b!fU`XFj*d9rzs$kqoMHw5Qr;%BrJJFr-lz!2sQxeh2S^~VEZh+``qEm$Ncr} zo}wjFzE^}~5R?rDfe77id0Tfp0BvpAJ1gigF;)M(c*c;L&M+~@URpo>d((LZ!)h6I z4bvn5FD5mncqv#CLai59_f@R3=?}EzrIFemeb3hDlKaVxaGDJZcVy^ACN~@4ON=UQ zTDFjWL%!?f2)868EMnm}xn%wZXhtHsAvkC0-H7%77t|k4RQPD;ADbIE zLQMO$03(Kf5rGc+d9L1`#HO%v=9o2L^Uw||Btd~H(K(Sv7g8JLg@Z97jd%-dQmU%K z9IH*YC`$uKLW%P1P~|X-ltt4KL}@h916k`S8`d%gi$jWQK6y=fZTbqkVpxSS%V?2h zvjvl*rE26%1zsl_1JW zheUAea4aJ!Yh+!qWL|M*uD6S*7D48e6{S|I@ z-t1Y(MB;;7h65A$G;Q3+8CUtaF!~Fibh zeK=mDQxspiRVr`15P`f8qJ%z^*0HX5QDuaEDShU*cAlL6B0-qy6QjQz1QFPI91}^z znhFgoGOJsCKe_!#ohd;NT7?R$7JUO#Rhj4yC@TAfeARQ(Vg2<`S>Lk!jFBdY@bXmP zy_B8oyhg{2L@K#2%CLaDQ=vyrjt7(`F6aSR1iMD<{iQ={ z=&%vXMA*+Lo!_Z(Lr6@P;21uB`RHnVaPoj-d`To>3+rrMHG0B6Q6Rx>7F06rubosroWK&Kq@pS~Etj zQC9TkQg8lFh4P0VMh^oMY!S8Tsx-RU%_>R!YoRbLeo%@#!GZvJ2WW)x8JOCsiK{)5 z;IK!RmMDpOir&#LdhKh~Qc=dM+vszIA`~2&xkRX_+WcP5<=d>&J9%x?(hVg8Ni)H< zE|7qh6g@2d0huNXsnPE(poy*`CGZKZ93RUup&=Ts)nLSy_hZml>@|dO1(r?L$00#M z*AQDZT?&&D?-uQh4!ML`oLHmPyw*eB4(z;1RM(c(hgl<@-xKzy1%kMxh+#a#F2y0I zfWKkdNbu@S^C!3p2%gMmIXQ+uoH7~qa-H9KmsSQF=_6SF2AZyR*aaHZ2B|prM`*k8 z{Jbo%su{fnBLYn(aY#rim0YT5f_0fXkuAAiK^W||*9^I=n)%QGt=$=MM*>$iIoPL~ z!WvuP;Ff2p71!@;zgk}XT?9kOS@(dEUu4kc22aF2aDRf)p6p*-5-jg#&)bD3d>_&9 zZc%h$!gAx|sMKH}+-GXNPQ-G($^|)rU|WnPOgxbVbu??-2+Jhd=&|72v2S~%tjro^ z$>N5I!UF{Imbn2?)}F@yMbFOo?_;aMkB3r|iT{J|(%_&!QI&$_}7XibZ{Ud=!eOvbTM zy1qD!*B5zN^%^xXv8$U?A(YUqJhENsE}RbpYR3|3r8-V183qfmMd-j(xY@vSw~yl{NNlsdYjY0IG-T2L&UayIlp*pa~K%g)Cn`CF}yb-z7|I* z7A9cyhf8=jaR8ej^(kcW4PpXPELB*cC!=2t=74vu;fS=O>pifr@(EGBRBn_6M zv4P|GXoeNc9MQJu6D-mO_xphSG*I&iwcxIAf{346GAAdv5{@KA0_a0Rzq2iWh%?28 zL;^>Z6iwE4$!3Q@I^B6D+(Kfk?U7`sXXK2eZQ|ccQ0%oI$Aqwhnm!WSoz+=>1v5Z+ 
z3x!~-L08)4Gzp>@QnMUTJDB^q0XyJnl5@d)5bGbs0I%-P#YC2OnP*NxM=q&;NVA20@`kh)oAzl% zCVC|`4*0?umX?`c$t9@c{>^KB5TZyixgdZ4e4CKdH}fzy8srh(|JWUs@f07fqLi|y zBa-dZ*4a0d05gKg6)zT5{qw5&X`CjFmY{QYhx&2CukeIeJz2zOMrxaXg zvDWi~k+&_Qqp;1y@8}C&+^YRt?->Bn_nJ|&o-vJ8>uLFma-&k4kf_VE&EBm$x;7|6 zC(p{jpLJJ|4J_(rWH)$LhU^a<(-T@*poZ~<3a=sY8mWf%zUeNy7{;MdCDY)T3C#C6 zSwy5n)w(7ovWIyEIbH?m&n$?n{264tV7Hv-Xaii7!1U9_KjOH!{HGV|Ra$1ta}miE z%u`kN2zYQDp$rVYu<%cZub%9ZTFXB!rn0D6itDYfj&gaqaq|PEBRtU?uk?U$lhx)l z2XMmW83K`Cwi|wN>XrvmY~3hU;DykMDj+m<^H#HuM_(xf3(Yl+Q@&)nhT<`r7dQ+< zji%&+!2zVXq?3ajlgQ}tJtkgb57;BrTF zDSmhaVIXrO6YL4qPt=4rzD3ZJgR4x4mZ(oJv0l)W4BNoR?N$+%ov_in{CjU13=(fs zro@xs{SI7M-A6=pcVQ>pb*Nf_(u0#1j+f5UOiPPX57&paVr71!@wJ>Eai@%RSU=jJ zOuBKTZEdORdo$s1)LO)z<)D^bL)o7>64$*Z6n-U#iC}Hb6 zT5fD#jGRN`>A!IB*;MlS-H0hk!tN}KX8v65MX@o-Ky$Z67X{I4_W*C2r3u_istY|C zh%;FbQ6P?&NTfnBiO;KYXrT6?tBaEh(<#!#AEL|Zy}w1K1v3N-#}(w=U7**S*6J9S z>z~kRTr6mYWwp)h@Z#5Q$Qgd3vfn>DrdTfk=tgPqc1Y+xaAqyW(!`y{cmKUBYIqGX zY0>B0CdoQQ5;hjE`%|l>0L3ge85+>{*~RV-cy|5^4G!N1R%DC^r1Vx&bp&%hq_sC zeItRMnXE!vVs((jaz2!8xpfa%i{GF0Z+3@Ul8I9y0@NBfBl+8cSjj~BD74rOlU!DL zUfXnEnVcqll*VYHt`IC;u_q}OxXD>3xDhVnqLD@_Ndg;T(g`_&?yaxWGl{3_>4{Wa zxzMD)@pKl_*zFfwLS!Qn?HK6B^FYB;zZt;j32m+HSyT%?4N>yhAX~He)*nQ=7`ZnEz zESW0nU@$^y{J971s03O29E~;JT}xU?T&sQ=n9aVtUK9-iNaQCen6I!4B>r8_W@1TT zjX9Wj1jPc51LNQ}!M2w{*Ilqv(&Y-97LAF#+l|QLkt7z}-xE#ousdS)6^-o-zz8^f z$tXRj^6G7Xa@VIdcgyAz%kyo=nK)qj?bNH2-02K4dAH!pag#2H7{}MX+Vc371eR7= zmi%{rM}n_@;^}gFUb7UW(hjlC&i+cq)1ipst&re8QE(q=In8ky6Ru3Kyhy-m8Iomx zrC;Wv$2@Ym@5gFUMNIghN}*ueY|0$(55p9VMTc~wkG#=N-c-iib}g$)Ir*HF{F>vu zE~2yKXUxmG#;r8oYtrkdT6eJCCopmq+q~?4wmcu&iW%7+tJfMXcmn(>323aR3#CCM zjS3`wgJ@HthaV@VZG=rgFCYhvRN3mM<dqbMBkb4;T`R_ReDPgmTEUw?YhNCSngj>4i&Z$Kl(bkudTtb>zx zBbI3wnyYt>|z24 zvNY(wWdOaxvKmc_wkMNJ&T1#D$FoEpV2No{6|OBCzXna^bNd+?)q3sX{JhlT9=#MT zH)XJAz(ip#-VDr$^U^31)ou#-UPG-LW3I(65U|;THzT;=Gh zMJo$->F!BS^q1}j;&lennuTDwoAOIn5KhqQOG)F3ydpNx&xlaOlAA6?Mw+v4=uy+= zq^0tyCGj-WdYY=gDkZ!NWPJ+cysx$&CY#Q|htVV6?}w#OATxU(>!ng=nb>XjJ4$ji 
zMa{A{vNbwJO^o&2{k8S-8)$6Ds~^jBzT1f}wiSsl?Vcsd67(^|ZOIYRlSnX&A7tjX zo>A{AEB7NTAuPF5^*q05PO4SIyRY7l7|!g`8iVpfDZ`2mB>EWJU$SB|wOUz6$Jp{v zY_xw^uDrqetcwAi;AR<1@J zYgy`oI9B^WS#-X%%BxpzOOS%jG#nhfiueGy;O3%Uf7*k+g(*PWPyXb59k`KM-rGdV z_FUSI4i%dX7*PLy`*M`!QQr|Up>8A>Lf48DOrbcx@A4(a8{;LY;o)6ivcK5A5dJx& z=bqRc>d0CzU)RgH@bf`DYS1ZiQ|ls7ZKI!XqZ4!^%eUjhx3XVNbWZxgMxK1*2FC4^ zZq-G&?i18+g4K7(%0V;=I3c{&LN!kxi~q7RK|`3Xt_J^bLoJmn0Z+7UXH`e-WvabK zI^$)ixk)_cX{fzSL+$mGt{MZYTjg+N{dlG0sOx#ueV@>8i0#q8SsY5;($2QJu7Pc{ zoxZN}{d9CR;`bJnB&r)dt2{m&sL6YXO9#EiN#h}@+xW`IeT$t$V>t_V4h2x+zSNRbYFJ{j?dQkqy;!cVzzCK9Lf??c-(PxyJ6VOq3CHuM4waZnIH& z*XQQ_2U=nns}{=TP6;tO*;6dvMDm(jkaF4*UeIu;>F{EXZxvs#`kL$6{n&OWDzOs3 z>XFV!mcT9ZJ*PRg%Q(k-g}Y~(rEr1WYtVcG-0;$)bR4OJKzOhUdeVkNR2-=zhi|Xr z$o%~=b3YPSa!9y#enEXB&d03T$G6l}uhQu(`!;B3q@!kRBFg$%?+A0Vj;`}qS;?Wj zX0HB{%EBXCQME&HPB$}av!7KJYNR&KEt_@CL0Rp2mAQJDzEMv_V`}RyuIr>m^A)kO zssocbRm0cRWQ1J!f;__Mt1Banw@~&a=Q=_AJOLXW#^OAqWZxt?&P{_Pa$Z%8furtI zZQ*e}XgL69P?^)WUBbMX(rM1<3Tp&5&8&4e$ULju*mOP2Oy^h8St zf}3ZxHw>?OiS0nLSI4IbLVGa5JGW@d&hO@k-uR*B?_1Vt3aeM|2@zw{z#2`EB^Jk! 
z`UgklNYgkc-IMI=_)?1vR>0Jh8m9){ph;%vO|wkfah&VI&zk_%FXfAQN>jZkQ`=PO zud&%r`J_L{er3@dPy6Y&OA;ww_$;g?Xhg0;yPAv-s(7y zq2{jKl{wzZZ>&jHOy~rZ@|qLS#)w>&t-730c}OKcOowgmL*Ew=(K1|jy_tmR?KwQh zWCqf|Bts$x!s&}7t!QKLr`(h=uib|$e~q$y2N-V?m_Cad_6rL3s-^F!(TGnsws88q z_g?Hl^Yd}qSzguk&0@|V=WCPqXZU28vdCfAOg!sKH$1|Og9Rx^4j)JvvS6`ki4!-%DhUdra)k;lhrW>8XHka zGsL^b4kA2j&pfXdT$=!zz#9`!1T8>J>R~$9t3qHnLw~N;@!!ItBdNqzHZ`6<_N?}; ze2ds+M6qdMWO_D+5rbiZg`9kO@}{UOby>ivBDa_!wnEDy+W5XsKCRaO+bA(az|-TY zHDZ;k#-tWmZX?E45eXnvEI-Z|iG0A|b?Kf?38R+RSSTbbp9n}&kURz>c~AJ>0-m36 z8*kL?r>ggvUO8j8zuoKON4GUV37v^o@&#hiCIK%a>32!~1zy_*@@sR|2brV&7_{hp54B3QvT+K759(rvzUW?~72kCgf1w->h zz)J%id%kO@>CD`HTR*3%SrUMMxP0_mWkYo29>pW4*0i(Qyy4^dpe$v&NjG(iZomAP ztL0czPjdub%5U>pIqfhhvsi+zDHhhwW<%{|HY(M1BfoQ-`v9Y?r;Fbe{ifD+va@Q` zkB;VIH?=te&Q{y{k8$@?NY#Eh%S#6Fb+~*#Y>qhG_L$yEbVuoPZ}yzkNR9ej^b^dR zjB%kXL=b17Cg_UCjHg){`@qx2Qi-USuXQj0b8y34;hPwJj4WjF=8B(Ds{tKa3nY$- z58ijn+Q}=dg;G-ZU;vTR^BW=s^xKR;dtz{FmW7b<-&2T)0{NUL-Gs{|@8 z#O|3!$8gTNIVKBSgR$4hr0mKgvi&)>GbZg6$pU!0Rlj4&Ysi&Tyh}}%_dAl3`b%(w zqw$am1|DRVs+0seDy3>MC=iq&qqUw+Jdv=kWpv*3b?}hzJm?Z?$a77sJf@p9;xb~P zk%g&Azt9wF%>>*6LKvrY**&p)RXB5sy`ITq+q1d*!g0O00D}~>Zh~RAbMq#H=R88y zqSeBdpr;{4+d*H)W9;(~ZDA9>p#pl}#_g}R-J2Tbp)PN(%UPtXS_r_S)JMuerN(b( zH~l1*wbFItB6x8q;OtHl=c>Im?uZkwg?i1P5a_$Eu|=lR~| zaau1|JwEr{<30EpKOR@Forp$7Ag9IOn0l99%$dK&)6AtG^D#T#TS;!WamLTS9s6P9 z`?jJUl}(RLWsl+Z7p!`k*;RkbNx$>0&TZso_4MAEb@*7jh~NrTMGu(1{PD3FM+pO^KBIX8!VEaU6#{nO-0*ZDU=(%Bx4)13cXHH- zDl0ekVs@X5rq3Q(0q)k%9(0z-ctE&rS2AnxD?EJph$WB6eTNd}N@pE3Cx-sOeJVx} zHWZGLK=AZ`q z?_jO-D!S}@+Pcd*evLhRdAY8sp?^J&AKf`+u6e?%OyF6g^Z4v(`SMMXGB{6!Oh~H! 
zT4+Jn_wzj6t1SCcYkj2}J|*0Hozb?_-RQnJOv&4i3u4>AkJ_w`bg~(r(LCf&HPfka zcj36)2Nk^YaD8UYtN<1DjWxX%?isKth`bmMq0&hIcdhf5$<_hy7r1YAW8=AdcI}%> zTOUp_DesB5!57An4O`+au#cRzV_O}QPT02 z5WttnI&c3G-P#SJ<1$SgTQ*P8zU*1D2M{DRY3FJ{XVt?GvXv*@XV8nZx^Tit`|%s; zjSOP__9?U70fA>VZJ^9>R;f@LGX48UjW2xlH>!Ht_3$A*PYu>omr#(oqA^rOY?>#5 z_eCdGVq*e1rZU|Ckp0iPnZ>%8#o5q^*s+4*(4Bmb-on-|NK^g+h3oRjK;N!mg~THm zjGT6Se&dTG#41_o+h_ZW9QMa5GyCcs5IB`OCNRciQYlgx@8!ley`R1=iEJx)wi<7* z3J`pxBi;u^K3^laeOL#SYF<~KQ__6Zqdm5I&Kni@lNB2b7W}C>zF)>y@&Ow`qFezj z9q^>FS8zM2K6a7@UC(e_DcxHOu}a^^@X2$(3dDC$ z(Z6kV#A3itxt0xh<^_1&QH7W{)EY~@#-BgO1zwR@X#OZqLDrKj6_-^EgRNjY_0m;& zAitSUY#6`5Iq`fJ&xMQT%%GFqyiCxHcfEX!FB!PQa>Sqro087aMqkv%YT8iI#lrd= z9PhHIuT59?#9Elx)8=X+saxgZrLF(d`u4G9?9QN^Nk4zoW|`^UXmTc^haibQ-Sqn@ zd;|7tcL5V(j;Ah+$%iROgi=VJN*-I@-Hx${+IRMNpyKvf5QJ{z+51;V2xST1rw-F2U4S^f!)4H3Y8NO zeb}>+Cun#35=*gJzZ8=Rj zw^_1@>E?}7o#ln6n6%187u`=DOe-bOlq)>#ZlCf|Eb^p;!_s#~|21kwD@c8e|Pqk;z{PpGH-b?*dC&WWV}KXf96SZ8eeUTbI+! zHe0BzlFj&^w|!Y(HwQ)&Iq0NfsA+0w;cGjJv&(thi@LjaOQr9fPVfo&WqDNnD17}q zmu5CTqJ%!+(GuW4xe2ZH%9LeXnLIn%gLHZ!5nHFE0j!peEnhdn@5CD zQXvO%%s8zMrRdHD?)|Yg3d`@$k4pxDAW-d!y8v7F^?(HqEB?Q7FVOU`TXZND8~mCw zD{M)MYcZ4`oMpotCgKZRQZWPTxwvSQZ>9%b42irEz;m!?CE2zpIAWT3$WY8A3&Usj zP{>u#(XXo#_EZ)1irQBy&MwfC%$>?>2-HfXDgCVLu?%bEOlw$Nn(s?b{lX{n$F;439gw)Yp&851xvC{7SH z`u6KT-CC1o_*N+9su4VL@S`+Pcf!aW*z4*&xt|L>t3r<~Yt64|5%?_A-Sttt1|S3X zj+XiZM;a2KM#eog@4tEpMrNLz*RhUi;VZ2hq}ZuOvVSG>ZJ;u%mtuR^aLw%}xP8UB zcnhr8kJGPAdzvP5LwmXQjQ&3WF+k407&Y{}@_eRdaBW$zJ9Ify7E-aIWhF@$xb8kH8TC>6J`%E+ymVGM6 zCe7KV$nSX9Q@@fuK56l1Zuq@wbZTvM?&}S@_sVn2DR-L~Uyt0%O@$Tic?IW2x)nK9 zlKe;3TL(mC^@5`3Ru!);^Pbt}Jd-B<$PA5NVPU#?OWghLr^n7;(AJ{q8+*Xo5Lh1s zaa4w7()W0Cg?9|7IT-)&(1f=&KGj-fc=b{(n8EOB%6Gp0foc{cv`PH%J0gy0!!Yyy z{Ch(vumR?;#nW{S_=fx-V^OM+C=+M0iDu3-abdw*cEPEi?DL!I&ct5RIt?$_#6$^* zCiUycRK>O+U7&JBeg5A8>%YMj$fnFr(NbDhnGXUcAhz57vt|x z9)6&&Nt%DfGV73QqTv2Z&$c=#8nGQ8up1eVuj@H<^4|WC^2oi9PNg2a7Ep0TlziQ~ zq6tD?lA^ngTV9)IS94SEIPR-6Dm}3wCPmYCGtJGWd-P>r$8}>1OB`ED75fo*VIZ{( 
z6iF+I7OV6*z)V=3@yTaP*KIU-^t@kc7ozdeGLpc-KoG%}#~JW_b!k?MR~S|9y4u-~ zX|I<4VU2e_rg2@(lnHu9;doAzv3>M%hO9D&Fwh(}HRLwh<2Bt~g=XrotHJMwH~^NP zgq$t*0u@YTfrx>x{_XbP;R@sxwgJ3USHf!vXJ4Y>eba3r(*yRcO?JBvJFlm%HL`)% zDyBezIuu)ewH}shdE{7Gm<PIy3T1$`(&0xdMw(z1MkM$irH7z{nebF zZfR?uIP%cXmT6_y>8Y2xhOFZEyQFM;(0e1a%*Q#m(zReu@V4~$qZJNiKPn3@?0DH^ zlbhyMc+9i-f?e)yW#LWPmSdJXj=Ar;>{PIS+wEJf>B)W-JH4w8J69f37L@sHD+=FR zaQbm;Kxvido~+b+*Ti{Oq)GeA&L(vZB#(61_PjJ{c*1^o-}chYl!~Kii3buc^tFTrrfoN5ncJ=N52T)Jv&nnlu)T|2@=Cw>n()X&{n$#wfM{)|?u83mUyruh z1o#m6mU^)015y~m7+46&;QK>mBS5Qi--XYXXf4q)(0KRT78A}IV|DU*0kMLOJQO|wWg_46aUv0)t>a2#q4L&GQ0G0&a z4~er%hi|1ViC@Q0(c%Ox$D5}Yordb)-YLw2>Yhc~OvM_CwZ3T(OPXyc&Ze^C^$mR1 z!x7)3s&jFGc85OYIbhU$#aQHN!%K9rQvi?Y5dXJ$3gqHTO@`0rh05U z=+Zyn)7dI`{!HFK5cbo^Wsj{9(!9)+yRZF@K5;0z=$(Hkxa_oJ{#DETpRCJ%wAgY+ zxb3p#u8aF$)d!Xoxa8h&$a|zHtQVCwampVE%Wm2h+;U1ke(pu1Uv{x)?pfEuN0tRO z(%fo`qFWB-x7_yJQkFn&@+bEl1(a{t|Kd#V(tQ_3Cav=e z?Nc%nw#7G0XCJvK@QKCeZS^U>k+-M*lDKq>u;N7C^De8Blh&CRT}z%=6+JUAc>#e_ zVa0v!j?4V=13Mno_+{le7Cf{md?qfc$j$=-f zWnqV;pjA@XBr9&R-g=LnvgdGnn|W$t;I_j@9#`gEB%9DHRcjx+7X`fuQzqp?_bEPH<$kkD!2)VpFz}JG}D?i z)aEnP7nfgTZ6ao2CEp4N+@-Ce`-tt+2BuN@_TwQjnV^P;;C~zeEY2cWeWFA6B0}C7 zl3&bNk`ab0NG?8j(*D&ZGO4Xu)NW41Rj=|c z_oA2X#dn?aPdOAEvCKbiU2&O{b&i++bJ5oCM`uFo8tnQ<0`Jt>6 zfNdH6g_VKDMb}3!`t9*I&nWfWde5Wih+Fw-*L}Cer3b2NAN%d!A;~|YD0?6;s}&X1 z%F16#D;|ie&I=27?S0<9DXYr5?3QKuEou2}$(B3v$_L7l`*wNv-Se+j-g)MhztcVM zsbgNVRmpQ%@ncEZD|uB5MAzN2&s}Su4Xiva&pKpLc)~hkYe30fm&lCt?R)R^G;Yd@ z56sOgyYwLSYNNR5yhE{M&%MZ+y3oNkpN<;tvj+}=iEi$hdt|9UL6qJy@2vlxd+wz* zyo8?xrMJYp@0q9WVQh+7W@_5HFb>756k`)I)51&^N8+aOT=uOpj{fs9{;lSjkc?uD zzx?H$k3Pt$I0%bTRhkAsH9tHt5)vMxq4DwJ#mptkI1ipeJQZnty4=XpmuV3J;R{1p zCdu*UNR0CeWTQh-L!GX}*usQeSS<|(0IW6@(t=RGslpYM+x_e9U*igkQ2-+0$AEE= zRBBN5F3fk%w|Y*r`1Z9&{Cp#Ft?n|Sku_Zq1MkmVNA_B+Zw-ws-+k^+AAIrFM_>K< z{be`qcSAX6_0uMeKY#tr3WM)A2;Tjc`Ne7>lr@sTwR27W%X_O#1@2sn0Gily6~k(c ziDP(<>+^w!n+pyP&cz$Ej%B<{iiC zUkLl!iXfXM&tw&)ipv z`C)^KRIoSBvIycT{`x#N$J!w(1te{0&_Cj8HPrBujMcIiHjbpw!yTql}#ici8 
z<@e0X9$1vzwJE-1Uwm`(-g_B0pV^n4a4f2^&2O+Ser{P&Eh&E@-TKnA=xpkdC$W{6 zJabQ3mR*-t+_T>L)V%PX&-Pkz{NbH1I~?+JHsz#V>F75I+aW1@xT!#txl7di+G(tT zi^loz|DIgCR~%GOWSzdlXZuC3;w|Tzh8fE^#@4VY#Qcq8JPq%H`-F6!hQ4~;essNR96;R|P zAPQzcBv;Of3@RWw=bUrS83~FxYrXT~{4;mG`+gV8g$Pw>ZBE!{pMB8h!QS}@DanK> z`0GJJMa$fs+vV9Qw^kp$08qhC_mh`zUcEF3Y8TF*UP3wpTf`e6C2US9!zT}T4l;WT#Q6};O2S0AJg zxcWeO0g{mL_U~U1tl*pa0IIFGZ_O zUS?QtBOLQE!HLVeG5dV|qC{#$@WY(ddW!q0yaAkOh?TKG&<B?rEI4kB?b%+lnOsgB z+-xYFZgJ;dDjKUuxSQ<}U&lzAvK7zRrmSFPBaZP6e#&Mm_GMECe0^*4*wUCe5p~EJ ze~9RHgdVXE^fr!HjvjMI;sIDB?SN|a!K04e!C(I7_uCJVc`+=x!2Tr`&nC0Ik*@rW z9#%h09Q~~E7r|G=5Fd92eZ$0rS05U{54eH}!N!XhbK~Q+`bS3}En#AB+S@rh8QJ-r#>Si5#2Oif>f~K8N`Rk> z2XEg(LACpc#jgMSrnYhA!#@nFxEFfZ=exh9-@K=PGW+Po=igZzGUD1|uVbjN-o@Qx zVeKQ0Y#GPiCi9I}7V5f>{^QBcF&3 zPV78E+mF*#1ZnSNc1@ARc^vhyThe1r!efwEIq905RGkcYV_MtXMPZ7qY7Qk|BMYA} z5+8AsR-xR&%d))6Ylyk64%&A3#we00D(^m3xQAAx7jdj_^Lc~a&%|_pG{i73o?O&zkSR|#p z28rC{HNxB7N`KxZ-=tb*!W=pIv6*-krJN)(C+{Q3KbkDjk@Y#SIE@A}nm z;q`(J>qkS2KYn=(&xt%{?)?Mlh9Q|}h8CHhK8v?8mEAN3`y+57++6e3zpMIys~vgF z&g>7#hX4P+09QMT2+*ek{NTLZj!^}mX=i!yf&MK7n|C0udR3%frs`Ku4c0@sAYcKr90O6TS|aBmpb6`M9Pue`9gv^&9B<090?DfEohcd-(p< zqqW`Nef8~ehaW6MjGfhB6SU9NAdKfV{dyi9KsO9dx4BwQOBmn?rl|4}hP3Wta&{nJ z)u&&*5l4?SW(udzQNK0?{#4DLMi^$4qa&kLSJb+Iu z&0Og7%aXHX?G*kzOFl;tjuE8&MCmYII0c%f|k@is~bB>Zn4)S|A zZ3{c4D5|jWN@^in+yr7{C)FfYHBFZGam00AqFdscDHq8YSvrT+bYOM$Bvma{*2565 z(fQ9p<)MY6gPeqVs%R3Y8bWD@92GM-**we#J>(5OYU!1{WM0z%KH)A|(Lhh@vr**P z3FY=zUGENNPdseCkQC2|?8HU1`=y9$x62cYFGdydNSbuKs)Vb!>&{C%udVV?R5H~q zj!E@2^{82J`sXItnxWRUXU#TF2TkofPNA+JBZVF$o!yHK-R*E5j_TF7tnAwL*S!ZU z@T?%9cWOH3e*NjsfBVtmgsn$z&Fp7C*#GKp#^$8Zd*DUz@lVIkc%H^wfR$JSEbMek zzdL{#9uYoRaeuky^mLA?2R%Hff?+ZYh(y{lxK@BL5Igw}k-Na#POXl-19*bZ`X{d7 zlcA*g_n!f0khrE_Zztus&W!= z1+zJlWQHW_W6Fxn1pYZ^(aMw+w-WT*`O{n%VVVo?z*v6d_t#i>RdRl^wN3{F17 zmXElID`*MPSrffLt1>0ER81RM*M(Cxkd(PD>crSmS@&97VC)UIxC$UWsvke}P=ti* zyt*INT)!(qU-t8iKVLc0n9}`#Bd7q857H?}x*elSaaWQJoJqGDGz*XWjjYhe?L1(X z3U>!!CG(K|jZ0D4;H3KNPrirM^2WZ!)V%gxzu$Ml+ViBXH|#6@WK7w882jY`dsB=T 
zyv(7o%Abu$pcpprMLeW%k>RWc|Bk0l;=X6G9fapCKOtz7ik?0D1eidTS|4zaF4pqKmV_zdQCVjFxP$@s^GnbCd>L z>`vpuzBz9DvpMGXUmVirHbcsWXMV1Kz5QZid+Wu2{r2yF|GUxg<5a`r6occ09}ZaC zV*^i`U$BK8XGcF%0&PLR;lsal5a;6(Re%x9Vdaa~+8GP&pks2YTV|oWI<;m%TsM5a zZJN8G56x}yx{G58kr!@F^ssqSSAHdv-^fg^Bx&jh@;S1&pCyqL z&W-zv%iRQ>B*hR`JxT<1igc8OluUyhWz&Vb&2d$YZjwys;>n^pv}_rzT7Z@i6bR?i z3Zw57u|@54Ssw<$)#L|Uc}uc|wPPGfA6YgDc@RKIQnmrE7@`S=U?#bv!i^_!5!F(~ z!_JB^jB*OAn1YspCF}H1mR&EtD{XIMiOOl>4!pbtr*38N#@X^NiZ%l;yqVe2a$TjQ zUJ1WFIqiR|%If09U=e5Kaq{3`;KZ>1tJjjz@pJCdW^c_f4P^PcHG;YyBWcI;28_IA zMlR&^)|81yea1E>rWURkRFbuo#NxE-gpF@b)ud}k^fyN=4xgcZeZa}UB+vpCVSxrq zlaQ}|v@tLtN>fU}&i4^4z3TO!e|O@b3Dt}ceH0xFqFmT%GB!PwrlmewcYVIjcsLiS zf8Gk3i5j%)SF2ZMV1)yl{!2n72{(+NN~aXsU@a zmFpGU!fL|m68XWp)zaee{Ax$Sg)5ARyr7sHeKU=*ca#BAfu9-zOBGwvK@+!8R5esx zD^5N^kqmiAaxNw3IP_wtI|U&N)rBn>fYiVPZ;PfJm2& zV?{Nrw0??w#UZNWR6vx8J9+p)M^QuO(PLINR-ulLVhc-|q5U~9`~B;Fb8AL`EiDX8 z+sy2u>|w*&^4#uy7~h}-uzlOfPDo$@omKDn;;%pb0Z8oAL>`zU!AicRBgYwcbY{x; z;TrwP!r2$ga{aqG{p-i?-@q#jT+u(d^Z)NV|I&XV^%sz;&@VuhzT*Olu=kJj&*~9S zJqUVoFG-zbbHbVk_Ae-s@RXI<%pv83oeV5=V5icO18bF`um^Y0D)g{*@G+DhP-bgT z7QWhe{T688C$sZ&zxvbnN9;V!85hk7!B#eG6I1i0#{*d{DTi1j(-1yaIz^9Nc2P{a z%KEvoN|w9?bV_7_JX%D%Hxi(qW$2gew-=9YJZ0P+xe}l`e_ko|ydf$csJpC9a~Cu* zL_>5{FG10cQ}#N^yMb#00^B{Z)%99V-ORd|L`zgvqqJQ>eiEdkc-a(DHboOpkP<7D zgKe&IKGabp!ML+>1PAz0OaearRN0F98kTSX=qZ#Ma5egGT-En8#f@aekh2_l15TAG z?BYmky;JIMRJ6Lt^I3AxR16a2)9^%i@gPOo%+=QR-V1uLsR-wgaJua5nXFxle2jJeVTrg_^{1rtH}^87E_g(l*D2m zWiv~3$3<2_N*v{V4UiIh}V59d3yAF~<9x!Uh{y z1{qsk{o*^efwB80>~-zz_HM)a98!V5o*e6iTti^`9k=m6fw~5^HpmeK$E(NB*a{`q zkM9S7m;Te)v-+nMNH#>yBL90#^S^P001h4&87u;5L3auf5zGVOd4Q^zd9|d3Go#z< zew{6m7G{4tVGpiQ;g-()B4pJlgB(NC=r>2u6I3#q<2pbJHI|gS-}|lkQ|zOs=!y z>d1+GWK|zt(}z}$I;ltS>Sl(d)gylFY+~=toYI7v3RZG4PF+owj{>f6(n&~^$Rq{sex@T9L%znK)lb=gk4-ws9;t~{j~!umd@q?#n} zb&?I?c; znTJ&}C&=}xA);)8o4DwiFiuG-FM6V9qzI|1%PFH}Wpj6W*2UeUZco-2TSI3ak7D%O z0jbNi!MS2)Lc)1%ZtdDj4lmzZJ4uWmWAbJlf{M^Sv7Afidmps8#IOwAnBSA#k7461 
znF0$|G+eu@=zIR{QTFdYvq{aJ+=k2LAguwBF^to80B|)d>`#CAJ(=wSDeBWNO%9#$ zJBEc=kz|Ax7~A_8TYT2r?fHC__G*Fgb~y=IJ$}ErQ>7zc{lDM-`5{2jPU8q65x5N) z-0gIf8~VrPFD5U+DdhWWVc{2@?9etRokQTH%W=o+mL!oWE&)dBKUsL}vvP$^rDLct zaD_5+5}iUP9XfOVhf}QIeRZO}Zw`EQJh+#B`OELEQBhzWW{L-q9$Q@?oO#l1&LE##*<{RL-mWdIYMX4kkbJ3et1`RcYDZ7xc;k8f0)M5;S17b~jtun3 zZy>5`7|ETkv1(D(u&iN)&a1{r+OVoYN9{OTIYd@8L2C1eU+{<@Ax0~uyLymXNyT4Tz3{jyY1HMd=4r3`5oUfBcjhai~)c)JNxWcB4N!6;2Sj;wuY zhj5A>=uh3H>B9ORmaLKtff1^A*&JIu4})n}MMh$CHBDOujUHrMkgXC$gRtewkhHU9 zMZx(g@y%5q=TzC= zvGED17w}6N9xfd@dX*(jKZ(W&u`yfD^<-#i^3L6QsA*yoGIbjGDUW5vb zaT9n>>qibyY=6QN!9DVj_0=P`*Dc72{@3z=0)-M~{W(%f{d0%!aWO@wdDF zpYOi>`RhIV0RwpzeSiJl&HzqI;e|&D@?%a{EV0<@S1q5caNeyry_oUWKhJ~3c96Iu zS?*uI{wKUX;AyAKg5P#<1;4`)z;*q*KK(uZ>uK*7%f2JMp@)pVJ8nffi4Q;S6b{R| zWPc6bN9^Dd^_3ColYORN9CrM4ufrY#?{9wg`Qit+JqO+Xu^;=lgdb z=m-m|2qHtY*N8wn7drf80DpmL<8uQOcE?@aN#NDGX$D=CL$F-T7F7F3U02+WZr;cZ zN@lU*oVgMB>o+-1x7yk(6E8;ka@3WUk{&y0CkQOr{Bj>fRp!tJ2o)%bYDj-}@_uK{ zC|%jX7WTOERyj#C40*Z#?ZSk*My^Oim3IM|Ns!MvOO`+yK^ApUB?3`*4M(2Cl+_cJ zT{syCn3q^kn@Ka3Ewumxs$>MM8A0g={)H<+Ll09?K~i)%%b;&vWQ!JE1a0oBWJQ0K zld77a?j%ZQh~hbl7^)z^TOCJ{&FijlPtmc(Ft(n9#*-+W#j9pevQZGa1CtMIo2aJh zdgEnwn^e5g)UP`{B6nB!r5c(idOtm?Z7?bN!b;Ss%1HcL06!C+9@Cw0O+Q{lxLz z6J6|AOU^ImneR6f^zVm}lIdSq`hc!~{}HNs*abxzK$s_fz}1e1Wm5k*+tRIJ9 z+q-mc*C)FVp5$PO(N-2gRyIsyTchdc6ZGhC6aT9=VWmvLJUtPHxxF6B0fwN-PCn!$ zC=M3KHq93KXxNo6YR{L;o#L;$C-SR?rm~8P0uz)NX{U{L$yqZG>5L-igeAU^jH25! 
z^PcH>6jcd9)lE>2z^XfRWKm;ecysFy3vx>;1n77SBFgJ`IQbb~}iFT|?=UGAlva=LT}v;&zCx-w4!AlFo33rmTAHf*c79SGD7a;M%7ihs_!r*P{7Xt@ddzx1PWs# znx=;>uL#p6m&^<^m1>GMm#nE}X}efb=qB1h|HI&?G;a?@7xHMrL~NWiAx}~{TOXi4 zmo;AL6dB>8D|3}M6B3#kvSF%pmCf`l;s|ubwAJlXva<6O7p4MSl!O=a7;`|JBzglK7dxIj%j`|LrgVuE+iirb(1| za6q!NB}a!DY>YDWk6a%wd%t*8f_QO2i-)}JWV?TX3f@7g^qsN|NXwmF8+aDLGFTSB zzJEi%!O^dIEf2<+n|=pfDp-(#KQLSc{oIi06`8)evpNchf`Vq=_OAq z-Sy}F;HUJH)45a3q?3*UGjl)7lV6Ru2R>S*JX~cz+0f|q{W~u^yz(GU->K971uZ1x z0I`77SD=wbBoGL$R`u_*9j06YZDs624%-DAv3FYmwi z8j*d%N#9 zf_S!qR*a?xr|5K*boxunbiI|ZKNXR6wrVix!Dd2ko=cE0l5|sYJ~OZO(bm;6rB`~A zV~mKVu0*M8@Va(*>A9i-vUC8jK~U791PUT_DS*snSliG(WDYgDdW2 zh&!E>Jy^{E9>fgtrt_JV!71eoNee+T2>J)2a)Kcmpe2+g*0p-5c#g@vFuNg0rs;wi zj$p`F(HNGOp3q#umR7)hl!M1drazKyK)AasBBiVDnkFqoROl)iB1)ElzQd{S zk>vMCf+=@sHX}*_M~A2J*_R1UamgHzWDI{Vwqt zY;`?!6D0neeOL`PIMz2NcHzZ<3EI-sCdd}Wvq8lkHF4i}+yeL?V{7I|UzmD_YT=Sy z%kbJkGsj)O`{E~Kr|g`8=>`41L-zmq(e7jRI0F>TntL65GL2C@bGvH}cBJ@7!t%W9 zvu)Q$YccxAV4?*f2p(_e=)?aETs!d!+C>;7BIZ>{zX_i<^zv!!<4x}4O|QOo|D%WY zm|D7<;v!Cv65*U5SXmyj3IPYaKYnWh;=O^%1z0ux!^a;f6td~*Nr8ZOCnxI_D8ckE z|MB%_`^+vJM_)UIyJSXiIc&CPWTED!JjTW&7?V&5ETx^Y0|Wz*M7Z&(q8eG=l>Gk2 z)x~k{>m|p1g@-~wBAZEy9+X~@Hw3$W@#|;LUNp5d@A}2AzyIUwXRqH&HEI9#>E|aL;?DpLf(rrtNLE+o0dP1XoCo09_msvo=>qVjvZr4Vh>Tg8DWpPX{=pBI2$lc%w+i=rC0mm0rlMPOTeokI$fr zs#&TLmS`HRLg5u_5c<~Z<% z{0V^fzE%H9_IShf>7&5@p=g7XdyQ?p!BZN1Wq-5?{`-&U>q!LzQ}4&-^+u;C-|jih zv$SZbVrdMP5c!))7^W5U<$c88=~n$gQfN+Z8Ul5du(KkRMe&EKMUYQ5UnC zIihmB9O7y}kOpq@&X}SRFL5nHG((mxgQF3w>f`viF}0IiNrk7R+7XbZfm!4jOVq-M z(~0YQ&ZmJMwT>e00{Y8Y(~MWOLQM#$JF6?>S2YJ~nm9rrOhAb`LKh7)#lwJJqP7>4 z+DKHFa$+*N7GA0E*0^3x3{I(VQ&q_FE;I~Bc1>W%W{4+W5<%{czRV91Ne)i3d(xIE@N}5CdrV&>p7e zxBqYyZBIB0`##__{>zUK;aR~@X#*-wnxc*xQ$b~CM&KXA#vir?SMZ-_XA+;ybKcEb zKiKHezXR8o4?P?_B-H8dA2?}YhKq)y z+drAZDWZ#YowHEpfzlWx#E+in4I> zQO?4413f+?uB0~d)~!HQ9#cGxldL-cOQ7k6umRO0bz&^S1 zhPjG@i-oOpWf!PW@QPuAyql_MWGHH)^V`{?LZZCgN!kavVhUPs7L2&_Yr%DmEM3E@ z0VQ((mF{8=;~>TpciJEP8ui+dr9gXu3S+yH5r+9mz+?<)($XKy+D%qN~>L> 
zqJ1tM-`cvgy~G&pFk77GZoj@0qg8n%+;S1$VXE>eiV}vV0lsIfpv~#*6$58{`_^DW zo^+oT8n{Oj2cfBhV6P!PrKkaB&C5@pMDbF0|K#`|zuCX{Cmftjye=pLd_dWJA8t3k z*N>0P{^1XMEHGEi$U@}g6CvCbL(*w{^_w30HRI`tN?7iJ^%r2p{!hpPxdUWFBuqiA z4U?Ol5#gNved?nnmi`%ge2io1@T0Lk2WqM#4oSz*SAejBG>L5N!&NS*^Wie-Cg>0U z{yiLV0Fq(m)$cz3*~KrB;Ufpn=MxU1lW2`OCi1Wu{d~-Yxfe6L9W1P`B;v%?bTtsv z3(UkJ-N565wI?jGGP)$KU_e;db)K)?b*td32V24Iy)nM=d}>S+L%d8BuLIiysU$4E z;`|kUMx`pby8yIUR+>qwc#0~XrHbzn1Z&Qs6`Fj4B`xuksBd*u`tucTB2a-ow$%;V zr*uPKPZQ01h!q!Z7x~_)rY2VqR5dW#1NMoXFv1q)M^yAuWbI@n;0i`C-N3BU6t&{I zK~Dwn51jzE54gHWZjs@J8bRBTzC@=K8TNjek=|BBw&l&W^Qv}{YO6+0Mm4g;E)03a; z@4M?a4iEI^>fg^H&_d4AfwK^l@ko`06zU)9ENB%$)cLAS|Jdi{ecb9wKxISXo@4a= zR`GCt$Qa}O<9=Is3V?A_*C@oR4VWD6p!&C;95FcI0~f47$G-dsxxP(x4>@V+YGD^< z?GSm=m||&9oPID)zu;|uR*sFVCMX+-+E$RM_$lUHuQWv}E4#OwRc&$P#EYn?7+hRF zQ=B8|Y%JNBC-T*JX{nR0-%8nUm(u5;?S$qLMsMz-{J5MlWm#IJ`VtVBbkPtfwJ54_ zynKuyALJ%ghlujSRBA~>Ge=bm>?N@1MAaY=p2*BaG(m`OyHYaCk=Fu2S>nt0*P}V__RKSZ)1L{CAgqJmkR8HY#z^IRrg%dP! z7eicmwXD@!Q|KXT^b+(z=B288VV&7aR-Rbb>87~DP;`(bqsV%raKKm65Fom9UXz^M zISSnhJ!y!f>c&eu$%;N$hr}wHG4gVk+r=)rl;r;Yh+E~pf?C(4eu{VzBU^wB>yXm# zE!YC*C9+(Rd4DRjsum~8BgE7YA|!#y_>@lX=7pm3LXB_SATwbR=8q1#7Kqj6k-10l zoVJ1X%JLLL!~HgJa|aW9oD_M`;@tI1^-vaFIm-h^2u%N0_1j`;^{;;OC5B)F2OFQh zoQJty=#}{Y_;^2Zsg@iCH$lLD#1!KSZi)ppm#6L}y0RnS$t0n| z)A31NL`@fH$gzSh27lmk+5$UD?Je=()kT)C5Bq9$oCKWn)^tN-kz2HLyas?OBC`Z)Kk=MB;m;2||GPK1Mc@rp; zA#cKCh8DGu#iaja)0SCA!ZB^ZY6E7lJzk7tM!^kH*09C9*c-aKL(w&xr7 z4{hA)`ol8}r(JtK*|lr$AOCz{acv&B^jB~0FW+1H$6jM|%vm^+Zi0(ALk3ImYo;h~ zYiG3QxzlS;vS6(9=3b!wRV`HSz<|C+;uHW0s&oWbZvZh+vAkU;XAQFz;&U9DqD%YVBucbT69hnPf1kT#%D0IJD>!$jA~}9R)8x29UZ)yG|3=S+z%X}yXJ04 zUV*B!oFkTzWzE1(BGkHM4k8IvKEM=paCk-hN?3c>F;vAA6>LTf0C5DA5kp=}Q{-Q& z=%q@EfV^@AwTu{HvDm7L^F=)@bp=%hoIoF0G{%rEgcdX~rDaU<;Epn|mn5k@Ti8!g z)PV?xE}3M>VFRl%G{4nVUB(i2xQRea2-Cn?Z*8%tX@VM)1LGK1c{fu!z?6(rz}zD- zRn{>apeqH9A8_wr_y)6Yu#qHd2SIM(qRsYHD>YqR@Dl;l2SeNgU&WA4F=V5Vh3!-$ zR=O#gcAKJ`a@G{$RT{iN>>^OKEk7-2?hK6$Ru)NxrP*GRRB}=+CuNqX8^)&&Ii-NR 
z&Jg+XEkhexT~|$MQ{m6%C^N=+Bf@!b4>ml0xw7OLT+rL~%a6W0ZL{0T&fusEmwOY! z&c@anKqHB-+4Ud0k6Q#Du?&IB7hsSM_bg6h!cFX{#x_4U_owRbQD3eEynU7n;!h~L z;mG4oO9-CmAA%R8uY3BpqtEUspKj5fZF6NpvZbw!2`1PWe*+wwKiOjmG%Tb_0AWYR z5Q`D?+28gtcTrYxBm*vDsNA|~(%PWAy)0!tz#9}$Ead<TdS^;eh>lDVc|khc`m;;tfY=EE&;6t`1sMKqg42JNvBBC28Qx( zU|MEc|B$~d+e1(SpAR(GznTabO#+t!9Ith3KTSR8n5gs0$hvm7tYP7Pv^witRBU*B zq_!ljYPQ~uA4W?OQH8hgf_x`lv8{BNq!__nE_3wc*|8Xluhvdd9gaBRjmaUfcVlW3 zbL`|fptJw-o$=3>%)=O;J$o^$YlxWT&0B=iSV$H7yE^7JJAIv0*eZm)}AVG#*U(ENdaBvk7#y8+f7DYvF!wR&Uz>f=rNgN=Xy zZo4X@Nw#2f6 zKu&lFCrrTRi{1IW(y{)M;ZZ-)ZBIobY##u}1;sg2vPKiGkVOkPJ@jedJqr0DyL|I35IaiC%eW~RSUR+?v*2jJ+C^y>~^-Y zo+0UnrjMx@a82!VNo%62nvjZ1vg9i-;);OwAEXO&TqSL;q7fJV1Q748@_Nto>g!Dd z_DLxeWg}e$`_Tgo1r&tifNFQ)oy+M3DVqmW3TS4{qrceL+*7{=LgH876knb52W4HwgE_sLS{osrmxPAUJUICPMZn{G7 zL{P2Qr`;-XqWU1!%`NvFMT6lNSu zX=|u7t*KkKxg57N5b$93?DC>l@5s5_3Q0~?sb@wR@Khdg3DN19RpYDYRD~elb1NNP`v+nHozP-IH5ba!8H?p!uXL`dPX@ny!_kYR5^ZandzkX-;H8hj(&0 zM^Oy|V+4%}ldegF?yAbjhJLcT0H>~m@)8O~76;zYJAR(+ck>ne%H8LUb1$l zxE_XT8MK99@r}}Upi^EFl6uB9&cXX z-tdHb1nDXGQzsnFts~(s)fw6)uj{IXNBYmdI%#%_mS5Nf%Z)Hbgb6ruTx92F8C37E z-q<>D|35!5F*p-sO}u&3&hyVl_Rs4#n2L*L;UPp`B~3gAZd~{Vmd>V&0?k?;L zyVD$Ux6Vmg=BxtOAP;>&!MJzy+Pl6Hduse@+BRy$>< znZhWB$eZ?{Mj z(>^IBfz(U>L5ggI>4pALIN_DNWFMCMBc9Ryr1HAX$H0PN;&{UZe;IC49K&9R+R4!T z{2}9j$1g#B2jSvfD0t!i@^@2951>KI{TvuGcVcZ z>1Nc{miL1PSM_iE5tl#Y>)*gWG7`Jqt?J)aZLD}adcav(3JDE4bLte^8YKdsB|}tz z5y}N_H|+V*`p9A2-k%-+^2MouP$7IB)a^iLZNGd6@59@{6Zr2BGE8j3;lhy>$j$Gj9Kt82Q=SiX|XaVTz4!4XhjIbKo ze7txTR-QrB2by!NrV6WV1m{~Yq=Lyfgh#Am7B63drvux6vb-G@PC=AH5`)xp07MP| za%k#tiUnsW$k$8U)s65uV9W)w1OOgaHs~emj3^qS2=C%ywN}~ftcG~i>ZWRNmsUcm z3QH^SQdV&l$fVLu2g;cNw5%KW0ec;!`w@by%T-(*tS%K-brw%9UlYg!6E$>M8Cu=! 
zkkNulxkD3$^0K`8nmr#5l0mBde8F~p!RwO9!BY_HCcTSKtn|;C#PLCuF-A^kKkk0T zSLizXy7SN}=Mxqomh>xd=Kcge9t4@+>}S=sJOWUBxEHqZ=oOrKf_6@lT=doc)4Trj zPg%9SC!F04QE*!E{Ap4oT-)4l8GiNLfz`RF2ixu|E3kvy47)N&(0Tb1+46#!&Z`;y zo1!NVSg&4jXQrYKAO72^(|)$j3S&&vVLQLWHpDM}J^@o3G&<-s`WzSy9Wmql{xd@p zJ62WO$jU=-WY^E#d$H@6|2T2lAB~T)#RVTaW7oIRFV2Z^bWf&)6}u$$KvRQO^doyu za*q7P`n&agtoBwh5Gb1b!PzJqME-SV#ve(GYRdC27S)U2b@G8BJb>Q?_8VZI0Sj zl&XQMtPhkmUY3KB1lgSdR3J4xboYub(DK3T7z;}fiUEKVCZ!COTI`TqXRn;Fm#snW zc2G~*DHhSnRVP4>VgguGFfT=x#bjf!XhT%=<3Sh$OZ2i?oOFdHYlE3JMmFdm9YX;Q zl>;v7I!{fFhYZ$mxWqS1V z_@L?fld#5Fp>tFiM^gdR*)TUn~LH@b1Nn_Xx1yqS5HPN4h5u2oE06%gfFkF)*}5!wpdJ z0gG^Ehyt#_SGEsaxFR<)qMdLIHFF9xb`04M?l(sq#w5JP_U&gsi%q46!qev^_23Ou&7w0{4VN@ zzSu>fAxT;twUbadfmQ@7okl5OpxjQ@KyR4qFG{?cXG}|&y!b|TRY*#`dvYrwxy@12js^jzvV$vc@sl>w+QK^KM%?xOpAwU5nzkM!!l`>1x)QFo42Uw8U=mt9kmxYf10JdE z!I@R(GYaXl5&#cX+d$H_fwPCbpaoPD?x~}$vN~#P##v3aq_HiwqKVE+b&AdL%^I-P zE!(PBY!zFM@=dgI1y;!jvNon7<;vajJV>d7(6V`&xcLyxKw$}(y3Ja>5!Q(TJS z)lfCVZ1p%JvFa4nU6z$u-q>ttin1Vvz>&TKmRAp(htIAdkp?O&r6y^AaGOm2s1(aPi3V3$-@ zIrGW)XiI9Op=}WNybc^w|MAnA|N87Jh*w{Jd*Y0hCysdC!p`dq2AinichB~kVo%## z%Ja{fbx&I+!2hSF^VZ6{lGUZ?+exW)H$1PPxEF%FBO?67=W=ISF6TBAZj@MS7H!qb z_R1xg{W*!|h{AD-xErWNj-t~=P{)nE6OmGqTwfP;C!fkMgeo0&R|!xZDf_9)F;LSH zlg7Oh+rk8O(dnJ%bWK!k3tHI)&g}>QK*OM_gh=(zU?qb~H@yh1*ikGe8f7k_DwMVwBWuISMv3ZW zkQ0+-jWk|*kVK%X$kSC-pOt136Y^ct23VPcmWk!o%0&n5vV(5UQ9TAuBf!+rg}qFE z(cOC^iESw~!F6UrEcMEzi_*jdRa9y&uj+wbIk3%1N1Om1;_8|FCOfW}?t5e5!Lm8V z8aPt$ns#8y!L~({)yQ@a{qIlyvg<$o`?D_$4;d1UnK7ZZNs#42i3JlD80p|y7s1Bi z6y`iE%NU|0M$Tz=D6@!Y{MP+*54Sw-&qV8AckAD7Ba#N-TjAi&oBDebq3@osR~Fm} z1d~&io@WSghisz`ScR>>)6YJ5V{D1~^4pVt`J3@4KiKX+<7PvSgj?*|5$wL08va+XY>#r?1sOcJJE%+zGI=Qhum zl?{|$)82NCR^qROU(864z1t8)Cpxa5DIX6`9d%DC zNMW(On!SkshqQJk)&SWBo4YoHH6DMgJjKcq6_FyXX%)eVi>Jy zb<}~bV38u8MY0$Yta_1X1FKllMbNrC^Opb^ux$!s7vRzSfQFLHz*QY!IZ%o%pgTZd2Gtr~Q$teK(_}+*@d6yY zpzs%6RD(XL?H)SFaknf}8qpcO#MEiPHi|z=5O+dw3r)+^)!vOym51`Rf#Oma5Mac8 
zpjE@B_hU5+$gZn;1m@SEuZDG3uAtvT(BPMx;jWRlkTckcB-|BlzIr1801?=ejQ@p0~jHodJYcUvZ$v9k*cp=A&=vY))Zm9SEl? z8)p8p`?yzV3<4?`(m;ybSzJ9}?0ndqd4_V;0Cn>iPG)B3;7l=ESi11+Vc^=>1^w$< z{TrA;LpS(D|87$MI&W(_K>x^lu#vx zcJ}=HKAXKqX?uRAe*FUmUgu-a({<+Poo7cZ#-LG|^!xrrsk z{*qK5;a#t!Ms5-$P*Ab{-GjBm~vgCO{*0?a)1|Y|SAC1JiH1i{m^oYqv(UZP zVU!Tf%1iwxUmV=K-$bm;hwauaI25JVPc7*$U(fsEYwL=damb_JA3SAj>gRxsvBh06 zM$w|PqYFnXPf~(e;dk*j!Nvzjr#V>p#A=(d>ROz%i6U(A)%7wH?|3St9KprVl<10y z-tz8c&Fx{X_AW<}@2aR`itFi;P9Otm!bKpZx!MI7DWa79D9yO7aEhUv3f47x#_Ph; zszS5cyt5~0DZ?<)1}zG-Z_bdXgb1tYDOlo)5I>7l5G{b){{+A}W0FD{1@rVF}R=oz8%x|v45tmP(@&|<4y#C5R&9GF!6>L}l z(yVPLUw?J%yS=BN9QthU!4p`P0XFa$@v1S(=fKIMw{zLsYZsm_pVL25>feqaNe~V* zz3zE1e-);OuU9SzqE6e{;mjPboucx;u?UtF4ujqb1onrIIefd%)ITH+o&xyTw6wP3 zq8acKEH3Vay8pNT{gtK76)XGr<2FIxn>#dZHTy`zQGrtOg$C!GX=s^2cZZ0&W$jRz z6JX0&zTud(O4F_|baiOH+9NH`GbNwQ&$?PVc)Pnx(@=LkH^)bPnVgYr4(R3j;XfjwKT&D?_!JNS-IpbXR&EPbzAO$-*<;vjl=*Ba| zk!<6se&vzAs%Ie~qsfn7$w_EniTXgc2Z3$}R8X5uK=gzC8YB-&CtyAfj|`G~;5>m! z1=b5z>Cx(G*qFvBMqvU)7sJvkYzZyGTn3Xego~blRkGmpo~wmz=kto(b=g#DJ_)$5 zhnEmvoL4qKojp7jlv03=z71+IMrxt6 zGMk_*qr)@`7`B7~h7OVOgESXxBCxVGs$!Lt)QY|=+l#j9*_sR&@eS=+jtt4c(>Fj~ z{^^f2V85;G8Grcnh`}ia-RIiMllPDWVXx}zFHi0H%JRt1*jKOhHqP8bR%F;OK7_ew zj6H9P!rq9ne01;Xo2{@X;N$TI20Adl*?#@JZEZ5>-Fo2Gn17h}K?`#%96&#ejrs2* zE}d(LASbh+&C5UPFJB&Z#Cbr!@b&HkyLNr?2Hp=Hpqn`c>AVx?j-@qPr1v?i=GjU(xHbUM8%B7}(ido{-a+!zO4LNntcP;i zfuHM|+v2Fm4dX>dYWQ&l+W3mn%f&;US<@f{h2j~N+K$rHIxA~|=L8ixL<77Q>CwPo z!9!K#ugrjTKf0_2gt(~WQ47_$ZSuUGasqzFi4ss6Pq0L5c|fkr@$j5Wb$hQeE; z$+qEx=88UlPdXf3kyg#YVDjt6ImVZen!{PQpPZzb8O8 z;>Mc_Q1;#|E0ee8#1|<7Wf5+|8y@O(ZhDWsxXD~q=8#_Rl-lP6ZaLy%F9}o*qfX#Q zkpeEb3rk~DW51+YYPtQEzl=!)!FR04@`_ui03~ApV zB&u#TLEHgj1yJVw^^eE@U&`JBI?nT27tVp6wkf6I#4L+h!_3Ugg3-)qKpKstkw(nS z%w&cn4m;p9j^mh_ZP_w2CypIEagy)u&%ViR&)@Uk+qJ%>C0nwVB|Wp>{qFrhT$mD{ zXaa6=coH{-Yb9z+Xx3JmwvsH-_;WEAW(ptQD!P599C@@I#nsPOKyH8Uv<>+-cyjM3 z216l8stM`=s_?m!%rZ$fhqgLA0OPl_>)MWn-eu}eq7jdFD``q+>+Aa z`H>QishXzC6`C|fwZYjdmq}_jzxr)>Nm>mZMWw4+rar1#@tJ#i6KtGy<1_jt=Vhb& 
zK|QLQg!A!=eE2rpo`g$I@RtI|0D?!4f*dA&bem`8mcn=Ulz+It^t}U~sV(-Q&Gw-k z&e6STL)-16JKan6x|i%O9Qs?`ie1&yJIY5kH!R&&}QKJrQT*oKN_>noRUC|$O( zaB6ez=vUs6ZQjw{zKQ+d4U#psC#`3zV_=VG=%9D-NZ$DA^5xf>*RQX9d%bu1W83f- zFn85XoKucpQcYfj?Spn?f5!3y+TKr`Q(FQn_88hfC|Yy4Yi!NH6Uy|GjLwhY z@D;%QWo#EO@Sfb!apQ;6@syVt@=T7Vi7aePpjJTO@1h7v3Qo9aQOvGgdr-Q|Psr|_ z=bm}y)yM?lmi?CjX=RN|UtP#o8(T$^dZKKcCaa7iM9$21Kf33;cQF&WyB-ayKu#m~ z-oAZGi`@0^+}MJ{Q;5ezL93k)D*R7%ZByUtJB*) zG&isDjco8w>?&G*CV$x__vDOs^*;O3&jUkygX8=1$G-}Ue3U;1F@Nt>EPJPTY+cQ= z&+PTn#*%SI{o0JWmFmI)QFbfe)1b;M6PXHND-lc5Qw5n)LxETyU@BZRg;QiJRCsEY zIc=E@YfC0~l}sM?5A4-U!E-=9vL7Z1>Y?-c;fo-R@$`K%_~!JA)w$8HJ@ZEQ>l>Go zkcX=gj8OWF7t{^VtNq!2)`C81dYRCi52QGbI*TT>YAgY<(iKVKB(fA#xm}zZ()wC0 z1q0@yF;i&FTsEo9>xI6qYGPCC>b>PdUxd2;RzJSGVaf8^sa2(u>w?pt6s*{pyW)^{ z`C-@ee#hwcqE-9LSMM@bO=dPO&FNaJ3wDdL>I|+Ds>l+P%!{PxEv@S{BfCY@yX51$ z1^FLvE%mdv4j7zlzRnFXOmt~0mR-017;@$k@*lr{O(;=5;SZx~n)g50`ph#geGAs@ zzwqHz)^d)xn9eOG$VO<2szg%4_MJ7~-u2u*mxkPVANc{eqq`p59J+Tw`S7Z3-3l*} z${@-sAPSbMY#3j&8?JjtPn-t613XX+(FX2`w)NWmdv|{N0seIVJK!PD6=@(@qmrof z#uA2?WlsB2bNXS z_n-W#e|Y%gcVKvHNOeE=dgMo24mv`Wuf$;IBvAk3g;p$F}$x?L%Bl`Yr+Uc3# z$iC(kdol_tC=`r@80qCFg+wVqc61i$6+3Be8ac+!q&qlbJ4fge)4U3@U21eF^iHM1 zA?IXD$u2qGAx?G*5(~7 zV<-6eiMisWY+*vS6z7vuv!tv{slYB*$cQvidTaUcHgC^%Fs}xkJ50ua9t?sYPxl62 z=bQOGD=G(<7B+UIWqGSAD)(>SJ}}-tFxm%WfmZpua?ujO*71l2UStyjIZ-4&b!OxF}Aqx55 z|4icRv0UAY(O8Bim8wXi$TF3wHGEY$N!?FYl=Bp-hGxyZZ-QT6b$)wx4Eb&bLEgOv zc_?>`_ii{n9t>NiB5EoLnr^VE6l+TV^kQUmA|p0M@ya~rAD&Bw()6Fdc})aEw1KH> z4}OA_l&svkmlm>^iemWUbbTN_hzFSOpi*O!Ml2;h-;l^~j zRRIAeiymJnp@n1&KM(8YVG6|f0zsUQ5s}S|%;UuR>5)a;*k%K%C!JX-iz^gG^>58zJ7enGEU$gHV03e4 z>B#PVXV09tu>H`k>)+md=fid1KDu}R(Zg%^9`8Q)t)pSJdvFKvWVA!4)kBw{Ni#y9 z1{1KpGi8ID%6dN4+A2A8eY)6?EfkkZSjD`gN?CllG$M=kqL(|j&d%s9)R~xz%avI!WT5l`3WdA-2g-i8JojGT~8 z9a4=SFt_g37ffUpWuE`~U^t#emIlD;ilpkI$s1paFuW4U=c%39MYXTYPyEfF!s75M zp}v41bg=dQg*chLsOz0C&ObL#!c#(6a1Z3puq9?^7URbC;J3Ftw@-B=4-X^Ax@%|4 z9^K8ne9og#N7AJxlD3AV@8$xBN|cjC5D^&Cfh8N(et789ji;8Z_=3ST0NCb5f{5ce 
zs9G>R1E&$Xq7=S3Uhe8#(X;NW5Bat#bLGdd=aNqzV!#A@^>y3SzQSc&GK>4DG=*Jd zY0LJMs9B{ld_Fh6fQ>2SQ3}|ULLMQ=!+69(pGe>nF|&o_Y+*`{Fd>H@?dL@oOED!< zT#c4hqu~Vk_-s~^pOfTc#s>tkes(nADu)r7%ZTz*!zObSdnd~4G>O%kxMFE!Kp5%g z$N7agzlh`)(lRB%*PU zvcC24I}mGo?KY5de*!Kf7*Mnfylu`Oc6V%oFip5+fS&`TiGgq)B_9r-Xzg94Gx|)b zbel+>EtTa8=mAz@DLYv-Xdu7S{*8}oXaW54R|KNBVxaAa2GIFjs3@A=ph+DtQt9BY2T;Lo1klX zXYL##ilsEvc&(AB?!xlxokeTcetPPe-_Bp0#0*bhERN+xrzl>H61))3`LEY8#+=%t z*Ad`N{q7|;M^;HPbil8kC2@#kDHpF4eSOn=>r4ys{cfmNH_p}Gzm<35NFJFTO_jSy zx(1@Ildh-;i<5K?FNbR;u-2i;xPA}47y*_x?U?=Ji*fNd@$8j*uy-a3y+T_vL=_|m zEbI4tQa|2h42&BpH^KEpHg&+V<_foShp=l~`otmM=-!$o`->ajAQKf1l_p!t%;Bcw zvEuU?2?dPg0xmX>o#NwDeLQlufRHP~2ZV_MQCyxd4vJD9FD3&wr&vy0UEzJZzM#vc z4aunmVj{dSv!w)ha>N9`2>n-CtQaRPtlmcN@Cb@Dm|SU+o0pi$PIhsLJ~1m-^qN>bXH6o}a_T*?f-12fQMHl;`mjXz`Rho$fibN+f+(w*dr$!bks2y3_$>PlSJBrE; zG`}d($4h{3$}b@LI3zEdlq%z-O4%7gj+@WT<}l#(Sjpt89aVIyyKInTC2JoD_|I^`151#q$VxBTUGBuN-UP*I_ z)cD!6q1!jS*U!`;KW;@Hueo)$_U^UNzI`PL#CVb{K+rWons6fBqfaXb6hUhI)2{}t z1sr^E>_SorbQ`F3a}op3(Q}PuBxNaC8H(fR_Fp}i+fu0utkBo)f`PVj`5|@xcF)@L z8eqhYorKp*M*pFz+#ET#4!PRO13!JBgDb4I7h-P;lBz6&?poo5wyi1Y92l!A4aX%1S5yct1qj1j)T#$ zsp9SRyRL(5>CQJd9zDMQ{s-%BU%#^PlTYqkx&`}wxB|cV;ZbMl3P{Cem zGGRc>ED#cd+=P5ibV!oq6D5_p&4EBZRp}`h{>n81TJl-&q68HZP{m**3wwDOrpd=) zV}3Ma_@ut_ZIWKQ@6!H`$-#K09Qq%kzL%n`crj82zj63=Lm7eJI5hA;#DYJA#CYeF}Rn8EH;*#T!oh-e2)pheiCGx|^$hU)!Z?)dKRQ%riS$Hm& zqAnvCnlXy1h!itqCjqYDE1Z3RLJPh!To0dqO_<77)QmHPCc4bd)R%#+2U%4RMiQR7 zcZOk8j7G#*t99nh^g<{I4U7~To$DntJfMdu;&z%jTh1xI(-g8d?;-D%C}EGult z$;eT0972knPw{Z#Qi%)G2=k!kxLJ$yB?+Y(Y>67vkjkjFF^hGiEMAiLKYX%jZBN_4SpWE?ne*r% z3w{J3$bE>OhHE~WaaO;PGqlavu{m|>7)0KK|D^4$>jKQ{J{{esrn_b2Og=u1k&?m1 zJ4MuxO;MbxC{I`WRU9iZ#z{{smoqA)bf+@e!jI0;QR+PE+Dt`>o&(>AIpy^<{G2Kc zxz{CYGIL6#q+&6xP{hn*(R^H*otlzKPjE8hb;&Phaic1&tQxy~sH)Iov4|vQlealA zuo0$wMj$*)!j|ESz1Um z_Ry4NFNO=?w+z4fZ+<}eF5o!}Z{d$m!Eoa-dU*lJJ@;}LUu4D`s_CXix~LLQVSW6! 
zjO#ai-`%W1zFCgkt$uj5HCMK`=BXOG{GS?Es#0S09$Q4!jscdFC%+ z&;0JS*kqPH*!=a6sDd6|w$HzwM3cE_x)Qpf0tAKxk?zpdV_3ODUHD;o-(~gaVcy8L z%)veB{a`yhW9&P^Z~Tf?^{H)S54dNzx;D5Q*BY~7Z)A#!O~PYw8ii6TS9%0-6&7ZH zKtGUYXv>myxMeL4QHhpNs>cUp@!68NfC`tdrRK=VE)l^c0+_`F)ucwdv@J_js%5yD z(b?RXN*$q0lhj}#G^Y|PwMqHnXlTOQsy) zcQ(J1*}K)$chEF`!8moxvhq7t-0N-?D@V=BkH=m9eD5v@h30W-&|qWLv!=$f3Y!uR{hWsf!<9<56kYN!XZ$Tn2|LFe+2aJk@K0;QKVR8;C<7B>+!U_$}xrj_Jlg z-4D2$g?R|NtQ?;~J-AvoF&+7JqupDNZK24eWPMqRsulX5dGT7v>V;7Q%vE4w2_ez@ z4_p9f6<4=~YU?#=wmA{u_Z~hbk_7_35yh1eTJd@;fxq%i{iVyUdsjlpok8Tb^ZRSA z2Va+U4M}Ng9bQv`(N@Isv-?Ii0CHe0_{?u#PvoZYO(CAtBbInDLfgOnDPr?iGeBVe z^NWcDekRjgLDh%g;%Uh)ICc9hS!b2ygG}j)ZfZs}u?v>G>cMly;q&^zqw@BRDS;79 z&wAVN7mf*#)a?V!UD1j|<;%CUyzy12?+rm(s559O%Mf~G1REI+RPk{}{ z67v;_L3LuDGBF!2NBnpvKiMU~4Mr+p^uO8aFQyt%rXtx#aI+lCN|i}?G9$W zl@yf3=Wt^J{G=iYu|`TQmGhhuDIUvq)J%aP9$b!8)5mrF+gu$VS2Zp>f9%qgBZrVj zH+Ss%pr$2o^9&^3LDhcz?X@fCj_rAHXZFa!jfakH2O9U)$B46TEHtsx(6U|E307(M z)0ZH$$Y_UHlp}}Zj9nxo1z8CpZgi<2s=g^&c6H}V1 zYWLfV^^$aQqK^gF6H0Pn8Wbn)Up}oMOPwNGh&=C-Vp+>2YSunjDOew+8Thy}|NFAWXFpj~t5hSbN z`Fu{mLz(doTF#W)X6;2^@ibyqWso>ynBl zCQh!ws4KzPA&QZ4_}GItS8s+dg=HEcq1^so%B$7ENT`j@6nthWFc zcX-AydJe4fz|q1vxx+j5Rqpr}vxI0Clk(D3&4pPt9$T)4pRJ$;wY0uG-Bg)rtXSP_ zr|tInYELF;T_(QS^MDioaG2P zJT6nH$dO2cB2Jlr6r_fivliBg!s-=aeVMp+drFBmvQQgapiT@KNzFc4Q-;>d!Q1fB zxg30%j9wxnz@4s6iK$g5Oy!H-ZM2RBC55VZCpRph#@DzcHP)0yH{WL#GU<%s=BdKL zjXC27?ciQG1ZgQ}bYo|AM-G8k64;UeuAtFU zb?w&IETI}Lvp0{#lHy3p09o6K=anbYvOm~#ZgBGb=UxU0pD-?tyK&=5z}1P_2RQ{b z;c?gm3<+>mT-b_F6619BV8_jrv~h&C>UzRAUl;szx9F!Up`R}Dez<1%`ew+TkHN?+ zcnC((mPS%7P^@ao2LAF~WO$wc{p-W>pF-$LBQ$W^d zQ)RmD@$ok|tY?~h#%i#;ybdcf(bz8K=v^QZ02LfuVbcaC678m}@owk%G)lT21n$$* zQg+BXvd=!YAB0i$b(JQ)icZ3d7?R9E~8q<)`K6o z4&(5#vkOEjbD~6-lt^DFOH+~6YJbO6pnpA>%oHy>#)wYH5-V~gk|GHYa8=HYZ;-`x zY7?3@kqx@Y0@15}(VR*fwlbBNBTsaT;&Q1At3-*_;uJt&K50QYGopqcRml%;)hFgM zUUrcGnk$P88VE2RF>w>EV!TGmX0w@eu`#c8jlE-I))MdoIm+vYX(xzxW`H_^5?n`5 zfcvF(|R5rBT{N|_o;Jy9`?Wt}*{Qlsnlh6F;zukTCU}9obR0Nh} 
zY6Z(>j=Y;IO7r9_ym3AI$J=?2&bW~CT;zJ{H#e$Mvr;gUOsuXIaJ2}px^V6h^r(Q+ zo8KX)zeQ&6A#2~+x@PScWAE%yrxukLRl`S#gft2;0QEt3S{_L#S^e%haN-iDhpbJz zECWFBH~=AB+M!FJa0eM?`q(Fu#_E@p1n-KL%<%!Rs)IW|7`y;u1Z6Ib9y5c9>-eeq zCGUrNS7lWUXdM+&O^(@;m+i_AI9&DluF?!iRXVrVFYj>hi$rnx?ATg0wZzQNfq{dD zTa%#;Y6S*DjFAu(P|(vDQBGbQjJN?;RaRk%j+ZZI=871F;`u>UY?g|ofLUTq$KcA1 zwS%8H%EqkuO|tYXcd_5*v7~v@bMgz#mfWnYI*TL2>a<&(>CW7&RCiidu07LZ$@H4@ z3bTB9&Qy1LR$(DSV;+8Q)4&HiDkj!z2-sY;+%Mtfiyh?^a{ApD5p=VCyza)Sm>eg7`mn(yk#4l zzy``9Jmne7Hm8p5Fb|=$ZNL>U_JK_;DqWEvHJ<z?Ql+J2f^KO0LIoZ%bIWzK^YZBpy}jrA3ru*5K|ye zuF#Vz^|T@x3FhTj}Pl(OpCPTZPEyDYx#2hsvOGR}lDPAoDT68-P0|&Q zQ%9b)Jz%e}8=NYkRVFlQlzM|jq|1O2x2|9yIJUKX)hYk@F>C)*-3$^5F_=Y*QblL4w%GF4W!)6h`Bh zv{UEB6>nmcsW5UcD6^BqF7RF;s@voEp`7}aH-1KXm%jg}*Are@NKc_y2`mSml_s_L z;llFtK6v8}^3uyVg079GL2)HkIBaPz-Tyj>+{yX=lpZ-LLoRymTsT9o5`zlMk*-t_%GkgI%`!P22KO@IMEeR(tnsM)z5uub4*8 zKIPqUR@`MyT<1;PmXF_-^@DBNtb6!){_u{{p^xeY)|54LX1TM?I+IOp%+y+7bZ<#~ z!9`y9bj}0gcRwekK!hojV9GTFv|Z;d_OTadGsCkPQ3ZTVnT!^o6S7$(mxOEAD2-~Z zMq%@$S41ulMMmi(lO6NPS&{tUt2oEJBzp?Zn-cE~PtJ%;$qG-*j=>a1#+Sq=)g;DN zVdBck2}L|oDC|`UHbEO6PV4MnuFde!q^f`-sYpw-Gs81jF@6OlOG>dzY3Xt{tnf5E za;lu=)rw#f>K8GJq|7`v(IQPWi<6|(a497wRmrn!RT{ZOrPMk6#lDK3VDGx3iLIcl z2U)$Y|D0y<3Q)5k+7j+W(7tNNkAXZ5lFN)eV6T1B-VM(QN8gFefx~bo0=}qiVvlpM zJHcTm6jez(mRW~CLrs%_p)_%dKYCsVDVYuHQ`8wJE^qgTtZ)V6=sPKf!AN$AAhqfI zcfce@_MNGKwHVT8`m^)SS(5~b5gkI^XCTd-rb#X1+Lj?h4Ea zVI~IQ7hv*s`xcO_o}C+s6KAmv?JRXg3XO2;>S^qJJ9=hBv)PhWlkc6|EMbxKFMUZ)ABG3!&4J5poD-K4iG%*7&{4HxU-(hF4l zpo-p|t8{VaS1}e>@M8+42?dgrN--m-Rtjy#1wz$4re!`hBL?S-P4-3MJPRrtnk8j?d;>etE|6x4 zr8YVV#;|?~uFA$PG!jFp3^Ok#OGQoe-S# zdB{6?JY(V{Fe2bm12k0B69A$yP)*qkD)~W4sz;uZpV4>5cY=BX>O2r%fn*4rQgz=k zb@y=~X~Qi^)%69CkjIy$QY|kMnyB-t)Y>;bvn)NUYrACYyJ47`(T{G^H?G4gGR|E5 zDi}1f)jpaAOw^l5nz~p{UU|=FpX~#icjUs?NF>(4R~K{DB~(c;nVXx)Da1*upr?0`X$g|gG zeH8=J>@i)(R`uW!AXJ-|p8>I_e%T(?^7rs{1%v{oAjIkUc!jNP*fhQaa3x=|M>T;) zjsiOuY)>?!d;ck@;4h)c1SJ$aPd`CFiW*$QlQ}x;8Qj;he3MY7@>#ewX{1JTY=b(| 
zOL_&Cj}>|mOc8woQnf`GQsYYXDdn7)a$!=QG#QqUr4mkoPNQ}>77ElaW3`J2uEj~- zh@_mwnCwM(_dG)S0&2#K^z4^Oo&{J}1m3d{m$ex0j>YCg;j*8@WG1T1BS~qIvHXNs z>{su;<))_qw5$|-CW{zUvUA0-{)>U(K&6cin^-pZ^K2Koa`|SDK;2@B>86QTtDU^DQ_7 z==#3Y_I>f@`#Hu?a$-4laf4Yr^)46#8agh(6bR;8fGcg?TO_sP>aBfwK?7Z$1r9Sb zQwuC~h|0o;VETb07nNs^zJc;h#bafb{hF z^`lQ=rk}hHFV7sX-!E!1XvBFYMnf8<*^FOXW^+@+fFJ=2?o?uUfdpHs!W7G5VI`Lb zlP)nXQwS4FmR+hSZt4C@A}4~Bu^8iBl$^f^Q#>azFN_$POU-|U?0tzGe3=lKkIP$x z%bSA_%){qLU<()Hi{S5n6PuANC|;PL`t9=(pM1Je&LF4q=`P~DN+rHpg>w;JZ?@1| zZOjTS(anr3(NLYN*fervw^!Ha(>7YUH9BgOiIrq(Dw^I8zQ;f-g>9p4;2?M@KgHG4 zV)aYC`ro)h1+Zw<0*M*atKGnPeu^s<$RYTF#krb7Xc0`bd2;v}B zUW6A0K#a`RRI;>HV66aUjjm~?0j^Z7@HZ5BBV9d4RFplzRnw!px`!vDzB>_*+(?Cb z6@fv|L7b`^1LkbnJTCBFcqKel4bM=;G8WVHg-m@FN7n%6#x!wItO+p1&IC?6Q5Ax( zPgj*-In)zZj=IYmlm$I$;Bq#$Up=}T^&&w1uD{eyyn!#zeM!EsVr^B`isAIOG3(e@ zz}r+!!Oj-~vp{Bb0oGVh;eUnAe|rZG!KcsDG6ip+!i+b3RX=qR_{nJ%BQm8f%ODOJ z=+y>N4tsH>n&6;@0ixikHM6?2B<<`{Gb>-y6w9x~#D|ShBE}KdPtHyjOuF^p6atZx{7&!90+;|@^ z3HW{)#E2pxu~%ZL_BA} zMXfjDie$+_2>~|gS(JowDKncCRmR8G$Ov^BYEYU|Vy4^0NlI!MFxWHu(MpAS`i&fg zVg+>@gtP!Bkl{Q<*VFI!39gQS>=B@aiZxKF+7n-hktY*T_{+hA*0HnT+^gyS%rf)| zc&lnV-<^KjJn&)mpQQ^3HNk|!7Et=6Lr7EqUU23?Wx4emX!_tgpH7b~ZNdnkN;H9q zA3QWoJw&Dgv>;FtvPH=1YQP&=T?=oaSUmw%BY1bvl+AQaD@hJinZLu;9pl59gzt`F zk?R>(E_FuXUL`9_h}r?7rW&mKdDDnOqFhUcuNk7M$eI;Xd1PHnJ`P2&Qoi}i_pe;dy2 zZ!emDQ&c+!DqvVQKqFy<5!S#Z^#CycQPYEe`k+I+e{8Yf)1YMWr!Rw_1Ni0zM>Z!> zwHB4Rz@q8OHVx)!U5t5taa2f)cd(=V5@Hqy=i^awxmc8or6A|&7(pG=FD4@=_8*^E z5{e+LGUdUXuGO5MxtO)D;|=80eRDJ;Gm49BJ^%COGpP|QV;l!LeEZb+=a~yQW0}>+ z?8Bw0g}KS}&jva_U*3@}jrEx@Ep|e=J{hir6{%taDc;T^!=^aErPRu3<=n(_Zfs8~ zr^lnHb;-57B%O=|W{;`;V1#uDRre2}S*`|H6GPDI=&!hX`ZIy%3IzNA4Ogh0CR)(I zz8>N;h9Dvn5?GEH`aU!cthEljWA1r-@;%eUXT^)Hq@;X*Y<9JM$yb?6c3Q#N8*FgE zV5H`6U^;YQc1wASpQg?ss9T_n&{TEsunf&KT>~T{!2_Eb=;z5=XzA<0#veTdRdDt- zLE;0nSOf)%E25%gG4c8H*PFfvT%AaMZ~~9ktE+7>_`j0nc|=tYPEkcw*HI+RbY(A9 z-AU4PP)r?=jKk3MQe<6Z2(wUjauh8LMIFSXqI(}r4M82iaM&lW&7_y+^0SLFAsKDO 
z46W{?=ky(_=9QV_Z+n(Z60-HQ9NzGk6Q0gS@4y5xP;MFlORL@5fg=WpR6|*pC;xxy z)l(EbJ^Oxr3#TDaT%e?bi(_bbQ$^!4i!$A-RJgfV7b~LO#U3b-=SX7<~N^?R|Q&bYF z!o6^#Dk8olAsM-P`-h?B9gDD^>NAnE*LPYRO^X(M`{wY0arn+($yd!QwlRZdj#Wgm zh}oGM4UnJHSPYcV!i?`TvwF>xa#0+R75xUDSuH3n&9{w!sPGVKc{FrH2V^jKWsT0l zItB=MztpS$0as|rg1aGFyPo_ju(&ybS~L$G082@I@3^*Y3PkkXYgL2m3mLhFIHxzs zQ|eo_$ujnlqVH2QmSy;`zUps8W&YVa$33A`qB0w%0UT{JJamvzXd9`T2BNxwtZPOe zV=G9N;cTMoTEOTJaK%tIa-mphI`GO4l6H)wDqKwZ(}nAGk8cC6F!zszbnMK1|#OZ8neX%kb?Ow~7%O$}IG zHCdM*OQxN>ebL`o!t(~;988@$0sn1!?MAGx!qzvIziN!?*Ql!XBU_fHHdg3rYLi?J z+sJZg1B?&|GB69QOCWM+;Pv=F)T>|r{^^1E>s#d$+aJg9j)MM;1(lObqRgpKw|Y~7 z4$+W7%atz97Kaz8aH+JILbcS(=X?1;(;{R^@L4i!DknlP@851L>q4gbS1(+!o5w}Y z9R5Tj7<%m$q_q{9J<&b?_1*>Zk(n9f%;}Z|^BbbVkPGL(uW6p18~GJaiX1<^nM@se z?FHo1W$)+7y@cOp5dYmN#M?MnyOOUL@+=C4keep0#@=PB|n|B%-_mQpsZn?3?gEXJCRFbqF( zw6Z@-Z>)*!F85wmDjZ?*VGy2zeP`%pvbV4rmmIsw%F8bGBVJqBUNzvAcr@g2?d zVdLb%jFFw*uFvx7*5u~4==n;Ahz%sSDibbGys*tdDOD#1#VN&7hKrPvujIOgq)Z{s zB_m{r5;I5(HWs^($-Xz{&zq4+kv(5-HOrUGn}gIfAjeM(%$?UgZys{`G%|ClebM5& z#fy-$7m&u@sTUUR7pRauM~-nMZ$^Y8Ye(0)TW_PvnC`3bRgR;}cNkTn;#RbqdV2i*`u1rbg}T=Kf~zOS zN>BPL^ppRO_Xu3{V7i_;#S&a$VB(RpMHNrDu#OX5s$LuwO5gbHssK;v9QRF z`3sOUXOWYq+ZRRDg@q%hFCq=SOaHoX4?}_+o;}JIcm3`U$g0V9Auh;^1&T$08d;;F zxf$`fQc{^!XlKW^W(o2oi|h1pEmlmon-?+*4H6kkU<Pb2J2V6nnLO=B6paf{4Ml$uv<0bIect15jjS?oS>^SC+3Ow|P;3>sEB@Idbb!eo*HZP$}UA-t*_ zBQL>9i}CVusv4$M^>9!^$pR4K^-VZU14#?T&7rg}{^q;7AMaRxJ}Z2DR`KJF%-eU0 z)%Mq@3O)Q2=<{L!$k22Vl+8p_J;7WH_73nh1=<>=p`mHj2Y982F0J5dP+XBr)dXW1 zQ5E3IJ-y>ASAPBu)8#U>L4f1=%%ykCBUep*O~0W;cYQvYJ5jVq9qXU2%b6NXcIceL zIquOaCs?Bo9Y!xW;GZ)J@wof{B~Za9^QSKgfs{Ua8a86CzMVDW+Y-roCeU{*1}I8d z>~K)!ln54gnFwtfY^MfaBZ?~KgcV7m3!v|kCKPg_T7^m1I?I=a&DkShBBu|3Az_a^ z{}NK$ip*RbSQOK;a1nCuB69Lv+oI^YMbXIV%Se6S(!Yl7WC)R?vxm5{!53dW-&9*h zO9CN`SAcEiL^QC&8-eD^i)b_w>I~Q(7q!ifuQtS%8B+pUszWDd^Yk(F%(VJXv-%D` zEmQya7BKVVL5EcEDnmhqJ}|igudOHEO6cbg!&!-1H^86xwehAg2F^$G^{cvB6|REF1<;-v*z zTmAQsk-fL>KJ!W(nP0?Lx5EvTsH>ouDyZ5b8b7PNZeaWAeRO*&Y@PHyvk(wz7`&ir 
zEB}iisqURFh>lHhupFbcuF(O!*OK0wmOWMiVILq1g}V&=a6pcS7Wsd%Uh$S(7foH2 zjGc!cHMFb+pp45K&aWKyx(jpyesQX@$8T=43u`qn>|fYxqxYy2p~5(hIY2p@;41y{l`)F2L=oj?wm+W%?h zRK?K#kw4NRIsUA?Wz8Aw#fw?g%8}mYH~LOZvrj4th4SxCsK~86Y9lw-YTjIAd|L zJTNCg{os4#$45x*^yIUPl39{UzOoBI3uJqet{moFbdC?)W=?){Hc=~<)vf~_v8oI9 z>1V}Fp#-Pg+~jI_w^Ll6Ca(57#>a>`8HN^h&REbhfabHqixJK;=sdv&_Fu)7VB)%D z;+kyYB1lBR2nf2?qNN8yL!YZ0wN#ElBQwcp^b9e#F3X&+VF1&hNrkIX6N6fqUr|c5 z+#&_D)WChK)KeWbZ^n3tC#)%KE^-d-uX^V%?wG#_&91I* zTl&H)+xSf6)c!BH#DUnkUz9lg^q71Vz1Su#5fhut0zWGOn5zW}QjwljVVC8l%555P zW~MWqA{3;ThbDJGL@e0EfdvhEmHR)>uRXvoHR{)5^~*b;{dwvI_hc4&2`yRU2Vg*I zf|$j@Bk6;uptZ=HD5(9k>{UUGs30qEPV1z8`4JVkNq6m( z6$~le`IjDCh#@C}S3ew5=*3L~VI@s40wqg>DJ=WQsxL2njqaeIeHDZ5rh#^@tzhUH zp{0it4NgEJnp;{)S89vv7!ST}`1yt(xsr?AD0+A?@7wPhyT&wZrHQF%q)Iv=%$KI> zh6NA-Oqk8Zi6SpwAA(TnAHGG32Rol#m;j@AaF1cBn_<*I)>X1~ReW)YEu(zq&Z!6~ zO)VRB9{Pw}RyYQ?$Z1v&j2(!0@_r+OTX z>VVGkU&WPTeS;CRE6-91QV!yRTs_+?Af&4m8EQpdn#HA6`m6@CR3hgI zNhA(|tt;<&Gqrk!vHo2&UtshwtchVx@(ZZ`?}&PO8vcqa@EC+-)n9N0G$e>;Is#!U z&e6{tQ@N>w3Y?uK%C}qkN9HROzQ&5l^^=MM9;eXAX<4dWc2YHdM$xfVQPdY`g7DA- zDQp5$UBuLM;Z&UzT{lAy)6TMFmUB*w036hTY4G(UKr12eu%sqZF3QwRGaD`ngRXa>1D4HscwwlW?p)jn6t{qGOWT@4!?HEYsJhjf7&g(rk1D=}=7 zG1QLN`rY{hY>C%Z*ViyO`A+Znq|uI?y|P299(v(5q`nz?^}g5V)`rhRE}TVX&i2la z?3fphoP_&e`{*mLd@Q3Om-m0^Q*Nnp%A^0J=fzr8bgx6N&aFw7rb*HZq6kv(i_XYt zO3UpIb$zJFovc_r>l`@*0k2O&SPrR&_NqsKjExT1pYCX$PSl^y6MmU0pgq-7L_M7< z{C{wD4mGqN-wCWLQ~zObWO5CE;#%T!PO7kWs?cu}*7ePm>&k}O-rT%`Y>nm>8-!hN zfT^Ht^t8NVGd;7Sb=mYsJKiS?=nOEsR&^#TI*95H7$$(t8d>Noshb3X0a$ZfzxB9h zcy&BcP82vGg9&g&P&WZdhNfvpZ;r~!1PW*AYVY++HQ$}fNA7eW-vGcWu3xKK_eo(q zNx+aav1CIm`8ZkDL)CR8Yl`FKUa}@1(xp)^((jSk?{1I2`RQ{n$;h;Nrm};nYXycO zMOrEpS0tn;E<8GKsLB#nOsK(YZv3ES@?hq&0dZaat04Vb+U8$6fXfYNyC$$XS;{J5 z$@fMynz0EUl5L`jPT+T3h+Aw(vG%^q+ zpquz_xI!mXfB!t~)&ECa4P8ZBtY2^iZf_Zbr|kV7`q$)jZYy4-h+?^QqQ?ojI7D6cfkbm*Vvm7%;Ok)-h$Z3Qc!k{~nOLf?xcdhbUzf#6REPeRSs*lAYH{ z6=XqznAB7vkQej$jd*g}-iv<=4dp9C)5=;1f;^yE0!s6v%GQr!vb>32W9ZFMPB72W 
z{YHYd$iH$VZM>CP)8t#b3;Ysc^{i?;l`(ebU&R#|W`cp0VF=|QffodbE~V4^WYfDL z$3z9rlOq=(1421`Q#o>3HgO7=Ikw5OlAb-1@g0zXXl?tjsO5w1miK1Ay1-#@8GL}Zo{kg0fIexS2uSv}@zd_D^fn40*`tn~po_!HH3=Wue%jUkcNkc_$?rOGS zGUZ_g=|ZbC*2%}-+x2A#;&mFf`-V@t$4(jh4#99(J9Sh(wog8NP&#oCT>I1$r-6J9 zJYi7Z!!#Jyf)+Gi;JAMLoN@xZ;AVlQu2^~;d>y9bM0JUuOCR0)GeFQ(CcV!roKy zx<>etKFzXn7f_h={b%GAACisc!}@xVyOzTZ0F7s-@^fQ3yi-I zWa^Dg>o*^HY6b$Td8EEN+L@XLZ=F*I)b_ioN^_K_K!ck_wA3!p)-%T3i~tv^^$-g-u~4gkQNr# zOyjv(6iE(Cna5X@@&!#;QrhazM@K&Cr`j9kRh!_%*MMj5@G;-&qlAL8=OheuQ<SyUb#(J3L%>`36<0^h{a`k7$vU(T z!Vc2Mj@bH-nL3U;hqtBnH}-9tq-6^!Zb5`R%i7o?(wta!W?s9_ zUQZF^vLxj^WiwaaMzFxRpa@u4$vFJQ6D>dAD7$g27;@(k=v%*Asg z0iv-6Yib12AYD<%71vXkp=V!a{N{N~3SFN-+2!$O${&lk&)r;B+!pqGq@fZyaD439 z*Q(|ck(v9*na7Rusg19tAO~lE?5S^ydKUShy^QdeVqS!w8;7#IM3h2GVs=8<{wuSf z1uzzMx;x(o<(hM9pQ?X{a_E?1_=;rUhIAOcx57dbT0!_WLF8_NW%1Yvcn5Yj@*zmW zIRh<$5_W|!j~d;JDrmrD9$jzEpe;IpYUmOG5?-_LKm`LzB)qKP)BYD_ZvmENp0*V|MSM#{r3O8 z?|#SeGWX%(fP)Or#r3;>=XC}c@3e|zYeL%=3rfP2Os zj?Vs)78=^z>(x96V252j;GEoG7epJKyKG>?uyjenmKjGI?)Z4D802HmDMXo>xyBnh zh8a2qo4AJAv67s4nZ_&R5i*n^BICFBXsOj)t)1zeL!~}k2 z#m~3nlp@&1+AYP-!+G@W?d1#sC0*?;Ipa-kC@$dzbu80bq!$@RrZ3_I>iUNn1|=H! 
zmn5|g#I^Og747y_;Y7eUZIB}A{$CXp{xG|7A6t7I7H4qdrz^%7ic!EmsAnWfz?KJw zRKDUHK9cKb3m&SI2-a~|JxAhzeNo5$doMt%u9egg&mJZDv;5sx_}hO`;kP>9_OoYA z1%x7>xY5<}<6o+OvLh}&A%rd88@4+mNLc=%reHlW4sx#nCv{${@ww zEZ$^AlALM8$|7UVCxqyIp8fl1=Sv@UY9>|mp-CFr3=GG?OBfIG?rFaV8PZ8 zI63^`!E#~NU%=jhr@F$GUBJ&8>4%Bi2mIgav9Gy~J1-o(k&sR{F0!sjz~R?XAOEU2 z{b$#7X62zjS%%vuR>vq?*xBiesdm2zJTupAFb|LU$cEunyN^);gdaoQc}D3;w=_kX zBBO8Yu%Rv0hMH!{t_J(gl3iy?ud?9?&8TI@?)kQ?QY%KTJ+Hu;m5Brs{A$U_G-u>k zb3mjiGiQ_-^D9B4f|F!G2xVrxX#QTpgW(+F?E!)~HTO{Z;(>s8kyui|bf$Y7GV^uW zLKAi+)<8Cl0vlSMJ-5V;Q|QReuw{VqS8dLzHDcH3vdVOMK)3RYdBw(9R#K}i-O`rX zSYCU6%Q-rjl2+zZeLO&XgNFsQx=+U;OvjjQlPdhm-EXCL5HqLpYsZ8o%&M;_#h<#D zITv-)B^SNdUS&3%{@>OWOWTFhmTXpvaVRhFLru;eN}RvvP)jhRLU26zsCWt3+M|r7 zJziyZ1%-XhC+?0BM3q`S3v=gJM3P^Wr-fB2!wK}@Xybq6*?vh3uO~*NB?da;ufHU& zULZyNrVLAuIn3ujYiO^n?$5&susAst(s^ z4@p1FlDvlbUnnMs$%8t=60&LV=kxD!>Ou2SfZW5G^pHkj4u<9FzkiRsm@}#1@+a z5TNr*D}0~N6h4~_e>z@Hygf<~1FvV>p4}77ObRx4h8tL#fZMFklISxkkyU~Fqb<7t zn;qQyEE!pr^fVKu6z-$=1G=1QT|t4qN3H?4(1clrE2^b?rmiDx$N6JL9YU+{Fpt8$ z!L_4K5_qljyHp?YYv>JYJf6L^2a9!^=nVH%Mb_FYw(;vfw9N;lAzUr zR5>sEho{L(6jidbO{|@DpoJ;lT0bk?^X1cdBr_t3 zw*sjLe8o|L;;=w=0yb_D(sd!?b>7uYnVU~GUVaj!J&qRV4;e3hB1Dt_y{;g)#My_s z;vjKA(@UBFC`m>Qj6>HXtKV}7`p7wAwO4t9;ut5R>RWqvmyELS7=AI@ZM^ahPWdrT zRbSM)ag6$o$qg&mfoJax3S#+otRQP@CgfT$-va@UwBTck%o%moT#+@}7f7M(N+6|R zI3U9d+0X`zJX7eG0X1-o3>o!kU#rawHg8Fq9*dc|?N7|s6GRV^<%k!%o=$l^pBD7@ zrRiBL0zpfkS+7s8w%}C&@4^FE6&d$97H!!@X3Tn1X1x(xrpK<-}VtJ@=ML@m)u%bOHR@Iu^ygO2U zB0$oIJRsNFUYh0{ckTZgXJAX7vSrg)g`jJ(w8znuIO?v23l!;{zHm<*MX-pAcGRKa zwr$hxfW+!ELlbX_7n66d!r9`|)tl?u_SNNzf^BT#VaaH>D8_A39B+-E%eS$#Z%(yD zoyv71MmmT)+a%sUU*3{TJla2Ss*!kmmuGJnU}KzUXO!(^mS$%WVQc2)U_iXNCs!2Q zzB_Em;N>;%r{r$sh!IqGnGVzV#-p6Zg9z>NlpOY{I~FWCcP_wVTEL;;+Gh3^9^|g zMpU&8GiSNsHv{JjUp!2_H{wIQUP};zWa!eX<8xC1^N&0xC$bGJKZfIwAyZ+-mY8$P z%~@GEJ;B{FWr@kP5u?O{CbVLR!S@5h!Gxb`#7!_^W}4x+WPuVgMV~NGme!-X!cpfW^#&?qcyeBs%?R?12Xf`IA@ znXaPU>aA`GkRZ209aq~_+}xqvw_$zP#^JG?m&BId;kMR;>rz!4f@=5q2+#W|Zju#M 
z56%@C76!%w{ujuGtUxrz74%`UuHYC0TYJRuD9HhUgM3x#$*8ttpHqA-qqCEnHsx*D z@u{U#jP{&OQp5LxjKu*(f3T1H&Ql!UHq9?S3}-T&>~nM zAs3i2vn*IyQpP#-H*U zxLX*ja5{J*-&We|CF}|k_xP3{O;BIp79aGe>I&9ep;mQ~`^UOXDCS~C77@{j zts@^frhQCJdfzqrH+In`Nt+UzW*KSQ4SeXkuk0<9H)3oycFwe7m0@avv;nHCW!ApG zSPFhHq<(N<;SQ>^!>)jnodpZ?0 zel?UJju6C+*RP%&wJFP_C0l$)5-yp8EKW-KB0gYW7Jwn+MPA)*XT+)FI1 zBkdgHzxk2!m(Proi{uzotfRxZ*nH`XQ1g8K{IAGvZ z>7YZ|IS_6Uz3p0%|B?IOGIoR|cVtC0$bF^zp+jMTFRH$YD*C@l=>J_;kQ{>2h7BX2 zMF0z-jf3f1`YQMJ7Hrs9*xr&P5lXi0C~EG^YuH-ed8Bm1akk=wuXJzqy8QsLxSwoe=Z)lUTO)`UV`o5Jq@>bq>C<_ac_#>s9()%HY| zO3#d(c<^L5L2S9+pL*d$(AmT6GY2TdL&38NzrHhps;>qs4kDE-t{56NJ-XiAX2Z8>e#h1rv4G!IkfWYF_~nVYkV*0`to#+PT; zwkbCp*mUUhy@f0!)Cc_Zre+CuUXh7YnmIKOyeuPHE*PGs9{DD;3M-mVNtwl~xtzI) zxO>AH1aX!i@GZjI9pa&QZY=2K(~u2YDa$O)A-yqURFNzQZl*aB!B~}gv>JVv0&7P3 zqMz(CGZaHtUm!dN9wYcm8#bI=tjDouraJNpfoYht65XPB=VymZIFW+*29U={BB+Mc zbFpM&Ao~Tj^w{TT7$q4~%MD5nCC9Yp1xU9bmjNPQz&QV775(>O`&aG3DwD)Nl{fI? z4CQ!a>%o!(9Zdtu)3fz=3FTcvIPqNcjMzH;WG@mBPM_P%sXa`~Z5MAo36lX#Sv$6B zV}sqLMPa$YwjLHAhq(Xa{>6s2YHt{mrrH@4I@@2l^LXwp!S_v1&Z+^}b*iuT-UD3u z2tSII{#QCrujlP&jn%k$$c2QHQO-);*lNDnV+POIq&Nz?A@ zZhtb@K6^Ls#74V2$0Fx1-0?=IdX;0#cZDnP~GHZU0_6OqAGnK5Pe7`z!_)5u7VO!-!1nS z>jdx?;LZ5XgyGSvH;?9Dqp0BCKL`J-Kdv^kiM3~w6dDvE>I!aYM%2_5<|Z3AF`iAw zE_5d)@%AD<2N@wjOb{ zyhcWWEA}OmuwM*(28QY)wzQ9grXCsApwc+^YFsIcz^i|)L`3C{y+}wSK9$Mn;lZc5y*r=L$ zgq#3kSEE>xX+sdA2e$%xPK4||lD+=0u(qSTr_=A&*{sc*m>c&-H|?y?6pM33jq1*( zvzKeSy7*JqeTnJRTSt61Rjz0*`tdISj(Hj64oQPDz4Ao6c?6~cE$!_@7olii1dTm+e`T|LB)z1M- zRz))Pmg>(5gq1Du*c&%7=RUfQnnO>GCtV6lkX7Mu_OUg^8#Bd@tw zyb(n;^M<&3XL62si&Uw!9;Jo*2w+k&b85l<0-Hw;21w}@#3qK+9Z68E z%V^0j-H{p76!Itg&m4;41!`$X!zEU2kBjg$ujPhE(`|VBP?9u1SvlW+HsCBUv7!cJ zs{-j3gf&Y9~Va==BHrcuP>iqVLKmK(&Ol($J@ZbN^#FQFKl5k*! 
z#45JuMleGBM;?tBxvX-|*vYT$M(QXo!elV-megc&s9$T^uHB zaZ1I&8M?}hY#{hlj&%#+;bs$e4qZ2uNVJn30G8(29NRCF{TtD>SQ z`ox9w%eRxe&IZOre<`kUm2{R}oIZEu>D8@0ZL+o?7Efn=n`uqa$7{8^<0G+sCtXe* zw4AyTIXA76)Fl=d6;SdOK6P8Y>W+phj}>j(w(-otyEBtj`7uK$q~qt(CN44WUuSgh zbT5wk7~~LX&Sx#vI@3epe}7Ns#Hl@>Ed6rm)zHSvwX%ajqE61ht%|qA`d36F64FLz z#J8SqKQz!#zFw3hEA}lb@~V>g)^GLF9%U&{QKda3;JL7k!j+Irca;wT4n+i~KmwWk z4R{lQxeW(qrs4!ocs@wl7c1KtSe9ShnOM6o!71Gl7YXy61h!JnsXF7Mg89rav+*W2 zL@vcU?PF65wYAso_3N7JTe>D7zQhpxOm?9KuhfcHY+|3j!Z?`1Pr;mkA?MGZe)ie- zKM4FI4J|naRsrCmLj`8TuffL0fLFQ-ihHhodIfv-QQWgJ-={-TV*VyE{|txVa{_Mn zkBRx~#KY#93HOIj{I(t{TViT&Mb81x8J6#8S!Bnf=6t=355MJXq3Cy?ee;hcX6CNJ z)|6;thfu7I4i7xG;-*2)Z|qhK#;GMG!qCxi@b)Q5YpPL@%A@)OFkU!LAVLeI0#?H{ zfws%FwA>-n_dCW2d7pfh>^3F z>{@KgaA3`@6m@%SZ9)BZap!S`tTQK57?7;&3@%go7fX|BDkBqI>g(v^=S$btx@X7O z9okv(=?6N!hl8a>e;vCJK+I`|2Fg>_t?{z0;dO(N!tPN)WD>t`Jj%sGdtM_&| zbT%2!PKv(xz0UgTkO)_u0}6|F(YJ4>CCe7;RLaV9X%yem(u4-3Pia14vs({s-PXJI z;-e#-=hVfU>inzJ?EH1~60L`DBecoDjj@ZN%X;zu;?soX7nXy+?gvT00XC1M#BvfT zdr+e=>xY5cQ&iimN*XOvHu_c{O|0)ol4T<6GGi^{6NhiCQX@<M?5l zu!H0h92Bi`Rc7IoW7l^URu{Rt2Rgc!*)iqd<{5DTo@W>_lI&?hH=fYcA>sSw&X4Aa zLtSS!?>RVncXp*Q!s1<=XY_W zy{jv7Oq+*~^ycX?*B7tD25z?eWMGaYK{AMkooB(#fswK)J$JQL#Pl=5ipN`Gz4R>1Yp{wp~iI5kXhG#Nz+Wxn7bADDhDK}K$ryhBjZ!p&>-&TV5SR0I@e zQ4+m4#nH^tD*Nmm^or{=;ZdgK6sx`u>q55bDo=9_OJT0O536KPMXy&qjQ#siS0L4} zCA~N~hX_0MOic591XWLpI z=@_kQh@ly0Hr+Nj#Y%|$e2}O#IM!mm#^TIEOGqq;<)zB^Oz^s`NZrY z;ss)z$+~*DFq;u`&xyz9pWTdkHRE&pK}cl&a$PqX`0eIw2{g`@lpBksE7Gi*sUT+fq}O8&fBq5}d#gUTmhI ztkn;gv+_1oHpy4s!R9We?VPu~*{sC($5>0cGTl#8Zyb~>$XvH7TIADsfuu{R9#9&t zL3RosFi*IwND(D@iP_LYZSJNu_ThF3INC=v;-H;!*W3UW>RY$fFQ+jqOHy2~Zrr>5 z!u)L6{zHMS*h(LzXpYeuFFHtWxYf__B)2?Ow=wrRRd<`_?6=6?{ar@2H=6mz2D zi^NG!=8w(IZ8^Fx!NEl5{_t8#ZeplH87$cpSaT$}`gDrqylUHpu!N*ltNxguX0*AL z^LVTwD##)<$k)w1GQVhdpzv%^^~q1x_~|(YmDWk?q}e04H=e#weBoB%smt+QSJFCm z`yTJg*uOij?^xdPt?@^vHXWMi%I-KArs~FW2dprvrW42=z%+7g(VFqR{}+ zNPy@%fBj7daX;yz(>V1JwG0RJH?FBaxcUdzB`Z#;Dt0SBwqK>6;BB0d!cuHwsg4R7 
zryZ;N_)R^*Z9SB9`giEtGmNOw`hrAb|IF3wBx6bxIXBJ{K~YM&f0Zsb zV;MbTxntgk-*9jpUTNeED?%Gij5DLk*;V37sdHqDb-AK{xE9r<>JX2jr|qnF*NlI{~?}z-S@2AQ*?9|x9>iu^WHzq+yd-b3D%T!a2t#r{dRX<*?4ffgHIqQ zztux}maD$SR81iJ80otDF_KT{K8vG0jPnD(38Zs`LYGwG5=!bPoJ{|gi&!7i)f03r zs4o}cw?^KqL2RqPg#8-16CpLua5K09Srbikh+f^{C#)%4E85w!W%yq2%b0!udM{Z=OiQ1j>bSq~aIox9nC3uKWo>I*I7>`d zN}E%o5)7p>`npzcFXm^h^1wg-{Cm-61=J#mb&atV?RnBIRjTHXKYQ=+{;C(#o%crS zHn;hRYJ9)_?k{;|qMVB6WXblVns%KJJ`0EmTH8@h5a$VE|IC!=@?hM=?c4|VO6H%- zpUy~L&uJ0QH#a5QJKp0{S%fG?UrDcrvX@?umET1K*^_aus4G=Bi7+71Ni;@kZKRi+ zC1*JeBNQPFkZ*j+t^SKmjLtHaf0-gdlb_R><5wN?rMr<^ajHW}Sd%*L7-V#7{yVpiC>);PLV+tO>6Q}RByPu$n~H8Gz$b;JMR-AW`# zkOrZziMOaGG6nU;0%UN5c%ghW;Xm^<^up~dLl;BPP0eUEW>gU%R^0MT+%nB5xh75# zC6cYOwL2O9F~9%&GDJN8{d@Z#SJOKWoRzlk)U)Tid8Avpr`fY|?AQrrl;EkiBetGA zx7a41nk%r>2B^*^g{WtjM_20@QrOaV-GrPK;qjDW;cDM>UGH4GvhBD$GNrvR3WEzb z`KX2jDpFNJPV(fK0s9mZT^Fb>g3~VVRO~<3baSTW;q%nlr{T|LL!Um0hT5oY6Gyo= zMBJLH-c+L5n4@UTXlkixZIntkDTM25Yuj=~tr@Cy*{z+W>oboxHVLx_2_7eQHlcf7U>Yrx1T;)xobyJ=cbZlCp0YPPyQZ1P2X(VyDp$n?b@BB!?;J2uFIIS$~r%9ivD|whuNqByRyQyW}BHGL7#5c2#tF z9~=uk>PN#`CUnE<|I5%r-#arw*_7E{P_?go5mRrCKZ8<|7r*IIm;cdvN zy~Hg$XdV<(zOJ!ncmSpc4jl5Hh4Fi_W9ql&K0t9-=sM`Fwpn8tsb?Pt5P%Uax({%2 z^Z6wP{FSDD*6dWsaO|)nrdHUw*V@o4SGYzkb`6-iOnG%L;?C8OH*;;oTf`0$^DoFK zOk9{>%s(gV>g9dn?dIt_;g4qn@6G0Vh1nw36S#pnLxLM9Kz?%Xi~-Lvdbyd`pTAzU z+}sT(oso^#_e))T!U{+3zX0y>o4+jv{BBFnwgZ)do($Lb9j7&wYvs6;@^gEUOiEJJ z)B}LCyjxBNw4P$t?l(!$Fw5KjYUlH%djus@4N?v2%B6fWwQ?_Pn!M}p04&8fhlEw@ zuX4oWe9^c7%oA{y8ZK~}2KJubdg4M$|Mir?ON@(sCRh4&FQ3!v@3G#w&E@#<^b@DF zdk!`n?`b)DvT@fodC&2U8@o1b>FLQzx@Wc+bTuv;?y%}p>RxU&JEdNJ zVVC)V^*0EvZhv17>Z|2E0*{i3Z%^=)l_Mz{S*`&@biK|TvEvdQYEE%dA+I(m^xn!B=-=L(U)VUtXO*7 zdXMrx56LyMuA0vBn$B<(-G6q<|A8(1ky-K$C4HH9LGIQIo=w*o;^X#tN}E)%kFeVp zY1gtLTKy1olo(d|!by+1DNpfDcxAAf2I#HlJ;fdVVr`nbMzgi*;E~d^r;_`-_-9YC zcW?7a&!DE~SH%knRkvT^lA|%dg$!CEn~;ztK;%(X)OdSGJ8MKfta(%#`m5 zY}y6);P9HPh;)8wq4&Pl>=4KAZVszlxmC?M!_uWoD82KMIm*N>@4<-s>ev9^XG33t*FS6w4i2~J0<8_ 
z3IY;hFHGKj?+aTC8We?61dE&U3L$bw{H29^>Pqt!+6}qHqkzYEB4%z&iPzZ3qr=U= zc?)P0eG9FMc)I{&5yVAeuJP&pz~_%6u3pG9Hv7iZCBg*m9}uYWD*=T85HoVmjLccr zGc?z_y_e3pB&^HuVWBC!UjW z2$MGQ4(N@8PSR68ZP)msey7ykneDf;H{8(C_jk>0_i4Dnmvz~s*R1f5jZp0mRCJ-m z(G}OQxrScALwv_uIOZ+71qv>`@gk+QpQavQDSG|o2jiuiGpkjV;*t&9a(V{DU6(rw z>uZzi4kpM)f@N1hAEk&6dbRfYG+pt~46v1F;U&my?1ya#vtbY^Z#3Z!Z~2B$xuRxs z>*0aJ_a5IofA)~M?vjw~#9W0eMcx=CY>g0gMoKqkG;K0Ls*f!lqv~56lB+(l5B`H?&<9RQI(iXoQJ)`7%WIA^Qnl7z5krr! zhh<0LB5y{?wiOgRdWtOF6w3_?a?1}~8z=UkzP{YtBfBT+ijU zk%p8ybEd|OEk|||xG{#bauerZJJ;{7Uay8S;{J_j;_+UxSrL!lzCwi}1ZRzkf+89|~6DsXYT-WQb>GM|g zqHloY$!Y1Ls}FfJpW?~)`HJ@>Y7eEUcLWyJd1R!@_paZ8;+h{Cy0#TFTWWO@KO@4w zt_-V${Pm6Ht-?BGno<_Jz9Fbx||-xUjc!c`L2$t`v<4kq2Q>G@>ZDkIyJl9)XP(~t+9Xf@=_yfdoH{?3QgF#_|?j_%Ge^G zLMxklLrlLV+f9M?I6tB;GQ4j3E-^bl`|09EE9|4!P-={sY9p3XpI-%4$Qnwv72P8@ z*XY&L!r6NPQzL1_i;Ki7020q$zXmq&n2ZxdLA=2~Soh)mi0K+69#$fW>Dg4oo*ka6 zO;;Ja#~X2L^m#%f?gBf)CD(+Of2jXOPIc#>K3)3LQp3E$GW5NNPv#oiHt4+fnJYih z#j6C>2zjFkM*_F`rDnEAE_QA|z21-($;&>(6Ow3yyP70V1~&AEDbEB7PsBF#2Pk`2 zN2?6O+TvR-Cbl2`z|O%-mKV@a>#yAcjxJyv+zOGZ&NbLeo^uj*1aI8mGWnDxZw00upxo|PzuCL4ElAW* z+R=GnuxH}Q@R@-v4J|pzx!xt}(g>l1UDXoYIpiQY!>+%_Qck+m54mVBIyRoCv<-p` z%xS*j*L=gR;25Gv6SX~IqIKaSNxY_tnHSQejX!m|<=RaD#ko=Op`Bq;kymb}e`-W& zRn*DDwKp$HCvPYl+X9PazJe?^Ki@yPrVzO@k>cHfqFz5x*=6ATEch0Z>l^at2;5Fz z#bJNtPJeZ$zotF7tuT8}>(3sZG3xD3(aONmqd!xs7@51jpk#bTO>!z}kLWn-sXi6b zHpE5BuHA|3%zfwYqsLlhNgMQ>iCeN7T?x8J)INIVIBcsJFF@{5V9m#$mBKC{lk ztHOwrY00a#=2g1+RXcFfSDDhkTcU@;1P%s5ug>p2_~92bY_e@wslZVUsAbk3a%)hd zDWT@>tFJxmiLK0ajxM7XLJB<%e*nlxIl_~X4gKCVd&4y+!rQw1nht+v6Yo{N4eCy- zwCoS*x|#a{5tN2%+JaR3eB>uQG+lfxsJvInIYc!|m*6FsVAqf0uEa;Y0-Q!9w*=B_ z5SIbU2y7Vi6dtDLsj@e$JO5(h)a2!e@^oKGS)jN$f30YD|DJ32&zu?BTfe?EO_UlV zFAY@4J=7gs&0e;qi=zQ{GzeE`2=qL~<1jFRe+v#HG)aV3FMt63V5I_;^_6!A$d3og z4+Ylm39jEAtk(LB8bl;uc^JH?}jqa?8oQOj+A5FQ&s_=~vv&nIUkzG23Ql*wA5LgSygnj@@^1G$UL6%Tm6Xb;Pv?WL*t|rb6OQL`9zJ!@vGy z;_PeA&(`A<8?a&9sL*4IR#LKbDL!_zWi#W+#6$k@#c+byO@PHmj#5Awa0o8c6$T@+ 
zt{^;pOrC~s(6!D!zf<_)zAy1QQ=##5U{K(NYe1_o^DHvtf!|(cL?taK4V@Bx)}s{H zXzo3R_JCO1u^pLW-F>6D6;^5Xn^BP@US!}_VnM02a8K5^vsP~w4Njld<0e`)uAvKCLN@FPuim(r79HDskSkPt%D1pD_LTLt`H9j)l?{Q) zT>|wf>}#0XAztGhKoA`9h^KS{*F$do8Lk4E0z(Tx#5Gc=UVFe_ve~b^TE4sSDKRkf zVo&G#1bMZW<}BvIE2r=F3)^d=vjbBr6Vjylk+LcuRU=EY(@op$+;9<-3`0GPLPZov zVBL)X;SI3OJt4jT#PO@^6zOTUAp8NUb`e`D%x`#LXv1kdENI-vQ*Q88r~_;Bywf;o z1rFOgJ;w&3UW`P(z7g8H+4R_E#}oTJXP-1Zda~~Avr}i!sZ&A`~wRFWk z&-N<-WEhfbUUlQ4!r|Q3^R)QHs*QQlU9ntQ&Tp(%gf%D_1?7LY@%h#@iI%q^ruBlq z_99<3faYvnwhzAvXdD)Z&-+LQD2aK&#YGdus1w)5!8O#0lItWWhmF;0=M;VCNL;mK z>dw!%siBFNn;-{u1$B%e3={Z5u+u>gw&YNx z4FSZ9Tw;PYexnrZA+o_?n@EmS^RGyN^D#NLlM9{cSHuiiZX~XClbG$ef5UVBY4pT| z(8%&@Ae<2O7_u^r$*93{LkgUcip|`zmYVSKg`rOIIeO2J%q}pp;s_nta?p!Jbn=SY{ZWk%6PCNuyS)tWKEf8URjj1Jy^UkK)%aY zwOgRrDNya_sg7Vn2Tm!u>)@j z5WS+6k=t;XEUEg?RFOdg7zDF7UwvAj>`dJt+IK^FZX|KTx z$LC^C@Re@Qr_&|V&+BK16GtAL+c!5Gw)Kd!d=E^>VPNYoyA@P@Hc`5zrbAn|A+1Qo z`JLTLr=p|)h2*z-R>r|4$<3!j)rVr%o%U<(p(_u1v>)ZR9QA9x$P*1Pi_SVE9R1p2 z0N5NOPb^xp1;E{n~Jge=-R>J&ZAE;V%D*2#PHG>o+FftaAC}XN#2c?y0+iko|Mc#NPK*S@?vH)q&MI$yc?*%WSA#2 zNw69GwXR+hGk~)e>S~sF+dDNH@#0D3%!7iWVizkXS9^9E^jII;vbn%ySLs1>4UUjEQYfQOATBSeQQS} zL}!aTb~GMR4@_y#Ue7+=7jxo>*Rj3ytEVF-E|gwBncs5eW^(gU`0#tzU*{^OsER39 z<*2iI2TX#&EL}i0*obr;!-qExP0{+LzFv?wLL|M;v-YfCFFl>T$~bi-E^lj3gz$Ik}HI zHr6g|s7sgc<&_))MW3tbr^)+Z2<9Q{2AMXoS(LN3;B%u-odfL{W$N$P{w7huRR=bC zSLQ`(gehA!e{^+R8e8Mre%Y(-e8Ad^0#TP|#U9JxB1&Az@WZRle4d4SqCL0F&I1#B zyg4<=9O;PsViSkxKYyW*T^n93R2MdTFWwM6=cn-d?{yu`XmJ+wDqFS;5&Y+2%E%wK{2+Z9fh&QZ3m zv0r>|8JSd!lkwfN%7C)UDG_TXRF}OcXk)%>94#)~KO^jrT6iY%@;3P?&X9&+4MTM4 z8Na3;AI%Z{aMoWPR+SxS^Qq1H&FaOmYALHQb-54IJU%?Ku`Rq|uYRQHd!H(%unPv= z0_6xzGtAV0FFGcWjr$76BgFj$>$WNPYvo%~BBHy@rf<+Kw(nx4pHj*l0P|oYn&FrmhJV@4pGHtxYE=7ii5Thl|}-O zf$5tYcW*YZb+e*p;Ru5S#+aF??-;Q}-|MsQTz>N>{WVr0?|o)yLG?vx-2uDv4KXoE z$hG@)K3z`6m9nbIZ3_i>c&$0D(vg#8>11D2?Dp(Q%KW3q$*VcUQ-sN)XmI91OM;1= zAf0Cx3W_`h(WFpJZ^&a1|AMJlhFs~Z(luDB?;fYe5!vtyfHPRo zMK)|1%uBIDv}8uFwDSDw7nTb%`}!F1YyoMVnVZF@0%iAGGe2EwvXvKUzec)KvZCU% 
z(uO9lvZ90NX$2mVqZUO6*o|1Y54x6|@t2LeS0pa-b^M8|xBlV|SRVbtbjPlrmaqQM zj_)UJ2~{*N^^E$RQ2@2%D59O9DZt$j$`o(~xmvK?uR%~CfO~u+(iXOasCRi+Z|5W0 zTej6#x{*_}-c!8IQ@hz)yU$B`nkydQiI97B695;s*vKIwubJ{&AmKx+4iX(Xhu8PI zH(Z1Z4e9xyAhT{!FgOY^ePL}!?koRka}7)Y{|Rc9RGzBNliq`nXvqgjqnLL}5cvg! zd-_O@1c^6?*T{++B>PWqzIgM{%hzcyh}wIvHdVHi2bXO2spt>Zj?(J7>GcQb^6kD& zM?ICDKLvXJ62xRwq}rv2e?tk4(X^+uREdwsBkQBTbp6gglSwJh4Q(BOT{%ZIhd&e3ZOzZo3Ne)_;;ZpveByq1T&fBYwIGH^Qp4 zURrEJ-|~Qx?>P~I%8I6{DD~ zi$gU!)?UjJOCvY+aAX~SaB*=h&vC2FeBZ@5P`Ex!sxH_fsn}Vz+H09*6z)bIKJpq~ z-En{QB-Uiik|TP)MPAuOqpt>C{l0Uu52Ue^5Hy1Xhn2LV@6BVc-XmsS5RY(ydqorr z&wltF-@rNK+f~-z{IK%nbHd*c&^x1f zZ=Z6XPB4gBG}~daTu?N`eZ1`dURQV@{*~Mmk~M~UeM+`9&}Q&Fy)u2j?DmBBy(hjy z*W=As|KMuGTg}ae%vo2Eq07lM;Z?!_)A^Lt5Z3cEElYvjiY4bB##QZg~bpFHJ zySgHez+ZdUv;R|9Z!qVty)zzu_d&pur)3p+zC1^FJysExL;y4paBs}5AcJ_QQ9j{W z_&n1OUT3D(zyJQ~pH|TpnR0%1^1HKe?qU#p@9&NVc16| zX;lWCAWEtxQhS+Ma{*T^u4a&-IO-zQm=~lii)L742r{=T?NTE@uyoK5%5=$Yj$41} zE01ckob60SKMpUT3JgU*w)TLVIN(bNhdjl@u*dg;IRg$dEw;DdmYgLup6W?VQ>1gz zfSvwpr&J+&hP%~Pal7BZ|2E!SP5WU zc|u;{9y}tL+(bQVmLomMnIW>FDot5ZBM*^*XPF)+-ipc3$@6^ip#07KuxH}|#A_8n z+$L{%|KSaByC}MU))oHT3lf0E|!1QcZOxI7|c}| z89~kuX9j)8G;^0^uo}uM*8ldmi%iS{%pKzBz7?ySV?J8N`2B}}xjcHWvVQ*xvnU9$ z5mMmHuR=oNGII()I^@diHQ&5w$LK6h!3KV1Z-{!F+k66>INbQ)tgom;1M0 z$u6|;yeq|Dt8rl+pd11Njf?@34}-mc@gCbKSm?YvG;x;{sLlp853Y!)|JXhCYj%d8 ze3yNeST{1`FD^7sxje8@!4XxM#jg61ztlV>%rH62x=cou@1%>n!rMl9l?P#1w}NBQ zbV4~gKeEWwz|1+)l~rZS7p`{5q6UhVSp;|Phm#ipEfLO_keE1B6fS`H74Rdb;^uXS zbpG(YJuSnTQ(z0*e`J&}s*JfJeMZG<=OAOp73a>&d2Ux@#a9646VrAAum6 zw8N!V=-cNqy=pBTVvWuHDU4KC0BEjRdiJq8pIK^K8}B`tL+^E9#TeK}LM7zHlsGbL zz>PO{V0C68Ry;UPQN!iUJVw&2o_ zx>|VpNl>`@>k!hKyn0xL*C{TL2$is}qdP<+i$ z`SDeKKL$wOcS;t>55;tx`HCO+SE{#OLb_>2=8r)>pYiDiNrI&jUQXq5p86nH)9uxK z(Mxj~Vq2$-YV!!c;!P!&=K9TlHM2<9K7k!r1FFE?$7E4W&ywYI z{?a9#-~RTKufMZ!pq12WKm2UDp|!w)QEf#n#uSakG#QG-tkH8y2c}x5@Ob*HV)jAg zqdN)2vt1DRF0f*74g61UKpy6Qtt;{<#2fxjaurSPqUWaw;_{;@#jP7L52phjKk~G9 zj?A=$8Zk2A4JFt$ouv_>%ggqWE{ff9Effxk?^ 
z2i4Fn!^)+`ks*d+$ch%S(#~AAO?CdsMKfQHeRz>)?q*E3o=^hTpYd)w=h<+cDLc-P z?_tO{ndVj{?l={{vCkw{^;i4EPn=VOBqwZQ8!aQt%)`Y#)%^kDTNtOgkg2K$sp_+g zrb|ri6;O7e3r6@3AaoEiaR|CMb%Py;oK_0#B7rTaNsBzFJIT62kRLi23I<~jTtvWq z(wzLa{YI#s;FkCD=x-~VKY85w3li8Xi4w1edxBh`wLZb?b`#W>K~ zEp3fy@OvNVo#+|IsRt1#UYFU|FC&wa21o9E{*$h;1K*Y!=D^h=U`wBwX6lh=!4tue z!^%0>)m?vVJZJWC`1E+h+&vLN+$2ao48TiBb^p^FUU1CxzxoVY>l}(Z(MQF{c1j9;~UVYvBuuP5fabMx1C{IdxmUiG0;KKz#AnQX_5wPH3H zxYr_1i`=bnYfK#DR<8Pa!`h&^hv6?D``^EvLA*Ljyd_093$rsOrT_GXeucUsPs4XL zu&^*(s0YAZBwUI=aP9g1`uk(tCo^^vQ{sdKYi9=!dk0v-L)%pjvl@L~wk{hkTLpS< z@t|g%zBET3+}J)Y^jkA4H=RHHtzpCNb2k8J5jf~gT{B$-)vK-J8G#_UMt-etesW~! z!ptoTFIV@>^}N!({A!pNox=+Egw5Y#kHK%`If;b*cUA8XE!{COPf0qdo}pqJkPD%ZXA}t%}+f(d7-FTw!)TU z;1mfKF``Dy7^bJ^xmRfAxb8Ke*Ek5-7PkvZz zNHKH_wP$4*)1>+o)K!H6r^tkoYw65Rh|_y9lZjNprxO9M9s*mKc=P%N26Es93tkTY zp|0MdouGh7j^DewLXo{IE%H>vyYRtR5E~x7d-MNm?>(TKI@7gLCo`FxOeT{|8c9g# z9o(%hOO_?MsCUV7?;ZEvd+!w+Fc3--0!c_hDj_6*>p+%;O?5<=RNcX{_)pZ9r#dOE~|_X97SjbYQ4aXDTbmkeN8NnUQZRF-d{ zg)(IU+plQzx1B?zq>hadr%qfpd+PN!7SSyz%6nknICM5FyNaWUuyzRp?$p`68p#)$ zYZ9>5Zjz8*g2X{0L>>pwC;QF>SI2w7f=NT>!z&v66PatOHY{bvQ~#}2O98C zj?u4*BV}2e(0-!K3yIm09=|&$Y)i3!V^cuG$H7fM2R5Fb=UTW}U+33y$#26IujWg* zwK1jLG@G@POgAA3&`46ypeBf(7Z@NCO#YZ`>XOOzLhc=wac+JMjOmfNip@oV_jyY8!i;^Lsv(%^~; zztU1|X0|*v`%ST0omZpIYg*|R|DquHd4BkOY1VU`L~hLcKGi3swYS_5-Jn=me;D%@ zEIlJ72~kJ;ZY5NeTREv2uHjDlJZH~B)biE}6W*eQoayMe**{|T#Ea{!WgmTfWz9M* zi{kIl0XkOz!_pu1sDQe#B0R#yWrv;9u^Qp za%Gu|v%p^H65~jM_wvybMD@zC&?H;RlNU3*51#4){fMv6`sIr)8G-<+Lx4b%YRe5a z`~6!BDFT2JUHlUlGCVNHkS;0VD5}}gJX@zAJ2C%*ANQOY`{vZoMKb{Km{a+9t9oV&`#HNzNMz2YR$P>(iX#gXu+|XQS6C zuB9!y_Pf~nYnIy0t92Vfww$IXwmOyW@!9#4ckRysO#rE$@j~}O)k)v_i%=T6^7C%U zz1Os(l~~hwTiMtJ9tmk<7mN;BxIt*ydWMW8TgY+V5GRCk%KB^Sx@*`seKVPog79G8 zH*=1lx%TW(Ph4?@E#HH$j2F3OgSwL;&#`e$d)eA;-|2DmTcs5hJpGq9 z_#&?<*uEKJ?OJ(D%h!BozqPia9UuK@_RLaSK6_t1>KHW3BkUxDlRu>aEqw?Wz1I zsj-MIh(~Mo)34I@|I`kXjJ%dOIO}yABL#ij`esa#rnp4&G=8httgkL@zcg~j-rbGk zljdD`AiU+4y6m!{q071KtmpRIg7P2XJ9)l+3Bk4Z)^moYqaiy!b4bft;VXVl_-fu~ 
z5mn!;Pu=DpTbCG;*I3YYdbLaOORQx7=I@j>dtNX^@T)fYRBsP%ct5!D!@#;vLmCc7 zZ921l`+D_+%C+^gI5HJzH;E@gcePzqovLAL@j`N#vn>n6?IhB>+$;JbioxT>wW zWNf+&cq$wua{6uaDU9X`-uSgo!)F1_-v)ttz5Kh#t=BxNk76u1H*VWfL+T$`(iep; z%Z)BEy9&}j%1hmwma|*mdL*gkaIPpt__A=heN2E)Lu=6HPyIF?0`I+N>q%brr<{y^ zjyazM?Y!vSb}GE(w6W+TWojke+askl_t@Rj1&y1SPCjhmdafv$ElmbjC%A>z@RI62 zJo`h}>;#Dqe)Qg_Uw~BV@X^lWrv_h}&xCZ{?I&!R`gII9wg~lQ@TwK?_4Q~MCC4{w zikb34bQ!yam|yFRo*wlXyX8joHgEjZ`p9>bmhTLRMu4YN)^mxJJ zf@ft?SullINM}8~)!*rH=Z0};DB}G2)RoKTQ)z*Yl6scBnQkbd7;-TL6LiWnQM{8X zmCXs%s8acwVkceE8iwDzrQ+{TPN6xv^8txV1o4)7eTlVeinU9oz`cm?<$Vim>b$s5Z+Q9 zP*bljXz(c68Qy#-wE4Ji!zuJnAx{pC1UxEyFbs8qL;=@o@}15iWJ4T>LCmmg?oH>w zkLTHV%(LMK@5Te(OQGD7q4M&B`Efgaol==k(tmFqDqtrCI%eg#Z~V|>^C5lfaktHw^^CT9 zGD<}m!m#n0zV&ig*|+vy8B7mxQd9J??r)6|KFiD{Tw#i%G>xwS?@9(so4uVq9P)FZ7X2`->15-pu0IqGb>bGDPRhATC$ zqSLD0Ej&GREWA92>K3U=+T&ev#;X$63MG=W9$U^B+Kx&Ze-Kt7aO*Z~>@se=sH)v- z6A>xN34Gb{C3e7y)XhGd4wffwNQ>Xl7TfySLUn4)hi7zKb}xyIdC_^kJl|08S#{Zg z7EE!C+g=s1xz4Y?PMTBh)$pDtPyx*(jtj+NWh2=o3fqSy0Lk9jd_@n{gwV3-EJi$d zZ}{1>{wtrRPko!;_i5bhzhOg2TT}R!#*`1rGWOM1e7D!Pv2vb771+ExYTE&0#rscE zRPL2;M{M4a@XprE4;w@onw4(LUf?}FPq})9p94G9mysOF&dv*b|6A>*Lz0Fcooh~t z>o3b1+mV0Mw|44V+Lg8Eg@s3)eRHV_uf4~1UmH8>73JZo_LgglxPk({0#hTw_8Ess z4Ln_*Z+zRUE1b=qT`n;O!gio$bAO8Hdq6B)K?N5OYPe3a*fq9Z9B~#RM|-3b6;*Jn zSekl)TQWoB#gn*H)O$U6m~wy6Fxr#wXkZsH-D~Qu0h|DwXQo6t#Kweu`OhT_pOSVE z+ma6Y-)ut$iR6E=!JJMbjp;ZsePpD2L)Z0?;rq#bJsZM9oVgAt=si3`YxVo(*5@TMP%DW#OgXzi)L z=(W8Q86kbcH=M*gQDzK1#Nm0)A049|leQOBe!VZOW&1ptzoB7Y#NLw<^hU*dE_UP0 zldq#k^Ml&La=yyW|0XBGJ0oj{CmkcpJ%q7tBu&47toNkOegvyo8?*6 z9Ne)j z3$hJo)the`xA&@A(4C5Ld)LtcAusufo3xJ}^^T*b;it|kH^y!WbrKu4)`}YBs;qGk zRUv<9?V4nxh~RpJL9Jv}Z+&fnj803naqxU)DF;vkNEa3q7tov`aV0CPG*+m9IA`Hy>SFNz<0`v>p^8DW2|^&ofKr$y)8zoXn4|(iMIvPW zi^rT?{j#aa6T`+>laFSnNRJ-g|Kof-6xw}a2Fx=*^xewGRGop|v@4ej92}PMoZP@< z%aYZi{0#^+N!P3@;$Tj+Yv$Q|pcWx@6m|%~>H6^4;X&f)(axF;dvA{s+rBuo!d_w} z2({$JIY{$4F66{&pkyuhe(QuHRgB`&#OY7ZA9e~@?;2FAPTU(*^Swv)A$j?CZmpLL 
zZ5?u0tJdqz)fmiiE#%z}-z|qUl^dM0V}%(3*1_`suwT2}O+#BB7u2@TGOW~Z=KAn1@c z{Rl>ATJHCTZGFlO-TdMUlB$d3sLJM3y0Xs%@y-00GD%AH*@5dv+RuO-d%2ynOqVZK z*NF73wt`Z7O|z}CKp9sFD{y<}{s#xXU9n8Zqh-_hady1$C05cK_htrWNcd)6O^ex+ zuh?+?gvva=vWly$;prOClxL;L0Z$rT%A^S1x_+~AawvbKGkml&nV9(!+4UJ>42lMe zR6TQ64NenDpZ4EAuqC<32y)KXB3o5W77_0O?uB2QCQ+-XL?calZD#Pp-kX`j_k+5+ zz4q>NXKH&l};0p zQJJvyX1`ysY47n{qeOJ>&Xsmvpcw>zxRq;;zyl-j5?6C&6p7&K*rgx4zt_ZjbA5uH z!W#mr&ILB#1v~(ziiB~tb%XdwyX69}^i#LCL&i;?Q9RBiwh#0GW{7bhSy~5S7m(Ar}}P0Dr2{? zac|((1BUINXt#W<*|<-)@l(&XFMKwC=C^r&;Kq+)cYfkoS#R#4`!jR(%e-Y6%4Xwf z#SLYM)1sUbB4gj)lD6j)USi?PB0r0uqGugL7wNN?8uK{uEi2v9SLhR-rYa1Do0iA} zB=zshoA-O}IHB8g&TD(GVN;(=d57DEA&Mru0*T$BVYL zzG=%~NkUw-S z*H>{NR4wnmZ}#+`*=VSd$HE8-G{8I6aCEgCw@OPz3TR|j^Zv4Hf6VRM2{Qx96W4PH zSU{5G|M~+0Q{B)VK?;M(e!=lZDH)#9fBS$?k%|j)1qnoc9>`LBixehEB@$bJ&P)<_ zCP}^jp8eeu=8G2(baeO|y`OyY&zQ;n@&ewc-}gYFb&L?ZKE1ruQfnb82CX-u zT}(F+=u+*R6bl(IZ~dn5;`rgrwsItaxdHp+>6cWc9qya1N*jI@H{B9coi^;esM>T` zx#^(C_MhJHD>kDT9rL%Z4KG~gpTJ5evrlNGgf>%xwmK(%xjZ8CDUs2PCwtR7gc_Gf zi;3l>#v7_i{FncS#>GbvMmw0$v1h1#Zr!y0?t+JCWGLo#)Q|UPc@HzBNTm3h` zAKdo7wg38+I!`-aFPg7jo)YL?5D`=vVa)Q7WhC%p*01&SSf=x)gr#cA!6N=u%zNj; z-#&-NTSLV`e!{N*pohHWnrz`-@GRALQCP0`J4b|-pM%d3T&eP!yIyTmin6=Lnl4Sj zPtxRVg79>@QS#x*_xg!5n)T-9&Q5fhC&nS!i!z81mOiK>Pm-x%zK~?r%TD z5JD3wew-M&ID4aZ>PFP)UGIs>Y$xMOOn1&IrPkUQZ>0hENV%iaCXw)cmTNWDDgX5~ z+MX$5&!OXCsU;pkrEe_M+p~+8EDieLle4h+_h)ZU5(6W%Q|)(#*4P;wB=OGLeDFz< zLxfeSc1r){e7<*9$jQEACwq@5L)Ai0Z+&=SK=SUmf*)L)uPNF(wA*ir$+92{xF_7+ zK51w>7W&@#S2Y>0O5-ItZ+n)%6V|jheb;BvE$;+ZWQW(}hgB7LRq<>K9JyugqUyv&UY=`w z6S+}!E(vYUF&mgcSxY2_1!5Owpt~_j5SXrts|-wUNlf38o4BPkrma3=^Cpk#O@57g z*Y7wSx$U@9>boyFr9EjE`e$y^>dZq6UYY2NXZP?EfGiG1Z6b$$K*Z@<3? 
z>o75cB;r_5LCfnFQfHTB9xZ}x;mxJ{Ix51M+Gsm{hJ`u{v)kCJB%v;ZE|fYc)jB^P z;-PWmp4;%<^$+e<12asHBO$w$A6q|U*&kar$i$p3`di`n-*^rFHj)Av8gZ(V82R+U z^{nB}@PYosa~Ba}K^UMckPnJIY>| z$6K_*SX}-!0+YTmpkE)_*i+1Y|2+P?>!S;c&9!V%666X5CKzq1ZDnP@s=?vm@dh$+T-utMm`P6+F z*8E|@mXCc)H6GD?MOQ&^7W?u&z5Uz9t)Dlx1wL{a>*9M>1Q7uAP1HHS77 z`&Xvcy`R77v+9;Fsx!8xDN^*7p1h?7rxo6A%e})^`=xP`HvxL>+4!?d&gay~9X6rc z6m6HqP3QERZ;`B_MW=!qFNf9r>>OIja0?WN`l1GLy!&)GXvv+GESC_TD8WWu2nZbA zkb|~9raE>7%K)p_J5CIa6JLJQwPdC9s&&r8W5hGh&Vy(@csLFp{^04(Pd;x~EAx2l zc(FLgk;J-ZU0(v4K zLUWE1DOVt0`>H8b07VN}DOy~w5dHfHZ{*#*89g+bd*n=lIp;;TOo0T5 zy|R)jDduYGxT<=zdeNkrG-qUJvW*v5*4_XGa`PO!~ZI}FaomW)vU*VNC&n0M~G;o27&-2`Q&vRdyFL{#@ zPWPyEPkuMG__MmoueW)X=LFT)WbgY(k)QRVm`O`?;}>|+QYF+JqfM%cnXl#)YIvnu zix|FBq3=93(;*?;SY8&hb!+VAP2o+Y>F?Au|FC`6`8_GEDav@&QpvIxxi2r$uBJx2 zu+x1R>9MlfRzc}@r?UMhJ-ctYX54%YHv$Sk?i;@|H2#RPg0b|vSMgbC!cMwRu#JIN zv%l>8*on{19JUi_F~gMMoXC-+@#LA9pG8+yU_>&yQEXjfF)#(*IKm=$J~)#@6U60q zOf)4dtR2~06)?Y3#4uubhLgdZ8RQ_U;fh)S*aKG{`im*x%`=w6U7?E%HmpUb&H%BH zJ#;5>s5^ytu$e?y5jRN00tPUfloXzT)-%QQr26`8^%X`CAcJA5Wg`PWOiZ>DL;G)^ zPap4(>$?+k?o7Tdbso#fh^#N$y~qa5jB;>;gIBrGPMk!O#x9~LGV9wu`2Nrcf#LR8 zM0wpFvnSSBS^F}WL0jJ}eRFgt-|u&AyWO^1+qP|+@7lJuwr$(CZChL0-16z?_k8EC zd*_~$Oy*{iIl0LzdHrq8W)queHoN5qek&}pZloTs4l@F+aC z2kr8Ezlr?VJClHHee0^oJVooQZetwf98W>A-E&0hCUi~k@>-rTX%)114c|{lEi0mX zQTf+TGf)Y}V39FKCvm8@TDqxsZ{r(|xEH;HU>ic58X%TB={uXZZ>v6tya(swHVU!o zC*W!76+D7fin8#z|0&NB&Z6;WEcGFYD`qJPM#b8Ki2LMsw*Z%sV7$c)d$6psM74Mv ztDfJ|%>V2)okG}3-x@JV+I|AHzE5CC*W1|I(<(-HLl#*RD*0NN<@$!3O_p}tXi0cv z&^08_unj+$HD^_Y_bg+nN?hu>3fg5{X<;d+A}Y9R zeN7dKo2EmBvRq0*(Fz^W6|Jm-#O5eT?R-fh-=^QA&xzIcNUQ!6Q^SK&8@R=u*A8n- zlcnXkF08cmN^NTll*3e%+qis->|Kl0ZM_VX+3{hxWsBuzkMpMMR^3xp$yGzk6&G0u zC`i6JPh}ZDDC`f!)2|diF}zPYQOq`}2^g9ePENPV&u3Cx$Ti ztUd(Wb{gFk7_qEog2dyjSq$_CWAK;+I5K`3zDDSb-K?39!%aIvEq7kAmgOq0`-ip2 zS>DE#008xEgKCksRpknml}$6eF^r1daS^p)#0q^&UeAM|p`HA{sjwGg#0$ai(GqKP z7WB1M+4^4r?Y)390(COTOf*{Mx3k}v#l7ETYsBNcqey37KpOGK$X0dgCgp=xulu5j>7uX(ebf;wv@rep)lH?S-%_OPBJnxw)fS 
z9XhSv#rv=2+7emMyd+d?-7h7{u=2U%3TO+)%{+sy9nQqMTZef<{S?26x!Xr5Dn=%C z=(P7Q|Du+>oo%_{4Z5-W-ZDyKliW@xj#wv`dS5E~ZgszP^&Cf4oRhQ-_l4~3xGHTs zYlQFxj}(SPLncq(KvPew{R@vNzDszM(X{dZj%mefkk(%e?j?ZFER|DA@!M}b6JJfx z&dG#)npRJS7e|ACN0;r?XMso`HL3c6BcQW^_dUt{tGnyj^wadHW46#Gw!yLT{;E0y z@5a*2r)u3-pyyv$+rPH5>wvOnD$DhS3abVw6j$`NBPAfRdG$-T@ioE+DRbdfEl2Ombl&|63B{x=l0J?3RLMIeoD? ztcO9v{#$pC!TM+}OOt*j?v*?^@#y8BiNi8tNY`C3aq>kuTH-8)W$a{Ttf6y>?WV_cigLuXI75}f%QN9Y%#E`)!gvN^n;kc0HTUJqj0^g! zuvVNb7la5)o{t{9GXB$GnK<#;Rqs_m$sW+$e5B6<<~s(I(@O{IM_%pwJiKf(t(k(` zNEe(hY?^S)PfbRmH7DJUv(AR2R`Xqk!vWrGiQW|dQ%y(6v#aWcTxcE~bvLrEbv-)r z3FK^Z?8_k=D>ucbjk_;gsRpJlvVOe09Gs$AprOVoVy5h- zTvxM>u%W2Z)gYxzZ}PEHS-D+|-ceZ84syCQ4cMf05w2uew{nO;%vqdh+J*Q7MH7>$ zks`c>nw*|eb_;{_KXcwKHGMP`rIEpbOM>z?O^uq~b zNIz|#U>U6R)u0GmachYff`BPG0het;Pri({7T>=auCIE1eF};y5p#OhpbFG7oXTqF zdBo!O0K)(Vtwu(Xzp~UW*4LXHqE39|L#VySsFRr)8VfAbEy{p>G-cZgSSa%HP$92h!kk-hRC z)U*E8w4E}W3>r@1qp;(ySo0aKxxxs5Yd*xLg+Nz8f~TcqDq4~GUq_5s?Qq+5F5xA& z;)ClKw{*-_=Og}sIowoaf3)Tyt8}}NU2#`PIv!vUM zIJqX6Iqpc}2&3+Uhs`Idr^W(-GAW)lJA4%-SjZYvvTmV-CA zIEz9XC5;^GXts4K;2#Ex>4=dqM zQ91PUA2i6V*UX_;a-&w*j#|ipP`}qaQu@u5V_YF*5g1kzT+Mdgjv`hUXHDdoc-)*a z2`xGHuKEyqg||^twT^f4?&heksgEN8^SU@AMbZNdVac!>Ix!WAc#=qOskM6&nGDw@ z5IKEu2MdF+%|Cf{FBB%`4M=uMSs!ULp6T;QNC!Ue{lQj+rF@;Y^%M)!BZJ!$+#?IU zDw=irnqRya?yX3{{$aC52M+G~=Wm5+EpQN~e^UH$fjId$e#cF%T6dX)pn#%D0m3CI z&h#0JNvy@@y%8D@>g#PE&}kmC+gIJZ*xd@F8QZQpTK2VF#v$d(n-d-ZYW7IW($mig zV(KKHOaGikMc&oP`QXDIG%h9@RI3;<1*_ch<{orcG9D2#V>f;ued*0KTj>f+f+W%@yu z8%4D;Lc!HCg8O!)YDI+z^Gu(`oPp9P^Kq{puUZQEt@zR2zAv87pEGOmHK*%eOMUM8 z;ez5P@0}Epx~xw!$mS#uxXz+HybM$8-aZ|P+9(;~Y8z7V$VX5{)_6X6X!Se>rYh-h zQJ>4`0Zf?m0(7Gc)7MS=qO=VNI)gGA!*aqkYg*Z$cKtgFM|qVEsr{L<4VaLeRy-$} z^ayefn|HFC)$1`%#JazFe^SvK-eqHa^M86jG7pmG>t%O}X7}pq-p2G;=bG{Uq2mX6 z1jz$&H~Qlbe7Q9jrp1P1ESJ6_={%9PvgJ2R@oOH~0U8_BzIOaPhD#k6Mb(eq?sdHN zZye(Rvx7<|Ls!PHxHBx2(dQS#cXOteB;QSk!_#ck?O4x&h5|}C+zNreMe`fugIE<< zO7w)aMAM>^KskcewzXn!bg8(R;LrH*4ZtR4f*O(cyE=xPT+%#urToN6BiOkQ3xpOv 
zg(8+aJIhIZCTw4m6g@PWMB_~!xa^bg>OZW`6VD!*$*-tVDlM+W;JyXbF$tcTu*{I=!padWGa;91 zb&(BeaRYM}$=t%ysg2Pse96ovU2t1U;L%&iA!E&M(A0^O>b_Hy9co&uiO>2F;%fW z^MH}9nD+z>T0KQYp|^%JpUD5JcVgMj9CCaML~@9&w1J>OVscM_u@{=l1C0yC&+V9u z@qYfb`E)+A;|o#{(R5{B$_3B??! zW0R(9f=X10kQ<70V30ShtO_05ih>6+k2*bhdcu{&@+qD)o3Xe1ZFc1+rd{kVr{mS- zh|lk$rRC7$)M^xptE3*8R*4F>sGlPscT&#RB8F`godFnKp-5dJXIU7-pcAE-yL<*T$E~r-{nVhyESAUhcUapFPu?^yePs8^3jocw}4K z*(RrjHI6soxU>S0jxw|=N`wthFLa(ASq&*3N27K~y}flb7wHr$HcgaO(c2B}tXlC1WsW z6DTEBQFa2CiFQ|)cPU3*+wVkS=>_7TJ*chDM(o64;oU=p)MJ>kG6^a$3aU!M!$ z)5Y7`^Y5#9-lFFpZ?4m!v7hIlBnG#fs-tdJU#?${ww9%p!xK#!{)4W783+JrgUYf| z!5T*r%Z9BEmOP#5ppq8*IL1>~cs&0l?s%L|uIK3)g|+Q>yTas@e)BewH$>(n2$WH^ z+D;Y+iaHFg-iQy=2mQvhGTuu^Za?-EFq+gjyiD?PhAMQsa*KY=!HHe#h z@2<1|o{8N;=yvgW{0^?eFWh2ozCS|Yt8YX{59>LkV3Y-oI-yMzaTOoA)Z*C6@F~P| z@E5CKPRoY#_CyoSM&*Yku7_K$v6@N|=|hbKP|bj**hZ@Yf*6+2*hXkaL?WZv+?t#7 z+ujmywQ%rqZ~m0 zcKJ*Jh*}EW(`OV-l9-V7VFbbOOuj}oCK8vZTzLQ<6?Rqs^|`dp=eSSFbNcnfkLdL| zq9}rW*%MysL{4W%#7o*UEImXoKX34y+Vp@Vf?IM>Db<`>mQ{hE(Of2bxORb2n;ILQ znF$*m?)ErWdVN&{UwyKRG$_=}{R$Qx5)}Q#N8~}+rq`07QB&V1mK4#4DvOH;^0#_j<{fM-Kw2On`<|d z^0Czoq0muyZ3Y^l0FJMVFI7if7+yLdR$^s>GQ4oo<(|$r8_*O#T;2S{`j)D9l@1z@ zB&1sv$b|Q9OIkgf%F9=oH{;dX0JmOP)qXPbj`(o)rXcd8(*x6vHa#*vG~({0!Hj5W(J6c6y!2b z6O09RsPn1}-iv-k^zQZ?pP`8sQg#T+RV5Kb9wCnYs}LbAD{5LnLzKFiqN=2V(Sy7| z!@uX=4>K!xPVF;Dpq<8lZS?qknPmQs-459v*6&!`X?3Q3LY$@Ja%h1(JBm9E@FL?I zEL4Z!Erik28rMBCXc|;NH)0cw?_WvPj)c8>dcq};QNgw*&2chtLqf=dnp7d(XbYJu zCX~5-2=lh~xK5#|CRH|@cGjLu%}DXCE_AFegt5vlM4417t4AuU4uZ(w=+i^Cp_eac zAKJVJ*ess`K?^`!Mk~;#KZoGHa_Z1pE9X}$mn@ZPUN5#~VN9)>aGNVNobw4bm^ufz zo81_`{0TZp_2Lm)1j~@Hmo5C4U07A8z681eF%9a>9@4uAXMth8oqmBh&oYWx%EvCh zUqDm*pcEVd;!hPC_zWqFqnk6ea8w5`islkuTop&|qKaifK0A`9?Q!2@`WWNT(CTga zO09evsz^*SddV`6=xg0Z&)k;OYf03V*4b3#@z(hw`yHq-P1&?7)&L}&jaohG3F8HT zftB0_w=L8RqAZ#TIvl(sda?Q--~XDa&(!PAF7QXr^*R_fv%8A-#96)TqRCEF*w441 zqO4&0>n9L5d^dJTVL;UAALk$FF9{}LsAzJAmbzB?GRD1hS>8HD8~k&s_)f6pBQmFf z)6p&T_uSC*nMoml3{UD&KH<<|tPNzvgdDLhDG0c}MJ*w)-4tVjtAh+4&dyjQk1CH! 
zO3=n1m{FoUevc$bGi5R{ACFs}V%#O+I1+tWMHqJ(NuJJ!NTW-Fh~9??LpHUKrAXNK z5^WvJS5|qcUN!Sd)lM5*+Gb07h3IB4y;m+-WZq1JGC^R*;wa0sUs@2|G~Ff$bWPXX z7b^eVo^7uNK+?JnJKNjf{msrls~+>+Tyq2EzcGv{hFkNL8Mhi5B1GcgLa=F~v21hm1-L2fVAz zx@*(7WHdGHHK>V<4D+X}l-P74XpbZawfk9#G(`J9)xIyaGGC8H5_Ko=>~C_NT{~ju z@AX=N#<+?5V*xkmRo0t$eA>IdM6AdfY6dsMUK&R=XdRTe=EBp9Rcz`M90uEFr1f6} z|Hds@*W6UoSMIT-Eg0V12*^$S^uG2lj$wl5jRS7L-=T1`H>R!@=CjiDdVnccd;wL? zPJ!#n@_SF?ncb#-uc*33$fv^3_+9-8MO;*o|7=ZEoSmQ+H3Q(xEW$+;_x@&`{mqzG zJ|?=ctPQR^nyW+1plb6|z|7+cHDEqmH=hW+5^Kh^@aw6;K@HslCsZOHWKl&pH|1Dk}~PJblk%#OHZ;w9a-775fS9tP25>`2DkfV-iQa?V|JF3aDg{R`;b2_ z>zfi07uW+SF7jX~5I!5TyMvCR1d>=GY^{4baa6Y-c_O_43ax~;Iatj$St30F`xp91 z-r*pWP(6c+g=>O_xbDIg*OyG4FAyMq~E{7%C6**X$`~5U;>xu!qE%{ zudikF7H{vasR;{O>HDdRN?U~Zb80H1PH<{tTKbI2acSy*30FxCGi>hB$-ie=(2!lf{^jZuu-zA9sIDC8_Ho8K6R?bvv@-&1 z%qXZ+_ptW&DA_R|83k4elL^I`(*LM$tx(Aeyq#i0MnTW03n%?Vgilaygs>eISZpI~ zUc$OfwI+WBL_A_K;RTUo+wbxEHShh?Hn(%NP}aRdxkQmQjagnQRx*n~y~zCY?Ylko z`)#&la~_Q!M1|QU9BYGpE{DmT+TM|(sd4+n(+ff%{<((6DhC-{t)y#Xrn*lp)uuEs zHKBi~8*!tANpf*bm^1wB1_ zo2UwqihQzYZQVB#K)7$Jstd4i#t_Ls3rIj04&U81<-m2TQhd7DKy? 
z_>5C7F__a_%3zKoT054d80PTX=#u^!;f#w+CNJYn?86F;&Y&PDJ`JnuvLyD?Ibdh+ zMh*@^X0WX5J_Mbk*r>7P(<6T@;I~!64XILj=Vi zP%=Z8aNZI?dw;%^#!=Z}Symtb9Fs2f(Rn2HMI2OKG~iK!XW4BCHzy)$U$T54krJ6p zy_j)){TtUO7>z1jau6Z$3sY=jn*`sN*`D`(#wE9YFAoxR-e=ImgS191X;`LaWu9_I zD%ZknDj$dWEJP-Y_Z17Ffhwmgf}XD4P3~wMkmEUiex`1tuXo%Kfnz-`34j*X*Btuy z9%*XG39zDE*5ip0RuLC}!WF7VI z^kOlLaSjovJg}fIGqQXmX@d7X#<{7-56lRYh}nv`p`|G4@;SP^5Gqhz363haYb2Zh z>g)X2Ul|d1$pVT3$!~9=u?b2yQlo>3piqJsp{SDR>B$AQM#i_nMjvhYWerx-q z;r1lYy_ehLy?vFon`dw@k}r)UgWc!jO$lL>)f;?U7+D2eGeC){nkI!Tuv%_3z#RA* z;E3QPX@a1qDa^QpsfuS-c&kBeOlS1b?wYu{7I+-`@?h#|6jJMs@S=h=#23IJvR@A5 z!-$?_2qBvQ-afEQ=%jpjlu$(95bQW|-xrX_1^XRY>wNG2}*az1P=HY9PG~-g*)$FJ>Og4>T1iuieu#*Mzh2$4NVk)tg{+ zZb#p`uA{_$&3z&E`i-5?YN>;BN8~1<8i^E6O?Y+Pi#$qW38P&7iJV00);JchG#Y>Y z=!@@T6kvsHBw9EWCaBNW*a>}OOH4!Wk z0@OT2#m$1#$SOFKl``?l1e@Y(>u^RL=41I@mSs)GUAVS30%P1$2im25xciqXA`tngVlW$b~@V)oFJAK`|UEBHv=x&SJ>UM_U)=|D2@O(JA zbK%tU+Wz2HyD=|FYBnZJi^z)k$E*F^)O{n&>?|Rzn1xeo4d~48JMw_OOVUMkxP1(e zT9t6Q;Wg#V1=YyU(+j8`jCnyo$RxR%0TsGVltKpQ_Asq$8aLjm7&k0?AgpnU!Ps&a zmqb=q1B;D0Rs+;bYF398RcxyxL%cWhQ{Agl6M_JF7$%l2fI5ZyE|pO zGrwhg90rpT@OPWJ5;gyx9Z>#EJVKd(ft7GImXMgwU_Htqu;FN292|PB_s@*hO(nkB za?Z`UC5HOW^{vwRO{mlA+AM(8hiqI>GN`n=UJ+rl-5@w1<22i#SPV=AWeI!A*wgR> z&D|J~@Apg_!NmX`B6E%|>-Kag0ZO;)3$^Zk-p=m(GK$IGV)GkIOhA@Kqb-S&3dKCa z#zXKSrJ)WsEb-;~`)iz^&e=Y^$YE8vtsYL#S#?ppEwnyXp68P#yRhGixe@b(zFrU+ zt-AenB^1&(OorOqqI}!iiBK6Q+?phUK8{+)C!_(QnI{Ze73CqM7^)L28T@!>HPuO7 zW5RtVzmf)R_iK&y_Rm_=Lt|-9?#*vasO_hjQL_}y%5Nk5lXg*}AaoTAjC5F4%uF>x zEU&RwaOuQA8tMYAE%TLqXDg3a?}}zS+?$icyHj@3>vuW5csczSLeI%?@!d2SmN9Yy z@lWY9c$o2~W1b2>x}5V|8g-|aVIAGRq+<5HW`kJ=Hp%$`pdo5hADc9rc@O2a)lux; zY+jGny};H3V>)Mi{b5IFGpa?b5N|7=l4`G%V6tda3Ik%W#FX2^<(PfT8oKmqxx9!$ z`^;X`>-$jltCV?kCw0_=Tp(+Wt{JhS1%VcF)6yfHV08A>vy4~_gJ`#nI!S%jmMb44 z#!1!Wk>gShNto2?=k@k?T#lSSw1E@>j9B;?>&o=i8sfb>!82Qql*!&s!TYXCEC}2?-X&KmkIG} zi~BW}uGRqF*13k`8p#v`At01g<=APF^aVyFs=))xW}FrRteKHj&Smm573kI)sB8S{ zF8ll5!nsH4FGA8YDMfBD0LN(Mg?$qY+>acgw)fe`NoSv+3eL=Udm71K{+w!{5B;}t3BlhRK~In 
zG7c9+iUe3nvR7K^ilV%6wS)tw5pTt^E%Loo^TSH{+%u>b_Ig_ zjYm|YQYi;b;O3BoUSqXBZKJ--BLEUAS1~p$qvK(8ks`@?J&!kFYw11Tg4J_8{=tVq ziVTx?gq`D9*GiaDHb`LLc@PR`#@xfB!6MO@6$NT}!}H!&H&exH17zeHC)mHHn-S<~ zO{8D{t(4yrw3lIP+nYlrp<&z2 zLb~}fP|gLY%Q;0LzILB+ZHwN5A~fYA2(#iyZnJP8HaL+L!zU*DJqfG#S2j_H5O?U! z?4bN>yg*Xxadec;&HPVVhPmWiG#FWHyJPzq#9+#4W%jGVv7GMBQCa7zcc|B=_;s*+ z6vl4nW>#`}-h$dg5Dd)fSo{!BoD7+L+hS@uNO`+N12!*1C6|}kZVLT({?o0-K2c-By_W1 zD8%aV@FrKIYlE;d5B*?XKdlvqBCq&3$^>J|?1Z+LT@VPublR!a2?6*5EsF>W#ZsPz zonsUGlqVp{5Fg_eQ}$IO@VtJH85gIq!aK_L4GDHi%$a8 z1Ut1KX0H?H@hWF534k~coAUlD$o`Vw|9PE`qUXh#xG)s-Z)`(7e(XC!|u4PQ-olF*&-naenflD~_;GTt@_2m&o*;Md(vPR`sgy&&rFb z98VX2bn!FH){yFbi?Jj=@noP4b_pChcx($9xx#Vq+WNTuKIX^Gd{kZc5p)@PFGvsQ z3@bFya8LMjcmiP|U9QPE=>di~Dseh#MLD$+V@(S@6=`WPTciN6DMw?EiK*pHc2+;9Km_^X~?tW${GQ)txAE6TNv z|6H1&WS2~S)tdeqB+Gm;JAjg%BooPlJMraFM-1nP0nVj7_*MEG-5(R5Ai1 z2x{0$Ls+Tom$ zRV@dekuKp}-#qnXmTf~3wYZMgUAvyxCEkxoqJiE;}K^{0>)P0=bk-HTl1`$H)uzFi<5^$HG=_B zaPKiQALZ)-U-^AsgtPOmC-1AOg{?+mkTzfra4kNj7~ucf8zUaVHE;g}$L?B(#y(ohBA|!EzdlWTH^8?aeP=;7M78yfbBFRIjdt2Hd6VT6?S5pwFixh*Naf*1 zIw&I|)9!#hIu}s;RWX;{gxJ>oDr7q-A!pm^Z0)XD553{?gJ0CiQ>q{4qquQ2t_!!9 zV@m5_nZq;y1Y|b>H4~;(#ZcBDTV5#08d;5Ru`0*!TTh*oFTQ5bwD5q}|6($d!864k zWR(ILn$bfU7tK3C8B+ve$SS)XFXa|(5M@L$n$hamrHWuz#hOMUZ7?|_7(F}7plKk2Y%_nAw(kS_%BQ*?E2aT^1XsX#>|sPVc@_w>fN4)K zj&TZ8IJA(iN9Cy5oSP9YCO$<8pl(WZ-sNJozoW!)z*+XphYWH7dZVv1ntS_dRIx&RA8V(I1A2( zFa}{ASv2uqGHMp8CUK-aE&Zaq11T#^B+DwAq&VnTD#LSxKt2vYp=zlFjkIz5kp`jC zC|)V`Mc6u=rnQHCk_S?b?h!F)LD%3?;;8)#mVE7xdyigeORftr2dv8+;6t@zD;yrfilZ(2TFE-_PcfR*y_&h z@*Z$IF^8V+%E(-jmmp+-h4Td4r%7Pp;}?mfiK~6X zLB}!mZ!4s}+Y+D?<<;IcKEOA*z>n={&!+o5U{qSsoXol=d5(=0P(oEQRyZvR;S`=& zz4ApHy1L`+&d9%Xd12FXfCoIJ0EJ)(P+0dHE$>`B+Si=Fia8A}+zb=9pX{#%EXdDY zeEWU~n*lk3LxEijKrR1Nhd#LyN0TMtKWanXK^Y!c0M19pH+K*_ctY(uUi6s}wjO_7 zMi7-yg{8~lWjE*IjZIKICv|XZaWJJYwYxIKy3B})%QER_j;sbG;Lv)VNgOYtr{5Mx zx>pp$QPB%!;;%dB5x`TNWtKDf`D3IJ@u6E%7mrOZBo!eM>59bz7sM`^KzHy1Jv6Ef zYgF!2oRi?3%bwHZ;k9MZ2*lXD=E#IQphp6To08rbnJlA!t>7HVMkdyA`A%;Ku+EWd6TNs 
zqxCvo$~Zh+F^6=l-D1~c(r6#QP1PbKmTHwQ<>x5U$%Gt4E2GM`-cUN_U&N@IZd{|3 zEvLSsa6|&hno}MD6NWlBiA0-}cEx(T+=v~aGN&8xgz&Q{i=v$ZzXdL4UN6#*TYut6 zomq?ltESoW7u7m7b9VPVf3#Q{S~zeWk=!W+vY=%2;6}$uyyW`2`IcKf@qMF`?BQL-_pDfzK31mzfbk=R$vc0pa#7N_|SDQ<>ZqJ}gQPvS#%8kX5Rpfxu45D?+Mgh;#9B!~codziTG3R(1J}{#7q#%XCC@e1 z>ri2x)92<=5t2!kgBwB}3|D>`5Vw1S*Kz&baqLpcY?w#x=UA4UwjnQ*OVX|_=;JRO zA&pChP5y@V*E4p@7@A7KBU5mijY}?oY`@W}3_E=-+ z;hlAkP767$mJV^K8wjRn*oL&KGp9yJe&!>9xeaUm3 zC*E&0=bm)sUbSbC+}@!AU~cr5RrIb!^bV(b_XhGzcXiIL1;&mPcBXBAu&8tJC@=9h zJX3XSc!jH9LNeY%&fh~VAwsD}@KxkvR(Y^!f8)_*XO!jmXsoU#GTYPN7`i%s-tIPnzYiFZ_eT<@THws6Ouj0lMF7ZhlRFEh7n_j3+%=qG5?kGm}=v2 z6LDgMMX;Cak+CIzTG&F{q7a&&x+`(!`VuIO1`YuAs` z`qXjlwm5Ho(*Hmm1YhUbZ|;VB{f3?MFDTNnbMCB6?#m_bO}gGq{>9tg#kH`y4@B)N zydL~8=H1i$uW&c{5of&UE+?vz8^FYA^;Y_qC*Z>dV2LP*OTaBI!N99K3(AP5LLK&NP?L0oiiQI?~#@90sihZEL;gI{{p@NIYh>k zPwpEqJ5B-i&M%BVx?8JH?P;uNM^_y*wXpT3&yo0@Yy0L0Y$4RY0b^oo?BwidVrcW< z$PQo$!^lX$K=9vyhlhY(#lzl&fL=o$U}<9HOhB*f0&xDnJCZhrWoL>ulm^Z)a`jY(n7d=wbpxFKlOR=csINXk2{}_I9==w$20`1oSc{wq`%nnb_GlnOF(v#Vo9UsKU^T{YO^B#K_Lr zgn*9^=6?_G4t$vnnT0ldKl;g^dzYS^B?yd867~mKK|leC0T~_&CJakK@n@EVD@r1X z#0UTqNg^N!AS!Td^%5E9JZXFU*4A|!+?u-F$$!l;yk_3Nyq1ywxm4AcYkgfNDEIU^ zK)$z-8G4PG8|fJ*8`32(5)-ybOjzSD$w*tnkD1~>8c0uKMK3X?&4|Eb#9+=br0I|% zZ)N+Z>=xvd_)3EdCBXsn-Wwe1lHEE|bnRR|dE}4emhWPSe&f%xJ`#J`p~Ofr0zX{R zkdf+tPXiJZz}jU|GAP`lXxslX&hv@Jh(!(&sgEc{j3m^u%vWBjO^8TOrZ~!OsO=Q# zTx`^^N80lE(;j)Qwl@h|S)G43ifKo2Tjfkn+viXxWY{!^ZviDI3I0{ohhNhgpqFngm*~hFeCrs%!Ocg8)Y`0KOwecOh<0;1Q;N(^@bBB?Xy3}wC zKvTV{$sy*+hm&kr9sBgx%JPi zj{#&vLj=r11ZXYcp#fRGUg63yoh?I!UA6I=+uO}$u_feq6>_?EO?-N~V)Qb^!T5@p zF|y7xr`0pRTk|Dh8y9>@vuQR&eL7@yYQ)ym2yvb5i7oTJWcMw7y4O#7mrQ+r(m}UI z?)T|<$Be1&=z(YSPK^ycZ|V0I_)7tmjP3Le*~_GEVQ-3|-?B6wJY)ZLT%Jb7H$$Q+ zCL1P4^gw+P&%L?ClUAJWR^725gX(~E$p7rl5i$}*#*nz~9X+q($sYV14YjLv`I&Xe2$-Q1~#Ed?D=^d2c^P_6X5#WgMGmg z8zeZ6U>x`LVn(8ci%Jg>nb4}x*P9_efnDyoUQBc@j-){`@De!Sjs~{g-?8j&! 
zT)%{OEWJ=PTm#@$--ZAhA*z>rjzu*0Gqs+G*L zVXZEENKyDwP4>2QiDTy~&*at1;#Hc~y*RaVX1WWv{!GsR>6>yjr{v@wysefom^nR< zS7VdP={iL6%8kJ+?$#NzYZznA8fr1hCNb$5{>fjgmsBbJyF|**)sN6;^I!R+)98D_ zU$J=fR?ii%W9)3dX8}9exDOmL}0y15V)C= z{D`-MY-J0O#VyUg7pzAN&otD(B_17(e8S5W=3y0ibjQjTz91GOwbfk)pB zUSwbKA5SX7vp|&B7pk=?qKg$&0uf$8!6JyvK7JlkwSzh0zQ?S;@O7C>fP_CWp0}Qw zdr>#n@QtdUE-PvqF@T1Vc{wZWD;zUdA8S`1%V!zJ_a4^w-c}eQO9WcxQ1#5giz#HZ zIktJq`cE=f3jgDOgMRzx3!&W$xy0HAmwKR6|c!#KRvQ8ED+8+^{yejCNGpJ$D$pq7o_2@JIwARe-5xk5U*E z1UN~g8RMA6Np3#~CKKlWYrNbsRGR2IL3v_Oc2NOi{)})K>EAGec?2!QEPUHCuc-#H zfN6{{4vy9oQ_?i{=1d?IB#ZMTOP287%Gm9?Gzd-qC_gxQ?7Kq775|Xl>jM_IE%!#V zjCKB9+^96-3t8*fa6Fb#gm7dM?I~RD=g^DnM0emHpS3bmID;^O=b*oZ_cE4!J;K)H zDbw$l!qeEYTUqcpoFH}6C^Fv_S~8fjCY~SV@>uiJQPE>$)~%9 zjFBjgG=W9I`a|+MyYf^tDC|@}DIgqonEoYoL8Mo|+@V(^I8;$j+8FnFHlESY7%MmX zcY5|KVt9a|M>nm}m;_S}$fm&A3-hl&Yv<;Cx(iycQvXT?fsj6CeAF=**BT&Zdz2kg zc?AM&o@owzp%jYvh5h^JxEgR2;!@2dauLL@<5n6T#{aC8?*mjE^~C-^EQd1ldJQH) ziqoilLlOn~R!s@c_Ew8?NjM4+d1K~v6*9G_Q?frc`zsd~^B|xL&WrZ`7)aU3!;k)L zU9SF;Y1YqsL(&O(v9H%Hk&84AQ>QN%0ljLlX$DcyhO8r@iUY43?D8Yg^Qf(c8M6x3 zHG8J8z_o%a#{(PZl=6ZCAy_&q8z2(ni74cRn!0Sc(p9v<{kx_ZdxUTUMq%0D!>Chz z!?6tsggMDs7wogGw?qHm4-z~O8>|r63)}&7gl?Z^7+@z;wHZXT@kTS1`D@OLY)K^m zgP9^;gqNYNEKZ_u#XlDFvALD!iV7lG*GI?vFnD^+F5Qf$z+ab)L`N3mJxZUBa)EQh3DC&!{0H%Ip zZWFvPm7z*2CAnOQ|0;>I3iTz&ae8v7E6gvE{o-D@82MTM3p^_i*tZytEh+vs_NN$m zpQ)%Wo)mRnwt?PYNS_~=hEI-p35GfKyXQWyp>SjUlt2j~$hn~a2@(bh3;Cpz$5L6b z{i01eg>tGG_k9@qg(KX1Lc8z3&(cMMr`!)dyX)<)hHe4R$IH#m(BDg!8*5F!*V=$h ze=<0$w`$_Lb=zHrjcVO=cZ6% zC(zQ!FbLtG72F$(9P+Z4xDjJ;iZ;AjgBe>5A@D&!o^ER26Ppn8znr>}>Y*PaQNG>p zvvY#mvS3yLLnk8lVv&YMll{k~OK75dthYs&G_Yk_L2WPp{l4-YdF&63*>+f~bv!DX%wRFZWYA2nbA#bE-+U)B^SQey z7}fui!)?*4*iEn7#GhXG+#e(8W3|5~78)~iF-g)7g+MsA_*XrrILG2n?aXZXbkWw% z^G|wZjt!gX`5PM554{Gr(c6P=LY{cW_6S5fWkzzUgnJuL32R)+(dSLym4GRf|@ zPbvNBcheixwrjd3?OgR(CS?7 zC=9lwDRACsfOHXkaj;O@_y1+)cjFcWYjU%h(va=anEOQ;fCCg9`2#+M&y-_&qGd@Y 
za)S~yH=#pKMz0Bh8Wp4iVj92k7cxm#3Lb%l=GtJd!6XJ9^#g%ufH?p4kAB!XB@6{lKm;(B~oyUzQp@~nI%R~$Pze$qOxbuyk)5SUNRVV$Em#xh<<-AHFinz9antdabCkK2pa4e!lN? z|F9hU$9L8C_I@|5=$rkdx!nI#!U&l;Q0-(R;9KPTJyo?iy@rw~MkRLic;U1?C$=T_{(t&x_>n*Q#w%yGC)p**RMC175a=o?w*SO0k04vjZaiuuhgI19+ z0gA()j1g6r{VrpLYu(P6vN%v1Xoz6A%6&_8wVPNvFPli8Hd^#~m-DsmJ>BUPh-iG7 zSLt%OdeBhBhy6pf_($>NIgf*my+kc8hgGB7eeDud*UM)pk?;MDS&kjJzSqmcgr?Ah zzOWf{3pTzYT=&yoZWyGIdcFpgY%<PeeYP zJ@7P<*V~04a?d`SNNlE)k_z1)Q|;h-ME~ktzXkn6NCIAK7aUa`bsCG-IQ3dOi}AYqR~I57oXL z7O%{vtHU`_P*x&=Z;w~5F_@PFEXG@t$pY=gn&(|cgAr(8p1Y%qQ9a8~f&+!&aluXb zY}gs_SO}~}<~@yPi?(ZB1pR1u$hy@w{afa~H|$8&@l@k?2Q-nM$XOCU z0!?9xP_k2SrPlG0V4Fjd{G0D0Sw7*e@MU~bo5`u-HSMO>W5oHF;G^btn_3# zb1@ySQPeB$wj+}~GUUqV`x+u>^3L_zyFEpIVE2x9(4VT#OI|gxDV`J(2J0s2SSeFK9pG#q-v!X>jU*W;ERN*h|Mw?Sl50}vMaRNZ-tM6o>!;Z?xz;ryh zQ|HABkJBU9syW-X`;PF!aiT?W$d~8WYO`b4d|+*>2Bh_J%gKms|HR*V>E6TEyZbb7 zCG-G7h_%smWCwWeEP4!nHYvNni(ibDUSnVz8If$7Ggz)#mz2KPaF*-0ETo#FFWX11 zTedAk|GjE_yHS{lkYmRXVN|S1x&$rHUmgF_=PTwbo0mWuNyf4EgK2DgnVgHdn20Iw z9+2Tg$d@RaLP1EK9%L9I(xV#%3EfVYmAy1?{M_3Y%raZ+@C!)g@KhjAzwL{>u&uTq z#!$!P`+A21t9Fn{rYB~RjP?mtT@DM&L!5!*20^*qn)rOI8;5;U>^RPkv?*6cJ0dSO zK;5lqf4`*zKJm)~ogb_Z`2qtuq;2E&opT0e7Kq2Rd`< zp$`|6>m~oC@$$5O?luC~rbe?(U=x#zTj98s_bUR({qxE5G-!?;rs<-LTgU{&VSksV zs3udx^&%HERfrOgNRC_tro|xU+0^;mK0P%Qz}r4XLO=EgzKMxM6>752tfuCq%JlDG zqW=G&)oKB-_0MaXh-u_<$WZx+5gEz95xjkH_reh;E{qsRN#=hYYg#&{Z= zdht{>YH0p1Gd$Mw$_(35uQ8gsaL!8;>=+8K@7#I z9A;x{PAFBAZ0Y3WKV~#G-?dCxu2e0+IQBG_8*<0S(jwK97?Pzf^$+sazqYJWk@e0F`^8lJ_(P`pTV0y4i&j`YJS{UAWBF0fJj5$@<}>--AqL>~!-ir%0uEI!`Sm>a&+EVDt3Jl@-wzT`@XxKqy=ExgE*M*`MHROc zgg)-6vOUsOo%U$OBU>Q8@;ew?dOY9L%(7qB?|$=W%%YUwg+x-Lf=eJrTuF5bJQl%X z2&mf&a$0>-59hjsyTmOlG;jI2c}(&IXYu|7&US4oZ*PBXGWjF2nx*ng5bf9p^uko| zCAKcIw4e;zcR*AeivOKaN~9#Guq-HKfwKDyUg288 z*RhO-UA^FXH^j_~2|F>4n#kn9TZ711PEZus_<9gYl^Yq=6^v~NVb6@n zi=FIpwGzqM`|jRqOf`MuMX%k2f61{*#UB)-%;bO2C#j+~Jf-`-)5K@FfI^)MsB(P& z{17$lZ85x`{JNp)K|$iQ*%gvw(k=fN9Kar*xZ9~`8oHKmLwGb61ZRC&$`8FVA5$ci-o+8I$8%C`9cGf-X08|66jP% 
z&NXO|r|EM<_tSCsg>w}~&Ip&A|21W`SAx(;>4Kv(*#T}VWrPsVec zb$@wloy@6=eIEdEE}WWCoi7(9MYHR8_kWRku!Av%D5*w@}9PS^7;C_<D_aiOQ2I?Xm8FanEP4$Sq(BZ!)J!fJizeJm}1 z=E#vdwC{sW(7H`AFn>kn)IPh634(RD45RA%VaOwO#s*b5e8-gEjbz#{=>H1hG$)wp z9F3{{qjCI@HhGwNUp}R@DG4&jq2({Qvomnko#$6;BlHDhz^oMeDVd=Fm?I+ki^;pc z+1vg+3^)|RV>zlM>QD&JmUj#uGOh->ZwFky)QCT=$IHRgw!YIW1(U1CAOTF7PHWj+ z`K69##q)Nat>Ka%xzuz0j|@RF+b*wHI>x$7fj8nE-**{5M-3P8NhJXSKIfYTG)18O zJ61yXMACSJG#VVi0=^nBTVlCjGv99)C-5n51w?q4-G*5J;qGwV0?l^WEv1DY%I@?? z$UoreddzYy#e8>HTyHPj(- zO^uIEal7Pw$Nn#hU*#yw;|}1NAZQdFb#7MzmneE>4sIy{>BPjr6cUKGT42?&nZ`0A zByuZHv%8@r`<14Nv*=D zE0hNhQA0pb%*Az@p+zV^qlF9-Ih&4|&AMD^$Z84HFVu@{^Omd;aEKR2A4RVcu1b@U zI|T4x(J-ZP1dgODX)uk5MyA1Ajm^Ds1}=xTZ!<`fV4Ou5L)3_-q=at^ z;_HS;-GA(>1dMmd>(SFJ$DT?{gsA-+K*RJxT;thxq^5k8GY5(8Qqw1Lc0Nk&r<#v) zfMaNJkrSaSZt=T49&rEt(K`$J#ORp_`NNMpavGkf zycP6^V3E+V`^~>3?bdi(r|<*b2@?xaM>gq5K!26r$e~VhR0pHlz_va*sN(yO7vGA; zgxwCty{5)MjT;jwIx!^@9n_WF|K z;CVftGUy`H551-9iCnnGH9c6~db|K9Shs(bFwHT4{0bh3VH{?L#FQP;=+;GM;(BJ5 zO)-*htdNfukK@*qGy&nVXk7ekj}_bQfK3azGA&Egk6;XC6Y+|G+vKrZy43c#tqzTE z9)w^Ro;LuRJ&apYX6FJb2t~Tflge-8cfkJk2k_bJb=ghkyo7pY^;G`WC-&oC3sDiEx|;j=|S<f@!Shd?^>*c;zg-PG={>yC}?PT)8H+-d-lIGNO6`VVdxK!9|mn3F-W;6V^OvxQTT*Uvv?q+baMtY%ap@(hTIny@59mXGE33{9< zo7A=Hjq%9T_H1+!pIx3U=0rN!L~Vb74_}3}-FBz!YDZNTAg_LUU+C$D1aCyB9mepz334@mK$S2es%#?h(Rc&Mr8>fj-fP4oI z;3{>&J7sv3>BxAF!+zN!2F{nflXA?loqpwgtvs3Dm^rj}kqb0D@(YS>1WhOK%NL|i z)D6Ls6%dYySq{*21HaaS`+=s@;%yQl_sR@A9uLd<1#nUxo@=_(YjIw5R*E3_BTS#X z^o}l{iBbKv^YkA=8JmU@s{$SOUVEGb%HbaTmB~-zhlT_r7=b|T`ZofNgqJ(xK zn;6aSON97Jr`&qwR!!(;rqXzj|1Gly*D@RZ$f!_H_Yn7}B9gI9<8CCeohJL?^s4L# z?6d&$qYS)(VW&LAz+h%`f#k))TpyII|ANxAiMyd%(dZ9S zSJDYUCu?F9sjVSQdZx!ru3>w*t;zizj?PC(QR|Riouv%p`ajK->mLwdC%j}@?12q+ z<#mZ(E`{(AjZo%U+ z)L}RPYKXz_C>oON%%t*bzh6ZQ!oc9-ahXBq5SX^S@3G(~Ow8#GyU+Hvh|yD+(Nl<- z3>AcGj{e7BKyG+^w1&n%#~@{7IJha7+Zr!mtx8prlC6qOCPv!1i<`!ObPq(d zpJwJfeZeIOh!D4_0QJ3WGG@4C$5ZivjB%8We|+DD8Qj3tr%ua~^xmXS2)YV% z2ShXhELL>R^$XnZwLSaWVPf=9;Y@(Y>97G27EM*>cMuVrts2+fErU_%wrne4o!I$!=HWZ@z33Sr|0!tMN 
z@@pMQY_8)>8CuB5yYC7w|8@Mu%)%EkL_K6KMk09pxmYoLb6p_qh?yQeRPV*Sq8Ol=TCugT$XdjPj5n z7ON;>h6W>m<(3Ow^Ygw^z&!aAys`+Jx9UEwaNxo>w{+yxK+;L!w$vdZcO+_-<=j-q z8P|X2Rm#VGU{`m8+?b$Lm(X#Jf2WiXiUW0lP3P}M0C!&L~wjW)`ox8XF zm?V29igjzFrL^9$82e)RE{$>NuKykzrlsDs(1Y`Ze2BE0YpsjQCfNO+qKZ|0c&*F=Us{t6qM}R82I21TENzI!dW3}^9 zg&Oon+e0|e#h`hqO8e;@?zf_%SW^pLcb!J;=OMyKF*0rZe&UUJicXinH$&dX`BDE(35aZQdPs3E>#wmnLpwzF5mv#Q2m(hK z4iOk#MY6Io`ioY(wSXJxiZWqr2kara4nzMJX$HDQqUM2`0!lCSJ1XA|&jI!3)E zHoA8s=wPho1RuoRAgu3qRye2M8Zpjq@Ffq^UzKO2=sAmg1<;Nu(=?H%_V9wptg;!P zz6laY#F1rXn0$;B;ya>eWa{2Zi|~FtPmSOO#zykR+t7W1fLhHk2;D=BH?=-3Hyl3~ zHlgCL%Rbxxx|$yfvy6KXqCnbf$5P>Ra+}O)K4Yu4>{KrmS*glziky@>C-N(}J&2@& zO_ug;p&Zic(<@@3;j+GQhu7Q`{MZ5g2!5Y6q1zX&2A32e$jn?z<_W?r+K^oPl*%8fPYNC=9Y0 zXSvWxpY>+r;r&^W2sA-d4eK;KppQL+u@I}+1H-kD*15O;waG zCdZmXm2|n_;@vYTDoN##`pdneSfzB1p~akA@`6SjAyQ8r&)!uN+juq?DiW)E%mN=M zVT7mx=NgNrbb$|oPe6n#io{2~=iJ!It#$b3en%zx7_M8RQY!%DD;ieG(tu>w0B96ovmaMHoWWb=rq_95v z0cxKoqd|WMZE(Zs-?BZK-xM~p=>evphCyQRJvX@}JxF)+ZtVlR zg98vlaew1U@OoZ2i6Mn{0toDN9pG-Z`kG5KBc!smU8%!(3LvC9RV!1oP!zJ)J+1yL z+1-!L+by_W!Lwytw(TyK5nGO7cX!h*8u)d8*B8OHwab2dZceiUgVsGW(U`?YLEvWr z8H%Ab$^*X_8NhUJxLd$P^BL8)-e|?8Jlw?8boXY>L#JM~UW1GJMS2gpngBo@^Za;4 zpk8rv@{hbCJNc!_+meOe+?K*m0`jMaFYzJpzRY-ZA1?GT z>F&NS%Xb$#^`&?qo}~zOkn~^m=aXK)cK0B<+AST-dGU~^6i`jv0}sb$ zFQKE7EoqmFqA8|Y-qlaq1NwYy9OH?&r==+LhQBnY0pu@-1<%{^^FPXR%|3DhdC!Cc zgqG1FlC2(m?^&rqK&|ePQBj(k@B0-TIRnOt_#nP6Bw{!4G*6F38bXUkW(U9L4HK2g z*LGjGN5WQYe@Z`J_ZLFhauxb%^Cf975!deS@q)=O)7EtQ7wsGrf4>{e1{`+rj}4K9 zZ12Yv4$DPcUTX-~AQwoA5%Q2Lmc7={zK9F9H!SEy>ADaY1BAFI>39Du@@+almv?`p zF+8egVfA}hEU5-BdYl#s!n=fG)tzrc!{;ZNUp#B%9eyMxy7AbD<%pp3{*F}N-c#5! zb;&GvOhdu_YP?FRAx#b1R%*YfaLRMcFRB)!p?v)Saz!)4r? 
z?GIM=iWaLHlM(i5hMH{OlG5#lBxn4s#NyEG7-%tgfobCJNemOJHg}5d-|ih#$1x8) zu+SaYvdt~O0w!>Ahf=fqEp53A#Q46eXz?0eTS^AM4}#YuyI?s5+)mmB;betVx}VhI zKmE=-`1D;p%ca)wmy=yNM&&6AihMH&R?LSJz8}0GY9tDQmsz9|k#j_F+~KTFxY`4| zdJX2I8&8D#FKSgf04UZry_cdM=iD$EBJdQAT!Z{wN}Wg$oC9S@1j3e{h&dzldEY{&7W}w_PKA%2N(g{xd4|4~E!W0aeD<8AJ^0N(^v(AU zh52q85Sjf`Z|n!Bw#YVG;_;6{G2fvIdMH&1Z`s0>q9xjr(8zk85%*ZK7yQiM~2%rs)77il4wB zh1_o8#cv?kr@3GDEtbQIlX%x}MI6#JKo=Clul5k>W9wVjqXUNFm-x4IJG#g_@**v- ztdE_HH1O9x4xLJb5|IuZ8gXx|tq*a1tRvRXwpi_Lmp5b$_ zfz3uwMMW|%wV9R-(;$wJh59|88V8@fA&||ohIXV+Axz`~l~1di$!)^Z;My*}qaJ%FW&=9G%n;L5Ui#m- zr^>gwv1fPO0EcX%x%>cuv?Ef;4(_wZA9H3?Vv_^pLevgau%;?ly9JtYpo11GQqOSq zd=p>T_31y(?vs$rAo(yt0u(Fh5l6L$>iU^Oc25c{3~?x?MonJ~;9g=pGQ7psd;Uek zasp9J>r4J7Oz9UIF=#d)n!z(s6-Cl#IWW?E(_|rtt~Jz+FEP@=VU*Y%7XOB#w6j|o zXG_MyKKk$G5dx0;?Y9vymZb`==g8K)JdCa?cAg= zY!<}kz{Zec@Mz%K=*Gw(mOiV&cE&wh(x>+wW~#uN!tbkolm7kp(L~c??QHe~9y6vVUUG@&JFuH{&hut$Ao78TTS%n@w77Qom|1 zZp28*5dmz9>6Ty5aUlBqz(EX9>UfWdZR!+s1ygfskEfHP3V|@m+I@r7<71v7$|eln zr#l(_*Q>re1U2={DM%FNbpmYjbHyymMqO;WWQ3^tE`a?NAoQizq~6R3mj*3Z;u`8P zk!#A(M9U|qBgQYCUm?caqSOb&fyF&r_W8z^9n5s+g%a#d+)!WSMYb+TwQeOTW~E{i z5%m#+_ue0Je=fQ<+0-SPr;f#5LzcdD!!tIbf^*Bw5jr1LR6PbQ3Z+t`7F7!}KV14B zYV#|sdyNC-uH6EV0u^2;jrBJ@6)g&#I0On^_t@P?gj?C^p5ky|X*S23wm7xdj~Jnq z^n3iTLS>vRJ$HtILcv!)AXrI##qWEB!=mdjmGL``L3Q)v0Yc^M-|ClxOpSzzy+;a&2M z?Vmn!`)IF;%Deo%cXE_Fkt{p{OJIk zDWi(7v%qIayqw{&dt$hl+8^vBvp;u{GOgHZhSDoRR-wl5q(rzzv3w+@4VbGzIN~N+ zN>q4*F&N<7a}9fO99RH?1=r)9 z8HYD(AHfgLg^;CL>TBKour80yTL?J3?~k|~doXB{aTGS49thATAd5yK(fl{qSV83w z=NF>x_7Osn^_dc-7N`ifpihzAa+kK>RNw$>HW920I-^RW7ilxbw)^2yBE!?{a89n# zNUsceSd{-<@^-XP7M1TOm^klDctisf(#d6>nUE52ws6xMikN`_7;H-Ax?qcsLGN@@ z(!6CK;pgXg*MRg(;Jd~&if8d%iRR@h+W)q%#~=D=vihp?WcRp_b+~f_Xj0k1D>UJG z^R&`)Lg%-luYWCA&BWH*W!b}O@3P$A{}if&OnsTOzRlgpvcCdHalZugR>^;PV7@{h zQ#K(XJ$2kog%(7r0et#+4^OkrX~MdMfe+QHiWHNwOrWPB^DEeyqA7Z1`VN85u!I($ z$Hy$o<7i#kJaqAOVVZw}gB@9B<3reA#H=PRM|Y9rDJ+U@$PR&KaLsOGw@{+P;^Bt0 zoNYUpYTdN<>}g=@t?N&Om!V|WO9Y_x_vrOAhw_DqKe*Pg;+7*>fa*2J>#Azlw(m-4M@~9n 
z>Ux?J_Iuo0Pv;Avk`1IJf|&#POy4n1+;To_xLOgR7Qqk2Eu6kiqly)MUW`rnltz0o zvUwsPse}+4-|di^-XtuKV0<`UNNI=kkm6D@1DO(m=D*$+%ig@LjR9JY?H!#kgJ;Lr zl>|(`K@9}3hBd_S6cs_SNS%MP;g@!+)A1bT9?;JFDC2in@AxGt8&QhI*{`+$VTCM4 zj07IK-p=8-@D^0!IZi=J_hQ@gOwUbsc-H2g1S5rf9DA5(d=AOpP>sm4fbhgtDtJWD z z*R<)AI7tg~%V4hBUBr_zv@H=E9UGpmH!>?+W{*8Mi~)rbRrQ~ zYBhgWItDtFC|;zOqQnGEv5ofcoV$b9-einSQJA16!ewlal92a$$QH4;>lyu$00K*N zje#rHq=1-*A-8}Q*fyBuTP76O5E%nElcHfp_mi|iK-a-Hs<QgreH{F z=dnVEqfYKe=>JHIrWsfOMP}7@^NR9&%a3}*3xxEv@sB~kW#6So$A66`;IsyYC4NZV zB1GaCkQe+zz~KxKCLD*Uihck`%rk2~OcJlw zfu)nZTuAzN%z{#l#Z}|Elk!aL<0Y=}1KDwwIOTx836rR2RMtY+<~=4rUdk4D|6A6jMj5@C4o^luQ4OU3*5u`g;D<z_e4$CjMXmv9>KM+R?%`>Uj}<{Oz;Mp6T zmT2#$<|_BZPhk`ePa99XNCD0xA4u$n%t|a}PHrYOhhP(Qz*V{G{mj9sEY~eEvz1KN zWC|NwlU?`0>VH3nVEYI5NE}ERrEK=&4jJrPTA6lMhP5LrLlxBP36SCFaM*QoDIyj9 zZnd*9pP|naY^+96SwUGyaL^#}3HBMocX{G=y!&arUq`9!yKfFhr^G|T zYP2<))(~`6Bg4%vF$RNa@Qz#{15zWBxsx-u3JNIW+}qH7;H9>w*}y1yJm~@Ayb40D zHntM=Ey+EzB)Q*mmqUP|8>D$dX^z_PdGWzHs(L8sF8o=O`|} z;(f)yRE}TpUntQ09!%X`M;sOs+|KE#wYp=q(RJ(7$9iY7SxqE0RyeV4WNvKGAB^%R z@Oeerqi>NIQM5V9!oPu-HDJSg#+%%vcuJR@E3_~2B$VUW2%IRi=v;Kkd2u zK2+^bsXnW9*vjEFXcaKAYUeZ1eE29$er0%Tq`xuJ^OIa#qN>~7%Jcs^u8r~T^Gj+1 zf?;)ai>$-r3ws(M(mUO38WmWA1H%vHKP_RKu<_D5Y>FAPg<VlR(8#%40m)0b_w)f>hxmH0Z zY~y)qX7I`YHUh&V>joE}KzeS~J1X>ZxTz?710WLbf?Z2_lhK z@>~A+m`>t*;xpc&y7h;@cT2#A0NGEBBVc>n_|{rKPXoS$>yW-N^v{gIPiAci<%uW@Ru8~X=mTjSd|wPzz@{|)f-~125Vr8UEEn!_s%8JxCFMs;Jy&|l>RCz|@#VDw1O^OpC zr+#k56b34MX;Jco)ibIj7m1k~~-GhMIG3wKx{D3tl4N~J>Q}%V!OuM$B zva_TDh3W$^93};Tk9M9iFzasa0u>`YA(9m~FC~)ZGt{}kX*>X|%sqCGP8{F*z8+u4 z?-nK}{5lvfV4>PHmB{^(D+v|-nOV@U3d54*fN31DOThM9N_vwwO&G{-Rl>&yx#kTWRT8NZ;HgS-eFGz?^aZY_5rYuM|mZ#y+l{T5to1+*_ zU^X?y14SSUNe#G+rIsix1_~`w<99|miq#w7MuN;{af=R5myh9pW@aR|O^4iZ?NF~Z z)RDh-Omn)d3h6zErO#pQq#r=fU+FiW*k}_^jDB9(mI%I7RnwyzWJxr-<0um z2E0FPQ_|M2qvil<(`oQ}A{I&EzAXnij8oi%40r@|PHrUJP^t@%V)xd0I+)9p@TYvh zW^CN#O-A#;Bw~*|oYV2_Z_WiLZdCgmqtVv~^l>DxYWbwMOJC%*OpWXzC>dB&y;@Xb zJ0-iPf0ax7JEq(i!(C6HgQ~f$GX)O#OW%&rQv-ZH%V=wqTj3oek2Px?+9~ACU1tJ> 
z3IBMSbu}dwrF@1mJA9is2Z8(SVR9!7UU2Xu&*y_L0|UsGxZT2hcNO&w(LB&}_YjDrUX%krW%YH3yh$U#Ta{OUoVvb)c#;#5`f<|c zIOM2V_xH^HWqrIeh-ckSnS*!9m20u(I?;pt5FwW~$AS?d4z(llKgZLp2T$%ZpHU1X ze5dNV0bR4?l+KZH7UN3&SK`#P*9KoHN*MM_B_N3a^&|aM`0%=y82RfzeD%OJk%hyD z9heUWgWkBOGR+}=4rC{_+9#qRE)SS!wP&JQhUs~j_YpC22dR)Ho}=vY$pBO;$bk>q zU4jqpm+?}67Rq8gB?vZg;+s_L3CXX489C!a2uyla;9&4E52P0Hmii+;kG;oP+*G$} zvG=64m-lwY!MOg>Q%n5MC>3yNnXQ^_9G5mJV)_{p;-qav@=?C=47yfz0|t)_=jstp z1QtF-w6QSyL7d~hS~3WgDiqnr95h4SOl8<_@yqj`WRI6OY@w)eoSaB`(UNMxkDYr@ z;lmoWx2yr5J|Vci`Dvy zEV*JZ<6JXfXNH@6++j5}CCE-gIA*+JaZJ9TAQ)3p8>2~dST&4``M3?Dhh$$@ZD)i} zhV*$T0O8g5;=SSTgHdtQb69Enp2kGlFArY-W*C zM8;MR&k5w`cDha9b_Ei?(Txj;w{Jgz=o>N`OO3fpMH!k3u!qyYK-h^+6^%f$b63`T zH+<3k)+9>LbkfeM@pNnlgkS6jh7IV2Fgd+Q^8?j3#UdKF9u*{vRJKEp0-P3c_H`yH z{6_*myGhujcAyp6sk|Mt^9icA+!~4yB%J zgJVuG_pN4iovJQ}!4nZEK+c!Yn#||ww+z)75PirTLQu?dhUvB^0u!CX98NkFu1@cM zdl;M_5wGVI110suJl%TMpwRj`z2@Ooxx%L_tB<0;36|Jd-LX_EF29IF4aA+FhZJ>? zQvwNYB<((0?EB9c=qlMGuF#trArT2XH;s@VtD;)-H-U3utipX$$w4jC=Oc((#=%pF z^R0_b3a!#&bY8?1Rkden_Mp)QdT00?GIsl$x=J+Yb-mMoAYG>MMSj<6-DDoCAq_`61q_Zivt1nF=neRko>xq(Aed#txdW%*$lP zMgsvpNCSePSWT!DvKw~BfDK`|;}8-5V;41ybVPby5Yc?=9ug(w8+OFA_i?7~I^EC| z_Mo8D1NtEZi*Wm;{|DbdAip;#!^nNVx{oME3t-2gFE|(55b%coFuqaFKujBE4)ejk zkZ{J_y~AO67XjXAn~Vmj5DXWP4>UWf3Ns%I8VyUruRpC!&msehPJ-BEgtfp{E5tvRVKfLePyC z2)5D!_{KmFwsaM&#r_}6u1_qKeVD~sbQhEqZ@M@GNxV{LU|Ql8k|E_$ZeP6^01?KK8~Q+4uXQ*-iY&VdUkM(u;3(@ z=i51Rv2LnYzug}KIRE?$z%~qfYZQfdohQkEO05^i)u&Pj@62Bsp@TRO>wF)9WcQ;N{ zRWTqe{t>OLkWmLsA8zjSKX8X+TV>urbY~cBLh7Dz=9w(HF$TFEODZdQ(3q>(M|_i+ z4GpCm29b3jiRebk@eom(EGlS($WGIykKoz@)vtdA3l<`YxMOF*V6)MJS{z7zI)H1A zw4;^Xg6ZVxXPf~olIO0u1xh;70tvz@qFE%AyY^boVSGegYKoKkIavtB z6~*ocMmeo5Tf2Af>6lAro&6sSXRfH@tcX6QAFCz|88sb0HQO04ZsQ^+uva z;6b456U}xP)ng!R2!A@6BVf!aCOPNPqweL`M@2j#461@ z5HC;PSY4B7!=k;+HP@h^0q{T4ti|(f+d(`|NfbJ)hKZ^wdXDgCF@U>FH(=qq5xk>7 zl5F4!=F9~P$A%S#QNvkCY+W{R7f?2#WI<~H!UWXECHxzLk+K(RBiqx3_<|OYlbAnx zJO%~u2?`2>XQ+B>HJn|PA%-sL}}5tLkOPi^vj-g$?$2;Bx`};L=KkwpK0`$8w}r2|ssvFs&w`4p 
z+TQ=Ngr$_{Pd(;@+u-ET`Yf(&$-SCP^tQizZNG9>&9N8pbh0h5H&?^2Fv+B{S4@J_6ykq0&I-Fb34TA{9M9Qr? z-;kMTShNh<2l1;LZR)1R3)0@dVG6meNLhRA+J*YSfeEPvNlA<(wwrE9SH9tUE~HI? z9%sG5lj4sP`JN;uQ0v%1q*u7v9o_< zsKW>rf)-Nw9=Bww6edAKU>NS@jglYoP`DhA${lrr{+%22Uz%?oe5eVwHcFYB;=I6R z6~jJ!#3=t%Wbxx~6L@^rZlZbF=FFAV8vSABpy;V<^Ki2kneqGio8_D9Z@7UG=B_n^ zjMZb{3ngFjE<=4r{WzR~sfkzp4Ft{*5mTmq&C0)QIj_43DkLBfh$a^B^a?`>*{ipXI70AxRMjb`{2xH9k3ad0 z{3%R1%@V>@$XSR=2hl zVfO(!Q#GOgB1NGm(yo#piit$b2yBUN;3c4rXTv9kj}C3Z#vNfJ@E0h4X$nn^;zNoe z+1=N2_7V8&)~zFv%{@Dq6`&vWEPAB}b5rygtQy`zOj>S-n_@XZKvNM8WPh()zkb;8 z5#Z7p4S0>5H4iXF4X9zZ(;DWj`*MN%j6cgK6rvl=^3uzl8P9L$ifM*sbgx6W1yrj4 zMPp6%{0r?ki$poj;&yZ$;<+dTK4jQ%ckM`jQ+$Kwg5e)!O@oX81}SrlW`UYx$?|Nd zfJ5xbe=hR})X<%G-qob(BX#RFpgv2WI%DAkLq3g@>A)(5r^X|8Ca|Z^@)4}X!KG%; zmuZPtklZQ@6C}4d1C=un9J>n{m{L9#En<>$n?;xS`x$-{j==960kZjG$@yb&q^B!5 zRZ&U(DP#LR8axg)3>4Ace%~w;|B!$NWcqtX;Qm+Vq(%9&PESBglMLFUgVx zVPY|R0`^8&1-wo6D=r7l0smO-I(In|j0-6jDBds+(;Whe%8b0Tczf=@zp=YZci&rA z0bO|YNze3WY~5113W5=rn&#(noAOQ{I|i=~4zyvzN0Nl)ZjjV15?!w>R*amNX_iX? 
zwSYh)T@=R-eITp@t&{r{-A8a?@l~l>4QrHfU_FfY235r}8y$xx#WO|>1!x%wq^t+{ z$zv8lnu^FJu@r@ZuyspOTx0r5ovQXk^r!`=ajFI18d$ z)CyvpXGcHLYdmFyGq?ClQZh>vU;ql&M5uB+N0J%Wf501z27viS_dNg)9@%hU4;V(~ ziQaxZ#p=E~gO4(I*DPbqwNgC(Rl0$z&E0eK+Djcf`JWMWf&0Jy23JR|a8^9uBR%ig zyN`b^xf{eQjxQ0Loz|FL)FV?pg{O`u#q+|#x+$oT7J3Ro6~cd(d%9IR3)1^)yM{?l+&-P+1NXkD+#y2zB%S- zy4A9Ko?B-{3g}`aN#HA!$zD@!fwvCAXa?HK#EM2+`APrvs z+kH+pmYv;t^rCT3bqT^HwuaqAC<`!BZoSnD%tPyGxgt%y*|>2du0PhjD2q=%odB-b zomT9=%`2|BlAa(RxDkW{!Uy?`(4dFz8oNjyTtH19Y2N?!L8vDUSkO=O6u1JF#t1QX z_*bPFZR!T`0&8#NKMIugk6JN=2nv=$?%_Kb`+6bg-%K{C$LoNgWrz@=?2!4+O|i4X zu2M*FU>aaHs!@q;i_txD^gAlviJEaFgPWO~C7lYB&4cBD7>aR5P0$Wc$w|(_RXbzm ztkPGfTY>14Epts-7B-xv23@?>6h`Z-UAwsfJno61`;RnxRG&3BqOH*lr@9AdSYVTW zlpyCqu7%^5(ICwnlpre>On$o5xN%eeRrm(v62IcArG4>8Z`;milg+T_sWLC8iQj65km5bpvN{(=eqm&Z(zc6hhxO~iQE>T2x`jVLt_a_Y|HsocS@Eltu_v35!MXy0a(J2VIwf&0-28VEYJc( zVeoWuBY4*6Ic5l99pnbq0RflFRjS~Aq#eFt!{S4pkb+94rz5*$5H@W>ctSm)JhUh# z%#)L4BDu%&f4h(JLUN*>94iUc%PlhkYzSmRjbJ}`;>dQqa~NWLkNJ~fw`qA9=~PX; zlALMTtXT`KM~|T@R_e0l)`p$)aI@wV8SzX5ri~&GaawX|v|Hd);BqJe%)oeSHl`eO zlss|PEkwjHDrpVkFGo+&0?ROrM^6XzBQ_@I!mvSyIgx9vSh*4wEZoIRD$glo5a{fJ z$by4e@BpDfJHzM9bx~JLt>6K~8AzHi?><;xrDT`T6{Hqz3{qk_p)2^JW>KV24Cv1B;M9$&9O+c=UHQ0>tAI$C;M72~6&eZ%(kGikltc_h z`cbt!5=o(i9JnS3A_DsZvWt9~zWoR4E5pCThL3#wiKoEk1s;#4Aj-@_niVy#p(D8b zFBFmukQgv0H&4-Z*Ilm{0(ju}LtcB`^{55_SI(u8R|5wP<`j%3US!^43`6HvXQyV( zS}bKrZ^4WLd(ZJNb?ki3Ip;VB1n!`TU}-}{U^vi!{APdvIhUfhiacbWJEcw^>IoN+ z3LlPVW6^6Zraee(|Goc1zTw_6yYMbzr!XKoGCU^59;{fg5(_uOp}^V2QYvrWfD~q) z;7t`OT4JIPfk&c)-W)va*6OzfK3TXW)ehoG(UW*ulBYa<#>~K3#3U(Fv?%n0EXG(J zf$rm8XbR8yfddB}^APnxhlxP>Csnp=*;4yp*_auVefxy_1vCGvsnhU0yHCN-tktpM zTw?LVwZOsNefPc1TC~JI1%5+VkTJy0LOBKxVnj4J@W2y^J=Jf}kazi;*+Phi zxQ^EW-Y2f7himd zhQP22=^ln#h9nX|ILMK~YlqH75FvP%EM1N^;Zh^KUqD+d))dx zzyQ2?APm8TBv{6{8-Y%d8qn_bjPp#L9iXZdBhH&IpYx4p2ds`3Tt>pH8#WNm!Gq&j zcX%lv&P9WGn|buQ!HcL5T|gA+S0jWPQDmMD=trWNoDQN!b)3@&h6P^YV#SNQ&m!M} zgR$K-y9#y~U>Mkjgl+9i{2f9>XgN6r(eZlnrUOXkCAzm>J-08;ITyelCJaKJ_Yo-{cgbfAOKw~r 
z9XpZOd)&ae`kHG{j^N5Z{$xC83eP3z4{W8*wb;3-LM1w*u@Af=sFFZtHuotC11nqJ zix}h>E{7wuSh3>tj++iTXs`OHj%B8db9o<4JX z%N7AqxNm_a4IXvSiGe*Nr;HY`#P!v{6|Co?-2hs+ebQ|@cc znzeD?HL1_I$Wkzk6)8cvs}0?RFmTngB15POB(Oji8GH1)Sn}nFYh(vZ#Jqvw?U)({l~b!!8D^j6s8|C;j+So>(y_h7-ky5 z--7ps&NDI&Un`0!!7YS8{h=d(_+{2jnfCRVciw~QFfn(E`zf=}WX9*lvVoGsJfp#8#q&Y2+HKr}#B;?@0yUtKmK~aVOnI#Z61q77E4{N`{t_&>t zOmtYoVe@}n0HYXu>nyH3x27NAmM2GpzG)2tfEEmwUxB7}_0TGD1|lWMvJ^h{o;F9= z!U8D>ERuh!7Z82lML8TY9mr;UTaQuG8=kW5Cw%1 z-#2@{GKbd015x}_c}_7R2@Re-Foy&0M+9xG#zg%=(4fz zzE4hNJnWX!KB>XnDRvXq9}#NK(QjaQ}}R0R%4| z0GKxlD$r4eiXjmBZ7C}Q5~Ei zlZ2!=of4Xz7kJAVsw$|cNTlM$(f)w3habyLDF$-m^*015G;R8fl*LOR)&OpiV5vsP zwe>S?SlW>%h#!N2A}KuB>n>SW>&>1iQcq#)NVDY)ksj0o5=IMPfsM@)FDx(?Ef$jy zd7^N3yzvje|0j%qS#VBF%J`N@Z%kSP3`2=U4Yf?5SICt;Wr& z@IhjbocrCp`S@6fbK&zx7P0ZZi+^w5K5mnAr?|`1#5WfHdXh$f@dqi#LjlLa^J1d1 zdZ~VU4W6d^;X3;mCZ$SU-MPzaI;F9daJY%rPKrwJah@g*m&r-I2}=Yp49Nx;`wDEK z?;s6hc99092v3$?P7D6~Lsh|Q#dV#|cy{0=ZvFJLG>DIa9?>STV8^Y&!CKk|+zwL` zP&yulfBh@bl;#wcUcdrr6GsF!OnE)Iui#FSI2_w&_K_nDVc;l{9>|cj6uy5!AjHTP zPw9}98)A_XN0V}zrN^Vmo;wOZ{$oeL{Bq8*NWNHdsr2?#RkN(Ft>J5F($_$Y7QdNrWF!{Gfj_@UunGd+Q(Fm9oIKBWUKv=;JnImL5c^<(% z_txcgAUj5U7wb3hI*=e!ym$%EVP(se!?%X2(%hNt85IY?W`S^zn0LW~$MLe+>Ey1RyK{{RRkG0oyq1;&T8JVn0b% z>ic#~01a$AgCr0?LBe6TBg0C3ujiI*TAP;VQI7Jcwyel-6TX(G=co#$1bA15uCn8;7TJR)#z9tLS@2 z44STz$_H&mu)-ooc>nj7FmSZhRtgJjm#VFhGXi2yV+&k#V=Ph%iDZ&e%dceElkk9l z!U&iJ*^e#6??<`$8;;KwW)94LD;^P0I^{fsF$tPK2LKGPt%8@(APz^q zF=&WqWy|YEem&Vzyl(i@e)#bxv;aOdvZ#VODBtlmv9d)JPzK1YXdtfPwf$o96r>YZ zM1dkq0*$8JdGhqO(Q3>kch;3o82tQ=8r|Q$XCD<`tg&(I<9?z4v@Ggr>sCT$9uX9; zx8e8y!x2Ci0A>Kzf(eXs7}ptgy*^gYzkH8F7=f>rG8D@0=n_k{l*Nn5T7oZy`OHFy zR6!41hsnca)6!ak5sIcTTi{J{3xD=`gP7qU^q5Z29+CtNW`nd2KXHm9zObQs*x3lG zmc&O(eUFxa|G}SQ=>B$DU)7L!9ZIt zO;5Eq3ijJFRH}dO`pg`Fepc3Uo|?F2*n+mzEcSBBv!vmU4b_c5rcEk>$^y|GDSezV`vtpi+RF z3!xJ|ope63U`AbnZE({Z@ox6&)1Nn2%lr`<1Dy*B!nu&Mg9%2h5RODYR<2Uj`94dQ zEX`Xy2Gy;?`S?|fT&R-5kRk}eK)HpF)1`3dPdfrAEJ8d?SJV(w3+En|KK?Y_u#c1_ 
zUX_&S7YiwOKV>pCDDwfM1+KGV#jh$}{3^E#&Y3@O25QDG4r-k<%og{s;F?&nWC@Cl zsin?p<~a*N9Fa(m1bM9 za*mdbMe>>-b9gQqe*CA6fQjZlmQ*knx%#*<1qbrt8fIDjGzQuZw$?n!Q$vL@X_u{y z81p7m@JcGDANcL|9bN_|arM>Lkfy&g{MtP}me-WKwiO8FX z1+;YOa*`#VeeQV=b1d%yx`1~I?r{n&xs4$I^I}m-8Y6LS-eP?6WY*I$_nYqC=jtm;uIjs15Dhc#y;UYyFKlCvDTQL*h-DzyJ4;nHVAWyE?r+ zg`R3)RyLOsX(T~Nt$CRJhFehj=Yfn#Ec1AwnD%%NiWI#ZmtEl4;p-?^uu$cyw-TP_ zy}-$a<-+?y1PVRHtj4R4&kZ3@m2=dSyAj$%*#Te2;o$y0-u_KDReW>EaFhj}c?5`) zq3?NdFsxXMzCLh}do7wJYgTjz2On8DsfG&8f&PFCL0mpbxnHdNtGE{!? zW~_dX^Np%BOe)?cCJ&mADe4{>vg&}RR;W;s7le1=nzH4At>U{-=Nl~gHEY#Qa0y~+ zG)~3`jbr`rYOo$dhcZ`5Cv14%{i=*8T*AVV1sg5vsuIrt*rz5<9`-CF-PghjYu@}( z=0EltO%kVz3&h2?0yYeIc*lFf7Px6ZDz_~%2gxG|!Y(=sv8}F-QOh+cgVA$$Cfxtq zi~uwyF;rDbx#O!BmN6vdv8qu$weDq^KgvKWp!CVMoQHRr#A~a5a%Y}rI7I(G?KEB) z^^eV*^{sk2uzm2c5MaXZfx9nXoScpf8+Q(XUjoGe218YbL+t5(@zIZj&vu?w2f}Jze3qT0qM+K?2eO6FP&E|);^p*+8u!)1{eQ>^ zFtM40jT<*{PoBVifUL|S<`Quz<_|oOykE{Jp$D;^C`96%%Mwl_P?~;-TM{B==U4wu zi4rAIg|x4z4-~G$?mPGUd0ZNxAZ@akWS{K^Tg+PLGY(JO2>v!b-`rcb9)3j}{&+-r zwMnMt_Jhrk%_3KVa7wutC9a~Ow(^Yk-~1zb z%2tjp=_iJd$D4sU!I*Jcj%Oh&?6v+`me=PIJt*BMI&WR2g#IO`bRfzP(1xb6i|r zf%6TUrDNwV7$*3otzohXgpxChByV@{Fee|G0wvUXCYFTlgAb55i0Mb3?_GDtbu;G6 zmtTWQT2&L1P#**fDxzJy2sj>l^%2er$}Yo)jFQ6m+OlO!bP<4%4hc*u=XOBa*Qj}i zdM3e5(E^d^xC=I<%HA20o+;e61FW`!i5)r%O5QiLBsfip8OYk{fyNKH9cY;!K-O<) z6I1|($@lYY&GEJCs4<5d5O+kCTW`&LQ}K?(RWfw=2t0DA5>2aj3rQAx@XWA+eeU@e zuNpM|iPvDHSv}JHQ3|4Ap)2nnv|5ZC@h>VMmv?bU=FeZ?jW?wn@K;m6)-@84 zbxMKoCBhTW|Jp;uJ}AcP&=aB=Wa9Vxu^EJ|t6KT6>@;RxVo z!!|)XV6!lJu$$l}N-*V^+pL8+5;@P*BFh8UAFoEM$DeT4guGc=!HRjPlaP=o3na3@ zfWcR+Sjjzsoqb|qn(eExFfvL!Psi~Ga$Po54El@pSfN6NoJO1-Fi8A4A3Zzdohhjx z&PjTRw*(Icub$_M@(~HMXR6ty3Br`T?`b`OkS{@O8{`R0${(UEJfrV`6b@g+x5YtZh=u&CiUdrJ z9^hFNTOSXo*sl!~MG+9Z*WN24V(-0SZ-@o4A*g`#8UhI=bm=HH5YiLUNUx+Pw9pZ0 z)~okk;(ou`lT0>Sl7N7In)lf!%)9KnJ3Djc{O5GGg0&~5Vdau+6TJtqA+kS&wsDI1 z@Z(QTbkmuToR)$?8Z|H^^&c?!pa1-qYfo6z#1SLAMaL*jAc7Aex9c{jl}KFY>u+>% z#vNPl!_P0jLV5YpJ>)OEg&3fL(dGkLT^%u1Gu1SJYE^r@I4YA2~85}1s$@%6ADD_jAZoQ`yaX%FQ^l$ 
z*luBZ#>Ekc!qt#^I?I-?xcqW^#61gy?IPx2l#R|LGkW>Z;SWCS!JbpOs}fh$CFJxI8ybIs5g>08{(coT{QYh<T{l+UvoE^?jt7@q{#qMa&o;?I5HFnD>)Vg)+34xQvaRPA(Q!jo>_uhM7lVj~= zQuV-6i~xfX%M(#WAON?d`Cl*W*y(nCjcy=AePPBlAuFMQG+k|%k%pT3LHZhN179g} z#jyPGvdGBFiC!5;o(dFt?Dw8{@+s?;wl=lu-hHn-&V<4i@FxUGQTK@}$mY#k@LGgL zxbGF+*W_RPEJNeTj{f4WUdQX9Ek}xnw$VkCFM?2}Y13!+?$htWnw0{e)z3cf3%%im zPWU|6BQC|pC0a{V14I1=D5W&0Cn6R2B1FhvBsi3Br=03ihZHA0ijeX{FR6-m;0{XT zuzx?gam2d&?|;Bmbiy5%bpZ@@|KKC98mX)%Qfp!zM!t>yh%n$D|`GD_9^9;Zpu^mQ7FCN_-c6y z%JKd{&k){o&%fXt9G1h7VIv?;EKun52rY!*QM_{omv5vk_G8Xpapu%hPo=sy&<27C z9H5<}qz*T9UN3o#SgI_1dV;(|-BRM4F1pwqt+)dvS#hT)Op=gZ^2}g60J(+@_dVkb zd-7Z4tP9$o?WsVy^L~ zufOd7u(82HgnWS|h-4|?5&m-B-ur-cK^Qw!dda1i3e~XzgRsFJaz&Ep*t%+3v^W>z z5toromus*kS^XAJ8qA&dm9qdAHz!((?IjyRk;N!D>sYrHQ+hQZnebNL-M8ZDh<0zY>Ork z*^21knm&QW*Z)RV+lI_bPUiUk_KeD#q~xiZd6Ou_Swrs!P6eve$JjTK#4CPvr=_a1 z5Hn6hP9JXu>EVYTMV?|gh*y#~qdRvj;SghKL_R*n}*x z5M0%OJcy^T-no)P0`NzT_WxHsD&nz-SpKXakg-#zJM`Ql_ubN=<0m~olNxi}AKe9d zLfO0W6!?s-0BhBd{1yJKC&V}}1ElzD+`7Hl==dq|x$MdL>b$I;XZ{L9>HQ820?Km$ zWz*)(5G~s|QuDEKB84n<+#q1ck_dF6YUFp~^;j30L}_3K8Xq{BWkP{$E<;mieHuy5 z11C*(W_{s@sOv#Ss2ZPDen|ce>koAs;KTp0Tle?1x1sgvWOwN|U=W>DQCF+;*d-EL zh{p&%8`jG(#!)?i%Q%$6vqw**)(DH_l|gFHzlx!7f?5vWlKr4rrg_(Kj zJouaSxee|Arz1dBO?+m^{a7Q;SH({`^?u;g65}V5(AFkT2|csiSYocAK*a=z6BlvO zl95ja#zi(EwUb=47B5^VmK^3@?&DP&^hj}&gO`E$K@--? 
zEw|iiBYqU%BYgc>BT^!S*d<0=?$267Z0Yi5S66AMOBYoG3sFu;8pO2qim%)O%NM>z ztVG*$`N|%TswLb+0cExVN)GxzW5z6NA#7wo0{Nws0DrH$?go&H^ct+JkkANp`*hM1 zt>8a!q3?pKHGy04VAq;JWUK1TOK`UR#9L+Ai!wNS-f-s6JOW16ITb2j`W4laTPpEW z#QEZvPW%*czE(d9aLO~qtCgx*Xc1A-t=s~2A!827a85|C{uN7rog{z)2B9>dF1(jN z13rP0ja+gDvWmw9jB}0jCpiYLxg>`{tIwU$g!5c(j$2@hbI+@DYOcTj25^nuzWCBB zIPr>cjl`RgQ7cJ4BkDc^vUm&Em@NHjfAWSa9@P#dOxA&Z$lmb8{8XQDxflBeZ`!%% zKz}aR*U~H3xA>Efe0{q2%P+s;iN{6`1`aUcO++R=m_HBzF{83}CF4$a+%aR;97sJo zSH&cvk%mP1Y$)HP(kr!bao8i>itNpjQ33=L;Wj=6IUowDxu}3e8%y|yJTUaRt^FV_dzkjYDM{m zJ_OfX>spZK5(W9x)1A38VO0`~dkf2K`*!k0;1%3|;1H(~%GTQ}ue=&(d+9KLS@^j2 z0aCK(WGR8Ia1y;`buR5c?HO0b?g|8TVhWr8`g{sEZohDPHc)lUz>wh7)%E#_TvK}o zT>H#P=L`O6=c3Mz@j3|XNLU*-l%w>PJrW@skm8VGBN1e5bjw$mf5%Rpr1CYMNJL*NX{4L3x7p znI{4+Kp{^DcSesH>*})0O|VIIe(nVUDO4E*9c!-%0a+?u!9c9t{?oRdbL3?2u5eI0 znowe_{>Oj*^WU$tH=Hm&3#jrL9QoX&<(#Si&$+Vpk8A&(uW1_!>y+_d)~|ogHiJOU z7WP|s^zq6p6LxEFzV)^%*>m!Yrp@pMhx5zPt@{V3oqoFO#aCZ_ZKX7nq++$$hS?l7 z86PxqaS4gnU4Mh?9Z0S&cVJ1%8X<-YX#0BMBC88W^X6wut|#=9UEX}lc`J|?*@~qX zWug^b@zkqhx5CSUl0&K>BVHERt5avdu`@*^vDbD^hocUu%z$k1{ zQS{H6@)Y%_o;CBOi{4N2CSjjir0BuJ-|wfNegY|Q(uTV6D1f8L8i%m6b5^^Wkh*p2 z4jm$%K+mi@SDwIZJgQ3 zx@{cZ3l8d!DN-oY`S;(y{Q7oKrq6^t1yzG0PVcvP^VaRo%k-K0JkhJSwwIExws*IU z%&-6X?~Ks+Kgq1svm3kuc3zeq1qDdz;v{>022lmS3#!uSGqwgI50M~j{BUHYY^W?u zMojmFXOaDh-P%)6J>%3}a5oaROFS^!{}kwFJ|kA zzY|OH@h6_r|Eqg-PK$E~3{r8C@rf#qlD(x3H+9F1ieHSMQx%U=Xl2G*VY9$;QJI6C zYK*t)-FO8%^Wp}y(!>1!pkbi*E4t7qzDZA_QF?b(ox~4}EoQ#-%DhRYJVpGS+XvM* zmQ&CqXxR!f!$4Fh*o2Kk+r;#J((_a2aNKaiji3Oz(@_zyWrCBq-CJ32@s&lzF>B7e z2OfCX)e1~mjqwvEiKi2H!yB;s`yYTcwuiD7sQ!Z&F7{%c`}mVjz47K-{K|}L=@wp1B28MxF(__->|8wh=UVU@Eg`BayuWdABppw^YxyE-H?LT}H z52ypY3wBaGX)zvMdDT@mvakQw*Is`E-y~>0JtJGF-R4k1L17dTZ@&5VamTqR8&RYW z8LGlh5R}kAa0k{kA{aVH64>gM%fdv*$lB*Jf|t1rWeD3#vVA(c+O%1-&wGEtmFy}7 ztvvUKN)u>C2dm6WW}ZMQK2)RC{ncEq_@;`2i%4+ld|bnsKidf4?`PzlWe{#qV#TSu zRE5p*E~p+?DNHalzJxW!3-q<=0>J5tEwPcwCN8fT;lN7veK8{DBE8zW?z@ 
zeL?+i%ayiXS--lzk?qB;V?z6vU;p#)m$9c0UI8;?=wvYE?_ry1phAb1X`dkD?jeAF2eO2rKvG{hwR$-VB%kIK?Iq!Hs@OJ}6mSbLP$`x3g<+&uZR$gjqj}x6|8T=EY^~_WxLwdCAPd z4hK_cMK#7QinEp8RgG39H!JQ(%?QKwnGGlZEF(aPMB*c86)^y_5u(udnR z-Ol>LdW!=gKgWe$T#^vGFbX3~v6NVJyLaz_`&qm6r)pdI>Xv;!we<~MkeCH;v2tS@ zqvorVpIf=TwOtE>Xq2f>C`dF#XD65;Ns`^~`M0v|rW>#C3gMEfs-)gv7 zJNQFmLl2MHp zjF|JYVMF;z0jWNt(|pFHS3=ci3y&WVJR>m=9kTO!b;cr*d9_`;T2I*0BNLIk<{uL> zeF8FZ_9!b`BjcurR1dN=j{Gdw=ZW-k^q*MDG_76;oV7 zdW`jC_OoIE;{b9kS-QM!TNe{Bcf0@o2PHNtHagH1dRMse#7Oj_)0xrMrlW5?c>J!SB#C_)SPY~V(j#< ztUIsjB)Zq1VvVzLBA*_G=54Qe+UaNDjews+^vZY$lFJ}1RMXgrY*+HNb(^-teW0&H zu;Ma|wsyj^e8+i%Js2JiPe1#dQwzb?j=Z(#7LbNm0ytxg@pliivULMBAbFX9Cw@gJ zFEtoVK0{YN78tyH-*+}(vZ0bIpLYiZ zcPyzqt73KP`b>*o?K5t*&xm-1R!CJ}Ecfa4wNLLQUFOAM(WvX!9$2P(wS(n>4A;t4T4?Q%*S*FQXS85YhYd+17M!`?@m>Xv9flsztRzH?PF|wPjNYPM;5d)im%>Z+!C&6dsf5OKXwFE zsBhu<6-AfTz$sEvtbfVGsn3kiN2Tpu;U&woRKpQmQddD zq?1k}9}zMR)GMw;Y3Z47bm^-77OdkykT2V z&1l8(?m#WcqWgNmV%N*`^(4_H2(fR!fph@jPL?Wvf!FOjcCfx|E6!~&j@&uTA!%4S zr{<`_V9WRXc(Q+r^+hJ=lcNJBD#8{7D^lY!SCo~)Px#3bhxf0b_uy#NrmA&DHT(-B? zV=_5D?r0B#77|m6m+ikFXB+fO_(S+g(`zP zxN7GZD<+5#Fua~b?4psBlJ@qy?_nL*>#@!T;aBJn+1X~A88FBs@3}(%2UR1gi^VXuWW}^i?!y;Ut%SmW{=eOUY51%+`iqm%;C)m;c<5+zZ{o#odCr`B& zM9@#vjn184kkY;MQ)2U3YiLnmO)LSP<<*TNe_k_2%`G+mq@kHAjY_Bj3kF5B9J*}% zmTGTs8?SbOCp*Vi->uMKYa{1w+`RdPz@R3hQZZf6B^9amqjNWfZl+Vx@AKxSe zRegeddd&6tXg2+9GCH}*xU43DxlJbKxgP=P7mW^&%`Ra7VC#eRE4|&gbGQ8^YQmOn z5U{J98GuvbYM=3WK7*sgDN&1})`8UnuBSkVL{H6;rwZ36(jPiTia&^%Rls6F;Rb~} zkBG<^y9(G;wN~@k^2Mn~T{9VnYj!tmK-3*7kbP;p<)Agswm<6l*LQQc1WH=Y<#k zlf*}OGDx~G)NVYe2Gv=1qH1tO^OwC0#UzJ8$*~VkX61$Y|Gb9=pyL(43+Oca7{JBnG z5}prtqVl-3!3D1mAf-RVL5~heI^QqKXJmrUm^9^!4%=73Q+QBh_>4+Y(#p`4=++cY zfmS0Dl@s9SOME_@<@4Dhb)K#ckMkM1%4c+na=PG$c(Zei$>8KahDSa;F{Ge$jea5x zua2R%eSg~0kCvn?&RL&XzGKUdom^=LFTR`jwSCv_d#A^%2L)uSF7*#(#HQBtpSKRL z9&Xg~h+Q%XwO zq$$%d)~2MUAtjN(lM(~2$`IlZ@t9==u?6LB>ORUfy*33tU1O{OL~i@cv(G!XnlO+? 
zjT#frhz|z)%qy;RalB{AckI}S3((lhbBQ0}wpH(K`4pJ86<;I@5#G*;=2_PNVlzg9bkGXA!het59iFtVua732%W#Td z7YEhv+qcg`b2XZ*K}vg*a(1-;Sc)gw?snE$X9)mNsL}Rc@)fVz=bwLxTrTVe@uonz zA&LtgN}V8hQH_WFL0>e}qamD7^G3}rX;`_aR%gZJ7W)JiC@}%f-#@g`z_8C3#ghlP z8mcUeTZ<$hRB7p&iSc>e=Eve!-~<9IOgP(n_U;SMF1}-Ia3h5{2|m7wXdspQ1h~V2 z#&2YzLMw0zR6+*`gnhcu=aYFzF$%v>401guk+wh$zf_;$pj!+mcK)#C0pY0_CY%qo zosm9sGCHUDynwjl$E38LmUHXZ1@EoMox3UzPAV^}-<~T28Z@{W;vPjL_h!L>47D1YT&AG-L>Lj`xu}W2BwFzmVF^HrMp0%+m88sn7!o zzNnJEGgWeue`g!N?RU;Q3y@5GRE8p}q-)o&y!sma!*QRWev@s#bmv`nLwoGLsGBoB zaI&i!kbB;7=Ut?X#?c6C6dOKt5j@n{6FGw#AwD6=75Jn+0s!Ga9>1M&E(gjYun+{x zz$wuou+YqyDVOxoUQa(v=QWqptWPsT%^s~h)5=S=UJFL8gqpEgKK@yzLwNAnLqp;U z*TJ$hFlnI);bap|$RSDB`G@hVV@9V0ge2J@fUoS9T@SdE_1O2__uXcO9y{C=k%p~Q z*aRy1u2RAg&UFA5Kn7F+Sb))|3lL${1&Cb&Qb60#SS8xv$37s;XK=(-gXU%xlvp3( z+6{eD_k2!xyw6DdH&T5j75hvs$;x-`zBq7|>Ymun21fYw zUh3073V#VniLmHm{b|N+J19#tnVwqJOyZw}z94djyQ4 zX3A(-bhV|rMIY)JX00kV7ixNGXTz1}h=YderHYOw-jkm(6pTW(K5tff;bei>P zW@zP*t{^20HY&SFIokQ-5T31Mmd_Xa^j&_(*cIP?`>i0>^xhwYGdmLUs>9ZJ^my;p$rz+BU|C*!)UvV8|mQw zEr~21WfU)xaG$~oSL_l&WSDpV~DRV`7w zQrxC$IuuU5icOrcO=$B zCSp4jIB^OE+PI9mpJXowr}$qiR$x%j@)hI|v))0sh5SG(a)=39vHx|UJ@XWT6}NJB z2~ms3fk$W*$)Ul`FTLz?oS=~SIKM17gbf?fhioGWD@JSNPTpQmJ=EtlE7QzPvpdZI zX=ui%S*4YKTKTGiDnLp}3Ry~K>Al3K*Mg(ISl0c^;I#arzQJjC%}H-NJ?F%6nT;?i zVNn97@E#u;bNS$}OUpM~89r@|2(|`}VO|H~a9Yv2r>93BJ$$8tDzs{#fE@ipl(>Za zGAc#=?H#0$wATWko?rX)`br(2Ed;0jHDvLUq@3;FP(#`CDYpLTue$#`zTN%m+_=Ug zVih3zB`f7O_@(cVxFdVw~gd~AK ztupp4G(&^OR=KYeZ1tK7DYc?i@l_Rt=NLu$Aq|ZqF#<;MITgkKs@BJr-fFCQSXE2h z)J-|VY#U^JOQ`QOWA9hSk5PtOia(YZOE!0P!G|C9a83M01#P^5pcdR>p)m*sBI7S% z?#SI47txzpPpa&d^`u(Y7DPN#6TSf$L4=Qw6VELtQZv0 zeDJcOq8h3;n7Y*T4>ALbO10vOffNcIEX)426vU2mF58}?j zf8h!;EKZ>$qtt6b>%mL5?cTTdyYJb?FrJpttroTPEYQ%iqvuP{pq^7b%QEkWpS}*@ z3B+ZvJlb7&q1DRl%AN?l@AJg~mJ((xDO3suf!1CR<7F8NHiV?oB`U=Ap7>cIYH?2v zcnI5gQ{$Aa;R;&`*##H*g{im35gjF@*u|99 zEWQe=Rw}5%YWB%|KLVNuqwm4#ue*KRP&rdJKK`EQk|r6)zB6%9Ri zdN%*$fQ7>+iO2}EVq@uA^hz(%_U$`}>QB0q>C_fCbr8ZH(%1U8_RZO9MHSJOm=>hF4siRxZuMlA1Y 
zY{KP_YKgukP7y*Cq+B{NJ~}?|Qnob1NBV*tuDzt73|T3Vn9LADg+#arLTqHO{+}}dJ8-OomBKjk|K2&9)sM31J7z$#~+1L^#>^{_tPw~c90@bVMIp3om1l!7{QqV z0-PC;T!^$KFNFAtBW;Np3tp`p7*x*K9`mBU`F59;)!R@&zSfQ){4b_$+kqGKD@(GJ zHc}x4D4D2wh5Uk?#aFy3@Vgs=ryrhyF_-v-P(j9a2fo(%T-V;}*IAZU(0qgm(*r_% z21S`5o}%nifF?kRpCN7f1Dazg8x*e2FgSjxM~}@qeNt|#FY_M#GA=MWgDq3-fTbm@ z|6gcDw^EwpU!!^BowaPQcH})$BiZoL9zU`i8P@z@WjPRm@72d{WfQixw}n z{^b1gTVW@H!V%KBhP1SppIGuZVns&9`1*}*cBXqqWsvU9JMSjm3ab+_StX?^qaeya zHme9DbPwswZ?wO2h;R+!aS*>?lm1J_m_N!g<%LkZh3vgGbJGY_A9z9zB4#Ro(>F`g z3twB1(qe2E|_h73 za3YBH42l}pqo{oI^)s`4MkXm>LZYE>{a5&WJlCghu!0GqsOSvh75_VIWs{NdX*v0> z_u-`VajtFGZu4FU^23%V9y>fnK{JLk1z3@l1}vTnFfl9)5t1E4go6iQ${BR0xGADA zBssUcWyW4Yg98;>5vqejAlcWIi^ZMQJhSBb-wInAYhAQSx-$)p-#G#l4y!1z zWlzGD;x(1CQDynV<&UiCrpw>IGgMVF#|MucB=^~K=Alfhy)#sqA@d&45ET>0zKHD> zkkqGdKWoHO)22;7`uG#JNoGFGQtqsFyg&Q^nGr8fHMi!?JzZ|vwYw0@Df>Ode2AH! zY~Hek^e@O|3l}Z9`s!<)-4jbI$p?wD;zI+Bu?0Hs)|=tr7F!`bNZnd;sd&o)K>ulb(z3a?~#yrskXa(G4AQV@51_VsU*<*z2 zfYO};PlN*#;U#souGZvDs-e%|t)l>YZ z1uR~K%*>LeukRNFTD5BBTv@mg#VvYFu)&ixcmbEnBVG*zjK^@ipQ+ zQ~)1ycF(BzkMZv;;sA_HN?J>tR0f|5>Ntg`% zkWrSpHfaC!l~f>o>z!^8IW{99FhLNsf}qu~5xzD7U;mH>em>XVaD(JvN5aCDoiJqd z2A5oVnbR?Y`(WgvGvt>BsxTScX2vz0 znt$BXlE#xuRL~Hf*sxZ3EP6JWEo@)1LkM6Y8sG%3Fe^<74!{CGu zwR6|*2geiP8?Hu!anK%#^a_+zN?1Ofmv4ZO7CY}SnH8Gg~|@Y5KEGDG-gsVmkghHUx+6y zxi45>C~R%LV=OQMj2b=0TAtpzoSkiCD_pj$xtmbej2tzZY#3Iy08YLC;m7b0RyTPI zMG47f6bX*eqZ_QUo!{=t&dFt)DmAl6!e;AUj>(%)@Rje=?Qp%geDb zxw=xg_J{4(Yj1R6x5IXe6fVd z3Z2lS?|^#}MGbK0d-~bV?K^aEwg2+-XP)g0C6l8`Gz0K1cUnEnXEo;$kouhn1v5mF znidjw^MvT*{8LTOJ#(wi&Y!J5tX>^#_{~ULgcnc=-5M4vQE-6*a9uD0H5Y03z^NW{ zkMFl^*pijIc30bmT=B>YHSnLT^FTv;&BS<9+{;wn>FD1OsQ}7P=AAG&v@xOzAO zfr$6xL!y*c}riM=Vb)UAF;*k`MZ1`IvZhkeH=uLr6ta&h|au zja#tdFw?31_5djCowXAk6N@UNW2a8mtV%EhYVx9&!&Pr}eu2`wZQe{SGN=fUrsoU` z7||Q0iie)$3wZQ9-MYg)a2{S68;@~{r(27aF!~!d zZX`)skDi}mH9&_$+zi(c5Gp`sf7SgzRXPN!e763IH%f*;a?L3hiz8Zbl{hji0e=lFBinT>duO=g#sSRRF>cHl}tL zdYVLS9fks*dRmp@#pw>WJ^aiOvd*wb^jy#03BMg`){qr2XLUaMId(xr;DT1ztwxR- 
zLw#P`Z4c-xb>GI0S9zXeR>raE0u3Qx%WEB>rf?gZBqf?3{>tuJZ?^UJ+f|Gb9w__} z{+zjH3i(%tV-tLM5wZjKn4(Ab@k$Vi9NkX?kQo4ci?bC&g`YgSC$ihj{8PCj$KN<%Q znuP)oRZHErpqM<)kc%}Z8`KnXM@{+KCEg_q& z-+cSz+~iLd#2q1$wLFFnpz#0;$kaDu)*O;*3R>}(^z0(kpo(XGVX-16g@6$RF_DFF zuR_6c;)(8FSilV_o5*5a%Z~J-i!MgT0vZBIlc!Ec{|^TsFYc$G^%iN4q}DtR3_<`D zKPv_eGA8qk-{^p=uep|OGfo%u6WI`x1Wbl$vAmz9iHn8GXN!x)B*h!Il5?qt;+D9d zmEEmntBRuQRa|gG7K;Po#kF2ca$qys_m-+bzSUU!go?<gmE-ZM)%!2FWu z>hi~=Q@c|*734tl#Fzj|KB*Y?v(G+zr0;0dZpbxA;$9uOwPPo?Lu_gAS06nl!1c0+ z9)1)Z9mZM7Hi_Yh6bC#GBNr(1z(Wt!LdmW-l#?u_ciw%EI}lPO8!F-~Sa%lEJd90& zCo4$FZuvkFN_ZWAH3QTvk%nfK_}h~NkTW2P*8$qRH9JP>CnaOKnT&#jgb$7lDqg#R zU%_fVpBqX-^-7Tt!w^mvW72M)kzBfdqt|UY@6{RCo|`9k&yUMEdUCN6Hqnj(j>>8l zt#FD1KnJP>tq`~vy^rTK>KA;{z~D#x7ssV#iJ?>c2_;-h{_44K!j??p{H4KLx9?DG zpsS|eh2E&RVipVHGXDsA`&DwDP}E^0T#s7=#oz&u1Y~^tNiX<6nQB;E9I0s;{1=ON z%G56j&IMLN%@R~`@dM zvf=zrChrOdwZMn`7x1JH@aV#6StKiajo`lSljZR|KZLs|3$qyQ`=DTW9|D54W>dWdUBRa|i6 zk?|jY6_Zm~B1SIl8!2eTUp)mh^t|XDg`T^pjQn=Kp~E6`OE+$*oZ(slOGqWDbYq8U zNsPv+L&MV6ZPi<#!$r8>_k|9L@XgH1X3IKud?5NjwxH-MSf`-XhadOAmW^*-m#%N~ zzk`PkCrgaiCbm_p)@Tlqbl9L0Jc7kp#3j9iVJ4Sdeg#RSS^fm?=j5tX?XrF4p`7F= z;0|Yyl5m+|Wl6_@Ds(unz1~INN*c}2K8I9q@GA**A)T`Oi<0m3=M0rojtr=9NV4}- z7h!zNDD7CuPD?Oa{nIFDPy^bA`GCI~#my@6TGvRNj=FVSXBFMH#mq{9=}={*_}cg> z&Ok})_%QVwHk6N_Fo`UA#NQ<*rHGUbT0vT~=TM&tX@wA{Tm)?#8z9abJW`iKu9Vog zz@xUcemAmJkbDVRN=`|K0#P}luEDPlD#hT19*?aTg1^4LmPXU2O+WbHW6=*Fnn}+I zGGduKUi7e>;6dr@w%#%+c5ZYMh%Y!*FOY(FnIG5!N_D(hG^5k3PcuU+htzBnM#`I( zmTw8oD*13hT)SaGruNVD2at$Y#2HLf2wcju!t}nzY^36w;`vJk*Y%sW2v>J9d@q2o z;fU+k#c2hnOf6KJJ?ue)BHH@}ElJvftAxTfo@$YaQ)flqiqR^u^g0b!}G z_q3k$>YMW|1_q}dJJIw!Q94EwH(>Q zCtz7IOV5#>HRh2CePCkvu>omU%*ve*oyBHMO?9nkm7be_>Ex6~s7!s6{y8di&Gy}} zVm<;`hlO^%Z^}dQtV1<{vmd5sH~=r8Emh0Y?YudJL=N~Yh zp94BZOwm@EbLnf-#lqjrV)3czV)49DMxhW(>h*$FMsY)=m2;%) zd&USO(H~J%*H(`z(E-E=fK$W^V4_m46qu;ydKLC%x{+$w%$#}VndBZ17&`&BA08P4 zPC+w}2lYCM;gw(tzH*S&97P{BK&^f|b@mv++&IW4xZ|7)fk&Tk!igXzh3RD>Xq-ai=cT+?;UW7U;UPS0`?tHVnw@vt 
zu&8mNNhIzDr(A7Pno|iv@fVO%&gVP#44J=z{lDgQn)_*lvci*aPAe}J=K(gH=lVug zsN~{{wosC4onvxj0Yx1;gX>)u8C{Tuew*ZhJKfX^qiB&nIaWA z0MY*8+JV%GhY7J=7^Dz9fhx{}V&XGDbR`zF8S%MnoMcGluXU)Mu%+in&zj6*bY|WO zbmu>v+haZ@6jagd0{`W7xE=*p1+&Ht)7!x!&^3JI%zuB`-wmlFS zpFae!=m1I&S@rxyNa^!MKifjKE^1r5%>@?_UB&W5ECPezC}H7|H@Ck92-h(^^WP#dQrHmC8XL&j&>4|OWGAsmDVf()Bx*PO8rEyG?CK%VaEeY0OWW=p# zUqRbV3{^5XLgnotF8Eu2l_6pC$BKUv7hHN*HD4{h9%ld}#rB+ruk{@PqmU@7OKK*h zeZp98CQiphwS#D13VfK+zQ2~Zny8?M`1nMUJjf#{%lmBS=ci1Y!48L-gR+?sYJqIj z%H6vUvOyjPtsZ>nVXH%_SEnJ!8*jQ9A07&VSS#S*)QA0x?UsaTuos2NBPQ@5#5at# zP&ip0!jWt^#jx|)uywm%%<6Ulu`kR^{ASlKSe#~engME%qM`Yu zW}cd(iWk9IV~C$hRYDVg5fjjH0aeHm7-I0dz!L+WOstUU#(++&$*5J+qS9dX!rpB> zU%omqqVkLf`m8PAd@tqchsR$ueCgN~iHOX#fRy|f*0<#;xt*pZ9utspvTtm5UZLkt zyz$G{`MlC~H%&|N!KGguD!{3#Rxu8hAQ_2?;zJK0U~ z2t_z%j$Cv_&^B)EiAl*wd?*L_?aWzoZ{W~~aUV7zc${*qn~ziXfhIRd8zRDVbiNL!$o$}~<@!Bmjz%E0)vf*R%_ zcWm+iCXFeS>XRe2aP8S6!tV3?IxVjldxt(>XQOb<`ko8oPVi3|yg1f+v3`Vm!wtNU z?D~gf95V?eWUg{eSN1ZB{Dz&;Z&8=2%fmDBOUgHojYvOXEJ=N-K5Tj+@^@r{f~wfn z;%%Zw)fKSxq=>V@&*Pav7r*c!rnDxY5a*3%%B4i zcn5|x9uzSmJcCTQqDB@16JitEJLDu?`we+0eE?FCj9Bv2MywO9Zt2ir`V5t$4_Qf) zrITq8w<}#62ww5n6HiSy^Z0>N1i6Ubk0rq4YVVK!Ult6u^+AK}nU^#pLUluj+3~_* z*kH32)W5CKfH&e|QE9ZIP{?q_KQZ*fODRQBTIIW5jPH6IqoD54X5E2?1|wkPp8A`L zqPo6XL?w+CLaS2!5k*BpS}{?PI6cm_5EaDFlEEp|nhHtAmY@d640%WV^w`zZm|0}= zUw$D=67H#xB1nfW&TCRyv}hrYJ#4Pf^HSr;jWz|Tf5V;fH*9(P>qMpS0o_I>Q1${PJd4zZP>g`^Lyb@xo~&Hd z>cw}Ke}aM`a0J+D*+=*Bvc!c z+#tyc9Jcnh?b~g~^kq>W%?V$(VWaJQeZG?ADKI4Asleqh7Tfi<=i0v7P;6B}S(}Nb z{5Uw0z^F5Zhu`2II&48C{7{51q)1-*tvNAAjm@moiy~?ICO7s^8xvg}+oi`=54fHJ z8hT#5V5@L#`T717BEd4aN?Gn84@`0s3$L4+yf~wD!`2<22BjX08>GrHWlB{@zWr7- z84|HHt&pvbsFA$@tNtwgkgNi_!3Gk0)9ktPJ9O;mwca^@?RD2poHUiy%_fsVy|PG& z%zf_p7sU0VNt0urdG$1)@*5r*b=hT?+eVTkU<1q|Q+QCw{IVvUB!v0` z-43LS@YVJ0cTVvjn5IpeQVPVRmI%zUcGIi)d3VP4#5P{fRo*!qK%Rff`xR6D$#<)2vTO@~_r`mWCwoiZ?J)UtTt z%-MydlN0h^U6|T>Tw-GojSirj3dlUgFMfVhl8xKjut2`r;KTM6S%xDyJ&Vbb_QCzl z%*_W=_^s{!wy&-|Mi&i}$^z+Q@1Ql|n 
zjvS14jmD&X8k~XgP7kRbWEvW*5Sjf(nSlvu=_-a|!-jI!h?A_j1A80Lihy4{&v9t?vRiSUB$IfnB2uA|Mza^Q zG9F?kE1=lIxCxKohR&x*S6Q1ZQW!oWJS+mHK?B<6B>(00L)W_<+({n6M_7cg3;xn) zKEh03Ecee^r35RA@S<@dLZ^R7^P$TZCT58+#oy%I{A(t~A3Xt+1n${+O7+tF^*R!DKMbDI;I}KO} z{HG5NHlwq}+Ys3eqZn04qLs9Ty9+1=c!6Td>q7+^TrhYM5sqk&ooFSrCv+&34_O`@ zNgv#=Sn>$GgyMcVbG8>+-PHaT6#i6*6Y~MyJ}eXT9=N{Go4f6f{%1I;AgU%vnE+J-q+ls97QgT`#rBm}jp`d=W^$foXABJTTOOZM zvZ338Rmb{^OGAdb24}nh;YSY+AFwRx_aKyJs>n_3J#aQdzoZOOW^Rfbe3z^)F0Hmb zX^w3+wrts&n3mOjLE?=wGMf6YdU;mNn)Nl*Zmwvev8MJ0(|T}6?YEWxb?q1@0VS*w zflDKjGO{5{zFHxSwoP)Bky)0U-F$+Xt}q}=K~+#XC?Bk1H%3_JSZurpc1DnAZ6p;)M+g!UAs6nf7sI4*yMCq z6!3zNg9D?3{*_lZIIp{Hw$)cH{Yk_2)>h2IXf-Q3^|Wz#o8$sj-4>@Jg;~+6cEHke zq-Rafqs(kl(fV^oMOG%ZQfOsX7(tj4w@mgG&PgVDHKW*l@l2&kJH0%*`tpJ1+3r>#n!@W_WQhuY{rQwPNUdV!AexL{YYU^>JKbPyh z`s3`p?d`1ZZXFZaAXon-2~BWx@y~ets|-46Gi>Pr*E<9~DS8*7XHCze%q&ae`8f%S z1_*P**M)d4bbvTo5Fd?65o*Dk0(pw4WR3x$c)dzKK^tH}XM)m&7}N^pefb1rb+h;;|VkZrKn zXT8}%yFJL|+;!LAAYR92-Y11qkPYDOe1yxH|87^II|A=~l152aRLGGT4GsCB4y_kqYdE#(lS%CaXGEXO*P1FeNwzSNV3|_xI1k60u4h zsC0ajRlq5sra%?E2&RNd0(lA}1uUyi(9r`z7AIs1H`B~bvpdZIHA~b?QnO7BQo>gW zM)R3ef>Zj@14BQV8$nqsD?_$2Y8wxCGI=K))DA0F06HA)TAuFgDrcN;WPN4pQ0O7T zRsPA@iAcl>sy1$_lt#bVsR!9AXX&}nv!mxr&!C=DrdZ`691*Kjd|0EfAreObk&xY; zgCGK=Z?-g)XrVyK@Pt!GC-zv8m9?f^K@}f|cqMemU-^izFXVc}(255U00ji#8HFxI zl7-rqJh?17Klj3{Dfg9`T~50pLp^q(aup5+!d;L1g>9bbibT2i!H8=W#PX; z)&f`XA~OIQAwUpw17(60PHo;|Eo)Ub8~G())wCjMDhZeHU8klMYQXg`n`*$S6c)ud z>?iMfZoQJ~=okN+G>qbND~d0xE<;~-kC{8YtFgJK5>%;0h0u!V`cs1Oo4aX=If9eS z`)UEH_N@Be(@#I+#g|?|L3iSbcDHj#0&u~L25^asPXvru$dHh8x>+n}Jh&hsF?r(T zX{Zpr=7o5N-hKKBEwSmk>8AE{=D~*^;S8=9pcVLq#=!ZABXC9*JAZi{r^XNdAUj*p z%xIi~qfn&ygB7`re9f}9Fd_siDx_0a;^WyW-w~mvl9Gl zf*P=wQUk7|wEaDm#+MQ@*s28z4w!z0?$%( zSv&%@40vI?|Ka;8ASJs~!71Sb!V?6coWhiL@WX3sSajYoqY|rZ5X6?IDd!3fSP*R@ zaA})$qmJqqyfijhSefQ*2ZK;mMkqLKe0mPnmTN~Y%_~`}nXr{PTluz)t2>#$D`eD; zK3KgE?NR&VTzlwz5!;(u2Z6R89~rUq?A4#lkKVAMTuWQkR;?=708!rO0&?2G?Bx$zu5pCPH^&hKPnK&DBXGn-#RtNLq|J$t+E=iRT 
zVt+{fLmZGQZBMb_suUKe0WrrEobBw%-}a1Aa`JCQtt*OdsD>()llCQJ6W-~cDG`-2 z^dzQG-s$;9g^O>wo-DRzEM6oR^vvJ_`eZUl;7Ja6VJF2bg(8l!GFE9_hMin|4?pra z;yfvB(cM8}xRAL9fP+>@UdgFxxcpJa$_uTWv&oemI&@@H#3Rr*LTPw_9GMlTS9dMK zR1HZAwT$@zs?da_6|Z}Dc}`PI^GHtslN>N2w#uI^R&L3#BZMh(M^F^0$2@%0iLp8) zAO$ZKzB(^9Br=UZ0U}-MOyy8LC#j*ZqS^oQg{jc?x313MV}TbxBDId+9%L@V_pygAp}V$?U{- zx>Kh+oSy1!+Fal_W-K>{mF4E;!#zMM7}P;B5S7BB*!V6;sR5~=w1d+2y^T%p8S7p) z@VM3it;IL(CpTb$T^Xfc`R~>s1${-4MfIn={+_M$`jhg$1X&}l{utw>`eVxQbRw4* z79~=uvh>)ukOBfR9Gqf)SDEEq5a&smwPO7CZ8No6Db2`N(NnyQ`^D1uJ% zjUBTjN}%d@3RA*SVXgCHQbsR|fInLpZ)Fe@r>un^O^~5YaZZx!5ssYQ1R_I;5BrE`H;*@jTWSPDe#IPW&*{Fh@5-btnh&1W=X4F}$nwy_=(n%kF)I*4wfI<3mxS>kcGJj=h z3qr|~*El60Rf$j*VTy9^(RpPzOo(m_J0gG-wxbSoIA*H7k!Fcr_R_dmP#B$EG-@9? zz_Q`7NBbuA`Z@;Br`iot+P<$@rDmQqgrf?NEh;XiVU-s&JlS})m6CJ`#52!!*5`HO%(I%~m&MJ&DQ<#F5wg^2 zZ=Em8dgKhj327&7~K*Q>k%RY5BfGW^}u zfX4dMek-8Nhc)2$0b~6OW?~A{>ra*UMfDeC{95dlJDqfSZ*=L36Al{>vi7n0!TA%5 zmE?(qX5;`D*x>*%7=o3|m7EG)k!7oGyLOr?qyh07pz&j81r6vK zhXTPbC;`tj2pG4G+GQ*L_mx*)7h@{{hCTV<{^&mEjD)YpNqgTB?FP>#3 z#tv=!(0s3w6Iu*X!Ywub)Eu=wAZ2COHfCN=c&Y`MG!-4fMlFw%|8fJb8uFLzHLW9H z1uT%uidjy;Vt8fD>qIN2Y*l{gBXd$4Pbwlsty1VQ?}A4-RGZ<)%twmH*XwV*iKzl4 zf`hS}weceA{~~P(2uejEC=g!6i#yo`%ne5-m=Y`zUuBFSG=MgzYN+zJze(P8iUp$v zB!vaufCL4T!s11)YSzt5HJw^h>L~{>VnP=4s`fPQb5H{f#kp zq54~>0)F?qBzt7Om^hM|ATomm#~pt>)#pj!IKtNt7=m(;jELjFbj4*Xf7UD^_z(}) zQocfXpbVa$x=M(3@S&pjKl}(H!Pi3WfKuN|AuJHSf`A0A^Q^n>zQ_7=Yn$%9^KLg> z6S*5{TPinQ-|RfBOHAVwozyrbTT}jOsL~ogF;0>G%{Mf;*`(aY6qvv{9K9bqUR9ni zS+O0Q(h;55C&QQ68>0rqGZ`0Um=!5xu|A*z;>s!!tg&B8$ADl4--c6qyRJ9znn^lw zO0!lgztw^R4J(Vbac>7m*##(9yr9GNKVSuQ9`(PQYk%A@ix;VeE!$gL2gEv1dI0s1 z($M<>J@R@k^z7*QBI8GgDe;X6aGOw|L~OPzfDV*^M~y0#h4eI2m1zc^FkPw46$Dtt zn0N%Kgwr^wU(h*y=iT8S^wi|gz6)25UKW>_m6ugiwq@7e?YsBw-22_$?}?ZFQA3p$ zuWXt?HeFCPw9Q9I-O0KS?HQg!5ScIy%0Qvv6WP`#rKD0j6;?pH0A`$7!^;aD z4zZROUvi0aE6XN%wEtMtEU<;%eO*drfn1;W?kg8yZh*|VEjZ=m8;lY=Kp+y!0zJWG z*7^AtxGm}aV-)HEaPX zmbO;#S88PVDVQl3)mW+)^TEVVoniDNpn2S12tC^KB?KJRgBUMR&!k|E4FfJ 
zEB7|r)xhM00A|5?)CoFVux9P=I_i9cvsZG)`3epQs{}9Wn9$b4r3a9P9@Ton7Bdo> zmUsEMmCC?`W>2~Kg{#>|l?OKU3np*LKl(0e)_;kTtd(ZZjA-CWvj8yxR>KyrEGjD5 zu%R4nn55g1?HBQk$j6xF#8DRTZ60~gKprOQbVfGR}CO?lh%P-r|4$p4#G3a%(R&nUXGTBIT!{krFj@^_4_y;XiH!qb%MkAUA2 z*Aa%QS0$$qJ?He6(TKx;K?CewZtZy6n{T}{CSV*ILUukFuu{^}MMDT$Wn^V@e%Odn z?b~Ind8}r< zG&E1H2~r1!P+r*aJ0a;nf9}-{Cvw$=S?rL>Jipsu4h5di)<%?5;HFu%lsxD zH8|pw{!5z;SaPl3^7|)*yfQ21vqkZPmM4E1pSv)%@T;WNr;SDr9H;gzO3F4%VGfTy z$}c&ypjbk}fht!3(?Bf0v@(%OL6v-}0m}>%7V%270kY{*SarnnvBU5gqU_u}{I#Y` zQ=zzU29z^o0VOVm^^WTl?fG9X95QSK)#{Hs?sywdXw|9}_{9%7(AZE)xQ!!yld>1Q zR%tJwE;(77AOkjg;4&cy#>o^M@?uINCSiDBpy}BRQ}}#h4l% zvqn7n9|D0<`=IAhb}JLD06U~A&`RqM{WDGj-#Wh2*M8~^r$Ij>HnGS&n)DQrB6+~~}Rp$&_ zfk!CHD~|dAmX~-X+JHI%>(DGGkGrsb88_3VDu~rh_=(e5!pRCa!@l?0Yp)~7MR-C? zY(hv_1U3uX#n=llV97PrE@3;qVQKSdL{jEAGb@)UU^F>w!fijde#OrjLl{~k{M(@- z#-5wFyw-2O8b2qQ1+ByzaDbT`u&c_yT2`$FG>ZOdl>EJdf{ii)sahE&H&*FFZ&l9x zWcJw9U1jHtlg4sp-m0^1X>zWQ2pkC2?10;L%C z0v|Yh@)X0u2b{7(RV_+CBr1(lvZ3X#Xk%<;JBa^UyLKHw7MWc*GAzBx7_>TSgRT6& zfGQM#AI@ytd&xQe39TlkH5;2ut=pp!tduKqo=PyQs)yvV$8O;tKQvoz`iDH|uZv3fUn@i5RJIHm2+Xxp7=GAlbOVSjpG!VON zm+|$HM<1`U7gQF!gKscAB)G`WF9f{&1IE4ndY6kXy2QzIYJupktY^p@FY zEEyk{k@)Wp`(5M)L=D(isR7r&S|jOt$xZtUS{pe{ZBO|Nf5k$lyeV{`8G%$d z^W)M_4kgNbeCu!Q{!*#_eolAI^#@I_2noCV@+%I>5aDBU-gzxaF7fK?UC=hmW`5B9izH>^+XsPAbz%+c{r4YrKE(sPY9N>G?X2&9WB|(* zt$?cHwd=2(p00`l168;PDtl$>jPL~PEKan7v|N>ekRl(eCJ?}4;p1{)b+mx6A#eSG z@{bH!vE0~m5{SW6VyNoW>5kfY5eboe{l>5jh9TgahZ<*PT>Qh2Jm$n2>;;lKi3lwA zz%s4S1GaLu)9j*2K#Hc(`9rS`pdPBMjUpe@n?j3J9aK_Z$)SYm4?y2N+1NMV_#xai;1>#k z^Ha?bY5H&s1vbz}9(|0wOc*`idZ!!uUfYBCdgopDAXYQ`WbuMlA*bY&RMIRz^4JsN z#d_X(=Sk{ga0>Gl7r;GOcn1bQ^}ZU~(;#KVDbbS%PO-q%VScnQ1uLjONC}@Q+qCtT zIp%H|GXz>b94(0M>=Sgq|6UtaAm6S}+Lx@ZmUWc_RPi?4$$2Ji*I4EPA-C_^xqZkFy^6I)yB)yp_qV z#4L+GaQLzWB~zpRHO*DW`6lEP6vNm-D;r>mJ`l8W1uP*>y`fsSY3s;^5xe$%FT|{s zfqF{@W@)ryMY!|idM~T`TuA@1bRz^cZ{FOM9lRuKzpR5zz~TjRL^O$N;>uYiCl(;@aFcn;I`pfqOo=BHXnTWF~XE`^)dCpgdw9F z1Vh`lZAao12m`l6JOg1G$Wv?*ov(99&S;!sZCY_kgsB=hWkS{O!72C*9{aBbtDyH8-{*6z!TIRR==3 
zf<=8$2@jbAI_h&zu5s%k~m12k|0%u>{~XLiyvGKnL0`mR%~s>)svj>ZOGh`IB> zdhh)YZ|ijXX{VolK)lO#F+A{|d+$@apx_XaBtQ%Zt?ta{KU<9NgB1tH`+7TJR`^$t zZ3+L12dg=D@ii4i=NNIehy2yP8bxQBxhZa`dT|1&@TTZ$Y?8`}{$?Q60^{ctqr$~U z4hk$SU4y`K&9&FrgdNwB;u;dh;zxnqv;HEp?N(ktr1&ph=nx^I6Pjm;kg_$P6?xZX zYm{L+U_cn?I1ba2;kJCVNF_^EmaTx4>^!wd^*eD2sDk4Rj>tV~QnB)8$9)2*`XadF zsKu!6EA8y{z$wiD4+y6;v(+5f%9d$cK&m!`a>79^IC4OEbZ{5f@^oicZLn2S&a#d` zjc6}DVtNcMXoal$y8x?(Y*poMF(N3w(fC}`T$TRl?4)f3-tXF7J6hE#TLD`y&xvbH z)vfudTXyc&XeHVMjaDX79U-)0^|7X)JsgW4ee4Mv>)hpcXC8tq&XIdaP+E54kz9Idp>s z$e_8PRmFdepEHc_2(!Y!BEZ;6m{m`+_TrNUL9bQbfE5T<1uh{%US0ivcizbJF_brj z4y5W}ta;E_|BCXa*ec!>fhyTAmA|m@xqYBN0tC?Fk`@W$BjE`Q0!fWtd!q}p@abp0 z+gOo`G@ z^ftn0U^vUt3XYpvq68}yR~6c1z=|nhi3+Dokg{p~M3~Zha#u-8Z|OD9)QnWKR?Tc_ zu-4?TU=v)r8lJ5D+{W#lxZs5^zJiV%A~QW2;A7kH4Og z+J!8cT$_X?WRSaNQ|k#yN(VS5z1OldByP-D5YO)ftWlAf*hw1&=69YQzx7*%R!+dO z$yQpt;(Xbr?f5nwg0)xk7OZg=KADluchq6Tf*?7U*v%r*Oqx8^ne+D2OE1Sh1rHe? zIJxf^190DR%3PZ5kXZY?mgf`i`P4Jdy80^XD{YN)TC{*kazHSUfu~?anAMLVDwmzA zy@-DWN!Pm@8^ph&s+v_v``?ON{)MYq;hY#SOMYctdyE`eQ3UEoZ|k1QyQwA zIK{>fKh;qYS#zV4#Xfb=I0dUIELn5L85SbUKmByAW&nLy-=e@rmD7aOt);4^xeuatMcH8amfABG3p2Qkk|I5}U zZM!vg2E7nl^bx*(!Y740;l1qn%D$*C?|3xdRPgdi;~^z-D?&q6S^>ksHF#DEVWcP4~E_yBT5 zZHXdX->}{%!6^+@PMoR%Ri+;Wma_42xhIWYwJLM9DF1;fn@2k87pteAt2_lx!EInW zHwCU#X_t_y21UF-Cu+-wOfDSjZIpSSqRM>60|B?vra)34)B2mjV2dAJ|}tS-hCRapnMLk2?U{79fWiB zT$s>oLVDxTseKkFaHiht>;Nvr-3xlgAl3ElcaOGIT15FXZTd{O&7>*QF1_?J8&^5= zOts6UJ|hacT2y(|2YKe%=a9KzSp<{TVyUOx)!-q+ar59{(=Lze{M?JP=gg-MaHsT) z$^=btQP0;SH{g$P#@_j=nynJ7`m1VI>tC-;so8pXu?UZO$SD7#O= zG%?X6NCdbgE$#QqT)ipSwCvioo194a!@#l#(}tJU3WXZ&6&z~x^-v9aWM^#jOGCEm_ej(@^QV{_3fK(z8Re!s>NC;$2lV;GZ{W| z6i`KEmT*^3GWgy9VFf9{sao`YfIEThE3%4Pk6+bfNF-k3HhD@61oZ?d!6|so7mMRX zsycp9NLX?v+{uPe|Hs{VfJbp8ec!(Hp3m={eXs4a@9eX2IOhbIoPz)f5Qt>JV1mIU z119I3bIv*E97T{oB$1;;js}x+HWu^!dQ01C&CIS=0iXTp>1UZ8c4ue0yXs&6s_JS+ zNA#EpQrbRuMJUmhuJDwYM#Ve&v`#h^wM~cHl)M9&?2zOiefA%SO{?bThkSsV9m32< zvpu!$5Zy%q!j>KaUznvw&^77823V&~oyj+P-G4?!vjMTW{EAtWGJ3_-CF1puE(=tF 
zK~`)HKS0&o@{`w}ICnu=WLU8eA4--5fW`YGKb-F#zU#F?BzWv2Ta_;!Kb`j8KP}Ld zi=v;=B(hoxYq?RAreYXl5@*Yn-KjVHpP>feyYIdKP0epvJHvGVJAlvESN`&sXY=PT zFnFlS^h2Qmni%aYC6-dU9CL=^@S>gQ#v~wH@+(-}N*P0@IGg#K{0ju%aT3%v zp$fZ^KY^-5WXhZD2To0o+V$G-Er|A8oo53~CZ9?fPN8t zDp6KWkV3O*Etg!JGH6twAZ4m?j#Ge8$$}&_fUg$#b$o%B8*(LrE%RYb%+i3xfyOK+ z&(d^Nlo+qR080i=kE0*7Vj5t&Fe~P+-4rx>jYw;X(Mk#i${Jy2Z{ER66jb4SCb4Je zo~K6~2%8>#;%Fq2 zsfLdnO~xIIG;#RMoIRIJ^*nju1&FS zEwX-cv3bzUM~|JT`E6}#Q`D|gPuzX%q$%(O!y@+#SzwYdRb=w8*nvS|dk)5kN)+#Z z;8OC4C{>rPJs`!Dl3=MF0xP1rYxf=sJkIpQ9~otS4!Xo%^K41OWOJoj#JpsZP&J+F zAn7D9*rsusyzMw`S=TvhZr!;nWXc37!71^Cs8>%V3VeNwx9=@MSiq zpO7hD=`qveM;--96uA4ubbS|p{l zqI5p5T5|@1P^M-!HFjcbN}x_oIBsQ==edO<%#+f$RO)ZrcxdnVrC~?jH?X z8nZY^61Mc{cu7{GL_rzZBwd26*$|hYOq(PDOXeZ3%t;!PQw%Cz1+AJ*U;R`sPhHA> zn^d()*7prRP5%5dv#EhVp7ydVMne0TPd#lde?ck@7+g5@P|rC z6M1yK2pvM1HNhA3&#E;M)QboZr%*3wxi2eJlvSB>5sYURc={=bLGXf%LHTe*WRzBA z3?H+UEr*DehA*9p*&`G&?mQAOp#d8;?X#bl2A|A<(5 zHc$MIbufqb0rM)KCjhN?`cSngW~A*veaPzXRYB5=x&TBi`C^<0rvq*^PxE zz&B|79#at_MjZ)6m8n9)1GB}sSq${5e1(cqcby=YSRFE^3^z!}E@`a4!%Bfr!|8hT z?88Dl$}ti1(lwp%Huvc}fO&$~QJj#nrJC)QQva5R+I{N$8-v%q*K}^!RBq zB{*e*l*TFPa9(|Zl&M{{%GFAk1FfHZAr!jZrtNKr;0ri7pE5{F?zdcTz;=_owLOIc zv*Ov7?hrZ9eWiO(cWEloieWVY%M4)2tPpx73=6;t5UrSm8mdgRlBqj&H6?H(Re5BJ z;!+KR#eID?K0SD6*-7jAt=W@t#ClaIgWCQyiV#vzrSpnEbY0PI;iiWVf5OHSsCsf} zg=2?a1u{qrC;O}3cMY5sYn|MIs@f#})v8k$S0Ty-e;sNE6*p|es3IXDzOF#fs#s_V zslr5=CQ5Mg(})rS0sSO=M*oX^F;Z8qUQ3!x+4R)?y()2?`W3QGF#Cg?tnJw!BwxHT zR~s+B|NqVYAaOCT$Hjh@P(l4jsG?M?EThcS`QFy$5h^kA_Dbt#mmO75!pLLgDpgIh zgzWUt5+yM=(z!Qq+&CgWh+)Oi@>a5!$-l$pm?NGv})aslYE^}8lPuM@VmAFPyJgYi@!Vf z?y=(`0{ExytKR7!{>_B&JqM3rN!k`q0b%0z`^T_o*%MrCci1(2?8;3xoD##8S2Tl} zkuFdrF$D>Tn|w-)HCPMO=1Li+H+!^q=~89D`*0fM4Jg)l}F5pwsenB)=X$iD06u z`Fo;h#l_))r~*cf(x9a6*>sNWEemH#l`7l4M=t>>lnHu<-F{(1ox65_+hd~Jz9Mg5 zeCZ`p0VS)MugIQy{4Sml^r2`B9+_x0e}wTkBZ`QVpqPH^PdmlkRe5d@E4E@sSChDY zio$>pt1vHA<+NB49GlMd4u4xGEoxK5K&iZIeyP*TZpc7036N~#b!kw1g8F@zO@0}4 z+eXjVfhwUwC}-CWXE-PthD@QdmM&Y#S1>}HSK~~r+I9IMDxW~6fF~3$ zL0ZNXuY 
zW#W`L{lxF*1Szay6pm<~t=o5P+qFj!idU0NnIPpwD4@#4zL?JlJC9ds}?QpbU`Ad|t&RC_^bD zt4$G;UIAN9h7}-S$?`p3O|)X73ScpT&t1Cu@19Fl@kutJ#sfye1-2)F4%H=pP#f@t8a{wkyKR@EtsS zM9dXzc*c(W3d#YaSZv>le>BkT!4c~w`-4yzaIp1bS5+AB6omoHB_yt++tKj*?e*bZ z@BCMLl5&3*n^MJo;dT8{K|Rzu!J6NOic($Zr@&eg)PKI|9CvI3ARt$++_neAqbn61 zDW!$@AR`Qi^XvKyq=OC77)_EWX3Uz?;QPkp_}Q+>!eL5v^&c=8U!UZ?6MtmfxiU_3 z!ju~}ZIP<8BDM@SOQ_f|i@=ty1c-3?zY~2+fgfm`;>ye@M4-{kNEIo@r^mh<7>%7* zr0c%0$=s-wJ7bV%pla#Xy>AU;m&5I<@;SC8pw?l@i(MA(IdP6B5|Kytoj7Is{Sx7n zXL+w!#iDR{MHiuwY#@~ak6)58DJMvI5lZxMJWiRq+SK7T4evlG7kEk%m9S@0){?xk z59CS&Tec@MAJ*&y1F+~K)mJ9U>t6LuvI0S?_(~Th!}3qBWES!2#~CPSCG-kAO1PCq zs|#1I<{7z0ZJoxJj_h|&$rQMif~rWh;Uno5@T|U@6;83YTDyhJ`~yc%;Ge-;E`LI- z5GWC@z=bjJPjYcY1G2-WLN>H|@uip8^|f)6W`Z^3UEt`Gh!S=J^J@HrNq)BW0KZuL zD_h`^Z;a(E8i_8YYPzX^cseTn($9eAhK)*7frfl>idq4>oQ)*Vhs03CGA9t|j#fY4 zvF=2864ys5jjdJ$fA86Nv4o`y1IA{49Q&Ge=r>##(2D)1@?>gC#SX|vS@X+&^sMa zazDWQ;pX{6zC_S|ym-lzf4f(4E4GYBX4@_NeaFQw^jJ}R*pg98BHkFj`6(jK*p{Fb zF=fv_tsnGRa`4oT+Lz)Br^M-(D38KXgF>8s!l%S|7T5|Lr~H#Ctvt0lHFd0kQ+ALt zl{UwwO81XYeh?&Okd&-%`TBJ?*a`@U4|TZjqMNamjA^+K$i-0ITht7XTo#QLK6q?-JQ045ps7-)s@MwSK0)qcrSt!At3 zY1%LDI5V6?BcMv76{5tSh!yh1Uvi}~$ zmZ2IOoi7qWG20HEy0DA;n&Q{dKPV;)^d*vH-s#tFB0O_N29kvo{2z$tq^L#r|k?&chQ*OJA9!oM0rb zpMhAh@#0q&J7ReAE7U@ynBQutB~?LPQL4-dkCU(;y;M*iZLxVGwR|7DXm|)aYo@Yh zbzh7?T@hTn`0Lm_nqfu?U=z$edp{?B&ovo7CIjVLraot0bs3* z+CUzAvt})@WZ0yvSD*eQ1g?o##|%Vf@knz)ls_VdpU`EL6aRX0-+5$6;gpgqFHT8b zdgo=^eouil7!zQ`hK6j*+j5p_2rss!Y7uJl1+a{Rw)3BAyRh)6HK%^Oz}?#TlvuE$ zA4FFq;!|!5drgoM6WR|*X|*O=PDIkiq(npdK`1})gj&`J)(l&rt1$qd4VU`S^3?;8JxK6-=WNCk( zHfChnXuxvPE17sEVA<%^sdGOr*>)ggY{VboO%Nz1wxAXH6*QnqqEu}bD3EG8^{Hml z-|4a7=-CSr%r(&p#g0rpQMBUXDF1CccJ=PtKYjWPb?erb`s$zzZRoI(yd{|&e;>Wd z(6GQ$FWS}Eqz_mT!#=G81`XxAgdQT-N69GA)dZkT-NJLxZ%nyKQ>GEuc=gp+^+jw4 zI1)>hE<0-UH~@=6aNGu?;~vJk6KP$aWnCGqh?PoQXGi-Qo`{v+(LO5?E9<1~7k(RW zt;4Uxsa+#=;-7a@s73cma!haIcV*K<8+X=EPU>d%961IJ9tK*0 z9ndR=jEb0Ghx2OY8Kx+?7K}2kMOJB10zE^-E7PE4Q@K+2}}ozUP5Pyzv?6o1Cok2-J9cK?YnD*>>0eBB$m 
zf85Y2-YcjbgSzK!fQ2dOX@U3y)#x(^Xij>?gwfoJx#UW(T+xcTiobB$y6vIUcRWv^ z7T0&rbt(f8w4z!vb{emQsIbcLBp?V)raaYn60-2Sw(}dz*+>#QtV*Mm7<=NNFwrV) zg;%b|uh0)`Bi0K%Vf`*!5zaAH2-2l{Gptl;&}#A0{ ziF)7^+PZxQt7{M|JUN)?=AHAPr%s<{J3q>zvipNmvuPD72N>#~ef~M?aqtap+Psx( z{&?PvTm5vwTXB7;b-st%(O$N)I$R{4iJ<2dv3l8d{olk}<-Lr}WKb%~D1D;}beyA% z5>YD3D6!_33hFL-2xM9=TfP#a>i|!ob6`ZH}Gu7zhB-m_pby zgfCeVMJl`VhZto5(YEFeJ4AM$nKfsga4S6E&YwvA8I4n*l?hd18IsV`eyL}h-Ts@O z8n{)_E4UT=Mm3$H>`8$ta0-8jIysFkdRxxhfXF-jet!5AE*dd?HBO;n&^8*RG)~c( zqM&@?6e1u{<;5wb{j}-+1VAbQp-}0jlD9#CD^etZJ3DvpOilAk#9Z&kcF*SHaBN^! z0$^#h;=nIpC6`_)z|vNS7$Ht>C4ePprFpkZ8_lf*s(59N#XAE%J6<`_YRlf3&~Xv} zGb%=fXmRfKiBbV6Rsn-eFezp}DHgZ^dv8#)o%j^yS?87Ne2<7sBO;HVJ1^@EK`TwH zByNRd@rQ_s2P5@j>%0O<3ruxFQR_Es#s!3VTsSyb7D=H@*cuP-Q1Q?b&-~>tP8B3) zP=g&ica!y`RO&`p=zn@1ah5yRKg#p*pV-p4fVjA?3p&rU$P|_bk`k2X%Fg9K78Td; zZCAwV@>uIaf2G4&5sW^kINqT=@k%~66FT2{@n88FYafY!?cj zJa~hmPDrj0C}gw6ESw$+sz~2Os9{*RLD)^c{lZ4G*PT6o!A$mpQh`&hPCpZ*1gFxD zOeKJnw%)~_*Ul&#jna%jt6WnL8yqSDo=jzK>Uk#+*ip$h2I2Nk+vXGR+_21c=jKCk zte@9_EqcR_T)G2wm-=!ECdIHA#01Q811yzp5jedPi^v98XU_e&Y{$WGW^DZ1kZn(m zI;fThVtuh%3hy7mDHW4qMb(Cshycg9oNmA{mLzHpPOL!1gBTU3-D_ zbpknHxhN^nYze{KU_f0e1mgZuJKB4;vO3=@zSPoDYS?;-l`6ILo^|-QgjUv$zdzpp zy0O_uZtF-1>qJeJI)a~*GD=V?0Q$~G1=fx~@*gHnn)2$a$#`Un;Zth3TlZcd2oxK+ z#?pfwQ>K-v;`oL56QBTyhCuD!yAPjU|A9mD6-Z*^=^{mfS6KIpNUf@R6z^}E?NIHGK;8UVG^05DjH}7u>z|4Y*dD2lc~xRf&;MgidP0il%2eO z(WYGhH1?Q@Q=k>5taIg*jZ6uj(nhk_%m$fK9zUAc*wQ&pCZ)+#QaI%^WkTbWp^D={ zN^5L6(E8k_=k4$WG&m3{KvcpC4WtEfHRnCVpGk~d=CkMrlmq?vu7IWc&B?O@1T0~} zjG(6}sL~9}4Xxr`!5Xk+<_NbkoqCVox5Yfl3_e6{Qj_u+6$hC_w@kCKBSPCu3dGll4O`WX(&L)h+@^D%1f*cW_x_#-{^n+ z6u%hO`Vn0rxR3!c#ujHvr+sZoMQ|0Hg=9ehd&sP(5h35@qhcY0g%9KsnGv>=* zkkXE%Oi*P4%aA^&>=LulHnQgL!kQ5xromc|OSx#V;=X?RgAYEGz$jT6BAZD%8_gdI z7AMiBZWFMEs)<%sn;D|HWPJ$BtqKc$trBK7N3(W#d^k z%+fqp21^DmF<=EmuYCCfwKGtMt}rhT9XVQW^2%q1veccuJ2$DBjOhh$VqFG~KH!P0 z2_Q)lCmKzBs?!RU{s+TC1UT7j8c9U)IYm--34j~CEAz0m=Pq8>XeG`-9k)W<_(SeQ z00R-#2^5Tm@h1#XJu)(zTK($4&o>SYc#xhqj;Q48)C(v5%E`5!*2yAxhd( 
zh})NM@cF<09nFcgFPP{;tbV>`-CF2b5lqCYmx@@C3V6J-b-0k$_MUB?lEE@;H~9;{ zjZ^z4nu&j5Di5E{KA==YsjiH(t`nu&X6tZyOIjTR8WdF6+%@d!r+-J8;*4K>@zz^! zi<{Ta6TSS(KdC27HCiY$s|m>G#MEbq-7{M}zseM)>IiC<$|SgsDGTYm{&jc7yVP07J+rcm!-=Ng}yW zDpsASlWWvly!w(QrBbA}JlAV=wQ1`YY}p3@#q%joM!NX@#L6|3C^Sxi=_w;qqTgJZ zlozB3ngothsRbz~BKSg()Syz}-*x?U+fCX53(QRlv)lkH-YcllKLu#TI3@-xJH0|W zkS1Z-;FL61dSyea6DLnjn!l{Zv~?xNt<5?l{Dc0>U+B8%&z%-~icWZNiX;k{RP*U7 zg9wiS$b}~XN(GH#o_AQRaw@RU$P7dTKss_T2JcX>L-%GGwsz~`lMo#7qHAvDj9a;? zrc|D!F6h2}2gtRffRaZhtIdWrs2XPi(IY zFv(+n@WDrY`ws#{=w!lDpM3h6|HsFENcZNOHEY$O+gT;IadWg9>(ggg%nJm#{VeOc zC>wYWX#%Zsh}MoZ!r{spK19`EC)$;L+~!?JPm3GSMyxOkg;)uHI zHx*9unJ~sa_1;XsrIgOb#fn%_RuoH{i*s+(ow#}H7Cu1zTVzWO8$Qxk1t)C#?;AB? zzbcd=*heW{%A%smN|h?()N;iACrzFPo-(owpNqD91hHDFbU1qitIa_mR$9=hwc*%If%3Tr6v;GJ5%7ZtEzUeSBk`X{`27q~_t3v8pody{*<`)$`6j^e{sM zUQm6J{;X29`ak~h4_QsX8U*4{yh3f7HEa2=S6}nRWc3hy^zkS7he?T9xQKDzi%gw9 zqXMk1#tBG)LvO;QDX;z8zPlxRqA}1k{EDKGDfHsJ`P7`@*SRbHm>wQFrCfiSPsLLz zddGuPhfkj?I8hapR<3&jRd6Nb5ozTB2OzLT$}T<=FpCsH+#sX~N|V5Jd~A9vLFzyE zjjA|$*@itaCr`$fnUuP6||WGVrqn9}r#AQZ36aZghk%mk@GJbr;ARDkegQ}Q+x zuz`gyFk-9mC)!+p*LH8bHE-VbTnXUi7q*flSvH0Ra(OXJB?_8=#b}!TKrd$50gH*j z^w4M}ov7`wQvnOBjUx3`(POl4Vgr^>o#?tISu(D_d3Z~JMF$WLvUkDmbKeOF% zCCU&j`rLER>7SN^m;UjOp1sv(!AvkdM%sY=DcJY+-Y%uXagL$S(duWKC=HLEKje*A z#b)|B=5=ef?b^Stx7L34Pc)0D7xEqnwglK97FA1-UDbf2)wn>mb(tdH6R zV9B;(q@xp?p!YZrKcz6ph>>GRGAEJYzRoCvUi{U3?JTLa%{K<>$U<+9$#LS1GV0c2XFlBQDUI_=#2JL*I z|GICctX&xuUw$@loT4|R2~_#Vsl;Kac#og9MzIymQ4d$rVkSHs|w^>o;(HY**X;tGACXtK{vgQ#`va_B2uf3ws#~setcV2jiEc zy587-_arbHr`A$sNx0#|B>u6MiY@6WPeJ0}80F`@8|71Mm-j_yf$2`9tIj?Z;1J5Sr{;e?7$qPMktyG*sDe>hOuvS;ubv-G~E<2!)vA@Pe@CA$ zkTMm%6A}C)$baR3Z8vG&e?Wj`_y(oNbO-7#^^aDJOJcxE;8u*I&}2l3h8mp?3#fzp(BI`NV#&A-y_d%x zIdS~#g@dPm+;;TL{HPtB7DQDWzv9y#bDnQM*W)u>jSC|C=%|=eX9cR9XeBHL!A!AG z`}rdNy6ro6V}a`cht}IKyzm09By<$jmgqNX$)cc0*~Q0;u454v)pb~7#c|Yz&3pjI zJ!_z-8TkD3?n!qae)thT#3E1}kBkM~%LREZG}w`&N4s?Gu76q|lq+8WG{k?!fTAP; zZu_%5j{9ohnIobhd`jb#$dLr6wBIjeO0;K<$$kY@B;_hga+QK7$P{T&pcQYiGeIkS 
z^~9Z<&&1UHQ{Si;hHm}$=v^OA*i~Tc`iAqi3|+o4GJ406BS-0B)Pm>-(G@nopV+{n zVd!(3XddZ}z(LB3P>INt4d)@^MzCn{`Ac==IF zNbr`pm8%;NsT4CZb@FZhHUiEzL+obNta+V4Oc5d@eBicuAx8H)))9VZqt0Ax%R>LR zdVS3=u) zbtYN}TKVEu&E|OatjDo{*#=bg+3@M`^*awA*EN})Xhpb(9BlqDO)p)#q{?{WSBGPG z+<@W z#JRy&Zr-x5HICP4_jV{384)X0yrQEbR%m+_vGS$@#%8c$Ubo%PujFmq{1-0Z+wH%_w&B(GpPa$r%p}L{fD$8~1p{i>sEL{A z?%FxH^~jXy?b*GTZ>^13$F{=k`%LQKKmYl!w(UDHzMz$aIOi=`jI=Up?0CThw%tQ& z-pX?^b3BsqGcqDRbFuN_amo{-LaYjm-|+OvSS6L@PC%w`=+QXvw5NNn{Yy_uOm9>8 zMUEedf8ZCCs`-pp+D^k;B2Da4UpNI?VcANs+u`?9I3<*duAn8KPbr+TIsFoQ{1TBV z41TfvH4$*)lvc=EOS^)Uf3@#K3O{hehA*jaey;Dl8P52+e^GO1KqJC1?dy@#nDt z$VU#4;*vG4o}eSp?}Dk**9#i?A@ zk>YBrUlpZl@2&VZ!&9EZjZV7vMWAQV^YkbEkD)>U3tNS>_R?j_v6Z}YEX*?i)@Prm zuUWHpgNBXXemg!fo)2)I@uGyInh$g4v+)ON87+-P7U(?%@Hsy?h1A63lt-4%U%Fgp zZuB3A5SH5X`<@Zc^ay`_V8mx5*5?|(>Fddn9T#p~xOva6eFs);-u~>cohlU&s3O;b zI5IxK)^iIDUYvkap7m2=rV5!tA^71_+V98nOQR=J22x^{+sKqRETuq7JELqKza$Y# z!;`7HeW`aF7C2GE7ZMTFPTS_|hn%-$yJugIrXOE-h!e9CNR~HOP+J0~OVAd>Vwl9J zNJGF9%g6I-Pqffz#mr=W3bzu#(r5){MeaTP?7%Hgkzb@TTBBd?w`OnbVOCI*$BS2= zhFSosY-oiiP|!-al`C4I(&Y~`l0OmE0AxBDAK|jZ$~SJ>%rYEG_I2pk1#Ke@%@b0z zxGnyU6;0rYr8;049|L`u1_m`Ons*uIda*u(fGOl{O8?z z^&66`&h^1cN-_9@DhdtV-C|vXSdCEyh}1q-9%6+vO%tn_&#e7E>$;ow`HLM}d;d4? 
zz-vY&rTo^>GAc@Srn&Val!~o>WnZdO$r#Jze3ZFF9uJe0nNJV1c?V`e&t83t6)*AE zzde_-et?~+DY0+~<3(fsGrN*=Q%QW5d**`t0kt9*uBjA6;8K_gbxpB*(c zV)yKAhoWLn#vD6MevXpK8#ieD%bqn=r>s*(rb?gi&?{2b+bygyaTQSIpHGQ$0Pe-U z<<;x-!}Lw$_Y<7r)lWvc2~_}AVt-&V=#@wl zuUI}_v{Lkn`6l$r#;r`WvUvij?3a$M*;H-7ZBO^#(rfN&L_nZQ&`LzZ)eUIpR&H)U zq!QT_Aw^n~kmuz8H*}6pSg~^Tcn_IE+pzagXo-?IcAoy-?@X;lktMSABp3nbq8K24 zKk3QM(cAn$6-#{u*Z44lh+FULs@4AKD89rxuNpOLk$}O6x&E59k$M|hT%|sr?BQuu zbckxMYJ=eJY8OHxR!7TPWGTo#RuHS0H>_>HqBT}l?7!k-j7myJf~^x(tkd=5y@2ky(FsFg*G08cM8Vz;C)exc--Hy*M z1&CAlD9)Vu;lzoP$`HJxLc`+9ka#gNsBsF}q^&z}?4{w`;xhwr53+c_g z`T%CTJOwkWsgo?*0Xe>=~z{CX<2uOJmD!ww3XhjpDu=C?V${S}99jiHl*1%dV zyDDu?YTa(r`6ezn;lm#WZQM)=lr(5Qkj{BC=B;vUK8Sw0BwOn0C!%<{{y5&$cu z{y;Ttw5h{%lBuNuOQRL@kO?W~6R(0+nqI|w0?%JKc=CrFc8Ub1rh^Q zaZ3}ed~qugC?QtyoTKi9YuTy|8Guf8M6C(g+7)%gdMiFp*Qws~ zlt3r7&lgk?wP({Jz6Ay2TkK2ath@x73N2Yube()sO7Y0(;HC7b!sI`0uTmKZmq#f* zf3}0t`6sGbM~Z3pS{$ynSo<b*8EHV^_6I3`%ul zo@){HB>Ewx|IGwoJ|hUIGBy(-fK{jNcOQQAQGkGj4b!jxAO?=$rpyW^d`j=d<$K_i zK$SB@WxD>9GyUE@q)Eg|vY0efIdKXJr5JVfIa{9|5vvwY5z^|o^p71EPmbI!IK?a7 zBJLEY-!BlHGN8(3d2b*%Wg}Bh2&YUPZt8YZ?b|@X9i9R}C06x68L=9*;r1T2qB&=sv1CSMFI1@ubLDqi1u9LxUEN*vTCR0&!gJM}~83>IJP z{?mX>-IhkNjB0=50tpafa;^h!xCEQBH)@?hWtd*6lle?QXB3iUbT64&ym|^|b`lU6Hf^^X028?{drqh?WLr{&LgUbtfCK~1UriU;=t zSV_>U!~rZB8mBYR<_`=It(>c_9B37gClH*HhQp!ue6_UjyZ`e-H{C!gV>=v?co8_uhAY zkuyLQS?+w7N=nEt%Wdk`tN+J8{fYl#4Nlwk9i`e5sq7>|v+#${Fd`s6m*uXKxNrGy z6|su)6tEp-o$sR}R@7Ni1#F9YeSkUQVn4JFCqSg@t^P76yem@&diKtc@xALix2i5A}E-T;cvwXw;BO==1 z6sD;(EL9*l5Wk-vkfMJaAf=W~iSCjRyu>(6kP_9$s|!fEdHj+@s3hS@t9m;y0Sbw+ z$rW_gM{Rtf&H1CYyHalr{L+tO!WQ_YkxO?-axu%6C@2ie4X`ja68wR#xfWu&@G6!J zQ$^gx8n9$uiF!t4NaB#76;NfOl{0Q7CZ7;13|gd2%tBPO zYwkKiD#Qx06^uwjg}|k_I6A6R=Wb5Dl%AARmiXTt(Ri+t#f#8&@>(2>Q5~315 zg?Iv0Nb9Zx2VWntRV}~j8lG{`ie0e^sx+Sx*B>|~Q040P!vlc!;PJIS@s&iOHIgTZ zA|ZnUv_gY9amq}e5KU-fQhJ?~E0c2SUagk3qUJ#J4z1NqRj-Z>gmNN6zzOSie>h;}zSzS=V?irf8Z2%=K`RjuaX#4GfWoa%&ivWXO8oG$%<7kM1M+BN z#!g`W2%9=$V-DgM*w|9i&9-?C!<%gGfaR9Ivr 
zYD#rDRE5=~k`k1PN=i58s9otF2Sz6o>GiaH13=(<#Sg~Nuw&4z<=|vjehX<)r0#&ZAKO0VIs6t@7EZzEhiZ68y4<56Y63I54a-~!{FJ0r5 zhANFy^q%iLiiBlT{`r(x>AWU_Di5C$ZK;DP!l!h!#TQO#kTNy4R^y4(yMa(ZfDIR% z2oeY?MXuZ6zXfs;=TCFSc6+`sOFyZ8eBB`$$DLiLd)0Ia`avs`TLl)nQcy)RiB)2> zlH?qfXyG5Ng!^MzX{eI86$aSK=sn|?tc}lZ^`ey@H=v-En0!gP0Rb#uXqARKK`ur1 z^2+cvnKEV3K%);@wrYz;Vod2J;20euU*Uj0Y0;{+{-o{Top=5-&9e`zz#J+3*aHNl zP;Tfz1epsW?3{-->dPkk(a`OxfbCpWX9;3;wv%<*voi=)^)#`HNgsFMzv%;Hw?|b+ zT}P?NQ6!*tnqBEzs7gv?Fe*w#aax!CKIj~(iyUMhwPVMbX&5%dFjL-L0rxM9Dlj2P zXm8%K_5b|OpUuIAeY329SuuCsLLtQ$E~I5yTAmI*#UIv-`28e1T}(LTdGP!RpGukQ z50Da1$mRn_KODFHsh;aAPFTb4C))KVASHYX4IsfO_@)P^T$0jta7w&4f>UBA3!l;% z>EiVBPo_lO2}1E|rums5W%Kws)vVUQqLa0X)=JwKJekVhL|bDVJgUQIO&x(Gn@e|VbIzcXwoa0Dl%=5ECDPe-_sJ(0@0iX zw_-LXWU$+~l{m4P)yJs5!k)pN>{cOG{<#%U6%bl^vjKmxpcSY{xT<=Mnom9Tw5gOh ze&;{$Vn0Kya0<~yl#3#C&gVflQU^cy@I%|@_1o_}+Kd%ae2a#yPK7D3N#1fm*_wcI zCz8~zkFI+Q*bed3S!$_J;3&(13uqRjvesi>()acYAHeA>5-JiXRfu)GiYG^%Wxsu` zE2C5%gDGQS=OREf_VoJta^pj0}QLd-~wQ^@R@AI>#izy{yZO=d>m-!|h@^s_*f z6Q_7)o?B)zCIn6MDS;}KjP~cCe>6^+@hMSRyz2Ors5PzS63CRnq|lA7WXgt9DFZ2A z2!;N)0fZArQiDnXe%JYOpO?23O=7tg z+KjvlIu?;f>vGS8<>&!=0}X@Ooci02zrx*UPo1UFo-G$USf?9U$EzkJR~*U}7yFqN z^H0}XebOhb$fx2Cz7ZE=)KNcD);dvBh1Je=@g!7CQaS2Bop<&I6-^Ma*WXCTK4R>5 zi93!g6f9wgss|#@;5bdoZcKa!*RJ0HBJuT^UBu#rrp;Rt#-dK6@MUl_4QC^l;)(bZ zN+qmHY&KYx1am<~4OP%gKiL#E*B?@eY?@Go*zP+J`>$Rr`Yhcflu88L#3_L)51&FO z#8WE&IHjS=iBnof8SyE54T=Pil1wuLs?5lg)|@ttsx@uWWXkL4^952iEU0jxrp+xE155{ej-NRYIbLCRYB@ zN{k;(taRK;po&+|oJ@pPPER0nTc9c)t-NKIL>x@CGNDQnEAgv4gI40-5U6sx0g+J}s7k_2q(ijt(D~KZUZaGC^TV9syih7O zQDPJjYP1=*t#2{SZ{B)z#kxV(`ef_kAhkw`to0M$dWcmn;W8ja+<|n~N!R;*vL~&> ze~mlvfss&A*i%Qno?7-xj{4=1Do6eHIxEh;*qL5pQ_HU1ddU4@6_7beX`}uFhhPIx zcox49_84v{NRHR^;mzNK0O6&wGo1tqzyIpOb#`zJx~Qs z2~@cjrm(sGbbJcex|y1;v;GK9nei!HA6S*Dc}vlbTpTekVzcB?i0e;;Ju#nBI3@al zDJ^75^C`c6zl0j=7YJ6J_aKY-=m6DY=#Oh^w}CGrGn zw8H3ON^4IbP^HmIeBj~<6o-SPSO~X5e1IyARtQ%Lf>z4tOzUhw6b?ND620+8I#=Bd zy`ugb#nNAT=_UV5M6+klIcD5Mv>E%|V+@=)aT0c*aq5X2#NAg8v}@DUa^MTSt#chb 
zS?iUoLwa}M>~RO)WkW;PM|+|t$v;#H6$f*AKr^>>q?D(QdJ|8M`asWazjLko2b>8N zC~c;9{``q{7Q<{H`z24Fyigk~heeB*;TS{^(3wB{aF+Z%>>R$BCY^ls+I6CeEO}#d zM#_n#OZO&OoxS2WPh5_2Mp&51Y4TfKM4^-erviymX{eGVA>5KAGGQP3as7$kUL^PA zsZ+6s;qeEl`p@a1RZRCKUbVGp~^p*@*kNJoJxX5`Q=ciZZ~zli3l$6 z*bOQ=h30i4xC6iy=fWDv#@ktV`#JQokl@YW;W@*|7nC4K$ z1-a+Qbx|afKl98pDc0Waz5hPD_<>W}K_q)8rIkW+zYfV2tVm)x@Rjk3SgEY_rq+q- z3Kw*8MeOI+f!9*}Tq*ma_0&^w2VS=hW)*U09S%|n6{pzkm#wLKT9-XJ>bI9$k6aQe zmc7cKXLtmQvs%?+x&h)sYG~P`IOD?r}>mnDi25z zqOupG5Rmfv{Sxsh8<{de3S$Fp=ATT7V&v7-maa@nJGBzBCOjaeIfYi*rY6@K-qied zY;pjThN0DKBH27BeA&Dm;ggT7AAc-r+^!YFx6W#}XI}g88GYBRUb|*ZBrX{l3dI(hrk3Z(dV8ZP689Dxw!dVUpU2_ z_Z6Z-Qh3bdLY2++hvb?#1^BwT{u2Ctf>Wr70Qi&(PJvdQB#MOKl*BR;aEjoRH!>w| zC0>P3iApq;WI#COU{YF9Yn)0Nq!J^P4K;WR?krg}KYaFp!<%PaJ-hebjWZAKTzq){ z#>0EpZ(cfaYVWEudsiIXFzrCZ#ORe1w}wxN3}3uv)hdbuIGcY6bN+OIn5CalKQ#xs zD+IIr1C}sW-RI^&aI68#bOyq(G+>$ZN}PcFBW&@ZVDFo}S0&?6_nKPcXsQP>paH0)m=FwTcl!3O!5H zQ+QFw*KANFK7>GUN}$TW>rbarxZ;!vRjxRN1`w+?IXH!$u@|GznSM?_l>k+a4G_U8 zCrF_iMQ6Ht{A^?j4J@iyYi6ykwE{PpNFpX>fRqg;Y?!iS=CD)yR^7Srd3+Nglq<>A)#=@u1t9e;G%m8;hPebVi0 zw?d$>P~qSV88cFjo{bT8(2x{C_$;;SW%CqF4#!nfb%I-h>7&U{oIHu@X8yBaAyrp2 zzRbn>)2=@gr{XD8NyDl^cQXyM-z=!;u1U6D`;S_!uj1B^+o-GJf=G*c{uTLqX9 zs8cMI6VTxXG|>vT41WSu!mSLsPwgQ(0fF5Ty?xHS1-*LrOP?X*U;p}7TT(h2k_bEJ z*>R7O>?lIG%or(%k67WzVjTdn-?^y?v z*h$ca4k>}0Rg56d}`-%mV3W_(H_@&Z+wOkt>-$}nj%gomKmoHlaVA+~0cxkkf0~51S z4_JXPEEBC56g@^luY_CiYNuCTv=XQidgVncf85Ge&O$OyooK~e^+Ht=Xoacf3#tGt z5g+781WF=S;s%t^u=W8up-OVsAy(QAh){!5{2}aVr8nd{C?i(xv;31vq}b}c`}VI@ zr(VghQUwYI<;0j0M)wVgWCI-PbJTv{8nvD594F=;%ii>Sm9dq4>UkL zZ8ai*tq(u?c*?YyKvLxT4P;kR1)ct9ca?#IhRXS!yOrM+Wy{>Kb&UBIm-7#2F|p1v z_xyj-{MHjX7Cyx^7Mv2Ol6mfjQXwhY_2(a_B%8vI>rYcEVO0jDLfGS%`U+0*YKEwA zgwixr>3lz84K#7)_`)fnRDN(uLzUKn0#dyC2! 
zXPtF-lXY*Kb$>SrtB>v;xcwMmI+uK>&FR% zVd-8HdX-$X(!(SNrYF!BT4AdQR2keV9<9U~C=`6{6rd#Fk3Fn2tyOI3XnAA5#Vn5xBy72Eqb+Ip z*81VKxR`eniYcjtim%k#WVjxTPbE~$RKc}47dIN#PD{6nRo~VBo^GelWlo|w=gwbP zGOTp-=B)+~9l_`z*QA$Y;qw93WD)Q}^P6MAF$U9?t=rZ{MxiHV4KM4bFfDAK479^j z_qn8T>cIoW;}UO2W#W`jDiI|tKoKr%LRlvgI8GtUzW5ZK=>;jf-%q>#JUEqzPl+=} z$EU>aC$_YWPua+n6Qt078lk``@j)eW`nfSFRIaFB8RSyKLS=z(8y~Mh+ z(!yE676$jCt@}Hz`}?d12Y486Pb@%qwV|&*gjh;PY;(+BV!rAhbQg7}pDcYsM%X}RD zj0v#ijb~|sDIMjCS+4#-r!&wOy%MJEn#V3v!a%EdPoS7Oyn3@Nm|dz)AWf_zl(Q49 zn5axwgImQX1j_VI0)v*iR(IJ`xq?JH((Tw5 z>acgeMOD4_eJjRZlp_s6N-jlWyp`bn^CVQ9sG(BmsZvPMKa%QiEwmmSbv`h*2m40l z%$3`AOaJ%63$peWabPww>*({2ow|^+jz9MG*I$S8Hg3|K&n#ZL0(Ast@i8nYunCtP zm*uyxK+uyFD^+G$mgkep`6P)n3^66bn3>En`K0s4p2Qg&RM}mB0c=Mlem|hf7fvB} zzCu*m^`~*lm+Q~z_jB+mg;SDB;fqh%amt$>h6dA4KVLYdp~?lPy!Fq82$*516oZs# z`{*?ttlLYiJK-Lv+TekzU0$doXw70elg1rU?mr= z=u+w1c);>xT!^XQL@SeCna)6sRyrrpnP?G+Cs3mmGf>dV<_6R{8J~csB~%DRX$V>| z^MzaK+;!I!ivZn#uGxSlR5{V=NhlMD92tt3=!i3_&ur*7HtpiSa43PIPvX~8a?OXQ z6bf9Kpb&w|MJl<1$`vfI^6s}7o8H>@#1~k_#k^{4_*=lUoQnFiEmisVOG8yDc+AnC zUBY?ffsUUz`Q?{iu|ZW>sWMP15+|^!7=_DMu8@~*TUPLgKmPH>7hn9U^4B9rk0Yxb z4H;j7VOC-6y@W${Voyc*LV&O%#!_595n*Z1w% zf*IrM1A(6hrv$3F8h_&YV^-rjka_M2Qu)lL&`~N^N+o^_8%{x2&Fpk1RQU~2sj8u3 z$2xFI<@@=-DHWo^W)_^{6;r|H_e&K{8GK4WN|Pzrfk2h8hCs-aR`2-PmMmMgcT-yr zRN?)LR7)!EZBcfhascjs{NV7V6AQ<7{^IOD;7k##$9LAo{iL7@Z{GQn`>$R&x@pz0 z1+%-x?wWq`@b;g7x=*;uPsGZDaSv`?K63H+_VJ_oQ1?=r6R=zeS7OXEorL;{G{e&L zii3E}@=LFzS6%&qPP9UZOkxFWxuO-ui2^Kd+{)DxD6Cw}9;YWz6DwD=LW~h)nt!w+ zxgy2+6=uZB1**Kn%5(#Ym}3cx;0LZKe0_53hP5}YC(0j_EAtcl7OoiR9)Ca>Z`1I1 zecey8&;NX1$s??Kn>}v-t53AZl6Bw}3-6!K{loiryo$&B zC(EfutEBpSTb++aS2MdBe&1LZG7`Xg_St89^y~vvtyvq1!sIhVK5_RI4i0gG8ef5G z<;j`sHVj)>L2H_W1u3TZb zZH~d)w{Eso2Oq(2~=Z{P|KuUYAOoRfb z;z7!r+9$eNt8NaoKG#Z~sWo^0+~a!&cwmTFm9!Psoiz%x?h>)ucl*lbqucx3`*Dm7 zssNpz9^5%|aKrI^i_RTeuzz>>y?g!wRVL56bM@$rOUK6yX}@fF__7rVO(U0iV4_$e z!etht~clm|WqZ zRGAW>ilP}XJC;*XpOBqOu1->gHK<$Y_+ykeZr;KoDI29C4|DAJNq`QEtx%rm)pI|d 
zrxY+{gvrvZ{!LBiUSnK=Dop9pr7KXd5LG5fk6FBAIixI0)@-(m^A?iz=38%(2H&nj zCo&9KaX{tp(*l z6PQ2YQ$ne1P~|a>;uri1RGA6tu25xW{Yj>i@F~nlAybm|=WzWcf+{ag1r(z4<@ejL ze%+WMeP>ObxGpjRFM7O!@~ofII3<3+l;IT0QxvHgnQ~=PS~F{1t+ltPbTfwmsJe1$ znv$cN3)RjA-k6kHXn#8rLo4pyzRPEpUp_w8300uaqlZMFPF?Ib_U9zYqa7mtD&b) z95ZTQudUJB04yVJl?biOpq0d}G+L!BXceFv5WsQ+7%@WwU=IJU;Md0#30z6$urm>RM;pdc1!ur<$hnsT_Z(ZsJO# z#*A~`1PiIyL7s#bh!1;yF-6g$G<*n4maT+sjT}7|tZ{x(pP{^P{RWLl6eL7N?W}+P z^Is;n(jVjC%{SkwTdzK!1l?H8y=U)!eh7xe?de-?->_PpGMN|jD7vU;(I%BLW&iZG z92q|z)U(s^!!hLk;LBqw>JQrvWR|8CPU$EW(qyJm*j#_&lNX%Qem|U|K$VwIVR`yn z>MNlEQ4UZllTX1_g*|zBlXCBXN?W!>FPb}Z-pr}rR4n!Hm!JRQ{eKtA{9%!7A4@Bq z>(eSlv(uV+pDxGBO$F&YOE;|0wI~Xyu?lni8N2cON8+M2l$a-o86mH(xt5CGO^; z$9FcwJ-Tf}qWd?_JbGY1Y5R=r?VW3jY`O6) z=>!{Q#RC=$)Z-PD{^Zrku(V5%yt4JmS^&;AP=SLX8#8nO!$<4fysnI_yngppF^0Qx za8`z1PlKS$AEbZpwU_?>*WMkPEtoxX!JL_ds%bm1YIg13C_WLe1M z^b)K1LKfl{NYV|6IEWh%8NsMCgI3~27pM}n60=Z<72GO7Hz0t8Au7ZQs7gR9A6i0` z1LiBrWM}lowvFp${P4{JncwVEEBo@^#b$L0u3jS3yeVUBisiTZ_U=Ztz*ef)ss&bc z)$&_o2dkf1V72FoM69fX|BQ?II034T6j$EAQw>#p+6(=xE8|qw$AegB$1*fn=0SxD zo4}!upZUvQzW5?@?K<`P_8SQC311z-o-C5t!c0c)>eX+cKkVz^A1}Y$s!cnfjVes+ znMm@+-~ax9t{;B!rI(sEYr!X3uz(1l#<@Lx&%3rnRV|*qRkfV+dlcO~v}Dxa5(~N) zZC5QzwPK%CE1j!tXqIx2E) z#OhURSBKM9EL*x{@uJbg1~so+txQPX>SYVmEFV-kG<(^CpO(z`QR#vohvomUV(_P5 zg?v&V%Uj=nm8H!$*}K%r(dWBdee37y`fc{+UuA4oF=LYo85)(((4buU@5-jHQ~L92 z#XqT9{L?DMJ}q6~!_oylDpTOoa)rP6rflKws#j>&ywUJM{bo&_ynNYG6r%}J=u)j$ zO^=^u4Wg56AZ5}ht=L7?FIl=gD!i+8wU2dmq*?%&2&zD<<(~BQZE^Sa-?$KY?exUQ zch<-Ke zPA%(Ku2k%c+F_seteazT&!SO7N^BThVtS|GdS7O#Q@+UctC#h6f7=HSjws)Ss$Sbq zVT3BORMk3CG66wAlh`LxXx)lU7k40|_lI(;gbKAgRSWA}SL@OcwdU*AQtKy|ZF9*O zC;9xj=MwD?Wy29Xb+5eg3I&&%wP=Muki>Q3P;jg5J9iZ-T*UTa=iBH1{`W53dH_I( zKlOy6X&pLsp=7%AlPouG-KIUCM7jm4a5w8Ifn7APON%dqGB&7~d2E|P%X$^vI=tle zkzt#Mg{>VBI;m~J9(8lIsFtHqm3%eI7pPIOShb3!I<;>zY3!(om5cZ9jPBCB-Un~L z5mqE;)$*a8TQyoVbHeVeo6r4l+Jq{62uyhXnEa`XQUwTAdv@>K5V>~YtSM8+j_BOB zS%+3lE0qbYP^#FMVIdVu7OYsZK*bUTz6#4%sbsE-p*f^gE0eonm4bE3=lr_(=Y_Jp 
zS*hs9UFzkP*1J)`zD-t^Ziou_>te#_V^B{U`R_7widl!xDUwq?`(9Oe2ZW&&3 z%dnDw{>C9C*AFTYF(5R&Z}BC)iq7d$WPGcFgB$1VRy${#>e(Aq$Xq7qli=K+g%-@& zxYpNWhYt)7Uk##a#oP_56s%A@yPkfPOXaChA|KPzGc$wAmMBu8RMF~R zmF?W78Ex*g2}|eC+7P*B-`>4mZk4>C751KgVr9AkeL)rSd-C{^jcZoSnmDp;<2sef z6fKndi%g%qJEBkLU0bkP7mgl2sM+`RDwhkbULm+v#R840=4(?kSHA{%W^^nZF)%cG zc-W3nVRYTX?ja*u7OGP=bJb!w7EB-K$8V$6)NkY9(PiaSCn`j`9R>H!w6sptQq^k{ ziY$E*7n{zhqEmn7aqK%rDRp+I`cma};Qdp@l-QkWx-v)OTuLJn6$+$2t-iy*|KI;r zukkG_s#xqcY{Y0X`t*Ov!86bNrQ%nW%9pSB(MKOs)t1oJhaY{!@+$xcR}~f)PAbAu zt=qP@eUZ0szx~eekz@GemaW_QB#tuM+&FpcaFgm~Di+S%xN`PB-xomrF76o;H7In) z$go|bO6?w9YRAY@;r)tF>l8eqb)mt{3w5iPr{0$tOBZ;*V3s%YWPCGE`ge-ve7|Xx z?3@hA^-jSoZ)f@VjiBtG)UF&hq*sT9GbgQGvH1A0qo+@u{Nc=Lw%ECNfsIQq;D@|? z`SR6k>`!vtbp46!BO0-bddiiRV%GR=au3q04J&I09ykTY=QW?1L;HBo-w646Fs!#x&g(P_YRrUC3t+>LVdr__jS>a z^JI7jvb>kfXxjkfaQ!>A&Kgby-HP8rt{~hDsblXiQ~ui?b#Wza>joC5-$t|y0?liNWvU#Kt#jj=S1(`uZNN|#*LzDqGzCx6{1Py0!1+xC7K~lHI9tS>pXW-AI+sy*R+TJJmkt z6TnkQ_sWqYmlHMopLyYh7a&<=tvkyLH*e7ztf3Kg!fjZ!+BcvQZx=3Jic<>!!UM4H zK#bnK(fpxOrOWb3>fg#TVUm7q_Y7g*xh3kmibX30XQ^8@Yp1$-`!@~3?3vQOF!s-y ze#JHpF0pMy*v?UOJX3c>|1kAEs`cwN zs9UWmgP8c_FylNwd4Z$rVtxfYr)yfyIQ!$8EH7rM^kk6}!rmr6QdEGJ@YnMvj zw9*%?t7hq5H`l<%`KERXrp@XaGPgScxMIuu6kk0cbp7BGkR4PIc;VVmN<1J9G}$<$ z#Ej0to$KbQT_#h5idlL#EFe0^eC_sK{s!f9)hUysO^v+W>nlULUz4E0%~ZdQZ(Dd; z$0BpP1~2Ln0&+ztPoW5q|G6Vbd zUbbwxCQ~Mp(%Lv4r+m;Tpi1j`H2=(5GgdFGvn#Sy)XJ9kFAR^nKI8uRDVGlpI={Ei z#r^$no)~-Q?39O>=Rdv`{^0t?t0%`kzP&2${=vAPuEZJTY6CzRbzi34Vl5jhJ?%a-TT7F$N_{+kd;hr7VEI(re zY1%Y|>0Oe!EfYg#0)w?>7=EhIwf&00trm6*nbWxl@Pr{Zyk*d!W@@+@^se9KZ(J!S zlfQALT&_6Pp?2=?zsgqk%PhSc=EJp)_%I1&rpZijosFJfN6<>F?jMSv&F@~6$vmTT z2orls$KbvV^LDSBvsIPM^~+^o{(l>mzD5aTA$_HypI0xPyS7J0s#GY|scp;ty}F6` zj2St6!uYW?C0P^3jTrg9S-^K+eb_fP=xlasQ1dUnEL-C9p z;OJZ3Pazb>z_1po)7sX|U87`{uS2r6tX<*g!TmN}^qYTs|Df6$nAngiw2lw3k*Cml zsMj^;$pcL5LhEs{uUavmdw(Kdd?|I-cBx`YgH)ym`BZMZQ?ZZPgo%^E9TP7CKh||? 
z^;gop`4$KT+>lZTd(tIGI3v~9!6{tFqz4oU4$sU9x{x3WUcvq^G{H%AQ{F6HrM#F3vqR>aKzjZ_ycR~|5(1;*6$=!0EwvGGY zD>!h5l|Vt!pg)lV@$eL1JD@oCj9tC5Pf;9tOM4cb)u~9o#s!;wovTtvMtnO?dIf|v zshqodXpWjCvwvSPM>h{(37pYy1Dgg7X%;l9rH5^G4PMa;&@YN%$uBC{8lmiVQB$HD zIk~2P@yYFiy41;4s^F)^3*{L-Y_RranPdvIN)}Fu&L26XQPhfVbLY*PIi>Xv2Rc5! zHUhwUban2%^HXn~8F%%_kc$WUUD(_2!v3L`V~5{7G4a;P$#;KT@bm4hagXk3^hwqM zYpnl^Yr^Z-;k#H z5zGl~g64HCvIM`%;1V8(HU?D~@n=i-HX+WUF30Tf_3X;F9Cp7Fjo_1YQ^B zFpV4DGPDGJiv-~`0G>v)3c@uC_oUP4qWa~tRV|hkoa)o|`wQpJ{N{nl`2ecO5_y1A z)LLLwWU0AIt~g2_V7_=LiOm=no0gds*5;>FVj&x2$%?AO1yxO_)2#fZlzJak>xojj z)O~XNq4NpilXs_)LJmmMV|Nu+?E1>qvwhxt8&b45zCJPrH*bk%bt*K9>@^nGlMyYH ziscc+JQprn^7hBOZv)w&S&)yz&s6l>^H3O|w9%~#jc5@xtho}g&UN#BQzA?C5?{2bk=w*0>63Of^L-nZ6R$fBq;6U{cbgjd zI@QVFzE&O@;yJuU(8RWdW_HBIRAgz7kd?iQ;zUA00s8puw|ne)-4CcEIPB~$!JTU5 z%$xDehBYfspFSO6a`pHLv(Q9CQxC1)O~=}_sbeOMZntR3QkeMo@xvF-X?b#Q=NqT` z-McU*hS`)_iG?Z!L+tv*G85*MI)$o@&W=3EsPX?aJ8$J6BJb zI(6d0#mj8XL@tgKftP_?`YH5t=_l3CE?uD=p#tR!)5BMf8#DUrG9iVsz1_P(9%f7Q zuoAkrIbb$|P{0Jkf#((k!Kh%E=5-04(V_78)`hS)uu0Ttew(Lr-TbY;$=j%6?wTdl za91myqfY6Z7-=#S32h6>l$+A7uuQ@k z9g2WuOw0LQgBNs-pR3GRV#hLvfeHAXIm0>TZu#H&-GXs|fT!F*$J%+mDVecR<*XP> zW7`%HXM$6vIJ0SJ32iCS4>UwlL7~T}1D^N*VvA^FqmFMK)T3VB1|FcPRXS(88u|J+ zDLA!bVPqfDL@pnnnclI8!lsr=MexYnOmAGH4G7icYxixQ1{Jf1<^8NynSw2ARhTnr z!i2H^io6NmPx9-6yGX!h!%SrE5crL#4zl&4ndEH%P1)4na0sb0A( zw5r8Fs}c5D?b7MVa_>?*7n2jT!rBC|z75M>IV3YozhQ-}?Q7;3)U*J~e?q&$Oz&A; zip=jGLO2ZbQkW6s3lmp}50c{Xki@^Dx~0L(@PYJgQm|>|T=-kQE1$JO!+t}8Hh<8il1Na|kLz^oL8LCLb-s9^u1!ZhoBNvzDN4c4)?F)hL=pv5_3JFK~ z^e-0Czxeur#T90aOyF5OGBzzAZt!KMQbls~>E3zyij^jl((W&mLtx{)riWbzt1pLDx>tCE=Vh zN^D&96T2(kzy9$4HQaiEbE|u|uO8gF=K6)>b0!a%w_qW&SDGKpas@2?I2_0W>gUxx z;6$s%ix;wNOQ4NKKXU-F1);DR7zGTQmAymAkzi=%bty8lV-b}9 zm{w}4FvQKP<}6n*BLn(%NOnEM6$@vAOqtGM(kEI}%gsEg8OF+mEHDT{nR=3#2YRx} z^y5_~B(ET&OjKT(w0Z*D<~DDc@OYca?P2zE@vh(HYg8#m)#903Rfog{5qO1dY4I^- zN(7BpgbvYzE_uArMG?ul-GXO!E;6M<;c;zMu1Nnz`PcVB{GxW5^wmN?`=(?D(FrxeGKrR`Up@z{ldse$k+o)ttW`p?Rxgof@ytos 
z!*-36ocACUdGAtoiCsU?eq`nU*J`S}-uc6ms?fU11EkP;=lHe2#%7CgF(0s1N8tM3 z|0g}Weq``^{|Ho-woZ6f{*wErR{rAsn{WMm&v~a5Q(C%wB?%H_@sa!>zw+*T?@yhs z>ZsGmPKP3~c&dEGiqx0ze;elivWf6>&plVPSaEVBU`b>clHn|@iX`n_|Btu#fRFOJ z(*N1rWRu-Z@{6-cHr*YA=|y!$Q`9BY5RyVn&m9Ac9Bq1E<&*y%IJMX-D>%Hf>=bY!9^YMNHgw^}ghY+}M@iI=j z=bd+fDzlxilly0V@p22k&hhDy(cZT8iP{;t&W$-PXciNb46>CcVYoA(Z9#CNve39Z2b zr=-x9N{1Be5~tMiU+OXfFUZ6N{dE0?jq5h7U%q0|oViVPwRuhTDGOT0eYS7S=SScC z_O3!)7s-@J33&JB7vJ2u^!M+23s?u=eev{>clYjCx_0gJ5~{icEUrghoBDz~??Oeu zcpzY{dtqImw~N1_-|}*Iq_I#O#DhgdBb*s>=-nt#yaHYXONbXLy-*E!K>z`Q8sK0! zP04WyaUFtTT!K`XhwW(NKv%mb#`z4+kFtkdlM-YX>1~6O#lT?Cv>vH|rraU!I#sv&1jIn1U zsuOEDArmGhwo8ffBx7xcb5oAX%pB)wY5F98$A*cyBwdq2=3zT%PY~)6V$hf&129_f zzwdZ?7hmyfpkY1i0ok8p!cUg}KtRFr5=1ZfU*u8OWJ=68A ziVg4rHo$5n78vYMiY-#;P-)*Evi<(hj{{YvLw)|CRQ>3%{wa~a;il86=E&bEX71k# z)2%m5|L8*O-@J8;4EB)msQHBw6de;cbl7mxP=FU(w!VlJ4orFd&9@LH)LUU=PHust zqxKJf_@l%%3%IfVN_{c%RHSEQHBWB^_^61t@BI%zu19`ze_YkS{TqY|NbKu3Y$nGb zP(@U7?=|JmjvUC2^vev=v}GCQ7C6t$cbT5=3QW+{)5N-8nPx}`9EPPX(sxi^q&;rs z>U8G`i3U`yoG@KR2n#KmHYrdWHOem5-)2I*7Gbi!%4-usyM7c60fM;$=}lAmSn%pc zVLV5qAmMRsPs1bm=Ae)`5 zGK|GBI+m0vL7J36ZJ7JWD4*e&k2pJvXVfcbW7rrmm0$uwDz2F1fq29(W@Zn1<0UcE zKRVeLtb1WiM|urRh#0+kJb8@x>KX1w3qUqj#`~j0|$U*(UvS-c=q7Vug`vb z=ExhQQm0Y1ip&*vuARMh@w2O6eR}uim-lXetu7PXrM7kN?v1U>st@m7zj$^9qtxOo zd{tkD`tsD5E$>CbmVjf4&JwSAI9s>9xNzRwu|E3Tuo2kD)aZ{Yfo}C`Gk&O1Sld`L zK!D*D@FJE@^uPdqK!Lw52S_On{7%#h0nvk`-^FvbCYDE$eE+KMzi z1K8U6#Sr4B$*GKC!-PbJu?}F0^Rov!nFvfM7(QG%H-(j(6(CAt`)r!pF`LYOST^$0 zrdls%6L(z@>4-Nr&JUV|mWi1b?36K9xl<-=d9o4u5SNq@Ix^gg=)!(X3hNnh{}x3= zU>zA*1uA;IUxvJ9}C{>SJ zglr-BT%ayO5)l7LRo7lB=&K8aMMHW9%V@~JqsKozc<9IhD*GIw{M^BhNa@+p2o!<| zARB2R2?-aC5E4meGIw4Tylc|8qUBj$Gl|x3?@{>S!~&BiwmlX&yfYT~h~qyFJ!N|L zA@me$6cAfXhl%{{ud4bnN~!9oME*|di2Pkcp&!#ftS-`=@SKMOB#~uh*Q>9uUB5{r zQAZCV<&LnzDNpR!aiV?6=z<*vC5t*@LAh6nDyy zS?utOU;a|C1QBjR`C{>4`BZ!S4lOV6*vjC{D+u7Je@F$<7l zCXO35h$W>Q%uGORCMX)%32EiYhU7r|hFn+Z2l%g0gzGHm8d;o86dbXgyfrGD97q4b#%c+D7^evS^8c!xZ@tY6DK?M%u|wz>BM` 
z$?UCyHYMA+B-XJo+CjA9SjSM00jw=qm&!Zk9$AQTgW2JZ(Z0j|3<{N(Uxl@2rr8>a ze?c_xYso}+ZWdgAZJLkbVV@NstyOpsw%3m;h#2YYIDBqv^VV%INy*%MoRTP@h6eg- z>>w+0XIsDF<2TpczH;Kujq~5!{`$LbZ(slV^mpGX6pL@}T)lSj)YXfpZ(lu43E(af zO1<&i$xk-SDR^mq?!tv_oyXs>S$*p6FiQefcW7l{65O(7`_!t5-cExm6CEHepiH$} z{N}0{ef8dqC`hX4x$+fYa6|J|H~yVY+_PivBZZ9<^sM%GjW?tAI23^i6&gMY~-h<&_#;fK)tjeM{Fki zc}<2gF}Zh+Bd(u|40L%W%Dm>R?QwSSOn@iE0tnTb?>Z~rWp2L9{Cs0wq7FkuQR3Lo zjvne!*gW7zQmN0HGmnxJPd)XtFh)T?1F#eoVB3qk-*}VtKaJXd#3r8+yW7Zl~>6_B!(mXewgJT`PpP>5(gzJB)h4zl_9`Eycc6Jnge zpDwgHasg3hSFr&uR0{95#{x$w1$l*Hg}dtD0Mp^$SxD?3@YQsPsvkq7zGnI?#B?fN z(c>^Yc1Hew(cQ!4;(>Jm;$Q^i2Lubx5Ji={BMTpD<2Qlt> zdV2r-=Snq@-e37|e)GQ+7O~hLAQRTVeeZuLo@#d&+}(Ca?3>ptjq}&V`)X!n8h1DQ zK2I!3fy=A{1+y5C3`-iw#V9o+7bCn2ohv1yPB|2sYoDE=TL75vI zBzOq20Z(k?CrA$LBPJ31qavZputqJ8(VJJ5wqlB@@#29J!+Hnh&+}YC&&FInUHHrm zw;Ai!-^=j{7n{diZ62fJqkS?dUX(byrvb3lEjQE@cj0>hGTZd@(gCviO(OT)bf z+7A5FXqRVL8(W{Zr9c5|*26DORRRPE@Yyrd4_cZKwtV9EhmG&*(0>kSrA$2~Ns&-4 zq^=?5xs>qM2&D!HHE>`CRJXP3H|%?LEg2`2k{@@kp*`Ka`o*|*W8kUPuVR|FYfl26Sixd=K`bB~<`=qbsPx)7byQWH6B84!_t66%bthzc zx&7qn(=DxS79x(XaGt4xM2>FJ!Xm~|^-na|XwME9_)Ne4qLEwmp@gdSxx^OohtHff z2U#slRkv?FZgF5t5SMT~+V2hz^My_@dEyg*PjbQiwU5aR? 
z7|Ic*4B>S`fUq)TeT&{fql4p^smII`hhl#$Z<%2ZC{Pt?iXOx|FehAx_bPF;U0u3< zb)^ziwWQpWP)fvtMdLU#i`?gyd0>m9PeTgP8nRs`CTOxlN9KgtAb%45hs600A)`*5 z-;kVeNF%yw=1^ZLuPi!cahi+}y9H$)1uEf2U%(b3i?uguoyGJA$GJ`r z8NG5-jTbr;LKUUp?HP*qN{v=EshVJqk)#Fa8Kl$_UW$DQ1awp|aUVhfC5#!`3+pz# zwtXc9>+wi4k5`J8H#b&+;UgMYu|_8Md!^ zuzn{6+7`t)O-eD;v%WG<7Sux~4%6qp*#woy{3}t(xe-pdmMn&%_{xMOLlmY4`K$So zl&Q_ql*VM|Au#co{t80nD*|C*k;|G%?ptcSmK3`dh3mkn;-s-hKKW;H3IRpN0P@0- z{!&=Z}Gs$*VCJx7K6H$h=^Q0I{>YNYq<%KC@8L_98;%t?Cr(Z@;(6yb?Ofr6n& zmVN7jm7p7Gj>u%f4%|2_bZn7% znCwltuEmi|4T4P zZsiHuNbiAIazb4DAyrCZ945qTCMP*f$uRaHf~r)-P zJ|W2^PCXPzNgNR!plaLNd3Ua!|NFPMg_cC6s;d{z+`fKBDovtu@Ajp8w=P<26kor+ zcN6>J(GPdsy>)s2?v?ZBw^^K}2h5VdD(^zxmo;F)Y^<-DtQ+}MQE6skB6S13VyWFk2 zjo?~snt|~)F+p1r?Lb^Sqb|s$Uvl8k%48jXh0y>H=JS=xxZPMgYE7m0%1K^?{jRGa z6w7yOy$@@!iUe)S7&}7sVJl6DH^}i%hqcz^WCJ#EmTjf6x~bU;NnSKDmBc4j0!V$y zfwu8}_QY8bIVg9dBlf|#9qRsUO`1VHf7J+Oh9}qASosQ+h7ed<;<~QFW8Eb8nHjq5 zAP309;8ba9_>lu2_TE3sV=7;OP28RJ8${uP`2ehN z`@(X_+(gL&aq1hI9UL8h{p(+Y>Akr<7Z*4FiVHY$RN=I9SnCUZs4a*0e^8tphB1&4 z2xesm*|lZqx7DKN`>==txmHeepIzWOt3UxP)>@(oJxdI7KI_u-alXT9()3+U=c*KA z@@Os0x)>kA@HHiPbrTE|;&6^TrUcrhjnSkBYbVAV8nYpIbg`6WjXE&_!#HSVHsJf% z7e?whLRE@kdalcqbYmSY!?`}wIVaRMHE<-ENPVDYc@C&daq9AbU2a6+OwDqxO*hc0 z)AX4B5(0(<82Zve-G*n6b$Y(SOZb>DK+P$()U7OziDVF>5{EnPa%_Nb+A#y-Xh6Nf zPPMt#>!k*7ge_!asax%6@F|M64;p1$x$-$-3VR?zsnnKsjm82pAo-{pqmH(7%X2p` ze}3osSqVeezCH)^SOi#M-@AA7D~pZtPw;kq`T5}wcE51z%DLrjrK?syuRald^_AR@ zT%D?x1#DSh77taNzELm z%`0?yuH0jNg$L7rSEKLdD$j-#r(}PHF~~(G1{$Z7W?cNLTQA8&2_JUGT7~HeW_9oB zXT6b=7W;7UpZxTvqW#;y|GUMn@@wC|&&-}XpP@@}C8R4KLU`c`Afwg=!jPTNJ@-~I%LQ&?&z1l z`qkjUL;U;$hy|{#o64-mx$x?1ufwqvcc;{p|N0VtLRwb~%mT1bvMyfyS~#=N&hT^L zm4KK5<&T0^_V$jj*5z}v?x0dtRV$fnaW4uc=dD{moO>g0lv0eFRxO#39%V)=g?*PC z;7}5wtBBQ2j?q@cYD&i0Rm5xRQk)3V*gCkXie#tEu_K8fO9>pBJbEadq|rmuf`?|QTCXg@HODvN02H(G!qm~8stD|TBJ=tw*sw%5GHDs zP}cZ>VOdF0QooSWTj(HCw)YHD7N{W*N`7uxxAfBa!;}K<#GM&Y6mQNN8$$M{qh8!U;X@O4_#h_ z4Ot+hK84|Q_jI2vbxJ~{m6JSq5oV{Sf>R<|3ep0((0TYhzaV}^CC8%3kqPc27&dvd 
zeMYcW3`iW56XG2)=p_XXO$|~;MY?$?GD330YycG1@P5FFSOwLPo+ZJ+5KTblkFsIV z64*#y2$n!V0O7_A?5wexDDOciW#m&Tgs79#?aFOxrb|_d^Mp7PDY7+F7@rJ@MrvyLJ zP$)7X-d|5q^P^Ui$6fNpmtV2=?$@uswZ!ZF7D7#_A?WC+g^(s1tO?=U3LFze zvD&2M)cC|?jn?VsKmU1mhowAj?UbnqWDx{J!cr+DJ3HThtGKJM0YY#1a*E=vIzwGx zDC>rHJ?Jp0Ykzp9MbrL1-+%I#&b)t=8X?e_QxJ6gWrIRfCrJef39bGC`X7ICFf=UO zA{hm!0j&J-kAL#?9);tNyJLDX>0Wtt_Xi(+EKGA9>^JK6~ztR{7bR47ybFdj(eU3|Qx-(XYj9|wp>4xTP7a9vx)GLeAiL#1~e>%*G;0^~F3aU~y9forQS}B$JOsb1)rMbW@!Y+OW`^c!Y<^Bjv&JczMW#R6yE% zptFf^a%{-xQ)DqBAwzYtj%81RzhiBxaRzidtI^w%>%#D;OVu${N}}vSoS*S>cs$s- zUv;vRdS~@`qp$u+^ckoOS21pDQa~;T?2S`Mi@`>I%5!DFRHYLAVdG){IEKX1Scfhr zh}bAkXMG~Mr7jKj)QGe(4xCi3Fhxh0`_co41nQqo8$En-tfnblKZD7hs;f)XPf60} zk98#ey&^B^g{5;3ef&NZKoB@xu(%&W*mSWg$xGjSYp<`LzlG3)H4X5@CnTk&Wr~Jf zt7%#b4NINH&X6J+o2Mf}VNHuBa@HX&MWe(mRE?e^UjO{(KTk2oA0fsue|0Nh@4Tl} ziNa?@f}^wL3Xb4Qk|peqXum)7nCVPUN{7Y8tG}8){@wST);}l3v?!8PoHr+_xV*@m zq{7nrhYY`P;o|H$^M2M1cF0rw_kaJ7oxOcRVlpXbc``4)q$H6bXSn*sD2VWP2*IpM z?olh6Mnxx{27A(QW)WO~Wu8BW`ts{vKOzq8FDW!GDRRbdwXo1-L7~fBb8E>mWCsoN)jW|FIHW4ku{GCO z4O`7w&MXw;d~FNIIo72b8Z(W|af=C}{>rb++@>t&DQN~~eQxN;VCQE>>z_^y9ID<; z-Jg-?GC5Hn@2^P;aI8$yP0MlKO&J0zn>7343qXRwj9O5twD~3Ob8tN)G4d2S!zm`l zX|h6W$9WD)@*mQiZB!q&=l;|TJxgx$^3pypT*G~>nCSj;qc5&2G9_|eJQ486x?ILr zr#O>H5Jx|{6(L$syvR#~P(|$m>9}BAS6H-!Vg+VFx~NUpYlin5*8 z9eJG+wp4~eOC@V&%XAOzAlUve{N=;JsYKSVr4!t700}EAPgOipXgOpbiu4}Qot{n> z2woG}x~ToZi=(r&%pJTyoq=4$%S{QieW+1Uk*JOK9+>Dq0?TuGoE9@Uqmh9G1k5Gd zQc3$bWI#SY*^@y+?HKYJZLJ^0T5eLj4rIhIUXxgeRURfJQXew>hx*i)Rd644?m(2Zg%L% zQS>9RGoL6~g#BVvOh`zwI1A-MDk^I@GNEeXPp~mszxN-oML?CnDTWPETGd5qao!^q z<{22Siwm6@y#lSUW1EMx5?(Pe#x7&b(3nvJYLlIWm0Nty$aSemFk}X66(U5SLtdDs zFv5|ES)FVYts>DdAyz*=hV<;Z{0OJgXx*fEwm20;*p82}pVkWm0eY&EjU>@U`%4dU zs7P>nuH2o3MaTg}J-#F|m=P(7b!cvpYi)|LI100&JsMv@gl1}nB1|5tRV8W1y7tQp zvrik-o)VDrri^wdh|rdih>6=TQYgeT3NXBMfmW>W^CNUPyYWg;PJ&c6#1RumLpon* zC-AsdPVyjjl~g%GAYU*)w)w4!4LSewSgQ;}gM|XwPvK6Oe2lg<$|)nrJ{c~Pze8@QwkFw#DL_3#C&f9$jv9~^G^{pBqr^#> 
zCpA-B;1o+!fm5yN+6ea%&n;+`wd@fQ{6m@{G5GfbL``>pa^}qE3l}dX(VSZ7kq-f= zVw@1Pi&PX1u}R?S`i-0a`d3R%IC>fT6Jv!!ge=8HLN)fL=IIU&8Ve9qpN0OwfrAQ* zN`%~o&P1H7h(Cht-Sut462I}H=?ZBpTFoWwixf0bY=9kUD-I7c{U95lX$>iA|3=n} zjzj5{6t$<4l@zt)$R$NBC%yHi2_oYC|EQ=rtz|}cMR+alSA30*iRYFv-3avIPLcem zP9J_ujMWY?c@Y<~v4sgsApQ)mj|?u_xNouwyV}PYk?WKgRoSp*PZos1$E%VeaS&C*`tSvLCY#j>Q=DX1zOE5bcG+-kmkg~Y(li1dM?0motfv- zm|>g{qsOTPae`HAW{8t$xnWMsrpa;o`ZObqKE-y|;}X$AZlE8Hb?xhB`zX$3B#fDB z;TYjz6J#8c=s&U~N;@&mFg`|?6RLQ%$c~PNNP_eUvATynkvMPKm|>VAS!{EWELL%3 zC-|XNIn%0=4OK~o2{AelFu{LBuxo$l9Ak{nqy|A<9;t4bAtOrh`Xw8wtw5pxQqw>} zCIMr1xIO9>)O`|@BFd!hKsM2-S%x5Q{fZUO0aYD1bsup;E%PN1sL?^)m*Y)9)vMdr zoc!cv3v-_ugG66Y1iw6eQ2uo7(s|jZ!x6qX`N{RK&yWmo&64I-&%Yo}q&~GpUtFrZ zcq_DO=eI9gwqlfSz?>piwZ4fegpW_*_+=VXgY2`zl}ske^Gr5QPB!v*OQVUOz3<8M z7Vs|dUT6^>1LJ*%6-PQT7Hi1p!xp2i=db*sd3daBv$Sl%JG%CKH|9Q*>Yv%v-RS5k-6uY8q*U$m)Zq#$q@1S9CGLjj;`q9SFHi#Ic~s zaUw!!yS+y!4Yw#?wZe1}%K8-3xpLE~6s3GsXO?xl?+-q1dS892UiD31{OKQuo;DqE z=zuB@(}@Vv=}dEyibm5VXzI_K?tX0g$9>d9L^t<4CMekY9NZvoBXO!x1@>kv34po#%Wqe%VI+07B2 zc2%+VD~g?0PjCgZ1X>9Vi?Q9IVJXNJ;odLVZ_u<%y?O96{yQ7C1wkORm@?|GY7?Th zOhC_?80SzLWtTo?XoP$JNRR$iNgDnH^{qS(Qj=54Xl;T&Zr{#Eer#k#yq~5ZLJ>;S z&DIa=BloZcOHNrdsW=B>id5S$D-!jS6ZG?n-IkH|(`;R|I0&Y~(rEkQDEp%OTe!!w z#NgnP5H1xEik3EZq@STLu~%pc*!`qp1se^S9OgM_T4RGWkqN0Tg?!KOWPwd$#V9_p zhwNB0|N#$;Kd_A)h?biew$} zO*A-r>L<^O0C%QQ2*XO1Cb>F>#MwozFzD*i?%RR)o)j>6a)QSCuO7Gs<6e2ZJ}=CP z;m4R{D5^&$0~HcQR)`aeoK|e(c`g%T?4vxNjqvE789WRxSY@JCSP`vHB+Pf}iPL4D z>1HD4N+6V&)PU5|B9{#n9t-mgrQr~k95+0-h=j2~)xTP? 
zLioJ@;m5@9V2DGOI_dP;x%nc|frKieS#h24k4RD^GX>BsSkn||$Nz$Tn{W)Yq^FFCIx)_4 z%)1?8jyQgQ;2G0LJr#>rUySUNlDfQp>)E`}5kOUKvKD2{VtN8tO_|OpXj4>eYPzv7!iluc%~?i{h8a*Ew!4my z1AHPPrldK6iRpnus}d=3exJ1v*72lxEt%HdZuNsKZSkuVFZjDVyy5M}C_LtQ;WlNl zj<~3#jHN>oQBoAPf%#BOds~fj4hmzc1U8LJ_=k?dn%2cdV#7ws-yJ#S<4VRf7Ix zlNUp$_kgu}_49Uvo}QNLOj1_)K&bJ7?g=Ud82gfMK|Vva@JJ!fO-i(gO;BC|>;m~x z)E#_Dp1#7GJq?`R=`YYN*2Mg5>$p6)O&ib7aY~6;!D} zmI@t*0Yf?zhrG97tUY;o|-ZwEsSPrp2Xp z`PH=l&!)qJ+YfRS>tB%BQB|av8Oe`vd8z522#9nuIfvvy7iG>4_(v zME`;w&ykT@EGKxRSSGo`2S3jT?V-jgVfqup5~yN`es=6gO0e5FkCAN|+RarS>nAH{ zC7K$r#FC89wrstZ?W5x(Mv_-hZe(6`%$N3Mo`5au=_bsE@HCjSUiOc<+di5aIK;xt zZv9u?ZNd6M3bl%O?Uq{4SDPvJ>cx32c4oD?l-jQy+qr;gS%z?uuG>G}n4y>3MF+Wo zG#ek|6yY(LauP^6(2A_-$U2lPYs^AOTA-Emp{UV{Do7rVkB?8#5Ff+=rDP^&I4&@| zfsdj_F|>p-)tx4#Mg$2H9l)f(6C+C1R=>A<6Fw*jNoq^r-5X!rxphVSbm!XVqI34s zk3QM6`Now_a=X|LKk%D7S6~tzeP?6a#R@?IvheRm5kW#kaVQef;s-$|Vvs<5-TUr) z(iVrrgD=e)r98WQ`O3>Xcj3&kkfqqEEVfvDg~*K&jQSU1Sds%-fE1??MVI6$9?<#w z4b#n+6wlGuZA!S)*%HO0bRT7XsOgX;l3HAh^;gs3znKnq$V4-$zkk<#6oNPZN?-ERF{8zNBmdx4BKZMH&}1{Ii5Ah9CdX zs?<=$IQ`(Aw+iBeC>l~5uUTE@y0OyZg>v_0#qEG4lq@xD&B-;U`3+3*9WXV?QO*b^ zj>=kipIrj@P_QZ9u^?<@?${A20fS*BWsVtUjTCZvKCr{2u1eHYBwzq^NDZ`Q=A!-( zG5Sgq5u=`KN%C1qjw8?Q^LjL^ zn&CteKauEOJiu;(r<6s4z$R7^R5^UU!b8b#U+?|;bTS4j@9WJOz7#Z^SLmD?2uIxk zHL8bkl^rrX#(O|s*vPsRoxlsgXiFVwvZ$8WKB9=}-qkb;oZ4LD$&ilr9)V95&8R+2 zXYDZR;anC!O-Xf12^hkpK*!Gy9lK&m3fF2VcRyr7}< z<$PqqN;L|@{>oBUl2Nc0T~_2gVVpyhmt9Fp_<@h!!^tk8N}v_;LHv`7Rd0k$FZbbe z$Wka1$WK8V<14l}^4XFONR3k*5b%VP79AbiofNg+4rB0{XP(K-&J{xuPYN_Yp|3&e zAZeb(DIRdy*Z^<6X0Eh2+w@hVl3|HTi=T#=j=8n#M2CM!hNbTh{;jKgO65vsj7#$s zljEHaEiMcl5ZrNe)L7i|?|%RL=`-56S-=RK!VqU(cHG0Fi{^Ol{1q0dLX}XdSWPidZ{584;k$1q20F)# zvM(BIzaUq)w%m2+RBsXnngI(&s{&hKmTU|2jZ+dFG6M!hIQN}6ZlstX?RG*HC8H$5 zCdTX8vCe(N-JZ!EJG?5vu_jS7Jd;-%^k z&Vg&Iy?k^}H&3Yos)QJ~5bsj#i`mDg8XY8LSajAtzx?v&A4A@gxO26GwT_l_SD@`_2u;Mb&e|x204J`S$L~Pj=0n)nIWh@l{@xyiR%L7I(x~?ldYas60^z z_fI|z3Z_u?qdC`Tk!=$F^nPVZeC@RR%`S9ZSn5Xhe))nHm%74yD~+_z402#G0}~Ib 
zjP;AQ*wT_?Wc|Y+VW><=)$!}RB1J)C*~4&RT+wz+^-2wK}zUTb9421K|?|e zPZo_G)|8@=b5nH0oaJ*xsmpeupDeic%vAeS%Xn!cz~P60Rm`UcatmU%+B_`UD$!+&IP0-%ZZ5zzN z9Uo8d8Ked~bMinaFn_i1oT+}WqCZ;SHzU|4$$wa^&k*u` zk#tDD8m!rHzt8zY2% zeVRVepJWsY!LKs069MZ}wBtPbF+^j%2h=1vGH4fb=br^yAtEGH{VNnJ3uz_<6rvc~0DL^C8P$9ZiwXlmQejuJrcacLog_tUeU| z|M%-(SDI5B;q2pPd3@qdd2wG~y39t(OObrZ;;*{=3ef-WZ-3hZsNuJ2Xq?6q78)F< z!(hu|qq}8BZ=Z0-e&VHbSNZA-d- zd5QCuD#Z^=qA+ZOm=RW%Kq7J$tz)Jr3YXBWG6M$B$k2(tibL4jsk)%pb=i0~+Vo6a zb%JI>ltWI)2x9F~%BE*^k`JZM)spQDeb-EAXZ>ss(E?^~S+pLtNF-<~8s~(Y8zEyY zkEhW#YHQw|n^!J>b&4(5 zFCM#k;Zv%6@b&if`$DMH*ksX%Tyg3A(K82MzjgWS%WK<~E?Fc`ZGBY|t-ve`z>>EK zRFN}$XH#cUD#|Ettnr4`FQJMw_CEc2S8p!V7}Z0M_uzAUqJzR}!gH)-5^4 z{IHRzKfL1n(2>2d*VQJ&KZklsM7dL8gpQyL4wV(6*qkW@z>wqD)*NRs6#0~hgAUGc z%?KP)5N0zm+OaN4J2S_yw9IWeb?S>cca!^f-%->kCXtv;rQsv;f`^Gd)2$tzI%XpC zarJn`%D1V~V`GJfdBS?EC~>Vz&=!Z2c+erz+aV`9VEu}PUz|Tr@;7U!0=lpU;vEoZ zh0x$1f(RMHzYdA=qy5jpIU^o<&;+MHNy3Tbg@O+4fsJ@vcJ6u=4%;*R`gJK<<;Fk! z@sDuPAy+ffSnt6_XU&fw6{UUw!GG$CVT|9{X3nrgQQ$fSQ^?duzP_XS4jbUGhe`%W z1!2=+yAG|2)PJGM0hPiZ_2zs^&nXdAR{!uNzW@G**10~=H%E=~W6BdbMKCXSjnNOl z!d*pVu3tdl1M^z&7|8)LI&jRCsg12|bDF2k2p<>q%U^bZZk#J*Y#0xD+x8v!{?LoT zjvsMga3}^FqXMWBBaork4pnBHqHbmfRAC6bb@}q;V}}k*t1OE3!vf|=cu{hICMVc& zQnYqvreRLD4qLZHV~&_-je=H~$7f{fvc`;TPIVG<3S))Jjn(ZuT|U8W9aZ3~y=G+T zGsldG@*0*t#$i&d)3i*3s8G<|bS847DZ@xGGNMD>l16I?hMJybB!jdRCS7)B<~k$6 z2pj{UnmApD$+0HcP!>%_L`#gbCRa$H^!`(a-V~e)U<+fQ zdLPlhqj;>k*#6Dk8}IF0@!E40r#{@gd|r(>o%%8?E>d2+1zK@~0G5C%nfH(QS#s5q zlpg$&PYkV!7&}vLGOo-Md_}Vh0izDn76guNjdttIC$kpTD zwu6+g^+923NYN$x4xW``PBL3gzmWLAr_+5k3?MX(BWj`ULm&;|NkJagdRZqQKA|$k7L~kgrchR~^y( z<4|vlo0v{K^7liJciH^5YJn0_b?=B3Qkhsid~)z$>G*Q%hk!;I z8=nAD!``Q;2cgYxy!kd{KUX&oezM+Qy#@4n;)$nfYU_FO%t{!2u-SooN_veLVPpO0 zfBMs(nD6ZHu{rFQL`>F~`op&HrufHr$+X0peUQa6CCJk~MHwSQTp4TvT| zN_47{bd%$?^NZaeeUXn*`R2semzT_KE?&B9Ip>vEBCpNjvb)4APd73> z8mR3hd{sadgcEArs-X(Z5}b;PBtu!Op*odht=(psP~#NdD_$8dZeFo#X_TfmrPEBu zdldfA{ISCmd8t&t`;=A{u2u%ar3s4`8#fXczqtSN3xad?FSP+8j#!h=U$7YVn%?M)6$|+}V8B4e57Lqt 
zb7HS3II9+_7JXzaVly#0S*(I^_mi+r&?itRuu5@?A0{)q_^W%Lny#%;DC?jJlyz!X zoxok?ArVI@2(te-7FXEiSJT1YD-l&4`7V^yeL=X$8;&XP6F>kD6qMt({p_j>q<_zby z93r#a=8%3o$8{!^waGsaqi61C25C{;vO}~Jqje1_hFLjANrPueDNKkR+`^v4Li?|c z=|ymXWt)*-cOKaf`uS(FBM%r(! z^MdiUqrrP!B`e|1QYoO7@aE&t7pr=5;l}z5OdB)25_K%rK%OOQsG3`SbUHu^s9L#w!-_+D)?YYt;M)$I0$gxceRXF4z1!C< zaEIzu7F*=kt6!hFaiue1h5BghgU9OqU8`0!#II;fnm=RG(q${eHOQ-y*J*M60pmuU1S2|^Z<*z+<+7U{a?}TQAk%58TmTjDpY#1M<6T=>BKw&sZT?|uG zjZ6xr1`}j{fmlw!nqq1+7*RDOtUe1N_rIlQ(cLrh7g zXZ?hnxy>~z=Fix^am~KBUq5~7B%+(?+$B^=#cJV#@KEjhEb&@1xVmPIbc9vgQ z{9jgH!l2->{0VVeJZ*ecDBjjr`>j6|%!b&TB4y+MUe7u87@cPQFpF3IVKL&B_sWHhOQL;zeh3 zt>^p_CD@9fPFI^pM;rQ*l$+GqAQYy*E}@EoRzMXgm4sG>C6IC)rR~}0yAF#YXmxz=3-jBi%%0OmM5nx%UZNE@$ZcXCr&c@pI>2k5hJ-3I z_*p;|Y4(ew+v_-!@7W3|gvEvh58 zBNXc^F=!=7$-yi-4E1^W&Mg_n@sSkZXg6G|X9s;TL9&81t(gW=bapHP6(8}|TF)I* zy(UH5MSDA}m^b6}snci4noTLSnzoch;66@2yL((x986fxT~NU=YGy;U`JOb3P#y1@G%e1u%3Az)D#k$4X) zCm+23->;i)>{M`s_*{iqQEWO%GC=CrcO(Nm(pz_x=>Ua4IwGp@c6}yN|A`9qvlULo z?Ke!{cU|%c%@-dWwG^N3`;5hNd)Ti$X9owzc?%Zv49VajfF5m>6%9`VMG3u|XelC6 ztkeGz=Eh%yrS$ja1m|P11 zEV7+P>k7i0@HWySI>7Q@e|MkX5G7a@rzIQo&d!_I=?vZ_KmAb zdJ6I*-8Pc|FP%SjPo;T@{cmRLwRQqn8hj2S|l7bFDz-smjC@=&&(9 z1H;_=Wrx_5MmfMOhik{HAz*<>I$rw1Vi(kT5;7$E+l9IHD;YNuN?vy_o$XbLdJ_6U zBV>t!F%bA8)R$^mVA=R+&gEDZ<&@$-C@o;{)D(>zb#!FE_oG+6C)V=jbVFsFzGR$E zP7o$bMVxLL$+#5yglNu7&Dqbk*Ll+F5~x;VKdq|t^qDh26El(d$gBjRXiQROD|1$& zm4GTWS^-tk2KeczGmq44=`;PkezV?!aABcXAw&50BccFC9+>Lb`iNldy_o&o?|$d& z>n{o<0a6&LWcCS=`Jbgv^dL@226%gq5}8XGDJ2=;MAK=K0fwsFRW_zWkM-t8%oXY- zr@~b^2*JM`P^nR6PW?ya5rVn8`p5Iu^wY#CdRzLDJFt~QyoynH2L_$_p%~=<9+NVN7-(!_8{>@=5!<8(o^gn9S^)EO10NhGplx80)QIY^q;uIYoV0~t1{Xq#;;+aF_Yspbw6WPe& zz(C0pBy%`>iT(t#L?`OU@=usG7ols>~rX*Aev=WLHP}QAcg>|KI+nzpCUk9pwGW)>(!^eeUCEQj2 z3dIVMh-|@#WH1CBkqA|gv@7ZUBW*)dQ|i~hpwzF& zU8O)(mg%!_)6ouh)e*aY9C}h-Y7ZSHXW$XXc6IDHHL9XapXVsyTF}&$)PL(u-yHAZ zqInnG^|tLV5o`9;(@*zsqV9e|p9&ruDs)nkc!*RXAdWTAgF&0NZ2kTJS*DGm1j&yM zRpzBoXDW3Il?teO`M`;v&DaN2^{L*G@!YFG6_x>-TBTx~3#bw*l~}V0oMIKn9HB8; 
zUVHh))DRCCgSkOA6u{b6r=&T;OhG`FoNE@H<)tp`D%>|!xp%qG0|9GsQ9GhxIV9b# ze#oE8!rLQ}g{-Jn>Lj*XQG_i8snwEkpB@LOnZ00&?Al)M*^s97wttKeV>ODwd`3*+ z&akEe3g-yk{4SwNF$3POQXzQJs@7F|30eio0GCW~C;s<0|N9%Y7^klWDGT{8abYP) zuyXOK_t)OLbrE1fZ`!+K*`fDd77#-{M0KLSPd|C%ecv*=&= z{Gia7u3b8J`p{c)2Rc_i-%kV<9atGxzB(p$<16^}@oURkrqzh?i_l3o*Qrd%R)%en+WcIsn?ncm}^{-;f>WOYI)hiBDOcsPkCHanIqUA)7erL~HI140Hb*ET~DGW47 zsFLIgp;%$n*Ux)RfvT1d`pi8#ZO3~OswBBWXjSS}cMlS^H$N$a!;kipox3}sD!1dA z%FQnnAcc$bjkn$wAcX-6$3$<=^&{-_%?ZmAM-MXT1CEfd&MVqT>0<1r%Du`Ysx>i3J~cxpovd28=KOdn_)ybH*d z{Nd>zL#yJXYN(Pbm9+i=Rpp!a_G$Y>8J|@zJzBFK>ozzgyi}kS1DoO915`0JBvf(D zs}{{6-v#j|QJy2qBJ5{n>()(jV;u-=k%fl&2r#Xi>`q2pbgnHm9-FE>o}cK35uPBd z+5}BomVV7d_ZREDx7K)Vs`6Yv*<&r)Atty#*U?s&yT35mV`CN85ATe+a&{&Q6+WrRp!k=&SSC^Z{ZFsGEDRRwA$#V8c|CB+KNEhWm)%Rrsn<90XKR=$2%ygP#7qjjf%8Dm6$U z;Vopo#Db;ER_@%k_TuS}g))V%bmaY4zBt_;NJRm9HPBFM>eNRsk()wn#QOL3xubH2 zeOp@Ew|{Z;u9(F*@9_{mo9%G zT8X>kllx`opZv#vI1T?Bb$&&l*{jXIt0#L}XjK+aWs&qx4NtO9iV|RGLX4&%UAm~0 zcPbj@yM$2#>XWrA$GfbZ?6z{e>(Y{Tpke(pGfQ6(rjUG~p<<2$>?TC(re}0geI#H_ zPj^c48ITn?7!7Mywtj1^!f4%6>$RcM^96?P#P*@PYJxk%c->@=^%WkQtGyV#jPMnu zu0$->Cu&Xxu;qyYj*N;C1wn`t0q&0; z{}h$#-S<9tXWx4yxx&+jr<143Z~+bRYf_WN-+#0<4o+>L4A5GNx$qVkfdHJmwjb8v zC0auj!%spLFgjx9D}CDb_nEmLsQS0c?Q=H2BB6>Qt%fQFyws|sN+qC*X+mSloIH8z zt=D%IB#g}*3UZ3Xo&ddN(!|j_jnnH@S-OYZx8hwxk$N}blZGwH6bKe+`{*$9^r=@8@ zB`H9xJ9G0CyA7+~`eXxC!@@Alj4a)%39cI|6;XhsqJ($pIBj#96AGIAa}+MQAg_qm zSH|nehzsn3m}J$KQjw0eR#lPYlpHuLFWjLr#aN%CRI!&0l>y4%J8c0(R8jn*BE{*K z|MQ<=;p4i5Dm6|?kP`aK%WLOeyP(30Z|?{v6tHsr;>i;qz9fMLO!@rC+b2G1*S6UH z#b@t*dEx`P!z)XQZ<GrjYx5y8rc0UVBb_1 ztE2@DuT9hU3{@o8g2ne@y%)}=(nv=&RPjRP%O#0rW2!zg$R5C2Gs%@8Ft1*|&URTfaCc2{)?RpU3l{clrV?K9;y1*&Ereqzai zQ)j>7CG9O41>3XK&Q>xFk{Y+Ge?pkcSHM?p2XKK~jxCfFvOJ>t zhUT$h;ZODLOYZdl*Z%L<|NFncr3!FHRu1!yeb7l^^^3%P5K#!iYMVWefGi#|z9)Qt z``&vWRf|TN3rOj|vPyFS2cF~5AaDXz7}gjSU0w1+Y?F7#4T|x`z-xypUfA8cpPo4R z^Okq}%=l1ItSYwC23N1<{i?ZtJ*!j_s=z5`4UMStt?O53gcvbXw4~`_H)RGXWIU)- z!7jrR{p@l>v}0X{#`)M|iz^$aZA{idXA&`tiwca5Df)s?ZM5g`RR3WUBW-}Qwk!i} 
zR+eE-j$vAwCU?w`P~%epn#a@q21?(SwE&S@kT&FjpPH~~1i{!UMMIy@fg-hV>82459L_cF&iP08*=D=M&)IUM32`R>Tpo;%K#d0JRlBGnBc z%+*3(fK(?6EL*X2!=l?)&SHi8=FatNm(E_ha7v&CIr?s1KD%dq!`J7IwQu?E-nEOT zH_pmAe{_%B^6r+_lLy`uU+-M|az%a2p?9})v^%#h-MXrzRX_gzi*qN1oICu6*oV)9 z`*tj-j<|B}urU3-wRzUA=c;d9IxBMw()sl5)l240TeM^uBVSytgjeOZO zMR_~*UK^`DTC$9ho+GOhF#sxlC^FV|yw*;@YD_VZEQ|4w7D(8FHqvuAHUX%rmGS!7 zIR;Ogzoq*RYD(48xBgqX1+$(QiY@7yD7U_&?EV(4f3hrmcx#3ee<%hppHmYZOT%oE zeTT-58c`adospr0B8rheKi4=lSyvRMWl}_W+J?Fg%MRAWjj|1O8ft%tuJzk^gN4R;!=YDO@TYIh} zZ|zan4yYPQ8Vc(hQEyS8>PQEt;+VVQ?E&MXu+2)A?Rb0tKJV5Jvqb8X7 zANR<+;B5-1YR4&aI2BMeXXidepK5te`2?yaZT?BswwK@in1^7YQn4z#Po?T0R4^~3 zN+qG{*s)`6Q!CO&+c5!|iAxKCEyLU#1Lh9VW@j7NBIl_()}D>n1Lx-%@hDA6(oaIw z3bD%zu`3F-E046FlBlUqbm-EakF2nE7SzQ%V4TSb9Gu}lusKx&a~|5%xvn-FHv-gRf3b^@vde8O)8%(}n0}Xjw>g z3!DN4wy#@q>D-Y!H!dFgaOalgwHxQ;U-?quMSOej=BZC!Ti=?ofA=adi!H#%`D5>F zo|oS?e)QR6?+D!a>a%y3R7bq?;zF^*k+;{h6#K54p7HhPhr|x}q_)h>Z!YlOFem@6 zxljm4+q+}=gf!R9^NT423|hVQ;*zFod1Y?X3hsj{XccN-6|9xUEDAt7CXco$8K)r} zX=?V_$0`GuVO$x9 zexwJX7UU~YQQeJyW(trbW=d;@eonSwVV*(Eqo!oY9!_hPEkHyFs8TCd!W6HDDoL&o zoG7GNs(#XNlQ!cV(idt>YNm$*~WKrs*s6CWUjCdJ?(m;w3Ey=P|Us5Ack z^r!y`Art2mu~ZgsMBK}N{nvjN7L@{3II6@;!BA{{!4I`XKozf5yjh^CQ>8LP6-yDH zg}W6m)wFlop{i^xfR(@MRfe=0s>C?&5~`RTYN%r3FoS4Ej~=ZmOwA5|UMMJLZq@?>w*%CLjYBK!!QOn8|sCwj)M@Zu@M7IT0sc}jO|3z(6KYeHY zdoM3q-k4I8?^m8`{OFaXnD|hq(1aG(MzxI(ym3)MF7V~(-t`3PHsrcZ$#UMaWj0&R zAA4KblIJn6DhiG4^8>q9HpEw_>89qmu5M2L;`qM1w=V5nSKnIdSC#4n!0mr)1Ale< z#@DN6=1)#>YRGlpzIZ(QY+E^{JjJOdT{ok|cX4g>#@V@>=M~asRzw%2y0tLj zD{e;umbhQ4xc=;?KPil|Bf5&zh+sEbr-XIUv4$!^Vj(dI#6NTGc+&Ba{!vjtz?wK; z#{_@JDa4ZJD{n1%v_rhF?f7vvyj)%@jaN*6agl+w5PwMILQ|T7!O)ayXfubOi*X`{ z&72(683#;!p~k0K^H}^Uck4x`9i%L9iaK%XDbQsf2#fc%U%7DBXP>bmK0{-=NvJ~X z+y_-1taYJSsi6wA5~L}iRb9G#W#p6>`qb>~Q@Onzs+#unY5g#203Z)(l)XT-(y-uh4d_8+x8wd%n!p^m?)XhGo)aQO8bFL) z*u9XnKmYlEQF2lK``OQa&cgt=P&*0%~+4|z)Bgcq-GG}wV#ma>7K;lI3OFT67CmR_uh->0! 
zc{#jCD3qv37I@n8*C(HPS}Y;n+Vc(vXQ{yD_4-wJv7^8#sZt58N-@Rj`%=5(Px2h?z zwKM<%IU9knMYS=X?%%z4+uSL+9u?-}fL6~pCCn-hE>BhtO9RyEDA1hkT9fHqmY|tz z-acdM_=Ss>Sg2PlYt?AQZ59-k{OT7!D~)wnImwd;GOyH9rQ(V400Dj3EPPcs3Q6lH z-w2&aaSBbH;BN8O$ghR!#48SU9nLGRj(1dEag2RdkR2()FaWlhZNCf#hJ<>ASobmU z#kfC{>@%QISppfYcj#tI`|3-LP%BE>hdRs(3K_(D4XsOXn3bs`QIdM5EG{t2&eE5U zbBGNvENW{ycKrCsQ)g(*vhEZs+z0zU++X|r%L{kyTeSPb#jky^>&WM?9zFZ|(KGu_ zoO}P|xsOhrKYsR$&(3{y>imVRdp`V+sk{43`v2H_5BMmqbNydVa<Z;+r_J<0N)m zu}$yly^G!@L{UM#qJ~fx5=cTqfI#%#do#WFZfr~u*toaEEs5Fg>769gd-if)Gxg@lIb`{()AZRi}_eU~na5+||-2fv(y zxdfOp^AS?it3Tc%o}mx9eG)L(CK?3;Wf?yCtZtgPUVeLAf=FWp%FCr#%yS&T&+Y8G zDO91H*?jiOgEP)L5lgK<=G1szKvlsyr`+W~8@H+Gg;TQ*Uz~aP!nA!av|;7q+_=F+gtG>_l#TQl zJJdzANVkkZuH=dt*~4vAKi}NAA*{!rJ=&Lt7r7v!LG`HeXzNIp9<%h@!n`cZ4X8`> z8#~lFZ%8Lj)r`e(Y>03SmPPw88^;AiC6OV4-Pr)7vLn1%KspCWhNb*gX|y{~#S$%q z(0WbSGR!`!&Vys}Mf zh>6N=jTR2Z3!N9JH?`eo^&``aP}1F}aBBJ3fUT9G+a`oA&ktx!_sfj%A3d@k zY@L)Z34L60BHYJDy2>Y|c!Yay1O*N}iqfNZzOYfw|8ELam~RV{MAZ+L#Fm4j6l)1Ydo7C*F1fDR()f4M}_@f`O+B7gI1jk)X?Ia!t z0aY)b#}tzy9U8TE-NvNkR2NsbhaP^|p?gXh^IP0N1MlYHSuwr}n@^5h&oT@^|JyLvJCRG0fO~p#nU(ecq zH4ZV-iMMaxL4Q%dd;AGHhegn4sIto$DwbMjq0F!V<`73z+rv zGpz_x@V%6()Nab#oZoQTTYn3x{{FK+z46AIuf2Bd+_{$)9e8okfwOaWpG;c3d(_gs zv5WU~uUYqe)%xcqtp7#r9;e!)g7`BsQC0v|W7jz4EQMSBaMIELm~w*lqsb@kn|$)V zDYBgs!?@wB&}-oTjCykosb1uO8W-bJ66I5!=!?oisR2=rAz<$B^~_+uRzm{26^wAx z+eWqxOMsd7D+<7dAziI9!Y~L@D%EEP2D&{puDnb^mD!jtTlV_N*!Rv3dGG9C+Ph~4 zzj-L|wLLDc?Y3=uT(0eLHSD+FWB!!=#|>xWt=%!#*kiZT_%rO!v)kqM{a*ZR**318 zA~9DID+N_OLPLgxv}wo-LTX}2QlUD^7OJe}6y*%T9;%{ybcpZc8s_>0N^-S?0f7xF z(CHa|thVD8k00gJ0Cp#f`|fZ^w7ipH#$cNe=R0<>D2SDSs?&m7P1x%+>DZ4OU;3{(7k@JM(og4J`o-**o}GTM_4EVYa}UI> zJsH35RN2-ui;iAca`csx7n<${ynsJ+i-1MLv>61Oq%p)EqE$O`>^Sg&90Delk(u?- zLl50F=aSx@-{LlY!i2e6owCzX+_3e?K zvUH2^_2sQ{Dt$qVr5+UM!{8jV(kXk1Q~5TrvwA->D>00PHvlK$X#rBxUm~jY$jmck z8xG4{E{akaynounPq<8JGCkL|*WWyO{OI=0>o%=f{=$aUhxYHm%StoLbzVF>rLr({ zD9p$kZbdP;JtVX#4PHetM_s6EWnmyY0VztwZ5|gw<;SV1zNJy#d68bTM&pe!TMWJD 
z5L=;pYXe@ZDTy^U5DGRnq6WLs$SFYMx~|;hb_xJldd=G!d{WtN~C3gjMYq z)36t92P`(I5@ntty<2WYzRQ&ZD3R;YR{OysE`PRLerp%Z*2l4p}+jfHH2uoP&bn5ikb1$D~L@`d_4&awr zG{|bHFTTV*sPZ6zVnhHriqS<^vtSKL#-Ss}fGr>iL)0*RMoDS;$mkd^Zy)$9vj~ce zP*a$3$eGo7?0@qu?%@n4Uwbcn#qs}aJSPSi({Pu^%&!=kxyzi2Hwv8MU_h$wsCi&dKPN^eZRW+N8V)W#c<$|YSt({tQXwgo9;&2+ zf{p^GxF`ixxG&`Jqg#;uSa3=xOX*mupR8UoKRc>-)*u)3fjrdvC$Tc67np@tkR^~} zE=uCrX?;kF3#)2K@yd_%q)kcoU6kvurmy-91#ZmTv zHOC$FP*oP?+{5MZ#9r;nqgOMQuhm6gP+oKJA_ScKiOMSzgWJ9VGNp#7O$m^iaj@5u8#`MX3GCwKwus?|WeUHuFpslEo|( z%wmFyf`VngSO8|QC0oRPVJr4IRqYkHCUFW-6Vud}g$1yFWd9Qrw@%u2;=PYQyGxwH ztl^B}(#~JF2tmL&$Sb7>HovenI3yHBgtE`~ZsVsveE{Nyi9T@f2tNR`h9!4kaw*U8 z`6kmJQC3V5%Ds29go;n6toR1u#3cvSKui}OxzW_x3RPrfr}oEtx#A?Gzu<&lZa4k& z6Z>yOFfeo0ocr&;zqxCN6;c|wPv8DHPA5%n0Adg<0V_06j78IsGS)!RvD#RALr#0Z z8no_c;E5HY1_ZMJHreyMa`34$FCz1UxX~x7?b|O(iE#kIFZ-W*2YVPi-2EBb4*zWW zX)y(&F(YEIF*2Dc!JA4p3&4U#+?ws7WOI#oK32{Cgqs&Ni8%$`44y-K>f{5*^ z=|PwP;)ePnwEOQe`n8h=N5e9~xrAdUmu&D}{+%BU?E2V@3~Mc84XQ-8z`9g_oHJ29 zor|Nr>eDC??3FU0lfeflSry6ECuId>4edTCpiN94*NEWmB?-P5VTY|O*~h!f(?w&l z7cN?gRo}g-Z0_7%|L!0qfB*EE{SR)4l2ApG%(?RxjEWrS-Q@|1Qx1D0BD7tQ>r=t5 zPX#(ZSr+d_5fJH9HE1d(rg$g!?^v7aU6vCG^#4j&7<9~ z`+7VzBh!alYyl%~x&R}TKM}sq^l<(ii=oz)25qYfW2jJ0cTG_cgNGs1+~`vKnJ*O% z_Z}JM!q8oiRAFVL&AsR(<>{llr26X3E4*b4xJEeaHRdm)gE{R zX8Gk;F7Pw(q#1sscng~RWrrnaMWw(RG9$g-Ut!P-<9)I`{PEF%2VMj)(%tq zgMz{&zW8*8IN@LRn!a)HjURpdaanl<UiI zHl9FT<_gd%dnl_ly^3OdE8=~NqTDOuJ&Xw}P_`#{r3~siG^A}>c(;0L4`m09iS|v8 z@UF8h3amHOm1%wh0$L9r5L7TGXUmH0?+sKHR7JkHt;d3eOB$w3NllC!80t2>X9pOQ z{@V51<;gx22VoE1QA*V(4(J@!t9@ofcWPD|po(rUi*+xF@hB&3G}1e^w|n_0eeQH? 
zsdw(?{9ON1GS&vSkMGr~BF1f=WfcQZC5I5A@r-`$Y2!vZH>4uB2-sQEgTbSM?k7s#y;)YdAUuIR$#Y=jq z;wg|mKu1vJ*as-%!k8BYRTz02sM1N+p;xQ-9&2B}?LMZdJn{uX?km(3U=}nAK7|p0 zM$x1@Wzq>TgPpKX98mUx;9S^;%3aS*+CFjnDa^QI|Cj^geyh7MSu(bQz<%ZGH4cmV z>8&(zD^i`fxw*4;H7h5NNQzWqC5(1oQ5owsE!Ag6x)%aq z{YS7!jp<%vB3wp>b|pFdgi&6aJi{h#rKMrFRt%vWUdlkXDZ0}3dZ?P5Nu80-vAsJK zql+GGP6>`9t2!fq1l>h()-_go`>eK$6TD;kb;}#o`g;RaqY7frZ}SN6-#f&+bK;suyg_(%72E*$A2HR{@{ z4OHRuqfv3AG|DTsmrG(_7jR^5HYz?F(!`QmQSd$0hZ#}kU^I9n2V(`gb8S3h&wX`q zz@~8_`tf7fhF(>m6b(b*>W-k4q04Lhz<~O3W4CNrd-B9dCSy!xB~&T2vOpCX6|AgE z5-Y5PWL45u@MKA1rH3jWKpsYiP{m^_S6A`6|J+57`i&wimAgWCRPg!pN-RLkS9c48 z0KFn80EFRnDFo4ETZ`}IhZQ@9&D!$P8}G6*7$d`I^)sUtd6O1IJRG!+r1w^Kx(ijV3{pUoATioc#P{mX&N5r-(wJ^K@WTYD%7LMYJJFM!4PdHDrX z8X9NMoj-5>B77ipEFucX6p}wWlhH_@Acrva$(_Du2uVr>_NjbIm*0G^$C6|B6TJeG z2%a*DB9990XyKRMCpO087~C#muWaDWmOCdMdvx}hMf*<+kdjSP76DZT@1HGH3GJVR zDhp2G!7vA^Y@tddo3h2J%RI$2h87b~+R-CNS1q1DWqff}K}JrX34dMj2%ycSzi*eAUhd>*!YI|m`><}yU{8o^W0BBQR7ATb_j4W^;*40G zG*GJ0sy=8XCgirPid?4nnyQn1l&O?ZH96D2ERG_Q-Rd(bRd1sM#D7(v9h4X4GqR^^ zevFsFKHI-t-w-r+PLJ=00}!a%J?GJ^5w0yTO4S1?;oV~UcdAVFoswhdz#u5q_(Z>i ze%;355*!@>RMG9~7E~qqga>u6jMtYTvw7LTR`=mtAxmmsp z3Bv+F#?=f&gQL7jg_Jv#v1$VfBiaUOJCdfX0y4L6wzQ0aX^XGWq~Ds1kEp1yvTbdRL+qPajSC06{CJ zk|GdAUGv6EM0s3^1(hh zYALep*WvHHgPjhcilux6&SoDv-+A82A224FJHezRPBBW^X019nmA_iF!VQ`@aBt^X zhqs@;Aj^sBp-NIJ(2D0mQYxMl`P9fj6$3+#3JX**EwnAaez4f3T~1w5m??%NyZd80#J1-z~bg%eWM4swHKm^&9J_ z_nJG)@B0K*`m1YhdqTQ@_qM+o8rqi1AV~u|Pt5R_Au8=vbSdyun?^Py_v8W2V@JBz zBzx2UjX41mQ&`9C3~8N`u2QLs0w2sV^p0F^t3oR_8Z-Qfc%mRp=;IdK%Q;fPcy8c&cx(CM&U@d*&eb!eL@8Pzz0jfYNja8YU3fFgYP{mYMLX`?vVT3Jq*bG(8`2eN6o+sCk zVd?T4Z+CChgcEYI%ET4#O6?)x60F#zxmorJz`|8nwDITV8{=0Ve(~xXNYON;x`$AO zgkbgB^}qS8<5je*`6UID1SuR=BvZmZ$f-Wo2Af0mW2$wDTsxnCPQG|0*v7B;_4Vt# zWj|U1OcpCx;coc_#VoBd80v1_yK827C&zG3By&b1eEp*7^9@2?PKpVz=H1bzHzG|a z`pnfpT>jPcwBek*{Z~^f(^WSMRP_)_btD18t$*AHN(uq`?x6yblT1NL0wgSPNI_L+$277Rt(LS=OykH8Uq5aRBT|r141`>=6-+%!6XVo^|Q| zD!q~(s;Kkp+vV}{1aE{EwV46c8G#dR)2-W^?(Y*+^-fK?w&Mx=YqZ}pdYDT;zvozD zOmf 
zZF&C0(mdu)tCua>wPQQO5^o7Z6sVGDWrZq@SV>l;BUVCLA;lGnRY`FL{s-(Zjp@CH zR)SU0?gpwPu{!hWTaQgUB>XDKC-DChnWbfkIf0Gy(@5Qa!MnbzvOL zFXz7`vH)bHTgTfud_+`GNNAfjZ6AO9@!$UT(VzePL6-X7di*OOFo+Wp@{?BG?q}Y~ z4hdDtg1l&!{lnrD%wxWHoSc4 z3TS19D$V;R-3yXZ0aeoZAfZZ8DhXBc$tFLz}WNgan+NWBwH`?DP zsOlV<{pV9cCUGlG#i!`5oMA4cQlF6G3qMsjr8;?fPGD`SUrDUb=x~wBkK3BquiN+p zl~Tz_sX!}>572zCm7qcmhT24LG=!j@YNPu3qz&s;U6QkN=Pm{njnPFwgeJzDHug|c z(HM%1Ni{wtS}|^|Xr(y-Z_x)RUFCYHvLjYD8I~Xm(g!G&6?z{a&o2#}l2BE>g$Mtv zh(r?(KtLq~ewy%)2cNhV`U;d+{1A>U&U|a*Yd}<`Y-zp;!q?c z9}yL8uL+d$3``JT1kp2ICWWg&7UbohOgDXK5dn(yO0veH=Zz*CWZ@D>RIAJW=Oc14 zQR|9|S7iU=B!5~aPWa6i_CJzJAE+IoqhtL8gW7lK@aSWY;Tjz}bQr)v%?{93Vh68m zV@?Tuij?wa&yk-N2qSVwunGK9;DxXR{zX0|+A7X(y+Qw?W?hyte1aw_Sv<}IOB0<6rhG(UFk@||*=3sz+Z zRg4yUsFJfjF3JK`EqVVWs{*R%WIa^zIP0NGKJTz9d#J)h=%ES&qM+)~;bYMJH7l3R zm|Rm^mS0nvS6eoAY|6-_es0P%88#$Z8K7!aaWIYfIo>2dDk`jPc6gWiG~cwrUeP^W z8bsz56}R4KG_097xYXJ9L+VpgV& zd9!4lXF*S_ZUL%nBIDxDnS99{{*K1 zEMXk9{gaOUZu*fweQrz!2nz6LwBdJPuyh|m{ZUmt(cVsW?9_>Jx0uR3`wmK+!scMZ z6-dFSWGO%{kn6?0qXF6bq+Z7o>b}8dlmEiJ7nhX%=YRg#@TDj#_&N#>V#G*4XuQlD zUkhX*WgjT>`)VOLe>*{|v1rLz!TPDIzt*1<`Jbt&tr^Q+^%dfF#29=~R8$12R+_%t ziXP79_i1mqO!BCc`v@AfY=uY;0JU7MrJN$gIzNw#Md$zJmtTUs+-}~oQ#Q;m7svo( zT@@(96;Yjs+=)=6haP?yH3f43!e08{+1z$+UOpcuLpx`t^X-4<9qefis$`a0{H{}v zT=^lHRTzp8C_$+Zqi(Z6mEilDGVqksxE+FOm2BxSWe3B9p>BXG2E5+;r)O1qsFIY5 z9>a;j{E(+l&#L6JX`xhRsA4ihGeec;D0|RY|Cl_5{O%d7)uv zz^uLd4zi$oMtyaE-%j(hjjReYWnoo9Cx%Ug2$ml&mS>C&{ zIG8e>N2m4OR1v0QRbn|6%`j2Xpvn`dTDNu$Gg3y&zI_K7JUpZ{Jyc0zC0UgsR+3d2 zpo;mGl~w6{fHEelhblbbdZ^+_kv>449nA-b<#C{_z?H$%N5h6FR%L)HeYk4HzT;w* zrC5-nr3esFs>9~6b>2#$rYKk=!U1Bfisl%c{_^Q_=W)wuR7J2V{_X`-VOj?diLkep z#iixgNpe}x8<C}da0_WmNe{! 
zFCAAgfo~+~I%j~4s_!y?6ifkGM0zDM0oI6ov+ty7P-PJTvVQ8ajl57R{@c+4RsN>e z2btbY7ee=sYE7Ta)G8|O*ZnT*CNM;|FoX^tJ%;%rna0-byU4FBeFacd{r5K^AV|y7 zB_XhsbV-ZA(y+UfbV*1f-HmjEbS}%%AR*l)4GJO%(v8yj-sks!XP6ykU}tvr-upf0 zeCpixF3{;I1<+Gd`^c+k-Lgu9evXB^z5bIDZVT1J{$yePXR0Vsc*;4e`2n7OZ{_tb zPKg55b*$dJqy0dsph~$B6;dnEJ-#As4l@a)Yg%KiW6Jb^alN*QlDp6s)Vk^QzbftF zy+cFcSf(z}J%10YzutyPz-hgefv_0ZvbisUABCvb1P34d)z{Hv)%~yIJDrmU-E+A> zh+y10U`{BVG{<(^@=IJ8upJ{;%**Q$eOm8BhuQs2%Y&4+{IB7$H|sC?g+73Z7PU!6 zwNbhAlAiNt%hDB>oo&WYTB(_-%WzyX9c{^>ftLP=rfA#`l9EPq^%?fT!C>T%269o6 znUwLBe}i}p(Wg0Vcz#ikPu_j+>Lc2I>~rolIOE<}6P!=PpXFuJ|Df%-$&;ODD;Eb1 zNGwQ(eD^75*q?Toh9Ec+;V&bBP^{4dn@xQ~um;7ZZH9i{xKhFx`BnPxKZ!1`027vjEi z#AT?|e-@3yW_?#$nyk?P5j^-=o}qxgiVVu(f@Se}P}HVT1yP@Ys&r11~&(}am#=(9ho;s z8jY|8*MS#Idt0d|6O01i$fot+c$I${?b+UW;u|OKAt^(UJ#P4n_RpdY!{D2gQ4c?u znyeY$zMt>q(HPPUyyDu=a!l9nNB;H;j+DA$FTmi1v9Yfn`@&rSK4qxnX4bMtzLJa{ z%9F-fyeoMA^T?|YplT!av5=iN``U-<<)F49r5fDe<*dZrY#^FC|T5JBy{f6=hAzEM`<* z>cI662-mn37rR#y$(nWwxv11)7voX}q$gR8@|FGlTu`f;O;DPBC{WbbH{b2i1`R}l>q;WjLG^rnHU$Z1smC(;QkzswpyrvMO zu6L^2QR0M{d|PU)dohNReD-&gDzBqp^XJbKRVMnsO+Nq5rZ~!x8WyPTI__;1_z$#9 z)-0WhL65LXd|z6C$15m5ou|j=XsbjHQ~d2 zCxs-%Bejtm)!xciunnfsn-rt6V%g4r3~Y( zTzVj?6ynFkyDsZTUi*&@;?5XUZ1;&RUY7~m?_9G7(6`@&+QAMSq+R|rd9KXrfJcxl zKm#d`a81-u)~IOFQ?AGaDdo(_rs?0ZZRap)mWG0_+be^F8sOCFJ&+2AjzCra(o2os zbA`+?+Gc+5zg`^BrHHBye$&reoNbWTNVup!zubLu_%}w+g!{3ISa|;rJXwRoS820z z^o^E7lFq=n#}GrN)SDfV`beKj)0pM%6}w&!D7h@=eW|((BZa6Ck8I5lxkL}w_*KLR z{px4dZlI}%moi+j#CB{Yr8e|8kt>Es8kjZ%HDP z5P8;Xgkc|cKO_R-yy5!1$&hM_-7-Lm19RDT-_b{7^1}61|JenSgRT$h9~+dXhl{X_ z0A6OIIfKB_a61%#m-!ilp@0$IHV^YL4|fW-2`=*snt@F)7l(pnQ6FS&aa1r_Z5>b$ccm@Qee2ldWR}$onOESVCS0U-B?_iycpjOvDX& zCv|0bKKb*i=I%-9)$D{I$NEnvyr(3#C#B&m`*fZBJ{|)|Axo#JK)9pI*m&F@d_vlw zoTFnW+>RRt3S886!MoptOfqnltTfPuZnG5(ifr4neK0{{yVW9eq}Ba$QZ%bi^SgAv zm#(4}zN!1;xtg-+KN1l}EzN%pxB6Y*Z0&n&yL&Z zkzA>xFO|ddwE0E=Ofu)w-^_otB8nAfOVS`jeK0upk|?M5317R2;}4mg98!D*W<=?Z z09Kqnl9w~Q!YEvARs@xUH@aVFXBXl0(d+vT{UHJ)w(!&8pJ?1~(Pw#y8|A~PE92_} 
z*~xUo^9}xQ-&~U8H{I04tx6!k^R|rhR!dH3+NbvtR*K@Y7BSkpzOHuZ>_g*zjNSzl zzpA;Z3TAYM?#zDKSXUkd5*9!L4LM?m9l~zaE7i_M;)s*GZbp-<44aQv8cc{_E$HW( zr9h{s2k>2mUT%n)@JfIKo(3kg!A4Lv<`gzEm57)|y&)3Z@sv2nXS+|@Yg__MA6WHt zIAJg0c2c@=Yey{4#~C6Af?daV&CFSB#WTP(9bC$zNMw4fjo*2lF;d!zDj%g$O3(_@^(-)$$bYD;+9_g*Mvy&u6AWFIV`92tsma2UgFcr z>mJLH5VJZQUh;0Kw+lZnXb`&{~LmPu6uMxj0(K|4+d|)Zp!kT+~F! zW(7eUv5Y9;4@h2|6KD7_uy#_#(^CU3nPQzd4&Bgany+g2yQ0SMO2)Dq0rT=%t&_hR z+|ju8_5A8<5CMiVRcSqpw}QR=57%yA(#K|g1(KRp$=J`YDe#a|*JraTPMwC0Yde$H z9bC=?4?<=&Ccmipjrrv*PR4LQuiSoTf{Nio7g2~A`Lq|Bo5V<#(%zRpYQcv8;V@=4 zmZ^B3iwk11+|1zGyGou}AA-Ev6i|-+99tU~nlRB`tEklmEasf@go}JBahZjh{LFR5 zDLf8SH@oiG9;5YJk4BM+gNkpjwoSAjZ|_6F9flf4WqomNs*lF>8VNSn0KU)k#_DJ- zr#ss+khb=k+0Pkwq5LK``hc9|>YY`4@_lrV>s zKrQ?&ic)~zoOKGK1E(y2FjUXnq8;j|!QK^;a7OryX_ofFDD@2fX(|X~bJisj$|$3N zlp^y|E#%>lNqb-$+^Kr)pjd}c^`}RS&+6|~VXY=P(Cn7T>g_AD#ZHF!RgUy(#_CLO zKF3)Vw0=(_*xdDiYf(kFItFbfwZqHO;H(#kB^cLl#u1{Sv2i=&B_lf5WGTi{y#~KM zSACt1A22D6OWZ+!DzOO&120;)KdWE@c3HOTxUjG*(cC}Xgek_mpVW%_+lOnUjJdX0 zFHr^tSWu&Y!LtaluD0E~zTxj4nhLo$PiB4V)%`=^)X&(aCTa1Hc*V#hWl~a@+DNh@Z@fJlUKGYG z#$&=g?r%zUO}?|wdoMulbPt1L({QA2u5@0qxylXDC86-9nL&F={*Dp>)%$m|k9@bJ zf6p0Uj;p?Ru_54!`#*(=D2NnCHg9kCjYdR}cV~;`HHvSL3pFa0Pdau{6$}nlHS&2R ztDKPs4a(Mn3CdYYi}DFlfe~cp!88h9rI#o8LzYSQ)6*#wHd$x!UAGmG>oLFRIDAr= z?vL1iu6!@fZt}dxzwDBWtV-oyN{FEG;WSc;nb9WGUj9qy8*(9Ai~||Y4$YHC62y8k zxBhIYlJ+YO<+5aK_s`j^^=!K|bd}<*;Ani%5o=wioC)7s!SwdHr?zw?Ck`G(+h^0A zV|bx(GAy@S%_=~M)mcSaLZ+@vXUaUVgY(2u{(EI8cuN?Lm?=z)joj;l`Op=t;0(8v zD%&PHqm5dR)IKq=9gRun=NcJ`+*Xq3{3mB>CDXV)fd_k?to^q?bp{U>cokK#6(lB+ z<-M}%3^v`WX67{t;#JC7@1dB5aWQ8f^FGS;DO@bt>({7n-n_1I z^=AlI6ya$W?l6B4pPe6adiWOuaH(LU_%w-${iHOc0IZrgrAI0Br}Ts zwekL2^8=yO1cUrjM6$6}MEc){Z=!x$spwVG4_^0qH-~If`EC>}P-O_f&8Opqz}3F5 za4oyu)alRFN@chD5lse_Kt;mAoAJ~0b)6gy>4qr;LwT3r^A=7p2#HCT+)N^tT%w;Pb-wq(|lhIcs0N8H?N(?nl^sY%Fo;$ zZOGARAl2i$nViVryBR=~3gU-vCc;KgWYo?4m(dtydt|Fclne{kMVC4f=bA#+nK&F~ zBY21c2nM`^{pq||lgVxS$pnFI-tC^xr_Xxx7Dl!wqfDR8b0g4+zpvUK?#%-+Rdw2$ 
zSbX1~185$u`GDU@J^7E{n5qArYTN*^gGng!iRff&1a0$Oz%{B2BM1VRpEB%8#2hlps|5!>}!i3d`zb|(0pVi z{9~HB=Xa8#zs|y>RRvpMCy?s6S@AvAksEvPTyZBllBJ+%zPc(w?kx>wxpjLk`;f(_ zJ{>4BeanxG9aGb-d2cn%Vv+VEER-yY4Hui{49&EPpvqIfu>8C6ia1#8bv+isyiL&V zALmK&7ah+-vG4s{5cPb(8I;E8}USQ7u?y<-h(a5-dmZVmQRRs54ORlo>lo914TFmr+61g~d{h6iq!E3=kDbK6u57CxTNl<62Hqw9W(MCZm(ve%v{DqxQ029xE|{`?u<=qqaE zp~-5wx6HhBz$NXtm>E^ARY*5P=%$}@?CEZ2;vMKMIsZfV*IDR!2m7j+z%MpO({AME z7|DH%Y|%B^=TLB&e5~LI@(FY|6*OLOhQiZel-HF5g)Y(~1xX5os0xhr3op?P^wNah zg;OQvWsw7!8zA~_m;H;O@n1eiqe3~s{5At>g)!a4rISQCU(d!|XpZw;9qzA1jya$m z|0a9|Y$iS4M-uQzMGozF78wk2Jzr1Sdg?nW%Bd|r2y*|Ll!&R{y(PM{=f`cbmUJ<;=UVJJD z$F_JTn{@TN+^t`EIM6;rht6VxE+Hnq>2WbaQbxerGv8-#x4WCsj!MHeljntU=ek6= z_}T*Vv*+^_2x->aFkNgSiYT|(7qTlvGFg`b*54{}G}XjkKBaq-zEaTtDxG|$=TZEK z0EcdFhDY-UJ+c6r4C}bQP4FkrJ#kpR*PgW>&&U)4@ZJ^a5oD&xB5;bix+!?rdmc)7 zPtYT;?giB<9M2#03u1=$2qIU2y_MrHK$YvkX_{6i0F|pf5l9=9iJ@E(cBz2_bFH=~ zfZFzQQz3e{b_(sTlNC7D3aLVWm9ywP@6U&9ay|=9r+C7{`;=*0+apBdMrQj;YQj5d zB_-K^`gNr>bq_6{TJ1zhOxHuc#As4AH7|ativc?>Yifs z4TiBCr=sUBa#X-S_{jW~nVjn}MgdPN6#eKm*LI49M*1`TaD7~0Qet~uqh6EICq^1MQ?brs%;Gh@=WB@2S*cFh|`Ts zLP;kN^o&w^G-dsKY!JJehj1(2ZGYS9dV$qv@XTGEZpm$SPz?hq$iVoXH8SoD9najO zp{W~R1q+4`6?=cKX?1}vK3r>=hBAywW8cC4uE`|x%pl7@=t6VAZS;wDcx5*SE^L@c zFR)}%AHA|@u>rh`nTo=b@9AZI@XGPGIihbq6a)qkNIe*z!aA}m9ez zb5nY_qVuiNs#xJ6ga4#+6I1p5%du$@)b|nOI<^mGH@n!=HgYMWtu>j&@SRa|0IuWh;TL z`b_hDbpLqHLG)w-hXKz#a7=R`H(7H4g@3j=otO%lM0OG&Tz}uEpddb1rOy;()2452 zg281iq{y>WJR|_WfP=BghKYCV$W1 zmQ+TWB%@k$QCfF2%HN=svZrxZ%F}lY=nbWcXI7W)z5L6%@a1-S(+_i$wnNx;`_#|V z%^AEDr*FB(iL9w>EzA?rN?#0UNj<%of?9@qGSJ`o4X}Gk8t`Rkij1`-Q3P!`Y1f-5 z#PT*v)aBdznTR<0tY|tp`Zzd=V9Ud_jwXzJ&o#rp{)o`qEr4jCSSo?3!s-o-2!_p2 z0Bz%!)Is6R_K&O8gTLW;Jx3%zwbscA2Nu{tO?P}`YReLY^g+qCPX9)fCbbW<}>&x%~KLbMl%Uovx@2#kTUnHKLDyE z?Ywgmtz$FAp#3so!bXZQPOM<^T>Q(xW1Cr9fHEf*zX=NCp>`P{C#;p)_FRfbP`X{y z{Y7AvB7=0?E-_Wwam6b}F{cVP*ZY|0=Su*VnpnW*#3mu$i|fTyD4zWC*Q3efe5>2{ zsVRCW6un((=n46(C75XWb0XIP_&l)HKrHdqvG3)f)9jb3PG6&6%hz0z${k=r=5*Uz 
zf#VGzj*%x(nyRuWA2_EtDP!?9mvM+4rbTJn#?uwxxixyvrXOVXq+3=juJjDCIsdQ@GFVu!coX z;6lIXe)v6>Ei#xtt`hOc{plY&-6kKWwDY4+{%TlRAdxwY&%)wz+#hP}rO?i%kOE_? z)yiKJ>299i`)hiy-lVn-Wz#{1E1`d?}T;3S$;w1y9`Fg&+2h0XLTAuy`ED39r&=(?_;+F%%;#zEOAgaBA zBJjfF!#%+*FVm|=i*3iqbB5yr`70pD`k2{9{SMDDi)d)bgUB0CbVO z0;l}_$6#R6S#XV^hDMupdv&7^hrZSM3sgTqOX`k>lu0v(jVn+Y!~hx)purEl)Tjqn zUTS1$D7U$cYnHA7s~ohJIxTen%-x_00|+Ws_M~1mFIXiJ{Xf+P|`^^`j+Z>-OIB>QJxjI zt;}wJ`+NH1tP9B?u)cwov9EUyP6Y|U4(+c73s}g{zoaycMPDtu=1aBJwMaWnKu44cl5^FT*oy;s_ z2bh5&j~NR#j#(OP^-^_q`5116MJV&Xl4g!oO8PC?I64~f;$1ja0S5`=|NQ}QyEr^$ zdiDDW4dlr6FhRdA4C#bbB?`jEaRNnCFh1p`v>e}MPPn_tf>)Vp7=869uPrD%nA2eJ zLVKiV33F9yqrv`Hu{wdX4c2#i*{qgtuTqJKyIK>~VoM6| zKxOgEr)_ufNPV#L`Qd)|VpLbZFb4AtGKT9kDM1g~^yBQBe0FuU;Za+3V7+t=czDl6D&Obi_Zu?$5||DPX|`b7Fk3_ek^U=9Dm1$ zo~X%M3{~(l56x#YEABx@7^;*yR(>l&E*9Uj#j5>OP3^^ijp962rz#vx*W=rJ?_-4} zfFS?hd?zL2Jc=j5?=dZt*G>k-PuPPD(s4r+B(H}y7JPWqp)c_ap&nzZVmuf`d=_L|gi<(q!!n z(`QOIk!1HHEBnnqnlEDIbK2TbZ!kI}OID8PfpZ`9kIol9&>jV}#w|J*Cm7-Oy!Yc73ZhPu#mP?%urOk1oBi58$Kfcslt-YYc1KdS z14;48j#RWkOm`nLO5`R1cIR8ZSe0d19b=RgcdbFF#YZ$A?xzMO^!3iMkHq;l{Ma9# zw4de4pjfTlK02D3cf~7cRVNc}*fL%8ve#T&U@DWcd;V>!7xXfO4ez|*fsF{ms(({= zNaj~V$W=^iHn8%3{9d${S-%W|4S@O&vOh$CdAO@JZj0VqI3wAY%DDzD>|w*^YQNZS z@i?$@1TCUYreXb`Gpb4ncT$CGpX*np4gs08Ps8_Wy1vh{kQ?iew}0VE-GnZ`q^yg8 z??o8sK4e#%Q9dTKuUe^)V*(rb#x<>8z-MrVa})ub7Qugo)>A=V5aXRek35r-`QVWj zN2FPY1Rf63C+s0o?||C+**R?x83fLA#QYDDb3w<^#EQ|=1NHA2*Me=&f}o?uma!9q zPl<37SVD=tSU?zi9^aM-`2Wg%d+7)a=eV%vFU;@Es`+a5t`3&@Xo(a<38!A%{U(n^ z*5@-)1Uhrta+@Xn?V|O&Um6B`(>X4pPsC1`8Uwz99Qd2K{7OykyTkaHREd+)hJ*pnMF4$e9| z1IP%=+>e2}ck>U2K@e@Ks!O3Zso0}9^_k+zWHB?sKm`zbd3;d-aXU~t zW_VkHWdF*)^c0p^vuS||C&y0q^#5Rc65-m~hP)hfc~Qy?c*yJw>5h4n(~F=p)}+-j zN7KU9p1#5*rQETkQk=bjg8h>wR0iH!IBWdM3hdQLGIS@*_KP5ISj>X&7$ z!vvS#qhZB-|RI+;W%O;iBlQZ7s$Pgt(RgAk|Rb#)XTQQEi!MnG|Fl& z>@?@(7gRxExyUqN-RKDnbv zmnhlP0Vl^v8}hQm-+4#%r*{Uti9aU~v-lGDuIA&$MX;Wk93S$WsxztQFbIh-CX+et zd?jt_W;HwrxeExe#Wd1-r>aUKL_p~j;6g4`kQ~pxRbhUHhm94I-3pWIPIOc{q>3%|J`bLhkZyf 
zR*k-djnY#C(HT}Z)5vS_vS@jtl`v-}&R!4M&eg5c7oWlMiK;<522rE_1x}ocy6(L1 zg?yYTTGHsN&g^2SvO4Eojuu0|CPMuEyDk7!EgZJ%>48-94uGeObBbC6NFn~!fu@BCBwn(Jj9$2-5imctlsm@G?mF) z)Y_pS^P3pr5HdWjHwx*IQ8#;)-z{6-ydZNP=gL;4vGfr2h9F*AhPo4n4*E32gXaEt zy_QqmI$V=E3g*g_awE(VZ>77R<-t=(9T*tt= zPs>EOR4S`|eznZxmBPwCB`mkh47$&c;hWKR1IlSdsa)HeKd!U7x3mk7Ru7Xzzhg8d zp!0Jt-YAZ-si+p=ZxnIqknNMc_{g79IF!j~hM9DYZoC0me|;8RWSW!mk1Q=Uj*^Ow zeBs}2dA|2a4-N^zQXhF?<*vbu0p%06NAj`2SFTqnD7<9#luyV^V%vwVn!`d!gwDA) zI2Chh97$^n1}bBOyNm3U$2&p|VzpzmR9UlUm82`un`qEkN^5?lLRvepSDWDia8Fvc z%K*;getIB<84H-hlo8o*33>q~*YllPM+;`7O2t<0;d2vl;Y4BS?}2h$r82Jtu-mp2 zeT1zINB{)&=p`0Rzzu`+rcvYQJ9=xlU|vhPHugs*WyVi|LMr=WEVXW4GM@vaCW#0S zM(OX2@JfCJy%`@qQ=*zmdY@qx_)#)91F2BJb&Z z{^J|V&Iir|qL$ZY)ek`lL|rYXx}7%ydPG-V>y067cyHVEdDPI{q3`!wTa8QpYD!F( zS`w5h6%C=S#sifZYX|4rv#ciQyk2h=by6)R|8@61fGSjcn@C`iVCSPGH0xN)SjN8| zh-up%mz^kOHYzXkNh$rPU`G5PBODVcwjKU;@RGcB(c;#J*Qi|y%!$T@9gU7;F~}<1 z`wdL^{9%;``hd>Xnfj?>v-*=Lmj#1{d6{kwKvNub+A_`cQe_zYUR0c=a{Wb<4Gh}~ zD|PfmWwIugfvu9&LM2de=#gj{AJ%eSZXxX&jBedK=RB> zh@%Mf7i>25W_^l@Vhy7FZ%cixegp| z#v zLj4 zKdyc`m4HT=17ZHMxL~xFnDPrx_6IG~*dTOdYP}o>THJp^QvScT7nRP)#=CfRy?34FIuuMfj=3u#|K}7rU?d8Qs)BensUdE`_she|#o&9}j zJ1B;|fh=cM2GP`9eyUR>M*Ye2+t@T~%qFoVlI1s)b;}g= z6k{T{c?u1dEAELtTww9{PlOXx`uvOVRqoxQJm?ZCXjm$q!fLJN_4wYi8|n3gtg`+I z(jj$^x->*js1o`ZUl>DU1`xyZ@^;$za|gRR|8$B-v9a+lj(D4njL|A9OA2SZ ziu~Z3O{iCii2F0u{HKpLmFxN;cC7kw#rN&vcknX2Fq>dF0=*D>RQTV)iU>u3EIVK#Jz`P9E24~8r{@o z1Zj2$E4IVidd3`k&&$pwn_SqbRR<=2>V~$8cohF9Og~UV`1zsTfJKqXEZh_}@)pr{ zV>pVwUoff>iX?M+Rl0Z0SOI?U`O!1dgkhNJ=tw@7xjN#c>D-6COLLmH`}pcXCaq6r zBsYlvIZ=^oNxs!9C7Nm~XW5=^-oKh_xX|40x6aN_H5JHIKVq0n_g*`lb^+LW1vwPt zu?O7hSn9w@fNx423P?m#Q6cJ~&j5R4Q5zhmAPm3(U+SmjklW$OG~5w20$j+;l$l$b zNu)Ezlz}2%9-PhRurf(P%Ra{nALkla+D?3 zBA_fM*iHINeLEq+gKqE9;X{$c63A|fmlxl>T;a;5C0Y)LJvyv5D#YE$p)t0O~(5G}R`%GbG zr*XZ|=&eet0FQ;|(;b3CAFpZ@8|%;A`oX42h8$|4;IaRH*~QhFO?kQZ{j)wSNHnNV z32j)>APk&{6}IWPK4f)I;R$~rH4f&!s5NOKk_uCNK*wJv7kj8k@92JlAHGAsm7DNN 
z?g}qD6oE(J+S6Y`RuH2Y#JgGRM1f?PkfT4>oOj=hnKR};0Wyke8*O0CPhoei+1R5Y z+WwcCtQ~=)=9S})E|AzySO z4-vb3Y-4QVjUHRw@oo+GwJ|=35QaGV83mDlBEFT7Vk43&VRIaCT#bo*GbZ>Ko;776R-PGj#WCZ`|9NqqzV@EG3gOBi_*l;DozH z!2sXD^yZntFTnfLA-)wC5hoy*24K_AwUkkgM969rHvV3ngbzt|U=%@Ff^^v^xuI9{ zV=qDC3KrH+R0@Vfo5y~h^cUxeWh^~tvig*!?0B9;m&=yJB6v_Eh}H!^j`YQJoeOiZ zh2XBZ~`Q_#1ub!S|bvNg_T|WJ5awYVVzGkIP7%-E3p^T~wO$9={#2q2n7h_qN zt^oAZgqCsd5rW9({A=Xrzhai*f)fm#x`tCP;l8B~>Q(df5^hcTc?R^qYuQqe<^JkZ zh18OFEnbV6cfFZfr>QQfo4T11F4j|thO@mRz^U^;dC@F;uL;!&qb5%I(YG0GySwtt-PVD%GCO-s;zx5DelDfM0T4=w^cilP zwlr_P!7R0S<&ikF;clYp?$T)Jz##H*g7@F`{yd2*{xU16OLF?8Gg0B*u~Wcxj4rIG z{K?J+`Vjz1w~i}U1SsEsaMg4kVJXp`Nku+MXbjFJ_%-~KgNjK6OPib)kadqNV%XZU z#kxK_y7;>MB3EDExv>ziVdMc}vnpQ6&Dse%%bSZ?E5(sF4<;cxO(8?;n<>_0W1?w(<6-|X~{TZet*NZ`ytag|#2 zlbb8$LTKbVA6wmjF6Uw^1Vqmh?B3HOvijH|k4P>~MWbbgk3KTOJ<(wA2){8tHh7>F zwKr8iHhH2g0m|1X2nF7<3D7#}^gzj%byuVd(dKNynYe~@LFuUweofZGm{xaN^}qdI zpO;`LgnoE9Au46jgp-fejjaWP0R>W8}I9M+yHS?90Sid zsMU5c>#8jxJXD&S+L}hBv?RZl6J3nrUs{*GlBL2wKhewx4#>sEai9HSl%abQa0)@t z5^!S@3@vY>UlIcknz!vIJxqm|=**R)r+3&l9(2^pR+dEQL$;yqEqAdmj5p5X4(I({ z+nUHJ8Dwkt#d6;%TU&!A(!bZg|DN=s%Emg2qiXGKEd5*^;|xd{Ujfvt>vrqo^4x@y zp}telOHJ!{3=!_A zwK`9u07+p*B4M{-7?{KF|HHi=8Ng0Sq}g+zfVDa z=;?K%<->ja86_gIrF2OT7cxPw1Qf%J5TsGR;M`UPx>5fGI0vuqPu+FBC;$Hl@n0t} zA1y!DkAYCGkh=F@+Hqrf`@|zZn+h#XPLwYWe-HEPk1ZvlB7A?7$?|KIgL_4hmO@`! 
z9G<;^M)SDZuV=zr+fNc{y114i`FX7PI#YB8;yz~__F;&leX59R`=!ul^b$r!(+dN} z1b&>x8^VGZj^)F8>>us#An zbueHtu+oGbnynRMVdVMw`O)x4%UTr&hNN#2oXhs+MaLoUdTArjI)=Z;!AgoGr|-sP z>HhV8Ww*BtM#>yG+danr@c=(V@dWe|XRxJWZBZgc$_OqG1Sf{0)lS(GFakD?Y z+VS$7J=b-@6Z8!1mJCC7(Jo4^w!=mGuU)3HN;>)9q)mNKyQ4=kSX0(Z1lr#v=_QkfR~fSz7lgee$--YlVRKJsy95f3H`Hu}43LnlEWvOWNAK6l6aRU5Ft@5|utASGJux-ZHdj*?5i$H7 zW&8_m{>)@SP&Ai@TJQ`K(28MK0#ioRLYBELZr2^d$#+y?cGsJ>FvYG zDcdUGRnMGq&;}QZFPOuUVX_rul|}ta$TZIBN&u?zdRSiEWyV?P_f^6nd0CBxsbtVv z1uGo!Uy5I-{|>pe^%@voU}>?iV0Aq;0Bz@)eS69R+%}lvFg9-pY0popMf0l4#+8gO zUZ1710xp%@X9bo85H}I!t|Oui;^sc-kF|{CZ}ly_ONyu^OB%MgKtJBx^cSK}s;m8j zOGbPwWvn-xNSug>PjlL~ytN|OgObep+o(~p`Wv?BYirhtPV!oqUh<7FXK)!P8Gf-G z*@IP*`1~ROBoPJB<^d$FTw1suE)L^iygq2cyA&;zsr#ontRJfY8UyRN*!oFVe&CFh zSf6v=>TK10JS^A?1|s5s^b{-Khil;#sKeiX86SX5m1(}>_do0~%Ugut=ShRe^eEch zWLQ$ng#p7S%qcp=&0F9?i5#~s7>>d0gOHx6A2y32ur-Q$8`xY8PO@IgSd0-gQ1Fe9 z<58ZOq|XXOWpX%~Ad6vJ_OD`qf-zu{eCEy(p?+l&ij1HLM&b-Q8G4^>8b*RQ0%QFw zZvpB<4_ey4$6X7K{Dkx(O#@~(PA&a3d_tKfE`>oPOJ#DhX{ff*F?YI+9a}h96Z_jrDeO z<)vQn)Rgt^yV{nMf6Lr1K~SnxP%^A%^t=v?SqY4s&Vid~mOG*inW8_(7R5qm zd=|U&aKAN)fqZB=i!X@5V^kR!dOVFjirrExu-iWBz(&a3XJ(jmhre2UnG@L;#yJa4_emBG`6ZLn(vx*(LnzAL2QRbBD_xV0d!I`eQ?I4WG;W(m}Bm`JCCYFI-| zt37Je8b;{5kop9OD>c$3e+Swg2{USh`+UjDu>Zy` z%Cp4k>&$jCNRL`7`AA9;L9JjpUEZtU*Sk3p_L!uBVUp5cZqL>V3)RWRMv-swK^BfP)IDqx@=ypkIg>ES4EVh zz~R)ubBb!sp-wD>f%{G=&i)0d1n@xK{E`8c#fFih;_5|Oxw{D-u~4P4*;OayR~rWw?M z36P@Ezw+e~HzOJW+IrB@CTH9NwnHG{o&A}4%Zi~lFbW$}Z<~>kcvp5CRBz5Hv1WhsPw4NsJqcDj?^8DIQuhNTo>mT-k zA#p3Gkz5|Fj9$SFM~{K!MU@8l!UeRfIo@S$+e z={WzyNNW$tcm9^mg)Nf6_btd^ZmJxmy1lJFlRSU^}m*;hWnyF$0! 
zejrmgph(-U1N<-;XNz0?GwZmspvNf4)dr!oQ<0F`xv#`%|8QYk7JNL&dJx*b2yh9# zAzY}<2_Ur>qxVNU>nI}!N^r=9*XDioj4svH+reJ^^qSmee;OmA4E}tD3RC|Sve+ZC z)5@z#jb&5x^jpmo8LlZHqO{z%8JsKczHPQW=a#0wZkC%rHp%~W`Sy3q|KsQ^4ASU&ReEp9PCm0|swdzBA^2RrR7Z4T6eX}S3 zKn3F2q=5w3Q>ilxKL2`sn>GcNh~MT5mHv#!*%j*aiJE)fM-Qr|Ashh$4j0)zw42V` z*}_TzHp!5Dw;3lfcu=eT_pIV;S8LL-IK-*5CK-v}eAe@LHFU=W1imo}b z6k)Jl4U08WehwRktVNsL!nrNSlht9l7F6%RFm~dYy!fpTl=p33n0fADNwf{XHvC2b-zFnW+T3&flKw~TWvdDfxsmCkh>*TrY<7fa2 zZ3Q(X2$M9LCc2fkSFT3lZdkJ>3H$=SkT7xTCPR8HiouXF(7)>veyj^$o7_CEiX(+DDp8F6y|SKDbv!MAqD+av!5UG#E$bc zp!}fT(zL6ST*{X8wvZVAo3FP~D0ln5myU~$o4eF10jEr+e#tIR5Te$UmKWtweYSr= zi<*>t_?ana0(yFKVXfR1m!~9RzxahtOkaOc`UrxAIL~Z{D8JBf#;$yx@rXNm zRZQFOiOMJ{o-=yd(fY{7y#>?+0|{&?rqF{tIQOAXI{?Sl<+)0PpFBmSl4p@PISH3; zptr$1rO$pL!}dhu-fc|!4XiSF_9sKa^G8$%OE8cES;Ygm%@_0Tv|V#-BZ>H{Pv2eU zmeOzo)76jiVepyYs06e!$^6(%-Co91%XHC6(s1k=J$K8dvY$LvJt%CEf6$LTbw_7^%;jGn7_&`6=pIjntWR%5?qgA1lj=mRBkN zmMaO{*@SG4419M$MGp3og^Sl}N5eY_rO~fUxwiE&?i?NlQf@!oPE*Yy{02_blG2Uv zq*!U{zpT#WyDTv$N#)c;$vAPw=suYBhR%LOw$KR9{t8ONf9Ju`+z?(LoQ+!~Rc{S}xaB05?xVA3H@*ju-Q2?n>%o|i+1Yz~!w+c^HY%tkA zFZ1e86q1811z^4|4H;zNLxPj_-(niz!Qpm{*{) z+Q}pL0q#s%hjj0tC?yZoGY}iu(B(dO-CK9%DckcWm@tJ}oqoi0CYQI{RzZH%42kjFYur}hci9IviumznxnHi z^hiN#j+)p=B#-F&lqQto)@#~r^f4f{uHW?VRlW>i*Cr$PvfI6!0)QX;Iw9n1fP9`yV<~zq!`H2plMGsL<Qe?JE(rL+hF1nF6FeRke}iEn>&-Uns8uF0>b?2rIvu{X7#D-w)w|}qb9x!m)6mF9 z;mbSk39I4TRsbU4;h;V{;O1g%YdYyb+TfE@Lq|pkjT+yjEXzw^ci_tLpdw6tN4BbxREbfr-Jdw(DZ_Je-sx>&=nqy?RS_xaOHA5 z)T?{52@{Amu$^?)%RCOyAn%L}=#OT(!KP}FjXyXPgY-XaNd&GO$K^@+UL4F6_bYr1D^L3w?HQ?bTd5T&~Lz=#VerzJ^^s1ZK=r5(Lp47l4yKU8o zRzSLHpuF$JqdY~}lKJ;+nmTR-;wX2Ea{seUQke{f5}AlZ^in>de8pd>3DbKe`yb>N z>a;&TrQs+JBvwYW*6?m>WKTdy*tY{v3x$uE;c~Z0w(2`C#&9pHUEBM-yMBHa1BErnc(e4N0iZ{&BY7IXgdfrj`fXty|1%fCq4}fLO9cG*j1d# zF{W`#ZGYrL?D5G_pUWbefJk6lOyn{H~PKhH{ZfGsy@-Yxv zaDZOoT>7RuT?ZyhVdJscu80V+gQ7>gsQ28*MlybI4>CbZlEYw+B!8|Vis&l+VT|iX z#&i6Er-t(&24Y((oL?3t{r$*sDSzp&uI2{2jx~S!Y0`Wo8$N~aX6nzbC#E@`4r)kYXdlotKLU 
zNN6?o8HXK_~2rMC2qo(+bj46=8ras&bL&ufdmx29tzpWE#_wWxKt)+kG^xv6a!imGbaO#( zkUj~4GC#|vG32rFcASQ8SY4Hs`Nz+U#CDE1=l2px4_{czNs zH{8~lB>sj|xmvRFa2^EEyy%M3rEnXuM%v(Dkljr4^#dmg`d*0*l$Y zy&pZ(q{K{hEHWsk%v28WFhGIg71w*{Fd5=y&^{=mr{EE*l@!jznDxC`8SQxeU#zlI z6npdeafi{YFyoZcSg~C+w>Mb~r~4R4;|Vu~6p5Y>;4~}d<)LvA_E$gg`K+sYH5?2y zuf^BRIHj}zSal()a-#q}19*8#UI>!y%_E+F86S#`xQ8)o= zkXm_&g|vy6=Htx@7pcv5+|)YXls9KvrtqIEiHQ*T6=SV}rRXXwmVm88HE-8QC%R3o z6CR~2bMxAFXq66C?7ZZEUieT_5iXj^_EL4mzr*N1hnfUT5D;7jP?7G@`(!ZH7oMa( z)nB1QUh?a2_YtF!j5A{OvZ|$NRznZOJq+@NY)0T8=RB8_1>-Sr2&sWF`3*SekmR2G zrX2hv-y@LX)ZlRI8w&aXYR2UEBieqK+w&?Dx>=e+iyB z1w~4ts&l0$oRJodVdN<_1!rR)U&FV$5s#Epkbhyoqpq_ik>bVTmAibYD?1~k_1Wy< zL(@Q}xT(XmxKf6mNXuj4`wL3ql7(``T9%N=R*RcUx`t_8p>|uk&FPOHyrySod|xqV zqK8WmJyh5McEV)GW_(dY^e!RYULF$x$dE+8r}>uJVMnuVj*OkASg z^|;2mNw8#9U_j;FM)&(`FGqcIjn>_H&iaAOTOzmAsXVK%Nb}w|gr(P1HeKQL%(Gxa zq4p@~7_lrVCO+>e^)9Xl%hlM-Q?s5pcZQVzyDclJ^vT_Y-_X{iT5%!xMDzO?LRyih zxm*?DlGfJ0yDETaHC3)UK{WvaK*B1h6HB(>{amlcbSL#k+GpeN7jl^VRbPY17FU0V z8{;r!)fSa)O+j$hcoy$3@3I45z4|98dbEvFlv%#FJ7dl*><6XwOP@X!PdB{RvgOjN zV-TK)Z8lG+S0e1E%ePMIgAm7Db6@1!<)_LLl%m28PIXMle)BtoYMD?R1RgBl2I+nX zIK5kaV-%8xzeV?E3;j^czFxpYe4(mk5se3N%=RI6K z^cs(F^)tKv@NM3Fuio{;?<0`YGX?ii^+SJOo+3VaM7gKOSOe^lPfVsM_Uup6Zu}TZ~z5S*RwWWx}xgLZwvN8hlZgTlpfhr#b^kvd1+V-~1YI6c$x~o23rkVOZs1Zd?xm?V7dH})yGv*` z^!J%#zcx)v@Yg6XF z5DUDt_x}oj5ad7Z9AWv%`lSHtR-D7*5?L4+`m_?k_&u|=hW{kbXytu@U+jywx8v?I zc51s~lJRqS1-XY)8Ej$$H8NV+w6`S(DTR(E-?AE0Rts7$e_(D-91VFiX z!<`QFBr8GuU)E31Ai*5kzdRk`fG+El>d!rCQfX6kletjOlD9Z7htX=^fzubJ-w)Y~ zZfr*DX3Z|xDmgcQO?c#6di6a-e;P0};pG|>$2eKJiCJ$-el7mnQTBEuik8vec%)BI z=~1Hu=$Ny{_IXK1TK_p-yT9*rH@L z=%wo&P=|QYpN0oUg9!C~sQo_|d#_R#4~B{2Vp-T}LP&^$e8fTipfzcLNVW=8b!62S%oE;z!KjxYtUrliIpQ|QM}bbt*@F%&@7#{O0&h5S6~he+dI%D1jhA@#2fpEjGa14o5RnW$cWL%7zi zD`oUv@s;3%zQ{$>iv%lb_G@GI<*#YT`{cW38kPhLevHvT71ahED~ftpm%r4JLby1x=( zLQ&K}ytCNgdsQg(x!#>-wzeyAR6**+0PRBYW}k*fQqxqfpU8YLJ|2cXv?nPlH(c|E z(8G04hxP+9zjcEdR0F(nerkhX3PGc5q9XbYGnGBye807ocXNHXE-(;&ev(6UPF^*Y 
z9>FkMl}B@($vbu_J3sonpFI_bZ#YdAZ^c~_&9#fR(!hb%X34wxTkmB`sCLl5Tsdu^ z>tVU{`;OQ-wTk=ei4JXV(DAk-5>HLxHcv^Yi-o_B<2ZUXbWSYfuplvga&k!{Q*yMd z_EBiS&ZydYoW|%I|v{VKPcm7uZSAl z_9M|~Oal7Nz5_AihQ~iOGt*XrHwwqBb$pkhA@dw#@s0FyX zEK1jkKiz>nELR$_wbtgd7$2(Zm5zl zF%=d29-JTudZFsxc8xv`Bt=Smm>q(m)7^7yV|w9Ebz{H&?Ov z22dr-(BYvBqNp$nvoEhBQ$9DAbe?hzd|IyELq|vV6)Bga2+MV}yRwITmTd|rQ-0=h zFr|}&kCdp-9{(X+i}x`8Vw=`HmyXCrchcYFD(r0Y`~Kuqt^a|Kzy09un&{7vv+Fno z$t3SDTIi50BWa1Ln8!z#0*OZ+40nIHsd2TKI@-rlk9{7BwtbitqFYo_;E)z8wLZ}Bm$-D?kgN(>TMeGF zcs9}gDl`4p#ol}ogr1)zytY&b?%@IbRf=asOHTT0VA^`ICUPzOe4V|7(9rq|uq(_I z;)Mo56-jVvxq@sPq~wbqo0|X}aPffKygm-I8gfn(ToDL=`8$;&pH7*oVc=aZsdgqnXlye~=y&`Q-q!H(o1toS$FayjT|V z@ww7bPj&#mzw}+H8AQ+Wg74-{Nn&~5t}KPQ>W}vGC;*VMTgb+bXG{GuY~e4-+tby8 z4+A9QOSgNu2xsqjVbVyE!lpZNj~Op0eMf)~hdUgWqk7Hn<6>$9A;@1Sp6H@UD00P2|zanB|mb%Lo}s zCVLa@jn=8#Q(nnQ1;Gni9v7wiZSYHzytyAF3qGk7@zXN;ED2IQy#jg66r5h9Oi!tM zz8+hjmHYCEMla^!xb}8ZMLkp0$-BHRXlN$)!7sUVWbRbsLHx?`{j9~s%7V=Kg<+k^ zCFe_qvbS5$94`W%UcgM%kx-oR7d$B<=3nj_O#QbPmw)i?xQSO`9kqiywiQIy4Dfb@8@724dK9dz16=6IRMT6{aH# zfloUg7HZPdg&J_r-=%wVdp&VNV=oV16B79h{|kC(*||4Vu9a+@*y`o%%oIQ{rn?En zHLY!`Wjdu)Pf8(Ze*2!K8K*|uSN3wf{WtSoTXl|NPKriPzwOWg+$Wja*ofqLFXn5p z=Mf2CK0M=68eM#dcvmWHh&T< zf0v+KpoM$Vb&9wZY_D?hy9dYpyMZM&l}&-$T-HCZES`=%`Uv zRzC)GR3M9iflQf@W^t_}m|i+(Z&S6vdq{6b-6-Y~GvV|~mV!Ye3Emd634_Jr&CDX=EfkR#ni-zRy*N+zk5&B`Q1GDL_ykhjz zNDu$C`oy_wSljRV%aRQTAo%){rj*W(t zGW$7&e<;yR%(q%=8SdxV>nEuL@&SvdTLJec%D21c|J({${c&03%m#S6d*Sn zl|=pO_6+1vjM2767NcDxO{D663XW#}lqQeO_cxU6TRdT1*6zMj>7TmtL?ny|2-nD;9{NvV6EH1F%*K)9w&t(js_ zY`w_f662ENU>`&d9Wo%wDL|O<)3gQ);a*mWZeEt7@|EI6i~pIp|K5wi86EcA3mFoG z=AGc9_~S+DgE7+?nl}^g*5cn!PEX==<@DOl0p+J2z!pjCA%iwli}<`~J&$1U00VSMTXqFQE`o`j_~AL4mm z2BLviTrqegAF zgAp<fN(EE^5is7lgS*(Vz7J`cOjWb;zXPsCn9344E3#Mi7v#En?^BKYg zP)R4vK$?{E_1Cy&-z(d(8lNq0!%F#RpWB#|KTpkEMl%n9G~i)OuVwi32i}IeFs*w- zGH~&0*%N9(_!o{>DtV8CvAz~^6JI{!Q2qFiVd(O{8~9<`G;Y3Xc&LNhel=S^;J&o$ zGZSfS2=v-YkOVME&yF_2jchMQOALeTtN^*7VR<%RA(s47Zn#19<`B+pfv0h 
zEkI{GUG!JY68yVruhu$dA7Lc_e%YH2eRX6n8bk%76EOCNoeX8}$1Dv3(ukr4ObC2n zrWbVa;9dKemIJFA#z&Cr;h~05$YW$knY%XQ58n`#28{G?*xC5>XN$d9dpaoDMNUj) zlkOEc19zq#9Z5d~vCT%sdGvUEBBCj^4XSw+qwO6TG=wUwmQM-eQkuwEaCh1i;tZBFsO2 z^02H&Yb%JVdb94NOv$)ou1YA0!QmOD^iIX8Y&r}_o~S#(^`t5hVY0ebGNuX&OR96% z9xz8S|s? zpAxJX>uh69i%i#TA30oNo^OUw8IG~4rkxH53{$n%DaE8ki@a2i$Cq`U`%pV0KUw6@ zwWY5Yyi-E9Ys?K2Vx~m|Jk4IFkJ65sL=e%AwkY(7b6>nE*Qj$4dvRYi78O$yJ^lAn zWIRji+h`wohiBOFs;b7l=JF(#cmR`7oG%+avme$vd?Y1;DaPv;*5>9EC^+$2T9=O% z2!7s1(3v@GqCs*f{_a`;7^IU{KJf~9JD+d#Yg;r8_$f@XEl<$PQM{#HFtW!+8%e~( zRU54m;Hdh44FpT=K_RCPj>f-9fm&HoI6o;zH|-!Ugw;&Q%DWY9a1rmP#U6Pw!JWO` zVaCeVQ5bN2D_h3+2_j!if7Z{vZ*0CEv4NHT5<2cHUOkum+fbd`T7^0))bdQMdjnXC(6#p24!fNCEj)LGJ z<7HvEK`42Ox*ohB6s`W(@eYb5HTerA<0fG|^n_yWqaOJ}bkYc6uIzI!S5OJ6mu3PBG3~~SP;Z8Di=BTv9 z_6RXs0>`>(H^$+00t9Xrx1?s*)yUsi88Qb7C`)G_s(~J1VM`H`;X+ZeTL)sf+10HC zHh~m#*9>$g7vx~<#tZlmU#qZuND4nk4p`97Y9OuxsAUya0fd!vtDqA#Mnd>_$&sXl zBb}(9itbd=nKV?GjMjBazVRNSeK*$B4Z7q;I5vW&PqX(wJzmLAGPe3ZtnDO4wsk4= z*mphCpYnrLL?SIeQp<7p^dqm1f8p`P4df{@=yj@03zqCMidu#OPrSn*cm=Bvok`S- z(_7wKCn;eH>CT913ISqMaPh$VQj5P^hpoQ0rD#VmV1i9u&I=15C@)6nGFB1T(&G)x z5DJ4~J(zbl#(o=~`C006qV_H6^d1=nT%yRHFU zw;wjwzsawKCa*wZ#3gCwXn=2k1}Ytf=jNX?y*??)!7QL(0q@QQ^a1C?ubG=ie)bab z^-zV@havX)gB<97Y-L@srPvoOR@7}PZ|Q%5s0c`r3q}ovYB-mLk(8ohPfXW3z8)%8mto`f z|Inc**KwucK-?#nTd+S~5+eN~CZWPI{%%73wf~azr(Cv{a8cBZ{-Pv@g_IdvPmXt68>DuAoJ zfpsFt3pCMlxWFfGVn8g?c!{W|^VrDd*|QAl6T2EaiijEu55;0~aHKJ2a&iqm5@3S? 
z={}bkK}kib8$qqx>^R8ZzPApnuHq_TrGOM;_}G;SC=ovvtV7|1zzw=C143Cq1zQaF zzs1B?cEpwju4>_W8QPfh$b z$k~NjvG@P8(*;ew4MBX!;OUyOvIkiIeh;fJ*`lbv~{OHWq5e%sW zRhA!LO9SxEF1G(QT|_w22;b(^<&jY&TubIk?G!{X2BaK0Ot)Zo^@wgw9Xn2x#u>P<2q2-1=Ob2rE;tLTS zXRMgI*+9;~Yxg2&OcY@DMeU`kQG~n!&(PpHN8d{m5$!P=C}|g7@T4U@rJ30@zM> zNSnu)_4&9w7!eY|)b=tDh7!tKTUiM2%+8yCvOF?od z&yM|Q6=b|{@NXjgJiziD4z)kIrBHzBV$bs=hGyThh~D}*257fr587-dHUud&PXfQq zFWSi4M1{#1$b$Go8X-8Q#vn7E5YpwP@2)HyGuagMCq+>?#unn6$4(-6>nZ6R(e+jqYqtE*Ch&h_NVW%ruO{25^I*RQ6h zt4q)ZY=X~)@vl_FdmjZ<9GI5?uiO>?w-d=HBuCX=Cy4QLoa?~&j150tN}@ii+YiTp zbmlPKSLiR*6g{oNTB@*d<~k9lC~jV@86=vH8EM8DtmT;-byJ{&Q4&=s8urc{xlk}3e{ytZIuK1BY*5rwPFr3)3j$(Yp&DtS?)))MtqO1^ebyf61r4%~ z8g6D{fwFkuBVL0F_$LWVb~7q~Z(zX?O9cp2Eleo&0Ok4!_6`U_#PS%H9abNaEUgvR z;Aest)S*~`xo}babDEF#XPaE9W;4TI;T`Kg$?S6P>Blq12%D}BwUzXVN~*_z?l#no zZ%o?kSJrY-L!6LH%O^dIA_0vDe6*sMhjX#c9X4NKb3=?|OhCyl zZ|mEF<4?vh$Vh55z!w>YQt}AhYR^>u4Wob?m|0hpY3B9o`!BJ4&-aaX=`$_*&O$z} zMOc?&%62LV{yBZ*vrJZE&Ah?P_{9t#YljG<=U70W*IR0ixTEpnAp4l0G~m%c#ge(e z@fV2bR0mpIN}e#75RU2n^# z#(8<1Kap-yFDn)dyp8f~ooMBR7RbTifsGqr07U76n7AiH%M^}yjh@5)K)6;PG25MxFk)s-g5Of(;EK`%tN!#c@{tB z^A%;LYp>Tu^-0*33>p4{acLjcy=1Atl8t5%_%24of67+jeOY?qoUPNc_7N&!`%`-u!mU{8eXTFOG3N ze+;Sak(r-QtHvl%IO)jw%M*b*Dpfzx#WilIv#;ZL$K%g|&=vjsF6Z)M7_hdLPq; zolQka;)+4JOnOXwoOxI+2YeIe?VW$`6@vg|nR`}{Rx6tt+)g+ok)zP5XxrT~I3TqQN!U}n$)@=P z2A|Q&0zCnEWd$`M)qOhTbvl^=T5DP@*)5tS#j zt4+}YMj;0{@vPnkDt7)mpizILa=3kn&R@PJMns~=g}%q1q>L-KDo=q3b&B>^3m3 z!|d}4&8NhAlZBvVe$Y14~!ca`FAKx6wIO zK`hRQ1=Y5n9w_w>EAL;<)Y6Iowu{`#E>}-0!~~UyD3xfquFBpr+)yyk=Sr<{$z0B? zl`${eaLons67khplnNxde=C)vP{2+{ft$gTc9U+8Jw4qYN9@*DeNXsme4CPemDy0{ zf^HpD)4&xaH0)b}4vgKPD@a5RW`jCp4rPB7_i^`Cn*TX4F(N=6w>6}R;OH3xHk&z? 
z-R!!*RG7d-tv4$ieYHAQWf?I`4|}Qywu6uvapW$g@{*K5*FRiA zy7ZRU&a;-^-lCF(-no5jg+jO7J7K*Pic=rU3d>536TBvFms-NjFVMtf2P9p1(IZt1 zUnfO$rJe`HX;SOLa1l|O8;pqP#6BuGIwINwD2qht@yFPyDit8=q`$l7_IHclGh3_< z$n3e>SW|&QaHU>%U$p+G7tA1L;v-*qnK8-#u+yLj4v0Gf$h#;VlV{9@;4@qG>^9D# z-Pef%890cq5++WS7@-aoTb=H+wMRN-20n8e8cH4MJ)cH@4nyHOk(d`GWqEJTScJ1d zL|GVtaon1Df<0|K#Yso)LavyKV>xzj)!>K{xyjUIPHUir9K`SdgEB&=><{9Fp3^24 zWP%V+zcuc__hT~GG%KpRhal^svW6_ba2)UrYLP>T^_rj(yy07ve&We&Ev$|f5n`hoR+>8nI=OPl;N6K9NRxL zKpr~|dfxZ5)@xrFV~IK9Do#rC2Vq*C_0l8)XW-o=fmAjSuS0HMqONHeumiX(5eA${ zae#}{nMXjVfoL=x5K^7`9)utq1zAFED=p2PSFmB8&OTg-e93FfyhLuiksLIBW%;S_ zI1vXL^mh!MpR6v*oN6xDC-4f!)PK=k2A(MybTw>l#MoHgW}$Al#?WL-q%Q~iIUZxZ zb`1NufG;@rZvi(AC~p{NU$0=Ym{-WIwAx&>4E<8MECEebemOK!D>@OiUo51k!+(|D zvZ0#@7x0rKYQumj4Y)!75`pUQ_9sDXgac~+-NU$J`7>|xLh-t|P<(SWtZHmUdCWg3 zRj~oi7>pK!)!e^b|GMrdl+fPK;@~YLU1MW#oY!+%!(Z_9uL|h;6ulEzhrWzDn?A#k zeXijD&`nsD@wx4tN*)<$Lj0#kk#J|zPoO>Gxt5DM=pVUNU8S{*Ve=R0BKON7eCBMN zr^n9>=<{{NF7%3@rw5#pcZSG(Jkc2kSG7EdDdj1?{4Pu3j`#YDc&6JF%`Zlf$E76( zxN#dK)az>bbEE$zDZQU-sigj%+%h*QXONhwWI<}LNG%=D^D93)yC9>#pIoP@Ykx6u z>=Mytns1JOj~W%7>nyuSl#PIMoBVW~Q}gY4K_bq#oNtmBi92Vf&<{L237JOi)fJ5c zO=7t@_%-c&eE31K6w+~|fKSF6Ptho0WlWFa=JQtq-8Ga@mq(L>hmd}}&Lf~4%I=r+ zlQaXh-zKlh;|th7D|Kn#R4K-Z$ogs=_lb$0S?Utp&DR|5UiLnyH|W2OXGAmQt{w3b zD#=s2QKD-a3Y^F8Lg0$npqsn^uY7(3Z#SVq=`WBOHPFEFH566*7jHX;cB+g-ZAX%n z@>Y0`;)giA<#3k?d;&0cZ3gojTSJEJcgi2L~kDu+iw1iX~vpZqW8R&#-K*+yKvV7J!c2mv;A>%t6a ziew+ZyGUjMP0#vBFKb+vPL2p z!9!{Hc4yUu9&HnVy5Y^{@oXx$&@P=NV1b_l;`oc8?n1KDp^h7cT|3g78?16Nzei}fbw; z`@`J5oR{0C9I8Na7b5*<=S}3-i1Lg#;|^o+5%p0Tt}k?Qae{Cfi*Up^k1oH;y!eCD z3$WN8XmZKbG9&B(Retf*zGrVg?YY|Isn^6QUp00P zHmqhd_-(Eyv3ZblkW=0|_|1Gfp7nU=^XXqK#!3;`*(h9-cNT z(}@X5NppaDyyMWx)uAB56Yj%@hp4Be{dy!LR` zma{CiHbkHZFrSCk+g&QD3}rEPlML9Fh5R=;Ei`w^=HH;6uXU1?92HWaw}mdqlKa7$ z0CLQphC+hzQDPA z4Uu|m<{V`GTgUL@4}()Z)yf2Y0+w*;?i=`|I-|~#sN{(4Mf^0z3rWUJV}Vz!%loP1 z2#)`fc!HV*JYswsU{tu%d@_L)p38X0a3WA)m7yFH5ekXaj%KM>7gr78S#rkf=U=lL 
z&Rjxxq$eBuV3Atj=d3U7#`kWmYI-Hk*?@U2SKG2leyrXRGm1rNM_2X1$wD<%qcBFI zR0DqzumGnCS}(pSea%r6d8p2@3nGI2x>YXK>z&w%Pa^a~{MAeO@ zvmF~(tZ&3;PRHf?89jkhW6c1YW^BTw4tT?JLahmm`kmJ=A$X^K$B{7WAtzsCk)H?m1|nXa7om9vW2155{!g{)3VeNa%j` znjrKU1yus~M(NLpQ@K&9oVkAl9IY#Vd92xis+@~|b3m2d#lJb#KM??x`iC2g`=lt9 zf+`#>Sd|FclKyurHSt(V)Um{!$Ku0MA}1&AY8St;9D^U(A!YsJX`7zN*jnh*15bYy z_uPNdUSOvDdi;g!M~lO!VuK!u3VdXj-$SeBIxx9>XFL?R=%r1oKS0xvb&gC)=B6E} z(yRX&)Bk`fa4P>$CF-9s{SQ-v+2JSaG2ZLHP>Gb(V;|&M`z{ZI3^q}C{EgD3VPPVa z$@FBlGLhkEvGECL6bh9t>YIR2!U$iH90vBl!f{1X!*uZM;8_?nTzdOA_{R?#A%Yg& zSf)`V(C1?R98h%zsCwCQ`nf+c-!VW{YkeP((U#9=TA}KP{g&Tv*mfL!OO6C(H}bgO zzu;GtrpL8LKPSJ1ezRY;*Y@i3JVSqC)A;$@p^7`gQOV3a9vi)4TWFVng)cCtmd$hs zUQl3*cfshuhhbQm+X`QaeD>EgwA@!{e`LJ$^RXAcO?>{^kzyAQJacAek>eYm&|r%^ zjg95vx7176(J^74dqR|dLhK$!k%Fq*Xn=aYmV~Qv5Gy@j-AJtR2~~LzD-5PIyU7&- zRf=2j^nof({R>=e%z|T$i#BV*HsA@Xr;Q}CDR80D)CaoTfvVZPs=0nxE_~+uNuh>%1^B7SpU}F#l9UM^c|Cj9{nGxf z*=J^TecOMjhq^}&z$tuPECa_EFJ46ApnpIsI*r~_I0aD!r;JdQ8>Pw#RT?|SUMZZi zrBo8A62`3wfI3u(bj;vk6e&stXBSFk3svBhf-2=)2~?#d$0f(EPl{ZSxOZT}_GSs; z)#BE_#vq3xWo&u!~lY+l>9CI#XmE#aK`0zco+d?HSr<$^RIw*I3dn{U=B9C%v?dfVGOXOD$gqS-#(8`EPa}tolQkan?Hz7&!Qjy5hcnm`%Y}tXxG; zf}8XP(Q|c$_i~^kRSu}a1yZaE7B36>7=a=HDh-gQ#v`NQXPHI%7K{8;P;XE+WFTup#jaLN{{q?5%rFhZ4zQh`%6k!|&y3Jt2jsr*8ffl@JSOzNKz zsziKNITf~0m3TNXVehcGaL2fir}T6qe6Yum#51=)iKGB9{gI&!c!s^elgt8MZyYTS zz2cKcgC5!K_fWuW2VWhbe5OCNVP*YeN!!>CPG1rG84DW)swCM-SQYa$Z>VCX8(Eb= z6*hq;ITg2sDhv)!iXZh5@9_W|g@-`icz#SSIoRdjt1xKDF!E!WYYYZKC|+4ad_3)h z>}#(ON=y@;p~fb^{Z_P1_6250nEo6^8~BolC@n*qKC};2zhAffuuq37U%ddJyAD;Y zv!KdRL#WfwS>lTSsqL;<+j{HGN%d4o(PwjQQ8$jrRQM=bxHF~bcC ztAa}7{0LNOXr=$CBtV9upcQ_UXn+D$3|$3PqzPpw0qW&;fhr!Hf-0ME6;sAsU!C4Y z4JMZ|Gc!GE|KfEkTmlxB1hbfQAqxvI0Z}uUjAwTiM(g-B?FG|pRnr#Of^&&lhzx?0 znJj8y=nJvo^<#Gqh}}Q?=pp}@$W2G04@ewAg{zDjAoQN5Im}rLfzf;vROO}t>N22~ zvM#I&A48c$iQ_Y{#b7F8C7ypCXod6_5fRB_l4l2X+JE3s_~xz5Ak$!AQKaW|*OjBP zE57;+H$&CbZj}+@fQdC@>NctR^458;o!DIb_j68`A7j-HjQ0Xn*RCXfnOy(Ojw11) z&#YS9Y`JT8)!b#no$O|$5BadV&#-J7rC*y1)NgQ$vi+OBJGgh}w6qiGe#V={sm7H( 
zbM`F5n2||g8G1=@%E+pWI7Nrk^J1gaLlKp zZ#kgKr2ZLMm1OoJ{TTyQ%zb0}pMoke<`@mlcw{ZA!m21%#beTu>b^l0PCE)*K8xCw zfA2l^9BkW`?FTy#8Z^Xx^w@FZCrzI*d&bN;9-iJbgp06s8$qH2hqPJGo)<7I7%oaI z0dck(p;4f9-1vzm`#f=yR-z&5@X@@W3MvF40&A}8wQ4W9S*TTezJ-FSKQrI5q!qTD zEO9H-0979~(u=E)(4lIH zJ6#X&_l=6&B@rvUVj)(HSeif;XeF@;fvW7}3Y$E@tcaDJ1y(#nAy!7H!hSLUY>Aa{ zD+$4{uZNLM!zO})Ln&Qi>!af1&Yv*I2vy5m>l${^tba(EI%d4Sh{Pd`s7^HwG@}LJD-jXdi3(i`ByG|)T>E$C`#L%s)luUDkHa= z(6zRE`y53J)o+8w)Ze%+^ybZ*$;qjvagGN?umHE0^I_}OFIeaSNEva8UNu6M!YQ7D z5vsr`BUJGOmHL+rRat533;>!WRDf2Z{>f0W3spJPzsRuI{c~b>_Kgj%6StvaTv#cH zKk!8O72yu&>YMoIe@rcjbO3d-JD%kvzr7Yy9A_Y9-D7~%4xfh*%$Lv7gg(Dnk8fJl zBqn0%$rCY>24I3JD3y^_-8)plr}z=55-(SvirQ=fRrtgF2vnJ#;Jv)XZKm8e`+DTl zAe%nMlGP%l2|o1{l!5jxyM~l0TNT1kqb7yc+q7*@4Wbbv-NsFr2#~RB#^NPjkg^gb zN|?R}u)}&IMPkQt6###`X!&ld236NQHQb?8g$7kkv!N>E4OkW5e2a*cVpZqrTR!P( z`E01=^Xb}ZEUL19yGc_&{xoZh*a4m+2_dFyleg4L;%1>p)Qp0Ja*r&6?%Au)q$$&< zO`j#uWA{~DYk6h9fa8pOR``71O9R^&sY6lfhxui zzB)ffR(1L6)l+BA%J5?Z+OjIq0EJa4VkNA~r~wMAQp5_}7lmADfOvY`5sld-8X%KP zh!s$!$}3ScCThRO8qYHLiXse#EOa=q{2{asH2KV}g?>mWA*x6ov)lM9OaU|f{NATh z)@$kt4Tm;1_|clQZ*fbs`Eeoo$v)09L z7uzV$oq=IQD>0|Jp%uy47cP7v500mH_Ut*F9BhJml*WUvzWQoVkJihEXRoVLHeU`V zcCILu_t+qKaEmglM@s^OOT@CGXLdgO`?;EyUrwQ^-33%}ZC5WQe4FNUdi#^H!B1Q{ zTl))iU?SXHTEztCEsZkU;q>#`{I0 zAtR1qOu9a$HBC4rP$leDI-H(YQ%{~qPMpe4sNjKS<5bp)Dn+RTsx+L^164qk;FOhB z5p9o-j@Did9X_xcU+Czjx(qOlH|f+VG4#=sn+siuEK0IaZluXLV&#}m{x|)l%aPB< zhiD`J=$c2ico*=WDbc8c{&Sw%64Ea1_+dOfygt2U@BNX*sx+LU8Pz|moCtu5Qc=jx zlv5!BpvWmAt-xdzr7}U)cR&0Xuo*jodJs^B)6Vi@7db7GGDWt)UNkd#!I(O*RVp^IaUF8 zv3xeza&@ZZ%SBrKKvrf^py|&)j8j04A-g+vnZ-%I@Re6y?bNv|DeD0%SKHzdSdWH4 zdO2m3_Gx|>Uhom3z@(HA;wP(z$wiKYaru~7Y+lJQnKE_yGbFx0`|PW)mU^S~n-o!$ z0*r)O_&~1Z5N)qM&ogu>6PzDLk%B7G0IyuX*==pK|AEA7H*Nw|j6)>=iUxRFsKS6; zxbR7Spi0mx3#!c90UK*pq@PTSiCVomxZ^61(mvA*fLW{OIc!^65RwIE5o^90^(-D~ z-tMUF^hZeiCP7mRKi>0n=JvvAn+lOzh^0LmTI$Hg`q5i@L~b8@XxE~HdxQ7y+m%mZ z#nabYURmpcR!Rf3C01Bnh?O=GHioMw$>Z3#F`Olv>WuM#c*34N`+OEnUok322A$Y^ 
zUg!3y*1f@-vX04PV2$yeDjEn^oh=KW{b*0||9({8^5fBj9uthUEKHS`?50)R`uUiq z`|W({XwZ{sQKSF+o3*s^nl)=Y2G&&9(67n6o`bUA%6WGEaPL&BYrWFORag9q^mU&} zJx`s=l*Csprtr~u^iOry91{d*3{$vc=Il9im*}W~lo6*y`V&?KRNV!olEuFQRWc0h zP^yEQqxJ;q2WJRDn|_sM;5k5OwSnc%|x8D5w(k z5417{su-61i28T&%I70D$97y3fiY1~rCXZ&oT&~}F>C6$)FphvR#TgsF7ILt&1bZIj|3M&Ca zl$U1-Ias8P9Gxa8BvJ>MXf!e07=RcHLn%ex;_ZN6%p+=dkbk?>*PpmK98Jn0vK|?e ze)aRudG5xGyu0H(pb9cSU|Z^wix0boMR0w2K$R(6g(pV)?9!FRn-6V@N&u=%;VN5J zWr8ZD0n!gNBUDKZne>wtz?c(qHcKr0g4GBY(!AwMvSn3z~BbJmIMe;Gw=Gso+i0Kes<%&TZI z`yK;o_Ws}|O~cxhit>NvQ3n9v|^-lXP466L$WC$n*y(2=|Sz9 z^z@V5HG>vlq6e~X+hQR!B7-?7C}jG~Ie9=8-EN{(JQR`sRG`YJ{vmPXmiq@<38gx? zFD!EB%;>E>j;ybAH0-UTYhR2F(bhMyp5o&@PknK?7~(SttK{hsT2g~8{|Drslm3ba zmALjXR&bCOiwsVREF<54&eL1Ny2r(=OHWTmf-sg;5=we)C&umvs{Vmd4AVjafQQCN&uf6uVT%IU$3Vk@h@P2xcmc4VChDYF# zp6*D3C%O$eTH59R`6rGdB?PhF*kls;6B1L{V`XjVIwZ%r^B48(*@t{csYu_XS#$m( zQv-jA&&xNci@du7E`T3~5Ce(f#1CGOuqveHfTJfJmSq%}8_{+7&P!k35T?(oVpTX- zk`bf?KpZe`^W*8&}yWv3?>Qk`=tx-`Rg|QJ?7rnYm11 zQZMj1(MC>$KS3%x_TiSE$D4o4VEf4*Q%ihtq}aLLT1){G1mQXo_RfCLN{1?iR@gL= zj0CE(WWem?3I$aF76wy>kO{4X3mEe&)~(+}-jO_FY<^(i8oSaTk7LiCy`O#d+19N) zu-G0$a-=8#6U#?BlcJ!?7I_V+)wgkuf_p4zn%wn$63Y+y6+gM9$WIxS65ChYT-aK6 zDGydfDcbn9HNKB|`{d>)lQzC~^U`j-YsM=6y&9S0`n6C{#X+ye<&AGSUNffNn9kZY zFL!n7Sm*V{18b}q?Xt?vdEU?_C)3k#`6!-=`4uOP6)s!1ZNGl~rpaf^$jBHpcqsTT zdGzD6aG5?m@JvF;BSfQ+4mNmbN&?Mq))N5>U)~)){KSc5Q$cksiGfvVqPkco-7cAP zDlkn7sx+iBKo#;|^?4f}_DXEO>JaGj<@M`Kc2WO?Rf+ni1VAVigEQ*H+45fd9Tpxb z;*%Wl(HFK*rN+a3Ie^(QB&cT|5fzO9yL<0`_MAe^kO#_iqlsrCbItg=c!?L9nCmEa zLN+WPri=p-9LhN8l^npIqLgvq2lETGkv(X%|HfmAKk&8uAz6V%7umVBKYzFUoTw2Z ztyIMVtxyu^^KmDIN4HKJpz6$vw@#N+zp|YF&~kC00F~ahvh9IUN zHaa11$5eZksvTS&Lt2IbiX4c;gOtZ7L|CY=>D$y>Fao*^XC#i#7kPMkjdCBu1|lwX z>%H~X+ooFX^bGmx{Kf4%cQX!|r)1fvue$349jS6a6+=rwRob}=1^rGqc%>AabD);z zj>xn#LiuxpDqOGh%(J7n#=o-kh{Muj?bjtz(U`%nSQXA2^Fl$DFgoXFkeACIf1dXTg2TA4bV1efN|7 zn&}|LH~)sh^hxXnYbqgGl&Luy`g-J+LHqY?l-RnYglQ2gL)JQ0PCRqb0P~*;DBQ|~ zR@6#TN!kQIjO(h@qo=F)?LTng!i6nccdXwKe&|r-#Gcu73Hv|4Z}oxA$|$x%e5#|% 
z8!O$i6Z81YkXDt1aD`29+Tl?$F|^Rlqwk!XR%y%Ac8UZl0g$>$XC_qpD!O!fc%igi zHNXAhFzydSi(m-gg8w5I={J9(Vsreho{cMJ#mKUkDo^U}ywXi0gIw6qR%OR@tUPaY z_s9c##WDNz(~G2gozE&#!8qKqbsK7@aX~aw52%8NnxG1t5~woa6c)yoQh`&pP$dsq zseh*2zsNm4XvO5}oZ9;2SFz8T#?PI;MUnm@`q?u(VDyhg1wM?#y>?*%a*7z+0SjIT zU(+UXpGR6+vZ3_fSyiQ$DT6ngB>-kqsw}9|w%}pv;qEdM1***IpT4OguJx+DhaZ}I z$iXk8R6y$NeW{;bzG4ei62(S!K`8XzpZMC6gAR*g9DLKthMdg2a$VFv#(=OYMui%& z_vHXb1;Yz3Fp>qpOW-?=fI<36S*<1&@G!Q-6B$KtF+wvssO>P~mmDKx(J1svBdvl| zitasnva>J=2~Rv>-Y$e(4E`73h;`yJ7?yT!4HERz5e;Qn{|hdL}& zh7BJ{LI{_KZ!BE|aNOxr;PVWX`3n{iheBK>5e4`rPs51U#$&bf2t$!SiZf$-sdsvY zYv9MossyS)D_9j6{mP>K4t^&c794SybKtFoJ9ot$7gojNz_X$;bVUF}!`yf{x!kfN zxM2?7sr;`EQSmAX5VQiP@`fsING~YqRRP~h!vJrh!yF7NlD4_WSR1m6}5fJlzKrB!%FYjvp+Z_?9)##Qe3@V!%EnE zY1A?r(Cl5c*9Iru+P*idSN1w4&MY13IH#|bh(T~B_N);;|D~j`$G?nu<(qxgcfLeb z+Z?-u2vluy(t7{Lx3&@<%&21slUv++}-3rgGu9}G9m`B|#YdgCc)ju7oG)kq^KOQh`?2zxsMeSY)Av zks3~UCGq*zn=|m-A2d|SFkp)jbOx@5RXq4DVw2S?{ljupI)pQ932d+}=b`Gf%+qHf zM9Hbgu=7Wb#sg=h764>;n?@94ViE@J+i!qLKdfEbk&o@zxraYQC)>Bokf0wA=uqXO zks~M)LF;_+;OZEm3eQbJl@Ke%s`w;b!A&ukbhOekmjtRn zD^cL}h}BspCe1*sC@!77&7xKeP%mA3^vJf&A>CFkdev{{W55=Z9eE%91Qmry*5!zz zKc~I`X5}ZC^;1eoLgC1X5rKs^Ei1cu<17hJKBpa1mOlyAO9@W~;eb9u3G@p3XDCSrd7>%;(unRw!c91sz>(vKNP%B zlKLE$&nq76Q{~W}MaPe)=+)G-3#!X>5U3KIvQ_^Cs+eCiCYqvDpp{T6fhuq+8>+JE zRDAx$wE=4*3(P*?FdsW`%3;Ns=T{t`zc1y&rK?x~fht~4etfZ8;NAiYq8%0-c35;& zb8Z99O+Ao~$E%k4wlE!df>aJCbj9@1g8pRC`uVe2w!gmk zm+h8VIYo*aV~Nkxjo2CKD6!|pSAIjc19li*B0)hRp(M8(4Yf<%`b=ST6&?XSjQzKB zYqx&2e7{X2L}1Mqvo+lLv|sk3s&me_GD};|KBK<&*6A0sYb$-!SW9bXb1P~qX;8IB zgR0-{Yz2h@=dn_pC;CVXYs|^t(-wu{#HVMRJqJpE%H?6ML36S{xoh}lTtX6HjVZQ| zu=<_w)Q}AcL#WHU?Exf|K8c9Z@DX9nPKVt2DGjJ{hpL41%!hrC13eC&Ne(mjIn3Do z^qk#e)<=GE?Yck}uGgZyiSPMEJ9s8KEJ@U$$~V1$U;5HrM~pQqm<0k=%nNWzL6weH zntq-WsS9Qbw<1oj0gbZYsD3 zXIaqSY02R11;U*1AK^T)NNI7UfOl*kN;ytRVFeYAohSeG0 zr6$>Z>I?^9<+!dnLTpQ?4pLtw2Y7=?$tlc4bsj*Bh>RROWElIwk${9FH8l}ygVvo3RAo~t6I6-shq=gtDm&_*5vq)o 
zimA=oliN*Q{))1PKpv3WFn;Uf8HMoewamyRV588X;uC3)6bm|6;|vc!6FynC$oln5&UQZflE)mc<$dMu(>m1?{g zQv|sHwJ@tXZdPxHhvVKBLaB-bE3|GIu~I{o3av`rfCx#3+6~BKl^!a^VI{39pvuG3 zr@|+T&zVvcq)_qrfCF@%$jE4(BOgX|TOTuotd1pxxuloDL^|;LX~Xs2Jo3fxU9(F~ z9^=KMHcua3Vr0GTyk%6-@pj3Mb??Qt*4`Yi{m%QZ>mNLbZ=38`C(eCTaG(q3xI9T# zHx6O-2?L`*6(@G{`c=ohGZbLLWLxvu5ZiTSpo;%){JacQZJqmWVPTnaPh2l93;N~Z z@ly`O{$btHvVrBpt*Z`BNvQf)go+B&sfx=;MxXOA^gJPY7jl;6^m^%~PMtc>m?10(1O#7!MZoG) zre*2I@3&Yr!XN@`?(7y&g`ornNe3WFRRzU?DtXdR3p;2PzWU{N1p(vB724a|wGT{0 z6JheRe#tD|dD$%_1J4>;iKHjd@HaUXy_!Pt2aFCwhai$QVBkQR#Z1aGg~&L08C2pi z$vyGNxC$;7dxZKhOd)o~1)elDmlv)$G1Jf)qMbVe`gcxk~GT7{4u*<)Xkx%=h(FR8nbyk18 z!O>)>6nwIVS^ggsP!bJu~Zyl+5$qRBo?F z&>_LTLA-OHSkE!heygJbjU$4s!$aM|fUb(#f(W!KORkVmrF)Fq~h;5qD($v?%YDv5vh8&NX|a>2Nu)S*CB_dzWnB$C5Fal$;`u z&dKm(`K_D`8z`k{;Ex`BWxacza$IT>E}uB$L^+z`&N(A=l?jWZY*>GX4R?Xa>K*F# zc^kSH^()lxQ#1f4j~-4{==%F-I7OgJMyV<=sUl;dB7>vC9AiSvVgmQZ`7MZd9~SS> z3iKh02QBbgNK+Vnl>wG~A4C2zDH35KMIzh1J^@yZeIu&WriLuah&z#;;*paThhZfH zReIh(=>SABl;Bh`RI#SODFv#eey9gkdfq>ltu(2CD#j`Ytf~-$T>%FB!Ub9ZRRp9= zl4_pJ5TuJeLE>MSU56o4Wr+`1T$t(*tC&>(JE&rs-MxFC={I}M{ASHcy=Qu2v-&Sv zwrm9(VZ+AFxD8p15HL`8kw4rtD03_~ejsVHc=@m1z}dx}=fuR3;pi#M&sb zgsb7Bk3Q+w|F!44b|p(!563%n=wNc}Bo~sIE$a0_Gp6bbPaoGX4#V`!Y{GWTdEooN z!NY`r-+KF<1q&CWPNU%AT9moL*aas{PwCxcQi6>R8SD0(!=Bad`pQnbI`6BYig~3# z6^0eYtYJi6P1B5GB*Jvs>1VLX)nJ{Y!45wWZ#@_#pvojkV3}zq4#1`sSx%aKrn(xc za94s;RYMi4sWPaNXeGl{Y9FAE1X$_=%u0_<37nPW)?3t9*A)aHUy>4P>eACy%L?Vc zzvYP3DqZFFR#$_YfLv5}Pqc5G;M6JJ<>ffH5z$^VBK@|72U;V$c$(4&s2EmCj+Mf% z&_%5NHdN8-7a^~Hi1<2S`V|#j;YrE&Q&Ljt0P^5LX*?@EEp_emw+U1!xF9!3_1!Uh z__3w>?;lw-Y}tgNq%|p@-#mQ;^<$NnY?v5srrUzIyXDQ?LzzCkQ-fyHDGbjsN=|-$ z0hfsq&iOEx*dQrSea@U}LW1V|@4mM(T%zpLe&gHl{nkz?(+!0G9$h+0eJ11u&!7Au zOg}yNWB)V`LSs}*hS=CR0uzd5Dh*ZE3u~=P*B{TNs@7CWl&TC=$@;Y60Z~E6Vtkjz zd3+M@HYmZlyQtP>Ur!|W`8B#3){N{tlB#~mY+s$Al`{RX_c66(5leWLOlFOJ{Unzz z$vz`93UxxUs#uj(Ko!y}DJ!?mo&bX#z6Lwb z2?GizKkMBnT9{E7Q`>zFb_WXY9}spdO$Z9hf*?)i{{d7%(sgPyQAORzGD~4WMEKea!M*N#2o{;uUx%O+)DOmp~oTv#sWBn-GTU`YZWU(J^72b 
ze@@o*|FsZS6-;$-=gJgStNPcp7mD+L<=JWr+G^=qRZO}VrM&`QeTnwgM(sT#?L$*R zdjBDS#a8}6tTjwR${bd~u2*gdp3IVV_Q@ELh*SLPU>qhY*4DOdJ3k#a9+Ok~JR1~I zgy@CJeWCCo*DD8$3zS!XtX{qPcnDc~6usaxYL0ICbFTh75~`$O#g$6K3Y?NYK=0h^ zjZUTtm5E7+8;}_57Egn94#K?JA0fQc;1>oLmKPs5k>1B9E&pN>@~RlEN=mFNhLsHF z^4!rtSUA!tfmJ1;itA#1>3o1ym8~diSP5o@Vpydm*d}?un{c)+z7+ibEE>56-KwwaSE?lKVtW<75VOvS3 zlU~qDic=o0+7n0@MZ_-;g{Q;s8#iw3-*1$bR!j)w5u*i>8%_yL<#F@LT|0NJ6p^Mf zkc7wYz=9FGW{*(SrVy43FXwzTVEwdV>i5@89fqG!ft6!RMtZt95S=BzSRUxorOR$^ z9uhuq6ks+|osWsce|d>krks!5z{bY5GT*mK*(VzZ7LJ_p;b4V7FaO19s2diWt{63Y z+&gG=>_KmzfD|i>X{NjnJ@V+W6B4QvoRUzb7_icw;^y-dcow>$k5ke#mWfowI295W z91Aye5V{E+B3px-HGl7|g8D13F_(5FDf1gpsbOqY($F*TX%R*I7Gi^c75~v!fEuw4HLS1UrejQXfYJc$8(g3U64|ZQ>R(920tEebT zQFKat%$YOql!Y}bg%)@e&m`(ZwiLY)sg7Q^ZoLX`AR#|xM|4wa%cJv-$1_c!;Dg(ikT*%D)Z{?ZnoJ1l9-$*PE1IqD^?Xy zg^IC|bA$OtUt4#G`wtp$Z|RWLK#TE1-&@hAKV73QdN=0%RF7bXFB^`7%5} zonckV158Pd2=H9*Vl~?CaC2wl8g!I{_=h}^g>6ZAsiGKr)i|a1UxHcKYmfZs`I6K>OfZpA<=>coH)OKYaLVg=%`-*@_9y%KIL(TSvc&-? zp-RuBl29d=j1s7lvXo_oDyW!LEV@deO6RmM4^@uQX?1pZ8*FqH&VK^dXs0F`vHY>8 zkOl{%4NjyP7$@iySItK*89)E}L~6WDQKSm8<-dh0b_>ItG8F%WtRl^nfAL&mM+ut^~uYj2MXaTs(DzQ zw!?JdqQ;IJPc?NyOSlIqW~*Fvg&XX1(2zILpV6zKpl~0M^Q0=U{n5u`^uF@pN1t#A zI2+7NKB<;bWl#Cd_?OohFNQrVztlU?4cTdrZq)RVaGZ|4K4>Z!L{^Nw2c>46|OD7G3k*)~*U2{fkn>pORgp01c536DIZ8=S-FJk;Q- z<|KLM$8b1N$;Q3<)rtI zB_o{@(gY~MsbZ*-i%x+mR7VCL50pu&LDpstj{A*vnd|0QTqN8qd6Yzuq#gYfA zh*hDcf>VS8NNF+Ftn<(O<;njRs_=@lOrZAZiAVLzCQY06dHI#M-g-wF)T5xP64VRz z$Evwa35yl0)^Jd4ZIlG=D%ezAJMoW40$CnA2&jVocWb@qL64zS%&8duw6KR(tA8SY zk_CKmNbzSbf2_SaLr~l)TKn*X_G?@1cfQ&u#TkprL5t%O zSPm=!E@bWcje4J{@Fif4-*3~Vt$bGw_CPoQ0D{C00fX5Hqe(9*7{d)>KN61_%O}aw z)jQ9B_EJI>3m=)o4;m5DhAiL*kH0+;5Z~rtkg)Ohg^H<2WC}+gCY5vrpiN;+5wXG> za5#Rvm55m|$r<33fGS;^MOK0IhqEs5IaJ{TWDc;z7`o+Fnq9?WRG>;RtbnTWXeD`o z=^1GeLC2jf-?2QD$$B5fxK11E^MHp&{|PV zFu;H!$5vS{Z1B#)MT<9W+_Y%?uv5$4q%aZgwbhe{uAMsEMpp$wjTCI}ojYvq7%|jP zWwvtE!3Cu-2i?Ni-iCP zdK`V@w4v(Wi^^x=DJ0n<2k1W&dgbJJUl$ht7n;+*@|JsOha#!3#vk#D&zX| 
z_4D)d@bh)@_pu4~HjHqa5aaZ6qJ2XgdiZ$Loa<%k6dTFLDgTK7%{xpvY$(#H$S%jF z%-kU9kBln6lf|9onX%^k8d)D|=i@XxH915_Q@$ z|5&zi6-)0QGWmSbwb7@eg*~;w$zZ*s!3Jls4OD?stbJgMxD^8>_HcZitoig9d|#3`M(B%xXozDjW3Ep%W8cG8zR^K&gKH z`qhc-aJWy$j-z}u;uk_DG79n`m-g%n`Rz+lUjlr=Ai6{Q54}!RZ$8a`vHZ1&u2qGD zN}%ck?bT`8FIQ{t>=1N!QD5Cl`)hWEhsJRWZMadRMtb|4u45`vdYyOy{6Nm10u+rJ z>DRW^`xd6wx(y=g#6V0@tB_OExuX3d&I$3?8cLgbUU3M)L@ zzx$>FRm>|1RYb-^G7CPk3ahgV9)+91S_d&dv80%yOitz`3Kdfn7Qou4Xq-mg_6;Opr#M6-vmkmF^01DbD&l-}d;l2YHUlx{D ztL98tHU8B#lLyWpGkEosVKyo|MF9f*Y`Yf?bU*US%Be%tP<3SSNXylwF1Vd@N8Y$` zoulOD<|)TYNYoH?-nwnO@(wX>c)SXZkO;{%R$!Emal%KouTYLIH?~e6ti#HohrcKV zN98jomknPqcIdwCn~)ET?K^kVKgh+!RWBldt*2%P(=tzLk9zi$;`;ORIUDG?JH&li zxZC7t=V4gBn82_-@#&EU#bmf2+meJ_xDe{+_+M=UQnX40{;=**W6+vHEo=LntmSa1 zxR=K%!v+qg2K%}!hzYmMNY@aARi{%SrNJpRRFyNSO1XcCh!U$x1clWm6;DUsq$;VW z1XM|F6R1M&1*DxHZXH_-r=M8(k%H`p5Rf4%L$ZTogm*xF=WV_ty{Oz6V!Sy@i%@v=2K=DHaNxt!WswQvoDRB>M+&Ghk9^am_;BC zg=#Nr!U4sfp=;IEsiJEYQ1un9K;WypYkx`B{#5}`vO1z; z;<`Nlyxz&b{q|@snR~*lV4zGw$KqocO%$bv`uN`aAHXNk`xbTD<^7CLNJ92vxg(SL zI`BjSHN8S`@o}rSZQlhp>3#Q*js!?1GM~q0dG?K}#)M!e{4k>=RN+V3>=q%6DQKu$ zJPbCwiveK4{geJ`Y$yV$yMx4=I0M%^iRcwvi;b>L4gL3cM&0GiRLlx=T^X*zwo*eC zXa!DH2vtl2?ui0b+#)qpNyAFz11#kM0#$kmR@~Cm)MQO!SXi)`ljS?6duj{J+M}z- ze#ju$ycWQL7EPN5C|kc|J)=?MzY$q7T#mPgih}oJTM&h(FCK;C66_mCIKAoZVWU8m zw5`-=g^GfAOL>^&7U}f?p~~^B*>fq>Kn}&0l?!p}&HZ%v{ISFK&MS4VDJX!EwRYOj z2l3DUncw-yn%C4&bzs3rCF=_B-;qu8o*;34eL}G&<>=@91CN-{W^M&Fo#dN*A|^IL z@%u56c+iTm!)K^(vS&>xS)DT>?|AX}0f`R1w#*&4VC=B+)Wm)BhR+={)Y8HdoI*a3 zsR5A~+se|?y1dDzoSTcQ8$}5!!zo-J{+@f|>^tDo*R8~v<3kBg4IvPL>{^0aZ+b8agV<9sO*Mz$t1nV~?H+N9D!RjEk@ zT1oGpTrzkhSU$)Ha7uwHR+$>Acsi9qmEsryr);Cr+MA~eKR*D3UMdG+YkVpEHck>j zE9wK7Bpa9zz)BQhEHO011sYjoe|{$7_Wg(dEmV;Qvu*oMJ$DmAlDet;4jf|1u!!K> zKvBDNS>%^-ALLL(iWDY9yC~NX5gCJ|1+%c+DH6VP`HHsfs%q3oD%O z6@rH{_bT4_B~918dF1=yoA#^8j3MMLJ$2o&tfd+d+g*zIAGD#7$6vGO@5+Cyy))wp_Lard%7SDRS z{JyXWD7bo~*a4{X0ZNLIw0;kFvR=Cs4^8kfa#b9SK6q44ri*^lD?GzMkjF;4AkXk*;X z#rlJo@G}`1=~-Dh(kH;pRO1vnJW$1KS9|}Y@+NUg1yus46sTfNN#>G-D!J&?-amDq 
ziUrG%P(}45qjL!jPY7DCfF96_9Dh)Wmy+yol9XoRyF~erpOsz$b!C4} z)IQeLR0n0i8ffR3NS8|Jf3*K7ss5+FC~aZer=_V?BSdNywU}TJ-rc8tbV@|NevHum zS%Fs#&jy;zrY+mldt)14A1WMICwb=BBXAm_;^PvOWu_=l4+Qe%OWG-OIPNMpnYx{7*GHwds~Z2{ZeRQI&N}y)c1Fy=FyYhN zLk4;z&SxK52Rt35iN)(6ZDBiP-1pTf>l|{ zy4tWp(_;}abPK9HRF$EuOSF_{dPZa~_)=E#5h` zuZa*EduY^H1K%Ka790!&3(mTm;mzS-lovt&<{iY>*NLqVlJJoIPt`x?VdU-OgCMO8 zt)y*bcFIzzTdVgxDFcWT0|9>ggc(vD8w9kHjGbS_)NW>&KqY7CFfDz*53wAQ!HFNJON4QI}G2Lc;MwP$)If z=mT=)$~EOw@87w#ap7bMRnR#M7Ys|V@B8PakFg0 zj3EmqynX8A2?eJlTJduK!Nc?BFI=~N1AfTzsv6GolV+t*rH@mBpsp*RM5FfsCU zZRmX0LYw|46h8H=z;^yBuGQs$#`Kv&A>lw2qNG4NJRcoM)v!JKlDFf$u)w2<3Bd%Z zWr-CDRT8IEP=(Xr8Bm1)uiB(iLzP^BSXHGsRpR{vrx;n6u1#!H!WOeASiT^jMU5T<$scAWMi zy?}cwAJZ0%6}6b4WI)V-oNfl)4GMhG`y#|YB377_)r{yVUx&fM;ZV8d6M44zsa!+l8(f{gCacS#08yG! za3^%B6SAI?F0ohWRK@g(aN(Cm%Q_e%QZ3M?n5)cQlqjY&+h82(*6zR>h9Nx;c(dFD zv*N1#^{8?jaRj2pFgK8qi`D1sEZNuO`iAM=P7V&eYUO;Kfp&IhaZbu3 z%HN!-0#y?Ir9H(>mRVF1s>lWNJ?HCUJ2%jx9#5ID5$09Z&#s#PWj~Zgfo;xiDd%<0 zwC3pp#nsV;Mr7E~-R`rPD9_~NB#Ieg>@(1&n56=zbXJvOQZb(;p+bSGk|F9qO1pSYcUInVaqq0?%ls)7w5v}7EF{si@lN6?3RCKJXyC)f%`1A%19<2V>zue{qazth? zhf}*{Dm?9~-$asJxb@XKkGLj>FyUdI)4wCvz#?D#W{P4-Vf8Z`DMu;Es3LMo#yXVs zD1+^OLXTpif=~b%%s})mW;OGZ`3&mq3v0RC`*f)0#;rRtTqPq`3REd*RRUGmR^<(= zGCn}iN@rC)Bf&~-SV?^qX&`-odT53BRR>rp5ZEHZ+&mo@*&Xk1aiFE?ZqddL4u<#f znqgM8K^BA$VRsnm&?KH&B&WPsBdL>8+b|EIAO=}?bhZA>%S*6{WFo3WD+ySN=ZX!W zN}?4Ghr>sX78Vxc0*@7$oSz-xaB7Ctkq_K0Mg%xbc0Rk^!NE=fmc%RzbMyJ*Mjc-! z3?=&wZ(&a@p7`e1NiS$GkI~-Rsl7H|d-((R;~iE^9CCVfaq&H+SOlQvGEG08T6+pEzQT0K_tq573O8Fp79|dHGk}g)w3rY z-u$-c8F$xIdv%Vspu4j6{c>t|aZBOap6k&0No$l^((93FI#A#vVqDA2NE&uGE z`3~H5IG<25D2N0+NiQE3x{O27M(y;G7o05L3-sNm(Zrx8F{I)oaf->Q#wi7=^l+*& z?;pBciB%;OJSm7uqEt6oTnbL1NJywsaEc|#+LZd_%{%w(qBA<1CK{OM2?+qoK=D16 zEL2k#xZqIf80nZ)>zqW`nq|(aMt*;ha(YzrH+E2kP_=O3VniZ!>bMWc5IQ$ibBE&m|S)x)nX!&8^} zWzO(SA7!69!al8+c|wb0@hy(W*P}=U_596rm?e{ZnQxM>&Kw4+AObNhF{3c~fhUj- zKOtyE(OQ(T6Pes-zoG@d5JaxwI0)s+3&8fE z4J%AJ2J2nA{nbz<(Mrk+X;?|9l4zBfl){LK4h{{p_I6%<=EML~9nqa&mfb-EkE4R? 
z4rL1h2I-%onMh`J#TvnS!uL|sj*G{i_YsrLRw{BdO^96b#3N70Nt%$wi z`jb#~!qoh%y@O&pL5PB9B|piB(Nqau%RK;9d)6+rJ86^<5#;6Wx_bFk?bXk<_szA} zS82)CFX$}C?|Gf?$8}A0>*!+f{u$eYR7mGq)HnrH*`G0r_vkB|zyFfmHS1izQ%2+W z@86G&f>$RjEa=>s(eCbc;C@+qs>JoD!YM?J7(SN4c71><>>&D@{ZMW53L6=2XHih& z98bE*3rqQ&nc(t4mcTYg)v-L-#?5X@@Hyk?NKZ|Y218z%dlIUoce?r}Rf$zq+?|T$ zAWbSAR0*77)kvs9V(W&$DFv$JqEnkx3RK;?eRr#Oe4A4xH9yfg(MU0-03#MMXeC_z z@nW${N-(H|YXxl<2*bMqitPz(veT=@F0U55z55*Y8*wUhgjwhWoAAZ%iAy~-TYWXh zBeJaG^ON&0D-%Y}jq3ld465)dAQB^^V{yVDY7{1F_4lm)B&rvI6%;M*ZDe%Z!9$0e zHr1~&NSSdV_I=LbGvtO-*;T!V((NZj+V4EHU)u?M0cEIDacx#9r{dCxzY1Q^7PPJq z0(7lFO8DxRMryBouD!WLM7wBt|IkYNt&8^O^wI;Vwzx}3KT;9(c1ywYqsLCJUbBAW z$Wg6YSA0;tul&oGAAj;G&jrdQw+JDxI>&#tDXn0{3!;X(1eukEKz^lLV$SK3o1l18G>P(F)PQD34Y!h=`do zq9Xl0&dxL6-%^*HCG0G_0|uBy$TWgk4-#4_GWMApgs2|Ix61LTk4KTOlVcU?HqY1B z&Bxc*r=-YF)wUH&WAoPSvu4jUHGJi#tRBLHcYVp91;hW$@1{O_ghQ7zwtF3%TqIyE zpE-8XxS@+D3|%m8=#oi8l3m`=-dLl(u};`Bmj(fI8Q#s8PJQ2K-ar{h;y2MELtVzx zt=qR1i;20#Hc^%J8#fbXm4noE!~F*om6GBF6ij2KC=>DejT=zOm6viS<`!0KR!kLP z;`^4`+j~VZG#ym^oYmo{%np)+_cXstQTPj9rw5$1nCWP@&CzbF)0u7dr&pXcdq2}h zKeK>)TNwKCw)Nxo?>9WSf6MLI_I|FL%i{y5D z6V+EgIA;5*xwX=5-o_q9FvnxLY3O2lB$$+{h?fy zHK~fbQ=y3gQVLGtSYRQP#i?SBx`Zl}J&9AOe-fuyVrraX0ZP?Tnp8;mX;y)COf%}9 zOsj92E=RND2`?H4%Q5J9&Upc4et&D5YRv4-&p!|cV|k(N;^u)ImU%;u%2iY@ zKG4ru+Hc)NIdt%aLbW%SYOhS!UMi_mA!@3ZDXFABiZ-A6>M9ao(FE8*P_xz%zp7!xCXgs6x9_LltZ4nT8c;rN>&Aw5SrR z>e&%1HB>2vmEs1JhLr+U*a&g)8qx;>eNVVrzvp(eW|U2B+FePR_78~7d<7R178%*W zlqN{9Zy4qLX0ZD*f3G7xzV0{!)o6ulbO;VaL)ohAUen zI+b!ike}K9J$)QzJJ@YMW4qsY*Z4!L`-WQf%JJ@TFYbk>MN@^_?aE|9|GP9mdu#vQ zgr1wecx&CHR~4utuWIQ8ks5q(|9*9W2;$U7j7{JIDNsf9nMxW8Wu2)=LatiF#B)dh zS3L<~VL<}1KJu~l<_7J3YwcY#VOWuvU(khUV8q!5=lz@gQe3B~m-f=fzh0d6P41*` zvPOTCIr6*Q_qA7N{(0dwut`DZH1{@!E1EETPPUD4>VG?~_pdpfeQgJECmDM2Dg1r` zeh$IjyCU2t$2#?*b|2M6XbST%@gH`G=A7~Cp7(ADca&s3=i_aCoR>vM`OAr<2UTj5 zih0ODeJX}3U1Ly*Q)pRAl!}SXkgh)ks#pSQs6q_r#xuBoYN!%Ob??4nQWadf5}bBE zC_O(aBcGjAz{lkqiSafgLRp1)9lRD@|y&7a?XtEkSovb$$(a0y&I 
z^=WB^R-RNKp$eJ@ha(rQ;w$|rR#cZ2ed-ShP6cLB(PS+qQZZBgb!~nH-bHzJkN{Pc z07n#et|x;SdIl+4qI12UmZpsr{qU@hpEPS(wu-FYP5TEgVM@S_9P{b8_3JmmS0^Y; z)R@~2Wb@nj=<#md%H)W3dA=)6E%~o3=c`s?D?01H@g8?ufhr6ua7uxyD>rXF?@%Cu zSu!Stn;NLvA2Hq`fh;N>C`0zIM>H|R5m6)(0!G|4@aW>Tn*~>{i?qXg_tj7(|0}Jk z%ApF+MlrdftYKB!Y>~BGf>ve76~%5q6}dt}l@hU%R+R!($QB`FG|3XJfGUAjaS3sO zJL6qm!be27>W8#vcM?$qX=NLPu6`1!pe=Jf>yzUX@6a~du|JsQeyh z@07M^l7Om<{j_%u|8aTRk!{1~eLTQysVJ{>cKt}o)q+z?KOeJY>$c#K5T=BjL#}S_ ziLmB%I9&#?Btn*3eh`^IF=itPuU-CY+p%#6yB+hNL_O_As&N1zsquP5X zwO?-0p;hPaQrn$5T+`*)b6LJke-cT!gw@80Pjb$8kBi^8cHP(X{XV_e_4**8{fp1n zs!>BMyXH-5tenx1%lt0AtB+;(5}Xo#KWS10dLM~&{W#9CTY`Pl6sNi*;eM0cnjZ0L z;H&I;RsB9WSyY!zaiR`nvqbMt6XSxIMS3{JOw)s^Qk<%iqpm;|VG-RZ?M=^eD2Y-P zTUCfn3<1TeQcNn=V0ow#CRGXdPob%^a#_C;q*&3cYc*6oc=+`z2Xth=Z9c_Nbu_8Q ziS%_Lc|ZRA^Zy#E5Kye>apNYG7qg8THJUzSCca{xHC{VPR&o;%EQlZkkwQ#WW@a@v zn9|(R^&2;p=dMer!q315VACnfq|Bbb*H!;}a6;Foew_}gD5<1CRUd7BpkiCp$4aGbTGDDl08GBk@dn?6J(uG#o6_2PoZu z(gPz!M^$K*5Emcmkl^t)oIMy3kN%FwuWI3@{_l_JZLfzk#aN?eLZW@WNawfwJ&k<4 z9K5`}yvmkcVtRNwZTL2|?Tv_bQzm_S>((vWwX;ZT)Tr65bFJ!$+%BR~4vpIiz^~p& ze(fET&@%&;Pk(R8$Gxpq4PQ6q4RC7V#CJ{{Ga;9M{f13&|FEY*L&K)en1xqC0V%mb zxu;dD*D6U9Xyac!C|y1%;_4OvRN3+H^qMz!#xDg^w090*A_;=W_0`(jhqXl$pXPV{ zCZ$81WBW9(9?7n)gRC1Bg|zrRue*epSl3w{CqqvmBjwOxJsFy5VcI?;* z*-3oSXe$K}_)MEu6S3GqTxytrzKs}28gwLsdh-{;N0Dpj> z#=e0jc(W!UOuGK0_pdxoNvP5zR7e(Uc6w+=yjf0qKyGG4UUpnwjwb(n>V^EQ3m0-h zD`{1g$EnJ^f2=PFRmg3IT!6(U6+%{(PQ{v)P=&$?PAO2u8fRdqFid?TYLKWxMio{S z?2BWm4K1>r(~FQ5(xgJmMTYQ$Jo&dGsoeK5Cs(goTRsI?N?_D@N@b!=$tHl|kuj<1 z8Hfn(4APrZD!0F9zX9MaTD(M0!Xu5<4#0|`>W>Ga`R~^>|AkXQ^WW7vB2y`+LQ75B zqPBW_R=>nOsHy~rOMyy&v;)?aS9)|>^uYQxr@{+>Wkmd9(BL8Jy*+cAi=x#ORc+sS zcQn|vcHKtuf7S2=FwyXcm>`-MCEN)QVMKsIaxgRZA253VgAZrSnoXDhBTHrw09ENa z+Y|Oqg=hN@-mC(uh&UVzO%<^x0#%ZiZWP_&P{_5Lx5`76+OU$D8j@m!3MbtTYN)Ev zutFh1DdG+=#|RedMk#B(AU`cXHzqgDEhqU*cDzw$%b%4; zNG1+t6JTFZ2c9FwI`jy49uwfU#oNLtFHTpyQ%97QC#zI8s~i>Tmgjo?au*aj*9F{=aT+{XTb6&beOs z{>`3V=qElVNtWx$SfS!BU2JBhboyuqOOqa#F0GJ%ySiU4KkPJ)DxRKhP>C 
zJ2}OBn8v=Y#-T})>+{K;{Zo8~rTTx87C0$0d}&tn=G?@?dC8~pGh7OCf-hds6cr&e z^tgXz2o*q;#3>vb5~?aQsnk#<^-sn7C!vZZ+;P7zBnksVodeJ;yPZvL)|D^+Z=ecs zK|Pl8?l`p^#un)NYQK*@{sbioIf>U7DT*+`##g3dH8+4=473j`DgJ<4J}XDpm$1TE z)vpDjxjfbXDBMT8c?_bfa4M9NN>u-=)TEM^^R%FomK@e;}s;0N0z!C zixr2fkmQ{9t4bPHRGtK?@-JPkWtlIs zBm`8&!2H?Z94^%@=_07m2PmORF|5>3#j0WADNrR1D;cg*psFx0{6dCvZo>YY*sU3X z<5PWyC%bh^cI}en(jm#IwZ^H1#-WkMLCAJSu2%zMKy+NCHA99g%5A;Wuyxd^sSXuT zjaI@37`i*riSj!l>4t%-jMbCjRzJ_X!Nq{al)8l@@qJ1gJU~*VGe{lz3by?CgWC~?x)>PwAr#@5y6I$quyfrwQSiE*T;*`KPRoK`|+)D zok_sro!@dh{*vAO_oA8FJBPG)k7@6kJiWOa6iD%G6YJFQcEX!jG*9mw%M5(S)MWD) zlSXe?JPVdMNF&MtrnHA|UkdQcS^6}@Hs z+|GbDsH(0z=V$(#ErN1tgi+ z8i&Rj$EHb6t&*JECA)S?c6%YkqfbWQn5@v5=M(o9q+4Ig3%GVAAB#ZGq>@mjm{jPH z()GtW#Ze}$DpXBrRY|ClYn(upgeo-lCC<@;h%TT?l%yDJlZeR$R3X^;L3$uV_)(_8 zf4G66N9W%OlP0%mTS4Y5Phb7hx9_V6Of)_8e}pQAVufeIsq!x!nv0Ir1m*A&API3M zkWudD;YC$j^={c7p(Cp!ib*ICdsgXVrHA-AL6lSiQ@%3M-q|Kl=1Q58N_x$I^$x*H zT|3}cN}%d3?Ujkz8%wpfH|csT!mM!7{urqJQ@`PkJOS!TZQQh_{62YykW<&LU6CGC zL_c=IR6!Pymn))vMQ}(s9Z%9SvLwVSc!W9xRPiQGX+n6&RT7GmQc@XMue^f;0XHCK z7a=_Lcd% zg&R=Ty_7z{Vzi>l`rW&?Zx!9TS$OkW*7eJps~4lMTnM~;-n$_6_yx`W?9k6M0zOFf z>X+owk;Trc$1TS42Pvp@O-)hiwh=HQ1qQqzKtPt0Y@VpdJ>>IkUCpADfX}kCQgCi7 z5i7+FD1+Kc#0p7L-VGQX?eBB;V@KnZo*D?EvRuVxPO0ow&RlPU?^5C^-?t&xo@ieu+M!2~ z>jH1r{p%KY_x5s5NYLO7u34+rq{*MX`|hX}vuen%r+GHX@M?1YT(hfTEpmOEW_mZj zlQLd=YoGS!X6-c~V2<|ce8%@V;~Y&Io%e6^*X4=Y+r)hLr~1BXXSMk(aHLBmR(`MB zuo)@^s;mSr^>6tZiaxoxx-)Z_fUIt^tCX3D1Mud}FXg`;J$kfm-3pD*XWEN{^{!O( zJmsveFVmggOyL+T8Gl@wb|bP+o?p{Pnl?nTe#~fpGpZFs?qNv3=j37>Jb1{(i##RS9Ukz#s;+F>L)Ua6PHrfI#be3+kq!=~j$FDgtix{~L5 zy)fv;rRbYQ@waYd-v08!-8)ymx_?K(DVD7orxcS)LKQg0k9+d@#`^cwceTY^7-eVCxxG66NymVN%A$YeQ+2uKY<%kgB1&1f)q9p5tg*{ z3{svccuQM1qErgNsW(ukK|0Wi`^lY=U+4C6f0z{&p65S)lL^KTk57RrbR`90cH_UCnp7oO!Y^W#9RjC3%svvx7g$3>=;A zJ22Iw7doNFp&@IEI0Eq?R7a2qP4Z^AsB!%uz7;+>_$Q91=VQXlp`g_>H;$PcQIc6uV3g@c z-k;ei^Q5E{DtS9OoJ#b3`_Bt6tEH}P`+32g&|%Zlq8aJFADQkRaB9!MTZt3oo4@9d 
z^D?XNW%^vm>AI0;>jT6ZS919U)^A?eP%cIa2;kuYuz2}G=lY(et;-#yQr&MbjiOlPmRY%gEQ15h=M#*9biYC0XRVQ*A}$sl@58J3o$ zAb;HYaA&*YuezN6G&0;iB{fZ2RSHy9NKjWyDin3JR>`KwPO?sN=|qjMXU=?{K3zpn zkOZ(MwGluT+mb1FJ+v8ECNGEe#f9KkOm=CT;@Uagr+=pZi0qJ0@*<|?$1EsJ+ESE$ z;6{PlmzVwT-Aa3S|02s-4OIfA@ZtXa^Tivt`=6w;O#~T~HBaSea`F|ZLT>Pb06~l> z)8Iecz-q&nnVOynFE=3EGS-PCa{(u34+O=!XOjx>nCI3abVhfNr zQ6ag4vrSLWoH=tgb^Et$+W`%La;(m-Vu#CCtb&X!Cz$#-b({#quxHKzsSZ>rlfU#z zX;TG`h&EN!sn{>@g-*VrqvD7XsG@F?en&<1QRMbh(YR`8@mKJfQ?ugMTH#Klr3mR- z-}`ERD_w4-N7t1I;KIxAaL?ZT(zyqu5JHl)9IiqQPk6fU4`XHmQYcyksHAQnQOUx} zX633i)T$jl`hEKUGKRc44279D@gK_1@SCqd*OWAM2o?YNd=NlY4yqKx$|L1M4XXkI zsr8J)9X0uCsQUWB)w@?CZWcIPPThSza%xt<$Yj^{Nls0Z92+M&>U?w#)Uq!2r{#Fn z&-ZC?HKd7bz(Fz#0-2;vmYW=Cwv6ga8|9M}4Zsjf@*0?vlPV+BNPr5_N{qM**5q0qAh|_ZrSv(NN&igdD=r6K~5iE2TuHusUmy|`fqgw1=Q76#fXXUEZ z6iZpPdfm_=U3ab&$Mv(QgTPc!Rc`!xVKM^$r}I-CjNjb9uAj|;!BYP7`^WPW)4V$o zw9>Hw2V-;nb=&A++M8!jykT_W=$_-&TZ}E{Y(L7FzWK=LWqU_0-Xq8GMZ0@W+uUW+ z24$>Xy9T34u9V!|^U9JbEWEg4*<5p@k3#H6-HPk2_T$M%24w%5^O8t!)ScwS4?5MY zQ?pjh8jKMG+dRq;C;!)#85aV3Dc5ChTr2oEyBUp1KP*p3>uVSb| z;4?$Mifws4tQqENrn_k0ET0I!t^^wB9eCsd%`$#%Icz@RH{n zV*`HG@;O=4>ty2)*U2$K2PoC0(NIi|igdU}L`D^}3!IWrCD|09l?YU+IO=k`$_f<< zRN=YGiZw)+L+7c!dZR1{xsK%Ikt>UZMpX2>ls1_EtUjh+t`~ic<+Tf+xp1dDG}JBI zCP_}sGJN{yhJ1W6apl!?!>?{ce0?_)sN!dd3k9pgp#--#jvzXKLM#1$I;8sVJJc&P z3hBhrQP&Zz2vP=V=8}GfqYnv5`XR`La%Dx-#omc`qGRItFuu?V07a{P^5i$DK5g2x zrOi4E3Z3V<=O}tthd+8Ynj-c;_~>IP?U5~<39c>9N;$*gjo+?mf1pj(8C{zyJlpF; zoeE0%NvI;Ds<2o2j*7}5l#Qq4KjMWb1~`}%(?o4{nu**eTxBC1jK5@P|Ej>(%3Y!Z z%ImKWP))k+_gX>~dXdiY{Ku1DfBgRIi{C!X zeRL-->%9Mmmd2l&Z(D1*ATIFp{K(I;{fDM`_K<5Fw*!f>D5Aoe@NRg)uTkN-#y3Kn zeHq!D+!OkGBaNSAmvLn%YwF)`upaTe5z$U^>y?w{t5gMKI!UyWVnO-TIWtYBQlExMNQW@NqRURCALD_N3h_AqJt7bhM0@zu@=^rCniss+P-~z za?;1VE%wZ?Io!$4Y_h%01}A%ChckO^OedHhX#3m6&yu}9c=L@eBS((Jbh_t6n>WG^}^M#=CbmG4zPx3FAgFVH{7Yyf(`GyF=OTn6PLChzqbAObybhC^OhGC zU6J#SHKJ_zy6(LcG3c)%+L%s(dH5u^XHi%SoOlls+kBnW78>5KSslO6cvE|2#vhlb zFP|yut-aE>Z};xS*%_9G136E|FZpAw_KOs3+k-VQ7{hJrMcFqXU$`*1`GCH~Yb7Ws 
zn5D#v{x8)!@7I!BN5~Q{G1e#%My4fTgu@mXiV^-gn(fxc5Dqk_T~tk6c03wd!*d&z zM}~1^zOSj3Q77xeFW4M?#qPvF`%`bZ*nH;cu=Jeg-jG0>@KD$Ih|`HKFY(}TQ{$j! z{<8|iav+52(p}^JdXmqFNddEygIAE+#cRI_s!k7?;mFV__*N7&q(hI;%z7j2`Il_sfBRXB|rXA19&q zqSCl(lz=MP4TMBsqF~=Ri^}a!OOx)Eb0FNt)S}m_-cd}Bo&Z50U2yV*EGa^T)1DiP z*axR@O>hHoY~sp;U$K1UD!N&9?$V_^S6^?pdM}Ah3>-LU@4kZ^%ge`)=s!;f&J|XV za)$qYLxC#JpDFS1W>A)2{|ukrscs!oTw04|s2hlGCNR#rTM^B1)6viLyOg##Qgktz z_HYBx;*?eJf3N`vlFpgr+$lT78KqQ06*?+HASWj)6XJT3M_SC0)bQ;o!Hbj6O-l9| zo#Z(<$>TMR>x&wft{O-h4o!v3aT0y)i9I3W=wNj#N|-!&RKCLrnbsBr;WP1GV`F1N zi9F)G6(c4tDq4()$mq~e|Bzshz<{&oe9is5OuXIpy4f#xwwZI*Z1ic9zLrLv&Gyz+ zgdsKJD7B4vq^SE@Jc@^FkY!8>?f|n|6mcT_A!A_zCEeLmZslO-$x|n?2!^cY7QhW%C0>!GGij$hMoyZR~ajUOkqeUj7lhwP6ynS03-hxBg+ z>wd4{zQae1<;;JrPh(6!iB?V~b@8ZoPl53A7_m`7A2PS)uO!50DHF!~4*y@bfLzxMu zveVAxW+wttjFOyRTHaj92wRZk*nl8x*(X)0SMxvl80sIU9HuBU1Z9aOfcu)OLkHmM zn2=I)E50;`2B~iC)4g8I^nIl$dFk&@N|~SPiSf_2kwwJNNX$h4C$gXPwgv`*k%d9JN1$ zY5%BzE`sPTx_Z^r%tB`>)@jh7;TvxZfJQDYP01dIz|TFA0-r2q?0r(^F-u|lp}%ON$~0y&qn@Dw>PD$&Pr4)ilSQPr6JRk@NP~viNmkiOr!!;s zr-v?14Hyq`UE|QKcqu8)HwWQ=L*k(*QWyvS8!mks0dvlJyH&sBw*^z-&GadlYdWHZ<1*gy-TE@pe{ z17T)+>gYN@Qlh73sR-RGDiGp$^f@6Kl;C(IX!3H;rsOZYF<@Ya_U)9bQ#Ru5Tlre` zIAHk7>z~h@^I6kbvu0!3!xEHpjH$bGMPKCq54mIAPBig7^_+w%9@hQDw!h>J(cUuD z-Z9qR+96yP1-+i+bUb?Kr57eHsRFHfOjx;L$6i*4oH@iePMkQA6F69VWr~*YaakI} z^~jc|57cluS}W75@y}V$f3Jh83t?k=c595w<)G0adwU0EIryLM@cX4{_yFCG2?B$1 zjcmYb@HefsX;JZK&z!NR6)B#aF{7KGF7CCVAW=*dR41uP&EKD zJa1n{i1-n6k4Y$oLmh_jLzd`)TwRjeODW!iGs2f-Ms3PTvdT+yPW5|>_wPhCXDaI5 z(trO_u1#1dil0#Uk>kNVz5OgwO+GAnjBb6vIrwR+6xVgNvcgn9vi6SFT+rssa%X zG0uVljPN|LM#`sdF*(PLpMXOQJrI{8=Kw5%l6pH7FaP{O`(upu8%OQKQvy?NZPs32 zM4?Uvah_g$U0bN%8A_S+>J9CMHctyx-9SVh;ymrmHKO<}9C!{v>Q+U}3hoT_PK=|~ zYu8ihnsZhLJPKJpf|?#ISWq4oI$b954em8OFlNlB^r=*z!@t?)elA(Mf<5D&1q!)m zN~EBI`}X(WQlRRG@9x~Z5_vh_>wKndc8Y13$N1By2Anafjdto{tTO?Q*FE^h%|T?&k|=~T5cN{fZo`^E9wy)`OchOQDnCG$6HK|Be_k{It&cdk zTt58927v^H6H=h(xyEE=vcx1Fk;D6Ka%<^H`@8EMYI>@3y#&|(@zFjNK$Xh2QbScS 
zT7~PQ6^o8!ItC?<#qf7N=Y7)0WwY1W8SbY)aW{X>`B*C_O|Nyh(A-u`9%BflfJ0itaW;NhK-G_biDI>?AUQ9 zcMS!qu0{{A+*iZ%q<|`vXDS+fm)T#$ZHqq8qR5Gir(&i3zNY=uRqs~;Rh`GLd4KAB zlcUFDW8=NOeO9eqbNa}TCppDmzZ;8{T}HaP9232m&m5|GIk?5+)S)0zg4_G8n%Cv@ zFaV8=4k@d{djE4*qDMZ?c;C;ort*l@8}^2^n>7~v+vO`(5^d<)x9`G9qVE{@&DprN z^U)SAC%d{^4)?a7>Fc!koae#d0IVc`6b7k0phXm`6A@8*IHiUvsgqQUQxv91jMoIM zfv#{hxXIrod;$kdNLB%U2@nA!f(XHkW$I$u<0xPSDbx-woVm@~Q6A0T-N1ni`vQg% zOHUer^d@FW-id0#^2F)KQpJ1EK{JXu7@`a>D>_2Ax}i9-(y7YJs;40-P5{V7_J?YE zS@sNd`$!YMHaGRu)dJt^mjfR?$p7_8>S5&{Eg| zQxx7K9CgSf^sH}Ij+U>i#DBbjBWLl_Wt;{X#4>B3st#Xz*YK>DKovhsfM0(8_Unh2 z?%mGF&$P`-J{j&i*Vk#nnG<~+O#d-vB@JrkXZ$|2+ zu;$X*;;BIP!Za3{AMeq`e9Mk@qq20Si= z3E8ZX*7X}Tc#g2n>%EJiicf}E)Uq&YJ7)2?p>t-Am^Xd!?Afi}p3%4e>loedln`!7 zMV~TxY>>^UJBe>Po74d>T#wb}MqLVNaW@VDNI#Aj|H$i<;@ZZ}u(`WQi*Hjz;uyg! z2a6Z0fGYmgW5SA$rp}!C*&G zg1MnV)YA^y<}Xly$)w2A=NVWZrl6rUBlj^{^<_IK{TB(Q~bu z89d+h1qw&ksatpSyKi}!6#J-!`ETEZVn+!MZFD!bQ@m5Rc&8WRoqNZ*yc*}yKgRvT z7|#hYUY|$#ZHzj%F)HY2RLJSb5ZkCo+?k~&l^UnYxc+nnxR3@=Mm3sPO~4me>qKUi z%lyY1+&VA?{h^pJpVJ*NryuVV?tYe}sn-AT_}SXoQ;h_Lq(g@eG~n2SJ##N!7B~ePp)!cnKDjDNNq{4u z3FZ$(2sFUUC4nlSs<4|juZ1$ntKN7j!c{{`(CRJGk^tWO?d_rjE)K?TU9~?YR(P!h z(Kt^Wq1d5p$N@ru@1&4$SFu&`3^+QuQpxl0T2g40@J}c~fZaq`ft6duRnT1cu<?2+CNUOqrMIraE2;8LpbCY79rA-(0=-A_0I?RadHLZH6F|RpJ>~k9*wlDqMu_L^ z0GCNF7O$T@_JXZRCz~Vft&Lh(9c*U4ufZw9dS<%r@N$w9CLms5f5-ss7n1>w0j{km z8J=;zHtM&c(<0 z#YK6?M!LsFxWxt^hz;Bo>%ThAdkQ1oZA83lUxsr2!o8!*5yR+{cAtQ0lEvIaz#0s? 
z6wnwL!hOnsZ~p_KF`W~YqXQ+7B=5(zxD?Qcs0XOTo%wKBjjml^nDB0Gn?p?w?QChh z<2j>k4fbwnx@}|Y6|1}ToID@+X!^#-6i7)+ONW-jM0%lHcc{EwyR|rdtmoYuzA%`rT*`j#bX|)wEZ@< zWB-?1s|%4Wp4tev5_`KC(qh%R7kf-v)PDS$K{G#hx9k;SH=<=T(QMS!)otuJ5r1mg zsufG%r0DA2VCUx6T-yGvjSg?GYqY)b$$iZnjT>XaGh5CY)@sqz;HBQZiTw6?`Q`UV zw82OxRLXt(nUtv1wov}=#fZBKRe+le=M8bqJtzDp9|2ql`A`tr@-fM$mSEo^!L@IK z>#OnJW8-~36C-#JBO%-(A;vQ?#w#&CfT4*G(j-PCF_PjmUZdCp_R;^7i3&X7UXXDy zCJBBy<_YUaFiCWl5$lUp#&YvJS&OCT3>Y0Sp!1^|ddv;$neVG_c@REHbDP6$ZH?QX zIo9>;@oxSuq_Y_y}#XrIF!Caw*cuFv7cw_XAr1J5F{$Ln)Q) zYjCP6W9^sB;)3d59nlq3Ct+|#X-3t>VN4Ib%cJ@7>2dBu(;@Pd=4JZ>l&4`7hv! zEc@49f8*m%#?W{L&)&w(TX*c*vwX#>x$_r%GG=U#9z83=the40?JtRiNy7@BA$PvQ zbN;(;N~n@(C80_|E3Q-rR>f!qZ$!;nm+8Rw?_It9W!|NN@WS%}nJKnu31$fqhB3jL zLcJFTxJ~o4d)Li+sQrnaw#J<-_BU2m3JROF%ZSe4V+=48J|EopNb+w}+EyJ1P$cbt zyYYKo2f_+Mb~(09^!_B#V_2g5z(lv#5}lq;bn2Yw&|Hc&$We$0d?qAg%3P|Vz$OgD zBP2A&SMjYF*nN0i7>H8_u9)&?ixmklA?}Ev5tkR7YBvE-kfKp~@q@t-z+Bz(g+bdk zjXHLyJ9l~Cu?t3ym^Jp*sk1tbUj<}zp0J|J#1(8b?mKG6%vpYZ=NdL@ga@9|Uah+I zY4hGZ`7u7wY5dB!=Zt~xhnXYK(w>55-LJ?mqS~q!Kmu( zPnV2&l+^Z%&zjrWojH5f9spvhw`|#J;K2U3B1NHzM9&T{e>O+iNw-PMKb$(OUIW1r z_VGOj=bW=0H-2LG9zB<>d1=6mnK~BY8vL1qXH0&7-uu%Q4_LaY$M#LFPwcL}dxb&$ zx&|yFmfNeZ_BGp58zU489aJK`f_g&;^7q{0-XiL|Og?R2CW=wkDm=9PR3AImp9igulzgAotIsgVx1`Zplb8&q}r~%=0TM2q8!K z-kpN)zkAFYM=wP?j*QHh@g9~fms0X`LXzXmV?uWadCvE?|J30`Pk*zT z=!C3#qzBFrwUGHg+XfuL8o-E@UYhP90MW@s#4QvTWlL%+0Vq@wU;sMUJ`9{Thzm|w zhNr73ulN{=sQ7A#tcln}3FjG=7<<#*M3B~``vtRN+3FWRS@2e$Ni!OD?Oms3yN(lp zr&2z7mx(K9u6fVpWZTgTrT|s%j(*SD+J@OkV5`S~k*(ifr~rhrF=F;4FRSA4$CXe~ zuZG2wN)$y_Ib)KnE1F?`VVh_=*v z+Ogv$>?!qrT8#LtMxAm3KP>ZNoKis*IHiUvga$v)lr7c&0DB`IM80i#k^@9FdY!v9 z5F3^xLA{De06IBq(jdjtNFt$?wGE{S%0IH9!-n(Jh>L;vd<8qa{OSF(cjP1EsR7FT zFejxRrG_erRuZb1)p}^f%-2IJQXyoWB~Vq2k^;6UDhxCk@T)NGWRi0mBn%EQM8v;b zx&J@>x{g@Y0c9SAAJQ*@Y;rIWEOe`%nfTE+}2>%=H{C>w41f8-@9`^ zd}+!&wZv{QVp@&54cm=dgXn%~>XNtSP1~{S^&sme@n`D#nzx*`>O-K4AP)3zsH*S0 z_hE}+Q`BEqwz0xa9WN~+A(Lt+O`4pWo7=WsyEZLqe3#zA`0y*r=byRJd+MUuQ(7b> 
z#KDn}GZw9w#K3ok*7h>1<6_pTm(D+_-cO5>TuXzF9Xnx#wQSiEs1i0{kAA0)bc?W| zn|z(qCS9hk{OFCDbGuGjss3WqH$GyC5%uoY^Q9i6MvPrJa{21++c&i`+}il)uDV29 z2$cp|2 zAi*{(`D{=jnwm+QO3TDmo)TCM5n0dXYgS`Ts}Wd4NT6b#L6>ja_5c*fsXVsIhAjTM~Qky^Fnz4aEkC4N)v8g1rEu zpddkv%B}6_nvd!^Paeb1o(KYFB$GI z`^GS7yLRib$i^0WBymFY04bf2P9?yNp$4+q*RYpidN3)NBN%^LOcHA(>$l#?xmYn{ zF{!H z09C|_@7%d{`MlfN!>ypa#_i8ZiXmk}#rrJefBsxP%c}^8%7XMuF&fM+5+!W=!6pbN z)KcwOo`G1+x&`UyPRl=Pe7Ww!>$Mut`ioxOD|H=QTnX!G?X&tk_vcN&?%mO9dV>us z${cehp_b*SbI#dwYS!;Z&`bmXGiA<<-fZP6Rr8gt^63xb)f0`L{4o66pF%}w4u7!j z=VJ1b!iGT7u;JG{-?XH_w?lq3Iwhq)+mCF}ve}g@SIU+xD;GlZ7R|qFR$%G0bTg+E ztk=7X>A3}4_Rp9r|L31qhyKS3BAQ2Q(L!}vmFqI9>*&^-R~F-=G4`!3V7sttuW{dT zTwWwcc~SNY6y_>dt4KQ$_GI92)$Gyd>%JY@4QkeZRE;T=6asFI?8TBri2J_b|~Wjx|@4B0w4i?sjEl`A)XH_3VuN$mE~O~sb7SHJ(@ z0W1q{HC4;U#d#=Z7VGsh%_BLHLA4P*laachq8yZ*V?EDx$4)4MFzC>}Rsib(SZ4nE ze<$i_r}*4MQK?-i`pXNI+U`kB>J#ey9al>GLDKS^4ve~l8isTgy0u+&H-?E`jSm*< zo~+S5bJe}}(c#Ud;lY*!?kjCgOuZg?Cpc4W+O~)5NIeumLg0yy%mAVIdYL4AcA!B% zv~OrQCLCePt`V#-`e;P;p;iJ_aBjI8$ujNf@AF)~H8W6!D%G(P=_(~-rGS+P1DZk= zb6yKo60O+F89|kFtnS{qcK%pzN;9w?Bn$pEAjQ6&gg(_MvT#P)TekNU`J%j}3db#& zo_p|^D$V<~E!SyiiH_rncK}n8VtS^Aog=)g!^rPux~RZZA)ILQspXbzpJ`vV!Ay#$(PoXU?fxrTehV1(dLVrYwcq>cK1d z#V6o$7VkK|WXEyUyY>BXXrn2UK3zE{qg27#q!g?{&!9w$D@#rV(N|K0WEKA%9=#F| zEJ_U*T>7wG6|To0kPDENXjVsE75y`Esq|2#EPPxlcCAJCU%Vs#|-xgYMb@-K|MVb(ItYJgEEqx|#b)eu&=)Z_& zy$#=I`SKN}&zOzR1)PzglV1*w5(UCc08USSJ@bDtD{#AzRN`tzZ_%t-b8sK#yeyz* z9+|(y+aHx^#Z=_M4aj{Ivs8@%vM1pqNT@PJD}o7@(2A`cgFW8eTNf^#SrxXsk~Fp# z4-3h3?Ra>yAf+GLp^y`Ve1vwqRygX=)YYNHc0`InJ6O3NX%mZOBc}IUsH+LriK;GO z7Zw(@EB5e|MD4W~bO^`!nXISfoieG|$nh1r4X@Xz?~mmK5iS+wBJ~9oyN&#IXy?hZ z>g`)wP<~_l7mashR2R%H-fmC}^_4s+_|2en88gw%6S_iyW_<*X=;3Bc(N0r}cGiz# zU8XWV>ptFLW%Z~71#G9JE3YgjP@{kU{!F%P#VZx>GPQWuY5LJ^dT}|_Bgvl>Xx3}c zpuv)J&bzn&p+lKgKbGk>UVTUL?)ss>rGnoK%$Pg>xbarCYuDi&f!9VYTNiFUO#L`j zyY(MF{_{;s^Qa;od~h^6vSiIzs6eK=9oqv&>Wfo;QnKUN8r}P}9@MJ;=;~GzO2L`5 zot0zbqI76pQ89ExQMB$M?|19Uaji=w7b&Y1+pdKw;cRFL6&jpUp$f|&Q0gP# z6xSpz(xGD~BXei=&*H^Pz;17i@oYAoqhBl4^ 
zE!UT?bg)^n6c+#{8w~-iCQk0!t@~#NX)pD?vS!WZylD#_fvjUihuJ(-{c%U|@t~=r zd=5=rsMJzXg`m2kQY)f=)pXHC)XS#v38(xmbZZ+J9INki*Lv%2j@8|>7JPWpRa95~ zdR~W|dx{T!V7ycc#7tc(gkl;uX}V_J1{jZgV|t?Ft=r58_9f;&tcCXi6!4hHY7x&d z`hYmdYu9g}FjSbm_n6`RuZaI$4bpu@fn%?60O+S;8m%PmGrF? zsCsz$+{W|1eZmj6@LHFR${-TKMnmQoVcEb|s(x;~yYvjmLoSU^^ zsS=$gmhL&r>?qZ9mVWe@RZ5JRd1^KrJ$f|3aL#3STC!%t65XbWcQg!n8!Gk{>pHE_ zcSC@xg$r#!RnGeEyEfIDeqV%$rQTDUgfCX2lU40ry~a$e=C&d$c|AV9L|rr zF4QO7v(Y*_<|InUkGT|yKGrS%^u)V2LgkW_St`&x3UibyZ?YVNY(D z2p(W$HlSLwW^HnRG)$3Xay}!?J8)0Z^3%y*AB+GBc?&ie0fDD+&E_pwMAeniCuLW_ zH;E`cp+%IkI4do0k(SqR8)DC74y|MikSWYemH}<{U@BCp87nPX$-SI53`lG_GSqdQ z%_pnpWl)EfRcrbjE*zG`Xh7jM8qmO?&uNFRQ%2YeY?axdzO9{M-wVB&VpxKc?6E02 z#&6&beB`5NQ=G-(9AB~Yj&Al zbHwPaA7y*bE!!vADAsyNhO9Yi)Tl9JsL(CSQlMDLP7^-sYb{6FzSd>?Xh*Vhxm4~- z_3)~o5pr&Yij_OoWsKsKRrmx1jD zHHT@rXhzPJb28b_$pCnHtW58Pj`}7MEfi8hTQZ}A1kvu{$pT7i0KxfWlDvc4e&eVR zp9Fk?MeTIuxzUv7&+W^MXFhu&(>0R(NP2Z;@#N6XZntkG7~vF)RQgkDmP+xc^c;18 zQ#}4bLIq}rke!30=ydbn@R&Mn1_l=B#N8lx$d_Zrcv9T-CREVW_0oTHbvH(cirpmX zzpoPG%jk~0%Lme3C@$JzOYe;TUhb^BF;uCpLJZJRC}X_x(*2c^m=)1B1Z)>BT1?c` z=ng<_I#>yuQh=B`EHZayKA_1VaDiFD%pu$wbv_!ul>%zQq*PBYSZLF|XRl8_$z$|h zty+DUVzU$uU!K@J^C>YyZ4pj!1k`YHhrTV9vfS_uBp4#vATY&s=jqqb(fXp zHrN(chtrb6PD=`*{Km>9tB#C0DP}?_X~Zea4*XjYoI-LWugw9qg>DCpKu z*Vsk#K{hYTJ=p4t8hr+^)bHk}7`nnq8!2-=d|;a0+i%xpI}Sntxa9`!S%c>IMSANwC#r zYKg8Bz8%tT^2Cyd)?|Uw&-cUT0e>gqP;T6xV;gg>u&LZ<+_&}m_9Ibc0g_VxE%1Et zxtjHB-*xy`L&sE}II-k{>3L9ZpmQR`LZK?`q!(Zz!vzVtx58IOV&LaoTTDe2f=RC6hS#Q{a>qs#w1a9&%CZT`G`DX|XCpe=m#O$;m*UJwk(-EezmZv3y;I#E%zT?onEw-N0W zAwM94X~366SbXtsQT(g@;JV17iSd=yOX)7P(_JTBHC_leJz6P3j(Bsw-!yYqhC}?G z0fDCm4K|2o8mT zi##Dj)Wf|P5n*28p`PKPheJ;9KJ90J!bKGFBY&MLP61CS(qKK{hN1X`=_BjJzW1n; zpz66UO%Lj^&Bm&1cBr#!Yk#MWGrLY0Tcg*o(w#;dl?%Otk^H>pkTFvmxveTnpbuE2 z02yW)wDwDfa}(_$9J+Hw=HV0T*6Ba=vz}9lyh(3GG5&MQ2R^0pSG3;EKf+ zzaN2Po2-oM9ex+;rXdzq?KS{fX8Xa-hK#L39Rb7`MB3@Ii69;o>n9Z5C!*8LG|-d1 z4MG_y%OK0yNTvB@Pf-cw@6kBq)Q&S@hndD_BaTF#@lnRnbCJHW(Whf$g5zRC;^P>h 
zj7yiIuUv^|T)mob?b-##_3Ibq@?jkzsKsDq8FAFLSt=R*lTgKiRb47AR4EQsl1rt{ zQhhwA!miR!Hb;&e27{{qKVm*euTXzybo`_K*|1?F+yqRqWLfilnz!W0#zIqnwp9qp z-beb+N+hZfm{p-FuBtBX?JBC&&jr6d5lzkujSN?7sZ>`%S)Z-+uG%2@_3`VEC;sP$4ZM31Wty`4W$@Wv%bA}?zCgXUawa3_RHRaETtB@dCcQA#|B^l<;H88OrQ21myH(H84V)I|I=Vr`<;e1Y zR)544hvEYBjpPm}c4&Rx5mTDf>OHV*XFZ|a=qGr$KPz+@+OmIZs@|qgE{yKevRPTE zhC{IEz^V**zQ`Fdk%$&@18C3UnEw>2*L@5{7Yl*qz%EX1=dd1f$pBR;;1r9F)o012lFL?$Q!Hv3`jgQ=aEgJw;vsQL zdR6acSW-9(khPw-Kqf9#6US_1(~gy6*e+esv12EM5vUn7B?+jfy#EtigCWC4@Qy&I zH0I``e|#9a9MbFXiL>tEa@`#&s>bN9_7wuN5~^fHRs6em)<{H@Os%ehQV6k7hyhL& zR726f9)%?@9sNfvJS0@nImqZcY1F6*%I8Q(VNRJ^{H#V7kWoH-Z{`)Q5UwR^&qVp) z@)6~uWge}FuoXs^P2o@4kw~p|zE9?}={p+TK-&M*LX|`-W-BvR1_Xp}W!bTkz7^Xx ztz*SXk!VF2Q0rK!P^F?33sCx2EJ;SnP$kidkI#@$1zN?%Mui>xE^K>tA~P~3!+){= zGfl!7=A&raxt`h#Sp@o!!oZCJK)FeX?m#E;Mv8*x&Z*db zREP3?XMd&y?(kD8^v6qDptwjtlJJSD3|?Gi@RBM5IKUtS`V3oEssH@^HJX&~F}>RG z<<*9-NH#{Ss5WAy=_uQAJbT)Lil>vaczIkZ@tWc4NPdxF%d07)>ab;uGT)EHMIx|} zK4a$MEqVz=Q?N|AJ?>B$(nmA6W1m#iw=2zFs6?5LZ=X5dBF&f9d8t<;+=y9>~Hl=?cPEo@xzXaU53D!X)~y0 zj}c!$@5JX?Ge0A|nw=}s)4+vrF*S7Lx$wE*OCU>v%mtdvpsLD>=ZS(=1S6;hu z14jmNIpkI(4IoF(oQrIh02#!ZC`u*S0m*^a%$zm1Lx)aPs#g0*t`@66iZ~%kj4{Uw zVYS4$E1s|YVfL1So%SC z1BIoDA_ge>*KZMhhyS=`=H8S;5~>gaHM%lQTKQISxcGEzd$gzXD>E;!z?f6S?bRsX z`VAX<_Uv7zY+0&$)8a-My<@>bg;v@-@}_5$u9v)p_D$dOx$0G^P^F@kger+v+Kd%D zG#OHmUX?^E86MX{l|(BUqmWR=hAK6v5{?yc%;4+QI#xz#6(4^-bbnJis3L#^l>!<$ z7A(?3bX7o8n!PTYUXs^DZ&c-?wF|RtU)S{Tu1SF>b_NF>4Gjqh3kyNviV+G(?e}Rv zX+_1J)88MY%5@z*VoK9ps|)#V6s5b^C`>C{Wr?ScPZf%E&raeV?(~Xz1=^14T6N$| z1)D_dP6Xfdz_hr^5L<=QABu;6Gf2?J*E|oS*^^sgEj1>lf5+`Nr?oNM-dGi;cPfL!2 zBkUFVX4sCxRbz*bzB*fUDt2v`t?b&pJ6t{^!)Wv;@k1Kud|9s^L_x-wu~rP!?I5nt zv7V1oiqY%8toIc$F6^olapJ2pZ%hApD3F5aAE+VplqQKp)nz)0s(MPFzb902V?ycT zLPI@TB`GY;779yvbEK=@gqiJM&pk`1YSg%?(FdgS9iPtY$WaxDAz<+0J9qEW-xHxE zm=e5zva;nX>_uPTTD6V5U84)8`X_Bc#*7`$w|dOaAL|YJf7lI=DO$;BfIbW;!USoh z0;>E983Rlit<*4Ja>q)KR(!n@tz?`;LX`{yCd8eI@azN%07+!M2@Mg`gEa?L4<@ zUKsc#kgHN(>+~5j<@mI0xvo>H;&Xw*(&ri^!iEG4Wz3Lhq2Al-N4CpAN5tFG1__l2 
zVf_L9W==1)%ONMUI@D`HD10j!aO1yJ9zhOATbPNl)xN~gNzK3P+rP})2L@~R9@uC= zug|)WpiJFCtK4l=pUH#Qtm(UD_1By2Ds8a+)Om4Ed@ec*h#C!apOk1J;1#h$w7d`5 zSvvNtyWEB`!{x@zDD=mQU>htW4=fXHmP+81qFpBaDG62hQ)XQ%xuujirAGhsIK`?q z5dT>3;1q-XDi4WMAJ)jID8Rb|$1LZth_mz*+kfCNAceuinIcQV7a~6R?K^xSyoUDc zC;U$mpd+0`Lv}JIrq+^5J%m=dg6Y6Jqvn@$c~Y}hZKHFi&6ve0aR215z?Y%kWU?oy z@V(fpd$LiWhR{>85{;!GKO{x}%E96@y7=4vDF}o~{p(3rp|CVsXky^UJz1xF=BE4k zxb81=>_nXorVNhZ_dj$ndQ)nsWhPEyF(py#0jPr}BuIrCfI{6F4H|e^fdcgDPH%Mj zyZzbfo9}2+dGN5etOaJ4CHpep?+*!8%ui-1j-m9bWEfC5R)#R3kz*x&s}vk7(~Ol& z2dj>i3RO%_)~4J~8fC1^qSaa7Q9-Vs&>;&`Kx;y@@znp<-I65>yhvq(V}46_S7z0YhtRj+bLyO{;aatk&zt1gBb>QG3D$qapvb zeAkIgLV_xF>V8pW&?0$mO{?|F5Es;6oOe+M@0f&TV;oC<+dqA#ESYlVE!SnDf?oo{ zG+vk{kT`64>2|}4Htt-p&s@dxQr#|*_L8v0e`Tu6oVTUHEa`12RQ&S2r?eQ_W#-I^ zY)ejV&Wsu!0XLG8>bFh3whRmgZ_9dMUH%n|EBCW%RkcS_(Q&Fj?iYRf;}qL3sW@Ol z%W6HS<4#3jgbUW_H)pVovy;2~seqjUzN?QOoV9mbmn{y}HZIA9U$57FTAh&?CjNft zu1X2#JwYoYsFHEN6mZIvO#xJCaZ1akkfA@&3XoE9D#@iXK$VJ9GW4fH)%zJ0i)UkJ zaO$3-DR=8OA0Lec!W#HcvOyI`*!goOcz$RX-o1B^BSiZt`z1DLXYYtYmyroYtqZ!2 zld}uBgOCEGHLNk(;0!8W&qPMC*!S$+pFe+o?TPffkZr1P<#-F;h!1Y&rpXZfOxs^N z)UVe)pz+5{q0tA9Bqgfq{T;6t8Pi_>ZJ$FR)HDQXEZ%|`AnB@msI0FRJ{{>Q3o7d* z9qFq$W$JXJH$|*(rTr>)0(>2O!|*HQu7DEhfrEy8TC^x%-Pt)JK8b5X&7QcNtm^>NI9#6x(-0IE#U%6k3I>V0P+ zIwY-D>tUTYtt@$RGc`?u5ZIu<(Ai6Ml)F(z$f)S0Y~O?9WFK1#Oi$&@Z%p<;>5?%KqtR znRDf<&~rLB$*qbpdKEXX3Pa3h3xg* zJ#w34O;H0ym#%r~4sUG|eQMs-D;F`6%yY%1(r2l_sT80pRhJ5=lB_=!r&y;(Pz6Sb zhlxuip$a>|-j&CDn3L2`<@&r2+-bmeV=lK}6Bs!7+Ps&LN#>c(KxDNvZsO`jiiD=Dz=YBob93 z`bUR)NmC!HK$Ri-N8^tKeKEf2U8Vg9vK5JORWu4q?M2hZn^4w~tyrmhDw_hwn~ect zx0yn;QHGkUeMex0wo`me2JmFF*mn4cQD1yf&*-bro?`Yn*C}42ME&{=hK(5MrJ|Lb z{3)Q7-07J*Rx)WN9V@~b5~|GcD^f~YdF~$NxqHM(-&IkO{ul&2O=VmlfI!JPgGj6a ztps4HXm!Z%)T}jb)%wiB>>$^J^y}b>&9~YY14_>A%6|1o9>|0aOUjqDEQ}xmeLaT( zZ8PS4ad2He@?z0@a=?Cn9bsJ3MFx%CJ~RO0KkoK9r_K8On=!+x4O^;uPf9>fV3R(M zr@BkhOPb(RTR_r=+LN5?D0ozNGBD)A_+sj2#+Qs~Tk0{UZ`F)#UrjfR8QZ>Mh(EW= 
zAzxO!NhjuBg{swSjavETG%mu`xTYBL`uw-fV+<^Jb(wF$qX3}Z7$M+DrWJ7&?_iLt6TzuXbd{9C_QjO3w9%=QjGC-8`Jj0 zrtC3$bC7Bz0ZKjB!ui$t-4*XF6(_4ym&pSbI=OlIpNol?Tp&rMh>trL9Fv_pUqt{)H!cv^aEtT7PGHwH;ylgn20QcRQn)vA4t$SrX#oCt!4*h#(< zJ}k-!m{#YFoBQ<}@Wq#37Af*6Mpa5H9P>TFPlKJui8J&0_#S?{BBFmF#X~#MO8(Xa z-L?KoqDty1eJwiF$Gk<4DzjL?LEXi4e>c%I?`SaFt-&01>})W{bSVGI z%VxXPpY2w#dgClvvsL=8r?}v(?O)Agh|BV4667f$$PE}EOgL+Rm+F62?l%|M1-X*k zE`7i-DO#A^;ZiUQwuYXhp^!t8CARc@3^k>t1uR@GqhyvAuxj=n-D_+Mr^PvGvqAzZ zZeK1$vGA(2fQ7e9V34u}pa&6P%Cc53El)d@O5M!6OH^v_UR{u8SkN_Tri|1c6;=H1 zTkJ|u97i%MRVS-T?^&H^uG;Q-f|)6y>e9vd=-`!?F2#t+eEEU~s!}1SCqb1WpKi+f zW5vnPA85rgG>cO*^ru1<>spIbTBv#tL-G+%#Xwih#vVkM1F-)JCTmSn{-J1yAPws-)K=kkK9Kj*K z)=PJ>l_62}_2021s#4*5qznh@ztR*qG2YM+ghUv!71xIuWGhw)mGzg0bbpzHRGp3= z7ggR)ox7-4d*>&7tJ$(=rz7y>snhw2Nb`AmA0>{e!V^CMmKniewiZk~HV;Zp@W3(O z~G4zk<~#eJi;BU%HeK7j-b~K(nB& z*`h-?0#zz~UF%y($Lc&?KF^+?wbrd%_i50#XfV-ZY@6L{gdS{&YZm&+szOY_4bp;p z))cDKdw|9YO@L@YAEl0?f51jz;_$x+^wBC&YX;?W5p;?z!LFWqUYH)<>oVKTFYv?o zK9UZh_nyYCRx(XWj!E&Gl<=JZ0^ul4+l-eaJRk*?6g*OpNPyAKhI8HZ!`kC(>s|UW zZ`arQvAfayWaI03yA8weV&$wHMM`HcT(ZtMNBz|Vv}m7yoA+rFG)YSAN%xGQ@GeiWmP1V0wXQ3!!XD0rC8x#rHTRio!1g-DakU7}ozNx}w3 zy#l{`)Goo<2yn?dZ(a?Gxk{#{@>HzD#LhDu1H+;&T%wlhTG)X`!EVK(Pgzsmt3;=W z{v~6lo262iO;NG3%x0-l2>oesNxvRvuaPZ#k?LnxLrAjqv+HBZ}QE>SAmVEtAglPIL0zG8($cz%UWva;Az-c93jcRh-e0xZd)ieR8V4Co&mv0&rwF9y#;Z4b%>lCW-$pJIGs_U42+ z268=cU6etoI90X#u(rcG&6-n}9XRwY&O-hOfr7tclf{?hMW~iSqX}j*o|M!C`r;2)*HqG!95w%o4iqm@#$x#gK^JqAi;ocBT z}P?IvJ^A7O5`D>o5ygl2s^Z^9r9(Vb|+pgUJYl#!*4gieW?-RG~_r#!}F# zY_FLO2K5^^x%v*fT+}+TXP}l1Wq$1stv)AC2=uUB!CgAxl6|#p`5_aVe?6eLO8#VH z11kf)Vs;?vS^UuKMlO4aaH79Uwv~%3^%~o{X0KF=xhR4dZ@0}eAQU!5@b>&-r{q>5 z%6DM=*=<)Yos)#36jD@Ls3JyT%K9_Qrckp~Y`J;paf&sJ5lOD3gyrEOaSA)|o|fce zpH2kx_MJQMqktaNgiM7m3KlFRJpvk0kx%K^sSB+!8Z>AKmte82Xsr$no{%6>7wI72 zUz)#XktUOXvXMW;n#fYfl^nI%e( zAFmU#6|a2F->OcBn?nwXklout6&3viRA+ls@7{g3Sj9fDsv8w1%=iHFt zuX^X9JC$jmPd)uvP$66`kPd#=Cfgi+r*>#CZeESCt8gd`@jWNJ4;(1+P5K-Yu9I+E 
z1U3neMmS9Zm>S~vNK~4?M`BHrMf;m9Iv|G4!6r6`nk+ull(FQnGCZ3u@oZ|Fd~ifR z4mVxQ5T_{T9^@j8=kKmJd4qVeaK9J|>Io23JTd``isz+=t-0<3G=Z&IxLU&7N){^A z1PNt$P>B%g6I;fZW!b}0(2CM6L+Npf?v+YzCx>O$w?d7oT<@t32ltyfy);6O6j_5r z02cff_4m>~k!4x*qao)AspjDNe2z=YbspVLQrt&RYfMB@r5CCvGGQReQ+tjl4q;>W znnH8t)=ut^8`E;&@YLu(cg%8UZ`a27W!HT2fTY1Y3We{j8+&@;^=t8I%u=NcRsU|6 zN?J9{6lhECfE+Zewi&bL(%II?KIh4sclylPpc2lMssT=>21^cIkmCdir5EtxvPWRB>iNJIHc-zGs-Y-wH0Tenj*x>fC;iSPj9>lm)zTz9#n(8awyMR$L( zsOl0iz=OI!ADg{lwjVU$0GG8FwDg?HN@OT%)vkj;J+weTAMzxOchxykn$_QCvVA<~ z$n2*``$36T$|fr%v{JTddbA>M1z;JW727<<`y{O(MqRxe6@O-P_@R~n6YDzuV9w{E z!l?ll!VfkF^noggRuZs)s>t(k?%w{btrk(`G;&Ily=w~KMxkbaW%&J^MbUL4LKrj% z6==$>UG^D)K8WQIEzp!O%F(OFiYM4BGF)uS(IcgI)wY$nMo$0w%W;bZLSdPqkrU#R z2sLF>QgBZun`ZA2{>xl<0SyA1c1uSI=cwtT15IrXiUH67Ndk$ynlANjy6lL4Eca=u zA4i)mHy!G~`siQJxpHtFiDC+b>E8te6i|p?hV!NPYxr*S4Z%Z!T#C1)I9y5ImW&W8 zt`^=FpH7Acjbnq-&q~e7O2)oO!YpIng{;XUhb28MRl7;`uw(*D6?<HwuXr5K!qhr3g{F<~@I6^wo=jw{Bia3!8$_ zAB&4&l%h%{OQqDFSjtkd_S0@C{^PG?N6luQ2p*MLR7e?d(J|3Pv^sa`CL7jhEw<$T zfpHS5ESlm!U+P{R645`TjqWcI(LWMZS2}A%D(e0n^Sj`tn}nD5YmC`1ALoJ?9VKQ)>~W*FfK>um4;?-dy2ZZzhv@Sa91;fijQAm6 zh!W+yPmW0&Tlk> zekta_`2ef%eP5tQ0WcA-dudQjC;SrRnmamZ8BitB3Y?Nqwe67K@I@$m2i~b_S!wb{C;Jq`c9WV85NhS;*#yjq&y@ly~j4%WgHh@plu( z)g0%jN2rM#gbyVVO36Lpk~F}9(!-Mo>*31)4I*%-cuWc~DgKdw6;KJpIofo^v8F40 zo2_K{HMKj=XvVPjw>(ZXwLc+W*>vUcrku6XSGfq+0n~h&fpHS@^x%aHCOogEHVlbb z0=5hRLxZ=axLSJ561goygiy(9X=8&18iwQ$3KqRcW*GsNB@avG3QDvxa<7t81k>VP zq0Usf_xKJYzg=Qo!gHv!Paw-3~sK*%zw^*+jvm z!O05PoXu%@*^yHl*YDTYtYSvxZo^&ei@~~)-aY6^=otN5z%smf!=nu>PzXes8O75Q~wxsfp9Q8w$f=*RNX4&*l)ELlT#jElU z2*ffIdWBnJ-s=8(LHA<6$Phht(A|~Xzkx#X$PoP#Qb-rxQKHuL#^e#wUVkOP)2Oe1 zmrLL2u67rdT<`!NE)y+CsPKAo%53{8em;U%w2ZG=vzFQG!+RV$Y~wo$Q;ATGjPs{{vl81}|YQun9s7e{FNLQ&DD^sY#qtv67M#EN{vAP(w z^~|9b1V(7XO{`By5@~kAzz1tQY)|cralr~9P>)tYXU_Grwi`90jmPT3z8iDGIlp@3 z6A+5mr?88bb_T0oMpW;Sg zpEtqZ6I2A84#CzV#3$o>f&w9uO$+x4gaR7C2s|C>GzmvZ!KRgd;1P%;@W>&cnZwEE ztCZmw*jztOHFq=}hJRfZ$m=;v8Jr%VfR}<_AlC|z%UAkhde{Q9lDsVeSSn^2B7~}w 
zCBlPhN=w8oMQl*e5w*#zcW|$g$n9p(3hgFYJFE!j4qhx%SJJnF87SH8s$(TmR|YD( zzKd3mnU#Bu>pZIE`bAl2O2`j=Zch&4z$r`&{)w4`(g?{cYP!L=TYh=9bHMC#&cab5 z8jL>^@Jk0xY|d?fQ0jGLL{X84${OtYNvL~?xYJW_-#C|+LMqAn zOPTn`niUTvOJ$b$Cl|hXqy1le6iY?b6($$43*3ZM(F(C~#F_|sQ5TGf=Ih1EnfZL8 zK~=EA{c{p|B9H=l0}ZM!wbp~kg$9YSpls(!eHFfhpqiVwQ6dSYhWHc*Y99`i@Lxn^&r|O@3BL*72Vdz#GY5f9%~u7s zaAcfnu{ubMHNh>`GD2Fc3pI?e7VFeuIJh=cyoMKx!C9wUtmX=*xDFRo2H+K-xMK#` z63Aunws5s1W=Yr*ewG2V3@NR~$pV9ti6Lkh`lz7B!!ij8>U}HWUMW>$dX}K-Ug@i` zEYK|!_ex)Zg+Q+2UP)%4HWFwlbtM3+$4o|rUREO~*7R6a2*w35+Y5(sL0|t1QEOT- zq&N^jzVDxkFJ^QFpimMvC=Xw|^s`Q*+kf73sM=twRHw1H@Mu7pdhTG>J^uoDf9!>V zx95%aAAUXI@Vz@1RhP;v>rcfgA{(-hgjFe{^sG|}Qxd0S^p6!Sy(;Na{g2|5w4+!m z!k`%5<0k?T6$Fe-4YdRmj`!@{XQ#)WgNM8%_YageZ;bzZrh9!%_iUT)@mk$IxPQ}i z*N5w_AX3px4p_T9-z{`>bC^5x6QAK zr?}G2!6+Px_Uy9dc2LS8naDsNiBbFrrU(|^?4|x!4ytHn9;yssK(lB?v^*{R3K<5x zckkAfXt(peeZzKF2BhfhAX~4pV2##3f3mJG9{wbFd%;TyLJ9fOg|p`ZZBBSJL7^0} z0?>`vAVHNBcFU&MOyiNn*y3pQ5Q>BaO>^*FYpb}pjPJQ{wQ!>*3ciFwH5XjI`ZEdi z37Q1qGJL2cgc4i`CF`U{_CzS}M00^nCvlfrtUj$kOmK^J3M#D+YvB~$(kY_lhBIO~ zpG_JYBa@!XRlUu*z1^=$Som0rVW6V#%b_YFQXd>+bu-?A#C86A+SGlZe64WC14@hM1a~7 zJCUi5HW#JkOl%l~k)ACtgf6&yBU}>HQ_fPEhbm2$N{dtf0;s~Mf>uz}2xZYN-FegI zMopT~`qLCgXk0sI?mVJ@Xe=mkuN(N8=56xtRQ~Q0xIl&ouK2Bqf;WD-gNh)D2}snw zV=qP18`B=qC6xXvuDtq2qS5fR-Xcv#RhNtbKBpG=r1{%cYJnl-*Q}K+21x%MI!Gdi zc;;*rmXj{b{OWt+U>IsZN|4M2Q$kP_M3hhQp>S0|0TJKxZE8n4N%5XU zH1Cw+G=;RlCjw#snhg;O3;{-wEjLD)9j!KB5|ErIunDxE2apX;d#P`BuqT7N}0? z(aJo_Lh{&?p_M9lYlsAv?=yF(%?6)iCwz|w96xc=@AwJt!`oa|RG_RChwudqLo#13D@!yP*rRHXp~wuPp<(G#oG8y_^F|trcsQH182`Z! 
z?nJ*en?ecwsnI_zRAJ1U(=B30bEkHwt2)sCZxJ|HYes-I22XZ|K z$e(hG+>#wg%W*6WvB67+1po440aY@K!-K6=8|)w7S?-j)k@H4<(V zsVKpe5K%sXP%;B05K75CozzG62-D&CtjBLMI86#L0YmRU6d(iXA{CD;q9yMF4iYoe zM+lYJASfwfgCYwiVvmxHp~tMFpjC3f(#8Wxw80fLB(OASMKDlbjU@oQKtsRzfr_A$ zBnKLNDG8I&VLH8v`1Fcb?sL1u-fYLJPhtKrpVQ*g zG0916T{xT@jTBM&eysD2xNQ&bMgR2tnKtyt>SGzo2hl$fqc@RJl5s!wpR8*Irv42$ zC2cGw>*cFgl%Qgemo8gjWUKkJW5>>zYvN##39#6FS>}y%;v1n0Au50A`XMWSN9Zn7 z`D@VqBT+@f_^jzWe3&CN6xPL8N`fkCfr$ZaPv2>(-GpcU$t7j zl~0Qn>(H^2!>TnR0C?ss9~_BwOXvPC9v4_;4y`Of6$?a*R;FRV$B*w_i*bqaZXM=P zCd4)C#Y4GCK&Q&hQw;*VEGk@B+Hi?)9?SQFQrt9T8PwC?_Q~t;PemX3?OFXdW^!Md zbUtkLI+ z8T_XAhbPl3=mAUXWC^sADJ^|6OQx|D@&;+F6AEKcQZJ4sbFVbycEMNF)7s6Tl|FAp z`LF@4w7%7civ%i)78W>xNHA3%w6No>)i%x^9tVB!e~o@D?VmnA`+W}C9&v3*heT!< zdnf3irYWSioj;ad&z4L|c%knEvx0Yo%wsm(ZF&VmM3G{y96_$R&K{_H;k4Dm+u`gC z84{-?RHdAyl5r9VRdSjCFB&LI_Y8C7#*LeYJiS$0tv*?{!Vai9?k~81FbY6w^B4Iw zTIfPNbumQ$sQew6)b#@fAkn`MAyKQ|nCTP6v1(vIt8WCk0v_O<>AD9?g>WuIE|7VX%sFJ>w`7q#bzsa2&OGEDE zSSc(S>03#(qPXhGqw7~9?L&7KXJGGLDL0ZZJE|LEw~(gB);^r1*X;X{QH zkrQsthx49H;mPa~;a&;A5+OmohlP73JS@^!D(^z?UTNZiN1Lq>?vl?26chCErRa;=+(reJe?{FpUH%?v<8hVF&{f4Ako{K?~ID+^W76&A&b$YBOM= zv)le7raz785tO>wVE_8ZA1BV7A3XJYr$t%l(n2~iVrN$NLTN;hR40|C7Z6N<+JQIs zCN(C!(G|Ecg=Z+dGuBkhv5pUJ1-*Fw6u4p;ri@e4tNOR%l(e5TP zgHsGisDR~e-Z0bi7ZiXK4x!=!T|Z_BjJVPxsq05VL!l{g!xUaVfO9z`tKL`w{S@DULquRAJ1`p7=j~P(>?C zP(^6eELyS6`{~J@I~VsRoF0oCg#tP8y1OUxn-=~XEkjFxz7lR!N`+3APE7l8l4acC z*`3*tIN0l$!+L)8j*|z}v4T4x*nKVLY@N07pxYtev;Y=X(fQ!X8E%0Cwgk0z4pn?8 zB_g*m$}F0E)PtIMpdPLC!9aml`e2}jB52?TD&#=DZ-tX6QdhD9OJxSil3_Exl|B-f zBFjS7TWL6f$z=nRM*@@SFPYR^)gEs9!;Cfk7CJB3;IW^c=gA|qX8#O46@*IUgGWyS z&RrUAx1)5=8O6FxE#G})zcF8~u_*vx0RiMsi2#4>Sw~>OR6ZpwlNP|@_7F3qd?VO3 z$9bPNH_q8Ty&q{Q^hfkw#i@TcRM96L-6Z-3_UYUIi!bZZ?HUvrHF_*Kg(icfz_F<| zZ<&9;B`SZPZV`w8KOCh9dj5hGN!-6WK-GtYC3Dx(T`VZ{055#4M=LrxUhOTEodmgJ zg-D`3-=%vKu7gx>@*ucNaWwEmpD)-W(vw179u?z%M)k<#j{b=QDpWDIwP=-c81VVi zyH_KZMjomk;#P=_AEmMs%%)nel$PcBkzT{9zwe))CC`rf@S2QE7ZmR>W$>3)D-^vx 
zQOPTcq^56eFl&3e#k;0#^dvuJ)&LqE^gVv^(6N)-y#p8R4eslD=A+_K$`{uJ1Cyhb zq_rFJR!MAjl2#&bbu3vJ5VSHx0+leJ6u8i`ERq=P#u9>xeqi#Ft7J(ly<=tQDq=2a zr6mOFDHip{tQfv@%UZXC2fY1!eEp5Se@lPH#KfaN9)IKRm{sn`Ar|j8y;#?2KvmJs zQ;K(*Sf$61LF4LdTb9*-lTZzz~sp#b~&I{k(mt)DuT=!t4Xae)G8!y=}HPV9}5x~oM0 zTIju-3-$kwFaN$El(zGAvBeYPYZ_vJ6j*f-DYKgs1bLq3SglDAL(z#@;!epCj5e z`&Q3kts`)8=XgGpYRCexaxL8krBb{p%C}^B!8~^Sq`Obx>O(=Z_Jj_13-7e$ zY|0MN2mDu&v=X$yq~<*VL*)%`vuVOczXIAx8yOIJsuJoK_ukqv!DFVCQRLMpx)@E zXf9C{TuOl|&iu^or}! zw~}b}=FRh~5wjw8R|wvohjmJc6O;)&8tw8i`~0N>C}{LiGXlEdg&{*hjjbhQF?$j9 zAkqHEfd#-Fs25aLl4y{F0!*{}(x1;1A$LXwjTXIb%hL~;{%u361vpbmlMYeRi~c#z zl)hAIj^3G4>ZA@DbdUtQuf?j9?bn@}u|INuK*S0EWF&U8HdA|$@SwNf$%DrNUA<2& z+#51*dqi88$PWlirk6566;)S8{0bGSgea4wudDnD0aeDuR(kHb<$KuY_)%Z~l<9ohuU9?~3qM2moENWuJ{%JJ z-Sjn|4_<`qk|+vRBrHs!$_TBBcAQwM)0i)Nb+evP)LWqlLKna5pI@DL+9$w7_zwNV zWB5oqrN|lwwxj1(yX2k6W zu(F2kEF62R-IH71N@(Q&1yo_GrPab%!Lqn>=dMiI@LyCKEW-59r$nQTryCS8B^oJ? z)?MqXLx@j>s@RIUn2%CUWd^Er>HZc4Rt7!5i%kV+BD8)>DX>DB5TW%K2Xuej|Nn|h z=0CR)TD^Jw@adhCmxD%wP%yd$#n(T-SvezC4KY2!=~V7NIb8@P*jO-Pdlmw20h==W zIcGY$J|j*I-Nqx`v$Lp8*R0ti#75Y5;y?k8v3qlp5ku?-YpgGoLdij? 
z8JkJ%aC*EOR1wzEHM{*a+U zH3rxU$0}K|RZvSDD}BaFkq{J$xGKNmXmb^<4E%~_1~#C9yDlBGpx-eQ|^i*1I3 zj!f)~Of%*-vc~kiqBe>ELfQpYh)!Sg&coam6MJn&dK@F*&pam}NpzhH-Vex6efrO5 zMTZ(o`@>gZg|B$$L97haJ9oJLgUj3AytthBmj#su^Q-^ga1;_d3`qh(7IEs&pL8z| zC{pT_Qz4}ep<<+9iK~Q)3l0BHD5(oDMU{_rL>GfVTon~41z}zkSV69sD+;WhI*S6U zH>Y)fTVUP4-|xm3_1n*P-@Lf=%gZZ?f0^NLyx-+N*4f-P4}7aPFK^tASs8P*b*NiG z)bOqy$pa0^2oV4m)+0CqezBnNUq}XlXslv7Ivrju(8P6VdY8rNH`ruxwfmG69lkv) z*D;Gq+Jm4TJrI$wMn8>!3>!}5aXi;%^jMjGi*0&)>ulpDe%57VowQ>Zd2vjVD6`RKaD zZRDz5Q=RrL-FA4Lhxd*HM{%9r>RU?r#X%A0`YmG88LUDTVL+L&(#HTLzrp}j zpjFY1lT^Lgid}|u9nsivVLmoO>~@e-2C%fPHUSqRZ@V2oX+5Y_|Isz9rx(~{lYaZM z^mNW*KgPtPbUkKYP9l4hT>x9`owU>2^f{i|b)USPxW_)jiaFVw7p2>3o1QqpK8Fn6 z>oP(72-*s@J{xaJNI?W1PZeZONN`(wDY-*?7+5fFe=dM8a)0$J!6TpDIr_1T#fQEw zcJh~(SFxE`POQ*}zP#ajZ^D#vs*MIIbt~O9#FUa6DeB@s*Tt6nSg>U7y1IGk5@Sp0 zE*J`|kjp@a5MK`p{llfYCu;?;zDB+Fqtr?L^6I+a#kuAZWBVr&dn?8t?{p{D;mym- zhOg|u@&C*aX3Le3aojdBaMmen&4>cQpR8PB6f{U>MKIXNu>-_)LVMnf(m`uOIL~tpop|GR^ z{D8K|tyI5gq6Ng4|#E zE<-yFZ7_36K_=?@`RUx2XE?G>s5x;W3k1O~G+5rGh*^I|7o+@&sXJgoi)!8awHef6 z)cA5M=VW9ZaZSL>eMJUzDR}|cl$RxHLFn&}Xmy>83Ig!qf?YVs66W1=oY`CT@r}KI zC;m59+5Ga#mOzrVSU2lG*Wk+-}kxAEK0cOKu^cQLSks9OOt zLCkaF7|eOdPOriR9RebR5Rq1TB|w(~n2xN^bkH#aE68PWI+x{zTpg?I-qgg)qkE{o z?S+`b_wQXs4ThxW!}|&6yuX#Gr^1Td4T4RAYjIjQP<%hUhPVd-5SZjUS7cbTAj_O- z1;<&H=`^fiz203)b{s3VzJzPKPAl1MdfU;xfHQL3T$2zD`%L1KSQYxn+u4-rF{xvX z(JKYJOli?8+jfYc-!vuYr*A2xXHW?FJ8%kDf@V+9;q3jXKT<>|LR4o;ri3QAhXEp{ z){?%QkDtHtjJmPoM5O1*@KZsdrmuPbBSa28js$M?It5!}+5TYby`i&rhZ02`y)yz| zY~c1Ya&+4oA;y;Q?wiB9xrF}c9NNx_5!`NlQ2X_#NV>IK8`y5m$+nEu0c{;mFxoiy zwQ=xmYk#z@oliTvBb`?r>FnSwhMi{@JI`LLJo`F&_E~kPkHf)XYY#CdZ19}9*=wPz zw}Xezy4^=9LpyLJO~n4U{SpFC1tSwpZPeB4x1z7y-WM3@c7TFM`qH`3C!w8b$YuFTQleXFyFV|(X z;l-jOaD^^IS`GNF|LE#dCKX#UEB9vG4EtAQWThP6C?bTcETov}t;U{>m1VRXfI`x^ zbQM9NUA-nZ&~iZQ9wWY(XI*34>YAHZmU6MpL9k-CeFm?!nQ-EetOOI;2S)GBLG%MH z!55)LfJLH(+$1g-9U)m+Q3vbZieB>Sarl2WDu}81{g+42@13}QW?Iz2+JGtF32Pq< ziFx5}FMA0F6fby784^f7r zy7L7DxdNcn=gV3v>a~z7=7@4t@nS*d;mD`0PIg7sk`a 
zmk-&VC)&H|-8jd;{;)t(dAm1!_gDY?JmGr8v~!;INk~x`d)qf3vz;PYrae1J<~ef- zgvG%jkiOR;1Az_^(_5Hs)3SnlT$&y~JUaT!=4+RZ-@SG2>Ek<6!a|h?M7}K6zkkT~ zoU{Z|!|d?)D8px35?Ud;&c)F+V#i3tWAozlj@FsSSe5%>NR#?~x>V^lP#{zXr7d{J z$)X}g!Ku%BP2cKJQc(Z^=?W5TVKEY5T)Q}bw~1ZrkC|P4w0(7OisY2yOx2#WQS_El zf_^alR64roii^@L?t=*WDGGi_pre1TI8*4#N;z4HQ=@i<0~V%sGBhj#AvVtoPug#d zW(?dFJLO=ElYjj2h`5lj2-DYpj3YjNClCAT$1a~h?Qr!9+~O(6$t|ABIDB%8egtee zEXL+T{){bRoY;Ekgol^EVetIK0U!UvNA=@l+`Q>Ek#|FF;O^b~_a8kudG3<^{=lL3 zyIaq4t}$YHt0|6qy^fil5_mdf()ztBRH+TEw2qaT7@*#c&uwL)3 zR+B0*`PoXbTO+bZ3Y9qX@lDygjBaQ2dgadv<+=>7)uVTle(n2?sx^N`J{i;7W1pT` zDk6kCvazy=Z&T=p?z)Ouh!YY>KeRqyi^1KEE?aBBEc+eXZ`}yFlHheFXr-rn7gxth zPKz>av`M#RNqP^v^oLew^xYubE`snZE24!Me|#?90@*|Ox->A2*i|OZxBcU59)JG+ z^4(3wyPk=yyBohc`bZ1X3Ro4sM(hAoMr{rbBT4r8qd-;SZ@Qo9PUWV10-<7=?w+;o z=2%6awyho@D5s)1Z){-$fc$g+*Tttxj4PcOuNGLrTBm~*$`w;}_ZBMZwc7-1@sAHL z>&NCn3su^XvV8t9uz*s{mnF=j)RSADi3olCgAZK$v~jPc4pS$<0^jLr-RW76@N-+s>@Uo4OknD zPlxe6{avyp9LhzskV}!&c3qx%;G|}?MlPy0(vB8>GU#V0n-b0xIHk1cl|etDh^{aw z6r2(|ej@0nI8!hvLIfMZ8F3_)su$IL>zUm?fuU|OHTUPAu3hvF@E+^7w&r@9Tx%C*TRkr$ zd9FPU>B$#^iL5fNFW&-WjBwNQW+Qf&zkkt%_}f1d801}^KRg}2>oX!Dc%xW9QN34*|6w`XQl;(3YiNgyT$0OgElI=#KnXLPr1mQ{0EX3p3YC zO#G9?<-LTpaehBACDg&J1~`1yXJl_C=@6TjX4_(4cCSm5WBdAs9G??^Zu^6K=i~xW zE3HyMtDl}dxEwK`>$3}mbip1EraG<}A&Uc!83^VR-4%P=5b+bqDd|tO-W0j+aFD5O#Kux5e(}-k?ryQBq;c($ zj;=A2Juj_1e!(RmZg=20-;k)F&?}}Y@#yJ|bvidwp70|ZUh-LGfJWRhR@XpQqWbKi*S{|UDwXP|!lIf}>sM0uA zT5^REM#w+Qb{g4!aPtMTOCDM+D1uCHnkP2w-`nhq%^s}SWpIoBZF-NaGuEoC&CE}> z0V^Vumyw7%utJUiWp$!qTzRuyi7)&1GrdT!1sl#^5gpiNoxWN~^~;-QcW<0J7iu5i zHQICM5AIHNH!aJzWl4se%QKMhg_Q(&u>e^$>Z*^}Q$Z#p{`k#8^FcEvJ>s_jgjT7T*=n{%qf|8GY zTo+at$0|u=iF#ysiMOPB?GhmX1-Sw-s1Hr90IDK(mm`ys!jB^V3Fr5=pP*HrJy7H6 zZEsGrG!75p)Tel$n_BEA#4-7~+ zxAp#=&}UCBzJ7WCkKcb`Iq+aQ|;4LRzZn=5l9Kpe+| zry)F;+D0l3@4xtEqSs|DDy97VJC}2vx5xB#j~%)zW`R$FYw%^?GZ&+x})OQ(NdEQlw(H5k?m;)^Sqf zQA>hjE~~;6Mg_l0#N@@R7q_20jJ|%!E9~ULgFD(d+vZunK+rRYv6JUgd^$a50U|dd z=e~ns!6LnQ81&bl7858~vlkCeojY7F#8nhlr=`Fdhbzc6_lJk7zh3EH9o9YDA=<$| 
zuodJwP(UbDv`m7kI5dtv{n(I{!u0`4U3_iB{WQ^C`cc#--?Gx(r8TgT|^Sl zGDcX!juejb8$}+dMLH%`sFE*u7D8XYY~k+3A6@fEG$&5Tdp)}5&IAtLp6_<_vR_}{ zLIx>?8?f|GzrT5S&bw8lPY0hJ4c0HpzHw=xEq0|noa>$TopSAx*UzsXYEOg^$OG=W zEGm>}B>@Y^O7C0YSt(++QtBDaXQ&j{FM9d8Wkm! z$>@WZZ2Yggh2Qjvyc`&r;2Rw26Awm+Lah^x~zuOmX)Mee=t&5~rj#g?90pK7V-cOmz6_ zWBdASbtt!Kc~Pe&dA8dZ3G?n6>DBVy1!vROTRMW}!T#KiSr+b55{q;<*52$Zftwc( zL&DulP}fXCIgOSOmA13{tN)$&F2>F5ZHR*qDtO1{aQC zAep1PajX9N^B2>vJ?d~hQn92;!`-su8QqMs{`sd^V8ry5mX7@L<_Wv3s8IVrAFHr{ zc?svYJ-8eG=Jg{>uUC-DJXGOcnGFLzdh%@fj>AJHx0^q+$dt*&`;Dqe?Ma=UJxg~? zJ)WOzJreipEN}|4pYW%8&BpS8Q|0^5pJ!dU)40wxhRhc@H4L1x6aJJQr`AcbA0&#T z3g0>Iia({uCCO%p0;iN-y^zvHg)jX(La6XnN$D!+4A~KJ;FuYI3J2lE%hx-i9^fUZ zFaA(Z+HX1E(>-p2=cSq67v~>Iu=9&|@{ikeB4&SZ?2*tI|M2M0v(fYbr7bmx00ZHl z2_%A*ycZ)lB%F6=#Kk4xCE;3Lzkc(4!sWB^SB^!*`$Qz{35wkj7_-*r?EKxQ$8SE? zch#ZxHXdJ2bx}1d5LvPeRjbnCRaG6b1hnck&&jO#5-8tc&U)ckX({U;8mg4(YE`30 zpTT2mb{*9`+3bA}*s9!hP@}#-b{N`d+pt&*V1(9r71v*)8$y0YJ6i%4*JB&BG%2GLKAf-!xs&voU#Qm^5 zbknOiU}4Q6bE^(nTy@COYV?WF#{I^x69&)__cQP)gg+(ZXQe--=ldx<3Q^>1D4tqN zk+0H3-jJUHciL=<+JDpx3&KAj@cHwX$FDpCQ$7?trF@;%o6on|a{foxn2xT|owrAK z-4We=NA$2gadUhwE%v+OcJ}s;Gq?7izY}@$abVodlQGw>-n#eT!6Vag`_5f>-9}C# z2_w^2$|H{-KcOuSNF#Kq~p7n1I$(`7Xn&bRCdFki2B)$paU=JbCeo zb()stZ2B5(!tcMmWE1=QZ?8=M)#%8ht8QoZR>bnaxrMY(DfGjD0x%^^3yq)NITE(B z*!f*Kev3+0^OdSSJhwahrPG7bXq}91&-|Z!GrwO`6e?)>0Y`nl?#@)v777%&XyB+{ z_#!dBbgDS=54=DZUpz6cYEs7PQX3tT?>JUTtaUft&nL~c1u_5eQ#;DcxtFj8@0edR z)n7;Z0&JXa4;!iD?{uFUP zMKMYGQ%ZhH#{I}o8OQwu-%lvA8hGjYw(_zcq9R72LdN%-Be!^&DL4%{dHTV_M+uL9 z?z<~qeer+riN4@h=+mA_CQ+;DTrc&M`fQ6B>k)xChLLTjU4m=q)o<;O4c>a1@!d)v z!QMCSv6$2f#H_HAzAvz%twd{J!DE@el>jW`<3W{dwzz!DUeo4cY$x^{53N4LCJCw( zJ;0Q!t3&{hZPEvWn|GT3Z~5-UI!qk2c=OE%PqgOZ!#;ZopleE3ql>1 zAJMFA0mxUDBNRf5w^4F%g1_`{I5UXL>>N$=${t&_*tQ3;Ae>>*RC=*BCS6j zjfa^7P8mU!HfeP%Jf``$r5|98D{;U7WAD7ft0=QS{`*V7-g{rWtFC43Wp&kE+p5^R zqEb{)K-!9eihxp7dM^pR1VSeygcL&PHKF(3OXv{h_c`x-=biV?%)LnwZ&weK|or>=j$NhI#4{V6v;1&@OKl<@tuvY$_k;@hN$ zv_B=GKP{S+?uz>uo7@ 
z3#TkW^^9lQPUthzAJ5cK6{S@xP~|DB+j6z>GysjTQay30>{cMktK!><=&Of&ReY7I z8%Xg3fEudqtJb{RfZ;y;xn>MG1%C z-ijGtLlUDFjB-mvbWIf)28|*Vid=BD4(^M{{uFGPHFe;%;8gLYK8;~4n0y|B6`Pjz zFFiBtI0rX4J2glBC&f{(BbFcKBG09|mzE#SW5dDIX34%#mn2?*=qkia2X!^lmVBc zePN%b_c@t*C5n}hR-Tc3C-uCg_$Qc48OJJ=U(sjWBmxnogHuY30-RF3^r*O>!YMEA z=haWqr!OMzr$m$LbVu9|(Ii}|`x^AW|LcJdf>U0KN_;T@r>m&E-cnTi zjt;B#oj!f$p8W?Kq%1XH@ju+La4Nb_z2KDYQKcGxcoMY};z899qpS`fs%?F=s*+Y# z2da=vlr4@1U{O#Nzj0Mbp^7!kOJBAfJ1(T0*rF9TS-m|aG zpww$$|8JZbRNS|Sy(qpPAf2#io z=qBMQK>1TTw9*0tNeb8$ZM92fSNqO}&`?TMuv7}mPdS|^gZjdI}ZQq);mm|ba7Vi{Nv=Ih`)%1@S> zAigO(nrBWhJG_gE@}xfJ?bl_9_8ZuVtkNH7TGHbikDCO^3cJ85`3Y>JJknO zTXzrxr0iq*E>B&vJ? zz@njwQto2VDs%u)L)CQ^zWuUYAK#xQVZaHQJ%^{?{NZkA$gc%@m%s(Q}a#!?zaU&vh}CAL{gKbu!3^Nk>XXZym0a3M%=95F!qxNiXP z5}jDo0txFapH`pqgC_)!;8rWfd$}dKHIE0;!bAc$ZQuFUx1CA>q*y4rJc?j`3cera z2wJlEQ>uQ-i~D&^J-T2CwLc}&NfP&i@;5+2e~m~{nI?%!idIx9(uGYySgg%N5l|xf z=L%Ci-er2TA>j%VD_5>sw{!o~J^q*eRERTWtZisPSdofZqK1f*P? zl7E`obek%F=r6iqz3oz&){5GtGEl`@!Z6jNqJOSerHiUOuPOpnEvT3aX833@woMm~&Xiw|vBJcO^YW{4h;=CCao`q)IA)|Q0QT*M!EaHH6B!eyJ zO22m`XhlUQ6xoYPg)61vep)vPi8dI;LNKQ5(Ay2Ke)k)!kiw~^=)Wnbk`gKmnxgzk zlSFCQr}WY_HJ#f$WmE- z6%F@K_pJB3R0xSk@vn;hMMIT1%h1$6vRtZ?Kou>ko~_q9w9+aiBj<^_ZT<*em0mqw z`oiZw4oKOtJES}_zV*UlES+3)V&X|Ys};xK@D|S3lmS;v>?tj}?8aWfPtkW(FVq)B zTSaUgRxu~>j01ZmJ6}3K`{pQ@s;jf1rEt`-^VBFUrZIg)^p6Ur!n|L!HC6F35!GDL z&ZV>}vOVf7dEHr2MRYcZWNvIFTI)N9Ifr+Y&i~4BmgH7Po{@fk_P0j2T-Fa7t%&s6 zZ~69du95fWOa_DRtvD}1D{`HDYW{>b5AG{v7VCl)>;F;hhtlz<#HFeQPC@w-oO<;O zGT>Ld+2G2z8dB;DPKirpQ`1%G&yx5fMb%mQPwCJftvw>@NvP2dr0={y6-+iQOd$mI zR7;z}4^@?VPo~jfFoHB==9~iu54E1S`gm0P78B8;acYVrr`S}7Uw&I8ig-B1pZ`>= z)ZXC%Km%3DCQGHDO5>C-`qxiFe_!<_&>C^6qPc%QsIn`nv`ZBNRk0FP3aXTiWN6;O5cJKwz9s8jGugu0nEW!4>)8vpJCfM#M|@Yt#|gT>yMvE-w*ybVGq3#uHz|2^*;_ga~%yc-W z9h@=IP2A%qHg zQK{&kaR0FO*!<4ZUg|!TR!~6`H!&x7=dN8@%eNO3Q%d(VFXE>e6d{#U#+h^N1r~8a zPGduq-n^xEwoN>T@X@w)>9H(N$&RCMuy=~HeV~ZblBJ?GmAF(NI*Xn&I7OLlVID=V zHa`5i_MLf10$%Nv121^oS^S#n4qVq+*Hj=_3)n&(DUBZzl=D)aLAJt<0rKte-64^r 
zzqnZg<54E)x-0&5?=rqC_`d7lOKt&LV^oMwkq^OXjXs%LJKM6_9Yn2F_LRC@G-2-;I?n0%qR7yBqxm2oQA{9eI z{PRPV>s57_{Aj1Ct%qjOgx3dEEXCKYTR(Z_j{o$WUAh=loU5q}8tU$f=BGi*&P?gb zDVTmj_9O2WY401AoKheKKx>?Gp~_F{7FtF2qG&1wIOVY^e4#(XrU-SZOqR+IRW&+V zIILs2bt5|DBF{aX^t~#7D%jy2FK6 z%7N()jLuR`DP%^#79id+z}bs{?SW(ezmeHlo7aZ53jIFpZ-*}n!k%s)gYN@#FP6v6 znGn%AXLGS7AI*(`x%op+nV4|u`i0$(o0JTh|9oWH%-FxGS^@o{mfYGEZr;?GS{ zA)Vy9R4Vi*OK4Ax)@7%+5&jrG|89>DqJP7Q{uK#T4F+Tft9`L- zOP4KQvwd%sp$m$GETwpk7w(JTlnVE$w3H6|A^$E2WfQ!j z@E+Nkr#$u3*xn;Tp=v>N+%GCcWfA|p(4Wtx@)0V0St{|Wf>5P7>Pn?n5h}u=DpvH* z2UWOKY>Xe--fHkftsg_6Dvh34(;oV)MI5O5&8bxsIrT0oU$c6vzVSJMo0kun)cahD zd1QB2WnGg>z#n^UzgX;}mTZx8_ zI|m8(fGQ-!X|e4nDM^;fRZ_~o^YGkDoN2{DjQ{01&ccf%V-;y+PYm$iB3%gIe)Sj5 zIy!^2b+#o4b>vX#B>493S~_j;jiIZKl__WN4Qjw5&ln4>#CPshmVp$y;31F6IH8|r z=s;pUGrfPgX-PNk-j;WCqu}u2LR3<(fAfnXCq;2j(4jviNgxWqpd{ZqA6B&wja0adi2$E%V=l^Xz*zEr{hgsfgAA)N9z zd-mLY2M+z1RXW1yMFN>W)+g0ciaX)+q=F!&B7S~n$^`vX+)sq0D12@{=9!9<$cxb>!aTIr@3b7N7gT4E8Y*L@set{R zJyT2kUyAVo$e*}HG=ldnC%~rJgHD7JLo+o_Sdk*#a_ui#@AIhz$)~U&2^|kq=YfM$ zdzVF#Dfn5Apll59G%xk}pa61==k*RBI&?U3OwP4$lrm1C@~1<8(t^rOQ9-4U(4SB# z2>p?zlF%P%3oV?kS%10#J)yr)mkN%$PE;wYt2+D|sImiqE?NDh&J%+|L#)P0Q56&v zbf3EJ@#7$z?t`r;9|||hMkw2p(p>b2C#C2UVL?CTOo=DuIaA_KjeV&37`)4;e;gej zsx&(tx0HV)TP%OdgDOI=DE=vV3Ll$7L6x7Q?hz{dmA~Rr3H>iXQ)!pkNtckM6>;6~6NX*&=9i%Xz~U~qimJx_wO!}I%8dq(&7wm$aUO4a ztGxvo?_yhaP+z@e0h-BUyZ5c3skxHw2t4;qV8Ld7k(4qltNGCNo{ zf<==OPFOajZm9_u?1lI@z}ec(%~I8HmVMwXe$gZT&A;o&yuUcbgo^+5Y0kV$3iJQ! zLKTkHa(Y>U@3*}L$rXLEZ*Y25mKE!e)Y8Q== z)K#oj&VUr}B0S;)JHBrGZrYadE>Xl71LmUDUlqv==mAdLo;VkR9KqxPFGQx zYF||TV5h$+s_B}Ye!aL&CuqaH%vw9jFQr|N5$0DjogPiK+;vBH~pk zsDfjFF_%D@a;(}6$q1&XfT}H9wq`Bc{^W61rHBG4(VcMJD9e))f}ioEVn+OgK_MU& zNKUD^pTa4i>W5KJw;a`Hcvt{Xc~!nDDxgXPl=Mat5Y`{^ziJC*Q-r!yR1-u(e_7OQ+D2gg!fq7su8a}B!=8XL;th>HEi}Hz@*BglDMoH$d#;G{aD@fKPh}_A4Fs2p z)KzZZOG>TlN8w(v+agZe#@XxDh^$nOm9$)h3P{VvYzJZ9()ii7HWhIsB6U8jk%dQ!;0SM#d1QxWhVLA`4q;8g zmmW&4Q2NGYfIPBVp`Sf4OBA>?L-jmKlnLr;7l->*lT@cD9_=S2>#RI8k zqqT0*Q!PgJ9-ihi-Ows}W-SPh`? 
z_$(<2tQifhaI65k<)cqK90(b$Nj)Pc@$}6rhLnbhMg8rtgu;aQN0#a*Mf|HF; zvMbYbYGX9Nf^Qk}gG6h4mw}fK9udmhF)1W03=H8Z`#fkpNEjHpteCXdo@wC$XOY0| zS&p`7v2;rgAKbHJ!$f{FYz`ehoG>P*l>I54qSEa2m+N|=Ki!B*HTV#h$_@QRdM1AS zvnr&D;ZkWrg_WoZg(~G(>AEUWtH1%N*loh7FhSZmbLOEK|K-?4j{+hZP>v0-T!d2C z80nJLAfkcgk&6ix|LH60NXsxtFKsOc_F z8Gp)$Qxf`9%|1-%Pp7DSp+8m^!i0%i_8SYTisMr0L{%tM5nD#2qFS@AV^aJ8O|#%Z z<0fAF_E%EbCmRx!zc;A5@58Tt?(of+v7>xQy=v7O(27vc+Pqd16HeNk9mV)ExN~5p zg#JL8g~Lt>4cCyrAWOAuj9-zPE1=0Uy>B^DImkEw*FY%0o5E7iFqjD2I`Ld^klIhA z5=sZE4z720jc~RmIGfvw4X1f7;~X9bs2Zy-q6&zLRE!StCH?pA-?KKi-z9u;1ylS@*T(>+uCnq~KHJymT zI}KV>`5u4eR;+gwPMH*y%}&>$KT=dgbv!nO%2G+_&uCL9m&%i;sMB3>)Dv|`3UjIx zRSK$901%P@3_#VON|6ASuo7mxW$LqS(-VgKsp(8-I<4<2*xh5w>WG5_f{;0q(45*_ zV-?>`?(`RCbVjcmQd6U% zzKrvoJ9i#BxN~OmUARTI88Q3V5UnW76=KONiBPSC_59WhToWMvdCMV_L8v+{GvQeo9S;@@3`d6&jPgkSAjlqw6z z&cDw^D|*?#?kxXEBAjSOi7Fs+>&d043b=DaHVP!f@rcNoQK5H;`hr9RjcIX(hecw` zr%%g(;ozKsF=Z>LF=t${t&I@|WWXSwtJT_lU-YicGbZ;FffW2Z8Q%TwA3v-?>bQ|3 z$E4Q#smCpEA9EN`R;|KLcSCZ&wU(cwa>t5V3_Jlrz1y~Z#7&#FWG~zDOy{X!ho*%`FpK1o zV3yuo=&|w3z?rwBP7cD8i%^jyRK$mh5$FqZqa-0En@dEG0x35w<>Hhmb+BoDzsAF! 
zYBnqss(NGqRYIb$_mU}dR-mA`SI3YO_( zpEVmAmb4l>VdCR8f7DR*`>3e8`1w!EfBf{1O|D@U&lqsx?13j`^*lRmWGmaTnm%LJ z&Rqr5a$4skl!4vnGer93#tEW4z=lf|dIAU0)1J})L?7J(GbPPodzC>$X-W09wbBL4mLS1V5uA0?f|h*wQVtai7Mdk^wP>$@kMM}HXx_hnPiS=Pj7#Nc+;#v_-2U@<25r# z&|tR_jkM+>m7R=LYKKRLKh6iK$b+q6UtI5V3;K`b_Bo$kjlLnVc7BKKo+mPHxg-6B z>Ft=+^R$fK*QbqWnUa#)y?^p!RhtycdkPKpi%V5YXQ?Q_)C6^%rSjMm5#nD&KHWtB zBumAn2^F!R$_)TwX)(DXTZdGIKvi<2v`RN)Qmpm538|q{1}j#q+P>%D`+cShiCqWZ zw48;TJhEWRl{OLxi?IPodNUtaJFX9Wz8M$d@?`ZWGk!=V<5 zA4~V=RkOcGZ3*AXw;&n&PMB$YkC1#a^H_aF@gUa4v%oqg>WcKa1%>KGG zku^s0-G2B(2lvdM@H)fWoCZ^oWGI4NSv^lqANYD|O45)KV_vEE$?MFAbZ57!JnAC8$SgexnH$i16rgs!ksFFCtQrNMH(Es=X>50~Dyz!b%#g zv`-~An~o*@THix6q~q&5l7O>$Ajjn^5^%L1d|Iguke zxEG=D>C19`#gxz?J`0{g0)3$frK+V=&6G+@g?dr~Ql0|sQ$Hlf@T&4$rk^-d0#b3} zekJy&LPCF9nbxGJd^n}belb^MZLpPQv=F zn$-kLXj`G9-^Vf^SS5X_wj_wfMs$c~84&+O@$Yfhu&XT9f(w7ONL1v5ISbA{k{>Nz zvG702u~L1kkXxrg@U}iqL7H>8)H*;F79LoW*J?`tOYxL_rBd4`NsNxQ3g0^&gjtrT zVyj3o0^d7F7zy^6vG;Mu7%FVC911JSqe_BQCY2O6x#GaS%~J2k5M|BzEPp`AOCUn1L+s+=7mMPDLWKf0xmP=??#ljj^6nI4(E+rPB zAuQ^*K5qSv;GMaG5C!LR_viC6Ei>o+rd=<1{+8^SQ2J7l zrBWj5qWEV-)bA3JqTDl!M1)`S2@X&ts(`LzwGg>=`dC$VR^wPTk{YY6-JP9D&i;j^ zGQkP~6>4MMd%YA|NFRsR+T(^`!hDsxy)8=C~TX+f)mi$yfUSK+TR1_KK44< z2RkKxDK6DAY2c2P##YnPeRW+WqW-c}%eu8xLiV12{;wH^iur8P%Rc{h53PV>8U(NS zR2oO3b|{WjFQ*{IDfFj!O8k$F{=lwHlV^?mM^54?1nwA78h}urz^h_(k+f2Nw3LdQ zhGm2e5lZqgF6<#hCr8E!>K~{yxwmHYQBO&PF zrvjQ8eQr-3-7PgW{r#`oUiC_yB5;biX|XA=6_Pb@af&>+uKAVdUxcIXD*h>j3JjVL zsz}xYRfbj}J%3eQl~-CNeu0(&6tM-9wE9Qmp&xhjQ+8!JJw9W}(q%jL9Qdg36meCc zD7dv(3NM7#Zjj6KwlvC^z+J2z7mT!z=0cKooqXPt)<3r#C_|QrI8Z1fxd;V3g(4L2 zWWs%xCxtU*G$@{EniK=7<`n@_ZgMJ?KP5bh;`&oAl_IP!mE})Gh5mf<6!CE?;!>&5 zpK+-ee)#olHCuEalM=;<6R4VyMfc~cUMK(4pI})Fy&*^iH&Ynw zAgAzi>lfV**0}raHwU*pdwGClj;+vr91zfENxW*DKg?oZllb1Wevy;`0UQhnb_sh$ zdIHNspoQj?dI$lC@P4h{c~{NmQ{0p zz`X*GsEtCXgz-R_4o3#cIxe%MI0u|av6T+!Q7O#eq;$><8{ZCTCMp_0G`uGkPC-!P z;xs|qygW(&Df3sZ>)qv_EQdl9tmfjN6~j2USJ}*7*TA(vUG4kMeeZm~ff@fHJ4Lxv z7#wg)bJUefRUD`im0ImpMM{8`2B2iDG!IZw0X4ru`&Jn0SAHBeU_?mhZ`$;kyLRvW 
za_Dpg1fsqk*)(7YfkB1fR4JAVTZZIdKqvl=Ip5oH{U$HI7xA8Kgo=QaOX`C%VIh=9 zLD!kMFgHqp6vDHf_Usc)2FHS`B9l|5c#40%#rG5GBv0kfEA@@iP7k5{DV*|BR9@&$ zQdB`1C7(;B3F-up4M9D~Q3s^-21sd_3Y;Qgdc~{tnsx0T^sTb8C&67Wora;u7o;Rm z`RMyEb!&O?q{Ol`)Sxia%+ufwGncSitEN|(8Tw?U=Tp0s^EKh+gZpP(h#kQ4fPJ`B zL1`UxaZCXVSF!^fp@$Jr2-^@birrJsV}DAoGJ8}zDwf~aG%iSU*cCIrrdp@8&8Oq+ zn=6)iYj?5I1i|1K5D;7Zs`H$Wu!!7xVgAL1c}5iwD&UjO(zm68 zjGkN@nn^{lNG%O3Ee%`yD?4(e@W8%Ji?ge+@BoJ94nDD9@_8(iL^Z3AIO&v%6FnxN zw|m+Jkn~uza2g}fj2z#NmcQ6JS6RmtVi-lHsfu1=o0`k z?=9`1sSif{Cd1+jiSLCXlm${A`Md~_l7>@yGc{AOpsIWNyeK6Kl2b;9wkUr}aLTAB zsZ!sNxL@&7RQ}MP%lgwe#j3`Zr-SyLWOauWHi25`{Alh1`Qh%M60ps z*^gFlZcO^GcITh(zcis+85XxJUzwG@3GRC-Y^&r`djEW$`Ey>a`tPjnCj>u8>H&*E z`U&$A^tsGsF%+6%V^{|M>Bg(Oo<{)1y z#|o(>G;Fh-!eX^5i~n69ueW>Kyrq*rN7H!5(AyVgeL%_8&W*V!T1+2$+r-3E@rkDO zl~Qr-N|T^uc;pQ|nKcXt**GDVAH?#8MG=C=Y{Z<20GMH>cV-Sek@m#<4;=isWiOVI zL)x98`bQTr=JjVuX|eRm>Urk)p|zOoBgdrGYT5N~?*zCOL6?eEE{cB&r&tV2IhE%A z5&hFT>Pnwh5>$K<6CJqpo#>Nw|elKfi*jYv@SxdV9na~b60PD zwL@B@_y~%i#w;qZnn^M!0$ZABr@>1_2z8v${%u2#*|$%K+BY~DK_!trkGOT(bpn`t z*kqSS=|EphH!9L<3Xn1gg^$U`f8$?`2Zef7-O}fVRQQ$%q+<9}mT-Dh+)w#aUKLfe z)?bu{QYcO_cuDN@#Y@6)zVfvK?!AcKnaO zUhQ9_I-W{KDOO38Z?f}p#aNLxGEh~m?tR4Te5a8aXE96$intB^d_$F#_y{Kt3B|M1^kXWmFiljxOdoRdg3R}}txY4>uq5|W4Bhl0w=A7pbJyl+Sikt@ zu~_dOq2_n8xKz?VQOPK+s^zS}r9zq3cB!uVt%#@>AF~{33VD+U$0!_1JA0ag{8tgz z>AI*Yf+0p8^UwZ0>!&B*K|mNMnvJaJ)PYxRUz^5-_wHQ0Y55@ObU*lp>>kqJdGV;z zSQ_aX;W>jP2{m=lb^OM;4iYEyaFV1aC0ZGT?8@NI`-UY)W{xdiyWIdC?%-0C5BtuE z^AhX>K(l(DHGarvdTH9VUvl}{E$ED6rh`y_Rg+(fqwb2RtG-lN8weGVL{-V4N@9Ti zFrb^X(%g09UcJ|9$mkS5m4auUKYziVeFtjvnfMPn+GF;$hr(|K3W8aB^SrHS@Ur2i zMEe#hdD=$?q0D{JL9*e=I8Zz-c__U>ZnQQN=(9me7xrqlNnEI!Bb8IOCshobGI76H z^;0J97sjKAru>O4Z3sKvq^QCRsa%(;NH#?Ts+3Emq3ZIN>weR&SJ1JVkU6nc|FPaM zKK{^C{Ci#fYMt5*o*C8g6lNb`{5Uhz_m&T;zWMrQxW~S8C~v`5Kz`si#H~<{I@Sgt z6Z<@kuD`7}q;1>pDqFO>v9eB;6><>3C>%V8m0_f;F)@RWIiEDCw3?0pkrVhGx z&yGdMY(X87yrU(($SAcFg1WS%uPOv}+oj68S=zq;R#eoBk5&Koe~0t_;^do(;0Kk| zQUzy4b!SaOXG3!#L!#LWas8N`+4<>j;w2ff1je7BTu$$Ew0nhMpq3imyK~vX%nE4t 
zL68sybu~_4>(N?ze)=0I3exyK=*Tk&brCUCoQ1(}a>n*Y7~o$CL* z{^g4Cp^EEkzK1=wd0^U?Wc4^9eP|6+U0Abu*UL=dl_pfYR0k^&iT=G_pL{n9V74fl zy5Uqrys8%3tCAj7T2)C(fQ1Aovg)b|Smj4VT-_wCB9TDLw<4nT??wZA&o}!)VB(GjG|j^Z=iIA} zGVmm13B9R6pYow1;z&M(5*oiEqW|l=0lkyQng4^{fvnyweU1=RbUTk?fRq>Ui{VTO zNO?iOWA&$e?DWtSm9LO0$fmGeDlPhV!<%0~XAMS%vvP9ZY1F0o2=WV@dExUlZh!B~ z?%nHA&&#|c>}F3!_L-sJNT?~`T@6*&zFg_GYX7QH?{4Nk7QjB4z&@Y@0_qqb<-@+~ z>zA~ZXLUVm!~^RVcFFE3vNnrHo(e6QzOfT~mR*?nUct6GU=X(J@WI^$TW2lI`VgCj zW!vrcCn7M2?>1}1gU9MvVS#sNDS~Yn8xs>xTQ#fcp@RkU#yyjpSeEe<99N`7i2<@Yf@%&_Q9^E#q-fzXS{QP$ zHAsggw^zEyF}y0K0Nxxog_r2N3&b8GftiUHr;TWCtY7rURCeojrxZ})%e*FoKkdjBCD~Oe&R{FnJME;dC4g)EpjY4MSdz;>o2}P zC80l+qVk|hu_;W7N=N@RPLZWjAQcg(z3};(Nb7Df-{Ir)ieqitVEi00-T{DvJ$VoVf zrzKsr!m=&qUI+FZn+*7Yh0cz_66V@S&2MAT7+>*`>YwNl)C&ob&H3#q(-spiouxDf zxzcJ50>9!JXX(4n%4(9c6MjWIMO+`@9NK&=J}d(R`nNraqg42J1L zZd#gKW9ynRvq$|C!~v~99NKR3)|OQxcW;|JE$OcmQW@{ez94lCtY=s+Q8LUB)l@(- zo`k9Cv)c5>@Z`Eq z=BDN`+#TgZMd*BPlrIKCS)%AR3;pqL`-MYQ+HBJv(SQ{HRUK&Mw_Y3AI2BUl>lRN1 z<9=4DuTrBmd_Ont7o_|V8P=PoQt+FIv6rHX8~QUYm6xTmLVv1&BBG;?6mz5Yz0E?) 
z?4)O8HS0CJI5={=&$++SH*FIKj~zQIBk?MxE%mv+Ny-eR`~*aR<`+7JIbTB+^5)Pm znDr#NNOb{NB))lIKG!on@n=?2^76hC=Mdz^is{%Ej{J_BjtLM6O&^{wR$Z z^~kn0n9`J(y0Di#?oIB><6B8v$4C@BaA=J$N=9R;?ug}Qs zchR&yWrJ1fjA5MmWus4LMB!o49E}0PH3=!>D4D^7OU|VT2=EN%puNKhj6JSkp4NVs zr{xJV`rMj2ZnT-{>~!ll=#gqo3H`ANRH^76OJCzvMM0JHsG|OtY(+EaR4!Y~NK-{q zUFGww+(@7{r#|=U=|+8$MyA@&qxWaboV{o7{%?m&7GFb2Te!4#8@9yH(wm94MeRh; zM1hM5(-nWm1oZTETqKIRg)WAQ#P-bfU7ebGhd`1P;Xt)=0Ncpz#ME(I5iZ4?}@!D7<%OdeEf;%b-%AGO>OA1o{MJ_b4~B ze>uzog`Ys%#DvrG(q2R>Nd;=kA&!CV!sY;r+F7GyhRm0K^1ai~M*wj0fUAxkrwR`_ zd#6cgYfD#gsVF8|Ra+6%3H?19VH(W8zcBAQC;vArqZA9C?Bh=Q|HKJ-LUElQ!4TIIL~;GV>ZAUL@7gkR%D}&{wt-BJuS6?MRwH?-<);t%8$*bZ0A+%a z$v4gth*YLlkK`>GU}YXAos=p3c?w8!F_|io}N@ObzCG5GJg0s69zn++^>4|X02}f z;2RIBT>76002*3_2UV=JHB>2WC7rQ~)B;<+mCjo!LLi1z>Vh>|;R`%aKjDXjkQ_ut z=EUvWcl6I$pc6Ohw*Z#jEX<0AEs+z9fR_(VLS7o5D7X^?lI)APev?-W74)8T9?A>x zMMwF32xUM@>&+^t@+a@eRdr39#s7_s|6w#v2}p@ERik4Bq=Go*2L0kVQ(pZPU#{M~ z-oC}cDbJr$xlW1uy(t1pUfd74KNb4Zt0R8ftUtjitA(P7s6+d4DHD%YZ9F)PyPlFc z`MxTR&1t{D&R<^q=;cqI_^QF*D%L6AHev8sIEvKU52=>b<0N7u!Nx#@{^%UU+=Pi| z&uDv}d5wAD9Qz=Kg(E--X)oXgH6*4sHiVd-4-GLI7>CLIFWt0kAf#o=csU*gjY$Xhr5s4b_kDQF{z1%{w5O{p}S zfaH+Qz6xZcOvHO7H3c~n1S z6}PP$KQ-w_{asT6%t$zNaM!_oo3^h@Cqc<^JZpURb?Il3xMaN19hf1(aaKM^Y%zqO z(@aac@z8-CJ2qrZ?t8KHWX$m-{TXtA9Ty=!fbRny!ARF$l?hWbdbL+Y>^hEG1%4dY z;nvzUv&TI9AUh*Gv*)>~WBSS>FlBgV!g(+*m|qhTE=cVD$y1*TyM{uK92D6CWoOw1X6BriaEjCn9_JYkJ-LP>!y z&l+|QHm6|fc}Ng&GFPCy7rTW15;h7d7dJxHjpO;_U)jEHJk|`Gwr%z3+`bocP|hEG z!?rak$Hb{9NOiXN6@oeft!uxQVxr|AM6oI6-&>e>l{547-#t$0KhT+bQQ^E>T&Q|L z6ndAuCatVi)fJg3x*>1rE_uDZv!qM%G5i#4naNt^@F9P#7KDnGv%Z^=d{<7dvv8n@ z3FC${T;ZRKguX&C3KXdp+qT4t!TBQXS(vBJmSGBG3yu~%@j%!GcAq^72&4gXFS zfn!c%5haT&j)oV9GLYiT#4Hd(q{+TLh1pm zp|cgJ#6;E;pX*}~uqU8r@{s@T-@9qfn169EWN>&$E{GLcn=a*4B)?etazSE%)01ys zHnr~lJ!^ax5!U*i9SgB_zT+i(3F~j)Jh8f4dME|;Cc>t`CPyo%7ZMPgckv$tr}#6S zxhEaYqaxUHtQP%8q@~E;;c^Oby{)q~u@pPnhkk4Ocdv#An4k8-#GWTJ7zh zt=IBVy)wbT`|5UW({E(Z;7rP$x_kGY zjwv(mub-${*&494RrfHHmaX3eHRo8nU;s7J9W?sdd&|DM?t 
zK@@i8A;)p8=U6S&{0f8tYdLEhD*cKs(s;3y^ebY0K{(4t3J>krm<bTfLt z{OWJbzPpae5*+8|2=K(m)xAzYxXBzhJ75!B#LR>XGy2?&2WRFEJB9NuX06EV%j{mZ zP3z}xtth?4{ZOTNfC0x!g#nd#MLgfiExD@Ns((<46yvjQ-G*7qHr!pWhp1Z^IVLKJ zw9|oYSAJF`FzAK{T|djfgy(Jf0L1`}z2n0#`z^EYyN>r#JUeq=+0lNV{ML`BeuukJ zszS0hQm&C?6^YIex(7faQnh&Fo z#GG0&M!?8S8Rpddp(khb`b$Q_W$^TZj44jgg_C@i(0v^JbIxQk;<9~Q`+hViG@G|e zi%W)gIF(f^VHpl`Us-1gF(Z;b0DyQowEgKfz4pNc&sDEn>mg#2908|RrJRoC;UhR} z*dh+*_PvC3IX3E;!g{gHpE-WyfU_q@_-tFciAzQ34>pBpQ@rFXe9W`bSnRxug2w!J zf245!rB2?hp5pq#r^MMrzk-hT>)np_Qf9T-{6~-94y}9F*4}1Pl)!-p6SRGTzDQbvpSYh7*Gd7At-YA#2iJcvuYGzOBxyQtLs684Eew|F%C| z@qP`NHB<_7%~+eB9o(IbNJ8*5;@*@fX7wnGxTG3;mJ_@ z`12pG-=o)1zvBR{qSLq;F%Zfh?z0g}X;6fg_eLuwi8E!$eiG)Djqh4*eD!+MBO#VE zW%DRJe<~K`@1;5xkHQ71Xevc0tlaQMy;eO32GJ@lBfHWMJwiWnbO-Nx`z=Bl8Qsb- zH=#%|JACs6AwH%j8{p!5iVHI>k}%-nGYjWL^D7pWca~KU z$CLgbgaIM;L+{@;>KMzcyl*7#9%bOjE-jz_6{H#h%Q*fl#_)H@WJ!;zUT3Xa*p+h_ zJb)S`Qhg55KL$2s4mdufK^b^7Vk`ggQ|wTd4h?l^yEAa}hqphC_E=_+2X`PKfop`g z`5H7~HXgMtR&N>kSwgD`N1QEdUxmp3(vXRSnY9jjvQ#_uA2R+e< z7Ii!dl`LP$z6J2)0h99nBA%cHPZ5ODe}($3u~?J(Y`(-l>i0+tg{qY45rUtmH|v6w zur%&wV61PP~hs#iN2{Te8j}0GN|_I%0so;8#l%#zK6hg9QN4p#$6Xwt3m0iHWj6f+!AxsO8Z4xxG%9)cc&>Tjyy{ zeAm`l*?q6c>@Ev4XsG$gr*Nj0l&n$jo;%)pSAG0+BH@h2zr9|8C;<^XT@@HQ>^X=R z#;4%G^PBzPX;5k@`U^^1*k?-UK;+rWrVoCn=8s+fR;jTct?axN3vwMnQh?>-TId?# zzg25ful<0ag`o-2mMvQstloTgovtqLLYVEEE~xqK2D!9(kAN5ALhh#1Jsv=4M@FND z8#y%o&av-A0h4i>EMPJZW{P%oaLm z*$hZ2?u6fyiox*%q>MA=M*Li7s%R304N{7ijx!aXM?vT>sGbxl__e6%HZX zL@XwLmzEdb{^mO)I-E+FMe8O#QsHGCR6$9J8<8Dg;!}Httr*hwjJw}?Q$2R|+unG0 zSo_nlD)5T2FszDM*>Y3n{)WXpjV*$KjCI0B9WU6TuRR({$kI~KDzdb6`XKc8vFh~U z7E&#EpfLZIKW6C9V4Sn?Lg{oo-x3B~__VY1Es;h<#&$hrR;`tc?GV)_xYUI1ft!M@ zvo|g6w_^HN)Fwl`0KEO#qu0GsiGz^d(eFy_T<+N_|9PmwD@>x5DW@|m&AjmKKp(TP%z66SKbfI=~hqV+92HzW5q|E|OI#hCj$ulY5o6l=$s zePLl9YD@RJ$vYY^zNo^0lvy=UY`~5x3^>}sQ9b6L!-wd$IC9>&=cy6SNfiHuXdCpr z4HM3WK58~rWndF3C7=c|XT}@uyyo_hsG2tT`hK16dgT3=C@TC{#TR=0EaVC<0@iS5 z^Y5-B5HYSxIr3awC!^a5AJux`!sk9~*62Fcd$EEN%mN4!C?qrfSC2cB_yeQYObxxG 
z>G4z)`i=)*61OCo3s*3s&mAL2^!_;^>Cu`$#zrfb7U-gtaj$Ov_@~x=h6RgavL{a3 zv1@nTgcR*B$Zw@~E6jF}+^$PprGnUO2D7yN*WQXGw(QO4b6J?;!I?g2aL2b3=OgMZ zgO5@7RqO~GoAg84@TC6`o6%=TeGk^_k~qZQr%7^EW2dToUz8^$X(?6F7AxGRoT+Fo zy7qsga4IS}Wt=JUQzqzF9GvpxB4821yGN~n-v=t-t>Z<5IO`t_VBiA%qbC4Y(Bos&zj>EBHmIb-E=49bP4Jg;C z#ih7%?^S;!y=xir%d8Kv0~bC2X~TxMa0RUiz>)r~&v~lSa|HcJ1T^~Qul-t|JFc@- z7Gqd22v`g@>mpOI~&sJnV-4?sM|4apwN9Sbs6mD(|ww{F^;~#R4T`yS$1tos6^z z?kZux-5Ji2qYU1%6v36Iq4TVf4}b;W4y&(i*&*x&GaAhfzByd+iP@A)Gh?pi+MnJ2$^^N!1eE%1QpNfi~0Au#D@>TD9_w_NIPG&&Hajfu| zRQ%yo%_gFj&^}qm7$^4%Y20R>*52XcOoxo#x2C2H9X>j>@(*8T13OITdKNFJ(shX?C+4u`5SQ-iTS z7omz5?&BMA5lW?{+=!p$N$IZ@ggQ!)is4U5(65yIDH~{NHtQN3S6SIPO?nJP=hi;6 z$o*?yuH3QtWn_~nxwQv>oP9zTtOId*%sI?5rXG`;IG%Lepl&xSM5kJx&&gCZrgS># z!S`OHxcI9Ew{ku+ow?uhrwifr_5ASyTr=zjgbGsC|ETaPqU$|>6bTEnVMz$oFBpCb z&Rucfm0NGmJrApe?c#O_uy0!0_t5_BM~=D=1tqJyvz_g9r0OP&YeIjk>pECndNVEj zmy1(qDE*BkbS%^TM?3D!M{k7wAa}ct)dLP;z$LT^Ms3Lo1MWz2_T?X4QSjE)qw~^U z5PhuyBBCCr{M?M*;0|OS1~4GPXwgGXuZV`WJ9A`*Qz52O^hb3$Wc7bnEMKk8y$nTG zRxHnY{CE)|!Ar|mt^d_+to?$K2XimLh}wBj55Zd;E5eVyXa*rfZjIQN`AD1{<`l7a zQp~6brj727ap>G{*gK6n-|)T=!=lm3t-8V_YN)Ez{Mj!%jt*$jQVX+m>9S2b3Z8G& z%kVBNz_Kt)vj_}kDR0Y-5Jns>Aiy|WX2;-#iM;uCd{|TDOW()sm-=4j)@H|tO&;4^ zyN&9%Mr7kxK3FFnRGEa73sMAEBb%<1ipojZ+zG)cqdwt+6f{2zr!>tk2vXsUbXPRV zbEaIJ^64fSXDXzAs)T^zL!7H#sZE=JAX-h#o%-fC9epRqd3o166+1S+oNx#Jh`p$b zGbteJGJ{C_+UEl_fETnSMSeJu2}o&Gtc%bX5wK|T?TyqIU-MGsPR%bPenLbA)Q;%fH7#n_|J)e>6yn^Y=OnE-aj9m096_ zN}J#hot1R6`qJ4*QE&%mD^2Z3A4OAp!n|kzPEIUKy$ciS89G2`&I#&$jl&8|436c3I| z(U=%L7Isk3wVz6Bwh-U8560PNMFhE>nKGf@Lx?gF${RH{t#jXD4}RL*Lo1INs1+^5 zy}GN~k8OG-2aU<($y4|5KTx$pa)j2dWG-T1mNDc02%$enSS;kyuwnyEN%sv18c4Et zV#1SK3>67)TB5T057cCd2Woc=^{P6Ko?>Es3a4CzA|d7Gq>2ppg>w8tX@0P1;xYYV z zEU@3AzKLn&W1%xinXS|(vW#RdQ+Q&3#NKDU3QUlph7wQW>6X{thc`v~0LB#b-4{Q8 z@~uxFV>yZ)fR(|G05yo{xL546Eg5wx)&m=2U$dn9STG#1O> zhtvxLc8e4Rmm~~`(8P@7+gW#+61~x0<~lU5!`}FLGIO#ROkpHw+lWMYzih?=xPvl z2Qx8!;H#~Tp5K* zDxPV>uKq*Z$Y&%8^+2r-iAjFjORlQJ=*f!O7lKfVG7(@+M8bUmf*)>_>E~ 
zCzlkba>~}BEfS=BQnaB6Qp|%FKVS2cCLKjHHlWkhX26&$UaB4IIv1C(`B0T_TXyM_ zo>ZApy?k^?i*2v~9SO>sg40BcNTB;_-eS%|5!WF*>YfOOn74vE01)Jjs&($wkM~@a zXMi^9N4OxM`EZ3-ntylg%z-#%7tI@T65KzgDn1(ahZzl=9pgIL_dF!Fus<~5+h3vv zRfPWbOmepOSD`;xf5@ln(BG>L&Dpg-r3$H3hruE(_aE*ABoIYy$!im=yIH-hMAz#} zVcN!4!c?Isc;DO-g#kA%>CM^(m;V?SGrn=cOD+g@;Qn)cMkDb$hA0yxvqzbPpDqNF z@bsAoFgM!$aD|zA@CGOLEXzVJctL%HE8wybQs5jeizJIVlO-8pdBW-Dh}mIHh(iZB z2B!nhNxu@rTgE3nip7?#mCLM37*fh$+`k={!)qfl?%wNsQrpKe(`gUfx||RA6kQWJ|tUaoS6c8 zhw;zEVJ|0oAe{OLj#sLRKm&a7vF%H*A>h+Bk8g3sx@cu8L}skteZXKjAFl2O_B=Q$)( zu%#PY3(HzJqnFU1-I403AseeC7q4E~#MHAo<11g2^mIXk$J>=OmmQMte8H#rbLoc;1^I8N&@69u8E7sGzmU7GX?D?RM}HU zw#GPUdG<`&i}b#|Td&p+e%3-8K-TIvf7qnkz!5Gtzf0$# z?*F`9LQ+&)G5&|jtICZI^jRQfw|EJTKxxo&G`u96Ofpx&4c&ZB2Z;#U2S3FT<`)wj(v;$yM@aQ} zQd(Dy6f<{(^0XmS0x4Uwr9U`FAbV&N5qiyIIk;V=%!vMB-%1euJG5Txr?CFoI~!X{ z=#Q2b68f_Wex;D=CTIR1ot+*BwWOOBolx>`i#Va;iazcvemT;6aV@^BJZUx8ou?!gVS)B2CNitkDx(Tu>CJ^L z9nKPxfEOE#xLTgKrKQ3{@hb|#bhWJa+vnqW;G&~*CHie+qS|-y$lOk2sQMiWO!}{I z{YULi-dD42I8=?wjTz_@AId{0;;w3QDd=&-eLhbr2vVl!6iO6cd9TZ$ut7@4{Y>9^ zi$r1RCLMEf$_#$rPPL|;g4&W<*^_?mKkEMX-mCS+ouqderHoZd@)`W;NtGt_e;j;a z#+lh?c9=U#O?kB|}0pru-z-qW!7LhXEU1{I@p1>uDR(eU3p;{uXd z^#5hJGR{dk4QO-D3m-pC$(0`JPgZ(vWXDrUY=uS!AWksa0XyzXl!J-M)$}vOfhy&W z2|H1LF!;SMuH6mnVE;S%G0_~OU1XguAnnL6Rwl^P0{eA2omBv8Y16)HQR(k)yPSae~tlny%WoavT{RUiVcZBFjmRN;=C|=vwNQ8 z<3*UE4kLo`j~Pe(&m6ROY^ain*}Du?OH6;Q6@wA5PuBa)P|lgqtt{9?fh5n&Z|eGc z|9l=)3UG?YVY zleBu#Sz19!SbXWM|3OJuBns1V|3Zg?>tg>DY|qQ>LkH>*CaRQ03_b~q%{XUcamCQx zH&dEeF^o$zX{E}FNrI+{r*bo+0}rr{z1)ujPFvG{=eMaoM~nUv2HT6 z$S4s)C#;8K#W@mAPmmO?J#@`JPYct7yMTs<#80WI zQG|+|Ns|vAI^1kP+Kt+Z@>^t4wF~gQqEc(uz(OvpanRdx9jraHedudcIckF)8klOC6s!vMn7C$?}l=C9q(IH#wQpTy3*l8wYiN9__2%RJNwC01{f}rL8nHP{RTabJT7vaiGMg_S37$#>z zA)eIxT&!8KEuSNH^1v#^PVc3JDVj;>Z$&lfX^VCBgemSToQKxm1x1_bKhIGA0Vn^m zLfC+siz2`ODFxKaD@j*MX%Rvgu!HC;?i%47+*l&C+O{Tj%77~wV8P`IBNksCQ;(h3 zC_X|!vIs!>HOa02fVPT{ilab_#T zc)0gjJx@;`_(r7ZaN2|k8QGgRZ^@pw?Cz>9wFwovU;wk++Mi-$mIYg`@z+j@_uC+a 
zA3=dNd2<6s8wY=xERxzO}f>8W(baUQ7ppXBjQt*ofQbmUQ ze4do&Oa&r-Mtj!C`i0Zcai)&5KV{GgHsIH76D4UiHYt5@g{%Z=CWwRMi*Eo201cye zb7pwbd8yLRdE}FEk(_1CxNqMZsgnHMl)4TnUPO% zmhWBtBqWiUR=X_{lsS#ZBiDx7ZAR~#Qb)GKdLYiWe#`bp>$KI&d&9oarZs|D;$-Pf zJ6XD9Rl$~VC_Fz)>jg!}2}6*JXrbQ1z{|oE57Cb8pzAboJ9F#EP6VEGNYnitm4T|< z;-1gYuk!293$0>Aj*H_z_)}3XLfL^n{U0{5spR8CO2{ooFA4EfdcYzXpBjz~90h5AT z2cG)wXkKD5up3wp(q32+AjzkG13+VWxOnLEV?Z={W5bf(g@+Fm+vXvlv|q8)bvvq7 zN|Uy(Fsm28<}7^D;1s=X3-d2?=AK!6L;dHO{0E@)i#8zT(hZ8PcnI z`UMPi2C$h&jAZbRlh>u4W#5GpsO07D@LKD9@%I~E`LIf@2hzHfojd5H-PTZ-0LAcA zxVyd}2!fM^R69-+_!VbHXupXECWJ_2&&(9FBkRc?@#-8&X|Zn1OgKMvc$3s|DFcV6 zywafk9aWlM>-Od|u%*2Keg|BwNQBT>X_r3`9VFC179A=KX1hE`MiDmj%OIe*M?7e= z(8uo_xhD%4gaxnl;ZZ)a1c z)aNq1eaCsp)MGO0NoqnF!P7XhX1sJZB$vebMD{qsRGKm1L;~PuPO(G$BroYCW+eii zaCfWLxj(JziOg9Z&rERrS*?gpP!62ZcjN>Xr92Wg0n31Wz)CQYxi8O;LD0{sf3uq9 zEdraN5qo_>o`=OMnTtt%&fBzXPzgYaQ;*Pze!g^~_t@!QO6X76>E#`-&BuL(c}NER z$@)7Q_;vCxDa^monSY;)Ru4;9mEbDuN*Y>8(yE>GwcnW}?HBn*iv5Em;I_4?(}vuP zLB@rLHKd0`=x>4mltmDNV=bf+iV4M{h{4JF3NT^_G3vktmV6|+h^^t&6LzKwgTg?L z$OH^jBeFz8Q?AS~+2AQqFtO4_y1tfEvCuim|>zVuTKzLNF0XBhq z5y4=t5z}KrQD4lhImlebo)BFGd7+E=p3{EGpTlLj$kajCZdo}T+f{5kr*Mk4iK3lO zimIKnUZtpz09y8;bogEHNW`?xzfY=!@-8_VGyUghaIA9vuW;Vw78{VH)uX~)U-6MN zv|8gPt&j&P7$ZrmlKjxAiU#yk2j9S$!JgY=BXpl(jK{=UYgOtQ`00AE0UQiJ1}6)u zP1)yAk;h9tK3P8Di!qF~N5;$LqfcX~o9Vy~gOCx_;&Q)3kL%#d-~wF zb@2;;HEeV$DVgW~+nQjM0jzkKrTqvmLRb=SE6V3G$mPWk4WM{vSF$38hkHK%a zNeps;09u_sjhV%iL@ufPM^At8PQnXUHZ<)*rtm`gEd0U&-eG1W`q0Amf% zMQ25dBL+W;`+|48OPr82G?s+F$Xw7oVQ>c&#zsvYeEsfibFo?_F>)$Jg@BTzs5&{D z5T+nS^|@%Pl1!lv$W2jUV~@bQp8Y549Q}X5$va=Q2r*$mtz`SU;;z^8l2+UMIeW57 zl(f>{_@RRZ)X>p(lc9yHUYwDm#}e2?fSPrYc;yMQLSvu04=%z|4fTG4(#S`UFl9l- z`ii;0_~$el5cozT5p2yw8r1fz|9*M*NRAc zIBUW@9vH_T#Z6h@1^+H4CXW;+=cTX12MI#**c19chCI6lEd9I3z!4Rjba|j!^Bdo9 zq+!b-mkAFVR|^wu%yl#+BZ6Gfd_pVLWe~xJiDK^iy|dW36X$~F0U|s4*>u(^!hzIz zy1T2k2=%Jk4a>3-D(FMmq(0Aw3c`~W>+=wbSYM2Ap8+Wo@spfX5Tt%V`UL*e6))Ag z_rtG0{H9&sA)`{qjZROhNGuxKTO3zN4@EEtYj0u>`XIjiJ}i_ 
zcV>^4QbMH*gqf|(5pq&I0PzQ^Jh&9ZiF#k&p7_)GoW=z7MbQapaGXiO^Dv3HFLRvJ znD5Mb%Ky10c7Q27cd)Q(IT^lTTD_x^ zR`so<)j(&@_)2LGvVLLLDFf)zTb2ckZ&=0}NcuR#n_-C>^Qv*Dvo_PNy&jf? z0SOL3{3Bz<3W^!TJ^{UOF2`JnF*4v&I-ivI(*EU!eIoMDcslhhY)jM?hq~U9S^<)Fi$bVqkPoGuKL9!r@?*#LbfP8k(GN0DHm&P2hn5YopEhZ^g$pj(j$MTP9mH6}dv_fE(aYv5( zScrUtd;w7l-h!LK4CRq{elV1hE@nNUb)6Bw8Zd?Nym&&aM4SgRPiS^PL#Di}Z~I=f zCa?9ueOpWBOmQ~;*WT$WMMV`=YiFGnP*N!>B!CwD!wdb*z24!U<{Yb`{`2$v2b{T= zICM-#LD5hw2(%JzrC}x20UMf$jy-DjJBNxqV99?7|L)(tcJ5eucgiv;4g{F7^rB5d8nbo7r z_#stn$4c*`){f;FF*>zjhdy_>fK^P)it@G;TRT80G`L`wafRTB1!@+MdC(KqGPMbEgCL@XkUT{XhM)2i!8Rv}EV0?hw6U!~;EN?N|x8=l)iZi+J zo}k@Akl;+Mcf>)$fT$q>I+~S{)b33BAfVu+x-|N$9nGZRnVHMDVA3zRuQZSX@3<@* z(F{JzyG$ic3;uQHBC&Q@`tlcHi{_4bV&CpnM@o`~_lzGkr@Kf|(c`0SL_1vslqyLA z#lxxloqXC+UHT_Xl@`uAb7(Ged10QBupnvmn6nt&^~zEmK+m(zw*86|Kwf5iR6@HJqE?a z+z6kDGieI!Ti2}}FX<{Ksr~UegHL2xcxbkN?aJDcS;>4HKeUz>yfrq*x6`)QkdJ=o z_GpckH-GpY&H|h5ZDFX{wCUENu+V5B5Eg}E+H(p1j!J=nBPJqO(j5zf%r$+t(@3g* z>&Mf-@tE{>=SM&E9OM`Jz^iJLoMFS0{-1bmluPHsdy3?tq62+J#`^4pl)#gXP{DBD zFNILoyju64pEO20y;Gkdex0t=w6tMgXZH}ML2zBf*rWWAIYI%x8JSpq#vbb>bA%mG zKzt&lL`{yEp&n~4F!FIy80}DPfB5b?FiWq{2*;@$lgu*SWh2=H@4_U4@w`Yj@mVul zxeN1Aom_TG|I3)yvqwHOskhWB^1&@xX9IusLl%FZ8)0*>JlLO^!|x{4bLe0RwBu}3 z<{VtFs;G3252~oXc2?DLR#cW0m1&!Z&|lu2N9JAW%s9EU4E3Ma;XmNazqoMT6)^u@ z$BLxYQ_`?3}oU zZQ!U+Hhn{24JEff{m~CzZu;#FOf($Csk5q4==>axu+2Cb+95!qj2w=xRLsaC@!VWp^ zLl*m`K_9bYziaRNuIaus4`4r)-q+8}UvbAr-^YR~{$3B8i0|pm2U5{dJ`bUyeJEmm zV3XOR+$iNhMcgP4q<+zG--XZB0HHo_(Us1L$s<$nxPxOOZDgCw#7po#m@M{y)ca(7 zK&3?^qEfNY)R_g8;oIjEC1XGmbHKs_F?L@M`!x2M2slkYHNBc99fRARMQ%%<0O7%& ziF8MmmUgowTu*9@U^{h81SRZqto<^S;x5Q|XVbEQ+t-etpYaxpQsy%2Ogr}>^r zzeIh4#VR2VW+*mi=J0y~seJ`2OJcO5&&B!`q)ERdDo?3DmG-`*s6KX97o2G3Imz8)r^TIGIk43nsj^ZQc0w3%gBA`YQ*S zN-Pu!wiDuGDF_qEY^>SH_RbstwKc*ZBJM{`JyV7`W!8JSZl8MY$OYf8`7jzU16rTW zl=rzyW=62=1fpFXM>$Aj3dO zsqFYJ&P#J&155^C&C}jqxhZ^p`)_9-ud4OX48f*oVDdRoItk^6r!c;R_Mr?y*=|%g zYXUdwID1kTJzw+k7i-=2-j_9-ccBlO?>`WEDaolZj2T7_)V#BvV2km-|jGBXJE2^r5lyiWIcZK?rQ 
z_2;WR4XYMeOQbD=7i2O5uS|UI4(d%#EQ6e;IgMxu*Mxj%j<7?@Sj)4MZVOd?hqVi& z@gqCeQV!S8JxW>4pdn<6{*{GqkKmVQg${f8l^Zx_*q}NjEdBhv{4Q_4tkzII3l>R;Bc>)E$X5U?BNyEachW?Kc7;-Is4meiRdNQ)(;@)Wg%m7hAx zK2SYATq=cx{%&#dFF#&p`p@eU2FyM42bQuy}O zB}ik@Mr7~KB?Vh%?%0sEVR6rO3p(m;)6)LCHc#ENJ%3-pibMOivnX0IT|kQQ$zl&) z5Sic5No0?C-#+sT?}o)2!3UOYz!pO2EJO|8gAS+ZUCUBLe@XdjbV=Y|D7uHPDp{Sf zN+c*j?u;v#(1*SwAM`;L$B95{WL!Er3dQtCupwN857K&@8H(^Vq81r_?@Ak4bW~8o z+3?Y+eTIx`(<`Y$qmH;*p1WZ=T(M$?8W((EVdF@t@0)uWNcw;F&O5$}s_EnJUjiy% z=RvxNiYTBwcAv-YV^^B=Dhh&tfPjirQIOu1A|;`P-h1dt2njX0Ng$zjLJ1_01ahuG#seFZ;G1IDU-Jd;sUm5v*;z$?~WF^5M8SZ1#DW zbwV%}6w9(N7TIHnsilQE71bXVSgY!e{x{l$vszcUgz_`f!|h*Q4F2K@V&_@vA6qNN ztZqG?D_5&S`P$#Cn{=lNbjGiW{jod5T;;>zvk1}?`!3rfrS6q3u*cbGM7E*x+vij` zwBx7i$(Nx9&;%$0^x^EmIhtZXJ)j{_66gt3C3hi`JX5sf81eQcqaV4bP7e`!D1rVI zl)~ag75QRnL|JlJcv;F#9RVYXxa$A{U&sIilGxtLM+A`7p4m!F!@NX zqF8ud2-*I6%Y>}3R;Mj2Rf#HLTT21$mG{M4u0mVUn;lgm%+I#l1SRkbY5nY z!t|e3CgQfN`Hm{Mtz*5ZTh@g%Gn48`<{r|2_pEB+MlCvJVo%B?Dzlc)%AwHmc~bOc zWsS;j{5kr)iuJlb)wsud9S43te9FuPcIb$kDPFr~-O4GOX1~U&U~K@CNC+tb3qS}$ zq(Yq0Ye^R{?yyQ(a>zLPrYNO5>EM^!DSRi(a{#6y&3)q0*L12)|*7}B> z(xl@%{D~aIPpBX9<6v8Hu_@SPt}WOa%*mf<$kFNXjUjU@$DiAoEyc*U3aAaQofe7* z-8(l?XrOreb`#*4Ezn;CIX=pJO;k6PN$JK72M`OggjgXKABfRVqF8h@Ar`~MJ6l4p zuQ0Bi%vI?18(BP9rUItjrIg+|S=c$OgRTSc1A-MB8Ra=~me>*SotYyaQi-!G)on9; zKqa;zF(|AjPt`uM7!RVRKn+L%v$f`E{OOie!4TPQ{ECN&4UD1MKNRP>#}EsqnBg7 z!8qK)gsiNJ*6?7WCK~}oB7ztZXkFU`4aJTiCejn1w^k!FVMtjNjIcRan0g&-5eS3^ z-?}!EhdZ!5Q9Dd4a%}J58zCmScvkq-8RPOw0hOgirRXnUGw30?sL1!Hqf$iT?fZlg z<_+|xnaNEru!JN$pq_##g4up55Q`)21@3}h_SuofIRyw@YdEjuV%~3{YI5SaV82H= zq$yx|9@cqQkFY&aGGJUr=>d)%?FZ2D&6Dr=sn;`))@_RtzIwwJvqo`-yaP0pq71qz zBIVL099THkA_~Fmv>_lXR>iZ(V*JVlZLu}TuP{V(@4(viTd0FCB;hYONN<^T-UEs^|0RO6fJt5X?JXx_3s(;M)@vUy?E97 z4V$)RMclHz5A(uTtMjm_wSOG_dWXT!wf^;q=6yATuraa>4uWkci%YW`RmiHE{k{cE z&P!3{SufvXqkU#9uuFy6&W^6&zv7QgvtDLNpaFB$ej_)rB(SJjmx?N*i&KDbp5>tBT7f$X z0jN%Z__nK>S9SfxAfPb-0xV1d=Eu_?B_2)BAmbW}M7WO34QzrI=0F_yWx-kv~s+wl^<-Klu$W8VXvSgrd@#Ep6a>Z@(UKy91wCG9GBw~+1{(1@ZlfdajrAX&f 
zaI1)ar-YR?c6&vtTfv)L-vPHW@M5zXtt5(t3ccQ0X6?)nBbG!V(*(eoxcAmTEK*XE z4g_~$U!Xd3RZXaMt|Fgvpf$@W-!)_{?0jIXHBuCUki#z_yUKRW-P=exO(k+tWFGIt~7hD)3j;xR)-_E{p ztP`Xy*QKt`OKOcl=iNR|J1jqJQt0lK;}z_NnxMW}fz~#W^bwi}O7>jiCcS%CXGgFv zfXkA9jia3`dw0+y-A@k%6cMb-NzMgS9`Gt9=V-Zx_En=zLF1okmb4KdFC zZl<+bXe37EA)al{*N(1vJ^51jx>|w0MTn*BmRrFlkXe*cg5}LA5pO}*7WzF7mN^6? z;btPLHXjMEgd-&WBgFb6FnjY(Z%rIhcEe=67mI69#Mw>vvy0(t=vz<*Vv17!Q#Q9s z>mK9)sk9|XPdFO8o<)@pCXCYhl(h^QATi-mqnB(E1IVU5Q~H?tq;pW^Dfnv%3tN+OYT7kGl;Av@9XEZf?|kG?TbJ_uC%kD}aLC@h;V}meh3!AIbKo;-r$7%Wc!|3}06>IWc$Hh&0j2T>(Cod`KXFBRQm$WphACVOAxb_56rY($YSn7Md4-FgVb;v*xbaXKKdpPV<&{vpZ5a5_kexizxY zwWN#twzLZL5w)A!waw;2w88g^U7#-%8mK`)_u(T?pjtLBMr7B0q3&>yqY*e1kE5f5 zD{^N@anR2YCIDT7;08}aaKEgPELDvc(Ws?+VM7JXjtFsNbQ@dKtUTDl=< z*Y3SHq9Jr8!l<_9Em`F|fBA%2i$+bG|Jx+LPD3U)=sD)oZo^;x`j^KV|D<@3<~wc+ zni;t*D3cSiQkCZJS=I1)>oh>Z!kCn1&qcqdIaJmH)FXAfJ=e1L$6W@0{{8TFzy8th z_vs+?#`(_oowsbx;+4b=b{&Tsxf2k$%@GlK;>3xI7vn-4(GwPLY&l@^JDrBU*`~uE zgDZgKIpOdAJO)EitOOJg>m)uT6Gok-BKSSRp_>t3ky$*fL(HtyWYKc5JJ?Wo)+1G2 z*&)spS3?PkE+`;^&0>~f{i79!KjKV*_aEXIuRs)XU7Y%jtWx$GJC6Fa&mLqa(xAQw z`%GA;tn$0@A#4-kU0+MeeF*g2u_&{)@TmjF<>khO8OGW15|x6;a!0!h#UsJT{!cQX z6i`JVe-4zEZpo+j=B*w9gQ(_?Dw$#~?fb;cZr@I3@HpJcgs*b~VSba3=3#Z@;gM@e z7sA(k%1!~lWVIaW4WbGNFB}&Im1Nl(>=E{+`WH1CYyxi-xD1<=ZDreZgn6MdTuDiA zXgt_BdY2K|>{9SU-~bWaxQ~Y~FbVxD=V1?hgB8*;Z|7`@U8z0@sx@p?5-~wvB4=e>&$jxx$Haxpw(JPq9ky=6=C%Ht{MT=~5i*>Ox&-G6R90`{LL+H+3(FYElyAXFN;p*Cu z@Xn)WKhd~{#=`^S88xsXbLuK9sYypLVZk836N81|D#$f@F{lDk7?MuNOi3ilYP6c1 zY&BV*a1gy>Q3k?Rki~E%W+Sk+th)n{!$AxRYCxR^XpiM%{=J=Ta{ZJZ}z;zTpb-!H~dm58dj zu@A_fHG0z1MtIpPZNRe0crx*Je&?+7j8AlxJW$PwZ`?c zd08R3e74rK10N(H0J%%5HuyqQybPWN z^Rn=)D$RP=?>phUv3?_FE}OP^?W&D|+qQ?IC%oC5OOx(3Yu6)=%~-G;?lXMqyrEO( z4xH%s!ziC_Bc`dV{h&$B`i@J##y0Caw#~2O$;6~vP=y^kcl#{yZ`ONk`ZcCm?=da< zj_oq^&u+t}sH^8_pP`fehW_a{a_Zb^bC*n?zYOaemN;8eH}B7ln?$pRNE@{;I_BWv zP{;n&!C_NZZ0-L0+*&=xRBG@;#(bHwUeyMzh7WiQNja;P!x}&^VQHbJV|}9E0~e>) zj4B{&vtp^hk|yklI%V1Fs6R>V!AkypPz6>j`+_xz(TY8SnH6&?Z{a={bx;DZ6nTm> 
z6>=8svoF{k^nsni8b+tb-eCvvQhwzrb{6}KjidZHz<$s&A{CGG77q-Rx1cIKw&q@T zclg?m5-vvMo;>8~iRzMHM_Qvs_O!)c;nO__bNN|7sRGt<}t{+NHI=?@lH8F2FTY5O2 zvGUo2N>9!%-fN=oI3lu@*ycn>XZxSs@*oTd2%qxnXOqGj;1rMo7>Yvtvgwq*k-g91 zQw2d{OTwg}9&Aq@Czvy!3vO0x*b?4>CXf@RA`7;E>C)LPU^XPwEt*E&X!``n1tbD7 z4T1nSq)qzcmRm_v;+1*F*g=mFIMhb{GX1G!E|YVW`&^_Ij7{%#8TReS8MD^}>~=(j zg*&ze1l>H+{ZD8axoPLl-3WbW&ct4hj}MPI;$D}39`Y2F+%11$)v?l82^d2ODXAnN8_*Py3QosbW&N-+Id`!;b$;zZP6xx;R zeMOt_CSJ<+jW`O?eHrC@I!^EVeeZB6o*(Eq&4bucBLkN@|kR8-Ga4%zJ(Z2U4D3>)Mwvj zVoxrn8REwO*z@0g`&9en>(8EU_+^E<9kd7r=lXisbe~m$8$$MO4BFwpC1~A-Et|H0 zgx{K9@Ql9=w?YnOST=77#N@PnduX^La^Hc&F-J}uIu*NhZ}h}PtG^vQtY-Trefm`E z-KUxge&TUnzHR;8e=!Cr1EqClRhfB5L}CpfK`Q|VXDC*t)g%fFfK$NiunpnKi=dPh z;DMC}a&_IrB6Zt+fG-A*&`#2>k{oz=1((u4u);|#ha!$<5sp~@@{^fRo_)dYKz+?l zIlb{d*cp3=C5=@VeK?v!TA+JyJ)|w7Ke>L9>mB;fr|}|oboACXV5o9S5b{_bdIi;j zc1Z&IQR0k4)O3kP3pBm15%s2~dnBTAMwIs^_RWrC+|J(($G@D8M_l0R>CRTn?5Tk= z%ja}`o4*~*2zd-;ca^Jvuz*a#7U>`IH0l^6+bf)kTE;gxB%S;?vrfjYD1oNa> zDp+}twHwOw1#J(fSq`7{NB_zrG^kh=H|dY!iD3)ei;&c(wN(>}e%Sgmk0i14^G%vS zMxZmazi`}rAl{pFe79;tl!u-4gJo)Wt=6K?XFrZZ^LwQ_#rT+z@Y7XK1lMI0|$>EKe5XZy)h)*Z(Z=1`Tjj7ENK4ApYL=U z@}Dm|H17Dn{{5a_IQBl0-m+8}?KfI}uE*AG;k6d^m;F)Pv~RjO*r4KOg)m>N0oaFH zB&-(hsCB6BuvU2;hAOO1oR{`3E#_8!VX3G9NKnwoOuQuMARFR@KH=4FK@%4(;ub2$*Q z_1KkcHyYu>?8}*uO$sg-BNTfdq!XNri#-KH)I@*+4p4YvDoVmn$Y|^TER0^IT&?zG zo#Uj6$maI#gazO!p5^Tn0CeeQ6{}LdnLNw=L#yQ#T&PFruxo?BNcj9U6Yr{2_iMNG zP~H5p%Nv;OIQ>FrQ2Rh$2qwRLd~y6`9?wF52rS{z`ae`@+Oul&UQpw2hWU>y z-spoz4jn!Mj4gP3D2VGE()_mhGI+*{ zru`?q+IGNGO?y4js7Hm*yO*lfg|TJyApQ%--OG3~=`kw_(^mp=jZ4D!Kh^LsBb;g$ zjJsFy3)g97yK2|QlE1)TtYvffzvtV#G6?eij-5xavuBCsVhtvq`N?Kg@AwgWYF z3vT;hyUCta8K#Iz9e-|5sxu`|TqpMr37^_*T$(3*3fct)JJDPC6fwG?Z2R8V@{|$z zis7ha;QsGTLZ2P8C_Gp{sn1QE;Xaoc^2FCTUr z@$INt181z5x?;=fpxtW&cdiKt^$*y-e(U!2n*%oo1OqJy+7^Npj0@QWYtDv^`Qz=C zE3U^&c{Lp{d$NsQZ3_+!3EdgGW7nQA$BsSWdn5Pn2;UbHzCSeb;5NsBMO$``nzyd& z*g5rk|M7C0U$e3?F;=*T|Io7rhXepHP;Ax!qpBtjx{cD9AP=^2(|@8H?D+l5Oe?a9 
zo@;9XT>%O@DqtA0I?38t6&#HUWTim_1A50xt&Qk1C=)0_CjE9>fp?*z1jmcfmK-04clOQu z=Fh{EP^T-~g;J4;@9bFP%usO`J@TEnj*=H}W>AZgVYzRphx6R}zTLd63+Zmc~ z+aNjo6FdVnM>$b0{iFDIJzi+k;eW$^eH>SPb}KGXwssIw*l{RHupOiMnKZP_n_tvJ ztA_FiS1iZ~RKoTMe_k{LuVDnIt0-+yyr?>KTZ|5yGRPPEn*N|o;_dvz$=059Z`g@~S`4=*Mc!d*dJU zQTLIJ`c1%BsNGPXo)hK`n6`M_yfrgcZ1!8dW$TWxP1|?x2#Y*&dB>hev)X07_wXIZDw zv)c~yZT$1Z+CPn@+s}X1|EZ=uvtmrPL3qAN)84(SF=C9{!IdQXw5zdH3B6$_<;UMW{!;ZwN!!lypWaG@e$qC}%D z;}xfJ$Ri3!HRNAscqt=O^mP*46Membak!0S9K*SrtS$u3lCVqjMZUhV9QWBSI$MR* zR3`w}@HHQ+4UTCkcI$&S%AC~>Qul#O5UW!m(u1boAG7V-&LhT~rkqZtYqoFK^;KF{ z;5}`3mJ!_xUxsktU8d>Vcvov!1fB! zlSuqPAzx4@>#w@=(3~H8KI@h+K3VTe4*zIxTp#2PJx9ZXmI?Aj=K*P;n{sWZO8r(u zp8u%zr>;MFxbtw$&JWk@g076KbnWlp1zcrocU6VDJ%6v;bDX-G{5)~c%oRgtuTs~@ zIjfegwx>RU69t9G=sLR4ck*Jh5n7Y$!>%KgUlsqV7xAy^1L>mZl7|lS6NbP3eV@X* z=US~y&Gv1&zQ!mqR*V?q#^|{nRREl19<1K5rE4SHY1i#l=1U&fk_=#f)7g|JH z`!-g^${~m!-9Vd%E)gzcYYkPQI(OA<`!Q=04y!tklN2qZGei+>dj&!|ctTd%f#B~H z$RU;8<-B%u&!E8RB89=A53jkGHEesAhd)`^7-w1VJkGUe`5Orr9JFfN#W(j)C=&Lm zOA94*5|j#g3aWKXx%xH|YL<>mmqJ7prvn+efDmABH*zro#tNdZ6UgEz(ckJh-KPUt zm|>SVrJNmSoI|!+AX0Y9E!707bsitP<3Mod-Ai8%oPHky3x`|u8|*&JGzd6o?Dd6K zA79$Dn;&Gis_l$AB5d`0NB0i8diemYB_=0>i+k(a!HU`-vk=DCe-in)i*kr{<%4W_ z4yY25X?o##V;*Sw?c3jUdzG^{CU0J9B?u;!knk7SHNbdKP^v|?KV=Q8(0d=*4FCzW zh~p>+%F~!JfK! 
z!k=_(4*xpaW|u}JVUt1uAocnJW&lNE$L&~Hji^nh_fLV%T~EGfZHn@tld%J*uXwD% zk4RWR7aDbZclr3DX#Qah+BRXOCv17pgOQ7hZkkeP#>f)mhm>10@lLpmjR6tn0`oNV z3UvwvtPJoeI3S{vTTUdgLnS_8@g1|oof)gQ^`(?~mUh1B{)#JYe7RX;3{u&$DjGo_ zg^MVX;K~U_`}VE+c)c`_Ez(V{njn6i&>!Rl`T*~Pm}79!bzI+jBX@2Ys{$8+j5B3e zDFjbe2qVl);Yq}Z0g_Rl@MxX3n5CBgQ4IG1A_8F{vJJlLpG2_(Xz@YoTCRi8tkc`f zludS~1(p*c5_0|F)dD_u8@U25z@ddcP?=*G)v#uY>#mPI1~Mlx_!KhKsDY189#)zH z^_f1mizLU_=&8A(Tq^GnQN-XaYZzlL`7>vIeUh_sG{GTP-xX)oqZi zY`cIx!ddRPWAw4TgY(2xxdPnsf4GU&CvTt-S|wfwPz^=@SdWJkg(s z!QJN$$%U7hTR}h36E6FsXoWiMY~=C%uWGITvxwCM=GwmX4%|~t*VFDGV^_5XsIWS{ z)}jIUMr|ph^H59WUj`%Y+T*z=>X95a1NUz0Kpy_Q`K+oFX*64Pd4vA*rF;umZf!Y2 zRM{}O&_}In@=;IL`wCDBR2Nc@s?9o39?A&vZdn!9B0O*rnrzBCh7`wJdV+t1_|;~S z!UNPCs$=*mQVgr>z;cc{4Gu6i#q z{)lbwWcw$`y-Ts7CnCq`ouvwKr#9!IwQOIP>k7{6raYzeeil9@_9;UA)yl9>Ax}A; zPeJb&TGUJM{{|yqL_=@M8f@iOubFl$Ye-w{R!S2%Uo?TY)^3&S#q90@LS>=@i9Iy` z;>nFE*Cp|BLSoXeSxa91vh!07z63SVuWwagROlEv({c_6pMdEB^py3;4LO3m1FldM zgEKJpEPbpMo4DyR1Jj`$q#hz^K*Tgo&qfJVo)MC2A<#k7RHy-K9nRr&2}KsH0g?#& zK-WYWbRWtnc$~Ge=Q5onOBVzXMyT{cfFckZ4evxy`H z>tqU8JUp)IU>Idxaq>}1j-C@E-O6Ek7YmHF%8F&(vOW>hwi5njT^$yDQv4A#5-Hab z)Sh7FUpf=SF5su+E4L^jjl1ob*L#wJ%9N)hwZ|V8yZN4ROrbQ{rzx zrM;h^M!*QeCR@&kcwS4*h6)lGqcwqqv{fhzr3nOOaT_#&d0pQIz@**F{=02fNfhkc zW|i8r;>~@VTkKl;;`Rm4E*W2H&X|W5jk|Bj@Aqt;qED@b+3!jLg5xCY27&{{;BZS| zTmA)Su0RoFDnY%UMpeQ}aT634)MMW=@mN7zLb0C}Nu(O4d~`<;(&(i{F{xl{(?pB{ z(YEPQ=O11~92h^i-0aaMpvE1#zw%16hB>iSS(~EFc^jJuy#hQoXUv17%Hl(8b@-Fs zLiCV0P%+IM`LEBv`5=eP$aA%u$Eq;HO&eZ{-U7fwA?6m(#zz61m^pAn^)iwT3v5hmj6uK$4v@?L9Y{$yHVny8L>9hir#)&P@& zlP^pSksQ!CtBaM!pZb7=OD~)YK7|;_Pp~AG4HL&|FOsdh$8 zQ#1Sg>lqX*;`x-Y3dTM!H2v?!{fhM`C_OKSNFE0IUQ$fJjAf zT_^@@1>1p2ss)`P(G_Ip@G6Odi&TYS8iGT8Bqr`#>6o?5p&C+#ricP$hwxCC&aD-= z16ShQPBj#UynV}*LL&xLf^2FQX{}G0*P(>uTilXIXduC+6hVXN*`BrjiNX_&C|?2S zf^djRi15shJp7vPtm@&^oTmHASR4b(&tr&43sDlk?|D@b*> zgGOa6ddvbrA&7j%dce#F(?_<&U-99Dq)N{_TGR7Wnh`+xZ zpGudlN~VNAB2u#k&tRP-T?iUr?3HPDEA4M(dIzV(-~Kh6T@Oz0_kmoXSJ700T?_@b 
zorLwTt_8>!{`=_bj;_52k0-P-GzbMC?>xFD1=)oZaL}bqexd-!fxJLcU}w-A*EZE1 zD3!8R(GK_rT827VDH}2xjUbvOm@EuZhK*h^L07-3j5f_&#_%$?A_f$X49hf2WRI*U zvuX;>666m0He+PT`t9HIz=^W`Dc@ODt#%&~tAVfJFkp46bscK>6f;gu$AY`u)?}1u zgbEx^vKkNqo=`zvx1zWbc^I6?B{GaiL;9t_W0)-X2jiM=k@+uDgo*mj+Kpj?Zob z6@cHxe=6AYp91fP|CCjpYG%VxpdCt)kQCm~NqWh0%E(K3-Y~e6Ag~~|=uL`qJ?C)z^kFw{FZdCg8cI$uC5VZB5SjxiqbUxh z==z}Ha3u&A0ti-bhzud$p*hNZhDH=|+wFI!*5~M^bOFW$QR0XWG2zV2BOLEFaU&Ht zCJb!ux;~6XovZ0TQ55ujYk?j@h2Ur?Dy{cbnZ^lfihM!KbIvk`OL2SZjz7X(oRugV zYNmA2V)nEo$Jn$@839}1Z*N=Ws6<8Il4Yf!d3q?tYc+NsHrFDsB z36rAE=?(Y8`&e&CcFZi*^zxt`+P@h1AbsG~sGZ%eXKo^r(^cz2qA6a4CrF-m)-8Ha z^nS!mQhvV5f6A)&Beh4mJjEG1@)hUa3PzMy@Ar4+Q|a6aKw#<2nm|w%B)8I-z&@tk z3QgctiD$wpO1XTC7Hythb7)6Thz1m16AFd4!s}|+;(xonb}o7*WZq+I{}cyFb-_(w zJ!oe11^yXU1u?;W2^mT}u$DJboP0kjM^)QcwDqjB2Ja{S#x%-AWgOHNQ~ z@xWMNF0{r6f>Br56}h9=9tEaDiCyXuEK{u5or|iwUC-Pkek{z+8pjf;kk2_7@ z)vbC6+H%E=?DuHUMZG`Zg*glP(z@qqGpf<|#d79U2xvX{;VCto?~ z_PTg-!~U&bt(a6w(EJ)wte4p`n{J&-S`6GD@eRTjKmqT|B8rm3sRyb2K^5CR*!IYXpas9Zh!0{fM9OzSc>hRJpG<6gC;TEu}7n(L5`&-4W(K6hpc}CkI5_butD-^s|8?*29P0$Gr{;?mIPv%=Ry z=RL81%U2gqtarPfxfy?MSFm3>)QKwW5}HGHM38Usi?_vrH;22J%nk{g%y{W$d_NU8 z2}?wppRWb)hddSWLQ2?U#_m#HD*lfe0l1Zu80@Z^z%=h*9Vbx5V4q`VV=SQDD&=|- zIzTW{DCmGovGH*^IT|+9?RL3(DLQgv6Dk0ErY2?xjNK@6AZuh%_EBR zK_Q`6yXO`eKe+r8^}Ygd4iJK)J7L(ZBukf}UHnQoHQs_@LSDT{QeSbww)m4%G(-}` zBh?5uSE2Sd^T*ytecgg<0TK#9<5^DWS<`BXkN{!iz19|NS|;@qb%=AwFajWawo!A> zyvg?KjZ0O}HfrHFTEHr}6cO6d+FQ!>4MQQkUf<`AvOpo=*uGBHQSP^VK8%2}e$cgm z9(CFHqQuw-!%ux?0a!T6VkmQgCuf=fb5cej%)5Z?(N7eou1#@=H30U8^+3d@N9wd4 z{_A7pkOGRMBK0v@s#!P@{bzNt#%R;+#mZ!TvP#WI3bAg()_k0BevjL=9ea2_5yq&= z;xr}h!ZE>J*d1;w-~OBA^CeFr`KMI8bbH(+{HN08DW&(r&hF(?|0ph%{;@_R8?d~f zERd`<&>}7Jk{KsZGKLH?W3W#)a|f?Al8+gww>Az~&URGF^@QV&F%JJ)VXNMW@UIhl zc#-pZCa^t@Cvm3(A~!Y+^eIN#JNN>D%CkBWyQM$egf);37?BO;0;NJjgD11O+qmd1TYJY4DX zHeG&vfwJdLs#rZxCmP9$8Vg|FH&d_$Xl%&LLMSA8yS0<5e0I|VfTAZ1DVr;9b%U&` zYJ)FOrSe|4uCMe{$w%63L|4(l0-IzyT=^QmqQ_HwoWWt%Tt8Fap>fV3Kn?N5CZGp> 
zfX*`)I5;pVyn+g1QY5#OB-WHnG)xmZI@hUz-Qb_atdV4-amRPwZB=K`FO}C%DuT@j z{T@%z8W4A6Mgke>4&5DW#*mX_V;m`&H!sXGE-yEd4-`yp#qLT;NxYVL&NcEgc-?)QTL#ZA z0~Nx95*vYA5}gx@K^@M(5GzzeTF!zP669ydFOL&}XZ(=z@C8#FX*Zop+fjZSc5B1u|9G>;GuPY-uZExPrvB=#@1^BfvAFRnWkWl%p;7_+6ZNS;xvLLdCKrob-(%Gw_hsb;HIXAe~Dal zZ0&ulJ*M9FV9x(!vRHcveZo&?JQ%sL(UrLUHon68XBVVgE2!9A_!KlGeznjOmCyGi z`KMG~5A0LKP5L;KJVomHu!_cBFOK3L$e=QPGHbx}w|YL4Y^7qbOU96n#<8Ae?%)wd z>?Gs-bmP)uBQdJLax2@moRo7*@;9Z@~hZc6@uopM_wiQKqg5Ne#bXY~`NQ3_-qV zLG=N)V91oPl*dU#JavJ*@H41xN9`_)mFp z>6vKuKlcwj=~5jPGDlw0`K`W^Y@5e=7^i+U&I~tVCm0vtRtt@!u)m6faCBfhNG{&N zZpDY36Njv7BD2uA)-^$$7L2`*Y*Q4__Mot$f_@eXLrvr<$SD`t3`NZpt0H*a%uyw% zfH4ayL^>)?^;7`j?n;n#oBVXbUm`w{AC{+dE-hVw0-^`a60}x#21OPMOd5yHDMP%q zK4mHZ$zDIX$d})}?v^*%ZswU)HUIW)3C*$U9=Cct`liO#ieX?F;R{H$Zly>>Ma}>M z=ASD0!aNKepLu4pufegr~Z>>j1WFmL*h|Hc>R3;xxC5s%O&!Xqnt#wjY?lCQD_1` zkleus$#mbrIR2Ay@)zM&XaA5e>~O2Aqz}$y53()H0`ljTxTpZ%dmwb4Ws@Az2e;KA zL|8^Jk;4-ejl$BQ3j7OECH#(l5ZnUQAc@=orls9h9ljAYXJ=vctz+lR9zakNKd*l_7VMFbrZIw#4&VSR)n^G1Y(HzuzKR%FE+~_ z5STYsRlQM*RTIQl2u7gas|!h_2{Umc2r^bIIv`0tmH~HV0bu#~2_AtW4vbCWF83%G z^$NxKki!+=#KivSw(DOlax@NZ}o0e;wmM3*lBrzn1`#rv@9bgki_!3K07`u z2%0_6=T6i?H=A3*i8$>;_n?^=K9o?PxD{SGsDmJI`xih9tDCS}(nqWVxEtSyaRk<5Wl5_3p_Qa8DTF(iejIwM;0N@F zfZqDPEj`PDnbr6@AMYN9Z0T?tE#u7JEd0)9d2k=MIR%~sFDy< zcTyF|p9>(9Z>K?`=Ye~)Rj~aDJ^`kN%X9UHEtZd$lMEwsi~$_dgw=}$-6nFP^KMgZ*4Elmp|zYl3jpL5j?GIAV7~i<97U*>NKvM zF%mW!7w5|PHkROiLyQwY8%KW-dUD_kISEI-Yb7{N$&*;#*yqjb;hsu+@2U|n_K@kG z80=N7i^qt1!-%e99BghJZYQAvf$N+h_|j-`h!9xd3gg;|+p!ID@y=^W7s6M+k8TY% z;g&Ee8iMF?TrffW^ne6?A_ zwG;0=wdsC-<$OMM*u$?hYlQs^prF-6;@VG6`_NA!`2d-K$aChm)gk5v_mRK!ecrB| zyyzZ30j1DC=>nevws6MCe^vFEF(kKA6=@JB4lT zw~NVaHt|C^2}p)AJ)4|KU|VF)LShw+N}!u$)B2@3FR%_h%(V(6MUq62ejYL^=3;x? 
zysGf2%PS>}0Ko(Z?kDn8U*jlA=f5!ywh*ck^=2kgBYEe&c@n+sC`Th;ILLHg#_6bR zM7(5KMQ@nFmzo%dzc!AL?7o+AdXRBulyPp7abc#IN|T}uXY$Qk@;Bb{)%YX37QYZY zqexcbiTKM%_}RN4J`gB$U+BcFL^9{3hML40Rca`NEJ*^gj9{c0Bu>#fge+=8t1$@y zcmL4L3`h!l(yZ^AE6@vY7Z~e5YV#RRI=GZ7<9=4%psOGXAlEdDq{b^?J=Xpw?-o!; z%yPRtLI^1;^Ps|DTOU#Hf-k^!TXcHUCP`WU%q^>`-R{H9Qwm$Hc=V$^x$LXZFg`4AOl@d)B`X6&W45eAk?A$HSO-@X1{GaVIrQD%Yp`g3TR zC+kZp;kR0SPE2)-Xo{1nW_g9am`zMYtR+U9n}iS~T%q+XIWNa zq0KE5$K?S=44=9hfB42X#Z7F1^uft7CWvB|aelJU3Mj_$-p0|c;yjfWG|9rJ2<{jD zloP$5BS&P)Tgf{DY6J|jF@{w(B45tLtyCCxNgs^M6(IHj#@UhSu)sye)sO<7lQH2! z_|7HIaVqBg>`F|1)ve!d+IiLU5zjFE7?a+*o!3v!l6#GhuNDu>lu2Qj1+m7GAw0SDNId0T+`i)RL zgaza;WF-h1f&dIx{|br5`a`fgeMc3*R1klO52ruM?aNjHnhDXyVpXP=WPWse<(5^E zabD6qxrkH<6p@R>TbBN#&$RYm^@`B+@Cd7S5@RT+5?_I%@W}ujt&Gg}E&Pf0425cs zo;4n=`*pA0)roqV25pIa#o%llR?aZI1lT(Qxf=nNj6vijKsb?B z*@|TM9|>HCbJ3A+Ghl(S<0Ttf+QW-uQaY_ZHBW#GMHY@DYCGR<`1NdwtKt zcuOfq9z~iofr1|5$OA{CnkxZxdj|{vQh-T#MSaJE&|Zxepk)ZJdXTu;{*wy7*tD^E zq_2w%rGVC0pwLsj(4=Yk+TRTQ^>H3?tESU$hw4&?NEBcdC|GSeyd8m&n>IZsoJbjB z5V-i2s6o0lRp3G8X7%aUpSa~y+{_iLdZ$$#UZjE)+1^EpLw-^{!F9-0vfx)_BI|vu ze%yq2sAp}mq^*4%eyL2bqYAa#Rd3jG_Na%V7EAb91X2Xpnr%PkTb`=l3XzIFaG%Fv zB|M_8$VGQw2@%K&vx)JMn@Ck|VfME7sy}&<^}{M6!;98%>c-)=C;SP1=w6m5Y%=SX zP!(}!0t&R=4+=nJKXTqd6V6RE&I0!PRZg~04Cn^o1@;q+LL-d{mj04KQV++&UN)6G z8ttuZ83Dsl(i!=v07o;HmI-19v~%za0q`9AQH-RRN (Y+D7iIG*oZCLbFl!V-y7 z3CB%LIV;7p(iXswSOn0^DfqW0CaM5QLE!_Q9AXQ+8S4qa@2r~QKBNg-23(1n>MiKv zfDHf`Kz2|Ea#}zdf*C<7;YzsY@CrmZU}@;(+IN4M`^1hwLxrqCj2%Tqt$o&I)LER& zX%?o#ncoV81IG@9jN4`xDyhtua$*Mx!Z*57dkJ7Zy9hBQO4sa2Ph78@vns?!K9hI3 z`g1YnuyrsYSjPzO;2M1hB`w{vhF3!R;EP}@$W}apz@^8*R$#;!H%127A?80m;fpSB zFg|=5@+J;b%l;^aoW=dVeX0TAgs0E~|I#JGeK3hi1m-3ML_+42@PjNB+l$nn%sWCZ zGma>9cJqUz!IDROGgOFbEzvjw%Sxkfbi-{^+~j1%iY4c7-07|PxEJ!jscWZUv{H6Ra-LwgmE;}P;$ZTPdu z*IoaM|LM0syre`we&y{z)QIW;6|K>@1#x>oxS`_9imcHl91y|?MTO=owxue=SRt@* zSlhF_T}8AI6{y)y8=Ig491x`9vyI({vCTQFda6OI#lPQ+UCCxnBFZc5l24-#5O8Z& zFWp;ljt2gb4h2WiC!ym_Jtx$jU{J1bi;QO_=~!V#uSWVO%o{5a9T{OpjM?eew<;l? 
zT6B5~?*PsrN>)OPi&RAg-A*ETpyr`(EJSV>HFx?aMhROIjGj+`;eu?ZSq7Yy!)oCe zprUE1g~WY=3bMNRa30i+*b4l_i|BdC{K^+kZOo?~a1)wgzbEaNxYieE3p^Oum4N-o zJk{NFo@$v6_RDadBDsTr{g9`;0#&YQv-bfvBLFNg1rU2gbtB>x3&VQL*k8+tX_^KL z#9&IyNr`Bo;x8?dw4MdnM>sM5NU&dpfN6!njM)f|jaH~XQJO*Fk%IsjKu95&P%x6Z zBBy}0Lt=tRj&#(YBoGOh@(dIk7%x8F#1 zLRgzhZcFEFdM#Qb{bJpAAJ7NaE9b0=5D;sCIA&&-e7@>4_f2?YA-6r`SH_vI;8(h* z!hH}h3UQ3jgr~cmN(SWI)(03dpAjWBjd_7(@k?sQbi477MtVs??`>QHMFXhB2^6@ST$XrX+Bub(ZjURQ9d zsLd?`e2XD3Zk zDI&MO(!8PSd6`-r$likNsdRdZOTs~zBSru@^w8>im=P1LktR)BCyv&r$(*XA1+&bv z%o@Jiyo)u!N`Sj@Bmj!3CY{Pri;FV0tRK2${iv+U^o>&u{(#|YKf8MQa6U1W{B8!% zDbjgd2~6|w#cU0qIypd$Qv#xBZ5(J~M)rHl!lzz#I-Yitjy&pte56s{ro1DdMu2r? zgqLnG|4pQc ztcZr|eW(q@7U%*teK2*j0M$ajhhh->1%AGqnW62l21pY}ci0dbLK|8G$_Bkv`XZ+C!2QD|Um$ z1Qi)dOX^^kfxKtMst_U~Nm6WPzXA#fE41c^;&D3mYriVwb;>iVA{l+J-qnclYwa-M zkKhid%iuK(BOh)B_*rYhQ>dwoT*xd8I3B^sM0}}RS7JglVT59oe*L*h<$A4Ew_&xl z+J3Zp!d;Am5=)tVh7rDiGjG}~m?k8oHuyDjWV12R2hsPMzoOBlKd?(v!YaY+vj*sx z(ip=H=`$^u7O@<0DD}PA6P1{DFy#AdNd?t^3O+^n+4wb?J*WDck^MRfpNb}85|Pp^ zNi5^j|#%hmg4{3U=E_y~V5sb^4Ai`NyYLuQ!4 z*a>f&SYSgiT{ylbbivakTO|AuM_EO_tQ0caGFB%J%*wGBQV+-Ba1KTtDFEvUXm9|} zkY8Gc9YBz|Pgnyen6+hS9c&AE4f>`Up&hL4kUGSB{D#DC(n=pN}XM8DUKBOwXQJbQ49bJH%z$W+#xId3DjG!729vJ~$M->=q z4ifxCproF?s)P2Y+b=e4(x&Tw=Z<|q26HOu-5+9X(e=?37h{fck8eM_>3)tG)&@C{ z@a?<~M=)kk%_DQlYGF1{Z+rlWiE~9-BQp!L5)iLkk@nU$-Ii&YSDQf1Lfhw7I(ukd zeoI05*IsI}kx2Milzu9m$7mxhJtC1P+DSCF=+84npaq&0`H~Yp8h=yNE6f500~NoLVy63q72+DAyzns6}Yq0c;SWgI{+$WTlKcpIPM&m6L<$3Ji5J3;~z={Ks_3ovNZ zkK2(}aJI?<2uGilO^~2`aC2q~QH3tSQkBU`w~2L$;1zu7?9mUk?EEIVs2Ho?2Uoz) zni=5(Ialy6a|DlLgyHFE{1|h$!=k2%`C`_15pok2D;~#JSFtDBWJpmXGeOKgYe4rT zR|O6;=nR>u0H3?a2#|0-tbl^j3F{|HzaUfTH(fj{C7lPJQ&taOj8m3~NfId?5CzUJ zoP50G)H?#VXao#Lu~bsrMpz@U0}FgzB3h7iMkTsZ!PxPtIID2%vn5YWQcS_)RB1hO zrXu4oRGq4`iANFNHo6C3VRBoV5}Mf=L^4oBdEqH3MP5)J}r^N6Hnyc6jOHVVQ4Efa3SYbV`B!jUn9Dl8Z$?nsbatICeY(NjUm=>x_f zD$oM$P>5ch$u-IPb`+buZr?IV??ty^l=@e2j7xqmPH?j>Bm4 zF6ADD*Ry_|wZLeo4D$3JhQ%i!fr2DQdWB^m;ONTSRB=L9j4w9!w@2_wW0V*xMvO-o 
zJ(vzdN;`Ze1|}p{-cI|v1yvAu;VkitR?|d%W{pR9wYnG_W|j$JmYHj2+}1*_{)7)I z^<(J5suxbIXEhesonj;(H7QcqY9yytr~zV>z9ODY2`g)a zJ#>pGl=n5>5l9~aBl=&?aMCi`fEFaW`cMRad?+LsJIX*4$9`tCWKt7lAlXAgjg*3# zqSP?1C&wKRAF*?B4Z>DKi->H1B_gYHzGqql0fa};0(K%u95f$ltQ>7n8R4ai6$2Mt z4&;bho}0oTf?-7&=+QMHfY2pQ?;PWi*SL>5OVLkWgc!w7iuR(=<37(qNKw0~Ix|N- zL~0Kxybar+`yld^&mE-PMbLoL(V%J#DTWqwWL+!6%Ar(+L`Do)ScZBR5{k$~n;$@O z!I0;cWmA)WGFGVafbgkLK*PotAqw#)43s+b5N#e_z?z#dCX5W@!ziIMq&~xlG{hs^ z2PkfJ9MIpc3otcAJQ0_c7US*A7qbRKVFqcCwPDU_Vdj@vX0G*vIWN#9Ru?T0&P&$Y z;u^=phO+_-E|W^RVqD!NyO?llsQ1~|c&UI$C+z}WmdZFqlmN}4C`7*O41e0#TgD5b zNT;3N|KI8nFt$EmM3i4; z864aem}R=bjKj##J-U8^?GCF5F3E~Qsmtm@-M4quyR5gQgkuGlNzt?Gr$vpAGM{YV zDE8CBC86~DE0B#Ty}vRzgQRAo`F#cm+gK8-3I(pn*szNF1sIP-c(=+@vRn z1{4sl_~|8y)zImq)}NAO1nrh9x1u#Lhtx#;fx%IL@-xdf&Z??4{DRhyad-uTLm9bG zDJNY$x%hD22tT4)y>H&5&%|S=j6j6K4UvkWMjV3;!C1M^1-BxxFJGz#L=7F5DaMLl zc?F}#Pu3yLb6LIOstGB#LIiitDZ)x1+&cEY%q!%6R*smW(pL!UYX8>OS1(1Urlzpk z3hZ7G1aFc<_H3pY>HW=cNu7)%-$+=$XcwhlqaXalj6F!7K|Io19GCbOJ_L6&z$)C~ zOTkf~h*RuC1v{bz{Ig(Qc-@9Cyh}L_TfZ?M%e;#j7eQ%BQ5AdE?FupZX<=lj!#jJQ zKep1Dl4MWbY|c>Bo*n$uHrO6e8VXoFYuRqgpD6^xglu zO*F~-TJH$B9|0ruUW3#j;VxcRl1G@#jHWX1NEg8fDK}xkT1=Be8je?q5k~5@g1Apz z`gHc-Tx<%+GH8&{;aD&3pyGqD+u{Y~BRy12L5&e5Aj^O&Q0_tf;3=3?&_Q8{L7ArC z2xmbFrc(Yyi8vkYrsHKOCT@AfMB9AQiZAhHs3AaKxm%snI@ z;VJmbf^qj(F*7<@`4r_G!YV3%-g@4c`;`KducKw!$CRc!%-b&pf~YUFZsMIF%;_6F zB)Qe--yTujrvI3P=qh3h&~DdR;A7Dl!lV>tPYn@crOa5W5k`{nWK|g;g8g? 
zGyZxmC}0K4eg^jvI4c_+Fa1p3Rg#qx;B)txgMNBN70?3ONas}}VXGi0&Ld1s5d?)K zMl@s33WB1I5#3Psb*5Y%giCtf8Bx&)D}CE(k+%ch5%4?$Mr7$!6x0#bGAjekpcXMI z9y@NrBxl6&3akY&1Bt?9idQ5MA>1Xw#0v0#&XnZS(bI$d%0a_5j7^hSTLFp+NzC@b zD@PkI6d{EOs|&jr`YWU%=s6~MIlky0gDZT~{S|^p%ozh0D}+6Zn5&8fK=xq@sJ0MEp#Ss}AFd}p zPYe5C;ttSJy)NsKTx;82=I;kiI7Mg#)pfsV#F9XMh_bqBguF&s*Ek8!8q$Nw{kST zm)Xg72B|;*CG}Ekf2?Ixk?4nmXO}q{HL;-U{jeY>A28xq8*wVjJh75S7^i+Sg{f{P zg5nEne%}x3!I!#*$u* z+;x`%B&K6*1h2-bF5*M|5>C4bh(@dYGK?*tvQB_EF#e;1B zLU=K<&IrvaMZ*7xPC~cQ{vqJd0s4=U4atHu7W_2kw?``0ZEIyxs+>bs zg_Jb-m&&vQL!`|eeuW|6=;i1wz;%V7pbz-!uAESm0)mek91wT#6teMxNN3zIu2~s@ zDx;6Za!2PG2R;hfjget|tiEQ{+nCn@ffZG(a!yNHO+uW%?;bn{u zvy7V5b--1xcoBjdQr?b5)i1|}aM~%z%UhHi!2B*PF)dS51P3KCC_qsBl%8;kn0_Rh zeU+B-S4)uZYFsuEjZ=<2s@N{0^~2 zOH~BNgD|R#gE~&H)=L=Q+_YbLN)u0z9>IQP17|<7czl`pV;_X+0PUt@ipV2|Sao{3 zOV$EW1gVVV0-Z<9Q7xl0L?@=8fJi0q2wp0wifiRP1|X?Se(6_*?}bY;AiM}(z*|7g zsh9G0`an-mIl7H)NaA1s9M3O2*6@e?yhA}~77oLa}wwM_T$XcmX%X@s2p zG%?|5fo4(!N=iO#TwakbOieTcq$^>H0O{>z&$4rgPz}CUqo*Vc#S5tYK?3KHGI*4x_pQXJ=KADL7=_<45-n zzLs>c;PNSf`JFYRqXYAsX~h0%oE>Xsn{1d)V8}#f%J>0l1hy9u#(=K zQw5Fudi#^B5ikP(&qM}3VnkZqgyB}NiFk#^TSBs%aV<{tF|Aj43jdzwdv$r4adme= z1_$B`b2TnHd~HpLAr^Bm30V=YoZN>#BmU^ituJ!G%t3e896+g|5;Qr5roD<{lLd9-alohS>%A z7AC4*o>^7%PH)jvLTE`OBPG6pso*UTcHWq+^hX_%tq?5=fmAWLv4bkinEliCJ%RD@ z7p^8IIl%*1{zF@fXWZ^(|D`f|QN~RTpxd!UUekl0EwA)Ep+F^-Xtrm?8}S#yahtMq zs^Aq#gi6q}I5SWZwqvnO4K&z~M4Mr6B22~9mzZf*%akbnK>862v|z%JTdxv=k@;h8T2@5$iusj6aku;X8FcZr!%co7VK*u;7D`1yzG)JOJGW z<&OM<>M~nN;o6>uO@<|4bvOm8GaQFU53Jat)0_Wk-jF~ za3X3`)4=KX0-}K7X3G#g_s7Gp%saD>L6DWOb5RYX-E8}IJ1YR6xOUQrUnd@p_&H)P zmejqbWlB=aBTTh1g{eBmzV|aL{Sc;}agrD@%CPT7Ar^q8q1i)?M#?8;{c+nXUX3aYHi1zIs}N!lI!`P(sNJRwFZFZZr<-+p``y-G`OI0g z&VOUtwQimN%Bj0H4Olko<4Hryf{{Rm0-V6JCkQ_t_#g%Fcpiio`h&x=sQ4D##p{43 z?pglY;az=W4=s#66P}oqJ5%QMYnNjW&4+!^Z4`hxF)z9uimYzJ{yn{?AfS&l5W}GIQ9~a6UD_vQg}?2y(WQ@NQu}-EXV>!|58Fvqxy(?Gt-8Z7!;35 zVnlB)k37;s?_&jh1dRXtKVet`W&d}k#Sg7Ahj_(z5ZV|6W80QFW z;UlKr_+>^?WWh`$q6iEO>ssQ41KYd71yBisksz0PzDQVbJurTdcbbjb)I90xY2KA* 
zs>ZXZq^>2#!dpYw8kwFj-Trd)#GN?~tcZo`2#*9^9byvy{^TLEjPvDHIW83FG zPWnrFdxO!3_~vWL7xrywMYD_~8dS87t{uq39cDQ_vQyy$+q<#`cvqfh=cYf1Wh!}} z5s$`ip6o0FP{5?vYwWl*n4g(qp8Y5R{WwfoE=lB3)^L<$FMI#~!Y#~LOz|5`ePDq`{3a*H9@+H^c8Wk>vGsu5!>tCHC|7b8 z2X#=~umc_kIe;@)gn!+OC)VdXDI-_cv9Mtg>+A1a^elQsL@m$-Fc-Y5U`g4MZd8Z} z6i|MU2_du6vgpDNXa||-Qm`9^8)<*xiMnNmg?FLii&<6-lpTH8vEXTke;s;t>FoA= z|6bbMx8=*=ITaXHcp@Xr)a2?!L5Fz+8I!4DewpRn%U(fNy>c-!-+P;%4H6RujbFkR zQ{#tYuYykuH3LwPUmjsfr9{LsMe5!+GME%FKZL1>r=8*DjJ;mV)Zd#zd%rGY1dKz7 zSJ=>jvfDCV0fK$oOwow%RcjHiFzia?Kr=AA%6kPuN%Vn1f>|oS|D~onldqm8@z9~r z9wGCd;24kk3(OuEKSJA)BZ*w1{gCTP(9p2gRa%|{LO%IWh zl8DZVz;uT~f7&5D>rUYG7kX=1p(P^(&WScN_~F8Z!S$b83pfXXy#i6fXz6 ziSEt>F<(p#bH@zQVWrGuYGQ&q5+9PF=&8u6`?Ii zdR5mr(9$^6);I#(;wR(y&t@zpLfuX>&ihDOx64b6#61%Jr64O?(y1+s2E`!2@}L>_ z2l^HZm<9q|lw+L9iSQ%W+#=~JFA*!i03b$1ZESS@*sAn4Zt4HQtsUCY8%j=3013c! z&_GHch#cn-Ox#6^Ui^zCiJ=1fk@5pTcv&wF-8>Z#CaA2);cpBQ^H?@VL{Qr zP9wRTh#Yr#N3R3Houf82iQG_6UHiAR;?B|C1I`}sgA86zzI@v$AXt%OVZ%`jLcP_6 zG=X|hqCf=aD0>(3Nb;VC2>=C%0&N@qO{m>6TATmm;a&ZC%WeNsMmzrep0fw%91k1D zEbI?x6S<+jo*M2jUne5Qoj0yPYt zT{ghC7*Z8DeDrw4cO@t;O0!@yei0#q5Rt43Ob=zk8G&R#Nl0v1*cNRDOuH+1b}8QC zSo_)0Jp)n76_7b}Ijs1$@F1%@2(qUXTLwD`V`w-|O4^Pb0|Q@AW(aMr6s9aD1 z*fz5yW+Nc?fbG8}Xx=TErd+%PZz*!XNgTgLvMq>L z9iwBmbq-(qF>(!Y>LmEye1IRt0S^GBAS;%Qv)KLw2nR0W#Cj2t;A@ClfGDs=N$f$? 
zgJHRFD}%=ozk>II;sD_wj#Sg`1dbBE=HuwV_Vn}O34ip22s{6bDazAV5)*@1WUPO| zPWTz;FiVkE9rnKV=oyE2<68P5{D^5`2nA>0MQkEBBGL5ro6tr|6DTc{qh`* z0NMt0<4y!!zP_zk@V#ll^ z!O_Qyu- z{^;ncEQzY_?Ci{{t1_ty@_%I}LrCL&nS#g2sCJl12|s`eJpt?0Nl#bv0o|m}wxHnv zUCDP%%s%X0N+!mx9}Vy+tr)mvAu@@u^&Mx}eNP;$p_QI&eN^K6kF0!*9Gx+!n!`V@ zCr~SIG;iVpc_0qDMB#T4Y8kVs7gm*a0d{!MQ`W8F3c`GxrU=^ob@GEyC?XJ928QHc zit`P;7i7yDrR7Q|O4cvKwSZ@Pr?Wz+aL@NMZ7tu|4XL?Bnr6bnA&H0Uo_K^#9+ARz zZG;S0{vgz#+08^&!y?0{)XnCD-|u?sIYRCH&$KsdKotK2nO(sp>YE4Cc~#Ra#99Zt z)$@Gqwpp%uy%&Td(bF$e%Mmu~x%R&!QColF9S`LCT5tbAjclcFH)curR)5#@+B4KS zM;k<@3~f!x{4G|8-nB5L`dvIA4$J>j>X&>JwM>~U#l(+D5L7iwex28Zu3#)`7% zSK_KqX+KNmM}LTw)ODQJsLCM-YT#QMI4TCLU8=Ktx%H(Qyi-ax{joBVW4V40Tpjbn z6{$S`Rm5m4;^QwbbfVG%T(lmTBYIUGnWA+C+eI49ynP6Y0&|*(~Bt{w1FiG^|&?( zbgOvB-Dqot-+9-ig|~E<2G^1YVPP@7kr6CcwRFy}5#{FR^V?OE){Rv<>$K3ME3g^r z^r&;;nSGY8Ul-rl1vgl7|4(end(ASneB(Jg?g1hW((!MJh7;<9(kYLqmoVlrfg*73 zDzJiSJT-Om_2@!%W#Z;ZPas}W^yg3wh-#MM=P^rVO7iNV;Xmh+vTxgA+KE92S8;+S zKZTS{TofFM%@I+#z^G6zVT3m1)(L}J04~buv1dnbN{h}T@0V)c$Tsn*EnQ98%OAd292Q<|Ju!Bg}M7x*kuNV(|E#d%*dN`d? z_W7?XTN;~6cL;o1G3OX{(7#jeT!slGnxPeDIe>FW53uDLip} z=LHYWi;{j*K)C3?1a)IO1eHq6NMw?m0u`$g#0FIC`E+YyijcAk_%O9tI&WqxxD6+^d9UXKyZIJPR1p+ioCiC>vt?Xkqa0*hoHlv{B)t#^Vspu)f~ zrrxBre-td>lddHLu z+W9%uGQ~)+YlI9A$F<^TEXQNLw~=T;joCWIXjYcNgu&Z*1^ek+8zzgP!wlkiMp@=1 z9}p#~7@7=8NQzk>^G|l2&4o~dI;=8J<^7(}d_He#qFTMhzBA~wzev2#jrt}}Ib=&^ zZ^=&W=5pViUQZ^zY~_#~aU?^B+`{?ES=35#3F9Tzy8wgZk5NDnrh(g0m#eqy$%Kn% zCo7vMRsjh+zDQv}A-$rf92D|9gIe!n&z^05$db$^KN0OwtIt3j+7IzUk?e7YWAITD z#-;QR;RQ7&k!9HPd0l&mkr6(&;$E>UbTuC>a(W?$J@A9Q^48>e+o zU%NRzElenETMq!`VdhJMwTW;IPTCQyxs@r#z;@w>2fC!+E8JRKuS-PH#Fa4cHf6q$ z#c0ZPj#F^H{!0jppZYC3Y}z$Qi>q?kj6_j!X!&Xvp{MI`dD{iTz!}8) zY%jet7R&E2T! 
zI2n6-hyWvwYCCeifns4{k#X&?j)aeMGLy&g+3P*#66F0V42@J;ZhjDm6ilwdPg5*d z6hh!ZYY&^S$KP+a@UhnDn!smiLGGt#f;R(Ee=|2$qs26ngMM50Zu`M*V_t?(CSB0P zg!>ecUdR_dXJ1*QTl0kRBbYNuui0b7l{P5fp0`EaTQlz|WL`ibh4(HNLi zj0+c-kOXeqxM3GRV@fQ`pZBAli$zsO{8{R_@`yGWcCd~+p!(5Ff7bgXr%*4P!G(t^ zzILb&*b3?)$qnu%u_w24eZz$BV`pW+fGRS6orb0#{bs1sXFeCMazZDC&JW7QQvS)? zc2?CZ&EIi_Ql*6!s1g4foFs8H>m4E`z#M7nOjP7hlm8p=gWnI!0DFDC1Dh+Xnh}z)r)8`~msa}bS_(-0(=eAGv7ZX;A!|W+~1?=I= z@e-;<;xSnO$fI`FpZ)B3URxITk~)r^>^nE`9gWnxyi+D(1-gYpc@hvlw1 zM?sPon^EmH}Qk{j>389L)n>ts3L>Z{tVyw78mM_ZaIIHaE?<2Z=lKz|5 ziTG!_pTlzy&mCQ#D?`WWA+=!PYsdrNP+Qukc~M8jZ!XK zn~q^c^w@O$?RffSsh>!}58n$S`58)!=+Vp#*)45WOyVlvXacwGbs2)EOYrnL^p{`gLeD zd{D01<}q7CA#5s5#Ql+u8_1yu>Qw^S7E=S7WvRRQC@G_-B{i)_$^sVCfE;e=9X(bK zj_YCF=-*p383pt2c9OOUF`j!25bp;K)I7TqwztWU1}`HAIt>3%N1*Xt%ylQ(ZZkD6 zEM_i~e<{mKCvbLuO#G3d&Ie>jqSfc52puV4Ug~8ZWsu%E-aBmG)*ZlGduO$UdCwcpT|1K^+5V&geKIZ!Dq{-!26>_0IQjD#a&vb0k9fwJM9}cM!H)< zdv(N3gCZVk#)~2f9Yh%R_v5Cq9clxDqbbn%oX7ZFsw8#<2l;3Ayo8(fCA@+;6pdLf zQ65MT0dE2_3$iQ2ZWjLPTnKTU*nG~%%aGVc465^RuFf}=1PJ{KF1-{De2kfz>e*gs z@fUwe?8_%lTWxtjo>SJ#%i~&UKOIyim#f0lq=2{f(9C@ ziAB=zmqtPwAv{T@9wz>zA%U8!XGY`Y1fz*3{L*Hz<3n4-`At8a;f=vPAYMTRB&)7y z{$3R;dHdy(@h{yEXneBgNIhTA3Mz5M{j95u8f1tnGbWSUd%?kaxl-qYv!N~s)f%X0 z+)Izrve$Ubp|3=ttCK?82ETy?p-@*ZXutCy#~NF9Z-j|&xBn-|@>&+3M`zuUlaOVo z+E+Y$_1TloQekKT$?PzO(=@0~m&%8Io>p`*TJ`$sq!4vbMNeWKyQ7DK;r%-)_# zPu?fl-o)Oy11eqB{kE>BCQ;un9I<-3l3;b&JC%3!qDz-^(r-8YyO`!d9^vIOI;9Q7 zrH>WpbKF$jkc+fzc6xibw`Wdj%dW599(HKm#q8e&ay?)R$!hr-9ikns96cll4T#&*!|s9 zK?p{=Z6Hx4pWZ3BwK5OMAp!cEw&!!T!GKPijWW>_*|GT$dx>w8M>X;3sBM*$pSWz` zVRSWhMMrgaYS9Yv863%rJhaS41w6#2*IcQ-yHBcNxIJ?-UkHi2Usiq$q>uImp>2v_ z+*`vYM3){hzc+PeS`#zwFInj-Q6?wt#g6ToHLgvpir`=z$YzSbYixDW?JEv|v3{{n z+Bd#=s#B|eL%&tw#9qq1Bj&~F-MmaLLc%R+(O>D9@?W~T(V`Y^V5~;6yPJoAFK}qQ zxbmWQo35!Lai`vrQBE?iVdLH|T?3p!MiS?mof+s}7X_<>jt9gfsD=p9nKk}U5B9wQ z-Qe54M3a9r7%5o9S!rl7$XG+op|w2rz)1ul@7D(L5d96msilsC(?GgH!@pD2UayO_ zx@X@s;&u}ISY`xQJ@sAK<^;#0J~|htj_iT08lPmM;ggGjiSoMu&JacI4zqIl`1jK9 
zAAy=7?k4VD%_z8V?<;r%SaR3(ah;&LGSrC?T6mgk+~`8gR^ z$;;(q>=?buVmF+s{#`8ZkDCwuwOT$A*?Dfk2 z`atTd%eB>+L`rrt&GqP(eZNl8<5|2E5s`79ht7Fmb5{=n1PS6V;bTn zMcTwkx-S6yPfd}^U#NcfEhsd=x?sIWFs10m0Ue_6h~MZJ9ExC3Ymbv0O$Qy~x#ZlX z2A+mgMqowq(gMO-f}G|)7L?$P#poji>Z?-XWRD}PAE@!@VDcHF_%YlJobt4E5G=se z^=0b{s_9jaU|eOSv0}R!4J+64@ob1W1Q>*mvvIOU+A&lEF2p~7eeq+R5EhJ_A=Zt1 z1kmlEtn_&~3{rO~hmcS$ME4TSL0R|0%Hp30p|c$$OT9=__AiuW;EV*P4LWZBDZR{- z*nruUATl8UhomOzNQPVSu*UcPZ_nvv;UTOIFGzBtAyllgU|ngMMcIhy=&lZ}#nxNa zW58zxMNT#X**ZkUO@$Yto(2iS#c!K!b;VBZxvSPTR(Z7ua;&P}gWO9bo6JouveWaP_W^> z+HzM=5Zt?Yt<%d~VXK3kgb=9$M7e=bN~%*|M>B|C!;NHE zGC49*|2l*h7$i$-H^VE36DPaHVxvlNw**@g&Y??~=-4mFSHYXO)M4=7G?cr?5_}sN zAS)Qh1W?@(`&$WN@=eG~COkn)a?G%Sescned#B(up!~h_P#jv2v0<&a(f;o4Sk`xb zp@jd*0&Zh?uwH3A$`YOe{gE@Gj!~5pPrvk`!=IwCZv`yRuB`ZP5bOpI=ML8|YEz zWlxK!QU72TW~qzx2Xk<#HJve)b9CJe&QHbkf)^jaN{_2xv!su~!`sw26D{hHyJ3~Z zX&jQMmypess%bOHSbZ&R-I?El&T2IZRvEz}ZwCvL3m~hc%GIgFb~A8PKBzw_YkvId zUJ;gygUvhS+vynVIsRgMgbFD64^jI)QzREGXRL#29f5FN{zGA8G~3-4MRcAN$pfYR z78K{A(4`?01_GIgmQnP*-$f86;uiXLy)mbEqnJQKdmsz;G#w=Z!wuD~zj%Vr_78X}y`@%vi;jL|41Dk^GeY~JfH;S7khV)R$URkhiO z2@8|6&a{KA(0OVgaUX3&MfBF(SQuMv*xu=#a$^Z;cJiA_Rtz%T$qE3_KJvEnf2^p9 zC5#{?#u_}RBlS%vI%!GIhuUTcfh1nMsOIt81;MW+Dbd^CJ}x(J`slcND6u5pC75?p zhu5Q4MU8EG*{<|4e#>vuOyKqlws;I%uxiN@b~|+h#bJ*T?e#~9f8cw(Go1NQpZTn~ zL`I8En8LE|U}L0kgg-QMaza-~9?oegllB;WFa}s}=MZRubpmsv*<1{PI($>+g_ckT zS-4*jV2D%TmRNXLFyhFr_3XJ>t21!2PMS8hxT-WCzNy)lnqa3I5D!t3mi@+J!NtQ?3)C7z zK@}b!`)9&(=24&M+9#1QtU@ka3IE3D<0h~3BmO=JA(Wj+Sa3_=*oIs1ZM``j`0jCo z{-5#=um?BUymb%i*l!Gh6NB5ozx#6KDTZV8&smQcb~_scyL(wpx%1LCq|Y43lybr+ zfi(nAj?iQ6&7hvwO&TKXW{6=ic*Keg6rvVI96E&p4V!9JO7VAc(pg47^hsfxb;K?8 zS0Y^~M1eh_NOB*ExM%x{iw`j=vA}NjG{+V?1H2L@j}{!7cJtA!3?baN#q4UiMFhQC znSSX4M}4nDuuBY~&i@G_93S{VX!r@k*hM^9s5BBtD$9et6V~6GXv+KsxQ@-F%QPk& z|bHZ(8*3sNNz1!`>u!7|_?)989-HGfDj9Poj^N{K5`_JZ~+r$D^jaENI<( zRFy+(ag5OMG#!(;tLz7nzb;tC%HTdgFz(RSq+oERct5DrMUmdjo&E7ElJ^cRTYV7wH>pOsUt-w)Z@r*=Jg(!BC3Kk9$ zW(z_x?1YMIWSOu&p(;q`l>!e6$%{*zCCk7=C1(YL3#tzmi=-yrzJafSBRV}D?z_1Q 
zzveWtLt74Q93+9oN?9!~9G;Ez=oKSA`|mB`Q)5Skq4$rA5wviA5RMk<*FW49Q8BxBuJ^)JQCW3QIaQAbu;&dcc#@K;t$|YF)+?zM{ z+=&1jzgD*#ge{c#nct>P7*w+p2)^$|MSG^;btsSuY;yxj$!2^>G?X0jTG)#c!{HiR zh_>e2P=dby8KICmy~?;Kirx?l2JlY0{-}}V8yHm#!Vt#q)K5Vl3)@dWtL!44LI6+I zK21N~icL$=4=aBgf|FR^#F_EZvInVW;(VLp9&1zPwuh{#R{HZbmoJMF2tOKqI1(yu z!${HLa)2B!d#l`zQkI>`S)>6Y7a_7=!VM#7@AmT_!XKl3^E;iqLdwZWj!$!7Zl0S& zJ7XZV*U2^QRpM9BA!}{J9?7q9_A*=rSc8-UgY7F?QvGy4P-I;QSB4KvO?07S$!M*(;_O(Gpbu_cVsrzy>Gm;+G{f4LMfM#$`Fm zuXaE7XY%{UURfs4e)DtJ_L<^;?;pHXcnm^x6dMU%j--jOY^1vrEdN+!7bbAvPq<&# zm|Z~~OC?!lJlXe>9`Z5Clmle*47m5iTq(QRKKI_vTooz~tEeTq+qr7{uy{h*9PO;O z&t(SY6Z$KoDw7f@I12}JS2q_6lkfkf98GQESU8B8iT_LR^Aj_vdplVWGifWC+FF>o z5i_Z|o4WmvBJZ?G@#@x-Cn1hptm`U2g#>(35|I%WP_Kq%UP9|nwRm3ekY|JdA zTui*-m}DH>EL@x%?M>V)h}~S=ze+`I++39{T*Mr|J2^U7IJgmW6En$MI9Pr4%FV*f zMa(2=WB=9W>;7LOaSJm?a|>cYLAd{C$X?**2Ht*{hpV|LFgh}#(l9WbCa_VEqO0`E zePs|fI!#zZwhSnGhXdnEG%G=xr5d*MzY?t9m0Jo>BDFE;qJxO_B6cp-f)c1jwIR_U z#-J(_;yKjJwuzsSw>%+petd}ku1C1I(w+FryfSMcTL zdo|K~yx8~>3Q=# z`1x*}9Ang8R*&>-c931xR70^{et64jp|e@H&liUaT$z5fT1_x&E^~S{M?50q+5V)P zn9lQg9Kszil^-e0gmXxrH9Ma9OaFY(<|$IMI=y$zqBsp?8j-J$S~!c{&6tb-jC+D5GnyE$DX=3 zt?R_Tzi7P)e5OJ!;iC#8mO-B}w(`oNZ+KO20Y3n7z@70`%Ke0Cj}=CZRr zrMDF}nC}X!Rf$(0hln%^raG4n3w3axcU{&e8myy`&Feck{P??|=HsBw3rlvRB48-KC%M0dEP?9Fk77KG!!+0YqmJ(LO}nWByiDG z;lOj3ma0#iWNDqW|A~CTcj`Ou(+KJLcKva_I&ZaPEi!;jgvPU)QwrZSSjD8n0+H@< z*U@$Rjo}Q>PksyReK3<(^ls(s7Wf#*`K0mNtXQF@vwM$Ckp1JG`up(nWx#~cTd3fT zJYV~J!j!HIa)Ps7SXh>(|5RvrjIQl86OHeJ)`8+6hsY=WqMZV<5qS$&_~Y`?^8G_R zx7sDahHIfGufn~}!+l0W@x=@Y&xHE&cfWT`cKmT!4XK>5$8ma&1A0@Vm(!=t-2?t) z-+s?$RCJG1V{WJLi`ET8ouQ)%J9cri<$vAKwm=(Lt?>RsPpr7HJZ0Q*0epsFXxjt;CJU(yI zr(R~ATA5Z^ZQ89V-Y1{rs2)&n6~(PAuGgObc0eb#P%!h7)!ziRa4*fwPrA?Ad}gzL zmp4g42c)u1-t{_N=D?M|Tx-$+(v}^Vr$mm*Uz;03oE>nUd^&k@(EW-2DzzmVjg+0N z)>GCg&S>yb_bWdlRKvd=5r^TAupwLwEjKpr4$eTlW}x%Hqf_7E4BoD+c@sda@ET|u z-s$rS&J6`p^hovcQr#CY+A^>30m{RHWv*+A&r80$PwG^FZ3W~(yuXRjwC*=SyWKby z`euo@)Y& zS3-%7D^_LhI2l#7WZDBC2*ID?gg=XY5dIAGa*OdDZK(=0n^hwL$1T4-t=l5;zWhrt 
zJes|Qk7;jldVyJOzqGrs;qH@vi-kaGsQDZWL0>k2jNR0N*14B<`l zzwH7*s}^d}`f zfGUD=EHSRCk1Q3~B-$*>E8E1=|L!?{CZUGI0wjjDEozrFDgThd@Bv$J`*k6}87d|fIeddF7NJ1_Ie3(7XNAHF~ zX1_wulsafXqlVkod@R_;LU#8aZkkGU%qh6`noTbs_A}L^loM+H2KrIt*K~+?zlbw7 zl7p0g&44n;!%|mUtbQb3WW-Bl@;iJgorjOg3-$3OArKo-D>csdSH7>Eu+#jIsP#tB zW>{v3SM=@vFuhQH=|wa0D=4$QXFoIc03U`#RFxU>OXZOGF72t2G(a6lR^^GF zXP?mc37PIzMShkev{gd=~F}83&F^Z+~1sTi=Q3UZpwkU^`AbUq+Ot_LnuL;65ixj zG}09KDV`qWCyHC~ZE%QZjtH&>Vr-DDE>~{mW7}jY--~9*vf4jmfP|`0*&cP25(KK{ z=3jq~3gJyqWd}I22pz}nCy5APycIDk;Rp!%>o%1tnxzl#7NLl(-=+Jmkq;; zL`%zv!YS#EH$l6kIlW0!M}suJuM)V<&jIw(V)kyA8c)sf>NWZO%u|MYMs6j^bYaq_-mbGArsS0~48>9GzbXWpuR1MD}A^*0G+ zl8%pV)%Nc`$C`Q43>@h|lSN(cauH z62%GcZDH95jm*g5L2gMb{Qo{tk1EVZrIkQmAzlM=*`gurjT5E=dk`tmqe{epU~mX2 z9*>s^u2kPXR1y>ff$Q=;F~Q|ShjNmTec|;V+*F4Ms4Iaa*`O+t51b?1Rj0&!1i-`_ zvmz-Hx4By~(m{XoNiLfduP#`@Kreh%EV_RJk}YxKbZ??~^K_;<2?0IWtVzL%L+Y^2 zs|y*yqA+PLXjnfrUfcael2;R~V6ayvRV)6o6!M!k4D(e*)n!$I8Ds$j1O<>bXp!3r zpJKFEGzc_C8-w1N1F0VPRsWUt2VwaRDH6q)wK0w2z5nR%2~hx@GKy)hM~~xvHF*fO zas~4hQT{M2U3m~DHw=sM`SAo#4^;@3@-g$3meDYe0yJF$ifO^{i1(kVkU9uB3gED> z(1Gy@5k)<<$=JhMsnCa-tTreV1;AH(?Jx>e?W^RQU=4UpH&oJ8@zaP#%h5EzMH5vhS&(4NFr1CKe5HB_sk8x`VJ( z3rL0nErQC$rZ;$1g~7wH0QXAX%!=lO3^~U^_&J})VVcrVH0x0oV_4TC{H7f$DhwXs9uKP=i34K@6b_(f8;jx~ z_M$QbG7m6nL!Y0}D+ga5tZ2CR-|nyQ9N#NqLXOPi-TEmf7DXqlcA7c#DEuOd^PF7t z?nHcPu%Z!RlbA;5z1hOFJo!5m4Jtl7s$4>8V$#uGcB_4QG8nXkW0oD4=oMuUMj8Vb=kUqk9y$sK6iEzFl>2*#7V;nUsdqO5y(^eh()g>34~K_o+(4aT zNDfli$~#HleRJbgS)v8sqVMO0n8zQDl_5|sp~!nFOe%6XPGsY)8dxu)F~zxq`~g}5q1vE>_8SstzA zPSL3FX?zZQ)Nx=WJ>Z`f63@b@C?s z=qAmAMX>_h<7vmyGh)SbNQ+jmXk@WetOF%7K^Es?>1xB!_Tsps(J}p|`{KQUK#T!hv~m7_^f*ZlH4otr-5Y zT`f8^j2AmDweY7_L!hd<5<57wK#~1;;UCcB*Gu`pFumI;c!|ni|oO zGsw;Ynd6vLM_Eo1QUr9dBGm*hD~lw#^7}?~okkJ}LCyfYAx)*%jR+h@LFmLRe5>h0 zkp@q~07PS0STfLvgPB1BPd=)tJ+<(_X_%8t3;rTU-MBW5QkF)N^lDSm$jWAt6hM%F zNmEDFlwVdfBoJ6)%*uHs)Z;W_!cfw(2swz3tkWGSDB#f~INb9Gc!x$|fp7^aIHUiu z!9_eU2I3@>f)UJpYHlJbvMBJt9Q*s&hFLJDuNWSH^s>+9460l> 
z${l7fz@ve{p7;_D7!xs?Nx`YcKDC56GdR#6*p1x4Hl2NU4MBnmWK!bGenXvPJ!i(}jquz?VeF9_A1H?cQ# zFBzZ&Fu+1?>;mkR6zr%dp{RR9qcdqs0yJXa4K8(zGpFK}YwV2)IJi4-%lgtD|IkzO zqyVJE3usw_#{czVrCjNz4JMomYUDEFm`v45gsvzC3jRaDaPKt5?)b!(3x@(*#MQPt zN?%Gh`@f=%xsxvk@JFTl5MXNv+Iwg3^DjO$-xr0cazT%}U3*ugV!X^?1yj8k&^=Av zG9PiA_65n4y{o7HE3?ftH`{-SAM1+f@%%piX4DXXG4qiTe8_W1E5_ep zQPib#W)z-^5{~4>ipz~{=ZF=)Z0$*^hI8^;ASZ^4k2;puV<&mE_poIJDLiY!F$j)) zPt0ZI1CLqW8XKIdIu6tVezGVtt} z7(2hs9%ecjh#XnTTGzMCqtO`aP#Q(pR>HC~k2!Mawa`>JRg|W{R+WEsaO%OT zR9IX!3ZdF7dc0^|_S}sK1uFk0fA1!h@67BXknXpFrO;Nk$As*hAu8-EY+D zaW(fI&)BxqDFsAj@{)Vv7!?_le7!KCm3Qv6<` zfBqI??gf&f(*UatJ7Qj3lwS2!hrnXEfgk&y=L)`D3WK7#drd_tm8MBuh;IS0JS8cM z7!ek7(4SL#%tfujbLC_0pJwjjH)iTPt8#}Y@K65;do0k zUv=RjTd%R>auG_y(87dRWKpKK;bOf1A|90%1A&zGH@$?{%UC$!pumGsfG6eFY>^!* z-_zkhG2|FHqmHN35Z_uQ@XM6Zm|=_y=p~D#HjuMHEmRQVWC=wczkC7Kn`_?Cpdv7k z5a2bbNq2Cdt^SRL3;+%+^O-ez{i_A54h7SR>!s8o!XJC~fay3J!ITRk>*61)HRJn1 zB)6Q(1-5Qa@Nvc6w1BnMhHAtL=xFyrWrbQAHxc@J;qoDS5^~c~arkwO z-%oaO4-QB5DLDo)I~jgQv95;Kp~+YCu5gyX@TVE%o{LV4;hly*PHHl zp~BNaU85@LJUSK&KEW`J=ISE^z)tubNlj9Bj;bi=42##IFX}Bl77gOxvf9%^bQ@Ui zj1t!0MZiGrrlo(>+IP03&^K0ut$Ad&RVbWxYvf4<)fM4-MePeXa~Vb%gbNxJQT$D; zH34)W0UYf2EY(h63EhdyjDd>C?!^q-3jf;fiM7p<{@J%)b40Em-#T%G2d9XN>3;5N z>P+MD9l$f7jjga}Bnx>}R_I>#{+3@Ii#lN3cf;0^w z#oB03tK5PSnJ74wQ2T_2b_scZb+lGMcGg@U8l#kRfPcYTu%&Wd!SxgeD@2(Try@YT zv_;=DdOXZkykd$`>U~`MSDZ2)zXx(h7K#iQ0P5`}v*KQU;>T_W9#l#+hCPloJ<_9+ zVVp1W=1du-IBKtOeMC8@Miv9Lm~fwTUl{0G^a$tGWtO{1$b^jUk{WYTljYU|HZ^~S zf2PBH(5kn0Xw~$n?A1eQ76NEN0_h0cB6r%I8IwP6{OPR~`^1Y|;ak&{Y>TlK))T@x z${Tvf-}!Nlgb}kBL~_BVKfO!e_3J8@kN3B=q?yBl_tkRo44%?`^T^hZE4RAPL=i!G>m}9U3>#C5)zl0$ZM*+~-lTX>&%BQatC4)kvvpQ^^WY9|Mt+N3t}}2`QduU8_|)S)G`39d zk!{@UaX|dzjj^?fQ6Iv99PyV5P&=Q~dbr6kl^@0*k9+pRcFO578uAGH^BK<*w~4g?fq7DFA&alTa^ug!?~vEJ0QAzQ?`vl2a41W zu5XA7y!5t=FOaP4VYSNf^T(}!XnXRoljpJ*(>JOGKTX;R3oBv~zXkK0Rp;yqD2{oN z8Ff4Fug7VZjCSnV3vN<&TsGtVb9aae=!!z*ir7m8KWz|x*0FbNsd$wY(2POWW_J49 zNA24WIJ#GU6Sv$&R$>_+hK$q5p_Tc84ZrD|WN_(mI?}Mz;fnU9JRCoB_`vpiwIZy1 
z%!Njqng^BT4=O0Nj-RfrILQw4&YCKuM%}s?5IXaD1wXkT4Yil?=#8vqM4x?aNZ|d< zXWh$jL!9n7$D6`8DWC&Tc-qbOW{ADi^oor90b6TXxdB4=Zs0WwB4s1@@JAKQ{F{^aM?;0x;fXVl4H;csY zRl3F7Vo;p>#CEx^h#XLw$DMrX?d9Ql`)#Q7roc`sV*}ZC;?q;fPmX8p=)s^Z>1;xv z`L&EUDa=y=!R;MAFX-wb$JI4?2g4IVyr$}LI;T>oW+vWQ>RSs3%dE#FWfPUt=d#Hv zZz%)+UM6Uz!|BK2G|#pY$Jm+j%+l5KSf`p7QvVp=QG;JY7(ogr0DD)fq03b^9f^JJ zKv^IFyzkxhERyZ{)DyVVo#MlVxTSC6($kb;RBzGbGhb(g4j`bc33IRh{QalG;GQCj z+kOQrnaC~9TwL~Gd$f{`GbMY8@5^0uRc5|1o@D$4#}TH;Y1kNOIYptuI|z8ezAIw2 zEWGjMZoF}4?q^)~IA5vbc31~|`}YO>g7+P&33;>J+fV$ZJXkxJ`AOk}PISu*LtDOU z2*nZ{zV6paM37)*m+eBZ0B&QLlLEpZl8y&SU{8HDoz#$sl_G-vt7v^G3)s|x_WPzB zO%Au%iX4L5Z(ofacR9gUUN+p98%yG**J6-6_D@rj8Ro4Lk{|GZlNL2-K_3@(Muf&c8q!S;LcecopTkSMjw4~gyjMld2hKe3|B3Ai7mc%Q;~>z~zQ{GG|> zwB3nkUdX8pb19~Z_or{YvVWG4tLYvBJF#U*J+z8H5ET54%y>GMs&4#{U>B~~`8gAv zcI4l1n{D<{bF1xob~UYZvt@X9^h&jvg29NwraEUr%+4yvQn`$1Gr-11G%@B~Q&6xI z*rDdNURb82d33;^mdQg}6Hr?+_(ZM7^s+#{^9kr1^$Pv}0$kwy{{Sv160;FAiTsBh zaQF{x@c+ONRHa1!-}nMnP8Qbx-}r*uG*5N4RjlxtF0QUwG*V)UyKg?Q#PfX8n2;)w zGJ(nvVIhb>An;iP5~81TVCrpvH5D9XcqD&i7{n=y8TUqZT zI@_y9t;?%cm;TG`V9IYnko|7j;DPLg+87t7efntV6N8TsI4Iyq+TgvrmX?rGPvQ`Z zZ(RbJnHAE*jSm-$f#x0S^gYUyu1lW*iKJX&epc7|TefJShC8GmYEHo)^=hyp=_feaHsKGocY#r#SB-1Rvza`Rm^__r`?G4ME-bJIa@}l##_m)Nu%_=o;ltf( zrAuP48z``*t(;rJFnhzK!94^j_~^4Udspy$J4U)=uGjn^$MK#pp2y6Ii&ss)GHf9b znG7bIg~VZ5d6}H}%aSCimq;*FqKS(=) z(Ht%$;LmOV4kr~f?vGqM3~P5IF#k{<*DNhiO$@jYABB`=8@CTqws?7c0)?X|=omwL;(RLfg6%-dUO>cHFvna-CO;ZF zKq_4rEMG=jpe?)~fxh4AP02tsqJU<u?5ux zR_THHmh}3H{DKVbm7oLI@-qYXzkx^2=PQpzDTGVoUxLR}2X_1~m1_e@CzIb%2Hu zfidMiWq-6Pp(4&A={&`QSSE2f#U(|DCWll9-$(pU@ka}wT<>?6oL@n$a-Q&RLmzjL zm{59tl76Uux_+2`z#j9U9C1gyUwkv7Oxdr~+BxDPd<_2iBDcAg2B`*)HKR2;Y!TMN z_xXg=!3W%v&Ibr1Vk3=1vO}yxjKlgddC)#O-4{lA^rFaw$o9yXd#0n->HX<-mKrnd zuMYC0R|;zi&m@8*<0OEjm~u%an?ta7VznFTs?5_3KCRrB{nnu@6Dl4+Oh=`0H4XkTJba*tbEOy%?d93G7_|^ zv^q6%*Lgg0IaN7@-6Gu@K4U#Icx$>5d>Or^dEt58df9pfy9R{iaTT)^1?mNyLu>|3 zcHy@?`x+#*VOe7FVo{?~3M&g+in?vn4b#vTN2Vl970m6!`L!ErYL&uEx$OO1Bc26r 
z8LyO3+!3k~Sty$*I#icb3e@LRxN78TAgWdkXSHwrYXj*PS_WRj!RGr0^;5;0M~ziw z)Z5P8mtLIdTD6-f?b7YjPq0q}?YMSGp^{>sZzx~X4!g!*1es(!` zRd~_9=zRiyI=^k+FW(%$Ex*eEvjJB^oIn-=3j-^I@jx*^Ac8mn_xA$yw)^AK&gl?o zE}#JNe+W1SaX~OcYazcmpwUnkA1A477{JjLeOQL`0!TptuN+ ziVO-Zibx502&D)~q^MG<)gK5)sz>4#bEDv5B6|=y+m}7hZAygfU+h8dU(qmXCf8rA z**6}RjZas{>h!AFQQ%3NsL^7DE=>2bAG!+;OVYx$`?HON>n{AZIL_Et@n8YGng44xPLj+)&A2@^`j6zJXe3bvaex|By?Nc1iHK3onA`-y z(ZfOdf%Q1{=>6!sH?uLbi<3#0^Pk|4Ugj$c*s7qVYR&alX&0^Dw%y0B^B5~UE78@P zapCbOBg}2<@T~>8T)EmVUDNvOqaprQe!1OF>M0Fa%Rx(I%gasU`YQAF6awwpNB!}= z@I4vgjrjBJ?^oonn-fogmz_mVMei;<&fqQ^o2PB}s%iRa+N(3wJ6ctT6L45f9Q;x*{BhRuHReV;1dKvm!h|E(;`74MZO(ADyu;;jV-|-Ix-A06=hH$7j z^0YM^%w<*AR&R~_rPOHOw%V7icfNlprBs+yvukmBWqEa827eP)IPKZVIv3t%r;XQE zou{_-pUL}G(On>3$8TEiv|CSYUWd_NS(rc(pl??+T^?WB8{DT}Tc5LFWpLWO6YgxE zrk@5E`}w4hG8Eb6yj7ozFU!Vdoevke%evF`p(ZiGEdsP(Nv}0B{UFn2)0Dyu!e=5? zBGZwtk(=(n9|mv6BU9%0gSyH8G(9KHR^)iQymy-Dj}F{e%$}$5if@&6vA-=nSsfdm z9L&3zT^E;xZ&h^hKKXs-y&F6X$DLltyvQWwMDe3;;Z z8hEr~0s{Pc4n~G}^#2sA@_1VRrMhMNZ^i5XmFV@qWU&kk%>P3H+o)xhfHiFQxz(L7 zlIsUhnw7Xs{)?wI0Lqq*))A=j}!LtB1k!p1pEdg?EY~V<+o7 z9zwe2a{IlR`>bE!1r^q3i#_X6uWpx3s{NJ=cOZ7_Z3brbD#t|{idDxsrJs(b2gYJY zdf$2mVab%W+ArbOeMJYQApkB16T{WFX5LvJyUS-$(!A@@AMueHw8NVXyfbWJ4otAV zxPLaZe#RhTS;uT1GPPCMH>5b3T$b-f(skm(S>cZ0HSFBRg2dAbbWX?1Q9%E9`>aq!lj#|x|A(%cl=IZy|C<-){>uKs z`vk59>}YlT^V!Xfry#T3;@0Plmm1N-<aKjXIhw)aOdsyu42T@4o)2;}zlb12oe z(JA1E72lmT7X1f|=M(G)Lhx`BjSNJn@E~zRVOdnod6sv_MR7stAAw`*7@59Xk=hZp zvzf9FJUGz| z=~WyNSmP~fF|y~5ry&k1!<9|DlIU`~4V>7F$VWi&?(?Mqpvs03+G#>^J7Z>IDIY9^ z*4c2!IF54P{?6cKsZnSf8WnFZcsuXoGx^6}niCZ#dDeLe?yjQlAX;dhOjG+;Z1o>r z(+r*ZkDQKSj~MM{zr0C51FLbSV47tkDqZ+-(J6q?NXzK5oaF+)rwUL{3aX3I-B(f= z{%MINEXkS7F={hm9YHgvfr4K4Co6XUbPytJ@SfF_QIA_kcL||OsKUtCt?52_gCvV} zO4Kt(%k_#5KhUV!AnmH|ZBEAMc-P^w17X)@P>W^iSPL565PCk-+Hu2}s$QvPN`EzE zZ}0HbM@9N;u&H0Hb9KWML3}j?^$DB7t`(%6npbr-E!7@BCb)Rng+zsoDA%vvBv4RT zl-%uyp^120^T2cG%ZXX5BJ079dqVwIEeRo{Muyx19yZ^Ke$%K1@=4MUCS4+5Bwl&N z8U+4>5NZA~wa{Mp{1Xb*K(VJ#7`b7`9X1qTRdgYd&^2uq;8vv$IrIYWl2lk_$*vj% 
zkUaRf4pk9~s?hw#RiR7Cke7){aD-()UmAqQA}lYl?!w;vMas8Cx!7$zArZo=n$8IZ zBh{S4eAI?f-13`*H$R38uw*D&4q>+5D#J8}2f%Uv?+&deseodTlwj*OujZ7Omx)Zm z-%m_a3?^u?h!Z$c#yWE6O*K60y7s57TN#tXmnOJQ09GJiSW_X`C^T?$(GI@N36nMp zJckNsWS(t?c=@A0L0L{SWgQGKm%g^dg#TuHUMHKDo=!3>-D)g z(Zak#ROyo!rgq~0e!~LLDSL(e$=>-(-U@rj=89ESZlUI7vT}v&)?5+(cFcRZitVhGL_x1b75jTWf@GqCwykeV@m*2*(IiJ&sQU7 z84)&oWY|r3Ocs5VOg;|+utGI}oXs3PFQqpQzH*v@KJXw^4vd%5CC@F29IXf%h>Bjp zchNcNB~r|RTU2YI05+FOVd#vsQxI+m0=k5Ra$FvGh?Idxzn13_5&Bf-o#!oKu@j7B zbNRPm$nry>Bo++yBk15M`&ccj>J+yaj5*~g@z~5g)v-37upV>AG=tFzNHR!&*_m$` zlX0zR{WY1x|cIf~Y{9?WvWoUVmq$}k4Af?%N=;+ch z9g;i!FV!*X7sq4{yUU3bv>M_vTAc)vmlXVTB4h*(G(E|@KkD&f_qcWN8E!Hpc$nM^ z%oGd^XB!`hff0+Y#5FbEQ!*^~Y+8erFj;834lopPXV^&v2_u2eAO2f=sQdj#s0$%E zvvcFY^3TtYF3ML;`#|Tlqqe+4=F&>_0fF3%r%kgyiI}*11>G*&LFM}oJ&ig+TaP zN&yF)GzxC!voHdt(Soa{7m(ZnO2Laui(w@SfUo}~sEC>1k;?3ZO-E*7Z6Xm?R-R%@OXC^#ysth_Yd5alKyl!e|zu7mb#J3i?V>UMMQJ@JKF?zmP3%5q@;6H3qGi@VOqGms#y&i1K zIIQ>Mw`_3@SZb(Wci%uTxZzvd%*paK&->!hxl7H~=h~l-BNg;!UY06PU@WM5A&y4m z4VCDxvqkplPhi`~Jdm3h8|?S<$C;nW<0!e^wuUX9LgK~P z>{_Iafy=qc$JdYa;OB|!BW8$dpm7YzRw?*?K7`*$95r=KKbIk8f;;1{{44g3;=xe~>GHM0A97VT!pc z*?2m9SL?H?cO8fPLdORuQ-Bb#c9P~(Qa23<((w3=^#P;Crhwh8um~bnwK-F{0WDEp zv@#cg@GJ5wHElyk!Ps8#Vkr_9Y3X_{@`4>AQjD^zC2i2AM6`M7>Nv8o$r4P^JXw!PpdOILE3kAozAxwf)%9O0wtJwoR-kg{cg_ns2?R~tS;_o938>?cAy zm)X>+XP|lU*kQ6ydS|Q0be%D+AQrH~P}8@ihVt1%{Y(O16YhRV1UYR-sR+)>}SjDr?BYrYoSQOh4At@m34dR=Ex3W1mvpMWgkZ4t<{K$(v%rs zERg6#v7mDMuTWLQ1bPBPKRzN3zMD0_*hK{F^cloBVdA>ApUu~haVvp^uxh4ufr#{z zzcw7mRa*(sD^5c&X5IPs$<=RYB(3Xt20rz?MQWqZxzsT^3YceG#J7SXpZOC(3U0(t z2R4io_*x#{K!nYdc7X?NX#*n{W!%GXB3Fm|FAbjXVW&Q$44mg@^e2MDnj=@O3PM+H zj2P|*IVCNX53WouP&XTECGs$v1W&HIKOcc zXr(uUfZ8slWFw z@ijw2$U@l4NgJpDk>Nw<@_a=uO&fh59#cvS&Fyyw!X96nh^FoFnp#=zC zPUH;2sY&`vkqqI{a1I$F5f$k2qgUdU4-tb8@B9!R6R6|k-=E8P4=q~8Uw2$LF1g)u z+_WBo^FeS0Egmw*enfZ186;*y$iqOpCo?E_Q$CPYLGpk@-vQ98=D3GZ9|W8ddD3-p zh4|))}!+K z9wj6(p2bI(nvH?QCfmcCU>`zjlOwwvMAEjfdC`i|zD`Br1*^wC*<44-|f}afLn{ 
zG9*oKkC1?l-@O1i7cY^XesCsGcVZVDITzm*rrtjUwI2q7eli?r^XHP|Cd~Go+IoaGv8Ak068VATL(qsuotAlg$Q5|85#@jO^A0Q?WPb@~)_7i=y;XNQYyNlcC z+2s4XcaS#Jc4?k%mY3`b`nH{HBFzSQx{gCV&E;f&`znCHN+5SLE{PK+vvxYdYH-0R z>H4rF8r&iH`aa1UFAV7CG@|vJeHS&0%T4D>fT%^Oe;SrNbLx^js0PQjC(wbJLa?|H zgYC!NuuWfd&7V<6*IoNlx@)-hdDpY+T(I}KY1S?Y%-rQ`oXLK-kYfZ5F0X~?c3ng! z6m&Q};{2juw4t&2tDOp4#_Vi%+s`l^2MDSBk})AqXuhoSGO9jn94mS~NhZ|3KHW;K z06F#Zm9aGIm|QbDfj|`-j=iQ7A&xV{bL(PPLGxw?bCkIu>$55X0+C*eWz#w5g}A2i zovV7vHEibkrl7@2FnN*JT`sP848dMYD++t5K}L?T>oK@rZ^L3FA>*@>= zQ~l!>dx5mb8rW=4VvNl~sl#;+ur>+q$@^q3G|4J_Cpx5Ep>@>O$A~ok=zy)TODT^+XHdVj3-bIQR z4@l2!E=Rv*W&8oo$n7L;@eb(itXi z4q@#*o<+^zwQa*#T;V=3&e*SmTe%#4lESLXh5uS|!oA_hV?OP@^#${`Gd#HR7o_Bu zBBgCrOTxjrh0K-+I;L$J{rIy&GzUa|O0;L4|1-_X*W~~+trQJr^n*??OM{<;jXB4A_J98rtZ zG7b-Tm#OUm=!M`LL|>8Ua)enW*^7@e zbRc?ozsoVn7^qgD9>7_-z2Q;Sq!G9jY4!~c>sG3hA6;_?tY99Z{lWC5s5l73KFnd! zOk7NUm5STx({yf@mKdA9xij*XXy@}tLLPqa6=R5=6=py00;h%Cc=!6-V?c4_QuOUW z!X0U>QdNxaoUO>0kQAsI@$$5Nlc!RR6I;f07f-dJ_q_0ZIOL?1wWeg)(sh?RqGatB zkmQ1^IZAtQ^YX{gZ&IvHRZ!3Hj>}JVoH@Q+sRorHq0)_aF)WAzcdNqQn%{}0y*ekE zam*1{~7zH63yDC3|BU4GG<^{dmHBY$kyUO85w5#MWA-Qy-Ph(c}}WpWJJJk)OSY zQo^xf3n@#EV{3PG=BI{j4*%&PWf`Nmh=5UL)$}4nQAAYX!=a0v_GI99iSE`#`S=*# z+L=9wu3kxj1CbU1f}Xa$Ll@nwF?AVGbVtruVqmt_%(dGLp~JqbbFg(x`r&$%E;-S? 
zK)?`0Z*a~uYW(QI3z;|t8U<&Qj_z6+sx$aZU4gb8qv{fNTGWk}bry_mM%|Ah+h+B& z!?Ubd%AJMQ3h0(pTRCzVGoc5UQA>exlqMH>o#v>^gL|B|!hzhEP392aU^R(i1Yja$ z&UA$kXJqgPR&BJX&1iXI==W93;Frjc3eM8Bq7kZfeLcD#0tF1eSffPToYE(U-K;k9 zkfe4wdPLX<PV!LQCof0zw1sn@l>GCu6Ofj{CaWt#ocw<9K zMH01&hmbTXVJ{rG&9lSob=jJUx&6nH2&gaj>iH^=O6gI^~JZ1tEX zTDxoUpg&sT=B^BdVxi1&aHS^({)O{ z74kpMvAIT(Wn47_mkp;~XO*7!kMPTy&p`D=bX}L8b(&0Mv}0mozfyZMe2Q}P^9ZMy z6eu`CI&u&xz9_O7J!TCqUhC;XAZiGb8CClOtycSz-;y;6EaAMMZxA4&YKJ2_gtx&t ztD`XLUT_s|VxwJg_V`yo_!Z?K!^Cs|{E7ug&dwt~BQ76nd&vpu@-NK6g`*)PL|4#* z{M)b?3n=jnwrqueEl_|q9%$#UPT+t* z7;_N4{tZm)8aRhf9+t`_r9dh7M^Ep~Kkn-@bD;0wmgV1`a&HE_#H)shzhK7HCU7I0mXd!+QC(s`#q< zs{I5JD$o_ARw@%%Ap^BX6r0^)N<|@dKkL^+SQ|P#;kF1nk6&lo25CwTfxKZUN+p|; z?NUI%Xfs1XNfXyt=LamYImv`KCoH-qe})Pb2l8v4`Ppqke><9@auP;VbOp-MDHDdN;@DEaE+ewja^|a0o%AExOziA zo*>M#K(D**Hd%(Kq73*feHqZD#C5)yx7dM)8!o86O=bl6m&9gbd~4ZV727z7>S|v6 zwWp|Ib$zi}>G-^Z+Pg701E57W%RCGI3QyJ4!J#l>!c72`?w{Se(`LD*m*`O&H%#vF zkMyvUydPOBE3^VD*L*C$2{P3889=(vh6|A7QMdI7Q@>DHFz#88tZF>cq&VxFT+(2u zcjh)QjKS}>_p-PSU_SyyZ9{4>!McwqZwwbEr!&#?bC^5l5*66(LC0NjNR3?#MKTVZ z?$%>C9;KWd^4%=Ua&HN}oqpP^FH;})hjpJ0s3aO)+yeG6diNb7^pxA6l!UvN2>rT! 
zpMv0W{rPQM zCL*aOt9$YGwo^lVQz1q3Xlb$p`?3MwXv(G zP`i#-g~)#K!mD569sH`}F~A<+5`sdfRE1@tK_qd+75=)Z`G&B&a`O0fZwvm{R#41m zWT{C&gu{~GRXyF=2!_#MDLo9~neHRq6cW2}=0Q@OfuPqKVx-ZN19^;lkr*_6ohde2 z@`MDYo6p(u8W6UArkQWLoz`Qpcto>Q{47{U|k%Qe#lH{H}UJ zG0Zp*qf-0a4@*%~ki3mu!b7jWrxVW>Y`TPoE7fot1w>0EI8To|Xe?JhLYjp^N_Rc9U-GRu8a{Jq z@VkZWc@YtYLjWBM1x^v%PxKpaXO=T2Q)*t#*a{v|D+&b^J_d5NnXvwGBz|kIV!{is~RCG0QC{ye@(EXNZ@8DAf%>5ZM>Hf*P{R2HP_G zFpo*P1m+>u9;LU{*FiM=u@%q(%j`uhgb|FFJ5tA(6^Giy){YyrT1G zq4g_{(pc-38=UdSJ#*~85)Yk6-iO*EE3o2VMzig^4vAgmKN~Dz-D|L`?%g-!KU}DAG<5P z?GGbMQ1^!-2a5ctm-G1q>vKq?f9$dGK>Sror9)@5vZd8+g&u_%Q7TL$4EiW~wGfR&ykmEJK4;Dz(nIYoZ ze73siDiLrSVZOXd-<$C$%$bPyY3(KaQ-iyw`H6J&dodBtW!l+jQM4Elyf zR;=UU{4tf$dahHbXl0cQYM*@4Bj0uP@ONG9bY08spW{-ZBQG66v$UJ1T~qQI9N)FB zGXzzWa`2$hFJnJbm9)RSQIaydYgJdUDm%yJJ?f`a371+s_r&C^E;uC)-FqqdBh5GR zXL-+)D$4pHV+|0YD{O+Wt)d)3MO8Ku@KPS~W9d$*eUa*B1iQa?Vz4#%2$rDL0t=(B zBv?iX8z5K`p`lRRjs!*@Z9dTXOgNQEv)$Q#lW!zIGNEjUI3BW+MN`OH`8+A%N!C3Y zck}5Q*)ia--cCVe3-Lp2|MB!OEX+#7Fu8XnzsTIRs>%Tj%+jG-CGQ_z>Cd3A|6Pti z&-&k_27e8{WdC*Z`VQs!$AXLDUu6QVype;Alf8kF10Fs5-w^?uZ~rc9$M1oE#0v6w zv{FWfW_tWKu8{iB$W|Hk>&=YG$L_pcL~;y3y~!;rL!ifnic^#7jn{h6K) zkAd+&2TXW>*ZO_w|FH^&|F_x-W=2M~|Dmmz)OwHEXhQg-c<|Q@eekb&;=%e_fsN?-Z zMb7)BvGUQU+uK*eiCE))Rr8^-ltj(@rS;7mOKXRRYito2 zt~b?}JPsV|A@xq;FsZ9u5UPw%h|2QC-l~+|pNr31;l=_kp8o5OZZ~fQZyg>_CGXo@ zjqJ6FCe)-8(5;F6h>W}45~7y2^7A}OT%JU!f)G$|CMPZDx+X2$vh$h4VlIB4yjPjW z?iquY;H#!K0WCMh&j5{Un+LcP^p7Ku2ORImxM!pLkYS4-XfGzGuC_9UZir z!(Q?UEP33w;23W}Wlpf1V7_p?$mHh;y#U zdTG^0!^gkK^VGPmI)e_1aEMfOb*tV6+TkcsHs~Y9D7`*UrFO4?*DSl9JUTsZg{CI@ zEx4bG0gQtzHn^y0514G_`N4)^IZH*RC@xLVIVk-Ub(e&Bv_(vH2x>l-0EA@9yOmq- zloLBm$Mnp{zW&sEs{9Gj*vYGI>%tP$kn*~9SOoxETk@v)y7aLYd6Cpv#{E+IgT{Oz zRM$t@ztr~?#SO1}nk1)!G88?Ah?IKMR;_3By3-0p=Vh?y>%Aooac0w_!RaTH?dwex z&F+Tht|rLVc+yZ=CfqwG(wS3U9MUx3vX71NiZd}%`W9kvy%`$mEtjHZy;xH-S7hV~EXQ%e2sy6o>sqwQiq)XY+E?T1jr{Ewp7b)-j z%%Dfu8eGZXJQ}O($qc$jE!pi|rQ?k<;QcxT}oz3qa3w6o%b^$DR$&%UbA< z$--^p&X+{38Ks@hG%-uk&-1M!1Es!lgFeA)n#_6eO-6B3F5AU{0QF@5h}j3CK**hPgT3 
zFhm_bXw=Kj&pazD=Tz-2b7I-a)jgUm@?-b=DR_lYI+%n%sFq%1mJcDQCPFB*p#H2o zf|N7{7Neohr^qnOC25pn=6uO^IKRker7r}eeB&$)o^aX?zVfk{c$QsE=H(z!FUr!{ti+PuS=>|LD^+i_(b-8LlM_cr7Azp*-aQtyCEW3Q zUvr?zx^f{IOFgHdHpEPEi(l<_ewASM*7oSp4QWTklPQ|oBTQscZ{6ASi%?qPh<+88 z-te!7TDbBy?1Lx!k3BhRSuBcK;OrGZeW;LFWktHzhTPwxqB>@$6m{3@L?6MJ`sfXR7t4Ut?C<7TY@xZY=@{)(GunFn*|n!a@j10i z5x9&V#;p8HEw{nRdd-sLvikPCOqIY*K-BHz{NtI#K%_GOS3(kCE#b-6G2MLH@+vHr z!~oMyEtKf$kr977sXL$pvrL9F zl7U;IlUcjD)!nsL{gSaJOLQ+d+>}RG1su>JIVq_H^o|RNQyTn||Cw1!HbR@z^*3z- zY3%&m?&aUvZM*|23$rhJ#e-1{@_lICMkjk5v_F$_tr!JCpJS1^q^}R{ zYF>dJqE=JwV>zG@zwuZ2WY{*;HHX>5(YqB1bWj*1qOYu1OIy=4U1}{?cA@{Qs71CT zf#ou$=ykC_LQqw`gl$H;@TnGHA!3Pw8m=TTzL%ZOQPOHTd335UfBrry+_v5kxC+n* zjP>0HpZMt2c)AX1F`kau_!+>lmoO<-T8JVOij?7Yx4vtJu!^=Co^G7WjpD*?FhYa=BqZ%2~05`EoOjansoNO8G_tL%g`Kliswi~y|F!&C%1 z94>`8^0jgF=R7AZdj66{%&J>!C|Uizy}BX~Jvf(2br@AP^R`kkR*%)xV=iYLe=Fl!VDk`JM}RR;J0p zhi2W{Xg9i!ERF+>)rDOjDw3($620iC{se@?ES)i|MYb(40iqlhxiAVW2S!41$|RS> zKuM?~Ow_fS*VIX)B-2|D`5fMV8Zn^I_q@~uHvSX=W83o25Sy^ino=%x&A<>c7Y$c2N3_K5od&!C_f3=w1! 
zVgPhNO*cDk7*(RpSAr;X=nIsi|2a}ZLOv-B_vP+O3iGGlO*D9>)VOJF)6rn>SlegHFijKv6l&yL0uZzI7$fTV{(5Yti zF^7QK02^al9(%!*<1bg|Y**BnzEEckYN8}fDlq(LylNx}gLtd6vK%VU}Of`+tgFIo{ z1m=JZ*cBh6>yZ>3C@MVAOiRB480==~;Sm}xJbQ|`LSFm6gFJZ2)O zWorpMj=ca_=4mY^qUVrY*Ot*Nesb9K4I5F7u=IWEwDb>4N*{Thp9IrM*rX69-&VWS zZLEH?qBlgTHkJE|%nSg@B6BB3!DkTIrP`v&(TcQ$6wxvZnFPEsrM_+TZp4BF=7EXiM@S$3ZXo9~e3w=Qmu0M2nBnWQ+4c=&$ekJJ z?j$qW!E;jh~+^^*S zK`=AZ zdCUw%HawgYYN@?qwzD6aKW2$9!)B15yA8cD>qxz@Wk@|=TMB9Ia(S@OjM_|kzUeykQHKtDjn?AmMWHPfdAt+ZQ zG#RU{bK(BB>O=MW`6wxRs~E^I(l=To|<{xADSEN{+F7m>BSune_yFt{x(q=~R+y5Dq*~@baqG;uX^E3-gp&pDf~9fK=$X zs|N*e$p@>k%rQ)HMkq$8iXYQAEmrY|%LLM6*1a>=`Mdd&!FlmbQ|+8JyNIWJ3AbOg zo8=}YYFTN@u59Tje(7Rx8+J>}*eVQnPfu<-os^pE51_espvY{Hi33F3%Q+6RHUD0d zsOCmTKkW|VdyxBjNp+GPv&D;&Ne$uj#WYp(+k5EYQJ8Qkx33L_&I;xw3_8wA7jqZ{ zEGi=RM`qrL?$+L1{?@6a?i>S9%=yc4o57p8(RO9&Apz4IjfGxoE@eWJBn61B8k+z8 z#^mF8yovt%S_Gda_k@ykP??C_ug$dlKv5*8GzB6&#GkwhwCILJZ^=bwBeLTacei;bFclZ%yM`e5@my(iRg6gq2 zhhF2y6gf#!n#3(qnv0~zp4wY8J@I%M*V)yAwPnn!nr|N6Za$-%g$C< zn|BB;c^M2~oOE#!9gQ8o!x@dphz&u#bJ)m}EKe{P1;$^4-O{Xr*a#U7!~)YeQTVZ- zxH33LW5tI-Gj4geGa}vO#re0+;xCbqgytCEJy~(g zRX7tCq}nnqcyg^L8Vf@54hzCkB0el1nHHALS^Q=aX55pb7@sY_wP-KezKm{M2#4(D z>=Zus)eY(h*awJvjTizr2-7C`BHL!6I7G*jsnb-&bt7$8dO_B?s@VHkMQd$6Hsxw6 zs@0*Wh766~cEnI&)*yY#)1s*)2HTMs!YkKp2&F&|PpOiq=$$%gh|p+ZPWEwU3-X{Q zi9lD};$(;9@107k)Dyf8si=E?SN_OUn}@p7LU<=CKezoEY8nVr3SJp8KKgFg6L+>? 
ziRD~A1wa*+VcH>om1ve`i;wv_&^k3|k8Vq}l+7FHy1gwMvP&vMC%D+axqLatp&hk1 z`xoj5;sz;b`iCslyfF!6wvuYlh9*282wR17u0Mzbx2R_8xyUM{ZF?RZFdn$|=VCZe ztB>9n6l^CyvV&1(VzF1&HTH*R*>sLw;!T3o;V`vHd?r9|sV=N=XxC4 zSOd$<#K!e_e53ov#l-T%HYEre*d>%XvXc8Nr9s&|6R<*L_pw5-bFH+p!Ok64@Z%${ z=H^9>r$O7d^B{&UQaCYs;dAPAUW6RCRpvYukAWUL*RZoyi=?CDmPAekYmX9-a=2im zw)O#w7%qo41u=yj9$vEyk#A9u6k6a69KF?=Y<NzUJgATU$a#mU z%kEYm!Df;N$NLR6$0iznMaui1O>B9`7aX7N^irzu;A7@=NPBki_dff&N+9_O3nxO| z%+z~M^foJLmtzHcSkeuwYj1hwA^w01M{{!(_oUFV##C+0=eksXB}H`SBQB=>-#>L- zSkeMTN$%;JPUOq_d2c-NQSau2uNhZ(8RTdY5k8GRxHylmXSp%@Il2i%nY0!q%_pCO zog>^Du4%)2Ce?;`iOkMVfu^0{1=7!FADQt6z0E6W&RfhlKC$R z^IsI^zbMRqQJDXtu>3_~`HRBx7lq|73d`TMu>6Yx$?_M4f z(v%TN0KkA&_06a^JWmzW@b#+)rz@=CG$?U{gU|46aJYS++XYUhmGpX)TdmtW_u$E| z;pll6C1oub!owP@u4uAn9=AcMT+Tm1I^5htWNDq6Fwv4Xep{?lH6HmO z_H6=g>T_pQ#oI9sI-7>_y)nbR>=Ex#;cH^@&R&cs_LBM4+k%N!NkMdNrdnpPGKYHf zNg=MK$!xuga9yLX)eeTobv-`1amo={GGsJ!p%(RwmtI6Ql70etC^vdxjYqRhEgeoZ zm~&c}+nPHDr%6W>-A~!lVCbnu8<7hRZWlb{I7?xb8Jb0O3bRF`nL{Owv}KfvWqza|lz0h|zEfhIs%mjL zU2s1GJ!nUfM4;=a*`;hnT9t5FTKqs7vp)@~r^CtDx5Po}CHvb-N$0pPSS z2MOBGhB)~rbz49td>DCmhX#WPDCAvzI+t!1kw|P|imW#rDZE}b`jOz~ELQ1bb{i~U zYhESdSF%tbuJk;UDW%^HX5+2b6y>qS8cRhMxdAgIF;a=5+GwQsy?82}k=29-yWvt4 zD#jm^br>}lLiJu38VOxJ5`4ahx?_FjAUB$&NX2A?7)Q>c9eaG?uQETd zbD)CmZ(7(tBRsiOS1R`Y7jthJ7FV;h3kMk7-GaNjyF0<%-CY6%cb6c+2X}XO4+M9D z2iIVM0N>=v&fd>HXTS36yUwqfFN+XSvNh4|)yz|LJj&GD z_G_dK>ymDPEK$7cwDl$k+m4~|EdiF)&Y_IRfI+h%vDu(v&hGJS#_%w?sz?3(bwLAM z0w!gNWWV7K!FH$V9}DyvO(uFbQwlkn>fgOm3QSRJuH{d(49qb$C<4$wscR|5#SDkK zC51${W2XsWgoh=BWp0aIc1IQkCY?e%SHA%ai6d*UA(h!@i-l)8 zW&Qrqv$7z3MsM~DrpDOb%xATMK;3VNV&qQfh^U5%v*hnFmkY;d&5yf3w>Thi<;&xq3;i3%o#r!JL+X zRPIehI1vfm1}>RUUs&Lp@3i$d71z^@=<)f&AEgNOaiT>InMTf@Z)A?S_CE+-Dm&=& z!0{6Ut<|2W&53dIY~n0)eW`K%b!Xu^R)9B@*S^oDH*F>(U4AdPG1b1IO=grwW z_(u=H>!8}*8&O|`{49gg`1fb#UI&=>p);CYx2>6P@i|^lzwlu9c&*y3SQc%b;IAHM z3Z4wT%Zd$RjwmhjyY?@$#{5vuyHINoH6PG#;nehE~jTLn)z`3sf-U9>37U2)T%J3Bd*ozMCqa$Z(ilz`mdA6&JBMA)8TOD z&)M~|Wn1&Vr(S+0+kLse0(HuLB%2%4ec* 
zE27T>&pH%Y``Y7AH8mWX?V#Uk_=&`_*<|_4R7Dp$w=wiDosU;F1gE62e{*=Unea2+ z@VWCnVEDqJs;dmET4Ir^sk`Vq9<+;j&}6(JpgJB7#WlpkmL#>5+2`I`sRiqA{L1~pT)RGY^zX;TOP2A zz~My6!Ntfb89VO=+0v^frVk9T%0zn0rNR8DH*>Glv1}5tSNyKYm6Y0bS)?o5@HPsD zcex}%@ij-fku7KJ)ml=UTJTG!`T7 z(SSUmk7r|5)>&+dCx`6d&9X18%Y#*bn3tM8gK6oo)d<4@yIMY&f~)l`hm#D>=q@v9 zQjKqdF!NUViLww5yg;DZ*N3|``yOlwzKb3YMC0UhZpn24dwlFUF@hnVMZ-fnfSj>Ijk5SA?bY| z*V2I3Z)$#T1jPY#|6t)Cm+KyUVBG5eGuSt4V>$XX#1lVr*l-yc;Njg;)Mq!N%-Bptrh%cz~JqD z>|D=8GgVnZY$--^UZ%S!z5W-K9~`Cjh~@UR74NpU23G`dpHf{AXSp9SXA^Rm5`ZN5 zVRM=x#Tfg|lyx=SN=OA+)79tur2l5&MCb zUZbRqAvK|>++y36Jh7Tcd6Pg9HA-oCyD-&$TxNRQvR5!2)@cHS$f1ci{yL=jf#{Fjfxug?)i}zrWCsK z{xrI!W)z>o2a<)c@#l9eBwB8|o$S;3Rey{Z`-q z3&Y0p+fMw;u>GFvkK+G-#IpTG#ukF{9)j~wOq`g zNWGI4%nHhx+IO0a?j-*rp%HrSZm$f5ckvuV7yjsQY%9%*dp=u6 zCELQKaLYh%q1A)5zml)jA3a@dg;dC&f`U8%wci!N(_^2i;yP)6jT+ z#kpa`KQvfkRYg~tF&et9tsWX-72#-fb4 zaZfPw4hIUQ8J1#I`_m0>G_Jt2Rw0(^l}P&Gj@~0@#cR?%K^_?mG)YU3GfIHd!9>Zy z#>h|4w2f^;Ih1n_U+z&_?CBnn4o+mu)7W;+W3_n^_7v})-q991OnPi!z`7;9Ba6A5 z!?>bN4tgtzPtW(UZj_}U#I^diS0W!5o3#jWi960~X7V~8xneVvZkR@j*6^`gN0@S7 z{vsrmlkVU|PXj4npu|Q_AY&_mFyE0U-6rmi-7_as)}4AT$^Hm}D5UQF`Xt=geV;Tn zbE$fb#rIOJPmvP)?l?Wx<<8&eGj^MaM1Rmm>)i~j89h-8S2}s$40w~|B8(tF@?~No zq{@jrIY@nGO@gzpqB~O;>yGu}NJFA|T)0Fgk&=>7w6^h4czu@Wndvcyb||Wi(=ivn zD2J{e1v8yxduH?JB*-Z_+rDyqY+YWim;}4P&+KEmg9uf;$ZWr09;3BYLYFequG z^klrU`NSsckLk@xWrLqmN7Z(WI>yv!tSD9CgB&AK$oI0u4e~n0dAVt+ z9F=w;SVC0Pan_TM^Bh8p5<`PjDGXNL*sv*Qc#YnmF~rI7c$N|1@$!8y8h-*NTSM|m z(aXW-k3x%G(!Jx?7<1jup+4ZbWaRNxSB5Jh&%#ha6t;a7=zt<19rb<|9nhcgC!WbX zn%$!h-b;r1;d<9rPB@I`!NL>m8g~@qBoHUg*1GIT{QO-N>vpM93hU)O^>$k!MYqaO}UT+5HoqW%);K@89+D-<_QQSM>283#ALv!@qs1f9c=9 zYJ>kb`j?IE{|HG|>8>QL4P*L_XugRX*dC>X>M~+0P?oGOAjhOiv>h)OzYdnGn{bwq zp{IDwottPw%E`iRj^Y;Q`Hu~J6v+9 z)O&tE({q3BsU8vHDlfyh6xw#YxnbzJN8s>?Eq z9Vec+idYOd9+(wWo7*Gvk!9Q>?8X`PAfIv{dlGQ$BW$~b?c3b1^G(E#;mGf!1kRu;iY zow|2mR(ptEjqN^as&few$-(6+=PtPC^fnE-xN%wn5EEx8H;b9S53nm4tox}ck z}rM@Xt2fn6s-1 zC${h}8jlOfe65GUm-h*Dp5>>>G*2_h7yi_SsjuT~PMh=gns?)irkb5}x(@+OS3W;L 
zZ|y{S$O(I@5lRtaq`WiX*wQy?c)-366fO3Y*)ac9nxa~$61$bGcisr~6@mjll7!FO zq=dj(7U7J-B&T63%#yYZ-*%28mQiBzltz4ppniC3SZU#7oawkAp1ui|jHnD|)7Wd-c2h^uN^E&e7bXRY!aco z+DtfkrixO1jjY@ex+R3`5l#<2t_u}PYbpbgVRbUHCGk+yW#@6}7 z&EAdrl!bnsqAc7IBsMjJK08ysO7|m<6)(^va=oG-m%mo_JBr;Ce)H!^FUs*wk){Z> zcI{q#w{h(|u9Q;yFH@W*Nn-& zsqJG&A-1}q3;lV*5~}bNXLy!ZIDx7izNaYtr^E{hF8X!9Xn$LOb?0h~{vj)J;TKNa zV5SOPeOIoqWX>=qja9~J>{h2`h97JS7|DrQWOs#U)D{;^lu%SgbP+{4Hpb z4B;u4^N`-~*iKmdgP-qCgo2B{lO1p$wo82)g8>iORO{zobxdR`=b++JGD0O z7@XBDgs4y$0#|ExYF)lBaEKk#@>|YKa*D;i4-tsw>B1!8Eh*0Q*2?$z1kMplG0u+J zFH#C8As1GR`M#E{M#*Z+Y||?87+0j1g!P`5ju;-Zq3X(`6#pX~0_m~t6jP^bGqX?K z!pBOYd@l*dX&*Vl8crz~Bc#-UgGDL(_-lY|eOq4NJ?2|-+FaVy)p#_S+Ubg$R1q;m zyrF=#opdn7?{ejACO_4jv(#1N>3*Xkg=3|uxnp1jC_PTZCm6fqH$SULZ zX1QLd88}MI%cM+x82(U4@~zW3(Mm99)U-$VYTwkmAhEKxB}m3Nlqq8}YrZhc$ctFx zn=Yn1RV~qe;$?=Y_|2XgG%Wu7d&uSj)icf*JfAz*r}!TcqKdT&p|FmpTYP&d;NLsG z7P|4soJ!qO)?Y8Kb)_wMFTdPK!;=a`u)D}SU$Na_2iOu{FPKBypVQ0SiW#0i{s)t8Z9N39vmAEtbvja)xsjLPcd9|n_;W!sv9_beSaJKzrH?+`psDXRk$WJK*8 z>=wBDbi*oO63 zlZL`7%KL((d-`J!JMf+LA-Yrs{0%X}8?64p7bwvNrzq__6#E8nZTC(=?WmQn1hb?O z!inKp1MBraf0~FfhCoO*$YkZb@$aHh=elWP_0WE_to+&l$%ZS-2P@a)ziv`qTcWLx zUGdCHBh3XhA|fJG*2>gh1>a&8&n6v=lS$tA>4oxGn<)JQ)GQ~HfCCpRLRGsLYl)mUpmoki9SdRwq|z1PSu(ShZT)@-7qUK+OqKKk=; zp`gOGP;H*0?c375n>R6X^YgqMlZP_;kM~w;G>xTHVNl1) z37?VZjU72Ov%qa|?`Y8!>EiLbWoAD=H3HxZ8dtG@8h)z$K;KCFMV0hiL?729VfM!C z6AoN1b1;T$pNMHUu9hDFiQZH6amnZ957-cJcf+pJfgQ6IF zcY9?V(Teay6GU$8QTJBytC>+qpZkV&PgKjU#buR&zTN7fK>g)Hxsn$bn|B2Q-KLzq zcX^weBND8yk$f>96FNDykbJ`t%9UqLA93h+Z)}kS8xVMRY^GSerO7R!H8W@i#i+EOfqxBA+t7v`0<^w>d z^#aS<_$aphXbWy}CP=__Qo2&eAnCY~!h?dx81EheN_CxSoxnU^Zfs=sefQ-~UlI#} zzdfNVQ&I!#CTtU=$tK#>UY}(PG?G<09}UqSrlQ(&?EEYN`e$6xQ=HV3w{#2O^6hwC z#zIBh{0^WxFI|i#z9QuszZi79jTmlcw@BB(JvbPPbk&MtiH$C46tHt9hwog%MjF*M z`WOH$JUs;71fs@Q3|KlwAG3GwnJjtBB1rM$A=zA+Ls6+KzCmsW5@es0U1x0y-B^Et zHhJ4FFqmL(vvZ)q{Q;fgr^_9U++m~dSs5`G-fezz0oi1e;uq)2l-wBDw}i!l#Mv#l^Qf9_Z=x-B4{9kxWj z-HuISxUOSE%FfzZ!kN$m**)#-{ihNtH{atjc!LYfN5;A 
z&vMPez(C%rt>XIJlbRteWBpdv6OyokTwOZ81N_2Ub~nC&8A@~O_Gazf3pPR>as~9- zZi`3h7~*jbn2;0oPvo~Rj{{F!LO&0BUY}mM59p}_6?>{|0#L)4f#U; z$9|79%=ONz@BKpJe+d4u{tD&&@t*!y!9UjD0kMB2wOIaiXZ{xrqW^R@|EfCrdod8p zUvvGr`+sycnPlui-KwB-T>knL`^Truf7eM0_n$jSK`p5Nb0_JqbQe1@3+wM7->+|+ za4f99lUBc`)p}=QV{ZDpM^(n24K(t%JNj=0MJ)d;uLAk2|0tCDo4@+^OxN!f|1&F- zs=JAsmlNm!o4>dvX414abF%_<>G711g97qi& z6GKkUw=y<0H5L7I=62{d{GpoV0LS$+kI<@3bltbN1^0s8EF)=c-3y+%jz0LWWZ>cf zFeqT8!hnc3sKo#NWrNu1a5`_vzz6YSRygw&HP8Vyp+fm<#|q|+?0*>k&xwTf0OH7} z8tH|eq)KrCKV#55EvI#H!RtxQ;;&CqElo*@H48e^^gH;uzyZ=qEG>k-3nBpk4)C2a zJ_$6nY=!|r7F1%9g^ez(|DIQebqp;jS2O_8LftW{#ytJB=;CWFh0Fd(582}HX8A{KE zmjK|yrow%LN-grHr*Ml3v&$;j9v+WTO!!J_cdJ^{l1Pu=_e`@GJG=Jm#`C)bfLF@s zp#RIZO;+2}4ume(7TS=1XA#ZXmtejUy13!>&)?FP^e*?3;`#l)8*X@RuRV~0XOmqn z$G^PQ+^x~f;ca+c@$x1WL5vF;rz!+pF<-6e=>PEOiuF2&yY%7cQ$ze-G>ltZueGKh zs^+e{P=_1Y1#sN+TKJ1j&?+y7>&Dr;oYt*7e}31a4ncPwLvf%hAdc^hsuhn(=jSCn zeu-1n@jmbL*{F3_T)>CK&1P%tdM!CO(Hv6nNaD-bo>sr-<4Mp;P|GJuK_nR+?2tnc zgHyn4rD6Om%*VFZ>`C+X>`)CuVhh5?7?U1!2`5Q(lQ`8L4QT=l_!{;HqfPjVP{zwC27Wt02++dQ zK^V(6QgKvOoER10=l8=u-TQ|i+I+2-j3pJI$^5uw)P!LM)+-8zJgE1e=c%v6@Fyg! zY|CXWzNk`Wvpm_q=Dv9C&tG`w2znBq(rR0wkqHO+Z0OZ!Lr#SONupaf$QuEh+95!w zP8roqyf?WcA3VHA%t!u4I7H^sq+$EdP&y7pYmS_OpEs*7U8)t>M2Qi2W6Tl46yOP! 
zp7vf@fCXCILMwR~oBPw7G5A*!RE{KLlt5Vkv9{y#&$qC&polgHB}wVghR^HE2^Yn` z7RDXFISHsk5gZaT7H?JIpp%x2G-ebbtN^HfU6eJZ>ZEF{3Bw=fUk&%)7L5&+4NV}3 z5LSVa_dOVZwk+`yV$<{U&P2ob7fVJ9{hnK%SfI6nm30YGGR;#VF@q*ezyKfdzaV?a z4h3*P1^sQJ4~HSPmwfQBHtzuxCLDzNp4ZAkl{Cop_^8r|f!Iq9BzzL4R3x!o@n4hw z5a#i^hmZ%~DYeGohJgr1QmSCf^iDS1j9DB=3I65lGbEZCdwax%G|X|e;ZJTFf}}o_ zzzi6@_8WRMwGUq-zA3{T4|n9s{JEmUusI8W8OxZ@gJ#g~IkP&CAw4VxI3{!2m#Jw` zZH#5pk?O~J@3wK*@Kslp(2R>T0T2Aizd_^NQnCY7D(_4}&EM`YMA4)9=TAN^A@LwQ zaw%Am?HTu6p8La$YvK;nzCHa{w-vz#j0y^u`_>rTN(V+D2QdR-mzpiiKGTNtK8K^_Tn+^#Y@L z`WS{2GKh%*x3kCoateWF{Ng}C@OK+`&S+}rgwh_BDDz1vnk9d(y7=nE3QMb1C3Q>%rl*#aC%l|PN z2paA0y5s)uKgVPNyKk!;5hd%fjw0XbWU1kqzXDLTT)q|nDfMO{I{c+=ctu~JIcww; z{6KsfsQ~V(wRx{I(+gXRQjE+*K>L87<458ZN}vqt^3Tuel?a8T~CX6shK1*P^ZG=^ojm5`=!^lVV&OR;1W&wp2f)gtxYPw%^>Clsj zaM4gd!32I6^rb6}^md=FvFOM7FuPMYOZ`L@(fc|3Adw|#R^r31sM5cFeZ(}R5E(j1 z01}1*9}0(Lij?o(p#)Z(KN7;ixv}6#z__9Y?R>PmUgp}BLjpL9+=ks^3086jwGn$$r0+= zP(hAPaxIkpRubWlZoTKf8JI}_eI7v`i=ATuB+_6)pv@FaUOKNP1yWBxQHVu& z01Nj*>K`E$6x>0Zp%*zY5k2|YrQ|Hbuvq1U^50m4xgmvlvJQSL0ZZKS6n@I=B{)0#` zv}7?QZ!QWh@-CmWeH{8|%gA^U`a2w@x0^R5RhoNPXui~PBU*(Io+wP`NZQC`41t?1?-OWr$L zMg#sGroXH#4z%$fe$D*c9EzU_V}{lrN^kW~et=LiO8*=aL`zzl^K#AvpYi80fmTJT zz(X+X0S;@bnBM%)WieS9{ivZjSbrnDchTeA__D4?UBv94qzQv;gvgIS4+W4Sr{w*v z$T0hHHUaYXpLD{?MpCaGZnW@g%l=^!G(G7$D(v5gr+#c+I5`FWSvO)4#3Z1~KNnwJ zT!|J%;=y1sA6|R<&lnsY5gPb?&c|DZcd4v@Xir_hb=FWiTNW=hao`OZWW66v@4FT zibnquv%`>#ECG(w_@GPfg(Va{G*pFmpHs(-`VjZ?aFULbtc0N}n(8!;sChh!=o8wzdK1%9ZKAh$t!?){fP{$_wme=Y=8phO!-}N%7s+1QF?H{csT3FUHWPj+ z8etkZ0YSLw_I(mufcS}~W9kw|N#)`0Ja1mH!RbwN5Jm`N1F&~je*ZuVAP25Br z0}HF`{m>4~MTeul(k$CI8bsLGPkyexV7+aIj4dR2zD`RO4aoH1^Q-{U=DEC|yVdyb zhJ<5gQ&#W$kM%BW{2k8fpL?`3IidqQ{9T5B;SyHR$@OgY}r`i(Zr_RrL|OFMyY%6!4>j zys-Pj#K$7LYWbWG^T-nDQ{A~wR}_@z?!{h+;ix*QbX<;&>oErq~G z0g9{p{b69dGh9ERELowPx`;8L-X<~;#-B)FYwAFQRgHyy9`61DpHqsZ>+UZz(~jPWI>>p1%*Q7b@v@Df&dytFF0FHX zT?b(%|8MIBU0vdY(p~K&TMwb4aOEHF!#pUr--%u5D&g^0A;oId3~$n67}fp_qeamG%qgLq6y1Drz1A9^60#R{GQU{!P@avn 
zc0^2UyH|&rfh-dnG`?#sxXF!WCen2)L;bPcega>$!$4p+gUO38iYLL_U98c5+;>lc zN+jibQqGwsnkl+H`pOg?(d*=K3D>qd4Ypz9gYnUixs;Rm$J2h9XC0*ZI-=KO|J7Y0 z-fcVq^;z!cdahRk_aomES#M7MeQX1K3<)iuH&uR1qQ|hFKyEt& zdFT!TE~l(L6&>)`(^+QW=7@i8WnEw;P)egC}jdzSeWA6ZaR{vt7YqRX^6Hy6{j0 zTqga8PA|_9v7y5xg&Ervn{i-i0jHqVek?4|6w4Zf=MZ-AfAF4%2$Zzvfg?(cKRcsa z6+T`-%p0CPX;-aLOl|c}9$XgxDz4FB5G(D&sGL{jqWiUhn$SHY>@LvAA)YK<`&|lq z{?UTpc8d6vDh14F3d&CIHCpDFijs`c(JPQrPCMUtkzZY^CaebJM3q_B4mp5)J1UO! z#NCbjmF@I=1O0v>ehL^E(}%LA?-U{yB}3p}^Af+U)_L3U4hf@_OU6k$?4cs@nyUkm z`4sc0()h1HFZ98F#!{-*)P?T_BT~j6j1&>{d5re)Jw-)ji^ zrp;0H#m`sZGe+sV9WQX;7F0N7uiGzr(!TB_!vv(1{0cvqh<}w+sZ7+X5=czax8_+B z2`|XA+JiOT9mgr=$LOt zlPOoD@fW~f*utdx8r*2JkH}ulZ{3z-PDTSL)okfk8{j1MS<%&Rw4u88Y49L!q188w z4kQM{q255c7&D&KHKet=cj{v2SS>r+86Y-!ScB_^c zAfu+iwC{auD)i{;CLDXHuS+QP-fAn9OsMB)Pbs9eFq;2<+iP-z3*ZW<#|gCqdGTf4 ztC9^s)FstN{9&5_wOm`smh~;0s5L5vTq4i7IJ2tnzF?J#enX-}06;zW&|6&T>!Vql z0fR-J@`O3r#R2_GNhRN&{${HQiMPY@&-K)@&3qt0@a6lx(EiP!h*jQulF&7t(0J+; zdIIL3K}4_7b9u$^G3E0W+c3UL$@qz*A1R2mJ%#iREaFYE?ggCjz4L=Z+*VTz2T{{$ ziaRgk{3o!yrsBXIJfC+)@LL?-2s(w&PV(m1|hI;cIGMhWoKdGtc?v5S! 
zmn<>t?U341jJR{-HD_W)RHy63)-fC}EMk;rFZULnp&Bg0#LtTeS0_Yvi?d(wqf(JC z@a$(&gOpLZb)o^{gr)zDg&a+b{*6{79|nR*Y`GHGy#V7537JDIHZPIOIF# zW{VYcdPLrVY=CfAJC6e5*Pv5#N0C_?Sn$L}7RWBmqkdF1=W)S00A;>TYr0DEsxG!vPSd6&#O{+m$ncCeW$|m3eiT~1J3-J)DC0-qzF|h9`u&(%AEL@ zkF>+bZhohG-c1rvAIBHA?Hi9;Aipa%+pBoe+y);3DjpThMH<=-C&~6f!lhMr@jj5S zVq`|cumY>w^x#|gP4b*@b29^Nkn$puplF##*cKV>$5LNwb|Q1ryM{1nW^Aj6m4Gu; ztZ|RU>gxia=If(lou#j$bh%|TOb9at{Baff;!H(e@lIlN`vq}3?>TXo=2mCMycShu zdR^^tsCU+oU~QtbV}%px+ z)C&^pc(f(Awzb17?# zP)JD>oc>~ijm2iXT7tH{PIu`N@=;Lmfv5ORphuR;r{XGKw4U&bJ@=1U+Rsy#^qKjS zQ(Bf7L3In#SyOif=$x~iXDjQ?yK-b9m(f`^e1+07SS4|^NQ30hYp^u;1-zjhq)ZY& z78GgFytqxP(+CMLmibm{t-qEgOQk&ga`EY{iV(Es^Ym)`tZ#dc1hZFOD)H*@924&< zAnYN)nb^%$;DVzzf&wjNem&kAU-zN;JAuS^LdsV+~8)H6z6h%#0^<1S%G zD+%m8$tSrJ37MjX#=;NIZekl(T;U1*X^9WDs^CN&`Ln#EyCg0PCo4XVvZg@CEzPeq z^sig33q=<_=ePp!9BXwDfjVFE!G2&9WSu%#O8YKN`z^E<_zWb*ZYnpN^`dp*Nmi~_ zb~l1ybK0&>!OJ$OU%SKLVF{%3y*2m86MnZW^_~|Ct}R%dNl^A@_BvneU>WhcctT?m z&9!?K&EAO(6o;DyOrZ;wI@75$OJ�jem+Sl`L>G6^j<2gxd5LGfgmXC_MEF+x~AGufh@#^!G#yY?z0X9 za0<55Ob)mlS(_~({Dxd4f8h^3jS(jm~A%vnch6$(6{(jL{R-zp;bQ4}H04@sVV2v10!+nCtsZQlfG z*_>S$iE|Q=9&*9X6I`cAReSndQZWOp%kIV(GepsX#b`ZSJ+V=VK1%@yeCE=P`HV9l z^i1t-#hG&>3C$WWxd|AYYovj`5bfvru)W4SLOEuN?Yx0Vc!y11j@_6cskh<@Q*M{a zRU*sbX4$b|3FXPz1cIkz;HLZLn-1X_2nlvA?7sm{B87Jorrq|Gj8L;BNxEog7`1(< zYQ(M+!LP?)_^HM;gpwNR7Kq(s@ zBVeBae{sITz6eQAG{X{pMWdR!bB$ep(3HYKAvNr<{CTDpoXO2pAk>?Hw?IbU2ndp` z@hIj>_-x3qH_&w2YwM1-hy!_>%$x2@%F)U@&mmI%+%|x$h5N#)jYo~ae8LO!#!h|YMw1Y^WMJp6A zACP=%U(0Q@Y&hGG@7_X~5mYK~Q0dH?jB|-WxGj+HLCS4hE3@R!8sJ5XH*qiwR@3 zR{Ad2<;g-vtQ|{tZ6#*|Jrcsmtsx}E9o*j+7F4JT7ZzlB;{)jwS06DilhLR&kyzr{*-P7u&O-qm9} zB^DM`?gNLopg&VPlGj(x!TvT~|D7?fhZ^VDisHEJAg8FjQ$7_{e;MYO{hQv!NIfx$ z0p6y*WkCt=CIO^)2{AintF_xEF*Iwr#_ZGSK}Sv6ffGQZEXYOHxXLUA`I*xAso3TI z%kcQnRoWF-I%i9Fb@nIbYtcdrs*6a2HgvKzt$X)s=#u10{km^KNGSp=zda~8i3Se` zFC+1s*y5>HKPcdhuGdQVq0-o!NKcqR8P`mZOSogK(6t&hc3FB|%mA?8Hyku&SewPt zfLABLe^w3^^Xw8h-|n{=(x_=Jo*n^1ENbR>6EW+(s1v+*B9DG|5~DI`gq2^1Br*^= 
zh;^<+fL~yDsfZw<#Fw~+V>DfyAx5?IBj0!_!rOhPvv9kJMth>@t6rCzY!J6PO#)4o z58O)6u_AJQ4Ai_POy_i0RT9FH7GFW$^GvBLe+ATm%}ks@l>u#mC{&Zj6z9!${9Q64 zKEWx?VA%E2`;}m;3Ig1dEQZI3dXmK@>D3^~@BXb+^+2D_i`YmDg7yabqH^F@#0pJp zd#uAQjnPmh41>if(B7@6B=y&VXb5Ghd}Q#h(NP^+nsHx<3%A8UR(@J+TBs|6U~L&f z{Z=7%O3#k4CR}<~&|KB8$Ie9k1xuGMX|2$~YKfEZWX7VT0QvTKTDPX;ZvWAmnp0;% zjm|}jU=0hR?wa++CSvx^TtNhPvG>%u!c-1g7hDHDDG%r5T=wPCS{E zPQ2~Fc;{&J;x4DC+QH)PE&gmN+?ct&t1-ItHQp00bfj&;?WOpY^i5~UQO7}@t$ZjnQkU{WOtlr1w@5nw3*RH!zfpnJVSw< zGctmjDrl>Q+w!L?>sLIS9`4P89gVM)c48Vu2ZIoAXQdY666gNfW0TkXU8}gRp9YCS z8_7e<1b?FiDoTi}`_v<}eKo5}be@`NrGQn@e7+8PJ8qM4g|V(Nr&LXj_jhR9g$nyO z)Cfu0alE2pUv$biJ(FWM$G7%T%b&-gPAy%lls))7f$laU&Dqg6HWddDV7=y2BnZAM zxe%qAYiFiwzCA@UXBLvRDGE9?5LoWiOBH$Jr2fmr0@2xMvDj@RN+sDhb`#_S(-nyn z)gMKV;w{hl@5U&IME30kMyVLE^j-ExAcZIJXI9BeQIsY?zI_tEvoE z`{+QcaJzx>CeC-u=ahW3_pQGDWXZ;KKX~0m-*&C)G@s>{{=Bi_8;3AF{GvsiH~DQILOUkdT#iTW_%fKTazR8^&yF*i8Q&a%3ZK zz`ncAf>q2{U9}lJtl*>^RcOg0LuFm;)-~clCjqblYWfXm2T2&I4}?Tj5<@Wia_*aVFxC{dI2LOts<+S zBox$Vi8oLM&#$U-aL7*I2?_yH=U;$AfI=&$Ko`W?y-H9hPk#6W6iyaS9HyzFJkz3{ ztw;>B|CrAZXyt?B&0$eav&hR~zs$osePzl69%PIf4iHcbf&;6eFKu~$2$Lt_VV4M} z5am&*vyrnBRs{`?t$~!1gxxk&Ju~-3qFTdFfkc9bPZc^U!@Fs6e0Xrd&H=%DQM3@c zD6v9wZR>2=ZcS95Fjyb5_d=nbE&?F+3PaR6 z>K>FTutKYub2=8%eFE(jI{GzU99}*|2t)y^hI&^i?XC^D)n6O<5s~g;4W$N?`s%Tv*uHy&W(ssjWIod4>HMCjuyVNuS z>+U13tOfE}=$uaP?&rT8M?6~O-Ngz?cctZJq^iqcvv9%VF4Kur&KSXD0PcRncuk|u z-nrghc&6kH51r?#UT2JGV1T=j+xM;0idrqX&ngdsrfhvB>OwEsioWhiThJx(3F-5g zgDpb?v?CnVDu=%KXjI}fPllL0t9Yz+AMhZ*1dH3(o65=gDqU=~B8@h2JvC`~W4Jrf zQgxKJ^udcfU#LDm&Tl75l0WH-Dpi#RYpm+-q$7Aqmr_uumb_ZU{=v-cX#6(sFME-2 zRB{=M#uA;$=^byzk!@LZqxxGd&vF=$jDMC8A3+Kzwk;)6cq0VMY`43?p--+MZN;DZF};2-OVAtWyI3 z>^?ZI66`WcXt-I6m!^sP&i5cnvapco_r%C}!c-g)u6k}5lkUXJy@(BBB7+!x+vB&H z^|9e~7R|d%@IedE0uc|-cPNkZ5hN3WhvuZIQ7IeX!1w`5jhcq&D~gerUqQAmNclLG z;t-B@e`~?(@aJNEF}`3VZDssA;fPAPbeJhFG{3h22>M?eIq`hn(Z|4 z+DJcDgOu8A3QE9J`$#om-8pS3S$fFGaJ>eM{IKPX6de|+4h48Z-^r)XE4FldF65I; 
z=<{g3=^14Pr;m%kBaL8qkcfSo@8SPPApkZ{V#nIUh;E$<_ZM&D;e-vCQX1~)A63FRyI*t_`#R*2lQ-oS=J{k%J2^TM9(G*qa?a+#*!jdC~GD4Km(8`JV_ zdxY3st{TH#Jgq{-au76ERbNmv<1*TTuVco&xBk8*E1lZDls!lw*CX1@pVZadD*l6V z5?i5S{sK1K#$<#!%1)y^_u)1H{?fqKU=wOZ$`4lZuU{(H;Q{TFo62lY#POG-lNTRtC3gqL?%*7YRfblvcTX9*VYL#6GG4RGc ziu&j%|FKvq56=>>YH5k>Fq2_`+-W92)!Y7d^dTq`3|DipeJ#=K-^SEmZ&Yo{Ysyqg z4(l96+kJMO)Buv^^`{~`#xlkjwXzRzSMf-3w)|z{SDRz}RhR9YUQO^@INmv3=>GKh zA{=d(8FPyrzX8bbHo*;E&J5`hm>n(C9q;?r;w;_z4q@#u>rcfq%s?1&=ps~WBe(o~ zILAHj02Iij?g>!8z95j<>+L!WG({I3zfZr?AFyzi<`Ub`UQQc5=Ti_*{d&8I$N=yKMhCccq}^(g z3LmZ-mEBo^M)zaX9vwl#s>u}^Ox*OgF zHXIWh&nk3=J>I$n1WR6g;Vaf5;gXHy#}7|sNw*nXamMrBP6N_5Ot(y_CBpbv1o!98 z<7$=fKy}RC6c6nV4)}eXI~Y{d$LsP5=;l*3j%s=}p+j3fW=bklk8=+Q#QSseb!H8| z)X`|`i)xDsrL)WC7P+XJn*cB*J9=KsgOTIW1~b@LaI!lkOu$yL&9<}8umMr`q~V~q z`Ha_?XNQULPG)`QE>j)w!ZQ2s7~!~iVF4H%-HvUYcDKg|hwc0yK-cQ}Uaas`MTwde zRC~3?ItGb2n({o>u_72Pb}SQV-fIrU=ToG5qh&D7m>~P@iwmQt<{EEdfFdAr^~?hG zXH135>ksGUTB$AS$I_9Ca$sk?j&bPKoWv38*GsIOC_~NcMM(zb1cB(d6A)Q!7TRK2 z-@}siDci{3*jZT8~j3#QXa=sa_v9AFlHL$ z#5tP#iLf1F@)IBEdb?Ba^XM+DInJ<#((IURxrLaaq}1p0DBx`{Zzy>6wpq8Me3%R_H9w_RIx zEmcOLrxiN0ndY8#M;w_*lkOz8vnAf_0XA#cyCESOSSX^DUI6wrTc1_#+4!(Vi+7c6 z)nl8#(f(oHZd9hbR2z9kR(;iRJX*z}z|mIkIfBH)`F$OOpwRROl`gCvO!KFN8@;6n z^;o2c>Rrbitgt|;W5O9dQM2}Q`8Vg>br!7Mv@C=z@0hH=aQj9%V=d3Y9&$0EOE+f?I}l=BC;@8h$i?2)sFRn+@LsAf#N@bqce9SN zmYdnSx4~7xrHx!AzLKMRR~Wyw`f+p2L>b*TeWSTP-tnf@uyO=-JKuKr}-Lwmqd5H|J{FcHG>K1L$Z2 z9P{;=e0fZ&On@z!wXJno&-Z&-sv73^cMw@%3L~8YIa*w#030&965%-aSDSJ9<`SU= zPw$J7FpUKYF2pPBNk`W5wauy3W(}RE0@M#U2XA=&5PE62WN-BvXmty|Cgq8^cN+jJ z1GhxNN8?5B`MGYHeNL|qtm4ICCs*ilR@)R7(#Hf4>(hpM4Oa?ZX9nB87l<8O##V*= zKoX{5h%#f|@M|{oyG_##Lk%%9$ncJ=K}ec&IB(c2Og|A>S>QQ zAzy|>yqMboD#gs)1n%1^xH!2KWB2jGV#PzF;)izSTH;-QXkpGVU1xnf=_!zkpU_sV z_;z+$(T3|$!F~WGQc$7B>{25mhG)fXwQL)1hp~Pwb#XEEgn+w8wfasGVEpJvPMD(M zYl1DewFw~xgF&CM;5tUfx}hR8awAG#=&Y!5H?tgp`wFRd=GvIaE`m zUrD4{A0#9PGe#)3eWnRtMvXDnjRi8qw|FGUGO$bD@TTD{D6tin0Pl~cSUfW>a2m%k 
z$DFwbYVI6kCJrTlY^}DK>!_eE{b;5Y#Sg#*x%QGW&-tK4*bh4Lqb;tDMzahv#)%2IuMDFf>Jn~0jXi$AkL$CYU+_UWT3CvXX4^<5 zQW^4<2Z+9s546@%h;%gzglTa>fM{={z~N79vFP877*U|~xL z1UbuRNQ1?YD7j^6`DtLG@sjQ%H){td>hUr%&2&fsz>U?*t7b*Qf8elU&ir*v#DX-a z8uNZd8Yapq&UU5u*M&7vgmUlCE1Ow^J{-8oc+(@%;BLfmslUBzBN{T)@x1TP+Di>$ z6oa5h;h{WAD6~MmBcL#au85g20gSr_8E*si`e<4*M_~0sj%i8w7R;fghR%j&Qh;2K z&GUqWfGH#e3zTVbsR50XKbsMUyP)y5Iv$m>_CsIOU3B26BOfQ@NXQTqZN`95Bmr$h zED?~U{sV*gKQ_=Hkn1AMJjcz<+OHm?3}1Z_8u90J+AHK^rNJoIr?cKjOM|ol^hUW> zY0eyGve)WMnL+aJvzJue-1r}7{{cOmbn`q#0XeRaqSU+3D;oRH&4SkA_`=0sT;Htp zp6m<;UC9oVi#0RzEbiY2LK_+3Du;qZ1DuSC>SoygcJ^O@ClV~(K3-CFUrCTpEAbm8 z3-Ck|_ug>vp#0~PkEDrgt% z4?LEPFpral;$Qy&4Wp}=NQwUaLOI?3>XP)fjQu{ji|4zCug$ARHVn>3k@kYpUHPMP zX+S>P5#y060(Jf>Q9C{+^^IBYvF7{`K6mX58DA2%?Z4e1c$MY|A;23Ho^HxoOspdn zXT0@AC>fP9!L+X_iVP42R-WVmqAZFeRBU>xF*dv~;O&&6OE45;_62J9zXS>?#YvUekQ+fd9gVirjUTI{s?oI{7xmfMBdk!D6zNx&35T)wa#p?t3_FCc* zKSd=d zKY^iGe3|AGen2mv(b91>89lPs0IDCWg}6HysSU6+fshaA^D)X_QxtwGrqsM4eOfzv zw5Z2yxqIf7(_a7Ox%&XEc$-k9!e0E1UaR=7vkpzRn(ePVRt?_{+8XVl!^iB+owhL# zw=yawTgJl*osfV^b#ELu6f~XiINF&@^!z@dwNIMN1e)e*@q1z7V4zON4+Yg-@f#+< zB;zcQzoUS{f(Mj*oD1ZBQ?ps%W`5GI{zcJ$0WHU%UTtvZ#D@fS#Mc`zQD$q1eDhp{ z6pbCIS%=jt??}_!>XXSvbHM|&mQaVF4V8Fc6eFe(eOH1D*+YO}e4i(oO#&7Fu1yL^ z8c+gj5~|GqL*aTom!y@#Z?zbUGiSDq2yknjHU&4Z^a33GEi9{?XMkB<|BxU$_4_Fe zC0}k)u*F+>aGcN0%~*JXR`&Es!k8!CPn~Tjqcu28U1ii;3s`W)xv`b>$}6Q5e-%6X zY$^znQxRd}h}LlFc!u-J^CQiRrIiT}u^rdWo{{*cu?#P#98`SH0`J~pcuf4<|U)EwhWjM}@~@Y=$TaWph148DVmK;vLEi&6`)U1r&RpA^bAl&gsb;tA3&6g5eWzn9ui^ZWL!Qc~P}x{DCQbFdjn#ZVCQF*G z$=D9RC#ghdo;@xsE@_3amw=|K_2`J^TE1_nWLX7G^^Atf ztinP_vyb&v<~SNP&8%heE;Qcye2nS#$ITMzgQtD3S`0r8p~^iMIU7+BrVN9N%l0fM zrPljKyd!}^RjlHJAoJsS3`jDJ!u-MdgdL>nmme7Z+&a_U7{#2wOw}Q{Sj9oW7SJ$% zDa`&?1kIEQhwO>?uK{%AY`O?{1eXe3h9^W#26ib#G3kRx|W?DXx0mhHFW&6iki)6bI0#SvsjFAA#jP!>=3mNaD5db{-{(P+@Y zW^fvJvn_Q82=x~4yJ5Ne_%H8@9sq9E$c>Fs?$>Ms7x(7T&f^7$1DfGJEmM_7Rz@cd z07Czz=OMHz8?7$OjgJ*WYLXa`K1&yYyCWo8r7*guY*ln~<)D&M1#Vb+48*4}#TFq& 
z@_`D^4>)!f6WwmJpHZXrnsYsa-CvTj5hlLtBvQFX)>mrO2`7mCF0Vnq&gc(%ZKp$qVs!yUF&K@6TG7^K$rFaAp z7}F)>Ezgb;qH4&1r*Ub>FM4ak?e0AqlI-hY&d`c^W&66LKwR+RNZ=k05|Z2cEacs7 z(1(Q?vv84Z`8Q|TMuqTHdp%B9&7Kza=eK1h1u>QNO}l;6mJiNL_*n$aJfZTL?^g3s zrB~{(KUN~|J_D2J`+5RR1@xHpZC_dyA-`2sMD0;)(I4<2Q6}S{Fd+Z%7Aq9hvpU!E z{bX;Vz5IEW-ITP0=6#HO&S?oC=PGzY1Nb*Uwc;N?O)C-VO{2Y{@|3uaM4kQ>JyJ5r zRZ^8#kS5q+)4yoEa=j)gW@G(gRJ&1i8j*q`G0U~bR2_zfDjwH{h4*7Y#<8!AZPc+% zPQqQ*oyRaPQjJR5wAO3VIx+@(iL$>IzF;q+4Y|%KMLCUrU6L_>F-Ry!$VAZ?_~-?* zHjbiqCN|oQk5<)qZoQ_fUxR!HX1*0x9jDb**;*FEZj!VOFI}d+J%xVnus&TTq9z-g zFnp#F8#4@G6hz<`nE6m3)z`mjfc=PO-q01Mga!n;h!$ec_S~jcY(LGSzSQmz*BYL& z;x1kLcn|-@wa)QL4maKCBH_>-p=wMX^-ujkNHKXhs<=3_nC7@A zPKAP0QMJ1PVuW*R{@Yr0ydUFpe>Vcu+3FpjO&gOm-p_C^S5YCY#Ro@u2@Kb0dZ zKJOk68@OMjA(u&l39;fmqF4Jyl|<&r^rm$hp(rbG6lu;)M*6T|?<471*tslieXVa( zb-XCIWpJVkH9nHF=o4vxhoN#^9JWdFw{#3CITPC*T-DoyKfD! zC#qIxazZ(8uJ$#?Mv>a8y$RV17X;MCx*CPrfS;=$oy=C91rHC`Q?}UzaB-~3ycSC} z-{RByJ@I_prw%`H?p0;I>3)U7r_wvYy&7M*jcU@Wk8Ol4Y188*qKwb^HU!AtdTLZ^ zLm_-XBqKI>=zDyr~2o`17-9P z#U*lp&Dg0)0t#yq9Ilb8)DOZ*`gq1i^AYb<;-eMU$YiqNHI~w7?ghLLM1c zQAy6C4oZRIZ&FsYU%2zUV1maT1cVH6%t8%eUlDeokYAGg+*fpD(?(_zSCm#u+DR|wQ1Xt=i&qjO9Scp81WNY`h9oVk=*qsuTqQHFO$SY@2s%^d7^# z8q>N7n1|CFDXaz}NxRM=kqL78 zaT5a>(FlNlMoH9s*)!r@|BdHe<3wfljON23`~zZQ#j&PcX2t~CNrsmKQs7cn-le9{ z)bw$aQ7(L3Ww@Ne@ZO=oI zzakL~^QY3P7s{qPzmW@|u>&n6;sxepgs`sSU6Te?x0WG+x%DaYl-B}ngy6R9ERfY_q!$goqbM$HUn{A$oxzMe_5WC6;Au5YOq^2cQM{^2!gf>X?KMT)k9(c_*3wA( ziwr+|%o0{@BP=PU zM!T5rJxEBQIsXtSO3H-4Eji2Z(wf?Ss>ztfa!=$*O*t3y<7X*%_Hn<`IBXXmZpt?% z0Oh4<9pf&JHqWa%ZtN|%T+9=LCFe6BuQkQ;9@1c3pe@659XyHTalLda3ke?@8E$!? 
zv(dX=^#0s8VgR_4om7}9k3Z<%5dLw*u9ouoN43=Y!&(=LqfD)u5FvXlhgF)gHEr1v z-r47b&e(T+@qQdMD_gt2L18BKwencE9NEU;WOa9J1kf!( z;l%B22)JBtqaYgJs{v4{uK^m)aez$oWL>}|enz4v8zpo@FMtGXR~kvi)WEt01$Q?e zyLf~zT#s>^CzI#!a5L=SdZV4YZ=~6T8+i_^C#NN()Y$}IbJ2n4vO#LDMBV@KG^nT3qO zqF5rvwNpa;a8M1YC~Uf1KCZ0FMDj9Pro~*R#&X>Tm|KyFQzeo3N=;^$83kn8nysTF zVlYd8n^2bGL_WoTF4|D>J7kq~R+0=qcMDD$X~mW@&`RpSh|ht)Ei=RL(p-22lnvfw z+T}L#dIYo!c{TJ7xYhOR&FU{omyp#p@-$@WWx6fLM?bi+o0Cn4XmdRY3HB#W{WZ`( z_+3CS8*{GcOZsj@`FN}ZkR~nAzrwk=B)0J}c`cho{He~mz}TxU&_XUE1uMX=Oms9Z z?^9EM?e2a1ux5laYks-JY{SETSz5V>v0i%xT*_@i{GQb%h!27k=nZ^9|3_5n@$k>_6TiI1@p&KRBS17 z7FVfnJuCuN<5x`IAif#j2cRxWbkt|OsL|TQuJREK>)e)r+cY)PN%t3gK@mtUi*Htl z)r%tyB>}8Dbf+!RPif0WDy1d{|LH^#KsX@-sxapI&VZ7tE+;v!_Ag09DluF_`Pm`b z6~r3A^{3;-0Oh$gCA`i-X!T9j_qs-*|#`zPSe#fQx!#1#jkFWA=jBX+Kf<% z|No(|7U-oUMr#p)NvOMj)G*Ue=gIAT*M7~KB$+LvtQA%3!e@6Dw2auv!w7A6*^YQ9 z*2s`)Z0VH9xH%22jX@Z4!gnrY--D!`(Zwg6d&)0BMPs_O?}Z61Q4*C?8uCXPT!J_i z=sZq)<-pK~zUG_WZ(nJ&64DAEoW`%8lJ~uj*GSykevU2iHU_^}Od9Nq(o6aoqfF;6 zov`)Iu><{N{$NHFffy%itT7h4BZ_3#O};pR7B3PCNcamYRdTAFHA$2aX}W7oDi8ef zx1L(&7}7m(hG6s)nLfi+F$y&gl7`|SnPctPmg$^abjuRE{xVYk^sM<4eI`LefXepY z*fgNB57$&CGTJ)^)ZLlXPML@O@`W<*8}vvRuTBsK#Got*DT2>%1HR*d%{CfgCUaB0 ze~{^Gd_!KOK$jL5fDV&zH5acQD0hhbhq@@;N0;wcvhG#y9>sTQ`*Hp6osmDkr=bCs zUZXFps{i-Waf6xQQvEpOzoBWMBhFu{7Xa55n`kqV|6D13aW4w~5WukrjVR1H+~F_n zv>9`wK#^BodMn9>`N1to{Fnx5lTN(*U3-Y3Xw?q%CT0NgDt`cV{J?~LIb_e*Hy{Pj zi|3ZS!W*y>nViz#QD6^=A{K$nGCvFdEh-9pq=Gji6ZD{>N-1thT2-{$+;>RLNR!2P z*gyS$Cj^2ohlr-z|3GeF37PwG&-cukTeR4Q&%VQ6Q*~f*@@&a1^Ov^!9s`AB1#g}| zqe(&i>)?%z?pA)Bz6pwfe8Zni#_xas`=tVKGJ(8+M@^Ei=6$kU4mncN(T(q-)pRuMn68gGIN=VQi15HT0jKcf(D}PcIz&CbPh}K;7`6xAa z@#Lv*bIV$HhuInZrT5~|>Fb1bNB%s*Upx7o8v17|OLKkd$7*TjgVNy0TP4gCI$;(P z0=|?9c=!QAe>Q&;sQ=o$>`hYT*XD1O(T(J4pRC}~j>z3?9;ng8IeVOSRh`ztxlntK z(fS1F@<%BvIT;R!G3XO%{O-V?_ji3O?u?k^H*Zk$-_6}XBl4=i?lOgS`^8uiqtZa; zcwpY(6^v>&P$Prn9*_+Hk_GQDF;d=vBu{zWhK|O4%8JLxwJ#o7hs?r6#g`jn!B;M|>vPv}ysc4qzhMkOD9Z9JelS z$*GmlYyZqi7dp}sa-2^C{sT7_TTkHi#IsrdiT#~C>C#F5Xiq>M@?%C~%$d)MA9GvM 
z#>u>#APnV7FHU;sk?Cu>k2v}_W{#6EOZ++H9{#Ki?SE5}&un7l zkyDlq4H>sdy(T@g!3h=dzFE5+X9!e*;K{*xlG(T#Z(jT+H3{-qS7~+r$7|Z_FEu&Z zjkU{nn-4Tog#_w1f$lQ`7O3th$if0KwN+7hb9}dK%-Tr}2}R2Lbb;An!l8K5s0xeK z8q=^j%yN69ueS%Sfe0~d73e1QLc}%&iHpMH#gZ8gXwu)_?~Oh`Se}QTK}@)+NbcrZ zZ@}PR*GhMjwET6gzky&N2luaDHD0giQt$$Nc9mwG22|Xh+vCxLJxntXp?Q z0I4X^o%N8`9sEP8aQG;AMWAf2AQz!1eyd=p_|gw3OWP-(i4A%A7Y>`JCPyJx1N~!m zx|X7?4gbXKfO?M>k`zuT+{x$eOAQw%1}p?c_gA35%&zO=x3V~@XQs+)8s+6VhU~AU z_k^=GtqsaJ>1pVkggijzklvl9qUR%hHQKKPERMDS8jqc14NAN;akIc1llyCdfBg7g3;Z3V0k4JJEy$hzZxaSAFoi)aL=w^4E|toz z4$~5oxw;Re|D3}b<9c95@-=*PGp7j-szo&5e8LdQLVF62F`$C87rF&6{$RomXlbt7 zF72j$GZyJa2DSIPXR6?sF`YHaNTEn~1u4u?q0=4t<5wghY>RIXkXdLs$k(gzy=8YcU1_|d zRoVR%`yR5^2~eu7R(nrq-TQX$7AiKQaa0Yw$u{tF67{g}v;2pV-ydNp-mLV-!~V6> zKL-BSO8+wOvXr@$|6$;Pl}^&+ZtKlICC1s0d!8G4eYmHaa2CQcW&K2y<~pjz_DnTL zwb&xQOMx6abwGfF#(>X+!4g?&OG0v>FOe5|r;oU1ZXWY2f5 zUoOG^SV9TS**rE`N#k2*_Jt5!q0fQ&kZy?s4YCHjYWx(kFu|u!a z{6qzOs((9kxn#1q+P70Td!uyL}jh5X8SkU!G5=8qzyT>@hrX`Jf+C1ct z&sQ&6qmr2Ezo{;hMQ0&XRzKedr`Ma7`?5ia?$y#vtFbJVDwnMx%F)Ig{OV-`u^@!V z@jupl+Xaqgaz=2*nD$eIbwTqGz6@NT;=*edW2OngLseG&utVs(VZQHOl+_yQUtEc% zY*9X>(1P%nfBPRchfyAye`rPGfroDbC+_tB?K|>xf)6 zuW`IvD8?{Ql;hJMQPI#G_Pyj=v4q?jPJxb+i05h^JfODbg%`iDF7~~=#z183xfB!< zTjHlr<6e1Q%a(oSM48k+@63s~ILFy9TNAfEZASN8J{{Eim(P-Xf7nxw;cxG3K{IYf z{BQ3}@?jLX9O;WR_Ud;@oKJ8;dvt5fI_+9q<1V^|yLR)?9vba@yRd9YsVBK6GCG+x z!P4N>nHf55iiUj6A4IhhN07Hwh18BSwMvHKP4WL`U9OtV4&z zw43_6>ytLB1X^b4G`48uhX%3<@mpj&2^QGza?e@0L3frL?r4}R3qAer?C+r}>}vzU zxlu7U0rvlyGW<~z&nNm+o8`}vR zO|Q(#%n*0$poZXMl(bgGGG_3Ol5DnE7XwE+kezg3T5>J)s1}KbHKoP zf_D4w*k)`gMVmJMuXn4-S{E0H_a6a*C6UC_wNK&Xy*unAaWo4v&y2V#`eAPo9wK>o zKgUi-W%Ke_zr*vEaJ$ur={yMSLdMH>6LEPxZEjJ}XDZ3_w&d2T@ZIBMF`LzdOwRA{ zysHK!0bL<)?w#ZCMnIdE-hBS*3Mj(A!UswR8(GPjiCnLLW38$9l z>#fi!)|gX&cxr>~^4dBeB>%Xq#}6ptz7d1}YfD4#@yxw^qOyY1N7B0sxAn{`G$CrK zi58agJ|rKiGARMIY!rHb%SHag%{!*(E*Tw$li4Q6Hkj#HW0yh}LFG%2z!}kjk_|0Vk%zK*n zho;289ln1cfv;7(kB1yY{;NUp%IHJEag+aQ0DM=!b9JX1KobAoVcu|L|Bumx|96=G 
zMQG;#9p?Y_VdCDF_?)xomh2mxkNK3iTVA4b&hNBE1N4du7if;}d6Xg8vH~BEjZfE1teFREMkiFWEBe zCHU*m6NAg4C%#ullU$4bE1xa)PgmEjde$qqVpL|nvrQxg?s<&0RLYVbW=o1h0sLa} zfW(-$sX zzrF`UYmU#Oz@|pzS=uu$Oejah;i=qUU^-Bn%;&^VnVk;dv*O{LgV(zU(pD)!(1iHg zmGbu!2FTFyHdv8*2Fs@Rg)A@0FCRUEPo6R6zNv6+dggYzEqC$t!|-C$kMB8)&Xe(EpWFj(&MJh2^M?vZ%TAMVE*eh(Jz`1zjN zqOsO`((2p-bEY0lAzvxRrg~))e~|U)2a@6VzhJeV7t^z7=p4JUL*?G1Yu&xz5}6GrnoQV=WRunT?B4f_>`RTKFA& z4mj42`d#?1Td8}Bej6VabMGAWocHgWt)0~+-0|8yT^>dGA}LFK(rN$|IkB zDbC*Q&7(@Yd9h9sJSIuwuP6*WNBs@+cf}6w`5FLiom+=~zDLfv`jT+syQgR+Os&${ zzGINnKDSTxrc5oBS^FEn8%>43&7%wuzo0g1T8~kpdd1YX`EyrBoj#TTs3kGX=*Tom zybzu_@%1^8>Nl+Zk!IUbP0MPO^Svlq)0XCnBDze1*xG^WXlUS3%UMs+@SF=ep-t%s zFI>kxgYb4!w%hW}xL!eHBdujdDYSy$Ql#?*)kANpqlftIKh#4+YPTSn*WIifx% z>xNI=$gjWbHlcHzMhHxe5P&T1@b%7cKJr^SMN{c#nHu@`i+X9SuCwtaSL=oT9&1mA zTeeB~AN|~x>o1hgW&jv(Kwi?Xad!qJGPdCh-Ul1%U#ie@1Fi68PyG?;s^EB zo-Mz4di%Ha;YY^cL?G*u4|I(91O?TNWaDfO>ueu;iGTC0Yz? z4k2=H_p%`DC~m;?8$AP7y|W(=9SvLu($@`N)T@UAgi2MkfKI`v^N1ogH*0r?E7(cp z*^Jjf%=w^yYkOs(UhkDpz=?r!W`LwJ357=}yhgGPrtbUc%J5*Wvjax=2*|Ref^I85 zaja2)6U;)3Tk%BDyV~LTUAP{p+17ciE=`%qJ#O9zABw5w_fMRGVHcmHZ|#}MlarNt ze!Ha@Hi$W?$G4gxXQ!-RPaNoNJxW~?0arx6{>Gr4(K?MFFyrH^?B{wZGzC@1Lp4K8 z25Im!+v&KETDCO*47qVK-!dEaT_kGcgg!PfdTB8njtlUP9F1a5NQ1WT?HT=89KN!h zUXgFyi-)jdp7Jvqk|^hgj5yGGc@|{3R3#u6QqXKO*-#Bc?RixUf zJ-!OUuH@Afeo`C+_m)cD(pc>H(X;3kMD*xBzVURE7*b2ar^5^bbl$#_G)kX+ppU%& zJXH8%m5#Bup16Ce>8lGiF9d7RZ^#Io;eGXGy{$_Y7}J0aBvv)K?+8)MHF_M6W;FPp zy=vZGInUl(k^ya1Q(t(oavu!?BMy7tEVLb=JGR9mhl>*c>3TO1hA+;}Vy(?C5i7}M zfZdB?gv})*iW|_p84IQpseZA%pPeJ`XKqFN01qI|(gvo_Hj->297_>aZR;Aoo~iY? 
z6HY}J^f89f&D8u0N3Om<<3+=Pxi)do2#{iI{?<{3n`E4=@8i6?=7f;z$_^GoRET(q z<$Ubv7^{yr_(82p%tQg9=CpW#?Wg+7bq{!Qc`(;?2?vXgU-W$AIcxG(h#qSwzl`w- zAGa)nnl)N6g2{zlM$%C9A`BZa0)Y{6xD$y=Vq?!L4L$bJHA^$BVHC5t0lp6_H#QOWz?PcW?yZnx%|m2Gi5X0hBF`i9lQ1J~deE z&q=x!r|8#=G{poYb5tsoDLu@WkFFL?MIJiQ?#5?b@6T?w`g(eRs`v4xQQKjfhJ&Bz zt zBc*eurYXk0n=>t4Y3S59%MWX7&7JC9l7`YCot>!TIBygoVH*`{LfB-p%9tCqzJ7BNVQWBL##5r zATU@6cw3)ur{wv*a=riaD!&o-=x4F5#iWkkEPnUY$p?rd(D^4@iM&6GLIp)n;`0cF z|BIX;=7kO6mM;yRvsYn?&0&iYAjsC*S^5T?vs?(4J9fQ0K_s-}-R`6F?uL~sMseeB zoRznc>7NowgSIwF{0~Ar-OMASl^g`k1|}RugXDnGKET4~dxVS8<k(A{ewuXa`Q#C&ednT>@fmf6bykXb^sQwH#G3<*k+2QAA9i{IkQIlb@6Dm(fWG)>84 zUVlCm=kQ54q;^bSIPXE2-IZc@*c@;kizT0OS|X z+!z?wTvM}V{kLRJ!ptxHFXsKF+vQlC7_S>6=1|J`Oyxe8H`m0HL|pk3fo+6WA9;QG zBVVsjS95~_cCLj=K?@oEgrngK@6z1!YatRt`ql^kcJ)r(_t1(lD#)B2>-k~4MJ#hV z+G+hHj-8=gTQkv8lB^IQmSPKoKgMPHy#W--f4R5}%|A#~vk? zw5% zxvSOPsk0mr;VwzUDbaos=DIBs&kIVYsSj;;+di|40JoG%c$;2_`V#+LrRUL)V(296 ztoy(U$)eX|$>4H4Hi0dme|m<9=Rtvo5q8sAQ>g#!vw#9rT2+F8wuj}#M(=nNsTZm( zz9i+7n325JLA|Z>xdW&e$~qkiWlS!I+4b__ZJ-29;(UF5(l`A+N?x}Tk@I=olCM(l z2hQET^ipQL4dMVPG%p>qjqb9vazhvjZ~ZoWrQ;<2e!@}pdi#FYqUe4uKVamo1K;^A zNO;93P`UzcUH0OcRUx1-+L!IK(tnPiPx6eHRlfTQ=yE|w$?+QW;ND=RH1ut`b7lv|HpDugz_9}uPK&ROw&#$J9dJJu`6amO* z?n~M)5_Wsr1wjSnI;;|+mt|KRNvCzW|dzCO;+|>B>oNp6;(- z9RZUhyf>mLBvD%N03}2Bx?-_nl_~ON!BhXO9qF>CbeiQyPjo6AX?3anzrYB>qjw&o zq=SK<;(pA!8%g{~?{tVs*2EPM$j%h)CC=bD%5SUUu4 zOmMX;j)@HfNB;2^c7@*w7jqA#eZQVDM6FV-qE^{}a`d6QWJTqyuho+G=l1e8wGHhf zXEwaz@OKTAK3|Tx!kyIdOZWUIUv1xA*J0GeN7*Y zG=h+wt&^oH)SJp0L-!=^3LM{7s*12zD{f&o4aF7To|Lmcd#-XHx2gCh9|RP6lZQ%*fP(bCh}Ye|U*J7`MHD zFf)YCwA#pjJPz6ifg;+eu%&wpKBFk=6+H5-hchp`WR#ba}omtAz$h` z4wu!Gd#{HOdl{XL0T38xD-RhkF!v-0_F=vr*ciky!6FMDb4R;ye?b@CD}U|4tkjZT zPjo*Z-S0)_ZGZ~tJ6*v5r0MgjUUjLidNQ#GQi2NZrCqS)+eQyGBJRRY@&$myX(i0G zd{A)|q&`q zaS>Z>NGS7jBp(MPhf^bd%w?a3%>-TCi!(>bDZ|!|NeEtbPrwUKz-}2lZ zGY37NmLz^0;`E=gW{C4i7kc@65QU17EOhWidC7p=Z?#>9k-U*|y>hPUvzPj~FvU>( zVD9ar7M10O)Ay!I2qHfScxWzwe%^moC%<7qA~yyk^$ILJT*+H4bX=HkP(#>|2XCqS 
z6O69u+1Ks;d*AyvLL<~@HJ{HReo0AxzEV4YqJl#oE56SYs)xB;Ry3ep2VHrDJp@!wM-*(Q(Rw?vw6?kVdd+QKme;AZ^;a13csS5HJ+?@(b}$d^@h6wY-tQXwdMiPd>*Z>i(CP|y84>1&ZJ4@Y z@{AviO0e6GymGCr`i5bLs2}^NE$kOK5eBY=e$u^boxBXJ5o!(87kn%#ObNRh2@bQ( zmrT}*<%(U%3iX z)yi}m@->$I{q4oSEIZ@Q2L=*Bdq?z(LFF7%2D7NQ6DydLTG(2(hRtM|flpY*#lV4L zhOftO9DF3yT5-JaD1m$Eks;-M~xF2%5%)*?}FdzOk`diE0{O*y-Ldf1a3kQ>=ceL8i=RmF^No2=hk^~Oys$IA%RRQe7!ieH*ac-t{}UPF`6Os zi^o?>FV(?CbPJ(!WNzTE?GA*e(Z7*XMRxxuHH zqG>n~p0)aJ<>Pl9sa*9qy?gQ1ndO&c<LFu! zUbG98#|wwg(~H50jPrS!%GotQ$_;u{WRfSOReZT74`OBpFZ>~)w-jeD9gSIae;vO4 z*kkn(Qm$RLEl^5F?5*Nh%?c*u>DwxU$a!}Ga zJfPM{nE&6To=sc0O7oJ!zvv{I-6hmkF93>0J@Gnrw7&seId9-G>ZzRe!WlEk)@Hve zM%MI-^G_T-#{mIrK%t?-g7xm|?6JT6Z9~n!L!9^MBa`OIB&EOS%Ochgq~kASBE6fa z?Zqm$---Y2XZ%_dEz1Z>%T?1+p~N7{PHBXufAFW>}Q-TDnUB>KTDK2Y}LP2YPC0Qcm6eH3@iC*B!U((tkh}dhN>GT>EMi` zKY%0Q`rftd(@GLw8m0S$fBRVvK8H2@3sAHOYuw5q6{|p z`HGH04&lP=ivG`qpqopaYU)N#LU~XP!C=BaQDFDB!rQS@XGeik{c;mtL2s{y<}|l1 zolCe4hD3PE;|9OEjcWRRmE-2Q0ymeVh~5n4>n$$X4q zY|d!@R)?cFLj)F-(kV-byMj<~LuY@ngqP z!q8Y?{ml$Xv88Qy@P5qt7MzMKlJHw$A($(HpY_c;x@t3lf-=@D^hFYP=UU}sxbgxE z5r16gSU6`!@SZnXTY? 
zW#q$AnwTV99PkW*I9w0AQ*XHSi@ks^HLv)i?#aMeeM+(oT0xj^2V$pQXsr~bt|Ok< z3_QXNdWO{#r?JZ@U_k=e84=OF|3$xgF;&G>=S>!khC~VNm#eTs?dwXEVmtKBUx*9$ zP`ws!QiaEAWp1Hz1D}POoZH96V5%&#IvU>BtCWnq%0%3v{Wn=RGn{0YzDj8Q!UsB6 zlV6FKT1yNX%vy92U+(8?7&}=CiFs2?TQC6MIAn-i0;A>aR6>(AERiQ=M$Fzl?ABZ{ z?Tgv%Q3&jKvN+v1l(mbJ*Eb@Oo(h1YmejZ7pBfr;cI}_ovDC*`%%oN(Ug#D8R)TQ8_VUvgiF5fIgv=C$;N;b*1 z!WdQwCVyF;QHRV~7t52)-R}&D4CKrYD|=!Q*8eSnro&uN6z!#KNNCLTbiOxWsy(u= zICV`TZeo&eYv9Z>#>Nw9$^?*dLVN3n_-TNu9T{Fv9CJ3Nff1lRzeo!6ldiu4;tV2J z8+`-@jI$btjCeK45L*MXQHgGprC|VtjY0(sK*tY^jwjb4iUF09NOcu9G&cETw*kiA zHdRAfU%e0QrCsvM`C(&YWc}ma78^JV*vmMYO&K2J^l<+EWI_BQ2N4dVk6CNaYQHff z@p3C0#m3TRdgR@w4S7Rd%LMlYlG z0*yYnSXz-BMET6}+Q`ZCT?FrDqE`XIs{{bmBR}4{)1qfmoE<>9&Y&#C{_une0*S7r z`8W+a*4L+NPCYCM%;|f5QbVXRFjLuK3TXVfdi#>UoN3`mkT@D@Kf!OqfKh)n6kO4l z!@HXb=#kU;b0$CjDbg=7J8^SY=C%or#B9n;Lq|a`5ueUHp##tgQ%`Xhv!t-KRwEw5Td0 zXG);Nh2Wh-bwL(j&?5K6KZ-vrR-Juz%Q8WC?4mLkkw!mRkhh7qF0PYFLhuP*Q4t-? zc~F4@3uKoiOiWON2df-WYS+t3xgK@TdTy0f!Pb14ARSRJ(VU=-vs1C4L9#G_q9%Ix zsxw8Ge_e}P_%#z`*`L!uHG(;G6I(q4VReZ<{8v@w+OrXOnM1~8sx4+49Ipya{i0<3 zQ*RatvOx~lDh=2%COgK|n^!}s1TpA)h~>syiC$}<8B(0|Yl=dRdcGqg82>q`yc7j5 z#4c99@qty7Rmn8Y$38PpCKM@!#MWM8J*mKAUnQWH4qLx=!n8s1^Sl zU-G`##&FxtvCYba)|`7kJ|xO}DRC=T&ZeIW2#tI;<5sEbV}yrd(ti}$Vw4ErQO2vJ zdd^ZcBz^_k{={>>33APeKFztEFRqG_-CEgHKu-_Kn(&ncW7x+-hT$lr8q1*DO7Qk~7liY&*}x;_kAPx254(y90a%*|LmRJ$ynV!0?#5^KMk_*T02 zfUYYqIOw7m7m&jt=c8_s%fmA+1)?a1s!U)+R#FnEMyJv@+FJhT!7WPuZd#7bO#HpM zl$~)(3Y$1}WI${JcS1lCK$VoHSB$jmmoW&1Cy@op1SUx_VFWNjZc4sbswk!nxDy;_ zPxefskn`wo6sf`Y$#ny59C+orwa->aRq+y6#ix;INVe)N)l!cp=a13{2oZYndvGBD zL|QHF#vDAMb0?#6I`j`O(Z$=LK!oI8bP{8gLtQu+uoW4?y~4QRY8Vk|OXKn2ds6}` z+@q#dA_0WL#tzf~^zW4ZH4Y4nriCSebMq@Er4Z=UtIa+sDU6Z7ha$G^UUW6hqnF!& z;i<;vfyH6>?$ex_`0N`f^=#<2&^nIZMaepa4D`|-yWVdH@3wh537K_IA`D<{{K37^ zEOFYgaNBxC5>Ep;%YeJcgTYZ6MFeA5$r=O+41{7?dxUA5c>5A*YiVrq!a^i9Cy|-* zIH))UaB|ua=<8^rOGq5xlt`kf)U8^99Xf*fY(#iX8g$$P54aP@5IE7AXY&lFTQSbF ze#+K_W*aPblgMLrN$R+axdJ|~v8NYSbVRJuX^i|uNW+TlI3;@$hD_oNSfwqj_o5`_ 
z_rK5q(44&CNo2h|wW2ha&D*;Cwlu-d-{mNd@#LY&li(s{)+wj2tNt!K=Vjgjm-B;XuZsy{^cK<6wMPd`>JSGPP zC{79Lz+basa>WEhfjO5xIR9Hs;jt>tTo5G1ZAJU>SPE5<9mKCDQ^b=7KuyhIgUs|4 zh{uPQQb|07|DyV1eMkhBL6uKv086qIpv6q`O3{;dXNFGj&`RGupZz=&*!tk>r$o3c zvVMs4lp9^6miju`n5MgrzNW%80^@x!JY`9TnEkPP__f=gGx`J&C!;VH5&;!y;~%aQ zc^67nME8meWP)Woo91AIO>Os&2utS|v;RLG&#`RhXf}dMYWE*3cyM!Wa~aiI&|PWi82ro_^r)lW{gbFyT3-sL9~U|E2ixnr z!)PN)@sfQegsE}wr1D?~&Kxy8vZzx~O}3StO`Q66pHgym!%|pQ5e-?dM8A5<2T-z- z-<{fsv1Tqama~MZq&*Y^P)@xU9EGr4t(!(U8i>wIpf=jAbP8Wrpehe53|&slJh^7q ze*)+pp-hkW#U&!NkWw~Gzw)Ri@kaEYb^j*svjm`e3B;yLO|eVKG7ON%SIkgsMfcUI zG%((4kE}dNDKKguT6?xP3lJXbP9$~w&M1+aTFLQB#zV9b)WztjxM+k{)Mi&EIQKp_ zf2>}CtL2T&#tb7+oVAVBttvzBQl`BT5gZXh8tC>xI5wJ;KwXlq zTFjnN9QGHBokiJzX{@9gR10wzKqpVE76ny7FwRs~mX|R$855X!!9>Dy7xHeKfHhqDa}v^#c*o|Eo}cAo@kA_>B62l4bJ4IrIUMo5 zm1B5Ga2xk?_M_TyEOzZ+>%HZQ@|C|;7q$3hqYKfOQmBomVFYf&ULH*PihuFBZG5-Q zY*IpWL2GRu_#Lv7r9q1Rdp>`rP04vM!H%)?z?7od)AAfWM+-}wffQM7_=jV#ck9d# zB}JN%3romX!^`Z~@2IXJrcPo-R&eTvX7V7Q$F82A)HP&AG@bsI45hb6-e?(dO)z zDaw&&GmI*utG3V0E9Fj5%i3B8o35yyV<2pFxVo@nsJt!4U)RvuSUQA5@`(jGaD(Md zstL!Ncf1dzW1ejdW1j}L_I>+Wxbi#0v=D#KBnt&!q{=h4HP&kk0jVd9V{Dqi08AP1 zh0!!(xU}lf+(p zsq92A^n=;!N>loh7(S9w%`#RZySE2u*_7qn?O)!xDt>UfQ&(dv1Af% zOEON4)i?*o(*?^SLC9Vqur-1~BppDHYDtgu%YimeU}5c&g*-AzVNT*OIRhOpvO|2M zPXCyUqB0eshwP`HLZEB^=DmX)MHdwoiMAQEFNv5KTbF4%xbDt z9JxduB9NVsAZ93$XE+FU5UC+zLwAH7k1Ay&lC&9vMnvV+&4qNWUOwkU%gtILrG z>k8hk16xyrS9=Y?*X_)QG~KJbBvn0!v_%a@pylaCi(PSRzNfj#Z2k>V*HwCEN8lp- zeS!Li!Ab91(W+4L^Kl`&4_}-1ZPq)QEJUFnrW3Q8GnP(rrMyH?7G|!!VRH6i#`t#| ziAOb<8M_sGDC*e&Cv;%iUf^5yyKVozbAzArjNZk}Flj4}PcD!qExrQ{T)vmI^!sxv zea7hO30PjbR0a!*KU-{SoYfsfDpe{TEAT|^77#1c^A~*v2H?dQHc@91=^8pQCNV_z z1!ele{Eibb=HR#FKBVXM)YyA8Wt?Y6td1QE=02Djjky=h&-Ismi5(j+Fn#!uWBE{I zCy;YySPEyahZt6b;Ic>-Y{4S=0>~;myR>iH6V==$5O(o$j8Rzf20yw)A4JD)A0{sf zwSh69G)xNus`jK0%ZZSOU6K$Hys%?M-U*3Pl4tni0s^Oufil6eM&{8S#Hbcqrb)fk zJ$Bg)yT4I{I*n$lkiBT17_ zFBin}j@u(TBWbZ2CfR#hlf)^qmOY6MnhX(ROr{nva}??UQKpYSKf%)KNd>Ljl`@Eu 
z>zh@R2W6@?cu%jaw)0(2wzW5>$^sIci9C%^Jl=M_%iRm>8=3(xMrWXTtzfgAGk=-* z;2&e3O6DVqVM#lrFI_ErqUMUu6&H;5dV-h5q2pjeJx1{h?zXF4 z8OMi7D*|%{Y(Od~8u9AurO5rxQeO7SU8!D;2%#znSlllQ;0Udro#05hWW|1(3FPc6 zN__wMvk(2Xac<)eSwg0VugfuZ^SG2gJY?}5{c8zTczufqbVq4H_jYTP4T1;D))%Y0 zVp3MsA36eQwQ;nV5$Pid?E@p%M$@F&c3DMvrGHLwza}A(L&v6WVPnfKwF-cdG(i5L zm(;iC$9o}lVvU3#G(KNG_y01*mp)z4E7_HjIBk`T9R~7w7~5tD>TjMJl7t0yqeP%Q z#iF;opp0wip_~17bNj5$jlqvNiKJ*%f}zQ~<+j;ZXnZKSOOPsN@s!Zu$`HslbrsJ@QwLczk?l*wtkywH{i9 z>pHU8qC5Vb?@yc&oQfI@=Dfq@A?>_ZqJhKdq#pd!PUwLZn`puana5%CWL}Yz! zxgBa_GR!n?O?3#lX1QAGRpZ?ZpdiZC5U1j-=L{ouTPipDXA3Az-7WP4#CwXsV6$HIsM{ALBvyZ{-xrDC88$kn#8Y>7_cblks_mei6CdraFvA5x_ zZkbnYVwtVNMoBG4W!e&~{EqDnF-Q2IiB?wyrZlB?Puu$$wEu$)dYVg7=CA&1@SODk zAnvhIb97Q1GXw}4<~z+7LEVK>T6DSPmLpdm>pb=n|P@mG+dfHLQ=X+kymmof(M zac&77EI&br>$|do7lThF!Zf*RBuMpZ`wM#Pvbm`m3+_~8!VsTJ`XiGX<}KDZ$!Pf2rJL2U5@UQ`}JiOQ?^){{hI! zgt0?7u(T@ShyIr0HZScYE3FIXQP8ZY>ym=emDy*^z^c<%PR+Y%D$ESggl2qY1urWi zx4Ue({wk23yYDM~g?~EBT)6lKW|;o_-$O^k;Z+9gawQ#xHqJPU)ovIm;cu06(mo)C z(n#<}G$UMaqHmnFA3NKoAJPS+RBC9HTO95=zIglrdD=gdmH{cK`z)Z!^~iy&G|{Ag zM`>L*qV1CX^<8;KDB8_0--f}Zne_ zmsQlTSK0}W=A3I-A+=8Xcf&d4PTR3ISG}&>AXio^y0caiQzH7?_v7>LE2&?Z!`P;G znNW$>I<=SLbT=BEMxS7BPwZ%9=L*vne_%alln)ntiOTvxzQLD&ncnQ9@-<&pG)g8% zdShzB;rl4;cX&I-u;4Wojk!^=CzTqTgC@&HtrJMk;0U)$*KP?{^aM7f?}B5?Fk~UW zp%F%A<+~I8Me<`_pU=hyhhJAFVq97(C-r!EN&`Ggn1XA?Nf&Q~i}O5mV!S3X9{HU% zlGX8X4~AhnsEPnc2C|x25+)m^q%yAM|y$ z1BF2G5!D)>_z}v1I@V4`fFQe~c9yQ%OB|`nD-fScj+YMvvGjW`fwFVD(!PKc| z8ti$y!5K%c4x*(ZW3Fk1ar$3L34>L~_Y+DMGN?R7r*s{aJ3n6lFdpZ>KtlR^i~*6T(|$1inx_FO;i|3W%q}qC88` z=IqQpOl|a>M$04cNn7XO#2zO`Y$(vr)?2JYs2wj47W~!F@rzeQ*d&jvG=LH^hK)W_ znuy~wcXbLHMz;RcBuZBud5e8}pt~Zt0@ii%b@bPHJg$-6ZDk{{CklqzKyjjwP<efY zph!+YkLYm3a3(#}7|iKl0LZ|cTU({8x}4-RB9c*&1W*Hv4uKu*x&>KGY#!8vV)QU( zi`UOg8Rh`3rcumuIkOBhMRtf9Xdq$K(H1Kaf+y^>{Okd7sq~-hwRvHEb60iQV1dg z*w5_6GoNU1E}CbCCc?MLe4n?P}0z>3LVXEMGDm)mdU3r@Arzefl_72cF1Sw zu>?R{`hTu$MuwPGHKa|XdYD`a;GMH7mj^4&^Q<{&%(F3rLDgllf1PO=VR|5fiPB_J z?5M2q$P%pr%yI9UnRGvun5m 
zViA$7CZ*Kqv_nb^LmehH^nshy)BdUaSdaw%wWT_MKV2sHo zj;2*x>DwUn50>1ja8YdGj@A#86A4?eC@9(ulD|0n|8M8C62YybFOX3?F@uS1DG+uR zS~MRey*I)Ew2aBTf0_KFW#lw0Vd9bomXb4KI6_P`4U>=JQVp3~a_}xU7a_+df(NQE zgKJ(+DFSg0>iu?Ytsxm5%kmrr}eG!2r(dc*<*9; zc2dJ==0OF3V|lav3zEkW5aLJ3_=)oPVY64RxiM|wZ4K6n!oo8AGL&HGeZ?ggiEDIG zb7EqZL{?2FH17sV#(_<}sDEXgwm;3L$D*@7P0EccOmqz%KdUNbAxbALcE%k1DS1Ey z3gvZ02HQ_vn1ec#s=PYG37VIoY#PekFS+hF_n;N9_5deWeeq%07=@S461|zZ&K68f7ziBlG#SxC4Cv${L|ZiP zj~lj~$B+1x>9ajyOvf|X2+clvizLJ{>Q)AE*lyDx#X4t+mBAyZ*kkU$ixo)I z_45jkxFf`N(qJ|<(&M44|AgR=i)>2%kfg|(HYBpLGpWVv$WI<cLyyjzP+-Yqb?7peIWHYhblkM=*tk*>n2Y64m_z{T1WD}nxKx`9 z1)fsb;%a)4LHcT1vD-BCQ48u%zc8;j0pG4M-+fExizFa@S$|tME3J3I+R~Y1V3HAW zisYl>b)}pq*epJc?d>4kg9gj)XspH}ibNG?^~GuYqTkK{EtnE)P={XTw7J)ni`gAs zKWxrbw?w^XAv)C?COXW0Q+JwFc9lh(Hyw$>Xw00xKDj-Nk%4QIJ>;?}%vm;!FIDa~ z%Y))3LKKB%)WCtZEo&m$rNx|Yjb>uwlIF1*UW1u7f1WrBw&}66e{g9T|6BTxg&ss) zr%aYuTKxIgaD=n$pQ$V2!4l9b@K8d$$ihYZvta$M^c_t`imBUIPqa!u5(?wv4TcLKY_x@Z_6NQToey^h2ONq1m@^_ZVt^S zDy`ozjccih!P0*nDwHg*APU7KW}dRo$%(ujO6vDj6kOSuK3Pl@l9~eh=8t+w3B`WHNNwAl1`zM+XbaSFm8H^nRpBl#2Fi3}nrd~&8+l;fA zrF^|miJEr3QiE({b2rP~Bn23(LPOGE(wL5Lq%beh*QEn=jDOL0{d=z3$|YDqBtEJ8l(~&uTv8JcD$O zSuYvWL4BzNvdI4Lay%nh#Gmo8j@zf%o?5OEQv|m3-z+44zy=kZ*v6-MFYvV`oh@8r zGX^VHGK-=^V{5psn&*D)Xq`!kLaSz(nSlZsCr|99ESm#6)!53a2o9ycENy}s zh?MPaMKbM;#G8^uA#3E>fDnHOZtXHm`$kt(t3!!s54-CK+w44y_xrnobyh2wU-pn> zl*>$dPONj9R435pF zF+GB6K^xzns>oJ=YEZ1(vleQ^KnT?lJ<`%1;S#R7j7~L8W3!A%lX&J<)}ERGx9>vp zQ2UPH#_%r8^#Unk%v)8lXWd`T(vSe0^YOf6)X^}yBg~%eIc`0y`O|-CX5cNsP?M0; z2Us+&p!cA~STwVnlE-`nm~}6wwTVOzilTm1?!w;NcqtSwp0JH{@rPG3u4|rg!{Kv zGl>h>0Wv0X?4_kuW~qD8Wp1RTNi2BtT<7`_pvQF^ zJON{%Y&dqz0|{pQmIQ7H0fQ4yYAOT6j%9f_H2TER^aBMu>3a(XVjMhh^L3LdMOy^z z^{sSd?MErRW#d|tY^9p!^E#W(TqXf1zh;{%wFEuvDX5fTJfEl@vwU9)GoJTeTv0UH zu(jSM2Qxy@ipektbRw215KJW0gEI6q9G*PnOt0BEI8TZUM+b*`jaH!5nDr;dO*R0k zO@2Jy6T>2H1rRfAhFLl8)%>Xm9BlLSEu?nFzu2_}N_UZSm%$BVObZYNdO#v&hnMRk zUxBB?m{u&3riw_{!mA?CHe=#{SIy?GMqdlniDL|N%QnPhXzGqQHk;K<<@%ixt5A!W 
zjTct_uC%I$w*CEr6S3>Mg;BnTsO)uR%b^vZN(0fP_|jO`e9C13=1d?*{kEEl#K$2k8jiCje%7072vduo)OSJmgkT?w51rwiM^MB_v1_fUv{y*EfITk`d_jY zcbZzE4HrPEO@X5tcG*{!;0f~QT5i$Z1WT5f|I1S$Zin84P__oG?S&7DTVxzU+C*AD zw_G`Wx3R4e1!ADPjNT~`7ff5A^Orv9%z4;U=8r(UaCg4xdB3}*&?KLijDW(?(u`hT zwy?b=LC*0DmR7BWBcgxW=eH`;J5z1YhNGX~rl;HTZb6_ng6NZ&K3Kk>V_)xC{w#Ru z3mmeq-)G&Ywt;Tl zPx4(&wOV@npE)}(nCx81kIi8JUi0hwUSb0|wZ^W>_p7a!-_NylDl?iHuNyxb{x8X5 zeSQJ*+>h=5TL&LLiTW|FUKf~we~!eeBP^4Dq~IfI8{j@%hFzl{NS$ORb+QwJ8fb{NF4Ueu{2|T5t&@(sdA_ zHag!QpJ@GW^gm&ruzKnOlJ0f*XB+=}5ZwE_0{$aWZ4ed2qrWBpL!zsnuWt&yxBL&5 zJ`-oOa{nrTh#G^&aR&^JBUC>*yjT* zg)lqNsqgvZcYQx7N#3bIXM#KR5{0WD66nVy_gH;pb9u4?>Vy5~?Bm9-8r*~^umLp| zbkgOt{4$-%OgQ-Q_Dk3)ydQNPlvFSOvI6Hx;yHW#A8eXk?rndL4)Bw2NsL}@Fi!aX zy?-B%SG6bcEw6vNuPRO-0>hnQbN50<;}!TQK@M(_j&IXv_i8>RuKmjW*fx;*2{Gk9 z5md}8;eXGGw)X}9-hP2l97IAZYr6A(Zl3hm2LiKSy_4Mvew^LvNw3*W!z}6_nWNSD4-WPR}3UC=dMpVbjju#>+OI0G^SpD!?Vr$1Fm z?LD8tCbyk^zGDHWD3*txaC}GD?A3s&L$+IiCn#6bkE``_RR90^{ePyt-rpBclXbRl zASq6x?eDmoFAC>^omz_%<&5;eyagLo;N8Ve$MbtjuHu^s@RC)f|kI=l`KN zm;NBx-SnArikzRP`&eDzAEMg>Vi`07B!3{CR@ePwR{qn(VSd@4zm06%+j(8t(@-LLMQn=WEB=aQyUT3-Y)`i5~m8VJzS%wL| z)D$hE{DEtGB0a#IZsoBjFUpn}Ak{=)!-P6?0gl`XED7KFhZc|NO8y?@O@7qC7 zlG2yEx#Ccx8)aN*x%pK=GZWE7l?P7_aXv2hXBsDEk-U~M4onm47Pk^Q6SP!SPmgz+ ztvK5o0s&iSp~@T*6b4{cmC=Ndk&XO0>_4ei>Fna{5Jd@OyVTM$X#k=H(5LpqVblt$={l5$3#bB1^$SKN@L0YB8 zVyR#&aMQaQKT{6;@RjjfKhYBqUF8`l&bfKE0?p4U{DXto$BlIMIVmag#2h|2j&CX6 zX-(m#XyBHeE);tP#)v+i3*g%D@xKj6UWW@R?%yMVcoVMH>MfN`Agky?<;>Ovy*sI1 zokMm+syVUPb-h+|UQ%;n#Z-WO1HNg31z$^x=(>yqIi?R}FGrWrpURaKSalAtmWh{X z_}WIKF=>X?u-x5OqX*(b)>OX4bO8*dn0LvCe5s~VSBU6;bTUE`yjRLN-UWflu?pcXF^CbgTT+8@O^6=@a@h;1NT5yv zBS=>xWrK~q=roqncDhllZ)KEpWqqfNsdm-^re{}p z<#bj~D@*c42Z~!N zs9@=)HAEQ-MgT9v3P4YFiPrOG<7-v1AL-AfLl>)5E;E}x3V1$hQ49nzgSq#QZ1(jbW&E5NLvN^Ld zfpS=8PyQU`8l(tdRgAuk=H6FtFzrB?4#14hk3tsw>IEIld&^@=kF{(2H4G+LMY93D zdZ{4SPWYHhG)Y3f2yOvV)dSXun3tn}zo%z9>z*Ua;m;lo%vjF=Vw!Q4FX;&ly$c9p zFraUJzOHlM_y;2S_n7)4<>y4%juWAq?`!t2?R6VA=#DqGH?)ZUIAOC>m6jR;qEQ4y=Nzr4VSgi?_TpSqZ0Oi7o 
zj)8NVI^Za1`yHUxsAFE?je#ad09LdMj?xHe{^UHnV<%b`N(B&d=&S4DGejL37#OQk zWkv-+?xapS9KO>LcxahvJ*LM|b(PqL)=v}Hd?T3M$HB}HxtH=>APNKpH9HVS`VQN% z(VY({E6OjPED>T|;VL0B3lSwI)NnhrX8zb4!+4`eObBewc7A6g%Vs!d?Z*!TTrF4h z1>+D|5zr{#G^vAK!+9eh)ir9$YUII@w=I+Dsb+!Cb58Z+>T#+CLkpX)A`Lkc(CM3Z z$^X{~7puqBH$F=#^9+!~KZ~`4x@FM_Clw)Z;7>KE)9)*VonYE4NH!xQXl^K-f`5hz zD9aW~gx;+&x@1!H{iWnGR08tN5|4;7!VyyK^L!PHxvH(ay9W3eCM6{t@GAK@SH&gR z9xp*@icak-*fN)+PcXkipN^3@W0VmDsB}hmYY2GG(27bhkg2xmTw&L~?eg^F?53l_ zR>+K-Rf?bbNQGtRz?~3lsTVXJQhmc?6j2puly6V=v(@Y{i=!i7?aUxM|Bf=P+j*)o zg;cZe99VDccTiG$7(1g$Uv)=$1QKl@+CwbnlLSVhDGqJpuB$>=nZ6((3e)h{1AyhP z@&uSd4r05r7Hmx8FPtzke&;ix(GMi}RIatqxnUCCY61NeEr4;B3JDcx&v?GI2Uv{X zHYeteKdXKqo}SKSapi6voMr1?h-*pTOdXXa1nJOMSXwoFdrf=!DkWQ5crudid#lpm zz8pWqFqSM<)sdu6pBhCG5zS`ar3Kh>KDw0!^DLmnGP~Pxyz9+(4wgi}jc^3Pf6A2i zC$}aYVj1X^2q-%tAOU)}(&&=A&7Nr(3(A;hFZId|D#I-2m4&mK2NjJ17)A_1s^{RY?vtg{a6~8Z z2E*8D9l1=*Q^|#Ba~Zna4O57i*WNhmd|5}F1?`{ZEWtWX=G;&mc{uQ z0!?dPUSW_vj@dx@kY*?rj$erzn3 z)PpIw6}1{Ou~7|+q#F4q)4PZNRMEF+mYN`0IH|Urc*N~d>&I7C3ygM1dekmkH3dSa z9m`1Q1z&;Psat&?egV0a4QG+jh|Cs{-!ypsT2=9@*jT%E%r-Wj)4f(wZXlv~fH zgIS)>oQS&IW9j`+XG_s69;^240UMdT_Z}pYxO1)b=(3=tT(QoI?IF|Mb9=E zo1Q}E)INf!hpaVqE-(+WF2Cxa2kVS$3f>INC2kn>VYMV#-_tZETx0R;#G~p<+h%6g z@iL>`rukybv#fBR2w#wfdcu)hB`+S37D0S&Yg|(kye>8vYpryp0%sOvjk7YhQ_Y7t z5v1Wy8-#twAhm&#_PeUqHm(_5_Z+?yNjdJxme}}NmRNCJ);GH>3$pEqE5U?vRB3oi zWOC-ZSR1YWN%&LtOFdps-{aLq;!+Znd8p~ zLvYnsWRk3eWYs}KBF0awB)5(gj;m!kh%IXw&RB*lFhP3rjeC9?4nh& zV7FoX>4%hGWHg&U%?7Z3yY4!$D`Z@KC?1E?C2blUR3Q%4`f;3bbPyZv$$&}^*oI_! 
ziK^y7cRvkDa-gRqPVaCAx~1SAu&H6^itJg@nuc%bxVS3dE+$Zl;)b@!gr*LqDZf%!wxGeJDacB2T$Z>M;bkTW8ZchoKZ4a5!S&#@)HL=7;;k)cV^t3H~X z3T*Y~vT;VgNfum8lEB)~aG+P!9~zBqf{_L)Bvi;G0{CkPRA5y!j#Cn}Igi0H&9U-u zDFTWrjA0@|?8xZ5DloqT6Fr<=@USawdJG;%h(a_1DYzhLti%H)LuRl*2UM91MuoVR z-p|cE^^AGRO*ewAY$~_VmMU!AgM?21Q=DHRLy^<(6&o6i?uiE%LaqBpIe+RB@jFSL&STQ ztOw->QEQz(G4EZc_nLKt80zbHZ!i#0B1m*4fHhG6Lc5CPaTFv`gFW4BG7D7&90p`d z&w<^5jkek0VzJA}FaD@Q9uP|A1#R zSlhNClm#pQt)~ss3~%JRZ185CL{;mI{gC8Ru(3S<*r~L%UOFnK>Pv99OkDUKf->GVRF;57rggu7q#^ zT;&`|0q|!!$Re;4SyMH!9UAt+rL^5(T#7odxQ-4jYbd_bKHgOUR1hcX|6}Ye zNZ)e>#5j(SNWPASIpljAFFL!*slpFhQ=n^N3S? z{l!B$NgwZc1hckvWl)Zad1e6~fg^d=pr2Kw)|uDEa?j#~UzHg&pkzHNQy0Otk|*+= z_RY>2t8Yr&QCB++)?tPc(2^><&6&&fMIWSxEZlV>!;-NTlr)oqRnN_V;?6|bMc(X&Hb8(Io2N4^#xOcA%f-^b2FM{F0Afh@^2XmSJG~{$=2c z2hZernum062sybRisW{SIgG6gu9@ddUhwk3zR(YQ3NY2snhXVJ;gre*DA9404GS#{ zeKs@((;_O01X;r=F`N(G`a?2;yh?^6ezYZly3h&Ab;@4tY~3XgOXEqMTKjr1Wy zrNsvDP&VBkm<5CJ)i%b@zZgCdzt1X_YmMKc&R2M)Prf<9&UV|^kNlc2*3eBp4jNJ| zbWAet(p9Kv%8L+|<8AWHI;-0{8h)7!b(X`3;;}`82-&1eV;qI0LXm~7Z?r2?U8^=t zdw~zJcc~~1E%I*$;x`jP<6psB9Q zX@|WS45D8t<0O8pSAn3VEBF~X;X8490Z8Y4pkQpNZ5E*%#`gI3pkgo{6sk5Ra72(8 zV_HsTKc?W@2Il-M5IgV58LSSvic`b>5XP_*+(})TL9i4WqS~e16x)@>hv0+96~F(J zZ;VR@+k58{MhJg1crw0z1`qw)JA)n6?zMZKr-hB1Uk?|;u#;UmjZ`F4NG3cp9?o*=XtoydQG5L!8PHu|~r0T$yxB^C;Z5LT4!rYR5X}TD+kn zh(h%$OL+9nbW%_*8N~rSKe~XDequGVTdjU2Rza2RHgR!GNvDL47Ug7ZPNimgaHyhK zs$_3Df?C(dc}v;YZ16g~9c0D6<%(;(_J6#w;at-#O-ile%$gAL+Xcs*Lxk7lVFLG1 zId`S=S7mz?4vItxE{uD)DjO*~bI0Bpwr4_DxD9s7tSU2Sv05JyLQ~$oJYzp<{a$rf z=xMlIZBtbvc2bx96%s6P{Co;qrPo>Cjg%ho&L9^)*)luZCRjQ!cK{xpDLI~(fNBB@ z%OHBZdX>6EvDbmRo7^*8+#+3lK0BT-?salG${P28b91cV8u_{c?p#@Mf4O{=jzMpf zjiyM<4FhLgT5g`S?1|W@&UO%QJ)`@tDVpqDf;d>7^lVXu$D<%`!(1)b zQ+ZV3^`TOH!a&)nuQkEVwG{mF@r;fh&tq{RG3|sD#=rNP2&l$*yn#7u zc{`&63qb*9;KL-Qhep|!@1)5nDzS45kZOC^Dl9nW&afL&KhWBuXc8Ba_(5BBoHs5N z?V3_yuYKwP6f9p?I;*KiEgTwrx*CKtJPx7$v(E7OkMV?~wZDcIYFBYw5Ka|KclL+KeZGv$k$Q}BL zSkluzTX&%!hVcB7#jhbR(tg8VLCk`!=E}<&$_76K%dJ$U#D`U_6R-(%JuRHwiMW?^ 
zA5Kf~-*R7cr(nW@U$U@*eD<0|R?$*(g1&_;gND z2THk;!L+Mkx4lon+It|&ldc#)z);qjExa||h;3OS>PIZoNpc$8iHI!{bnyKK7qihS z3!`TPS3Ve6{~s3-56|d8uL)K;&ElK0iiz4u--Ua_*pv19`(6OF8!);gK!SDyY>fHG ze26Ev2r%*A zEDMD-m z7F`!NK(<0s^&(B&L44d4jIb;XdN^6ZB;|#&Wc&e_EcPChS)r;hO(`S z70io_(!RK;ITU5&<1`laOh2R7H#kTxlzby4<_>ii;-6(wLd@?} zt%|F;$Toupf=R*zUU|s+(LcHbGB3f>s|xeUfYp6YfIEomefp;_G z*%&TqyTN>uX4d}VIMFR054N!SpX`g``4btN7bfs(bv~Fia5jA+4Fr@f_+!P|wTz#} zD)Oyro=z7$=DrApt!DSTs=3HUPdP7L`NW}rEZ9b{Ii{IJUzzlkf$$J9r`j9!B!zt0 zpci*?3bB1}0iki+9AS~aIZ$*t1;+5M;?xp{V?%yV5c}a=6Cqdqj9O2>G#85zdX0juNHE zJbw5tP7!L@qi)5$!0gnUkJ?bj*rQjOj9pyo6Y_yiGy4nz9G=Q|#*Yi&0k!mgwZXfotsQFf#~m_fyM^)G!5b>5=NBvnV6IZQ5&%TX&L_uCI{9b^iAl}zFk;}C2G zKgjW6nc8VOu{W?0c|GGT#(2?MV28bc`}Fs2#FZjM{Ac=gBysa_X84C;u2VEXbEjy>NNrBOx5=aY79pKpzM$L3x2{19C$gZ^Db9lt4guCWzZ zZ}r+>TtYeejkj$bXOE>GIe!v4Q^R|EbAsktPR=mu4&<+OP8xFgYRQg}-j+X_7;sEB zR{7JrE*ngRNXG$AwDg*Zk>jkF{*w zy;1smKs=_1=A0i4mV1E-j=d}ccgzm;9J2Z9)OCChMTh--q~^9HDt9oF6ifnFlZ1TX zqaggYZJ{(9px=EZ!byH~#)Dw6{l7K{7noN0udI-j{NoaD`a;iC9k)t|>x=h4XsB?zWLo(ZUyIg59h z33vpH8T*2rmFalx?0WH01Ca5l=!tov-L5K;o%?t!a}q0fdO^*!rT{9Vi0bKA!FzadbZCBw9sz?1S7bm# zi?Q((3fJ=leUhJ~BaJ9^3d3J3COY8N!VQd4*SlEz&yX~wA-t0xv(9}(eKv}KdYf$C zgbLe5aWFNzUatf8r!7lbOTr?9`qR*`mB3lyNbu9va=D$?E`NAQk1vT7)mV+oJ71r# zs~|7|@<9$|?qn3EZ6Ik`vZwD6E~be*jSg)d)nCb4c^`hn-0$B#GDKlbC(da!NA&tl ztZ3#;V)Q%N##_KZaN6pg!K2;h0xw?ZAbwe^5%Y*20sVN_jE_YY4mSG864RJG=_5+! 
zEit*Emv6g%LlG&7Ec`j=f*TY@jqZSL@fA$X*Bs5Lu{}qfi;O)?7_uJyhJ_=4dgvF| zP2fljdnA9lz;}_Mc^yWUY7XjSB)9`7zvk9OtZ>D$&)O$^M?E!0x;lI?jjw8Ju2oX-L@gGhLEDL#)$|SsgUHL#aePjo81A*?Fp<}TsED6~)UeV^LUwVBX={@H`H;Ms6;iQAhQKG(>4~BG z-Y&B*g09pP>U~>VrKB^|qy0DZA{@91{(lMf+28 z;feOR#(_>4Jl;Mt%&JcUASQ_m-PBrwoeDFAXg;yL6HGa}c!FX?_p2SAtLZg-O6wVl z<=Rb7K1K-OAby?~XFxk*cZ}OQ1l6*!LRJu7^_1?GntE~OSw^>0mRbzxJt)pgw{_#a z77x_tX^qRFCo!zeUslMNB5a>8}8 z_h8VxB)og>KB$u&*#fd zyQhTtbh{0M7K*N>Rzc;lXG>nZ!)u!=F)&}3Ab?hr!Q<=s2&TfCxO6#TrTEw(E-(;h`c!!WB z%XF|o{cyPmtM*1K7nEmkqK=aOg7aGjjSeh0)IW0Arymg;hCjkrDNP+(hiyOLfmlRj4mRMnEpMul z_Jk?u3{j|f=3#x`I(2DbDir+p9#9HX*`;NL4?vBEm1%4f++Rw~QnTLNX2wPute=z? zerHgTXb`~$1Q@qE&3pf| z^%GW559pkf{|y3SyLp6HDK^;+EY0mGVquj2)P?;bPYY)>xsgcW_0B-gEzs zd)0oQ#AmGDhPPz@p}~uAk{XTTAq;-LkV1)1KW!fqs1|?rj!Xh$`w{tHG59G)*ra=> zP}H+ldWOL7a$Z}#qfGz&JOzZ#7^Lcxwt3u<0#~>IuQZiN`puof;gi81;ApSrZ$CB) znJ^FpYJx-X*%p}zc$Yc{yb$3eXy3|6M~9l?(;|bkVnh$^NA0}Ov5{6owxWnlwo1>X zY@9!r)6Bi?C$7vh2sTEm{lsM42+63>)tWHpqD8W$PYi$mt@qVUMOo$?mmFr9{ouvy zW!v*!s{}l;K3pdxD9*)rP3=$SW}A)JAi4gYC8~#bZ7|U|;x9lPO)F7m9~BRwLvT;o zTByP$zB@@>Q6{#^g)R$?h;HBF*3`UiZ0cw+3Z@$$tCmb7*9{|LwROkD6Rn*gG7hZ^ z+rgqyD{!Ks;Xg;xju|X$J$p(dnKBT9L8P-Oy{v1`?*R7Y%+Rw@;nk-Wk-Z0B-`<3< z=-{2R%*_=R1T6s-2~7gu_q@k~;&Imx5|%h_4#9G3yv4Id_?+JjoQIS05s8Y6_35VO z*Ob=yqklNWB^^@P@(C3TGAo_a4`$Zse#;QxtLWuc+zt9_hLLO%Vd5T{#-E^XrXb(= z{b6cRe1-Y%J1EqR@|D1+Sa2!QbSxvrIW-i_9Lefcu>$sGLj%AWhUq0WrC3+X$qyP8 zod zW^E-wt%;S_3O|O5Xl`C8=p)XDj;pgs1X4f%b8751$$y12FUUQ!(wScY#9!^w4MGsigc<90}Vk;kX$9rk> zOyDaoa1I=cF#g^`&AiIt!LkfxZ*-b{^M7IHX%`gM*S#?plBk`JYcThQiP9JZVrTm;km5wSSVnV zqurg&$7u6kv4mxCpnJs%1!c1;xt0KkgVScm5hz~#pU+86Y$!ut1WG>uQ14BV*K=6V zXM4Q{WBBsFD0#Mx2Iv>wnE~(c^XJ}V9e}1^wgKMo|9+vm9)MZ-@ILG6z2yF1)gVeO zfltjnEYOFkX?0}tG}`opR&LV<$BWnaXwS!He;+S*$M1f=e~;QkUk_!>Y*-dWI6%n{ z|M)pT&DRcmM}`5EMaPqU9r(W_1d0C-$>IMm)8uL+@ehE954xHZFnj-U6Zw}Wt+_w- z$?yMxNPl|^qr(B^wB$bUcQp4L|9gcFA2vUu&3NeI2$-(vR_|<7-ng(@42F1 z|DH~KFZ3s$IR|pf_3HWE_0E?qGyFp+u|WO({Z=IE1g+YGk}fOiYg0OqS??@5=g)U{ 
z)c8Ou#s8x}BihFj7*{r-<qP8MmL8FI3J?hoQK*>tU{sVwgBbT zwje^$0U1QYH7e*$4EKMYe!JLxKh)-FJJ6dWLc;NSmp!>~@S6)TYCxrx)69R3Iu%>- zt{JGZvtGo7ysAMer^QgSt4yvAKzD}~^dDRue7gU;r^;<9m910%eYuMT$&^=ych;XB z%D)GG7!j?1TK$(l?Ijv6b+?TE0XQNNgnzHfUO#VPSw7mD$$EeL;j|uBQXl*W{9^QH z=00*YlXl4MUhWSi`>J~InI6{Un+|}-|Ff?dX)MnuYKGU%8Zg7pky@2zzznTJ(6t)! zj|T{70Z?~1{p4G04m?Zdzh^1P%`5v|)K=`Xh`p5h_kQ>_BsbP7>Uddom~^d0r0?yw z$9z)W9x2wIRYpj{x791`v+4e{7U%sRAxoZPUkaP{H9XlApg=95mqR00pAsVnj$XLk z@1|gkzv9qu3mI}-goYewUG&+YcptD14Adza)`B+>-d`t98{2*PaPgKDK1uKm|KH19 zv_vn-lBeFt`u=V@6P2F(0zCCieHgiSM&mzoH>cG(QyHJqIf7t7aWoW+RDE9WI3>{9 zu>ppW8$ehw3mqg_$RKtkM7a9Po8%VP@|N^FVbvg-&$9*^FL{u2oM!TR)u}n@P{`_d zAPmv|j(!)bS8oI$CGNC&3dU3UW5~yPPWCRC4bJjmi(7`v)E<}?t+IhV?$+P_Oa}I4 z!0)@)$Ho~6NfK{UCLo^d-yd2Hi38G$Ypc-5KcWZ5jY|ga`~AxC$(MiZSLC>62i%UK zI*3+=Y|Fgdv{jRVF>U$&{(=$Ksq$!$FL4Y7mGd-(;4^U_@t8I_1TBV`__GTMXipRm z317a+-XiRlb}f%ehE_;fC4@Kslyou4FbzD5S^sEftnEca{fC%qPI;|u;V(X%Y#QC6 zitqzv7Oc34dFw(Vx@{J^c%w^*G>DPInbafTSs%I-b+>M3(53heECoeY5d(B7ph4Qs z50;=qRrrX3p`MJ(t97#xm(qiI%NH`>TZE^%N+mqy?z0K6SNC-~khYr33t|&beFJd1 zRCc_GU}CSL)O1ijJ&X;8&isu&?{BdFm{g!O5M#BxuvoFO{sU7-d-Ch255{E7>r<8{ zkX&kZIT@T^2Q9~I3)E9U{k!4QczKAkL;`kF5OP??SG8a%%GdoTNX1k{>N-WBE8IXj8Hb5mhG=R%BLhtCuf7fb|jQvs_BLsL6{vH&&mxaiO?{ zY!N0;t8l%9M4>uu*G9dMIt^*XQhZM}uV!6ZtEUomB)U zCgW9KG8ZZY7hWUJR??^#X&PENy`DB~qy@bD{~&paLu<U4P z2PI1o6VOpU<9(P?%z@446x->61kuBHc64}97*8_XGh*4{CD10vW(ytaBcUe=j~9OK zMA%`9{3L(6O|(T#Itjt2oJ_&-b@WlF@jR_fTB|tpT*F=_|I^CIV{EQ2x3@dSTp8W3 zQP?BtfwoC79Q--(5GXCx%*5o>V|4wgM9OoK+UWlHw9~$&kLv!DG%LhI*TV+E$*xyW zNvUURj-f<6wsOuJaIOtsy6P7!$z>_Ov~w=YRr+h}2+eq()jf^)x|lr4CB=&ht?@}3 z6eujsU^19d3krLz^@{vR4;dTV=*QX#E@%^lhy3wVT>_;hwVIz=qdPh%+WKWeh7!IU z(dmgX>D#VR?{ah01=kmn+sdqRqHyxctBL)WC3=YqxnPgW>3KEqDXBR;PzdVjyXln( zu4rq}+%Gos!&Px04CPu#rBtC$j>&f4EpnED3zoA?pW>i3EvqrK#3f$~G0L|0K`HeR zoeq@y4itriH>W`EFz1!Z;A2HgR5&1+=YHvDRWV4~H*umv+f9M%a zpYQY7$f@fooBvr{fj8K&U+8K7!SBBc2JhAMpJpw!e|oXbj^e-2Cx@%+(t^t~u;@JK1dlQ>rrxSgUTV@CSfEqobX 
z^f2U3H*h+2%DLgFsJYlAVp3f>C&b6D8aO+*NbwpLT=-z##*~}2Ao6BTu-Kl|Izv37 zw|>)gkS2D-KZC&K_DnBe-3%&Fuw+=nki1CDw6~f)Cfg+2oJszky}ldw1@eL@_+Nz< zm0GrQRcH)}t~eCUg_EZ}7E^Ghp6#E9vD1Hedg{8jNlsAe-^n%@PN*~bgp9pAv&?v5 zzFn+%k}7AcT`CIyWoKJJ66bi?cM-8IjC>K+sMecrx8KD0j*lI2fa}`3>tuqjx(tEz zvznh`gGSWFZd9Eq6rbv;H~H?zLAn$8vb2L-XR(hgNKuuhzOv~Q8*fu~JLY@Z{!*)} zz-gc1TwqGcl*9hmj@}z1|LFaCF>%0HNO8^L7l`}8Dm{EmFlD3qd@{fQmejfc-Kj8Y zeA!zyYsuwfq@Q=3L?xrGXeH#DTiCz*Y5{xWaIn0p4bK=?u1Ufi0kV3`~-YKQg{d8g6+ z3j~||CVJ^SHJEYPJ&^7($yROS2Q0v^qu)T8e(Y$XBfMVeEmMfvzD|53WW1R9c#u5L zlJMI2C6dDcs(k_b{yXkBjd_pHxq!OCdlRXa!avV?@H=<2!t5AN3-)=BwCQ-ZT&!P= zLweR_&%e~l%Ot~$bXhi`? zB_>nz*BvI#aXhP<@TzD2V?Ca0WhCC6T?bIEx3O%0?mvIkH4=-7(rx{AyR^ut8s(F9 zXzURdWGnrbuz5x_F^8tDavWU2PWGlsj>J2&;;%iY;jkPjz}0hF+s8(C?=4}k=LXF) zgb2_5KRoM4Q2sE1FaG|K54#>VHNY>1$?=4zUqsDnbqtoXZ9RAu<18m#+Qz$31{V>o z-scvK*gE%JM|{}w=F2jz?6f<;boJEhbz8N|K2htve*GTn!-s;=m7)FO>etNtsA7H^ zK?D>Hf7CuAg}&LOj=7pv?=}3DR6G!BZjlqDd{m}m~y(MF00A)*4KlTXPqwTE)c*)+OZ7UH4-f!}tfD-FAJ=^Q$GvM=JD+_RFcE1dAjxYM}chc#%MyJOG6Jd_7-p;?QG)_%1pbCF>@vkK> zsf_9vIB8)2M*Kv_I-~KVF~q&h+GZdh#qz!LkO6-#E=8Xf@t9;fZV|2|Ji~2?QBSN$ zRlI5CTUwj^v*LB^HR+}oR6yfL@^O4UW)%JH+#FjQ)j{aKzF{lwJL+X65n;V|Vr*a2 zNV-=7QJmJyMu1~vC(o2b%pEZV^+raOx)52@>W7syyVsA@T-m3mbM0_s5B?{p@MoX3 zwd^lMNextw2CQZbIq|+=VE1H_H6-=hV81QJ-OkFDAFMwLCdVE2Li6yjP*P0Xu3}bx zrdD+w;EM@Qoa9o}GIHk1$gNa)rUM2NV(&6@0;8@E^rCT8BxUjg<9z4YmNF*s69t(g z(J0eSTAVMUEB~$|2}wtClrk-&fN|-iEjJ3DeyK|u7Fr?_HGHl4tnb_=x>j>5ka;8C zz8U+AduQlzz$wjNVyZ_yRzbhgW!1NQ-KnSR9Jq&ulKLiH7wyO|UFV9m1=Y5(-$lLo z5k;T>X3Mj};HN({0<$@n#C#?*V9Wwt6{_J0)-vpX?(ouo5);$W=S1NSD|$7UG>ySk z=le!&Kl4;V2GG3F%)^q-aw6w~`>2Xz5#Ej{ZjOYGS{T?9i%{LHczvfXjWi_cMpCl` z3ZO6b*aNwJ3~i#B!$$5ev4KOEEPvX=7%r}d(w#TY)gHd{rqV`FeQZ%h$r=q1Lw)#fYE7Z(lwa+PhVQL67#g*pC)1NP(Vo{KW|DIK#{@^)eXo$|fK&%xOsZUekA?T=s%s364sEgIz*15 zC`hbROjOjab&7euFMG_0-iEc-n^<0&vo@;?%&XNl zVk2G7CRh{i@j|TI|Duq!u0e4cV zp%4KrIHGVloHv5EvE`3mj9BI|x{&;Q{ay=J#wc-t{4KktOlnbmcO+TFIMxiWA9?t^ zxi>v@#wv$S13~`pp%SH8UD2F&p1 
z1UsT0E1-*cDc?+Bx1<}<+xzNy;VVJ98NHGvOuF+d{u3^{*SWVOW9a?x^+KyDc&{5H zrVTj-^er>gpJNSQ6xGY9-Z_J+HzPL^O8whKV-0O%3Gu#uVMnYdx@ZcHPP|uCbZD>* zL)IPcDIljlk)y>MY*Oo}%ibStT|eR5H1)OiOt2L4(w39oXF;0|mRa(z6VerkO(H3X z+Pr%-rSm?9Drq`dbf7xqY2IRzl3T^Y;t1JQni@x7v<2gKNZnqgbwnvriWG=^WhqJK zDo34q%_T}w2^I<>m5JeB_OIQ<%!jZroyBGC5ylytVQ5{$)={qigarhq>1UhJ#!uVo zyNbm(y2<9z^Lfxsc@ziV4_vm)#kzyZa|d$*EoCJ)X~4v+i`08j+mGDTuspWh<;C#&Ja#5>GYVCQ#KM-fj6s9x)>QFJ_0omvWTUzJ z@gtvc2b;4*mz_fF4)huZ{E0)R8@Br)J_V-ig@pTPkpu{y-XcUA8>y7PLg48`hF~1& zK?#$j?6gb7Az^ULh4^wApkPux$N^@jBkdZg&*cMhn>ZoSc1RIO4&B#-m-JRZ8r3Px zesoJ|R;sfreOUb*5WMD%12x?o2X}Gn9iPr3EMR~9@&@_wD4nG^cJa&uI)g}+P;DDL z{uP621ZyX+OQEEWrGGC=$c^Re1pAvl9TF)?*s#g?OT}kSi~S zViesJDv?WWq@s_!N#~s6F>SzGyz!A&-l7vkDNf`V4!91lk9I^Ul3ss2 zyyRpeWD=T`@(okwsSMqb2HT~(<32`4A|M88X`psu9OKgAoUHEG^#H)c6}kETv`eL*UY;rC6qP?|xfrgr-Sh!2;Bl@Y6PIt86ie*5B9uCNsrP?P~tv79Lv z0|-s0-iTR$+;@YR7Nw?}s*?rMr_T=N7>g&;r~a>Ki!Z?2+md;b-3uHp?D|Xu>G|fy zZfb>s8at>Gj(OJZC!3z7CM--ugLBIfHtWZ8gjt6{H}Al)tqqhzs7Pm7X02qdqgqIn zhxX=rk!e_h1081HIS*UqYxG9+qJNyHm##R`-NkCccFM~=L>|k?gN*xn0nN4#fV4v; zT^gUfU~qD#U(943MT@b``+9rY`laB2t*zZA&r^(KMkz8aNWH!XPFoX$wER$^y2PRi zgM`>K)b%(*lyJz57SP0M4tC`8wG!hTSiOeiDFDxC_3AdTD1<#*5 zvxn_rHRw_gkY`uS8L{$E&pGvg?0aorCas%%rl5%6#1NKLnoOyH42TG0OqloPmLLyt z)R}K+#MKj#kzV2%D9CWW*^_hzkJO>3n?F8IK<|ZUGBFgRtYHdqHhu+BmDW7R#ficB z+-@&0`C<2YsMA6uX~LRd(l=FQ7AutQ9kJ0lO&#X*rMjJ2|$7`(nUU76$&?ZO^z zCv*g@1`rp5x3rp-mKMQ>ZFdGH>foOeg*l%3ws9gm-7s=Q=bZ}T8GttJ z+(?mS%|N0Ree=l`Z!9ZUUA0bX`*=04Cp{-E{1>7s+^$aW=zh=uiBLs$0wN=+lEkMp zk6Ewn;2Q#!YW6xvPemLs$8Gs|Ns-kjSDiu6_7MvwcxIp4$>FcJ2Z0GWt7k9IsO__{ zhPySV0S4p5KyJv$B8!4UvK5}hPeW&9|2N~}P!Bandg633l|~Z3!J>-~)_Jc8+^sRr zNFZobJW&hvO`HkG6gz7&c%x6I$iH`}dwlz_H-x7G-C{9*!vPasqh;cn@9gw?OCNuL z)M(t?jmX3L*DH(rT2{anIRgn=>eleNY5I)u_$fGXg-FZl6e^gW;a6&kiMVPW@ct>_ z(>0|;Zu^`~!Zqqw(iWfboa!S+g=g`cE@zdNh(<@;0-rKpj($zg1Vq;P&A|P%h6gfE@|lZ+5g{lp1Qbc}4`784 zlBRsMNbI!pE>;_q_7?16e&V(XqXsCP2C}>sB-AR@m=OnPf|Z!z^0 zzz7Eyrf4F~W~cXWPJG30mn+cDt4)@=x7tM!le76%@xkIH<-hV1nwGD@sB(#n!3(?+ 
zh}wLb{JG?ixFIPo3WLr2AT!4A+UZnFgSC8RBnBg_ewvYOV>_AhY=*d?Mp9Jw_=&v= ziCvP8 zDt07FWH15y0p}ac4;+l$@tsLAUCWv{TA+?|;3kcwP`b@6Hrzf*Fx6`5TZzeF3@5>w zm0YLDyvBLA5%u@1Dke?RAqahYj07wY^RLmphg-`S>V?&OJca|(KEAQUFcEu7U+4fr zi}9L~@}qe26l-k!$DFSv+BZzETQd@ghwRAm#iQCa@lq@-MQIQ`d|{*^B?qn-$iGbB z7dZ0a4Xto?QaaP!od)jljd6Nit>f%bor|nm4`RuAMk4|+S_vr}s+g<@BbON-q~?{Z zc;6Jo|Kd|g?k#-7EWuJ132h`~m4XRz@(R&zxz~E)skT26|CBu|^S40yHD9}t70uDA z?k1i}$@o2yR}@_Mi~3r-;#}LvGes`7A3e;}eG5qf?+%1N!09pV1Tuhmraeg{bgc+Q zJNvHTEnpoYUrN8dOuJ`_O7t2wcv+2^LF4JRjP)G2pRJj|1=4UFf&f{wosT-uUd`^V zBU2yvdQcday|*HzGM4SENLVbC7RhUKb{sNJt!WcZYY;7FdCznxlj{8V`5HuiGfx}= ztHxu*Jyg5pj9SZIuw@=EhSxLHIDt*b)b8>T$B8;#J4`3|^NMQ-aLdh$tSnkqwYOVW z>8BUU5<}3_#Gn`p=jBIJD?j>tJg1aN57f@by2E*Jorn*~1v*@x1g{o2hLZ$qhN*>? zbII!wJ3aQ9sF|KXD`vB5=Jwjgu|E}diwS{zNpCEN)#|LnD_Nd^4(GQKR0xk>1`8?! z$pFQI{BC9x`&g*xP*?Xjp_vF0gL&|ZfCzh(*607&$N471CyzjPRyQv+NCkE?QPVZW z*T8kq&qmoG`0;TeYC+BrMcKizn-wp`{c~uUst#FtYENh`))KlsfU7T2}2qJiz+?2}3}mn^A8LI$?g+J}=NXZ+DgAO17S@z%dDWyZZf zHabl3=?Eg~%RVbqz~z6!RRDWM91tRi!?i`)$Tm|mjZP?{h-KN7s;Zg(%Or-oX=H(~ z&|{ipZ|NXTFo!`+z`Ze1U#TtMwEgI%uymMppzRYx^I$K~Bcm+3z<$XG6;qlWqbp?Q zribBuuv-k{>o5tXZ}!M;e8>phEk%I@;bVHrj6uF#bS3#|?jcI{qAR)<*feYkGJ3;djII z52vb^lbWV44Zq(lA$QW7O>!6BlzyxCt->J{yTLWHA_X(CEgDB^AJyWUY4)(h+%q=m zU6GjkCcE%rd1JmawR=RiEHEn?!S^CyuelU0=R?9O8mOwhl~%K3<)X^2A3}{pdaQ-P z=-*}_C(`vS9n(3mxG12VlHBYLYYIs?=uX7qyE1Pb19`(O0E!ugH z&eyrl{c*TIqDcJ(A3}95i2R{OteI_@xcB8&E;y>DbJY=3gvD~-;qT>oA#e0i$+SrW zy$E_3-;o@L;5KPGGr zdtoEP8e#jYbZ3QY*2SmWni*)`Rk4~jWbICDVX)}^BOI1qlF1RRZ^q@0SAuf0fetYRMZy z|1o*8QX2UpW2PwVRz-kv3LboD&khxK_v3Q2`u(J#LTE;0c=qO($z)x%YH8PanYoA) z9P9`IA7r@?HMvxY`hG$$k{+W0k;?-brfV)UC^28Z<@vSgG=>o=y~f1*Vex;l_f}zb z#@xCn#a#;&cPUof-Q8VFp}4zK+={zH@rf3vxVyW%yF2WUf31D?I{W_IoxAxw^Gh-^ zJR@(CP)HlIW#$!Qwz}^U0lc_3Ou6vL20L=^+=6Pm=f|5Cqf~Og_WxD!)GSddwOcQl z9oVJ|{v&a=>^3a;CO_5$mPLCGT|Vb0Oz^98Ta(v`Y>M{bK@;1K?KF!0)Xp5Z?}ur6 zvy`YtZ%Yl3j`#-KqXlSOdmGchk~Km`Vc<)#bC(m01)fwtjkhc_T`#C8NZG*0)yeQl z`>Az+-6Dh=FS&jNeFQd1ynQIHq^Qx*TECgY;Z4*)xmrx$kVYfj5_SfUR? 
zx>1-3i(m&71+eKyZlebbuMB^iaSKzy)f~h%G}Jv{!PLr?o^J$$%G7y+dM_Gwx|oI; z`{79~ibjmQ*EF!3M75q%dvN_OW-Yz0SYaXko=E}OXugCA;_q1Y-Xy+krW$sA>BUQ$ zS(A>+oj{9%3YC>zo8t`E3#L{VMw9q)l1OvDlr2a410On`IfR98b}?WNY)bwv%w&F= zRw)YXB(H>?lJVbUxRqbZ<|+LX2e}fD70*{L?2eip)5)|{mz6>+w=L?wLRnZ&5A-2T zTLC@z#!r(FlwBGE-}8D3h*2SFz`qS^K!6K@8_*gd`Ja|BN%fips83}>O`q|Og#DbAeOy(cT7wA zqjv^u1%{7QH4>z7$x_p*B^Kg=s`27b4vhs}r~riTHkaN~Cp-OcVF0z0L1YW|_rNjM z9NoPmH&?11*|DY38t9%rLc$*%YLcde0slob7?#s=nPH| zhaIo}@}HN=6e4rn_lZ6nMGA`10c>vmFag{u4DBizQkn@E=@@VI8ZnRyoVMmMh3x0~ z6V6bWmxQ|X?}Cub<^%h<7vDpF;@&meFc`x!VH}Dmg!YH#wb?z^yf6M@%~H)yXJt_G zdQBD6jRgJcEQ_vB>G0c3syZ^C+K~F`SK%6+3~nKDLFBKlmWi+-?%txTqpBk$T3A*?mEJ#AX%B1Yy5>Lu3ZVjrr zLpeg;0chISmfFoEJx6E+zTN&&dO@b<(YnxwvVD(P;u$P5ZUZbM^el8XFbh#y)s(#L zYJRyi$v+&y=n(n#%P{8Ht=Le!e9dCfi;7Au~jP=qer);2;a~;;0#`2%TbAdcA9|r zJU)%xNmwQ=u&Ne#D7I1WigdxpY?R@e%7*ENRR-@*nt#I5eJHS44Pd+r9gRgcC`$+VmlW?|6@-R0a4i*HaAo9E;jd9Dx{06cMQZKg5q_@KOmm}U+E(;V4 zc2VGlLS_q#Lb%OBB4&+?+dl5>#_aj6-#>IgT=}m_pe0-^i3L245jN!Xq>E?r%n4U#ky{Hql&0+zDcg=@aXQrcAmkHogv?1;dQdoi~hk!a^({m`(> zQ;%nLis7p)NPrHZiH3Vm(kA;I2fr6X!48tslH3bt!3yc!9qckpX%!#W##GpqLW!{2 z{YT(ux?6e}{+q!2pt$b%%IwQJv+RurtYM0EA7?rlxzxn;P4O56KSCt0Q6M&xWOZa* zdAt`}8%fxgf~qdYz~R{(alElcG(H3_3Ai!rMZ<8$KBXXZry-au_L>RV#Lq(%7v_kg zHsx}#M)JgxDEx{9L>2riraDCbI7%bn9KE2K@NKAHbL%z65Di|3%CrB$`1MN=d);m~ zOuC@J8GY`sqd+&xHBB`Unt$^j;jdb(cu9&|`@Z!~f7%vG-|NOU<#Q1pQt5L69quVa z{E@chqX-fSF{9Sr+!Wp%d()Cj?dIKx`>0EcGRWvtgr1Zmqjy8G)uL1mYtdq7zxCuf zBV&9KPG6v@5H)+MPA|6FYH0h+a9K-;LlGka2g0>gOA;C5Wpjlgo@u?Z4GpsvDN7T< zBab!`D~q8lYG9_bQLDuTr<}fk6uDRs*_j8Kp{+=wnpwG0W&N(Kz-Q*me`KsaVCjCN z1UsBMa+4EUojOgg%wa~EvENiaDLS&uA*ngS7-0BGJ6ep7C2+`yY2H#WAdIPi6a63< zng6mgyJV*+Qau;+iJw=!7VMGk!)fi8F=!S!gR+;8d0205Qa4Mp+rm^ji7yJ#0L3dz zuXN4Q(;-r-vcTv<0uGi1!wgP7Uvl)6@Wa|rtrEwme4c;z9*qBaP63$d|KreM4O-EP zL!tbL?PMSU(xJJ5N6>tVeB2_TJY~I_(KOdi6!FhKkEsx8o@uEfQXyU=y3$Dbyn#C+ zQH&k4)LwcN+yCO=G<)kBF!f!|wALo;J}qmcK&$HJ6#Q4ci^Wp{KMuT|TsJ_fhhqdP z+cN8bVbp@~X&SfG#B$CZEYAC0q-R3kT>K!z2XFAIJeoNK?Z*)!_;AEAZ>)pA_wXqe 
z@$!oh0r2SXIlTud1|;Dpz}})K;4eu4hXVy&8X`NPQTfdFAw6i8-oU9-uZpc}Um|0UeHH085&d??H74 z2Ht9JM568wM=<80jc7oAiVCz4(Tv0S->Ito5@{B&SYQ+dIz>$~h6Xri0C>xF>~{`p zKCjz!o3_ZYkjgb!)gB-;G$H^bo`ZY-20p7I0D4;f8*U7c>na4a*83hk31l>L03G_< z@kIzgFW)-c(l@J7lb&#*U>B7m-MiZp8)rkX@d%M9q_@f zPCV)}D8Km+HdxksS`a|81IeNXnIakj;0hT4%G(f5m~erwT>wIC`)T3;J6(YSx^wm8 z6Au8QCeVpTq(T<7ANGgkN4Wk{6@caC1SlnH@!Qe|n6z0s4U_f7@7!yj$KYuydCm9z zm8xQ!R+ZlCmbTX6=nLc;KJd-DZhY_NhxT@95JlbDM)M229x9-4)aq^Cx81kedTryq zw2a@8s$F$$smU7PybgMvZJQ}l!&z?@vnEfIh@|D`R9 zuLr<$370(QEz>Zn>o0p8quLk?H{dlHDEtqCV}krL&~qMpguZS2063ih^faW=<`3Lw zGdq%WrI)-66K>gW)2AUo2X5)LHZ*-PYg{}8e7u*2!YK-}0%qeF)A(+~u-=fCv9 ze7y+G4<1RcyS5NUZMPaJtR=C+Q@W-l= z12dJ^tyCzf9X8~{Ut)2mHd=e5i_VPkzx&$XDuo}8hMCH6&9Q-v7V7EQRV9hsxF}(j1+D7E*c{|l4t9ivr z)4oorl-2qyFgN7lONs-D_2Hp@#Y_BGq^(EESfNH^JkUg*?^Qq0to(B-gnB{PLioiK zb)9f7@?sWcnf2S*mvj6@xVHN>&+%}GVI1Ds6Y?EB3nac`DBud?iHq6(JDBT1d=q|+ z>p@1upt|NNs5xRor7e;I5C$nuT(s zMvX%VoIVZNkmnCkbq=s8O6ZV)5;*@8`fs~{KwdvEW}_nBhk&vlOlE4ZO6YMwmAO#q z^Pa8}`#}{%wUj6lys^B+QzS|ZOROFczjqL82J`M<#1?L{qIeSoeRFZWBv(~S9YquP zNE@&2PosYvKTRF0R5FDh$KA5Y zrs=2`!>-BCqq?r4A>6m*{q>$=@rOL^pI16h%K7I1bW1+@A&jGWAt_F-SB(xk(b+gRAaGS5a(}hnv8|-P%q_RS@L_Zh@5QX>(h~o}5PJLb$y`!oTo^L= zb0JK16ES!LmHdWsjklsuBPCO9lB)lRG~d@o(kj~#w0#aJXBnTw3`~jOl=bIAam+_6 zy;8y{<=(qM32!<3=5JGG#SL@NM$_A1X59u>%lnSeS>?7R5e?=@(kplA)7t&{-5LgY zC==!(-f_Sy>3Hrg7K&KiVg6oOSwS_F<30jzN$7!phj9b5d`yVj7p>HH>6E?o2K|br#kyNtTpyguA-nD~<|(Nua9Jj45Ft z#&%brg5z(R1aQ$s@gk?27%mGZ1VNY;=Kk^%*!<+YH(a<(rS~Qsid1+u28Bm;W@MjjaN?IBjpTsd#D#5$0=d2uJ6*cKZBckRF!7 z*GgtY{Ga;#6{R7f>PLSeeYV!Z8ozX@Rx#x-{<7DIh*#$~(w!ub$oYDfH}fDHweg2; z8@v$_yb$k9Z~I>ZX`XOSDvD{8REjx#1o0pYBE?AFP#=beU(=(tu@4&9>s5A51`arr zVW_rO-qXUCc0g-kykw%#c9LQ|si=WNy3Z`}bjO=l!)7Up`SdL;cTW$6w3|Xc;o9#l z8K*)k)J7U0KdFSbO@Q%hi0X*Ao(<=&t>)19u|yDg%m@DW=1(Kesx%#SIAvf(h_a%v zs2t_lU!oH3IzEzMTWYQFZE>VkHMy=^ZQbWOpKmHZ69}>P(R9fD)U8WGIRcP=L*qBs zoy{oC3K@=`XO?iO>4+5mO^mmVglP7*ndpwRXnkraMrak*|7#Ayl=AQc(nToFXTqjq z_SYDpp1fe;&Oq){o%QG9xtTw05oJ`u$JF`|$9^jc-pBs0DlI=eOxr-y{4L>(`%9id 
zN_+)YnJ?!2O5D1o^=k)x_#|@*-gprP3bF{)jZBOB<3n0$-5S#hE9U8<82_vwliKJ# z)R!jO?HjG(y7B+aD2^IJghk5Rpc$p9VagMJ#t#17EN?j6SdRRstbtoB4rE5Skou{WlrtJTye(t?kIvJ! zi`2QDo)oqbUQ3HyvoTVb*}Xw&G0V4*GW5#R@D-tJmW8^jqZ;Wf=CFq8jPJUOB<@o& zvot?~Mh|UhPcWvSk-M$SQ1Fj#ID4&sgp4D3m@O+|PwP4lFV53)VFDf!Gje!(0wImt zLtlG{Pv1)B3MpW-$d=+0o6yXK7uc+4Wp8okbwiL5_D$-GwsywD zZ#=xB{-v&*pr_mv4B+5irLje<3?whtZRUr+5VH0!BQc94XMJS>B6<1ZZ(W{U_(I7nl2Xdc6P6ez{$S#Jw>c~u?{*BfN;QW}t z3IkkScumxBh87gj2~IG#C~_RtpBQIHIuYo?OT|u1KZ((X-gvZUp!9pdg`t&ean*Fj z5CS4U-xGAab&Ss688hD=gF893 zj>=&fgFybM{CM7Thn?|PjPFw?U(ND-dRAmdU#v2__b#SQ>ep==q!|huXiA{grr~JYh%iL6{ z;<+cv>Rr)Ap44N@sfA*>wUB<2A3hqI^b(?r-6U>_8L}kV$Jy6bEi9bUCT0+S2So5+ zRn&uz8Zj=b#ll43r=EX&x>Sz!Rtbtz5r5y~AObI6`zwdN=f;G(q>@n;@uy}&A0!?Z zC_1CQ*XQA5H9*w7Vo%0e7-ySiHNwYLUZxWvVTkn8nRkT*GDqLKTYGC_8~sQ=u|{VB zhC{$HQ``F_&P3EF$tTGkV3T5d1!*nv$#hEQr+g+(oO*+9dbO3Y8_td`t6&_l$e5LM zCnN?kGpP@S?JoHdmh2njc!yY3q%xWnQ-*8626r5ztKVvxfJ}D2uI@zK8qL$>VBk7% z+*Q@EP=&4E3K{3kJ`j|vFkPql%PA(&JaVmIKBwlZjf`XS^$m|Jm*8?q?@yUjvqG)a zSjma$;MUOUjSl!VjeQ2LZ(|w(O*(R~HTs8=$sF)}(nbbp*!JMjdE&fq^D>OLK6S8@$MY|d8lHTz390^X7RYb2swYHOp%?dJow?8boU+8f4wU-d*FjZ(BcBAy4fk5M9@=AvRRtuY!5W7Q zE|ep*0ciHQ<>%%(%XUNa9K1E{%^!K9LUZ$HnR=P_OZw)`qQp#2d4o>)Q#%-v zZp%S%Tk#}ZjC4Lzew)ZYiih+|(%5{i^9+BKBk_yEx3X~0?bqEJ>K$MXQPtx8_eNr8 zAaY)7*i$rss#x1*AHM7`7TL5OQ(Q=owNN#8QDFE1U59Ptf86 zv9E;kVnEV>)QI21J8HK#d9aw%y3eNklI0`L~%n|8Z?aklaXcE=6KaJkL=)94qHbO_lK%*D<9ZN#iO> z&|k|w3>sD4#8#}}Br7pSle44h_Pgq$hxNr}!a;GFb}G)5F=zUbpN2SGe!1Ny3v(QB zUt(p)Pw7|TuH z-LHZXFnomzYt@+|b+GyL0HrIC`~->260m?+Yi?yB5e%*1q-n@<0Ec0F8IEskwME`! 
ztPuj|l*L9<=bkTF<9?Fpxg6T?IxQB(Mg85pNB5X=y`eT1Y6rNM&KKoMod*>_!z) zG_n=;{Wz|+>Z?u{BT76sJBenncN>ky5+!TEEqFJ6aDHY#DnXleQK*SYu%?PvQgq6G zxOgHfV&3PUcj~I5u&jm)BcHm9gM-VaaY@{n@w|8`Natph8bm~(t>_;%QlHBS{2 zv!w}f_FIHWKcZ+EnkcqKFx*h<1=>he;9^Du-Cp-*hw%XQ3tk_WF^FnjZ`mUOseGe| z?}T<&st{SnRDBv$nRJ!g4NV?KtO!&R^d=>_ffX1~dfP7*3JC2&{5AIqJmzed*>cNZ z(&(yae_h-|uYTa4SbRCnzX|3O(XtieY%CvWl!+t-l)g7pA*@CNO(}YULApGH_nmQ2 zX@FGQ6>Zn{K6d#-oO3m(vn4A_WNb`<%7II}+J1=!_acWKi2*dKys)opj zUBN5ZgYGhlG^hkKT~^hg{8zPgK$>9Gf%Dch?nXMkbzu@~;eS9{ob?-cX>#(`;+O zz8+6nW4yu={8MH5x+Rh_(v3+J`Rb#dy_+{DQm5Xt7pxR+(y|#r4iCR{40g9#0 z(NYdTS(g!58bCqmK+nAz@_sL?CvS?kH zVX|7Wve8^YzR?YYPm3*9L{wXhaY0=Uz&9_gZC8uENScTtJidATlvob)M@_sBB!sOlr?dPl30@~Fjt!dIA)6F~Y4 zey|TZ2En#9!kk@58KK<}9TRy-$2sdMe~9k4Exu#1V*9%p4r?}f2E8uE8ukoQXjckl z6^9<90uz1-f=zzIb zryH_4br`%H&J*WMXUuJE<9M={A|kmvq$E!9igeH3;es6U23k{vBlxsFTp|+4a5h@y ztLudF;g&NRCjOAyI42@{hL*K^PS;tiO}I%R=3sABBQ1C{ONZy^%pu{T#v? z%Y`pilh{!#Otw;rj2J6F$4<9gF1+jv+{fzqYCPZ=_ zP36apljd#)O=+ZF>$S_Mbd2q|lUMUT(6DCO%qsI;sm=txoN#O>v(irhzpK~+*UV*k zymd-}f6R>_*G*)|eX2%4uImLeY){G2a?m8He!(MLQR|OM2wW{YYs=Be1BOjkQ&&IO8ie*{n+y{7|z~o6H}L#KeyK|+K3W{>89#Nge>LJ&~;8!!dc~) z{EmC2^;!vGstUfpKwY&1v_CFikH$jUDQs}B((bl<@t-Koei+_l-c&a=`nar;xD;Js z5fuv;TI;1Z#iW1RV9PjnDat{DHB{Ua``*s>5K8#Aix#s%?txMwp7p{2aCtW;j0>l)UYcvUqT zXG+~`wu`1Y*#f2BoV)%p6&}+#u%kAs_-@&s`W4I#vfB>LvG?W6f4k0#*!-xJ+2S+g z?3dH=#?>PJVVNPHdzYd*@(!2--!(0noI2L+1@X#7THTt&*_4j=jxX&qq`vx#EAATU zh=}k~@Yc(F6-rK13|RTMrqV1r)GXcncaS8c6S4N$R1=ACMmxkAdT^FSf(UlWJnW5S z+LEOTR(Inb))0zJ=BD3>UgtY3sSKT+w`0!~MNRprcm~T}0UL~9K>eiO1;Q6&2*Fhj zHTxU8mYeX4fva&H-JywP0BC1LVNB_a1l-I_N=?1&n_}UioZ>=UD1DUN?Ad+iGovdO#7vHKQs&M>h8-U?5vp8b+@E?p|`1o!G&ugj2(Q!SjVp zO;Iy0#ZhO0d2uNN34eJVIxPB{vS0W!mcxui1eVcxq|1o1mC{1YCpWyvp)#!=MIqxO zh;IK^5Djr0{uc_5{1aAbMgvC$FVl5{N!K_;eS&v5S?N)+2uck1H*qi_3rYRM#_3>( zkr6%VoigB)eM~Zx@u>!mvP#12 zUARU2vX9m*^ZbjDX8GKpY!fxxbv}ra<%E%?CaJFBTNbQ=9869>`+3)aFw(reyFf0j zg$8)6a^0;CrU2XPz;`S0*BD7dssarwBy7ll&X&n&E$Heplp@Mzdv)-G{P?h~GJo{o 
z*<8*#POZ7+KJPIWj60vD$5i=N%8u6f)$WC{g?8>vQ1w1LM}cC6_C(tXv-MFuRW(i4 z$Uf!TA)dEh8P;Fz3;jc2)lN2UH4#Yd^maSMK=g%E_8aUm=HLX=0FgNS@%cX@(qI(r zW6ZC)smqQU*1A9H?aP8}y)%NdXOMAjIQYk}(2OLNBecYJxYW!(JIM69OFLJE+9t)8 z_q7H=2yTL6zb{E}SyNR$#nMhQ2-D7#SQ$!MSk{KYJ^ar}4v2A}<(;(@w2 z*5am(n5|kGg{D{|1OAtx39-5#HU@|IZZ|A&b0O+jj}DsrjP{GZ1b@C0^H7BmSK$FR z*qkc^U{v5gY)qqGZiyaRxMDafi4#EJ+C+mXW z2Q);qNx$)D=wUigqBC1{&n%db^&GF@@My8lj~dORZxE!h>b(Jl zDiNIN+lN^*7o=g~r`7lrr|15X|2_wIx3VWr&v3{|!7I?PG)&9Ks?D-!GwzYBkQrMn zc9sZ4yKg&29Kez&5+HL8c1BxP2W74>tNIRok#2$|sSy`FE)2!O)L+hpoAe!&`Z(NCg;p*sA{9;^fG>PM9Acs5iBhAx_WL} zV^@bXv3T|}oCSlm0f*db=$}a6eY+K^%$_b%pB1=ue;d+hKEq4bu~-~eM&LIY;Ary( zL!Wo0ze&6A9xrNH;d!k`>L|svKcy&7M*)gPxWj|5Rt=V zBnt~pW%|O8Lnlrlf9ic(q7&Vt`rfM(r-kRL?5Pm1p5XQMdqO)G#Kt3o@BSp#g$q)*vgd!kUk|L0^GW^l zSmwM&RjUoOV@_kB~>ew1Z_|3oc+>30@w_s2(5Vkv=wzwlBn9lXTkS>R`^Ez zGYKg0BI%wFt!>m0k;focy~lUkFdQ||(b6o+u~KVGBOa0{gF|;%h;)uTOJqe@BFY@f7a#6B^Q#IshD%e^Zj)CHx92&DO8f*mT@=Z!{6 zc5gx#2+kr+)-*>NwTUSgRQ-g>#~=9=?)B2}61AtUH4hu)ghJ~CPFpRecfjZ+3$-CW zO+ihu-Z6@M_Oa<`@M6RVOfde#LBmaAeVUV2r){kYj=MeTo05`c);&|pXDDpVtwXdm zQK|?+IeyBCq5k7;K3pzbxJi4PnyA(GqDpY=X$|Gz9V#5Nu?-J4rNP4Wf3Izk#L#V# zKV8xs!(NQ4(I9gGquGEpU0_wu-<)HoXBoUGyx9dnlz!D-xU$kefrcM-*9Ie;{mitI z7sRDWYm?E5z*2(p+md3$lRy47nO$Yh0E2V-I<>wSl7EJ@=B95@6imMjJ5OITgA0PP zW?RY%j_sN4r+MM2ab2uAE_P;0ABVLhp6r-~O@qI$4esviB1_K!oSdGM%=X!#o(~8Ur;$W;ho9a8w=>EWn^;0UGi;<9|Z$4-Z1;__Ue`JF=)q} z?;Jicu0~YJXr%gWZ0oRmT5kPVYK`VZ&v8#49K zx7w@WWS45{buRCHHHF6?>wg@+0fvPt7|0O)1v}a<*;g5I8ObQGdp$~r{zehAIe#E; z5!GS&aX^A?nXe8Rz{dX{C?z&9?{%m<%P+g>x!lg(@`bDw6Dv1RiL2J03-i ze}y^c@!(2@M*$#?g@O3#A^hK%mv0?|c^_ymN&?3Fzkz~K;4xEl$8S8i z`R<8Cg&uyIgh;?t`2s0Y0Xz^apw@?Qzz<$#pea$4v&#dt=i?a9c}krN_*1e$q#K5D zokjV2qZ{j%lSG7WGwe6YnW5L*Cr7#Get^`=rk|BGL~T!?3vqW~CdnW8I0wYM4|HcY zFp4*4zS0-SEI444@tL#|8B{lZfVBb!>B?kpU_`zNA?v(5tjJ+6pgxuQY8t495re7x z-t5LG07BVluTn>Rfe$E*Pn3%+y?;mi2ZVAEmvt5ny#GJvT6psSRHL8K$1rqRlUM*$ zaTEBOAAgD(5zrh>U?8Fh)7lSc><1PR#g9qazoX`(rIrr+Ej;-6hcDkZ>z^TosB<;d2o{ 
zG^4!!IOckB@p`{rnR+iRkic>ezA4lZXOOf;Bk>kC{}go()hXz;u= zZ?V@pg|a)+D%dz-^KgXlN%j&j+X}yq*@q*8puMN~_Q!1f?)`%g6=a8fIb45C&%T^( ze=B9P@`<`R_j;f(t9ZZmeL7&5?EA=D<^?xUeBYQLQa4``i0pOeJLtJT=J-`Iz>Jakz@1#JCIX-}PmG=qFt7(?MUTciA^yCr*DH$earS$E_S@^4*+(hb%?t9u zr-$gZ7lnVnwEc|u#T=bG{?Xv|`TXTDd&M35;(?EZ5ZbR_^w+t>OC*sunb)mRy?hHi zxKIaRa_pZaC`P!xZB3o~+&6b)%rGop%&utT^#^lRm#Q=m<Cr<{e$+;okT4xcxr;JwM>0Nb2Rx*4u>= zqwu)$z1iS7@BR3uL1JCBw0DsBf*bawTj1@{_nF8?#rXF8?Xf5|)u)7%%ixv!m5a^W z=EHBSwTXtscB?T3{9BH&mcYXuzqJF6kiRi#{9L|F> zIPG4mTA8YP7OnN#u&X0*3k%-tqOcAy;Ys@PZeap#pCTZ?_6< z?+OA;TIGT>AK&@j6Scn|5@o%4ckP>P0gkN29P&ZF=lz9e{jt<{b9h`1xXdM}(r20g zGwJuXyN-|Cy`0ANWCn~QKZ-LuX6VOE6@oKr$^~0OxlKq<6?jmFr>sBYUnM`66;XPu zEh{{x2P6dHy}#YJf1^metX~*}d{ytoGkGxXv_wE`o!Y$Ke||l>n6)@-@WJeNKFz&^ zd|KTkvR-N;tA9bo7>11Knt(AoGI9Dv5_haDqBcL~C7A4@`sm@scB=W+^6%WsALlpN z?I;uJSYkT}$hXP$r_%S0%9kao_a%XDvsr;)I~EdwMeBmHUhV6Mxks|!90yiRXpk<% z7oNV){qNhpZ>Q1k<&})uzC!BnbMd26?W&moKAwAU`?KHeAFfB2_w7cfGO816lCp(q zg3>#5YkZ4cJG!cKBZO~Etqgbognc}!NMx+(=+fQ%NkoJPahN+EV@Yj%kd?RIg8*03 z65Z4+gKhzVm(D(4n$1c5;iwI2-AR5-!(hRy1$SD~oH8R<+dJMrS+~2WVZ>{}d_Rd; zRi}kx=A4J=@BMk37V*qb3uv3F=z$vr&g9Lx1oUol2;*dKuv$5!QObrlm*$xMz9I0S zL0s|J>F3Q~qzX6%36c(T3$r7Ex9GNa0M%Y-Zh_wZZuuVAcTTJOpB4hI<84s(qbSJu zL5??&z^MR~Px2}vD(~g*R{`yJ=U!^8x8G8Z1nytrr&k{>#;ARO_Xc7Zy@j74HPNk1M5dKomp;2Sf%X?_zXV8l z%AvMtmyaZLon`TNhxAYw2o%X!B55j$ye$Wvw>{gOnsirV?U`fpr<%kiP^Hlpr`e=J z$|u!=Oih|i z`(n0*;MYGisQ!@-#tb=5S?QMHc(@s5G*EYwldg5fJ-sAoc>t+wfoV7=uqeeP3SIVB zcHToI{raM<_9tta;kt9ouB0>&g9S59^>fj8+;Ll903;(kawyOpJ5~B~E{>e9$=72$ z1AC{G%?)R!TPv-|14;_-wp*))6?`<$xrDavkOH$QPG(-w6QWIf`||v4PvG{s{W5~6 zj-9@*QpYjtTEXW^<85;M&Et)En{9~$aM;mc-I3Vhb~C>3-(C<1e`njzv;(%9bu$lQ zLnyCof4220A*smieQ>rMb9^Iue?<{^H1Of^P5pZ=17yDQg1-k-j;TSjTK z-k!fSed9Z>RJ+HRA$YXVL|~zsWvV|-4{); z&_A-nrgDKZViJT&Vk%_KR;aMXPicTeTRqPagE`AzsoONO@;zzQ-BFXI4 zlk?**@}{8{i=@*@&6=_~Xou!_uWSs2TdNjSP$*Z+e4n;g4xYamp8n6#vw}DH2`)ye zdtd}WM@0D4cb2|cXSO*{aaQVp)RzZlapZq~jy1wE0`BA3EcHf5-=wEa9`C;+{Igy! 
z$=HgRED1lgi=1InI%!!1KzKtL2{g$<-}-iHCiX6U26>u;-f9S2i49J<%6(BN4pO+? zcA6TtN}8gY{+MLZ%_0!RIZBBk+i$Q-11BCl_x5cYUe|12j?S-998My#3GB9_-?m^f z+TMKMA_T?-G}+#E$Jy2jsd|RuNjkpuSweb0UAFg|`DdEg&8|OPZCm$w#vIE~&Tc3{q z^z+!jf7JMVqLBACXZo&x>iDfK4JknjArr@_^eiK|I;SBfpo6ihUCw~JC;R~UmPwx8 z!Ll%7WOL2fP~+z}0q(kSS{4(x3M|%9F&@I+0$xB?GC6JB#ur#}F0%kWt+o8D$e!>N z%y)q6-eW{iUEfSIDXY69+4FbW;^jtPUFtC7ewkHlSxsaZ9dI6w(I`6k_+gReXBze5obvcViYis4-aK zA8UDt!WZD7@Irryi8Wq*HVju(k*k^|`dZ?}7Uy6@rWJWuh&k~nM)orGZ4pa) z7nVkR%nk>p?a^%t0D%2wi~X9wNARod-$Ws@Zu7D5!%{SF*z6}~>%9Bf@m~dz4~!k- zSAkj@P(+ZWtC(D+bFSEJdQXyUk?IDLA7$9P=b!AWhK4`4m|dYGHRYA?q6y;6)n=TLvR-|5aTvEmm?;$gRcGbl&Xt3)+xzdt@54@Ok@VIaB~goy$^9@&9y>$_3F zru;@IaC2GtHnjdY>RXT8knc(i=2w`PrRytH7Btkx?3X$ZIUdsSF5tqOb0CH~<7?iZ z>rohcJe9A{VZt^C|+LnN4v;Z_-{!ME9<=;V8n{8d4Qxo(X$Ps@}+ zMZX81A}ERZc4nH6$At)GSRqD^3c%LR6m;dI^_1`><^t& zpn}%0p$#^HIVb!I#Q1KWY%uHe*LHpqQw#dvVWW%Vt5;QR>c@eb7A?#Ms{l^-AYfg` zCpE;Q#NQeHF4p$JkcUM^wGH>nECbJg#Z5D2v77Cf%+3gH%_36&TB%2EhQ?m$q1$gV z?F^LdgPkQlOCI>6Ozino^z82Q5NK~gm;>P(QxlZJN^Vjs)e4UzGCxMKiIFY-8X0@F z_)SW~o0vo7bws=Lym6L3CHb%VFx!SidXkOY!P=jd1CJKejx#7g(8l!|NSpLN%ruuo z{j8fCgbhzKpJ+Kc)_p)ZrXcMJ>zQN+dkS*F7;$@5wTPtr#{)kLvfL0))lqQilM2Z^ zQv@>_2dQaR@$pt~);8@-s(B!@2a;i+SV9cj!VC_`LGIkDh;>%HCUdOG{xEM450%{# z&wE-+sGi)?J;hh3!JF1Jh^4a3aRJ|Fh;jhrLKQ5#YGVz9W!y~V;v`N@U}l*I0)Rz} zW0j^3=l2|2VPA9}01y{hfpS09u(I^(vJK0NC)Pk9&DE?Ud9M}|=FCg{A&&iyHsU^f z&GcU6cw$JXqMYe;8*rEyei|0I2CxkK+k-0nu83dSA=al)``f=+5w!>+z8aby$Rx+i znmN*Ls2K(6c(RoycRD%VNE5Q`|9rIIPEohM<*0Z`Q5Z+Hv0`(~tsx}U8HMwDD)(&} zu!+fGx!}TzZZI zv96i+M{<2YA?b5k-yVY$01n|JIs6|S=LH8hy_`J}^&$+A>rX;@WAxb34LORc&;7-c zD+-%Jz)}M>O+Q~qH^~`W&mnCWHV`vy>r#d<4~AoXOb*~!pHA`oIPCeCkuW>4(j!)h z7m(14F^NUa{z%ib?s0=!C|Vaw6y^_8HTFVr!AF-`jDFnjj5zyO^hT+L$S+n+G!Nv4 zvVUWhQ1SY}v5s(lT9T({&|&s7Nt-1IgXFVb_+OO0WmsIx68D=B5+K0|1b26b-~@MP zaDuzT;2NA@!QI^<*r3530?gn9*8ssixr=?y-sjx&z8~)WHc#@f*6Ql2>gw)a|2v9S zuA=V5#;0xW2snMveXMy{qRBTM17_=OB^JV|SdQnIGutmpSK4w>+6f;v3Oe8?>!Ejp zF>bxjt1}DR|5ccQmR27k`~ma%wr%2dJKGD>@Bqn$%3I|k)dq)R)@X_sLmmtoL!Scp 
zU)Th5&dLkhVNQ#9TNUT8+1gvZzG}9ANqCsESi#4o!FIOYlu;n$yLDl62IXvCbts4W z6tUPDQrR@HZxsbY%Xb(A3E#o9W|PtN-zg&YttFZ0Wla3+2O+`J_7|?-mXr0eDKv9p z$kOqZAY`3qSRvF1q&uQveMYPXH-<_7{#C4n1YaBUThawB%0)d+Ro1p_QQMEc$+e?4 zh{@Muw&k1JZfPz>sm>HuqEB^^dS;Ai92?3FXSMGy0WpbLmu?iiv)dMeUqe4~MURdn zhl(0R)G(l^m5KAyob(>ITt1DvMNiYtzakB&xqp!&+5%B>hQ-Hif3n2rU8CT-VjG{H znm`Mw+tY30z~RQ)C{aXD;GbyriOy$QpqwAq&W0D_KXag5pvtR#os(g{OO-|7NrUy< z?SzBVTGMm@14WL`We58*sadd=e#l%6PHQc1o`f)o9$!;dSvQnBT1slkwCxr+8T-VM5 zLHO3R?MDfjE&5_*G#cc`SWnJZUSA~q-j}IKt=|$6tX??u?9QCqs#wYOb+F}oxS}o~ z$&Y?naRNa`z$@3+XAzBa=s|uJuPK;W32VHOMN{-j3Vz3xw#<0iq{|TE6PlwJJpH-jBwsH|wIITKl)$#LY>hjtmZ)-N8c~NQjm}g|N&T?+J z?=!6(wvF3?(l$|)swyKx32;F1Vixo;J@RKKiXqdy3n1(8w3G7`uz*leZG25=7~YwO zdSR@0b8yt+jT#}hxhMql1J)_up4nW1ZZ#_=cOiO8)*Iv!IwJcJmxeb5iS8QkSBq15 z3cB=1JIWg?cxU1_s{|WN2JxRhD{$V^@i$RD4>-d@Xd0p@h^8q@kG3#eCLn1)%3*fK zF=&M~Y}nT%9Ong&SC&sEf%9J8a<+MU$u&0qg{kT@RewE#cuxU)M-l?$pE$Id<)NFJ zBE>sD7>GL4ad_f46eWT-tpygpGanBFeYxof9T}*<8u9I{M;ViABnQ9}O)k5v-r(Kf zP+sW5y=WJVpFUW-kJ^kJ`Kle^*L+oF-SYNy#x0@O5bbq&Au-eKRmN=KTK*!m zL-9sT*K`q2^oNYxo+ztj{t7Mp)DP(pR?q}xub<%U4nqsPoKN8_g6z)e-B6<%v> z^$e`cb4FLBEQi);x{q`Hy9=LUFZNTnWar}2?&>+U?J6!a=7_Z%Rme{>SbKBd9iryW zTATzcH>^XVypGSx%7)uMruu$7#NB1wihL}h-R?>)nqZviTbEFraItbgT|KQr{0{8% zX)R1+o`8fA_8{~aqSoa*&CuY|fw}!G7u}$_EI8WkJlgLhTm@?T?TJXe9&4Q}zUvQb z{g$9L>=K~Lb&tv+wo?vJ(1GuagS9^#EmCu&4@W3gM1ndnUSTK)9!Uf zIMCL$p=;UuqTke}>sJR^1>E9geL41MKU`OjB!N%Nz?W()3%x@7#JUJAbILV6u;SoB z+Y?;Txn#B_+S#L4jiucZ6`~j?fp~()Epv~smtjSUUc7yI!xs!U<{y?o@d?aK`0m~{ zHsy}Pb~gtL@JSE6L^;P#;3K8l_*jBO$kcR`Tuf%`2XPI(54)yxcJ zX2H0>jTO#h)Vt&d7JfbjX)dFDkLYC_Ubn`rq@#h{__UDO)*bzG#9}>jvn-ar`8d8o zB#k_k)gR72ML|BvKp%V|A~l*n&B=ychBVekC`x6h@Dv`*~xNu$&)onU0~+}Z)!0_rI2odv8Qcw1rjPMVUa z4Wqg_H5rXy*U0^M@eeOd%NQF?T`u41_Q5$v-g`>V%_N$y)P~s})E5Dlpg=Fq(1(bU z+&qw0*=%&?w^FCt*68!DH(u+wi~1%ZmKa%KOT)6GDde{R72kUPcHviNJ zfC2{s5Dbl1`(n*V?ks3;*W-NUF&M@*-#oJG_b#TXfbYcTXenpiyY=>|)t--gN^}2y zy}}R{f!!eaZ%TAGEo_2DZ;*}N?4yE)wt1?u^p8K|ct7s5$?0#^kXI>y;m_W;AYJoWRTB6^UmDkMD@wp>ovif<&kRa8RP 
zv)of)tv};KlL(OZmq8L=Qjqw}Rvh}Z@X!f3`mA4j$ z6~SVl8x0r#>OBaP)|=4mv1P}qrxbSK%O*gAZ_Vy01M;SL4W%l?qf&TtTrngx724SF z$9LxD`!;aODv0O5XH){f#_;U{WWgb`h9LP3#ej9ug5B_54-N*Gk`21S<5rokNf%3g zL{+}KMG}XVB?1g_tzj4o) zrh6J9Nq#SPzsYClFVQnPtWv6cm$2Tdp$Aj4JI3yGeBU3o@IEzDX38`>tOA3J(qjb_O1$UQ3uue30NIM={)QC?01Bu8Q-zF?as07fGkCT0!j?E!QQ#e|EIm(gun zY^my81IygRem>|aFBTC+FY!blx_JT%G;9B7y^yXv^&sMwJ>=AGp!ke?V-3>L}VT>TN9LiT|X7~#mE)O#3AanWpsHz6Q9N) zlT>9GL2{n6gAYD@XpisC6hpkQ2Y*F927fDFGeCEi)7h!}@;A30)pGZHP?gphK>4CM zR;|foXsnvtzKF|vnXgR0c1U>I8K3xVAA%2QWw&CKJgjw?aTA1cE|N0Y@SKC5(K^=~ z;8W8Iyx&mXes47I@cmUn)J zdIlv`N;riJNelcgsCzbHN2>HTJ&IHEj&;EJb5Jxj%qSFMOjN}!O5}~zYc<$q!G0dO z{~`2XxdmLwv$FfI-YKC7)-GiG_mH*FoA7Ae!iq#LT%JH2d!^CGOf=u(J981;#!vHq z=^SupdR6kK((RbJ5h0IT;9fFXX8edp_9iu=U(`!`neV^$uEQWLG(-Hza zE+V?r_-YPbXm&4YKIl*^J#cDFfVEV>jN9_8s*4)8WXwF(##RHbL?v8jE9~o+zF%QF z{_ATNe_Z$lBs;~j$v$%viZGdkrOP7CaJ}zrG-uzY7yH5$t}7HE$#7AiTI86-C;KIs z*PmX|;Gj;JMw816ZJ^-(>*GAM@@*^;8{~1JkNT}wYz{$^cEP+h(fhQGHx7uoQY4h zS)Z+j7?na?ZSi+Cq?Y;1wE0oDl$^C!Zo}9hP?5n(C0)YGMsD+NAEp9D8<(-5_6`Q*cS+`GnhMpzs&mQD@Qv-CMngGM?ohH00d4bmn@ zse*cxFnpNC(lJedw1&%FPt5qT<9t(AP4ybjcg9#mD4}s#!kQM=^pxrA1c2~|-qWk< zFQP6YV+F!^qQA8ZV07yI+5u#;{#h3o1ir@5*Hf!yp4l^O8vY<(B+N)SujSWIXk_}1 zm6^=~bA0bWq@$OdJ}(PEic0k2;CVt@_!#!+dD?mmRta(v_T%R2`LcT4xm9%7m8qOUM*Un1ilHxxdI1M8 zXL|93#*n6}ZgYX;u%lL{g6D)_dXc=8q@sm=Z}dugfGbX1_NX#$UT0Z`mU2chbGMyA zQ_sISwCD4liNDkX=%)NH4J&o@@8wQPfr)rsH9f!>zo6pMNo`%PtwQ>wk)=%+);_E8J^p7x?)a`Vy*pJo zjY$T}0#l#Cd}ommLj_&V?~k2L*bmC`9!P{(1BrHa6}%HmV298a1?=Z%^^vi{$x^Kh zOb!3@q2}P@+4KsROhW+NeglJE!91x2BT%iozM8 zqnVF3V{GcT);vE3c9O{m6MFeXIe$vGGwiG6JCuH$AycuL4D%hpZvQ_?xhPde5gl-& z`ejAx=$S??J)Nf^k}#u;F@nob{>gl|wM_17RrTF&?|P?oY%;Y!#$HESRXvOyFw#ku zYpg?5&}T^$b8~xMTZ)Ih3RZ@fH-0P*F0xa5ji6F8d^}@rDSko2jv8`af7{KG-A*g7 zMDP{>OG3n-HbMSgZ*p{pKkflBtQH?r-dMc}G98lPrj~rMQyalOj?%+Jj@)cjoH(VU z%Swzf=&7be$n2bA0~V&R!fJm8bMgDTK@m-0U>gEDcFR zj!OL0>bG8Ne+uSow#Bo^E%2UyPV+TF?S9(m#^XASKp`bJ(Wii`YP}OEs;>KmVL(%O 
zpQP^+(2vkRB56vq>MfRk7_tk(VKSiaNz#aw&hXMl1lyADql^x2%FGd#c&a^U^XTw^*A;p*GEcXYg#+E%BI;8 zzW~Ay1hX&o|CE2gf_g-$!XIwsIAP@PMqEUJ6^MZqo2qa5u9`k%jeTbVXjP>CMkewv zG?sH=N7>i1Z})k8;m=u1DMc*6W$=YhI*vRU-P8ndUX?_`tr@#@58`M-PLP~u{p%NcYIE&KfU}gO#{CW z0|2R5EKHcrM^!}lRgYn?0G+2CV2);S{-&qi_!sP6B>nUvN#LagM@pMY|J54?aW&L? zAss%uS?+hRu;1GtidA^+sww?0r&G(m{l;c&{)=$zw|?LN1;GzZ@BSsyU*u0OIkD$_Nm z($tgA%w-h(df86Yla8YV{+&_9ur3)Bo9Fd)t(~j;Ai(f;AZr_(15EMHv!9d}=VAg2gb|mYq=}oq-5OO{dhMbOt@exkslM+Z z#D(4Uq6r5}gf$Tf38r}(ohIDXFy-3<2rn}2geei>NtM0=M166$njqPotHy7l#V-~9v5gRt@j3vzZ)0;q7J)&Sa-y&H8B zJ)nxq8h3#2vaOKN1&q-AB=~u`Gi>?aiRKCH{UJmj(@*M%0{k?50p%%Flk4udIdEU~ zL_i=upk=WO6ZUv{^e{}5^V4$VP1H%PhiyDiQElWO6#*pLk_o``0&9nW$m(u~G?3c< zaRctB9t7DEw*5`@?qe+A)18Dcg z%~C+G^kfTA3MC8zQj5)G@^^sX|Hs%aPX&^6E&-M3+VRsnys?(&o-6zYQvRj;qvJ;& z4j;q4Y^c}GfeS^x%XTkF_;6mP!vF>N#N7$Mcr>_w;;y^#i8r-o^E|k(1RmrEOJ31p zVZv$Ntq^{^n0e9$)$#|zksE?vxAf$1ix}!R2TK=Q03`lbWHnlh?)~@Uo{r9Sf{_Uy zpCD3zX-2p3n}e&4ot*UleV(`Yq;QI9>4%GVcJ-ur8vBIPvJ!Lwa4q@}pe7pYP4(mP z*d0SGRf={Ur!$58!Tjw0q-&DJ_Cg}@{B)3{K&|WD_~j=wp*0HzkHTU9A<$@rgYTg( z{mYKeR=+HNSadg7L)UTXJFWA_a3n+m^v1V6D5Oyv zv#vblOBvo#2`D?j-ME^usO#Kh6L#_;e(%|p~5?mx3e*=zWn zccxKNz-~3tQ;z%=oJkM=PiHHI0^P)eAw4)u>WB&0nTBkU`I&o3nV;lz`b`y|(YvG{ zELf~L8ehJ)h?lDSi50N)=OEhdiDN%0-+IjMg%N~lX_`-t=Nrm z3^|nN>ZU67{VLym&r`k_z7!)F|6-~kdbi!aRKq2mguCoZ!^Y50NjGm72iJPO<-#N3 z6W$BBelCpN-G-iypa1O$f8qN}QvG$f z01^!R_Y0K}FX-0T^L+!R#DZ++rUfNBa%wzd^x_nb$xO=-6mF1StEg;*T=0vx@k30z z3G2x3^_aHfhBMb1{V;1|yn@M6H4yE#illD!2s#%H_A$;_m-J4TCGd^)UOVYRZ+CdQ zkOCtf;sy$1Fnf;<%BOYJf%$jKk>%U>fJi52v`=viUwVu=YhIPjC)E%mr?aE;)>3nob&T>{x3a0I|+A`cvP-BVM6y3INa zUgkgjB)SHObsGAPdhj*{bzeUHWNiBNHND8_0Dqjd*$Y1Krxbd>DX^FX=O)BSDoz`V z|65xx|3V~LCp%byr>oY8ozny^s7PBpN6JnEU*0zv|5@AhCVFW5wm5fD(v9g`ExXGbl>gU3ADE*aUmX-xV!rm zyjZWmM%(&-&*Fd-H=umQ*3Y{$XeHCB@F(?HumbdPqU8O(*Y!v!aL)|V{3o0I&=E_{ zUjMUFVln+3p~iCAgLJvzb*qbeLN~!<8?2;{uA-TV%}F)p=E~F$|c7*U!~Ib($^cn&YHp15-H{@dhfa()wfSO=f1Z7qL&e&lHuK!5IuPb-s^hFEAYb|?NL;+8i&Ftvh(VezE+T^ 
z(~Dp8jf_sPQPIwM5}{7!?_u&r+P25|+FT-^$S8u|*-ja&cx;ei( zr|q?S%^n-?SO%Eo_j3L5o0L?meFFTIW7hWIAUgwp6JwN~pZlL?y`D?|q4jCxm&E)# zu7M%L12~*B0m7nh=rDda78bsU&~f+ijLu~qg!${!GtLxu83LQg_M5LGTy~87Z)ZGl z8(;2wjabsw$fqO2HvMnJ%iXVt1Mbi^0e_5_La3os&_6{PwZ%5?Jp5kkS-NPDq(BQVGI+s z*g3qtKqCr}JN<5qNVqe(u*}cshoXKDc#rAJb{VwCW@I86@L^473%D`keZ!UK;d=&* z&O62y^B!Ve>u)=+-wP0Y;Rxw{AiEVvbls^%%+juV?FS%c!6!hP}7Fm-=nd??D;ZycbzzK~n4KEUIpS4ePUgk}xm(0g;FC zRckVnI%rXbFEm;MTO(H`X>8)D1uuTE_cmisR1#Uu?^f*smqZ^ltfeDm)a=;3alpAC zt0I$eHx}&@h*520dF64kT8Vg4f9iQ95o<8nNvMR1ubf*4D|lAy7hN<`lcPE8cE{~T zawn2%2bWW<;$ZYXw>PeO#)0EjYY9KNe}*5nIFSRKLOg=9{!c_+Z&XC&E5u#q}&l^pyW|Wn=EVv_{40zOHWNcDE+6oS^8rk9q=h%C@g{G@I|F_?5k~*?<>SW+MlIm1DF@ENZ^+MGQ zM`^}xydjWnsCkQ+|F(2ZyU`?tUjB}0pp|s()dQNT&dP*{g0%2lwh#A=;(}Lr)XvOm zm<<$MEtkwAKH(V`eAT~3ExU`+{@TztS~EZjDuT{Zs0(p7%dWGzD@6@!6b8aol3~*n z3q{O~fnK!)gI~Cy#W%IdkHqIFbv#QwW=lq+dKSE_Y%_Bxxv=q!J)mG6Ibb}T_|D-F zA%BsFCk8s%GfWRF4EwD+FykR6-heYi(m@(JzSDH_UzQVeyjuvMlBr;=0`-!LBZeukxS4-+KH4T>9ek1L`4OX(bu8pXCRi=%Y1E4@ zAM8Q_M5yEbXRosD7gPuaJ)e%WB47@eC(|rT9gOvxBfgsx@bNmTTzpQHTFazwE4KCQ z?w-l+5{1vJrJ|qYn?Wlh_AC-}<#kv}d#pWgoVAnpozbne!zr`BVJ%T~qv_27m(YE- zmxp!z^ziE4A)e}C4Z#JAyE%AHFF%x+o!K6%H@;tBO6dzVu|L<}!F|C}6xP-59@x7p5Y6UaWZ`#?IqgFFP@vEq`$)_n2%G%P~?`X((V6 zuj^}BaH*y(MPr#8Snm@MveA%Y-vD7SOnpIJDyw1l@<|Y!BAea3`OoXLwr{q-dA?Y4 zc_mWKkyhr&9#z7)Aszku1Kky!2ymPitfq}SzQ9t*|LMu^0Ny2%?35juD+E{c{?~rS zC?{FBVxNWjM0wVgv7iG?B#=xLbfCEe2~O`R#>b43bV;8W-rll)leB1M9>-590RnD3EPtS4W69Jcr7sTq3RW(a%ZH zGJGh=bA`nWllz1S=uNKEXdHDbpxRo!rBvc0wbLWBR;S?LZrGR;X>_pX*TfQ|sSruf zyi_sp4l(0w0~9~E&{k4a1?u}dCv_*aBT}|2@Yr=4p)kGuUXIXn%EBr4X%4*wK?3zo zue#KUAav|?S+wtR*8ECAhM)Hz-Q$a2H~9303?Z)a&54&V=3vO7S}wkTqV1+|@$=hVYW9vDyvPwP+lYZTdh2mjvB`}o@mY?ig5cWIo z0Y!M)q4lyR0nRY0r1|OPV}ZwP9a&5M#ui&`j;hTV@t|z(pAv~LNt)849j+n3azE9U z0!o=bJBZcRTQ~n^4-+}_H=RT}oy21p@#>p|g1os4A8af6+_Y12&+2hb$msDqT$_c7)Uj>vNk3d94}xJUNmuDT)w@v|;*1XVZ4 z$C^is>dU_rV&A`4{-!G#DI`+oHzE?JGu5p-cKXetnZ=}pt$84LSR9VF4`E7~L7Bq2 zwjUddlamZ3mbK5$B)^NQJwAtbLDI6sXZV<{pIXwtMyMSPWgphB-3@F0sV{ 
zwv(CpOBPG$#eOnOv=6}49Uf; zHg7O;=(7g{r*HzIUJJ*dbImJVh-6;6qq@=ImA z56WUI@^jF0qWxdc1J>66URrWOpC1BwBg}fQ4j$>kNgNe?A1L+!kkAxNn)7&l@B(D} zHHN9!>(59xWa0BWd%ab%muyV@jDqCE)TB~qi(f-Pwx2^G?jOT?V6o%^{krYs2zVK( zZ24EU)TToQo>Eh`*g!p5#Y*g-&f1Bw2^%?W@`nta8X!3ku+2e+0lBZkLhrXmyG2cF zvTajAKItpI4gIV0%l3`tOU%M{b10%wQTcfzt{%6c03Q1JP`aloKz_Un#0M5gn__D z6T}RpvINHh@n#wgnV*cyw$dXS1=Bx!<~LW`sgR`;X28OGmKATERGW79osw+btB#z~%f#cgH`GTx0N5|XtzkyMh3zY?k3$qJ^$Ih!8w}kdE?C-D zE0w-u)Pyvg4PlYF<-;YpDWKv4*_?7|!!jeG!^$aKuMi|5uydAj6+!hpElRKY9Dbd_ z?VS~iQVg%pGplUW!kBjo4MG%xO)M^PEXFEPEny;Zw z9>WSN1bl?UF^`@s0ciJL2I~FSQZH~TtnF3>!SC8TC1ptXGmF^ywb>&M@96c=o_@2s zADl7)zG;Y(qYUfOx+pg?a=KWrHox?2`kimgx4hpA!j5l#TdCVL5bZTuXIDv~#98e# z_|UKj-H^>-BZfgnbUhm?s@P>Ia?yw*x4V__=lmeyc<*;PBQB}yFu0q>=}575TE5$w zH~$MAjWtPgp~#DQjvAfNtII_tafiy0*aZge?K>nJ>kf;`CE@OHwT%BQlOi%tVt=0( zi3`^-(Yu76jav2!yq9QW)*-fR-oM=⪼nAU6AmqP-)12+^F#L`~{jue8 z$om}SvMh3pFW`seY+V7l9&n9EuTM>$hM1b;Xw|(nhj5$0q0T1*hkmm#r6&N{&^nPC zpAbgmxjkblHVs{4jSSm?rEwNzF5pf|<64w2K9!}tI&G>nx|uqoMM4JyV)R8Ny;Sv@ zM&5irjimo4)#C+@lgHL}@U~bdFPaxurww4d~}{p`_!UtWyMM zD!q2$6=FT=E)AZQ?6NPyYb7lH%zA}pj2m=1*yFy3Rt##|DRAjaW$2oiwb`~5`pmO2 zf*XLDVutABNT@)ONKzL&s*<7mq=Q={q#edG1bVS}IRWB%(`;{5FT_37Bd8}YSPI;4 z+5zLYEe$@X9Af>!lIXPdrP?gNWo~os5GCyM`#G;6>6#qW4mbGe7Pd-$KrLQ12GgBj zvFQ7I*IaY_C2eK>kcgmJ7v4>k^QWp3)yASmQFG94L|j}N=0jMOh0Jc_1_RPw?=a<) z+{fPwcr6qF)@B_xE(W@f?&f2xREm(mhUsuvwBA=GXLDzim0P5O<>e}Eo;%dvZH8pxqBGMA3`Y@I9F0_u#tSYRp z_BhHXg=(kr?mb7>BX1o;=QeE!gIv@+AJXngfTh;q5z{e=v^yFJb!ZHf-WIs|hnPHb z?7!B_mN5XV^D^iqRpu%&`UE9X&*KtN?sxwr4Ro%IvOI1rsU{U#${06WJtX;=FABJ5 zIb~I%+pKKsHB?_>Cw^1>@X8^$wryT;@{p=60#BDki=3-Pdlhbu=z6I)6xBCxy?8gF zB_k*pl3IB_E0G@TX@WUku=5w%i8u-isu5aPUTxH{n1_^uQFbLM=yS3~#A*!tTGnxn zxh^{nfIX&)9)j%;B0n1O6omr!tk8e)7^XKjr+|I|cOK(JtxqF=hZvZd2Q&y+m6g|x z%WK_6_0QU9V+EHY&gGfQk0NB&bw4>|SdPArRFC~LY8$6>r;iKQrgM-x2Lv1?&q)K_ zg!19i14Qb?MqhPTNSI%Ni;Y{@09kFK|J`i|yfVSBV|V-( zqP4cosZy>OZ!we~nzvVOm%76_RI55cIad79AAX4KPd->Pzt52(SE{z&w)3IxoYtK> 
zBDBKc;t-a>u3Y79tq}}CmW$s9SJtA1oQi*(pwv)f;>+yM`=*W97;>g4vQX^`M<0q0!tLY!Kt!c*_b%K`gKVD?lxDdAD&1(lWFKHy% zprmpc?k}jVIx$QHi`n<6^Sm~z=rLNsNZp>Rm&HnB#dQ0exp;}8V%Ud3Svw6>w9Dv? zbn$6{xf?*fTwItM#@Y1=Upy_``ZKqB-@lxab?KYZdA_~8V_tnQz-%U8=qP$BL7@PZ zyg~D)mvBuikA$jQ>ZylEZq#AL>FT&K8XIrzQwWcmY8oe1l6abf1 zD8iW}YQ*X|GwG0>Rs(|Rc;`H3U$>tu>}F0@(Yj=L&C2B|t-;&#Kt4MeUI|OqiPDo$Hbo+sXugLVmAle!h zktCZ%Gs=45K!+pGg+`BS}M& z2KFyGF}3*kj@-z`^O!l)ud?XnZa1H4pnd}rd%7xo*7y)g8`5CU7)Q8~ue$c0r!>h2 zQx3g+?C!hONmK02bjq5}wPJ>5O?3ba^e;OGz*E+ez%5-`Z_Ed$Zwsqs%tS)rbF{H~ zmdk;Q){Qf?_lIJG2eU-*jS{rw=`l?}j>LEkpDDB(f{NbEl_foj=up%(v0*4RA^Y-J z5N4E~s82_oDyJkM^*c@M>gFF2)3ty)wCc5EksMFf_A#2&L{mFw6HA~KCw$Ae!|b&> z3@w~xKd0CtMg>w_On%CZsa95aCj-50@y)&fvqcC_Z+R*Ta=$MF@f`KKlzEmMzucdE z++(7PkSonRbC(s57C*OTz)7%Y z*LaE9?SAj!$XVxf$jbH}CW}V1x`Xb|AeUaSFs*zzoi#mgF~a)DaEh0bDzEW;*?=cI zVt1O563UU68#}z5J%kf}Bu=efa*n8HOfTgQ!N}yszhCJoc^isU-2El94V4GmsSGyx zDZQC%wAyuynTq`d(PVYyAMG?cmNegRpUZ==+;Ror6NBMrE0o|kc#4nQuPS-=?6uhX ztD4@_$vRW|Csw*p9QOp2$;zaZ+%Bgd;>12OzuH7kPJ#QxD$gihnlQ#DiYUr*W8*}{ z7u2m~wr|6MG=<{uo#Zopk8lJFeI?HdgU36mzIXreKnggiJ*Y{l`&?$y z8i$T0&!^JTHeFZ!Bla@7+=7KK#qSptRjoaLaq{MXgGv31F0GRI&8T-yiX#~$r?>Y% z7gynKG6gnudqK3^o~22>MGyYr6qI0P%af78oyd}JY|R*V>sA3OIUxvZ8#B*Sd3zSE zM6#x7@vg#`4{dWeIUDRovQg!ADW(i9hNpD=0CxbT3B+4*zRwagG}w%hbfd?#PtuE+ z($TSb7o51I71pxvl9)lH^vmU>SG|NoNkbOWo|r=#tvSL#NYOCj{@ZmAQ<%`_F0;Fy zD|N3lin}7IsK6=J@vFGW2Ml%w+H%W4NL7WLui;1yDFe57V3>T!>L zwo0<5cc$6eam@R;IWqD}g;a=U{*QaACvd;k!fA90-Z+MbxrMUsamHt_3g;Q22UPr%uNt^751$yMHj|&Q_XC!x`NygjSG* zHB*&vEw>8DB?OC_e-$-$dtG2BNk?T~9gr+G255Av zbd1nU9hnQhmDAM^qMx7qT)e!-ln_rpto}0WyR%g|y!{k&7z9st_s_^u-@}T!Q_<^& zQRi16P^1&$B-!UlIjqdFn>~qW2^6Uv*=KklCljVmL*47I8h;7DU@LEv^HXK-eTy){ zJ7$v&J%CCfyK`j`2gb~pT$E7fadl?0K9~_l6RgmQUY?=Y7nC(@m4b3!wnfW|z%3z_ zf*dRwRlksi>7wzB6!G7y>KCq*rnsFjSAEG~ahE*awCf*XB zKUy?&NWl29)s5^L@JqP8$( zwe5&Pks;Hz>ij15{9+IB?fzn_a*f}nz`5{$asmOI#rKK`b&5Y=%AuTr$mc%Md@F0l(Z#1#*^FyOOY!_D z?)3G_G>S15J+uR9ad37)-^P)7V85zHwpwLSvl#LWe3{Rh7@i~9Qsx?TU?lcak_HX} 
zKUW4iivLrh5F=(v)KsIt9gm~pl#ag)J0A3ku-BI*sLV&trw17oZfXV<<3<|CkUNum zr3A?1pQb_BB*fyRNV6j2Fs4hga})EeJNM5L{%Ehyczy}xrvBByD=#riMWKDi&+KPV zUjHSwXZbR!d6WKn0#5xoT;MZNEPECAZO|$^PGcTk@*@*#Vl@l;z#BQ210i%Z~;6o=yisfkk zB$r$&N6C&mQHn{b&G2NX@9cN0w91~2lGlP)>$h|TyM1`pE8ftmz8O3^Tt zYpw`^K^hD^+Dn*2O)&nS$d*`xU08Dmm1b2hczZ6R1$Ph~(2h)^_U=zm1()IX-M^{L z+CKCiZJ9GCz5a1Zz`KBKYUOg$@Jzi%=*`t5rw-@^SY$C)&Wk)SCcw)Lp|2UR7cpWf zh@a)ZvIm8ujTe`S(|v>2!w&D6;!$^|A)4vRnNtRB?h#`;au(UKW*VD1z`~v z7zhCz*ybL^pL&}+(e)v=SIg zNr16*H!FG(^3P*&k(TQXd~=3i5X^Z3;GG@OLlpOFDeiy^4%oZ6ljj=v(&*s;79|b? z9>XifDFu}K|LVic6yRSr#e15_1H-6u4IZb0-R-;VsScq0B*g^oN*#9tO3&I@0(}7= z5IV7)h5g5^o}3{kzQI6dtr~Ff6It6Lfv(Zv8tb#>uNi{gYoI`op>Jd3`JzotT^D-T zDsbbrbBCFOC;V25p~?+5BF7hOc7hLP?lC{=o;-A!6a=-^ z&u#mbgHk|-*KUTO#v2)J0n@O|iQDgN+_L2)`DPCOBe5NuuSFW*lxc+~os#1{f2V7e$Ob_^{>L+-t{s1D> zAmYUt1*a#ay_8v?PDh1ziCdJyHCbsOi4vo!Cs(G{X=;>spc65^^v=*H-fW4nnt3yP zxH3x76SK0iT8#4o(Dx$|ZAwf2*dH2*BlTM z#J@ED@yVZ0Ug`yZsDh;T8u-MS7WKF3LxQ)(n$Ge9_<)g68@=3wTB-k< zNBuRKR|K-CJ6VMTm1Ex1ltsv~u^(aXK+`!Qd*=8)etVo&y0ES5OH%Djb&A3Fihb!7 zQrZN?q$aW7>X=GNnl&*Mo5|E>+#l}1{|{Y%85LFgzK_F-C?z1N($bA|cXu=7pma!= zAc!d4jdbTQ3_UQUN=WC>os!Zi_}|>$`*YXxdtSH}%LRL1ab9N}=W$%SdnE<~gG>^b zF}lqd^Y_7132fB{miE(PcB(N@;Lh2{38VwB^{%^oH@qS4CZcE{uCW%XF%be^{P`^X z<>rgKap)i+DPnCK%6B8X^E&}EQ<|cZAGmG{wN}V`N1Atj8#%rI>EWzHPr*o9nI4NbR5%$yPwR{dOr9o36|&Zcw`xT- z0=Zo1NN5oR|E3xExOvq~<6iUV9Zxz7m}sZfkSkgKJi2uts45M@CaJI)A5?cXVq{-j zyMGozyQevZD-T3Ya|qZZ+vi`=^PlTTX||*k_1ey~Ys7kcd)}cJ&(aFfibyu1S*l%x znWh9mlJwRT32<{kaGw!`IqrRfbT|-bu5`=?tdk)f4bRcf@;5EcD~h>v{6#a zFpY1hp;WjIy7A~Xn+rsZ1|IH*T3dzL>$cUt$4{g6X5BC@+?ZV`NHFAr1pR3$BFh;& zY??jbHlvTwqbc7z-DAmSrbmT3C1)Sw73Sx+RDgFQ*FW9961Zmm6H5BO_=>e$qI1XuwJGJ5@} zdk~TF>Q@ndLbc<4r0luc<|JUuuw%h18;7g#l6c;blINLq<@j?I2r9h;L0O(3D#%%c zyav6zreIe;8I6%L?nkGwc@U32d z93mpGt9!|dIWG@dK8mQDXgT|+5(r!&R-eUlFl)os+4WBKOKB56&`EO9Pj-~xd?ySf ztr=1Oav~X;Fsq6V3%f1Y4MMcsz42` ztIdn%#K{vpX8>&1KUhC>L&OeBHb7@ja?irV{oO3xN|`;nN1t>BC`sBVf5>2Iz|ulw zX1zSUm$xkHN(jrlF9^~s#ZYY9ydD!V+si&pCpH$Lq=9FUjyNT@FKIOqadRiSiq~r} 
zHWz$qA%g2I#rx}v8%be0Oe@fCQ$Ye9^2C!6HpmM8q{B zG@~~`Zm*n{+-?F`>|)YXt*=u=%j|V&YJmLpyfMe3ET@aRnS6Dk81sFu2 zli@REwSlihHL?Lp>(fk4t04N>yNdC&g!5JV9%6Xe4OCbWi$qOXspl|eV-f%Aglw@+ za;$Qn?$2=-Tf!Awmm@t-#?`*yOga=L!GgLsIG#a$JTe1Yf#UkluyFH4AO%dG>xvE97o9tv&VXzB*^T*ZRPu?`0J zkuop&Laey_s&mJT}GYlqr}#T`Cl@HHRaTz&a@21-edUy$Ewo zd#OJ&s~P>mEPofKXSi|P+o`&b=LNjB9andHe|9WPJ$D*57TPAM=CmvOnyCN=%Q90M zrJgx5)#xn7DRyig&V-hJ|LQ>KlFdAa(iOqnwS&OkEd8BN8X%5eu_LHkRD|gFU?q)m z=Yt&q%k-4uLhr8xDI>Fe`gEI(n^4M+C(mI8z`vxcjmzKv8XKEINZmrJ=@FsQ*8egg{-ubS}FlVPM+@l&7E zIbL9IUD0G#214ZRla-a8?^ZY&JROkDXHzG!*R@<7fMdp(aTVb|awjG5V59KuJB1qB zCRy9*KITs96(m`1X>p}63BplZZSlQtG6L=;N91yzS=ZcW92I&-VvWoV>w$Vk)4gZvL?R2GNQ6tOT%E z3*(`;;%8aPiV1JElzKHVU4zi#s2Npl%wtS3lDER(t&OfqhV`bR$?Ip`jzAM+-h|N? zKuiAU+IKH#dxcyD?stsGb&6 zTZ`^yiRll0UDA^;%w2ObAS4et9wTx|k|{8pb36u({(ztI#$J8YMHqy!Tj@WwDu!k^ zW0G?$CJPbCI1rM2cle-_9-xx+o50NA=s5fs327RNbNaiQoW___gjp4RW5%Nw`-P`- zylN`nU7;+sK29Ym%oeR((+lH}t;QEvab8bkvbyhkDLM;}&%rV%|40fu--sHpO|3&3 zftmO`=u?dl?Ox*cp;eK-nFvzRVwyv;bz<1}uw%<8O`E3n6E>5jVLzeJn+yL~IYhEd zQ9l5ar_MQKw-?Q)s{+1ocX-z2|LTr}NS#iiKs0T8BgfX#XJ6{0{PAUJ%ePTSJ03YS z5T%G+-6legAD1B@TH;YnbTI(677-ZIa!M!mB;BV;4*+@uf#mX)s*;UW%ep zI`iw*5GJvede1JtGWVB@$||hX{ko=3iW8Bh*Y4oMWJOD1awDdm+-vvPEGyT*#|u}K z=qzDu+8cDiymp!2+eVY`GRZw#pxLsUaaVghDnWU$-}iqr{Cr{em=BS`_lU|wUNg+x zj!9GeQr>(2!aTK{nx2zl&-LiR@QJ9AC@A#=fgLMQ+o~^Q=e;xA0|}IXLzR5w+rq6G zX7Y7F?{(LFn?2vW*$omIGp3s~ITci(lwpa&t6rM*TW+7N7=37{4!qs5U)$*K;2v+yW9 zQ6*Am1SFVD_ned0qcnPBIP=dHVKF=Z&x#0Lb4O+oh*RPX)1xnPNgGT;`U+hNy;@;2 zYSPKZY&1NzIDMt2x2s&``+fH&7o|aEIdOa=8M+Ui2k5RN}qd}+> zR3`*eT)-}``eHTtYYK>NwS%7vuqNWRIs%1$OHjNeFk9|FX8TJ-e&cZ8#<_0*ZYN9c zu$nMP#VPUdo(#&~3#k+ta&rkSx}KrYmBRHgrb>L~f_Wdin0r|nw4*zvFO`!@E5Mj9 z<&DWuEvVCU-1e@u9f=+prEL)-8q0yT9~&hSgusaL+B{6s*l(QE`yX)sMq4FGcg_tAmK{ z=TgqxXgGhm2CQ{D7ru($KzIkoJTEO*%)%@K_IO>cwH9gHoSA@eZ>C95S4oMEZ%NXV zv_{vXc4EqOdLB|>7#T?{#Q!$Ej$odDY1q|1SHKg|ns}jd%V@wbRl>1e*q9Gt?P<#? 
z*}Toi1m>ff+u|xTCNP`C*CVA+5J&VG1jmn zT0FXrlG8bY!se8mv&0T#c<~#xy*TmDe^g5-NW2C9jm<@m1SqCR^}WDnIsXyP($ENJ zV=p`o;w3x^7xDH~x0=goWT$$wN*w;;_X?koKaYQzyQ#G>0+T33WGHs|!R)7{d$-4F zA3|QfBT?3VgnJzF+nfMc375BT))8*w5Vz>m|CqwycG`%8*)Gk;DHVUakKf3OZ_KN| zxh8&A70J#}VqGuRpEz5hJu7w#U^c$l-Y~1;RxQ99!!R$ippc|aMH5w5#P2Woyu&%2 zi?zfI>Yg@T7ta8jurJG<(dNpc!z=1-n@wDKJBuD`$Bj|Zv3%)>%D?Qh6&(G+yztfN zbld2eziGviG$jj$WK{g4|(*%*#;ctg6a_m!#*BW4nt^!yZ4+3Qc0sL zil!1@xFMpxRTYNSdYl5K9fZ4u4XF3D@W`84$b@!>E~F!Mgv#N&lJ!QM^UIE z5)}+$iGM-0HU0{7>D~)Th@p0*Mj$g<(!t!m_p{9U2?CyOsCX_OR!vyq50uQpN%YD2 z$yRDH^JKlF_RL>}9}Ys9>x9gh?kUGO$HyPu4=F_nba|p3BopXJ#gWv^k{pEtcQp1g zY(bzn{VOK}s3#cO1h3$O1V}IKPf_>xbV`iNnhN&W*S$Q4m5q>Twu6jSdc`lNkS5+u zRam@C?eB%%M1FWjYR5fS(#y^E^Yi#1!vg-8jN*laFqwXn>>iur0j6%-3F+5?wf4TQ z)5dS02Tp!5$-vxgJxfcm-BqBc(t1|eez9F4Q8xdKNM5g8AMq?3kjG&*`z8I=(8N+vH_lyWEJ4<2ui$DauCHWXq_OOwVm zn-JCP3-)?mek&-|Z8UPsM>p0@PCh3a`C(*gKMal;6jDC_GQ!-j_bA=BS zaFeGU|4ApdJFMb*z0&fP-Hd#=~WUWid@u8UC^df@_y#(#lSpo6H6 zug{K=q`msb(8d)k^D_0io7g1nI64XoziNNlF|kR>H*YqgZ`t>r2=JAz`RdeS?=^9(b3TpJl)1NO9!!RdTeY4uXjR4aHOGH)wRuTfqC( z1wM+5R9xQ%Ibvv~2h1_;3w>O`TRFzljdt#5ZUWL?lcxm#GDqVoa1^RgI6_mP=~RSQ zRC3%TUaq^rN723$rAFcX1IGM0+tts8lMouE1e@6bggtAF31s8{#x{2EHM`(okZlX9 zGgvs@MW93;q-_=U;^C2{^;IVaW0c$lv&-2d%9x_CSw$e>9MqrH#xQ0CtZod)Sagam zPXIbCUzt20(e*Pfv;LH(W0R&VW5OCLDhB*Yzk$l%4kPnPgINp7I`Q{r>Wn<=qw_hp zAtFz`Q}-qni&dOf!@eUc&uuG%pFZtmP$Jtjy=|Dz+++3-8?V}$3J`Y;i?D#SqLo{% zE=AX^O+86xRF$A>^be{!yNO^+{LpW)sA_s*2{Gnl8{eCY!BG$0T@$z4X(fL?lMyNP zFc7RQNaeWn1THp1f&|Mwl~5*S0GP8jU$Iu=rE{2uTm& zJ4xPgd+Hu}n!t*lDOb~|cC$*kct%lJd+WYYgo)*ST9+$+*8Tj*;AbX9RM-KfiR!Y= ztulgNd!|xp%mIZTq5FgLy*=Rmj7VLsSpt9$$bH}cH#`KqfrE{M;a_$2Za{nE ziJd!$_+`xxuRa77@iX<5Zq{{%S}S#oi3i&7TN@X}r-i*Nu;%!$+~2%GHDwDFt_kiY0VVUK9= z55GidfB2A1NRf@x;hOmf=;31vD77v1H*{bxP>|*GxMST7`R}+i@~!w7zd;We^1IIo z+n@eIoNO>MlwqwCp_4#_HwG+yNOr-Kjw&Du_>uo(^=DMtgU`T^vyHj7e=j*2@RXS6 zxU#_wL*f-T6iJqs66?sKaT+Fb-q)HjYZ2kzfB=xBm_T zFk~q*M@pxFJ19Dm>)l}auezp{N^{(FBo(=MAn6XDZ3;w4JRAXLl`j@GTufl_P|uP` 
z+vrA_X~N%1QVrbSzL#nFJ8z~g>?TL3@5D#RJS`Qt*72OVQWj)wO*_MeHpRAWobj`F zFQ69!5`UsU0Ki7)Ksq}=ALRG%LikGT5b8k(aPWXMj}psM)wE3p-d37MsbC2@OL$l9 zc%bHUs#I*}a7=R@^Vv9d2lU{A+^GJC6D4Z-x!*ctksMt{y$xfThn$07&JJTlJ4CQ! zvsbbX?0Rpo&dj&=u{CQ(L5wo=C!cAH4_rFm9KXR5c-1Pjm+Y@4b_N6g11HO#J-5HB zsgFh?SsUGxtW-TnEWNoqhs7yPLz)x7ewErMA1R&Yt6c^B+SFH4t+R4vY3HhB6{`8s zTa4m@Qqqc)RO?t^}6#vTVEE9=aGsjJ+ZVqiu0lEB-Wm3u&vlf6bn>=j3Jq9o-8TZrD{ zYD5!Brrn68U2i4Mh)jX4VX=iZ+8~eS4q}>_wsl@Xs^v=V(TtW#z5?f#nF&~(ZJIM%~KnuDYI+gGFHg}MB=?|DCs zB6w80f3pP%V*vxNAyB~fvYv(m&EGQ~Akn@fZp?UB{pBUL0z*$ zII#O&t}%#D3(38&tD8UegzZic+D6t8DW;^tZS7~8di&o~Jw{V*04YU>09!Y0UXUSE zmnEk6Y!>l_?0=xs-Bt{$PW-1YeIq~O!x+E@tY^MfG-#3yt3dv{QNjGUA$}AKWo9bx zs6f{rE%MWEK#N>lGg#QW=4j+iT=ii_+a14P*V$$+!Mk+pVuGH}lR4a_Nuq_sOw;|w zm`Xf8lsC~D3<=xIstHXq9D$F#^)~WnT$|UN@jHI?`#8v9GCtTkS?H6OFLi9Z`HD?T z8fV%50}CE|HDI65RQ_B}#J=gjaBILQUQd-P;|qKQ7$$`ChbR#~-l$qUqg+8|zLi(; zHgi5fD)TdvKiRGsryRtvzIOXb4ZpG<;6`{EeLm3|GpX`vs?vUQ!+AAvW{I%7smKx^ zzD1r8emMP*;}ft+s=Jeay8T9K#foZ-0LF!cfR^6=SVni=TOXY?v7Jm8&g(@;#_Xp8 z@1AG*SLzCs`wYqO3Y-+QX2t8;B#-8qoR)RQnQ8cR`LN#CKE(|ry;gJOW9Q4{)^i*(2027sHLx`C zTi%mIUfHw=31?IeBUbNK?5{1eVeQTy7eid3PDr5jT%ED0-umfqOTC6>peKrw=R2P~ zQV2HhvGr=co3%YDHKP5kANcTfDJG?JMc#>5;XV!JOs;Z_%F^vXDQMDU^k2Cxz_y8T zmB*?Zj&>S|3F(h(e}LEE(n3;daf9#)OvbnM>TzXx!WP!0e3|j+dy=Jh{x4F0jgpxf zo5HYq{X%mK6Q?lnfYi>j(qMh~oTrF92;a8$I0G(wFX?T0R=y5pjAMT;O`)*m6TDJN@|1NClt;hrJg&D5DuuPtl=92ogoS?R28O{uRU1&kZ`nfRj2cjs^?AO(6 z*16JLwk-L$U}r-`YIzs>)NZ?c3J+=%$T)VL!>K71SZXRn5MG7Pwr#Ri$5J*i5B^DBGS@j$Q z4|<-}zUJgZx|BvPsTb^;WG-kQ0<9|g)pnsxmhF#fK(EUdR<+yzEte+P!vwzd znBBHf`BJy#SAmK>+ny`oCSFC)GDr5g8oHrVUY!bwFp`l(!K=hixk0Eq;W{WtNS;%eLX;gX2x@5T6Bq|M$IN!GVf)0VpWHM;cB4WtFAz-!H4n{_&J_D^8*&Wt;@Q}GuT-)1sD%Se+dvZDS5`cy1G(98t<_G5n2;lW~< znD9Vz|z}`YQN9~{{sR}SgzP;Sj;OGNj ze^2mJ@-OBPF4^vhl*DOjduzW8mbopzBLzqwmZJyrq|qZ>GOpY#Qvs(zIlQ$6AK6WI zbLx3N=sb8F5h3(P4PEU*xNpb`f)ao+er|t5rhxum(LIz(MEmPCDeU#vr5jb-WdvZX z@YO!l>^8p5(35yaZr-|rb@ug?xT_D^^n3>AMydH5&;5lm-CDx*D`XH@tu{SAG7TWVMvqm4-fq~g)w(|P|yx>&ZJkstYW{}&D 
zqAL2-gb;B)XPdT0=iNnl9snqv!-@AJXA1;*dZ`f@5GKhWq{ffmTslfyX)(%4v!OMRN+yZc<#g8FJNhzT8 z{MPwVcDKElN6%1+W<30KGEMXce)4l(b|3u`j$PEZ#$__8n4C&dm6U#?p3vO` zpeyOO{hwe1n6w-H({p}sG3KM6PD)slsz6z|wi>~zLD{ad07`o$r~aBYx}sm}JrT=w zq9Qa@YL#Amq*Mso`fjN@e2QafTrbTiX9h$5+ToB^{-Z4fw_j8B1^2xCyVMEQbI>DE zIRw{m-$u*hiTL`2|LrnA1eDLdF;`NPCR!rz=i29-&$!`M)Op|Ym8ZA+#q1MZqvmSZcZJfj+LQsFDtE=Oi+)|Y^tVp7mdyp-IwYzeu{Ne2 z8osExsiYwvgViq3BmBa*<7bH#5I4c!!<8QsYq{CgVX#Wj41)4hT(X8!@WwBo*%epo ztpEpp2z%^*JWGXFxTu2=;8v>1-l!`Q-eanjZMxF?-T_Y##J70c1YO$j1Z`#=D|QWe zZzENUMk*|2!|VR*ZLf%4sy>shS54)Ih7+H4bwy&}Ke)$u`BL$tC%(VF`oK$%!uziC zezRRlug0Sq_kcDbMMeWBZ`ns-(?`(E`ZW!@=wLa1`x#m5Eh~mTcj$%Z9U7x9hN(So zRho2Fd*r=^$+`}zx-;B5YNbhDhRfyww)`Y9#>xd5RvoiaZDZ!fdmCPJ4fHYDS9g2j zt7sfPRJeWM!w~jZqd|zBYVD)xISE)e*p?IYv+A0urXv<*1pn~<=X~6`4|z6hm$AVW z94_fTybnwmz+zvMmIlS5UQcvqGFNrY|5hV*^?_x)8yicHkiMLgquP1zC}Mb@NK=EF zMM_xei;r@?@2}ZP>>7`fmN!LgSGw;<$1I94i}q(Q*NucZc{jM9c(i=IZ>EO02SLr& zU=ud(?Uk0x=2|3taTHQ%f<(Uho9%+d@ksD?{I!We4EwCvd>dX~$wazOD@o{*LP=#%QP!JRMSrseg@@0GjVYXXR@FQm8r*gNh z?o4QV z-smoyBdzp&w&JTtF{AW$#`L=SOj1dXSJ^;i6Py+Jgu!-}qmm+&512oGLpaxQf_1-0 zc|W6p`i&~HTQUk)Uc`dEK;vAx10(qvpuoh&!04D|A%FHmz`8l-ECdl;$!Sp; z%861@$+J`dY7)U^b{7vFGkU-NBu2#&b?B?zj*v9oS7kB}YM=IMa~j@H2paXzL+>O3 zFB=&$Xik(EO_V6R{nDh%lPPuu5zX1}#j2UwJoNvZ6)WwP*JWN)<{TO(w?R@1cJeOV z`Yby2M2rkAig=3<7iY9Xf!^`+)B~WvPKc2b`{1j9OS0M9-W}Da26AO;3rEUEayhVx z`6Mm2YSDjmF6M>uj~LPqBo*_{7B&`X=0M`%Xru_prt*rGp$y-UWxes9exXJBGon@Z z1pD{rBDGKjAy9LYr1)F2auIe`bpdrf0WWrwu~~pK-sC1=O%rw)UggrzG(@86Y$#`9 z%oRV@)D&F1UR><8Hn89HN~ioLuM~OfAl~vqL*fAHkw5BDizUwN=EJ0qC@8NTePrcu z0n&ZD*POQDR#*mBY01O56%t;Z{itHyByAkgD-hTued@Wb_4Uoy#w0`SdLDipv`M4~ ze-YGJsR-DMivR9~JSF|T{X7E{S9-G^l^#wF`9?b6B~PQQ<+^g~iM1OQ7Ih(+bC#DH zaK56t339U)J)Bp3I0*_#dJ`*eG0D3+bhsKd7c=4NB{>8NMnJ9y^e;a_{E${s5rhyrp#gc^V=D$ zr=An(p&>~*>}t{ezKHG}Es)n;GMGUzB3$u4A3eD!fRgZWcX(t5Gi{}D3~*f&%$V)) zcaB{k!-e$nzSbPc;#)I~$CMJ}l$HHPPwFNdnf*Tb@Mbq40@zz9{7{^!55sH*@Wadf zCGfe+jmHFJ`>gDl)29wzwzxHTrC%?u9AVt~> znXLW0aDNa`^8<I5N41A`6Bm46EcgYx7CE 
zOCLZpr?P{uQe)iHoS*-+0&|is#!IiP4ZqZP9G#F z&todO%!5U|NS_XvVrWksr%{X0*Nc*FGj4SY1qWF80hjtFiX(4hZ zpVyTu)lM`+D7N&A!2CD0J+-GfV zTYJ`Q>69!$5CBvDmmmPpE)Bv7XQzjGCRBSoPhE|;xSX0!_{R$CEeZ+FU_X%aCl;L~ zdhTOI2GrZA zCiE6ZWsKg7A{6?AL8ZF7o`oRmwnTx(c&Z$rlZcQuy@0&G-$t6r6gY94_~H>DrE=)u zgM#Nr0m#Oq=bwq$y#I~QrYPk!UAuKMu!uS{Uf6@jq{%wj@&JdEU*MV_HR zzmdgk*q+9hWqi)nmNC-SZV`&vz_r^oO0!8fieb-7fO8t@Zna{9_=;aV4~cdR3Wvg# zi>i6&zMwrR59FvyOG2Jh@KPMj|DbhtkiD*7sr5oLNqaBuV#n+Nl`mlO3$+a!N&~9VgR3y^!sP?hf!A^%yf%G2YOwLkQ$&S2;iDOV-Pe7)7)LXJIT)<&zQ{H|rXVv$~= zU6}4&*#3vw zG)i{WIh}FS7BaA#@l!6O4$ZQ8M~Ah%sa6Lei!m5ABWkO=Uk+6fjymDaqpicfOS!cDCCyuOzuDFaW)XR{G_4AmUIyZx~RNK=A^I>wX|J6K`T$H(|#IS%ea6{W0ftm=>6^3jM=O zc@C)xt@(^m&(aT)h&lzv^vd1qbMUut>k-zj@~h#SaZ5PmF{vY_s|?uVlhx2 zuB#?IQ#qFW;`4J`_IyAR=k@b!$mFGE*M2eF;8*PO&hYEpN_DuzmtDyexg;@{i!N}= z@w!}hJ^4VND&+s+F+C>2pO~wEn(f#|Q{F(coDqG%O+y;BC=bgD{&Cu(^QbnHLX8}_ zUT2I`iG4so&Z)-$#&vh-oXv$u(}dn^G~P9EBbxVsRthO#qfV%GI*}U1C<^16iE_1i zc_iZsqng5T4k={}Rtkx{$&uT_+sHu9st=^7k4nZ8yYJJw(@tX&^?u`HCN)x2GYa~E z_6fZanP2_QzWAPXA%BPsxwxjO{XEx`@CWaUFz}H|ni(=TWB@Evm9#a-#~CLBP^7Q544~ZmV?*Xb6JAM`A zB21~qlvZ~O_N%)b@jrP9pw%9;3Q~mEerm{sG1iM`DFl4&WGyo4Pms=x3tTZjP{}Zz zm{}iY;=>*{j|$JkHCU7OG7FR`t4%Ffb=I44f9MSBV@mmKUu&wZn)(Ub0|zelCPWU( zlnPv@`bRVSCFT`Cp(_XAb#Oqirr?&9Au$&ppn$jejGM30hlSf;&mX)IkUGQOem!LBi}3MWQk%Z(ymzUp=pPiby9p%L1XOE2{KGlbf1Uf_C&JE#W%!& zO&rHFP(qGprTZTuI>nW7US{^N#xy=6FO}t@{cN6md<4$=EG?*Afu>Zz2);$HidlUIB;7Q z-NK}x|I<^K;hHv*`F&TF1SO>?jF^*VTURr1jYMHsGmwNP<$NNCz%S*G;|o(f|@ z_0EMLvJw;r(_WH=def&44x^}8A!W}Dy^MC%u*tEpt&1!S8C0|HSS8aT5@-PF$OCZW zJHCzwB|fLvI9E7L<=~bO!BVlmn}^Bm-hgyAxIAAO3Kpf{l?Rx6K+2d9FpLePjA6io z@Ke(V0Ojj+?xJot^8e9jMtfidG$cb=EAP6_@16x=9R)Z!IODF^KYhAZQvtrCO)FD= zNw|iA{ag!3M1cOuDaA&?-2wY^5Qf0tp?x#_??c#v8=g`Ti`EYP>U!?*B1YU@dS+1^ zc-T$M2+g|^@Xhyj2S+7<6`e`?ubT*Rz@pg3vnr?C$-!Im00nYkZ+LgCN`4Hoc$5qu zABfH_pJ%{q@!Cd9GYJ4Idqp^qCNc55`PWe&nzEq; ziuD~mRqi5X>ZJ5!o5Ob*%Y$Q8NN`=^e!-ikAob-r!y=zkXjH>ZQoAhRjuyUU=urOM zm{bNHNR48fnbt1(dQbX>dHGA5#`aT5G)kB0IR 
zJzenbI~=<4h8)cYU)>k2-kV0|CwAjJT=;!^4q{`jwib)(60@|!vPpXn2wi#S=@B(u zMwsT|;TOlF${d}B_&Yuxr$JnIAIYdXu7|f^!w?Q}tv|0@V^D@fjvqg~$Y%rKpeBBW zOSw~?dHVea*nLPLRq^ZHnzj?=wsAwg7U@4`){lF;N}e}C2N*d`fa&kuHXzZsZupnW z00&C$ygkHkO?%e8$YqY~M5Dz~&m; zF;Z2`cUZRbrhHkK2?^yLrHh2um0@Dnr6zS1hHhq()2<}SWBiQXVC&L;Q<$5dtLbtQ zo9&*#e0M1p`##h}so=Q$5AhZb5Zo!r z7Y#L0?y5Y$qh*Qu0ok^4uB!L@)NXR+ji&w0Sc*1P}{deKgPhwZ@># zSNv0RkjC#@h{rgOCV2UQ(+-U2IOSxUN9J@j=k;ahQ`11w2uL4Va1qUz=QNNL-%aLM z+qDerwjOr7%yD~5nVAX20S;}f3;Lif9S$)1(v_0A`7DM8%`5L>4DIsWd>!~%0(canjviHiPuJ1iVkJ0C^hpC( zOPV%LYJ|V|(N~V$`>;Fz=tZXy0l6gfKd=V~?(EzDNUa|NUZ_c~J~^db?9S#rjm3^r zhsJqH3_RvtlV5WrMZTQfUeNq(RD~c3XPgg1l0^xqq)tHecRIG26Y}5W#~ErrPeno6 zqh2PeP>*^w=?JsW1578u+DMQ*{b2gkgMghei1G9`r8qVczf9p1}wla+(+WNB0YV3Kv+TB#jAa z{DwREXfZi!ePjg|ug@-GJ@E~Q1FlPbT(9h3?COFvd>S?Vd?%k9pC5K)ipzADq>7pHV&kkaRytR27-o%P&?XW9>;E_n5Z!kJ10!+v#z#=5y-# zMMQk7;eEE0gPMHw7(^Wh+rQWPbo=oD4guf_-BxnFWUFue{a1g_zVJ4Q|9~nbQRQ<( z{8RIPVT|^V0El6#s<4#zhgn=um*nxmjMRGQEQNhMnshtO0f{p!0-0KjBLmB-fK}8@ zym@p4u+0K{q<4^{xy$PFS^zzTM_9!e0v>35+H+;pwyiCG>DN{-eSx68k0G(-CVoD< zcv$hfkm6-ywGXbg=ABvm84t99b(Z^y-+=SSdUx;oRn_*%rz!UoW=dB#UoLr)Sst(L zKrX#I5VtkUO&T;tuZ3^$ z){sh^e2N%YYuy{0maEd@tTdt6fxOwpXaM9XnvK^^?}-EmnVJ26f(BJx$}NbXHu#Ch z4$|Y1*l!}IUF@$?JCxqbPk-TcwPXffxqU*_DEoaY@4r6VdKI!r2=TXJsCha6_j=&# z-+9GPE=?w_N`EYg9_lRO4f|HMfokSFU$Ro`o`cgjLNnK<*WYzIq3kj|8(#R`YS3Q` z)KC@K)iNMkXfB+ewb+(O{#et~Gj+nl(3HvQ;eQ7|Eze%PRn6o-j>DMy2p;gBVy~5> zyk7XdJN8EM;CqRK8Vdf0d!}v|3M|UdsRADpgfZ$UH3>+(QSjsjg1U!o5at{TU&DdlA90rv;8#g`Z=hD+-?u8Ii2mvph?okjPa># z<-(1hS$gj7(K!Dw2+V-(6F>~Ig&gP3#|z;k=(|$+ZIM+VPHdW$+D@TPg(l!)(BNII zLy3lc9?m^bH_y|;g2JB%nk>Btfccu|dSF;CUQ*snEnfe8zs2u=>gB~tEkqLlq5Yt8 z!!3RhBYu_ri!!cMvEjagN!mY-`cugzV;|n|ZhT7O`_!K!^xO;mT@0^$4 zqLcd$(>pd_*yhDB~)x;^1--0ic#b<&aP+zhYKM~ zS`52y-dtrN`Rl7^&5HNL@?*YyGD7>A+_frP1a$uUM{JdI_bPPIN2YNLW-J+^O2$lH zcgzB}St$8|pCrq}-MrU!7*i`8hYWQSU2k(=S`t!PW-p7?PIJd_|-%3ef+}NJ>tCl{n5Ti^_MZvHZifiWUQFE%m{n6maBl^$0lio zovbh9(AQ&lyY_S;4uqO%(yTAldH@%GpAF8Iz%wZn{#sB_(HSF;=vGLv8B-%Dd_JGd 
z_2PTt)quI!3>)PIY8ABmFhLE?ICt{gs(ik zjw-<39RLWu5*HTPvHboCE{U)K;BudR`K6wk+%p2}ziGY-OZXVOO0dBGdpkSjqJRx-Bh7OzEap!^C+~vi)M3|0S6X`t zO9%{+-$dC!T{)t6bbb18{(S_QCZ(3u~O zLq4rM0+gEk0zXowEKj#1qMvzy|04hVQTDX2K50k*4^&(8?UXqA($Ka71%dofN?Z=) z6N{ny``t(r$yiuZ{rBZ}`#*gqo9t@z_$1eNj#=0bqb{!M-#YL~v9-1=INStC`h*Nr zuq_-pcU=R!?vgACEM2%kQ*-bRItJ;2>zgWaQSvbyu?Xr0*f7atDdT>O9% z^2XA`patRR@HaW`&-$hvGhok$SIVqDDO!?tah1MLpM_?}%r;ryE4`?mG`J&Gi3&Xi z&=Ps}%$U6P8F%zlnr9yNz+Cs;6{cfaOg1i4doE)eI9GA%6X7f>#i(tg@nbDuSdS7? zo8`V$-No{(n5;cRC9uJ8WUe#Z#E#3cv)cvEsG>G$zx%!x_Y{oM)rPz1?cRx z<~4PB57aA6gw>VR&IWagecb@hzbDOO>G?IgR}F+{m|Ab*)t# zk@OKgm)~&wflm~8cP=+rn*r6JC|6@9K%Sg^z7w%u3h@1A{^4x@l+hCb+A=$x2|Ai? zzXyK#;HXf;z1D-TSg8f_8#h2iN$6Kfw3xSTWD>VqEy;nZk@7b1MyMEyQE|a9&3z0r z&0IcgAPk>zu#vy67bVo@nMazbzPlXrS(qRngVxQM(^~3#gK-YfsZwe8SKaJG+-I-O zT6HK(XAO?`@B{28AdA;6-;GUweG><7H(eS(zI2AZ38kgR01l{d+t&3Z>*V_U-<-bx z75eRofG$+%nom8-eOACJmCy;GeiF&U3!tN*Vxu@JrWD}%ziIV+*Qwu^Ip&&rv+*vc z0xd$2CSh42)q)W{dnGG|11+piNSd>;=(y7k0G&50e%uxC?rKi3X7ozQw3lw%bHcYt zW-0u18{T%lYGeHSAp5qjur-|nki%x*i^;g4YBK?B*XjS)c2NSNd^|j(KBq}~H1DVg zQXe#IH1ZO)2yMF)+TzsFu|%brP*jUFxDLN!2{94qIx2a=96j>9SrxPhxTI`zqEqqmKOJ%3q3_B42 zgKmG1%nv|QB0!X2DUN`0&8vCx6zSoA{5RnJCq}Y?%D0WI6Wkt0)jGo?SOZ3T_Mped z)?(B3!9&sjuV0Y-H;=WzonOBoM-ol7^lG^IG7CHD{N5Xi;#i!zhOm&lYXbY&F%#Ku z?(GRzl^aD+QO5nQ6@$TB$5Tk;w~Hp}Colj>%uV#<`Gd=J%Ij$l6bgXMcBb+{UTqsW zCeW+$SDO3he%fFFiY}U0_5UAxZxs+nm$eIH!5xCT1a~L6ySrQC?jg7Z8V@c3f;0pP z!QI_m1Hql(u78u6cjle%%ztxk&dqn#)m61?uk|e1Yunl$41QU84XPDm%tPS7Dr+*4 zn`X($^W)B^M^vS))Fe%+ZTk$>@>5Sv-txBIpsGRfAa7o-&l>K%!8{&V%F^4jum`#Sy! 
z64e9-c!wPavE{?|cV;IH!uk3EoeXKPo>l+g+ig^yS>uNMI-KD`c(hY|4gGLjrzLd?>*J&{yK&(cUppA4Gv3OKZ^tykNSe6mLW9xjoI+r|KXNJ9EuhBJWbM=@({;{M6=kr(` zVci=LNDUynsTjmu>ByAX+EGIPmm!ENuY6}|Go)}{@!{GPXR3Ve@Os($i?V^SS?2E~ z-K=hZVf9x~pG)Zso`?Rt?`*MUT~NO0$;1;?`qPk3XIufb)g<6^-H=*F(=5OpoMZ8b zsB6*#P+J~rW^DPBNfb1T#;?*2kS$uuammU6LjObibSNi@Hyk{D5O$~Uv*!9igSrR9 zU!*?R-p#RB7*+W9KeQG3d!PLjzMrn=Zn)NlN|j%e4mh|_*3znWyZUHouo7m{_U{#+ z|MblWL9P3<1CwPu{`dPun|2KF^Pz%2U494;x+AVKy<~r%22qq8af}PNoob`1&b$wq z8NEO7)IXv&xTS;xf+1%tA*Ie$>UA&-C?u?ee*KwQH+MG)@ zV|vorrWF_JT7_ts??x3nM}7|weOlfAs86kR@q@131M6RL-oH|?yoIuw zFHHccMjuwB%=GD_#)z>^yHc$dW&4x>RWbJQ6bX|vVaymm%DELAa((gpF=)lahR8&H zAs-7DupR%dSO;YtE#Q&av^I8m$qp({_HSJ1y`2F$6!QL-m`K`_Dzlx5x}F0Oul{5k{!`Ty3`|sVYnJ zc$VjN()ah^kp)Kt-^Y{ZbB@*9r$X)d*1rGJqKHE6PL)=pT+N764PE^Psj5@*#^Fqa z>f@(33Q)LF9oGq%*_2KzC2JO})X7cNOqFcZu$LRjL7_?$#fHg|b;rs_Xe*dH%Wjs} z_08*;%knvTp^AXQ;tz_>`O5oUGj$G-m?gJZKAp9cTQ^ZUQ@&a{)nUa`Y0mAZmrG+$ zqSp)^;AAbh{tvTG_jNBIsTD*(?{Kd zqb53katy1bRVxLoX^B!i+&d8nUJFny{l&8o=?X3pk|&8WW6Tlog2!Xe^U{{tTKT%l zfAuDX;CdzJwpaK$QMmbAWnDG6e*no{=D*9++E#YodZha#$bb>?>3>?B2o&XO=jUU# zopFv+xsjh=YqhlG8VLMZK)`Wkz#j35-#Mk@##j{dC*k#bXQ@Od_{;< zzDTl_FZ>wL`0eV$xVV11B2?M8ol4at+f>bpPe!jT)PE2h^cEb+*XJ^U$KbnYS3%%S zpY>k8PyN51LAIk(FfVsrPcR3IC$0AtPNvJh^I^s$1D!a3lCz6yyzM5RJ7pYyn%I>xnLyCMzFvGD{SKmMzS$A8y&Yt#3XGNAX3j@{EWj~6`M zRkX3Mc}{%5Ibplk_2eWZf&og<>fH*E+rf;BGth zX7h7)Rth+%0xw+~W)U73U}sx5b^=7e7qg{X4tS zzv>8pI(eRWpU~*PMkC~^ccowlwt92S+s2oNfPg&hfIZL+v~D{|TZqTJ@e3O^Uy4!n z;#K0)_m|N(3xvJ=QL<~{@LSz#XkNcA&aRZx|Gl>3U-G-5IXy-Tc*{P2LHZKjKQm_! 
z&Y#Q66cpF`Xeu-y;NSGZC5rSvIsa#P!;2f#{@CgDW0y&8p2h#UNSPtmMiC0rn+U4n zx$|T`j;ZY=1e~U|DQW5Z|J0U0{B_vC&*024SNap#Olna%yF#sAd9{Us#Tc*bCOHB8 zuVuh#ex%nj!CiaiN}Ur`t$^Dv%-@ApC1+CpwSwheT)uLkB%7O} z^OF3sv-+^2{gTs?E$#=wzdqD%~<(7 zk!V=h)L21L2M(qG65n5O{VN?oi5L+U zPxI}&D~wCNFtwxLS&E>11Tw9cdX^{cim2If-)^{BMQ8@P7YR9xgQ|9@zPV3~w0-}t5lIF;4z6yfRaeslH{6ID~k#6uuc zf4ODx-MEVj2$8!AG2XQQn3tRW=s~TnE8+XmfK!@)`$AO*4sdp1 zFuc1jcNJIcSBG{b?du@{>r>zH@Bh6`_dgtH5FE{EcKcQG$t^fY(>xz_;9)u7`jf?E>v{R*vbdvO-;CCbdo;KzHX;;$^h%B;>?f_S3Cwo(O z0GYe12l%O&jk}u)z*QW)0Kmx+;OI`qOU9xAaI^w{mYbJ@mxqi+%ElgC2>kn6N&;Z+ zWC0)(5<>hZ)!vXteoWp+{GYFbpy5!7cuzx+SPXcb*Tca71nk$l!f;Uycu%{)4~^zl zWcl~0zPL}x@<0FjTynWds+$7vT9)=7ll`ft`Ry`AgL<&)>9;-~BGj9pU=h(=GW1U! z0lqK&?IlQp&rgQ|FWN+iVI^cL=(O*B&Hs)o;DC4i8S0Mw<4f z1D>7@(DRqs5BMl={U>{|g-EPg=s~=H{n>50|0&sTQsEjPjN3&$+z8>jn$7ffnS?x%k0Hb=Vaqkmt*Tq4|KxOSD5VCBBFa~*@8Ey z_<8TO8;A!;Q62x+BL%u%Y%8cXUGRaSScz^0kJ5q`hSyidV?k^~jQQCdkgJS!X?c-@ z>1yC=VSK9>%z*FS?aJJ3S8Y1AdcN?(^{uugtB!wgcA~3I%X^b_LG@NW3+^UGEs9Q0 zgin0x#OMIyu&d(59X7t*?_s-3wOsQ=AwQdT8b@8ClM_yrt(S;aI$2c#`J(99p);7jr%@2U|5U9oY|AXPb8ZFKVNf(H+<$`eOf7XMpLgfQ zeEDgBE|xt;j{8x}3dTHMoFk4+LtNrdc%42?}U zUDY`kA?isMGiAEPwAFc~BhW1pUmedvQq%c%07~Bwz6MVa3(p|2mt#hC#MMwCVT!p* z#28l$m}Il4;s(CwT&{_?`!!t4{O%Gzkd)Evt{A1f(Lr5m%z?MXdQ=V0XJoh;u(N9u#bJASd$FO*a|hHXQO|88hidH8M1$i&03g)r^upWJfm;`U>A>WX`^{ViF2!*Ap5m}n zLQW{xWheN_trjyN@2OvjMT2;>fkb-Boz9Ix7`oyJ2laCjErh*PADY|eSWW(2H0bZ& ztogMdm6%#bV33DYX&^<-frc#WeYUXE$dnlSN&$4tylBO0%!? 
zh8M-B7aJD%oCuM-uUogk&Qz^)`9*Slg{I)WaIL<(e9KH0t+>UzCJn~s!(@CBrZH@7 zOQ_fP&4B*VmU-Ys#<{wS%CX0*lt|X`eC+=5)37iO2>Ut(KE>c|nnR1>4>LCMz4V4B zvgox3N$G*Tc_-i{jA&mM&nXoXzK<&>P|plb$s5pH5eLm3VkFC7s!+-q(AqJaV$m>T zmtfdRL+M#UQL@HbFo7aqY<;R^)C(BYK!C~x$#e=W9m18>Jh@`5TG^(f8h$7@17q$y zhuSEK+88e8-$etM2No_ zNds=ysXdOqo8}is-CCVQ7Pqt$U)lWT=L5 z2u~H2UQUf?(l{USETSpQ&^A{4DV>@5?eMXWB-Br)T;ZY-n0qz~AXtmDEORqDu{AY8 z0JfB9cFE{m2*uz}h%(I+Wq)L-LJK_$gkdH7DqQ+n1WJ-k5?jFyebn?1SMd5^uEdn$ zEgC){0-Fa${uGfR3rPkSq0Q&19)a;8hZ1FzM3$?b7%>AT=?_%TJj=hu1OO)q(5_YT zhI{g>kmv1G58Z!X^nLa}hsc4h+>FxX^fENCp=;Lqxk$*_1cP2>nxl zKx*?U23$aN8&(k}uooMHY*d^*jtJy!Rk3WOzzTJxBs$mP2YC%yv84PSz+imF_+2w&sH-($ zw~O@_{5;(N7>unS!&Ei zUQ_ZC*N}IisM~MVFUdLepY1`#CG1Q{`dmZUrWgs0ECE1zc`V7H7P2bHH4DmCvRjH$ zOa#M%8g$)sgwP35BQ{Aikqf}M6|m%luz=S6oc4W>_%@x3tlA$OWN)`7 zxiCA3!jjWP@OsUFtU??+W7fbDh2h}v7CSzcALafZ)4$i|Ali#87Sh64F&c1DY4NjtQkb+XIp85|(+}xry@A zG7#0Twl9hoMHhTJlFs+%{cNnz3RNvIbl(V0zPcti5b>#o4=B_Sxx3mBAedxtfPq7g z?ZqZ{w;au!#TExk6xfwY%Q%F+$Qg63vM6T|o%=@xka-ueV_;a-KY)b;F<=IS;JvUM zwF5%d$M1%%GbG^vfWE*!pJHEXW=XXqa&|1HH<`XZQc!879XXW457$iEk;4gC2#Vhk z->SP)@>SDqIFWmm`hMdBv!Z<$AeF4WtWKpsIe5P4LHC&ga#-_=YY2#N&4s{`rh8OD zds`%FXTqw57?UEMxFRGdic(!jfet2bDLM&hxkQXCp$yls)!oTCz%y7Na1fw`C7qs^ z_)(`%c(eVCQ{j|aMH-)iW0HCeyf!)k0u_rOmzg6-$r<<$$}H8BY;@~`@)agWg{Wwj zctnfHU0Fi7htSg_nV}oWYa?KsBL>JE(h=Od)DP}`KxzEZGd27$>1Ks7DaGL7x%?-2V(iiYP_nJ`#&tKgV)qg z1MFYKiqj}U$I3o%yt2`i0%k);LgRQ`^$mU=Z91-`MTyYnpd=)oX1a`XzQq*=xDNEM zWxsnjm`0$7l{A`T?-2+6;t7L34jp}$oR zJxgcv5>kI8(#1|3jp)Rsqesk{Y?5l{R++&!+}MEm<6-_dKCp-3)6}$t5+norB?wOA zYx`F*3gt_s=PAn=`#;)UNq!NEOig9s%DK2XS2-$GrE2msqc{(UWdsgVP#NLLQVHSP z8Y)aeZy3CmBoWup1k+e}iH>}PKJiU@4ZO|dRRi91EvOgDKzuBaut-f8A(iRH_Jbcy z5l(#7v(-GXp5bB@;2nUmR{14qDfL=H5(>XegDOxIpDi8mZX!yJO_D{z4P(Rt2sWWg z3pdD9kD*Erw5%9)uOCjq?>6NOD7+w^2dh#drg^_mekIbD(FDUM9Ndfjgf}X|76-0~ zu`5dz6cInI$i56#HAk1!3@kvzh(sz7;MGb2d4z+Wdf{flm%^xYOs%@u1UKHNb+?;) zSvOKi%^cT`5|&cq@)q0*<2~w`IKAtIKPb3sq^l4vRA1_~yfpuuvtibGRHj1}{^ijH 
zA1vx1^?x=creMKERRNOd@~Aw}sc+xy&5$1jC;stp!RtrGdQ^eL%L#+v63`m|Y^_Ye zEFzr^Sblp-rSB>A2itT^z=L1vgvosbChibHsCnK8GXZy7S_q>8Z0junj#^^igSP>F0wT8^(qX9QbVd@hq6fsDQ%_FsHR!1XdV6|VnpfY1ukKyA7rWk6VAG`Bt$dQ_dY?+Yj9$A zuw$`CD0-?Xu;JH;zmd)`!%J5ML;4z}cC*IjrHCbJ)2RSo1N8jdQH9Ib0DTlW7l)>+ zv}6Q^5y#K!pNd@$);Ie=avIh*soBSwxzm9J2JrhZ;d^gCkWZi#OR-SV!GIpYb*WtD z6p*b9n**6Zuh*Ad8DeC;DK_b37#Eqr?r3PZnYUY&I3)S^fXT~1e%WgPIi7l^jVU8X z5FR0`B3m!S4-oa2DKLoK1D;rEVyQ2FNn4^G4e%SP&eZJ2FwP~1uJ*v9IY8U6l>W{CP`GBd7vxVDZK?VWCq2u(TH{Fm?Pn}O z$|yS>OQ;Y9hqd7kU^oY06|$zGq*6W`f&kFJP1lCK#0VZa)s{Q-3?S}gIzBJ3K-2|k z$^?IllRZ3bjbls`{y_q6a6&1$s?#V60R?%)Ta>RIrDDFf*U7pAF_((y_nPY&N)_Bx zMM|09xs5f?sUp+>!wM$FgHd$h6x{ev8lYPtty2rG=c?d-in%UfaI3VF+H1$&s~4Ch zU{f{ZtJ|3H~WqcTB|V-6u}o*pv*lWWYsqIHPDs6^8tz5M;pz9X0xD`|J-5uapSmu>F&2>Lpe7 z*^}|q@H*UPbW1dWoM`fLfRs@VwC@OojD&O8zp+FzK2aC45AUSI&3A%t&0znA6Hf{v zmmCLNSU@-sU<`+INj}&(kC1V_zBLH3#7U8YVh6mQUgOoXmD2=&i=YYy@(<`R@jIq} zSlsF4`kM5IaVVLK9|f;4UaavqBmqLeT$@C&vli?%+Giu@DpH!gvM7uai(deGeG6YC zQ>v%RRB_UufJjo-Bq>QljG0y>25_lWuM!|d zR)r167EB#YgsicV_`_mRCtJwO>sx<^Yt#B0ohBGm>j6v{M#9Sf1R_-J4~qz7qurm? 
z(g7DEA%|<=TeiUK5b~jp_`Kc!l%i#P#_L;uhl_}b>yH|P2Z#azlqq?Be*+>zW$2Z~ zzss7~V5mwI%r&b7KAzg80k`tsrHHJi{;CmwhbzAjqybnI$S0Ra|6$*w_8&lC$?3jo z#NTBdBCpF`Ot*vGX)rit3VYQ*2+a;celwI(Z03k0Z?R~!5r5O!j8e>CE6 zvi5MM8-@idNhdnML}t?MKc&baqxio{|G!GV_PXjLI_&fL^vS)+@i>dOrRduB{L9l}PSfO=S|1vV#na)-mv)Q-!a6zA6Q$Zj+_SPDg{Y0?qw=2&w8@)lb#r_|`_o zhLhoImHGS0=zVTLfHLYJQWtAt$sO{V%#dl6!j*nJ-s{YccKrhn+3ER>u-E-Lq5 zOELrcf^=f4!DFZI)C~kxWS-|EA`BD~2C++LeY`s4e%(9yeFQFjnXMQ`DEPoB2!L)= zoUn}3J$H(Uc+@9Z!KErh$?~=Fn%R2!vK0WNJ5Lvtm8%DTO$hw8uCoH^t=9?y3z{iC zKlmv}4!qQpk>*Iw#+7yOggKB1l^l@PX5P13s``nFfrzgluC7p@cT=y~ELp*`YKxZA zpn|2mG&8DGl81Xp!MtPdV8hNqM$qXGqJYX?VE4T+aVVwo%STZqp{Np;&C26M=YSH= zfU8rM{A{6-@ZAc?3*qop5FH2))q_Pkg9%9I6GSW_g7G009eS+k+g!EcB60I> zb=`c%X%$F!pkmqJ|5!Hn!qP{>$JuVILOYswzzsd|MB$n9%M3ipbt#@AQd#=E&$-<& zZ3cwNrPRT+2haQk9g2MZG@c}x?*yLeafzj9_pk62hdvjsmT2sS=PS>TCsK4je6zL6 z0-K`%9OF39)z&mX_bdj|N!9<>f<&kT&x1+28f;uiUwIWZN@wG!M~k&qvpDtiXXnurNJYbmfr(y4(-U<;yi-dzhQ-;5Mw0Ht+c zFL>VTJze+f5YjfS{>H(Sy(s=5h;ZZ}=2VK?JPe*?T_Pj+l7bl*MJLt$i=M0#3`Mz2 ztirPYJNr^v5MHDY+O=+)Or%%V!atqRw2PG>h-6x zbS~t^{jIu!8DfjVMfLr-DdZjL2g_{v_;a@D6?4GP(Qo&II(gAPAnOwZw<;$91b-Oy z)G=|A5nCkFFZvf3`OPpWnqKV0G_zWtlIOR9t<;BT?M&oJI}>Ma*$z@>3w~FtILGV< z7&`3F?|L`E2;(c7NKh~4rFE^Po^3Ik1{?TDN=FWw!mkOlQsww<4U1UqwMP+)yY+G?SFZ%4ozx3AJ6A8X# zkUrZJ3-TBBb&1~l(^OSuT&4Yeo3mSeHc9@iFIhHVS?$5NOZ16f3CHe63NV52g1iG~ zGgEpOH*VUgq#Ju#+YH~ZX1*KtQU%N;5(7xr8tRlZda)N36RL7b()G zXyq%?dWZ;}^eiV(a~{vyUux3^GIIC&*DW#2y2b3)!I*V9ql}kB5;<--IEL?JoHZ)Uw2}1^-C72D0vP}k*NH+I{w|UTQXTy*@%!6!m)1i zJJ>O_fMmXqb_?}lrz=+K6@~|z0gpg3%etyJ`i&cBv!2b7#hbtVH(JL@H4jp8rZthm zqYNOV0|}MSPw(bLAKkMq7Js8s9}J2H9y0Me3pO)xSM)b}am-W>`+XV4S>0jnTj%Zf z0R36Ov>D?KX6YwR$XB1i}?N4n-G~er@wn_X0Nj3^89p1cDqejhwLWT z0oK|c@rCm!g?CfeReR1xo3~k9`>A|p3oJxQigF#M@w@E{%h4^ z2hpN>d(!KNFU>(#)r9XMn}scXZqDuvC0Vtbdq5MNDZO}=%!p^2v0nR_GU`S1mh*Ln z41Lno`UaB(Nsc#FT>8RCKRFm>XLJJu_R*)y_25DjQ3)t;Od1^dP_-^4tT5xweviFx zkMMuY5NHcU_#O-~AL6*iKZg@2y>#2Kl;pka5W{QU(ceIsq3%IomJof0_iGtNOuWWA 
zf0UA0yFY@6s9bBOe7Gp&19fF+&}@0E_iSm*hdtTZhJIxXHU(J+5vd|UjoHKNI-!>c z%M+Rrv*-q+%C2e6S?E5gIOR~jIP67q&QtF;UBll-4)cwL3+KPex>wrFpBxWwn%`Mj z$bl)xocX4Q8zPJLN;w2s|0P2oW}GpB5(uf?s`_+ki%mqq0~4m<=O&M%4bEUfo$4y5Ie%&r;8g0K zZ4iiMg*L{BPP6OrH8q7$mw2`24cd4+ozi&3UL9L#ak73PAylr&bMbPvc`vA0;V^hN z^@rF+@0O-S{qC$C3)$@-x6Pjt@qe7>Fc5k4VolluS98hDAjjT_XuP2&;fZWMt1kUCy771Kkoo{fq` zyfG8)8}dUy|7zy@IF{M>M?BW>gqkNXd9}rv9fbX#d-1q%!yZl^n(JB_9Vfz?)v(Nz zKH5^mx=f<*E4u}m^dHV1aKCs4__k?>tsIkIG_0Q78Fi07Z#S$~>PB84IQxDL(v3l* zJ8Ul6JOi*?wCD-Ad=NbvX#FWHCs_Y6<0Q&fXz|K_+)G^H*~du^nkhDy+!n$vHl>}K zq&~1qRy2@Mwf;T%91b;!vJ;q_78jf{xSIsbxaRjEsaQWbvRDJ}e*6M-+T4EoE%`N$ zY+_+Z2lw|BUrV)%H@<|M$0RN(CXPX z{NP%-MzLAvRV&-$>|>!5J^z_)dlzN1xWf5BEjauX(#YYufAcFO(iW%R=<#Xz(~)wE zLS1)0Ax}r-an9tOPh4^fu9&s7MYdG)rs_523P~K*8nC!@6AR4+f)!IXzHHrK-4wzn z6PUZkCL*KxC3a$YQXW`Dic*z?nH_AJ_r3>J-X3e$|3zVKHb*Wd3<$L`2zZfP?pC9aEBiN{jPL4J>U zS;tv6<%aR;ob5x_ZFi2tkLjdt@k%l zJT)~LZY7MLBq_}b2{p;^iCkoO!$+x3tB#CBA@}u1#B>}K9=+0`<7%t-(GLhvM5vuc z-<^=k4%bv}T5Jy>ak#SYim#EQyJ8q|$V z1Y!jYr-{}4XftO4qHxS`D>2fB)=7rrar3sHU)WQbY|p%l43&o+nP!ZZxNmyxL={dL zYFkB57j2z|y)fex)wffBhDZu_&`oBTA||AN$7D9-p|?ehx49pU>~k|p!I)QjcjNF) zu_GJ{KjdmIwx8h_3UrNb)Ur@f=f3Z$THcQqRgT`vLh?Ouf|ilit{QK44xd<+Lz^j8 zM^$f&J!zH_Y($}@BGKIU!aSDzs%xO1D+i}LOnFw>tBif82H16D2jVS_nloH58$l&a z1qtoE`z{fdfr4~K?eoy7C_W8$f%xn~o5;$bHTSN`Ht_lKqykcftTcL&Hy&+V$~+>a z-5?3gx#jKh!Cr3>Wu69tE?r7-LrsSKUj?Q%_Q>!AUC=tP0!)y@kb&;T;urG|za8VQ zK_rJl8YiT)Kc6GrI~@7Ew;qW5B%Lbo;+H?WHfbLCWHy;4LA=D3D7s2~ z6JpI+179X88e}-f-4?sz`Yqp0TnaF3?N`3@WfSLi)R_67u@$bK$%I_z7Q z)$<}*T8)o3oKTu5mjY)dT5)Aoy3y-Rv;^AclPVeq73|&!gP@h-XLmDoQ;Yl#SeT>m zXkLU=oxnMpTvg)ka7y@H%MnM!L_v-)o6|^(y*z^??2dg@Cqw2MjcJs}lI!s-4|e35 z2;>E4<)qIATjURo6Kr>D^m^pQj7$sDK}%-X%$e&djJ1rnAzt{&YX%Rvw59VAA}5|C zGqOBFHD>c}ltT=Jk#6h8`UH9HyBJ}eF6<~IdJ*O*9$%5u%YQCZGcpk;G`3cLe5+NG z2PBH~FesEp)QIwgqS+{@g9OOQeDX6Dcz_^-p`)0_;3esnZBXZ6s3VV($~PE8oYOjk z-Pwpd*D=Am1&f9Q7WCe=VN|me?uYx)i~~`5lsKIUr2ve@LH-PcXve!ZG<;-KGP@8= zF-fPCbPXGn3a~hNhfH6VMOV(c0oG`i)n&Y@Jtd&uqqP{n^#Y36!pk%Vpz_pfJnm$+ 
zwCtxY`5!VP2Yl-xET)1bF*hnrV6=M;A>B>5W=MV1`p+7a!gUkO#L?%oNfFpJr05zx z3q?*yyfZct=!>-$%3vM}REpmSJ~#&LN0ecRHW8dnH2j!rr7{>|S%J_>5nVOQ4|-5) zPeuWevshcNxUGw4@E0hg;^B`0#F=+!3y7yQtxTt27gf224L!u*$USBhF*HGs2-k=_ zu<>r&`Aj78BxaCHiHH!iP)rGrXicTZ)At6cDC|-wKXu(dKSwpGp7y!ca>^&8N+d@v z5XP&>Nn=cz6Lru^;}Owx3zQRJBB373-BWaf9pNuzUf=a4sHeoZ9lbXt17{7~<+VYH zdN^ot6J|Xb5oykJI;1Mo=G!pXKd!tP9bzjh%?PWqTonvNCp-<5VSPVE3;>XXNeIW) zz3@~}Vsz5sX(xZ62_K!=L`TEej4<4?AUfiq%C1ggh)SssY@$Mg&yR|?h-Jl3oznNw z7m#96`~7V(N^jUA=8?Qkby_gJ2QN@FHsj{nuq{-nM%VCt1Jd?dwnsn2TuJ(r^{OVp z?!qNq9t!tX7;8&#?d(QL19xn{2m3>mUxh zx2WK)vxv4}pg?>o=$hdm8E!frBKZ;-hw|9SU-3}#{ce0z#+d@?r4MmYwDY>KtgEi{cyDO10b?1$7KgD zst+nsjLZ^N&$NBSQ&1kyuC+y3G~?k9fl!zYuioV~OU@x}Gf9XSe$-!`;{a%3tvZlUvAtWWcF3@(#8 z$eKXF-JOJV5W6W{_-$St=9_`E!g}}3$r_cG6eEx3SZ^Y=(S0Ce=@~~1+lW~hPmgxk zM`lvo8NwD$0avo@JKeb*h%XSsT+T!=4LLPjl_PyvXsFCXUpZ_D@z2>5#VkP1g;^X? z+Wdn@VY?ji(fw5`1IR`SPrehAAB(NL!$k^$iEXH$PQ>01yO{Vhma;L*E~PzY%ptvt zWo!t_Z9Kb47OAZ{=F=xeDzp8H3tgSEuohAz*pHvWAg^5DR~uak2zyHLiO$@LQl^ zTX`KExC&PM>dO>I0Rq`yBo@ExDM>yJC4Jv3))D^FhXx()q#r$#~WM6|Y0 z-`eL3R$@qoE-@S=`E@Ro2jwRwk3EwqSo|Gycy3NbewCMyZnq-;yFb?PynK{1DOtB#Ula$3M&W)qhBRLOy;*~%|&Cy;`Nsx0f*ZwL9UoMT%K5MhJLjr0YC$*;NxI8pn7ILp9jKaqm9QQ|W`;oic zvWgv2>nEQq`^`$_a8){-SnCX!B&UOEDq)goYmY(2?y< zedaTYwHg2g0ued|O?tVvrjHEZn1GfOFXN22;Oq3tGX1+8I7rlU1ME#f6&N!_Cpc9alz-tT$Uga6z$U->CMZC?lNSMi{*qFyu9EgosB15;zfuU? 
zr)n)KVe1+cD;!c1Q$I~dMt@z6=&28C#U%E#@yY8ub|k>a=ej`QCX9=btl{hz4gBeK zGc!~WPEhxZQ!6be1|5n^|7{<}<(FCRzxl zN`G;u-j)bGV;M?$Lmd-5k-)}P^hKIoSw_65SrtW!v~gK!1?RADm$Rm%*vv{mi&8Z{ z-G%55ExjTSE)c^Z0c)Z}vt?KMU}TK%tu_;5M@}!d1>bfciNiWV6p8=K57!;uVL+6g z0BDGdKV=4P78LZuF<(F_L7<4|)CBWc7FL&rYe9+pFbGn+wb+`h|U4f0%94f5!W01QN8x|=3KzbFLc zzMz3{uM-Km$<#Z1wc|_9eRziHkjJs0LcR2HbYfR#E|Sv9M3PDC%`)MJN@G(<^ls6z zxxtB0kc0p2XYP0HnA$cuT&uQyZr0a#?}8Vmns%FP%!R%>7g??PY`BPjKN!3YB4Y-H zA%DLq00!9@+d?C&u`Vzium$2Rp$e1aa}86$Yf?2hw0n&;Z?f$PvklM2%v@4%s=qao z#CuV*(W8OEMqEdM?T1H2Tg|hv-gB?7D?wF4f;x)!yH_%I2%@L=vM^_Uul5$N=AIi( zC|jDt$23{%z`cuL)L0kdebhqM3pIKFUQk-`#@*8#um4BhL(hF3VNrUmzk&I{Mw!|~c|dh&!HgFX z40`b@TUWEt8p?-^o&rVokt9j z1uZGXRg%LAQLDthem8`Jv~&5DAx@9DzRM-b2!{UXaB`Xo#`wumky`%+va#w?57^e? z9j#S}>X!H^CZyy-R0u9+LU%$G=E8AXo-olkvJ{A>mUN>SXrBSy&GXHaxo}=<&`Z(yKMvaAb{N?TG3c>`?O-5#JX_mC9ENfp~vbcfvV` zQ*8E80K~*d`e4;Wy4hon><8Zp-SxvLB?S7}chNlXzHiu?GroJ;o*S|i<^-uA&bRpE zdo6qM6m?WN$*sCG6Kv48kw$wqS`u^5o+n~k_2Itx)#Gb#%fR~B@Bg(*8ToKduf(oV(GpG8 ze)-vs#Br*6OW@+ynmHqHtWW!w!optXbSBo-45QOW{{@4b%Z*5C73%xcHUo6B%M8WP zlo}-|`30XV80C3*5J{u2wUHfd^)Eqb9!2yYobk`ztnk_x zd9Zk^H}tx6yl?Y3+&PJ8aim%|(ht@0a@MK5{)x>v%mkNIBf9!qg>Q|R3hZ!Td(E$& znTe-z%WS;wV?02j8JYBtf{{GS`qRf^ZEh5VeT-4sH|Xi6`%H!b!J#0`$AoAeWSW|D z?qQ(%_gI1`qX2e%5O+54x%a3q_gkBglI2|QH2c*S+cq6dEI{x#du`Y0Z*Ip0*@_`f zV}I7RFB`2oKW{(7;-gH}dP$lV z`1kW$QqL664-X|;Nt$hZt9YP~zM^Bo-*ZNH->!G<*?Hb%&Q|;6eWZrk!rff_l)A~$ z#@p&Q>yq0CfpCkt#IU0DL!guyC3EPu1f>-b>Zs>u+q91Ua+~dLgZ3&Rr9;j(;b$H= z2w7<5%ui8Qu|oO#$eK>hilC3)fCtqsEbi||4qXg7mrSb5qB!9379&2}ixQq`vTaL2 z*F`fOfnP$TfHLt~>ISZkh6WDB7s#A5_5Rt-;WLC)mv$~#D%6K$_u;(#(N#zGPlXlk z2k)0gv`c=LYk$IRTQsk-{r`A6%b>WHrUB#b?(P;AO>lR2C$P8^Y|-Ej3&AzGYtY~X zS=`;-H9(L+?zg%3tM?C8P{lc?XS!#)r=RZGThrlf0j%+>*$58H^>zUN>GJ^2ogB%2 zPW0@SrjN|fyuH3Uah~o840M-I=0|p~pR~6s5+rdHF7f&%|180L@+fpBgmNnO%p$d1 zhAzx!sNVE9MPQxk^D^^&G9P;zCo7shyJswXQm9$7$Aipv-y4uTr{2ZdvZ z#C&ATFy0-O>+FIFm8=K`Dv)Gw9%$Xi54N?h7C+x1A&OrS`VXm~T!h|fo%r2-_oZr% 
z;dU5eFFksVT}f$zV8}W%ikmr(_sLDxgK{!-v24@O(4$)7kx>9T#m%@P!*{|1eeL_OxjaATlf?rB; z0FD1XePgvbhjfU@90JWRf!m--Gg9serlP@pCyhjW0zR1-*!@1nE1JH^hV?8hr&}*4 z&AnTYvDG;VbnJ&nhGY}kWVlWKzOkM6MSwS!vnP>L35CQJIu^ViGgW1{G5GQ{{gvD` z_b+jwV+XPfUSIcebZ8t}ZiK#S-&u3d9SNf;1|>2?@AJYJ1Cs@iKLT{(^GSBn+Y z+7L;p{-6Y9*b_l3qGtI(@5^O8fdj|0^b!|qlmz$|-o?Tjz=!nXUx^5Ehe+l- zD>9+PF4Mn{+DC%LlKUv`;b-hr?Erb`-ogr8^mG;RE&(I+YyM|4b}$*vlEWi-KQ}sj z^39zc=YdZC=Z5Upj3*ouqa&8_w_Ily)4Xu!_SKDvr__@fkxIe`& z+V-yT$dszRQVGb{~XBVE=t|D(Hfqsy%y)L=Bzn^NU7z z0`V7Psk%g{K20MC4Z9h}9AFw4rw%pF*{;dd$O+rN7t3p*VBzpM!5hNjMUez;dDChb7_Q6TeO` z$*$GQNAU3bG9$t4+AIr}7d5QLgmQI_sn@K8MsX@c$7Ttyj-dDXRc&D|e$}E>4r>?N zRoLt1E?C!#zwgpadCkOW4m|^`6bHY_>igfj&4#KiLUz^4{jKt&Bei}PBP^$XGj-l| zKOgf|!svp|=ZaoyhF!dKaeh7?7`J{^!oM*~Uca-?n^@Ic86r&`)K!1%W9FlDaWIkw zHD->!YI4e>sy19Tdi{j81Db`C9(R3R*EVArhLkzEt#pCRkO&0WI^@khuNqFVs<&Sy zWUuQ-XQp`p-ypm9XLpk4N2bL=FEmj!)zdiM#SwYU*7f&kMfXmaiNc~6ZwEOurgH$y zDVimlLEF_e-4de@6DM=+QdJj)^SgufPscN92xR3&AO_LMF-pK6=3kl2WB#b z50C`6fHjF-D@blSsLM!HCoNnxTu16s4x@z2e2dsWQ4>7DH>yeevOK4#)*&B) z$W+5k;DueHG_XiH$#^Hrmnx)$V4rF_@4ZOlrb`l#Uurwp!Q%OdOqJ~?X2p2E=;MDW z4b#=Csva2Lqn1tq);GmFXSC}53#jZkg6t==@412!o;%QLRmW5H{rk}DBHQ`#{uJp6zWv8U=ro3 zBobkXrj%+9(uyeRcPCs*ub;MYU*6u_`$*EL{{ZB45&mRysF zw|BA1Sg0t>=xta+a$0yN4cf@KX`#N`k^wLwn2YiH@0)k zfJSHi)2!Gc|4C`!83s?xndBf{ii@$ak}hsf1P0GTy7^Q!JL8{9O>fh6q!3Q=LykCr zrD^IqqKLJ!2v)DG0N%$Z?ZeOz=e4Iz-mwzmOaRsw@fk?-$kf~%ZaKYkh$6!~_2TMk zx2`=+Cb@+!wYLfit+(ux)PE!yokVOb433#0@M_Mx(=SqZblCECZz$FhLMF*t2yLwo zT_mW3#s5^coOV$upH}IXNGd`GE#?6xw&AgkgCXam2)mO_#GaV5u}ea}iNtlb zqHTjf8aRpv5xw6q6JMTn4K`kJ%9~Pv>PfyO2C3z--~zS zRqRK}=p2+nbT)6DQcagzC3mX1pV*YAE527?wn}gK#@W@RuOoWS**tm%4EGQZdz3F# zyV?(3MH345Yj(P*2!e{Z-gN(p`!StcOvZ731Y^!dY;PZeV#WM$(3$6iwKJ~ z5p`~u+{#_(X>BB`E)H-%94>)(ed`dVYEqU`r?vgXV3a$Ug-S$ZFjD|VC;>Jha289T z@lh;}9rw|3|-I#;_UQD@#TzDX`Od^LvdT=aHB6z!A)1C5c< z*;++1#TOl|m~f_^KestVrE|lU_Vk?jeUBp)^?BRSD?EE#KZn~dJjp>cF@X1lM5fE0 z%<))T@-Lc{3rj?nN$tOBI*p%@LQ6b$xyBvB)FdIutSGB<_4h|`1E|lJ!F5xcSuMlRc=W7DQwNrL* 
zAPjcEWaoGBC5CcNAkS*Sk48l;8-g}Sak~FMp^euew}m|6_C5?bp=#Hd!%iyYNd*t| zrBt4s-+v$}V~pLWlg(7Ge|DHIwmzvvSLBDrett8UCd*D12g~XzADe5R}mo-2zW1Z7Tkh$UlkbEh73Gjm9;iK`phJJ#Xik*yG$EU3`7h z{>ie^RV9S&;;(s$-<%&LFInZ(19#Q#g4LvR;v3sgDTLQloLp3%cp`pEPij;MpY_aD zG^CpRlQ%~4@M(fyqhL5LNOE86RV3?5B5^2EQxq_q9r2!IGo-Ko$}s}xs%a+%!3z|U z=SQI0T60i_V$MqI%)UO~Dj94!Oko&rVN9x{`8d9#Y|XM~hfIKAn5MK27R#@EbEBD^ zy~)pidV;AraIj-}30eWFe^7p{*tt-Lq~L=ANkXCn-J^m2_~qZ7GORHrqmVn0?_=a> z;X~34^!A{K>cWA3zJzZ{8Sw7Zk~T|fnDgpkkvA}Ao2Ro;#D2Q{Zq;3HdgtyHiCsH}$g9);FA>_P=pMO7Gn))A*#WHw9x2v??d z3lc&!vDv2cWsojB3zMtIW?SZNW?^Prwj^lR+a-q!c`}~<>0Bt&_6HC$+v=B)nkk`+ zn!QvH+ygLuawQ=y>iN2tZGfuHu?dXCM^lv7iAoWtL$Z*LKf_=nTQEFZHW#3})6@59 zuFwow|0RS}YSaX!_ijJ>lzT(z4^(YFlqQ_y+&dBx=WJRa}+` zq1kz0p!x%g)rcoT<;yl6ir_W#>5Hm!_~qX@+jahT0So>FfzH`3X(&1PVNOrf6L!nI z_BfLSl)|oWrt|C>6M1vXqlSph|FB5LudhldIAT@B;qEg@j#lr>C^J`Tm0>;I_8_4w zNb8oOx}M%yZl^(yzf#$9e&R9K74hLOkU@I0U@KRF*&x1J$({Xz+=_AOa(h!f?19N( zcHPz~D#sP8rrC9Uts#CWEs1fja=VxD}_$Se<`STZ;8W;f_%iG`%SkZwux9&A5 zQtJk3>nsf{76E^|`w&ThWsI7p$>Oey|376`1*w$Yd(sH3pIV~4wj|WCAl!Uu($0Au z!Aqi{Fi{&SoYPGa#uAqs2y!llBTLT6`|6_9ecS$?;V)h)B1{Ag<|MVr!*5p>v85-$ zcGO?6j=c&F2RISS6aK&(Lap*aKLOGlV?-%5{Jo+8t$dAUGJ9wc*zR0!-HC^htcD<% zCguG0$FF-R3DKES|Fy$CKBHpyWmRomHYz|;oWZB4tUKxq(?7P6kc6}q*mF5US+&n@ zL*7QS$nK$eTTnqi))xP zSn#n?r3`V5pJ_gF2I?CgVRrGkjP4lZCe_7Xu`=Qn=86+lIIhzq2{HY#0Yn}b-5+3L zs`fQx7na@>Zir(3)MY}niinYsCI@3CpygR{weJe{Yn_y$s2DBUb8cEla?itSkSWkn zxb+rA;idIV7%~s681Pd~$n%+c6l!=XykbJ>DiT!*>PdA>C+_F^tps5@C0%0>8~+WY zSsQ!D^+N~?!OzUlITVz|FA1)X(??@$E7!>4E#SFn-meYqLEbw+p{5w}$d-?GE zq1Zr2T-#X2^Zs<&)6By_8YiF(TIaP}sjJrVUu)y18W=q*KK13E3SYnJ`(^_uB%&wD zLPE)%suvVTYUjg~s@9#i;*i$h9z>AN$+mY~EqkUnB@UM#nq<%{)qs@ngnXx)jn(!~ z*4w1hMwj08<8b+nrg$a_jc1=g@oY}8c~s_oSY%R~3v#NIU`pxJ>=4sX204vCQq3rZ z=IjdCs(ImMC_JUQN($uG%Pr10?Pv_Swt&d0dbqghv%e$_CNAlQUBTVbJbDg zLSs|J9i#k(0;V2!dxz+_n%Dc+8-;>=n7oszaLXd9H74z*szt0K z0>%@Oy^%%0-ade0fLDN>1)}_TRXa}W86!bRSdn;9&EhMhiC`%YXH%&?L@ z)?lTI%g4~7glhkvU!orpe)kto(*XrJbp*@B(8pfXr@wdDZ{$sqr2FnuSUA>k?1{ON 
z7FSg&oKes|U(W#hg#nA#%;8Ew-z83w+zPbHBea6`*bt$rep$J|AwPpd)t7mBHyaO$ zu3&@S1T^FR7!~w#g@UXwM=Y5t5>v{JO?|SZ&R2WTA0?$E7v zHwtFo_w@l;?^Nx9{P(b@BN0A$w)uX?oUZe{cB1SZBla!H8!}gnEjpi;Jd$^-hW^gX z%E(bGx=ns`QthZoZV0cpG862MhtJ%jai>*i8nx{|FSjId$@g`frtg|1dpXxDD)#|2 zb9uoUMTr*pJAMRP>4>XGeK_&LWK32E2b_l52(?K@rQr*6?yFwTGiV@Q~sP*I%CLMYe34D@MqLEP`rs*ZrYp7E#z6ylKu)7c-KVsR|W><1C!P=~buKJjp^Q7e-;EQK& zS1A&PJ5+WT_>&*(NrWdeUv8!G0VVj3^f~0hnbt}p$?Lyx--FQTnED4fy}eC&`swp$ zv5u2gKC1xZKYkC6LB6GtHeNdCspj`V{=VH8LJ~;>wO6K4^T&At(>+LYSv`k#RTmK{q@)6R$uI} zKn95SK8p$}A5LpnfOC$A^9}*3DF89_&{>?XsyjC#yIUxf zGAv5U`IaPM#zGeTF1th+uB0;|lXSmcG@4Lh7P~%G;M?~``goG-LSW)0{l%e*lqi+Y zs7&Q}45XqYf{gtJBz|$_0_IXrfc!E`gc#604We5$hCbF^N|Qfs<^P&C7@jeX;Xp@C zf^UTH4Ajw|=^vqWjP9$`)Q39K|2kzfrR8rnr=(`>2F{BP(>eC;dW}Zt^7CiVEh6I+ zFN$*>(x16A1&*)t-i(Wr8WQRva{4&FHN;Z&n?`JSIabXNh(w)5Ts~1G^8z%$7)5bO z=_eRzppX%gh!zh8dM#|0+N6(}$?L;jdTA0;^mJN5OZBs6w26{duLEz~#tL0|8T4ub z1uVmX^xa(YjH&M~hC79@OXM#!k&TbIj&>s?SSlR&0ONMXr{l87R)@W?iDJ_( zE&X1-0p&wKndny~kshfP#F3|fR1Ahvw}5k4*OoGA7ZFcoee^ntP&*!r4yU|QZ_{PD zvBW=<*65#uROm5<#2iF7G|^j=q8%qKk08;3Q>H8#!7`v*l0Y20{;;g>{;JyfqT}r0 zCx@7#cA`LW$jz3lg6 zxWkvw7hfsX+2sn?{9d=v3hEQub^jMMKrry-+KH$~gBZKG{tp z7}X{h(gyFh7yExiTaXhF)Rg~rm8qs4Vf87n46wZKo}qFRZQC3ud%kezLkC1qmWB5* zT0hJ07)b7f?;cX1_J8Ice)#k76n@o{l2KISbFaj3rwZ*&m9FIS@eW1kfrRjr$hT}1 zt4<}uIl0xI*60hbLler#e5iM|&EBEwwnmF-dH8#Kkdk2^9F%~|&-k@$t87XOEoi=N@oya8T&QCB2qw>a-=^*=@Tr zQ#f=axl&S3M9X;PTxaL;nma=5<0v>q;{ascMbfoK=n%Kmt>n_ktRRu$_^7BxnPTQy zyFs=uO4amoV)EA-9*jnLCovGvW=5b%tV~4@)Zr>bPhXLWMERsOB!L@n6B+FRO*F~C z)tsp*0rXB5y1a1Dr6tIe$Igh}vA~c@x^{F^gK@QY8Kn+%Vnu_g%bJCj!j#Ksvis6^ zQ}w~n*B6mFSdgJnlweIPopErLm^jK~{Fi-DFg9>wdLI@DEe2ci3Z-j`ov@Bu^YbcC zwDBV88;xFQ2Ds503i8&-W}mhwOMHPI-W~0Z#qq6mtfAWq6!U%iei zKaXW6v6ii-4Tk*P0s~97V3P@jjs)ZsGHQI4FUX)-lk=jP_`{_lGU~mT`-W~=&tm?M z6mvxlRPlnomn)br9L!YcZ8fP7(c;S_k^Y_d6$gPz%qG|YR5wHuNBbibJ;ro7E-k>Oa(;}ucHamf+YZSz+IF^NG+2ng~ywt+2Cxx2MKtFw^SDOg(M5UR60->D?z1 
z?*LPt+Q)-(e+8EbKpVi)b4+Uf4C$LfzM29N5Skm{6Yxm#Se!>Sj6{Mv$ZbX5d0!aZ1M1@Wc~FSg;b`ST9s^wg18CG=EBGiGdDa;1q7{N0 zWq0>=FPRt4Elw6d@X>ysq&sQ-)~A0rHSN!M`X@p_;M+gmaT)&Af*^#Ew`_J4YdsZW zSO2b3{NIeDWUUy-UAW*;{GRJax6q`pP;qSGF1VRNAc(fBD3`7^8l7c%4Hue(+;bIW zpCb~J$f{ooMlA~}i+W8w5_3P2Vj{>GCu+PUS>GxFW+twaf%RX2?;*$f2)dmpg#{8K zK@d|lvIPBWionX+ePeeA*M`J?hvumq&684oGjHYf#hmG+LO(X8MNwUr9H{M;Jw%eM z<>%{|$MEcK3`c9RA!}BXkI;goNdHwfmy^0~vHP2#hv1{P7{a13Dx03MR%pOt8ok{T zq#C&InTkzsMCNDM=V!0n`)&hIhd=q@U8>swVIk(CRvn@c;6%>iZU0ons~9EbPor-8 z+rEu|_#;m8>RK_#RRCWszgmBCwX5gGdU!MJl21zXk+DzsAZz|!m%x!k1%P>IBy9QL z`KA0?5t7D{@{2=;kQz2R24po~G%f+swNH^SzBTO(h8*3wN-PHwid>X0&GMa;Ro1J} z^IaDda{)txIM-WE39lqatM^BCFnc$&F|7l;$-;C`Q#%x-?QNL-v>Qc!Y_0!&Jh9|lj^QUfE(f~cBRq0G8NNQB6~nl|sHwRtGU^cjWCWcfqE1-z8&vzi zjh?vyLeHDXAC7CMEaplwpNPNjHGZ!9`aB;kWFIBfV6NpF+-fb6n`+y7l1<P#Q02Q?k0sj{{#_yk@Ie<=+LQmXXkb{d9ijXcizND zAa;BNnc?j44CMeuzb3zv|8kgGt~oU*iOAp#OW=>h1f#QYvEm14{V|k;XfCyk$DldFOa7Ob5QN6PF)$gRixtNI z3aS~_e$1BSLMy$Y@Wq-IKn@AVBLD%0GOHQ$i zD;>zt{l}!WJrfiVI9%H|L}Ix9>%E0xyr#**dwLw7863o&7+4pX&8zT#*@!qOYeB1; zfpagi`Bspn?I+iP8_o;;Zd!z?duSOoTHk3Onk~*wna8P0)&^0I{&P)2MgFl5+jrEp z!@r+}y0dIJWf!mSYuQmZkL{l~M3T~3LER_vFF?~4Ow*S)+m;3R&Uu3>=F9x^$w(M4 z`%~MCn>pLJ)v=6$CF8DtEFrGxnwA2ONASssE2;A)tt_|i5#PwBNfQA5J}?ex#%tC@ zK$WYa^hk%$p1+U9$Ej^ZfOU!7oJt*ao{i6G$!0JUI5^7~oR6c$W?}%M7X&q?bXm>? 
zTq%5(*}`FBD_n)r)r0$*Ht#zDN+NaZ@06!AH)I!Ediu`)O1RHSh43$GWIH4$(~}cO93Q{hqIn`h#?K8(#(m zqrb7F{Hs0O5UAvzMO-{XF<_1epo#$<&|LmMMc+c9pb)st2xn*NWPKuYgGl>(e56Sh z`aU`3liyNGXy!b(=#lU3+Jg*(NPu2yq z-k&PJLMa0<6jtAJ9NuUCqxNE#=>SL7aky7KK3Y%qz8Jv6Urwf0I4;MGg8P;BT^xYP zN7EL@=8Enwcsm%GK@ z^#T8fU(JnN&_a)&nt@$o%!x6G>oreJJE0?!yn$>RBJc6&GYs=UU4B(n#7akeCQEO> zdtNqn@H?50jYErm>}*5vS3I!mRimlMv^Ssj_T*bwW4`KZYD>i8WKeIfvlhvm1#^Qc z^FX1np3hIWVbXZ_u=GEF0wOZFZf;!Of(Zilw>XBK^1*hCH2t@pso)V%(Xt>sU#%2Q_prvtvH4 z+qN8o#xGC`Em1N!$D)mwaf;|^O%%ELp;GH>$uAGo*JHsQ}3 zqji32}8fS`MGF_EMAdRpiEpZiX21AJ;1~{GtEEely{A*plhl7B&8=03*o`N zgy+d*yJ8n_>Mdo6#GUJGL-%d%5cyv&uj@aP$F)VTxu|+(x|($Onh*}|oIJwX3K4mT{M57v4P2p~NVL7N;0bJBce(Ck za_>>EV@vqscComOBcT~SFMz^$y;W=Zq}JYbUNx5zIGOqa6}$*4c!LNfEH$=`9ihcV zqc3CBRy?F!N&Wbvp;#BJj$b2my6;|^WK+}}-T{Mv73n?NPb_xaBsEx_mssogp2rfl zmH94h*v!^-P%bH`%FHK|M87`s_tkaqL^)aFT*D`ymhWj-ZZ#6VUE3B5O6bCZ{v59q zjdmer3C4V``qh(Hs!ZEdEXN(tr9eXXgMK%WzRTbB_VyPB+y+Kx9&2(d=-3cX_Pvpp zf2Eq=QurcY6-K})GiO!puF%5XT27B15OjF3d!>6&rdSz!$;Vg`mHc4#F6syFX~WjL z3?+SJh?$3^gTfl83AE@4mQ~tU#Lh5B(D9eWXOC4nAu4#nh>a_0fAg5}frVcc_GrlK z{CfZ-t~Dp>%$$&YT#27&l@Re)xYkn}A%<M)xCMcXU+=63hwl5AV7;mrc)zrcMk#=KTEtWd%Ecs2YH4R8+jI5nsAar{a8`2> z_IEQ9zRGmXA7PR2$@?^`-i5KCxY^!2+sLfJxfpzayQ3g-ZE0KdW9UdO_*MO zx@)dd>`R8&rmRMFDl%Z!f0<${uVD}R%y15WYnFFEMu-G$9E+Aq&&qNODkVmk9LUc6 z%=%E!?VYEm@&iiO4Gsef-ZjyPW^;dJW~n#)Sl>qebRQ|3?_1T{ag1n1lVhvMM*=R4 zr9#4}o81`hBSYsT-iP5?sQ5@}e=39{j4HE41lHX)qQy9OCPQhm`WS6fL5ej9RAuGt z8wL`X?E(68t_y}bg6!Lxg*3&D@XuvD%#i(MtuQjRw};XQ5!y+;g|+FNLs~2Kym#AJ zgLjX(AA`DY(3uC+Vnh+(D5s0w!~T)F^4hBdJR3cgUQO!k)%YJ84P>n-E3zcsH`_bb z5bf=N=&z{WA=L1PX+gOm$B6_9b!cA|N>-f3UiyPo^w zmx3cE`P{FwBx@LUTS9hh5&$-t(9WV6Jn(ZQ56WuW`Pu+g0OpK6$T!t^+OhS$50}*} zs114%@{RziA`wugqhc|gsNbzC%QU9B^l)H3T7uQjF;*i?^6Ge*2B!TDy0j1ky7pVU zsCuH>i2v`n>PMn%#N=kqCdCl9|qW44@MJB z>(e=JSA+rzWmt9!GnBr680&U)>RKi;8}}hRlYL%pNciIBztDMFZ}<7;H~zNx`?8*D zYZu_h16F*7%U%FMDpLe^tgnmn*%~F-`E_xUDqg)TV>Wzs5O~jHjo?Vtq3P*2;&vx{ zk$Wik7snyk*^|y+)nMIf$6{%;{kE`Z>ud|5FRHmpr-?V 
zLV^&+$0MtnA3(#v=7?9Q$>>=0A1;gMh#tQQ2>a2e&hOgtC|@J((c-r;s6?qBX^M0e zta#a+@yUQ8Ea*DkE^Uo{`DaHXasK$`^pFgB5{r3^{jDbU19z^S3To}hNRvq`6qkb0 z@NSfr){&%czNVa&q-GYSpcCYb>KOR=>kpL`$clXxO6|S8Rlese>S#jh{1KcLg{87% z&sn9%2LWEF{$}VA&fjcsJ5bVTLL1JVbjDy|Lmwg|`ZVU;1ZPV(a51DYro(pav^*S!Tg?1yrs;< zR!w*mp1NPUOLjqEHc`%8;pXFf{UD9}8b_{87EyX4*j;lmDcB`rB=Z z1OPnLZ>=?_VBu3`*gt#j6Pw7?7zLg#th)b@%&;!wLp#?TKJng zxHzM)D~@iHeyJdnf$)8RR{f4Sk5gCW=+~n;A&C8fW2K=Hw94EGSg!FaniVU8*GqZA z3jnRM&F{Nodt&%h`-u)vmlhAr1BG{tV4z@S`W;XKmP^$}W^nvNWr%O|Ul zrtw>E@(X*Je}|IZ%+B8d5sWm;eNBqqaQf62gAuM+{p-ZF<98peyYp<@LeV$l)pQU? zlezR#0d9Q+dC%H>WB~eehhcM>~E~&GKO&>F2CB-#fm>*l;VTmtg$?4#KRqjJ>H=0divwo8&@q@6|PX) z35!pv>v1_%CcGv>IzN2%oE|&)zA^P|6XjE}8yMDVym?`sc(pw5^Lu$erFBwmsag;l zxr**#QQ5-Oq=nZszgdG2FC3`PqC58z-QFpVQ6`-ot+qj|5i?^L@(96|I zfI4tZyEbw)oOY#mn7qc&m0|C9h~GxI@FK0Ns`5I_4~8Tf{>U~CBIfsAn`(eOy~=b2 zbUsU&ziWENOYWA;sJ+cau;V?Qr^#(5dw9$&Z!B~m!H_=qTXLmD z)sl(HVUKA1COLoAjG+}Wg)CeWYfcSrrY@mss&#RQ zoS=WaQ`e-zT!RO4fTJ5P9=&Bw-EbE#q{kSx_R-Kywq0w{+*P7|ajJ}s5 z>f6Q#KNH%?&m%1M;1j&`M~o>i+`tj>r1k8UKI|1{Fx1&yno#}e=>7|}X@_36TCd|V^tETKV@oo9=G5)^JRVYUWM8WWx z>g$U5_068X+kRl~{&maZO)OB<09rW{1F;*INTrth30%f>xq-2QgYT9L;X)^G zChHUY6S2Irj0=7s*ycEgmc~E?Q;2)#9}`cfEcNgYl8uwuy9&OUiGE%oFdQ-8aqfaeMt* zRVL8>jd3?f-29h%rq0*<67(j7H7`$zf+c#=aZBYPjNSWy-!S#leuhO{-y=zFf(9g_ zi*z2w!qiI&XJ_6@1nt76(oH_Cj*xkO87CUpYurjNi+raR(TePCP}SC# zHZu}#8A0Yb^BzKhh0@Vedk3tirH{Pfo}ddagQ30;zlm}6tg$buA31SE4wPK2a7w027lJ>HYN&I%fEZPfPz zg~YAe)-I`hF%S(2QHTVkM#5}CHkt`JA69KKtIu3Y0j)@|bsxQt1w{*#dQp&<#IJq6 z+x2Tnt5c~ZuNN7P`(pn-!2w^qw#uUEXfuu&d|J16F3N;$cj&MZv*}HJJ^xatB>#R zKcZlMw}uNxQh~6WWNHoLotjzxk~98Z#Mc!1+lr~n4x2C9KZ)c)k`kSA$`D)fH7SBP zneQGNqecz`e@cu2Q3M=fjk{@u3j8Z(*;#IG01vpjtO&AAz{lAYt+RDTfJ8v)qL;H|Xt> z2oisU5!xa=c->8FV=oibY{doZAK?Nv^)X6gAVx$&coyzaGEHhD}&IBU!Ty2+KSzps+@W_ad|>uP?l}M%iQY z|0XUOEL`l$JJ2L+u)dz5Z%bG)g>qe|+$EzD{!g`CHv% z)zVEwPFTNZfbYYG`@%K7JouIqO8B91VsBZu* z#y5B-HI=U~`0M>t_b6dgEBi})AiuXUiw@_yKy-fAw6*0P=D)n^Cvo#R2q|zm1$)DJ 
zM!ZSLd&FI$-LJe0@3f5FYKEML1=M=F=4W-4n|U9Y*|6wG?wmb?0%&u#_6|VY^s_8A zOw41J7|XJ=TEx_thq!?c7WoNKJnOSApT<{%QXArUh#g4eNXC|qIXrSaQbr_n5eLmA z^}{`#t_TgtsVGSbHM?k6FKdZBEUdMsg!k?rD1?Z(;`?h*zxk_-^agKkjhJ!|#AzgF%6ZT{kd}K8ec}#-)r@^x1b5>dwi_ zs@=oLg`IiXR9zpT_u;U!^+LCJqetC#fa_;qm=Nse4^#tiQyrMhLM0>R z{iwD(@zhy0_C^p)gU8; zr|4FyIzO?EzOwJ-T7d{o({Ge7ADJ5W{`sWgizD$5!RPLZ7yd`Fdusiv{7?xPwDih| zVzt3jX#Pv%6v7CNr>12ew#A3zw(j*Ct-8tDHtksnIa9KE$Z{vZ#`}QUUv^>cB1mDP zIOqi-jv6ryXZeHd$joY<3Wk{)9#5YTRsE>=!u4t48z`gWY_?tvgwbDz)^ip@-i5Fw zF^b`5$jHCuKg|a+&4SQoPABQ4E?rV*tk)?LfP(d;dZ37tE=w=FxuSax4jUCtq2beOK5+<^KWb z{kle9fG+cv!bY4oR3QbuKeH;R)*s8+j4{o}h>}-0#Q3JolTYbVA#*I`|N<);RZ?^cyf!SutW z!I!Y)Du@dMA>0Y-9(+6vJG-Jb6B&jhqI>se4c>90-TN(8M*iVO@}Y-_iSJLn)62yWzWZYpNo!a7xIqY#F?iMY9Cp0bm^C2%=FX+7t+IY2lmk_ z^y(1U%E27d1u@IE3cuM6j|RsyBtrR$mQBk~MQsf8#hrN%*ftZ+@dZ%LwjlyObz8>i z#p+ouMRN>N1devz5oBmL1mCGC=Q>ox{?1n4*t`Uy~1I zGIX3#`I}DjK^Wr8la9(9cR;`&@Go+wi%qEGpJ?B0fp7}z=ry8T^T1{7r(6IJz4TVy4%SAyiH^}Nr9)4hWG8mA|p3##^RtBpR0wec=9tJ+HpQ-TeRcy zoCnUNxWK}|LSY-tJiWu@?FVAwKhQYY!a3+>gJZbjA@>x$FoGdA9U~&` z0}^?GZn)&%nU^8yd7IESVyI{=OQn~3UXwFmm;tIVAu^n+%(#T*ZSOzC07@JViMYYk%0^Q_^t8r<(Y+ArKHPGbL%0`$z!`x z^+r%*!$q?0!I70^&nE~d!}3u4#R?!-6UP&R*C=(pkw&1RW-jI%yi5#kw1}1u<$Da< z#ZmNit#7rwgvvZ7*IDW^5<`=w$w;MBz}j8fYB(tP04=kG-^r<69Xw?_8V2?$zz5Kr zbCu6}v-{jm$jN_!mtZyUDB8-BJ!Oa>!sck1aMrDxvPghoP5;p0o5M4)iH<8U>iS6sC#JV`nD)i1Ud|LljZ7TfpEF&=scQXccab!jr@ zhbxO5lO+}WE~2^-16WgFcVk)CF$p`}+0-q?!9U@`us2vqJ%iRUYFxR?;xSAGU5y?2U%d^*92md}_Bzs4t^$sD4B$)g4d++9q|NKE<*3X{KdJ%B} zgC}M@@N!$Ty3BOk=@yK-=^}{Q*pR?Zza9ZW9wIEtvO5Hin&qbG7sc{U28I90XwUsY zYA9IeL!_D+u8TEIXt}Rg?@v*ELnFT!h$suh`uLmdFHn2}2en@}*<;!p^Toac5}W6H zs^9WW@ys&Qwe>L&w6|}=(Y1Yyv(|v&8&KDefXuRHCMuv9<9U_a3iO;$=YIFuv74AA zhpg@}(D5v?sz~RZhv0Vf(?1v8!u|u?O;njY)??5HbSl1MZ>X$o8-IUO&w&1f{weDx zyY>-tuG*K{9P6=Wmh*4d7&dOSl4##(jEnjqVA;_2DVRG;B}(qvFP*D&%`F6oL@bk z37uCN_nE5qVif^Bj4;4-+o 
z+XUAHcY?dSYj7u6fWalW6I_G42G`*34nf`|=iK|w``*9#(R+GV?dnz4wYs{{=md5%ZuhscJb58P%c_gm;J%WRXazr%`1Z$HcZ2*~i5CSQwY9esTC2yW)?556gaSd#zXUI+XBs@>YINrsUTJ%?i%Yh^Z{7BxxWS}`u@%M6j5)Wy^|HeAR@0`wuoeMFhBlgN zc=G}7aeV1jrZGB-qq_;Vp$Jnbhs9sl^1Ph!*3(8)ju>;8f+;3yukWQDC%%{o_+o7gM7#OVb6#2e2izG5m84F^xety-NHl$;0$!<_ZlJIHXb zes3}a66|gDlU(3m&-HuPJ$OZ5S3BM3rCr*nJr)Mlv3-juS!v-NiWsD=neld@?e}xW zr*dR{ayI}9v7U+l$ZP>Wtarg@A)Z5C-4g@9rGjgYjp-&R4Nq|S0K?+x>x1_o$dBTF zcZOXeymJXZu+7=PwjJpCHI%?iZFOQ=R0=2*hz$6(4*RNr7M#^V>euD~_-qIiQbpzj zL`Z9cl%@JliAhZRw%;{xT%PJ}obRwLF13}ckX}7NZ(pW;0$qv#M|xs780_~C$S46h zU9fQu=TM(%!@DQe<2u)Pk{$#>g+tqPmup=pG{_? zs^A>e%U6G=SnrJ3ea+3LENITGypN2`Y2DC$T;@LUR`0=XY^Uzt+zL zq5I*#(|H0#GIM;nha!R?o9c|?yOeig;c2dojac3ak~THeVzZfd`lI2z&wsf2q{>y7 z$g=2T13QBb{FFZj6Cm5_*6*#o+vkwmfp0?`$L-#9yLMCWKzEqDnupo{eak(I?r{F& z{72GnhaJM<-H}|TF&SKCO^q{FNm5e@@{3bFqxdeTgV?a5s~`oL&10=%QI0zx7kt2P zyI8m<%ubij;3-RG{!STo^xo-nHo?cGBv*KeqHn7m$ZfF8oTy5_xU-_g7iyh{u-LweOqe-Plu!Yt8&Lc25d268!K&HWP#s?h|uMBVSy930+KiD_Q8&g zQ?>61QBV3>IdX+(QYX!|a9X|>WFNGEmD(KMwE*+R$LV;4O5zjz#^(`yU$qd}Lyi__ zfepXEe(@H(7XM?WS=^LjB@!F%X7jSb-qmFTENjYTR`EZRmu?uya{e=UH(B8J6cMWY zF6;$J>h3r_U@0@+IS;cMxp5=3Hb2nl>v4`ZXK2YYqVS_`JDsQR`*T5h|8xRAp*@K# z+g71vmm1R=$2BIvwyqCx*yu%bnId$!Rwq-HdYs_?CY`#z=Z7xEUqk9HkFO56<^@qD zZf0M0IvQK~&_&|}nt2Xq`oKD82+S#J_@Oi{3MHMu3jmEE(;BBtL00K+Ji#L64FwGn z90>g$pP}pNU-&w|Lx^9RM0vwbf;ta(3Kwlr4afFb+h!d3%k`+|?cpE*V8O)vzWlG4 zXSSO%u&H<0d3PU)=c12cEl^A8^GHl!CWB*Ss4ox>9GhrRu=vnArl-{OJt_8Ji-SLP zJ2%1Y4K;5#!7-Qv9ct|>kkT~Ri93BO11T4}Wcp3IZ13FsCmW<({tv_cIFlJ4*cqSl0s?|Lb>3W;Qe5iJ3+#?Rp zU|H!4|9o-SZq+|KXhz%5*d8u;P%tfP%yUM5Sk?J-vFpPgEERTqP<7?#dLqa1+?{`C zebX-_KvCy~T3pjXz^AV2a;ILGHr9w>q37+wN9w@=)fmgK;m)x{j>Zx_SdIO*2ZYvV`kAuw`mx{W5<{tP`4pJW28;sa=7xP%2nF@ zJ>iu-c>-G$nAE~oScZD;ShYuUTT6|5VQ#l>+0kkh3v$?nG%{tOT>peR@&Jm)JM;vm zHk!F;W@w0Ql~qc%-+SW8H(?mM+Er%0;~`1)t8Z96kDfv_FgUgGr8SpfJ!|FYfpf8( zG=A=;@QjIrxU>7&I-j5BTf3{%-N3)#GG^*TqHo^gXu|9`1YJ|4%N0rRL#7)5C<$w^ z^tAjsT>b@l^Ien|ckm?_Te7oT#~uqZCwQ-C(EjZM)kN75dp$8KEN#*{e!^-ti{)S8 
zTQ%McL&3sJu6r7GA>$wyS8eS^gAk>-5RE_^Xyr?`q0?iO1VyBL6-;EyvL+at(K0!8 z!=o$YUEBO2kM13wlnLDrK78kj`;)gszDoDx1eb6s7A>z+B?4`kb>~l-#P8idd;pYTil{fOFeCL+Z3Ue_p8`xcM7Y#6^;|tbpr1`EI1dq4hyad@z$1 z#jTwYX&ZqOXT=o}Mu(y7*hQpao!auydLa%tOsgdlVedi{j4(8H@uSSy6}FhM_iw^B z;Zj7u5XzQ&u8x>g91oHqs+#(-X?eBD@r%epP0Apnl%iubc1g7kY&PfdFJ;J!B0KfH za<3v+j4&l|kI&s%yEZV2QY>^K&`P^^{!C}eH?p0#f}(f~mb}2vYWk%cn-)`S%;>C= z)@SbN2%Uh)z)ro}fENzz@sg(yj5QP?gihI?EL4VQGk<{#bvCI7Ar7dYC1){>AxM0^ zDOimA_Tj`%5hR_LjsFb+@CO{FMI!~d|8;^-?OnRcRpQ0-oe|`uI0$%_ofO7o1LTqH zU2`*E6OnJ`*@0mv8bk1}gvX7R>Yg}+u#iF&C%N9DQ-ePl08Ll;^nl=tvO2o zd7O>MGMEYtwA1H)0b2kH9rwE|!sC`^AwP9&r!DZEwE&q>MPXA~xN#JyOseFIV zLbWnY=wk!fhOCKF*>JwK&^l8zog}KDc%jXi_?+jE$6pW^Z#)rY0AuSPlkn3wycwBW z8}7wp4;hSa23>s|W>>Fswt#Q)WqQz6=CmX#A^pc*9Jr7ZT6&%f-$XJKKufP%Z z-iBdyMvZ}pTa)8Hx~?0@#5AqBS|MdRsFL8M%PAVnaPt;)Z9e1buaB%W)8_v4T@+y{ z6d&&rKlEy9HZVYiig(9sDs_L7E2ptv?%Ivg9_Q7}D2z3qYkQHkgabOwDH0heM##3E zEV!O}31uuV+K%6O@@5WShI+{mHL$8Q*6gusbMnUFFN74qy}9cBFN7rHV0s-z&>83MQV#EyMhPFJ|(}Kvn$#@FgdiE z*>?w?(Zy&0lTNUQsYxiw4eu;@-g{Ee-*o>RAgW8Sqlq=QP`dQp%2MoJtaHHNh-O}* z(TlTX;BB7}9}=LbMCszjEUk;`ZdQk!VD1ZgLIjvZfcUY2Q;eRR$7(5*mxNpyZ->f| zDxZfhs7&#o7+f(nobq@W5-0JFk>2OS$0?I!ahaS+a?+KnnGI}UPFuyD8r^v&H+jVy6#yIR-0VXZuD zEkDi{x5E)6eApIiWDQmFNiQn>B;sfR=QIw4CCS zI?Z(#YB%a~s9(eggX=`g2;wtZYZ2(atH5-4=hDR8TmQAbcJucNv2g$6!0w1eX}@S8 z_+bX?c`N3^D5dQ^`6fV}KvGW+=WP?RpMFgaZ^y$a*PzF zSH3Q^rp27o&E22w*|C95_yLa>v-G)XU`Y(bKmbTY-8TCkRJ`Uani%Q+-qR;b1qL0! 
zW#B%E6eT{NO+(Uca$qkNE%GH@9%LytupY<#cplXyEb^-+xxP~x8$DTybaismW>tn( z!dx`AKECspE;MDIiAwna;e$EiscOv~Jo1quTde(AAPL36j^uJJ)fF+p6b@K-NI)s0 z{r4II)1rwNpgmwC2y>%0tyh`0cmmC|;Tfwwl(y~0N6usk-=t-4vvwFxF9Sb{l#?82 ztzxvq`GWEViPt%&R5nh1K@@5*kC%|}s)s4FMC(%LBpQE%V%QKyxw;9DD(dZI3X?{r z-K3T|P+yI%1BRK!T^P{Ih2(gkxH7z5dWnC^rMVz6a$VFBOfUVNH?2pUnT8u-&jMHY zVW^)CM`frl;68bh$t?fuOYWqIwjw>kC4PKs;6`e-gK|ENwJ6<)X&fs8Pq3^J_2sgN z(5$%}{ZxzE_|EezpeoJaX`Gu)444fvlWvk&t%MWEU}^Xb_Glm>PUo*D;46O*A&2_7 zU}auTw`wyIk@l$>1`@TeCGy^TqF5ixK}3;W_TyeZdsf)9fe0Ef`gwCnaLs#AXC*EJ&>#w(HGFI%9V?U>25|Kt_iqx1V zqTqKeut0FmhfuzAttm{ z-kF>YM@8ui1z>KaKoz`tQzZcG?J$pmsFm3%P}|-EH8>+Ax^KdAqga&E?d{kn;|2v> zBuB@H4WMN@FWw^rqt_pb5g!$>15?z*bVc~0`8{#HJJJyzBo;PGEKR!JH5?n23H;;K zRJ}GOP^^#)xZ(zFb>Rh*U`aG-;#JYTLyhC1sTd@3MTV@^d>LfZ+-lT*P7^_@qadWW z+=17Vkz~jC2@7wFC+1eITh%q@^!#VZQQi6(B)ydMyM|ms|Cj)K6aaLnBw;TfFfmX6pG*8TiCvHh#y)*=h=Rgn~ue8g9zMZ}Y{J>@zncu}DO0uzNS6$K%q4D#*~nNI07xV|R`9 zC6vs&7JOoBuHYn#gmSiyNPCOHjGG=GCf;$A?SS81m2`r;&u~xp3PlK}n1O3|Xh8T@;>9Lchn1k02ysHvOh>hDJHq86Mee7~PvaZCr?H`2 zAxzFSu-b^QWPWL;hN#E(AP&Ews2_Dz%f6d?KGuf;@YK01=0sLShF9OoAP3oCc&wzl z(C1b$Luk{Wwa!$>b*b6aza6k?at;NIOYZ{|pj06xu1TLe&^e!?fzdvEcES0k)7@gF zWCN)3qVQ|PDVaxHEd5I$*>^W4>5+73#}1mpaQ%cLg0T@0age=Z_U)<9W{tf`=4+dX6QKBxJ;BFkGRZchnGdqZ91cusum2mvPez2-mhy0=%fu_{|?xh%5 zOH}jGziEoaM>7T13opze{e0`A0boH3p0yNUAPP{7nAfV%=f)!zMhbYL(%X|s8uVR& zI)NpY-+Wynd>oeT0VOPG4$8MD`Y~hu(HL=&>AtsR;n=}}lfB!pU*@^-@*q~@Ezcw- ze#As#ES??hARFy&(y5M?;XkLLC0;ioFb#&Le_Z;4JOf|IdbHc!3QM&@O=CoDBvC9B zpqS4GU8gd-5<1NZQ^YcQb^P(|tT*OWMf9wC@+epX&vjW8YZa@D`T2xy7dJIh*m%~m4^5gG(6W{&}Fx*%V zo`6%C(1wBK(7?2`Y%nYVW>_{|Nqmp(v|QLiSN76nJ}d%!+@t;FmI;J};2u#>Axdn~4MAv(lnjf8rA{Pb|991!0>8w1}a6sMXL_6s`AMt)fbtIH<$gb`A^uG~1W1 zpL?v^|3i?ym#4{(GTaj4epQ#|%iy~u^Pse{BD;w%%O6t@H<03=R{Blqq-nQ)Y_K7W zh<+O(u7YGEG6!*fLNMnZkwA;9nRoeZ4D^g)k$ssxZ+EVi!lxiKNWJt#)`3A&^|^1Y zr}5AJ)vcTm1vxphnp1uFKe?iQxxVJ7fplC&UK|4dlStHS>u_eKm~5qC{&1UR@(b~u zW;ij6-YQu6j%ocfeczKFGeR-#%;SS|gM}oX#6jZFg#kiOVZiQ|BywCa1|!5be?A%) 
zuHOjSLr^6op!@(}KA+Gz#3Cf)j@HM;^0okm5JB*ExG<5F=eyxM)t` zInRh%0mr){cWOij9xfLp;Gnc(fGa;UK5HBDnts-DlZUZX8~#0T7fruy4QErk)NDX;i(y>hqfzxgb>2Z4y4ho9$JeVoXr7{IfeqEXNGIF#rN#OoOX z6b_2yE@8bx3kHXOQkX(QteNw_OP+`Oqj3S>TGsuiYX_j07JIBN@fR&<#DfNjHf~3I zTE?KkSi7y`w#q}R!hrl|w{A>TJdVHRRUc^={-GGSE<#?l~jk9#xmRdN+kn?gC)pioNwJNT#q)2J*{tziDfFKxb7T8Df5WM5CF^d0rHL)$B9UEz=NjCWs5C|Bpv>e$pUTd6HLy$a6-+`<}LYU4B5?~L(szxTqJ(Crs=YxU*9wwGLQQ;qgq}&^(*A8UhOv{<@dlm%62@ zqNKv+)$n8qxSQDGr`Yl7prU!(ysrn9jFtyy`)TZI8N#pN{GPw2gwcDc@R9H(nKJ?} zfuV?B)EAtIbvpb11h`tB(}kxE5)vc=HQ0hGI zbr>fGGP^w`zo3uCFfOyDmuQ17+bEErMKo+Ts;0M59v_|wP5aKV9xfwOReJx~Nqq85 z5If!E1OGEg9Hfi2O)%%2y1jB^zaN|p5&0mhHQquG`?rV|KlHDUHDmZC*OmrmMg!+j zB?K*!@q@7ZR-P<)ll^s~QqL@bInnWc4gW@1p?H4S3h0yl(I=iU4)HtSi;I`^8;%QX zfW%E(N{9KYzVNJd07U{&IrR18ZayG|Ahlem6CeD(qZCJycf-A7Q~s6@u9@K1WqtQ> z7(q~e@sHzRZjVsDZ><5ddS3?X%i*#Ve;IyZUD4B9;OHCJ?|llLowHJXci=I*_TbE- zelO`Tw9WCYX=K|kA(Y?;OTIp1^9MC|#%>GK1@QOJ>Y9|9*2wxd>9HvpUGvKm9HKmX z0<~xO;hPm!&b7-$V^3c+$8!Vwm;>1~4H^g#%6@l^JxDEhUr~WMGl|*L4#RlN&@K-e zM`G`9d7*f5z0raj?4-8MPDJMG>x(`+HQzJne`Wv9-HAjC%OgKK|p^mkCuVAFN}Vmap&n+|R; z+Z1JjK)0mC+C-e_KU`QA%NnVY=Oy1CibaqW31E?H)W`&9lxsj2>hOnLBmI|L>wN`2 zsQv%r43${CSfl?lu4BUYuh2v1sI~?+<~l|=A?YbE%PQ-STeOXo*q}HZaTgO1n=_zFUnwDbx8^b zs{TUZ*z)bnpD9dv7~Dd|dO$*l>sgl88^9PA+&O17KNsueb1Ga29=6bO)ESc?0}^1*L+a%h=m)O^d5PROjweH~Z)l&p#58zT&_ zr3b-@#h-~?e--ou7@m(FL5na(g@ufN*`Fbt&8dpRjmuLYohXhFa&CW;7#s6^-Wn(5 za7zRGF|$5qw{-dCbi-RT>XD*NYl-iZt5TR6zV9h{@OTS~ z@~f(@pLG537!5f}2v_~~c<$3bG{=g>+PN0%d`*D^)v336PBrGaZoH<&&0a~v=ll4{ zZ!2g=mK0Dr=I99w6tbOTG!Ne7(}wZ+(Hg zWHl>2uN89Q;A;vpD|q4?(~THtx$todviHZ6?*Bn6Av9+r=y0;9EVhgdVivZ%JtTem z%A&4fjH_Rdn04Wcu3sPqQO5f@c%|x=^h3#cKiz0qS&H5_9Egw~WswEvMV@+^>O_I< zA>jyUUe%OMw{zjF248{nltEkdAoe%Q^f-|6Oz$?L@Atb|B*b15AE+xSBrM#oI?fJj z8z=`RGhAvtt~11wzn2C48glk;7aotd`xoLY<}Q6pl5eVYniEJeJj&0P)Pa=tebF|Zbc+lNJ1Bl3zP zCml?x&GB05wpvWczps`vV5FW6-e5IsB|7qT_$#$}DrY0OH8a zsxw`wWB?22;b&szT?29pK5eqNK98{cHkgpGae+wT^C%XI0kIkl9Qh3voe&8wm%|!N z4#L%_H>=poNZqZ!c2{% 
zh9d0AX<)9UCP~q5Zip6AWqRwj**(8;)~Zv_WPek@w~fFheTg;0j0ItV1|r@r-d7z~_(}9SaE)Jc#@iiwt)mR}{4*lOMd=johR3)33ho57RL7FvLfl~$o;9J3$J%k2f<(`#9mtJL%0 z+w-qCNP{qERMm}Z(zop&raY=1W-6QgZ0~kX*E|#Gyl5_nw)pR#3}c)%zuXMT2oduZ zEOe(YKk?wIkh8=K(p!4PPyuI~K)=~=yx#+$H-MGlSIw@4AG7V>(8Zw4*`6?eFA zl6RQ^+czu2YS))NVfv8sIcq2(#9_2$N+xONOCk4GZ|*pMa$F}QZ`G3V(nwUSc4oBa zRgkt6MXAj&&&6Ki;~;M?&Wh{{$%razC!IHfeo?)Q_QV8WzVzqc;+|Lab9{V$J*oD2 zR|+wrbVaj^GfY9R$Mv%z=AroQX7cTs_3a_ta&-1`R1*8)c~JOuQ26co?fUcEiiq0k zeclDd`u*8tw8Sv9pETZJjN4L@#PqZ$zoQig#S2S)fqw}v(muP#kr8eGnJ)()83>#H zhR72oa-&(4!a;Fi0S3;+T@$+ z4WGVSQ|j$#XLc(gKx6D7eea3u@dY;yw>M^N9WB;0=-Eyc$NOR>MV5S}LYLx0pzD+o zN&rcj+m;j;q(|V9oOc)wCtl4P0@BQpFI4!@&c6JI6ypMLtniT9@De~Z@Q||2AK6AG zw$F|iAK$APQhg&^``*Jxp#x12HE&z3p9mQe)P?!3hkFoDX+A)YA9xhcwsvoHa;cnr^I5;GAf9mWlL7VO?TjYW_*KK2O?5uROm1>wp_$F z`b>V7BcZVtKj=84n!9d^9w6CC&u2W4o5m&zs7T~*nk zhc;-F)0jj1>gQT2RFNj0VeUNPnd6Od7#a8|Safg8fIXz^shRrQ9Mc@{M)Y)Lacle! zPG2dkMklTDjL~Cr?4r8)uO#`Ti>@r(MtkWPWu%ky1p-S}40~_LvLR zzgdwf2k4wXW+1_O(_?(d9%kGdofw@*<iwS;U^K39-2sX)rv z;IYy5820iAcMvsRQh~IKGc4wu)&aU*XsLQ?LD0X;pJ&v?L|>Fwxm>KKDy#nPw!~F1 z*WOik|6KUREEZp{^!Y1e#ttILXoqK~P%NiBD!c=wF9cB(-$#`o5X~ky52ddzEcsai>N-QOzqgKSk44N6$o3IiKOCEX?dao;l*yUfBw z1w&z~9VXS`4;1u8YcYH=LjP9Agri0)2EUBizTR%6x29!3^-_cLQJyr0kn)-F4DH05 zMb@hOt-PuPIvomaUvW$?-2{BKFG0i4j)W%QW7*8uaBej!6eD)r;dS%NAg&W+w^rSI z|A50S7{l#0CX8a84h_jCtwgX9IhX%qL{P)x$hEF+{p6+vO%L$3b}Y`ASiFW3Y!o1= z8vTlWt-+-SQ8Bw~s$7Ex_8ma4i9BS8a%tR($SUjD*c*)cbcKU;Y)Rt!PQFq7r^r4W z%!n~;qNfmfjBNQUm@x>kw2w@!`U#$e5d2n;F0vK$%Uw>nxaZ@W?>1EFwwM8`x;}aJ zLv=s3uh`H&sig$%kI>|oY{WNAZee<&@&tB(`qSJM>i>?PGUo{(8hOikz_eEEjNGhX>1k^^@Nat=HR5LoY-p} zUj5S(Ur_~DF|>DDW9|%A)`q0Lw;&`(M=d0FDl>r$mXVi(6ptQ^9ElffTsQM242Yp2 zGW+7!H&T_W(nMF;Aj{hz+_Zy)H*NfB#-@>Iu|ReevUp&O0aa&PVmON4KA8MU=B!bO zHfCsspu~@+iZSJEBu|q=@icf8BkUz5orm1l`85h<_FkR0Z<`JFgBt%-kkZ#-4K*22 z%7C5^TMdD}2QeTOh&reeC7)(<|3lu49jDVgigA?!CTMuKi&{L2l$PCaWz!*zpB#ae z>$?xq%GhxUv)}lFZGLMXQrdbv)z+GK+1t!ZC*X)S|@b}TaG0#<0PY%`0>Ftd{6*^U0?Q#h!{aa--=QV6xp6b%w3nMtRW(KB|Ns3 
z5Zz#~T?BSNREoJj5_b=IVUo*N)IBJUZz9cfFf=}@va{1;m*e;EBX&kafQE7l#tuKF z-z<`VkenqYl1i*Pe4mUA3{`s6ZhPq{mLsGBu;%ZOr|R!BaV$qoMSj1JhIv=_!c>I0 zcDcOC9wn*!%qusD+Rf0{?2gS4`E6Uh3&}f>Fhb}M(O*rPJZekV%gjisD}ww*EBTXl zp)}DY0gs*~3}p3bz8L>Ux-1m0YmAsUGTEsMcd0d3JvK1)m^w14*Ni(I*8y{SWMy!{ zd39dLmal1_j28-JQXryx^$=k>xEPi4Wg-WT31|95=XNBNj3d8=J%t~|B%w-)3o4kK z3#Jn-@PZc6f@2pkppU&(oiQ|7*$xPIRT5VCs;ivsj%^~X;ebeKd`{3{{gLIY0%BbmPBvtI_6i5Hdzh~}5Kg;a#bLx&I2aIAKo?67 zJ&zC?lQ6ejEa@K%8Px$Z3D=29zagxj`%wm{2?sI}rXb7}{RKX$h=6ZYDOIZg$uTn~ z-ie4%fmx8=%3@7NGdku;*(bfXjD_eVdjtE@s+6S6tA_;eDdoE+XwkpwABeQa)elm* zwI#hcK0K>qGmfEXsxMW_O@&e*Hl)&q!A|;0q`PO2Y9{Ae;mDR~!yLvE2m`}-Y@=0R zM*S`Vf>fcCt1|U;G)MxZ2P)!)Uz7QOSNA?Ja6unw44sQ{qoO!|QgV>qMe1GB%}% zklhAzFLpEUfaGq@C)oFONuaG-NK?l+He9wbL=jCBca2KF&f*8SxXa-rv*=j_zM{ow z4uZ5b9R^`E;2_9TCUdGAu&DX@0x*4gw%2zUs!A77$k5uh6 zPKQ7ji0V!p?A?~E9Fp}!;Vqz~!W_0AkchDM=)Ve8LYPlJ4H%?Bd4@$>4cV~RiS?3) z1WhT;e&muu!nDoT>EEtNG#==uRmPUqu)cKr+Cqje-dh!N|6-a1ta|S!ndVsUfF3#N z8cIuO@YB3z>$vVIHyJ)&*cP$qL*Q{{ze)V|vv#E>PUmRe*z%;3hhmO;Xxh)zqd@~L ztP+MHkNJs&>r0bIICRK_lN~9zaN+i1*)&koCJUX=gRaRFJhqUA4wUf~^{PY59;OFP z#>SRB_}EK~)`h@?ew(xwtk8GSrkZZu9^QIaquHg;p%3^p=};0V>efHV1Q~W@;_O?& zDOMG7mo0d7^P4OH@D9thY(Em>N0Ik`Q3in;eTP;L9tTsPag{ZUCAf?zMoDVYN5*D4 z4tz%Fl6}k&&X+u};`*%Z0FFhlRUFDd)IBj=U(D7^L4`I7Xr87S=g;0yt@( zC?oLA!EF{gZ0;thWHH{hHZquA@JbjQ2Bl%r%LW;`#E(9So#&W^@}qx80L+(x zd4wf8=r!t?pNe4zVB*h`-MF=4y+OPI88-4)?jDg?S$DsbbJo%nA*QLDR0MkCa7Yxc zZ-h2Wrafa{DSz9*6=CA7_?M%hHKD^qNhvvwMZui@60&d^ZaVfbO3pdLnJQ}ms%=@ zS5?}d;RG6+tgZj>4vBt5iPBN~Q;3j48INL z@5Ro8&dcamy4Cgampt{um5Nc`N#Vgkx>3oc^lE>}Kb^X=XER;89|Sie%+W6I2X|Im z?V^cNEoD*>fqGo7PEB6#X*|^V7PyxkgxzluKjHt-U{lU90^y7P_B4}$Z%b5)6r6BnD*E6|Ja-J4X#*VKrgVm=s4#jw zTkjn<0Z!a7jms)iiil&alZi-H*{*G*klh$3OXQ>+9s}E=tn}G+Mt{0@6<7xLN_=9c zkqfvsrE5*AhpG*?;A9_mY`3}t>~CHxxQ`7tVCVRMokC>dem!rJXQoj((RI{2Tq!=A zCaRPef8T%EvK|Q7*3$1~^JavNHfy>tl=@0@G3G!Yw!_20HSBmJ+kDDFY{lZn3{~Z& zn8DKzJ)KD11w3aBrFasBX$T??mfGs_<4>>PP$6>cpj;Xe9!x%N6H3KjXXx>!wa>gW 
z08*ah;{7h!e%Vw{+0sLD!grDN^>0;D|7a(BWErOLCAuhwuqAr%&K2QqgclGfV%fiK zj|)9F6ZJ5619ooz{U(95Q%0K8LO1#1i6$qFP=v-E4_ehV+|)3b+k_%Nb!oRj&`Ed- zew-6+>qpdKuTJo9R!_!*GvNgE9dj#(U(kJXoz~?qqpZ7W@m|-~_m;7fGu;ySdAOJB z0*=(2dwg<+G@DS5nzTera0m5$AwH&28T|cfiHvu6l;%bQ>M>mflfQj^H0o4MO*G~` zR$n5}4Fnk1xIi<;$sP0HE0k1-Gd$9iTd9P8>z0g{B%`V7qQJX@=7$#56pI=O#Q+fa zapCADIaO>5okvT@%0Svy?TzRv@b9RHTi1JSe0He>on|gF_$%w3`?)+j)s9UWRQrc~!?OV{`a8QUyF(*Cmw!rAJ9C;rMZ;hm=4EP$Tv%X2I2y)3jIFR^xA5Z@7HXH4|!kD1h;Y9$6o9O-T8q8 zdrrit5s_vMn~xsA|HET^l=VEv5g}V4#TSBP_8~WM2y3p6=Zs&!jMdRbkx|q0O^;_d zX)NZo_4$z(%*)_A`3R5nM6gG#{wxv;)JNJ$0V=V~@e&YPA_vaEwcO*FehPBv?}7UM zmYkd_T~nNlx9$VZJnWcDImAjogNu=nDDBV5|0_h(4&>P3;72XZ)!&+lYlL0)2hFe;Vq1$jQURfsE{eWcQw3}>DZ)@ zOjCh7#Gy%tR&m~L%kA#A+sIfiVn@pb!WTzl#>-iuKj#=pWlh)`7k@~I;q2F0 zI3xLgk`nO-R~26Oe!l(nFWC)*L1sQy$O$W<=tAt5LY-Gv!7Wc^<0A1~89T$1DAh)v zcXnYghbOXM4NGf^I|0*Mt!_D{)hbI=lkY*BbJrs)55Bu2a{fSXTyr2U zrGI9aHqzLCJ_Po#OWVaTjTaz_VDahlto)&ArZY(#JQkZ$K;HLDz<*q$64m7CPv(rB z7GX~JSnnSOw(i@Vlb!hY{+NwFwod#%ORdHk$0fQnDzi(~{;_n7LXiYu(`dDA;{NNH z%rEbgBfSwChuEgcQWb8(64rPAw+A~RB{Uy!%~x|UhflqhBed}`leMX9lng7d=@R$d z15@R%R&xjrJ$+y7Sr(C(0MO=4EP2J)$__5k`Z=X+}-m9AZzmuGQ4D(qa`#W0Y&*-yr`No20WB_f# zAtWVutO-s>pagUSByBWIz$Ak$kN$O)RfheFotg`Haae(`-qQs@BbgdWNb4sDfVbzWxiZ-z5x&Rd z89TBja9>uG7GVlhV!;KwrA&`J`%iNrnWo2znWv%)n9|yWW4`_VdA=m5VU&pOH$pi? 
z^l%Iu+~wtrFi_doG=)4 zxo&)gfl@4$b(|2e(>xAS0%w)!A-bY(;i2%qJ4L{K*)9|63r9ZR9g}^N)KVxWgz8`| zzW!U+^5|*Rzy0T(dQDR>`C)&6sxD<`|&EOj`YTHv_5AiSv zaFoMfBgG^`NnS}v3@3~Jbsp|VHlcO(LlmfHDfj8wXQ;1OXH})B5f4&7Ak6)X>YDK5 zFuPb~ewo@9QVGfZV1Mo34o3@Jb6lFs~;Zz~=W~VQWAal12 zz~5x=k$j;pp^4^B#24o|dz_}5?~Zooue2sZ7g8oPbG_vIWUMsImR1V4(ARZo3Ux{f z_@%YTW6eI_Ye)44E;z;_*i2n<`E2=lpb~P_dOE3q7yliZu7s`!o|Yj$YZ$Ro7mx1e$Ih{rqI8Q) z9y&mMS6`|Miiz4AZ8Qr)?TuiU*5+8?kL;@x)&?aEMMN^$k!J8xCsu~9(mgLbA_hSJ z9#$UiM73v=r)(_q0#Dv##mUGczX6)vWC>$wXEae1$%J~Ft(}x z!M3uUZv2cN>T?43(xr8CD?Lg4z^{;zw)wWGj^4T&>J2xutaP7`%dl3gsa|(-%ZyIU zxGLu7mJU|548ekqps+7TeTd9q9tuJxMNJYqVH=|xSf5XY`yDU#h=72eqy(KHQdmD~ z^OK&oA`BO~{PD3_Is3y?9+vzclO3z_eaKIcB;lVvffg3!tw98@qGZgHP+e(iP-R5R zVZTX5IAiQ5*%M00BHoNu9anb`9+ox3AXj!pSvF22HqG@a)n?n~4rnQz#2I)_7YL@-=pK@=C2q}r7I9nrQgz;7&3P6XG1Qy85m&G2 zpOxS%zH0~@7YQmKvu%1QWrfx9wPu1%)sQ=NA30pQ&~Ndq+WM~i|4P)gJ#JjP*p=~u zO^W9SJ_e$mI>tuEdZW2e|BZz1Y@(yEZPe?7@6TiOjDFWz@}e@;j?wvb>V15TknHbl z#udg*_2o)r;4ZwwobcFy47fK`@A+|Rr=KKw2^jbTT+;Vhy@YQ zhc>}{r|&v~SiZSi3-i3S%`hVJGu)Fn#S*gnqwnE9XOQ}7`> zn2Em%{h1(oMJwNes|Z#RG8If87;)GK2;p?l$ps(A!Nfv`YlK<>5 za(qZB9f6Ow`-hv{F`BwrcbwkY*kaO$GcQyZH_~1(6_JdY^1UN$?R=Yk9GM;aL|RX4 zHq|S?tWBEg!T_y>2->pfDyiYk@=JXJ3@s_`AUS8oe!7>@^XWh46X$| zL5y-aYuIV3_`zhexa>o>ex-kJ+M#{DT$+sGto%OZljLXUxIEXvedx-HQU)v}mX#m68s8Q*r>mAwv;*&1RMZ9Q%%V7A z)r(Rj0I*^TE^{=@2_21JkI>Mv5ZFK?$3(gpGm%=8 zv^fHL2<8`zO30B7RZD`?P%u|uA*6k|Q!+x_KJvCWc}-iW8u1%(V|#}(O?AtF8+YVk z*`3lAQYFdJb-1JZIB)MihG_YXQfq@SIgG7<2{^a5YZWd8VtwCj+cMm3x~d-(A_r5q zYF`!1w?KjNYC$&AHiH6)PSN+sUrnp}O-umXCCqQCl6tLC{9alYVMCz$<%VrhQAx)h1!!w?=+`|Tf^4u1r9FrL+r z4!on_)BOC>^*Vmb2on`Z@guRMb0ooRCjRI`OpxVsX$F4h(A|G=@({>P#q9 zlmFewN#l9Cc$FnQ56W!=R}z$ny*rGq!ggFVWz1jtv1cWk@6!|O@-CZhv$f1@Y#y^S zxLElAaP^jPRYhC(Fd*F^-O}A4-Ca`BB_-W)=+abk~0$?|tvj z=l!4`1b57}_FQv~G3HoLVo}A(A2^rYG*>kV-P6b-yR7DAh$q(o1w#+w5y@cM)9L8v zqKP%cMD)_txY%x`{rQx-3=ib$`(*!5LjMn2cUO=aj_1g*={F5Mo6$P-@VeBhsvu)yHiF5!wxU@O{|8G7Ic)C? 
zGAnENv-pa@RjiTcDM4LUr4Q!xH;oOTUyVzTV0^Oy51LSOCey$~P$qX!fw~IIuaGhH zT3EmNR+)GBH7Au(Iue|&rn;nC!F|rW_xpJ;SEm*#b;eLV7UIV2$M+u|64|KMh6NqF zD@7=@Z^m%aLS0@9gnGG;_6iMFhwnJ^ovh(2P9>&VkArfhG=Q?hnx^^JVd$iTvq1P0 zCegLq4-aBBND4K9ZOd#Gs*|%`FpAqfBVi2&mog<0z;1r{#Xf75jrg&`fW&tQ=$FYl z1x}z7vyIC0)Ho~iomZAJTs!^pn;%z6UWnDwAw2A^uIeUTi$ZX%K)K$cNkQ$4nT}$` z+69zUuYF7uCcNms>pg{+oYna}4}7wO-G}o=$|uwqUGt<+3d8M83{d))TBLze?~IDv zw=8#~rav_{j@=cogm5zlkF(XqkV9Q2zUOs>x3tT z%os%!1rrM@g`s_U;P)_akZPf*XN7Jk9Qq5#zhfk2;Iz=SNllj22>P?eh!v5MwjDU=kLx>lrM4~9#$8w*GvXsLZ zj+Rf~OsF)vT)jrQV|<_c>=?+3XT@Izr;0appr`fvOem-b`E{#Q@t#w|u+)Hk6$)fu zC3dc(EQS}?u_+B-ezAsT7Lo6mpDsZ?Jr#i!hrl$)%mp4y=i%7!`!zX3N4)0I8UhBI z+vW#sQ3O+v{0@;2`3M>bXl&537Pl}z4U-uMI=oVYbhx!lirK?oiy2>!r01G`i?X`z z|4W5VIt76QtBKnaUXiUk-M?A!K;2wB$~I5+PrX)Pm9#o&!>Y)tO3L@wR%oZ5s`9&W zIf0vJpf7ok7T5MD_I~UvvcV(I#@I1ReVBqUb>N47{dcdJp~*i0(8hD$bpbFIB2-om zblN5CZtX;~Gej3U+xqyuW`++v%)wSC>?sHtzxVKVSdI2zlR0mqdW)#Vc|hi^9q(XL zhSnzX?Vr={VV_7BUVGy+iMgQKMiFLS5+C-PTzLFjP6o1hnUKsfL8*|LS+<9VP}cRE zkp^KRQ^T@vz727AY|z=LOYi0YS!B!t9_Mo*IEYtf8Xwoo7m@eT3NOv%n-$&bg=n>aA%~m>xY*C;B zaCX|||7r?q{F$j_I_M}t6|VZ1oWU~34d*dsc~z~j_TsXQDJonfrcMm<+%8Ox9e(1! 
z4n3ghH6l1H0tqi^eB5;uahm(a2(L%+vGkJ0Os8OLd z1o`j@&g$eeaL6$V@Y4Nhm-+<}K<@T$D3+@W`x%pEoy&dd&i=D9nq1>s1Xzb{o{ot^ zIUA;PD>SqY2?RaaCI|zrbF!Z?c+7#Q23mBE{3yj1zs>mOz&K3eT7ETRvd*>`4a8co z!I>Z~Bc;G&^>r@1s$ErXZ#*m@K;({@g1VF5RSPyj8VHr-;ql`S2Xnb(?Zj|2r@pnQ z$-faK_g{M6eixg>!8Z3DIdVZg4Xi)k{#K~2 zZ^$5h%gJG<1SW$aq=yz2=6x-2iVEWe{c%ru%#OZj7Y(xABkJF;u77|O`^Hm9@@ISGf(&J%E6RHj=ub~PXx z!07#^GXnXHlXi?*-v50s3F>!BRG_2E*4s*G(CiIL3ubQvFHD*u5v5bxpj0bH0$n}J z8<*{juS3t<1@xBHLhs^na_b{%J`=DOJKT29W<(nMbWQd}#&7_lI8KsippYwCvtBjsW6lr*^;193iMJR)`_80>s zFgU(5O{a^lIC>oO?xXzIl6X_Ad>8F1?d(D3Ui-hEO& z{0V&0SY~*gMfMQHB{VtW(%1kHT1t*!!JPuM zBZw58qy3_h`i`-(XF9yxJ>QM$2eXxpiqwk5$`{L*Q>iU1B)JgiiYya->b74Q-2;7C z_FK&W1~L>2`at9M^hdc^@vs7I`2d*!HHHR`N5)ThtApiaCwqj5P$7T}$9A(}H|uvge=& zX|N1oVqBIeGnrXwW}{xLI?)9&vu7tWp4KLu#~^C1t6@;ELVPM`*gJEmq+LHw!T~ep zz$8Rxm%PS-qGmD6Yf}g9WX(|FmEjO~xk%Mn?6H?h?%3&E($C80Zt2skWkSYQM{g=e@ZBMSC zglY`Qfbq2&Yk;bKT2ab=^->RkcThEpIsk(eO_^Muu+G<`?0l)#or2`Q5I-F0dx^}K z)7*dBUtkfUokTdYYF#v$v>xqn8Z#N1E@w5MWavTxttLLmV33hxI98`Hn8I?sTTA?N zs>`w_3jJ%>WK0JdFG0WY`w)L;-e%1BnsH>))o%dE`5#IL?BTv%@4hYwbI`T*ywN@( z8heoz6(P5_0QG0OelVB7-X9bFWN3LSF~%n@C5|adrnJ>qtas=^9r?kDpk>T@xOQN+ zjPA7+x&f`cc;B`M%~FXpuaZPmF)X4s7nYcfaVGl}$t{rLsX5JZ8GpV1?-%E-VWnPIIYP;VkKx2MD+-ms`8No-mjM%%j9{!u;(>eY%_cz2e%MkO7+&K? 
z3hC|5Ee?X716L$W_@9q_MC>4@;?BRulzSJS6y=#1(r4^PH5 z+kP2cUa|P_JskkG^&y~kRPsl(q~0_K)A8S}XGb~{xr=5N8K(pY^&cJrUaeY+TJbxg z4-d4F#IB%|ZIAtE!5TZllxf7YAWeZz=55h)LRI`yc0y*%d6q_2sgMt^L#w*8fRY)QZ`-CkjWq{ajziTFk<3!zQeJ zGgWNX+E5O`Ft&kG91k-_!;6MXggYH-B2QB+sXUm`- zd1asxnW8#!(R7G!NLZ|F#_>LTc3z>JbWhTHC1*?JiLGhzJE%Sdyqm>4u zOFVfNv)0^azADARuHTsnJ(YE2-1C$(rdoY=4QVhHpbcw;7&VF_p7Nv1hRkovf64rZj_DX06-;+ zFpCIZNQG$Z=A%>uR{;uudnfa0QQ{)U2Ep9XOzL%c3Au~b$))lyFI>Zw?N>!cO!9PK zD0PJXrxPm~;L7eYHhE$l0b&E~=L1*%c>0+zK)1+~FeL$Wi&&7492v>qPArk)Lfy{a zTu}hGd}AUb_Z$qC54nDhMO@+>EU_z~j54E92h4p_0(DpR`X4p?Btu}Qn@XiC{22Hcw`94WdKyZGwDI3s+WRwjVmf| z7hRo=V~jyz312L6ujL;ac<=raDxYKjOQ@(Y0)&e2@YV9!a@4s#Kd_l6qVg|~npATD zAb0WapLubRsUbAUa*;j|xj|H4^x_&MxuS!~fiRVonM~Iw8wr)IFSN^HWVQ3rOUQHC zbWYp^@zke$ZzCL6R1(+6-k@;J5S(R>`##pyvs3EEr$z!*S1yDyQ)~i;HIDEUDsA?n z#)9vdBmAU4{xEF`TV%UqS=RNruXfUrZ(Fhnc7T?pZ8jSsvf&Tw4(IdtmM)eKS6PSt_TQ20oz#L zb$*(Z$m{ySkl^0+-Qh^q$*0yi=2*GUW;CXd5p)XM85S}Er$Ff7A=LJ?;UJ8~;Lpqm znp<$z?NHjT6yZnHafrS{^X4#Ov_dj14oJx6|6wDpXI*I^`~tLT?~K#xCe^HTP1(cQ zv;I12t>!y3vgnI(fYj!I$I}0)N}s3{y?f)$1HFkYhI)4kmKGY^*dci|8jS zFjP4#Dqo8wOUAwH2FzMCQcRCX8!S!<7-D;UIFo3s(sq^z0SC~sSc!CGLYkqvG6C=tnd&i;%T^Eh3|(Mw!z}? 
z<-Nmk-LR<_5+nWN|tM_&ybK!Z6*r6qgop1dr9Ox0IcBHn;p# zre$K6ti&$VZg*U8bAG`eGCJkcRsRfpM>iz^J#z=Ad&Vto83bkO&dIgtd{3_fwM51$ zF7P*Ml;;DzD1y926a9vA^t?PR?>gbY<77R3l_2zqOn;jRSyyV5&Vr((!SI^ zP@i+*xm!cmpPA5on`Q2t)QQ>!x8`TNgSQ!y(lB@_X>E7hMt&FLvKop9@2{#f0;LDm z>l-=QK)wN3`U-zPx^Fvb&Nr^zvn(PdPi|}9M77TwX)J=EwsZuzYB=!S*y`PoaJ9RQ zIC&hmIi{Ass9yQd8Fn?~Fyjkd4=OQIZ7|T49-Qjf&k5=Y%G8Xd8rAT}{HRS-H|Xqv zX7lA-N+c#QJb!koG79|F@?C=&TeaTjEsKznbqs!+2e->>O-&!YWVZXt|Px$5%SPLxYRT@Z&T{uuN&~i~WaW~3q-L2S7Wn<}po3`Ek2}HLuie#PeN{j{gQkW#lrIF;jKOKgcyUZf-=sgB1 z{D11ipw4Jg2}>_K9DLmm(IVJ+<3MK}Jaw0RWo}xRddFW_=4#xj+7{j7a2gx8+Nt>w z&ojM%HJg#@RJ^tUceQ#jo|#ABt&c&>x&R^Pn7S~ImS8|WH@j|n;a)}EPYT^(43`~i zCZ%a?7&*E>(l9EVM8dMdA>T{GwPYV)Kkjn=fR`h@131Zin#vKgyq*?@L`E;>?=p8?K^vP*i6;`@R&Wkob6WO)amPRCQ_V-5CeA_m+l^S@%^Tvn zA|&Dt)KZW+p4+p-uAW^JP&pGcpR!akL87d7&X>yN+~FZMXIkhi5cOs6u_LSW&|Eq- zX;R4mS&ks4Ll1Avvm_hND(&>T9a#8N37fUOIv{loB~|X@$Zs$#sO2;xxo1snQ|n#% zV0AS-RT%)jHj+mtbj-uqTV)<-lYw_qc0H&~5zb6B5 zUuEdGfnF3{TeDz+$1n4!s$qPDRhff``DjW7JNnXGkND>YkCfGA?jgUFD^7SlxL_y4 zW78Ljf-vAw)wSjPY+^lX=TJY_R?v5*)t9LQaCvtAw+L>^AMXHFsHsd9aH^y4U;flV zRH^$RXf06X;H71bAXMb=M!IED9)ED?+*s-J&Y_bPQN^%99N4K%)e?m)^GS8yTO{$n zPx`+c5t=Of=s!nr6gQ4XX2uh1yztvn{QQ+=JMPm~Uj>OJm#bI%4LqTkT#`>y8qsG9 zS5kSzrIH&REjPsAV=cl*QD!-%~u(Ug6B_w z2uD#b6)X|ttO4}M>@_744)PKv~->HQO<PYQ!L4TjuO{Z71`{9H1F6eotdW)lg+C(bR0WFxWqHs?W>*Q(ElB-V{CE-_U|F%w` ze|YIOTDK#Cp=Fj2#YIeLC$9uh5bNK5Ucg0epvROWTl5_NHMuj+H@C@BFtb_PrqxUK z@eDIbK$XCpBF1J&nzVjRDqhT$m+^S&o+C&UY8~IK5N7ebsN!?fsa{Yr2}CxYo@C$~ zwWk5GlpzeVAk<~MZYO7(&^htciPeo7^c?hfvAGx0(N1x;6=Wr<(@5cR!4VP}hDm-} zD|?;0jZ13$G1qBl>)Qw7WB9gKLZ+lKp0aoS%s0TEC|T=Qt*Xfiq+3AC>6dzW8fgZ> zzOkivMV==aSxhE9<*n%e68x|P`-~7YgS-PpT2lc}VPcX~2uP?mqM-$yjPe0SZKTfF zW1)Dr?qjef{W>r?foK{(J!`5!vM1tRQ*f&P4V5a7&d4WO?V_YJnC+CWCsM`(<=#p; zlMe-GuBJ_l)9C5J;Ey5QdlMZys6`#5xw*(R1~o*IVhbf4Lq`mnz!O_vs{mbh|C_I{ z$+9Z~L2g~48%fb;mH6^V7zw&or}ydEw6aL7TO5^YRQU4B^0yNF@C!g&{^&fWBD=$K z^gWE)DZvtPNb3aGBT@)n`Xd38(yHyx43wJ+6*+!8nV@CBgl6*we`z-_zQ15zTh1?%pTY+54NwouFRzgoefD?oH 
z9n!cQ2(ABw?BABhuv50=Z55|N~u9swS}Nps`O0!Q3&oc@{IJc zJK~SI)q&2mI`{~GJQh;u^`L+!(@^*xs00Y!!buEEZoz0%D38&1#)5D6k}>bh7u;Ua z7cvK<<|?LKo}Us_Px@GGXzziCpa{w%5Bn=Wg(Zk}{<0Q@c~8F%01u&KL)yLFpEU3+ zskvaX7^P;*KeC~1wZy2S&il6b+ zdn0^GLftqS#uG{-%AqBEg85Z=2)>Xy?^pv>cw~xrmE5;(kE4E>F?d_g)65PR!bEI`t~j@{JnhV1Z^f+i zMgN%d)H1mbY2FZB&Kv9F9i3<`-B2waShfOcS@n#hq6MmPYG4ab7{qqtz^QXm8B~%$ z4tb-?qQ})!=2$EF@^e7!1}U(~P@F9jnUW9K79!AMVXk%xP(`!{qhQBPn)0g?#whC* z(Fk^*uyW}nXEn&rnDi0<`XL$FG=GU0-ZkF@@@7va5ehhD=EPI~8`>fokWAd7EdlV_< z(plfj)^;e67v}@r0UK~SB2gv{$>IF{MeL3JQ%eeN(~BUv$NcAx$)k7*HKAZ36Adz_doeo zE>#HdNd^u5NL$(rX~K6YSvR@7Xo4l#wra+90|_OiFkkCnIcz)AG5H$w5kjA@Mo>8e z&ZX5gO08{@9~^Z5D$J-nUk!dT2F}@#Sy`h2^j#}`%?(wmxzd2X>q0N!-n&PE_V_+# zQxL2cr)+;UPe|suwi9r#lIdb1h{ZP6(o?}9+&5)^JzW5&k%5A-wZ$fy;v6+An)K_s4 zHVTLZU|LYM?hVi%eUXmSB66Sp$=W!>uMv|Rg@MBF#&U4MpY*!YL&cK(wxguUIMI(S zMX&_OWjfbrJ`jE0YR*S$T?j7h;}imiU&tUg~^A zd49VrS_FB-LhN%MJ^nDtd6rU>r1_G7DJ5!LrY8;_CV>TM43NsWUNQh(BmavQfS3Uu zywvX)xi$<+@b3nD=~n%dgcrZykuBTBxAB~t*a*OxH|zYwXwy$hbBSI+j~p|))RPw3 z7I11#vDbaNkk!lZd*OgA&Sy_H@uC+0e8157Jrff2=i75<2ZB zQmZ?!shfS&#t(|ONh9J+CL+QoF#6D04qjLjV=*JZyL$)qz2?n+dhar{A!>U@s;a70 za)reI6HnLn$T7$#u-OyG^in6Mk#H6VGO7M-XQXv&^Z5Ad?%Pe`PHBn0DL%?7o^ruN z{4RCU{=Jp)rYkSXa?^+g)Y&j!d$m)c_P0ud(bij_4lj#s(a97g`M*QE!paG(H=33@ zPVIGnoP}g)U5{$Ej#sfKJ#4n6P6-ZbSxxm#61F%Fo-M?0izaVLtHl+pAlpC6B8dPV zm47NC$WWdGI&pam84sasu}=3kI}GU+H7P71nN$H{(ZN#!!SpY$dc2Wa`S~Cbb#}Fv z{VM+dizqb^Q5MUw+Wp~(d74h|rqdRiSOefjI5_V$i1XB(r+IAY(B`1=`ED@KnZBIojCfKM(oBSuag!Cz>_#tySv=yS;F_-$o_#F56 z&o&AYo*52EQ6i2$>Z_YWudhKahgAyPsyqJoE?SAp*MuY1IJkA-sDaSgdfnyu$Yixd zw4M~rv)vBSEYEp_Ppj-#9WWv%wVV5~CqyfExKzMN2BW5cbM%qv^M_35w7+T>=QLoR z&i=Duf*`jvfQaxldx!|>R?P8`ILj-Ft23R6_P*(4->L8;T=dnOq5X(c0xxwU#`oOk z9tXWw+ekV0)3A{wy=KDNTvjRz00s&$@QvQ zvK;^6t7W&j0J!Ccx;9Jf;B^hu+LrR4|#6A4y;C1vs?eMdVP4?e}iH}rJ)o#3CzoU<|LF*hOX z*X<$s$w;V))bw<)f4diyVQfi^yN%mbWC6k4U@;TDqz3B`2h5mOocN5l!pF|A{RM!| zC8P|FS4EG%bbc^1{Z>xgs(EH4d&PQP5&hq)my=EFyPb`PG)%8Lel`jUE~-rB?4dH-LxzAY(L=or+qyM1(zQ7ZRx6> 
z;i1!q9{{`8e8MBe9VjormmcIxnH~y5rsA{P12TG@!pA z!sV*)sBW`Fwu!arY-;k){PeDdklh(*ZLl;98atdU_J7TFo!KbSP5fd#xSfhG3GHof zrm`?!wM6veYS^vO{>!@&ydQNEaeKDT-upD^jv`<5wx&=n8>HubJEXr1-x)js4m2{1 z?uzxua9cQ5^4aCGt5--AWLr^R{Ye5|YVv?(nB3wgi#9*oW_163IbizFZW*vKSmUoW z+BFz`aK2aQ0YY7OoIDt7tT`Y*C^jCY)DX;>Vw@E*(NDdLq#&4c*u2RBaBK6>vjLY9 zlf{u&x;#lljiU>;0{qInh}O@ZuN>1~hydp5YeO2E5_AJK6@>W4HQT z91(VN?y*16YP3GE*6A(6YOFfgfAk*OG*HAE%*UQP^}zr%%J_OT4XP%EIEXZpQ$v~W z$M=07ReK+_w)s|Mgx|hh97}If8H|q`GJ6WsK7Vr%{`S4d*MyvW1u+wOj@j`)pyzL1 zTHVD3uGT*0>K(jsUxet+Own_+rZC>$ML>ixpE>avt2St-fp16qjDUU2hER(Q;SAIi zY&vmHVC<{+*obZqGLDA=J1QdoZ}XCu)4~6S3GE8QH6#$-H=>7D|w>9T@Q}UFFqMfStIC7`upvpuZ-r zU!=6;Y1}nw$?Bl>=R%NDdzs(-d$g`htvn?=J)<9=)Y^mBeJA=NlN45GDkOsV0LK?D z?(@r#xYzyPl!`gNq5+46@4|%;|2T6;9*<@<%P*e>juW9 zp>fzuGV1QAVUnrcC;!3WqClv#XMiO@lb|H`%^tX+5^>hgabxb@rhb!O>3EZa&$ptf zYn({h*H4Rl4&iS-&buy^m3bUbcn1q&Ugfv!3TnT-yCu6NlQ|{Gc~d@2F@v>VZ~okY z!Qh3ThDhdV8VZX2RDr^V9tsAIYI3Z#V(vvf7COR7m=0=@tBYaBZ^gC(qoRJw#wKfAneU^iZsKcKFW~i3)!S)&INK1I(uh*_2-zdGaVhS?cJp-m(b`Uh8FAoue zqj(TqcH%oN&bl`)e4)%Ae+v(z(!-HRuPc47@z8)q+;B;Z$cT~*FxzQz8BV}vvkd-K z?T{S%xHi=2w2eCEy!|oInR6U!&h{p7O8cPs}8m;u8HZH%OC`m@@C8I$XXX= z`yYM(V8!XxtCqO=rPoba-(;anbjsypbWvY0<7BNg()E4Anv_AN(n}rSKNH%lrdJs4 zx{#gVv4#cM{-}>LCTz65vKzrHwi?E#3bri35?UbGyN0}TI?idKPTe&57<~GnA>af- zfgNY7kEGNVT&cxVe;5F4IE?E{e&~KwFir%1 z&@pkcCiUc*B-~~vs_ziW-~u`s2F|ND3<_|+u12*Xyl$+q!yhyJ9Ei19_@&uYA4Q#^ zi19e^tUr@$eQuN#kPdKMGKIY@2W+X-5>B)Im~&^n)p;Ml1pQ zyue<-e2|UjfkYEsr&;qJzbNF)jCPR1TJLs{sSpF++=Vt7K&D*fN?ATCP~{X&0VOP9?FJjd^%|7b>sMT| z(gx%Xa0wh(S6!*+RH`EA_Cd>*EZRz*8-l<(@$MwCAMyID|EYOcikbtK=?wZF7?X{Hh*C>+4Z$6(D`T>Z(2Xw#IeChyrs!qG8G+6>*B z*9t0zLI{IdzpYyTG&Nurl_$TWEul>587VDFwjCG0i`R$mbLAOoC9grB7zM*JOl8(~ z5rS2LXVY;33uPYuF_dgBp})v-v0R_BDg^v$0Hj`_@q-)#LU>OC5dpo*DeD3BIG?fB z@CQX!Y!GB7(~h;o4N#IMlQeMe+6>@xnA*Y;IV4QPM8nk* zj;yeGE-?$ftH{ZH3Nl3|BX&u9u}6NSAbW?wiEOkXQUp&$?tq)%)tsr&g?3G)`m1)# z7K$);q9$5XXyLRR#LU4S@rxij`&==HroKyXwXa#dvvr@?dC;sysr;lMt!E6H{d+LU 
zliFhO(cd8=P12gdK^9_x!;xh}9hzN!IKbLu2o5)^*KA)%&G@h3rDjFrrP*f$=BOsQ$5q z(4a~x(@$}*PEww7PC49!rU)5s0(6UiEFM`(z^_`pAxmLU4}L^7@%aHKkN6dDOykQY zr^&4*%ST02?o~F8h~`Y(^~JC{_ATpQHf5l^9#8s2S})MT`0M>2!u$ae9;g03ZvDL> zAiFIIKED~vAEk2NB*qA;1`P0J_8E#dIFjlN43W))g1)PL=nk#hHU6_^C=@=+C8ow^ zXv3R|(2`6Wdq__Xh0Qs;yJH+ze1a3O!ou%8xg=${A|N52-SoyR>qD3ENSjdAtWu z>q4&WAIpz5xB$eKV=mRZU4olkv=s)E!QkXMY&O3ck-G6#n;8Wb)A(c}HZ$}7mJrav zz2gMDsx6bW>X>jqddMq==YV$SgxK?=41!AYAh_!Fa|d8nOCAbnh>}D+6vlvRM|I;5 zrs^qQXWB{@A*tFisppCp9ke5w&(uw)f5Ry=`)Nun{k`)&6axo@>I`aE%nkbw7ST#T| zYdJ9>K=Q*|lYfeY)-~DqO?Vbr*iotSf1W4#cjGy4SC@ULsLcUjqX67WwFV=hmZjBU z;k*t+dqwb|Yfg|VIvI)nFjNoh&f-g&9+<r1;X9ganWt6agJM~dNx z7yt|nsQsOGg|E4Ws&3-^yxu8M0(ef+1Kpyz8)vzi^4=MM+DdSEOlNerNYi9(t229UKk{>J zu7$w)18i&1Se{iUI`!*cUwkw-KJ`chL7YjbC3|#!$%K1AbUCVwTzgIl$1b%Tzt1*z zMqE3MD)vz+;0Jdf-GxpTRAVRkcs5ik1FPwbFb6Vcy_)sxlce&$xLzlMou4=hT+yKB zE|6tWdEO5QW-yY0W31N}+|Y-%nVSK>8PQ>mP(lH)@wjQgbAV5n3g9QA3h63mgnfKp zn>_Oe7>gBo3wX>#p3VJhw5$HtPbPv+Uy-G{-QqF#``v^Vyku38N_Xim!*R{<=Qo`F zL^A4wuHp5CUu*`p*G!#IlQaX7UyhkDxSoIW3*nqK>tDJ3a-4X%cPxM@fyG0{0bHDb z>ONbA;?X4RLJUgh(-3MY*f+VsI{${64{eTT*Sd$j{|xqY;yuSZV^lIcQV8)iKN}&=Yh1g)IxQsjfKrlI zYb-r9xi(R$0WSOXz!M+W%kJgndIFE#o)&$3Xk=t~WOx|(1NnP+xJ|purS3d6H3jkm z{@k!63HsOsr<05B1m8rcAXtfh*Zi>2)t6-BWS`r0y0#dsDQ9Nd8Sjof0;SvJAmb7& zg*HO`1e~2tNBW)HoB4Zz2wAy6*g7QDgqte&zE~Q0F$ZCpdN;dA%_Dt;<5|9PRrj}h z&gyOb(DQr73n;EdS0G6a_qpvs8rY?$38WKl(VaJ9{1a8Sgo-fBh^h$}bL^S3nz>+) z;@Yp;>hwjMdBhvW~>Vs?(R+fp2jb7ojOMci-LkK{JqiJgG-8%MXP z6XgTFJIw4;k{%bmV|jn2{|tiaO4n5bLrE4x1EB7ALsMG!Z=`aSILqg(-x z@{4q^94tl$bv8-_L;5J<+cHvNOCS$JU6TQI1yb&;lf10G0%68&^yzM8>c_u2o;`O? 
z2_RWK42Bu~#E^+YIId24U3v?4_+gf5F3G_&zb&(^q0h2PWEGG4;z&8wyXBa2l37kd zMgxtlBMCfVnfI{g(W3Vw9g!&9Bmv8$19xhcP=|a%*4R%&9D8-Xg<3+*7Mn{c!2;gl za8sLd@K0&2fE3a9=fbZ)W*m6Mx?B2p>1)ihe}R=VK?z#%UOC=Rv|CuwJOs@;+s!2@ zXArgyD`cA?aC|8-$=qG^Ug0da5|92klMn+haXi|@v8pr4x>gFNt#l(8U1~3^`9Me8 zJWh(<$J1;ozks7*EbPF&whleMGWoK&{Bi5?Ss25-G2`Ko1s5G71q!KxCQ&Skel6?pIQJr}t?|6Z%SAs>y8|))*n~NZio)t+)EuBE3nb5SL4N84J<^G3mQibwYh5 z906Z9VTY?@e{9!EEDvpjmX2caJ_f7LWNdA;hbyR>$SL8O(u*E8Da@@ou&~Av^QH%t z;JCqo@r3pJz7jL?IH~=TwyD{RVy;(UlhC+c%#N3?nj&vozfoA~ny4OhZ|0c=pQK8} zV4(sP!OmDsAPBaFS279pPIG5hEmu45if3ydYNxM#eTmz4Bk?=mQI?7%fEUUx#xY(e ztxsTDUlr08BBpFn*_lL0f85!37s!hAB&E^SMs0F-`>1}Yg*R#Zb6l>A=cId$Sb3pu zOjI7m=;9%Qn$4dI8hbITC*C{uUR{Wx(_Z|n?P3EDm?l2SD65;o7u`X22s36+mWBac zPfK?B3^~2nAS>RNJ8!>MpU!>~YB3mVnD#^Gax`%f(g3RhDb<7&P$_u-Z6F8mBWfoi zSgp%juh7A_(tzkVH)D6nD-%ZBx0FJ0(`S6-`wq?Q z*vGkMN|PD)O>Z3nc^A-S=vmx|%Z9C<(TiV^=$4vbXNxgbGguFVzm*2N1oG+#GxIsr z?MxQ6nlrsE*qIIGKRC1Qa2G)r%=V zJYm)C@z)W0Ws%X@2|e(=Q$jgkJ%2CwWoWR`Rr{$WFV|G9=Qfp<)s+ zeMyWlnk+d}W))fVht!fv<5nx(GLmPjh^=gG)_lt7$`!s{Ss^AW7_4@d8TbkW@0()eUI#*D{vUU3k|wp^ocCnw|y= zmre8O4p*a}vLGB`rmT$wfW^>!+-l#O;$jhHi_Q;7UYAenaD+VJ3M&2?X@x)Xt$sx8akD!C4Bafkd zCF&b@P$b=8e+L>IUdS+H#l0;Cdpb;yoNnEHkcBb4Qr&SkF@lU)X{?w;0teX=Y%_|g zCL!%5!SVcQgfaUmN@qRxr#{4w-v@;@RX`_Lp5*P_Y=Aj7Nhajoi`kN0<8_%N@o3hF$g;DE%ID24@tBpg1Mk!Z*9`JO!wyw@A{F}7Px4E^%w zp!SZ-!D27MUOvA$)wcY&iUg~B`LBk#`Mzl^?#ODKlriEWH{P{$vVewig?7c?FIh-q zb3Z7nUtJ_aE^Gmd?all;gPJ)X-ctJw@ZhX$JGkCLoPTOhFlt$;cBWXG=vyh>k2VWt zTyqVmDJAw7x*7!oeN_|DY`9{G)EZUPk+}a z;`nK131sWN(qc?#@Q30wfEDId8+iUb4RZ!CZ7701kyV%7PzvLbdoxsy*G9<-%yJR6 z**h$~r&pJa`fg&Ek!eR|CSNj06RR%Bl4^kM^xflQ0T1b~s>#eIEah^}CiIKuhC7wG z!HB5##s050ot0Z}o(xX?Og#Qho9Lb@@0I;gYK!_K1fsn0uOEggH7^$&2hmmQ9IM{T zPTnqKI`12JBu7d86xJC)2!RmHogX`{OCkoRDQ-X-99HjUmH z7n9kFPwaKG{Z_KIw;(88?mKyf1`J4|*n8OX0}fvd;^5L0zLiDsacMh!;r84i%3b9C z^7#*}(WD2?M(=-~HC%uk5-#9yzXUxht3aj&kYqVpvEF z4MwFYjp|fx?)68bZc7WlPq)MCP{Rr14?t3KVU{}TLO_cvpq!YE{Ux9{yYYm-}!t|r`YqC4<9 
z2_H3nnl;70+EF&|dD&JbbcC`08}de2f0~7_tXjfkv^T?t&icyet{Cfnt>91=tMkQ| z*~97g@!8cz)o*=y+LMHReF6yX8x$bn1k*S<{_tFKH(pP&c7v0}Zz?~nN;~-&@%k_t4UG`ota{Vy}^CQ8YM`Z4#bptmE zm^V;JBpE$#1%}|h6X?<%JP$R;4*chz{~vYl7-dxWGNZS-S4nCjL9# zJpFl)0*@;{QH0m)vesP;@4^A{xV{N*UmGv3L`??)}GE2>@}| zBqCc9<*bE&V^AkP738H4=>L7YKES7v+qYov9T3Ru$ppN5bL37_k%6ag9M_}&AQS++ z`V1tX6-n5qj(cZH;g7s39z^CTqx!yAf0IgY-=b73#_a2OgcD_6?Np)|TwRuK$^uqJ z{gYXJz$IRxxCQ;)uagHhO7_>CnX`u=1G|Vsm+!PI()u@lMf|rrB;WR{sG?yoet0*~ zz%$k+fDYl`myiMJ`;={cl`efx%BThiH*t7jGReY|2$t|&Xz!nd|DQjrp?tppW}cH> zA&smJ9USeA^sN52Z1l|`nHX8{=V-e1g%F02ivxiEESrzV(@>AAZ`7P}W>kIA6O}K9Q`$mR%PAY6Cq>9y_%eEa=l3^qjM-r)c^;{x=VwME`~1^g4SbPs zhP){ty&?h&#!L?4A*l@9nSt5Rq``O!+t{*i!%0!fU00}Cdf86KWr~&!8hPC{iLC>w z%7#N$En4RvT!gkkSB%Mnk{{$gIW z^^%Q!?}&~42hV$k)r}|s?4i80|7~8_42|NEg3<&yt9BX9f-ioq15VL!?E4}l1T1Lh zDGLW&bRgqo$@R`#kvEZ}zCU+gpM>7&U!0NMg4#}AJWN*1 z4=Zo&{xJ0wUoM|j&s!HE-oa}ZykDtb^%%=_69KHg6$4*1I7}h;B*p3AdjA4(^kmC7{shpAFT8-$h-hd84g95*TT zxK6Y@5dq@j7*2An*zGBeBnmv58j^oJKN~n>CBR07%#Ct16-t1oucZi|QVyaHlCMdQ z%4q{<1s8;W!MLG_wP_P#R5GKZW{`0eN{b5uLKU%$+1JHXjuJml--W8jX+4o#!_b*R z8)j+Qz&in&2vyuS^S$2QO-+t*44fhxVo%e=Izh6)Dsz{T_d>0UI@;|DWNn`Q za_v(Dr@h2LK=lxZtFmG6xL+vSdUFtKJ4gRC{{!_HfJX?NrK;H5RwKB(6kUP-9W{&@ z77jdFT;h9`{USjJN1`XnnaffQHV}QMZbDp(=W*Z&c(*>|6Zzq!+DdZGDHcMk}A;Ksd>@_(r*?0;{JJy1JD|@b2%+K z2W!B*@KO4m!OSMU#cLO$4^svN42kG>Ot@%4-+J`GQo=NM`A7)occ3$SOBZw)19?hv zUttTo;)p;F-G0h2!_`(dOq5bZgd5G}ctVmhxMz?chxV7=!O2U+RXxY`Cn2!24rgeM zELrz!$&b6G$D(&Y)qvLaO1E^bc40#0~S*<2fSVVsOB8od4>#O|Hmj$cY@PHIYM z>(@?4$%h<7Tf&Vu=X_~VZd&(U5Qr`#F~qTRLt`~AKcvW=CoCT?v;+7ntDSifH^mpEIYJxM0)y<4!ACj~x2pTzC2098h zzc#);h>RIqA4rNMaCCin+obx{Z3G))mDy_3j``Z>_dWT$3@##m#@5RD?kh)gE}T~gSAnA${9Q>);}V& z?M2+$KdbUTpXrodc?8aiAgq9EuUm_+oy6{8@9>5xef3%sKQNXD z{|tHL`MBN<625@8)4qj(xW_-)(3B{U4oIRB)Yet5in+603ti;L0(8r zj$;A0T*bTL8yj!o2qovj3$5%lFhQlX6!oyylE3nsSoEEsk%hyW@rMgzbI;DqwFZES zgisT}BVQc?UM8njSbY4HXS^>;Pfa8^y0zCtDUfUFeFb6u+CBzF4*A zYc-rVT(wI`buJ7@=iFuVwZ?W_iY<*E5BuB$wH>!`F_SQa;i0X-1?_qt_UBP%ccAzq 
zW+Mj7LT8jaJCP>Ry|zx;q?jm3G9Ph#S5m-Xjn+Hhp!98NJYArcT9$sD0kpQO$bpmi%nL52ro52>o#Ausu-7@Ia}M>_$Wq2 z_XUky`m#-6G~gl9T$wpV8dV0+4mI_Ur~cdoq)sq4Lg7{Nwz@)VMn-&;_z6jt5`rz1kA5%I(`&ha(zF8A?p${@wcDX1RuT&EfMD~1G7z641FwRWb zpBEMv$DR5uM7R(nUei?+NkN^%8F{2liG9#BOl6bVO~c){w0I1?<-!^A%^)TsdZway zUyJhP;qxSsF9#lBi5ijk=O*Jyz~}OXnMvRJz4Wb+v z78gT_{E0xz&NL-bL_rl73)8tAvLr2IW04zbCCY4U>~Xq)II=4EUhS;~& z8M)Ojl6Qzo?6w@EqnfM4Hpo=_OabymNgN%W2;tGV8||{(Y&nIv9+n!y63}i_=6;sh z^pA5&4NzQNM=nkDGS7wsHtglxi+2$-0IQL3Q#YH7Xh14-gIB4-yhd(@NKRKyS&6-5 zoA{n?5mC#hV;%>3_c4!bM;blsm>(dy20F&^u+WFJ8K_%HuZTLa>Koa{n)+IN;@Ol$ zyCaqdc-7iisfH8aIeA$Cb~AtiKo4E9T;RaCeSbxklx+p`oE&+sGT_oKpeLU7T zn9RBglL31_iy^|)LOR-Q-#7H(Rx?+ihqFjJ1=jX3m;|_4kkof3BpfuA$fb{bKE=`?=nd`51PpIhc~oKzBB&k<$TLA|ZI5}w+)uKgqt zOVDqaLyYZiK1j3{j?0p+rLqKOd?JYgL8b9e`B1dhW&;Rt+0u)T0);sZufChOr1zR! z927(ZkeQk=A*fbqEH8wKFsd-}U)dTsB&Kg?I4dHVzp(7Dc-e&4%&l%haq~ex?|re> z$PgxP#oskv2${)NL@{-~b7zgFYlup<~T19_!(3x6QxDfoP`M3u+)=#e{jd zK>5y!f>>epk$OsJ96-y;YFVoW(2s-o0KN?hPwLYMuo!@?vT0#OKQ3B*tzF0}^|b)b zgZp~ho?2x3n4Tnvcun(CN*uVSN=>i-TnRF2i%!HVs#n{$fZ)1at>0#K*4WGqpidM4m!mo%uVDPG=K4N2b zkn4jLH$`mEk7ZcbZ)S0v6z=9U_$y9E;o?`3XPj6qp>B??k?6JH5oEd-|1a?0P$SkLfC(*8N)1#gp3#tXs{ z3@)lFIJn}fKVL5sggEqZmgdk5j8(K^C7M_Wu^%)&D<}hFtDMwj34R1vu@n7V?=DPE z1yO^h)qWFQE*;0&0Ac|Ux@ye6=zIodTD4(?_s$pi zxOjou;?kslveG~Slj@phRZEOBwBP`XCa{ixT0J1iLV<^D3EUBqY&Am{h0DEuyu@K;?PqNi2J|d#n~Z*ws=cHdjwam$PrF? z`k-HpV~hLMw%&1PJF%YrD-E3a-!yO~H`{NOTTaj9AD{L{){b}#-;WjWXcdecY@F;3 zj2!To7+L>0Bxqyp_&wwA$X_k~dy=$~p_!h5jVq)k-S+?sJp&#qJA?LLwf#T!{lB#T z()Z=;Z44BR9Pu>2w-ge=qg66;b;Q%gqZPEVw6RyT)iW@{`wI&QI?&_&W%4@&g6A6? z_}=v&!%9lu%l{pQq*YR4!(*WT$CU3jJslncc83{i`=#lk?*WuL8dWA-I?Ly}{U|Oc_qq(v*+Cg?hb7JbG z>166;C)|a?>y3u`-1};CS1I;v)XN1-I`>wm$i`bjm+MbM8$535acg_oXuWmm{!Y>T z^>vP7B9CYG?_}e)bVoRLvqu0pp8cLW-s@uuj^;PNxYu*5}OHV!y099Hw%r-l>MV?$!0ZBf1hfna1?44q92Cu z@YZ?L8(XLb? 
zvxnB{r3fk}wOp32N)b7++#`;J86EWRmhxO#6qxjvQ15DFQl9C}9N(kZ4eFldWus#| zHt$3Hu64-DK?V)ut@$M+a1wC_qthcbB7qBQJd1IIk`De^%Vdt*U_8&P?{M0sTx9mx zA7ov4W~A(ztLI6)4*oSdKO*@9#4#T^4LgE9tVZHMdaho?7RglEfUuy!d!r^i-1;YK zN5^aEN4NnlVW@9s{0{^Y)dy)E6lPKr+o*W|?qJ+FW>=(se6HKh1s!EUv!hgpQi=tD zLMZJa7CM>Z?mf02ak3S0Kj^wk+j`vaP$t>rTAGHkH;C+wcPB0zr>H##@Q%)}*H1TL zy79Hhoz*~ZbJ!~AdnylsD-PS|I+wTWF!%%O7YANP={ghbn6a=0?*F`LCQCk1SSh78 zdZm6|ZJngwciDkjhqqhLswlf{5%Cs$htZV2Kiv=QJeBr6*|vSWX5YW9^ksY*YA+5OWmD;VFO(L`-gBfy|J)hRX$|^Z1oEj@6 zbEI%TOci3bWV|+6>Z#V1y6yJn(o$A-R1~ zV7u0iAo@&6FC`TFzTaP!iju%?kPWiMDj@Ef9oRpUKU&$Bd$~u;`twpDj(f;*BXz^q z<-+X;iwW-BQ%WKCZX#jEtav+ZgQAH3BF-Zg(uvS$&t=q7<<8<`p+WOA$kkCpFPLB# z5Vu2BEIl?{>$;hs_&LaEBESs<>@^UrB(CnozA!g#5%wGQ6qZ|9d>4be`oufv^g1d? zvj(OnN#DFGLsu@F_P#QNX&MGbi_>=^@G#0AB9ngNYs^zymmHOTH5E?CF?n`Euy$2k zmsWSE%nI$&0C_WQWw+c{)3^~IKCaLKdX^vInz;nkz{O&5AGIL0uPj$@)_5=mQiJ`* zAI%iwYJ&%Hk@9a_=wQ3^gG-XX5rxkvdvJB)`Bs`Xx6EK#>8;#ZJG!r+Q&blF=b}j?& z7K!4Ehw{WkZ0NXL?@2p z`5nA@og9mng>r7ASmjEzUKE!tc3dO6b|!=x==UnkO5`bX<1Up9N^p`I3xM-z%-_lQfiCBHy-t=l`;i zTg8?d^WPHPveKgkNwOp>6TW4+1-?G&n1x}s4t5SLuEYulWa6!IHh`s6qkLwLUpn}X zU=k;ZzKGH|7k($Pyo*;s#6hLHNJ?+_Ek=yv4G91u7(Jxs;^pHawNUk~0OxVIuzLjT zgNP5fGY91{n$Ua0MxhawxBsEi&hZ|@3#pjTAIix_O%X(m#+sqxbijsaguAc#Qw}xq zBn7XPF!Va+t-FNy9Cl41P5tMk6EY(33~WWI^F8u~a+YDo`h!GsPV;IBGm=f-^<)vV z`$`1)5Pc2Fo*M;|1%vW@cPc1k6bW2BHIS)Lot&=2`Y(}fNVt^PB^NiCO87BCl?{afE={=2bE` zfh+{n&5AIU>UioiVWww$Bs_g59iL5%vv&Nec0Q$0g?F*}syOhF;Um7rC#)yaxRrt| zPE=^tC}{}K*Ic#|uGl&NTAdu1`_AoT&rerjEmwrSA#n*EGBAMlakb>;cgSRy|PK^TL~H5%44al=R1kNoXd9T`{+oo5j<57#vow*zf*@ z3Z6$Y5#5ZAeHNSH401|JQVh2th{D1^py3|O1RE}LUS;7d8={PAiriuQ>_+wRM6KFN z8*#I5fXuDPx>m#D1=QJB{>=`jM>kaJytv@dAdV+6iLX&k*K1SOA16eV(|t}SfEzmL znbrj}J#QX3o+mbDU*o}@hs1Osq=y-o*4Jw|6R=i|KU2h|+>t0DPiF|msg*HVWH#qC zn1|auYba`a-7gIpL=iR-U5lJBh}Z_J`Cbfb5PZA1=tzn|tCy_4PNB{x`FE|;nr(W@ z9qpNW;D1^T8x$xBa_J9*vtC}h3gbm2!*U{3k+U7^{}4TETPi&{Yad*!AuT+%UsFsh z;M>w~Wks8O^~*h#CNJV6Nu6t+=2cW#^XVAQA6A^m;I4~qB<`&JEr5rBi<&$;1TUFY 
zcMA2a2gOHi+Rbz|gL;fdnlavkYZKurONPtdE)eq7s!;BbNoNwp;99;MpN2uz z#|}or>br}RV$|TmHXO1~ZC_2znQs*s#N_9Nd*Y@k!MxCq@?m9C>ww2G>D$S`o8ST} zBzl{{IkF5W^fgAAM#DD{j*EG3w}{-okZUD=w0k63GlJz0O6;6xIi>_X>Y|ef1hzjy z%56GNez<`J#%&JjPAb2XCB@+7enK7}jnwdVy~3ukj%4JF1sP1@L?pk!rk8p%K~(M* z?|e)i2~Uuy4VY$wLfniWaJ(B+edCO-M<_8nuckInCZhK9Y&;3TM3bLb{bGhPL0yk7)j_*w>I9JZ2i?X}yJG|K;hD72 z%n`}JkjM*K?^I(Lg+-!;;%78S=LS(#iG$JUWlcM^v5L`JE5~mlIOn9<8EzDyGGxr! z>QXrzD-#pAlX}X?sb0VfZ$Hw^I%zp(I6t8i&FG#-}f?mnXNJ%#>*i8Xh2{0qf-O!J?1KB6Ane- z<<{xt>+nS*%OPPCiCV--M;TJhGSC~pjyuL1FcS`3y!zh7AW~p!2-7j8*F0vUWhC7bV;LOd-uf}wye?AUk(W*s zqb?keG3F!>XMtFX66&CXDiAHZi5PIph`eqsZ``<_-06?v$K&OAkBZ=bIppo zmp=#H<-d~z%6{j=aEYg$ZqIcJTz!o20qE=pweL58J+X|mSb!XM6K4>!$vnLSC&da47&7;bX~K{5DA8!K2dq*2uon~}jyI@*Igpv2OZWk_xcu($rdmpJoK0 z>Ua-Le|*_kr9_@U!74B_ItX*{)loT#k@a#JCxn7;PNcDgFA0#?p;iEO{{d9vq79E? z_|7WEYNRBAWtcB7>6~c|>?O?WXSoLI8y>g^3#ZH@zo&-g0$8X3`8|J7-8E;03X=eV zFU!y`7aEKEE7B2Y5S0+!n~PydR8R#;O zc;%|p5rZC>YZz8Qf%Vq9^q_aliL<8T)W7Y5Dx~TFd!ivU7Lb-kQ)PzfyxyWRf0q2{ z91jerL-#~nS-pU>JC+nXIBHZ#tsqR%E@Q;#56CV~Y?UaeNE~%7O2H0uvk#XNs(l@) zL~g)tl(-&e33eQ*D<{F6r;{GZX!S(@y`f+4MNP?(8i*zK;g&04@%S2=Qgp1L&w_0O z4&bAjtQr~0Fdk7dbmbqIHCb84j#efI?ocAyptDS?8Bn8{lfefBa7apN@pLN+aB2yz zxA!X;CV1x%Q4qXI@${*NovG~Z>aHD0XfQ?;H6!BiVIMw|dMAjbn#??ji>8j76=YW_ z8YdldMVY+yr;fKcn{urrw;_^Q+E_%hrPi;cXK}=2W}|Ab$(EJtJ3MW(yd%lE2ojEA zV8T4}lkbxDVP>lz3F8j$G!y~`&L1c%JsgcahiAP=i2(IP4hzIHW=*-VgB z552V-##`d99UADcjO!WMmr@wV+Gr28tj4xpbb+0X{Xrj1>Y8jPXX*3AZvCrryBYI1 z5RUUWB4~sjt}-l?^xi7iRCTYvfKa9Iw@I`PT_y{1il1r-YBS1)Fvd_H^(P-Lz5s@+ z`AGi@$oIxKH<1X&vtn*tc`HyrNARuIEy+W+UGeWVP zaF~QQ;#WLlH0PdSM)?w^@JfTp(9o0JWy{j%cfkW$%e&n=L)GlmYwzr;YNBR_9WE?K z0sFG$1!j*<1FPi_TJj)YIFY(W#)Zo?D`(CDqO}ea8+FC1Wem3R7eCm}KmPGm$H(<- zuJxt8MptQxb^grJrc-STOO%h8YaiV@m+c1*6HJ-=wHK0%>2=6!UMV1?%|E@yoK>YP za4|g1@YTwM9KD7s`-~DQSzbCZ}Sd8s-yUua!}bSJmDf4g(7V$o=M zbpIIpuzOxFM|&g`coyn@0xN=KALnt@a9~bZWbYM#%_odp#?3&ORI}DBA=%zXXx6bi zL03^LO6q3sZ0wa$3r4#%5O8!3gOKQz^GxV22F8xVM6`}6G$#pmNJ|jtNF)c;eN@LT 
zTU6i3W3jngf)1P2d6~6RYU4$MXId-bCw#X+xuy^Um@ySG6lFnSHYU1it#s)Y&P|;jmY*O@0j;b73zU6vIR#jP}W#F*-A~m^6 zVP61;#_QZ4fPcqvwC^|ml&>NrEG#wq@pm%3H%|Z)~w%5w>I97@Q!TD^99S^ zwn5`-+*ebQx#u)iSkuxZqL zPgkZ)>{`r$iRdG$e@pSe>K)uS9o)mu%h9--(pI^;)^?VmA=R2O47x=foRW#6%@Q8YdgOrL`{Pc&K}wY z^xE#iA8(!**XJ}sXfB{?%z!v%Uu!d`U#)k3`2U6{S%Dmgj1+h5mAkR<{l;UyAJ?TXkCGM8xLpQ4|!0}xq>|LXMbk?V{ zCP&WO3_Ef5c`0jJlESTp6fb^eiapo*!Ck^HK&7Xz%s_grufI z1BvMnPoHOGA-hDHhQe9T5DDBKY|RsN3f0#RVzj==w9x9Ic9Jw%TQ=keq1#Xjv{Dn^ z*+}43iOojHn?SMX)Nivk2J@_($+Q zjfhqVi2L&1^y+z7vhI87mA0Iaqxo40DUyAsxDcp%d$j9b(cHl{o+P$Vka?3sL0OWU zUz(e;dDIhBhmgGb+kvuZ^idL2_S;*MILvy@?Q!brPEk@8WaB6GgD1IUi~V6r=eZ(f zK^#=_rOw!3bE3uP^9%8?TI-#^pe%<9)vp-rKMUl!Z5mXaaF3-5TWkske}O)*0R)w7 z|1#!CR1e4T@y=hl|z_%yid5AGKc=iQAxvfF-Ux;Luzt)C-Nu2+oNM`vDNdJF} zXPj;ikKx%Xd+v;Cv3ecimBVTi}U0e$jW|MJ!8^C_n?1C~i zt*xgeMP<65I={)jbT)r~gj4W-DlA@h>GJHBwa!LES5?-ApQZPHodT`(o~RE4sUZK_?&1ox#6mj-f!DU`Rp%Eiv2+QwU9jW#7E`1$A2)X{dHIvVxG3dO30QOTCSPB)0F3sq@ayq!8W8HDxnMeN*b;b^# z+%H)D!x3`1DcyN{5Z5|gWDmZ=y^1P}YDSlbz6pyHyqHp>q{BNscrV~hRq_hu%A|o4 zVhesPdi+a&j53rJeG#mBU4&$GZ`0t?lb+uU`Bu(Q8_bIBJ}*0{lNp4qJ=*86?Hrrt zb#G~cV2*)pa0HAmZEb*@*B^tpm(#eU0w1h_Mmv|Vu7TdWrm3-Q^Gng`t?~;_st=ju zb%z(YNf%j8`K1jd82fQjSmngh9g-Mv%{snG$=XcI8sbaPby}c&|U>n2F!5t^f`dzch*nY^TFn9 zr0(C>#TQ*9kNg#xPnB|NR8F%isSg2D<7K9%{YVu`+D;C; zowR?zqMCk8!!$NcSDwMrTLuHpoL8Co(e_gW>CV7BzYJf(u~0v@Jt4dm(I8;U;N)V3 zg;KZlp9%ssRu0lL4aH3^XK?1jWdj!_Zgy-Kjmm?Rt<^F!`Y1z6Kx-Uv5M@|;{Z=fs zqGTk6_07Ey>k-DiApMvQPO4@0l*4r?@*3L8;&E?>ozXpikf9=Bqxs=Miif{}?(vMI zu#FZWNiAbJs&pF8iz8L&I@WFdgQ4u zl)x^+m{zLdm0VUcLQi#bA~qj8#eMNLWN$u-#Au)!xfdgbS;yb+9&F{Kk*6BbX+#&Q zuC>lb)zxRa5bsO4m-ul{1}7{_p0vl3Ku^#gRVu7}tn{EC?Kh1uGHP_vd1_)vGH#bUYu-B>*zA)kTK7vmYOUx7`fK=0_N7n~_JkE&VLK)mH{ieRQg z9Z-blPaKKxEE}M0+y&d8SED>BC_{C5zk&P_@>>{bKYgHMcBu+i5iY-U6=yOgjUr*= zqb$rTU_zQ2tF2KXv$iTlp@5OHGVNO$6mKd84Ks93x(!K|*&nyE%NHi0aQPLS7bS-FS*oTlIW$lC+U@!@Zy23SZAP9F63j5NcdIk!qubzE z2Dn@iZ7}tzy-}Tkk4B<}76o3A z{Gls#^d%9Sj0HAWr}_;Yqe9I`J$ytKGN(Zjj4>NHZl^yej#Y13$nBdVzdSjmVg?l 
zmXBx8toCHHqHGOzeg9}BNt^aN8?QVo-SHJ0mJ@gF%}C%Pf2QEy66wMKV44Z{)S6C6 z8aLF;7?-#9ymdnWTJb~U#cXsilET3t{urcKY3PXQJupohz3BqSAODk{fQ>0tw7e@w z0yjDeNQ@3AKC2&7%dJS;$57;S$9WeMw4n|ylFIe-DUoSNHI0&@&*r(Dr;w)RcL9HN zVuwhRa~!!jLURJ;ly383^^i*7PDH!OxR^r_vA9ICY@%q^QY4aTd|dke>aGF}xv=`R z3?<}dJvX_L4gv&*4pXFh`|-)2{jrK&Ve$)zj5D|*aS`FwLHL_FC(}1rDiPn8#{TA# zV2QO>JAL6$AiYdSXA!*2EQ~=E0u<56@fPBRdNmn_`W%x`8hnICR~nQhJg13~I-{Q~ z;-Vh1rVQ}B7mQn(^#J2tb7%xkt@j4bFnQqrP%~j+!7+e-&-+4+a!MJ}(d=3abtZQOHRFvx##JWUI z3v#qO*-g2lL#jDz)>L-m@}yD-_S=1i&9&BSi8(1ShREIk576G zHf!*qq*muMiKa0$TwyALYgOAdWm^HQFIs~(t>BoqCm==xkxFF=PG#6BZO}FDezLh{ zx-4!kS1css!u>ku;BQJ{jFr{qr9m}fKb>3O=GxGL_ zx4Y;1P1_!sE`y=#846jd6w;fBBG(t>Z|y6L&lrRkDXJ#W%o;8Edem2L$fV&8Wq?#Y zzedc#h{2zutMLm`{6TQLZ(j%~Z|#ZJZH8DCHS{oLwj?&WeVuE))}GA*6w1c!tqYmf zE)W$TkZThgsMRrV;pi++sG20n+;nwn`4{}q&McT~>Cdl!sFRn}(hGSh;d#8A5{S%> zw>quxIBfF|SPXy6qD!@*h4w*>b1{aaa-=Z0 z=Y^x@CfM#*V!-}h(~dN%3RObIq+T`S69Fd(rFd8rwX}$rp(N@9s6|0_;Z%n$hWbek za9wdDDNGLFoH1|mXsbrw6mLOxjXFy9#$BM-rdQ(;N{-bfYYKi9=5V(cMvFqmV!5eUu!QNB^dJRE|ZhEPBJHk~*x01oJ*~|@Ha}ORvR4iVLCNpMYz>U^l*fR1nOP!A7s29hZwTZKm46quF}2txJjHdVBjx1218-9 zx~Iq7f~Wj|U3;o_{6E8@J$qP*`3k&;L9hu<{7a~8W`AK>)TiOXu= zySVK0_QD(rou`ai5-#5N)!x4vTi{}nC;CP1+wQ_3CGG0;T^XQ`FtGD*{H*b{y;44V zi3W07m6WZ~$f&7OKIdu*9Jo;z=dn>EKkfA(sHlP=Hx~jAAdY5f0;kiVI}2*GZJ#Z^ z`}2KP-eX&}|5sNUcUVE%QkMpND0-RYg4_ajoJ=XXaOdjuX`>ZgO%TiiBOv@1e8_mZ zParq`)tdD5{1V~gd}|M2gngWpO3FSoTZ4fPmJzds@fEu$6hb9JA1Vm%Gf{XKTa14W zF&{ztjGJf}r~?#Ee+HV!>K%@<+e%N2+TM|i6H#Lf(la(9f~t}`KRgPv_Q zP+8S*6i-Q4YFEvuA3JES>?uHfsAvLti|d;++aWx1tSrWVMn2) z1~s^Q~QkyBlvii5CnaQE%lyGz2>|IQr=U7vaaJ9T;$9JM^ z{6!=`GNJ0hY@^WVr?E!(EV_Dq?R_tY)mT9%n5D3e*P96tP2sqq2WGUkZFq&9PIg7$ z)VA$Z_WMwLoxeCKubeonUb z*9bdom)X(gj00nGNVyol>F6Bc(ja0r=J;3Cj*G*oZpAN23gAo{r z?;F%J!Qz7)f{Hhvg&mhB6t)%_3sDt$`v$mlcu%+ zpA)WUs*wqa2eTZb{z!k-W9OB2Ao}zA8aV?#V)D{99ai!EXV*|me*9kFW44mq{qAsI zZa_*D5IQ?q$T&0!SzgtjeSV+{j9253^}&e!wV3UVG$+WGZnoSMC@sA>tzQ{(-oA53hdUv$1Lg0Y?F~nXV8){ki_b=VN}S 
z+O;8P^Ei-6MoWHKPOUSQTS$8;RFk{k?)`A;4kAC5QGUTuF5xT)F$`Tjayl8dDn>Hx zGP0b71Y~k^_(3)1S{2#tJCx!oN1UIw2|4IWJ4_TBRH06eV4EkdMltLI^3nhcW&2$ z5Ih#xuIZ}4}8jhc15@xYT1>3*`SUtw=I&K8~?^+<@(b z(2>MKbu*71n(}hd>K2;PwTAa|jOU!>3>|q!Q6Er8?EGdqf1?3K#w5y++Ea@|jVhX) z5H}6MsND4?=-xvDad8U23|J{uvO!#QINTf%bm}B(VKYZQM+M;~xGULZ8q&iCQ0o|C}n?eqKH>XU1}7 zm6feeGDL%odyc8QA!xjnjQNRX2RJm9@HD<8s?1vC5hQ&H3J!c>&%Qr&+FI7i)|F&4 zsyo()+7)`cVPjnwMqxa+!Sl;I*;>btB2Nrxsm7(bh?Q=}ivz z^i+#<@DY4lRJ*#7;IW;sAnJHckL`I&j;$^Hoq-^*3)V5TT;a+@WJn0 zc3id`ZAi`90%bliQ3qG1ql3Pyn!(dPd|@yDsAu4DumhmJx`Dls7mk&<5-j){5n9(+ zM$hPYX_``btmfigK!Q@RDW+82SO$7Y=3yQp)dx{?8&n-CUk~2N9x7vTsWKH|-Zxk> zZ5t(h7MPrm?05fn{sE)FGvG}DDd9p`4|;J3k8ojNFZH}t^@_q)f2*uh8%_xX4?U@- zxD5tMtl}bB{>W?HM3gEYN<8M#ZA(4_LxYOqw@zFpTSHST8!96@-iw-saQf=-5zp7u zmrw%}!a!#)RO}F4EzXAqa}JG+M~8a0ADdrV`_F`MV0Xnu{2VHQrf2?r;eIT-CA^T-|5Q#k0_ zN`^b&-2>-ha#~9EH$5w%{Y}of%(vFsHRc`Q-9-5Ln4Hf0rSn@1^pQYw$LW{F&DJ20 zuUM6T>vusoN=Z2$(P=4~Ck25mYK^n*-&fs9F!aEEc97$8#uK*0@oyz6UUS27D^ezq z#*Wd&^rsdf3q7F@<2+~DT1YqHyHw`1%A9O82Z!=B>JkU?G#{%Oq5}a6IEi>nr14=t z8q&!B;MC36ydEAL(S8l5B~6J|RO3j;WVsb+`_1Ab2#AE-_nO%q^JglRmL0h)fuBm! 
z5NOzLMKoZn0`ER)PCJfE=NbKJfVa{>tF<{&3F`(}vYx$$_*}!n>s^J$&RFPSqI?DU zU);U(b8k`Dgw+4uBo@?r>Xe^cGWqx z>zvwqt@V5sZZLvc;u#78jZ?MV-7nJor+?xR)BV@WtJ3^5%k({aj_>XY+r-oyifG$k z>u9`zazx@-#vMoEaXnk=heg87&En;uZvHF&HAkt4GI|J9ZMhKuwD^uf5kd^6NcXjQ zqyaj}8f{mpz$Hm#D_A(!Bwnj{e0*G{ZL@5N*MtJp6yz2C3iAJY(_{f}v79qMJ(g!8& z94Y+EQaIsOt_bLPvOOkTL+S0XAsT2%d=5{c*SCzTD?$mX8u6`oeBMqfHU>$G_J$uA zTv#FMFwY;(3qWDAIWN-H(c_VVINh-{n<6TCns=j!4`F1#6YZvSN{oKg(OAG7hml!a zzZONf_U;Q1-~Q)rFfA_(DQ^SduY8&9$&{ZDEi8#$jH^d5+5T z|Gttc0PEK#F1BN}bvW~INoKTJAn5X;;Sb)erGJ=I=l0#K7QBRxolW<9&-nKCOIDZy$O9)+^@>U6z4~)TC z=QG*VEEm;*6q83NL-t$(&u%2-ES{CWMUZHrrn&oYS5Y19g*)ppZpq4vOB=yE@$Zs_ zKdVN@Zib=#-RAQt=fI|zE24|dVU45?^4Z8j@arX-FULr1pu^ePt@i#A+f>`R*A=vt zlN4E95W#&SC7GAkCgwHcT!?y}j?MwDFdPISIl>`H+Kp7&vjR1?IWIMj1L!Qy)sx4M z#9PM{OA2?Om`+G*30$&(0mQaK*I*JGe?5ylMUv+wBh~32cN`;6yu(h}KwFgCT4v1J zz8}>oyCDH@8Ss)~L+@}CCd387i<=fW#06@!I=`-YS5Uy{l%cDo&hfFDAeNV|f;tpX z+!AE0;F-3C6QMPV4}%F0f936A7F*WB`BY~rZ#Q`)mlmmLH5J;HbgXWdV5ZfobK|yD`RQkd=cs&8Wo)PTFZ0CvRAZ>w;+bO!` zzsybur7`4La)#|kR+38;^ozoqJ^@;HwNDj)2DF3s6*D0HAybSgqH)F+@(JfnwOyGP z8ykCduPIfki%+yp#3x{1*^It)&TQWjliD%%Chx|~_*V{dolkHgFOPjajn^i>FCAY@ z_!{;*0OwL0>NF}A3zs2VM39Hv*Mny+o@l`B_+*JRT^H!%Pe}8d08oR3ErLz z#H`hi$*w1@c~);#QKaRwt3VKtF5!|aPqKnl4(|wAGn~dO&m~^hHP7>hOjIt(@E)E+ zL}a-xW_`snZbZLyD$J);oah{7rC)zA?TIIrI}*1@D)DIN2{>=^nq5|c6p*M}F{C(` zsY4HH$WOM!*+=IldXk7)E}2i1>ua4?jpv+Rok)NX#y5JtB<~ZjcAifZOXi*L@VOE- zrP+S5ui**y+m`gZ+!5p3 zx4BHBXh@tqi|ogBoQ;g=K=U+0238bIq)(qfp$u|TT|DxB(0upb2h5{m^b)dR=T_4Q zUcxJu!KSpn>!^jQ{_^6mVo@zYL+u40gAFYdw_N6%W~xHYDza0PbwgnIZ{sD=5MA#3 zu;IR+5vb@SRjQ7TnFGUKn!U?1#Yo`6>{V#SViDAuR_Lq}JaN&#T=H=*fB*Qp_$u8ssf;tVI^uLH>5`hkz@nx}4%oe@f|-qCizkmG;Bom z#epnh%UZXQ{jlPRfWz80vVq>T!$5x~L79HhtD~ZgR7T(VrVnO};YG;8r5QBArekDq z%98tsJ_m%5?kHB(O>*GS$lu24oX()OVg=P!U=_ABHNqs9ojRpAE;v_pz&DOJ zn-d445FvPc7)coM+cPaJCx5Vtc}Fi0Pej-n@KlKAPj{q%qX-7|`L2rJp8KOLjkBpT zs@1mr)>7Uw%D>BSiZ>17r2B^Hu}a5*whh6w5;95n_8elJBqeoCPt-iR`!CB;$=$J8rOdXdS*H-dQti!a5MAxq 
zLB`;Wp?J!n6Xj|&0Pkv$(T^XhaUR4*0e4rb?a&*6LDX_W{+b(#*EIczu{Zib zJUFaIpaC?EO0=K%bQjDj2L=$elp*j9EY?ai7hzzijhrbOkCRv|{PYNmOk$tgU21m^ z5ywdXHQSj`or$9;>1kcdcL_)Wd0_+4*2_a-ADDvOPE?{kagsyH^cE8vu5Hnge@ z1&JDU;ZnfX6fEeifqOZ=+uO+7NMRo8h7M~MsIe7m8$tLRR;?s;*)lbKQHOH%s=0OS z#{~B1LbLEh^k2efoDR7Q_CQ3p+wr&?4ErhuLf*U%PQZm&BT|}@&no*XaUMnI9MK3m zV>&REO(3OfBZnSzG~4M(J~5n?hkp=5k0BVuA4h8Lqk8shHR_aD>O$Hcql$VTVs#a%l4yKO9)mLnn;oQb!QYWf;qS`Ob zPNco>bhWHFh>LNNeQ2F4w0l_pyy)QHwgYMmd!C+Cg@trX4S!xK?s68|4-?+=j`VFq z2|$olF;D$oYmsWRLn?E}y^HM+HZ^Y}Y>?~9ZmCZIMDUCiY!JqY2Tv1Ia<<}(!%GIt zhI7`AXZ>BJP{CxUZbOzuICCa}^!_#oWOI&}G%zSGlniiC4yl4ku%jA8)RLrCp%?YT zcA9^dV(=I8Ic;8l+6|#$jCCsYr|{I>s;x>dV?snMFo=!h>hmi3ZUL6BehL zQ`~C^IKL)-?ZC#i8r<6Q^W4i zm(aYR@a1_rIdobb#~VbwK;SXPU}nq3X1oKyE%lf9re6(&1L0V5AK76~gaFDzHrFAGX{mq1BiqNZ~Jp>e1+ z%8aF=EgetlIJ~u#8`)9r4`Fs52Qi}Zj-1V~P zpP`10S0!ySL7w{LC6%TNeE{hNY(4{94^c>wk1GayGG%zqM}ut>^1?;`mSn!B7Eno> zokQs^KX?b#Q9FDjCxGZ#ML`y-#^>$E5glhgShE1lzO|u}riOzGuZCc`8(2ljIU3Bb z=zjgJcXjUke^A6Y{$C_QIsUgq=zpp_|D{Cef3E%iivq^^U!`lZu`_c1FXGm)j&2)e_KTAGldEoZU{lHAe_iGXr z&r^;-qD6ZP=li}`zlpvrecs+uslU%tyPCc~?@;)XgUz=(JLl`dO~@f2kk{UY{t!0DVna7S;O*`XY52TGLiIi~< zchRar7?s4H6J=6QO$rwP6qptUuUOmx^>4 z&iT__HoiYQWft;M2KfryIv*Ivgc`u>=wSRc(@Yn?b~~eRpj{1546qzAw4!MQs@VXo zVHYtWqwSx$1g5y#NI3*?$=lB$eHo{h2q^cX{E`3`La`Xtp1p;znqZr-(@$iaYfTb~ zOJ%L-Z@T!oK7jhL4ncjdwg;y6qsm9I$+HbG&exYvchp>f z+ZC9}n6ehPes`FbVh9ys6nuhGy&?fL?A>ts;40 z_VVzD*Kp)2FgKhpvl1(?^-H7{OL!28oJJ0Du@ZV4g#-Nkt35EhLx%@2OqH*%?o(US zebOZwEuWHE^~&QNz1(cgZxHR!YgGBFaPIgyj2Qa!kHP4UyXJh>h#Daz!CTpi9=Jey zqdm}!Akn-PKdQ%$T~&5eoOfcKzjl462=2cndF}Mjty7;>l%jN=sBH5=We#`ma}S^Y z_IaAw=zV8>o6pyqW`gVDY6X60|0&x$A1;p!{imz}ie?B#u6iRlBe#5r_Na< z%75P-I&FBWd_P(EdZgfbV&O>gug`eW9A4K5p|v>RY>>=QuZeyqGDyN4)!7tK@~pgp zE%vH!P8D;vzk1C!$QB(0OM2;P35`CIz?OQmMX+ z9Y4z`vTkpZ=m~R2sm-XvtfJhCCId@{}HTC&l6wE9sI%5)4@ttZ%l3%W7l>H4jIFNa+Z1>e@s=3Gr8 zgq2)zcV^u8vq1XbaV`nqHd~jOd4Zn6ue>_7b>{PDuNR*n-mE3dyv!)z_fsL1GqM(0 z!wH!zqu6jMTv+%WV(;xJ9-NG#)UTY!horR)Ug2eCDc8-Q2$siaFPVWQts9qHRA_pc zWgeiqH%IOzP-Rq7!Tu&f 
zu(p!5yY)BIj7#Us)g-ieCoU5!VjVrp+Z_|-fC%vq6ULdJ}>!zxr#+)2A4l1dgeGnq?ROQK(Kb6&a#TN!g6=r z!0&{!uZdA-wT#;Wzy<^j^yCIs7u>ZIu=Xn26*7kzY_wV)dAeX_v9uZXUEg|?v?8jK zR(oH>`$m?HneiG?18vNU8W*C%bOjd5^2fo6qwTO0A8x{8KnJ+vZIF(Pl{zzm(BO*VGXuj<`{J(DuZFWXBA<4)P&l$>i|5!-YjHBWNRdAu+vp~yCyn6m++r%^uhq3;DncN!#KUM1g z_Hw|MERpbZ-jRePN#>2@0=T?A-5|T|b(L0Y-VCt1{ZJ^(+ZL9Af&{Py?E7REve)ow zh?mzWS~B%#Pfi{&4~la+3Ux#~S;b+W#}IZ6#=>cbu{N&$c8>53WMf$%z+|e^Z@&Mz zfDKii9qqv!H2|^o3Xw9;TS2mkqUqW7*JLIvj{#GJfyY)aH=YtvWI~Xw9@v>*6nI~1 zcBMlfCu5uaY*TOxvZo@{T8)%NDa%jV8T|o@Mp>pIHl-HI6WFkf9uXRkjt0IRYc@;% zsV5jM?1-4C?F0ymSG2H*fO1M{*awa4ZMtdrQQ(kG-sa7z4K~6kv~Jb8VFicn@oEu) z(AFZx6|pMyrhRclomke))G&B!*tK{sqv^z2mv)jBQBtDfCd$)jo4q{9lOVAzk`9S@s6+mdIs}T%p+Ymn6@Wc2$@`@xX?8KAnOa{p!#zcWsig))g9s)5W*!jCio&G+UWd&=4C$8|@Up2F-yl&AA zyH~SrDPtfJhM^xkt-8HfBlDS~3*%XGktO?3A!3tvO>}}e8rn|U9|F?{mSrNn3b(k& z?J}?wr5~z&6vEqD4n1$Ojdsm0`OzA;*FsI?z;8-T!5>-(IanX;u{Y;*Qx!b_TP*&f zn6om#p{YDM>@WtjB5I{QRUB#{vH&YCMkDK}up^LJtYp&dL#=nNfU%z`Nj-pkCymy6 zRmZ%Mhcu>^RDobXA&`+Y=5i2Sn5J*fRywLv4|#SFBU6`;ko9=@d_o6KeFzwfhgMZl z)>I4*tr^4*pSa4p7Nyx_8W5ip(@1ylo+L4qERNM*^hUVRitvtvbcp8ZoI^_Mt7z_O z6Z#|*t4&S35B+r@<$6q59e?hu5i@t@o);2=lm`i3k&reaFTM>AUR_+}QWY29N2o;8 zWC?(q_yCx=@n`VB{WMi=1U)WQu~I%XY?=o=D(|)EXOG!1=ZWjKoGQBYy-`Ivco+&9 z94?heK$b%REKsLQegRY43M#-0`=A_`>_Lv->w(EliaHm>=Vj1Q(8xBo?_vz7+94nh z$hMg|53530S6m~|WK{s-q%kS>oKOI$DU+tTTiS7A*^~q$`bXWRgfc$^;%h+*-tY(A z!D8Vos(8|`et;z^osa!r!%@-!vxK{vH<*LkXr-%WE=sk(I}fZm*^RQ{9CEoy;fo(- z=Hbe&1H;Y_N`Lihms2Lj>>7a{Trd7T zgYYObOPo)G@VvBFGV3P$!#f`n^SJHc-M+nn@T}$b`g&3|VT8tH^UGbx)cYXQ8NNnE zGrdeFHQUEqXgo}-s~SP}l*n;_g98g_R$eP8?&fi<5sojir2Bra_nta$7W$~e1nM~U zG|*z2%$g;r?V+hkD0I7$Q`De~!ta7XP8CJkn;{z9>e$6S)9&qMjB;rEmQ`NuasP^m z*itbWXBC-?ma5v!M-!juUnnr^i(yfUG}B?@ED}xVucB>`c?q)WysNGjOTzz$N4EWy zE$naw3OCN7RQL-xtFrjbdw|nZ)yBY1gc9^rej<9q8$NQwp-bpd#p|WU?B&S|gQc&t zYO0niZuLQ2WIz(;q6F+yh@2A+gHa6Tgm3P__clZ9`GMDS>BCSesdhJU_#dUQfyuK; zM7r~0s`~VOSb>ndkljC&<*Dw96%8_x?jBp{;7?8r7@JG;W%k>X+4P5^r%i+GCzR;C 
z&lxW1f44?r5JCcO{X?CgNMNksR4-x!TiBdX$U*A^VLMk@g-?=!WzoZh){>UPxPB0d zGZMmdxd6N}e)*P1#hbp^G{=_LDcz^P6#+>7^IPe=oXtnsZv#(HcnO3{nTDjN+y~M$>k%ryVX(B70yYB1QPuRnmD|`F;vtH4inv@t3WTwFmY_B~w{wR9u zE!K=qgbYi_D-$F~vC7^bZP%|#VQVIEh^0zf4Hc5W1=j?SPCOCJe&0=?gYYS3y+a_5 zD_LI`neu9K?``JoNy3((Llpo>VKv6&MIHNijtdt;hXWT~!J`o$L;}lE-7!Q95dKwQ ztphCv^Nyq%$*SW0JL3>o^Z8@iWIZI)(O_?29eUg|w-nAn=P0fGwG6bQo)=cq!nTeM zzM{N=^FC5I>}!R%nJZ{ zv&M6IuB_lYc)Vhar}bcvmHf?>+aeU-{hxso^_5GeKv7ex%(bvwda5=$F1>&`B4XO6 z=uk#`9*4cS`SP2>D-z6&5C-y`sUGnQaI+ZrEaSX9$m>(u&UIvdjZ=!*oow0D!B-Sb zD6_TPtJj!$=HYGla~&q=zn{!nKRX8Q+F^Xj_X(%X6az)Z_4W-&@JC!e4AypF8b0kf zLM3zotSo?s$KFumTJ$rjx5a`H{yNsUY9m)*wHBTIXd4%%7%?l0GiQS$y&5ZOVHfSy z$&G*vQ&IMygoIp<5A{Q*>;L+=N9K!33eYz#u%TYFFVWYl3YTV4l}@e#N68q`Ud;nF z>dZR?)T304#2|2Xx@ToV;3@ba&ODr*tP3*qf%r|%L^NZ=99PLbBm&dxY^Nhw9qcgk z775$K!e`K(lfBAPV7XAp0W8;_y3{2)8CTLo^^wL+(s?P`Wgkzn`H%v7?T#DMtggs}5*6avE@R1aftt@b2D~(`Qf|-J zxjOp#pror@VB(k6JKCLv?tbKmP2q5af_{jBaje{ob59^lFiciB2uAo2XPsg~`a=wd zgn>%wBWTEkNP(OzVvt{7C{_)H5s>*##d#B_SZB z>Imqx#shb?w25kO%daa)Qrg%EhQB8&G{9#H4#9~GpR8}U!^I8moEQ$ zlVN3+w4Ih`lNe*~Vq|T_eV1rNL0<>w9yh+$=&6jk01?CcXOfhi>?I01BqyXvksKEs z&yap#ZWbd2o_f`3WsSTsqz+TltvQd#LMZt1etpl%TsueGP_MG#pH9HszfosR<8XhS zb|DHY(q|c^2Z&8}*JKMy2`MHXH6oLB?rN2FJ zew9Y?Gkk#2H!FpJaEZzKyuM5KrS>1Di8 zj*GOot`qWNNinV;byb!~o>_V8`>DACr|NXJn_>v9we`2eB*`{Mi7{NuD-0J&SEXGvj%)zL})6SBNwN1I4T9E#I>vIz^gfe2gL=3hkl%vXrVzMTr zq|1*!#=nuzP1bA!_Nc6P19Nrw0Td26^^>~$;RYp@eGunSE7lClB(=8pgW_ePLaxyI z$RjLe=E6E*RU*iKb-HrJi`nU6fjxK^V>K&Rq*1;74uPh=fwZF0LRa@=?DbpuEoy8m ze_K3lyqwFcU;SZA-$dvKu&xj}<~=STp#Pj1+`_gB1cOZ$W{pQnHGjOhTnjkKd%*Yh zC*Tzhu9e5cTp=~*@XyiPG1?#mAr`2e$BTec z29-tcG1TAetZcR@bZ)#v1#11&z!?s#pX4~S@j*o69=}{trsBNAW8|_lI}O+>JQVU? z-4~f+E`mN$LHc{(JJdtV-`Iuvs{l#f=U`Zr zJ8TQ_yNql!=c#0FeFynh^<$4QN`e)kAtA>u1`oJuGi$7WFwjvhmR}iXk+=4m^sYL! 
zbf^;-o#}EsLR$7(Kk;$%j&3nK75V#2#@L@yc1gsmhdi|Sv>aef+4GWPpnjQa8hueN zcvCn9Ik(iG9_KKtRM_@rV38f|8PQP>wZSgsF}Esq2)ALzN3cBJRUBa0geN{uVwlyI z%c4?yaTlIYM_%m5svE*7lHd4s1!{VTcDz=oI(uc6w-U_}k#{FTW_Hh4Aa=_P#Cs2< zK_&uAJR>!&pQLFWE318v$Q1vua@nJ9RltFaJ?w);pk+01Z)>s!E}PYsddBn2CpU|7e| zGuXQ`m?YJ>w*X&NX{e7jypoZ0npkq|gD5(Tlpdw13p9+RN_N=S@J>>zJ#^efzH+2r ziUfHUw@4obgyKxFqzJa>A;)O9YnS$wBt_F`i~cmTwnshEhy_fB$tK0p%}70v#mw%_ zO5E0Y9bUxh3K*_dNeh-E{dFHIX$f@W40Rj_Cj+t%$`i5g2h**amh&LQxQ;(rQpP^J zY`bVvi^#(*wW!{N0}+&aAmA2P$I2@00At|dtIrNdhty>|1hlS`JuP$%u(V3yyx@HuD>{I z0;@OnEdrE#^9@p`^JSY_e`((Vy;+CMV(4ZI5-<_qD!Zkxdr37J+v+iON%wK_ka~-V zjc4;s0?lC>Vq}fXO$KInQA@K88-)nJO9z7beD}d1P}S)=_7F}~-a*9`2A_Sufplu( zhc7TPFCe^H+LCHAX;8j{^d%T0E{SGJ$XLB&+UxUJ(U)hrL!#iJE#d!ZY4jNnKnvXA z<%)O#Wd)uD>Tk32JVJLMJ?p@9Y)WksUDpCy0VnOA<*9I(iizCC| zcRmNOSn~zJKpY~HzH(lA%p0MGGSI>^UiU11(!u*YJM_z-g;_lCe=%oyUuS!B*!~i$ z2sx$#Ps_RM)9dW3*YX^Iz?8M#v`=j$zy=$`0J?T~QVfrZ?7@XA#S~;%etUYDwVRze zf;ikjd#5k(eh#&Pxj^(s6E# zNn6GK;pyZePXy`wKt-SJr%OL|#z}T7hVPf#l;mWiFGw@6`*6`&MfT$j$h|}EgX>5E z5iYnx4yjX^C?L~2nnL89DUo|GfJ@=)S76F@-Zdh^QDFQD4^Wu08ql2ngf4w%cOBe? 
z6-v<)86LXxb0(FT(bU@AKCWJNZwH?1`*tAL2g{PX~sLZufV%96bFto^{?;NNz3o& zSS43iv3EI#+x~l3xIzW@{rtI+Woyl?6Nz$ly{29T#UK|@VvV4!I^c>yF~BO5)PL;z z0$&S@=KLRQyr1&6{}C+zF9zE=|C8?iA2|5`&YAyDKkL6_;veM_w<@t}w=)0#*Ip8Z4&4YV&c_@z&e^uIcD(O-n6UhpSNiOe=7A^VHe?RtKvo z&-{B?`5vpXskyROXq{298cpF1QxtgA!sVx%_g(%88(|OUz%3=Ohxg07?Qws@$B&7} z9TxEKtkJCQeLouftZ(IM)Y@*#WtoYZ?rReQTL7`m(ADzXM<6XQAA; z4mCP7!li;R$bkLRgXbLBoHYOCygEZ)GDiRR{lW1aV|7Q=W#p0foFBw~n`g;-F_Gi& zR2=swhu%i>(}RaQRhT1orGX~YDV=4hS`KZ~G4D+cS{O9ro<%HnCpAgRf%#J5I`8d9 zyJatXyrS!C-<`-!W9>57({xSa>>vxTr?JBgmKAC#0)L9weOF?Z~{~hiuk=SD)p#P5JPqZsh0&G^G`1{gRv7qUKV z3taHj?Rw~+!ZAXGT;MW9rZW%1rt?fWbF)O(1Wk7}qKG1dVJBh<-UcJA}??JoqUu!oAp1S9}AL-plJ~(n$i`&})TE>Rm29dFuJ9m94dPpRO0voUG zzGBkPYGGyY-maFe{0r^i`7YNNK8p2OUH9~HZjySd(#|A%(gR3mBo_gFl&Rc^_V};D zN-BS%9@nNB@4}U6)zp^dv9wA|^0xTByB+85i`h@J!l9UQ+(&kau4Xnjez4vaQv8x(Zf=yN-JLk9_ZJ`N^-_iXb2 z4W$*yD~Ej;I5e4{A%&u>4H$54Lrvq$BdFo)q%-5<0d6MnKqWbh3-Eb7t@*w+0R2a@ z0FX5y{4$4S;63tBPQ+6;TRMhFqnl#ISxvNy)c=UaM3({BWJcm}z09LiaoB0RwSyAo zHkOmRzy;QD^GZ{3#FdcUE{2aq^KK2o>6Ey++h>XMX*;cn7Fq1gKd^X&{3Zcd3WQ)F zyN_v&d)xSv<8^zsaZepwHbtQf9S77MhiH$@5-G|V6WgOwB6H7@tBcQLBb-mO`Q&3- z1Aw!cOY@|Bio;Lg!nyHaNvv0nx2v)#ltq;VPU7qw-;LXl(2=)md;T`Gma0>Yqoj9o zJCTa4c^{bZg&!X$#90Y?b<;%HRkk!Tr5l6Zhr8D^qXF1)suawvI|An3fo8}`^sNB` zFoAb4$EtsKOIB;K5QBrbTt~s|GRSQA%qC#=~ z17`u|I*Y;h0f7)QvFr8OIttM9gz(I+Drr^qvDwX^1+h2Yrd-pq2Ero7INZ{ME%-Gr z3f?9~d9Z*HmqcFY+Ts>i$RsxSjDUy~YDt|gpduK--KL7&_f%%;X11l52Mk$=7>E~x z$(J|B=5yEY9$`g)J!_`Np*F6ziPougeQFw+M=Gl;8}<6!1Ewq0L@ul)(iE}HoEnYB zn4BXu!;Y657Vn&0O}Q!ImY7UH*BoV^pvz0F+MsWB>+Hhv8l2X$cApo4S~-Zk;mVND zPO7@_7F{;kGsrqnyOvl>jkwFBgaY`hQ9!90?0-jyS>alWdV_kPkRlA4dh6*QhZlt+ zS@M?!Gcy=yz70iP>?2Hj7OhJc;+#*3Ig zH)4@A324S!1@A(ecR<9$-tTto3N!ZhUxcR>2=O;TMDZaSPA;XVa!hQH%8&ks*$0v= zz7JOdo-Sr51*ICOamsiuC0M7zC_$;K*G!`u8l$Aam{``DQ8&VAAi~IsHTC(dvYFXf zxN|#<>FnRpJQ{EivVQ>V=wb;Hs;{KspmIx5XrC7(zl_?YIRhCATa5YlC_Pt-#E?7G8o>m-=}-|BvUpk z0O5rgFa8%p$qT`;8M5FcKInyb9704vNWM&DaT@lvW|NhW2-!7(Cr42qhm%E1EX|_j 
za0*k+Z*07){BIyy0ZOztLOd!^He|m23SU)T96l!CX7C_3pOlMIp={^%uLC zgvEFrL{zkWCl-$>sZvqB--c`?H@ozlH7DQi;I z(E?n`8c7>0g=N~!lx!DN zAtj%TgUP0s>{GzjP?yuQFYS3HB<^YbA<;$)=sD8;0`0>SOFOo}b9pW*cRcs4FUAMw zRuW~#wwDwJ3xe*$pMt>%Zd2w_i{_%tUJdoQ;)FL()StIY`f(KVp?@Yqu@SdPR^A|H zNAHU*1b10n#Bb%B+}&o6)hrW+p>gi7eVOv=p69KR-*zFkHr%UDvEX$2?yJ-s+Xcv* zGLl=N&{OZfT7X#}7%fM-T{(8Q zOK^pw*Kp^}C@U7}8>bPFn?Ai?-W_=}gt3yw6W`HzY{fGdj0;~JC-D=od8G;W!iT?54}PjL{#8yfzjsNIeVq?)^zMveI&u z?fuEf>&58C6u?{~oXSwGW8)X@8*2}MiXTXTiU)~G%!?|v zx{DRsTn@~br;R#IH0G>K6&deh-_NcZ+)6h43$Vqpvi0NQ{7A_$Qu7?o_&S(o)$BZ41}QHZ+)Z|$ss}4cf-28D=BsPyxIaI09#cIto+mem-V%#OSp0C@T!l zUaLVKYwh`tNrr=@Xf|$OhazsC_yf}Wco4#w$wk3HVk!1t6Y3tskXDcL>aLR$`J`#a zK=5UO1iT9 zL0?>78Grc3UhNkP7yq8fgr&MO?^r6~9ZR>ch87eK5_TrA zxeYYBJ!=C|!gC(pOR6VHquAz7($+{e%5(W9I4Ot|F-2x@C~e{4YwfXgY8l(+MT5vPG`FQu+r?AyTm7~4=u}`8D*`JfWp?FTFgX#_T{w1OiaYfuGE|BR zRMuC3Y_}r@pTwVOVvlT0J$@?|ELW1_uo2FALw^OtJr#4)cGf+-Mb!i?_WE>V!+gHO zVhHQo8s`+eNhu1v?}fQ_lc*>$&WIQs1&L3RkWxhrK}QS;?})pF`Pq`+#MRe|(07Pj znopJTuA2A0<}6*?HWLt77cy{*z8rQJtq4Y^QI8^0`D8re*H+B_d*iSMv^EFHycZ2$ z60Il1xr3)Ign$f}25&P{z$WB1adDb3RpAy|EfYH83!b$Bg3>MXU%Npta;VYL4kJp%+6k9a38o4)Tn^BqTL~(=aWAuO3!rxvfJkgTI2<6=PklJw@`?*|v zz|B}V{5wsUo~9atu6%4{;%x?E>^j;*i$0$1>a%pPT9*uF=jPjnSZekC@TjkW{v)L@ zc(9%3YI__Fb#>!&7z%py`bI1vWttU{Il5zXjkdSmSvub$-707F*uOwKIlzKxiZX|^ z17%PiRHBT%j|g@vjvPGIK0aWcVsF83>0)LL%S+T+G$CtjFk?_521MK!h7yh&RaX-i zaNJ&v6v7boByBA0fAnZji`l(0!u+u4C)8MYWq1lE_*pW@E%9-LN0be}ygq$h#~3-3 zF&V~;%dm>O&GA&nG&^-NnpYTryPS$MTp&6RelT7Os(;9mGAzBEVRt)++C@vth`j9l zm1Y2OfIeH>f&V@{-9C&;*u;)hTo*k-#(p$#if9&vH)u%!lG@E}KrFl+r>u&c*>-=j z024!|s(1~Wey_X4$jtQ;oNUp?)_6>>N}2mNgXKm0Qp(F8f}0??4Lnb)KF8hzAfi@9 z;y0^T58w9@!TLbnDJ>KWOyYER6y3>8CPB`Q?yu*t<#cTjllW)`y%4$>vY2)sB*cs5 z_hpx9RqJ;q^~mg@7HDw`!hO$`j#E|jJQ-$2d!OY|vQv1TpHq0wKmkP5bfCndfU=w| zd#lmg=2w&{H7SF97rTbN)~zffgWf) zobe07*38~g@oa+IY>Gk<{~yF}f_1|&I)_c*+Lxg1ZYTB!G zy@9im?U%c%?lQ){b#|1N7sAp^;7(aUNtaDTK-{zw%=|=x+U8t!fmFC8v_;bn`t4uG zqJFkC5>c?ug6tphRa9=}+Tn 
zi{HtfPeCH`CfLgm?Dmz95$Nzl)@*y&TpJ^1h5~3G8@-413L?maY#U!>N0d%#7YMKA zSQ-Ye3Ak1v81YcFXx10J16L_4a_Nr(I?FjgbpO-PC8xN-&#768|-6la=AW^;!N8Y4gA7fBzL}^S`bA?@HnSH<{J{tF-x31NvW-Hkp1f9se_8 zqgvZKaccDX$r5vw@(g+t$LDz!pZ7^>2New!oy6Uq>5GkW zh+aU&1da~){5vI=aLqm55%_!Tww!pBWte3azf4c#-F`K@+BF90AO(Sdhu6cuv%lZN z-6Ut@DL-^-9_{1*sLYh3{AhAu>J3#0X{nLg&K!YBc<22Ua9Oc9Au*nwkBeQ5F;-4@ z#HB+WS{KCK9h^06sRReRB@kK~hZv+I7@(?;`bTk~E@;EnX3Z|pdP3EZ!zOX1uGJ~h zFI7n!va(s5y>6P*N2a#@DxG;d+eWsM7%}=|*$?Tf)=}k)e@jvh}7* zik+cZiF3+Ad+yi9rpTX$$bRp)@b~ZweUfx%?;B@A1rFvW6CGC6nKw=t$bi;fW6KW( zQpkJCP+3To=<@8=Y)6%He4CC1nGQ(wpdEKyv6v&J(*G1UDGHzW>u+ORsaLPx8Y`uD z((~7MpV}Su$`kM3ZE7)&;>Cu|;eg*mK)9yC=lC}LG~fya)i0F1uljZ+ zJFy)hQM`YD;2qs{PiU!}Zp)v3zl!;!esf3n>8P+-?@%ehTR+j;>Vu91t-jVCu9l2m zxOIBII({7*>d&fz?m(~wetYxChdr>BZ9<_mIYcN=Ayp;Zcdztymi`5)U-e%z7s5pu zd_-m(O=lluPTqny*;Y-S5t;U)KoMyT!|v`5t-$ZL&uzGQq$i3H&L@rBxY%$Kkg~il zi=(AGRv`Kh%tmn(Q>>=GlMHz>V%2`Xg^)g>hez6{ntqFJ_~Tsi;9TrD9JGa8d?O=r zXA~xu>*yZSo%pSfmJe?9KI*!76=N8O%%8u^@G__uJ^>u3_eX*?^e@x-gmkaJwj>?ecHBZo2=gAsoJ>-Qdwt=&L`rx{UuU+qy$CSz zYCUUnyk2Gta*~)jF3C4J_1JgusE%?jbnmhO)Q%Pf9mL!@=4wf8-0)q;94gP^VODCl zT3x5t8G2Gw7ZhEQTXEeaHcwt?A6&M_GuaAzQA@=%+sSO5QZ4334ZEeER*EYcjY~Q* zH@+bnh9ss%0U9x5*|sT27%P}0=HEI15j9^qpP^@FoCFhPD<8oyl!Sdh?&?MNEV zN6kX7N;X@YTO?PY-1+tk=0++d5z)JFaYn7lcU(>AT6U^aq7w55wLmG~0}^4G2yGSq ze5F`X^z8q-#|=hY{=cYuryxuK=4ocaKhw$* zqE|nmCl%I!2LfNnR&${BK*t5p-$`5Q<7l*(Ss*xvO=o3)s#0-y$ z9$l1lQb6g;(TAXj4@Md9PH6Zd!-juLwzz?$TK*7N!bzGFhCOHPO3_H~U*c=Q`g zH7csD3|W&h_s;EkOPU%&Ge80>(}uhNjXOo~ZSz(N{v^%&?B94kX}vTFh>B(JWvp<2 z?H$ZuaFupfQp#lwn%{7em)u)F5U=7z_D!G8S_nVbL4ryNW&NQ zD<_b9no<4t8beBn`tI-ZB&R0x=7Yd`pEbrw((_s8hn63uRTdKSY(yZi&QdEoQ?gl4 zk}j)aO}tCOVKdF7s6!eVdzg(hh32mGk7#WOQodD$Anx1=MMGwER-fI7RkR*~W9>c~ z=svwLSB>S!L?aSsc*a*smbH-tBS3$?rrjRMSrH2aMI@4xCAu4UgXdvOG+)FRf&J4{pQ2AK-eI;OFRWdJy z6MKi6OFeGX#K@n&Sv<5HD{94HgNfr33Fkkm6$FjIcg4Ir_vX_#x34#>aad>Kp&S)X zyfN!M0)>&ldF+igu4l0Q?iFX|{5Z-Yc^X?M1^6pP@fTPCiOnTa4T@E5BOew>z4{{< zs`|c(MLiHhn#cvo<(ZRV&%lC{(NvI$Rh@#>*JXt2>fVvAG`EUVYY2O00xDPmktH<8 
zETi&9OcyWa?dCV(G2aPDgZQM{jV%6LHB(xC-3E6V{B4iM%0K!IEjmPKmJnJ{b!_FA zY9n6TL4|(!`VmG{3lmf$C5Ga-IjPQK0 z1;grYP-QT32ay)pNc*+54)x~j3MLBX_j|^21nytySFm zAke{edB~wiyrh-mM5S10N~TxO}2=&xqK5$&gv-(b{)$_vWf6eGHq7D}8*C zkPB}sZ0#@N|kr_j-5mf#05jl#EV*1n4uXmy2TJq z&AC}%mt@IrHSzYOA+p~dMhXs-p|V60^$+ksHd1I!#&fxZ#U&k_m1LrrfE@&1Tw9sf z!rD^Ez@nW2;7_u!emT#cQx6F-!Cp`jatunyNg4)IXqn>84N6inO$T;0oO9uE0-bIZ z=uSJqrhI_jj#u56bjUxm96>A>hsmh( z7-)@psd;${=lgBTPvfqygY|Sg9J!IJ!Ti2^xNdW*ZE}4|nrNJs0;g-f>LmCc8U=X} z+Pj9eX4Qm&YV6Cg4%jp#{3sfGCAg7XNE-CRmFrH@x?-@57)!g=BEzZT?!PO9RIxB` z9Ag@Jgod|ONv-(0W#&40h!(zBS#Wtn2odijJ5=W>NG=4=@B;B9^dQZ1{wckPr==cA ze!`UxzPKJpTo#x4RX1-hG>?^3Q;QC1r1qwgZWc&TI(|*u9y^4ld_6-HzFz;KjGnUY z^4W+#qNrr*_&GITe0jPycTH&w+wWc8p?>%MrUP%k8OI44*3-%L$LgnA^PW}nEH1nAzlYP6z`Bp_cd zF}n79SUj9VNQZ>$5QplfX*tuq9Jbiuy-KVnTCzPy36!(Y(JL?YFyU+$1GN=4S*T)j zO8W;vNZDMbqZI8WqD>>S-3IOw$no)CdUjE9l?xU)s;hOvn9AqYNSP@+VB!uQdM1$s z>m|f#1N=a0o1@)D^XMR}thH=_W$d>=bV@(`+_=t=E5_vuF%WXv^(;hKqZTF=2+3xm zKDKlYlqdDOZGtGetr#A;`|Q)+#>2lq{aEFgI!U8e2kXr}dPhj3iGX56UVGhpSp>tT z(j3ckR_&K^pQCHEh$Fp5XER<}1P6*6BXX6UM0r?Xa{}BHy_<8~Nj2g; z5N>D)`m`$s&hFg)1kGENJPCiV$70e>>v9n5DlAo(Wlg;fEBKt~dXnXPyvNM)x=EwO zVO4l)y_CbxG4@9j%LcPcZYMxT`ut78l(4=K&PO6mo+iPX;3UT-NAF2+BUwbnzyIC1 z_(V9P2%dXEyqskA`J1fon6@NsgFs(v!xMujN+uciUg06Qs~mp;+`iC*XxT8wq=x;p z)pD{^c@;5m4Lkx@@Y*xoQ5ol+v?NoWQy{zy%1Y*(7EUKW|G8d6UqM^FRYyTS)=@+NA4C9FxQ?@VYu=cNM%MvwAz*hrVixHsArV(Q*7#&oeM6eWvr$nq7dTx3jnL83G4S+XY|c zJZkv)B%FLfO*K~F&4^0LFvQhAyNp2Im=1Ec2-jmR?3=}s%_lIl5}g_-835G?tUr}z9q840DCx6Z_DliV7id>wz*Z!G#6*-~+M zA3}GDH?=*&)-Cr3K1;6b<+VBxzO_r)o$gp<@cwk^Yhv^J-Mv0dk$c4W)X)@xn{e@j z>$Z778P?T*!;DhLF(PAMDBu~8%x!82Ihbrc&w;nw>Ut-zLTh3*QD8{iRmrTho;{+P zi)661fXk;{VGh*o>hy$o$)nCm;)noW`V~^AWFrkDc)px5DN%IkM~5Zib2puD~u^B|TQT1Tcnvwh5EI(bmE zWsDL-H-&nnK{X%az!E-PJZ;~3{r@t~$(<)EoaCT9@h zQ8Aq&g7eH>zB>l?F*`!dP)c5!Y3>L+MIXK_H2Eit%ICKz?8b|O%*xRCJ_{BZp#>$@ zL@Tzq>a++#Zf`646kT=u@Y4smYjYjB;h9<}w$LJgEMt&S!rE5AijB^t50<|yR{_Zo zkqZC=yUbzo#N==QHpb6r<|QHN01l-HtFDx2ky+TLU@>=>8-L5vp8rNAZb{)N&}7U? 
z0kDG0QX$cGEJMVz!eN|tXDaSaNUei>tVrPn!@CO@EZl6}hux9*w4`5)m3aoVlK#@{ zg;qS9UX+2&A(vp|(Ke>6Ag;Q_8QjOC#dP#@gXT*EeBI*EwG;y>i`Dd%&8U|eT1syG z8V0`U$b3(Jn5-~dZE1j2K^mp$6wjpTnP)VT;B&=soAt1WK9pkdv~5hg4gVf|!!_Qk z7=Y=gk;h(mzxKB_wXFMZ;1J_Kf=T}!*8Gcbi18ml=`RZUU%ofie-e~`2@d^p?Z5B$ z{~8Xl6RVLI2ST_%TY%_3IxvXnm!Y z7t8fxX4u+zk|PiVxJ8w&{|Hzvpirn1qL1>2xeWhLt60s>Sz?qqa+*%s~3 zFaO-1UpM?;!pAq?m6CsM{HFA`Pjay%^egektZcHoFSah9 z+kE`JtDIB!zEk}3(nnN#fpfb*1JL6=?heGeJ0s}m>X=?Ox9%rz6Vuai9-hzNseTCi zzIgmStvTgQo32z#Itk61e0=_{&l0JvJ@-1j-*Wd{(pcG7S6=fhv!;K?5D6cb)f3XI z|0(!_jC6!`)TUNQPZ#6c_VPCM7yRpVgE_l9ov^9*b~K0NYE12M<9|`-92FLRg$&J8 zlRL4&FgeXGT{Pap6m&8drkBwCdr_t~x3WUnD>P?Q$ZkHh5f9C=tSy20dvj$8%6@$D34jo%V>0oTy+xaYRa;%z3} zw!CAh>QNZj2WA)YlfAt#l>l`r2AP$6hcTj2RoQz3F3bVd+}f7Nw4QgpIWoc#9X-MK zwf;Ta5}!C--0O`jfl!TLBV)476*l}L82 zGuqZ5XPz{Eh$iuKf(jB6tmFLbl8*`Py1m%RxGqoE)XDr{#%|p?yZ1NApUd0Gl^)}M z({`~-2d+f$f3TpjI3TSV&obYJ0dv+MC{x>*C)J?7;r1-&aD<+n~tMjJ4dpO4V*6*87{fE9SME~%E=Q;iRJT++Vw9DJl`j*$d z72r@Q`>4(e20iLB3D6jT?3Fh;>({QLRWGCXeY3R9Gl?AKp(iZXsjTQB=9X=F)upwT zS<$)f&55Xvyt>fg1;57xptcaRg|a_p3Ti*#XR4eFvUhx%VrgCV_09oR z$WY*-na&IFx)QyM3HV`b?9_xYF}?u4Zufo z_CuJYiOG_DV&s%4g%_Al(~KfxkIELip_u#?AE>*%S%y)|R2D7G$9+49;`9OY*~u8d z|NI+F#B(NGSG>Gp8g;2>XuqS+obbdBC7mGzx@zIDIwg$=r$`m# z7l;5yef>BgWCoyVHQ&`g+2R;4(roQPL4LH07JtEENOmuOkCPu%huo;sJ_~)5b?8CWZK6f_p&8Q zYBK{2ra0y6a|G&0VxbK`Ep$@o-^5%cl!-BU$}c_>%{JGAlE&O=G(VOF*|@9%um!lC zeAKT`(M!K@BQ0;O3EBYrYJp^d4S-dF)?+c6l$HPf$oC03Qd4XL>f&Sq8Gdqs0X#DP z(ay9?(lS7pgzu3Z6cS1`)}+4EzSnqHYP~_sJrz4a9Giuni>dY#P`6Coe!;9K_VjfI z^U9>v4l^tVGu4Pq@`wKGO9_+~)OC_h$X*7oJFZR<5A7ba&|gh}#w3)a*nW%XI6MhU zTJ)PHDt<`;wiqRe6%i`=-lXsA@*@a_ri+GU9i zNF=gE)O#mTy}d8gJmm~obxkTH7AO*Xlood(U(2}>$8T*WB}eC>?iFgI>i%jtUHD%U|U+E4U#JR4P|UGpAu3Gj54Y zSP{%C9;jrb&=OGP+S<9BvKYd-MT&6N(s()`0Cq-fj6vWuia_Z~{+VVzcK<>Wl0xcN z4_;;OKP!I=$5J7+p6$Yp1YIqVp6V7eNex6=h0` z4ONg~dlL?EMdD?J@i?3Y5EvCr3{J~TAAJdLgAr#Fw?!P^wHO_g@D~fQt4=LZXr##z zOiEOL=aUl({;oE&^4nMm;g%!@$Os!ICXMK`G*H6FU8G8IqPS`ADq_BdoEL-iK4Div z@sHw1%mVo0&fNmEn5PX};?x5Bwho 
zC;f91!q$o1#9D!{Hr&YRTHD(em<~Mq5URrSecp7W2ylRbuWm+Ux)!4==Ws((69qx* zRIt+0lGkjYTVinz3gcSycAg9oz%eeKhI)XUh`?7uTAxViKEr#2tWM!Ej1x%F`DwcB ze8`>Nl7!40=4mT%DMp$z>LvyV4!HPs_sBKa&Kw{k7BijG`Iea6PD0seqgjSHZr|lM z?Xu(mY{{trnGD{EaMK{N5oy<bXfD_Leqif7fJ!*)$TN&zu_enK+)4;Xbbavd>3_d0{W5ie-{>#;KYAG&1eD%Sl}% zPlEUjD!q4bAC!Lo?%I%L_&FMAqmhv6%?#6Hcc(T^bsu0e9lQ-WN}iLTD8(|+H?lF< z=rrPcm_sh;GuuE0AeG__V4iWwA=a23T&bY~0v&hi%2= zUhc?@v{hApq2xXDUxpO9J=jto7z2%#VPg~gsi zW}iaw=JmwLjcVlTWW_b+=sUi|rCi%ab^V!%`oaLXWv_W39|v==Hgg| z29cAKH(Za~`OtQJyqnc}G*`1aDL^FzDizOR9>HLw{D|XGIY33EjPcT3zo;RXD@Q zum=&+v3-oIX+giN;{gjK31FdogjxX8wVB!m$+URdyC4QJv1&@n3kHDIXtE(5Ko)P zCdnI5?9B8~%psiEY1E*aRyp&Ugb>~e7Z=>dVi~aK%CUVLI*k8V<_1dJISs-0}Z_pZqWz6*tAFrn*O?7z0?R0^yMqd4IaR42zA0BVATika+P%g9+4M#@=! zAnj&R5{i-%xEmPUA}JN=5?>v2gV6xltbEnqeZnjrr9>1YNBPR*dSJ%!r)P(q$Vp++ z8pxZBsWdYEH^rj*o2Q<@qWp_ie8qzQNMgI2tNhcnYJjp_U!(W^hU=ZW{dmF(4H!>s z8WA=O)JFzwuhA~$bPEH>=g}nu?lj|{E(klus;c4uP z(=2iCIKL;#F&lVq&pDi@+m8_$CmP<*?9}_edFetTIm%5c!Sn(%fhM3=G>dwPpYZY_ zgC_3CEAzwJI2At;BT1_ifs;Ls-hX?dVW&In>463|Hi8~HoLBe|9<~i%L}$VGRRXr2 zPDY^pgEMR1e3TC^SozkL-D;3$`rfdwatt2Mz+M@0g3!L|>Q*wPaGK-@7DE0P^ zpVB)AlxelEM%L<%tpR7>VqLgMGeCs!jx-~PU(eJw&A%co;uHIGpGvIQBad8y&ZO(prKQ7yxthzWv(?_Q_3d?=B&I6#p_ zKy*{&4~>*9xM_XxI!>AD-hZ`c@v;bsMs*H*efYl$X#XM~c#d5Uk}|D?)1GFE^?=a# zQsz0f`At~d1fSsc4H?_+QI6cqTycN1@g6?*vYG}%xRlpqqR=zi2V@$bBfJ3((@=4g z4S(pu+i+ADFkSZp9y3~H_}>AN|2X&duL6>P#9IDmK=N;Xn*T%N&Hrw=VP*V}k(mFl z0SOBMBh$ZSll}!H{|8(G^`CJG(|>&6{~Io0V`uuW8J=57IP6Zob#>)wt3!CPrDagA zdu-xFYmb{L<**yX@*yKn&^=INVMh@yy%RrY$pCUdssirn=oJnW!;~&XNRc9Xa7gLj z+HbyZZTAQ8eXGae`csqNFBjlGD!4Kilh*}x=R+ow@O>$Dd6ToM!+D)pV?*m~rfY2@ zOZ3Nop&I4I{aM-lm{VUD?TujBw*P4O+}mwe-{F$%{q65ohq|7$4lXjmem%wWfhf;%&9l;7@cu+ z?8kUtpdWorKZRo+V(!{o1-0AKKer1X+8^M&Lw`Sb-rjen%1gcOHW1v6U|+W%zU{Pf zc*p~Nh|fj`DE6=dc;6+Q>2uEHn z!a7}6)AnE(ddr|28#!bdSg|{KDU7uF_JJqhU89VsR4$yb35<1ZE|K|kX&vt>)LQQK 
z6D9wx1&4KL>rU?_U9?bgtXJ!NvDZFI+#aC6Q-aMxjfnA)u`N#pHy?r!41njACw#8}|P8KO;?Ti9$Min&3!WYjR%&64lZz?PrrNXBZJkTz?#6a3=P&2?qxH)q7(2!p8>5XDfI%|J2z*f0-1_)NZb= z`j*Je#tu!xLxL_{+$zC!**HiFGpA%RnhalZCk80x;7{@ zU)ihF@zhWE-ANf*PWgFAzwh|GVF7|)DY%#_u!C3D|5S3T4{UupzW>v{9Y+y<-ukM4 zEWgpOSFPp&X+!(%ewQy+oSsjII4XUNR1tv4V5aJ65A(RAXwBO&hloepGL?p*Jmegg zWjeEQkg9ZDCcLDcN~t>gS*#%W0)bt$Tu@yEFDLm??0siQ;v!|Z++(>p5N%1DaBo2g z{y*u7(qDSQ6jK|hqzDj7gBTSABXXG4s((7(b+cPBS(9$A9UDICLMF^$af^B+OmC3#)fLR#3=g5+M6VG@&&JKS67OS0B`=G;?du;3 zpL*Jd@&>`MEYE9Tv-L49we@+PZND%p1&;yNPn$UIa4o+g8-!x)#j zA*GFbj>8#qh|duhq2%TO5M<`>{=$V)y~r0FyP`pdlzaw=HYUOgeJiM&vA%gNuMXq9 zECx((cFvZHizS%jCKX+8%iYmcCfB&dzRA~TiEAA?Eq5tB0~ayHmsw;*YWk4h@;Y%h zVz9qT)F)$Y@24!M87J!vn)$PkuoGP|T<+98)mlUn7F!v(MNW;&xn|d2ttLT!R|t!MC%gZS z5TMX7PgOO!UgdIwb}|47dXa@2IS8Yqr}}$@j2CAUa4ENwT6VhU)G$Ove)LVGW<+^e z82jkfG36X$+G8uf3-vl&?OFKyN7_Ir4CV9rT=4Bv>&kE*Pa5 z?DCg+Z3xzzG>qlL{M&?WH^c8y@G129VIN^ZepjG)VL{0~B8T`lapDcymn*;p`aIeOe3qU_4SEnbLEQi6~!GT*LF4 zHAj|?dO}QZC0^oFSDW5J_GaZ7mRKik%WuRwz|h|FyRI3(Pu|aIU6V|lTx^F4`C?u*Y`fnxPS$co4-Sr?c8S>G z(sbK~VM&gso$<=O6JK&@qnYp%EzEo@z$WFYP)d1W3+|>T3O|@qbJ7eII4yuO0>!Sk zaE>IXKnMeq;2$Fz8jJ=8n!So_| ztY(5V9$pK^Dgx@)S4@%psaRmT381JxRE-zxlB#w-Ll<)r)2h0pzl(DPrcr;o-I*_1 za&FGVbM*8~GO1LBFFy4v&>aBd4vx8)CQ)3Tte?-5#;m?oy!T^Jwq6vXd+5dL@#Sao zN(o-zF5AbXQppYtexo+(v;zDUl196x_*Dt292d6QU=xuF(!f!5XDTmzp^P;0iA&)Z z`+D`6eoRcY~0HFqCJee9il%WVDJP&%0SHC%!(u=MEK(fb% zX1=r=`9&7>@veXp9e5LLiz;Z&Tv0dG!FN)Xl&=r;HJ}VB2X!v_i!F8<21Rcq{Kz`Z ztR5UBn}#Wtg92;StbLCJ0(2)G;CBfUP#A6kf&d4AO4KpLIs=jCiVX(j%$tK@cJc}< zIz9(juS6!ZPJOp6j8OY{Y~X0f;luTJm~viGb`Z)(m~(l04sZk1RE`brk7D@sbf;Az z;rt|+1ynh~f!z{MVJ$#$Jw`$S_^`B@Fj|On&3mG!Qqv`-Xn*=!52ut7GQeKwhG;Kr z=He}`e!=Z4db>F^(3N*JnG2J;QWX?{z##+hgEfA`mMBrXVSt}E`2_G9v@iBnGLUs7 zkaj8zlnm?>lubS2*eG+|HI08W5HS_)pRmj0F82`BO;9-npz#H~v0U!s8KfgdLqzlH z2Fv4J0-G79G;0^uk~KoHqccHuR^0pt7gl*Iqm<_oF-+OaQ)}xrdZcfw>KuG9kWv|c z!sn_#EiIV{aQk-3UZ-`OM64(EC8ZQB12gs((U-L!JS2+0e%dFC7i-;!^Mev4-I?|bVbyrB~-J*94UuHeD)9-}&Wt$qRh#OIDNf|vSvW|A@Zq7pp%t{%B 
z|K5mLT;!Wb$5gYal_>%j%$vx75BYJ9MmIzL#gl(qj_4snSTtgmWASl1XVpt_9nE?q z8@~D(;sm*)!RV!4)t=6KUyp19Ei5pxwwl${_5>Q34cDk$+mdfDJtH9dy2`c4Hqha} zMXdVMx(Z`k)qN>0Xwo|hl#3jlfD6%ULhcUtIoPzI zz>%gtX2Tmpa=B$IW8Dul9G}!c14U_gN23GqI_yt|eYw!6+;=icp!6?}MZz_tET?vC z?AicaLMZiIQ5IF5=@yb}n*D3AYi;6Gedx)9Yk=;#{I=p;yO01X8IS9Q*|P|YxshO< z>e;DbQIl&GEhqNYOLAGI(s{@p%@YERQ(A2gf?gAh$xXNr7~lqoZ0Gsxq5VYYk=ace zY2#Gf2hX+4-RyC$5`SU zO;P=*uM;2%%8!fRk_M@s9#Zf{Gl)!GH1*C&<|Pp8Bf8M7hp8JCWwXS#iZWwoY_y@1 z)Aw9cfop+-_R244A8acZ>l=OzPlr|T(jipezneADv*BW5z_2wF%V=+iPd+=P zK+NXYd(Nw+3NbiD98S9`Gg)Kz_uXo826{s6Lh|YJ5g>6Y7@)Vap9?d>%ckBwhBH@O znT-&UJ)nVfUf&^z%4F$@4v$Nb0gW)R;$~qy0e=ZD%~sClTmHdRX32g2jSNw5>sSbq z4ZsW(6X3r2NRD6-T^$j-lz3kS_G{$Sua|M?v=1`6$I?_<)-2|5qJ?FK2G0@kfYOLl zDHcjzS8?e*<`M9hRyp}BL%v|wpWM@Ukite^QWbS5MbxPvVCv8SOv!C4rc4=;Ct@r( zlrDFm(Y9lXXdDX*-x5af9>6p1tfV=Vdi%G=8LcaG-i541Fj zG@l1tb^O4MU|Y;YPW>i7kKUc)(3|>RT46OI;UZH5OzvceXWDuZ&E!kkBwVz>uJhVc z$;eg0iMY8&1Adm{1@84*SxyK0sr=*Q>#GReKtn^-=t0)hcatRCIM3c5vVbo)jj$c3 zJkSroEB#cnynKg#G=>FJVFpEBShVc&IKhzJ8WWR#p3b)5{V6I}eSL6I5#cuCAqSwV zt;C4=UgT~d5_UQe2`YE^gywE5oFod=c|W3G(iT6RA|IU1b33L{H4z9I{*o`q`VvNC z0FNkWasxu@Q*q>i+LctJ1+?Qr%*`?zy*^jW{$y`d(_kzE(U?K{sbP3s6+nCB1Jr40 zhnRqF-+1S0MhQ+|ip)Wf-gxgcJsU9uXbmkH7S@64QkC`Rpp+acB`*sGI)vHU|v!h(YbS0u(@KF+vAJL z9h{EOQ4^DyXn*{$=Ha8q8yzXG1X+MNMd|O@U1NdgRzL)P%?rc(MO%(|t!l}5YGvAx zR!_9PNOPVvSJl{L25!lp6;$<&fEf6yn^L!54ohijC(FrqaqW)=pq&zwgxBi9uE;+T zKdmFHooQ{T1rut^+$7u_B#aE`7DS21MAVL_Q5iLh2K)l(Gtn0;ugbRCCWGyjeLbCo znghX`1WV&&b##6}2ik=J!I47)f_kCZCILs}Xu!=VknBcE#SP6cAmkBYA{bQo6E+cw z5oRkfScH$T*Lwoqogcvo2)aYeJ!{;5m<;I!QxX1dVV|JQ?8P39K+A?+f4kG5 zN$yx>lYP!%Nc9~tK~wGChufcm&Z`j94?O2;Lr*EwpKo6Ptg=TcP`dW46O;jnb{)aG zflaS8K?@K%PzPo?;etxBBb_1kYPq@LHVYXqrXR7hQ+2M-D;@jArufX5eyKjDyh4p^ zEXVZu>C$;y)40z+%e!S!gpVy%juL|#A?V)*qgQgLJ4L=Xi-YI;cV9KTq=0(eO)tWP zFB-abjE)3Jb(WXKL}zzo^ovul@}6D^1Vu2O#;!@mntx`OLHq#Q@_`3#I0)ju zvDbOCmA(|8_Sx-UR~=uNa_&a`M#Z-Hn35ms^tOG{VZlq;MuYLfDX0zLF>gBtZISwx zc3u%`XzFdrSz}}WOjaFych&X1zf*5V_IJ!vrYBio&7!5f1me|-Y3NxwGi_xr2Gxi( 
z2St7s;ggS|=;HZXKHm1`_;%V*Mn+$OUv6Oo$RCD%ZJxbbUk24|6;x6m`S;{4OdDW1 zurqGU+#)!!-RWs%0vGf8+?OEAkPvV_`wh;7Ug ziSJPRPeSvY;#F-Nv+PckKNP^xOoZ?q+qVUpax0P3a&us}*qBOY{{g94&zqvScMp#jry~ljUbBDB7f8&ZoQUy@ZmEXpVwjfIi9k(q%C{1v`l0}tY~t)o z&^EX$r{QedsYk$6-%pdUUKe({6G~hKXEB%rjYZu;ebZCYbk)3#xehMTZhXrMabZ7_ z)%3KE4SF_zVM0p)*QFRn#6=25#T;m<^MN5U7FMja@}QKQ)1;?;5BRdla7U(Jz$rK< z*}cGuWQ~N)RQlTB1wy*(;XtJ8anKOUM|k6wzKUh80O_IqGw$9P=h-9&$}S|;U$H$z#XxX#hwkTcjc>9UJ;qJjCTcm z=#A`Ss?NETTRwhs; zxzxch>KaS?N`+f;%M@aB%e(&O&pSd;$YX?eYpQUh2VvcPl#|EHZ1=NrXxq3~^<>fX zQq@q%RX{FI`oy>q=tZPoEQjf-qX3akj4`rY@A(O3Mhr=P!=a5S`iVO30ZZSdAtG|5 z)?-ILs;pC8(lv; z{kb#;a!zVYWE`GB+WS)E6(bQE8K>XjYpUcd=GO@* z#Ov7^Hl2EFVjJg@e|X~wM6lcOC-K_X{OXMfRT7B$3{}&3<)Fqw-$Dm=9;+@r?O-?% z1Emj4#r?T}ytl(0TBrweO=xGEPay3S;q%MCQNl5Zp-!#34}RB6eaG(hjx`Jo0*!H2 z3nNike7dy|?+?2FmgbRksx1i$WYWrNmoO&?j;tMi1h;46E;84uUxoA1xh5COXm0qK zs#1T>czzPJ6KI9|rD(JmQw{4>r`NNYuiYLU11TWR^xVvEOBmt0Rxk*Qk~S7vw!`#y zs@*w{s9p3U_X4kUmiZ-8$6e(1P}iNHb;flmlyfhf2eAy4g_KJ)&DBY`s}Pxhv{Tdk z5K}}h%EwTWfEm}dd79B(=_!gbjz;98W)HiJ;|ZXhFg;n=Qk6dFXoK|0rb~@E62-<2 zP`z7GgIy9tVB?TISuHe^(}o2#u5ZHxUgOu;#upT~v<{J-T)!RzeGq65s#)5+vl-jD z(=Mx78j^Ad3S#%*G*S>90Em%cJuBo;VhNG_$;n8HCYe!>i1ce=ToYYO1C=rY4LQ{y zy@9U}j8wTidwjf@e|+H6;>A_NWldcIIoRGY?F|P%9O;@2T$j*qqb8pd_xC_HBla9l zVtCrU=Fa{8QOQV|3g$(afJBDAXYtBGqjGH1jt*Zo#&5(2oL1DoMAZgiR0FUpx?yT{f^DC`Cq>0sR!?LNEq7c;FiWXMH2E zKVBaWk&-qWbrTD8H(P0=OjWGYuAE zh$M1^gWS^8>e?HDHyr(=Vvu*3(D*tMB?rrQV zUwcvGE8(4Zo#)@iD=ca(ua@VX=Pp-Wd||akQ?f0>{sZ6CAM{=^)-G)=xaXC*XZUu! 
zyX*LmF!FW_-aPL_R+oC)+Cg!b1A1Nl@$9IZ!a}d;K>YMMvDicN;k}k{UN+oIiIe}3 z>}vVw|EFXpcLu}R61JTWKWU{gn5!o|dupvNk9kcnPrpw)hLEM#bxkP`}*Z$1b$T*R z9+%6^F*X~x|Fy?P>VYyozyr6G-&1a6l@9wyNyQ38X020tte>I)I9?fqI0Rl%236@+L)>i_m#T2DuX-YwCUVlwRW?rQeBo+M)t}7N1IpWM}qfO0l%{sOT|0m zeTH5Y9NR+s$NlN$^~P;@ub|`Wp>9RLG0s=H`gXLT<+bkt9O~CDhwGtXx616_!ynLS zb?vj3@E&f*{*p_Y z2aQ_OhvOMBm7|FRN##N~10I-$D1ciwFkXHrFFheRrHc>7bF&Lxy}(40?G}W5uqaO* ze4dIQ{Q=GB0QanZ4FdL_fF?LYX@cXAhyoD0yPLm5bs>P#y6KkVxD%Zk2XH#iuO z_xPqVd5#o%y!)c$YY@@a4rO3{%5OUb){_0OW0l6O|0sfI@Sv}kq;y`-x7?0NTg}fg z_)HPjG7QVT31LTNAHJ7bNaSML1HH!H0?Nip5FS{BFL12!Cu~hmawMO_Nu80AhQlST zXkb=+%7q8hT~IeP8R(JAIxA_&I8H0QlB9t78P52?J>zcpAQ@ILb~>Hc$DOW zyh%GzIMp(4d7Z*jOcew>SM3zws0SowD!JzssqJSgNhng79C-xa@<$LO&b_yPl!|~% z+yX7F7+N3{(~f$$`|E-H!WvB5Bvs*1}vVVYXNAe?gsqG4Wb@7Itg zj|75F6{Msfua}ou?+~^$WGmTG^@eQeBf2t>p6`Q)a*#UYfZt%Vqz^u%brKAPp0!rc-^kwQ)@phX>|)&0}$^M(k=}hxK;rOHQ!qgykqhB zbCJl&3@s3J`f*cM2v$;;VD-TT%vtXtwvfF>IL;x1;kmg@HHD9W_yU@Y6ZyI!c=tf@ z5RGqG#g9nbQ|_|ti9$zW4x>n0h{k}l#VnN1a3xyh|vYX;|pNfpF+4C1`hw%p0!SlymN7xf~s&S`2e}K@2`QeO3smp_+V@ zU-%$z5h!&eB|&?SCjxP4FrhNmRa@m2ZsH#Yw++ogK=$ha-!DL%Vxg$h`Og$jN1bNW zFX`f~MULE_K?aVXJ*~XUo?bU<3l|r{@tNb*g1IDzDa&#|?X%>z@aPg;lLRh1MVsNS zL>0JK-yc5WNL|ZN#NkmIQgCLHCHwR%^7G>;80!6rpc86P`<6h4O7I1(I-L`Mj!fUbMxnU~D3NMa?_0 zGjhhTgHdpB5f+<$xd3(-LIE((hwW!z+}1eU+QbaNaW9KPzqr%Bl_ z)${_fhE+NhC`9HZX3B))N#z83=>#(UcFwr`=_B(Dp|LMv34J(uG9gQV6pMTr^TIvs`P zVnW9Kn3(CPF9An4aJ>L5tZwpsXPZb~3#_M|mi3170QdoJ6U@@^yzIHJ5J*5Ghm+C+ z9LEZ!01msv@arI?ms9gwZyo7arr$WqdJEtL(f)q-O#g$pcM7g84A(VdV+Jd>ZQHhO z+fG(&+fG(&+qP}n&RU(`)u-#6?%n6?>Wl8Xc{6Ixs#*1oF~0YIo;UL>riiS@Syv!j zW#CLiu?M?6o2jH0%dSor#wZ7d+J8L0s8#b=rE2g>;Wn}{GA$nK1UizDMsgVg`GK7P zUp!7ez9xsg4=h=0NuU$SVV<_FOiBufk~8>Dqb{K+Oi%ImxYv<NdfMN8EP{t$6$0dtoNbzMC~qf%mQD?HoBSD0N~= z@Y3?EYsE%<^{*ch*}ntGaa!*-CWv{~LYm~X>vVd7hfUXfZUZ|$X+(-PkfHhyl39Eg ziYb0tS5q(GqZjzqB(SlPHp;)XrUqS!Hi7?8nxPxDl9p87c3QRb+os^?f|v=y!HRE9 zRz&;>0A{`8yQqEZ^;q{M@<)8KbnhZ8YIHTlc0NY26MSIeqpRa$9z?doDv3UV$$pmI 
zB_)ty=te}^&{@SOq8t8DMtsyZ{oSL*3UD`OfPrMeYU4`JwZz*c14Gmq>3YexwQTWpmks_Nn)VWl6*dG4$xTH#KZ=Hz z6lK+9RmrY+k+l^*F_EhsKAjsFRX}G}6hWJfWxU16yc!+dEV4E;Z~mth{ynkefxBNc z>U)8A3KI?~O>~A6t~PnNYW#%~p(uaZgZf;c>LtVV75@s$w0D~yp&75CmSn*PK=KNF z8M0Bwli#qtM;YQdu_S$(WvwJVH#dOBwI9c!u*?l@=pJnl|Lc4hSd!ZaUd%SoWKJ7Q z#u_Bs4NLJSUkM_d&m+4ShwR@L2QCH1g48XXp_~g3)Po#4Fh7dzL>dM>=!(!6kGIAe zcEj~_68%$<_9kj0&qLNtN|=-ISbPgT`!N2*WmZrKo`A#sS4`8V@SWJC;MHH-y4F?xY@PvqUXSLyikmtq>QYhQ(IWOlU2uOH6-&IG0uxZD67sTwA|NT(zVF? zAUW~EUDzRY)i`He387U&lSE1$O8!D!Ps{~cJv_^`d>+<2Zoqv|bc>kmR$3FRm$9LQ zZt#1_NIpjW8>W|nrpxJXr^D@(NRY56{n!5)GpZ$v>^9CEiIWI}607xh@s5~K63YyI+ z3S0e~tKAjUkeG9gUEXl#Olz(%FoWDuT3ScBjr9M=R$Y*;dC4C&=;c(}oJ4 zB*>^{M_h*kx6B%7ajj?}|H-I~os^FVdfA0HWBLI$ke)V(;NE2ZZE;DEr(a$figD+nkfZo#%-q8buj}K6gm`r zaT#U;klBWDNQ;Vek!#Cle0c8%gr@a_b3#^!=q-s7nvzcr;PV!)DxS+N!|BE#B*l;- zlFjn8#ee>CHc6}SQBP@RE}?1`yk?jzw$-Wl z8twTi)v%#Q=tyw0G>aT&ZW{I+YX;OC-SrP+8uZ*+(ULI^rb0Bs;J5IP$zI_U?`@eU zgBC*$1)(@J3Uz`Ua)EMn=^-6?>$$DgzHdUe%jrSSK8f^3ZTq^I6fpgsS27|rw%svJ zmKeJo$GT&YoXxyNZ$I{FvsdEl$g?8)EsLZl&)^S4Ub)kaKV7Lf0m%TDkGL2}XWM|k z{EZ_1Z%O(tmvxc0{)(jgLIWDJML4f!+9CtEj(q8GF%*%Iw+)@aIKNpI7d}>%r;rV{g5Gu$;}*74}_VMxwL8Fn{QjCiLf?I`V@ z#3Q9;nivq>8P5}@0W31Bm4KV7$M=YBw>2l0jb#O^WZTqe*y(rUQ?E3oD;doGs@e$! 
z8i2agTuxmYDOAR|5ua={6dg|yhawPzINAotg#T$XiQz(S!y;?xTEc{*Y^|&iC!Zjo zdt_-s(-iu6KtfaJPZS*Ad9jjlSp9UYh@yYG(vVseIb{t})`Av*VgA&edI?k8Z)J=|^g z1#ILU0&m{4NZ93jo3=S#kg&!3m%KxTqJ7fg4DuaD+boWrrmssRn>SSa)htPO!b;NR z$D$FjnO-r499$iOLgC6>8;GGmO}Uuy$bem}%NctQd`nlSWl~sY_gqba_#O=c>5=LY zUEIha5<_TWm%snI&44gX8_(w?S&}ona(QF0`hIlw`}EA-?Qh}6eVg({jESHV425>p zCI~3cpeN}XP?mDqZcQEPP+s(fFd}AW@}^6Am--shMbU@6@Z5}*u`@Oz+80aX24g?^ ztd;l>1((IpaM`j`f>vnmfMFdv%2gfyLXDR+^ng-%R`fk4X&!^)2~oC!HLNq)xCorS z`4#%Y;`P726FPk=UZZ1RGzCJT%tqT(%r8E=*o6hu*X{Lq4IJJ!MYy> zOwzz1XZ)F;g)HhzO6Hs2lX1UCBu_Z>@oQ*)^;JL&&^VLPvr0>SXo*R=#7xk`3g~Q)(d{06o)a;wdy8_ZfHxWsdn@XD zuLYZSC`F|Sf$Jm6zfISn`jjThNo#Hz87q$8Ii9Z?T{9VB)x7qD(P~FDJP56D0AAJv zop>f0=;jr_*x|1j1q9){P=GWXiC9zQ2}#nivJunS8&QBA9nce5mZD$kCpcWzeBCG% z`baVxnBif5Tw-vNPaz6-g{Hn7Bi0F={tr1abmI>6sKCV7(_dirBvINXrzpSt!CLS= zOy#3VX(EwX5u+ZN6wvD~vqQ))N_V2@IB{W=n>J0FnX*cm3A9#1CTy^$)-!-LQ%GNg z$ntqNp?*s%2UQszf85c7UTW6;C(Cl?|AhkNKUC~i)UE7%bZNqD@lLpbQxJNx#(sYQBu*72JR%NA6O6$efeSJ!TJSJzqn zNc_lN)IYVqtE1w2(Nf-TSL51LQ!1K&Z$|Z0OiKR3|4q5WgP!9Hz;|VhJzirIU2W|= z)sI|!Y^1t4c$Xi>j~e`2zyTuX_!fxXyFVPY`*1uBeg9ba z-hTM8b$HV}$dfA5RzJ;^J=g*d4?pshpFE&)q5`Yq;N5thC6wjOqN3tV<+zmZquh8x z*0Ikg;4kbWy;-!iOe-tOMPyJezTNki0Urai&tv%dVI{pe;wE|=L_WB7ruFCTc|qS} zKHx8Szdee%x#!vG9J_4!NXsG$B@N=X2*R@MLGa#2dG-$=-M7rS2cfzmHUM&^g1|xh zgSUv*fx_EM24>mFAgjQO+{;5@WX@@vaD}!SEYc~4@@6Fm_Jq&`c5Mx8SXPg81liRb zx8nXgGAg)sV2gA5F8_M<99BU5k>GS1bv(0%scv+N1XZ|qo182oKs zRihut(33gY+|BsycAZis zUz8VX?&Bb}xY|+ws`<1gHLjD;yc22F`k)8Uam$+o%EaNXX4%@C2?F;WVt!GO2m}tbRtES z=zu0;i-klmB}DUXTt z-OyNfdHITjO?dr4Mke}7Vw})+FL3p+sGQigsTkh8{TP(0)c4TZuQv7R+&Xf;7Wbel zgx=0W?EW^Nx2e@v`7Y8mr*wKeH?y@y87T-=Z$6hDYQz9`=xmF!$327faWaTV!Ma+_ zl9BOugFnLtzy3JzISq;BteQM2p9r6RuO96Wd7HeEI6s5MN)N4?aGnoyJ~-3i*M?vG zjnGfBz**<3=gxlNzuQlHrQa33L%Pv3Z8IkFB+B+ihU0KYKtF7CO_fv(Wv2?&hlgt& zpXBMiQgIJsg*Gv0C$OTW4?na-wDU+@mz=P6>R+9C-D_5sH9X@KQXVyimA4RM0CAt? 
zCQ=o-@;O+xtewe8`b7Lh-7FUp^(gDo zd}E{}M}VuX@K#mx#SP5!e0M=C1r7DGNE=8+EEg;6rXmkV!QSDBir(T4s+k7s+#txT zAPxesII$S}{>w0mf>P^D-42k^)d=D-#?sti{X9^C_l5nE)47G4+W|8{i0Ym?(r-PW_iG@naTEl36s-fdVN)pK8qbq3ie@+8`VUw}^fBiT64-hz5)g)y}6Rq+{U!RV{pS z`L52gYy+Yz5JA&O>!>bmh%$Em%wfR#BVhR2raG{ z4`lXZVVUhQlHQomA4p-V&TG_=k3%kFa=B)m18cc%H;urF&Ji)eVOa0X374#xcZby| z%1~W;X(<~(!o2Od^Y;5*7AeK@XR#Enq`omm92&bP`b%(Ji5jJ%@{c<|Jg3E8A@lXh z5ZUL0mtFO(L}y+~w@)un+JeNvKT0PrR4+@_1ppg01u#2cM;idiVGANoVArf(>seH+ zVBY?Xm`dI9tJO+-x6ZKl3pof+P_(J;_qE&*)(k3ICzmHVv04L4Aj zL(Z4n`@NODvV5Y`WlRGRcM^C4dxmfnbZMK#s9Gark1q`tp!z7qUd}zT`iG|x9wn4C ziHfAVWm6^F8hAp+uSHaKG$KULUZI8q##Xke#tyZ*=R&bjuCmBbsU`8Co${Hpl84T-caWj16n1m#tm*Sz4DZcpr@q9zB31sjI95+C(N0{=k=yvi(%~*J7{viD-fG$6L|Z)-%^u#Tui~O&Fdd zd3<2Ze2x$e?->tEK|>Q5hZ+n{u)*R96YqEY*$$7K-+B8l*-2_R=bVMB*Ai zFAz1fglyah)Pq5_2TzzPTvi~{j&rYCo+u#I3J6y3QcO-bzXS^ic;2xpIC0P=+k_!c z@eBziteub&PeEzv*DzFAm683F?%Yf%9q?4dyiI`Qt3YPSaE8&J7ljXxS@m=tp2{`P z+?mvLuvAqW+@BiWVPu%taOmwoyDR1wP3xjNT3*cSUp`fK72Ir<_owjs*n5VC#j%5f zJ`^?`AV~pN{w})Di{`>^Wm!()gP;vYs3B*?&*!nv8kw!#cY=6s8In@o?=w+o(Ku>S zGQ3xfcc3|?WvZh4hLJ2F2?W{9Jip^>DCF{Vj&@(c8vlaq*ZZ2e0~#b;T-%``Y_Bl~ z0us?KEJ~ws6cD0fTZy9PO5Kg4Tpwo1Y&s+l){Jt@=M$5Vi^0k?6?m~veQNir*`Tkj zm0H{+vWDtoq8~=maX7rqy;gjYMaA-lZUDDQYp6O6@4rWts=*rdx75&Pv|Tfm$6{8)5WpD1oHy>+ioPmO;VPU z;eF1u&`2K8ywHR^FC@WtebP$zJr5p#BE zfR^|wsAG2jX1p8tos7$gp=0Jh&n$LAid9HP;c0Wn6;-qy)rFjahz%0Mbx1>*89Zq@ z$uI2_*zcwMfAXjM=^F9$4tve|yKNV!GWfO#W_>BJQ<{!gm(Z6!WvUR-0rB2EoG1$~ z|9a2!g;;$C@ER$MM8fvJs;&uUsq+(eqoEYhR2=jIf=a+Q3vd-n@odZ+P!p2#NkL|p zf{gF_m?98~e=%O_lr#ybkKBak1lMQR(_c(eYx=FT@5t(L(!!?YgS8K@fV6YZp3v4b zG~Gk1cH&{%>y%N5%1cVJxxy;M)X$`uL4qSN8#d6pRw@-(4}$uM!IU#k@w} zsLF+a_!6acCwP^{#!C`s6Pthw(|{ZB{M7BP8X@Ow1iViKLpt0G!ZpXd)V1q3vu8MFpsB)v1^+F_xAzc z4SG=x#<99ekn)ifilDdq^(Qgg3P*~180ytiV|hEKJ;~VWK(v{98T|;YqpnZ1q;Zyt zwIxopl@R_tE%TcV{e%Ai15|rDur@}3(S`AWY139Hk{jaX*Mg6y&Pg?B+nlzzMpn4i z&%Ew3?wg`TZ8Q2vO~6o?Zd7T|of%?#2LNQ4%ta;Q0QjF9cehh#l$xAU zG|4#fsEMs3pQzVb_>fT&o^m1&es@?6cBz*gL63T6$WY=1Zd&TO@YBC)6q2e3>oIM0 
z*dh>C@z8)KZISeL#gN;n1A*X{QM-(`TBvhdDOJH8bH~hAPy8GOGBW8NCj&vAICiIX zl3Q2a?7>0^_vHp7f!t633!2 zOb-+cm5?AH`4eXXyS_St?NuVSuA>QMyLj(|hvPQ_U7+1V82W+@gNdUXtVL_dBm}lI z__cU=D@%bI*v8~4xFFF0*-4}c`FFg}w(Vm^K3(3TAW*>&92DcvA&R$8IX+pgEkfGo z5go`17l=TYF}E2m+aR8?s3AcyFF))miCSa~;eI&2h3AuR9Q6ax^C-@=LPe!*s2vXn zy~xTZ*yE_eN`(;v*dzeCDKV2;C`$qVJb(=XO(4k@C0ktJ?Gvtm)?^xZ``{CCL9!)V z1d2_1du%a<{JmBK_{d@4G(o#=2q}m-Wc`&=Prto!S=5tmyue^4JAf28w!sNuo+A#G zfGM(9P)x6|vb?S$MW`P#vB+X%0JD8|GIzbpID0g=lTK_g=MZXU@EU^~M7h9jT0GiU zvb-xm64E__Jh*)t;=ipQD=-bD&hg_Pw_r>_WVl^UUs7&LVF;}-HKhaBI@cA^yTmQ$ z|72=VpI*)x;gwj3XdZ4RLf^rXKVie#x~di&>z}TA3Bd}NZAL?FX**50)$CVuXSZ7< z+wkJK`JZA;V8slh6P^GyX#&N`3t-@7k_=e>R|vPIOcs@fB*aY%-wxrf$}-Z-nC&6ZH|Doxieu_(aeZ& z@@GEbZ!4_v$~Z8F~BBRoW#j2;BwU07Go2*Xf0jP{33Z-_zM@DeZT6rCZs>P*;ALb;%`*5Yl) z&FqP#zUB;g+I;Dp`X218#Cs9~)*5ZYZ21A)q?+dnL2vX-39NF=q=BSlk-V$0{y<|C zkg#8v)4!sBpRqMf2a3F+h+k}^07X=DSuU}X{ijD*EOfZ}tvH3nddJz0gH+bKn;+de zBUdBJft8n$4K(vK*)u9zAY>l6I15tkHv`LUv;tK|kb*Znd1{T@P7 zt6xDdS#}(e2n;pQdRWDWLxpZd#(eRA^X4xC`1JFJm;)cx8|kZO5rnW z=b3FX@9wb&7c^rqpHu(&n4i9l^nUSmGH>}y!wAiakJ!C|Sr200vX*X@>|Nks#|liR zeCmXNQeqW_ z+YKgSwMbb99&eB4dgMyviOs~5>3irP{hp609#OrfNgk3gzrvB=!9VB$K1l-I8vt7> zNE@NL)cCd+E!hhf*TlH5(1Z>*Rm>vnsl(rv-Npt?xqU;sX0E zAv3iSn&}1|zTJWX4C!?hJ0wS^iw6rBmwK&hExDoxO3v8t(q$Rql~fpdhZss(f6QXV z_Suv9Xj9)iaP^t#^od)_^x1L|HK^X1ZV=ZH)RkKbI6fsrcM~xVQp6z`BL$8F2(dwU z_a4te`IZz<4ix*gf)iyM#yP`m@KFJn|3c$t+>Vti6Yz*8=gysSLuD#CF1+{fNf@{C zNElzt8HX4z8^OI54vuX;&Ov7_XkV_cbflMna2$f4mW=`j1{+zdGSPycN_f--*fBO} z4zicIdc=Zy<`ZT~t{4>+b531{=M`uSPDyTWVvQE1cV{E{L(hvEtZLaXbp;c8?8ytl zVzE7IPNC{Jg{y(-5o-E;LvXV+94G)c=0jQ08Z+)4sD66sZRCqDm$1Rf)P-6ZHHmzTD7Ap$JMng^R4;h0E`OvS*IbWp1h`%KVY077mcP}xXHZRg3 zb5XN~nv44gy}PfM{&_Wl=irlAq+W<|?MAf*4;~R%2sWi$SuVFvF`}jEn1`Pq`%)>F zDsc8)_@yFaW~rgXqaLrO0TF%8WhgT@1Y1{{8Z)2j!LC7#`JEG^R&*vFi{|9bNV^P67$Nqa`*gpb*AJJ8ROdzjc z9P;Nlwi6?OQs|C0*&h00-qkphW4-mwV zB>Kpvm8GGw!i=<&A#hcjM!61g%C53AXPOO!*C@U%QuKuRx~!qA)rV&<1ot+0om^l1b-1qP`UvUNa4OgjZ+tp10LjjpHkaxJh_&$ 
zWW_!t+8Y3c+wYj&2pWYX`_ODeb6V|Roybv`zEbc26KJ?-?5Fjd-12#BEfjOljEpiC zj>mesb2LbTG~){}H^6%z9PAg43OwitVeRytmc@vOe<#El)$jCGGj@$Q zV!u0uundGj(_=()a~h)(IJ5L57}*l_xH=OtH27>&yirmb1~sMqYD(!3O2Ln0A{*6^ zJjJ*BxsnnweW=W0X0=W)8(d2+-DXV?-COzMga>Obv&SfzEHt^)s4@kcT7Gg|8RQG) zl2!ycF^LtE)%O#(a^{5IUxz>jsd`IXNztI$pMmh;HqtWP1GKa=rXE@lXUxSadlEK_A1l5!_v%&tE7 z{{azQ+-Lr0xzPWvO8;-M$A1x`_& z@r;a2jQ>L}l%p|ex5b9KeMw!DSWZid3%{GlG~Fbd@N;*CBIt|ipe_pWGenfI_T|#0@?xpu7wUwGHfDj!*_7 zlK-5-jk$=%{Z+6xSSCTb5|cET(Q{s{0_*UA+@{95z)X`QrwhXVupH?p$hGDW1Fg7D zN=5-K=r|sL1kJ_4&b8GiJ1mAEZ>I!vpV|rKqnX4dc1_VNYLol8>JquF_cm9ZtjjJ6 zmUFb2kMx%nybGk<-?FK{ff=(AgSo+RrkU6Q&0^$T!t$FnT3E-WvF+^p0{izc$A|=D zX^%O|SaJ5bZc&Ko@d(f81hB)KlFhg{3eG^$x%MwvR`E|h_uMQgH;F}|^({zZXyFHr z8RT*K9SI4BF;#o>$1#m`XvyQFQT|oYOip9xwU;P)ea}Q#zqjR0J}3ZFww#}a{87?= za$sPNDR}oWk>###pJqtDkmjY6w`#n-vCedfa5$gzZ+XrQX(uJ+P3w$wxjo~&P5ox?; z!%0wC%_H32B6zL>ccN1b(+bV*1>(>FVuw(o+pufxtmOCW0-6ovI`KM^uG+9 zJ-)*AqDGyMp07hikrd5U7!KK=dmoVgiY(lQT%-QK+8?fUC3j} z7t-D5VB?)@9S#;0J$n%=q-Xgq35tW+`BU7Z*1d%3-H|#HaSl z_!YgXi1>cW%k;gfG2geX`ge-Tmowe&=)y%8n(Dn@THU`ZyxfWPRG4L-mzq`iUBdq8 zSBCu|*Db#|pIyeUT)c1TfXu#l`U&n2huMFRR%RU?9AEc;U!5*i_ZM+>AMx_<_HFVlK9jyySkwtaqDC32A6W--?1{Z?wOCWY7AC@uHeek+kTJlAm2 z&Z*PO{}=O(PCde!y15SiygXioi2v3-dE1MC#FkHZ3yk=g~&l% z>&tBZlib%z2I||$Avb{(zLA5&$y(q#^A2*?ohwib2FU&(TS{nxdNqdE%_|1m!tARL zo3fcU{2I%==YP2Wt|Fm&AJS+ZSpb{v^;bOd^PS{07qh1tu;d*-o{ufW(~ zbE}aoAxl3Od!u!CiLNcwjGD z)1kinQ{j=ldGY&S<%iC<{6)ZM=}nlGiY_l=n0_T5*PQEL-{;-?PrHFnhfd$mw2N8I zQ9lYakHa;tuiLMHz(4GA+a4J5Dc1Qy(LlMZ%iSyS?vT}weSVPljdL~DMsV<}oEB)T zf5NcKd8S;sSz>B}XTFXIlJWM~$ea-^aeW;kHqfV|+=&epk;S$zTd;XEq(CY0X^%lD z@qb?<6f22fN|*v@p-Yhc#b&gI@S@i4pHQmCS+Au9n~k@{`%sT*plmtCwbEC>=rI(7 z4e2;SN}SPm`~J35b9g#Ca*Vsj_(1+K5!OuayCl>?Hj9JLc4wD`C^1df6?y{8ChSP{ z-%f&#Lh0fL^Fz}eDtKw;eMri{$G!D*^_#nPY~x+yW`*nN_7DNo`wK#SVM-jFxqZc| z8+3k;cfL*m$0By=;)%C?B*Y!in)4l?XwaF^wW`2~l%KB8nORl{U_*X5z+B$;Nk`dI zQ|~{svst zN}{Qr_C~1#ud(4ujPz&cb5hBGub7Y!GOhi z3E*W7Z;(y4S(_&UP&O4rTM87s5GIYJDmT0wOeC%lGh%T@H-7c(ct|^Q+$YV7Z-a*_ 
ziLo)91I};fDmuh{Aysq=T|UagDJy>=Fw`Y6LRvfI7mm@PKirRr=HbV-LNcDAUkg%! zDf2Hum94~aXa8-6`c$pA&g{^NgLRm>1M#Mch0#i}knMXgreF-dvH>e z>oVyXM08Bxa&NV94+fPG*gSeXnk(3rIk+mM*u#SW$wKf=FK-p%@GYORj$OK>EKmvH z0CTfUXUuD<%g($tZ-o?AR;6TD3D3HrnhPROvb?u<2%qn*EE&DYF43>}uxaz5WdiU8 zqn+q?2V#a{IOhyJwIYI~NKfV#ij9#ffsfG>R?|g|lj{67A!~f^?~NF-FXx3fR)6IT zo@-_FD=dS_j`62OM5Xf6YwKS0wT_w;-7e=@>k)q{Rdl#gmmEK@5dcl{sK^nVK?@l} zCD3>v9{(#RLrn#D?5d_7JI}0g!twz$ z`_vvtKVha9=R(pXg#X@86y!eMbjK`#2JLuqD_Mn285@#?n-EE(2moQx(3PY_W7Oy1 z%s!$_wqU9*xkQCKJ}?cx^LXt+ozW75=WlTNB;1AvCLbSwteNM1ge^d$i{!2k(CW5E z?1QPf-#8ujCedA-quGxLR92fgd%BJPS8#h#x>_Xama=u_2z)lQ;){o8^V8WT=?xPM z-Jgm?osL913iW%uZ`=gSkauGZ`dZl8DoQ%<18osT(?bJc>3!x;rbr$a2c)zs>%0?V ziRQIh_mY6U4U%FtY4yk9{u4gYC}9lQb_Ct-?pSvonhQJ6_#CfeLB--CxQx`41q2>O z`6G3u+)yr7^(_6lKBAK4{(@P!BZ(xsTJq2jdEB5TmzWv}JcAPSXfAma9Oy*I30AW8 zeX*AX?iM{dlJ}{iK3%5QY>|a^L(fQ4;MsAo&O+OGS9kF5=>wA_1nlIZcwZ1#gFcPj zY6|0O4+?8ITr@f9W!X#cae5r8Dy{n+d32EdS=|}m3Ykittl?bi^jis->^YSuEPk*XLEbURr2*B_ z%4pTk*&t>X@^C!;IQzFtdZ?KM-C9(_i^NAsi#@RE?(}x=w3JJvmdD^GSVktiR^%f@ z`pgF|$+-grw{mPngE9Xt;)(6({#72HaHe%)-5RC9Dk);)s5@+4p`fS4D>Js^%s82Y zx}A7dL_`T?uBqVBKgLSC5oEdpF2YKpn#lv@7z_2K7|P41jTwB+$kqCOeh^oc#9kgV z@=b}L152@&Dxav=}|47X|PhTXx*ll6; zS)4xwb}}t(Wx6GCQiEAF)=uqC(ra`VUZl!jZ%|I@iyDYmodY}sO$r9#$NudPL!FIHO7&LKWt+HXE%%p`M!&)ta=H`HgdWAnWjc@!MTkq3zGpYIQoygB zCN3teml4tt`mIrADp19xQB@k^L;f`SQH(TBV9w~QttTje?^L4-nUu>joN~}2Mp1gg zZ?a!dC+(b1sz9oJ6jb)2Ez}}HvlQN=Z!SeN9!OMAK;*+Z7)sZ3LY^m`o7;w|!sdOY z99Y!9=r6}YGvI+E%ub)rXzOHHT3KPhGtFSjJS*pgQ3%kjFK%e~-ot!o#i|@L+2}tx5O7mx#V(^+d#Y)_-JVA1YU%nB zeZAtc-^)&KEdF~6iB0z_kM;{|SiS&jI_7Qk0=5=yS}UO}EKs$CLGMJ1@~Fo$fYIi%+kd7#OlqquRB5XbKH1APiTo@I;99y)hat3sF7>_{2L2MLGY z#N0q!dB0V9b?jB&996m%`lIv&M(?4~+XQwAU8vJEmsx>2+$G$8v`Z&cJfagn%yquU zS`SI7H14p?%gC!46f?P)$OG&rrj^)gu{{!}Sq332`S#mdmUyddU&NFdNh(UJo@S{k zFxte!+C`Yj;tUd#08a}q=Q8@$?>?2#3^@^b!i3?|C(~7^k1~dC)=U}#zuc)zMXx+b z9$%oBFBzu>xy`+^=+US=YHj9_X?FWE9aKLymmdypU?w4RBy>=%jQMKDwwOjGS5;Mr 
zP@F;g{o&G-H86^B+ZJ~+qRGA0Fv5O*=iBDjB@oEchxbpbv=@!(0wbz+8`i}J8mR`=X%CvT74uro~TlcRG_mskxY z^8uYuh>$JKKAWX!x?-mx3KvhU7p6i^;q=<0nPY$0ZrWn?u5aDej&xtTNuC(;Tl4Xd zXj|#=u$i8{KH#A=4^>UTs63kd$+s4TR`D9iR~KhF@Q4?*L4Zri-{Puc{t}g7jUa{0 zi&#uI`Xy+3>3Z}ov~}_7m+iDfys%=wNQJ(A^B5CDOFU%wGE7So%un6dS!DB)F&-WX z-Y;z`bSHE(3&HrylVKDB{T4<@z(#}UM47TP`?7ai?Fd9SX!0=A0qSB6JoB_X+xNSauFUSS(lqoY&q|$Z;LD z^!;c@O3EEEOgwbHDKkXKHDR)&-A*{b@!6-2ML^^H7=4JMjaN~xjLd6)_yL_F^wEI9 zb{XScVodEo06E4Dp?DDNJ`h|V2zC>Rx2lX(kLf9E?}UmKcqdg#76wjaNUxC9Nr8&f zI2`VGDWBjRBr^{}1^_su&V1PEemT~kz3i3Lou)^eeJ>tsB90c4pUCGHco(8g8)qaL-^T(Tns|}J46FRK2M>I}h zkduh&`4gG`ECp8Rc1c=`;QL8KL)j7O*6Olp6vjzh38 zG}ecfpQ;&)yLqKIu@yqV<8ai8q2pXzssiWHe1Fy>HJr`u0>r6`n5;O!tw>6obKR`6JJ;CRT;-8~3|O)zQH2w-iL}f4 zH5dbU^g$23oWwLk0mxp(oQh0Cil~!CRMJ|^;nz#3h7mux6dDy65=f+Dar1vJYQxRBa2=uLC1*Dx_`yp{pZqSZ5Kf2geBiY*vr^N=jNHu# ztA21SysE@cqolRj?Zn$SIZBZ%`(GY-8|ehRVIwE^tKPH|2U01VqVMqey#9$6k$>Z> zDtIb=K^{sxP}O5y&s;Ny|2)h5Mzg@ku>=ZAx^7z65^Q?V@znV#qw6`iTl+5@3l5i- zPb{S3E&D$h0|(`>K!O0OQOylBbNQsf^5xU)&@}-q8gSY0uUtavUjJ+7m7?v!t@p&D z5rl;GTocfPDv$(pS>SGzb!83&VgJddL&PWhMU@D?q&x?j4# zvegsKJ^I!9UA~p$BNB5TBNvE(0sVC%aewBV z4CRiE?WSU?d^SzgDTTe_Q`$gVBOcm1V=Kt>uL(os$n7 z$da(qqkmMX^QPMmP%_ir0r&UzFd(MH(VGhJMUh<35d}|B3CtlmXY7NQ^a7cak^qZN zkPswE8Av4I1&2x~>TU3xqDtIwwtJvRQ2FA(hej*YH#!xIDCX&-K&G+0Ee0Y@WCBW? 
zhlCQsjd*Z6VP~=t?(Rp}qS)H1JBR*FKe1e9OvDM@WY#CDbxsFIBp&@%QDQ_85HV_F zJQ1jD#h4Wy(EbU=oYeY8P21y#dk!KMza33a>odSp>RCX=hPpb>v!VBuQbLg0t+H*~RjX{C?TtcPDT9;`GV97@3(FGx=SNWIUhe zi|vx-PJ!IXiJbfaQJXzk%RaCt@;b62wWPSOo9_j}V)*}J!OZ+m;@*E-`2M>K=6}3+ zKO2bu-aY;=#Q*Q@B>qPq-~X38iT`9S{Fl}6f3t4>pNxmB|87bjGcyb0f8Jhb{TL6M z5x=T+^QAAkc-Bi%e|MR9qObd(H_K?Sw?6SMh|Ge)M&wb%9eo3Pliy)VNM6yX@?vx^ zo||o%vNO%m9S+~6I($#oRDA3%*XMkFz5&B6CfjUuub)^bN4J0M9^YMhueL+q7M|&s zg$yNGFQYv3rM|y=YFFHS4d2xq+Bj-&0m!ty2mI1?*k5(Du`Z0RJn!3lGIzDUC3jWr zJeq%uJioI&{KOk`eMUZNGh@xJP+A{0yVB7~edaUvudHmpTEF`Wol6U6d0}wYZf<`n zg7$bCv9jsL1n8t!X}U%0e+fC@i~uR%{O$bQf{=oY_}NC_M`!%s9{qzH&NM`%-vMx-roU=?m;*NC#2vkzN*mMR-8#Dgj^qyW_w#eX7;N)~j*G{G zZUeI8gBz2*E}k;7nMlgRNNg%Q*_hRo3K~t6}D1Ga&*Ct?}bQhLkIMTPW zH(5&6t+IN>k_$1#uWQ{yq1SD8pl9br7vq`?i;IZdaWvK$W}m+w(_ViuYw>7vUB0!y z(qJw`n)}v!mUjL|fAWZ6?e^DGE1o61!^rQ zqoE(VZ6iAQ^h_hQ&lHy;Xdb6;NUw&V#uQw}{y)035J=1yqFJS{SCcZuU#%#T#a}-x zoe5Ei#)K*T&15K10UJF`GOom#0x}NoX9VX=)EI4_OPBF^ppLnWTkN#vZNFp8uYR@2Um%2*Djpp+==3MHcfOExR;{-mc8ODzK)=4@uzg4e zKbjsp_LKj`8wL~T!Z`+U^Ucg<2j^*FRJgI+f@c?pkcPlTej_3rX!OUpBHv)v%jSbP z$|WP1t5qQ&hC|SEt1ddli)WLX?$`xGw9BG%;r5Y~$7jmDTCuu*&^K&-Urf;q;7m9^ z9lNI4YJ0^ktNxQIkb<^Sa@Jmn0L=}{+EgIu<3DUXRL;=}7JC{Me9T1IH!gQ0{#$9& zLbwuyJHV%gT&zW9?O5jB7lMWz zAOGA1!(xRQd=CjBTLY4ns4n!HRp|aQbOYr+BM9Ln5jGI+j@fdFRtE81{?|*kIJ{zE zuHgjze525a#ZbHT%RqF`wqNcK;xs$OOTRTAv#TxUMdkp$g#}J=w|h1t2kw#SSsqFh z)OK={UPvI*utJ*8kY-53>7-SRM8o4RLo3_NOqC8TbD9#t)K8V1?yjK8<@onzDQ;<+ zDxV_6v>x=e$e{K&gK(&iQ135*90|dEnv13Nds99NUEy$X8$o1AKB84LBI7dnp zQa<&NTrFSW4wWf~BN6Tmge6DHWxmkT#;QeqzT6eE8GUBXtnyg$=M9Bf_}Woj!$`W~ zTK?Q`nzxxWu7(YqroFjqJrVXwjX>vy;gUnw6%w=1xtZ;ZTwN+`*N(*IN#cQ}e4JL! 
z>M5h7fhT?2IGojBJMXWLaP-LvJa0~z$@mvxM8jPQElhB1u7 z3g)H}5%%@q&wIEw3tU(?q?=l?E{v_5_u`s|Dh&LOp~ZUnw*7S%0|e|gcVzG7W$O3+oT8E9Jq?EY>FRW5SoLvVVEVy6skfL?++UPQZ`et zfmnBUp|!Y1d@`!A#N2~+aR(v+a;$d75haNW%EP{*zeUJapaH*-&J9+EYaPc5)RQ!T z>u((dN7ys=KvV^wrCJhlZzCr`Thj;!6nw!%rewa3XoF#DLXeK_H&4NG%^iy#uIrmZ zDSiI@hB|M}$gb(lk(DSQ7Z6({*Y&}}HnwOK<~gc9Uvd54w4KGMvl?x(g>cSfUFOZ5 z6}xvS;4f5uc+pu=4O1nN*(;4z9K{w5tMfPEh|k5OvPtsBjyeu>F^bbEtC)rO+GX&K{=N}K|!93-?dMp`W5GZubvcW;flG7*wc7C>S z1ds&tA__*k{a}A+OqDxB4Dxycs8#Ll=bmMTq4^}BgVlK@5Vkg~i?szQpmC98o&`D% zh@E?5D5bXcV|v^H2sEb0IGI8HYt2U>4a6bV5h@|5HwJ;6!vgYw5vmDC;v~6K`Z;KZ z_Lt3Uxtf&?^RV@JKbELdSG#lzt+b=(vO-;rU@Mbagjm8~Xm%$P67mpFuY#wuiEG|^ zI2T%UK4Oz+vjVINIz#$Iq=kv;Pmxd!v-#{(=+ov0?s{iZsl(~0mR3Vzrfo1HV%z zZ5WiK(UdV*E9;vOL@R`d*_*}l^%iOs*h;+beIY|C>j!i&nxPHc^q4wGC8Z0JAeP=W z5ju4qZtXC*vE^kipNq37MXFyk%an`8=nUUna6vgE=_o7`@2%n%xQZL0H2J-&JWnNJ zRIY{TLkH(Ks=Y7Ahp8`CNcI7TI~52hU`C26v~KH75G0NiP7I=9y~Y1DH=xp0icwgN zVX@ZUC(v(TNa^nx`wi^(Ol@$y>_BFyD3d}?r!19i-jm2o80bIM{kG5Twdn^Sv@@mQ zPS;DQq{rJAybz$&c}G95*pe`RznfxMw_4;9gD$j~NrHmEw{M>YW-&n17-ILL`678t zu++Yi?55krSK^9ER7YVOaoWOd!VE~m?jYeK{Kf$q89PCC+Y^8yy+a}FKwU(4S8z&#cMP$(YvqB=L9VEit3QI`L0si!)0S zM-=czu&8bhnTVQ&n>s;4XE;4t87?16#zUcSA^b&8x?DP4W(Bi`51RtyHkL4w{pUtk z3*2Ju38XV!5?+wFP>R_RiTElFYbcbhMdL3ri<|B7j!L{uA!YzIRxsivlW$vTK0-b) z8we;tK-wKZP14~Qr||BL#(;KXfI=7&-`SRc37Xko^$bKZe6Y(wT*um{^4`MNkahJ* z@t*#NCYk>6nMMp9!{M;RpV!RHP_EmIDo8orBy{x=?;Nr87%dZXnuiK2?Uh5#N-f=( zGtov_AA!XmNgQExGW1Cb^G(D6hB-nXN6i^ii*q0tebSD}m$-V=y@2|l9eRo|Qp_8) zW^dO}9EFuZ_%ySo6%$UKByVsxCt9V}n+{>75hZyDXWbO7#<>N`7$%1F1Gd(ix}Fz_ z|GrI9>ENQ^-nUtoUxY;Y4JqTku&7`AH05TGQf3HxaB7&dp*Lp;%O5F@S6q*fNbypa zAAQf}3~q|G;FpiIUFOjcHn%3^#|LeZ$W*0}nb6V&iA3t`3do$Yw%e5^?#cGs!dexQ z9{j$FB8n6}WnsBnz-c=l68-{rY30a4%$etcGK>h<+2d$+!98=7|3~sz_GCl0H(7{{ zxiE7^C#d5=3F^^q`qZ5mZTtP3@ETc=+ zU9H7MzOcDpo(hm&m~eegsSZv((yF+(_L{+V1)q#&nmLYeu<@fAJjZ1+3uE*vL1zo0 zzI2M=0BUYhn*FBW*ei;7tO1nHqsY`BLND#C`~|3ldHWBPN=g(!=9V{p00b%dXZEGV&@_IH6W+n-878oH zK#)bWCBr5XgwxIkJA*C8z&S6*<&ixXM46ZcXBb%3 
zg&g9S<)1o$=gT4ktWv7UhW$kWvVU39*LB$$<^om@4trr!$2hK{pt^WeeBYZCfo8>}C=*UQl@! z_AUz|wQAq2`J8PUk!h?aszp4#W>~>8eX3!t0`ZmT#1ect2HQ!;E-Thy$pQwY=Kq;} zdXZdbYc`^U#Gk%Pb&V{(1DTw?428k&PMi|Dg7o2zSH3QVS{ zs1hRv`@L3wcL^fgspbx~ht=OxfL`3e9HIA3^y)GqUcc_?l6Q=#I1Fx{Qu4LCScw(k zI(08P`&U3&LfV^RQG}nV6$QAlrXdFaf_BrU+`bo#_H^}L5{cg5&wF9FsIF_&aEWv{mCW;loK!TXgS%)pY4GwAwhgPf|htUVw&?j#?7atD~AQ0OU_m&zIO5PEg*Mk#Otfc0*g z28jpxAffsE9a1$v1y(w{ew8zx(kRM;!_mwkzV|OS9OLktk!SU#!x8EA-AK84t}wTo zIYv6U82YH4u-a=?n)@|%k=y-mz<5nS@&AHnvHl+fX|et&@{sw4QS_)pRFm zQOxO+s!aD5Yi%gr8?tM|hD54WNZ$+x!TaqhwtKQ%f5 zS73Rch_~C+n(mrIWKRZWJJV2yMP4|?W-t5^+lrL|!#^|k!n2k@YWT~2#P!q$EkQ0r zcLt_K2;;yR%wau|{$Q)s!Zpo5`R$?BHjgct%;8DGW))j8hdn_`d`#)i}tGD za5u)0GWO~1_!)G2)vUqu0)5H*_dnEX>TU~hhg)mhVa4^p-(JJePf-@QG3#F9T|H#V z0t2;gjrdjBzgxINuZ8)-w}>adp&r-#Z2!A0xt6W`}IPW)YZ4z))Dr31(f?r^`f1*GG{9) za#4@xc2Tfb(?fE7>_W(wdt80>HVR{$ol^=SnTM%wF7v?S*^44RuE1l6{j~SMpqtW!RAWz#e3M!vRfhn+j z&$wQ`g^7`j&@UVg#J-y1mK=m<>T+fuEEsvM#GDznhhW~jK#EF9BLq{Av%9?Y`Dq+e zD74;==`dBYS|rGLl7Q}hqdkLM)V{ujC^u#T3jxTbZfuF0`FSoZ2@C+lnQioxxDIdu z38N_W0rf+xkwlQg3n^AhU75cu=lJH6hm+yzLV@^#c!_R@R>css-ew^lHtYEdni&=F z?^CdLgBArmCnY&fHAHr8SJJmZPz`A4Ti;!>>2eV+xaaPotk^py@iawTTX57casp9* z3A=obox5SWZy&Da+(3!So6s4h6W;pBaAxRUvWJ4aCo%%8$at0lM+HIi7sYbD;Ji7o zJ4}MHi!OWFj|fHRf@1gWXzCBxwPKnv()Aj7MHOjZVqyB)M{gSXf41KXG-Gpy75(A@ zs^qxwjB)50bQjPMnWpTrxtyN~PUn`_6f$KM7w=+-c&021fw=q$@Xh|jgu$C^<;6oE z7T?N!XDDfE({dA+H_{;7Rdf|~m^C2dvuMN(Grawvh(sf#vOhg>{Bt}|h;E0xd?4q^ zxK5iEHEJa<2yU`_%MW8>2E3rA1-pW=39T}hWLtIIXDNh2q`|;F8^Di!H5f%=WG_S7JF6$tiq+__klk) zKUAQDpCbTw0w@H(We4DRWQ(BEHgpgYl>N*^DtZy9HNiNEF@b)AP#(B=I6}l`C#udS z2XGMbF}Jjyz3Q^*$isk8nrxdYdI^lacdeA;>E?9lBy}lsCC8H_lll3flde%&xrOEd zZogg|ihD`iZoHFDZ!SG6=q&$>0CUcB@N?>K3# z%bFBUMK$+|9!gPoGqwPjUxJJlY$r!+n%YWm$>Ks5z}8s`?QhFd5i)O%O&;DVJ~%YM z%<KA>y<1pFJTC}=f-LG|R{;_FE$4JwW9ZdMPKwSu*Z{F^ z0t{-Im>^a73OTnmn_+*hJ9;Eexp?^PoiXRVVM6?#L8;7smDbt3qfs>A(+?hsce)Ra znW4bb9>?Fq;sTr&mt~W*;l^`LGNq8OgH?m?t1t5@3=!QZ%{P|i5q>~(M}-yybaQTc 
zwUvt1%2M#;=LHmrh5^?Yq9bJ6nUKi0=UOO9uwLK)UXZ?*DNPBKqprF$q)se|(B zZ-D4NOdZ|G0?MHf%5$k+EhycA8H=N!mN22P7lE0RVS}_S#ODBVmiiUCJXy^J#*L&p zpr_pwR)<8AK}fcn8qyt@omaUJv$l+h^MPa;R3(eLsN)^+5%i98i_D5-GKH9FU&a#9 z8)0$1IfAOrQbIpqPq8=KCL@&WP3>sHu~{u9C7`d7kX-zbrT|xlUUlomr_en29BDLW zNJ6YADCS;%cmWXYzg_(Rc+3Y;Pw>QX5!bf7KP?UQC*Q^_b+A4wXnsIqnTSAGw{UIeiGUHZeJV1Kg8=BbYRg0L zP!HbRdb-}qpie83&5Xwe?)XF{8lxLOHM^a~JH@iut4hu@mb7Fe>*2*BRTr^4c`UQU z9u`Ars_+T$JX`|9SzEuuDf84XPA^}cu4pwW-@o}5`%l2pThrc@L1gl3xK+bw1P~i5 zK`u9YcJZj?PjZ!*ZAAm)w;2*miaf%%dH5#3BiMyt^dYNZ&2!lV>Exj=XE8An<;JSW z0z!dgehv1kwQ>$*xVq=n=|936gP#RLXv=Da?g;qys$MX>!0G0>j$pFvCIaK*CS37# z%9+KuRa3(@F7f3NENT9Qj?@$1fJX}Vhtv!mNszHM%r2?ModHzNK@WN{2+an>(b~?U zAD2_T*=d5)Og@|qL&e)J+1)2;qz8sR4@gYU0_D!-)LW$L-<#F$7;q>;jl&DQ8+WwZ zuL>jWy>9&KMN(sgEPfA+96_3o7wS8r3cWpBR*HUtd)DfPhO)*Gmzhpd_ z5fXLk5Hx5Bom>g6ZB_74efdFns^;Bu5h2}j_3O;ov$NMt!lf;rP&)5ls_Q1a|ISAU; zib=$?W>RgixDAvXIKl`?pSw8@g)xS`;!$W0ep3VqAAu8D^sn5Si>pt=@3^Gv8=(m! zm9sg9*t{$9)@ z2pII%vu=QOgeNV?`khtc&jr^iF>Bnn;aISiXAmY>SC!{cOT06S-7=A4v4^7DgtZBz zlOtQhFTO8DnR)dQR@m1`U0Hs!i-d&~Ffk`lLou#!+OdJcPz(5}Hix86-5}=&m=2)! 
zU~{Z{Nt7?kl%a*Sm?}ZnG7I!K6yYW#6ny!GpX=e=y?J;0yyK|i;10_8{dubOh_4AW zimKr{$q=eDl}4m&6M6jd7M)3FnHsD;EF{^3on3QE>3B;4*Q$c(_w}iykBk?bOGyW7~a@L5$ffYU~)V{^y*6iO;8a-;R&|H+YnX4bQsh zte$idKKJFg1W-W@i1z!CD+GV-(uF(8^#JM?c%j*_^7fP_$`s-4R8AF4S4x&$^9O4J zaKrOMkEiH$HAH1u_kjmzF3 zIZB18k<$o2+>CqcK=3H>pwzVirQ!d9z`r}DLLn@%(cUBsCwHS2UmYe47vD{p!Dfj$ zL8sTglNWFVwOZtE&rRFmv1F?eG$4#>YiD3U^!rX8D7q|v%=Ma~A|b`Jw;GCvGBm`B zk`Gr)48}Iq9S+9YX${qY?&+s+e;Dy^J4YX=CX#ntoU&GBSpgu9Fdffntmr&C0(J7vez2mXvv985eI_eaEMlE`> z+4INI8^1fGJVZ$hXe;duf`8@fn|#sV_)1J!UnX+Fh=6W+wPA#qo-I-Fr1qL#>gcI- zW?04o)|rN7+Dtb`erK3f#et+(h2ofDRUZtm*06SXH=gtu`Gf-0y;p4$AMk45@79lB z(T)@PfWsJ{5W!qZvM$EB&tGmR$sdBBt?Oz?`hH)K<7I-85_AS7(}=KCe%7R`>UJ&I zho{M;6A|mL_mN8J(?b)TGPwaujgsz!z6GX5q0|jaq|DLb`I`__L-0~wSvcGXIWESO ziRk=nOO~)4I-~L9?|#Jk=1K)vmom|`bcN$s00SyJUr>62R0KcT)DtesG#vA+I6Z45$1M%b)enmcxh^>0VVM{ncr-o$i19<*9;;Us#XNo0z>YLo?hvgXUuB^c1ikK zG3bgUVmrzK2`7j^{3jwbv%=WD-$ey+PPiws?OMSpP`P2svn_0Mds`(_jVD6i)sLW7I#Rb;675yQn+FY2GMtoR+5k)qdcFW z>A=4amAeW8W$buh*ei9)5F#QE5Q}3YvWd3b5CS4^6oNEF*K%>s)?`WJF6 zw$+`FB3@wo$XEx~u3`x#gsBO#Q|Cc)i7SQf+Zy^oe#zfB2ApG710IQcF@D#Mu<*Z> z?+b+}U0_zn6ZCVMi?*tT=T$e($fH}LNH^|2di+9Luy$U*^}Y1uhapMZK%>UeA5pZ8 z83-ypS{T3yPv31;j+Jm1T5Beyt-OnQsH=JZdD_MZ0!?jYj>CWhya%!xB_f5za$#do z*vgTsteL*39l({i-`Md-ij@TkGc%=H-H#+b39W(>9-%W#j%`#kW;?N6WAoA!A#IF~ z9oY(xv5Z#3;3q#@Qvh_nVJAO~Y{8{x!%~fwc#n=u7$Zv}0Ka9Df26sIfC8?uvr`O(zl@dLDmvXku8ITC`2hCQAh^$4H*`kkkA1n!@wRw_>!sw*9b>mR&&K3PUUDa`} zEr=!qxFT7Y1Nda|94g?VSt(wj!S+gPZ zmU@4i@M$`N(v!KQ`LY2HSifH@ShN^4-t#WGegp3Gyf6G0sF&^kAWnhpe~DB07c2d@ zQ18F){lAZT{}D3&@1%=AzcJF|Gc*4K!GF&5^Nkswh3%jG1%)5X`w!_gwlVtW2rTUX zuB?%X`KPD(f9zA3)U>qS7()G=(q)L+L?tn8JAldE@=zqR4{Q|IDwhZ@knvwKivzP? 
zTlic4-C&A)4A&-PUhd3`64K-aLwCI~+!l-ZRaLz>ZSlPNuF>UPL-~CDsi{>VvH9ZY zJEQE(Ve$Bs{q~^Ju=!ORp{1;% zyj`*Wqi`m}`beu#_*31t5X$Z>wOR&r5Be^%Y z)cSa9RO@SZ4&hN>%=P5!nhLc~K=2XVBMVJ-&l%--5=HSi)96Atc1|x2e;K?BRk6@E)h)btUj62p+c!GX6VDGGYLj+Oxp}P6TLG z?lSC+Te8%2EslBa9%6yp5_`c;_&q|qro|RW!DrzzvF6vz?g5jB^ z*;V;urZWML?OVA%b-Y_JRvH$;Y=Jcczj<*N!X8-5)*+CK93qq^5c3)&teZl*JT0X0 zpAN?PFB{2Z%6HwuGYlu+cZrHOqKi)}B&gz~{G}xjVgsx0| zad!*Kn;_f%?^a*r<^xk zjagz;I0=^XP`w`?RZF88ix`jtMykfanv^8$g4Jo`ga{dF;{%__bNYKvXk_EY++ms5 zKsd??&(MWB#wVgzFvgG>*0pzEbAYA=42dN6F4GI>8Wy3#6daz^oW-8fPn@mO0GoL+<~UEM{(Qe29Y4?+PCPPThUWq3S}&D0W~ud`9U>sVin1b{9`QbDcy*xIP`#2}jB21qzq>bVHs@ zAG0}bj6%7m!N&t5&A%r(GobO<$5tW47*)SQCnSrBtI{4Uk;aA?&jM0_VbXyYfpGBl zT^xnAf=*2{n)Cn}7gJOMgO0L2^%^UFd+_JiTnCuuOC@o5VUyoxOU6ukYB(8NJ@>qp zAiQm8j}YEN2a-%&i;Z!m10G8a1x0n9Mw&GdfeNAxL#Su=3;eQ`Lbe`ycNL676O&F1 zhMzgp>-7P`o1q*t$$cL2JoNJ;LqG7Vierfn!MN~Ag+7EeWwh97c%I_}6OrG+792hG z_MrjsfeJkAlkQ&aujDQ--Y|&X4TTxrw`QFle2`0S#$LmftWrykB!N)>#r(~gluyy? z2+(3P6Uo0!M*<$rTL>efU30gsIKEea@&W4X_E+Y6B9uh*y)OL{mCF_RdFe>m=TmBn zRCa5n)q#`C6CY#^qv6jaJKGM^;;fPoWUb$aLd5Y&;jA(T^?YXg$_8T9Nqs;Je=%Uw z-;&N>zY8FUu|+OLI-!f*WLO*qv}xNO?_nQFQUqF%|BBpQbw$|j{Sv2}-2L(;yrVYa z9omTr(B;8h2DWI!4NJ!zBn3*ABdkZmJccJ;v4J8$evCkfP|{J*B^jh}21j_b5aMkZ zN8e!Nvzicq4)qGu8u>*u%e(Df|3lp}TNA)Xs5$u24Vsq4NEQmMd1G#-Kt(s-fIS_p9An9NC+<0Z1M$LAub2g`~hGpy* z>*?(`vTejc-!jMF*mxRai-q2M~{>eV5PQxui z$?s9T+)c_U0*CAhodo~rF=~ef>Tl(s9FzAnZM3SNOulH$uu}09ADSFuL6TsJ z4xH7h0)X}>gajXY5-4ZBXDFH}L}rPH)`vrnm7+5mIxS*N7IoXAxn)z=Z+7U!Pi%H< z=^f1g^tbv@fUfHb<=ZtVwBNG?4%r~r#cjcu*!Wmt_~ezDWi(%;Le>bz3@ENOQ&e`> z@I@__RW_fGxuoNQc*XgE(**L{xvJ20{<6gHYF6P!bz;@^(YD3(1~tc?zqdTv$-xg^ zP=Z-InH+3QE0?fBrS=51&FIH7m7RzKk=JqN-lOzw;|r>{N?4J|Ac=;}ZoP7RNcMiD z!oCGU#>*jscl|WJ6LA@t+!z1jl>chOaa?5GuT5RI`gi3q=90XALcGtB^{u>ZRLPy3 zhncqn(JuC(A4yUr3T=o2p<9HQ3Val2RuUrt)izK=rC0+pW6|%fzBgcoHGT=J_V>x^ z;)ZqUyI;&o@nH+o$8!{SUlh++fxf7%RI^ys^E4Pg(=H9xAln81jDjM|JzO%hm;*=I zv-p;DZltxqY&rHoa)BOKU4N3V=Y)b;L4j3)^uSZyf_CT!=L89r0W*>Y+uWPClDsw7 
z{k9#$+gJHrOqlqYkAswF%cV6PJCv1newQ5X?Fl%=93lL94s^k$zjiSpqtD!_(}S1hzB2W}?V?`{YF=sxfYyP38`G`hgjKZ69sO5_!?Wtb*H&m6SoZ>hiTyi9 z3#aJ=$919E!)QkQ*;T%#$z-P_1kSefTG&`er;Hu40>at|j={bw7*@C#^w5(91dwHX zV92aj_0N-F1}L6XR-+YT(Nlr%b+CAy@mK+T5Yjw7Tp+u@^yp(7c~K??$4>m62y!Hu zGDFOt4Z=w5P;hKw--d{?R>P?zFGQh6QZUPBFNV8_+urtUfPT{*YI{A9`dVKRAJ3!L zYuU%S@mJUjfOK%L^0@CcYFx!% zECz2S^njiPzF_IVhQy8HG9p5W-3+2^Jo$0O_DrI*ae=dk>6FhY)rDp1(@>W%C%{H# z&rO(2@Z`~IlF+gApCNj>tXqV4FriO41+z1l^*AtYo2yW>nmkKn!mYc}P#YrGVa^JJ zGIluT)n$3wrR;t=p|X>4-tsOu?%RRzTX;u^Y|(c`ODiEkBWLKo#R1ovaX+7u?ZR)j zC3zdq{KAMy&l>y5)JBgIRY&xeGLF9?O&$!|A_|btYcYzHp^CSd8A~@=Y1V3yrl>ZX zAf30VbKk64Cw=g<^VP$Mdyro;YvuKbn1M2lX}d?**VK9UC{3ND zm75UgT8E^umXBfn$&=LUr3qA(2#bcq^fD7ole6qYjzSco`gB{MZI8o;f)vy`Ju#mE zMpHZGzj^{O{Y;sI7)<&opvIg^rK%t8SU(%D(dBwMGmKGHt01J*AU9YNX5OgIbKiaz z_1n;Z7aKpHeT5RvVH7qW6y1`O2 z1qPL}(CBE#iJ{XVv~hd5=oBoYwkF2_+)M9>LDzGEr>NMI?oZJ9(nj|XzBRO0PPTw#@BhQReRU> zn=f{pZ2f;R=(7JGXqwpn7fsW@Ccgjupi3uUV`J;&h|j|Q&shD>xcJ{^#ee?m|KEe} z|1{kGH!`64bDV#)PzpcS|Csz)*#9v+D&TAXzo+B)cPHVWctZC7Gzm9py~h#_+kbg~ zMdVjywQ|teZV`9Q&Z8l$Fu*}gasFz<2ModpApn(o_y&GGyH$3Tou+NuU;??6PE=m} z`RJb(|Hn!OMTqc*1p9`y}&vLB-?!B;)O>!2PjaL|yiO$vl`n z=f)rPZ}M$7eXn-Ed%s_DEq-XQlosGIQP^uYOtvl_5LqJU#yQ8G&G@ z*4$cyN@GrZ=J`vu3~*@I?7}Aey|HTROwo22ec!jC~v3d+) zt3;#utQ5zYu4i*6yRp0dlC5u{@9hQ09K-_;B>rgYX(#rOO^JPgBQqS(_GeccSZo4& z(eSPp_J(p><1y^qTZtb@^o}A&Q@2^tt?Jrv%V7!k0&c%MPRyoa zT#g-qF#GcW6c&;Sn5~gnpm1;T2)9EPJBi!S<&CybHkb6)zZu$b^|<8bg(X!}DDlNY zr7vYZhI@Bo*EY9av1E*uIZ$7(vHks2-*0K}9cpg1g#a#Q>;vh@w_%)Xz(`LP+@=5# zsjMnpqJAgk?TZ1px9CPdSVI$&z#cxLpDs}qAfUU+!U<-&k_XSFH2mhbC-nV^ZJfvp zGI;E@#|Hdi#ZVvkDe)1)44*V?OUfGuq_0Q2ZmgTGa z^SwVxfU!p~pR%nl1I1UGrjedS!m4=iy|p}|z@l2F;@`JiM!ARVuB zReHn~etdKNdFN4nAN=(V#KBKhXPG^dIMZz2jt>0DZ(bqXv@3lM!kX^?`2=wiE{&gn0)Mrz@!IZ_d zEoYjsTPPUXKDbeoQX1y17%Fe>&-Kt%ZI*+1H#`5!7QS^3TXFB7zdz}Rz|l6vnSZ-z z#@_DTP8dF`hVM$wD)2bdY6)OT@yD$gF~7tY6%TKt$rcbJO$z(^VQ1%L$D_0XtDM@z zj+8I0_qnobp~EjDnwZl94_HOaC!W1}CQ5FnSpE9R!v$XU(B@O_z1Uq=kix3&^~N1q 
zxv)zemvhm}AV!@k)F_83!Q>#H>82R0R|7TOljXmI=PyY+@xv1OM&`RI%(pcrBr)6Q&! zSnz}Z*Hi7y;eHwAGJD1_eS1&I2nm+l`*{z)x>cY~Fx9Q_Y~R@4aSVCzKfslef_YxW zp8@m47MC>jH;B?1TJ}%h4jpsu0K4FZbgSDEXsH;+cLf)Tx(=Xqw-^svUY@wHQ+PMl z;M|mOQ_S$tRq@d8EK;KaZ|O6Qh9IxYuuAIhYx0^uS>}D#m=@6xJJov(ADLq9eX$!J zcU-fDxC!>~`1Y~q)B%Z9t1^6=jokEr(&H25-QFnr1+e;BK}E@-?3e)}8!_kX!RZIk zV`!HucS70(<6mbX7-ge}p&%I50h`Zx_TnRu%F7sn^mkrrCveaAh{s`63lfK%BU~cL zN1)IIh`JdK!;BIO^=p#7=yz zW6q$Cj&CR@LPR6~X^WDiPX!58)Lb7{xREMJ1npQ)lX+{)kin>vy&z5r=iAlV@k*&W zK}0)*+gV;=)X%VX-n6=k=ACtR=i~rvi(#sjZhulYF;o=yP>~8=3@B$)yJUGK9eZFL zUu^z1H})+5VNI$pUCiBhDI)Miw7-5{+K+li`As(1v410r4ZxAlIWBxVqB*kAFD+tdEPyP*ogd&py;XpW=&J691j`$GhX9Px`KP37@O({=O zMbeH(dY0@dkBI_DJZnT-g1$=G1>n&KI0#x50uUOgC0LHU%MXJDi^Ud(U1Xx^q$gt# zE4!<=78H2I!3M_2&Te0t$?^Jhxy)v@GWmH+FVmW3w_QWb`Z~s4k3D3TV*6{JS6`~> z?uw>Gb+g%%f!Obop|zqIR!og?*=6Kw>bes*;AC^zx3lD-{7`luGt~6g-Lj7caKORG zfL^qmNl}s9)d4l7S<_)SK1cOKT88RRik*?`-i|EF2xOZbvSpT9;6K=8Gjxm z+DCNR31I-QQ4%E5X;LHrek;f%tv|K|G5$^BM&w$sC!!~ZTJ&t>8s!-^x|&?m*&gvBh^)s z1G?ie^p=Y)SJq?>S3#cmJ0_qfp5mnW37nyCNhqUojWAMV`3PVLh9iJ|S{z6uv$e5! z!2{&)k*PS@ivVH{J__bh1-SIiAYvl|_Y(g<%4sB!zsrCfsl(}s^|=o9DGZa{<{EW? 
ze>*^i)II&aGcad+Duy6>dua)=WI@kfz0P8mIo)*IhkdZ?G6)u7@$O}z;>ag*OD}HC zP^h8GFxBGOsHjB_h{9n@Osm!PaUPV?BH|DIz=v{!)I3F=ht0qNvE6&>#* z?B8lN9{8N=E4UHcYQwZAs8O7krC2Zbo^!8^|D5cc8SRod33X48bF?Me;pE8ln@ZYA zPW6V>b@fj0mcuI6 zNHf*1WOgb+#uz1mHb3efZGJgRO=fzmMG3T^xd#~kw({Z!OLrT-dK{d9z8~lI$!d(G z$f)}k`5)CI>W(HZ%R)0I7dF0qy2sIEcxU}cCJcM=#4nz8d!kpoxXXDt(+*RYj_g&J z+knUf#)fae3R=?(ok=xb(#LM1rY!#f(7*n{uG3nM{||BR0Z;YY|BsilWn`r!$xOysR+2p< z$=Hm2A@5kNkK3wPhyvFN# zzUFnk4|YO{mFX3dWblq(6-h7_kZqm0tvaCVTPxy2l`j3p0cUl@clIQ1DsfvUf$hzj zXdwrm)o1l}*XRPWq*O7~X+&1*N}lyFBvKh`bfmHSYUWSm^;eZfK5=qf;T>(tkd&6yUhRccNTngKyw zJLOOh^Osi$t8&Md6b;NE_TQDIN1|k=XgXzUN$2u9jIX|nkhw&0k1D6GDWqHfXMRz- z9OXOlE=IG;I|QHJhdupzynj+QF!({|;cM=GR4b(!_vG+q+lUY1&BjzsAGYQVHM2b# zaG*|g0Xs9Bnw2w`tLpYOtf2x+Dys4TC1d?CO<`iq+NaX*OG1C#Vd*`=n@nJkmvIT& zRyYdjGGwbhh!aXoUH72>p1y4o?DFgC9?_3{@VBCAr&Si__n%XG-*m6;Ri(5@nM%Y; zgie+#_1%llbaOm=FXL6=yVP)PTIv+On~84p%%C{Klc_AAMy6>c!^eW99Uc)K`K4VF zC*mYbu1=4en@LAla|>6Ff#e7tG^^+)0o9?@+e`*gf!y@11+3&SpFmw{bB^lku^uF; zeh0`oTC3v*L%Pm+)wRLt+v&1_>IdwP*?|=ACoGxu(-4GP$3c%fZ+sq?+4376_lGx) z->ip!@~?7&)Zni zoS2d?FTWP^ZsFO7n}i8ppRKP4xn6B(DRguSTWB7Qu9!={zWGe=+s6YEJr|fdJ}y*L z3eHm>SS#XKd~xT*+SH~*sL4}o6O~>FMT1VV)osv)=O^jLlH%HRL$nlnt$07*zt7Q? zd~LlkEXl9XJX<`lpqAYQS4FRI%r59QvtQgWbs>Yl`nXi*slutMjju5;i^eRnAFuZp ztDX#Oq=De~;UCf(fLQ zW)nxn>PEaAG7fp$TiN zM+0k0ZM{!)w#%*$3gXks{8{x7gfw zqYgy1KQ+^b%5$b(I#eQE6FaqbhBu@>Nv&LN*4*-Zm(#a64TV<&s$z_pE-!AEb)Q+` zQzO@8=a+d>Xu;i#{b9b*yvM{cmmw_9r`P$n|B%AFHl zc9wzMPwdB>7nR4~UgnDu;BYp zCO$|@BVivy{;-U(XGxNxfu`VT)p52muq2(dOwEa<;XU41-O?kGI#!?}GSIJS>kHy|ce1Kbc?gSR zIn*k5m_Rd(no;q=;pH^?hz&8Hv*t_o<6ROrgI-<4BBBx|TcW$HZT5gai!H8zh^{Fa zw?wt8QX`8fmJ91B|Bbrvqpv11k60A3x)n$2D;k{3@l6dlC(-SH4p-{U49yW;+`AdA z66$Yre1kOy7jP{H6B8<^XL#O)9K3hR-2PoatSt+dPqOZV@+Hy7$K0S2qB&QsZ<@Uy zT&w%g-ARS73$GZc82Q$i{pj7(QQ6?b^i%6S51U8tY_+neeP7apQNKAk^0Be-NXgf5 z*9vK}V%^w9{OkGB%|wBtPWe}C)Ku|bKhHl(r)8ruxi$_ysh}gKx8RY}i zrEE%c0;d^@8O$1j%adp|oB9aB-Tb!%q8>z5UuEPX5TPG*JzgBOY4%Z9@n+jn_h}W? 
zgW*%wnSv3DvkgRC%5d|LdzN{C;U-P!{9P8}$z)A7UxPTji$K(@({7s%+D=?0>%7oFCj0@w*dX z-q^9yFVRL-8*ryhBs0qb*XkZA-Svp$bb-2}2W}Kc{WOzN7ce>Ib%5wld_4V}Mp{M5 zxzeLG2W5}Gw=%tQQ#x2w^vzKwaYmA>VS*6_kCc;>mBn0DH(2Etoj5vwa9=5$kTA7n zF}Oh)bJ!rEV2DumvQKKcvS|3r;T98vn?Vn-vkuDP*>_+)mB2dazj)iahR$08KVov= zF!u#-7C-WoGna~gzHpDP^ZZaW4oN% z`jy7Qb4$L}@|w?5t6PpRjl8}1;sx=PnByDPi}Q)G=3y!dLZ=qJ1y5-mk zWMvf7r=RGP=e@kraN)(-mtMK|my@7^rWr-5vwZi?N0j*TjePUT}9((tl_-;iy@Flr|ByfJf?N8tqOc9)n1P3@vd}g zG_)``&jWQn_&l3{D&&5g+0t32GfAZ^)c| zd#(uDeq$y(dYIm8Z}fb7kGPOfzR4dh1+>8M|sO+$Cek(kkLNIyGv>+ z>=r$)ew6%h`hAYTZowl;8)D8RR^a>$V~zTS_=&Q-*=d5<$07K>Tv5VbB$#hbLU7D(^irMV z8=s(SlJ3SEV~{Yig1wklVY3RN%J^_B_V$}&@4{J~p%sVI@!!AE@EJC{o-!9U&v^4q zr9^#C-07NhB0O=BMy=Zw*pG`{HU`Mhyn~~?v4Pd^AU!uA1+m{Xh5Wxt-js|TY@F;3 zjp2z5{yixWWT^lDPJsYY9?0+h|DW>MmDT{}DSl6Z13j0bfxWS{BYeQyg?{jR8J*xC z`RKXi%#9rAwdl8}23|CXNPK{|fAAxJ5P-P1zXJkor%6EY@N%g#zzx z#Ha_*Ul&9|e;urc@@)44x}B6Ffb##!(r|CD84R@DXBcQZ83pXd_FJ-c)&`?)z~JSO zh|$3yza9_S9z6{CW-cWH81gnu_}`JY2*7_LOH2{TqwV&)x`C8947veAtp|*Mdy;oQ z4$+l;A17~YWNsj8<4UiE_!?)_}GBLoD#bjW3bcN+c|_-6vx zudT5gZSPWw88{kP+L$85$rQPLeo2$6vAu)2jWs_z?*=RGJOSv$KP>;62=aG_W}s0_H^g7WD-fXs3(tB;GGE0Dgf74B~`O z1>hT~`dqCYA>Y-WmxmLwt34F7lh^z|M!*C8;~QXPDJ|M#2Js@K9PQ>%(2fY8+aCyW ziO~jtK>jk|-Ae{Rast{<2cd3C{Xe?D`{_{d@AchRe)h~h2!6jR2Ga>aQXAUc2lM|< z8t>bm-Q5Qx^U3Hx9kZziBP+PkemaB)v%aG)EkSFgz`PiV4H$+XOZ5AWOvt0(9J4(I z;X#lf+D`}njS~J40;IY^`{^K*Re|2Tb0ZiO?WaQl{I{cDfdmMF6DDLACxei+5oiNI z003z05E$e)`|T)PV1K|MxI#h5?QhBl=!hLvyz3iK7$=eget(1aHzn*S?Oor1f&Tmk zKyB^lVc<9ZP+Nc*`eiunYP?6Mpw6VAse@q171>?_^d78iek?Fi+-$db$g#{P^ zXmke5i;*0Fkil*Ar3|y?P{798&rpUt1DrevqXo6qVF0>9j~rlpzm3zK49NfD{=bE- zch5cu`4R2;fdB#|Xe<^KvwZ?!eza%`5dTN3J@jv0{T`A6C{nZ#AecogVUXXE;{D=H zFdi@`GH#BNA1E@n^FP*W&k(?1%r*>WObEej_ku8#AAq*rPci;MgHQks?#G(oJ<|zB z9p*#J*Z^Y~3&6~1hG3@RAegB*FlN3Pe6CPB3yqx)I?`FLPDc6U?h>D-5I#6gOY>& zRNNn15Q5o;f?&8qFmo#*sMl$twYy;eZr#_Y-jm~o0Av`AsfYe;>i3X06yO-6X*vFF zpX|W^VV2#5$Ad8u2ry<@12ASm8xSCEfW`uVFxy!W3=@g~Hx7-?K)5ktG#J3FhW#qc 
z0os9Z&z2KeQH8P3)Q~*XID_9MLjjVPHUvWS?3e5Fg}^)HMtSuw#E!ZS9gxq@9ZrOc;R1 z_lv1Oc=w1hX2uH?Gf{>DqJ#UHnR`=UFhDg6dYcgj@XPj9F1t4)2oQ}%Lx!M#D^A$M z`jEf*LVxrJvuXnnX4@BpAvyeQw7dHb0eD$x%q9GaMU;X=r#XgoP?*`(5I_k78l3@S zCN>}pIUEp`LZdSf%nF-8m@N~$L=lr^0{_h}+AT9MKy3tio;eu9cqTG`fVLS91K1Ym zQ6>x-c-jWoFVY03us`Z4VF2%Tr^Xh@;(wU>FhCk~zqB$uan6ZM7NB?^`nM#>9+ras zEl;xN8z9Vz??8YU5*i{60vNyOGzaKKG@65vGKjWJfVqFWW@tPe2CxIrSYANY23l4F z1mLQm(HjV6Qv<=wjex>_PtATBeQ(4aj9HKygqe~6W7ZsmS;+txL*~TLFZkQ8-OZd3 zfS92n2Vj6Dg+_B2z_Qyf&IFG~{*fw!0^;ZU1qDI8P|iO_fEg#i0BgHn2@e!bw8+9p z6c54xvbG;J^YDTHpk@eW%m4*+Y2UEH?g0Zx4Xv#XtaJZs!WjBDy||ac0p>UwA^`#@ zIy9OCO7+khEC@4s1_8tko!+)*YDm3AVAU^o#ud|Lo}L$F$;J@ z0jVT3>;@>nDBn3t`ac{-5N2635Fq)B#!x|+MH|2XI{=NRg8_9L=rjko>*zGcY-Yfi zcpS+pHd2xcM=1sEmhks$;im*`CA-xTleEeOF(&|rX^(|*hhKXLbG z0X|@#?DvhmCHsK+M~l?}tbkT~D8K_jW9I_27g~>p0fKG&1-tiV5TJjnQrRP;aJLFm zW(LeE8d3xTh$$M);o1__pZ&P=&r=G3`s@AN(!J*c!I;L>|Dw5eZvqfz$8JCXy^F@= zfHAY(z?cyV7_;;N7{jPHz&%D|s8B$vYQG4@ABH3d5NJl@=@86viy%PZI2um}1c1@n z=U~h_5B{4mwOb@1n296=V9ug3Rwy9Kv)=~XTPy|vl<}eg00V3hGzvGNe=FzO!+o#E*j0@>IJ2(&}j}R??acNDUaXGzJ8aazbNfpa6;A*Nyn|{2c_d4F~}Q6w&Ao1he2E z;0Oj3i3C7vRk1;F=G)Zpga3U zn|41P1}OR6&+yt?f($T9(OLsQ`2$+*p?{0M>{VEp1ua3Ci6{s#05l{T?xkU}+aVZw z-G4b_`G=hh!7OeE7jBIDj+u@C11udhCK8O9;|a#B)(QqNi}q7k@G^lv3PZt|O+6U1 zBOzeSh!BjK3_}3*=x9tmyp#|lIl!!b3gE+|MF+{W0!{PkEvN8~koSLwM_lw`L5hX=VHz?X4t{|50*Rx?LOTL%FyE*BRU zP9t*%15PV*OD=0;M;9A=3l0ZkduMa_HJDsZhK4q5sCzU~k%gVHB1+o+>sa~u5OoZ2 zYZrboApBqgJgox1!VaEQ+C9>pqB#WO{~9S`+w30c&PGCw)X>4+kki`S!I9I{#+l31 z-p0w+f$OTWJeQ%Bvn>~3lsiV_&L|Po{9i{2KY0(QM|emZG1y-#3O5coVLZFXxkLYd z8z-V~yT`fHThuraD{5_SV9Q}>Xzc93X=88tdvH*cp4k~3BBB2u2e*Cj30{W}9}PVi z%*P40{lOp}_>bLV+o>7&+t{`pcA%W^geXyC+r5UiPS-5W4Gj>I@4#hb>}UWNVFz0- zK5lLf7=+8-*qH;yWnyk^V2N5>D2iWq#*c`~{>SmdZ)re|964lqcwG%*yTVgg@E^M; zU?=kXw+TQT>fXJ$JIB2LKbrs$$^`y30Z489A144FB0yBu!=t5$Y%rpL5-#iTs}SMr zwQB-U8vid7@ax`IfCQk97@{U%d(Alw-L4tiBRR{#(cIL5%Ng-%dV3CAdmA`yIiS`X zgo;ujpv8?H9O<_&%lMBY{&m(5j5JZ;0WAbw^FZLN4ID2BRk?ryg&}SKe*;B&Gdq~b 
zvt7GEcL?t{C~~d;4Rreq*$yhA!elonke`v$yIt}2Z=lFRmK{tuS@P~u3LsR(g}QfDQEmhP6=6^O8|u!gA{h%= z)39q*QQpOGP$X~uM^F&_!Y=qDw`(VMCKv|Yv#fgs7#RWiM^q#bYKD2>T59)L_ewCb zl;s~$5jZGNWPRjr)SYnV?-~Aesr7#{9O1GH_t}0~r#myuzl)SmDJlTswlVRa5Pz*H z{AkthO@pju1r8Gxzye_YgYf>s+%B2@HA)ct9#GIOdO%e^{02o~_k4AM9KkBhpk#^E=FBJ7qONkU#6xeIj1wEjI(WMRjD z1pOtx@G}_*?`{W`pC2CW*o6vo1-6HZERX(=sK4eH39|zVzo;0_7rQ|BaxXF%{vSbq z4Rsp_g$hP!*j=c5xfhwC{YO+J4hj`+q(OI&buafKLks_iio`*o!Vux@U1LQM-;U3| zy{yOp~)|0^mKS#=A)T@Rtqe~B;{uHJU@5~`XEfco#e zzm0=J<>&c>m{94>->Arf@Bcd1ZL0--$O&=%*{`v}ZwdZ`nNTq%0P4Stb$f=laZsq> zKV2$R?Z9tTtp4C8RNNha`Y$_Yd%teupisfwe{d5jKm8jOd9LE$#tOgZ z3XX$9g*&jjjV4sF9RT$o%)?*n3Ps|eP~o2PZmS7ZrVBv*_nm_XU;Z|m;N_TqgnLj) z_ur_<(xQKyVI&S}th|T_3{bzK&XxdB|ACvf%_jK0hKO9$FY3vkc8|rhef#jgVIojakZ@hI z+g?HyJ^mgi(wO--Oe72n6b3)c0URePaR|WtXBmPaP*9NY6#8yk2~~{)!2Aap`n8@& z7!)Y)A3+aPoeKc-A6&R?xrHH6P>}HK&TcM3ozD7=`RnGD|71J-8YdEF2NeEtt6i(P z$9>zr*z}(y2=M}~Uv$8Oi~{dM+~c}!pHTUah}-kJ4TA!OXBqwwpgo%tf=sOb8z>S6 z1q$chT`ts4UIww2+gUkD8~EGAerGk6?VXIb{~&7MV7&cD5yXGQ*pQ)rxkX7hbYG0 zX~zq%u|@pb`5U}MhXC=~E5x;Ch<}JTcp=Jm5YIvUL_Q1tY{c^rpAp|h{6stx(FXAy z#P<>Z;GYTje|<(h2k|V#KX_X{M4MlqLEOK7x%0=JpU4MoHzL?+yz{r6&xpYw+5z9# zwmow@-sdG_Yg0!vWU87=(%jM!o~GuKv@~!u7B@!DGd%zD>jjFg2X&%fhbD4UNPZRc zyVv!S73WZV1nFC|+=!y-u!OaPcyV|+2gREhY(`gyjj~jzO_vQeztI`Kt6C6Rd}ZL2 zxY*jgFh2XuU@q1*nN#k>@M*d`AQ?#Ck$LyaYxx&o4n+pbTkg8!=DcfBdASW0uSsI> z_kEnD)2*B#y*SffmKoH_O*j0au&??;zux4Ai{MK;C!rjRzL&}NdI=jA4tK2$6$D&#`E8RWvqWGMD9--WNI@U3oZDOv2 zzZjIJkbCaTt*>s%MB?-~FYn_us6L^`0;!w}6lP1TV!}#qKkmhV^+ef|8LM;6DnPgm z=1za>YrL9epzy~_PtIU<%1SUie%fbt`S2Jy$d>9>b1tndrMMHNE#=5PCA@Ni#WEh6 zKKS}|tIbfu1E}YIo zqeiTK#pSk(wPFiTJ*;M9Hs4+wJN@kx4~-*}UdxH-q7d7Uudf#kyq6{-mimT$>sIqX z0O2+Lj7Q~xI5GUR&+mKQ;rG%}JRvVJih06rZPRsJvV^<8;OxC7g0l|RKR*{<)~b0BrYGs4LA6D- zmQr*o(3|wdv5VfutI#~3W!%zZ7swD51-swTiQv`W@sZ!00$>CrLns(nA&Mye7nLA| z+0=m^y3Hw~$d?~-Aa11LKokJNuiE6M2XVt-@RAG}_)81T4MnU?Esf#mTp|vJh*x3q z!TA%BD@1MfZ%Z_=l{PjvHFG53fnSKkb=A?>N)_=9_3hu%Bi>5GCE{#~q#t_3 
z#fe<<2Cmzmkbua}!#A5T7|s?*j}BPSu`6M?y*)wjG7w(4na%ZUx57{K!CB_7`?add z%~QE&7}xVnMRB1EbG#RG@ld=BI4UH5&Ub>Dv55-ru57sU0TC*{!=#6)6|Ye6=BtVq zq^W3Y`QwZFXyy!D&!f_`DlMSQ@6Lo>Pr)_MGg|R(PkQ`rYC~{wYISS*O~c) zjNJo9ijt>y&z|oOs12aBBdpgxEE32Tp|UpDW9~-U+~Qdzm~!ql3#4o1a)%dKCX808 zA6I*UV)48_cP7t@a`u$5mb0^_bx)q9I>AW0Bxh50Kc~=Lj=^TBClRYFrHAHEZsZND z^t?__I?+|v%UbD2YUC^AtAnR^+Kk)dM2`5oyWF=PD9Kih;`lxzbEc;i>sVqlax%Bb zyUdg(p`5JKAbU^~4{JtcIi{WUiAv^+-03DqUnv#MG$op%iM#K;i5Q3+9hc$>4mA@n zy^f8}iuTX%OL4!#^msla?r>+6Ns>^epV8oeB&77qMw@V&pi@cD1BMB?!&wYxWo1{? zjzlYGJa@-8K06T*qom7z|2Qe39j}3Ft!8+nmc)nA48ofc!H*MZMfHvRmSFupwH;n+ zPd$lhA|6}R>dOR9|75~HZ7ELLMBJdv*4nhZrAJJ`x3QFBRKWAGGQB@{*3(4TF}qTe z(C;fKMUS9{=_o$I4G~S>&#(+(!4K5+pBnPpRs#>_#SH{({vaK`!J2<2)682*{j!pD z3e_VPq0GTkMX}$#w!%4NGBl6WU#%~dy{962F-NkG-PgEZncGp(6$=vM*N*#HQmCfA zIPJ`rw59mR!4zqIcAxFB3%CecWtgyTMAjXw<}WSnVI&#@;XXMh(iRaZ6{Ak&o%m9? zd=yeIIVL`6@BwE`_*=fMVK14WqvCqDeNB`n#n7UiKG9{Iw%G1e)#@caO-TI>gO@+$ zDh2~@x_aF$dF6LrniA_pnz!$eR8wF*b(7aYZm)wKp78(P)bKo*!BkJG>EDs9wC?j6 z{|18=8J&c#AFlenmjw151+9{DN}GP4d@Y_F9TUkvDKY=$kUL>Yf2oGY&A0QK3hz0% z2o@t}@Q8xG&}BDK;`%*{mg*OHzqU*`(mX4#UTLxNxK{cTKanm44*~C4cDvg}Sn(-o z(t#@FG8L{ywMKGQ2R@som18Xr<4KV|7gtOjyd?PI5|~<~Ht8A8x!&k654g1|T$Oqw ziJ!AxYDmAVtZH$sm+Z=<=ZKl4@#}AQl`dizsLSxXYRMX3F)xa#qrvrKt4*1yFPSqI zY4eh#8ef6M^C*tSh*k44!W|~V0t_sD~=6Tg0nB&!uO?|sp67wNw9+0u4G zQFSm*l3@@QGIP;+t6()zp-#6_oi9``$&ZaD`gNCO!eX@#5*rWrpyPL?i^&Y!`b#-Ftzo4)Y&^Yw4g z6EH2^jqk&v4cLq>3NDvx zmI=snB^Ieyzad@|5>UqAvmRaKTYmQ*8Kdpjiw`cJ8Y{pH{vom^m78WC9oVTD9l`qJ ztZbNgn1lwiJ8KJZDNoVYjvKgRL|7>wJ<21e7#mas@6a1OT|E0^MB<{t`Ux@{75np~ zKTUPGX1_(N(%9XLj3QNAruE=u@6piGnL8cKN4=bmCq;HxDX<*dz)y*QA#3h*1K7j% zK{@=H7ve&0OECmaM5TF-sYMX?Bor($rQQCY(|H?oAS(8v_Hojy^+-*XDrwK-MssI(8G;8S60Wb ztcrXi3w&@@eND3MMo8RGTF_!pTuMmXVo2PScpHRaGKWk^86TevLbw#Co7>>sPYF&T zh`&e_KZ+NxM-qREF#eg?^t@KYdQsBUnPrpnY7A^m&Lbx*dm!w?NBo$Y&N-Ha zW@lNB;XqHU2685rQ!qL4bdu6$R9K3Nu2?x=Ind18FCihVU_z~OW+Q>+V(L$MDiD#_ z&j_8*c>dWp&Mp|`c*NMfD^QZ`LJy<**NN*+h+C6LG}vZBmG 
zCQ$@Q`Ock)m-boR`3iQVR8i1^#LDftv~g*=wpi^to3f;6)^S1MG1!X;@3s zl=1nE$V=~Umn4`sPTwx+TGn1nw{k24-@PxdoT}x(Lna00tg)Bxmyn5`EoM@`u6d8c z?J&FAdH35?BqtXXxqkwt-19c*zr%6BtZpFKPj7^WAT%&{8Ki{%y( z;QFxf@^dFVD~-ahXjdC{cE3LqXk@EJD?D)GJDq^dDuRIW%GIau zbH(Z3sli=tbNreJ_Hsr$Z(9)EguQmLZRf{2w?L2E)v%UeF8M0TDj(D0I<}x_mW1wn z=p}7OZ(A%AAAhP5ADUon-7H&kiPs{}B|B7Kk-(ciUSJ`LjI$P3XHzrN>((tyDoo0; zy4}Xs`>MpiD&nc4X**yO`<4gJ6W=d+*~?1yIW^}GN00Q#XB!c7&|jUr17_h0 z$H_5xH5aUTJ)LHg0&HxOcp?ch*DE4x^5%HPneTTKy=XSqH8$}xjd@3B#%FvJ7v~n3 z-@rH)s62`b3`9479{qAQrh5M5d~@-sul?uj7mVl~enu0T7$+ZbG*uFW9Gy;%WUHo! zn)Z4-V`~j`K2PBom-(9i!x8i>ZQN7$GIg0t`k;E|33HRyju6L{!^7`r-?lwV^?t)Y zJZ-I9wrDNca9%$9nHvk~YsbtkOXG6_TSE%<^Nv+-&8uvmy`72peuO*@*P3DLyEbaBpNUO!zHoCf1PdPbLOhCbm4sb8q+gMO_1S*~``Ci&H3PdnnjF!|)HA&Zs` zD@WPB{9%E&y%*@Xr)Ca7jtg^CKeu&BygFy0Ds5`{&Z~OS=Wa)KAgDhHBx6Mb!OG5E z>0MDBIUG4DPo=CSl{nNFc4U*dBU>s_TzN2qr)XgKNyf<Iz_Q5Y2{+-F{cAnGVW4j^%&T6_xfAOe&(5DeKO{Hcr8t3GzK}GhD-kL4 zS$RRi_Of7U+T3|c2jlFKkwyt(ZNlo0QSgb+$d^=yg>V zH3NLoFwR4=X6hleYJp|T=W3vVAEI9wZLujvwX>={(hR|>5zbM`U59-Tqh9&>v8vWc11 zBPDXPSuW#F)xqH>w^hS6me$JyaoehIUaC7<8IW-NJyv8B#arxq4MrXj2DlM z`qX@A0<^-wuV9mTM|n0vS4nI#Dn?n3&@9k)ys0Zg_eb)UUxb=eXst*EtrtmnyM_|X zV1ke#>avQX5h(fxR^%%eez*H`Op8}}3&>uP6DoJ`s|Q&$bEY14xG!z}qWI*4z7CyR z#uNC0@+UQfc@7jj%DSVj{v-KYUc{G%(5bvvm&(Ffn%bM#Cl-%cVI{F?$6L_cym$Z% zlM%4ZmY<+nG0Y!oU4JfH0KLRwFp<(pGJU7s{)1ugcM2K?mgX8Wd>zq3Q;s=Fr|awf z5!BMOmst&iWhSoKW4k54%DKcCo~VpGC!F-cicU|y9w*k zwPN3mdd@E=&wP?xU^I9yOQI3LelIey>9x@*{!3e;TMGUUsnt}+TBrsj7JYNRpFMw0 z`&=8@f?9L#rb>H`u4=R+i4}>&*BVKhj zA2a9F5iiWtn)y0IGNVv=@3~}HNBi`>&!cUx7xceAxji>E$97s+wg^Zuzmd)V8_TGN!Ks1vec9!=}*DBE)!f5zFhmr*yv2MH~WUr#=%}s61Sl5 z#I7#N8+0ss2XRJ~jy!I@O(XG8Jjk3TdEuHs(4$PP>FUq;-w3~*zMya!RDbE*Et^|C zMa`DP&mz3uDB$CW9M$y8^RueA@v~9>)XnCZa<%5cmaK#JiLPq5+0+jt_KanWE;klZ zBaXjM!--QnkdVi0Ra?>QvtpcaYBa{^h(-`hGmP@avAE(Oqh^s60XK4s8*$(9pB2-TGK{ySGJaXRCFs&nDgs*70_GnT8`Bi;kqiDOt*Di|220w_NUo3eg-+kSc{wT0YlbytthxI0Q5B{^S*dsQ$(z}hrAs)^ z!h~EDNYX}b(P-nOyDPdz{CGc5V2g9H-I`In=h5fmxSVUu8~AQle>`nT-HNVyRW(7l 
z^kUQ3Z7!R;Y`8@ASYD;Z7v}Oe0&S~z=2*Lmbf%YGgbg_>!rhy0#j7eR#AQ#Y zLJ|u)p;)4uGrN8EFB419uO>9o_wei`c?ldonoMSw7aJDAB2l}uj$8&=By{E*) zY5jQ?qXW=&b`=VW&#-& z8m{xe$(GD7?We*>8kuOfjm4HU9ivOspc^Il55kxH3!T2a$s)@fhhyBRU zZjLd+SLKDS*e&1(KaTE>au-N>!#r;mFMU_?QA3-{E$Zeo4w6svp7qGASO~-jG|9c! zway>=aox)r@4{Cf;-BKoZwH%&7r^#-_AliPq1cwkl?t!es9ek&N#Dx(#_{@?J?!Dy zY2jtAiNhI^0i3m(-$TBWmyh7gvK{(Sa*c}o^ovLO!}UQ%f?pzqmTHeK&GY2fSqj@z zN>)S+9dvg;3ZCejU_bkoeW>0 zUs2^Yvu5xPuSM#kBvJYYz2UoViS3k+GFv!lvpxSvDIPZkzTa(jpy=RLk-3r zbjips2nMgwx@z3}CL=w{$awoUzcO_mS3}iLJef6%B6}k$FU3L5Dt6Dz*{DIz`)p;< zFpJ}Z?-cdat|lpj+5v%H17*@{j`m&Mk?9HSM45p4|_v$9g7TqS?lrE>hTa zz5AU=T1LKDLdS`g1`kMXIn?eNKbPF9B53jc-H}UpD&)@xS;)uwUW;|PxVKDKOkZ?w z*+^cAPgW*^MP#iMDc+%Isp{eM!H9XmP%J@2T@K{$kRJanJk za5>#?zg2lKjCRGdEVIh8%&e7b&N|2mY6wnA)CiDhFJt4+Jl`(Q|Ff+{Nl40ENfJkr z1J8iDm{IWRg)pk#C=SBeg9kh-*&elM;{=>*o^JeVO?JZV0$qejH|Pq1)keaBLm8>< zHChmx5=nCM8s@5q@n#z3)(*Gq)p#Rtl(a2HXDIF^P@_qv_Ep`dCgB&(ehECy$jvT8 z-RrFDV#pMGk#_RHb1y~a)hkVw_d)D>#1R`pe23W$yr1Zf*iSnKjf;*HEjzZxw|X$? 
zuh1>noemA=^qw@OOu{}HbOO@7aRbWLR(82UI00<9mao_tJ8~sI3A}nf)APKZV*ZH% zNr(7b%f*LJiJfc*r93FXVw-9c>caNZ$O=B|pCTzT+lo^vpr5HECPogvw%Fh~WQBJ} z%6#(Yd|F*Z;kt^f{aR6HV-u8FiX|b%*<{Y8Wi&q7Jc!$vS)Di$?64Ng;lEfSe*iLA zWPFPv;c=!*YgJuD$ZBRdt5rWqQkJWn9_~9uy0qJ8aIL=@GY@r!NNHR;akDJAWIlGf z0OH*GxtGwSeSl<9eY!WkxG1=2x!P*@S-M$b=|%B?{BE#rE4$l0Qm)!^tTfYjg_*@c zF7l!)<|=HIvTg^zUz62&PCm=3!QHgtl=jxfMY|$`h^3D(C9Ox zk}_fr1{?kZVkF6eLQ~)GID{-iOhY(JZeib#^Pv>)68;e^JV{;@c|lI8sa?_=TyNq_ zA$sg|NXJcXCumYY3HA?{9KADX-xwmr1rF8S@ywY$qm*h+PfgG0cc8_W@5-sZ5gFM| z7N2jNpK~OI9%)L%rdfekRPY#hNam&I%T0&}BI}ckj=!Ce&K~!+dblX=hGpSXw$UHa z7j7dZl;cL_Aa-GZ=JQgSXuWsrz7l^%6~5H*bB~R>AE&<(Sv0Tz zv5_6yt%O^UR{YL&t*V3RyBzHDaPF3JS58c6qvPpenIGW>h0E?;_QjU*`c`EN)J)6x zgJ;&x6M8GYn=^BWJ^!`xkyDw+Q;)?J>h&6Y!KC!j&;Lal_pDr;j=O z1HP$DC`%Bn`$*iB55-l>;;s#s3A6~Z9@4~H2A8r@oA1Ic8Pv?!RV*u!(vmN ztGW$zntA#!7-I0AQcIVrzs`M9_#}HKAoltb4F>9Z{3pfNSlryi$S(|tCzdo4b=Q84 zykMeLn%c9Hc{kU{NTr~GjklNY4##{|&wzTD&?O^6<)Qbj@?4FIWo7wk?iRtXaLg0) z3!|>MmxT6KA0CE^pH;tgiD|I|O4oZP`7?3BrIk}c)`fi06E)+_-gMHfEy<_b`)*Js z4vDe9{E$387MSY&M22?u)K!UZ=Gb{TkL0r-B$-181_mlSt0>q)<;bka#@!Po?=}RD zFJJrIvE(W51j%C$HCuJ__G^{7b6Cs5!mcQ@KkHFpuBG`oiv+=^-1BRVS&VtTu7to0W2@jOuC_A8X7gaxl9@d8E&`zw*P6Il;;??wadsO)Q_;)K5ts?H6M<53Z-@ z2oE{!6_Y%3A&atXIq&ipN8$)7@6w`6Em+-3V1tqGp`mW8W~Gsij%~PuXQHG+3Ar9p zJIu!`#9nYuVSX4mBd4QT)=p;MFqG+D5c;SG`>|a_XvD3Wx9VYJIF+2y|X^lDYAA9dy}&3&I~ zER34!5@)3)f`s%iXvQ(0eaV;wN+4pcmN8W_r+p*J(&aj&Th`8Dc8r$$>{+v;&2JgI zDEb*z>-@+z2(?$u1CL*McQo!Y)753qF=vK*8BNP>N_0$;7kLlJY?`O`)>E82hqKnx zGij&5L3N1hX4df#c}M=F8D$--q$N=?qn@vv2|t_4i)@Sdy^Ovjl;ysf8d0VhOa7L@ zGRaZWtCk^%e`Ih&a`G+*g!7a6;^@|ki-`Yew7#$|RBbsoZzyVQ{&neIh2d&@9zl=Z z%O^&VV;xw+JrdU6@Sk*?>O7v7et99Jt>;k(`0kHOy6KreaXg&gvINF#k>jWwu>&(} zmN?iD+ z~7)cv@TQje}z+}E;ojnq)$w~MXr-mfU%6Q6i;YM3yB*2LzT;anf-7lC}1iCaaF zoN<-bK2;Y<%)_EY?_YdJo~CTYCtPzmxcgZdYfYOz&ZebJl+u&v82eZH#gz|RwX8YP zB<^3JaBF#^;Sg{;>c{(|EdK5dfLuUX|--$=pEA{8SCbN^hy?deuEsiHwZY2#pJHo_4SwJ;9yKylzhN0Z`CKIy3@hE%@;HzO1a-k4>bwGU6e 
zMQo^_X8HC?=^G>FcVQ-#w{OuMvM?{4d!$_YFiwS185GkeyMB}`jHz8DOw4q8W=60x zLs6Sh`A(F)FkPthn*VD`nI5OHJk>l{4G%WdO71)(EBS}Y#~iPD3ToB{h7{j`NJfUp z44QMS?l?%9^%zWI`8x_T5a~-Xi9VYk2=bpjLMMhFjjNJc_rYP^&;2#yYoSto<*SA5 z@71uy8xB%_$vsR;aiaw<8H}}XSw>v>u#b1xNsqI+BHuphdPuv<=uaP`sST~9zJp_Q zyOdtNmSBW8zMtO1%V$eciWq!^qUFF3&9#%0$PV9nMM-tz1v)?VEqvS>%iM4FX?@MwOwIAu7R=7V+D@;N;MKGO_F`b<; z-O^>5DpSGOf1&#YS7Z=_X9wOXXgzMolE@iwrG(Kl&?s+zwT4ba!x(wu@XNXnSl*Fa zbd^QfDgJ(sRWr?4&pvuQ0i&TVA>)3PFl)w_=4Uvc;P>K&T-U;(!Nr!3bVL2aLkZ^= z5_lh-Q}^7;9SR-7*DG+p&RN#~eOkUy`|HOeuZ_PnKUMS)h3Z^@tO{L>=cZip(D?A< zLEq(|s7k4vRqs0j#vtR(Kb;djw0yalVkilpkvceT7n z9;Wjt)72Gvv)9kof21UDWMPSUNWICvz+Y7@t+zgP&zk?~7Ei9nG+*_6@rRFE6C4%V zPL}=TCARpX56^bn9_!Yp|Jo{<_Vr=BB<@?D_r8&qugObp9u+Cf6fo;zF^am-pnENt zI|76Q9nI_eq}-4}V`S5WQ{7iWsrglAyl->ng0{8y(2Ks{plD{i5Wz8UsA2Hw|+p4{lsBR^{Re|Bs--qn~vnBLyDlAh@qg69&0mfUBw|vg1UpH=4K~z zcwlXi$QP{X!&j!0yFMPR%Q*Wuo`6u`QqcIPv4LX+4m#1Ad6j`yD}rX;tl#oC`llaQ z+oYP8`47G*lH=mb4+N2=uuU>&%|b6Li+HOBS@=^*J6p8fopr)l_Oh2h>a1BRQ(oIm zsim)JTp9S#khz%uW2j_c^K58HAnBcUMlA_vgSI0kIZv|9pe-@PclcETLZN5Hl_o)| z4$)c42@ck=J#jH1_R@}{4}>Rt(yzB|g7crByhZPtx7sqb*_-Q|&#T7bO42&)o;zih z_ceomz@EvGwKsvS!;xTlUgZw}$sUCG?4F6T@p3i8NE8kWUdoako};`a)T+ z`!IOD+gt;=+xwT-;I31W0?p*3<|OmDW%Sk}Zwm-6d?j{x zy>wWdo421b=nz#MKb2Y?zneSRIWB9j(lAYf`c_#ol^5*orH$_;ubLjXICr$`?8Zod zSxMQsqkRDunXkt<-WE@KrLB3d`owoWY>*a@tj7rg>D&4ZAG}94{o3(hb=M>w-;*rH zF>NM|m*L{|*W&z`s5r|4{df{tL2PZZ=XynhUbghAKYaOkMDoSESw;TL$FFZuI?MD* zmmF>($ZV9*C?QZxB6@fDi9pWkf$9k9646*uoXaXzT+czz&v-L>pCe|m7o@m1uJf?} zczZ*si(Vl1EVYM%YgN(pY8RIexIGPAoD6(*(jUHYjEvTwJ!lB^*@})j8 z#Nh+Z4L=)m>!A#}^V52S)28GtXI{VXdOmYH+kfNU)+}DN-BqokI+odMpz&LGltV^^ zen^`uo($rD$>4GG`FzdHV1>P{@_jO8E&3Cl?;jdY`>k9cDSzmdYI8*E>X+!vilRdj zxGf{y&-JzzWySCdvdL!{NB!~#%fg52c~maQ>#=)e&yA;DKEo2UMY*9CW0l59w3E;7y@zf2?B%|@hCjS(^ThKueUH}Fc5R+G>p^z7T)yO0)}6Qcg1Ot8xaBlsXoS)2}g`09c(~t7jTt-0U>Oh{lh|=(fa&-m8v5Ipg{n*!2xJ z(4Kw*{T4;YNr~I{5Oq+>I8^E!oP|dfO)Z^L)U-PF#l>Y`J+R@OF)edmeR$*V)~x*J zlYhwV+V=+Se);Z4=XgSuTJ^GAV(``Pt=YDJZ|-;7`)<2x?Xn-!34<@wIft5~l`y*) 
z=#HrS75Yn3qddpE5eqNzNaRtHN0%2Yc3&QQuyn9QeYtH33fpWCIG-rcEU;)p0TPMm zLIF!e@>f_bEK=k15uLr}lI#6G|J;q_%fPzcVesJ;O_#?Wc< zkW=N+vrxJ!-Iv~)e%keJ;k&MnUH^3H*BMqjuC2ID_+Fvc{$>g=!Ne+8HL(8@hlt6biT_k>rdqV?HbkBsDWA zeM244ghPSSh(tBSq%{+Vh=TymWTC?;xU??kfW5*!rlgcsm`v_c=GJMnR_$~xYe96k zc9-_B_NZ24<-Rd(D!nWDQj%3BTawe0bCWBQ8?v90Ey znVFlzAx~-)Jrv{^C9a-+@XVh6m6gy8MvWnHXsBsa-oewOsFFz#-seOd9!*Xc1yMaJ z(vtl>_`siN;{Z+DqzWeGeQCTX?)paZ~4_c?H#tGk*Hl zRBYV0SCo&9dM!q^!542USFMN#mh{#?sLBn$_xK~jjjQiV=Wgsvg))0`Ghz-)#Jxzk zc8)^=(&bj%yRpa)_~P86YA4`ZM#FNaR;4$T2@&IDqgtcZ7(fg{TopIOjd9a-VS-`0 zagkw-;TD5sed*SU7gR48exdq>;bYauhLh@(1_Oi~#9JT~a6}^U8D(XItVCW~9Ee+S zY>NX~AJD-8qMgCm8=8Q&C=`fBB%M|pXQt_9Hl4;_!Y+e1Q$Z^THCrt~3$ru_tk`X0 zq`9al;3+S3l$AtT2`z!G5iPU?8hAyFl*FRUp)0TW31v{Q#!)SJCDi_wCK#(?(+R+* zp|WX6DNtoIMuc$yl5fJ+445WJ|6}oErPC;^zV6Ax?o7&Qo%6yx$P}1?8IA&NR1rCc zGEajmT|9f`bdw|%JhQCW1!5c?n+FvqOx4w;mQ`0aJq|#Q11$J0>a z`P?Z@b;cia35H%ZI)b@J76_L{Ch_48lUG+?|C`iSi+2wXe)HO-LTocg~ zn`mRUW?JN};n(X;Vs(wZ#8X}K6M6w)wVWQ~u$p#)YcE!P5W5|U_M(UOGEGdLY=ZwG zZ@&S8Fw!Uj5l_oD?uO30q6wF99h?!TLJ5u42x^HHN5O=(F_WZ^5ldKXqj(Qr)Fe>f3m%*INzi@_3={&mr8tfcY1nC*cbfM?_CXNZH1PLu%B&Fy zXUB?IRNovMpF8pB1HYO%=dC-(Twd$!7$dQJr;HW#H|9Rs_Op>!>LyT#yoEE$es1?y z6+$3JUVZbq+^-*dCHKcIjza3~s*J~C>R_~Ba_-~Cu}hv?w&gjRqB}+1l+p&Su|Pl7 z6oOvI(-zr2J_0)cnqoi~iMYA9%FWl=Qs-|WZqdENEpV4)<^U*JMnF+zB3ZvclL z=1QpoMkPKct1x0%7$E6$b}+DIb5^uE_+}0VaQFYxs7z=*_KnA&gOBPE-#DO7l3_`Y>~^u8~}z; zfJGwSP{1CE_(B0_<;GCJ7Ln{Wyj-aBT75wu^EDfltzY*9sRi4>RR-D6XE)83L0hIvCv6a#fX)~=bJ&CUN~Qb+H#J_;(W0t zd}aapaBr!U;TSf?O;c@(&ru;|;QRWVhsSSaBdF zTw~S8Nlc8fShL|#BZWJD{yV2{AE4wu-^fU9C~qRwq`t2jNC2P&c~taYoxwn)mCY1bZ1mJ3&^RF zJP5&g1fLWo{1N+N8)G|SYHY&qm&H)HgaN*IO-&d3E%^Z!WtZ$c3u;fis#q@GQ7mv1 zaT<166p)=bF$|dqIvH*{(bL4Y6kL2?Yt+a-SL^s6AjDE|GptT+PJcV~tO#Rok5v%e zEqQwTuh_bzlD?mdo-4jaA-ZF6gGE2}i5+?T)h@;g)WTD_vWR;@j73ymbWIVfs_&@n zs(*^S4p*YTmaZjh{c8iakj?(hf$f2(1AhyA6EOAFAFF3Ud$1r_C`QGY+G@8JSPNmM z$Mm(Dv+Ea$R5S+SkTNb0HXb!Hqqm;Zi{4*UtxO1|jk4b1tgbH# zmQ+^oHXCoNI99<9RUCmu?y0LEq%&c%uK{Y7-OL4Ek3vXLK$0tyTm^wTqFCo{P!|92 
zc+^7I!85Fe0|lvD$>5DY<->K79_&BhoOXYb((e*oeqT1vqi}TE2LFjusdMtv6=#eH z;Rx+xC3)OF&7wG-5C6+O{FT~#aZj$wQa-K3$k3Q%3Hoc{dO$VoUU=%pv%E^prXtx z&SDju#i(>E{whVLY!;iYdv!D1^_+nCAqFy%k&^{A#41|r$jVS(cw=Z|_#U#=x;3;l zyoc-wn^hrIIH4*wMhX&MjW{@RNw%N{$xcXP{%*2ZNJVig-QmxO8NUwuB1x`=@E77< z5OsyV7IZx(>+S9qqO%mV5S$+zEm;d&tb-$;44@CvKV~hi7R6xaFLZTNYJ-1F3r=TY z4jV^<{Ej_*Dz;*1E;TgAejru#(?b`H4M$EbTh(&;znA_y?y8OjraY1omiPuoX&3G4&9HR;=Ca*YMxU+>jU$6naQN9cr4ev#H zWZy>bXWKQ~b@!XLnRl|Crq|T3>3uU4-$ zt?{f0Y_sll?+v```$}iL$YR0EDb568U3cq>CKaKBmY zK|8ZUC*_txKi5rV>vuZXJK;0uP24e{c#F9zI)kgCO|(di1>%KqeM}wqc->x{S25dT zSSMeMI&{dnG|1UZmKZhr8Dd&saK?yNg(#V9!dC$#cbvl+gR=wud@E^>PGfIS500FW zjrIoSwl|m%@Mj^PW^D~n{y#^8)=xoWdX#pXaWHW7)1Ai)lz>_^3f)}G!lB~04LgI- zclg;A?n1EFh_L!x@Bn;&+v~Y|bKiUY5xh@Re_-D9^%rixykpk<%N|nCHRYD)ew)j^ znmhHcSE-p+(0ix;^x@q5xhHq7PRZ2s7t|S-b8im*Ax!losNV}VeRw|!f%;7iAx`~s zj1AM{besF6>tyKP5miFxC)5O8GZKNusfkEtuG2`q3OlLr`!xl2I68D3*(3XnSYh~j`+GC69Q17t-( zsnF|od0b2*6^1Km(2FSIfX6fBD&nqA4v|FOCBqAf{s`^o93N(gZy0Gcf{hyk{NMsB z^>xfS6Tfb@3O>9x_R_>xa>#RKT@TQ+c-0Xqjz3iR`w%x&3kZTQp zzzRxu3I1xiEOC^rr6( z=}4t+yYn6Izun(@zV)grb*4e~yFJPpD;d7b$jA+RsUZv%0w|Xvg_0E6Al;5F1(NWG zeH$akBPSw)80m@}i3mrqVed-#BT_t8;TxoXkzEo@l4yBF0e}?xZ8#i>z&z4Ht)yz0 zd?X2A1v%k+C5V@q?Jz6<^Keb?MSzd4wz>2?N%7+cD= z5C1rQ^RkET<8l;lyQ;$Av<7I_oW^Hz&VuecpJ`_$%YDtY)~al`Y(U z?BN!`d#3Ev@*^4i>nP-QI~;0oXG^y9=*BI?;pi#UQA=KU*;pF*Xw#y#j(}YG>=zfD zpZn*V^2&>^6SIy z-XKlL5okl)q0;OT-8AIxa&L7D?vNOSAEYa|A-FZD3Lc;d9QOP1K$r_b@g&T|qXXA|f=?cCgRU^mLPhdqVs31S)wt6DWZ77Z;q-&%*Eq6(~ zq_?CIiT`sTBLe&aOceT{!ftSGaP7CeUh-barzIA(#C~cs;;WOsvTA8 zDxFmugg3dlw6rTh6W3Lqc1h$6!aEM^%CLWJjV#b)Rk`$Mi zB@wbEtS>fI5^Dqz78P7caYHE^<^3z+a$H%!)p{H+P(;nBoWZ&)wyWZzz=3Ig=qRqJ z^x7)+6KVQbPu=ys%OC2D2g=Wwpgmjx`se0NL&RyKO0)kh?nR&8@I zQKI!O+TdE^dd4;AQaN4N@2QR=M6C&2mwYZ z@_@rjot@m6xFA;^&Q;EAn9jC1XN6p11r1YEl`|Afo(Hg)#;5jwdqP$FO1mDL($;`| z%(CGg)_vtFlHtGgFsJ2xPCVhs`q%bdYm1^>1waeNPM8ezp4Q5yrb7; z57wR+0E}ZoL8!F&2N4|UN^_KHHP9EqU`rW)rNqrzkQeb@gJ`Q3`EEM9eBfN{QIN;$ 
z9`<@hF-S4V^JaM-iB@tfLiRg|#LqaK#i+A6_>mQbrQ!d;v2zjb>z>V`u1Uwu%O-d& zN6{`3!g;4q$tc>v?(gZxd-PD_6;CwByfeth&my^K0fZUn62MDdE-1)jVvY8Tcy*zs zA$M_cE|a?}mTPOTmD$wuD#uX6?{Ff$wT0c&QRHx!|MSn1SU(+DDMVwYyT5%*SbFMy z)df#Y(8OX4TRPVaFK2A)n(5G8sX-fdxYi6`&pKwe`AaKd7J_rwA=fg%)N*>sei9w| zbf7TY0y_Rme%jm+jFq{{+=*y1rY>|BdVJ7-Bbs#gRSF8nabnMRY9tw;foM?xyNLnw zR7u3iZ?`Yt7t3jRyev>2jajk9RPJ&Yx?*vc8-Df@jk-`1i)wHTMB^gm<$-{onJv01 zSQdk{c0k6T4h%B0tk*Nlak3EICzE>t@cFE5PYc0sf@g*fhsq`^s<(L|BJ zd;^h-;XL2@AAamJd}tK*$|;!|b!L1tbw%!v&eqzg!`kx{zjW?rbEmbkErGF>U0JupjL+^-1JaDl8ToJF1K}0C z-POeA$PSGtHmE{kLrQLHufDzJUhP9QLNixr=1r;D+d!|^?ks=4X+V39c(PWOTDY%%ds?-#t9m2vaBRo7E6|uHl?3SA506X z^tg0q`nvR;=||H)O23%?b^6cgp|r6NI}l^xZg^APrq{Cz3w2@LLfut571NE?P1UW} z-KKj~w^R4J?hiV>QRmb3>4ZYNPH>y!!6e2mT~s-CB1>%}J(ZQrEte*%t?rRa?1 z^e^dEAta3GMd)yY^q?%t%^RDU+}zvDnxDo|HGWJ|F6k<18SznHlGKTHtS+UNrC9X} zIAmCrT2^w&6=mpkBxgw1u5E8y7DPF6yg zVGrd5-z^T#2Hbi@(%~O*k_I45Tab3~Gu|=cj1oPStl%^Z-q2O-{ zkL$-)9O`1DKKd9x9mLg4ekknB@yuG~{jX6ysm{f0+$Lc*aHMv^1PRX*@M7b&JQWUGCG zj<`e@qi&Ba8pQi5U&uZwzDdv)#f?VGN~={gx(E^Z@prA)&iB=_Q)-m$wR*hw)Kz+< zlvS0=rCp_cr8`P9rH4wjr4|dZdV)B|nXuVqkyhapUzd1DJOaz#Q!=ezv7z$^;UVA# zJYnuOgh>%nQv7u@Kg{0E6@2W70QCHYm;IzP-<98)cU2}b+V$jVW_6r9w~_*m$U-RP zVeE~m%<5P)&QF3ejXoZV#Z-}E8Zdc^h}jY}ATMd+#nfvqDk5QB5w<{ZcfQq%B!9jL zPB-Z~b)UX3v>|%G?kV+7-9DA>M%~SNhJVX7YzS_M-LKvj)hMp7ZffHo<^Wef3(F0z zP42?X`?eL+8=6*x?pkw4@3Xz@-@Iw+nudoWT0=5TH)#x0$EGKZsV#1U0z5ptzW>Or z+rPP~s&=93$r%NHABzn?k?Y+cjh)o^{IPet8o30UhBLQw!Pg}65BbWkH8iTH-TIwH zKW9Ie-lKn`e_>jKj+U`R;l;s4`pbiB^lJ<&i?$U!U+_F$lsQnix9EWM^PE->BvNc)GVFS*^VKiA(e*OSRS$t-nk0Y(oBk zzwjWvWS=g%$pqU1PK&v+$F(jTFVtcvyuZe^Nm#WaM0G-0KnqsLia$7J85qXiN~{&A zj3)yiGM?f@lBK$<@<=7?tK3n^Dua;yGN&8a!7n{cWk*Dn=&7i`VRRFEbWK4+5bvC+ zav9G}4IH|Ia32ztH|2WrB=i3i_9eh^RM*;byJvbdYxnGX_iUQctUa(YdGxBruo-MNX}k`n52~sa5YD`A(lenJMEGJb0c=5>f>Gi7~o)2Viv5-8XVv3up(Nur3-^Ja>iO zc!ZCwTvq_&i5rmomG_80klJd!bJwl7dSr6j`fbl{Te@w);chIsedXot(RRIAi*%g5 z*0%cNH?9n3($>tHFK$@8|CVn*@SB~@VHUqUoJy8wZ@Vj~efhC(K2->O)|3Kq9AhkG 
zNwY5FY{|bWI3Bz@xGl6LdSlSu?tC0|h+g-7U--WGj^~}w@5MiRoV!D2y3hu3t9W(x zdU1F5R`E9P2cGvrj&j@aFl%!-DkKJJq!*3b(qRi52~V+(XA*^g-G*AMlWvzIOmEkP zw;MKM*=G1sgj1#u)62%N$L^%d+oaZr`noJ}Jv)>=Kl_`kHJdJ(z~ut2RdGFURlnI5 z8ci-WZiv$i{GV8+H3BgJG441`cl?i)3JD9~eLf07GN;*g{3ugiM#yKmESfUwKOIZVL_U@AYlXqdX zzh$wMTAf~Y&mc|ptr=*@w>%zy39*jpN!*B9LoY38rrk4c0VamK;ojrE+r8fn&Y*&L z0PW7WKXTjMAfPsMp|1aX<^{GHltRG8+YuXpc>}dLs2tsXbUSPzzV{2HksNy&785}T z=xP%~0JJmoA+pAhs0j0iSn8ZQZEk5^#DF5GI1=tbQ~-&KzFgPBuHt-VJEs^R_=7pV@W&%0bBb;*y7|?YBGbsNGw7 z*805TQ0Z{}qx>J1Ih_j~T~ePkkX~zR!>}zmN?NZrs(rrgGv$XJkJlbw>M}<2OER8P z6w7q<+w;N2C6Df2-1Pf}Gr1)nhsZBB{C$g!Lb16RQ4?%J(Pm>Yqd!mjqs_%rqSXim z&2+L<&jW6EN*6>!?`(=wV$uNXv(ov1ZeLzV$)ofU5CNz)ocPY^Q8qdn1yN~+D_~DQ z>t7JvfduCrnw{xX-awR$QgsR9Uqjf)L;4aXFVR3L8qFwl5*wUUn5<}k2d6}v5iB$t z7_LH-$xRKF5{yitQlA}+gV$VB^UR}#Jz$;jcoRg6=qo+uhPDeA*v)Gw z3{@8uO{p#+DI81bZ>_SJ}JIW0{zb z4!Qa`X+mGs)wGQW!WeNT>^7SemI{&;P=3}@)jUd8sY?C>-j}=rV)=o*=A9CLYWT9n zyau|NBd>XKxny3;ObI_RF3xr2wQ4TMz!9igqFb%@Y$oINdYo+u7I%=zkU5UXmnyz?7*f{!zP=@2GSic02RF%U~+(^18)Wdg=%rYCG$_$nN~ko z7xelBb;RN>dXP!ninq8MZ*fE3;!eCp1r2HqFVe5-7Sot3cNF<4e6f#;OfOCsXHct$ z?$*=airqv^=lv+Ct#e)}zOmI>@Fcv5(ifEWQ40FJvPZ3t8-< z-;RHGZiLNZ&UXRN`QOh2C;iA!!%@`sVOtwpJFjhA+xgkxEsa|`4>k^VPA@#N(8X&O zyS=`qrBmq?s(G!G99?fN`a$*qzuf7Ts1wmM&!Ok2Gec9NXap(JoK7?nMq(^+L1H4Y zC*eT8r+uA(4uPWkf~2=hIr z9G%-v$;*{-vduqi^%_W1|JZXdbNT#C5=*H`CTzg9WwGe%fkD;9HX9o^4GnGD_=Ycb z-_BjvEh-hNOi+|qBqKSQ$STWimv0{7*C@g6X>GpQ$!e!8fw?P-y*{_VHLORs{vXPYH7#6?fubke{|a;YWGk39d6wQjm~6@W_QcWKTgxaneuv@d7{AFJMR)mMn?}E{UQ@ zE*SG%OTwy$_XI5oBVVBr9?s#DlFiv7bClgK(t(KZkPf6~vesEo)9rm|CXAvee8RUk$?u`^EX zvB|$Hywx9n@`RcbzjqO-IXpd99+a+wy*whUHMA81^ZPZ!srIzVw4C3F7JyqeBC+nC zSY891^Y$~@T3*BI7;hWF>~LNi%w^@g7Rcp{BFpBr;*{{tb2(#x_2jhy>>K6WlDsyO z%h|KF?u?yT)xiZ@t?E{%(`vVjNP`0%#bCfWYQXyBX78D5wrLsNKYDOF3wG(f@S zCBxL`@l>{X!SIn`VgK;K;pt&f$7W_&9FDCRof6KN%#is&bW~Ug+;-sRF39t(c6`tr z4P@V9I1n#&2xA85@Vw5Td8kFSZ&?xCjm_(wiImG@lNyC&q0?4ZnPgA7;wp1{bZG%7 zaBkIfX6HlR1o&D`TYsbB*V1i{G~hy;=ExK+=}em)adBK`0VoV8B!9u^kx@Z%=iN=W 
zG5VIvw$8S$ZLMRSYkJhyE3A{&x&JCz$q(DU!vsJ^AyVNK@90S-G=#b6&yz4|cnd=Z z{^Lhv@bDIaa(*5yKbBqQFJKAGVNem_z>{ zz^|{lb?v5|nX!AvF1)5z#5nIu_=A;H(EHgAT=iCCo7L$Fh^Aqfz-9|p7t(tRQJS1_u=?X#N zc9UtH_h4L91S?tR?>+14b4aX4vedh(Yplj>u*};f@yEhj;*a8DNa}*kF22RyO$dJ3 z3+-Cbyh=u?9FSi^+E*eO%xkh~sTW|K=dw;%?%YyGY0;k;p&ab@3i934X<7C!yxBYix*iu^WLLOHOXPBR`sq_aJ0n4zhIc&7cq@Lp}&2K1fD<(CF&M z2DW#Q#zv6L`5;;HL9*n7WXXeS8zl2x)@lc9f?k`zuz~GP&q%gAZ*dde;y%2E&CXlg zjkmZLwT28E9=WAFNv&Kg7U-OpjCfQdDoi7TUZhiG#Pb$LJio+|$~OzK>feobZo6~x z8<}?WL(v&?&pd(^NPnk^`&eZ=jQ2sp8EIh9&&d{i8vhUijUc;e!OLX9^CPn0Wsbg( z1uv5YFXO6HEO_{vI|x@ocz|f-EouHIHvIpT*;hvQu0H36paPLBc109_CB9*0v1_i_ z63-jguGq4w?<;d(yn-9>?Xip5{%Zy^yXIV%_QIma>@+Wiu-~bI-E)vbk0ry_8`1B^ zS<%h>XSI0?9;A#$3U&vWB?i^=F$m$c8U+O2P>v{0WDy{|yjfv3L%f;nThyepMjlxC zbZ!Qf7IH@Jf*kE4ZuTh1jwapLm~kPO1f7Wc@)ozI_Ar1w7q})MCO=c`>P57LB5LS- z6y_s*z2#|9Z9A&e$6wH(S+Q;zL%>LA*VMEsNWnk|dBRd5k&Gu}Ns(B=MLcCnWnqV3 zwM6ZyBC&#tOclK|lLZZs9cLMz?K3+U?%0OvLs` z``r7KJ+bczuW8QRb|A;{?&v=I9?u?mU$hOe6j0-c0NkQ4=CYK+9U+bpTrvOzlrsRm zR4lN$oj0Ywde^J+T-FYpMLMN-@WZCtmBo}S!KnVpa1*i z<11FivWw1VnWuKALWJ-a=T=&AA>4PJU5j!XdK*E979W9!icbpYfEWoeBxAzWLJeEK z7~*8Ly%D?555Ef)Ml_d%;w&XrG7_jLXTD!*2*Ib;XkZkMbByQ90+-G$v%>$Sn%v5C~DkTSHp@|oc0bN2@yh(4q~lzlk=wcwN4r}Bq`FXsKr zLX2bo5SESYm{fSq#|c9+6T&X{$Xl$jB7ff|AZcd@B8`#RUvf8*-O;)5v<;U$dGdrO$3dWY<^XL9`v>62pBonzn{3&^jyGGOcE&sjuu3zrT#{YF^-}+zu zZsWi`Bmrw70V^Q^Dfl;+8bLn-qH@F%)gnsNs#;S1R#3E%OTDH=U(MzVZhLjF)fJ6+ zMJ zSPQ2Q@}W&p9Xbm*P0_xb0eV9v?uE;*tgluk8LXimR>UV-rHvlEFjBz72xQr@YYML z2t2po>T?C%im6C34MUOs-^m2vPI_su^wI7)q;>Jblxm)q72X=fV7RGN*!`}%D}sya z*2*aa`AS+!QI(R!LSP(PvWO6J2PN{FhH|EGP;z;#L^>svb1sk#brADhvS&!XgiH%d zNm5fzdE9~$hUcSt-TBYmZJ)6pv5U|`FBmRMNseehXUaLE;6k*hnQSyUBX=^9HkrAo zf6<)IvI$Tmc`3Y~l-HU_F@y*|fF9sUBHtXvIJmt$2*DwhKn12ujR5e$ycTCEqGL|7 z^I=wcITX2xkUr*a4drVAw1p@5`uOLEdzTK^yVlyBo>aUPN;A7#@13(Rss>L2oXz@7u^)N2E z8)e-@LlHyLq4~HT`XAx(RKCGfh@HA_YxzFB>m)(3c`D z0i8j2A{EgQTSyZ<&GXO@AgrUI+2Gl>G>j*%Nh0`2n*n-T+h8b%O}HJ0cs7y+Xkju8 z{q?6&Ko6 
zTxAQ+Uqb2j@bJuHGQZ*_Qf1w6`i6AWqQM5wLXSxonOD(&Zm;31VW`hgF-Ej_R2ZCK z-g)WhhlT???KN1VC@}roNoX##N5QQfawjnvb4!Q5AN(m^9vXU&0w5<5`K>J;2u0HD zIq?LCpGXQk_`!8skMKn~yXe;8QhzYb3gc_<+OTv&b!EaCC0l!Bq_Jpl+e5V__x;Q2 z6$zg|92H-ld-<+yJ^4he^xe;GSbP6i*|mU;?cF<2Zj7wBtoIWaUvZ#amXYg%Oy1+a z7w)&tqDuLLC_v}h=N99heD-fmoch3j`4T3)lM?_X1${Q_UyP z3E>dT9tE~JOYuk?B9Kf3L8@Iqr9pXBI>d&F3f+g#PS;Zxho>)Il)az*CAaZAaJ(4Rp0jp}k6W_r9%6D%8()JTn4ifD z4tK&`cAw_9_PM{5d@?zewEo8a>oy@vSsxkN07(h}M+#WqwX@@PMi5diXW}L*g>7=E zG2)DEak!kQd!0oGNEWHwvfEUN+&T$Fa#XP*bJdH5igtxd4Z{gKZd#G&w8F%KVaZ75A7|hD)Jk##cY9&|KdozJZX+ ztxIn^W8JQDaWT6oP)g)e9lgcH;^VVg{nPO`?{1TsHH z-)wSlU6X&qM6TFW!P9LjJpOV-wJIt*i02SeuqDLF%*z;Y6h5Q3LfI~}v18-MqU6(= z?_(Y>$DfD>ZbHH+5X;jEzEe3RnV?nKZoc6!&#Va=0(k8iQb~gfiZ40DXam_fawyox zn-DdBK7?pCcl$^m+8D+$r5NyVF44L{hNNS_$c+7R?$y3@q{e=$`=Zq^?dq!au?5xM zUX+s*espUtjI%CeibW9>t6dN3VLdVw910Ib)&E0N)gP?9BfV$&h4+K%pDllI{=xM}@5j}G?|D96F%dBei!kEzqk5uW!7@-* zM^z2@nMLxs((IS%kC6aeDQXog9z{z=S(&q1EJP!SSX4#9;;NI(SIv-bPp=u;O=rx| zZZsBe)(xT&;hBU3C}{*xw|HF|e6`wP;{x9Vs^WZ$)sTqbz=+{IGq8P+JH&>=aEv)b zN32$#5;ky2JdxG1oo6PDpPZV&ozoULYXY<mhn%a9qywJl!_3p~tUz5T&W5^%KAMwG@kDl{obHf(5@Hm_kOAKb*!Gz2Ed|CA+I$WX|of4reSTrkKi@f zCDbx1v@3ZkZ%ZbvJe2RwNu&n%1Y$#9>VBbHsMnaDQZwW=oQqqn{<f2ZXuqIrOg=7YWk;%;OND&|V@Q<^we#~qxGcHH6&Lut4 zw|zUR`68o>YN}ywh4qQGwIPUjON<0EQZw6NhuO+1Zx6xNqFJ}H5%N#89$udmx8R3n zm2doqQ&joM;{Z6?Ng=I)QU6th(;WEpmu1nO*>W{OhwWrh1YyaVS-{XV_3AP0wf%)Je zMHGug?mD(`AC!~p5zUM=NGid5kx0);qfEH!E9*NG`s|+;rP8M_*QK^VraE`evh7!_ zd2HR<2I@mL+iYU&w8B`f##Sx5Y>BXF?v2MP5dq$0IFKBCaLaN}0KzKg^Q#`+!OHh6 z!7yWfyCN%g{f_Rds-YCpYJ?SA`TPQY+J_i*I=lE;&YA$ycEtDwlB|ggz0$JMGaBC* z-;_AJep&po#J2jKiK)c*65ftLM-U4z#z!n8o=c=l?3cJ7)Ss|C5q~@8!CgJN$E|xM zHwcNLSXc`wv__~^gY$wCG38LPBVY0A`baz$jK^ar8W)9U<2jEChaUR-Kw1bKm~tILJ_>U#dSgFk`kw3$NYKUEx0kw80AGTNx76{%&E4>w=?KhdlLp+lyRL{VoG@MXW7`@yo| zI{R&B$AbM=4srUItgF!NBZi+X zlno`?G()Aa=*};!-DPm(%(@`xHnrJqGq#zT*{(J-Gcz+Yv)yK9W@cvQHZwCb)40z) z-_E%+yF2@1BPx{@QYurbQoT{iQ0CLHM&!UO(ZF0Mf&tzW+Di1TsR+#O<9!>bsomwg 
z!09)Pb18$(!T}1Flh;qfOjNE`E#8ah%e4V<7Vm=HcNP{q^JivE=^A z|AKaZQM|vP-QRV8;k&>2e?oSD&AGqn@4ByYP=Cw*1LFNt&wtCm(7V5I-rs%xw)r>x zXMO)d^!~%TWBWJU_fOe>kiLJ~{Ri9oXZ!!v*1sXXe;+&4Uu^F$#P@gm-}Csp|KH>I z+xFk|PksMF`2IHXx8RrIg~vqqrTcwR;C~DK`^2Ewzcls#4(Pe)|AF?{zm&rN zGqg8mwMzFx@bLwTW>!!~jc6bA2Mj1Vu*)>~$peT%CH*XF2sv3w!U z=xHgnTw!tiUP;J9)#R@9o_2l9Vkj(FuF{n_m)Yi#lFBkQ;W93G{@&>2x{T_2#uE_h zt!aC-S(tcgN$slrVkw(MjOwb*J^G#MhNs++5LMUGu9x64Pmq%8#w(7=)nCw}A;z=& zOJb30>>;=@S_VON&7xY-Lol~2g9~43nc4d-xP-T=j}S+gI3po20W5r-`j$;*gBa(o zxD*>uUq>!L;eZ+|5@({BT!OA|MWJ3KWfXB{flt#xK=@1kNDsw_h zEg06gfEJXDbPu1&V&IanEPG2Cxy0m;UF%e~h@2J@cJI@Q#URd%bFmW9lxSe$o+(3m zDP)7rVJM}4E!^~u5-%EvgHlSvLp#b^>m&?|+kbH4y=%VcZ+`Yaa7=jwKOn41m*Co< z-@a;dXOLRzynvJmS&RSgq3*we(La~}{|t72F};7gp8u=j_kSPbEOh?@e*YEh{sMkb z>eS3Ee*r%_*00~9A&l4X!Nmc-t`# z#x>v+0mKgoT#rk=oDwm^fgY7l)z)OZxT;YIKnR);`@R-wK- zl|LX2iBP4v(sdRq!Qtb!GHK{}nq)LXY!0z(e|$sS5zc68hp9VnXJ9Z>53GA}Bfg-K zDJrauA0TzC-eS_;j&6FhMck1TwVCw>X8Kvskwi5z=Y7i7oBN?CJ~(Cyjz5@XH2Oiy zBe+ae>%)z;Z4)X$u!xZRB=Qs>^GqNhI4tO@Pq;p~LOT!Fu(nM5ap0OLxY7JDktuIJ zXoX0tFeM=8kD7wZr-(NXlN>E?-ua&4vb`L84P~IzkvP8n*~2Zw)j#Atn1$B>A^n?- zyOZeim`wYqtZZsKDh}s^ur|&+3p)@gBm^6whNIc5f7T}K4&h^c`ryEhJd{q2AeitO zY(H3~CuCOhL;OS2igtvM#{m0hP3vB)vk)fcAfX}>W6X5#&Q0FE+Q-iuc(zFIV1U>S zW5w6wRil8aMMD1@0KSk|Xw=!xrx>CQcFa?gusz{EXV!r>@3Z(@xIxX@*#JUE3HHyA zFo4LoOFPKh$93#`-gkNS677jim|<++Ps}y?=BaJa+F0)p3%^yUN4E4|zpp%P3T!N? zf;amvd)S=wIuN|b*TkADY=H4z$!=(kcs}X6{6ME4NIslm{jY>RitL`g@sZAS{pv*9 z_7thJIdpl!2`GOv-hFl^v=n@)yuOm!Ym459WP-j#m#*4f96ew79o+UbPpFlpaw*t? zOY?n*(1}y83B;j^P;g8B1G7^ar-!cB?#@M&q`%w}8!}*zeTB`;KK>F|gcbM>3#cW+ zXHAG8doqa8k;UKy`4&sY805s_R|c$)*l+EK*NVXageQV@+(_^>WsnOh0MIAInz;>E z3+e|;vnJJm_IEZ^9R=1aN}(IiUyX)&^K!21NN;jJYCB1h99;YAUDBrYFbGMJW-z-s zG4q-Pi<%6j(=}_vc~a6O0u|w>ux|u*#Mr{M+lRf1-ON3ZZ@DpRa+|td-&+JEiTtgR znnE{;EaV_+NX)!aX-UtsC2;9)2lAC9;htK}j{_#!PFQcDZTW$<15Sfizmsm6w#8f? 
z(gvJ<*J!=|hDMOpO)3&5NH;y#2bpvhBitiLRFncrqT<+ui4e zNC-&qh8r3=S4jaKvM(ygZ6^d{lKth3^2ZWPp|qlmHp%a5-01e8Viq^+;OIUby3zIrLU5gjUyT>yBb(3ytT*YJEL-N&R#NYLPelMy^U(Hd z^HB6Fx*aZ|rOmnxRJ{w#dBl|}JEi_J=Qgt48JXT%)Tk?0-$qQTi~76kmj1d8=eEmT z2ip1LXai%-(Ec0fo4%bFmWPrz8aCGcMxCY0nl3FCc$d!FBfb*&BJ3i35nk2JZIAO| z-N*Lp*2^|dFwzrP^TF+H%aG0a{=PLy`%W2{9?T_snQEtpNnpYt5GOeyEtxcsW+Tz7LRxHRL+)0G5Vh6L* z2HrtuXrjwN?@d7OUBEBi-|qnMN8rFO_Q2&CSOz(VwT6K3XNR^k>A3fh`2E?gt=Xx^ zW74O)d$(49J(zsnhmP7yJ)U>HteO!KCh0%4B1kWJgbiSwM8bPMg~Dd1o}#IkCERE| zOCslRpqmkMA9IgH?}?*jVDDx`kIhv)!I}B;VC6V>+Pm9;V})Aq<0%9h{wKVW0^I=k z-*Z|6C!0|Z0R9&=qGF@-3&L}|*9?cR+qv6or^iTS>VC~j405%owvXS)vP!R$F}b_L z@5dt3un<;Qqjzr_%oAvS=|0rAMj)~9=ozM{IMn)LCJpC-nKIF-tnqacRA=j%& zU4o6Rw)MM(9%(ae@n^t24J;zp6sT`yMZ=lU+?m}G5E|DT~ukWRie zdcUEF0@IWk<&9!Aw zbtGZbn1#TPe&xDrqLmbA#4s8E43)+C<Go!hhaAQ&ncJK6Al2R$h|^!c&t1Qr-C` z#JAiKSu548q+w|8UW3s-15uukJo1gVbN8vvG-IE{O+@AOY>P(#Ym`l|O*?|+&8%}w z5~$2m$LLx_)TWrn32tfp9g-P&@K$CP@6#PtZ0=QqlAmermUu-l=G)ll3{xh`Z%jxM9hj$)h-xss3+2F~GVn3N5Fr7zt^C2gg#AfB9(!LLT!_Ti5>QJ_WLmn)Z;5DWQYUxCn$=iI_N?=s~o zEs!R+iIoP~C-a3`Ie}m8zRMM%i7C(=hz+4D2LW@lbE3=jIeNhg^FL4EoDZEZQI&#} zf|L)c)~M?PS9&da@ ztc|WnHmI9BFYsuUsk9{;re(o(V(zv2Q~Ia*srz&KM}a4lZ}~-n$emAa0sP+7bO<#4 zwHdL9g(7}H`C@^r>m?XEsqX#vrj z2`C~7<28_(@2u8384}k<8gwKUh>%5*Y0KltdsQktCD0e-TPQz}y(ajNT8?UpO|a~< zpe)ACXE7%agsXm(t0czHXBJ$QkoC+~1nJYMwJi{bevQ7R6<^)kZ6V1LTHn*(I{jT4 z!QwOrK0+`&gk0-EU(+49wPRDajl9>j{fTp7ZS(1eG|YVE4do12BOBWef8H^A6_kYe zo^f>jqvm!$uV(ZnR5YMNoN@aMET!62h@`xNwkgjepQf^cl~18)kM1pLYa{3t{eqJX zOnWkEEMr%7kGG1XEDt$KFj}pzeSVsmDGb7}xz5OuDGZ7#0w&*wjG?l+F$FiLY%zAe z46+&;h+<^9OqFpB#B#`+Os7L2bO-h5V>T3i5;kI7P~=6kdDjNFu&_Xyl7=K_F6@qe z!*Bnn##UG)*@Bc)l;$}-F~)cVfl3CRFUXvISvNr<~w2PXAB6`UvOTZ?9BQ0Mo?Do$!_V$o(;YaRG6}Ue~bhim-8` zppRg(g(NOMOKjGMxfwEZy5O!y4ti25AgmzihgoukOby~5Uz=4_Hawhpr35Pc|>ayx&$(Z-PDv_1%!`u z>@nYP3|_-+eGoqfq3*aPy+SsTa|7OOUOayb!seI|q(F}S5vz^V5c2X>^-Sav{t%V6 z#hmj{bkVX6+_}B8^sx+J(mAs%=Em~e3{l0z7uB%dBA1+tDoPeH{-f%Eu`bp$OXL~e 
zIY8d>E%77j8T6Ck6D>z9M`SUZlydgNm-u$XZoFIi+xhBMJAB;XNH|llkO_U}5p4Zu zSXw{xc59Yj)Z@9_! z)dht12EQ}5>hSO?&leD6)gGK4d zdqkRa;+;Xjop;@klU;n;e`(=+#}2)K?H2>1TNmN$@FN&iL}o%yn^JH`P4+XREqb(m zQ>N7vN!ncz06(6;!*rwWNZG*GcHUlgniW0*(f~i!)$q<2J_f(je*t5pvE!;{AK$kv z&|uE2kKs%*-!qEbGS;VN?=r;N8xpp17W$5r+!=Bkh@UBM5umU-t* zPzvs;@d`ZLh+=>LP%iaIs8lk5PO=x~MRV%Zt_hq3>yKZgKG&v**dPY=WfQ?%Z`5XjrKL$hU# zh0Ecy4buQ^2IMwlUuBMKN<%*bAUKC#Jwjg5<_6EVFuQVQ12iu9DpN0jhJNO0+4;dm zd%1zf93kCRF+s|H>VDvJWX$R|BBp0b`LJAL@%;MiHWwwuB8;$Mug`c*Pa6Z2ctlhM z@H}EZ|7`KQVfwztek&d$&I{CJ@496=u|?8VwBIjv0onyfaf`LJ7)T4l@-=?E7BoOD zAJtqN%l}?~%~J`tlsGn`yR~&sG`KFvk`I2YclCbT4PXZjjE|q8vJuA`Y=k@wOn~-7 zbJ|_l^!e-pt=tp?5GKh2$W9?f&{Rew`54*c;h!!eno;9u@-K*+$R8=aq*sa~e)MFm z08xEHxBM`l+_do~rJ88+t6L{U)}8aRIRL6}W@Qc(X|5!sm5;ROPbT%BTn!}OYG0kD zyb3_mjYy4Tz818TeUX|8X-P}yB=ICXmfB3}{8svUcGtJnbvi?sA7&xzV0Viwn*+@C zAozm4kO!E>>S-#9Zt98Zos;4jyw^tmG#EfK5P3p!G1h!3yu;N^nFwxpu)0by-O@^m zp8D2A{)T`kJ+T!uOYH$rD$X-7ddaDeG8?&Zz-7CPGiVY6+F%rE4_ohE#|kXafZ3(S zQ&J0CgGT0j23&t44?cdkS^Rwa0P+3&wFUU`1P}UOZ$AM)s`-R#c{ghL!)$qjseSro zAtnMw9t)x^De&ASd=8XgpA8ZB((UmEn0{TD`ZCe~v{S;WTy8$#8#)O%@C4c`pb-&T z|D%h>52gNn;*>xGjek@fvc)8${9W_A>k(=6@b{ck4OmE1=t_K(x~5;3n{XpXQp3`1 z*@PSLrk1q%>9QuMqIMx%V46o5s@5Jjse@H`JskpCK~xV=&(wEQn=zaGk1lC%7`4ls zdt~`#`q5K7(FfLAb#C*&K1aoAkK0@Z1jmx7HEXNQFVY(^%}D1Jq|;>-RS{@u z!xIvb(FCEPZ*B>;*JS9n9$mSul4f{Os4;L7_|$z?LsEi*%@I#Fl%<_Z#L@+WA=88|2EawN!n%I?vqNtb&F> za9w>w&LHv14go{?1RoQ0O#t;AK*BPv1bf?Jg1HY{_VhXg(zv*UeH$W&ymh;8q9YvX zoRKp%O~dz>v8}8h3k?*t#1Et1-=m5mc^+v2we&f$*1KI~zD4+~FTvrFFzfNiBfXi$ zR<;8$9K z%Y!GS?qarjsk!;7o3AC4ib0!Ze5sPWY2 zf+Ou>i$$xRf)Gj-Igok&W=nhLx98yV7095RTVCD6nIz$_TZrNy>e?M59uVxyB?np1 z^|$59o&BV%1;v|+AE9sI2yd9=fL0zIL{EhRvFhy_j*4*zxRO9hX)++dP-8;a`m%a* z74_&3c5?#?Ym7z8c{@Xd^C1OQV4lB*a3p{J36=IvpXJQVg9+D0R2r_{qsk@D&WR$_ zB*2tJMr8n%W!4j-9~`l3t!*~Zj1>=f5d;7y--vSRtgfocLv4WrTew+Eh#BA`hW4cV zOsUVJa)|g*f=psv8JvL4E+5O7lmL@S&c51C3d*$s4g!kL4(YgemL*%SmYTFkRDAy_ z*G?qA!NEBP<=))oT5ODMtbX`LmOyU&4Qx$@1t%{h=$i{41Zn(s34Znl75YMqFF>%F 
zc+Nw13OO2cFu9t^>52yKXEpla&VHp&7aA4YEUvi2k%~5-3i|$}gSt_Kz$~;@PY^CA%xnx@%*pIf0=pire3zq5!c^6PH%}PDi+Aq(u(no^J+|6`*X#D)aPjH?3#a$TKl#K5qciUK+p^0f6*JNX+lC}uV z$fmfMYFrXeSLu-fdzgiG27J2_8KI3P#$+{gm{0*6iQhE(m<7<1XJ1vgi97G5V zWJyqVLFrlno|5de@{q3aRJ}p%>7=9gL4-FEL`$fs#DNl_4u#-At|t;3I)zRjE|$z< z0!nu1s}(e+6An5MBz7!Mr30t_SY4(U#$at$09V2mqu??Op`ImN=k zNylmg?`1Nm1|Q>@)wc6GuxUjQmao8b^ingz^Pu%SA&qPPq31}+_Ffi_`2L{(hUkwz zgo*L#%gVs*)Ael?O&3T#j1Cg<0@AmXe>SKEW9t#31RG8gnweGz_Mnv#?Kzr_ysuLqXQrfvikxvqd!BQ}R(tL}H2 zZ$FfBZWZHb*gi#v1)&{;h(;eBMsnDieab12ZdMw)#$5QJjzAY#z;DyxD`%?y2OJKA z)6pMRJKA&MMtpl`8HhQ*@WK%`*qs7ie@)K^l}(Ee{FsQ0Oxp{TJu5O zGXR?oyeD>FnAw2Lopm_Xc9DVQl?^hE8cR zAq&`Ob<6b$FdgRFtHJ>`a`q()9L{y+#?$FKvc4XZUq9u8vdI{g%QzyFmqju{nb!IU zC!z_3b1v!KJRE+e%u5+HYf=7fp(LF9EQ$?o8|?b54Zq`ND#5R_Iu$VD59p+GapymtDx%g~N#mUc4<+n9?0NQD$){QF zKX&(uvD&^{fytmqFC;BtpQ9ffA+5>#_=LH;1&{?0JtMmVuvH&TUwrfqH5fY zOc%H<+w@E7^_j4U7>pgP9^fY%GqGgvg4ovWHhv9(HQ$rJyBJyJ*iMu3VZ?-78Qr&| z0w!4qz@{!Q#~Zn;B8De`+>MY@hY9Axa|^?X=6% zszQMY5&0S_XEdWl@YZyWsFzzfLGyU-i=w=hJguy$ubn}cQYOxbQ-W1Cpsh+J2Hwih zw&IXr4xksIa4@Y3=k%73G|uzT%CF6((6X8sQMv~D0Ed(+t+hiE&z(;^nd^mA5*cQm zq~H;-U*yDgWM($BM=SV{xUC|KH6uybUypSQ=Os+%nf%1~(|v6G0{tEK7`TDYu#wWj zsK=t3Tv8~(q}uh~sX(*{@!TzIp@7M-L?B5i2VX2sjb9;`-}=yw%A;{YrvalG8$Qc& zk+TImY2ke4W;x!Z8QXV?1hZl+Vegg*c6w_9B%;SipZqSxvgy>mTq(HkI6q!Lg@tET z@A_+E2i`6CQVFBF#nW4IWHBYBa>NLs3>r#t*oLKVbmq+cMon!R0+gu|%ggMJLDY>y zcj|6u?@p7Mdv~#tZ36|%J9^-XielJXfj^vmyLN$s)Ib^<^eS9#`fabDlr@Kjq%sXe zgN&%2a;9boY%a$WN}jA+)RBp&BX;c7#m=bcK31!!gxWOnlt`zD6}7R?>Y82aqzeQz z7#=X{6u4+2GED9;T^mn#4o*&H7WDL@k0rZl)nLD9DO6TewQ zssNX@J#bB@lg!zDoZTLeZ!E7z;h2dQ@m!|5dY#lDhP^_Ss3F;~9+?m+8CemT5jpfznp4XW+wrY0$C0hDA$Q$GXA(I2A)zHM67K?0I;=Q!uPBC4_8*50`I_@^zR4Nl%!Ci4L#B#NX$ zFMKeZxsKOl=)(0}X1$&gjb?-B!0ckgMYU?X`-(^wVuobsBXOQK;gAT`p^zAbISQ(l z)ja!xH@%7wggMy^q^oA3)hi*{%q%{*$pB7U(?iKamPdo&K6nj=)0hD)FXrmk<Pd}`GU-!YCLU@rKbm{ z9LgFTthNI$-dYVFx9sky^=s`G1CG!wqrMKPZFz$8M?g8s2~5qH9?WoR$IC=HG93a=Hj{gGqqGKMpx>3Q(QQbH%k2jYF-|hD@eb$ 
znrbO~!Gu14e4AE_JvmO70f2*w6+g%~1v4sV+MqhYP9UqOq?kfaORO=XDc-n|=5~Kd z>70pXQ*R|hMPs4qrhZZjDAW?07Vn$L`V*e@sjqj$>nhP?ckTfgWD2L)r(aKJG_JdT zE9DO=%E+SzH|{ujyG(RW_coE0mXTnPU|L`!6{H|lXy`XCspHm@DW9mEvKqFcvO{6c z+T|#64Kf$9Zz^kZ?eJ`Hciep;UtF!Sx3+569o2j|zu?5YOuZ?7=Y6~w3Nk!I2;`AGac$vE`QY`kaBos20siJAf z!;dmt6{$xNAv;!2)4N8ZfexO=Uy2nJC5t)y?_n-0RG18VL-z3ThxS(#k>c5md&JOd zs-Zj5kB7tnNM}8@8rq@-c6_q({B$yFHs`L_VGH*a16r4JBVdO%>@D=lOKI}C@)8uO zm`<(!HGaU#Q+uL{70Pa5;T^uFNl?oZlF)r9Ujumt9+?A2R|y6>Z6byY95KpaT{m)j zOAMz^1|6s0AT!frml9oEwJZ`9scbn(k{y@bg2#@=A>&)apjqj;+L;=HHw3+4Q?3wQ zCvQ1gq*m>fwDeDH+Yh#we#B8d;d@AN!gxXMnw%R*`yeO!^C^FY9fk(7B?^`{ z8Yy{#d{D}^k<+$GeRk+rOyvSUe9ZZ)moH^N9J8cQj&NSl$^1xaVi!}YPBn?Q+gEX# z%pa6!3?Vlj7ds;;C7n4EJw9ISo|yRlernW9w4^^XOd9u)#2?tTR-`j3h)nB&x(t|6 zXC^Fjw~ieyDoBw6+Addm^x>AiGx+k*`FhBO_!HFgx4WvyOhTXVvV1M^_cBq<^JXd_ z+dqMQ9VURuKAXnSwDeKaqAW72XRFK|*_bdhAS*8aKu)K`~m)7I&ivfxz~a z*wd#OqGs{qn53a12vT8p0#1UFf&n3+hFGmNlC_XSH%`3lwgK?+w1xWEtWx7Y+P-&k zMEM2+720+%WgGs3RI{@g{-UEM;wiAlpJ2f= zn#WHRe}^s+hn=E2pdx~!<|5f2J>-T)Apebus|N?{F0u3k{83%fg_Dm z5l7nGJH9}dHXlEsD|SPGB!Hz}MWT?hWJj_~%z9qP4DEKYZZmb?rTuiKn8dZH!7bA; zsE#;RK~rp6nl9IK{uJFfQM&o;adIs!4}RhDnNlT>3%5DlW=31_ag{k=)6HHd|5&T~ zj%^l>NY`NG07|Z2`?%!19JLIlmvpwqVS#TOApa@Q90&RijjA_ew)oUV#{P0$_D}Y%kiFPKNWY=$@p_XiOT*YE0H3(=zPt2bn3he4fRNKwut7Z-RpcJI` z2{3FhELpRrK;q|Mp6|$7PBSGCDeup}l)8-AR#b%1~ic!V!v7a8gzAqlDz^?-*%!SMc?sZ;P z&8zjS=2hE*1L2L@tDChQhJb@lrKg3&IDT$F{_Rm)m7gq8ngun6%XM5Rk@i1Xml|Ib zoxq2d)8R7sOAddg^Mz*69kHVV@vYg3=Ec-HI{IUlir(0Yl2W9r|BMf{Oy8x$1sAc# zDM+78%V!mL%k`+5n6XqfT{b|V5-p9TLc|#teT((}Gxhl7{LJ393;9BQq$EvD-i9^w z$YQJBQe=yFOZEtlZuPUXkL|=I5jAqrs5s}8E4p|%DlU0^Rn-a6#qG@Y|S-$pZ%5rNLjV_NU@KACiuPE^yz*w z`qA1VDFqui0ikC)SA(O(9;0HCo*y}GF%c1AdkNpJIJOd<6be~YX=?Z7F^?yVI@!n1 zB$^EjNKUN|<40}%S)4Z~2F)ebt^rY$5_#Q~UzcusrQnNj*lyeKtBKUF10QpTNCONi z$=yXg(g(T^W5*;cufZWKo)!Yi6}oz!6_u@8v*nf}X0T9IW+uEn{lF!;MLY9h`Y77w ziuryE<}87gWUfq)G8fyiXyTDUkwKptH?~)K)mEjgc%s&r6H{oSv79_FYQG0#JqEnA z@YPC~MV&7mMW$z<;I+muQSQN>rT^^HWtud1ZO3yN{az)RLO<|i%E@abS`T{L>Cv-N 
zzpm7)M1Ov5Q%w8jL-g30pFnX`8AgbL?cmJuoNeH`(yNMXJGjEb)wdGKIJw}MYyPcn znb`*W0gSHYC{)prv{i~OL*u|nk+@(ZWPyy#-&Y2Y^#>e;nBdZnP?MfPvA~_cIdcK3 z=!B+dGiKt^CBBnccXVwe^C9?JG_63~1LtgW6pRqRB=e^?VAW=DyeAbo%jHGzA1<+_ zw8Ag_wpv31?u>EA)D~ujP&%>UVi?h2U&Fz!!P2EscX`+Fg$^a+m8q*RIv+lsVS`!W z9ySwS_JRZpfP!ZoTBtRe?zwWy8l>*_7Tp`rv{oA}X8l#P-?qL7`@pNoK+)d%dz58jiq>f{+{DJ9o|r^J zg#+y~LlL7msJamx-TBECfzP)R*NJ6R$d$~uXUm<~P^e4aOaF1#1sl!fB<}E|U^Xj| ztN7u-u?@+Aa#vg^UO*KwI6Ry2w#zj{db}8$u`se{p3l7%KlHm@mb|2RRQCxe0&Z^9 zUJV*p@D8N-G{3U4RY7S+Iz+$BOmd!tWM9FWJQPaik18?;hs!ZVF%$@0Q_H?${SD!q90((p~W>pQwGoZ zuy_-<8vDC)-7PBQRnaBFMaQpigMEDt47StukMN~V^b|STeqwwIQ1=1NKZY+?K?s^C ze}R-EiS8!#YZ8!h_yyaNy%44tL^|uzBjWq_=m*%pl}}Q}K`)RDUN;tt=R)};Rtp3j zi@qp2pfrtoGk2u6tyFPx_L!KcN@Ee!OE-RfC)@ zuBj#38>h77wm!d##G-YLg$g^4!Wmw*^}N{u@pnZsN@~l~%hq$5P4F%!SF#n_@&q@s zLU*wyeP*JV(%e>?;5au7Dr2?|1VHu03$WfOLny1Tt_G+%cFOexV?V z0VLoM2>X}PgwH|!U=<@V?_C^Ln}?GxjW#RAh6mgJkuu2gblj)un(!$Jh>pQ!1> z4VI0T4P{la!8W0dity`kag)Xk8UqU;e)(Dg|4J%&y51*&4jx&yBfPC8a8}WOXzs9* zGKD%N)Rlx-6LX*@0s_%%SsCU#VR=Q1&4$Z-6M{pU%GJ?fc(sEqBh-<5eVsGQ%OFv- zzBsL;{QYC$gJs6}4QMm=xUajcyV)RdV2?>YkiCgQD#dks{H^<>+q&x^=au$rqL0&v zDyr41(TEP|b)kq&4X%f<=e5MAxo1|5E_w#-8m@Bd*MTZ46$h&8BgrT&Ix%kWqj-fO zmD$8)?n{<<9-GC?%kFft6gbKQt3N8J?1`#10e3aB;pPll3mhbZ2)4x~ezbE;KSVe4 zHVeE%JBK?&H}@is>A_s00*{Efr^rEvw*d({*<%N;Qd{>>$7^B(?h2v5o^iksh>zF7 zoeZa`f~9PeU!$+qHi>_3*rE{SXf6?x1(3GDhgfO&7#%>2BQll8NhpPck>+BQc!lfk z+VAG)sOG8UwJX_H$f1)$4+EFsK{vyhGzj>>#3{TAz1ZjnJtgaXLsNrO@cE`dr?_F= z0w^%E<>PVO{beDwmY0n4d_lhLsw^sv+I;j~=kiDOqHjhpo9C~=&Atpe*?!OK-u8rR zN9&Vid#@(iN8FTgq-!3S=f zwD3bDvFbz{Em<}WirFLpSjJ|xs?tU#q>)+UChWg$Wz`!b81|>-tp6CG%&~9#5P&8K z?W>A}*FvMkA~G(#Wcv(kjwz%TH@M)FGxxk|6@}I&WYKfHRoMM>I1$Ozk@eHr*jy}9 zPzj4Gbryc1GA1)#bGinZ9f*QK1~APpQyIfJT09rAt}Wh=62iZ=T1)4;y{z_4-A$-V zkI^J8P-}9is46kHy&s6bR7R$cowqnGwwq_+s4{yF4J=Nna8%##-*=Ru!E{YG)tu*! 
zEi@=n(MrB|7&=cWK5Ec=i`_$Ab*5w&2m5lf#0oRM*uRaoHz9jNbtaHfp)F9dlve%G zC~VW{+OSLc6uM_d#gz0(GygBpbYV&&x0?U=dE({OJ5PQ8@sZsJL6ic1C8l{_q z1;*E8*OT#K-Kd{3B6Q>2^^h{_7d8^8+Z<1ebAW8t@l~Kx=@tj$25WWm zGvgvN&04Ti6aI)Y;2;yXu*4iImvr2fKu}Ucs_PzYui;><3#`;=5Jf}iyAUDUnFU8h zjEW&IG3$R*)iNn1ap9GG3NEJ$BTrDKS*)f=SMcoUk}hC~hM^^L^G6Fi70Keg&Qly6 zEO$f7u873aS@sLm4EbSLs0?AT70Muf*7mY=3I^D$zfUMo?!5YA*wk^`>nUw(Yv1>B z%TaY&eo6Bj$~j(9&=N)aeA*L(^)>r|{Yl5%OPP{QaAoH7>&1SX)7wX_tIV)*rjLa7MeF@m(Y{( z;e^f^p#T!|mHr%cvB`DS!Qkw}$gK3@Ki+*6`)~Z&V7obbsfYv%?qR9+kTB#$Mc=}#jR2c-{ z4;Ekd7|8DVp-PF6%r&Ep(8xK;^i~x|>bn6sPpE_u{ zqc-ARlU=vE43^&a8E=2WqtcvUdsjk#uFnm?i=VNJi{)Q-zGey0o>ff)pwX(WFSiOG zhZ%DfdT1PeO_Mn6DpnUg9e)F#I@CoVJmxi(gS~6z?QQ5=71Zjpm9s#nM1g`!q)+a@ zBFF??MVBrXd8g~v$o4IOA1r{L`&kQw-AJ#Y?Z}&)ke6R+ju*Brr=rZLUbtkY=t;j) zFxX@Dn}!X~%%WmEANyLgc3f zUE`LeWWphhYaDs`aa#rwb z?KMe zP7^E-Q^z&J593-)Ur=ZZo55n+8ce3g=9Uvtx)6QlBWbm7W6Wp&bqC~CN=a9lbK}MxjiYsBoAbr|vy(6GPqtQpaB>8EOUuDL@k}32;!b+lespCJRC?`lFO`=Fl zBiL^)Udpq!c*rdDTXcRprW1luilJvM2v+><5BDy@TZ$o68z#0CEA)~bJ+v*Lrk@?r z2ew9zDbA%u=esbrarEx1Vr|NlSz5N9+~iXsa=FJ=a#&Bp{YA0&iM7>g#>=~JSJA@T zyWz?wcxi4_d5LOtSiaULRl{3{_0epRR>9%>;(L*GvRCHwLrkGP?fZU5*_8DeGRRb8 zChH%bp0qclq8sUg?~$6Br?jmRQW(qp{*N9hrB4U`bN5p+r~41I1ZO1os$dj!Z~R!Z-;?Gl%|<|kh-)q+J^cHS1)y8P4%H3XeS!0WFWVm5+Xt1 z*P`Q;Tbwi4$Smk#Fq%Tt$5~yf9@q8Th1*vhq8_8K zqo2eN@h`^)llryYwQfF^p9-HsulcX}FPjFf`>nY*-NKm$mCz3Tk1>7`;8ZPE(3@yt zmaQJtma->^XXuYQ?Q2{xhj~q(I)O{-HJ0EOk=yWXMDJmXyno^ zp}=NY(FdT=usJT?Goox)%OH}S6uQwkpV87ibf-!Nz-LRl+Ul7SJgTcYhfw1|x3fl{ zcChweI(=|ifAt@42v0`cerT1ZiBt}&<9@0>uV1gXL=A2_bf!ESbt)B$+IizL)0CC! 
zLL9;=Rm;4nM^+HffQ4O^J$xp|xB6s#Yqk0lPo>W%&etze?Vw(Bhv67Tm6A3}wXC$P%wKB8wQ*dAy_qL0wp89) zMZhn#E4(-zleTQ`b8yTHWr-s}gz+RX{|GzWq0>Yt`Tb(|tkct<%chMuUR6G)0)1o2 zLa7`(Rc(RA^k)Pe^B+2mXzsoqSTbeFN`QMNC%BWy{J=<>6=Z8T9XdHbkTv23{1w=N9Xy#t)n zu4gp=WcJ;&CwmZ6va}QPxDIvrrjZ$ZVb0T2NlHFmAwm}`UqGvK(jtrwk?(Mvo*?#^ zG*6YB-*?o7T?wTT01R#BqpDc5h?XcVQ$6tgKtXKe7Rf^$EmT#W8DXqmV}*(RS8wG^Xi32 z2DNGruhn?RlP9L=eD9jXZNc3zqBa)1~X#=Q^8R{JcO33r1S`K*Opd1-JGiee+^%4A5il(9XNXC4a>ZAy}fuw9n_3 z8}^Hm_b|?X@}d zMZ%F}axdQJPpVp12Ie^rc2Vr~1P^n&OAM8*aGO%bkdt7i8uK?Y}W-?2G;) z(w-mq+%+JyztFrR#Y_4!<%uZuU@0|I^>W92i=4>9N)`%-8v9fwhL2RrzPD=VjC(ba zwX)N!W{kC=Brkb-TJfmUVvW@?W0d64^r26k{Z`?-F`!rVpZF=&3xN+<9c4XaXk$;i zhU`7%+1!J_SiN}|bR@lKeJHr^EGU`E65;kTIr>)dx-Z>?nyR@xNi{G~@>B+HCGx&) z!f-#(=o?)32zXoHo~4~-mzJne)1WWE!!N%ZuQd-8S|Pd}o}^MvJmk2ByN=4$%V?%? z4|hr0zeq>Zq;>niD?KN%ZyXvcvpYgPyw{@9uDIKNZ^|A$oB`)+^yy2o{_1BH=II0! zJ1sV*m$S9O=7#? z#98Aws$$xz{H`>0nSuoasLMZ zI6%k0kSA8Q_>T$F577|cLJH(z)(99r=rI(Zmuq!1%FBl?bj~w-pGmF#^QL(p((=@A zKVPsqJRz`}@7v@r3J;~8`hDvCr~a_eOVU!E)40?s zHWdMuqY7}GPw7&*MHfdykik50vO8Kribb|L#r+;jUQrY{x!dFV(Czl9HGA>tyuEd7 z#|j51Rc$!?mrQ>kwab02E7@BV^%a+*X`geiA5z^>=r6O|EBj&C;wye)2Qa}8Q$$JmaKVY<6;mO_?pK7~{RcAt{P8?Z?z zi%fMEPkc(mFQcGiIUL`023;CUN}@_-RHKPHot`L#7I0#JAEllsk&mcF3*|YFa-M8C z?eWT!?a53wSTWK=A+@51(Hst_tg?&Y;m|iaH?fIoi>Xjyh z7guQnjW$ur-xWO^eIfc5|NH1i!bjRu!YQo=`xweiz@9O!z#8-sl;c*+Enyu+03?IDj^0LM+`DL7-SqV1ic;^M?7+- zN5&D)j*|bu4zPO$>%muD1F{_rc=1^m@FRm3m^J({sF4|3bOi+w zg(9L>+aeUq`U{2}wnzp!B4HrI{=Nv8ZNnGEzyoYDT9p3}w1`2{H8BJLN|bP+kO_t| z@Nb-U{hmu?7H$hGr}uw7w@n`o)4b-Uuk~7gQLJq2aBNP*uGjh?vhe@Zhn&qzRsaP) zXNFuac^IsxDXe+xs1t7jCm}b0q8uM^^&CD6iZDx+G5u40u9M%>X?=WMbIF7UDh$Xpiq%3W1dxRPzz6b{a^m7R( zr@6Tik(EcLRxXCF1G8C_F@EraQb>lFc$rPWf(jEFn{)BZN_FTfcIm#p2>256sy$bM0>)`^U4XBX>mbmd?_;KqOKTz9iK{8<^0SB`+hU>}h3D;j?6Hh~4GaTtcpzC+EX%^|R+j-aMrJ*YmW=F@5#Q@5*o)O@%4i25}(uNGJ} zwM^G)yvwkUwM8T)dE`Z_*WV9|>9GJG3$zD%0{oG{YXPqJFTerJJ3|8?!T>NJBNRXo zsFRIFIDv+rYb4tQff1Bz;(XYWXOs)W1cYl)E_*K_{6Fb(9QYZ!3m;x5s!StT5YY 
zEG&gNr#b^na9DuRYIloP2TuCOvZZXUJ)6RctljU(*K0iPWcoW9Hi(?u$6&@HQhnGS@sKQ;ANOR_D~YC($geE6Xv7fQ#13biqyo4Y>AYXHz{y zrBC+v=`{j7`3`tfya*)28*~YXTh5|)Ht_q*2E+Ic>-dSdS7boj8y{G6VV@&VC6|YReqH!t<*d=I}etz`g+M-$B6MPu`Vb?}Eln{V?K6!TI>y z*=5|2|8D;y{zHBp4JPR=Qrxh(YA$zymjed#fuMDQ%XCgq>vM^Lkl*LW%S#dr3x9W; z@Hy)c$E(R++Q%ii=cH2W|4ww(XteTTrIk6KRz_;=jzDkMILl&Es|??hY~QZ-1eU4e zT})&Jucxb`I7xtSr156a2*}|i700`is*@vq(5M+CaeJl~0+<<4QrozQaaI}3iNJcv zmK<3KsS>sa)|~nvJ};aj3!h8-=KDom`8A8~{mF8AnJTp{Jkh^~znBT0VOl7yKfQOh zFDJWXEn7)oOHqCSIL0_ZhU16WJ~t4x&EU}I8w-quLQG{ohn`c~Xcx4niGvyn6GZG&xq99kbhFrFQ7D7(0&kIc%Ipjkoe*vAleB z?0oP^M`=mW?+@$>Bm#^l9SbM}JEU@2j(363g+p2A`>}qDHU<(->4ywQ=A?c{Sl-D?{_)dkx4ZOm-g&nqV!5ITy{`UsF zD7MaELjlzWD8s5Bi!p4aqIiEJvsnGOnDQ-SCtcz8SSmjT-6z}7ieuFDQ+k{Zmd=MR z6mBmaI})28vW|TztUbMMqpvU=uJEto*Dc8RT~L z?(WwzR<;hAsd+12zmnQ2w{q0%;bEB^WegwzYvEX4@6OhXY|7 z3uQBm2${_$iuKzZ%r={Y;0C{tjCp%;Bu+y)ms4%l;FTxLq|Q9sWb%tKQ4)C(Co}e$ zFs+DWm@tdTDz3PrK(>WJ#Vw$I_RkKE6>tTXY}Q3iAP@`EBS9LJxdZH8VBbL|+TgSn zVvhV?uwhxK!D7aE1Va>AyT$5;_y_W#FsAK5_c?)sVDf1th_ux*a;Vtha?-V`u|vw& zm>uQ<96PHvw~=Y)ZnD6Tyd3Fson5KR86s9Q zMC5^q+#0&j9YRXEMi}v&9Ff^lYG6c*$eYGpn25e;5H|d;7o=J-7r&YY+41S%u zL1;St%QGqd@#Z26MkUMBmqVV`5f}NLjB#amnjcm@qJ2aZE~D#JTj=#Fp;4{RCwxx6 zQe&@WUtGq{sK~S9@)ED$r+OGxIO{6?p8v(zn*g>^o_XW*j*gK=*XX{bk#$?LB-@g0 zIRQ_|ePIK+Lx>A0r`tFwP_8s?IYLUeaZ4|t+oZdtP}(iI4=BZ@fu1SZF3VE76uSSE zLLqJ1P5J18o$vR&BPVIU-S7W7(afvSXf((3JnwV-p6AixV%$BGsx*swKzL!S<&YwO z)KX;=aw{=7hg$DqQ9`Fja^9TN?(P5(F4Vz%5=H?NMvCm{U||spkHz011dUjne~U{W zhrmF-0c@F*`$qr_2Q(caGIL8E#m&UT2nR)qmc2dXcyV)RI!gG!WIKrv(w$Scp|hqr(FL;Ifo%k~dLr`$O8!qiWut_9L~CY$}!Jqx!zI`y5Y{rgZMlg(n6 zfAe14JMzYtz^h3#MA$?3?ubyqt+>CxQLWq*x-oiV?2f`{q}o_ADy7m8{Qgv0h^yuHcwrzt2)JNc^0&iFY|Q2-J1!Ku*~vju&s@G?#?}%ezwD~F!M-<7)k~!S7(qqWXOdvt?4jIuI?iPLX7w)ismxvZ2Qv?|uZdsJ zJl^qi$4j+8be!pMpb9dJh@JxIqO-r!U%NVUT~%&JY%|9E$*3#UCS(gy0ou9~dU`S% zOQkijoXup~MCOCpllc}(s7UR_hq-$#NGA;!*^o3W8O9|7uL{v`#p;LIXEaw=0ZGCl zVt|MzSUfz!xk?XK&K+zBsmD{|Ak+#mbwKH18tn1oJ%*mTh0~&i-voDN%2!jr(yc$(`rS4)$aWe~tW 
ziHIT32xgvU1a!?~g(aQ=&{+$?J09!kOrX?#N4nb0Iulq_+REKRI#W}-x)H!{fyv<* zhgTf-GAS+S!N5WJ40GRJU$cPe^dRO3OdJ@VI-oRbiVIT(pCklQSjdFSlmY*E6KYDi z?20i9Zld)5-jP@r_teIaoc$jMM`B{Z?jlPMuuh$n$u(2rUUqKirBaNnjr{+OtR)Ib z0$9T#>J&#YU5jeYjc(PEP-3|y4Nl-(m1e(x>DZ2c{3Z(xe{$pd7kFdVXP(`8C&F~M zA@n_U^Iwzsz&CE%ayU12`#r1d;^)|-pV+z+DVM_7nO_@Cm|6P72l%`a_I$pKUMMa~ znsONnLeW$jWP_sBjXE~-wBtQ}JrP6HxIVN#ygsr%YBo7cPN99G-*}_#M#qiLn_Z)c z(d1}#w6@)Hk8PV{oAWN$w$h`RWt2QpWW^(+1s7QoRzNtJ)49@Qs^|K z3l#BTTB5Cvusa1VSz1%7?x)@2t0;Qze%$@4+kim%wnNEpB}xiq-C&30&I)_F@`uV9 zh;`s%waW8&V-PB8r3PVdtbB*f1AcQJ4?Gh3bzNx_rsB<~DOqOoGc>naoY2wb!dDxUQ!+trS1l&ea{b*qu0u^DOEIxO983%Q!c znycB37pVfPqnfwT=nRKDMX@uH@OAbX;?_>Mr~bHqq|@NTtni1uBWEL0=Y^!Eo!jK1 z)WLqpI&LMNf-%fe+TEQHbw0`GGL)wc4;6<5B8?~OS@*5Wuf4Z);hW#RZ}A_#GozmT zek2@6@IJEYz{r-*^!DeczIOkT*Zyhb*1ljQB}1JkZQFIl)=MtzUcBY%4}I>E2Vb?C z1`tO4=g)p-_^vfwSC4nfNc9Uko5}bGXQ5;=d6JL|Kf!!e9 z5WgW|sip=}gQ+i>z8HPf^!2DDvUma_TS>LS%6FyGQYa0Wi{i4R4vQ0-7amJN3pxip zE+{KQD9;Yav{=w07Au#zRxVzxT;^Kaf`McyK?;MDz9A%(#QMapgfa1iSP%kd-bR8y z9GU?xivu|NK6L|(fAX%J#yrw^Tohu5H zaA`5+M|v7QwC00iBB5B4AvgyPj3h;e;^vZ1nV!VSKfnQxh&WJKf_tIQGv3Hz!!z_6 zzv{}_yvb{pJq_i!I{7`)l>c#kp}t7UDW)Y;&n(OI_r7;}S}Qi%o!*hl0eEGC?aXVY zJ$M2Y_AOnrtHEq&uhwh0u6=5TueD`?SiNBGH!m^Y>M~~2*?d>JD?c|qH~(;6D(0Jc zaj15q?RM9L`KR;m=FBslx+5%^jD}Nf?c5#ah2uGuhEb0BRm{Q*)(#u%kNfEkWAHln zg7E=aQAM(}6sy&u*_#%m%Bq$cdOVSj4COW8_u?*TiuAV+;zmdJhA1LKI zAU=sdOk>jc2mBVXm(}u*^E<#JKCMI7vYPRQ%bf& zDA=$dI+#gQD@Pt6ZULOZCK3?Q14fkH2?0lba@A z{^_s3`rs#4|5@~Gxj36`WHwLk8T{$yMK>OJNzB5#L_F(3Wa8Vzvtln%%zoKrPKr9l zY=3|y6a@4C$ahQ!%||3S4<0dpLwd~rNWk=vH0~Pr zJQx^HnXdD12;OMCRUS*3)&y1thf*IjUniN?N~xyN&~Xqnb}Jv8aHcb=2jwVCQ5o5ltRGvrTgcB(rLfBzUJf!;W%G%Xfy6N>Rm2fak|m&Kka0*l@}?T5Z!gF;ic|UQlrgV_7hWi~U(r`V9~Q0JKi6b8 zEy+4kogaMfW5&;{@g>s$k6A03uIu0bjlq3mN4#N!d;yh4&-_~20xE49E+s0}>GPnK z^%ZkIlCk9OKpTyiwH7tnJfaO4N04f;IlzhaEV+iQW`~4Mb5==~Yv!ipafZB2J6=(e zj}~hk>oHoxg+HdffkBV8QC(zRZCqu2#A?o&OO~>&U@v$Jkz%yHknij zv28(gnR%78%CcHsWnUFpRa@41oq2;aV!JkSZS;ojn~gV{Zjuw$tm$7YZ=W1@tLH+d#=W<16Ne0eKtSt2GGu2EZH#z~xYPtJXQz 
zIo@d)>|EbD+&RkMyw-WD)6)5d<+s*LZP5b}+Y_RSWRd^UY?^(@ejKH{9_gQPSiF9p z&Wx0J6;@7!6x4GfQ>`>flfQ1A@s+~4lk%`Qcb*$qT3a~3{?811KF$;6v1VHE51vEf z<7pnoY(g#uOen;}z5+642NJYUYgi;h9@_xlflMCBLuP&`j+}#AOsvm4oQu5x3F!aM+t_05bVJ(GxG3Q(P2E#~)9F}d>O&oN z-`pAOolv8%%xu3dsIYy#;jp(TDw)1|2QxCU91r9!0MqB{>AT*0(s0%Le{a0{W5FE4 zcD1(j$0j9l+vc@hIj_TG0S=>9?A|(=6yLg|7K9rqOY_yEQ`d{bu+JnxuP+wTs6dI; zU^L|nBH%qafqASb(_|nr&>DQzPpdI4-P<7l->6~CU>q}y8^m1(X4qyj?`G)oGAxQ> z7)}?4*xS!hAq4Is-Qi341w3?Kr3ud+Ap)uz$EOB*K+!!6dix*tk1&r2NZBdGF%{fl z1cPW^N7Xn#UgGf70(N-nSFCO7dLS$Q!fQe-p1Mv%7#LUbFxQqdnst{|9JVrCi&@G6 z(r7~UT7zc*rV=g)&h*`8-Y%}cK`SkR%Q2~@QPY^oIA$6*iMve9w5vvcu zKqt!>rQz_3Q~HJA+%HzB;?%nHE~b^#Liw^V=}#et+#>+DkBb5ReEMR%xR3^3i*Y3j za3#Mo-SF62)=y~rIV|r@dGMxXyGbhni`f=1jyufhZIf<{S13cnApiwZ|AC)Ru zi_Jz}C{p*bf*pPIPH8reM_k?=pk46(S6nT{;I!r^)v%lI+ufA-T7riV_foauD}aV+5A`%QEFUqZKgI;#AT0C*@TV; z?%QF*Jk4#iRVF%E$8c8YMt)SijvN0zo`89I_md25b>U~iFFKn-HklpEj%STp_Ec6J z%d)IOJ7u2~XM-X9;N4^s)n=~I647e2Q_`GG6+XK$34m;NN@A1%IQzocALhXsFzDtI z<<^v--xIgOZfgl<;Eq6Xrza6dKe=h()F^2Cp|0>*jXJt5DFO+ zcKGVvI51+j*Aj}JeIwP1hb@l%BQ=|G=3$FQM9lDJ-s@n z+3XKaS2Q9|12Pgh){fA3e%-T&@90@K;{3nM^jxt1_C)a~Z?C*;Ae$4bxoma!&f6}Y z5%b7FmtyzN9KE`;pM9}BIA=xQlDj_S4u9hM*`0H4S&`X(bz57xztUCjSTSBqUR1h! 
z>PL6Z@JWuDeP5V!KU+65Tpn&NK!pVH%zMZ+J%S9g0I<*RoRb}U5|Emw0h@u5YVx5B z0}t_qzyhyx_yz{=bEp#^kfgxiG~&hB-);|~VybBMlB((UA@xsO?(+-LtksrU4YP>Q zO#`o#Kts@qIH$i-noynt+mo#0^<1-Ub)&yf{&tCC}1Gaob`kbalMJUH92u1C$?WVqRQ zk71kf>xOSyr1=u-xA^joS>A+iPAG^h^JqYT>2~%^I+HYm3}Y^N++;AlWk=KUP{wXo z97B##$GF2dhQ)3NirXj-)ltK6!g1UoIUqj{&1^V^v(GHnR@; zFkY)yNB8*!5y0T!{t;LsQ4R~WPSY#Mlo2e8Dx7f7GS7^a@~C3uo(_(XqlL}5`@z5a z`9IwE&7p@^xYSUr-O0Qi-5+YM{rkV)&}bCIcaHq=pHF{&tiRuI;L8glN_up%F!}FY z-9LPK_ft_HG?96rvqhMrQeqoX*2`^xijlv9O7oe<9LTz?(r{`N0R-H(12jFQ z5QKbTzZYH*41Ro&=B;?A0TT%(iPE}(qbE5r9iv>VJsytK{z!XAT}aat4mwtv#F%%P z@iJJy%cND&RWa!r)6J$aVJx*j`mB0feNFg{$=Zvag)2hKW9!qyq2bugq0O;RdOqzP zcaMj@jzG)f>3!(D_yg$&;WsTOV!u;QvyfR_j}4YV_y8cT^nN`Zw<0I<>2ID#Y7n2S>>N9yYMt8kqEAdt06xV)DTSD=;F=V{_1 zZKgtq&T#VNCU}iEZ9d^?v7vlf{Hpjz;)eU< zkoucegMa$^`p}OPp%4xqV&7wC%|x*%4H&6T^3d$4|Q2sg3@zT znIO4Hde5{#ywrnlAwAw;ps&V8<4lVWBNU&s;V`xUmx=+vP|eG6h5*W$m#cszVkwe* zRMl#w$oJtFhaQ*aYK65ZK7}{n6_UqCger{v`Sa^lJWlN* zBrOhC?=aqB`lNBJ`gnDsDrwcRswh+g?f%ko({jtQ(ibE&6lH3)SDr7gkiTSnqiB)(=dmi_#$CCjW_P8w`U!IrY4GQ~BT$3Gkx3p^e$B;hj>18)_F%sAJ5g-V^) zhfqIcc4hX~7BXe&$;r)>kWGKk>8a)v30#FsTp;eL#2Xj9kzC1W$!BwxqAHY(SQMnJ z%Gyn3E^5hHNqHAw2hI)1zo5d=5Vi+=Legf1-||gP;pM{?(>V&~rBG44hHC{LXaKFy zGl^Tm+;{Z`P3eZ4;uS4g7k@B&Y|$59d-wad4npikN)G1kaHRs#4%^hJih1T$)m3xX z?jBit&AbcVd-hp2f9W^=o=e~NUis?$m^;1cN9?6Jqs_raNxK=F8eE^{6>)UFE$3#o*V3)f8lyrIW7LD!Rr~8hApGGy6x8QNk4R*k}!Wtj=MyI zmH5dFep=LHohQz>4knk0%dA(T7w&fN_V5GVuUWq)AGRE@?v{Tb{#Ja=ep>cfj-&0l zbX*cQ(VFfZh4y#Dsjfh;q75-L#^j|0g5^yLV_l54&ouAqQ zxJGf0FOM>!0qLifKq1<61=z;G*1!&Uj8FS~V+55Rw}>_1dSA5|6aaj2C6?WQQJXD~ zIsHaqJJFS)ta)lq$^|wEPQ|G@4X2#UNoQiky>!k_%x>vSFkhBVZX$(g6IB`mz85il zJR>kNcyco)5V8|C`e7$f^#zK8ZrY5A3vovz*&|D0_Nx760f@OxtGTNJU(&6KBZ7oq zv!$DMt)uC{3sIMey#;dk(u!os-l+aAs(;pcC+qKI{WB|nr#Y=nKL7z?)!lU9#r;iW z;hgjx|-LlhbMWBY0Qw2 zApsP~!R(0X(fl&ouwmPpyE~HpAAjlLxBhtW!RIEou}4ix_^O`E?i6SI^u`;ny2ZEs z*Npw*EhhcsvHn$=KJDY=CmIA^_cqg~gpxSxJgJcF;PYXJM*4jR_a#ITxpA7A#aUz) znk1PA&**oWhZx)Gp)D;)k(s7HE9N}elF25}M;CD0!z{YjW2TJylM~9sz%gJo^hpm> 
z-h^^gd5-=;eZxI!O?yXB$&FPbwrlBGx>Ci8M;CeCHt65yxtl4j#v%(vsT zUgj2o)7eqhnVM!+%yanpW0>K%XGOd4KJ@|r13AMS!yNm9@ZE;H?WPBftlF_PHEtf4 zc3O5?zoLA_y}QGzm?7WRx34dWF^hA5!t&WRwm*StA{H%~PV7uPjq(ESOg6|$LooPj z?M08r5wKYk^p*KJH}18ta{-&I#vnr`Z`UKY=2)D5yf9%XQ>;E5WiSzY+OcXJYmGx)YR8 z3}^IAl;9hfgf$N-%jY*wHt!4MP!%H^D8z)kFB9V)Q^LWwkS-w5J;4mJKmb}vB;0t0 z$U>0bIyh2vo6jPyWFpZn#5eRrd64M&Kt`m+yHPYBadjS8*Q@z*RSrh3zuV8g9?M>M z+2kw5!bRb|dsiLUbls}{dLr1pD4EPvwAkB*C6iwtYb$3mg*jJ>YZlDh{@t7Abo3<} zsSkO*o!7j0(E>~f7fj7F{1TSM4D|F^ZI~qb)jr_~41F>8K#u`QfNRB@+iylomUeT+ zeCd6vaiDi_?Z)1la-(Z^pgz`}!Mj2`8lSxI&bd1l-!u66;O9dR3?4QfG3^iT5B;eA zqs0?zkFR}g?WwiVi0bcF8or+7TGJzzMLh#iAzgkk$Odk3UU*jt& z?5l;w7qLZDgLM&V2n{SM6U!~)$ra3^c{f_vR#d)&y^VNq!~6iR*wU%l!;9o# z;{{{ENqgcW9ea$y?==tU%!QlOwY9a{+FiKkrnU6dn9W{a>)i2$d2Al{c+Kln1I!f| z4Lpy@R&nz)p%tfS)7K3QuX?2L{*x^3H|~sL+lo(TV|CGq|PUc%83tRIE>P zPX-MR(KQ;bTeJ2Fc8ic=@}BMR0_!nv*hZTt!B^`xoh)rWp_Df1873t?U4N5uf~Rmn zlC>rw6se(<69v5rPE(fWW`(|tsR^^v{^wJ#rbNt3K;%GK1dMI}^VwIk*s_@zmK+q2 zRMSa*dhsL#)o)w8vVU%-5sL>y3@(ta&hE~7r@=fcH<+tr+jA?j%VI1x1C>n{HsH!gv*MTsKVUfZ1j-9SyG&yPH%c~7W_<~p>i~pS|g!B#n#}e5`G%0e_e8|7^d zjGz^Sc_ts3rAx{#2%B!*#l~w(MU-Rfub7Vd@DRc@hKDDbkx#>%PPa@*?p7n08!t6L z-VVx4r>r#Ip`nMJtp~sp=g8CJ1=wP zK;{a8%#{YYspejin$G3e;)ZRr$T zrD%;|L6<0$4kH@gMqc`i;uh6Dt-T@l4Z|96WnH<9&vbnGN*~_l?pf zt&gdeP%(iBJqnYzbrci%MQw61p)5+LiizA|gHx-d8~MttdZIChsrep(UnMj@w_B0J zp^SB0X1itPl1Js8^7FD0(cz~wplwo_O0r|9W4L3q!#LJ4-XZSpV3Zs`(Q&-P*fHGu zb=bzOx@FLpp;vE)-VCjQm>$=H93R~uNjIOX4!%gtgn(l-7c+%pfPzG%I4KVh5qgzA z4%kNQmo!{FU)cyZj|?TkD7mr)gPU9-dq><{b3lC^r03K~YakUtcZgHsmp_F}WAG+H zdq}mFxP6SRaFtJQgqM;n-S~-F7mr50PPwK{UFg@kWJ7XJt@HXt{^q=?{tME+kSiJS zSDnmb`t;W1cMhj+hOpt zgTy6PRM~CKLKyr9--~#1nmJ!Qz43Z$G||4<0Y^SJIgl?m2*srFX=e@7cYimhz7G}=>sj?+iPB~ zkrQ#3S)?Bo;EHLJymWc*Xs8cjUXB_KX$R*Xhe%A~;M_x3rgIMl?{My+Eu4Eop-lQb zj^V>&IQLhM4IBgUaVmp<1vd70h7D&%Gvk?EnNt~)nic{)v!-Uxu0*X;A`&Y&na}iT`e0^z`;4j7q`IOBa*xbh&OY$@ zvKn?}MiKeBYHA+aVcG%OF0xbSXj`)tyxi>bCg~}k-cLfG4~X0`(8&{nmo%?V#X1Mb 
zWF?~V$eAhr6%5|y6pg{ZbBe~`B@`3{;U@)iF;7%&FJJ={zhWTzGX>7jW8?=_UOc7? zf5_8m@-00Fr^~@FN0>RxO7uJidK-??UWin!G*lWdJ?eZkzN=(b@n)=KP_X5A$q=y= z^6IR7qA({+mtgwl{m9qCkBA44V4mb1fT+) zwz)HvcpVg;NhZft=297TGB~9gRFw`65AdI1BVz}3Z+q#VQ$!g&jfMp3SuiDUUv(NZ z0yPnH-oSwFY2R%=7TwRO^5o{#Xl6CDRW039YPFr((poUV8_=1Rs`!imTaPcqOg zHcUO65U|{jwp>M&F77-C$6XP<;y5rtAS%?pnL56BWnRxg9y2@tXiBfkP*IpWY0Sx}vkZF#KLlDX zJPBmgs$8F>Ghg=W3AM!ky+}YeG%gt~zvR+y5 zUY{IMHo7+^9}=x^B~B*AG3&>j&l#R`y(zxwI_ds{$1>m^2n{6r)Pd$a*Jk-9m!&GU zD{5BFRhx*~D3V`U&MsA!sm8RjlC5;TuKZasEp#tPK4X1G{{LiC&>B#Z@nmwYc#+F& zbGy8bh&}E~IFshf49gKYTdgc}FY}tisGOHbUM3n_L8598<~~q8Qw(w*W$}bN&?Mq^ z2vyk}&fD$y>6UiIU9BnH{nxo(g~2I4Ghpyvd}gRrnteo|kdx4>c=(p|sbiSZxJpF< zTuflva>d0&)a3Un;bbHcu0U1Fx5=V4A(N(*Pxs`jvl@w>IYL#iK}KcNq)%m{nuKmz zW1Ao#S^q?Z}QL4MB%y3EjS#~D)ih~1#IJkRhBGxnhdYF2Er@2D9aTn{-%vq?xss$LA=vD z#MLMEpn3w$T+<}0gXU~ZQ4M+AH@i&q5A9AiXCnbazJPc8M#6cT%Xs}nc!r1(Na(o9 z+Cs=f$Gu9Dms?|`>p|qy^Y9$$)f5R1alVo__~s(JC6!~JzVt)0-g@iGwpu29;neJ0 zv@rGCaAoOKWnS8Eb2-(BzunCg)2H9x^uipE-R_Gc;v`mP{9@|gZckO6awfz4-e5Po zX6pFrz7We~+_qrq62nD1=SSV?QD{{cK-+UcM)~!806ji^LK0t;~)uL0khlD z#z|*0-DDZyu|ASUhsJ{w!BeQzjt9SQU|yZpT7Pp!odx$gHuMYynHC%h4x<9dcyJeX zln1AJzSqZH84<#IFq4B z0kua>pMG!FioQ5kgbdn4^9iMZr;eG)T!a5`rO|TU%oJSBE$G$U>m79Shwfg!1c?^< z9D>2`_=BY_nv0%(t;F{#b@tAi-U|bLFWRD|Xs>y*=Fj5$&Eh09i<8i-B}m>EmoJ(A z9tQfHg@Jwm4E{^Q+=HEDI?R$1|9Xjkz0`|`jdUAKM!mei5Z=F_@f@Ds7#$ezVc65R zdl3(&B^{&J&5z;c$8bY`c|$*jTBCjN{u%ukYC9bR?_btzbPS3q^Y`zAdT|^z5UzI3 zT|i<$oxg0kM*CEkv%%#Xmv2R9l@;dsouO>m2H2lTNB^LDF2$Kk$COD-lM@ruwmxk8 zmXS|p{`9cL1YiYl0!0l=h!c=4b2dz%&BWnxbem+7mMvc)g*xZEIWM?X9uike+^{e4 zZKd8>{M{`6Zq^c9*YEi3qpGWLpWfwj6CV)MVDKmYX>ac;JcHkJPQpOvEezh}pDtOl zdR2?15P`xe(o(^h^A|1#^BA{q;2Bg-LQ3y;EMB(iX~1IM5a!}l#jAGajRTPo@`OSZ zRmLB%$+5b0eDxm!hA{}w)#O1y0C*f3?-sR~K#`C4_qX*H6P*}nwzeh3#Qa5V?jlM= z8=U*orD6ggL&yH~tYTsw2HJ(`<@u$vmL-3C#~(yL+NHy*Rv#AEU>@9x8s8gujcbNINi!&$D|B1UCra{9L znkV@DOq5NfNs+5jxVh8)*Kl`Reuy@d+;e2pxr{vpAfcCm&x#xnZncf+xplpohS2S)|B8vY0 zc~hNBnl@9aJlNB?tRvjHcxuK#SA;9vc^C7Q#J4xNa_t+|-?Dh|^8P!fZeF1V;JXMa 
zY4;HO(oty7Dad#C(sdZL+3bjEUa#TU!EVh;IdhX?V0LH>0c zc#WJEDl6FF@{b(<;_^2;Bb zfetUm;P+aNq(nf7a}gBh2a5AU#Eaa|SmY{vaavW!fRsg^GN+41Z22!urlS;vn3w^r zLksET_GD+5gUWj=c(vgL&!c9|xH4T*q^#o)QMsGkj0#5~{*|v000g2hE`Lbg9OaAi zW0Kkx)c{SsdQ7B~kNF97>c@9wD6!qV+`{FHh07XCfWvSCd{Y3xBEWP4z&FMDo^ie* z&OeOv3#IS#0sRmLe*$s}gJPrJ5;Fh4ZbxXz{SEjXEe(S8;qb@C@ zjWN92-7xQN9B+ub8*CUGCK`sgB~VPDa1*&8i^W7{QJbZha4t&6i;1-Eg6zz<&#EOl z=fs3`S2w?-nRFWITXHavk;W}-H+k|$QN!zbi_toA7*kCqh!-imtp;@6RGR^!jh*1!gvI1pTDNSRwe+Jm+nmI@zImN+LB@2>J^9Sy6*KRcx^-nT%pH)fLH5xt zn?5lWUl)jjH|K9)%N|}3AqNe-k8=r|3(j;2ak1k(-6RG@lvvQt@n$W1R3T`;Jz^wo zqYr7Id1<4O?`8}F{jX%9byDn`&$un;;5oRBl|HBaBJ|}bQDMaB<235CqudX4NT?TB z;^5FXXlMjH+MeXF89wC^<6zF?KSDT}xt=jUdn9l$@GSe0^=SMTR|Uu($_(2t~B7k+bHU+vQV*IE$z( zV8tjTVdQlvDvKJh@Y{l_5H?{!GDUX*(g?*(fNKYJf=+=*(cCwQH<@pfZ*$(}xg~H@ z=%$zjS@C*4yfvn{n^C-g%Q>~jriaofHZLF=4;ZB&Sy0{=C2=e*xCl*Pz?LJ}4z~_( zq>QRK6wU%zgh#VP;rPdHxcT|5&);^+qP}nwsqP*ZTH{zzTZ3ZO-#hh zj=f@6W>sabs+G@%@^;b{H!qc`}!qlm^lEn#~~#i>z+*-S^bUD9fxiUAe2i% zreoM>D#G)V#U1KLGj>`%Zo>6kn!2-k<6M5@-V5$u>IX}^o z!$%!`KVO0Fxb<*ULM;$PznMWG5J-l@xK)JR(HTu?@!%Tf8+-zxtAyWXfy*rPsYjTf z9NcoNdUUSc9OxOUZRj`8T1oHBDwnDZ-1B&3mqX)gr#7b`;YeU8yhFn2vM-|HfBtOg z0-lpse5djJ>eH7s&2La!zh>J}He;RuW=2b0O{sO)*Z&GXQhTmG>ZE~}w%7VHa$Pd3 zI@i<1FUM}iga|1RFCK+{r1O!_M3>Uzqdipq^%~3|{*VL(W(<0yaw;QIbkAYCAJjNWCvY@Zq%G|({#El}x{6MuFXuz}So~C*ga_-xdpEttpBw|y1I^^$ z{@`}jt<<^kH~vx_in~ky!Ec^@o>2GL)D|F&w8&?Y909f+Nm7_g$;3tTjHUxl+RU7V ziX>6)u1#I>+bHYzU|Hoe2Qve-E~q#4YB|A~w$H|Q*EhUH&P+Z2*ZPqq3cV_;;2qL1 z@hI5A7k;;9ozT+KG*0iqfVNkY9pV& zjqT<7-H}Ze0Qj3VO!UA;?|1HUGYKZ!B3_}x2O>dV9^IeT&CQtBabmihv~y*{lWI74ICtsZg+h{H6W0Iko|KDYZ| zlSMv0!uW{6-elR6=rL*NE{ohmqX-~=b(v)V-Ha!MU|wD(b!%r)boL#fu)MPI<(5uB zIdc2Ud&UDK)Gp!|L$JBA&8KQOGKUfJjnY=7UYMQ=GU?u(PIzcpL$ayaxhGafUf#gy zs)Guu8c50$Xo8r?r9(1Gw|`w?yFNWuxR(TRIXmu3Ae!^I5tM|i2&5jC)UZ6?9jK6& zs3}3WHXrP<3mY0_7j(Ytlb)-hfJ-e7be*;G+Uhq?ir?PsF36jxclP|kZKXFViY}LY z+#F(xd~QpA&vcKC_q{%AmU_?Y>^n?df<`wkJUj)`mhG`z18r1f#$-5{j(pG?RKgX# 
znk%mSYA2_>J(h=@8VQ5v2V&~slG(1H#uO{#;^@f->RwN`z`#-Mia6cIMJl}$07@|T4fXBIWElcmY@Uk|s09n41UztZ>g3@Ktm>x%2 zZ_fO_ab~tAiQ1mA1so|SLel0Y>0vOKH&XTzZ1IY0KFK!qm}D(p@TjF(N!{DmA= zXsv7O==?fDBa5Z!Fi@41e)goZlS33xxu7;yXjU6s<*mc@wzL*oA?7aQf`gK%wxAh@ zE)q{(w2^gki~#0UZFBVyPl+#;aU5v@GIDUcaNBs>O#Rug#A=fu$p7Hw_r1lj#nbKr zy_uh)-}Z~w+v8NGX{LEzSIx(M4DAuFO<3C?!!f=v`CR?lQw%ODxaw@eyuuJp;v~P# zyW$2CGl&nKOEDCB;SqQh{1|-sbLq|O8V{*>epeaKT6fQT$^q?>cUEi({*B+@t=E)Z zlM7jJ=@5u?0~HZ&n5JdzEsE5;D2ux{1)?8SMmPzv%06<667O@WzMuNoXt8Gr9t^z)?H)jrC@7~ugoz63l(f5|sSEBT))u5!Ey zm$b%IXY~wU}Y5nvEJfcIL2I!ifMPtQ7VFt^DyjiQqdH z<~3;UEzrVsMKSwxFH)r-QxUOAL%QuilpdLav4&&7Rc;WW2ujVT87C^qTDg^ zbr#*UYN3Kc#-LXjFgX`Tb3zxvl|llv7XCUV=brNn^%!YPsS|#;&khu8`&T2s=Xr@K zF{S@pywq@y)6rHke%hO=_^5E}GtHG7HD2fb-*WsN|IdP$9-(@s?+X95I{~4Xy4T#d z2h!=EbJ(8Q)$QJt=8j+l?_Os<6tgTpau86VPb7P6bng3-egiWS(6z3&Gf!MUGbN_N zcl$&<$Qhq9a7<5Q!N{E%aMeyLxqR7-J2YfYv%j%=? zcIMTlj{yD)z6Bqg`^1mSf#XL^a~0Kig;+!h$F;J#%Ke2Cq&|W_QTWirj}n7{LF=Q~ zH21KoWo})TPnNR2la~m`6RU!}@Wgi-`K3~)$kGz^cKjs8+JpVu?li`PC4;GlkRJP< z$!flPlY5`{+IQOe32w9pa;U~`sjnp8|6(o@rN+%AT3Ejb8K7|=mrqE0!9aP>t6+!u zS5@+~Nfk~M(-<2`d)!Xg77+C8gRL{g+Jzv9mha=VPi&~^wSKd-tFCfor&yYQmKSAqDLey^y3*#z!)zDxUkhuPZVlOd>@UahhS@m$&LjtX> zj2zQ}COK10o>wrY(`?I_Orw)>BocyRI0P6mqG$oVoM74t?A&w5ad_{Hya>XczfWMS zZHtS@?=WZ@WSc{>B>egmAB8uxym$x%QGOSdr<5a>6&%VFAw`Wf(H_)mI8l`Gwu&6pynA;${+xr1{g~wrq53tfJ9ivqLEMe zaV35=ci+)yeI$Ed1|0{jpfvgmm*AR>C1Y}LDV;N&fRw^nL5nT^{?d+Br?E~`!qXut zw@$WcLz!c9ilP88JS?^@w-m@ykdID~lH&lPcSGnBi9TAlcEyU|SwRZ~>Uo?qzX(5j z9s!^^;0Bnj^np(ZC)W@>oi3(z?vQISbrjQ1#JHpoN#&>_K@de+j7!v-i82mTo8)Ez zB35YQ3}k944sY^vuybDjS#p#GZ?!{)4q#c5LWT&rQ5w~2=sr~u3fcWk`L6qx&*)Zh z=0yDtsLjfG;6fN0`zi(>`)e(?C(}N&F?#ja5{9>dntGBcIX)Klxh9bm`tx0evfbRB z z5=WY_VMe2sh3dgCvG?OZZXzTP2Dj>o5njVM41yn_nb{p2aqX z>kVH8R27^f2XA4A)wP)AwGLVYwt$4~S!Z0@YN;f#3`WX3;V6o?du9w`A@UrD%eub9 zSggzNQO{v_0YIR}kpW-dDGdu&d>lSHxue{88HWyw73aqtC%HF{8ow5N>+8d4*_1tK zRlG0Mmy<^-ivxuebxz*4+sMhTmP{2C(qA`q*qnl%%T0NIKZ7aDs|o@GH@wVdF5kX 
zOmKY}7p2@wU|O=}K;gBaVOxOQF=TG9cWG(rx6g2Cc{0D7?QdUpf^uKgt#0nUe==lL zl~N@igywi)bbBmF4O5&Pv^&+LYvcKlyhxnJXAP%ZO+OrihmhKoH_b8eGt>7r)irt4 zvXn%%f75x}@9!LF90?vdH#t8^9!We&?4M1*H}cbb5WPnZ{FPE-z>HV6h0$tM+RRWITDA#s-A_Di zW=a<5pOnX)Uv{Pb7*(0GF)=j#u^_et%QuYR= zAF>6sdzhwG&s1LWtsB|U!s*3nvM%mjswD8NxnsDj08iF6R76JcV>RD&5b z3#6MBK*%;C-KES~{#Fvjmf1{hnvYp_xX|5XY zZ(7IwL&9Heb=cS9DyblPd#!O2V;Y?7i`GwBI29*RxIl2~!y%V9w^T;>VBjG!!P@9D z5bFwzDm`<=>@1S@_fyI1aHDW1aL+AUEpL%6=)dSs^siewsKRU4ncM(0ZEM{n>%Stb zWn=4^46qcywtU+Ig&OrP^ewPez_#y^pq-_mA}_SQBW@!u6~1K`)Hc;jE4{4^tZ(lZ z@ZQHJLeXv;$L$q1!Q&N2uGq zB-o%(J3>WB@$A*8K9dSYK?xXmakj=t_kw$htlvD~x}shjd-Uwb`ea;%>*I?YYIe%p z*&A|j1F3E;U@1lby?vxTAo%L7+>E`b-?%R&8eKS`32fX)b0da*o)NBJQoyX!WR%!w zB-6!KRxM1f0)2W`Y@c1-Hw`Jms-6to`LJ6aRh-0J{0voK#W4S#iS1lS zEh2NP?g@NA!oc7|+L5zQhI{T0?z0m9R<-O?2y&HXePGj)nb+m-x96RhR$DcU9N49D z?~0B$Q8eQMOjk9tm?t)f|jQin%E@f0kw3@ zqTS=?d{-%;u25BUHE`UQz8^1v+DGs39~@KHRcbh6s(s`;gxu9s@^~h90IheE);usAi2JBsxI}U{C+o#MwU0x zGFbl&YQecUn{uJsbuwBHI$lx$SK_^H_m>kNUFtO}XlF&<)pHpKMR2Y+D3iAAeA=ia z`r-)IDYLyNRt~ejVliRjGiPYKKAmsAR?wR=k?DC6pY7sbfUapIuKi#+)Jbjo;Nb+P z?O3uyup4jm!AXH_B1d5-W;{6-rmFQ;I24W#)%95m$+vqT5Z<%>z%IihmVbV2ksr`P zI^b*dz|OE2yg`{d+dO60;ltm+TsYOt0CC@hWsCx$p7Ge$2vBpj5uK zL&t2V7(5O`>E1jQmn8}-PSotS9)>$njKnS=b@d|UJ!F+cYg#op=S*{!LYV*#Y9*It z+mm58qU+iRKUh>L;y!k%`icVDCVs?E(ARC+$7P{w&#KYdr{He&cOi0Y$g!Lo@qN9% zXR6{Tut5XPeYICGPFQcs`F;WU$6Yo}#MwpzB9S(2e_RBaRw+SBR{kC zc^oyWTF^GZyAKb)dqw1@di`Gg#$4Vqh7>3G&iC#1^9*IHJGc&d%?{GXM~x`LKXQNMM&(Y}qr##WW(b@??44YmU?3rI-{&WYPaisJ81&A) zmOZveo2y=cm_dNSQcqdd5mVZ?heBlr!>5)mk2&ew3L~rCZC!rXWKaw;gXd47w~@cd zyLUl0>UxMPn!O?)f=pTHk}dji8vY!^;X7jRfC(e^OO~Z0Z5z{Nt`;K2 zAw1E=rSb~Ot`BuWvW_6wbJ5AGGkL=goC}r*pq(z8DTVoJvBxV`tg@^Qlmp_xtbfDz zc${?_jno*I>h=W4z`^LEcT9nj?El_?1Irrsiw~yGiH~qZWc&%6jlvhP&5p|rwa0ld zK0O$`KaY0CgoW(l@)|R1eE%%KjdACozcNGA&G!%6=pb==Oh~F*vAXRjTqF_(H_<3N z+eykTrWkBlb!fl(OjU4s4uPL~5Q_$F6ioAp)AiXt$TKqDFW)tTx!QMGEhxWyr!Sg3 zXKhQ@&(0vv63Yn|TSNFPg21P**8>Ky1>NL&JhqvU%Rks;ym4hr?ywtPODl*#pbt`m9W)8ls* 
zih!6UuxAXXyX_)RWvfs^R}y3fhCo|Df{Y!tiL|1$bt4YJgW@i~41%s^aWgR33Wvfr zM`-jK2j#YK8y>OME{W_Qe9 zD|6x_hZF02IrJ0t2=z+6IlC zwxBgPhKqH}F92IeFcL9Qoi3$nKrWNciOyo>IKw!ivLq!}YCY+>zGWV*0vWQ?dJ#alEAEL> z9>)O~ntP|#Pz_HHj?$8lmKl=QnjU50T25zG*jrbaL3Q~BW-p4ZN{Cf66w%BBqC9`c zFn}{>0UR^>p8no!aV|PJtzO#A_ZRvu=F>*iFZV##ujGgfE`o6g!GZ223PXz>Vxt8| zwF|Wsg5%i=ePU7r?1=j4xa)fqpX%5HsRvjq;G8lVrl*4M8V_R>woBfbm&6y@%?xH{xgvOPN0mb zowcGkuZ^LLsfg*n!~W^_Khy64sGB%#mnncE_RKR(vnV>02FM+c zpp-mEckY*tU1q%44oY_S(E;APMV9;yj>6XjD8D^ z_T{mbS#sC=s~7z_I5m@Z+&O=mxN=#eFaGqk(O=y)^NOcxU;ODQ<*R8G@A%4o@zgFb zCgx&$PVQ)rO)b7MvMN=cvbxE9yQ&^PSo&6nTJHYC(S=XTCQI8z?~}MJ8W{AvtcIm< z>!&R#jWS13tso$Mh6d^qcm2asm&lznw?r+Xh1yA-T_A=!mD|YgGu*5Y4;){?Ry1fh z3jk7$h6+aC0k=hkAct6!gd|U^ss`Ez=~g4f(OrnH2u6-#BGsu2;3<;g=$}y|H2`R7 zpwj$xv`wW*P?=|?9nY$vmy$1~)*qR~9;eE%4wuNfb$?z6(f}oP<{+uoKZ7+)2d4Uo zMXCv^`j}#ZdYYJ26@>nGyp7KPCd4kr?qxLkvWC(T^UB`fS>@S2>tK}MG#wq5;R~SU zX}kLWjiCQn_kS(m|Ax^20>Hn3kTbOX0oVU0a{e_Ib7umU|3FAc$lilMo0gT8gMgNq ziGzTN;m0T$8CY3$3FswV3~elp1?|jjOn-nxFX(J+`h!{yPDTRye-!^i&@wTy5zq@8 zI!KsWnp?O)v9U4zz}m&sR_&i28vo%Eu&}cKbaylV7i|PAOh1&Yp~ruye--|F^FPLH z%0$4%#PAPl|F`-7%lYr%|6~4)1WYU(3_k$=A2cv>FmkZ`|Kp*%%hN}Dc$uHaxz?pw zTK(PZLaHOdM!MxlbjN74XQzSNkpP5yXh>61h(IntU?2fu0F9!k7(vJa@_mIZ0;Zp^ zxXqN(*78q_JT$1(LPATDk;JAzZi>d2@5uy>=g!H!H-GMP?DGV(c?z?$Ik))?C-Z8m zeUA|g^&&%_{VW*G0=$05 zN5XP|2blPtDy*#@Z?gP5gkz0rF^VY9Xk_39E5(J5^ zZ5cGntu5c8GzlzrKf36|CW1>Gw20!{@DU!HmKBCHXD@3pmXiI2IumPjR=5V>7-F^; zTZhR#kL6O4c@8J_Wh!ETOz6D@APs$hNUP)-9LS13=d>Lom2EeyFp>>zFk zcPKf5iz^b?R&YBcxxx{Q9k({_eYn2t0Avkhr#CHaZv|o^ag}#Eqap@v2Oi9&y7<|O z9@)atveR*(HgFcMf_V&QlV2_%$+v^s+f~IM4i!ov?F$W9ti6W0NoZ2AscI`(UWkqpC%>bWQYLaS(R4kq z`5A4TS17KCzU>#FN8@Sy!=nZqO^ClCf0l>@4xaUS$ z4SMGpK@A3Y5Y2kpqBGDRqFwU~ALFlonLRgemPHle737zj66mO*!mjWsZ?MQ0aWLNi zi*IoGD}?erqSjwTG}`^qcxJdPmTx-DgIzN3Jv;%8UvM_lh9K)pw$sB>)-kuMcdG^@ zLxmXJ5la`Luxcv})=qGx5pJ-=w=L)|>|;P2aK9eO3df?wU%8iRE-{}#H3PpVFsCp& zDxsYNGg|67Jpy<8Z&bt&yj(#V_yv-Xu>F5&c{r`v)UL;@>j$5Ty|@qjq_=}91>7Kd 
zFhtY@8~rogJ*cJ~eMQkLLd(N#UY)GBXP$r2xHO-U>@2>_Hk$=yVbg9FFX!7))GYYeQJka4%~ZiebEEiL5uOmKA=0wfR|J++&^MR_gT^^ zotg@9JmL6c$m;ebOt@R+)5Tg7uUxoWvv+IOYqsg^S}&42JUpWtay*l#s6$p6EHIcZ z8E#d}ye`#JPEG3*&#f{_D=~m&&i^*mdv+O79F(uF_INjD6wiL9Qa+ zBBNy4{pIfc&#LY<;N*L7+GhO z7;$gImfC=N)nUhPD>WeG#B}We?SGm$5b&|m4b~bta$s(Ky7yrQ^@7Lz@he3Utu&H~ zLN?yV5I1^IiHaGP8)~z$VHt^Tk^i#;@&)*!$+0rQu9y&F@}f!uLSEQxU*=&C5R3Q) z_u~Dt>-6%?Y>QwiY*q7Lh2h@B7qRZzea;F<$RUPC6x+PHpP(N4c6a{qc#mOj9; zd2}=tjKr>jbj8pg)zKl>UW*G=7n7+SwU&9mD z9pCRAp}}!8u0xj5ap+H=$x+<}F7eiVyDOY!us4}H6%Y)%Kun+;`Ka*+?E~@hcg{I~ z-rKIq=e_D~Nt(%IujwRp!;$0qg5BY990pXj(r52aX#X%)V;6p77gi$=P9qOWBTn&6 zJVhLl6oJ*N^3vUV*-?AhQF+->O_{0XQUilkI=ZQ9asorW!|+rodWB#70j%~+Fs(m? zwjWwc7g`GsM$1DO?c#ty={Er;!A|X)w`%Wodz9#eMg()p31<{+H-R~EXd#X`JptNI znskd4ahD*d4#_I=CzPLnUu2N@U_qr-upwY32d0v>8`VNPxSd2 zcu|t7^tTYw)?xs0dk&iczq$vvZ)np3M}l)40_KLhlO#(FU%Ye*5KoTu2ml^+K$x>6 zWIedEH5Fh_wze~RU#pX~9MD!O^>&|LYiv@*#-E$QWK&2n{AZN=Mwb9+J{f> z$Q+DXe3mpHED2?62@FA!_985T3F*Aq$&xm1k*aMHZ>oug5glfVpMb1M^o9wsDdF$E8StoKFU ziIkT1K#49IZ(wouW;X(&>}0J{+{mla>IQ^*JI<9ZnhhFQRNV?%`V)GG$t$F@@hb(y z==oFUtmu-HiSClWT&*JMWxjN{QbC;;wtoI)%~~rk8&|T3rv;$n=0}+3g3PKWu~4e3 zxF<#+7NkyYXN&K#dS(sDOSt#gsFOR;T~^Q3PSMV|>Q0hQ4?4o>ik#1Iy%g=2Gatpe z_2^Goz2xK{f}Nvfauk$gik%@V%*X{0^FS&feBzDycwT}Fz2GL)R>o(Kj&nBSZ6&60 z=VfyeZDppX&%NnSxkb)!KV9tHTu9S9iLyQ)bUcHx(CNmlj^Hv}r%0XAU0(vSj_fe= zO%!(_vQ0?sV9ao{eZ?V)kJ$Za$M&MIdslYld9*itY-7~C7o%#vhp|~ z=zl@HDh;oD|L9Hit!U%d9t27p{&a3MJqb;H!rfSt3Ioh@l$N9x7Jgf(&6^jNxaL}diY27Y3&TJPHw%nt5~+@K^F#gJ z8|_vhk^Nyywa^MpFH?Z)kv{-%zF1)-L8YFTU&4E=Y8V)ZA8|*`(lNDXW8TP`>y6f(=_^0_kP*w`;Ts> z#*@!ejqIgv=33`5_5HH@G;isznX4=AB68f%>@;VvFwR88B_@oh2X~L5e6?hk4C0=P zpjm4O-=H+5PtC@y_~t&wiVBNb3v*2Z%M?@523x90cU@_l{N9 z{Tn8pRDC~Cys2^1R8+FiqxuJx)(rUINyMO7@H7bKuweRodh)86a`I%Vy@W}nY~L_1 zuMXdfjv$1?u=LC9^WLZ;r9PEi(ObC(Ez~F8iaL8Fp61@OSLIo9-j6b>qgcTK{(Py| z!noVfJvo61_`ikK#?|Cnuk$(eImms!?w8xhH+O}o#;D{}FQMgVb?T4GERU1BsO6J2 z2IG_!Pij}}MiM{H7?_~|UrP)Gp;43jYZUc7XeOe{WpdLps9u3dLISj&>qp^rKvoqQ 
zLlbpM>UHOuPv3tiiwc~ge5s1Ne@Se3R!|@GLQ;dJe*kYuwmsiFlg(PtlR5c)9zyOw zrr=VyQ4;HBT?W-X^RT$%Z)J|@z~rY|lp~T6q)(A{Ge}Mm z`WK)%#i=C1pTaot9%h0b`i+I&=U25R)+PeG93SeBKOU~S;Cf;e=jK68$=#n;jsGzr zJj?chyCEn_za)KDq-Lw~T#`5%cUK%VJv6)Hd8JJ!ksj;b04^&|%@U@|_KBe(?Jbf% z1x*w+VQWv)5x*vdPe31&^n%7+wjc+W#MKmJQ^s{&Q1UxDL@rW%FWFxoPbD8U$m>FB zn@xmoPcj=h6c-`9u|7T2f_Rrxirg(eBy>va683G1xgk*t&y!|ETaEkWL%G2bxfRjF zD_>gz?s;)Yd@2j9DcNGIsVgep9{wbIRX%Pz6!>L2x3GPPcqe>^^onhjDTw|z^>CBS z5WX)bgJ|1hk>YA%;D(uyrr8py&9GhG}2ot=5b6qk= zsMk->Pj;uzXF8Afp>@mkqwc9>ymEerMKeOeRyn_DkvcW7F{>mUc{>93gp)DGJMlYqCOKe=bg^-^4e4Gm)mPJN z41d1fq+anti|cuw>eu+=sFj*e#jn&?WDHj|dDOFh`+zFKO@wNdcuruQahR>fIi2lX+i~i1h*KXIDTZ-4H*BI<0==YL6k^TYxy2$fg z#ji50J_Q`#Mqhs<7fq}h+?-|)KNIccV=5aJL=K9gU5s3HW!&wK49^$7aXv z>#k!edlL^)j`x_U3|L?13n-E;A!)^LW=ee@q&hNpMDg=$7x?EAA7I2en9+yn$CsU* z+lsg3u7$5*><>+QvU?+TC%+@UW6dgCzAQ*K+e^z^1d*=9t z_X*-lqyxG-Gc6M9)ehYT_>tmB-G0%&*=BzG4*INpZF?QN>78ws0ZYt9K4!7^FSG9OO$@DsGZj(0b8)wzfX7OJL;Xx_l+7u zq!XJ~1GLyH*gx=nh1J^t<_oSh5kWRJf)!Wi()G^wuH$JHtM$qE&X`Vs4~YMRtT*c& zaLE?G`XrN;-AWI9bv?q3ZwmLsWlPZD1Gcd~DogzH5I+hO%rlrJ=LgKt#QFQuC{Qg zd4FR5QbnPrUbG#e=Xmb%`>xEPSMhe-Et2mHGMS$j$332|N3GjZqAYV>K{~<48w5K{)9sX~ivm!ty5Iha2p6x(JjiB@{nC458)?Ybz!+3Yl zP7x6;6yu(ZzJS>UNIug|Ab)>hU{ zuBoDsC!Lg%M*5qE6CGTv;Hb#3_w31Qm%3<(ZmSl#Zo+cv8iYnJk(A^<$qY8QK4hSl z7-v3RVc_V=iIn0`YRG^swh-0m*kGt;$JsD5pc2r2>~BB?Dsu!aLlvqmAua0JrVVHA zze5@(ewq;C3*lcaeGP9uy6g~(wNn^M3n5NKfpGm)eFbHHX3)mXZ9KWLz5PoU_2?mP ze2vn*hD|LgQCJK)h%C54&+`=Fu|_aJ;Hh|UbyN!@*gzL26~|IhZMx~Vt% zldC%@ar{@r9nF;vW$hRenM|n)%0hV$8MTX<>$&y7MZ+mQQQ8%ykuS$g`Vi_om!iPgH?Z_!YZ9EBn|@Xc~^$Sf~3>AQ7I%+H-P4KSX7I zFTQIY4SFtPn>U!AFSnT$o$_PDR`jQ@rWdguv= z-4IO8R8|+bYqZjO7ngXmW=BQ1o3CI4(6K-GIoS<9RHEULxdm~`bh`Qv*D7H4Le_T3O{Uu_bE2xwR!K?RLYKlgti0W%GQE>EtnT-M>94PUc<}H(1d14q=j!ur0i8 zARK~;o9^?~V&FD%^?5p>#RYqjLW~<`;x#!S4Ap(KMd~YVfD66bP)0whSmRt*_^kl* zlW%Syn8J!`R7sOa7_t!}iJImCr&Rs#FL4whx3YFDR>A1nU|ktmY68OOgk)kJLRpo+ zaHLDLN7^|l`OYE$3=Trtm z!K#A6WLiUr2FMHfgeGuX(+;c-%?{fe_{fNK6fE)1uSQB>Yn7g{CUGfqI$|r<=!u*# 
z;BC@~@_+S-?*Y*P==O4yE-nRqz*a#n9FQgJ85~XkQUJ{9&UGMo)YP#TvK`!5z|oQR zkc~odeBlTd87Q21iXh&oY5)ypQ5;7{!z%&kkjMb{9M@ET%>}b?)GP@!l`K|A^Wg>mHA_xSpd!OM&WL`V{P4bVzhe{L5d0uW6=5UESN7 zjR3!4@6vVD(3azp>c!^a?Q{RR-)B+RQ&!VPlhmhxE;vB7fYc=^&Xu!&Djj4Oyh<%s zu-r9-Tqt*sMC#X_=llClul(k3z@Ry!1L@znEiz40=<=-(GEH%8!NbhA6_rF!;ktpRmT`ScPNk?`di_UXD)PeWlYTb0(9&o3&bHS`VI4{0Pk>fOHg2 zS3iO77`$$)oyuEWq<$P`fIh+5KngJIKe&y#6(f~P(jXE}QX%cy@bZ{mWQH=y1;*$U z2pL36&U0s!xyVMdQp~!J8rJ_B-}NnjJt!@o=KTYl?Hj>fF(k#Ls3w`Die#E>6SW{a zRki>x!usRrGBvHIksWYpx`Yfsy7`u9 zPTxRL|+WJ;$aXvrO9jhykDUW!V(#e7(wpS1W#aT?Nu@{^IY_ z3d<7v?JS!p{rkuP>TZr6o@Db%jBd}-iE8%iD(gsaFXK@xxK7K+1eU+j9^SjA+u(Ib zC0GaBmG{fD_!IBP9HaCxwivFsqt=j;%fl`KDZFpe+G#IA%?cv?D5Y9vj>RJvGZN|8CdY)bNM-YC z%e>p%NTf!DU+yEg0ln9?>cO9`hqjIL;0?XhF%W&71UjV%eq9nOtNCl`v~_?o<9|Yku#yjq5v)E|(Fw>tX1{ zc!x`p3q@Ej7k)1lksWoTR)^g`J%jh8$DN)t7EBow^I*8(JhL7g@`zzPx%Cl#`0~3D&G_uk;QA_pyYHU12tU}G&|1!5Ug3ibP74R|O z1sd8R7g#iqS2my%-z_`L3(3{Ook6h`&^u)|QDi1rOnf(nHZEqnjW{menQ@z!A-SSRTNc<~yw&(8( z@vAv*xt-WeGsftR5e{bQcInFoO&x_I9{C2>FU88%wBKU(^=UH1F6Bf>=L2(@5X)z> zXcdIwXP6EK#NGV2d!unUnCrd zeFC#*Xs#hmfr@?`K{E|8+!=N?GL|){`Yr1=AvN5V)!i$!zg)$zh@Q0UR$HuV#$!*m zCk;2#4_C9-y=nNxDq|e=s-o;1>I~P^3!Bu-o1m5q9L{pv%(Sa{F?E=*Cnqk^;*kx*4bO+COm;g+N3V&S<5J|cO*hfW!0R)IK# zRHE2Q4-d0$(rC9Jo;Mgii*s;}Kx`C-ACO7&PQ4$&AG-Juko`T)lf>3BL_VDiVdQ>Y zWP?a!qsvE>*2j&2kJKyI4HvX|fJz6c*YSC@6nM0>ETJas7SWMy-C%)*hE^L9lp}ah zfl&S8Ox2`KILF5~2uV^%QpGY&7Sk+NRI^k8)KYOwgK8`P%4|-igyE~_?y}+PT2mh@ z0qpQJK#sme%nm(E4-$)El2h9=)^nh{f$_?Ojpi z{`%llewa0R2Yy%j>v6;L^8i@(8 zTIo6>f=ql9%Q4cU*r(AW@gwPoQ_(%vbZuZhZ7RNuMm$PQxqcq|FRHgJnAP6HFj(xi z?qxnB@oz7>L|Y>bGDOA!Q4=~PLv&rYP6}tIVCv?L|HIlnMoH4O{emyswrv|-U0t?q z+je!?t}NTOZQJTHx@_0f{k-Q{FV4)I`7j^%%7|DiBCjhmcf`)$Ut6^z`a45eb)SPb z`iIN1`$5>&xJ9X2vxrfV`ejl!8v5MuZ+_f739O0lP9|76nH^6&VR>(J2R?tk{TmcWCLs*FZ+Znda zs>SzMo<9g-;W{%7&vVPh#0DK`VldtVYDAq4r6Q}r9l^14L01Dvc=|4GJv;TQ^w4IIA{m(jM1PcNh{IZ(7CRxHCgy{O0wJ*G!l*b<8;fmILE3q{rub5q>k1vdS6j zMtERyue>ru?5J@lmUoSIBgA(-dhy3{1t+WOv;uw=yxP~X(_pHsS86vhV3B!>iNsf_ 
z(;P);J*e=kR}{2cO_T^uv|gSD$ix+|R)Yu$kwG)}k$Z+oIjgj}t9_J!^84XK5y;*v zx0T}HUX4tX2IdbdtvVlNcRb7ndyWD*9VB7db6v>FQqfb>N~B!(r!vc4w|3d)Y+Nlv z)wxSb4_YL6I0EU0H-vdm7Z&YZnr9XcrqtLzuISBB1Rz_`Z>%x>Ia{V!5wYwf2;DF_ zBuczleaGrzTijUM5>%htG-Y+?$)IU9`FcNU5KHylAKF^5Qzzm1-4y$z<0AW(u5shO z+7;7dYEw+MUB@Kocs||ZXQk0wnf89ZB?4VwbLUg5WpTBm$`J6B#q04i%z`scvt8&0 zOT;EBR%@aC;U#~)9nG#R5+_XO`+rBOI53NKw-610 zGN+_hR+pWU<3MC>Njd!unJK}oh3~#Hjf2Y!n0g=h~Jp<=1Y0I@6=-qtI2-p?P$fzCnlMdh}KQ6q?A$KAF2yz^ckf=QpIF zd^oS08QcB-y6~dM_pJC?wPlM5e_xDx)2bT5eSGl6SLLy_fO+MczC1hf>tnN?f`YgY zW5x$;J!#aoh$Np4tqFTzNSh4@3X?Z~PQMi(YNFJ-N|222itzLkq&XMuAh3#pGy`M@ zuI(ZyUKJaCKh9yXR0ATG^>qL_1se{-O!n7_yfIt9ib&FE{b-Ch2C~5`#_VZt@su=c zK#d|T>eniOxew7;Nnb=S51up8Z;gsMFYe7ezb&5|qc&YR!aX?HhQiKFiI2cdtDu`5 zoQEoC<{U)EANE1^Q^*UZq!noDdC`;oTaeGI*Q6JHtV3*? zU*$*L?$RFT2`&a~$=oUUZ~c2ks5H}>Ath_|eLW@T|=Mt8>M@GJXE9BgYiKgR0WH&=+C##aTvlgXT!GY%Oj+J16+q+m)x z1de<2ot`)TaUKUA5>Qs6R}~{d^(zAFcz7a8q#GiBNfKnwWf%y6YJ~)|<|Gxk@byR-NxS`uOwt&if)p z*wHDP_bEs+k4-J_Kg`z&|hECciX(WGrWhweIj0#MI&F4@CLT4~Dc;sT29baGxa{ zp18hngjtelpg~`TWk+Sl+!{7=@?ac}5J`F^iYRa+*TBWh3exCe=eP~g&}0D$uWLx+ z&Cx2=5M4!@R%OK%r5(rI42u7t#d2fBqO!1?nL06ABd@5+3I-1RG;P8*H>k(nza#m@ zp}@Xf$_#}PR)=qjm!KsiveD=Pw1>U01UTW)4?Z7es4YXqW}tQh-*oT;N&TZU#zqg_ zE9F5m-#D2np7`S$b~mp!4Gt}7P?1h5v5mTjlN0?V^HO!(w&tGo)bPVRDT)(0L=ys!TC-Q%V0L#E|I_xb^{?cqhoY{qxRNo}Vg zUuAsd!HY~_y6X5*#=GWmIP%Fa@q)TFIX~QgfnyG)XiUw;cP$xNw^s4DOe#vbH-}w$ ze+tUP`KdVIatQ-XN7MQ8L1J3`!5y~Q0%k(5^^i=;>RFLz_2<~x-rj5ilK@j9 zm2HG>(IgZ-F)(v4`1c&U$oe&C%D4eNEy6mTzM0Ha-XKTN75VhPz?HFuA5;~oV~iHx6AMeVgDdbU_tiSOxv>)G;53F%-g z5X#_*Lujrqshni6_w)u>CCr~IpcaRZjLE73}9@vqEZ>kVlw8_wh{K>Nlc z{({1SoQz}=k={vG>eV1x7^pEoJ1WDPY^5R0U zPqE_qy(ibIwt1b(!kpKWO{d#0Po1^SR!JCXr@{Th93P*P;q|7D7(VAuu^HFKVmkzg zpBUmW^m6ze#-_oU)lqcqh8OD@*{@_sPRS__2UAbY^p%?RwI6}_JGzgv5_6jb+0&*j z2&EfvX9$T`c*F`PiQPXa#vfly=i;Ho(Bn4Em6d{l#QbU&vI5wSVKF1;N{O|tBgf~j zKm%Cw3?(poRUBo5y3C<87ocQl6nuo#tsWu;a2_9CAD`Xz)RTye9wax4_!C4uvndQX zUbpRoYy$U6qz5r~e*~7mrjV9OU_Bs)a{-&GLH&r+PryuUUxgaiW2Wr$g(%ZXrZVnW 
z#)F-?lBCnRxX4sxX09TVs%&j~@U{b?Iaz73i{cV^^ABGFclf!V)_hIS9v>YB6;2Y0 z96q~8`fFHR8g`Jyh^1=j+{Gzh8n>%)tYiAE&~32d#yyYe`Qv zFp!4NeOtsD_S#?gKaxu1H}hE$q}Hl&9OlKQe#+ZO0WsWxRxQ#z1mfWD{HUniFIyEI zpP7oBfE0}4K_g}(jh#)UG($W|FV;pWuv{I8X+^pjMMgV}D*8!u)islPs8l?Vj*4Y7GFa(7Y`aMk2?NPgApVWukG_xz*oA#zganbFT zKic}`Oa3lTIZWS7SO2}Mp4*XmT;Y#^l?;72(%fvd-70CT+55DFx45v;ImNc#I`10s zi4)+t5b?}kDt)?d*4>_*nRl`c&9E}Hv$*H**_5`jd|=8h8JAKzyixYhkh)lC60`D< zxwv1?UbnL9QGNSy;bx^*`XO?0Wi?_YBiz*3jJ(0Pjpu?1|dnnprC@p9bG- z-;7Vy575_<`CLq&_`Uh8~1(ZOhTMuX@|8;y9b6^Ln>V1LZ%$Gl!>*#Sj%L~ z+>`%R?v+T+W$Tsj4)$z{TwMe}DoVwE>m1mHeP|X)xUC^LRU{*< zxWx8ODw-l275Iymji0B{#|GG{JLFL$&oSh8d1&kii-?&)(A4b?(hb=_v z6%N=rpjzWwsppbvL(Yi}5paLbS{L8I6O&+Q{9MEeUMaOeU|y3@*#%m4;wNbLSO5wb zkN`HIgmuWXH%Bq+1k@p$N(Zp1h*zmqJ%Y;=75CBB9-#0l>H4c^4NUpIrfffuHcnS0 zHB*9$gnx4x$2Ptn^SDo5Ridfn{#U4smuEVLo9o&rH)@OL+a0!jLvlL~yRRYjhM_a` zMUoXA$4k@g2E)ZM2ixyklE0$fj-02vGB~ER)pz8n2Uh#z7Y`(4kTS=lBu{=09Rczv zb>}7&a&`z3_18Ydp~u5@IvJ9f(ke4-IOYz9ICmzmOJTXjnR43NT;Qmpxrk5cacTF< z$CK)}>+|YCP1fq?Sai~sB&~hNW?m9qLrLao)O$RK6dd3ZvU;39DO5yh07N3z=%3;l zVP_#e2IzaJnx>-XW^kR<^oD0?7Vl8hw7K=1tjbNqN~JlnWBq#)#hr!jv~-%zxlAJg zt;6}zBPe}8kd-loN$_H=^2r-l&k>O$Rai*qV8c;xYJ+}~#P@AGw%hJ1=0w#Oci9FFc zjF&ynw(ShGgq{EJKDPojp|&t2M3#Fj9Sj$X5dvG zD%fKgoH4-Lo(D-^`Ys&r&MkJhZ$z)ynr9|Mt30uv)1^PFwQs|J7(uMtxzpXlJVm@y zeE5IHFJM13W=geBr!HeLBs60+V{wK)^7QP#$H3|(w;_aPr|LoDM{Yp7@Iu?s;|yex zA*__j$pe^lxT?ds>NsCy*UCQZx`QMz(~6ka^e?3qIFQ*tIUtgA`?C9pM}X5s!h8Fk zNB*EUlaz(gme0xTGP}33C1d~QjzMPzRAFZcF1v@8w-wjo3I`f$QknBEIXO0zhsD^T zq)F@`wA&hzBtP91z?sTyqp6)j&dY-0-ho8>_~H$7AR{UB*NEfSSo3)rPA%E_ew0|Amt={3TnYXFJz^RwMAvCdhbMoi^`tgQ-AYHZFIZ{2n}9Kw#AaFDep0|Y0cR^F7dD*Q~qaCh)33`$v5q$y*v;Tvm|keBcr zWjVl$Kp<~8ooi$=-nv}f+hRaW*3ofDbaNZ(O6kh}IE?kkX7KCYY#(r~$TBhm0X?q> zAtlqvwQU;7wRHjdu~qr#t6~Ry^W#sMk#bQsPA&FRc_aA>H)_;OU@*pH{(B9WkBHG{ zL>jIcT#ZiS<62XeRR;V~c}&K!Hr~_FLK=*n#g6wy=ZtR8AUd=a3IC4vrl#}eSa`;zy~LBC`$<`llbZqhHE1p~C-eeOk(~Xc3w$d_`*OS5TXVa!!~T9N z;w$PKW1HTso#wXlSK^mlq(euCy?g^eZ@?}}cg!w!yLZRysZGifiUXA*95@0_$b=Rx 
z5~%Tdlh#Bc*Uo_kQgUfblgB>wo6hK6Zj zhC=*^DI}1-IgFAsYZFXE9R35lg+TTT2?Z5(g?Vw3XtBRKvN3wUlOZ|qIy%j2j+yJQ z!3P;^NE%pI4zyCB3a>G%eZ4(l=E|cq5XPD4TuXZAzTIl;zLmDqeb3FtrCQ52ugCZ3 zjP_W1Mmn^g*fUb9b<6u{Fd6f8&zny4x5{0smYQ?PQxtV0+%bco;+x0j) zfMPx|r>_TIvYce$27a_A`EEadY+03{XU$$}NXKNxG6u`hB$QTeNZ^zO#|qx%XW}eg zcFodn>j^j$#R4{|b{#(>$DZArh!I|y@k({ELB*qi9;vkA$TrOhItwSO;oU#eO5`s< zDc%)(=9VfbqGIorT;?JC~Pud@+!EXbDpzjL@waf6jrdlL+KR) z>S8LMie0wC4L9gi!A8R1Xha*i`68#&4>LGexQkizC)jwZhFh@Jh&iNq(oMba7^zGS z@oVjx`x=^xcuT8<&;Ib3iu_7}LJTKq3QrgfC+$>qAZJk_QezOd!KNNCNfIYfnck)( zZqlZvpGacuTT|_>d!KgfZtyM4eB}xhihLRU_@hW zr-+FTW`IZ7ZnDIc=V)nKbG^v%XYgkerJ+R~>P|?Y8rS<0x;-GRj;ycZmSv+wgRajf zk^@nV*9TWGlhnEzus!>_rANQo_}KY3r`6V4;whMSMbC9Xg|Z&hsrZ4R)b6wjO0SM$ zzVUE(gP<0iardgHvAwa|V@c=OGGoFpS-Z$_-=jsOyke%NJo7@0!|kfFT%h)HIj2#V z+3{&uiV(}T=Jou_wXFJalRL}T3u+TE=|9wh%R&QTJ+^|4GN8-Y6+l}LdOCyFqSDl#s+vi-2GxfP?{9!d;&37YM4LqKm)a zY*oH)b4NIH%jTcPTKM&r0E=camasz0d)K}kS5YtAAtWQ81baJ$+LsKUt{xTXsphBv zwx28OT{b=RBa1}H4BvVY0{^)^bKTze$1i9~sC+6w?NEhLXcqws`Y?i4PniE+yn^B^ zPKorhL_>IVR2dTs9Gsdl3(X)DbLl8ner5P}c%%Wv++bRD3LYe$2ITjuG44y}C>~j^ zMg-Mro%&cQQtv(*Xp$web z$YL(|eVHpkD@zur#=xcq2U{IG@TEY;A@EPPO}m#JF!vUD$e5w86aqv?gbZ{_N$N2g z(ZNNbjYtk}X4QiTiDr--Nq^2U1=8n~@e=#K5Beec-(E%bQWSX2Yn7s3IP^7hyMxAS z*I2CcvH}%!k4tk^vl-w8<87O^m_|Ab_VgK%Avz=4nUQtOnCgJYI;K=bHAKYBk)iJa zGi&Dg$e)0>RxCnPhwqR@#th~7sz3AS!sy!IT$q1J_qAz$k<TnfeCJ_}}hD0YV!i+Y;0`2#bS}Ap?eKv=nwR&#Q zT=ugR2^7B8Te{AjrwO{UBG^LXxlCN|P|u(f>790Rz5h8i`i7Bx_&HT3nIHSBp83-R zbXnsaw&TK-LS=vpBm>o@0uIjWd`&9cLd2|u>66`Rr4zQ=F`T^WC4r~rL>wGrhPrGb zwe&pF&-?FtTE#I3f6~_xM6%D&2kmLVgeHmFvCLnbzM0-m4*UG^PA0&4@s*Q$D293) zCUrLvyx5Q_I`S-}+c7D=)QcYKIxz78NO#XCH>DEz4>91Qo8YkUOe3*uZ*)Vmg7S z5Zi}LBB0{{&3ng?N4$;GAKt?GE2425#gy>Lv_dQ9qVOV)ngRPp95<1Gh)uWyPqep-Xk4ay&vld?+~#@;SBI%kL@H&ND2f`yMqt zeeG^rj*$SsJwlk(9VME*u6u6!7@hEr2aiPDS$KLFu@k?{IuyQ|c1E@iZiWMcv5<$8)DyG@cb4Ev-hrQG*S$d|(guwKyLQ9OMO2J?18gvFy z{%V?A4*#+#8HU~qU=&Yyp~}O7>8bS$LOtw`6U>%G+n1GVtEmj4_<5ZW5P_npiT2gM 
z9uQdGRKQ)_I5jysxpBEcu%5lDTiv$Vv?ZwQ9nGg)&+k(3*Y$;9MR%urw)^CB_4}4^ zf!q*6M>nC9b6c6^i+)MH15#<|meFt!OWE(N0HV@y(sF3zM>>~o*fT&3!M*Af;5nmR zVqUA<%8ar5WUL#uyQ90Lq1fOi!jpR;NnW*uaYB%Vc0Y2YEzB*>FXJLjZ3d>q?bBif z->-uQ$K6&axcB) zYha*eV{VG%x+N7lTq|qIQgFPQ(!42G?Or*;XC1kVP6<7 zCWd@#RLhih99#4|_+In(wS0!2q8z){%lV8>8D{B6>EJ_!0B*79Uyn{GMb(MoekG%8ZqlI5-w-TQpLexmTtppI`*+4@+hmpx~em%!I2%#MD^V~n7LoFg= z&_j8J8SQ_-2;M~Xk!Oy8M9lr!o2J#y7NL(AGoC;*RG>(vUFhv0$C3hRhLbVFFitVy zFl{zNFb#_O#13%O7LnVK4%4!k zqiB@FG?l|5uqJ&J)XKk%CA(NJN+in=e@8_wC?o&AuGDqMklQW#kRR8;70!#RqGw}y z88K+601D{aasx9;eiJ{|gZMiOBzw@q zHlq#7T4U=@{Y}3t*hSvNW)kT-85TCZ><-CPVSel#(+wR^=X+KSqWlSQnbCZ5kGnom z+}6*=%=8sAlqF28G>D2^fWDKiz}{tY(H#-f(ZgY9I(vEj{7iV{=RUF?qCTtlxW9oh z(^JA}QJ&Y;;mS@~VLGY3<32qO54q2QdwDOP0C=Z#i!}w=aovhU43&0E=U!q>3-=2m zP<>b4cf7g8<)R6aIsf9mEuIQlQbp}3v{Q*_Djqoc5odXgDB6S~a4ycne_6$ls?>MF zyOw|wS&-J~w8(vQko5_)&v2g4Y}`lSozQzA1m*vHUTTJ?Fwf!O=H|cl|@;KUYwT@!=);QZg@S(O5y;04(n3pyx*yOl36nwgu zoIRJkQ1CSCH}SzJ3|3MIPl>VgzE39E;}A4B+dh(uJUDEa*@wqQIn^+gPI2cWB8L%; zW+AZbQ+S+z?kW}JF`Jb+o0*xu&%;wzAZ?Lgq9yG(?iiNFXiU#W@ns3x9n)821?T@G z=wK0n00rRB_+t-~=m1uF6cgah$TX*`pWoF><`XdX6lht3R4S8eunXwj9Zu~PQs6De zGLp6n6Pk`?h7tbPkBuPj8GQzgQPC+&mU3hH8{uB8Xa(w&Xou5P`KZV?vdkZpHc@kM z1%~K9$JK}ny&)8^K_gK6KdEVDw8W~6RJYGkO9nrwhxKaJy_Y0!1g$YvMTb?|2=B@z zlglS(7%rI})Yt=s#b2~njGCF%`(fU?Xn>i*WutFv1{&>!k7bS-T6r|)C2L$#z>S8A zqRFe?_feTmm0FwK9&fV{=OzG10uCSL7Q|-y!2DGa2en*6BwtVsdcWMLfgwZf5b+0v z*j4g;?RsiB?=xS1ohXY#7T1%Sm4RZZpol0IPc`&5sQ+WQ%HqJN0V-Vs>6j*9HedDKw?Z^zbAzu1ovAwEJ~{$R8JPp(?;l>61bec ze>e;gGMK~==2L1@(?rR-i({KZ|HHq&Mr@IuDyl*FeMdB$pn&hfgdW#cBThjJD@lrl zc*t-ftQ>#umpEyNImXAI2x6)0fq25eJpeW|-U(aB66@}WShN7e7G_dSzZjK_%;--f zLWnwAy60aaUH!L?XO*yYN_wK+2#aG%HA~c&NLJQi4)U^%m`w^t1{ay5ZRyH?O#k#a z)t=QW(LUZ=QJ(<9orA4_WGN@pE%7*EsXw$nlZ$Ix0zdg}o|1RmTy#WGtEla)Cwo)} zKaL={{VV8P<*2$TzKCS5DpMs}-L*@1*pW??ZA0;W@a{5;X>(Mnc;mw5sCEWS1YON} zLnrGdVeTPQz}{$9AeSLmRJU>Ppt~^|Q+T9woZ&ao^Sj}!=`l-D3~#V@JW!~h?*#kBYltpvviOefBFL;D&&-N%8yj4diQ9il=q#7 zj%4?H)b)ALYnm(Rv=gXL15Iuy`@j^;-rUIHUE~$4b-7U+#uIq-M 
zxp*lV)Jwb0rI>t7%9#$&Gq5)^J7584wlQgzFGX? zc-T>rRa6X=Q1$Wx95E z;8K54Hyd`+O@a#v9>_y(cXIo>rfwW38(m-X!rNY0=_6BIWHU;f_h>{NZV58+j4tu* z&ylZ_SuMz7PxZx4H9g zVdp=2q5m&Jm&E@Rx@45U9iDIA>pyKG7><7(|G(p0-!9g_ysrNzoa>tv`VX9oNb5gg zE+!_Je*;?oU|Ij5TmJxB|A1WojQ@>o{eyV@3+MXh^>5GUAH3_|7}vkH`3K(mU&s2N zVAuZ~{~PW4XFnaH|AKP;>jeIN&HjyYv3}b~|7Vn|&vN4jQplBO1b=a8ZqsrK3Q}Mk z(lxP7*#=~so0zD4O%NU7`{RdcLhLQ<)dU)1eY?S=Mf`-b zPJU}a=CHOkP3mx~ZybN*u`h#U1Y*ks&9M&w#Y%Iq(;=cH!(T@yH#rNQaZH~_8;Sa; zmxD`Re!}yyU7neqLpl$a?h~F=<3Ft}zMtzkL&>V1J#v+?e=oAj{dj%1O&vDFBBtJw z_mU1+o)l69ath76uGUvps^c<0wP1F?BYwTDt2lHjZhY0;M6^_hZo0RrA>#b=Tfw1Q zRW<{_@X)N{+;@~C;Ke&@I`=@IOIu+h_{BSS1ZW6^KsX|h$*h~#!BB8Cs{DgQLqNsN z(aPXQtvV4s$NV!x3hq^bx#25tMGn~Ro2Et;ip(oU!BG!Vr$#MKtirUJ`ZTZbkQQq# z#ddKfQ(Y_f%JXV)z_r<}msbevmx#<^S|RRitXZr3ysda)R`k20yW8ojaV#IG7;J$F z(Hxfa2RRLiK7Bp1;InpT(jr$(3^uK2ZBShLhv{;@f<4k7fF=l)+g3vV_g?vrV*d9V z|DVnBpY{G9_5WWiuK)WUu{JRKX1M-i<9`?~m~V#b+oYpsW#as1xY#(p87@}t|6ds{ zw*SU(F@4wS{|m$Q58C(N8Lt1z`2CyVVrAj}M*#a@_0Ph>@!fj=#|}8}@^Hr+TH@4P z+G5>mc#2}nF#S76rzzUOR!;_7VI!eShCAk-Xbmg14G$u9iy}>gQBkLUj^ql(0o;JS z7vIUmkwNqWB>Z=SFiNd(CK!lp<{u!ES z&}4`8MR|5|8j}z}xkls{g>=Oq(G}ggn{sKc8`9R6hiX0McwJ|p-88j(ZT2~V7yAD3 zWPY{E@dH9_*p^Z|{iR<#B45@!5;hsweRPUYH+daMzW*FxPotG-lxGy z(ma}3mSlG?J&rR8K+rdSyK?cKttF!O0rKfz#)5iSmVmPZxdhu!()!3RP;LZLBy46D zZ+Ir3>)3&lVX>E;3p?9t`2~Aa@^sz=J$VNJdDOu(t?q%}2*2>HI27`Tn6?1@;YYm1 z0tMd^JNC?H|6attQuO=VK@Ah$mw;d9ftlpR3}YD=|56~-xZm$pDstlb48PbyeXji5 zo^8TtwR6w3FXZ{1y&W>zrtj&4`Z;>(_1nACV8AZ^9-?d^-lkoXT3i|K^9D0(L2Ybb zraw14Y23p*sxj>(0>Fm}q^=L4FR8z=4$GIZ2lHd|_btb25z}7-*Ip>VS_!frcf$+i z%Y-fWTj>+3D>9UVY>2iARG@jJYC&GK)9R`k-F zh^R=F4p%a~x#g4f4_mt-Tj|p#z^fIr(~99yH95$wwv)gNdm7)+JNu{;{H^wHz7>7d z@n?8*J5Y?M-V_5gEP}gk;JfKPrCKqAn7-=+(N$gp*9N37_DLgP&!+DbUNS*2eXWKb z)hcuMY`y3*)t9BWu7C)9y&yPIh_H$$+)C8y=tG^NL!G7_ebc&%$73)S21gx%rSTdf zz0h58j&mw$bZOM6-Wsg%l#rNf%tTtUd`)4kwyJkkg9=$HtNfVM7nu2&ENl{lZos0{ zfxNi}f0pyYWf|wq#2iro{lI%K-JW1-Q& zIPkU@2eUb0>}HS!gaIoD%0C0IeF8bE9P!)mYI5qY7Fe>hBlF5w*}N4PhtU|b%D`JX 
zKin|no4O4wgVSLrcI`JCjUKz#7-xLFnrp2eU)QwE?h@zs3*N*~OwiLaaE&heknLoL z$Tk+oHU;jjvCnmwMhx6h0(D>(fEoxy|2*~~ILwedY77cUt?Q@soyhNLB(?OJp3+4R zT?Nirbnjm~=t&$ihnR_;(QFh?0~2ULG{A<4ZO!Dqvua*O+2vs51p54pwEI1Edlh2P z<$d%Mn}DA0`y?2%YlW}bd+C0k{+^3(c@gRDh*bZm6=w2bdeaB1TyzCv?CikRKyKZ=5`l=OWK+o9y<4ln-nWPv1NKRsR%I_yi8>5q2b3y+od`PTmnQ zv$)yGrh1wcpL1+{{Ubhy(fA5Polp1FMJhsx{8km8e_?-#M|~FDU_>^|DV_;sM zRZXlAbEqR^i1&BwJRHL;|428;%ov6<7OhTErZRxd1}{8mV9cn?J3v&tV_DmrEFYfb z2Z`qKJ6XQVx|m_QRS`$k9Y#V$+r0Pz&tkqH5-;|v+Q*&spM#u5j$8YaCq{j5SmbyA zX`D6O*Rk&yWYWBr$aywbs{8%XyS$YGi*|c5HqE4zxNAp+^a4oX0l)#;t>eACx!zp* zYy&dAiyT;)`kBtdP#z>{r0~-S5&^W1+C9i$h&B*X-LQk{eCoWl2QT3TBZ~;*CW7d) zVR;>6BIU@FbhfM}Kf6-CbWx!lo zw-!`@61tT*zNgi;?6F`zJ}0SpEGH!+*;qVuBc;e5zMQo9y&?xN&&z`>>CjS0owgHS zyia#Vp*KFa>Hv_}^jx?QIMQ`mxX8+CWM^*=Y-CVV%$Xh#k8;8+agMhj*jwNHV_`2{ zw<2rzs;9oCY3!!77nySm%jlim+qlSIb;l!`ASZ|qSWYXSec#`|ZYegMR7!EhJ9=$< zn34%?6F72q#Vb~G`j|?sb@y~pIu5obOZ_X%p*Vw=Vk03Rb!G-wFKclWn+so z9X!O+C23YC?O&kQByH6w4fN=%s>bUS7Y&(YTW<{%C2i8osAfvBSgc~oidw}Y zIKhS&nb$?4o`pY525Ts}H;0L&zPuuFFE zGH(6p2Va@~_>~XQ-gDeStHxFn!R98GuGZ&VV!PG3oQR`cO*KI4H-VCbMtG&$ZAkCr zrCQ{RtFe@%iEW`6;??N*MehMFbs5eEpNKwn#~Y$nT9Gd5xtM(>|0cI zfw^wE`PyS{MO#rB-}KO`dfC&oG@d|cX46#Ptf`?DTM=tz)1=E1-Q4U3CuOW@Mv4*F z_V&#KZRBrYUS=L8ycL^!89T1t!S5gk{CQ^~=TSNuZA=0WvB}vh8&c9h;h>hPCt2r+ zKX@5FsJ(*naU_utZRBT(CJQU^&{+uXfyd>r4qB^qSSSWNkIqo1;alz8^{6U4b;5Kj zJX3m@qHgLaORP5$9!6;L)G*et*7&UF?|&VAU44Cj@Cs@c|6bnLV-q`zWD&-GzL7Yoj5YY4jLzb(=M?-L>f z%7}|5oF>HHi0l0KrRp6a8}X*d8+2!wao>fgKy!B%OU&63A-zUaQ- z)#w%Vb-^<$pK+n$)zzn^TTZZar);N+^L+6Nt<6>`$6|JHf?`P7R8i)FLPxw1tY8CZ z;K+P|B8MjOwfNgUK-+68juWzksXP5EZ7s>>Dm_I``-4zv_I8L2mI6cxniWx0tQ+#p zjHxH|1v2V~t^Wr-K+NE=0jnFpX!}@cW#}{;j)RDbs8`oRr=gG-veCe^KdqJNkij_J z`k+M1Cr)Tl$|lhQb>5=y3x8(@_zIl6LH7<;(&WAJ(h&u_!}=X8CwTv44O&<{YE#%Xo{C#$Vywa#4RUcm zcXxeE#~8vR>ov007-yfSp6E7?8A>XZhHQ53%53ZpHrGV0U>XDScSn{qJhGnLs_Q9YE$1sN zguwF`3Xi1r)05|$8^QS0A7qt3WmXckX7`a<#*?q3+qZrZJ2)b@0q%(&{vPP0i%fX9 z@Y#8zsw6{bf_jboW9oBtB;YvGxT 
znhgJBm*Ey>olAHk4wC-5?Ol|Z%6d`ddj%G$wgdsm$f(?G>=X0V7ui>Fu)FVw&+iSM zZu9rC8^K&gl(2jp7R-da2V>S3oEHSu2bEi#7u=6bR-)sL{=e-NE+r#ZgPX%+Z1-L8 zZO3_+T6L17WYNc|SVdVhSR(LU0NtM}v-tM}>BU#`ZruEs!*gF|0z+SMUsdu|3(+fi z6qx&;z~qsmnw7nrOdD>7opK2)V;PGQ`;AznujJ!?<1$C-*L>q$Q(ZGVgI7q?XSM{q z%#Sy#$NR!@YV5$5JWLsKMi`%xIw!)wT~W5VJz_I%j*#xOjCaTaV{(VbcUkZB?>g^@ z&xEj`{kpp=?HcU_Te@{-=i_xbQ7th$VQoO%A-;$4B#I&wz`m-W=?r3Duh(#KR--P) zVVl72ZHea)#5ojGC6Q?q?63>9ebx<8yC9G98CAUp=kSE^S9}QRNtqvLC)X&zF1qZQC=|+W7O+%uP0l-ie?s`%y9}o6W>vt zIn0JFi@0F3z-;%Z2#W=eqYD!s;)l5@ZH{G~V4pGXN1n-^+l&rM4lKtPSbC>lcCgw| zc>gdkAaYe*`}^J;hwA_O6k7Bew-5#WP%n79x114X;{Tv^syDh) z8kof{c?+K6m@x}Cxd{L6MVp;m2%8r=n)Uj-Jtv;yjN+I4Fabo;SBiE7>+zGhAY{Uk z9Y_N|30mF?43m?fBp(|`VyU|=g;o@6>)KVxrd^(T*gIgl?~0z%>?sA>Kk+G@Mslza6-YIBw_zvWK-Ngl{JkI~VZm&N3zn9czQpnBtsdpXO4S{+_lRU`3n(xmM5m)0rBmdj?|C2*-CWDQ{ra z>rpk}#9i9?kQ>QiwYjtM1JMT*ZH>r1>#q>8%>XNy?IXhV$CE!xJLdg@?R8jepr#ju z^0co#hQ&9c2c~<19&P81pE>*_)Ym2A3#EB3cJMvz^^^34*xp|`;LM%crW_H{$pZ3u z6myxA!R3Uzf2!)ajo6-G)M{~^I#ZeGz?ih_P`3d%DtsKYucu2ajg^l_+}6)0?B)M5 z5c1XK!-zfzNtXX+oetgkZPi>;1{gLfF&f6q<9>C?{&DD2Sj0=)t}5Kyq9!It<8A;1 zlk$h1yeR&1lN4IKuQ`&SuGB_M=uS`)nO^#$FG(LO(;byCDau~N#H5}=CU$3`EJdC-AS9(G#_uz7K+F}wTgADCHkYNew3GIBWd}x8N-3c}Rf0lhhz2Z6NBEp{7NTTB-TfUoyAl(w=`i#c2k7r_ct2N`llS2{X`vPjo=~cu1~GB4uLPYW`-2SA_@^ z*W>WI6NbV7V()G=Rs45~B4<`cK=4gfQ;`;|u6tPMC4uzmLueM19G@nmwk+U6DVtZm z%H%!Y*=UQn_0Te~oXQ!Pnad}!loESTJ|&+fg}wiJ>r+;{eD38D@2kxhgI>YI%fwPG zgtmuz&hP)8AdSGo=9zT6#uxUP>QzrWl#3;7TS`s$)uIfkPgzFC1eS__%**>uc#WO9 z5-;mEDEFXX-(F9%lyVkToIs7YFEm0gwrY(54BU0#?(UB^?m~5$T-Hk3rM0x~GgUJu zYaO{o*(X_@XD@T(iD-@(1S6?L9;(wt8f&0o0A<8>vGq%6`tBGc#|hD^%#t)-!)#hv zI;2U56&Qmv95iuhOmO0@;3yJnsmEimP@lcvfDKBdwfqw+I(4!-1@bz~2#Xp)%n{_BOv(N!5S;mjQ71-#=rkQ1o~-%~ zYc*w}j?h8mWO0M2a3UK=Shg=!geEfsUjS!f1Pc~-?4LqVzh)!HH1=co5}lZU8V&vd zH`;yxegU+vzyY=zZW>#-JAz#uX&L4&2EK<&HFu~b(!3Hmn868=M6bfi%1)Lm!k~k# zaO8i=geop%Vt7xhd`O<0!PHt4S_nz_8%nK7d?mQ{LU1~g+0h#-$?Ph?vj&^t)MdU@ zZ)bufYgu~OMdT2GxQ;#4ogzx-#*VDgpd-en%J;u~|qBwkzG8N;ftOo!f!^t)z5tmDN2dHPXX2NITlc 
zUpsIWoSvb1C`&rgs4pb~W3BF46=7Hbah=+{YAb`*TT*0RM~e7{h9W~LiY~^cBQvUx zr}Xhz%)wt@BGR*pks)YL=~<<}?7N%DP==oS_ zCB*^hXy}y{7GtwmQQt(&L@~r@dy~OC5czP7-qPOj#fF)`G?mqQ$r2wXwwMs2ucdwt zF3gnzAuTYcVTxcBnB}_f6B#A~Gn0FoR5DlCKyq~pNd)eo@O#MXzE2zi8ULKWolHlW zCb+Yaw+;S_U@Tm%=9=MeM!wIGX5j;5CE~LY$HCZP%;*NL2VgV59`{8A^n5O)pH9&B z*`V$NNQH(SbdQbDNXo(;1c!W9$VCmfpAm@yP9TJPOCIIC#E<)vTyO^-t!8$c)QX#~ zx%3$KHh-nis(V&{v-r3)OZtt04WM|fI54D@n(De)xaPwUUsUo4-gpL4FBG{7&Pg;ieW8zw?p{MG(mLPfa4y_9%L z6Qzl=^3Je5Y>&aBeu11-_|dbfj(m<~8fEi#<=9?&ANc`h;0o3!HLsKFbid}}4eoC5 zF)weRL=*&@Y8(|>lA4?b<$Bw z?GATsc^U1Z{l4e0HfD#zY$Be9%2In}X(c+9m8=Hykr$8Tiuy=yJXuv;S>bYK>#tnX zZxBUO%#mGQ*IGSo&5p6XMY%iLvn+;eLtSP0^bO0_3^TB68UK)fPPZ1T8YRDBJs;_j zz!B(2bUO4+KVq@uq^V7H7;;EljdNorO+|~c-95#@KQ{`oiTh!S!8j0pcan}YBKBpIBeqX>B^zr(vxGiRid%SKhrwQtwOUk0P1$9lynN{4wAJVo>&mVrvaRL%&CivXt0p2db&NkJtsT@@u(hdGZ#lJb#aK>kn(+NcKHoM_6XaqsE>M0o z_uIP)m0$>?FT&{eV)Q|Jw>J9gMUSc0?eSk!)+$tUqL2%Lq~A2dSNe|tk3L*t~qDAPRZC3^{38t z_18C?>mSxLO6j>B2Kut$Z39QT`a2UR*{0Xl%u!p*$(bw%uJzvTMS7>Tew(bj_BHEk zKnwi?ke0ArKoY*^EEYK!o_kwBfU_1)%Jj+w$xr*iUp>8I7vvd3d^b& zBh?vvfqO|#3|CZFPvZA3J9`2QoAU6LD|f|X-nSpz^IloYG_MT(jmo2ggp=$mKZCIGh25KaADK2|;;n{qtQGY9q}S)yAtfT4<(D z5u2a#2A!S?W|M^oW{aRVTd+!g)gemRq9{qcAnMJy^S4mT^YkI$b`#yDT69!zko0;< zCz#E`^K=&GU!tp3lfhu)=`MaB&+%#cFV#aEwB@qVZtRQ`Hr}RJMJjr&Us{v?dWN04 z>aig3{!wP9KtpY*T#x6Jd~TrLUTbIAw{}}eLbz6bjd^W08}`mX7wzgF@EtTmRnnqQ zOK#QJD;g~pfprUW-GG^{tV~p(0Gn-R#2&GSle7{J2gci7LLb^_*J_S&Q^Fq3Fr9yyyy{h zh~2ecQNmeA0L30YOU3-t4+!@`IE>@`2%SQFbjHC!aW}vsP5-GH)d*E1-4QP0O4H8{ z$=vQR4YNvAgQCj2Wlr|y9>JCSM;iJ$*#+bycd?mdlYHtV03Lpv1E(-Kr+|wXgm05d z5;{yRVSx;gtCj&ezzrzZ)9bnG6+NJx0XbkCtgdRhTv+c|8SK;b1$14Vw97ZlD`_cw zu$Sk<77uu*13>s;4pAe$VW3)u`OzH1{!|Q$0>cJ+{g;kO?Et_=0RE@^mW#*Mc2dKG zH!Zqx?uIQ_uP=$@NkY59K|4OZxIdgL#wYRrnKfxN3Oo*MCu0 zEOIu$J*Zb*3ff3e?&jvRwHpQ(3D(R(LqRSWApW4A1VS|E=dxeoKOk-x5yr@Wpt>c_ zALMP4--Q>C`k=$WQ7YLuiIg%>>NN_eUjB? 
zv&hDvA=Dn$J8fBVjy=cc^LqmNFjH`gC7H9otfNYE6D68EQjm#O;+g22U?$qFMUOZ& zN4;0hsW!5`Y*l7A3*EBG7RJMzc259JSopV|H`e-`*GSY)uZ`nV8?222tO z1cQEq)#x+0{BEC1;zXb1v}gOAR|RddA_x8cT)UiY@3T`TNwucAH&r_q%;vaYD6oe> zwSY}rnjTcml5FFhE|(-3BtNv?Rf7#>xII?Yp61H-w*_f1&3&R;71i2qJ#FQ!PbilU zF^aIun*+kjlf%H4;b?{oV4ndXpR3<;o(tLn0fQ|>)8Z-B+#3o3d5P|9UOS5S_qq%cK({jCu3)R502Tq> zW*{6E_0DYVTn5oHiB{6gA+3>rCXRpV+&`A)PF_B?V1c)C3Vkm^->L1IckZLPwfR^6 z@e}&SFWd4$rD7~*^OSu{So-;Wx6IYWVnRu{Xc@I|(R06LxEr*Gj$t1c@K2M5e>zP* zQ{ZO#Zuu9oZnL~Odz*Y;*8R>meQySSE=wM}BRde}MJL^sb4!rRm-Hdr0OX1xpCue| zhrOYEtJT7J^YI3TBl)aS5B{lmFED>RA|GYn#0vw?L65}ziz1{n1T z%)^Ymww94TAVd8*L7P*KWygay|3aGMgcY!d7E)i9cOlbdWJ`73bvTK!T>ZXbOE@iY zpd~|T@h@=9Aeew?paGW_&yDmFZ(95W4%O%=!qyJOnZcS>CMzp&H^7LfNF*6n1cwva zpy50ap2RK_&{dJjg;AG3Z%!qb54Eg|UU}w~u}#0(y6{6?*n>qeF-P6E2RrFD9z2+N*=_Q;uFDIXqJ+hZms@3Z5 z>Z_zaPoMXy!kwO--jpZhH5Hd`Hf=NUp6ZgE_UgXs+k|I@6V-y5zu7ce&CisAA)n_T zxsH&}9gbA_pa!Gc&-o~nr}pD;Z&e%1A1HErJh}S(BHo&xYoLix(99MqsI5y-&(xX29;dc=D9*(pcvNM!=5d*& z$7dy1VsC;eO0eZT_bFI0EG{-AX1E^b3eFVlkb3!(GuVo!&YYT9<0>T~%2F&puOP25 zkJp>y(U>i4pG=jIY!?&8Vq%HFk`?P@V#w1MQ&Y@Ztm&;L5^UF_@j-CYQt1db~ z2Ks%fvAn#9<8q5!?i{SPYUp*lbBn6@B0WIhKyMMBYX$o;(wl3@oIMR}?`m|wdCDs* z!Z;0uZDfbWeAuf%T_?j%#=SZ1dVNI60}F@k&8V^renmjsqg(l)P@9{=|NRu-NyHNcvddX&EKVE9CsFAKMayTklw_*j_h z`7K}o>(0OcfY1*J$ZU0N?*_J7*xAhXjbz(ptj)n*I~M{m$aotZq#AFNsKAblfvvf) zCo{WpV)C=yY{I##&OKi?Kkl&@Lq%m}Tyy!nxYuG-5@oSitX#R8?_Cr2Iy{>H>|L54 zc$4kItFQ~rkdgdUo5%8d9Z!l+8K07cuhA{yHhPOFG)k6y!aMWz22VZHKZiI%<`uq- zS9u*jE5MLoPD4@&r~xiuuV*^zoXrq2aE4j_l^F!b(AgZhKk;b>ubtL-AhojeLdR$*pOs%A*ouCdOz(9DZ-r>I147`qypt{;xw@Y|RFb?D0NcU-am<E*Db2ga(1QNn~?(n3P~D zzEzhjE!pJR=-cSOCcm%bZojz2^IY^u{%?H0@&7ui_vXnZ`SIFVZQkVkvXaGl>+v;3om5mqepEZDXs*qwom5sW(y9Tw_2J@@H2vECFgvdj7c)ry>Uq^Qhw1Of`Qnf8 zA{3lcof>rG=mH+;0-CFJ;0T*I!=eRlzbBR-FL1{zY19uZ&s$hYV?ONbFV3)8^S7vS zFgF~EOcrv3%4Dn}Sac1;kpx3;q#pz~Lvab;a3BKob+9)Oker2S@oyu&&TMTfIXRsK zrWspFI=_`J(A9Qqo65>BZz^`sRbT?MnK&xX#n2o`Y$ijXkNM+ss?I%MxiFUP!;we- 
zcIc-&fAfR#fvL$$0&DM`dE@-bcJAwAn+8Kgu~ts_@Ie#|<-qHVU?IR-P>}hSEA`gLwYXoIpj_o~ZYawEMhdSl)L(LMAr?(yip;+Kox zDf?^jc(DaK;WUSHq_d%R!7&B8Vf8YJvxRd>EZ;|fFsW7_>MBWtMM;|nNrOcx*X7h;(Wyl`HCS{$ zoa{MFy%|~27l0^t4S*d^Xz!7fX5bKx28R>0@F{R{j@qt)(gY-?^v#=ifn!= zVG_l&Bfb6#jcW7z0KbQN{an7;#?FV4URwr~D>P~?b5H}-g~L<>+y5O{i;VE56%&9B zxYn(OZhNv)u>@s*e0EX;a3`bb=wIGBy5rHk)YCn*{_I6re#5J;@4BIG1$Q+Vys^z+ z1@nfdHeH*JkA3~-4l{Qbee(LPyRvXT503v%(BWjM;qKSY6|dv&BD@)D<4ky4TF55_ zxP=UVRo7JK@IGOgXPI|d&N81~XVFw`x;z?HCWGcuq z`3fQ?rEYRTS>1qRAZvT{KJmWN`^%mz9nF8G@QuW1-RZjQi=`SL-c<=)D=V?^U*G1)i(5o6pQXMT5v-0DnB10u9urY+51xqYL&{%A)BqnoFB2NZ- zw^<7cV-BErsZ`H)Plj04@OkDu$3DU?>T2vz4J%BmEo{+DaHk3UvC^tYos>>n-QF@?bE#yoL`L%0blr?LcoipN&)DuOq$L=ZRX4s)Zym z^T)^od!&SeEYZm*s34~yeobf$>7ueIiE#L7;3ooD1sK7LJIX2!uJZO$w*EQ8f#E z4pH6K28RvgaywpD5lEWLS92tThI0)XdNpV`*O2RWg%UxA;;pO%3Ch7`!QDY2cm$sm zaE*VWni#F?(r~d0weMF}b}F3Fat16QjaaB>N=BhU+k*a?w{ zr@YVPyr4UzKP-YlenS70__Xs0m+nDvr){U>0oTs3Zk= ziMl0Xr?kX)skPIoQ^W1}YRw|uJiPxIt`cgT)5$EWE~YOK^QC-ezDoyUDqIE@to8x(4l=TeFP|8S3NNtn4 z@6L=R3&!$dV?v(noi&9kytJkS?-;73bY9b8H!w5Ne&Zria-)#1{@x>KG7KWwTvsD91W;=;5W-x_20qRU@(ePd(b4Zl3 zNqjFcD!);hILa=dwHqNdjw*OmfpV-2D;w15;xXa@iqS9daIy>=ZT=g*(6h$>@*ImY zo8vLS7HWMjkr-vZqZ92NWoHuGSzF{deN2Bye^C5$NYKR_EnU@0d=tM}xS8K3JkIZx z#2F&3ld|(HQ?r8EO&+(I2tF6VcD&G&@{n$)j_cM9>h|e)-N$BpWW^ITn`KM8rO&d{ zA`HSxS#UijTNFzfyrY(57SRHP_FR3^(j9xXH6zqvvYa`Pt^y9vbq!=r&w&QJyH>la z)DFjdufm(exWWe&nq&0%iPvK?`z3@zLRg_*lMj-0y$=^pm`8eEd; z=hnULdluRhkH64Lvx+OPs9o~yZ?8-y^SMtC|LrGd?jEeG;}1SGGe?f}oy$M>+ltB` zyqtQ`mkn$<9dOpd?;~L@mqFQxB+v|`sS20#6~U%jw(k}$*s zKR=L_%`JfEtwRn6JmvW64y0bMCAu13J4G2V9c6a{!wyZZx}mVRibU87yDf`!oIh*6 zFb^1QzS!aG@QZ77n{|U^FnqxGx^hf8LH?jKOu{>s3q1?`%Oc&LZvSS_fPctwN7hdJ zPS4|Dh4w}E<4w`;i{JNtB%SpCSvf;JdalK>$Z>1vR%I}9IwIN?`U13D6_^l+c<79z z`RQsIV5d7g80JV=2G(SPoxbo+urH}Flkc1epAK8Xs{_YD+J4^^Gl&@8JD~iTqt-ZT zF-TMRM3(vp9qm!AMe?AD1(TF3%(xnvc|Xmc=y1tvNK7~(i!0<1}V zOYEH+9{P~d1KYk^UNkvqH$@^-R$essk?qSbo>WDb9{e8FAAg5hcg%^G#+{o(!ItHZ zJob5G$ri>zH;tbJUvUQrnPP6>3!JCMOEvjlf!@QAonDjZO@Jm*0xk^&x=a|?8P(39 
zPtoMQik2I(|5i03NbxWvsQ8cIf-5jSddPrKAmm`kP|i{fR&GI7HUTmgi;5WVW^iFC z@Sz62z*_GmUXw>PP=;9VJVLz0fl@><@jNT)?+Z{h&<$Z($b@Q4E)6TXAYRrlKo7H- zt3cEUn`8JY}ILugQy1I@+s_d?9c#q-Z!=w~< zXESD0m0~&7X}CP=F1<#$MmHo3mhLMZEfv+$!BUQtx(c0%1-b>&{KP#XUVx@b=_KO} z<3i(o!V`tNOU2RB(+N&dh!Q@6yT*DNl=s#WxB~aVaa$ zJk=4*YH|khTvPqQKvM|COhS=Uo3&68Eh-A}rVufO&Cu0ZqdJ`3u0hv67asy0z_~sy zXxF2!_(EV6bDx`$)HjwiZk-UL&pCB&pbNTA><60U)BuJIgez+pmt-6b@#e%6f|M7F zO9cu^2(a?Sm_iG6MH;GQ=Qz71!FJGg18z$oEeDkQ4&u{RCPNI|_<>$PIKGCY`vSrn z7`}}$=mt07fI`lMaEPH>kTw8qw=R;jGmc^c*17LD4z}EL;@{uf(gw7fldw>Gu`TTK z6`RIRm+0$Ply)>PN%bySGyS5^Uw@s>nDf-PHSGKOdymZU+avvN(s!ErYTMTS;H_UV z$e#@?JdaO7pDn;2_!8vjOD>$WkPdJQ2&8s!tQs1&I?JH@p#b4<1ed%V!GvlUn0ZvY z-H!ak!@mMY^jn$?BHR+{rUM-TJ*fak}99xYv{v#j4@j}hR?K!$3(85xoqy3@GS*W^I9RBl)0R21X+$+$1>+u=Pu`Q(9llb z&jgAUJceTl&W9rzf>xagau;*F)JGW%h(D5C`Mz44i>`NVb?pEba3(u@kX?c7l(;f! zhjd)xWl6<#NS~C#^@v`2+UgX@b_Q2`k?JV3vO8&>SY@kX;!nkogft!5=0fS~Epz&1!M21qRnLqa*o@h-VJNB_qB}$d^f*2pKaWV`A0OzoizXp0g+_X@ zPcEo&Ft`Nn$kJy72=0j!5;(-=jD;D403pP$>B^Pc7T;7Ha=vxno{#@_=z%xRZKF@> zWbcaVc{gyAf3$JqimS4>|BljkKc?ajpRVhO)~MGpX+ayVHm}y*MiSiAFJXmPv34F7 ztBk%c)^5do;IXZGDp?Dt#12X7z#9Eo#Wx#)G8`;sLg=q&$DaXbo>7X%f_U%WR$xn0 z--tucG&@d>%A*ZOAx+I3dN}e%<=5ml*aPwnb2M@69fmF-D}!5DpBgC8M^Tehz^)ne z3#gv$T&i&bS~uQNP1-Kj;?b>NYaD^qT3nRb)a+!%Ifv$t;)G*bnLc&Ot;+q*`{R5Q z-(;TYy@|ictb0J9rNvvrJMoF5UD7VY!}7!SRIx$U1HUaRT$bSclJ!7Px-*v^2#RT5 zQbUp8uHeg1bFoKbZklM9sa#fA;IQi@(I{hMr0FI5cNEj&H23KUEli}TtXlF5sKaKL z@3h%ylmYqv?(Qnht*gtp4GkGLTCTaO%O9@VX{BsyEVK4mN3F-KdaJkS2(RbG32|Ho znCF}V$ZL#kJ)A#wogC1lBlY!A>S{P=uk8Z1)y_9ZEHB#?k2&KpSH7R*Wk>z=zsaHj zpu_GcZg(M84hHR5L)k>6Zj4P|vVOl8{+cgU8S` zkZ|&8q#RgTXQh)q?vG8GckaD{{Au2ik&c7?>pJSHg6_(eP$*ua`aj`kpL={Tw{;BrAGP)b;O|JalnBS5T4Qf(7j}?YI2wwcE$F^UXJnjq~XH{I}(FnE0I;Tu)L04 zxY&3(%rlmUmC;-j2_vuS+1Wx{m=DXG7| zkv69Ja@Fi@F_wC1yLS+po-cAgg)X6ipF`@AWYmjZd`Siu26JBG%W%F1Vb_v5e3=@O z%jo*D9c8=9_%aVW&&$m0m@P}zmhgk~>3lXe3vdEFZyk`)q87ulz;jwPTCg$a<7;OW zHx{ER6b7nx5!1EW?!D#0EP0Et8CF+vhm~-6{R@84Y 
zS1qybxMw<@4pD@D!Sr&)MQyG=*V{N;(&K+u?W~;3%m@*e)C@M2}tl zrxF7vl?(t)?b$HN@X zCCJP{EaIZ+z}vCoF~kfoNfZ-M08?GieT7%ssaLlys%wrW{QLU!}zqO_^BG}1*igGmr1luq74!)m1sz! zHio0rg^H*+aHQAHmvZ_Qab+)W*s%oFTyt#7h z-=$@BD_=aYx3cPi-_eT;zSVilYpPCfaOW6x`k8%$hqB|f*>*(~c%8x0cS-+>I~P?{ zdpxmeh83amP~=i>+vckuUNmjs>RpScoxQHIBUTojvUO&a%O!w}!J8i~;|=Tl7t2v24w!}E!1W5tWL`id!dP<$Kw1AGVj0}_MD zhsncNv_DX7Nlh-8tR{K(K#{5s0mr3r)CljYdOPObXdz7 z#%N9-U^T;ouMGpG!E+XR=I|8POq!r6G?HS%e-ynV7zLPUNE_Mi1)JzoOKa4^q_L(O z+<+}+ix1Z9tPxT*qcz8B_=KLe*L2tPu_(2MDw3xlhKR`;5DcZyN<8Lxr(o5{{OH zirb63i~EX&!Q!38T&kGjTr3_fK2|IgcTaj8yfM^2f$A8&47!@Rpc>eI$5@~Xo{>kg z$=484c8*^s>0`dQU+48hyq_Zm81bMfjsX+&Ybq7ENM{r-*4HRN%wq%*A&9nEK5u8D zkda=yMma#wGodlX)Xqo*>`f@WVuNOsDxe7l^+Aoa6*d0Y8BRj_b3Rhci_tmjub+Bx zpD)X5EK|p(IMoUxA8INqzpTYsJAJI~qDZ#K7Rqs!TB$>K$GPQKH!obOK0WrrB1kZ! z(Y&~PF>Si%($cE7G5@6{p=dPAShJA7D8oWCy7(e6%{J^VCw=CN-F29_$3ImAjM&XK z>!~OSq}-RuBum|n$PwXSw@6?KnTR#vyWsp@Wb zcf0%CJKejHQ8X6>#g<%J5Y*>I&I{4eB~foAGztaMOf}3^bCQ#*cA9CsnRc7|%sb7y z&8N*e^N4HYQ4Jy)f0hBohWZO{@35D_G)h$yZ69zFohWGlB~Fl{Wf}>Z0U^B7F#$jf zR=)17nlaYUP?BQ}d2;fh6|KAD^QjAK0?}wr{Q_Qna0ZiGW7Y94Apb8=l$E^j#j30B zq=r)&Da0)(*KDg~b43`=EMakxK(s*8Q00V{p9Tw(OGCXAx1E~A5R^*>VZ!si1`F`~ zMU6Aiagl%qNCB;)fL2AIK*PKR8d5DlR;>&?r!_PVPX-ag^Ixiw)lxwGT(pdd91Z0v z6F`<%SeW9y43i53T&xTF!tL5zrC? 
z+CW)(&BGdk=kJgu!&8u~nt63OzZ{q{w3@Q5xDg)8NP(gb^cR^o)Fj%m&AXUJV0=a<0 z&>-^2c2yO0S7i`0qe1^4B4&rj%j<=hmv{RqUI5eOoJY&R%24R;f(``5o?>{pLbMsV zoU~*HUgpGH*}_L-fR_WkHe-}+qz0yfKY^P6N5l*%<(IMb7hA28wmx!aYp>$6n#!k* zP0ms)jl$G9U)yZ5mbZ>g&YoTlr0mbL(d-0w>ebeT_1BDTSrqbWDB0FVzjkf^^<#l9 zSHKsI&R9w3@0poni}o@3Wiz|2#Ll#l09X8_z3B%c)^MsOfj0w&fL~>k33d+TRcEvf z!#rvhixjkMf;%ReHRv6933#TV z*|o@d6TQu_-S)0e45<}KK@%YE3eh*5Z{~1nh|ZGE_r`(dM%4sp>^1N3FR5#h_S$O`rGu$(5hLcBUy45ysG4~G{l1XI*W08SyJQ|+6$P5P^iS6i=k zT;KDinjeh4zx#V4@p?*P*6L2Zn5W@& zqTzMCr%f2u4C)#5Gf=pud8I)yWNNro2dYL05PhCrK1?dc&mLqjTVZ4{i`y&x0;6$q z9eSt1b(V&8v(OiIs^IR3olQQ5b`=G=^7Ym{LcLaW#>9HVI=~>ILCz4pOtk|o0v#XI z?%x6Z4C=pOoXo`Gwel=^iM-t|++0K_7d1?7Em~4^nfo~wX9i2z zsF!U?uB}>3O;fhy)JkZJl9O6WteR*=HzH>HK&ggbt zuyecYjIdeMswGcL7bKu`C8D3M$u`P#`=3s%CdG7p$y1{ zh*+0=_2%|%AUYlnFs51J;$0@5JYRsyH>sg&)f0{qX~aEXtGnMHl8SvD!H%9{zrSv= z?hu|D@_@y916?;MA~I`oh$%LvY4;W8_YH6+-scZ@&H4ZH)$wqk)u4omnQzrV(I|Wm!4Q1MZI1-uJvGwGxFWqAF z*GPlYw+Ee{b7z@498u0@E9F~G2aeAX<yke!-?;gg`ZuhcJdq3|Ly~T=ubA}zrd5jV{28Qf=C1`|JsO()L((k1g8Y0kd6a*0)?{5%WK(nK=ToOdR5k95}>gH>kmx z8w_1y8JFrp0N`bl~fusl=2ym6}SQYX4e(x-$sJsY=K!ASX8BOLWO%WTkJo7V36E5$(V<^oo?5goiZU&bz-KeUr!*%die09e?CSL!O2s?pzx3_#ieJm1Gc%4s?rPrFMBFsTsd)}B zaryQtLB$tQh_~0|Z@`IoVHuZs6{m6?kKecDcdYE#pT2S7v-gbW60Mz4c68oWDtB$&|Kjme8O3B30+AF;9E`K=V58`C4h$IQ4y2fuJCj}>&U^X#>cs^TfZ^LiSISpbbbiTU zs93Bm&F4SvKUTT+VrcoT(b4(nVsv4YV6zg3U2DCW=FCr_@u%>xtKs zbH-)EKi$Son2^iu3XKKFLjR*97Eb84?nx$e!}KtEil<&+oEYZtI{MV2X&UmvMiYqPTaR{UvRVcVXh> zM1R04k!MD+itCeE8QPEEmz)^I-j>N_$BEexR!=7?7btdbM~dbmY+;PB-@rJ?Kt4fjQt03dzbt#HP<*Y65SJd%PN5$R!& z@Hnb_$N-bb(3nDj`YIx7nH&u@xtnJywEUWyBz0KaMlGaoQ=rp_j zUQ>$gqL?PPD^s-dlFc^xGty=&P;8Ut*sv2*pnAiSM;}pG2`GU;j*H&Hs6>ifs0lWW zjG-3Bp?=LUfi>=qO~u4XJmIc%WS-Wlfxc+}MX&0-q*Ir$bQ<5yV=kRxdI0rQ2F`rr?Yf?3z$oF8z zuz1I!<1AKh{ln47K;B(MOiW+Dtlh2b)qmIUVAlK*Qd`<-HGCk^A2;G=UT#-%s-+cl z%dpH1a#Pu$HT8aDgSkW6E^k(b^6HAJ=GRlx?cWeylKxtL(Rk5(DfM@d zcFiiY`Z?n}=K0io`#bt|<+}c%**PsUI?F5deSN&G_PTAR?6y#J^8L2$w)wo6->4Vz$`@Z?yk4*nF$_f38hG$UQri(E>o{0%5 zD&ADK| 
zAkQPTn`5ufM%&qByZdS2RrIcBBeA|5P1Od_xx>i%r0K<6)-M^DsP${+6>5*@aQIe} zM3C2sxf;cgD3|U3%@n~Jh3Em~m;2yD#LWdbbAh)qqb|!6?6YpGXl>*2KtoFt8>6P>4mDiG`tXlUxSM0FzJu5yjbX!|kjs#E} zMa^va=zWiOpgW3+EErcosBErbT-C)rx5kx&@3LC)2uE#Zw_$wo=#0{)XI0*%l&e{h zcSY*fdAE+PJM^kos_)@vsC$v(t@R@?BUgpCxGH|Gj{Dg_|K-bnj?NK@$5FJQuR)^= z(=MQ|(FM%5?~WpG3j3P9J!hk+IebA#-S}U@xN%i50T3!tz?rwXJs+g z*Ofdl@JHUKe4;FSHQY$ul&f*GLoR3qD1UEb16qG-tM;(`uyWA&q`5!!aP6pcOgUye zZhj_pw01%{VLUH9FYLW#R9xG(u8k8sxVvl63NFFj-Q5a@;GW>_?(QzZ-CZlV1_|z( zOV&R7thMEwyMKKDzT22oYjaS8$sB!DuU0($eY@|(^VO02R%Pd}^F70b1*=LWMSE$5 ziSTt3;GQD`;OOmOU)dPixL|f;P^yUECx5sqeqAyIFrI_=F~cHYBl=PU?3bED+a$= z3v<+(u|Iakk^{g)?`X1X*gf1VAMkkNXZpr?f{DLJKz-v$PA)sWme+^!4^hbu(|*zl zV&mV?*S>^Z5aXv(Y$c9yN^tp99)MmkYIA>jWc?YzU~$Q8N^)`B4WE_^jII02q4n{D z3)Q$yN;UQ|@43)uaIbt!N5;X=@fSD68|f2OHQFR+kjBGhcWRr@PE=2pPJMw%6BeK{ zBYZc)!WvS{wi(n%?{YilC>ak)iqo2ffZ~09pgaYvQpFn?9*niTNCc|$;}ja@xRC^- z;PWxBLm8s;HL0I*-46>#pLiWyZ17(XLq?x=K23T;ZT$k%9YN;!R~u*6zq%R!>EisK zSe{G&v*kJCCp(~ttP1=;`JR&iSlRz(a;{>hYHMk1XJYy`#PPSG|H1eC&Bgq`e9z&v z|L`~eN6+!!lmBi#{okI;Z&UuSp5rk+wtXb;Mb5kih~kBzZgELfOUWLl0cG(h-8D@y zR)W@E=Ns4|@lt$0{ZrkU83bIB69W!edJfttb$X>>47*3%7aI&RC7(*I%obxW z5bsvv>`$L@1f^iQyV&X|-b!)I`uv9SykkWjeFFMkR@Dpjjh}mPy&-xMAi|A1Plbo% z`N+@1vbfW|lbe)_UeTHv$#%t3Er=3jYFb2WVj8kzBuNw6bufhOerfVBM|jrRBruSR z&|AG8Vl;SNsE$;Kw92jtGit$eMpvs2ydMj6@d3AGw@3Te;Qnpl|GrRvM)!a5=>DIA z`nI-zGwS|ZbblLlle`&qbNn{yX61Y{>VET*XJO{x`2W?`O{uiTe!0!zO z|5s=F-y?s&`M(==bG=!L|F=&!fR*__*fbqlo^C1&jryKvY|*?_sT8~r;FA>b{haYJ zoLi`n6l{`Ic@89k^Kf}G??T%{{Z!^Z36|nD6fKnbVR~s>j*Z~Z5AZl)2*8Vd7a>A$BzfyhobV_`eQ8Bb`ebTt7_vCQP70*#_Ymtv}L?L8aIi}4m zp?eBPlCQl~5J!lv4wGNBY zx`lX!3_aGozG=V&LtP|`jeZTqWO%?4fBuqQd&aGn}!VaY;gV>U)D z=&~?!q^0f0&yV9BhFj9kkR@jk*;}Q~!)+!Y>ma3|yoYDIv`*cR+5g^ ztWa}$SwzD#88Muy8=1oxVhAKOc_ZWa@Ws}jO$OxHzyKX}E>vwWq{kTKO#=0e4N~sGE}q5O zC2eO1h=qpy-~PKDO6^1GBa4jrV`s*>xElSHDDctPh*0<41^PDCr9VI8qH>hdQ($V+ z`4w#a@D2h+cyT|Ylxbs27L}k&s)p60^ODa6C)rK-RK6rFYv+{g5Bm-9i%<=zz8n_} zE%KXdNF(S(2orgu8H(U)o)|i#12aU+8C3FoLineFbSlK24S5mjNWY&k%MyJ;*{JE` 
zTOJ!e7p{9}2$s;VL<14A6h{(QH_&nY`7wCg)x-DtiOpT22=rbUG#IXmxPIiN#Qsn3 zGL#8mT?zV}351<~ABqG+1(a{S!i}eCF~v)S+vV5%2sb&L4KhO!M{~8!_pu*523!Xi zhrc)pI1VYa@uwwFk+%(uk1JU<4@2vD3$_chffI~)s8RYX7fS@+fyTfs4A)lOabxG`YX;BX__8gv=?NALP7Q`PpEey# zm4@>Ed=*Dl`mXQ{+evjtdZNMc#V;kQN?sk5W{W(f%%acQZ*gcg$+>}`L4T+cur^s- zXsK4OlHI7!Ztyye!8ZPt+bG+#w`zPO!a}sL8rYSR>&VhKzZPo6W}RSkG*QssUKUAZ zJ}hyRkhj!OOxx;eAqg+u4eaGy6RGyeLux7cGh z|6NNa7-WuNgtx-o+XH)!)$9O;vn$#FID|1zs2oJiL|AwUo;}K@Xg64Qo)!5f=h4_E zDa0z$W{pNz9r`j#2pBgw54g8qJQzM98s)h%#0l%BoFDiBtOZWFQNJRhW|94jCa=Bo z_wMFLdJxR_ZooN`QD9R~T~8}%-)Xjn!q2M@u@>zjqJr_{l7y0(l6edx+4CtB8In~L zMB#U-O{0$QeTy3Fo;#+CbLU87xms7g+w25GlrjW9zAbP7G7GhoTtdd{%0O<}YZW??HkE8t>6tc?wl{TKYHN*_M>!&)GogMoe= zvImMsX7?Hx1HbBL$m9{$?#Q(ll<7mTQyBYK*k38_bzZ*wuKR75TzmEL4?pc+1^GW- zK3%%&=frg(ykvI62#P&0X-Q2Y=}>X`;m>sDU$6UT>D<5l#;_H*=aX;mj<^%%|9-W5 zo+3|24+Dw~pptY4%QUF05>%J?8Ip4XYCX3_Y13*z z60WJNdJLuoobnKCy_6Fqr_}=wwFq7a2GZMEvA2Uxp0xXPBKwLVM=rK$l9*~Z6>;Ic zzb(Tzc$Xq77h@5S5(ib+BKS)9v!z!+-7UEHj@B!&_wW^?d573`=)+o6@oJPHYgfeO z%)y)Rg{HkfJL&A6bK|1iYsmN^O8koO2_&8XTd4EvfOjbSlHga?4>zW%3z@8)b>5+N z-k}QKp*{Cm71Y+@o*}96Dpj`#--0oR!M*$Gz5C3u3+v<^)Z~27UWv0%=1U@#;05Vd zVg0<0Q~ZTwmPs#P;UAc$Q*g_IZk^!HfGDc95Gv`M zq*9I9X+%&%SpYs!68Y3DuNZ3dU6#50{Ob@9KhdsX{fk}3TyRIA$NMsiVUh27q^hyuKym zOA4`QQ~9Bzmy~7_MFo0zaGV|ebS5jeN9KliV`VsPv-9###-GiOd_O>d%6*Bna(uDEw&u%y!xq}D ztJhH$$W;wqXdhv-@*kg0+#l`urq6#IbX`O&p^bO0HMiHMnp(-|@BVSNt1%X4IuGr}OHbgGYp- zOGnaS1^Ka$MpHm()E9d8rd%g`?beTqfG4sCIxfFUY#zRg-ngwM(%Awb0Pb zKSw1ql1sCn2XS!>n%D`CV`bZ@xZxvu?ksE(4R&sf<3)6;S!rytcBbq^)$VFKA%(XE z;ie+ZPpiZunFem48qZ@y)wTd@xrT--knYfo2hz_bV;g*~)+Q#{jci;#yO^mC4&1o> zf)Z6REnw34!RKn4ZQNt(IfQrjaU2eRD#8Zf6&D(9W6R8xv6F^DRZz*2>Nr+PgPkq$ zt*LzYf{(H!(6CXeR1K&og+fi>@gA1ok0NsK7L^>{GoM_)g7b$lJo`Q z;jzc>!#c<}=yHL%Er^3X$n&SloK84PGW)1=nyNsUo!Tn-304siW z$g4iGUl2?@Kp;d$61*GUB8L^ujeP;g|vF-w65IY-)_jTgM$Vw1iJnk#y4th*FUI}V81yjBN3+zcz_<^#TJibF` zswB!5kQ4I5G590+iAi$5KyKtUmbOgW^rPkeka_VK=-N$SB5&~C>0F5YD^ZRO0}@Kb zm?o>!P;_^%)wj&snKN2Br$eDJIStDKPy^X3!9@PYWu4D1UWmF<^cH-464BG(+@q%k 
z-f5IXxuFeyYApC;MxsW_&z5C1?djLR=e>JFuN)olHScS#JFA9HU?Y1b5G=FUX~ni?u_pp?GrWL@#V=hY0?o? zSo4hV`HMG=T8Kd3rLuEGXU;DpQ6P)w*Z@4=|&kWj+G(%pps<9Qv?zTUYuPbSN z(OVUhSNM==gq75<1Y+Jd+5@tBd}cc~Ccdm)o#-?2U$$wb?_~1%xMx(QBWz>Q`o*?z z;+lXkPhi&EIU-VQOsS#5Eb^yqJ6+c}N@#gMuS3`V(&^G?%MX_347f?jFdH}of{TTj ztngc%LEjIlcDaL|NIHg~#te51Eb-b9llJRBe?~Yq6EKRdr3UHU!t;#t8&WR|xBRa6WY1buRi~X!wE1BXWJP{aF1@kvo*-K2DP*U5qr3ci#-V#_0N#4$ExAQ1_?a zE$0*FQ_P#jlJi0(D|n@k`eN*!w=>jtaw^1R3k%#K-%YTcR?hmEfq%7)VMoP%?{KU>gilMPL*ShUG1kc`t??99@aGk*%L zu7LV}qVC=y-BNjm-_%Dh(_V+V!J(W>Pv?vIaCE`kd99Crykzu3IbC`+m*pg2x`}oF%(dK#Jn+eeczOF4fjRqA$ZKz|w^W=bXhDni%*=sExJ!T2 zy8rCn8@Tk5eR%fkJFM+OZYtz+;*HtJ=pKQ+^pFPbLJp+1fG>J<<$E+x-qQE#BC9@&9^@ToQOENIXiC-T7=8ei0Rp{f9V_!p@(wxiZm zbdBz_x|?@r(0bv}gHP`mUt{e^h%G6fbnzi9SK@_{kc>yp$;OW!7~DWCcciS;A$=@EW@%5?CjexN<{N^tG=y*HBrc z)pL^jCRYd09@zBe6pQZk&nt$-{#D&2)kV~`JnN%*C7L1GSiBnM#hQ5Ko7S81r}cNn z*(bs>#M9ZePW`Gn13>ulzJtcujXkZPV9EIqSBS8)!tjfN3iRsP>~sGKNseWGBJs9& z`(k)LbuG)6s5>gWoaA~v*x`^ssH`B%6jfQbI(g$I@-XM?9R?(GHp}fz%9LjOk=Mo(~ccVS%TQ zA!9TVI9j=$kJo6LpPO^?_V6)L`@WVvUb!G91D7CX+|zt4ntY|_vZt?oD@QV_O4%C= zmNA{%B9@L;t8mhJ=n-E}xn1kWIE(IMw%ahzz_QcBVX6#n^SG0H$f|M_yFM$bGb^bp zje97?S+6zPj8G2D$7etQpfgxz*Jk>})K~`2V|zx4p52ZFu_I?rzvZxuMiw!X!v`=T zL=I|h8R*K{+B!+r_E>4JAt1&DTUIOOYV8fyEaCz71{;?J?JUB}i(9IXt5V{zMA}Oc z))2J!zaq^*;0uxWA#}M64yQ+%Wxp9;MV&PJDyNZuvzPfSxmQ)SqB}ULxnfT~WM4_R$uS5G2)X>E1%Ywmw;0E5nVQsY$oJQG0R z^`2qi7&}@*azj0COIJXItl)EM8)@-;jNN*f+G4iZ!HeU+7HO~qXtik_t3V1LBc#q0azbk&X@4Y6A$(|* zW@k4X+d`6cYWo&96~AE2c6?Ok+IG}Nrps9C_5-4M?C|txAay^WDvG2jw?AZX`>AOc z=f;&IpFUiJa{tYKpXg(ov08NY8jHDY3%34{jw}0D*-1B>f}&Px;yU~4@Zq=j*^0zO zr2$F=x7J>fkFC0gKdv7`xf4~CG0RrN&Wy^Ka=&nkRkCE2IMH=vecBt2F7~pPk(PMY z*PK=`m!Ef`Y6uT%IEmpbG$GczKBtr)%xKxIQe43xl4?kUc4RSBi@7lZ1jT$0Yr8%nVK2f@4hh z4^6+g^Xaa*x{k>YMOm5LeGkp0x%JAWccJB+Z!Jq zO-K;!IN*M%@ru%tRKwWKZSUEXn>Toy-;VAv(&PO|n6J=jVxAZIg%nVuq4KXl<_&B8 zi6s8yG5-l|lcg6n1X>z7TK=t5>YoVbt*!9K-{^zn!(Z_l=ii3@uXydPt?*m7(tm2{ z`+M>~f|Iu={RgB(_y2Er?f1g}eWCsg=by3pTde-l0{5>`{O88Ezj@jlk78tFVIyH- 
zW&h37SOL25A0(aM0&gs2YYsGhyW9sMCu37vXA&+BR+10Duk`zbkrlv2@@z#y{PoBo|o8tWeZr>QHDeD`c z<$9Z{^beh$e~od0_yhwYA%Pcii6Mpx8B^mmty!7=;v&rhT#+q`~rkikQPTjBb(wuP;vrzkv zC?SphceSb^{SHC39%4!25k%g~^GLb~JJc^UkEz$!f%+A`LTO8`P}V+N>kC*ng_Z=p zG}odZ8p2mWH&O3r+I+ZtywvBDKixWCj!mPQW++*?4W1_qV*&c+_#Qil0qx|xLCv{# zpEizWKIT-D`yf5iUBA1=JPOkE^i4z`x2co$y{$ysw{dsCJ=9#!Mr{~mM@(fAPr(LtWS|;Ocw=OEvwX*8Yzzy1<3kE zW>0(qAS{oYvqewn0QP`hz;@uI8C!5a!Y5<^Y|Ap{%Kc_|>7M}5 zz@j>bdWYH(^Y|gEHI)65JgRGO{h8g(BL>#k}P7n1wauf10(~9)WDge4-O6wc8eL3dqm7m z>_eq90lMlQzD_s*ewkdcrTf-Agib^QeGIPn($AK?#`f_6`t=WCZ}pA(bq@g(8z8UA zeLLXm=>7*Fzws4qy8N=&_&zy69ON~;4+%J{caNTE1Fjoh0n(e7+eh}10M+&GkrU;> zs2caL6JtOs{FW!|xUT!4JNd)P!gFw5YIGks{8cXa=KdLWR<@QOJ- zc$s&2A1wU^$PM~wdU8{NovD3pz*1dn(8L0;%BVhYA`w_+;KY?awyZO{j|RZ5 zZw;CF48X2y^^=X6cmOulf=2gw0ouzMV`gmWvcO5hxj{4XbR?h_sKUHHYC;QOyH}mU)AxW$wWa3DLuRz;lt8TdQq%enS)_C;fGUsieD zsum2hFQgV*L1CF&XBL(wfk)d)#?Fk5geQ>{&yY`dL*YUpEexqs()z`OMUruZEG})@ z&r7AWs3fc)t{{LyaGP3FqR#L8M6m_Yh)$d%8gXdyE-;RZf+&tPPALvVK}j({Q7>T@ zH%^i&rzFD4Xu{Y}051vuY0)yID6U0#kxZm2#)X?AnF+-uKVn!B95&G_iesHEw_(h7ukU~rfk48!23zO8x5x9=9S<#tl zimn)f;yPcYYqk*q2_LctmIN)cV-=rwg-M?}iw}6>>?AvL>#AuV!*+2-l2vY@M>c35 zxJEW4UZpOv%Pw(6vz4ylM2X|QL>v=F`6(X!;?CmR#V?sgcvSXm!q&;$+2-$nGJBB< z8(c9)^9@s~eDdgjLg)TW4ydv_% zC6QwZ3hKlqh>CWFDNy1FNI>$lk{ox6*I*+r6rPf|Uz8k~4;5%knF<0$$Xla#_2N7w zPN^)ZTj>)5+BzMnZyaGqZ0XuEcL8zQlD4F+sk>Bhx)dLk%y~+a@g=H?>y9O=C|iSe zt*q=ZMR_EuC|UzXnTqw8$XgRenMhkxcFE#SD6o|#5NP1zGUV$bP3TA5b9ce^J1G-% zz`2r5oM>8MW~kzvK8+BG*yNh<0uv&0cO7DoC@SZ@_!_mv>i`KlU+Jt%9<1V2Dd;7& zB+?|)N{+>>Is*zw6LdoLl9bKIO3e5q2}hLTC@I2Ab>Frno+c7UHC1U|S|SA|1vr|( z$fr1H_QMDEI(G^u%h|p8#%SbSO0M)Eo?ztNT)j8zGfA`fgfDR!DH;wml1#@H3UTcQ z=0R})VY4rBbtH48Qm7*h3TT}YG+!|=V`K^ocoG`GO{)}U)g*jqEXgT8B+SE%AW?oJ zRhG!0;G&2Z4!zgQ$q=0>PzXSo5s8D#g>om1q#i-0lo53{qv=7w#g?K8jwq~Sp~x48 zOO?nH;t>Cew%acjgtm)h2{mGGl_e@ZOyQtlUL22@Klytz#|gy|NyU`2e-SC9Q5%bx_ZdhmtYoz3jw zmxxt?Zuw2|bI8k$z%zwg#%;UqrA>N!#D@<(*fdW(+fzLo-TFQH+gKp}@bX4)cz$r= zz~~qr_?P!yVC&+~MAy3K$Zq)Urg~PMbG)OsFxM_lnI{}hK_{yAP_LNveYdP`a0Frx 
z;lmvURn2@TzX+b|&!qtsLeV~PE*vhJ;z~I zbT{SfVV99?VVeg`K(=4kA#BCc({tL4lD^x1*?{wfY$1B(zII`J{08H#8@Z}#0NaA5 z1I`4SoV!+da29uv+7zB|4q^(^Gg%?>PCw~ASZiV&bY5v41g@A-t~8Cz?Q<1(Ow`ZJ z9f79Tk3ua~jkGE&MJtcB-c*Y=E>vP7)pr#)71sL4nmd|%nroe-PTlrdB`iP(xyuTm z-NlziibnQk9A68?@7f8^Sf(c7M(-Juusp+Anm}_0mR5GxZ=XR2o8CSz0`nH#8fHlF z5)UR%g+1{q16LJ(Jc`v1boAD*&P{i&)>jm**F!<-WONKGuXGM8$LsEu+E!nxn5nx# zfPAKUe?DYEpIq@>)s68vt&H(?0;_)j=dR8+q#vP^)^$}PHtP6-C4R>yZO5PUumB_5u76 z7_S;s7<*`n`!q-Fp&-$;Qn#ui;M}bAUU7YaPWW;Wocx21U2vYx?y&-*yQ!9vq9oUV zc9R`8q*HiCsDJ2`psWyA6|tE*Q8C-H111_+ z{!M7}K(21cQ9;@iBq>3b6lk*mTmx4eXX50*DD*sRe z2pp8Uo>T(@9E3r?nN37y_y{QSZu=N$R)5G00ZJM8>oTJ~PK7)0_Zur~veB87?$K-_Rgwprx3jDA1(`~+~d=7Vy;{_EJ zfYJlI>3vS*hTRUi4rAy4u?K(Cp)PS-QihhmH5NV0-UTzjH`OizqBj&@`M<$Bl9#HLK5#S z{p^lHO+fH`wy5Rj^;#9E)&tzNdJVT;RkLizigjvJRbnGBwWvH!QOgB9YNJ4`A7PBk zjg>~}oWwl0Lo*K@jRD&b4y3maWDd3W>?xAiCsU|$hv&?q3pwT5u-KYVok8->LuGtiwxcB*nC<$e7weF7 z1&7P0Qa9gk)Hx11W>yV(T#OELtoW}s{)*#k9USoqZUI-{l)Xi}DI(k9Z@f-lhZ5Kox6PJcS%Du+%;MsXX`u{;9X z&p%W8biL_y{7ANk(o8S#!8MG{{8BTXN)9L6d%vZYJjmP>c|w9X54ow3ic({Hf@MarXgK7Y znY=UG{F_SiMwRJ(V+~?s4vF-j6C3oZTJsnW^!@Q1PvW!euHy>?UT-k(oWPR$Sa8H7>B-_6cW_nt~sPBdGGZJf@o z(pv{I`TD38&7z`b7VoQyo12D39pEhEaN3l7pUy?htT-5Cp6AHzBatz4*O*8-g;%j0 zpwv_Ej@XM>rhv2cbC z)NX_d2FOe-1y#PVVo!(lxu?gN&jq0kf&U}809CC9lW?dyelEa5(u%1PfObH!*4Q#%{xP>gT6%QuOIKZSBB1wc z6Q`(-P%De0U)_hs{x?CBd?U$5#1PaBIY z<%pA}iapA`9g|hU0Y7PwgRub$c3)dxssQSP4UNOj@oUyKc;1f9F*R)$x%+aT{6)ia z6izKpDcaO);j4o3ujgY<6MWv|%w54x3vG^Pyto_j#Wdj^pW7~4{Agbz-m8cIzB z8KTu%n!fVtbl9$Psk#a_YX3Yn$f<9uBwOBchQZf){SMc{6kuhjs=#<7*Sml8F+lBD ziz`V)u>d1+FONQO_(UPmhLTXuRNJ!EwM+EfQxmJ*u-^v9lan{0u)_YD9d>W2IT9;< zd|j9>OkFYPos5U~u}|@P8xPBrtm&OmIne{IvM(8AbUa82^#?cHtk;lS7r*3GJ_jj= z#(TaKo)l>Xl<_qbH^EV2X*vpS3I*uD8jfG*Z9sA7_hnL_?0l%r4-`%UFEzkWb*wX~-=aZ_K^RvVtKk&zwg^mPEf3^f23`y*mxX zJkb9o5~=gh%Sh3P^#g~9oyjwi_t)Z+RiICHyJrYSM!6e(TAmzMnowp0s(8QEjFn3j zR{s8|SJe0q1^!R_XSpAZJf=SJ%{!C!)tJ z`gm0j?m4UFqFm=W2=duM9?FzH1;ti2iQrtwTRj~z>mKm*-Yv_m!YZ`$dDFrw@+c)+ 
ziz~y&NRf07Ra;-?SDHzuzk8)kk)j;wGKiZrYqKln$W4>6mQ0-^y62#F8svEdwL2=R zhRbcxQNkOe7wU~_pl%zuCjg?ubvI+hSsPGnYpuiGd@DZwDDh^;FZZEtL1gr zG6hQfi#eBH=B7TjN%I>lSP}-MmVm1|BgrXWD6kbspNkHKj8RYM?Zr1T?;5@66}>7_ zI?rfJ@)zAq1}24GYKKNBREfVkN45%=L$dZ1{us7)&zizdaBzkQjA%dmP;2GF$);GL z9?N5d@}2PrO4Y}pOiTx0( zQhT4XP+A8YzDk%OLM^oAa`b>7GFdklqaB~XDo4xb z>)^#tf2)p4{JsTs@u;aIB?m@z;|9kymJiPx`gxyxRA5xE0UKxCQWQ|=fwvbzs{ucD z4pEa7xrU;}6TQelHnXQ5%Uf<7rVBw{BuZM%f@oZ$>5h>IZA6gx!upt3*^PefmMCv-}pI`IDPtAO#7dRz0YI! zR{G#}#3No08l%Owsy8KHCZ3L_oh!ao+g7j`d1kVZiZ{86E$ne3#jYGrOIk(c|1uof zLXGM}cHY6^8ZD+Mpgf=$z$GJ(C!6o-Lo${h!};iOjT?_-JY-T5xP$0nJKn-ZjW3?f zGHf6sJ1PSh)?gueXk6tir|+#1nn-2i_EPwDPvIoeVkl^3v{>LQeYkop*#|3zM@}BG zRWzJyzK_gQ=7i)!&1z`iINB`|PwQYHb=m!8xXQI}C(0L_=uTQsW9@@F4ms827_Lz} z_ji+b;UNbE3E$7ILoL5LZ9i%B8a-;DDapi!!qp02{cy=l<`ukUA>m4WJWBJwN%l;5 zw@VN4iw;|P*E)#&gFe4h+O}e{Euwy{~_0Zr)d0R;s3r+f5!BGL9YK2%75mr z@Y;-kH~7iO_7U*kI!3_%sAJ?}=J+djWqAXw|IJEDQ|H3?wFH84SQ62cbwP6SI_4VfLEAEGr}C`!U{SZ=u8h#=zhO_hkJVq{M6` zp%aL~3%DFF;|(u41o^dXjiBeff_MZwKj|6S(y6?_kW_*jD#w~Yr42w`6QVE6P{Dx1 zc*DftAo?u>%_qyIJd-e{?5+}p;~*L84{9SBLL2~_W%t$kzOV4i_88zd4!t)JH?=D- zSH|{O2KP6|>WN^GIxrQ)63n&WUsD)*bi_&+P$2OkQ4~Z_hl5)`B?w^@;PsnAe==aG zfy8`A2VVvOCkBHRBmh4S`^s6v`fR3Pzy+oP4Hbd-N#O;E*o%l5MY36aqLGmL);A|1 zJANA zrxfznZ1?xw@c*hdOl?h^oE=RKZGMON_bUhRKNR8oFDc~T$MfIh5e~rbJi`3(EswAR z-s(5lxcki2g) zxvE9g_yPw0nKo_B>pT*U%Ak>^Hf%dDKuS>?x^w@~J(sPs+$>oL zMy=MWV|?88C$bV78&7GqGd{TWI;Pu5;L|n0?c{R#TT?`b9c)SUPFPb#*4NO>v+;vh zXtQaDI`G}T5h3tzu@Wy54;{3z9`rM14#n}Z53f@|a+{)i&$CE(F*Cikt;hpx-C{cj z9kX;4KyX2amtf`TD~Zu3edm{x7$|0OdvSCUN`7dncnKe)){5?J}Th^I)iB_vn zh(}i4*SaMW=Q!*JY`QtN%+0sQSCo#JF{P!AT+7f@a_VK$ujdMYx44ND6vxSwX2l`U z$*HZ78fKF!y*9Hn2G z70*QHeLWkQg|0%UP+bV^1sju>_yaKYI_gQMn3*HBOyV~h2ONT2f+Wr8t(ouEHxHO6C3Teu!BAg$`oNJ%C_4({@k-3$}SO*Ta~+VYcNv^K}M98|)FjYS?g z7P)p1oJi125Hb++;21M;40KL}SWcFikr0r&=?`YLnxG20Js03Ps-h55N-7f`gVcy! 
z{*bP$55RP6{fIFS7YVHfavFRYTw!{JYM8?THwVta@)ImmV1^%D2IL!zM9-mX@mk*N zVgd+fr zLfDO$15P3Xg4;cR^_w~vt$(B``C9Nw;g`Nwzy$XGS*819l^rkJV1369DC&Y?v%0M6 z9R>sv5wF|WEf?$$f>bBxs9E-6@5y~GBPqJIrTFV4^^}Hb^26NSVMR>k%ktu@!1D?? zH&ns5R5!~7V2sVgv9Fic7!(FZSs(qwMh4M>HFRfpYscMpGl z0tq!e&gw_B3S(J6J~01pC^^sIbKLPf7Nba;=tW*cH4PgGF?vLt+G06hA!ku)*~4{* zRl(E12*DDg!YDOdlZPMQ_9Sw*kRMqR86&FneZB3ibBSwSC%Hz3pl_@%_AV=CrcZcB1bz=9tgI_|vN-^oqi) zO@?=+f54wN`K6fY2`$+>Y)sF_ybaeY2M;}(qgL7IcEtF>gmgo06g=j(cgr88W{fO^XY034bu*#EnGrsEB zOJ3@u1))bf&QXY6kad)ASNVFpkpk?q1w+hn*?hIVY@nM}*u)X&EKMUJt|}ov>Lt33 zDrdlmu!?s-t=(cKq0fs|6BOh(_1)B_iK%I_S*}^ng0azRk!5jaF}JA)5NwlUjlPH;Qh1I< z9Od@h1dfjGlp`eErl9Iz^oTVqaP#v@TCvD23~A{ZtYVfHz^ZgaqD|`p?O_pPvltnJ z$#tVbi6$Gren{5tq`p;&hb%bKhK8yFhudI|6 z=V5YVD>AXKsq)3KD7e@k=99j9K6tDXRUGdT#)M~u z7HFbiO0m(I@D+gw>H!f;y#~5@?GnSO9zt>W6z*{9_6%Jas;%I5T6?M zp}W14%|UyUE&qzz$-eLGqM4>e(W@-7s=NRrp2{t_3jOox1kZuKg!w+^2j@B>f8d%Iu-mT0c zRP;%07ybmf9`7?%+bpkqMDXRIv`;HP(P7o+@>rZx#8U3b&s|yz+w


7_Ccla=T# zGiCFYoJ+(??#cCCk_*f7%rbXoG;o!IO*3n{-3aTqy>^2>iZUBtSY8@m9vx9@wn{K258WUIfuI(2mxUP<}u00|ME_8`S+_Lxe)iZ+<~o{5mQ zQHC7Y?b#iI3r8f#Wgrb156P_d8&qq6Cz2s4=wuinQZ&ejn(q7Kd%OJD_vg5|KfrKy zcOJZv@0~GZGhowZGnQfc(Ma9%KV zaAk1m<4rFu&^E9~DBkQ-?@M6LFGtacG8AIIAf+dI(1bFq+h>_z8} z&vi8QlCU{6(lu$Izrq2qLL=Lj4b>zEDj$NLoP7;&oaCB{=Tq7e8-&j zb{GXki%CjPD)X$-_2RX8KPj0hyBM|6$?pCgy8G~G`Ww8n5!!h+A^R}N48vR?+??-H zFVmD{OH#xPAEt;>H5$AWj#^=0^?UObTWKMJc)shAgsPCz6qp?#={bCRFKBKCzWr7n z8`T?vRZv5Lt9Ja4`dfbXv4t9c`G8mP3;u7MbzJMhL`7fUe%)eiUF5wRMx=TBu*)uV6g>Ooj0fB z{v=Y?dUkr|cY#dxW1hRET7is=og1WquRqb8DN5=PvLy#SXE~N&_LD&NzHPFTc*gxC z7p0mKKjf9S0}~Bokk-W>h%hUsUzT?Fs)x_G8}N>a?}hJR9#L~(?3nC(e}T!|f4Qp( zHY3FI4yO@@8=NIPYMAA&+vFcq4iZ$xb5%W)8+|FA;h*iD!7G?$^zON`g5wHj=GNb@ z;)BYOwj@_*wLj9PT>mk6MErOSyYr6m7B9i;lBhMxQka;BC+Yb`%WMf*BLAr_ zZpD~LLv*uO%{{>5yQhKH6}B?2LWV-6qEx{puUTj@Xvd`Q-S@e67)x?d^1Q{VQ9f~g znu3~UGXS;jhFXnp{Tq6gHc*bcvmYGVL1=xeBZ4I<6#^2y`^R{>dJyG(SWT$Y9YAmH zNg4TvOSFn(V$->c((kt1>5BwhU6D7AeW=wMZ222Yo;e>6Z(4b~O_e3RO;AKBk@%3F zI=$PyP7NvcH4j@)u7skP)gC&X7N-J+jra&y+S~4U6gQJDCvYyi_-cB8Ka-hvD5?B2?`L~F9Rzxi1g==7n{;^cM*HY)a04=fm? 
zw)%|=tNPXXQ3-}r8#EvqGn^W1>MYh`EtQ|G8nj@!uMT>2;R-(^aD?4ba7=jgdJJ-J zqxY%*WORLG)f_0yF06mm;f|!?RqbAlW`9I+BifkaZwq|5S?q(~?smaKI_>A$3EaWB z4tY%NLCKUYc#Q8Kf!uf5FS?1j3Aph;k@Yo-o;Q_)i~Z(g;Tx=|Y?FYRCP z(s(2}rCg{R_eD81JbEB#o3)in-X}Yi52V=K8lAphcZ?^O-;#=>T(&byA?O8e&Jurv;Zc#9uPx`S0M2jX!$)_Qx(t)Yur{9110!?bUbmlXd|+nK zjLW{tQqGI3+hbgI>4fJSu8!^Fmo_Tj)n()~5)bONGnD8b2**T}2ffNbJi}B+6_96Ul{{)PvAV!-LuqP&!P`$qLc{pRUjM*>}?Ykn)afi(b}Ntw$q( z_}TndkdnT&$1mhzt^1JdVRTLLBTwsf1hl5AMjUEkDE|@z+IYXeAfB4l$ArVMfHu+FEBy zr+XD1g~q#CuGv)MJ3>vaFHrL;r7Uv`Zr_geSzBntdBW}-b=gJHrX@`LXcXH=zLr%_ zR%dRx-cmNeoZgGOK%GVhqD);zd4PWy7D-8~JL8xdDm*9LmNq3*b(^1aDH|H--l+QcLBX3W9Y=4;p(sXV-=9&y3uvmbFREaF>SE7p4xBywEx{l8-vGz2Zpq zs$k@e&T;M7UmFs?tbS2_J9(l2)Dqk(1$RU7t|Yut0Dk`v_{lmULR7U$(M3HF%y8y( z#!9lKNBHodzqBgev!M$qX)#;nnH=Fhu~-#a+}%-#+ZxQaWH`>R8dL{vSOzY+Fh$%E$!FqYSm41zG(!%P1P?&+wYeBqB@JR_#U#$=!!M*)>_5T z0`*eZ&Pv4XwY~yyX5(U2BO*h?qtaecC zmhxW${Ci@)xheb-p3Q+Ny=HXzLlw}U&98XhfG|e8RDK*x zz3$Q68S`l{cxV=yk~i3Spg*ad-Ub=CnH|v3{o)vF!*OoJ0;&7iJ;FZzQ-;cD&Qcu% zPUuw3{abXRTIpiLe!??ZbZVd(uFU{=J5jgL*iVCiNN`1xD=i!cyJ__NMUe1l_K+OR zZHNKY@PMc7pXsyb5pmDZimN#+SYIn?+Y2D(Q^wH~RC`UBbIa+cuvQ9)-Q2I$WMNGr zT)^s1%B%IY`TL}Wr_lEVTkQveN;hd(2Xk!H6E<%3%jNp4yYoeNonA@CmpFJ{^J^p< z%Lowpa6ljCgm>?Z9#Pv0quPG3JSK=N{ZyO6uW;ou$fR!{T@!T8DP$UJZ1&W9$CudIF?01A4Bj2WzkC+?lv+ z7PQg^Ck2zcA!9G9sKf)t`0|bn&h8_fIxjp7gIT}f#|=(zAh41mrrBesbff-lw!aJb z!?r3d?s&wq^sckI5DidB6JO$ZwKyN}nlxuXKf{l~DK)Q9d+@75my^4#k|S|(rbi>_ zVi+h=VG#Pk^qw-vUB~4ahC5Lb&d+oTr*8+3mJ%xF=v@VV#&-ck>Vz3q<}a;q!ok~RaTxlGXl z2zJ|=;bcF>n&ZT>8K=Mc>T(~*#;l6F8d`c4tGdo@ zB30yA|8Y27kI!7O5~@fH04@?z5ulYpEuaO8C}lT-5n14Hb{I;obLKGOKs zal9cOhMGpZw5b_?%poqytmezm5YmxxvsOri>gs8Qh!!I^e*5frYzkYh$)IIF1_5iG zPTUMmF@k>Jlt(a<>e)ZQZn+~{dYIN1*XYVHz+9{7)PQfsm`1L5hyKV9a(YbzK~(Ua zTnj$-)Y`y4p<9lt7JlPPK!#kx0(6Anpt`2McBx^)x05lkntpt`!vgF} zm}+g?z=l#+h0;AEkzYj>WM7L1f%jGQ58!j7nL}NGT_kGheyWqm@~tf|`l$1Zak%IFzY~Ux41cyw z|L+JxSxPx)a~(^w|Hu>m<{>|MLP3kqO`S&mX%zu5p=^y+TKJ#xo^WS;&zxkJ$SpLj^F@Giw|ARZHqheu 
zX84OK{!e+pe~kPq|HVlEC;E$??US|pzq054Xi!$jg7@|hV-tJA%mjXJU1RKD>6ZO6 zhe(5mNtR)T#D?IOV2WCo{eZuI1tW+7YL7$q3GL&`?~;>}z6P^j!3t}YJ0s7^C)fTF`iKczChzw45AsC|{idyq5U4bLn0v?y29@ z&4OESoh1TkMx@sKn~K+4=}Pb<@hi&i8XC7k#>*~KXO^owMtQr{eNSQ1PgQen`arrC zgq;@0fVD$5WPF9Xp=Wit=mn#Zitj|<7kDgUT8dK7_-F}S@{PQ#5Ne*?1?Sn!{?Z(6|B*bb3(w_nI-lTxA~2*f`wLSq8U}xR&0b{0MR}(9P6P&h&P($1u5Q?^ zv38>$PTb*FGJBSULoEM3P=iDS>io704izh>o3NuA=B2r8T$VYnAz9kKQ;M7U^NIO3 zkV$Czs(dTrH#L|0wGaJSxpHwrd`*$0)X8yaCbzfW~+9fbkn<__iYEa|O{!!4HGL2sEc~l_C3yHc{?^isNpCTNf+*Z@AS@6ej zJ(t?x+&~0#EOKmn7i@aNECxO zesaEIX859Q!8~##i`~c4EHAEjImo|&U5xl*&|)R-S#-I81i;=uC>)MmMGL$rTGcmY8ts1>CnCvJ>lzrk;g9st;x3ps!lFxfWbJV>(49M*`a+q7w9u$4#}=pr*K)9)ZgD3;c3Du4R5r0s@<)Hi?d}o6{d{jfDG%dThq_YjJ2-@7Tx5ShVSfvMfT zsl#_5^$-S8+!yC4t+Cw5FJWj_>>Kr~#x}@7{p1Ox>ws+^_Ex_w1g$;sjaOz%U-I;B z2h(jt;aY)_`gwMH)DB4C1XFq|F?Pve1ODBZrM!54=1=iqUC8c-Jd zYYX(`3XBtqH;`k*ZQweLd#%7X{PCd$s1N3o%}5Op{Wha%lDb@uWlnOe?UL3g-FR*2 zfQW(nxRs$cbNpk61MOf{2Hf%xb{%O{L=$=~m%rX4tAPvm*XL!-M;R2M-FN9@EKmrwI9?uodLlXrTBSuOc z4A~RtyRV&`UU6ZIc7xD#z`UF!Z&S0sRdFLpBPPx3H(CdGh0wnUkgefK1EvYGI3b8V z@~}A_N{H^P8mw#onw|lQE{aKB7_V&oqYmhn)(yzDC($p~DhW4`_;KzEgXK`I&DC)` z)_`2S0KzHrPB@^M3AwflpqqM*VR+@!BataPHGFs$5|a+R`0bCc{r; z@N0+e5&hTB+t{+#B=(7!(d~=w;MJ9n60kx|JF^kd>M53n@1v67^2XLlp`W4)#acJ{ zkSz?w7iM2E;o_FC9Nn$2%2jXj%*x5W%wC%OinQRM7rmb3pj3o@jDQ{R;ZtJ)X{+bd zz}xOd`ZPTzUy!F}%ROzAt-f@0R!V;{@WCQS-n_@J+tHE_*aYlvI2Dh9%bd#D(uFrg zbPt;jLl?b55J~)XP@qyez8U`wlf0N&>zj%mF1dG2Of;hVSdxcs3^Dm?jGi&dR!vU; z^{T)l0b)O9RpUS5MIwZ{fFA`lD;n8N z-KAXR22%uK$Zqfiz<9C#L+SMymh_KkqW@j#CI1(t_kXOs{u-k7r(7+Dzoa64)(AF# zEwO%!d;eZ<{XY0xx%DZ<{a2CqzXvG&|03`IDDwW#mGpn9OaFWp|5caynXAS8Srvcw zsbTt?zWY;``9J1r{c~OVPx@~B|ETYV{4e@$#{a6({A1bvQ^wXmE#$xJyMO0){Y}x! 
z{8t`Koc z-%(obKkXQwr~7|{)zE#ej=%36pP0!%HV??(=*BmyJQ)kiG>dG-yj=&#@_<; zzuO)D8M67~==Vhair9PtIRD~y_+#X6|MTCj1{T^sAvT}ZhtE&#|8_n2t3bKQ&nJI$ z*j{knpwmMTNX3rP`T>(fqk{{e$0X~Ka1z3c05YJDe}xA}6~pJHq{wUGPVvfWSb$XU zu(v<;wTYGH08sMLQBy?7RK{z~Dm_&UU8-p6q|&>1zf1=RKCf&i-F)GwymWh5vn5Go zwz$aBJ0TF=KsjA$8FH$L<+D*VTiy#A9*&~oP_!@CM2j8d7SK~|bvYj|)vo2wg}I&wgo-isB!G?%ze zYa~&IxzqIz4YzKOyL~1~*{5lZhf-vLhRAz4g)4d*j?P3RCuI!153t#;AvO@!3M>-E zO6Ua|mup9eN(RNiX2@;>+xZzYo&^LUSL!aeM{5rN`$ZBE*#u+*cTt4mixSLKed`y< z^VmR95NIGxpraK2DQuquc*el2;sgYpC)201EgH%F+Ym2C4hJB zlGWLzHLd#462^_5y}TcWNv>L<*G#qqK{qUv8?jzpe6=jE=0UY^4)0pzpt%E}pt%JH zZGz46M33C7(=4YzF|xi7h2o#uWv3ZVf!IXwRr+#6J-c9JF-|?zOhg^>-ScNasTA7k zt$TH5jV*#SqcHQ4%PzjqA@ZQkM&ci*Xn47M%?1>pIB{%!<;BeS_C{7u#(m5WL$h+# zvqMbYPBu@bPy?B;oHTCsv-0+52S}IPmw7KiFU2m}EhaBP7cZO|pOG(`yg>NSwAty1 zbClgpVpIIV-|``hM#&wd*^7uIp#<>u`6tlafu2A#wR~7bV7zFvpr(jmVUuQL-Hxwj z-3z~<0;mG40z?ABekqfOfevL6l@B#(7WozfS>rmBH7I8>RXnSEThfLuF+nbMZ5|g3 zUm$u*#;Y?FOS>nUbV6MGC5`t4c^aWhw9D8F_lgiW7rdLS2RKx^bLfg5%i|E=_>1VN zcOy{6?KHofA30ifrKRe0eg714?zqkzxsYo=_^$C!W|O0P&@SpO1TPCLxK(N(B_J9= z@H#qNhN))cEkHI8-miHA@LCzkJE`7HG=N=X4umNj2#x730r)OM=E^0zxUIZ!U&L*| z^%2Do#OOwxkV!*;^1l${l{RAOqm8taamYAi-D)$evvIdd7x|mLq5)m9TnPcW!lWIK8&|up>AYx!o)=Oz;59D! 
zP&N2dHMF3v#-XbDt+ppytiD*RS~Qv$uQIQjms+hBw3x@PF>6r-I$e z`TWvCspB1gg;rTQr>e$otW#}EFr`vb6Qk-+APgOq{VCd5pmP2xNYyjVnKxllLn*C_ zVdBb3zuvL!iL+=p?F+Lch}F4ra4SY1Ezm_YLt)IEtFFxlSp9i)xfJZ`Y|Ww*q$AS0#JIkj zK!>{7*3cp?;JZuu&(0nW#{e?jANGp&stPCd_V1nEJpuG*j-J2t+eUVF+N8O5){cxIV1vczxVG>R8SD@tVTtd9M!FC+GM9D-d8wbGfm}Y|+3a;5 zqxm0*1{+^*`k~h=rAg^J-Fj&}t=6ZI>*w<;Sm!uxHzP{BlO(CCc zo}6F7jXg}jHLbj6ce9ztK17~e1SYneX0F{YrWc#L=*Hf49H8HI%rAPZa|&OYc5WJ67J1TY%#LJJeuqpn@s3|d24Y-nPo@KPM^DwgYf9A?U?^%KujtLlb%SimwBh@u&(X1z zmmbk8JZ(9IlVep_6DI!$|ZDI#WnCf5?Ns;b&jvqU$`ZHvYJiufc}Yb zQ!?KuKNvSpoIMzo)HFB>OfcgrOA)F4n_4-sYVy4yu407g`K|4JklYB(F$(+WE=tHo z_MNe7T{~kyM~pKOjme_XsdQ;_PhGM_Ke)>g0(& zI+3_OQF{oP$?Of$xox9h27*rrno@4Jg3-CB!A{Y+glh_?dVUutHq^aNZT7d^<#^J3 zN8p*5yrOxs)kf@0lzr!Y3cqo_jY}xvD&q?Fusx=**(y`>VQPXsb@t)zeI>DlQ2K?{ zLnZc=a+qlPNZvf6LBmzlHBen1cypO`5!48Ps<+6pfa8ev4b)z0s`OUtwlgSZPe79Y z8}``_@!C)-UC5hTgs=eULZxgO3eXPKaROzyN#VDcxq^)VpyMlHKqcVX78eEX?P7*6IcfwaJ>%e7v%V@YE z-y5c<%@7T8nUOdUG392JWs{!hu{3S>eVv1Td!ln9xX3p2cJ`A<57HGhE=(?zH<2GR z5k{F&$s@D_@Z|&Omc6f+Ij+YtdxLW5yMedl?h#BM3_1jC-nO(mfV%4@bQd7#PxRQy zirIEI5<#ADJmWyG*l@pOxF=|SVZ8!mB85$Bh0{Y>^3^K)vvGdQKrL}X+i!d1VM8c< zw_!tR452l!ZEOSk^%VTd>yZPlpJo$2Q)H&(VH#5qUjQcIDn2OQ$>46#kXk7mFd%03 zL0jb}h^K&IE%;FbliG=p3C4h@3Xz5(T#~h?e2W6PsJ9J|oXR)m7kdjWA zewI+R5%gG07C#ynOrOlW?M_s!zDC@03(O;o)~Bwwg6jPJ45{2E(xy|k|8mR2TAo0A zw{lpRyP{{MT@iFa=G@0z|4q<4v*X5K9%@gaN@vc;YV=3wVs6g>Tk0 z&G@TN-;Oxjye|oV1zMez$xjU7=yW*Ywbb8!!RyC{n^m<=@{F)A?t5v9#&W7`3uw3o z71&d45q%9B2&Mi^8CVnl=xzMP+SZI##f;QPA)6;rmenW#Uiyw%7+mU%bz_HfXH64- z1r9e$xx<|@fphZ|x=hsXLzA)Z!It>^VZbMj8 z5F-xwz}hCI-F8~M!?{VZFoWqK^6rg?#;q!VQ=>L_?K}M|L`qVy4_2F{m`Tf&ICe0u zP`o$9Q%qrKVE)lRPmayJMdNTk^@frvk1e;nfNmPjh%$!(tyK+gBft3;*YGO5O?g_N zJ;(URv9UGp6YuDrp2N&3=0?>~j1wLGtI%5`TE0}X+;Z7x{QWG*S&HNI z+bwOoSLHCzZmWVHt7f24!_P|^)bC9m6gM48ceGUrU&)$3={E|a0dIOKcVvbZUkg6sIAe|2&?fKZ8Cq#LaeZc0a@Zk z+R~TYJe8zi=24C0uKh?7n6g!3ZGXRkJTS9&TT-`YaL6ke;V8nv&juiDDL1t*Uuvt7 z&HSP8c0AX*chGHCN#t6WUzfL;feB^ykrc-oYt|Zb%sZva?8~rbU*R#lKUBjlw8%Lh 
z8m7A4CE`OpRxB%w6F=9Qg9znC+EIEJs0g6i z9BMqx=ZYi!8Sp`{Z4Q?2Tm?I97}jJG2mcaz4NE||5n8Jz%yfZ@EAd-mX`sf?o-eBa ze7IaW63s{c62kx}yJ1P%wc{8LovV9psmJwA7SR+|grT|nEE&1M;-^Tj8})Fmx}GnY zGHaGCni7UGrbhos9}T=)Pl3EIb6Mmh9w8J(#n@;`rf{X#R+lyI$ZlXW*;Af8$Gv!w zeu!m$XI9#~~who~9V`LBpZ{2%MfDveF7Q%C*gbIvejQ`2=cmg;nUY~=h zteuc-&NA?U3b~-9kKiKLXq>r*-H!y<>^I6uAB4&8FN+x<_Xw{`Cm7d9Ruao|@`fha z4D-#Z*`cs(ZqueYP?E^UnyXEa@klR_uR50GU6#FZ_W&{)w?*{O_3(jGscQzc3b%pPfKH8H?XHrcY?^_ao!y zn;BTyKIK>}e~kTp{(Fr6GkfCqBg-dZ`1`dCpTOYn+wbT93|jt&Op3oWnlLuA)3^CV z?##69^ab=km2LXJTTT2mslf?ABWBd3mlj^|;Te)@Rj|tJ5Mn@D7Etq+Z{5S|Texpl zg8$jK*N67pJaRj0RAGii5r&C~aogSXZ?zAsDG3J49F{~9yTq6=IO*wV&IIKQzs6^h zG3?+mdd}&`85uk9^c5h;YvBY6*r;!|ha+&fZkE;Rkkffa11oh?C0BlcZ!$(@<|Eou zQQbYRg~C?4;3wxFl~fnCI;#-eEnYVR$21`zKHZ5K)G>mXlbLvu$dD^270OW!t$OCW zIZD{QmDdlQhRB$>76~dKOJ~hljH`YJC}BIrgv<)C2LhRjv4;W~B3bA2mOagLCF8Z7 z90&Wn?=H#yG7n=41|o(MGS3T;@=%5fIc25-0Vypp&V@{-U?Trx%%_{_(VKW<1pkLI zZ)fb5%C+Pr2W=uc-Fw|*9Y#jeFS`$x9(1RkU_9T~Jnes9h<{lje}h#20e}B#5&eM; z|EXok|GfVGIDLk;ke{I!e+QI5$reVozlLDY{azEFh%&>!Aj(vqum5WolYdLWfcz7r z{6C~%d`1BM15#$B{gnOvJwb<#;gdl5V=jMS%8<;Af23gixr@mkBY*n<{)Q>jF|htA zL+5kKtp5*C<#bmFC+z-eEBncf#(VC(bd~e$`HG48iir4c;nZq1@Cj7QA`SX#k6p|I zU=09RVIbR8`dtuxYklw&OJ0hUt7T*RU;X^9oUXpZ4($?sm9oai$9E3kt*ZCDD|3sw zbiZ`p?99D5$!#etENN*eF{nEqIWOgd>h0p|AE69j_Pw>;48U)`DKY>4*?0>y%gt*1 zV6B%od%!PaQ(*Ev**|@3 zl!5V6b69ab%d{Y@P8U2mtJapT{73R*Qtbg1I4FSYWv0sCd_7?5C zr7b`valQwBcy)4h6(7S7OAw{Sp^lIc!MTt&Yg+E%f&-%q*Kt9Lh5llTi?p9nm@5s; zNhpdVyuo~h5-I1St7%LTLjWwx>5j@F-)_mX=fCQw%0{h+Tm_b}coSxQJ zD*vM{(KDDsgqrkWx9p)ugM#qnalK~UrX}^_;OOQsTJNi?59>??Q?>Yg-=oO`ruqZz z@(8Bpo&_OnL)IAtdrCzaA_MrySK0_Wo%w5N8Q5nZwj>%6+Ve^6))HI~faAEHTL2uc zk>IpSbj#a^Yds^yGmr}*2R>O4VQ0Fgx{=iGL-iI&1a2I-1O=7q5%k&%;tSBc>7Y0) zWi{uqzUKp);A8YQCy%nIZnkwgpq|?^3K&2coD?JmFtr!rJiD@xa8cosG3a^&#j#gT zNmi(mnnD3JE5&$*BxOVf5dP~VLiFO9?Kg&HV>-};hbumo-k7NZh|P>^P2S%rija^zFq)tH#^%pBiVOo}IUY8DpyGQ9E>*?Hy(u?;Z8ca19j2dYj9F3*R>$T7; zlouqAKY&vhR<=A`WAzmgfp{!QQ%14}QSi?WQ7)sER|tLh5S#P6Iyi|MM8k51uoP@s 
zKl6d-R>sikr5r(#fV{xR$)}lRDL%tz8EGGDA0B2VSn!D0ZMLZhP93B=+#5Lfn*JS? zX7Clifam8<7WOX^@zlH(vJrT1=cL`RBK#3L%NQ{U@sREyw#Z;H*3l1;z;ooD{AR}V z9!h_-3DOo*aC!J>>F>M}WJO)uyzM#@a>3)OE>w5?*tdEKaf>3&!ghmqFT2mFJJ0pj zZ@lW8Xp4@0cf{82tQD5b)4K=wnb`|=MG)Q; z=k6Jn4l*E43c#-WNwB&xv9c+TGdJ^-)1(GrJ|SP@scGrO<589ydV!b0+%DuFOuSjRol zN8roeFkUXCe#OQsBh|lpDoEaVmaL6_P{d{Lp?@eI!Mun66bcBMBmgDk#)=_vUI`5k z`tTjmf91-?yK>w=z=aSI+2qr~MWuQTe-!zQS$;K0Gl>5X^H8xU;p?pP@h8m>cD3eW z{b-{ozTSaPUFw-EZVSuAVION$?C55BPP`VyU5&i9_ZICKprOhhqk)NZy56=T?tkxf zliAny&>n}{Q;?295SOVIZ&qs-Y?f>mTFys~uOBhdFRqb3mQz(Qh!@qDK9u=W0t7IZsSykuhbCI*y&?qr=ijIDiiC=qMaSu|KK4yW%8W;d*kCT%v zP4v^KwR?0*y2bH_(P-YXmFt;~5g#b}id@$ZBTna#?Cd1Ew(4Ft*H!dLjGZCoUTuiO zDl=PHQnKx|wlBgKKCy@sqRpZ$>HOazfUQ!*#z3D3A%TKuQOV+34l^(B4_h4fTO38# zu_hgr_FLdSf3zPu;V(a0TUz!%FjqP%8vX6=ZX=7c^s`Wgd$QK+nq^{q+j46IxCTYJ zAE=FTfyl!^3p{B8v5>&*$YJ~Bsb=SapANMLhYjl6P zFIQ{S?r`Ub0Kap{HyGDi<3WY2FI1;o0nIs|us2_QN2B0XqVVxeS;Eh+;UeD2Dp$*$ zX)>~Nt?;s~-RXR9*k4(q%7O3aW8m?Dw=xF@pJ9x3_gqV*!RZptRhW>jGa-CobL>rO z4*AUHD>rjz#Wfrq?-o-AZDX6j26@8yauez`7&mDSK+1a`nZ&JU>|$|Whi!jzyKJbjpJ9i1)JlqVMSEO4~^@q)w5rPanMVqx|kWe*^Rv?3SSYR1Hb)g@`WEG zVNz}d!d}+WnT$CTzWr*F{;~!7$YB<^*(2tJGCuzziUOR4`VM2DPXiSCic=Jzw#9qT z!$%(4yL%;h-+snu*9EtYGsElBtnEys4#=_1-W1L%;x`v_itlII1ghzWG?&K>$Y>xF>LL%o*UzT7#S-$`o!8>5E3_RJF*Dv}fvxg(g z>oUZ(C%4S(d^QF%`$6}{w~+CMg>GFArA=k#w_b(z^b6<_;uV)S9-U6<8$%_B8`x6m2o#>X2ozH|8;@3m2C-&-Q%|)wNbl zr=D7^l)h&O;|DkwC66Y7vX}b0zxrxqn=599e{PhwR+rYcEvtW=y3~C%olV@Uuj(K%a&?U1MGPO5kTS=6UZ5GmE4Z?-6WIL#3m+O_(Bk6S%yA4-!{O7(g z1YpDR1oRZM;Ul#3vbMe!*@XN6g%RDace?+whevim8CYyi3LsF48+s z7OEygf-AsYu+8R#v3L*n2zsp3T?iB9Qsbr0UqQqY^|q&dLw%lgdQ8%iOr#EQco@>e zMX%|ge2-VNIqEp_AQ4yqR--=yQOsvtG-&^@TaUf4rQxts4|hxpNrT_$5h446AodIG z3T7jmFtff-$Sp6ZZnqx3c|$58nxH1(j4(2$ckf|O&Ll@tRpepza#r}b@<^+RYE5Ge zXpQxOnT2X}r2Yn7Q{x7}ZKL<5lMernyP;_aB$!zK>eZvmcx-6L=d zdHAV665b=;lO=7RhJqa`e6jWt2m~FnPH({Sk^e!@R}>5nCbVTr4AB7^hKBT zYc7YlqXMHPOZQIq!LFZ!zn3aUX3RG2*!KsD`O}x3N#B!YN*BbdtdZwhkzUL|d5~F4 
zMeDQxD}AaxW{CEvZ$Kq<-FkRIha_Q*ipzlY+pr{O+SQ{NZ5H9-E_PS5V{JtEf!u>8 z_>K)aL7GBKrD0$8EJw}uMC*zy_);6dHU!#d{aIbNSb=LVd2!unT-mURVb^3zYag~X z(MdG+fG@H~k5HeLmW?O;5TAuFG~!ZYn;v%eEc#EY;)G;Y47&NMa`BY>)K~a`RY60y zxh>#qR=}u(hM0$B0%JRKb!~$-BpzmnmKUc6UV!g5be6FhU$}YO@%V_Ib)8Tb?|(cq zum6Y`LEb~4hg*z_%nr~e8wGfVFFR;J!oVr`pmGJ<$hWtnQ~Lf+UAo75#K-Lp20An- z03sFJdaTq31~x>?{gydAcsp4I^PZ}AjA6l}@xz19L-LGKOtlFzslfAV;*JU6Rq>kl zfC0<}5y;5As7sKVuVl~aO{Uf5a7(i;J`qhcrb`Nv5!Ug6Nv#~byj%Zqp=YeQKXc0X z2Kj8p6LfJc$i{d_Py9%Lo^2=F^Y|yzd9ha!^o^dFi} zyR(F^94GC9O=usnXT2JWe5ZPEQ=x{(;nG8I5ihA`wM#WsQf4M;^U|4RrRAc1r8@B_ z`}+CB(<0VQWXRBuQ0{=2R6`F<8j^wQ2K7n5#D#n{3+Iaz{!eFL0*>YO_1&qYM57@o zq>|Y)4@pI4WynmCDXGkq5*3+eMVUj$JVq2HBvTnfXhMY&3PtK$&-uUS{r{hR``-7v zzUMmExw5Xk@4eUBYxu3T_q}g5-(ycxZt8YSBv;9+`0C%W+HqM~Su|(CztH@Xw;z}2 zU-2g|^X=JP=ya%eM)L4Re9y178MkUVUzl&Y-nNV*eYgArGnK0L4?F~`sb5|aZ(e^8 z*l<+mXoZQ`WdpJCqR-#nElU}!C_ADO$tCY`dRFg@@+*VV=$Ht6UPkwuN@E@4<(69| zx$haO(SOA^1f)f(u#BD33`+^mZ%{s5v1oTH?WdE7MlDOfzkd3~4|C<^7cNy_?TF&E zJwEz~#L}V_q9)QNHYl8a>WFB1|LXChKS+g|Tg2&jXOpKZZ{`P#>Hjp~ko=okvw!9>UYuxw7t2gh>WQx65rfX%Ryjf%}*_N9mJo8#M zanAfs!JDt@#dl!9uyH!SyCF@4D z8D*WRp*wFX6S}-7u3XeS{fhYL+>lRK@mV*?klb9w>>-CMZ|`=AS=CnFsC26j5N&)F zd1Ke^^>M$RJma}?c23iC`b$hoEVp9Yca}m8;cXv>#eMgThUBKFw(IVCGA!R06jDc~ zsLd$YHtO-h6)+{L2d@nKBzbM4L`W#dEnEu8Ss(}<3ySWV{Pp|T@hj@Gwi}w;lW&U~ zz6dOlE%VK_`Em9|#XIp|BGt-m3d;)9byHj}D_tM#sHVgU&HhREaLa#`)APpnxp&+C zVhbhR2lLf>%`-%Ap}|6jj2p$Jvo8Ei3ViBawW?Jjf$BWThicRwN$pWvN|iM&f6z zM3(0qae(9#MU4q>P77>R|H}5d#yBf_KcZR6yZnvo)ELKa5(`}c4rv7dJ z6PcGbhO`~(+x%%!-?99Vq;TX*xdRy&rjsoXbKG97P9ScM9<@)K68ieR)$*v3251 z-~C@F>yM3?bt!mW|6pu)bYah6)qMQM;HXQb^3x+%TtrhwSMN3xy}?_lRC?vuEEnt6 z^v~kUrK073b5-;0aB1j1aA|$*3NuQA?fqWY?39JWD@f*ju3Jl**vyior2}{yZ`Rme zm2on@k;WnQOyh0Sx%byA?r%JnyyCR*!5U9#4z)`%lU1cg!9)l3obs(31B}x`%eCX1 zD~cL;>pj@dCI8%1+oE$sCz@-QpH1!)vn^_MITdT0toC)ZZK!b-iOQ7@>*{gYIg`6J zuq#@pYj>AU7F zGqR3vWE(qtQ6~FwVs^IB)e`HwBNY$zG|0UHlC>8)UDr28#JINeKQbEoo=4fH)DZdyqzhdTNfar(rEJaJxw7rMQ_=mbr`^WWc+hY>Q 
zf*U(^I)D%xpu}p#zPplzoPA0s_@v!+rdZq^j`X{`EWv^JZ!8~$jq4km!V_#N*}rG=5H}y-&&k` zKXGOEmR(BY1B01=JlB4mHgVjeZ*^eUtL2O0nZ0taxe`yyji^V&KRXh+Vi*p&M0zwQ zGZ-ksR*C{>elxyziMc`hs)Ub z=8l(1meh{EzV=1&;xe^K*<@a}2wUqZ_p7^XMVwh`s{(yklDXQv4ezy@=e(@*in}hJ zaXR9vi1y}=+ewa_`AGaOBez{L!rt$=mv&8M1CNlLdj9?ov^{HA3<@L$5zZyW5mMI4 z>{*kM^~p#(U~l~G8j^L~t_yA#K2$#3`)h^7hR!qP1a0kdJwu4OH-Dr%^S zy?t`imm4>CL@tu+@V@vHhBp=qxi7E4ZL!|!Yr83fsui&t$m}I$iE*GxRWcZ_lGkJuk^6ANrRc*evsM z+gb4niyw|_%ja6&@4k3XHIu?6;gnw`WPGfz)9rqqbHluk)hW+p+Fa8wKi|$#ll~8~ z)BOje9tI@ZaEN&DY0W-Skbb_ZOs7^t+-K7!NwKw5`JJjwe8F35%iBGxs}%i5Ew84* z)r@sM@s-w66%PW|i`%b@OjO*dsQH8TAVDEQb@bu2m7g~qj8)mj9`0wmMKJgLh;_hc z6}f|H?8RDn4N%LJEow92k$7J^8Ru4#qY^H!o$t``qEou3Ipm_L=FG%u4@=35T)o|Q zZe<$g_uh%%5a-vw!?}mkL3EhSz{yoxqrgF~%B#qBD}7LwOb%4mBfTP#6(d63GI~}; zo_|&<8FFSnyW-6qJ(Fu$hGT9zomo~EAt`dchIbYIc(}~~`}M81LZ+P4JV^&QX)j)x znYlI8)Yg@M4dO`oWl`O0m|w)XOG>uA>_mU|gh$MxSI?}!Lsj^-Ju#)E7*4+`?v$?V zd%U?jAAEguxwU&R$LUY-Gat!kE2#5>ofh}n?{Mrr^87aYWHc9fF8f1{t>N}HFSEz1 zwl`_$WmX<4QE&^iHJ_B~TW=k1(ot+Fr?atNvqXN4+m10qy&YmFqK(sIJPxLpt--zD zs28VHmHAj_;@v*}yaOlnn}SP?cf`sJ3@UCZHXnA|67kUQoulS;xw^o0TLWsig5HNE z^o0(ZX_}s$cP^B%S$1o@i8YP>B+e-wH~rzR%xa&GYQ3F4eMXPBBxc$kZ9TZ#=k)QN zaEGJX#jWSp@RlaXp50D-@Lu9)bdZqlyzpgj+uuFArg^cu;!wG}MG4F6<{JMx&Hr(BFrlrpMMKT5VKUB}E{5sxc)Rw#$ z5!3kP)FS8gD~7|pw+{Cfs0p`dwsC>-J;yh>h0=IuHSN-7L-rQ%7>x1kQ z3Ax0vpwNdsHZvDJ`SYloW-lBG+vwp}%8$>cx>T~qUjLwf`{(fGe0QHd@r#>GGb*EI zoYpA4-^AJd`{021w0!=_qTV5{*NdiOZi)}rIViZyNWST~MzMEInH@EC{QYI`azch<>^60d84zCT=IouYhsk~i?U;LugQ@na&THDcv zAmvcEb?vu06Ia}~lp@VYbQDq3o}DaH3Uwu<*4z+$WTj;0ON>DxS#AeBZwOd?l0-|6xbC-=y8) zzeKq|zW;dSWJv2&s!Thp=g;IRGa0L`awaKU_hgM@%We;r(GtwG+d?TMR+eoJWk#(h zfyd{omC3kc}PC73Ajhr86ViQc*v&r`pjof=U1P4S}dn(!`-^_ zR^;=$T&-uXXH6|55Y>IUpZd%m%c*y$)fXru%-C`tNji2QNv%SA6>Hg;ORsXG+sSsX ziDONH2V&#)%{0F4J2WcM`MB?f<(6Bk`rr};1wwJD@i_sG=GD$;T3(#wd#vL(d@jQE zX@WIJ;}E;PPx4vk(~+Diar=pt<|e7^=K%*euaJ-xxjtnWpyD=Y4)=p z*4eeXOg9NSKS^HHs@_P}mA2z?aNcNu-}_y;PsfS-CUVV&iFZf2Tjxdb9xPFZb7&;FS%Mp&F*JuPKbX_ 
zeA?6W)56SMPEp!xFj6<_`N=9_)!X8xu{V2;W$Dho=lM(jX0UXAAvce~sVLRz>ULwZ zHvuX2uh&(VG{5TW!sfG=GJeyPvSmch-x-f(DR4`5 zzq8$K)8w9AkJV3XV^!5N$lod&nVp)pkN-{APoq6wTxYms#$Iy`=ty)rnDg!OkNgsf2?SaSDf6 z|MXS_TyANqd9=2>_V)MYMw6u1SvhAOuk@{~tXQ4XH^e(0a@dz|+=~AAmsIY|hbt@i z!i{o6eeWLK#rwkgaJx$sIZ?(qn%>E}-Y7%=`Bs%xVzG*M^>1yjTX+0Jkm#aKcZjzb zSHc@1Ue#U$1=IUeQAW)?d!mZC8xoYiCLAcpef z3Aqt|j99RkRQvPXb?M$oi-CKe7dC5H-|Fefsi^8KSvPykKs=zR=|bn7=~rbLF;?Hc z-+REZDzxKhhxyt!+&Pm5m%>R79Y!ruK07KGUd&yRXO*70Fz`H8;%q_eZ^^+<8}0tZ zy=5+KD~FS65_OKu2A}qJ6|cV|_atDwkaeyKuU^IWeO)?I@dd|jo4!qy{w&xNGcmJY z`@7)}nk;{Z)Nb`!>CN^<7mLmpJp(E2)Q%6C*Es73Sa>UY&U^uMo^xV1WE z<0W6aBK`84QtS4JWk0z3Lw)rP{_mSF?*{0SuF>GJGN)nZ+ne^?+SPZujJ=&+-hG-i z({+tS(>AbiuZ4O4!Ay3Gh`kXnS!6?!)i)=x%SLEC)Sq9z<{)S2pG~Td)twVJsR(b` z((vtwxBElY)}Kd9PB~Q!B}YeWG6-$Zem~ijz%#)+?%k+7*EKwxwRXg4`emDujCkWm zmMy+>YQj~AU0*bQ$rG-XB6aSTSvgWJ&UI*KL7b<9Am__eZ!7&(_I&%=XvC8HHgyxZ zMqc{XNt=nnt{>CajeL%dPyX|>!_cKhBVIMHS)DZHQ`J~}LiHWxL4TAPY3|)s=l$pA z@HJmwUO2?YnYs79%Dr7%^^Zu8l6WQNp9wX$x+$io1brEPo*&RXBH{Th(lQ%x?3^>)~lFpQiG=xnmb3)Iv3G^0bN3D+V@3*!CHuq#Dr&y7>&&l?%^`uNTYe7&tvHQ?I$ZcmKsz)Uz-V)-AR*#X(bg-qqS zLB%JU2V^`PN4`gu$CxScE3TCsPfTiFT%PsTf6FM>1MaAPxAmh*?NzsL_ViVrC^Ik1 z+gYqt^r~>Muy)baU4BM>N@18>o^r2{m78}m)cB#+%CJu>qVYa|eYRKj-JUnW7XJvg z*EECt9L;?n@h!izPvNl-|HK!I9sT^~A#Z+iJnXl0dmx)~MJYHf#QuFgo5w&#)X=9V zV%lTPn@&ARQsMb{Fmk0re1uleC5xn}fFDQQN~X<6)}$Z1kdUJsyz64!(45Tx?Nf!} zlhy=l{in}3_4lz%y%?w)%666+_$)Ipyk#CAwOx?@xIIx|Z}Sly8|R~Ziy}5V&YEuw z$tux*64HP195G>#gGY(f=3w{uja1|LX!rEo=Zyyh8-kp#hKO;0yu06_$;i=!Pa)R!(@iVjI{1>woISVlc;tjyeIgFuHaw*$5GGRlqh`(I!?z`D%d7diu6cTA$xCK?bS2EwxTY4!QpbPA zJ-)B~;qKFdkBn~vU3GA&AJ$t7k*&i9Fymj3bXD!7sykhEn-n7nJVo^fn@);-?qiqnNJ z9Ug`cwRO}j3pagJT$n(5r#?0EV|4Z2Z>brd_3mmlt*BQs@Y}{URA!L4&Q4BHQ(gJ3 z-jmd;vezPd*c;2Qt-tny#lE~yK=guq#G3UvQ7J1XHumIbQ10zcatz|Sb;)TLpf|ASh?m~&D}fKQd{m%`bXHetUK51 zGG!Zh%1b?Z`$(+OX6sK4X_J=Jz4-6aCEnBb2165BqN%3eTaIjRzVzX!vZKD1(@0bB zs>45r^vWGJ4fr)rr?T8_eRJR1#>BTEWj^d{&=~>IuIR`zj{>vaEmCKH%*@xdNjm4> 
zO;B|a=x|B@yei~_nDFEu;nzInx6`k^?y{VI@rk<1KE-Bb^{!*L1=pyvCuoao_+-y1 zHpb!;`D|EiH|Ma2Y+a(+Teqg;Kl(O}N#9f#9-8p>7u7Z_br1P=jz@|A___U`i{npa zZhW*Z)99D3jnA?)wV{A_G_RCAg+qEaWx?HUQ=4bYKXY!^{qF2e?(qE+bF=p0!S+)& zrlE-!Zl23Xi5OV1a>yz}RriO<$>o`chn~62?mW8PjP%ym;>)wXa5uLog=W63xD&z^ zw|q<{Pn__#i|+Vy;9{s(hU49t_x{uTm-fE70c7r7&=@|7FIkNFE}wr;f}xCLZfYb@$0@1BbrcS}C@rALwb2R*j=OGczhsrK2k z8)~cN$Ig8-Z{NBuICSGKFVj?OtJ$202JiHTl3DFn2vetzYa1DbaA3?Hh?Z zz6GPBRtru9Rs~Yx0M##6Ow92JC1~dOlv0skdoNA7EqH!$Uc2h>*NK3N4^{zgpFO$F zV@ZkI>LS=mu4*-DYV7FCY%9$=q~~B!um?v>e8SCol+IJ3Bqpwx;pd{Qx@Ft0EkO;1 zEJ~Xq^F@Y;H95RTEFyO$)eFR?=y1Mo3p(j|5{@}mSFY+_*D156xVXbwYGST{jlMQj z@9D2A9P5QL3!K`Q2b(xF7l=+%Il8Z%_AHBGz1f<*b|K+Mp8R9GHlwD?pHAP9`EZW* zaNxE3KF2plxNhDeSyxBYq*F#3)*n7V4nKdRm2Bqbq^h$~H0gJLebI7{HUlBr;grsM zf9y`>XZ+|DNx^&P>9^C2%Rl|Muej@d&&_t>6aV^Ir9#jT^3( zSjnmAWvlSNQgEAJflH9Qv!#u9{qH%J_Zdh1`P{#HPSU*W-IYw4 z45IA=r><_EU+FE%!tH-)&_68sqWoJf*;2}aRG$Cg#oZHU6rP0=+V_dao^T3#C1`s< z=(@bfg$fbB*S||Bw*|_Ei?oYFHq7gOd!!-P%wrbaB7dX5OSUUD{mQo=#(L~U`wTy_ zdYy4p!LIDTB>&Ip(*LL9wM#E3dWQ*{3FBr>xFG^hB+~_H^#AF*a&V&izb|QEboq}H zwNwgmiAx%&OqVp!=uG!&lHg4FzfaT(Qb_;06z4zg)%=_C56}Ocs3p=FU$py2SICTS z)%|bE(rR$ok+XaIpX%}lyvNn#=UNb4s@xru^3YtDxXz!jLTh+l_d`8SRxz1@Qpt`|=f)UFRz&Og2F zNLaS;emKR#Sgo#Ft4D^rzhJcBWmY23OPk#LC)_z2F1erjWBmYMR=#cKc)sSMq4d=; zVVT#}k1sY_w`dz5Xdjlz643OxBjCw0pnIG{QoM6@*R7qu$}Gvj2On&=P~Kf7G-|Et z6J;9p{o$QMQR~#Qqjh(Vu2bcTS{~K3J1?SCH%dK9Of|A@`J0AY&sTiBa$x!8Wv`dN zUS`T_y29^D+GD}VO^zGfx!qTNVm-G)^6|wJ*Q$hd)~oIn8dX&F-(4j*YNVZu2p$$GASxIW~sM}IwEp7uEYvD1ky?p#}zd9i(7W_*U*I@2oihOm;M z=52k=Z5^8zX6p9K7Ab1FjsTxQc3rFYu#``tTh|ZzgcJ@Cb z>{F_IM>)z->&Tm3!*Ny$ud`-K%aUbnV5cPKX-Yjc^yO-GJHtJs9Phx~4Zd+=&Wc7U zZ#|T^kbRYVt)hwq4vcXbMZeoz*E^iH@K9%4pq9qF%cd1Qx8!GJG}^c6tL>c#_Mf3Y zdiicW`AM8(?wWr1U&UubSxL6~`BZ8LSvB9FcgD}5+o-Tss(gO}>8{Yx3+2P+Nijhe zQ%%k82sL!-O>mYE+GEV}Gc>Cd$L^TvNO2>-%%(rR~NCGEWX9FE_rrXLQ;2x3#Bs_;IgT zp0{^imoH7R>q{?Br-mcf;)>1iihQwm+&c%Q?;`iNRdeHf3VhcUdie`v$Ua--68K>A zgSX+qrVHbrSBqXU(hKf5OW?Mxv- 
z{?D_LHSMgp*Jd65-_OUiHW?)(${*&wT*n*yIgbaQ7I8jN;#`J|(VqS%m3>3c=+C*T zR~nU1R$aQX)=Mey?#QcK;>~*5=Y`hRUOw$h&`wGG;?Wh56hG>9Da}e>=9|c3lGDq_ zafUJ;-W(^`)6OoRCeM9~zU5}(m7$amXS!8q-J<^2egojfCvsy|)Dv)NL^ zSLwb~o9pli+jnj2`Houn_>Ia6*8tOuU5R(h`aC=6^8r#8=Lmx5j;Eg$HCY>Yu(D68 zjP+al`RLDg6DTj}G77Oo#uZ{Yki-9ubwAYY-Qm z*JM5tFda4>W}LR}u7B6Ju?wNLPhztq49dp&4FupT;_cK?kMGH!UVL)6BXzs)Zq91A z?sj9{dn=+p->Kp}uP+&>7S=f)fuA49UqPVj1s-obs$ZYow^ij@o~3qKtetg#rufCH zRnJ!SIdx6%A6{`TY|(cy+H>@o;>3IUL&wVMi?5&cOdt8R=J&44agV&W(_1vB*8fnx z>y%)2Fw|BphM-=dx<;%!LU=^V`a!V?@6qQXA8)M5jW?+}E@{wnckcFV$=LmQUj3*u zK`{lA?J;t%?k$uaH%^|FIQRV;<(;$TpI$=ey@8oqdqUdWs&rc|UhQNHjdL*8aX(LNVW6PZMiZ%&udkwx}Dm4bLR?m)O2ID z)}8s8KjM6OGV{jH`E|0{mxCg`@;>*xnqfH`{jy=zPql~bgSl6$&3Qhte!9SytZ6gq z^s4#dWDWhqHf!SKs_04>Bgv-qjzj6=1IomoD>tbIywaVf3d1srCElo+W(W8wj$?r7OkKkQz zW{4$dYqw>G#ia_0buG`ycq-F6dnA7Wo%1@2xN^ zeixR!NuF4_X3j@B#g3(hJsXrf%%ZvQ_18M9J8g4V!U!vZUij~6IbrV+Eo#`s9yFFT z>y9%Xk+x_o?NZArmh3iDXzU`9I@>mN>l;Mr-6Uq#`2fC;#a% z?n;xqm%W4LDRmJ$MF?x_x9dmWAF7!;cDa4EN0F$+QL)6$Pu66|e?IbZR$ou?^Xtiq zOD$`XLnr&zhj~Q1O)0dl1h}mpkjvEu#Y5ly> z=$_CO*_Rd;yUf)me-Rd5>MKpf5OP=NudWR_cj9-d(+h&`p3+O<)=#B3P`t@g_4i_W zZ`4PBtvFcL`C6*eM5C}bx=ciZ^V`RM8O4IS4hyT1ukLaP`oPNswHr{dJd20Qo*sV(;;{Uw#P|MlD%FPm9{1dS=x75@T z)VFqav30N)#FM0`g2zPU-E7ZV2@;4ZcmnB|sGzo+xwGpC;f|3SMW4pxjNg8%m>|3a)MWeu{;2B@+{!bd?-|$i-Li_tVd?p%^1~0C` z%bJYeKhOL754gzkKWS7vjmmg;^gn5T|ADrHi_jR~hG%YvC(t1iWTHWV2L}kAiT1C* zm}pcQjRXLmnT8{gi3p8ICD7p|Kc;p>8lH$p=0~Ixh>%qx?MOICW|(Po0txPFWTO53 z2l6}`j!I=@(Tv~!BtIGvPo^UCqvB|Ic-xPuFBJ#VL&l|mtjH+8bQ%s)DyF``8<~#b z1B8H#OQh2XaLpc5UszwzGiKV~4Ul#;B8^N(+Cg73=*>p2B~;5o^j_WGA_n9QSl`3c4#{ixCso6g8D1y zOD1Dv0CfeZDlv~sBH|G{g1$@0l!T)pyiw>x5&`K8G;qeq7&tl|z9PajE@%r8_2X1L z9*0MGqtL00FOV?xWn4x{LHq#~#z5!7Xa}D}Vd~3x9=06;6H}--3JLWu6c_;`Q}AIJ znc|=sW_~yl8Y`$cDur>|CgbOyiPpI3j!#hKUCL6oMHu4cd`VI|mwtac?sdA9x}itEb>(ku{>?iBv!VXkQA- zFSKJ^et@=H!mklAehrWS9@Tr8GvlsdrsqLB0^{v<#_yjsVxR~*cFuUry5Wg9tS=#e z=A+Lek{OpsAY)+s9|@KNT@Ro^U}f%0#S9G-;6U*L^|u^EW8Xv~AT&?p$*z-?gW0`*{| 
z9r#2FCVt>>7+eCr1i&{lA5?H*s4al}@YppX<57PA{+@=F6~tOZRv=R%s*|uDSd0X= zfchbjJqg7TAX6$_mBF-@z!~HIWo8-OPJ@uC%F*bK>z3{ zj(~Vc#L56H80iaGnMy#$1wA0ZRWeL`Q0OGAZQ*ES999oV*mVQgiHrfVBH>WI0{NkS z2=oAiip~XGA~HW%U&hD3nC1+tyHsvK!;V2C!zDOKUos>}2o3HMLH#(ybIAUf+d(|1 zVC{oIz{Y(N9vjag%wYI{d;ygo4yKHZ3pfW4Uxh>X0JB8;!u-IH&~`KenyY~hE#d#D zM68_?=@@(uz7EZCK!@m9-JnrWf6w3pjb&hObTq#NJ|I&@`G6!0@v)#Aq$SpfjN*3S z7cM?WpGO3=%uEA5U_nqCZ7GaIMq>roKE^H?d|>So>(?0b!{md21kjw5F+bF1z{i3k zLg!4uU@n*+0bO74*)%Ffua@#x6qpS27~o&P+o3ebFA<%D`9WvqcHoCFxgW%2IvPU( zqhsnc5Rb5U7a|H=dWF~rB$JqN2}|S}P=3Ma1{KOi=<{I19rYVHFgOgq6dcCi<8c6z z(B}aO83XhMfHB&R01C)V1API9&rAb3ldv+N6EHb8L@iV<4BbHe6(gQw@hOB=j0~tm ztW6ULSUsR&a3X^b)ZQ3;U~?Q29_wQP{vqoIIz+<6Bj6W<*YG$Rs*?=NKt!GgF^Yu7 zTF_lgP7Lb?4bk<0@PS=RFc9W;;Quhb1mr@;#4SKqSeyu@B}9k7K4@r70oD?Vpv>a} zzYxrrX$(HFdQYRFc__>eQ*(p34}wOY2dp9E0;0j>wSaSIC?03b4~=CYdpznB0mD(T zH9;aBgI{2NC>8~M0pmjFjHjbxFy^;J48_<717Bfl88is2=opLwFEfpSo6wpYV}2;U z2l>&lewR#JqDFzqIT?C@jnhODS}y@UK!D8igV;kwWdO2=>7eZxi-e&uz5v4PpMhU8 zmIi?uX$ScNR(El9bS^Lv3_f7sXVkxd?qc$N#=4>TFN0rHCqaIUQ#ed~z!;<@bZCj# z1F!_62T)2wuriE6#QI_y?3*x;3-&?A)FNR$7&l2We*e@SfHyMSlgC5@T_d14mVv|2 zm;y2-V|@v@UCjCtG4TUp_Y!(fqM$ej=10R|Z#=kSME^i@m$0{`a&bHad1iiL&6mPH zOZavYrY;Ke12BL-4=z2#=qZR8@g)$;F!>q|9YlN*y0~;87W2EdD-eBJf(KX-$fGj#Lfr9l-03%SH1RRU@1wL>~ z_(X9z|^?Opr&Z-p}-oUHV9th?{nP@#s6>Y!>EBG{L;u^M#x z<1Zj72$;-sX4oaFr;Hi}>Nh~9L@bu4U~n<`91p_+ zE=JC<&Y9ADc9%zh$b{N?&scSF-rj`rQ z9JMzn`Y^ud$h5vdgNg|=4P=Trj|4G~vIM`7tTFe6cnJwLGYv2%#@B(~W7Y_C2(yO^ zr!BCU8hFFxWdv+(3C5+P`5@TQ68RQv-66gmd?E&y!2F09J)pzc3M8&VUrdYw-5_A| zZrDsk?F|qnMkfh?|Il^-C(#%WK^hzkDtmyUNM8n~!JaFCL;&$kAV1PlI0u7c0o9@Y z8H)F?%Yw{>NCW`LOauGCqkbG>GH4sx4nQ#aJV1IF-oV{s{3IMdK=B5gQh>rY^B5FB z<7jOY4nkno7os^7>yf@B*k{7{7f4-@IfGw=gA_<#$ed9*gPvmcG(rC$f-v_5y;`Ey z42dJk8=ROxu@7{lqBsZm#n#tI5I!(AO~T~FfN3y$4zOnfmdQM4IDLiL&x6x1WK7(L zu#fr|i1Ac(jUXq%;0TC#IJ5@J$Vo8%0Cuv_m<;n{ydB5nCn*&C5_Nviag1$&VxhW0 z2mg$D9+WmwTcyD9A#6JmCYCXR9%3J`v52YDfMzUJLs6jQ@mV(ODHE@nRz))IuzJT9PJOzj_Jfbqr9Zi%yMaCioJ 
z9>ge24HWE+gwYo|d;u9*HwGW54l&{anp?pV!6qca2k?vf4F!W zUtk3p1CF?&b6FBwK$#G22k~R6GbfmO4h0UhqP7b2BVuX51|mP$J;$T_6`(^jw0;US zGWKi~9Mr0+e0(OrD0zYEsFh4kOfyfkg4bc1-VkqXUAFL&KUgo|G zo5AL_;1tnygPl+GY%=7bnD`5FA)$OQWQFD~K!fE(<^nX#n#1WeG_FElY@Q4=L9rQN zOw8FqpkdFRGfJC?EkHX8mJe7W)L-ENzhL-)4N*jXR06s9imaOIU=kE z9^EU4#ENPE*VWnF_N=ut+rE8*(mJ*mtr;)32udGyaBvm;`&|XWqk__^_9q?SeQt;n zfB&T*Xd<`|PqLy?t<5Q9qBYsl(!vU7b&^0fr&&TZfkv^!o!rm%zc=~UC%{}>;pLsb S->iYTfuPuS?^e`QV*5YH%9$qs diff --git a/src/assets/downloads/delta.json b/src/assets/downloads/delta.json deleted file mode 100644 index fe81a5181..000000000 --- a/src/assets/downloads/delta.json +++ /dev/null 
@@ -1,1136 +0,0 @@ -{ - "ignoreFormattingDiff": { - "addedControlIDs": [ - "SV-213913" - ], - "removedControlIDs": [], - "renamedControlIDs": {}, - "changedControlIDs": [ - "SV-213900", - "SV-213901", - "SV-213902", - "SV-213903", - "SV-213904", - "SV-213905", - "SV-213906", - "SV-213907", - "SV-213908", - "SV-213909", - "SV-213910", - "SV-213911", - "SV-213912", - "SV-213914", - "SV-213915", - "SV-213916", - "SV-213917", - "SV-213918", - "SV-213919", - "SV-213920", - "SV-213921", - "SV-213922", - "SV-213923", - "SV-213924", - "SV-213926", - "SV-213927", - "SV-251040" - ], - "addedControls": { - "SV-213913": { - "tags": { - "check_id": "C-15131r952219_chk", - "severity": "medium", - "gid": "V-213913", - "rid": "SV-213913r952219_rule", - "stig_id": "SQL6-D0-001800", - "gtitle": "SRG-APP-000231-DB-000154", - "fix_id": "F-15129r951656_fix", - "documentable": false, - "legacy": [ - "SV-93795", - "V-79089" - ], - "cci": [ - "CCI-001199" - ], - "nist": [ - "SC-28" - ] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "id": "SV-213913", - "title": "The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.", - "desc": "Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.", - "impact": 0.5, - "descs": { - "check": "If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.\n\nReview procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. \n\nIf the procedures or evidence does not exist, this is a finding. \n\nIf the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. 
\n\nIf procedures do not indicate access restrictions to the Certificate backup, this is a finding.", - "fix": "Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.\n\nBACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' \nWITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); \n\nAs this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text." - } - } - }, - "changedControls": { - "SV-213900": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213901": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213902": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213903": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213904": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213905": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "desc": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.", - "impact": 0.5, - "descs": {} - }, - "SV-213906": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213907": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213908": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213909": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213910": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213911": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213912": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "desc": "When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. 
Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account.", - "impact": 0.5, - "descs": {} - }, - "SV-213914": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213915": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213916": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213917": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213918": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", - "impact": 0.5, - "descs": {} - }, - "SV-213919": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", - "impact": 0.5, - "descs": {} - }, - "SV-213920": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", - "impact": 0.5, - "descs": {} - }, - "SV-213921": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213922": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213923": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213924": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-213926": { - "tags": { - "documentable": false, - "legacy": [] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "desc": "DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). 
\n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.", - "impact": 0.5, - "descs": {} - }, - "SV-213927": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - }, - "SV-251040": { - "tags": { - "documentable": false - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "descs": {} - } - } - }, - "rawDiff": { - "addedControlIDs": [ - "SV-213913" - ], - "removedControlIDs": [], - "renamedControlIDs": {}, - "changedControlIDs": [ - "SV-213900", - "SV-213901", - "SV-213902", - "SV-213903", - "SV-213904", - "SV-213905", - "SV-213906", - "SV-213907", - "SV-213908", - "SV-213909", - "SV-213910", - "SV-213911", - "SV-213912", - "SV-213914", - "SV-213915", - "SV-213916", - "SV-213917", - "SV-213918", - "SV-213919", - "SV-213920", - "SV-213921", - "SV-213922", - "SV-213923", - "SV-213924", - "SV-213926", - "SV-213927", - "SV-251040" - ], - "addedControls": { - "SV-213913": { - "tags": { - "check_id": "C-15131r952219_chk", - "severity": "medium", - "gid": "V-213913", - "rid": "SV-213913r952219_rule", - "stig_id": "SQL6-D0-001800", - "gtitle": "SRG-APP-000231-DB-000154", - "fix_id": "F-15129r951656_fix", - "documentable": false, - "legacy": [ - "SV-93795", - "V-79089" - ], - "cci": [ - "CCI-001199" - ], - "nist": [ - "SC-28" - ] - }, - "refs": [ - "DPMS Target MS SQL Server 2016 Database" - ], - "id": "SV-213913", - "title": "The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.", - "desc": "Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. 
Not having this key can lead to loss of data during recovery.", - "impact": 0.5, - "descs": { - "check": "If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.\n\nReview procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. \n\nIf the procedures or evidence does not exist, this is a finding. \n\nIf the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. \n\nIf procedures do not indicate access restrictions to the Certificate backup, this is a finding.", - "fix": "Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.\n\nBACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' \nWITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); \n\nAs this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text." - } - } - }, - "changedControls": { - "SV-213900": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. 
Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization.\n\nA comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. \n\nExamples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in noncentralized account stores, such as multiple servers. Account management functions can also include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage.\n\nSQL Server must be configured to automatically utilize organization-level account management functions, and these functions must immediately enforce the organization's current account policy. \n\nAutomation may be comprised of differing technologies that when placed together, contain an overall mechanism supporting an organization's automated account management requirements." 
- } - }, - "SV-213901": { - "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - "legacy": [ - [ - "-", - "SV-81847" - ], - [ - "-", - "V-67357" - ], - [ - " " - ], - [ - " " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. \n\nSuccessful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. \n\nThis requirement is applicable to access control enforcement applications, a category that includes database management systems. 
If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy." - } - }, - "SV-213902": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring the DBMS's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, shared account.\n\nIf the computer account of a remote computer is granted access to a SQL Server database, any service or scheduled task running as NT AUTHORITY\\SYSTEM or NT AUTHORITY\\NETWORK SERVICE can log into the instance and perform actions. These actions cannot be traced back to a specific user or process." 
- } - }, - "SV-213903": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database. \n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring SQL Server's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to SQL Server, even where the application connects to SQL Server with a standard, shared account. \n\nApplications should use temporal tables to track the changes and history of sensitive data." - } - }, - "SV-213904": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. 
\n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nSQL Server provides the ability for high privileged accounts to impersonate users in a database using the TRUSTWORTHY feature. This will allow members of the fixed database role to impersonate any user within the database." - } - }, - "SV-213905": { - "describe__deleted": " if input('server_audit_at_database_level_required')\n impact 0.5\n else\n impact 0.0\n desc 'Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)'\n end\n\n approved_audit_maintainers = input('approved_audit_maintainers')\n\n # The query in check-text is assumes the presence of STIG schema as supplied with\n # the STIG supplemental. The below query ( partially taken from 2016 MSSQL STIG)\n # will work without STIG supplemental schema.\n\n query = %{\n SELECT DPE.PERMISSION_NAME AS 'PERMISSION',\n DPM.NAME AS 'ROLE MEMBER',\n DPR.NAME AS 'ROLE NAME'\n FROM SYS.DATABASE_ROLE_MEMBERS DRM\n JOIN SYS.DATABASE_PERMISSIONS DPE\n ON DRM.ROLE_PRINCIPAL_ID = DPE.GRANTEE_PRINCIPAL_ID\n JOIN SYS.DATABASE_PRINCIPALS DPR\n ON DRM.ROLE_PRINCIPAL_ID = DPR.PRINCIPAL_ID\n JOIN SYS.DATABASE_PRINCIPALS DPM\n ON DRM.MEMBER_PRINCIPAL_ID = DPM.PRINCIPAL_ID\n WHERE DPE.PERMISSION_NAME IN ( 'CONTROL', 'ALTER ANY DATABASE AUDIT' )\n OR DPM.NAME IN ('db_owner')\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'List of approved audit maintainers' do\n subject { sql_session.query(query).column('role member').uniq }\n it { should match_array approved_audit_maintainers }\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - "legacy": [ - [ - "-", - "SV-81851" - ], - [ - "-", - "V-67361" - ], - [ - " " - ], - [ - 
" " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "desc": { - "__old": "Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)", - "__new": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one." - }, - "impact": { - "__old": 0, - "__new": 0.5 - }, - "descs": { - "default__deleted": "Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)" - } - }, - "SV-213906": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." 
- } - }, - "SV-213907": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." - } - }, - "SV-213908": { - "describe__deleted": " # The query in check text is assumes the presence of STIG schema as supplied\n # with the STIG supplemental. The below query ( taken from 2016 MSSQL STIG)\n # will work without STIG supplemental schema.\n\n query = %{\n ;WITH OBJECTS_CTE\n AS (SELECT O.NAME,\n O.TYPE_DESC,\n CASE\n WHEN O.PRINCIPAL_ID IS NULL THEN S.PRINCIPAL_ID\n ELSE O.PRINCIPAL_ID\n END AS PRINCIPAL_ID\n FROM SYS.OBJECTS O\n INNER JOIN SYS.SCHEMAS S\n ON O.SCHEMA_ID = S.SCHEMA_ID\n WHERE O.IS_MS_SHIPPED = 0)\n SELECT CTE.NAME,\n CTE.TYPE_DESC,\n DP.NAME AS OBJECTOWNER\n FROM OBJECTS_CTE CTE\n INNER JOIN SYS.DATABASE_PRINCIPALS DP\n ON CTE.PRINCIPAL_ID = DP.PRINCIPAL_ID\n ORDER BY DP.NAME,\n CTE.NAME\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe \"Authorized users for Database: #{input('db_name')}\" do\n subject { sql_session.query(query).column('objectowner').uniq }\n it { should cmp input('authorized_principals') }\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - 
"legacy": [ - [ - "-", - "SV-81861" - ], - [ - "-", - "V-67371" - ], - [ - " " - ], - [ - " " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.\n\nConversely, if critical tables or other objects in SQL Server rely on unauthorized owner accounts, these objects may be lost when an account is removed." - } - }, - "SV-213909": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "If SQL Server were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." 
- } - }, - "SV-213910": { - "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. In the event of a system failure, SQL Server must be able to bring the database back to a consistent state." - } - }, - "SV-213911": { - "describe__deleted": " query = %{\n SELECT\n COUNT(credential_id) AS count_of_ids\n FROM\n [master].sys.master_key_passwords\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'Count of `Database Master Key passwords` stored in credentials within the database' do\n subject { sql_session.query(query).row(0).column('count_of_ids') }\n its('value') { should cmp 0 }\n end ", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, then the confidentiality of all data encrypted using that key is at risk." 
- } - }, - "SV-213912": { - "describe__deleted": " query = %(\n SELECT NAME\n FROM [master].sys.databases\n WHERE is_master_key_encrypted_by_server = 1\n AND owner_sid <> 1\n AND state = 0\n AND name = '#{input('db_name')}';\n )\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n results = sql_session.query(query)\n\n if results.empty?\n impact 0.0\n desc 'No databases require encryption hence this is not a finding'\n end\n\n describe 'The following checks must be performed manually' do\n skip \"The following checks must be performed manually:\n For the database #{results.column('name')} verify in the System Security\n Plan that encryption of the Database Master Key using the Service Master Key\n is acceptable and approved by the Information Owner, and the encrypted data\n does not require additional protections to deter or detect DBA access.\n If not approved, this is a finding.\n\n If approved and additional protections are required, then verify the additional\n requirements are in place in accordance with the System Security Plan. These\n may include additional auditing on access of the Database Master Key with\n alerts or other automated monitoring.\n\n If the additional requirements are not in place, this is a finding.\"\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - "legacy": [ - [ - "-", - "SV-81871" - ], - [ - "-", - "V-67381" - ], - [ - " " - ], - [ - " " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "desc": { - "__old": "No databases require encryption hence this is not a finding", - "__new": "When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. 
Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account." - }, - "impact": { - "__old": 0, - "__new": 0.5 - }, - "descs": { - "default__deleted": "No databases require encryption hence this is not a finding", - "check": { - "__old": "If no databases require encryption, this is not a finding.\n\nFrom the query prompt:\nSELECT name\nFROM [master].sys.databases\nWHERE is_master_key_encrypted_by_server = 1\nAND owner_sid <> 1\nAND state = 0;\n(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.)\n\nIf no databases are returned by the query, this is not a finding.\n\nFor any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding.\n\nIf approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring.\n\nIf the additional requirements are not in place, this is a finding.", - "__new": "If no databases require encryption, this is not a finding. 
\n\nFrom the query prompt: \n\nSELECT name \nFROM [master].sys.databases \nWHERE is_master_key_encrypted_by_server = 1 \nAND owner_sid <> 1 \nAND state = 0; \n(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.) \n\nIf no databases are returned by the query, this is not a finding. \n\nFor any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding. \n\nIf approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring. \n\nIf the additional requirements are not in place, this is a finding." - }, - "fix": { - "__old": "Where possible, encrypt the Database Master Key with a password known only to the application administrator. Where not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data.", - "__new": "Where possible, encrypt the Database Master Key with a password known only to the application administrator.\n\nWhere not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data." 
- } - } - }, - "SV-213914": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. \n\nSecurity functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.\n\nDevelopers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. \n\nDatabase Management Systems typically separate security functionality from non-security functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and non-security functionality are commingled, users who have access to non-security functionality may be able to access security functionality." - } - }, - "SV-213915": { - "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - "legacy": [ - [ - "-", - "SV-81879" - ], - [ - "-", - "V-67389" - ], - [ - " " - ], - [ - " " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. 
\n\nData used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location without the proper controls." - } - }, - "SV-213916": { - "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - "legacy": [ - [ - "-", - "SV-81881" - ], - [ - "-", - "V-67391" - ], - [ - " " - ], - [ - " " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.\n\nWith respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nEven when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. 
Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.", - "check": { - "__old": "Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.\n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding.\n\nIf column/field definitions are not reflective of the data, this is a finding.\n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding.\n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.\n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.", - "__new": "Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid 
input. \n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding. \n\nIf column/field definitions are not reflective of the data, this is a finding. \n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding. \n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding. \n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding." - } - } - }, - "SV-213917": { - "describe__deleted": " # The below query was taken from 2016 MSSQL STIG\n\n query = %{\n DBCC\n TRACESTATUS (3625, -1)\n GO\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'TRACEFLAG 3625' do\n subject { sql_session.query(query).rows[0] }\n its('status') { should cmp 1 }\n its('global') { should cmp 1 }\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - "legacy": [ - [ - "-", - "SV-81887" - ], - [ - "-", - "V-67397" - ], - [ - " " - ], - [ - " " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.\n\nDatabases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. 
In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system.\n\nCarefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers." - } - }, - "SV-213918": { - "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - "legacy": [ - [ - "-", - "SV-81891" - ], - [ - "-", - "V-67401" - ], - [ - " " - ], - [ - " " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "desc": { - "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", - "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the 
database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." - }, - "impact": { - "__old": 0, - "__new": 0.5 - }, - "descs": { - "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" - } - }, - "SV-213919": { - "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - "legacy": [ - [ - "-", - "SV-81893" - ], - [ - "-", - "V-67403" - ], - [ - " " - ], - [ - " " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "desc": { - "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", - "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are 
typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." - }, - "impact": { - "__old": 0, - "__new": 0.5 - }, - "descs": { - "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" - } - }, - "SV-213920": { - "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - "legacy": [ - [ - "-", - "SV-81895" - ], - [ - "-", - "V-67405" - ], - [ - " " - ], - [ - " " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "desc": { - "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", - "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., 
subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." - }, - "impact": { - "__old": 0, - "__new": 0.5 - }, - "descs": { - "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" - } - }, - "SV-213921": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled table permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. 
Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. \n\nA subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. \n\nThe policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control." - } - }, - "SV-213922": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.\n\nPrivilege elevation must be utilized only where necessary and protected from misuse." 
- } - }, - "SV-213923": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.\n\nDBMS functionality and the nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research.\n\nSQL Server must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization). \n\nIn the case of a database management system, this requirement covers stored procedures, functions, triggers, views, etc." - } - }, - "SV-213924": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. 
\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications." - } - }, - "SV-213926": { - "describe__deleted": " data_at_rest_encryption_required = input('data_at_rest_encryption_required')\n\n query = %{\n SELECT\n d.name AS [Database Name],\n CASE e.encryption_state\n WHEN 0 THEN 'No database encryption key present, no encryption'\n WHEN 1 THEN 'Unencrypted'\n WHEN 2 THEN 'Encryption in progress'\n WHEN 3 THEN 'Encrypted'\n WHEN 4 THEN 'Key change in progress'\n WHEN 5 THEN 'Decryption in progress'\n WHEN 6 THEN 'Protection change in progress'\n END AS [Encryption State]\n FROM sys.dm_database_encryption_keys e\n RIGHT JOIN sys.databases d ON DB_NAME(e.database_id) = d.name\n WHERE d.name IN ('#{input('db_name')}')\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n unless data_at_rest_encryption_required\n impact 0.0\n desc 'If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.'\n end\n\n describe \"Database: #{input('db_name')} encryption state\" do\n subject { sql_session.query(query).column('encryption state').uniq }\n it { should cmp 'Encrypted' }\n end\n\n describe 'The following checks must be performed manually' do\n skip \"The following checks must be performed manually:\n If full-disk encryption is required, and Windows or the storage system is not\n configured for this, this is a finding.\n\n If database transparent data 
encryption (TDE) is called for, check whether it\n is enabled:\n In SQL Server Management Studio, Object Explorer, expand the instance and\n right-click on the database name; select properties. Select the Options page,\n State section, Encryption Enabled parameter.\n\n If the value displayed is False, this is a finding.\n\n If column encryption, done via SQL Server features, is required, review the\n definitions and contents of the relevant tables and columns.\n\n If any of the information defined as requiring cryptographic protection is not\n encrypted in a manner that provides the required level of protection, this is a\n finding.\n\n If table/column encryption and/or a separation between those who own the data\n (and can view it) and those who manage the data (but should have no access) is\n required for PII or similar types of data, use Always Encrypted. The details\n for configuring Always Encrypted are located here:\n https://msdn.microsoft.com/en-us/library/mt163865.aspx.\n\n Review the definitions and contents of the relevant tables/columns for the\n Always Encryption settings, if any of the information defined as requiring\n cryptographic protection is not encrypted this is a finding.\"\n end", - "tags": { - "documentable": { - "__old": null, - "__new": false - }, - "legacy": [ - [ - "-", - "SV-81899" - ], - [ - "-", - "V-67409" - ], - [ - " " - ], - [ - " " - ] - ] - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "desc": { - "__old": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.", - "__new": "DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. 
These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides." - }, - "impact": { - "__old": 0, - "__new": 0.5 - }, - "descs": { - "default__deleted": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding." - } - }, - "SV-213927": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "SQL Server’s handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides." - } - }, - "SV-251040": { - "describe__deleted": "", - "tags": { - "documentable": { - "__old": null, - "__new": false - } - }, - "refs": [ - [ - "+", - "DPMS Target MS SQL Server 2016 Database" - ] - ], - "descs": { - "default__deleted": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a DBMS with the encryption devices." - } - } - } - } -} \ No newline at end of file diff --git a/src/assets/downloads/report b/src/assets/downloads/report deleted file mode 100644 index a16403227..000000000 --- a/src/assets/downloads/report +++ /dev/null @@ -1,10483 +0,0 @@ -## Automatic Update: -> - -### New Controls: -+ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. - - -### Updated Check/Fixes: -#### Checks: -
- Click to expand. -SV-230262: -Old: -``` -Verify the system-wide shared library files are group-owned by "root" -with the following command: - - $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} -\; - - If any system wide shared library file is returned and is not group-owned -by a required system account, this is a finding. - -``` - -Updated: -``` -Verify the system-wide shared library files are group-owned by "root" with the following command: - -$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; - -If any system wide shared library file is returned and is not group-owned by a required system account, this is a finding. - -``` ---- -SV-230379: -Old: -``` -Verify all accounts on the system are assigned to an active system, -application, or user account. - - Obtain the list of authorized system accounts from the Information System -Security Officer (ISSO). - - Check the system accounts on the system with the following command: - - $ sudo more /etc/passwd - - root:x:0:0:root:/root:/bin/bash - bin:x:1:1:bin:/bin:/sbin/nologin - daemon:x:2:2:daemon:/sbin:/sbin/nologin - sync:x:5:0:sync:/sbin:/bin/sync - shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown - halt:x:7:0:halt:/sbin:/sbin/halt - games:x:12:100:games:/usr/games:/sbin/nologin - gopher:x:13:30:gopher:/var/gopher:/sbin/nologin - - Accounts such as "games" and "gopher" are not authorized accounts as -they do not support authorized system functions. - - If the accounts on the system do not match the provided documentation, or -accounts that do not support an authorized system function are present, this is -a finding. - -``` - -Updated: -``` -Verify that there are no unauthorized interactive user accounts with the following command: - -$ less /etc/passwd - -root:x:0:0:root:/root:/bin/bash -... 
-games:x:12:100:games:/usr/games:/sbin/nologin -scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash -djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash - -Interactive user account, generally will have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell. - -Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system. - -If there are unauthorized local user accounts on the system, this is a finding. - -``` ---- -SV-230470: -Old: -``` -Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the -following commands: - - Note: If the USBGuard daemon is not installed and enabled, this requirement -is not applicable. - - $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf - - AuditBackend=LinuxAudit - - If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or -the line is commented out, this is a finding. - -``` - -Updated: -``` -Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: - -Note: If the USBGuard daemon is not installed and enabled, this requirement is Not Applicable. - -$ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf - -AuditBackend=LinuxAudit - -If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or the line is commented out, this is a finding. - -If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. - -``` ---- -SV-230524: -Old: -``` -Verify the USBGuard has a policy configured with the following command: - - $ sudo usbguard list-rules - - If the command does not return results or an error is returned, ask the SA -to indicate how unauthorized peripherals are being blocked. 
- - If there is no evidence that unauthorized peripherals are being blocked -before establishing a connection, this is a finding. - -``` - -Updated: -``` -Verify the USBGuard has a policy configured with the following command: - -$ sudo usbguard list-rules - -If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. - -If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. - -If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. - -``` ---- -SV-230548: -Old: -``` -Verify RHEL 8 disables the use of user namespaces with the following commands: - -Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. - -$ sudo sysctl user.max_user_namespaces - -user.max_user_namespaces = 0 - -If the returned line does not have a value of "0", or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 - -If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding. 
- -``` - -Updated: -``` -Verify RHEL 8 disables the use of user namespaces with the following commands: - -$ sudo sysctl user.max_user_namespaces - -user.max_user_namespaces = 0 - -If the returned line does not have a value of "0", or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 - -If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding. - -If the use of namespaces is operationally required and documented with the ISSM, it is not a finding. - -``` ---- -SV-230559: -Old: -``` -Verify the gssproxy package has not been installed on the system with the -following commands: - - $ sudo yum list installed gssproxy - - gssproxy.x86_64 -0.8.0-14.el8 @anaconda - - If the gssproxy package is installed and is not documented with the -Information System Security Officer (ISSO) as an operational requirement, this -is a finding. - -``` - -Updated: -``` -Verify the gssproxy package has not been installed on the system with the following commands: - -$ sudo yum list installed gssproxy - -gssproxy.x86_64 0.8.0-14.el8 @anaconda - -If the gssproxy package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. - -If NFS mounts are being used, this is not a finding. - -``` ---- -SV-244527: -Old: -``` -Check that RHEL 8 has the packages required to enabled the hardware random -number generator entropy gatherer service with the following command: - - $ sudo yum list installed rng-tools - - rng-tools.x86_64 6.8-3.el8 -@anaconda - - If the "rng-tools" package is not installed, this is a finding. 
- -``` - -Updated: -``` -Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable. - -Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: - -$ sudo yum list installed rng-tools - -rng-tools.x86_64 6.8-3.el8 @anaconda - -If the "rng-tools" package is not installed, this is a finding. - -``` ---- -SV-244547: -Old: -``` -Verify USBGuard is installed on the operating system with the following -command: - - $ sudo yum list installed usbguard - - Installed Packages - usbguard.x86_64 0.7.8-7.el8 @ol8_appstream - - If the USBGuard package is not installed, ask the SA to indicate how -unauthorized peripherals are being blocked. - If there is no evidence that unauthorized peripherals are being blocked -before establishing a connection, this is a finding. - -``` - -Updated: -``` -Verify USBGuard is installed on the operating system with the following command: - -$ sudo yum list installed usbguard - -Installed Packages -usbguard.x86_64 0.7.8-7.el8 @ol8_appstream - -If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. - -If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. - -``` ---- -SV-244548: -Old: -``` -Verify the operating system has enabled the use of the USBGuard with the -following command: - - $ sudo systemctl status usbguard.service - - usbguard.service - USBGuard daemon - Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor -preset: disabled) - Active: active (running) - - If the usbguard.service is not enabled and active, ask the SA to indicate -how unauthorized peripherals are being blocked. 
- If there is no evidence that unauthorized peripherals are being blocked -before establishing a connection, this is a finding. - -``` - -Updated: -``` -Verify the operating system has enabled the use of the USBGuard with the following command: - -$ sudo systemctl status usbguard.service - -usbguard.service - USBGuard daemon -Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled) -Active: active (running) - -If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. - -If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. - -If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. - -``` ---- -SV-257258: -Old: -``` -Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command: - - $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf - - StopIdleSessionSec=900 - -If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding. - -``` - -Updated: -``` -Note: This requirement applies to RHEL versions 8.7 and higher. If the system is not RHEL version 8.7 or newer, this requirement is not applicable. - -Verify that RHEL 8 logs out sessions that are idle for 10 minutes with the following command: - -$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf - -StopIdleSessionSec=600 - -If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding. - -``` ---- -
-
-#### Fixes:
-
- Click to expand. -SV-230379: -Old: -``` -Configure the system so all accounts on the system are assigned to an -active system, application, or user account. - - Remove accounts that do not support approved system activities or that -allow for a normal user to perform administrative-level actions. - - Document all authorized accounts on the system. - -``` -New: -``` -Remove unauthorized local interactive user accounts with the following command where is the unauthorized account: - -$ sudo userdel - -``` ---- -SV-230548: -Old: -``` -Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: - -Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. - -user.max_user_namespaces = 0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - -$ sudo sysctl --system - -``` -New: -``` -Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: - -user.max_user_namespaces = 0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: - -$ sudo sysctl --system - -``` ---- -SV-257258: -Old: -``` -Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: - - StopIdleSessionSec=900 - -The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: - - $ sudo systemctl restart systemd-logind - -Note: To preserve running user programs such as tmux, uncomment and/or edit "KillUserProccesses=no" in "/etc/systemd/logind.conf". - -``` -New: -``` -Configure RHEL 8 to log out idle sessions after 10 minutes by editing the /etc/systemd/logind.conf file with the following line: - -StopIdleSessionSec=600 - -The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: - -$ sudo systemctl restart systemd-logind - -``` ---- -
-
-### Updated Impacts
-
- Click to expand.
-SV-230223:
-Old: 0
-New: 0.7
----
-SV-230224:
-Old: 0
-New: 0.5
----
-SV-230230:
-Old: 0
-New: 0.5
----
-SV-230234:
-Old: 0
-New: 0.7
----
-SV-230235:
-Old: 0
-New: 0.7
----
-SV-230238:
-Old: 0
-New: 0.5
----
-SV-230239:
-Old: 0
-New: 0.5
----
-SV-230244:
-Old: 0
-New: 0.5
----
-SV-230273:
-Old: 0
-New: 0.5
----
-SV-230275:
-Old: 0
-New: 0.5
----
-SV-230285:
-Old: 0
-New: 0.3
----
-SV-230300:
-Old: 0
-New: 0.5
----
-SV-230328:
-Old: 0
-New: 0.5
----
-SV-230329:
-Old: 0
-New: 0.7
----
-SV-230332:
-Old: 0
-New: 0.5
----
-SV-230347:
-Old: 0
-New: 0.5
----
-SV-230351:
-Old: 0
-New: 0.5
----
-SV-230352:
-Old: 0
-New: 0.5
----
-SV-230354:
-Old: 0
-New: 0.5
----
-SV-230376:
-Old: 0
-New: 0.5
----
-SV-230380:
-Old: 0
-New: 0.7
----
-SV-230382:
-Old: 0
-New: 0.5
----
-SV-230385:
-Old: 0.7
-New: 0.5
----
-SV-230493:
-Old: 0
-New: 0.5
----
-SV-230502:
-Old: 0
-New: 0.5
----
-SV-230506:
-Old: 0
-New: 0.5
----
-SV-230507:
-Old: 0
-New: 0.5
----
-SV-230523:
-Old: 0
-New: 0.5
----
-SV-230530:
-Old: 0
-New: 0.7
----
-SV-230535:
-Old: 0
-New: 0.5
----
-SV-230536:
-Old: 0
-New: 0.5
----
-SV-230537:
-Old: 0
-New: 0.5
----
-SV-230538:
-Old: 0
-New: 0.5
----
-SV-230539:
-Old: 0
-New: 0.5
----
-SV-230540:
-Old: 0
-New: 0.5
----
-SV-230541:
-Old: 0
-New: 0.5
----
-SV-230542:
-Old: 0
-New: 0.5
----
-SV-230543:
-Old: 0
-New: 0.5
----
-SV-230544:
-Old: 0
-New: 0.5
----
-SV-230545:
-Old: 0
-New: 0.5
----
-SV-230546:
-Old: 0
-New: 0.5
----
-SV-230547:
-Old: 0
-New: 0.5
----
-SV-230548:
-Old: 0
-New: 0.5
----
-SV-230549:
-Old: 0
-New: 0.5
----
-SV-230550:
-Old: 0
-New: 0.5
----
-SV-230557:
-Old: 0
-New: 0.5
----
-SV-237640:
-Old: 0
-New: 0.5
----
-SV-244519:
-Old: 0
-New: 0.5
----
-SV-244521:
-Old: 0
-New: 0.5
----
-SV-244522:
-Old: 0
-New: 0.5
----
-SV-244530:
-Old: 0
-New: 0.5
----
-SV-244535:
-Old: 0
-New: 0.5
----
-SV-244536:
-Old: 0
-New: 0.5
----
-SV-244538:
-Old: 0
-New: 0.5
----
-SV-244539:
-Old: 0
-New: 0.5
----
-SV-244545:
-Old: 0
-New: 0.5
----
-SV-244546:
-Old: 0
-New: 0.5
----
-SV-244550:
-Old: 0
-New: 0.5
----
-SV-244551:
-Old: 0
-New: 0.5
----
-SV-244552:
-Old: 0
-New: 0.5
----
-SV-244553:
-Old: 0
-New: 0.5
----
-SV-244554:
-Old: 0
-New: 0.5
----
-SV-250315:
-Old: 0
-New: 0.5
----
-SV-250317:
-Old: 0
-New: 0.5
----
-SV-251710:
-Old: 0
-New: 0.5
----
-SV-251711:
-Old: 0
-New: 0.5
----
-SV-251712:
-Old: 0
-New: 0.5
----
-SV-251718:
-Old: 0
-New: 0.5
----
-
-
-### Updated Titles
-
- Click to expand.
-SV-230226:
-Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent
-Banner before granting local or remote access to the system via a graphical
-user logon.
-New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
----
-SV-230227:
-Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent
-Banner before granting local or remote access to the system via a command line
-user logon.
-New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
----
-SV-230229:
-Old: RHEL 8, for PKI-based authentication, must validate certificates by
-constructing a certification path (which includes status information) to an
-accepted trust anchor.
-New: RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
----
-SV-230230:
-Old: RHEL 8, for certificate-based authentication, must enforce authorized
-access to the corresponding private key.
-New: RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
----
-SV-230231:
-Old: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved
-cryptographic hashing algorithm.
-New: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
----
-SV-230232:
-Old: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing
-algorithms for all stored passwords.
-New: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
----
-SV-230234:
-Old: RHEL 8 operating systems booted with United Extensible Firmware
-Interface (UEFI) must require authentication upon booting into single-user mode
-and maintenance.
-New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
----
-SV-230235:
-Old: RHEL 8 operating systems booted with a BIOS must require
-authentication upon booting into single-user and maintenance modes.
-New: RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
----
-SV-230236:
-Old: RHEL 8 operating systems must require authentication upon booting into
-rescue mode.
-New: RHEL 8 operating systems must require authentication upon booting into rescue mode.
----
-SV-230237:
-Old: The RHEL 8 pam_unix.so module must be configured in the password-auth
-file to use a FIPS 140-2 approved cryptographic hashing algorithm for system
-authentication.
-New: The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
----
-SV-230238:
-Old: RHEL 8 must prevent system daemons from using Kerberos for
-authentication.
-New: RHEL 8 must prevent system daemons from using Kerberos for authentication.
----
-SV-230240:
-Old: RHEL 8 must use a Linux Security Module configured to enforce limits
-on system services.
-New: RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
----
-SV-230243:
-Old: A sticky bit must be set on all RHEL 8 public directories to prevent
-unauthorized and unintended information transferred via shared system
-resources.
-New: A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
----
-SV-230245:
-Old: The RHEL 8 /var/log/messages file must have mode 0640 or less
-permissive.
-New: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
----
-SV-230252:
-Old: The RHEL 8 operating system must implement DoD-approved encryption to
-protect the confidentiality of SSH server connections.
-New: The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.
----
-SV-230254:
-Old: The RHEL 8 operating system must implement DoD-approved encryption in
-the OpenSSL package.
-New: The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
----
-SV-230255:
-Old: The RHEL 8 operating system must implement DoD-approved TLS encryption
-in the OpenSSL package.
-New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
----
-SV-230256:
-Old: The RHEL 8 operating system must implement DoD-approved TLS encryption
-in the GnuTLS package.
-New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.
----
-SV-230259:
-Old: RHEL 8 system commands must be group-owned by root or a system
-account.
-New: RHEL 8 system commands must be group-owned by root or a system account.
----
-SV-230263:
-Old: The RHEL 8 file integrity tool must notify the system administrator
-when changes to the baseline configuration or anomalies in the operation of any
-security functions are discovered within an organizationally defined frequency.
-New: The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
----
-SV-230264:
-Old: RHEL 8 must prevent the installation of software, patches, service
-packs, device drivers, or operating system components from a repository without
-verification they have been digitally signed using a certificate that is issued
-by a Certificate Authority (CA) that is recognized and approved by the
-organization.
-New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
----
-SV-230265:
-Old: RHEL 8 must prevent the installation of software, patches, service
-packs, device drivers, or operating system components of local packages without
-verification they have been digitally signed using a certificate that is issued
-by a Certificate Authority (CA) that is recognized and approved by the
-organization.
-New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
----
-SV-230267:
-Old: RHEL 8 must enable kernel parameters to enforce discretionary access
-control on symlinks.
-New: RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.
----
-SV-230271:
-Old: RHEL 8 must require users to provide a password for privilege
-escalation.
-New: RHEL 8 must require users to provide a password for privilege escalation.
----
-SV-230273:
-Old: RHEL 8 must have the packages required for multifactor authentication
- installed.
-New: RHEL 8 must have the packages required for multifactor authentication installed.
----
-SV-230276:
-Old: RHEL 8 must implement non-executable data to protect its memory from
-unauthorized code execution.
-New: RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution.
----
-SV-230277:
-Old: RHEL 8 must clear the page allocator to prevent use-after-free
-attacks.
-New: RHEL 8 must clear the page allocator to prevent use-after-free attacks.
----
-SV-230280:
-Old: RHEL 8 must implement address space layout randomization (ASLR) to
-protect its memory from unauthorized code execution.
-New: RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
----
-SV-230281:
-Old: YUM must remove all software components after updated versions have
-been installed on RHEL 8.
-New: YUM must remove all software components after updated versions have been installed on RHEL 8.
----
-SV-230285:
-Old: RHEL 8 must enable the hardware random number generator entropy
-gatherer service.
-New: RHEL 8 must enable the hardware random number generator entropy gatherer service.
----
-SV-230286:
-Old: The RHEL 8 SSH public host key files must have mode 0644 or less
-permissive.
-New: The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
----
-SV-230288:
-Old: The RHEL 8 SSH daemon must perform strict mode checking of home
-directory configuration files.
-New: The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
----
-SV-230290:
-Old: The RHEL 8 SSH daemon must not allow authentication using known host’s
-authentication.
-New: The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
----
-SV-230291:
-Old: The RHEL 8 SSH daemon must not allow Kerberos authentication, except
-to fulfill documented and validated mission requirements.
-New: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
----
-SV-230296:
-Old: RHEL 8 must not permit direct logons to the root account using remote
-access via SSH.
-New: RHEL 8 must not permit direct logons to the root account using remote access via SSH.
----
-SV-230299:
-Old: RHEL 8 must prevent files with the setuid and setgid bit set from
-being executed on file systems that contain user home directories.
-New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
----
-SV-230300:
-Old: RHEL 8 must prevent files with the setuid and setgid bit set from
-being executed on the /boot directory.
-New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
----
-SV-230302:
-Old: RHEL 8 must prevent code from being executed on file systems that
-contain user home directories.
-New: RHEL 8 must prevent code from being executed on file systems that contain user home directories.
----
-SV-230303:
-Old: RHEL 8 must prevent special devices on file systems that are used with
-removable media.
-New: RHEL 8 must prevent special devices on file systems that are used with removable media.
----
-SV-230304:
-Old: RHEL 8 must prevent code from being executed on file systems that are
-used with removable media.
-New: RHEL 8 must prevent code from being executed on file systems that are used with removable media.
----
-SV-230305:
-Old: RHEL 8 must prevent files with the setuid and setgid bit set from
-being executed on file systems that are used with removable media.
-New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
----
-SV-230306:
-Old: RHEL 8 must prevent code from being executed on file systems that are
-imported via Network File System (NFS).
-New: RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
----
-SV-230307:
-Old: RHEL 8 must prevent special devices on file systems that are imported
-via Network File System (NFS).
-New: RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
----
-SV-230308:
-Old: RHEL 8 must prevent files with the setuid and setgid bit set from
-being executed on file systems that are imported via Network File System (NFS).
-New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
----
-SV-230309:
-Old: Local RHEL 8 initialization files must not execute world-writable
-programs.
-New: Local RHEL 8 initialization files must not execute world-writable programs.
----
-SV-230316:
-Old: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at
-least two name servers must be configured.
-New: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
----
-SV-230317:
-Old: Executable search paths within the initialization files of all local
-interactive RHEL 8 users must only contain paths that resolve to the system
-default or the users home directory.
-New: Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
----
-SV-230318:
-Old: All RHEL 8 world-writable directories must be owned by root, sys, bin,
-or an application user.
-New: All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
----
-SV-230319:
-Old: All RHEL 8 world-writable directories must be group-owned by root,
-sys, bin, or an application group.
-New: All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
----
-SV-230320:
-Old: All RHEL 8 local interactive users must have a home directory assigned
-in the /etc/passwd file.
-New: All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
----
-SV-230321:
-Old: All RHEL 8 local interactive user home directories must have mode 0750
-or less permissive.
-New: All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
----
-SV-230322:
-Old: All RHEL 8 local interactive user home directories must be group-owned
-by the home directory owner’s primary group.
-New: All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
----
-SV-230323:
-Old: All RHEL 8 local interactive user home directories defined in the
-/etc/passwd file must exist.
-New: All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
----
-SV-230324:
-Old: All RHEL 8 local interactive user accounts must be assigned a home
-directory upon creation.
-New: All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
----
-SV-230325:
-Old: All RHEL 8 local initialization files must have mode 0740 or less
-permissive.
-New: All RHEL 8 local initialization files must have mode 0740 or less permissive.
----
-SV-230328:
-Old: A separate RHEL 8 filesystem must be used for user home directories
-(such as /home or an equivalent).
-New: A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
----
-SV-230329:
-Old: Unattended or automatic logon via the RHEL 8 graphical user interface
-must not be allowed.
-New: Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
----
-SV-230331:
-Old: RHEL 8 temporary user accounts must be provisioned with an expiration
-time of 72 hours or less.
-New: RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.
----
-SV-230332:
-Old: RHEL 8 must automatically lock an account when three unsuccessful
-logon attempts occur.
-New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
----
-SV-230333:
-Old: RHEL 8 must automatically lock an account when three unsuccessful
-logon attempts occur.
-New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
----
-SV-230334:
-Old: RHEL 8 must automatically lock an account when three unsuccessful
-logon attempts occur during a 15-minute time period.
-New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230335:
-Old: RHEL 8 must automatically lock an account when three unsuccessful
-logon attempts occur during a 15-minute time period.
-New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230336:
-Old: RHEL 8 must automatically lock an account until the locked account is
-released by an administrator when three unsuccessful logon attempts occur
-during a 15-minute time period.
-New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230337:
-Old: RHEL 8 must automatically lock an account until the locked account is
-released by an administrator when three unsuccessful logon attempts occur
-during a 15-minute time period.
-New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230340:
-Old: RHEL 8 must prevent system messages from being presented when three
-unsuccessful logon attempts occur.
-New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
----
-SV-230341:
-Old: RHEL 8 must prevent system messages from being presented when three
-unsuccessful logon attempts occur.
-New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
----
-SV-230342:
-Old: RHEL 8 must log user name information when unsuccessful logon attempts
-occur.
-New: RHEL 8 must log user name information when unsuccessful logon attempts occur.
----
-SV-230343:
-Old: RHEL 8 must log user name information when unsuccessful logon attempts
-occur.
-New: RHEL 8 must log user name information when unsuccessful logon attempts occur.
----
-SV-230344:
-Old: RHEL 8 must include root when automatically locking an account until
-the locked account is released by an administrator when three unsuccessful
-logon attempts occur during a 15-minute time period.
-New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230345:
-Old: RHEL 8 must include root when automatically locking an account until
-the locked account is released by an administrator when three unsuccessful
-logon attempts occur during a 15-minute time period.
-New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230346:
-Old: RHEL 8 must limit the number of concurrent sessions to ten for all
-accounts and/or account types.
-New: RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
----
-SV-230347:
-Old: RHEL 8 must enable a user session lock until that user re-establishes
-access using established identification and authentication procedures for
-graphical user sessions.
-New: RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
----
-SV-230351:
-Old: RHEL 8 must be able to initiate directly a session lock for all
- connection types using smartcard when the smartcard is removed.
-New: RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.
---- -SV-230352: -Old: RHEL 8 must automatically lock graphical user sessions after 15 -minutes of inactivity. -New: RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity. ---- -SV-230354: -Old: RHEL 8 must prevent a user from overriding the session lock-delay -setting for the graphical user interface. -New: RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface. ---- -SV-230355: -Old: RHEL 8 must map the authenticated identity to the user or group -account for PKI-based authentication. -New: RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication. ---- -SV-230357: -Old: RHEL 8 must enforce password complexity by requiring that at least one -uppercase character be used. -New: RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. ---- -SV-230358: -Old: RHEL 8 must enforce password complexity by requiring that at least one -lower-case character be used. -New: RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. ---- -SV-230359: -Old: RHEL 8 must enforce password complexity by requiring that at least one -numeric character be used. -New: RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. ---- -SV-230360: -Old: RHEL 8 must require the maximum number of repeating characters of the -same character class be limited to four when passwords are changed. -New: RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. ---- -SV-230361: -Old: RHEL 8 must require the maximum number of repeating characters be -limited to three when passwords are changed. -New: RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. 
---- -SV-230363: -Old: RHEL 8 must require the change of at least 8 characters when passwords -are changed. -New: RHEL 8 must require the change of at least 8 characters when passwords are changed. ---- -SV-230364: -Old: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime -restriction in /etc/shadow. -New: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. ---- -SV-230366: -Old: RHEL 8 user account passwords must have a 60-day maximum password -lifetime restriction. -New: RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction. ---- -SV-230367: -Old: RHEL 8 user account passwords must be configured so that existing -passwords are restricted to a 60-day maximum lifetime. -New: RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. ---- -SV-230372: -Old: RHEL 8 must implement smart card logon for multifactor authentication -for access to interactive accounts. -New: RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. ---- -SV-230373: -Old: RHEL 8 account identifiers (individuals, groups, roles, and devices) - must be disabled after 35 days of inactivity. -New: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. ---- -SV-230378: -Old: RHEL 8 must enforce a delay of at least four seconds between logon -prompts following a failed logon attempt. -New: RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. ---- -SV-230380: -Old: RHEL 8 must not allow accounts configured with blank or null -passwords. -New: RHEL 8 must not allow accounts configured with blank or null passwords. ---- -SV-230381: -Old: RHEL 8 must display the date and time of the last successful account -logon upon logon. 
-New: RHEL 8 must display the date and time of the last successful account logon upon logon. ---- -SV-230382: -Old: RHEL 8 must display the date and time of the last successful account -logon upon an SSH logon. -New: RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. ---- -SV-230383: -Old: RHEL 8 must define default permissions for all authenticated users in -such a way that the user can only read and modify their own files. -New: RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. ---- -SV-230384: -Old: RHEL 8 must set the umask value to 077 for all local interactive user -accounts. -New: RHEL 8 must set the umask value to 077 for all local interactive user accounts. ---- -SV-230386: -Old: The RHEL 8 audit system must be configured to audit the execution of -privileged functions and prevent all software from executing at higher -privilege levels than users executing the software. -New: The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. ---- -SV-230388: -Old: The RHEL 8 System Administrator (SA) and Information System Security -Officer (ISSO) (at a minimum) must be alerted of an audit processing failure -event. -New: The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. ---- -SV-230389: -Old: The RHEL 8 Information System Security Officer (ISSO) and System -Administrator (SA) (at a minimum) must have mail aliases to be notified of an -audit processing failure. -New: The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. 
---- -SV-230390: -Old: The RHEL 8 System must take appropriate action when an audit -processing failure occurs. -New: The RHEL 8 System must take appropriate action when an audit processing failure occurs. ---- -SV-230392: -Old: The RHEL 8 audit system must take appropriate action when the audit -storage volume is full. -New: The RHEL 8 audit system must take appropriate action when the audit storage volume is full. ---- -SV-230394: -Old: RHEL 8 must label all off-loaded audit logs before sending them to the -central log server. -New: RHEL 8 must label all off-loaded audit logs before sending them to the central log server. ---- -SV-230396: -Old: RHEL 8 audit logs must have a mode of 0600 or less permissive to -prevent unauthorized read access. -New: RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. ---- -SV-230397: -Old: RHEL 8 audit logs must be owned by root to prevent unauthorized read -access. -New: RHEL 8 audit logs must be owned by root to prevent unauthorized read access. ---- -SV-230398: -Old: RHEL 8 audit logs must be group-owned by root to prevent unauthorized -read access. -New: RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. ---- -SV-230399: -Old: RHEL 8 audit log directory must be owned by root to prevent -unauthorized read access. -New: RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. ---- -SV-230400: -Old: RHEL 8 audit log directory must be group-owned by root to prevent -unauthorized read access. -New: RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. ---- -SV-230401: -Old: RHEL 8 audit log directory must have a mode of 0700 or less permissive -to prevent unauthorized read access. -New: RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access. ---- -SV-230402: -Old: RHEL 8 audit system must protect auditing rules from unauthorized -change. 
-New: RHEL 8 audit system must protect auditing rules from unauthorized change. ---- -SV-230404: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/shadow. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. ---- -SV-230405: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect -/etc/security/opasswd. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. ---- -SV-230406: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/passwd. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. ---- -SV-230407: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/gshadow. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. ---- -SV-230408: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/group. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. ---- -SV-230409: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/sudoers. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. 
---- -SV-230410: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/sudoers.d/. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. ---- -SV-230412: -Old: Successful/unsuccessful uses of the su command in RHEL 8 must generate -an audit record. -New: Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. ---- -SV-230418: -Old: Successful/unsuccessful uses of the chage command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. ---- -SV-230419: -Old: Successful/unsuccessful uses of the chcon command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. ---- -SV-230421: -Old: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate -an audit record. -New: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. ---- -SV-230422: -Old: Successful/unsuccessful uses of the passwd command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. ---- -SV-230423: -Old: Successful/unsuccessful uses of the mount command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. ---- -SV-230424: -Old: Successful/unsuccessful uses of the umount command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. ---- -SV-230425: -Old: Successful/unsuccessful uses of the mount syscall in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. 
---- -SV-230426: -Old: Successful/unsuccessful uses of the unix_update in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. ---- -SV-230427: -Old: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. ---- -SV-230428: -Old: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. ---- -SV-230429: -Old: Successful/unsuccessful uses of semanage in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. ---- -SV-230430: -Old: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. ---- -SV-230431: -Old: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. ---- -SV-230432: -Old: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. ---- -SV-230433: -Old: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. ---- -SV-230434: -Old: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. ---- -SV-230435: -Old: Successful/unsuccessful uses of the setfacl command in RHEL 8 must -generate an audit record. 
-New: Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. ---- -SV-230436: -Old: Successful/unsuccessful uses of the pam_timestamp_check command in -RHEL 8 must generate an audit record. -New: Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. ---- -SV-230437: -Old: Successful/unsuccessful uses of the newgrp command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. ---- -SV-230444: -Old: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. ---- -SV-230446: -Old: Successful/unsuccessful uses of the delete_module command in RHEL 8 -must generate an audit record. -New: Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. ---- -SV-230447: -Old: Successful/unsuccessful uses of the crontab command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. ---- -SV-230448: -Old: Successful/unsuccessful uses of the chsh command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. ---- -SV-230462: -Old: Successful/unsuccessful uses of the sudo command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. ---- -SV-230463: -Old: Successful/unsuccessful uses of the usermod command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. ---- -SV-230464: -Old: Successful/unsuccessful uses of the chacl command in RHEL 8 must -generate an audit record. 
-New: Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. ---- -SV-230465: -Old: Successful/unsuccessful uses of the kmod command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. ---- -SV-230466: -Old: Successful/unsuccessful modifications to the faillock log file in RHEL -8 must generate an audit record. -New: Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record. ---- -SV-230467: -Old: Successful/unsuccessful modifications to the lastlog file in RHEL 8 -must generate an audit record. -New: Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. ---- -SV-230468: -Old: RHEL 8 must enable auditing of processes that start prior to the audit -daemon. -New: RHEL 8 must enable auditing of processes that start prior to the audit daemon. ---- -SV-230469: -Old: RHEL 8 must allocate an audit_backlog_limit of sufficient size to -capture processes that start prior to the audit daemon. -New: RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. ---- -SV-230471: -Old: RHEL 8 must allow only the Information System Security Manager (ISSM) -(or individuals or roles appointed by the ISSM) to select which auditable -events are to be audited. -New: RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. ---- -SV-230475: -Old: RHEL 8 must use cryptographic mechanisms to protect the integrity of -audit tools. -New: RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. 
---- -SV-230476: -Old: RHEL 8 must allocate audit record storage capacity to store at least -one week of audit records, when audit records are not immediately sent to a -central audit record storage facility. -New: RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. ---- -SV-230477: -Old: RHEL 8 must have the packages required for offloading audit logs -installed. -New: RHEL 8 must have the packages required for offloading audit logs installed. ---- -SV-230478: -Old: RHEL 8 must have the packages required for encrypting offloaded audit -logs installed. -New: RHEL 8 must have the packages required for encrypting offloaded audit logs installed. ---- -SV-230479: -Old: The RHEL 8 audit records must be off-loaded onto a different system or -storage media from the system being audited. -New: The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited. ---- -SV-230480: -Old: RHEL 8 must take appropriate action when the internal event queue is -full. -New: RHEL 8 must take appropriate action when the internal event queue is full. ---- -SV-230481: -Old: RHEL 8 must encrypt the transfer of audit records off-loaded onto a -different system or media from the system being audited. -New: RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. ---- -SV-230482: -Old: RHEL 8 must authenticate the remote logging server for off-loading -audit logs. -New: RHEL 8 must authenticate the remote logging server for off-loading audit logs. ---- -SV-230483: -Old: RHEL 8 must take action when allocated audit record storage volume - reaches 75 percent of the repository maximum audit record storage capacity. 
-New: RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. ---- -SV-230484: -Old: RHEL 8 must securely compare internal information system clocks at -least every 24 hours with a server synchronized to an authoritative time -source, such as the United States Naval Observatory (USNO) time servers, or a -time server designated for the appropriate DoD network (NIPRNet/SIPRNet), -and/or the Global Positioning System (GPS). -New: RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). ---- -SV-230491: -Old: RHEL 8 must enable mitigations against processor-based -vulnerabilities. -New: RHEL 8 must enable mitigations against processor-based vulnerabilities. ---- -SV-230493: -Old: RHEL 8 must cover or disable the built-in or attached camera when not -in use. -New: RHEL 8 must cover or disable the built-in or attached camera when not in use. ---- -SV-230497: -Old: RHEL 8 must disable the transparent inter-process communication (TIPC) -protocol. -New: RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. ---- -SV-230500: -Old: RHEL 8 must be configured to prohibit or restrict the use of -functions, ports, protocols, and/or services, as defined in the Ports, -Protocols, and Services Management (PPSM) Category Assignments List (CAL) and -vulnerability assessments. -New: RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
---- -SV-230504: -Old: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy -for allowing connections to other systems. -New: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. ---- -SV-230524: -Old: RHEL 8 must block unauthorized peripherals before establishing a -connection. -New: RHEL 8 must block unauthorized peripherals before establishing a connection. ---- -SV-230525: -Old: A firewall must be able to protect against or limit the effects of -Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting -measures on impacted network interfaces. -New: A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. ---- -SV-230526: -Old: All RHEL 8 networked systems must have and implement SSH to protect -the confidentiality and integrity of transmitted and received information, as -well as information during preparation for transmission. -New: All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. ---- -SV-230527: -Old: RHEL 8 must force a frequent session key renegotiation for SSH -connections to the server. -New: RHEL 8 must force a frequent session key renegotiation for SSH connections to the server. ---- -SV-230530: -Old: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a -graphical user interface is installed. -New: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. ---- -SV-230531: -Old: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be -disabled. -New: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled. 
---- -SV-230533: -Old: The Trivial File Transfer Protocol (TFTP) server package must not be -installed if not required for RHEL 8 operational support. -New: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support. ---- -SV-230534: -Old: The root account must be the only account having unrestricted access -to the RHEL 8 system. -New: The root account must be the only account having unrestricted access to the RHEL 8 system. ---- -SV-230535: -Old: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) -redirect messages from being accepted. -New: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. ---- -SV-230536: -Old: RHEL 8 must not send Internet Control Message Protocol (ICMP) -redirects. -New: RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. ---- -SV-230537: -Old: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) -echoes sent to a broadcast address. -New: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. ---- -SV-230542: -Old: RHEL 8 must not accept router advertisements on all IPv6 interfaces by -default. -New: RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. ---- -SV-230543: -Old: RHEL 8 must not allow interfaces to perform Internet Control Message -Protocol (ICMP) redirects by default. -New: RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. ---- -SV-230544: -Old: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) -redirect messages. -New: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. ---- -SV-230545: -Old: RHEL 8 must disable access to network bpf syscall from unprivileged -processes. -New: RHEL 8 must disable access to network bpf syscall from unprivileged processes. 
---- -SV-230551: -Old: The RHEL 8 file integrity tool must be configured to verify extended -attributes. -New: The RHEL 8 file integrity tool must be configured to verify extended attributes. ---- -SV-230552: -Old: The RHEL 8 file integrity tool must be configured to verify Access -Control Lists (ACLs). -New: The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs). ---- -SV-230553: -Old: The graphical display manager must not be installed on RHEL 8 unless -approved. -New: The graphical display manager must not be installed on RHEL 8 unless approved. ---- -SV-230555: -Old: RHEL 8 remote X connections for interactive users must be disabled -unless to fulfill documented and validated mission requirements. -New: RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. ---- -SV-230556: -Old: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the -proxy display. -New: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display. ---- -SV-230557: -Old: If the Trivial File Transfer Protocol (TFTP) server is required, the -RHEL 8 TFTP daemon must be configured to operate in secure mode. -New: If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. ---- -SV-230558: -Old: A File Transfer Protocol (FTP) server package must not be installed -unless mission essential on RHEL 8. -New: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8. ---- -SV-230559: -Old: The gssproxy package must not be installed unless mission essential on -RHEL 8. -New: The gssproxy package must not be installed unless mission essential on RHEL 8. ---- -SV-230560: -Old: The iprutils package must not be installed unless mission essential on -RHEL 8. -New: The iprutils package must not be installed unless mission essential on RHEL 8. 
---- -SV-230561: -Old: The tuned package must not be installed unless mission essential on -RHEL 8. -New: The tuned package must not be installed unless mission essential on RHEL 8. ---- -SV-237642: -Old: RHEL 8 must use the invoking user's password for privilege escalation -when using "sudo". -New: RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". ---- -SV-244519: -Old: RHEL 8 must display a banner before granting local or remote access to -the system via a graphical user logon. -New: RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon. ---- -SV-244521: -Old: RHEL 8 operating systems booted with United Extensible Firmware -Interface (UEFI) must require a unique superusers name upon booting into -single-user mode and maintenance. -New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance. ---- -SV-244523: -Old: RHEL 8 operating systems must require authentication upon booting into -emergency mode. -New: RHEL 8 operating systems must require authentication upon booting into emergency mode. ---- -SV-244524: -Old: The RHEL 8 pam_unix.so module must be configured in the system-auth -file to use a FIPS 140-2 approved cryptographic hashing algorithm for system -authentication. -New: The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. ---- -SV-244527: -Old: RHEL 8 must have the packages required to use the hardware random -number generator entropy gatherer service. -New: RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service. ---- -SV-244530: -Old: RHEL 8 must prevent files with the setuid and setgid bit set from -being executed on the /boot/efi directory. 
-New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. ---- -SV-244531: -Old: All RHEL 8 local interactive user home directory files must have mode -0750 or less permissive. -New: All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. ---- -SV-244532: -Old: RHEL 8 must be configured so that all files and directories contained -in local interactive user home directories are group-owned by a group of which -the home directory owner is a member. -New: RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. ---- -SV-244533: -Old: RHEL 8 must configure the use of the pam_faillock.so module in the -/etc/pam.d/system-auth file. -New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. ---- -SV-244534: -Old: RHEL 8 must configure the use of the pam_faillock.so module in the -/etc/pam.d/password-auth file. -New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. ---- -SV-244535: -Old: RHEL 8 must initiate a session lock for graphical user interfaces when -the screensaver is activated. -New: RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated. ---- -SV-244536: -Old: RHEL 8 must disable the user list at logon for graphical user -interfaces. -New: RHEL 8 must disable the user list at logon for graphical user interfaces. ---- -SV-244538: -Old: RHEL 8 must prevent a user from overriding the session idle-delay -setting for the graphical user interface. -New: RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface. ---- -SV-244539: -Old: RHEL 8 must prevent a user from overriding the screensaver -lock-enabled setting for the graphical user interface. 
-New: RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. ---- -SV-244541: -Old: RHEL 8 must not allow blank or null passwords in the password-auth -file. -New: RHEL 8 must not allow blank or null passwords in the password-auth file. ---- -SV-244542: -Old: RHEL 8 audit records must contain information to establish what type -of events occurred, the source of events, where events occurred, and the -outcome of events. -New: RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. ---- -SV-244543: -Old: RHEL 8 must notify the System Administrator (SA) and Information -System Security Officer (ISSO) (at a minimum) when allocated audit record -storage volume 75 percent utilization. -New: RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. ---- -SV-244546: -Old: The RHEL 8 fapolicy module must be configured to employ a deny-all, -permit-by-exception policy to allow the execution of authorized software -programs. -New: The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. ---- -SV-244550: -Old: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) -redirect messages from being accepted. -New: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. ---- -SV-244554: -Old: RHEL 8 must enable hardening for the Berkeley Packet Filter -Just-in-time compiler. -New: RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. ---- -SV-250315: -Old: RHEL 8 systems, versions 8.2 and above, must configure SELinux context - type to allow the use of a non-default faillock tally directory. 
-New: RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. ---- -SV-257258: -Old: RHEL 8 must terminate idle user sessions. -New: RHEL 8.7 and higher must terminate idle user sessions. ---- -
- -### Updated Descriptions -
- Click to expand. -SV-230221: -Old: -``` -An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - - Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. - - Note: The life-cycle time spans and dates are subject to adjustment. - -``` -New: -``` -An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - -Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. -Note: The life-cycle time spans and dates are subject to adjustment. - -``` ---- -SV-230222: -Old: -``` -Timely patching is critical for maintaining the operational - availability, confidentiality, and integrity of information technology (IT) - systems. 
However, failure to keep operating system and application software - patched is a common mistake made by IT professionals. New patches are released - daily, and it is often difficult for even experienced System Administrators to - keep abreast of all the new patches. When new weaknesses in an operating system - exist, patches are usually made available by the vendor to resolve the - problems. If the most recent security patches and updates are not installed, - unauthorized users may take advantage of weaknesses in the unpatched software. - The lack of prompt attention to patching could result in a system compromise. - -``` -New: -``` -Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. - -``` ---- -SV-230223: -Old: -``` -Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. - -RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. 
The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. - -The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. - -``` -New: -``` -Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. - -RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. - -The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. - - - -``` ---- -SV-230224: -Old: -``` -RHEL 8 systems handling data requiring "data at rest" protections - must employ cryptographic mechanisms to prevent unauthorized disclosure and - modification of the information at rest. 
- - Selection of a cryptographic mechanism is based on the need to protect the -integrity of organizational information. The strength of the mechanism is -commensurate with the security category and/or classification of the -information. Organizations have the flexibility to either encrypt all -information on storage devices (i.e., full disk encryption) or encrypt specific -data structures (e.g., files, records, or fields). - -``` -New: -``` -RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. - -Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). - - - -``` ---- -SV-230225: -Old: -``` -Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
- -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: - -"I've read & consent to terms in IS user agreem't." - -``` -New: -``` -Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DOD policy. 
Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: - -"I've read & consent to terms in IS user agreem't." - - - -``` ---- -SV-230226: -Old: -``` -Display of a standardized and approved use notification before -granting access to the operating system ensures privacy and security -notification verbiage used is consistent with applicable federal laws, -Executive Orders, directives, policies, regulations, standards, and guidance. 
- - System use notifications are required only for access via logon interfaces -with human users and are not required when such human interfaces do not exist. - - The banner must be formatted in accordance with applicable DoD policy. Use -the following verbiage for operating systems that can accommodate banners of -1300 characters: - - "You are accessing a U.S. Government (USG) Information System (IS) that is -provided for USG-authorized use only. - - By using this IS (which includes any device attached to this IS), you -consent to the following conditions: - - -The USG routinely intercepts and monitors communications on this IS for -purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct (PM), law enforcement -(LE), and counterintelligence (CI) investigations. - - -At any time, the USG may inspect and seize data stored on this IS. - - -Communications using, or data stored on, this IS are not private, are -subject to routine monitoring, interception, and search, and may be disclosed -or used for any USG-authorized purpose. - - -This IS includes security measures (e.g., authentication and access -controls) to protect USG interests--not for your personal benefit or privacy. - - -Notwithstanding the above, using this IS does not constitute consent to -PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services -by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User -Agreement for details." - -``` -New: -``` -Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
- -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - - - -``` ---- -SV-230227: -Old: -``` -Display of a standardized and approved use notification before -granting access to the operating system ensures privacy and security -notification verbiage used is consistent with applicable federal laws, -Executive Orders, directives, policies, regulations, standards, and guidance. 
- - System use notifications are required only for access via logon interfaces -with human users and are not required when such human interfaces do not exist. - - The banner must be formatted in accordance with applicable DoD policy. Use -the following verbiage for operating systems that can accommodate banners of -1300 characters: - - "You are accessing a U.S. Government (USG) Information System (IS) that is -provided for USG-authorized use only. - - By using this IS (which includes any device attached to this IS), you -consent to the following conditions: - - -The USG routinely intercepts and monitors communications on this IS for -purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct (PM), law enforcement -(LE), and counterintelligence (CI) investigations. - - -At any time, the USG may inspect and seize data stored on this IS. - - -Communications using, or data stored on, this IS are not private, are -subject to routine monitoring, interception, and search, and may be disclosed -or used for any USG-authorized purpose. - - -This IS includes security measures (e.g., authentication and access -controls) to protect USG interests--not for your personal benefit or privacy. - - -Notwithstanding the above, using this IS does not constitute consent to -PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services -by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User -Agreement for details." - -``` -New: -``` -Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
- -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - - - -``` ---- -SV-230229: -Old: -``` -Without path validation, an informed trust decision by the relying -party cannot be made when presented with any certificate not already explicitly -trusted. - - A trust anchor is an authoritative entity represented via a public key and -associated data. 
It is used in the context of public key infrastructures, X.509 -digital certificates, and DNSSEC. - - When there is a chain of trust, usually the top entity to be trusted -becomes the trust anchor; it can be, for example, a Certification Authority -(CA). A certification path starts with the subject certificate and proceeds -through a number of intermediate certificates up to a trusted root certificate, -typically issued by a trusted CA. - - This requirement verifies that a certification path to an accepted trust -anchor is used for certificate validation and that the path includes status -information. Path validation is necessary for a relying party to make an -informed trust decision when presented with any certificate not already -explicitly trusted. Status information for certification paths includes -certificate revocation lists or online certificate status protocol responses. -Validation of the certificate status information is out of scope for this -requirement. - -``` -New: -``` -Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. - -A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. - -When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. - -This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. 
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. - - - -``` ---- -SV-230230: -Old: -``` -If an unauthorized user obtains access to a private key without a -passcode, that user would have unauthorized access to any system where the -associated public key has been installed. - -``` -New: -``` -If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed. - -``` ---- -SV-230231: -Old: -``` -Passwords need to be protected at all times, and encryption is the -standard method for protecting passwords. If passwords are not encrypted, they -can be plainly read (i.e., clear text) and easily compromised. - - Unapproved mechanisms that are used for authentication to the cryptographic -module are not verified and therefore cannot be relied upon to provide -confidentiality or integrity, and DoD data may be compromised. - - FIPS 140-2 is the current standard for validating that mechanisms used to -access cryptographic modules utilize authentication that meets DoD requirements. - -``` -New: -``` -Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. - -Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
- -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. - -``` ---- -SV-230232: -Old: -``` -The system must use a strong hashing algorithm to store the password. - - Passwords need to be protected at all times, and encryption is the standard -method for protecting passwords. If passwords are not encrypted, they can be -plainly read (i.e., clear text) and easily compromised. - -``` -New: -``` -The system must use a strong hashing algorithm to store the password. - -Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. - -``` ---- -SV-230233: -Old: -``` -The system must use a strong hashing algorithm to store the password. -The system must use a sufficient number of hashing rounds to ensure the -required level of entropy. - - Passwords need to be protected at all times, and encryption is the standard -method for protecting passwords. If passwords are not encrypted, they can be -plainly read (i.e., clear text) and easily compromised. - -``` -New: -``` -The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. - -Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. - -``` ---- -SV-230234: -Old: -``` -If the system does not require valid authentication before it boots -into single-user or maintenance mode, anyone who invokes single-user or -maintenance mode is granted privileged access to all files on the system. 
GRUB -2 is the default boot loader for RHEL 8 and is designed to require a password -to boot into single-user mode or make modifications to the boot menu. - -``` -New: -``` -If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. - -``` ---- -SV-230235: -Old: -``` -If the system does not require valid authentication before it boots -into single-user or maintenance mode, anyone who invokes single-user or -maintenance mode is granted privileged access to all files on the system. GRUB -2 is the default boot loader for RHEL 8 and is designed to require a password -to boot into single-user mode or make modifications to the boot menu. - -``` -New: -``` -If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. - -``` ---- -SV-230236: -Old: -``` -If the system does not require valid root authentication before it -boots into emergency or rescue mode, anyone who invokes emergency or rescue -mode is granted privileged access to all files on the system. - -``` -New: -``` -If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. 
- -``` ---- -SV-230237: -Old: -``` -Unapproved mechanisms that are used for authentication to the -cryptographic module are not verified and therefore cannot be relied upon to -provide confidentiality or integrity, and DoD data may be compromised. - - RHEL 8 systems utilizing encryption are required to use FIPS-compliant -mechanisms for authenticating to cryptographic modules. - - FIPS 140-2 is the current standard for validating that mechanisms used to -access cryptographic modules utilize authentication that meets DoD -requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a -general-purpose computing system. - -``` -New: -``` -Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. - -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. - -``` ---- -SV-230238: -Old: -``` -Unapproved mechanisms that are used for authentication to the -cryptographic module are not verified and therefore cannot be relied upon to -provide confidentiality or integrity, and DoD data may be compromised. - - RHEL 8 systems utilizing encryption are required to use FIPS-compliant -mechanisms for authenticating to cryptographic modules. - - The key derivation function (KDF) in Kerberos is not FIPS compatible. -Ensuring the system does not have any keytab files present prevents system -daemons from using Kerberos for authentication. A keytab is a file containing -pairs of Kerberos principals and encrypted keys. 
- - FIPS 140-2 is the current standard for validating that mechanisms used to -access cryptographic modules utilize authentication that meets DoD -requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a -general-purpose computing system. - -``` -New: -``` -Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. - -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -The key derivation function (KDF) in Kerberos is not FIPS compatible. Ensuring the system does not have any keytab files present prevents system daemons from using Kerberos for authentication. A keytab is a file containing pairs of Kerberos principals and encrypted keys. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. - -``` ---- -SV-230239: -Old: -``` -Unapproved mechanisms that are used for authentication to the -cryptographic module are not verified and therefore cannot be relied upon to -provide confidentiality or integrity, and DoD data may be compromised. - - RHEL 8 systems utilizing encryption are required to use FIPS-compliant -mechanisms for authenticating to cryptographic modules. - - Currently, Kerberos does not utilize FIPS 140-2 cryptography. - - FIPS 140-2 is the current standard for validating that mechanisms used to -access cryptographic modules utilize authentication that meets DoD -requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a -general-purpose computing system. 
- -``` -New: -``` -Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. - -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -Currently, Kerberos does not utilize FIPS 140-2 cryptography. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. - -``` ---- -SV-230240: -Old: -``` -Without verification of the security functions, security functions may -not operate correctly and the failure may go unnoticed. Security function is -defined as the hardware, software, and/or firmware of the information system -responsible for enforcing the system security policy and supporting the -isolation of code and data on which the protection is based. Security -functionality includes, but is not limited to, establishing system accounts, -configuring access authorizations (i.e., permissions, privileges), setting -events to be audited, and setting intrusion detection parameters. - - This requirement applies to operating systems performing security function -verification/testing and/or systems and environments that require this -functionality. - -``` -New: -``` -Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. - -``` ---- -SV-230241: -Old: -``` -Without verification of the security functions, security functions may -not operate correctly and the failure may go unnoticed. Security function is -defined as the hardware, software, and/or firmware of the information system -responsible for enforcing the system security policy and supporting the -isolation of code and data on which the protection is based. Security -functionality includes, but is not limited to, establishing system accounts, -configuring access authorizations (i.e., permissions, privileges), setting -events to be audited, and setting intrusion detection parameters. - - Policycoreutils contains the policy core utilities that are required for -basic operation of an SELinux-enabled system. These utilities include -load_policy to load SELinux policies, setfile to label filesystems, newrole to -switch roles, and run_init to run /etc/init.d scripts in the proper context. - -``` -New: -``` -Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
- -Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context. - -``` ---- -SV-230243: -Old: -``` -Preventing unauthorized information transfers mitigates the risk of -information, including encrypted representations of information, produced by -the actions of prior users/roles (or the actions of processes acting on behalf -of prior users/roles) from being available to any current users/roles (or -current processes) that obtain access to shared system resources (e.g., -registers, main memory, hard disks) after those resources have been released -back to information systems. The control of information in shared resources is -also commonly referred to as object reuse and residual information protection. - - This requirement generally applies to the design of an information -technology product, but it can also apply to the configuration of particular -information system components that are, or use, such products. This can be -verified by acceptance/validation processes in DoD or other government agencies. - - There may be shared resources with configurable protections (e.g., files in -storage) that may be assessed on specific information system components. - -``` -New: -``` -Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - -This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. - -There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. - -``` ---- -SV-230244: -Old: -``` -Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - - Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - - RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. 
The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - -``` -New: -``` -Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - -RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. 
- - - -``` ---- -SV-230245: -Old: -``` -Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the RHEL 8 system or platform. Additionally, Personally -Identifiable Information (PII) and operational information must not be revealed -through error messages to unauthorized personnel or their designated -representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - -``` -New: -``` -Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - -``` ---- -SV-230246: -Old: -``` -Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the RHEL 8 system or platform. Additionally, Personally -Identifiable Information (PII) and operational information must not be revealed -through error messages to unauthorized personnel or their designated -representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. 
The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - -``` -New: -``` -Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - -``` ---- -SV-230247: -Old: -``` -Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the RHEL 8 system or platform. Additionally, Personally -Identifiable Information (PII) and operational information must not be revealed -through error messages to unauthorized personnel or their designated -representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - -``` -New: -``` -Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. 
- -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - -``` ---- -SV-230248: -Old: -``` -Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the RHEL 8 system or platform. Additionally, Personally -Identifiable Information (PII) and operational information must not be revealed -through error messages to unauthorized personnel or their designated -representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - -``` -New: -``` -Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - -``` ---- -SV-230249: -Old: -``` -Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the RHEL 8 system or platform. 
Additionally, Personally -Identifiable Information (PII) and operational information must not be revealed -through error messages to unauthorized personnel or their designated -representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - -``` -New: -``` -Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - -``` ---- -SV-230250: -Old: -``` -Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the RHEL 8 system or platform. Additionally, Personally -Identifiable Information (PII) and operational information must not be revealed -through error messages to unauthorized personnel or their designated -representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - -``` -New: -``` -Only authorized personnel should be aware of errors and the details of the errors. 
Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - -``` ---- -SV-230251: -Old: -``` -Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. - -``` -New: -``` -Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
- -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - -The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. - - - -``` ---- -SV-230252: -Old: -``` -Without cryptographic integrity protections, information can be -altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DoD nonpublic information systems by -an authorized user (or an information system) communicating through an -external, non-organization-controlled network. Remote access methods include, -for example, dial-up, broadband, and wireless. - - Cryptographic mechanisms used for protecting the integrity of information -include, for example, signed hash functions using asymmetric cryptography -enabling distribution of the public key to verify the hash information while -maintaining the confidentiality of the secret key used to generate the hash. - - RHEL 8 incorporates system-wide crypto policies by default. 
The SSH -configuration file has no effect on the ciphers, MACs, or algorithms unless -specifically defined in the /etc/sysconfig/sshd file. The employed algorithms -can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - - The system will attempt to use the first hash presented by the client that -matches the server list. Listing the values "strongest to weakest" is a -method to ensure the use of the strongest hash available to secure the SSH -connection. - -``` -New: -``` -Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. - -The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. - - - -``` ---- -SV-230253: -Old: -``` -The most important characteristic of a random number generator is its -randomness, namely its ability to deliver random numbers that are impossible to -predict. 
Entropy in computer security is associated with the unpredictability -of a source of randomness. The random source with high entropy tends to -achieve a uniform distribution of random values. Random number generators are -one of the most important building blocks of cryptosystems. - - The SSH implementation in RHEL8 uses the OPENSSL library, which does not -use high-entropy sources by default. By using the SSH_USE_STRONG_RNG -environment variable the OPENSSL random generator is reseeded from /dev/random. - This setting is not recommended on computers without the hardware random -generator because insufficient entropy causes the connection to be blocked -until enough entropy is available. - -``` -New: -``` -The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. - -The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available. - -``` ---- -SV-230254: -Old: -``` -Without cryptographic integrity protections, information can be -altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DoD nonpublic information systems by -an authorized user (or an information system) communicating through an -external, non-organization-controlled network. Remote access methods include, -for example, dial-up, broadband, and wireless. 
- - Cryptographic mechanisms used for protecting the integrity of information -include, for example, signed hash functions using asymmetric cryptography -enabling distribution of the public key to verify the hash information while -maintaining the confidentiality of the secret key used to generate the hash. - - RHEL 8 incorporates system-wide crypto policies by default. The employed -algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config -file. - -``` -New: -``` -Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. - - - -``` ---- -SV-230255: -Old: -``` -Without cryptographic integrity protections, information can be -altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DoD nonpublic information systems by -an authorized user (or an information system) communicating through an -external, non-organization-controlled network. Remote access methods include, -for example, dial-up, broadband, and wireless. 
- - Cryptographic mechanisms used for protecting the integrity of information -include, for example, signed hash functions using asymmetric cryptography -enabling distribution of the public key to verify the hash information while -maintaining the confidentiality of the secret key used to generate the hash. - - RHEL 8 incorporates system-wide crypto policies by default. The employed -algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config -file. - -``` -New: -``` -Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. - - - -``` ---- -SV-230256: -Old: -``` -Without cryptographic integrity protections, information can be -altered by unauthorized users without detection. - - Transport Layer Security (TLS) encryption is a required security setting as -a number of known vulnerabilities have been reported against Secure Sockets -Layer (SSL) and earlier versions of TLS. Encryption of private information is -essential to ensuring data confidentiality. If private information is not -encrypted, it can be intercepted and easily read by an unauthorized party. 
SQL -Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all -non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 -specifies the preferred configurations for government systems. - - Cryptographic mechanisms used for protecting the integrity of information -include, for example, signed hash functions using asymmetric cryptography -enabling distribution of the public key to verify the hash information while -maintaining the confidentiality of the secret key used to generate the hash. - - The GnuTLS library offers an API to access secure communications protocols. - SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto -policy defines employed algorithms in the -/etc/crypto-policies/back-ends/gnutls.config file. - -``` -New: -``` -Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library. 
The RHEL 8 system-wide crypto policy defines employed algorithms in the /etc/crypto-policies/back-ends/gnutls.config file. - - - -``` ---- -SV-230257: -Old: -``` -If RHEL 8 were to allow any user to make changes to software -libraries, then those changes might be implemented without undergoing the -appropriate testing and approvals that are part of a robust change management -process. - - This requirement applies to RHEL 8 with software libraries that are -accessible and configurable, as in the case of interpreted languages. Software -libraries also include privileged programs that execute with escalated -privileges. Only qualified and authorized individuals will be allowed to obtain -access to information system components for purposes of initiating changes, -including upgrades and modifications. - -``` -New: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-230258: -Old: -``` -If RHEL 8 were to allow any user to make changes to software -libraries, then those changes might be implemented without undergoing the -appropriate testing and approvals that are part of a robust change management -process. - - This requirement applies to RHEL 8 with software libraries that are -accessible and configurable, as in the case of interpreted languages. Software -libraries also include privileged programs that execute with escalated -privileges. 
Only qualified and authorized individuals will be allowed to obtain -access to information system components for purposes of initiating changes, -including upgrades and modifications. - -``` -New: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-230259: -Old: -``` -If RHEL 8 were to allow any user to make changes to software -libraries, then those changes might be implemented without undergoing the -appropriate testing and approvals that are part of a robust change management -process. - - This requirement applies to RHEL 8 with software libraries that are -accessible and configurable, as in the case of interpreted languages. Software -libraries also include privileged programs that execute with escalated -privileges. Only qualified and authorized individuals will be allowed to obtain -access to information system components for purposes of initiating changes, -including upgrades and modifications. - -``` -New: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. 
Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-230260: -Old: -``` -If RHEL 8 were to allow any user to make changes to software -libraries, then those changes might be implemented without undergoing the -appropriate testing and approvals that are part of a robust change management -process. - - This requirement applies to RHEL 8 with software libraries that are -accessible and configurable, as in the case of interpreted languages. Software -libraries also include privileged programs that execute with escalated -privileges. Only qualified and authorized individuals will be allowed to obtain -access to information system components for purposes of initiating changes, -including upgrades and modifications. - -``` -New: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-230261: -Old: -``` -If RHEL 8 were to allow any user to make changes to software -libraries, then those changes might be implemented without undergoing the -appropriate testing and approvals that are part of a robust change management -process. - - This requirement applies to RHEL 8 with software libraries that are -accessible and configurable, as in the case of interpreted languages. 
Software -libraries also include privileged programs that execute with escalated -privileges. Only qualified and authorized individuals will be allowed to obtain -access to information system components for purposes of initiating changes, -including upgrades and modifications. - -``` -New: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-230262: -Old: -``` -If RHEL 8 were to allow any user to make changes to software -libraries, then those changes might be implemented without undergoing the -appropriate testing and approvals that are part of a robust change management -process. - - This requirement applies to RHEL 8 with software libraries that are -accessible and configurable, as in the case of interpreted languages. Software -libraries also include privileged programs that execute with escalated -privileges. Only qualified and authorized individuals will be allowed to obtain -access to information system components for purposes of initiating changes, -including upgrades and modifications. - -``` -New: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-230263: -Old: -``` -Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. - -Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. - -This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. - -RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. 
- -``` -New: -``` -Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. - -Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. - -This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. - -RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. - - - -``` ---- -SV-230264: -Old: -``` -Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the software -has not been tampered with and that it has been provided by a trusted vendor. 
- - Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. - - Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This verifies the -software has not been tampered with and that it has been provided by a trusted -vendor. Self-signed certificates are disallowed by this requirement. The -operating system should not have to verify the software again. This requirement -does not mandate DoD certificates for this purpose; however, the certificate -used to verify the software must be from an approved CA. - -``` -New: -``` -Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. - -``` ---- -SV-230265: -Old: -``` -Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the software -has not been tampered with and that it has been provided by a trusted vendor. 
- - Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. - - Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This verifies the -software has not been tampered with and that it has been provided by a trusted -vendor. Self-signed certificates are disallowed by this requirement. The -operating system should not have to verify the software again. This requirement -does not mandate DoD certificates for this purpose; however, the certificate -used to verify the software must be from an approved CA. - -``` -New: -``` -Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. - -``` ---- -SV-230267: -Old: -``` -Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). 
Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - -When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - -By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
- -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. -/etc/sysctl.d/*.conf -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf - -``` -New: -``` -Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - -When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. 
The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - -By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. -/etc/sysctl.d/*.conf -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf - - - -``` ---- -SV-230268: -Old: -``` -Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. 
An example of DAC includes user-controlled file permissions. - - When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - - By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - - /etc/sysctl.d/*.conf - /run/sysctl.d/*.conf - /usr/local/lib/sysctl.d/*.conf - /usr/lib/sysctl.d/*.conf - /lib/sysctl.d/*.conf - /etc/sysctl.conf - -``` -New: -``` -Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - -When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - -By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. -/etc/sysctl.d/*.conf -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf - - - -``` ---- -SV-230271: -Old: -``` -Without reauthentication, users may access resources or perform tasks -for which they do not have authorization. - - When operating systems provide the capability to escalate a functional -capability, it is critical the user reauthenticate. - -``` -New: -``` -Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - - - -``` ---- -SV-230272: -Old: -``` -Without reauthentication, users may access resources or perform tasks -for which they do not have authorization. 
- - When operating systems provide the capability to escalate a functional -capability, it is critical the user reauthenticate. - -``` -New: -``` -Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - - - -``` ---- -SV-230273: -Old: -``` -Using an authentication device, such as a DoD Common Access Card (CAC) - or token that is separate from the information system, ensures that even if the - information system is compromised, credentials stored on the authentication - device will not be affected. - - Multifactor solutions that require devices separate from information - systems gaining access include, for example, hardware tokens providing - time-based or challenge-response authenticators and smart cards such as the - U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. - - A privileged account is defined as an information system account with - authorizations of a privileged user. - - Remote access is access to DoD nonpublic information systems by an - authorized user (or an information system) communicating through an external, - non-organization-controlled network. Remote access methods include, for - example, dial-up, broadband, and wireless. - - This requirement only applies to components where this is specific to the - function of the device or has the concept of an organizational user (e.g., VPN, - proxy capability). This does not apply to authentication for the purpose of - configuring the device itself (management). - -``` -New: -``` -Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. 
- -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -``` ---- -SV-230274: -Old: -``` -Using an authentication device, such as a DoD Common Access Card (CAC) - or token that is separate from the information system, ensures that even if the - information system is compromised, credentials stored on the authentication - device will not be affected. - - Multifactor solutions that require devices separate from information - systems gaining access include, for example, hardware tokens providing - time-based or challenge-response authenticators and smart cards such as the - U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. - - RHEL 8 includes multiple options for configuring certificate status -checking, but for this requirement focuses on the System Security Services -Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol -(OCSP) checking and certificate verification using a sha256 digest function. 
- -``` -New: -``` -Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. - -RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. - - - -``` ---- -SV-230275: -Old: -``` -The use of PIV credentials facilitates standardization and reduces the - risk of unauthorized access. - - The DoD has mandated the use of the Common Access Card (CAC) to support - identity management and personal authentication for systems covered under - Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a - primary component of layered protection for national security systems. - -``` -New: -``` -The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. - -The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. - -``` ---- -SV-230276: -Old: -``` -Some adversaries launch attacks with the intent of executing code in -non-executable regions of memory or in memory locations that are prohibited. 
-Security safeguards employed to protect memory include, for example, data -execution prevention and address space layout randomization. Data execution -prevention safeguards can be either hardware-enforced or software-enforced with -hardware providing the greater strength of mechanism. - - Examples of attacks are buffer overflow attacks. - -``` -New: -``` -Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Examples of attacks are buffer overflow attacks. - -``` ---- -SV-230277: -Old: -``` -Some adversaries launch attacks with the intent of executing code in -non-executable regions of memory or in memory locations that are prohibited. -Security safeguards employed to protect memory include, for example, data -execution prevention and address space layout randomization. Data execution -prevention safeguards can be either hardware-enforced or software-enforced with -hardware providing the greater strength of mechanism. - - Poisoning writes an arbitrary value to freed pages, so any modification or -reference to that page after being freed or before being initialized will be -detected and prevented. This prevents many types of use-after-free -vulnerabilities at little performance cost. Also prevents leak of data and -detection of corrupted memory. - -``` -New: -``` -Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. 
Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. - - - -``` ---- -SV-230278: -Old: -``` -Syscalls are special routines in the Linux kernel, which userspace -applications ask to do privileged tasks. Invoking a system call is an -expensive operation because the processor must interrupt the currently -executing task and switch context to kernel mode and then back to userspace -after the system call completes. Virtual Syscalls map into user space a page -that contains some variables and the implementation of some system calls. This -allows the system calls to be executed in userspace to alleviate the context -switching expense. - - Virtual Syscalls provide an opportunity of attack for a user who has -control of the return instruction pointer. Disabling vsyscalls help to prevent -return oriented programming (ROP) attacks via buffer overflows and overruns. If -the system intends to run containers based on RHEL 6 components, then virtual -syscalls will need enabled so the components function properly. - -``` -New: -``` -Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. 
-
-Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly.
-
-
-
-```
----
-SV-230279:
-Old:
-```
-Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
-
-Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
-
-SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator.
-
-```
-New:
-```
-Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
-
-Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory.
-
-SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator.
-
-
-
-```
----
-SV-230281:
-Old:
-```
-Previous versions of software components that are not removed from the
-information system after updates have been installed may be exploited by
-adversaries. Some information technology products may remove older versions of
-software automatically from the information system.
-
-```
-New:
-```
-Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
-
-```
----
-SV-230282:
-Old:
-```
-Without verification of the security functions, security functions may
-not operate correctly and the failure may go unnoticed. Security function is
-defined as the hardware, software, and/or firmware of the information system
-responsible for enforcing the system security policy and supporting the
-isolation of code and data on which the protection is based. Security
-functionality includes, but is not limited to, establishing system accounts,
-configuring access authorizations (i.e., permissions, privileges), setting
-events to be audited, and setting intrusion detection parameters.
-
- This requirement applies to operating systems performing security function
-verification/testing and/or systems and environments that require this
-functionality.
-
-```
-New:
-```
-Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
-
-This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.
-
-```
----
-SV-230283:
-Old:
-```
-The "shosts.equiv" files are used to configure host-based
-authentication for the system via SSH. Host-based authentication is not
-sufficient for preventing unauthorized access to the system, as it does not
-require interactive identification and authentication of a connection request,
-or for the use of two-factor authentication.
-
-```
-New:
-```
-The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
-
-```
----
-SV-230284:
-Old:
-```
-The ".shosts" files are used to configure host-based authentication
-for individual users or the system via SSH. Host-based authentication is not
-sufficient for preventing unauthorized access to the system, as it does not
-require interactive identification and authentication of a connection request,
-or for the use of two-factor authentication.
-
-```
-New:
-```
-The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
-
-```
----
-SV-230285:
-Old:
-```
-The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
-
-The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).
-
-```
-New:
-```
-The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
-
-The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).
-
-```
----
-SV-230286:
-Old:
-```
-If a public host key file is modified by an unauthorized user, the SSH
-service may be compromised.
-
-```
-New:
-```
-If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
-
-```
----
-SV-230287:
-Old:
-```
-If an unauthorized user obtains the private SSH host key file, the
-host could be impersonated.
-
-```
-New:
-```
-If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
-
-```
----
-SV-230288:
-Old:
-```
-If other users have access to modify user-specific SSH configuration
-files, they may be able to log on to the system as another user.
-
-```
-New:
-```
-If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
-
-```
----
-SV-230290:
-Old:
-```
-Configuring this setting for the SSH daemon provides additional
-assurance that remote logon via SSH will require a password, even in the event
-of misconfiguration elsewhere.
-
-```
-New:
-```
-Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
-
-```
----
-SV-230291:
-Old:
-```
-Configuring these settings for the SSH daemon provides additional
-assurance that remote logon via SSH will not use unused methods of
-authentication, even in the event of misconfiguration elsewhere.
-
-```
-New:
-```
-Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.
-
-```
----
-SV-230292:
-Old:
-```
-The use of separate file systems for different paths can protect the
-system from failures resulting from a file system becoming full or failing.
-
-```
-New:
-```
-The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
-
-```
----
-SV-230293:
-Old:
-```
-The use of separate file systems for different paths can protect the
-system from failures resulting from a file system becoming full or failing.
-
-```
-New:
-```
-The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
-
-```
----
-SV-230294:
-Old:
-```
-The use of separate file systems for different paths can protect the
-system from failures resulting from a file system becoming full or failing.
-
-```
-New:
-```
-The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
-
-```
----
-SV-230295:
-Old:
-```
-The use of separate file systems for different paths can protect the
-system from failures resulting from a file system becoming full or failing.
-
-```
-New:
-```
-The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
-
-```
----
-SV-230296:
-Old:
-```
-Even though the communications channel may be encrypted, an additional
-layer of security is gained by extending the policy of not logging on directly
-as root. In addition, logging on with a user-specific account provides
-individual accountability of actions performed on the system.
-
-```
-New:
-```
-Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.
-
-```
----
-SV-230298:
-Old:
-```
-Configuring RHEL 8 to implement organization-wide security
-implementation guides and security checklists ensures compliance with federal
-standards and establishes a common security baseline across the DoD that
-reflects the most restrictive security posture consistent with operational
-requirements.
-
- Configuration settings are the set of parameters that can be changed in
-hardware, software, or firmware components of the system that affect the
-security posture and/or functionality of the system. Security-related
-parameters are those parameters impacting the security state of the system,
-including the parameters required to satisfy other security control
-requirements.
Security-related parameters include, for example: registry
-settings; account, file, directory permission settings; and settings for
-functions, ports, protocols, services, and remote connections.
-
-```
-New:
-```
-Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
-
-Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
-
-```
----
-SV-230299:
-Old:
-```
-The "nosuid" mount option causes the system not to execute
-"setuid" and "setgid" files with owner privileges. This option must be used
-for mounting any file system not containing approved "setuid" and "setguid"
-files. Executing files from untrusted file systems increases the opportunity
-for unprivileged users to attain unauthorized administrative access.
-
-```
-New:
-```
-The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-```
----
-SV-230300:
-Old:
-```
-The "nosuid" mount option causes the system not to execute
-"setuid" and "setgid" files with owner privileges. This option must be used
-for mounting any file system not containing approved "setuid" and "setguid"
-files. Executing files from untrusted file systems increases the opportunity
-for unprivileged users to attain unauthorized administrative access.
-
-```
-New:
-```
-The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-```
----
-SV-230301:
-Old:
-```
-The "nodev" mount option causes the system to not interpret
-character or block special devices. Executing character or block special
-devices from untrusted file systems increases the opportunity for unprivileged
-users to attain unauthorized administrative access. The only legitimate
-location for device files is the /dev directory located on the root partition.
-
-```
-New:
-```
-The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.
-
-```
----
-SV-230302:
-Old:
-```
-The "noexec" mount option causes the system not to execute binary
-files. This option must be used for mounting any file system not containing
-approved binary files, as they may be incompatible. Executing files from
-untrusted file systems increases the opportunity for unprivileged users to
-attain unauthorized administrative access.
-
-```
-New:
-```
-The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-```
----
-SV-230303:
-Old:
-```
-The "nodev" mount option causes the system not to interpret
-character or block special devices. Executing character or block special
-devices from untrusted file systems increases the opportunity for unprivileged
-users to attain unauthorized administrative access.
-
-```
-New:
-```
-The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-```
----
-SV-230304:
-Old:
-```
-The "noexec" mount option causes the system not to execute binary
-files. This option must be used for mounting any file system not containing
-approved binary files, as they may be incompatible. Executing files from
-untrusted file systems increases the opportunity for unprivileged users to
-attain unauthorized administrative access.
-
-```
-New:
-```
-The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-```
----
-SV-230305:
-Old:
-```
-The "nosuid" mount option causes the system not to execute
-"setuid" and "setgid" files with owner privileges. This option must be used
-for mounting any file system not containing approved "setuid" and "setguid"
-files.
Executing files from untrusted file systems increases the opportunity
-for unprivileged users to attain unauthorized administrative access.
-
-```
-New:
-```
-The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-```
----
-SV-230306:
-Old:
-```
-The "noexec" mount option causes the system not to execute binary
-files. This option must be used for mounting any file system not containing
-approved binary as they may be incompatible. Executing files from untrusted
-file systems increases the opportunity for unprivileged users to attain
-unauthorized administrative access.
-
-```
-New:
-```
-The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-```
----
-SV-230307:
-Old:
-```
-The "nodev" mount option causes the system to not interpret
-character or block special devices. Executing character or block special
-devices from untrusted file systems increases the opportunity for unprivileged
-users to attain unauthorized administrative access.
-
-```
-New:
-```
-The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-```
----
-SV-230308:
-Old:
-```
-The "nosuid" mount option causes the system not to execute
-"setuid" and "setgid" files with owner privileges.
This option must be used
-for mounting any file system not containing approved "setuid" and "setguid"
-files. Executing files from untrusted file systems increases the opportunity
-for unprivileged users to attain unauthorized administrative access.
-
-```
-New:
-```
-The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-```
----
-SV-230309:
-Old:
-```
-If user start-up files execute world-writable programs, especially in
-unprotected directories, they could be maliciously modified to destroy user
-files or otherwise compromise the system at the user level. If the system is
-compromised at the user level, it is easier to elevate privileges to eventually
-compromise the system at the root and network level.
-
-```
-New:
-```
-If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
-
-```
----
-SV-230310:
-Old:
-```
-Kernel core dumps may contain the full contents of system memory at
-the time of the crash. Kernel core dumps may consume a considerable amount of
-disk space and may result in denial of service by exhausting the available
-space on the target file system partition.
-
- RHEL 8 installation media presents the option to enable or disable the
-kdump service at the time of system installation.
-
-```
-New:
-```
-Kernel core dumps may contain the full contents of system memory at the time of the crash.
Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.
-
-RHEL 8 installation media presents the option to enable or disable the kdump service at the time of system installation.
-
-```
----
-SV-230312:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data and is
-generally useful only for developers trying to debug problems.
-
- When the kernel invokes systemd-coredumpt to handle a core dump, it runs in
-privileged mode, and will connect to the socket created by the
-systemd-coredump.socket unit. This, in turn, will spawn an unprivileged
-systemd-coredump@.service instance to process the core dump.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
-
-When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.
-
-```
----
-SV-230313:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data and is
-generally useful only for developers trying to debug problems.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
-
-```
----
-SV-230314:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data and is
-generally useful only for developers trying to debug problems.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured.
They increase the risk to the platform by providing additional attack vectors.
-
-A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
-
-```
----
-SV-230315:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data and is
-generally useful only for developers trying to debug problems.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
-
-```
----
-SV-230316:
-Old:
-```
-To provide availability for name resolution services, multiple
-redundant name servers are mandated. A failure in name resolution could lead to
-the failure of security functions requiring name resolution, which may include
-time synchronization, centralized authentication, and remote system logging.
-
-```
-New:
-```
-To provide availability for name resolution services, multiple redundant name servers are mandated.
A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
-
-```
----
-SV-230317:
-Old:
-```
-The executable search path (typically the PATH environment variable)
-contains a list of directories for the shell to search to find executables. If
-this path includes the current working directory (other than the user's home
-directory), executables in these directories may be executed instead of system
-commands. This variable is formatted as a colon-separated list of directories.
-If there is an empty entry, such as a leading or trailing colon or two
-consecutive colons, this is interpreted as the current working directory. If
-deviations from the default system search path for the local interactive user
-are required, they must be documented with the Information System Security
-Officer (ISSO).
-
-```
-New:
-```
-The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
-
-```
----
-SV-230318:
-Old:
-```
-If a world-writable directory is not owned by root, sys, bin, or an
-application User Identifier (UID), unauthorized users may be able to modify
-files created by others.
-
- The only authorized public directories are those temporary directories
-supplied with the system or those designed to be temporary file repositories.
-The setting is normally reserved for directories used by the system and by
-users for temporary file storage, (e.g., /tmp), and for directories requiring
-global read/write access.
-
-```
-New:
-```
-If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
-
-The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.
-
-```
----
-SV-230319:
-Old:
-```
-If a world-writable directory is not group-owned by root, sys, bin, or
-an application Group Identifier (GID), unauthorized users may be able to modify
-files created by others.
-
- The only authorized public directories are those temporary directories
-supplied with the system or those designed to be temporary file repositories.
-The setting is normally reserved for directories used by the system and by
-users for temporary file storage, (e.g., /tmp), and for directories requiring
-global read/write access.
-
-```
-New:
-```
-If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
-
-The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.
-
-```
----
-SV-230320:
-Old:
-```
-If local interactive users are not assigned a valid home directory,
-there is no place for the storage and control of files they should own.
-
-```
-New:
-```
-If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
-
-```
----
-SV-230321:
-Old:
-```
-Excessive permissions on local interactive user home directories may
-allow unauthorized access to user files by other users.
-
-```
-New:
-```
-Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
-
-```
----
-SV-230322:
-Old:
-```
-If the Group Identifier (GID) of a local interactive user’s home
-directory is not the same as the primary GID of the user, this would allow
-unauthorized access to the user’s files, and users that share the same group
-may not be able to access files that they legitimately should.
-
-```
-New:
-```
-If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.
-
-```
----
-SV-230323:
-Old:
-```
-If a local interactive user has a home directory defined that does not
-exist, the user may be given access to the "/" directory as the current
-working directory upon logon. This could create a denial of service because the
-user would not be able to access their logon configuration files, and it may
-give them visibility to system files they normally would not be able to access.
-
-```
-New:
-```
-If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon.
This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. - -``` ---- -SV-230324: -Old: -``` -If local interactive users are not assigned a valid home directory, -there is no place for the storage and control of files they should own. - -``` -New: -``` -If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. - -``` ---- -SV-230325: -Old: -``` -Local initialization files are used to configure the user's shell -environment upon logon. Malicious modification of these files could compromise -accounts upon logon. - -``` -New: -``` -Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. - -``` ---- -SV-230326: -Old: -``` -Unowned files and directories may be unintentionally inherited if a -user is assigned the same User Identifier "UID" as the UID of the un-owned -files. - -``` -New: -``` -Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files. - -``` ---- -SV-230327: -Old: -``` -Files without a valid group owner may be unintentionally inherited if -a group is assigned the same Group Identifier (GID) as the GID of the files -without a valid group owner. - -``` -New: -``` -Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner. - -``` ---- -SV-230328: -Old: -``` -The use of separate file systems for different paths can protect the -system from failures resulting from a file system becoming full or failing. 
- -``` -New: -``` -The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - -``` ---- -SV-230329: -Old: -``` -Failure to restrict system access to authenticated users negatively -impacts operating system security. - -``` -New: -``` -Failure to restrict system access to authenticated users negatively impacts operating system security. - -``` ---- -SV-230330: -Old: -``` -SSH environment options potentially allow users to bypass access -restriction in some configurations. - -``` -New: -``` -SSH environment options potentially allow users to bypass access restriction in some configurations. - -``` ---- -SV-230331: -Old: -``` -If temporary user accounts remain active when no longer needed or for -an excessive period, these accounts may be used to gain unauthorized access. To -mitigate this risk, automated termination of all temporary accounts must be set -upon account creation. - - Temporary accounts are established as part of normal account activation -procedures when there is a need for short-term accounts without the demand for -immediacy in account activation. - - If temporary accounts are used, RHEL 8 must be configured to automatically -terminate these types of accounts after a DoD-defined time period of 72 hours. - - To address access requirements, many RHEL 8 operating systems may be -integrated with enterprise-level authentication/access mechanisms that meet or -exceed access control policy requirements. - -``` -New: -``` -If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. - -Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. 
- -If temporary accounts are used, RHEL 8 must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. - -To address access requirements, many RHEL 8 operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. - -``` ---- -SV-230332: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230333: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. 
- - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230334: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. 
- - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230335: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. 
- -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230336: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. 
- -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230337: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. 
If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230338: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230339: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) 
users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230340: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. 
- -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230341: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230342: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. 
- -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - - - -``` ---- -SV-230343: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230344: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. 
- -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - - - -``` ---- -SV-230345: -Old: -``` -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230346: -Old: -``` -Operating system management includes the ability to control the number -of users and user sessions that utilize an operating system. Limiting the -number of allowed users and sessions per user is helpful in reducing the risks -related to DoS attacks. - - This requirement addresses concurrent sessions for information system -accounts and does not address concurrent sessions by single users via multiple -system accounts. The maximum number of concurrent sessions should be defined -based on mission needs and the operational environment for each system. - -``` -New: -``` -Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. - -This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. - -``` ---- -SV-230347: -Old: -``` -A session lock is a temporary action taken when a user stops work and -moves away from the immediate physical vicinity of the information system but -does not want to log out because of the temporary nature of the absence. 
- - The session lock is implemented at the point where session activity can be -determined. - - Regardless of where the session lock is determined and implemented, once -invoked, the session lock must remain in place until the user reauthenticates. -No other activity aside from reauthentication must unlock the system. - -``` -New: -``` -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. - - - -``` ---- -SV-230351: -Old: -``` -A session lock is a temporary action taken when a user stops work and - moves away from the immediate physical vicinity of the information system but - does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be - determined. Rather than be forced to wait for a period of time to expire before - the user session can be locked, RHEL 8 needs to provide users with the ability - to manually invoke a session lock so users can secure their session if it is - necessary to temporarily vacate the immediate physical vicinity. - -``` -New: -``` -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. 
Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - - - -``` ---- -SV-230352: -Old: -``` -A session lock is a temporary action taken when a user stops work and -moves away from the immediate physical vicinity of the information system but -does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be -determined. Rather than be forced to wait for a period of time to expire before -the user session can be locked, RHEL 8 needs to provide users with the ability -to manually invoke a session lock so users can secure their session if it is -necessary to temporarily vacate the immediate physical vicinity. - -``` -New: -``` -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - - - -``` ---- -SV-230354: -Old: -``` -A session time-out lock is a temporary action taken when a user stops -work and moves away from the immediate physical vicinity of the information -system but does not log out because of the temporary nature of the absence. 
-Rather than relying on the user to manually lock their operating system session -prior to vacating the vicinity, operating systems need to be able to identify -when a user's session has idled and take action to initiate the session lock. - - The session lock is implemented at the point where session activity can be -determined and/or controlled. - - Implementing session settings will have little value if a user is able to -manipulate these settings from the defaults prescribed in the other -requirements of this implementation guide. - - Locking these settings from non-privileged users is crucial to maintaining -a protected baseline. - -``` -New: -``` -A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled. - -Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. - -Locking these settings from non-privileged users is crucial to maintaining a protected baseline. - - - -``` ---- -SV-230355: -Old: -``` -Without mapping the certificate used to authenticate to the user -account, the ability to determine the identity of the individual user or group -will not be available for forensic analysis. - - There are various methods of mapping certificates to user/group accounts -for RHEL 8. For the purposes of this requirement, the check and fix will -account for Active Directory mapping. 
Some of the other possible methods -include joining the system to a domain and utilizing a Red Hat idM server, or a -local system mapping, where the system is not part of a domain. - -``` -New: -``` -Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. - -There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain. - -``` ---- -SV-230357: -Old: -``` -Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - - RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. -Note that in order to require uppercase characters, without degrading the -"minlen" value, the credit value must be expressed as a negative number in -"/etc/security/pwquality.conf". - -``` -New: -``` -Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". - -``` ---- -SV-230358: -Old: -``` -Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - - RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. -Note that in order to require lower-case characters without degrading the -"minlen" value, the credit value must be expressed as a negative number in -"/etc/security/pwquality.conf". - -``` -New: -``` -Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". 
- -``` ---- -SV-230359: -Old: -``` -Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - - RHEL 8 utilizes "pwquality" as a mechanism to enforce password -complexity. Note that in order to require numeric characters, without degrading -the minlen value, the credit value must be expressed as a negative number in -"/etc/security/pwquality.conf". - -``` -New: -``` -Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". - -``` ---- -SV-230360: -Old: -``` -Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. 
The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - - RHEL 8 utilizes "pwquality" as a mechanism to enforce password -complexity. The "maxclassrepeat" option sets the maximum number of allowed -same consecutive characters in the same class in the new password. - -``` -New: -``` -Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. - -``` ---- -SV-230361: -Old: -``` -Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - - RHEL 8 utilizes "pwquality" as a mechanism to enforce password -complexity. The "maxrepeat" option sets the maximum number of allowed same -consecutive characters in a new password. - -``` -New: -``` -Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. - -``` ---- -SV-230362: -Old: -``` -Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - - RHEL 8 utilizes "pwquality" as a mechanism to enforce password -complexity. The "minclass" option sets the minimum number of required classes -of characters for the new password (digits, uppercase, lowercase, others). - -``` -New: -``` -Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. 
The "minclass" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others). - -``` ---- -SV-230363: -Old: -``` -Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - - RHEL 8 utilizes "pwquality" as a mechanism to enforce password -complexity. The "difok" option sets the number of characters in a password -that must not be present in the old password. - -``` -New: -``` -Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "difok" option sets the number of characters in a password that must not be present in the old password. - -``` ---- -SV-230364: -Old: -``` -Enforcing a minimum password lifetime helps to prevent repeated -password changes to defeat the password reuse or history enforcement -requirement. If users are allowed to immediately and continually change their -password, the password could be repeatedly changed in a short period of time to -defeat the organization's policy regarding password reuse. 
- -``` -New: -``` -Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. - -``` ---- -SV-230365: -Old: -``` -Enforcing a minimum password lifetime helps to prevent repeated -password changes to defeat the password reuse or history enforcement -requirement. If users are allowed to immediately and continually change their -password, the password could be repeatedly changed in a short period of time to -defeat the organization's policy regarding password reuse. - -``` -New: -``` -Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. - -``` ---- -SV-230366: -Old: -``` -Any password, no matter how complex, can eventually be cracked. -Therefore, passwords need to be changed periodically. If RHEL 8 does not limit -the lifetime of passwords and force users to change their passwords, there is -the risk that RHEL 8 passwords could be compromised. - -``` -New: -``` -Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. - -``` ---- -SV-230367: -Old: -``` -Any password, no matter how complex, can eventually be cracked. -Therefore, passwords need to be changed periodically. 
If RHEL 8 does not limit -the lifetime of passwords and force users to change their passwords, there is -the risk that RHEL 8 passwords could be compromised. - -``` -New: -``` -Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. - -``` ---- -SV-230369: -Old: -``` -The shorter the password, the lower the number of possible -combinations that need to be tested before the password is compromised. - - Password complexity, or strength, is a measure of the effectiveness of a -password in resisting attempts at guessing and brute-force attacks. Password -length is one factor of several that helps to determine strength and how long -it takes to crack a password. Use of more characters in a password helps to -increase exponentially the time and/or resources required to compromise the -password. - - RHEL 8 utilizes "pwquality" as a mechanism to enforce password -complexity. Configurations are set in the "etc/security/pwquality.conf" file. - - The "minlen", sometimes noted as minimum length, acts as a "score" of -complexity based on the credit components of the "pwquality" module. By -setting the credit components to a negative value, not only will those -components be required, they will not count towards the total "score" of -"minlen". This will enable "minlen" to require a 15-character minimum. - - The DoD minimum password requirement is 15 characters. - -``` -New: -``` -The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. - -RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. - -The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. - -The DoD minimum password requirement is 15 characters. - -``` ---- -SV-230370: -Old: -``` -The shorter the password, the lower the number of possible -combinations that need to be tested before the password is compromised. - - Password complexity, or strength, is a measure of the effectiveness of a -password in resisting attempts at guessing and brute-force attacks. Password -length is one factor of several that helps to determine strength and how long -it takes to crack a password. Use of more characters in a password helps to -increase exponentially the time and/or resources required to compromise the -password. - - The DoD minimum password requirement is 15 characters. - -``` -New: -``` -The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. - -The DoD minimum password requirement is 15 characters. 
- -``` ---- -SV-230371: -Old: -``` -To ensure accountability and prevent unauthenticated access, -interactive users must be identified and authenticated to prevent potential -misuse and compromise of the system. - - Interactive users include organizational employees or individuals the -organization deems to have equivalent status of employees (e.g., contractors). -Interactive users (and processes acting on behalf of users) must be uniquely -identified and authenticated to all accesses, except for the following: - - 1) Accesses explicitly identified and documented by the organization. -Organizations document specific user actions that can be performed on the -information system without identification or authentication; and - - 2) Accesses that occur through authorized use of group authenticators -without individual authentication. Organizations may require unique -identification of individuals in group accounts (e.g., shared privilege -accounts) or for detailed accountability of individual activity. - -``` -New: -``` -To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. - -Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: - -1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and - -2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. 
- - - -``` ---- -SV-230372: -Old: -``` -Using an authentication device, such as a Common Access Card (CAC) or -token that is separate from the information system, ensures that even if the -information system is compromised, that compromise will not affect credentials -stored on the authentication device. - - Multifactor solutions that require devices separate from information -systems gaining access include, for example, hardware tokens providing -time-based or challenge-response authenticators and smart cards such as the -U.S. Government Personal Identity Verification card and the DoD CAC. - - There are various methods of implementing multifactor authentication for -RHEL 8. Some methods include a local system multifactor account mapping or -joining the system to a domain and utilizing a Red Hat idM server or Microsoft -Windows Active Directory server. Any of these methods will require that the -client operating system handle the multifactor authentication correctly. - -``` -New: -``` -Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD CAC. - -There are various methods of implementing multifactor authentication for RHEL 8. Some methods include a local system multifactor account mapping or joining the system to a domain and utilizing a Red Hat idM server or Microsoft Windows Active Directory server. Any of these methods will require that the client operating system handle the multifactor authentication correctly. 
- - - -``` ---- -SV-230373: -Old: -``` -Inactive identifiers pose a risk to systems and applications because - attackers may exploit an inactive identifier and potentially obtain undetected - access to the system. Owners of inactive accounts will not notice if - unauthorized access to their user account has been obtained. - - RHEL 8 needs to track periods of inactivity and disable application - identifiers after 35 days of inactivity. - -``` -New: -``` -Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. - -RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity. - -``` ---- -SV-230374: -Old: -``` -Temporary accounts are privileged or nonprivileged accounts that are - established during pressing circumstances, such as new software or hardware - configuration or an incident response, where the need for prompt account - activation requires bypassing normal account authorization procedures. - - If any inactive temporary accounts are left enabled on the system and are - not either manually removed or automatically expired within 72 hours, the - security posture of the system will be degraded and exposed to exploitation - by unauthorized users or insider threat actors. - - Temporary accounts are different from emergency accounts. Emergency accounts, - also known as "last resort" or "break glass" accounts, are local logon accounts - enabled on the system for emergency use by authorized system administrators - to manage a system when standard logon methods are failing or not available. - - Emergency accounts are not subject to manual removal or scheduled expiration - requirements. 
- - The automatic expiration of temporary accounts may be extended as needed by - the circumstances but it must not be extended indefinitely. A documented - permanent account should be established for privileged users who need long-term - maintenance accounts. - -``` -New: -``` -Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. - -Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. - -The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts. - -``` ---- -SV-230375: -Old: -``` -Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. 
The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - - RHEL 8 utilizes "pwquality" as a mechanism to enforce password -complexity. Note that to require special characters without degrading the -"minlen" value, the credit value must be expressed as a negative number in -"/etc/security/pwquality.conf". - -``` -New: -``` -Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". - -``` ---- -SV-230376: -Old: -``` -If cached authentication information is out-of-date, the validity of -the authentication information may be questionable. - -RHEL 8 includes multiple options for configuring authentication, but this -requirement will be focus on the System Security Services Daemon (SSSD). By -default sssd does not cache credentials. - -``` -New: -``` -If cached authentication information is out-of-date, the validity of the authentication information may be questionable. - -RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials. 
- -``` ---- -SV-230377: -Old: -``` -If RHEL 8 allows the user to select passwords based on dictionary -words, this increases the chances of password compromise by increasing the -opportunity for successful guesses, and brute-force attacks. - -``` -New: -``` -If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. - -``` ---- -SV-230378: -Old: -``` -Configuring the operating system to implement organization-wide -security implementation guides and security checklists verifies compliance with -federal standards and establishes a common security baseline across the DoD -that reflects the most restrictive security posture consistent with operational -requirements. - - Configuration settings are the set of parameters that can be changed in -hardware, software, or firmware components of the system that affect the -security posture and/or functionality of the system. Security-related -parameters are those parameters impacting the security state of the system, -including the parameters required to satisfy other security control -requirements. Security-related parameters include, for example, registry -settings; account, file, and directory permission settings; and settings for -functions, ports, protocols, services, and remote connections. - -``` -New: -``` -Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. - -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - -``` ---- -SV-230379: -Old: -``` -Accounts providing no operational purpose provide additional -opportunities for system compromise. Unnecessary accounts include user accounts -for individuals not requiring access to the system and application accounts for -applications not installed on the system. - -``` -New: -``` -Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. - -``` ---- -SV-230380: -Old: -``` -If an account has an empty password, anyone could log on and run -commands with the privileges of that account. Accounts with empty passwords -should never be used in operational environments. - -``` -New: -``` -If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. - -``` ---- -SV-230381: -Old: -``` -Providing users with feedback on when account accesses last occurred -facilitates user recognition and reporting of unauthorized account use. - -``` -New: -``` -Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. - -``` ---- -SV-230382: -Old: -``` -Providing users with feedback on when account accesses via SSH last -occurred facilitates user recognition and reporting of unauthorized account -use. 
- -``` -New: -``` -Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use. - -``` ---- -SV-230383: -Old: -``` -Setting the most restrictive default permissions ensures that when new -accounts are created, they do not have unnecessary access. - -``` -New: -``` -Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. - -``` ---- -SV-230384: -Old: -``` -The umask controls the default access mode assigned to newly created -files. A umask of 077 limits new files to mode 600 or less permissive. Although -umask can be represented as a four-digit number, the first digit representing -special access modes is typically ignored or required to be "0". This -requirement applies to the globally configured system defaults and the local -interactive user defaults for each account on the system. - -``` -New: -``` -The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. - -``` ---- -SV-230385: -Old: -``` -The umask controls the default access mode assigned to newly created -files. A umask of 077 limits new files to mode 600 or less permissive. Although -umask can be represented as a four-digit number, the first digit representing -special access modes is typically ignored or required to be "0". This -requirement applies to the globally configured system defaults and the local -interactive user defaults for each account on the system. - -``` -New: -``` -The umask controls the default access mode assigned to newly created files. 
A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. - -``` ---- -SV-230386: -Old: -``` -Misuse of privileged functions, either intentionally or -unintentionally by authorized users, or by unauthorized external entities that -have compromised information system accounts, is a serious and ongoing concern -and can have significant adverse impacts on organizations. Auditing the use of -privileged functions is one way to detect such misuse and identify the risk -from insider threats and the advanced persistent threat. - -``` -New: -``` -Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. - - - -``` ---- -SV-230387: -Old: -``` -Cron logging can be used to trace the successful or unsuccessful -execution of cron jobs. It can also be used to spot intrusions into the use of -the cron facility by unauthorized and malicious users. - -``` -New: -``` -Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. - -``` ---- -SV-230388: -Old: -``` -It is critical for the appropriate personnel to be aware if a system -is at risk of failing to process audit logs as required. 
Without this -notification, the security personnel may be unaware of an impending failure of -the audit capability, and system operation may be adversely affected. - - Audit processing failures include software/hardware errors, failures in the -audit capturing mechanisms, and audit storage capacity being reached or -exceeded. - - This requirement applies to each audit data storage repository (i.e., -distinct information system component where audit records are stored), the -centralized audit storage capacity of organizations (i.e., all audit data -storage repositories combined), or both. - -``` -New: -``` -It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - -``` ---- -SV-230389: -Old: -``` -It is critical for the appropriate personnel to be aware if a system -is at risk of failing to process audit logs as required. Without this -notification, the security personnel may be unaware of an impending failure of -the audit capability, and system operation may be adversely affected. - - Audit processing failures include software/hardware errors, failures in the -audit capturing mechanisms, and audit storage capacity being reached or -exceeded. 
- - This requirement applies to each audit data storage repository (i.e., -distinct information system component where audit records are stored), the -centralized audit storage capacity of organizations (i.e., all audit data -storage repositories combined), or both. - -``` -New: -``` -It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - -``` ---- -SV-230390: -Old: -``` -It is critical for the appropriate personnel to be aware if a system -is at risk of failing to process audit logs as required. Without this -notification, the security personnel may be unaware of an impending failure of -the audit capability, and system operation may be adversely affected. - - Audit processing failures include software/hardware errors, failures in the -audit capturing mechanisms, and audit storage capacity being reached or -exceeded. - - This requirement applies to each audit data storage repository (i.e., -distinct information system component where audit records are stored), the -centralized audit storage capacity of organizations (i.e., all audit data -storage repositories combined), or both. - -``` -New: -``` -It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - -``` ---- -SV-230392: -Old: -``` -It is critical that when RHEL 8 is at risk of failing to process audit -logs as required, it takes action to mitigate the failure. Audit processing -failures include software/hardware errors; failures in the audit capturing -mechanisms; and audit storage capacity being reached or exceeded. Responses to -audit failure depend upon the nature of the failure mode. - - When availability is an overriding concern, other approved actions in -response to an audit failure are as follows: - - 1) If the failure was caused by the lack of audit record storage capacity, -RHEL 8 must continue generating audit records if possible (automatically -restarting the audit service if necessary) and overwriting the oldest audit -records in a first-in-first-out manner. - - 2) If audit records are sent to a centralized collection server and -communication with this server is lost or the server fails, RHEL 8 must queue -audit records locally until communication is restored or until the audit -records are retrieved manually. Upon restoration of the connection to the -centralized collection server, action should be taken to synchronize the local -audit data with the collection server. - -``` -New: -``` -It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. 
Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. - -When availability is an overriding concern, other approved actions in response to an audit failure are as follows: - -1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. - -2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server. - -``` ---- -SV-230393: -Old: -``` -Without establishing what type of events occurred, the source of -events, where events occurred, and the outcome of events, it would be difficult -to establish, correlate, and investigate the events leading up to an outage or -attack. - - Audit record content that may be necessary to satisfy this requirement -includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, -filenames involved, and access control or flow control rules invoked. - -``` -New: -``` -Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
- -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -``` ---- -SV-230394: -Old: -``` -Without establishing what type of events occurred, the source of -events, where events occurred, and the outcome of events, it would be difficult -to establish, correlate, and investigate the events leading up to an outage or -attack. - - Audit record content that may be necessary to satisfy this requirement -includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, -filenames involved, and access control or flow control rules invoked. - - Enriched logging is needed to determine who, what, and when events occur on -a system. Without this, determining root cause of an event will be much more -difficult. - - When audit logs are not labeled before they are sent to a central log -server, the audit data will not be able to be analyzed and tied back to the -correct system. - -``` -New: -``` -Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. 
- -When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. - -``` ---- -SV-230395: -Old: -``` -Without establishing what type of events occurred, the source of -events, where events occurred, and the outcome of events, it would be difficult -to establish, correlate, and investigate the events leading up to an outage or -attack. - - Audit record content that may be necessary to satisfy this requirement -includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, -filenames involved, and access control or flow control rules invoked. - - Enriched logging aids in making sense of who, what, and when events occur -on a system. Without this, determining root cause of an event will be much -more difficult. - -``` -New: -``` -Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. - -``` ---- -SV-230396: -Old: -``` -Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the RHEL 8 system or platform. 
Additionally, Personally -Identifiable Information (PII) and operational information must not be revealed -through error messages to unauthorized personnel or their designated -representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - -``` -New: -``` -Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - - -``` ---- -SV-230397: -Old: -``` -Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the RHEL 8 system or platform. Additionally, Personally -Identifiable Information (PII) and operational information must not be revealed -through error messages to unauthorized personnel or their designated -representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - -``` -New: -``` -Only authorized personnel should be aware of errors and the details of the errors. 
Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - - -``` ---- -SV-230398: -Old: -``` -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 activity. - -``` -New: -``` -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - - - -``` ---- -SV-230399: -Old: -``` -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 activity. - -``` -New: -``` -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. 
- - - -``` ---- -SV-230400: -Old: -``` -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 activity. - -``` -New: -``` -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - - - -``` ---- -SV-230401: -Old: -``` -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 system activity. - -``` -New: -``` -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. - - - -``` ---- -SV-230402: -Old: -``` -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 system activity. - - In immutable mode, unauthorized users cannot execute changes to the audit -system to potentially hide malicious activity and then put the audit rules -back. A system reboot would be noticeable and a system administrator could -then investigate the unauthorized changes. 
- -``` -New: -``` -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. - -In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. - - - -``` ---- -SV-230403: -Old: -``` -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 system activity. - - In immutable mode, unauthorized users cannot execute changes to the audit -system to potentially hide malicious activity and then put the audit rules -back. A system reboot would be noticeable and a system administrator could -then investigate the unauthorized changes. - -``` -New: -``` -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. - -In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. 
- - - -``` ---- -SV-230404: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - - - -``` ---- -SV-230405: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - - - -``` ---- -SV-230406: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). 
- -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - - - -``` ---- -SV-230407: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - - - -``` ---- -SV-230408: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- - - -``` ---- -SV-230409: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - - - -``` ---- -SV-230410: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - - - -``` ---- -SV-230411: -Old: -``` -Without establishing what type of events occurred, the source of -events, where events occurred, and the outcome of events, it would be difficult -to establish, correlate, and investigate the events leading up to an outage or -attack. 
- - Audit record content that may be necessary to satisfy this requirement -includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, -filenames involved, and access control or flow control rules invoked. - - Associating event types with detected events in RHEL 8 audit logs provides -a means of investigating an attack, recognizing resource utilization or -capacity thresholds, or identifying an improperly configured RHEL 8 system. - -``` -New: -``` -Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. - - - -``` ---- -SV-230412: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "su" command allows a -user to run commands with a substitute user and group ID. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". 
The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "su" command allows a user to run commands with a substitute user and group ID. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230413: -Old: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -"Setxattr" is a system call used to set an extended attribute value. -"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. -"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. -"Removexattr" is a system call that removes extended attributes. -"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. -"Lremovexattr" is a system call that removes extended attributes. 
This is used for removal of extended attributes from symbolic links. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -"Setxattr" is a system call used to set an extended attribute value. -"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. -"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. -"Removexattr" is a system call that removes extended attributes. -"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. -"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - - -``` ---- -SV-230418: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "chage" command is -used to change or view user password expiry information. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230419: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "chcon" command is -used to change file SELinux security context. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chcon" command is used to change file SELinux security context. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
- - - -``` ---- -SV-230421: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "ssh-agent" is a -program to hold private keys used for public key authentication. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230422: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. 
- - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "passwd" command is -used to change passwords for user accounts. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "passwd" command is used to change passwords for user accounts. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230423: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "mount" command is -used to mount a filesystem. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". 
The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230424: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "umount" command is -used to unmount a filesystem. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "umount" command is used to unmount a filesystem. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230425: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "mount" syscall is -used to mount a filesystem. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". 
The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230426: -Old: -``` -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -"Unix_update" is a helper program for the "pam_unix" module that updates -the password for a given user. It is not intended to be run directly from the -command line and logs a security violation if done so. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. "Unix_update" is a helper program for the "pam_unix" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
- - - -``` ---- -SV-230427: -Old: -``` -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "postdrop" command creates a file in the maildrop directory and copies -its standard input to the file. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postdrop" command creates a file in the maildrop directory and copies its standard input to the file. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230428: -Old: -``` -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. 
The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "postqueue" command implements the Postfix user interface for queue -management. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postqueue" command implements the Postfix user interface for queue management. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230429: -Old: -``` -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "semanage" command is used to configure certain elements of SELinux -policy without requiring modification to or recompilation from policy sources. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. 
Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230430: -Old: -``` -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "setfiles" command is primarily used to initialize the security context -fields (extended attributes) on one or more filesystems (or parts of them). -Usually it is initially run as part of the SELinux installation process (a step -commonly known as labeling). - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". 
The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling). - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230431: -Old: -``` -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "userhelper" command is not intended to be run interactively. -"Userhelper" provides a basic interface to change a user's password, gecos -information, and shell. The main difference between this program and its -traditional equivalents (passwd, chfn, chsh) is that prompts are written to -standard out to make it easy for a graphical user interface wrapper to -interface to it as a child process. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". 
The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "userhelper" command is not intended to be run interactively. "Userhelper" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230432: -Old: -``` -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "setsebool" command sets the current state of a particular SELinux -boolean or a list of booleans to a given value. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". 
The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux boolean or a list of booleans to a given value. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230433: -Old: -``` -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "unix_chkpwd" command is a helper program for the pam_unix module that -verifies the password of the current user. It also checks password and account -expiration dates in shadow. It is not intended to be run directly from the -command line and logs a security violation if done so. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. 
- -``` -New: -``` -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "unix_chkpwd" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230434: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "ssh-keysign" program -is an SSH helper program for host-based authentication. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. 
- -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230435: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "setfacl" command is -used to set file access control lists. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
The "setfacl" command is used to set file access control lists. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230436: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "pam_timestamp_check" -command is used to check if the default timestamp is valid. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "pam_timestamp_check" command is used to check if the default timestamp is valid. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
- - - -``` ---- -SV-230437: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "newgrp" command is -used to change the current group ID during a login session. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "newgrp" command is used to change the current group ID during a login session. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230438: -Old: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible. - - - -``` ---- -SV-230439: -Old: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. - -The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. -The "rmdir" system call removes empty directories. -The "renameat" system call renames a file, moving it between directories if required. -The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. 
- -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. - -The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. -The "rmdir" system call removes empty directories. -The "renameat" system call renames a file, moving it between directories if required. -The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. 
- - - -``` ---- -SV-230444: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "gpasswd" command is -used to administer /etc/group and /etc/gshadow. Every group can have -administrators, members and a password. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230446: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. 
- - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "delete_module" -command is used to unload a kernel module. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230447: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "crontab" command is -used to maintain crontab files for individual users. Crontab is the program -used to install, remove, or list the tables used to drive the cron daemon. This -is similar to the task scheduler used in other operating systems. 
- - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "crontab" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230448: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "chsh" command is -used to change the login shell. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". 
The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chsh" command is used to change the login shell. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230449: -Old: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. - -The "creat" system call is used to open and possibly create a file or device. -The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". -The "openat" system call opens a file specified by a relative pathname. -The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. 
- -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. - -The "creat" system call is used to open and possibly create a file or device. -The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". -The "openat" system call opens a file specified by a relative pathname. -The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - - -``` ---- -SV-230455: -Old: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. - -The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. -The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. -The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. - -The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. -The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. -The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - - -``` ---- -SV-230456: -Old: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. - -The "fchmod" system call is used to change permissions of a file. -The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. - -The "fchmod" system call is used to change permissions of a file. -The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. 
Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. - - - -``` ---- -SV-230462: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "sudo" command allows -a permitted user to execute a command as the superuser or another user, as -specified by the security policy. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. 
- -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230463: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "usermod" command -modifies the system account files to reflect the changes that are specified on -the command line. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "usermod" command modifies the system account files to reflect the changes that are specified on the command line. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
- - - -``` ---- -SV-230464: -Old: -``` -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "chacl" command is -used to change the access control list of a file or directory. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - -``` ---- -SV-230465: -Old: -``` -Without the capability to generate audit records, it would be -difficult to establish, correlate, and investigate the events relating to an -incident or identify those responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). 
The "kmod" command is -used to control Linux Kernel modules. - - The list of audited events is the set of events for which audits are to be -generated. This set of events is typically a subset of the list of all events -for which the system is capable of generating audit records. - - DoD has defined the list of events for which RHEL 8 will provide an audit -record generation capability as the following: - - 1) Successful and unsuccessful attempts to access, modify, or delete -privileges, security objects, security levels, or categories of information -(e.g., classification levels); - - 2) Access actions, such as successful and unsuccessful logon attempts, -privileged activities or other system-level access, starting and ending time -for user access to the system, concurrent logons from different workstations, -successful and unsuccessful accesses to objects, all program initiations, and -all direct access to the information system; - - 3) All account creations, modifications, disabling, and terminations; and - - 4) All kernel module load, unload, and restart actions. - -``` -New: -``` -Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "kmod" command is used to control Linux Kernel modules. - -The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
- -DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - - - -``` ---- -SV-230466: -Old: -``` -Without the capability to generate audit records, it would be -difficult to establish, correlate, and investigate the events relating to an -incident or identify those responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - The list of audited events is the set of events for which audits are to be -generated. This set of events is typically a subset of the list of all events -for which the system is capable of generating audit records. 
- - DoD has defined the list of events for which RHEL 8 will provide an audit -record generation capability as the following: - - 1) Successful and unsuccessful attempts to access, modify, or delete -privileges, security objects, security levels, or categories of information -(e.g., classification levels); - - 2) Access actions, such as successful and unsuccessful logon attempts, -privileged activities or other system-level access, starting and ending time -for user access to the system, concurrent logons from different workstations, -successful and unsuccessful accesses to objects, all program initiations, and -all direct access to the information system; - - 3) All account creations, modifications, disabling, and terminations; and - - 4) All kernel module load, unload, and restart actions. - - From "Pam_Faillock man" pages: Note the default directory that -pam_faillock uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` -Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
- -DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - -From "Pam_Faillock man" pages: Note the default directory that pam_faillock uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - - -``` ---- -SV-230467: -Old: -``` -Without the capability to generate audit records, it would be -difficult to establish, correlate, and investigate the events relating to an -incident or identify those responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - The list of audited events is the set of events for which audits are to be -generated. This set of events is typically a subset of the list of all events -for which the system is capable of generating audit records. 
- - DoD has defined the list of events for which RHEL 8 will provide an audit -record generation capability as the following: - - 1) Successful and unsuccessful attempts to access, modify, or delete -privileges, security objects, security levels, or categories of information -(e.g., classification levels); - - 2) Access actions, such as successful and unsuccessful logon attempts, -privileged activities or other system-level access, starting and ending time -for user access to the system, concurrent logons from different workstations, -successful and unsuccessful accesses to objects, all program initiations, and -all direct access to the information system; - - 3) All account creations, modifications, disabling, and terminations; and - - 4) All kernel module load, unload, and restart actions. - -``` -New: -``` -Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
- -DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - - - -``` ---- -SV-230468: -Old: -``` -Without the capability to generate audit records, it would be -difficult to establish, correlate, and investigate the events relating to an -incident or identify those responsible for one. - - If auditing is enabled late in the startup process, the actions of some -startup processes may not be audited. Some audit systems also maintain state -information only available if auditing is enabled before a given process is -created. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - The list of audited events is the set of events for which audits are to be -generated. This set of events is typically a subset of the list of all events -for which the system is capable of generating audit records. 
- - DoD has defined the list of events for which RHEL 8 will provide an audit -record generation capability as the following: - - 1) Successful and unsuccessful attempts to access, modify, or delete -privileges, security objects, security levels, or categories of information -(e.g., classification levels); - - 2) Access actions, such as successful and unsuccessful logon attempts, -privileged activities or other system-level access, starting and ending time -for user access to the system, concurrent logons from different workstations, -successful and unsuccessful accesses to objects, all program initiations, and -all direct access to the information system; - - 3) All account creations, modifications, disabling, and terminations; and - - 4) All kernel module load, unload, and restart actions. - -``` -New: -``` -Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
- -DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - - - -``` ---- -SV-230469: -Old: -``` -Without the capability to generate audit records, it would be -difficult to establish, correlate, and investigate the events relating to an -incident or identify those responsible for one. - - If auditing is enabled late in the startup process, the actions of some -startup processes may not be audited. Some audit systems also maintain state -information only available if auditing is enabled before a given process is -created. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - Allocating an audit_backlog_limit of sufficient size is critical in -maintaining a stable boot process. With an insufficient limit allocated, the -system is susceptible to boot failures and crashes. - -``` -New: -``` -Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. 
Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. - -``` ---- -SV-230470: -Old: -``` -Without the capability to generate audit records, it would be -difficult to establish, correlate, and investigate the events relating to an -incident or identify those responsible for one. - - If auditing is enabled late in the startup process, the actions of some -startup processes may not be audited. Some audit systems also maintain state -information only available if auditing is enabled before a given process is -created. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - The list of audited events is the set of events for which audits are to be -generated. This set of events is typically a subset of the list of all events -for which the system is capable of generating audit records. 
- - DoD has defined the list of events for which RHEL 8 will provide an audit -record generation capability as the following: - - 1) Successful and unsuccessful attempts to access, modify, or delete -privileges, security objects, security levels, or categories of information -(e.g., classification levels); - - 2) Access actions, such as successful and unsuccessful logon attempts, -privileged activities or other system-level access, starting and ending time -for user access to the system, concurrent logons from different workstations, -successful and unsuccessful accesses to objects, all program initiations, and -all direct access to the information system; - - 3) All account creations, modifications, disabling, and terminations; and - - 4) All kernel module load, unload, and restart actions. - -``` -New: -``` -Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
- -DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - - - -``` ---- -SV-230471: -Old: -``` -Without the capability to restrict the roles and individuals that can -select which events are audited, unauthorized personnel may be able to prevent -the auditing of critical events. Misconfigured audits may degrade the system's -performance by overwhelming the audit log. Misconfigured audits may also make -it more difficult to establish, correlate, and investigate the events relating -to an incident or identify those responsible for one. - -``` -New: -``` -Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -``` ---- -SV-230472: -Old: -``` -Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. 
- - RHEL 8 systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools, -and the corresponding rights the user enjoys, to make access decisions -regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - -``` -New: -``` -Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - -``` ---- -SV-230473: -Old: -``` -Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. - - RHEL 8 systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools, -and the corresponding rights the user enjoys, to make access decisions -regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. 
Audit tools include custom queries and report -generators. - -``` -New: -``` -Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - - - -``` ---- -SV-230474: -Old: -``` -Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. - - RHEL 8 systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools, -and the corresponding rights the user enjoys, to make access decisions -regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - -``` -New: -``` -Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
- -RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - - - -``` ---- -SV-230475: -Old: -``` -Protecting the integrity of the tools used for auditing purposes is a -critical step toward ensuring the integrity of audit information. Audit -information includes all information (e.g., audit records, audit settings, and -audit reports) needed to successfully audit information system activity. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - - It is not uncommon for attackers to replace the audit tools or inject code -into the existing tools with the purpose of providing the capability to hide or -erase system activity from the audit logs. - - To address this risk, audit tools must be cryptographically signed to -provide the capability to identify when the audit tools have been modified, -manipulated, or replaced. An example is a checksum hash of the file or files. - -``` -New: -``` -Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. 
- -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - -It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. - -To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. - -``` ---- -SV-230476: -Old: -``` -To ensure RHEL 8 systems have a sufficient storage capacity in which -to write the audit logs, RHEL 8 needs to be able to allocate audit record -storage capacity. - - The task of allocating audit record storage capacity is usually performed -during initial installation of RHEL 8. - -``` -New: -``` -To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. - -The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8. - -``` ---- -SV-230477: -Old: -``` -Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Off-loading is a common process in information systems with limited audit -storage capacity. - - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system -utility providing support for message logging. Support for both internet and -UNIX domain sockets enables this utility to support both local and remote -logging. Couple this utility with "gnutls" (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to -securely encrypt and off-load auditing. 
- - Rsyslog provides three ways to forward message: the traditional UDP -transport, which is extremely lossy but standard; the plain TCP based -transport, which loses messages only during certain situations but is widely -available; and the RELP transport, which does not lose messages but is -currently available only as part of the rsyslogd 3.15.0 and above. - Examples of each configuration: - UDP *.* @remotesystemname - TCP *.* @@remotesystemname - RELP *.* :omrelp:remotesystemname:2514 - Note that a port number was given as there is no standard port for RELP. - -``` -New: -``` -Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - -Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. -Examples of each configuration: -UDP *.* @remotesystemname -TCP *.* @@remotesystemname -RELP *.* :omrelp:remotesystemname:2514 -Note that a port number was given as there is no standard port for RELP. - -``` ---- -SV-230478: -Old: -``` -Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Off-loading is a common process in information systems with limited audit -storage capacity. 
- - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system -utility providing support for message logging. Support for both internet and -UNIX domain sockets enables this utility to support both local and remote -logging. Couple this utility with "rsyslog-gnutls" (which is a secure -communications library implementing the SSL, TLS and DTLS protocols), and you -have a method to securely encrypt and off-load auditing. - - Rsyslog provides three ways to forward message: the traditional UDP -transport, which is extremely lossy but standard; the plain TCP based -transport, which loses messages only during certain situations but is widely -available; and the RELP transport, which does not lose messages but is -currently available only as part of the rsyslogd 3.15.0 and above. - Examples of each configuration: - UDP *.* @remotesystemname - TCP *.* @@remotesystemname - RELP *.* :omrelp:remotesystemname:2514 - Note that a port number was given as there is no standard port for RELP. - -``` -New: -``` -Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "rsyslog-gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. 
- -Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. -Examples of each configuration: -UDP *.* @remotesystemname -TCP *.* @@remotesystemname -RELP *.* :omrelp:remotesystemname:2514 -Note that a port number was given as there is no standard port for RELP. - -``` ---- -SV-230479: -Old: -``` -Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Off-loading is a common process in information systems with limited audit -storage capacity. - - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system -utility providing support for message logging. Support for both internet and -UNIX domain sockets enables this utility to support both local and remote -logging. Couple this utility with "gnutls" (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to -securely encrypt and off-load auditing. - - Rsyslog provides three ways to forward message: the traditional UDP -transport, which is extremely lossy but standard; the plain TCP based -transport, which loses messages only during certain situations but is widely -available; and the RELP transport, which does not lose messages but is -currently available only as part of the rsyslogd 3.15.0 and above. - Examples of each configuration: - UDP *.* @remotesystemname - TCP *.* @@remotesystemname - RELP *.* :omrelp:remotesystemname:2514 - Note that a port number was given as there is no standard port for RELP. - -``` -New: -``` -Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
- -Off-loading is a common process in information systems with limited audit storage capacity. - -RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - -Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. -Examples of each configuration: -UDP *.* @remotesystemname -TCP *.* @@remotesystemname -RELP *.* :omrelp:remotesystemname:2514 -Note that a port number was given as there is no standard port for RELP. - - - -``` ---- -SV-230480: -Old: -``` -Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Off-loading is a common process in information systems with limited audit -storage capacity. - - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system -utility providing support for message logging. Support for both internet and -UNIX domain sockets enables this utility to support both local and remote -logging. Couple this utility with "gnutls" (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to -securely encrypt and off-load auditing. - -``` -New: -``` -Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. 
-
-RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
-
-
-
-```
----
-SV-230481:
-Old:
-```
-Information stored in one location is vulnerable to accidental or
-incidental deletion or alteration.
-
- Off-loading is a common process in information systems with limited audit
-storage capacity.
-
- RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
-utility providing support for message logging. Support for both internet and
-UNIX domain sockets enables this utility to support both local and remote
-logging. Couple this utility with "gnutls" (which is a secure communications
-library implementing the SSL, TLS and DTLS protocols), and you have a method to
-securely encrypt and off-load auditing.
-
-```
-New:
-```
-Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
-
-Off-loading is a common process in information systems with limited audit storage capacity.
-
-RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
-
-
-
-```
----
-SV-230482:
-Old:
-```
-Information stored in one location is vulnerable to accidental or
-incidental deletion or alteration.
-
- Off-loading is a common process in information systems with limited audit
-storage capacity.
-
- RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system
-utility providing support for message logging. Support for both internet and
-UNIX domain sockets enables this utility to support both local and remote
-logging. Couple this utility with "gnutls" (which is a secure communications
-library implementing the SSL, TLS and DTLS protocols), and you have a method to
-securely encrypt and off-load auditing.
-
- "Rsyslog" supported authentication modes include:
- anon - anonymous authentication
- x509/fingerprint - certificate fingerprint authentication
- x509/certvalid - certificate validation only
- x509/name - certificate validation and subject name authentication.
-
-```
-New:
-```
-Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
-
-Off-loading is a common process in information systems with limited audit storage capacity.
-
-RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
-
-"Rsyslog" supported authentication modes include:
-anon - anonymous authentication
-x509/fingerprint - certificate fingerprint authentication
-x509/certvalid - certificate validation only
-x509/name - certificate validation and subject name authentication.
-
-
-
-```
----
-SV-230483:
-Old:
-```
-If security personnel are not notified immediately when storage volume
- reaches 75 percent utilization, they are unable to plan for audit record
- storage capacity expansion.
-
-```
-New:
-```
-If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
-
-```
----
-SV-230484:
-Old:
-```
-Inaccurate time stamps make it more difficult to correlate events and
-can lead to an inaccurate analysis. Determining the correct time a particular
-event occurred on a system is critical when conducting forensic analysis and
-investigating system events. Sources outside the configured acceptable
-allowance (drift) may be inaccurate.
-
- Synchronizing internal information system clocks provides uniformity of
-time stamps for information systems with multiple system clocks and systems
-connected over a network.
-
- Organizations should consider endpoints that may not have regular access to
-the authoritative time server (e.g., mobile, teleworking, and tactical
-endpoints).
-
- If time stamps are not consistently applied and there is no common time
-reference, it is difficult to perform forensic analysis.
-
- Time stamps generated by the operating system include date and time. Time
-is commonly expressed in Coordinated Universal Time (UTC), a modern
-continuation of Greenwich Mean Time (GMT), or local time with an offset from
-UTC.
-
- RHEL 8 utilizes the "timedatectl" command to view the status of the
-"systemd-timesyncd.service". The "timedatectl" status will display the
-local time, UTC, and the offset from UTC.
-
- Note that USNO offers authenticated NTP service to DoD and U.S. Government
-agencies operating on the NIPR and SIPR networks. Visit
-https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.
-
-```
-New:
-```
-Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
-
-Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
-
-Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
-
-If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
-
-Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
-
-RHEL 8 utilizes the "timedatectl" command to view the status of the "systemd-timesyncd.service". The "timedatectl" status will display the local time, UTC, and the offset from UTC.
-
-Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.
-
-
-
-```
----
-SV-230487:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Operating systems are capable of providing a wide variety of functions and
-services. Some of the functions and services, provided by default, may not be
-necessary to support essential organizational operations (e.g., key missions,
-functions).
-
- Examples of non-essential capabilities include, but are not limited to,
-games, software packages, tools, and demonstration software not related to
-requirements or providing a wide array of functionality not required for every
-mission, but which cannot be disabled.
-
- Verify the operating system is configured to disable non-essential
-capabilities. The most secure way of ensuring a non-essential capability is
-disabled is to not have the capability installed.
-
- The telnet service provides an unencrypted remote access service that does
-not provide for the confidentiality and integrity of user passwords or the
-remote session.
-
- If a privileged user were to log on using this service, the privileged user
-password could be compromised.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
-
-Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
-
-Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
-
-The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.
-
-If a privileged user were to log on using this service, the privileged user password could be compromised.
-
-```
----
-SV-230488:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Operating systems are capable of providing a wide variety of functions and
-services. Some of the functions and services, provided by default, may not be
-necessary to support essential organizational operations (e.g., key missions,
-functions).
-
- Examples of non-essential capabilities include, but are not limited to,
-games, software packages, tools, and demonstration software not related to
-requirements or providing a wide array of functionality not required for every
-mission, but which cannot be disabled.
-
- Verify the operating system is configured to disable non-essential
-capabilities. The most secure way of ensuring a non-essential capability is
-disabled is to not have the capability installed.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
-
-Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
-
-Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
-
-```
----
-SV-230489:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Operating systems are capable of providing a wide variety of functions and
-services. Some of the functions and services, provided by default, may not be
-necessary to support essential organizational operations (e.g., key missions,
-functions).
-
- Examples of non-essential capabilities include, but are not limited to,
-games, software packages, tools, and demonstration software not related to
-requirements or providing a wide array of functionality not required for every
-mission, but which cannot be disabled.
-
- Verify the operating system is configured to disable non-essential
-capabilities. The most secure way of ensuring a non-essential capability is
-disabled is to not have the capability installed.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
-
-Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
-
-Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
-
-```
----
-SV-230491:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Operating systems are capable of providing a wide variety of functions and
-services. Some of the functions and services, provided by default, may not be
-necessary to support essential organizational operations (e.g., key missions,
-functions).
-
- Examples of non-essential capabilities include, but are not limited to,
-games, software packages, tools, and demonstration software not related to
-requirements or providing a wide array of functionality not required for every
-mission, but which cannot be disabled.
-
- Verify the operating system is configured to disable non-essential
-capabilities. The most secure way of ensuring a non-essential capability is
-disabled is to not have the capability installed.
-
- Kernel page-table isolation is a kernel feature that mitigates the Meltdown
-security vulnerability and hardens the kernel against attempts to bypass kernel
-address space layout randomization (KASLR).
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
-
-Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
-
-Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
-
-Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).
-
-```
----
-SV-230492:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Operating systems are capable of providing a wide variety of functions and
-services. Some of the functions and services, provided by default, may not be
-necessary to support essential organizational operations (e.g., key missions,
-functions).
-
- The rsh-server service provides an unencrypted remote access service that
-does not provide for the confidentiality and integrity of user passwords or the
-remote session and has very weak authentication.
-
- If a privileged user were to log on using this service, the privileged user
-password could be compromised.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
-
-The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.
-
-If a privileged user were to log on using this service, the privileged user password could be compromised.
-
-
-
-```
----
-SV-230493:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Failing to disconnect from collaborative computing devices (i.e., cameras)
-can result in subsequent compromises of organizational information. Providing
-easy methods to physically disconnect from such devices after a collaborative
-computing session helps to ensure participants actually carry out the
-disconnect activity without having to go through complex and tedious procedures.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.
-
-
-
-```
----
-SV-230494:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Failing to disconnect unused protocols can result in a system compromise.
-
- The Asynchronous Transfer Mode (ATM) is a protocol operating on network,
-data link, and physical layers, based on virtual circuits and virtual paths.
-Disabling ATM protects the system against exploitation of any laws in its
-implementation.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Failing to disconnect unused protocols can result in a system compromise.
-
-The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation.
-
-```
----
-SV-230495:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Failing to disconnect unused protocols can result in a system compromise.
-
- The Controller Area Network (CAN) is a serial communications protocol,
-which was initially developed for automotive and is now also used in marine,
-industrial, and medical applications. Disabling CAN protects the system against
-exploitation of any flaws in its implementation.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Failing to disconnect unused protocols can result in a system compromise.
-
-The Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation.
-
-```
----
-SV-230496:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Failing to disconnect unused protocols can result in a system compromise.
-
- The Stream Control Transmission Protocol (SCTP) is a transport layer
-protocol, designed to support the idea of message-oriented communication, with
-several streams of messages within one connection. Disabling SCTP protects the
-system against exploitation of any flaws in its implementation.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Failing to disconnect unused protocols can result in a system compromise.
-
-The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.
-
-```
----
-SV-230497:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Failing to disconnect unused protocols can result in a system compromise.
-
- The Transparent Inter-Process Communication (TIPC) protocol is designed to
-provide communications between nodes in a cluster. Disabling TIPC protects the
-system against exploitation of any flaws in its implementation.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Failing to disconnect unused protocols can result in a system compromise.
-
-The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation.
-
-```
----
-SV-230498:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Removing support for unneeded filesystem types reduces the local attack
-surface of the server.
-
- Compressed ROM/RAM file system (or cramfs) is a read-only file system
-designed for simplicity and space-efficiency. It is mainly used in embedded
-and small-footprint systems.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Removing support for unneeded filesystem types reduces the local attack surface of the server.
-
-Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.
-
-```
----
-SV-230499:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time
-communication. Disabling FireWire protects the system against exploitation of
-any flaws in its implementation.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation.
-
-```
----
-SV-230500:
-Old:
-```
-To prevent unauthorized connection of devices, unauthorized transfer
-of information, or unauthorized tunneling (i.e., embedding of data types within
-data types), organizations must disable or restrict unused or unnecessary
-physical and logical ports/protocols on information systems.
-
- Operating systems are capable of providing a wide variety of functions and
-services. Some of the functions and services provided by default may not be
-necessary to support essential organizational operations. Additionally, it is
-sometimes convenient to provide multiple services from a single component
-(e.g., VPN and IPS); however, doing so increases risk over limiting the
-services provided by any one component.
-
- To support the requirements and principles of least functionality, the
-operating system must support the organizational requirements, providing only
-essential capabilities and limiting the use of ports, protocols, and/or
-services to only those required, authorized, and approved to conduct official
-business or to address authorized quality-of-life issues.
-
-```
-New:
-```
-To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
-
-Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
-
-To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.
-
-```
----
-SV-230502:
-Old:
-```
-Automatically mounting file systems permits easy introduction of
-unknown devices, thereby facilitating malicious activity.
-
-```
-New:
-```
-Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
-
-```
----
-SV-230503:
-Old:
-```
-USB mass storage permits easy introduction of unknown devices, thereby
-facilitating malicious activity.
-
-```
-New:
-```
-USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
-
-
-
-```
----
-SV-230504:
-Old:
-```
-Failure to restrict network connectivity only to authorized systems
-permits inbound connections from malicious systems. It also permits outbound
-connections that may facilitate exfiltration of DoD data.
-
- RHEL 8 incorporates the "firewalld" daemon, which allows for many
-different configurations. One of these configurations is zones. Zones can be
-utilized to a deny-all, allow-by-exception approach. The default "drop" zone
-will drop all incoming network packets unless it is explicitly allowed by the
-configuration file or is related to an outgoing network connection.
-
-```
-New:
-```
-Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
-
-RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.
-
-```
----
-SV-230505:
-Old:
-```
-"Firewalld" provides an easy and effective way to block/limit remote
-access to the system via ports, services, and protocols.
-
- Remote access services, such as those providing remote access to network
-devices and information systems, which lack automated control capabilities,
-increase risk and make remote user access management difficult at best.
-
- Remote access is access to DoD nonpublic information systems by an
-authorized user (or an information system) communicating through an external,
-non-organization-controlled network. Remote access methods include, for
-example, dial-up, broadband, and wireless.
-
- RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement
-action if the audit reveals unauthorized activity. Automated control of remote
-access sessions allows organizations to ensure ongoing compliance with remote
-access policies by enforcing connection rules of remote access applications on
-a variety of information system components (e.g., servers, workstations,
-notebook computers, smartphones, and tablets).
-
-```
-New:
-```
-"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
-
-Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
-
-Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
-
-```
----
-SV-230506:
-Old:
-```
-Without protection of communications with wireless peripherals,
-confidentiality and integrity may be compromised because unprotected
-communications can be intercepted and either read, altered, or used to
-compromise the RHEL 8 operating system.
-
- This requirement applies to wireless peripheral technologies (e.g.,
-wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless
-peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and
-Near Field Communications [NFC]) present a unique challenge by creating an
-open, unsecured port on a computer. Wireless peripherals must meet DoD
-requirements for wireless data transmission and be approved for use by the
-Authorizing Official (AO). Even though some wireless peripherals, such as mice
-and pointing devices, do not ordinarily carry information that need to be
-protected, modification of communications with these wireless peripherals may
-be used to compromise the RHEL 8 operating system. Communication paths outside
-the physical protection of a controlled boundary are exposed to the possibility
-of interception and modification.
-
- Protecting the confidentiality and integrity of communications with
-wireless peripherals can be accomplished by physical means (e.g., employing
-physical barriers to wireless radio frequencies) or by logical means (e.g.,
-employing cryptographic techniques). If physical means of protection are
-employed, then logical means (cryptography) do not have to be employed, and
-vice versa. If the wireless peripheral is only passing telemetry data,
-encryption of the data may not be required.
-
-```
-New:
-```
-Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
-
-This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
-
-Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.
-
-
-
-```
----
-SV-230507:
-Old:
-```
-Without protection of communications with wireless peripherals,
-confidentiality and integrity may be compromised because unprotected
-communications can be intercepted and either read, altered, or used to
-compromise the RHEL 8 operating system.
-
- This requirement applies to wireless peripheral technologies (e.g.,
-wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless
-peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and
-Near Field Communications [NFC]) present a unique challenge by creating an
-open, unsecured port on a computer. Wireless peripherals must meet DoD
-requirements for wireless data transmission and be approved for use by the
-Authorizing Official (AO). Even though some wireless peripherals, such as mice
-and pointing devices, do not ordinarily carry information that need to be
-protected, modification of communications with these wireless peripherals may
-be used to compromise the RHEL 8 operating system. Communication paths outside
-the physical protection of a controlled boundary are exposed to the possibility
-of interception and modification.
-
- Protecting the confidentiality and integrity of communications with
-wireless peripherals can be accomplished by physical means (e.g., employing
-physical barriers to wireless radio frequencies) or by logical means (e.g.,
-employing cryptographic techniques). If physical means of protection are
-employed, then logical means (cryptography) do not have to be employed, and
-vice versa. If the wireless peripheral is only passing telemetry data,
-encryption of the data may not be required.
-
-```
-New:
-```
-Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
-
-This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
-
-Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.
-
-```
----
-SV-230508:
-Old:
-```
-The organization must identify authorized software programs and permit
-execution of authorized software. The process used to identify software
-programs that are authorized to execute on organizational information systems
-is commonly referred to as whitelisting.
- - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. 
This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230509: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230510: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. 
-Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230511: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. 
Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230512: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230513: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. 
-Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230514: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. 
Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230515: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230516: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. 
-Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230517: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. 
Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230518: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230519: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. 
-Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230520: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. 
Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230521: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230522: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. 
-Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230523: -Old: -``` -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - Utilizing a whitelist provides a configuration management method for -allowing the execution of only authorized software. Using only authorized -software decreases risk by limiting the number of potential vulnerabilities. -Verification of whitelisted software occurs prior to execution or at system -startup. 
- - User home directories/folders may contain information of a sensitive -nature. Non-privileged users should coordinate any sharing of information with -an SA through shared resources. - - RHEL 8 ships with many optional packages. One such package is a file access -policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that -determines access rights to files based on attributes of the process and file. -It can be used to either blacklist or whitelist processes or file access. - - Proceed with caution with enforcing the use of this daemon. Improper -configuration may render the system non-functional. The "fapolicyd" API is -not namespace aware and can cause issues when launching or running containers. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. - -User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. - -RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. - -Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. 
The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - - - -``` ---- -SV-230524: -Old: -``` -Without authenticating devices, unidentified or unknown devices may be -introduced, thereby facilitating malicious activity. - - Peripherals include, but are not limited to, such devices as flash drives, -external storage, and printers. - - A new feature that RHEL 8 provides is the USBGuard software framework. The -USBguard-daemon is the main component of the USBGuard software framework. It -runs as a service in the background and enforces the USB device authorization -policy for all USB devices. The policy is defined by a set of rules using a -rule language described in the usbguard-rules.conf file. The policy and the -authorization state of USB devices can be modified during runtime using the -usbguard tool. - - The System Administrator (SA) must work with the site Information System -Security Officer (ISSO) to determine a list of authorized peripherals and -establish rules within the USBGuard software framework to allow only authorized -devices. - -``` -New: -``` -Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. - -Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. - -A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
- -The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. - -``` ---- -SV-230525: -Old: -``` -DoS is a condition when a resource is not available for legitimate -users. When this occurs, the organization either cannot accomplish its mission -or must operate at degraded capacity. - - This requirement addresses the configuration of RHEL 8 to mitigate the -impact of DoS attacks that have occurred or are ongoing on system availability. -For each system, known and potential DoS attacks must be identified and -solutions for each type implemented. A variety of technologies exists to limit -or, in some cases, eliminate the effects of DoS attacks (e.g., limiting -processes or establishing memory partitions). Employing increased capacity and -bandwidth, combined with service redundancy, may reduce the susceptibility to -some DoS attacks. - - Since version 0.6.0, "firewalld" has incorporated "nftables" as its -backend support. Utilizing the limit statement in "nftables" can help to -mitigate DoS attacks. - -``` -New: -``` -DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. - -This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. 
- -Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks. - -``` ---- -SV-230526: -Old: -``` -Without protection of the transmitted information, confidentiality and -integrity may be compromised because unprotected communications can be -intercepted and either read or altered. - - This requirement applies to both internal and external networks and all -types of information system components from which information can be -transmitted (e.g., servers, mobile devices, notebook computers, printers, -copiers, scanners, and facsimile machines). Communication paths outside the -physical protection of a controlled boundary are exposed to the possibility of -interception and modification. - - Protecting the confidentiality and integrity of organizational information -can be accomplished by physical means (e.g., employing physical distribution -systems) or by logical means (e.g., employing cryptographic techniques). If -physical means of protection are employed, then logical means (cryptography) do -not have to be employed, and vice versa. - -``` -New: -``` -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - - - -``` ---- -SV-230527: -Old: -``` -Without protection of the transmitted information, confidentiality and -integrity may be compromised because unprotected communications can be -intercepted and either read or altered. - - This requirement applies to both internal and external networks and all -types of information system components from which information can be -transmitted (e.g., servers, mobile devices, notebook computers, printers, -copiers, scanners, and facsimile machines). Communication paths outside the -physical protection of a controlled boundary are exposed to the possibility of -interception and modification. - - Protecting the confidentiality and integrity of organizational information -can be accomplished by physical means (e.g., employing physical distribution -systems) or by logical means (e.g., employing cryptographic techniques). If -physical means of protection are employed, then logical means (cryptography) do -not have to be employed, and vice versa. - - Session key regeneration limits the chances of a session key becoming -compromised. - -``` -New: -``` -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
- -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - -Session key regeneration limits the chances of a session key becoming compromised. - - - -``` ---- -SV-230529: -Old: -``` -A locally logged-on user, who presses Ctrl-Alt-Delete when at the -console, can reboot the system. If accidentally pressed, as could happen in the -case of a mixed OS environment, this can create the risk of short-term loss of -availability of systems due to unintentional reboot. In a graphical user -environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is -reduced because the user will be prompted before any action is taken. - -``` -New: -``` -A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. - -``` ---- -SV-230530: -Old: -``` -A locally logged-on user, who presses Ctrl-Alt-Delete, when at the -console, can reboot the system. If accidentally pressed, as could happen in the -case of a mixed OS environment, this can create the risk of short-term loss of -availability of systems due to unintentional reboot. In a graphical user -environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is -reduced because the user will be prompted before any action is taken. 
- -``` -New: -``` -A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. - -``` ---- -SV-230531: -Old: -``` -A locally logged-on user who presses Ctrl-Alt-Delete when at the -console can reboot the system. If accidentally pressed, as could happen in the -case of a mixed OS environment, this can create the risk of short-term loss of -availability of systems due to unintentional reboot. In a graphical user -environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is -reduced because the user will be prompted before any action is taken. - -``` -New: -``` -A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. - -``` ---- -SV-230532: -Old: -``` -The debug-shell requires no authentication and provides root -privileges to anyone who has physical access to the machine. While this -feature is disabled by default, masking it adds an additional layer of -assurance that it will not be enabled via a dependency in systemd. This also -prevents attackers with physical access from trivially bypassing security on -the machine through valid troubleshooting configurations and gaining root -access when the system is rebooted. 
- -``` -New: -``` -The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. - -``` ---- -SV-230533: -Old: -``` -If TFTP is required for operational support (such as the transmission -of router configurations) its use must be documented with the Information -System Security Officer (ISSO), restricted to only authorized personnel, and -have access control rules established. - -``` -New: -``` -If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established. - -``` ---- -SV-230534: -Old: -``` -If an account other than root also has a User Identifier (UID) of -"0", it has root authority, giving that account unrestricted access to the -entire operating system. Multiple accounts with a UID of "0" afford an -opportunity for potential intruders to guess a password for a privileged -account. - -``` -New: -``` -If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account. - -``` ---- -SV-230550: -Old: -``` -If unrestricted mail relaying is permitted, unauthorized senders could -use this host as a mail relay for the purpose of sending spam or other -unauthorized activity. 
- -``` -New: -``` -If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. - -``` ---- -SV-230551: -Old: -``` -Extended attributes in file systems are used to contain arbitrary data -and file metadata with security implications. - - RHEL 8 installation media come with a file integrity tool, Advanced -Intrusion Detection Environment (AIDE). - -``` -New: -``` -Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. - -RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). - -``` ---- -SV-230552: -Old: -``` -ACLs can provide permissions beyond those permitted through the file -mode and must be verified by file integrity tools. - - RHEL 8 installation media come with a file integrity tool, Advanced -Intrusion Detection Environment (AIDE). - -``` -New: -``` -ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. - -RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). - -``` ---- -SV-230553: -Old: -``` -Internet services that are not required for system or application -processes must not be active to decrease the attack surface of the system. -Graphical display managers have a long history of security vulnerabilities and -must not be used, unless approved and documented. - -``` -New: -``` -Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. - -``` ---- -SV-230554: -Old: -``` -Network interfaces in promiscuous mode allow for the capture of all -network traffic visible to the system. 
If unauthorized individuals can access -these applications, it may allow them to collect information such as logon IDs, -passwords, and key exchanges between systems. - - If the system is being used to perform a network troubleshooting function, -the use of these tools must be documented with the Information System Security -Officer (ISSO) and restricted to only authorized personnel. - -``` -New: -``` -Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. - -If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel. - -``` ---- -SV-230555: -Old: -``` -The security risk of using X11 forwarding is that the client's X11 -display server may be exposed to attack when the SSH client requests -forwarding. A system administrator may have a stance in which they want to -protect clients that may expose themselves to attack by unwittingly requesting -X11 forwarding, which can warrant a "no" setting. - - X11 forwarding should be enabled with caution. Users with the ability to -bypass file permissions on the remote host (for the user's X11 authorization -database) can access the local X11 display through the forwarded connection. An -attacker may then be able to perform activities such as keystroke monitoring if -the ForwardX11Trusted option is also enabled. - - If X11 services are not required for the system's intended function, they -should be disabled or restricted as appropriate to the system’s needs. - -``` -New: -``` -The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. 
A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting.
-
-X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.
-
-If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.
-
-```
----
-SV-230556:
-Old:
-```
-When X11 forwarding is enabled, there may be additional exposure to
-the server and client displays if the sshd proxy display is configured to
-listen on the wildcard address. By default, sshd binds the forwarding server
-to the loopback address and sets the hostname part of the DIPSLAY environment
-variable to localhost. This prevents remote hosts from connecting to the proxy
-display.
-
-```
-New:
-```
-When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.
-
-```
----
-SV-230557:
-Old:
-```
-Restricting TFTP to a specific directory prevents remote users from
-copying, transferring, or overwriting system files.
-
-```
-New:
-```
-Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.
-
-```
----
-SV-230558:
-Old:
-```
-The FTP service provides an unencrypted remote access that does not
-provide for the confidentiality and integrity of user passwords or the remote
-session. If a privileged user were to log on using this service, the privileged
-user password could be compromised. SSH or other encrypted file transfer
-methods must be used in place of this service.
-
-```
-New:
-```
-The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.
-
-```
----
-SV-230559:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Operating systems are capable of providing a wide variety of functions and
-services. Some of the functions and services, provided by default, may not be
-necessary to support essential organizational operations (e.g., key missions,
-functions).
-
- The gssproxy package is a proxy for GSS API credential handling and could
-expose secrets on some networks. It is not needed for normal function of the OS.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Operating systems are capable of providing a wide variety of functions and services.
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
-
-The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS.
-
-```
----
-SV-230560:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives. These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Operating systems are capable of providing a wide variety of functions and
-services. Some of the functions and services, provided by default, may not be
-necessary to support essential organizational operations (e.g., key missions,
-functions).
-
- The iprutils package provides a suite of utilities to manage and configure
-SCSI devices supported by the ipr SCSI storage device driver.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
-
-The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.
-
-```
----
-SV-230561:
-Old:
-```
-It is detrimental for operating systems to provide, or install by
-default, functionality exceeding requirements or mission objectives.
These
-unnecessary capabilities or services are often overlooked and therefore may
-remain unsecured. They increase the risk to the platform by providing
-additional attack vectors.
-
- Operating systems are capable of providing a wide variety of functions and
-services. Some of the functions and services, provided by default, may not be
-necessary to support essential organizational operations (e.g., key missions,
-functions).
-
- The tuned package contains a daemon that tunes the system settings
-dynamically. It does so by monitoring the usage of several system components
-periodically. Based on that information, components will then be put into lower
-or higher power savings modes to adapt to the current usage. The tuned package
-is not needed for normal OS operations.
-
-```
-New:
-```
-It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
-
-The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations.
-
-```
----
-SV-237640:
-Old:
-```
-Unapproved mechanisms that are used for authentication to the
-cryptographic module are not verified and therefore cannot be relied upon to
-provide confidentiality or integrity, and DoD data may be compromised.
-
- RHEL 8 systems utilizing encryption are required to use FIPS-compliant
-mechanisms for authenticating to cryptographic modules.
-
- Currently, Kerberos does not utilize FIPS 140-2 cryptography.
-
- FIPS 140-2 is the current standard for validating that mechanisms used to
-access cryptographic modules utilize authentication that meets DoD
-requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
-general-purpose computing system.
-
-```
-New:
-```
-Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
-
-RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
-
-Currently, Kerberos does not utilize FIPS 140-2 cryptography.
-
-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
-
-```
----
-SV-237641:
-Old:
-```
-The sudo command allows a user to execute programs with elevated
-(administrator) privileges. It prompts the user for their password and confirms
-your request to execute a command by checking a file, called sudoers. If the
-"sudoers" file is not configured correctly, any user defined on the system
-can initiate privileged actions on the target system.
-
-```
-New:
-```
-The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.
-
-```
----
-SV-237642:
-Old:
-```
-The sudoers security policy requires that users authenticate
-themselves before they can use sudo. When sudoers requires authentication, it
-validates the invoking user's credentials. If the rootpw, targetpw, or runaspw
-flags are defined and not disabled, by default the operating system will prompt
-the invoking user for the "root" user password.
- For more information on each of the listed configurations, reference the
-sudoers(5) manual page.
-
-```
-New:
-```
-The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
-For more information on each of the listed configurations, reference the sudoers(5) manual page.
-
-```
----
-SV-237643:
-Old:
-```
-Without re-authentication, users may access resources or perform tasks
-for which they do not have authorization.
-
- When operating systems provide the capability to escalate a functional
-capability, it is critical the organization requires the user to
-re-authenticate when using the "sudo" command.
-
- If the value is set to an integer less than 0, the user's time stamp will
-not expire and the user will not have to re-authenticate for privileged actions
-until the user's session is terminated.
-
-```
-New:
-```
-Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command.
-
-If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.
-
-```
----
-SV-244519:
-Old:
-```
-Display of a standardized and approved use notification before
-granting access to the operating system ensures privacy and security
-notification verbiage used is consistent with applicable federal laws,
-Executive Orders, directives, policies, regulations, standards, and guidance.
-
- System use notifications are required only for access via logon interfaces
-with human users and are not required when such human interfaces do not exist.
-
-```
-New:
-```
-Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
-
-System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
-
-
-
-```
----
-SV-244523:
-Old:
-```
-If the system does not require valid root authentication before it
-boots into emergency or rescue mode, anyone who invokes emergency or rescue
-mode is granted privileged access to all files on the system.
-
-```
-New:
-```
-If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.
-
-```
----
-SV-244524:
-Old:
-```
-Unapproved mechanisms that are used for authentication to the
-cryptographic module are not verified and therefore cannot be relied upon to
-provide confidentiality or integrity, and DoD data may be compromised.
-
- RHEL 8 systems utilizing encryption are required to use FIPS-compliant
-mechanisms for authenticating to cryptographic modules.
-
- FIPS 140-2 is the current standard for validating that mechanisms used to
-access cryptographic modules utilize authentication that meets DoD
-requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
-general-purpose computing system.
-
-```
-New:
-```
-Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
-
-RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
-
-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
-
-```
----
-SV-244525:
-Old:
-```
-Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
-
-Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
-
-RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold.
The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
-
-```
-New:
-```
-Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
-
-Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
-
-RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client.
If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
-
-
-
-```
----
-SV-244526:
-Old:
-```
-Without cryptographic integrity protections, information can be
-altered by unauthorized users without detection.
-
- Remote access (e.g., RDP) is access to DoD nonpublic information systems by
-an authorized user (or an information system) communicating through an
-external, non-organization-controlled network. Remote access methods include,
-for example, dial-up, broadband, and wireless.
-
- Cryptographic mechanisms used for protecting the integrity of information
-include, for example, signed hash functions using asymmetric cryptography
-enabling distribution of the public key to verify the hash information while
-maintaining the confidentiality of the secret key used to generate the hash.
-
- RHEL 8 incorporates system-wide crypto policies by default. The SSH
-configuration file has no effect on the ciphers, MACs, or algorithms unless
-specifically defined in the /etc/sysconfig/sshd file. The employed algorithms
-can be viewed in the /etc/crypto-policies/back-ends/ directory.
-
-```
-New:
-```
-Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-RHEL 8 incorporates system-wide crypto policies by default.
The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.
-
-
-
-```
----
-SV-244527:
-Old:
-```
-The most important characteristic of a random number generator is its
-randomness, namely its ability to deliver random numbers that are impossible to
-predict. Entropy in computer security is associated with the unpredictability
-of a source of randomness. The random source with high entropy tends to
-achieve a uniform distribution of random values. Random number generators are
-one of the most important building blocks of cryptosystems.
-
- The rngd service feeds random data from hardware device to kernel random
-device. Quality (non-predictable) random number generation is important for
-several security functions (i.e., ciphers).
-
-```
-New:
-```
-The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
-
-The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).
-
-```
----
-SV-244528:
-Old:
-```
-Configuring this setting for the SSH daemon provides additional
-assurance that remote logon via SSH will require a password, even in the event
-of misconfiguration elsewhere.
-
-```
-New:
-```
-Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
-
-```
----
-SV-244529:
-Old:
-```
-The use of separate file systems for different paths can protect the
-system from failures resulting from a file system becoming full or failing.
-
-```
-New:
-```
-The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
-
-```
----
-SV-244530:
-Old:
-```
-The "nosuid" mount option causes the system not to execute
-"setuid" and "setgid" files with owner privileges. This option must be used
-for mounting any file system not containing approved "setuid" and "setguid"
-files. Executing files from untrusted file systems increases the opportunity
-for unprivileged users to attain unauthorized administrative access.
-
-```
-New:
-```
-The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-```
----
-SV-244531:
-Old:
-```
-Excessive permissions on local interactive user home directories may
-allow unauthorized access to user files by other users.
-
-```
-New:
-```
-Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
-
-```
----
-SV-244532:
-Old:
-```
-If a local interactive user's files are group-owned by a group of
-which the user is not a member, unintended users may be able to access them.
-
-```
-New:
-```
-If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
-
-```
----
-SV-244533:
-Old:
-```
-By limiting the number of failed logon attempts, the risk of
-unauthorized system access via user password guessing, otherwise known as
-brute-force attacks, is reduced.
Limits are imposed by locking the account.
-
- In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
-centralize the configuration of the pam_faillock.so module. Also introduced is
-a "local_users_only" option that will only track failed user authentication
-attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
-etc.) users to allow the centralized platform to solely manage user lockout.
-
- From "faillock.conf" man pages: Note that the default directory that
-"pam_faillock" uses is usually cleared on system boot so the access will be
-reenabled after system reboot. If that is undesirable a different tally
-directory must be set with the "dir" option.
- The preauth argument must be used when the module is called before the
-modules which ask for the user credentials such as the password.
-
-```
-New:
-```
-By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-
-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.
-
-
-
-```
----
-SV-244534:
-Old:
-```
-By limiting the number of failed logon attempts, the risk of
-unauthorized system access via user password guessing, otherwise known as
-brute-force attacks, is reduced. Limits are imposed by locking the account.
-
- In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
-centralize the configuration of the pam_faillock.so module. Also introduced is
-a "local_users_only" option that will only track failed user authentication
-attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
-etc.) users to allow the centralized platform to solely manage user lockout.
-
- From "faillock.conf" man pages: Note that the default directory that
-"pam_faillock" uses is usually cleared on system boot so the access will be
-reenabled after system reboot. If that is undesirable a different tally
-directory must be set with the "dir" option.
- The preauth argument must be used when the module is called before the
-modules which ask for the user credentials such as the password.
-
-```
-New:
-```
-By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
-
-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.
-
-
-
-```
----
-SV-244535:
-Old:
-```
-A session time-out lock is a temporary action taken when a user stops
-work and moves away from the immediate physical vicinity of the information
-system but does not log out because of the temporary nature of the absence.
-Rather than relying on the user to manually lock their operating system session
-prior to vacating the vicinity, operating systems need to be able to identify
-when a user's session has idled and take action to initiate the session lock.
-
- The session lock is implemented at the point where session activity can be
-determined and/or controlled.
-
-```
-New:
-```
-A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
-
-The session lock is implemented at the point where session activity can be determined and/or controlled.
-
-
-
-```
----
-SV-244536:
-Old:
-```
-Leaving the user list enabled is a security risk since it allows
-anyone with physical access to the system to enumerate known user accounts
-without authenticated access to the system.
-
-```
-New:
-```
-Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.
-
-```
----
-SV-244538:
-Old:
-```
-A session time-out lock is a temporary action taken when a user stops
-work and moves away from the immediate physical vicinity of the information
-system but does not log out because of the temporary nature of the absence.
-Rather than relying on the user to manually lock their operating system session
-prior to vacating the vicinity, operating systems need to be able to identify
-when a user's session has idled and take action to initiate the session lock.
-
- The session lock is implemented at the point where session activity can be
-determined and/or controlled.
-
- Implementing session settings will have little value if a user is able to
-manipulate these settings from the defaults prescribed in the other
-requirements of this implementation guide.
-
- Locking these settings from non-privileged users is crucial to maintaining
-a protected baseline.
-
-```
-New:
-```
-A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
-
-The session lock is implemented at the point where session activity can be determined and/or controlled.
-
-Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.
-
-Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
-
-
-
-```
----
-SV-244539:
-Old:
-```
-A session time-out lock is a temporary action taken when a user stops
-work and moves away from the immediate physical vicinity of the information
-system but does not log out because of the temporary nature of the absence.
-Rather than relying on the user to manually lock their operating system session
-prior to vacating the vicinity, operating systems need to be able to identify
-when a user's session has idled and take action to initiate the session lock.
-
- The session lock is implemented at the point where session activity can be
-determined and/or controlled.
-
- Implementing session settings will have little value if a user is able to
-manipulate these settings from the defaults prescribed in the other
-requirements of this implementation guide.
-
- Locking these settings from non-privileged users is crucial to maintaining
-a protected baseline.
-
-```
-New:
-```
-A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
-
-The session lock is implemented at the point where session activity can be determined and/or controlled.
-
-Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.
-
-Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
-
-
-
-```
----
-SV-244541:
-Old:
-```
-If an account has an empty password, anyone could log on and run
-commands with the privileges of that account.
Accounts with empty passwords
-should never be used in operational environments.
-
-```
-New:
-```
-If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
-
-```
----
-SV-244542:
-Old:
-```
-Without establishing what type of events occurred, the source of
-events, where events occurred, and the outcome of events, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or
-attack.
-
- Audit record content that may be necessary to satisfy this requirement
-includes, for example, time stamps, source and destination addresses,
-user/process identifiers, event descriptions, success/fail indications,
-filenames involved, and access control or flow control rules invoked.
-
- Associating event types with detected events in RHEL 8 audit logs provides
-a means of investigating an attack, recognizing resource utilization or
-capacity thresholds, or identifying an improperly configured RHEL 8 system.
-
-```
-New:
-```
-Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
-
-Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
-
-Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.
-
-
-
-```
----
-SV-244543:
-Old:
-```
-If security personnel are not notified immediately when storage volume
-reaches 75 percent utilization, they are unable to plan for audit record
-storage capacity expansion.
-
-```
-New:
-```
-If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
-
-```
----
-SV-244544:
-Old:
-```
-"Firewalld" provides an easy and effective way to block/limit remote
-access to the system via ports, services, and protocols.
-
- Remote access services, such as those providing remote access to network
-devices and information systems, which lack automated control capabilities,
-increase risk and make remote user access management difficult at best.
-
- Remote access is access to DoD nonpublic information systems by an
-authorized user (or an information system) communicating through an external,
-non-organization-controlled network. Remote access methods include, for
-example, dial-up, broadband, and wireless.
- RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement
-action if the audit reveals unauthorized activity. Automated control of remote
-access sessions allows organizations to ensure ongoing compliance with remote
-access policies by enforcing connection rules of remote access applications on
-a variety of information system components (e.g., servers, workstations,
-notebook computers, smartphones, and tablets).
-
-```
-New:
-```
-"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
-
-Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
-
-Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
-
-```
----
-SV-244545:
-Old:
-```
-The organization must identify authorized software programs and permit
-execution of authorized software. The process used to identify software
-programs that are authorized to execute on organizational information systems
-is commonly referred to as whitelisting.
-
- Utilizing a whitelist provides a configuration management method for
-allowing the execution of only authorized software. Using only authorized
-software decreases risk by limiting the number of potential vulnerabilities.
-Verification of whitelisted software occurs prior to execution or at system
-startup.
-
- User home directories/folders may contain information of a sensitive
-nature. Non-privileged users should coordinate any sharing of information with
-an SA through shared resources.
-
- RHEL 8 ships with many optional packages. One such package is a file access
-policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that
-determines access rights to files based on attributes of the process and file.
-It can be used to either blacklist or whitelist processes or file access.
-
- Proceed with caution with enforcing the use of this daemon. Improper
-configuration may render the system non-functional.
The "fapolicyd" API is
-not namespace aware and can cause issues when launching or running containers.
-
-```
-New:
-```
-The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
-
-Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
-
-User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
-
-RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
-
-Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
-
-
-
-```
----
-SV-244546:
-Old:
-```
-The organization must identify authorized software programs and permit
-execution of authorized software. The process used to identify software
-programs that are authorized to execute on organizational information systems
-is commonly referred to as whitelisting.
-
- Utilizing a whitelist provides a configuration management method for
-allowing the execution of only authorized software. Using only authorized
-software decreases risk by limiting the number of potential vulnerabilities.
-Verification of whitelisted software occurs prior to execution or at system -startup. - - User home directories/folders may contain information of a sensitive -nature. Non-privileged users should coordinate any sharing of information with -an SA through shared resources. - - RHEL 8 ships with many optional packages. One such package is a file access -policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that -determines access rights to files based on attributes of the process and file. -It can be used to either blacklist or whitelist processes or file access. - - Proceed with caution with enforcing the use of this daemon. Improper -configuration may render the system non-functional. The "fapolicyd" API is -not namespace aware and can cause issues when launching or running containers. - -``` -New: -``` -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. - -User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. - -RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. - -Proceed with caution with enforcing the use of this daemon. 
Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - - - -``` ---- -SV-244547: -Old: -``` -Without authenticating devices, unidentified or unknown devices may be -introduced, thereby facilitating malicious activity. - Peripherals include, but are not limited to, such devices as flash drives, -external storage, and printers. - A new feature that RHEL 8 provides is the USBGuard software framework. The -USBguard-daemon is the main component of the USBGuard software framework. It -runs as a service in the background and enforces the USB device authorization -policy for all USB devices. The policy is defined by a set of rules using a -rule language described in the usbguard-rules.conf file. The policy and the -authorization state of USB devices can be modified during runtime using the -usbguard tool. - - The System Administrator (SA) must work with the site Information System -Security Officer (ISSO) to determine a list of authorized peripherals and -establish rules within the USBGuard software framework to allow only authorized -devices. - -``` -New: -``` -Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. -Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. -A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
- -The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. - -``` ---- -SV-244548: -Old: -``` -Without authenticating devices, unidentified or unknown devices may be -introduced, thereby facilitating malicious activity. - - Peripherals include, but are not limited to, such devices as flash drives, -external storage, and printers. - - A new feature that RHEL 8 provides is the USBGuard software framework. The -USBguard-daemon is the main component of the USBGuard software framework. It -runs as a service in the background and enforces the USB device authorization -policy for all USB devices. The policy is defined by a set of rules using a -rule language described in the usbguard-rules.conf file. The policy and the -authorization state of USB devices can be modified during runtime using the -usbguard tool. - - The System Administrator (SA) must work with the site Information System -Security Officer (ISSO) to determine a list of authorized peripherals and -establish rules within the USBGuard software framework to allow only authorized -devices. - -``` -New: -``` -Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. - -Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. - -A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
- -The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. - -``` ---- -SV-244549: -Old: -``` -Without protection of the transmitted information, confidentiality and -integrity may be compromised because unprotected communications can be -intercepted and either read or altered. - - This requirement applies to both internal and external networks and all -types of information system components from which information can be -transmitted (e.g., servers, mobile devices, notebook computers, printers, -copiers, scanners, and facsimile machines). Communication paths outside the -physical protection of a controlled boundary are exposed to the possibility of -interception and modification. - - Protecting the confidentiality and integrity of organizational information -can be accomplished by physical means (e.g., employing physical distribution -systems) or by logical means (e.g., employing cryptographic techniques). If -physical means of protection are employed, then logical means (cryptography) do -not have to be employed, and vice versa. - -``` -New: -``` -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
- -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - - - -``` ---- -SV-250315: -Old: -``` -By limiting the number of failed logon attempts, the risk of - unauthorized system access via user password guessing, otherwise known as - brute-force attacks, is reduced. Limits are imposed by locking the account. - - From "faillock.conf" man pages: Note that the default directory that - "pam_faillock" uses is usually cleared on system boot so the access will be - re-enabled after system reboot. If that is undesirable, a different tally - directory must be set with the "dir" option. - - SELinux, enforcing a targeted policy, will require any non-default tally - directory's security context type to match the default directory's security - context type. Without updating the security context type, the pam_faillock - module will not write failed login attempts to the non-default tally directory. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. - -SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory. 
- -``` ---- -SV-250316: -Old: -``` -By limiting the number of failed logon attempts, the risk of - unauthorized system access via user password guessing, otherwise known as - brute-force attacks, is reduced. Limits are imposed by locking the account. - - From "Pam_Faillock" man pages: Note that the default directory that - "pam_faillock" uses is usually cleared on system boot so the access will be - reenabled after system reboot. If that is undesirable, a different tally - directory must be set with the "dir" option. - - SELinux, enforcing a targeted policy, will require any non-default tally - directory's security context type to match the default directory's security - context type. Without updating the security context type, the pam_faillock - module will not write failed login attempts to the non-default tally directory. - -``` -New: -``` -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. - -SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory. - -``` ---- -SV-250317: -Old: -``` -Routing protocol daemons are typically used on routers to exchange network - topology information with other routers. If this software is used when not required, - system network information may be unnecessarily transmitted across the network. 
- - The sysctl --system command will load settings from all system configuration files. - - All configuration files are sorted by their filename in lexicographic order, regardless - of which of the directories they reside in. If multiple files specify the same option, - the entry in the file with the lexicographically latest name will take precedence. - - Files are read from directories in the following list from top to bottom. Once a file of a - given filename is loaded, any file of the same name in subsequent directories is ignored. - - /etc/sysctl.d/*.conf - /run/sysctl.d/*.conf - /usr/local/lib/sysctl.d/*.conf - /usr/lib/sysctl.d/*.conf - /lib/sysctl.d/*.conf - /etc/sysctl.conf - -``` -New: -``` -Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. -/etc/sysctl.d/*.conf -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf - -``` ---- -SV-251707: -Old: -``` -If RHEL 8 were to allow any user to make changes to software libraries, - then those changes might be implemented without undergoing the appropriate - testing and approvals that are part of a robust change management process. 
- - This requirement applies to RHEL 8 with software libraries that are accessible - and configurable, as in the case of interpreted languages. Software libraries - also include privileged programs that execute with escalated privileges. Only - qualified and authorized individuals will be allowed to obtain access to - information system components for purposes of initiating changes, including - upgrades and modifications. - -``` -New: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-251708: -Old: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` -New: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
- -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-251709: -Old: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` -New: -``` -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-251710: -Old: -``` -Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. 
- Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the - system security policy and supporting the isolation of code and data on which the protection is based. Security functionality - includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), - setting events to be audited, and setting intrusion detection parameters. - - This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and - environments that require this functionality. - -``` -New: -``` -Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality. - -``` ---- -SV-251711: -Old: -``` -The "sudo" command allows authorized users to run programs (including shells) as other users, - system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as - well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" - file allow configured users to run programs without re-authenticating. Use of these configuration - options makes it easier for one compromised account to be used to compromise other accounts. 
- - It is possible to include other sudoers files from within the sudoers file currently being parsed - using the #include and #includedir directives. When sudo reaches this line it will suspend - processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the - end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are - included may themselves include other files. A hard limit of 128 nested include files is enforced - to prevent include file loops. - -``` -New: -``` -The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. - -It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. - -``` ---- -SV-251712: -Old: -``` -Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. - -``` -New: -``` -Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
- -When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. - - - -``` ---- -SV-254520: -Old: -``` -Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - -Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. - -``` -New: -``` -Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - -Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. - -``` ---- -
\ No newline at end of file diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index 153cd04a9..143ec0ecf 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -12,7 +12,6 @@ author: Daniel Medina, George Dias A detailed log of the output of the command execution with additional information and metadata. [Example Log File Output](../../assets/downloads/CliProcessOutput.log) -[WHAT](../../.vuepress/public/assets/downloads/CliProcessOutput.log) ### 5.1.2 delta.json From 103c4bb50844ebf19a3fc5082e78a5c7fa2ef037 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 15:31:09 -0600 Subject: [PATCH 25/71] udpates to grammer, spelling and clarity with reading and copilot Signed-off-by: Aaron Lippold --- src/courses/delta/02.md | 16 ++-- src/courses/delta/03.md | 47 +++++----- src/courses/delta/04.md | 59 +++++++------ src/courses/delta/05.md | 29 +++--- src/courses/delta/06.md | 171 +++--------------------------------- src/courses/delta/07.md | 14 ++- src/courses/delta/README.md | 20 +++-- 7 files changed, 118 insertions(+), 238 deletions(-) diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md index f50ef1c56..83d63d375 100644 --- a/src/courses/delta/02.md +++ b/src/courses/delta/02.md 
@@ -5,24 +5,26 @@ title: 2. Delta Process Requirements author: Daniel Medina, George Dias --- -## 2.1 Requirements: -To conduct the delta process, the following are needed: +## 2.1 Requirements -1. An inspec profile +To conduct the delta process, the following items are needed: + +1. An InSpec profile a. Clone or download an existing profile from a repository source to your local environment. b. See [What is an InSpec Profile](../beginner/02.md#what-is-an-inspec-profile) for additional information. 2. A guidance file (XCCDF) a. Download either a DISA STIG or a CIS Benchmark from the appropriate site. ::: note Using Generated Profile Stubs -Although not a requirement, it is recommended to use a generated profile stub from the `saf generate inspec_profile` command to generate a skeleton profile structure based on the XCCDF benchmark guidance (STIG or CIS). This ensures consistency across profiles. +Although not a requirement, it is recommended to use a generated profile stub from the `saf generate inspec_profile` command to create a skeleton profile structure based on the XCCDF benchmark guidance (STIG or CIS). This ensures consistency across profiles. -For more information on this command, refer to the documentation for [`inspec_profile`](https://saf-cli.mitre.org/#inspec-profile) +For more information on this command, refer to the documentation for [`inspec_profile`](https://saf-cli.mitre.org/#inspec-profile). -This command is synonymous with the Chef InSpec [Initialize a new profile](../beginner/03.md#creating-the-profile), but it uses the XCCDF content to configure (generate) the profile controls metadata and [supporting structure](../beginner/02.md#the-structure-of-an-inspec-profile). +This command is similar to the Chef InSpec [Initialize a new profile](../beginner/03.md#creating-the-profile), but it uses the XCCDF content to configure (generate) the profile controls metadata and [supporting structure](../beginner/02.md#the-structure-of-an-inspec-profile). 
::: The [Delta CLI Tools section](./03.md#31-cli-tools) covers specific requirements for both the `delta` and `update_controls4delta` commands. ## 2.2 Glossary of Terms -For definition of terms used within the Delta Process reference [Terms & Definitions](../profile-dev-test/27.md#terms--definitions) + +For definitions of terms used within the Delta Process, refer to [Terms & Definitions](../profile-dev-test/27.md#terms--definitions). diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md index 90678a352..e50705798 100644 --- a/src/courses/delta/03.md +++ b/src/courses/delta/03.md 
@@ -7,42 +7,46 @@ author: Daniel Medina, George Dias ## 3.1 CLI Tools -The delta process consists of either or both of the following commands: -1. Updates Controls for Delta (`update_controls4delta`) +The delta process consists of one or both of the following commands: + +1. Update Controls for Delta (`update_controls4delta`) 2. Delta (`delta`) -::: note About Inspec Profiles -When referring to inspec profiles, there are distinctions: -Inspec profile repository: contains the controls, code, etc. -Inspec profile file: JSON formatted file containing profile summary, used as input for the delta process. +::: note About InSpec Profiles +When referring to InSpec profiles, there are distinctions: + +- InSpec profile repository: Contains the controls, code, etc. +- InSpec profile file: A JSON formatted file containing a profile summary, used as input for the delta process. ::: ### 3.2 Update Controls for Delta -The `update_controls4delta` process is used to prepare profile controls from one [SRG](./02.md#glossary-of-terms) or [STIG/CIS](./02.md#glossary-of-terms) benchmark baseline to another. The controls are updated based on guidance provided by the appropriate Extendible Configuration Checklist Description Format ([XCCDF](./02.md#glossary-of-terms)). +The `update_controls4delta` process is used to prepare profile controls from one [SRG](./02.md#glossary-of-terms) or [STIG/CIS](./02.md#glossary-of-terms) benchmark baseline to another. The controls are updated based on guidance provided by the appropriate Extensible Configuration Checklist Description Format ([XCCDF](./02.md#glossary-of-terms)). -The `update_controls4delta` process may be the only command needed as it specifically updates existing controls from one baseline to another, refer to [use cases for running delta](./04.html#use-cases-for-running-delta). +The `update_controls4delta` process may be the only command needed as it specifically updates existing controls from one baseline to another. 
Refer to [use cases for running delta](./04.html#use-cases-for-running-delta). The process of preparing controls from one baseline to another (baseline X to Y) consists of: -1. The directory where baseline X controls are located is provided. -3. An InSpec json formatted file containing all baseline X controls is provided or generated. - a - The json file is generated using the [inspec or cinc-auditor] json CLI command -3. A XCCDF file containing the new baseline Y guidance is provided. The file is obtained from the appropriate site. - a - The baseline Y XCCDF lists all controls appropriate for the provided baseline. It also includes (most often) a field (legacy) where it indicates the control's previous name(s). The process uses this field to map old control names to the new controls. - b - If there is no mapping found, then the `delta` process must be invoked to convert the baselines ([see use cases](./04.html#use-cases-for-running-delta)) +1. Providing the directory where baseline X controls are located. +2. Providing or generating an InSpec JSON formatted file containing all baseline X controls. + - The JSON file is generated using the [InSpec or Cinc-Auditor] JSON CLI command. +3. Providing an XCCDF file containing the new baseline Y guidance. The file is obtained from the appropriate site. + - The baseline Y XCCDF lists all controls appropriate for the provided baseline. It often includes a field (legacy) indicating the control's previous name(s). The process uses this field to map old control names to the new controls. + - If no mapping is found, then the `delta` process must be invoked to convert the baselines ([see use cases](./04.html#use-cases-for-running-delta)). 
-You can invoke the command as such: -``` +You can invoke the command as follows: + +```sh saf generate update_controls4delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -c baseline_X_controls_directory ``` Additional capabilities can be obtained using the `-h or --help` flag on the `update_controls4delta` command as such: -``` + +```sh saf generate update_controls4delta --help ``` -Renaming of controls can be done either by guidance rules (rule ID, default) or using the group ID. When using rule ID legacy fields contained within the XCCDF are used for identifying the proper mapping for the controls. +Renaming of controls can be done either by guidance rules (rule ID, default) or using the group ID. When using rule ID legacy fields contained within the XCCDF are used for identifying the proper mapping for the controls. If there is no way to trace controls in baseline X to its corresponding controls in baseline Y, then `update_controls4delta` will not update any controls (no mapping). @@ -59,9 +63,11 @@ The `delta` process extends the capabilities of the `update_controls4delta` proc
You can invoke the command as such: -``` + +```sh saf generate delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -o new_baseline_Y_controls_directory -M -c baseline_X_controls_directory ``` +
::: tip Optional Fuzzy Matching Flags @@ -69,7 +75,8 @@ The `-M` and `-c` flags can be removed if not using fuzzy matching feature. ::: Additional capabilities can be obtained using the `-h or --help` flag on the `delta` command as such: -``` + +```sh saf generate delta --help ``` diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md index 15f91d3ce..7a0ac8117 100644 --- a/src/courses/delta/04.md +++ b/src/courses/delta/04.md 
@@ -7,47 +7,50 @@ author: Daniel Medina, George Dias ## 4.1 Use Cases for Running Delta -There are several situations that warrant the use of the delta process. These are broken down in the following use cases: +There are several situations that warrant the use of the delta process. These are broken down into the following use cases: -[Use Case 1](#use-case-1) - Check and update control IDs and metadata based on new guidance (run update controls) -[Use Case 2](#use-case-2) - Update control IDs based on group ID (run update controls) -[Use Case 3](#use-case-3) - Update controls but create a backup (run update controls) -[Use Case 4](#use-case-4) - No mappings were found using update controls (run Delta with fuzzy matching) -[Use Case 5](#use-case-5) - Generate stubs for new controls found in XCCDF (run Delta w/o fuzzy matching) +[Use Case 1](#411-use-case-1) - Check and update control IDs and metadata based on new guidance (run update controls) +[Use Case 2](#412-use-case-2) - Update control IDs based on group ID (run update controls) +[Use Case 3](#413-use-case-3) - Update controls but create a backup (run update controls) +[Use Case 4](#414-use-case-4) - No mappings were found using update controls (run Delta with fuzzy matching) +[Use Case 5](#415-use-case-5) - Generate stubs for new controls found in XCCDF (run Delta without fuzzy matching) ### 4.1.1 Use Case 1 -Updated guidances sometimes modify the control identification (IDs) values of a given control. -To make these modification from baseline X to baseline Y the update controls process with the -provided XCCDF guidance. The process checks if the new guidance changes the control numbers -and updates them if necessary. -Process: Run `update_controls4delta` +Updated guidance sometimes modifies the control identification (ID) values of a given control. To make these modifications from baseline X to baseline Y, use the update controls process with the provided XCCDF guidance. 
The process checks if the new guidance changes the control numbers and updates them if necessary. + +**Process:** Run `update_controls4delta` ### 4.1.2 Use Case 2 -If there isn't any mapping between baseline X and Y using the default rule identification (rule Id) -for the control, it may be necessary to index the controls based on controls group identifications -(group Id). Running the update controls with the group Id may be required to provide a -mapping from baseline X to Y. -Process: Run `update_controls4delta` +If there isn't any mapping between baseline X and Y using the default rule identification (rule ID) for the control, it may be necessary to index the controls based on control group identifications (group ID). Running the update controls with the group ID may be required to provide a mapping from baseline X to Y. + +**Process:** Run `update_controls4delta` ### 4.1.3 Use Case 3 -Like Use Case 1 and 2 updates controls in baseline X with new controls identified in baseline Y -based on selected indexed identification but backup controls that are modified. -Process: Run `update_controls4delta` +Similar to Use Cases 1 and 2, this use case updates controls in baseline X with new controls identified in baseline Y based on selected indexed identification but also creates a backup of the modified controls. + +**Process:** Run `update_controls4delta` ### 4.1.4 Use Case 4 -Running update controls may result in no controls being updated / no mappings were found from -baseline X to baseline Y. This could be due to there being too many revisions / releases between -the two baselines creating no way to map between them. In this case, we have no alternative -but to use Delta with fuzzy matching. -Process: Run `delta` +Running update controls may result in no controls being updated or no mappings being found from baseline X to baseline Y. This could be due to there being too many revisions or releases between the two baselines, creating no way to map between them. 
In this case, use Delta with fuzzy matching. + +**Process:** Run `delta` ### 4.1.5 Use Case 5 -Most often the new guidances contain new controls that weren't previously defined, in this -case running the delta process generates the control stubs with all metadata, minus the -describe block (code) content. -Process: Run `delta` \ No newline at end of file +New guidance often contains new controls that weren't previously defined. In this case, running the delta process generates the control stubs with all metadata, except for the describe block (code) content. + +**Process:** Run `delta` + +### Suggested Enhancements for Education and Training + +1. **Examples and Scenarios:** Provide real-world examples and scenarios for each use case to help students understand the practical applications. +2. **Interactive Exercises:** Include interactive exercises where students can practice running the commands (`update_controls4delta` and `delta`) in a controlled environment. +3. **Visual Aids:** Use flowcharts or diagrams to visually represent the processes described in each use case. +4. **Quizzes:** Add quizzes at the end of each section to reinforce learning and ensure comprehension. +5. **Glossary:** Include a glossary of terms used in the document to help students familiarize themselves with the terminology. +6. **Step-by-Step Guides:** Provide detailed, step-by-step guides for running the commands, including screenshots or terminal outputs to illustrate the expected results. +7. **Discussion Questions:** Add discussion questions at the end of each section to encourage critical thinking and group discussions. diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index 143ec0ecf..e868bb1f2 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md 
@@ -6,39 +6,38 @@ author: Daniel Medina, George Dias --- ## 5.1 Logging Capabilities of Delta - ### 5.1.1 CLIProcessOutput.log -A detailed log of the output of the command execution with additional information and metadata. +This log provides a detailed output of the command execution, including additional information and metadata. [Example Log File Output](../../assets/downloads/CliProcessOutput.log) ### 5.1.2 delta.json -Automatically generated and outputted to the same directory as the outputted profile controls, this JSON file summarizes the results of the delta process. +This JSON file is automatically generated and saved in the same directory as the outputted profile controls. It summarizes the results of the delta process. + +The results are summarized at the top of the report according to the type of change: -Results are summarized at the top of the report according to the type of change: -1. addedControlIDs: A list of new controls added to the profile -2. removedControlIDs: A list of controls removed from the profile -3. renamedControlIDs: A list of controls that had their IDs change -4. changedControlIDs: A list of controls with changes to the metadata +1. **addedControlIDs**: A list of new controls added to the profile. +2. **removedControlIDs**: A list of controls removed from the profile. +3. **renamedControlIDs**: A list of controls that had their IDs changed. +4. **changedControlIDs**: A list of controls with changes to the metadata. -Details of the changes are given afterwards as follows: +Details of the changes are provided afterwards as follows: -1. addedControls: The contents of each control that was added to the profile -2. changedControls: The parts of each control that were modified / replaced during the command execution +1. **addedControls**: The contents of each control that was added to the profile. +2. **changedControls**: The parts of each control that were modified or replaced during the command execution. 
[Example delta.json file](../../assets/downloads/delta.json) ### 5.1.3 Report Markdown File (.md) -Specified by the report flag (`-r`), generates a markdown formatted report of the same information found in the delta.json file. +Specified by the report flag (`-r`), this generates a markdown formatted report containing the same information found in the delta.json file. [Example Report Markdown File](../../assets/downloads/report) - ## 5.2 Logging Capabilities of Update Controls -The logging output of `update_controls4delta` provides information on which controls were found to require a name change, as well as additional statistics on skipped controls +The logging output of `update_controls4delta` provides information on which controls were found to require a name change, as well as additional statistics on skipped controls. -![Example Output from update_controls4delta](../../assets/img/update_controls4delta_output.png) \ No newline at end of file +![Example Output from update_controls4delta](../../assets/img/update_controls4delta_output.png) diff --git a/src/courses/delta/06.md b/src/courses/delta/06.md index 077b08f6e..c74b8cafc 100644 --- a/src/courses/delta/06.md +++ b/src/courses/delta/06.md 
@@ -7,329 +7,186 @@ author: Daniel Medina, George Dias ## 6.1 InSpec Delta Formatting Process -Before performing delta process, it's beneficial to use a common format. Follow these steps: +Before performing the delta process, it's beneficial to use a common format. Follow these steps: -### 6.1.1 Preparing the Profile Before Running Delta Process +### 6.1.1 Preparing the Profile Before Running the Delta Process -1. **Run Rubocop:** Install the Rubocop gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`. +1. **Run RuboCop:** Install the RuboCop gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list rubocop`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `rubocop -a ./controls`. -::: details Rubocop Configuration File (rubocop.yml) -``` -AllCops: +::: details RuboCop Configuration File (rubocop.yml) +```ruby +AllCops: NewCops: enable - Exclude: - - "libraries/**/*" - Layout/LineLength: - Max: 1500 - AllowURI: true - IgnoreCopDirectives: true - Naming/FileName: - Enabled: false - Metrics/BlockLength: - Max: 1000 - Lint/ConstantDefinitionInBlock: - Enabled: false - # Required for Profiles as it can introduce profile errors - Style/NumericPredicate: - Enabled: false - Style/WordArray: - Description: "Use %w or %W for an array of words. 
(https://rubystyle.guide#percent-w)" - Enabled: false - Style/RedundantPercentQ: - Enabled: true - Style/NestedParenthesizedCalls: - Enabled: false - Style/TrailingCommaInHashLiteral: - Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral" - Enabled: true - EnforcedStyleForMultiline: no_comma - Style/TrailingCommaInArrayLiteral: - Enabled: true - EnforcedStyleForMultiline: no_comma - Style/BlockDelimiters: - Enabled: false - Lint/AmbiguousBlockAssociation: - Enabled: false - Metrics/BlockNesting: - Enabled: false - Lint/ShadowingOuterLocalVariable: - Enabled: false - Style/FormatStringToken: - Enabled: false - Style/FrozenStringLiteralComment: - Enabled: false - -# The following cops were added to RuboCop, but are not configured. - -# Please set Enabled to either `true` or `false` in your `.rubocop.yml` file. +# The following cops were added to RuboCop, but are not configured. Please set Enabled to either `true` or `false` in your `.rubocop.yml` file. 
+# Please also note that you can opt-in to new cops by default by adding this to your config: # For more information: https://docs.rubocop.org/rubocop/versioning.html - Gemspec/DateAssignment: # new in 1.10 - Enabled: true - Gemspec/RequireMFA: # new in 1.23 - Enabled: true - Layout/LineEndStringConcatenationIndentation: # new in 1.18 - Enabled: true - Layout/SpaceBeforeBrackets: # new in 1.7 - Enabled: true - Lint/AmbiguousAssignment: # new in 1.7 - Enabled: true - Lint/AmbiguousOperatorPrecedence: # new in 1.21 - Enabled: true - Lint/AmbiguousRange: # new in 1.19 - Enabled: true - Lint/DeprecatedConstants: # new in 1.8 - Enabled: true - Lint/DuplicateBranch: # new in 1.3 - Enabled: true - Lint/DuplicateRegexpCharacterClassElement: # new in 1.1 - Enabled: true - Lint/EmptyBlock: # new in 1.1 - Enabled: true - Lint/EmptyClass: # new in 1.3 - Enabled: true - Lint/EmptyInPattern: # new in 1.16 - Enabled: true - Lint/IncompatibleIoSelectWithFiberScheduler: # new in 1.21 - Enabled: true - Lint/LambdaWithoutLiteralBlock: # new in 1.8 - Enabled: true - Lint/NoReturnInBeginEndBlocks: # new in 1.2 - Enabled: true - Lint/NumberedParameterAssignment: # new in 1.9 - Enabled: true - Lint/OrAssignmentToConstant: # new in 1.9 - Enabled: true - Lint/RedundantDirGlobSort: # new in 1.8 - Enabled: true - Lint/RequireRelativeSelfPath: # new in 1.22 - Enabled: true - Lint/SymbolConversion: # new in 1.9 - Enabled: true - Lint/ToEnumArguments: # new in 1.1 - Enabled: true - Lint/TripleQuotes: # new in 1.9 - Enabled: true - Lint/UnexpectedBlockArity: # new in 1.5 - Enabled: true - Lint/UnmodifiedReduceAccumulator: # new in 1.1 - Enabled: true - Lint/UselessRuby2Keywords: # new in 1.23 - Enabled: true - Naming/BlockForwarding: # new in 1.24 - Enabled: true - Security/IoMethods: # new in 1.22 - Enabled: true - Style/ArgumentsForwarding: # new in 1.1 - Enabled: true - Style/CollectionCompact: # new in 1.2 - Enabled: true - Style/DocumentDynamicEvalDefinition: # new in 1.1 - Enabled: true - 
Style/EndlessMethod: # new in 1.8 - Enabled: true - Style/FileRead: # new in 1.24 - Enabled: true - Style/FileWrite: # new in 1.24 - Enabled: true - Style/HashConversion: # new in 1.10 - Enabled: true - Style/HashExcept: # new in 1.7 - Enabled: true - Style/IfWithBooleanLiteralBranches: # new in 1.9 - Enabled: true - Style/InPatternThen: # new in 1.16 - Enabled: true - Style/MapToHash: # new in 1.24 - Enabled: true - Style/MultilineInPatternThen: # new in 1.16 - Enabled: true - Style/NegatedIfElseCondition: # new in 1.2 - Enabled: true - Style/NilLambda: # new in 1.3 - Enabled: true - Style/NumberedParameters: # new in 1.22 - Enabled: true - Style/NumberedParametersLimit: # new in 1.22 - Enabled: true - Style/OpenStructUse: # new in 1.23 - Enabled: true - Style/QuotedSymbols: # new in 1.16 - Enabled: true - Style/RedundantArgument: # new in 1.4 - Enabled: true - Style/RedundantSelfAssignmentBranch: # new in 1.19 - Enabled: true - Style/SelectByRegexp: # new in 1.22 - Enabled: true - Style/StringChars: # new in 1.12 - Enabled: true - Style/SwapValues: # new in 1.1 - Enabled: true ``` + ::: ## 6.2 Testing Commands Upon completion of the delta process, you may want to test the correctness of the new and updated controls. -### 6.2.1 Linting and validating controls: +### 6.2.1 Linting and validating controls The current available commands for testing are: -``` +```sh bundle exec rake [inspec or cinc-auditor]:check # validate the inspec profile bundle exec rake lint # Run RuboCop bundle exec rake lint:autocorrect # Autocorrect RuboCop offenses (only when it's safe) bundle exec rake lint:autocorrect_all # Autocorrect RuboCop offenses (safe and unsafe) bundle exec rake pre_commit_checks # Ensure the controls are ready to be committed into the repo ``` +
:::note Profile Controls Formatting -In the past, cookstyle format was used. However, support for cookstyle formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence rubocop is preferred. -::: \ No newline at end of file +In the past, `cookstyle` format was used. However, support for `cookstyle` formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence `rubocop` is preferred. +::: diff --git a/src/courses/delta/07.md b/src/courses/delta/07.md index 937364d41..22c790025 100644 --- a/src/courses/delta/07.md +++ b/src/courses/delta/07.md 
@@ -18,7 +18,17 @@ author: Daniel Medina, George Dias Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it replaces the 'control metadata' using the content from the supplied XCCDF guidance document. This applies to controls that map from baseline X to baseline Y. -## 7.2 Additional Resources +## 7.3 Additional Resources - **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file. -- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` or `cinc-auditor json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command. \ No newline at end of file +- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` or `cinc-auditor json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command. + +## 7.4 Educational Enhancements + +To enhance understanding and learning, consider the following steps: + +- **Hands-on Practice:** Encourage students to practice downloading and unzipping the profile, and identifying the `xccdf.xml` file. +- **Step-by-Step Guide:** Provide a detailed, step-by-step guide on how to run the `inspec json` or `cinc-auditor json` command. +- **Interactive Sessions:** Conduct interactive sessions where students can ask questions and get real-time assistance. +- **Quizzes and Assessments:** Include quizzes and assessments to test students' understanding of the material. +- **Additional Reading:** Recommend additional reading materials and resources for students who want to delve deeper into the subject. diff --git a/src/courses/delta/README.md b/src/courses/delta/README.md index a9dc44591..991f55b1b 100644 --- a/src/courses/delta/README.md +++ b/src/courses/delta/README.md 
@@ -4,17 +4,19 @@ next: 02.md title: Delta Process Developer Class author: Daniel Medina, George Dias --- -## 1.1 Class Overview -The purpose of this class is to outline how the delta process can be used to facilitate changes to inspec profile baselines. Often, it can be used to create a new baseline profile from older revisions of the same baseline. +## 1.1 Class Overview -### 1.1.1 Class Objectives: +The purpose of this class is to demonstrate how the MITRE SAF Delta tool can be used to facilitate changes to InSpec profile baselines. This process is often utilized to create a new baseline profile from older revisions of the same baseline. + +### 1.1.1 Class Objectives By the end of this class, you should be able to: -- Know the requirements for conducting the delta process -- Understand the purpose of the SAF Delta process tools, `update_controls4delta` and `delta` -- Use these tools to update inspec profiles -- Understand how and where to apply these tools in different situations (Use Cases) + +- Identify the requirements for conducting the delta process +- Understand the purpose and functionality of the SAF Delta process tools: `update_controls4delta` and `delta` +- Utilize these tools to update InSpec profiles +- Determine how and where to apply these tools in various scenarios (Use Cases) - Use the delta fuzzy matching system to map controls between two profiles -- Be familiar with the delta process logging capabilities and generated artifacts -- Know how to format Inspec profile controls before and/or after executing delta commands \ No newline at end of file +- Become familiar with the delta process logging capabilities and the artifacts it generates +- Format InSpec profile controls appropriately before and/or after executing delta commands From 44d46186ec3b4e9260739257f5dade50b42f83ae Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 15:38:33 -0600 Subject: [PATCH 26/71] removed unneeded breaks from files and minor formatting 
Signed-off-by: Aaron Lippold --- src/courses/delta/02.md | 4 ++-- src/courses/delta/03.md | 3 --- src/courses/delta/06.md | 2 -- 3 files changed, 2 insertions(+), 7 deletions(-) diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md index 83d63d375..ab2b3d388 100644 --- a/src/courses/delta/02.md +++ b/src/courses/delta/02.md @@ -9,10 +9,10 @@ author: Daniel Medina, George Dias To conduct the delta process, the following items are needed: -1. An InSpec profile +1. An InSpec profile: a. Clone or download an existing profile from a repository source to your local environment. b. See [What is an InSpec Profile](../beginner/02.md#what-is-an-inspec-profile) for additional information. -2. A guidance file (XCCDF) +2. A guidance file (XCCDF): a. Download either a DISA STIG or a CIS Benchmark from the appropriate site. ::: note Using Generated Profile Stubs diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md index e50705798..939d01a0e 100644 --- a/src/courses/delta/03.md +++ b/src/courses/delta/03.md @@ -60,7 +60,6 @@ The `delta` process extends the capabilities of the `update_controls4delta` proc b - For controls which a match is found, the describe block (code) within the old control is mapped over to the new control 3. Detailed logging a - report file (.md), mapping statistics (CliProcessOutput.log) -
You can invoke the command as such: @@ -68,8 +67,6 @@ You can invoke the command as such: saf generate delta -X ./baseline_Y_xccdf_guidance_file.xml -J baseline_X_summary.json -o new_baseline_Y_controls_directory -M -c baseline_X_controls_directory ``` -
- ::: tip Optional Fuzzy Matching Flags The `-M` and `-c` flags can be removed if not using fuzzy matching feature. ::: diff --git a/src/courses/delta/06.md b/src/courses/delta/06.md index c74b8cafc..b1cabe291 100644 --- a/src/courses/delta/06.md +++ b/src/courses/delta/06.md @@ -185,8 +185,6 @@ The current available commands for testing are: bundle exec rake pre_commit_checks # Ensure the controls are ready to be committed into the repo ``` -
- :::note Profile Controls Formatting In the past, `cookstyle` format was used. However, support for `cookstyle` formatted profiles is limited and is geared more towards Chef cookbooks. Profile controls are written in ruby code, hence `rubocop` is preferred. ::: From ad98f33d0833627982bc27112b625e1304f1cc9e Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 15:50:54 -0600 Subject: [PATCH 27/71] fixed links to sections, added return, and suggestions for what else is needed. Signed-off-by: Aaron Lippold --- src/courses/delta/03.md | 1 - src/courses/delta/04.md | 24 +++++++++++++++++++----- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md index 939d01a0e..0ee4cce16 100644 --- a/src/courses/delta/03.md +++ b/src/courses/delta/03.md @@ -81,7 +81,6 @@ For more information on these commands, refer to the following documentation: - [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options) - [saf generate delta](https://saf-cli.mitre.org/#delta) -
::: warning Delta Process Limitations The Delta process has been tested using DISA XCCDF STIG Benchmark Guidances only. diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md index 7a0ac8117..6ed4def1d 100644 --- a/src/courses/delta/04.md +++ b/src/courses/delta/04.md @@ -9,11 +9,15 @@ author: Daniel Medina, George Dias There are several situations that warrant the use of the delta process. These are broken down into the following use cases: -[Use Case 1](#411-use-case-1) - Check and update control IDs and metadata based on new guidance (run update controls) -[Use Case 2](#412-use-case-2) - Update control IDs based on group ID (run update controls) -[Use Case 3](#413-use-case-3) - Update controls but create a backup (run update controls) -[Use Case 4](#414-use-case-4) - No mappings were found using update controls (run Delta with fuzzy matching) -[Use Case 5](#415-use-case-5) - Generate stubs for new controls found in XCCDF (run Delta without fuzzy matching) +1. [Use Case 1](#411-use-case-1) - Check and update control IDs and metadata based on new guidance (run update controls) + +2. [Use Case 2](#412-use-case-2) - Update control IDs based on group ID (run update controls) + +3. [Use Case 3](#413-use-case-3) - Update controls but create a backup (run update controls) + +4. [Use Case 4](#414-use-case-4) - No mappings were found using update controls (run Delta with fuzzy matching) + +5. [Use Case 5](#415-use-case-5) - Generate stubs for new controls found in the XCCDF Benchmark file (run Delta without fuzzy matching) ### 4.1.1 Use Case 1 
@@ -21,30 +25,40 @@ Updated guidance sometimes modifies the control identification (ID) values of a **Process:** Run `update_controls4delta` +[return to top](#41-use-cases-for-running-delta) + ### 4.1.2 Use Case 2 If there isn't any mapping between baseline X and Y using the default rule identification (rule ID) for the control, it may be necessary to index the controls based on control group identifications (group ID). Running the update controls with the group ID may be required to provide a mapping from baseline X to Y. **Process:** Run `update_controls4delta` +[return to top](#41-use-cases-for-running-delta) + ### 4.1.3 Use Case 3 Similar to Use Cases 1 and 2, this use case updates controls in baseline X with new controls identified in baseline Y based on selected indexed identification but also creates a backup of the modified controls. **Process:** Run `update_controls4delta` +[return to top](#41-use-cases-for-running-delta) + ### 4.1.4 Use Case 4 Running update controls may result in no controls being updated or no mappings being found from baseline X to baseline Y. This could be due to there being too many revisions or releases between the two baselines, creating no way to map between them. In this case, use Delta with fuzzy matching. **Process:** Run `delta` +[return to top](#41-use-cases-for-running-delta) + ### 4.1.5 Use Case 5 New guidance often contains new controls that weren't previously defined. In this case, running the delta process generates the control stubs with all metadata, except for the describe block (code) content. **Process:** Run `delta` +[return to top](#41-use-cases-for-running-delta) + ### Suggested Enhancements for Education and Training 1. **Examples and Scenarios:** Provide real-world examples and scenarios for each use case to help students understand the practical applications. From ccf6e02541a38f7f67f4316b3205c03b5a7daa44 Mon Sep 17 00:00:00 2001 
From: Aaron Lippold Date: Thu, 5 Dec 2024 16:08:42 -0600 Subject: [PATCH 28/71] renamed the delta report to acutally call it a markdown file Signed-off-by: Aaron Lippold --- .../public/assets/downloads/{report => delta_report.md} | 0 src/courses/delta/05.md | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename src/.vuepress/public/assets/downloads/{report => delta_report.md} (100%) diff --git a/src/.vuepress/public/assets/downloads/report b/src/.vuepress/public/assets/downloads/delta_report.md similarity index 100% rename from src/.vuepress/public/assets/downloads/report rename to src/.vuepress/public/assets/downloads/delta_report.md diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index e868bb1f2..ff2cd5283 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -34,7 +34,7 @@ Details of the changes are provided afterwards as follows: Specified by the report flag (`-r`), this generates a markdown formatted report containing the same information found in the delta.json file. -[Example Report Markdown File](../../assets/downloads/report) +[Example Report Markdown File](../../assets/downloads/delta_report.md) ## 5.2 Logging Capabilities of Update Controls From a0446ef8ae5701e454de9d79cd5fa4a972054090 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 16:17:04 -0600 Subject: [PATCH 29/71] seeing if I can get the downloads to work Signed-off-by: Aaron Lippold --- src/assets/downloads/delta.json | 1136 +++ src/assets/downloads/delta_report.md | 10483 +++++++++++++++++++++++++ 2 files changed, 11619 insertions(+) create mode 100644 src/assets/downloads/delta.json create mode 100644 src/assets/downloads/delta_report.md diff --git a/src/assets/downloads/delta.json b/src/assets/downloads/delta.json new file mode 100644 index 000000000..fe81a5181 --- /dev/null +++ b/src/assets/downloads/delta.json 
@@ -0,0 +1,1136 @@ +{ + "ignoreFormattingDiff": { + "addedControlIDs": [ + "SV-213913" + ], + "removedControlIDs": [], + "renamedControlIDs": {}, + "changedControlIDs": [ + "SV-213900", + "SV-213901", + "SV-213902", + "SV-213903", + "SV-213904", + "SV-213905", + "SV-213906", + "SV-213907", + "SV-213908", + "SV-213909", + "SV-213910", + "SV-213911", + "SV-213912", + "SV-213914", + "SV-213915", + "SV-213916", + "SV-213917", + "SV-213918", + "SV-213919", + "SV-213920", + "SV-213921", + "SV-213922", + "SV-213923", + "SV-213924", + "SV-213926", + "SV-213927", + "SV-251040" + ], + "addedControls": { + "SV-213913": { + "tags": { + "check_id": "C-15131r952219_chk", + "severity": "medium", + "gid": "V-213913", + "rid": "SV-213913r952219_rule", + "stig_id": "SQL6-D0-001800", + "gtitle": "SRG-APP-000231-DB-000154", + "fix_id": "F-15129r951656_fix", + "documentable": false, + "legacy": [ + "SV-93795", + "V-79089" + ], + "cci": [ + "CCI-001199" + ], + "nist": [ + "SC-28" + ] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "id": "SV-213913", + "title": "The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.", + "desc": "Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.", + "impact": 0.5, + "descs": { + "check": "If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.\n\nReview procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. \n\nIf the procedures or evidence does not exist, this is a finding. \n\nIf the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. 
\n\nIf procedures do not indicate access restrictions to the Certificate backup, this is a finding.", + "fix": "Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.\n\nBACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' \nWITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); \n\nAs this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text." + } + } + }, + "changedControls": { + "SV-213900": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213901": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213902": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213903": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213904": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213905": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.", + "impact": 0.5, + "descs": {} + }, + "SV-213906": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213907": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213908": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213909": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213910": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213911": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213912": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. 
Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account.", + "impact": 0.5, + "descs": {} + }, + "SV-213914": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213915": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213916": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213917": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213918": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213919": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213920": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. 
If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.", + "impact": 0.5, + "descs": {} + }, + "SV-213921": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213922": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213923": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213924": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-213926": { + "tags": { + "documentable": false, + "legacy": [] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "desc": "DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). 
\n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.", + "impact": 0.5, + "descs": {} + }, + "SV-213927": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + }, + "SV-251040": { + "tags": { + "documentable": false + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "descs": {} + } + } + }, + "rawDiff": { + "addedControlIDs": [ + "SV-213913" + ], + "removedControlIDs": [], + "renamedControlIDs": {}, + "changedControlIDs": [ + "SV-213900", + "SV-213901", + "SV-213902", + "SV-213903", + "SV-213904", + "SV-213905", + "SV-213906", + "SV-213907", + "SV-213908", + "SV-213909", + "SV-213910", + "SV-213911", + "SV-213912", + "SV-213914", + "SV-213915", + "SV-213916", + "SV-213917", + "SV-213918", + "SV-213919", + "SV-213920", + "SV-213921", + "SV-213922", + "SV-213923", + "SV-213924", + "SV-213926", + "SV-213927", + "SV-251040" + ], + "addedControls": { + "SV-213913": { + "tags": { + "check_id": "C-15131r952219_chk", + "severity": "medium", + "gid": "V-213913", + "rid": "SV-213913r952219_rule", + "stig_id": "SQL6-D0-001800", + "gtitle": "SRG-APP-000231-DB-000154", + "fix_id": "F-15129r951656_fix", + "documentable": false, + "legacy": [ + "SV-93795", + "V-79089" + ], + "cci": [ + "CCI-001199" + ], + "nist": [ + "SC-28" + ] + }, + "refs": [ + "DPMS Target MS SQL Server 2016 Database" + ], + "id": "SV-213913", + "title": "The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.", + "desc": "Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. 
Not having this key can lead to loss of data during recovery.", + "impact": 0.5, + "descs": { + "check": "If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.\n\nReview procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. \n\nIf the procedures or evidence does not exist, this is a finding. \n\nIf the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. \n\nIf procedures do not indicate access restrictions to the Certificate backup, this is a finding.", + "fix": "Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.\n\nBACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' \nWITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); \n\nAs this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text." + } + } + }, + "changedControls": { + "SV-213900": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. 
Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization.\n\nA comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. \n\nExamples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in noncentralized account stores, such as multiple servers. Account management functions can also include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage.\n\nSQL Server must be configured to automatically utilize organization-level account management functions, and these functions must immediately enforce the organization's current account policy. \n\nAutomation may be comprised of differing technologies that when placed together, contain an overall mechanism supporting an organization's automated account management requirements." 
+ } + }, + "SV-213901": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81847" + ], + [ + "-", + "V-67357" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. \n\nSuccessful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. \n\nThis requirement is applicable to access control enforcement applications, a category that includes database management systems. 
If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy." + } + }, + "SV-213902": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring the DBMS's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, shared account.\n\nIf the computer account of a remote computer is granted access to a SQL Server database, any service or scheduled task running as NT AUTHORITY\\SYSTEM or NT AUTHORITY\\NETWORK SERVICE can log into the instance and perform actions. These actions cannot be traced back to a specific user or process." 
+ } + }, + "SV-213903": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database. \n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring SQL Server's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to SQL Server, even where the application connects to SQL Server with a standard, shared account. \n\nApplications should use temporal tables to track the changes and history of sensitive data." + } + }, + "SV-213904": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. 
\n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nSQL Server provides the ability for high privileged accounts to impersonate users in a database using the TRUSTWORTHY feature. This will allow members of the fixed database role to impersonate any user within the database." + } + }, + "SV-213905": { + "describe__deleted": " if input('server_audit_at_database_level_required')\n impact 0.5\n else\n impact 0.0\n desc 'Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)'\n end\n\n approved_audit_maintainers = input('approved_audit_maintainers')\n\n # The query in check-text is assumes the presence of STIG schema as supplied with\n # the STIG supplemental. The below query ( partially taken from 2016 MSSQL STIG)\n # will work without STIG supplemental schema.\n\n query = %{\n SELECT DPE.PERMISSION_NAME AS 'PERMISSION',\n DPM.NAME AS 'ROLE MEMBER',\n DPR.NAME AS 'ROLE NAME'\n FROM SYS.DATABASE_ROLE_MEMBERS DRM\n JOIN SYS.DATABASE_PERMISSIONS DPE\n ON DRM.ROLE_PRINCIPAL_ID = DPE.GRANTEE_PRINCIPAL_ID\n JOIN SYS.DATABASE_PRINCIPALS DPR\n ON DRM.ROLE_PRINCIPAL_ID = DPR.PRINCIPAL_ID\n JOIN SYS.DATABASE_PRINCIPALS DPM\n ON DRM.MEMBER_PRINCIPAL_ID = DPM.PRINCIPAL_ID\n WHERE DPE.PERMISSION_NAME IN ( 'CONTROL', 'ALTER ANY DATABASE AUDIT' )\n OR DPM.NAME IN ('db_owner')\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'List of approved audit maintainers' do\n subject { sql_session.query(query).column('role member').uniq }\n it { should match_array approved_audit_maintainers }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81851" + ], + [ + "-", + "V-67361" + ], + [ + " " + ], + [ + 
" " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)", + "__new": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Inspec attributes has specified that SQL Server Audit is not in use at\n the database level, this is not applicable (NA)" + } + }, + "SV-213906": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." 
+ } + }, + "SV-213907": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." + } + }, + "SV-213908": { + "describe__deleted": " # The query in check text is assumes the presence of STIG schema as supplied\n # with the STIG supplemental. The below query ( taken from 2016 MSSQL STIG)\n # will work without STIG supplemental schema.\n\n query = %{\n ;WITH OBJECTS_CTE\n AS (SELECT O.NAME,\n O.TYPE_DESC,\n CASE\n WHEN O.PRINCIPAL_ID IS NULL THEN S.PRINCIPAL_ID\n ELSE O.PRINCIPAL_ID\n END AS PRINCIPAL_ID\n FROM SYS.OBJECTS O\n INNER JOIN SYS.SCHEMAS S\n ON O.SCHEMA_ID = S.SCHEMA_ID\n WHERE O.IS_MS_SHIPPED = 0)\n SELECT CTE.NAME,\n CTE.TYPE_DESC,\n DP.NAME AS OBJECTOWNER\n FROM OBJECTS_CTE CTE\n INNER JOIN SYS.DATABASE_PRINCIPALS DP\n ON CTE.PRINCIPAL_ID = DP.PRINCIPAL_ID\n ORDER BY DP.NAME,\n CTE.NAME\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe \"Authorized users for Database: #{input('db_name')}\" do\n subject { sql_session.query(query).column('objectowner').uniq }\n it { should cmp input('authorized_principals') }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + 
"legacy": [ + [ + "-", + "SV-81861" + ], + [ + "-", + "V-67371" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.\n\nConversely, if critical tables or other objects in SQL Server rely on unauthorized owner accounts, these objects may be lost when an account is removed." + } + }, + "SV-213909": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "If SQL Server were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations." 
+ } + }, + "SV-213910": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. In the event of a system failure, SQL Server must be able to bring the database back to a consistent state." + } + }, + "SV-213911": { + "describe__deleted": " query = %{\n SELECT\n COUNT(credential_id) AS count_of_ids\n FROM\n [master].sys.master_key_passwords\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'Count of `Database Master Key passwords` stored in credentials within the database' do\n subject { sql_session.query(query).row(0).column('count_of_ids') }\n its('value') { should cmp 0 }\n end ", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, then the confidentiality of all data encrypted using that key is at risk." 
+ } + }, + "SV-213912": { + "describe__deleted": " query = %(\n SELECT NAME\n FROM [master].sys.databases\n WHERE is_master_key_encrypted_by_server = 1\n AND owner_sid <> 1\n AND state = 0\n AND name = '#{input('db_name')}';\n )\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n results = sql_session.query(query)\n\n if results.empty?\n impact 0.0\n desc 'No databases require encryption hence this is not a finding'\n end\n\n describe 'The following checks must be performed manually' do\n skip \"The following checks must be performed manually:\n For the database #{results.column('name')} verify in the System Security\n Plan that encryption of the Database Master Key using the Service Master Key\n is acceptable and approved by the Information Owner, and the encrypted data\n does not require additional protections to deter or detect DBA access.\n If not approved, this is a finding.\n\n If approved and additional protections are required, then verify the additional\n requirements are in place in accordance with the System Security Plan. These\n may include additional auditing on access of the Database Master Key with\n alerts or other automated monitoring.\n\n If the additional requirements are not in place, this is a finding.\"\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81871" + ], + [ + "-", + "V-67381" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "No databases require encryption hence this is not a finding", + "__new": "When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. 
Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "No databases require encryption hence this is not a finding", + "check": { + "__old": "If no databases require encryption, this is not a finding.\n\nFrom the query prompt:\nSELECT name\nFROM [master].sys.databases\nWHERE is_master_key_encrypted_by_server = 1\nAND owner_sid <> 1\nAND state = 0;\n(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.)\n\nIf no databases are returned by the query, this is not a finding.\n\nFor any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding.\n\nIf approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring.\n\nIf the additional requirements are not in place, this is a finding.", + "__new": "If no databases require encryption, this is not a finding. 
\n\nFrom the query prompt: \n\nSELECT name \nFROM [master].sys.databases \nWHERE is_master_key_encrypted_by_server = 1 \nAND owner_sid <> 1 \nAND state = 0; \n(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.) \n\nIf no databases are returned by the query, this is not a finding. \n\nFor any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding. \n\nIf approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring. \n\nIf the additional requirements are not in place, this is a finding." + }, + "fix": { + "__old": "Where possible, encrypt the Database Master Key with a password known only to the application administrator. Where not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data.", + "__new": "Where possible, encrypt the Database Master Key with a password known only to the application administrator.\n\nWhere not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data." 
+ } + } + }, + "SV-213914": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. \n\nSecurity functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.\n\nDevelopers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. \n\nDatabase Management Systems typically separate security functionality from non-security functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and non-security functionality are commingled, users who have access to non-security functionality may be able to access security functionality." + } + }, + "SV-213915": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81879" + ], + [ + "-", + "V-67389" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. 
\n\nData used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location without the proper controls." + } + }, + "SV-213916": { + "describe__deleted": " describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81881" + ], + [ + "-", + "V-67391" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.\n\nWith respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nEven when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. 
Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.", + "check": { + "__old": "Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.\n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding.\n\nIf column/field definitions are not reflective of the data, this is a finding.\n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding.\n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.\n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.", + "__new": "Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid 
input. \n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding. \n\nIf column/field definitions are not reflective of the data, this is a finding. \n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding. \n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding. \n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding." + } + } + }, + "SV-213917": { + "describe__deleted": " # The below query was taken from 2016 MSSQL STIG\n\n query = %{\n DBCC\n TRACESTATUS (3625, -1)\n GO\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n describe 'TRACEFLAG 3625' do\n subject { sql_session.query(query).rows[0] }\n its('status') { should cmp 1 }\n its('global') { should cmp 1 }\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81887" + ], + [ + "-", + "V-67397" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.\n\nDatabases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. 
In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system.\n\nCarefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers." + } + }, + "SV-213918": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81891" + ], + [ + "-", + "V-67401" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the 
database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213919": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81893" + ], + [ + "-", + "V-67403" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are 
typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213920": { + "describe__deleted": " if input('security_labeling_required')\n impact 0.5\n else\n impact 0.0\n desc 'Security labeling is stated as `not required` in the attributes file,\n this control is not applicable'\n end\n describe 'Test has no automation procedure, checks must be performed manually' do\n skip 'This check must be performed manually'\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81895" + ], + [ + "-", + "V-67405" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable", + "__new": "Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., 
subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "Security labeling is stated as `not required` in the attributes file,\n this control is not applicable" + } + }, + "SV-213921": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled table permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. 
Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. \n\nA subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. \n\nThe policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control." + } + }, + "SV-213922": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.\n\nPrivilege elevation must be utilized only where necessary and protected from misuse." 
+ } + }, + "SV-213923": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.\n\nDBMS functionality and the nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research.\n\nSQL Server must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization). \n\nIn the case of a database management system, this requirement covers stored procedures, functions, triggers, views, etc." + } + }, + "SV-213924": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. 
\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications." + } + }, + "SV-213926": { + "describe__deleted": " data_at_rest_encryption_required = input('data_at_rest_encryption_required')\n\n query = %{\n SELECT\n d.name AS [Database Name],\n CASE e.encryption_state\n WHEN 0 THEN 'No database encryption key present, no encryption'\n WHEN 1 THEN 'Unencrypted'\n WHEN 2 THEN 'Encryption in progress'\n WHEN 3 THEN 'Encrypted'\n WHEN 4 THEN 'Key change in progress'\n WHEN 5 THEN 'Decryption in progress'\n WHEN 6 THEN 'Protection change in progress'\n END AS [Encryption State]\n FROM sys.dm_database_encryption_keys e\n RIGHT JOIN sys.databases d ON DB_NAME(e.database_id) = d.name\n WHERE d.name IN ('#{input('db_name')}')\n }\n\n sql_session = mssql_session(user: input('user'),\n password: input('password'),\n host: input('host'),\n instance: input('instance'),\n port: input('port'),\n db_name: input('db_name'))\n\n unless data_at_rest_encryption_required\n impact 0.0\n desc 'If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.'\n end\n\n describe \"Database: #{input('db_name')} encryption state\" do\n subject { sql_session.query(query).column('encryption state').uniq }\n it { should cmp 'Encrypted' }\n end\n\n describe 'The following checks must be performed manually' do\n skip \"The following checks must be performed manually:\n If full-disk encryption is required, and Windows or the storage system is not\n configured for this, this is a finding.\n\n If database transparent data 
encryption (TDE) is called for, check whether it\n is enabled:\n In SQL Server Management Studio, Object Explorer, expand the instance and\n right-click on the database name; select properties. Select the Options page,\n State section, Encryption Enabled parameter.\n\n If the value displayed is False, this is a finding.\n\n If column encryption, done via SQL Server features, is required, review the\n definitions and contents of the relevant tables and columns.\n\n If any of the information defined as requiring cryptographic protection is not\n encrypted in a manner that provides the required level of protection, this is a\n finding.\n\n If table/column encryption and/or a separation between those who own the data\n (and can view it) and those who manage the data (but should have no access) is\n required for PII or similar types of data, use Always Encrypted. The details\n for configuring Always Encrypted are located here:\n https://msdn.microsoft.com/en-us/library/mt163865.aspx.\n\n Review the definitions and contents of the relevant tables/columns for the\n Always Encryption settings, if any of the information defined as requiring\n cryptographic protection is not encrypted this is a finding.\"\n end", + "tags": { + "documentable": { + "__old": null, + "__new": false + }, + "legacy": [ + [ + "-", + "SV-81899" + ], + [ + "-", + "V-67409" + ], + [ + " " + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "desc": { + "__old": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.", + "__new": "DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. 
These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, + "descs": { + "default__deleted": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding." + } + }, + "SV-213927": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "SQL Server’s handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides." + } + }, + "SV-251040": { + "describe__deleted": "", + "tags": { + "documentable": { + "__old": null, + "__new": false + } + }, + "refs": [ + [ + "+", + "DPMS Target MS SQL Server 2016 Database" + ] + ], + "descs": { + "default__deleted": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a DBMS with the encryption devices." + } + } + } + } +} \ No newline at end of file diff --git a/src/assets/downloads/delta_report.md b/src/assets/downloads/delta_report.md new file mode 100644 index 000000000..a16403227 --- /dev/null +++ b/src/assets/downloads/delta_report.md @@ -0,0 +1,10483 @@ +## Automatic Update: -> + +### New Controls: ++ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. + + +### Updated Check/Fixes: +#### Checks: +
+ Click to expand. +SV-230262: +Old: +``` +Verify the system-wide shared library files are group-owned by "root" +with the following command: + + $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} +\; + + If any system wide shared library file is returned and is not group-owned +by a required system account, this is a finding. + +``` + +Updated: +``` +Verify the system-wide shared library files are group-owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; + +If any system wide shared library file is returned and is not group-owned by a required system account, this is a finding. + +``` +--- +SV-230379: +Old: +``` +Verify all accounts on the system are assigned to an active system, +application, or user account. + + Obtain the list of authorized system accounts from the Information System +Security Officer (ISSO). + + Check the system accounts on the system with the following command: + + $ sudo more /etc/passwd + + root:x:0:0:root:/root:/bin/bash + bin:x:1:1:bin:/bin:/sbin/nologin + daemon:x:2:2:daemon:/sbin:/sbin/nologin + sync:x:5:0:sync:/sbin:/bin/sync + shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown + halt:x:7:0:halt:/sbin:/sbin/halt + games:x:12:100:games:/usr/games:/sbin/nologin + gopher:x:13:30:gopher:/var/gopher:/sbin/nologin + + Accounts such as "games" and "gopher" are not authorized accounts as +they do not support authorized system functions. + + If the accounts on the system do not match the provided documentation, or +accounts that do not support an authorized system function are present, this is +a finding. + +``` + +Updated: +``` +Verify that there are no unauthorized interactive user accounts with the following command: + +$ less /etc/passwd + +root:x:0:0:root:/root:/bin/bash +... 
+games:x:12:100:games:/usr/games:/sbin/nologin +scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash +djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash + +Interactive user account, generally will have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell. + +Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system. + +If there are unauthorized local user accounts on the system, this is a finding. + +``` +--- +SV-230470: +Old: +``` +Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the +following commands: + + Note: If the USBGuard daemon is not installed and enabled, this requirement +is not applicable. + + $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf + + AuditBackend=LinuxAudit + + If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or +the line is commented out, this is a finding. + +``` + +Updated: +``` +Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: + +Note: If the USBGuard daemon is not installed and enabled, this requirement is Not Applicable. + +$ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf + +AuditBackend=LinuxAudit + +If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or the line is commented out, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-230524: +Old: +``` +Verify the USBGuard has a policy configured with the following command: + + $ sudo usbguard list-rules + + If the command does not return results or an error is returned, ask the SA +to indicate how unauthorized peripherals are being blocked. 
+ + If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify the USBGuard has a policy configured with the following command: + +$ sudo usbguard list-rules + +If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-230548: +Old: +``` +Verify RHEL 8 disables the use of user namespaces with the following commands: + +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +$ sudo sysctl user.max_user_namespaces + +user.max_user_namespaces = 0 + +If the returned line does not have a value of "0", or a line is not returned, this is a finding. + +Check that the configuration files are present to enable this network parameter. + +$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + +/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + +If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding. 
+ +``` + +Updated: +``` +Verify RHEL 8 disables the use of user namespaces with the following commands: + +$ sudo sysctl user.max_user_namespaces + +user.max_user_namespaces = 0 + +If the returned line does not have a value of "0", or a line is not returned, this is a finding. + +Check that the configuration files are present to enable this network parameter. + +$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + +/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + +If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding. + +If the use of namespaces is operationally required and documented with the ISSM, it is not a finding. + +``` +--- +SV-230559: +Old: +``` +Verify the gssproxy package has not been installed on the system with the +following commands: + + $ sudo yum list installed gssproxy + + gssproxy.x86_64 +0.8.0-14.el8 @anaconda + + If the gssproxy package is installed and is not documented with the +Information System Security Officer (ISSO) as an operational requirement, this +is a finding. + +``` + +Updated: +``` +Verify the gssproxy package has not been installed on the system with the following commands: + +$ sudo yum list installed gssproxy + +gssproxy.x86_64 0.8.0-14.el8 @anaconda + +If the gssproxy package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. + +If NFS mounts are being used, this is not a finding. + +``` +--- +SV-244527: +Old: +``` +Check that RHEL 8 has the packages required to enabled the hardware random +number generator entropy gatherer service with the following command: + + $ sudo yum list installed rng-tools + + rng-tools.x86_64 6.8-3.el8 +@anaconda + + If the "rng-tools" package is not installed, this is a finding. 
+ +``` + +Updated: +``` +Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable. + +Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: + +$ sudo yum list installed rng-tools + +rng-tools.x86_64 6.8-3.el8 @anaconda + +If the "rng-tools" package is not installed, this is a finding. + +``` +--- +SV-244547: +Old: +``` +Verify USBGuard is installed on the operating system with the following +command: + + $ sudo yum list installed usbguard + + Installed Packages + usbguard.x86_64 0.7.8-7.el8 @ol8_appstream + + If the USBGuard package is not installed, ask the SA to indicate how +unauthorized peripherals are being blocked. + If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify USBGuard is installed on the operating system with the following command: + +$ sudo yum list installed usbguard + +Installed Packages +usbguard.x86_64 0.7.8-7.el8 @ol8_appstream + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-244548: +Old: +``` +Verify the operating system has enabled the use of the USBGuard with the +following command: + + $ sudo systemctl status usbguard.service + + usbguard.service - USBGuard daemon + Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor +preset: disabled) + Active: active (running) + + If the usbguard.service is not enabled and active, ask the SA to indicate +how unauthorized peripherals are being blocked. 
+ If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify the operating system has enabled the use of the USBGuard with the following command: + +$ sudo systemctl status usbguard.service + +usbguard.service - USBGuard daemon +Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled) +Active: active (running) + +If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-257258: +Old: +``` +Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command: + + $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf + + StopIdleSessionSec=900 + +If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding. + +``` + +Updated: +``` +Note: This requirement applies to RHEL versions 8.7 and higher. If the system is not RHEL version 8.7 or newer, this requirement is not applicable. + +Verify that RHEL 8 logs out sessions that are idle for 10 minutes with the following command: + +$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf + +StopIdleSessionSec=600 + +If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding. + +``` +--- +
+
+#### Fixes:
+
+ Click to expand. +SV-230379: +Old: +``` +Configure the system so all accounts on the system are assigned to an +active system, application, or user account. + + Remove accounts that do not support approved system activities or that +allow for a normal user to perform administrative-level actions. + + Document all authorized accounts on the system. + +``` +New: +``` +Remove unauthorized local interactive user accounts with the following command where is the unauthorized account: + +$ sudo userdel + +``` +--- +SV-230548: +Old: +``` +Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +user.max_user_namespaces = 0 + +Remove any configurations that conflict with the above from the following locations: +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf +/etc/sysctl.d/*.conf + +The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +$ sudo sysctl --system + +``` +New: +``` +Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + +user.max_user_namespaces = 0 + +Remove any configurations that conflict with the above from the following locations: +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf +/etc/sysctl.d/*.conf + +The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +$ sudo sysctl --system + +``` +--- +SV-257258: +Old: +``` +Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: + + StopIdleSessionSec=900 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + + $ sudo systemctl restart systemd-logind + +Note: To preserve running user programs such as tmux, uncomment and/or edit "KillUserProccesses=no" in "/etc/systemd/logind.conf". + +``` +New: +``` +Configure RHEL 8 to log out idle sessions after 10 minutes by editing the /etc/systemd/logind.conf file with the following line: + +StopIdleSessionSec=600 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + +$ sudo systemctl restart systemd-logind + +``` +--- +
+
+### Updated Impacts
+
+ Click to expand.
+SV-230223:
+Old: 0
+New: 0.7
+---
+SV-230224:
+Old: 0
+New: 0.5
+---
+SV-230230:
+Old: 0
+New: 0.5
+---
+SV-230234:
+Old: 0
+New: 0.7
+---
+SV-230235:
+Old: 0
+New: 0.7
+---
+SV-230238:
+Old: 0
+New: 0.5
+---
+SV-230239:
+Old: 0
+New: 0.5
+---
+SV-230244:
+Old: 0
+New: 0.5
+---
+SV-230273:
+Old: 0
+New: 0.5
+---
+SV-230275:
+Old: 0
+New: 0.5
+---
+SV-230285:
+Old: 0
+New: 0.3
+---
+SV-230300:
+Old: 0
+New: 0.5
+---
+SV-230328:
+Old: 0
+New: 0.5
+---
+SV-230329:
+Old: 0
+New: 0.7
+---
+SV-230332:
+Old: 0
+New: 0.5
+---
+SV-230347:
+Old: 0
+New: 0.5
+---
+SV-230351:
+Old: 0
+New: 0.5
+---
+SV-230352:
+Old: 0
+New: 0.5
+---
+SV-230354:
+Old: 0
+New: 0.5
+---
+SV-230376:
+Old: 0
+New: 0.5
+---
+SV-230380:
+Old: 0
+New: 0.7
+---
+SV-230382:
+Old: 0
+New: 0.5
+---
+SV-230385:
+Old: 0.7
+New: 0.5
+---
+SV-230493:
+Old: 0
+New: 0.5
+---
+SV-230502:
+Old: 0
+New: 0.5
+---
+SV-230506:
+Old: 0
+New: 0.5
+---
+SV-230507:
+Old: 0
+New: 0.5
+---
+SV-230523:
+Old: 0
+New: 0.5
+---
+SV-230530:
+Old: 0
+New: 0.7
+---
+SV-230535:
+Old: 0
+New: 0.5
+---
+SV-230536:
+Old: 0
+New: 0.5
+---
+SV-230537:
+Old: 0
+New: 0.5
+---
+SV-230538:
+Old: 0
+New: 0.5
+---
+SV-230539:
+Old: 0
+New: 0.5
+---
+SV-230540:
+Old: 0
+New: 0.5
+---
+SV-230541:
+Old: 0
+New: 0.5
+---
+SV-230542:
+Old: 0
+New: 0.5
+---
+SV-230543:
+Old: 0
+New: 0.5
+---
+SV-230544:
+Old: 0
+New: 0.5
+---
+SV-230545:
+Old: 0
+New: 0.5
+---
+SV-230546:
+Old: 0
+New: 0.5
+---
+SV-230547:
+Old: 0
+New: 0.5
+---
+SV-230548:
+Old: 0
+New: 0.5
+---
+SV-230549:
+Old: 0
+New: 0.5
+---
+SV-230550:
+Old: 0
+New: 0.5
+---
+SV-230557:
+Old: 0
+New: 0.5
+---
+SV-237640:
+Old: 0
+New: 0.5
+---
+SV-244519:
+Old: 0
+New: 0.5
+---
+SV-244521:
+Old: 0
+New: 0.5
+---
+SV-244522:
+Old: 0
+New: 0.5
+---
+SV-244530:
+Old: 0
+New: 0.5
+---
+SV-244535:
+Old: 0
+New: 0.5
+---
+SV-244536:
+Old: 0
+New: 0.5
+---
+SV-244538:
+Old: 0
+New: 0.5
+---
+SV-244539:
+Old: 0
+New: 0.5
+---
+SV-244545:
+Old: 0
+New: 0.5
+---
+SV-244546:
+Old: 
0
+New: 0.5
+---
+SV-244550:
+Old: 0
+New: 0.5
+---
+SV-244551:
+Old: 0
+New: 0.5
+---
+SV-244552:
+Old: 0
+New: 0.5
+---
+SV-244553:
+Old: 0
+New: 0.5
+---
+SV-244554:
+Old: 0
+New: 0.5
+---
+SV-250315:
+Old: 0
+New: 0.5
+---
+SV-250317:
+Old: 0
+New: 0.5
+---
+SV-251710:
+Old: 0
+New: 0.5
+---
+SV-251711:
+Old: 0
+New: 0.5
+---
+SV-251712:
+Old: 0
+New: 0.5
+---
+SV-251718:
+Old: 0
+New: 0.5
+---
+
+
+### Updated Titles
+
+ Click to expand.
+SV-230226:
+Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent
+Banner before granting local or remote access to the system via a graphical
+user logon.
+New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
+---
+SV-230227:
+Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent
+Banner before granting local or remote access to the system via a command line
+user logon.
+New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
+---
+SV-230229:
+Old: RHEL 8, for PKI-based authentication, must validate certificates by
+constructing a certification path (which includes status information) to an
+accepted trust anchor.
+New: RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
+---
+SV-230230:
+Old: RHEL 8, for certificate-based authentication, must enforce authorized
+access to the corresponding private key.
+New: RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
+---
+SV-230231:
+Old: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved
+cryptographic hashing algorithm.
+New: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
+---
+SV-230232:
+Old: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing
+algorithms for all stored passwords.
+New: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
+---
+SV-230234:
+Old: RHEL 8 operating systems booted with United Extensible Firmware
+Interface (UEFI) must require authentication upon booting into single-user mode
+and maintenance.
+New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
+---
+SV-230235:
+Old: RHEL 8 operating systems booted with a BIOS must require
+authentication upon booting into single-user and maintenance modes.
+New: RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
+---
+SV-230236:
+Old: RHEL 8 operating systems must require authentication upon booting into
+rescue mode.
+New: RHEL 8 operating systems must require authentication upon booting into rescue mode.
+---
+SV-230237:
+Old: The RHEL 8 pam_unix.so module must be configured in the password-auth
+file to use a FIPS 140-2 approved cryptographic hashing algorithm for system
+authentication.
+New: The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
+---
+SV-230238:
+Old: RHEL 8 must prevent system daemons from using Kerberos for
+authentication.
+New: RHEL 8 must prevent system daemons from using Kerberos for authentication.
+---
+SV-230240:
+Old: RHEL 8 must use a Linux Security Module configured to enforce limits
+on system services.
+New: RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
+---
+SV-230243:
+Old: A sticky bit must be set on all RHEL 8 public directories to prevent
+unauthorized and unintended information transferred via shared system
+resources.
+New: A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
+---
+SV-230245:
+Old: The RHEL 8 /var/log/messages file must have mode 0640 or less
+permissive.
+New: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
+---
+SV-230252:
+Old: The RHEL 8 operating system must implement DoD-approved encryption to
+protect the confidentiality of SSH server connections.
+New: The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.
+---
+SV-230254:
+Old: The RHEL 8 operating system must implement DoD-approved encryption in
+the OpenSSL package.
+New: The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
+---
+SV-230255:
+Old: The RHEL 8 operating system must implement DoD-approved TLS encryption
+in the OpenSSL package.
+New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
+---
+SV-230256:
+Old: The RHEL 8 operating system must implement DoD-approved TLS encryption
+in the GnuTLS package.
+New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.
+---
+SV-230259:
+Old: RHEL 8 system commands must be group-owned by root or a system
+account.
+New: RHEL 8 system commands must be group-owned by root or a system account.
+---
+SV-230263:
+Old: The RHEL 8 file integrity tool must notify the system administrator
+when changes to the baseline configuration or anomalies in the operation of any
+security functions are discovered within an organizationally defined frequency.
+New: The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
+---
+SV-230264:
+Old: RHEL 8 must prevent the installation of software, patches, service
+packs, device drivers, or operating system components from a repository without
+verification they have been digitally signed using a certificate that is issued
+by a Certificate Authority (CA) that is recognized and approved by the
+organization.
+New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
+---
+SV-230265:
+Old: RHEL 8 must prevent the installation of software, patches, service
+packs, device drivers, or operating system components of local packages without
+verification they have been digitally signed using a certificate that is issued
+by a Certificate Authority (CA) that is recognized and approved by the
+organization.
+New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
+---
+SV-230267:
+Old: RHEL 8 must enable kernel parameters to enforce discretionary access
+control on symlinks.
+New: RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.
+---
+SV-230271:
+Old: RHEL 8 must require users to provide a password for privilege
+escalation.
+New: RHEL 8 must require users to provide a password for privilege escalation.
+---
+SV-230273:
+Old: RHEL 8 must have the packages required for multifactor authentication
+ installed.
+New: RHEL 8 must have the packages required for multifactor authentication installed.
+---
+SV-230276:
+Old: RHEL 8 must implement non-executable data to protect its memory from
+unauthorized code execution.
+New: RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution.
+---
+SV-230277:
+Old: RHEL 8 must clear the page allocator to prevent use-after-free
+attacks.
+New: RHEL 8 must clear the page allocator to prevent use-after-free attacks.
+---
+SV-230280:
+Old: RHEL 8 must implement address space layout randomization (ASLR) to
+protect its memory from unauthorized code execution.
+New: RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
+---
+SV-230281:
+Old: YUM must remove all software components after updated versions have
+been installed on RHEL 8.
+New: YUM must remove all software components after updated versions have been installed on RHEL 8.
+---
+SV-230285:
+Old: RHEL 8 must enable the hardware random number generator entropy
+gatherer service.
+New: RHEL 8 must enable the hardware random number generator entropy gatherer service.
+---
+SV-230286:
+Old: The RHEL 8 SSH public host key files must have mode 0644 or less
+permissive.
+New: The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
+---
+SV-230288:
+Old: The RHEL 8 SSH daemon must perform strict mode checking of home
+directory configuration files.
+New: The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
+---
+SV-230290:
+Old: The RHEL 8 SSH daemon must not allow authentication using known host’s
+authentication.
+New: The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
+---
+SV-230291:
+Old: The RHEL 8 SSH daemon must not allow Kerberos authentication, except
+to fulfill documented and validated mission requirements.
+New: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
+---
+SV-230296:
+Old: RHEL 8 must not permit direct logons to the root account using remote
+access via SSH.
+New: RHEL 8 must not permit direct logons to the root account using remote access via SSH.
+---
+SV-230299:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on file systems that contain user home directories.
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
+---
+SV-230300:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on the /boot directory.
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
+---
+SV-230302:
+Old: RHEL 8 must prevent code from being executed on file systems that
+contain user home directories.
+New: RHEL 8 must prevent code from being executed on file systems that contain user home directories.
+---
+SV-230303:
+Old: RHEL 8 must prevent special devices on file systems that are used with
+removable media.
+New: RHEL 8 must prevent special devices on file systems that are used with removable media.
+---
+SV-230304:
+Old: RHEL 8 must prevent code from being executed on file systems that are
+used with removable media.
+New: RHEL 8 must prevent code from being executed on file systems that are used with removable media.
+---
+SV-230305:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on file systems that are used with removable media.
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
+---
+SV-230306:
+Old: RHEL 8 must prevent code from being executed on file systems that are
+imported via Network File System (NFS).
+New: RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
+---
+SV-230307:
+Old: RHEL 8 must prevent special devices on file systems that are imported
+via Network File System (NFS).
+New: RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
+---
+SV-230308:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on file systems that are imported via Network File System (NFS).
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
+---
+SV-230309:
+Old: Local RHEL 8 initialization files must not execute world-writable
+programs.
+New: Local RHEL 8 initialization files must not execute world-writable programs.
+---
+SV-230316:
+Old: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at
+least two name servers must be configured.
+New: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
+---
+SV-230317:
+Old: Executable search paths within the initialization files of all local
+interactive RHEL 8 users must only contain paths that resolve to the system
+default or the users home directory.
+New: Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
+---
+SV-230318:
+Old: All RHEL 8 world-writable directories must be owned by root, sys, bin,
+or an application user.
+New: All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
+---
+SV-230319:
+Old: All RHEL 8 world-writable directories must be group-owned by root,
+sys, bin, or an application group.
+New: All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
+---
+SV-230320:
+Old: All RHEL 8 local interactive users must have a home directory assigned
+in the /etc/passwd file.
+New: All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
+---
+SV-230321:
+Old: All RHEL 8 local interactive user home directories must have mode 0750
+or less permissive.
+New: All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
+---
+SV-230322:
+Old: All RHEL 8 local interactive user home directories must be group-owned
+by the home directory owner’s primary group.
+New: All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
+---
+SV-230323:
+Old: All RHEL 8 local interactive user home directories defined in the
+/etc/passwd file must exist.
+New: All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
+---
+SV-230324:
+Old: All RHEL 8 local interactive user accounts must be assigned a home
+directory upon creation.
+New: All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
+---
+SV-230325:
+Old: All RHEL 8 local initialization files must have mode 0740 or less
+permissive.
+New: All RHEL 8 local initialization files must have mode 0740 or less permissive.
+---
+SV-230328:
+Old: A separate RHEL 8 filesystem must be used for user home directories
+(such as /home or an equivalent).
+New: A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
+---
+SV-230329:
+Old: Unattended or automatic logon via the RHEL 8 graphical user interface
+must not be allowed.
+New: Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
+---
+SV-230331:
+Old: RHEL 8 temporary user accounts must be provisioned with an expiration
+time of 72 hours or less.
+New: RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.
+---
+SV-230332:
+Old: RHEL 8 must automatically lock an account when three unsuccessful
+logon attempts occur.
+New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
+---
+SV-230333:
+Old: RHEL 8 must automatically lock an account when three unsuccessful
+logon attempts occur.
+New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
+---
+SV-230334:
+Old: RHEL 8 must automatically lock an account when three unsuccessful
+logon attempts occur during a 15-minute time period.
+New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230335:
+Old: RHEL 8 must automatically lock an account when three unsuccessful
+logon attempts occur during a 15-minute time period.
+New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230336:
+Old: RHEL 8 must automatically lock an account until the locked account is
+released by an administrator when three unsuccessful logon attempts occur
+during a 15-minute time period.
+New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230337:
+Old: RHEL 8 must automatically lock an account until the locked account is
+released by an administrator when three unsuccessful logon attempts occur
+during a 15-minute time period.
+New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230340:
+Old: RHEL 8 must prevent system messages from being presented when three
+unsuccessful logon attempts occur.
+New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
+---
+SV-230341:
+Old: RHEL 8 must prevent system messages from being presented when three
+unsuccessful logon attempts occur.
+New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
+---
+SV-230342:
+Old: RHEL 8 must log user name information when unsuccessful logon attempts
+occur.
+New: RHEL 8 must log user name information when unsuccessful logon attempts occur.
+---
+SV-230343:
+Old: RHEL 8 must log user name information when unsuccessful logon attempts
+occur.
+New: RHEL 8 must log user name information when unsuccessful logon attempts occur.
+---
+SV-230344:
+Old: RHEL 8 must include root when automatically locking an account until
+the locked account is released by an administrator when three unsuccessful
+logon attempts occur during a 15-minute time period.
+New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230345:
+Old: RHEL 8 must include root when automatically locking an account until
+the locked account is released by an administrator when three unsuccessful
+logon attempts occur during a 15-minute time period.
+New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
+---
+SV-230346:
+Old: RHEL 8 must limit the number of concurrent sessions to ten for all
+accounts and/or account types.
+New: RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
+---
+SV-230347:
+Old: RHEL 8 must enable a user session lock until that user re-establishes
+access using established identification and authentication procedures for
+graphical user sessions.
+New: RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
+---
+SV-230351:
+Old: RHEL 8 must be able to initiate directly a session lock for all
+ connection types using smartcard when the smartcard is removed.
+New: RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.
+--- +SV-230352: +Old: RHEL 8 must automatically lock graphical user sessions after 15 +minutes of inactivity. +New: RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity. +--- +SV-230354: +Old: RHEL 8 must prevent a user from overriding the session lock-delay +setting for the graphical user interface. +New: RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface. +--- +SV-230355: +Old: RHEL 8 must map the authenticated identity to the user or group +account for PKI-based authentication. +New: RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication. +--- +SV-230357: +Old: RHEL 8 must enforce password complexity by requiring that at least one +uppercase character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. +--- +SV-230358: +Old: RHEL 8 must enforce password complexity by requiring that at least one +lower-case character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. +--- +SV-230359: +Old: RHEL 8 must enforce password complexity by requiring that at least one +numeric character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. +--- +SV-230360: +Old: RHEL 8 must require the maximum number of repeating characters of the +same character class be limited to four when passwords are changed. +New: RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. +--- +SV-230361: +Old: RHEL 8 must require the maximum number of repeating characters be +limited to three when passwords are changed. +New: RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. 
+--- +SV-230363: +Old: RHEL 8 must require the change of at least 8 characters when passwords +are changed. +New: RHEL 8 must require the change of at least 8 characters when passwords are changed. +--- +SV-230364: +Old: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime +restriction in /etc/shadow. +New: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. +--- +SV-230366: +Old: RHEL 8 user account passwords must have a 60-day maximum password +lifetime restriction. +New: RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction. +--- +SV-230367: +Old: RHEL 8 user account passwords must be configured so that existing +passwords are restricted to a 60-day maximum lifetime. +New: RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. +--- +SV-230372: +Old: RHEL 8 must implement smart card logon for multifactor authentication +for access to interactive accounts. +New: RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. +--- +SV-230373: +Old: RHEL 8 account identifiers (individuals, groups, roles, and devices) + must be disabled after 35 days of inactivity. +New: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. +--- +SV-230378: +Old: RHEL 8 must enforce a delay of at least four seconds between logon +prompts following a failed logon attempt. +New: RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. +--- +SV-230380: +Old: RHEL 8 must not allow accounts configured with blank or null +passwords. +New: RHEL 8 must not allow accounts configured with blank or null passwords. +--- +SV-230381: +Old: RHEL 8 must display the date and time of the last successful account +logon upon logon. 
+New: RHEL 8 must display the date and time of the last successful account logon upon logon. +--- +SV-230382: +Old: RHEL 8 must display the date and time of the last successful account +logon upon an SSH logon. +New: RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. +--- +SV-230383: +Old: RHEL 8 must define default permissions for all authenticated users in +such a way that the user can only read and modify their own files. +New: RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. +--- +SV-230384: +Old: RHEL 8 must set the umask value to 077 for all local interactive user +accounts. +New: RHEL 8 must set the umask value to 077 for all local interactive user accounts. +--- +SV-230386: +Old: The RHEL 8 audit system must be configured to audit the execution of +privileged functions and prevent all software from executing at higher +privilege levels than users executing the software. +New: The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. +--- +SV-230388: +Old: The RHEL 8 System Administrator (SA) and Information System Security +Officer (ISSO) (at a minimum) must be alerted of an audit processing failure +event. +New: The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. +--- +SV-230389: +Old: The RHEL 8 Information System Security Officer (ISSO) and System +Administrator (SA) (at a minimum) must have mail aliases to be notified of an +audit processing failure. +New: The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. 
+--- +SV-230390: +Old: The RHEL 8 System must take appropriate action when an audit +processing failure occurs. +New: The RHEL 8 System must take appropriate action when an audit processing failure occurs. +--- +SV-230392: +Old: The RHEL 8 audit system must take appropriate action when the audit +storage volume is full. +New: The RHEL 8 audit system must take appropriate action when the audit storage volume is full. +--- +SV-230394: +Old: RHEL 8 must label all off-loaded audit logs before sending them to the +central log server. +New: RHEL 8 must label all off-loaded audit logs before sending them to the central log server. +--- +SV-230396: +Old: RHEL 8 audit logs must have a mode of 0600 or less permissive to +prevent unauthorized read access. +New: RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. +--- +SV-230397: +Old: RHEL 8 audit logs must be owned by root to prevent unauthorized read +access. +New: RHEL 8 audit logs must be owned by root to prevent unauthorized read access. +--- +SV-230398: +Old: RHEL 8 audit logs must be group-owned by root to prevent unauthorized +read access. +New: RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. +--- +SV-230399: +Old: RHEL 8 audit log directory must be owned by root to prevent +unauthorized read access. +New: RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. +--- +SV-230400: +Old: RHEL 8 audit log directory must be group-owned by root to prevent +unauthorized read access. +New: RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. +--- +SV-230401: +Old: RHEL 8 audit log directory must have a mode of 0700 or less permissive +to prevent unauthorized read access. +New: RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access. +--- +SV-230402: +Old: RHEL 8 audit system must protect auditing rules from unauthorized +change. 
+New: RHEL 8 audit system must protect auditing rules from unauthorized change. +--- +SV-230404: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/shadow. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. +--- +SV-230405: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect +/etc/security/opasswd. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. +--- +SV-230406: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/passwd. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. +--- +SV-230407: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/gshadow. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. +--- +SV-230408: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/group. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. +--- +SV-230409: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/sudoers. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. 
+--- +SV-230410: +Old: RHEL 8 must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/sudoers.d/. +New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. +--- +SV-230412: +Old: Successful/unsuccessful uses of the su command in RHEL 8 must generate +an audit record. +New: Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. +--- +SV-230418: +Old: Successful/unsuccessful uses of the chage command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. +--- +SV-230419: +Old: Successful/unsuccessful uses of the chcon command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. +--- +SV-230421: +Old: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate +an audit record. +New: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. +--- +SV-230422: +Old: Successful/unsuccessful uses of the passwd command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. +--- +SV-230423: +Old: Successful/unsuccessful uses of the mount command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. +--- +SV-230424: +Old: Successful/unsuccessful uses of the umount command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. +--- +SV-230425: +Old: Successful/unsuccessful uses of the mount syscall in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. 
+--- +SV-230426: +Old: Successful/unsuccessful uses of the unix_update in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. +--- +SV-230427: +Old: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. +--- +SV-230428: +Old: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. +--- +SV-230429: +Old: Successful/unsuccessful uses of semanage in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. +--- +SV-230430: +Old: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. +--- +SV-230431: +Old: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. +--- +SV-230432: +Old: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. +--- +SV-230433: +Old: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an +audit record. +New: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. +--- +SV-230434: +Old: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. +--- +SV-230435: +Old: Successful/unsuccessful uses of the setfacl command in RHEL 8 must +generate an audit record. 
+New: Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. +--- +SV-230436: +Old: Successful/unsuccessful uses of the pam_timestamp_check command in +RHEL 8 must generate an audit record. +New: Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. +--- +SV-230437: +Old: Successful/unsuccessful uses of the newgrp command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. +--- +SV-230444: +Old: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. +--- +SV-230446: +Old: Successful/unsuccessful uses of the delete_module command in RHEL 8 +must generate an audit record. +New: Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. +--- +SV-230447: +Old: Successful/unsuccessful uses of the crontab command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. +--- +SV-230448: +Old: Successful/unsuccessful uses of the chsh command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. +--- +SV-230462: +Old: Successful/unsuccessful uses of the sudo command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. +--- +SV-230463: +Old: Successful/unsuccessful uses of the usermod command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. +--- +SV-230464: +Old: Successful/unsuccessful uses of the chacl command in RHEL 8 must +generate an audit record. 
+New: Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. +--- +SV-230465: +Old: Successful/unsuccessful uses of the kmod command in RHEL 8 must +generate an audit record. +New: Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. +--- +SV-230466: +Old: Successful/unsuccessful modifications to the faillock log file in RHEL +8 must generate an audit record. +New: Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record. +--- +SV-230467: +Old: Successful/unsuccessful modifications to the lastlog file in RHEL 8 +must generate an audit record. +New: Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. +--- +SV-230468: +Old: RHEL 8 must enable auditing of processes that start prior to the audit +daemon. +New: RHEL 8 must enable auditing of processes that start prior to the audit daemon. +--- +SV-230469: +Old: RHEL 8 must allocate an audit_backlog_limit of sufficient size to +capture processes that start prior to the audit daemon. +New: RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. +--- +SV-230471: +Old: RHEL 8 must allow only the Information System Security Manager (ISSM) +(or individuals or roles appointed by the ISSM) to select which auditable +events are to be audited. +New: RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. +--- +SV-230475: +Old: RHEL 8 must use cryptographic mechanisms to protect the integrity of +audit tools. +New: RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. 
+--- +SV-230476: +Old: RHEL 8 must allocate audit record storage capacity to store at least +one week of audit records, when audit records are not immediately sent to a +central audit record storage facility. +New: RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. +--- +SV-230477: +Old: RHEL 8 must have the packages required for offloading audit logs +installed. +New: RHEL 8 must have the packages required for offloading audit logs installed. +--- +SV-230478: +Old: RHEL 8 must have the packages required for encrypting offloaded audit +logs installed. +New: RHEL 8 must have the packages required for encrypting offloaded audit logs installed. +--- +SV-230479: +Old: The RHEL 8 audit records must be off-loaded onto a different system or +storage media from the system being audited. +New: The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited. +--- +SV-230480: +Old: RHEL 8 must take appropriate action when the internal event queue is +full. +New: RHEL 8 must take appropriate action when the internal event queue is full. +--- +SV-230481: +Old: RHEL 8 must encrypt the transfer of audit records off-loaded onto a +different system or media from the system being audited. +New: RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. +--- +SV-230482: +Old: RHEL 8 must authenticate the remote logging server for off-loading +audit logs. +New: RHEL 8 must authenticate the remote logging server for off-loading audit logs. +--- +SV-230483: +Old: RHEL 8 must take action when allocated audit record storage volume + reaches 75 percent of the repository maximum audit record storage capacity. 
+New: RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. +--- +SV-230484: +Old: RHEL 8 must securely compare internal information system clocks at +least every 24 hours with a server synchronized to an authoritative time +source, such as the United States Naval Observatory (USNO) time servers, or a +time server designated for the appropriate DoD network (NIPRNet/SIPRNet), +and/or the Global Positioning System (GPS). +New: RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). +--- +SV-230491: +Old: RHEL 8 must enable mitigations against processor-based +vulnerabilities. +New: RHEL 8 must enable mitigations against processor-based vulnerabilities. +--- +SV-230493: +Old: RHEL 8 must cover or disable the built-in or attached camera when not +in use. +New: RHEL 8 must cover or disable the built-in or attached camera when not in use. +--- +SV-230497: +Old: RHEL 8 must disable the transparent inter-process communication (TIPC) +protocol. +New: RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. +--- +SV-230500: +Old: RHEL 8 must be configured to prohibit or restrict the use of +functions, ports, protocols, and/or services, as defined in the Ports, +Protocols, and Services Management (PPSM) Category Assignments List (CAL) and +vulnerability assessments. +New: RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
+--- +SV-230504: +Old: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy +for allowing connections to other systems. +New: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. +--- +SV-230524: +Old: RHEL 8 must block unauthorized peripherals before establishing a +connection. +New: RHEL 8 must block unauthorized peripherals before establishing a connection. +--- +SV-230525: +Old: A firewall must be able to protect against or limit the effects of +Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting +measures on impacted network interfaces. +New: A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. +--- +SV-230526: +Old: All RHEL 8 networked systems must have and implement SSH to protect +the confidentiality and integrity of transmitted and received information, as +well as information during preparation for transmission. +New: All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. +--- +SV-230527: +Old: RHEL 8 must force a frequent session key renegotiation for SSH +connections to the server. +New: RHEL 8 must force a frequent session key renegotiation for SSH connections to the server. +--- +SV-230530: +Old: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a +graphical user interface is installed. +New: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. +--- +SV-230531: +Old: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be +disabled. +New: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled. 
+--- +SV-230533: +Old: The Trivial File Transfer Protocol (TFTP) server package must not be +installed if not required for RHEL 8 operational support. +New: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support. +--- +SV-230534: +Old: The root account must be the only account having unrestricted access +to the RHEL 8 system. +New: The root account must be the only account having unrestricted access to the RHEL 8 system. +--- +SV-230535: +Old: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) +redirect messages from being accepted. +New: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. +--- +SV-230536: +Old: RHEL 8 must not send Internet Control Message Protocol (ICMP) +redirects. +New: RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. +--- +SV-230537: +Old: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) +echoes sent to a broadcast address. +New: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. +--- +SV-230542: +Old: RHEL 8 must not accept router advertisements on all IPv6 interfaces by +default. +New: RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. +--- +SV-230543: +Old: RHEL 8 must not allow interfaces to perform Internet Control Message +Protocol (ICMP) redirects by default. +New: RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. +--- +SV-230544: +Old: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) +redirect messages. +New: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. +--- +SV-230545: +Old: RHEL 8 must disable access to network bpf syscall from unprivileged +processes. +New: RHEL 8 must disable access to network bpf syscall from unprivileged processes. 
+--- +SV-230551: +Old: The RHEL 8 file integrity tool must be configured to verify extended +attributes. +New: The RHEL 8 file integrity tool must be configured to verify extended attributes. +--- +SV-230552: +Old: The RHEL 8 file integrity tool must be configured to verify Access +Control Lists (ACLs). +New: The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs). +--- +SV-230553: +Old: The graphical display manager must not be installed on RHEL 8 unless +approved. +New: The graphical display manager must not be installed on RHEL 8 unless approved. +--- +SV-230555: +Old: RHEL 8 remote X connections for interactive users must be disabled +unless to fulfill documented and validated mission requirements. +New: RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. +--- +SV-230556: +Old: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the +proxy display. +New: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display. +--- +SV-230557: +Old: If the Trivial File Transfer Protocol (TFTP) server is required, the +RHEL 8 TFTP daemon must be configured to operate in secure mode. +New: If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. +--- +SV-230558: +Old: A File Transfer Protocol (FTP) server package must not be installed +unless mission essential on RHEL 8. +New: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8. +--- +SV-230559: +Old: The gssproxy package must not be installed unless mission essential on +RHEL 8. +New: The gssproxy package must not be installed unless mission essential on RHEL 8. +--- +SV-230560: +Old: The iprutils package must not be installed unless mission essential on +RHEL 8. +New: The iprutils package must not be installed unless mission essential on RHEL 8. 
+--- +SV-230561: +Old: The tuned package must not be installed unless mission essential on +RHEL 8. +New: The tuned package must not be installed unless mission essential on RHEL 8. +--- +SV-237642: +Old: RHEL 8 must use the invoking user's password for privilege escalation +when using "sudo". +New: RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". +--- +SV-244519: +Old: RHEL 8 must display a banner before granting local or remote access to +the system via a graphical user logon. +New: RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon. +--- +SV-244521: +Old: RHEL 8 operating systems booted with United Extensible Firmware +Interface (UEFI) must require a unique superusers name upon booting into +single-user mode and maintenance. +New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance. +--- +SV-244523: +Old: RHEL 8 operating systems must require authentication upon booting into +emergency mode. +New: RHEL 8 operating systems must require authentication upon booting into emergency mode. +--- +SV-244524: +Old: The RHEL 8 pam_unix.so module must be configured in the system-auth +file to use a FIPS 140-2 approved cryptographic hashing algorithm for system +authentication. +New: The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. +--- +SV-244527: +Old: RHEL 8 must have the packages required to use the hardware random +number generator entropy gatherer service. +New: RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service. +--- +SV-244530: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on the /boot/efi directory. 
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
+---
+SV-244531:
+Old: All RHEL 8 local interactive user home directory files must have mode
+0750 or less permissive.
+New: All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
+---
+SV-244532:
+Old: RHEL 8 must be configured so that all files and directories contained
+in local interactive user home directories are group-owned by a group of which
+the home directory owner is a member.
+New: RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
+---
+SV-244533:
+Old: RHEL 8 must configure the use of the pam_faillock.so module in the
+/etc/pam.d/system-auth file.
+New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
+---
+SV-244534:
+Old: RHEL 8 must configure the use of the pam_faillock.so module in the
+/etc/pam.d/password-auth file.
+New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
+---
+SV-244535:
+Old: RHEL 8 must initiate a session lock for graphical user interfaces when
+the screensaver is activated.
+New: RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
+---
+SV-244536:
+Old: RHEL 8 must disable the user list at logon for graphical user
+interfaces.
+New: RHEL 8 must disable the user list at logon for graphical user interfaces.
+---
+SV-244538:
+Old: RHEL 8 must prevent a user from overriding the session idle-delay
+setting for the graphical user interface.
+New: RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
+---
+SV-244539:
+Old: RHEL 8 must prevent a user from overriding the screensaver
+lock-enabled setting for the graphical user interface.
+New: RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
+---
+SV-244541:
+Old: RHEL 8 must not allow blank or null passwords in the password-auth
+file.
+New: RHEL 8 must not allow blank or null passwords in the password-auth file.
+---
+SV-244542:
+Old: RHEL 8 audit records must contain information to establish what type
+of events occurred, the source of events, where events occurred, and the
+outcome of events.
+New: RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
+---
+SV-244543:
+Old: RHEL 8 must notify the System Administrator (SA) and Information
+System Security Officer (ISSO) (at a minimum) when allocated audit record
+storage volume 75 percent utilization.
+New: RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
+---
+SV-244546:
+Old: The RHEL 8 fapolicy module must be configured to employ a deny-all,
+permit-by-exception policy to allow the execution of authorized software
+programs.
+New: The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
+---
+SV-244550:
+Old: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP)
+redirect messages from being accepted.
+New: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+---
+SV-244554:
+Old: RHEL 8 must enable hardening for the Berkeley Packet Filter
+Just-in-time compiler.
+New: RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
+---
+SV-250315:
+Old: RHEL 8 systems, versions 8.2 and above, must configure SELinux context
+ type to allow the use of a non-default faillock tally directory.
+New: RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
+---
+SV-257258:
+Old: RHEL 8 must terminate idle user sessions.
+New: RHEL 8.7 and higher must terminate idle user sessions.
+---
+
+
+### Updated Descriptions
+
+ Click to expand. +SV-230221: +Old: +``` +An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + + Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. + + Note: The life-cycle time spans and dates are subject to adjustment. + +``` +New: +``` +An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. +Note: The life-cycle time spans and dates are subject to adjustment. + +``` +--- +SV-230222: +Old: +``` +Timely patching is critical for maintaining the operational + availability, confidentiality, and integrity of information technology (IT) + systems. 
However, failure to keep operating system and application software + patched is a common mistake made by IT professionals. New patches are released + daily, and it is often difficult for even experienced System Administrators to + keep abreast of all the new patches. When new weaknesses in an operating system + exist, patches are usually made available by the vendor to resolve the + problems. If the most recent security patches and updates are not installed, + unauthorized users may take advantage of weaknesses in the unpatched software. + The lack of prompt attention to patching could result in a system compromise. + +``` +New: +``` +Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. + +``` +--- +SV-230223: +Old: +``` +Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. 
The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. + +The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. + +``` +New: +``` +Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. + +The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. + + + +``` +--- +SV-230224: +Old: +``` +RHEL 8 systems handling data requiring "data at rest" protections + must employ cryptographic mechanisms to prevent unauthorized disclosure and + modification of the information at rest. 
+ + Selection of a cryptographic mechanism is based on the need to protect the +integrity of organizational information. The strength of the mechanism is +commensurate with the security category and/or classification of the +information. Organizations have the flexibility to either encrypt all +information on storage devices (i.e., full disk encryption) or encrypt specific +data structures (e.g., files, records, or fields). + +``` +New: +``` +RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). + + + +``` +--- +SV-230225: +Old: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DOD policy. 
Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + +``` +--- +SV-230226: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. 
+ + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + + The banner must be formatted in accordance with applicable DoD policy. Use +the following verbiage for operating systems that can accommodate banners of +1300 characters: + + "You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you +consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are +subject to routine monitoring, interception, and search, and may be disclosed +or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access +controls) to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to +PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
+ +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + +``` +--- +SV-230227: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. 
+ + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + + The banner must be formatted in accordance with applicable DoD policy. Use +the following verbiage for operating systems that can accommodate banners of +1300 characters: + + "You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you +consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are +subject to routine monitoring, interception, and search, and may be disclosed +or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access +controls) to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to +PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
+ +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + +``` +--- +SV-230229: +Old: +``` +Without path validation, an informed trust decision by the relying +party cannot be made when presented with any certificate not already explicitly +trusted. + + A trust anchor is an authoritative entity represented via a public key and +associated data. 
It is used in the context of public key infrastructures, X.509 +digital certificates, and DNSSEC. + + When there is a chain of trust, usually the top entity to be trusted +becomes the trust anchor; it can be, for example, a Certification Authority +(CA). A certification path starts with the subject certificate and proceeds +through a number of intermediate certificates up to a trusted root certificate, +typically issued by a trusted CA. + + This requirement verifies that a certification path to an accepted trust +anchor is used for certificate validation and that the path includes status +information. Path validation is necessary for a relying party to make an +informed trust decision when presented with any certificate not already +explicitly trusted. Status information for certification paths includes +certificate revocation lists or online certificate status protocol responses. +Validation of the certificate status information is out of scope for this +requirement. + +``` +New: +``` +Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. + +A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. + +This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. 
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. + + + +``` +--- +SV-230230: +Old: +``` +If an unauthorized user obtains access to a private key without a +passcode, that user would have unauthorized access to any system where the +associated public key has been installed. + +``` +New: +``` +If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed. + +``` +--- +SV-230231: +Old: +``` +Passwords need to be protected at all times, and encryption is the +standard method for protecting passwords. If passwords are not encrypted, they +can be plainly read (i.e., clear text) and easily compromised. + + Unapproved mechanisms that are used for authentication to the cryptographic +module are not verified and therefore cannot be relied upon to provide +confidentiality or integrity, and DoD data may be compromised. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD requirements. + +``` +New: +``` +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
+ +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. + +``` +--- +SV-230232: +Old: +``` +The system must use a strong hashing algorithm to store the password. + + Passwords need to be protected at all times, and encryption is the standard +method for protecting passwords. If passwords are not encrypted, they can be +plainly read (i.e., clear text) and easily compromised. + +``` +New: +``` +The system must use a strong hashing algorithm to store the password. + +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + +``` +--- +SV-230233: +Old: +``` +The system must use a strong hashing algorithm to store the password. +The system must use a sufficient number of hashing rounds to ensure the +required level of entropy. + + Passwords need to be protected at all times, and encryption is the standard +method for protecting passwords. If passwords are not encrypted, they can be +plainly read (i.e., clear text) and easily compromised. + +``` +New: +``` +The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. + +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + +``` +--- +SV-230234: +Old: +``` +If the system does not require valid authentication before it boots +into single-user or maintenance mode, anyone who invokes single-user or +maintenance mode is granted privileged access to all files on the system. 
GRUB +2 is the default boot loader for RHEL 8 and is designed to require a password +to boot into single-user mode or make modifications to the boot menu. + +``` +New: +``` +If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. + +``` +--- +SV-230235: +Old: +``` +If the system does not require valid authentication before it boots +into single-user or maintenance mode, anyone who invokes single-user or +maintenance mode is granted privileged access to all files on the system. GRUB +2 is the default boot loader for RHEL 8 and is designed to require a password +to boot into single-user mode or make modifications to the boot menu. + +``` +New: +``` +If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. + +``` +--- +SV-230236: +Old: +``` +If the system does not require valid root authentication before it +boots into emergency or rescue mode, anyone who invokes emergency or rescue +mode is granted privileged access to all files on the system. + +``` +New: +``` +If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. 
+ +``` +--- +SV-230237: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-230238: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + The key derivation function (KDF) in Kerberos is not FIPS compatible. +Ensuring the system does not have any keytab files present prevents system +daemons from using Kerberos for authentication. A keytab is a file containing +pairs of Kerberos principals and encrypted keys. 
+ + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +The key derivation function (KDF) in Kerberos is not FIPS compatible. Ensuring the system does not have any keytab files present prevents system daemons from using Kerberos for authentication. A keytab is a file containing pairs of Kerberos principals and encrypted keys. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-230239: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + Currently, Kerberos does not utilize FIPS 140-2 cryptography. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. 
+ +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +Currently, Kerberos does not utilize FIPS 140-2 cryptography. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-230240: +Old: +``` +Without verification of the security functions, security functions may +not operate correctly and the failure may go unnoticed. Security function is +defined as the hardware, software, and/or firmware of the information system +responsible for enforcing the system security policy and supporting the +isolation of code and data on which the protection is based. Security +functionality includes, but is not limited to, establishing system accounts, +configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + + This requirement applies to operating systems performing security function +verification/testing and/or systems and environments that require this +functionality. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + +``` +--- +SV-230241: +Old: +``` +Without verification of the security functions, security functions may +not operate correctly and the failure may go unnoticed. Security function is +defined as the hardware, software, and/or firmware of the information system +responsible for enforcing the system security policy and supporting the +isolation of code and data on which the protection is based. Security +functionality includes, but is not limited to, establishing system accounts, +configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + + Policycoreutils contains the policy core utilities that are required for +basic operation of an SELinux-enabled system. These utilities include +load_policy to load SELinux policies, setfile to label filesystems, newrole to +switch roles, and run_init to run /etc/init.d scripts in the proper context. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
+ +Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context. + +``` +--- +SV-230243: +Old: +``` +Preventing unauthorized information transfers mitigates the risk of +information, including encrypted representations of information, produced by +the actions of prior users/roles (or the actions of processes acting on behalf +of prior users/roles) from being available to any current users/roles (or +current processes) that obtain access to shared system resources (e.g., +registers, main memory, hard disks) after those resources have been released +back to information systems. The control of information in shared resources is +also commonly referred to as object reuse and residual information protection. + + This requirement generally applies to the design of an information +technology product, but it can also apply to the configuration of particular +information system components that are, or use, such products. This can be +verified by acceptance/validation processes in DoD or other government agencies. + + There may be shared resources with configurable protections (e.g., files in +storage) that may be assessed on specific information system components. + +``` +New: +``` +Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. + +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. + +``` +--- +SV-230244: +Old: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + + Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + + RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. 
The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +``` +New: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. 
+ + + +``` +--- +SV-230245: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230246: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. 
The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230247: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. 
+ +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230248: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230249: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. 
Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230250: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. 
Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230251: +Old: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
+ +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + + + +``` +--- +SV-230252: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. 
The SSH +configuration file has no effect on the ciphers, MACs, or algorithms unless +specifically defined in the /etc/sysconfig/sshd file. The employed algorithms +can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + + The system will attempt to use the first hash presented by the client that +matches the server list. Listing the values "strongest to weakest" is a +method to ensure the use of the strongest hash available to secure the SSH +connection. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + + + +``` +--- +SV-230253: +Old: +``` +The most important characteristic of a random number generator is its +randomness, namely its ability to deliver random numbers that are impossible to +predict. 
Entropy in computer security is associated with the unpredictability +of a source of randomness. The random source with high entropy tends to +achieve a uniform distribution of random values. Random number generators are +one of the most important building blocks of cryptosystems. + + The SSH implementation in RHEL8 uses the OPENSSL library, which does not +use high-entropy sources by default. By using the SSH_USE_STRONG_RNG +environment variable the OPENSSL random generator is reseeded from /dev/random. + This setting is not recommended on computers without the hardware random +generator because insufficient entropy causes the connection to be blocked +until enough entropy is available. + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available. + +``` +--- +SV-230254: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. 
+ + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The employed +algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config +file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + + + +``` +--- +SV-230255: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. 
+ + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The employed +algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config +file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + + + +``` +--- +SV-230256: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Transport Layer Security (TLS) encryption is a required security setting as +a number of known vulnerabilities have been reported against Secure Sockets +Layer (SSL) and earlier versions of TLS. Encryption of private information is +essential to ensuring data confidentiality. If private information is not +encrypted, it can be intercepted and easily read by an unauthorized party. 
SQL +Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all +non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 +specifies the preferred configurations for government systems. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + The GnuTLS library offers an API to access secure communications protocols. + SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto +policy defines employed algorithms in the +/etc/crypto-policies/back-ends/gnutls.config file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library. 
The RHEL 8 system-wide crypto policy defines employed algorithms in the /etc/crypto-policies/back-ends/gnutls.config file. + + + +``` +--- +SV-230257: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230258: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. 
Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230259: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. 
Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230260: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230261: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. 
Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230262: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230263: +Old: +``` +Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. + +RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. 
+ +``` +New: +``` +Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. + +RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. + + + +``` +--- +SV-230264: +Old: +``` +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the software +has not been tampered with and that it has been provided by a trusted vendor. 
+ + Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. + + Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This verifies the +software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The +operating system should not have to verify the software again. This requirement +does not mandate DoD certificates for this purpose; however, the certificate +used to verify the software must be from an approved CA. + +``` +New: +``` +Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + +``` +--- +SV-230265: +Old: +``` +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the software +has not been tampered with and that it has been provided by a trusted vendor. 
+ + Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. + + Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This verifies the +software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The +operating system should not have to verify the software again. This requirement +does not mandate DoD certificates for this purpose; however, the certificate +used to verify the software must be from an approved CA. + +``` +New: +``` +Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + +``` +--- +SV-230267: +Old: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). 
Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
+ +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + +``` +New: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. 
The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + + + +``` +--- +SV-230268: +Old: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. 
An example of DAC includes user-controlled file permissions. + + When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + + By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + + /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf + /etc/sysctl.conf + +``` +New: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + + + +``` +--- +SV-230271: +Old: +``` +Without reauthentication, users may access resources or perform tasks +for which they do not have authorization. + + When operating systems provide the capability to escalate a functional +capability, it is critical the user reauthenticate. + +``` +New: +``` +Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + + + +``` +--- +SV-230272: +Old: +``` +Without reauthentication, users may access resources or perform tasks +for which they do not have authorization. 
+ + When operating systems provide the capability to escalate a functional +capability, it is critical the user reauthenticate. + +``` +New: +``` +Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + + + +``` +--- +SV-230273: +Old: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) + or token that is separate from the information system, ensures that even if the + information system is compromised, credentials stored on the authentication + device will not be affected. + + Multifactor solutions that require devices separate from information + systems gaining access include, for example, hardware tokens providing + time-based or challenge-response authenticators and smart cards such as the + U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + + A privileged account is defined as an information system account with + authorizations of a privileged user. + + Remote access is access to DoD nonpublic information systems by an + authorized user (or an information system) communicating through an external, + non-organization-controlled network. Remote access methods include, for + example, dial-up, broadband, and wireless. + + This requirement only applies to components where this is specific to the + function of the device or has the concept of an organizational user (e.g., VPN, + proxy capability). This does not apply to authentication for the purpose of + configuring the device itself (management). + +``` +New: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. 
+ +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + +A privileged account is defined as an information system account with authorizations of a privileged user. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). + +``` +--- +SV-230274: +Old: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) + or token that is separate from the information system, ensures that even if the + information system is compromised, credentials stored on the authentication + device will not be affected. + + Multifactor solutions that require devices separate from information + systems gaining access include, for example, hardware tokens providing + time-based or challenge-response authenticators and smart cards such as the + U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + + RHEL 8 includes multiple options for configuring certificate status +checking, but for this requirement focuses on the System Security Services +Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol +(OCSP) checking and certificate verification using a sha256 digest function. 
+ +``` +New: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + +RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. + + + +``` +--- +SV-230275: +Old: +``` +The use of PIV credentials facilitates standardization and reduces the + risk of unauthorized access. + + The DoD has mandated the use of the Common Access Card (CAC) to support + identity management and personal authentication for systems covered under + Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a + primary component of layered protection for national security systems. + +``` +New: +``` +The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. + +The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. + +``` +--- +SV-230276: +Old: +``` +Some adversaries launch attacks with the intent of executing code in +non-executable regions of memory or in memory locations that are prohibited. 
+Security safeguards employed to protect memory include, for example, data +execution prevention and address space layout randomization. Data execution +prevention safeguards can be either hardware-enforced or software-enforced with +hardware providing the greater strength of mechanism. + + Examples of attacks are buffer overflow attacks. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Examples of attacks are buffer overflow attacks. + +``` +--- +SV-230277: +Old: +``` +Some adversaries launch attacks with the intent of executing code in +non-executable regions of memory or in memory locations that are prohibited. +Security safeguards employed to protect memory include, for example, data +execution prevention and address space layout randomization. Data execution +prevention safeguards can be either hardware-enforced or software-enforced with +hardware providing the greater strength of mechanism. + + Poisoning writes an arbitrary value to freed pages, so any modification or +reference to that page after being freed or before being initialized will be +detected and prevented. This prevents many types of use-after-free +vulnerabilities at little performance cost. Also prevents leak of data and +detection of corrupted memory. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. 
Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + + + +``` +--- +SV-230278: +Old: +``` +Syscalls are special routines in the Linux kernel, which userspace +applications ask to do privileged tasks. Invoking a system call is an +expensive operation because the processor must interrupt the currently +executing task and switch context to kernel mode and then back to userspace +after the system call completes. Virtual Syscalls map into user space a page +that contains some variables and the implementation of some system calls. This +allows the system calls to be executed in userspace to alleviate the context +switching expense. + + Virtual Syscalls provide an opportunity of attack for a user who has +control of the return instruction pointer. Disabling vsyscalls help to prevent +return oriented programming (ROP) attacks via buffer overflows and overruns. If +the system intends to run containers based on RHEL 6 components, then virtual +syscalls will need enabled so the components function properly. + +``` +New: +``` +Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. 
+ +Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly. + + + +``` +--- +SV-230279: +Old: +``` +Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + +SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. 
Also prevents leak of data and detection of corrupted memory. + +SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. + + + +``` +--- +SV-230281: +Old: +``` +Previous versions of software components that are not removed from the +information system after updates have been installed may be exploited by +adversaries. Some information technology products may remove older versions of +software automatically from the information system. + +``` +New: +``` +Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. + +``` +--- +SV-230282: +Old: +``` +Without verification of the security functions, security functions may +not operate correctly and the failure may go unnoticed. Security function is +defined as the hardware, software, and/or firmware of the information system +responsible for enforcing the system security policy and supporting the +isolation of code and data on which the protection is based. Security +functionality includes, but is not limited to, establishing system accounts, +configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + + This requirement applies to operating systems performing security function +verification/testing and/or systems and environments that require this +functionality. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + +``` +--- +SV-230283: +Old: +``` +The "shosts.equiv" files are used to configure host-based +authentication for the system via SSH. Host-based authentication is not +sufficient for preventing unauthorized access to the system, as it does not +require interactive identification and authentication of a connection request, +or for the use of two-factor authentication. + +``` +New: +``` +The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. + +``` +--- +SV-230284: +Old: +``` +The ".shosts" files are used to configure host-based authentication +for individual users or the system via SSH. Host-based authentication is not +sufficient for preventing unauthorized access to the system, as it does not +require interactive identification and authentication of a connection request, +or for the use of two-factor authentication. + +``` +New: +``` +The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. 
+ +``` +--- +SV-230285: +Old: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + +``` +--- +SV-230286: +Old: +``` +If a public host key file is modified by an unauthorized user, the SSH +service may be compromised. + +``` +New: +``` +If a public host key file is modified by an unauthorized user, the SSH service may be compromised. + +``` +--- +SV-230287: +Old: +``` +If an unauthorized user obtains the private SSH host key file, the +host could be impersonated. + +``` +New: +``` +If an unauthorized user obtains the private SSH host key file, the host could be impersonated. + +``` +--- +SV-230288: +Old: +``` +If other users have access to modify user-specific SSH configuration +files, they may be able to log on to the system as another user. 
+ +``` +New: +``` +If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user. + +``` +--- +SV-230290: +Old: +``` +Configuring this setting for the SSH daemon provides additional +assurance that remote logon via SSH will require a password, even in the event +of misconfiguration elsewhere. + +``` +New: +``` +Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. + +``` +--- +SV-230291: +Old: +``` +Configuring these settings for the SSH daemon provides additional +assurance that remote logon via SSH will not use unused methods of +authentication, even in the event of misconfiguration elsewhere. + +``` +New: +``` +Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. + +``` +--- +SV-230292: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230293: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230294: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. 
+ +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230295: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-230296: +Old: +``` +Even though the communications channel may be encrypted, an additional +layer of security is gained by extending the policy of not logging on directly +as root. In addition, logging on with a user-specific account provides +individual accountability of actions performed on the system. + +``` +New: +``` +Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system. + +``` +--- +SV-230298: +Old: +``` +Configuring RHEL 8 to implement organization-wide security +implementation guides and security checklists ensures compliance with federal +standards and establishes a common security baseline across the DoD that +reflects the most restrictive security posture consistent with operational +requirements. + + Configuration settings are the set of parameters that can be changed in +hardware, software, or firmware components of the system that affect the +security posture and/or functionality of the system. Security-related +parameters are those parameters impacting the security state of the system, +including the parameters required to satisfy other security control +requirements. 
Security-related parameters include, for example: registry +settings; account, file, directory permission settings; and settings for +functions, ports, protocols, services, and remote connections. + +``` +New: +``` +Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + +``` +--- +SV-230299: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
+ +``` +--- +SV-230300: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230301: +Old: +``` +The "nodev" mount option causes the system to not interpret +character or block special devices. Executing character or block special +devices from untrusted file systems increases the opportunity for unprivileged +users to attain unauthorized administrative access. The only legitimate +location for device files is the /dev directory located on the root partition. + +``` +New: +``` +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition. + +``` +--- +SV-230302: +Old: +``` +The "noexec" mount option causes the system not to execute binary +files. This option must be used for mounting any file system not containing +approved binary files, as they may be incompatible. Executing files from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. 
+ +``` +New: +``` +The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230303: +Old: +``` +The "nodev" mount option causes the system not to interpret +character or block special devices. Executing character or block special +devices from untrusted file systems increases the opportunity for unprivileged +users to attain unauthorized administrative access. + +``` +New: +``` +The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230304: +Old: +``` +The "noexec" mount option causes the system not to execute binary +files. This option must be used for mounting any file system not containing +approved binary files, as they may be incompatible. Executing files from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + +``` +New: +``` +The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230305: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. 
Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230306: +Old: +``` +The "noexec" mount option causes the system not to execute binary +files. This option must be used for mounting any file system not containing +approved binary as they may be incompatible. Executing files from untrusted +file systems increases the opportunity for unprivileged users to attain +unauthorized administrative access. + +``` +New: +``` +The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230307: +Old: +``` +The "nodev" mount option causes the system to not interpret +character or block special devices. Executing character or block special +devices from untrusted file systems increases the opportunity for unprivileged +users to attain unauthorized administrative access. + +``` +New: +``` +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230308: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. 
This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230309: +Old: +``` +If user start-up files execute world-writable programs, especially in +unprotected directories, they could be maliciously modified to destroy user +files or otherwise compromise the system at the user level. If the system is +compromised at the user level, it is easier to elevate privileges to eventually +compromise the system at the root and network level. + +``` +New: +``` +If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. + +``` +--- +SV-230310: +Old: +``` +Kernel core dumps may contain the full contents of system memory at +the time of the crash. Kernel core dumps may consume a considerable amount of +disk space and may result in denial of service by exhausting the available +space on the target file system partition. + + RHEL 8 installation media presents the option to enable or disable the +kdump service at the time of system installation. + +``` +New: +``` +Kernel core dumps may contain the full contents of system memory at the time of the crash. 
Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. + +RHEL 8 installation media presents the option to enable or disable the kdump service at the time of system installation. + +``` +--- +SV-230312: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + + When the kernel invokes systemd-coredumpt to handle a core dump, it runs in +privileged mode, and will connect to the socket created by the +systemd-coredump.socket unit. This, in turn, will spawn an unprivileged +systemd-coredump@.service instance to process the core dump. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump. 
+ +``` +--- +SV-230313: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +``` +--- +SV-230314: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +``` +--- +SV-230315: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is +generally useful only for developers trying to debug problems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +``` +--- +SV-230316: +Old: +``` +To provide availability for name resolution services, multiple +redundant name servers are mandated. A failure in name resolution could lead to +the failure of security functions requiring name resolution, which may include +time synchronization, centralized authentication, and remote system logging. + +``` +New: +``` +To provide availability for name resolution services, multiple redundant name servers are mandated. 
A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. + +``` +--- +SV-230317: +Old: +``` +The executable search path (typically the PATH environment variable) +contains a list of directories for the shell to search to find executables. If +this path includes the current working directory (other than the user's home +directory), executables in these directories may be executed instead of system +commands. This variable is formatted as a colon-separated list of directories. +If there is an empty entry, such as a leading or trailing colon or two +consecutive colons, this is interpreted as the current working directory. If +deviations from the default system search path for the local interactive user +are required, they must be documented with the Information System Security +Officer (ISSO). + +``` +New: +``` +The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). + +``` +--- +SV-230318: +Old: +``` +If a world-writable directory is not owned by root, sys, bin, or an +application User Identifier (UID), unauthorized users may be able to modify +files created by others. 
+ + The only authorized public directories are those temporary directories +supplied with the system or those designed to be temporary file repositories. +The setting is normally reserved for directories used by the system and by +users for temporary file storage, (e.g., /tmp), and for directories requiring +global read/write access. + +``` +New: +``` +If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. + +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. + +``` +--- +SV-230319: +Old: +``` +If a world-writable directory is not group-owned by root, sys, bin, or +an application Group Identifier (GID), unauthorized users may be able to modify +files created by others. + + The only authorized public directories are those temporary directories +supplied with the system or those designed to be temporary file repositories. +The setting is normally reserved for directories used by the system and by +users for temporary file storage, (e.g., /tmp), and for directories requiring +global read/write access. + +``` +New: +``` +If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. + +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. 
+ +``` +--- +SV-230320: +Old: +``` +If local interactive users are not assigned a valid home directory, +there is no place for the storage and control of files they should own. + +``` +New: +``` +If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. + +``` +--- +SV-230321: +Old: +``` +Excessive permissions on local interactive user home directories may +allow unauthorized access to user files by other users. + +``` +New: +``` +Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. + +``` +--- +SV-230322: +Old: +``` +If the Group Identifier (GID) of a local interactive user’s home +directory is not the same as the primary GID of the user, this would allow +unauthorized access to the user’s files, and users that share the same group +may not be able to access files that they legitimately should. + +``` +New: +``` +If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should. + +``` +--- +SV-230323: +Old: +``` +If a local interactive user has a home directory defined that does not +exist, the user may be given access to the "/" directory as the current +working directory upon logon. This could create a denial of service because the +user would not be able to access their logon configuration files, and it may +give them visibility to system files they normally would not be able to access. + +``` +New: +``` +If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon. 
This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
+
+```
+---
+SV-230324:
+Old:
+```
+If local interactive users are not assigned a valid home directory,
+there is no place for the storage and control of files they should own.
+
+```
+New:
+```
+If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
+
+```
+---
+SV-230325:
+Old:
+```
+Local initialization files are used to configure the user's shell
+environment upon logon. Malicious modification of these files could compromise
+accounts upon logon.
+
+```
+New:
+```
+Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
+
+```
+---
+SV-230326:
+Old:
+```
+Unowned files and directories may be unintentionally inherited if a
+user is assigned the same User Identifier "UID" as the UID of the un-owned
+files.
+
+```
+New:
+```
+Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.
+
+```
+---
+SV-230327:
+Old:
+```
+Files without a valid group owner may be unintentionally inherited if
+a group is assigned the same Group Identifier (GID) as the GID of the files
+without a valid group owner.
+
+```
+New:
+```
+Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.
+
+```
+---
+SV-230328:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230329:
+Old:
+```
+Failure to restrict system access to authenticated users negatively
+impacts operating system security.
+
+```
+New:
+```
+Failure to restrict system access to authenticated users negatively impacts operating system security.
+
+```
+---
+SV-230330:
+Old:
+```
+SSH environment options potentially allow users to bypass access
+restriction in some configurations.
+
+```
+New:
+```
+SSH environment options potentially allow users to bypass access restriction in some configurations.
+
+```
+---
+SV-230331:
+Old:
+```
+If temporary user accounts remain active when no longer needed or for
+an excessive period, these accounts may be used to gain unauthorized access. To
+mitigate this risk, automated termination of all temporary accounts must be set
+upon account creation.
+
+ Temporary accounts are established as part of normal account activation
+procedures when there is a need for short-term accounts without the demand for
+immediacy in account activation.
+
+ If temporary accounts are used, RHEL 8 must be configured to automatically
+terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+ To address access requirements, many RHEL 8 operating systems may be
+integrated with enterprise-level authentication/access mechanisms that meet or
+exceed access control policy requirements.
+
+```
+New:
+```
+If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
+
+Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
+
+If temporary accounts are used, RHEL 8 must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+To address access requirements, many RHEL 8 operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
+
+```
+---
+SV-230332:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230333:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230334:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230335:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230336:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230337:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. 
If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230338:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230339:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) 
users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230340:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230341:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230342:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+
+
+```
+---
+SV-230343:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230344:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+
+
+```
+---
+SV-230345:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230346:
+Old:
+```
+Operating system management includes the ability to control the number
+of users and user sessions that utilize an operating system. Limiting the
+number of allowed users and sessions per user is helpful in reducing the risks
+related to DoS attacks.
+
+ This requirement addresses concurrent sessions for information system
+accounts and does not address concurrent sessions by single users via multiple
+system accounts. The maximum number of concurrent sessions should be defined
+based on mission needs and the operational environment for each system.
+
+```
+New:
+```
+Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
+
+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.
+
+```
+---
+SV-230347:
+Old:
+```
+A session lock is a temporary action taken when a user stops work and
+moves away from the immediate physical vicinity of the information system but
+does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be
+determined.
+
+ Regardless of where the session lock is determined and implemented, once
+invoked, the session lock must remain in place until the user reauthenticates.
+No other activity aside from reauthentication must unlock the system.
+
+```
+New:
+```
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined.
+
+Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.
+
+
+
+```
+---
+SV-230351:
+Old:
+```
+A session lock is a temporary action taken when a user stops work and
+ moves away from the immediate physical vicinity of the information system but
+ does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be
+ determined. Rather than be forced to wait for a period of time to expire before
+ the user session can be locked, RHEL 8 needs to provide users with the ability
+ to manually invoke a session lock so users can secure their session if it is
+ necessary to temporarily vacate the immediate physical vicinity.
+
+```
+New:
+```
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined. 
Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
+
+
+
+```
+---
+SV-230352:
+Old:
+```
+A session lock is a temporary action taken when a user stops work and
+moves away from the immediate physical vicinity of the information system but
+does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be
+determined. Rather than be forced to wait for a period of time to expire before
+the user session can be locked, RHEL 8 needs to provide users with the ability
+to manually invoke a session lock so users can secure their session if it is
+necessary to temporarily vacate the immediate physical vicinity.
+
+```
+New:
+```
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
+
+
+
+```
+---
+SV-230354:
+Old:
+```
+A session time-out lock is a temporary action taken when a user stops
+work and moves away from the immediate physical vicinity of the information
+system but does not log out because of the temporary nature of the absence.
+Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + + Implementing session settings will have little value if a user is able to +manipulate these settings from the defaults prescribed in the other +requirements of this implementation guide. + + Locking these settings from non-privileged users is crucial to maintaining +a protected baseline. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Locking these settings from non-privileged users is crucial to maintaining a protected baseline. + + + +``` +--- +SV-230355: +Old: +``` +Without mapping the certificate used to authenticate to the user +account, the ability to determine the identity of the individual user or group +will not be available for forensic analysis. + + There are various methods of mapping certificates to user/group accounts +for RHEL 8. For the purposes of this requirement, the check and fix will +account for Active Directory mapping. 
Some of the other possible methods +include joining the system to a domain and utilizing a Red Hat idM server, or a +local system mapping, where the system is not part of a domain. + +``` +New: +``` +Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. + +There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain. + +``` +--- +SV-230357: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. +Note that in order to require uppercase characters, without degrading the +"minlen" value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230358: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. +Note that in order to require lower-case characters without degrading the +"minlen" value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". 
+ +``` +--- +SV-230359: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. Note that in order to require numeric characters, without degrading +the minlen value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230360: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. 
The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "maxclassrepeat" option sets the maximum number of allowed +same consecutive characters in the same class in the new password. + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. + +``` +--- +SV-230361: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "maxrepeat" option sets the maximum number of allowed same +consecutive characters in a new password. + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. + +``` +--- +SV-230362: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "minclass" option sets the minimum number of required classes +of characters for the new password (digits, uppercase, lowercase, others). + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. 
The "minclass" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others). + +``` +--- +SV-230363: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. The "difok" option sets the number of characters in a password +that must not be present in the old password. + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "difok" option sets the number of characters in a password that must not be present in the old password. + +``` +--- +SV-230364: +Old: +``` +Enforcing a minimum password lifetime helps to prevent repeated +password changes to defeat the password reuse or history enforcement +requirement. If users are allowed to immediately and continually change their +password, the password could be repeatedly changed in a short period of time to +defeat the organization's policy regarding password reuse. 
+ +``` +New: +``` +Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. + +``` +--- +SV-230365: +Old: +``` +Enforcing a minimum password lifetime helps to prevent repeated +password changes to defeat the password reuse or history enforcement +requirement. If users are allowed to immediately and continually change their +password, the password could be repeatedly changed in a short period of time to +defeat the organization's policy regarding password reuse. + +``` +New: +``` +Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. + +``` +--- +SV-230366: +Old: +``` +Any password, no matter how complex, can eventually be cracked. +Therefore, passwords need to be changed periodically. If RHEL 8 does not limit +the lifetime of passwords and force users to change their passwords, there is +the risk that RHEL 8 passwords could be compromised. + +``` +New: +``` +Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. + +``` +--- +SV-230367: +Old: +``` +Any password, no matter how complex, can eventually be cracked. +Therefore, passwords need to be changed periodically. 
If RHEL 8 does not limit +the lifetime of passwords and force users to change their passwords, there is +the risk that RHEL 8 passwords could be compromised. + +``` +New: +``` +Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. + +``` +--- +SV-230369: +Old: +``` +The shorter the password, the lower the number of possible +combinations that need to be tested before the password is compromised. + + Password complexity, or strength, is a measure of the effectiveness of a +password in resisting attempts at guessing and brute-force attacks. Password +length is one factor of several that helps to determine strength and how long +it takes to crack a password. Use of more characters in a password helps to +increase exponentially the time and/or resources required to compromise the +password. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. Configurations are set in the "etc/security/pwquality.conf" file. + + The "minlen", sometimes noted as minimum length, acts as a "score" of +complexity based on the credit components of the "pwquality" module. By +setting the credit components to a negative value, not only will those +components be required, they will not count towards the total "score" of +"minlen". This will enable "minlen" to require a 15-character minimum. + + The DoD minimum password requirement is 15 characters. + +``` +New: +``` +The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. + +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. + +The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. + +The DoD minimum password requirement is 15 characters. + +``` +--- +SV-230370: +Old: +``` +The shorter the password, the lower the number of possible +combinations that need to be tested before the password is compromised. + + Password complexity, or strength, is a measure of the effectiveness of a +password in resisting attempts at guessing and brute-force attacks. Password +length is one factor of several that helps to determine strength and how long +it takes to crack a password. Use of more characters in a password helps to +increase exponentially the time and/or resources required to compromise the +password. + + The DoD minimum password requirement is 15 characters. + +``` +New: +``` +The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. + +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. + +The DoD minimum password requirement is 15 characters. 
+ +``` +--- +SV-230371: +Old: +``` +To ensure accountability and prevent unauthenticated access, +interactive users must be identified and authenticated to prevent potential +misuse and compromise of the system. + + Interactive users include organizational employees or individuals the +organization deems to have equivalent status of employees (e.g., contractors). +Interactive users (and processes acting on behalf of users) must be uniquely +identified and authenticated to all accesses, except for the following: + + 1) Accesses explicitly identified and documented by the organization. +Organizations document specific user actions that can be performed on the +information system without identification or authentication; and + + 2) Accesses that occur through authorized use of group authenticators +without individual authentication. Organizations may require unique +identification of individuals in group accounts (e.g., shared privilege +accounts) or for detailed accountability of individual activity. + +``` +New: +``` +To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. + +Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: + +1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and + +2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. 
+ + + +``` +--- +SV-230372: +Old: +``` +Using an authentication device, such as a Common Access Card (CAC) or +token that is separate from the information system, ensures that even if the +information system is compromised, that compromise will not affect credentials +stored on the authentication device. + + Multifactor solutions that require devices separate from information +systems gaining access include, for example, hardware tokens providing +time-based or challenge-response authenticators and smart cards such as the +U.S. Government Personal Identity Verification card and the DoD CAC. + + There are various methods of implementing multifactor authentication for +RHEL 8. Some methods include a local system multifactor account mapping or +joining the system to a domain and utilizing a Red Hat idM server or Microsoft +Windows Active Directory server. Any of these methods will require that the +client operating system handle the multifactor authentication correctly. + +``` +New: +``` +Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD CAC. + +There are various methods of implementing multifactor authentication for RHEL 8. Some methods include a local system multifactor account mapping or joining the system to a domain and utilizing a Red Hat idM server or Microsoft Windows Active Directory server. Any of these methods will require that the client operating system handle the multifactor authentication correctly. 
+ + + +``` +--- +SV-230373: +Old: +``` +Inactive identifiers pose a risk to systems and applications because + attackers may exploit an inactive identifier and potentially obtain undetected + access to the system. Owners of inactive accounts will not notice if + unauthorized access to their user account has been obtained. + + RHEL 8 needs to track periods of inactivity and disable application + identifiers after 35 days of inactivity. + +``` +New: +``` +Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. + +RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity. + +``` +--- +SV-230374: +Old: +``` +Temporary accounts are privileged or nonprivileged accounts that are + established during pressing circumstances, such as new software or hardware + configuration or an incident response, where the need for prompt account + activation requires bypassing normal account authorization procedures. + + If any inactive temporary accounts are left enabled on the system and are + not either manually removed or automatically expired within 72 hours, the + security posture of the system will be degraded and exposed to exploitation + by unauthorized users or insider threat actors. + + Temporary accounts are different from emergency accounts. Emergency accounts, + also known as "last resort" or "break glass" accounts, are local logon accounts + enabled on the system for emergency use by authorized system administrators + to manage a system when standard logon methods are failing or not available. + + Emergency accounts are not subject to manual removal or scheduled expiration + requirements. 
+ + The automatic expiration of temporary accounts may be extended as needed by + the circumstances but it must not be extended indefinitely. A documented + permanent account should be established for privileged users who need long-term + maintenance accounts. + +``` +New: +``` +Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. + +Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. + +The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts. + +``` +--- +SV-230375: +Old: +``` +Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, is a +measure of the effectiveness of a password in resisting attempts at guessing +and brute-force attacks. + + Password complexity is one factor of several that determines how long it +takes to crack a password. 
The more complex the password, the greater the +number of possible combinations that need to be tested before the password is +compromised. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password +complexity. Note that to require special characters without degrading the +"minlen" value, the credit value must be expressed as a negative number in +"/etc/security/pwquality.conf". + +``` +New: +``` +Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + +``` +--- +SV-230376: +Old: +``` +If cached authentication information is out-of-date, the validity of +the authentication information may be questionable. + +RHEL 8 includes multiple options for configuring authentication, but this +requirement will be focus on the System Security Services Daemon (SSSD). By +default sssd does not cache credentials. + +``` +New: +``` +If cached authentication information is out-of-date, the validity of the authentication information may be questionable. + +RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials. 
+
+```
+---
+SV-230377:
+Old:
+```
+If RHEL 8 allows the user to select passwords based on dictionary
+words, this increases the chances of password compromise by increasing the
+opportunity for successful guesses, and brute-force attacks.
+
+```
+New:
+```
+If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.
+
+```
+---
+SV-230378:
+Old:
+```
+Configuring the operating system to implement organization-wide
+security implementation guides and security checklists verifies compliance with
+federal standards and establishes a common security baseline across the DoD
+that reflects the most restrictive security posture consistent with operational
+requirements.
+
+ Configuration settings are the set of parameters that can be changed in
+hardware, software, or firmware components of the system that affect the
+security posture and/or functionality of the system. Security-related
+parameters are those parameters impacting the security state of the system,
+including the parameters required to satisfy other security control
+requirements. Security-related parameters include, for example, registry
+settings; account, file, and directory permission settings; and settings for
+functions, ports, protocols, services, and remote connections.
+
+```
+New:
+```
+Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
+
+Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
+
+```
+---
+SV-230379:
+Old:
+```
+Accounts providing no operational purpose provide additional
+opportunities for system compromise. Unnecessary accounts include user accounts
+for individuals not requiring access to the system and application accounts for
+applications not installed on the system.
+
+```
+New:
+```
+Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
+
+```
+---
+SV-230380:
+Old:
+```
+If an account has an empty password, anyone could log on and run
+commands with the privileges of that account. Accounts with empty passwords
+should never be used in operational environments.
+
+```
+New:
+```
+If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
+
+```
+---
+SV-230381:
+Old:
+```
+Providing users with feedback on when account accesses last occurred
+facilitates user recognition and reporting of unauthorized account use.
+
+```
+New:
+```
+Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
+
+```
+---
+SV-230382:
+Old:
+```
+Providing users with feedback on when account accesses via SSH last
+occurred facilitates user recognition and reporting of unauthorized account
+use.
+
+```
+New:
+```
+Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.
+
+```
+---
+SV-230383:
+Old:
+```
+Setting the most restrictive default permissions ensures that when new
+accounts are created, they do not have unnecessary access.
+
+```
+New:
+```
+Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
+
+```
+---
+SV-230384:
+Old:
+```
+The umask controls the default access mode assigned to newly created
+files. A umask of 077 limits new files to mode 600 or less permissive. Although
+umask can be represented as a four-digit number, the first digit representing
+special access modes is typically ignored or required to be "0". This
+requirement applies to the globally configured system defaults and the local
+interactive user defaults for each account on the system.
+
+```
+New:
+```
+The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.
+
+```
+---
+SV-230385:
+Old:
+```
+The umask controls the default access mode assigned to newly created
+files. A umask of 077 limits new files to mode 600 or less permissive. Although
+umask can be represented as a four-digit number, the first digit representing
+special access modes is typically ignored or required to be "0". This
+requirement applies to the globally configured system defaults and the local
+interactive user defaults for each account on the system.
+
+```
+New:
+```
+The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.
+
+```
+---
+SV-230386:
+Old:
+```
+Misuse of privileged functions, either intentionally or
+unintentionally by authorized users, or by unauthorized external entities that
+have compromised information system accounts, is a serious and ongoing concern
+and can have significant adverse impacts on organizations. Auditing the use of
+privileged functions is one way to detect such misuse and identify the risk
+from insider threats and the advanced persistent threat.
+
+```
+New:
+```
+Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
+
+
+
+```
+---
+SV-230387:
+Old:
+```
+Cron logging can be used to trace the successful or unsuccessful
+execution of cron jobs. It can also be used to spot intrusions into the use of
+the cron facility by unauthorized and malicious users.
+
+```
+New:
+```
+Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
+
+```
+---
+SV-230388:
+Old:
+```
+It is critical for the appropriate personnel to be aware if a system
+is at risk of failing to process audit logs as required. Without this
+notification, the security personnel may be unaware of an impending failure of
+the audit capability, and system operation may be adversely affected.
+
+ Audit processing failures include software/hardware errors, failures in the
+audit capturing mechanisms, and audit storage capacity being reached or
+exceeded.
+
+ This requirement applies to each audit data storage repository (i.e.,
+distinct information system component where audit records are stored), the
+centralized audit storage capacity of organizations (i.e., all audit data
+storage repositories combined), or both.
+
+```
+New:
+```
+It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+
+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
+
+```
+---
+SV-230389:
+Old:
+```
+It is critical for the appropriate personnel to be aware if a system
+is at risk of failing to process audit logs as required. Without this
+notification, the security personnel may be unaware of an impending failure of
+the audit capability, and system operation may be adversely affected.
+
+ Audit processing failures include software/hardware errors, failures in the
+audit capturing mechanisms, and audit storage capacity being reached or
+exceeded.
+
+ This requirement applies to each audit data storage repository (i.e.,
+distinct information system component where audit records are stored), the
+centralized audit storage capacity of organizations (i.e., all audit data
+storage repositories combined), or both.
+
+```
+New:
+```
+It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+
+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
+
+```
+---
+SV-230390:
+Old:
+```
+It is critical for the appropriate personnel to be aware if a system
+is at risk of failing to process audit logs as required. Without this
+notification, the security personnel may be unaware of an impending failure of
+the audit capability, and system operation may be adversely affected.
+
+ Audit processing failures include software/hardware errors, failures in the
+audit capturing mechanisms, and audit storage capacity being reached or
+exceeded.
+
+ This requirement applies to each audit data storage repository (i.e.,
+distinct information system component where audit records are stored), the
+centralized audit storage capacity of organizations (i.e., all audit data
+storage repositories combined), or both.
+
+```
+New:
+```
+It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+
+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
+
+```
+---
+SV-230392:
+Old:
+```
+It is critical that when RHEL 8 is at risk of failing to process audit
+logs as required, it takes action to mitigate the failure. Audit processing
+failures include software/hardware errors; failures in the audit capturing
+mechanisms; and audit storage capacity being reached or exceeded. Responses to
+audit failure depend upon the nature of the failure mode.
+
+ When availability is an overriding concern, other approved actions in
+response to an audit failure are as follows:
+
+ 1) If the failure was caused by the lack of audit record storage capacity,
+RHEL 8 must continue generating audit records if possible (automatically
+restarting the audit service if necessary) and overwriting the oldest audit
+records in a first-in-first-out manner.
+
+ 2) If audit records are sent to a centralized collection server and
+communication with this server is lost or the server fails, RHEL 8 must queue
+audit records locally until communication is restored or until the audit
+records are retrieved manually. Upon restoration of the connection to the
+centralized collection server, action should be taken to synchronize the local
+audit data with the collection server.
+
+```
+New:
+```
+It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.
+
+When availability is an overriding concern, other approved actions in response to an audit failure are as follows:
+
+1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.
+
+2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
+
+```
+---
+SV-230393:
+Old:
+```
+Without establishing what type of events occurred, the source of
+events, where events occurred, and the outcome of events, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or
+attack.
+
+ Audit record content that may be necessary to satisfy this requirement
+includes, for example, time stamps, source and destination addresses,
+user/process identifiers, event descriptions, success/fail indications,
+filenames involved, and access control or flow control rules invoked.
+
+```
+New:
+```
+Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+```
+---
+SV-230394:
+Old:
+```
+Without establishing what type of events occurred, the source of
+events, where events occurred, and the outcome of events, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or
+attack.
+
+ Audit record content that may be necessary to satisfy this requirement
+includes, for example, time stamps, source and destination addresses,
+user/process identifiers, event descriptions, success/fail indications,
+filenames involved, and access control or flow control rules invoked.
+
+ Enriched logging is needed to determine who, what, and when events occur on
+a system. Without this, determining root cause of an event will be much more
+difficult.
+
+ When audit logs are not labeled before they are sent to a central log
+server, the audit data will not be able to be analyzed and tied back to the
+correct system.
+
+```
+New:
+```
+Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.
+
+When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.
+
+```
+---
+SV-230395:
+Old:
+```
+Without establishing what type of events occurred, the source of
+events, where events occurred, and the outcome of events, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or
+attack.
+
+ Audit record content that may be necessary to satisfy this requirement
+includes, for example, time stamps, source and destination addresses,
+user/process identifiers, event descriptions, success/fail indications,
+filenames involved, and access control or flow control rules invoked.
+
+ Enriched logging aids in making sense of who, what, and when events occur
+on a system. Without this, determining root cause of an event will be much
+more difficult.
+
+```
+New:
+```
+Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.
+
+```
+---
+SV-230396:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+
+
+```
+---
+SV-230397:
+Old:
+```
+Only authorized personnel should be aware of errors and the details of
+the errors. Error messages are an indicator of an organization's operational
+state or can identify the RHEL 8 system or platform. Additionally, Personally
+Identifiable Information (PII) and operational information must not be revealed
+through error messages to unauthorized personnel or their designated
+representatives.
+
+ The structure and content of error messages must be carefully considered by
+the organization and development team. The extent to which the information
+system is able to identify and handle error conditions is guided by
+organizational policy and operational requirements.
+
+```
+New:
+```
+Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+
+
+
+```
+---
+SV-230398:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+
+
+```
+---
+SV-230399:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+
+
+```
+---
+SV-230400:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.
+
+
+
+```
+---
+SV-230401:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+
+
+```
+---
+SV-230402:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+ In immutable mode, unauthorized users cannot execute changes to the audit
+system to potentially hide malicious activity and then put the audit rules
+back. A system reboot would be noticeable and a system administrator could
+then investigate the unauthorized changes.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.
+
+
+
+```
+---
+SV-230403:
+Old:
+```
+Unauthorized disclosure of audit records can reveal system and
+configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit
+settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+ In immutable mode, unauthorized users cannot execute changes to the audit
+system to potentially hide malicious activity and then put the audit rules
+back. A system reboot would be noticeable and a system administrator could
+then investigate the unauthorized changes.
+
+```
+New:
+```
+Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.
+
+In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.
+
+
+
+```
+---
+SV-230404:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230405:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230406:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230407:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230408:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230409:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230410:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+
+
+```
+---
+SV-230411:
+Old:
+```
+Without establishing what type of events occurred, the source of
+events, where events occurred, and the outcome of events, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or
+attack.
+
+ Audit record content that may be necessary to satisfy this requirement
+includes, for example, time stamps, source and destination addresses,
+user/process identifiers, event descriptions, success/fail indications,
+filenames involved, and access control or flow control rules invoked.
+
+ Associating event types with detected events in RHEL 8 audit logs provides
+a means of investigating an attack, recognizing resource utilization or
+capacity thresholds, or identifying an improperly configured RHEL 8 system.
+
+```
+New:
+```
+Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.
+
+
+
+```
+---
+SV-230412:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "su" command allows a
+user to run commands with a substitute user and group ID.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "su" command allows a user to run commands with a substitute user and group ID.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230413:
+Old:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+"Setxattr" is a system call used to set an extended attribute value.
+"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.
+"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.
+"Removexattr" is a system call that removes extended attributes.
+"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.
+"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+"Setxattr" is a system call used to set an extended attribute value.
+"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.
+"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.
+"Removexattr" is a system call that removes extended attributes.
+"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.
+"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+
+
+```
+---
+SV-230418:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "chage" command is
+used to change or view user password expiry information.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230419: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chcon" command is +used to change file SELinux security context. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chcon" command is used to change file SELinux security context. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230421: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "ssh-agent" is a +program to hold private keys used for public key authentication. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230422: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. 
+ + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "passwd" command is +used to change passwords for user accounts. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "passwd" command is used to change passwords for user accounts. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230423: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "mount" command is +used to mount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". 
The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230424: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "umount" command is +used to unmount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "umount" command is used to unmount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230425: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "mount" syscall is +used to mount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". 
The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230426: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +"Unix_update" is a helper program for the "pam_unix" module that updates +the password for a given user. It is not intended to be run directly from the +command line and logs a security violation if done so. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. "Unix_update" is a helper program for the "pam_unix" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230427: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "postdrop" command creates a file in the maildrop directory and copies +its standard input to the file. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postdrop" command creates a file in the maildrop directory and copies its standard input to the file. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230428: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. 
The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "postqueue" command implements the Postfix user interface for queue +management. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postqueue" command implements the Postfix user interface for queue management. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230429: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "semanage" command is used to configure certain elements of SELinux +policy without requiring modification to or recompilation from policy sources. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. 
Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230430: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "setfiles" command is primarily used to initialize the security context +fields (extended attributes) on one or more filesystems (or parts of them). +Usually it is initially run as part of the SELinux installation process (a step +commonly known as labeling). + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". 
The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling). + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230431: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "userhelper" command is not intended to be run interactively. +"Userhelper" provides a basic interface to change a user's password, gecos +information, and shell. The main difference between this program and its +traditional equivalents (passwd, chfn, chsh) is that prompts are written to +standard out to make it easy for a graphical user interface wrapper to +interface to it as a child process. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". 
The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "userhelper" command is not intended to be run interactively. "Userhelper" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230432: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "setsebool" command sets the current state of a particular SELinux +boolean or a list of booleans to a given value. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". 
The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux boolean or a list of booleans to a given value. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230433: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "unix_chkpwd" command is a helper program for the pam_unix module that +verifies the password of the current user. It also checks password and account +expiration dates in shadow. It is not intended to be run directly from the +command line and logs a security violation if done so. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. 
+ +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "unix_chkpwd" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230434: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "ssh-keysign" program +is an SSH helper program for host-based authentication. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. 
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230435:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "setfacl" command is
+used to set file access control lists.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "setfacl" command is used to set file access control lists.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230436:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "pam_timestamp_check"
+command is used to check if the default timestamp is valid.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "pam_timestamp_check" command is used to check if the default timestamp is valid.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230437:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "newgrp" command is
+used to change the current group ID during a login session.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "newgrp" command is used to change the current group ID during a login session.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230438:
+Old:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+
+
+```
+---
+SV-230439:
+Old:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.
+
+The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.
+The "rmdir" system call removes empty directories.
+The "renameat" system call renames a file, moving it between directories if required.
+The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.
+
+The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.
+The "rmdir" system call removes empty directories.
+The "renameat" system call renames a file, moving it between directories if required.
+The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+
+
+```
+---
+SV-230444:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "gpasswd" command is
+used to administer /etc/group and /etc/gshadow. Every group can have
+administrators, members and a password.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230446:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "delete_module"
+command is used to unload a kernel module.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230447:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "crontab" command is
+used to maintain crontab files for individual users. Crontab is the program
+used to install, remove, or list the tables used to drive the cron daemon. This
+is similar to the task scheduler used in other operating systems.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "crontab" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230448:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "chsh" command is
+used to change the login shell.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chsh" command is used to change the login shell.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230449:
+Old:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
+
+The "creat" system call is used to open and possibly create a file or device.
+The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
+The "openat" system call opens a file specified by a relative pathname.
+The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
+
+The "creat" system call is used to open and possibly create a file or device.
+The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
+The "openat" system call opens a file specified by a relative pathname.
+The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+
+
+```
+---
+SV-230455:
+Old:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group.
+
+The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor.
+The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor.
+The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group.
+
+The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor.
+The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor.
+The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+
+
+```
+---
+SV-230456:
+Old:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.
+
+The "fchmod" system call is used to change permissions of a file.
+The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.
+
+The "fchmod" system call is used to change permissions of a file.
+The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
+
+
+
+```
+---
+SV-230462:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "sudo" command allows
+a permitted user to execute a command as the superuser or another user, as
+specified by the security policy.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230463:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "usermod" command
+modifies the system account files to reflect the changes that are specified on
+the command line.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "usermod" command modifies the system account files to reflect the changes that are specified on the command line.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230464:
+Old:
+```
+Without generating audit records that are specific to the security and
+mission needs of the organization, it would be difficult to establish,
+correlate, and investigate the events relating to an incident or identify those
+responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "chacl" command is
+used to change the access control list of a file or directory.
+
+ When a user logs on, the AUID is set to the UID of the account that is
+being authenticated. Daemons are not user sessions and have the loginuid set to
+"-1". The AUID representation is an unsigned 32-bit integer, which equals
+"4294967295". The audit system interprets "-1", "4294967295", and
+"unset" in the same way.
+
+```
+New:
+```
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory.
+
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
+
+
+
+```
+---
+SV-230465:
+Old:
+```
+Without the capability to generate audit records, it would be
+difficult to establish, correlate, and investigate the events relating to an
+incident or identify those responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter). The "kmod" command is
+used to control Linux Kernel modules.
+
+ The list of audited events is the set of events for which audits are to be
+generated. This set of events is typically a subset of the list of all events
+for which the system is capable of generating audit records.
+
+ DoD has defined the list of events for which RHEL 8 will provide an audit
+record generation capability as the following:
+
+ 1) Successful and unsuccessful attempts to access, modify, or delete
+privileges, security objects, security levels, or categories of information
+(e.g., classification levels);
+
+ 2) Access actions, such as successful and unsuccessful logon attempts,
+privileged activities or other system-level access, starting and ending time
+for user access to the system, concurrent logons from different workstations,
+successful and unsuccessful accesses to objects, all program initiations, and
+all direct access to the information system;
+
+ 3) All account creations, modifications, disabling, and terminations; and
+
+ 4) All kernel module load, unload, and restart actions.
+
+```
+New:
+```
+Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "kmod" command is used to control Linux Kernel modules.
+
+The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
+
+DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:
+
+1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
+
+2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
+
+3) All account creations, modifications, disabling, and terminations; and
+
+4) All kernel module load, unload, and restart actions.
+
+
+
+```
+---
+SV-230466:
+Old:
+```
+Without the capability to generate audit records, it would be
+difficult to establish, correlate, and investigate the events relating to an
+incident or identify those responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+ The list of audited events is the set of events for which audits are to be
+generated. This set of events is typically a subset of the list of all events
+for which the system is capable of generating audit records.
+
+ DoD has defined the list of events for which RHEL 8 will provide an audit
+record generation capability as the following:
+
+ 1) Successful and unsuccessful attempts to access, modify, or delete
+privileges, security objects, security levels, or categories of information
+(e.g., classification levels);
+
+ 2) Access actions, such as successful and unsuccessful logon attempts,
+privileged activities or other system-level access, starting and ending time
+for user access to the system, concurrent logons from different workstations,
+successful and unsuccessful accesses to objects, all program initiations, and
+all direct access to the information system;
+
+ 3) All account creations, modifications, disabling, and terminations; and
+
+ 4) All kernel module load, unload, and restart actions.
+
+ From "Pam_Faillock man" pages: Note the default directory that
+pam_faillock uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
+
+The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
+
+DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:
+
+1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
+
+2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
+
+3) All account creations, modifications, disabling, and terminations; and
+
+4) All kernel module load, unload, and restart actions.
+
+From "Pam_Faillock man" pages: Note the default directory that pam_faillock uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230467:
+Old:
+```
+Without the capability to generate audit records, it would be
+difficult to establish, correlate, and investigate the events relating to an
+incident or identify those responsible for one.
+
+ Audit records can be generated from various components within the
+information system (e.g., module or policy filter).
+
+ The list of audited events is the set of events for which audits are to be
+generated. This set of events is typically a subset of the list of all events
+for which the system is capable of generating audit records.
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230468: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230469: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + Allocating an audit_backlog_limit of sufficient size is critical in +maintaining a stable boot process. With an insufficient limit allocated, the +system is susceptible to boot failures and crashes. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. 
Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. + +``` +--- +SV-230470: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230471: +Old: +``` +Without the capability to restrict the roles and individuals that can +select which events are audited, unauthorized personnel may be able to prevent +the auditing of critical events. Misconfigured audits may degrade the system's +performance by overwhelming the audit log. Misconfigured audits may also make +it more difficult to establish, correlate, and investigate the events relating +to an incident or identify those responsible for one. + +``` +New: +``` +Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +``` +--- +SV-230472: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. 
+ + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + +``` +--- +SV-230473: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. + + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. 
Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + + +``` +--- +SV-230474: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. + + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
+ +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + + +``` +--- +SV-230475: +Old: +``` +Protecting the integrity of the tools used for auditing purposes is a +critical step toward ensuring the integrity of audit information. Audit +information includes all information (e.g., audit records, audit settings, and +audit reports) needed to successfully audit information system activity. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + + It is not uncommon for attackers to replace the audit tools or inject code +into the existing tools with the purpose of providing the capability to hide or +erase system activity from the audit logs. + + To address this risk, audit tools must be cryptographically signed to +provide the capability to identify when the audit tools have been modified, +manipulated, or replaced. An example is a checksum hash of the file or files. + +``` +New: +``` +Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. 
+ +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + +It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. + +To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. + +``` +--- +SV-230476: +Old: +``` +To ensure RHEL 8 systems have a sufficient storage capacity in which +to write the audit logs, RHEL 8 needs to be able to allocate audit record +storage capacity. + + The task of allocating audit record storage capacity is usually performed +during initial installation of RHEL 8. + +``` +New: +``` +To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. + +The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8. + +``` +--- +SV-230477: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. 
+ + Rsyslog provides three ways to forward message: the traditional UDP +transport, which is extremely lossy but standard; the plain TCP based +transport, which loses messages only during certain situations but is widely +available; and the RELP transport, which does not lose messages but is +currently available only as part of the rsyslogd 3.15.0 and above. + Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 + Note that a port number was given as there is no standard port for RELP. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + +Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. +Examples of each configuration: +UDP *.* @remotesystemname +TCP *.* @@remotesystemname +RELP *.* :omrelp:remotesystemname:2514 +Note that a port number was given as there is no standard port for RELP. + +``` +--- +SV-230478: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. 
+ + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "rsyslog-gnutls" (which is a secure +communications library implementing the SSL, TLS and DTLS protocols), and you +have a method to securely encrypt and off-load auditing. + + Rsyslog provides three ways to forward message: the traditional UDP +transport, which is extremely lossy but standard; the plain TCP based +transport, which loses messages only during certain situations but is widely +available; and the RELP transport, which does not lose messages but is +currently available only as part of the rsyslogd 3.15.0 and above. + Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 + Note that a port number was given as there is no standard port for RELP. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "rsyslog-gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. 
+ +Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. +Examples of each configuration: +UDP *.* @remotesystemname +TCP *.* @@remotesystemname +RELP *.* :omrelp:remotesystemname:2514 +Note that a port number was given as there is no standard port for RELP. + +``` +--- +SV-230479: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + + Rsyslog provides three ways to forward message: the traditional UDP +transport, which is extremely lossy but standard; the plain TCP based +transport, which loses messages only during certain situations but is widely +available; and the RELP transport, which does not lose messages but is +currently available only as part of the rsyslogd 3.15.0 and above. + Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 + Note that a port number was given as there is no standard port for RELP. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
+ +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + +Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. +Examples of each configuration: +UDP *.* @remotesystemname +TCP *.* @@remotesystemname +RELP *.* :omrelp:remotesystemname:2514 +Note that a port number was given as there is no standard port for RELP. + + + +``` +--- +SV-230480: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. 
+ +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + + + +``` +--- +SV-230481: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + + + +``` +--- +SV-230482: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. 
+ + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + + "Rsyslog" supported authentication modes include: + anon - anonymous authentication + x509/fingerprint - certificate fingerprint authentication + x509/certvalid - certificate validation only + x509/name - certificate validation and subject name authentication. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + +"Rsyslog" supported authentication modes include: +anon - anonymous authentication +x509/fingerprint - certificate fingerprint authentication +x509/certvalid - certificate validation only +x509/name - certificate validation and subject name authentication. + + + +``` +--- +SV-230483: +Old: +``` +If security personnel are not notified immediately when storage volume + reaches 75 percent utilization, they are unable to plan for audit record + storage capacity expansion. + +``` +New: +``` +If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. 
+ +``` +--- +SV-230484: +Old: +``` +Inaccurate time stamps make it more difficult to correlate events and +can lead to an inaccurate analysis. Determining the correct time a particular +event occurred on a system is critical when conducting forensic analysis and +investigating system events. Sources outside the configured acceptable +allowance (drift) may be inaccurate. + + Synchronizing internal information system clocks provides uniformity of +time stamps for information systems with multiple system clocks and systems +connected over a network. + + Organizations should consider endpoints that may not have regular access to +the authoritative time server (e.g., mobile, teleworking, and tactical +endpoints). + + If time stamps are not consistently applied and there is no common time +reference, it is difficult to perform forensic analysis. + + Time stamps generated by the operating system include date and time. Time +is commonly expressed in Coordinated Universal Time (UTC), a modern +continuation of Greenwich Mean Time (GMT), or local time with an offset from +UTC. + + RHEL 8 utilizes the "timedatectl" command to view the status of the +"systemd-timesyncd.service". The "timedatectl" status will display the +local time, UTC, and the offset from UTC. + + Note that USNO offers authenticated NTP service to DoD and U.S. Government +agencies operating on the NIPR and SIPR networks. Visit +https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information. + +``` +New: +``` +Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. 
+ +Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. + +Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). + +If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. + +Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. + +RHEL 8 utilizes the "timedatectl" command to view the status of the "systemd-timesyncd.service". The "timedatectl" status will display the local time, UTC, and the offset from UTC. + +Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information. + + + +``` +--- +SV-230487: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + Examples of non-essential capabilities include, but are not limited to, +games, software packages, tools, and demonstration software not related to +requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. 
+ + Verify the operating system is configured to disable non-essential +capabilities. The most secure way of ensuring a non-essential capability is +disabled is to not have the capability installed. + + The telnet service provides an unencrypted remote access service that does +not provide for the confidentiality and integrity of user passwords or the +remote session. + + If a privileged user were to log on using this service, the privileged user +password could be compromised. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + +Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. + +The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session. + +If a privileged user were to log on using this service, the privileged user password could be compromised. + +``` +--- +SV-230488: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. 
These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + Examples of non-essential capabilities include, but are not limited to, +games, software packages, tools, and demonstration software not related to +requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. + + Verify the operating system is configured to disable non-essential +capabilities. The most secure way of ensuring a non-essential capability is +disabled is to not have the capability installed. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + +Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. 
+ +``` +--- +SV-230489: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + Examples of non-essential capabilities include, but are not limited to, +games, software packages, tools, and demonstration software not related to +requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. + + Verify the operating system is configured to disable non-essential +capabilities. The most secure way of ensuring a non-essential capability is +disabled is to not have the capability installed. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. 
+ +Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. + +``` +--- +SV-230491: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + Examples of non-essential capabilities include, but are not limited to, +games, software packages, tools, and demonstration software not related to +requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. + + Verify the operating system is configured to disable non-essential +capabilities. The most secure way of ensuring a non-essential capability is +disabled is to not have the capability installed. + + Kernel page-table isolation is a kernel feature that mitigates the Meltdown +security vulnerability and hardens the kernel against attempts to bypass kernel +address space layout randomization (KASLR). + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + +Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. + +Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). + +``` +--- +SV-230492: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The rsh-server service provides an unencrypted remote access service that +does not provide for the confidentiality and integrity of user passwords or the +remote session and has very weak authentication. + + If a privileged user were to log on using this service, the privileged user +password could be compromised. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. + +If a privileged user were to log on using this service, the privileged user password could be compromised. + + + +``` +--- +SV-230493: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Failing to disconnect from collaborative computing devices (i.e., cameras) +can result in subsequent compromises of organizational information. Providing +easy methods to physically disconnect from such devices after a collaborative +computing session helps to ensure participants actually carry out the +disconnect activity without having to go through complex and tedious procedures. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. 
Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures. + + + +``` +--- +SV-230494: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + + The Asynchronous Transfer Mode (ATM) is a protocol operating on network, +data link, and physical layers, based on virtual circuits and virtual paths. +Disabling ATM protects the system against exploitation of any laws in its +implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect unused protocols can result in a system compromise. + +The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation. + +``` +--- +SV-230495: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. 
+ + Failing to disconnect unused protocols can result in a system compromise. + + The Controller Area Network (CAN) is a serial communications protocol, +which was initially developed for automotive and is now also used in marine, +industrial, and medical applications. Disabling CAN protects the system against +exploitation of any flaws in its implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect unused protocols can result in a system compromise. + +The Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation. + +``` +--- +SV-230496: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + + The Stream Control Transmission Protocol (SCTP) is a transport layer +protocol, designed to support the idea of message-oriented communication, with +several streams of messages within one connection. Disabling SCTP protects the +system against exploitation of any flaws in its implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect unused protocols can result in a system compromise. + +The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation. + +``` +--- +SV-230497: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + + The Transparent Inter-Process Communication (TIPC) protocol is designed to +provide communications between nodes in a cluster. Disabling TIPC protects the +system against exploitation of any flaws in its implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Failing to disconnect unused protocols can result in a system compromise. + +The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation. 
+ +``` +--- +SV-230498: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Removing support for unneeded filesystem types reduces the local attack +surface of the server. + + Compressed ROM/RAM file system (or cramfs) is a read-only file system +designed for simplicity and space-efficiency. It is mainly used in embedded +and small-footprint systems. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Removing support for unneeded filesystem types reduces the local attack surface of the server. + +Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems. + +``` +--- +SV-230499: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time +communication. Disabling FireWire protects the system against exploitation of +any flaws in its implementation. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation. + +``` +--- +SV-230500: +Old: +``` +To prevent unauthorized connection of devices, unauthorized transfer +of information, or unauthorized tunneling (i.e., embedding of data types within +data types), organizations must disable or restrict unused or unnecessary +physical and logical ports/protocols on information systems. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services provided by default may not be +necessary to support essential organizational operations. Additionally, it is +sometimes convenient to provide multiple services from a single component +(e.g., VPN and IPS); however, doing so increases risk over limiting the +services provided by any one component. + + To support the requirements and principles of least functionality, the +operating system must support the organizational requirements, providing only +essential capabilities and limiting the use of ports, protocols, and/or +services to only those required, authorized, and approved to conduct official +business or to address authorized quality-of-life issues. + +``` +New: +``` +To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. 
Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. + +To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues. + +``` +--- +SV-230502: +Old: +``` +Automatically mounting file systems permits easy introduction of +unknown devices, thereby facilitating malicious activity. + +``` +New: +``` +Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. + +``` +--- +SV-230503: +Old: +``` +USB mass storage permits easy introduction of unknown devices, thereby +facilitating malicious activity. + +``` +New: +``` +USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. + + + +``` +--- +SV-230504: +Old: +``` +Failure to restrict network connectivity only to authorized systems +permits inbound connections from malicious systems. It also permits outbound +connections that may facilitate exfiltration of DoD data. + + RHEL 8 incorporates the "firewalld" daemon, which allows for many +different configurations. One of these configurations is zones. Zones can be +utilized to a deny-all, allow-by-exception approach. The default "drop" zone +will drop all incoming network packets unless it is explicitly allowed by the +configuration file or is related to an outgoing network connection. + +``` +New: +``` +Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. 
+ +RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. + +``` +--- +SV-230505: +Old: +``` +"Firewalld" provides an easy and effective way to block/limit remote +access to the system via ports, services, and protocols. + + Remote access services, such as those providing remote access to network +devices and information systems, which lack automated control capabilities, +increase risk and make remote user access management difficult at best. + + Remote access is access to DoD nonpublic information systems by an +authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + + RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement +action if the audit reveals unauthorized activity. Automated control of remote +access sessions allows organizations to ensure ongoing compliance with remote +access policies by enforcing connection rules of remote access applications on +a variety of information system components (e.g., servers, workstations, +notebook computers, smartphones, and tablets). + +``` +New: +``` +"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + +Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. 
+ +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + +``` +--- +SV-230506: +Old: +``` +Without protection of communications with wireless peripherals, +confidentiality and integrity may be compromised because unprotected +communications can be intercepted and either read, altered, or used to +compromise the RHEL 8 operating system. + + This requirement applies to wireless peripheral technologies (e.g., +wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless +peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and +Near Field Communications [NFC]) present a unique challenge by creating an +open, unsecured port on a computer. Wireless peripherals must meet DoD +requirements for wireless data transmission and be approved for use by the +Authorizing Official (AO). Even though some wireless peripherals, such as mice +and pointing devices, do not ordinarily carry information that need to be +protected, modification of communications with these wireless peripherals may +be used to compromise the RHEL 8 operating system. Communication paths outside +the physical protection of a controlled boundary are exposed to the possibility +of interception and modification. 
+ + Protecting the confidentiality and integrity of communications with +wireless peripherals can be accomplished by physical means (e.g., employing +physical barriers to wireless radio frequencies) or by logical means (e.g., +employing cryptographic techniques). If physical means of protection are +employed, then logical means (cryptography) do not have to be employed, and +vice versa. If the wireless peripheral is only passing telemetry data, +encryption of the data may not be required. + +``` +New: +``` +Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. + +This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. + + + +``` +--- +SV-230507: +Old: +``` +Without protection of communications with wireless peripherals, +confidentiality and integrity may be compromised because unprotected +communications can be intercepted and either read, altered, or used to +compromise the RHEL 8 operating system. + + This requirement applies to wireless peripheral technologies (e.g., +wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless +peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and +Near Field Communications [NFC]) present a unique challenge by creating an +open, unsecured port on a computer. Wireless peripherals must meet DoD +requirements for wireless data transmission and be approved for use by the +Authorizing Official (AO). Even though some wireless peripherals, such as mice +and pointing devices, do not ordinarily carry information that need to be +protected, modification of communications with these wireless peripherals may +be used to compromise the RHEL 8 operating system. Communication paths outside +the physical protection of a controlled boundary are exposed to the possibility +of interception and modification. + + Protecting the confidentiality and integrity of communications with +wireless peripherals can be accomplished by physical means (e.g., employing +physical barriers to wireless radio frequencies) or by logical means (e.g., +employing cryptographic techniques). If physical means of protection are +employed, then logical means (cryptography) do not have to be employed, and +vice versa. If the wireless peripheral is only passing telemetry data, +encryption of the data may not be required. 
+ +``` +New: +``` +Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. + +This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. + +``` +--- +SV-230508: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. 
+ + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. 
This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230509: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230510: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230511: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230512: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230513: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230514: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230515: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230516: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230517: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230518: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230519: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230520: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. 
Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230521: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. +Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230522: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. +This option must be used for mounting any file system not containing approved +binary files, as they may be incompatible. Executing files from untrusted file +systems increases the opportunity for unprivileged users to attain unauthorized +administrative access. + + The "nodev" mount option causes the system to not interpret character or +block special devices. Executing character or block special devices from +untrusted file systems increases the opportunity for unprivileged users to +attain unauthorized administrative access. + + The "nosuid" mount option causes the system to not execute "setuid" and +"setgid" files with owner privileges. This option must be used for mounting +any file system not containing approved "setuid" and "setguid" files. 
+Executing files from untrusted file systems increases the opportunity for +unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-230523: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for +allowing the execution of only authorized software. Using only authorized +software decreases risk by limiting the number of potential vulnerabilities. +Verification of whitelisted software occurs prior to execution or at system +startup. 
+ + User home directories/folders may contain information of a sensitive +nature. Non-privileged users should coordinate any sharing of information with +an SA through shared resources. + + RHEL 8 ships with many optional packages. One such package is a file access +policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that +determines access rights to files based on attributes of the process and file. +It can be used to either blacklist or whitelist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper +configuration may render the system non-functional. The "fapolicyd" API is +not namespace aware and can cause issues when launching or running containers. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + +RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. 
The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + + +``` +--- +SV-230524: +Old: +``` +Without authenticating devices, unidentified or unknown devices may be +introduced, thereby facilitating malicious activity. + + Peripherals include, but are not limited to, such devices as flash drives, +external storage, and printers. + + A new feature that RHEL 8 provides is the USBGuard software framework. The +USBguard-daemon is the main component of the USBGuard software framework. It +runs as a service in the background and enforces the USB device authorization +policy for all USB devices. The policy is defined by a set of rules using a +rule language described in the usbguard-rules.conf file. The policy and the +authorization state of USB devices can be modified during runtime using the +usbguard tool. + + The System Administrator (SA) must work with the site Information System +Security Officer (ISSO) to determine a list of authorized peripherals and +establish rules within the USBGuard software framework to allow only authorized +devices. + +``` +New: +``` +Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. + +A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
+ +The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + +``` +--- +SV-230525: +Old: +``` +DoS is a condition when a resource is not available for legitimate +users. When this occurs, the organization either cannot accomplish its mission +or must operate at degraded capacity. + + This requirement addresses the configuration of RHEL 8 to mitigate the +impact of DoS attacks that have occurred or are ongoing on system availability. +For each system, known and potential DoS attacks must be identified and +solutions for each type implemented. A variety of technologies exists to limit +or, in some cases, eliminate the effects of DoS attacks (e.g., limiting +processes or establishing memory partitions). Employing increased capacity and +bandwidth, combined with service redundancy, may reduce the susceptibility to +some DoS attacks. + + Since version 0.6.0, "firewalld" has incorporated "nftables" as its +backend support. Utilizing the limit statement in "nftables" can help to +mitigate DoS attacks. + +``` +New: +``` +DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + +This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. 
+ +Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks. + +``` +--- +SV-230526: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + + + +``` +--- +SV-230527: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + + Session key regeneration limits the chances of a session key becoming +compromised. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
+ +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + +Session key regeneration limits the chances of a session key becoming compromised. + + + +``` +--- +SV-230529: +Old: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete when at the +console, can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. + +``` +New: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230530: +Old: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete, when at the +console, can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. 
+ +``` +New: +``` +A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230531: +Old: +``` +A locally logged-on user who presses Ctrl-Alt-Delete when at the +console can reboot the system. If accidentally pressed, as could happen in the +case of a mixed OS environment, this can create the risk of short-term loss of +availability of systems due to unintentional reboot. In a graphical user +environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is +reduced because the user will be prompted before any action is taken. + +``` +New: +``` +A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +``` +--- +SV-230532: +Old: +``` +The debug-shell requires no authentication and provides root +privileges to anyone who has physical access to the machine. While this +feature is disabled by default, masking it adds an additional layer of +assurance that it will not be enabled via a dependency in systemd. This also +prevents attackers with physical access from trivially bypassing security on +the machine through valid troubleshooting configurations and gaining root +access when the system is rebooted. 
+ +``` +New: +``` +The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. + +``` +--- +SV-230533: +Old: +``` +If TFTP is required for operational support (such as the transmission +of router configurations) its use must be documented with the Information +System Security Officer (ISSO), restricted to only authorized personnel, and +have access control rules established. + +``` +New: +``` +If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established. + +``` +--- +SV-230534: +Old: +``` +If an account other than root also has a User Identifier (UID) of +"0", it has root authority, giving that account unrestricted access to the +entire operating system. Multiple accounts with a UID of "0" afford an +opportunity for potential intruders to guess a password for a privileged +account. + +``` +New: +``` +If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account. + +``` +--- +SV-230550: +Old: +``` +If unrestricted mail relaying is permitted, unauthorized senders could +use this host as a mail relay for the purpose of sending spam or other +unauthorized activity. 
+ +``` +New: +``` +If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. + +``` +--- +SV-230551: +Old: +``` +Extended attributes in file systems are used to contain arbitrary data +and file metadata with security implications. + + RHEL 8 installation media come with a file integrity tool, Advanced +Intrusion Detection Environment (AIDE). + +``` +New: +``` +Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. + +RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). + +``` +--- +SV-230552: +Old: +``` +ACLs can provide permissions beyond those permitted through the file +mode and must be verified by file integrity tools. + + RHEL 8 installation media come with a file integrity tool, Advanced +Intrusion Detection Environment (AIDE). + +``` +New: +``` +ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. + +RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). + +``` +--- +SV-230553: +Old: +``` +Internet services that are not required for system or application +processes must not be active to decrease the attack surface of the system. +Graphical display managers have a long history of security vulnerabilities and +must not be used, unless approved and documented. + +``` +New: +``` +Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. + +``` +--- +SV-230554: +Old: +``` +Network interfaces in promiscuous mode allow for the capture of all +network traffic visible to the system. 
If unauthorized individuals can access +these applications, it may allow them to collect information such as logon IDs, +passwords, and key exchanges between systems. + + If the system is being used to perform a network troubleshooting function, +the use of these tools must be documented with the Information System Security +Officer (ISSO) and restricted to only authorized personnel. + +``` +New: +``` +Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. + +If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel. + +``` +--- +SV-230555: +Old: +``` +The security risk of using X11 forwarding is that the client's X11 +display server may be exposed to attack when the SSH client requests +forwarding. A system administrator may have a stance in which they want to +protect clients that may expose themselves to attack by unwittingly requesting +X11 forwarding, which can warrant a "no" setting. + + X11 forwarding should be enabled with caution. Users with the ability to +bypass file permissions on the remote host (for the user's X11 authorization +database) can access the local X11 display through the forwarded connection. An +attacker may then be able to perform activities such as keystroke monitoring if +the ForwardX11Trusted option is also enabled. + + If X11 services are not required for the system's intended function, they +should be disabled or restricted as appropriate to the system’s needs. + +``` +New: +``` +The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. 
A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting. + +X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. + +If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs. + +``` +--- +SV-230556: +Old: +``` +When X11 forwarding is enabled, there may be additional exposure to +the server and client displays if the sshd proxy display is configured to +listen on the wildcard address. By default, sshd binds the forwarding server +to the loopback address and sets the hostname part of the DIPSLAY environment +variable to localhost. This prevents remote hosts from connecting to the proxy +display. + +``` +New: +``` +When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. + +``` +--- +SV-230557: +Old: +``` +Restricting TFTP to a specific directory prevents remote users from +copying, transferring, or overwriting system files. + +``` +New: +``` +Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. 
+ +``` +--- +SV-230558: +Old: +``` +The FTP service provides an unencrypted remote access that does not +provide for the confidentiality and integrity of user passwords or the remote +session. If a privileged user were to log on using this service, the privileged +user password could be compromised. SSH or other encrypted file transfer +methods must be used in place of this service. + +``` +New: +``` +The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. + +``` +--- +SV-230559: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The gssproxy package is a proxy for GSS API credential handling and could +expose secrets on some networks. It is not needed for normal function of the OS. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS. + +``` +--- +SV-230560: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The iprutils package provides a suite of utilities to manage and configure +SCSI devices supported by the ipr SCSI storage device driver. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. + +``` +--- +SV-230561: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. 
These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + The tuned package contains a daemon that tunes the system settings +dynamically. It does so by monitoring the usage of several system components +periodically. Based on that information, components will then be put into lower +or higher power savings modes to adapt to the current usage. The tuned package +is not needed for normal OS operations. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations. + +``` +--- +SV-237640: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. 
+ + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + Currently, Kerberos does not utilize FIPS 140-2 cryptography. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +Currently, Kerberos does not utilize FIPS 140-2 cryptography. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-237641: +Old: +``` +The sudo command allows a user to execute programs with elevated +(administrator) privileges. It prompts the user for their password and confirms +your request to execute a command by checking a file, called sudoers. If the +"sudoers" file is not configured correctly, any user defined on the system +can initiate privileged actions on the target system. + +``` +New: +``` +The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. 
+ +``` +--- +SV-237642: +Old: +``` +The sudoers security policy requires that users authenticate +themselves before they can use sudo. When sudoers requires authentication, it +validates the invoking user's credentials. If the rootpw, targetpw, or runaspw +flags are defined and not disabled, by default the operating system will prompt +the invoking user for the "root" user password. + For more information on each of the listed configurations, reference the +sudoers(5) manual page. + +``` +New: +``` +The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +For more information on each of the listed configurations, reference the sudoers(5) manual page. + +``` +--- +SV-237643: +Old: +``` +Without re-authentication, users may access resources or perform tasks +for which they do not have authorization. + + When operating systems provide the capability to escalate a functional +capability, it is critical the organization requires the user to +re-authenticate when using the "sudo" command. + + If the value is set to an integer less than 0, the user's time stamp will +not expire and the user will not have to re-authenticate for privileged actions +until the user's session is terminated. + +``` +New: +``` +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. 
+ +If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. + +``` +--- +SV-244519: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. + + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + + + +``` +--- +SV-244523: +Old: +``` +If the system does not require valid root authentication before it +boots into emergency or rescue mode, anyone who invokes emergency or rescue +mode is granted privileged access to all files on the system. + +``` +New: +``` +If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. + +``` +--- +SV-244524: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. 
+ + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-244525: +Old: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. 
The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +``` +New: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. 
If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + + + +``` +--- +SV-244526: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The SSH +configuration file has no effect on the ciphers, MACs, or algorithms unless +specifically defined in the /etc/sysconfig/sshd file. The employed algorithms +can be viewed in the /etc/crypto-policies/back-ends/ directory. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. 
The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. + + + +``` +--- +SV-244527: +Old: +``` +The most important characteristic of a random number generator is its +randomness, namely its ability to deliver random numbers that are impossible to +predict. Entropy in computer security is associated with the unpredictability +of a source of randomness. The random source with high entropy tends to +achieve a uniform distribution of random values. Random number generators are +one of the most important building blocks of cryptosystems. + + The rngd service feeds random data from hardware device to kernel random +device. Quality (non-predictable) random number generation is important for +several security functions (i.e., ciphers). + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers). + +``` +--- +SV-244528: +Old: +``` +Configuring this setting for the SSH daemon provides additional +assurance that remote logon via SSH will require a password, even in the event +of misconfiguration elsewhere. + +``` +New: +``` +Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. 
+ +``` +--- +SV-244529: +Old: +``` +The use of separate file systems for different paths can protect the +system from failures resulting from a file system becoming full or failing. + +``` +New: +``` +The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + +``` +--- +SV-244530: +Old: +``` +The "nosuid" mount option causes the system not to execute +"setuid" and "setgid" files with owner privileges. This option must be used +for mounting any file system not containing approved "setuid" and "setguid" +files. Executing files from untrusted file systems increases the opportunity +for unprivileged users to attain unauthorized administrative access. + +``` +New: +``` +The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +``` +--- +SV-244531: +Old: +``` +Excessive permissions on local interactive user home directories may +allow unauthorized access to user files by other users. + +``` +New: +``` +Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. + +``` +--- +SV-244532: +Old: +``` +If a local interactive user's files are group-owned by a group of +which the user is not a member, unintended users may be able to access them. + +``` +New: +``` +If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them. + +``` +--- +SV-244533: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. 
Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + The preauth argument must be used when the module is called before the +modules which ask for the user credentials such as the password. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. +The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. 
+ + + +``` +--- +SV-244534: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + The preauth argument must be used when the module is called before the +modules which ask for the user credentials such as the password. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. 
+The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. + + + +``` +--- +SV-244535: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + + + +``` +--- +SV-244536: +Old: +``` +Leaving the user list enabled is a security risk since it allows +anyone with physical access to the system to enumerate known user accounts +without authenticated access to the system. + +``` +New: +``` +Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. 
+ +``` +--- +SV-244538: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + + Implementing session settings will have little value if a user is able to +manipulate these settings from the defaults prescribed in the other +requirements of this implementation guide. + + Locking these settings from non-privileged users is crucial to maintaining +a protected baseline. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Locking these settings from non-privileged users is crucial to maintaining a protected baseline. 
+ + + +``` +--- +SV-244539: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + + Implementing session settings will have little value if a user is able to +manipulate these settings from the defaults prescribed in the other +requirements of this implementation guide. + + Locking these settings from non-privileged users is crucial to maintaining +a protected baseline. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Locking these settings from non-privileged users is crucial to maintaining a protected baseline. + + + +``` +--- +SV-244541: +Old: +``` +If an account has an empty password, anyone could log on and run +commands with the privileges of that account. 
Accounts with empty passwords +should never be used in operational environments. + +``` +New: +``` +If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. + +``` +--- +SV-244542: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Associating event types with detected events in RHEL 8 audit logs provides +a means of investigating an attack, recognizing resource utilization or +capacity thresholds, or identifying an improperly configured RHEL 8 system. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. 
+ + + +``` +--- +SV-244543: +Old: +``` +If security personnel are not notified immediately when storage volume +reaches 75 percent utilization, they are unable to plan for audit record +storage capacity expansion. + +``` +New: +``` +If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. + +``` +--- +SV-244544: +Old: +``` +"Firewalld" provides an easy and effective way to block/limit remote +access to the system via ports, services, and protocols. + + Remote access services, such as those providing remote access to network +devices and information systems, which lack automated control capabilities, +increase risk and make remote user access management difficult at best. + + Remote access is access to DoD nonpublic information systems by an +authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement +action if the audit reveals unauthorized activity. Automated control of remote +access sessions allows organizations to ensure ongoing compliance with remote +access policies by enforcing connection rules of remote access applications on +a variety of information system components (e.g., servers, workstations, +notebook computers, smartphones, and tablets). + +``` +New: +``` +"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + +Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. 
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
+
+```
+---
+SV-244545:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ Utilizing a whitelist provides a configuration management method for
+allowing the execution of only authorized software. Using only authorized
+software decreases risk by limiting the number of potential vulnerabilities.
+Verification of whitelisted software occurs prior to execution or at system
+startup.
+
+ User home directories/folders may contain information of a sensitive
+nature. Non-privileged users should coordinate any sharing of information with
+an SA through shared resources.
+
+ RHEL 8 ships with many optional packages. One such package is a file access
+policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that
+determines access rights to files based on attributes of the process and file.
+It can be used to either blacklist or whitelist processes or file access.
+
+ Proceed with caution with enforcing the use of this daemon. Improper
+configuration may render the system non-functional.
The "fapolicyd" API is
+not namespace aware and can cause issues when launching or running containers.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
+
+User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
+
+RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
+
+Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
+
+
+
+```
+---
+SV-244546:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ Utilizing a whitelist provides a configuration management method for
+allowing the execution of only authorized software. Using only authorized
+software decreases risk by limiting the number of potential vulnerabilities.
+Verification of whitelisted software occurs prior to execution or at system
+startup.
+
+ User home directories/folders may contain information of a sensitive
+nature. Non-privileged users should coordinate any sharing of information with
+an SA through shared resources.
+
+ RHEL 8 ships with many optional packages. One such package is a file access
+policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that
+determines access rights to files based on attributes of the process and file.
+It can be used to either blacklist or whitelist processes or file access.
+
+ Proceed with caution with enforcing the use of this daemon. Improper
+configuration may render the system non-functional. The "fapolicyd" API is
+not namespace aware and can cause issues when launching or running containers.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
+
+User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
+
+RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
+
+Proceed with caution with enforcing the use of this daemon.
Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
+
+
+
+```
+---
+SV-244547:
+Old:
+```
+Without authenticating devices, unidentified or unknown devices may be
+introduced, thereby facilitating malicious activity.
+ Peripherals include, but are not limited to, such devices as flash drives,
+external storage, and printers.
+ A new feature that RHEL 8 provides is the USBGuard software framework. The
+USBguard-daemon is the main component of the USBGuard software framework. It
+runs as a service in the background and enforces the USB device authorization
+policy for all USB devices. The policy is defined by a set of rules using a
+rule language described in the usbguard-rules.conf file. The policy and the
+authorization state of USB devices can be modified during runtime using the
+usbguard tool.
+
+ The System Administrator (SA) must work with the site Information System
+Security Officer (ISSO) to determine a list of authorized peripherals and
+establish rules within the USBGuard software framework to allow only authorized
+devices.
+
+```
+New:
+```
+Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
+A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
+
+The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.
+
+```
+---
+SV-244548:
+Old:
+```
+Without authenticating devices, unidentified or unknown devices may be
+introduced, thereby facilitating malicious activity.
+
+ Peripherals include, but are not limited to, such devices as flash drives,
+external storage, and printers.
+
+ A new feature that RHEL 8 provides is the USBGuard software framework. The
+USBguard-daemon is the main component of the USBGuard software framework. It
+runs as a service in the background and enforces the USB device authorization
+policy for all USB devices. The policy is defined by a set of rules using a
+rule language described in the usbguard-rules.conf file. The policy and the
+authorization state of USB devices can be modified during runtime using the
+usbguard tool.
+
+ The System Administrator (SA) must work with the site Information System
+Security Officer (ISSO) to determine a list of authorized peripherals and
+establish rules within the USBGuard software framework to allow only authorized
+devices.
+
+```
+New:
+```
+Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+
+Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
+
+A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
+
+The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.
+
+```
+---
+SV-244549:
+Old:
+```
+Without protection of the transmitted information, confidentiality and
+integrity may be compromised because unprotected communications can be
+intercepted and either read or altered.
+
+ This requirement applies to both internal and external networks and all
+types of information system components from which information can be
+transmitted (e.g., servers, mobile devices, notebook computers, printers,
+copiers, scanners, and facsimile machines). Communication paths outside the
+physical protection of a controlled boundary are exposed to the possibility of
+interception and modification.
+
+ Protecting the confidentiality and integrity of organizational information
+can be accomplished by physical means (e.g., employing physical distribution
+systems) or by logical means (e.g., employing cryptographic techniques). If
+physical means of protection are employed, then logical means (cryptography) do
+not have to be employed, and vice versa.
+
+```
+New:
+```
+Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
+
+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
+
+
+
+```
+---
+SV-250315:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+ unauthorized system access via user password guessing, otherwise known as
+ brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ From "faillock.conf" man pages: Note that the default directory that
+ "pam_faillock" uses is usually cleared on system boot so the access will be
+ re-enabled after system reboot. If that is undesirable, a different tally
+ directory must be set with the "dir" option.
+
+ SELinux, enforcing a targeted policy, will require any non-default tally
+ directory's security context type to match the default directory's security
+ context type. Without updating the security context type, the pam_faillock
+ module will not write failed login attempts to the non-default tally directory.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
+
+SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
+
+```
+---
+SV-250316:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+ unauthorized system access via user password guessing, otherwise known as
+ brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+ "pam_faillock" uses is usually cleared on system boot so the access will be
+ reenabled after system reboot. If that is undesirable, a different tally
+ directory must be set with the "dir" option.
+
+ SELinux, enforcing a targeted policy, will require any non-default tally
+ directory's security context type to match the default directory's security
+ context type. Without updating the security context type, the pam_faillock
+ module will not write failed login attempts to the non-default tally directory.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
+
+SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
+
+```
+---
+SV-250317:
+Old:
+```
+Routing protocol daemons are typically used on routers to exchange network
+ topology information with other routers. If this software is used when not required,
+ system network information may be unnecessarily transmitted across the network.
+
+ The sysctl --system command will load settings from all system configuration files.
+
+ All configuration files are sorted by their filename in lexicographic order, regardless
+ of which of the directories they reside in. If multiple files specify the same option,
+ the entry in the file with the lexicographically latest name will take precedence.
+
+ Files are read from directories in the following list from top to bottom. Once a file of a
+ given filename is loaded, any file of the same name in subsequent directories is ignored.
+
+ /etc/sysctl.d/*.conf
+ /run/sysctl.d/*.conf
+ /usr/local/lib/sysctl.d/*.conf
+ /usr/lib/sysctl.d/*.conf
+ /lib/sysctl.d/*.conf
+ /etc/sysctl.conf
+
+```
+New:
+```
+Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+/etc/sysctl.d/*.conf
+/run/sysctl.d/*.conf
+/usr/local/lib/sysctl.d/*.conf
+/usr/lib/sysctl.d/*.conf
+/lib/sysctl.d/*.conf
+/etc/sysctl.conf
+
+```
+---
+SV-251707:
+Old:
+```
+If RHEL 8 were to allow any user to make changes to software libraries,
+ then those changes might be implemented without undergoing the appropriate
+ testing and approvals that are part of a robust change management process.
+
+ This requirement applies to RHEL 8 with software libraries that are accessible
+ and configurable, as in the case of interpreted languages. Software libraries
+ also include privileged programs that execute with escalated privileges. Only
+ qualified and authorized individuals will be allowed to obtain access to
+ information system components for purposes of initiating changes, including
+ upgrades and modifications.
+
+```
+New:
+```
+If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+```
+---
+SV-251708:
+Old:
+```
+If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+```
+New:
+```
+If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+```
+---
+SV-251709:
+Old:
+```
+If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+```
+New:
+```
+If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
+
+```
+---
+SV-251710:
+Old:
+```
+Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed.
+ Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the
+ system security policy and supporting the isolation of code and data on which the protection is based. Security functionality
+ includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges),
+ setting events to be audited, and setting intrusion detection parameters.
+
+ This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and
+ environments that require this functionality.
+
+```
+New:
+```
+Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality.
+
+```
+---
+SV-251711:
+Old:
+```
+The "sudo" command allows authorized users to run programs (including shells) as other users,
+ system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as
+ well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers"
+ file allow configured users to run programs without re-authenticating. Use of these configuration
+ options makes it easier for one compromised account to be used to compromise other accounts.
+
+ It is possible to include other sudoers files from within the sudoers file currently being parsed
+ using the #include and #includedir directives. When sudo reaches this line it will suspend
+ processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the
+ end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are
+ included may themselves include other files. A hard limit of 128 nested include files is enforced
+ to prevent include file loops.
+
+```
+New:
+```
+The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
+
+It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.
+
+```
+---
+SV-251712:
+Old:
+```
+Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
+
+```
+New:
+```
+Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
+
+
+
+```
+---
+SV-254520:
+Old:
+```
+Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+
+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.
+
+```
+New:
+```
+Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+
+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.
+
+```
+---
+
\ No newline at end of file From b57f1b357ea1db531bdabb320f5439a384d1f755 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 16:23:02 -0600 Subject: [PATCH 30/71] still playing with the downloads Signed-off-by: Aaron Lippold --- .../public/assets/downloads/delta_report.md | 999 +++++++++++++----- src/courses/delta/05.md | 4 +- 2 files changed, 717 insertions(+), 286 deletions(-) diff --git a/src/.vuepress/public/assets/downloads/delta_report.md b/src/.vuepress/public/assets/downloads/delta_report.md index a16403227..90c09ed3f 100644 --- a/src/.vuepress/public/assets/downloads/delta_report.md +++ b/src/.vuepress/public/assets/downloads/delta_report.md @@ -1,20 +1,22 @@ -## Automatic Update: -> +## Automatic Update -### New Controls: -+ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. +### New Controls ++ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. + +### Updated Check/Fixes + +#### Checks -### Updated Check/Fixes: -#### Checks:
Click to expand. SV-230262: -Old: +Old: ``` Verify the system-wide shared library files are group-owned by "root" with the following command: - $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} + sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; If any system wide shared library file is returned and is not group-owned @@ -24,6 +26,7 @@ by a required system account, this is a finding. Updated: ``` + Verify the system-wide shared library files are group-owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; @@ -33,8 +36,9 @@ If any system wide shared library file is returned and is not group-owned by a r ``` --- SV-230379: -Old: +Old: ``` + Verify all accounts on the system are assigned to an active system, application, or user account. @@ -65,6 +69,7 @@ a finding. Updated: ``` + Verify that there are no unauthorized interactive user accounts with the following command: $ less /etc/passwd @@ -86,6 +91,7 @@ If there are unauthorized local user accounts on the system, this is a finding. SV-230470: Old: ``` + Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: @@ -103,6 +109,7 @@ the line is commented out, this is a finding. Updated: ``` + Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: Note: If the USBGuard daemon is not installed and enabled, this requirement is Not Applicable. @@ -120,6 +127,7 @@ If the system is a virtual machine with no virtual or physical USB peripherals a SV-230524: Old: ``` + Verify the USBGuard has a policy configured with the following command: $ sudo usbguard list-rules @@ -134,6 +142,7 @@ before establishing a connection, this is a finding. Updated: ``` + Verify the USBGuard has a policy configured with the following command: $ sudo usbguard list-rules 
@@ -151,6 +160,7 @@ If the system is a virtual machine with no virtual or physical USB peripherals a SV-230548: Old: ``` + Verify RHEL 8 disables the use of user namespaces with the following commands: Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. @@ -175,6 +185,7 @@ If conflicting results are returned, this is a finding. Updated: ``` + Verify RHEL 8 disables the use of user namespaces with the following commands: $ sudo sysctl user.max_user_namespaces @@ -200,6 +211,7 @@ If the use of namespaces is operationally required and documented with the ISSM, SV-230559: Old: ``` + Verify the gssproxy package has not been installed on the system with the following commands: @@ -216,6 +228,7 @@ is a finding. Updated: ``` + Verify the gssproxy package has not been installed on the system with the following commands: $ sudo yum list installed gssproxy @@ -231,6 +244,7 @@ If NFS mounts are being used, this is not a finding. SV-244527: Old: ``` + Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: @@ -245,6 +259,7 @@ number generator entropy gatherer service with the following command: Updated: ``` + Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable. Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: @@ -260,6 +275,7 @@ If the "rng-tools" package is not installed, this is a finding. SV-244547: Old: ``` + Verify USBGuard is installed on the operating system with the following command: @@ -277,6 +293,7 @@ before establishing a connection, this is a finding. Updated: ``` + Verify USBGuard is installed on the operating system with the following command: $ sudo yum list installed usbguard 
@@ -294,6 +311,7 @@ If the system is a virtual machine with no virtual or physical USB peripherals a SV-244548: Old: ``` + Verify the operating system has enabled the use of the USBGuard with the following command: @@ -313,6 +331,7 @@ before establishing a connection, this is a finding. Updated: ``` + Verify the operating system has enabled the use of the USBGuard with the following command: $ sudo systemctl status usbguard.service @@ -334,6 +353,7 @@ If the system is a virtual machine with no virtual or physical USB peripherals a SV-257258: Old: ``` + Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command: $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf @@ -346,6 +366,7 @@ If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding. Updated: ``` + Note: This requirement applies to RHEL versions 8.7 and higher. If the system is not RHEL version 8.7 or newer, this requirement is not applicable. Verify that RHEL 8 logs out sessions that are idle for 10 minutes with the following command: @@ -366,6 +387,7 @@ If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding. SV-230379: Old: ``` + Configure the system so all accounts on the system are assigned to an active system, application, or user account. @@ -377,6 +399,7 @@ allow for a normal user to perform administrative-level actions. ``` New: ``` + Remove unauthorized local interactive user accounts with the following command where is the unauthorized account: $ sudo userdel @@ -386,6 +409,7 @@ $ sudo userdel SV-230548: Old: ``` + Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. 
@@ -407,11 +431,12 @@ $ sudo sysctl --system ``` New: ``` + Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: user.max_user_namespaces = 0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf
@@ -428,19 +453,21 @@ $ sudo sysctl --system SV-257258: Old: ``` + Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: StopIdleSessionSec=900 The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: - $ sudo systemctl restart systemd-logind + sudo systemctl restart systemd-logind Note: To preserve running user programs such as tmux, uncomment and/or edit "KillUserProccesses=no" in "/etc/systemd/logind.conf". ``` New: ``` + Configure RHEL 8 to log out idle sessions after 10 minutes by editing the /etc/systemd/logind.conf file with the following line: StopIdleSessionSec=600
@@ -1823,18 +1850,20 @@ New: RHEL 8.7 and higher must terminate idle user sessions. SV-230221: Old: ``` + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. + Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit . Note: The life-cycle time spans and dates are subject to adjustment. ``` New: ``` + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. -Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. 
The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit . Note: The life-cycle time spans and dates are subject to adjustment. ```
@@ -1842,6 +1871,7 @@ Note: The life-cycle time spans and dates are subject to adjustment. SV-230222: Old: ``` + Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software
@@ -1856,6 +1886,7 @@ Timely patching is critical for maintaining the operational ``` New: ``` + Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. ```
@@ -1863,6 +1894,7 @@ Timely patching is critical for maintaining the operational availability, confid SV-230223: Old: ``` + Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries.
@@ -1872,19 +1904,19 @@ The fips=1 kernel option needs to be added to the kernel command line during sys ``` New: ``` + Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. -RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. - - ``` --- SV-230224: Old: ``` + RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. 
@@ -1899,17 +1931,17 @@ data structures (e.g., files, records, or fields). ``` New: ``` + RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). - - ``` --- SV-230225: Old: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
@@ -1937,6 +1969,7 @@ Use the following verbiage for operating systems that have severe limitations on ``` New: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
@@ -1961,13 +1994,12 @@ Use the following verbiage for operating systems that have severe limitations on "I've read & consent to terms in IS user agreem't." - - ``` --- SV-230226: Old: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws,
@@ -2010,6 +2042,7 @@ Agreement for details." ``` New: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
@@ -2030,13 +2063,12 @@ By using this IS (which includes any device attached to this IS), you consent to -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - - ``` --- SV-230227: Old: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws,
@@ -2079,6 +2111,7 @@ Agreement for details." ``` New: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
@@ -2099,13 +2132,12 @@ By using this IS (which includes any device attached to this IS), you consent to -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - - ``` --- SV-230229: Old: ``` + Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
@@ -2132,6 +2164,7 @@ requirement. ``` New: ``` + Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.
@@ -2140,13 +2173,12 @@ When there is a chain of trust, usually the top entity to be trusted becomes the This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. - - ``` --- SV-230230: Old: ``` + If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.
@@ -2154,6 +2186,7 @@ associated public key has been installed. ``` New: ``` + If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed. ```
@@ -2161,6 +2194,7 @@ If an unauthorized user obtains access to a private key without a passcode, that SV-230231: Old: ``` + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
@@ -2175,6 +2209,7 @@ access cryptographic modules utilize authentication that meets DoD requirements. ``` New: ``` + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
@@ -2186,6 +2221,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-230232: Old: ``` + The system must use a strong hashing algorithm to store the password. Passwords need to be protected at all times, and encryption is the standard
@@ -2195,6 +2231,7 @@ plainly read (i.e., clear text) and easily compromised. ``` New: ``` + The system must use a strong hashing algorithm to store the password. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
@@ -2204,6 +2241,7 @@ Passwords need to be protected at all times, and encryption is the standard meth SV-230233: Old: ``` + The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
@@ -2215,6 +2253,7 @@ plainly read (i.e., clear text) and easily compromised. ``` New: ``` + The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
@@ -2224,6 +2263,7 @@ Passwords need to be protected at all times, and encryption is the standard meth SV-230234: Old: ``` + If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB
@@ -2233,6 +2273,7 @@ to boot into single-user mode or make modifications to the boot menu. ``` New: ``` + If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. ```
@@ -2240,6 +2281,7 @@ If the system does not require valid authentication before it boots into single- SV-230235: Old: ``` + If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB
@@ -2249,6 +2291,7 @@ to boot into single-user mode or make modifications to the boot menu. ``` New: ``` + If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. ```
@@ -2256,6 +2299,7 @@ If the system does not require valid authentication before it boots into single- SV-230236: Old: ``` + If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.
@@ -2263,6 +2307,7 @@ mode is granted privileged access to all files on the system. ``` New: ``` + If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. ```
@@ -2270,6 +2315,7 @@ If the system does not require valid root authentication before it boots into em SV-230237: Old: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
@@ -2285,9 +2331,10 @@ general-purpose computing system. ``` New: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
@@ -2296,6 +2343,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-230238: Old: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
@@ -2316,6 +2364,7 @@ general-purpose computing system. ``` New: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
@@ -2329,6 +2378,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-230239: Old: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
@@ -2346,6 +2396,7 @@ general-purpose computing system. ``` New: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
@@ -2359,6 +2410,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-230240: Old: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system
@@ -2375,6 +2427,7 @@ functionality. ``` New: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.
@@ -2384,6 +2437,7 @@ This requirement applies to operating systems performing security function verif SV-230241: Old: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system
@@ -2401,6 +2455,7 @@ switch roles, and run_init to run /etc/init.d scripts in the proper context. ``` New: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.
@@ -2410,6 +2465,7 @@ Policycoreutils contains the policy core utilities that are required for basic o SV-230243: Old: ``` + Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf
@@ -2430,6 +2486,7 @@ storage) that may be assessed on specific information system components. ``` New: ``` + Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
@@ -2441,6 +2498,7 @@ There may be shared resources with configurable protections (e.g., files in stor SV-230244: Old: ``` + Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. 
@@ -2450,19 +2508,19 @@ Terminating an unresponsive SSH session within a short time period reduces the w ``` New: ``` + Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - - ``` --- SV-230245: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally 
@@ -2478,6 +2536,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
@@ -2487,6 +2546,7 @@ The structure and content of error messages must be carefully considered by the SV-230246: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally
@@ -2502,6 +2562,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
@@ -2511,6 +2572,7 @@ The structure and content of error messages must be carefully considered by the SV-230247: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally
@@ -2526,6 +2588,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
@@ -2535,6 +2598,7 @@ The structure and content of error messages must be carefully considered by the SV-230248: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally
@@ -2550,6 +2614,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
@@ -2559,6 +2624,7 @@ The structure and content of error messages must be carefully considered by the SV-230249: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally
@@ -2574,6 +2640,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
@@ -2583,6 +2650,7 @@ The structure and content of error messages must be carefully considered by the SV-230250: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally @@ -2598,6 +2666,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 
@@ -2607,11 +2676,13 @@ The structure and content of error messages must be carefully considered by the SV-230251: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
@@ -2622,13 +2693,12 @@ RHEL 8 incorporates system-wide crypto policies by default. The SSH configuratio The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. - - ``` --- SV-230252: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -2655,6 +2725,7 @@ connection. ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. @@ -2665,13 +2736,12 @@ RHEL 8 incorporates system-wide crypto policies by default. The SSH configuratio The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. - - ``` --- SV-230253: Old: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability 
@@ -2689,6 +2759,7 @@ until enough entropy is available. ``` New: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available. @@ -2698,6 +2769,7 @@ The SSH implementation in RHEL8 uses the OPENSSL library, which does not use hig SV-230254: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -2718,6 +2790,7 @@ file. ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. @@ -2726,13 +2799,12 @@ Cryptographic mechanisms used for protecting the integrity of information includ RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. - - ``` --- SV-230255: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
@@ -2753,6 +2825,7 @@ file. ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. @@ -2761,13 +2834,12 @@ Cryptographic mechanisms used for protecting the integrity of information includ RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. - - ``` --- SV-230256: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -2793,6 +2865,7 @@ policy defines employed algorithms in the ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. 
@@ -2801,13 +2874,12 @@ Cryptographic mechanisms used for protecting the integrity of information includ The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto policy defines employed algorithms in the /etc/crypto-policies/back-ends/gnutls.config file. - - ``` --- SV-230257: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management @@ -2823,6 +2895,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. @@ -2832,6 +2905,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230258: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management 
@@ -2847,6 +2921,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. @@ -2856,6 +2931,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230259: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management @@ -2871,6 +2947,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. 
@@ -2880,6 +2957,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230260: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management @@ -2895,6 +2973,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. @@ -2904,6 +2983,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230261: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management 
@@ -2919,6 +2999,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. @@ -2928,6 +3009,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230262: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management @@ -2943,6 +3025,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. 
@@ -2952,6 +3035,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230263: Old: ``` + Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. @@ -2965,6 +3049,7 @@ RHEL 8 comes with many optional software packages. A file integrity tool called ``` New: ``` + Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. 
@@ -2975,13 +3060,12 @@ This capability must take into account operational requirements for availability RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. - - ``` --- SV-230264: Old: ``` + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. @@ -3001,6 +3085,7 @@ used to verify the software must be from an approved CA. ``` New: ``` + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. @@ -3012,6 +3097,7 @@ Verifying the authenticity of the software prior to installation validates the i SV-230265: Old: ``` + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
@@ -3031,6 +3117,7 @@ used to verify the software must be from an approved CA. ``` New: ``` + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. 
@@ -3042,6 +3129,7 @@ Verifying the authenticity of the software prior to installation validates the i SV-230267: Old: ``` + Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
@@ -3059,6 +3147,7 @@ The sysctl --system command will load settings from all system configuration fil ``` New: ``` + Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
@@ -3073,13 +3162,12 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf - - ``` --- SV-230268: Old: ``` + Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
@@ -3098,6 +3186,7 @@ Discretionary Access Control (DAC) is based on the notion that individual users ``` New: ``` + Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
@@ -3112,13 +3201,12 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf - - ``` --- SV-230271: Old: ``` + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. @@ -3128,17 +3216,17 @@ capability, it is critical the user reauthenticate. ``` New: ``` + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - - ``` --- SV-230272: Old: ``` + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. @@ -3148,17 +3236,17 @@ capability, it is critical the user reauthenticate. ``` New: ``` + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - - ``` --- SV-230273: Old: ``` + Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication 
@@ -3185,6 +3273,7 @@ Using an authentication device, such as a DoD Common Access Card (CAC) ``` New: ``` + Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. @@ -3200,6 +3289,7 @@ This requirement only applies to components where this is specific to the functi SV-230274: Old: ``` + Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication 
@@ -3218,19 +3308,19 @@ Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol ``` New: ``` + Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. - - ``` --- SV-230275: Old: ``` + The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. @@ -3242,6 +3332,7 @@ The use of PIV credentials facilitates standardization and reduces the ``` New: ``` + The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. @@ -3251,6 +3342,7 @@ The DoD has mandated the use of the Common Access Card (CAC) to support identity SV-230276: Old: ``` + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data 
@@ -3263,6 +3355,7 @@ hardware providing the greater strength of mechanism. ``` New: ``` + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. @@ -3272,6 +3365,7 @@ Examples of attacks are buffer overflow attacks. SV-230277: Old: ``` + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data @@ -3288,17 +3382,17 @@ detection of corrupted memory. ``` New: ``` + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. - - ``` --- SV-230278: Old: ``` + Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently 
@@ -3317,17 +3411,17 @@ syscalls will need enabled so the components function properly. ``` New: ``` + Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly. - - ``` --- SV-230279: Old: ``` + Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. 
@@ -3337,19 +3431,19 @@ SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued S ``` New: ``` + Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. - - ``` --- SV-230281: Old: ``` + Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of @@ -3358,6 +3452,7 @@ software automatically from the information system. ``` New: ``` + Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. ``` @@ -3365,6 +3460,7 @@ Previous versions of software components that are not removed from the informati SV-230282: Old: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system 
@@ -3381,6 +3477,7 @@ functionality. ``` New: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. @@ -3390,6 +3487,7 @@ This requirement applies to operating systems performing security function verif SV-230283: Old: ``` + The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not @@ -3399,6 +3497,7 @@ or for the use of two-factor authentication. ``` New: ``` + The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. ``` @@ -3406,6 +3505,7 @@ The "shosts.equiv" files are used to configure host-based authentication for the SV-230284: Old: ``` + The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not 
@@ -3415,6 +3515,7 @@ or for the use of two-factor authentication. ``` New: ``` + The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. ``` @@ -3422,6 +3523,7 @@ The ".shosts" files are used to configure host-based authentication for individu SV-230285: Old: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). @@ -3429,6 +3531,7 @@ The rngd service feeds random data from hardware device to kernel random device. ``` New: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). 
@@ -3438,12 +3541,14 @@ The rngd service feeds random data from hardware device to kernel random device. SV-230286: Old: ``` + If a public host key file is modified by an unauthorized user, the SSH service may be compromised. ``` New: ``` + If a public host key file is modified by an unauthorized user, the SSH service may be compromised. ``` @@ -3451,12 +3556,14 @@ If a public host key file is modified by an unauthorized user, the SSH service m SV-230287: Old: ``` + If an unauthorized user obtains the private SSH host key file, the host could be impersonated. ``` New: ``` + If an unauthorized user obtains the private SSH host key file, the host could be impersonated. ``` @@ -3464,12 +3571,14 @@ If an unauthorized user obtains the private SSH host key file, the host could be SV-230288: Old: ``` + If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user. ``` New: ``` + If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user. ``` @@ -3477,6 +3586,7 @@ If other users have access to modify user-specific SSH configuration files, they SV-230290: Old: ``` + Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. @@ -3484,6 +3594,7 @@ of misconfiguration elsewhere. ``` New: ``` + Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. ``` @@ -3491,6 +3602,7 @@ Configuring this setting for the SSH daemon provides additional assurance that r SV-230291: Old: ``` + Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. 
@@ -3498,6 +3610,7 @@ authentication, even in the event of misconfiguration elsewhere. ``` New: ``` + Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. ``` @@ -3505,12 +3618,14 @@ Configuring these settings for the SSH daemon provides additional assurance that SV-230292: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` @@ -3518,12 +3633,14 @@ The use of separate file systems for different paths can protect the system from SV-230293: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` @@ -3531,12 +3648,14 @@ The use of separate file systems for different paths can protect the system from SV-230294: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` 
@@ -3544,12 +3663,14 @@ The use of separate file systems for different paths can protect the system from SV-230295: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` @@ -3557,6 +3678,7 @@ The use of separate file systems for different paths can protect the system from SV-230296: Old: ``` + Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides @@ -3565,6 +3687,7 @@ individual accountability of actions performed on the system. ``` New: ``` + Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system. ``` @@ -3572,6 +3695,7 @@ Even though the communications channel may be encrypted, an additional layer of SV-230298: Old: ``` + Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that 
@@ -3590,6 +3714,7 @@ functions, ports, protocols, services, and remote connections. ``` New: ``` + Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. @@ -3599,6 +3724,7 @@ Configuration settings are the set of parameters that can be changed in hardware SV-230299: Old: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" @@ -3608,6 +3734,7 @@ for unprivileged users to attain unauthorized administrative access. ``` New: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` 
@@ -3615,6 +3742,7 @@ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" SV-230300: Old: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" @@ -3624,6 +3752,7 @@ for unprivileged users to attain unauthorized administrative access. ``` New: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3631,6 +3760,7 @@ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" SV-230301: Old: ``` + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged @@ -3640,6 +3770,7 @@ location for device files is the /dev directory located on the root partition. ``` New: ``` + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition. ``` @@ -3647,6 +3778,7 @@ The "nodev" mount option causes the system to not interpret character or block s SV-230302: Old: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from 
@@ -3656,6 +3788,7 @@ attain unauthorized administrative access. ``` New: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3663,6 +3796,7 @@ The "noexec" mount option causes the system not to execute binary files. This op SV-230303: Old: ``` + The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged @@ -3671,6 +3805,7 @@ users to attain unauthorized administrative access. ``` New: ``` + The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3678,6 +3813,7 @@ The "nodev" mount option causes the system not to interpret character or block s SV-230304: Old: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from @@ -3687,6 +3823,7 @@ attain unauthorized administrative access. ``` New: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` 
@@ -3694,6 +3831,7 @@ The "noexec" mount option causes the system not to execute binary files. This op SV-230305: Old: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" @@ -3703,6 +3841,7 @@ for unprivileged users to attain unauthorized administrative access. ``` New: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3710,6 +3849,7 @@ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" SV-230306: Old: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted @@ -3719,6 +3859,7 @@ unauthorized administrative access. ``` New: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3726,6 +3867,7 @@ The "noexec" mount option causes the system not to execute binary files. This op SV-230307: Old: ``` + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged 
@@ -3734,6 +3876,7 @@ users to attain unauthorized administrative access. ``` New: ``` + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3741,6 +3884,7 @@ The "nodev" mount option causes the system to not interpret character or block s SV-230308: Old: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" @@ -3750,6 +3894,7 @@ for unprivileged users to attain unauthorized administrative access. ``` New: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3757,6 +3902,7 @@ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" SV-230309: Old: ``` + If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is @@ -3766,6 +3912,7 @@ compromise the system at the root and network level. ``` New: ``` + If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. ``` 
@@ -3773,6 +3920,7 @@ If user start-up files execute world-writable programs, especially in unprotecte SV-230310: Old: ``` + Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available @@ -3784,6 +3932,7 @@ kdump service at the time of system installation. ``` New: ``` + Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. RHEL 8 installation media presents the option to enable or disable the kdump service at the time of system installation. @@ -3793,6 +3942,7 @@ RHEL 8 installation media presents the option to enable or disable the kdump ser SV-230312: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -3806,22 +3956,24 @@ generally useful only for developers trying to debug problems. When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged -systemd-coredump@.service instance to process the core dump. + instance to process the core dump. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. -When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump. +When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged instance to process the core dump. ``` --- SV-230313: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -3835,6 +3987,7 @@ generally useful only for developers trying to debug problems. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. @@ -3844,6 +3997,7 @@ A core dump includes a memory image taken at the time the operating system termi SV-230314: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -3857,6 +4011,7 @@ generally useful only for developers trying to debug problems. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. @@ -3866,6 +4021,7 @@ A core dump includes a memory image taken at the time the operating system termi SV-230315: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -3879,6 +4035,7 @@ generally useful only for developers trying to debug problems. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. @@ -3888,6 +4045,7 @@ A core dump includes a memory image taken at the time the operating system termi SV-230316: Old: ``` + To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include @@ -3896,6 +4054,7 @@ time synchronization, centralized authentication, and remote system logging. ``` New: ``` + To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. ``` @@ -3903,6 +4062,7 @@ To provide availability for name resolution services, multiple redundant name se SV-230317: Old: ``` + The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home 
@@ -3917,6 +4077,7 @@ Officer (ISSO). ``` New: ``` + The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). ``` @@ -3924,6 +4085,7 @@ The executable search path (typically the PATH environment variable) contains a SV-230318: Old: ``` + If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. @@ -3937,6 +4099,7 @@ global read/write access. ``` New: ``` + If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. @@ -3946,6 +4109,7 @@ The only authorized public directories are those temporary directories supplied SV-230319: Old: ``` + If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. 
@@ -3959,6 +4123,7 @@ global read/write access. ``` New: ``` + If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. @@ -3968,12 +4133,14 @@ The only authorized public directories are those temporary directories supplied SV-230320: Old: ``` + If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. ``` New: ``` + If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. ``` @@ -3981,12 +4148,14 @@ If local interactive users are not assigned a valid home directory, there is no SV-230321: Old: ``` + Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. ``` New: ``` + Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. ``` @@ -3994,6 +4163,7 @@ Excessive permissions on local interactive user home directories may allow unaut SV-230322: Old: ``` + If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group 
@@ -4002,6 +4172,7 @@ may not be able to access files that they legitimately should. ``` New: ``` + If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should. ``` @@ -4009,6 +4180,7 @@ If the Group Identifier (GID) of a local interactive user’s home directory is SV-230323: Old: ``` + If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon. This could create a denial of service because the @@ -4018,6 +4190,7 @@ give them visibility to system files they normally would not be able to access. ``` New: ``` + If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon. This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. ``` @@ -4025,12 +4198,14 @@ If a local interactive user has a home directory defined that does not exist, th SV-230324: Old: ``` + If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. ``` New: ``` + If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. ``` @@ -4038,6 +4213,7 @@ If local interactive users are not assigned a valid home directory, there is no SV-230325: Old: ``` + Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. 
@@ -4045,6 +4221,7 @@ accounts upon logon. ``` New: ``` + Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. ``` @@ -4052,6 +4229,7 @@ Local initialization files are used to configure the user's shell environment up SV-230326: Old: ``` + Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files. @@ -4059,6 +4237,7 @@ files. ``` New: ``` + Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files. ``` @@ -4066,6 +4245,7 @@ Unowned files and directories may be unintentionally inherited if a user is assi SV-230327: Old: ``` + Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner. @@ -4073,6 +4253,7 @@ without a valid group owner. ``` New: ``` + Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner. ``` @@ -4080,12 +4261,14 @@ Files without a valid group owner may be unintentionally inherited if a group is SV-230328: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` 
@@ -4093,12 +4276,14 @@ The use of separate file systems for different paths can protect the system from SV-230329: Old: ``` + Failure to restrict system access to authenticated users negatively impacts operating system security. ``` New: ``` + Failure to restrict system access to authenticated users negatively impacts operating system security. ``` @@ -4106,12 +4291,14 @@ Failure to restrict system access to authenticated users negatively impacts oper SV-230330: Old: ``` + SSH environment options potentially allow users to bypass access restriction in some configurations. ``` New: ``` + SSH environment options potentially allow users to bypass access restriction in some configurations. ``` @@ -4119,6 +4306,7 @@ SSH environment options potentially allow users to bypass access restriction in SV-230331: Old: ``` + If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set @@ -4138,6 +4326,7 @@ exceed access control policy requirements. ``` New: ``` + If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. @@ -4151,6 +4340,7 @@ To address access requirements, many RHEL 8 operating systems may be integrated SV-230332: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4167,19 +4357,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230333: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4198,19 +4388,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230334: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4227,19 +4417,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230335: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4258,19 +4448,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230336: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4287,19 +4477,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230337: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4318,19 +4508,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230338: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4347,19 +4537,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230339: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4378,19 +4568,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230340: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4407,19 +4597,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230341: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4438,19 +4628,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230342: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4473,6 +4663,7 @@ etc.) users to allow the centralized platform to solely manage user lockout. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. 
@@ -4481,13 +4672,12 @@ From "Pam_Faillock" man pages: Note that the default directory that "pam_failloc In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - - ``` --- SV-230343: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4506,19 +4696,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230344: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4541,6 +4731,7 @@ etc.) users to allow the centralized platform to solely manage user lockout. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. @@ -4549,13 +4740,12 @@ From "Pam_Faillock" man pages: Note that the default directory that "pam_failloc In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - - ``` --- SV-230345: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4574,19 +4764,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230346: Old: ``` + Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks @@ -4600,6 +4790,7 @@ based on mission needs and the operational environment for each system. ``` New: ``` + Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. 
@@ -4609,6 +4800,7 @@ This requirement addresses concurrent sessions for information system accounts a SV-230347: Old: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -4623,19 +4815,19 @@ No other activity aside from reauthentication must unlock the system. ``` New: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. - - ``` --- SV-230351: Old: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. 
@@ -4649,17 +4841,17 @@ A session lock is a temporary action taken when a user stops work and ``` New: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - - ``` --- SV-230352: Old: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -4673,17 +4865,17 @@ necessary to temporarily vacate the immediate physical vicinity. ``` New: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - - ``` --- SV-230354: Old: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
@@ -4704,6 +4896,7 @@ a protected baseline. ``` New: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. @@ -4712,13 +4905,12 @@ Implementing session settings will have little value if a user is able to manipu Locking these settings from non-privileged users is crucial to maintaining a protected baseline. - - ``` --- SV-230355: Old: ``` + Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. @@ -4732,6 +4924,7 @@ local system mapping, where the system is not part of a domain. ``` New: ``` + Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain. 
@@ -4741,6 +4934,7 @@ There are various methods of mapping certificates to user/group accounts for RHE SV-230357: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4759,6 +4953,7 @@ Note that in order to require uppercase characters, without degrading the ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -4770,6 +4965,7 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th SV-230358: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4788,6 +4984,7 @@ Note that in order to require lower-case characters without degrading the ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -4799,6 +4996,7 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th SV-230359: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4817,6 +5015,7 @@ the minlen value, the credit value must be expressed as a negative number in ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -4828,6 +5027,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note SV-230360: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4845,6 +5045,7 @@ same consecutive characters in the same class in the new password. ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -4856,6 +5057,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " SV-230361: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4873,6 +5075,7 @@ consecutive characters in a new password. ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -4884,6 +5087,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " SV-230362: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4901,6 +5105,7 @@ of characters for the new password (digits, uppercase, lowercase, others). ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -4912,6 +5117,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " SV-230363: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4929,6 +5135,7 @@ that must not be present in the old password. ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -4940,6 +5147,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " SV-230364: Old: ``` + Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their @@ -4949,6 +5157,7 @@ defeat the organization's policy regarding password reuse. ``` New: ``` + Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. ``` 
@@ -4956,6 +5165,7 @@ Enforcing a minimum password lifetime helps to prevent repeated password changes SV-230365: Old: ``` + Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their @@ -4965,6 +5175,7 @@ defeat the organization's policy regarding password reuse. ``` New: ``` + Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. ``` @@ -4972,6 +5183,7 @@ Enforcing a minimum password lifetime helps to prevent repeated password changes SV-230366: Old: ``` + Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is @@ -4980,6 +5192,7 @@ the risk that RHEL 8 passwords could be compromised. ``` New: ``` + Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. ``` @@ -4987,6 +5200,7 @@ Any password, no matter how complex, can eventually be cracked. Therefore, passw SV-230367: Old: ``` + Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is 
@@ -4995,6 +5209,7 @@ the risk that RHEL 8 passwords could be compromised. ``` New: ``` + Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. ``` @@ -5002,6 +5217,7 @@ Any password, no matter how complex, can eventually be cracked. Therefore, passw SV-230369: Old: ``` + The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. @@ -5026,6 +5242,7 @@ components be required, they will not count towards the total "score" of ``` New: ``` + The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. @@ -5041,6 +5258,7 @@ The DoD minimum password requirement is 15 characters. SV-230370: Old: ``` + The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
@@ -5056,6 +5274,7 @@ password. ``` New: ``` + The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. @@ -5067,6 +5286,7 @@ The DoD minimum password requirement is 15 characters. SV-230371: Old: ``` + To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. @@ -5088,6 +5308,7 @@ accounts) or for detailed accountability of individual activity. ``` New: ``` + To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 
@@ -5096,13 +5317,12 @@ Interactive users include organizational employees or individuals the organizati 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. - - ``` --- SV-230372: Old: ``` + Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials @@ -5122,19 +5342,19 @@ client operating system handle the multifactor authentication correctly. ``` New: ``` + Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD CAC. There are various methods of implementing multifactor authentication for RHEL 8. Some methods include a local system multifactor account mapping or joining the system to a domain and utilizing a Red Hat idM server or Microsoft Windows Active Directory server. Any of these methods will require that the client operating system handle the multifactor authentication correctly. - - ``` --- SV-230373: Old: ``` + Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if 
@@ -5146,6 +5366,7 @@ Inactive identifiers pose a risk to systems and applications because ``` New: ``` + Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity. @@ -5155,6 +5376,7 @@ RHEL 8 needs to track periods of inactivity and disable application identifiers SV-230374: Old: ``` + Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account @@ -5181,6 +5403,7 @@ Temporary accounts are privileged or nonprivileged accounts that are ``` New: ``` + Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. 
@@ -5192,6 +5415,7 @@ The automatic expiration of temporary accounts may be extended as needed by the SV-230375: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -5210,6 +5434,7 @@ complexity. Note that to require special characters without degrading the ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -5221,6 +5446,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note SV-230376: Old: ``` + If cached authentication information is out-of-date, the validity of the authentication information may be questionable. @@ -5231,6 +5457,7 @@ default sssd does not cache credentials. ``` New: ``` + If cached authentication information is out-of-date, the validity of the authentication information may be questionable. RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials. @@ -5240,6 +5467,7 @@ RHEL 8 includes multiple options for configuring authentication, but this requir SV-230377: Old: ``` + If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. 
@@ -5247,6 +5475,7 @@ opportunity for successful guesses, and brute-force attacks. ``` New: ``` + If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. ``` @@ -5254,6 +5483,7 @@ If RHEL 8 allows the user to select passwords based on dictionary words, this in SV-230378: Old: ``` + Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD @@ -5272,6 +5502,7 @@ functions, ports, protocols, services, and remote connections. ``` New: ``` + Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. @@ -5281,6 +5512,7 @@ Configuration settings are the set of parameters that can be changed in hardware SV-230379: Old: ``` + Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for 
@@ -5289,6 +5521,7 @@ applications not installed on the system. ``` New: ``` + Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. ``` @@ -5296,6 +5529,7 @@ Accounts providing no operational purpose provide additional opportunities for s SV-230380: Old: ``` + If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. @@ -5303,6 +5537,7 @@ should never be used in operational environments. ``` New: ``` + If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. ``` @@ -5310,12 +5545,14 @@ If an account has an empty password, anyone could log on and run commands with t SV-230381: Old: ``` + Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. ``` New: ``` + Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. ``` @@ -5323,6 +5560,7 @@ Providing users with feedback on when account accesses last occurred facilitates SV-230382: Old: ``` + Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use. @@ -5330,6 +5568,7 @@ use. ``` New: ``` + Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use. ``` 
@@ -5337,12 +5576,14 @@ Providing users with feedback on when account accesses via SSH last occurred fac SV-230383: Old: ``` + Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. ``` New: ``` + Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. ``` @@ -5350,6 +5591,7 @@ Setting the most restrictive default permissions ensures that when new accounts SV-230384: Old: ``` + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing @@ -5360,6 +5602,7 @@ interactive user defaults for each account on the system. ``` New: ``` + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. ``` @@ -5367,6 +5610,7 @@ The umask controls the default access mode assigned to newly created files. A um SV-230385: Old: ``` + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing 
@@ -5377,6 +5621,7 @@ interactive user defaults for each account on the system. ``` New: ``` + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. ``` @@ -5384,6 +5629,7 @@ The umask controls the default access mode assigned to newly created files. A um SV-230386: Old: ``` + Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern 
@@ -5394,15 +5640,15 @@ from insider threats and the advanced persistent threat. ``` New: ``` -Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. - +Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. ``` --- SV-230387: Old: ``` + Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. @@ -5410,6 +5656,7 @@ the cron facility by unauthorized and malicious users. ``` New: ``` + Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. ``` @@ -5417,6 +5664,7 @@ Cron logging can be used to trace the successful or unsuccessful execution of cr SV-230388: Old: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of 
@@ -5434,6 +5682,7 @@ storage repositories combined), or both. ``` New: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. @@ -5445,6 +5694,7 @@ This requirement applies to each audit data storage repository (i.e., distinct i SV-230389: Old: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of @@ -5462,6 +5712,7 @@ storage repositories combined), or both. ``` New: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. @@ -5473,6 +5724,7 @@ This requirement applies to each audit data storage repository (i.e., distinct i SV-230390: Old: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of 
@@ -5490,6 +5742,7 @@ storage repositories combined), or both. ``` New: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. @@ -5501,6 +5754,7 @@ This requirement applies to each audit data storage repository (i.e., distinct i SV-230392: Old: ``` + It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing @@ -5525,9 +5779,10 @@ audit data with the collection server. ``` New: ``` + It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. -When availability is an overriding concern, other approved actions in response to an audit failure are as follows: +When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. 
@@ -5538,6 +5793,7 @@ When availability is an overriding concern, other approved actions in response t SV-230393: Old: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or @@ -5551,6 +5807,7 @@ filenames involved, and access control or flow control rules invoked. ``` New: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. @@ -5560,6 +5817,7 @@ Audit record content that may be necessary to satisfy this requirement includes, SV-230394: Old: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or @@ -5581,6 +5839,7 @@ correct system. ``` New: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. 
@@ -5594,6 +5853,7 @@ When audit logs are not labeled before they are sent to a central log server, th SV-230395: Old: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or @@ -5611,6 +5871,7 @@ more difficult. ``` New: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. @@ -5622,6 +5883,7 @@ Enriched logging aids in making sense of who, what, and when events occur on a s SV-230396: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally 
@@ -5637,17 +5899,17 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - ``` --- SV-230397: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally @@ -5663,17 +5925,17 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - ``` --- SV-230398: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. 
@@ -5683,17 +5945,17 @@ settings, audit reports) needed to successfully audit RHEL 8 activity. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - - ``` --- SV-230399: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -5703,17 +5965,17 @@ settings, audit reports) needed to successfully audit RHEL 8 activity. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - - ``` --- SV-230400: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -5723,17 +5985,17 @@ settings, audit reports) needed to successfully audit RHEL 8 activity. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - - ``` --- SV-230401: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. 
@@ -5743,17 +6005,17 @@ settings, audit reports) needed to successfully audit RHEL 8 system activity. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. - - ``` --- SV-230402: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -5768,19 +6030,19 @@ then investigate the unauthorized changes. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. - - ``` --- SV-230403: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. 
@@ -5795,19 +6057,19 @@ then investigate the unauthorized changes. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. - - ``` --- SV-230404: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those @@ -5819,17 +6081,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230405: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -5841,17 +6103,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230406: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those @@ -5863,17 +6125,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230407: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -5885,17 +6147,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230408: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those @@ -5907,17 +6169,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230409: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -5929,17 +6191,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230410: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those @@ -5951,17 +6213,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230411: Old: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or 
@@ -5979,19 +6241,19 @@ capacity thresholds, or identifying an improperly configured RHEL 8 system. ``` New: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. - - ``` --- SV-230412: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6010,19 +6272,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "su" command allows a user to run commands with a substitute user and group ID. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230413: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -6041,9 +6303,10 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -Audit records can be generated from various components within the information system (e.g., module or policy filter). +Audit records can be generated from various components within the information system (e.g., module or policy filter). "Setxattr" is a system call used to set an extended attribute value. "Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. @@ -6056,13 +6319,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230418: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6081,19 +6343,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230419: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6112,19 +6374,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chcon" command is used to change file SELinux security context. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230421: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6143,19 +6405,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230422: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6174,19 +6436,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "passwd" command is used to change passwords for user accounts. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230423: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6205,19 +6467,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230424: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6236,19 +6498,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "umount" command is used to unmount a filesystem. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230425: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6267,19 +6529,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230426: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6299,19 +6561,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. "Unix_update" is a helper program for the "pam_unix" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230427: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6330,19 +6592,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postdrop" command creates a file in the maildrop directory and copies its standard input to the file. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230428: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6361,19 +6623,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postqueue" command implements the Postfix user interface for queue management. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230429: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6392,19 +6654,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230430: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6425,19 +6687,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling). When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230431: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6460,19 +6722,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "userhelper" command is not intended to be run interactively. "Userhelper" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230432: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6491,19 +6753,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux boolean or a list of booleans to a given value. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230433: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6524,19 +6786,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "unix_chkpwd" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230434: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6555,19 +6817,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230435: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6586,19 +6848,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "setfacl" command is used to set file access control lists. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230436: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6617,19 +6879,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "pam_timestamp_check" command is used to check if the default timestamp is valid. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230437: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6648,19 +6910,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "newgrp" command is used to change the current group ID during a login session. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230438: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. @@ -6672,6 +6934,7 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. 
@@ -6680,13 +6943,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230439: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. @@ -6703,6 +6965,7 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. 
@@ -6716,13 +6979,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230444: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those @@ -6742,19 +7004,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230446: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6773,19 +7035,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230447: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6806,19 +7068,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "crontab" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230448: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6837,19 +7099,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chsh" command is used to change the login shell. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230449: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. 
@@ -6866,9 +7128,10 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. The "creat" system call is used to open and possibly create a file or device. The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". @@ -6879,13 +7142,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230455: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. 
@@ -6901,6 +7163,7 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. @@ -6913,13 +7176,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230456: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. 
@@ -6934,6 +7196,7 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. @@ -6945,13 +7208,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230462: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6971,19 +7233,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230463: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -7003,19 +7265,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "usermod" command modifies the system account files to reflect the changes that are specified on the command line. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230464: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -7034,19 +7296,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230465: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7079,6 +7341,7 @@ all direct access to the information system; ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "kmod" command is used to control Linux Kernel modules. 
@@ -7091,17 +7354,16 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - - ``` --- SV-230466: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7138,6 +7400,7 @@ directory must be set with the "dir" option. ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -7156,13 +7419,12 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record From "Pam_Faillock man" pages: Note the default directory that pam_faillock uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230467: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -7194,6 +7456,7 @@ all direct access to the information system; ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -7206,17 +7469,16 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - - ``` --- SV-230468: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7253,6 +7515,7 @@ all direct access to the information system; ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. 
@@ -7267,17 +7530,16 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - - ``` --- SV-230469: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7297,6 +7559,7 @@ system is susceptible to boot failures and crashes. ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. @@ -7310,6 +7573,7 @@ Allocating an audit_backlog_limit of sufficient size is critical in maintaining SV-230470: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -7346,6 +7610,7 @@ all direct access to the information system; ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. @@ -7360,17 +7625,16 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - - ``` --- SV-230471: Old: ``` + Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's @@ -7381,6 +7645,7 @@ to an incident or identify those responsible for one. ``` New: ``` + Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ``` 
@@ -7388,6 +7653,7 @@ Without the capability to restrict the roles and individuals that can select whi SV-230472: Old: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. @@ -7405,6 +7671,7 @@ generators. ``` New: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. @@ -7416,6 +7683,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud SV-230473: Old: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -7433,19 +7701,19 @@ generators. ``` New: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - - ``` --- SV-230474: Old: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -7463,19 +7731,19 @@ generators. ``` New: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - - ``` --- SV-230475: Old: ``` + Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and @@ -7497,6 +7765,7 @@ manipulated, or replaced. An example is a checksum hash of the file or files. ``` New: ``` + Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. @@ -7510,6 +7779,7 @@ To address this risk, audit tools must be cryptographically signed to provide th SV-230476: Old: ``` + To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. 
@@ -7520,6 +7790,7 @@ during initial installation of RHEL 8. ``` New: ``` + To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8. @@ -7529,6 +7800,7 @@ The task of allocating audit record storage capacity is usually performed during SV-230477: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7556,6 +7828,7 @@ currently available only as part of the rsyslogd 3.15.0 and above. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -7574,6 +7847,7 @@ Note that a port number was given as there is no standard port for RELP. SV-230478: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7601,6 +7875,7 @@ currently available only as part of the rsyslogd 3.15.0 and above. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -7619,6 +7894,7 @@ Note that a port number was given as there is no standard port for RELP. SV-230479: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7646,6 +7922,7 @@ currently available only as part of the rsyslogd 3.15.0 and above. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. 
@@ -7659,13 +7936,12 @@ TCP *.* @@remotesystemname RELP *.* :omrelp:remotesystemname:2514 Note that a port number was given as there is no standard port for RELP. - - ``` --- SV-230480: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7682,19 +7958,19 @@ securely encrypt and off-load auditing. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - - ``` --- SV-230481: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7711,19 +7987,19 @@ securely encrypt and off-load auditing. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - - ``` --- SV-230482: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
@@ -7746,6 +8022,7 @@ securely encrypt and off-load auditing. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -7758,13 +8035,12 @@ x509/fingerprint - certificate fingerprint authentication x509/certvalid - certificate validation only x509/name - certificate validation and subject name authentication. - - ``` --- SV-230483: Old: ``` + If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. @@ -7772,6 +8048,7 @@ If security personnel are not notified immediately when storage volume ``` New: ``` + If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. ``` @@ -7779,6 +8056,7 @@ If security personnel are not notified immediately when storage volume reaches 7 SV-230484: Old: ``` + Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and 
@@ -7807,11 +8085,12 @@ local time, UTC, and the offset from UTC. Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit -https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information. + for more information. ``` New: ``` + Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. @@ -7824,15 +8103,14 @@ Time stamps generated by the operating system include date and time. Time is com RHEL 8 utilizes the "timedatectl" command to view the status of the "systemd-timesyncd.service". The "timedatectl" status will display the local time, UTC, and the offset from UTC. -Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information. - - +Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit for more information. ``` --- SV-230487: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -7863,6 +8141,7 @@ password could be compromised. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -7880,6 +8159,7 @@ If a privileged user were to log on using this service, the privileged user pass SV-230488: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -7903,6 +8183,7 @@ disabled is to not have the capability installed. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -7916,6 +8197,7 @@ Verify the operating system is configured to disable non-essential capabilities. SV-230489: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -7939,6 +8221,7 @@ disabled is to not have the capability installed. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -7952,6 +8235,7 @@ Verify the operating system is configured to disable non-essential capabilities. SV-230491: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -7979,6 +8263,7 @@ address space layout randomization (KASLR). ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -7994,6 +8279,7 @@ Kernel page-table isolation is a kernel feature that mitigates the Meltdown secu SV-230492: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -8015,6 +8301,7 @@ password could be compromised. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -8023,13 +8310,12 @@ The rsh-server service provides an unencrypted remote access service that does n If a privileged user were to log on using this service, the privileged user password could be compromised. - - ``` --- SV-230493: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -8045,17 +8331,17 @@ disconnect activity without having to go through complex and tedious procedures. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures. - - ``` --- SV-230494: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -8072,6 +8358,7 @@ implementation. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. @@ -8083,6 +8370,7 @@ The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data li SV-230495: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -8099,6 +8387,7 @@ exploitation of any flaws in its implementation. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. @@ -8110,6 +8399,7 @@ The Controller Area Network (CAN) is a serial communications protocol, which was SV-230496: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -8126,6 +8416,7 @@ system against exploitation of any flaws in its implementation. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. @@ -8137,6 +8428,7 @@ The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, d SV-230497: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -8152,6 +8444,7 @@ system against exploitation of any flaws in its implementation. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. @@ -8163,6 +8456,7 @@ The Transparent Inter-Process Communication (TIPC) protocol is designed to provi SV-230498: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -8179,6 +8473,7 @@ and small-footprint systems. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Removing support for unneeded filesystem types reduces the local attack surface of the server. @@ -8190,6 +8485,7 @@ Compressed ROM/RAM file system (or cramfs) is a read-only file system designed f SV-230499: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -8203,6 +8499,7 @@ any flaws in its implementation. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation. @@ -8212,6 +8509,7 @@ The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time commu SV-230500: Old: ``` + To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary @@ -8233,6 +8531,7 @@ business or to address authorized quality-of-life issues. ``` New: ``` + To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. 
@@ -8244,12 +8543,14 @@ To support the requirements and principles of least functionality, the operating SV-230502: Old: ``` + Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. ``` New: ``` + Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. ``` @@ -8257,21 +8558,22 @@ Automatically mounting file systems permits easy introduction of unknown devices SV-230503: Old: ``` + USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. ``` New: ``` -USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. - +USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. ``` --- SV-230504: Old: ``` + Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. @@ -8285,6 +8587,7 @@ configuration file or is related to an outgoing network connection. ``` New: ``` + Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. 
@@ -8294,6 +8597,7 @@ RHEL 8 incorporates the "firewalld" daemon, which allows for many different conf SV-230505: Old: ``` + "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. @@ -8316,6 +8620,7 @@ notebook computers, smartphones, and tablets). ``` New: ``` + "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. @@ -8329,6 +8634,7 @@ RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if SV-230506: Old: ``` + Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to 
@@ -8358,19 +8664,19 @@ encryption of the data may not be required. ``` New: ``` + Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. - - ``` --- SV-230507: Old: ``` + Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to 
@@ -8400,6 +8706,7 @@ encryption of the data may not be required. ``` New: ``` + Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. @@ -8411,6 +8718,7 @@ Protecting the confidentiality and integrity of communications with wireless per SV-230508: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -8436,6 +8744,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8449,6 +8758,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230509: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8472,6 +8782,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -8483,6 +8794,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230510: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8508,6 +8820,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8521,6 +8834,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230511: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -8546,6 +8860,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8559,6 +8874,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230512: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8582,6 +8898,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -8593,6 +8910,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230513: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8618,6 +8936,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8631,6 +8950,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230514: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -8656,6 +8976,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8669,6 +8990,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230515: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8694,6 +9016,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -8707,6 +9030,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230516: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8732,6 +9056,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8745,6 +9070,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230517: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -8770,6 +9096,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8783,6 +9110,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230518: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8808,6 +9136,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -8821,6 +9150,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230519: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8846,6 +9176,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8859,6 +9190,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230520: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -8884,6 +9216,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8897,6 +9230,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230521: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8922,6 +9256,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -8935,6 +9270,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230522: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8960,6 +9296,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8973,6 +9310,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230523: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -9000,6 +9338,7 @@ not namespace aware and can cause issues when launching or running containers. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. @@ -9010,13 +9349,12 @@ RHEL 8 ships with many optional packages. One such package is a file access poli Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - - ``` --- SV-230524: Old: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. @@ -9039,6 +9377,7 @@ devices. ``` New: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. @@ -9052,6 +9391,7 @@ The System Administrator (SA) must work with the site Information System Securit SV-230525: Old: ``` + DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. 
@@ -9072,6 +9412,7 @@ mitigate DoS attacks. ``` New: ``` + DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. @@ -9083,6 +9424,7 @@ Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend supp SV-230526: Old: ``` + Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
@@ -9103,19 +9445,19 @@ not have to be employed, and vice versa. ``` New: ``` -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
``` --- SV-230527: Old: ``` + Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
@@ -9139,21 +9481,21 @@ compromised. ``` New: ``` -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Session key regeneration limits the chances of a session key becoming compromised. - - ``` --- SV-230529: Old: ``` + A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of 
@@ -9164,6 +9506,7 @@ reduced because the user will be prompted before any action is taken. ``` New: ``` + A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. ``` @@ -9171,6 +9514,7 @@ A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can r SV-230530: Old: ``` + A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of @@ -9181,6 +9525,7 @@ reduced because the user will be prompted before any action is taken. ``` New: ``` + A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. ``` @@ -9188,6 +9533,7 @@ A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can SV-230531: Old: ``` + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of 
@@ -9198,6 +9544,7 @@ reduced because the user will be prompted before any action is taken. ``` New: ``` + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. ``` @@ -9205,6 +9552,7 @@ A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reb SV-230532: Old: ``` + The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of @@ -9216,6 +9564,7 @@ access when the system is rebooted. ``` New: ``` + The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. ``` @@ -9223,6 +9572,7 @@ The debug-shell requires no authentication and provides root privileges to anyon SV-230533: Old: ``` + If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and 
@@ -9231,6 +9581,7 @@ have access control rules established. ``` New: ``` + If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established. ``` @@ -9238,6 +9589,7 @@ If TFTP is required for operational support (such as the transmission of router SV-230534: Old: ``` + If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an @@ -9247,6 +9599,7 @@ account. ``` New: ``` + If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account. ``` @@ -9254,6 +9607,7 @@ If an account other than root also has a User Identifier (UID) of "0", it has ro SV-230550: Old: ``` + If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. @@ -9261,6 +9615,7 @@ unauthorized activity. ``` New: ``` + If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. ``` @@ -9268,6 +9623,7 @@ If unrestricted mail relaying is permitted, unauthorized senders could use this SV-230551: Old: ``` + Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. 
@@ -9277,6 +9633,7 @@ Intrusion Detection Environment (AIDE). ``` New: ``` + Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). @@ -9286,6 +9643,7 @@ RHEL 8 installation media come with a file integrity tool, Advanced Intrusion De SV-230552: Old: ``` + ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. @@ -9295,6 +9653,7 @@ Intrusion Detection Environment (AIDE). ``` New: ``` + ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). @@ -9304,6 +9663,7 @@ RHEL 8 installation media come with a file integrity tool, Advanced Intrusion De SV-230553: Old: ``` + Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and @@ -9312,6 +9672,7 @@ must not be used, unless approved and documented. ``` New: ``` + Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. ``` @@ -9319,6 +9680,7 @@ Internet services that are not required for system or application processes must SV-230554: Old: ``` + Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, 
@@ -9331,6 +9693,7 @@ Officer (ISSO) and restricted to only authorized personnel. ``` New: ``` + Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel. @@ -9340,6 +9703,7 @@ If the system is being used to perform a network troubleshooting function, the u SV-230555: Old: ``` + The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to @@ -9358,6 +9722,7 @@ should be disabled or restricted as appropriate to the system’s needs. ``` New: ``` + The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. 
@@ -9369,6 +9734,7 @@ If X11 services are not required for the system's intended function, they should SV-230556: Old: ``` + When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server @@ -9379,6 +9745,7 @@ display. ``` New: ``` + When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. ``` @@ -9386,12 +9753,14 @@ When X11 forwarding is enabled, there may be additional exposure to the server a SV-230557: Old: ``` + Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. ``` New: ``` + Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. ``` @@ -9399,6 +9768,7 @@ Restricting TFTP to a specific directory prevents remote users from copying, tra SV-230558: Old: ``` + The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged @@ -9408,6 +9778,7 @@ methods must be used in place of this service. ``` New: ``` + The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. ``` 
@@ -9415,6 +9786,7 @@ The FTP service provides an unencrypted remote access that does not provide for SV-230559: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -9432,6 +9804,7 @@ expose secrets on some networks. It is not needed for normal function of the OS. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -9443,6 +9816,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose SV-230560: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -9460,6 +9834,7 @@ SCSI devices supported by the ipr SCSI storage device driver. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -9471,6 +9846,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI SV-230561: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -9491,6 +9867,7 @@ is not needed for normal OS operations. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -9502,6 +9879,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. SV-237640: Old: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
@@ -9519,6 +9897,7 @@ general-purpose computing system. ``` New: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. @@ -9532,6 +9911,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-237641: Old: ``` + The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the @@ -9541,6 +9921,7 @@ can initiate privileged actions on the target system. ``` New: ``` + The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. ``` @@ -9548,6 +9929,7 @@ The sudo command allows a user to execute programs with elevated (administrator) SV-237642: Old: ``` + The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw 
@@ -9559,7 +9941,8 @@ sudoers(5) manual page. ``` New: ``` -The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. + +The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. For more information on each of the listed configurations, reference the sudoers(5) manual page. ``` @@ -9567,6 +9950,7 @@ For more information on each of the listed configurations, reference the sudoers SV-237643: Old: ``` + Without re-authentication, users may access resources or perform tasks for which they do not have authorization. @@ -9581,7 +9965,8 @@ until the user's session is terminated. ``` New: ``` -Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. @@ -9592,6 +9977,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex SV-244519: Old: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, 
@@ -9603,17 +9989,17 @@ with human users and are not required when such human interfaces do not exist. ``` New: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - - ``` --- SV-244523: Old: ``` + If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. @@ -9621,6 +10007,7 @@ mode is granted privileged access to all files on the system. ``` New: ``` + If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. ``` @@ -9628,6 +10015,7 @@ If the system does not require valid root authentication before it boots into em SV-244524: Old: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
@@ -9643,9 +10031,10 @@ general-purpose computing system. ``` New: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. @@ -9654,6 +10043,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-244525: Old: ``` + Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. 
@@ -9663,19 +10053,19 @@ RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_ ``` New: ``` + Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - - ``` --- SV-244526: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
@@ -9697,6 +10087,7 @@ can be viewed in the /etc/crypto-policies/back-ends/ directory. ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. @@ -9705,13 +10096,12 @@ Cryptographic mechanisms used for protecting the integrity of information includ RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. - - ``` --- SV-244527: Old: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability @@ -9726,6 +10116,7 @@ several security functions (i.e., ciphers). ``` New: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers). 
@@ -9735,6 +10126,7 @@ The rngd service feeds random data from hardware device to kernel random device. SV-244528: Old: ``` + Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. @@ -9742,6 +10134,7 @@ of misconfiguration elsewhere. ``` New: ``` + Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. ``` @@ -9749,12 +10142,14 @@ Configuring this setting for the SSH daemon provides additional assurance that r SV-244529: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` @@ -9762,6 +10157,7 @@ The use of separate file systems for different paths can protect the system from SV-244530: Old: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" @@ -9771,6 +10167,7 @@ for unprivileged users to attain unauthorized administrative access. ``` New: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` 
@@ -9778,12 +10175,14 @@ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" SV-244531: Old: ``` + Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. ``` New: ``` + Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. ``` @@ -9791,12 +10190,14 @@ Excessive permissions on local interactive user home directories may allow unaut SV-244532: Old: ``` + If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them. ``` New: ``` + If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them. ``` @@ -9804,6 +10205,7 @@ If a local interactive user's files are group-owned by a group of which the user SV-244533: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -9824,6 +10226,7 @@ modules which ask for the user credentials such as the password. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. 
@@ -9831,13 +10234,12 @@ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centraliz From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. - - ``` --- SV-244534: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -9858,6 +10260,7 @@ modules which ask for the user credentials such as the password. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. 
@@ -9865,13 +10268,12 @@ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centraliz From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. - - ``` --- SV-244535: Old: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. @@ -9885,17 +10287,17 @@ determined and/or controlled. ``` New: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. - - ``` --- SV-244536: Old: ``` + Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. @@ -9903,6 +10305,7 @@ without authenticated access to the system. ``` New: ``` + Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. ``` 
@@ -9910,6 +10313,7 @@ Leaving the user list enabled is a security risk since it allows anyone with phy SV-244538: Old: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. @@ -9930,6 +10334,7 @@ a protected baseline. ``` New: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. @@ -9938,13 +10343,12 @@ Implementing session settings will have little value if a user is able to manipu Locking these settings from non-privileged users is crucial to maintaining a protected baseline. - - ``` --- SV-244539: Old: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
@@ -9965,6 +10369,7 @@ a protected baseline. ``` New: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. @@ -9973,13 +10378,12 @@ Implementing session settings will have little value if a user is able to manipu Locking these settings from non-privileged users is crucial to maintaining a protected baseline. - - ``` --- SV-244541: Old: ``` + If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. @@ -9987,6 +10391,7 @@ should never be used in operational environments. ``` New: ``` + If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. ``` @@ -9994,6 +10399,7 @@ If an account has an empty password, anyone could log on and run commands with t SV-244542: Old: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or 
@@ -10011,19 +10417,19 @@ capacity thresholds, or identifying an improperly configured RHEL 8 system. ``` New: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. - - ``` --- SV-244543: Old: ``` + If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. @@ -10031,6 +10437,7 @@ storage capacity expansion. ``` New: ``` + If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. ``` @@ -10038,6 +10445,7 @@ If security personnel are not notified immediately when storage volume reaches 7 SV-244544: Old: ``` + "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. @@ -10059,6 +10467,7 @@ notebook computers, smartphones, and tablets). ``` New: ``` + "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. 
@@ -10071,6 +10480,7 @@ RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if SV-244545: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -10098,6 +10508,7 @@ not namespace aware and can cause issues when launching or running containers. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. @@ -10108,13 +10519,12 @@ RHEL 8 ships with many optional packages. One such package is a file access poli Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - - ``` --- SV-244546: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -10142,6 +10552,7 @@ not namespace aware and can cause issues when launching or running containers. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. @@ -10152,13 +10563,12 @@ RHEL 8 ships with many optional packages. One such package is a file access poli Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - - ``` --- SV-244547: Old: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, @@ -10179,6 +10589,7 @@ devices. ``` New: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
@@ -10190,6 +10601,7 @@ The System Administrator (SA) must work with the site Information System Securit SV-244548: Old: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. @@ -10212,6 +10624,7 @@ devices. ``` New: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. @@ -10225,6 +10638,7 @@ The System Administrator (SA) must work with the site Information System Securit SV-244549: Old: ``` + Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
@@ -10245,19 +10659,19 @@ not have to be employed, and vice versa. ``` New: ``` -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
``` --- SV-250315: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -10275,6 +10689,7 @@ By limiting the number of failed logon attempts, the risk of ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. @@ -10286,6 +10701,7 @@ SELinux, enforcing a targeted policy, will require any non-default tally directo SV-250316: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -10303,6 +10719,7 @@ By limiting the number of failed logon attempts, the risk of ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. 
@@ -10314,6 +10731,7 @@ SELinux, enforcing a targeted policy, will require any non-default tally directo SV-250317: Old: ``` + Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. @@ -10337,6 +10755,7 @@ Routing protocol daemons are typically used on routers to exchange network ``` New: ``` + Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. @@ -10352,6 +10771,7 @@ The sysctl --system command will load settings from all system configuration fil SV-251707: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
@@ -10366,6 +10786,7 @@ If RHEL 8 were to allow any user to make changes to software libraries, ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. 
@@ -10375,11 +10796,13 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-251708: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. 
@@ -10389,11 +10812,13 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-251709: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. @@ -10403,6 +10828,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-251710: Old: ``` + Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality 
@@ -10415,6 +10841,7 @@ Without verification of the security functions, security functions may not opera ``` New: ``` + Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality. @@ -10424,6 +10851,7 @@ This requirement applies to the RHEL 8 operating system performing security func SV-251711: Old: ``` + The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" 
@@ -10440,6 +10868,7 @@ The "sudo" command allows authorized users to run programs (including shells) as ``` New: ``` + The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. @@ -10449,6 +10878,7 @@ It is possible to include other sudoers files from within the sudoers file curre SV-251712: Old: ``` + Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. 
@@ -10456,17 +10886,17 @@ When operating systems provide the capability to escalate a functional capabilit ``` New: ``` -Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. ``` --- SV-254520: Old: ``` + Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. 
@@ -10474,10 +10904,11 @@ Privileged functions include, for example, establishing accounts, performing sys ``` New: ``` -Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - + +Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. ``` --- -
\ No newline at end of file + diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index ff2cd5283..d0a7f8b15 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -28,13 +28,13 @@ Details of the changes are provided afterwards as follows: 1. **addedControls**: The contents of each control that was added to the profile. 2. **changedControls**: The parts of each control that were modified or replaced during the command execution. -[Example delta.json file](../../assets/downloads/delta.json) +[Example delta.json file](/assets/downloads/delta.json) ### 5.1.3 Report Markdown File (.md) Specified by the report flag (`-r`), this generates a markdown formatted report containing the same information found in the delta.json file. -[Example Report Markdown File](../../assets/downloads/delta_report.md) +[Example Report Markdown File](/assets/downloads/delta_report.md) ## 5.2 Logging Capabilities of Update Controls From 496ef41debe8a2ecf13ce79f5549ea85c18a37a0 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 17:11:57 -0600 Subject: [PATCH 31/71] still playing with the downloads Signed-off-by: Aaron Lippold --- .../{delta_report.md => delta_report} | 0 src/public/CliProcessOutput.log | 1069 +++++++++++++++++ ...endor_STIG_Process_Guide_V4R1_20220815.pdf | Bin 0 -> 892101 bytes src/{assets/downloads => public}/delta.json | 0 .../delta_report.md => public/delta_report} | 999 ++++++++++----- 5 files changed, 1784 insertions(+), 284 deletions(-) rename src/.vuepress/public/assets/downloads/{delta_report.md => delta_report} (100%) create mode 100644 src/public/CliProcessOutput.log create mode 100644 src/public/U_Vendor_STIG_Process_Guide_V4R1_20220815.pdf rename src/{assets/downloads => public}/delta.json (100%) rename src/{assets/downloads/delta_report.md => public/delta_report} (99%) 
diff --git a/src/.vuepress/public/assets/downloads/delta_report.md b/src/.vuepress/public/assets/downloads/delta_report similarity index 100% rename from src/.vuepress/public/assets/downloads/delta_report.md rename to src/.vuepress/public/assets/downloads/delta_report diff --git a/src/public/CliProcessOutput.log b/src/public/CliProcessOutput.log new file mode 100644 index 000000000..6ae8e024f --- /dev/null +++ b/src/public/CliProcessOutput.log 
@@ -0,0 +1,1069 @@ +==================== Delta Process ===================== +Date: 2024-11-26T18:06:16.889Z +Process Flags =========================================== +logLevel=info +inspecJsonFile=d:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\profile_update4delta.json +xccdfXmlFile=d:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\xccdf\SQL_Server_16\U_MS_SQL_Server_2016_Database_V2R8_Manual_STIG\U_MS_SQL_Server_2016_Database_STIG_V2R8_Manual-xccdf.xml +deltaOutputDir=D:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\delta_controls +idType=rule +runMapControls=true +controlsDir=D:\2-SourceCode\InSpec\InSpec_Profiles\Profiles_Code\SQL\microsoft-sql-server-2014-database-stig-baseline\controls + + +Mapping controls (using fuzzy logic - lower value = best match) from the old profile to the new profile + +Mapping Process =========================================================================== + New XCCDF Control: SV-213900 +* No Mapping Provided * + +Processing New Control: SV-213901 + New Control Title: SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + Best Match Candidate: SV-213764 --> SV-213901 + Matching Score: 0.0508 + +Processing New Control: SV-213902 + New Control Title: SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. 
+ No Match Found for: SV-213774 --> SV-213902 + Matching Score: 0.83125 + +Processing New Control: SV-213903 + New Control Title: SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. + No Match Found for: SV-213774 --> SV-213903 + Matching Score: 0.7890625 + +Processing New Control: SV-213904 + New Control Title: SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. + No Match Found for: SV-213774 --> SV-213904 + Matching Score: 0.7890625 + +Processing New Control: SV-213905 + New Control Title: SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. + Old Control Title: Where SQL Server Audit is in use at the database level, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the database level. + Best Match Candidate: SV-213766 --> SV-213905 + Matching Score: 0.0131 + +Processing New Control: SV-213906 + New Control Title: SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + No Match Found for: SV-213770 --> SV-213906 + Matching Score: 0.59375 + +Processing New Control: SV-213907 + New Control Title: SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server. 
+ Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + No Match Found for: SV-213770 --> SV-213907 + Matching Score: 0.49395 + +Processing New Control: SV-213908 + New Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + Best Match Candidate: SV-213770 --> SV-213908 + Matching Score: 0.04478571428571428 + +Processing New Control: SV-213909 + New Control Title: The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. + No Match Found for: SV-213770 --> SV-213909 + Matching Score: 0.49609375 + +Processing New Control: SV-213910 + New Control Title: In the event of a system failure, hardware loss or disk failure, SQL Server must be able to restore necessary databases with least disruption to mission processes. + Old Control Title: In the event of a system failure, SQL Server must preserve any information necessary to return to operations with least disruption to mission processes. 
+ No Match Found for: SV-213773 --> SV-213910 + Matching Score: 0.6003999999999999 + +Processing New Control: SV-213911 + New Control Title: The Database Master Key encryption password must meet DOD password complexity requirements. + Old Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. + No Match Found for: SV-213779 --> SV-213911 + Matching Score: 0.7395833333333334 + +Processing New Control: SV-213912 + New Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. + Old Control Title: The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified. + Best Match Candidate: SV-213779 --> SV-213912 + Matching Score: 0.007050000000000001 + +Processing New Control: SV-213913 + New Control Title: The Certificate used for encryption must be backed up, stored offline and off-site. + Old Control Title: Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key. + No Match Found for: SV-213781 --> SV-213913 + Matching Score: 0.7708333333333334 + +Processing New Control: SV-213914 + New Control Title: SQL Server must isolate security functions from non-security functions. + Old Control Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data. + No Match Found for: SV-213774 --> SV-213914 + Matching Score: 0.78125 + +Processing New Control: SV-213915 + New Control Title: Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. + Old Control Title: Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. 
+ Best Match Candidate: SV-213775 --> SV-213915 + Matching Score: 0.0131 + +Processing New Control: SV-213916 + New Control Title: SQL Server must check the validity of all data inputs except those specifically identified by the organization. + Old Control Title: SQL Server must check the validity of all data inputs except those specifically identified by the organization. + Best Match Candidate: SV-213776 --> SV-213916 + Matching Score: 0.001 + +Processing New Control: SV-213917 + New Control Title: SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. + Old Control Title: The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. + Best Match Candidate: SV-213777 --> SV-213917 + Matching Score: 0.05291666666666667 + +Processing New Control: SV-213918 + New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. + Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage. + Best Match Candidate: SV-213784 --> SV-213918 + Matching Score: 0.0131 + +Processing New Control: SV-213919 + New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. + Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process. 
+ Best Match Candidate: SV-213785 --> SV-213919 + Matching Score: 0.0131 + +Processing New Control: SV-213920 + New Control Title: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. + Old Control Title: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission. + Best Match Candidate: SV-213786 --> SV-213920 + Matching Score: 0.0131 + +Processing New Control: SV-213921 + New Control Title: SQL Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects. + Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + No Match Found for: SV-213764 --> SV-213921 + Matching Score: 0.6171875 + +Processing New Control: SV-213922 + New Control Title: Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only. + Old Control Title: SQL Server must be monitored to discover unauthorized changes to stored procedures. + No Match Found for: SV-213769 --> SV-213922 + Matching Score: 0.8359375 + +Processing New Control: SV-213923 + New Control Title: SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. + Old Control Title: Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership. 
+ No Match Found for: SV-213770 --> SV-213923 + Matching Score: 0.8125 + +Processing New Control: SV-213924 + New Control Title: SQL Server must enforce access restrictions associated with changes to the configuration of the database(s). + Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + No Match Found for: SV-213764 --> SV-213924 + Matching Score: 0.796875 + +Processing New Control: SV-213926 + New Control Title: SQL Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. + Old Control Title: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. + Best Match Candidate: SV-213788 --> SV-213926 + Matching Score: 0.04334375 + +Processing New Control: SV-213927 + New Control Title: SQL Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components. + Old Control Title: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. + Duplicate Match: SV-213788 --> SV-213927 + Matching Score: 0.15120833333333333 + +Processing New Control: SV-251040 + New Control Title: SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements. 
+ Old Control Title: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies. + No Match Found for: SV-213764 --> SV-251040 + Matching Score: 0.6484375 + +Mapping Results =========================================================================== + Old Control -> New Control + SV-213764 -> SV-213901 + SV-213766 -> SV-213905 + SV-213770 -> SV-213908 + SV-213779 -> SV-213912 + SV-213775 -> SV-213915 + SV-213776 -> SV-213916 + SV-213777 -> SV-213917 + SV-213784 -> SV-213918 + SV-213785 -> SV-213919 + SV-213786 -> SV-213920 + SV-213788 -> SV-213926 +Total Mapped Controls: 11 + +Control Counts =========================== +Total Controls Available for Delta: 43 + Total Controls Found on XCCDF: 28 + +Match Statistics ========================= + Match Controls: 11 + Possible Mismatch Controls: 0 + Duplicate Match Controls: 1 + No Match Controls: 15 + New XCDDF Controls: 1 + +Statistics Validation ============================================= +Match + Mismatch = Total Mapped Controls: (11+0=11) true + Total Processed = Total XCCDF Controls: (11+0+1+15+1=28) true + + +Updating Controls =========================================================================== +Mapping (From --> To): SV-213764 --> SV-213901 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213764.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213764.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213764.rb to reference ID SV-213901 + New control name: SV-213901.rb + +Mapping (From --> To): SV-213766 --> SV-213905 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213766.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213766.rb + Mapped control file: 
\microsoft-sql-server-2014-database-stig-baseline\controls\SV-213766.rb to reference ID SV-213905 + New control name: SV-213905.rb + +Mapping (From --> To): SV-213770 --> SV-213908 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213770.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213770.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213770.rb to reference ID SV-213908 + New control name: SV-213908.rb + +Mapping (From --> To): SV-213779 --> SV-213912 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213779.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213779.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213779.rb to reference ID SV-213912 + New control name: SV-213912.rb + +Mapping (From --> To): SV-213775 --> SV-213915 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213775.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213775.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213775.rb to reference ID SV-213915 + New control name: SV-213915.rb + +Mapping (From --> To): SV-213776 --> SV-213916 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213776.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213776.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213776.rb to reference ID SV-213916 + New control name: SV-213916.rb + +Mapping (From --> To): SV-213777 --> SV-213917 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213777.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213777.rb + Mapped control file: 
\microsoft-sql-server-2014-database-stig-baseline\controls\SV-213777.rb to reference ID SV-213917 + New control name: SV-213917.rb + +Mapping (From --> To): SV-213784 --> SV-213918 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213784.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213784.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213784.rb to reference ID SV-213918 + New control name: SV-213918.rb + +Mapping (From --> To): SV-213785 --> SV-213919 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213785.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213785.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213785.rb to reference ID SV-213919 + New control name: SV-213919.rb + +Mapping (From --> To): SV-213786 --> SV-213920 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213786.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213786.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213786.rb to reference ID SV-213920 + New control name: SV-213920.rb + +Mapping (From --> To): SV-213788 --> SV-213926 + Processing control: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213788.rb + Processed control: \microsoft-sql-server-2014-database-stig-baseline\mapped_controls\SV-213788.rb + Mapped control file: \microsoft-sql-server-2014-database-stig-baseline\controls\SV-213788.rb to reference ID SV-213926 + New control name: SV-213926.rb + +Update Results =========================================================================== + +## Automatic Update: -> + +### New Controls: ++ SV-213900 - SQL Server databases must integrate with an organization-level authentication/access mechanism providing account 
management and automation for all users, groups, roles, and any other principals. ++ SV-213902 - SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. ++ SV-213903 - SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). ++ SV-213904 - SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. ++ SV-213906 - SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers. ++ SV-213907 - SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server. ++ SV-213909 - The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users. ++ SV-213910 - In the event of a system failure, hardware loss or disk failure, SQL Server must be able to restore necessary databases with least disruption to mission processes. ++ SV-213911 - The Database Master Key encryption password must meet DOD password complexity requirements. ++ SV-213913 - The Certificate used for encryption must be backed up, stored offline and off-site. ++ SV-213914 - SQL Server must isolate security functions from non-security functions. ++ SV-213921 - SQL Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects. ++ SV-213922 - Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only. ++ SV-213923 - SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) 
without explicit privileged status. ++ SV-213924 - SQL Server must enforce access restrictions associated with changes to the configuration of the database(s). ++ SV-213927 - SQL Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components. ++ SV-251040 - SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements. + + +### Updated Check/Fixes: +#### Checks: +
+ Click to expand. +SV-213901: +Old: +``` +Review the system documentation to determine the required levels of protection for securables in the database, by type of user. + +Review the permissions actually in place in the database. + +The database permission functions and views provided in the supplemental file Permissions.sql can help with this. + +If the actual permissions do not match the documented requirements, this is a finding. + +``` + +Updated: +``` +Review the system documentation to determine the required levels of protection for securables in the database, by type of user. + +If the database is tempdb, this is NA. + +Review the permissions actually in place in the database. + +If the actual permissions do not match the documented requirements, this is a finding. + +Use the supplemental file "Database permission assignments to users and roles.sql". + +``` +--- +SV-213905: +Old: +``` +If SQL Server Audit is not in use at the database level, this is not applicable (NA). + +Obtain the list of approved audit maintainers from the system documentation. + +Review the database roles and individual users that have the following permissions, both of which enable the ability to maintain audit definitions: +ALTER ANY DATABASE AUDIT +CONTROL ON DATABASE + +The functions and views provided in the supplemental file Permissions.sql can assist in this review. In the following, "STIG" stands for the schema where you have deployed these views and functions. 
To see which logins and server roles have been granted these permissions: + SELECT + * + FROM + STIG.database_permissions P + WHERE + (P.[Permission] = 'ALTER ANY DATABASE AUDIT') + OR + (P.[Permission] = 'CONTROL' AND P.[Securable Type or Class] = 'DATABASE') + ; + +To see what users and database roles inherit these permissions from the database roles reported by the previous query, repeat the following for each one: + SELECT * FROM STIG.members_of_database_role(); + +To see all the permissions in effect for a database principal (server role or login): + SELECT * FROM STIG.server_effective_permissions(); + +If designated personnel are not able to configure auditable events, this is a finding. + +If unapproved personnel are able to configure auditable events, this is a finding. + +``` + +Updated: +``` +Obtain the list of approved audit maintainers from the system documentation. + +Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications. + +SELECT + R.name AS role_name, + RM.name AS role_member_name, + RM.type_desc +FROM sys.database_principals R +JOIN sys.database_role_members DRM ON + R.principal_id = DRM.role_principal_id +JOIN sys.database_principals RM ON + DRM.member_principal_id = RM.principal_id +WHERE R.type = 'R' + AND R.name = 'db_owner' +ORDER BY + role_member_name + +If any role memberships are not documented and authorized, this is a finding. + + +Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions. 
+
+ALTER ANY DATABASE AUDIT
+CONTROL
+
+Use the following query to determine the roles and users that have the listed permissions:
+
+SELECT
+ PERM.permission_name,
+ DP.name AS principal_name,
+ DP.type_desc AS principal_type,
+ DBRM.role_member_name
+FROM sys.database_permissions PERM
+JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id
+LEFT OUTER JOIN (
+ SELECT
+ R.principal_id AS role_principal_id,
+ R.name AS role_name,
+ RM.name AS role_member_name
+ FROM sys.database_principals R
+ JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
+ JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
+ WHERE R.type = 'R'
+) DBRM ON DP.principal_id = DBRM.role_principal_id
+WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT')
+ORDER BY
+ permission_name,
+ principal_name,
+ role_member_name
+
+
+If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.
+
+```
+---
+SV-213908:
+Old:
+```
+Review system documentation to identify SQL Server accounts authorized to own database objects.
+
+If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.
+
+The view STIG.database_permissions, included in the supplemental file, Permissions.sql, can be of use in making this determination:
+USE ;
+GO
+SELECT DISTINCT
+ S.[Schema/Owner] AS [Owner],
+ O.[Schema/Owner] AS [Schema],
+ O.[Securable]
+FROM
+ STIG.database_permissions O
+ INNER JOIN STIG.database_permissions S
+ ON S.[Securable] = O.[Schema/Owner]
+ AND O.[Securable Type or Class] = 'OBJECT_OR_COLUMN'
+ AND S.[Securable Type or Class] = 'SCHEMA'
+WHERE
+ S.[Schema/Owner] NOT IN ('dbo', 'sys', 'INFORMATION_SCHEMA' ... )
+ -- Complete the "NOT IN" list with the names of user accounts authorized for ownership.
+;
+If any of the listed owners is not authorized, this is a finding.
+
+```
+
+Updated:
+```
+Review system documentation to identify SQL Server accounts authorized to own database objects.
+
+If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.
+
+The following query can be of use in making this determination:
+
+;with objects_cte as
+(SELECT o.name, o.type_desc,
+ CASE
+ WHEN o.principal_id is null then s.principal_id
+ ELSE o.principal_id
+ END as principal_id
+ FROM sys.objects o
+ INNER JOIN sys.schemas s
+ ON o.schema_id = s.schema_id
+ WHERE o.is_ms_shipped = 0
+)
+SELECT cte.name, cte.type_desc, dp.name as ObjectOwner
+FROM objects_cte cte
+INNER JOIN sys.database_principals dp
+ON cte.principal_id = dp.principal_id
+ORDER BY dp.name, cte.name
+
+If any of the listed owners is not authorized, this is a finding.
+
+```
+---
+SV-213915:
+Old:
+```
+Verify there are proper procedures in place for the transfer of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test and verify copies of production data are not left in unprotected locations.
+
+If there is no documented procedure for data movement from production to development/test, this is a finding.
+
+If data movement code that copies from production to development/test does exist and leaves any copies of production data in unprotected locations, this is a finding.
+
+```
+
+Updated:
+```
+Review the procedures for the refreshing of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose. Verify that copies of production data are not left in unprotected locations. If the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.
+
+```
+---
+SV-213918:
+Old:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding.
+
+```
+
+Updated:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in storage, this is a finding.
+
+```
+---
+SV-213919:
+Old:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in process, this is a finding.
+
+```
+
+Updated:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in process, this is a finding.
+
+```
+---
+SV-213920:
+Old:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in transmission, this is a finding.
+
+```
+
+Updated:
+```
+If security labeling is not required, this is not a finding.
+
+If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in transmission, this is a finding.
+
+```
+---
+SV-213926:
+Old:
+```
+Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
+
+If no information is identified as requiring such protection, this is not a finding.
+
+Review the configuration of SQL Server, Windows, and additional software as relevant.
+
+If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding.
+
+If database transparent data encryption (TDE) is called for, check whether it is enabled:
+In SQL Server Management Studio, Object Explorer, expand the instance and right-click on the database name; select properties. Select the Options page, State section, Encryption Enabled parameter.
+
+If the value displayed is False, this is a finding.
+
+If column encryption, done via SQL Server features, is required, review the definitions and contents of the relevant tables and columns.
+
+If any of the information defined as requiring cryptographic protection is not encrypted in a manner that provides the required level of protection, this is a finding.
+
+```
+
+Updated:
+```
+Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
+
+If no information is identified as requiring such protection, this is not a finding.
+
+Review the configuration of SQL Server, Windows, and additional software as relevant.
+
+If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding.
+
+If database transparent data encryption (TDE) is called for, check whether it is enabled:
+
+SELECT
+DB_NAME(database_id) AS [Database Name], CASE encryption_state WHEN 0 THEN 'No database encryption key present, no encryption'
+WHEN 1 THEN 'Unencrypted'
+WHEN 2 THEN 'Encryption in progress'
+WHEN 3 THEN 'Encrypted'
+WHEN 4 THEN 'Key change in progress'
+WHEN 5 THEN 'Decryption in progress'
+WHEN 6 THEN 'Protection change in progress'
+END AS [Encryption State]
+FROM sys.dm_database_encryption_keys
+
+For each user database for which encryption is called for and it is marked Unencrypted, this is a finding.
+
+If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx.
+
+Review the definitions and contents of the relevant tables/columns for the Always Encryption settings, if any of the information defined as requiring cryptographic protection is not encrypted this is a finding.
+
+```
+---
+
+
+#### Fixes:
+
+ Click to expand.
+SV-213905:
+Old:
+```
+Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions:
+USE ;
+GO
+CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
+GO
+GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
+GO
+(The role name used here is an example; other names may be used.)
+
+Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users.
+
+Then, for each authorized database user, run the statement:
+ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER ;
+GO
+
+Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.
+
+```
+New:
+```
+Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (The role name used here is an example; other names may be used.):
+
+CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
+GO
+
+GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
+GO
+
+Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement:
+
+ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER;
+GO
+
+Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.
+
+```
+---
+SV-213908:
+Old:
+```
+Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized.
+
+To change the schema owning a database object in SQL Server, use this code:
+USE ;
+GO
+ALTER SCHEMA TRANSFER .;
+GO
+
+Caution: this can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production.
Deploy during a scheduled maintenance window.
+
+```
+New:
+```
+Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized.
+
+To change the schema owning a database object in SQL Server, use this code as an example:
+
+USE AdventureWorks2012;
+GO
+ALTER SCHEMA HumanResources TRANSFER Person.Address;
+GO
+
+Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window.
+
+```
+---
+SV-213915:
+Old:
+```
+Create and document a process for moving data from production to development/test systems and follow the process.
+
+Modify any code used for moving data from production to development/test systems to ensure copies of production data are not left in unsecured locations.
+
+```
+New:
+```
+Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations.
+
+```
+---
+SV-213916:
+Old:
+```
+Use triggers, constraints, foreign keys, etc. to validate data input.
+
+Modify SQL Server to properly use the correct column data types as required in the database.
+
+```
+New:
+```
+Use parameterized queries, constraints, foreign keys, etc. to validate data input.
+
+Modify SQL Server to properly use the correct column data types as required in the database.
+
+```
+---
+SV-213917:
+Old:
+```
+Configure DBMS settings, custom database code, and associated application code not to divulge sensitive information or information useful for system identification in error messages that are displayed to general users.
+
+```
+New:
+```
+Adjust database code to remove any information not required for explaining the error to an end user.
+
+Consider enabling trace flag 3625 to mask certain system-level error information returned to non-administrative users.
+
+Launch SQL Server Configuration Manager >> Click SQL Services >> Open the instance properties >> Click the Service Parameters tab >> Enter "-T3625" >> Click Add >> Click OK >> Restart SQL instance.
+
+```
+---
+SV-213918:
+Old:
+```
+Develop SQL or application code or acquire a third party tool to perform data labeling.
+
+```
+New:
+```
+Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in storage.
+
+https://msdn.microsoft.com/en-us/library/dn765131.aspx
+
+```
+---
+SV-213919:
+Old:
+```
+Develop SQL or application code or acquire a third party tool to perform data labeling.
+
+```
+New:
+```
+Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in process.
+
+https://msdn.microsoft.com/en-us/library/dn765131.aspx
+
+```
+---
+SV-213920:
+Old:
+```
+Develop SQL or application code or acquire a third party tool to perform data labeling.
+
+```
+New:
+```
+Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in transmission.
+
+https://msdn.microsoft.com/en-us/library/dn765131.aspx
+
+```
+---
+SV-213926:
+Old:
+```
+Where full-disk encryption is required, configure Windows and/or the storage system to provide this.
+
+Where transparent data encryption (TDE) is required, deploy the necessary stack of certificates and keys, and set the Encryption Enabled to True. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 TDE".
+
+Where column encryption is required, deploy the necessary stack of certificates and keys, and enable encryption on the columns in question. For guidance from the Microsoft Developer Network on how to do this, perform a web search for "SQL Server 2014 Encrypt a Column of Data".
+
+```
+New:
+```
+Where full-disk encryption is required, configure Windows and/or the storage system to provide this.
+
+Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx.
+
+Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.
+
+```
+---
+
+
+### Updated Impacts
+
+ Click to expand.
+SV-213901:
+Old: 0.5
+New: 0.7
+---
+SV-213905:
+Old: 0
+New: 0.5
+---
+SV-213912:
+Old: 0
+New: 0.5
+---
+SV-213918:
+Old: 0
+New: 0.5
+---
+SV-213919:
+Old: 0
+New: 0.5
+---
+SV-213920:
+Old: 0
+New: 0.5
+---
+SV-213926:
+Old: 0
+New: 0.5
+---
+
+
+### Updated Titles
+
+ Click to expand.
+SV-213901:
+Old: SQL Server must enforce approved authorizations for logical access to information and database-level system resources in accordance with applicable access control policies.
+New: SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
+---
+SV-213905:
+Old: Where SQL Server Audit is in use at the database level, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the database level.
+New: SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
+---
+SV-213917:
+Old: The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+New: SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+---
+SV-213918:
+Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage.
+New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in storage.
+---
+SV-213919:
+Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process.
+New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in process.
+---
+SV-213920:
+Old: When supporting applications that require security labeling of data, SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission.
+New: SQL Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission.
+---
+SV-213926:
+Old: SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.
+New: SQL Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.
+---
+
+
+### Updated Descriptions
+
+ Click to expand.
+SV-213901:
+Old:
+```
+Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the database and all its contents. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including SQL Server databases, must be properly configured to implement access control policies.
+
+Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
+
+Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
+
+This requirement is applicable to access control enforcement applications, a category that includes SQL Server. If SQL Server is not configured to follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.
+
+```
+New:
+```
+Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies.
+
+Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
+
+Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
+
+This requirement is applicable to access control enforcement applications, a category that includes database management systems. If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.
+
+```
+---
+SV-213905:
+Old:
+```
+Inspec attributes has specified that SQL Server Audit is not in use at
+ the database level, this is not applicable (NA)
+
+```
+New:
+```
+Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.
+
+Suppression of auditing could permit an adversary to evade detection.
+
+Misconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+```
+---
+SV-213908:
+Old:
+```
+Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.
+
+Conversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.
+
+```
+New:
+```
+Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.
+
+Conversely, if critical tables or other objects in SQL Server rely on unauthorized owner accounts, these objects may be lost when an account is removed.
+
+```
+---
+SV-213912:
+Old:
+```
+No databases require encryption hence this is not a finding
+
+```
+New:
+```
+When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary.
To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account.
+
+```
+---
+SV-213915:
+Old:
+```
+The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.
+
+Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, so copies of sensitive data are not misplaced or left in a temporary location without the proper controls.
+
+```
+New:
+```
+Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources.
+
+Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.
+
+Copies of sensitive data must not be misplaced or left in a temporary location without the proper controls.
+
+```
+---
+SV-213916:
+Old:
+```
+Invalid user input occurs when a user inserts data or characters into an application’s data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise.
Invalid user input is one of the primary methods employed when attempting to compromise an application.
+
+SQL Server needs to validate the data user’s attempt to input to the application for processing. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands.
+
+A poorly designed database system can have many problems. A common issue with these types of systems is the missed opportunity to use constraints.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.
+
+```
+New:
+```
+Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.
+
+With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL.
Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.
+
+Even when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.
+
+```
+---
+SV-213917:
+Old:
+```
+Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.
+
+Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for end-user troubleshooting but very useful to someone targeting the system.
+
+Carefully consider the structure/content of error messages.
The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.
+
+It is important that detailed error messages be visible only to those who are authorized to view them; that general users receive only generalized acknowledgment that errors have occurred; and that these generalized messages appear only when relevant to the user's task. For example, a message along the lines of, "An error has occurred. Unable to save your changes. If this problem persists, please contact your help desk" would be relevant. A message such as "Warning: your transaction generated a large number of page splits" would likely not be relevant. "ABGQ is not a valid widget code" would be appropriate; but "The INSERT statement conflicted with the FOREIGN KEY constraint "WidgetTransactionFK". The conflict occurred in database "DB7", table "dbo.WidgetMaster", column 'WidgetCode'" would not, as it reveals too much about the database structure.
+
+This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.
+
+```
+New:
+```
+Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.
+
+Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system.
+
+Carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.
+
+```
+---
+SV-213918:
+Old:
+```
+Security labeling is stated as `not required` in the attributes file,
+ this control is not applicable
+
+```
+New:
+```
+Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.
+
+Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
+
+These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.
+
+One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.
+
+The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.
+
+```
+---
+SV-213919:
+Old:
+```
+Security labeling is stated as `not required` in the attributes file,
+ this control is not applicable
+
+```
+New:
+```
+Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.
+
+Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
+
+These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.
+
+One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.
+
+The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.
+
+```
+---
+SV-213920:
+Old:
+```
+Security labeling is stated as `not required` in the attributes file,
+ this control is not applicable
+
+```
+New:
+```
+Without the association of security labels to information, there is no basis for SQL Server to make security-related access-control decisions.
+
+Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.
+
+The mechanism used to support security labeling may be a feature of SQL Server, a third-party product, or custom application code.
+
+```
+---
+SV-213926:
+Old:
+```
+If the application owner and Authorizing Official have
+ determined that encryption of data at rest is NOT required, this is not a
+ finding.
+
+```
+New:
+```
+DBMSs handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to SQL Server or implemented via additional software or operating system/file system settings, as appropriate to the situation.
+
+Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
+
+The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.
+
+```
+---
+
diff --git a/src/public/U_Vendor_STIG_Process_Guide_V4R1_20220815.pdf b/src/public/U_Vendor_STIG_Process_Guide_V4R1_20220815.pdf new file mode 100644 index 0000000000000000000000000000000000000000..c17a418a090e731e58c83b779279d0e7f700a64c GIT binary patch literal 892101 zcmZs=V|1pm*F9WYQ`?#vcR96f+r4Ys*3`CbcWT?VZFlPb{2r|L`S500qurLFTDt(lv>kej`Smq>=5&^%vTvKEo7 z`R6lFz4j)0y^pwZw6jk^&VtwYPEvvK1!XmcN~&Ne6}7jpVnNJF!Qh2K0QV%Qu-FA) z8e+__=;!(o5Z}G`l$zIx%ade8UACri-AO_OaKRuW-Nys!`* zH6rCr&5voncsOuT3NGPk=6R7A2|%;+VCgT8%o#}P#c+`pAC9T!U<}?vH72A%r+HD~ zb(UJZZHKgjmB*p1uLe+bJOuwkBKA-QY^8wvo@t*%iY4&)abBVPTPq;O-sp96OfiUb zfSH{}Le!@rS1U9fBjA7hf=#3h!K2aETy-dWZxqUg%f&GiZXR2sC-VY^>#MCl43-{1#v6r zq7m;%bzqEUaHQwG&l16+HxU$3<~(Y%zT*p@Sv-*lL5V}Pwu!9mH;Wk?i!B7~OvW

ne%&? zaed0nVb}v`S-O=I}ekbDpNW;GlvZf{$hC+7k#M(^%8rYdxh&i}ebm9Jq!T-eh&$$1U5Cum& zV`WokV(ovyM8t?0RZQKTi5Vqr{sk8LA1nMnR+3nkm{Hiy+Rjng-q6^T_&*9H?8HpW z_Mfo-rvIly|B(Dwvx>^Up#P0VMFl|2^}khiV&?w_`Jdhz@^~azzx4da|G&8Zo1g!kf>GJU$oan*`!D3gjOrF9|1^+=iHVp| z!qmbX_>aB+)FuBh|NpZ4f2H=Y3(^^1y@jDFU51he%}jZc+?p+Dksip_s5NOFFf=*&J7sbbzcD*a z6KXBx->36-jV)E;FSq0E_u8l0%%^)xo79TR%F5}rlV6$gIQidGHiRU3Yu^dOC>a7k zxO|)?)4H&OdPqR12Q6p9cL#Ao9toe z@r9jA=Qb&V35ivr6v8TwSe<}`>%St7hvy!tGlIop1a?qx)m>1#b^Y}iC-eV60$%Va z1?}c8!G?nst7hPP1%6Y(@EJj5XM}tiSB2<<_JN`d7k*FmeG=prU*GzLR6+tEJ0asf zN|NmnPWxBe{KYV52N5#9o-i%1>FFk?rsZYx?_dGkA;TrJqjb1>0zoiOq>CX6cp0_g z3yia;WB>>BXu`C!9qxI>)t#)lg|x*DeEwBbe*QGBEgX)eAAB2xfSu!LZXLx`v^=W< zc|JA+KHjn{oH~{GE9=@%=hg$2(gm5;cbS!vGo;+t>)k&!v*|VVi$omr*c_`U{F_Of zi&;GDIjn1~kkLfKXjrq0x`21Ed{@=PJVPdN1AZ6+MKYi*;ndU=y+NaB2sB&ewgEU_ zZ%8kMKsGM@d8|J*@e}?Bq{KN<|JPJ@?AX zMi^oMYs4{?Vabe}EW=};j#@od$<<~5BvZz@D10@r25M?Y?BQf~QV^iTx1G+jiORNf z&AxQbvv3AgmUexId+|(oc28jaa$^B|3cS6!3BR_8239}V+1=h)KiXA3*jD|t^i*7Z zB<(pfm0PI%eXL$S)qE%093S1>cQw^#Bl}e?yUnYc`R?_ZiKn}vwJDbILAefI(($=_ zoVYc8ko{ap5REarRcPRatNT50uSVf{!{0zjVF#VT%`c{eXrN94p^`fkPdDQ0geD`8_BNO@Wf}}+d zfDM?JGV265<7Ns6!2{iW4S}{5M6$?v>4bodK+1}_K@32fc>|kI+fS3aA-f`DG^l*J z*mU-ra<$xesM`7#|A3U*Mx0QW6t%GOOqrLv=+4oexXJK|@N%n-L`VHF;*uhKG=a$cL;}acyK7>jy z)MZ7Y^$lFk&93s+C9|Rp*Mbp;&H>Z*0lN}5qXGuAdsCVUMloHlxmj3%FZdLX&_Xk? 
z0W$g}?~K{nGH;Cw0KQ<3nJKR9l!iLENH!d{voAG-f?-vMQ;K@V)UylH_IDzAb&kjp zT%fG)f&U^q!wy^BKix7r{0@~4X|h29&9(H^1EOVYmq&*US|d|v!3Vg{hTG1*(r(kv z>{3GEUIF=-^k5x(vFN{IP^#{i>gQ9feNrhbZ=008ikD7kcXVmcYi2h~_EjflSIiL9 zmLXCQkqnU^!Z3qM)j%PUHR`BN<{DnFNgah|If%%-4^`jxMOVX^*by=2!m-=N#Q6+p zX$D`rcdssj!2V=BU1=3WCd4qEZKT2WcH(TlrgN zcaRZZ`A&VxX6cJROWo%+Z2fb6;ajtI*U=z+oFQ9ypb>~Jg0|W&&?_Z_1LkBdxD((r zAF4o*VGS9=vf$)Y^m;2Hyk_DwY;85ElKAZ{z6v)TH2YB&x1rcPP>3^ z;lSQY1Y%xN6U($2^QQ|rWdq-SW^@D`Geoa}$CvBQ(ewY>UFI;5$?+Td0pQJw^xwKAJp|>AzE{cBjw+ zoGBdI6Ckq4HRZE};=>Y5NlZi`G=GRH4JM%5JAmn>Anfd$o^eW6)KI6BPk9g(;zQ{nEYMG2AMTu5Bn&!zVdV0jZR7B9APz99a6 ze)5Px^qfI>XG92{c_C+T#>iWXO7qRK5Q6{A+Z7O#HN2+Zg-A5)L19vxO4N5p_#5QZ zOEF0fuKq(Oi2uCAEHD!MoZ$;CYmvzBinrHnFS?v5Y`C{KO-xz930pcqkvHvk#uv`h zRSr<%$`6xe;evJRfOqbSeSL3p<^1D3;`583BpnG9`@= z?6D%m1JFk_tDEOXtwi6L@?9jLEg}c-gGzF60u40RL^Pp9G%y8~T62X5+&m{N5%Ux- z(!Nuupe~$ll=RLxoX3u5CXn=)zO+V5Oz#kl@+N_@~je%8bez z@gds-_z05$ee@SK|Cno$4gUHH&$Ya?VmvL3wa5DnQsowBwb+%*@92`~a##NVZUNW> zcFDo(YYgze9l;m+OK)I}LhtXT7mK2CU_R0@{*GG!h3iel-D%#=^PaI8wl0L16H2sd zdvh+pVrYTaaB70NAz*Dv>{dM91spfXUamPHDh01rXF|Jk5x`^35k^3HD3(|hK_f*er5rKu+zCKqoC2H2ESar- z*dw1JMP!nU6S1i0xNrbt#|^PF2m@E!L^CWxrxKG_=9B?V`~f5_qa@4CpbU8kCauR09!}QK`dEg;rNog}lGHB{kd*g(A!WpB z42{iHlGB5`j4OfKgMP}7z%a3%+T*3X(Pe7@_r^B@RO3iJ6HSl-`&~XN5HGbawkr#sa-r1*oy`8ymuCbT z7$6vaUl>F9*y(Em9w2SBp~z_qm7vfLNMVp2f?sg{gTtvvsHg@Zk}8TbZiGNykKoI> z2Jkn#G#qy$RXD}Z@l^{wnlL{D*B$$`*+%1?KG?zpE}B`BBIo;PG=QK&JMqGpfiWQ? 
zDEVWSfcZM4?P0^neHpg;#nKuK;F&_BA(mj)6(1fawhwK`4xhB$6mHN6xGw38tC=GYbYQmPiSP4eX3VH0e0(EKH1p0uhNWxTi1e z`75P-AfIb@9~-iPG+E%^HYu8c0JjrjN=V}{GjP|Bg~qGKD%`}$>$prwx=Vs)0dfE%U?SVnYF}8!|7^UK6=q5k2A&Oo*M*VJ2yu z3Mw1Z*u7%)J;4_+mBT-VZG9ouY(HXkXQz*R5J=1lK%snK38>FZE=KoVN9NazmJ`~+ z2t>EG%QT5?e$BD6k0y!f*$iSRPiEbAPI2l{%c@Bw9HLRAbN55o7%p-*=83Ajyew1G z1--0768)8%(9CQ}H^QF;z>~7-v{-k5?#{Wpy}r=OdWtECeVHOgFI_w(FGVjH90*OG zel%J}ziexo4<|woWqYyZ)x*f6QOyoU(Ab2R3;iZ9_h)FQ3t&JhwC8}O`xJaM)a>C> z*_bWMzvEpS%$ctL_N8yO{`P32e~kR;q#t>JqYWW;NElKzU-<)F(fyK^;Mu4kZV;{{ zLu6N02xgO7fQ~a+<-xjw2Yw`?C`xFLuf&@n=T=pO>FF!Fw|n_8pX6c;_GK=CA!JCC$Q#L1mR%xkUG=q z@k;B5GOEmxmrW5ZvE{*dYA9zyygw~@`}Cwt%3gNtw8^y zdorAEG|*55u^Q6gJZpUSZ2*q;G|dweH2CWQiV}U&rAo~ZR4}I23+kiW49Buwh=9RZ zcH1YK*{wEATMbZNyGVxY(X@2l zC{!u)%UL3Yl|5Z?I!kar5`a}6@(B(K!#$7~bt#7!-ycsROahYQcEd%djpX##q)|@J z>t&SuN}RVWJqvZGf-ad`Y469hq|8^$Bw1+rlNP-(evaScsw~~~uUM$}Qn>pGBDUvp zQ?0WvJo0X$%|zKd})xaz&pnu}{oFHI%SaOcZ{ z*?`5#tMZn0#oohApNV897ftUBZ&pP@@OV;Q$qIIUk8F!eT(wg;F@y6I+UklwJtoCJ zWAd2T8s4ubT$Wz+4Ap2k-6{mb;-@w|p1VwoUQ$^J7gt)4V!i)9!J!IIqrJmXfCAcO zCD$S>k|%Mp1#i3`vtf6pWKe(xsN<Zspe(E5B=e=XZnWPJioqxedxs?p~ye`_m1KL2!Aw4)PB!>ZVO zANg8gWh%JEkT~EV2%>&t${-STqG1JTczz%zAs&52$d5`4(k!&GWvwnLOTBBLdh-ys zP_p3BJS`i7-|UT=GW?9z79A=D`)8DZNi2eL3H2 z1ClgDKY4zN=78`sqAQ(}kyNr$qd+2sdRzeAoLI^vTxn?yA6&2`f;`g_|Mf~~tf`{K zstx+8hUZ}jdZN5RqaB~_BTkiE`lSx6cZnE1fCN2PuJaN9LX2*pqFUE7shD#5Ng)P@5>z)qrRp)TeRl`z@$3z)O)pr(PAh?1+X9k2}010S;+gJij3;}2cJ;ztO8R|1v=aHXHT-e<=vy$0ZsiYQc6*G`l}B0d==P`0piZV4 zF9^Sv*vD5GjB6tw9U#81t)84$ExLf+FY9NDtgptDTbNdB{X^LC`Y=NC)H*x3Hy3l*o#LNQ_`Mx-njwz!lbMu$;0XYl z$zV_7z>yfT2cd|qiCe-5Gn^j64P_0f3_%XUWa;cHcp&fhJ>ew{p|eq$n(O!RC&tZw ztl$ZiM#rMvBO-=N2M1UGwbZRgw=qEBj|~Tpx2LO_rJ195{vW3zF29u=d9?-D1egLk z2gC)x_#BE&Ofk&IyiB`QEmZN;0~sX|wB(=e9{6$Hq@bk|i>l<6u%!~S$srfCfy)`| z7z91@?C|X0lQ|C~Y+qlPOVrykY55@!p5JIt?%~Q0X}K^@4EhXOuhU_@#W5gyJ@0&KdTd4XRQvpMe{hn}9EXD!KK%`aA zT~A>>8P%i;IJfd7xaaD~<{qq?uLUQ=$!!@ZfsPE{0L*1~x^TqYdLgVfMBue z=fi1Nk>9Pa(Qc40F629%>DCwICJ#dpHLMY>5fl+dkw(~oD50FA3YZcYHZ90yAdJX# 
zC?Fu{*uuTeLF}eWmXWioP&A(3U-gu0s}ZEPL+~Fk4ZYDitzK77O9YKKK8;98L%6aP zD%YG~OQ30ht6ULb8)IYK8$V%`R}dfv_8-5tV9+VBmKeDLZDjrKmmw*Z717um@g#A< zedLBo0fR#UIR$mlB!o6nt>JU2&*qS6t7r-X{1-!{tIpw_?@6XecEb^y*_PPfT(i9X zVk$pY`sc6wJa53eg=&_CKz0)dIxIUp1vC2Y-gB#oXOkhop=}~*v(apcrSjm>MhiGA z=;FbU11H-!3G+l#%=|ejrnW`mL;XQ#K)m!4fOL|qyTdH2gx0Vl%c?gYE@8tAv0nkQ z#z7=b!fU`XFj*d9rzs$kqoMHw5Qr;%BrJJFr-lz!2sQxeh2S^~VEZh+``qEm$Ncr} zo}wjFzE^}~5R?rDfe77id0Tfp0BvpAJ1gigF;)M(c*c;L&M+~@URpo>d((LZ!)h6I z4bvn5FD5mncqv#CLai59_f@R3=?}EzrIFemeb3hDlKaVxaGDJZcVy^ACN~@4ON=UQ zTDFjWL%!?f2)868EMnm}xn%wZXhtHsAvkC0-H7%77t|k4RQPD;ADbIE zLQMO$03(Kf5rGc+d9L1`#HO%v=9o2L^Uw||Btd~H(K(Sv7g8JLg@Z97jd%-dQmU%K z9IH*YC`$uKLW%P1P~|X-ltt4KL}@h916k`S8`d%gi$jWQK6y=fZTbqkVpxSS%V?2h zvjvl*rE26%1zsl_1JW zheUAea4aJ!Yh+!qWL|M*uD6S*7D48e6{S|I@ z-t1Y(MB;;7h65A$G;Q3+8CUtaF!~Fibh zeK=mDQxspiRVr`15P`f8qJ%z^*0HX5QDuaEDShU*cAlL6B0-qy6QjQz1QFPI91}^z znhFgoGOJsCKe_!#ohd;NT7?R$7JUO#Rhj4yC@TAfeARQ(Vg2<`S>Lk!jFBdY@bXmP zy_B8oyhg{2L@K#2%CLaDQ=vyrjt7(`F6aSR1iMD<{iQ={ z=&%vXMA*+Lo!_Z(Lr6@P;21uB`RHnVaPoj-d`To>3+rrMHG0B6Q6Rx>7F06rubosroWK&Kq@pS~Etj zQC9TkQg8lFh4P0VMh^oMY!S8Tsx-RU%_>R!YoRbLeo%@#!GZvJ2WW)x8JOCsiK{)5 z;IK!RmMDpOir&#LdhKh~Qc=dM+vszIA`~2&xkRX_+WcP5<=d>&J9%x?(hVg8Ni)H< zE|7qh6g@2d0huNXsnPE(poy*`CGZKZ93RUup&=Ts)nLSy_hZml>@|dO1(r?L$00#M z*AQDZT?&&D?-uQh4!ML`oLHmPyw*eB4(z;1RM(c(hgl<@-xKzy1%kMxh+#a#F2y0I zfWKkdNbu@S^C!3p2%gMmIXQ+uoH7~qa-H9KmsSQF=_6SF2AZyR*aaHZ2B|prM`*k8 z{Jbo%su{fnBLYn(aY#rim0YT5f_0fXkuAAiK^W||*9^I=n)%QGt=$=MM*>$iIoPL~ z!WvuP;Ff2p71!@;zgk}XT?9kOS@(dEUu4kc22aF2aDRf)p6p*-5-jg#&)bD3d>_&9 zZc%h$!gAx|sMKH}+-GXNPQ-G($^|)rU|WnPOgxbVbu??-2+Jhd=&|72v2S~%tjro^ z$>N5I!UF{Imbn2?)}F@yMbFOo?_;aMkB3r|iT{J|(%_&!QI&$_}7XibZ{Ud=!eOvbTM zy1qD!*B5zN^%^xXv8$U?A(YUqJhENsE}RbpYR3|3r8-V183qfmMd-j(xY@vSw~yl{NNlsdYjY0IG-T2L&UayIlp*pa~K%g)Cn`CF}yb-z7|I* z7A9cyhf8=jaR8ej^(kcW4PpXPELB*cC!=2t=74vu;fS=O>pifr@(EGBRBn_6M zv4P|GXoeNc9MQJu6D-mO_xphSG*I&iwcxIAf{346GAAdv5{@KA0_a0Rzq2iWh%?28 zL;^>Z6iwE4$!3Q@I^B6D+(Kfk?U7`sXXK2eZQ|ccQ0%oI$Aqwhnm!WSoz+=>1v5Z+ 
z3x!~-L08)4Gzp>@QnMUTJDB^q0XyJnl5@d)5bGbs0I%-P#YC2OnP*NxM=q&;NVA20@`kh)oAzl% zCVC|`4*0?umX?`c$t9@c{>^KB5TZyixgdZ4e4CKdH}fzy8srh(|JWUs@f07fqLi|y zBa-dZ*4a0d05gKg6)zT5{qw5&X`CjFmY{QYhx&2CukeIeJz2zOMrxaXg zvDWi~k+&_Qqp;1y@8}C&+^YRt?->Bn_nJ|&o-vJ8>uLFma-&k4kf_VE&EBm$x;7|6 zC(p{jpLJJ|4J_(rWH)$LhU^a<(-T@*poZ~<3a=sY8mWf%zUeNy7{;MdCDY)T3C#C6 zSwy5n)w(7ovWIyEIbH?m&n$?n{264tV7Hv-Xaii7!1U9_KjOH!{HGV|Ra$1ta}miE z%u`kN2zYQDp$rVYu<%cZub%9ZTFXB!rn0D6itDYfj&gaqaq|PEBRtU?uk?U$lhx)l z2XMmW83K`Cwi|wN>XrvmY~3hU;DykMDj+m<^H#HuM_(xf3(Yl+Q@&)nhT<`r7dQ+< zji%&+!2zVXq?3ajlgQ}tJtkgb57;BrTF zDSmhaVIXrO6YL4qPt=4rzD3ZJgR4x4mZ(oJv0l)W4BNoR?N$+%ov_in{CjU13=(fs zro@xs{SI7M-A6=pcVQ>pb*Nf_(u0#1j+f5UOiPPX57&paVr71!@wJ>Eai@%RSU=jJ zOuBKTZEdORdo$s1)LO)z<)D^bL)o7>64$*Z6n-U#iC}Hb6 zT5fD#jGRN`>A!IB*;MlS-H0hk!tN}KX8v65MX@o-Ky$Z67X{I4_W*C2r3u_istY|C zh%;FbQ6P?&NTfnBiO;KYXrT6?tBaEh(<#!#AEL|Zy}w1K1v3N-#}(w=U7**S*6J9S z>z~kRTr6mYWwp)h@Z#5Q$Qgd3vfn>DrdTfk=tgPqc1Y+xaAqyW(!`y{cmKUBYIqGX zY0>B0CdoQQ5;hjE`%|l>0L3ge85+>{*~RV-cy|5^4G!N1R%DC^r1Vx&bp&%hq_sC zeItRMnXE!vVs((jaz2!8xpfa%i{GF0Z+3@Ul8I9y0@NBfBl+8cSjj~BD74rOlU!DL zUfXnEnVcqll*VYHt`IC;u_q}OxXD>3xDhVnqLD@_Ndg;T(g`_&?yaxWGl{3_>4{Wa zxzMD)@pKl_*zFfwLS!Qn?HK6B^FYB;zZt;j32m+HSyT%?4N>yhAX~He)*nQ=7`ZnEz zESW0nU@$^y{J971s03O29E~;JT}xU?T&sQ=n9aVtUK9-iNaQCen6I!4B>r8_W@1TT zjX9Wj1jPc51LNQ}!M2w{*Ilqv(&Y-97LAF#+l|QLkt7z}-xE#ousdS)6^-o-zz8^f z$tXRj^6G7Xa@VIdcgyAz%kyo=nK)qj?bNH2-02K4dAH!pag#2H7{}MX+Vc371eR7= zmi%{rM}n_@;^}gFUb7UW(hjlC&i+cq)1ipst&re8QE(q=In8ky6Ru3Kyhy-m8Iomx zrC;Wv$2@Ym@5gFUMNIghN}*ueY|0$(55p9VMTc~wkG#=N-c-iib}g$)Ir*HF{F>vu zE~2yKXUxmG#;r8oYtrkdT6eJCCopmq+q~?4wmcu&iW%7+tJfMXcmn(>323aR3#CCM zjS3`wgJ@HthaV@VZG=rgFCYhvRN3mM<dqbMBkb4;T`R_ReDPgmTEUw?YhNCSngj>4i&Z$Kl(bkudTtb>zx zBbI3wnyYt>|z24 zvNY(wWdOaxvKmc_wkMNJ&T1#D$FoEpV2No{6|OBCzXna^bNd+?)q3sX{JhlT9=#MT zH)XJAz(ip#-VDr$^U^31)ou#-UPG-LW3I(65U|;THzT;=Gh zMJo$->F!BS^q1}j;&lennuTDwoAOIn5KhqQOG)F3ydpNx&xlaOlAA6?Mw+v4=uy+= zq^0tyCGj-WdYY=gDkZ!NWPJ+cysx$&CY#Q|htVV6?}w#OATxU(>!ng=nb>XjJ4$ji 
zMa{A{vNbwJO^o&2{k8S-8)$6Ds~^jBzT1f}wiSsl?Vcsd67(^|ZOIYRlSnX&A7tjX zo>A{AEB7NTAuPF5^*q05PO4SIyRY7l7|!g`8iVpfDZ`2mB>EWJU$SB|wOUz6$Jp{v zY_xw^uDrqetcwAi;AR<1@J zYgy`oI9B^WS#-X%%BxpzOOS%jG#nhfiueGy;O3%Uf7*k+g(*PWPyXb59k`KM-rGdV z_FUSI4i%dX7*PLy`*M`!QQr|Up>8A>Lf48DOrbcx@A4(a8{;LY;o)6ivcK5A5dJx& z=bqRc>d0CzU)RgH@bf`DYS1ZiQ|ls7ZKI!XqZ4!^%eUjhx3XVNbWZxgMxK1*2FC4^ zZq-G&?i18+g4K7(%0V;=I3c{&LN!kxi~q7RK|`3Xt_J^bLoJmn0Z+7UXH`e-WvabK zI^$)ixk)_cX{fzSL+$mGt{MZYTjg+N{dlG0sOx#ueV@>8i0#q8SsY5;($2QJu7Pc{ zoxZN}{d9CR;`bJnB&r)dt2{m&sL6YXO9#EiN#h}@+xW`IeT$t$V>t_V4h2x+zSNRbYFJ{j?dQkqy;!cVzzCK9Lf??c-(PxyJ6VOq3CHuM4waZnIH& z*XQQ_2U=nns}{=TP6;tO*;6dvMDm(jkaF4*UeIu;>F{EXZxvs#`kL$6{n&OWDzOs3 z>XFV!mcT9ZJ*PRg%Q(k-g}Y~(rEr1WYtVcG-0;$)bR4OJKzOhUdeVkNR2-=zhi|Xr z$o%~=b3YPSa!9y#enEXB&d03T$G6l}uhQu(`!;B3q@!kRBFg$%?+A0Vj;`}qS;?Wj zX0HB{%EBXCQME&HPB$}av!7KJYNR&KEt_@CL0Rp2mAQJDzEMv_V`}RyuIr>m^A)kO zssocbRm0cRWQ1J!f;__Mt1Banw@~&a=Q=_AJOLXW#^OAqWZxt?&P{_Pa$Z%8furtI zZQ*e}XgL69P?^)WUBbMX(rM1<3Tp&5&8&4e$ULju*mOP2Oy^h8St zf}3ZxHw>?OiS0nLSI4IbLVGa5JGW@d&hO@k-uR*B?_1Vt3aeM|2@zw{z#2`EB^Jk! 
z`UgklNYgkc-IMI=_)?1vR>0Jh8m9){ph;%vO|wkfah&VI&zk_%FXfAQN>jZkQ`=PO zud&%r`J_L{er3@dPy6Y&OA;ww_$;g?Xhg0;yPAv-s(7y zq2{jKl{wzZZ>&jHOy~rZ@|qLS#)w>&t-730c}OKcOowgmL*Ew=(K1|jy_tmR?KwQh zWCqf|Bts$x!s&}7t!QKLr`(h=uib|$e~q$y2N-V?m_Cad_6rL3s-^F!(TGnsws88q z_g?Hl^Yd}qSzguk&0@|V=WCPqXZU28vdCfAOg!sKH$1|Og9Rx^4j)JvvS6`ki4!-%DhUdra)k;lhrW>8XHka zGsL^b4kA2j&pfXdT$=!zz#9`!1T8>J>R~$9t3qHnLw~N;@!!ItBdNqzHZ`6<_N?}; ze2ds+M6qdMWO_D+5rbiZg`9kO@}{UOby>ivBDa_!wnEDy+W5XsKCRaO+bA(az|-TY zHDZ;k#-tWmZX?E45eXnvEI-Z|iG0A|b?Kf?38R+RSSTbbp9n}&kURz>c~AJ>0-m36 z8*kL?r>ggvUO8j8zuoKON4GUV37v^o@&#hiCIK%a>32!~1zy_*@@sR|2brV&7_{hp54B3QvT+K759(rvzUW?~72kCgf1w->h zz)J%id%kO@>CD`HTR*3%SrUMMxP0_mWkYo29>pW4*0i(Qyy4^dpe$v&NjG(iZomAP ztL0czPjdub%5U>pIqfhhvsi+zDHhhwW<%{|HY(M1BfoQ-`v9Y?r;Fbe{ifD+va@Q` zkB;VIH?=te&Q{y{k8$@?NY#Eh%S#6Fb+~*#Y>qhG_L$yEbVuoPZ}yzkNR9ej^b^dR zjB%kXL=b17Cg_UCjHg){`@qx2Qi-USuXQj0b8y34;hPwJj4WjF=8B(Ds{tKa3nY$- z58ijn+Q}=dg;G-ZU;vTR^BW=s^xKR;dtz{FmW7b<-&2T)0{NUL-Gs{|@8 z#O|3!$8gTNIVKBSgR$4hr0mKgvi&)>GbZg6$pU!0Rlj4&Ysi&Tyh}}%_dAl3`b%(w zqw$am1|DRVs+0seDy3>MC=iq&qqUw+Jdv=kWpv*3b?}hzJm?Z?$a77sJf@p9;xb~P zk%g&Azt9wF%>>*6LKvrY**&p)RXB5sy`ITq+q1d*!g0O00D}~>Zh~RAbMq#H=R88y zqSeBdpr;{4+d*H)W9;(~ZDA9>p#pl}#_g}R-J2Tbp)PN(%UPtXS_r_S)JMuerN(b( zH~l1*wbFItB6x8q;OtHl=c>Im?uZkwg?i1P5a_$Eu|=lR~| zaau1|JwEr{<30EpKOR@Forp$7Ag9IOn0l99%$dK&)6AtG^D#T#TS;!WamLTS9s6P9 z`?jJUl}(RLWsl+Z7p!`k*;RkbNx$>0&TZso_4MAEb@*7jh~NrTMGu(1{PD3FM+pO^KBIX8!VEaU6#{nO-0*ZDU=(%Bx4)13cXHH- zDl0ekVs@X5rq3Q(0q)k%9(0z-ctE&rS2AnxD?EJph$WB6eTNd}N@pE3Cx-sOeJVx} zHWZGLK=AZ`q z?_jO-D!S}@+Pcd*evLhRdAY8sp?^J&AKf`+u6e?%OyF6g^Z4v(`SMMXGB{6!Oh~H! 
zT4+Jn_wzj6t1SCcYkj2}J|*0Hozb?_-RQnJOv&4i3u4>AkJ_w`bg~(r(LCf&HPfka zcj36)2Nk^YaD8UYtN<1DjWxX%?isKth`bmMq0&hIcdhf5$<_hy7r1YAW8=AdcI}%> zTOUp_DesB5!57An4O`+au#cRzV_O}QPT02 z5WttnI&c3G-P#SJ<1$SgTQ*P8zU*1D2M{DRY3FJ{XVt?GvXv*@XV8nZx^Tit`|%s; zjSOP__9?U70fA>VZJ^9>R;f@LGX48UjW2xlH>!Ht_3$A*PYu>omr#(oqA^rOY?>#5 z_eCdGVq*e1rZU|Ckp0iPnZ>%8#o5q^*s+4*(4Bmb-on-|NK^g+h3oRjK;N!mg~THm zjGT6Se&dTG#41_o+h_ZW9QMa5GyCcs5IB`OCNRciQYlgx@8!ley`R1=iEJx)wi<7* z3J`pxBi;u^K3^laeOL#SYF<~KQ__6Zqdm5I&Kni@lNB2b7W}C>zF)>y@&Ow`qFezj z9q^>FS8zM2K6a7@UC(e_DcxHOu}a^^@X2$(3dDC$ z(Z6kV#A3itxt0xh<^_1&QH7W{)EY~@#-BgO1zwR@X#OZqLDrKj6_-^EgRNjY_0m;& zAitSUY#6`5Iq`fJ&xMQT%%GFqyiCxHcfEX!FB!PQa>Sqro087aMqkv%YT8iI#lrd= z9PhHIuT59?#9Elx)8=X+saxgZrLF(d`u4G9?9QN^Nk4zoW|`^UXmTc^haibQ-Sqn@ zd;|7tcL5V(j;Ah+$%iROgi=VJN*-I@-Hx${+IRMNpyKvf5QJ{z+51;V2xST1rw-F2U4S^f!)4H3Y8NO zeb}>+Cun#35=*gJzZ8=Rj zw^_1@>E?}7o#ln6n6%187u`=DOe-bOlq)>#ZlCf|Eb^p;!_s#~|21kwD@c8e|Pqk;z{PpGH-b?*dC&WWV}KXf96SZ8eeUTbI+! zHe0BzlFj&^w|!Y(HwQ)&Iq0NfsA+0w;cGjJv&(thi@LjaOQr9fPVfo&WqDNnD17}q zmu5CTqJ%!+(GuW4xe2ZH%9LeXnLIn%gLHZ!5nHFE0j!peEnhdn@5CD zQXvO%%s8zMrRdHD?)|Yg3d`@$k4pxDAW-d!y8v7F^?(HqEB?Q7FVOU`TXZND8~mCw zD{M)MYcZ4`oMpotCgKZRQZWPTxwvSQZ>9%b42irEz;m!?CE2zpIAWT3$WY8A3&Usj zP{>u#(XXo#_EZ)1irQBy&MwfC%$>?>2-HfXDgCVLu?%bEOlw$Nn(s?b{lX{n$F;439gw)Yp&851xvC{7SH z`u6KT-CC1o_*N+9su4VL@S`+Pcf!aW*z4*&xt|L>t3r<~Yt64|5%?_A-Sttt1|S3X zj+XiZM;a2KM#eog@4tEpMrNLz*RhUi;VZ2hq}ZuOvVSG>ZJ;u%mtuR^aLw%}xP8UB zcnhr8kJGPAdzvP5LwmXQjQ&3WF+k407&Y{}@_eRdaBW$zJ9Ify7E-aIWhF@$xb8kH8TC>6J`%E+ymVGM6 zCe7KV$nSX9Q@@fuK56l1Zuq@wbZTvM?&}S@_sVn2DR-L~Uyt0%O@$Tic?IW2x)nK9 zlKe;3TL(mC^@5`3Ru!);^Pbt}Jd-B<$PA5NVPU#?OWghLr^n7;(AJ{q8+*Xo5Lh1s zaa4w7()W0Cg?9|7IT-)&(1f=&KGj-fc=b{(n8EOB%6Gp0foc{cv`PH%J0gy0!!Yyy z{Ch(vumR?;#nW{S_=fx-V^OM+C=+M0iDu3-abdw*cEPEi?DL!I&ct5RIt?$_#6$^* zCiUycRK>O+U7&JBeg5A8>%YMj$fnFr(NbDhnGXUcAhz57vt|x z9)6&&Nt%DfGV73QqTv2Z&$c=#8nGQ8up1eVuj@H<^4|WC^2oi9PNg2a7Ep0TlziQ~ zq6tD?lA^ngTV9)IS94SEIPR-6Dm}3wCPmYCGtJGWd-P>r$8}>1OB`ED75fo*VIZ{( 
z6iF+I7OV6*z)V=3@yTaP*KIU-^t@kc7ozdeGLpc-KoG%}#~JW_b!k?MR~S|9y4u-~ zX|I<4VU2e_rg2@(lnHu9;doAzv3>M%hO9D&Fwh(}HRLwh<2Bt~g=XrotHJMwH~^NP zgq$t*0u@YTfrx>x{_XbP;R@sxwgJ3USHf!vXJ4Y>eba3r(*yRcO?JBvJFlm%HL`)% zDyBezIuu)ewH}shdE{7Gm<PIy3T1$`(&0xdMw(z1MkM$irH7z{nebF zZfR?uIP%cXmT6_y>8Y2xhOFZEyQFM;(0e1a%*Q#m(zReu@V4~$qZJNiKPn3@?0DH^ zlbhyMc+9i-f?e)yW#LWPmSdJXj=Ar;>{PIS+wEJf>B)W-JH4w8J69f37L@sHD+=FR zaQbm;Kxvido~+b+*Ti{Oq)GeA&L(vZB#(61_PjJ{c*1^o-}chYl!~Kii3buc^tFTrrfoN5ncJ=N52T)Jv&nnlu)T|2@=Cw>n()X&{n$#wfM{)|?u83mUyruh z1o#m6mU^)015y~m7+46&;QK>mBS5Qi--XYXXf4q)(0KRT78A}IV|DU*0kMLOJQO|wWg_46aUv0)t>a2#q4L&GQ0G0&a z4~er%hi|1ViC@Q0(c%Ox$D5}Yordb)-YLw2>Yhc~OvM_CwZ3T(OPXyc&Ze^C^$mR1 z!x7)3s&jFGc85OYIbhU$#aQHN!%K9rQvi?Y5dXJ$3gqHTO@`0rh05U z=+Zyn)7dI`{!HFK5cbo^Wsj{9(!9)+yRZF@K5;0z=$(Hkxa_oJ{#DETpRCJ%wAgY+ zxb3p#u8aF$)d!Xoxa8h&$a|zHtQVCwampVE%Wm2h+;U1ke(pu1Uv{x)?pfEuN0tRO z(%fo`qFWB-x7_yJQkFn&@+bEl1(a{t|Kd#V(tQ_3Cav=e z?Nc%nw#7G0XCJvK@QKCeZS^U>k+-M*lDKq>u;N7C^De8Blh&CRT}z%=6+JUAc>#e_ zVa0v!j?4V=13Mno_+{le7Cf{md?qfc$j$=-f zWnqV;pjA@XBr9&R-g=LnvgdGnn|W$t;I_j@9#`gEB%9DHRcjx+7X`fuQzqp?_bEPH<$kkD!2)VpFz}JG}D?i z)aEnP7nfgTZ6ao2CEp4N+@-Ce`-tt+2BuN@_TwQjnV^P;;C~zeEY2cWeWFA6B0}C7 zl3&bNk`ab0NG?8j(*D&ZGO4Xu)NW41Rj=|c z_oA2X#dn?aPdOAEvCKbiU2&O{b&i++bJ5oCM`uFo8tnQ<0`Jt>6 zfNdH6g_VKDMb}3!`t9*I&nWfWde5Wih+Fw-*L}Cer3b2NAN%d!A;~|YD0?6;s}&X1 z%F16#D;|ie&I=27?S0<9DXYr5?3QKuEou2}$(B3v$_L7l`*wNv-Se+j-g)MhztcVM zsbgNVRmpQ%@ncEZD|uB5MAzN2&s}Su4Xiva&pKpLc)~hkYe30fm&lCt?R)R^G;Yd@ z56sOgyYwLSYNNR5yhE{M&%MZ+y3oNkpN<;tvj+}=iEi$hdt|9UL6qJy@2vlxd+wz* zyo8?xrMJYp@0q9WVQh+7W@_5HFb>756k`)I)51&^N8+aOT=uOpj{fs9{;lSjkc?uD zzx?H$k3Pt$I0%bTRhkAsH9tHt5)vMxq4DwJ#mptkI1ipeJQZnty4=XpmuV3J;R{1p zCdu*UNR0CeWTQh-L!GX}*usQeSS<|(0IW6@(t=RGslpYM+x_e9U*igkQ2-+0$AEE= zRBBN5F3fk%w|Y*r`1Z9&{Cp#Ft?n|Sku_Zq1MkmVNA_B+Zw-ws-+k^+AAIrFM_>K< z{be`qcSAX6_0uMeKY#tr3WM)A2;Tjc`Ne7>lr@sTwR27W%X_O#1@2sn0Gily6~k(c ziDP(<>+^w!n+pyP&cz$Ej%B<{iiC zUkLl!iXfXM&tw&)ipv z`C)^KRIoSBvIycT{`x#N$J!w(1te{0&_Cj8HPrBujMcIiHjbpw!yTql}#ici8 
z<@e0X9$1vzwJE-1Uwm`(-g_B0pV^n4a4f2^&2O+Ser{P&Eh&E@-TKnA=xpkdC$W{6 zJabQ3mR*-t+_T>L)V%PX&-Pkz{NbH1I~?+JHsz#V>F75I+aW1@xT!#txl7di+G(tT zi^loz|DIgCR~%GOWSzdlXZuC3;w|Tzh8fE^#@4VY#Qcq8JPq%H`-F6!hQ4~;essNR96;R|P zAPQzcBv;Of3@RWw=bUrS83~FxYrXT~{4;mG`+gV8g$Pw>ZBE!{pMB8h!QS}@DanK> z`0GJJMa$fs+vV9Qw^kp$08qhC_mh`zUcEF3Y8TF*UP3wpTf`e6C2US9!zT}T4l;WT#Q6};O2S0AJg zxcWeO0g{mL_U~U1tl*pa0IIFGZ_O zUS?QtBOLQE!HLVeG5dV|qC{#$@WY(ddW!q0yaAkOh?TKG&<B?rEI4kB?b%+lnOsgB z+-xYFZgJ;dDjKUuxSQ<}U&lzAvK7zRrmSFPBaZP6e#&Mm_GMECe0^*4*wUCe5p~EJ ze~9RHgdVXE^fr!HjvjMI;sIDB?SN|a!K04e!C(I7_uCJVc`+=x!2Tr`&nC0Ik*@rW z9#%h09Q~~E7r|G=5Fd92eZ$0rS05U{54eH}!N!XhbK~Q+`bS3}En#AB+S@rh8QJ-r#>Si5#2Oif>f~K8N`Rk> z2XEg(LACpc#jgMSrnYhA!#@nFxEFfZ=exh9-@K=PGW+Po=igZzGUD1|uVbjN-o@Qx zVeKQ0Y#GPiCi9I}7V5f>{^QBcF&3 zPV78E+mF*#1ZnSNc1@ARc^vhyThe1r!efwEIq905RGkcYV_MtXMPZ7qY7Qk|BMYA} z5+8AsR-xR&%d))6Ylyk64%&A3#we00D(^m3xQAAx7jdj_^Lc~a&%|_pG{i73o?O&zkSR|#p z28rC{HNxB7N`KxZ-=tb*!W=pIv6*-krJN)(C+{Q3KbkDjk@Y#SIE@A}nm z;q`(J>qkS2KYn=(&xt%{?)?Mlh9Q|}h8CHhK8v?8mEAN3`y+57++6e3zpMIys~vgF z&g>7#hX4P+09QMT2+*ek{NTLZj!^}mX=i!yf&MK7n|C0udR3%frs`Ku4c0@sAYcKr90O6TS|aBmpb6`M9Pue`9gv^&9B<090?DfEohcd-(p< zqqW`Nef8~ehaW6MjGfhB6SU9NAdKfV{dyi9KsO9dx4BwQOBmn?rl|4}hP3Wta&{nJ z)u&&*5l4?SW(udzQNK0?{#4DLMi^$4qa&kLSJb+Iu z&0Og7%aXHX?G*kzOFl;tjuE8&MCmYII0c%f|k@is~bB>Zn4)S|A zZ3{c4D5|jWN@^in+yr7{C)FfYHBFZGam00AqFdscDHq8YSvrT+bYOM$Bvma{*2565 z(fQ9p<)MY6gPeqVs%R3Y8bWD@92GM-**we#J>(5OYU!1{WM0z%KH)A|(Lhh@vr**P z3FY=zUGENNPdseCkQC2|?8HU1`=y9$x62cYFGdydNSbuKs)Vb!>&{C%udVV?R5H~q zj!E@2^{82J`sXItnxWRUXU#TF2TkofPNA+JBZVF$o!yHK-R*E5j_TF7tnAwL*S!ZU z@T?%9cWOH3e*NjsfBVtmgsn$z&Fp7C*#GKp#^$8Zd*DUz@lVIkc%H^wfR$JSEbMek zzdL{#9uYoRaeuky^mLA?2R%Hff?+ZYh(y{lxK@BL5Igw}k-Na#POXl-19*bZ`X{d7 zlcA*g_n!f0khrE_Zztus&W!= z1+zJlWQHW_W6Fxn1pYZ^(aMw+w-WT*`O{n%VVVo?z*v6d_t#i>RdRl^wN3{F17 zmXElID`*MPSrffLt1>0ER81RM*M(Cxkd(PD>crSmS@&97VC)UIxC$UWsvke}P=ti* zyt*INT)!(qU-t8iKVLc0n9}`#Bd7q857H?}x*elSaaWQJoJqGDGz*XWjjYhe?L1(X z3U>!!CG(K|jZ0D4;H3KNPrirM^2WZ!)V%gxzu$Ml+ViBXH|#6@WK7w882jY`dsB=T 
zyv(7o%Abu$pcpprMLeW%k>RWc|Bk0l;=X6G9fapCKOtz7ik?0D1eidTS|4zaF4pqKmV_zdQCVjFxP$@s^GnbCd>L z>`vpuzBz9DvpMGXUmVirHbcsWXMV1Kz5QZid+Wu2{r2yF|GUxg<5a`r6occ09}ZaC zV*^i`U$BK8XGcF%0&PLR;lsal5a;6(Re%x9Vdaa~+8GP&pks2YTV|oWI<;m%TsM5a zZJN8G56x}yx{G58kr!@F^ssqSSAHdv-^fg^Bx&jh@;S1&pCyqL z&W-zv%iRQ>B*hR`JxT<1igc8OluUyhWz&Vb&2d$YZjwys;>n^pv}_rzT7Z@i6bR?i z3Zw57u|@54Ssw<$)#L|Uc}uc|wPPGfA6YgDc@RKIQnmrE7@`S=U?#bv!i^_!5!F(~ z!_JB^jB*OAn1YspCF}H1mR&EtD{XIMiOOl>4!pbtr*38N#@X^NiZ%l;yqVe2a$TjQ zUJ1WFIqiR|%If09U=e5Kaq{3`;KZ>1tJjjz@pJCdW^c_f4P^PcHG;YyBWcI;28_IA zMlR&^)|81yea1E>rWURkRFbuo#NxE-gpF@b)ud}k^fyN=4xgcZeZa}UB+vpCVSxrq zlaQ}|v@tLtN>fU}&i4^4z3TO!e|O@b3Dt}ceH0xFqFmT%GB!PwrlmewcYVIjcsLiS zf8Gk3i5j%)SF2ZMV1)yl{!2n72{(+NN~aXsU@a zmFpGU!fL|m68XWp)zaee{Ax$Sg)5ARyr7sHeKU=*ca#BAfu9-zOBGwvK@+!8R5esx zD^5N^kqmiAaxNw3IP_wtI|U&N)rBn>fYiVPZ;PfJm2& zV?{Nrw0??w#UZNWR6vx8J9+p)M^QuO(PLINR-ulLVhc-|q5U~9`~B;Fb8AL`EiDX8 z+sy2u>|w*&^4#uy7~h}-uzlOfPDo$@omKDn;;%pb0Z8oAL>`zU!AicRBgYwcbY{x; z;TrwP!r2$ga{aqG{p-i?-@q#jT+u(d^Z)NV|I&XV^%sz;&@VuhzT*Olu=kJj&*~9S zJqUVoFG-zbbHbVk_Ae-s@RXI<%pv83oeV5=V5icO18bF`um^Y0D)g{*@G+DhP-bgT z7QWhe{T688C$sZ&zxvbnN9;V!85hk7!B#eG6I1i0#{*d{DTi1j(-1yaIz^9Nc2P{a z%KEvoN|w9?bV_7_JX%D%Hxi(qW$2gew-=9YJZ0P+xe}l`e_ko|ydf$csJpC9a~Cu* zL_>5{FG10cQ}#N^yMb#00^B{Z)%99V-ORd|L`zgvqqJQ>eiEdkc-a(DHboOpkP<7D zgKe&IKGabp!ML+>1PAz0OaearRN0F98kTSX=qZ#Ma5egGT-En8#f@aekh2_l15TAG z?BYmky;JIMRJ6Lt^I3AxR16a2)9^%i@gPOo%+=QR-V1uLsR-wgaJua5nXFxle2jJeVTrg_^{1rtH}^87E_g(l*D2m zWiv~3$3<2_N*v{V4UiIh}V59d3yAF~<9x!Uh{y z1{qsk{o*^efwB80>~-zz_HM)a98!V5o*e6iTti^`9k=m6fw~5^HpmeK$E(NB*a{`q zkM9S7m;Te)v-+nMNH#>yBL90#^S^P001h4&87u;5L3auf5zGVOd4Q^zd9|d3Go#z< zew{6m7G{4tVGpiQ;g-()B4pJlgB(NC=r>2u6I3#q<2pbJHI|gS-}|lkQ|zOs=!y z>d1+GWK|zt(}z}$I;ltS>Sl(d)gylFY+~=toYI7v3RZG4PF+owj{>f6(n&~^$Rq{sex@T9L%znK)lb=gk4-ws9;t~{j~!umd@q?#n} zb&?I?c; znTJ&}C&=}xA);)8o4DwiFiuG-FM6V9qzI|1%PFH}Wpj6W*2UeUZco-2TSI3ak7D%O z0jbNi!MS2)Lc)1%ZtdDj4lmzZJ4uWmWAbJlf{M^Sv7Afidmps8#IOwAnBSA#k7461 
znF0$|G+eu@=zIR{QTFdYvq{aJ+=k2LAguwBF^to80B|)d>`#CAJ(=wSDeBWNO%9#$ zJBEc=kz|Ax7~A_8TYT2r?fHC__G*Fgb~y=IJ$}ErQ>7zc{lDM-`5{2jPU8q65x5N) z-0gIf8~VrPFD5U+DdhWWVc{2@?9etRokQTH%W=o+mL!oWE&)dBKUsL}vvP$^rDLct zaD_5+5}iUP9XfOVhf}QIeRZO}Zw`EQJh+#B`OELEQBhzWW{L-q9$Q@?oO#l1&LE##*<{RL-mWdIYMX4kkbJ3et1`RcYDZ7xc;k8f0)M5;S17b~jtun3 zZy>5`7|ETkv1(D(u&iN)&a1{r+OVoYN9{OTIYd@8L2C1eU+{<@Ax0~uyLymXNyT4Tz3{jyY1HMd=4r3`5oUfBcjhai~)c)JNxWcB4N!6;2Sj;wuY zhj5A>=uh3H>B9ORmaLKtff1^A*&JIu4})n}MMh$CHBDOujUHrMkgXC$gRtewkhHU9 zMZx(g@y%5q=TzC= zvGED17w}6N9xfd@dX*(jKZ(W&u`yfD^<-#i^3L6QsA*yoGIbjGDUW5vb zaT9n>>qibyY=6QN!9DVj_0=P`*Dc72{@3z=0)-M~{W(%f{d0%!aWO@wdDF zpYOi>`RhIV0RwpzeSiJl&HzqI;e|&D@?%a{EV0<@S1q5caNeyry_oUWKhJ~3c96Iu zS?*uI{wKUX;AyAKg5P#<1;4`)z;*q*KK(uZ>uK*7%f2JMp@)pVJ8nffi4Q;S6b{R| zWPc6bN9^Dd^_3ColYORN9CrM4ufrY#?{9wg`Qit+JqO+Xu^;=lgdb z=m-m|2qHtY*N8wn7drf80DpmL<8uQOcE?@aN#NDGX$D=CL$F-T7F7F3U02+WZr;cZ zN@lU*oVgMB>o+-1x7yk(6E8;ka@3WUk{&y0CkQOr{Bj>fRp!tJ2o)%bYDj-}@_uK{ zC|%jX7WTOERyj#C40*Z#?ZSk*My^Oim3IM|Ns!MvOO`+yK^ApUB?3`*4M(2Cl+_cJ zT{syCn3q^kn@Ka3Ewumxs$>MM8A0g={)H<+Ll09?K~i)%%b;&vWQ!JE1a0oBWJQ0K zld77a?j%ZQh~hbl7^)z^TOCJ{&FijlPtmc(Ft(n9#*-+W#j9pevQZGa1CtMIo2aJh zdgEnwn^e5g)UP`{B6nB!r5c(idOtm?Z7?bN!b;Ss%1HcL06!C+9@Cw0O+Q{lxLz z6J6|AOU^ImneR6f^zVm}lIdSq`hc!~{}HNs*abxzK$s_fz}1e1Wm5k*+tRIJ9 z+q-mc*C)FVp5$PO(N-2gRyIsyTchdc6ZGhC6aT9=VWmvLJUtPHxxF6B0fwN-PCn!$ zC=M3KHq93KXxNo6YR{L;o#L;$C-SR?rm~8P0uz)NX{U{L$yqZG>5L-igeAU^jH25! 
z^PcH>6jcd9)lE>2z^XfRWKm;ecysFy3vx>;1n77SBFgJ`IQbb~}iFT|?=UGAlva=LT}v;&zCx-w4!AlFo33rmTAHf*c79SGD7a;M%7ihs_!r*P{7Xt@ddzx1PWs# znx=;>uL#p6m&^<^m1>GMm#nE}X}efb=qB1h|HI&?G;a?@7xHMrL~NWiAx}~{TOXi4 zmo;AL6dB>8D|3}M6B3#kvSF%pmCf`l;s|ubwAJlXva<6O7p4MSl!O=a7;`|JBzglK7dxIj%j`|LrgVuE+iirb(1| za6q!NB}a!DY>YDWk6a%wd%t*8f_QO2i-)}JWV?TX3f@7g^qsN|NXwmF8+aDLGFTSB zzJEi%!O^dIEf2<+n|=pfDp-(#KQLSc{oIi06`8)evpNchf`Vq=_OAq z-Sy}F;HUJH)45a3q?3*UGjl)7lV6Ru2R>S*JX~cz+0f|q{W~u^yz(GU->K971uZ1x z0I`77SD=wbBoGL$R`u_*9j06YZDs624%-DAv3FYmwi z8j*d%N#9 zf_S!qR*a?xr|5K*boxunbiI|ZKNXR6wrVix!Dd2ko=cE0l5|sYJ~OZO(bm;6rB`~A zV~mKVu0*M8@Va(*>A9i-vUC8jK~U791PUT_DS*snSliG(WDYgDdW2 zh&!E>Jy^{E9>fgtrt_JV!71eoNee+T2>J)2a)Kcmpe2+g*0p-5c#g@vFuNg0rs;wi zj$p`F(HNGOp3q#umR7)hl!M1drazKyK)AasBBiVDnkFqoROl)iB1)ElzQd{S zk>vMCf+=@sHX}*_M~A2J*_R1UamgHzWDI{Vwqt zY;`?!6D0neeOL`PIMz2NcHzZ<3EI-sCdd}Wvq8lkHF4i}+yeL?V{7I|UzmD_YT=Sy z%kbJkGsj)O`{E~Kr|g`8=>`41L-zmq(e7jRI0F>TntL65GL2C@bGvH}cBJ@7!t%W9 zvu)Q$YccxAV4?*f2p(_e=)?aETs!d!+C>;7BIZ>{zX_i<^zv!!<4x}4O|QOo|D%WY zm|D7<;v!Cv65*U5SXmyj3IPYaKYnWh;=O^%1z0ux!^a;f6td~*Nr8ZOCnxI_D8ckE z|MB%_`^+vJM_)UIyJSXiIc&CPWTED!JjTW&7?V&5ETx^Y0|Wz*M7Z&(q8eG=l>Gk2 z)x~k{>m|p1g@-~wBAZEy9+X~@Hw3$W@#|;LUNp5d@A}2AzyIUwXRqH&HEI9#>E|aL;?DpLf(rrtNLE+o0dP1XoCo09_msvo=>qVjvZr4Vh>Tg8DWpPX{=pBI2$lc%w+i=rC0mm0rlMPOTeokI$fr zs#&TLmS`HRLg5u_5c<~Z<% z{0V^fzE%H9_IShf>7&5@p=g7XdyQ?p!BZN1Wq-5?{`-&U>q!LzQ}4&-^+u;C-|jih zv$SZbVrdMP5c!))7^W5U<$c88=~n$gQfN+Z8Ul5du(KkRMe&EKMUYQ5UnC zIihmB9O7y}kOpq@&X}SRFL5nHG((mxgQF3w>f`viF}0IiNrk7R+7XbZfm!4jOVq-M z(~0YQ&ZmJMwT>e00{Y8Y(~MWOLQM#$JF6?>S2YJ~nm9rrOhAb`LKh7)#lwJJqP7>4 z+DKHFa$+*N7GA0E*0^3x3{I(VQ&q_FE;I~Bc1>W%W{4+W5<%{czRV91Ne)i3d(xIE@N}5CdrV&>p7e zxBqYyZBIB0`##__{>zUK;aR~@X#*-wnxc*xQ$b~CM&KXA#vir?SMZ-_XA+;ybKcEb zKiKHezXR8o4?P?_B-H8dA2?}YhKq)y z+drAZDWZ#YowHEpfzlWx#E+in4I> zQO?4413f+?uB0~d)~!HQ9#cGxldL-cOQ7k6umRO0bz&^S1 zhPjG@i-oOpWf!PW@QPuAyql_MWGHH)^V`{?LZZCgN!kavVhUPs7L2&_Yr%DmEM3E@ z0VQ((mF{8=;~>TpciJEP8ui+dr9gXu3S+yH5r+9mz+?<)($XKy+D%qN~>L> 
zqJ1tM-`cvgy~G&pFk77GZoj@0qg8n%+;S1$VXE>eiV}vV0lsIfpv~#*6$58{`_^DW zo^+oT8n{Oj2cfBhV6P!PrKkaB&C5@pMDbF0|K#`|zuCX{Cmftjye=pLd_dWJA8t3k z*N>0P{^1XMEHGEi$U@}g6CvCbL(*w{^_w30HRI`tN?7iJ^%r2p{!hpPxdUWFBuqiA z4U?Ol5#gNved?nnmi`%ge2io1@T0Lk2WqM#4oSz*SAejBG>L5N!&NS*^Wie-Cg>0U z{yiLV0Fq(m)$cz3*~KrB;Ufpn=MxU1lW2`OCi1Wu{d~-Yxfe6L9W1P`B;v%?bTtsv z3(UkJ-N565wI?jGGP)$KU_e;db)K)?b*td32V24Iy)nM=d}>S+L%d8BuLIiysU$4E z;`|kUMx`pby8yIUR+>qwc#0~XrHbzn1Z&Qs6`Fj4B`xuksBd*u`tucTB2a-ow$%;V zr*uPKPZQ01h!q!Z7x~_)rY2VqR5dW#1NMoXFv1q)M^yAuWbI@n;0i`C-N3BU6t&{I zK~Dwn51jzE54gHWZjs@J8bRBTzC@=K8TNjek=|BBw&l&W^Qv}{YO6+0Mm4g;E)03a; z@4M?a4iEI^>fg^H&_d4AfwK^l@ko`06zU)9ENB%$)cLAS|Jdi{ecb9wKxISXo@4a= zR`GCt$Qa}O<9=Is3V?A_*C@oR4VWD6p!&C;95FcI0~f47$G-dsxxP(x4>@V+YGD^< z?GSm=m||&9oPID)zu;|uR*sFVCMX+-+E$RM_$lUHuQWv}E4#OwRc&$P#EYn?7+hRF zQ=B8|Y%JNBC-T*JX{nR0-%8nUm(u5;?S$qLMsMz-{J5MlWm#IJ`VtVBbkPtfwJ54_ zynKuyALJ%ghlujSRBA~>Ge=bm>?N@1MAaY=p2*BaG(m`OyHYaCk=Fu2S>nt0*P}V__RKSZ)1L{CAgqJmkR8HY#z^IRrg%dP! z7eicmwXD@!Q|KXT^b+(z=B288VV&7aR-Rbb>87~DP;`(bqsV%raKKm65Fom9UXz^M zISSnhJ!y!f>c&eu$%;N$hr}wHG4gVk+r=)rl;r;Yh+E~pf?C(4eu{VzBU^wB>yXm# zE!YC*C9+(Rd4DRjsum~8BgE7YA|!#y_>@lX=7pm3LXB_SATwbR=8q1#7Kqj6k-10l zoVJ1X%JLLL!~HgJa|aW9oD_M`;@tI1^-vaFIm-h^2u%N0_1j`;^{;;OC5B)F2OFQh zoQJty=#}{Y_;^2Zsg@iCH$lLD#1!KSZi)ppm#6L}y0RnS$t0n| z)A31NL`@fH$gzSh27lmk+5$UD?Je=()kT)C5Bq9$oCKWn)^tN-kz2HLyas?OBC`Z)Kk=MB;m;2||GPK1Mc@rp; zA#cKCh8DGu#iaja)0SCA!ZB^ZY6E7lJzk7tM!^kH*09C9*c-aKL(w&xr7 z4{hA)`ol8}r(JtK*|lr$AOCz{acv&B^jB~0FW+1H$6jM|%vm^+Zi0(ALk3ImYo;h~ zYiG3QxzlS;vS6(9=3b!wRV`HSz<|C+;uHW0s&oWbZvZh+vAkU;XAQFz;&U9DqD%YVBucbT69hnPf1kT#%D0IJD>!$jA~}9R)8x29UZ)yG|3=S+z%X}yXJ04 zUV*B!oFkTzWzE1(BGkHM4k8IvKEM=paCk-hN?3c>F;vAA6>LTf0C5DA5kp=}Q{-Q& z=%q@EfV^@AwTu{HvDm7L^F=)@bp=%hoIoF0G{%rEgcdX~rDaU<;Epn|mn5k@Ti8!g z)PV?xE}3M>VFRl%G{4nVUB(i2xQRea2-Cn?Z*8%tX@VM)1LGK1c{fu!z?6(rz}zD- zRn{>apeqH9A8_wr_y)6Yu#qHd2SIM(qRsYHD>YqR@Dl;l2SeNgU&WA4F=V5Vh3!-$ zR=O#gcAKJ`a@G{$RT{iN>>^OKEk7-2?hK6$Ru)NxrP*GRRB}=+CuNqX8^)&&Ii-NR 
z&Jg+XEkhexT~|$MQ{m6%C^N=+Bf@!b4>ml0xw7OLT+rL~%a6W0ZL{0T&fusEmwOY! z&c@anKqHB-+4Ud0k6Q#Du?&IB7hsSM_bg6h!cFX{#x_4U_owRbQD3eEynU7n;!h~L z;mG4oO9-CmAA%R8uY3BpqtEUspKj5fZF6NpvZbw!2`1PWe*+wwKiOjmG%Tb_0AWYR z5Q`D?+28gtcTrYxBm*vDsNA|~(%PWAy)0!tz#9}$Ead<TdS^;eh>lDVc|khc`m;;tfY=EE&;6t`1sMKqg42JNvBBC28Qx( zU|MEc|B$~d+e1(SpAR(GznTabO#+t!9Ith3KTSR8n5gs0$hvm7tYP7Pv^witRBU*B zq_!ljYPQ~uA4W?OQH8hgf_x`lv8{BNq!__nE_3wc*|8Xluhvdd9gaBRjmaUfcVlW3 zbL`|fptJw-o$=3>%)=O;J$o^$YlxWT&0B=iSV$H7yE^7JJAIv0*eZm)}AVG#*U(ENdaBvk7#y8+f7DYvF!wR&Uz>f=rNgN=Xy zZo4X@Nw#2f6 zKu&lFCrrTRi{1IW(y{)M;ZZ-)ZBIobY##u}1;sg2vPKiGkVOkPJ@jedJqr0DyL|I35IaiC%eW~RSUR+?v*2jJ+C^y>~^-Y zo+0UnrjMx@a82!VNo%62nvjZ1vg9i-;);OwAEXO&TqSL;q7fJV1Q748@_Nto>g!Dd z_DLxeWg}e$`_Tgo1r&tifNFQ)oy+M3DVqmW3TS4{qrceL+*7{=LgH876knb52W4HwgE_sLS{osrmxPAUJUICPMZn{G7 zL{P2Qr`;-XqWU1!%`NvFMT6lNSu zX=|u7t*KkKxg57N5b$93?DC>l@5s5_3Q0~?sb@wR@Khdg3DN19RpYDYRD~elb1NNP`v+nHozP-IH5ba!8H?p!uXL`dPX@ny!_kYR5^ZandzkX-;H8hj(&0 zM^Oy|V+4%}ldegF?yAbjhJLcT0H>~m@)8O~76;zYJAR(+ck>ne%H8LUb1$l zxE_XT8MK99@r}}Upi^EFl6uB9&cXX z-tdHb1nDXGQzsnFts~(s)fw6)uj{IXNBYmdI%#%_mS5Nf%Z)Hbgb6ruTx92F8C37E z-q<>D|35!5F*p-sO}u&3&hyVl_Rs4#n2L*L;UPp`B~3gAZd~{Vmd>V&0?k?;L zyVD$Ux6Vmg=BxtOAP;>&!MJzy+Pl6Hduse@+BRy$>< znZhWB$eZ?{Mj z(>^IBfz(U>L5ggI>4pALIN_DNWFMCMBc9Ryr1HAX$H0PN;&{UZe;IC49K&9R+R4!T z{2}9j$1g#B2jSvfD0t!i@^@2951>KI{TvuGcVcZ z>1Nc{miL1PSM_iE5tl#Y>)*gWG7`Jqt?J)aZLD}adcav(3JDE4bLte^8YKdsB|}tz z5y}N_H|+V*`p9A2-k%-+^2MouP$7IB)a^iLZNGd6@59@{6Zr2BGE8j3;lhy>$j$Gj9Kt82Q=SiX|XaVTz4!4XhjIbKo ze7txTR-QrB2by!NrV6WV1m{~Yq=Lyfgh#Am7B63drvux6vb-G@PC=AH5`)xp07MP| za%k#tiUnsW$k$8U)s65uV9W)w1OOgaHs~emj3^qS2=C%ywN}~ftcG~i>ZWRNmsUcm z3QH^SQdV&l$fVLu2g;cNw5%KW0ec;!`w@by%T-(*tS%K-brw%9UlYg!6E$>M8Cu=! 
zkkNulxkD3$^0K`8nmr#5l0mBde8F~p!RwO9!BY_HCcTSKtn|;C#PLCuF-A^kKkk0T zSLizXy7SN}=Mxqomh>xd=Kcge9t4@+>}S=sJOWUBxEHqZ=oOrKf_6@lT=doc)4Trj zPg%9SC!F04QE*!E{Ap4oT-)4l8GiNLfz`RF2ixu|E3kvy47)N&(0Tb1+46#!&Z`;y zo1!NVSg&4jXQrYKAO72^(|)$j3S&&vVLQLWHpDM}J^@o3G&<-s`WzSy9Wmql{xd@p zJ62WO$jU=-WY^E#d$H@6|2T2lAB~T)#RVTaW7oIRFV2Z^bWf&)6}u$$KvRQO^doyu za*q7P`n&agtoBwh5Gb1b!PzJqME-SV#ve(GYRdC27S)U2b@G8BJb>Q?_8VZI0Sj zl&XQMtPhkmUY3KB1lgSdR3J4xboYub(DK3T7z;}fiUEKVCZ!COTI`TqXRn;Fm#snW zc2G~*DHhSnRVP4>VgguGFfT=x#bjf!XhT%=<3Sh$OZ2i?oOFdHYlE3JMmFdm9YX;Q zl>;v7I!{fFhYZ$mxWqS1V z_@L?fld#5Fp>tFiM^gdR*)TUn~LH@b1Nn_Xx1yqS5HPN4h5u2oE06%gfFkF)*}5!wpdJ z0gG^Ehyt#_SGEsaxFR<)qMdLIHFF9xb`04M?l(sq#w5JP_U&gsi%q46!qev^_23Ou&7w0{4VN@ zzSu>fAxT;twUbadfmQ@7okl5OpxjQ@KyR4qFG{?cXG}|&y!b|TRY*#`dvYrwxy@12js^jzvV$vc@sl>w+QK^KM%?xOpAwU5nzkM!!l`>1x)QFo42Uw8U=mt9kmxYf10JdE z!I@R(GYaXl5&#cX+d$H_fwPCbpaoPD?x~}$vN~#P##v3aq_HiwqKVE+b&AdL%^I-P zE!(PBY!zFM@=dgI1y;!jvNon7<;vajJV>d7(6V`&xcLyxKw$}(y3Ja>5!Q(TJS z)lfCVZ1p%JvFa4nU6z$u-q>ttin1Vvz>&TKmRAp(htIAdkp?O&r6y^AaGOm2s1(aPi3V3$-@ zIrGW)XiI9Op=}WNybc^w|MAnA|N87Jh*w{Jd*Y0hCysdC!p`dq2AinichB~kVo%## z%Ja{fbx&I+!2hSF^VZ6{lGUZ?+exW)H$1PPxEF%FBO?67=W=ISF6TBAZj@MS7H!qb z_R1xg{W*!|h{AD-xErWNj-t~=P{)nE6OmGqTwfP;C!fkMgeo0&R|!xZDf_9)F;LSH zlg7Oh+rk8O(dnJ%bWK!k3tHI)&g}>QK*OM_gh=(zU?qb~H@yh1*ikGe8f7k_DwMVwBWuISMv3ZW zkQ0+-jWk|*kVK%X$kSC-pOt136Y^ct23VPcmWk!o%0&n5vV(5UQ9TAuBf!+rg}qFE z(cOC^iESw~!F6UrEcMEzi_*jdRa9y&uj+wbIk3%1N1Om1;_8|FCOfW}?t5e5!Lm8V z8aPt$ns#8y!L~({)yQ@a{qIlyvg<$o`?D_$4;d1UnK7ZZNs#42i3JlD80p|y7s1Bi z6y`iE%NU|0M$Tz=D6@!Y{MP+*54Sw-&qV8AckAD7Ba#N-TjAi&oBDebq3@osR~Fm} z1d~&io@WSghisz`ScR>>)6YJ5V{D1~^4pVt`J3@4KiKX+<7PvSgj?*|5$wL08va+XY>#r?1sOcJJE%+zGI=Qhum zl?{|$)82NCR^qROU(864z1t8)Cpxa5DIX6`9d%DC zNMW(On!SkshqQJk)&SWBo4YoHH6DMgJjKcq6_FyXX%)eVi>Jy zb<}~bV38u8MY0$Yta_1X1FKllMbNrC^Opb^ux$!s7vRzSfQFLHz*QY!IZ%o%pgTZd2Gtr~Q$teK(_}+*@d6yY zpzs%6RD(XL?H)SFaknf}8qpcO#MEiPHi|z=5O+dw3r)+^)!vOym51`Rf#Oma5Mac8 
zpjE@B_hU5+$gZn;1m@SEuZDG3uAtvT(BPMx;jWRlkTckcB-|BlzIr1801?=ejQ@p0~jHodJYcUvZ$v9k*cp=A&=vY))Zm9SEl? z8)p8p`?yzV3<4?`(m;ybSzJ9}?0ndqd4_V;0Cn>iPG)B3;7l=ESi11+Vc^=>1^w$< z{TrA;LpS(D|87$MI&W(_K>x^lu#vx zcJ}=HKAXKqX?uRAe*FUmUgu-a({<+Poo7cZ#-LG|^!xrrsk z{*qK5;a#t!Ms5-$P*Ab{-GjBm~vgCO{*0?a)1|Y|SAC1JiH1i{m^oYqv(UZP zVU!Tf%1iwxUmV=K-$bm;hwauaI25JVPc7*$U(fsEYwL=damb_JA3SAj>gRxsvBh06 zM$w|PqYFnXPf~(e;dk*j!Nvzjr#V>p#A=(d>ROz%i6U(A)%7wH?|3St9KprVl<10y z-tz8c&Fx{X_AW<}@2aR`itFi;P9Otm!bKpZx!MI7DWa79D9yO7aEhUv3f47x#_Ph; zszS5cyt5~0DZ?<)1}zG-Z_bdXgb1tYDOlo)5I>7l5G{b){{+A}W0FD{1@rVF}R=oz8%x|v45tmP(@&|<4y#C5R&9GF!6>L}l z(yVPLUw?J%yS=BN9QthU!4p`P0XFa$@v1S(=fKIMw{zLsYZsm_pVL25>feqaNe~V* zz3zE1e-);OuU9SzqE6e{;mjPboucx;u?UtF4ujqb1onrIIefd%)ITH+o&xyTw6wP3 zq8acKEH3Vay8pNT{gtK76)XGr<2FIxn>#dZHTy`zQGrtOg$C!GX=s^2cZZ0&W$jRz z6JX0&zTud(O4F_|baiOH+9NH`GbNwQ&$?PVc)Pnx(@=LkH^)bPnVgYr4(R3j;XfjwKT&D?_!JNS-IpbXR&EPbzAO$-*<;vjl=*Ba| zk!<6se&vzAs%Ie~qsfn7$w_EniTXgc2Z3$}R8X5uK=gzC8YB-&CtyAfj|`G~;5>m! z1=b5z>Cx(G*qFvBMqvU)7sJvkYzZyGTn3Xego~blRkGmpo~wmz=kto(b=g#DJ_)$5 zhnEmvoL4qKojp7jlv03=z71+IMrxt6 zGMk_*qr)@`7`B7~h7OVOgESXxBCxVGs$!Lt)QY|=+l#j9*_sR&@eS=+jtt4c(>Fj~ z{^^f2V85;G8Grcnh`}ia-RIiMllPDWVXx}zFHi0H%JRt1*jKOhHqP8bR%F;OK7_ew zj6H9P!rq9ne01;Xo2{@X;N$TI20Adl*?#@JZEZ5>-Fo2Gn17h}K?`#%96&#ejrs2* zE}d(LASbh+&C5UPFJB&Z#Cbr!@b&HkyLNr?2Hp=Hpqn`c>AVx?j-@qPr1v?i=GjU(xHbUM8%B7}(ido{-a+!zO4LNntcP;i zfuHM|+v2Fm4dX>dYWQ&l+W3mn%f&;US<@f{h2j~N+K$rHIxA~|=L8ixL<77Q>CwPo z!9!K#ugrjTKf0_2gt(~WQ47_$ZSuUGasqzFi4ss6Pq0L5c|fkr@$j5Wb$hQeE; z$+qEx=88UlPdXf3kyg#YVDjt6ImVZen!{PQpPZzb8O8 z;>Mc_Q1;#|E0ee8#1|<7Wf5+|8y@O(ZhDWsxXD~q=8#_Rl-lP6ZaLy%F9}o*qfX#Q zkpeEb3rk~DW51+YYPtQEzl=!)!FR04@`_ui03~ApV zB&u#TLEHgj1yJVw^^eE@U&`JBI?nT27tVp6wkf6I#4L+h!_3Ugg3-)qKpKstkw(nS z%w&cn4m;p9j^mh_ZP_w2CypIEagy)u&%ViR&)@Uk+qJ%>C0nwVB|Wp>{qFrhT$mD{ zXaa6=coH{-Yb9z+Xx3JmwvsH-_;WEAW(ptQD!P599C@@I#nsPOKyH8Uv<>+-cyjM3 z216l8stM`=s_?m!%rZ$fhqgLA0OPl_>)MWn-eu}eq7jdFD``q+>+Aa z`H>QishXzC6`C|fwZYjdmq}_jzxr)>Nm>mZMWw4+rar1#@tJ#i6KtGy<1_jt=Vhb& 
zK|QLQg!A!=eE2rpo`g$I@RtI|0D?!4f*dA&bem`8mcn=Ulz+It^t}U~sV(-Q&Gw-k z&e6STL)-16JKan6x|i%O9Qs?`ie1&yJIY5kH!R&&}QKJrQT*oKN_>noRUC|$O( zaB6ez=vUs6ZQjw{zKQ+d4U#psC#`3zV_=VG=%9D-NZ$DA^5xf>*RQX9d%bu1W83f- zFn85XoKucpQcYfj?Spn?f5!3y+TKr`Q(FQn_88hfC|Yy4Yi!NH6Uy|GjLwhY z@D;%QWo#EO@Sfb!apQ;6@syVt@=T7Vi7aePpjJTO@1h7v3Qo9aQOvGgdr-Q|Psr|_ z=bm}y)yM?lmi?CjX=RN|UtP#o8(T$^dZKKcCaa7iM9$21Kf33;cQF&WyB-ayKu#m~ z-oAZGi`@0^+}MJ{Q;5ezL93k)D*R7%ZByUtJB*) zG&isDjco8w>?&G*CV$x__vDOs^*;O3&jUkygX8=1$G-}Ue3U;1F@Nt>EPJPTY+cQ= z&+PTn#*%SI{o0JWmFmI)QFbfe)1b;M6PXHND-lc5Qw5n)LxETyU@BZRg;QiJRCsEY zIc=E@YfC0~l}sM?5A4-U!E-=9vL7Z1>Y?-c;fo-R@$`K%_~!JA)w$8HJ@ZEQ>l>Go zkcX=gj8OWF7t{^VtNq!2)`C81dYRCi52QGbI*TT>YAgY<(iKVKB(fA#xm}zZ()wC0 z1q0@yF;i&FTsEo9>xI6qYGPCC>b>PdUxd2;RzJSGVaf8^sa2(u>w?pt6s*{pyW)^{ z`C-@ee#hwcqE-9LSMM@bO=dPO&FNaJ3wDdL>I|+Ds>l+P%!{PxEv@S{BfCY@yX51$ z1^FLvE%mdv4j7zlzRnFXOmt~0mR-017;@$k@*lr{O(;=5;SZx~n)g50`ph#geGAs@ zzwqHz)^d)xn9eOG$VO<2szg%4_MJ7~-u2u*mxkPVANc{eqq`p59J+Tw`S7Z3-3l*} z${@-sAPSbMY#3j&8?JjtPn-t613XX+(FX2`w)NWmdv|{N0seIVJK!PD6=@(@qmrof z#uA2?WlsB2bNXS z_n-W#e|Y%gcVKvHNOeE=dgMo24mv`Wuf$;IBvAk3g;p$F}$x?L%Bl`Yr+Uc3# z$iC(kdol_tC=`r@80qCFg+wVqc61i$6+3Be8ac+!q&qlbJ4fge)4U3@U21eF^iHM1 zA?IXD$u2qGAx?G*5(~7 zV<-6eiMisWY+*vS6z7vuv!tv{slYB*$cQvidTaUcHgC^%Fs}xkJ50ua9t?sYPxl62 z=bQOGD=G(<7B+UIWqGSAD)(>SJ}}-tFxm%WfmZpua?ujO*71l2UStyjIZ-4&b!OxF}Aqx55 z|4icRv0UAY(O8Bim8wXi$TF3wHGEY$N!?FYl=Bp-hGxyZZ-QT6b$)wx4Eb&bLEgOv zc_?>`_ii{n9t>NiB5EoLnr^VE6l+TV^kQUmA|p0M@ya~rAD&Bw()6Fdc})aEw1KH> z4}OA_l&svkmlm>^iemWUbbTN_hzFSOpi*O!Ml2;h-;l^~j zRRIAeiymJnp@n1&KM(8YVG6|f0zsUQ5s}S|%;UuR>5)a;*k%K%C!JX-iz^gG^>58zJ7enGEU$gHV03e4 z>B#PVXV09tu>H`k>)+md=fid1KDu}R(Zg%^9`8Q)t)pSJdvFKvWVA!4)kBw{Ni#y9 z1{1KpGi8ID%6dN4+A2A8eY)6?EfkkZSjD`gN?CllG$M=kqL(|j&d%s9)R~xz%avI!WT5l`3WdA-2g-i8JojGT~8 z9a4=SFt_g37ffUpWuE`~U^t#emIlD;ilpkI$s1paFuW4U=c%39MYXTYPyEfF!s75M zp}v41bg=dQg*chLsOz0C&ObL#!c#(6a1Z3puq9?^7URbC;J3Ftw@-B=4-X^Ax@%|4 z9^K8ne9og#N7AJxlD3AV@8$xBN|cjC5D^&Cfh8N(et789ji;8Z_=3ST0NCb5f{5ce 
zs9G>R1E&$Xq7=S3Uhe8#(X;NW5Bat#bLGdd=aNqzV!#A@^>y3SzQSc&GK>4DG=*Jd zY0LJMs9B{ld_Fh6fQ>2SQ3}|ULLMQ=!+69(pGe>nF|&o_Y+*`{Fd>H@?dL@oOED!< zT#c4hqu~Vk_-s~^pOfTc#s>tkes(nADu)r7%ZTz*!zObSdnd~4G>O%kxMFE!Kp5%g z$N7agzlh`)(lRB%*PU zvcC24I}mGo?KY5de*!Kf7*Mnfylu`Oc6V%oFip5+fS&`TiGgq)B_9r-Xzg94Gx|)b zbel+>EtTa8=mAz@DLYv-Xdu7S{*8}oXaW54R|KNBVxaAa2GIFjs3@A=ph+DtQt9BY2T;Lo1klX zXYL##ilsEvc&(AB?!xlxokeTcetPPe-_Bp0#0*bhERN+xrzl>H61))3`LEY8#+=%t z*Ad`N{q7|;M^;HPbil8kC2@#kDHpF4eSOn=>r4ys{cfmNH_p}Gzm<35NFJFTO_jSy zx(1@Ildh-;i<5K?FNbR;u-2i;xPA}47y*_x?U?=Ji*fNd@$8j*uy-a3y+T_vL=_|m zEbI4tQa|2h42&BpH^KEpHg&+V<_foShp=l~`otmM=-!$o`->ajAQKf1l_p!t%;Bcw zvEuU?2?dPg0xmX>o#NwDeLQlufRHP~2ZV_MQCyxd4vJD9FD3&wr&vy0UEzJZzM#vc z4aunmVj{dSv!w)ha>N9`2>n-CtQaRPtlmcN@Cb@Dm|SU+o0pi$PIhsLJ~1m-^qN>bXH6o}a_T*?f-12fQMHl;`mjXz`Rho$fibN+f+(w*dr$!bks2y3_$>PlSJBrE; zG`}d($4h{3$}b@LI3zEdlq%z-O4%7gj+@WT<}l#(Sjpt89aVIyyKInTC2JoD_|I^`151#q$VxBTUGBuN-UP*I_ z)cD!6q1!jS*U!`;KW;@Hueo)$_U^UNzI`PL#CVb{K+rWons6fBqfaXb6hUhI)2{}t z1sr^E>_SorbQ`F3a}op3(Q}PuBxNaC8H(fR_Fp}i+fu0utkBo)f`PVj`5|@xcF)@L z8eqhYorKp*M*pFz+#ET#4!PRO13!JBgDb4I7h-P;lBz6&?poo5wyi1Y92l!A4aX%1S5yct1qj1j)T#$ zsp9SRyRL(5>CQJd9zDMQ{s-%BU%#^PlTYqkx&`}wxB|cV;ZbMl3P{Cem zGGRc>ED#cd+=P5ibV!oq6D5_p&4EBZRp}`h{>n81TJl-&q68HZP{m**3wwDOrpd=) zV}3Ma_@ut_ZIWKQ@6!H`$-#K09Qq%kzL%n`crj82zj63=Lm7eJI5hA;#DYJA#CYeF}Rn8EH;*#T!oh-e2)pheiCGx|^$hU)!Z?)dKRQ%riS$Hm& zqAnvCnlXy1h!itqCjqYDE1Z3RLJPh!To0dqO_<77)QmHPCc4bd)R%#+2U%4RMiQR7 zcZOk8j7G#*t99nh^g<{I4U7~To$DntJfMdu;&z%jTh1xI(-g8d?;-D%C}EGult z$;eT0972knPw{Z#Qi%)G2=k!kxLJ$yB?+Y(Y>67vkjkjFF^hGiEMAiLKYX%jZBN_4SpWE?ne*r% z3w{J3$bE>OhHE~WaaO;PGqlavu{m|>7)0KK|D^4$>jKQ{J{{esrn_b2Og=u1k&?m1 zJ4MuxO;MbxC{I`WRU9iZ#z{{smoqA)bf+@e!jI0;QR+PE+Dt`>o&(>AIpy^<{G2Kc zxz{CYGIL6#q+&6xP{hn*(R^H*otlzKPjE8hb;&Phaic1&tQxy~sH)Iov4|vQlealA zuo0$wMj$*)!j|ESz1Um z_Ry4NFNO=?w+z4fZ+<}eF5o!}Z{d$m!Eoa-dU*lJJ@;}LUu4D`s_CXix~LLQVSW6! 
zjO#ai-`%W1zFCgkt$uj5HCMK`=BXOG{GS?Es#0S09$Q4!jscdFC%+ z&;0JS*kqPH*!=a6sDd6|w$HzwM3cE_x)Qpf0tAKxk?zpdV_3ODUHD;o-(~gaVcy8L z%)veB{a`yhW9&P^Z~Tf?^{H)S54dNzx;D5Q*BY~7Z)A#!O~PYw8ii6TS9%0-6&7ZH zKtGUYXv>myxMeL4QHhpNs>cUp@!68NfC`tdrRK=VE)l^c0+_`F)ucwdv@J_js%5yD z(b?RXN*$q0lhj}#G^Y|PwMqHnXlTOQsy) zcQ(J1*}K)$chEF`!8moxvhq7t-0N-?D@V=BkH=m9eD5v@h30W-&|qWLv!=$f3Y!uR{hWsf!<9<56kYN!XZ$Tn2|LFe+2aJk@K0;QKVR8;C<7B>+!U_$}xrj_Jlg z-4D2$g?R|NtQ?;~J-AvoF&+7JqupDNZK24eWPMqRsulX5dGT7v>V;7Q%vE4w2_ez@ z4_p9f6<4=~YU?#=wmA{u_Z~hbk_7_35yh1eTJd@;fxq%i{iVyUdsjlpok8Tb^ZRSA z2Va+U4M}Ng9bQv`(N@Isv-?Ii0CHe0_{?u#PvoZYO(CAtBbInDLfgOnDPr?iGeBVe z^NWcDekRjgLDh%g;%Uh)ICc9hS!b2ygG}j)ZfZs}u?v>G>cMly;q&^zqw@BRDS;79 z&wAVN7mf*#)a?V!UD1j|<;%CUyzy12?+rm(s559O%Mf~G1REI+RPk{}{ z67v;_L3LuDGBF!2NBnpvKiMU~4Mr+p^uO8aFQyt%rXtx#aI+lCN|i}?G9$W zl@yf3=Wt^J{G=iYu|`TQmGhhuDIUvq)J%aP9$b!8)5mrF+gu$VS2Zp>f9%qgBZrVj zH+Ss%pr$2o^9&^3LDhcz?X@fCj_rAHXZFa!jfakH2O9U)$B46TEHtsx(6U|E307(M z)0ZH$$Y_UHlp}}Zj9nxo1z8CpZgi<2s=g^&c6H}V1 zYWLfV^^$aQqK^gF6H0Pn8Wbn)Up}oMOPwNGh&=C-Vp+>2YSunjDOew+8Thy}|NFAWXFpj~t5hSbN z`Fu{mLz(doTF#W)X6;2^@ibyqWso>ynBl zCQh!ws4KzPA&QZ4_}GItS8s+dg=HEcq1^so%B$7ENT`j@6nthWFc zcX-AydJe4fz|q1vxx+j5Rqpr}vxI0Clk(D3&4pPt9$T)4pRJ$;wY0uG-Bg)rtXSP_ zr|tInYELF;T_(QS^MDioaG2P zJT6nH$dO2cB2Jlr6r_fivliBg!s-=aeVMp+drFBmvQQgapiT@KNzFc4Q-;>d!Q1fB zxg30%j9wxnz@4s6iK$g5Oy!H-ZM2RBC55VZCpRph#@DzcHP)0yH{WL#GU<%s=BdKL zjXC27?ciQG1ZgQ}bYo|AM-G8k64;UeuAtFU zb?w&IETI}Lvp0{#lHy3p09o6K=anbYvOm~#ZgBGb=UxU0pD-?tyK&=5z}1P_2RQ{b z;c?gm3<+>mT-b_F6619BV8_jrv~h&C>UzRAUl;szx9F!Up`R}Dez<1%`ew+TkHN?+ zcnC((mPS%7P^@ao2LAF~WO$wc{p-W>pF-$LBQ$W^d zQ)RmD@$ok|tY?~h#%i#;ybdcf(bz8K=v^QZ02LfuVbcaC678m}@owk%G)lT21n$$* zQg+BXvd=!YAB0i$b(JQ)icZ3d7?R9E~8q<)`K6o z4&(5#vkOEjbD~6-lt^DFOH+~6YJbO6pnpA>%oHy>#)wYH5-V~gk|GHYa8=HYZ;-`x zY7?3@kqx@Y0@15}(VR*fwlbBNBTsaT;&Q1At3-*_;uJt&K50QYGopqcRml%;)hFgM zUUrcGnk$P88VE2RF>w>EV!TGmX0w@eu`#c8jlE-I))MdoIm+vYX(xzxW`H_^5?n`5 zfcvF(|R5rBT{N|_o;Jy9`?Wt}*{Qlsnlh6F;zukTCU}9obR0Nh} 
zY6Z(>j=Y;IO7r9_ym3AI$J=?2&bW~CT;zJ{H#e$Mvr;gUOsuXIaJ2}px^V6h^r(Q+ zo8KX)zeQ&6A#2~+x@PScWAE%yrxukLRl`S#gft2;0QEt3S{_L#S^e%haN-iDhpbJz zECWFBH~=AB+M!FJa0eM?`q(Fu#_E@p1n-KL%<%!Rs)IW|7`y;u1Z6Ib9y5c9>-eeq zCGUrNS7lWUXdM+&O^(@;m+i_AI9&DluF?!iRXVrVFYj>hi$rnx?ATg0wZzQNfq{dD zTa%#;Y6S*DjFAu(P|(vDQBGbQjJN?;RaRk%j+ZZI=871F;`u>UY?g|ofLUTq$KcA1 zwS%8H%EqkuO|tYXcd_5*v7~v@bMgz#mfWnYI*TL2>a<&(>CW7&RCiidu07LZ$@H4@ z3bTB9&Qy1LR$(DSV;+8Q)4&HiDkj!z2-sY;+%Mtfiyh?^a{ApD5p=VCyza)Sm>eg7`mn(yk#4l zzy``9Jmne7Hm8p5Fb|=$ZNL>U_JK_;DqWEvHJ<z?Ql+J2f^KO0LIoZ%bIWzK^YZBpy}jrA3ru*5K|ye zuF#Vz^|T@x3FhTj}Pl(OpCPTZPEyDYx#2hsvOGR}lDPAoDT68-P0|&Q zQ%9b)Jz%e}8=NYkRVFlQlzM|jq|1O2x2|9yIJUKX)hYk@F>C)*-3$^5F_=Y*QblL4w%GF4W!)6h`Bh zv{UEB6>nmcsW5UcD6^BqF7RF;s@voEp`7}aH-1KXm%jg}*Are@NKc_y2`mSml_s_L z;llFtK6v8}^3uyVg079GL2)HkIBaPz-Tyj>+{yX=lpZ-LLoRymTsT9o5`zlMk*-t_%GkgI%`!P22KO@IMEeR(tnsM)z5uub4*8 zKIPqUR@`MyT<1;PmXF_-^@DBNtb6!){_u{{p^xeY)|54LX1TM?I+IOp%+y+7bZ<#~ z!9`y9bj}0gcRwekK!hojV9GTFv|Z;d_OTadGsCkPQ3ZTVnT!^o6S7$(mxOEAD2-~Z zMq%@$S41ulMMmi(lO6NPS&{tUt2oEJBzp?Zn-cE~PtJ%;$qG-*j=>a1#+Sq=)g;DN zVdBck2}L|oDC|`UHbEO6PV4MnuFde!q^f`-sYpw-Gs81jF@6OlOG>dzY3Xt{tnf5E za;lu=)rw#f>K8GJq|7`v(IQPWi<6|(a497wRmrn!RT{ZOrPMk6#lDK3VDGx3iLIcl z2U)$Y|D0y<3Q)5k+7j+W(7tNNkAXZ5lFN)eV6T1B-VM(QN8gFefx~bo0=}qiVvlpM zJHcTm6jez(mRW~CLrs%_p)_%dKYCsVDVYuHQ`8wJE^qgTtZ)V6=sPKf!AN$AAhqfI zcfce@_MNGKwHVT8`m^)SS(5~b5gkI^XCTd-rb#X1+Lj?h4Ea zVI~IQ7hv*s`xcO_o}C+s6KAmv?JRXg3XO2;>S^qJJ9=hBv)PhWlkc6|EMbxKFMUZ)ABG3!&4J5poD-K4iG%*7&{4HxU-(hF4l zpo-p|t8{VaS1}e>@M8+42?dgrN--m-Rtjy#1wz$4re!`hBL?S-P4-3MJPRrtnk8j?d;>etE|6x4 zr8YVV#;|?~uFA$PG!jFp3^Ok#OGQoe-S# zdB{6?JY(V{Fe2bm12k0B69A$yP)*qkD)~W4sz;uZpV4>5cY=BX>O2r%fn*4rQgz=k zb@y=~X~Qi^)%69CkjIy$QY|kMnyB-t)Y>;bvn)NUYrACYyJ47`(T{G^H?G4gGR|E5 zDi}1f)jpaAOw^l5nz~p{UU|=FpX~#icjUs?NF>(4R~K{DB~(c;nVXx)Da1*upr?0`X$g|gG zeH8=J>@i)(R`uW!AXJ-|p8>I_e%T(?^7rs{1%v{oAjIkUc!jNP*fhQaa3x=|M>T;) zjsiOuY)>?!d;ck@;4h)c1SJ$aPd`CFiW*$QlQ}x;8Qj;he3MY7@>#ewX{1JTY=b(| 
zOL_&Cj}>|mOc8woQnf`GQsYYXDdn7)a$!=QG#QqUr4mkoPNQ}>77ElaW3`J2uEj~- zh@_mwnCwM(_dG)S0&2#K^z4^Oo&{J}1m3d{m$ex0j>YCg;j*8@WG1T1BS~qIvHXNs z>{su;<))_qw5$|-CW{zUvUA0-{)>U(K&6cin^-pZ^K2Koa`|SDK;2@B>86QTtDU^DQ_7 z==#3Y_I>f@`#Hu?a$-4laf4Yr^)46#8agh(6bR;8fGcg?TO_sP>aBfwK?7Z$1r9Sb zQwuC~h|0o;VETb07nNs^zJc;h#bafb{hF z^`lQ=rk}hHFV7sX-!E!1XvBFYMnf8<*^FOXW^+@+fFJ=2?o?uUfdpHs!W7G5VI`Lb zlP)nXQwS4FmR+hSZt4C@A}4~Bu^8iBl$^f^Q#>azFN_$POU-|U?0tzGe3=lKkIP$x z%bSA_%){qLU<()Hi{S5n6PuANC|;PL`t9=(pM1Je&LF4q=`P~DN+rHpg>w;JZ?@1| zZOjTS(anr3(NLYN*fervw^!Ha(>7YUH9BgOiIrq(Dw^I8zQ;f-g>9p4;2?M@KgHG4 zV)aYC`ro)h1+Zw<0*M*atKGnPeu^s<$RYTF#krb7Xc0`bd2;v}B zUW6A0K#a`RRI;>HV66aUjjm~?0j^Z7@HZ5BBV9d4RFplzRnw!px`!vDzB>_*+(?Cb z6@fv|L7b`^1LkbnJTCBFcqKel4bM=;G8WVHg-m@FN7n%6#x!wItO+p1&IC?6Q5Ax( zPgj*-In)zZj=IYmlm$I$;Bq#$Up=}T^&&w1uD{eyyn!#zeM!EsVr^B`isAIOG3(e@ zz}r+!!Oj-~vp{Bb0oGVh;eUnAe|rZG!KcsDG6ip+!i+b3RX=qR_{nJ%BQm8f%ODOJ z=+y>N4tsH>n&6;@0ixikHM6?2B<<`{Gb>-y6w9x~#D|ShBE}KdPtHyjOuF^p6atZx{7&!90+;|@^ z3HW{)#E2pxu~%ZL_BA} zMXfjDie$+_2>~|gS(JowDKncCRmR8G$Ov^BYEYU|Vy4^0NlI!MFxWHu(MpAS`i&fg zVg+>@gtP!Bkl{Q<*VFI!39gQS>=B@aiZxKF+7n-hktY*T_{+hA*0HnT+^gyS%rf)| zc&lnV-<^KjJn&)mpQQ^3HNk|!7Et=6Lr7EqUU23?Wx4emX!_tgpH7b~ZNdnkN;H9q zA3QWoJw&Dgv>;FtvPH=1YQP&=T?=oaSUmw%BY1bvl+AQaD@hJinZLu;9pl59gzt`F zk?R>(E_FuXUL`9_h}r?7rW&mKdDDnOqFhUcuNk7M$eI;Xd1PHnJ`P2&Qoi}i_pe;dy2 zZ!emDQ&c+!DqvVQKqFy<5!S#Z^#CycQPYEe`k+I+e{8Yf)1YMWr!Rw_1Ni0zM>Z!> zwHB4Rz@q8OHVx)!U5t5taa2f)cd(=V5@Hqy=i^awxmc8or6A|&7(pG=FD4@=_8*^E z5{e+LGUdUXuGO5MxtO)D;|=80eRDJ;Gm49BJ^%COGpP|QV;l!LeEZb+=a~yQW0}>+ z?8Bw0g}KS}&jva_U*3@}jrEx@Ep|e=J{hir6{%taDc;T^!=^aErPRu3<=n(_Zfs8~ zr^lnHb;-57B%O=|W{;`;V1#uDRre2}S*`|H6GPDI=&!hX`ZIy%3IzNA4Ogh0CR)(I zz8>N;h9Dvn5?GEH`aU!cthEljWA1r-@;%eUXT^)Hq@;X*Y<9JM$yb?6c3Q#N8*FgE zV5H`6U^;YQc1wASpQg?ss9T_n&{TEsunf&KT>~T{!2_Eb=;z5=XzA<0#veTdRdDt- zLE;0nSOf)%E25%gG4c8H*PFfvT%AaMZ~~9ktE+7>_`j0nc|=tYPEkcw*HI+RbY(A9 z-AU4PP)r?=jKk3MQe<6Z2(wUjauh8LMIFSXqI(}r4M82iaM&lW&7_y+^0SLFAsKDO 
z46W{?=ky(_=9QV_Z+n(Z60-HQ9NzGk6Q0gS@4y5xP;MFlORL@5fg=WpR6|*pC;xxy z)l(EbJ^Oxr3#TDaT%e?bi(_bbQ$^!4i!$A-RJgfV7b~LO#U3b-=SX7<~N^?R|Q&bYF z!o6^#Dk8olAsM-P`-h?B9gDD^>NAnE*LPYRO^X(M`{wY0arn+($yd!QwlRZdj#Wgm zh}oGM4UnJHSPYcV!i?`TvwF>xa#0+R75xUDSuH3n&9{w!sPGVKc{FrH2V^jKWsT0l zItB=MztpS$0as|rg1aGFyPo_ju(&ybS~L$G082@I@3^*Y3PkkXYgL2m3mLhFIHxzs zQ|eo_$ujnlqVH2QmSy;`zUps8W&YVa$33A`qB0w%0UT{JJamvzXd9`T2BNxwtZPOe zV=G9N;cTMoTEOTJaK%tIa-mphI`GO4l6H)wDqKwZ(}nAGk8cC6F!zszbnMK1|#OZ8neX%kb?Ow~7%O$}IG zHCdM*OQxN>ebL`o!t(~;988@$0sn1!?MAGx!qzvIziN!?*Ql!XBU_fHHdg3rYLi?J z+sJZg1B?&|GB69QOCWM+;Pv=F)T>|r{^^1E>s#d$+aJg9j)MM;1(lObqRgpKw|Y~7 z4$+W7%atz97Kaz8aH+JILbcS(=X?1;(;{R^@L4i!DknlP@851L>q4gbS1(+!o5w}Y z9R5Tj7<%m$q_q{9J<&b?_1*>Zk(n9f%;}Z|^BbbVkPGL(uW6p18~GJaiX1<^nM@se z?FHo1W$)+7y@cOp5dYmN#M?MnyOOUL@+=C4keep0#@=PB|n|B%-_mQpsZn?3?gEXJCRFbqF( zw6Z@-Z>)*!F85wmDjZ?*VGy2zeP`%pvbV4rmmIsw%F8bGBVJqBUNzvAcr@g2?d zVdLb%jFFw*uFvx7*5u~4==n;Ahz%sSDibbGys*tdDOD#1#VN&7hKrPvujIOgq)Z{s zB_m{r5;I5(HWs^($-Xz{&zq4+kv(5-HOrUGn}gIfAjeM(%$?UgZys{`G%|ClebM5& z#fy-$7m&u@sTUUR7pRauM~-nMZ$^Y8Ye(0)TW_PvnC`3bRgR;}cNkTn;#RbqdV2i*`u1rbg}T=Kf~zOS zN>BPL^ppRO_Xu3{V7i_;#S&a$VB(RpMHNrDu#OX5s$LuwO5gbHssK;v9QRF z`3sOUXOWYq+ZRRDg@q%hFCq=SOaHoX4?}_+o;}JIcm3`U$g0V9Auh;^1&T$08d;;F zxf$`fQc{^!XlKW^W(o2oi|h1pEmlmon-?+*4H6kkU<Pb2J2V6nnLO=B6paf{4Ml$uv<0bIect15jjS?oS>^SC+3Ow|P;3>sEB@Idbb!eo*HZP$}UA-t*_ zBQL>9i}CVusv4$M^>9!^$pR4K^-VZU14#?T&7rg}{^q;7AMaRxJ}Z2DR`KJF%-eU0 z)%Mq@3O)Q2=<{L!$k22Vl+8p_J;7WH_73nh1=<>=p`mHj2Y982F0J5dP+XBr)dXW1 zQ5E3IJ-y>ASAPBu)8#U>L4f1=%%ykCBUep*O~0W;cYQvYJ5jVq9qXU2%b6NXcIceL zIquOaCs?Bo9Y!xW;GZ)J@wof{B~Za9^QSKgfs{Ua8a86CzMVDW+Y-roCeU{*1}I8d z>~K)!ln54gnFwtfY^MfaBZ?~KgcV7m3!v|kCKPg_T7^m1I?I=a&DkShBBu|3Az_a^ z{}NK$ip*RbSQOK;a1nCuB69Lv+oI^YMbXIV%Se6S(!Yl7WC)R?vxm5{!53dW-&9*h zO9CN`SAcEiL^QC&8-eD^i)b_w>I~Q(7q!ifuQtS%8B+pUszWDd^Yk(F%(VJXv-%D` zEmQya7BKVVL5EcEDnmhqJ}|igudOHEO6cbg!&!-1H^86xwehAg2F^$G^{cvB6|REF1<;-v*z zTmAQsk-fL>KJ!W(nP0?Lx5EvTsH>ouDyZ5b8b7PNZeaWAeRO*&Y@PHyvk(wz7`&ir 
zEB}iisqURFh>lHhupFbcuF(O!*OK0wmOWMiVILq1g}V&=a6pcS7Wsd%Uh$S(7foH2 zjGc!cHMFb+pp45K&aWKyx(jpyesQX@$8T=43u`qn>|fYxqxYy2p~5(hIY2p@;41y{l`)F2L=oj?wm+W%?h zRK?K#kw4NRIsUA?Wz8Aw#fw?g%8}mYH~LOZvrj4th4SxCsK~86Y9lw-YTjIAd|L zJTNCg{os4#$45x*^yIUPl39{UzOoBI3uJqet{moFbdC?)W=?){Hc=~<)vf~_v8oI9 z>1V}Fp#-Pg+~jI_w^Ll6Ca(57#>a>`8HN^h&REbhfabHqixJK;=sdv&_Fu)7VB)%D z;+kyYB1lBR2nf2?qNN8yL!YZ0wN#ElBQwcp^b9e#F3X&+VF1&hNrkIX6N6fqUr|c5 z+#&_D)WChK)KeWbZ^n3tC#)%KE^-d-uX^V%?wG#_&91I* zTl&H)+xSf6)c!BH#DUnkUz9lg^q71Vz1Su#5fhut0zWGOn5zW}QjwljVVC8l%555P zW~MWqA{3;ThbDJGL@e0EfdvhEmHR)>uRXvoHR{)5^~*b;{dwvI_hc4&2`yRU2Vg*I zf|$j@Bk6;uptZ=HD5(9k>{UUGs30qEPV1z8`4JVkNq6m( z6$~le`IjDCh#@C}S3ew5=*3L~VI@s40wqg>DJ=WQsxL2njqaeIeHDZ5rh#^@tzhUH zp{0it4NgEJnp;{)S89vv7!ST}`1yt(xsr?AD0+A?@7wPhyT&wZrHQF%q)Iv=%$KI> zh6NA-Oqk8Zi6SpwAA(TnAHGG32Rol#m;j@AaF1cBn_<*I)>X1~ReW)YEu(zq&Z!6~ zO)VRB9{Pw}RyYQ?$Z1v&j2(!0@_r+OTX z>VVGkU&WPTeS;CRE6-91QV!yRTs_+?Af&4m8EQpdn#HA6`m6@CR3hgI zNhA(|tt;<&Gqrk!vHo2&UtshwtchVx@(ZZ`?}&PO8vcqa@EC+-)n9N0G$e>;Is#!U z&e6{tQ@N>w3Y?uK%C}qkN9HROzQ&5l^^=MM9;eXAX<4dWc2YHdM$xfVQPdY`g7DA- zDQp5$UBuLM;Z&UzT{lAy)6TMFmUB*w036hTY4G(UKr12eu%sqZF3QwRGaD`ngRXa>1D4HscwwlW?p)jn6t{qGOWT@4!?HEYsJhjf7&g(rk1D=}=7 zG1QLN`rY{hY>C%Z*ViyO`A+Znq|uI?y|P299(v(5q`nz?^}g5V)`rhRE}TVX&i2la z?3fphoP_&e`{*mLd@Q3Om-m0^Q*Nnp%A^0J=fzr8bgx6N&aFw7rb*HZq6kv(i_XYt zO3UpIb$zJFovc_r>l`@*0k2O&SPrR&_NqsKjExT1pYCX$PSl^y6MmU0pgq-7L_M7< z{C{wD4mGqN-wCWLQ~zObWO5CE;#%T!PO7kWs?cu}*7ePm>&k}O-rT%`Y>nm>8-!hN zfT^Ht^t8NVGd;7Sb=mYsJKiS?=nOEsR&^#TI*95H7$$(t8d>Noshb3X0a$ZfzxB9h zcy&BcP82vGg9&g&P&WZdhNfvpZ;r~!1PW*AYVY++HQ$}fNA7eW-vGcWu3xKK_eo(q zNx+aav1CIm`8ZkDL)CR8Yl`FKUa}@1(xp)^((jSk?{1I2`RQ{n$;h;Nrm};nYXycO zMOrEpS0tn;E<8GKsLB#nOsK(YZv3ES@?hq&0dZaat04Vb+U8$6fXfYNyC$$XS;{J5 z$@fMynz0EUl5L`jPT+T3h+Aw(vG%^q+ zpquz_xI!mXfB!t~)&ECa4P8ZBtY2^iZf_Zbr|kV7`q$)jZYy4-h+?^QqQ?ojI7D6cfkbm*Vvm7%;Ok)-h$Z3Qc!k{~nOLf?xcdhbUzf#6REPeRSs*lAYH{ z6=XqznAB7vkQej$jd*g}-iv<=4dp9C)5=;1f;^yE0!s6v%GQr!vb>32W9ZFMPB72W 
z{YHYd$iH$VZM>CP)8t#b3;Ysc^{i?;l`(ebU&R#|W`cp0VF=|QffodbE~V4^WYfDL z$3z9rlOq=(1421`Q#o>3HgO7=Ikw5OlAb-1@g0zXXl?tjsO5w1miK1Ay1-#@8GL}Zo{kg0fIexS2uSv}@zd_D^fn40*`tn~po_!HH3=Wue%jUkcNkc_$?rOGS zGUZ_g=|ZbC*2%}-+x2A#;&mFf`-V@t$4(jh4#99(J9Sh(wog8NP&#oCT>I1$r-6J9 zJYi7Z!!#Jyf)+Gi;JAMLoN@xZ;AVlQu2^~;d>y9bM0JUuOCR0)GeFQ(CcV!roKy zx<>etKFzXn7f_h={b%GAACisc!}@xVyOzTZ0F7s-@^fQ3yi-I zWa^Dg>o*^HY6b$Td8EEN+L@XLZ=F*I)b_ioN^_K_K!ck_wA3!p)-%T3i~tv^^$-g-u~4gkQNr# zOyjv(6iE(Cna5X@@&!#;QrhazM@K&Cr`j9kRh!_%*MMj5@G;-&qlAL8=OheuQ<SyUb#(J3L%>`36<0^h{a`k7$vU(T z!Vc2Mj@bH-nL3U;hqtBnH}-9tq-6^!Zb5`R%i7o?(wta!W?s9_ zUQZF^vLxj^WiwaaMzFxRpa@u4$vFJQ6D>dAD7$g27;@(k=v%*Asg z0iv-6Yib12AYD<%71vXkp=V!a{N{N~3SFN-+2!$O${&lk&)r;B+!pqGq@fZyaD439 z*Q(|ck(v9*na7Rusg19tAO~lE?5S^ydKUShy^QdeVqS!w8;7#IM3h2GVs=8<{wuSf z1uzzMx;x(o<(hM9pQ?X{a_E?1_=;rUhIAOcx57dbT0!_WLF8_NW%1Yvcn5Yj@*zmW zIRh<$5_W|!j~d;JDrmrD9$jzEpe;IpYUmOG5?-_LKm`LzB)qKP)BYD_ZvmENp0*V|MSM#{r3O8 z?|#SeGWX%(fP)Or#r3;>=XC}c@3e|zYeL%=3rfP2Os zj?Vs)78=^z>(x96V252j;GEoG7epJKyKG>?uyjenmKjGI?)Z4D802HmDMXo>xyBnh zh8a2qo4AJAv67s4nZ_&R5i*n^BICFBXsOj)t)1zeL!~}k2 z#m~3nlp@&1+AYP-!+G@W?d1#sC0*?;Ipa-kC@$dzbu80bq!$@RrZ3_I>iUNn1|=H! 
zmn5|g#I^Og747y_;Y7eUZIB}A{$CXp{xG|7A6t7I7H4qdrz^%7ic!EmsAnWfz?KJw zRKDUHK9cKb3m&SI2-a~|JxAhzeNo5$doMt%u9egg&mJZDv;5sx_}hO`;kP>9_OoYA z1%x7>xY5<}<6o+OvLh}&A%rd88@4+mNLc=%reHlW4sx#nCv{${@ww zEZ$^AlALM8$|7UVCxqyIp8fl1=Sv@UY9>|mp-CFr3=GG?OBfIG?rFaV8PZ8 zI63^`!E#~NU%=jhr@F$GUBJ&8>4%Bi2mIgav9Gy~J1-o(k&sR{F0!sjz~R?XAOEU2 z{b$#7X62zjS%%vuR>vq?*xBiesdm2zJTupAFb|LU$cEunyN^);gdaoQc}D3;w=_kX zBBO8Yu%Rv0hMH!{t_J(gl3iy?ud?9?&8TI@?)kQ?QY%KTJ+Hu;m5Brs{A$U_G-u>k zb3mjiGiQ_-^D9B4f|F!G2xVrxX#QTpgW(+F?E!)~HTO{Z;(>s8kyui|bf$Y7GV^uW zLKAi+)<8Cl0vlSMJ-5V;Q|QReuw{VqS8dLzHDcH3vdVOMK)3RYdBw(9R#K}i-O`rX zSYCU6%Q-rjl2+zZeLO&XgNFsQx=+U;OvjjQlPdhm-EXCL5HqLpYsZ8o%&M;_#h<#D zITv-)B^SNdUS&3%{@>OWOWTFhmTXpvaVRhFLru;eN}RvvP)jhRLU26zsCWt3+M|r7 zJziyZ1%-XhC+?0BM3q`S3v=gJM3P^Wr-fB2!wK}@Xybq6*?vh3uO~*NB?da;ufHU& zULZyNrVLAuIn3ujYiO^n?$5&susAst(s^ z4@p1FlDvlbUnnMs$%8t=60&LV=kxD!>Ou2SfZW5G^pHkj4u<9FzkiRsm@}#1@+a z5TNr*D}0~N6h4~_e>z@Hygf<~1FvV>p4}77ObRx4h8tL#fZMFklISxkkyU~Fqb<7t zn;qQyEE!pr^fVKu6z-$=1G=1QT|t4qN3H?4(1clrE2^b?rmiDx$N6JL9YU+{Fpt8$ z!L_4K5_qljyHp?YYv>JYJf6L^2a9!^=nVH%Mb_FYw(;vfw9N;lAzUr zR5>sEho{L(6jidbO{|@DpoJ;lT0bk?^X1cdBr_t3 zw*sjLe8o|L;;=w=0yb_D(sd!?b>7uYnVU~GUVaj!J&qRV4;e3hB1Dt_y{;g)#My_s z;vjKA(@UBFC`m>Qj6>HXtKV}7`p7wAwO4t9;ut5R>RWqvmyELS7=AI@ZM^ahPWdrT zRbSM)ag6$o$qg&mfoJax3S#+otRQP@CgfT$-va@UwBTck%o%moT#+@}7f7M(N+6|R zI3U9d+0X`zJX7eG0X1-o3>o!kU#rawHg8Fq9*dc|?N7|s6GRV^<%k!%o=$l^pBD7@ zrRiBL0zpfkS+7s8w%}C&@4^FE6&d$97H!!@X3Tn1X1x(xrpK<-}VtJ@=ML@m)u%bOHR@Iu^ygO2U zB0$oIJRsNFUYh0{ckTZgXJAX7vSrg)g`jJ(w8znuIO?v23l!;{zHm<*MX-pAcGRKa zwr$hxfW+!ELlbX_7n66d!r9`|)tl?u_SNNzf^BT#VaaH>D8_A39B+-E%eS$#Z%(yD zoyv71MmmT)+a%sUU*3{TJla2Ss*!kmmuGJnU}KzUXO!(^mS$%WVQc2)U_iXNCs!2Q zzB_Em;N>;%r{r$sh!IqGnGVzV#-p6Zg9z>NlpOY{I~FWCcP_wVTEL;;+Gh3^9^|g zMpU&8GiSNsHv{JjUp!2_H{wIQUP};zWa!eX<8xC1^N&0xC$bGJKZfIwAyZ+-mY8$P z%~@GEJ;B{FWr@kP5u?O{CbVLR!S@5h!Gxb`#7!_^W}4x+WPuVgMV~NGme!-X!cpfW^#&?qcyeBs%?R?12Xf`IA@ znXaPU>aA`GkRZ209aq~_+}xqvw_$zP#^JG?m&BId;kMR;>rz!4f@=5q2+#W|Zju#M 
z56%@C76!%w{ujuGtUxrz74%`UuHYC0TYJRuD9HhUgM3x#$*8ttpHqA-qqCEnHsx*D z@u{U#jP{&OQp5LxjKu*(f3T1H&Ql!UHq9?S3}-T&>~nM zAs3i2vn*IyQpP#-H*U zxLX*ja5{J*-&We|CF}|k_xP3{O;BIp79aGe>I&9ep;mQ~`^UOXDCS~C77@{j zts@^frhQCJdfzqrH+In`Nt+UzW*KSQ4SeXkuk0<9H)3oycFwe7m0@avv;nHCW!ApG zSPFhHq<(N<;SQ>^!>)jnodpZ?0 zel?UJju6C+*RP%&wJFP_C0l$)5-yp8EKW-KB0gYW7Jwn+MPA)*XT+)FI1 zBkdgHzxk2!m(Proi{uzotfRxZ*nH`XQ1g8K{IAGvZ z>7YZ|IS_6Uz3p0%|B?IOGIoR|cVtC0$bF^zp+jMTFRH$YD*C@l=>J_;kQ{>2h7BX2 zMF0z-jf3f1`YQMJ7Hrs9*xr&P5lXi0C~EG^YuH-ed8Bm1akk=wuXJzqy8QsLxSwoe=Z)lUTO)`UV`o5Jq@>bq>C<_ac_#>s9()%HY| zO3#d(c<^L5L2S9+pL*d$(AmT6GY2TdL&38NzrHhps;>qs4kDE-t{56NJ-XiAX2Z8>e#h1rv4G!IkfWYF_~nVYkV*0`to#+PT; zwkbCp*mUUhy@f0!)Cc_Zre+CuUXh7YnmIKOyeuPHE*PGs9{DD;3M-mVNtwl~xtzI) zxO>AH1aX!i@GZjI9pa&QZY=2K(~u2YDa$O)A-yqURFNzQZl*aB!B~}gv>JVv0&7P3 zqMz(CGZaHtUm!dN9wYcm8#bI=tjDouraJNpfoYht65XPB=VymZIFW+*29U={BB+Mc zbFpM&Ao~Tj^w{TT7$q4~%MD5nCC9Yp1xU9bmjNPQz&QV775(>O`&aG3DwD)Nl{fI? z4CQ!a>%o!(9Zdtu)3fz=3FTcvIPqNcjMzH;WG@mBPM_P%sXa`~Z5MAo36lX#Sv$6B zV}sqLMPa$YwjLHAhq(Xa{>6s2YHt{mrrH@4I@@2l^LXwp!S_v1&Z+^}b*iuT-UD3u z2tSII{#QCrujlP&jn%k$$c2QHQO-);*lNDnV+POIq&Nz?A@ zZhtb@K6^Ls#74V2$0Fx1-0?=IdX;0#cZDnP~GHZU0_6OqAGnK5Pe7`z!_)5u7VO!-!1nS z>jdx?;LZ5XgyGSvH;?9Dqp0BCKL`J-Kdv^kiM3~w6dDvE>I!aYM%2_5<|Z3AF`iAw zE_5d)@%AD<2N@wjOb{ zyhcWWEA}OmuwM*(28QY)wzQ9grXCsApwc+^YFsIcz^i|)L`3C{y+}wSK9$Mn;lZc5y*r=L$ zgq#3kSEE>xX+sdA2e$%xPK4||lD+=0u(qSTr_=A&*{sc*m>c&-H|?y?6pM33jq1*( zvzKeSy7*JqeTnJRTSt61Rjz0*`tdISj(Hj64oQPDz4Ao6c?6~cE$!_@7olii1dTm+e`T|LB)z1M- zRz))Pmg>(5gq1Du*c&%7=RUfQnnO>GCtV6lkX7Mu_OUg^8#Bd@tw zyb(n;^M<&3XL62si&Uw!9;Jo*2w+k&b85l<0-Hw;21w}@#3qK+9Z68E z%V^0j-H{p76!Itg&m4;41!`$X!zEU2kBjg$ujPhE(`|VBP?9u1SvlW+HsCBUv7!cJ zs{-j3gf&Y9~Va==BHrcuP>iqVLKmK(&Ol($J@ZbN^#FQFKl5k*! 
z#45JuMleGBM;?tBxvX-|*vYT$M(QXo!elV-megc&s9$T^uHB zaZ1I&8M?}hY#{hlj&%#+;bs$e4qZ2uNVJn30G8(29NRCF{TtD>SQ z`ox9w%eRxe&IZOre<`kUm2{R}oIZEu>D8@0ZL+o?7Efn=n`uqa$7{8^<0G+sCtXe* zw4AyTIXA76)Fl=d6;SdOK6P8Y>W+phj}>j(w(-otyEBtj`7uK$q~qt(CN44WUuSgh zbT5wk7~~LX&Sx#vI@3epe}7Ns#Hl@>Ed6rm)zHSvwX%ajqE61ht%|qA`d36F64FLz z#J8SqKQz!#zFw3hEA}lb@~V>g)^GLF9%U&{QKda3;JL7k!j+Irca;wT4n+i~KmwWk z4R{lQxeW(qrs4!ocs@wl7c1KtSe9ShnOM6o!71Gl7YXy61h!JnsXF7Mg89rav+*W2 zL@vcU?PF65wYAso_3N7JTe>D7zQhpxOm?9KuhfcHY+|3j!Z?`1Pr;mkA?MGZe)ie- zKM4FI4J|naRsrCmLj`8TuffL0fLFQ-ihHhodIfv-QQWgJ-={-TV*VyE{|txVa{_Mn zkBRx~#KY#93HOIj{I(t{TViT&Mb81x8J6#8S!Bnf=6t=355MJXq3Cy?ee;hcX6CNJ z)|6;thfu7I4i7xG;-*2)Z|qhK#;GMG!qCxi@b)Q5YpPL@%A@)OFkU!LAVLeI0#?H{ zfws%FwA>-n_dCW2d7pfh>^3F z>{@KgaA3`@6m@%SZ9)BZap!S`tTQK57?7;&3@%go7fX|BDkBqI>g(v^=S$btx@X7O z9okv(=?6N!hl8a>e;vCJK+I`|2Fg>_t?{z0;dO(N!tPN)WD>t`Jj%sGdtM_&| zbT%2!PKv(xz0UgTkO)_u0}6|F(YJ4>CCe7;RLaV9X%yem(u4-3Pia14vs({s-PXJI z;-e#-=hVfU>inzJ?EH1~60L`DBecoDjj@ZN%X;zu;?soX7nXy+?gvT00XC1M#BvfT zdr+e=>xY5cQ&iimN*XOvHu_c{O|0)ol4T<6GGi^{6NhiCQX@<M?5l zu!H0h92Bi`Rc7IoW7l^URu{Rt2Rgc!*)iqd<{5DTo@W>_lI&?hH=fYcA>sSw&X4Aa zLtSS!?>RVncXp*Q!s1<=XY_W zy{jv7Oq+*~^ycX?*B7tD25z?eWMGaYK{AMkooB(#fswK)J$JQL#Pl=5ipN`Gz4R>1Yp{wp~iI5kXhG#Nz+Wxn7bADDhDK}K$ryhBjZ!p&>-&TV5SR0I@e zQ4+m4#nH^tD*Nmm^or{=;ZdgK6sx`u>q55bDo=9_OJT0O536KPMXy&qjQ#siS0L4} zCA~N~hX_0MOic591XWLpI z=@_kQh@ly0Hr+Nj#Y%|$e2}O#IM!mm#^TIEOGqq;<)zB^Oz^s`NZrY z;ss)z$+~*DFq;u`&xyz9pWTdkHRE&pK}cl&a$PqX`0eIw2{g`@lpBksE7Gi*sUT+fq}O8&fBq5}d#gUTmhI ztkn;gv+_1oHpy4s!R9We?VPu~*{sC($5>0cGTl#8Zyb~>$XvH7TIADsfuu{R9#9&t zL3RosFi*IwND(D@iP_LYZSJNu_ThF3INC=v;-H;!*W3UW>RY$fFQ+jqOHy2~Zrr>5 z!u)L6{zHMS*h(LzXpYeuFFHtWxYf__B)2?Ow=wrRRd<`_?6=6?{ar@2H=6mz2D zi^NG!=8w(IZ8^Fx!NEl5{_t8#ZeplH87$cpSaT$}`gDrqylUHpu!N*ltNxguX0*AL z^LVTwD##)<$k)w1GQVhdpzv%^^~q1x_~|(YmDWk?q}e04H=e#weBoB%smt+QSJFCm z`yTJg*uOij?^xdPt?@^vHXWMi%I-KArs~FW2dprvrW42=z%+7g(VFqR{}+ zNPy@%fBj7daX;yz(>V1JwG0RJH?FBaxcUdzB`Z#;Dt0SBwqK>6;BB0d!cuHwsg4R7 
zryZ;N_)R^*Z9SB9`giEtGmNOw`hrAb|IF3wBx6bxIXBJ{K~YM&f0Zsb zV;MbTxntgk-*9jpUTNeED?%Gij5DLk*;V37sdHqDb-AK{xE9r<>JX2jr|qnF*NlI{~?}z-S@2AQ*?9|x9>iu^WHzq+yd-b3D%T!a2t#r{dRX<*?4ffgHIqQ zztux}maD$SR81iJ80otDF_KT{K8vG0jPnD(38Zs`LYGwG5=!bPoJ{|gi&!7i)f03r zs4o}cw?^KqL2RqPg#8-16CpLua5K09Srbikh+f^{C#)%4E85w!W%yq2%b0!udM{Z=OiQ1j>bSq~aIox9nC3uKWo>I*I7>`d zN}E%o5)7p>`npzcFXm^h^1wg-{Cm-61=J#mb&atV?RnBIRjTHXKYQ=+{;C(#o%crS zHn;hRYJ9)_?k{;|qMVB6WXblVns%KJJ`0EmTH8@h5a$VE|IC!=@?hM=?c4|VO6H%- zpUy~L&uJ0QH#a5QJKp0{S%fG?UrDcrvX@?umET1K*^_aus4G=Bi7+71Ni;@kZKRi+ zC1*JeBNQPFkZ*j+t^SKmjLtHaf0-gdlb_R><5wN?rMr<^ajHW}Sd%*L7-V#7{yVpiC>);PLV+tO>6Q}RByPu$n~H8Gz$b;JMR-AW`# zkOrZziMOaGG6nU;0%UN5c%ghW;Xm^<^up~dLl;BPP0eUEW>gU%R^0MT+%nB5xh75# zC6cYOwL2O9F~9%&GDJN8{d@Z#SJOKWoRzlk)U)Tid8Avpr`fY|?AQrrl;EkiBetGA zx7a41nk%r>2B^*^g{WtjM_20@QrOaV-GrPK;qjDW;cDM>UGH4GvhBD$GNrvR3WEzb z`KX2jDpFNJPV(fK0s9mZT^Fb>g3~VVRO~<3baSTW;q%nlr{T|LL!Um0hT5oY6Gyo= zMBJLH-c+L5n4@UTXlkixZIntkDTM25Yuj=~tr@Cy*{z+W>oboxHVLx_2_7eQHlcf7U>Yrx1T;)xobyJ=cbZlCp0YPPyQZ1P2X(VyDp$n?b@BB!?;J2uFIIS$~r%9ivD|whuNqByRyQyW}BHGL7#5c2#tF z9~=uk>PN#`CUnE<|I5%r-#arw*_7E{P_?go5mRrCKZ8<|7r*IIm;cdvN zy~Hg$XdV<(zOJ!ncmSpc4jl5Hh4Fi_W9ql&K0t9-=sM`Fwpn8tsb?Pt5P%Uax({%2 z^Z6wP{FSDD*6dWsaO|)nrdHUw*V@o4SGYzkb`6-iOnG%L;?C8OH*;;oTf`0$^DoFK zOk9{>%s(gV>g9dn?dIt_;g4qn@6G0Vh1nw36S#pnLxLM9Kz?%Xi~-Lvdbyd`pTAzU z+}sT(oso^#_e))T!U{+3zX0y>o4+jv{BBFnwgZ)do($Lb9j7&wYvs6;@^gEUOiEJJ z)B}LCyjxBNw4P$t?l(!$Fw5KjYUlH%djus@4N?v2%B6fWwQ?_Pn!M}p04&8fhlEw@ zuX4oWe9^c7%oA{y8ZK~}2KJubdg4M$|Mir?ON@(sCRh4&FQ3!v@3G#w&E@#<^b@DF zdk!`n?`b)DvT@fodC&2U8@o1b>FLQzx@Wc+bTuv;?y%}p>RxU&JEdNJ zVVC)V^*0EvZhv17>Z|2E0*{i3Z%^=)l_Mz{S*`&@biK|TvEvdQYEE%dA+I(m^xn!B=-=L(U)VUtXO*7 zdXMrx56LyMuA0vBn$B<(-G6q<|A8(1ky-K$C4HH9LGIQIo=w*o;^X#tN}E)%kFeVp zY1gtLTKy1olo(d|!by+1DNpfDcxAAf2I#HlJ;fdVVr`nbMzgi*;E~d^r;_`-_-9YC zcW?7a&!DE~SH%knRkvT^lA|%dg$!CEn~;ztK;%(X)OdSGJ8MKfta(%#`m5 zY}y6);P9HPh;)8wq4&Pl>=4KAZVszlxmC?M!_uWoD82KMIm*N>@4<-s>ev9^XG33t*FS6w4i2~J0<8_ 
z3IY;hFHGKj?+aTC8We?61dE&U3L$bw{H29^>Pqt!+6}qHqkzYEB4%z&iPzZ3qr=U= zc?)P0eG9FMc)I{&5yVAeuJP&pz~_%6u3pG9Hv7iZCBg*m9}uYWD*=T85HoVmjLccr zGc?z_y_e3pB&^HuVWBC!UjW z2$MGQ4(N@8PSR68ZP)msey7ykneDf;H{8(C_jk>0_i4Dnmvz~s*R1f5jZp0mRCJ-m z(G}OQxrScALwv_uIOZ+71qv>`@gk+QpQavQDSG|o2jiuiGpkjV;*t&9a(V{DU6(rw z>uZzi4kpM)f@N1hAEk&6dbRfYG+pt~46v1F;U&my?1ya#vtbY^Z#3Z!Z~2B$xuRxs z>*0aJ_a5IofA)~M?vjw~#9W0eMcx=CY>g0gMoKqkG;K0Ls*f!lqv~56lB+(l5B`H?&<9RQI(iXoQJ)`7%WIA^Qnl7z5krr! zhh<0LB5y{?wiOgRdWtOF6w3_?a?1}~8z=UkzP{YtBfBT+ijU zk%p8ybEd|OEk|||xG{#bauerZJJ;{7Uay8S;{J_j;_+UxSrL!lzCwi}1ZRzkf+89|~6DsXYT-WQb>GM|g zqHloY$!Y1Ls}FfJpW?~)`HJ@>Y7eEUcLWyJd1R!@_paZ8;+h{Cy0#TFTWWO@KO@4w zt_-V${Pm6Ht-?BGno<_Jz9Fbx||-xUjc!c`L2$t`v<4kq2Q>G@>ZDkIyJl9)XP(~t+9Xf@=_yfdoH{?3QgF#_|?j_%Ge^G zLMxklLrlLV+f9M?I6tB;GQ4j3E-^bl`|09EE9|4!P-={sY9p3XpI-%4$Qnwv72P8@ z*XY&L!r6NPQzL1_i;Ki7020q$zXmq&n2ZxdLA=2~Soh)mi0K+69#$fW>Dg4oo*ka6 zO;;Ja#~X2L^m#%f?gBf)CD(+Of2jXOPIc#>K3)3LQp3E$GW5NNPv#oiHt4+fnJYih z#j6C>2zjFkM*_F`rDnEAE_QA|z21-($;&>(6Ow3yyP70V1~&AEDbEB7PsBF#2Pk`2 zN2?6O+TvR-Cbl2`z|O%-mKV@a>#yAcjxJyv+zOGZ&NbLeo^uj*1aI8mGWnDxZw00upxo|PzuCL4ElAW* z+R=GnuxH}Q@R@-v4J|pzx!xt}(g>l1UDXoYIpiQY!>+%_Qck+m54mVBIyRoCv<-p` z%xS*j*L=gR;25Gv6SX~IqIKaSNxY_tnHSQejX!m|<=RaD#ko=Op`Bq;kymb}e`-W& zRn*DDwKp$HCvPYl+X9PazJe?^Ki@yPrVzO@k>cHfqFz5x*=6ATEch0Z>l^at2;5Fz z#bJNtPJeZ$zotF7tuT8}>(3sZG3xD3(aONmqd!xs7@51jpk#bTO>!z}kLWn-sXi6b zHpE5BuHA|3%zfwYqsLlhNgMQ>iCeN7T?x8J)INIVIBcsJFF@{5V9m#$mBKC{lk ztHOwrY00a#=2g1+RXcFfSDDhkTcU@;1P%s5ug>p2_~92bY_e@wslZVUsAbk3a%)hd zDWT@>tFJxmiLK0ajxM7XLJB<%e*nlxIl_~X4gKCVd&4y+!rQw1nht+v6Yo{N4eCy- zwCoS*x|#a{5tN2%+JaR3eB>uQG+lfxsJvInIYc!|m*6FsVAqf0uEa;Y0-Q!9w*=B_ z5SIbU2y7Vi6dtDLsj@e$JO5(h)a2!e@^oKGS)jN$f30YD|DJ32&zu?BTfe?EO_UlV zFAY@4J=7gs&0e;qi=zQ{GzeE`2=qL~<1jFRe+v#HG)aV3FMt63V5I_;^_6!A$d3og z4+Ylm39jEAtk(LB8bl;uc^JH?}jqa?8oQOj+A5FQ&s_=~vv&nIUkzG23Ql*wA5LgSygnj@@^1G$UL6%Tm6Xb;Pv?WL*t|rb6OQL`9zJ!@vGy z;_PeA&(`A<8?a&9sL*4IR#LKbDL!_zWi#W+#6$k@#c+byO@PHmj#5Awa0o8c6$T@+ 
zt{^;pOrC~s(6!D!zf<_)zAy1QQ=##5U{K(NYe1_o^DHvtf!|(cL?taK4V@Bx)}s{H zXzo3R_JCO1u^pLW-F>6D6;^5Xn^BP@US!}_VnM02a8K5^vsP~w4Njld<0e`)uAvKCLN@FPuim(r79HDskSkPt%D1pD_LTLt`H9j)l?{Q) zT>|wf>}#0XAztGhKoA`9h^KS{*F$do8Lk4E0z(Tx#5Gc=UVFe_ve~b^TE4sSDKRkf zVo&G#1bMZW<}BvIE2r=F3)^d=vjbBr6Vjylk+LcuRU=EY(@op$+;9<-3`0GPLPZov zVBL)X;SI3OJt4jT#PO@^6zOTUAp8NUb`e`D%x`#LXv1kdENI-vQ*Q88r~_;Bywf;o z1rFOgJ;w&3UW`P(z7g8H+4R_E#}oTJXP-1Zda~~Avr}i!sZ&A`~wRFWk z&-N<-WEhfbUUlQ4!r|Q3^R)QHs*QQlU9ntQ&Tp(%gf%D_1?7LY@%h#@iI%q^ruBlq z_99<3faYvnwhzAvXdD)Z&-+LQD2aK&#YGdus1w)5!8O#0lItWWhmF;0=M;VCNL;mK z>dw!%siBFNn;-{u1$B%e3={Z5u+u>gw&YNx z4FSZ9Tw;PYexnrZA+o_?n@EmS^RGyN^D#NLlM9{cSHuiiZX~XClbG$ef5UVBY4pT| z(8%&@Ae<2O7_u^r$*93{LkgUcip|`zmYVSKg`rOIIeO2J%q}pp;s_nta?p!Jbn=SY{ZWk%6PCNuyS)tWKEf8URjj1Jy^UkK)%aY zwOgRrDNya_sg7Vn2Tm!u>)@j z5WS+6k=t;XEUEg?RFOdg7zDF7UwvAj>`dJt+IK^FZX|KTx z$LC^C@Re@Qr_&|V&+BK16GtAL+c!5Gw)Kd!d=E^>VPNYoyA@P@Hc`5zrbAn|A+1Qo z`JLTLr=p|)h2*z-R>r|4$<3!j)rVr%o%U<(p(_u1v>)ZR9QA9x$P*1Pi_SVE9R1p2 z0N5NOPb^xp1;E{n~Jge=-R>J&ZAE;V%D*2#PHG>o+FftaAC}XN#2c?y0+iko|Mc#NPK*S@?vH)q&MI$yc?*%WSA#2 zNw69GwXR+hGk~)e>S~sF+dDNH@#0D3%!7iWVizkXS9^9E^jII;vbn%ySLs1>4UUjEQYfQOATBSeQQS} zL}!aTb~GMR4@_y#Ue7+=7jxo>*Rj3ytEVF-E|gwBncs5eW^(gU`0#tzU*{^OsER39 z<*2iI2TX#&EL}i0*obr;!-qExP0{+LzFv?wLL|M;v-YfCFFl>T$~bi-E^lj3gz$Ik}HI zHr6g|s7sgc<&_))MW3tbr^)+Z2<9Q{2AMXoS(LN3;B%u-odfL{W$N$P{w7huRR=bC zSLQ`(gehA!e{^+R8e8Mre%Y(-e8Ad^0#TP|#U9JxB1&Az@WZRle4d4SqCL0F&I1#B zyg4<=9O;PsViSkxKYyW*T^n93R2MdTFWwM6=cn-d?{yu`XmJ+wDqFS;5&Y+2%E%wK{2+Z9fh&QZ3m zv0r>|8JSd!lkwfN%7C)UDG_TXRF}OcXk)%>94#)~KO^jrT6iY%@;3P?&X9&+4MTM4 z8Na3;AI%Z{aMoWPR+SxS^Qq1H&FaOmYALHQb-54IJU%?Ku`Rq|uYRQHd!H(%unPv= z0_6xzGtAV0FFGcWjr$76BgFj$>$WNPYvo%~BBHy@rf<+Kw(nx4pHj*l0P|oYn&FrmhJV@4pGHtxYE=7ii5Thl|}-O zf$5tYcW*YZb+e*p;Ru5S#+aF??-;Q}-|MsQTz>N>{WVr0?|o)yLG?vx-2uDv4KXoE z$hG@)K3z`6m9nbIZ3_i>c&$0D(vg#8>11D2?Dp(Q%KW3q$*VcUQ-sN)XmI91OM;1= zAf0Cx3W_`h(WFpJZ^&a1|AMJlhFs~Z(luDB?;fYe5!vtyfHPRo zMK)|1%uBIDv}8uFwDSDw7nTb%`}!F1YyoMVnVZF@0%iAGGe2EwvXvKUzec)KvZCU% 
z(uO9lvZ90NX$2mVqZUO6*o|1Y54x6|@t2LeS0pa-b^M8|xBlV|SRVbtbjPlrmaqQM zj_)UJ2~{*N^^E$RQ2@2%D59O9DZt$j$`o(~xmvK?uR%~CfO~u+(iXOasCRi+Z|5W0 zTej6#x{*_}-c!8IQ@hz)yU$B`nkydQiI97B695;s*vKIwubJ{&AmKx+4iX(Xhu8PI zH(Z1Z4e9xyAhT{!FgOY^ePL}!?koRka}7)Y{|Rc9RGzBNliq`nXvqgjqnLL}5cvg! zd-_O@1c^6?*T{++B>PWqzIgM{%hzcyh}wIvHdVHi2bXO2spt>Zj?(J7>GcQb^6kD& zM?ICDKLvXJ62xRwq}rv2e?tk4(X^+uREdwsBkQBTbp6gglSwJh4Q(BOT{%ZIhd&e3ZOzZo3Ne)_;;ZpveByq1T&fBYwIGH^Qp4 zURrEJ-|~Qx?>P~I%8I6{DD~ zi$gU!)?UjJOCvY+aAX~SaB*=h&vC2FeBZ@5P`Ex!sxH_fsn}Vz+H09*6z)bIKJpq~ z-En{QB-Uiik|TP)MPAuOqpt>C{l0Uu52Ue^5Hy1Xhn2LV@6BVc-XmsS5RY(ydqorr z&wltF-@rNK+f~-z{IK%nbHd*c&^x1f zZ=Z6XPB4gBG}~daTu?N`eZ1`dURQV@{*~Mmk~M~UeM+`9&}Q&Fy)u2j?DmBBy(hjy z*W=As|KMuGTg}ae%vo2Eq07lM;Z?!_)A^Lt5Z3cEElYvjiY4bB##QZg~bpFHJ zySgHez+ZdUv;R|9Z!qVty)zzu_d&pur)3p+zC1^FJysExL;y4paBs}5AcJ_QQ9j{W z_&n1OUT3D(zyJQ~pH|TpnR0%1^1HKe?qU#p@9&NVc16| zX;lWCAWEtxQhS+Ma{*T^u4a&-IO-zQm=~lii)L742r{=T?NTE@uyoK5%5=$Yj$41} zE01ckob60SKMpUT3JgU*w)TLVIN(bNhdjl@u*dg;IRg$dEw;DdmYgLup6W?VQ>1gz zfSvwpr&J+&hP%~Pal7BZ|2E!SP5WU zc|u;{9y}tL+(bQVmLomMnIW>FDot5ZBM*^*XPF)+-ipc3$@6^ip#07KuxH}|#A_8n z+$L{%|KSaByC}MU))oHT3lf0E|!1QcZOxI7|c}| z89~kuX9j)8G;^0^uo}uM*8ldmi%iS{%pKzBz7?ySV?J8N`2B}}xjcHWvVQ*xvnU9$ z5mMmHuR=oNGII()I^@diHQ&5w$LK6h!3KV1Z-{!F+k66>INbQ)tgom;1M0 z$u6|;yeq|Dt8rl+pd11Njf?@34}-mc@gCbKSm?YvG;x;{sLlp853Y!)|JXhCYj%d8 ze3yNeST{1`FD^7sxje8@!4XxM#jg61ztlV>%rH62x=cou@1%>n!rMl9l?P#1w}NBQ zbV4~gKeEWwz|1+)l~rZS7p`{5q6UhVSp;|Phm#ipEfLO_keE1B6fS`H74Rdb;^uXS zbpG(YJuSnTQ(z0*e`J&}s*JfJeMZG<=OAOp73a>&d2Ux@#a9646VrAAum6 zw8N!V=-cNqy=pBTVvWuHDU4KC0BEjRdiJq8pIK^K8}B`tL+^E9#TeK}LM7zHlsGbL zz>PO{V0C68Ry;UPQN!iUJVw&2o_ zx>|VpNl>`@>k!hKyn0xL*C{TL2$is}qdP<+i$ z`SDeKKL$wOcS;t>55;tx`HCO+SE{#OLb_>2=8r)>pYiDiNrI&jUQXq5p86nH)9uxK z(Mxj~Vq2$-YV!!c;!P!&=K9TlHM2<9K7k!r1FFE?$7E4W&ywYI z{?a9#-~RTKufMZ!pq12WKm2UDp|!w)QEf#n#uSakG#QG-tkH8y2c}x5@Ob*HV)jAg zqdN)2vt1DRF0f*74g61UKpy6Qtt;{<#2fxjaurSPqUWaw;_{;@#jP7L52phjKk~G9 zj?A=$8Zk2A4JFt$ouv_>%ggqWE{ff9Effxk?^ 
z2i4Fn!^)+`ks*d+$ch%S(#~AAO?CdsMKfQHeRz>)?q*E3o=^hTpYd)w=h<+cDLc-P z?_tO{ndVj{?l={{vCkw{^;i4EPn=VOBqwZQ8!aQt%)`Y#)%^kDTNtOgkg2K$sp_+g zrb|ri6;O7e3r6@3AaoEiaR|CMb%Py;oK_0#B7rTaNsBzFJIT62kRLi23I<~jTtvWq z(wzLa{YI#s;FkCD=x-~VKY85w3li8Xi4w1edxBh`wLZb?b`#W>K~ zEp3fy@OvNVo#+|IsRt1#UYFU|FC&wa21o9E{*$h;1K*Y!=D^h=U`wBwX6lh=!4tue z!^%0>)m?vVJZJWC`1E+h+&vLN+$2ao48TiBb^p^FUU1CxzxoVY>l}(Z(MQF{c1j9;~UVYvBuuP5fabMx1C{IdxmUiG0;KKz#AnQX_5wPH3H zxYr_1i`=bnYfK#DR<8Pa!`h&^hv6?D``^EvLA*Ljyd_093$rsOrT_GXeucUsPs4XL zu&^*(s0YAZBwUI=aP9g1`uk(tCo^^vQ{sdKYi9=!dk0v-L)%pjvl@L~wk{hkTLpS< z@t|g%zBET3+}J)Y^jkA4H=RHHtzpCNb2k8J5jf~gT{B$-)vK-J8G#_UMt-etesW~! z!ptoTFIV@>^}N!({A!pNox=+Egw5Y#kHK%`If;b*cUA8XE!{COPf0qdo}pqJkPD%ZXA}t%}+f(d7-FTw!)TU z;1mfKF``Dy7^bJ^xmRfAxb8Ke*Ek5-7PkvZz zNHKH_wP$4*)1>+o)K!H6r^tkoYw65Rh|_y9lZjNprxO9M9s*mKc=P%N26Es93tkTY zp|0MdouGh7j^DewLXo{IE%H>vyYRtR5E~x7d-MNm?>(TKI@7gLCo`FxOeT{|8c9g# z9o(%hOO_?MsCUV7?;ZEvd+!w+Fc3--0!c_hDj_6*>p+%;O?5<=RNcX{_)pZ9r#dOE~|_X97SjbYQ4aXDTbmkeN8NnUQZRF-d{ zg)(IU+plQzx1B?zq>hadr%qfpd+PN!7SSyz%6nknICM5FyNaWUuyzRp?$p`68p#)$ zYZ9>5Zjz8*g2X{0L>>pwC;QF>SI2w7f=NT>!z&v66PatOHY{bvQ~#}2O98C zj?u4*BV}2e(0-!K3yIm09=|&$Y)i3!V^cuG$H7fM2R5Fb=UTW}U+33y$#26IujWg* zwK1jLG@G@POgAA3&`46ypeBf(7Z@NCO#YZ`>XOOzLhc=wac+JMjOmfNip@oV_jyY8!i;^Lsv(%^~; zztU1|X0|*v`%ST0omZpIYg*|R|DquHd4BkOY1VU`L~hLcKGi3swYS_5-Jn=me;D%@ zEIlJ72~kJ;ZY5NeTREv2uHjDlJZH~B)biE}6W*eQoayMe**{|T#Ea{!WgmTfWz9M* zi{kIl0XkOz!_pu1sDQe#B0R#yWrv;9u^Qp za%Gu|v%p^H65~jM_wvybMD@zC&?H;RlNU3*51#4){fMv6`sIr)8G-<+Lx4b%YRe5a z`~6!BDFT2JUHlUlGCVNHkS;0VD5}}gJX@zAJ2C%*ANQOY`{vZoMKb{Km{a+9t9oV&`#HNzNMz2YR$P>(iX#gXu+|XQS6C zuB9!y_Pf~nYnIy0t92Vfww$IXwmOyW@!9#4ckRysO#rE$@j~}O)k)v_i%=T6^7C%U zz1Os(l~~hwTiMtJ9tmk<7mN;BxIt*ydWMW8TgY+V5GRCk%KB^Sx@*`seKVPog79G8 zH*=1lx%TW(Ph4?@E#HH$j2F3OgSwL;&#`e$d)eA;-|2DmTcs5hJpGq9 z_#&?<*uEKJ?OJ(D%h!BozqPia9UuK@_RLaSK6_t1>KHW3BkUxDlRu>aEqw?Wz1I zsj-MIh(~Mo)34I@|I`kXjJ%dOIO}yABL#ij`esa#rnp4&G=8httgkL@zcg~j-rbGk zljdD`AiU+4y6m!{q071KtmpRIg7P2XJ9)l+3Bk4Z)^moYqaiy!b4bft;VXVl_-fu~ 
z5mn!;Pu=DpTbCG;*I3YYdbLaOORQx7=I@j>dtNX^@T)fYRBsP%ct5!D!@#;vLmCc7 zZ921l`+D_+%C+^gI5HJzH;E@gcePzqovLAL@j`N#vn>n6?IhB>+$;JbioxT>wW zWNf+&cq$wua{6uaDU9X`-uSgo!)F1_-v)ttz5Kh#t=BxNk76u1H*VWfL+T$`(iep; z%Z)BEy9&}j%1hmwma|*mdL*gkaIPpt__A=heN2E)Lu=6HPyIF?0`I+N>q%brr<{y^ zjyazM?Y!vSb}GE(w6W+TWojke+askl_t@Rj1&y1SPCjhmdafv$ElmbjC%A>z@RI62 zJo`h}>;#Dqe)Qg_Uw~BV@X^lWrv_h}&xCZ{?I&!R`gII9wg~lQ@TwK?_4Q~MCC4{w zikb34bQ!yam|yFRo*wlXyX8joHgEjZ`p9>bmhTLRMu4YN)^mxJJ zf@ft?SullINM}8~)!*rH=Z0};DB}G2)RoKTQ)z*Yl6scBnQkbd7;-TL6LiWnQM{8X zmCXs%s8acwVkceE8iwDzrQ+{TPN6xv^8txV1o4)7eTlVeinU9oz`cm?<$Vim>b$s5Z+Q9 zP*bljXz(c68Qy#-wE4Ji!zuJnAx{pC1UxEyFbs8qL;=@o@}15iWJ4T>LCmmg?oH>w zkLTHV%(LMK@5Te(OQGD7q4M&B`Efgaol==k(tmFqDqtrCI%eg#Z~V|>^C5lfaktHw^^CT9 zGD<}m!m#n0zV&ig*|+vy8B7mxQd9J??r)6|KFiD{Tw#i%G>xwS?@9(so4uVq9P)FZ7X2`->15-pu0IqGb>bGDPRhATC$ zqSLD0Ej&GREWA92>K3U=+T&ev#;X$63MG=W9$U^B+Kx&Ze-Kt7aO*Z~>@se=sH)v- z6A>xN34Gb{C3e7y)XhGd4wffwNQ>Xl7TfySLUn4)hi7zKb}xyIdC_^kJl|08S#{Zg z7EE!C+g=s1xz4Y?PMTBh)$pDtPyx*(jtj+NWh2=o3fqSy0Lk9jd_@n{gwV3-EJi$d zZ}{1>{wtrRPko!;_i5bhzhOg2TT}R!#*`1rGWOM1e7D!Pv2vb771+ExYTE&0#rscE zRPL2;M{M4a@XprE4;w@onw4(LUf?}FPq})9p94G9mysOF&dv*b|6A>*Lz0Fcooh~t z>o3b1+mV0Mw|44V+Lg8Eg@s3)eRHV_uf4~1UmH8>73JZo_LgglxPk({0#hTw_8Ess z4Ln_*Z+zRUE1b=qT`n;O!gio$bAO8Hdq6B)K?N5OYPe3a*fq9Z9B~#RM|-3b6;*Jn zSekl)TQWoB#gn*H)O$U6m~wy6Fxr#wXkZsH-D~Qu0h|DwXQo6t#Kweu`OhT_pOSVE z+ma6Y-)ut$iR6E=!JJMbjp;ZsePpD2L)Z0?;rq#bJsZM9oVgAt=si3`YxVo(*5@TMP%DW#OgXzi)L z=(W8Q86kbcH=M*gQDzK1#Nm0)A049|leQOBe!VZOW&1ptzoB7Y#NLw<^hU*dE_UP0 zldq#k^Ml&La=yyW|0XBGJ0oj{CmkcpJ%q7tBu&47toNkOegvyo8?*6 z9Ne)j z3$hJo)the`xA&@A(4C5Ld)LtcAusufo3xJ}^^T*b;it|kH^y!WbrKu4)`}YBs;qGk zRUv<9?V4nxh~RpJL9Jv}Z+&fnj803naqxU)DF;vkNEa3q7tov`aV0CPG*+m9IA`Hy>SFNz<0`v>p^8DW2|^&ofKr$y)8zoXn4|(iMIvPW zi^rT?{j#aa6T`+>laFSnNRJ-g|Kof-6xw}a2Fx=*^xewGRGop|v@4ej92}PMoZP@< z%aYZi{0#^+N!P3@;$Tj+Yv$Q|pcWx@6m|%~>H6^4;X&f)(axF;dvA{s+rBuo!d_w} z2({$JIY{$4F66{&pkyuhe(QuHRgB`&#OY7ZA9e~@?;2FAPTU(*^Swv)A$j?CZmpLL 
zZ5?u0tJdqz)fmiiE#%z}-z|qUl^dM0V}%(3*1_`suwT2}O+#BB7u2@TGOW~Z=KAn1@c z{Rl>ATJHCTZGFlO-TdMUlB$d3sLJM3y0Xs%@y-00GD%AH*@5dv+RuO-d%2ynOqVZK z*NF73wt`Z7O|z}CKp9sFD{y<}{s#xXU9n8Zqh-_hady1$C05cK_htrWNcd)6O^ex+ zuh?+?gvva=vWly$;prOClxL;L0Z$rT%A^S1x_+~AawvbKGkml&nV9(!+4UJ>42lMe zR6TQ64NenDpZ4EAuqC<32y)KXB3o5W77_0O?uB2QCQ+-XL?calZD#Pp-kX`j_k+5+ zz4q>NXKH&l};0p zQJJvyX1`ysY47n{qeOJ>&Xsmvpcw>zxRq;;zyl-j5?6C&6p7&K*rgx4zt_ZjbA5uH z!W#mr&ILB#1v~(ziiB~tb%XdwyX69}^i#LCL&i;?Q9RBiwh#0GW{7bhSy~5S7m(Ar}}P0Dr2{? zac|((1BUINXt#W<*|<-)@l(&XFMKwC=C^r&;Kq+)cYfkoS#R#4`!jR(%e-Y6%4Xwf z#SLYM)1sUbB4gj)lD6j)USi?PB0r0uqGugL7wNN?8uK{uEi2v9SLhR-rYa1Do0iA} zB=zshoA-O}IHB8g&TD(GVN;(=d57DEA&Mru0*T$BVYL zzG=%~NkUw-S z*H>{NR4wnmZ}#+`*=VSd$HE8-G{8I6aCEgCw@OPz3TR|j^Zv4Hf6VRM2{Qx96W4PH zSU{5G|M~+0Q{B)VK?;M(e!=lZDH)#9fBS$?k%|j)1qnoc9>`LBixehEB@$bJ&P)<_ zCP}^jp8eeu=8G2(baeO|y`OyY&zQ;n@&ewc-}gYFb&L?ZKE1ruQfnb82CX-u zT}(F+=u+*R6bl(IZ~dn5;`rgrwsItaxdHp+>6cWc9qya1N*jI@H{B9coi^;esM>T` zx#^(C_MhJHD>kDT9rL%Z4KG~gpTJ5evrlNGgf>%xwmK(%xjZ8CDUs2PCwtR7gc_Gf zi;3l>#v7_i{FncS#>GbvMmw0$v1h1#Zr!y0?t+JCWGLo#)Q|UPc@HzBNTm3h` zAKdo7wg38+I!`-aFPg7jo)YL?5D`=vVa)Q7WhC%p*01&SSf=x)gr#cA!6N=u%zNj; z-#&-NTSLV`e!{N*pohHWnrz`-@GRALQCP0`J4b|-pM%d3T&eP!yIyTmin6=Lnl4Sj zPtxRVg79>@QS#x*_xg!5n)T-9&Q5fhC&nS!i!z81mOiK>Pm-x%zK~?r%TD z5JD3wew-M&ID4aZ>PFP)UGIs>Y$xMOOn1&IrPkUQZ>0hENV%iaCXw)cmTNWDDgX5~ z+MX$5&!OXCsU;pkrEe_M+p~+8EDieLle4h+_h)ZU5(6W%Q|)(#*4P;wB=OGLeDFz< zLxfeSc1r){e7<*9$jQEACwq@5L)Ai0Z+&=SK=SUmf*)L)uPNF(wA*ir$+92{xF_7+ zK51w>7W&@#S2Y>0O5-ItZ+n)%6V|jheb;BvE$;+ZWQW(}hgB7LRq<>K9JyugqUyv&UY=`w z6S+}!E(vYUF&mgcSxY2_1!5Owpt~_j5SXrts|-wUNlf38o4BPkrma3=^Cpk#O@57g z*Y7wSx$U@9>boyFr9EjE`e$y^>dZq6UYY2NXZP?EfGiG1Z6b$$K*Z@<3? 
z>o75cB;r_5LCfnFQfHTB9xZ}x;mxJ{Ix51M+Gsm{hJ`u{v)kCJB%v;ZE|fYc)jB^P z;-PWmp4;%<^$+e<12asHBO$w$A6q|U*&kar$i$p3`di`n-*^rFHj)Av8gZ(V82R+U z^{nB}@PYosa~Ba}K^UMckPnJIY>| z$6K_*SX}-!0+YTmpkE)_*i+1Y|2+P?>!S;c&9!V%666X5CKzq1ZDnP@s=?vm@dh$+T-utMm`P6+F z*8E|@mXCc)H6GD?MOQ&^7W?u&z5Uz9t)Dlx1wL{a>*9M>1Q7uAP1HHS77 z`&Xvcy`R77v+9;Fsx!8xDN^*7p1h?7rxo6A%e})^`=xP`HvxL>+4!?d&gay~9X6rc z6m6HqP3QERZ;`B_MW=!qFNf9r>>OIja0?WN`l1GLy!&)GXvv+GESC_TD8WWu2nZbA zkb|~9raE>7%K)p_J5CIa6JLJQwPdC9s&&r8W5hGh&Vy(@csLFp{^04(Pd;x~EAx2l zc(FLgk;J-ZU0(v4K zLUWE1DOVt0`>H8b07VN}DOy~w5dHfHZ{*#*89g+bd*n=lIp;;TOo0T5 zy|R)jDduYGxT<=zdeNkrG-qUJvW*v5*4_XGa`PO!~ZI}FaomW)vU*VNC&n0M~G;o27&-2`Q&vRdyFL{#@ zPWPyEPkuMG__MmoueW)X=LFT)WbgY(k)QRVm`O`?;}>|+QYF+JqfM%cnXl#)YIvnu zix|FBq3=93(;*?;SY8&hb!+VAP2o+Y>F?Au|FC`6`8_GEDav@&QpvIxxi2r$uBJx2 zu+x1R>9MlfRzc}@r?UMhJ-ctYX54%YHv$Sk?i;@|H2#RPg0b|vSMgbC!cMwRu#JIN zv%l>8*on{19JUi_F~gMMoXC-+@#LA9pG8+yU_>&yQEXjfF)#(*IKm=$J~)#@6U60q zOf)4dtR2~06)?Y3#4uubhLgdZ8RQ_U;fh)S*aKG{`im*x%`=w6U7?E%HmpUb&H%BH zJ#;5>s5^ytu$e?y5jRN00tPUfloXzT)-%QQr26`8^%X`CAcJA5Wg`PWOiZ>DL;G)^ zPap4(>$?+k?o7Tdbso#fh^#N$y~qa5jB;>;gIBrGPMk!O#x9~LGV9wu`2Nrcf#LR8 zM0wpFvnSSBS^F}WL0jJ}eRFgt-|u&AyWO^1+qP|+@7lJuwr$(CZChL0-16z?_k8EC zd*_~$Oy*{iIl0LzdHrq8W)queHoN5qek&}pZloTs4l@F+aC z2kr8Ezlr?VJClHHee0^oJVooQZetwf98W>A-E&0hCUi~k@>-rTX%)114c|{lEi0mX zQTf+TGf)Y}V39FKCvm8@TDqxsZ{r(|xEH;HU>ic58X%TB={uXZZ>v6tya(swHVU!o zC*W!76+D7fin8#z|0&NB&Z6;WEcGFYD`qJPM#b8Ki2LMsw*Z%sV7$c)d$6psM74Mv ztDfJ|%>V2)okG}3-x@JV+I|AHzE5CC*W1|I(<(-HLl#*RD*0NN<@$!3O_p}tXi0cv z&^08_unj+$HD^_Y_bg+nN?hu>3fg5{X<;d+A}Y9R zeN7dKo2EmBvRq0*(Fz^W6|Jm-#O5eT?R-fh-=^QA&xzIcNUQ!6Q^SK&8@R=u*A8n- zlcnXkF08cmN^NTll*3e%+qis->|Kl0ZM_VX+3{hxWsBuzkMpMMR^3xp$yGzk6&G0u zC`i6JPh}ZDDC`f!)2|diF}zPYQOq`}2^g9ePENPV&u3Cx$Ti ztUd(Wb{gFk7_qEog2dyjSq$_CWAK;+I5K`3zDDSb-K?39!%aIvEq7kAmgOq0`-ip2 zS>DE#008xEgKCksRpknml}$6eF^r1daS^p)#0q^&UeAM|p`HA{sjwGg#0$ai(GqKP z7WB1M+4^4r?Y)390(COTOf*{Mx3k}v#l7ETYsBNcqey37KpOGK$X0dgCgp=xulu5j>7uX(ebf;wv@rep)lH?S-%_OPBJnxw)fS 
z9XhSv#rv=2+7emMyd+d?-7h7{u=2U%3TO+)%{+sy9nQqMTZef<{S?26x!Xr5Dn=%C z=(P7Q|Du+>oo%_{4Z5-W-ZDyKliW@xj#wv`dS5E~ZgszP^&Cf4oRhQ-_l4~3xGHTs zYlQFxj}(SPLncq(KvPew{R@vNzDszM(X{dZj%mefkk(%e?j?ZFER|DA@!M}b6JJfx z&dG#)npRJS7e|ACN0;r?XMso`HL3c6BcQW^_dUt{tGnyj^wadHW46#Gw!yLT{;E0y z@5a*2r)u3-pyyv$+rPH5>wvOnD$DhS3abVw6j$`NBPAfRdG$-T@ioE+DRbdfEl2Ombl&|63B{x=l0J?3RLMIeoD? ztcO9v{#$pC!TM+}OOt*j?v*?^@#y8BiNi8tNY`C3aq>kuTH-8)W$a{Ttf6y>?WV_cigLuXI75}f%QN9Y%#E`)!gvN^n;kc0HTUJqj0^g! zuvVNb7la5)o{t{9GXB$GnK<#;Rqs_m$sW+$e5B6<<~s(I(@O{IM_%pwJiKf(t(k(` zNEe(hY?^S)PfbRmH7DJUv(AR2R`Xqk!vWrGiQW|dQ%y(6v#aWcTxcE~bvLrEbv-)r z3FK^Z?8_k=D>ucbjk_;gsRpJlvVOe09Gs$AprOVoVy5h- zTvxM>u%W2Z)gYxzZ}PEHS-D+|-ceZ84syCQ4cMf05w2uew{nO;%vqdh+J*Q7MH7>$ zks`c>nw*|eb_;{_KXcwKHGMP`rIEpbOM>z?O^uq~b zNIz|#U>U6R)u0GmachYff`BPG0het;Pri({7T>=auCIE1eF};y5p#OhpbFG7oXTqF zdBo!O0K)(Vtwu(Xzp~UW*4LXHqE39|L#VySsFRr)8VfAbEy{p>G-cZgSSa%HP$92h!kk-hRC z)U*E8w4E}W3>r@1qp;(ySo0aKxxxs5Yd*xLg+Nz8f~TcqDq4~GUq_5s?Qq+5F5xA& z;)ClKw{*-_=Og}sIowoaf3)Tyt8}}NU2#`PIv!vUM zIJqX6Iqpc}2&3+Uhs`Idr^W(-GAW)lJA4%-SjZYvvTmV-CA zIEz9XC5;^GXts4K;2#Ex>4=dqM zQ91PUA2i6V*UX_;a-&w*j#|ipP`}qaQu@u5V_YF*5g1kzT+Mdgjv`hUXHDdoc-)*a z2`xGHuKEyqg||^twT^f4?&heksgEN8^SU@AMbZNdVac!>Ix!WAc#=qOskM6&nGDw@ z5IKEu2MdF+%|Cf{FBB%`4M=uMSs!ULp6T;QNC!Ue{lQj+rF@;Y^%M)!BZJ!$+#?IU zDw=irnqRya?yX3{{$aC52M+G~=Wm5+EpQN~e^UH$fjId$e#cF%T6dX)pn#%D0m3CI z&h#0JNvy@@y%8D@>g#PE&}kmC+gIJZ*xd@F8QZQpTK2VF#v$d(n-d-ZYW7IW($mig zV(KKHOaGikMc&oP`QXDIG%h9@RI3;<1*_ch<{orcG9D2#V>f;ued*0KTj>f+f+W%@yu z8%4D;Lc!HCg8O!)YDI+z^Gu(`oPp9P^Kq{puUZQEt@zR2zAv87pEGOmHK*%eOMUM8 z;ez5P@0}Epx~xw!$mS#uxXz+HybM$8-aZ|P+9(;~Y8z7V$VX5{)_6X6X!Se>rYh-h zQJ>4`0Zf?m0(7Gc)7MS=qO=VNI)gGA!*aqkYg*Z$cKtgFM|qVEsr{L<4VaLeRy-$} z^ayefn|HFC)$1`%#JazFe^SvK-eqHa^M86jG7pmG>t%O}X7}pq-p2G;=bG{Uq2mX6 z1jz$&H~Qlbe7Q9jrp1P1ESJ6_={%9PvgJ2R@oOH~0U8_BzIOaPhD#k6Mb(eq?sdHN zZye(Rvx7<|Ls!PHxHBx2(dQS#cXOteB;QSk!_#ck?O4x&h5|}C+zNreMe`fugIE<< zO7w)aMAM>^KskcewzXn!bg8(R;LrH*4ZtR4f*O(cyE=xPT+%#urToN6BiOkQ3xpOv 
zg(8+aJIhIZCTw4m6g@PWMB_~!xa^bg>OZW`6VD!*$*-tVDlM+W;JyXbF$tcTu*{I=!padWGa;91 zb&(BeaRYM}$=t%ysg2Pse96ovU2t1U;L%&iA!E&M(A0^O>b_Hy9co&uiO>2F;%fW z^MH}9nD+z>T0KQYp|^%JpUD5JcVgMj9CCaML~@9&w1J>OVscM_u@{=l1C0yC&+V9u z@qYfb`E)+A;|o#{(R5{B$_3B??! zW0R(9f=X10kQ<70V30ShtO_05ih>6+k2*bhdcu{&@+qD)o3Xe1ZFc1+rd{kVr{mS- zh|lk$rRC7$)M^xptE3*8R*4F>sGlPscT&#RB8F`godFnKp-5dJXIU7-pcAE-yL<*T$E~r-{nVhyESAUhcUapFPu?^yePs8^3jocw}4K z*(RrjHI6soxU>S0jxw|=N`wthFLa(ASq&*3N27K~y}flb7wHr$HcgaO(c2B}tXlC1WsW z6DTEBQFa2CiFQ|)cPU3*+wVkS=>_7TJ*chDM(o64;oU=p)MJ>kG6^a$3aU!M!$ z)5Y7`^Y5#9-lFFpZ?4m!v7hIlBnG#fs-tdJU#?${ww9%p!xK#!{)4W783+JrgUYf| z!5T*r%Z9BEmOP#5ppq8*IL1>~cs&0l?s%L|uIK3)g|+Q>yTas@e)BewH$>(n2$WH^ z+D;Y+iaHFg-iQy=2mQvhGTuu^Za?-EFq+gjyiD?PhAMQsa*KY=!HHe#h z@2<1|o{8N;=yvgW{0^?eFWh2ozCS|Yt8YX{59>LkV3Y-oI-yMzaTOoA)Z*C6@F~P| z@E5CKPRoY#_CyoSM&*Yku7_K$v6@N|=|hbKP|bj**hZ@Yf*6+2*hXkaL?WZv+?t#7 z+ujmywQ%rqZ~m0 zcKJ*Jh*}EW(`OV-l9-V7VFbbOOuj}oCK8vZTzLQ<6?Rqs^|`dp=eSSFbNcnfkLdL| zq9}rW*%MysL{4W%#7o*UEImXoKX34y+Vp@Vf?IM>Db<`>mQ{hE(Of2bxORb2n;ILQ znF$*m?)ErWdVN&{UwyKRG$_=}{R$Qx5)}Q#N8~}+rq`07QB&V1mK4#4DvOH;^0#_j<{fM-Kw2On`<|d z^0Czoq0muyZ3Y^l0FJMVFI7if7+yLdR$^s>GQ4oo<(|$r8_*O#T;2S{`j)D9l@1z@ zB&1sv$b|Q9OIkgf%F9=oH{;dX0JmOP)qXPbj`(o)rXcd8(*x6vHa#*vG~({0!Hj5W(J6c6y!2b z6O09RsPn1}-iv-k^zQZ?pP`8sQg#T+RV5Kb9wCnYs}LbAD{5LnLzKFiqN=2V(Sy7| z!@uX=4>K!xPVF;Dpq<8lZS?qknPmQs-459v*6&!`X?3Q3LY$@Ja%h1(JBm9E@FL?I zEL4Z!Erik28rMBCXc|;NH)0cw?_WvPj)c8>dcq};QNgw*&2chtLqf=dnp7d(XbYJu zCX~5-2=lh~xK5#|CRH|@cGjLu%}DXCE_AFegt5vlM4417t4AuU4uZ(w=+i^Cp_eac zAKJVJ*ess`K?^`!Mk~;#KZoGHa_Z1pE9X}$mn@ZPUN5#~VN9)>aGNVNobw4bm^ufz zo81_`{0TZp_2Lm)1j~@Hmo5C4U07A8z681eF%9a>9@4uAXMth8oqmBh&oYWx%EvCh zUqDm*pcEVd;!hPC_zWqFqnk6ea8w5`islkuTop&|qKaifK0A`9?Q!2@`WWNT(CTga zO09evsz^*SddV`6=xg0Z&)k;OYf03V*4b3#@z(hw`yHq-P1&?7)&L}&jaohG3F8HT zftB0_w=L8RqAZ#TIvl(sda?Q--~XDa&(!PAF7QXr^*R_fv%8A-#96)TqRCEF*w441 zqO4&0>n9L5d^dJTVL;UAALk$FF9{}LsAzJAmbzB?GRD1hS>8HD8~k&s_)f6pBQmFf z)6p&T_uSC*nMoml3{UD&KH<<|tPNzvgdDLhDG0c}MJ*w)-4tVjtAh+4&dyjQk1CH! 
zO3=n1m{FoUevc$bGi5R{ACFs}V%#O+I1+tWMHqJ(NuJJ!NTW-Fh~9??LpHUKrAXNK z5^WvJS5|qcUN!Sd)lM5*+Gb07h3IB4y;m+-WZq1JGC^R*;wa0sUs@2|G~Ff$bWPXX z7b^eVo^7uNK+?JnJKNjf{msrls~+>+Tyq2EzcGv{hFkNL8Mhi5B1GcgLa=F~v21hm1-L2fVAz zx@*(7WHdGHHK>V<4D+X}l-P74XpbZawfk9#G(`J9)xIyaGGC8H5_Ko=>~C_NT{~ju z@AX=N#<+?5V*xkmRo0t$eA>IdM6AdfY6dsMUK&R=XdRTe=EBp9Rcz`M90uEFr1f6} z|Hds@*W6UoSMIT-Eg0V12*^$S^uG2lj$wl5jRS7L-=T1`H>R!@=CjiDdVnccd;wL? zPJ!#n@_SF?ncb#-uc*33$fv^3_+9-8MO;*o|7=ZEoSmQ+H3Q(xEW$+;_x@&`{mqzG zJ|?=ctPQR^nyW+1plb6|z|7+cHDEqmH=hW+5^Kh^@aw6;K@HslCsZOHWKl&pH|1Dk}~PJblk%#OHZ;w9a-775fS9tP25>`2DkfV-iQa?V|JF3aDg{R`;b2_ z>zfi07uW+SF7jX~5I!5TyMvCR1d>=GY^{4baa6Y-c_O_43ax~;Iatj$St30F`xp91 z-r*pWP(6c+g=>O_xbDIg*OyG4FAyMq~E{7%C6**X$`~5U;>xu!qE%{ zudikF7H{vasR;{O>HDdRN?U~Zb80H1PH<{tTKbI2acSy*30FxCGi>hB$-ie=(2!lf{^jZuu-zA9sIDC8_Ho8K6R?bvv@-&1 z%qXZ+_ptW&DA_R|83k4elL^I`(*LM$tx(Aeyq#i0MnTW03n%?Vgilaygs>eISZpI~ zUc$OfwI+WBL_A_K;RTUo+wbxEHShh?Hn(%NP}aRdxkQmQjagnQRx*n~y~zCY?Ylko z`)#&la~_Q!M1|QU9BYGpE{DmT+TM|(sd4+n(+ff%{<((6DhC-{t)y#Xrn*lp)uuEs zHKBi~8*!tANpf*bm^1wB1_ zo2UwqihQzYZQVB#K)7$Jstd4i#t_Ls3rIj04&U81<-m2TQhd7DKy? 
z_>5C7F__a_%3zKoT054d80PTX=#u^!;f#w+CNJYn?86F;&Y&PDJ`JnuvLyD?Ibdh+ zMh*@^X0WX5J_Mbk*r>7P(<6T@;I~!64XILj=Vi zP%=Z8aNZI?dw;%^#!=Z}Symtb9Fs2f(Rn2HMI2OKG~iK!XW4BCHzy)$U$T54krJ6p zy_j)){TtUO7>z1jau6Z$3sY=jn*`sN*`D`(#wE9YFAoxR-e=ImgS191X;`LaWu9_I zD%ZknDj$dWEJP-Y_Z17Ffhwmgf}XD4P3~wMkmEUiex`1tuXo%Kfnz-`34j*X*Btuy z9%*XG39zDE*5ip0RuLC}!WF7VI z^kOlLaSjovJg}fIGqQXmX@d7X#<{7-56lRYh}nv`p`|G4@;SP^5Gqhz363haYb2Zh z>g)X2Ul|d1$pVT3$!~9=u?b2yQlo>3piqJsp{SDR>B$AQM#i_nMjvhYWerx-q z;r1lYy_ehLy?vFon`dw@k}r)UgWc!jO$lL>)f;?U7+D2eGeC){nkI!Tuv%_3z#RA* z;E3QPX@a1qDa^QpsfuS-c&kBeOlS1b?wYu{7I+-`@?h#|6jJMs@S=h=#23IJvR@A5 z!-$?_2qBvQ-afEQ=%jpjlu$(95bQW|-xrX_1^XRY>wNG2}*az1P=HY9PG~-g*)$FJ>Og4>T1iuieu#*Mzh2$4NVk)tg{+ zZb#p`uA{_$&3z&E`i-5?YN>;BN8~1<8i^E6O?Y+Pi#$qW38P&7iJV00);JchG#Y>Y z=!@@T6kvsHBw9EWCaBNW*a>}OOH4!Wk z0@OT2#m$1#$SOFKl``?l1e@Y(>u^RL=41I@mSs)GUAVS30%P1$2im25xciqXA`tngVlW$b~@V)oFJAK`|UEBHv=x&SJ>UM_U)=|D2@O(JA zbK%tU+Wz2HyD=|FYBnZJi^z)k$E*F^)O{n&>?|Rzn1xeo4d~48JMw_OOVUMkxP1(e zT9t6Q;Wg#V1=YyU(+j8`jCnyo$RxR%0TsGVltKpQ_Asq$8aLjm7&k0?AgpnU!Ps&a zmqb=q1B;D0Rs+;bYF398RcxyxL%cWhQ{Agl6M_JF7$%l2fI5ZyE|pO zGrwhg90rpT@OPWJ5;gyx9Z>#EJVKd(ft7GImXMgwU_Htqu;FN292|PB_s@*hO(nkB za?Z`UC5HOW^{vwRO{mlA+AM(8hiqI>GN`n=UJ+rl-5@w1<22i#SPV=AWeI!A*wgR> z&D|J~@Apg_!NmX`B6E%|>-Kag0ZO;)3$^Zk-p=m(GK$IGV)GkIOhA@Kqb-S&3dKCa z#zXKSrJ)WsEb-;~`)iz^&e=Y^$YE8vtsYL#S#?ppEwnyXp68P#yRhGixe@b(zFrU+ zt-AenB^1&(OorOqqI}!iiBK6Q+?phUK8{+)C!_(QnI{Ze73CqM7^)L28T@!>HPuO7 zW5RtVzmf)R_iK&y_Rm_=Lt|-9?#*vasO_hjQL_}y%5Nk5lXg*}AaoTAjC5F4%uF>x zEU&RwaOuQA8tMYAE%TLqXDg3a?}}zS+?$icyHj@3>vuW5csczSLeI%?@!d2SmN9Yy z@lWY9c$o2~W1b2>x}5V|8g-|aVIAGRq+<5HW`kJ=Hp%$`pdo5hADc9rc@O2a)lux; zY+jGny};H3V>)Mi{b5IFGpa?b5N|7=l4`G%V6tda3Ik%W#FX2^<(PfT8oKmqxx9!$ z`^;X`>-$jltCV?kCw0_=Tp(+Wt{JhS1%VcF)6yfHV08A>vy4~_gJ`#nI!S%jmMb44 z#!1!Wk>gShNto2?=k@k?T#lSSw1E@>j9B;?>&o=i8sfb>!82Qql*!&s!TYXCEC}2?-X&KmkIG} zi~BW}uGRqF*13k`8p#v`At01g<=APF^aVyFs=))xW}FrRteKHj&Smm573kI)sB8S{ zF8ll5!nsH4FGA8YDMfBD0LN(Mg?$qY+>acgw)fe`NoSv+3eL=Udm71K{+w!{5B;}t3BlhRK~In 
zG7c9+iUe3nvR7K^ilV%6wS)tw5pTt^E%Loo^TSH{+%u>b_Ig_ zjYm|YQYi;b;O3BoUSqXBZKJ--BLEUAS1~p$qvK(8ks`@?J&!kFYw11Tg4J_8{=tVq ziVTx?gq`D9*GiaDHb`LLc@PR`#@xfB!6MO@6$NT}!}H!&H&exH17zeHC)mHHn-S<~ zO{8D{t(4yrw3lIP+nYlrp<&z2 zLb~}fP|gLY%Q;0LzILB+ZHwN5A~fYA2(#iyZnJP8HaL+L!zU*DJqfG#S2j_H5O?U! z?4bN>yg*Xxadec;&HPVVhPmWiG#FWHyJPzq#9+#4W%jGVv7GMBQCa7zcc|B=_;s*+ z6vl4nW>#`}-h$dg5Dd)fSo{!BoD7+L+hS@uNO`+N12!*1C6|}kZVLT({?o0-K2c-By_W1 zD8%aV@FrKIYlE;d5B*?XKdlvqBCq&3$^>J|?1Z+LT@VPublR!a2?6*5EsF>W#ZsPz zonsUGlqVp{5Fg_eQ}$IO@VtJH85gIq!aK_L4GDHi%$a8 z1Ut1KX0H?H@hWF534k~coAUlD$o`Vw|9PE`qUXh#xG)s-Z)`(7e(XC!|u4PQ-olF*&-naenflD~_;GTt@_2m&o*;Md(vPR`sgy&&rFb z98VX2bn!FH){yFbi?Jj=@noP4b_pChcx($9xx#Vq+WNTuKIX^Gd{kZc5p)@PFGvsQ z3@bFya8LMjcmiP|U9QPE=>di~Dseh#MLD$+V@(S@6=`WPTciN6DMw?EiK*pHc2+;9Km_^X~?tW${GQ)txAE6TNv z|6H1&WS2~S)tdeqB+Gm;JAjg%BooPlJMraFM-1nP0nVj7_*MEG-5(R5Ai1 z2x{0$Ls+Tom$ zRV@dekuKp}-#qnXmTf~3wYZMgUAvyxCEkxoqJiE;}K^{0>)P0=bk-HTl1`$H)uzFi<5^$HG=_B zaPKiQALZ)-U-^AsgtPOmC-1AOg{?+mkTzfra4kNj7~ucf8zUaVHE;g}$L?B(#y(ohBA|!EzdlWTH^8?aeP=;7M78yfbBFRIjdt2Hd6VT6?S5pwFixh*Naf*1 zIw&I|)9!#hIu}s;RWX;{gxJ>oDr7q-A!pm^Z0)XD553{?gJ0CiQ>q{4qquQ2t_!!9 zV@m5_nZq;y1Y|b>H4~;(#ZcBDTV5#08d;5Ru`0*!TTh*oFTQ5bwD5q}|6($d!864k zWR(ILn$bfU7tK3C8B+ve$SS)XFXa|(5M@L$n$hamrHWuz#hOMUZ7?|_7(F}7plKk2Y%_nAw(kS_%BQ*?E2aT^1XsX#>|sPVc@_w>fN4)K zj&TZ8IJA(iN9Cy5oSP9YCO$<8pl(WZ-sNJozoW!)z*+XphYWH7dZVv1ntS_dRIx&RA8V(I1A2( zFa}{ASv2uqGHMp8CUK-aE&Zaq11T#^B+DwAq&VnTD#LSxKt2vYp=zlFjkIz5kp`jC zC|)V`Mc6u=rnQHCk_S?b?h!F)LD%3?;;8)#mVE7xdyigeORftr2dv8+;6t@zD;yrfilZ(2TFE-_PcfR*y_&h z@*Z$IF^8V+%E(-jmmp+-h4Td4r%7Pp;}?mfiK~6X zLB}!mZ!4s}+Y+D?<<;IcKEOA*z>n={&!+o5U{qSsoXol=d5(=0P(oEQRyZvR;S`=& zz4ApHy1L`+&d9%Xd12FXfCoIJ0EJ)(P+0dHE$>`B+Si=Fia8A}+zb=9pX{#%EXdDY zeEWU~n*lk3LxEijKrR1Nhd#LyN0TMtKWanXK^Y!c0M19pH+K*_ctY(uUi6s}wjO_7 zMi7-yg{8~lWjE*IjZIKICv|XZaWJJYwYxIKy3B})%QER_j;sbG;Lv)VNgOYtr{5Mx zx>pp$QPB%!;;%dB5x`TNWtKDf`D3IJ@u6E%7mrOZBo!eM>59bz7sM`^KzHy1Jv6Ef zYgF!2oRi?3%bwHZ;k9MZ2*lXD=E#IQphp6To08rbnJlA!t>7HVMkdyA`A%;Ku+EWd6TNs 
zqxCvo$~Zh+F^6=l-D1~c(r6#QP1PbKmTHwQ<>x5U$%Gt4E2GM`-cUN_U&N@IZd{|3 zEvLSsa6|&hno}MD6NWlBiA0-}cEx(T+=v~aGN&8xgz&Q{i=v$ZzXdL4UN6#*TYut6 zomq?ltESoW7u7m7b9VPVf3#Q{S~zeWk=!W+vY=%2;6}$uyyW`2`IcKf@qMF`?BQL-_pDfzK31mzfbk=R$vc0pa#7N_|SDQ<>ZqJ}gQPvS#%8kX5Rpfxu45D?+Mgh;#9B!~codziTG3R(1J}{#7q#%XCC@e1 z>ri2x)92<=5t2!kgBwB}3|D>`5Vw1S*Kz&baqLpcY?w#x=UA4UwjnQ*OVX|_=;JRO zA&pChP5y@V*E4p@7@A7KBU5mijY}?oY`@W}3_E=-+ z;hlAkP767$mJV^K8wjRn*oL&KGp9yJe&!>9xeaUm3 zC*E&0=bm)sUbSbC+}@!AU~cr5RrIb!^bV(b_XhGzcXiIL1;&mPcBXBAu&8tJC@=9h zJX3XSc!jH9LNeY%&fh~VAwsD}@KxkvR(Y^!f8)_*XO!jmXsoU#GTYPN7`i%s-tIPnzYiFZ_eT<@THws6Ouj0lMF7ZhlRFEh7n_j3+%=qG5?kGm}=v2 z6LDgMMX;Cak+CIzTG&F{q7a&&x+`(!`VuIO1`YuAs` z`qXjlwm5Ho(*Hmm1YhUbZ|;VB{f3?MFDTNnbMCB6?#m_bO}gGq{>9tg#kH`y4@B)N zydL~8=H1i$uW&c{5of&UE+?vz8^FYA^;Y_qC*Z>dV2LP*OTaBI!N99K3(AP5LLK&NP?L0oiiQI?~#@90sihZEL;gI{{p@NIYh>k zPwpEqJ5B-i&M%BVx?8JH?P;uNM^_y*wXpT3&yo0@Yy0L0Y$4RY0b^oo?BwidVrcW< z$PQo$!^lX$K=9vyhlhY(#lzl&fL=o$U}<9HOhB*f0&xDnJCZhrWoL>ulm^Z)a`jY(n7d=wbpxFKlOR=csINXk2{}_I9==w$20`1oSc{wq`%nnb_GlnOF(v#Vo9UsKU^T{YO^B#K_Lr zgn*9^=6?_G4t$vnnT0ldKl;g^dzYS^B?yd867~mKK|leC0T~_&CJakK@n@EVD@r1X z#0UTqNg^N!AS!Td^%5E9JZXFU*4A|!+?u-F$$!l;yk_3Nyq1ywxm4AcYkgfNDEIU^ zK)$z-8G4PG8|fJ*8`32(5)-ybOjzSD$w*tnkD1~>8c0uKMK3X?&4|Eb#9+=br0I|% zZ)N+Z>=xvd_)3EdCBXsn-Wwe1lHEE|bnRR|dE}4emhWPSe&f%xJ`#J`p~Ofr0zX{R zkdf+tPXiJZz}jU|GAP`lXxslX&hv@Jh(!(&sgEc{j3m^u%vWBjO^8TOrZ~!OsO=Q# zTx`^^N80lE(;j)Qwl@h|S)G43ifKo2Tjfkn+viXxWY{!^ZviDI3I0{ohhNhgpqFngm*~hFeCrs%!Ocg8)Y`0KOwecOh<0;1Q;N(^@bBB?Xy3}wC zKvTV{$sy*+hm&kr9sBgx%JPi zj{#&vLj=r11ZXYcp#fRGUg63yoh?I!UA6I=+uO}$u_feq6>_?EO?-N~V)Qb^!T5@p zF|y7xr`0pRTk|Dh8y9>@vuQR&eL7@yYQ)ym2yvb5i7oTJWcMw7y4O#7mrQ+r(m}UI z?)T|<$Be1&=z(YSPK^ycZ|V0I_)7tmjP3Le*~_GEVQ-3|-?B6wJY)ZLT%Jb7H$$Q+ zCL1P4^gw+P&%L?ClUAJWR^725gX(~E$p7rl5i$}*#*nz~9X+q($sYV14YjLv`I&Xe2$-Q1~#Ed?D=^d2c^P_6X5#WgMGmg z8zeZ6U>x`LVn(8ci%Jg>nb4}x*P9_efnDyoUQBc@j-){`@De!Sjs~{g-?8j&! 
zT)%{OEWJ=PTm#@$--ZAhA*z>rjzu*0Gqs+G*L zVXZEENKyDwP4>2QiDTy~&*at1;#Hc~y*RaVX1WWv{!GsR>6>yjr{v@wysefom^nR< zS7VdP={iL6%8kJ+?$#NzYZznA8fr1hCNb$5{>fjgmsBbJyF|**)sN6;^I!R+)98D_ zU$J=fR?ii%W9)3dX8}9exDOmL}0y15V)C= z{D`-MY-J0O#VyUg7pzAN&otD(B_17(e8S5W=3y0ibjQjTz91GOwbfk)pB zUSwbKA5SX7vp|&B7pk=?qKg$&0uf$8!6JyvK7JlkwSzh0zQ?S;@O7C>fP_CWp0}Qw zdr>#n@QtdUE-PvqF@T1Vc{wZWD;zUdA8S`1%V!zJ_a4^w-c}eQO9WcxQ1#5giz#HZ zIktJq`cE=f3jgDOgMRzx3!&W$xy0HAmwKR6|c!#KRvQ8ED+8+^{yejCNGpJ$D$pq7o_2@JIwARe-5xk5U*E z1UN~g8RMA6Np3#~CKKlWYrNbsRGR2IL3v_Oc2NOi{)})K>EAGec?2!QEPUHCuc-#H zfN6{{4vy9oQ_?i{=1d?IB#ZMTOP287%Gm9?Gzd-qC_gxQ?7Kq775|Xl>jM_IE%!#V zjCKB9+^96-3t8*fa6Fb#gm7dM?I~RD=g^DnM0emHpS3bmID;^O=b*oZ_cE4!J;K)H zDbw$l!qeEYTUqcpoFH}6C^Fv_S~8fjCY~SV@>uiJQPE>$)~%9 zjFBjgG=W9I`a|+MyYf^tDC|@}DIgqonEoYoL8Mo|+@V(^I8;$j+8FnFHlESY7%MmX zcY5|KVt9a|M>nm}m;_S}$fm&A3-hl&Yv<;Cx(iycQvXT?fsj6CeAF=**BT&Zdz2kg zc?AM&o@owzp%jYvh5h^JxEgR2;!@2dauLL@<5n6T#{aC8?*mjE^~C-^EQd1ldJQH) ziqoilLlOn~R!s@c_Ew8?NjM4+d1K~v6*9G_Q?frc`zsd~^B|xL&WrZ`7)aU3!;k)L zU9SF;Y1YqsL(&O(v9H%Hk&84AQ>QN%0ljLlX$DcyhO8r@iUY43?D8Yg^Qf(c8M6x3 zHG8J8z_o%a#{(PZl=6ZCAy_&q8z2(ni74cRn!0Sc(p9v<{kx_ZdxUTUMq%0D!>Chz z!?6tsggMDs7wogGw?qHm4-z~O8>|r63)}&7gl?Z^7+@z;wHZXT@kTS1`D@OLY)K^m zgP9^;gqNYNEKZ_u#XlDFvALD!iV7lG*GI?vFnD^+F5Qf$z+ab)L`N3mJxZUBa)EQh3DC&!{0H%Ip zZWFvPm7z*2CAnOQ|0;>I3iTz&ae8v7E6gvE{o-D@82MTM3p^_i*tZytEh+vs_NN$m zpQ)%Wo)mRnwt?PYNS_~=hEI-p35GfKyXQWyp>SjUlt2j~$hn~a2@(bh3;Cpz$5L6b z{i01eg>tGG_k9@qg(KX1Lc8z3&(cMMr`!)dyX)<)hHe4R$IH#m(BDg!8*5F!*V=$h ze=<0$w`$_Lb=zHrjcVO=cZ6% zC(zQ!FbLtG72F$(9P+Z4xDjJ;iZ;AjgBe>5A@D&!o^ER26Ppn8znr>}>Y*PaQNG>p zvvY#mvS3yLLnk8lVv&YMll{k~OK75dthYs&G_Yk_L2WPp{l4-YdF&63*>+f~bv!DX%wRFZWYA2nbA#bE-+U)B^SQey z7}fui!)?*4*iEn7#GhXG+#e(8W3|5~78)~iF-g)7g+MsA_*XrrILG2n?aXZXbkWw% z^G|wZjt!gX`5PM554{Gr(c6P=LY{cW_6S5fWkzzUgnJuL32R)+(dSLym4GRf|@ zPbvNBcheixwrjd3?OgR(CS?7 zC=9lwDRACsfOHXkaj;O@_y1+)cjFcWYjU%h(va=anEOQ;fCCg9`2#+M&y-_&qGd@Y 
za)S~yH=#pKMz0Bh8Wp4iVj92k7cxm#3Lb%l=GtJd!6XJ9^#g%ufH?p4kAB!XB@6{lKm;(B~oyUzQp@~nI%R~$Pze$qOxbuyk)5SUNRVV$Em#xh<<-AHFinz9antdabCkK2pa4e!lN? z|F9hU$9L8C_I@|5=$rkdx!nI#!U&l;Q0-(R;9KPTJyo?iy@rw~MkRLic;U1?C$=T_{(t&x_>n*Q#w%yGC)p**RMC175a=o?w*SO0k04vjZaiuuhgI19+ z0gA()j1g6r{VrpLYu(P6vN%v1Xoz6A%6&_8wVPNvFPli8Hd^#~m-DsmJ>BUPh-iG7 zSLt%OdeBhBhy6pf_($>NIgf*my+kc8hgGB7eeDud*UM)pk?;MDS&kjJzSqmcgr?Ah zzOWf{3pTzYT=&yoZWyGIdcFpgY%<PeeYP zJ@7P<*V~04a?d`SNNlE)k_z1)Q|;h-ME~ktzXkn6NCIAK7aUa`bsCG-IQ3dOi}AYqR~I57oXL z7O%{vtHU`_P*x&=Z;w~5F_@PFEXG@t$pY=gn&(|cgAr(8p1Y%qQ9a8~f&+!&aluXb zY}gs_SO}~}<~@yPi?(ZB1pR1u$hy@w{afa~H|$8&@l@k?2Q-nM$XOCU z0!?9xP_k2SrPlG0V4Fjd{G0D0Sw7*e@MU~bo5`u-HSMO>W5oHF;G^btn_3# zb1@ySQPeB$wj+}~GUUqV`x+u>^3L_zyFEpIVE2x9(4VT#OI|gxDV`J(2J0s2SSeFK9pG#q-v!X>jU*W;ERN*h|Mw?Sl50}vMaRNZ-tM6o>!;Z?xz;ryh zQ|HABkJBU9syW-X`;PF!aiT?W$d~8WYO`b4d|+*>2Bh_J%gKms|HR*V>E6TEyZbb7 zCG-G7h_%smWCwWeEP4!nHYvNni(ibDUSnVz8If$7Ggz)#mz2KPaF*-0ETo#FFWX11 zTedAk|GjE_yHS{lkYmRXVN|S1x&$rHUmgF_=PTwbo0mWuNyf4EgK2DgnVgHdn20Iw z9+2Tg$d@RaLP1EK9%L9I(xV#%3EfVYmAy1?{M_3Y%raZ+@C!)g@KhjAzwL{>u&uTq z#!$!P`+A21t9Fn{rYB~RjP?mtT@DM&L!5!*20^*qn)rOI8;5;U>^RPkv?*6cJ0dSO zK;5lqf4`*zKJm)~ogb_Z`2qtuq;2E&opT0e7Kq2Rd`< zp$`|6>m~oC@$$5O?luC~rbe?(U=x#zTj98s_bUR({qxE5G-!?;rs<-LTgU{&VSksV zs3udx^&%HERfrOgNRC_tro|xU+0^;mK0P%Qz}r4XLO=EgzKMxM6>752tfuCq%JlDG zqW=G&)oKB-_0MaXh-u_<$WZx+5gEz95xjkH_reh;E{qsRN#=hYYg#&{Z= zdht{>YH0p1Gd$Mw$_(35uQ8gsaL!8;>=+8K@7#I z9A;x{PAFBAZ0Y3WKV~#G-?dCxu2e0+IQBG_8*<0S(jwK97?Pzf^$+sazqYJWk@e0F`^8lJ_(P`pTV0y4i&j`YJS{UAWBF0fJj5$@<}>--AqL>~!-ir%0uEI!`Sm>a&+EVDt3Jl@-wzT`@XxKqy=ExgE*M*`MHROc zgg)-6vOUsOo%U$OBU>Q8@;ew?dOY9L%(7qB?|$=W%%YUwg+x-Lf=eJrTuF5bJQl%X z2&mf&a$0>-59hjsyTmOlG;jI2c}(&IXYu|7&US4oZ*PBXGWjF2nx*ng5bf9p^uko| zCAKcIw4e;zcR*AeivOKaN~9#Guq-HKfwKDyUg288 z*RhO-UA^FXH^j_~2|F>4n#kn9TZ711PEZus_<9gYl^Yq=6^v~NVb6@n zi=FIpwGzqM`|jRqOf`MuMX%k2f61{*#UB)-%;bO2C#j+~Jf-`-)5K@FfI^)MsB(P& z{17$lZ85x`{JNp)K|$iQ*%gvw(k=fN9Kar*xZ9~`8oHKmLwGb61ZRC&$`8FVA5$ci-o+8I$8%C`9cGf-X08|66jP% 
z&NXO|r|EM<_tSCsg>w}~&Ip&A|21W`SAx(;>4Kv(*#T}VWrPsVec zb$@wloy@6=eIEdEE}WWCoi7(9MYHR8_kWRku!Av%D5*w@}9PS^7;C_<D_aiOQ2I?Xm8FanEP4$Sq(BZ!)J!fJizeJm}1 z=E#vdwC{sW(7H`AFn>kn)IPh634(RD45RA%VaOwO#s*b5e8-gEjbz#{=>H1hG$)wp z9F3{{qjCI@HhGwNUp}R@DG4&jq2({Qvomnko#$6;BlHDhz^oMeDVd=Fm?I+ki^;pc z+1vg+3^)|RV>zlM>QD&JmUj#uGOh->ZwFky)QCT=$IHRgw!YIW1(U1CAOTF7PHWj+ z`K69##q)Nat>Ka%xzuz0j|@RF+b*wHI>x$7fj8nE-**{5M-3P8NhJXSKIfYTG)18O zJ61yXMACSJG#VVi0=^nBTVlCjGv99)C-5n51w?q4-G*5J;qGwV0?l^WEv1DY%I@?? z$UoreddzYy#e8>HTyHPj(- zO^uIEal7Pw$Nn#hU*#yw;|}1NAZQdFb#7MzmneE>4sIy{>BPjr6cUKGT42?&nZ`0A zByuZHv%8@r`<14Nv*=D zE0hNhQA0pb%*Az@p+zV^qlF9-Ih&4|&AMD^$Z84HFVu@{^Omd;aEKR2A4RVcu1b@U zI|T4x(J-ZP1dgODX)uk5MyA1Ajm^Ds1}=xTZ!<`fV4Ou5L)3_-q=at^ z;_HS;-GA(>1dMmd>(SFJ$DT?{gsA-+K*RJxT;thxq^5k8GY5(8Qqw1Lc0Nk&r<#v) zfMaNJkrSaSZt=T49&rEt(K`$J#ORp_`NNMpavGkf zycP6^V3E+V`^~>3?bdi(r|<*b2@?xaM>gq5K!26r$e~VhR0pHlz_va*sN(yO7vGA; zgxwCty{5)MjT;jwIx!^@9n_WF|K z;CVftGUy`H551-9iCnnGH9c6~db|K9Shs(bFwHT4{0bh3VH{?L#FQP;=+;GM;(BJ5 zO)-*htdNfukK@*qGy&nVXk7ekj}_bQfK3azGA&Egk6;XC6Y+|G+vKrZy43c#tqzTE z9)w^Ro;LuRJ&apYX6FJb2t~Tflge-8cfkJk2k_bJb=ghkyo7pY^;G`WC-&oC3sDiEx|;j=|S<f@!Shd?^>*c;zg-PG={>yC}?PT)8H+-d-lIGNO6`VVdxK!9|mn3F-W;6V^OvxQTT*Uvv?q+baMtY%ap@(hTIny@59mXGE33{9< zo7A=Hjq%9T_H1+!pIx3U=0rN!L~Vb74_}3}-FBz!YDZNTAg_LUU+C$D1aCyB9mepz334@mK$S2es%#?h(Rc&Mr8>fj-fP4oI z;3{>&J7sv3>BxAF!+zN!2F{nflXA?loqpwgtvs3Dm^rj}kqb0D@(YS>1WhOK%NL|i z)D6Ls6%dYySq{*21HaaS`+=s@;%yQl_sR@A9uLd<1#nUxo@=_(YjIw5R*E3_BTS#X z^o}l{iBbKv^YkA=8JmU@s{$SOUVEGb%HbaTmB~-zhlT_r7=b|T`ZofNgqJ(xK zn;6aSON97Jr`&qwR!!(;rqXzj|1Gly*D@RZ$f!_H_Yn7}B9gI9<8CCeohJL?^s4L# z?6d&$qYS)(VW&LAz+h%`f#k))TpyII|ANxAiMyd%(dZ9S zSJDYUCu?F9sjVSQdZx!ru3>w*t;zizj?PC(QR|Riouv%p`ajK->mLwdC%j}@?12q+ z<#mZ(E`{(AjZo%U+ z)L}RPYKXz_C>oON%%t*bzh6ZQ!oc9-ahXBq5SX^S@3G(~Ow8#GyU+Hvh|yD+(Nl<- z3>AcGj{e7BKyG+^w1&n%#~@{7IJha7+Zr!mtx8prlC6qOCPv!1i<`!ObPq(d zpJwJfeZeIOh!D4_0QJ3WGG@4C$5ZivjB%8We|+DD8Qj3tr%ua~^xmXS2)YV% z2ShXhELL>R^$XnZwLSaWVPf=9;Y@(Y>97G27EM*>cMuVrts2+fErU_%wrne4o!I$!=HWZ@z33Sr|0!tMN 
z@@pMQY_8)>8CuB5yYC7w|8@Mu%)%EkL_K6KMk09pxmYoLb6p_qh?yQeRPV*Sq8Ol=TCugT$XdjPj5n z7ON;>h6W>m<(3Ow^Ygw^z&!aAys`+Jx9UEwaNxo>w{+yxK+;L!w$vdZcO+_-<=j-q z8P|X2Rm#VGU{`m8+?b$Lm(X#Jf2WiXiUW0lP3P}M0C!&L~wjW)`ox8XF zm?V29igjzFrL^9$82e)RE{$>NuKykzrlsDs(1Y`Ze2BE0YpsjQCfNO+qKZ|0c&*F=Us{t6qM}R82I21TENzI!dW3}^9 zg&Oon+e0|e#h`hqO8e;@?zf_%SW^pLcb!J;=OMyKF*0rZe&UUJicXinH$&dX`BDE(35aZQdPs3E>#wmnLpwzF5mv#Q2m(hK z4iOk#MY6Io`ioY(wSXJxiZWqr2kara4nzMJX$HDQqUM2`0!lCSJ1XA|&jI!3)E zHoA8s=wPho1RuoRAgu3qRye2M8Zpjq@Ffq^UzKO2=sAmg1<;Nu(=?H%_V9wptg;!P zz6laY#F1rXn0$;B;ya>eWa{2Zi|~FtPmSOO#zykR+t7W1fLhHk2;D=BH?=-3Hyl3~ zHlgCL%Rbxxx|$yfvy6KXqCnbf$5P>Ra+}O)K4Yu4>{KrmS*glziky@>C-N(}J&2@& zO_ug;p&Zic(<@@3;j+GQhu7Q`{MZ5g2!5Y6q1zX&2A32e$jn?z<_W?r+K^oPl*%8fPYNC=9Y0 zXSvWxpY>+r;r&^W2sA-d4eK;KppQL+u@I}+1H-kD*15O;waG zCdZmXm2|n_;@vYTDoN##`pdneSfzB1p~akA@`6SjAyQ8r&)!uN+juq?DiW)E%mN=M zVT7mx=NgNrbb$|oPe6n#io{2~=iJ!It#$b3en%zx7_M8RQY!%DD;ieG(tu>w0B96ovmaMHoWWb=rq_95v z0cxKoqd|WMZE(Zs-?BZK-xM~p=>evphCyQRJvX@}JxF)+ZtVlR zg98vlaew1U@OoZ2i6Mn{0toDN9pG-Z`kG5KBc!smU8%!(3LvC9RV!1oP!zJ)J+1yL z+1-!L+by_W!Lwytw(TyK5nGO7cX!h*8u)d8*B8OHwab2dZceiUgVsGW(U`?YLEvWr z8H%Ab$^*X_8NhUJxLd$P^BL8)-e|?8Jlw?8boXY>L#JM~UW1GJMS2gpngBo@^Za;4 zpk8rv@{hbCJNc!_+meOe+?K*m0`jMaFYzJpzRY-ZA1?GT z>F&NS%Xb$#^`&?qo}~zOkn~^m=aXK)cK0B<+AST-dGU~^6i`jv0}sb$ zFQKE7EoqmFqA8|Y-qlaq1NwYy9OH?&r==+LhQBnY0pu@-1<%{^^FPXR%|3DhdC!Cc zgqG1FlC2(m?^&rqK&|ePQBj(k@B0-TIRnOt_#nP6Bw{!4G*6F38bXUkW(U9L4HK2g z*LGjGN5WQYe@Z`J_ZLFhauxb%^Cf975!deS@q)=O)7EtQ7wsGrf4>{e1{`+rj}4K9 zZ12Yv4$DPcUTX-~AQwoA5%Q2Lmc7={zK9F9H!SEy>ADaY1BAFI>39Du@@+almv?`p zF+8egVfA}hEU5-BdYl#s!n=fG)tzrc!{;ZNUp#B%9eyMxy7AbD<%pp3{*F}N-c#5! zb;&GvOhdu_YP?FRAx#b1R%*YfaLRMcFRB)!p?v)Saz!)4r? 
z?GIM=iWaLHlM(i5hMH{OlG5#lBxn4s#NyEG7-%tgfobCJNemOJHg}5d-|ih#$1x8) zu+SaYvdt~O0w!>Ahf=fqEp53A#Q46eXz?0eTS^AM4}#YuyI?s5+)mmB;betVx}VhI zKmE=-`1D;p%ca)wmy=yNM&&6AihMH&R?LSJz8}0GY9tDQmsz9|k#j_F+~KTFxY`4| zdJX2I8&8D#FKSgf04UZry_cdM=iD$EBJdQAT!Z{wN}Wg$oC9S@1j3e{h&dzldEY{&7W}w_PKA%2N(g{xd4|4~E!W0aeD<8AJ^0N(^v(AU zh52q85Sjf`Z|n!Bw#YVG;_;6{G2fvIdMH&1Z`s0>q9xjr(8zk85%*ZK7yQiM~2%rs)77il4wB zh1_o8#cv?kr@3GDEtbQIlX%x}MI6#JKo=Clul5k>W9wVjqXUNFm-x4IJG#g_@**v- ztdE_HH1O9x4xLJb5|IuZ8gXx|tq*a1tRvRXwpi_Lmp5b$_ zfz3uwMMW|%wV9R-(;$wJh59|88V8@fA&||ohIXV+Axz`~l~1di$!)^Z;My*}qaJ%FW&=9G%n;L5Ui#m- zr^>gwv1fPO0EcX%x%>cuv?Ef;4(_wZA9H3?Vv_^pLevgau%;?ly9JtYpo11GQqOSq zd=p>T_31y(?vs$rAo(yt0u(Fh5l6L$>iU^Oc25c{3~?x?MonJ~;9g=pGQ7psd;Uek zasp9J>r4J7Oz9UIF=#d)n!z(s6-Cl#IWW?E(_|rtt~Jz+FEP@=VU*Y%7XOB#w6j|o zXG_MyKKk$G5dx0;?Y9vymZb`==g8K)JdCa?cAg= zY!<}kz{Zec@Mz%K=*Gw(mOiV&cE&wh(x>+wW~#uN!tbkolm7kp(L~c??QHe~9y6vVUUG@&JFuH{&hut$Ao78TTS%n@w77Qom|1 zZp28*5dmz9>6Ty5aUlBqz(EX9>UfWdZR!+s1ygfskEfHP3V|@m+I@r7<71v7$|eln zr#l(_*Q>re1U2={DM%FNbpmYjbHyymMqO;WWQ3^tE`a?NAoQizq~6R3mj*3Z;u`8P zk!#A(M9U|qBgQYCUm?caqSOb&fyF&r_W8z^9n5s+g%a#d+)!WSMYb+TwQeOTW~E{i z5%m#+_ue0Je=fQ<+0-SPr;f#5LzcdD!!tIbf^*Bw5jr1LR6PbQ3Z+t`7F7!}KV14B zYV#|sdyNC-uH6EV0u^2;jrBJ@6)g&#I0On^_t@P?gj?C^p5ky|X*S23wm7xdj~Jnq z^n3iTLS>vRJ$HtILcv!)AXrI##qWEB!=mdjmGL``L3Q)v0Yc^M-|ClxOpSzzy+;a&2M z?Vmn!`)IF;%Deo%cXE_Fkt{p{OJIk zDWi(7v%qIayqw{&dt$hl+8^vBvp;u{GOgHZhSDoRR-wl5q(rzzv3w+@4VbGzIN~N+ zN>q4*F&N<7a}9fO99RH?1=r)9 z8HYD(AHfgLg^;CL>TBKour80yTL?J3?~k|~doXB{aTGS49thATAd5yK(fl{qSV83w z=NF>x_7Osn^_dc-7N`ifpihzAa+kK>RNw$>HW920I-^RW7ilxbw)^2yBE!?{a89n# zNUsceSd{-<@^-XP7M1TOm^klDctisf(#d6>nUE52ws6xMikN`_7;H-Ax?qcsLGN@@ z(!6CK;pgXg*MRg(;Jd~&if8d%iRR@h+W)q%#~=D=vihp?WcRp_b+~f_Xj0k1D>UJG z^R&`)Lg%-luYWCA&BWH*W!b}O@3P$A{}if&OnsTOzRlgpvcCdHalZugR>^;PV7@{h zQ#K(XJ$2kog%(7r0et#+4^OkrX~MdMfe+QHiWHNwOrWPB^DEeyqA7Z1`VN85u!I($ z$Hy$o<7i#kJaqAOVVZw}gB@9B<3reA#H=PRM|Y9rDJ+U@$PR&KaLsOGw@{+P;^Bt0 zoNYUpYTdN<>}g=@t?N&Om!V|WO9Y_x_vrOAhw_DqKe*Pg;+7*>fa*2J>#Azlw(m-4M@~9n 
z>Ux?J_Iuo0Pv;Avk`1IJf|&#POy4n1+;To_xLOgR7Qqk2Eu6kiqly)MUW`rnltz0o zvUwsPse}+4-|di^-XtuKV0<`UNNI=kkm6D@1DO(m=D*$+%ig@LjR9JY?H!#kgJ;Lr zl>|(`K@9}3hBd_S6cs_SNS%MP;g@!+)A1bT9?;JFDC2in@AxGt8&QhI*{`+$VTCM4 zj07IK-p=8-@D^0!IZi=J_hQ@gOwUbsc-H2g1S5rf9DA5(d=AOpP>sm4fbhgtDtJWD z z*R<)AI7tg~%V4hBUBr_zv@H=E9UGpmH!>?+W{*8Mi~)rbRrQ~ zYBhgWItDtFC|;zOqQnGEv5ofcoV$b9-einSQJA16!ewlal92a$$QH4;>lyu$00K*N zje#rHq=1-*A-8}Q*fyBuTP76O5E%nElcHfp_mi|iK-a-Hs<QgreH{F z=dnVEqfYKe=>JHIrWsfOMP}7@^NR9&%a3}*3xxEv@sB~kW#6So$A66`;IsyYC4NZV zB1GaCkQe+zz~KxKCLD*Uihck`%rk2~OcJlw zfu)nZTuAzN%z{#l#Z}|Elk!aL<0Y=}1KDwwIOTx836rR2RMtY+<~=4rUdk4D|6A6jMj5@C4o^luQ4OU3*5u`g;D<z_e4$CjMXmv9>KM+R?%`>Uj}<{Oz;Mp6T zmT2#$<|_BZPhk`ePa99XNCD0xA4u$n%t|a}PHrYOhhP(Qz*V{G{mj9sEY~eEvz1KN zWC|NwlU?`0>VH3nVEYI5NE}ERrEK=&4jJrPTA6lMhP5LrLlxBP36SCFaM*QoDIyj9 zZnd*9pP|naY^+96SwUGyaL^#}3HBMocX{G=y!&arUq`9!yKfFhr^G|T zYP2<))(~`6Bg4%vF$RNa@Qz#{15zWBxsx-u3JNIW+}qH7;H9>w*}y1yJm~@Ayb40D zHntM=Ey+EzB)Q*mmqUP|8>D$dX^z_PdGWzHs(L8sF8o=O`|} z;(f)yRE}TpUntQ09!%X`M;sOs+|KE#wYp=q(RJ(7$9iY7SxqE0RyeV4WNvKGAB^%R z@Oeerqi>NIQM5V9!oPu-HDJSg#+%%vcuJR@E3_~2B$VUW2%IRi=v;Kkd2u zK2+^bsXnW9*vjEFXcaKAYUeZ1eE29$er0%Tq`xuJ^OIa#qN>~7%Jcs^u8r~T^Gj+1 zf?;)ai>$-r3ws(M(mUO38WmWA1H%vHKP_RKu<_D5Y>FAPg<VlR(8#%40m)0b_w)f>hxmH0Z zY~y)qX7I`YHUh&V>joE}KzeS~J1X>ZxTz?710WLbf?Z2_lhK z@>~A+m`>t*;xpc&y7h;@cT2#A0NGEBBVc>n_|{rKPXoS$>yW-N^v{gIPiAci<%uW@Ru8~X=mTjSd|wPzz@{|)f-~125Vr8UEEn!_s%8JxCFMs;Jy&|l>RCz|@#VDw1O^OpC zr+#k56b34MX;Jco)ibIj7m1k~~-GhMIG3wKx{D3tl4N~J>Q}%V!OuM$B zva_TDh3W$^93};Tk9M9iFzasa0u>`YA(9m~FC~)ZGt{}kX*>X|%sqCGP8{F*z8+u4 z?-nK}{5lvfV4>PHmB{^(D+v|-nOV@U3d54*fN31DOThM9N_vwwO&G{-Rl>&yx#kTWRT8NZ;HgS-eFGz?^aZY_5rYuM|mZ#y+l{T5to1+*_ zU^X?y14SSUNe#G+rIsix1_~`w<99|miq#w7MuN;{af=R5myh9pW@aR|O^4iZ?NF~Z z)RDh-Omn)d3h6zErO#pQq#r=fU+FiW*k}_^jDB9(mI%I7RnwyzWJxr-<0um z2E0FPQ_|M2qvil<(`oQ}A{I&EzAXnij8oi%40r@|PHrUJP^t@%V)xd0I+)9p@TYvh zW^CN#O-A#;Bw~*|oYV2_Z_WiLZdCgmqtVv~^l>DxYWbwMOJC%*OpWXzC>dB&y;@Xb zJ0-iPf0ax7JEq(i!(C6HgQ~f$GX)O#OW%&rQv-ZH%V=wqTj3oek2Px?+9~ACU1tJ> 
z3IBMSbu}dwrF@1mJA9is2Z8(SVR9!7UU2Xu&*y_L0|UsGxZT2hcNO&w(LB&}_YjDrUX%krW%YH3yh$U#Ta{OUoVvb)c#;#5`f<|c zIOM2V_xH^HWqrIeh-ckSnS*!9m20u(I?;pt5FwW~$AS?d4z(llKgZLp2T$%ZpHU1X ze5dNV0bR4?l+KZH7UN3&SK`#P*9KoHN*MM_B_N3a^&|aM`0%=y82RfzeD%OJk%hyD z9heUWgWkBOGR+}=4rC{_+9#qRE)SS!wP&JQhUs~j_YpC22dR)Ho}=vY$pBO;$bk>q zU4jqpm+?}67Rq8gB?vZg;+s_L3CXX489C!a2uyla;9&4E52P0Hmii+;kG;oP+*G$} zvG=64m-lwY!MOg>Q%n5MC>3yNnXQ^_9G5mJV)_{p;-qav@=?C=47yfz0|t)_=jstp z1QtF-w6QSyL7d~hS~3WgDiqnr95h4SOl8<_@yqj`WRI6OY@w)eoSaB`(UNMxkDYr@ z;lmoWx2yr5J|Vci`Dvy zEV*JZ<6JXfXNH@6++j5}CCE-gIA*+JaZJ9TAQ)3p8>2~dST&4``M3?Dhh$$@ZD)i} zhV*$T0O8g5;=SSTgHdtQb69Enp2kGlFArY-W*C zM8;MR&k5w`cDha9b_Ei?(Txj;w{Jgz=o>N`OO3fpMH!k3u!qyYK-h^+6^%f$b63`T zH+<3k)+9>LbkfeM@pNnlgkS6jh7IV2Fgd+Q^8?j3#UdKF9u*{vRJKEp0-P3c_H`yH z{6_*myGhujcAyp6sk|Mt^9icA+!~4yB%J zgJVuG_pN4iovJQ}!4nZEK+c!Yn#||ww+z)75PirTLQu?dhUvB^0u!CX98NkFu1@cM zdl;M_5wGVI110suJl%TMpwRj`z2@Ooxx%L_tB<0;36|Jd-LX_EF29IF4aA+FhZJ>? zQvwNYB<((0?EB9c=qlMGuF#trArT2XH;s@VtD;)-H-U3utipX$$w4jC=Oc((#=%pF z^R0_b3a!#&bY8?1Rkden_Mp)QdT00?GIsl$x=J+Yb-mMoAYG>MMSj<6-DDoCAq_`61q_Zivt1nF=neRko>xq(Aed#txdW%*$lP zMgsvpNCSePSWT!DvKw~BfDK`|;}8-5V;41ybVPby5Yc?=9ug(w8+OFA_i?7~I^EC| z_Mo8D1NtEZi*Wm;{|DbdAip;#!^nNVx{oME3t-2gFE|(55b%coFuqaFKujBE4)ejk zkZ{J_y~AO67XjXAn~Vmj5DXWP4>UWf3Ns%I8VyUruRpC!&msehPJ-BEgtfp{E5tvRVKfLePyC z2)5D!_{KmFwsaM&#r_}6u1_qKeVD~sbQhEqZ@M@GNxV{LU|Ql8k|E_$ZeP6^01?KK8~Q+4uXQ*-iY&VdUkM(u;3(@ z=i51Rv2LnYzug}KIRE?$z%~qfYZQfdohQkEO05^i)u&Pj@62Bsp@TRO>wF)9WcQ;N{ zRWTqe{t>OLkWmLsA8zjSKX8X+TV>urbY~cBLh7Dz=9w(HF$TFEODZdQ(3q>(M|_i+ z4GpCm29b3jiRebk@eom(EGlS($WGIykKoz@)vtdA3l<`YxMOF*V6)MJS{z7zI)H1A zw4;^Xg6ZVxXPf~olIO0u1xh;70tvz@qFE%AyY^boVSGegYKoKkIavtB z6~*ocMmeo5Tf2Af>6lAro&6sSXRfH@tcX6QAFCz|88sb0HQO04ZsQ^+uva z;6b456U}xP)ng!R2!A@6BVf!aCOPNPqweL`M@2j#461@ z5HC;PSY4B7!=k;+HP@h^0q{T4ti|(f+d(`|NfbJ)hKZ^wdXDgCF@U>FH(=qq5xk>7 zl5F4!=F9~P$A%S#QNvkCY+W{R7f?2#WI<~H!UWXECHxzLk+K(RBiqx3_<|OYlbAnx zJO%~u2?`2>XQ+B>HJn|PA%-sL}}5tLkOPi^vj-g$?$2;Bx`};L=KkwpK0`$8w}r2|ssvFs&w`4p 
z+TQ=Ngr$_{Pd(;@+u-ET`Yf(&$-SCP^tQizZNG9>&9N8pbh0h5H&?^2Fv+B{S4@J_6ykq0&I-Fb34TA{9M9Qr? z-;kMTShNh<2l1;LZR)1R3)0@dVG6meNLhRA+J*YSfeEPvNlA<(wwrE9SH9tUE~HI? z9%sG5lj4sP`JN;uQ0v%1q*u7v9o_< zsKW>rf)-Nw9=Bww6edAKU>NS@jglYoP`DhA${lrr{+%22Uz%?oe5eVwHcFYB;=I6R z6~jJ!#3=t%Wbxx~6L@^rZlZbF=FFAV8vSABpy;V<^Ki2kneqGio8_D9Z@7UG=B_n^ zjMZb{3ngFjE<=4r{WzR~sfkzp4Ft{*5mTmq&C0)QIj_43DkLBfh$a^B^a?`>*{ipXI70AxRMjb`{2xH9k3ad0 z{3%R1%@V>@$XSR=2hl zVfO(!Q#GOgB1NGm(yo#piit$b2yBUN;3c4rXTv9kj}C3Z#vNfJ@E0h4X$nn^;zNoe z+1=N2_7V8&)~zFv%{@Dq6`&vWEPAB}b5rygtQy`zOj>S-n_@XZKvNM8WPh()zkb;8 z5#Z7p4S0>5H4iXF4X9zZ(;DWj`*MN%j6cgK6rvl=^3uzl8P9L$ifM*sbgx6W1yrj4 zMPp6%{0r?ki$poj;&yZ$;<+dTK4jQ%ckM`jQ+$Kwg5e)!O@oX81}SrlW`UYx$?|Nd zfJ5xbe=hR})X<%G-qob(BX#RFpgv2WI%DAkLq3g@>A)(5r^X|8Ca|Z^@)4}X!KG%; zmuZPtklZQ@6C}4d1C=un9J>n{m{L9#En<>$n?;xS`x$-{j==960kZjG$@yb&q^B!5 zRZ&U(DP#LR8axg)3>4Ace%~w;|B!$NWcqtX;Qm+Vq(%9&PESBglMLFUgVx zVPY|R0`^8&1-wo6D=r7l0smO-I(In|j0-6jDBds+(;Whe%8b0Tczf=@zp=YZci&rA z0bO|YNze3WY~5113W5=rn&#(noAOQ{I|i=~4zyvzN0Nl)ZjjV15?!w>R*amNX_iX? 
zwSYh)T@=R-eITp@t&{r{-A8a?@l~l>4QrHfU_FfY235r}8y$xx#WO|>1!x%wq^t+{ z$zv8lnu^FJu@r@ZuyspOTx0r5ovQXk^r!`=ajFI18d$ z)CyvpXGcHLYdmFyGq?ClQZh>vU;ql&M5uB+N0J%Wf501z27viS_dNg)9@%hU4;V(~ ziQaxZ#p=E~gO4(I*DPbqwNgC(Rl0$z&E0eK+Djcf`JWMWf&0Jy23JR|a8^9uBR%ig zyN`b^xf{eQjxQ0Loz|FL)FV?pg{O`u#q+|#x+$oT7J3Ro6~cd(d%9IR3)1^)yM{?l+&-P+1NXkD+#y2zB%S- zy4A9Ko?B-{3g}`aN#HA!$zD@!fwvCAXa?HK#EM2+`APrvs z+kH+pmYv;t^rCT3bqT^HwuaqAC<`!BZoSnD%tPyGxgt%y*|>2du0PhjD2q=%odB-b zomT9=%`2|BlAa(RxDkW{!Uy?`(4dFz8oNjyTtH19Y2N?!L8vDUSkO=O6u1JF#t1QX z_*bPFZR!T`0&8#NKMIugk6JN=2nv=$?%_Kb`+6bg-%K{C$LoNgWrz@=?2!4+O|i4X zu2M*FU>aaHs!@q;i_txD^gAlviJEaFgPWO~C7lYB&4cBD7>aR5P0$Wc$w|(_RXbzm ztkPGfTY>14Epts-7B-xv23@?>6h`Z-UAwsfJno61`;RnxRG&3BqOH*lr@9AdSYVTW zlpyCqu7%^5(ICwnlpre>On$o5xN%eeRrm(v62IcArG4>8Z`;milg+T_sWLC8iQj65km5bpvN{(=eqm&Z(zc6hhxO~iQE>T2x`jVLt_a_Y|HsocS@Eltu_v35!MXy0a(J2VIwf&0-28VEYJc( zVeoWuBY4*6Ic5l99pnbq0RflFRjS~Aq#eFt!{S4pkb+94rz5*$5H@W>ctSm)JhUh# z%#)L4BDu%&f4h(JLUN*>94iUc%PlhkYzSmRjbJ}`;>dQqa~NWLkNJ~fw`qA9=~PX; zlALMTtXT`KM~|T@R_e0l)`p$)aI@wV8SzX5ri~&GaawX|v|Hd);BqJe%)oeSHl`eO zlss|PEkwjHDrpVkFGo+&0?ROrM^6XzBQ_@I!mvSyIgx9vSh*4wEZoIRD$glo5a{fJ z$by4e@BpDfJHzM9bx~JLt>6K~8AzHi?><;xrDT`T6{Hqz3{qk_p)2^JW>KV24Cv1B;M9$&9O+c=UHQ0>tAI$C;M72~6&eZ%(kGikltc_h z`cbt!5=o(i9JnS3A_DsZvWt9~zWoR4E5pCThL3#wiKoEk1s;#4Aj-@_niVy#p(D8b zFBFmukQgv0H&4-Z*Ilm{0(ju}LtcB`^{55_SI(u8R|5wP<`j%3US!^43`6HvXQyV( zS}bKrZ^4WLd(ZJNb?ki3Ip;VB1n!`TU}-}{U^vi!{APdvIhUfhiacbWJEcw^>IoN+ z3LlPVW6^6Zraee(|Goc1zTw_6yYMbzr!XKoGCU^59;{fg5(_uOp}^V2QYvrWfD~q) z;7t`OT4JIPfk&c)-W)va*6OzfK3TXW)ehoG(UW*ulBYa<#>~K3#3U(Fv?%n0EXG(J zf$rm8XbR8yfddB}^APnxhlxP>Csnp=*;4yp*_auVefxy_1vCGvsnhU0yHCN-tktpM zTw?LVwZOsNefPc1TC~JI1%5+VkTJy0LOBKxVnj4J@W2y^J=Jf}kazi;*+Phi zxQ^EW-Y2f7himd zhQP22=^ln#h9nX|ILMK~YlqH75FvP%EM1N^;Zh^KUqD+d))dx zzyQ2?APm8TBv{6{8-Y%d8qn_bjPp#L9iXZdBhH&IpYx4p2ds`3Tt>pH8#WNm!Gq&j zcX%lv&P9WGn|buQ!HcL5T|gA+S0jWPQDmMD=trWNoDQN!b)3@&h6P^YV#SNQ&m!M} zgR$K-y9#y~U>Mkjgl+9i{2f9>XgN6r(eZlnrUOXkCAzm>J-08;ITyelCJaKJ_Yo-{cgbfAOKw~r 
z9XpZOd)&ae`kHG{j^N5Z{$xC83eP3z4{W8*wb;3-LM1w*u@Af=sFFZtHuotC11nqJ zix}h>E{7wuSh3>tj++iTXs`OHj%B8db9o<4JX z%N7AqxNm_a4IXvSiGe*Nr;HY`#P!v{6|Co?-2hs+ebQ|@cc znzeD?HL1_I$Wkzk6)8cvs}0?RFmTngB15POB(Oji8GH1)Sn}nFYh(vZ#Jqvw?U)({l~b!!8D^j6s8|C;j+So>(y_h7-ky5 z--7ps&NDI&Un`0!!7YS8{h=d(_+{2jnfCRVciw~QFfn(E`zf=}WX9*lvVoGsJfp#8#q&Y2+HKr}#B;?@0yUtKmK~aVOnI#Z61q77E4{N`{t_&>t zOmtYoVe@}n0HYXu>nyH3x27NAmM2GpzG)2tfEEmwUxB7}_0TGD1|lWMvJ^h{o;F9= z!U8D>ERuh!7Z82lML8TY9mr;UTaQuG8=kW5Cw%1 z-#2@{GKbd015x}_c}_7R2@Re-Foy&0M+9xG#zg%=(4fz zzE4hNJnWX!KB>XnDRvXq9}#NK(QjaQ}}R0R%4| z0GKxlD$r4eiXjmBZ7C}Q5~Ei zlZ2!=of4Xz7kJAVsw$|cNTlM$(f)w3habyLDF$-m^*015G;R8fl*LOR)&OpiV5vsP zwe>S?SlW>%h#!N2A}KuB>n>SW>&>1iQcq#)NVDY)ksj0o5=IMPfsM@)FDx(?Ef$jy zd7^N3yzvje|0j%qS#VBF%J`N@Z%kSP3`2=U4Yf?5SICt;Wr& z@IhjbocrCp`S@6fbK&zx7P0ZZi+^w5K5mnAr?|`1#5WfHdXh$f@dqi#LjlLa^J1d1 zdZ~VU4W6d^;X3;mCZ$SU-MPzaI;F9daJY%rPKrwJah@g*m&r-I2}=Yp49Nx;`wDEK z?;s6hc99092v3$?P7D6~Lsh|Q#dV#|cy{0=ZvFJLG>DIa9?>STV8^Y&!CKk|+zwL` zP&yulfBh@bl;#wcUcdrr6GsF!OnE)Iui#FSI2_w&_K_nDVc;l{9>|cj6uy5!AjHTP zPw9}98)A_XN0V}zrN^Vmo;wOZ{$oeL{Bq8*NWNHdsr2?#RkN(Ft>J5F($_$Y7QdNrWF!{Gfj_@UunGd+Q(Fm9oIKBWUKv=;JnImL5c^<(% z_txcgAUj5U7wb3hI*=e!ym$%EVP(se!?%X2(%hNt85IY?W`S^zn0LW~$MLe+>Ey1RyK{{RRkG0oyq1;&T8JVn0b% z>ic#~01a$AgCr0?LBe6TBg0C3ujiI*TAP;VQI7Jcwyel-6TX(G=co#$1bA15uCn8;7TJR)#z9tLS@2 z44STz$_H&mu)-ooc>nj7FmSZhRtgJjm#VFhGXi2yV+&k#V=Ph%iDZ&e%dceElkk9l z!U&iJ*^e#6??<`$8;;KwW)94LD;^P0I^{fsF$tPK2LKGPt%8@(APz^q zF=&WqWy|YEem&Vzyl(i@e)#bxv;aOdvZ#VODBtlmv9d)JPzK1YXdtfPwf$o96r>YZ zM1dkq0*$8JdGhqO(Q3>kch;3o82tQ=8r|Q$XCD<`tg&(I<9?z4v@Ggr>sCT$9uX9; zx8e8y!x2Ci0A>Kzf(eXs7}ptgy*^gYzkH8F7=f>rG8D@0=n_k{l*Nn5T7oZy`OHFy zR6!41hsnca)6!ak5sIcTTi{J{3xD=`gP7qU^q5Z29+CtNW`nd2KXHm9zObQs*x3lG zmc&O(eUFxa|G}SQ=>B$DU)7L!9ZIt zO;5Eq3ijJFRH}dO`pg`Fepc3Uo|?F2*n+mzEcSBBv!vmU4b_c5rcEk>$^y|GDSezV`vtpi+RF z3!xJ|ope63U`AbnZE({Z@ox6&)1Nn2%lr`<1Dy*B!nu&Mg9%2h5RODYR<2Uj`94dQ zEX`Xy2Gy;?`S?|fT&R-5kRk}eK)HpF)1`3dPdfrAEJ8d?SJV(w3+En|KK?Y_u#c1_ 
zUX_&S7YiwOKV>pCDDwfM1+KGV#jh$}{3^E#&Y3@O25QDG4r-k<%og{s;F?&nWC@Cl zsin?p<~a*N9Fa(m1bM9 za*mdbMe>>-b9gQqe*CA6fQjZlmQ*knx%#*<1qbrt8fIDjGzQuZw$?n!Q$vL@X_u{y z81p7m@JcGDANcL|9bN_|arM>Lkfy&g{MtP}me-WKwiO8FX z1+;YOa*`#VeeQV=b1d%yx`1~I?r{n&xs4$I^I}m-8Y6LS-eP?6WY*I$_nYqC=jtm;uIjs15Dhc#y;UYyFKlCvDTQL*h-DzyJ4;nHVAWyE?r+ zg`R3)RyLOsX(T~Nt$CRJhFehj=Yfn#Ec1AwnD%%NiWI#ZmtEl4;p-?^uu$cyw-TP_ zy}-$a<-+?y1PVRHtj4R4&kZ3@m2=dSyAj$%*#Te2;o$y0-u_KDReW>EaFhj}c?5`) zq3?NdFsxXMzCLh}do7wJYgTjz2On8DsfG&8f&PFCL0mpbxnHdNtGE{!? zW~_dX^Np%BOe)?cCJ&mADe4{>vg&}RR;W;s7le1=nzH4At>U{-=Nl~gHEY#Qa0y~+ zG)~3`jbr`rYOo$dhcZ`5Cv14%{i=*8T*AVV1sg5vsuIrt*rz5<9`-CF-PghjYu@}( z=0EltO%kVz3&h2?0yYeIc*lFf7Px6ZDz_~%2gxG|!Y(=sv8}F-QOh+cgVA$$Cfxtq zi~uwyF;rDbx#O!BmN6vdv8qu$weDq^KgvKWp!CVMoQHRr#A~a5a%Y}rI7I(G?KEB) z^^eV*^{sk2uzm2c5MaXZfx9nXoScpf8+Q(XUjoGe218YbL+t5(@zIZj&vu?w2f}Jze3qT0qM+K?2eO6FP&E|);^p*+8u!)1{eQ>^ zFtM40jT<*{PoBVifUL|S<`Quz<_|oOykE{Jp$D;^C`96%%Mwl_P?~;-TM{B==U4wu zi4rAIg|x4z4-~G$?mPGUd0ZNxAZ@akWS{K^Tg+PLGY(JO2>v!b-`rcb9)3j}{&+-r zwMnMt_Jhrk%_3KVa7wutC9a~Ow(^Yk-~1zb z%2tjp=_iJd$D4sU!I*Jcj%Oh&?6v+`me=PIJt*BMI&WR2g#IO`bRfzP(1xb6i|r zf%6TUrDNwV7$*3otzohXgpxChByV@{Fee|G0wvUXCYFTlgAb55i0Mb3?_GDtbu;G6 zmtTWQT2&L1P#**fDxzJy2sj>l^%2er$}Yo)jFQ6m+OlO!bP<4%4hc*u=XOBa*Qj}i zdM3e5(E^d^xC=I<%HA20o+;e61FW`!i5)r%O5QiLBsfip8OYk{fyNKH9cY;!K-O<) z6I1|($@lYY&GEJCs4<5d5O+kCTW`&LQ}K?(RWfw=2t0DA5>2aj3rQAx@XWA+eeU@e zuNpM|iPvDHSv}JHQ3|4Ap)2nnv|5ZC@h>VMmv?bU=FeZ?jW?wn@K;m6)-@84 zbxMKoCBhTW|Jp;uJ}AcP&=aB=Wa9Vxu^EJ|t6KT6>@;RxVo z!!|)XV6!lJu$$l}N-*V^+pL8+5;@P*BFh8UAFoEM$DeT4guGc=!HRjPlaP=o3na3@ zfWcR+Sjjzsoqb|qn(eExFfvL!Psi~Ga$Po54El@pSfN6NoJO1-Fi8A4A3Zzdohhjx z&PjTRw*(Icub$_M@(~HMXR6ty3Br`T?`b`OkS{@O8{`R0${(UEJfrV`6b@g+x5YtZh=u&CiUdrJ z9^hFNTOSXo*sl!~MG+9Z*WN24V(-0SZ-@o4A*g`#8UhI=bm=HH5YiLUNUx+Pw9pZ0 z)~okk;(ou`lT0>Sl7N7In)lf!%)9KnJ3Djc{O5GGg0&~5Vdau+6TJtqA+kS&wsDI1 z@Z(QTbkmuToR)$?8Z|H^^&c?!pa1-qYfo6z#1SLAMaL*jAc7Aex9c{jl}KFY>u+>% z#vNPl!_P0jLV5YpJ>)OEg&3fL(dGkLT^%u1Gu1SJYE^r@I4YA2~85}1s$@%6ADD_jAZoQ`yaX%FQ^l$ 
z*luBZ#>Ekc!qt#^I?I-?xcqW^#61gy?IPx2l#R|LGkW>Z;SWCS!JbpOs}fh$CFJxI8ybIs5g>08{(coT{QYh<T{l+UvoE^?jt7@q{#qMa&o;?I5HFnD>)Vg)+34xQvaRPA(Q!jo>_uhM7lVj~= zQuV-6i~xfX%M(#WAON?d`Cl*W*y(nCjcy=AePPBlAuFMQG+k|%k%pT3LHZhN179g} z#jyPGvdGBFiC!5;o(dFt?Dw8{@+s?;wl=lu-hHn-&V<4i@FxUGQTK@}$mY#k@LGgL zxbGF+*W_RPEJNeTj{f4WUdQX9Ek}xnw$VkCFM?2}Y13!+?$htWnw0{e)z3cf3%%im zPWU|6BQC|pC0a{V14I1=D5W&0Cn6R2B1FhvBsi3Br=03ihZHA0ijeX{FR6-m;0{XT zuzx?gam2d&?|;Bmbiy5%bpZ@@|KKC98mX)%Qfp!zM!t>yh%n$D|`GD_9^9;Zpu^mQ7FCN_-c6y z%JKd{&k){o&%fXt9G1h7VIv?;EKun52rY!*QM_{omv5vk_G8Xpapu%hPo=sy&<27C z9H5<}qz*T9UN3o#SgI_1dV;(|-BRM4F1pwqt+)dvS#hT)Op=gZ^2}g60J(+@_dVkb zd-7Z4tP9$o?WsVy^L~ zufOd7u(82HgnWS|h-4|?5&m-B-ur-cK^Qw!dda1i3e~XzgRsFJaz&Ep*t%+3v^W>z z5toromus*kS^XAJ8qA&dm9qdAHz!((?IjyRk;N!D>sYrHQ+hQZnebNL-M8ZDh<0zY>Ork z*^21knm&QW*Z)RV+lI_bPUiUk_KeD#q~xiZd6Ou_Swrs!P6eve$JjTK#4CPvr=_a1 z5Hn6hP9JXu>EVYTMV?|gh*y#~qdRvj;SghKL_R*n}*x z5M0%OJcy^T-no)P0`NzT_WxHsD&nz-SpKXakg-#zJM`Ql_ubN=<0m~olNxi}AKe9d zLfO0W6!?s-0BhBd{1yJKC&V}}1ElzD+`7Hl==dq|x$MdL>b$I;XZ{L9>HQ820?Km$ zWz*)(5G~s|QuDEKB84n<+#q1ck_dF6YUFp~^;j30L}_3K8Xq{BWkP{$E<;mieHuy5 z11C*(W_{s@sOv#Ss2ZPDen|ce>koAs;KTp0Tle?1x1sgvWOwN|U=W>DQCF+;*d-EL zh{p&%8`jG(#!)?i%Q%$6vqw**)(DH_l|gFHzlx!7f?5vWlKr4rrg_(Kj zJouaSxee|Arz1dBO?+m^{a7Q;SH({`^?u;g65}V5(AFkT2|csiSYocAK*a=z6BlvO zl95ja#zi(EwUb=47B5^VmK^3@?&DP&^hj}&gO`E$K@--? 
zEw|iiBYqU%BYgc>BT^!S*d<0=?$267Z0Yi5S66AMOBYoG3sFu;8pO2qim%)O%NM>z ztVG*$`N|%TswLb+0cExVN)GxzW5z6NA#7wo0{Nws0DrH$?go&H^ct+JkkANp`*hM1 zt>8a!q3?pKHGy04VAq;JWUK1TOK`UR#9L+Ai!wNS-f-s6JOW16ITb2j`W4laTPpEW z#QEZvPW%*czE(d9aLO~qtCgx*Xc1A-t=s~2A!827a85|C{uN7rog{z)2B9>dF1(jN z13rP0ja+gDvWmw9jB}0jCpiYLxg>`{tIwU$g!5c(j$2@hbI+@DYOcTj25^nuzWCBB zIPr>cjl`RgQ7cJ4BkDc^vUm&Em@NHjfAWSa9@P#dOxA&Z$lmb8{8XQDxflBeZ`!%% zKz}aR*U~H3xA>Efe0{q2%P+s;iN{6`1`aUcO++R=m_HBzF{83}CF4$a+%aR;97sJo zSH&cvk%mP1Y$)HP(kr!bao8i>itNpjQ33=L;Wj=6IUowDxu}3e8%y|yJTUaRt^FV_dzkjYDM{m zJ_OfX>spZK5(W9x)1A38VO0`~dkf2K`*!k0;1%3|;1H(~%GTQ}ue=&(d+9KLS@^j2 z0aCK(WGR8Ia1y;`buR5c?HO0b?g|8TVhWr8`g{sEZohDPHc)lUz>wh7)%E#_TvK}o zT>H#P=L`O6=c3Mz@j3|XNLU*-l%w>PJrW@skm8VGBN1e5bjw$mf5%Rpr1CYMNJL*NX{4L3x7p znI{4+Kp{^DcSesH>*})0O|VIIe(nVUDO4E*9c!-%0a+?u!9c9t{?oRdbL3?2u5eI0 znowe_{>Oj*^WU$tH=Hm&3#jrL9QoX&<(#Si&$+Vpk8A&(uW1_!>y+_d)~|ogHiJOU z7WP|s^zq6p6LxEFzV)^%*>m!Yrp@pMhx5zPt@{V3oqoFO#aCZ_ZKX7nq++$$hS?l7 z86PxqaS4gnU4Mh?9Z0S&cVJ1%8X<-YX#0BMBC88W^X6wut|#=9UEX}lc`J|?*@~qX zWug^b@zkqhx5CSUl0&K>BVHERt5avdu`@*^vDbD^hocUu%z$k1{ zQS{H6@)Y%_o;CBOi{4N2CSjjir0BuJ-|wfNegY|Q(uTV6D1f8L8i%m6b5^^Wkh*p2 z4jm$%K+mi@SDwIZJgQ3 zx@{cZ3l8d!DN-oY`S;(y{Q7oKrq6^t1yzG0PVcvP^VaRo%k-K0JkhJSwwIExws*IU z%&-6X?~Ks+Kgq1svm3kuc3zeq1qDdz;v{>022lmS3#!uSGqwgI50M~j{BUHYY^W?u zMojmFXOaDh-P%)6J>%3}a5oaROFS^!{}kwFJ|kA zzY|OH@h6_r|Eqg-PK$E~3{r8C@rf#qlD(x3H+9F1ieHSMQx%U=Xl2G*VY9$;QJI6C zYK*t)-FO8%^Wp}y(!>1!pkbi*E4t7qzDZA_QF?b(ox~4}EoQ#-%DhRYJVpGS+XvM* zmQ&CqXxR!f!$4Fh*o2Kk+r;#J((_a2aNKaiji3Oz(@_zyWrCBq-CJ32@s&lzF>B7e z2OfCX)e1~mjqwvEiKi2H!yB;s`yYTcwuiD7sQ!Z&F7{%c`}mVjz47K-{K|}L=@wp1B28MxF(__->|8wh=UVU@Eg`BayuWdABppw^YxyE-H?LT}H z52ypY3wBaGX)zvMdDT@mvakQw*Is`E-y~>0JtJGF-R4k1L17dTZ@&5VamTqR8&RYW z8LGlh5R}kAa0k{kA{aVH64>gM%fdv*$lB*Jf|t1rWeD3#vVA(c+O%1-&wGEtmFy}7 ztvvUKN)u>C2dm6WW}ZMQK2)RC{ncEq_@;`2i%4+ld|bnsKidf4?`PzlWe{#qV#TSu zRE5p*E~p+?DNHalzJxW!3-q<=0>J5tEwPcwCN8fT;lN7veK8{DBE8zW?z@ 
zeL?+i%ayiXS--lzk?qB;V?z6vU;p#)m$9c0UI8;?=wvYE?_ry1phAb1X`dkD?jeAF2eO2rKvG{hwR$-VB%kIK?Iq!Hs@OJ}6mSbLP$`x3g<+&uZR$gjqj}x6|8T=EY^~_WxLwdCAPd z4hK_cMK#7QinEp8RgG39H!JQ(%?QKwnGGlZEF(aPMB*c86)^y_5u(udnR z-Ol>LdW!=gKgWe$T#^vGFbX3~v6NVJyLaz_`&qm6r)pdI>Xv;!we<~MkeCH;v2tS@ zqvorVpIf=TwOtE>Xq2f>C`dF#XD65;Ns`^~`M0v|rW>#C3gMEfs-)gv7 zJNQFmLl2MHp zjF|JYVMF;z0jWNt(|pFHS3=ci3y&WVJR>m=9kTO!b;cr*d9_`;T2I*0BNLIk<{uL> zeF8FZ_9!b`BjcurR1dN=j{Gdw=ZW-k^q*MDG_76;oV7 zdW`jC_OoIE;{b9kS-QM!TNe{Bcf0@o2PHNtHagH1dRMse#7Oj_)0xrMrlW5?c>J!SB#C_)SPY~V(j#< ztUIsjB)Zq1VvVzLBA*_G=54Qe+UaNDjews+^vZY$lFJ}1RMXgrY*+HNb(^-teW0&H zu;Ma|wsyj^e8+i%Js2JiPe1#dQwzb?j=Z(#7LbNm0ytxg@pliivULMBAbFX9Cw@gJ zFEtoVK0{YN78tyH-*+}(vZ0bIpLYiZ zcPyzqt73KP`b>*o?K5t*&xm-1R!CJ}Ecfa4wNLLQUFOAM(WvX!9$2P(wS(n>4A;t4T4?Q%*S*FQXS85YhYd+17M!`?@m>Xv9flsztRzH?PF|wPjNYPM;5d)im%>Z+!C&6dsf5OKXwFE zsBhu<6-AfTz$sEvtbfVGsn3kiN2Tpu;U&woRKpQmQddD zq?1k}9}zMR)GMw;Y3Z47bm^-77OdkykT2V z&1l8(?m#WcqWgNmV%N*`^(4_H2(fR!fph@jPL?Wvf!FOjcCfx|E6!~&j@&uTA!%4S zr{<`_V9WRXc(Q+r^+hJ=lcNJBD#8{7D^lY!SCo~)Px#3bhxf0b_uy#NrmA&DHT(-B? zV=_5D?r0B#77|m6m+ikFXB+fO_(S+g(`zP zxN7GZD<+5#Fua~b?4psBlJ@qy?_nL*>#@!T;aBJn+1X~A88FBs@3}(%2UR1gi^VXuWW}^i?!y;Ut%SmW{=eOUY51%+`iqm%;C)m;c<5+zZ{o#odCr`B& zM9@#vjn184kkY;MQ)2U3YiLnmO)LSP<<*TNe_k_2%`G+mq@kHAjY_Bj3kF5B9J*}% zmTGTs8?SbOCp*Vi->uMKYa{1w+`RdPz@R3hQZZf6B^9amqjNWfZl+Vx@AKxSe zRegeddd&6tXg2+9GCH}*xU43DxlJbKxgP=P7mW^&%`Ra7VC#eRE4|&gbGQ8^YQmOn z5U{J98GuvbYM=3WK7*sgDN&1})`8UnuBSkVL{H6;rwZ36(jPiTia&^%Rls6F;Rb~} zkBG<^y9(G;wN~@k^2Mn~T{9VnYj!tmK-3*7kbP;p<)Agswm<6l*LQQc1WH=Y<#k zlf*}OGDx~G)NVYe2Gv=1qH1tO^OwC0#UzJ8$*~VkX61$Y|Gb9=pyL(43+Oca7{JBnG z5}prtqVl-3!3D1mAf-RVL5~heI^QqKXJmrUm^9^!4%=73Q+QBh_>4+Y(#p`4=++cY zfmS0Dl@s9SOME_@<@4Dhb)K#ckMkM1%4c+na=PG$c(Zei$>8KahDSa;F{Ge$jea5x zua2R%eSg~0kCvn?&RL&XzGKUdom^=LFTR`jwSCv_d#A^%2L)uSF7*#(#HQBtpSKRL z9&Xg~h+Q%XwO zq$$%d)~2MUAtjN(lM(~2$`IlZ@t9==u?6LB>ORUfy*33tU1O{OL~i@cv(G!XnlO+? 
zjT#frhz|z)%qy;RalB{AckI}S3((lhbBQ0}wpH(K`4pJ86<;I@5#G*;=2_PNVlzg9bkGXA!het59iFtVua732%W#Td z7YEhv+qcg`b2XZ*K}vg*a(1-;Sc)gw?snE$X9)mNsL}Rc@)fVz=bwLxTrTVe@uonz zA&LtgN}V8hQH_WFL0>e}qamD7^G3}rX;`_aR%gZJ7W)JiC@}%f-#@g`z_8C3#ghlP z8mcUeTZ<$hRB7p&iSc>e=Eve!-~<9IOgP(n_U;SMF1}-Ia3h5{2|m7wXdspQ1h~V2 z#&2YzLMw0zR6+*`gnhcu=aYFzF$%v>401guk+wh$zf_;$pj!+mcK)#C0pY0_CY%qo zosm9sGCHUDynwjl$E38LmUHXZ1@EoMox3UzPAV^}-<~T28Z@{W;vPjL_h!L>47D1YT&AG-L>Lj`xu}W2BwFzmVF^HrMp0%+m88sn7!o zzNnJEGgWeue`g!N?RU;Q3y@5GRE8p}q-)o&y!sma!*QRWev@s#bmv`nLwoGLsGBoB zaI&i!kbB;7=Ut?X#?c6C6dOKt5j@n{6FGw#AwD6=75Jn+0s!Ga9>1M&E(gjYun+{x zz$wuou+YqyDVOxoUQa(v=QWqptWPsT%^s~h)5=S=UJFL8gqpEgKK@yzLwNAnLqp;U z*TJ$hFlnI);bap|$RSDB`G@hVV@9V0ge2J@fUoS9T@SdE_1O2__uXcO9y{C=k%p~Q z*aRy1u2RAg&UFA5Kn7F+Sb))|3lL${1&Cb&Qb60#SS8xv$37s;XK=(-gXU%xlvp3( z+6{eD_k2!xyw6DdH&T5j75hvs$;x-`zBq7|>Ymun21fYw zUh3073V#VniLmHm{b|N+J19#tnVwqJOyZw}z94djyQ4 zX3A(-bhV|rMIY)JX00kV7ixNGXTz1}h=YderHYOw-jkm(6pTW(K5tff;bei>P zW@zP*t{^20HY&SFIokQ-5T31Mmd_Xa^j&_(*cIP?`>i0>^xhwYGdmLUs>9ZJ^my;p$rz+BU|C*!)UvV8|mQw zEr~21WfU)xaG$~oSL_l&WSDpV~DRV`7w zQrxC$IuuU5icOrcO=$B zCSp4jIB^OE+PI9mpJXowr}$qiR$x%j@)hI|v))0sh5SG(a)=39vHx|UJ@XWT6}NJB z2~ms3fk$W*$)Ul`FTLz?oS=~SIKM17gbf?fhioGWD@JSNPTpQmJ=EtlE7QzPvpdZI zX=ui%S*4YKTKTGiDnLp}3Ry~K>Al3K*Mg(ISl0c^;I#arzQJjC%}H-NJ?F%6nT;?i zVNn97@E#u;bNS$}OUpM~89r@|2(|`}VO|H~a9Yv2r>93BJ$$8tDzs{#fE@ipl(>Za zGAc#=?H#0$wATWko?rX)`br(2Ed;0jHDvLUq@3;FP(#`CDYpLTue$#`zTN%m+_=Ug zVih3zB`f7O_@(cVxFdVw~gd~AK ztupp4G(&^OR=KYeZ1tK7DYc?i@l_Rt=NLu$Aq|ZqF#<;MITgkKs@BJr-fFCQSXE2h z)J-|VY#U^JOQ`QOWA9hSk5PtOia(YZOE!0P!G|C9a83M01#P^5pcdR>p)m*sBI7S% z?#SI47txzpPpa&d^`u(Y7DPN#6TSf$L4=Qw6VELtQZv0 zeDJcOq8h3;n7Y*T4>ALbO10vOffNcIEX)426vU2mF58}?j zf8h!;EKZ>$qtt6b>%mL5?cTTdyYJb?FrJpttroTPEYQ%iqvuP{pq^7b%QEkWpS}*@ z3B+ZvJlb7&q1DRl%AN?l@AJg~mJ((xDO3suf!1CR<7F8NHiV?oB`U=Ap7>cIYH?2v zcnI5gQ{$Aa;R;&`*##H*g{im35gjF@*u|99 zEWQe=Rw}5%YWB%|KLVNuqwm4#ue*KRP&rdJKK`EQk|r6)zB6%9Ri zdN%*$fQ7>+iO2}EVq@uA^hz(%_U$`}>QB0q>C_fCbr8ZH(%1U8_RZO9MHSJOm=>hF4siRxZuMlA1Y 
zY{KP_YKgukP7y*Cq+B{NJ~}?|Qnob1NBV*tuDzt73|T3Vn9LADg+#arLTqHO{+}}dJ8-OomBKjk|K2&9)sM31J7z$#~+1L^#>^{_tPw~c90@bVMIp3om1l!7{QqV z0-PC;T!^$KFNFAtBW;Np3tp`p7*x*K9`mBU`F59;)!R@&zSfQ){4b_$+kqGKD@(GJ zHc}x4D4D2wh5Uk?#aFy3@Vgs=ryrhyF_-v-P(j9a2fo(%T-V;}*IAZU(0qgm(*r_% z21S`5o}%nifF?kRpCN7f1Dazg8x*e2FgSjxM~}@qeNt|#FY_M#GA=MWgDq3-fTbm@ z|6gcDw^EwpU!!^BowaPQcH})$BiZoL9zU`i8P@z@WjPRm@72d{WfQixw}n z{^b1gTVW@H!V%KBhP1SppIGuZVns&9`1*}*cBXqqWsvU9JMSjm3ab+_StX?^qaeya zHme9DbPwswZ?wO2h;R+!aS*>?lm1J_m_N!g<%LkZh3vgGbJGY_A9z9zB4#Ro(>F`g z3twB1(qe2E|_h73 za3YBH42l}pqo{oI^)s`4MkXm>LZYE>{a5&WJlCghu!0GqsOSvh75_VIWs{NdX*v0> z_u-`VajtFGZu4FU^23%V9y>fnK{JLk1z3@l1}vTnFfl9)5t1E4go6iQ${BR0xGADA zBssUcWyW4Yg98;>5vqejAlcWIi^ZMQJhSBb-wInAYhAQSx-$)p-#G#l4y!1z zWlzGD;x(1CQDynV<&UiCrpw>IGgMVF#|MucB=^~K=Alfhy)#sqA@d&45ET>0zKHD> zkkqGdKWoHO)22;7`uG#JNoGFGQtqsFyg&Q^nGr8fHMi!?JzZ|vwYw0@Df>Ode2AH! zY~Hek^e@O|3l}Z9`s!<)-4jbI$p?wD;zI+Bu?0Hs)|=tr7F!`bNZnd;sd&o)K>ulb(z3a?~#yrskXa(G4AQV@51_VsU*<*z2 zfYO};PlN*#;U#souGZvDs-e%|t)l>YZ z1uR~K%*>LeukRNFTD5BBTv@mg#VvYFu)&ixcmbEnBVG*zjK^@ipQ+ zQ~)1ycF(BzkMZv;;sA_HN?J>tR0f|5>Ntg`% zkWrSpHfaC!l~f>o>z!^8IW{99FhLNsf}qu~5xzD7U;mH>em>XVaD(JvN5aCDoiJqd z2A5oVnbR?Y`(WgvGvt>BsxTScX2vz0 znt$BXlE#xuRL~Hf*sxZ3EP6JWEo@)1LkM6Y8sG%3Fe^<74!{CGu zwR6|*2geiP8?Hu!anK%#^a_+zN?1Ofmv4ZO7CY}SnH8Gg~|@Y5KEGDG-gsVmkghHUx+6y zxi45>C~R%LV=OQMj2b=0TAtpzoSkiCD_pj$xtmbej2tzZY#3Iy08YLC;m7b0RyTPI zMG47f6bX*eqZ_QUo!{=t&dFt)DmAl6!e;AUj>(%)@Rje=?Qp%geDb zxw=xg_J{4(Yj1R6x5IXe6fVd z3Z2lS?|^#}MGbK0d-~bV?K^aEwg2+-XP)g0C6l8`Gz0K1cUnEnXEo;$kouhn1v5mF znidjw^MvT*{8LTOJ#(wi&Y!J5tX>^#_{~ULgcnc=-5M4vQE-6*a9uD0H5Y03z^NW{ zkMFl^*pijIc30bmT=B>YHSnLT^FTv;&BS<9+{;wn>FD1OsQ}7P=AAG&v@xOzAO zfr$6xL!y*c}riM=Vb)UAF;*k`MZ1`IvZhkeH=uLr6ta&h|au zja#tdFw?31_5djCowXAk6N@UNW2a8mtV%EhYVx9&!&Pr}eu2`wZQe{SGN=fUrsoU` z7||Q0iie)$3wZQ9-MYg)a2{S68;@~{r(27aF!~!d zZX`)skDi}mH9&_$+zi(c5Gp`sf7SgzRXPN!e763IH%f*;a?L3hiz8Zbl{hji0e=lFBinT>duO=g#sSRRF>cHl}tL zdYVLS9fks*dRmp@#pw>WJ^aiOvd*wb^jy#03BMg`){qr2XLUaMId(xr;DT1ztwxR- 
zLw#P`Z4c-xb>GI0S9zXeR>raE0u3Qx%WEB>rf?gZBqf?3{>tuJZ?^UJ+f|Gb9w__} z{+zjH3i(%tV-tLM5wZjKn4(Ab@k$Vi9NkX?kQo4ci?bC&g`YgSC$ihj{8PCj$KN<%Q znuP)oRZHErpqM<)kc%}Z8`KnXM@{+KCEg_q& z-+cSz+~iLd#2q1$wLFFnpz#0;$kaDu)*O;*3R>}(^z0(kpo(XGVX-16g@6$RF_DFF zuR_6c;)(8FSilV_o5*5a%Z~J-i!MgT0vZBIlc!Ec{|^TsFYc$G^%iN4q}DtR3_<`D zKPv_eGA8qk-{^p=uep|OGfo%u6WI`x1Wbl$vAmz9iHn8GXN!x)B*h!Il5?qt;+D9d zmEEmntBRuQRa|gG7K;Po#kF2ca$qys_m-+bzSUU!go?<gmE-ZM)%!2FWu z>hi~=Q@c|*734tl#Fzj|KB*Y?v(G+zr0;0dZpbxA;$9uOwPPo?Lu_gAS06nl!1c0+ z9)1)Z9mZM7Hi_Yh6bC#GBNr(1z(Wt!LdmW-l#?u_ciw%EI}lPO8!F-~Sa%lEJd90& zCo4$FZuvkFN_ZWAH3QTvk%nfK_}h~NkTW2P*8$qRH9JP>CnaOKnT&#jgb$7lDqg#R zU%_fVpBqX-^-7Tt!w^mvW72M)kzBfdqt|UY@6{RCo|`9k&yUMEdUCN6Hqnj(j>>8l zt#FD1KnJP>tq`~vy^rTK>KA;{z~D#x7ssV#iJ?>c2_;-h{_44K!j??p{H4KLx9?DG zpsS|eh2E&RVipVHGXDsA`&DwDP}E^0T#s7=#oz&u1Y~^tNiX<6nQB;E9I0s;{1=ON z%G56j&IMLN%@R~`@dM zvf=zrChrOdwZMn`7x1JH@aV#6StKiajo`lSljZR|KZLs|3$qyQ`=DTW9|D54W>dWdUBRa|i6 zk?|jY6_Zm~B1SIl8!2eTUp)mh^t|XDg`T^pjQn=Kp~E6`OE+$*oZ(slOGqWDbYq8U zNsPv+L&MV6ZPi<#!$r8>_k|9L@XgH1X3IKud?5NjwxH-MSf`-XhadOAmW^*-m#%N~ zzk`PkCrgaiCbm_p)@Tlqbl9L0Jc7kp#3j9iVJ4Sdeg#RSS^fm?=j5tX?XrF4p`7F= z;0|Yyl5m+|Wl6_@Ds(unz1~INN*c}2K8I9q@GA**A)T`Oi<0m3=M0rojtr=9NV4}- z7h!zNDD7CuPD?Oa{nIFDPy^bA`GCI~#my@6TGvRNj=FVSXBFMH#mq{9=}={*_}cg> z&Ok})_%QVwHk6N_Fo`UA#NQ<*rHGUbT0vT~=TM&tX@wA{Tm)?#8z9abJW`iKu9Vog zz@xUcemAmJkbDVRN=`|K0#P}luEDPlD#hT19*?aTg1^4LmPXU2O+WbHW6=*Fnn}+I zGGduKUi7e>;6dr@w%#%+c5ZYMh%Y!*FOY(FnIG5!N_D(hG^5k3PcuU+htzBnM#`I( zmTw8oD*13hT)SaGruNVD2at$Y#2HLf2wcju!t}nzY^36w;`vJk*Y%sW2v>J9d@q2o z;fU+k#c2hnOf6KJJ?ue)BHH@}ElJvftAxTfo@$YaQ)flqiqR^u^g0b!}G z_q3k$>YMW|1_q}dJJIw!Q94EwH(>Q zCtz7IOV5#>HRh2CePCkvu>omU%*ve*oyBHMO?9nkm7be_>Ex6~s7!s6{y8di&Gy}} zVm<;`hlO^%Z^}dQtV1<{vmd5sH~=r8Emh0Y?YudJL=N~Yh zp94BZOwm@EbLnf-#lqjrV)3czV)49DMxhW(>h*$FMsY)=m2;%) zd&USO(H~J%*H(`z(E-E=fK$W^V4_m46qu;ydKLC%x{+$w%$#}VndBZ17&`&BA08P4 zPC+w}2lYCM;gw(tzH*S&97P{BK&^f|b@mv++&IW4xZ|7)fk&Tk!igXzh3RD>Xq-ai=cT+?;UW7U;UPS0`?tHVnw@vt 
zu&8mNNhIzDr(A7Pno|iv@fVO%&gVP#44J=z{lDgQn)_*lvci*aPAe}J=K(gH=lVug zsN~{{wosC4onvxj0Yx1;gX>)u8C{Tuew*ZhJKfX^qiB&nIaWA z0MY*8+JV%GhY7J=7^Dz9fhx{}V&XGDbR`zF8S%MnoMcGluXU)Mu%+in&zj6*bY|WO zbmu>v+haZ@6jagd0{`W7xE=*p1+&Ht)7!x!&^3JI%zuB`-wmlFS zpFae!=m1I&S@rxyNa^!MKifjKE^1r5%>@?_UB&W5ECPezC}H7|H@Ck92-h(^^WP#dQrHmC8XL&j&>4|OWGAsmDVf()Bx*PO8rEyG?CK%VaEeY0OWW=p# zUqRbV3{^5XLgnotF8Eu2l_6pC$BKUv7hHN*HD4{h9%ld}#rB+ruk{@PqmU@7OKK*h zeZp98CQiphwS#D13VfK+zQ2~Zny8?M`1nMUJjf#{%lmBS=ci1Y!48L-gR+?sYJqIj z%H6vUvOyjPtsZ>nVXH%_SEnJ!8*jQ9A07&VSS#S*)QA0x?UsaTuos2NBPQ@5#5at# zP&ip0!jWt^#jx|)uywm%%<6Ulu`kR^{ASlKSe#~engME%qM`Yu zW}cd(iWk9IV~C$hRYDVg5fjjH0aeHm7-I0dz!L+WOstUU#(++&$*5J+qS9dX!rpB> zU%omqqVkLf`m8PAd@tqchsR$ueCgN~iHOX#fRy|f*0<#;xt*pZ9utspvTtm5UZLkt zyz$G{`MlC~H%&|N!KGguD!{3#Rxu8hAQ_2?;zJK0U~ z2t_z%j$Cv_&^B)EiAl*wd?*L_?aWzoZ{W~~aUV7zc${*qn~ziXfhIRd8zRDVbiNL!$o$}~<@!Bmjz%E0)vf*R%_ zcWm+iCXFeS>XRe2aP8S6!tV3?IxVjldxt(>XQOb<`ko8oPVi3|yg1f+v3`Vm!wtNU z?D~gf95V?eWUg{eSN1ZB{Dz&;Z&8=2%fmDBOUgHojYvOXEJ=N-K5Tj+@^@r{f~wfn z;%%Zw)fKSxq=>V@&*Pav7r*c!rnDxY5a*3%%B4i zcn5|x9uzSmJcCTQqDB@16JitEJLDu?`we+0eE?FCj9Bv2MywO9Zt2ir`V5t$4_Qf) zrITq8w<}#62ww5n6HiSy^Z0>N1i6Ubk0rq4YVVK!Ult6u^+AK}nU^#pLUluj+3~_* z*kH32)W5CKfH&e|QE9ZIP{?q_KQZ*fODRQBTIIW5jPH6IqoD54X5E2?1|wkPp8A`L zqPo6XL?w+CLaS2!5k*BpS}{?PI6cm_5EaDFlEEp|nhHtAmY@d640%WV^w`zZm|0}= zUw$D=67H#xB1nfW&TCRyv}hrYJ#4Pf^HSr;jWz|Tf5V;fH*9(P>qMpS0o_I>Q1${PJd4zZP>g`^Lyb@xo~&Hd z>cw}Ke}aM`a0J+D*+=*Bvc!c z+#tyc9Jcnh?b~g~^kq>W%?V$(VWaJQeZG?ADKI4Asleqh7Tfi<=i0v7P;6B}S(}Nb z{5Uw0z^F5Zhu`2II&48C{7{51q)1-*tvNAAjm@moiy~?ICO7s^8xvg}+oi`=54fHJ z8hT#5V5@L#`T717BEd4aN?Gn84@`0s3$L4+yf~wD!`2<22BjX08>GrHWlB{@zWr7- z84|HHt&pvbsFA$@tNtwgkgNi_!3Gk0)9ktPJ9O;mwca^@?RD2poHUiy%_fsVy|PG& z%zf_p7sU0VNt0urdG$1)@*5r*b=hT?+eVTkU<1q|Q+QCw{IVvUB!v0` z-43LS@YVJ0cTVvjn5IpeQVPVRmI%zUcGIi)d3VP4#5P{fRo*!qK%Rff`xR6D$#<)2vTO@~_r`mWCwoiZ?J)UtTt z%-MydlN0h^U6|T>Tw-GojSirj3dlUgFMfVhl8xKjut2`r;KTM6S%xDyJ&Vbb_QCzl z%*_W=_^s{!wy&-|Mi&i}$^z+Q@1Ql|n 
zjvS14jmD&X8k~XgP7kRbWEvW*5Sjf(nSlvu=_-a|!-jI!h?A_j1A80Lihy4{&v9t?vRiSUB$IfnB2uA|Mza^Q zG9F?kE1=lIxCxKohR&x*S6Q1ZQW!oWJS+mHK?B<6B>(00L)W_<+({n6M_7cg3;xn) zKEh03Ecee^r35RA@S<@dLZ^R7^P$TZCT58+#oy%I{A(t~A3Xt+1n${+O7+tF^*R!DKMbDI;I}KO} z{HG5NHlwq}+Ys3eqZn04qLs9Ty9+1=c!6Td>q7+^TrhYM5sqk&ooFSrCv+&34_O`@ zNgv#=Sn>$GgyMcVbG8>+-PHaT6#i6*6Y~MyJ}eXT9=N{Go4f6f{%1I;AgU%vnE+J-q+ls97QgT`#rBm}jp`d=W^$foXABJTTOOZM zvZ338Rmb{^OGAdb24}nh;YSY+AFwRx_aKyJs>n_3J#aQdzoZOOW^Rfbe3z^)F0Hmb zX^w3+wrts&n3mOjLE?=wGMf6YdU;mNn)Nl*Zmwvev8MJ0(|T}6?YEWxb?q1@0VS*w zflDKjGO{5{zFHxSwoP)Bky)0U-F$+Xt}q}=K~+#XC?Bk1H%3_JSZurpc1DnAZ6p;)M+g!UAs6nf7sI4*yMCq z6!3zNg9D?3{*_lZIIp{Hw$)cH{Yk_2)>h2IXf-Q3^|Wz#o8$sj-4>@Jg;~+6cEHke zq-Rafqs(kl(fV^oMOG%ZQfOsX7(tj4w@mgG&PgVDHKW*l@l2&kJH0%*`tpJ1+3r>#n!@W_WQhuY{rQwPNUdV!AexL{YYU^>JKbPyh z`s3`p?d`1ZZXFZaAXon-2~BWx@y~ets|-46Gi>Pr*E<9~DS8*7XHCze%q&ae`8f%S z1_*P**M)d4bbvTo5Fd?65o*Dk0(pw4WR3x$c)dzKK^tH}XM)m&7}N^pefb1rb+h;;|VkZrKn zXT8}%yFJL|+;!LAAYR92-Y11qkPYDOe1yxH|87^II|A=~l152aRLGGT4GsCB4y_kqYdE#(lS%CaXGEXO*P1FeNwzSNV3|_xI1k60u4h zsC0ajRlq5sra%?E2&RNd0(lA}1uUyi(9r`z7AIs1H`B~bvpdZIHA~b?QnO7BQo>gW zM)R3ef>Zj@14BQV8$nqsD?_$2Y8wxCGI=K))DA0F06HA)TAuFgDrcN;WPN4pQ0O7T zRsPA@iAcl>sy1$_lt#bVsR!9AXX&}nv!mxr&!C=DrdZ`691*Kjd|0EfAreObk&xY; zgCGK=Z?-g)XrVyK@Pt!GC-zv8m9?f^K@}f|cqMemU-^izFXVc}(255U00ji#8HFxI zl7-rqJh?17Klj3{Dfg9`T~50pLp^q(aup5+!d;L1g>9bbibT2i!H8=W#PX; z)&f`XA~OIQAwUpw17(60PHo;|Eo)Ub8~G())wCjMDhZeHU8klMYQXg`n`*$S6c)ud z>?iMfZoQJ~=okN+G>qbND~d0xE<;~-kC{8YtFgJK5>%;0h0u!V`cs1Oo4aX=If9eS z`)UEH_N@Be(@#I+#g|?|L3iSbcDHj#0&u~L25^asPXvru$dHh8x>+n}Jh&hsF?r(T zX{Zpr=7o5N-hKKBEwSmk>8AE{=D~*^;S8=9pcVLq#=!ZABXC9*JAZi{r^XNdAUj*p z%xIi~qfn&ygB7`re9f}9Fd_siDx_0a;^WyW-w~mvl9Gl zf*P=wQUk7|wEaDm#+MQ@*s28z4w!z0?$%( zSv&%@40vI?|Ka;8ASJs~!71Sb!V?6coWhiL@WX3sSajYoqY|rZ5X6?IDd!3fSP*R@ zaA})$qmJqqyfijhSefQ*2ZK;mMkqLKe0mPnmTN~Y%_~`}nXr{PTluz)t2>#$D`eD; zK3KgE?NR&VTzlwz5!;(u2Z6R89~rUq?A4#lkKVAMTuWQkR;?=708!rO0&?2G?Bx$zu5pCPH^&hKPnK&DBXGn-#RtNLq|J$t+E=iRT 
zVt+{fLmZGQZBMb_suUKe0WrrEobBw%-}a1Aa`JCQtt*OdsD>()llCQJ6W-~cDG`-2 z^dzQG-s$;9g^O>wo-DRzEM6oR^vvJ_`eZUl;7Ja6VJF2bg(8l!GFE9_hMin|4?pra z;yfvB(cM8}xRAL9fP+>@UdgFxxcpJa$_uTWv&oemI&@@H#3Rr*LTPw_9GMlTS9dMK zR1HZAwT$@zs?da_6|Z}Dc}`PI^GHtslN>N2w#uI^R&L3#BZMh(M^F^0$2@%0iLp8) zAO$ZKzB(^9Br=UZ0U}-MOyy8LC#j*ZqS^oQg{jc?x313MV}TbxBDId+9%L@V_pygAp}V$?U{- zx>Kh+oSy1!+Fal_W-K>{mF4E;!#zMM7}P;B5S7BB*!V6;sR5~=w1d+2y^T%p8S7p) z@VM3it;IL(CpTb$T^Xfc`R~>s1${-4MfIn={+_M$`jhg$1X&}l{utw>`eVxQbRw4* z79~=uvh>)ukOBfR9Gqf)SDEEq5a&smwPO7CZ8No6Db2`N(NnyQ`^D1uJ% zjUBTjN}%d@3RA*SVXgCHQbsR|fInLpZ)Fe@r>un^O^~5YaZZx!5ssYQ1R_I;5BrE`H;*@jTWSPDe#IPW&*{Fh@5-btnh&1W=X4F}$nwy_=(n%kF)I*4wfI<3mxS>kcGJj=h z3qr|~*El60Rf$j*VTy9^(RpPzOo(m_J0gG-wxbSoIA*H7k!Fcr_R_dmP#B$EG-@9? zz_Q`7NBbuA`Z@;Br`iot+P<$@rDmQqgrf?NEh;XiVU-s&JlS})m6CJ`#52!!*5`HO%(I%~m&MJ&DQ<#F5wg^2 zZ=Em8dgKhj327&7~K*Q>k%RY5BfGW^}u zfX4dMek-8Nhc)2$0b~6OW?~A{>ra*UMfDeC{95dlJDqfSZ*=L36Al{>vi7n0!TA%5 zmE?(qX5;`D*x>*%7=o3|m7EG)k!7oGyLOr?qyh07pz&j81r6vK zhXTPbC;`tj2pG4G+GQ*L_mx*)7h@{{hCTV<{^&mEjD)YpNqgTB?FP>#3 z#tv=!(0s3w6Iu*X!Ywub)Eu=wAZ2COHfCN=c&Y`MG!-4fMlFw%|8fJb8uFLzHLW9H z1uT%uidjy;Vt8fD>qIN2Y*l{gBXd$4Pbwlsty1VQ?}A4-RGZ<)%twmH*XwV*iKzl4 zf`hS}weceA{~~P(2uejEC=g!6i#yo`%ne5-m=Y`zUuBFSG=MgzYN+zJze(P8iUp$v zB!vaufCL4T!s11)YSzt5HJw^h>L~{>VnP=4s`fPQb5H{f#kp zq54~>0)F?qBzt7Om^hM|ATomm#~pt>)#pj!IKtNt7=m(;jELjFbj4*Xf7UD^_z(}) zQocfXpbVa$x=M(3@S&pjKl}(H!Pi3WfKuN|AuJHSf`A0A^Q^n>zQ_7=Yn$%9^KLg> z6S*5{TPinQ-|RfBOHAVwozyrbTT}jOsL~ogF;0>G%{Mf;*`(aY6qvv{9K9bqUR9ni zS+O0Q(h;55C&QQ68>0rqGZ`0Um=!5xu|A*z;>s!!tg&B8$ADl4--c6qyRJ9znn^lw zO0!lgztw^R4J(Vbac>7m*##(9yr9GNKVSuQ9`(PQYk%A@ix;VeE!$gL2gEv1dI0s1 z($M<>J@R@k^z7*QBI8GgDe;X6aGOw|L~OPzfDV*^M~y0#h4eI2m1zc^FkPw46$Dtt zn0N%Kgwr^wU(h*y=iT8S^wi|gz6)25UKW>_m6ugiwq@7e?YsBw-22_$?}?ZFQA3p$ zuWXt?HeFCPw9Q9I-O0KS?HQg!5ScIy%0Qvv6WP`#rKD0j6;?pH0A`$7!^;aD z4zZROUvi0aE6XN%wEtMtEU<;%eO*drfn1;W?kg8yZh*|VEjZ=m8;lY=Kp+y!0zJWG z*7^AtxGm}aV-)HEaPX zmbO;#S88PVDVQl3)mW+)^TEVVoniDNpn2S12tC^KB?KJRgBUMR&!k|E4FfJ 
zEB7|r)xhM00A|5?)CoFVux9P=I_i9cvsZG)`3epQs{}9Wn9$b4r3a9P9@Ton7Bdo> zmUsEMmCC?`W>2~Kg{#>|l?OKU3np*LKl(0e)_;kTtd(ZZjA-CWvj8yxR>KyrEGjD5 zu%R4nn55g1?HBQk$j6xF#8DRTZ60~gKprOQbVfGR}CO?lh%P-r|4$p4#G3a%(R&nUXGTBIT!{krFj@^_4_y;XiH!qb%MkAUA2 z*Aa%QS0$$qJ?He6(TKx;K?CewZtZy6n{T}{CSV*ILUukFuu{^}MMDT$Wn^V@e%Odn z?b~Ind8}r< zG&E1H2~r1!P+r*aJ0a;nf9}-{Cvw$=S?rL>Jipsu4h5di)<%?5;HFu%lsxD zH8|pw{!5z;SaPl3^7|)*yfQ21vqkZPmM4E1pSv)%@T;WNr;SDr9H;gzO3F4%VGfTy z$}c&ypjbk}fht!3(?Bf0v@(%OL6v-}0m}>%7V%270kY{*SarnnvBU5gqU_u}{I#Y` zQ=zzU29z^o0VOVm^^WTl?fG9X95QSK)#{Hs?sywdXw|9}_{9%7(AZE)xQ!!yld>1Q zR%tJwE;(77AOkjg;4&cy#>o^M@?uINCSiDBpy}BRQ}}#h4l% zvqn7n9|D0<`=IAhb}JLD06U~A&`RqM{WDGj-#Wh2*M8~^r$Ij>HnGS&n)DQrB6+~~}Rp$&_ zfk!CHD~|dAmX~-X+JHI%>(DGGkGrsb88_3VDu~rh_=(e5!pRCa!@l?0Yp)~7MR-C? zY(hv_1U3uX#n=llV97PrE@3;qVQKSdL{jEAGb@)UU^F>w!fijde#OrjLl{~k{M(@- z#-5wFyw-2O8b2qQ1+ByzaDbT`u&c_yT2`$FG>ZOdl>EJdf{ii)sahE&H&*FFZ&l9x zWcJw9U1jHtlg4sp-m0^1X>zWQ2pkC2?10;L%C z0v|Yh@)X0u2b{7(RV_+CBr1(lvZ3X#Xk%<;JBa^UyLKHw7MWc*GAzBx7_>TSgRT6& zfGQM#AI@ytd&xQe39TlkH5;2ut=pp!tduKqo=PyQs)yvV$8O;tKQvoz`iDH|uZv3fUn@i5RJIHm2+Xxp7=GAlbOVSjpG!VON zm+|$HM<1`U7gQF!gKscAB)G`WF9f{&1IE4ndY6kXy2QzIYJupktY^p@FY zEEyk{k@)Wp`(5M)L=D(isR7r&S|jOt$xZtUS{pe{ZBO|Nf5k$lyeV{`8G%$d z^W)M_4kgNbeCu!Q{!*#_eolAI^#@I_2noCV@+%I>5aDBU-gzxaF7fK?UC=hmW`5B9izH>^+XsPAbz%+c{r4YrKE(sPY9N>G?X2&9WB|(* zt$?cHwd=2(p00`l168;PDtl$>jPL~PEKan7v|N>ekRl(eCJ?}4;p1{)b+mx6A#eSG z@{bH!vE0~m5{SW6VyNoW>5kfY5eboe{l>5jh9TgahZ<*PT>Qh2Jm$n2>;;lKi3lwA zz%s4S1GaLu)9j*2K#Hc(`9rS`pdPBMjUpe@n?j3J9aK_Z$)SYm4?y2N+1NMV_#xai;1>#k z^Ha?bY5H&s1vbz}9(|0wOc*`idZ!!uUfYBCdgopDAXYQ`WbuMlA*bY&RMIRz^4JsN z#d_X(=Sk{ga0>Gl7r;GOcn1bQ^}ZU~(;#KVDbbS%PO-q%VScnQ1uLjONC}@Q+qCtT zIp%H|GXz>b94(0M>=Sgq|6UtaAm6S}+Lx@ZmUWc_RPi?4$$2Ji*I4EPA-C_^xqZkFy^6I)yB)yp_qV z#4L+GaQLzWB~zpRHO*DW`6lEP6vNm-D;r>mJ`l8W1uP*>y`fsSY3s;^5xe$%FT|{s zfqF{@W@)ryMY!|idM~T`TuA@1bRz^cZ{FOM9lRuKzpR5zz~TjRL^O$N;>uYiCl(;@aFcn;I`pfqOo=BHXnTWF~XE`^)dCpgdw9F z1Vh`lZAao12m`l6JOg1G$Wv?*ov(99&S;!sZCY_kgsB=hWkS{O!72C*9{aBbtDyH8-{*6z!TIRR==3 
zf<=8$2@jbAI_h&zu5s%k~m12k|0%u>{~XLiyvGKnL0`mR%~s>)svj>ZOGh`IB> zdhh)YZ|ijXX{VolK)lO#F+A{|d+$@apx_XaBtQ%Zt?ta{KU<9NgB1tH`+7TJR`^$t zZ3+L12dg=D@ii4i=NNIehy2yP8bxQBxhZa`dT|1&@TTZ$Y?8`}{$?Q60^{ctqr$~U z4hk$SU4y`K&9&FrgdNwB;u;dh;zxnqv;HEp?N(ktr1&ph=nx^I6Pjm;kg_$P6?xZX zYm{L+U_cn?I1ba2;kJCVNF_^EmaTx4>^!wd^*eD2sDk4Rj>tV~QnB)8$9)2*`XadF zsKu!6EA8y{z$wiD4+y6;v(+5f%9d$cK&m!`a>79^IC4OEbZ{5f@^oicZLn2S&a#d` zjc6}DVtNcMXoal$y8x?(Y*poMF(N3w(fC}`T$TRl?4)f3-tXF7J6hE#TLD`y&xvbH z)vfudTXyc&XeHVMjaDX79U-)0^|7X)JsgW4ee4Mv>)hpcXC8tq&XIdaP+E54kz9Idp>s z$e_8PRmFdepEHc_2(!Y!BEZ;6m{m`+_TrNUL9bQbfE5T<1uh{%US0ivcizbJF_brj z4y5W}ta;E_|BCXa*ec!>fhyTAmA|m@xqYBN0tC?Fk`@W$BjE`Q0!fWtd!q}p@abp0 z+gOo`G@ z^ftn0U^vUt3XYpvq68}yR~6c1z=|nhi3+Dokg{p~M3~Zha#u-8Z|OD9)QnWKR?Tc_ zu-4?TU=v)r8lJ5D+{W#lxZs5^zJiV%A~QW2;A7kH4Og z+J!8cT$_X?WRSaNQ|k#yN(VS5z1OldByP-D5YO)ftWlAf*hw1&=69YQzx7*%R!+dO z$yQpt;(Xbr?f5nwg0)xk7OZg=KADluchq6Tf*?7U*v%r*Oqx8^ne+D2OE1Sh1rHe? zIJxf^190DR%3PZ5kXZY?mgf`i`P4Jdy80^XD{YN)TC{*kazHSUfu~?anAMLVDwmzA zy@-DWN!Pm@8^ph&s+v_v``?ON{)MYq;hY#SOMYctdyE`eQ3UEoZ|k1QyQwA zIK{>fKh;qYS#zV4#Xfb=I0dUIELn5L85SbUKmByAW&nLy-=e@rmD7aOt);4^xeuatMcH8amfABG3p2Qkk|I5}U zZM!vg2E7nl^bx*(!Y740;l1qn%D$*C?|3xdRPgdi;~^z-D?&q6S^>ksHF#DEVWcP4~E_yBT5 zZHXdX->}{%!6^+@PMoR%Ri+;Wma_42xhIWYwJLM9DF1;fn@2k87pteAt2_lx!EInW zHwCU#X_t_y21UF-Cu+-wOfDSjZIpSSqRM>60|B?vra)34)B2mjV2dAJ|}tS-hCRapnMLk2?U{79fWiB zT$s>oLVDxTseKkFaHiht>;Nvr-3xlgAl3ElcaOGIT15FXZTd{O&7>*QF1_?J8&^5= zOts6UJ|hacT2y(|2YKe%=a9KzSp<{TVyUOx)!-q+ar59{(=Lze{M?JP=gg-MaHsT) z$^=btQP0;SH{g$P#@_j=nynJ7`m1VI>tC-;so8pXu?UZO$SD7#O= zG%?X6NCdbgE$#QqT)ipSwCvioo194a!@#l#(}tJU3WXZ&6&z~x^-v9aWM^#jOGCEm_ej(@^QV{_3fK(z8Re!s>NC;$2lV;GZ{W| z6i`KEmT*^3GWgy9VFf9{sao`YfIEThE3%4Pk6+bfNF-k3HhD@61oZ?d!6|so7mMRX zsycp9NLX?v+{uPe|Hs{VfJbp8ec!(Hp3m={eXs4a@9eX2IOhbIoPz)f5Qt>JV1mIU z119I3bIv*E97T{oB$1;;js}x+HWu^!dQ01C&CIS=0iXTp>1UZ8c4ue0yXs&6s_JS+ zNA#EpQrbRuMJUmhuJDwYM#Ve&v`#h^wM~cHl)M9&?2zOiefA%SO{?bThkSsV9m32< zvpu!$5Zy%q!j>KaUznvw&^77823V&~oyj+P-G4?!vjMTW{EAtWGJ3_-CF1puE(=tF 
zK~`)HKS0&o@{`w}ICnu=WLU8eA4--5fW`YGKb-F#zU#F?BzWv2Ta_;!Kb`j8KP}Ld zi=v;=B(hoxYq?RAreYXl5@*Yn-KjVHpP>feyYIdKP0epvJHvGVJAlvESN`&sXY=PT zFnFlS^h2Qmni%aYC6-dU9CL=^@S>gQ#v~wH@+(-}N*P0@IGg#K{0ju%aT3%v zp$fZ^KY^-5WXhZD2To0o+V$G-Er|A8oo53~CZ9?fPN8t zDp6KWkV3O*Etg!JGH6twAZ4m?j#Ge8$$}&_fUg$#b$o%B8*(LrE%RYb%+i3xfyOK+ z&(d^Nlo+qR080i=kE0*7Vj5t&Fe~P+-4rx>jYw;X(Mk#i${Jy2Z{ER66jb4SCb4Je zo~K6~2%8>#;%Fq2 zsfLdnO~xIIG;#RMoIRIJ^*nju1&FS zEwX-cv3bzUM~|JT`E6}#Q`D|gPuzX%q$%(O!y@+#SzwYdRb=w8*nvS|dk)5kN)+#Z z;8OC4C{>rPJs`!Dl3=MF0xP1rYxf=sJkIpQ9~otS4!Xo%^K41OWOJoj#JpsZP&J+F zAn7D9*rsusyzMw`S=TvhZr!;nWXc37!71^Cs8>%V3VeNwx9=@MSiq zpO7hD=`qveM;--96uA4ubbS|p{l zqI5p5T5|@1P^M-!HFjcbN}x_oIBsQ==edO<%#+f$RO)ZrcxdnVrC~?jH?X z8nZY^61Mc{cu7{GL_rzZBwd26*$|hYOq(PDOXeZ3%t;!PQw%Cz1+AJ*U;R`sPhHA> zn^d()*7prRP5%5dv#EhVp7ydVMne0TPd#lde?ck@7+g5@P|rC z6M1yK2pvM1HNhA3&#E;M)QboZr%*3wxi2eJlvSB>5sYURc={=bLGXf%LHTe*WRzBA z3?H+UEr*DehA*9p*&`G&?mQAOp#d8;?X#bl2A|A<(5 zHc$MIbufqb0rM)KCjhN?`cSngW~A*veaPzXRYB5=x&TBi`C^<0rvq*^PxE zz&B|79#at_MjZ)6m8n9)1GB}sSq${5e1(cqcby=YSRFE^3^z!}E@`a4!%Bfr!|8hT z?88Dl$}ti1(lwp%Huvc}fO&$~QJj#nrJC)QQva5R+I{N$8-v%q*K}^!RBq zB{*e*l*TFPa9(|Zl&M{{%GFAk1FfHZAr!jZrtNKr;0ri7pE5{F?zdcTz;=_owLOIc zv*Ov7?hrZ9eWiO(cWEloieWVY%M4)2tPpx73=6;t5UrSm8mdgRlBqj&H6?H(Re5BJ z;!+KR#eID?K0SD6*-7jAt=W@t#ClaIgWCQyiV#vzrSpnEbY0PI;iiWVf5OHSsCsf} zg=2?a1u{qrC;O}3cMY5sYn|MIs@f#})v8k$S0Ty-e;sNE6*p|es3IXDzOF#fs#s_V zslr5=CQ5Mg(})rS0sSO=M*oX^F;Z8qUQ3!x+4R)?y()2?`W3QGF#Cg?tnJw!BwxHT zR~s+B|NqVYAaOCT$Hjh@P(l4jsG?M?EThcS`QFy$5h^kA_Dbt#mmO75!pLLgDpgIh zgzWUt5+yM=(z!Qq+&CgWh+)Oi@>a5!$-l$pm?NGv})aslYE^}8lPuM@VmAFPyJgYi@!Vf z?y=(`0{ExytKR7!{>_B&JqM3rN!k`q0b%0z`^T_o*%MrCci1(2?8;3xoD##8S2Tl} zkuFdrF$D>Tn|w-)HCPMO=1Li+H+!^q=~89D`*0fM4Jg)l}F5pwsenB)=X$iD06u z`Fo;h#l_))r~*cf(x9a6*>sNWEemH#l`7l4M=t>>lnHu<-F{(1ox65_+hd~Jz9Mg5 zeCZ`p0VS)MugIQy{4Sml^r2`B9+_x0e}wTkBZ`QVpqPH^PdmlkRe5d@E4E@sSChDY zio$>pt1vHA<+NB49GlMd4u4xGEoxK5K&iZIeyP*TZpc7036N~#b!kw1g8F@zO@0}4 z+eXjVfhwUwC}-CWXE-PthD@QdmM&Y#S1>}HSK~~r+I9IMDxW~6fF~3$ zL0ZNXuY 
zW#W`L{lxF*1Szay6pm<~t=o5P+qFj!idU0NnIPpwD4@#4zL?JlJC9ds}?QpbU`Ad|t&RC_^bD zt4$G;UIAN9h7}-S$?`p3O|)X73ScpT&t1Cu@19Fl@kutJ#sfye1-2)F4%H=pP#f@t8a{wkyKR@EtsS zM9dXzc*c(W3d#YaSZv>le>BkT!4c~w`-4yzaIp1bS5+AB6omoHB_yt++tKj*?e*bZ z@BCMLl5&3*n^MJo;dT8{K|Rzu!J6NOic($Zr@&eg)PKI|9CvI3ARt$++_neAqbn61 zDW!$@AR`Qi^XvKyq=OC77)_EWX3Uz?;QPkp_}Q+>!eL5v^&c=8U!UZ?6MtmfxiU_3 z!ju~}ZIP<8BDM@SOQ_f|i@=ty1c-3?zY~2+fgfm`;>ye@M4-{kNEIo@r^mh<7>%7* zr0c%0$=s-wJ7bV%pla#Xy>AU;m&5I<@;SC8pw?l@i(MA(IdP6B5|Kytoj7Is{Sx7n zXL+w!#iDR{MHiuwY#@~ak6)58DJMvI5lZxMJWiRq+SK7T4evlG7kEk%m9S@0){?xk z59CS&Tec@MAJ*&y1F+~K)mJ9U>t6LuvI0S?_(~Th!}3qBWES!2#~CPSCG-kAO1PCq zs|#1I<{7z0ZJoxJj_h|&$rQMif~rWh;Uno5@T|U@6;83YTDyhJ`~yc%;Ge-;E`LI- z5GWC@z=bjJPjYcY1G2-WLN>H|@uip8^|f)6W`Z^3UEt`Gh!S=J^J@HrNq)BW0KZuL zD_h`^Z;a(E8i_8YYPzX^cseTn($9eAhK)*7frfl>idq4>oQ)*Vhs03CGA9t|j#fY4 zvF=2864ys5jjdJ$fA86Nv4o`y1IA{49Q&Ge=r>##(2D)1@?>gC#SX|vS@X+&^sMa zazDWQ;pX{6zC_S|ym-lzf4f(4E4GYBX4@_NeaFQw^jJ}R*pg98BHkFj`6(jK*p{Fb zF=fv_tsnGRa`4oT+Lz)Br^M-(D38KXgF>8s!l%S|7T5|Lr~H#Ctvt0lHFd0kQ+ALt zl{UwwO81XYeh?&Okd&-%`TBJ?*a`@U4|TZjqMNamjA^+K$i-0ITht7XTo#QLK6q?-JQ045ps7-)s@MwSK0)qcrSt!At3 zY1%LDI5V6?BcMv76{5tSh!yh1Uvi}~$ zmZ2IOoi7qWG20HEy0DA;n&Q{dKPV;)^d*vH-s#tFB0O_N29kvo{2z$tq^L#r|k?&chQ*OJA9!oM0rb zpMhAh@#0q&J7ReAE7U@ynBQutB~?LPQL4-dkCU(;y;M*iZLxVGwR|7DXm|)aYo@Yh zbzh7?T@hTn`0Lm_nqfu?U=z$edp{?B&ovo7CIjVLraot0bs3* z+CUzAvt})@WZ0yvSD*eQ1g?o##|%Vf@knz)ls_VdpU`EL6aRX0-+5$6;gpgqFHT8b zdgo=^eouil7!zQ`hK6j*+j5p_2rss!Y7uJl1+a{Rw)3BAyRh)6HK%^Oz}?#TlvuE$ zA4FFq;!|!5drgoM6WR|*X|*O=PDIkiq(npdK`1})gj&`J)(l&rt1$qd4VU`S^3?;8JxK6-=WNCk( zHfChnXuxvPE17sEVA<%^sdGOr*>)ggY{VboO%Nz1wxAXH6*QnqqEu}bD3EG8^{Hml z-|4a7=-CSr%r(&p#g0rpQMBUXDF1CccJ=PtKYjWPb?erb`s$zzZRoI(yd{|&e;>Wd z(6GQ$FWS}Eqz_mT!#=G81`XxAgdQT-N69GA)dZkT-NJLxZ%nyKQ>GEuc=gp+^+jw4 zI1)>hE<0-UH~@=6aNGu?;~vJk6KP$aWnCGqh?PoQXGi-Qo`{v+(LO5?E9<1~7k(RW zt;4Uxsa+#=;-7a@s73cma!haIcV*K<8+X=EPU>d%961IJ9tK*0 z9ndR=jEb0Ghx2OY8Kx+?7K}2kMOJB10zE^-E7PE4Q@K+2}}ozUP5Pyzv?6o1Cok2-J9cK?YnD*>>0eBB$m 
zf85Y2-YcjbgSzK!fQ2dOX@U3y)#x(^Xij>?gwfoJx#UW(T+xcTiobB$y6vIUcRWv^ z7T0&rbt(f8w4z!vb{emQsIbcLBp?V)raaYn60-2Sw(}dz*+>#QtV*Mm7<=NNFwrV) zg;%b|uh0)`Bi0K%Vf`*!5zaAH2-2l{Gptl;&}#A0{ ziF)7^+PZxQt7{M|JUN)?=AHAPr%s<{J3q>zvipNmvuPD72N>#~ef~M?aqtap+Psx( z{&?PvTm5vwTXB7;b-st%(O$N)I$R{4iJ<2dv3l8d{olk}<-Lr}WKb%~D1D;}beyA% z5>YD3D6!_33hFL-2xM9=TfP#a>i|!ob6`ZH}Gu7zhB-m_pby zgfCeVMJl`VhZto5(YEFeJ4AM$nKfsga4S6E&YwvA8I4n*l?hd18IsV`eyL}h-Ts@O z8n{)_E4UT=Mm3$H>`8$ta0-8jIysFkdRxxhfXF-jet!5AE*dd?HBO;n&^8*RG)~c( zqM&@?6e1u{<;5wb{j}-+1VAbQp-}0jlD9#CD^etZJ3DvpOilAk#9Z&kcF*SHaBN^! z0$^#h;=nIpC6`_)z|vNS7$Ht>C4ePprFpkZ8_lf*s(59N#XAE%J6<`_YRlf3&~Xv} zGb%=fXmRfKiBbV6Rsn-eFezp}DHgZ^dv8#)o%j^yS?87Ne2<7sBO;HVJ1^@EK`TwH zByNRd@rQ_s2P5@j>%0O<3ruxFQR_Es#s!3VTsSyb7D=H@*cuP-Q1Q?b&-~>tP8B3) zP=g&ica!y`RO&`p=zn@1ah5yRKg#p*pV-p4fVjA?3p&rU$P|_bk`k2X%Fg9K78Td; zZCAwV@>uIaf2G4&5sW^kINqT=@k%~66FT2{@n88FYafY!?cj zJa~hmPDrj0C}gw6ESw$+sz~2Os9{*RLD)^c{lZ4G*PT6o!A$mpQh`&hPCpZ*1gFxD zOeKJnw%)~_*Ul&#jna%jt6WnL8yqSDo=jzK>Uk#+*ip$h2I2Nk+vXGR+_21c=jKCk zte@9_EqcR_T)G2wm-=!ECdIHA#01Q811yzp5jedPi^v98XU_e&Y{$WGW^DZ1kZn(m zI;fThVtuh%3hy7mDHW4qMb(Cshycg9oNmA{mLzHpPOL!1gBTU3-D_ zbpknHxhN^nYze{KU_f0e1mgZuJKB4;vO3=@zSPoDYS?;-l`6ILo^|-QgjUv$zdzpp zy0O_uZtF-1>qJeJI)a~*GD=V?0Q$~G1=fx~@*gHnn)2$a$#`Un;Zth3TlZcd2oxK+ z#?pfwQ>K-v;`oL56QBTyhCuD!yAPjU|A9mD6-Z*^=^{mfS6KIpNUf@R6z^}E?NIHGK;8UVG^05DjH}7u>z|4Y*dD2lc~xRf&;MgidP0il%2eO z(WYGhH1?Q@Q=k>5taIg*jZ6uj(nhk_%m$fK9zUAc*wQ&pCZ)+#QaI%^WkTbWp^D={ zN^5L6(E8k_=k4$WG&m3{KvcpC4WtEfHRnCVpGk~d=CkMrlmq?vu7IWc&B?O@1T0~} zjG(6}sL~9}4Xxr`!5Xk+<_NbkoqCVox5Yfl3_e6{Qj_u+6$hC_w@kCKBSPCu3dGll4O`WX(&L)h+@^D%1f*cW_x_#-{^n+ z6u%hO`Vn0rxR3!c#ujHvr+sZoMQ|0Hg=9ehd&sP(5h35@qhcY0g%9KsnGv>=* zkkXE%Oi*P4%aA^&>=LulHnQgL!kQ5xromc|OSx#V;=X?RgAYEGz$jT6BAZD%8_gdI z7AMiBZWFMEs)<%sn;D|HWPJ$BtqKc$trBK7N3(W#d^k z%+fqp21^DmF<=EmuYCCfwKGtMt}rhT9XVQW^2%q1veccuJ2$DBjOhh$VqFG~KH!P0 z2_Q)lCmKzBs?!RU{s+TC1UT7j8c9U)IYm--34j~CEAz0m=Pq8>XeG`-9k)W<_(SeQ z00R-#2^5Tm@h1#XJu)(zTK($4&o>SYc#xhqj;Q48)C(v5%E`5!*2yAxhd( 
zh})NM@cF<09nFcgFPP{;tbV>`-CF2b5lqCYmx@@C3V6J-b-0k$_MUB?lEE@;H~9;{ zjZ^z4nu&j5Di5E{KA==YsjiH(t`nu&X6tZyOIjTR8WdF6+%@d!r+-J8;*4K>@zz^! zi<{Ta6TSS(KdC27HCiY$s|m>G#MEbq-7{M}zseM)>IiC<$|SgsDGTYm{&jc7yVP07J+rcm!-=Ng}yW zDpsASlWWvly!w(QrBbA}JlAV=wQ1`YY}p3@#q%joM!NX@#L6|3C^Sxi=_w;qqTgJZ zlozB3ngothsRbz~BKSg()Syz}-*x?U+fCX53(QRlv)lkH-YcllKLu#TI3@-xJH0|W zkS1Z-;FL61dSyea6DLnjn!l{Zv~?xNt<5?l{Dc0>U+B8%&z%-~icWZNiX;k{RP*U7 zg9wiS$b}~XN(GH#o_AQRaw@RU$P7dTKss_T2JcX>L-%GGwsz~`lMo#7qHAvDj9a;? zrc|D!F6h2}2gtRffRaZhtIdWrs2XPi(IY zFv(+n@WDrY`ws#{=w!lDpM3h6|HsFENcZNOHEY$O+gT;IadWg9>(ggg%nJm#{VeOc zC>wYWX#%Zsh}MoZ!r{spK19`EC)$;L+~!?JPm3GSMyxOkg;)uHI zHx*9unJ~sa_1;XsrIgOb#fn%_RuoH{i*s+(ow#}H7Cu1zTVzWO8$Qxk1t)C#?;AB? zzbcd=*heW{%A%smN|h?()N;iACrzFPo-(owpNqD91hHDFbU1qitIa_mR$9=hwc*%If%3Tr6v;GJ5%7ZtEzUeSBk`X{`27q~_t3v8pody{*<`)$`6j^e{sM zUQm6J{;X29`ak~h4_QsX8U*4{yh3f7HEa2=S6}nRWc3hy^zkS7he?T9xQKDzi%gw9 zqXMk1#tBG)LvO;QDX;z8zPlxRqA}1k{EDKGDfHsJ`P7`@*SRbHm>wQFrCfiSPsLLz zddGuPhfkj?I8hapR<3&jRd6Nb5ozTB2OzLT$}T<=FpCsH+#sX~N|V5Jd~A9vLFzyE zjjA|$*@itaCr`$fnUuP6||WGVrqn9}r#AQZ36aZghk%mk@GJbr;ARDkegQ}Q+x zuz`gyFk-9mC)!+p*LH8bHE-VbTnXUi7q*flSvH0Ra(OXJB?_8=#b}!TKrd$50gH*j z^w4M}ov7`wQvnOBjUx3`(POl4Vgr^>o#?tISu(D_d3Z~JMF$WLvUkDmbKeOF% zCCU&j`rLER>7SN^m;UjOp1sv(!AvkdM%sY=DcJY+-Y%uXagL$S(duWKC=HLEKje*A z#b)|B=5=ef?b^Stx7L34Pc)0D7xEqnwglK97FA1-UDbf2)wn>mb(tdH6R zV9B;(q@xp?p!YZrKcz6ph>>GRGAEJYzRoCvUi{U3?JTLa%{K<>$U<+9$#LS1GV0c2XFlBQDUI_=#2JL*I z|GICctX&xuUw$@loT4|R2~_#Vsl;Kac#og9MzIymQ4d$rVkSHs|w^>o;(HY**X;tGACXtK{vgQ#`va_B2uf3ws#~setcV2jiEc zy587-_arbHr`A$sNx0#|B>u6MiY@6WPeJ0}80F`@8|71Mm-j_yf$2`9tIj?Z;1J5Sr{;e?7$qPMktyG*sDe>hOuvS;ubv-G~E<2!)vA@Pe@CA$ zkTMm%6A}C)$baR3Z8vG&e?Wj`_y(oNbO-7#^^aDJOJcxE;8u*I&}2l3h8mp?3#fzp(BI`NV#&A-y_d%x zIdS~#g@dPm+;;TL{HPtB7DQDWzv9y#bDnQM*W)u>jSC|C=%|=eX9cR9XeBHL!A!AG z`}rdNy6ro6V}a`cht}IKyzm09By<$jmgqNX$)cc0*~Q0;u454v)pb~7#c|Yz&3pjI zJ!_z-8TkD3?n!qae)thT#3E1}kBkM~%LREZG}w`&N4s?Gu76q|lq+8WG{k?!fTAP; zZu_%5j{9ohnIobhd`jb#$dLr6wBIjeO0;K<$$kY@B;_hga+QK7$P{T&pcQYiGeIkS 
z^~9Z<&&1UHQ{Si;hHm}$=v^OA*i~Tc`iAqi3|+o4GJ406BS-0B)Pm>-(G@nopV+{n zVd!(3XddZ}z(LB3P>INt4d)@^MzCn{`Ac==IF zNbr`pm8%;NsT4CZb@FZhHUiEzL+obNta+V4Oc5d@eBicuAx8H)))9VZqt0Ax%R>LR zdVS3=u) zbtYN}TKVEu&E|OatjDo{*#=bg+3@M`^*awA*EN})Xhpb(9BlqDO)p)#q{?{WSBGPG z+<@W z#JRy&Zr-x5HICP4_jV{384)X0yrQEbR%m+_vGS$@#%8c$Ubo%PujFmq{1-0Z+wH%_w&B(GpPa$r%p}L{fD$8~1p{i>sEL{A z?%FxH^~jXy?b*GTZ>^13$F{=k`%LQKKmYl!w(UDHzMz$aIOi=`jI=Up?0CThw%tQ& z-pX?^b3BsqGcqDRbFuN_amo{-LaYjm-|+OvSS6L@PC%w`=+QXvw5NNn{Yy_uOm9>8 zMUEedf8ZCCs`-pp+D^k;B2Da4UpNI?VcANs+u`?9I3<*duAn8KPbr+TIsFoQ{1TBV z41TfvH4$*)lvc=EOS^)Uf3@#K3O{hehA*jaey;Dl8P52+e^GO1KqJC1?dy@#nDt z$VU#4;*vG4o}eSp?}Dk**9#i?A@ zk>YBrUlpZl@2&VZ!&9EZjZV7vMWAQV^YkbEkD)>U3tNS>_R?j_v6Z}YEX*?i)@Prm zuUWHpgNBXXemg!fo)2)I@uGyInh$g4v+)ON87+-P7U(?%@Hsy?h1A63lt-4%U%Fgp zZuB3A5SH5X`<@Zc^ay`_V8mx5*5?|(>Fddn9T#p~xOva6eFs);-u~>cohlU&s3O;b zI5IxK)^iIDUYvkap7m2=rV5!tA^71_+V98nOQR=J22x^{+sKqRETuq7JELqKza$Y# z!;`7HeW`aF7C2GE7ZMTFPTS_|hn%-$yJugIrXOE-h!e9CNR~HOP+J0~OVAd>Vwl9J zNJGF9%g6I-Pqffz#mr=W3bzu#(r5){MeaTP?7%Hgkzb@TTBBd?w`OnbVOCI*$BS2= zhFSosY-oiiP|!-al`C4I(&Y~`l0OmE0AxBDAK|jZ$~SJ>%rYEG_I2pk1#Ke@%@b0z zxGnyU6;0rYr8;049|L`u1_m`Ons*uIda*u(fGOl{O8?z z^&66`&h^1cN-_9@DhdtV-C|vXSdCEyh}1q-9%6+vO%tn_&#e7E>$;ow`HLM}d;d4? 
zz-vY&rTo^>GAc@Srn&Val!~o>WnZdO$r#Jze3ZFF9uJe0nNJV1c?V`e&t83t6)*AE zzde_-et?~+DY0+~<3(fsGrN*=Q%QW5d**`t0kt9*uBjA6;8K_gbxpB*(c zV)yKAhoWLn#vD6MevXpK8#ieD%bqn=r>s*(rb?gi&?{2b+bygyaTQSIpHGQ$0Pe-U z<<;x-!}Lw$_Y<7r)lWvc2~_}AVt-&V=#@wl zuUI}_v{Lkn`6l$r#;r`WvUvij?3a$M*;H-7ZBO^#(rfN&L_nZQ&`LzZ)eUIpR&H)U zq!QT_Aw^n~kmuz8H*}6pSg~^Tcn_IE+pzagXo-?IcAoy-?@X;lktMSABp3nbq8K24 zKk3QM(cAn$6-#{u*Z44lh+FULs@4AKD89rxuNpOLk$}O6x&E59k$M|hT%|sr?BQuu zbckxMYJ=eJY8OHxR!7TPWGTo#RuHS0H>_>HqBT}l?7!k-j7myJf~^x(tkd=5y@2ky(FsFg*G08cM8Vz;C)exc--Hy*M z1&CAlD9)Vu;lzoP$`HJxLc`+9ka#gNsBsF}q^&z}?4{w`;xhwr53+c_g z`T%CTJOwkWsgo?*0Xe>=~z{CX<2uOJmD!ww3XhjpDu=C?V${S}99jiHl*1%dV zyDDu?YTa(r`6ezn;lm#WZQM)=lr(5Qkj{BC=B;vUK8Sw0BwOn0C!%<{{y5&$cu z{y;Ttw5h{%lBuNuOQRL@kO?W~6R(0+nqI|w0?%JKc=CrFc8Ub1rh^Q zaZ3}ed~qugC?QtyoTKi9YuTy|8Guf8M6C(g+7)%gdMiFp*Qws~ zlt3r7&lgk?wP({Jz6Ay2TkK2ath@x73N2Yube()sO7Y0(;HC7b!sI`0uTmKZmq#f* zf3}0t`6sGbM~Z3pS{$ynSo<b*8EHV^_6I3`%ul zo@){HB>Ewx|IGwoJ|hUIGBy(-fK{jNcOQQAQGkGj4b!jxAO?=$rpyW^d`j=d<$K_i zK$SB@WxD>9GyUE@q)Eg|vY0efIdKXJr5JVfIa{9|5vvwY5z^|o^p71EPmbI!IK?a7 zBJLEY-!BlHGN8(3d2b*%Wg}Bh2&YUPZt8YZ?b|@X9i9R}C06x68L=9*;r1T2qB&=sv1CSMFI1@ubLDqi1u9LxUEN*vTCR0&!gJM}~83>IJP z{?mX>-IhkNjB0=50tpafa;^h!xCEQBH)@?hWtd*6lle?QXB3iUbT64&ym|^|b`lU6Hf^^X028?{drqh?WLr{&LgUbtfCK~1UriU;=t zSV_>U!~rZB8mBYR<_`=It(>c_9B37gClH*HhQp!ue6_UjyZ`e-H{C!gV>=v?co8_uhAY zkuyLQS?+w7N=nEt%Wdk`tN+J8{fYl#4Nlwk9i`e5sq7>|v+#${Fd`s6m*uXKxNrGy z6|su)6tEp-o$sR}R@7Ni1#F9YeSkUQVn4JFCqSg@t^P76yem@&diKtc@xALix2i5A}E-T;cvwXw;BO==1 z6sD;(EL9*l5Wk-vkfMJaAf=W~iSCjRyu>(6kP_9$s|!fEdHj+@s3hS@t9m;y0Sbw+ z$rW_gM{Rtf&H1CYyHalr{L+tO!WQ_YkxO?-axu%6C@2ie4X`ja68wR#xfWu&@G6!J zQ$^gx8n9$uiF!t4NaB#76;NfOl{0Q7CZ7;13|gd2%tBPO zYwkKiD#Qx06^uwjg}|k_I6A6R=Wb5Dl%AARmiXTt(Ri+t#f#8&@>(2>Q5~315 zg?Iv0Nb9Zx2VWntRV}~j8lG{`ie0e^sx+Sx*B>|~Q040P!vlc!;PJIS@s&iOHIgTZ zA|ZnUv_gY9amq}e5KU-fQhJ?~E0c2SUagk3qUJ#J4z1NqRj-Z>gmNN6zzOSie>h;}zSzS=V?irf8Z2%=K`RjuaX#4GfWoa%&ivWXO8oG$%<7kM1M+BN z#!g`W2%9=$V-DgM*w|9i&9-?C!<%gGfaR9Ivr 
zYD#rDRE5=~k`k1PN=i58s9otF2Sz6o>GiaH13=(<#Sg~Nuw&4z<=|vjehX<)r0#&ZAKO0VIs6t@7EZzEhiZ68y4<56Y63I54a-~!{FJ0r5 zhANFy^q%iLiiBlT{`r(x>AWU_Di5C$ZK;DP!l!h!#TQO#kTNy4R^y4(yMa(ZfDIR% z2oeY?MXuZ6zXfs;=TCFSc6+`sOFyZ8eBB`$$DLiLd)0Ia`avs`TLl)nQcy)RiB)2> zlH?qfXyG5Ng!^MzX{eI86$aSK=sn|?tc}lZ^`ey@H=v-En0!gP0Rb#uXqARKK`ur1 z^2+cvnKEV3K%);@wrYz;Vod2J;20euU*Uj0Y0;{+{-o{Top=5-&9e`zz#J+3*aHNl zP;Tfz1epsW?3{-->dPkk(a`OxfbCpWX9;3;wv%<*voi=)^)#`HNgsFMzv%;Hw?|b+ zT}P?NQ6!*tnqBEzs7gv?Fe*w#aax!CKIj~(iyUMhwPVMbX&5%dFjL-L0rxM9Dlj2P zXm8%K_5b|OpUuIAeY329SuuCsLLtQ$E~I5yTAmI*#UIv-`28e1T}(LTdGP!RpGukQ z50Da1$mRn_KODFHsh;aAPFTb4C))KVASHYX4IsfO_@)P^T$0jta7w&4f>UBA3!l;% z>EiVBPo_lO2}1E|rums5W%Kws)vVUQqLa0X)=JwKJekVhL|bDVJgUQIO&x(Gn@e|VbIzcXwoa0Dl%=5ECDPe-_sJ(0@0iX zw_-LXWU$+~l{m4P)yJs5!k)pN>{cOG{<#%U6%bl^vjKmxpcSY{xT<=Mnom9Tw5gOh ze&;{$Vn0Kya0<~yl#3#C&gVflQU^cy@I%|@_1o_}+Kd%ae2a#yPK7D3N#1fm*_wcI zCz8~zkFI+Q*bed3S!$_J;3&(13uqRjvesi>()acYAHeA>5-JiXRfu)GiYG^%Wxsu` zE2C5%gDGQS=OREf_VoJta^pj0}QLd-~wQ^@R@AI>#izy{yZO=d>m-!|h@^s_*f z6Q_7)o?B)zCIn6MDS;}KjP~cCe>6^+@hMSRyz2Ors5PzS63CRnq|lA7WXgt9DFZ2A z2!;N)0fZArQiDnXe%JYOpO?23O=7tg z+KjvlIu?;f>vGS8<>&!=0}X@Ooci02zrx*UPo1UFo-G$USf?9U$EzkJR~*U}7yFqN z^H0}XebOhb$fx2Cz7ZE=)KNcD);dvBh1Je=@g!7CQaS2Bop<&I6-^Ma*WXCTK4R>5 zi93!g6f9wgss|#@;5bdoZcKa!*RJ0HBJuT^UBu#rrp;Rt#-dK6@MUl_4QC^l;)(bZ zN+qmHY&KYx1am<~4OP%gKiL#E*B?@eY?@Go*zP+J`>$Rr`Yhcflu88L#3_L)51&FO z#8WE&IHjS=iBnof8SyE54T=Pil1wuLs?5lg)|@ttsx@uWWXkL4^952iEU0jxrp+xE155{ej-NRYIbLCRYB@ zN{k;(taRK;po&+|oJ@pPPER0nTc9c)t-NKIL>x@CGNDQnEAgv4gI40-5U6sx0g+J}s7k_2q(ijt(D~KZUZaGC^TV9syih7O zQDPJjYP1=*t#2{SZ{B)z#kxV(`ef_kAhkw`to0M$dWcmn;W8ja+<|n~N!R;*vL~&> ze~mlvfss&A*i%Qno?7-xj{4=1Do6eHIxEh;*qL5pQ_HU1ddU4@6_7beX`}uFhhPIx zcox49_84v{NRHR^;mzNK0O6&wGo1tqzyIpOb#`zJx~Qs z2~@cjrm(sGbbJcex|y1;v;GK9nei!HA6S*Dc}vlbTpTekVzcB?i0e;;Ju#nBI3@al zDJ^75^C`c6zl0j=7YJ6J_aKY-=m6DY=#Oh^w}CGrGn zw8H3ON^4IbP^HmIeBj~<6o-SPSO~X5e1IyARtQ%Lf>z4tOzUhw6b?ND620+8I#=Bd zy`ugb#nNAT=_UV5M6+klIcD5Mv>E%|V+@=)aT0c*aq5X2#NAg8v}@DUa^MTSt#chb 
zS?iUoLwa}M>~RO)WkW;PM|+|t$v;#H6$f*AKr^>>q?D(QdJ|8M`asWazjLko2b>8N zC~c;9{``q{7Q<{H`z24Fyigk~heeB*;TS{^(3wB{aF+Z%>>R$BCY^ls+I6CeEO}#d zM#_n#OZO&OoxS2WPh5_2Mp&51Y4TfKM4^-erviymX{eGVA>5KAGGQP3as7$kUL^PA zsZ+6s;qeEl`p@a1RZRCKUbVGp~^p*@*kNJoJxX5`Q=ciZZ~zli3l$6 z*bOQ=h30i4xC6iy=fWDv#@ktV`#JQokl@YW;W@*|7nC4K$ z1-a+Qbx|afKl98pDc0Waz5hPD_<>W}K_q)8rIkW+zYfV2tVm)x@Rjk3SgEY_rq+q- z3Kw*8MeOI+f!9*}Tq*ma_0&^w2VS=hW)*U09S%|n6{pzkm#wLKT9-XJ>bI9$k6aQe zmc7cKXLtmQvs%?+x&h)sYG~P`IOD?r}>mnDi25z zqOupG5Rmfv{Sxsh8<{de3S$Fp=ATT7V&v7-maa@nJGBzBCOjaeIfYi*rY6@K-qied zY;pjThN0DKBH27BeA&Dm;ggT7AAc-r+^!YFx6W#}XI}g88GYBRUb|*ZBrX{l3dI(hrk3Z(dV8ZP689Dxw!dVUpU2_ z_Z6Z-Qh3bdLY2++hvb?#1^BwT{u2Ctf>Wr70Qi&(PJvdQB#MOKl*BR;aEjoRH!>w| zC0>P3iApq;WI#COU{YF9Yn)0Nq!J^P4K;WR?krg}KYaFp!<%PaJ-hebjWZAKTzq){ z#>0EpZ(cfaYVWEudsiIXFzrCZ#ORe1w}wxN3}3uv)hdbuIGcY6bN+OIn5CalKQ#xs zD+IIr1C}sW-RI^&aI68#bOyq(G+>$ZN}PcFBW&@ZVDFo}S0&?6_nKPcXsQP>paH0)m=FwTcl!3O!5H zQ+QFw*KANFK7>GUN}$TW>rbarxZ;!vRjxRN1`w+?IXH!$u@|GznSM?_l>k+a4G_U8 zCrF_iMQ6Ht{A^?j4J@iyYi6ykwE{PpNFpX>fRqg;Y?!iS=CD)yR^7Srd3+Nglq<>A)#=@u1t9e;G%m8;hPebVi0 zw?d$>P~qSV88cFjo{bT8(2x{C_$;;SW%CqF4#!nfb%I-h>7&U{oIHu@X8yBaAyrp2 zzRbn>)2=@gr{XD8NyDl^cQXyM-z=!;u1U6D`;S_!uj1B^+o-GJf=G*c{uTLqX9 zs8cMI6VTxXG|>vT41WSu!mSLsPwgQ(0fF5Ty?xHS1-*LrOP?X*U;p}7TT(h2k_bEJ z*>R7O>?lIG%or(%k67WzVjTdn-?^y?v z*h$ca4k>}0Rg56d}`-%mV3W_(H_@&Z+wOkt>-$}nj%gomKmoHlaVA+~0cxkkf0~51S z4_JXPEEBC56g@^luY_CiYNuCTv=XQidgVncf85Ge&O$OyooK~e^+Ht=Xoacf3#tGt z5g+781WF=S;s%t^u=W8up-OVsAy(QAh){!5{2}aVr8nd{C?i(xv;31vq}b}c`}VI@ zr(VghQUwYI<;0j0M)wVgWCI-PbJTv{8nvD594F=;%ii>Sm9dq4>UkL zZ8ai*tq(u?c*?YyKvLxT4P;kR1)ct9ca?#IhRXS!yOrM+Wy{>Kb&UBIm-7#2F|p1v z_xyj-{MHjX7Cyx^7Mv2Ol6mfjQXwhY_2(a_B%8vI>rYcEVO0jDLfGS%`U+0*YKEwA zgwixr>3lz84K#7)_`)fnRDN(uLzUKn0#dyC2! 
zXPtF-lXY*Kb$>SrtB>v;xcwMmI+uK>&FR% zVd-8HdX-$X(!(SNrYF!BT4AdQR2keV9<9U~C=`6{6rd#Fk3Fn2tyOI3XnAA5#Vn5xBy72Eqb+Ip z*81VKxR`eniYcjtim%k#WVjxTPbE~$RKc}47dIN#PD{6nRo~VBo^GelWlo|w=gwbP zGOTp-=B)+~9l_`z*QA$Y;qw93WD)Q}^P6MAF$U9?t=rZ{MxiHV4KM4bFfDAK479^j z_qn8T>cIoW;}UO2W#W`jDiI|tKoKr%LRlvgI8GtUzW5ZK=>;jf-%q>#JUEqzPl+=} z$EU>aC$_YWPua+n6Qt078lk``@j)eW`nfSFRIaFB8RSyKLS=z(8y~Mh+ z(!yE676$jCt@}Hz`}?d12Y486Pb@%qwV|&*gjh;PY;(+BV!rAhbQg7}pDcYsM%X}RD zj0v#ijb~|sDIMjCS+4#-r!&wOy%MJEn#V3v!a%EdPoS7Oyn3@Nm|dz)AWf_zl(Q49 zn5axwgImQX1j_VI0)v*iR(IJ`xq?JH((Tw5 z>acgeMOD4_eJjRZlp_s6N-jlWyp`bn^CVQ9sG(BmsZvPMKa%QiEwmmSbv`h*2m40l z%$3`AOaJ%63$peWabPww>*({2ow|^+jz9MG*I$S8Hg3|K&n#ZL0(Ast@i8nYunCtP zm*uyxK+uyFD^+G$mgkep`6P)n3^66bn3>En`K0s4p2Qg&RM}mB0c=Mlem|hf7fvB} zzCu*m^`~*lm+Q~z_jB+mg;SDB;fqh%amt$>h6dA4KVLYdp~?lPy!Fq82$*516oZs# z`{*?ttlLYiJK-Lv+TekzU0$doXw70elg1rU?mr= z=u+w1c);>xT!^XQL@SeCna)6sRyrrpnP?G+Cs3mmGf>dV<_6R{8J~csB~%DRX$V>| z^MzaK+;!I!ivZn#uGxSlR5{V=NhlMD92tt3=!i3_&ur*7HtpiSa43PIPvX~8a?OXQ z6bf9Kpb&w|MJl<1$`vfI^6s}7o8H>@#1~k_#k^{4_*=lUoQnFiEmisVOG8yDc+AnC zUBY?ffsUUz`Q?{iu|ZW>sWMP15+|^!7=_DMu8@~*TUPLgKmPH>7hn9U^4B9rk0Yxb z4H;j7VOC-6y@W${Voyc*LV&O%#!_595n*Z1w% zf*IrM1A(6hrv$3F8h_&YV^-rjka_M2Qu)lL&`~N^N+o^_8%{x2&Fpk1RQU~2sj8u3 z$2xFI<@@=-DHWo^W)_^{6;r|H_e&K{8GK4WN|Pzrfk2h8hCs-aR`2-PmMmMgcT-yr zRN?)LR7)!EZBcfhascjs{NV7V6AQ<7{^IOD;7k##$9LAo{iL7@Z{GQn`>$R&x@pz0 z1+%-x?wWq`@b;g7x=*;uPsGZDaSv`?K63H+_VJ_oQ1?=r6R=zeS7OXEorL;{G{e&L zii3E}@=LFzS6%&qPP9UZOkxFWxuO-ui2^Kd+{)DxD6Cw}9;YWz6DwD=LW~h)nt!w+ zxgy2+6=uZB1**Kn%5(#Ym}3cx;0LZKe0_53hP5}YC(0j_EAtcl7OoiR9)Ca>Z`1I1 zecey8&;NX1$s??Kn>}v-t53AZl6Bw}3-6!K{loiryo$&B zC(EfutEBpSTb++aS2MdBe&1LZG7`Xg_St89^y~vvtyvq1!sIhVK5_RI4i0gG8ef5G z<;j`sHVj)>L2H_W1u3TZb zZH~d)w{Eso2Oq(2~=Z{P|KuUYAOoRfb z;z7!r+9$eNt8NaoKG#Z~sWo^0+~a!&cwmTFm9!Psoiz%x?h>)ucl*lbqucx3`*Dm7 zssNpz9^5%|aKrI^i_RTeuzz>>y?g!wRVL56bM@$rOUK6yX}@fF__7rVO(U0iV4_$e z!etht~clm|WqZ zRGAW>ilP}XJC;*XpOBqOu1->gHK<$Y_+ykeZr;KoDI29C4|DAJNq`QEtx%rm)pI|d 
zrxY+{gvrvZ{!LBiUSnK=Dop9pr7KXd5LG5fk6FBAIixI0)@-(m^A?iz=38%(2H&nj zCo&9KaX{tp(*l z6PQ2YQ$ne1P~|a>;uri1RGA6tu25xW{Yj>i@F~nlAybm|=WzWcf+{ag1r(z4<@ejL ze%+WMeP>ObxGpjRFM7O!@~ofII3<3+l;IT0QxvHgnQ~=PS~F{1t+ltPbTfwmsJe1$ znv$cN3)RjA-k6kHXn#8rLo4pyzRPEpUp_w8300uaqlZMFPF?Ib_U9zYqa7mtD&b) z95ZTQudUJB04yVJl?biOpq0d}G+L!BXceFv5WsQ+7%@WwU=IJU;Md0#30z6$urm>RM;pdc1!ur<$hnsT_Z(ZsJO# z#*A~`1PiIyL7s#bh!1;yF-6g$G<*n4maT+sjT}7|tZ{x(pP{^P{RWLl6eL7N?W}+P z^Is;n(jVjC%{SkwTdzK!1l?H8y=U)!eh7xe?de-?->_PpGMN|jD7vU;(I%BLW&iZG z92q|z)U(s^!!hLk;LBqw>JQrvWR|8CPU$EW(qyJm*j#_&lNX%Qem|U|K$VwIVR`yn z>MNlEQ4UZllTX1_g*|zBlXCBXN?W!>FPb}Z-pr}rR4n!Hm!JRQ{eKtA{9%!7A4@Bq z>(eSlv(uV+pDxGBO$F&YOE;|0wI~Xyu?lni8N2cON8+M2l$a-o86mH(xt5CGO^; z$9FcwJ-Tf}qWd?_JbGY1Y5R=r?VW3jY`O6) z=>!{Q#RC=$)Z-PD{^Zrku(V5%yt4JmS^&;AP=SLX8#8nO!$<4fysnI_yngppF^0Qx za8`z1PlKS$AEbZpwU_?>*WMkPEtoxX!JL_ds%bm1YIg13C_WLe1M z^b)K1LKfl{NYV|6IEWh%8NsMCgI3~27pM}n60=Z<72GO7Hz0t8Au7ZQs7gR9A6i0` z1LiBrWM}lowvFp${P4{JncwVEEBo@^#b$L0u3jS3yeVUBisiTZ_U=Ztz*ef)ss&bc z)$&_o2dkf1V72FoM69fX|BQ?II034T6j$EAQw>#p+6(=xE8|qw$AegB$1*fn=0SxD zo4}!upZUvQzW5?@?K<`P_8SQC311z-o-C5t!c0c)>eX+cKkVz^A1}Y$s!cnfjVes+ znMm@+-~ax9t{;B!rI(sEYr!X3uz(1l#<@Lx&%3rnRV|*qRkfV+dlcO~v}Dxa5(~N) zZC5QzwPK%CE1j!tXqIx2E) z#OhURSBKM9EL*x{@uJbg1~so+txQPX>SYVmEFV-kG<(^CpO(z`QR#vohvomUV(_P5 zg?v&V%Uj=nm8H!$*}K%r(dWBdee37y`fc{+UuA4oF=LYo85)(((4buU@5-jHQ~L92 z#XqT9{L?DMJ}q6~!_oylDpTOoa)rP6rflKws#j>&ywUJM{bo&_ynNYG6r%}J=u)j$ zO^=^u4Wg56AZ5}ht=L7?FIl=gD!i+8wU2dmq*?%&2&zD<<(~BQZE^Sa-?$KY?exUQ zch<-Ke zPA%(Ku2k%c+F_seteazT&!SO7N^BThVtS|GdS7O#Q@+UctC#h6f7=HSjws)Ss$Sbq zVT3BORMk3CG66wAlh`LxXx)lU7k40|_lI(;gbKAgRSWA}SL@OcwdU*AQtKy|ZF9*O zC;9xj=MwD?Wy29Xb+5eg3I&&%wP=Muki>Q3P;jg5J9iZ-T*UTa=iBH1{`W53dH_I( zKlOy6X&pLsp=7%AlPouG-KIUCM7jm4a5w8Ifn7APON%dqGB&7~d2E|P%X$^vI=tle zkzt#Mg{>VBI;m~J9(8lIsFtHqm3%eI7pPIOShb3!I<;>zY3!(om5cZ9jPBCB-Un~L z5mqE;)$*a8TQyoVbHeVeo6r4l+Jq{62uyhXnEa`XQUwTAdv@>K5V>~YtSM8+j_BOB zS%+3lE0qbYP^#FMVIdVu7OYsZK*bUTz6#4%sbsE-p*f^gE0eonm4bE3=lr_(=Y_Jp 
zS*hs9UFzkP*1J)`zD-t^Ziou_>te#_V^B{U`R_7widl!xDUwq?`(9Oe2ZW&&3 z%dnDw{>C9C*AFTYF(5R&Z}BC)iq7d$WPGcFgB$1VRy${#>e(Aq$Xq7qli=K+g%-@& zxYpNWhYt)7Uk##a#oP_56s%A@yPkfPOXaChA|KPzGc$wAmMBu8RMF~R zmF?W78Ex*g2}|eC+7P*B-`>4mZk4>C751KgVr9AkeL)rSd-C{^jcZoSnmDp;<2sef z6fKndi%g%qJEBkLU0bkP7mgl2sM+`RDwhkbULm+v#R840=4(?kSHA{%W^^nZF)%cG zc-W3nVRYTX?ja*u7OGP=bJb!w7EB-K$8V$6)NkY9(PiaSCn`j`9R>H!w6sptQq^k{ ziY$E*7n{zhqEmn7aqK%rDRp+I`cma};Qdp@l-QkWx-v)OTuLJn6$+$2t-iy*|KI;r zukkG_s#xqcY{Y0X`t*Ov!86bNrQ%nW%9pSB(MKOs)t1oJhaY{!@+$xcR}~f)PAbAu zt=qP@eUZ0szx~eekz@GemaW_QB#tuM+&FpcaFgm~Di+S%xN`PB-xomrF76o;H7In) z$go|bO6?w9YRAY@;r)tF>l8eqb)mt{3w5iPr{0$tOBZ;*V3s%YWPCGE`ge-ve7|Xx z?3@hA^-jSoZ)f@VjiBtG)UF&hq*sT9GbgQGvH1A0qo+@u{Nc=Lw%ECNfsIQq;D@|? z`SR6k>`!vtbp46!BO0-bddiiRV%GR=au3q04J&I09ykTY=QW?1L;HBo-w646Fs!#x&g(P_YRrUC3t+>LVdr__jS>a z^JI7jvb>kfXxjkfaQ!>A&Kgby-HP8rt{~hDsblXiQ~ui?b#Wza>joC5-$t|y0?liNWvU#Kt#jj=S1(`uZNN|#*LzDqGzCx6{1Py0!1+xC7K~lHI9tS>pXW-AI+sy*R+TJJmkt z6TnkQ_sWqYmlHMopLyYh7a&<=tvkyLH*e7ztf3Kg!fjZ!+BcvQZx=3Jic<>!!UM4H zK#bnK(fpxOrOWb3>fg#TVUm7q_Y7g*xh3kmibX30XQ^8@Yp1$-`!@~3?3vQOF!s-y ze#JHpF0pMy*v?UOJX3c>|1kAEs`cwN zs9UWmgP8c_FylNwd4Z$rVtxfYr)yfyIQ!$8EH7rM^kk6}!rmr6QdEGJ@YnMvj zw9*%?t7hq5H`l<%`KERXrp@XaGPgScxMIuu6kk0cbp7BGkR4PIc;VVmN<1J9G}$<$ z#Ej0to$KbQT_#h5idlL#EFe0^eC_sK{s!f9)hUysO^v+W>nlULUz4E0%~ZdQZ(Dd; z$0BpP1~2Ln0&+ztPoW5q|G6Vbd zUbbwxCQ~Mp(%Lv4r+m;Tpi1j`H2=(5GgdFGvn#Sy)XJ9kFAR^nKI8uRDVGlpI={Ei z#r^$no)~-Q?39O>=Rdv`{^0t?t0%`kzP&2${=vAPuEZJTY6CzRbzi34Vl5jhJ?%a-TT7F$N_{+kd;hr7VEI(re zY1%Y|>0Oe!EfYg#0)w?>7=EhIwf&00trm6*nbWxl@Pr{Zyk*d!W@@+@^se9KZ(J!S zlfQALT&_6Pp?2=?zsgqk%PhSc=EJp)_%I1&rpZijosFJfN6<>F?jMSv&F@~6$vmTT z2orls$KbvV^LDSBvsIPM^~+^o{(l>mzD5aTA$_HypI0xPyS7J0s#GY|scp;ty}F6` zj2St6!uYW?C0P^3jTrg9S-^K+eb_fP=xlasQ1dUnEL-C9p z;OJZ3Pazb>z_1po)7sX|U87`{uS2r6tX<*g!TmN}^qYTs|Df6$nAngiw2lw3k*Cml zsMj^;$pcL5LhEs{uUavmdw(Kdd?|I-cBx`YgH)ym`BZMZQ?ZZPgo%^E9TP7CKh||? 
z^;gop`4$KT+>lZTd(tIGI3v~9!6{tFqz4oU4$sU9x{x3WUcvq^G{H%AQ{F6HrM#F3vqR>aKzjZ_ycR~|5(1;*6$=!0EwvGGY zD>!h5l|Vt!pg)lV@$eL1JD@oCj9tC5Pf;9tOM4cb)u~9o#s!;wovTtvMtnO?dIf|v zshqodXpWjCvwvSPM>h{(37pYy1Dgg7X%;l9rH5^G4PMa;&@YN%$uBC{8lmiVQB$HD zIk~2P@yYFiy41;4s^F)^3*{L-Y_RranPdvIN)}Fu&L26XQPhfVbLY*PIi>Xv2Rc5! zHUhwUban2%^HXn~8F%%_kc$WUUD(_2!v3L`V~5{7G4a;P$#;KT@bm4hagXk3^hwqM zYpnl^Yr^Z-;k#H z5zGl~g64HCvIM`%;1V8(HU?D~@n=i-HX+WUF30Tf_3X;F9Cp7Fjo_1YQ^B zFpV4DGPDGJiv-~`0G>v)3c@uC_oUP4qWa~tRV|hkoa)o|`wQpJ{N{nl`2ecO5_y1A z)LLLwWU0AIt~g2_V7_=LiOm=no0gds*5;>FVj&x2$%?AO1yxO_)2#fZlzJak>xojj z)O~XNq4NpilXs_)LJmmMV|Nu+?E1>qvwhxt8&b45zCJPrH*bk%bt*K9>@^nGlMyYH ziscc+JQprn^7hBOZv)w&S&)yz&s6l>^H3O|w9%~#jc5@xtho}g&UN#BQzA?C5?{2bk=w*0>63Of^L-nZ6R$fBq;6U{cbgjd zI@QVFzE&O@;yJuU(8RWdW_HBIRAgz7kd?iQ;zUA00s8puw|ne)-4CcEIPB~$!JTU5 z%$xDehBYfspFSO6a`pHLv(Q9CQxC1)O~=}_sbeOMZntR3QkeMo@xvF-X?b#Q=NqT` z-McU*hS`)_iG?Z!L+tv*G85*MI)$o@&W=3EsPX?aJ8$J6BJb zI(6d0#mj8XL@tgKftP_?`YH5t=_l3CE?uD=p#tR!)5BMf8#DUrG9iVsz1_P(9%f7Q zuoAkrIbb$|P{0Jkf#((k!Kh%E=5-04(V_78)`hS)uu0Ttew(Lr-TbY;$=j%6?wTdl za91myqfY6Z7-=#S32h6>l$+A7uuQ@k z9g2WuOw0LQgBNs-pR3GRV#hLvfeHAXIm0>TZu#H&-GXs|fT!F*$J%+mDVecR<*XP> zW7`%HXM$6vIJ0SJ32iCS4>UwlL7~T}1D^N*VvA^FqmFMK)T3VB1|FcPRXS(88u|J+ zDLA!bVPqfDL@pnnnclI8!lsr=MexYnOmAGH4G7icYxixQ1{Jf1<^8NynSw2ARhTnr z!i2H^io6NmPx9-6yGX!h!%SrE5crL#4zl&4ndEH%P1)4na0sb0A( zw5r8Fs}c5D?b7MVa_>?*7n2jT!rBC|z75M>IV3YozhQ-}?Q7;3)U*J~e?q&$Oz&A; zip=jGLO2ZbQkW6s3lmp}50c{Xki@^Dx~0L(@PYJgQm|>|T=-kQE1$JO!+t}8Hh<8il1Na|kLz^oL8LCLb-s9^u1!ZhoBNvzDN4c4)?F)hL=pv5_3JFK~ z^e-0Czxeur#T90aOyF5OGBzzAZt!KMQbls~>E3zyij^jl((W&mLtx{)riWbzt1pLDx>tCE=Vh zN^D&96T2(kzy9$4HQaiEbE|u|uO8gF=K6)>b0!a%w_qW&SDGKpas@2?I2_0W>gUxx z;6$s%ix;wNOQ4NKKXU-F1);DR7zGTQmAymAkzi=%bty8lV-b}9 zm{w}4FvQKP<}6n*BLn(%NOnEM6$@vAOqtGM(kEI}%gsEg8OF+mEHDT{nR=3#2YRx} z^y5_~B(ET&OjKT(w0Z*D<~DDc@OYca?P2zE@vh(HYg8#m)#903Rfog{5qO1dY4I^- zN(7BpgbvYzE_uArMG?ul-GXO!E;6M<;c;zMu1Nnz`PcVB{GxW5^wmN?`=(?D(FrxeGKrR`Up@z{ldse$k+o)ttW`p?Rxgof@ytos 
z!*-36ocACUdGAtoiCsU?eq`nU*J`S}-uc6ms?fU11EkP;=lHe2#%7CgF(0s1N8tM3 z|0g}Weq``^{|Ho-woZ6f{*wErR{rAsn{WMm&v~a5Q(C%wB?%H_@sa!>zw+*T?@yhs z>ZsGmPKP3~c&dEGiqx0ze;elivWf6>&plVPSaEVBU`b>clHn|@iX`n_|Btu#fRFOJ z(*N1rWRu-Z@{6-cHr*YA=|y!$Q`9BY5RyVn&m9Ac9Bq1E<&*y%IJMX-D>%Hf>=bY!9^YMNHgw^}ghY+}M@iI=j z=bd+fDzlxilly0V@p22k&hhDy(cZT8iP{;t&W$-PXciNb46>CcVYoA(Z9#CNve39Z2b zr=-x9N{1Be5~tMiU+OXfFUZ6N{dE0?jq5h7U%q0|oViVPwRuhTDGOT0eYS7S=SScC z_O3!)7s-@J33&JB7vJ2u^!M+23s?u=eev{>clYjCx_0gJ5~{icEUrghoBDz~??Oeu zcpzY{dtqImw~N1_-|}*Iq_I#O#DhgdBb*s>=-nt#yaHYXONbXLy-*E!K>z`Q8sK0! zP04WyaUFtTT!K`XhwW(NKv%mb#`z4+kFtkdlM-YX>1~6O#lT?Cv>vH|rraU!I#sv&1jIn1U zsuOEDArmGhwo8ffBx7xcb5oAX%pB)wY5F98$A*cyBwdq2=3zT%PY~)6V$hf&129_f zzwdZ?7hmyfpkY1i0ok8p!cUg}KtRFr5=1ZfU*u8OWJ=68A ziVg4rHo$5n78vYMiY-#;P-)*Evi<(hj{{YvLw)|CRQ>3%{wa~a;il86=E&bEX71k# z)2%m5|L8*O-@J8;4EB)msQHBw6de;cbl7mxP=FU(w!VlJ4orFd&9@LH)LUU=PHust zqxKJf_@l%%3%IfVN_{c%RHSEQHBWB^_^61t@BI%zu19`ze_YkS{TqY|NbKu3Y$nGb zP(@U7?=|JmjvUC2^vev=v}GCQ7C6t$cbT5=3QW+{)5N-8nPx}`9EPPX(sxi^q&;rs z>U8G`i3U`yoG@KR2n#KmHYrdWHOem5-)2I*7Gbi!%4-usyM7c60fM;$=}lAmSn%pc zVLV5qAmMRsPs1bm=Ae)`5 zGK|GBI+m0vL7J36ZJ7JWD4*e&k2pJvXVfcbW7rrmm0$uwDz2F1fq29(W@Zn1<0UcE zKRVeLtb1WiM|urRh#0+kJb8@x>KX1w3qUqj#`~j0|$U*(UvS-c=q7Vug`vb z=ExhQQm0Y1ip&*vuARMh@w2O6eR}uim-lXetu7PXrM7kN?v1U>st@m7zj$^9qtxOo zd{tkD`tsD5E$>CbmVjf4&JwSAI9s>9xNzRwu|E3Tuo2kD)aZ{Yfo}C`Gk&O1Sld`L zK!D*D@FJE@^uPdqK!Lw52S_On{7%#h0nvk`-^FvbCYDE$eE+KMzi z1K8U6#Sr4B$*GKC!-PbJu?}F0^Rov!nFvfM7(QG%H-(j(6(CAt`)r!pF`LYOST^$0 zrdls%6L(z@>4-Nr&JUV|mWi1b?36K9xl<-=d9o4u5SNq@Ix^gg=)!(X3hNnh{}x3= zU>zA*1uA;IUxvJ9}C{>SJ zglr-BT%ayO5)l7LRo7lB=&K8aMMHW9%V@~JqsKozc<9IhD*GIw{M^BhNa@+p2o!<| zARB2R2?-aC5E4meGIw4Tylc|8qUBj$Gl|x3?@{>S!~&BiwmlX&yfYT~h~qyFJ!N|L zA@me$6cAfXhl%{{ud4bnN~!9oME*|di2Pkcp&!#ftS-`=@SKMOB#~uh*Q>9uUB5{r zQAZCV<&LnzDNpR!aiV?6=z<*vC5t*@LAh6nDyy zS?utOU;a|C1QBjR`C{>4`BZ!S4lOV6*vjC{D+u7Je@F$<7l zCXO35h$W>Q%uGORCMX)%32EiYhU7r|hFn+Z2l%g0gzGHm8d;o86dbXgyfrGD97q4b#%c+D7^evS^8c!xZ@tY6DK?M%u|wz>BM` 
z$?UCyHYMA+B-XJo+CjA9SjSM00jw=qm&!Zk9$AQTgW2JZ(Z0j|3<{N(Uxl@2rr8>a ze?c_xYso}+ZWdgAZJLkbVV@NstyOpsw%3m;h#2YYIDBqv^VV%INy*%MoRTP@h6eg- z>>w+0XIsDF<2TpczH;Kujq~5!{`$LbZ(slV^mpGX6pL@}T)lSj)YXfpZ(lu43E(af zO1<&i$xk-SDR^mq?!tv_oyXs>S$*p6FiQefcW7l{65O(7`_!t5-cExm6CEHepiH$} z{N}0{ef8dqC`hX4x$+fYa6|J|H~yVY+_PivBZZ9<^sM%GjW?tAI23^i6&gMY~-h<&_#;fK)tjeM{Fki zc}<2gF}Zh+Bd(u|40L%W%Dm>R?QwSSOn@iE0tnTb?>Z~rWp2L9{Cs0wq7FkuQR3Lo zjvne!*gW7zQmN0HGmnxJPd)XtFh)T?1F#eoVB3qk-*}VtKaJXd#3r8+yW7Zl~>6_B!(mXewgJT`PpP>5(gzJB)h4zl_9`Eycc6Jnge zpDwgHasg3hSFr&uR0{95#{x$w1$l*Hg}dtD0Mp^$SxD?3@YQsPsvkq7zGnI?#B?fN z(c>^Yc1Hew(cQ!4;(>Jm;$Q^i2Lubx5Ji={BMTpD<2Qlt> zdV2r-=Snq@-e37|e)GQ+7O~hLAQRTVeeZuLo@#d&+}(Ca?3>ptjq}&V`)X!n8h1DQ zK2I!3fy=A{1+y5C3`-iw#V9o+7bCn2ohv1yPB|2sYoDE=TL75vI zBzOq20Z(k?CrA$LBPJ31qavZputqJ8(VJJ5wqlB@@#29J!+Hnh&+}YC&&FInUHHrm zw;Ai!-^=j{7n{diZ62fJqkS?dUX(byrvb3lEjQE@cj0>hGTZd@(gCviO(OT)bf z+7A5FXqRVL8(W{Zr9c5|*26DORRRPE@Yyrd4_cZKwtV9EhmG&*(0>kSrA$2~Ns&-4 zq^=?5xs>qM2&D!HHE>`CRJXP3H|%?LEg2`2k{@@kp*`Ka`o*|*W8kUPuVR|FYfl26Sixd=K`bB~<`=qbsPx)7byQWH6B84!_t66%bthzc zx&7qn(=DxS79x(XaGt4xM2>FJ!Xm~|^-na|XwME9_)Ne4qLEwmp@gdSxx^OohtHff z2U#slRkv?FZgF5t5SMT~+V2hz^My_@dEyg*PjbQiwU5aR? 
z7|Ic*4B>S`fUq)TeT&{fql4p^smII`hhl#$Z<%2ZC{Pt?iXOx|FehAx_bPF;U0u3< zb)^ziwWQpWP)fvtMdLU#i`?gyd0>m9PeTgP8nRs`CTOxlN9KgtAb%45hs600A)`*5 z-;kVeNF%yw=1^ZLuPi!cahi+}y9H$)1uEf2U%(b3i?uguoyGJA$GJ`r z8NG5-jTbr;LKUUp?HP*qN{v=EshVJqk)#Fa8Kl$_UW$DQ1awp|aUVhfC5#!`3+pz# zwtXc9>+wi4k5`J8H#b&+;UgMYu|_8Md!^ zuzn{6+7`t)O-eD;v%WG<7Sux~4%6qp*#woy{3}t(xe-pdmMn&%_{xMOLlmY4`K$So zl&Q_ql*VM|Au#co{t80nD*|C*k;|G%?ptcSmK3`dh3mkn;-s-hKKW;H3IRpN0P@0- z{!&=Z}Gs$*VCJx7K6H$h=^Q0I{>YNYq<%KC@8L_98;%t?Cr(Z@;(6yb?Ofr6n& zmVN7jm7p7Gj>u%f4%|2_bZn7% znCwltuEmi|4T4P zZsiHuNbiAIazb4DAyrCZ945qTCMP*f$uRaHf~r)-P zJ|W2^PCXPzNgNR!plaLNd3Ua!|NFPMg_cC6s;d{z+`fKBDovtu@Ajp8w=P<26kor+ zcN6>J(GPdsy>)s2?v?ZBw^^K}2h5VdD(^zxmo;F)Y^<-DtQ+}MQE6skB6S13VyWFk2 zjo?~snt|~)F+p1r?Lb^Sqb|s$Uvl8k%48jXh0y>H=JS=xxZPMgYE7m0%1K^?{jRGa z6w7yOy$@@!iUe)S7&}7sVJl6DH^}i%hqcz^WCJ#EmTjf6x~bU;NnSKDmBc4j0!V$y zfwu8}_QY8bIVg9dBlf|#9qRsUO`1VHf7J+Oh9}qASosQ+h7ed<;<~QFW8Eb8nHjq5 zAP309;8ba9_>lu2_TE3sV=7;OP28RJ8${uP`2ehN z`@(X_+(gL&aq1hI9UL8h{p(+Y>Akr<7Z*4FiVHY$RN=I9SnCUZs4a*0e^8tphB1&4 z2xesm*|lZqx7DKN`>==txmHeepIzWOt3UxP)>@(oJxdI7KI_u-alXT9()3+U=c*KA z@@Os0x)>kA@HHiPbrTE|;&6^TrUcrhjnSkBYbVAV8nYpIbg`6WjXE&_!#HSVHsJf% z7e?whLRE@kdalcqbYmSY!?`}wIVaRMHE<-ENPVDYc@C&daq9AbU2a6+OwDqxO*hc0 z)AX4B5(0(<82Zve-G*n6b$Y(SOZb>DK+P$()U7OziDVF>5{EnPa%_Nb+A#y-Xh6Nf zPPMt#>!k*7ge_!asax%6@F|M64;p1$x$-$-3VR?zsnnKsjm82pAo-{pqmH(7%X2p` ze}3osSqVeezCH)^SOi#M-@AA7D~pZtPw;kq`T5}wcE51z%DLrjrK?syuRald^_AR@ zT%D?x1#DSh77taNzELm z%`0?yuH0jNg$L7rSEKLdD$j-#r(}PHF~~(G1{$Z7W?cNLTQA8&2_JUGT7~HeW_9oB zXT6b=7W;7UpZxTvqW#;y|GUMn@@wC|&&-}XpP@@}C8R4KLU`c`Afwg=!jPTNJ@-~I%LQ&?&z1l z`qkjUL;U;$hy|{#o64-mx$x?1ufwqvcc;{p|N0VtLRwb~%mT1bvMyfyS~#=N&hT^L zm4KK5<&T0^_V$jj*5z}v?x0dtRV$fnaW4uc=dD{moO>g0lv0eFRxO#39%V)=g?*PC z;7}5wtBBQ2j?q@cYD&i0Rm5xRQk)3V*gCkXie#tEu_K8fO9>pBJbEadq|rmuf`?|QTCXg@HODvN02H(G!qm~8stD|TBJ=tw*sw%5GHDs zP}cZ>VOdF0QooSWTj(HCw)YHD7N{W*N`7uxxAfBa!;}K<#GM&Y6mQNN8$$M{qh8!U;X@O4_#h_ z4Ot+hK84|Q_jI2vbxJ~{m6JSq5oV{Sf>R<|3ep0((0TYhzaV}^CC8%3kqPc27&dvd 
zeMYcW3`iW56XG2)=p_XXO$|~;MY?$?GD330YycG1@P5FFSOwLPo+ZJ+5KTblkFsIV z64*#y2$n!V0O7_A?5wexDDOciW#m&Tgs79#?aFOxrb|_d^Mp7PDY7+F7@rJ@MrvyLJ zP$)7X-d|5q^P^Ui$6fNpmtV2=?$@uswZ!ZF7D7#_A?WC+g^(s1tO?=U3LFze zvD&2M)cC|?jn?VsKmU1mhowAj?UbnqWDx{J!cr+DJ3HThtGKJM0YY#1a*E=vIzwGx zDC>rHJ?Jp0Ykzp9MbrL1-+%I#&b)t=8X?e_QxJ6gWrIRfCrJef39bGC`X7ICFf=UO zA{hm!0j&J-kAL#?9);tNyJLDX>0Wtt_Xi(+EKGA9>^JK6~ztR{7bR47ybFdj(eU3|Qx-(XYj9|wp>4xTP7a9vx)GLeAiL#1~e>%*G;0^~F3aU~y9forQS}B$JOsb1)rMbW@!Y+OW`^c!Y<^Bjv&JczMW#R6yE% zptFf^a%{-xQ)DqBAwzYtj%81RzhiBxaRzidtI^w%>%#D;OVu${N}}vSoS*S>cs$s- zUv;vRdS~@`qp$u+^ckoOS21pDQa~;T?2S`Mi@`>I%5!DFRHYLAVdG){IEKX1Scfhr zh}bAkXMG~Mr7jKj)QGe(4xCi3Fhxh0`_co41nQqo8$En-tfnblKZD7hs;f)XPf60} zk98#ey&^B^g{5;3ef&NZKoB@xu(%&W*mSWg$xGjSYp<`LzlG3)H4X5@CnTk&Wr~Jf zt7%#b4NINH&X6J+o2Mf}VNHuBa@HX&MWe(mRE?e^UjO{(KTk2oA0fsue|0Nh@4Tl} ziNa?@f}^wL3Xb4Qk|peqXum)7nCVPUN{7Y8tG}8){@wST);}l3v?!8PoHr+_xV*@m zq{7nrhYY`P;o|H$^M2M1cF0rw_kaJ7oxOcRVlpXbc``4)q$H6bXSn*sD2VWP2*IpM z?olh6Mnxx{27A(QW)WO~Wu8BW`ts{vKOzq8FDW!GDRRbdwXo1-L7~fBb8E>mWCsoN)jW|FIHW4ku{GCO z4O`7w&MXw;d~FNIIo72b8Z(W|af=C}{>rb++@>t&DQN~~eQxN;VCQE>>z_^y9ID<; z-Jg-?GC5Hn@2^P;aI8$yP0MlKO&J0zn>7343qXRwj9O5twD~3Ob8tN)G4d2S!zm`l zX|h6W$9WD)@*mQiZB!q&=l;|TJxgx$^3pypT*G~>nCSj;qc5&2G9_|eJQ486x?ILr zr#O>H5Jx|{6(L$syvR#~P(|$m>9}BAS6H-!Vg+VFx~NUpYlin5*8 z9eJG+wp4~eOC@V&%XAOzAlUve{N=;JsYKSVr4!t700}EAPgOipXgOpbiu4}Qot{n> z2woG}x~ToZi=(r&%pJTyoq=4$%S{QieW+1Uk*JOK9+>Dq0?TuGoE9@Uqmh9G1k5Gd zQc3$bWI#SY*^@y+?HKYJZLJ^0T5eLj4rIhIUXxgeRURfJQXew>hx*i)Rd644?m(2Zg%L% zQS>9RGoL6~g#BVvOh`zwI1A-MDk^I@GNEeXPp~mszxN-oML?CnDTWPETGd5qao!^q z<{22Siwm6@y#lSUW1EMx5?(Pe#x7&b(3nvJYLlIWm0Nty$aSemFk}X66(U5SLtdDs zFv5|ES)FVYts>DdAyz*=hV<;Z{0OJgXx*fEwm20;*p82}pVkWm0eY&EjU>@U`%4dU zs7P>nuH2o3MaTg}J-#F|m=P(7b!cvpYi)|LI100&JsMv@gl1}nB1|5tRV8W1y7tQp zvrik-o)VDrri^wdh|rdih>6=TQYgeT3NXBMfmW>W^CNUPyYWg;PJ&c6#1RumLpon* zC-AsdPVyjjl~g%GAYU*)w)w4!4LSewSgQ;}gM|XwPvK6Oe2lg<$|)nrJ{c~Pze8@QwkFw#DL_3#C&f9$jv9~^G^{pBqr^#> 
zCpA-B;1o+!fm5yN+6ea%&n;+`wd@fQ{6m@{G5GfbL``>pa^}qE3l}dX(VSZ7kq-f= zVw@1Pi&PX1u}R?S`i-0a`d3R%IC>fT6Jv!!ge=8HLN)fL=IIU&8Ve9qpN0OwfrAQ* zN`%~o&P1H7h(Cht-Sut462I}H=?ZBpTFoWwixf0bY=9kUD-I7c{U95lX$>iA|3=n} zjzj5{6t$<4l@zt)$R$NBC%yHi2_oYC|EQ=rtz|}cMR+alSA30*iRYFv-3avIPLcem zP9J_ujMWY?c@Y<~v4sgsApQ)mj|?u_xNouwyV}PYk?WKgRoSp*PZos1$E%VeaS&C*`tSvLCY#j>Q=DX1zOE5bcG+-kmkg~Y(li1dM?0motfv- zm|>g{qsOTPae`HAW{8t$xnWMsrpa;o`ZObqKE-y|;}X$AZlE8Hb?xhB`zX$3B#fDB z;TYjz6J#8c=s&U~N;@&mFg`|?6RLQ%$c~PNNP_eUvATynkvMPKm|>VAS!{EWELL%3 zC-|XNIn%0=4OK~o2{AelFu{LBuxo$l9Ak{nqy|A<9;t4bAtOrh`Xw8wtw5pxQqw>} zCIMr1xIO9>)O`|@BFd!hKsM2-S%x5Q{fZUO0aYD1bsup;E%PN1sL?^)m*Y)9)vMdr zoc!cv3v-_ugG66Y1iw6eQ2uo7(s|jZ!x6qX`N{RK&yWmo&64I-&%Yo}q&~GpUtFrZ zcq_DO=eI9gwqlfSz?>piwZ4fegpW_*_+=VXgY2`zl}ske^Gr5QPB!v*OQVUOz3<8M z7Vs|dUT6^>1LJ*%6-PQT7Hi1p!xp2i=db*sd3daBv$Sl%JG%CKH|9Q*>Yv%v-RS5k-6uY8q*U$m)Zq#$q@1S9CGLjj;`q9SFHi#Ic~s zaUw!!yS+y!4Yw#?wZe1}%K8-3xpLE~6s3GsXO?xl?+-q1dS892UiD31{OKQuo;DqE z=zuB@(}@Vv=}dEyibm5VXzI_K?tX0g$9>d9L^t<4CMekY9NZvoBXO!x1@>kv34po#%Wqe%VI+07B2 zc2%+VD~g?0PjCgZ1X>9Vi?Q9IVJXNJ;odLVZ_u<%y?O96{yQ7C1wkORm@?|GY7?Th zOhC_?80SzLWtTo?XoP$JNRR$iNgDnH^{qS(Qj=54Xl;T&Zr{#Eer#k#yq~5ZLJ>;S z&DIa=BloZcOHNrdsW=B>id5S$D-!jS6ZG?n-IkH|(`;R|I0&Y~(rEkQDEp%OTe!!w z#NgnP5H1xEik3EZq@STLu~%pc*!`qp1se^S9OgM_T4RGWkqN0Tg?!KOWPwd$#V9_p zhwNB0|N#$;Kd_A)h?biew$} zO*A-r>L<^O0C%QQ2*XO1Cb>F>#MwozFzD*i?%RR)o)j>6a)QSCuO7Gs<6e2ZJ}=CP z;m4R{D5^&$0~HcQR)`aeoK|e(c`g%T?4vxNjqvE789WRxSY@JCSP`vHB+Pf}iPL4D z>1HD4N+6V&)PU5|B9{#n9t-mgrQr~k95+0-h=j2~)xTP? 
zLioJ@;m5@9V2DGOI_dP;x%nc|frKieS#h24k4RD^GX>BsSkn||$Nz$Tn{W)Yq^FFCIx)_4 z%)1?8jyQgQ;2G0LJr#>rUySUNlDfQp>)E`}5kOUKvKD2{VtN8tO_|OpXj4>eYPzv7!iluc%~?i{h8a*Ew!4my z1AHPPrldK6iRpnus}d=3exJ1v*72lxEt%HdZuNsKZSkuVFZjDVyy5M}C_LtQ;WlNl zj<~3#jHN>oQBoAPf%#BOds~fj4hmzc1U8LJ_=k?dn%2cdV#7ws-yJ#S<4VRf7Ix zlNUp$_kgu}_49Uvo}QNLOj1_)K&bJ7?g=Ud82gfMK|Vva@JJ!fO-i(gO;BC|>;m~x z)E#_Dp1#7GJq?`R=`YYN*2Mg5>$p6)O&ib7aY~6;!D} zmI@t*0Yf?zhrG97tUY;o|-ZwEsSPrp2Xp z`PH=l&!)qJ+YfRS>tB%BQB|av8Oe`vd8z522#9nuIfvvy7iG>4_(v zME`;w&ykT@EGKxRSSGo`2S3jT?V-jgVfqup5~yN`es=6gO0e5FkCAN|+RarS>nAH{ zC7K$r#FC89wrstZ?W5x(Mv_-hZe(6`%$N3Mo`5au=_bsE@HCjSUiOc<+di5aIK;xt zZv9u?ZNd6M3bl%O?Uq{4SDPvJ>cx32c4oD?l-jQy+qr;gS%z?uuG>G}n4y>3MF+Wo zG#ek|6yY(LauP^6(2A_-$U2lPYs^AOTA-Emp{UV{Do7rVkB?8#5Ff+=rDP^&I4&@| zfsdj_F|>p-)tx4#Mg$2H9l)f(6C+C1R=>A<6Fw*jNoq^r-5X!rxphVSbm!XVqI34s zk3QM6`Now_a=X|LKk%D7S6~tzeP?6a#R@?IvheRm5kW#kaVQef;s-$|Vvs<5-TUr) z(iVrrgD=e)r98WQ`O3>Xcj3&kkfqqEEVfvDg~*K&jQSU1Sds%-fE1??MVI6$9?<#w z4b#n+6wlGuZA!S)*%HO0bRT7XsOgX;l3HAh^;gs3znKnq$V4-$zkk<#6oNPZN?-ERF{8zNBmdx4BKZMH&}1{Ii5Ah9CdX zs?<=$IQ`(Aw+iBeC>l~5uUTE@y0OyZg>v_0#qEG4lq@xD&B-;U`3+3*9WXV?QO*b^ zj>=kipIrj@P_QZ9u^?<@?${A20fS*BWsVtUjTCZvKCr{2u1eHYBwzq^NDZ`Q=A!-( zG5Sgq5u=`KN%C1qjw8?Q^LjL^ zn&CteKauEOJiu;(r<6s4z$R7^R5^UU!b8b#U+?|;bTS4j@9WJOz7#Z^SLmD?2uIxk zHL8bkl^rrX#(O|s*vPsRoxlsgXiFVwvZ$8WKB9=}-qkb;oZ4LD$&ilr9)V95&8R+2 zXYDZR;anC!O-Xf12^hkpK*!Gy9lK&m3fF2VcRyr7}< z<$PqqN;L|@{>oBUl2Nc0T~_2gVVpyhmt9Fp_<@h!!^tk8N}v_;LHv`7Rd0k$FZbbe z$Wka1$WK8V<14l}^4XFONR3k*5b%VP79AbiofNg+4rB0{XP(K-&J{xuPYN_Yp|3&e zAZeb(DIRdy*Z^<6X0Eh2+w@hVl3|HTi=T#=j=8n#M2CM!hNbTh{;jKgO65vsj7#$s zljEHaEiMcl5ZrNe)L7i|?|%RL=`-56S-=RK!VqU(cHG0Fi{^Ol{1q0dLX}XdSWPidZ{584;k$1q20F)# zvM(BIzaUq)w%m2+RBsXnngI(&s{&hKmTU|2jZ+dFG6M!hIQN}6ZlstX?RG*HC8H$5 zCdTX8vCe(N-JZ!EJG?5vu_jS7Jd;-%^k z&Vg&Iy?k^}H&3Yos)QJ~5bsj#i`mDg8XY8LSajAtzx?v&A4A@gxO26GwT_l_SD@`_2u;Mb&e|x204J`S$L~Pj=0n)nIWh@l{@xyiR%L7I(x~?ldYas60^z z_fI|z3Z_u?qdC`Tk!=$F^nPVZeC@RR%`S9ZSn5Xhe))nHm%74yD~+_z402#G0}~Ib 
zjP;AQ*wT_?Wc|Y+VW><=)$!}RB1J)C*~4&RT+wz+^-2wK}zUTb9421K|?|e zPZo_G)|8@=b5nH0oaJ*xsmpeupDeic%vAeS%Xn!cz~P60Rm`UcatmU%+B_`UD$!+&IP0-%ZZ5zzN z9Uo8d8Ked~bMinaFn_i1oT+}WqCZ;SHzU|4$$wa^&k*u` zk#tDD8m!rHzt8zY2% zeVRVepJWsY!LKs069MZ}wBtPbF+^j%2h=1vGH4fb=br^yAtEGH{VNnJ3uz_<6rvc~0DL^C8P$9ZiwXlmQejuJrcacLog_tUeU| z|M%-(SDI5B;q2pPd3@qdd2wG~y39t(OObrZ;;*{=3ef-WZ-3hZsNuJ2Xq?6q78)F< z!(hu|qq}8BZ=Z0-e&VHbSNZA-d- zd5QCuD#Z^=qA+ZOm=RW%Kq7J$tz)Jr3YXBWG6M$B$k2(tibL4jsk)%pb=i0~+Vo6a zb%JI>ltWI)2x9F~%BE*^k`JZM)spQDeb-EAXZ>ss(E?^~S+pLtNF-<~8s~(Y8zEyY zkEhW#YHQw|n^!J>b&4(5 zFCM#k;Zv%6@b&if`$DMH*ksX%Tyg3A(K82MzjgWS%WK<~E?Fc`ZGBY|t-ve`z>>EK zRFN}$XH#cUD#|Ettnr4`FQJMw_CEc2S8p!V7}Z0M_uzAUqJzR}!gH)-5^4 z{IHRzKfL1n(2>2d*VQJ&KZklsM7dL8gpQyL4wV(6*qkW@z>wqD)*NRs6#0~hgAUGc z%?KP)5N0zm+OaN4J2S_yw9IWeb?S>cca!^f-%->kCXtv;rQsv;f`^Gd)2$tzI%XpC zarJn`%D1V~V`GJfdBS?EC~>Vz&=!Z2c+erz+aV`9VEu}PUz|Tr@;7U!0=lpU;vEoZ zh0x$1f(RMHzYdA=qy5jpIU^o<&;+MHNy3Tbg@O+4fsJ@vcJ6u=4%;*R`gJK<<;Fk! z@sDuPAy+ffSnt6_XU&fw6{UUw!GG$CVT|9{X3nrgQQ$fSQ^?duzP_XS4jbUGhe`%W z1!2=+yAG|2)PJGM0hPiZ_2zs^&nXdAR{!uNzW@G**10~=H%E=~W6BdbMKCXSjnNOl z!d*pVu3tdl1M^z&7|8)LI&jRCsg12|bDF2k2p<>q%U^bZZk#J*Y#0xD+x8v!{?LoT zjvsMga3}^FqXMWBBaork4pnBHqHbmfRAC6bb@}q;V}}k*t1OE3!vf|=cu{hICMVc& zQnYqvreRLD4qLZHV~&_-je=H~$7f{fvc`;TPIVG<3S))Jjn(ZuT|U8W9aZ3~y=G+T zGsldG@*0*t#$i&d)3i*3s8G<|bS847DZ@xGGNMD>l16I?hMJybB!jdRCS7)B<~k$6 z2pj{UnmApD$+0HcP!>%_L`#gbCRa$H^!`(a-V~e)U<+fQ zdLPlhqj;>k*#6Dk8}IF0@!E40r#{@gd|r(>o%%8?E>d2+1zK@~0G5C%nfH(QS#s5q zlpg$&PYkV!7&}vLGOo-Md_}Vh0izDn76guNjdttIC$kpTD zwu6+g^+923NYN$x4xW``PBL3gzmWLAr_+5k3?MX(BWj`ULm&;|NkJagdRZqQKA|$k7L~kgrchR~^y( z<4|vlo0v{K^7liJciH^5YJn0_b?=B3Qkhsid~)z$>G*Q%hk!;I z8=nAD!``Q;2cgYxy!kd{KUX&oezM+Qy#@4n;)$nfYU_FO%t{!2u-SooN_veLVPpO0 zfBMs(nD6ZHu{rFQL`>F~`op&HrufHr$+X0peUQa6CCJk~MHwSQTp4TvT| zN_47{bd%$?^NZaeeUXn*`R2semzT_KE?&B9Ip>vEBCpNjvb)4APd73> z8mR3hd{sadgcEArs-X(Z5}b;PBtu!Op*odht=(psP~#NdD_$8dZeFo#X_TfmrPEBu zdldfA{ISCmd8t&t`;=A{u2u%ar3s4`8#fXczqtSN3xad?FSP+8j#!h=U$7YVn%?M)6$|+}V8B4e57Lqt 
zb7HS3II9+_7JXzaVly#0S*(I^_mi+r&?itRuu5@?A0{)q_^W%Lny#%;DC?jJlyz!X zoxok?ArVI@2(te-7FXEiSJT1YD-l&4`7V^yeL=X$8;&XP6F>kD6qMt({p_j>q<_zby z93r#a=8%3o$8{!^waGsaqi61C25C{;vO}~Jqje1_hFLjANrPueDNKkR+`^v4Li?|c z=|ymXWt)*-cOKaf`uS(FBM%r(! z^MdiUqrrP!B`e|1QYoO7@aE&t7pr=5;l}z5OdB)25_K%rK%OOQsG3`SbUHu^s9L#w!-_+D)?YYt;M)$I0$gxceRXF4z1!C< zaEIzu7F*=kt6!hFaiue1h5BghgU9OqU8`0!#II;fnm=RG(q${eHOQ-y*J*M60pmuU1S2|^Z<*z+<+7U{a?}TQAk%58TmTjDpY#1M<6T=>BKw&sZT?|uG zjZ6xr1`}j{fmlw!nqq1+7*RDOtUe1N_rIlQ(cLrh7g zXZ?hnxy>~z=Fix^am~KBUq5~7B%+(?+$B^=#cJV#@KEjhEb&@1xVmPIbc9vgQ z{9jgH!l2->{0VVeJZ*ecDBjjr`>j6|%!b&TB4y+MUe7u87@cPQFpF3IVKL&B_sWHhOQL;zeh3 zt>^p_CD@9fPFI^pM;rQ*l$+GqAQYy*E}@EoRzMXgm4sG>C6IC)rR~}0yAF#YXmxz=3-jBi%%0OmM5nx%UZNE@$ZcXCr&c@pI>2k5hJ-3I z_*p;|Y4(ew+v_-!@7W3|gvEvh58 zBNXc^F=!=7$-yi-4E1^W&Mg_n@sSkZXg6G|X9s;TL9&81t(gW=bapHP6(8}|TF)I* zy(UH5MSDA}m^b6}snci4noTLSnzoch;66@2yL((x986fxT~NU=YGy;U`JOb3P#y1@G%e1u%3Az)D#k$4X) zCm+23->;i)>{M`s_*{iqQEWO%GC=CrcO(Nm(pz_x=>Ua4IwGp@c6}yN|A`9qvlULo z?Ke!{cU|%c%@-dWwG^N3`;5hNd)Ti$X9owzc?%Zv49VajfF5m>6%9`VMG3u|XelC6 ztkeGz=Eh%yrS$ja1m|P11 zEV7+P>k7i0@HWySI>7Q@e|MkX5G7a@rzIQo&d!_I=?vZ_KmAb zdJ6I*-8Pc|FP%SjPo;T@{cmRLwRQqn8hj2S|l7bFDz-smjC@=&&(9 z1H;_=Wrx_5MmfMOhik{HAz*<>I$rw1Vi(kT5;7$E+l9IHD;YNuN?vy_o$XbLdJ_6U zBV>t!F%bA8)R$^mVA=R+&gEDZ<&@$-C@o;{)D(>zb#!FE_oG+6C)V=jbVFsFzGR$E zP7o$bMVxLL$+#5yglNu7&Dqbk*Ll+F5~x;VKdq|t^qDh26El(d$gBjRXiQROD|1$& zm4GTWS^-tk2KeczGmq44=`;PkezV?!aABcXAw&50BccFC9+>Lb`iNldy_o&o?|$d& z>n{o<0a6&LWcCS=`Jbgv^dL@226%gq5}8XGDJ2=;MAK=K0fwsFRW_zWkM-t8%oXY- zr@~b^2*JM`P^nR6PW?ya5rVn8`p5Iu^wY#CdRzLDJFt~QyoynH2L_$_p%~=<9+NVN7-(!_8{>@=5!<8(o^gn9S^)EO10NhGplx80)QIY^q;uIYoV0~t1{Xq#;;+aF_Yspbw6WPe& zz(C0pBy%`>iT(t#L?`OU@=usG7ols>~rX*Aev=WLHP}QAcg>|KI+nzpCUk9pwGW)>(!^eeUCEQj2 z3dIVMh-|@#WH1CBkqA|gv@7ZUBW*)dQ|i~hpwzF& zU8O)(mg%!_)6ouh)e*aY9C}h-Y7ZSHXW$XXc6IDHHL9XapXVsyTF}&$)PL(u-yHAZ zqInnG^|tLV5o`9;(@*zsqV9e|p9&ruDs)nkc!*RXAdWTAgF&0NZ2kTJS*DGm1j&yM zRpzBoXDW3Il?teO`M`;v&DaN2^{L*G@!YFG6_x>-TBTx~3#bw*l~}V0oMIKn9HB8; 
zUVHh))DRCCgSkOA6u{b6r=&T;OhG`FoNE@H<)tp`D%>|!xp%qG0|9GsQ9GhxIV9b# ze#oE8!rLQ}g{-Jn>Lj*XQG_i8snwEkpB@LOnZ00&?Al)M*^s97wttKeV>ODwd`3*+ z&akEe3g-yk{4SwNF$3POQXzQJs@7F|30eio0GCW~C;s<0|N9%Y7^klWDGT{8abYP) zuyXOK_t)OLbrE1fZ`!+K*`fDd77#-{M0KLSPd|C%ecv*=&= z{Gia7u3b8J`p{c)2Rc_i-%kV<9atGxzB(p$<16^}@oURkrqzh?i_l3o*Qrd%R)%en+WcIsn?ncm}^{-;f>WOYI)hiBDOcsPkCHanIqUA)7erL~HI140Hb*ET~DGW47 zsFLIgp;%$n*Ux)RfvT1d`pi8#ZO3~OswBBWXjSS}cMlS^H$N$a!;kipox3}sD!1dA z%FQnnAcc$bjkn$wAcX-6$3$<=^&{-_%?ZmAM-MXT1CEfd&MVqT>0<1r%Du`Ysx>i3J~cxpovd28=KOdn_)ybH*d z{Nd>zL#yJXYN(Pbm9+i=Rpp!a_G$Y>8J|@zJzBFK>ozzgyi}kS1DoO915`0JBvf(D zs}{{6-v#j|QJy2qBJ5{n>()(jV;u-=k%fl&2r#Xi>`q2pbgnHm9-FE>o}cK35uPBd z+5}BomVV7d_ZREDx7K)Vs`6Yv*<&r)Atty#*U?s&yT35mV`CN85ATe+a&{&Q6+WrRp!k=&SSC^Z{ZFsGEDRRwA$#V8c|CB+KNEhWm)%Rrsn<90XKR=$2%ygP#7qjjf%8Dm6$U z;Vopo#Db;ER_@%k_TuS}g))V%bmaY4zBt_;NJRm9HPBFM>eNRsk()wn#QOL3xubH2 zeOp@Ew|{Z;u9(F*@9_{mo9%G zT8X>kllx`opZv#vI1T?Bb$&&l*{jXIt0#L}XjK+aWs&qx4NtO9iV|RGLX4&%UAm~0 zcPbj@yM$2#>XWrA$GfbZ?6z{e>(Y{Tpke(pGfQ6(rjUG~p<<2$>?TC(re}0geI#H_ zPj^c48ITn?7!7Mywtj1^!f4%6>$RcM^96?P#P*@PYJxk%c->@=^%WkQtGyV#jPMnu zu0$->Cu&Xxu;qyYj*N;C1wn`t0q&0; z{}h$#-S<9tXWx4yxx&+jr<143Z~+bRYf_WN-+#0<4o+>L4A5GNx$qVkfdHJmwjb8v zC0auj!%spLFgjx9D}CDb_nEmLsQS0c?Q=H2BB6>Qt%fQFyws|sN+qC*X+mSloIH8z zt=D%IB#g}*3UZ3Xo&ddN(!|j_jnnH@S-OYZx8hwxk$N}blZGwH6bKe+`{*$9^r=@8@ zB`H9xJ9G0CyA7+~`eXxC!@@Alj4a)%39cI|6;XhsqJ($pIBj#96AGIAa}+MQAg_qm zSH|nehzsn3m}J$KQjw0eR#lPYlpHuLFWjLr#aN%CRI!&0l>y4%J8c0(R8jn*BE{*K z|MQ<=;p4i5Dm6|?kP`aK%WLOeyP(30Z|?{v6tHsr;>i;qz9fMLO!@rC+b2G1*S6UH z#b@t*dEx`P!z)XQZ<GrjYx5y8rc0UVBb_1 ztE2@DuT9hU3{@o8g2ne@y%)}=(nv=&RPjRP%O#0rW2!zg$R5C2Gs%@8Ft1*|&URTfaCc2{)?RpU3l{clrV?K9;y1*&Ereqzai zQ)j>7CG9O41>3XK&Q>xFk{Y+Ge?pkcSHM?p2XKK~jxCfFvOJ>t zhUT$h;ZODLOYZdl*Z%L<|NFncr3!FHRu1!yeb7l^^^3%P5K#!iYMVWefGi#|z9)Qt z``&vWRf|TN3rOj|vPyFS2cF~5AaDXz7}gjSU0w1+Y?F7#4T|x`z-xypUfA8cpPo4R z^Okq}%=l1ItSYwC23N1<{i?ZtJ*!j_s=z5`4UMStt?O53gcvbXw4~`_H)RGXWIU)- z!7jrR{p@l>v}0X{#`)M|iz^$aZA{idXA&`tiwca5Df)s?ZM5g`RR3WUBW-}Qwk!i} 
zR+eE-j$vAwCU?w`P~%epn#a@q21?(SwE&S@kT&FjpPH~~1i{!UMMIy@fg-hV>82459L_cF&iP08*=D=M&)IUM32`R>Tpo;%K#d0JRlBGnBc z%+*3(fK(?6EL*X2!=l?)&SHi8=FatNm(E_ha7v&CIr?s1KD%dq!`J7IwQu?E-nEOT zH_pmAe{_%B^6r+_lLy`uU+-M|az%a2p?9})v^%#h-MXrzRX_gzi*qN1oICu6*oV)9 z`*tj-j<|B}urU3-wRzUA=c;d9IxBMw()sl5)l240TeM^uBVSytgjeOZO zMR_~*UK^`DTC$9ho+GOhF#sxlC^FV|yw*;@YD_VZEQ|4w7D(8FHqvuAHUX%rmGS!7 zIR;Ogzoq*RYD(48xBgqX1+$(QiY@7yD7U_&?EV(4f3hrmcx#3ee<%hppHmYZOT%oE zeTT-58c`adospr0B8rheKi4=lSyvRMWl}_W+J?Fg%MRAWjj|1O8ft%tuJzk^gN4R;!=YDO@TYIh} zZ|zan4yYPQ8Vc(hQEyS8>PQEt;+VVQ?E&MXu+2)A?Rb0tKJV5Jvqb8X7 zANR<+;B5-1YR4&aI2BMeXXidepK5te`2?yaZT?BswwK@in1^7YQn4z#Po?T0R4^~3 zN+qG{*s)`6Q!CO&+c5!|iAxKCEyLU#1Lh9VW@j7NBIl_()}D>n1Lx-%@hDA6(oaIw z3bD%zu`3F-E046FlBlUqbm-EakF2nE7SzQ%V4TSb9Gu}lusKx&a~|5%xvn-FHv-gRf3b^@vde8O)8%(}n0}Xjw>g z3!DN4wy#@q>D-Y!H!dFgaOalgwHxQ;U-?quMSOej=BZC!Ti=?ofA=adi!H#%`D5>F zo|oS?e)QR6?+D!a>a%y3R7bq?;zF^*k+;{h6#K54p7HhPhr|x}q_)h>Z!YlOFem@6 zxljm4+q+}=gf!R9^NT423|hVQ;*zFod1Y?X3hsj{XccN-6|9xUEDAt7CXco$8K)r} zX=?V_$0`GuVO$x9 zexwJX7UU~YQQeJyW(trbW=d;@eonSwVV*(Eqo!oY9!_hPEkHyFs8TCd!W6HDDoL&o zoG7GNs(#XNlQ!cV(idt>YNm$*~WKrs*s6CWUjCdJ?(m;w3Ey=P|Us5Ack z^r!y`Art2mu~ZgsMBK}N{nvjN7L@{3II6@;!BA{{!4I`XKozf5yjh^CQ>8LP6-yDH zg}W6m)wFlop{i^xfR(@MRfe=0s>C?&5~`RTYN%r3FoS4Ej~=ZmOwA5|UMMJLZq@?>w*%CLjYBK!!QOn8|sCwj)M@Zu@M7IT0sc}jO|3z(6KYeHY zdoM3q-k4I8?^m8`{OFaXnD|hq(1aG(MzxI(ym3)MF7V~(-t`3PHsrcZ$#UMaWj0&R zAA4KblIJn6DhiG4^8>q9HpEw_>89qmu5M2L;`qM1w=V5nSKnIdSC#4n!0mr)1Ale< z#@DN6=1)#>YRGlpzIZ(QY+E^{JjJOdT{ok|cX4g>#@V@>=M~asRzw%2y0tLj zD{e;umbhQ4xc=;?KPil|Bf5&zh+sEbr-XIUv4$!^Vj(dI#6NTGc+&Ba{!vjtz?wK; z#{_@JDa4ZJD{n1%v_rhF?f7vvyj)%@jaN*6agl+w5PwMILQ|T7!O)ayXfubOi*X`{ z&72(683#;!p~k0K^H}^Uck4x`9i%L9iaK%XDbQsf2#fc%U%7DBXP>bmK0{-=NvJ~X z+y_-1taYJSsi6wA5~L}iRb9G#W#p6>`qb>~Q@Onzs+#unY5g#203Z)(l)XT-(y-uh4d_8+x8wd%n!p^m?)XhGo)aQO8bFL) z*u9XnKmYlEQF2lK``OQa&cgt=P&*0%~+4|z)Bgcq-GG}wV#ma>7K;lI3OFT67CmR_uh->0! 
zc{#jCD3qv37I@n8*C(HPS}Y;n+Vc(vXQ{yD_4-wJv7^8#sZt58N-@Rj`%=5(Px2h?z zwKM<%IU9knMYS=X?%%z4+uSL+9u?-}fL6~pCCn-hE>BhtO9RyEDA1hkT9fHqmY|tz z-acdM_=Ss>Sg2PlYt?AQZ59-k{OT7!D~)wnImwd;GOyH9rQ(V400Dj3EPPcs3Q6lH z-w2&aaSBbH;BN8O$ghR!#48SU9nLGRj(1dEag2RdkR2()FaWlhZNCf#hJ<>ASobmU z#kfC{>@%QISppfYcj#tI`|3-LP%BE>hdRs(3K_(D4XsOXn3bs`QIdM5EG{t2&eE5U zbBGNvENW{ycKrCsQ)g(*vhEZs+z0zU++X|r%L{kyTeSPb#jky^>&WM?9zFZ|(KGu_ zoO}P|xsOhrKYsR$&(3{y>imVRdp`V+sk{43`v2H_5BMmqbNydVa<Z;+r_J<0N)m zu}$yly^G!@L{UM#qJ~fx5=cTqfI#%#do#WFZfr~u*toaEEs5Fg>769gd-if)Gxg@lIb`{()AZRi}_eU~na5+||-2fv(y zxdfOp^AS?it3Tc%o}mx9eG)L(CK?3;Wf?yCtZtgPUVeLAf=FWp%FCr#%yS&T&+Y8G zDO91H*?jiOgEP)L5lgK<=G1szKvlsyr`+W~8@H+Gg;TQ*Uz~aP!nA!av|;7q+_=F+gtG>_l#TQl zJJdzANVkkZuH=dt*~4vAKi}NAA*{!rJ=&Lt7r7v!LG`HeXzNIp9<%h@!n`cZ4X8`> z8#~lFZ%8Lj)r`e(Y>03SmPPw88^;AiC6OV4-Pr)7vLn1%KspCWhNb*gX|y{~#S$%q z(0WbSGR!`!&Vys}Mf zh>6N=jTR2Z3!N9JH?`eo^&``aP}1F}aBBJ3fUT9G+a`oA&ktx!_sfj%A3d@k zY@L)Z34L60BHYJDy2>Y|c!Yay1O*N}iqfNZzOYfw|8ELam~RV{MAZ+L#Fm4j6l)1Ydo7C*F1fDR()f4M}_@f`O+B7gI1jk)X?Ia!t z0aY)b#}tzy9U8TE-NvNkR2NsbhaP^|p?gXh^IP0N1MlYHSuwr}n@^5h&oT@^|JyLvJCRG0fO~p#nU(ecq zH4ZV-iMMaxL4Q%dd;AGHhegn4sIto$DwbMjq0F!V<`73z+rv zGpz_x@V%6()Nab#oZoQTTYn3x{{FK+z46AIuf2Bd+_{$)9e8okfwOaWpG;c3d(_gs zv5WU~uUYqe)%xcqtp7#r9;e!)g7`BsQC0v|W7jz4EQMSBaMIELm~w*lqsb@kn|$)V zDYBgs!?@wB&}-oTjCykosb1uO8W-bJ66I5!=!?oisR2=rAz<$B^~_+uRzm{26^wAx z+eWqxOMsd7D+<7dAziI9!Y~L@D%EEP2D&{puDnb^mD!jtTlV_N*!Rv3dGG9C+Ph~4 zzj-L|wLLDc?Y3=uT(0eLHSD+FWB!!=#|>xWt=%!#*kiZT_%rO!v)kqM{a*ZR**318 zA~9DID+N_OLPLgxv}wo-LTX}2QlUD^7OJe}6y*%T9;%{ybcpZc8s_>0N^-S?0f7xF z(CHa|thVD8k00gJ0Cp#f`|fZ^w7ipH#$cNe=R0<>D2SDSs?&m7P1x%+>DZ4OU;3{(7k@JM(og4J`o-**o}GTM_4EVYa}UI> zJsH35RN2-ui;iAca`csx7n<${ynsJ+i-1MLv>61Oq%p)EqE$O`>^Sg&90Delk(u?- zLl50F=aSx@-{LlY!i2e6owCzX+_3e?K zvUH2^_2sQ{Dt$qVr5+UM!{8jV(kXk1Q~5TrvwA->D>00PHvlK$X#rBxUm~jY$jmck z8xG4{E{akaynounPq<8JGCkL|*WWyO{OI=0>o%=f{=$aUhxYHm%StoLbzVF>rLr({ zD9p$kZbdP;JtVX#4PHetM_s6EWnmyY0VztwZ5|gw<;SV1zNJy#d68bTM&pe!TMWJD 
z5L=;pYXe@ZDTy^U5DGRnq6WLs$SFYMx~|;hb_xJldd=G!d{WtN~C3gjMYq z)36t92P`(I5@ntty<2WYzRQ&ZD3R;YR{OysE`PRLerp%Z*2l4p}+jfHH2uoP&bn5ikb1$D~L@`d_4&awr zG{|bHFTTV*sPZ6zVnhHriqS<^vtSKL#-Ss}fGr>iL)0*RMoDS;$mkd^Zy)$9vj~ce zP*a$3$eGo7?0@qu?%@n4Uwbcn#qs}aJSPSi({Pu^%&!=kxyzi2Hwv8MU_h$wsCi&dKPN^eZRW+N8V)W#c<$|YSt({tQXwgo9;&2+ zf{p^GxF`ixxG&`Jqg#;uSa3=xOX*mupR8UoKRc>-)*u)3fjrdvC$Tc67np@tkR^~} zE=uCrX?;kF3#)2K@yd_%q)kcoU6kvurmy-91#ZmTv zHOC$FP*oP?+{5MZ#9r;nqgOMQuhm6gP+oKJA_ScKiOMSzgWJ9VGNp#7O$m^iaj@5u8#`MX3GCwKwus?|WeUHuFpslEo|( z%wmFyf`VngSO8|QC0oRPVJr4IRqYkHCUFW-6Vud}g$1yFWd9Qrw@%u2;=PYQyGxwH ztl^B}(#~JF2tmL&$Sb7>HovenI3yHBgtE`~ZsVsveE{Nyi9T@f2tNR`h9!4kaw*U8 z`6kmJQC3V5%Ds29go;n6toR1u#3cvSKui}OxzW_x3RPrfr}oEtx#A?Gzu<&lZa4k& z6Z>yOFfeo0ocr&;zqxCN6;c|wPv8DHPA5%n0Adg<0V_06j78IsGS)!RvD#RALr#0Z z8no_c;E5HY1_ZMJHreyMa`34$FCz1UxX~x7?b|O(iE#kIFZ-W*2YVPi-2EBb4*zWW zX)y(&F(YEIF*2Dc!JA4p3&4U#+?ws7WOI#oK32{Cgqs&Ni8%$`44y-K>f{5*^ z=|PwP;)ePnwEOQe`n8h=N5e9~xrAdUmu&D}{+%BU?E2V@3~Mc84XQ-8z`9g_oHJ29 zor|Nr>eDC??3FU0lfeflSry6ECuId>4edTCpiN94*NEWmB?-P5VTY|O*~h!f(?w&l z7cN?gRo}g-Z0_7%|L!0qfB*EE{SR)4l2ApG%(?RxjEWrS-Q@|1Qx1D0BD7tQ>r=t5 zPX#(ZSr+d_5fJH9HE1d(rg$g!?^v7aU6vCG^#4j&7<9~ z`+7VzBh!alYyl%~x&R}TKM}sq^l<(ii=oz)25qYfW2jJ0cTG_cgNGs1+~`vKnJ*O% z_Z}JM!q8oiRAFVL&AsR(<>{llr26X3E4*b4xJEeaHRdm)gE{R zX8Gk;F7Pw(q#1sscng~RWrrnaMWw(RG9$g-Ut!P-<9)I`{PEF%2VMj)(%tq zgMz{&zW8*8IN@LRn!a)HjURpdaanl<UiI zHl9FT<_gd%dnl_ly^3OdE8=~NqTDOuJ&Xw}P_`#{r3~siG^A}>c(;0L4`m09iS|v8 z@UF8h3amHOm1%wh0$L9r5L7TGXUmH0?+sKHR7JkHt;d3eOB$w3NllC!80t2>X9pOQ z{@V51<;gx22VoE1QA*V(4(J@!t9@ofcWPD|po(rUi*+xF@hB&3G}1e^w|n_0eeQH? 
zsdw(?{9ON1GS&vSkMGr~BF1f=WfcQZC5I5A@r-`$Y2!vZH>4uB2-sQEgTbSM?k7s#y;)YdAUuIR$#Y=jq z;wg|mKu1vJ*as-%!k8BYRTz02sM1N+p;xQ-9&2B}?LMZdJn{uX?km(3U=}nAK7|p0 zM$x1@Wzq>TgPpKX98mUx;9S^;%3aS*+CFjnDa^QI|Cj^geyh7MSu(bQz<%ZGH4cmV z>8&(zD^i`fxw*4;H7h5NNQzWqC5(1oQ5owsE!Ag6x)%aq z{YS7!jp<%vB3wp>b|pFdgi&6aJi{h#rKMrFRt%vWUdlkXDZ0}3dZ?P5Nu80-vAsJK zql+GGP6>`9t2!fq1l>h()-_go`>eK$6TD;kb;}#o`g;RaqY7frZ}SN6-#f&+bK;suyg_(%72E*$A2HR{@{ z4OHRuqfv3AG|DTsmrG(_7jR^5HYz?F(!`QmQSd$0hZ#}kU^I9n2V(`gb8S3h&wX`q zz@~8_`tf7fhF(>m6b(b*>W-k4q04Lhz<~O3W4CNrd-B9dCSy!xB~&T2vOpCX6|AgE z5-Y5PWL45u@MKA1rH3jWKpsYiP{m^_S6A`6|J+57`i&wimAgWCRPg!pN-RLkS9c48 z0KFn80EFRnDFo4ETZ`}IhZQ@9&D!$P8}G6*7$d`I^)sUtd6O1IJRG!+r1w^Kx(ijV3{pUoATioc#P{mX&N5r-(wJ^K@WTYD%7LMYJJFM!4PdHDrX z8X9NMoj-5>B77ipEFucX6p}wWlhH_@Acrva$(_Du2uVr>_NjbIm*0G^$C6|B6TJeG z2%a*DB9990XyKRMCpO087~C#muWaDWmOCdMdvx}hMf*<+kdjSP76DZT@1HGH3GJVR zDhp2G!7vA^Y@tddo3h2J%RI$2h87b~+R-CNS1q1DWqff}K}JrX34dMj2%ycSzi*eAUhd>*!YI|m`><}yU{8o^W0BBQR7ATb_j4W^;*40G zG*GJ0sy=8XCgirPid?4nnyQn1l&O?ZH96D2ERG_Q-Rd(bRd1sM#D7(v9h4X4GqR^^ zevFsFKHI-t-w-r+PLJ=00}!a%J?GJ^5w0yTO4S1?;oV~UcdAVFoswhdz#u5q_(Z>i ze%;355*!@>RMG9~7E~qqga>u6jMtYTvw7LTR`=mtAxmmsp z3Bv+F#?=f&gQL7jg_Jv#v1$VfBiaUOJCdfX0y4L6wzQ0aX^XGWq~Ds1kEp1yvTbdRL+qPajSC06{CJ zk|GdAUGv6EM0s3^1(hh zYALep*WvHHgPjhcilux6&SoDv-+A82A224FJHezRPBBW^X019nmA_iF!VQ`@aBt^X zhqs@;Aj^sBp-NIJ(2D0mQYxMl`P9fj6$3+#3JX**EwnAaez4f3T~1w5m??%NyZd80#J1-z~bg%eWM4swHKm^&9J_ z_nJG)@B0K*`m1YhdqTQ@_qM+o8rqi1AV~u|Pt5R_Au8=vbSdyun?^Py_v8W2V@JBz zBzx2UjX41mQ&`9C3~8N`u2QLs0w2sV^p0F^t3oR_8Z-Qfc%mRp=;IdK%Q;fPcy8c&cx(CM&U@d*&eb!eL@8Pzz0jfYNja8YU3fFgYP{mYMLX`?vVT3Jq*bG(8`2eN6o+sCk zVd?T4Z+CChgcEYI%ET4#O6?)x60F#zxmorJz`|8nwDITV8{=0Ve(~xXNYON;x`$AO zgkbgB^}qS8<5je*`6UID1SuR=BvZmZ$f-Wo2Af0mW2$wDTsxnCPQG|0*v7B;_4Vt# zWj|U1OcpCx;coc_#VoBd80v1_yK827C&zG3By&b1eEp*7^9@2?PKpVz=H1bzHzG|a z`pnfpT>jPcwBek*{Z~^f(^WSMRP_)_btD18t$*AHN(uq`?x6yblT1NL0wgSPNI_L+$277Rt(LS=OykH8Uq5aRBT|r141`>=6-+%!6XVo^|Q| zD!q~(s;Kkp+vV}{1aE{EwV46c8G#dR)2-W^?(Y*+^-fK?w&Mx=YqZ}pdYDT;zvozD zOmf 
zZF&C0(mdu)tCua>wPQQO5^o7Z6sVGDWrZq@SV>l;BUVCLA;lGnRY`FL{s-(Zjp@CH zR)SU0?gpwPu{!hWTaQgUB>XDKC-DChnWbfkIf0Gy(@5Qa!MnbzvOL zFXz7`vH)bHTgTfud_+`GNNAfjZ6AO9@!$UT(VzePL6-X7di*OOFo+Wp@{?BG?q}Y~ z4hdDtg1l&!{lnrD%wxWHoSc4 z3TS19D$V;R-3yXZ0aeoZAfZZ8DhXBc$tFLz}WNgan+NWBwH`?DP zsOlV<{pV9cCUGlG#i!`5oMA4cQlF6G3qMsjr8;?fPGD`SUrDUb=x~wBkK3BquiN+p zl~Tz_sX!}>572zCm7qcmhT24LG=!j@YNPu3qz&s;U6QkN=Pm{njnPFwgeJzDHug|c z(HM%1Ni{wtS}|^|Xr(y-Z_x)RUFCYHvLjYD8I~Xm(g!G&6?z{a&o2#}l2BE>g$Mtv zh(r?(KtLq~ewy%)2cNhV`U;d+{1A>U&U|a*Yd}<`Y-zp;!q?c z9}yL8uL+d$3``JT1kp2ICWWg&7UbohOgDXK5dn(yO0veH=Zz*CWZ@D>RIAJW=Oc14 zQR|9|S7iU=B!5~aPWa6i_CJzJAE+IoqhtL8gW7lK@aSWY;Tjz}bQr)v%?{93Vh68m zV@?Tuij?wa&yk-N2qSVwunGK9;DxXR{zX0|+A7X(y+Qw?W?hyte1aw_Sv<}IOB0<6rhG(UFk@||*=3sz+Z zRg4yUsFJfjF3JK`EqVVWs{*R%WIa^zIP0NGKJTz9d#J)h=%ES&qM+)~;bYMJH7l3R zm|Rm^mS0nvS6eoAY|6-_es0P%88#$Z8K7!aaWIYfIo>2dDk`jPc6gWiG~cwrUeP^W z8bsz56}R4KG_097xYXJ9L+VpgV& zd9!4lXF*S_ZUL%nBIDxDnS99{{*K1 zEMXk9{gaOUZu*fweQrz!2nz6LwBdJPuyh|m{ZUmt(cVsW?9_>Jx0uR3`wmK+!scMZ z6-dFSWGO%{kn6?0qXF6bq+Z7o>b}8dlmEiJ7nhX%=YRg#@TDj#_&N#>V#G*4XuQlD zUkhX*WgjT>`)VOLe>*{|v1rLz!TPDIzt*1<`Jbt&tr^Q+^%dfF#29=~R8$12R+_%t ziXP79_i1mqO!BCc`v@AfY=uY;0JU7MrJN$gIzNw#Md$zJmtTUs+-}~oQ#Q;m7svo( zT@@(96;Yjs+=)=6haP?yH3f43!e08{+1z$+UOpcuLpx`t^X-4<9qefis$`a0{H{}v zT=^lHRTzp8C_$+Zqi(Z6mEilDGVqksxE+FOm2BxSWe3B9p>BXG2E5+;r)O1qsFIY5 z9>a;j{E(+l&#L6JX`xhRsA4ihGeec;D0|RY|Cl_5{O%d7)uv zz^uLd4zi$oMtyaE-%j(hjjReYWnoo9Cx%Ug2$ml&mS>C&{ zIG8e>N2m4OR1v0QRbn|6%`j2Xpvn`dTDNu$Gg3y&zI_K7JUpZ{Jyc0zC0UgsR+3d2 zpo;mGl~w6{fHEelhblbbdZ^+_kv>449nA-b<#C{_z?H$%N5h6FR%L)HeYk4HzT;w* zrC5-nr3esFs>9~6b>2#$rYKk=!U1Bfisl%c{_^Q_=W)wuR7J2V{_X`-VOj?diLkep z#iixgNpe}x8<C}da0_WmNe{! 
zFCAAgfo~+~I%j~4s_!y?6ifkGM0zDM0oI6ov+ty7P-PJTvVQ8ajl57R{@c+4RsN>e z2btbY7ee=sYE7Ta)G8|O*ZnT*CNM;|FoX^tJ%;%rna0-byU4FBeFacd{r5K^AV|y7 zB_XhsbV-ZA(y+UfbV*1f-HmjEbS}%%AR*l)4GJO%(v8yj-sks!XP6ykU}tvr-upf0 zeCpixF3{;I1<+Gd`^c+k-Lgu9evXB^z5bIDZVT1J{$yePXR0Vsc*;4e`2n7OZ{_tb zPKg55b*$dJqy0dsph~$B6;dnEJ-#As4l@a)Yg%KiW6Jb^alN*QlDp6s)Vk^QzbftF zy+cFcSf(z}J%10YzutyPz-hgefv_0ZvbisUABCvb1P34d)z{Hv)%~yIJDrmU-E+A> zh+y10U`{BVG{<(^@=IJ8upJ{;%**Q$eOm8BhuQs2%Y&4+{IB7$H|sC?g+73Z7PU!6 zwNbhAlAiNt%hDB>oo&WYTB(_-%WzyX9c{^>ftLP=rfA#`l9EPq^%?fT!C>T%269o6 znUwLBe}i}p(Wg0Vcz#ikPu_j+>Lc2I>~rolIOE<}6P!=PpXFuJ|Df%-$&;ODD;Eb1 zNGwQ(eD^75*q?Toh9Ec+;V&bBP^{4dn@xQ~um;7ZZH9i{xKhFx`BnPxKZ!1`027vjEi z#AT?|e-@3yW_?#$nyk?P5j^-=o}qxgiVVu(f@Se}P}HVT1yP@Ys&r11~&(}am#=(9ho;s z8jY|8*MS#Idt0d|6O01i$fot+c$I${?b+UW;u|OKAt^(UJ#P4n_RpdY!{D2gQ4c?u znyeY$zMt>q(HPPUyyDu=a!l9nNB;H;j+DA$FTmi1v9Yfn`@&rSK4qxnX4bMtzLJa{ z%9F-fyeoMA^T?|YplT!av5=iN``U-<<)F49r5fDe<*dZrY#^FC|T5JBy{f6=hAzEM`<* z>cI662-mn37rR#y$(nWwxv11)7voX}q$gR8@|FGlTu`f;O;DPBC{WbbH{b2i1`R}l>q;WjLG^rnHU$Z1smC(;QkzswpyrvMO zu6L^2QR0M{d|PU)dohNReD-&gDzBqp^XJbKRVMnsO+Nq5rZ~!x8WyPTI__;1_z$#9 z)-0WhL65LXd|z6C$15m5ou|j=XsbjHQ~d2 zCxs-%Bejtm)!xciunnfsn-rt6V%g4r3~Y( zTzVj?6ynFkyDsZTUi*&@;?5XUZ1;&RUY7~m?_9G7(6`@&+QAMSq+R|rd9KXrfJcxl zKm#d`a81-u)~IOFQ?AGaDdo(_rs?0ZZRap)mWG0_+be^F8sOCFJ&+2AjzCra(o2os zbA`+?+Gc+5zg`^BrHHBye$&reoNbWTNVup!zubLu_%}w+g!{3ISa|;rJXwRoS820z z^o^E7lFq=n#}GrN)SDfV`beKj)0pM%6}w&!D7h@=eW|((BZa6Ck8I5lxkL}w_*KLR z{px4dZlI}%moi+j#CB{Yr8e|8kt>Es8kjZ%HDP z5P8;Xgkc|cKO_R-yy5!1$&hM_-7-Lm19RDT-_b{7^1}61|JenSgRT$h9~+dXhl{X_ z0A6OIIfKB_a61%#m-!ilp@0$IHV^YL4|fW-2`=*snt@F)7l(pnQ6FS&aa1r_Z5>b$ccm@Qee2ldWR}$onOESVCS0U-B?_iycpjOvDX& zCv|0bKKb*i=I%-9)$D{I$NEnvyr(3#C#B&m`*fZBJ{|)|Axo#JK)9pI*m&F@d_vlw zoTFnW+>RRt3S886!MoptOfqnltTfPuZnG5(ifr4neK0{{yVW9eq}Ba$QZ%bi^SgAv zm#(4}zN!1;xtg-+KN1l}EzN%pxB6Y*Z0&n&yL&Z zkzA>xFO|ddwE0E=Ofu)w-^_otB8nAfOVS`jeK0upk|?M5317R2;}4mg98!D*W<=?Z z09Kqnl9w~Q!YEvARs@xUH@aVFXBXl0(d+vT{UHJ)w(!&8pJ?1~(Pw#y8|A~PE92_} 
z*~xUo^9}xQ-&~U8H{I04tx6!k^R|rhR!dH3+NbvtR*K@Y7BSkpzOHuZ>_g*zjNSzl zzpA;Z3TAYM?#zDKSXUkd5*9!L4LM?m9l~zaE7i_M;)s*GZbp-<44aQv8cc{_E$HW( zr9h{s2k>2mUT%n)@JfIKo(3kg!A4Lv<`gzEm57)|y&)3Z@sv2nXS+|@Yg__MA6WHt zIAJg0c2c@=Yey{4#~C6Af?daV&CFSB#WTP(9bC$zNMw4fjo*2lF;d!zDj%g$O3(_@^(-)$$bYD;+9_g*Mvy&u6AWFIV`92tsma2UgFcr z>mJLH5VJZQUh;0Kw+lZnXb`&{~LmPu6uMxj0(K|4+d|)Zp!kT+~F! zW(7eUv5Y9;4@h2|6KD7_uy#_#(^CU3nPQzd4&Bgany+g2yQ0SMO2)Dq0rT=%t&_hR z+|ju8_5A8<5CMiVRcSqpw}QR=57%yA(#K|g1(KRp$=J`YDe#a|*JraTPMwC0Yde$H z9bC=?4?<=&Ccmipjrrv*PR4LQuiSoTf{Nio7g2~A`Lq|Bo5V<#(%zRpYQcv8;V@=4 zmZ^B3iwk11+|1zGyGou}AA-Ev6i|-+99tU~nlRB`tEklmEasf@go}JBahZjh{LFR5 zDLf8SH@oiG9;5YJk4BM+gNkpjwoSAjZ|_6F9flf4WqomNs*lF>8VNSn0KU)k#_DJ- zr#ss+khb=k+0Pkwq5LK``hc9|>YY`4@_lrV>s zKrQ?&ic)~zoOKGK1E(y2FjUXnq8;j|!QK^;a7OryX_ofFDD@2fX(|X~bJisj$|$3N zlp^y|E#%>lNqb-$+^Kr)pjd}c^`}RS&+6|~VXY=P(Cn7T>g_AD#ZHF!RgUy(#_CLO zKF3)Vw0=(_*xdDiYf(kFItFbfwZqHO;H(#kB^cLl#u1{Sv2i=&B_lf5WGTi{y#~KM zSACt1A22D6OWZ+!DzOO&120;)KdWE@c3HOTxUjG*(cC}Xgek_mpVW%_+lOnUjJdX0 zFHr^tSWu&Y!LtaluD0E~zTxj4nhLo$PiB4V)%`=^)X&(aCTa1Hc*V#hWl~a@+DNh@Z@fJlUKGYG z#$&=g?r%zUO}?|wdoMulbPt1L({QA2u5@0qxylXDC86-9nL&F={*Dp>)%$m|k9@bJ zf6p0Uj;p?Ru_54!`#*(=D2NnCHg9kCjYdR}cV~;`HHvSL3pFa0Pdau{6$}nlHS&2R ztDKPs4a(Mn3CdYYi}DFlfe~cp!88h9rI#o8LzYSQ)6*#wHd$x!UAGmG>oLFRIDAr= z?vL1iu6!@fZt}dxzwDBWtV-oyN{FEG;WSc;nb9WGUj9qy8*(9Ai~||Y4$YHC62y8k zxBhIYlJ+YO<+5aK_s`j^^=!K|bd}<*;Ani%5o=wioC)7s!SwdHr?zw?Ck`G(+h^0A zV|bx(GAy@S%_=~M)mcSaLZ+@vXUaUVgY(2u{(EI8cuN?Lm?=z)joj;l`Op=t;0(8v zD%&PHqm5dR)IKq=9gRun=NcJ`+*Xq3{3mB>CDXV)fd_k?to^q?bp{U>cokK#6(lB+ z<-M}%3^v`WX67{t;#JC7@1dB5aWQ8f^FGS;DO@bt>({7n-n_1I z^=AlI6ya$W?l6B4pPe6adiWOuaH(LU_%w-${iHOc0IZrgrAI0Br}Ts zwekL2^8=yO1cUrjM6$6}MEc){Z=!x$spwVG4_^0qH-~If`EC>}P-O_f&8Opqz}3F5 za4oyu)alRFN@chD5lse_Kt;mAoAJ~0b)6gy>4qr;LwT3r^A=7p2#HCT+)N^tT%w;Pb-wq(|lhIcs0N8H?N(?nl^sY%Fo;$ zZOGARAl2i$nViVryBR=~3gU-vCc;KgWYo?4m(dtydt|Fclne{kMVC4f=bA#+nK&F~ zBY21c2nM`^{pq||lgVxS$pnFI-tC^xr_Xxx7Dl!wqfDR8b0g4+zpvUK?#%-+Rdw2$ 
zSbX1~185$u`GDU@J^7E{n5qArYTN*^gGng!iRff&1a0$Oz%{B2BM1VRpEB%8#2hlps|5!>}!i3d`zb|(0pVi z{9~HB=Xa8#zs|y>RRvpMCy?s6S@AvAksEvPTyZBllBJ+%zPc(w?kx>wxpjLk`;f(_ zJ{>4BeanxG9aGb-d2cn%Vv+VEER-yY4Hui{49&EPpvqIfu>8C6ia1#8bv+isyiL&V zALmK&7ah+-vG4s{5cPb(8I;E8}USQ7u?y<-h(a5-dmZVmQRRs54ORlo>lo914TFmr+61g~d{h6iq!E3=kDbK6u57CxTNl<62Hqw9W(MCZm(ve%v{DqxQ029xE|{`?u<=qqaE zp~-5wx6HhBz$NXtm>E^ARY*5P=%$}@?CEZ2;vMKMIsZfV*IDR!2m7j+z%MpO({AME z7|DH%Y|%B^=TLB&e5~LI@(FY|6*OLOhQiZel-HF5g)Y(~1xX5os0xhr3op?P^wNah zg;OQvWsw7!8zA~_m;H;O@n1eiqe3~s{5At>g)!a4rISQCU(d!|XpZw;9qzA1jya$m z|0a9|Y$iS4M-uQzMGozF78wk2Jzr1Sdg?nW%Bd|r2y*|Ll!&R{y(PM{=f`cbmUJ<;=UVJJD z$F_JTn{@TN+^t`EIM6;rht6VxE+Hnq>2WbaQbxerGv8-#x4WCsj!MHeljntU=ek6= z_}T*Vv*+^_2x->aFkNgSiYT|(7qTlvGFg`b*54{}G}XjkKBaq-zEaTtDxG|$=TZEK z0EcdFhDY-UJ+c6r4C}bQP4FkrJ#kpR*PgW>&&U)4@ZJ^a5oD&xB5;bix+!?rdmc)7 zPtYT;?giB<9M2#03u1=$2qIU2y_MrHK$YvkX_{6i0F|pf5l9=9iJ@E(cBz2_bFH=~ zfZFzQQz3e{b_(sTlNC7D3aLVWm9ywP@6U&9ay|=9r+C7{`;=*0+apBdMrQj;YQj5d zB_-K^`gNr>bq_6{TJ1zhOxHuc#As4AH7|ativc?>Yifs z4TiBCr=sUBa#X-S_{jW~nVjn}MgdPN6#eKm*LI49M*1`TaD7~0Qet~uqh6EICq^1MQ?brs%;Gh@=WB@2S*cFh|`Ts zLP;kN^o&w^G-dsKY!JJehj1(2ZGYS9dV$qv@XTGEZpm$SPz?hq$iVoXH8SoD9najO zp{W~R1q+4`6?=cKX?1}vK3r>=hBAywW8cC4uE`|x%pl7@=t6VAZS;wDcx5*SE^L@c zFR)}%AHA|@u>rh`nTo=b@9AZI@XGPGIihbq6a)qkNIe*z!aA}m9ez zb5nY_qVuiNs#xJ6ga4#+6I1p5%du$@)b|nOI<^mGH@n!=HgYMWtu>j&@SRa|0IuWh;TL z`b_hDbpLqHLG)w-hXKz#a7=R`H(7H4g@3j=otO%lM0OG&Tz}uEpddb1rOy;()2452 zg281iq{y>WJR|_WfP=BghKYCV$W1 zmQ+TWB%@k$QCfF2%HN=svZrxZ%F}lY=nbWcXI7W)z5L6%@a1-S(+_i$wnNx;`_#|V z%^AEDr*FB(iL9w>EzA?rN?#0UNj<%of?9@qGSJ`o4X}Gk8t`Rkij1`-Q3P!`Y1f-5 z#PT*v)aBdznTR<0tY|tp`Zzd=V9Ud_jwXzJ&o#rp{)o`qEr4jCSSo?3!s-o-2!_p2 z0Bz%!)Is6R_K&O8gTLW;Jx3%zwbscA2Nu{tO?P}`YReLY^g+qCPX9)fCbbW<}>&x%~KLbMl%Uovx@2#kTUnHKLDyE z?Ywgmtz$FAp#3so!bXZQPOM<^T>Q(xW1Cr9fHEf*zX=NCp>`P{C#;p)_FRfbP`X{y z{Y7AvB7=0?E-_Wwam6b}F{cVP*ZY|0=Su*VnpnW*#3mu$i|fTyD4zWC*Q3efe5>2{ zsVRCW6un((=n46(C75XWb0XIP_&l)HKrHdqvG3)f)9jb3PG6&6%hz0z${k=r=5*Uz 
zf#VGzj*%x(nyRuWA2_EtDP!?9mvM+4rbTJn#?uwxxixyvrXOVXq+3=juJjDCIsdQ@GFVu!coX z;6lIXe)v6>Ei#xtt`hOc{plY&-6kKWwDY4+{%TlRAdxwY&%)wz+#hP}rO?i%kOE_? z)yiKJ>299i`)hiy-lVn-Wz#{1E1`d?}T;3S$;w1y9`Fg&+2h0XLTAuy`ED39r&=(?_;+F%%;#zEOAgaBA zBJjfF!#%+*FVm|=i*3iqbB5yr`70pD`k2{9{SMDDi)d)bgUB0CbVO z0;l}_$6#R6S#XV^hDMupdv&7^hrZSM3sgTqOX`k>lu0v(jVn+Y!~hx)purEl)Tjqn zUTS1$D7U$cYnHA7s~ohJIxTen%-x_00|+Ws_M~1mFIXiJ{Xf+P|`^^`j+Z>-OIB>QJxjI zt;}wJ`+NH1tP9B?u)cwov9EUyP6Y|U4(+c73s}g{zoaycMPDtu=1aBJwMaWnKu44cl5^FT*oy;s_ z2bh5&j~NR#j#(OP^-^_q`5116MJV&Xl4g!oO8PC?I64~f;$1ja0S5`=|NQ}QyEr^$ zdiDDW4dlr6FhRdA4C#bbB?`jEaRNnCFh1p`v>e}MPPn_tf>)Vp7=869uPrD%nA2eJ zLVKiV33F9yqrv`Hu{wdX4c2#i*{qgtuTqJKyIK>~VoM6| zKxOgEr)_ufNPV#L`Qd)|VpLbZFb4AtGKT9kDM1g~^yBQBe0FuU;Za+3V7+t=czDl6D&Obi_Zu?$5||DPX|`b7Fk3_ek^U=9Dm1$ zo~X%M3{~(l56x#YEABx@7^;*yR(>l&E*9Uj#j5>OP3^^ijp962rz#vx*W=rJ?_-4} zfFS?hd?zL2Jc=j5?=dZt*G>k-PuPPD(s4r+B(H}y7JPWqp)c_ap&nzZVmuf`d=_L|gi<(q!!n z(`QOIk!1HHEBnnqnlEDIbK2TbZ!kI}OID8PfpZ`9kIol9&>jV}#w|J*Cm7-Oy!Yc73ZhPu#mP?%urOk1oBi58$Kfcslt-YYc1KdS z14;48j#RWkOm`nLO5`R1cIR8ZSe0d19b=RgcdbFF#YZ$A?xzMO^!3iMkHq;l{Ma9# zw4de4pjfTlK02D3cf~7cRVNc}*fL%8ve#T&U@DWcd;V>!7xXfO4ez|*fsF{ms(({= zNaj~V$W=^iHn8%3{9d${S-%W|4S@O&vOh$CdAO@JZj0VqI3wAY%DDzD>|w*^YQNZS z@i?$@1TCUYreXb`Gpb4ncT$CGpX*np4gs08Ps8_Wy1vh{kQ?iew}0VE-GnZ`q^yg8 z??o8sK4e#%Q9dTKuUe^)V*(rb#x<>8z-MrVa})ub7Qugo)>A=V5aXRek35r-`QVWj zN2FPY1Rf63C+s0o?||C+**R?x83fLA#QYDDb3w<^#EQ|=1NHA2*Me=&f}o?uma!9q zPl<37SVD=tSU?zi9^aM-`2Wg%d+7)a=eV%vFU;@Es`+a5t`3&@Xo(a<38!A%{U(n^ z*5@-)1Uhrta+@Xn?V|O&Um6B`(>X4pPsC1`8Uwz99Qd2K{7OykyTkaHREd+)hJ*pnMF4$e9| z1IP%=+>e2}ck>U2K@e@Ks!O3Zso0}9^_k+zWHB?sKm`zbd3;d-aXU~t zW_VkHWdF*)^c0p^vuS||C&y0q^#5Rc65-m~hP)hfc~Qy?c*yJw>5h4n(~F=p)}+-j zN7KU9p1#5*rQETkQk=bjg8h>wR0iH!IBWdM3hdQLGIS@*_KP5ISj>X&7$ z!vvS#qhZB-|RI+;W%O;iBlQZ7s$Pgt(RgAk|Rb#)XTQQEi!MnG|Fl& z>@?@(7gRxExyUqN-RKDnbv zmnhlP0Vl^v8}hQm-+4#%r*{Uti9aU~v-lGDuIA&$MX;Wk93S$WsxztQFbIh-CX+et zd?jt_W;HwrxeExe#Wd1-r>aUKL_p~j;6g4`kQ~pxRbhUHhm94I-3pWIPIOc{q>3%|J`bLhkZyf 
zR*k-djnY#C(HT}Z)5vS_vS@jtl`v-}&R!4M&eg5c7oWlMiK;<522rE_1x}ocy6(L1 zg?yYTTGHsN&g^2SvO4Eojuu0|CPMuEyDk7!EgZJ%>48-94uGeObBbC6NFn~!fu@BCBwn(Jj9$2-5imctlsm@G?mF) z)Y_pS^P3pr5HdWjHwx*IQ8#;)-z{6-ydZNP=gL;4vGfr2h9F*AhPo4n4*E32gXaEt zy_QqmI$V=E3g*g_awE(VZ>77R<-t=(9T*tt= zPs>EOR4S`|eznZxmBPwCB`mkh47$&c;hWKR1IlSdsa)HeKd!U7x3mk7Ru7Xzzhg8d zp!0Jt-YAZ-si+p=ZxnIqknNMc_{g79IF!j~hM9DYZoC0me|;8RWSW!mk1Q=Uj*^Ow zeBs}2dA|2a4-N^zQXhF?<*vbu0p%06NAj`2SFTqnD7<9#luyV^V%vwVn!`d!gwDA) zI2Chh97$^n1}bBOyNm3U$2&p|VzpzmR9UlUm82`un`qEkN^5?lLRvepSDWDia8Fvc z%K*;getIB<84H-hlo8o*33>q~*YllPM+;`7O2t<0;d2vl;Y4BS?}2h$r82Jtu-mp2 zeT1zINB{)&=p`0Rzzu`+rcvYQJ9=xlU|vhPHugs*WyVi|LMr=WEVXW4GM@vaCW#0S zM(OX2@JfCJy%`@qQ=*zmdY@qx_)#)91F2BJb&Z z{^J|V&Iir|qL$ZY)ek`lL|rYXx}7%ydPG-V>y067cyHVEdDPI{q3`!wTa8QpYD!F( zS`w5h6%C=S#sifZYX|4rv#ciQyk2h=by6)R|8@61fGSjcn@C`iVCSPGH0xN)SjN8| zh-up%mz^kOHYzXkNh$rPU`G5PBODVcwjKU;@RGcB(c;#J*Qi|y%!$T@9gU7;F~}<1 z`wdL^{9%;``hd>Xnfj?>v-*=Lmj#1{d6{kwKvNub+A_`cQe_zYUR0c=a{Wb<4Gh}~ zD|PfmWwIugfvu9&LM2de=#gj{AJ%eSZXxX&jBedK=RB> zh@%Mf7i>25W_^l@Vhy7FZ%cixegp| z#v zLj4 zKdyc`m4HT=17ZHMxL~xFnDPrx_6IG~*dTOdYP}o>THJp^QvScT7nRP)#=CfRy?34FIuuMfj=3u#|K}7rU?d8Qs)BensUdE`_she|#o&9}j zJ1B;|fh=cM2GP`9eyUR>M*Ye2+t@T~%qFoVlI1s)b;}g= z6k{T{c?u1dEAELtTww9{PlOXx`uvOVRqoxQJm?ZCXjm$q!fLJN_4wYi8|n3gtg`+I z(jj$^x->*js1o`ZUl>DU1`xyZ@^;$za|gRR|8$B-v9a+lj(D4njL|A9OA2SZ ziu~Z3O{iCii2F0u{HKpLmFxN;cC7kw#rN&vcknX2Fq>dF0=*D>RQTV)iU>u3EIVK#Jz`P9E24~8r{@o z1Zj2$E4IVidd3`k&&$pwn_SqbRR<=2>V~$8cohF9Og~UV`1zsTfJKqXEZh_}@)pr{ zV>pVwUoff>iX?M+Rl0Z0SOI?U`O!1dgkhNJ=tw@7xjN#c>D-6COLLmH`}pcXCaq6r zBsYlvIZ=^oNxs!9C7Nm~XW5=^-oKh_xX|40x6aN_H5JHIKVq0n_g*`lb^+LW1vwPt zu?O7hSn9w@fNx423P?m#Q6cJ~&j5R4Q5zhmAPm3(U+SmjklW$OG~5w20$j+;l$l$b zNu)Ezlz}2%9-PhRurf(P%Ra{nALkla+D?3 zBA_fM*iHINeLEq+gKqE9;X{$c63A|fmlxl>T;a;5C0Y)LJvyv5D#YE$p)t0O~(5G}R`%GbG zr*XZ|=&eet0FQ;|(;b3CAFpZ@8|%;A`oX42h8$|4;IaRH*~QhFO?kQZ{j)wSNHnNV z32j)>APk&{6}IWPK4f)I;R$~rH4f&!s5NOKk_uCNK*wJv7kj8k@92JlAHGAsm7DNN 
z?g}qD6oE(J+S6Y`RuH2Y#JgGRM1f?PkfT4>oOj=hnKR};0Wyke8*O0CPhoei+1R5Y z+WwcCtQ~=)=9S})E|AzySO z4-vb3Y-4QVjUHRw@oo+GwJ|=35QaGV83mDlBEFT7Vk43&VRIaCT#bo*GbZ>Ko;776R-PGj#WCZ`|9NqqzV@EG3gOBi_*l;DozH z!2sXD^yZntFTnfLA-)wC5hoy*24K_AwUkkgM969rHvV3ngbzt|U=%@Ff^^v^xuI9{ zV=qDC3KrH+R0@Vfo5y~h^cUxeWh^~tvig*!?0B9;m&=yJB6v_Eh}H!^j`YQJoeOiZ zh2XBZ~`Q_#1ub!S|bvNg_T|WJ5awYVVzGkIP7%-E3p^T~wO$9={#2q2n7h_qN zt^oAZgqCsd5rW9({A=Xrzhai*f)fm#x`tCP;l8B~>Q(df5^hcTc?R^qYuQqe<^JkZ zh18OFEnbV6cfFZfr>QQfo4T11F4j|thO@mRz^U^;dC@F;uL;!&qb5%I(YG0GySwtt-PVD%GCO-s;zx5DelDfM0T4=w^cilP zwlr_P!7R0S<&ikF;clYp?$T)Jz##H*g7@F`{yd2*{xU16OLF?8Gg0B*u~Wcxj4rIG z{K?J+`Vjz1w~i}U1SsEsaMg4kVJXp`Nku+MXbjFJ_%-~KgNjK6OPib)kadqNV%XZU z#kxK_y7;>MB3EDExv>ziVdMc}vnpQ6&Dse%%bSZ?E5(sF4<;cxO(8?;n<>_0W1?w(<6-|X~{TZet*NZ`ytag|#2 zlbb8$LTKbVA6wmjF6Uw^1Vqmh?B3HOvijH|k4P>~MWbbgk3KTOJ<(wA2){8tHh7>F zwKr8iHhH2g0m|1X2nF7<3D7#}^gzj%byuVd(dKNynYe~@LFuUweofZGm{xaN^}qdI zpO;`LgnoE9Au46jgp-fejjaWP0R>W8}I9M+yHS?90Sid zsMU5c>#8jxJXD&S+L}hBv?RZl6J3nrUs{*GlBL2wKhewx4#>sEai9HSl%abQa0)@t z5^!S@3@vY>UlIcknz!vIJxqm|=**R)r+3&l9(2^pR+dEQL$;yqEqAdmj5p5X4(I({ z+nUHJ8Dwkt#d6;%TU&!A(!bZg|DN=s%Emg2qiXGKEd5*^;|xd{Ujfvt>vrqo^4x@y zp}telOHJ!{3=!_A zwK`9u07+p*B4M{-7?{KF|HHi=8Ng0Sq}g+zfVDa z=;?K%<->ja86_gIrF2OT7cxPw1Qf%J5TsGR;M`UPx>5fGI0vuqPu+FBC;$Hl@n0t} zA1y!DkAYCGkh=F@+Hqrf`@|zZn+h#XPLwYWe-HEPk1ZvlB7A?7$?|KIgL_4hmO@`! 
z9G<;^M)SDZuV=zr+fNc{y114i`FX7PI#YB8;yz~__F;&leX59R`=!ul^b$r!(+dN} z1b&>x8^VGZj^)F8>>us#An zbueHtu+oGbnynRMVdVMw`O)x4%UTr&hNN#2oXhs+MaLoUdTArjI)=Z;!AgoGr|-sP z>HhV8Ww*BtM#>yG+danr@c=(V@dWe|XRxJWZBZgc$_OqG1Sf{0)lS(GFakD?Y z+VS$7J=b-@6Z8!1mJCC7(Jo4^w!=mGuU)3HN;>)9q)mNKyQ4=kSX0(Z1lr#v=_QkfR~fSz7lgee$--YlVRKJsy95f3H`Hu}43LnlEWvOWNAK6l6aRU5Ft@5|utASGJux-ZHdj*?5i$H7 zW&8_m{>)@SP&Ai@TJQ`K(28MK0#ioRLYBELZr2^d$#+y?cGsJ>FvYG zDcdUGRnMGq&;}QZFPOuUVX_rul|}ta$TZIBN&u?zdRSiEWyV?P_f^6nd0CBxsbtVv z1uGo!Uy5I-{|>pe^%@voU}>?iV0Aq;0Bz@)eS69R+%}lvFg9-pY0popMf0l4#+8gO zUZ1710xp%@X9bo85H}I!t|Oui;^sc-kF|{CZ}ly_ONyu^OB%MgKtJBx^cSK}s;m8j zOGbPwWvn-xNSug>PjlL~ytN|OgObep+o(~p`Wv?BYirhtPV!oqUh<7FXK)!P8Gf-G z*@IP*`1~ROBoPJB<^d$FTw1suE)L^iygq2cyA&;zsr#ontRJfY8UyRN*!oFVe&CFh zSf6v=>TK10JS^A?1|s5s^b{-Khil;#sKeiX86SX5m1(}>_do0~%Ugut=ShRe^eEch zWLQ$ng#p7S%qcp=&0F9?i5#~s7>>d0gOHx6A2y32ur-Q$8`xY8PO@IgSd0-gQ1Fe9 z<58ZOq|XXOWpX%~Ad6vJ_OD`qf-zu{eCEy(p?+l&ij1HLM&b-Q8G4^>8b*RQ0%QFw zZvpB<4_ey4$6X7K{Dkx(O#@~(PA&a3d_tKfE`>oPOJ#DhX{ff*F?YI+9a}h96Z_jrDeO z<)vQn)Rgt^yV{nMf6Lr1K~SnxP%^A%^t=v?SqY4s&Vid~mOG*inW8_(7R5qm zd=|U&aKAN)fqZB=i!X@5V^kR!dOVFjirrExu-iWBz(&a3XJ(jmhre2UnG@L;#yJa4_emBG`6ZLn(vx*(LnzAL2QRbBD_xV0d!I`eQ?I4WG;W(m}Bm`JCCYFI-| zt37Je8b;{5kop9OD>c$3e+Swg2{USh`+UjDu>Zy` z%Cp4k>&$jCNRL`7`AA9;L9JjpUEZtU*Sk3p_L!uBVUp5cZqL>V3)RWRMv-swK^BfP)IDqx@=ypkIg>ES4EVh zz~R)ubBb!sp-wD>f%{G=&i)0d1n@xK{E`8c#fFih;_5|Oxw{D-u~4P4*;OayR~rWw?M z36P@Ezw+e~HzOJW+IrB@CTH9NwnHG{o&A}4%Zi~lFbW$}Z<~>kcvp5CRBz5Hv1WhsPw4NsJqcDj?^8DIQuhNTo>mT-k zA#p3Gkz5|Fj9$SFM~{K!MU@8l!UeRfIo@S$+e z={WzyNNW$tcm9^mg)Nf6_btd^ZmJxmy1lJFlRSU^}m*;hWnyF$0! 
zejrmgph(-U1N<-;XNz0?GwZmspvNf4)dr!oQ<0F`xv#`%|8QYk7JNL&dJx*b2yh9# zAzY}<2_Ur>qxVNU>nI}!N^r=9*XDioj4svH+reJ^^qSmee;OmA4E}tD3RC|Sve+ZC z)5@z#jb&5x^jpmo8LlZHqO{z%8JsKczHPQW=a#0wZkC%rHp%~W`Sy3q|KsQ^4ASU&ReEp9PCm0|swdzBA^2RrR7Z4T6eX}S3 zKn3F2q=5w3Q>ilxKL2`sn>GcNh~MT5mHv#!*%j*aiJE)fM-Qr|Ashh$4j0)zw42V` z*}_TzHp!5Dw;3lfcu=eT_pIV;S8LL-IK-*5CK-v}eAe@LHFU=W1imo}b z6k)Jl4U08WehwRktVNsL!nrNSlht9l7F6%RFm~dYy!fpTl=p33n0fADNwf{XHvC2b-zFnW+T3&flKw~TWvdDfxsmCkh>*TrY<7fa2 zZ3Q(X2$M9LCc2fkSFT3lZdkJ>3H$=SkT7xTCPR8HiouXF(7)>veyj^$o7_CEiX(+DDp8F6y|SKDbv!MAqD+av!5UG#E$bc zp!}fT(zL6ST*{X8wvZVAo3FP~D0ln5myU~$o4eF10jEr+e#tIR5Te$UmKWtweYSr= zi<*>t_?ana0(yFKVXfR1m!~9RzxahtOkaOc`UrxAIL~Z{D8JBf#;$yx@rXNm zRZQFOiOMJ{o-=yd(fY{7y#>?+0|{&?rqF{tIQOAXI{?Sl<+)0PpFBmSl4p@PISH3; zptr$1rO$pL!}dhu-fc|!4XiSF_9sKa^G8$%OE8cES;Ygm%@_0Tv|V#-BZ>H{Pv2eU zmeOzo)76jiVepyYs06e!$^6(%-Co91%XHC6(s1k=J$K8dvY$LvJt%CEf6$LTbw_7^%;jGn7_&`6=pIjntWR%5?qgA1lj=mRBkN zmMaO{*@SG4419M$MGp3og^Sl}N5eY_rO~fUxwiE&?i?NlQf@!oPE*Yy{02_blG2Uv zq*!U{zpT#WyDTv$N#)c;$vAPw=suYBhR%LOw$KR9{t8ONf9Ju`+z?(LoQ+!~Rc{S}xaB05?xVA3H@*ju-Q2?n>%o|i+1Yz~!w+c^HY%tkA zFZ1e86q1811z^4|4H;zNLxPj_-(niz!Qpm{*{) z+Q}pL0q#s%hjj0tC?yZoGY}iu(B(dO-CK9%DckcWm@tJ}oqoi0CYQI{RzZH%42kjFYur}hci9IviumznxnHi z^hiN#j+)p=B#-F&lqQto)@#~r^f4f{uHW?VRlW>i*Cr$PvfI6!0)QX;Iw9n1fP9`yV<~zq!`H2plMGsL<Qe?JE(rL+hF1nF6FeRke}iEn>&-Uns8uF0>b?2rIvu{X7#D-w)w|}qb9x!m)6mF9 z;mbSk39I4TRsbU4;h;V{;O1g%YdYyb+TfE@Lq|pkjT+yjEXzw^ci_tLpdw6tN4BbxREbfr-Jdw(DZ_Je-sx>&=nqy?RS_xaOHA5 z)T?{52@{Amu$^?)%RCOyAn%L}=#OT(!KP}FjXyXPgY-XaNd&GO$K^@+UL4F6_bYr1D^L3w?HQ?bTd5T&~Lz=#VerzJ^^s1ZK=r5(Lp47l4yKU8o zRzSLHpuF$JqdY~}lKJ;+nmTR-;wX2Ea{seUQke{f5}AlZ^in>de8pd>3DbKe`yb>N z>a;&TrQs+JBvwYW*6?m>WKTdy*tY{v3x$uE;c~Z0w(2`C#&9pHUEBM-yMBHa1BErnc(e4N0iZ{&BY7IXgdfrj`fXty|1%fCq4}fLO9cG*j1d# zF{W`#ZGYrL?D5G_pUWbefJk6lOyn{H~PKhH{ZfGsy@-Yxv zaDZOoT>7RuT?ZyhVdJscu80V+gQ7>gsQ28*MlybI4>CbZlEYw+B!8|Vis&l+VT|iX z#&i6Er-t(&24Y((oL?3t{r$*sDSzp&uI2{2jx~S!Y0`Wo8$N~aX6nzbC#E@`4r)kYXdlotKLU 
zNN6?o8HXK_~2rMC2qo(+bj46=8ras&bL&ufdmx29tzpWE#_wWxKt)+kG^xv6a!imGbaO#( zkUj~4GC#|vG32rFcASQ8SY4Hs`Nz+U#CDE1=l2px4_{czNs zH{8~lB>sj|xmvRFa2^EEyy%M3rEnXuM%v(Dkljr4^#dmg`d*0*l$Y zy&pZ(q{K{hEHWsk%v28WFhGIg71w*{Fd5=y&^{=mr{EE*l@!jznDxC`8SQxeU#zlI z6npdeafi{YFyoZcSg~C+w>Mb~r~4R4;|Vu~6p5Y>;4~}d<)LvA_E$gg`K+sYH5?2y zuf^BRIHj}zSal()a-#q}19*8#UI>!y%_E+F86S#`xQ8)o= zkXm_&g|vy6=Htx@7pcv5+|)YXls9KvrtqIEiHQ*T6=SV}rRXXwmVm88HE-8QC%R3o z6CR~2bMxAFXq66C?7ZZEUieT_5iXj^_EL4mzr*N1hnfUT5D;7jP?7G@`(!ZH7oMa( z)nB1QUh?a2_YtF!j5A{OvZ|$NRznZOJq+@NY)0T8=RB8_1>-Sr2&sWF`3*SekmR2G zrX2hv-y@LX)ZlRI8w&aXYR2UEBieqK+w&?Dx>=e+iyB z1w~4ts&l0$oRJodVdN<_1!rR)U&FV$5s#Epkbhyoqpq_ik>bVTmAibYD?1~k_1Wy< zL(@Q}xT(XmxKf6mNXuj4`wL3ql7(``T9%N=R*RcUx`t_8p>|uk&FPOHyrySod|xqV zqK8WmJyh5McEV)GW_(dY^e!RYULF$x$dE+8r}>uJVMnuVj*OkASg z^|;2mNw8#9U_j;FM)&(`FGqcIjn>_H&iaAOTOzmAsXVK%Nb}w|gr(P1HeKQL%(Gxa zq4p@~7_lrVCO+>e^)9Xl%hlM-Q?s5pcZQVzyDclJ^vT_Y-_X{iT5%!xMDzO?LRyih zxm*?DlGfJ0yDETaHC3)UK{WvaK*B1h6HB(>{amlcbSL#k+GpeN7jl^VRbPY17FU0V z8{;r!)fSa)O+j$hcoy$3@3I45z4|98dbEvFlv%#FJ7dl*><6XwOP@X!PdB{RvgOjN zV-TK)Z8lG+S0e1E%ePMIgAm7Db6@1!<)_LLl%m28PIXMle)BtoYMD?R1RgBl2I+nX zIK5kaV-%8xzeV?E3;j^czFxpYe4(mk5se3N%=RI6K z^cs(F^)tKv@NM3Fuio{;?<0`YGX?ii^+SJOo+3VaM7gKOSOe^lPfVsM_Uup6Zu}TZ~z5S*RwWWx}xgLZwvN8hlZgTlpfhr#b^kvd1+V-~1YI6c$x~o23rkVOZs1Zd?xm?V7dH})yGv*` z^!J%#zcx)v@Yg6XF z5DUDt_x}oj5ad7Z9AWv%`lSHtR-D7*5?L4+`m_?k_&u|=hW{kbXytu@U+jywx8v?I zc51s~lJRqS1-XY)8Ej$$H8NV+w6`S(DTR(E-?AE0Rts7$e_(D-91VFiX z!<`QFBr8GuU)E31Ai*5kzdRk`fG+El>d!rCQfX6kletjOlD9Z7htX=^fzubJ-w)Y~ zZfr*DX3Z|xDmgcQO?c#6di6a-e;P0};pG|>$2eKJiCJ$-el7mnQTBEuik8vec%)BI z=~1Hu=$Ny{_IXK1TK_p-yT9*rH@L z=%wo&P=|QYpN0oUg9!C~sQo_|d#_R#4~B{2Vp-T}LP&^$e8fTipfzcLNVW=8b!62S%oE;z!KjxYtUrliIpQ|QM}bbt*@F%&@7#{O0&h5S6~he+dI%D1jhA@#2fpEjGa14o5RnW$cWL%7zi zD`oUv@s;3%zQ{$>iv%lb_G@GI<*#YT`{cW38kPhLevHvT71ahED~ftpm%r4JLby1x=( zLQ&K}ytCNgdsQg(x!#>-wzeyAR6**+0PRBYW}k*fQqxqfpU8YLJ|2cXv?nPlH(c|E z(8G04hxP+9zjcEdR0F(nerkhX3PGc5q9XbYGnGBye807ocXNHXE-(;&ev(6UPF^*Y 
z9>FkMl}B@($vbu_J3sonpFI_bZ#YdAZ^c~_&9#fR(!hb%X34wxTkmB`sCLl5Tsdu^ z>tVU{`;OQ-wTk=ei4JXV(DAk-5>HLxHcv^Yi-o_B<2ZUXbWSYfuplvga&k!{Q*yMd z_EBiS&ZydYoW|%I|v{VKPcm7uZSAl z_9M|~Oal7Nz5_AihQ~iOGt*XrHwwqBb$pkhA@dw#@s0FyX zEK1jkKiz>nELR$_wbtgd7$2(Zm5zl zF%=d29-JTudZFsxc8xv`Bt=Smm>q(m)7^7yV|w9Ebz{H&?Ov z22dr-(BYvBqNp$nvoEhBQ$9DAbe?hzd|IyELq|vV6)Bga2+MV}yRwITmTd|rQ-0=h zFr|}&kCdp-9{(X+i}x`8Vw=`HmyXCrchcYFD(r0Y`~Kuqt^a|Kzy09un&{7vv+Fno z$t3SDTIi50BWa1Ln8!z#0*OZ+40nIHsd2TKI@-rlk9{7BwtbitqFYo_;E)z8wLZ}Bm$-D?kgN(>TMeGF zcs9}gDl`4p#ol}ogr1)zytY&b?%@IbRf=asOHTT0VA^`ICUPzOe4V|7(9rq|uq(_I z;)Mo56-jVvxq@sPq~wbqo0|X}aPffKygm-I8gfn(ToDL=`8$;&pH7*oVc=aZsdgqnXlye~=y&`Q-q!H(o1toS$FayjT|V z@ww7bPj&#mzw}+H8AQ+Wg74-{Nn&~5t}KPQ>W}vGC;*VMTgb+bXG{GuY~e4-+tby8 z4+A9QOSgNu2xsqjVbVyE!lpZNj~Op0eMf)~hdUgWqk7Hn<6>$9A;@1Sp6H@UD00P2|zanB|mb%Lo}s zCVLa@jn=8#Q(nnQ1;Gni9v7wiZSYHzytyAF3qGk7@zXN;ED2IQy#jg66r5h9Oi!tM zz8+hjmHYCEMla^!xb}8ZMLkp0$-BHRXlN$)!7sUVWbRbsLHx?`{j9~s%7V=Kg<+k^ zCFe_qvbS5$94`W%UcgM%kx-oR7d$B<=3nj_O#QbPmw)i?xQSO`9kqiywiQIy4Dfb@8@724dK9dz16=6IRMT6{aH# zfloUg7HZPdg&J_r-=%wVdp&VNV=oV16B79h{|kC(*||4Vu9a+@*y`o%%oIQ{rn?En zHLY!`Wjdu)Pf8(Ze*2!K8K*|uSN3wf{WtSoTXl|NPKriPzwOWg+$Wja*ofqLFXn5p z=Mf2CK0M=68eM#dcvmWHh&T< zf0v+KpoM$Vb&9wZY_D?hy9dYpyMZM&l}&-$T-HCZES`=%`Uv zRzC)GR3M9iflQf@W^t_}m|i+(Z&S6vdq{6b-6-Y~GvV|~mV!Ye3Emd634_Jr&CDX=EfkR#ni-zRy*N+zk5&B`Q1GDL_ykhjz zNDu$C`oy_wSljRV%aRQTAo%){rj*W(t zGW$7&e<;yR%(q%=8SdxV>nEuL@&SvdTLJec%D21c|J({${c&03%m#S6d*Sn zl|=pO_6+1vjM2767NcDxO{D663XW#}lqQeO_cxU6TRdT1*6zMj>7TmtL?ny|2-nD;9{NvV6EH1F%*K)9w&t(js_ zY`w_f662ENU>`&d9Wo%wDL|O<)3gQ);a*mWZeEt7@|EI6i~pIp|K5wi86EcA3mFoG z=AGc9_~S+DgE7+?nl}^g*5cn!PEX==<@DOl0p+J2z!pjCA%iwli}<`~J&$1U00VSMTXqFQE`o`j_~AL4mm z2BLviTrqegAF zgAp<fN(EE^5is7lgS*(Vz7J`cOjWb;zXPsCn9344E3#Mi7v#En?^BKYg zP)R4vK$?{E_1Cy&-z(d(8lNq0!%F#RpWB#|KTpkEMl%n9G~i)OuVwi32i}IeFs*w- zGH~&0*%N9(_!o{>DtV8CvAz~^6JI{!Q2qFiVd(O{8~9<`G;Y3Xc&LNhel=S^;J&o$ zGZSfS2=v-YkOVME&yF_2jchMQOALeTtN^*7VR<%RA(s47Zn#19<`B+pfv0h 
zEkI{GUG!JY68yVruhu$dA7Lc_e%YH2eRX6n8bk%76EOCNoeX8}$1Dv3(ukr4ObC2n zrWbVa;9dKemIJFA#z&Cr;h~05$YW$knY%XQ58n`#28{G?*xC5>XN$d9dpaoDMNUj) zlkOEc19zq#9Z5d~vCT%sdGvUEBBCj^4XSw+qwO6TG=wUwmQM-eQkuwEaCh1i;tZBFsO2 z^02H&Yb%JVdb94NOv$)ou1YA0!QmOD^iIX8Y&r}_o~S#(^`t5hVY0ebGNuX&OR96% z9xz8S|s? zpAxJX>uh69i%i#TA30oNo^OUw8IG~4rkxH53{$n%DaE8ki@a2i$Cq`U`%pV0KUw6@ zwWY5Yyi-E9Ys?K2Vx~m|Jk4IFkJ65sL=e%AwkY(7b6>nE*Qj$4dvRYi78O$yJ^lAn zWIRji+h`wohiBOFs;b7l=JF(#cmR`7oG%+avme$vd?Y1;DaPv;*5>9EC^+$2T9=O% z2!7s1(3v@GqCs*f{_a`;7^IU{KJf~9JD+d#Yg;r8_$f@XEl<$PQM{#HFtW!+8%e~( zRU54m;Hdh44FpT=K_RCPj>f-9fm&HoI6o;zH|-!Ugw;&Q%DWY9a1rmP#U6Pw!JWO` zVaCeVQ5bN2D_h3+2_j!if7Z{vZ*0CEv4NHT5<2cHUOkum+fbd`T7^0))bdQMdjnXC(6#p24!fNCEj)LGJ z<7HvEK`42Ox*ohB6s`W(@eYb5HTerA<0fG|^n_yWqaOJ}bkYc6uIzI!S5OJ6mu3PBG3~~SP;Z8Di=BTv9 z_6RXs0>`>(H^$+00t9Xrx1?s*)yUsi88Qb7C`)G_s(~J1VM`H`;X+ZeTL)sf+10HC zHh~m#*9>$g7vx~<#tZlmU#qZuND4nk4p`97Y9OuxsAUya0fd!vtDqA#Mnd>_$&sXl zBb}(9itbd=nKV?GjMjBazVRNSeK*$B4Z7q;I5vW&PqX(wJzmLAGPe3ZtnDO4wsk4= z*mphCpYnrLL?SIeQp<7p^dqm1f8p`P4df{@=yj@03zqCMidu#OPrSn*cm=Bvok`S- z(_7wKCn;eH>CT913ISqMaPh$VQj5P^hpoQ0rD#VmV1i9u&I=15C@)6nGFB1T(&G)x z5DJ4~J(zbl#(o=~`C006qV_H6^d1=nT%yRHFU zw;wjwzsawKCa*wZ#3gCwXn=2k1}Ytf=jNX?y*??)!7QL(0q@QQ^a1C?ubG=ie)bab z^-zV@havX)gB<97Y-L@srPvoOR@7}PZ|Q%5s0c`r3q}ovYB-mLk(8ohPfXW3z8)%8mto`f z|Inc**KwucK-?#nTd+S~5+eN~CZWPI{%%73wf~azr(Cv{a8cBZ{-Pv@g_IdvPmXt68>DuAoJ zfpsFt3pCMlxWFfGVn8g?c!{W|^VrDd*|QAl6T2EaiijEu55;0~aHKJ2a&iqm5@3S? 
z={}bkK}kib8$qqx>^R8ZzPApnuHq_TrGOM;_}G;SC=ovvtV7|1zzw=C143Cq1zQaF zzs1B?cEpwju4>_W8QPfh$b z$k~NjvG@P8(*;ew4MBX!;OUyOvIkiIeh;fJ*`lbv~{OHWq5e%sW zRhA!LO9SxEF1G(QT|_w22;b(^<&jY&TubIk?G!{X2BaK0Ot)Zo^@wgw9Xn2x#u>P<2q2-1=Ob2rE;tLTS zXRMgI*+9;~Yxg2&OcY@DMeU`kQG~n!&(PpHN8d{m5$!P=C}|g7@T4U@rJ30@zM> zNSnu)_4&9w7!eY|)b=tDh7!tKTUiM2%+8yCvOF?od z&yM|Q6=b|{@NXjgJiziD4z)kIrBHzBV$bs=hGyThh~D}*257fr587-dHUud&PXfQq zFWSi4M1{#1$b$Go8X-8Q#vn7E5YpwP@2)HyGuagMCq+>?#unn6$4(-6>nZ6R(e+jqYqtE*Ch&h_NVW%ruO{25^I*RQ6h zt4q)ZY=X~)@vl_FdmjZ<9GI5?uiO>?w-d=HBuCX=Cy4QLoa?~&j150tN}@ii+YiTp zbmlPKSLiR*6g{oNTB@*d<~k9lC~jV@86=vH8EM8DtmT;-byJ{&Q4&=s8urc{xlk}3e{ytZIuK1BY*5rwPFr3)3j$(Yp&DtS?)))MtqO1^ebyf61r4%~ z8g6D{fwFkuBVL0F_$LWVb~7q~Z(zX?O9cp2Eleo&0Ok4!_6`U_#PS%H9abNaEUgvR z;Aest)S*~`xo}babDEF#XPaE9W;4TI;T`Kg$?S6P>Blq12%D}BwUzXVN~*_z?l#no zZ%o?kSJrY-L!6LH%O^dIA_0vDe6*sMhjX#c9X4NKb3=?|OhCyl zZ|mEF<4?vh$Vh55z!w>YQt}AhYR^>u4Wob?m|0hpY3B9o`!BJ4&-aaX=`$_*&O$z} zMOc?&%62LV{yBZ*vrJZE&Ah?P_{9t#YljG<=U70W*IR0ixTEpnAp4l0G~m%c#ge(e z@fV2bR0mpIN}e#75RU2n^# z#(8<1Kap-yFDn)dyp8f~ooMBR7RbTifsGqr07U76n7AiH%M^}yjh@5)K)6;PG25MxFk)s-g5Of(;EK`%tN!#c@{tB z^A%;LYp>Tu^-0*33>p4{acLjcy=1Atl8t5%_%24of67+jeOY?qoUPNc_7N&!`%`-u!mU{8eXTFOG3N ze+;Sak(r-QtHvl%IO)jw%M*b*Dpfzx#WilIv#;ZL$K%g|&=vjsF6Z)M7_hdLPq; zolQka;)+4JOnOXwoOxI+2YeIe?VW$`6@vg|nR`}{Rx6tt+)g+ok)zP5XxrT~I3TqQN!U}n$)@=P z2A|Q&0zCnEWd$`M)qOhTbvl^=T5DP@*)5tS#j zt4+}YMj;0{@vPnkDt7)mpizILa=3kn&R@PJMns~=g}%q1q>L-KDo=q3b&B>^3m3 z!|d}4&8NhAlZBvVe$Y14~!ca`FAKx6wIO zK`hRQ1=Y5n9w_w>EAL;<)Y6Iowu{`#E>}-0!~~UyD3xfquFBpr+)yyk=Sr<{$z0B? zl`${eaLons67khplnNxde=C)vP{2+{ft$gTc9U+8Jw4qYN9@*DeNXsme4CPemDy0{ zf^HpD)4&xaH0)b}4vgKPD@a5RW`jCp4rPB7_i^`Cn*TX4F(N=6w>6}R;OH3xHk&z? 
z-R!!*RG7d-tv4$ieYHAQWf?I`4|}Qywu6uvapW$g@{*K5*FRiA zy7ZRU&a;-^-lCF(-no5jg+jO7J7K*Pic=rU3d>536TBvFms-NjFVMtf2P9p1(IZt1 zUnfO$rJe`HX;SOLa1l|O8;pqP#6BuGIwINwD2qht@yFPyDit8=q`$l7_IHclGh3_< z$n3e>SW|&QaHU>%U$p+G7tA1L;v-*qnK8-#u+yLj4v0Gf$h#;VlV{9@;4@qG>^9D# z-Pef%890cq5++WS7@-aoTb=H+wMRN-20n8e8cH4MJ)cH@4nyHOk(d`GWqEJTScJ1d zL|GVtaon1Df<0|K#Yso)LavyKV>xzj)!>K{xyjUIPHUir9K`SdgEB&=><{9Fp3^24 zWP%V+zcuc__hT~GG%KpRhal^svW6_ba2)UrYLP>T^_rj(yy07ve&We&Ev$|f5n`hoR+>8nI=OPl;N6K9NRxL zKpr~|dfxZ5)@xrFV~IK9Do#rC2Vq*C_0l8)XW-o=fmAjSuS0HMqONHeumiX(5eA${ zae#}{nMXjVfoL=x5K^7`9)utq1zAFED=p2PSFmB8&OTg-e93FfyhLuiksLIBW%;S_ zI1vXL^mh!MpR6v*oN6xDC-4f!)PK=k2A(MybTw>l#MoHgW}$Al#?WL-q%Q~iIUZxZ zb`1NufG;@rZvi(AC~p{NU$0=Ym{-WIwAx&>4E<8MECEebemOK!D>@OiUo51k!+(|D zvZ0#@7x0rKYQumj4Y)!75`pUQ_9sDXgac~+-NU$J`7>|xLh-t|P<(SWtZHmUdCWg3 zRj~oi7>pK!)!e^b|GMrdl+fPK;@~YLU1MW#oY!+%!(Z_9uL|h;6ulEzhrWzDn?A#k zeXijD&`nsD@wx4tN*)<$Lj0#kk#J|zPoO>Gxt5DM=pVUNU8S{*Ve=R0BKON7eCBMN zr^n9>=<{{NF7%3@rw5#pcZSG(Jkc2kSG7EdDdj1?{4Pu3j`#YDc&6JF%`Zlf$E76( zxN#dK)az>bbEE$zDZQU-sigj%+%h*QXONhwWI<}LNG%=D^D93)yC9>#pIoP@Ykx6u z>=Mytns1JOj~W%7>nyuSl#PIMoBVW~Q}gY4K_bq#oNtmBi92Vf&<{L237JOi)fJ5c zO=7t@_%-c&eE31K6w+~|fKSF6Ptho0WlWFa=JQtq-8Ga@mq(L>hmd}}&Lf~4%I=r+ zlQaXh-zKlh;|th7D|Kn#R4K-Z$ogs=_lb$0S?Utp&DR|5UiLnyH|W2OXGAmQt{w3b zD#=s2QKD-a3Y^F8Lg0$npqsn^uY7(3Z#SVq=`WBOHPFEFH566*7jHX;cB+g-ZAX%n z@>Y0`;)giA<#3k?d;&0cZ3gojTSJEJcgi2L~kDu+iw1iX~vpZqW8R&#-K*+yKvV7J!c2mv;A>%t6a ziew+ZyGUjMP0#vBFKb+vPL2p z!9!{Hc4yUu9&HnVy5Y^{@oXx$&@P=NV1b_l;`oc8?n1KDp^h7cT|3g78?16Nzei}fbw; z`@`J5oR{0C9I8Na7b5*<=S}3-i1Lg#;|^o+5%p0Tt}k?Qae{Cfi*Up^k1oH;y!eCD z3$WN8XmZKbG9&B(Retf*zGrVg?YY|Isn^6QUp00P zHmqhd_-(Eyv3ZblkW=0|_|1Gfp7nU=^XXqK#!3;`*(h9-cNT z(}@X5NppaDyyMWx)uAB56Yj%@hp4Be{dy!LR` zma{CiHbkHZFrSCk+g&QD3}rEPlML9Fh5R=;Ei`w^=HH;6uXU1?92HWaw}mdqlKa7$ z0CLQphC+hzQDPA z4Uu|m<{V`GTgUL@4}()Z)yf2Y0+w*;?i=`|I-|~#sN{(4Mf^0z3rWUJV}Vz!%loP1 z2#)`fc!HV*JYswsU{tu%d@_L)p38X0a3WA)m7yFH5ekXaj%KM>7gr78S#rkf=U=lL 
z&Rjxxq$eBuV3Atj=d3U7#`kWmYI-Hk*?@U2SKG2leyrXRGm1rNM_2X1$wD<%qcBFI zR0DqzumGnCS}(pSea%r6d8p2@3nGI2x>YXK>z&w%Pa^a~{MAeO@ zvmF~(tZ&3;PRHf?89jkhW6c1YW^BTw4tT?JLahmm`kmJ=A$X^K$B{7WAtzsCk)H?m1|nXa7om9vW2155{!g{)3VeNa%j` znjrKU1yus~M(NLpQ@K&9oVkAl9IY#Vd92xis+@~|b3m2d#lJb#KM??x`iC2g`=lt9 zf+`#>Sd|FclKyurHSt(V)Um{!$Ku0MA}1&AY8St;9D^U(A!YsJX`7zN*jnh*15bYy z_uPNdUSOvDdi;g!M~lO!VuK!u3VdXj-$SeBIxx9>XFL?R=%r1oKS0xvb&gC)=B6E} z(yRX&)Bk`fa4P>$CF-9s{SQ-v+2JSaG2ZLHP>Gb(V;|&M`z{ZI3^q}C{EgD3VPPVa z$@FBlGLhkEvGECL6bh9t>YIR2!U$iH90vBl!f{1X!*uZM;8_?nTzdOA_{R?#A%Yg& zSf)`V(C1?R98h%zsCwCQ`nf+c-!VW{YkeP((U#9=TA}KP{g&Tv*mfL!OO6C(H}bgO zzu;GtrpL8LKPSJ1ezRY;*Y@i3JVSqC)A;$@p^7`gQOV3a9vi)4TWFVng)cCtmd$hs zUQl3*cfshuhhbQm+X`QaeD>EgwA@!{e`LJ$^RXAcO?>{^kzyAQJacAek>eYm&|r%^ zjg95vx7176(J^74dqR|dLhK$!k%Fq*Xn=aYmV~Qv5Gy@j-AJtR2~~LzD-5PIyU7&- zRf=2j^nof({R>=e%z|T$i#BV*HsA@Xr;Q}CDR80D)CaoTfvVZPs=0nxE_~+uNuh>%1^B7SpU}F#l9UM^c|Cj9{nGxf z*=J^TecOMjhq^}&z$tuPECa_EFJ46ApnpIsI*r~_I0aD!r;JdQ8>Pw#RT?|SUMZZi zrBo8A62`3wfI3u(bj;vk6e&stXBSFk3svBhf-2=)2~?#d$0f(EPl{ZSxOZT}_GSs; z)#BE_#vq3xWo&u!~lY+l>9CI#XmE#aK`0zco+d?HSr<$^RIw*I3dn{U=B9C%v?dfVGOXOD$gqS-#(8`EPa}tolQkan?Hz7&!Qjy5hcnm`%Y}tXxG; zf}8XP(Q|c$_i~^kRSu}a1yZaE7B36>7=a=HDh-gQ#v`NQXPHI%7K{8;P;XE+WFTup#jaLN{{q?5%rFhZ4zQh`%6k!|&y3Jt2jsr*8ffl@JSOzNKz zsziKNITf~0m3TNXVehcGaL2fir}T6qe6Yum#51=)iKGB9{gI&!c!s^elgt8MZyYTS zz2cKcgC5!K_fWuW2VWhbe5OCNVP*YeN!!>CPG1rG84DW)swCM-SQYa$Z>VCX8(Eb= z6*hq;ITg2sDhv)!iXZh5@9_W|g@-`icz#SSIoRdjt1xKDF!E!WYYYZKC|+4ad_3)h z>}#(ON=y@;p~fb^{Z_P1_6250nEo6^8~BolC@n*qKC};2zhAffuuq37U%ddJyAD;Y zv!KdRL#WfwS>lTSsqL;<+j{HGN%d4o(PwjQQ8$jrRQM=bxHF~bcC ztAa}7{0LNOXr=$CBtV9upcQ_UXn+D$3|$3PqzPpw0qW&;fhr!Hf-0ME6;sAsU!C4Y z4JMZ|Gc!GE|KfEkTmlxB1hbfQAqxvI0Z}uUjAwTiM(g-B?FG|pRnr#Of^&&lhzx?0 znJj8y=nJvo^<#Gqh}}Q?=pp}@$W2G04@ewAg{zDjAoQN5Im}rLfzf;vROO}t>N22~ zvM#I&A48c$iQ_Y{#b7F8C7ypCXod6_5fRB_l4l2X+JE3s_~xz5Ak$!AQKaW|*OjBP zE57;+H$&CbZj}+@fQdC@>NctR^458;o!DIb_j68`A7j-HjQ0Xn*RCXfnOy(Ojw11) z&#YS9Y`JT8)!b#no$O|$5BadV&#-J7rC*y1)NgQ$vi+OBJGgh}w6qiGe#V={sm7H( 
zbM`F5n2||g8G1=@%E+pWI7Nrk^J1gaLlKp zZ#kgKr2ZLMm1OoJ{TTyQ%zb0}pMoke<`@mlcw{ZA!m21%#beTu>b^l0PCE)*K8xCw zfA2l^9BkW`?FTy#8Z^Xx^w@FZCrzI*d&bN;9-iJbgp06s8$qH2hqPJGo)<7I7%oaI z0dck(p;4f9-1vzm`#f=yR-z&5@X@@W3MvF40&A}8wQ4W9S*TTezJ-FSKQrI5q!qTD zEO9H-0979~(u=E)(4lIH zJ6#X&_l=6&B@rvUVj)(HSeif;XeF@;fvW7}3Y$E@tcaDJ1y(#nAy!7H!hSLUY>Aa{ zD+$4{uZNLM!zO})Ln&Qi>!af1&Yv*I2vy5m>l${^tba(EI%d4Sh{Pd`s7^HwG@}LJD-jXdi3(i`ByG|)T>E$C`#L%s)luUDkHa= z(6zRE`y53J)o+8w)Ze%+^ybZ*$;qjvagGN?umHE0^I_}OFIeaSNEva8UNu6M!YQ7D z5vsr`BUJGOmHL+rRat533;>!WRDf2Z{>f0W3spJPzsRuI{c~b>_Kgj%6StvaTv#cH zKk!8O72yu&>YMoIe@rcjbO3d-JD%kvzr7Yy9A_Y9-D7~%4xfh*%$Lv7gg(Dnk8fJl zBqn0%$rCY>24I3JD3y^_-8)plr}z=55-(SvirQ=fRrtgF2vnJ#;Jv)XZKm8e`+DTl zAe%nMlGP%l2|o1{l!5jxyM~l0TNT1kqb7yc+q7*@4Wbbv-NsFr2#~RB#^NPjkg^gb zN|?R}u)}&IMPkQt6###`X!&ld236NQHQb?8g$7kkv!N>E4OkW5e2a*cVpZqrTR!P( z`E01=^Xb}ZEUL19yGc_&{xoZh*a4m+2_dFyleg4L;%1>p)Qp0Ja*r&6?%Au)q$$&< zO`j#uWA{~DYk6h9fa8pOR``71O9R^&sY6lfhxui zzB)ffR(1L6)l+BA%J5?Z+OjIq0EJa4VkNA~r~wMAQp5_}7lmADfOvY`5sld-8X%KP zh!s$!$}3ScCThRO8qYHLiXse#EOa=q{2{asH2KV}g?>mWA*x6ov)lM9OaU|f{NATh z)@$kt4Tm;1_|clQZ*fbs`Eeoo$v)09L z7uzV$oq=IQD>0|Jp%uy47cP7v500mH_Ut*F9BhJml*WUvzWQoVkJihEXRoVLHeU`V zcCILu_t+qKaEmglM@s^OOT@CGXLdgO`?;EyUrwQ^-33%}ZC5WQe4FNUdi#^H!B1Q{ zTl))iU?SXHTEztCEsZkU;q>#`{I0 zAtR1qOu9a$HBC4rP$leDI-H(YQ%{~qPMpe4sNjKS<5bp)Dn+RTsx+L^164qk;FOhB z5p9o-j@Did9X_xcU+Czjx(qOlH|f+VG4#=sn+siuEK0IaZluXLV&#}m{x|)l%aPB< zhiD`J=$c2ico*=WDbc8c{&Sw%64Ea1_+dOfygt2U@BNX*sx+LU8Pz|moCtu5Qc=jx zlv5!BpvWmAt-xdzr7}U)cR&0Xuo*jodJs^B)6Vi@7db7GGDWt)UNkd#!I(O*RVp^IaUF8 zv3xeza&@ZZ%SBrKKvrf^py|&)j8j04A-g+vnZ-%I@Re6y?bNv|DeD0%SKHzdSdWH4 zdO2m3_Gx|>Uhom3z@(HA;wP(z$wiKYaru~7Y+lJQnKE_yGbFx0`|PW)mU^S~n-o!$ z0*r)O_&~1Z5N)qM&ogu>6PzDLk%B7G0IyuX*==pK|AEA7H*Nw|j6)>=iUxRFsKS6; zxbR7Spi0mx3#!c90UK*pq@PTSiCVomxZ^61(mvA*fLW{OIc!^65RwIE5o^90^(-D~ z-tMUF^hZeiCP7mRKi>0n=JvvAn+lOzh^0LmTI$Hg`q5i@L~b8@XxE~HdxQ7y+m%mZ z#nabYURmpcR!Rf3C01Bnh?O=GHioMw$>Z3#F`Olv>WuM#c*34N`+OEnUok322A$Y^ 
zUg!3y*1f@-vX04PV2$yeDjEn^oh=KW{b*0||9({8^5fBj9uthUEKHS`?50)R`uUiq z`|W({XwZ{sQKSF+o3*s^nl)=Y2G&&9(67n6o`bUA%6WGEaPL&BYrWFORag9q^mU&} zJx`s=l*Csprtr~u^iOry91{d*3{$vc=Il9im*}W~lo6*y`V&?KRNV!olEuFQRWc0h zP^yEQqxJ;q2WJRDn|_sM;5k5OwSnc%|x8D5w(k z5417{su-61i28T&%I70D$97y3fiY1~rCXZ&oT&~}F>C6$)FphvR#TgsF7ILt&1bZIj|3M&Ca zl$U1-Ias8P9Gxa8BvJ>MXf!e07=RcHLn%ex;_ZN6%p+=dkbk?>*PpmK98Jn0vK|?e ze)aRudG5xGyu0H(pb9cSU|Z^wix0boMR0w2K$R(6g(pV)?9!FRn-6V@N&u=%;VN5J zWr8ZD0n!gNBUDKZne>wtz?c(qHcKr0g4GBY(!AwMvSn3z~BbJmIMe;Gw=Gso+i0Kes<%&TZI z`yK;o_Ws}|O~cxhit>NvQ3n9v|^-lXP466L$WC$n*y(2=|Sz9 z^z@V5HG>vlq6e~X+hQR!B7-?7C}jG~Ie9=8-EN{(JQR`sRG`YJ{vmPXmiq@<38gx? zFD!EB%;>E>j;ybAH0-UTYhR2F(bhMyp5o&@PknK?7~(SttK{hsT2g~8{|Drslm3ba zmALjXR&bCOiwsVREF<54&eL1Ny2r(=OHWTmf-sg;5=we)C&umvs{Vmd4AVjafQQCN&uf6uVT%IU$3Vk@h@P2xcmc4VChDYF# zp6*D3C%O$eTH59R`6rGdB?PhF*kls;6B1L{V`XjVIwZ%r^B48(*@t{csYu_XS#$m( zQv-jA&&xNci@du7E`T3~5Ce(f#1CGOuqveHfTJfJmSq%}8_{+7&P!k35T?(oVpTX- zk`bf?KpZe`^W*8&}yWv3?>Qk`=tx-`Rg|QJ?7rnYm11 zQZMj1(MC>$KS3%x_TiSE$D4o4VEf4*Q%ihtq}aLLT1){G1mQXo_RfCLN{1?iR@gL= zj0CE(WWem?3I$aF76wy>kO{4X3mEe&)~(+}-jO_FY<^(i8oSaTk7LiCy`O#d+19N) zu-G0$a-=8#6U#?BlcJ!?7I_V+)wgkuf_p4zn%wn$63Y+y6+gM9$WIxS65ChYT-aK6 zDGydfDcbn9HNKB|`{d>)lQzC~^U`j-YsM=6y&9S0`n6C{#X+ye<&AGSUNffNn9kZY zFL!n7Sm*V{18b}q?Xt?vdEU?_C)3k#`6!-=`4uOP6)s!1ZNGl~rpaf^$jBHpcqsTT zdGzD6aG5?m@JvF;BSfQ+4mNmbN&?Mq))N5>U)~)){KSc5Q$cksiGfvVqPkco-7cAP zDlkn7sx+iBKo#;|^?4f}_DXEO>JaGj<@M`Kc2WO?Rf+ni1VAVigEQ*H+45fd9Tpxb z;*%Wl(HFK*rN+a3Ie^(QB&cT|5fzO9yL<0`_MAe^kO#_iqlsrCbItg=c!?L9nCmEa zLN+WPri=p-9LhN8l^npIqLgvq2lETGkv(X%|HfmAKk&8uAz6V%7umVBKYzFUoTw2Z ztyIMVtxyu^^KmDIN4HKJpz6$vw@#N+zp|YF&~kC00F~ahvh9IUN zHaa11$5eZksvTS&Lt2IbiX4c;gOtZ7L|CY=>D$y>Fao*^XC#i#7kPMkjdCBu1|lwX z>%H~X+ooFX^bGmx{Kf4%cQX!|r)1fvue$349jS6a6+=rwRob}=1^rGqc%>AabD);z zj>xn#LiuxpDqOGh%(J7n#=o-kh{Muj?bjtz(U`%nSQXA2^Fl$DFgoXFkeACIf1dXTg2TA4bV1efN|7 zn&}|LH~)sh^hxXnYbqgGl&Luy`g-J+LHqY?l-RnYglQ2gL)JQ0PCRqb0P~*;DBQ|~ zR@6#TN!kQIjO(h@qo=F)?LTng!i6nccdXwKe&|r-#Gcu73Hv|4Z}oxA$|$x%e5#|% 
z8!O$i6Z81YkXDt1aD`29+Tl?$F|^Rlqwk!XR%y%Ac8UZl0g$>$XC_qpD!O!fc%igi zHNXAhFzydSi(m-gg8w5I={J9(Vsreho{cMJ#mKUkDo^U}ywXi0gIw6qR%OR@tUPaY z_s9c##WDNz(~G2gozE&#!8qKqbsK7@aX~aw52%8NnxG1t5~woa6c)yoQh`&pP$dsq zseh*2zsNm4XvO5}oZ9;2SFz8T#?PI;MUnm@`q?u(VDyhg1wM?#y>?*%a*7z+0SjIT zU(+UXpGR6+vZ3_fSyiQ$DT6ngB>-kqsw}9|w%}pv;qEdM1***IpT4OguJx+DhaZ}I z$iXk8R6y$NeW{;bzG4ei62(S!K`8XzpZMC6gAR*g9DLKthMdg2a$VFv#(=OYMui%& z_vHXb1;Yz3Fp>qpOW-?=fI<36S*<1&@G!Q-6B$KtF+wvssO>P~mmDKx(J1svBdvl| zitasnva>J=2~Rv>-Y$e(4E`73h;`yJ7?yT!4HERz5e;Qn{|hdL}& zh7BJ{LI{_KZ!BE|aNOxr;PVWX`3n{iheBK>5e4`rPs51U#$&bf2t$!SiZf$-sdsvY zYv9MossyS)D_9j6{mP>K4t^&c794SybKtFoJ9ot$7gojNz_X$;bVUF}!`yf{x!kfN zxM2?7sr;`EQSmAX5VQiP@`fsING~YqRRP~h!vJrh!yF7NlD4_WSR1m6}5fJlzKrB!%FYjvp+Z_?9)##Qe3@V!%EnE zY1A?r(Cl5c*9Iru+P*idSN1w4&MY13IH#|bh(T~B_N);;|D~j`$G?nu<(qxgcfLeb z+Z?-u2vluy(t7{Lx3&@<%&21slUv++}-3rgGu9}G9m`B|#YdgCc)ju7oG)kq^KOQh`?2zxsMeSY)Av zks3~UCGq*zn=|m-A2d|SFkp)jbOx@5RXq4DVw2S?{ljupI)pQ932d+}=b`Gf%+qHf zM9Hbgu=7Wb#sg=h764>;n?@94ViE@J+i!qLKdfEbk&o@zxraYQC)>Bokf0wA=uqXO zks~M)LF;_+;OZEm3eQbJl@Ke%s`w;b!A&ukbhOekmjtRn zD^cL}h}BspCe1*sC@!77&7xKeP%mA3^vJf&A>CFkdev{{W55=Z9eE%91Qmry*5!zz zKc~I`X5}ZC^;1eoLgC1X5rKs^Ei1cu<17hJKBpa1mOlyAO9@W~;eb9u3G@p3XDCSrd7>%;(unRw!c91sz>(vKNP%B zlKLE$&nq76Q{~W}MaPe)=+)G-3#!X>5U3KIvQ_^Cs+eCiCYqvDpp{T6fhuq+8>+JE zRDAx$wE=4*3(P*?FdsW`%3;Ns=T{t`zc1y&rK?x~fht~4etfZ8;NAiYq8%0-c35;& zb8Z99O+Ao~$E%k4wlE!df>aJCbj9@1g8pRC`uVe2w!gmk zm+h8VIYo*aV~Nkxjo2CKD6!|pSAIjc19li*B0)hRp(M8(4Yf<%`b=ST6&?XSjQzKB zYqx&2e7{X2L}1Mqvo+lLv|sk3s&me_GD};|KBK<&*6A0sYb$-!SW9bXb1P~qX;8IB zgR0-{Yz2h@=dn_pC;CVXYs|^t(-wu{#HVMRJqJpE%H?6ML36S{xoh}lTtX6HjVZQ| zu=<_w)Q}AcL#WHU?Exf|K8c9Z@DX9nPKVt2DGjJ{hpL41%!hrC13eC&Ne(mjIn3Do z^qk#e)<=GE?Yck}uGgZyiSPMEJ9s8KEJ@U$$~V1$U;5HrM~pQqm<0k=%nNWzL6weH zntq-WsS9Qbw<1oj0gbZYsD3 zXIaqSY02R11;U*1AK^T)NNI7UfOl*kN;ytRVFeYAohSeG0 zr6$>Z>I?^9<+!dnLTpQ?4pLtw2Y7=?$tlc4bsj*Bh>RROWElIwk${9FH8l}ygVvo3RAo~t6I6-shq=gtDm&_*5vq)o 
zimA=oliN*Q{))1PKpv3WFn;Uf8HMoewamyRV588X;uC3)6bm|6;|vc!6FynC$oln5&UQZflE)mc<$dMu(>m1?{g zQv|sHwJ@tXZdPxHhvVKBLaB-bE3|GIu~I{o3av`rfCx#3+6~BKl^!a^VI{39pvuG3 zr@|+T&zVvcq)_qrfCF@%$jE4(BOgX|TOTuotd1pxxuloDL^|;LX~Xs2Jo3fxU9(F~ z9^=KMHcua3Vr0GTyk%6-@pj3Mb??Qt*4`Yi{m%QZ>mNLbZ=38`C(eCTaG(q3xI9T# zHx6O-2?L`*6(@G{`c=ohGZbLLWLxvu5ZiTSpo;%){JacQZJqmWVPTnaPh2l93;N~Z z@ly`O{$btHvVrBpt*Z`BNvQf)go+B&sfx=;MxXOA^gJPY7jl;6^m^%~PMtc>m?10(1O#7!MZoG) zre*2I@3&Yr!XN@`?(7y&g`ornNe3WFRRzU?DtXdR3p;2PzWU{N1p(vB724a|wGT{0 z6JheRe#tD|dD$%_1J4>;iKHjd@HaUXy_!Pt2aFCwhai$QVBkQR#Z1aGg~&L08C2pi z$vyGNxC$;7dxZKhOd)o~1)elDmlv)$G1Jf)qMbVe`gcxk~GT7{4u*<)Xkx%=h(FR8nbyk18 z!O>)>6nwIVS^ggsP!bJu~Zyl+5$qRBo?F z&>_LTLA-OHSkE!heygJbjU$4s!$aM|fUb(#f(W!KORkVmrF)Fq~h;5qD($v?%YDv5vh8&NX|a>2Nu)S*CB_dzWnB$C5Fal$;`u z&dKm(`K_D`8z`k{;Ex`BWxacza$IT>E}uB$L^+z`&N(A=l?jWZY*>GX4R?Xa>K*F# zc^kSH^()lxQ#1f4j~-4{==%F-I7OgJMyV<=sUl;dB7>vC9AiSvVgmQZ`7MZd9~SS> z3iKh02QBbgNK+Vnl>wG~A4C2zDH35KMIzh1J^@yZeIu&WriLuah&z#;;*paThhZfH zReIh(=>SABl;Bh`RI#SODFv#eey9gkdfq>ltu(2CD#j`Ytf~-$T>%FB!Ub9ZRRp9= zl4_pJ5TuJeLE>MSU56o4Wr+`1T$t(*tC&>(JE&rs-MxFC={I}M{ASHcy=Qu2v-&Sv zwrm9(VZ+AFxD8p15HL`8kw4rtD03_~ejsVHc=@m1z}dx}=fuR3;pi#M&sb zgsb7Bk3Q+w|F!44b|p(!563%n=wNc}Bo~sIE$a0_Gp6bbPaoGX4#V`!Y{GWTdEooN z!NY`r-+KF<1q&CWPNU%AT9moL*aas{PwCxcQi6>R8SD0(!=Bad`pQnbI`6BYig~3# z6^0eYtYJi6P1B5GB*Jvs>1VLX)nJ{Y!45wWZ#@_#pvojkV3}zq4#1`sSx%aKrn(xc za94s;RYMi4sWPaNXeGl{Y9FAE1X$_=%u0_<37nPW)?3t9*A)aHUy>4P>eACy%L?Vc zzvYP3DqZFFR#$_YfLv5}Pqc5G;M6JJ<>ffH5z$^VBK@|72U;V$c$(4&s2EmCj+Mf% z&_%5NHdN8-7a^~Hi1<2S`V|#j;YrE&Q&Ljt0P^5LX*?@EEp_emw+U1!xF9!3_1!Uh z__3w>?;lw-Y}tgNq%|p@-#mQ;^<$NnY?v5srrUzIyXDQ?LzzCkQ-fyHDGbjsN=|-$ z0hfsq&iOEx*dQrSea@U}LW1V|@4mM(T%zpLe&gHl{nkz?(+!0G9$h+0eJ11u&!7Au zOg}yNWB)V`LSs}*hS=CR0uzd5Dh*ZE3u~=P*B{TNs@7CWl&TC=$@;Y60Z~E6Vtkjz zd3+M@HYmZlyQtP>Ur!|W`8B#3){N{tlB#~mY+s$Al`{RX_c66(5leWLOlFOJ{Unzz z$vz`93UxxUs#uj(Ko!y}DJ!?mo&bX#z6Lwb z2?GizKkMBnT9{E7Q`>zFb_WXY9}spdO$Z9hf*?)i{{d7%(sgPyQAORzGD~4WMEKea!M*N#2o{;uUx%O+)DOmp~oTv#sWBn-GTU`YZWU(J^72b 
ze@@o*|FsZS6-;$-=gJgStNPcp7mD+L<=JWr+G^=qRZO}VrM&`QeTnwgM(sT#?L$*R zdjBDS#a8}6tTjwR${bd~u2*gdp3IVV_Q@ELh*SLPU>qhY*4DOdJ3k#a9+Ok~JR1~I zgy@CJeWCCo*DD8$3zS!XtX{qPcnDc~6usaxYL0ICbFTh75~`$O#g$6K3Y?NYK=0h^ zjZUTtm5E7+8;}_57Egn94#K?JA0fQc;1>oLmKPs5k>1B9E&pN>@~RlEN=mFNhLsHF z^4!rtSUA!tfmJ1;itA#1>3o1ym8~diSP5o@Vpydm*d}?un{c)+z7+ibEE>56-KwwaSE?lKVtW<75VOvS3 zlU~qDic=o0+7n0@MZ_-;g{Q;s8#iw3-*1$bR!j)w5u*i>8%_yL<#F@LT|0NJ6p^Mf zkc7wYz=9FGW{*(SrVy43FXwzTVEwdV>i5@89fqG!ft6!RMtZt95S=BzSRUxorOR$^ z9uhuq6ks+|osWsce|d>krks!5z{bY5GT*mK*(VzZ7LJ_p;b4V7FaO19s2diWt{63Y z+&gG=>_KmzfD|i>X{NjnJ@V+W6B4QvoRUzb7_icw;^y-dcow>$k5ke#mWfowI295W z91Aye5V{E+B3px-HGl7|g8D13F_(5FDf1gpsbOqY($F*TX%R*I7Gi^c75~v!fEuw4HLS1UrejQXfYJc$8(g3U64|ZQ>R(920tEebT zQFKat%$YOql!Y}bg%)@e&m`(ZwiLY)sg7Q^ZoLX`AR#|xM|4wa%cJv-$1_c!;Dg(ikT*%D)Z{?ZnoJ1l9-$*PE1IqD^?Xy zg^IC|bA$OtUt4#G`wtp$Z|RWLK#TE1-&@hAKV73QdN=0%RF7bXFB^`7%5} zonckV158Pd2=H9*Vl~?CaC2wl8g!I{_=h}^g>6ZAsiGKr)i|a1UxHcKYmfZs`I6K>OfZpA<=>coH)OKYaLVg=%`-*@_9y%KIL(TSvc&-? zp-RuBl29d=j1s7lvXo_oDyW!LEV@deO6RmM4^@uQX?1pZ8*FqH&VK^dXs0F`vHY>8 zkOl{%4NjyP7$@iySItK*89)E}L~6WDQKSm8<-dh0b_>ItG8F%WtRl^nfAL&mM+ut^~uYj2MXaTs(DzQ zw!?JdqQ;IJPc?NyOSlIqW~*Fvg&XX1(2zILpV6zKpl~0M^Q0=U{n5u`^uF@pN1t#A zI2+7NKB<;bWl#Cd_?OohFNQrVztlU?4cTdrZq)RVaGZ|4K4>Z!L{^Nw2c>46|OD7G3k*)~*U2{fkn>pORgp01c536DIZ8=S-FJk;Q- z<|KLM$8b1N$;Q3<)rtI zB_o{@(gY~MsbZ*-i%x+mR7VCL50pu&LDpstj{A*vnd|0QTqN8qd6Yzuq#gYfA zh*hDcf>VS8NNF+Ftn<(O<;njRs_=@lOrZAZiAVLzCQY06dHI#M-g-wF)T5xP64VRz z$Evwa35yl0)^Jd4ZIlG=D%ezAJMoW40$CnA2&jVocWb@qL64zS%&8duw6KR(tA8SY zk_CKmNbzSbf2_SaLr~l)TKn*X_G?@1cfQ&u#TkprL5t%O zSPm=!E@bWcje4J{@Fif4-*3~Vt$bGw_CPoQ0D{C00fX5Hqe(9*7{d)>KN61_%O}aw z)jQ9B_EJI>3m=)o4;m5DhAiL*kH0+;5Z~rtkg)Ohg^H<2WC}+gCY5vrpiN;+5wXG> za5#Rvm55m|$r<33fGS;^MOK0IhqEs5IaJ{TWDc;z7`o+Fnq9?WRG>;RtbnTWXeD`o z=^1GeLC2jf-?2QD$$B5fxK11E^MHp&{|PV zFu;H!$5vS{Z1B#)MT<9W+_Y%?uv5$4q%aZgwbhe{uAMsEMpp$wjTCI}ojYvq7%|jP zWwvtE!3Cu-2i?Ni-iCP zdK`V@w4v(Wi^^x=DJ0n<2k1W&dgbJJUl$ht7n;+*@|JsOha#!3#vk#D&zX| 
z_4D)d@bh)@_pu4~HjHqa5aaZ6qJ2XgdiZ$Loa<%k6dTFLDgTK7%{xpvY$(#H$S%jF z%-kU9kBln6lf|9onX%^k8d)D|=i@XxH915_Q@$ z|5&zi6-)0QGWmSbwb7@eg*~;w$zZ*s!3Jls4OD?stbJgMxD^8>_HcZitoig9d|#3`M(B%xXozDjW3Ep%W8cG8zR^K&gKH z`qhc-aJWy$j-z}u;uk_DG79n`m-g%n`Rz+lUjlr=Ai6{Q54}!RZ$8a`vHZ1&u2qGD zN}%ck?bT`8FIQ{t>=1N!QD5Cl`)hWEhsJRWZMadRMtb|4u45`vdYyOy{6Nm10u+rJ z>DRW^`xd6wx(y=g#6V0@tB_OExuX3d&I$3?8cLgbUU3M)L@ zzx$>FRm>|1RYb-^G7CPk3ahgV9)+91S_d&dv80%yOitz`3Kdfn7Qou4Xq-mg_6;Opr#M6-vmkmF^01DbD&l-}d;l2YHUlx{D ztL98tHU8B#lLyWpGkEosVKyo|MF9f*Y`Yf?bU*US%Be%tP<3SSNXylwF1Vd@N8Y$` zoulOD<|)TYNYoH?-nwnO@(wX>c)SXZkO;{%R$!Emal%KouTYLIH?~e6ti#HohrcKV zN98jomknPqcIdwCn~)ET?K^kVKgh+!RWBldt*2%P(=tzLk9zi$;`;ORIUDG?JH&li zxZC7t=V4gBn82_-@#&EU#bmf2+meJ_xDe{+_+M=UQnX40{;=**W6+vHEo=LntmSa1 zxR=K%!v+qg2K%}!hzYmMNY@aARi{%SrNJpRRFyNSO1XcCh!U$x1clWm6;DUsq$;VW z1XM|F6R1M&1*DxHZXH_-r=M8(k%H`p5Rf4%L$ZTogm*xF=WV_ty{Oz6V!Sy@i%@v=2K=DHaNxt!WswQvoDRB>M+&Ghk9^am_;BC zg=#Nr!U4sfp=;IEsiJEYQ1un9K;WypYkx`B{#5}`vO1z; z;<`Nlyxz&b{q|@snR~*lV4zGw$KqocO%$bv`uN`aAHXNk`xbTD<^7CLNJ92vxg(SL zI`BjSHN8S`@o}rSZQlhp>3#Q*js!?1GM~q0dG?K}#)M!e{4k>=RN+V3>=q%6DQKu$ zJPbCwiveK4{geJ`Y$yV$yMx4=I0M%^iRcwvi;b>L4gL3cM&0GiRLlx=T^X*zwo*eC zXa!DH2vtl2?ui0b+#)qpNyAFz11#kM0#$kmR@~Cm)MQO!SXi)`ljS?6duj{J+M}z- ze#ju$ycWQL7EPN5C|kc|J)=?MzY$q7T#mPgih}oJTM&h(FCK;C66_mCIKAoZVWU8m zw5`-=g^GfAOL>^&7U}f?p~~^B*>fq>Kn}&0l?!p}&HZ%v{ISFK&MS4VDJX!EwRYOj z2l3DUncw-yn%C4&bzs3rCF=_B-;qu8o*;34eL}G&<>=@91CN-{W^M&Fo#dN*A|^IL z@%u56c+iTm!)K^(vS&>xS)DT>?|AX}0f`R1w#*&4VC=B+)Wm)BhR+={)Y8HdoI*a3 zsR5A~+se|?y1dDzoSTcQ8$}5!!zo-J{+@f|>^tDo*R8~v<3kBg4IvPL>{^0aZ+b8agV<9sO*Mz$t1nV~?H+N9D!RjEk@ zT1oGpTrzkhSU$)Ha7uwHR+$>Acsi9qmEsryr);Cr+MA~eKR*D3UMdG+YkVpEHck>j zE9wK7Bpa9zz)BQhEHO011sYjoe|{$7_Wg(dEmV;Qvu*oMJ$DmAlDet;4jf|1u!!K> zKvBDNS>%^-ALLL(iWDY9yC~NX5gCJ|1+%c+DH6VP`HHsfs%q3oD%O z6@rH{_bT4_B~918dF1=yoA#^8j3MMLJ$2o&tfd+d+g*zIAGD#7$6vGO@5+Cyy))wp_Lard%7SDRS z{JyXWD7bo~*a4{X0ZNLIw0;kFvR=Cs4^8kfa#b9SK6q44ri*^lD?GzMkjF;4AkXk*;X z#rlJo@G}`1=~-Dh(kH;pRO1vnJW$1KS9|}Y@+NUg1yus46sTfNN#>G-D!J&?-amDq 
ziUrG%P(}45qjL!jPY7DCfF96_9Dh)Wmy+yol9XoRyF~erpOsz$b!C4} z)IQeLR0n0i8ffR3NS8|Jf3*K7ss5+FC~aZer=_V?BSdNywU}TJ-rc8tbV@|NevHum zS%Fs#&jy;zrY+mldt)14A1WMICwb=BBXAm_;^PvOWu_=l4+Qe%OWG-OIPNMpnYx{7*GHwds~Z2{ZeRQI&N}y)c1Fy=FyYhN zLk4;z&SxK52Rt35iN)(6ZDBiP-1pTf>l|{ zy4tWp(_;}abPK9HRF$EuOSF_{dPZa~_)=E#5h` zuZa*EduY^H1K%Ka790!&3(mTm;mzS-lovt&<{iY>*NLqVlJJoIPt`x?VdU-OgCMO8 zt)y*bcFIzzTdVgxDFcWT0|9>ggc(vD8w9kHjGbS_)NW>&KqY7CFfDz*53wAQ!HFNJON4QI}G2Lc;MwP$)If z=mT=)$~EOw@87w#ap7bMRnR#M7Ys|V@B8PakFg0 zj3EmqynX8A2?eJlTJduK!Nc?BFI=~N1AfTzsv6GolV+t*rH@mBpsp*RM5FfsCU zZRmX0LYw|46h8H=z;^yBuGQs$#`Kv&A>lw2qNG4NJRcoM)v!JKlDFf$u)w2<3Bd%Z zWr-CDRT8IEP=(Xr8Bm1)uiB(iLzP^BSXHGsRpR{vrx;n6u1#!H!WOeASiT^jMU5T<$scAWMi zy?}cwAJZ0%6}6b4WI)V-oNfl)4GMhG`y#|YB377_)r{yVUx&fM;ZV8d6M44zsa!+l8(f{gCacS#08yG! za3^%B6SAI?F0ohWRK@g(aN(Cm%Q_e%QZ3M?n5)cQlqjY&+h82(*6zR>h9Nx;c(dFD zv*N1#^{8?jaRj2pFgK8qi`D1sEZNuO`iAM=P7V&eYUO;Kfp&IhaZbu3 z%HN!-0#y?Ir9H(>mRVF1s>lWNJ?HCUJ2%jx9#5ID5$09Z&#s#PWj~Zgfo;xiDd%<0 zwC3pp#nsV;Mr7E~-R`rPD9_~NB#Ieg>@(1&n56=zbXJvOQZb(;p+bSGk|F9qO1pSYcUInVaqq0?%ls)7w5v}7EF{si@lN6?3RCKJXyC)f%`1A%19<2V>zue{qazth? zhf}*{Dm?9~-$asJxb@XKkGLj>FyUdI)4wCvz#?D#W{P4-Vf8Z`DMu;Es3LMo#yXVs zD1+^OLXTpif=~b%%s})mW;OGZ`3&mq3v0RC`*f)0#;rRtTqPq`3REd*RRUGmR^<(= zGCn}iN@rC)Bf&~-SV?^qX&`-odT53BRR>rp5ZEHZ+&mo@*&Xk1aiFE?ZqddL4u<#f znqgM8K^BA$VRsnm&?KH&B&WPsBdL>8+b|EIAO=}?bhZA>%S*6{WFo3WD+ySN=ZX!W zN}?4Ghr>sX78Vxc0*@7$oSz-xaB7Ctkq_K0Mg%xbc0Rk^!NE=fmc%RzbMyJ*Mjc-! z3?=&wZ(&a@p7`e1NiS$GkI~-Rsl7H|d-((R;~iE^9CCVfaq&H+SOlQvGEG08T6+pEzQT0K_tq573O8Fp79|dHGk}g)w3rY z-u$-c8F$xIdv%Vspu4j6{c>t|aZBOap6k&0No$l^((93FI#A#vVqDA2NE&uGE z`3~H5IG<25D2N0+NiQE3x{O27M(y;G7o05L3-sNm(Zrx8F{I)oaf->Q#wi7=^l+*& z?;pBciB%;OJSm7uqEt6oTnbL1NJywsaEc|#+LZd_%{%w(qBA<1CK{OM2?+qoK=D16 zEL2k#xZqIf80nZ)>zqW`nq|(aMt*;ha(YzrH+E2kP_=O3VniZ!>bMWc5IQ$ibBE&m|S)x)nX!&8^} zWzO(SA7!69!al8+c|wb0@hy(W*P}=U_596rm?e{ZnQxM>&Kw4+AObNhF{3c~fhUj- zKOtyE(OQ(T6Pes-zoG@d5JaxwI0)s+3&8fE z4J%AJ2J2nA{nbz<(Mrk+X;?|9l4zBfl){LK4h{{p_I6%<=EML~9nqa&mfb-EkE4R? 
z4rL1h2I-%onMh`J#TvnS!uL|sj*G{i_YsrLRw{BdO^96b#3N70Nt%$wi z`jb#~!qoh%y@O&pL5PB9B|piB(Nqau%RK;9d)6+rJ86^<5#;6Wx_bFk?bXk<_szA} zS82)CFX$}C?|Gf?$8}A0>*!+f{u$eYR7mGq)HnrH*`G0r_vkB|zyFfmHS1izQ%2+W z@86G&f>$RjEa=>s(eCbc;C@+qs>JoD!YM?J7(SN4c71><>>&D@{ZMW53L6=2XHih& z98bE*3rqQ&nc(t4mcTYg)v-L-#?5X@@Hyk?NKZ|Y218z%dlIUoce?r}Rf$zq+?|T$ zAWbSAR0*77)kvs9V(W&$DFv$JqEnkx3RK;?eRr#Oe4A4xH9yfg(MU0-03#MMXeC_z z@nW${N-(H|YXxl<2*bMqitPz(veT=@F0U55z55*Y8*wUhgjwhWoAAZ%iAy~-TYWXh zBeJaG^ON&0D-%Y}jq3ld465)dAQB^^V{yVDY7{1F_4lm)B&rvI6%;M*ZDe%Z!9$0e zHr1~&NSSdV_I=LbGvtO-*;T!V((NZj+V4EHU)u?M0cEIDacx#9r{dCxzY1Q^7PPJq z0(7lFO8DxRMryBouD!WLM7wBt|IkYNt&8^O^wI;Vwzx}3KT;9(c1ywYqsLCJUbBAW z$Wg6YSA0;tul&oGAAj;G&jrdQw+JDxI>&#tDXn0{3!;X(1eukEKz^lLV$SK3o1l18G>P(F)PQD34Y!h=`do zq9Xl0&dxL6-%^*HCG0G_0|uBy$TWgk4-#4_GWMApgs2|Ix61LTk4KTOlVcU?HqY1B z&Bxc*r=-YF)wUH&WAoPSvu4jUHGJi#tRBLHcYVp91;hW$@1{O_ghQ7zwtF3%TqIyE zpE-8XxS@+D3|%m8=#oi8l3m`=-dLl(u};`Bmj(fI8Q#s8PJQ2K-ar{h;y2MELtVzx zt=qR1i;20#Hc^%J8#fbXm4noE!~F*om6GBF6ij2KC=>DejT=zOm6viS<`!0KR!kLP z;`^4`+j~VZG#ym^oYmo{%np)+_cXstQTPj9rw5$1nCWP@&CzbF)0u7dr&pXcdq2}h zKeK>)TNwKCw)Nxo?>9WSf6MLI_I|FL%i{y5D z6V+EgIA;5*xwX=5-o_q9FvnxLY3O2lB$$+{h?fy zHK~fbQ=y3gQVLGtSYRQP#i?SBx`Zl}J&9AOe-fuyVrraX0ZP?Tnp8;mX;y)COf%}9 zOsj92E=RND2`?H4%Q5J9&Upc4et&D5YRv4-&p!|cV|k(N;^u)ImU%;u%2iY@ zKG4ru+Hc)NIdt%aLbW%SYOhS!UMi_mA!@3ZDXFABiZ-A6>M9ao(FE8*P_xz%zp7!xCXgs6x9_LltZ4nT8c;rN>&Aw5SrR z>e&%1HB>2vmEs1JhLr+U*a&g)8qx;>eNVVrzvp(eW|U2B+FePR_78~7d<7R178%*W zlqN{9Zy4qLX0ZD*f3G7xzV0{!)o6ulbO;VaL)ohAUen zI+b!ike}K9J$)QzJJ@YMW4qsY*Z4!L`-WQf%JJ@TFYbk>MN@^_?aE|9|GP9mdu#vQ zgr1wecx&CHR~4utuWIQ8ks5q(|9*9W2;$U7j7{JIDNsf9nMxW8Wu2)=LatiF#B)dh zS3L<~VL<}1KJu~l<_7J3YwcY#VOWuvU(khUV8q!5=lz@gQe3B~m-f=fzh0d6P41*` zvPOTCIr6*Q_qA7N{(0dwut`DZH1{@!E1EETPPUD4>VG?~_pdpfeQgJECmDM2Dg1r` zeh$IjyCU2t$2#?*b|2M6XbST%@gH`G=A7~Cp7(ADca&s3=i_aCoR>vM`OAr<2UTj5 zih0ODeJX}3U1Ly*Q)pRAl!}SXkgh)ks#pSQs6q_r#xuBoYN!%Ob??4nQWadf5}bBE zC_O(aBcGjAz{lkqiSafgLRp1)9lRD@|y&7a?XtEkSovb$$(a0y&I 
z^=WB^R-RNKp$eJ@ha(rQ;w$|rR#cZ2ed-ShP6cLB(PS+qQZZBgb!~nH-bHzJkN{Pc z07n#et|x;SdIl+4qI12UmZpsr{qU@hpEPS(wu-FYP5TEgVM@S_9P{b8_3JmmS0^Y; z)R@~2Wb@nj=<#md%H)W3dA=)6E%~o3=c`s?D?01H@g8?ufhr6ua7uxyD>rXF?@%Cu zSu!Stn;NLvA2Hq`fh;N>C`0zIM>H|R5m6)(0!G|4@aW>Tn*~>{i?qXg_tj7(|0}Jk z%ApF+MlrdftYKB!Y>~BGf>ve76~%5q6}dt}l@hU%R+R!($QB`FG|3XJfGUAjaS3sO zJL6qm!be27>W8#vcM?$qX=NLPu6`1!pe=Jf>yzUX@6a~du|JsQeyh z@07M^l7Om<{j_%u|8aTRk!{1~eLTQysVJ{>cKt}o)q+z?KOeJY>$c#K5T=BjL#}S_ ziLmB%I9&#?Btn*3eh`^IF=itPuU-CY+p%#6yB+hNL_O_As&N1zsquP5X zwO?-0p;hPaQrn$5T+`*)b6LJke-cT!gw@80Pjb$8kBi^8cHP(X{XV_e_4**8{fp1n zs!>BMyXH-5tenx1%lt0AtB+;(5}Xo#KWS10dLM~&{W#9CTY`Pl6sNi*;eM0cnjZ0L z;H&I;RsB9WSyY!zaiR`nvqbMt6XSxIMS3{JOw)s^Qk<%iqpm;|VG-RZ?M=^eD2Y-P zTUCfn3<1TeQcNn=V0ow#CRGXdPob%^a#_C;q*&3cYc*6oc=+`z2Xth=Z9c_Nbu_8Q ziS%_Lc|ZRA^Zy#E5Kye>apNYG7qg8THJUzSCca{xHC{VPR&o;%EQlZkkwQ#WW@a@v zn9|(R^&2;p=dMer!q315VACnfq|Bbb*H!;}a6;Foew_}gD5<1CRUd7BpkiCp$4aGbTGDDl08GBk@dn?6J(uG#o6_2PoZu z(gPz!M^$K*5Emcmkl^t)oIMy3kN%FwuWI3@{_l_JZLfzk#aN?eLZW@WNawfwJ&k<4 z9K5`}yvmkcVtRNwZTL2|?Tv_bQzm_S>((vWwX;ZT)Tr65bFJ!$+%BR~4vpIiz^~p& ze(fET&@%&;Pk(R8$Gxpq4PQ6q4RC7V#CJ{{Ga;9M{f13&|FEY*L&K)en1xqC0V%mb zxu;dD*D6U9Xyac!C|y1%;_4OvRN3+H^qMz!#xDg^w090*A_;=W_0`(jhqXl$pXPV{ zCZ$81WBW9(9?7n)gRC1Bg|zrRue*epSl3w{CqqvmBjwOxJsFy5VcI?;* z*-3oSXe$K}_)MEu6S3GqTxytrzKs}28gwLsdh-{;N0Dpj> z#=e0jc(W!UOuGK0_pdxoNvP5zR7e(Uc6w+=yjf0qKyGG4UUpnwjwb(n>V^EQ3m0-h zD`{1g$EnJ^f2=PFRmg3IT!6(U6+%{(PQ{v)P=&$?PAO2u8fRdqFid?TYLKWxMio{S z?2BWm4K1>r(~FQ5(xgJmMTYQ$Jo&dGsoeK5Cs(goTRsI?N?_D@N@b!=$tHl|kuj<1 z8Hfn(4APrZD!0F9zX9MaTD(M0!Xu5<4#0|`>W>Ga`R~^>|AkXQ^WW7vB2y`+LQ75B zqPBW_R=>nOsHy~rOMyy&v;)?aS9)|>^uYQxr@{+>Wkmd9(BL8Jy*+cAi=x#ORc+sS zcQn|vcHKtuf7S2=FwyXcm>`-MCEN)QVMKsIaxgRZA253VgAZrSnoXDhBTHrw09ENa z+Y|Oqg=hN@-mC(uh&UVzO%<^x0#%ZiZWP_&P{_5Lx5`76+OU$D8j@m!3MbtTYN)Ev zutFh1DdG+=#|RedMk#B(AU`cXHzqgDEhqU*cDzw$%b%4; zNG1+t6JTFZ2c9FwI`jy49uwfU#oNLtFHTpyQ%97QC#zI8s~i>Tmgjo?au*aj*9F{=aT+{XTb6&beOs z{>`3V=qElVNtWx$SfS!BU2JBhboyuqOOqa#F0GJ%ySiU4KkPJ)DxRKhP>C 
zJ2}OBn8v=Y#-T})>+{K;{Zo8~rTTx87C0$0d}&tn=G?@?dC8~pGh7OCf-hds6cr&e z^tgXz2o*q;#3>vb5~?aQsnk#<^-sn7C!vZZ+;P7zBnksVodeJ;yPZvL)|D^+Z=ecs zK|Pl8?l`p^#un)NYQK*@{sbioIf>U7DT*+`##g3dH8+4=473j`DgJ<4J}XDpm$1TE z)vpDjxjfbXDBMT8c?_bfa4M9NN>u-=)TEM^^R%FomK@e;}s;0N0z!C zixr2fkmQ{9t4bPHRGtK?@-JPkWtlIs zBm`8&!2H?Z94^%@=_07m2PmORF|5>3#j0WADNrR1D;cg*psFx0{6dCvZo>YY*sU3X z<5PWyC%bh^cI}en(jm#IwZ^H1#-WkMLCAJSu2%zMKy+NCHA99g%5A;Wuyxd^sSXuT zjaI@37`i*riSj!l>4t%-jMbCjRzJ_X!Nq{al)8l@@qJ1gJU~*VGe{lz3by?CgWC~?x)>PwAr#@5y6I$quyfrwQSiE*T;*`KPRoK`|+)D zok_sro!@dh{*vAO_oA8FJBPG)k7@6kJiWOa6iD%G6YJFQcEX!jG*9mw%M5(S)MWD) zlSXe?JPVdMNF&MtrnHA|UkdQcS^6}@Hs z+|GbDsH(0z=V$(#ErN1tgi+ z8i&Rj$EHb6t&*JECA)S?c6%YkqfbWQn5@v5=M(o9q+4Ig3%GVAAB#ZGq>@mjm{jPH z()GtW#Ze}$DpXBrRY|ClYn(upgeo-lCC<@;h%TT?l%yDJlZeR$R3X^;L3$uV_)(_8 zf4G66N9W%OlP0%mTS4Y5Phb7hx9_V6Of)_8e}pQAVufeIsq!x!nv0Ir1m*A&API3M zkWudD;YC$j^={c7p(Cp!ib*ICdsgXVrHA-AL6lSiQ@%3M-q|Kl=1Q58N_x$I^$x*H zT|3}cN}%d3?Ujkz8%wpfH|csT!mM!7{urqJQ@`PkJOS!TZQQh_{62YykW<&LU6CGC zL_c=IR6!Pymn))vMQ}(s9Z%9SvLwVSc!W9xRPiQGX+n6&RT7GmQc@XMue^f;0XHCK z7a=_Lcd% zg&R=Ty_7z{Vzi>l`rW&?Zx!9TS$OkW*7eJps~4lMTnM~;-n$_6_yx`W?9k6M0zOFf z>X+owk;Trc$1TS42Pvp@O-)hiwh=HQ1qQqzKtPt0Y@VpdJ>>IkUCpADfX}kCQgCi7 z5i7+FD1+Kc#0p7L-VGQX?eBB;V@KnZo*D?EvRuVxPO0ow&RlPU?^5C^-?t&xo@ieu+M!2~ z>jH1r{p%KY_x5s5NYLO7u34+rq{*MX`|hX}vuen%r+GHX@M?1YT(hfTEpmOEW_mZj zlQLd=YoGS!X6-c~V2<|ce8%@V;~Y&Io%e6^*X4=Y+r)hLr~1BXXSMk(aHLBmR(`MB zuo)@^s;mSr^>6tZiaxoxx-)Z_fUIt^tCX3D1Mud}FXg`;J$kfm-3pD*XWEN{^{!O( zJmsveFVmggOyL+T8Gl@wb|bP+o?p{Pnl?nTe#~fpGpZFs?qNv3=j37>Jb1{(i##RS9Ukz#s;+F>L)Ua6PHrfI#be3+kq!=~j$FDgtix{~L5 zy)fv;rRbYQ@waYd-v08!-8)ymx_?K(DVD7orxcS)LKQg0k9+d@#`^cwceTY^7-eVCxxG66NymVN%A$YeQ+2uKY<%kgB1&1f)q9p5tg*{ z3{svccuQM1qErgNsW(ukK|0Wi`^lY=U+4C6f0z{&p65S)lL^KTk57RrbR`90cH_UCnp7oO!Y^W#9RjC3%svvx7g$3>=;A zJ22Iw7doNFp&@IEI0Eq?R7a2qP4Z^AsB!%uz7;+>_$Q91=VQXlp`g_>H;$PcQIc6uV3g@c z-k;ei^Q5E{DtS9OoJ#b3`_Bt6tEH}P`+32g&|%Zlq8aJFADQkRaB9!MTZt3oo4@9d 
z^D?XNW%^vm>AI0;>jT6ZS919U)^A?eP%cIa2;kuYuz2}G=lY(et;-#yQr&MbjiOlPmRY%gEQ15h=M#*9biYC0XRVQ*A}$sl@58J3o$ zAb;HYaA&*YuezN6G&0;iB{fZ2RSHy9NKjWyDin3JR>`KwPO?sN=|qjMXU=?{K3zpn zkOZ(MwGluT+mb1FJ+v8ECNGEe#f9KkOm=CT;@Uagr+=pZi0qJ0@*<|?$1EsJ+ESE$ z;6{PlmzVwT-Aa3S|02s-4OIfA@ZtXa^Tivt`=6w;O#~T~HBaSea`F|ZLT>Pb06~l> z)8Iecz-q&nnVOynFE=3EGS-PCa{(u34+O=!XOjx>nCI3abVhfNr zQ6ag4vrSLWoH=tgb^Et$+W`%La;(m-Vu#CCtb&X!Cz$#-b({#quxHKzsSZ>rlfU#z zX;TG`h&EN!sn{>@g-*VrqvD7XsG@F?en&<1QRMbh(YR`8@mKJfQ?ugMTH#Klr3mR- z-}`ERD_w4-N7t1I;KIxAaL?ZT(zyqu5JHl)9IiqQPk6fU4`XHmQYcyksHAQnQOUx} zX633i)T$jl`hEKUGKRc44279D@gK_1@SCqd*OWAM2o?YNd=NlY4yqKx$|L1M4XXkI zsr8J)9X0uCsQUWB)w@?CZWcIPPThSza%xt<$Yj^{Nls0Z92+M&>U?w#)Uq!2r{#Fn z&-ZC?HKd7bz(Fz#0-2;vmYW=Cwv6ga8|9M}4Zsjf@*0?vlPV+BNPr5_N{qM**5q0qAh|_ZrSv(NN&igdD=r6K~5iE2TuHusUmy|`fqgw1=Q76#fXXUEZ z6iZpPdfm_=U3ab&$Mv(QgTPc!Rc`!xVKM^$r}I-CjNjb9uAj|;!BYP7`^WPW)4V$o zw9>Hw2V-;nb=&A++M8!jykT_W=$_-&TZ}E{Y(L7FzWK=LWqU_0-Xq8GMZ0@W+uUW+ z24$>Xy9T34u9V!|^U9JbEWEg4*<5p@k3#H6-HPk2_T$M%24w%5^O8t!)ScwS4?5MY zQ?pjh8jKMG+dRq;C;!)#85aV3Dc5ChTr2oEyBUp1KP*p3>uVSb| z;4?$Mifws4tQqENrn_k0ET0I!t^^wB9eCsd%`$#%Icz@RH{n zV*`HG@;O=4>ty2)*U2$K2PoC0(NIi|igdU}L`D^}3!IWrCD|09l?YU+IO=k`$_f<< zRN=YGiZw)+L+7c!dZR1{xsK%Ikt>UZMpX2>ls1_EtUjh+t`~ic<+Tf+xp1dDG}JBI zCP_}sGJN{yhJ1W6apl!?!>?{ce0?_)sN!dd3k9pgp#--#jvzXKLM#1$I;8sVJJc&P z3hBhrQP&Zz2vP=V=8}GfqYnv5`XR`La%Dx-#omc`qGRItFuu?V07a{P^5i$DK5g2x zrOi4E3Z3V<=O}tthd+8Ynj-c;_~>IP?U5~<39c>9N;$*gjo+?mf1pj(8C{zyJlpF; zoeE0%NvI;Ds<2o2j*7}5l#Qq4KjMWb1~`}%(?o4{nu**eTxBC1jK5@P|Ej>(%3Y!Z z%ImKWP))k+_gX>~dXdiY{Ku1DfBgRIi{C!X zeRL-->%9Mmmd2l&Z(D1*ATIFp{K(I;{fDM`_K<5Fw*!f>D5Aoe@NRg)uTkN-#y3Kn zeHq!D+!OkGBaNSAmvLn%YwF)`upaTe5z$U^>y?w{t5gMKI!UyWVnO-TIWtYBQlExMNQW@NqRURCALD_N3h_AqJt7bhM0@zu@=^rCniss+P-~z za?;1VE%wZ?Io!$4Y_h%01}A%ChckO^OedHhX#3m6&yu}9c=L@eBS((Jbh_t6n>WG^}^M#=CbmG4zPx3FAgFVH{7Yyf(`GyF=OTn6PLChzqbAObybhC^OhGC zU6J#SHKJ_zy6(LcG3c)%+L%s(dH5u^XHi%SoOlls+kBnW78>5KSslO6cvE|2#vhlb zFP|yut-aE>Z};xS*%_9G136E|FZpAw_KOs3+k-VQ7{hJrMcFqXU$`*1`GCH~Yb7Ws 
zn5D#v{x8)!@7I!BN5~Q{G1e#%My4fTgu@mXiV^-gn(fxc5Dqk_T~tk6c03wd!*d&z zM}~1^zOSj3Q77xeFW4M?#qPvF`%`bZ*nH;cu=Jeg-jG0>@KD$Ih|`HKFY(}TQ{$j! z{<8|iav+52(p}^JdXmqFNddEygIAE+#cRI_s!k7?;mFV__*N7&q(hI;%z7j2`Il_sfBRXB|rXA19&q zqSCl(lz=MP4TMBsqF~=Ri^}a!OOx)Eb0FNt)S}m_-cd}Bo&Z50U2yV*EGa^T)1DiP z*axR@O>hHoY~sp;U$K1UD!N&9?$V_^S6^?pdM}Ah3>-LU@4kZ^%ge`)=s!;f&J|XV za)$qYLxC#JpDFS1W>A)2{|ukrscs!oTw04|s2hlGCNR#rTM^B1)6viLyOg##Qgktz z_HYBx;*?eJf3N`vlFpgr+$lT78KqQ06*?+HASWj)6XJT3M_SC0)bQ;o!Hbj6O-l9| zo#Z(<$>TMR>x&wft{O-h4o!v3aT0y)i9I3W=wNj#N|-!&RKCLrnbsBr;WP1GV`F1N zi9F)G6(c4tDq4()$mq~e|Bzshz<{&oe9is5OuXIpy4f#xwwZI*Z1ic9zLrLv&Gyz+ zgdsKJD7B4vq^SE@Jc@^FkY!8>?f|n|6mcT_A!A_zCEeLmZslO-$x|n?2!^cY7QhW%C0>!GGij$hMoyZR~ajUOkqeUj7lhwP6ynS03-hxBg+ z>wd4{zQae1<;;JrPh(6!iB?V~b@8ZoPl53A7_m`7A2PS)uO!50DHF!~4*y@bfLzxMu zveVAxW+wttjFOyRTHaj92wRZk*nl8x*(X)0SMxvl80sIU9HuBU1Z9aOfcu)OLkHmM zn2=I)E50;`2B~iC)4g8I^nIl$dFk&@N|~SPiSf_2kwwJNNX$h4C$gXPwgv`*k%d9JN1$ zY5%BzE`sPTx_Z^r%tB`>)@jh7;TvxZfJQDYP01dIz|TFA0-r2q?0r(^F-u|lp}%ON$~0y&qn@Dw>PD$&Pr4)ilSQPr6JRk@NP~viNmkiOr!!;s zr-v?14Hyq`UE|QKcqu8)HwWQ=L*k(*QWyvS8!mks0dvlJyH&sBw*^z-&GadlYdWHZ<1*gy-TE@pe{ z17T)+>gYN@Qlh73sR-RGDiGp$^f@6Kl;C(IX!3H;rsOZYF<@Ya_U)9bQ#Ru5Tlre` zIAHk7>z~h@^I6kbvu0!3!xEHpjH$bGMPKCq54mIAPBig7^_+w%9@hQDw!h>J(cUuD z-Z9qR+96yP1-+i+bUb?Kr57eHsRFHfOjx;L$6i*4oH@iePMkQA6F69VWr~*YaakI} z^~jc|57cluS}W75@y}V$f3Jh83t?k=c595w<)G0adwU0EIryLM@cX4{_yFCG2?B$1 zjcmYb@HefsX;JZK&z!NR6)B#aF{7KGF7CCVAW=*dR41uP&EKD zJa1n{i1-n6k4Y$oLmh_jLzd`)TwRjeODW!iGs2f-Ms3PTvdT+yPW5|>_wPhCXDaI5 z(trO_u1#1dil0#Uk>kNVz5OgwO+GAnjBb6vIrwR+6xVgNvcgn9vi6SFT+rssa%X zG0uVljPN|LM#`sdF*(PLpMXOQJrI{8=Kw5%l6pH7FaP{O`(upu8%OQKQvy?NZPs32 zM4?Uvah_g$U0bN%8A_S+>J9CMHctyx-9SVh;ymrmHKO<}9C!{v>Q+U}3hoT_PK=|~ zYu8ihnsZhLJPKJpf|?#ISWq4oI$b954em8OFlNlB^r=*z!@t?)elA(Mf<5D&1q!)m zN~EBI`}X(WQlRRG@9x~Z5_vh_>wKndc8Y13$N1By2Anafjdto{tTO?Q*FE^h%|T?&k|=~T5cN{fZo`^E9wy)`OchOQDnCG$6HK|Be_k{It&cdk zTt58927v^H6H=h(xyEE=vcx1Fk;D6Ka%<^H`@8EMYI>@3y#&|(@zFjNK$Xh2QbScS 
zT7~PQ6^o8!ItC?<#qf7N=Y7)0WwY1W8SbY)aW{X>`B*C_O|Nyh(A-u`9%BflfJ0itaW;NhK-G_biDI>?AUQ9 zcMS!qu0{{A+*iZ%q<|`vXDS+fm)T#$ZHqq8qR5Gir(&i3zNY=uRqs~;Rh`GLd4KAB zlcUFDW8=NOeO9eqbNa}TCppDmzZ;8{T}HaP9232m&m5|GIk?5+)S)0zg4_G8n%Cv@ zFaV8=4k@d{djE4*qDMZ?c;C;ort*l@8}^2^n>7~v+vO`(5^d<)x9`G9qVE{@&DprN z^U)SAC%d{^4)?a7>Fc!koae#d0IVc`6b7k0phXm`6A@8*IHiUvsgqQUQxv91jMoIM zfv#{hxXIrod;$kdNLB%U2@nA!f(XHkW$I$u<0xPSDbx-woVm@~Q6A0T-N1ni`vQg% zOHUer^d@FW-id0#^2F)KQpJ1EK{JXu7@`a>D>_2Ax}i9-(y7YJs;40-P5{V7_J?YE zS@sNd`$!YMHaGRu)dJt^mjfR?$p7_8>S5&{Eg| zQxx7K9CgSf^sH}Ij+U>i#DBbjBWLl_Wt;{X#4>B3st#Xz*YK>DKovhsfM0(8_Unh2 z?%mGF&$P`-J{j&i*Vk#nnG<~+O#d-vB@JrkXZ$|2+ zu;$X*;;BIP!Za3{AMeq`e9Mk@qq20Si= z3E8ZX*7X}Tc#g2n>%EJiicf}E)Uq&YJ7)2?p>t-Am^Xd!?Afi}p3%4e>loedln`!7 zMV~TxY>>^UJBe>Po74d>T#wb}MqLVNaW@VDNI#Aj|H$i<;@ZZ}u(`WQi*Hjz;uyg! z2a6Z0fGYmgW5SA$rp}!C*&G zg1MnV)YA^y<}Xly$)w2A=NVWZrl6rUBlj^{^<_IK{TB(Q~bu z89d+h1qw&ksatpSyKi}!6#J-!`ETEZVn+!MZFD!bQ@m5Rc&8WRoqNZ*yc*}yKgRvT z7|#hYUY|$#ZHzj%F)HY2RLJSb5ZkCo+?k~&l^UnYxc+nnxR3@=Mm3sPO~4me>qKUi z%lyY1+&VA?{h^pJpVJ*NryuVV?tYe}sn-AT_}SXoQ;h_Lq(g@eG~n2SJ##N!7B~ePp)!cnKDjDNNq{4u z3FZ$(2sFUUC4nlSs<4|juZ1$ntKN7j!c{{`(CRJGk^tWO?d_rjE)K?TU9~?YR(P!h z(Kt^Wq1d5p$N@ru@1&4$SFu&`3^+QuQpxl0T2g40@J}c~fZaq`ft6duRnT1cu<?2+CNUOqrMIraE2;8LpbCY79rA-(0=-A_0I?RadHLZH6F|RpJ>~k9*wlDqMu_L^ z0GCNF7O$T@_JXZRCz~Vft&Lh(9c*U4ufZw9dS<%r@N$w9CLms5f5-ss7n1>w0j{km z8J=;zHtM&c(<0 z#YK6?M!LsFxWxt^hz;Bo>%ThAdkQ1oZA83lUxsr2!o8!*5yR+{cAtQ0lEvIaz#0s? 
z6wnwL!hOnsZ~p_KF`W~YqXQ+7B=5(zxD?Qcs0XOTo%wKBjjml^nDB0Gn?p?w?QChh z<2j>k4fbwnx@}|Y6|1}ToID@+X!^#-6i7)+ONW-jM0%lHcc{EwyR|rdtmoYuzA%`rT*`j#bX|)wEZ@< zWB-?1s|%4Wp4tev5_`KC(qh%R7kf-v)PDS$K{G#hx9k;SH=<=T(QMS!)otuJ5r1mg zsufG%r0DA2VCUx6T-yGvjSg?GYqY)b$$iZnjT>XaGh5CY)@sqz;HBQZiTw6?`Q`UV zw82OxRLXt(nUtv1wov}=#fZBKRe+le=M8bqJtzDp9|2ql`A`tr@-fM$mSEo^!L@IK z>#OnJW8-~36C-#JBO%-(A;vQ?#w#&CfT4*G(j-PCF_PjmUZdCp_R;^7i3&X7UXXDy zCJBBy<_YUaFiCWl5$lUp#&YvJS&OCT3>Y0Sp!1^|ddv;$neVG_c@REHbDP6$ZH?QX zIo9>;@oxSuq_Y_y}#XrIF!Caw*cuFv7cw_XAr1J5F{$Ln)Q) zYjCP6W9^sB;)3d59nlq3Ct+|#X-3t>VN4Ib%cJ@7>2dBu(;@Pd=4JZ>l&4`7hv! zEc@49f8*m%#?W{L&)&w(TX*c*vwX#>x$_r%GG=U#9z83=the40?JtRiNy7@BA$PvQ zbN;(;N~n@(C80_|E3Q-rR>f!qZ$!;nm+8Rw?_It9W!|NN@WS%}nJKnu31$fqhB3jL zLcJFTxJ~o4d)Li+sQrnaw#J<-_BU2m3JROF%ZSe4V+=48J|EopNb+w}+EyJ1P$cbt zyYYKo2f_+Mb~(09^!_B#V_2g5z(lv#5}lq;bn2Yw&|Hc&$We$0d?qAg%3P|Vz$OgD zBP2A&SMjYF*nN0i7>H8_u9)&?ixmklA?}Ev5tkR7YBvE-kfKp~@q@t-z+Bz(g+bdk zjXHLyJ9l~Cu?t3ym^Jp*sk1tbUj<}zp0J|J#1(8b?mKG6%vpYZ=NdL@ga@9|Uah+I zY4hGZ`7u7wY5dB!=Zt~xhnXYK(w>55-LJ?mqS~q!Kmu( zPnV2&l+^Z%&zjrWojH5f9spvhw`|#J;K2U3B1NHzM9&T{e>O+iNw-PMKb$(OUIW1r z_VGOj=bW=0H-2LG9zB<>d1=6mnK~BY8vL1qXH0&7-uu%Q4_LaY$M#LFPwcL}dxb&$ zx&|yFmfNeZ_BGp58zU489aJK`f_g&;^7q{0-XiL|Og?R2CW=wkDm=9PR3AImp9igulzgAotIsgVx1`Zplb8&q}r~%=0TM2q8!K z-kpN)zkAFYM=wP?j*QHh@g9~fms0X`LXzXmV?uWadCvE?|J30`Pk*zT z=!C3#qzBFrwUGHg+XfuL8o-E@UYhP90MW@s#4QvTWlL%+0Vq@wU;sMUJ`9{Thzm|w zhNr73ulN{=sQ7A#tcln}3FjG=7<<#*M3B~``vtRN+3FWRS@2e$Ni!OD?Oms3yN(lp zr&2z7mx(K9u6fVpWZTgTrT|s%j(*SD+J@OkV5`S~k*(ifr~rhrF=F;4FRSA4$CXe~ zuZG2wN)$y_Ib)KnE1F?`VVh_=*v z+Ogv$>?!qrT8#LtMxAm3KP>ZNoKis*IHiUvga$v)lr7c&0DB`IM80i#k^@9FdY!v9 z5F3^xLA{De06IBq(jdjtNFt$?wGE{S%0IH9!-n(Jh>L;vd<8qa{OSF(cjP1EsR7FT zFejxRrG_erRuZb1)p}^f%-2IJQXyoWB~Vq2k^;6UDhxCk@T)NGWRi0mBn%EQM8v;b zx&J@>x{g@Y0c9SAAJQ*@Y;rIWEOe`%nfTE+}2>%=H{C>w41f8-@9`^ zd}+!&wZv{QVp@&54cm=dgXn%~>XNtSP1~{S^&sme@n`D#nzx*`>O-K4AP)3zsH*S0 z_hE}+Q`BEqwz0xa9WN~+A(Lt+O`4pWo7=WsyEZLqe3#zA`0y*r=byRJd+MUuQ(7b> 
z#KDn}GZw9w#K3ok*7h>1<6_pTm(D+_-cO5>TuXzF9Xnx#wQSiEs1i0{kAA0)bc?W| zn|z(qCS9hk{OFCDbGuGjss3WqH$GyC5%uoY^Q9i6MvPrJa{21++c&i`+}il)uDV29 z2$cp|2 zAi*{(`D{=jnwm+QO3TDmo)TCM5n0dXYgS`Ts}Wd4NT6b#L6>ja_5c*fsXVsIhAjTM~Qky^Fnz4aEkC4N)v8g1rEu zpddkv%B}6_nvd!^Paeb1o(KYFB$GI z`^GS7yLRib$i^0WBymFY04bf2P9?yNp$4+q*RYpidN3)NBN%^LOcHA(>$l#?xmYn{ zF{!H z09C|_@7%d{`MlfN!>ypa#_i8ZiXmk}#rrJefBsxP%c}^8%7XMuF&fM+5+!W=!6pbN z)KcwOo`G1+x&`UyPRl=Pe7Ww!>$Mut`ioxOD|H=QTnX!G?X&tk_vcN&?%mO9dV>us z${cehp_b*SbI#dwYS!;Z&`bmXGiA<<-fZP6Rr8gt^63xb)f0`L{4o66pF%}w4u7!j z=VJ1b!iGT7u;JG{-?XH_w?lq3Iwhq)+mCF}ve}g@SIU+xD;GlZ7R|qFR$%G0bTg+E ztk=7X>A3}4_Rp9r|L31qhyKS3BAQ2Q(L!}vmFqI9>*&^-R~F-=G4`!3V7sttuW{dT zTwWwcc~SNY6y_>dt4KQ$_GI92)$Gyd>%JY@4QkeZRE;T=6asFI?8TBri2J_b|~Wjx|@4B0w4i?sjEl`A)XH_3VuN$mE~O~sb7SHJ(@ z0W1q{HC4;U#d#=Z7VGsh%_BLHLA4P*laachq8yZ*V?EDx$4)4MFzC>}Rsib(SZ4nE ze<$i_r}*4MQK?-i`pXNI+U`kB>J#ey9al>GLDKS^4ve~l8isTgy0u+&H-?E`jSm*< zo~+S5bJe}}(c#Ud;lY*!?kjCgOuZg?Cpc4W+O~)5NIeumLg0yy%mAVIdYL4AcA!B% zv~OrQCLCePt`V#-`e;P;p;iJ_aBjI8$ujNf@AF)~H8W6!D%G(P=_(~-rGS+P1DZk= zb6yKo60O+F89|kFtnS{qcK%pzN;9w?Bn$pEAjQ6&gg(_MvT#P)TekNU`J%j}3db#& zo_p|^D$V<~E!SyiiH_rncK}n8VtS^Aog=)g!^rPux~RZZA)ILQspXbzpJ`vV!Ay#$(PoXU?fxrTehV1(dLVrYwcq>cK1d z#V6o$7VkK|WXEyUyY>BXXrn2UK3zE{qg27#q!g?{&!9w$D@#rV(N|K0WEKA%9=#F| zEJ_U*T>7wG6|To0kPDENXjVsE75y`Esq|2#EPPxlcCAJCU%Vs#|-xgYMb@-K|MVb(ItYJgEEqx|#b)eu&=)Z_& zy$#=I`SKN}&zOzR1)PzglV1*w5(UCc08USSJ@bDtD{#AzRN`tzZ_%t-b8sK#yeyz* z9+|(y+aHx^#Z=_M4aj{Ivs8@%vM1pqNT@PJD}o7@(2A`cgFW8eTNf^#SrxXsk~Fp# z4-3h3?Ra>yAf+GLp^y`Ve1vwqRygX=)YYNHc0`InJ6O3NX%mZOBc}IUsH+LriK;GO z7Zw(@EB5e|MD4W~bO^`!nXISfoieG|$nh1r4X@Xz?~mmK5iS+wBJ~9oyN&#IXy?hZ z>g`)wP<~_l7mashR2R%H-fmC}^_4s+_|2en88gw%6S_iyW_<*X=;3Bc(N0r}cGiz# zU8XWV>ptFLW%Z~71#G9JE3YgjP@{kU{!F%P#VZx>GPQWuY5LJ^dT}|_Bgvl>Xx3}c zpuv)J&bzn&p+lKgKbGk>UVTUL?)ss>rGnoK%$Pg>xbarCYuDi&f!9VYTNiFUO#L`j zyY(MF{_{;s^Qa;od~h^6vSiIzs6eK=9oqv&>Wfo;QnKUN8r}P}9@MJ;=;~GzO2L`5 zot0zbqI76pQ89ExQMB$M?|19Uaji=w7b&Y1+pdKw;cRFL6&jpUp$f|&Q0gP# z6xSpz(xGD~BXei=&*H^Pz;17i@oYAoqhBl4^ 
zE!UT?bg)^n6c+#{8w~-iCQk0!t@~#NX)pD?vS!WZylD#_fvjUihuJ(-{c%U|@t~=r zd=5=rsMJzXg`m2kQY)f=)pXHC)XS#v38(xmbZZ+J9INki*Lv%2j@8|>7JPWpRa95~ zdR~W|dx{T!V7ycc#7tc(gkl;uX}V_J1{jZgV|t?Ft=r58_9f;&tcCXi6!4hHY7x&d z`hYmdYu9g}FjSbm_n6`RuZaI$4bpu@fn%?60O+S;8m%PmGrF? zsCsz$+{W|1eZmj6@LHFR${-TKMnmQoVcEb|s(x;~yYvjmLoSU^^ zsS=$gmhL&r>?qZ9mVWe@RZ5JRd1^KrJ$f|3aL#3STC!%t65XbWcQg!n8!Gk{>pHE_ zcSC@xg$r#!RnGeEyEfIDeqV%$rQTDUgfCX2lU40ry~a$e=C&d$c|AV9L|rr zF4QO7v(Y*_<|InUkGT|yKGrS%^u)V2LgkW_St`&x3UibyZ?YVNY(D z2p(W$HlSLwW^HnRG)$3Xay}!?J8)0Z^3%y*AB+GBc?&ie0fDD+&E_pwMAeniCuLW_ zH;E`cp+%IkI4do0k(SqR8)DC74y|MikSWYemH}<{U@BCp87nPX$-SI53`lG_GSqdQ z%_pnpWl)EfRcrbjE*zG`Xh7jM8qmO?&uNFRQ%2YeY?axdzO9{M-wVB&VpxKc?6E02 z#&6&beB`5NQ=G-(9AB~Yj&Al zbHwPaA7y*bE!!vADAsyNhO9Yi)Tl9JsL(CSQlMDLP7^-sYb{6FzSd>?Xh*Vhxm4~- z_3)~o5pr&Yij_OoWsKsKRrmx1jD zHHT@rXhzPJb28b_$pCnHtW58Pj`}7MEfi8hTQZ}A1kvu{$pT7i0KxfWlDvc4e&eVR zp9Fk?MeTIuxzUv7&+W^MXFhu&(>0R(NP2Z;@#N6XZntkG7~vF)RQgkDmP+xc^c;18 zQ#}4bLIq}rke!30=ydbn@R&Mn1_l=B#N8lx$d_Zrcv9T-CREVW_0oTHbvH(cirpmX zzpoPG%jk~0%Lme3C@$JzOYe;TUhb^BF;uCpLJZJRC}X_x(*2c^m=)1B1Z)>BT1?c` z=ng<_I#>yuQh=B`EHZayKA_1VaDiFD%pu$wbv_!ul>%zQq*PBYSZLF|XRl8_$z$|h zty+DUVzU$uU!K@J^C>YyZ4pj!1k`YHhrTV9vfS_uBp4#vATY&s=jqqb(fXp zHrN(chtrb6PD=`*{Km>9tB#C0DP}?_X~Zea4*XjYoI-LWugw9qg>DCpKu z*Vsk#K{hYTJ=p4t8hr+^)bHk}7`nnq8!2-=d|;a0+i%xpI}Sntxa9`!S%c>IMSANwC#r zYKg8Bz8%tT^2Cyd)?|Uw&-cUT0e>gqP;T6xV;gg>u&LZ<+_&}m_9Ibc0g_VxE%1Et zxtjHB-*xy`L&sE}II-k{>3L9ZpmQR`LZK?`q!(Zz!vzVtx58IOV&LaoTTDe2f=RC6hS#Q{a>qs#w1a9&%CZT`G`DX|XCpe=m#O$;m*UJwk(-EezmZv3y;I#E%zT?onEw-N0W zAwM94X~366SbXtsQT(g@;JV17iSd=yOX)7P(_JTBHC_leJz6P3j(Bsw-!yYqhC}?G z0fDCm4K|2o8mT zi##Dj)Wf|P5n*28p`PKPheJ;9KJ90J!bKGFBY&MLP61CS(qKK{hN1X`=_BjJzW1n; zpz66UO%Lj^&Bm&1cBr#!Yk#MWGrLY0Tcg*o(w#;dl?%Otk^H>pkTFvmxveTnpbuE2 z02yW)wDwDfa}(_$9J+Hw=HV0T*6Ba=vz}9lyh(3GG5&MQ2R^0pSG3;EKf+ zzaN2Po2-oM9ex+;rXdzq?KS{fX8Xa-hK#L39Rb7`MB3@Ii69;o>n9Z5C!*8LG|-d1 z4MG_y%OK0yNTvB@Pf-cw@6kBq)Q&S@hndD_BaTF#@lnRnbCJHW(Whf$g5zRC;^P>h 
zj7yiIuUv^|T)mob?b-##_3Ibq@?jkzsKsDq8FAFLSt=R*lTgKiRb47AR4EQsl1rt{ zQhhwA!miR!Hb;&e27{{qKVm*euTXzybo`_K*|1?F+yqRqWLfilnz!W0#zIqnwp9qp z-beb+N+hZfm{p-FuBtBX?JBC&&jr6d5lzkujSN?7sZ>`%S)Z-+uG%2@_3`VEC;sP$4ZM31Wty`4W$@Wv%bA}?zCgXUawa3_RHRaETtB@dCcQA#|B^l<;H88OrQ21myH(H84V)I|I=Vr`<;e1Y zR)544hvEYBjpPm}c4&Rx5mTDf>OHV*XFZ|a=qGr$KPz+@+OmIZs@|qgE{yKevRPTE zhC{IEz^V**zQ`Fdk%$&@18C3UnEw>2*L@5{7Yl*qz%EX1=dd1f$pBR;;1r9F)o012lFL?$Q!Hv3`jgQ=aEgJw;vsQL zdR6acSW-9(khPw-Kqf9#6US_1(~gy6*e+esv12EM5vUn7B?+jfy#EtigCWC4@Qy&I zH0I``e|#9a9MbFXiL>tEa@`#&s>bN9_7wuN5~^fHRs6em)<{H@Os%ehQV6k7hyhL& zR726f9)%?@9sNfvJS0@nImqZcY1F6*%I8Q(VNRJ^{H#V7kWoH-Z{`)Q5UwR^&qVp) z@)6~uWge}FuoXs^P2o@4kw~p|zE9?}={p+TK-&M*LX|`-W-BvR1_Xp}W!bTkz7^Xx ztz*SXk!VF2Q0rK!P^F?33sCx2EJ;SnP$kidkI#@$1zN?%Mui>xE^K>tA~P~3!+){= zGfl!7=A&raxt`h#Sp@o!!oZCJK)FeX?m#E;Mv8*x&Z*db zREP3?XMd&y?(kD8^v6qDptwjtlJJSD3|?Gi@RBM5IKUtS`V3oEssH@^HJX&~F}>RG z<<*9-NH#{Ss5WAy=_uQAJbT)Lil>vaczIkZ@tWc4NPdxF%d07)>ab;uGT)EHMIx|} zK4a$MEqVz=Q?N|AJ?>B$(nmA6W1m#iw=2zFs6?5LZ=X5dBF&f9d8t<;+=y9>~Hl=?cPEo@xzXaU53D!X)~y0 zj}c!$@5JX?Ge0A|nw=}s)4+vrF*S7Lx$wE*OCU>v%mtdvpsLD>=ZS(=1S6;hu z14jmNIpkI(4IoF(oQrIh02#!ZC`u*S0m*^a%$zm1Lx)aPs#g0*t`@66iZ~%kj4{Uw zVYS4$E1s|YVfL1So%SC z1BIoDA_ge>*KZMhhyS=`=H8S;5~>gaHM%lQTKQISxcGEzd$gzXD>E;!z?f6S?bRsX z`VAX<_Uv7zY+0&$)8a-My<@>bg;v@-@}_5$u9v)p_D$dOx$0G^P^F@kger+v+Kd%D zG#OHmUX?^E86MX{l|(BUqmWR=hAK6v5{?yc%;4+QI#xz#6(4^-bbnJis3L#^l>!<$ z7A(?3bX7o8n!PTYUXs^DZ&c-?wF|RtU)S{Tu1SF>b_NF>4Gjqh3kyNviV+G(?e}Rv zX+_1J)88MY%5@z*VoK9ps|)#V6s5b^C`>C{Wr?ScPZf%E&raeV?(~Xz1=^14T6N$| z1)D_dP6Xfdz_hr^5L<=QABu;6Gf2?J*E|oS*^^sgEj1>lf5+`Nr?oNM-dGi;cPfL!2 zBkUFVX4sCxRbz*bzB*fUDt2v`t?b&pJ6t{^!)Wv;@k1Kud|9s^L_x-wu~rP!?I5nt zv7V1oiqY%8toIc$F6^olapJ2pZ%hApD3F5aAE+VplqQKp)nz)0s(MPFzb902V?ycT zLPI@TB`GY;779yvbEK=@gqiJM&pk`1YSg%?(FdgS9iPtY$WaxDAz<+0J9qEW-xHxE zm=e5zva;nX>_uPTTD6V5U84)8`X_Bc#*7`$w|dOaAL|YJf7lI=DO$;BfIbW;!USoh z0;>E983Rlit<*4Ja>q)KR(!n@tz?`;LX`{yCd8eI@azN%07+!M2@Mg`gEa?L4<@ zUKsc#kgHN(>+~5j<@mI0xvo>H;&Xw*(&ri^!iEG4Wz3Lhq2Al-N4CpAN5tFG1__l2 
zVf_L9W==1)%ONMUI@D`HD10j!aO1yJ9zhOATbPNl)xN~gNzK3P+rP})2L@~R9@uC= zug|)WpiJFCtK4l=pUH#Qtm(UD_1By2Ds8a+)Om4Ed@ec*h#C!apOk1J;1#h$w7d`5 zSvvNtyWEB`!{x@zDD=mQU>htW4=fXHmP+81qFpBaDG62hQ)XQ%xuujirAGhsIK`?q z5dT>3;1q-XDi4WMAJ)jID8Rb|$1LZth_mz*+kfCNAceuinIcQV7a~6R?K^xSyoUDc zC;U$mpd+0`Lv}JIrq+^5J%m=dg6Y6Jqvn@$c~Y}hZKHFi&6ve0aR215z?Y%kWU?oy z@V(fpd$LiWhR{>85{;!GKO{x}%E96@y7=4vDF}o~{p(3rp|CVsXky^UJz1xF=BE4k zxb81=>_nXorVNhZ_dj$ndQ)nsWhPEyF(py#0jPr}BuIrCfI{6F4H|e^fdcgDPH%Mj zyZzbfo9}2+dGN5etOaJ4CHpep?+*!8%ui-1j-m9bWEfC5R)#R3kz*x&s}vk7(~Ol& z2dj>i3RO%_)~4J~8fC1^qSaa7Q9-Vs&>;&`Kx;y@@znp<-I65>yhvq(V}46_S7z0YhtRj+bLyO{;aatk&zt1gBb>QG3D$qapvb zeAkIgLV_xF>V8pW&?0$mO{?|F5Es;6oOe+M@0f&TV;oC<+dqA#ESYlVE!SnDf?oo{ zG+vk{kT`64>2|}4Htt-p&s@dxQr#|*_L8v0e`Tu6oVTUHEa`12RQ&S2r?eQ_W#-I^ zY)ejV&Wsu!0XLG8>bFh3whRmgZ_9dMUH%n|EBCW%RkcS_(Q&Fj?iYRf;}qL3sW@Ol z%W6HS<4#3jgbUW_H)pVovy;2~seqjUzN?QOoV9mbmn{y}HZIA9U$57FTAh&?CjNft zu1X2#JwYoYsFHEN6mZIvO#xJCaZ1akkfA@&3XoE9D#@iXK$VJ9GW4fH)%zJ0i)UkJ zaO$3-DR=8OA0Lec!W#HcvOyI`*!goOcz$RX-o1B^BSiZt`z1DLXYYtYmyroYtqZ!2 zld}uBgOCEGHLNk(;0!8W&qPMC*!S$+pFe+o?TPffkZr1P<#-F;h!1Y&rpXZfOxs^N z)UVe)pz+5{q0tA9Bqgfq{T;6t8Pi_>ZJ$FR)HDQXEZ%|`AnB@msI0FRJ{{>Q3o7d* z9qFq$W$JXJH$|*(rTr>)0(>2O!|*HQu7DEhfrEy8TC^x%-Pt)JK8b5X&7QcNtm^>NI9#6x(-0IE#U%6k3I>V0P+ zIwY-D>tUTYtt@$RGc`?u5ZIu<(Ai6Ml)F(z$f)S0Y~O?9WFK1#Oi$&@Z%p<;>5?%KqtR znRDf<&~rLB$*qbpdKEXX3Pa3h3xg* zJ#w34O;H0ym#%r~4sUG|eQMs-D;F`6%yY%1(r2l_sT80pRhJ5=lB_=!r&y;(Pz6Sb zhlxuip$a>|-j&CDn3L2`<@&r2+-bmeV=lK}6Bs!7+Ps&LN#>c(KxDNvZsO`jiiD=Dz=YBob93 z`bUR)NmC!HK$Ri-N8^tKeKEf2U8Vg9vK5JORWu4q?M2hZn^4w~tyrmhDw_hwn~ect zx0yn;QHGkUeMex0wo`me2JmFF*mn4cQD1yf&*-bro?`Yn*C}42ME&{=hK(5MrJ|Lb z{3)Q7-07J*Rx)WN9V@~b5~|GcD^f~YdF~$NxqHM(-&IkO{ul&2O=VmlfI!JPgGj6a ztps4HXm!Z%)T}jb)%wiB>>$^J^y}b>&9~YY14_>A%6|1o9>|0aOUjqDEQ}xmeLaT( zZ8PS4ad2He@?z0@a=?Cn9bsJ3MFx%CJ~RO0KkoK9r_K8On=!+x4O^;uPf9>fV3R(M zr@BkhOPb(RTR_r=+LN5?D0ozNGBD)A_+sj2#+Qs~Tk0{UZ`F)#UrjfR8QZ>Mh(EW= 
zAzxO!NhjuBg{swSjavETG%mu`xTYBL`uw-fV+<^Jb(wF$qX3}Z7$M+DrWJ7&?_iLt6TzuXbd{9C_QjO3w9%=QjGC-8`Jj0 zrtC3$bC7Bz0ZKjB!ui$t-4*XF6(_4ym&pSbI=OlIpNol?Tp&rMh>trL9Fv_pUqt{)H!cv^aEtT7PGHwH;ylgn20QcRQn)vA4t$SrX#oCt!4*h#(< zJ}k-!m{#YFoBQ<}@Wq#37Af*6Mpa5H9P>TFPlKJui8J&0_#S?{BBFmF#X~#MO8(Xa z-L?KoqDty1eJwiF$Gk<4DzjL?LEXi4e>c%I?`SaFt-&01>})W{bSVGI z%VxXPpY2w#dgClvvsL=8r?}v(?O)Agh|BV4667f$$PE}EOgL+Rm+F62?l%|M1-X*k zE`7i-DO#A^;ZiUQwuYXhp^!t8CARc@3^k>t1uR@GqhyvAuxj=n-D_+Mr^PvGvqAzZ zZeK1$vGA(2fQ7e9V34u}pa&6P%Cc53El)d@O5M!6OH^v_UR{u8SkN_Tri|1c6;=H1 zTkJ|u97i%MRVS-T?^&H^uG;Q-f|)6y>e9vd=-`!?F2#t+eEEU~s!}1SCqb1WpKi+f zW5vnPA85rgG>cO*^ru1<>spIbTBv#tL-G+%#Xwih#vVkM1F-)JCTmSn{-J1yAPws-)K=kkK9Kj*K z)=PJ>l_62}_2021s#4*5qznh@ztR*qG2YM+ghUv!71xIuWGhw)mGzg0bbpzHRGp3= z7ggR)ox7-4d*>&7tJ$(=rz7y>snhw2Nb`AmA0>{e!V^CMmKniewiZk~HV;Zp@W3(O z~G4zk<~#eJi;BU%HeK7j-b~K(nB& z*`h-?0#zz~UF%y($Lc&?KF^+?wbrd%_i50#XfV-ZY@6L{gdS{&YZm&+szOY_4bp;p z))cDKdw|9YO@L@YAEl0?f51jz;_$x+^wBC&YX;?W5p;?z!LFWqUYH)<>oVKTFYv?o zK9UZh_nyYCRx(XWj!E&Gl<=JZ0^ul4+l-eaJRk*?6g*OpNPyAKhI8HZ!`kC(>s|UW zZ`arQvAfayWaI03yA8weV&$wHMM`HcT(ZtMNBz|Vv}m7yoA+rFG)YSAN%xGQ@GeiWmP1V0wXQ3!!XD0rC8x#rHTRio!1g-DakU7}ozNx}w3 zy#l{`)Goo<2yn?dZ(a?Gxk{#{@>HzD#LhDu1H+;&T%wlhTG)X`!EVK(Pgzsmt3;=W z{v~6lo262iO;NG3%x0-l2>oesNxvRvuaPZ#k?LnxLrAjqv+HBZ}QE>SAmVEtAglPIL0zG8($cz%UWva;Az-c93jcRh-e0xZd)ieR8V4Co&mv0&rwF9y#;Z4b%>lCW-$pJIGs_U42+ z268=cU6etoI90X#u(rcG&6-n}9XRwY&O-hOfr7tclf{?hMW~iSqX}j*o|M!C`r;2)*HqG!95w%o4iqm@#$x#gK^JqAi;ocBT z}P?IvJ^A7O5`D>o5ygl2s^Z^9r9(Vb|+pgUJYl#!*4gieW?-RG~_r#!}F# zY_FLO2K5^^x%v*fT+}+TXP}l1Wq$1stv)AC2=uUB!CgAxl6|#p`5_aVe?6eLO8#VH z11kf)Vs;?vS^UuKMlO4aaH79Uwv~%3^%~o{X0KF=xhR4dZ@0}eAQU!5@b>&-r{q>5 z%6DM=*=<)Yos)#36jD@Ls3JyT%K9_Qrckp~Y`J;paf&sJ5lOD3gyrEOaSA)|o|fce zpH2kx_MJQMqktaNgiM7m3KlFRJpvk0kx%K^sSB+!8Z>AKmte82Xsr$no{%6>7wI72 zUz)#XktUOXvXMW;n#fYfl^nI%e( zAFmU#6|a2F->OcBn?nwXklout6&3viRA+ls@7{g3Sj9fDsv8w1%=iHFt zuX^X9JC$jmPd)uvP$66`kPd#=Cfgi+r*>#CZeESCt8gd`@jWNJ4;(1+P5K-Yu9I+E 
z1U3neMmS9Zm>S~vNK~4?M`BHrMf;m9Iv|G4!6r6`nk+ull(FQnGCZ3u@oZ|Fd~ifR z4mVxQ5T_{T9^@j8=kKmJd4qVeaK9J|>Io23JTd``isz+=t-0<3G=Z&IxLU&7N){^A z1PNt$P>B%g6I;fZW!b}0(2CM6L+Npf?v+YzCx>O$w?d7oT<@t32ltyfy);6O6j_5r z02cff_4m>~k!4x*qao)AspjDNe2z=YbspVLQrt&RYfMB@r5CCvGGQReQ+tjl4q;>W znnH8t)=ut^8`E;&@YLu(cg%8UZ`a27W!HT2fTY1Y3We{j8+&@;^=t8I%u=NcRsU|6 zN?J9{6lhECfE+Zewi&bL(%II?KIh4sclylPpc2lMssT=>21^cIkmCdir5EtxvPWRB>iNJIHc-zGs-Y-wH0Tenj*x>fC;iSPj9>lm)zTz9#n(8awyMR$L( zsOl0iz=OI!ADg{lwjVU$0GG8FwDg?HN@OT%)vkj;J+weTAMzxOchxykn$_QCvVA<~ z$n2*``$36T$|fr%v{JTddbA>M1z;JW727<<`y{O(MqRxe6@O-P_@R~n6YDzuV9w{E z!l?ll!VfkF^noggRuZs)s>t(k?%w{btrk(`G;&Ily=w~KMxkbaW%&J^MbUL4LKrj% z6==$>UG^D)K8WQIEzp!O%F(OFiYM4BGF)uS(IcgI)wY$nMo$0w%W;bZLSdPqkrU#R z2sLF>QgBZun`ZA2{>xl<0SyA1c1uSI=cwtT15IrXiUH67Ndk$ynlANjy6lL4Eca=u zA4i)mHy!G~`siQJxpHtFiDC+b>E8te6i|p?hV!NPYxr*S4Z%Z!T#C1)I9y5ImW&W8 zt`^=FpH7Acjbnq-&q~e7O2)oO!YpIng{;XUhb28MRl7;`uw(*D6?<HwuXr5K!qhr3g{F<~@I6^wo=jw{Bia3!8$_ zAB&4&l%h%{OQqDFSjtkd_S0@C{^PG?N6luQ2p*MLR7e?d(J|3Pv^sa`CL7jhEw<$T zfpHS5ESlm!U+P{R645`TjqWcI(LWMZS2}A%D(e0n^Sj`tn}nD5YmC`1ALoJ?9VKQ)>~W*FfK>um4;?-dy2ZZzhv@Sa91;fijQAm6 zh!W+yPmW0&Tlk> zekta_`2ef%eP5tQ0WcA-dudQjC;SrRnmamZ8BitB3Y?Nqwe67K@I@$m2i~b_S!wb{C;Jq`c9WV85NhS;*#yjq&y@ly~j4%WgHh@plu( z)g0%jN2rM#gbyVVO36Lpk~F}9(!-Mo>*31)4I*%-cuWc~DgKdw6;KJpIofo^v8F40 zo2_K{HMKj=XvVPjw>(ZXwLc+W*>vUcrku6XSGfq+0n~h&fpHS@^x%aHCOogEHVlbb z0=5hRLxZ=axLSJ561goygiy(9X=8&18iwQ$3KqRcW*GsNB@avG3QDvxa<7t81k>VP zq0Usf_xKJYzg=Qo!gHv!Paw-3~sK*%zw^*+jvm z!O05PoXu%@*^yHl*YDTYtYSvxZo^&ei@~~)-aY6^=otN5z%smf!=nu>PzXes8O75Q~wxsfp9Q8w$f=*RNX4&*l)ELlT#jElU z2*ffIdWBnJ-s=8(LHA<6$Phht(A|~Xzkx#X$PoP#Qb-rxQKHuL#^e#wUVkOP)2Oe1 zmrLL2u67rdT<`!NE)y+CsPKAo%53{8em;U%w2ZG=vzFQG!+RV$Y~wo$Q;ATGjPs{{vl81}|YQun9s7e{FNLQ&DD^sY#qtv67M#EN{vAP(w z^~|9b1V(7XO{`By5@~kAzz1tQY)|cralr~9P>)tYXU_Grwi`90jmPT3z8iDGIlp@3 z6A+5mr?88bb_T0oMpW;Sg zpEtqZ6I2A84#CzV#3$o>f&w9uO$+x4gaR7C2s|C>GzmvZ!KRgd;1P%;@W>&cnZwEE ztCZmw*jztOHFq=}hJRfZ$m=;v8Jr%VfR}<_AlC|z%UAkhde{Q9lDsVeSSn^2B7~}w 
zCBlPhN=w8oMQl*e5w*#zcW|$g$n9p(3hgFYJFE!j4qhx%SJJnF87SH8s$(TmR|YD( zzKd3mnU#Bu>pZIE`bAl2O2`j=Zch&4z$r`&{)w4`(g?{cYP!L=TYh=9bHMC#&cab5 z8jL>^@Jk0xY|d?fQ0jGLL{X84${OtYNvL~?xYJW_-#C|+LMqAn zOPTn`niUTvOJ$b$Cl|hXqy1le6iY?b6($$43*3ZM(F(C~#F_|sQ5TGf=Ih1EnfZL8 zK~=EA{c{p|B9H=l0}ZM!wbp~kg$9YSpls(!eHFfhpqiVwQ6dSYhWHc*Y99`i@Lxn^&r|O@3BL*72Vdz#GY5f9%~u7s zaAcfnu{ubMHNh>`GD2Fc3pI?e7VFeuIJh=cyoMKx!C9wUtmX=*xDFRo2H+K-xMK#` z63Aunws5s1W=Yr*ewG2V3@NR~$pV9ti6Lkh`lz7B!!ij8>U}HWUMW>$dX}K-Ug@i` zEYK|!_ex)Zg+Q+2UP)%4HWFwlbtM3+$4o|rUREO~*7R6a2*w35+Y5(sL0|t1QEOT- zq&N^jzVDxkFJ^QFpimMvC=Xw|^s`Q*+kf73sM=twRHw1H@Mu7pdhTG>J^uoDf9!>V zx95%aAAUXI@Vz@1RhP;v>rcfgA{(-hgjFe{^sG|}Qxd0S^p6!Sy(;Na{g2|5w4+!m z!k`%5<0k?T6$Fe-4YdRmj`!@{XQ#)WgNM8%_YageZ;bzZrh9!%_iUT)@mk$IxPQ}i z*N5w_AX3px4p_T9-z{`>bC^5x6QAK zr?}G2!6+Px_Uy9dc2LS8naDsNiBbFrrU(|^?4|x!4ytHn9;yssK(lB?v^*{R3K<5x zckkAfXt(peeZzKF2BhfhAX~4pV2##3f3mJG9{wbFd%;TyLJ9fOg|p`ZZBBSJL7^0} z0?>`vAVHNBcFU&MOyiNn*y3pQ5Q>BaO>^*FYpb}pjPJQ{wQ!>*3ciFwH5XjI`ZEdi z37Q1qGJL2cgc4i`CF`U{_CzS}M00^nCvlfrtUj$kOmK^J3M#D+YvB~$(kY_lhBIO~ zpG_JYBa@!XRlUu*z1^=$Som0rVW6V#%b_YFQXd>+bu-?A#C86A+SGlZe64WC14@hM1a~7 zJCUi5HW#JkOl%l~k)ACtgf6&yBU}>HQ_fPEhbm2$N{dtf0;s~Mf>uz}2xZYN-FegI zMopT~`qLCgXk0sI?mVJ@Xe=mkuN(N8=56xtRQ~Q0xIl&ouK2Bqf;WD-gNh)D2}snw zV=qP18`B=qC6xXvuDtq2qS5fR-Xcv#RhNtbKBpG=r1{%cYJnl-*Q}K+21x%MI!Gdi zc;;*rmXj{b{OWt+U>IsZN|4M2Q$kP_M3hhQp>S0|0TJKxZE8n4N%5XU zH1Cw+G=;RlCjw#snhg;O3;{-wEjLD)9j!KB5|ErIunDxE2apX;d#P`BuqT7N}0? z(aJo_Lh{&?p_M9lYlsAv?=yF(%?6)iCwz|w96xc=@AwJt!`oa|RG_RChwudqLo#13D@!yP*rRHXp~wuPp<(G#oG8y_^F|trcsQH182`Z! 
z?nJ*en?ecwsnI_zRAJ1U(=B30bEkHwt2)sCZxJ|HYes-I22XZ|K z$e(hG+>#wg%W*6WvB67+1po440aY@K!-K6=8|)w7S?-j)k@H4<(V zsVKpe5K%sXP%;B05K75CozzG62-D&CtjBLMI86#L0YmRU6d(iXA{CD;q9yMF4iYoe zM+lYJASfwfgCYwiVvmxHp~tMFpjC3f(#8Wxw80fLB(OASMKDlbjU@oQKtsRzfr_A$ zBnKLNDG8I&VLH8v`1Fcb?sL1u-fYLJPhtKrpVQ*g zG0916T{xT@jTBM&eysD2xNQ&bMgR2tnKtyt>SGzo2hl$fqc@RJl5s!wpR8*Irv42$ zC2cGw>*cFgl%Qgemo8gjWUKkJW5>>zYvN##39#6FS>}y%;v1n0Au50A`XMWSN9Zn7 z`D@VqBT+@f_^jzWe3&CN6xPL8N`fkCfr$ZaPv2>(-GpcU$t7j zl~0Qn>(H^2!>TnR0C?ss9~_BwOXvPC9v4_;4y`Of6$?a*R;FRV$B*w_i*bqaZXM=P zCd4)C#Y4GCK&Q&hQw;*VEGk@B+Hi?)9?SQFQrt9T8PwC?_Q~t;PemX3?OFXdW^!Md zbUtkLI+ z8T_XAhbPl3=mAUXWC^sADJ^|6OQx|D@&;+F6AEKcQZJ4sbFVbycEMNF)7s6Tl|FAp z`LF@4w7%7civ%i)78W>xNHA3%w6No>)i%x^9tVB!e~o@D?VmnA`+W}C9&v3*heT!< zdnf3irYWSioj;ad&z4L|c%knEvx0Yo%wsm(ZF&VmM3G{y96_$R&K{_H;k4Dm+u`gC z84{-?RHdAyl5r9VRdSjCFB&LI_Y8C7#*LeYJiS$0tv*?{!Vai9?k~81FbY6w^B4Iw zTIfPNbumQ$sQew6)b#@fAkn`MAyKQ|nCTP6v1(vIt8WCk0v_O<>AD9?g>WuIE|7VX%sFJ>w`7q#bzsa2&OGEDE zSSc(S>03#(qPXhGqw7~9?L&7KXJGGLDL0ZZJE|LEw~(gB);^r1*X;X{QH zkrQsthx49H;mPa~;a&;A5+OmohlP73JS@^!D(^z?UTNZiN1Lq>?vl?26chCErRa;=+(reJe?{FpUH%?v<8hVF&{f4Ako{K?~ID+^W76&A&b$YBOM= zv)le7raz785tO>wVE_8ZA1BV7A3XJYr$t%l(n2~iVrN$NLTN;hR40|C7Z6N<+JQIs zCN(C!(G|Ecg=Z+dGuBkhv5pUJ1-*Fw6u4p;ri@e4tNOR%l(e5TP zgHsGisDR~e-Z0bi7ZiXK4x!=!T|Z_BjJVPxsq05VL!l{g!xUaVfO9z`tKL`w{S@DULquRAJ1`p7=j~P(>?C zP(^6eELyS6`{~J@I~VsRoF0oCg#tP8y1OUxn-=~XEkjFxz7lR!N`+3APE7l8l4acC z*`3*tIN0l$!+L)8j*|z}v4T4x*nKVLY@N07pxYtev;Y=X(fQ!X8E%0Cwgk0z4pn?8 zB_g*m$}F0E)PtIMpdPLC!9aml`e2}jB52?TD&#=DZ-tX6QdhD9OJxSil3_Exl|B-f zBFjS7TWL6f$z=nRM*@@SFPYR^)gEs9!;Cfk7CJB3;IW^c=gA|qX8#O46@*IUgGWyS z&RrUAx1)5=8O6FxE#G})zcF8~u_*vx0RiMsi2#4>Sw~>OR6ZpwlNP|@_7F3qd?VO3 z$9bPNH_q8Ty&q{Q^hfkw#i@TcRM96L-6Z-3_UYUIi!bZZ?HUvrHF_*Kg(icfz_F<| zZ<&9;B`SZPZV`w8KOCh9dj5hGN!-6WK-GtYC3Dx(T`VZ{055#4M=LrxUhOTEodmgJ zg-D`3-=%vKu7gx>@*ucNaWwEmpD)-W(vw179u?z%M)k<#j{b=QDpWDIwP=-c81VVi zyH_KZMjomk;#P=_AEmMs%%)nel$PcBkzT{9zwe))CC`rf@S2QE7ZmR>W$>3)D-^vx 
zQOPTcq^56eFl&3e#k;0#^dvuJ)&LqE^gVv^(6N)-y#p8R4eslD=A+_K$`{uJ1Cyhb zq_rFJR!MAjl2#&bbu3vJ5VSHx0+leJ6u8i`ERq=P#u9>xeqi#Ft7J(ly<=tQDq=2a zr6mOFDHip{tQfv@%UZXC2fY1!eEp5Se@lPH#KfaN9)IKRm{sn`Ar|j8y;#?2KvmJs zQ;K(*Sf$61LF4LdTb9*-lTZzz~sp#b~&I{k(mt)DuT=!t4Xae)G8!y=}HPV9}5x~oM0 zTIju-3-$kwFaN$El(zGAvBeYPYZ_vJ6j*f-DYKgs1bLq3SglDAL(z#@;!epCj5e z`&Q3kts`)8=XgGpYRCexaxL8krBb{p%C}^B!8~^Sq`Obx>O(=Z_Jj_13-7e$ zY|0MN2mDu&v=X$yq~<*VL*)%`vuVOczXIAx8yOIJsuJoK_ukqv!DFVCQRLMpx)@E zXf9C{TuOl|&iu^or}! zw~}b}=FRh~5wjw8R|wvohjmJc6O;)&8tw8i`~0N>C}{LiGXlEdg&{*hjjbhQF?$j9 zAkqHEfd#-Fs25aLl4y{F0!*{}(x1;1A$LXwjTXIb%hL~;{%u361vpbmlMYeRi~c#z zl)hAIj^3G4>ZA@DbdUtQuf?j9?bn@}u|INuK*S0EWF&U8HdA|$@SwNf$%DrNUA<2& z+#51*dqi88$PWlirk6566;)S8{0bGSgea4wudDnD0aeDuR(kHb<$KuY_)%Z~l<9ohuU9?~3qM2moENWuJ{%JJ z-Sjn|4_<`qk|+vRBrHs!$_TBBcAQwM)0i)Nb+evP)LWqlLKna5pI@DL+9$w7_zwNV zWB5oqrN|lwwxj1(yX2k6W zu(F2kEF62R-IH71N@(Q&1yo_GrPab%!Lqn>=dMiI@LyCKEW-59r$nQTryCS8B^oJ? z)?MqXLx@j>s@RIUn2%CUWd^Er>HZc4Rt7!5i%kV+BD8)>DX>DB5TW%K2Xuej|Nn|h z=0CR)TD^Jw@adhCmxD%wP%yd$#n(T-SvezC4KY2!=~V7NIb8@P*jO-Pdlmw20h==W zIcGY$J|j*I-Nqx`v$Lp8*R0ti#75Y5;y?k8v3qlp5ku?-YpgGoLdij? 
z8JkJ%aC*EOR1wzEHM{*a+U zH3rxU$0}K|RZvSDD}BaFkq{J$xGKNmXmb^<4E%~_1~#C9yDlBGpx-eQ|^i*1I3 zj!f)~Of%*-vc~kiqBe>ELfQpYh)!Sg&coam6MJn&dK@F*&pam}NpzhH-Vex6efrO5 zMTZ(o`@>gZg|B$$L97haJ9oJLgUj3AytthBmj#su^Q-^ga1;_d3`qh(7IEs&pL8z| zC{pT_Qz4}ep<<+9iK~Q)3l0BHD5(oDMU{_rL>GfVTon~41z}zkSV69sD+;WhI*S6U zH>Y)fTVUP4-|xm3_1n*P-@Lf=%gZZ?f0^NLyx-+N*4f-P4}7aPFK^tASs8P*b*NiG z)bOqy$pa0^2oV4m)+0CqezBnNUq}XlXslv7Ivrju(8P6VdY8rNH`ruxwfmG69lkv) z*D;Gq+Jm4TJrI$wMn8>!3>!}5aXi;%^jMjGi*0&)>ulpDe%57VowQ>Zd2vjVD6`RKaD zZRDz5Q=RrL-FA4Lhxd*HM{%9r>RU?r#X%A0`YmG88LUDTVL+L&(#HTLzrp}j zpjFY1lT^Lgid}|u9nsivVLmoO>~@e-2C%fPHUSqRZ@V2oX+5Y_|Isz9rx(~{lYaZM z^mNW*KgPtPbUkKYP9l4hT>x9`owU>2^f{i|b)USPxW_)jiaFVw7p2>3o1QqpK8Fn6 z>oP(72-*s@J{xaJNI?W1PZeZONN`(wDY-*?7+5fFe=dM8a)0$J!6TpDIr_1T#fQEw zcJh~(SFxE`POQ*}zP#ajZ^D#vs*MIIbt~O9#FUa6DeB@s*Tt6nSg>U7y1IGk5@Sp0 zE*J`|kjp@a5MK`p{llfYCu;?;zDB+Fqtr?L^6I+a#kuAZWBVr&dn?8t?{p{D;mym- zhOg|u@&C*aX3Le3aojdBaMmen&4>cQpR8PB6f{U>MKIXNu>-_)LVMnf(m`uOIL~tpop|GR^ z{D8K|tyI5gq6Ng4|#E zE<-yFZ7_36K_=?@`RUx2XE?G>s5x;W3k1O~G+5rGh*^I|7o+@&sXJgoi)!8awHef6 z)cA5M=VW9ZaZSL>eMJUzDR}|cl$RxHLFn&}Xmy>83Ig!qf?YVs66W1=oY`CT@r}KI zC;m59+5Ga#mOzrVSU2lG*Wk+-}kxAEK0cOKu^cQLSks9OOt zLCkaF7|eOdPOriR9RebR5Rq1TB|w(~n2xN^bkH#aE68PWI+x{zTpg?I-qgg)qkE{o z?S+`b_wQXs4ThxW!}|&6yuX#Gr^1Td4T4RAYjIjQP<%hUhPVd-5SZjUS7cbTAj_O- z1;<&H=`^fiz203)b{s3VzJzPKPAl1MdfU;xfHQL3T$2zD`%L1KSQYxn+u4-rF{xvX z(JKYJOli?8+jfYc-!vuYr*A2xXHW?FJ8%kDf@V+9;q3jXKT<>|LR4o;ri3QAhXEp{ z){?%QkDtHtjJmPoM5O1*@KZsdrmuPbBSa28js$M?It5!}+5TYby`i&rhZ02`y)yz| zY~c1Ya&+4oA;y;Q?wiB9xrF}c9NNx_5!`NlQ2X_#NV>IK8`y5m$+nEu0c{;mFxoiy zwQ=xmYk#z@oliTvBb`?r>FnSwhMi{@JI`LLJo`F&_E~kPkHf)XYY#CdZ19}9*=wPz zw}Xezy4^=9LpyLJO~n4U{SpFC1tSwpZPeB4x1z7y-WM3@c7TFM`qH`3C!w8b$YuFTQleXFyFV|(X z;l-jOaD^^IS`GNF|LE#dCKX#UEB9vG4EtAQWThP6C?bTcETov}t;U{>m1VRXfI`x^ zbQM9NUA-nZ&~iZQ9wWY(XI*34>YAHZmU6MpL9k-CeFm?!nQ-EetOOI;2S)GBLG%MH z!55)LfJLH(+$1g-9U)m+Q3vbZieB>Sarl2WDu}81{g+42@13}QW?Iz2+JGtF32Pq< ziFx5}FMA0F6fby784^f7r zy7L7DxdNcn=gV3v>a~z7=7@4t@nS*d;mD`0PIg7sk`a 
zmk-&VC)&H|-8jd;{;)t(dAm1!_gDY?JmGr8v~!;INk~x`d)qf3vz;PYrae1J<~ef- zgvG%jkiOR;1Az_^(_5Hs)3SnlT$&y~JUaT!=4+RZ-@SG2>Ek<6!a|h?M7}K6zkkT~ zoU{Z|!|d?)D8px35?Ud;&c)F+V#i3tWAozlj@FsSSe5%>NR#?~x>V^lP#{zXr7d{J z$)X}g!Ku%BP2cKJQc(Z^=?W5TVKEY5T)Q}bw~1ZrkC|P4w0(7OisY2yOx2#WQS_El zf_^alR64roii^@L?t=*WDGGi_pre1TI8*4#N;z4HQ=@i<0~V%sGBhj#AvVtoPug#d zW(?dFJLO=ElYjj2h`5lj2-DYpj3YjNClCAT$1a~h?Qr!9+~O(6$t|ABIDB%8egtee zEXL+T{){bRoY;Ekgol^EVetIK0U!UvNA=@l+`Q>Ek#|FF;O^b~_a8kudG3<^{=lL3 zyIaq4t}$YHt0|6qy^fil5_mdf()ztBRH+TEw2qaT7@*#c&uwL)3 zR+B0*`PoXbTO+bZ3Y9qX@lDygjBaQ2dgadv<+=>7)uVTle(n2?sx^N`J{i;7W1pT` zDk6kCvazy=Z&T=p?z)Ouh!YY>KeRqyi^1KEE?aBBEc+eXZ`}yFlHheFXr-rn7gxth zPKz>av`M#RNqP^v^oLew^xYubE`snZE24!Me|#?90@*|Ox->A2*i|OZxBcU59)JG+ z^4(3wyPk=yyBohc`bZ1X3Ro4sM(hAoMr{rbBT4r8qd-;SZ@Qo9PUWV10-<7=?w+;o z=2%6awyho@D5s)1Z){-$fc$g+*Tttxj4PcOuNGLrTBm~*$`w;}_ZBMZwc7-1@sAHL z>&NCn3su^XvV8t9uz*s{mnF=j)RSADi3olCgAZK$v~jPc4pS$<0^jLr-RW76@N-+s>@Uo4OknD zPlxe6{avyp9LhzskV}!&c3qx%;G|}?MlPy0(vB8>GU#V0n-b0xIHk1cl|etDh^{aw z6r2(|ej@0nI8!hvLIfMZ8F3_)su$IL>zUm?fuU|OHTUPAu3hvF@E+^7w&r@9Tx%C*TRkr$ zd9FPU>B$#^iL5fNFW&-WjBwNQW+Qf&zkkt%_}f1d801}^KRg}2>oX!Dc%xW9QN34*|6w`XQl;(3YiNgyT$0OgElI=#KnXLPr1mQ{0EX3p3YC zO#G9?<-LTpaehBACDg&J1~`1yXJl_C=@6TjX4_(4cCSm5WBdAs9G??^Zu^6K=i~xW zE3HyMtDl}dxEwK`>$3}mbip1EraG<}A&Uc!83^VR-4%P=5b+bqDd|tO-W0j+aFD5O#Kux5e(}-k?ryQBq;c($ zj;=A2Juj_1e!(RmZg=20-;k)F&?}}Y@#yJ|bvidwp70|ZUh-LGfJWRhR@XpQqWbKi*S{|UDwXP|!lIf}>sM0uA zT5^REM#w+Qb{g4!aPtMTOCDM+D1uCHnkP2w-`nhq%^s}SWpIoBZF-NaGuEoC&CE}> z0V^Vumyw7%utJUiWp$!qTzRuyi7)&1GrdT!1sl#^5gpiNoxWN~^~;-QcW<0J7iu5i zHQICM5AIHNH!aJzWl4se%QKMhg_Q(&u>e^$>Z*^}Q$Z#p{`k#8^FcEvJ>s_jgjT7T*=n{%qf|8GY zTo+at$0|u=iF#ysiMOPB?GhmX1-Sw-s1Hr90IDK(mm`ys!jB^V3Fr5=pP*HrJy7H6 zZEsGrG!75p)Tel$n_BEA#4-7~+ zxAp#=&}UCBzJ7WCkKcb`Iq+aQ|;4LRzZn=5l9Kpe+| zry)F;+D0l3@4xtEqSs|DDy97VJC}2vx5xB#j~%)zW`R$FYw%^?GZ&+x})OQ(NdEQlw(H5k?m;)^Sqf zQA>hjE~~;6Mg_l0#N@@R7q_20jJ|%!E9~ULgFD(d+vZunK+rRYv6JUgd^$a50U|dd z=e~ns!6LnQ81&bl7858~vlkCeojY7F#8nhlr=`Fdhbzc6_lJk7zh3EH9o9YDA=<$| 
zuodJwP(UbDv`m7kI5dtv{n(I{!u0`4U3_iB{WQ^C`cc#--?Gx(r8TgT|^Sl zGDcX!juejb8$}+dMLH%`sFE*u7D8XYY~k+3A6@fEG$&5Tdp)}5&IAtLp6_<_vR_}{ zLIx>?8?f|GzrT5S&bw8lPY0hJ4c0HpzHw=xEq0|noa>$TopSAx*UzsXYEOg^$OG=W zEGm>}B>@Y^O7C0YSt(++QtBDaXQ&j{FM9d8Wkm! z$>@WZZ2Yggh2Qjvyc`&r;2Rw26Awm+Lah^x~zuOmX)Mee=t&5~rj#g?90pK7V-cOmz6_ zWBdASbtt!Kc~Pe&dA8dZ3G?n6>DBVy1!vROTRMW}!T#KiSr+b55{q;<*52$Zftwc( zL&DulP}fXCIgOSOmA13{tN)$&F2>F5ZHR*qDtO1{aQC zAep1PajX9N^B2>vJ?d~hQn92;!`-su8QqMs{`sd^V8ry5mX7@L<_Wv3s8IVrAFHr{ zc?svYJ-8eG=Jg{>uUC-DJXGOcnGFLzdh%@fj>AJHx0^q+$dt*&`;Dqe?Ma=UJxg~? zJ)WOzJreipEN}|4pYW%8&BpS8Q|0^5pJ!dU)40wxhRhc@H4L1x6aJJQr`AcbA0&#T z3g0>Iia({uCCO%p0;iN-y^zvHg)jX(La6XnN$D!+4A~KJ;FuYI3J2lE%hx-i9^fUZ zFaA(Z+HX1E(>-p2=cSq67v~>Iu=9&|@{ikeB4&SZ?2*tI|M2M0v(fYbr7bmx00ZHl z2_%A*ycZ)lB%F6=#Kk4xCE;3Lzkc(4!sWB^SB^!*`$Qz{35wkj7_-*r?EKxQ$8SE? zch#ZxHXdJ2bx}1d5LvPeRjbnCRaG6b1hnck&&jO#5-8tc&U)ckX({U;8mg4(YE`30 zpTT2mb{*9`+3bA}*s9!hP@}#-b{N`d+pt&*V1(9r71v*)8$y0YJ6i%4*JB&BG%2GLKAf-!xs&voU#Qm^5 zbknOiU}4Q6bE^(nTy@COYV?WF#{I^x69&)__cQP)gg+(ZXQe--=ldx<3Q^>1D4tqN zk+0H3-jJUHciL=<+JDpx3&KAj@cHwX$FDpCQ$7?trF@;%o6on|a{foxn2xT|owrAK z-4We=NA$2gadUhwE%v+OcJ}s;Gq?7izY}@$abVodlQGw>-n#eT!6Vag`_5f>-9}C# z2_w^2$|H{-KcOuSNF#Kq~p7n1I$(`7Xn&bRCdFki2B)$paU=JbCeo zb()stZ2B5(!tcMmWE1=QZ?8=M)#%8ht8QoZR>bnaxrMY(DfGjD0x%^^3yq)NITE(B z*!f*Kev3+0^OdSSJhwahrPG7bXq}91&-|Z!GrwO`6e?)>0Y`nl?#@)v777%&XyB+{ z_#!dBbgDS=54=DZUpz6cYEs7PQX3tT?>JUTtaUft&nL~c1u_5eQ#;DcxtFj8@0edR z)n7;Z0&JXa4;!iD?{uFUP zMKMYGQ%ZhH#{I}o8OQwu-%lvA8hGjYw(_zcq9R72LdN%-Be!^&DL4%{dHTV_M+uL9 z?z<~qeer+riN4@h=+mA_CQ+;DTrc&M`fQ6B>k)xChLLTjU4m=q)o<;O4c>a1@!d)v z!QMCSv6$2f#H_HAzAvz%twd{J!DE@el>jW`<3W{dwzz!DUeo4cY$x^{53N4LCJCw( zJ;0Q!t3&{hZPEvWn|GT3Z~5-UI!qk2c=OE%PqgOZ!#;ZopleE3ql>1 zAJMFA0mxUDBNRf5w^4F%g1_`{I5UXL>>N$=${t&_*tQ3;Ae>>*RC=*BCS6j zjfa^7P8mU!HfeP%Jf``$r5|98D{;U7WAD7ft0=QS{`*V7-g{rWtFC43Wp&kE+p5^R zqEb{)K-!9eihxp7dM^pR1VSeygcL&PHKF(3OXv{h_c`x-=biV?%)LnwZ&weK|or>=j$NhI#4{V6v;1&@OKl<@tuvY$_k;@hN$ zv_B=GKP{S+?uz>uo7@ 
z3#TkW^^9lQPUthzAJ5cK6{S@xP~|DB+j6z>GysjTQay30>{cMktK!><=&Of&ReY7I z8%Xg3fEudqtJb{RfZ;y;xn>MG1%C z-ijGtLlUDFjB-mvbWIf)28|*Vid=BD4(^M{{uFGPHFe;%;8gLYK8;~4n0y|B6`Pjz zFFiBtI0rX4J2glBC&f{(BbFcKBG09|mzE#SW5dDIX34%#mn2?*=qkia2X!^lmVBc zePN%b_c@t*C5n}hR-Tc3C-uCg_$Qc48OJJ=U(sjWBmxnogHuY30-RF3^r*O>!YMEA z=haWqr!OMzr$m$LbVu9|(Ii}|`x^AW|LcJdf>U0KN_;T@r>m&E-cnTi zjt;B#oj!f$p8W?Kq%1XH@ju+La4Nb_z2KDYQKcGxcoMY};z899qpS`fs%?F=s*+Y# z2da=vlr4@1U{O#Nzj0Mbp^7!kOJBAfJ1(T0*rF9TS-m|aG zpww$$|8JZbRNS|Sy(qpPAf2#io z=qBMQK>1TTw9*0tNeb8$ZM92fSNqO}&`?TMuv7}mPdS|^gZjdI}ZQq);mm|ba7Vi{Nv=Ih`)%1@S> zAigO(nrBWhJG_gE@}xfJ?bl_9_8ZuVtkNH7TGHbikDCO^3cJ85`3Y>JJknO zTXzrxr0iq*E>B&vJ? zz@njwQto2VDs%u)L)CQ^zWuUYAK#xQVZaHQJ%^{?{NZkA$gc%@m%s(Q}a#!?zaU&vh}CAL{gKbu!3^Nk>XXZym0a3M%=95F!qxNiXP z5}jDo0txFapH`pqgC_)!;8rWfd$}dKHIE0;!bAc$ZQuFUx1CA>q*y4rJc?j`3cera z2wJlEQ>uQ-i~D&^J-T2CwLc}&NfP&i@;5+2e~m~{nI?%!idIx9(uGYySgg%N5l|xf z=L%Ci-er2TA>j%VD_5>sw{!o~J^q*eRERTWtZisPSdofZqK1f*P? zl7E`obek%F=r6iqz3oz&){5GtGEl`@!Z6jNqJOSerHiUOuPOpnEvT3aX833@woMm~&Xiw|vBJcO^YW{4h;=CCao`q)IA)|Q0QT*M!EaHH6B!eyJ zO22m`XhlUQ6xoYPg)61vep)vPi8dI;LNKQ5(Ay2Ke)k)!kiw~^=)Wnbk`gKmnxgzk zlSFCQr}WY_HJ#f$WmE- z6%F@K_pJB3R0xSk@vn;hMMIT1%h1$6vRtZ?Kou>ko~_q9w9+aiBj<^_ZT<*em0mqw z`oiZw4oKOtJES}_zV*UlES+3)V&X|Ys};xK@D|S3lmS;v>?tj}?8aWfPtkW(FVq)B zTSaUgRxu~>j01ZmJ6}3K`{pQ@s;jf1rEt`-^VBFUrZIg)^p6Ur!n|L!HC6F35!GDL z&ZV>}vOVf7dEHr2MRYcZWNvIFTI)N9Ifr+Y&i~4BmgH7Po{@fk_P0j2T-Fa7t%&s6 zZ~69du95fWOa_DRtvD}1D{`HDYW{>b5AG{v7VCl)>;F;hhtlz<#HFeQPC@w-oO<;O zGT>Ld+2G2z8dB;DPKirpQ`1%G&yx5fMb%mQPwCJftvw>@NvP2dr0={y6-+iQOd$mI zR7;z}4^@?VPo~jfFoHB==9~iu54E1S`gm0P78B8;acYVrr`S}7Uw&I8ig-B1pZ`>= z)ZXC%Km%3DCQGHDO5>C-`qxiFe_!<_&>C^6qPc%QsIn`nv`ZBNRk0FP3aXTiWN6;O5cJKwz9s8jGugu0nEW!4>)8vpJCfM#M|@Yt#|gT>yMvE-w*ybVGq3#uHz|2^*;_ga~%yc-W z9h@=IP2A%qHg zQK{&kaR0FO*!<4ZUg|!TR!~6`H!&x7=dN8@%eNO3Q%d(VFXE>e6d{#U#+h^N1r~8a zPGduq-n^xEwoN>T@X@w)>9H(N$&RCMuy=~HeV~ZblBJ?GmAF(NI*Xn&I7OLlVID=V zHa`5i_MLf10$%Nv121^oS^S#n4qVq+*Hj=_3)n&(DUBZzl=D)aLAJt<0rKte-64^r 
zzqnZg<54E)x-0&5?=rqC_`d7lOKt&LV^oMwkq^OXjXs%LJKM6_9Yn2F_LRC@G-2-;I?n0%qR7yBqxm2oQA{9eI z{PRPV>s57_{Aj1Ct%qjOgx3dEEXCKYTR(Z_j{o$WUAh=loU5q}8tU$f=BGi*&P?gb zDVTmj_9O2WY401AoKheKKx>?Gp~_F{7FtF2qG&1wIOVY^e4#(XrU-SZOqR+IRW&+V zIILs2bt5|DBF{aX^t~#7D%jy2FK6 z%7N()jLuR`DP%^#79id+z}bs{?SW(ezmeHlo7aZ53jIFpZ-*}n!k%s)gYN@#FP6v6 znGn%AXLGS7AI*(`x%op+nV4|u`i0$(o0JTh|9oWH%-FxGS^@o{mfYGEZr;?GS{ zA)Vy9R4Vi*OK4Ax)@7%+5&jrG|89>DqJP7Q{uK#T4F+Tft9`L- zOP4KQvwd%sp$m$GETwpk7w(JTlnVE$w3H6|A^$E2WfQ!j z@E+Nkr#$u3*xn;Tp=v>N+%GCcWfA|p(4Wtx@)0V0St{|Wf>5P7>Pn?n5h}u=DpvH* z2UWOKY>Xe--fHkftsg_6Dvh34(;oV)MI5O5&8bxsIrT0oU$c6vzVSJMo0kun)cahD zd1QB2WnGg>z#n^UzgX;}mTZx8_ zI|m8(fGQ-!X|e4nDM^;fRZ_~o^YGkDoN2{DjQ{01&ccf%V-;y+PYm$iB3%gIe)Sj5 zIy!^2b+#o4b>vX#B>493S~_j;jiIZKl__WN4Qjw5&ln4>#CPshmVp$y;31F6IH8|r z=s;pUGrfPgX-PNk-j;WCqu}u2LR3<(fAfnXCq;2j(4jviNgxWqpd{ZqA6B&wja0adi2$E%V=l^Xz*zEr{hgsfgAA)N9z zd-mLY2M+z1RXW1yMFN>W)+g0ciaX)+q=F!&B7S~n$^`vX+)sq0D12@{=9!9<$cxb>!aTIr@3b7N7gT4E8Y*L@set{R zJyT2kUyAVo$e*}HG=ldnC%~rJgHD7JLo+o_Sdk*#a_ui#@AIhz$)~U&2^|kq=YfM$ zdzVF#Dfn5Apll59G%xk}pa61==k*RBI&?U3OwP4$lrm1C@~1<8(t^rOQ9-4U(4SB# z2>p?zlF%P%3oV?kS%10#J)yr)mkN%$PE;wYt2+D|sImiqE?NDh&J%+|L#)P0Q56&v zbf3EJ@#7$z?t`r;9|||hMkw2p(p>b2C#C2UVL?CTOo=DuIaA_KjeV&37`)4;e;gej zsx&(tx0HV)TP%OdgDOI=DE=vV3Ll$7L6x7Q?hz{dmA~Rr3H>iXQ)!pkNtckM6>;6~6NX*&=9i%Xz~U~qimJx_wO!}I%8dq(&7wm$aUO4a ztGxvo?_yhaP+z@e0h-BUyZ5c3skxHw2t4;qV8Ld7k(4qltNGCNo{ zf<==OPFOajZm9_u?1lI@z}ec(%~I8HmVMwXe$gZT&A;o&yuUcbgo^+5Y0kV$3iJQ! zLKTkHa(Y>U@3*}L$rXLEZ*Y25mKE!e)Y8Q== z)K#oj&VUr}B0S;)JHBrGZrYadE>Xl71LmUDUlqv==mAdLo;VkR9KqxPFGQx zYF||TV5h$+s_B}Ye!aL&CuqaH%vw9jFQr|N5$0DjogPiK+;vBH~pk zsDfjFF_%D@a;(}6$q1&XfT}H9wq`Bc{^W61rHBG4(VcMJD9e))f}ioEVn+OgK_MU& zNKUD^pTa4i>W5KJw;a`Hcvt{Xc~!nDDxgXPl=Mat5Y`{^ziJC*Q-r!yR1-u(e_7OQ+D2gg!fq7su8a}B!=8XL;th>HEi}Hz@*BglDMoH$d#;G{aD@fKPh}_A4Fs2p z)KzZZOG>TlN8w(v+agZe#@XxDh^$nOm9$)h3P{VvYzJZ9()ii7HWhIsB6U8jk%dQ!;0SM#d1QxWhVLA`4q;8g zmmW&4Q2NGYfIPBVp`Sf4OBA>?L-jmKlnLr;7l->*lT@cD9_=S2>#RI8k zqqT0*Q!PgJ9-ihi-Ows}W-SPh`? 
z_$(<2tQifhaI65k<)cqK90(b$Nj)Pc@$}6rhLnbhMg8rtgu;aQN0#a*Mf|HF; zvMbYbYGX9Nf^Qk}gG6h4mw}fK9udmhF)1W03=H8Z`#fkpNEjHpteCXdo@wC$XOY0| zS&p`7v2;rgAKbHJ!$f{FYz`ehoG>P*l>I54qSEa2m+N|=Ki!B*HTV#h$_@QRdM1AS zvnr&D;ZkWrg_WoZg(~G(>AEUWtH1%N*loh7FhSZmbLOEK|K-?4j{+hZP>v0-T!d2C z80nJLAfkcgk&6ix|LH60NXsxtFKsOc_F z8Gp)$Qxf`9%|1-%Pp7DSp+8m^!i0%i_8SYTisMr0L{%tM5nD#2qFS@AV^aJ8O|#%Z z<0fAF_E%EbCmRx!zc;A5@58Tt?(of+v7>xQy=v7O(27vc+Pqd16HeNk9mV)ExN~5p zg#JL8g~Lt>4cCyrAWOAuj9-zPE1=0Uy>B^DImkEw*FY%0o5E7iFqjD2I`Ld^klIhA z5=sZE4z720jc~RmIGfvw4X1f7;~X9bs2Zy-q6&zLRE!StCH?pA-?KKi-z9u;1ylS@*T(>+uCnq~KHJymT zI}KV>`5u4eR;+gwPMH*y%}&>$KT=dgbv!nO%2G+_&uCL9m&%i;sMB3>)Dv|`3UjIx zRSK$901%P@3_#VON|6ASuo7mxW$LqS(-VgKsp(8-I<4<2*xh5w>WG5_f{;0q(45*_ zV-?>`?(`RCbVjcmQd6U% zzKrvoJ9i#BxN~OmUARTI88Q3V5UnW76=KONiBPSC_59WhToWMvdCMV_L8v+{GvQeo9S;@@3`d6&jPgkSAjlqw6z z&cDw^D|*?#?kxXEBAjSOi7Fs+>&d043b=DaHVP!f@rcNoQK5H;`hr9RjcIX(hecw` zr%%g(;ozKsF=Z>LF=t${t&I@|WWXSwtJT_lU-YicGbZ;FffW2Z8Q%TwA3v-?>bQ|3 z$E4Q#smCpEA9EN`R;|KLcSCZ&wU(cwa>t5V3_Jlrz1y~Z#7&#FWG~zDOy{X!ho*%`FpK1o zV3yuo=&|w3z?rwBP7cD8i%^jyRK$mh5$FqZqa-0En@dEG0x35w<>Hhmb+BoDzsAF! 
zYBnqss(NGqRYIb$_mU}dR-mA`SI3YO_( zpEVmAmb4l>VdCR8f7DR*`>3e8`1w!EfBf{1O|D@U&lqsx?13j`^*lRmWGmaTnm%LJ z&Rqr5a$4skl!4vnGer93#tEW4z=lf|dIAU0)1J})L?7J(GbPPodzC>$X-W09wbBL4mLS1V5uA0?f|h*wQVtai7Mdk^wP>$@kMM}HXx_hnPiS=Pj7#Nc+;#v_-2U@<25r# z&|tR_jkM+>m7R=LYKKRLKh6iK$b+q6UtI5V3;K`b_Bo$kjlLnVc7BKKo+mPHxg-6B z>Ft=+^R$fK*QbqWnUa#)y?^p!RhtycdkPKpi%V5YXQ?Q_)C6^%rSjMm5#nD&KHWtB zBumAn2^F!R$_)TwX)(DXTZdGIKvi<2v`RN)Qmpm538|q{1}j#q+P>%D`+cShiCqWZ zw48;TJhEWRl{OLxi?IPodNUtaJFX9Wz8M$d@?`ZWGk!=V<5 zA4~V=RkOcGZ3*AXw;&n&PMB$YkC1#a^H_aF@gUa4v%oqg>WcKa1%>KGG zku^s0-G2B(2lvdM@H)fWoCZ^oWGI4NSv^lqANYD|O45)KV_vEE$?MFAbZ57!JnAC8$SgexnH$i16rgs!ksFFCtQrNMH(Es=X>50~Dyz!b%#g zv`-~An~o*@THix6q~q&5l7O>$Ajjn^5^%L1d|Iguke zxEG=D>C19`#gxz?J`0{g0)3$frK+V=&6G+@g?dr~Ql0|sQ$Hlf@T&4$rk^-d0#b3} zekJy&LPCF9nbxGJd^n}belb^MZLpPQv=F zn$-kLXj`G9-^Vf^SS5X_wj_wfMs$c~84&+O@$Yfhu&XT9f(w7ONL1v5ISbA{k{>Nz zvG702u~L1kkXxrg@U}iqL7H>8)H*;F79LoW*J?`tOYxL_rBd4`NsNxQ3g0^&gjtrT zVyj3o0^d7F7zy^6vG;Mu7%FVC911JSqe_BQCY2O6x#GaS%~J2k5M|BzEPp`AOCUn1L+s+=7mMPDLWKf0xmP=??#ljj^6nI4(E+rPB zAuQ^*K5qSv;GMaG5C!LR_viC6Ei>o+rd=<1{+8^SQ2J7l zrBWj5qWEV-)bA3JqTDl!M1)`S2@X&ts(`LzwGg>=`dC$VR^wPTk{YY6-JP9D&i;j^ zGQkP~6>4MMd%YA|NFRsR+T(^`!hDsxy)8=C~TX+f)mi$yfUSK+TR1_KK44< z2RkKxDK6DAY2c2P##YnPeRW+WqW-c}%eu8xLiV12{;wH^iur8P%Rc{h53PV>8U(NS zR2oO3b|{WjFQ*{IDfFj!O8k$F{=lwHlV^?mM^54?1nwA78h}urz^h_(k+f2Nw3LdQ zhGm2e5lZqgF6<#hCr8E!>K~{yxwmHYQBO&PF zrvjQ8eQr-3-7PgW{r#`oUiC_yB5;biX|XA=6_Pb@af&>+uKAVdUxcIXD*h>j3JjVL zsz}xYRfbj}J%3eQl~-CNeu0(&6tM-9wE9Qmp&xhjQ+8!JJw9W}(q%jL9Qdg36meCc zD7dv(3NM7#Zjj6KwlvC^z+J2z7mT!z=0cKooqXPt)<3r#C_|QrI8Z1fxd;V3g(4L2 zWWs%xCxtU*G$@{EniK=7<`n@_ZgMJ?KP5bh;`&oAl_IP!mE})Gh5mf<6!CE?;!>&5 zpK+-ee)#olHCuEalM=;<6R4VyMfc~cUMK(4pI})Fy&*^iH&Ynw zAgAzi>lfV**0}raHwU*pdwGClj;+vr91zfENxW*DKg?oZllb1Wevy;`0UQhnb_sh$ zdIHNspoQj?dI$lC@P4h{c~{NmQ{0p zz`X*GsEtCXgz-R_4o3#cIxe%MI0u|av6T+!Q7O#eq;$><8{ZCTCMp_0G`uGkPC-!P z;xs|qygW(&Df3sZ>)qv_EQdl9tmfjN6~j2USJ}*7*TA(vUG4kMeeZm~ff@fHJ4Lxv z7#wg)bJUefRUD`im0ImpMM{8`2B2iDG!IZw0X4ru`&Jn0SAHBeU_?mhZ`$;kyLRvW 
za_Dpg1fsqk*)(7YfkB1fR4JAVTZZIdKqvl=Ip5oH{U$HI7xA8Kgo=QaOX`C%VIh=9 zLD!kMFgHqp6vDHf_Usc)2FHS`B9l|5c#40%#rG5GBv0kfEA@@iP7k5{DV*|BR9@&$ zQdB`1C7(;B3F-up4M9D~Q3s^-21sd_3Y;Qgdc~{tnsx0T^sTb8C&67Wora;u7o;Rm z`RMyEb!&O?q{Ol`)Sxia%+ufwGncSitEN|(8Tw?U=Tp0s^EKh+gZpP(h#kQ4fPJ`B zL1`UxaZCXVSF!^fp@$Jr2-^@birrJsV}DAoGJ8}zDwf~aG%iSU*cCIrrdp@8&8Oq+ zn=6)iYj?5I1i|1K5D;7Zs`H$Wu!!7xVgAL1c}5iwD&UjO(zm68 zjGkN@nn^{lNG%O3Ee%`yD?4(e@W8%Ji?ge+@BoJ94nDD9@_8(iL^Z3AIO&v%6FnxN zw|m+Jkn~uza2g}fj2z#NmcQ6JS6RmtVi-lHsfu1=o0`k z?=9`1sSif{Cd1+jiSLCXlm${A`Md~_l7>@yGc{AOpsIWNyeK6Kl2b;9wkUr}aLTAB zsZ!sNxL@&7RQ}MP%lgwe#j3`Zr-SyLWOauWHi25`{Alh1`Qh%M60ps z*^gFlZcO^GcITh(zcis+85XxJUzwG@3GRC-Y^&r`djEW$`Ey>a`tPjnCj>u8>H&*E z`U&$A^tsGsF%+6%V^{|M>Bg(Oo<{)1y z#|o(>G;Fh-!eX^5i~n69ueW>Kyrq*rN7H!5(AyVgeL%_8&W*V!T1+2$+r-3E@rkDO zl~Qr-N|T^uc;pQ|nKcXt**GDVAH?#8MG=C=Y{Z<20GMH>cV-Sek@m#<4;=isWiOVI zL)x98`bQTr=JjVuX|eRm>Urk)p|zOoBgdrGYT5N~?*zCOL6?eEE{cB&r&tV2IhE%A z5&hFT>Pnwh5>$K<6CJqpo#>Nw|elKfi*jYv@SxdV9na~b60PD zwL@B@_y~%i#w;qZnn^M!0$ZABr@>1_2z8v${%u2#*|$%K+BY~DK_!trkGOT(bpn`t z*kqSS=|EphH!9L<3Xn1gg^$U`f8$?`2Zef7-O}fVRQQ$%q+<9}mT-Dh+)w#aUKLfe z)?bu{QYcO_cuDN@#Y@6)zVfvK?!AcKnaO zUhQ9_I-W{KDOO38Z?f}p#aNLxGEh~m?tR4Te5a8aXE96$intB^d_$F#_y{Kt3B|M1^kXWmFiljxOdoRdg3R}}txY4>uq5|W4Bhl0w=A7pbJyl+Sikt@ zu~_dOq2_n8xKz?VQOPK+s^zS}r9zq3cB!uVt%#@>AF~{33VD+U$0!_1JA0ag{8tgz z>AI*Yf+0p8^UwZ0>!&B*K|mNMnvJaJ)PYxRUz^5-_wHQ0Y55@ObU*lp>>kqJdGV;z zSQ_aX;W>jP2{m=lb^OM;4iYEyaFV1aC0ZGT?8@NI`-UY)W{xdiyWIdC?%-0C5BtuE z^AhX>K(l(DHGarvdTH9VUvl}{E$ED6rh`y_Rg+(fqwb2RtG-lN8weGVL{-V4N@9Ti zFrb^X(%g09UcJ|9$mkS5m4auUKYziVeFtjvnfMPn+GF;$hr(|K3W8aB^SrHS@Ur2i zMEe#hdD=$?q0D{JL9*e=I8Zz-c__U>ZnQQN=(9me7xrqlNnEI!Bb8IOCshobGI76H z^;0J97sjKAru>O4Z3sKvq^QCRsa%(;NH#?Ts+3Emq3ZIN>weR&SJ1JVkU6nc|FPaM zKK{^C{Ci#fYMt5*o*C8g6lNb`{5Uhz_m&T;zWMrQxW~S8C~v`5Kz`si#H~<{I@Sgt z6Z<@kuD`7}q;1>pDqFO>v9eB;6><>3C>%V8m0_f;F)@RWIiEDCw3?0pkrVhGx z&yGdMY(X87yrU(($SAcFg1WS%uPOv}+oj68S=zq;R#eoBk5&Koe~0t_;^do(;0Kk| zQUzy4b!SaOXG3!#L!#LWas8N`+4<>j;w2ff1je7BTu$$Ew0nhMpq3imyK~vX%nE4t 
zL68sybu~_4>(N?ze)=0I3exyK=*Tk&brCUCoQ1(}a>n*Y7~o$CL* z{^g4Cp^EEkzK1=wd0^U?Wc4^9eP|6+U0Abu*UL=dl_pfYR0k^&iT=G_pL{n9V74fl zy5Uqrys8%3tCAj7T2)C(fQ1Aovg)b|Smj4VT-_wCB9TDLw<4nT??wZA&o}!)VB(GjG|j^Z=iIA} zGVmm13B9R6pYow1;z&M(5*oiEqW|l=0lkyQng4^{fvnyweU1=RbUTk?fRq>Ui{VTO zNO?iOWA&$e?DWtSm9LO0$fmGeDlPhV!<%0~XAMS%vvP9ZY1F0o2=WV@dExUlZh!B~ z?%nHA&&#|c>}F3!_L-sJNT?~`T@6*&zFg_GYX7QH?{4Nk7QjB4z&@Y@0_qqb<-@+~ z>zA~ZXLUVm!~^RVcFFE3vNnrHo(e6QzOfT~mR*?nUct6GU=X(J@WI^$TW2lI`VgCj zW!vrcCn7M2?>1}1gU9MvVS#sNDS~Yn8xs>xTQ#fcp@RkU#yyjpSeEe<99N`7i2<@Yf@%&_Q9^E#q-fzXS{QP$ zHAsggw^zEyF}y0K0Nxxog_r2N3&b8GftiUHr;TWCtY7rURCeojrxZ})%e*FoKkdjBCD~Oe&R{FnJME;dC4g)EpjY4MSdz;>o2}P zC80l+qVk|hu_;W7N=N@RPLZWjAQcg(z3};(Nb7Df-{Ir)ieqitVEi00-T{DvJ$VoVf zrzKsr!m=&qUI+FZn+*7Yh0cz_66V@S&2MAT7+>*`>YwNl)C&ob&H3#q(-spiouxDf zxzcJ50>9!JXX(4n%4(9c6MjWIMO+`@9NK&=J}d(R`nNraqg42J1L zZd#gKW9ynRvq$|C!~v~99NKR3)|OQxcW;|JE$OcmQW@{ez94lCtY=s+Q8LUB)l@(- zo`k9Cv)c5>@Z`Eq z=BDN`+#TgZMd*BPlrIKCS)%AR3;pqL`-MYQ+HBJv(SQ{HRUK&Mw_Y3AI2BUl>lRN1 z<9=4DuTrBmd_Ont7o_|V8P=PoQt+FIv6rHX8~QUYm6xTmLVv1&BBG;?6mz5Yz0E?) 
z?4)O8HS0CJI5={=&$++SH*FIKj~zQIBk?MxE%mv+Ny-eR`~*aR<`+7JIbTB+^5)Pm znDr#NNOb{NB))lIKG!on@n=?2^76hC=Mdz^is{%Ej{J_BjtLM6O&^{wR$Z z^~kn0n9`J(y0Di#?oIB><6B8v$4C@BaA=J$N=9R;?ug}Qs zchR&yWrJ1fjA5MmWus4LMB!o49E}0PH3=!>D4D^7OU|VT2=EN%puNKhj6JSkp4NVs zr{xJV`rMj2ZnT-{>~!ll=#gqo3H`ANRH^76OJCzvMM0JHsG|OtY(+EaR4!Y~NK-{q zUFGww+(@7{r#|=U=|+8$MyA@&qxWaboV{o7{%?m&7GFb2Te!4#8@9yH(wm94MeRh; zM1hM5(-nWm1oZTETqKIRg)WAQ#P-bfU7ebGhd`1P;Xt)=0Ncpz#ME(I5iZ4?}@!D7<%OdeEf;%b-%AGO>OA1o{MJ_b4~B ze>uzog`Ys%#DvrG(q2R>Nd;=kA&!CV!sY;r+F7GyhRm0K^1ai~M*wj0fUAxkrwR`_ zd#6cgYfD#gsVF8|Ra+6%3H?19VH(W8zcBAQC;vArqZA9C?Bh=Q|HKJ-LUElQ!4TIIL~;GV>ZAUL@7gkR%D}&{wt-BJuS6?MRwH?-<);t%8$*bZ0A+%a z$v4gth*YLlkK`>GU}YXAos=p3c?w8!F_|io}N@ObzCG5GJg0s69zn++^>4|X02}f z;2RIBT>76002*3_2UV=JHB>2WC7rQ~)B;<+mCjo!LLi1z>Vh>|;R`%aKjDXjkQ_ut z=EUvWcl6I$pc6Ohw*Z#jEX<0AEs+z9fR_(VLS7o5D7X^?lI)APev?-W74)8T9?A>x zMMwF32xUM@>&+^t@+a@eRdr39#s7_s|6w#v2}p@ERik4Bq=Go*2L0kVQ(pZPU#{M~ z-oC}cDbJr$xlW1uy(t1pUfd74KNb4Zt0R8ftUtjitA(P7s6+d4DHD%YZ9F)PyPlFc z`MxTR&1t{D&R<^q=;cqI_^QF*D%L6AHev8sIEvKU52=>b<0N7u!Nx#@{^%UU+=Pi| z&uDv}d5wAD9Qz=Kg(E--X)oXgH6*4sHiVd-4-GLI7>CLIFWt0kAf#o=csU*gjY$Xhr5s4b_kDQF{z1%{w5O{p}S zfaH+Qz6xZcOvHO7H3c~n1S z6}PP$KQ-w_{asT6%t$zNaM!_oo3^h@Cqc<^JZpURb?Il3xMaN19hf1(aaKM^Y%zqO z(@aac@z8-CJ2qrZ?t8KHWX$m-{TXtA9Ty=!fbRny!ARF$l?hWbdbL+Y>^hEG1%4dY z;nvzUv&TI9AUh*Gv*)>~WBSS>FlBgV!g(+*m|qhTE=cVD$y1*TyM{uK92D6CWoOw1X6BriaEjCn9_JYkJ-LP>!y z&l+|QHm6|fc}Ng&GFPCy7rTW15;h7d7dJxHjpO;_U)jEHJk|`Gwr%z3+`bocP|hEG z!?rak$Hb{9NOiXN6@oeft!uxQVxr|AM6oI6-&>e>l{547-#t$0KhT+bQQ^E>T&Q|L z6ndAuCatVi)fJg3x*>1rE_uDZv!qM%G5i#4naNt^@F9P#7KDnGv%Z^=d{<7dvv8n@ z3FC${T;ZRKguX&C3KXdp+qT4t!TBQXS(vBJmSGBG3yu~%@j%!GcAq^72&4gXFS zfn!c%5haT&j)oV9GLYiT#4Hd(q{+TLh1pm zp|cgJ#6;E;pX*}~uqU8r@{s@T-@9qfn169EWN>&$E{GLcn=a*4B)?etazSE%)01ys zHnr~lJ!^ax5!U*i9SgB_zT+i(3F~j)Jh8f4dME|;Cc>t`CPyo%7ZMPgckv$tr}#6S zxhEaYqaxUHtQP%8q@~E;;c^Oby{)q~u@pPnhkk4Ocdv#An4k8-#GWTJ7zh zt=IBVy)wbT`|5UW({E(Z;7rP$x_kGY zjwv(mub-${*&494RrfHHmaX3eHRo8nU;s7J9W?sdd&|DM?t 
zK@@i8A;)p8=U6S&{0f8tYdLEhD*cKs(s;3y^ebY0K{(4t3J>krm<bTfLt z{OWJbzPpae5*+8|2=K(m)xAzYxXBzhJ75!B#LR>XGy2?&2WRFEJB9NuX06EV%j{mZ zP3z}xtth?4{ZOTNfC0x!g#nd#MLgfiExD@Ns((<46yvjQ-G*7qHr!pWhp1Z^IVLKJ zw9|oYSAJF`FzAK{T|djfgy(Jf0L1`}z2n0#`z^EYyN>r#JUeq=+0lNV{ML`BeuukJ zszS0hQm&C?6^YIex(7faQnh&Fo z#GG0&M!?8S8Rpddp(khb`b$Q_W$^TZj44jgg_C@i(0v^JbIxQk;<9~Q`+hViG@G|e zi%W)gIF(f^VHpl`Us-1gF(Z;b0DyQowEgKfz4pNc&sDEn>mg#2908|RrJRoC;UhR} z*dh+*_PvC3IX3E;!g{gHpE-WyfU_q@_-tFciAzQ34>pBpQ@rFXe9W`bSnRxug2w!J zf245!rB2?hp5pq#r^MMrzk-hT>)np_Qf9T-{6~-94y}9F*4}1Pl)!-p6SRGTzDQbvpSYh7*Gd7At-YA#2iJcvuYGzOBxyQtLs684Eew|F%C| z@qP`NHB<_7%~+eB9o(IbNJ8*5;@*@fX7wnGxTG3;mJ_@ z`12pG-=o)1zvBR{qSLq;F%Zfh?z0g}X;6fg_eLuwi8E!$eiG)Djqh4*eD!+MBO#VE zW%DRJe<~K`@1;5xkHQ71Xevc0tlaQMy;eO32GJ@lBfHWMJwiWnbO-Nx`z=Bl8Qsb- zH=#%|JACs6AwH%j8{p!5iVHI>k}%-nGYjWL^D7pWca~KU z$CLgbgaIM;L+{@;>KMzcyl*7#9%bOjE-jz_6{H#h%Q*fl#_)H@WJ!;zUT3Xa*p+h_ zJb)S`Qhg55KL$2s4mdufK^b^7Vk`ggQ|wTd4h?l^yEAa}hqphC_E=_+2X`PKfop`g z`5H7~HXgMtR&N>kSwgD`N1QEdUxmp3(vXRSnY9jjvQ#_uA2R+e< z7Ii!dl`LP$z6J2)0h99nBA%cHPZ5ODe}($3u~?J(Y`(-l>i0+tg{qY45rUtmH|v6w zur%&wV61PP~hs#iN2{Te8j}0GN|_I%0so;8#l%#zK6hg9QN4p#$6Xwt3m0iHWj6f+!AxsO8Z4xxG%9)cc&>Tjyy{ zeAm`l*?q6c>@Ev4XsG$gr*Nj0l&n$jo;%)pSAG0+BH@h2zr9|8C;<^XT@@HQ>^X=R z#;4%G^PBzPX;5k@`U^^1*k?-UK;+rWrVoCn=8s+fR;jTct?axN3vwMnQh?>-TId?# zzg25ful<0ag`o-2mMvQstloTgovtqLLYVEEE~xqK2D!9(kAN5ALhh#1Jsv=4M@FND z8#y%o&av-A0h4i>EMPJZW{P%oaLm z*$hZ2?u6fyiox*%q>MA=M*Li7s%R304N{7ijx!aXM?vT>sGbxl__e6%HZX zL@XwLmzEdb{^mO)I-E+FMe8O#QsHGCR6$9J8<8Dg;!}Httr*hwjJw}?Q$2R|+unG0 zSo_nlD)5T2FszDM*>Y3n{)WXpjV*$KjCI0B9WU6TuRR({$kI~KDzdb6`XKc8vFh~U z7E&#EpfLZIKW6C9V4Sn?Lg{oo-x3B~__VY1Es;h<#&$hrR;`tc?GV)_xYUI1ft!M@ zvo|g6w_^HN)Fwl`0KEO#qu0GsiGz^d(eFy_T<+N_|9PmwD@>x5DW@|m&AjmKKp(TP%z66SKbfI=~hqV+92HzW5q|E|OI#hCj$ulY5o6l=$s zePLl9YD@RJ$vYY^zNo^0lvy=UY`~5x3^>}sQ9b6L!-wd$IC9>&=cy6SNfiHuXdCpr z4HM3WK58~rWndF3C7=c|XT}@uyyo_hsG2tT`hK16dgT3=C@TC{#TR=0EaVC<0@iS5 z^Y5-B5HYSxIr3awC!^a5AJux`!sk9~*62Fcd$EEN%mN4!C?qrfSC2cB_yeQYObxxG 
z>G4z)`i=)*61OCo3s*3s&mAL2^!_;^>Cu`$#zrfb7U-gtaj$Ov_@~x=h6RgavL{a3 zv1@nTgcR*B$Zw@~E6jF}+^$PprGnUO2D7yN*WQXGw(QO4b6J?;!I?g2aL2b3=OgMZ zgO5@7RqO~GoAg84@TC6`o6%=TeGk^_k~qZQr%7^EW2dToUz8^$X(?6F7AxGRoT+Fo zy7qsga4IS}Wt=JUQzqzF9GvpxB4821yGN~n-v=t-t>Z<5IO`t_VBiA%qbC4Y(Bos&zj>EBHmIb-E=49bP4Jg;C z#ih7%?^S;!y=xir%d8Kv0~bC2X~TxMa0RUiz>)r~&v~lSa|HcJ1T^~Qul-t|JFc@- z7Gqd22v`g@>mpOI~&sJnV-4?sM|4apwN9Sbs6mD(|ww{F^;~#R4T`yS$1tos6^z z?kZux-5Ji2qYU1%6v36Iq4TVf4}b;W4y&(i*&*x&GaAhfzByd+iP@A)Gh?pi+MnJ2$^^N!1eE%1QpNfi~0Au#D@>TD9_w_NIPG&&Hajfu| zRQ%yo%_gFj&^}qm7$^4%Y20R>*52XcOoxo#x2C2H9X>j>@(*8T13OITdKNFJ(shX?C+4u`5SQ-iTS z7omz5?&BMA5lW?{+=!p$N$IZ@ggQ!)is4U5(65yIDH~{NHtQN3S6SIPO?nJP=hi;6 z$o*?yuH3QtWn_~nxwQv>oP9zTtOId*%sI?5rXG`;IG%Lepl&xSM5kJx&&gCZrgS># z!S`OHxcI9Ew{ku+ow?uhrwifr_5ASyTr=zjgbGsC|ETaPqU$|>6bTEnVMz$oFBpCb z&Rucfm0NGmJrApe?c#O_uy0!0_t5_BM~=D=1tqJyvz_g9r0OP&YeIjk>pECndNVEj zmy1(qDE*BkbS%^TM?3D!M{k7wAa}ct)dLP;z$LT^Ms3Lo1MWz2_T?X4QSjE)qw~^U z5PhuyBBCCr{M?M*;0|OS1~4GPXwgGXuZV`WJ9A`*Qz52O^hb3$Wc7bnEMKk8y$nTG zRxHnY{CE)|!Ar|mt^d_+to?$K2XimLh}wBj55Zd;E5eVyXa*rfZjIQN`AD1{<`l7a zQp~6brj727ap>G{*gK6n-|)T=!=lm3t-8V_YN)Ez{Mj!%jt*$jQVX+m>9S2b3Z8G& z%kVBNz_Kt)vj_}kDR0Y-5Jns>Aiy|WX2;-#iM;uCd{|TDOW()sm-=4j)@H|tO&;4^ zyN&9%Mr7kxK3FFnRGEa73sMAEBb%<1ipojZ+zG)cqdwt+6f{2zr!>tk2vXsUbXPRV zbEaIJ^64fSXDXzAs)T^zL!7H#sZE=JAX-h#o%-fC9epRqd3o166+1S+oNx#Jh`p$b zGbteJGJ{C_+UEl_fETnSMSeJu2}o&Gtc%bX5wK|T?TyqIU-MGsPR%bPenLbA)Q;%fH7#n_|J)e>6yn^Y=OnE-aj9m096_ zN}J#hot1R6`qJ4*QE&%mD^2Z3A4OAp!n|kzPEIUKy$ciS89G2`&I#&$jl&8|436c3I| z(U=%L7Isk3wVz6Bwh-U8560PNMFhE>nKGf@Lx?gF${RH{t#jXD4}RL*Lo1INs1+^5 zy}GN~k8OG-2aU<($y4|5KTx$pa)j2dWG-T1mNDc02%$enSS;kyuwnyEN%sv18c4Et zV#1SK3>67)TB5T057cCd2Woc=^{P6Ko?>Es3a4CzA|d7Gq>2ppg>w8tX@0P1;xYYV z zEU@3AzKLn&W1%xinXS|(vW#RdQ+Q&3#NKDU3QUlph7wQW>6X{thc`v~0LB#b-4{Q8 z@~uxFV>yZ)fR(|G05yo{xL546Eg5wx)&m=2U$dn9STG#1O> zhtvxLc8e4Rmm~~`(8P@7+gW#+61~x0<~lU5!`}FLGIO#ROkpHw+lWMYzih?=xPvl z2Qx8!;H#~Tp5K* zDxPV>uKq*Z$Y&%8^+2r-iAjFjORlQJ=*f!O7lKfVG7(@+M8bUmf*)>_>E~ 
zCzlkba>~}BEfS=BQnaB6Qp|%FKVS2cCLKjHHlWkhX26&$UaB4IIv1C(`B0T_TXyM_ zo>ZApy?k^?i*2v~9SO>sg40BcNTB;_-eS%|5!WF*>YfOOn74vE01)Jjs&($wkM~@a zXMi^9N4OxM`EZ3-ntylg%z-#%7tI@T65KzgDn1(ahZzl=9pgIL_dF!Fus<~5+h3vv zRfPWbOmepOSD`;xf5@ln(BG>L&Dpg-r3$H3hruE(_aE*ABoIYy$!im=yIH-hMAz#} zVcN!4!c?Isc;DO-g#kA%>CM^(m;V?SGrn=cOD+g@;Qn)cMkDb$hA0yxvqzbPpDqNF z@bsAoFgM!$aD|zA@CGOLEXzVJctL%HE8wybQs5jeizJIVlO-8pdBW-Dh}mIHh(iZB z2B!nhNxu@rTgE3nip7?#mCLM37*fh$+`k={!)qfl?%wNsQrpKe(`gUfx||RA6kQWJ|tUaoS6c8 zhw;zEVJ|0oAe{OLj#sLRKm&a7vF%H*A>h+Bk8g3sx@cu8L}skteZXKjAFl2O_B=Q$)( zu%#PY3(HzJqnFU1-I403AseeC7q4E~#MHAo<11g2^mIXk$J>=OmmQMte8H#rbLoc;1^I8N&@69u8E7sGzmU7GX?D?RM}HU zw#GPUdG<`&i}b#|Td&p+e%3-8K-TIvf7qnkz!5Gtzf0$# z?*F`9LQ+&)G5&|jtICZI^jRQfw|EJTKxxo&G`u96Ofpx&4c&ZB2Z;#U2S3FT<`)wj(v;$yM@aQ} zQd(Dy6f<{(^0XmS0x4Uwr9U`FAbV&N5qiyIIk;V=%!vMB-%1euJG5Txr?CFoI~!X{ z=#Q2b68f_Wex;D=CTIR1ot+*BwWOOBolx>`i#Va;iazcvemT;6aV@^BJZUx8ou?!gVS)B2CNitkDx(Tu>CJ^L z9nKPxfEOE#xLTgKrKQ3{@hb|#bhWJa+vnqW;G&~*CHie+qS|-y$lOk2sQMiWO!}{I z{YULi-dD42I8=?wjTz_@AId{0;;w3QDd=&-eLhbr2vVl!6iO6cd9TZ$ut7@4{Y>9^ zi$r1RCLMEf$_#$rPPL|;g4&W<*^_?mKkEMX-mCS+ouqderHoZd@)`W;NtGt_e;j;a z#+lh?c9=U#O?kB|}0pru-z-qW!7LhXEU1{I@p1>uDR(eU3p;{uXd z^#5hJGR{dk4QO-D3m-pC$(0`JPgZ(vWXDrUY=uS!AWksa0XyzXl!J-M)$}vOfhy&W z2|H1LF!;SMuH6mnVE;S%G0_~OU1XguAnnL6Rwl^P0{eA2omBv8Y16)HQR(k)yPSae~tlny%WoavT{RUiVcZBFjmRN;=C|=vwNQ8 z<3*UE4kLo`j~Pe(&m6ROY^ain*}Du?OH6;Q6@wA5PuBa)P|lgqtt{9?fh5n&Z|eGc z|9l=)3UG?YVY zleBu#Sz19!SbXWM|3OJuBns1V|3Zg?>tg>DY|qQ>LkH>*CaRQ03_b~q%{XUcamCQx zH&dEeF^o$zX{E}FNrI+{r*bo+0}rr{z1)ujPFvG{=eMaoM~nUv2HT6 z$S4s)C#;8K#W@mAPmmO?J#@`JPYct7yMTs<#80WI zQG|+|Ns|vAI^1kP+Kt+Z@>^t4wF~gQqEc(uz(OvpanRdx9jraHedudcIckF)8klOC6s!vMn7C$?}l=C9q(IH#wQpTy3*l8wYiN9__2%RJNwC01{f}rL8nHP{RTabJT7vaiGMg_S37$#>z zA)eIxT&!8KEuSNH^1v#^PVc3JDVj;>Z$&lfX^VCBgemSToQKxm1x1_bKhIGA0Vn^m zLfC+siz2`ODFxKaD@j*MX%Rvgu!HC;?i%47+*l&C+O{Tj%77~wV8P`IBNksCQ;(h3 zC_X|!vIs!>HOa02fVPT{ilab_#T zc)0gjJx@;`_(r7ZaN2|k8QGgRZ^@pw?Cz>9wFwovU;wk++Mi-$mIYg`@z+j@_uC+a 
zA3=dNd2<6s8wY=xERxzO}f>8W(baUQ7ppXBjQt*ofQbmUQ ze4do&Oa&r-Mtj!C`i0Zcai)&5KV{GgHsIH76D4UiHYt5@g{%Z=CWwRMi*Eo201cye zb7pwbd8yLRdE}FEk(_1CxNqMZsgnHMl)4TnUPO% zmhWBtBqWiUR=X_{lsS#ZBiDx7ZAR~#Qb)GKdLYiWe#`bp>$KI&d&9oarZs|D;$-Pf zJ6XD9Rl$~VC_Fz)>jg!}2}6*JXrbQ1z{|oE57Cb8pzAboJ9F#EP6VEGNYnitm4T|< z;-1gYuk!293$0>Aj*H_z_)}3XLfL^n{U0{5spR8CO2{ooFA4EfdcYzXpBjz~90h5AT z2cG)wXkKD5up3wp(q32+AjzkG13+VWxOnLEV?Z={W5bf(g@+Fm+vXvlv|q8)bvvq7 zN|Uy(Fsm28<}7^D;1s=X3-d2?=AK!6L;dHO{0E@)i#8zT(hZ8PcnI z`UMPi2C$h&jAZbRlh>u4W#5GpsO07D@LKD9@%I~E`LIf@2hzHfojd5H-PTZ-0LAcA zxVyd}2!fM^R69-+_!VbHXupXECWJ_2&&(9FBkRc?@#-8&X|Zn1OgKMvc$3s|DFcV6 zywafk9aWlM>-Od|u%*2Keg|BwNQBT>X_r3`9VFC179A=KX1hE`MiDmj%OIe*M?7e= z(8uo_xhD%4gaxnl;ZZ)a1c z)aNq1eaCsp)MGO0NoqnF!P7XhX1sJZB$vebMD{qsRGKm1L;~PuPO(G$BroYCW+eii zaCfWLxj(JziOg9Z&rERrS*?gpP!62ZcjN>Xr92Wg0n31Wz)CQYxi8O;LD0{sf3uq9 zEdraN5qo_>o`=OMnTtt%&fBzXPzgYaQ;*Pze!g^~_t@!QO6X76>E#`-&BuL(c}NER z$@)7Q_;vCxDa^monSY;)Ru4;9mEbDuN*Y>8(yE>GwcnW}?HBn*iv5Em;I_4?(}vuP zLB@rLHKd0`=x>4mltmDNV=bf+iV4M{h{4JF3NT^_G3vktmV6|+h^^t&6LzKwgTg?L z$OH^jBeFz8Q?AS~+2AQqFtO4_y1tfEvCuim|>zVuTKzLNF0XBhq z5y4=t5z}KrQD4lhImlebo)BFGd7+E=p3{EGpTlLj$kajCZdo}T+f{5kr*Mk4iK3lO zimIKnUZtpz09y8;bogEHNW`?xzfY=!@-8_VGyUghaIA9vuW;Vw78{VH)uX~)U-6MN zv|8gPt&j&P7$ZrmlKjxAiU#yk2j9S$!JgY=BXpl(jK{=UYgOtQ`00AE0UQiJ1}6)u zP1)yAk;h9tK3P8Di!qF~N5;$LqfcX~o9Vy~gOCx_;&Q)3kL%#d-~wF zb@2;;HEeV$DVgW~+nQjM0jzkKrTqvmLRb=SE6V3G$mPWk4WM{vSF$38hkHK%a zNeps;09u_sjhV%iL@ufPM^At8PQnXUHZ<)*rtm`gEd0U&-eG1W`q0Amf% zMQ25dBL+W;`+|48OPr82G?s+F$Xw7oVQ>c&#zsvYeEsfibFo?_F>)$Jg@BTzs5&{D z5T+nS^|@%Pl1!lv$W2jUV~@bQp8Y549Q}X5$va=Q2r*$mtz`SU;;z^8l2+UMIeW57 zl(f>{_@RRZ)X>p(lc9yHUYwDm#}e2?fSPrYc;yMQLSvu04=%z|4fTG4(#S`UFl9l- z`ii;0_~$el5cozT5p2yw8r1fz|9*M*NRAc zIBUW@9vH_T#Z6h@1^+H4CXW;+=cTX12MI#**c19chCI6lEd9I3z!4Rjba|j!^Bdo9 zq+!b-mkAFVR|^wu%yl#+BZ6Gfd_pVLWe~xJiDK^iy|dW36X$~F0U|s4*>u(^!hzIz zy1T2k2=%Jk4a>3-D(FMmq(0Aw3c`~W>+=wbSYM2Ap8+Wo@spfX5Tt%V`UL*e6))Ag z_rtG0{H9&sA)`{qjZROhNGuxKTO3zN4@EEtYj0u>`XIjiJ}i_ 
zcV>^4QbMH*gqf|(5pq&I0PzQ^Jh&9ZiF#k&p7_)GoW=z7MbQapaGXiO^Dv3HFLRvJ znD5Mb%Ky10c7Q27cd)Q(IT^lTTD_x^ zR`so<)j(&@_)2LGvVLLLDFf)zTb2ckZ&=0}NcuR#n_-C>^Qv*Dvo_PNy&jf? z0SOL3{3Bz<3W^!TJ^{UOF2`JnF*4v&I-ivI(*EU!eIoMDcslhhY)jM?hq~U9S^<)Fi$bVqkPoGuKL9!r@?*#LbfP8k(GN0DHm&P2hn5YopEhZ^g$pj(j$MTP9mH6}dv_fE(aYv5( zScrUtd;w7l-h!LK4CRq{elV1hE@nNUb)6Bw8Zd?Nym&&aM4SgRPiS^PL#Di}Z~I=f zCa?9ueOpWBOmQ~;*WT$WMMV`=YiFGnP*N!>B!CwD!wdb*z24!U<{Yb`{`2$v2b{T= zICM-#LD5hw2(%JzrC}x20UMf$jy-DjJBNxqV99?7|L)(tcJ5eucgiv;4g{F7^rB5d8nbo7r z_#stn$4c*`){f;FF*>zjhdy_>fK^P)it@G;TRT80G`L`wafRTB1!@+MdC(KqGPMbEgCL@XkUT{XhM)2i!8Rv}EV0?hw6U!~;EN?N|x8=l)iZi+J zo}k@Akl;+Mcf>)$fT$q>I+~S{)b33BAfVu+x-|N$9nGZRnVHMDVA3zRuQZSX@3<@* z(F{JzyG$ic3;uQHBC&Q@`tlcHi{_4bV&CpnM@o`~_lzGkr@Kf|(c`0SL_1vslqyLA z#lxxloqXC+UHT_Xl@`uAb7(Ged10QBupnvmn6nt&^~zEmK+m(zw*86|Kwf5iR6@HJqE?a z+z6kDGieI!Ti2}}FX<{Ksr~UegHL2xcxbkN?aJDcS;>4HKeUz>yfrq*x6`)QkdJ=o z_GpckH-GpY&H|h5ZDFX{wCUENu+V5B5Eg}E+H(p1j!J=nBPJqO(j5zf%r$+t(@3g* z>&Mf-@tE{>=SM&E9OM`Jz^iJLoMFS0{-1bmluPHsdy3?tq62+J#`^4pl)#gXP{DBD zFNILoyju64pEO20y;Gkdex0t=w6tMgXZH}ML2zBf*rWWAIYI%x8JSpq#vbb>bA%mG zKzt&lL`{yEp&n~4F!FIy80}DPfB5b?FiWq{2*;@$lgu*SWh2=H@4_U4@w`Yj@mVul zxeN1Aom_TG|I3)yvqwHOskhWB^1&@xX9IusLl%FZ8)0*>JlLO^!|x{4bLe0RwBu}3 z<{VtFs;G3252~oXc2?DLR#cW0m1&!Z&|lu2N9JAW%s9EU4E3Ma;XmNazqoMT6)^u@ z$BLxYQ_`?3}oU zZQ!U+Hhn{24JEff{m~CzZu;#FOf($Csk5q4==>axu+2Cb+95!qj2w=xRLsaC@!VWp^ zLl*m`K_9bYziaRNuIaus4`4r)-q+8}UvbAr-^YR~{$3B8i0|pm2U5{dJ`bUyeJEmm zV3XOR+$iNhMcgP4q<+zG--XZB0HHo_(Us1L$s<$nxPxOOZDgCw#7po#m@M{y)ca(7 zK&3?^qEfNY)R_g8;oIjEC1XGmbHKs_F?L@M`!x2M2slkYHNBc99fRARMQ%%<0O7%& ziF8MmmUgowTu*9@U^{h81SRZqto<^S;x5Q|XVbEQ+t-etpYaxpQsy%2Ogr}>^r zzeIh4#VR2VW+*mi=J0y~seJ`2OJcO5&&B!`q)ERdDo?3DmG-`*s6KX97o2G3Imz8)r^TIGIk43nsj^ZQc0w3%gBA`YQ*S zN-Pu!wiDuGDF_qEY^>SH_RbstwKc*ZBJM{`JyV7`W!8JSZl8MY$OYf8`7jzU16rTW zl=rzyW=62=1fpFXM>$Aj3dO zsqFYJ&P#J&155^C&C}jqxhZ^p`)_9-ud4OX48f*oVDdRoItk^6r!c;R_Mr?y*=|%g zYXUdwID1kTJzw+k7i-=2-j_9-ccBlO?>`WEDaolZj2T7_)V#BvV2km-|jGBXJE2^r5lyiWIcZK?rQ 
z_2;WR4XYMeOQbD=7i2O5uS|UI4(d%#EQ6e;IgMxu*Mxj%j<7?@Sj)4MZVOd?hqVi& z@gqCeQV!S8JxW>4pdn<6{*{GqkKmVQg${f8l^Zx_*q}NjEdBhv{4Q_4tkzII3l>R;Bc>)E$X5U?BNyEachW?Kc7;-Is4meiRdNQ)(;@)Wg%m7hAx zK2SYATq=cx{%&#dFF#&p`p@eU2FyM42bQuy}O zB}ik@Mr7~KB?Vh%?%0sEVR6rO3p(m;)6)LCHc#ENJ%3-pibMOivnX0IT|kQQ$zl&) z5Sic5No0?C-#+sT?}o)2!3UOYz!pO2EJO|8gAS+ZUCUBLe@XdjbV=Y|D7uHPDp{Sf zN+c*j?u;v#(1*SwAM`;L$B95{WL!Er3dQtCupwN857K&@8H(^Vq81r_?@Ak4bW~8o z+3?Y+eTIx`(<`Y$qmH;*p1WZ=T(M$?8W((EVdF@t@0)uWNcw;F&O5$}s_EnJUjiy% z=RvxNiYTBwcAv-YV^^B=Dhh&tfPjirQIOu1A|;`P-h1dt2njX0Ng$zjLJ1_01ahuG#seFZ;G1IDU-Jd;sUm5v*;z$?~WF^5M8SZ1#DW zbwV%}6w9(N7TIHnsilQE71bXVSgY!e{x{l$vszcUgz_`f!|h*Q4F2K@V&_@vA6qNN ztZqG?D_5&S`P$#Cn{=lNbjGiW{jod5T;;>zvk1}?`!3rfrS6q3u*cbGM7E*x+vij` zwBx7i$(Nx9&;%$0^x^EmIhtZXJ)j{_66gt3C3hi`JX5sf81eQcqaV4bP7e`!D1rVI zl)~ag75QRnL|JlJcv;F#9RVYXxa$A{U&sIilGxtLM+A`7p4m!F!@NX zqF8ud2-*I6%Y>}3R;Mj2Rf#HLTT21$mG{M4u0mVUn;lgm%+I#l1SRkbY5nY z!t|e3CgQfN`Hm{Mtz*5ZTh@g%Gn48`<{r|2_pEB+MlCvJVo%B?Dzlc)%AwHmc~bOc zWsS;j{5kr)iuJlb)wsud9S43te9FuPcIb$kDPFr~-O4GOX1~U&U~K@CNC+tb3qS}$ zq(Yq0Ye^R{?yyQ(a>zLPrYNO5>EM^!DSRi(a{#6y&3)q0*L12)|*7}B> z(xl@%{D~aIPpBX9<6v8Hu_@SPt}WOa%*mf<$kFNXjUjU@$DiAoEyc*U3aAaQofe7* z-8(l?XrOreb`#*4Ezn;CIX=pJO;k6PN$JK72M`OggjgXKABfRVqF8h@Ar`~MJ6l4p zuQ0Bi%vI?18(BP9rUItjrIg+|S=c$OgRTSc1A-MB8Ra=~me>*SotYyaQi-!G)on9; zKqa;zF(|AjPt`uM7!RVRKn+L%v$f`E{OOie!4TPQ{ECN&4UD1MKNRP>#}EsqnBg7 z!8qK)gsiNJ*6?7WCK~}oB7ztZXkFU`4aJTiCejn1w^k!FVMtjNjIcRan0g&-5eS3^ z-?}!EhdZ!5Q9Dd4a%}J58zCmScvkq-8RPOw0hOgirRXnUGw30?sL1!Hqf$iT?fZlg z<_+|xnaNEru!JN$pq_##g4up55Q`)21@3}h_SuofIRyw@YdEjuV%~3{YI5SaV82H= zq$yx|9@cqQkFY&aGGJUr=>d)%?FZ2D&6Dr=sn;`))@_RtzIwwJvqo`-yaP0pq71qz zBIVL099THkA_~Fmv>_lXR>iZ(V*JVlZLu}TuP{V(@4(viTd0FCB;hYONN<^T-UEs^|0RO6fJt5X?JXx_3s(;M)@vUy?E97 z4V$)RMclHz5A(uTtMjm_wSOG_dWXT!wf^;q=6yATuraa>4uWkci%YW`RmiHE{k{cE z&P!3{SufvXqkU#9uuFy6&W^6&zv7QgvtDLNpaFB$ej_)rB(SJjmx?N*i&KDbp5>tBT7f$X z0jN%Z__nK>S9SfxAfPb-0xV1d=Eu_?B_2)BAmbW}M7WO34QzrI=0F_yWx-kv~s+wl^<-Klu$W8VXvSgrd@#Ep6a>Z@(UKy91wCG9GBw~+1{(1@ZlfdajrAX&f 
zaI1)ar-YR?c6&vtTfv)L-vPHW@M5zXtt5(t3ccQ0X6?)nBbG!V(*(eoxcAmTEK*XE z4g_~$U!Xd3RZXaMt|Fgvpf$@W-!)_{?0jIXHBuCUki#z_yUKRW-P=exO(k+tWFGIt~7hD)3j;xR)-_E{p ztP`Xy*QKt`OKOcl=iNR|J1jqJQt0lK;}z_NnxMW}fz~#W^bwi}O7>jiCcS%CXGgFv zfXkA9jia3`dw0+y-A@k%6cMb-NzMgS9`Gt9=V-Zx_En=zLF1okmb4KdFC zZl<+bXe37EA)al{*N(1vJ^51jx>|w0MTn*BmRrFlkXe*cg5}LA5pO}*7WzF7mN^6? z;btPLHXjMEgd-&WBgFb6FnjY(Z%rIhcEe=67mI69#Mw>vvy0(t=vz<*Vv17!Q#Q9s z>mK9)sk9|XPdFO8o<)@pCXCYhl(h^QATi-mqnB(E1IVU5Q~H?tq;pW^Dfnv%3tN+OYT7kGl;Av@9XEZf?|kG?TbJ_uC%kD}aLC@h;V}meh3!AIbKo;-r$7%Wc!|3}06>IWc$Hh&0j2T>(Cod`KXFBRQm$WphACVOAxb_56rY($YSn7Md4-FgVb;v*xbaXKKdpPV<&{vpZ5a5_kexizxY zwWN#twzLZL5w)A!waw;2w88g^U7#-%8mK`)_u(T?pjtLBMr7B0q3&>yqY*e1kE5f5 zD{^N@anR2YCIDT7;08}aaKEgPELDvc(Ws?+VM7JXjtFsNbQ@dKtUTDl=< z*Y3SHq9Jr8!l<_9Em`F|fBA%2i$+bG|Jx+LPD3U)=sD)oZo^;x`j^KV|D<@3<~wc+ zni;t*D3cSiQkCZJS=I1)>oh>Z!kCn1&qcqdIaJmH)FXAfJ=e1L$6W@0{{8TFzy8th z_vs+?#`(_oowsbx;+4b=b{&Tsxf2k$%@GlK;>3xI7vn-4(GwPLY&l@^JDrBU*`~uE zgDZgKIpOdAJO)EitOOJg>m)uT6Gok-BKSSRp_>t3ky$*fL(HtyWYKc5JJ?Wo)+1G2 z*&)spS3?PkE+`;^&0>~f{i79!KjKV*_aEXIuRs)XU7Y%jtWx$GJC6Fa&mLqa(xAQw z`%GA;tn$0@A#4-kU0+MeeF*g2u_&{)@TmjF<>khO8OGW15|x6;a!0!h#UsJT{!cQX z6i`JVe-4zEZpo+j=B*w9gQ(_?Dw$#~?fb;cZr@I3@HpJcgs*b~VSba3=3#Z@;gM@e z7sA(k%1!~lWVIaW4WbGNFB}&Im1Nl(>=E{+`WH1CYyxi-xD1<=ZDreZgn6MdTuDiA zXgt_BdY2K|>{9SU-~bWaxQ~Y~FbVxD=V1?hgB8*;Z|7`@U8z0@sx@p?5-~wvB4=e>&$jxx$Haxpw(JPq9ky=6=C%Ht{MT=~5i*>Ox&-G6R90`{LL+H+3(FYElyAXFN;p*Cu z@Xn)WKhd~{#=`^S88xsXbLuK9sYypLVZk836N81|D#$f@F{lDk7?MuNOi3ilYP6c1 zY&BV*a1gy>Q3k?Rki~E%W+Sk+th)n{!$AxRYCxR^XpiM%{=J=Ta{ZJZ}z;zTpb-!H~dm58dj zu@A_fHG0z1MtIpPZNRe0crx*Je&?+7j8AlxJW$PwZ`?c zd08R3e74rK10N(H0J%%5HuyqQybPWN z^Rn=)D$RP=?>phUv3?_FE}OP^?W&D|+qQ?IC%oC5OOx(3Yu6)=%~-G;?lXMqyrEO( z4xH%s!ziC_Bc`dV{h&$B`i@J##y0Caw#~2O$;6~vP=y^kcl#{yZ`ONk`ZcCm?=da< zj_oq^&u+t}sH^8_pP`fehW_a{a_Zb^bC*n?zYOaemN;8eH}B7ln?$pRNE@{;I_BWv zP{;n&!C_NZZ0-L0+*&=xRBG@;#(bHwUeyMzh7WiQNja;P!x}&^VQHbJV|}9E0~e>) zj4B{&vtp^hk|yklI%V1Fs6R>V!AkypPz6>j`+_xz(TY8SnH6&?Z{a={bx;DZ6nTm> 
z6>=8svoF{k^nsni8b+tb-eCvvQhwzrb{6}KjidZHz<$s&A{CGG77q-Rx1cIKw&q@T zclg?m5-vvMo;>8~iRzMHM_Qvs_O!)c;nO__bNN|7sRGt<}t{+NHI=?@lH8F2FTY5O2 zvGUo2N>9!%-fN=oI3lu@*ycn>XZxSs@*oTd2%qxnXOqGj;1rMo7>Yvtvgwq*k-g91 zQw2d{OTwg}9&Aq@Czvy!3vO0x*b?4>CXf@RA`7;E>C)LPU^XPwEt*E&X!``n1tbD7 z4T1nSq)qzcmRm_v;+1*F*g=mFIMhb{GX1G!E|YVW`&^_Ij7{%#8TReS8MD^}>~=(j zg*&ze1l>H+{ZD8axoPLl-3WbW&ct4hj}MPI;$D}39`Y2F+%11$)v?l82^d2ODXAnN8_*Py3QosbW&N-+Id`!;b$;zZP6xx;R zeMOt_CSJ<+jW`O?eHrC@I!^EVeeZB6o*(Eq&4bucBLkN@|kR8-Ga4%zJ(Z2U4D3>)Mwvj zVoxrn8REwO*z@0g`&9en>(8EU_+^E<9kd7r=lXisbe~m$8$$MO4BFwpC1~A-Et|H0 zgx{K9@Ql9=w?YnOST=77#N@PnduX^La^Hc&F-J}uIu*NhZ}h}PtG^vQtY-Trefm`E z-KUxge&TUnzHR;8e=!Cr1EqClRhfB5L}CpfK`Q|VXDC*t)g%fFfK$NiunpnKi=dPh z;DMC}a&_IrB6Zt+fG-A*&`#2>k{oz=1((u4u);|#ha!$<5sp~@@{^fRo_)dYKz+?l zIlb{d*cp3=C5=@VeK?v!TA+JyJ)|w7Ke>L9>mB;fr|}|oboACXV5o9S5b{_bdIi;j zc1Z&IQR0k4)O3kP3pBm15%s2~dnBTAMwIs^_RWrC+|J(($G@D8M_l0R>CRTn?5Tk= z%ja}`o4*~*2zd-;ca^Jvuz*a#7U>`IH0l^6+bf)kTE;gxB%S;?vrfjYD1oNa> zDp+}twHwOw1#J(fSq`7{NB_zrG^kh=H|dY!iD3)ei;&c(wN(>}e%Sgmk0i14^G%vS zMxZmazi`}rAl{pFe79;tl!u-4gJo)Wt=6K?XFrZZ^LwQ_#rT+z@Y7XK1lMI0|$>EKe5XZy)h)*Z(Z=1`Tjj7ENK4ApYL=U z@}Dm|H17Dn{{5a_IQBl0-m+8}?KfI}uE*AG;k6d^m;F)Pv~RjO*r4KOg)m>N0oaFH zB&-(hsCB6BuvU2;hAOO1oR{`3E#_8!VX3G9NKnwoOuQuMARFR@KH=4FK@%4(;ub2$*Q z_1KkcHyYu>?8}*uO$sg-BNTfdq!XNri#-KH)I@*+4p4YvDoVmn$Y|^TER0^IT&?zG zo#Uj6$maI#gazO!p5^Tn0CeeQ6{}LdnLNw=L#yQ#T&PFruxo?BNcj9U6Yr{2_iMNG zP~H5p%Nv;OIQ>FrQ2Rh$2qwRLd~y6`9?wF52rS{z`ae`@+Oul&UQpw2hWU>y z-spoz4jn!Mj4gP3D2VGE()_mhGI+*{ zru`?q+IGNGO?y4js7Hm*yO*lfg|TJyApQ%--OG3~=`kw_(^mp=jZ4D!Kh^LsBb;g$ zjJsFy3)g97yK2|QlE1)TtYvffzvtV#G6?eij-5xavuBCsVhtvq`N?Kg@AwgWYF z3vT;hyUCta8K#Iz9e-|5sxu`|TqpMr37^_*T$(3*3fct)JJDPC6fwG?Z2R8V@{|$z zis7ha;QsGTLZ2P8C_Gp{sn1QE;Xaoc^2FCTUr z@$INt181z5x?;=fpxtW&cdiKt^$*y-e(U!2n*%oo1OqJy+7^Npj0@QWYtDv^`Qz=C zE3U^&c{Lp{d$NsQZ3_+!3EdgGW7nQA$BsSWdn5Pn2;UbHzCSeb;5NsBMO$``nzyd& z*g5rk|M7C0U$e3?F;=*T|Io7rhXepHP;Ax!qpBtjx{cD9AP=^2(|@8H?D+l5Oe?a9 
zo@;9XT>%O@DqtA0I?38t6&#HUWTim_1A50xt&Qk1C=)0_CjE9>fp?*z1jmcfmK-04clOQu z=Fh{EP^T-~g;J4;@9bFP%usO`J@TEnj*=H}W>AZgVYzRphx6R}zTLd63+Zmc~ z+aNjo6FdVnM>$b0{iFDIJzi+k;eW$^eH>SPb}KGXwssIw*l{RHupOiMnKZP_n_tvJ ztA_FiS1iZ~RKoTMe_k{LuVDnIt0-+yyr?>KTZ|5yGRPPEn*N|o;_dvz$=059Z`g@~S`4=*Mc!d*dJU zQTLIJ`c1%BsNGPXo)hK`n6`M_yfrgcZ1!8dW$TWxP1|?x2#Y*&dB>hev)X07_wXIZDw zv)c~yZT$1Z+CPn@+s}X1|EZ=uvtmrPL3qAN)84(SF=C9{!IdQXw5zdH3B6$_<;UMW{!;ZwN!!lypWaG@e$qC}%D z;}xfJ$Ri3!HRNAscqt=O^mP*46Membak!0S9K*SrtS$u3lCVqjMZUhV9QWBSI$MR* zR3`w}@HHQ+4UTCkcI$&S%AC~>Qul#O5UW!m(u1boAG7V-&LhT~rkqZtYqoFK^;KF{ z;5}`3mJ!_xUxsktU8d>Vcvov!1fB! zlSuqPAzx4@>#w@=(3~H8KI@h+K3VTe4*zIxTp#2PJx9ZXmI?Aj=K*P;n{sWZO8r(u zp8u%zr>;MFxbtw$&JWk@g076KbnWlp1zcrocU6VDJ%6v;bDX-G{5)~c%oRgtuTs~@ zIjfegwx>RU69t9G=sLR4ck*Jh5n7Y$!>%KgUlsqV7xAy^1L>mZl7|lS6NbP3eV@X* z=US~y&Gv1&zQ!mqR*V?q#^|{nRREl19<1K5rE4SHY1i#l=1U&fk_=#f)7g|JH z`!-g^${~m!-9Vd%E)gzcYYkPQI(OA<`!Q=04y!tklN2qZGei+>dj&!|ctTd%f#B~H z$RU;8<-B%u&!E8RB89=A53jkGHEesAhd)`^7-w1VJkGUe`5Orr9JFfN#W(j)C=&Lm zOA94*5|j#g3aWKXx%xH|YL<>mmqJ7prvn+efDmABH*zro#tNdZ6UgEz(ckJh-KPUt zm|>SVrJNmSoI|!+AX0Y9E!707bsitP<3Mod-Ai8%oPHky3x`|u8|*&JGzd6o?Dd6K zA79$Dn;&Gis_l$AB5d`0NB0i8diemYB_=0>i+k(a!HU`-vk=DCe-in)i*kr{<%4W_ z4yY25X?o##V;*Sw?c3jUdzG^{CU0J9B?u;!knk7SHNbdKP^v|?KV=Q8(0d=*4FCzW zh~p>+%F~!JfK! 
z!k=_(4*xpaW|u}JVUt1uAocnJW&lNE$L&~Hji^nh_fLV%T~EGfZHn@tld%J*uXwD% zk4RWR7aDbZclr3DX#Qah+BRXOCv17pgOQ7hZkkeP#>f)mhm>10@lLpmjR6tn0`oNV z3UvwvtPJoeI3S{vTTUdgLnS_8@g1|oof)gQ^`(?~mUh1B{)#JYe7RX;3{u&$DjGo_ zg^MVX;K~U_`}VE+c)c`_Ez(V{njn6i&>!Rl`T*~Pm}79!bzI+jBX@2Ys{$8+j5B3e zDFjbe2qVl);Yq}Z0g_Rl@MxX3n5CBgQ4IG1A_8F{vJJlLpG2_(Xz@YoTCRi8tkc`f zludS~1(p*c5_0|F)dD_u8@U25z@ddcP?=*G)v#uY>#mPI1~Mlx_!KhKsDY189#)zH z^_f1mizLU_=&8A(Tq^GnQN-XaYZzlL`7>vIeUh_sG{GTP-xX)oqZi zY`cIx!ddRPWAw4TgY(2xxdPnsf4GU&CvTt-S|wfwPz^=@SdWJkg(s z!QJN$$%U7hTR}h36E6FsXoWiMY~=C%uWGITvxwCM=GwmX4%|~t*VFDGV^_5XsIWS{ z)}jIUMr|ph^H59WUj`%Y+T*z=>X95a1NUz0Kpy_Q`K+oFX*64Pd4vA*rF;umZf!Y2 zRM{}O&_}In@=;IL`wCDBR2Nc@s?9o39?A&vZdn!9B0O*rnrzBCh7`wJdV+t1_|;~S z!UNPCs$=*mQVgr>z;cc{4Gu6i#q z{)lbwWcw$`y-Ts7CnCq`ouvwKr#9!IwQOIP>k7{6raYzeeil9@_9;UA)yl9>Ax}A; zPeJb&TGUJM{{|yqL_=@M8f@iOubFl$Ye-w{R!S2%Uo?TY)^3&S#q90@LS>=@i9Iy` z;>nFE*Cp|BLSoXeSxa91vh!07z63SVuWwagROlEv({c_6pMdEB^py3;4LO3m1FldM zgEKJpEPbpMo4DyR1Jj`$q#hz^K*Tgo&qfJVo)MC2A<#k7RHy-K9nRr&2}KsH0g?#& zK-WYWbRWtnc$~Ge=Q5onOBVzXMyT{cfFckZ4evxy`H z>tqU8JUp)IU>Idxaq>}1j-C@E-O6Ek7YmHF%8F&(vOW>hwi5njT^$yDQv4A#5-Hab z)Sh7FUpf=SF5su+E4L^jjl1ob*L#wJ%9N)hwZ|V8yZN4ROrbQ{rzx zrM;h^M!*QeCR@&kcwS4*h6)lGqcwqqv{fhzr3nOOaT_#&d0pQIz@**F{=02fNfhkc zW|i8r;>~@VTkKl;;`Rm4E*W2H&X|W5jk|Bj@Aqt;qED@b+3!jLg5xCY27&{{;BZS| zTmA)Su0RoFDnY%UMpeQ}aT634)MMW=@mN7zLb0C}Nu(O4d~`<;(&(i{F{xl{(?pB{ z(YEPQ=O11~92h^i-0aaMpvE1#zw%16hB>iSS(~EFc^jJuy#hQoXUv17%Hl(8b@-Fs zLiCV0P%+IM`LEBv`5=eP$aA%u$Eq;HO&eZ{-U7fwA?6m(#zz61m^pAn^)iwT3v5hmj6uK$4v@?L9Y{$yHVny8L>9hir#)&P@& zlP^pSksQ!CtBaM!pZb7=OD~)YK7|;_Pp~AG4HL&|FOsdh$8 zQ#1Sg>lqX*;`x-Y3dTM!H2v?!{fhM`C_OKSNFE0IUQ$fJjAf zT_^@@1>1p2ss)`P(G_Ip@G6Odi&TYS8iGT8Bqr`#>6o?5p&C+#ricP$hwxCC&aD-= z16ShQPBj#UynV}*LL&xLf^2FQX{}G0*P(>uTilXIXduC+6hVXN*`BrjiNX_&C|?2S zf^djRi15shJp7vPtm@&^oTmHASR4b(&tr&43sDlk?|D@b*> zgGOa6ddvbrA&7j%dce#F(?_<&U-99Dq)N{_TGR7Wnh`+xZ zpGudlN~VNAB2u#k&tRP-T?iUr?3HPDEA4M(dIzV(-~Kh6T@Oz0_kmoXSJ700T?_@b 
zorLwTt_8>!{`=_bj;_52k0-P-GzbMC?>xFD1=)oZaL}bqexd-!fxJLcU}w-A*EZE1 zD3!8R(GK_rT827VDH}2xjUbvOm@EuZhK*h^L07-3j5f_&#_%$?A_f$X49hf2WRI*U zvuX;>666m0He+PT`t9HIz=^W`Dc@ODt#%&~tAVfJFkp46bscK>6f;gu$AY`u)?}1u zgbEx^vKkNqo=`zvx1zWbc^I6?B{GaiL;9t_W0)-X2jiM=k@+uDgo*mj+Kpj?Zob z6@cHxe=6AYp91fP|CCjpYG%VxpdCt)kQCm~NqWh0%E(K3-Y~e6Ag~~|=uL`qJ?C)z^kFw{FZdCg8cI$uC5VZB5SjxiqbUxh z==z}Ha3u&A0ti-bhzud$p*hNZhDH=|+wFI!*5~M^bOFW$QR0XWG2zV2BOLEFaU&Ht zCJb!ux;~6XovZ0TQ55ujYk?j@h2Ur?Dy{cbnZ^lfihM!KbIvk`OL2SZjz7X(oRugV zYNmA2V)nEo$Jn$@839}1Z*N=Ws6<8Il4Yf!d3q?tYc+NsHrFDsB z36rAE=?(Y8`&e&CcFZi*^zxt`+P@h1AbsG~sGZ%eXKo^r(^cz2qA6a4CrF-m)-8Ha z^nS!mQhvV5f6A)&Beh4mJjEG1@)hUa3PzMy@Ar4+Q|a6aKw#<2nm|w%B)8I-z&@tk z3QgctiD$wpO1XTC7Hythb7)6Thz1m16AFd4!s}|+;(xonb}o7*WZq+I{}cyFb-_(w zJ!oe11^yXU1u?;W2^mT}u$DJboP0kjM^)QcwDqjB2Ja{S#x%-AWgOHNQ~ z@xWMNF0{r6f>Br56}h9=9tEaDiCyXuEK{u5or|iwUC-Pkek{z+8pjf;kk2_7@ z)vbC6+H%E=?DuHUMZG`Zg*glP(z@qqGpf<|#d79U2xvX{;VCto?~ z_PTg-!~U&bt(a6w(EJ)wte4p`n{J&-S`6GD@eRTjKmqT|B8rm3sRyb2K^5CR*!IYXpas9Zh!0{fM9OzSc>hRJpG<6gC;TEu}7n(L5`&-4W(K6hpc}CkI5_butD-^s|8?*29P0$Gr{;?mIPv%=Ry z=RL81%U2gqtarPfxfy?MSFm3>)QKwW5}HGHM38Usi?_vrH;22J%nk{g%y{W$d_NU8 z2}?wppRWb)hddSWLQ2?U#_m#HD*lfe0l1Zu80@Z^z%=h*9Vbx5V4q`VV=SQDD&=|- zIzTW{DCmGovGH*^IT|+9?RL3(DLQgv6Dk0ErY2?xjNK@6AZuh%_EBR zK_Q`6yXO`eKe+r8^}Ygd4iJK)J7L(ZBukf}UHnQoHQs_@LSDT{QeSbww)m4%G(-}` zBh?5uSE2Sd^T*ytecgg<0TK#9<5^DWS<`BXkN{!iz19|NS|;@qb%=AwFajWawo!A> zyvg?KjZ0O}HfrHFTEHr}6cO6d+FQ!>4MQQkUf<`AvOpo=*uGBHQSP^VK8%2}e$cgm z9(CFHqQuw-!%ux?0a!T6VkmQgCuf=fb5cej%)5Z?(N7eou1#@=H30U8^+3d@N9wd4 z{_A7pkOGRMBK0v@s#!P@{bzNt#%R;+#mZ!TvP#WI3bAg()_k0BevjL=9ea2_5yq&= z;xr}h!ZE>J*d1;w-~OBA^CeFr`KMI8bbH(+{HN08DW&(r&hF(?|0ph%{;@_R8?d~f zERd`<&>}7Jk{KsZGKLH?W3W#)a|f?Al8+gww>Az~&URGF^@QV&F%JJ)VXNMW@UIhl zc#-pZCa^t@Cvm3(A~!Y+^eIN#JNN>D%CkBWyQM$egf);37?BO;0;NJjgD11O+qmd1TYJY4DX zHeG&vfwJdLs#rZxCmP9$8Vg|FH&d_$Xl%&LLMSA8yS0<5e0I|VfTAZ1DVr;9b%U&` zYJ)FOrSe|4uCMe{$w%63L|4(l0-IzyT=^QmqQ_HwoWWt%Tt8Fap>fV3Kn?N5CZGp> 
zfX*`)I5;pVyn+g1QY5#OB-WHnG)xmZI@hUz-Qb_atdV4-amRPwZB=K`FO}C%DuT@j z{T@%z8W4A6Mgke>4&5DW#*mX_V;m`&H!sXGE-yEd4-`yp#qLT;NxYVL&NcEgc-?)QTL#ZA z0~Nx95*vYA5}gx@K^@M(5GzzeTF!zP669ydFOL&}XZ(=z@C8#FX*Zop+fjZSc5B1u|9G>;GuPY-uZExPrvB=#@1^BfvAFRnWkWl%p;7_+6ZNS;xvLLdCKrob-(%Gw_hsb;HIXAe~Dal zZ0&ulJ*M9FV9x(!vRHcveZo&?JQ%sL(UrLUHon68XBVVgE2!9A_!KlGeznjOmCyGi z`KMG~5A0LKP5L;KJVomHu!_cBFOK3L$e=QPGHbx}w|YL4Y^7qbOU96n#<8Ae?%)wd z>?Gs-bmP)uBQdJLax2@moRo7*@;9Z@~hZc6@uopM_wiQKqg5Ne#bXY~`NQ3_-qV zLG=N)V91oPl*dU#JavJ*@H41xN9`_)mFp z>6vKuKlcwj=~5jPGDlw0`K`W^Y@5e=7^i+U&I~tVCm0vtRtt@!u)m6faCBfhNG{&N zZpDY36Njv7BD2uA)-^$$7L2`*Y*Q4__Mot$f_@eXLrvr<$SD`t3`NZpt0H*a%uyw% zfH4ayL^>)?^;7`j?n;n#oBVXbUm`w{AC{+dE-hVw0-^`a60}x#21OPMOd5yHDMP%q zK4mHZ$zDIX$d})}?v^*%ZswU)HUIW)3C*$U9=Cct`liO#ieX?F;R{H$Zly>>Ma}>M z=ASD0!aNKepLu4pufegr~Z>>j1WFmL*h|Hc>R3;xxC5s%O&!Xqnt#wjY?lCQD_1` zkleus$#mbrIR2Ay@)zM&XaA5e>~O2Aqz}$y53()H0`ljTxTpZ%dmwb4Ws@Az2e;KA zL|8^Jk;4-ejl$BQ3j7OECH#(l5ZnUQAc@=orls9h9ljAYXJ=vctz+lR9zakNKd*l_7VMFbrZIw#4&VSR)n^G1Y(HzuzKR%FE+~_ z5STYsRlQM*RTIQl2u7gas|!h_2{Umc2r^bIIv`0tmH~HV0bu#~2_AtW4vbCWF83%G z^$NxKki!+=#KivSw(DOlax@NZ}o0e;wmM3*lBrzn1`#rv@9bgki_!3K07`u z2%0_6=T6i?H=A3*i8$>;_n?^=K9o?PxD{SGsDmJI`xih9tDCS}(nqWVxEtSyaRk<5Wl5_3p_Qa8DTF(iejIwM;0N@F zfZqDPEj`PDnbr6@AMYN9Z0T?tE#u7JEd0)9d2k=MIR%~sFDy< zcTyF|p9>(9Z>K?`=Ye~)Rj~aDJ^`kN%X9UHEtZd$lMEwsi~$_dgw=}$-6nFP^KMgZ*4Elmp|zYl3jpL5j?GIAV7~i<97U*>NKvM zF%mW!7w5|PHkROiLyQwY8%KW-dUD_kISEI-Yb7{N$&*;#*yqjb;hsu+@2U|n_K@kG z80=N7i^qt1!-%e99BghJZYQAvf$N+h_|j-`h!9xd3gg;|+p!ID@y=^W7s6M+k8TY% z;g&Ee8iMF?TrffW^ne6?A_ zwG;0=wdsC-<$OMM*u$?hYlQs^prF-6;@VG6`_NA!`2d-K$aChm)gk5v_mRK!ecrB| zyyzZ30j1DC=>nevws6MCe^vFEF(kKA6=@JB4lT zw~NVaHt|C^2}p)AJ)4|KU|VF)LShw+N}!u$)B2@3FR%_h%(V(6MUq62ejYL^=3;x? 
zysGf2%PS>}0Ko(Z?kDn8U*jlA=f5!ywh*ck^=2kgBYEe&c@n+sC`Th;ILLHg#_6bR zM7(5KMQ@nFmzo%dzc!AL?7o+AdXRBulyPp7abc#IN|T}uXY$Qk@;Bb{)%YX37QYZY zqexcbiTKM%_}RN4J`gB$U+BcFL^9{3hML40Rca`NEJ*^gj9{c0Bu>#fge+=8t1$@y zcmL4L3`h!l(yZ^AE6@vY7Z~e5YV#RRI=GZ7<9=4%psOGXAlEdDq{b^?J=Xpw?-o!; z%yPRtLI^1;^Ps|DTOU#Hf-k^!TXcHUCP`WU%q^>`-R{H9Qwm$Hc=V$^x$LXZFg`4AOl@d)B`X6&W45eAk?A$HSO-@X1{GaVIrQD%Yp`g3TR zC+kZp;kR0SPE2)-Xo{1nW_g9am`zMYtR+U9n}iS~T%q+XIWNa zq0KE5$K?S=44=9hfB42X#Z7F1^uft7CWvB|aelJU3Mj_$-p0|c;yjfWG|9rJ2<{jD zloP$5BS&P)Tgf{DY6J|jF@{w(B45tLtyCCxNgs^M6(IHj#@UhSu)sye)sO<7lQH2! z_|7HIaVqBg>`F|1)ve!d+IiLU5zjFE7?a+*o!3v!l6#GhuNDu>lu2Qj1+m7GAw0SDNId0T+`i)RL zgaza;WF-h1f&dIx{|br5`a`fgeMc3*R1klO52ruM?aNjHnhDXyVpXP=WPWse<(5^E zabD6qxrkH<6p@R>TbBN#&$RYm^@`B+@Cd7S5@RT+5?_I%@W}ujt&Gg}E&Pf0425cs zo;4n=`*pA0)roqV25pIa#o%llR?aZI1lT(Qxf=nNj6vijKsb?B z*@|TM9|>HCbJ3A+Ghl(S<0Ttf+QW-uQaY_ZHBW#GMHY@DYCGR<`1NdwtKt zcuOfq9z~iofr1|5$OA{CnkxZxdj|{vQh-T#MSaJE&|Zxepk)ZJdXTu;{*wy7*tD^E zq_2w%rGVC0pwLsj(4=Yk+TRTQ^>H3?tESU$hw4&?NEBcdC|GSeyd8m&n>IZsoJbjB z5V-i2s6o0lRp3G8X7%aUpSa~y+{_iLdZ$$#UZjE)+1^EpLw-^{!F9-0vfx)_BI|vu ze%yq2sAp}mq^*4%eyL2bqYAa#Rd3jG_Na%V7EAb91X2Xpnr%PkTb`=l3XzIFaG%Fv zB|M_8$VGQw2@%K&vx)JMn@Ck|VfME7sy}&<^}{M6!;98%>c-)=C;SP1=w6m5Y%=SX zP!(}!0t&R=4+=nJKXTqd6V6RE&I0!PRZg~04Cn^o1@;q+LL-d{mj04KQV++&UN)6G z8ttuZ83Dsl(i!=v07o;HmI-19v~%za0q`9AQH-RRN (Y+D7iIG*oZCLbFl!V-y7 z3CB%LIV;7p(iXswSOn0^DfqW0CaM5QLE!_Q9AXQ+8S4qa@2r~QKBNg-23(1n>MiKv zfDHf`Kz2|Ea#}zdf*C<7;YzsY@CrmZU}@;(+IN4M`^1hwLxrqCj2%Tqt$o&I)LER& zX%?o#ncoV81IG@9jN4`xDyhtua$*Mx!Z*57dkJ7Zy9hBQO4sa2Ph78@vns?!K9hI3 z`g1YnuyrsYSjPzO;2M1hB`w{vhF3!R;EP}@$W}apz@^8*R$#;!H%127A?80m;fpSB zFg|=5@+J;b%l;^aoW=dVeX0TAgs0E~|I#JGeK3hi1m-3ML_+42@PjNB+l$nn%sWCZ zGma>9cJqUz!IDROGgOFbEzvjw%Sxkfbi-{^+~j1%iY4c7-07|PxEJ!jscWZUv{H6Ra-LwgmE;}P;$ZTPdu z*IoaM|LM0syre`we&y{z)QIW;6|K>@1#x>oxS`_9imcHl91y|?MTO=owxue=SRt@* zSlhF_T}8AI6{y)y8=Ig491x`9vyI({vCTQFda6OI#lPQ+UCCxnBFZc5l24-#5O8Z& zFWp;ljt2gb4h2WiC!ym_Jtx$jU{J1bi;QO_=~!V#uSWVO%o{5a9T{OpjM?eew<;l? 
zT6B5~?*PsrN>)OPi&RAg-A*ETpyr`(EJSV>HFx?aMhROIjGj+`;eu?ZSq7Yy!)oCe zprUE1g~WY=3bMNRa30i+*b4l_i|BdC{K^+kZOo?~a1)wgzbEaNxYieE3p^Oum4N-o zJk{NFo@$v6_RDadBDsTr{g9`;0#&YQv-bfvBLFNg1rU2gbtB>x3&VQL*k8+tX_^KL z#9&IyNr`Bo;x8?dw4MdnM>sM5NU&dpfN6!njM)f|jaH~XQJO*Fk%IsjKu95&P%x6Z zBBy}0Lt=tRj&#(YBoGOh@(dIk7%x8F#1 zLRgzhZcFEFdM#Qb{bJpAAJ7NaE9b0=5D;sCIA&&-e7@>4_f2?YA-6r`SH_vI;8(h* z!hH}h3UQ3jgr~cmN(SWI)(03dpAjWBjd_7(@k?sQbi477MtVs??`>QHMFXhB2^6@ST$XrX+Bub(ZjURQ9d zsLd?`e2XD3Zk zDI&MO(!8PSd6`-r$likNsdRdZOTs~zBSru@^w8>im=P1LktR)BCyv&r$(*XA1+&bv z%o@Jiyo)u!N`Sj@Bmj!3CY{Pri;FV0tRK2${iv+U^o>&u{(#|YKf8MQa6U1W{B8!% zDbjgd2~6|w#cU0qIypd$Qv#xBZ5(J~M)rHl!lzz#I-Yitjy&pte56s{ro1DdMu2r? zgqLnG|4pQc ztcZr|eW(q@7U%*teK2*j0M$ajhhh->1%AGqnW62l21pY}ci0dbLK|8G$_Bkv`XZ+C!2QD|Um$ z1Qi)dOX^^kfxKtMst_U~Nm6WPzXA#fE41c^;&D3mYriVwb;>iVA{l+J-qnclYwa-M zkKhid%iuK(BOh)B_*rYhQ>dwoT*xd8I3B^sM0}}RS7JglVT59oe*L*h<$A4Ew_&xl z+J3Zp!d;Am5=)tVh7rDiGjG}~m?k8oHuyDjWV12R2hsPMzoOBlKd?(v!YaY+vj*sx z(ip=H=`$^u7O@<0DD}PA6P1{DFy#AdNd?t^3O+^n+4wb?J*WDck^MRfpNb}85|Pp^ zNi5^j|#%hmg4{3U=E_y~V5sb^4Ai`NyYLuQ!4 z*a>f&SYSgiT{ylbbivakTO|AuM_EO_tQ0caGFB%J%*wGBQV+-Ba1KTtDFEvUXm9|} zkY8Gc9YBz|Pgnyen6+hS9c&AE4f>`Up&hL4kUGSB{D#DC(n=pN}XM8DUKBOwXQJbQ49bJH%z$W+#xId3DjG!729vJ~$M->=q z4ifxCproF?s)P2Y+b=e4(x&Tw=Z<|q26HOu-5+9X(e=?37h{fck8eM_>3)tG)&@C{ z@a?<~M=)kk%_DQlYGF1{Z+rlWiE~9-BQp!L5)iLkk@nU$-Ii&YSDQf1Lfhw7I(ukd zeoI05*IsI}kx2Milzu9m$7mxhJtC1P+DSCF=+84npaq&0`H~Yp8h=yNE6f500~NoLVy63q72+DAyzns6}Yq0c;SWgI{+$WTlKcpIPM&m6L<$3Ji5J3;~z={Ks_3ovNZ zkK2(}aJI?<2uGilO^~2`aC2q~QH3tSQkBU`w~2L$;1zu7?9mUk?EEIVs2Ho?2Uoz) zni=5(Ialy6a|DlLgyHFE{1|h$!=k2%`C`_15pok2D;~#JSFtDBWJpmXGeOKgYe4rT zR|O6;=nR>u0H3?a2#|0-tbl^j3F{|HzaUfTH(fj{C7lPJQ&taOj8m3~NfId?5CzUJ zoP50G)H?#VXao#Lu~bsrMpz@U0}FgzB3h7iMkTsZ!PxPtIID2%vn5YWQcS_)RB1hO zrXu4oRGq4`iANFNHo6C3VRBoV5}Mf=L^4oBdEqH3MP5)J}r^N6Hnyc6jOHVVQ4Efa3SYbV`B!jUn9Dl8Z$?nsbatICeY(NjUm=>x_f zD$oM$P>5ch$u-IPb`+buZr?IV??ty^l=@e2j7xqmPH?j>Bm4 zF6ADD*Ry_|wZLeo4D$3JhQ%i!fr2DQdWB^m;ONTSRB=L9j4w9!w@2_wW0V*xMvO-o 
zJ(vzdN;`Ze1|}p{-cI|v1yvAu;VkitR?|d%W{pR9wYnG_W|j$JmYHj2+}1*_{)7)I z^<(J5suxbIXEhesonj;(H7QcqY9yytr~zV>z9ODY2`g)a zJ#>pGl=n5>5l9~aBl=&?aMCi`fEFaW`cMRad?+LsJIX*4$9`tCWKt7lAlXAgjg*3# zqSP?1C&wKRAF*?B4Z>DKi->H1B_gYHzGqql0fa};0(K%u95f$ltQ>7n8R4ai6$2Mt z4&;bho}0oTf?-7&=+QMHfY2pQ?;PWi*SL>5OVLkWgc!w7iuR(=<37(qNKw0~Ix|N- zL~0Kxybar+`yld^&mE-PMbLoL(V%J#DTWqwWL+!6%Ar(+L`Do)ScZBR5{k$~n;$@O z!I0;cWmA)WGFGVafbgkLK*PotAqw#)43s+b5N#e_z?z#dCX5W@!ziIMq&~xlG{hs^ z2PkfJ9MIpc3otcAJQ0_c7US*A7qbRKVFqcCwPDU_Vdj@vX0G*vIWN#9Ru?T0&P&$Y z;u^=phO+_-E|W^RVqD!NyO?llsQ1~|c&UI$C+z}WmdZFqlmN}4C`7*O41e0#TgD5b zNT;3N|KI8nFt$EmM3i4; z864aem}R=bjKj##J-U8^?GCF5F3E~Qsmtm@-M4quyR5gQgkuGlNzt?Gr$vpAGM{YV zDE8CBC86~DE0B#Ty}vRzgQRAo`F#cm+gK8-3I(pn*szNF1sIP-c(=+@vRn z1{4sl_~|8y)zImq)}NAO1nrh9x1u#Lhtx#;fx%IL@-xdf&Z??4{DRhyad-uTLm9bG zDJNY$x%hD22tT4)y>H&5&%|S=j6j6K4UvkWMjV3;!C1M^1-BxxFJGz#L=7F5DaMLl zc?F}#Pu3yLb6LIOstGB#LIiitDZ)x1+&cEY%q!%6R*smW(pL!UYX8>OS1(1Urlzpk z3hZ7G1aFc<_H3pY>HW=cNu7)%-$+=$XcwhlqaXalj6F!7K|Io19GCbOJ_L6&z$)C~ zOTkf~h*RuC1v{bz{Ig(Qc-@9Cyh}L_TfZ?M%e;#j7eQ%BQ5AdE?FupZX<=lj!#jJQ zKep1Dl4MWbY|c>Bo*n$uHrO6e8VXoFYuRqgpD6^xglu zO*F~-TJH$B9|0ruUW3#j;VxcRl1G@#jHWX1NEg8fDK}xkT1=Be8je?q5k~5@g1Apz z`gHc-Tx<%+GH8&{;aD&3pyGqD+u{Y~BRy12L5&e5Aj^O&Q0_tf;3=3?&_Q8{L7ArC z2xmbFrc(Yyi8vkYrsHKOCT@AfMB9AQiZAhHs3AaKxm%snI@ z;VJmbf^qj(F*7<@`4r_G!YV3%-g@4c`;`KducKw!$CRc!%-b&pf~YUFZsMIF%;_6F zB)Qe--yTujrvI3P=qh3h&~DdR;A7Dl!lV>tPYn@crOa5W5k`{nWK|g;g8g? 
zGyZxmC}0K4eg^jvI4c_+Fa1p3Rg#qx;B)txgMNBN70?3ONas}}VXGi0&Ld1s5d?)K zMl@s33WB1I5#3Psb*5Y%giCtf8Bx&)D}CE(k+%ch5%4?$Mr7$!6x0#bGAjekpcXMI z9y@NrBxl6&3akY&1Bt?9idQ5MA>1Xw#0v0#&XnZS(bI$d%0a_5j7^hSTLFp+NzC@b zD@PkI6d{EOs|&jr`YWU%=s6~MIlky0gDZT~{S|^p%ozh0D}+6Zn5&8fK=xq@sJ0MEp#Ss}AFd}p zPYe5C;ttSJy)NsKTx;82=I;kiI7Mg#)pfsV#F9XMh_bqBguF&s*Ek8!8q$Nw{kST zm)Xg72B|;*CG}Ekf2?Ixk?4nmXO}q{HL;-U{jeY>A28xq8*wVjJh75S7^i+Sg{f{P zg5nEne%}x3!I!#*$u* z+;x`%B&K6*1h2-bF5*M|5>C4bh(@dYGK?*tvQB_EF#e;1B zLU=K<&IrvaMZ*7xPC~cQ{vqJd0s4=U4atHu7W_2kw?``0ZEIyxs+>bs zg_Jb-m&&vQL!`|eeuW|6=;i1wz;%V7pbz-!uAESm0)mek91wT#6teMxNN3zIu2~s@ zDx;6Za!2PG2R;hfjget|tiEQ{+nCn@ffZG(a!yNHO+uW%?;bn{u zvy7V5b--1xcoBjdQr?b5)i1|}aM~%z%UhHi!2B*PF)dS51P3KCC_qsBl%8;kn0_Rh zeU+B-S4)uZYFsuEjZ=<2s@N{0^~2 zOH~BNgD|R#gE~&H)=L=Q+_YbLN)u0z9>IQP17|<7czl`pV;_X+0PUt@ipV2|Sao{3 zOV$EW1gVVV0-Z<9Q7xl0L?@=8fJi0q2wp0wifiRP1|X?Se(6_*?}bY;AiM}(z*|7g zsh9G0`an-mIl7H)NaA1s9M3O2*6@e?yhA}~77oLa}wwM_T$XcmX%X@s2p zG%?|5fo4(!N=iO#TwakbOieTcq$^>H0O{>z&$4rgPz}CUqo*Vc#S5tYK?3KHGI*4x_pQXJ=KADL7=_<45-n zzLs>c;PNSf`JFYRqXYAsX~h0%oE>Xsn{1d)V8}#f%J>0l1hy9u#(=K zQw5Fudi#^B5ikP(&qM}3VnkZqgyB}NiFk#^TSBs%aV<{tF|Aj43jdzwdv$r4adme= z1_$B`b2TnHd~HpLAr^Bm30V=YoZN>#BmU^ituJ!G%t3e896+g|5;Qr5roD<{lLd9-alohS>%A z7AC4*o>^7%PH)jvLTE`OBPG6pso*UTcHWq+^hX_%tq?5=fmAWLv4bkinEliCJ%RD@ z7p^8IIl%*1{zF@fXWZ^(|D`f|QN~RTpxd!UUekl0EwA)Ep+F^-Xtrm?8}S#yahtMq zs^Aq#gi6q}I5SWZwqvnO4K&z~M4Mr6B22~9mzZf*%akbnK>862v|z%JTdxv=k@;h8T2@5$iusj6aku;X8FcZr!%co7VK*u;7D`1yzG)JOJGW z<&OM<>M~nN;o6>uO@<|4bvOm8GaQFU53Jat)0_Wk-jF~ za3X3`)4=KX0-}K7X3G#g_s7Gp%saD>L6DWOb5RYX-E8}IJ1YR6xOUQrUnd@p_&H)P zmejqbWlB=aBTTh1g{eBmzV|aL{Sc;}agrD@%CPT7Ar^q8q1i)?M#?8;{c+nXUX3aYHi1zIs}N!lI!`P(sNJRwFZFZZr<-+p``y-G`OI0g z&VOUtwQimN%Bj0H4Olko<4Hryf{{Rm0-V6JCkQ_t_#g%Fcpiio`h&x=sQ4D##p{43 z?pglY;az=W4=s#66P}oqJ5%QMYnNjW&4+!^Z4`hxF)z9uimYzJ{yn{?AfS&l5W}GIQ9~a6UD_vQg}?2y(WQ@NQu}-EXV>!|58Fvqxy(?Gt-8Z7!;35 zVnlB)k37;s?_&jh1dRXtKVet`W&d}k#Sg7Ahj_(z5ZV|6W80QFW z;UlKr_+>^?WWh`$q6iEO>ssQ41KYd71yBisksz0PzDQVbJurTdcbbjb)I90xY2KA* 
zs>ZXZq^>2#!dpYw8kwFj-Trd)#GN?~tcZo`2#*9^9byvy{^TLEjPvDHIW83FG zPWnrFdxO!3_~vWL7xrywMYD_~8dS87t{uq39cDQ_vQyy$+q<#`cvqfh=cYf1Wh!}} z5s$`ip6o0FP{5?vYwWl*n4g(qp8Y5R{WwfoE=lB3)^L<$FMI#~!Y#~LOz|5`ePDq`{3a*H9@+H^c8Wk>vGsu5!>tCHC|7b8 z2X#=~umc_kIe;@)gn!+OC)VdXDI-_cv9Mtg>+A1a^elQsL@m$-Fc-Y5U`g4MZd8Z} z6i|MU2_du6vgpDNXa||-Qm`9^8)<*xiMnNmg?FLii&<6-lpTH8vEXTke;s;t>FoA= z|6bbMx8=*=ITaXHcp@Xr)a2?!L5Fz+8I!4DewpRn%U(fNy>c-!-+P;%4H6RujbFkR zQ{#tYuYykuH3LwPUmjsfr9{LsMe5!+GME%FKZL1>r=8*DjJ;mV)Zd#zd%rGY1dKz7 zSJ=>jvfDCV0fK$oOwow%RcjHiFzia?Kr=AA%6kPuN%Vn1f>|oS|D~onldqm8@z9~r z9wGCd;24kk3(OuEKSJA)BZ*w1{gCTP(9p2gRa%|{LO%IWh zl8DZVz;uT~f7&5D>rUYG7kX=1p(P^(&WScN_~F8Z!S$b83pfXXy#i6fXz6 ziSEt>F<(p#bH@zQVWrGuYGQ&q5+9PF=&8u6`?Ii zdR5mr(9$^6);I#(;wR(y&t@zpLfuX>&ihDOx64b6#61%Jr64O?(y1+s2E`!2@}L>_ z2l^HZm<9q|lw+L9iSQ%W+#=~JFA*!i03b$1ZESS@*sAn4Zt4HQtsUCY8%j=3013c! z&_GHch#cn-Ox#6^Ui^zCiJ=1fk@5pTcv&wF-8>Z#CaA2);cpBQ^H?@VL{Qr zP9wRTh#Yr#N3R3Houf82iQG_6UHiAR;?B|C1I`}sgA86zzI@v$AXt%OVZ%`jLcP_6 zG=X|hqCf=aD0>(3Nb;VC2>=C%0&N@qO{m>6TATmm;a&ZC%WeNsMmzrep0fw%91k1D zEbI?x6S<+jo*M2jUne5Qoj0yPYt zT{ghC7*Z8DeDrw4cO@t;O0!@yei0#q5Rt43Ob=zk8G&R#Nl0v1*cNRDOuH+1b}8QC zSo_)0Jp)n76_7b}Ijs1$@F1%@2(qUXTLwD`V`w-|O4^Pb0|Q@AW(aMr6s9aD1 z*fz5yW+Nc?fbG8}Xx=TErd+%PZz*!XNgTgLvMq>L z9iwBmbq-(qF>(!Y>LmEye1IRt0S^GBAS;%Qv)KLw2nR0W#Cj2t;A@ClfGDs=N$f$? 
zgJHRFD}%=ozk>II;sD_wj#Sg`1dbBE=HuwV_Vn}O34ip22s{6bDazAV5)*@1WUPO| zPWTz;FiVkE9rnKV=oyE2<68P5{D^5`2nA>0MQkEBBGL5ro6tr|6DTc{qh`* z0NMt0<4y!!zP_zk@V#ll^ z!O_Qyu- z{^;ncEQzY_?Ci{{t1_ty@_%I}LrCL&nS#g2sCJl12|s`eJpt?0Nl#bv0o|m}wxHnv zUCDP%%s%X0N+!mx9}Vy+tr)mvAu@@u^&Mx}eNP;$p_QI&eN^K6kF0!*9Gx+!n!`V@ zCr~SIG;iVpc_0qDMB#T4Y8kVs7gm*a0d{!MQ`W8F3c`GxrU=^ob@GEyC?XJ928QHc zit`P;7i7yDrR7Q|O4cvKwSZ@Pr?Wz+aL@NMZ7tu|4XL?Bnr6bnA&H0Uo_K^#9+ARz zZG;S0{vgz#+08^&!y?0{)XnCD-|u?sIYRCH&$KsdKotK2nO(sp>YE4Cc~#Ra#99Zt z)$@Gqwpp%uy%&Td(bF$e%Mmu~x%R&!QColF9S`LCT5tbAjclcFH)curR)5#@+B4KS zM;k<@3~f!x{4G|8-nB5L`dvIA4$J>j>X&>JwM>~U#l(+D5L7iwex28Zu3#)`7% zSK_KqX+KNmM}LTw)ODQJsLCM-YT#QMI4TCLU8=Ktx%H(Qyi-ax{joBVW4V40Tpjbn z6{$S`Rm5m4;^QwbbfVG%T(lmTBYIUGnWA+C+eI49ynP6Y0&|*(~Bt{w1FiG^|&?( zbgOvB-Dqot-+9-ig|~E<2G^1YVPP@7kr6CcwRFy}5#{FR^V?OE){Rv<>$K3ME3g^r z^r&;;nSGY8Ul-rl1vgl7|4(end(ASneB(Jg?g1hW((!MJh7;<9(kYLqmoVlrfg*73 zDzJiSJT-Om_2@!%W#Z;ZPas}W^yg3wh-#MM=P^rVO7iNV;Xmh+vTxgA+KE92S8;+S zKZTS{TofFM%@I+#z^G6zVT3m1)(L}J04~buv1dnbN{h}T@0V)c$Tsn*EnQ98%OAd292Q<|Ju!Bg}M7x*kuNV(|E#d%*dN`d? z_W7?XTN;~6cL;o1G3OX{(7#jeT!slGnxPeDIe>FW53uDLip} z=LHYWi;{j*K)C3?1a)IO1eHq6NMw?m0u`$g#0FIC`E+YyijcAk_%O9tI&WqxxD6+^d9UXKyZIJPR1p+ioCiC>vt?Xkqa0*hoHlv{B)t#^Vspu)f~ zrrxBre-td>lddHLu z+W9%uGQ~)+YlI9A$F<^TEXQNLw~=T;joCWIXjYcNgu&Z*1^ek+8zzgP!wlkiMp@=1 z9}p#~7@7=8NQzk>^G|l2&4o~dI;=8J<^7(}d_He#qFTMhzBA~wzev2#jrt}}Ib=&^ zZ^=&W=5pViUQZ^zY~_#~aU?^B+`{?ES=35#3F9Tzy8wgZk5NDnrh(g0m#eqy$%Kn% zCo7vMRsjh+zDQv}A-$rf92D|9gIe!n&z^05$db$^KN0OwtIt3j+7IzUk?e7YWAITD z#-;QR;RQ7&k!9HPd0l&mkr6(&;$E>UbTuC>a(W?$J@A9Q^48>e+o zU%NRzElenETMq!`VdhJMwTW;IPTCQyxs@r#z;@w>2fC!+E8JRKuS-PH#Fa4cHf6q$ z#c0ZPj#F^H{!0jppZYC3Y}z$Qi>q?kj6_j!X!&Xvp{MI`dD{iTz!}8) zY%jet7R&E2T! 
zI2n6-hyWvwYCCeifns4{k#X&?j)aeMGLy&g+3P*#66F0V42@J;ZhjDm6ilwdPg5*d z6hh!ZYY&^S$KP+a@UhnDn!smiLGGt#f;R(Ee=|2$qs26ngMM50Zu`M*V_t?(CSB0P zg!>ecUdR_dXJ1*QTl0kRBbYNuui0b7l{P5fp0`EaTQlz|WL`ibh4(HNLi zj0+c-kOXeqxM3GRV@fQ`pZBAli$zsO{8{R_@`yGWcCd~+p!(5Ff7bgXr%*4P!G(t^ zzILb&*b3?)$qnu%u_w24eZz$BV`pW+fGRS6orb0#{bs1sXFeCMazZDC&JW7QQvS)? zc2?CZ&EIi_Ql*6!s1g4foFs8H>m4E`z#M7nOjP7hlm8p=gWnI!0DFDC1Dh+Xnh}z)r)8`~msa}bS_(-0(=eAGv7ZX;A!|W+~1?=I= z@e-;<;xSnO$fI`FpZ)B3URxITk~)r^>^nE`9gWnxyi+D(1-gYpc@hvlw1 zM?sPon^EmH}Qk{j>389L)n>ts3L>Z{tVyw78mM_ZaIIHaE?<2Z=lKz|5 ziTG!_pTlzy&mCQ#D?`WWA+=!PYsdrNP+Qukc~M8jZ!XK zn~q^c^w@O$?RffSsh>!}58n$S`58)!=+Vp#*)45WOyVlvXacwGbs2)EOYrnL^p{`gLeD zd{D01<}q7CA#5s5#Ql+u8_1yu>Qw^S7E=S7WvRRQC@G_-B{i)_$^sVCfE;e=9X(bK zj_YCF=-*p383pt2c9OOUF`j!25bp;K)I7TqwztWU1}`HAIt>3%N1*Xt%ylQ(ZZkD6 zEM_i~e<{mKCvbLuO#G3d&Ie>jqSfc52puV4Ug~8ZWsu%E-aBmG)*ZlGduO$UdCwcpT|1K^+5V&geKIZ!Dq{-!26>_0IQjD#a&vb0k9fwJM9}cM!H)< zdv(N3gCZVk#)~2f9Yh%R_v5Cq9clxDqbbn%oX7ZFsw8#<2l;3Ayo8(fCA@+;6pdLf zQ65MT0dE2_3$iQ2ZWjLPTnKTU*nG~%%aGVc465^RuFf}=1PJ{KF1-{De2kfz>e*gs z@fUwe?8_%lTWxtjo>SJ#%i~&UKOIyim#f0lq=2{f(9C@ ziAB=zmqtPwAv{T@9wz>zA%U8!XGY`Y1fz*3{L*Hz<3n4-`At8a;f=vPAYMTRB&)7y z{$3R;dHdy(@h{yEXneBgNIhTA3Mz5M{j95u8f1tnGbWSUd%?kaxl-qYv!N~s)f%X0 z+)Izrve$Ubp|3=ttCK?82ETy?p-@*ZXutCy#~NF9Z-j|&xBn-|@>&+3M`zuUlaOVo z+E+Y$_1TloQekKT$?PzO(=@0~m&%8Io>p`*TJ`$sq!4vbMNeWKyQ7DK;r%-)_# zPu?fl-o)Oy11eqB{kE>BCQ;un9I<-3l3;b&JC%3!qDz-^(r-8YyO`!d9^vIOI;9Q7 zrH>WpbKF$jkc+fzc6xibw`Wdj%dW599(HKm#q8e&ay?)R$!hr-9ikns96cll4T#&*!|s9 zK?p{=Z6Hx4pWZ3BwK5OMAp!cEw&!!T!GKPijWW>_*|GT$dx>w8M>X;3sBM*$pSWz` zVRSWhMMrgaYS9Yv863%rJhaS41w6#2*IcQ-yHBcNxIJ?-UkHi2Usiq$q>uImp>2v_ z+*`vYM3){hzc+PeS`#zwFInj-Q6?wt#g6ToHLgvpir`=z$YzSbYixDW?JEv|v3{{n z+Bd#=s#B|eL%&tw#9qq1Bj&~F-MmaLLc%R+(O>D9@?W~T(V`Y^V5~;6yPJoAFK}qQ zxbmWQo35!Lai`vrQBE?iVdLH|T?3p!MiS?mof+s}7X_<>jt9gfsD=p9nKk}U5B9wQ z-Qe54M3a9r7%5o9S!rl7$XG+op|w2rz)1ul@7D(L5d96msilsC(?GgH!@pD2UayO_ zx@X@s;&u}ISY`xQJ@sAK<^;#0J~|htj_iT08lPmM;ggGjiSoMu&JacI4zqIl`1jK9 
zAAy=7?k4VD%_z8V?<;r%SaR3(ah;&LGSrC?T6mgk+~`8gR^ z$;;(q>=?buVmF+s{#`8ZkDCwuwOT$A*?Dfk2 z`atTd%eB>+L`rrt&GqP(eZNl8<5|2E5s`79ht7Fmb5{=n1PS6V;bTn zMcTwkx-S6yPfd}^U#NcfEhsd=x?sIWFs10m0Ue_6h~MZJ9ExC3Ymbv0O$Qy~x#ZlX z2A+mgMqowq(gMO-f}G|)7L?$P#poji>Z?-XWRD}PAE@!@VDcHF_%YlJobt4E5G=se z^=0b{s_9jaU|eOSv0}R!4J+64@ob1W1Q>*mvvIOU+A&lEF2p~7eeq+R5EhJ_A=Zt1 z1kmlEtn_&~3{rO~hmcS$ME4TSL0R|0%Hp30p|c$$OT9=__AiuW;EV*P4LWZBDZR{- z*nruUATl8UhomOzNQPVSu*UcPZ_nvv;UTOIFGzBtAyllgU|ngMMcIhy=&lZ}#nxNa zW58zxMNT#X**ZkUO@$Yto(2iS#c!K!b;VBZxvSPTR(Z7ua;&P}gWO9bo6JouveWaP_W^> z+HzM=5Zt?Yt<%d~VXK3kgb=9$M7e=bN~%*|M>B|C!;NHE zGC49*|2l*h7$i$-H^VE36DPaHVxvlNw**@g&Y??~=-4mFSHYXO)M4=7G?cr?5_}sN zAS)Qh1W?@(`&$WN@=eG~COkn)a?G%Sescned#B(up!~h_P#jv2v0<&a(f;o4Sk`xb zp@jd*0&Zh?uwH3A$`YOe{gE@Gj!~5pPrvk`!=IwCZv`yRuB`ZP5bOpI=ML8|YEz zWlxK!QU72TW~qzx2Xk<#HJve)b9CJe&QHbkf)^jaN{_2xv!su~!`sw26D{hHyJ3~Z zX&jQMmypess%bOHSbZ&R-I?El&T2IZRvEz}ZwCvL3m~hc%GIgFb~A8PKBzw_YkvId zUJ;gygUvhS+vynVIsRgMgbFD64^jI)QzREGXRL#29f5FN{zGA8G~3-4MRcAN$pfYR z78K{A(4`?01_GIgmQnP*-$f86;uiXLy)mbEqnJQKdmsz;G#w=Z!wuD~zj%Vr_78X}y`@%vi;jL|41Dk^GeY~JfH;S7khV)R$URkhiO z2@8|6&a{KA(0OVgaUX3&MfBF(SQuMv*xu=#a$^Z;cJiA_Rtz%T$qE3_KJvEnf2^p9 zC5#{?#u_}RBlS%vI%!GIhuUTcfh1nMsOIt81;MW+Dbd^CJ}x(J`slcND6u5pC75?p zhu5Q4MU8EG*{<|4e#>vuOyKqlws;I%uxiN@b~|+h#bJ*T?e#~9f8cw(Go1NQpZTn~ zL`I8En8LE|U}L0kgg-QMaza-~9?oegllB;WFa}s}=MZRubpmsv*<1{PI($>+g_ckT zS-4*jV2D%TmRNXLFyhFr_3XJ>t21!2PMS8hxT-WCzNy)lnqa3I5D!t3mi@+J!NtQ?3)C7z zK@}b!`)9&(=24&M+9#1QtU@ka3IE3D<0h~3BmO=JA(Wj+Sa3_=*oIs1ZM``j`0jCo z{-5#=um?BUymb%i*l!Gh6NB5ozx#6KDTZV8&smQcb~_scyL(wpx%1LCq|Y43lybr+ zfi(nAj?iQ6&7hvwO&TKXW{6=ic*Keg6rvVI96E&p4V!9JO7VAc(pg47^hsfxb;K?8 zS0Y^~M1eh_NOB*ExM%x{iw`j=vA}NjG{+V?1H2L@j}{!7cJtA!3?baN#q4UiMFhQC znSSX4M}4nDuuBY~&i@G_93S{VX!r@k*hM^9s5BBtD$9et6V~6GXv+KsxQ@-F%QPk& z|bHZ(8*3sNNz1!`>u!7|_?)989-HGfDj9Poj^N{K5`_JZ~+r$D^jaENI<( zRFy+(ag5OMG#!(;tLz7nzb;tC%HTdgFz(RSq+oERct5DrMUmdjo&E7ElJ^cRTYV7wH>pOsUt-w)Z@r*=Jg(!BC3Kk9$ zW(z_x?1YMIWSOu&p(;q`l>!e6$%{*zCCk7=C1(YL3#tzmi=-yrzJafSBRV}D?z_1Q 
zzveWtLt74Q93+9oN?9!~9G;Ez=oKSA`|mB`Q)5Skq4$rA5wviA5RMk<*FW49Q8BxBuJ^)JQCW3QIaQAbu;&dcc#@K;t$|YF)+?zM{ z+=&1jzgD*#ge{c#nct>P7*w+p2)^$|MSG^;btsSuY;yxj$!2^>G?X0jTG)#c!{HiR zh_>e2P=dby8KICmy~?;Kirx?l2JlY0{-}}V8yHm#!Vt#q)K5Vl3)@dWtL!44LI6+I zK21N~icL$=4=aBgf|FR^#F_EZvInVW;(VLp9&1zPwuh{#R{HZbmoJMF2tOKqI1(yu z!${HLa)2B!d#l`zQkI>`S)>6Y7a_7=!VM#7@AmT_!XKl3^E;iqLdwZWj!$!7Zl0S& zJ7XZV*U2^QRpM9BA!}{J9?7q9_A*=rSc8-UgY7F?QvGy4P-I;QSB4KvO?07S$!M*(;_O(Gpbu_cVsrzy>Gm;+G{f4LMfM#$`Fm zuXaE7XY%{UURfs4e)DtJ_L<^;?;pHXcnm^x6dMU%j--jOY^1vrEdN+!7bbAvPq<&# zm|Z~~OC?!lJlXe>9`Z5Clmle*47m5iTq(QRKKI_vTooz~tEeTq+qr7{uy{h*9PO;O z&t(SY6Z$KoDw7f@I12}JS2q_6lkfkf98GQESU8B8iT_LR^Aj_vdplVWGifWC+FF>o z5i_Z|o4WmvBJZ?G@#@x-Cn1hptm`U2g#>(35|I%WP_Kq%UP9|nwRm3ekY|JdA zTui*-m}DH>EL@x%?M>V)h}~S=ze+`I++39{T*Mr|J2^U7IJgmW6En$MI9Pr4%FV*f zMa(2=WB=9W>;7LOaSJm?a|>cYLAd{C$X?**2Ht*{hpV|LFgh}#(l9WbCa_VEqO0`E zePs|fI!#zZwhSnGhXdnEG%G=xr5d*MzY?t9m0Jo>BDFE;qJxO_B6cp-f)c1jwIR_U z#-J(_;yKjJwuzsSw>%+petd}ku1C1I(w+FryfSMcTL zdo|K~yx8~>3Q=# z`1x*}9Ang8R*&>-c931xR70^{et64jp|e@H&liUaT$z5fT1_x&E^~S{M?50q+5V)P zn9lQg9Kszil^-e0gmXxrH9Ma9OaFY(<|$IMI=y$zqBsp?8j-J$S~!c{&6tb-jC+D5GnyE$DX=3 zt?R_Tzi7P)e5OJ!;iC#8mO-B}w(`oNZ+KO20Y3n7z@70`%Ke0Cj}=CZRr zrMDF}nC}X!Rf$(0hln%^raG4n3w3axcU{&e8myy`&Feck{P??|=HsBw3rlvRB48-KC%M0dEP?9Fk77KG!!+0YqmJ(LO}nWByiDG z;lOj3ma0#iWNDqW|A~CTcj`Ou(+KJLcKva_I&ZaPEi!;jgvPU)QwrZSSjD8n0+H@< z*U@$Rjo}Q>PksyReK3<(^ls(s7Wf#*`K0mNtXQF@vwM$Ckp1JG`up(nWx#~cTd3fT zJYV~J!j!HIa)Ps7SXh>(|5RvrjIQl86OHeJ)`8+6hsY=WqMZV<5qS$&_~Y`?^8G_R zx7sDahHIfGufn~}!+l0W@x=@Y&xHE&cfWT`cKmT!4XK>5$8ma&1A0@Vm(!=t-2?t) z-+s?$RCJG1V{WJLi`ET8ouQ)%J9cri<$vAKwm=(Lt?>RsPpr7HJZ0Q*0epsFXxjt;CJU(yI zr(R~ATA5Z^ZQ89V-Y1{rs2)&n6~(PAuGgObc0eb#P%!h7)!ziRa4*fwPrA?Ad}gzL zmp4g42c)u1-t{_N=D?M|Tx-$+(v}^Vr$mm*Uz;03oE>nUd^&k@(EW-2DzzmVjg+0N z)>GCg&S>yb_bWdlRKvd=5r^TAupwLwEjKpr4$eTlW}x%Hqf_7E4BoD+c@sda@ET|u z-s$rS&J6`p^hovcQr#CY+A^>30m{RHWv*+A&r80$PwG^FZ3W~(yuXRjwC*=SyWKby z`euo@)Y& zS3-%7D^_LhI2l#7WZDBC2*ID?gg=XY5dIAGa*OdDZK(=0n^hwL$1T4-t=l5;zWhrt 
zJes|Qk7;jldVyJOzqGrs;qH@vi-kaGsQDZWL0>k2jNR0N*14B<`l zzwH7*s}^d}`f zfGUD=EHSRCk1Q3~B-$*>E8E1=|L!?{CZUGI0wjjDEozrFDgThd@Bv$J`*k6}87d|fIeddF7NJ1_Ie3(7XNAHF~ zX1_wulsafXqlVkod@R_;LU#8aZkkGU%qh6`noTbs_A}L^loM+H2KrIt*K~+?zlbw7 zl7p0g&44n;!%|mUtbQb3WW-Bl@;iJgorjOg3-$3OArKo-D>csdSH7>Eu+#jIsP#tB zW>{v3SM=@vFuhQH=|wa0D=4$QXFoIc03U`#RFxU>OXZOGF72t2G(a6lR^^GF zXP?mc37PIzMShkev{gd=~F}83&F^Z+~1sTi=Q3UZpwkU^`AbUq+Ot_LnuL;65ixj zG}09KDV`qWCyHC~ZE%QZjtH&>Vr-DDE>~{mW7}jY--~9*vf4jmfP|`0*&cP25(KK{ z=3jq~3gJyqWd}I22pz}nCy5APycIDk;Rp!%>o%1tnxzl#7NLl(-=+Jmkq;; zL`%zv!YS#EH$l6kIlW0!M}suJuM)V<&jIw(V)kyA8c)sf>NWZO%u|MYMs6j^bYaq_-mbGArsS0~48>9GzbXWpuR1MD}A^*0G+ zl8%pV)%Nc`$C`Q43>@h|lSN(cauH z62%GcZDH95jm*g5L2gMb{Qo{tk1EVZrIkQmAzlM=*`gurjT5E=dk`tmqe{epU~mX2 z9*>s^u2kPXR1y>ff$Q=;F~Q|ShjNmTec|;V+*F4Ms4Iaa*`O+t51b?1Rj0&!1i-`_ zvmz-Hx4By~(m{XoNiLfduP#`@Kreh%EV_RJk}YxKbZ??~^K_;<2?0IWtVzL%L+Y^2 zs|y*yqA+PLXjnfrUfcael2;R~V6ayvRV)6o6!M!k4D(e*)n!$I8Ds$j1O<>bXp!3r zpJKFEGzc_C8-w1N1F0VPRsWUt2VwaRDH6q)wK0w2z5nR%2~hx@GKy)hM~~xvHF*fO zas~4hQT{M2U3m~DHw=sM`SAo#4^;@3@-g$3meDYe0yJF$ifO^{i1(kVkU9uB3gED> z(1Gy@5k)<<$=JhMsnCa-tTreV1;AH(?Jx>e?W^RQU=4UpH&oJ8@zaP#%h5EzMH5vhS&(4NFr1CKe5HB_sk8x`VJ( z3rL0nErQC$rZ;$1g~7wH0QXAX%!=lO3^~U^_&J})VVcrVH0x0oV_4TC{H7f$DhwXs9uKP=i34K@6b_(f8;jx~ z_M$QbG7m6nL!Y0}D+ga5tZ2CR-|nyQ9N#NqLXOPi-TEmf7DXqlcA7c#DEuOd^PF7t z?nHcPu%Z!RlbA;5z1hOFJo!5m4Jtl7s$4>8V$#uGcB_4QG8nXkW0oD4=oMuUMj8Vb=kUqk9y$sK6iEzFl>2*#7V;nUsdqO5y(^eh()g>34~K_o+(4aT zNDfli$~#HleRJbgS)v8sqVMO0n8zQDl_5|sp~!nFOe%6XPGsY)8dxu)F~zxq`~g}5q1vE>_8SstzA zPSL3FX?zZQ)Nx=WJ>Z`f63@b@C?s z=qAmAMX>_h<7vmyGh)SbNQ+jmXk@WetOF%7K^Es?>1xB!_Tsps(J}p|`{KQUK#T!hv~m7_^f*ZlH4otr-5Y zT`f8^j2AmDweY7_L!hd<5<57wK#~1;;UCcB*Gu`pFumI;c!|ni|oO zGsw;Ynd6vLM_Eo1QUr9dBGm*hD~lw#^7}?~okkJ}LCyfYAx)*%jR+h@LFmLRe5>h0 zkp@q~07PS0STfLvgPB1BPd=)tJ+<(_X_%8t3;rTU-MBW5QkF)N^lDSm$jWAt6hM%F zNmEDFlwVdfBoJ6)%*uHs)Z;W_!cfw(2swz3tkWGSDB#f~INb9Gc!x$|fp7^aIHUiu z!9_eU2I3@>f)UJpYHlJbvMBJt9Q*s&hFLJDuNWSH^s>+9460l> 
z${l7fz@ve{p7;_D7!xs?Nx`YcKDC56GdR#6*p1x4Hl2NU4MBnmWK!bGenXvPJ!i(}jquz?VeF9_A1H?cQ# zFBzZ&Fu+1?>;mkR6zr%dp{RR9qcdqs0yJXa4K8(zGpFK}YwV2)IJi4-%lgtD|IkzO zqyVJE3usw_#{czVrCjNz4JMomYUDEFm`v45gsvzC3jRaDaPKt5?)b!(3x@(*#MQPt zN?%Gh`@f=%xsxvk@JFTl5MXNv+Iwg3^DjO$-xr0cazT%}U3*ugV!X^?1yj8k&^=Av zG9PiA_65n4y{o7HE3?ftH`{-SAM1+f@%%piX4DXXG4qiTe8_W1E5_ep zQPib#W)z-^5{~4>ipz~{=ZF=)Z0$*^hI8^;ASZ^4k2;puV<&mE_poIJDLiY!F$j)) zPt0ZI1CLqW8XKIdIu6tVezGVtt} z7(2hs9%ecjh#XnTTGzMCqtO`aP#Q(pR>HC~k2!Mawa`>JRg|W{R+WEsaO%OT zR9IX!3ZdF7dc0^|_S}sK1uFk0fA1!h@67BXknXpFrO;Nk$As*hAu8-EY+D zaW(fI&)BxqDFsAj@{)Vv7!?_le7!KCm3Qv6<` zfBqI??gf&f(*UatJ7Qj3lwS2!hrnXEfgk&y=L)`D3WK7#drd_tm8MBuh;IS0JS8cM z7!ek7(4SL#%tfujbLC_0pJwjjH)iTPt8#}Y@K65;do0k zUv=RjTd%R>auG_y(87dRWKpKK;bOf1A|90%1A&zGH@$?{%UC$!pumGsfG6eFY>^!* z-_zkhG2|FHqmHN35Z_uQ@XM6Zm|=_y=p~D#HjuMHEmRQVWC=wczkC7Kn`_?Cpdv7k z5a2bbNq2Cdt^SRL3;+%+^O-ez{i_A54h7SR>!s8o!XJC~fay3J!ITRk>*61)HRJn1 zB)6Q(1-5Qa@Nvc6w1BnMhHAtL=xFyrWrbQAHxc@J;qoDS5^~c~arkwO z-%oaO4-QB5DLDo)I~jgQv95;Kp~+YCu5gyX@TVE%o{LV4;hly*PHHl zp~BNaU85@LJUSK&KEW`J=ISE^z)tubNlj9Bj;bi=42##IFX}Bl77gOxvf9%^bQ@Ui zj1t!0MZiGrrlo(>+IP03&^K0ut$Ad&RVbWxYvf4<)fM4-MePeXa~Vb%gbNxJQT$D; zH34)W0UYf2EY(h63EhdyjDd>C?!^q-3jf;fiM7p<{@J%)b40Em-#T%G2d9XN>3;5N z>P+MD9l$f7jjga}Bnx>}R_I>#{+3@Ii#lN3cf;0^w z#oB03tK5PSnJ74wQ2T_2b_scZb+lGMcGg@U8l#kRfPcYTu%&Wd!SxgeD@2(Try@YT zv_;=DdOXZkykd$`>U~`MSDZ2)zXx(h7K#iQ0P5`}v*KQU;>T_W9#l#+hCPloJ<_9+ zVVp1W=1du-IBKtOeMC8@Miv9Lm~fwTUl{0G^a$tGWtO{1$b^jUk{WYTljYU|HZ^~S zf2PBH(5kn0Xw~$n?A1eQ76NEN0_h0cB6r%I8IwP6{OPR~`^1Y|;ak&{Y>TlK))T@x z${Tvf-}!Nlgb}kBL~_BVKfO!e_3J8@kN3B=q?yBl_tkRo44%?`^T^hZE4RAPL=i!G>m}9U3>#C5)zl0$ZM*+~-lTX>&%BQatC4)kvvpQ^^WY9|Mt+N3t}}2`QduU8_|)S)G`39d zk!{@UaX|dzjj^?fQ6Iv99PyV5P&=Q~dbr6kl^@0*k9+pRcFO578uAGH^BK<*w~4g?fq7DFA&alTa^ug!?~vEJ0QAzQ?`vl2a41W zu5XA7y!5t=FOaP4VYSNf^T(}!XnXRoljpJ*(>JOGKTX;R3oBv~zXkK0Rp;yqD2{oN z8Ff4Fug7VZjCSnV3vN<&TsGtVb9aae=!!z*ir7m8KWz|x*0FbNsd$wY(2POWW_J49 zNA24WIJ#GU6Sv$&R$>_+hK$q5p_Tc84ZrD|WN_(mI?}Mz;fnU9JRCoB_`vpiwIZy1 
z%!Njqng^BT4=O0Nj-RfrILQw4&YCKuM%}s?5IXaD1wXkT4Yil?=#8vqM4x?aNZ|d< zXWh$jL!9n7$D6`8DWC&Tc-qbOW{ADi^oor90b6TXxdB4=Zs0WwB4s1@@JAKQ{F{^aM?;0x;fXVl4H;csY zRl3F7Vo;p>#CEx^h#XLw$DMrX?d9Ql`)#Q7roc`sV*}ZC;?q;fPmX8p=)s^Z>1;xv z`L&EUDa=y=!R;MAFX-wb$JI4?2g4IVyr$}LI;T>oW+vWQ>RSs3%dE#FWfPUt=d#Hv zZz%)+UM6Uz!|BK2G|#pY$Jm+j%+l5KSf`p7QvVp=QG;JY7(ogr0DD)fq03b^9f^JJ zKv^IFyzkxhERyZ{)DyVVo#MlVxTSC6($kb;RBzGbGhb(g4j`bc33IRh{QalG;GQCj z+kOQrnaC~9TwL~Gd$f{`GbMY8@5^0uRc5|1o@D$4#}TH;Y1kNOIYptuI|z8ezAIw2 zEWGjMZoF}4?q^)~IA5vbc31~|`}YO>g7+P&33;>J+fV$ZJXkxJ`AOk}PISu*LtDOU z2*nZ{zV6paM37)*m+eBZ0B&QLlLEpZl8y&SU{8HDoz#$sl_G-vt7v^G3)s|x_WPzB zO%Au%iX4L5Z(ofacR9gUUN+p98%yG**J6-6_D@rj8Ro4Lk{|GZlNL2-K_3@(Muf&c8q!S;LcecopTkSMjw4~gyjMld2hKe3|B3Ai7mc%Q;~>z~zQ{GG|> zwB3nkUdX8pb19~Z_or{YvVWG4tLYvBJF#U*J+z8H5ET54%y>GMs&4#{U>B~~`8gAv zcI4l1n{D<{bF1xob~UYZvt@X9^h&jvg29NwraEUr%+4yvQn`$1Gr-11G%@B~Q&6xI z*rDdNURb82d33;^mdQg}6Hr?+_(ZM7^s+#{^9kr1^$Pv}0$kwy{{Sv160;FAiTsBh zaQF{x@c+ONRHa1!-}nMnP8Qbx-}r*uG*5N4RjlxtF0QUwG*V)UyKg?Q#PfX8n2;)w zGJ(nvVIhb>An;iP5~81TVCrpvH5D9XcqD&i7{n=y8TUqZT zI@_y9t;?%cm;TG`V9IYnko|7j;DPLg+87t7efntV6N8TsI4Iyq+TgvrmX?rGPvQ`Z zZ(RbJnHAE*jSm-$f#x0S^gYUyu1lW*iKJX&epc7|TefJShC8GmYEHo)^=hyp=_feaHsKGocY#r#SB-1Rvza`Rm^__r`?G4ME-bJIa@}l##_m)Nu%_=o;ltf( zrAuP48z``*t(;rJFnhzK!94^j_~^4Udspy$J4U)=uGjn^$MK#pp2y6Ii&ss)GHf9b znG7bIg~VZ5d6}H}%aSCimq;*FqKS(=) z(Ht%$;LmOV4kr~f?vGqM3~P5IF#k{<*DNhiO$@jYABB`=8@CTqws?7c0)?X|=omwL;(RLfg6%-dUO>cHFvna-CO;ZF zKq_4rEMG=jpe?)~fxh4AP02tsqJU<u?5ux zR_THHmh}3H{DKVbm7oLI@-qYXzkx^2=PQpzDTGVoUxLR}2X_1~m1_e@CzIb%2Hu zfidMiWq-6Pp(4&A={&`QSSE2f#U(|DCWll9-$(pU@ka}wT<>?6oL@n$a-Q&RLmzjL zm{59tl76Uux_+2`z#j9U9C1gyUwkv7Oxdr~+BxDPd<_2iBDcAg2B`*)HKR2;Y!TMN z_xXg=!3W%v&Ibr1Vk3=1vO}yxjKlgddC)#O-4{lA^rFaw$o9yXd#0n->HX<-mKrnd zuMYC0R|;zi&m@8*<0OEjm~u%an?ta7VznFTs?5_3KCRrB{nnu@6Dl4+Oh=`0H4XkTJba*tbEOy%?d93G7_|^ zv^q6%*Lgg0IaN7@-6Gu@K4U#Icx$>5d>Or^dEt58df9pfy9R{iaTT)^1?mNyLu>|3 zcHy@?`x+#*VOe7FVo{?~3M&g+in?vn4b#vTN2Vl970m6!`L!ErYL&uEx$OO1Bc26r 
z8LyO3+!3k~Sty$*I#icb3e@LRxN78TAgWdkXSHwrYXj*PS_WRj!RGr0^;5;0M~ziw z)Z5P8mtLIdTD6-f?b7YjPq0q}?YMSGp^{>sZzx~X4!g!*1es(!` zRd~_9=zRiyI=^k+FW(%$Ex*eEvjJB^oIn-=3j-^I@jx*^Ac8mn_xA$yw)^AK&gl?o zE}#JNe+W1SaX~OcYazcmpwUnkA1A477{JjLeOQL`0!TptuN+ ziVO-Zibx502&D)~q^MG<)gK5)sz>4#bEDv5B6|=y+m}7hZAygfU+h8dU(qmXCf8rA z**6}RjZas{>h!AFQQ%3NsL^7DE=>2bAG!+;OVYx$`?HON>n{AZIL_Et@n8YGng44xPLj+)&A2@^`j6zJXe3bvaex|By?Nc1iHK3onA`-y z(ZfOdf%Q1{=>6!sH?uLbi<3#0^Pk|4Ugj$c*s7qVYR&alX&0^Dw%y0B^B5~UE78@P zapCbOBg}2<@T~>8T)EmVUDNvOqaprQe!1OF>M0Fa%Rx(I%gasU`YQAF6awwpNB!}= z@I4vgjrjBJ?^oonn-fogmz_mVMei;<&fqQ^o2PB}s%iRa+N(3wJ6ctT6L45f9Q;x*{BhRuHReV;1dKvm!h|E(;`74MZO(ADyu;;jV-|-Ix-A06=hH$7j z^0YM^%w<*AR&R~_rPOHOw%V7icfNlprBs+yvukmBWqEa827eP)IPKZVIv3t%r;XQE zou{_-pUL}G(On>3$8TEiv|CSYUWd_NS(rc(pl??+T^?WB8{DT}Tc5LFWpLWO6YgxE zrk@5E`}w4hG8Eb6yj7ozFU!Vdoevke%evF`p(ZiGEdsP(Nv}0B{UFn2)0Dyu!e=5? zBGZwtk(=(n9|mv6BU9%0gSyH8G(9KHR^)iQymy-Dj}F{e%$}$5if@&6vA-=nSsfdm z9L&3zT^E;xZ&h^hKKXs-y&F6X$DLltyvQWwMDe3;;Z z8hEr~0s{Pc4n~G}^#2sA@_1VRrMhMNZ^i5XmFV@qWU&kk%>P3H+o)xhfHiFQxz(L7 zlIsUhnw7Xs{)?wI0Lqq*))A=j}!LtB1k!p1pEdg?EY~V<+o7 z9zwe2a{IlR`>bE!1r^q3i#_X6uWpx3s{NJ=cOZ7_Z3brbD#t|{idDxsrJs(b2gYJY zdf$2mVab%W+ArbOeMJYQApkB16T{WFX5LvJyUS-$(!A@@AMueHw8NVXyfbWJ4otAV zxPLaZe#RhTS;uT1GPPCMH>5b3T$b-f(skm(S>cZ0HSFBRg2dAbbWX?1Q9%E9`>aq!lj#|x|A(%cl=IZy|C<-){>uKs z`vk59>}YlT^V!Xfry#T3;@0Plmm1N-<aKjXIhw)aOdsyu42T@4o)2;}zlb12oe z(JA1E72lmT7X1f|=M(G)Lhx`BjSNJn@E~zRVOdnod6sv_MR7stAAw`*7@59Xk=hZp zvzf9FJUGz| z=~WyNSmP~fF|y~5ry&k1!<9|DlIU`~4V>7F$VWi&?(?Mqpvs03+G#>^J7Z>IDIY9^ z*4c2!IF54P{?6cKsZnSf8WnFZcsuXoGx^6}niCZ#dDeLe?yjQlAX;dhOjG+;Z1o>r z(+r*ZkDQKSj~MM{zr0C51FLbSV47tkDqZ+-(J6q?NXzK5oaF+)rwUL{3aX3I-B(f= z{%MINEXkS7F={hm9YHgvfr4K4Co6XUbPytJ@SfF_QIA_kcL||OsKUtCt?52_gCvV} zO4Kt(%k_#5KhUV!AnmH|ZBEAMc-P^w17X)@P>W^iSPL565PCk-+Hu2}s$QvPN`EzE zZ}0HbM@9N;u&H0Hb9KWML3}j?^$DB7t`(%6npbr-E!7@BCb)Rng+zsoDA%vvBv4RT zl-%uyp^120^T2cG%ZXX5BJ079dqVwIEeRo{Muyx19yZ^Ke$%K1@=4MUCS4+5Bwl&N z8U+4>5NZA~wa{Mp{1Xb*K(VJ#7`b7`9X1qTRdgYd&^2uq;8vv$IrIYWl2lk_$*vj% 
zkUaRf4pk9~s?hw#RiR7Cke7){aD-()UmAqQA}lYl?!w;vMas8Cx!7$zArZo=n$8IZ zBh{S4eAI?f-13`*H$R38uw*D&4q>+5D#J8}2f%Uv?+&deseodTlwj*OujZ7Omx)Zm z-%m_a3?^u?h!Z$c#yWE6O*K60y7s57TN#tXmnOJQ09GJiSW_X`C^T?$(GI@N36nMp zJckNsWS(t?c=@A0L0L{SWgQGKm%g^dg#TuHUMHKDo=!3>-D)g z(Zak#ROyo!rgq~0e!~LLDSL(e$=>-(-U@rj=89ESZlUI7vT}v&)?5+(cFcRZitVhGL_x1b75jTWf@GqCwykeV@m*2*(IiJ&sQU7 z84)&oWY|r3Ocs5VOg;|+utGI}oXs3PFQqpQzH*v@KJXw^4vd%5CC@F29IXf%h>Bjp zchNcNB~r|RTU2YI05+FOVd#vsQxI+m0=k5Ra$FvGh?Idxzn13_5&Bf-o#!oKu@j7B zbNRPm$nry>Bo++yBk15M`&ccj>J+yaj5*~g@z~5g)v-37upV>AG=tFzNHR!&*_m$` zlX0zR{WY1x|cIf~Y{9?WvWoUVmq$}k4Af?%N=;+ch z9g;i!FV!*X7sq4{yUU3bv>M_vTAc)vmlXVTB4h*(G(E|@KkD&f_qcWN8E!Hpc$nM^ z%oGd^XB!`hff0+Y#5FbEQ!*^~Y+8erFj;834lopPXV^&v2_u2eAO2f=sQdj#s0$%E zvvcFY^3TtYF3ML;`#|Tlqqe+4=F&>_0fF3%r%kgyiI}*11>G*&LFM}oJ&ig+TaP zN&yF)GzxC!voHdt(Soa{7m(ZnO2Laui(w@SfUo}~sEC>1k;?3ZO-E*7Z6Xm?R-R%@OXC^#ysth_Yd5alKyl!e|zu7mb#J3i?V>UMMQJ@JKF?zmP3%5q@;6H3qGi@VOqGms#y&i1K zIIQ>Mw`_3@SZb(Wci%uTxZzvd%*paK&->!hxl7H~=h~l-BNg;!UY06PU@WM5A&y4m z4VCDxvqkplPhi`~Jdm3h8|?S<$C;nW<0!e^wuUX9LgK~P z>{_Iafy=qc$JdYa;OB|!BW8$dpm7YzRw?*?K7`*$95r=KKbIk8f;;1{{44g3;=xe~>GHM0A97VT!pc z*?2m9SL?H?cO8fPLdORuQ-Bb#c9P~(Qa23<((w3=^#P;Crhwh8um~bnwK-F{0WDEp zv@#cg@GJ5wHElyk!Ps8#Vkr_9Y3X_{@`4>AQjD^zC2i2AM6`M7>Nv8o$r4P^JXw!PpdOILE3kAozAxwf)%9O0wtJwoR-kg{cg_ns2?R~tS;_o938>?cAy zm)X>+XP|lU*kQ6ydS|Q0be%D+AQrH~P}8@ihVt1%{Y(O16YhRV1UYR-sR+)>}SjDr?BYrYoSQOh4At@m34dR=Ex3W1mvpMWgkZ4t<{K$(v%rs zERg6#v7mDMuTWLQ1bPBPKRzN3zMD0_*hK{F^cloBVdA>ApUu~haVvp^uxh4ufr#{z zzcw7mRa*(sD^5c&X5IPs$<=RYB(3Xt20rz?MQWqZxzsT^3YceG#J7SXpZOC(3U0(t z2R4io_*x#{K!nYdc7X?NX#*n{W!%GXB3Fm|FAbjXVW&Q$44mg@^e2MDnj=@O3PM+H zj2P|*IVCNX53WouP&XTECGs$v1W&HIKOcc zXr(uUfZ8slWFw z@ijw2$U@l4NgJpDk>Nw<@_a=uO&fh59#cvS&Fyyw!X96nh^FoFnp#=zC zPUH;2sY&`vkqqI{a1I$F5f$k2qgUdU4-tb8@B9!R6R6|k-=E8P4=q~8Uw2$LF1g)u z+_WBo^FeS0Egmw*enfZ186;*y$iqOpCo?E_Q$CPYLGpk@-vQ98=D3GZ9|W8ddD3-p zh4|))}!+K z9wj6(p2bI(nvH?QCfmcCU>`zjlOwwvMAEjfdC`i|zD`Br1*^wC*<44-|f}afLn{ 
zG9*oKkC1?l-@O1i7cY^XesCsGcVZVDITzm*rrtjUwI2q7eli?r^XHP|Cd~Go+IoaGv8Ak068VATL(qsuotAlg$Q5|85#@jO^A0Q?WPb@~)_7i=y;XNQYyNlcC z+2s4XcaS#Jc4?k%mY3`b`nH{HBFzSQx{gCV&E;f&`znCHN+5SLE{PK+vvxYdYH-0R z>H4rF8r&iH`aa1UFAV7CG@|vJeHS&0%T4D>fT%^Oe;SrNbLx^js0PQjC(wbJLa?|H zgYC!NuuWfd&7V<6*IoNlx@)-hdDpY+T(I}KY1S?Y%-rQ`oXLK-kYfZ5F0X~?c3ng! z6m&Q};{2juw4t&2tDOp4#_Vi%+s`l^2MDSBk})AqXuhoSGO9jn94mS~NhZ|3KHW;K z06F#Zm9aGIm|QbDfj|`-j=iQ7A&xV{bL(PPLGxw?bCkIu>$55X0+C*eWz#w5g}A2i zovV7vHEibkrl7@2FnN*JT`sP848dMYD++t5K}L?T>oK@rZ^L3FA>*@>= zQ~l!>dx5mb8rW=4VvNl~sl#;+ur>+q$@^q3G|4J_Cpx5Ep>@>O$A~ok=zy)TODT^+XHdVj3-bIQR z4@l2!E=Rv*W&8oo$n7L;@eb(itXi z4q@#*o<+^zwQa*#T;V=3&e*SmTe%#4lESLXh5uS|!oA_hV?OP@^#${`Gd#HR7o_Bu zBBgCrOTxjrh0K-+I;L$J{rIy&GzUa|O0;L4|1-_X*W~~+trQJr^n*??OM{<;jXB4A_J98rtZ zG7b-Tm#OUm=!M`LL|>8Ua)enW*^7@e zbRc?ozsoVn7^qgD9>7_-z2Q;Sq!G9jY4!~c>sG3hA6;_?tY99Z{lWC5s5l73KFnd! zOk7NUm5STx({yf@mKdA9xij*XXy@}tLLPqa6=R5=6=py00;h%Cc=!6-V?c4_QuOUW z!X0U>QdNxaoUO>0kQAsI@$$5Nlc!RR6I;f07f-dJ_q_0ZIOL?1wWeg)(sh?RqGatB zkmQ1^IZAtQ^YX{gZ&IvHRZ!3Hj>}JVoH@Q+sRorHq0)_aF)WAzcdNqQn%{}0y*ekE zam*1{~7zH63yDC3|BU4GG<^{dmHBY$kyUO85w5#MWA-Qy-Ph(c}}WpWJJJk)OSY zQo^xf3n@#EV{3PG=BI{j4*%&PWf`Nmh=5UL)$}4nQAAYX!=a0v_GI99iSE`#`S=*# z+L=9wu3kxj1CbU1f}Xa$Ll@nwF?AVGbVtruVqmt_%(dGLp~JqbbFg(x`r&$%E;-S? 
zK)?`0Z*a~uYW(QI3z;|t8U<&Qj_z6+sx$aZU4gb8qv{fNTGWk}bry_mM%|Ah+h+B& z!?Ubd%AJMQ3h0(pTRCzVGoc5UQA>exlqMH>o#v>^gL|B|!hzhEP392aU^R(i1Yja$ z&UA$kXJqgPR&BJX&1iXI==W93;Frjc3eM8Bq7kZfeLcD#0tF1eSffPToYE(U-K;k9 zkfe4wdPLX<PV!LQCof0zw1sn@l>GCu6Ofj{CaWt#ocw<9K zMH01&hmbTXVJ{rG&9lSob=jJUx&6nH2&gaj>iH^=O6gI^~JZ1tEX zTDxoUpg&sT=B^BdVxi1&aHS^({)O{ z74kpMvAIT(Wn47_mkp;~XO*7!kMPTy&p`D=bX}L8b(&0Mv}0mozfyZMe2Q}P^9ZMy z6eu`CI&u&xz9_O7J!TCqUhC;XAZiGb8CClOtycSz-;y;6EaAMMZxA4&YKJ2_gtx&t ztD`XLUT_s|VxwJg_V`yo_!Z?K!^Cs|{E7ug&dwt~BQ76nd&vpu@-NK6g`*)PL|4#* z{M)b?3n=jnwrqueEl_|q9%$#UPT+t* z7;_N4{tZm)8aRhf9+t`_r9dh7M^Ep~Kkn-@bD;0wmgV1`a&HE_#H)shzhK7HCU7I0mXd!+QC(s`#q< zs{I5JD$o_ARw@%%Ap^BX6r0^)N<|@dKkL^+SQ|P#;kF1nk6&lo25CwTfxKZUN+p|; z?NUI%Xfs1XNfXyt=LamYImv`KCoH-qe})Pb2l8v4`Ppqke><9@auP;VbOp-MDHDdN;@DEaE+ewja^|a0o%AExOziA zo*>M#K(D**Hd%(Kq73*feHqZD#C5)yx7dM)8!o86O=bl6m&9gbd~4ZV727z7>S|v6 zwWp|Ib$zi}>G-^Z+Pg701E57W%RCGI3QyJ4!J#l>!c72`?w{Se(`LD*m*`O&H%#vF zkMyvUydPOBE3^VD*L*C$2{P3889=(vh6|A7QMdI7Q@>DHFz#88tZF>cq&VxFT+(2u zcjh)QjKS}>_p-PSU_SyyZ9{4>!McwqZwwbEr!&#?bC^5l5*66(LC0NjNR3?#MKTVZ z?$%>C9;KWd^4%=Ua&HN}oqpP^FH;})hjpJ0s3aO)+yeG6diNb7^pxA6l!UvN2>rT! 
zpMv0W{rPQM zCL*aOt9$YGwo^lVQz1q3Xlb$p`?3MwXv(G zP`i#-g~)#K!mD569sH`}F~A<+5`sdfRE1@tK_qd+75=)Z`G&B&a`O0fZwvm{R#41m zWT{C&gu{~GRXyF=2!_#MDLo9~neHRq6cW2}=0Q@OfuPqKVx-ZN19^;lkr*_6ohde2 z@`MDYo6p(u8W6UArkQWLoz`Qpcto>Q{47{U|k%Qe#lH{H}UJ zG0Zp*qf-0a4@*%~ki3mu!b7jWrxVW>Y`TPoE7fot1w>0EI8To|Xe?JhLYjp^N_Rc9U-GRu8a{Jq z@VkZWc@YtYLjWBM1x^v%PxKpaXO=T2Q)*t#*a{v|D+&b^J_d5NnXvwGBz|kIV!{is~RCG0QC{ye@(EXNZ@8DAf%>5ZM>Hf*P{R2HP_G zFpo*P1m+>u9;LU{*FiM=u@%q(%j`uhgb|FFJ5tA(6^Giy){YyrT1G zq4g_{(pc-38=UdSJ#*~85)Yk6-iO*EE3o2VMzig^4vAgmKN~Dz-D|L`?%g-!KU}DAG<5P z?GGbMQ1^!-2a5ctm-G1q>vKq?f9$dGK>Sror9)@5vZd8+g&u_%Q7TL$4EiW~wGfR&ykmEJK4;Dz(nIYoZ ze73siDiLrSVZOXd-<$C$%$bPyY3(KaQ-iyw`H6J&dodBtW!l+jQM4Elyf zR;=UU{4tf$dahHbXl0cQYM*@4Bj0uP@ONG9bY08spW{-ZBQG66v$UJ1T~qQI9N)FB zGXzzWa`2$hFJnJbm9)RSQIaydYgJdUDm%yJJ?f`a371+s_r&C^E;uC)-FqqdBh5GR zXL-+)D$4pHV+|0YD{O+Wt)d)3MO8Ku@KPS~W9d$*eUa*B1iQa?Vz4#%2$rDL0t=(B zBv?iX8z5K`p`lRRjs!*@Z9dTXOgNQEv)$Q#lW!zIGNEjUI3BW+MN`OH`8+A%N!C3Y zck}5Q*)ia--cCVe3-Lp2|MB!OEX+#7Fu8XnzsTIRs>%Tj%+jG-CGQ_z>Cd3A|6Pti z&-&k_27e8{WdC*Z`VQs!$AXLDUu6QVype;Alf8kF10Fs5-w^?uZ~rc9$M1oE#0v6w zv{FWfW_tWKu8{iB$W|Hk>&=YG$L_pcL~;y3y~!;rL!ifnic^#7jn{h6K) zkAd+&2TXW>*ZO_w|FH^&|F_x-W=2M~|Dmmz)OwHEXhQg-c<|Q@eekb&;=%e_fsN?-Z zMb7)BvGUQU+uK*eiCE))Rr8^-ltj(@rS;7mOKXRRYito2 zt~b?}JPsV|A@xq;FsZ9u5UPw%h|2QC-l~+|pNr31;l=_kp8o5OZZ~fQZyg>_CGXo@ zjqJ6FCe)-8(5;F6h>W}45~7y2^7A}OT%JU!f)G$|CMPZDx+X2$vh$h4VlIB4yjPjW z?iquY;H#!K0WCMh&j5{Un+LcP^p7Ku2ORImxM!pLkYS4-XfGzGuC_9UZir z!(Q?UEP33w;23W}Wlpf1V7_p?$mHh;y#U zdTG^0!^gkK^VGPmI)e_1aEMfOb*tV6+TkcsHs~Y9D7`*UrFO4?*DSl9JUTsZg{CI@ zEx4bG0gQtzHn^y0514G_`N4)^IZH*RC@xLVIVk-Ub(e&Bv_(vH2x>l-0EA@9yOmq- zloLBm$Mnp{zW&sEs{9Gj*vYGI>%tP$kn*~9SOoxETk@v)y7aLYd6Cpv#{E+IgT{Oz zRM$t@ztr~?#SO1}nk1)!G88?Ah?IKMR;_3By3-0p=Vh?y>%Aooac0w_!RaTH?dwex z&F+Tht|rLVc+yZ=CfqwG(wS3U9MUx3vX71NiZd}%`W9kvy%`$mEtjHZy;xH-S7hV~EXQ%e2sy6o>sqwQiq)XY+E?T1jr{Ewp7b)-j z%%Dfu8eGZXJQ}O($qc$jE!pi|rQ?k<;QcxT}oz3qa3w6o%b^$DR$&%UbA< z$--^p&X+{38Ks@hG%-uk&-1M!1Es!lgFeA)n#_6eO-6B3F5AU{0QF@5h}j3CK**hPgT3 
zFhm_bXw=Kj&pazD=Tz-2b7I-a)jgUm@?-b=DR_lYI+%n%sFq%1mJcDQCPFB*p#H2o zf|N7{7Neohr^qnOC25pn=6uO^IKRker7r}eeB&$)o^aX?zVfk{c$QsE=H(z!FUr!{ti+PuS=>|LD^+i_(b-8LlM_cr7Azp*-aQtyCEW3Q zUvr?zx^f{IOFgHdHpEPEi(l<_ewASM*7oSp4QWTklPQ|oBTQscZ{6ASi%?qPh<+88 z-te!7TDbBy?1Lx!k3BhRSuBcK;OrGZeW;LFWktHzhTPwxqB>@$6m{3@L?6MJ`sfXR7t4Ut?C<7TY@xZY=@{)(GunFn*|n!a@j10i z5x9&V#;p8HEw{nRdd-sLvikPCOqIY*K-BHz{NtI#K%_GOS3(kCE#b-6G2MLH@+vHr z!~oMyEtKf$kr977sXL$pvrL9F zl7U;IlUcjD)!nsL{gSaJOLQ+d+>}RG1su>JIVq_H^o|RNQyTn||Cw1!HbR@z^*3z- zY3%&m?&aUvZM*|23$rhJ#e-1{@_lICMkjk5v_F$_tr!JCpJS1^q^}R{ zYF>dJqE=JwV>zG@zwuZ2WY{*;HHX>5(YqB1bWj*1qOYu1OIy=4U1}{?cA@{Qs71CT zf#ou$=ykC_LQqw`gl$H;@TnGHA!3Pw8m=TTzL%ZOQPOHTd335UfBrry+_v5kxC+n* zjP>0HpZMt2c)AX1F`kau_!+>lmoO<-T8JVOij?7Yx4vtJu!^=Co^G7WjpD*?FhYa=BqZ%2~05`EoOjansoNO8G_tL%g`Kliswi~y|F!&C%1 z94>`8^0jgF=R7AZdj66{%&J>!C|Uizy}BX~Jvf(2br@AP^R`kkR*%)xV=iYLe=Fl!VDk`JM}RR;J0p zhi2W{Xg9i!ERF+>)rDOjDw3($620iC{se@?ES)i|MYb(40iqlhxiAVW2S!41$|RS> zKuM?~Ow_fS*VIX)B-2|D`5fMV8Zn^I_q@~uHvSX=W83o25Sy^ino=%x&A<>c7Y$c2N3_K5od&!C_f3=w1! 
zVgPhNO*cDk7*(RpSAr;X=nIsi|2a}ZLOv-B_vP+O3iGGlO*D9>)VOJF)6rn>SlegHFijKv6l&yL0uZzI7$fTV{(5Yti zF^7QK02^al9(%!*<1bg|Y**BnzEEckYN8}fDlq(LylNx}gLtd6vK%VU}Of`+tgFIo{ z1m=JZ*cBh6>yZ>3C@MVAOiRB480==~;Sm}xJbQ|`LSFm6gFJZ2)O zWorpMj=ca_=4mY^qUVrY*Ot*Nesb9K4I5F7u=IWEwDb>4N*{Thp9IrM*rX69-&VWS zZLEH?qBlgTHkJE|%nSg@B6BB3!DkTIrP`v&(TcQ$6wxvZnFPEsrM_+TZp4BF=7EXiM@S$3ZXo9~e3w=Qmu0M2nBnWQ+4c=&$ekJJ z?j$qW!E;jh~+^^*S zK`=AZ zdCUw%HawgYYN@?qwzD6aKW2$9!)B15yA8cD>qxz@Wk@|=TMB9Ia(S@OjM_|kzUeykQHKtDjn?AmMWHPfdAt+ZQ zG#RU{bK(BB>O=MW`6wxRs~E^I(l=To|<{xADSEN{+F7m>BSune_yFt{x(q=~R+y5Dq*~@baqG;uX^E3-gp&pDf~9fK=$X zs|N*e$p@>k%rQ)HMkq$8iXYQAEmrY|%LLM6*1a>=`Mdd&!FlmbQ|+8JyNIWJ3AbOg zo8=}YYFTN@u59Tje(7Rx8+J>}*eVQnPfu<-os^pE51_espvY{Hi33F3%Q+6RHUD0d zsOCmTKkW|VdyxBjNp+GPv&D;&Ne$uj#WYp(+k5EYQJ8Qkx33L_&I;xw3_8wA7jqZ{ zEGi=RM`qrL?$+L1{?@6a?i>S9%=yc4o57p8(RO9&Apz4IjfGxoE@eWJBn61B8k+z8 z#^mF8yovt%S_Gda_k@ykP??C_ug$dlKv5*8GzB6&#GkwhwCILJZ^=bwBeLTacei;bFclZ%yM`e5@my(iRg6gq2 zhhF2y6gf#!n#3(qnv0~zp4wY8J@I%M*V)yAwPnn!nr|N6Za$-%g$C< zn|BB;c^M2~oOE#!9gQ8o!x@dphz&u#bJ)m}EKe{P1;$^4-O{Xr*a#U7!~)YeQTVZ- zxH33LW5tI-Gj4geGa}vO#re0+;xCbqgytCEJy~(g zRX7tCq}nnqcyg^L8Vf@54hzCkB0el1nHHALS^Q=aX55pb7@sY_wP-KezKm{M2#4(D z>=Zus)eY(h*awJvjTizr2-7C`BHL!6I7G*jsnb-&bt7$8dO_B?s@VHkMQd$6Hsxw6 zs@0*Wh766~cEnI&)*yY#)1s*)2HTMs!YkKp2&F&|PpOiq=$$%gh|p+ZPWEwU3-X{Q zi9lD};$(;9@107k)Dyf8si=E?SN_OUn}@p7LU<=CKezoEY8nVr3SJp8KKgFg6L+>? 
ziRD~A1wa*+VcH>om1ve`i;wv_&^k3|k8Vq}l+7FHy1gwMvP&vMC%D+axqLatp&hk1 z`xoj5;sz;b`iCslyfF!6wvuYlh9*282wR17u0Mzbx2R_8xyUM{ZF?RZFdn$|=VCZe ztB>9n6l^CyvV&1(VzF1&HTH*R*>sLw;!T3o;V`vHd?r9|sV=N=XxC4 zSOd$<#K!e_e53ov#l-T%HYEre*d>%XvXc8Nr9s&|6R<*L_pw5-bFH+p!Ok64@Z%${ z=H^9>r$O7d^B{&UQaCYs;dAPAUW6RCRpvYukAWUL*RZoyi=?CDmPAekYmX9-a=2im zw)O#w7%qo41u=yj9$vEyk#A9u6k6a69KF?=Y<NzUJgATU$a#mU z%kEYm!Df;N$NLR6$0iznMaui1O>B9`7aX7N^irzu;A7@=NPBki_dff&N+9_O3nxO| z%+z~M^foJLmtzHcSkeuwYj1hwA^w01M{{!(_oUFV##C+0=eksXB}H`SBQB=>-#>L- zSkeMTN$%;JPUOq_d2c-NQSau2uNhZ(8RTdY5k8GRxHylmXSp%@Il2i%nY0!q%_pCO zog>^Du4%)2Ce?;`iOkMVfu^0{1=7!FADQt6z0E6W&RfhlKC$R z^IsI^zbMRqQJDXtu>3_~`HRBx7lq|73d`TMu>6Yx$?_M4f z(v%TN0KkA&_06a^JWmzW@b#+)rz@=CG$?U{gU|46aJYS++XYUhmGpX)TdmtW_u$E| z;pll6C1oub!owP@u4uAn9=AcMT+Tm1I^5htWNDq6Fwv4Xep{?lH6HmO z_H6=g>T_pQ#oI9sI-7>_y)nbR>=Ex#;cH^@&R&cs_LBM4+k%N!NkMdNrdnpPGKYHf zNg=MK$!xuga9yLX)eeTobv-`1amo={GGsJ!p%(RwmtI6Ql70etC^vdxjYqRhEgeoZ zm~&c}+nPHDr%6W>-A~!lVCbnu8<7hRZWlb{I7?xb8Jb0O3bRF`nL{Owv}KfvWqza|lz0h|zEfhIs%mjL zU2s1GJ!nUfM4;=a*`;hnT9t5FTKqs7vp)@~r^CtDx5Po}CHvb-N$0pPSS z2MOBGhB)~rbz49td>DCmhX#WPDCAvzI+t!1kw|P|imW#rDZE}b`jOz~ELQ1bb{i~U zYhESdSF%tbuJk;UDW%^HX5+2b6y>qS8cRhMxdAgIF;a=5+GwQsy?82}k=29-yWvt4 zD#jm^br>}lLiJu38VOxJ5`4ahx?_FjAUB$&NX2A?7)Q>c9eaG?uQETd zbD)CmZ(7(tBRsiOS1R`Y7jthJ7FV;h3kMk7-GaNjyF0<%-CY6%cb6c+2X}XO4+M9D z2iIVM0N>=v&fd>HXTS36yUwqfFN+XSvNh4|)yz|LJj&GD z_G_dK>ymDPEK$7cwDl$k+m4~|EdiF)&Y_IRfI+h%vDu(v&hGJS#_%w?sz?3(bwLAM z0w!gNWWV7K!FH$V9}DyvO(uFbQwlkn>fgOm3QSRJuH{d(49qb$C<4$wscR|5#SDkK zC51${W2XsWgoh=BWp0aIc1IQkCY?e%SHA%ai6d*UA(h!@i-l)8 zW&Qrqv$7z3MsM~DrpDOb%xATMK;3VNV&qQfh^U5%v*hnFmkY;d&5yf3w>Thi<;&xq3;i3%o#r!JL+X zRPIehI1vfm1}>RUUs&Lp@3i$d71z^@=<)f&AEgNOaiT>InMTf@Z)A?S_CE+-Dm&=& z!0{6Ut<|2W&53dIY~n0)eW`K%b!Xu^R)9B@*S^oDH*F>(U4AdPG1b1IO=grwW z_(u=H>!8}*8&O|`{49gg`1fb#UI&=>p);CYx2>6P@i|^lzwlu9c&*y3SQc%b;IAHM z3Z4wT%Zd$RjwmhjyY?@$#{5vuyHINoH6PG#;nehE~jTLn)z`3sf-U9>37U2)T%J3Bd*ozMCqa$Z(ilz`mdA6&JBMA)8TOD z&)M~|Wn1&Vr(S+0+kLse0(HuLB%2%4ec* 
zE27T>&pH%Y``Y7AH8mWX?V#Uk_=&`_*<|_4R7Dp$w=wiDosU;F1gE62e{*=Unea2+ z@VWCnVEDqJs;dmET4Ir^sk`Vq9<+;j&}6(JpgJB7#WlpkmL#>5+2`I`sRiqA{L1~pT)RGY^zX;TOP2A zz~My6!Ntfb89VO=+0v^frVk9T%0zn0rNR8DH*>Glv1}5tSNyKYm6Y0bS)?o5@HPsD zcex}%@ij-fku7KJ)ml=UTJTG!`T7 z(SSUmk7r|5)>&+dCx`6d&9X18%Y#*bn3tM8gK6oo)d<4@yIMY&f~)l`hm#D>=q@v9 zQjKqdF!NUViLww5yg;DZ*N3|``yOlwzKb3YMC0UhZpn24dwlFUF@hnVMZ-fnfSj>Ijk5SA?bY| z*V2I3Z)$#T1jPY#|6t)Cm+KyUVBG5eGuSt4V>$XX#1lVr*l-yc;Njg;)Mq!N%-Bptrh%cz~JqD z>|D=8GgVnZY$--^UZ%S!z5W-K9~`Cjh~@UR74NpU23G`dpHf{AXSp9SXA^Rm5`ZN5 zVRM=x#Tfg|lyx=SN=OA+)79tur2l5&MCb zUZbRqAvK|>++y36Jh7Tcd6Pg9HA-oCyD-&$TxNRQvR5!2)@cHS$f1ci{yL=jf#{Fjfxug?)i}zrWCsK z{xrI!W)z>o2a<)c@#l9eBwB8|o$S;3Rey{Z`-q z3&Y0p+fMw;u>GFvkK+G-#IpTG#ukF{9)j~wOq`g zNWGI4%nHhx+IO0a?j-*rp%HrSZm$f5ckvuV7yjsQY%9%*dp=u6 zCELQKaLYh%q1A)5zml)jA3a@dg;dC&f`U8%wci!N(_^2i;yP)6jT+ z#kpa`KQvfkRYg~tF&et9tsWX-72#-fb4 zaZfPw4hIUQ8J1#I`_m0>G_Jt2Rw0(^l}P&Gj@~0@#cR?%K^_?mG)YU3GfIHd!9>Zy z#>h|4w2f^;Ih1n_U+z&_?CBnn4o+mu)7W;+W3_n^_7v})-q991OnPi!z`7;9Ba6A5 z!?>bN4tgtzPtW(UZj_}U#I^diS0W!5o3#jWi960~X7V~8xneVvZkR@j*6^`gN0@S7 z{vsrmlkVU|PXj4npu|Q_AY&_mFyE0U-6rmi-7_as)}4AT$^Hm}D5UQF`Xt=geV;Tn zbE$fb#rIOJPmvP)?l?Wx<<8&eGj^MaM1Rmm>)i~j89h-8S2}s$40w~|B8(tF@?~No zq{@jrIY@nGO@gzpqB~O;>yGu}NJFA|T)0Fgk&=>7w6^h4czu@Wndvcyb||Wi(=ivn zD2J{e1v8yxduH?JB*-Z_+rDyqY+YWim;}4P&+KEmg9uf;$ZWr09;3BYLYFequG z^klrU`NSsckLk@xWrLqmN7Z(WI>yv!tSD9CgB&AK$oI0u4e~n0dAVt+ z9F=w;SVC0Pan_TM^Bh8p5<`PjDGXNL*sv*Qc#YnmF~rI7c$N|1@$!8y8h-*NTSM|m z(aXW-k3x%G(!Jx?7<1jup+4ZbWaRNxSB5Jh&%#ha6t;a7=zt<19rb<|9nhcgC!WbX zn%$!h-b;r1;d<9rPB@I`!NL>m8g~@qBoHUg*1GIT{QO-N>vpM93hU)O^>$k!MYqaO}UT+5HoqW%);K@89+D-<_QQSM>283#ALv!@qs1f9c=9 zYJ>kb`j?IE{|HG|>8>QL4P*L_XugRX*dC>X>M~+0P?oGOAjhOiv>h)OzYdnGn{bwq zp{IDwottPw%E`iRj^Y;Q`Hu~J6v+9 z)O&tE({q3BsU8vHDlfyh6xw#YxnbzJN8s>?Eq z9Vec+idYOd9+(wWo7*Gvk!9Q>?8X`PAfIv{dlGQ$BW$~b?c3b1^G(E#;mGf!1kRu;iY zow|2mR(ptEjqN^as&few$-(6+=PtPC^fnE-xN%wn5EEx8H;b9S53nm4tox}ck z}rM@Xt2fn6s-1 zC${h}8jlOfe65GUm-h*Dp5>>>G*2_h7yi_SsjuT~PMh=gns?)irkb5}x(@+OS3W;L 
zZ|y{S$O(I@5lRtaq`WiX*wQy?c)-366fO3Y*)ac9nxa~$61$bGcisr~6@mjll7!FO zq=dj(7U7J-B&T63%#yYZ-*%28mQiBzltz4ppniC3SZU#7oawkAp1ui|jHnD|)7Wd-c2h^uN^E&e7bXRY!aco z+DtfkrixO1jjY@ex+R3`5l#<2t_u}PYbpbgVRbUHCGk+yW#@6}7 z&EAdrl!bnsqAc7IBsMjJK08ysO7|m<6)(^va=oG-m%mo_JBr;Ce)H!^FUs*wk){Z> zcI{q#w{h(|u9Q;yFH@W*Nn-& zsqJG&A-1}q3;lV*5~}bNXLy!ZIDx7izNaYtr^E{hF8X!9Xn$LOb?0h~{vj)J;TKNa zV5SOPeOIoqWX>=qja9~J>{h2`h97JS7|DrQWOs#U)D{;^lu%SgbP+{4Hpb z4B;u4^N`-~*iKmdgP-qCgo2B{lO1p$wo82)g8>iORO{zobxdR`=b++JGD0O z7@XBDgs4y$0#|ExYF)lBaEKk#@>|YKa*D;i4-tsw>B1!8Eh*0Q*2?$z1kMplG0u+J zFH#C8As1GR`M#E{M#*Z+Y||?87+0j1g!P`5ju;-Zq3X(`6#pX~0_m~t6jP^bGqX?K z!pBOYd@l*dX&*Vl8crz~Bc#-UgGDL(_-lY|eOq4NJ?2|-+FaVy)p#_S+Ubg$R1q;m zyrF=#opdn7?{ejACO_4jv(#1N>3*Xkg=3|uxnp1jC_PTZCm6fqH$SULZ zX1QLd88}MI%cM+x82(U4@~zW3(Mm99)U-$VYTwkmAhEKxB}m3Nlqq8}YrZhc$ctFx zn=Yn1RV~qe;$?=Y_|2XgG%Wu7d&uSj)icf*JfAz*r}!TcqKdT&p|FmpTYP&d;NLsG z7P|4soJ!qO)?Y8Kb)_wMFTdPK!;=a`u)D}SU$Na_2iOu{FPKBypVQ0SiW#0i{s)t8Z9N39vmAEtbvja)xsjLPcd9|n_;W!sv9_beSaJKzrH?+`psDXRk$WJK*8 z>=wBDbi*oO63 zlZL`7%KL((d-`J!JMf+LA-Yrs{0%X}8?64p7bwvNrzq__6#E8nZTC(=?WmQn1hb?O z!inKp1MBraf0~FfhCoO*$YkZb@$aHh=elWP_0WE_to+&l$%ZS-2P@a)ziv`qTcWLx zUGdCHBh3XhA|fJG*2>gh1>a&8&n6v=lS$tA>4oxGn<)JQ)GQ~HfCCpRLRGsLYl)mUpmoki9SdRwq|z1PSu(ShZT)@-7qUK+OqKKk=; zp`gOGP;H*0?c375n>R6X^YgqMlZP_;kM~w;G>xTHVNl1) z37?VZjU72Ov%qa|?`Y8!>EiLbWoAD=H3HxZ8dtG@8h)z$K;KCFMV0hiL?729VfM!C z6AoN1b1;T$pNMHUu9hDFiQZH6amnZ957-cJcf+pJfgQ6IF zcY9?V(Teay6GU$8QTJBytC>+qpZkV&PgKjU#buR&zTN7fK>g)Hxsn$bn|B2Q-KLzq zcX^weBND8yk$f>96FNDykbJ`t%9UqLA93h+Z)}kS8xVMRY^GSerO7R!H8W@i#i+EOfqxBA+t7v`0<^w>d z^#aS<_$aphXbWy}CP=__Qo2&eAnCY~!h?dx81EheN_CxSoxnU^Zfs=sefQ-~UlI#} zzdfNVQ&I!#CTtU=$tK#>UY}(PG?G<09}UqSrlQ(&?EEYN`e$6xQ=HV3w{#2O^6hwC z#zIBh{0^WxFI|i#z9QuszZi79jTmlcw@BB(JvbPPbk&MtiH$C46tHt9hwog%MjF*M z`WOH$JUs;71fs@Q3|KlwAG3GwnJjtBB1rM$A=zA+Ls6+KzCmsW5@es0U1x0y-B^Et zHhJ4FFqmL(vvZ)q{Q;fgr^_9U++m~dSs5`G-fezz0oi1e;uq)2l-wBDw}i!l#Mv#l^Qf9_Z=x-B4{9kxWj z-HuISxUOSE%FfzZ!kN$m**)#-{ihNtH{atjc!LYfN5;A 
z&vMPez(C%rt>XIJlbRteWBpdv6OyokTwOZ81N_2Ub~nC&8A@~O_Gazf3pPR>as~9- zZi`3h7~*jbn2;0oPvo~Rj{{F!LO&0BUY}mM59p}_6?>{|0#L)4f#U; z$9|79%=ONz@BKpJe+d4u{tD&&@t*!y!9UjD0kMB2wOIaiXZ{xrqW^R@|EfCrdod8p zUvvGr`+sycnPlui-KwB-T>knL`^Truf7eM0_n$jSK`p5Nb0_JqbQe1@3+wM7->+|+ za4f99lUBc`)p}=QV{ZDpM^(n24K(t%JNj=0MJ)d;uLAk2|0tCDo4@+^OxN!f|1&F- zs=JAsmlNm!o4>dvX414abF%_<>G711g97qi& z6GKkUw=y<0H5L7I=62{d{GpoV0LS$+kI<@3bltbN1^0s8EF)=c-3y+%jz0LWWZ>cf zFeqT8!hnc3sKo#NWrNu1a5`_vzz6YSRygw&HP8Vyp+fm<#|q|+?0*>k&xwTf0OH7} z8tH|eq)KrCKV#55EvI#H!RtxQ;;&CqElo*@H48e^^gH;uzyZ=qEG>k-3nBpk4)C2a zJ_$6nY=!|r7F1%9g^ez(|DIQebqp;jS2O_8LftW{#ytJB=;CWFh0Fd(582}HX8A{KE zmjK|yrow%LN-grHr*Ml3v&$;j9v+WTO!!J_cdJ^{l1Pu=_e`@GJG=Jm#`C)bfLF@s zp#RIZO;+2}4ume(7TS=1XA#ZXmtejUy13!>&)?FP^e*?3;`#l)8*X@RuRV~0XOmqn z$G^PQ+^x~f;ca+c@$x1WL5vF;rz!+pF<-6e=>PEOiuF2&yY%7cQ$ze-G>ltZueGKh zs^+e{P=_1Y1#sN+TKJ1j&?+y7>&Dr;oYt*7e}31a4ncPwLvf%hAdc^hsuhn(=jSCn zeu-1n@jmbL*{F3_T)>CK&1P%tdM!CO(Hv6nNaD-bo>sr-<4Mp;P|GJuK_nR+?2tnc zgHyn4rD6Om%*VFZ>`C+X>`)CuVhh5?7?U1!2`5Q(lQ`8L4QT=l_!{;HqfPjVP{zwC27Wt02++dQ zK^V(6QgKvOoER10=l8=u-TQ|i+I+2-j3pJI$^5uw)P!LM)+-8zJgE1e=c%v6@Fyg! zY|CXWzNk`Wvpm_q=Dv9C&tG`w2znBq(rR0wkqHO+Z0OZ!Lr#SONupaf$QuEh+95!w zP8roqyf?WcA3VHA%t!u4I7H^sq+$EdP&y7pYmS_OpEs*7U8)t>M2Qi2W6Tl46yOP! 
zp7vf@fCXCILMwR~oBPw7G5A*!RE{KLlt5Vkv9{y#&$qC&polgHB}wVghR^HE2^Yn` z7RDXFISHsk5gZaT7H?JIpp%x2G-ebbtN^HfU6eJZ>ZEF{3Bw=fUk&%)7L5&+4NV}3 z5LSVa_dOVZwk+`yV$<{U&P2ob7fVJ9{hnK%SfI6nm30YGGR;#VF@q*ezyKfdzaV?a z4h3*P1^sQJ4~HSPmwfQBHtzuxCLDzNp4ZAkl{Cop_^8r|f!Iq9BzzL4R3x!o@n4hw z5a#i^hmZ%~DYeGohJgr1QmSCf^iDS1j9DB=3I65lGbEZCdwax%G|X|e;ZJTFf}}o_ zzzi6@_8WRMwGUq-zA3{T4|n9s{JEmUusI8W8OxZ@gJ#g~IkP&CAw4VxI3{!2m#Jw` zZH#5pk?O~J@3wK*@Kslp(2R>T0T2Aizd_^NQnCY7D(_4}&EM`YMA4)9=TAN^A@LwQ zaw%Am?HTu6p8La$YvK;nzCHa{w-vz#j0y^u`_>rTN(V+D2QdR-mzpiiKGTNtK8K^_Tn+^#Y@L z`WS{2GKh%*x3kCoateWF{Ng}C@OK+`&S+}rgwh_BDDz1vnk9d(y7=nE3QMb1C3Q>%rl*#aC%l|PN z2paA0y5s)uKgVPNyKk!;5hd%fjw0XbWU1kqzXDLTT)q|nDfMO{I{c+=ctu~JIcww; z{6KsfsQ~V(wRx{I(+gXRQjE+*K>L87<458ZN}vqt^3Tuel?a8T~CX6shK1*P^ZG=^ojm5`=!^lVV&OR;1W&wp2f)gtxYPw%^>Clsj zaM4gd!32I6^rb6}^md=FvFOM7FuPMYOZ`L@(fc|3Adw|#R^r31sM5cFeZ(}R5E(j1 z01}1*9}0(Lij?o(p#)Z(KN7;ixv}6#z__9Y?R>PmUgp}BLjpL9+=ks^3086jwGn$$r0+= zP(hAPaxIkpRubWlZoTKf8JI}_eI7v`i=ATuB+_6)pv@FaUOKNP1yWBxQHVu& z01Nj*>K`E$6x>0Zp%*zY5k2|YrQ|Hbuvq1U^50m4xgmvlvJQSL0ZZKS6n@I=B{)0#` zv}7?QZ!QWh@-CmWeH{8|%gA^U`a2w@x0^R5RhoNPXui~PBU*(Io+wP`NZQC`41t?1?-OWr$L zMg#sGroXH#4z%$fe$D*c9EzU_V}{lrN^kW~et=LiO8*=aL`zzl^K#AvpYi80fmTJT zz(X+X0S;@bnBM%)WieS9{ivZjSbrnDchTeA__D4?UBv94qzQv;gvgIS4+W4Sr{w*v z$T0hHHUaYXpLD{?MpCaGZnW@g%l=^!G(G7$D(v5gr+#c+I5`FWSvO)4#3Z1~KNnwJ zT!|J%;=y1sA6|R<&lnsY5gPb?&c|DZcd4v@Xir_hb=FWiTNW=hao`OZWW66v@4FT zibnquv%`>#ECG(w_@GPfg(Va{G*pFmpHs(-`VjZ?aFULbtc0N}n(8!;sChh!=o8wzdK1%9ZKAh$t!?){fP{$_wme=Y=8phO!-}N%7s+1QF?H{csT3FUHWPj+ z8etkZ0YSLw_I(mufcS}~W9kw|N#)`0Ja1mH!RbwN5Jm`N1F&~je*ZuVAP25Br z0}HF`{m>4~MTeul(k$CI8bsLGPkyexV7+aIj4dR2zD`RO4aoH1^Q-{U=DEC|yVdyb zhJ<5gQ&#W$kM%BW{2k8fpL?`3IidqQ{9T5B;SyHR$@OgY}r`i(Zr_RrL|OFMyY%6!4>j zys-Pj#K$7LYWbWG^T-nDQ{A~wR}_@z?!{h+;ix*QbX<;&>oErq~G z0g9{p{b69dGh9ERELowPx`;8L-X<~;#-B)FYwAFQRgHyy9`61DpHqsZ>+UZz(~jPWI>>p1%*Q7b@v@Df&dytFF0FHX zT?b(%|8MIBU0vdY(p~K&TMwb4aOEHF!#pUr--%u5D&g^0A;oId3~$n67}fp_qeamG%qgLq6y1Drz1A9^60#R{GQU{!P@avn 
zc0^2UyH|&rfh-dnG`?#sxXF!WCen2)L;bPcega>$!$4p+gUO38iYLL_U98c5+;>lc zN+jibQqGwsnkl+H`pOg?(d*=K3D>qd4Ypz9gYnUixs;Rm$J2h9XC0*ZI-=KO|J7Y0 z-fcVq^;z!cdahRk_aomES#M7MeQX1K3<)iuH&uR1qQ|hFKyEt& zdFT!TE~l(L6&>)`(^+QW=7@i8WnEw;P)egC}jdzSeWA6ZaR{vt7YqRX^6Hy6{j0 zTqga8PA|_9v7y5xg&Ervn{i-i0jHqVek?4|6w4Zf=MZ-AfAF4%2$Zzvfg?(cKRcsa z6+T`-%p0CPX;-aLOl|c}9$XgxDz4FB5G(D&sGL{jqWiUhn$SHY>@LvAA)YK<`&|lq z{?UTpc8d6vDh14F3d&CIHCpDFijs`c(JPQrPCMUtkzZY^CaebJM3q_B4mp5)J1UO! z#NCbjmF@I=1O0v>ehL^E(}%LA?-U{yB}3p}^Af+U)_L3U4hf@_OU6k$?4cs@nyUkm z`4sc0()h1HFZ98F#!{-*)P?T_BT~j6j1&>{d5re)Jw-)ji^ zrp;0H#m`sZGe+sV9WQX;7F0N7uiGzr(!TB_!vv(1{0cvqh<}w+sZ7+X5=czax8_+B z2`|XA+JiOT9mgr=$LOt zlPOoD@fW~f*utdx8r*2JkH}ulZ{3z-PDTSL)okfk8{j1MS<%&Rw4u88Y49L!q188w z4kQM{q255c7&D&KHKet=cj{v2SS>r+86Y-!ScB_^c zAfu+iwC{auD)i{;CLDXHuS+QP-fAn9OsMB)Pbs9eFq;2<+iP-z3*ZW<#|gCqdGTf4 ztC9^s)FstN{9&5_wOm`smh~;0s5L5vTq4i7IJ2tnzF?J#enX-}06;zW&|6&T>!Vql z0fR-J@`O3r#R2_GNhRN&{${HQiMPY@&-K)@&3qt0@a6lx(EiP!h*jQulF&7t(0J+; zdIIL3K}4_7b9u$^G3E0W+c3UL$@qz*A1R2mJ%#iREaFYE?ggCjz4L=Z+*VTz2T{{$ ziaRgk{3o!yrsBXIJfC+)@LL?-2s(w&PV(m1|hI;cIGMhWoKdGtc?v5S! 
zmn<>t?U341jJR{-HD_W)RHy63)-fC}EMk;rFZULnp&Bg0#LtTeS0_Yvi?d(wqf(JC z@a$(&gOpLZb)o^{gr)zDg&a+b{*6{79|nR*Y`GHGy#V7537JDIHZPIOIF# zW{VYcdPLrVY=CfAJC6e5*Pv5#N0C_?Sn$L}7RWBmqkdF1=W)S00A;>TYr0DEsxG!vPSd6&#O{+m$ncCeW$|m3eiT~1J3-J)DC0-qzF|h9`u&(%AEL@ zkF>+bZhohG-c1rvAIBHA?Hi9;Aipa%+pBoe+y);3DjpThMH<=-C&~6f!lhMr@jj5S zVq`|cumY>w^x#|gP4b*@b29^Nkn$puplF##*cKV>$5LNwb|Q1ryM{1nW^Aj6m4Gu; ztZ|RU>gxia=If(lou#j$bh%|TOb9at{Baff;!H(e@lIlN`vq}3?>TXo=2mCMycShu zdR^^tsCU+oU~QtbV}%px+ z)C&^pc(f(Awzb17?# zP)JD>oc>~ijm2iXT7tH{PIu`N@=;Lmfv5ORphuR;r{XGKw4U&bJ@=1U+Rsy#^qKjS zQ(Bf7L3In#SyOif=$x~iXDjQ?yK-b9m(f`^e1+07SS4|^NQ30hYp^u;1-zjhq)ZY& z78GgFytqxP(+CMLmibm{t-qEgOQk&ga`EY{iV(Es^Ym)`tZ#dc1hZFOD)H*@924&< zAnYN)nb^%$;DVzzf&wjNem&kAU-zN;JAuS^LdsV+~8)H6z6h%#0^<1S%G zD+%m8$tSrJ37MjX#=;NIZekl(T;U1*X^9WDs^CN&`Ln#EyCg0PCo4XVvZg@CEzPeq z^sig33q=<_=ePp!9BXwDfjVFE!G2&9WSu%#O8YKN`z^E<_zWb*ZYnpN^`dp*Nmi~_ zb~l1ybK0&>!OJ$OU%SKLVF{%3y*2m86MnZW^_~|Ct}R%dNl^A@_BvneU>WhcctT?m z&9!?K&EAO(6o;DyOrZ;wI@75$OJ�jem+Sl`L>G6^j<2gxd5LGfgmXC_MEF+x~AGufh@#^!G#yY?z0X9 za0<55Ob)mlS(_~({Dxd4f8h^3jS(jm~A%vnch6$(6{(jL{R-zp;bQ4}H04@sVV2v10!+nCtsZQlfG z*_>S$iE|Q=9&*9X6I`cAReSndQZWOp%kIV(GepsX#b`ZSJ+V=VK1%@yeCE=P`HV9l z^i1t-#hG&>3C$WWxd|AYYovj`5bfvru)W4SLOEuN?Yx0Vc!y11j@_6cskh<@Q*M{a zRU*sbX4$b|3FXPz1cIkz;HLZLn-1X_2nlvA?7sm{B87Jorrq|Gj8L;BNxEog7`1(< zYQ(M+!LP?)_^HM;gpwNR7Kq(s@ zBVeBae{sITz6eQAG{X{pMWdR!bB$ep(3HYKAvNr<{CTDpoXO2pAk>?Hw?IbU2ndp` z@hIj>_-x3qH_&w2YwM1-hy!_>%$x2@%F)U@&mmI%+%|x$h5N#)jYo~ae8LO!#!h|YMw1Y^WMJp6A zACP=%U(0Q@Y&hGG@7_X~5mYK~Q0dH?jB|-WxGj+HLCS4hE3@R!8sJ5XH*qiwR@3 zR{Ad2<;g-vtQ|{tZ6#*|Jrcsmtsx}E9o*j+7F4JT7ZzlB;{)jwS06DilhLR&kyzr{*-P7u&O-qm9} zB^DM`?gNLopg&VPlGj(x!TvT~|D7?fhZ^VDisHEJAg8FjQ$7_{e;MYO{hQv!NIfx$ z0p6y*WkCt=CIO^)2{AintF_xEF*Iwr#_ZGSK}Sv6ffGQZEXYOHxXLUA`I*xAso3TI z%kcQnRoWF-I%i9Fb@nIbYtcdrs*6a2HgvKzt$X)s=#u10{km^KNGSp=zda~8i3Se` zFC+1s*y5>HKPcdhuGdQVq0-o!NKcqR8P`mZOSogK(6t&hc3FB|%mA?8Hyku&SewPt zfLABLe^w3^^Xw8h-|n{=(x_=Jo*n^1ENbR>6EW+(s1v+*B9DG|5~DI`gq2^1Br*^= 
zh;^<+fL~yDsfZw<#Fw~+V>DfyAx5?IBj0!_!rOhPvv9kJMth>@t6rCzY!J6PO#)4o z58O)6u_AJQ4Ai_POy_i0RT9FH7GFW$^GvBLe+ATm%}ks@l>u#mC{&Zj6z9!${9Q64 zKEWx?VA%E2`;}m;3Ig1dEQZI3dXmK@>D3^~@BXb+^+2D_i`YmDg7yabqH^F@#0pJp zd#uAQjnPmh41>if(B7@6B=y&VXb5Ghd}Q#h(NP^+nsHx<3%A8UR(@J+TBs|6U~L&f z{Z=7%O3#k4CR}<~&|KB8$Ie9k1xuGMX|2$~YKfEZWX7VT0QvTKTDPX;ZvWAmnp0;% zjm|}jU=0hR?wa++CSvx^TtNhPvG>%u!c-1g7hDHDDG%r5T=wPCS{E zPQ2~Fc;{&J;x4DC+QH)PE&gmN+?ct&t1-ItHQp00bfj&;?WOpY^i5~UQO7}@t$ZjnQkU{WOtlr1w@5nw3*RH!zfpnJVSw< zGctmjDrl>Q+w!L?>sLIS9`4P89gVM)c48Vu2ZIoAXQdY666gNfW0TkXU8}gRp9YCS z8_7e<1b?FiDoTi}`_v<}eKo5}be@`NrGQn@e7+8PJ8qM4g|V(Nr&LXj_jhR9g$nyO z)Cfu0alE2pUv$biJ(FWM$G7%T%b&-gPAy%lls))7f$laU&Dqg6HWddDV7=y2BnZAM zxe%qAYiFiwzCA@UXBLvRDGE9?5LoWiOBH$Jr2fmr0@2xMvDj@RN+sDhb`#_S(-nyn z)gMKV;w{hl@5U&IME30kMyVLE^j-ExAcZIJXI9BeQIsY?zI_tEvoE z`{+QcaJzx>CeC-u=ahW3_pQGDWXZ;KKX~0m-*&C)G@s>{{=Bi_8;3AF{GvsiH~DQILOUkdT#iTW_%fKTazR8^&yF*i8Q&a%3ZK zz`ncAf>q2{U9}lJtl*>^RcOg0LuFm;)-~clCjqblYWfXm2T2&I4}?Tj5<@Wia_*aVFxC{dI2LOts<+S zBox$Vi8oLM&#$U-aL7*I2?_yH=U;$AfI=&$Ko`W?y-H9hPk#6W6iyaS9HyzFJkz3{ ztw;>B|CrAZXyt?B&0$eav&hR~zs$osePzl69%PIf4iHcbf&;6eFKu~$2$Lt_VV4M} z5am&*vyrnBRs{`?t$~!1gxxk&Ju~-3qFTdFfkc9bPZc^U!@Fs6e0Xrd&H=%DQM3@c zD6v9wZR>2=ZcS95Fjyb5_d=nbE&?F+3PaR6 z>K>FTutKYub2=8%eFE(jI{GzU99}*|2t)y^hI&^i?XC^D)n6O<5s~g;4W$N?`s%Tv*uHy&W(ssjWIod4>HMCjuyVNuS z>+U13tOfE}=$uaP?&rT8M?6~O-Ngz?cctZJq^iqcvv9%VF4Kur&KSXD0PcRncuk|u z-nrghc&6kH51r?#UT2JGV1T=j+xM;0idrqX&ngdsrfhvB>OwEsioWhiThJx(3F-5g zgDpb?v?CnVDu=%KXjI}fPllL0t9Yz+AMhZ*1dH3(o65=gDqU=~B8@h2JvC`~W4Jrf zQgxKJ^udcfU#LDm&Tl75l0WH-Dpi#RYpm+-q$7Aqmr_uumb_ZU{=v-cX#6(sFME-2 zRB{=M#uA;$=^byzk!@LZqxxGd&vF=$jDMC8A3+Kzwk;)6cq0VMY`43?p--+MZN;DZF};2-OVAtWyI3 z>^?ZI66`WcXt-I6m!^sP&i5cnvapco_r%C}!c-g)u6k}5lkUXJy@(BBB7+!x+vB&H z^|9e~7R|d%@IedE0uc|-cPNkZ5hN3WhvuZIQ7IeX!1w`5jhcq&D~gerUqQAmNclLG z;t-B@e`~?(@aJNEF}`3VZDssA;fPAPbeJhFG{3h22>M?eIq`hn(Z|4 z+DJcDgOu8A3QE9J`$#om-8pS3S$fFGaJ>eM{IKPX6de|+4h48Z-^r)XE4FldF65I; 
z=<{g3=^14Pr;m%kBaL8qkcfSo@8SPPApkZ{V#nIUh;E$<_ZM&D;e-vCQX1~)A63FRyI*t_`#R*2lQ-oS=J{k%J2^TM9(G*qa?a+#*!jdC~GD4Km(8`JV_ zdxY3st{TH#Jgq{-au76ERbNmv<1*TTuVco&xBk8*E1lZDls!lw*CX1@pVZadD*l6V z5?i5S{sK1K#$<#!%1)y^_u)1H{?fqKU=wOZ$`4lZuU{(H;Q{TFo62lY#POG-lNTRtC3gqL?%*7YRfblvcTX9*VYL#6GG4RGc ziu&j%|FKvq56=>>YH5k>Fq2_`+-W92)!Y7d^dTq`3|DipeJ#=K-^SEmZ&Yo{Ysyqg z4(l96+kJMO)Buv^^`{~`#xlkjwXzRzSMf-3w)|z{SDRz}RhR9YUQO^@INmv3=>GKh zA{=d(8FPyrzX8bbHo*;E&J5`hm>n(C9q;?r;w;_z4q@#u>rcfq%s?1&=ps~WBe(o~ zILAHj02Iij?g>!8z95j<>+L!WG({I3zfZr?AFyzi<`Ub`UQQc5=Ti_*{d&8I$N=yKMhCccq}^(g z3LmZ-mEBo^M)zaX9vwl#s>u}^Ox*OgF zHXIWh&nk3=J>I$n1WR6g;Vaf5;gXHy#}7|sNw*nXamMrBP6N_5Ot(y_CBpbv1o!98 z<7$=fKy}RC6c6nV4)}eXI~Y{d$LsP5=;l*3j%s=}p+j3fW=bklk8=+Q#QSseb!H8| z)X`|`i)xDsrL)WC7P+XJn*cB*J9=KsgOTIW1~b@LaI!lkOu$yL&9<}8umMr`q~V~q z`Ha_?XNQULPG)`QE>j)w!ZQ2s7~!~iVF4H%-HvUYcDKg|hwc0yK-cQ}Uaas`MTwde zRC~3?ItGb2n({o>u_72Pb}SQV-fIrU=ToG5qh&D7m>~P@iwmQt<{EEdfFdAr^~?hG zXH135>ksGUTB$AS$I_9Ca$sk?j&bPKoWv38*GsIOC_~NcMM(zb1cB(d6A)Q!7TRK2 z-@}siDci{3*jZT8~j3#QXa=sa_v9AFlHL$ z#5tP#iLf1F@)IBEdb?Ba^XM+DInJ<#((IURxrLaaq}1p0DBx`{Zzy>6wpq8Me3%R_H9w_RIx zEmcOLrxiN0ndY8#M;w_*lkOz8vnAf_0XA#cyCESOSSX^DUI6wrTc1_#+4!(Vi+7c6 z)nl8#(f(oHZd9hbR2z9kR(;iRJX*z}z|mIkIfBH)`F$OOpwRROl`gCvO!KFN8@;6n z^;o2c>Rrbitgt|;W5O9dQM2}Q`8Vg>br!7Mv@C=z@0hH=aQj9%V=d3Y9&$0EOE+f?I}l=BC;@8h$i?2)sFRn+@LsAf#N@bqce9SN zmYdnSx4~7xrHx!AzLKMRR~Wyw`f+p2L>b*TeWSTP-tnf@uyO=-JKuKr}-Lwmqd5H|J{FcHG>K1L$Z2 z9P{;=e0fZ&On@z!wXJno&-Z&-sv73^cMw@%3L~8YIa*w#030&965%-aSDSJ9<`SU= zPw$J7FpUKYF2pPBNk`W5wauy3W(}RE0@M#U2XA=&5PE62WN-BvXmty|Cgq8^cN+jJ z1GhxNN8?5B`MGYHeNL|qtm4ICCs*ilR@)R7(#Hf4>(hpM4Oa?ZX9nB87l<8O##V*= zKoX{5h%#f|@M|{oyG_##Lk%%9$ncJ=K}ec&IB(c2Og|A>S>QQ zAzy|>yqMboD#gs)1n%1^xH!2KWB2jGV#PzF;)izSTH;-QXkpGVU1xnf=_!zkpU_sV z_;z+$(T3|$!F~WGQc$7B>{25mhG)fXwQL)1hp~Pwb#XEEgn+w8wfasGVEpJvPMD(M zYl1DewFw~xgF&CM;5tUfx}hR8awAG#=&Y!5H?tgp`wFRd=GvIaE`m zUrD4{A0#9PGe#)3eWnRtMvXDnjRi8qw|FGUGO$bD@TTD{D6tin0Pl~cSUfW>a2m%k 
z$DFwbYVI6kCJrTlY^}DK>!_eE{b;5Y#Sg#*x%QGW&-tK4*bh4Lqb;tDMzahv#)%2IuMDFf>Jn~0jXi$AkL$CYU+_UWT3CvXX4^<5 zQW^4<2Z+9s546@%h;%gzglTa>fM{={z~N79vFP877*U|~xL z1UbuRNQ1?YD7j^6`DtLG@sjQ%H){td>hUr%&2&fsz>U?*t7b*Qf8elU&ir*v#DX-a z8uNZd8Yapq&UU5u*M&7vgmUlCE1Ow^J{-8oc+(@%;BLfmslUBzBN{T)@x1TP+Di>$ z6oa5h;h{WAD6~MmBcL#au85g20gSr_8E*si`e<4*M_~0sj%i8w7R;fghR%j&Qh;2K z&GUqWfGH#e3zTVbsR50XKbsMUyP)y5Iv$m>_CsIOU3B26BOfQ@NXQTqZN`95Bmr$h zED?~U{sV*gKQ_=Hkn1AMJjcz<+OHm?3}1Z_8u90J+AHK^rNJoIr?cKjOM|ol^hUW> zY0eyGve)WMnL+aJvzJue-1r}7{{cOmbn`q#0XeRaqSU+3D;oRH&4SkA_`=0sT;Htp zp6m<;UC9oVi#0RzEbiY2LK_+3Du;qZ1DuSC>SoygcJ^O@ClV~(K3-CFUrCTpEAbm8 z3-Ck|_ug>vp#0~PkEDrgt% z4?LEPFpral;$Qy&4Wp}=NQwUaLOI?3>XP)fjQu{ji|4zCug$ARHVn>3k@kYpUHPMP zX+S>P5#y060(Jf>Q9C{+^^IBYvF7{`K6mX58DA2%?Z4e1c$MY|A;23Ho^HxoOspdn zXT0@AC>fP9!L+X_iVP42R-WVmqAZFeRBU>xF*dv~;O&&6OE45;_62J9zXS>?#YvUekQ+fd9gVirjUTI{s?oI{7xmfMBdk!D6zNx&35T)wa#p?t3_FCc* zKSd=d zKY^iGe3|AGen2mv(b91>89lPs0IDCWg}6HysSU6+fshaA^D)X_QxtwGrqsM4eOfzv zw5Z2yxqIf7(_a7Ox%&XEc$-k9!e0E1UaR=7vkpzRn(ePVRt?_{+8XVl!^iB+owhL# zw=yawTgJl*osfV^b#ELu6f~XiINF&@^!z@dwNIMN1e)e*@q1z7V4zON4+Yg-@f#+< zB;zcQzoUS{f(Mj*oD1ZBQ?ps%W`5GI{zcJ$0WHU%UTtvZ#D@fS#Mc`zQD$q1eDhp{ z6pbCIS%=jt??}_!>XXSvbHM|&mQaVF4V8Fc6eFe(eOH1D*+YO}e4i(oO#&7Fu1yL^ z8c+gj5~|GqL*aTom!y@#Z?zbUGiSDq2yknjHU&4Z^a33GEi9{?XMkB<|BxU$_4_Fe zC0}k)u*F+>aGcN0%~*JXR`&Es!k8!CPn~Tjqcu28U1ii;3s`W)xv`b>$}6Q5e-%6X zY$^znQxRd}h}LlFc!u-J^CQiRrIiT}u^rdWo{{*cu?#P#98`SH0`J~pcuf4<|U)EwhWjM}@~@Y=$TaWph148DVmK;vLEi&6`)U1r&RpA^bAl&gsb;tA3&6g5eWzn9ui^ZWL!Qc~P}x{DCQbFdjn#ZVCQF*G z$=D9RC#ghdo;@xsE@_3amw=|K_2`J^TE1_nWLX7G^^Atf ztinP_vyb&v<~SNP&8%heE;Qcye2nS#$ITMzgQtD3S`0r8p~^iMIU7+BrVN9N%l0fM zrPljKyd!}^RjlHJAoJsS3`jDJ!u-MdgdL>nmme7Z+&a_U7{#2wOw}Q{Sj9oW7SJ$% zDa`&?1kIEQhwO>?uK{%AY`O?{1eXe3h9^W#26ib#G3kRx|W?DXx0mhHFW&6iki)6bI0#SvsjFAA#jP!>=3mNaD5db{-{(P+@Y zW^fvJvn_Q82=x~4yJ5Ne_%H8@9sq9E$c>Fs?$>Ms7x(7T&f^7$1DfGJEmM_7Rz@cd z07Czz=OMHz8?7$OjgJ*WYLXa`K1&yYyCWo8r7*guY*ln~<)D&M1#Vb+48*4}#TFq& 
z@_`D^4>)!f6WwmJpHZXrnsYsa-CvTj5hlLtBvQFX)>mrO2`7mCF0Vnq&gc(%ZKp$qVs!yUF&K@6TG7^K$rFaAp z7}F)>Ezgb;qH4&1r*Ub>FM4ak?e0AqlI-hY&d`c^W&66LKwR+RNZ=k05|Z2cEacs7 z(1(Q?vv84Z`8Q|TMuqTHdp%B9&7Kza=eK1h1u>QNO}l;6mJiNL_*n$aJfZTL?^g3s zrB~{(KUN~|J_D2J`+5RR1@xHpZC_dyA-`2sMD0;)(I4<2Q6}S{Fd+Z%7Aq9hvpU!E z{bX;Vz5IEW-ITP0=6#HO&S?oC=PGzY1Nb*Uwc;N?O)C-VO{2Y{@|3uaM4kQ>JyJ5r zRZ^8#kS5q+)4yoEa=j)gW@G(gRJ&1i8j*q`G0U~bR2_zfDjwH{h4*7Y#<8!AZPc+% zPQqQ*oyRaPQjJR5wAO3VIx+@(iL$>IzF;q+4Y|%KMLCUrU6L_>F-Ry!$VAZ?_~-?* zHjbiqCN|oQk5<)qZoQ_fUxR!HX1*0x9jDb**;*FEZj!VOFI}d+J%xVnus&TTq9z-g zFnp#F8#4@G6hz<`nE6m3)z`mjfc=PO-q01Mga!n;h!$ec_S~jcY(LGSzSQmz*BYL& z;x1kLcn|-@wa)QL4maKCBH_>-p=wMX^-ujkNHKXhs<=3_nC7@A zPKAP0QMJ1PVuW*R{@Yr0ydUFpe>Vcu+3FpjO&gOm-p_C^S5YCY#Ro@u2@Kb0dZ zKJOk68@OMjA(u&l39;fmqF4Jyl|<&r^rm$hp(rbG6lu;)M*6T|?<471*tslieXVa( zb-XCIWpJVkH9nHF=o4vxhoN#^9JWdFw{#3CITPC*T-DoyKfD! zC#qIxazZ(8uJ$#?Mv>a8y$RV17X;MCx*CPrfS;=$oy=C91rHC`Q?}UzaB-~3ycSC} z-{RByJ@I_prw%`H?p0;I>3)U7r_wvYy&7M*jcU@Wk8Ol4Y188*qKwb^HU!AtdTLZ^ zLm_-XBqKI>=zDyr~2o`17-9P z#U*lp&Dg0)0t#yq9Ilb8)DOZ*`gq1i^AYb<;-eMU$YiqNHI~w7?ghLLM1c zQAy6C4oZRIZ&FsYU%2zUV1maT1cVH6%t8%eUlDeokYAGg+*fpD(?(_zSCm#u+DR|wQ1Xt=i&qjO9Scp81WNY`h9oVk=*qsuTqQHFO$SY@2s%^d7^# z8q>N7n1|CFDXaz}NxRM=kqL78 zaT5a>(FlNlMoH9s*)!r@|BdHe<3wfljON23`~zZQ#j&PcX2t~CNrsmKQs7cn-le9{ z)bw$aQ7(L3Ww@Ne@ZO=oI zzakL~^QY3P7s{qPzmW@|u>&n6;sxepgs`sSU6Te?x0WG+x%DaYl-B}ngy6R9ERfY_q!$goqbM$HUn{A$oxzMe_5WC6;Au5YOq^2cQM{^2!gf>X?KMT)k9(c_*3wA( ziwr+|%o0{@BP=PU zM!T5rJxEBQIsXtSO3H-4Eji2Z(wf?Ss>ztfa!=$*O*t3y<7X*%_Hn<`IBXXmZpt?% z0Oh4<9pf&JHqWa%ZtN|%T+9=LCFe6BuQkQ;9@1c3pe@659XyHTalLda3ke?@8E$!? 
zv(dX=^#0s8VgR_4om7}9k3Z<%5dLw*u9ouoN43=Y!&(=LqfD)u5FvXlhgF)gHEr1v z-r47b&e(T+@qQdMD_gt2L18BKwencE9NEU;WOa9J1kf!( z;l%B22)JBtqaYgJs{v4{uK^m)aez$oWL>}|enz4v8zpo@FMtGXR~kvi)WEt01$Q?e zyLf~zT#s>^CzI#!a5L=SdZV4YZ=~6T8+i_^C#NN()Y$}IbJ2n4vO#LDMBV@KG^nT3qO zqF5rvwNpa;a8M1YC~Uf1KCZ0FMDj9Pro~*R#&X>Tm|KyFQzeo3N=;^$83kn8nysTF zVlYd8n^2bGL_WoTF4|D>J7kq~R+0=qcMDD$X~mW@&`RpSh|ht)Ei=RL(p-22lnvfw z+T}L#dIYo!c{TJ7xYhOR&FU{omyp#p@-$@WWx6fLM?bi+o0Cn4XmdRY3HB#W{WZ`( z_+3CS8*{GcOZsj@`FN}ZkR~nAzrwk=B)0J}c`cho{He~mz}TxU&_XUE1uMX=Oms9Z z?^9EM?e2a1ux5laYks-JY{SETSz5V>v0i%xT*_@i{GQb%h!27k=nZ^9|3_5n@$k>_6TiI1@p&KRBS17 z7FVfnJuCuN<5x`IAif#j2cRxWbkt|OsL|TQuJREK>)e)r+cY)PN%t3gK@mtUi*Htl z)r%tyB>}8Dbf+!RPif0WDy1d{|LH^#KsX@-sxapI&VZ7tE+;v!_Ag09DluF_`Pm`b z6~r3A^{3;-0Oh$gCA`i-X!T9j_qs-*|#`zPSe#fQx!#1#jkFWA=jBX+Kf<% z|No(|7U-oUMr#p)NvOMj)G*Ue=gIAT*M7~KB$+LvtQA%3!e@6Dw2auv!w7A6*^YQ9 z*2s`)Z0VH9xH%22jX@Z4!gnrY--D!`(Zwg6d&)0BMPs_O?}Z61Q4*C?8uCXPT!J_i z=sZq)<-pK~zUG_WZ(nJ&64DAEoW`%8lJ~uj*GSykevU2iHU_^}Od9Nq(o6aoqfF;6 zov`)Iu><{N{$NHFffy%itT7h4BZ_3#O};pR7B3PCNcamYRdTAFHA$2aX}W7oDi8ef zx1L(&7}7m(hG6s)nLfi+F$y&gl7`|SnPctPmg$^abjuRE{xVYk^sM<4eI`LefXepY z*fgNB57$&CGTJ)^)ZLlXPML@O@`W<*8}vvRuTBsK#Got*DT2>%1HR*d%{CfgCUaB0 ze~{^Gd_!KOK$jL5fDV&zH5acQD0hhbhq@@;N0;wcvhG#y9>sTQ`*Hp6osmDkr=bCs zUZXFps{i-Waf6xQQvEpOzoBWMBhFu{7Xa55n`kqV|6D13aW4w~5WukrjVR1H+~F_n zv>9`wK#^BodMn9>`N1to{Fnx5lTN(*U3-Y3Xw?q%CT0NgDt`cV{J?~LIb_e*Hy{Pj zi|3ZS!W*y>nViz#QD6^=A{K$nGCvFdEh-9pq=Gji6ZD{>N-1thT2-{$+;>RLNR!2P z*gyS$Cj^2ohlr-z|3GeF37PwG&-cukTeR4Q&%VQ6Q*~f*@@&a1^Ov^!9s`AB1#g}| zqe(&i>)?%z?pA)Bz6pwfe8Zni#_xas`=tVKGJ(8+M@^Ei=6$kU4mncN(T(q-)pRuMn68gGIN=VQi15HT0jKcf(D}PcIz&CbPh}K;7`6xAa z@#Lv*bIV$HhuInZrT5~|>Fb1bNB%s*Upx7o8v17|OLKkd$7*TjgVNy0TP4gCI$;(P z0=|?9c=!QAe>Q&;sQ=o$>`hYT*XD1O(T(J4pRC}~j>z3?9;ng8IeVOSRh`ztxlntK z(fS1F@<%BvIT;R!G3XO%{O-V?_ji3O?u?k^H*Zk$-_6}XBl4=i?lOgS`^8uiqtZa; zcwpY(6^v>&P$Prn9*_+Hk_GQDF;d=vBu{zWhK|O4%8JLxwJ#o7hs?r6#g`jn!B;M|>vPv}ysc4qzhMkOD9Z9JelS z$*GmlYyZqi7dp}sa-2^C{sT7_TTkHi#IsrdiT#~C>C#F5Xiq>M@?%C~%$d)MA9GvM 
z#>u>#APnV7FHU;sk?Cu>k2v}_W{#6EOZ++H9{#Ki?SE5}&un7l zkyDlq4H>sdy(T@g!3h=dzFE5+X9!e*;K{*xlG(T#Z(jT+H3{-qS7~+r$7|Z_FEu&Z zjkU{nn-4Tog#_w1f$lQ`7O3th$if0KwN+7hb9}dK%-Tr}2}R2Lbb;An!l8K5s0xeK z8q=^j%yN69ueS%Sfe0~d73e1QLc}%&iHpMH#gZ8gXwu)_?~Oh`Se}QTK}@)+NbcrZ zZ@}PR*GhMjwET6gzky&N2luaDHD0giQt$$Nc9mwG22|Xh+vCxLJxntXp?Q z0I4X^o%N8`9sEP8aQG;AMWAf2AQz!1eyd=p_|gw3OWP-(i4A%A7Y>`JCPyJx1N~!m zx|X7?4gbXKfO?M>k`zuT+{x$eOAQw%1}p?c_gA35%&zO=x3V~@XQs+)8s+6VhU~AU z_k^=GtqsaJ>1pVkggijzklvl9qUR%hHQKKPERMDS8jqc14NAN;akIc1llyCdfBg7g3;Z3V0k4JJEy$hzZxaSAFoi)aL=w^4E|toz z4$~5oxw;Re|D3}b<9c95@-=*PGp7j-szo&5e8LdQLVF62F`$C87rF&6{$RomXlbt7 zF72j$GZyJa2DSIPXR6?sF`YHaNTEn~1u4u?q0=4t<5wghY>RIXkXdLs$k(gzy=8YcU1_|d zRoVR%`yR5^2~eu7R(nrq-TQX$7AiKQaa0Yw$u{tF67{g}v;2pV-ydNp-mLV-!~V6> zKL-BSO8+wOvXr@$|6$;Pl}^&+ZtKlICC1s0d!8G4eYmHaa2CQcW&K2y<~pjz_DnTL zwb&xQOMx6abwGfF#(>X+!4g?&OG0v>FOe5|r;oU1ZXWY2f5 zUoOG^SV9TS**rE`N#k2*_Jt5!q0fQ&kZy?s4YCHjYWx(kFu|u!a z{6qzOs((9kxn#1q+P70Td!uyL}jh5X8SkU!G5=8qzyT>@hrX`Jf+C1ct z&sQ&6qmr2Ezo{;hMQ0&XRzKedr`Ma7`?5ia?$y#vtFbJVDwnMx%F)Ig{OV-`u^@!V z@jupl+Xaqgaz=2*nD$eIbwTqGz6@NT;=*edW2OngLseG&utVs(VZQHOl+_yQUtEc% zY*9X>(1P%nfBPRchfyAye`rPGfroDbC+_tB?K|>xf)6 zuW`IvD8?{Ql;hJMQPI#G_Pyj=v4q?jPJxb+i05h^JfODbg%`iDF7~~=#z183xfB!< zTjHlr<6e1Q%a(oSM48k+@63s~ILFy9TNAfEZASN8J{{Eim(P-Xf7nxw;cxG3K{IYf z{BQ3}@?jLX9O;WR_Ud;@oKJ8;dvt5fI_+9q<1V^|yLR)?9vba@yRd9YsVBK6GCG+x z!P4N>nHf55iiUj6A4IhhN07Hwh18BSwMvHKP4WL`U9OtV4&z zw43_6>ytLB1X^b4G`48uhX%3<@mpj&2^QGza?e@0L3frL?r4}R3qAer?C+r}>}vzU zxlu7U0rvlyGW<~z&nNm+o8`}vR zO|Q(#%n*0$poZXMl(bgGGG_3Ol5DnE7XwE+kezg3T5>J)s1}KbHKoP zf_D4w*k)`gMVmJMuXn4-S{E0H_a6a*C6UC_wNK&Xy*unAaWo4v&y2V#`eAPo9wK>o zKgUi-W%Ke_zr*vEaJ$ur={yMSLdMH>6LEPxZEjJ}XDZ3_w&d2T@ZIBMF`LzdOwRA{ zysHK!0bL<)?w#ZCMnIdE-hBS*3Mj(A!UswR8(GPjiCnLLW38$9l z>#fi!)|gX&cxr>~^4dBeB>%Xq#}6ptz7d1}YfD4#@yxw^qOyY1N7B0sxAn{`G$CrK zi58agJ|rKiGARMIY!rHb%SHag%{!*(E*Tw$li4Q6Hkj#HW0yh}LFG%2z!}kjk_|0Vk%zK*n zho;289ln1cfv;7(kB1yY{;NUp%IHJEag+aQ0DM=!b9JX1KobAoVcu|L|Bumx|96=G 
zMQG;#9p?Y_VdCDF_?)xomh2mxkNK3iTVA4b&hNBE1N4du7if;}d6Xg8vH~BEjZfE1teFREMkiFWEBe zCHU*m6NAg4C%#ullU$4bE1xa)PgmEjde$qqVpL|nvrQxg?s<&0RLYVbW=o1h0sLa} zfW(-$sX zzrF`UYmU#Oz@|pzS=uu$Oejah;i=qUU^-Bn%;&^VnVk;dv*O{LgV(zU(pD)!(1iHg zmGbu!2FTFyHdv8*2Fs@Rg)A@0FCRUEPo6R6zNv6+dggYzEqC$t!|-C$kMB8)&Xe(EpWFj(&MJh2^M?vZ%TAMVE*eh(Jz`1zjN zqOsO`((2p-bEY0lAzvxRrg~))e~|U)2a@6VzhJeV7t^z7=p4JUL*?G1Yu&xz5}6GrnoQV=WRunT?B4f_>`RTKFA& z4mj42`d#?1Td8}Bej6VabMGAWocHgWt)0~+-0|8yT^>dGA}LFK(rN$|IkB zDbC*Q&7(@Yd9h9sJSIuwuP6*WNBs@+cf}6w`5FLiom+=~zDLfv`jT+syQgR+Os&${ zzGINnKDSTxrc5oBS^FEn8%>43&7%wuzo0g1T8~kpdd1YX`EyrBoj#TTs3kGX=*Tom zybzu_@%1^8>Nl+Zk!IUbP0MPO^Svlq)0XCnBDze1*xG^WXlUS3%UMs+@SF=ep-t%s zFI>kxgYb4!w%hW}xL!eHBdujdDYSy$Ql#?*)kANpqlftIKh#4+YPTSn*WIifx% z>xNI=$gjWbHlcHzMhHxe5P&T1@b%7cKJr^SMN{c#nHu@`i+X9SuCwtaSL=oT9&1mA zTeeB~AN|~x>o1hgW&jv(Kwi?Xad!qJGPdCh-Ul1%U#ie@1Fi68PyG?;s^EB zo-Mz4di%Ha;YY^cL?G*u4|I(91O?TNWaDfO>ueu;iGTC0Yz? z4k2=H_p%`DC~m;?8$AP7y|W(=9SvLu($@`N)T@UAgi2MkfKI`v^N1ogH*0r?E7(cp z*^Jjf%=w^yYkOs(UhkDpz=?r!W`LwJ357=}yhgGPrtbUc%J5*Wvjax=2*|Ref^I85 zaja2)6U;)3Tk%BDyV~LTUAP{p+17ciE=`%qJ#O9zABw5w_fMRGVHcmHZ|#}MlarNt ze!Ha@Hi$W?$G4gxXQ!-RPaNoNJxW~?0arx6{>Gr4(K?MFFyrH^?B{wZGzC@1Lp4K8 z25Im!+v&KETDCO*47qVK-!dEaT_kGcgg!PfdTB8njtlUP9F1a5NQ1WT?HT=89KN!h zUXgFyi-)jdp7Jvqk|^hgj5yGGc@|{3R3#u6QqXKO*-#Bc?RixUf zJ-!OUuH@Afeo`C+_m)cD(pc>H(X;3kMD*xBzVURE7*b2ar^5^bbl$#_G)kX+ppU%& zJXH8%m5#Bup16Ce>8lGiF9d7RZ^#Io;eGXGy{$_Y7}J0aBvv)K?+8)MHF_M6W;FPp zy=vZGInUl(k^ya1Q(t(oavu!?BMy7tEVLb=JGR9mhl>*c>3TO1hA+;}Vy(?C5i7}M zfZdB?gv})*iW|_p84IQpseZA%pPeJ`XKqFN01qI|(gvo_Hj->297_>aZR;Aoo~iY? 
z6HY}J^f89f&D8u0N3Om<<3+=Pxi)do2#{iI{?<{3n`E4=@8i6?=7f;z$_^GoRET(q z<$Ubv7^{yr_(82p%tQg9=CpW#?Wg+7bq{!Qc`(;?2?vXgU-W$AIcxG(h#qSwzl`w- zAGa)nnl)N6g2{zlM$%C9A`BZa0)Y{6xD$y=Vq?!L4L$bJHA^$BVHC5t0lp6_H#QOWz?PcW?yZnx%|m2Gi5X0hBF`i9lQ1J~deE z&q=x!r|8#=G{poYb5tsoDLu@WkFFL?MIJiQ?#5?b@6T?w`g(eRs`v4xQQKjfhJ&Bz zt zBc*eurYXk0n=>t4Y3S59%MWX7&7JC9l7`YCot>!TIBygoVH*`{LfB-p%9tCqzJ7BNVQWBL##5r zATU@6cw3)ur{wv*a=riaD!&o-=x4F5#iWkkEPnUY$p?rd(D^4@iM&6GLIp)n;`0cF z|BIX;=7kO6mM;yRvsYn?&0&iYAjsC*S^5T?vs?(4J9fQ0K_s-}-R`6F?uL~sMseeB zoRznc>7NowgSIwF{0~Ar-OMASl^g`k1|}RugXDnGKET4~dxVS8<k(A{ewuXa`Q#C&ednT>@fmf6bykXb^sQwH#G3<*k+2QAA9i{IkQIlb@6Dm(fWG)>84 zUVlCm=kQ54q;^bSIPXE2-IZc@*c@;kizT0OS|X z+!z?wTvM}V{kLRJ!ptxHFXsKF+vQlC7_S>6=1|J`Oyxe8H`m0HL|pk3fo+6WA9;QG zBVVsjS95~_cCLj=K?@oEgrngK@6z1!YatRt`ql^kcJ)r(_t1(lD#)B2>-k~4MJ#hV z+G+hHj-8=gTQkv8lB^IQmSPKoKgMPHy#W--f4R5}%|A#~vk? zw5% zxvSOPsk0mr;VwzUDbaos=DIBs&kIVYsSj;;+di|40JoG%c$;2_`V#+LrRUL)V(296 ztoy(U$)eX|$>4H4Hi0dme|m<9=Rtvo5q8sAQ>g#!vw#9rT2+F8wuj}#M(=nNsTZm( zz9i+7n325JLA|Z>xdW&e$~qkiWlS!I+4b__ZJ-29;(UF5(l`A+N?x}Tk@I=olCM(l z2hQET^ipQL4dMVPG%p>qjqb9vazhvjZ~ZoWrQ;<2e!@}pdi#FYqUe4uKVamo1K;^A zNO;93P`UzcUH0OcRUx1-+L!IK(tnPiPx6eHRlfTQ=yE|w$?+QW;ND=RH1ut`b7lv|HpDugz_9}uPK&ROw&#$J9dJJu`6amO* z?n~M)5_Wsr1wjSnI;;|+mt|KRNvCzW|dzCO;+|>B>oNp6;(- z9RZUhyf>mLBvD%N03}2Bx?-_nl_~ON!BhXO9qF>CbeiQyPjo6AX?3anzrYB>qjw&o zq=SK<;(pA!8%g{~?{tVs*2EPM$j%h)CC=bD%5SUUu4 zOmMX;j)@HfNB;2^c7@*w7jqA#eZQVDM6FV-qE^{}a`d6QWJTqyuho+G=l1e8wGHhf zXEwaz@OKTAK3|Tx!kyIdOZWUIUv1xA*J0GeN7*Y zG=h+wt&^oH)SJp0L-!=^3LM{7s*12zD{f&o4aF7To|Lmcd#-XHx2gCh9|RP6lZQ%*fP(bCh}Ye|U*J7`MHD zFf)YCwA#pjJPz6ifg;+eu%&wpKBFk=6+H5-hchp`WR#ba}omtAz$h` z4wu!Gd#{HOdl{XL0T38xD-RhkF!v-0_F=vr*ciky!6FMDb4R;ye?b@CD}U|4tkjZT zPjo*Z-S0)_ZGZ~tJ6*v5r0MgjUUjLidNQ#GQi2NZrCqS)+eQyGBJRRY@&$myX(i0G zd{A)|q&`q zaS>Z>NGS7jBp(MPhf^bd%w?a3%>-TCi!(>bDZ|!|NeEtbPrwUKz-}2lZ zGY37NmLz^0;`E=gW{C4i7kc@65QU17EOhWidC7p=Z?#>9k-U*|y>hPUvzPj~FvU>( zVD9ar7M10O)Ay!I2qHfScxWzwe%^moC%<7qA~yyk^$ILJT*+H4bX=HkP(#>|2XCqS 
z6O69u+1Ks;d*AyvLL<~@HJ{HReo0AxzEV4YqJl#oE56SYs)xB;Ry3ep2VHrDJp@!wM-*(Q(Rw?vw6?kVdd+QKme;AZ^;a13csS5HJ+?@(b}$d^@h6wY-tQXwdMiPd>*Z>i(CP|y84>1&ZJ4@Y z@{AviO0e6GymGCr`i5bLs2}^NE$kOK5eBY=e$u^boxBXJ5o!(87kn%#ObNRh2@bQ( zmrT}*<%(U%3iX z)yi}m@->$I{q4oSEIZ@Q2L=*Bdq?z(LFF7%2D7NQ6DydLTG(2(hRtM|flpY*#lV4L zhOftO9DF3yT5-JaD1m$Eks;-M~xF2%5%)*?}FdzOk`diE0{O*y-Ldf1a3kQ>=ceL8i=RmF^No2=hk^~Oys$IA%RRQe7!ieH*ac-t{}UPF`6Os zi^o?>FV(?CbPJ(!WNzTE?GA*e(Z7*XMRxxuHH zqG>n~p0)aJ<>Pl9sa*9qy?gQ1ndO&c<LFu! zUbG98#|wwg(~H50jPrS!%GotQ$_;u{WRfSOReZT74`OBpFZ>~)w-jeD9gSIae;vO4 z*kkn(Qm$RLEl^5F?5*Nh%?c*u>DwxU$a!}Ga zJfPM{nE&6To=sc0O7oJ!zvv{I-6hmkF93>0J@Gnrw7&seId9-G>ZzRe!WlEk)@Hve zM%MI-^G_T-#{mIrK%t?-g7xm|?6JT6Z9~n!L!9^MBa`OIB&EOS%Ochgq~kASBE6fa z?Zqm$---Y2XZ%_dEz1Z>%T?1+p~N7{PHBXufAFW>}Q-TDnUB>KTDK2Y}LP2YPC0Qcm6eH3@iC*B!U((tkh}dhN>GT>EMi` zKY%0Q`rftd(@GLw8m0S$fBRVvK8H2@3sAHOYuw5q6{|p z`HGH04&lP=ivG`qpqopaYU)N#LU~XP!C=BaQDFDB!rQS@XGeik{c;mtL2s{y<}|l1 zolCe4hD3PE;|9OEjcWRRmE-2Q0ymeVh~5n4>n$$X4q zY|d!@R)?cFLj)F-(kV-byMj<~LuY@ngqP z!q8Y?{ml$Xv88Qy@P5qt7MzMKlJHw$A($(HpY_c;x@t3lf-=@D^hFYP=UU}sxbgxE z5r16gSU6`!@SZnXTY? 
zW#q$AnwTV99PkW*I9w0AQ*XHSi@ks^HLv)i?#aMeeM+(oT0xj^2V$pQXsr~bt|Ok< z3_QXNdWO{#r?JZ@U_k=e84=OF|3$xgF;&G>=S>!khC~VNm#eTs?dwXEVmtKBUx*9$ zP`ws!QiaEAWp1Hz1D}POoZH96V5%&#IvU>BtCWnq%0%3v{Wn=RGn{0YzDj8Q!UsB6 zlV6FKT1yNX%vy92U+(8?7&}=CiFs2?TQC6MIAn-i0;A>aR6>(AERiQ=M$Fzl?ABZ{ z?Tgv%Q3&jKvN+v1l(mbJ*Eb@Oo(h1YmejZ7pBfr;cI}_ovDC*`%%oN(Ug#D8R)TQ8_VUvgiF5fIgv=C$;N;b*1 z!WdQwCVyF;QHRV~7t52)-R}&D4CKrYD|=!Q*8eSnro&uN6z!#KNNCLTbiOxWsy(u= zICV`TZeo&eYv9Z>#>Nw9$^?*dLVN3n_-TNu9T{Fv9CJ3Nff1lRzeo!6ldiu4;tV2J z8+`-@jI$btjCeK45L*MXQHgGprC|VtjY0(sK*tY^jwjb4iUF09NOcu9G&cETw*kiA zHdRAfU%e0QrCsvM`C(&YWc}ma78^JV*vmMYO&K2J^l<+EWI_BQ2N4dVk6CNaYQHff z@p3C0#m3TRdgR@w4S7Rd%LMlYlG z0*yYnSXz-BMET6}+Q`ZCT?FrDqE`XIs{{bmBR}4{)1qfmoE<>9&Y&#C{_une0*S7r z`8W+a*4L+NPCYCM%;|f5QbVXRFjLuK3TXVfdi#>UoN3`mkT@D@Kf!OqfKh)n6kO4l z!@HXb=#kU;b0$CjDbg=7J8^SY=C%or#B9n;Lq|a`5ueUHp##tgQ%`Xhv!t-KRwEw5Td0 zXG);Nh2Wh-bwL(j&?5K6KZ-vrR-Juz%Q8WC?4mLkkw!mRkhh7qF0PYFLhuP*Q4t-? zc~F4@3uKoiOiWON2df-WYS+t3xgK@TdTy0f!Pb14ARSRJ(VU=-vs1C4L9#G_q9%Ix zsxw8Ge_e}P_%#z`*`L!uHG(;G6I(q4VReZ<{8v@w+OrXOnM1~8sx4+49Ipya{i0<3 zQ*RatvOx~lDh=2%COgK|n^!}s1TpA)h~>syiC$}<8B(0|Yl=dRdcGqg82>q`yc7j5 z#4c99@qty7Rmn8Y$38PpCKM@!#MWM8J*mKAUnQWH4qLx=!n8s1^Sl zU-G`##&FxtvCYba)|`7kJ|xO}DRC=T&ZeIW2#tI;<5sEbV}yrd(ti}$Vw4ErQO2vJ zdd^ZcBz^_k{={>>33APeKFztEFRqG_-CEgHKu-_Kn(&ncW7x+-hT$lr8q1*DO7Qk~7liY&*}x;_kAPx254(y90a%*|LmRJ$ynV!0?#5^KMk_*T02 zfUYYqIOw7m7m&jt=c8_s%fmA+1)?a1s!U)+R#FnEMyJv@+FJhT!7WPuZd#7bO#HpM zl$~)(3Y$1}WI${JcS1lCK$VoHSB$jmmoW&1Cy@op1SUx_VFWNjZc4sbswk!nxDy;_ zPxefskn`wo6sf`Y$#ny59C+orwa->aRq+y6#ix;INVe)N)l!cp=a13{2oZYndvGBD zL|QHF#vDAMb0?#6I`j`O(Z$=LK!oI8bP{8gLtQu+uoW4?y~4QRY8Vk|OXKn2ds6}` z+@q#dA_0WL#tzf~^zW4ZH4Y4nriCSebMq@Er4Z=UtIa+sDU6Z7ha$G^UUW6hqnF!& z;i<;vfyH6>?$ex_`0N`f^=#<2&^nIZMaepa4D`|-yWVdH@3wh537K_IA`D<{{K37^ zEOFYgaNBxC5>Ep;%YeJcgTYZ6MFeA5$r=O+41{7?dxUA5c>5A*YiVrq!a^i9Cy|-* zIH))UaB|ua=<8^rOGq5xlt`kf)U8^99Xf*fY(#iX8g$$P54aP@5IE7AXY&lFTQSbF ze#+K_W*aPblgMLrN$R+axdJ|~v8NYSbVRJuX^i|uNW+TlI3;@$hD_oNSfwqj_o5`_ 
z_rK5q(44&CNo2h|wW2ha&D*;Cwlu-d-{mNd@#LY&li(s{)+wj2tNt!K=Vjgjm-B;XuZsy{^cK<6wMPd`>JSGPP zC{79Lz+basa>WEhfjO5xIR9Hs;jt>tTo5G1ZAJU>SPE5<9mKCDQ^b=7KuyhIgUs|4 zh{uPQQb|07|DyV1eMkhBL6uKv086qIpv6q`O3{;dXNFGj&`RGupZz=&*!tk>r$o3c zvVMs4lp9^6miju`n5MgrzNW%80^@x!JY`9TnEkPP__f=gGx`J&C!;VH5&;!y;~%aQ zc^67nME8meWP)Woo91AIO>Os&2utS|v;RLG&#`RhXf}dMYWE*3cyM!Wa~aiI&|PWi82ro_^r)lW{gbFyT3-sL9~U|E2ixnr z!)PN)@sfQegsE}wr1D?~&Kxy8vZzx~O}3StO`Q66pHgym!%|pQ5e-?dM8A5<2T-z- z-<{fsv1Tqama~MZq&*Y^P)@xU9EGr4t(!(U8i>wIpf=jAbP8Wrpehe53|&slJh^7q ze*)+pp-hkW#U&!NkWw~Gzw)Ri@kaEYb^j*svjm`e3B;yLO|eVKG7ON%SIkgsMfcUI zG%((4kE}dNDKKguT6?xP3lJXbP9$~w&M1+aTFLQB#zV9b)WztjxM+k{)Mi&EIQKp_ zf2>}CtL2T&#tb7+oVAVBttvzBQl`BT5gZXh8tC>xI5wJ;KwXlq zTFjnN9QGHBokiJzX{@9gR10wzKqpVE76ny7FwRs~mX|R$855X!!9>Dy7xHeKfHhqDa}v^#c*o|Eo}cAo@kA_>B62l4bJ4IrIUMo5 zm1B5Ga2xk?_M_TyEOzZ+>%HZQ@|C|;7q$3hqYKfOQmBomVFYf&ULH*PihuFBZG5-Q zY*IpWL2GRu_#Lv7r9q1Rdp>`rP04vM!H%)?z?7od)AAfWM+-}wffQM7_=jV#ck9d# zB}JN%3romX!^`Z~@2IXJrcPo-R&eTvX7V7Q$F82A)HP&AG@bsI45hb6-e?(dO)z zDaw&&GmI*utG3V0E9Fj5%i3B8o35yyV<2pFxVo@nsJt!4U)RvuSUQA5@`(jGaD(Md zstL!Ncf1dzW1ejdW1j}L_I>+Wxbi#0v=D#KBnt&!q{=h4HP&kk0jVd9V{Dqi08AP1 zh0!!(xU}lf+(p zsq92A^n=;!N>loh7(S9w%`#RZySE2u*_7qn?O)!xDt>UfQ&(dv1Af% zOEON4)i?*o(*?^SLC9Vqur-1~BppDHYDtgu%YimeU}5c&g*-AzVNT*OIRhOpvO|2M zPXCyUqB0eshwP`HLZEB^=DmX)MHdwoiMAQEFNv5KTbF4%xbDt z9JxduB9NVsAZ93$XE+FU5UC+zLwAH7k1Ay&lC&9vMnvV+&4qNWUOwkU%gtILrG z>k8hk16xyrS9=Y?*X_)QG~KJbBvn0!v_%a@pylaCi(PSRzNfj#Z2k>V*HwCEN8lp- zeS!Li!Ab91(W+4L^Kl`&4_}-1ZPq)QEJUFnrW3Q8GnP(rrMyH?7G|!!VRH6i#`t#| ziAOb<8M_sGDC*e&Cv;%iUf^5yyKVozbAzArjNZk}Flj4}PcD!qExrQ{T)vmI^!sxv zea7hO30PjbR0a!*KU-{SoYfsfDpe{TEAT|^77#1c^A~*v2H?dQHc@91=^8pQCNV_z z1!ele{Eibb=HR#FKBVXM)YyA8Wt?Y6td1QE=02Djjky=h&-Ismi5(j+Fn#!uWBE{I zCy;YySPEyahZt6b;Ic>-Y{4S=0>~;myR>iH6V==$5O(o$j8Rzf20yw)A4JD)A0{sf zwSh69G)xNus`jK0%ZZSOU6K$Hys%?M-U*3Pl4tni0s^Oufil6eM&{8S#Hbcqrb)fk zJ$Bg)yT4I{I*n$lkiBT17_ zFBin}j@u(TBWbZ2CfR#hlf)^qmOY6MnhX(ROr{nva}??UQKpYSKf%)KNd>Ljl`@Eu 
z>zh@R2W6@?cu%jaw)0(2wzW5>$^sIci9C%^Jl=M_%iRm>8=3(xMrWXTtzfgAGk=-* z;2&e3O6DVqVM#lrFI_ErqUMUu6&H;5dV-h5q2pjeJx1{h?zXF4 z8OMi7D*|%{Y(Od~8u9AurO5rxQeO7SU8!D;2%#znSlllQ;0Udro#05hWW|1(3FPc6 zN__wMvk(2Xac<)eSwg0VugfuZ^SG2gJY?}5{c8zTczufqbVq4H_jYTP4T1;D))%Y0 zVp3MsA36eQwQ;nV5$Pid?E@p%M$@F&c3DMvrGHLwza}A(L&v6WVPnfKwF-cdG(i5L zm(;iC$9o}lVvU3#G(KNG_y01*mp)z4E7_HjIBk`T9R~7w7~5tD>TjMJl7t0yqeP%Q z#iF;opp0wip_~17bNj5$jlqvNiKJ*%f}zQ~<+j;ZXnZKSOOPsN@s!Zu$`HslbrsJ@QwLczk?l*wtkywH{i9 z>pHU8qC5Vb?@yc&oQfI@=Dfq@A?>_ZqJhKdq#pd!PUwLZn`puana5%CWL}Yz! zxgBa_GR!n?O?3#lX1QAGRpZ?ZpdiZC5U1j-=L{ouTPipDXA3Az-7WP4#CwXsV6$HIsM{ALBvyZ{-xrDC88$kn#8Y>7_cblks_mei6CdraFvA5x_ zZkbnYVwtVNMoBG4W!e&~{EqDnF-Q2IiB?wyrZlB?Puu$$wEu$)dYVg7=CA&1@SODk zAnvhIb97Q1GXw}4<~z+7LEVK>T6DSPmLpdm>pb=n|P@mG+dfHLQ=X+kymmof(M zac&77EI&br>$|do7lThF!Zf*RBuMpZ`wM#Pvbm`m3+_~8!VsTJ`XiGX<}KDZ$!Pf2rJL2U5@UQ`}JiOQ?^){{hI! zgt0?7u(T@ShyIr0HZScYE3FIXQP8ZY>ym=emDy*^z^c<%PR+Y%D$ESggl2qY1urWi zx4Ue({wk23yYDM~g?~EBT)6lKW|;o_-$O^k;Z+9gawQ#xHqJPU)ovIm;cu06(mo)C z(n#<}G$UMaqHmnFA3NKoAJPS+RBC9HTO95=zIglrdD=gdmH{cK`z)Z!^~iy&G|{Ag zM`>L*qV1CX^<8;KDB8_0--f}Zne_ zmsQlTSK0}W=A3I-A+=8Xcf&d4PTR3ISG}&>AXio^y0caiQzH7?_v7>LE2&?Z!`P;G znNW$>I<=SLbT=BEMxS7BPwZ%9=L*vne_%alln)ntiOTvxzQLD&ncnQ9@-<&pG)g8% zdShzB;rl4;cX&I-u;4Wojk!^=CzTqTgC@&HtrJMk;0U)$*KP?{^aM7f?}B5?Fk~UW zp%F%A<+~I8Me<`_pU=hyhhJAFVq97(C-r!EN&`Ggn1XA?Nf&Q~i}O5mV!S3X9{HU% zlGX8X4~AhnsEPnc2C|x25+)m^q%yAM|y$ z1BF2G5!D)>_z}v1I@V4`fFQe~c9yQ%OB|`nD-fScj+YMvvGjW`fwFVD(!PKc| z8ti$y!5K%c4x*(ZW3Fk1ar$3L34>L~_Y+DMGN?R7r*s{aJ3n6lFdpZ>KtlR^i~*6T(|$1inx_FO;i|3W%q}qC88` z=IqQpOl|a>M$04cNn7XO#2zO`Y$(vr)?2JYs2wj47W~!F@rzeQ*d&jvG=LH^hK)W_ znuy~wcXbLHMz;RcBuZBud5e8}pt~Zt0@ii%b@bPHJg$-6ZDk{{CklqzKyjjwP<efY zph!+YkLYm3a3(#}7|iKl0LZ|cTU({8x}4-RB9c*&1W*Hv4uKu*x&>KGY#!8vV)QU( zi`UOg8Rh`3rcumuIkOBhMRtf9Xdq$K(H1Kaf+y^>{Okd7sq~-hwRvHEb60iQV1dg z*w5_6GoNU1E}CbCCc?MLe4n?P}0z>3LVXEMGDm)mdU3r@Arzefl_72cF1Sw zu>?R{`hTu$MuwPGHKa|XdYD`a;GMH7mj^4&^Q<{&%(F3rLDgllf1PO=VR|5fiPB_J z?5M2q$P%pr%yI9UnRGvun5m 
zViA$7CZ*Kqv_nb^LmehH^nshy)BdUaSdaw%wWT_MKV2sHo zj;2*x>DwUn50>1ja8YdGj@A#86A4?eC@9(ulD|0n|8M8C62YybFOX3?F@uS1DG+uR zS~MRey*I)Ew2aBTf0_KFW#lw0Vd9bomXb4KI6_P`4U>=JQVp3~a_}xU7a_+df(NQE zgKJ(+DFSg0>iu?Ytsxm5%kmrr}eG!2r(dc*<*9; zc2dJ==0OF3V|lav3zEkW5aLJ3_=)oPVY64RxiM|wZ4K6n!oo8AGL&HGeZ?ggiEDIG zb7EqZL{?2FH17sV#(_<}sDEXgwm;3L$D*@7P0EccOmqz%KdUNbAxbALcE%k1DS1Ey z3gvZ02HQ_vn1ec#s=PYG37VIoY#PekFS+hF_n;N9_5deWeeq%07=@S461|zZ&K68f7ziBlG#SxC4Cv${L|ZiP zj~lj~$B+1x>9ajyOvf|X2+clvizLJ{>Q)AE*lyDx#X4t+mBAyZ*kkU$ixo)I z_45jkxFf`N(qJ|<(&M44|AgR=i)>2%kfg|(HYBpLGpWVv$WI<cLyyjzP+-Yqb?7peIWHYhblkM=*tk*>n2Y64m_z{T1WD}nxKx`9 z1)fsb;%a)4LHcT1vD-BCQ48u%zc8;j0pG4M-+fExizFa@S$|tME3J3I+R~Y1V3HAW zisYl>b)}pq*epJc?d>4kg9gj)XspH}ibNG?^~GuYqTkK{EtnE)P={XTw7J)ni`gAs zKWxrbw?w^XAv)C?COXW0Q+JwFc9lh(Hyw$>Xw00xKDj-Nk%4QIJ>;?}%vm;!FIDa~ z%Y))3LKKB%)WCtZEo&m$rNx|Yjb>uwlIF1*UW1u7f1WrBw&}66e{g9T|6BTxg&ss) zr%aYuTKxIgaD=n$pQ$V2!4l9b@K8d$$ihYZvta$M^c_t`imBUIPqa!u5(?wv4TcLKY_x@Z_6NQToey^h2ONq1m@^_ZVt^S zDy`ozjccih!P0*nDwHg*APU7KW}dRo$%(ujO6vDj6kOSuK3Pl@l9~eh=8t+w3B`WHNNwAl1`zM+XbaSFm8H^nRpBl#2Fi3}nrd~&8+l;fA zrF^|miJEr3QiE({b2rP~Bn23(LPOGE(wL5Lq%beh*QEn=jDOL0{d=z3$|YDqBtEJ8l(~&uTv8JcD$O zSuYvWL4BzNvdI4Lay%nh#Gmo8j@zf%o?5OEQv|m3-z+44zy=kZ*v6-MFYvV`oh@8r zGX^VHGK-=^V{5psn&*D)Xq`!kLaSz(nSlZsCr|99ESm#6)!53a2o9ycENy}s zh?MPaMKbM;#G8^uA#3E>fDnHOZtXHm`$kt(t3!!s54-CK+w44y_xrnobyh2wU-pn> zl*>$dPONj9R435pF zF+GB6K^xzns>oJ=YEZ1(vleQ^KnT?lJ<`%1;S#R7j7~L8W3!A%lX&J<)}ERGx9>vp zQ2UPH#_%r8^#Unk%v)8lXWd`T(vSe0^YOf6)X^}yBg~%eIc`0y`O|-CX5cNsP?M0; z2Us+&p!cA~STwVnlE-`nm~}6wwTVOzilTm1?!w;NcqtSwp0JH{@rPG3u4|rg!{Kv zGl>h>0Wv0X?4_kuW~qD8Wp1RTNi2BtT<7`_pvQF^ zJON{%Y&dqz0|{pQmIQ7H0fQ4yYAOT6j%9f_H2TER^aBMu>3a(XVjMhh^L3LdMOy^z z^{sSd?MErRW#d|tY^9p!^E#W(TqXf1zh;{%wFEuvDX5fTJfEl@vwU9)GoJTeTv0UH zu(jSM2Qxy@ipektbRw215KJW0gEI6q9G*PnOt0BEI8TZUM+b*`jaH!5nDr;dO*R0k zO@2Jy6T>2H1rRfAhFLl8)%>Xm9BlLSEu?nFzu2_}N_UZSm%$BVObZYNdO#v&hnMRk zUxBB?m{u&3riw_{!mA?CHe=#{SIy?GMqdlniDL|N%QnPhXzGqQHk;K<<@%ixt5A!W 
zjTct_uC%I$w*CEr6S3>Mg;BnTsO)uR%b^vZN(0fP_|jO`e9C13=1d?*{kEEl#K$2k8jiCje%7072vduo)OSJmgkT?w51rwiM^MB_v1_fUv{y*EfITk`d_jY zcbZzE4HrPEO@X5tcG*{!;0f~QT5i$Z1WT5f|I1S$Zin84P__oG?S&7DTVxzU+C*AD zw_G`Wx3R4e1!ADPjNT~`7ff5A^Orv9%z4;U=8r(UaCg4xdB3}*&?KLijDW(?(u`hT zwy?b=LC*0DmR7BWBcgxW=eH`;J5z1YhNGX~rl;HTZb6_ng6NZ&K3Kk>V_)xC{w#Ru z3mmeq-)G&Ywt;Tl zPx4(&wOV@npE)}(nCx81kIi8JUi0hwUSb0|wZ^W>_p7a!-_NylDl?iHuNyxb{x8X5 zeSQJ*+>h=5TL&LLiTW|FUKf~we~!eeBP^4Dq~IfI8{j@%hFzl{NS$ORb+QwJ8fb{NF4Ueu{2|T5t&@(sdA_ zHag!QpJ@GW^gm&ruzKnOlJ0f*XB+=}5ZwE_0{$aWZ4ed2qrWBpL!zsnuWt&yxBL&5 zJ`-oOa{nrTh#G^&aR&^JBUC>*yjT* zg)lqNsqgvZcYQx7N#3bIXM#KR5{0WD66nVy_gH;pb9u4?>Vy5~?Bm9-8r*~^umLp| zbkgOt{4$-%OgQ-Q_Dk3)ydQNPlvFSOvI6Hx;yHW#A8eXk?rndL4)Bw2NsL}@Fi!aX zy?-B%SG6bcEw6vNuPRO-0>hnQbN50<;}!TQK@M(_j&IXv_i8>RuKmjW*fx;*2{Gk9 z5md}8;eXGGw)X}9-hP2l97IAZYr6A(Zl3hm2LiKSy_4Mvew^LvNw3*W!z}6_nWNSD4-WPR}3UC=dMpVbjju#>+OI0G^SpD!?Vr$1Fm z?LD8tCbyk^zGDHWD3*txaC}GD?A3s&L$+IiCn#6bkE``_RR90^{ePyt-rpBclXbRl zASq6x?eDmoFAC>^omz_%<&5;eyagLo;N8Ve$MbtjuHu^s@RC)f|kI=l`KN zm;NBx-SnArikzRP`&eDzAEMg>Vi`07B!3{CR@ePwR{qn(VSd@4zm06%+j(8t(@-LLMQn=WEB=aQyUT3-Y)`i5~m8VJzS%wL| z)D$hE{DEtGB0a#IZsoBjFUpn}Ak{=)!-P6?0gl`XED7KFhZc|NO8y?@O@7qC7 zlG2yEx#Ccx8)aN*x%pK=GZWE7l?P7_aXv2hXBsDEk-U~M4onm47Pk^Q6SP!SPmgz+ ztvK5o0s&iSp~@T*6b4{cmC=Ndk&XO0>_4ei>Fna{5Jd@OyVTM$X#k=H(5LpqVblt$={l5$3#bB1^$SKN@L0YB8 zVyR#&aMQaQKT{6;@RjjfKhYBqUF8`l&bfKE0?p4U{DXto$BlIMIVmag#2h|2j&CX6 zX-(m#XyBHeE);tP#)v+i3*g%D@xKj6UWW@R?%yMVcoVMH>MfN`Agky?<;>Ovy*sI1 zokMm+syVUPb-h+|UQ%;n#Z-WO1HNg31z$^x=(>yqIi?R}FGrWrpURaKSalAtmWh{X z_}WIKF=>X?u-x5OqX*(b)>OX4bO8*dn0LvCe5s~VSBU6;bTUE`yjRLN-UWflu?pcXF^CbgTT+8@O^6=@a@h;1NT5yv zBS=>xWrK~q=roqncDhllZ)KEpWqqfNsdm-^re{}p z<#bj~D@*c42Z~!N zs9@=)HAEQ-MgT9v3P4YFiPrOG<7-v1AL-AfLl>)5E;E}x3V1$hQ49nzgSq#QZ1(jbW&E5NLvN^Ld zfpS=8PyQU`8l(tdRgAuk=H6FtFzrB?4#14hk3tsw>IEIld&^@=kF{(2H4G+LMY93D zdZ{4SPWYHhG)Y3f2yOvV)dSXun3tn}zo%z9>z*Ua;m;lo%vjF=Vw!Q4FX;&ly$c9p zFraUJzOHlM_y;2S_n7)4<>y4%juWAq?`!t2?R6VA=#DqGH?)ZUIAOC>m6jR;qEQ4y=Nzr4VSgi?_TpSqZ0Oi7o 
zj)8NVI^Za1`yHUxsAFE?je#ad09LdMj?xHe{^UHnV<%b`N(B&d=&S4DGejL37#OQk zWkv-+?xapS9KO>LcxahvJ*LM|b(PqL)=v}Hd?T3M$HB}HxtH=>APNKpH9HVS`VQN% z(VY({E6OjPED>T|;VL0B3lSwI)NnhrX8zb4!+4`eObBewc7A6g%Vs!d?Z*!TTrF4h z1>+D|5zr{#G^vAK!+9eh)ir9$YUII@w=I+Dsb+!Cb58Z+>T#+CLkpX)A`Lkc(CM3Z z$^X{~7puqBH$F=#^9+!~KZ~`4x@FM_Clw)Z;7>KE)9)*VonYE4NH!xQXl^K-f`5hz zD9aW~gx;+&x@1!H{iWnGR08tN5|4;7!VyyK^L!PHxvH(ay9W3eCM6{t@GAK@SH&gR z9xp*@icak-*fN)+PcXkipN^3@W0VmDsB}hmYY2GG(27bhkg2xmTw&L~?eg^F?53l_ zR>+K-Rf?bbNQGtRz?~3lsTVXJQhmc?6j2puly6V=v(@Y{i=!i7?aUxM|Bf=P+j*)o zg;cZe99VDccTiG$7(1g$Uv)=$1QKl@+CwbnlLSVhDGqJpuB$>=nZ6((3e)h{1AyhP z@&uSd4r05r7Hmx8FPtzke&;ix(GMi}RIatqxnUCCY61NeEr4;B3JDcx&v?GI2Uv{X zHYeteKdXKqo}SKSapi6voMr1?h-*pTOdXXa1nJOMSXwoFdrf=!DkWQ5crudid#lpm zz8pWqFqSM<)sdu6pBhCG5zS`ar3Kh>KDw0!^DLmnGP~Pxyz9+(4wgi}jc^3Pf6A2i zC$}aYVj1X^2q-%tAOU)}(&&=A&7Nr(3(A;hFZId|D#I-2m4&mK2NjJ17)A_1s^{RY?vtg{a6~8Z z2E*8D9l1=*Q^|#Ba~Zna4O57i*WNhmd|5}F1?`{ZEWtWX=G;&mc{uQ z0!?dPUSW_vj@dx@kY*?rj$erzn3 z)PpIw6}1{Ou~7|+q#F4q)4PZNRMEF+mYN`0IH|Urc*N~d>&I7C3ygM1dekmkH3dSa z9m`1Q1z&;Psat&?egV0a4QG+jh|Cs{-!ypsT2=9@*jT%E%r-Wj)4f(wZXlv~fH zgIS)>oQS&IW9j`+XG_s69;^240UMdT_Z}pYxO1)b=(3=tT(QoI?IF|Mb9=E zo1Q}E)INf!hpaVqE-(+WF2Cxa2kVS$3f>INC2kn>VYMV#-_tZETx0R;#G~p<+h%6g z@iL>`rukybv#fBR2w#wfdcu)hB`+S37D0S&Yg|(kye>8vYpryp0%sOvjk7YhQ_Y7t z5v1Wy8-#twAhm&#_PeUqHm(_5_Z+?yNjdJxme}}NmRNCJ);GH>3$pEqE5U?vRB3oi zWOC-ZSR1YWN%&LtOFdps-{aLq;!+Znd8p~ zLvYnsWRk3eWYs}KBF0awB)5(gj;m!kh%IXw&RB*lFhP3rjeC9?4nh& zV7FoX>4%hGWHg&U%?7Z3yY4!$D`Z@KC?1E?C2blUR3Q%4`f;3bbPyZv$$&}^*oI_! 
ziK^y7cRvkDa-gRqPVaCAx~1SAu&H6^itJg@nuc%bxVS3dE+$Zl;)b@!gr*LqDZf%!wxGeJDacB2T$Z>M;bkTW8ZchoKZ4a5!S&#@)HL=7;;k)cV^t3H~X z3T*Y~vT;VgNfum8lEB)~aG+P!9~zBqf{_L)Bvi;G0{CkPRA5y!j#Cn}Igi0H&9U-u zDFTWrjA0@|?8xZ5DloqT6Fr<=@USawdJG;%h(a_1DYzhLti%H)LuRl*2UM91MuoVR z-p|cE^^AGRO*ewAY$~_VmMU!AgM?21Q=DHRLy^<(6&o6i?uiE%LaqBpIe+RB@jFSL&STQ ztOw->QEQz(G4EZc_nLKt80zbHZ!i#0B1m*4fHhG6Lc5CPaTFv`gFW4BG7D7&90p`d z&w<^5jkek0VzJA}FaD@Q9uP|A1#R zSlhNClm#pQt)~ss3~%JRZ185CL{;mI{gC8Ru(3S<*r~L%UOFnK>Pv99OkDUKf->GVRF;57rggu7q#^ zT;&`|0q|!!$Re;4SyMH!9UAt+rL^5(T#7odxQ-4jYbd_bKHgOUR1hcX|6}Ye zNZ)e>#5j(SNWPASIpljAFFL!*slpFhQ=n^N3S? z{l!B$NgwZc1hckvWl)Zad1e6~fg^d=pr2Kw)|uDEa?j#~UzHg&pkzHNQy0Otk|*+= z_RY>2t8Yr&QCB++)?tPc(2^><&6&&fMIWSxEZlV>!;-NTlr)oqRnN_V;?6|bMc(X&Hb8(Io2N4^#xOcA%f-^b2FM{F0Afh@^2XmSJG~{$=2c z2hZernum062sybRisW{SIgG6gu9@ddUhwk3zR(YQ3NY2snhXVJ;gre*DA9404GS#{ zeKs@((;_O01X;r=F`N(G`a?2;yh?^6ezYZly3h&Ab;@4tY~3XgOXEqMTKjr1Wy zrNsvDP&VBkm<5CJ)i%b@zZgCdzt1X_YmMKc&R2M)Prf<9&UV|^kNlc2*3eBp4jNJ| zbWAet(p9Kv%8L+|<8AWHI;-0{8h)7!b(X`3;;}`82-&1eV;qI0LXm~7Z?r2?U8^=t zdw~zJcc~~1E%I*$;x`jP<6psB9Q zX@|WS45D8t<0O8pSAn3VEBF~X;X8490Z8Y4pkQpNZ5E*%#`gI3pkgo{6sk5Ra72(8 zV_HsTKc?W@2Il-M5IgV58LSSvic`b>5XP_*+(})TL9i4WqS~e16x)@>hv0+96~F(J zZ;VR@+k58{MhJg1crw0z1`qw)JA)n6?zMZKr-hB1Uk?|;u#;UmjZ`F4NG3cp9?o*=XtoydQG5L!8PHu|~r0T$yxB^C;Z5LT4!rYR5X}TD+kn zh(h%$OL+9nbW%_*8N~rSKe~XDequGVTdjU2Rza2RHgR!GNvDL47Ug7ZPNimgaHyhK zs$_3Df?C(dc}v;YZ16g~9c0D6<%(;(_J6#w;at-#O-ile%$gAL+Xcs*Lxk7lVFLG1 zId`S=S7mz?4vItxE{uD)DjO*~bI0Bpwr4_DxD9s7tSU2Sv05JyLQ~$oJYzp<{a$rf z=xMlIZBtbvc2bx96%s6P{Co;qrPo>Cjg%ho&L9^)*)luZCRjQ!cK{xpDLI~(fNBB@ z%OHBZdX>6EvDbmRo7^*8+#+3lK0BT-?salG${P28b91cV8u_{c?p#@Mf4O{=jzMpf zjiyM<4FhLgT5g`S?1|W@&UO%QJ)`@tDVpqDf;d>7^lVXu$D<%`!(1)b zQ+ZV3^`TOH!a&)nuQkEVwG{mF@r;fh&tq{RG3|sD#=rNP2&l$*yn#7u zc{`&63qb*9;KL-Qhep|!@1)5nDzS45kZOC^Dl9nW&afL&KhWBuXc8Ba_(5BBoHs5N z?V3_yuYKwP6f9p?I;*KiEgTwrx*CKtJPx7$v(E7OkMV?~wZDcIYFBYw5Ka|KclL+KeZGv$k$Q}BL zSkluzTX&%!hVcB7#jhbR(tg8VLCk`!=E}<&$_76K%dJ$U#D`U_6R-(%JuRHwiMW?^ 
zA5Kf~-*R7cr(nW@U$U@*eD<0|R?$*(g1&_;gND z2THk;!L+Mkx4lon+It|&ldc#)z);qjExa||h;3OS>PIZoNpc$8iHI!{bnyKK7qihS z3!`TPS3Ve6{~s3-56|d8uL)K;&ElK0iiz4u--Ua_*pv19`(6OF8!);gK!SDyY>fHG ze26Ev2r%*A zEDMD-m z7F`!NK(<0s^&(B&L44d4jIb;XdN^6ZB;|#&Wc&e_EcPChS)r;hO(`S z70io_(!RK;ITU5&<1`laOh2R7H#kTxlzby4<_>ii;-6(wLd@?} zt%|F;$Toupf=R*zUU|s+(LcHbGB3f>s|xeUfYp6YfIEomefp;_G z*%&TqyTN>uX4d}VIMFR054N!SpX`g``4btN7bfs(bv~Fia5jA+4Fr@f_+!P|wTz#} zD)Oyro=z7$=DrApt!DSTs=3HUPdP7L`NW}rEZ9b{Ii{IJUzzlkf$$J9r`j9!B!zt0 zpci*?3bB1}0iki+9AS~aIZ$*t1;+5M;?xp{V?%yV5c}a=6Cqdqj9O2>G#85zdX0juNHE zJbw5tP7!L@qi)5$!0gnUkJ?bj*rQjOj9pyo6Y_yiGy4nz9G=Q|#*Yi&0k!mgwZXfotsQFf#~m_fyM^)G!5b>5=NBvnV6IZQ5&%TX&L_uCI{9b^iAl}zFk;}C2G zKgjW6nc8VOu{W?0c|GGT#(2?MV28bc`}Fs2#FZjM{Ac=gBysa_X84C;u2VEXbEjy>NNrBOx5=aY79pKpzM$L3x2{19C$gZ^Db9lt4guCWzZ zZ}r+>TtYeejkj$bXOE>GIe!v4Q^R|EbAsktPR=mu4&<+OP8xFgYRQg}-j+X_7;sEB zR{7JrE*ngRNXG$AwDg*Zk>jkF{*w zy;1smKs=_1=A0i4mV1E-j=d}ccgzm;9J2Z9)OCChMTh--q~^9HDt9oF6ifnFlZ1TX zqaggYZJ{(9px=EZ!byH~#)Dw6{l7K{7noN0udI-j{NoaD`a;iC9k)t|>x=h4XsB?zWLo(ZUyIg59h z33vpH8T*2rmFalx?0WH01Ca5l=!tov-L5K;o%?t!a}q0fdO^*!rT{9Vi0bKA!FzadbZCBw9sz?1S7bm# zi?Q((3fJ=leUhJ~BaJ9^3d3J3COY8N!VQd4*SlEz&yX~wA-t0xv(9}(eKv}KdYf$C zgbLe5aWFNzUatf8r!7lbOTr?9`qR*`mB3lyNbu9va=D$?E`NAQk1vT7)mV+oJ71r# zs~|7|@<9$|?qn3EZ6Ik`vZwD6E~be*jSg)d)nCb4c^`hn-0$B#GDKlbC(da!NA&tl ztZ3#;V)Q%N##_KZaN6pg!K2;h0xw?ZAbwe^5%Y*20sVN_jE_YY4mSG864RJG=_5+! 
zEit*Emv6g%LlG&7Ec`j=f*TY@jqZSL@fA$X*Bs5Lu{}qfi;O)?7_uJyhJ_=4dgvF| zP2fljdnA9lz;}_Mc^yWUY7XjSB)9`7zvk9OtZ>D$&)O$^M?E!0x;lI?jjw8Ju2oX-L@gGhLEDL#)$|SsgUHL#aePjo81A*?Fp<}TsED6~)UeV^LUwVBX={@H`H;Ms6;iQAhQKG(>4~BG z-Y&B*g09pP>U~>VrKB^|qy0DZA{@91{(lMf+28 z;feOR#(_>4Jl;Mt%&JcUASQ_m-PBrwoeDFAXg;yL6HGa}c!FX?_p2SAtLZg-O6wVl z<=Rb7K1K-OAby?~XFxk*cZ}OQ1l6*!LRJu7^_1?GntE~OSw^>0mRbzxJt)pgw{_#a z77x_tX^qRFCo!zeUslMNB5a>8}8 z_h8VxB)og>KB$u&*#fd zyQhTtbh{0M7K*N>Rzc;lXG>nZ!)u!=F)&}3Ab?hr!Q<=s2&TfCxO6#TrTEw(E-(;h`c!!WB z%XF|o{cyPmtM*1K7nEmkqK=aOg7aGjjSeh0)IW0Arymg;hCjkrDNP+(hiyOLfmlRj4mRMnEpMul z_Jk?u3{j|f=3#x`I(2DbDir+p9#9HX*`;NL4?vBEm1%4f++Rw~QnTLNX2wPute=z? zerHgTXb`~$1Q@qE&3pf| z^%GW559pkf{|y3SyLp6HDK^;+EY0mGVquj2)P?;bPYY)>xsgcW_0B-gEzs zd)0oQ#AmGDhPPz@p}~uAk{XTTAq;-LkV1)1KW!fqs1|?rj!Xh$`w{tHG59G)*ra=> zP}H+ldWOL7a$Z}#qfGz&JOzZ#7^Lcxwt3u<0#~>IuQZiN`puof;gi81;ApSrZ$CB) znJ^FpYJx-X*%p}zc$Yc{yb$3eXy3|6M~9l?(;|bkVnh$^NA0}Ov5{6owxWnlwo1>X zY@9!r)6Bi?C$7vh2sTEm{lsM42+63>)tWHpqD8W$PYi$mt@qVUMOo$?mmFr9{ouvy zW!v*!s{}l;K3pdxD9*)rP3=$SW}A)JAi4gYC8~#bZ7|U|;x9lPO)F7m9~BRwLvT;o zTByP$zB@@>Q6{#^g)R$?h;HBF*3`UiZ0cw+3Z@$$tCmb7*9{|LwROkD6Rn*gG7hZ^ z+rgqyD{!Ks;Xg;xju|X$J$p(dnKBT9L8P-Oy{v1`?*R7Y%+Rw@;nk-Wk-Z0B-`<3< z=-{2R%*_=R1T6s-2~7gu_q@k~;&Imx5|%h_4#9G3yv4Id_?+JjoQIS05s8Y6_35VO z*Ob=yqklNWB^^@P@(C3TGAo_a4`$Zse#;QxtLWuc+zt9_hLLO%Vd5T{#-E^XrXb(= z{b6cRe1-Y%J1EqR@|D1+Sa2!QbSxvrIW-i_9Lefcu>$sGLj%AWhUq0WrC3+X$qyP8 zod zW^E-wt%;S_3O|O5Xl`C8=p)XDj;pgs1X4f%b8751$$y12FUUQ!(wScY#9!^w4MGsigc<90}Vk;kX$9rk> zOyDaoa1I=cF#g^`&AiIt!LkfxZ*-b{^M7IHX%`gM*S#?plBk`JYcThQiP9JZVrTm;km5wSSVnV zqurg&$7u6kv4mxCpnJs%1!c1;xt0KkgVScm5hz~#pU+86Y$!ut1WG>uQ14BV*K=6V zXM4Q{WBBsFD0#Mx2Iv>wnE~(c^XJ}V9e}1^wgKMo|9+vm9)MZ-@ILG6z2yF1)gVeO zfltjnEYOFkX?0}tG}`opR&LV<$BWnaXwS!He;+S*$M1f=e~;QkUk_!>Y*-dWI6%n{ z|M)pT&DRcmM}`5EMaPqU9r(W_1d0C-$>IMm)8uL+@ehE954xHZFnj-U6Zw}Wt+_w- z$?yMxNPl|^qr(B^wB$bUcQp4L|9gcFA2vUu&3NeI2$-(vR_|<7-ng(@42F1 z|DH~KFZ3s$IR|pf_3HWE_0E?qGyFp+u|WO({Z=IE1g+YGk}fOiYg0OqS??@5=g)U{ 
z)c8Ou#s8x}BihFj7*{r-<qP8MmL8FI3J?hoQK*>tU{sVwgBbT zwje^$0U1QYH7e*$4EKMYe!JLxKh)-FJJ6dWLc;NSmp!>~@S6)TYCxrx)69R3Iu%>- zt{JGZvtGo7ysAMer^QgSt4yvAKzD}~^dDRue7gU;r^;<9m910%eYuMT$&^=ych;XB z%D)GG7!j?1TK$(l?Ijv6b+?TE0XQNNgnzHfUO#VPSw7mD$$EeL;j|uBQXl*W{9^QH z=00*YlXl4MUhWSi`>J~InI6{Un+|}-|Ff?dX)MnuYKGU%8Zg7pky@2zzznTJ(6t)! zj|T{70Z?~1{p4G04m?Zdzh^1P%`5v|)K=`Xh`p5h_kQ>_BsbP7>Uddom~^d0r0?yw z$9z)W9x2wIRYpj{x791`v+4e{7U%sRAxoZPUkaP{H9XlApg=95mqR00pAsVnj$XLk z@1|gkzv9qu3mI}-goYewUG&+YcptD14Adza)`B+>-d`t98{2*PaPgKDK1uKm|KH19 zv_vn-lBeFt`u=V@6P2F(0zCCieHgiSM&mzoH>cG(QyHJqIf7t7aWoW+RDE9WI3>{9 zu>ppW8$ehw3mqg_$RKtkM7a9Po8%VP@|N^FVbvg-&$9*^FL{u2oM!TR)u}n@P{`_d zAPmv|j(!)bS8oI$CGNC&3dU3UW5~yPPWCRC4bJjmi(7`v)E<}?t+IhV?$+P_Oa}I4 z!0)@)$Ho~6NfK{UCLo^d-yd2Hi38G$Ypc-5KcWZ5jY|ga`~AxC$(MiZSLC>62i%UK zI*3+=Y|Fgdv{jRVF>U$&{(=$Ksq$!$FL4Y7mGd-(;4^U_@t8I_1TBV`__GTMXipRm z317a+-XiRlb}f%ehE_;fC4@Kslyou4FbzD5S^sEftnEca{fC%qPI;|u;V(X%Y#QC6 zitqzv7Oc34dFw(Vx@{J^c%w^*G>DPInbafTSs%I-b+>M3(53heECoeY5d(B7ph4Qs z50;=qRrrX3p`MJ(t97#xm(qiI%NH`>TZE^%N+mqy?z0K6SNC-~khYr33t|&beFJd1 zRCc_GU}CSL)O1ijJ&X;8&isu&?{BdFm{g!O5M#BxuvoFO{sU7-d-Ch255{E7>r<8{ zkX&kZIT@T^2Q9~I3)E9U{k!4QczKAkL;`kF5OP??SG8a%%GdoTNX1k{>N-WBE8IXj8Hb5mhG=R%BLhtCuf7fb|jQvs_BLsL6{vH&&mxaiO?{ zY!N0;t8l%9M4>uu*G9dMIt^*XQhZM}uV!6ZtEUomB)U zCgW9KG8ZZY7hWUJR??^#X&PENy`DB~qy@bD{~&paLu<U4P z2PI1o6VOpU<9(P?%z@446x->61kuBHc64}97*8_XGh*4{CD10vW(ytaBcUe=j~9OK zMA%`9{3L(6O|(T#Itjt2oJ_&-b@WlF@jR_fTB|tpT*F=_|I^CIV{EQ2x3@dSTp8W3 zQP?BtfwoC79Q--(5GXCx%*5o>V|4wgM9OoK+UWlHw9~$&kLv!DG%LhI*TV+E$*xyW zNvUURj-f<6wsOuJaIOtsy6P7!$z>_Ov~w=YRr+h}2+eq()jf^)x|lr4CB=&ht?@}3 z6eujsU^19d3krLz^@{vR4;dTV=*QX#E@%^lhy3wVT>_;hwVIz=qdPh%+WKWeh7!IU z(dmgX>D#VR?{ah01=kmn+sdqRqHyxctBL)WC3=YqxnPgW>3KEqDXBR;PzdVjyXln( zu4rq}+%Gos!&Px04CPu#rBtC$j>&f4EpnED3zoA?pW>i3EvqrK#3f$~G0L|0K`HeR zoeq@y4itriH>W`EFz1!Z;A2HgR5&1+=YHvDRWV4~H*umv+f9M%a zpYQY7$f@fooBvr{fj8K&U+8K7!SBBc2JhAMpJpw!e|oXbj^e-2Cx@%+(t^t~u;@JK1dlQ>rrxSgUTV@CSfEqobX 
z^f2U3H*h+2%DLgFsJYlAVp3f>C&b6D8aO+*NbwpLT=-z##*~}2Ao6BTu-Kl|Izv37 zw|>)gkS2D-KZC&K_DnBe-3%&Fuw+=nki1CDw6~f)Cfg+2oJszky}ldw1@eL@_+Nz< zm0GrQRcH)}t~eCUg_EZ}7E^Ghp6#E9vD1Hedg{8jNlsAe-^n%@PN*~bgp9pAv&?v5 zzFn+%k}7AcT`CIyWoKJJ66bi?cM-8IjC>K+sMecrx8KD0j*lI2fa}`3>tuqjx(tEz zvznh`gGSWFZd9Eq6rbv;H~H?zLAn$8vb2L-XR(hgNKuuhzOv~Q8*fu~JLY@Z{!*)} zz-gc1TwqGcl*9hmj@}z1|LFaCF>%0HNO8^L7l`}8Dm{EmFlD3qd@{fQmejfc-Kj8Y zeA!zyYsuwfq@Q=3L?xrGXeH#DTiCz*Y5{xWaIn0p4bK=?u1Ufi0kV3`~-YKQg{d8g6+ z3j~||CVJ^SHJEYPJ&^7($yROS2Q0v^qu)T8e(Y$XBfMVeEmMfvzD|53WW1R9c#u5L zlJMI2C6dDcs(k_b{yXkBjd_pHxq!OCdlRXa!avV?@H=<2!t5AN3-)=BwCQ-ZT&!P= zLweR_&%e~l%Ot~$bXhi`? zB_>nz*BvI#aXhP<@TzD2V?Ca0WhCC6T?bIEx3O%0?mvIkH4=-7(rx{AyR^ut8s(F9 zXzURdWGnrbuz5x_F^8tDavWU2PWGlsj>J2&;;%iY;jkPjz}0hF+s8(C?=4}k=LXF) zgb2_5KRoM4Q2sE1FaG|K54#>VHNY>1$?=4zUqsDnbqtoXZ9RAu<18m#+Qz$31{V>o z-scvK*gE%JM|{}w=F2jz?6f<;boJEhbz8N|K2htve*GTn!-s;=m7)FO>etNtsA7H^ zK?D>Hf7CuAg}&LOj=7pv?=}3DR6G!BZjlqDd{m}m~y(MF00A)*4KlTXPqwTE)c*)+OZ7UH4-f!}tfD-FAJ=^Q$GvM=JD+_RFcE1dAjxYM}chc#%MyJOG6Jd_7-p;?QG)_%1pbCF>@vkK> zsf_9vIB8)2M*Kv_I-~KVF~q&h+GZdh#qz!LkO6-#E=8Xf@t9;fZV|2|Ji~2?QBSN$ zRlI5CTUwj^v*LB^HR+}oR6yfL@^O4UW)%JH+#FjQ)j{aKzF{lwJL+X65n;V|Vr*a2 zNV-=7QJmJyMu1~vC(o2b%pEZV^+raOx)52@>W7syyVsA@T-m3mbM0_s5B?{p@MoX3 zwd^lMNextw2CQZbIq|+=VE1H_H6-=hV81QJ-OkFDAFMwLCdVE2Li6yjP*P0Xu3}bx zrdD+w;EM@Qoa9o}GIHk1$gNa)rUM2NV(&6@0;8@E^rCT8BxUjg<9z4YmNF*s69t(g z(J0eSTAVMUEB~$|2}wtClrk-&fN|-iEjJ3DeyK|u7Fr?_HGHl4tnb_=x>j>5ka;8C zz8U+AduQlzz$wjNVyZ_yRzbhgW!1NQ-KnSR9Jq&ulKLiH7wyO|UFV9m1=Y5(-$lLo z5k;T>X3Mj};HN({0<$@n#C#?*V9Wwt6{_J0)-vpX?(ouo5);$W=S1NSD|$7UG>ySk z=le!&Kl4;V2GG3F%)^q-aw6w~`>2Xz5#Ej{ZjOYGS{T?9i%{LHczvfXjWi_cMpCl` z3ZO6b*aNwJ3~i#B!$$5ev4KOEEPvX=7%r}d(w#TY)gHd{rqV`FeQZ%h$r=q1Lw)#fYE7Z(lwa+PhVQL67#g*pC)1NP(Vo{KW|DIK#{@^)eXo$|fK&%xOsZUekA?T=s%s364sEgIz*15 zC`hbROjOjab&7euFMG_0-iEc-n^<0&vo@;?%&XNl zVk2G7CRh{i@j|TI|Duq!u0e4cV zp%4KrIHGVloHv5EvE`3mj9BI|x{&;Q{ay=J#wc-t{4KktOlnbmcO+TFIMxiWA9?t^ zxi>v@#wv$S13~`pp%SH8UD2F&p1 
z1UsT0E1-*cDc?+Bx1<}<+xzNy;VVJ98NHGvOuF+d{u3^{*SWVOW9a?x^+KyDc&{5H zrVTj-^er>gpJNSQ6xGY9-Z_J+HzPL^O8whKV-0O%3Gu#uVMnYdx@ZcHPP|uCbZD>* zL)IPcDIljlk)y>MY*Oo}%ibStT|eR5H1)OiOt2L4(w39oXF;0|mRa(z6VerkO(H3X z+Pr%-rSm?9Drq`dbf7xqY2IRzl3T^Y;t1JQni@x7v<2gKNZnqgbwnvriWG=^WhqJK zDo34q%_T}w2^I<>m5JeB_OIQ<%!jZroyBGC5ylytVQ5{$)={qigarhq>1UhJ#!uVo zyNbm(y2<9z^Lfxsc@ziV4_vm)#kzyZa|d$*EoCJ)X~4v+i`08j+mGDTuspWh<;C#&Ja#5>GYVCQ#KM-fj6s9x)>QFJ_0omvWTUzJ z@gtvc2b;4*mz_fF4)huZ{E0)R8@Br)J_V-ig@pTPkpu{y-XcUA8>y7PLg48`hF~1& zK?#$j?6gb7Az^ULh4^wApkPux$N^@jBkdZg&*cMhn>ZoSc1RIO4&B#-m-JRZ8r3Px zesoJ|R;sfreOUb*5WMD%12x?o2X}Gn9iPr3EMR~9@&@_wD4nG^cJa&uI)g}+P;DDL z{uP621ZyX+OQEEWrGGC=$c^Re1pAvl9TF)?*s#g?OT}kSi~S zViesJDv?WWq@s_!N#~s6F>SzGyz!A&-l7vkDNf`V4!91lk9I^Ul3ss2 zyyRpeWD=T`@(okwsSMqb2HT~(<32`4A|M88X`psu9OKgAoUHEG^#H)c6}kETv`eL*UY;rC6qP?|xfrgr-Sh!2;Bl@Y6PIt86ie*5B9uCNsrP?P~tv79Lv z0|-s0-iTR$+;@YR7Nw?}s*?rMr_T=N7>g&;r~a>Ki!Z?2+md;b-3uHp?D|Xu>G|fy zZfb>s8at>Gj(OJZC!3z7CM--ugLBIfHtWZ8gjt6{H}Al)tqqhzs7Pm7X02qdqgqIn zhxX=rk!e_h1081HIS*UqYxG9+qJNyHm##R`-NkCccFM~=L>|k?gN*xn0nN4#fV4v; zT^gUfU~qD#U(943MT@b``+9rY`laB2t*zZA&r^(KMkz8aNWH!XPFoX$wER$^y2PRi zgM`>K)b%(*lyJz57SP0M4tC`8wG!hTSiOeiDFDxC_3AdTD1<#*5 zvxn_rHRw_gkY`uS8L{$E&pGvg?0aorCas%%rl5%6#1NKLnoOyH42TG0OqloPmLLyt z)R}K+#MKj#kzV2%D9CWW*^_hzkJO>3n?F8IK<|ZUGBFgRtYHdqHhu+BmDW7R#ficB z+-@&0`C<2YsMA6uX~LRd(l=FQ7AutQ9kJ0lO&#X*rMjJ2|$7`(nUU76$&?ZO^z zCv*g@1`rp5x3rp-mKMQ>ZFdGH>foOeg*l%3ws9gm-7s=Q=bZ}T8GttJ z+(?mS%|N0Ree=l`Z!9ZUUA0bX`*=04Cp{-E{1>7s+^$aW=zh=uiBLs$0wN=+lEkMp zk6Ewn;2Q#!YW6xvPemLs$8Gs|Ns-kjSDiu6_7MvwcxIp4$>FcJ2Z0GWt7k9IsO__{ zhPySV0S4p5KyJv$B8!4UvK5}hPeW&9|2N~}P!Bandg633l|~Z3!J>-~)_Jc8+^sRr zNFZobJW&hvO`HkG6gz7&c%x6I$iH`}dwlz_H-x7G-C{9*!vPasqh;cn@9gw?OCNuL z)M(t?jmX3L*DH(rT2{anIRgn=>eleNY5I)u_$fGXg-FZl6e^gW;a6&kiMVPW@ct>_ z(>0|;Zu^`~!Zqqw(iWfboa!S+g=g`cE@zdNh(<@;0-rKpj($zg1Vq;P&A|P%h6gfE@|lZ+5g{lp1Qbc}4`784 zlBRsMNbI!pE>;_q_7?16e&V(XqXsCP2C}>sB-AR@m=OnPf|Z!z^0 zzz7Eyrf4F~W~cXWPJG30mn+cDt4)@=x7tM!le76%@xkIH<-hV1nwGD@sB(#n!3(?+ 
zh}wLb{JG?ixFIPo3WLr2AT!4A+UZnFgSC8RBnBg_ewvYOV>_AhY=*d?Mp9Jw_=&v= ziCvP8 zDt07FWH15y0p}ac4;+l$@tsLAUCWv{TA+?|;3kcwP`b@6Hrzf*Fx6`5TZzeF3@5>w zm0YLDyvBLA5%u@1Dke?RAqahYj07wY^RLmphg-`S>V?&OJca|(KEAQUFcEu7U+4fr zi}9L~@}qe26l-k!$DFSv+BZzETQd@ghwRAm#iQCa@lq@-MQIQ`d|{*^B?qn-$iGbB z7dZ0a4Xto?QaaP!od)jljd6Nit>f%bor|nm4`RuAMk4|+S_vr}s+g<@BbON-q~?{Z zc;6Jo|Kd|g?k#-7EWuJ132h`~m4XRz@(R&zxz~E)skT26|CBu|^S40yHD9}t70uDA z?k1i}$@o2yR}@_Mi~3r-;#}LvGes`7A3e;}eG5qf?+%1N!09pV1Tuhmraeg{bgc+Q zJNvHTEnpoYUrN8dOuJ`_O7t2wcv+2^LF4JRjP)G2pRJj|1=4UFf&f{wosT-uUd`^V zBU2yvdQcday|*HzGM4SENLVbC7RhUKb{sNJt!WcZYY;7FdCznxlj{8V`5HuiGfx}= ztHxu*Jyg5pj9SZIuw@=EhSxLHIDt*b)b8>T$B8;#J4`3|^NMQ-aLdh$tSnkqwYOVW z>8BUU5<}3_#Gn`p=jBIJD?j>tJg1aN57f@by2E*Jorn*~1v*@x1g{o2hLZ$qhN*>? zbII!wJ3aQ9sF|KXD`vB5=Jwjgu|E}diwS{zNpCEN)#|LnD_Nd^4(GQKR0xk>1`8?! z$pFQI{BC9x`&g*xP*?Xjp_vF0gL&|ZfCzh(*607&$N471CyzjPRyQv+NCkE?QPVZW z*T8kq&qmoG`0;TeYC+BrMcKizn-wp`{c~uUst#FtYENh`))KlsfU7T2}2qJiz+?2}3}mn^A8LI$?g+J}=NXZ+DgAO17S@z%dDWyZZf zHabl3=?Eg~%RVbqz~z6!RRDWM91tRi!?i`)$Tm|mjZP?{h-KN7s;Zg(%Or-oX=H(~ z&|{ipZ|NXTFo!`+z`Ze1U#TtMwEgI%uymMppzRYx^I$K~Bcm+3z<$XG6;qlWqbp?Q zribBuuv-k{>o5tXZ}!M;e8>phEk%I@;bVHrj6uF#bS3#|?jcI{qAR)<*feYkGJ3;djII z52vb^lbWV44Zq(lA$QW7O>!6BlzyxCt->J{yTLWHA_X(CEgDB^AJyWUY4)(h+%q=m zU6GjkCcE%rd1JmawR=RiEHEn?!S^CyuelU0=R?9O8mOwhl~%K3<)X^2A3}{pdaQ-P z=-*}_C(`vS9n(3mxG12VlHBYLYYIs?=uX7qyE1Pb19`(O0E!ugH z&eyrl{c*TIqDcJ(A3}95i2R{OteI_@xcB8&E;y>DbJY=3gvD~-;qT>oA#e0i$+SrW zy$E_3-;o@L;5KPGGr zdtoEP8e#jYbZ3QY*2SmWni*)`Rk4~jWbICDVX)}^BOI1qlF1RRZ^q@0SAuf0fetYRMZy z|1o*8QX2UpW2PwVRz-kv3LboD&khxK_v3Q2`u(J#LTE;0c=qO($z)x%YH8PanYoA) z9P9`IA7r@?HMvxY`hG$$k{+W0k;?-brfV)UC^28Z<@vSgG=>o=y~f1*Vex;l_f}zb z#@xCn#a#;&cPUof-Q8VFp}4zK+={zH@rf3vxVyW%yF2WUf31D?I{W_IoxAxw^Gh-^ zJR@(CP)HlIW#$!Qwz}^U0lc_3Ou6vL20L=^+=6Pm=f|5Cqf~Og_WxD!)GSddwOcQl z9oVJ|{v&a=>^3a;CO_5$mPLCGT|Vb0Oz^98Ta(v`Y>M{bK@;1K?KF!0)Xp5Z?}ur6 zvy`YtZ%Yl3j`#-KqXlSOdmGchk~Km`Vc<)#bC(m01)fwtjkhc_T`#C8NZG*0)yeQl z`>Az+-6Dh=FS&jNeFQd1ynQIHq^Qx*TECgY;Z4*)xmrx$kVYfj5_SfUR? 
zx>1-3i(m&71+eKyZlebbuMB^iaSKzy)f~h%G}Jv{!PLr?o^J$$%G7y+dM_Gwx|oI; z`{79~ibjmQ*EF!3M75q%dvN_OW-Yz0SYaXko=E}OXugCA;_q1Y-Xy+krW$sA>BUQ$ zS(A>+oj{9%3YC>zo8t`E3#L{VMw9q)l1OvDlr2a410On`IfR98b}?WNY)bwv%w&F= zRw)YXB(H>?lJVbUxRqbZ<|+LX2e}fD70*{L?2eip)5)|{mz6>+w=L?wLRnZ&5A-2T zTLC@z#!r(FlwBGE-}8D3h*2SFz`qS^K!6K@8_*gd`Ja|BN%fips83}>O`q|Og#DbAeOy(cT7wA zqjv^u1%{7QH4>z7$x_p*B^Kg=s`27b4vhs}r~riTHkaN~Cp-OcVF0z0L1YW|_rNjM z9NoPmH&?11*|DY38t9%rLc$*%YLcde0slob7?#s=nPH| zhaIo}@}HN=6e4rn_lZ6nMGA`10c>vmFag{u4DBizQkn@E=@@VI8ZnRyoVMmMh3x0~ z6V6bWmxQ|X?}Cub<^%h<7vDpF;@&meFc`x!VH}Dmg!YH#wb?z^yf6M@%~H)yXJt_G zdQBD6jRgJcEQ_vB>G0c3syZ^C+K~F`SK%6+3~nKDLFBKlmWi+-?%txTqpBk$T3A*?mEJ#AX%B1Yy5>Lu3ZVjrr zLpeg;0chISmfFoEJx6E+zTN&&dO@b<(YnxwvVD(P;u$P5ZUZbM^el8XFbh#y)s(#L zYJRyi$v+&y=n(n#%P{8Ht=Le!e9dCfi;7Au~jP=qer);2;a~;;0#`2%TbAdcA9|r zJU)%xNmwQ=u&Ne#D7I1WigdxpY?R@e%7*ENRR-@*nt#I5eJHS44Pd+r9gRgcC`$+VmlW?|6@-R0a4i*HaAo9E;jd9Dx{06cMQZKg5q_@KOmm}U+E(;V4 zc2VGlLS_q#Lb%OBB4&+?+dl5>#_aj6-#>IgT=}m_pe0-^i3L245jN!Xq>E?r%n4U#ky{Hql&0+zDcg=@aXQrcAmkHogv?1;dQdoi~hk!a^({m`(> zQ;%nLis7p)NPrHZiH3Vm(kA;I2fr6X!48tslH3bt!3yc!9qckpX%!#W##GpqLW!{2 z{YT(ux?6e}{+q!2pt$b%%IwQJv+RurtYM0EA7?rlxzxn;P4O56KSCt0Q6M&xWOZa* zdAt`}8%fxgf~qdYz~R{(alElcG(H3_3Ai!rMZ<8$KBXXZry-au_L>RV#Lq(%7v_kg zHsx}#M)JgxDEx{9L>2riraDCbI7%bn9KE2K@NKAHbL%z65Di|3%CrB$`1MN=d);m~ zOuC@J8GY`sqd+&xHBB`Unt$^j;jdb(cu9&|`@Z!~f7%vG-|NOU<#Q1pQt5L69quVa z{E@chqX-fSF{9Sr+!Wp%d()Cj?dIKx`>0EcGRWvtgr1Zmqjy8G)uL1mYtdq7zxCuf zBV&9KPG6v@5H)+MPA|6FYH0h+a9K-;LlGka2g0>gOA;C5Wpjlgo@u?Z4GpsvDN7T< zBab!`D~q8lYG9_bQLDuTr<}fk6uDRs*_j8Kp{+=wnpwG0W&N(Kz-Q*me`KsaVCjCN z1UsBMa+4EUojOgg%wa~EvENiaDLS&uA*ngS7-0BGJ6ep7C2+`yY2H#WAdIPi6a63< zng6mgyJV*+Qau;+iJw=!7VMGk!)fi8F=!S!gR+;8d0205Qa4Mp+rm^ji7yJ#0L3dz zuXN4Q(;-r-vcTv<0uGi1!wgP7Uvl)6@Wa|rtrEwme4c;z9*qBaP63$d|KreM4O-EP zL!tbL?PMSU(xJJ5N6>tVeB2_TJY~I_(KOdi6!FhKkEsx8o@uEfQXyU=y3$Dbyn#C+ zQH&k4)LwcN+yCO=G<)kBF!f!|wALo;J}qmcK&$HJ6#Q4ci^Wp{KMuT|TsJ_fhhqdP z+cN8bVbp@~X&SfG#B$CZEYAC0q-R3kT>K!z2XFAIJeoNK?Z*)!_;AEAZ>)pA_wXqe 
z@$!oh0r2SXIlTud1|;Dpz}})K;4eu4hXVy&8X`NPQTfdFAw6i8-oU9-uZpc}Um|0UeHH085&d??H74 z2Ht9JM568wM=<80jc7oAiVCz4(Tv0S->Ito5@{B&SYQ+dIz>$~h6Xri0C>xF>~{`p zKCjz!o3_ZYkjgb!)gB-;G$H^bo`ZY-20p7I0D4;f8*U7c>na4a*83hk31l>L03G_< z@kIzgFW)-c(l@J7lb&#*U>B7m-MiZp8)rkX@d%M9q_@f zPCV)}D8Km+HdxksS`a|81IeNXnIakj;0hT4%G(f5m~erwT>wIC`)T3;J6(YSx^wm8 z6Au8QCeVpTq(T<7ANGgkN4Wk{6@caC1SlnH@!Qe|n6z0s4U_f7@7!yj$KYuydCm9z zm8xQ!R+ZlCmbTX6=nLc;KJd-DZhY_NhxT@95JlbDM)M229x9-4)aq^Cx81kedTryq zw2a@8s$F$$smU7PybgMvZJQ}l!&z?@vnEfIh@|D`R9 zuLr<$370(QEz>Zn>o0p8quLk?H{dlHDEtqCV}krL&~qMpguZS2063ih^faW=<`3Lw zGdq%WrI)-66K>gW)2AUo2X5)LHZ*-PYg{}8e7u*2!YK-}0%qeF)A(+~u-=fCv9 ze7y+G4<1RcyS5NUZMPaJtR=C+Q@W-l= z12dJ^tyCzf9X8~{Ut)2mHd=e5i_VPkzx&$XDuo}8hMCH6&9Q-v7V7EQRV9hsxF}(j1+D7E*c{|l4t9ivr z)4oorl-2qyFgN7lONs-D_2Hp@#Y_BGq^(EESfNH^JkUg*?^Qq0to(B-gnB{PLioiK zb)9f7@?sWcnf2S*mvj6@xVHN>&+%}GVI1Ds6Y?EB3nac`DBud?iHq6(JDBT1d=q|+ z>p@1upt|NNs5xRor7e;I5C$nuT(s zMvX%VoIVZNkmnCkbq=s8O6ZV)5;*@8`fs~{KwdvEW}_nBhk&vlOlE4ZO6YMwmAO#q z^Pa8}`#}{%wUj6lys^B+QzS|ZOROFczjqL82J`M<#1?L{qIeSoeRFZWBv(~S9YquP zNE@&2PosYvKTRF0R5FDh$KA5Y zrs=2`!>-BCqq?r4A>6m*{q>$=@rOL^pI16h%K7I1bW1+@A&jGWAt_F-SB(xk(b+gRAaGS5a(}hnv8|-P%q_RS@L_Zh@5QX>(h~o}5PJLb$y`!oTo^L= zb0JK16ES!LmHdWsjklsuBPCO9lB)lRG~d@o(kj~#w0#aJXBnTw3`~jOl=bIAam+_6 zy;8y{<=(qM32!<3=5JGG#SL@NM$_A1X59u>%lnSeS>?7R5e?=@(kplA)7t&{-5LgY zC==!(-f_Sy>3Hrg7K&KiVg6oOSwS_F<30jzN$7!phj9b5d`yVj7p>HH>6E?o2K|br#kyNtTpyguA-nD~<|(Nua9Jj45Ft z#&%brg5z(R1aQ$s@gk?27%mGZ1VNY;=Kk^%*!<+YH(a<(rS~Qsid1+u28Bm;W@MjjaN?IBjpTsd#D#5$0=d2uJ6*cKZBckRF!7 z*GgtY{Ga;#6{R7f>PLSeeYV!Z8ozX@Rx#x-{<7DIh*#$~(w!ub$oYDfH}fDHweg2; z8@v$_yb$k9Z~I>ZX`XOSDvD{8REjx#1o0pYBE?AFP#=beU(=(tu@4&9>s5A51`arr zVW_rO-qXUCc0g-kykw%#c9LQ|si=WNy3Z`}bjO=l!)7Up`SdL;cTW$6w3|Xc;o9#l z8K*)k)J7U0KdFSbO@Q%hi0X*Ao(<=&t>)19u|yDg%m@DW=1(Kesx%#SIAvf(h_a%v zs2t_lU!oH3IzEzMTWYQFZE>VkHMy=^ZQbWOpKmHZ69}>P(R9fD)U8WGIRcP=L*qBs zoy{oC3K@=`XO?iO>4+5mO^mmVglP7*ndpwRXnkraMrak*|7#Ayl=AQc(nToFXTqjq z_SYDpp1fe;&Oq){o%QG9xtTw05oJ`u$JF`|$9^jc-pBs0DlI=eOxr-y{4L>(`%9id 
zN_+)YnJ?!2O5D1o^=k)x_#|@*-gprP3bF{)jZBOB<3n0$-5S#hE9U8<82_vwliKJ# z)R!jO?HjG(y7B+aD2^IJghk5Rpc$p9VagMJ#t#17EN?j6SdRRstbtoB4rE5Skou{WlrtJTye(t?kIvJ! zi`2QDo)oqbUQ3HyvoTVb*}Xw&G0V4*GW5#R@D-tJmW8^jqZ;Wf=CFq8jPJUOB<@o& zvot?~Mh|UhPcWvSk-M$SQ1Fj#ID4&sgp4D3m@O+|PwP4lFV53)VFDf!Gje!(0wImt zLtlG{Pv1)B3MpW-$d=+0o6yXK7uc+4Wp8okbwiL5_D$-GwsywD zZ#=xB{-v&*pr_mv4B+5irLje<3?whtZRUr+5VH0!BQc94XMJS>B6<1ZZ(W{U_(I7nl2Xdc6P6ez{$S#Jw>c~u?{*BfN;QW}t z3IkkScumxBh87gj2~IG#C~_RtpBQIHIuYo?OT|u1KZ((X-gvZUp!9pdg`t&ean*Fj z5CS4U-xGAab&Ss688hD=gF893 zj>=&fgFybM{CM7Thn?|PjPFw?U(ND-dRAmdU#v2__b#SQ>ep==q!|huXiA{grr~JYh%iL6{ z;<+cv>Rr)Ap44N@sfA*>wUB<2A3hqI^b(?r-6U>_8L}kV$Jy6bEi9bUCT0+S2So5+ zRn&uz8Zj=b#ll43r=EX&x>Sz!Rtbtz5r5y~AObI6`zwdN=f;G(q>@n;@uy}&A0!?Z zC_1CQ*XQA5H9*w7Vo%0e7-ySiHNwYLUZxWvVTkn8nRkT*GDqLKTYGC_8~sQ=u|{VB zhC{$HQ``F_&P3EF$tTGkV3T5d1!*nv$#hEQr+g+(oO*+9dbO3Y8_td`t6&_l$e5LM zCnN?kGpP@S?JoHdmh2njc!yY3q%xWnQ-*8626r5ztKVvxfJ}D2uI@zK8qL$>VBk7% z+*Q@EP=&4E3K{3kJ`j|vFkPql%PA(&JaVmIKBwlZjf`XS^$m|Jm*8?q?@yUjvqG)a zSjma$;MUOUjSl!VjeQ2LZ(|w(O*(R~HTs8=$sF)}(nbbp*!JMjdE&fq^D>OLK6S8@$MY|d8lHTz390^X7RYb2swYHOp%?dJow?8boU+8f4wU-d*FjZ(BcBAy4fk5M9@=AvRRtuY!5W7Q zE|ep*0ciHQ<>%%(%XUNa9K1E{%^!K9LUZ$HnR=P_OZw)`qQp#2d4o>)Q#%-v zZp%S%Tk#}ZjC4Lzew)ZYiih+|(%5{i^9+BKBk_yEx3X~0?bqEJ>K$MXQPtx8_eNr8 zAaY)7*i$rss#x1*AHM7`7TL5OQ(Q=owNN#8QDFE1U59Ptf86 zv9E;kVnEV>)QI21J8HK#d9aw%y3eNklI0`L~%n|8Z?aklaXcE=6KaJkL=)94qHbO_lK%*D<9ZN#iO> z&|k|w3>sD4#8#}}Br7pSle44h_Pgq$hxNr}!a;GFb}G)5F=zUbpN2SGe!1Ny3v(QB zUt(p)Pw7|TuH z-LHZXFnomzYt@+|b+GyL0HrIC`~->260m?+Yi?yB5e%*1q-n@<0Ec0F8IEskwME`! 
ztPuj|l*L9<=bkTF<9?Fpxg6T?IxQB(Mg85pNB5X=y`eT1Y6rNM&KKoMod*>_!z) zG_n=;{Wz|+>Z?u{BT76sJBenncN>ky5+!TEEqFJ6aDHY#DnXleQK*SYu%?PvQgq6G zxOgHfV&3PUcj~I5u&jm)BcHm9gM-VaaY@{n@w|8`Natph8bm~(t>_;%QlHBS{2 zv!w}f_FIHWKcZ+EnkcqKFx*h<1=>he;9^Du-Cp-*hw%XQ3tk_WF^FnjZ`mUOseGe| z?}T<&st{SnRDBv$nRJ!g4NV?KtO!&R^d=>_ffX1~dfP7*3JC2&{5AIqJmzed*>cNZ z(&(yae_h-|uYTa4SbRCnzX|3O(XtieY%CvWl!+t-l)g7pA*@CNO(}YULApGH_nmQ2 zX@FGQ6>Zn{K6d#-oO3m(vn4A_WNb`<%7II}+J1=!_acWKi2*dKys)opj zUBN5ZgYGhlG^hkKT~^hg{8zPgK$>9Gf%Dch?nXMkbzu@~;eS9{ob?-cX>#(`;+O zz8+6nW4yu={8MH5x+Rh_(v3+J`Rb#dy_+{DQm5Xt7pxR+(y|#r4iCR{40g9#0 z(NYdTS(g!58bCqmK+nAz@_sL?CvS?kH zVX|7Wve8^YzR?YYPm3*9L{wXhaY0=Uz&9_gZC8uENScTtJidATlvob)M@_sBB!sOlr?dPl30@~Fjt!dIA)6F~Y4 zey|TZ2En#9!kk@58KK<}9TRy-$2sdMe~9k4Exu#1V*9%p4r?}f2E8uE8ukoQXjckl z6^9<90uz1-f=zzIb zryH_4br`%H&J*WMXUuJE<9M={A|kmvq$E!9igeH3;es6U23k{vBlxsFTp|+4a5h@y ztLudF;g&NRCjOAyI42@{hL*K^PS;tiO}I%R=3sABBQ1C{ONZy^%pu{T#v? z%Y`pilh{!#Otw;rj2J6F$4<9gF1+jv+{fzqYCPZ=_ zP36apljd#)O=+ZF>$S_Mbd2q|lUMUT(6DCO%qsI;sm=txoN#O>v(irhzpK~+*UV*k zymd-}f6R>_*G*)|eX2%4uImLeY){G2a?m8He!(MLQR|OM2wW{YYs=Be1BOjkQ&&IO8ie*{n+y{7|z~o6H}L#KeyK|+K3W{>89#Nge>LJ&~;8!!dc~) z{EmC2^;!vGstUfpKwY&1v_CFikH$jUDQs}B((bl<@t-Koei+_l-c&a=`nar;xD;Js z5fuv;TI;1Z#iW1RV9PjnDat{DHB{Ua``*s>5K8#Aix#s%?txMwp7p{2aCtW;j0>l)UYcvUqT zXG+~`wu`1Y*#f2BoV)%p6&}+#u%kAs_-@&s`W4I#vfB>LvG?W6f4k0#*!-xJ+2S+g z?3dH=#?>PJVVNPHdzYd*@(!2--!(0noI2L+1@X#7THTt&*_4j=jxX&qq`vx#EAATU zh=}k~@Yc(F6-rK13|RTMrqV1r)GXcncaS8c6S4N$R1=ACMmxkAdT^FSf(UlWJnW5S z+LEOTR(Inb))0zJ=BD3>UgtY3sSKT+w`0!~MNRprcm~T}0UL~9K>eiO1;Q6&2*Fhj zHTxU8mYeX4fva&H-JywP0BC1LVNB_a1l-I_N=?1&n_}UioZ>=UD1DUN?Ad+iGovdO#7vHKQs&M>h8-U?5vp8b+@E?p|`1o!G&ugj2(Q!SjVp zO;Iy0#ZhO0d2uNN34eJVIxPB{vS0W!mcxui1eVcxq|1o1mC{1YCpWyvp)#!=MIqxO zh;IK^5Djr0{uc_5{1aAbMgvC$FVl5{N!K_;eS&v5S?N)+2uck1H*qi_3rYRM#_3>( zkr6%VoigB)eM~Zx@u>!mvP#12 zUARU2vX9m*^ZbjDX8GKpY!fxxbv}ra<%E%?CaJFBTNbQ=9869>`+3)aFw(reyFf0j zg$8)6a^0;CrU2XPz;`S0*BD7dssarwBy7ll&X&n&E$Heplp@Mzdv)-G{P?h~GJo{o 
z*<8*#POZ7+KJPIWj60vD$5i=N%8u6f)$WC{g?8>vQ1w1LM}cC6_C(tXv-MFuRW(i4 z$Uf!TA)dEh8P;Fz3;jc2)lN2UH4#Yd^maSMK=g%E_8aUm=HLX=0FgNS@%cX@(qI(r zW6ZC)smqQU*1A9H?aP8}y)%NdXOMAjIQYk}(2OLNBecYJxYW!(JIM69OFLJE+9t)8 z_q7H=2yTL6zb{E}SyNR$#nMhQ2-D7#SQ$!MSk{KYJ^ar}4v2A}<(;(@w2 z*5am(n5|kGg{D{|1OAtx39-5#HU@|IZZ|A&b0O+jj}DsrjP{GZ1b@C0^H7BmSK$FR z*qkc^U{v5gY)qqGZiyaRxMDafi4#EJ+C+mXW z2Q);qNx$)D=wUigqBC1{&n%db^&GF@@My8lj~dORZxE!h>b(Jl zDiNIN+lN^*7o=g~r`7lrr|15X|2_wIx3VWr&v3{|!7I?PG)&9Ks?D-!GwzYBkQrMn zc9sZ4yKg&29Kez&5+HL8c1BxP2W74>tNIRok#2$|sSy`FE)2!O)L+hpoAe!&`Z(NCg;p*sA{9;^fG>PM9Acs5iBhAx_WL} zV^@bXv3T|}oCSlm0f*db=$}a6eY+K^%$_b%pB1=ue;d+hKEq4bu~-~eM&LIY;Ary( zL!Wo0ze&6A9xrNH;d!k`>L|svKcy&7M*)gPxWj|5Rt=V zBnt~pW%|O8Lnlrlf9ic(q7&Vt`rfM(r-kRL?5Pm1p5XQMdqO)G#Kt3o@BSp#g$q)*vgd!kUk|L0^GW^l zSmwM&RjUoOV@_kB~>ew1Z_|3oc+>30@w_s2(5Vkv=wzwlBn9lXTkS>R`^Ez zGYKg0BI%wFt!>m0k;focy~lUkFdQ||(b6o+u~KVGBOa0{gF|;%h;)uTOJqe@BFY@f7a#6B^Q#IshD%e^Zj)CHx92&DO8f*mT@=Z!{6 zc5gx#2+kr+)-*>NwTUSgRQ-g>#~=9=?)B2}61AtUH4hu)ghJ~CPFpRecfjZ+3$-CW zO+ihu-Z6@M_Oa<`@M6RVOfde#LBmaAeVUV2r){kYj=MeTo05`c);&|pXDDpVtwXdm zQK|?+IeyBCq5k7;K3pzbxJi4PnyA(GqDpY=X$|Gz9V#5Nu?-J4rNP4Wf3Izk#L#V# zKV8xs!(NQ4(I9gGquGEpU0_wu-<)HoXBoUGyx9dnlz!D-xU$kefrcM-*9Ie;{mitI z7sRDWYm?E5z*2(p+md3$lRy47nO$Yh0E2V-I<>wSl7EJ@=B95@6imMjJ5OITgA0PP zW?RY%j_sN4r+MM2ab2uAE_P;0ABVLhp6r-~O@qI$4esviB1_K!oSdGM%=X!#o(~8Ur;$W;ho9a8w=>EWn^;0UGi;<9|Z$4-Z1;__Ue`JF=)q} z?;Jicu0~YJXr%gWZ0oRmT5kPVYK`VZ&v8#49K zx7w@WWS45{buRCHHHF6?>wg@+0fvPt7|0O)1v}a<*;g5I8ObQGdp$~r{zehAIe#E; z5!GS&aX^A?nXe8Rz{dX{C?z&9?{%m<%P+g>x!lg(@`bDw6Dv1RiL2J03-i ze}y^c@!(2@M*$#?g@O3#A^hK%mv0?|c^_ymN&?3Fzkz~K;4xEl$8S8i z`R<8Cg&uyIgh;?t`2s0Y0Xz^apw@?Qzz<$#pea$4v&#dt=i?a9c}krN_*1e$q#K5D zokjV2qZ{j%lSG7WGwe6YnW5L*Cr7#Get^`=rk|BGL~T!?3vqW~CdnW8I0wYM4|HcY zFp4*4zS0-SEI444@tL#|8B{lZfVBb!>B?kpU_`zNA?v(5tjJ+6pgxuQY8t495re7x z-t5LG07BVluTn>Rfe$E*Pn3%+y?;mi2ZVAEmvt5ny#GJvT6psSRHL8K$1rqRlUM*$ zaTEBOAAgD(5zrh>U?8Fh)7lSc><1PR#g9qazoX`(rIrr+Ej;-6hcDkZ>z^TosB<;d2o{ 
zG^4!!IOckB@p`{rnR+iRkic>ezA4lZXOOf;Bk>kC{}go()hXz;u= zZ?V@pg|a)+D%dz-^KgXlN%j&j+X}yq*@q*8puMN~_Q!1f?)`%g6=a8fIb45C&%T^( ze=B9P@`<`R_j;f(t9ZZmeL7&5?EA=D<^?xUeBYQLQa4``i0pOeJLtJT=J-`Iz>Jakz@1#JCIX-}PmG=qFt7(?MUTciA^yCr*DH$earS$E_S@^4*+(hb%?t9u zr-$gZ7lnVnwEc|u#T=bG{?Xv|`TXTDd&M35;(?EZ5ZbR_^w+t>OC*sunb)mRy?hHi zxKIaRa_pZaC`P!xZB3o~+&6b)%rGop%&utT^#^lRm#Q=m<Cr<{e$+;okT4xcxr;JwM>0Nb2Rx*4u>= zqwu)$z1iS7@BR3uL1JCBw0DsBf*bawTj1@{_nF8?#rXF8?Xf5|)u)7%%ixv!m5a^W z=EHBSwTXtscB?T3{9BH&mcYXuzqJF6kiRi#{9L|F> zIPG4mTA8YP7OnN#u&X0*3k%-tqOcAy;Ys@PZeap#pCTZ?_6< z?+OA;TIGT>AK&@j6Scn|5@o%4ckP>P0gkN29P&ZF=lz9e{jt<{b9h`1xXdM}(r20g zGwJuXyN-|Cy`0ANWCn~QKZ-LuX6VOE6@oKr$^~0OxlKq<6?jmFr>sBYUnM`66;XPu zEh{{x2P6dHy}#YJf1^metX~*}d{ytoGkGxXv_wE`o!Y$Ke||l>n6)@-@WJeNKFz&^ zd|KTkvR-N;tA9bo7>11Knt(AoGI9Dv5_haDqBcL~C7A4@`sm@scB=W+^6%WsALlpN z?I;uJSYkT}$hXP$r_%S0%9kao_a%XDvsr;)I~EdwMeBmHUhV6Mxks|!90yiRXpk<% z7oNV){qNhpZ>Q1k<&})uzC!BnbMd26?W&moKAwAU`?KHeAFfB2_w7cfGO816lCp(q zg3>#5YkZ4cJG!cKBZO~Etqgbognc}!NMx+(=+fQ%NkoJPahN+EV@Yj%kd?RIg8*03 z65Z4+gKhzVm(D(4n$1c5;iwI2-AR5-!(hRy1$SD~oH8R<+dJMrS+~2WVZ>{}d_Rd; zRi}kx=A4J=@BMk37V*qb3uv3F=z$vr&g9Lx1oUol2;*dKuv$5!QObrlm*$xMz9I0S zL0s|J>F3Q~qzX6%36c(T3$r7Ex9GNa0M%Y-Zh_wZZuuVAcTTJOpB4hI<84s(qbSJu zL5??&z^MR~Px2}vD(~g*R{`yJ=U!^8x8G8Z1nytrr&k{>#;ARO_Xc7Zy@j74HPNk1M5dKomp;2Sf%X?_zXV8l z%AvMtmyaZLon`TNhxAYw2o%X!B55j$ye$Wvw>{gOnsirV?U`fpr<%kiP^Hlpr`e=J z$|u!=Oih|i z`(n0*;MYGisQ!@-#tb=5S?QMHc(@s5G*EYwldg5fJ-sAoc>t+wfoV7=uqeeP3SIVB zcHToI{raM<_9tta;kt9ouB0>&g9S59^>fj8+;Ll903;(kawyOpJ5~B~E{>e9$=72$ z1AC{G%?)R!TPv-|14;_-wp*))6?`<$xrDavkOH$QPG(-w6QWIf`||v4PvG{s{W5~6 zj-9@*QpYjtTEXW^<85;M&Et)En{9~$aM;mc-I3Vhb~C>3-(C<1e`njzv;(%9bu$lQ zLnyCof4220A*smieQ>rMb9^Iue?<{^H1Of^P5pZ=17yDQg1-k-j;TSjTK z-k!fSed9Z>RJ+HRA$YXVL|~zsWvV|-4{); z&_A-nrgDKZViJT&Vk%_KR;aMXPicTeTRqPagE`AzsoONO@;zzQ-BFXI4 zlk?**@}{8{i=@*@&6=_~Xou!_uWSs2TdNjSP$*Z+e4n;g4xYamp8n6#vw}DH2`)ye zdtd}WM@0D4cb2|cXSO*{aaQVp)RzZlapZq~jy1wE0`BA3EcHf5-=wEa9`C;+{Igy! 
z$=HgRED1lgi=1InI%!!1KzKtL2{g$<-}-iHCiX6U26>u;-f9S2i49J<%6(BN4pO+? zcA6TtN}8gY{+MLZ%_0!RIZBBk+i$Q-11BCl_x5cYUe|12j?S-998My#3GB9_-?m^f z+TMKMA_T?-G}+#E$Jy2jsd|RuNjkpuSweb0UAFg|`DdEg&8|OPZCm$w#vIE~&Tc3{q z^z+!jf7JMVqLBACXZo&x>iDfK4JknjArr@_^eiK|I;SBfpo6ihUCw~JC;R~UmPwx8 z!Ll%7WOL2fP~+z}0q(kSS{4(x3M|%9F&@I+0$xB?GC6JB#ur#}F0%kWt+o8D$e!>N z%y)q6-eW{iUEfSIDXY69+4FbW;^jtPUFtC7ewkHlSxsaZ9dI6w(I`6k_+gReXBze5obvcViYis4-aK zA8UDt!WZD7@Irryi8Wq*HVju(k*k^|`dZ?}7Uy6@rWJWuh&k~nM)orGZ4pa) z7nVkR%nk>p?a^%t0D%2wi~X9wNARod-$Ws@Zu7D5!%{SF*z6}~>%9Bf@m~dz4~!k- zSAkj@P(+ZWtC(D+bFSEJdQXyUk?IDLA7$9P=b!AWhK4`4m|dYGHRYA?q6y;6)n=TLvR-|5aTvEmm?;$gRcGbl&Xt3)+xzdt@54@Ok@VIaB~goy$^9@&9y>$_3F zru;@IaC2GtHnjdY>RXT8knc(i=2w`PrRytH7Btkx?3X$ZIUdsSF5tqOb0CH~<7?iZ z>rohcJe9A{VZt^C|+LnN4v;Z_-{!ME9<=;V8n{8d4Qxo(X$Ps@}+ zMZX81A}ERZc4nH6$At)GSRqD^3c%LR6m;dI^_1`><^t& zpn}%0p$#^HIVb!I#Q1KWY%uHe*LHpqQw#dvVWW%Vt5;QR>c@eb7A?#Ms{l^-AYfg` zCpE;Q#NQeHF4p$JkcUM^wGH>nECbJg#Z5D2v77Cf%+3gH%_36&TB%2EhQ?m$q1$gV z?F^LdgPkQlOCI>6Ozino^z82Q5NK~gm;>P(QxlZJN^Vjs)e4UzGCxMKiIFY-8X0@F z_)SW~o0vo7bws=Lym6L3CHb%VFx!SidXkOY!P=jd1CJKejx#7g(8l!|NSpLN%ruuo z{j8fCgbhzKpJ+Kc)_p)ZrXcMJ>zQN+dkS*F7;$@5wTPtr#{)kLvfL0))lqQilM2Z^ zQv@>_2dQaR@$pt~);8@-s(B!@2a;i+SV9cj!VC_`LGIkDh;>%HCUdOG{xEM450%{# z&wE-+sGi)?J;hh3!JF1Jh^4a3aRJ|Fh;jhrLKQ5#YGVz9W!y~V;v`N@U}l*I0)Rz} zW0j^3=l2|2VPA9}01y{hfpS09u(I^(vJK0NC)Pk9&DE?Ud9M}|=FCg{A&&iyHsU^f z&GcU6cw$JXqMYe;8*rEyei|0I2CxkK+k-0nu83dSA=al)``f=+5w!>+z8aby$Rx+i znmN*Ls2K(6c(RoycRD%VNE5Q`|9rIIPEohM<*0Z`Q5Z+Hv0`(~tsx}U8HMwDD)(&} zu!+fGx!}TzZZI zv96i+M{<2YA?b5k-yVY$01n|JIs6|S=LH8hy_`J}^&$+A>rX;@WAxb34LORc&;7-c zD+-%Jz)}M>O+Q~qH^~`W&mnCWHV`vy>r#d<4~AoXOb*~!pHA`oIPCeCkuW>4(j!)h z7m(14F^NUa{z%ib?s0=!C|Vaw6y^_8HTFVr!AF-`jDFnjj5zyO^hT+L$S+n+G!Nv4 zvVUWhQ1SY}v5s(lT9T({&|&s7Nt-1IgXFVb_+OO0WmsIx68D=B5+K0|1b26b-~@MP zaDuzT;2NA@!QI^<*r3530?gn9*8ssixr=?y-sjx&z8~)WHc#@f*6Ql2>gw)a|2v9S zuA=V5#;0xW2snMveXMy{qRBTM17_=OB^JV|SdQnIGutmpSK4w>+6f;v3Oe8?>!Ejp zF>bxjt1}DR|5ccQmR27k`~ma%wr%2dJKGD>@Bqn$%3I|k)dq)R)@X_sLmmtoL!Scp 
zU)Th5&dLkhVNQ#9TNUT8+1gvZzG}9ANqCsESi#4o!FIOYlu;n$yLDl62IXvCbts4W z6tUPDQrR@HZxsbY%Xb(A3E#o9W|PtN-zg&YttFZ0Wla3+2O+`J_7|?-mXr0eDKv9p z$kOqZAY`3qSRvF1q&uQveMYPXH-<_7{#C4n1YaBUThawB%0)d+Ro1p_QQMEc$+e?4 zh{@Muw&k1JZfPz>sm>HuqEB^^dS;Ai92?3FXSMGy0WpbLmu?iiv)dMeUqe4~MURdn zhl(0R)G(l^m5KAyob(>ITt1DvMNiYtzakB&xqp!&+5%B>hQ-Hif3n2rU8CT-VjG{H znm`Mw+tY30z~RQ)C{aXD;GbyriOy$QpqwAq&W0D_KXag5pvtR#os(g{OO-|7NrUy< z?SzBVTGMm@14WL`We58*sadd=e#l%6PHQc1o`f)o9$!;dSvQnBT1slkwCxr+8T-VM5 zLHO3R?MDfjE&5_*G#cc`SWnJZUSA~q-j}IKt=|$6tX??u?9QCqs#wYOb+F}oxS}o~ z$&Y?naRNa`z$@3+XAzBa=s|uJuPK;W32VHOMN{-j3Vz3xw#<0iq{|TE6PlwJJpH-jBwsH|wIITKl)$#LY>hjtmZ)-N8c~NQjm}g|N&T?+J z?=!6(wvF3?(l$|)swyKx32;F1Vixo;J@RKKiXqdy3n1(8w3G7`uz*leZG25=7~YwO zdSR@0b8yt+jT#}hxhMql1J)_up4nW1ZZ#_=cOiO8)*Iv!IwJcJmxeb5iS8QkSBq15 z3cB=1JIWg?cxU1_s{|WN2JxRhD{$V^@i$RD4>-d@Xd0p@h^8q@kG3#eCLn1)%3*fK zF=&M~Y}nT%9Ong&SC&sEf%9J8a<+MU$u&0qg{kT@RewE#cuxU)M-l?$pE$Id<)NFJ zBE>sD7>GL4ad_f46eWT-tpygpGanBFeYxof9T}*<8u9I{M;ViABnQ9}O)k5v-r(Kf zP+sW5y=WJVpFUW-kJ^kJ`Kle^*L+oF-SYNy#x0@O5bbq&Au-eKRmN=KTK*!m zL-9sT*K`q2^oNYxo+ztj{t7Mp)DP(pR?q}xub<%U4nqsPoKN8_g6z)e-B6<%v> z^$e`cb4FLBEQi);x{q`Hy9=LUFZNTnWar}2?&>+U?J6!a=7_Z%Rme{>SbKBd9iryW zTATzcH>^XVypGSx%7)uMruu$7#NB1wihL}h-R?>)nqZviTbEFraItbgT|KQr{0{8% zX)R1+o`8fA_8{~aqSoa*&CuY|fw}!G7u}$_EI8WkJlgLhTm@?T?TJXe9&4Q}zUvQb z{g$9L>=K~Lb&tv+wo?vJ(1GuagS9^#EmCu&4@W3gM1ndnUSTK)9!Uf zIMCL$p=;UuqTke}>sJR^1>E9geL41MKU`OjB!N%Nz?W()3%x@7#JUJAbILV6u;SoB z+Y?;Txn#B_+S#L4jiucZ6`~j?fp~()Epv~smtjSUUc7yI!xs!U<{y?o@d?aK`0m~{ zHsy}Pb~gtL@JSE6L^;P#;3K8l_*jBO$kcR`Tuf%`2XPI(54)yxcJ zX2H0>jTO#h)Vt&d7JfbjX)dFDkLYC_Ubn`rq@#h{__UDO)*bzG#9}>jvn-ar`8d8o zB#k_k)gR72ML|BvKp%V|A~l*n&B=ychBVekC`x6h@Dv`*~xNu$&)onU0~+}Z)!0_rI2odv8Qcw1rjPMVUa z4Wqg_H5rXy*U0^M@eeOd%NQF?T`u41_Q5$v-g`>V%_N$y)P~s})E5Dlpg=Fq(1(bU z+&qw0*=%&?w^FCt*68!DH(u+wi~1%ZmKa%KOT)6GDde{R72kUPcHviNJ zfC2{s5Dbl1`(n*V?ks3;*W-NUF&M@*-#oJG_b#TXfbYcTXenpiyY=>|)t--gN^}2y zy}}R{f!!eaZ%TAGEo_2DZ;*}N?4yE)wt1?u^p8K|ct7s5$?0#^kXI>y;m_W;AYJoWRTB6^UmDkMD@wp>ovif<&kRa8RP 
zv)of)tv};KlL(OZmq8L=Qjqw}Rvh}Z@X!f3`mA4j$ z6~SVl8x0r#>OBaP)|=4mv1P}qrxbSK%O*gAZ_Vy01M;SL4W%l?qf&TtTrngx724SF z$9LxD`!;aODv0O5XH){f#_;U{WWgb`h9LP3#ej9ug5B_54-N*Gk`21S<5rokNf%3g zL{+}KMG}XVB?1g_tzj4o) zrh6J9Nq#SPzsYClFVQnPtWv6cm$2Tdp$Aj4JI3yGeBU3o@IEzDX38`>tOA3J(qjb_O1$UQ3uue30NIM={)QC?01Bu8Q-zF?as07fGkCT0!j?E!QQ#e|EIm(gun zY^my81IygRem>|aFBTC+FY!blx_JT%G;9B7y^yXv^&sMwJ>=AGp!ke?V-3>L}VT>TN9LiT|X7~#mE)O#3AanWpsHz6Q9N) zlT>9GL2{n6gAYD@XpisC6hpkQ2Y*F927fDFGeCEi)7h!}@;A30)pGZHP?gphK>4CM zR;|foXsnvtzKF|vnXgR0c1U>I8K3xVAA%2QWw&CKJgjw?aTA1cE|N0Y@SKC5(K^=~ z;8W8Iyx&mXes47I@cmUn)J zdIlv`N;riJNelcgsCzbHN2>HTJ&IHEj&;EJb5Jxj%qSFMOjN}!O5}~zYc<$q!G0dO z{~`2XxdmLwv$FfI-YKC7)-GiG_mH*FoA7Ae!iq#LT%JH2d!^CGOf=u(J981;#!vHq z=^SupdR6kK((RbJ5h0IT;9fFXX8edp_9iu=U(`!`neV^$uEQWLG(-Hza zE+V?r_-YPbXm&4YKIl*^J#cDFfVEV>jN9_8s*4)8WXwF(##RHbL?v8jE9~o+zF%QF z{_ATNe_Z$lBs;~j$v$%viZGdkrOP7CaJ}zrG-uzY7yH5$t}7HE$#7AiTI86-C;KIs z*PmX|;Gj;JMw816ZJ^-(>*GAM@@*^;8{~1JkNT}wYz{$^cEP+h(fhQGHx7uoQY4h zS)Z+j7?na?ZSi+Cq?Y;1wE0oDl$^C!Zo}9hP?5n(C0)YGMsD+NAEp9D8<(-5_6`Q*cS+`GnhMpzs&mQD@Qv-CMngGM?ohH00d4bmn@ zse*cxFnpNC(lJedw1&%FPt5qT<9t(AP4ybjcg9#mD4}s#!kQM=^pxrA1c2~|-qWk< zFQP6YV+F!^qQA8ZV07yI+5u#;{#h3o1ir@5*Hf!yp4l^O8vY<(B+N)SujSWIXk_}1 zm6^=~bA0bWq@$OdJ}(PEic0k2;CVt@_!#!+dD?mmRta(v_T%R2`LcT4xm9%7m8qOUM*Un1ilHxxdI1M8 zXL|93#*n6}ZgYX;u%lL{g6D)_dXc=8q@sm=Z}dugfGbX1_NX#$UT0Z`mU2chbGMyA zQ_sISwCD4liNDkX=%)NH4J&o@@8wQPfr)rsH9f!>zo6pMNo`%PtwQ>wk)=%+);_E8J^p7x?)a`Vy*pJo zjY$T}0#l#Cd}ommLj_&V?~k2L*bmC`9!P{(1BrHa6}%HmV298a1?=Z%^^vi{$x^Kh zOb!3@q2}P@+4KsROhW+NeglJE!91x2BT%iozM8 zqnVF3V{GcT);vE3c9O{m6MFeXIe$vGGwiG6JCuH$AycuL4D%hpZvQ_?xhPde5gl-& z`ejAx=$S??J)Nf^k}#u;F@nob{>gl|wM_17RrTF&?|P?oY%;Y!#$HESRXvOyFw#ku zYpg?5&}T^$b8~xMTZ)Ih3RZ@fH-0P*F0xa5ji6F8d^}@rDSko2jv8`af7{KG-A*g7 zMDP{>OG3n-HbMSgZ*p{pKkflBtQH?r-dMc}G98lPrj~rMQyalOj?%+Jj@)cjoH(VU z%Swzf=&7be$n2bA0~V&R!fJm8bMgDTK@m-0U>gEDcFR zj!OL0>bG8Ne+uSow#Bo^E%2UyPV+TF?S9(m#^XASKp`bJ(Wii`YP}OEs;>KmVL(%O 
zpQP^+(2vkRB56vq>MfRk7_tk(VKSiaNz#aw&hXMl1lyADql^x2%FGd#c&a^U^XTw^*A;p*GEcXYg#+E%BI;8 zzW~Ay1hX&o|CE2gf_g-$!XIwsIAP@PMqEUJ6^MZqo2qa5u9`k%jeTbVXjP>CMkewv zG?sH=N7>i1Z})k8;m=u1DMc*6W$=YhI*vRU-P8ndUX?_`tr@#@58`M-PLP~u{p%NcYIE&KfU}gO#{CW z0|2R5EKHcrM^!}lRgYn?0G+2CV2);S{-&qi_!sP6B>nUvN#LagM@pMY|J54?aW&L? zAss%uS?+hRu;1GtidA^+sww?0r&G(m{l;c&{)=$zw|?LN1;GzZ@BSsyU*u0OIkD$_Nm z($tgA%w-h(df86Yla8YV{+&_9ur3)Bo9Fd)t(~j;Ai(f;AZr_(15EMHv!9d}=VAg2gb|mYq=}oq-5OO{dhMbOt@exkslM+Z z#D(4Uq6r5}gf$Tf38r}(ohIDXFy-3<2rn}2geei>NtM0=M166$njqPotHy7l#V-~9v5gRt@j3vzZ)0;q7J)&Sa-y&H8B zJ)nxq8h3#2vaOKN1&q-AB=~u`Gi>?aiRKCH{UJmj(@*M%0{k?50p%%Flk4udIdEU~ zL_i=upk=WO6ZUv{^e{}5^V4$VP1H%PhiyDiQElWO6#*pLk_o``0&9nW$m(u~G?3c< zaRctB9t7DEw*5`@?qe+A)18Dcg z%~C+G^kfTA3MC8zQj5)G@^^sX|Hs%aPX&^6E&-M3+VRsnys?(&o-6zYQvRj;qvJ;& z4j;q4Y^c}GfeS^x%XTkF_;6mP!vF>N#N7$Mcr>_w;;y^#i8r-o^E|k(1RmrEOJ31p zVZv$Ntq^{^n0e9$)$#|zksE?vxAf$1ix}!R2TK=Q03`lbWHnlh?)~@Uo{r9Sf{_Uy zpCD3zX-2p3n}e&4ot*UleV(`Yq;QI9>4%GVcJ-ur8vBIPvJ!Lwa4q@}pe7pYP4(mP z*d0SGRf={Ur!$58!Tjw0q-&DJ_Cg}@{B)3{K&|WD_~j=wp*0HzkHTU9A<$@rgYTg( z{mYKeR=+HNSadg7L)UTXJFWA_a3n+m^v1V6D5Oyv zv#vblOBvo#2`D?j-ME^usO#Kh6L#_;e(%|p~5?mx3e*=zWn zccxKNz-~3tQ;z%=oJkM=PiHHI0^P)eAw4)u>WB&0nTBkU`I&o3nV;lz`b`y|(YvG{ zELf~L8ehJ)h?lDSi50N)=OEhdiDN%0-+IjMg%N~lX_`-t=Nrm z3^|nN>ZU67{VLym&r`k_z7!)F|6-~kdbi!aRKq2mguCoZ!^Y50NjGm72iJPO<-#N3 z6W$BBelCpN-G-iypa1O$f8qN}QvG$f z01^!R_Y0K}FX-0T^L+!R#DZ++rUfNBa%wzd^x_nb$xO=-6mF1StEg;*T=0vx@k30z z3G2x3^_aHfhBMb1{V;1|yn@M6H4yE#illD!2s#%H_A$;_m-J4TCGd^)UOVYRZ+CdQ zkOCtf;sy$1Fnf;<%BOYJf%$jKk>%U>fJi52v`=viUwVu=YhIPjC)E%mr?aE;)>3nob&T>{x3a0I|+A`cvP-BVM6y3INa zUgkgjB)SHObsGAPdhj*{bzeUHWNiBNHND8_0Dqjd*$Y1Krxbd>DX^FX=O)BSDoz`V z|65xx|3V~LCp%byr>oY8ozny^s7PBpN6JnEU*0zv|5@AhCVFW5wm5fD(v9g`ExXGbl>gU3ADE*aUmX-xV!rm zyjZWmM%(&-&*Fd-H=umQ*3Y{$XeHCB@F(?HumbdPqU8O(*Y!v!aL)|V{3o0I&=E_{ zUjMUFVln+3p~iCAgLJvzb*qbeLN~!<8?2;{uA-TV%}F)p=E~F$|c7*U!~Ib($^cn&YHp15-H{@dhfa()wfSO=f1Z7qL&e&lHuK!5IuPb-s^hFEAYb|?NL;+8i&Ftvh(VezE+T^ 
z(~Dp8jf_sPQPIwM5}{7!?_u&r+P25|+FT-^$S8u|*-ja&cx;ei( zr|q?S%^n-?SO%Eo_j3L5o0L?meFFTIW7hWIAUgwp6JwN~pZlL?y`D?|q4jCxm&E)# zu7M%L12~*B0m7nh=rDda78bsU&~f+ijLu~qg!${!GtLxu83LQg_M5LGTy~87Z)ZGl z8(;2wjabsw$fqO2HvMnJ%iXVt1Mbi^0e_5_La3os&_6{PwZ%5?Jp5kkS-NPDq(BQVGI+s z*g3qtKqCr}JN<5qNVqe(u*}cshoXKDc#rAJb{VwCW@I86@L^473%D`keZ!UK;d=&* z&O62y^B!Ve>u)=+-wP0Y;Rxw{AiEVvbls^%%+juV?FS%c!6!hP}7Fm-=nd??D;ZycbzzK~n4KEUIpS4ePUgk}xm(0g;FC zRckVnI%rXbFEm;MTO(H`X>8)D1uuTE_cmisR1#Uu?^f*smqZ^ltfeDm)a=;3alpAC zt0I$eHx}&@h*520dF64kT8Vg4f9iQ95o<8nNvMR1ubf*4D|lAy7hN<`lcPE8cE{~T zawn2%2bWW<;$ZYXw>PeO#)0EjYY9KNe}*5nIFSRKLOg=9{!c_+Z&XC&E5u#q}&l^pyW|Wn=EVv_{40zOHWNcDE+6oS^8rk9q=h%C@g{G@I|F_?5k~*?<>SW+MlIm1DF@ENZ^+MGQ zM`^}xydjWnsCkQ+|F(2ZyU`?tUjB}0pp|s()dQNT&dP*{g0%2lwh#A=;(}Lr)XvOm zm<<$MEtkwAKH(V`eAT~3ExU`+{@TztS~EZjDuT{Zs0(p7%dWGzD@6@!6b8aol3~*n z3q{O~fnK!)gI~Cy#W%IdkHqIFbv#QwW=lq+dKSE_Y%_Bxxv=q!J)mG6Ibb}T_|D-F zA%BsFCk8s%GfWRF4EwD+FykR6-heYi(m@(JzSDH_UzQVeyjuvMlBr;=0`-!LBZeukxS4-+KH4T>9ek1L`4OX(bu8pXCRi=%Y1E4@ zAM8Q_M5yEbXRosD7gPuaJ)e%WB47@eC(|rT9gOvxBfgsx@bNmTTzpQHTFazwE4KCQ z?w-l+5{1vJrJ|qYn?Wlh_AC-}<#kv}d#pWgoVAnpozbne!zr`BVJ%T~qv_27m(YE- zmxp!z^ziE4A)e}C4Z#JAyE%AHFF%x+o!K6%H@;tBO6dzVu|L<}!F|C}6xP-59@x7p5Y6UaWZ`#?IqgFFP@vEq`$)_n2%G%P~?`X((V6 zuj^}BaH*y(MPr#8Snm@MveA%Y-vD7SOnpIJDyw1l@<|Y!BAea3`OoXLwr{q-dA?Y4 zc_mWKkyhr&9#z7)Aszku1Kky!2ymPitfq}SzQ9t*|LMu^0Ny2%?35juD+E{c{?~rS zC?{FBVxNWjM0wVgv7iG?B#=xLbfCEe2~O`R#>b43bV;8W-rll)leB1M9>-590RnD3EPtS4W69Jcr7sTq3RW(a%ZH zGJGh=bA`nWllz1S=uNKEXdHDbpxRo!rBvc0wbLWBR;S?LZrGR;X>_pX*TfQ|sSruf zyi_sp4l(0w0~9~E&{k4a1?u}dCv_*aBT}|2@Yr=4p)kGuUXIXn%EBr4X%4*wK?3zo zue#KUAav|?S+wtR*8ECAhM)Hz-Q$a2H~9303?Z)a&54&V=3vO7S}wkTqV1+|@$=hVYW9vDyvPwP+lYZTdh2mjvB`}o@mY?ig5cWIo z0Y!M)q4lyR0nRY0r1|OPV}ZwP9a&5M#ui&`j;hTV@t|z(pAv~LNt)849j+n3azE9U z0!o=bJBZcRTQ~n^4-+}_H=RT}oy21p@#>p|g1os4A8af6+_Y12&+2hb$msDqT$_c7)Uj>vNk3d94}xJUNmuDT)w@v|;*1XVZ4 z$C^is>dU_rV&A`4{-!G#DI`+oHzE?JGu5p-cKXetnZ=}pt$84LSR9VF4`E7~L7Bq2 zwjUddlamZ3mbK5$B)^NQJwAtbLDI6sXZV<{pIXwtMyMSPWgphB-3@F0sV{ 
zwv(CpOBPG$#eOnOv=6}49Uf; zHg7O;=(7g{r*HzIUJJ*dbImJVh-6;6qq@=ImA z56WUI@^jF0qWxdc1J>66URrWOpC1BwBg}fQ4j$>kNgNe?A1L+!kkAxNn)7&l@B(D} zHHN9!>(59xWa0BWd%ab%muyV@jDqCE)TB~qi(f-Pwx2^G?jOT?V6o%^{krYs2zVK( zZ24EU)TToQo>Eh`*g!p5#Y*g-&f1Bw2^%?W@`nta8X!3ku+2e+0lBZkLhrXmyG2cF zvTajAKItpI4gIV0%l3`tOU%M{b10%wQTcfzt{%6c03Q1JP`aloKz_Un#0M5gn__D z6T}RpvINHh@n#wgnV*cyw$dXS1=Bx!<~LW`sgR`;X28OGmKATERGW79osw+btB#z~%f#cgH`GTx0N5|XtzkyMh3zY?k3$qJ^$Ih!8w}kdE?C-D zE0w-u)Pyvg4PlYF<-;YpDWKv4*_?7|!!jeG!^$aKuMi|5uydAj6+!hpElRKY9Dbd_ z?VS~iQVg%pGplUW!kBjo4MG%xO)M^PEXFEPEny;Zw z9>WSN1bl?UF^`@s0ciJL2I~FSQZH~TtnF3>!SC8TC1ptXGmF^ywb>&M@96c=o_@2s zADl7)zG;Y(qYUfOx+pg?a=KWrHox?2`kimgx4hpA!j5l#TdCVL5bZTuXIDv~#98e# z_|UKj-H^>-BZfgnbUhm?s@P>Ia?yw*x4V__=lmeyc<*;PBQB}yFu0q>=}575TE5$w zH~$MAjWtPgp~#DQjvAfNtII_tafiy0*aZge?K>nJ>kf;`CE@OHwT%BQlOi%tVt=0( zi3`^-(Yu76jav2!yq9QW)*-fR-oM=⪼nAU6AmqP-)12+^F#L`~{jue8 z$om}SvMh3pFW`seY+V7l9&n9EuTM>$hM1b;Xw|(nhj5$0q0T1*hkmm#r6&N{&^nPC zpAbgmxjkblHVs{4jSSm?rEwNzF5pf|<64w2K9!}tI&G>nx|uqoMM4JyV)R8Ny;Sv@ zM&5irjimo4)#C+@lgHL}@U~bdFPaxurww4d~}{p`_!UtWyMM zD!q2$6=FT=E)AZQ?6NPyYb7lH%zA}pj2m=1*yFy3Rt##|DRAjaW$2oiwb`~5`pmO2 zf*XLDVutABNT@)ONKzL&s*<7mq=Q={q#edG1bVS}IRWB%(`;{5FT_37Bd8}YSPI;4 z+5zLYEe$@X9Af>!lIXPdrP?gNWo~os5GCyM`#G;6>6#qW4mbGe7Pd-$KrLQ12GgBj zvFQ7I*IaY_C2eK>kcgmJ7v4>k^QWp3)yASmQFG94L|j}N=0jMOh0Jc_1_RPw?=a<) z+{fPwcr6qF)@B_xE(W@f?&f2xREm(mhUsuvwBA=GXLDzim0P5O<>e}Eo;%dvZH8pxqBGMA3`Y@I9F0_u#tSYRp z_BhHXg=(kr?mb7>BX1o;=QeE!gIv@+AJXngfTh;q5z{e=v^yFJb!ZHf-WIs|hnPHb z?7!B_mN5XV^D^iqRpu%&`UE9X&*KtN?sxwr4Ro%IvOI1rsU{U#${06WJtX;=FABJ5 zIb~I%+pKKsHB?_>Cw^1>@X8^$wryT;@{p=60#BDki=3-Pdlhbu=z6I)6xBCxy?8gF zB_k*pl3IB_E0G@TX@WUku=5w%i8u-isu5aPUTxH{n1_^uQFbLM=yS3~#A*!tTGnxn zxh^{nfIX&)9)j%;B0n1O6omr!tk8e)7^XKjr+|I|cOK(JtxqF=hZvZd2Q&y+m6g|x z%WK_6_0QU9V+EHY&gGfQk0NB&bw4>|SdPArRFC~LY8$6>r;iKQrgM-x2Lv1?&q)K_ zg!19i14Qb?MqhPTNSI%Ni;Y{@09kFK|J`i|yfVSBV|V-( zqP4cosZy>OZ!we~nzvVOm%76_RI55cIad79AAX4KPd->Pzt52(SE{z&w)3IxoYtK> 
zBDBKc;t-a>u3Y79tq}}CmW$s9SJtA1oQi*(pwv)f;>+yM`=*W97;>g4vQX^`M<0q0!tLY!Kt!c*_b%K`gKVD?lxDdAD&1(lWFKHy% zprmpc?k}jVIx$QHi`n<6^Sm~z=rLNsNZp>Rm&HnB#dQ0exp;}8V%Ud3Svw6>w9Dv? zbn$6{xf?*fTwItM#@Y1=Upy_``ZKqB-@lxab?KYZdA_~8V_tnQz-%U8=qP$BL7@PZ zyg~D)mvBuikA$jQ>ZylEZq#AL>FT&K8XIrzQwWcmY8oe1l6abf1 zD8iW}YQ*X|GwG0>Rs(|Rc;`H3U$>tu>}F0@(Yj=L&C2B|t-;&#Kt4MeUI|OqiPDo$Hbo+sXugLVmAle!h zktCZ%Gs=45K!+pGg+`BS}M& z2KFyGF}3*kj@-z`^O!l)ud?XnZa1H4pnd}rd%7xo*7y)g8`5CU7)Q8~ue$c0r!>h2 zQx3g+?C!hONmK02bjq5}wPJ>5O?3ba^e;OGz*E+ez%5-`Z_Ed$Zwsqs%tS)rbF{H~ zmdk;Q){Qf?_lIJG2eU-*jS{rw=`l?}j>LEkpDDB(f{NbEl_foj=up%(v0*4RA^Y-J z5N4E~s82_oDyJkM^*c@M>gFF2)3ty)wCc5EksMFf_A#2&L{mFw6HA~KCw$Ae!|b&> z3@w~xKd0CtMg>w_On%CZsa95aCj-50@y)&fvqcC_Z+R*Ta=$MF@f`KKlzEmMzucdE z++(7PkSonRbC(s57C*OTz)7%Y z*LaE9?SAj!$XVxf$jbH}CW}V1x`Xb|AeUaSFs*zzoi#mgF~a)DaEh0bDzEW;*?=cI zVt1O563UU68#}z5J%kf}Bu=efa*n8HOfTgQ!N}yszhCJoc^isU-2El94V4GmsSGyx zDZQC%wAyuynTq`d(PVYyAMG?cmNegRpUZ==+;Ror6NBMrE0o|kc#4nQuPS-=?6uhX ztD4@_$vRW|Csw*p9QOp2$;zaZ+%Bgd;>12OzuH7kPJ#QxD$gihnlQ#DiYUr*W8*}{ z7u2m~wr|6MG=<{uo#Zopk8lJFeI?HdgU36mzIXreKnggiJ*Y{l`&?$y z8i$T0&!^JTHeFZ!Bla@7+=7KK#qSptRjoaLaq{MXgGv31F0GRI&8T-yiX#~$r?>Y% z7gynKG6gnudqK3^o~22>MGyYr6qI0P%af78oyd}JY|R*V>sA3OIUxvZ8#B*Sd3zSE zM6#x7@vg#`4{dWeIUDRovQg!ADW(i9hNpD=0CxbT3B+4*zRwagG}w%hbfd?#PtuE+ z($TSb7o51I71pxvl9)lH^vmU>SG|NoNkbOWo|r=#tvSL#NYOCj{@ZmAQ<%`_F0;Fy zD|N3lin}7IsK6=J@vFGW2Ml%w+H%W4NL7WLui;1yDFe57V3>T!>L zwo0<5cc$6eam@R;IWqD}g;a=U{*QaACvd;k!fA90-Z+MbxrMUsamHt_3g;Q22UPr%uNt^751$yMHj|&Q_XC!x`NygjSG* zHB*&vEw>8DB?OC_e-$-$dtG2BNk?T~9gr+G255Av zbd1nU9hnQhmDAM^qMx7qT)e!-ln_rpto}0WyR%g|y!{k&7z9st_s_^u-@}T!Q_<^& zQRi16P^1&$B-!UlIjqdFn>~qW2^6Uv*=KklCljVmL*47I8h;7DU@LEv^HXK-eTy){ zJ7$v&J%CCfyK`j`2gb~pT$E7fadl?0K9~_l6RgmQUY?=Y7nC(@m4b3!wnfW|z%3z_ zf*dRwRlksi>7wzB6!G7y>KCq*rnsFjSAEG~ahE*awCf*XB zKUy?&NWl29)s5^L@JqP8$( zwe5&Pks;Hz>ij15{9+IB?fzn_a*f}nz`5{$asmOI#rKK`b&5Y=%AuTr$mc%Md@F0l(Z#1#*^FyOOY!_D z?)3G_G>S15J+uR9ad37)-^P)7V85zHwpwLSvl#LWe3{Rh7@i~9Qsx?TU?lcak_HX} 
zKUW4iivLrh5F=(v)KsIt9gm~pl#ag)J0A3ku-BI*sLV&trw17oZfXV<<3<|CkUNum zr3A?1pQb_BB*fyRNV6j2Fs4hga})EeJNM5L{%Ehyczy}xrvBByD=#riMWKDi&+KPV zUjHSwXZbR!d6WKn0#5xoT;MZNEPECAZO|$^PGcTk@*@*#Vl@l;z#BQ210i%Z~;6o=yisfkk zB$r$&N6C&mQHn{b&G2NX@9cN0w91~2lGlP)>$h|TyM1`pE8ftmz8O3^Tt zYpw`^K^hD^+Dn*2O)&nS$d*`xU08Dmm1b2hczZ6R1$Ph~(2h)^_U=zm1()IX-M^{L z+CKCiZJ9GCz5a1Zz`KBKYUOg$@Jzi%=*`t5rw-@^SY$C)&Wk)SCcw)Lp|2UR7cpWf zh@a)ZvIm8ujTe`S(|v>2!w&D6;!$^|A)4vRnNtRB?h#`;au(UKW*VD1z`~v z7zhCz*ybL^pL&}+(e)v=SIg zNr16*H!FG(^3P*&k(TQXd~=3i5X^Z3;GG@OLlpOFDeiy^4%oZ6ljj=v(&*s;79|b? z9>XifDFu}K|LVic6yRSr#e15_1H-6u4IZb0-R-;VsScq0B*g^oN*#9tO3&I@0(}7= z5IV7)h5g5^o}3{kzQI6dtr~Ff6It6Lfv(Zv8tb#>uNi{gYoI`op>Jd3`JzotT^D-T zDsbbrbBCFOC;V25p~?+5BF7hOc7hLP?lC{=o;-A!6a=-^ z&u#mbgHk|-*KUTO#v2)J0n@O|iQDgN+_L2)`DPCOBe5NuuSFW*lxc+~os#1{f2V7e$Ob_^{>L+-t{s1D> zAmYUt1*a#ay_8v?PDh1ziCdJyHCbsOi4vo!Cs(G{X=;>spc65^^v=*H-fW4nnt3yP zxH3x76SK0iT8#4o(Dx$|ZAwf2*dH2*BlTM z#J@ED@yVZ0Ug`yZsDh;T8u-MS7WKF3LxQ)(n$Ge9_<)g68@=3wTB-k< zNBuRKR|K-CJ6VMTm1Ex1ltsv~u^(aXK+`!Qd*=8)etVo&y0ES5OH%Djb&A3Fihb!7 zQrZN?q$aW7>X=GNnl&*Mo5|E>+#l}1{|{Y%85LFgzK_F-C?z1N($bA|cXu=7pma!= zAc!d4jdbTQ3_UQUN=WC>os!Zi_}|>$`*YXxdtSH}%LRL1ab9N}=W$%SdnE<~gG>^b zF}lqd^Y_7132fB{miE(PcB(N@;Lh2{38VwB^{%^oH@qS4CZcE{uCW%XF%be^{P`^X z<>rgKap)i+DPnCK%6B8X^E&}EQ<|cZAGmG{wN}V`N1Atj8#%rI>EWzHPr*o9nI4NbR5%$yPwR{dOr9o36|&Zcw`xT- z0=Zo1NN5oR|E3xExOvq~<6iUV9Zxz7m}sZfkSkgKJi2uts45M@CaJI)A5?cXVq{-j zyMGozyQevZD-T3Ya|qZZ+vi`=^PlTTX||*k_1ey~Ys7kcd)}cJ&(aFfibyu1S*l%x znWh9mlJwRT32<{kaGw!`IqrRfbT|-bu5`=?tdk)f4bRcf@;5EcD~h>v{6#a zFpY1hp;WjIy7A~Xn+rsZ1|IH*T3dzL>$cUt$4{g6X5BC@+?ZV`NHFAr1pR3$BFh;& zY??jbHlvTwqbc7z-DAmSrbmT3C1)Sw73Sx+RDgFQ*FW9961Zmm6H5BO_=>e$qI1XuwJGJ5@} zdk~TF>Q@ndLbc<4r0luc<|JUuuw%h18;7g#l6c;blINLq<@j?I2r9h;L0O(3D#%%c zyav6zreIe;8I6%L?nkGwc@U32d z93mpGt9!|dIWG@dK8mQDXgT|+5(r!&R-eUlFl)os+4WBKOKB56&`EO9Pj-~xd?ySf ztr=1Oav~X;Fsq6V3%f1Y4MMcsz42` ztIdn%#K{vpX8>&1KUhC>L&OeBHb7@ja?irV{oO3xN|`;nN1t>BC`sBVf5>2Iz|ulw zX1zSUm$xkHN(jrlF9^~s#ZYY9ydD!V+si&pCpH$Lq=9FUjyNT@FKIOqadRiSiq~r} 
zHWz$qA%g2I#rx}v8%be0Oe@fCQ$Ye9^2C!6HpmM8q{B zG@~~`Zm*n{+-?F`>|)YXt*=u=%j|V&YJmLpyfMe3ET@aRnS6Dk81sFu2 zli@REwSlihHL?Lp>(fk4t04N>yNdC&g!5JV9%6Xe4OCbWi$qOXspl|eV-f%Aglw@+ za;$Qn?$2=-Tf!Awmm@t-#?`*yOga=L!GgLsIG#a$JTe1Yf#UkluyFH4AO%dG>xvE97o9tv&VXzB*^T*ZRPu?`0J zkuop&Laey_s&mJT}GYlqr}#T`Cl@HHRaTz&a@21-edUy$Ewo zd#OJ&s~P>mEPofKXSi|P+o`&b=LNjB9andHe|9WPJ$D*57TPAM=CmvOnyCN=%Q90M zrJgx5)#xn7DRyig&V-hJ|LQ>KlFdAa(iOqnwS&OkEd8BN8X%5eu_LHkRD|gFU?q)m z=Yt&q%k-4uLhr8xDI>Fe`gEI(n^4M+C(mI8z`vxcjmzKv8XKEINZmrJ=@FsQ*8egg{-ubS}FlVPM+@l&7E zIbL9IUD0G#214ZRla-a8?^ZY&JROkDXHzG!*R@<7fMdp(aTVb|awjG5V59KuJB1qB zCRy9*KITs96(m`1X>p}63BplZZSlQtG6L=;N91yzS=ZcW92I&-VvWoV>w$Vk)4gZvL?R2GNQ6tOT%E z3*(`;;%8aPiV1JElzKHVU4zi#s2Npl%wtS3lDER(t&OfqhV`bR$?Ip`jzAM+-h|N? zKuiAU+IKH#dxcyD?stsGb&6 zTZ`^yiRll0UDA^;%w2ObAS4et9wTx|k|{8pb36u({(ztI#$J8YMHqy!Tj@WwDu!k^ zW0G?$CJPbCI1rM2cle-_9-xx+o50NA=s5fs327RNbNaiQoW___gjp4RW5%Nw`-P`- zylN`nU7;+sK29Ym%oeR((+lH}t;QEvab8bkvbyhkDLM;}&%rV%|40fu--sHpO|3&3 zftmO`=u?dl?Ox*cp;eK-nFvzRVwyv;bz<1}uw%<8O`E3n6E>5jVLzeJn+yL~IYhEd zQ9l5ar_MQKw-?Q)s{+1ocX-z2|LTr}NS#iiKs0T8BgfX#XJ6{0{PAUJ%ePTSJ03YS z5T%G+-6legAD1B@TH;YnbTI(677-ZIa!M!mB;BV;4*+@uf#mX)s*;UW%ep zI`iw*5GJvede1JtGWVB@$||hX{ko=3iW8Bh*Y4oMWJOD1awDdm+-vvPEGyT*#|u}K z=qzDu+8cDiymp!2+eVY`GRZw#pxLsUaaVghDnWU$-}iqr{Cr{em=BS`_lU|wUNg+x zj!9GeQr>(2!aTK{nx2zl&-LiR@QJ9AC@A#=fgLMQ+o~^Q=e;xA0|}IXLzR5w+rq6G zX7Y7F?{(LFn?2vW*$omIGp3s~ITci(lwpa&t6rM*TW+7N7=37{4!qs5U)$*K;2v+yW9 zQ6*Am1SFVD_ned0qcnPBIP=dHVKF=Z&x#0Lb4O+oh*RPX)1xnPNgGT;`U+hNy;@;2 zYSPKZY&1NzIDMt2x2s&``+fH&7o|aEIdOa=8M+Ui2k5RN}qd}+> zR3`*eT)-}``eHTtYYK>NwS%7vuqNWRIs%1$OHjNeFk9|FX8TJ-e&cZ8#<_0*ZYN9c zu$nMP#VPUdo(#&~3#k+ta&rkSx}KrYmBRHgrb>L~f_Wdin0r|nw4*zvFO`!@E5Mj9 z<&DWuEvVCU-1e@u9f=+prEL)-8q0yT9~&hSgusaL+B{6s*l(QE`yX)sMq4FGcg_tAmK{ z=TgqxXgGhm2CQ{D7ru($KzIkoJTEO*%)%@K_IO>cwH9gHoSA@eZ>C95S4oMEZ%NXV zv_{vXc4EqOdLB|>7#T?{#Q!$Ej$odDY1q|1SHKg|ns}jd%V@wbRl>1e*q9Gt?P<#? 
z*}Toi1m>ff+u|xTCNP`C*CVA+5J&VG1jmn zT0FXrlG8bY!se8mv&0T#c<~#xy*TmDe^g5-NW2C9jm<@m1SqCR^}WDnIsXyP($ENJ zV=p`o;w3x^7xDH~x0=goWT$$wN*w;;_X?koKaYQzyQ#G>0+T33WGHs|!R)7{d$-4F zA3|QfBT?3VgnJzF+nfMc375BT))8*w5Vz>m|CqwycG`%8*)Gk;DHVUakKf3OZ_KN| zxh8&A70J#}VqGuRpEz5hJu7w#U^c$l-Y~1;RxQ99!!R$ippc|aMH5w5#P2Woyu&%2 zi?zfI>Yg@T7ta8jurJG<(dNpc!z=1-n@wDKJBuD`$Bj|Zv3%)>%D?Qh6&(G+yztfN zbld2eziGviG$jj$WK{g4|(*%*#;ctg6a_m!#*BW4nt^!yZ4+3Qc0sL zil!1@xFMpxRTYNSdYl5K9fZ4u4XF3D@W`84$b@!>E~F!Mgv#N&lJ!QM^UIE z5)}+$iGM-0HU0{7>D~)Th@p0*Mj$g<(!t!m_p{9U2?CyOsCX_OR!vyq50uQpN%YD2 z$yRDH^JKlF_RL>}9}Ys9>x9gh?kUGO$HyPu4=F_nba|p3BopXJ#gWv^k{pEtcQp1g zY(bzn{VOK}s3#cO1h3$O1V}IKPf_>xbV`iNnhN&W*S$Q4m5q>Twu6jSdc`lNkS5+u zRam@C?eB%%M1FWjYR5fS(#y^E^Yi#1!vg-8jN*laFqwXn>>iur0j6%-3F+5?wf4TQ z)5dS02Tp!5$-vxgJxfcm-BqBc(t1|eez9F4Q8xdKNM5g8AMq?3kjG&*`z8I=(8N+vH_lyWEJ4<2ui$DauCHWXq_OOwVm zn-JCP3-)?mek&-|Z8UPsM>p0@PCh3a`C(*gKMal;6jDC_GQ!-j_bA=BS zaFeGU|4ApdJFMb*z0&fP-Hd#=~WUWid@u8UC^df@_y#(#lSpo6H6 zug{K=q`msb(8d)k^D_0io7g1nI64XoziNNlF|kR>H*YqgZ`t>r2=JAz`RdeS?=^9(b3TpJl)1NO9!!RdTeY4uXjR4aHOGH)wRuTfqC( z1wM+5R9xQ%Ibvv~2h1_;3w>O`TRFzljdt#5ZUWL?lcxm#GDqVoa1^RgI6_mP=~RSQ zRC3%TUaq^rN723$rAFcX1IGM0+tts8lMouE1e@6bggtAF31s8{#x{2EHM`(okZlX9 zGgvs@MW93;q-_=U;^C2{^;IVaW0c$lv&-2d%9x_CSw$e>9MqrH#xQ0CtZod)Sagam zPXIbCUzt20(e*Pfv;LH(W0R&VW5OCLDhB*Yzk$l%4kPnPgINp7I`Q{r>Wn<=qw_hp zAtFz`Q}-qni&dOf!@eUc&uuG%pFZtmP$Jtjy=|Dz+++3-8?V}$3J`Y;i?D#SqLo{% zE=AX^O+86xRF$A>^be{!yNO^+{LpW)sA_s*2{Gnl8{eCY!BG$0T@$z4X(fL?lMyNP zFc7RQNaeWn1THp1f&|Mwl~5*S0GP8jU$Iu=rE{2uTm& zJ4xPgd+Hu}n!t*lDOb~|cC$*kct%lJd+WYYgo)*ST9+$+*8Tj*;AbX9RM-KfiR!Y= ztulgNd!|xp%mIZTq5FgLy*=Rmj7VLsSpt9$$bH}cH#`KqfrE{M;a_$2Za{nE ziJd!$_+`xxuRa77@iX<5Zq{{%S}S#oi3i&7TN@X}r-i*Nu;%!$+~2%GHDwDFt_kiY0VVUK9= z55GidfB2A1NRf@x;hOmf=;31vD77v1H*{bxP>|*GxMST7`R}+i@~!w7zd;We^1IIo z+n@eIoNO>MlwqwCp_4#_HwG+yNOr-Kjw&Du_>uo(^=DMtgU`T^vyHj7e=j*2@RXS6 zxU#_wL*f-T6iJqs66?sKaT+Fb-q)HjYZ2kzfB=xBm_T zFk~q*M@pxFJ19Dm>)l}auezp{N^{(FBo(=MAn6XDZ3;w4JRAXLl`j@GTufl_P|uP` 
z+vrA_X~N%1QVrbSzL#nFJ8z~g>?TL3@5D#RJS`Qt*72OVQWj)wO*_MeHpRAWobj`F zFQ69!5`UsU0Ki7)Ksq}=ALRG%LikGT5b8k(aPWXMj}psM)wE3p-d37MsbC2@OL$l9 zc%bHUs#I*}a7=R@^Vv9d2lU{A+^GJC6D4Z-x!*ctksMt{y$xfThn$07&JJTlJ4CQ! zvsbbX?0Rpo&dj&=u{CQ(L5wo=C!cAH4_rFm9KXR5c-1Pjm+Y@4b_N6g11HO#J-5HB zsgFh?SsUGxtW-TnEWNoqhs7yPLz)x7ewErMA1R&Yt6c^B+SFH4t+R4vY3HhB6{`8s zTa4m@Qqqc)RO?t^}6#vTVEE9=aGsjJ+ZVqiu0lEB-Wm3u&vlf6bn>=j3Jq9o-8TZrD{ zYD5!Brrn68U2i4Mh)jX4VX=iZ+8~eS4q}>_wsl@Xs^v=V(TtW#z5?f#nF&~(ZJIM%~KnuDYI+gGFHg}MB=?|DCs zB6w80f3pP%V*vxNAyB~fvYv(m&EGQ~Akn@fZp?UB{pBUL0z*$ zII#O&t}%#D3(38&tD8UegzZic+D6t8DW;^tZS7~8di&o~Jw{V*04YU>09!Y0UXUSE zmnEk6Y!>l_?0=xs-Bt{$PW-1YeIq~O!x+E@tY^MfG-#3yt3dv{QNjGUA$}AKWo9bx zs6f{rE%MWEK#N>lGg#QW=4j+iT=ii_+a14P*V$$+!Mk+pVuGH}lR4a_Nuq_sOw;|w zm`Xf8lsC~D3<=xIstHXq9D$F#^)~WnT$|UN@jHI?`#8v9GCtTkS?H6OFLi9Z`HD?T z8fV%50}CE|HDI65RQ_B}#J=gjaBILQUQd-P;|qKQ7$$`ChbR#~-l$qUqg+8|zLi(; zHgi5fD)TdvKiRGsryRtvzIOXb4ZpG<;6`{EeLm3|GpX`vs?vUQ!+AAvW{I%7smKx^ zzD1r8emMP*;}ft+s=Jeay8T9K#foZ-0LF!cfR^6=SVni=TOXY?v7Jm8&g(@;#_Xp8 z@1AG*SLzCs`wYqO3Y-+QX2t8;B#-8qoR)RQnQ8cR`LN#CKE(|ry;gJOW9Q4{)^i*(2027sHLx`C zTi%mIUfHw=31?IeBUbNK?5{1eVeQTy7eid3PDr5jT%ED0-umfqOTC6>peKrw=R2P~ zQV2HhvGr=co3%YDHKP5kANcTfDJG?JMc#>5;XV!JOs;Z_%F^vXDQMDU^k2Cxz_y8T zmB*?Zj&>S|3F(h(e}LEE(n3;daf9#)OvbnM>TzXx!WP!0e3|j+dy=Jh{x4F0jgpxf zo5HYq{X%mK6Q?lnfYi>j(qMh~oTrF92;a8$I0G(wFX?T0R=y5pjAMT;O`)*m6TDJN@|1NClt;hrJg&D5DuuPtl=92ogoS?R28O{uRU1&kZ`nfRj2cjs^?AO(6 z*16JLwk-L$U}r-`YIzs>)NZ?c3J+=%$T)VL!>K71SZXRn5MG7Pwr#Ri$5J*i5B^DBGS@j$Q z4|<-}zUJgZx|BvPsTb^;WG-kQ0<9|g)pnsxmhF#fK(EUdR<+yzEte+P!vwzd znBBHf`BJy#SAmK>+ny`oCSFC)GDr5g8oHrVUY!bwFp`l(!K=hixk0Eq;W{WtNS;%eLX;gX2x@5T6Bq|M$IN!GVf)0VpWHM;cB4WtFAz-!H4n{_&J_D^8*&Wt;@Q}GuT-)1sD%Se+dvZDS5`cy1G(98t<_G5n2;lW~< znD9Vz|z}`YQN9~{{sR}SgzP;Sj;OGNj ze^2mJ@-OBPF4^vhl*DOjduzW8mbopzBLzqwmZJyrq|qZ>GOpY#Qvs(zIlQ$6AK6WI zbLx3N=sb8F5h3(P4PEU*xNpb`f)ao+er|t5rhxum(LIz(MEmPCDeU#vr5jb-WdvZX z@YO!l>^8p5(35yaZr-|rb@ug?xT_D^^n3>AMydH5&;5lm-CDx*D`XH@tu{SAG7TWVMvqm4-fq~g)w(|P|yx>&ZJkstYW{}&D 
zqAL2-gb;B)XPdT0=iNnl9snqv!-@AJXA1;*dZ`f@5GKhWq{ffmTslfyX)(%4v!OMRN+yZc<#g8FJNhzT8 z{MPwVcDKElN6%1+W<30KGEMXce)4l(b|3u`j$PEZ#$__8n4C&dm6U#?p3vO` zpeyOO{hwe1n6w-H({p}sG3KM6PD)slsz6z|wi>~zLD{ad07`o$r~aBYx}sm}JrT=w zq9Qa@YL#Amq*Mso`fjN@e2QafTrbTiX9h$5+ToB^{-Z4fw_j8B1^2xCyVMEQbI>DE zIRw{m-$u*hiTL`2|LrnA1eDLdF;`NPCR!rz=i29-&$!`M)Op|Ym8ZA+#q1MZqvmSZcZJfj+LQsFDtE=Oi+)|Y^tVp7mdyp-IwYzeu{Ne2 z8osExsiYwvgViq3BmBa*<7bH#5I4c!!<8QsYq{CgVX#Wj41)4hT(X8!@WwBo*%epo ztpEpp2z%^*JWGXFxTu2=;8v>1-l!`Q-eanjZMxF?-T_Y##J70c1YO$j1Z`#=D|QWe zZzENUMk*|2!|VR*ZLf%4sy>shS54)Ih7+H4bwy&}Ke)$u`BL$tC%(VF`oK$%!uziC zezRRlug0Sq_kcDbMMeWBZ`ns-(?`(E`ZW!@=wLa1`x#m5Eh~mTcj$%Z9U7x9hN(So zRho2Fd*r=^$+`}zx-;B5YNbhDhRfyww)`Y9#>xd5RvoiaZDZ!fdmCPJ4fHYDS9g2j zt7sfPRJeWM!w~jZqd|zBYVD)xISE)e*p?IYv+A0urXv<*1pn~<=X~6`4|z6hm$AVW z94_fTybnwmz+zvMmIlS5UQcvqGFNrY|5hV*^?_x)8yicHkiMLgquP1zC}Mb@NK=EF zMM_xei;r@?@2}ZP>>7`fmN!LgSGw;<$1I94i}q(Q*NucZc{jM9c(i=IZ>EO02SLr& zU=ud(?Uk0x=2|3taTHQ%f<(Uho9%+d@ksD?{I!We4EwCvd>dX~$wazOD@o{*LP=#%QP!JRMSrseg@@0GjVYXXR@FQm8r*gNh z?o4QV z-smoyBdzp&w&JTtF{AW$#`L=SOj1dXSJ^;i6Py+Jgu!-}qmm+&512oGLpaxQf_1-0 zc|W6p`i&~HTQUk)Uc`dEK;vAx10(qvpuoh&!04D|A%FHmz`8l-ECdl;$!Sp; z%861@$+J`dY7)U^b{7vFGkU-NBu2#&b?B?zj*v9oS7kB}YM=IMa~j@H2paXzL+>O3 zFB=&$Xik(EO_V6R{nDh%lPPuu5zX1}#j2UwJoNvZ6)WwP*JWN)<{TO(w?R@1cJeOV z`Yby2M2rkAig=3<7iY9Xf!^`+)B~WvPKc2b`{1j9OS0M9-W}Da26AO;3rEUEayhVx z`6Mm2YSDjmF6M>uj~LPqBo*_{7B&`X=0M`%Xru_prt*rGp$y-UWxes9exXJBGon@Z z1pD{rBDGKjAy9LYr1)F2auIe`bpdrf0WWrwu~~pK-sC1=O%rw)UggrzG(@86Y$#`9 z%oRV@)D&F1UR><8Hn89HN~ioLuM~OfAl~vqL*fAHkw5BDizUwN=EJ0qC@8NTePrcu z0n&ZD*POQDR#*mBY01O56%t;Z{itHyByAkgD-hTued@Wb_4Uoy#w0`SdLDipv`M4~ ze-YGJsR-DMivR9~JSF|T{X7E{S9-G^l^#wF`9?b6B~PQQ<+^g~iM1OQ7Ih(+bC#DH zaK56t339U)J)Bp3I0*_#dJ`*eG0D3+bhsKd7c=4NB{>8NMnJ9y^e;a_{E${s5rhyrp#gc^V=D$ zr=An(p&>~*>}t{ezKHG}Es)n;GMGUzB3$u4A3eD!fRgZWcX(t5Gi{}D3~*f&%$V)) zcaB{k!-e$nzSbPc;#)I~$CMJ}l$HHPPwFNdnf*Tb@Mbq40@zz9{7{^!55sH*@Wadf zCGfe+jmHFJ`>gDl)29wzwzxHTrC%?u9AVt~> znXLW0aDNa`^8<I5N41A`6Bm46EcgYx7CE 
zOCLZpr?P{uQe)iHoS*-+0&|is#!IiP4ZqZP9G#F z&todO%!5U|NS_XvVrWksr%{X0*Nc*FGj4SY1qWF80hjtFiX(4hZ zpVyTu)lM`+D7N&A!2CD0J+-GfV zTYJ`Q>69!$5CBvDmmmPpE)Bv7XQzjGCRBSoPhE|;xSX0!_{R$CEeZ+FU_X%aCl;L~ zdhTOI2GrZA zCiE6ZWsKg7A{6?AL8ZF7o`oRmwnTx(c&Z$rlZcQuy@0&G-$t6r6gY94_~H>DrE=)u zgM#Nr0m#Oq=bwq$y#I~QrYPk!UAuKMu!uS{Uf6@jq{%wj@&JdEU*MV_HR zzmdgk*q+9hWqi)nmNC-SZV`&vz_r^oO0!8fieb-7fO8t@Zna{9_=;aV4~cdR3Wvg# zi>i6&zMwrR59FvyOG2Jh@KPMj|DbhtkiD*7sr5oLNqaBuV#n+Nl`mlO3$+a!N&~9VgR3y^!sP?hf!A^%yf%G2YOwLkQ$&S2;iDOV-Pe7)7)LXJIT)<&zQ{H|rXVv$~= zU6}4&*#3vw zG)i{WIh}FS7BaA#@l!6O4$ZQ8M~Ah%sa6Lei!m5ABWkO=Uk+6fjymDaqpicfOS!cDCCyuOzuDFaW)XR{G_4AmUIyZx~RNK=A^I>wX|J6K`T$H(|#IS%ea6{W0ftm=>6^3jM=O zc@C)xt@(^m&(aT)h&lzv^vd1qbMUut>k-zj@~h#SaZ5PmF{vY_s|?uVlhx2 zuB#?IQ#qFW;`4J`_IyAR=k@b!$mFGE*M2eF;8*PO&hYEpN_DuzmtDyexg;@{i!N}= z@w!}hJ^4VND&+s+F+C>2pO~wEn(f#|Q{F(coDqG%O+y;BC=bgD{&Cu(^QbnHLX8}_ zUT2I`iG4so&Z)-$#&vh-oXv$u(}dn^G~P9EBbxVsRthO#qfV%GI*}U1C<^16iE_1i zc_iZsqng5T4k={}Rtkx{$&uT_+sHu9st=^7k4nZ8yYJJw(@tX&^?u`HCN)x2GYa~E z_6fZanP2_QzWAPXA%BPsxwxjO{XEx`@CWaUFz}H|ni(=TWB@Evm9#a-#~CLBP^7Q544~ZmV?*Xb6JAM`A zB21~qlvZ~O_N%)b@jrP9pw%9;3Q~mEerm{sG1iM`DFl4&WGyo4Pms=x3tTZjP{}Zz zm{}iY;=>*{j|$JkHCU7OG7FR`t4%Ffb=I44f9MSBV@mmKUu&wZn)(Ub0|zelCPWU( zlnPv@`bRVSCFT`Cp(_XAb#Oqirr?&9Au$&ppn$jejGM30hlSf;&mX)IkUGQOem!LBi}3MWQk%Z(ymzUp=pPiby9p%L1XOE2{KGlbf1Uf_C&JE#W%!& zO&rHFP(qGprTZTuI>nW7US{^N#xy=6FO}t@{cN6md<4$=EG?*Afu>Zz2);$HidlUIB;7Q z-NK}x|I<^K;hHv*`F&TF1SO>?jF^*VTURr1jYMHsGmwNP<$NNCz%S*G;|o(f|@ z_0EMLvJw;r(_WH=def&44x^}8A!W}Dy^MC%u*tEpt&1!S8C0|HSS8aT5@-PF$OCZW zJHCzwB|fLvI9E7L<=~bO!BVlmn}^Bm-hgyAxIAAO3Kpf{l?Rx6K+2d9FpLePjA6io z@Ke(V0Ojj+?xJot^8e9jMtfidG$cb=EAP6_@16x=9R)Z!IODF^KYhAZQvtrCO)FD= zNw|iA{ag!3M1cOuDaA&?-2wY^5Qf0tp?x#_??c#v8=g`Ti`EYP>U!?*B1YU@dS+1^ zc-T$M2+g|^@Xhyj2S+7<6`e`?ubT*Rz@pg3vnr?C$-!Im00nYkZ+LgCN`4Hoc$5qu zABfH_pJ%{q@!Cd9GYJ4Idqp^qCNc55`PWe&nzEq; ziuD~mRqi5X>ZJ5!o5Ob*%Y$Q8NN`=^e!-ikAob-r!y=zkXjH>ZQoAhRjuyUU=urOM zm{bNHNR48fnbt1(dQbX>dHGA5#`aT5G)kB0IR 
zJzenbI~=<4h8)cYU)>k2-kV0|CwAjJT=;!^4q{`jwib)(60@|!vPpXn2wi#S=@B(u zMwsT|;TOlF${d}B_&Yuxr$JnIAIYdXu7|f^!w?Q}tv|0@V^D@fjvqg~$Y%rKpeBBW zOSw~?dHVea*nLPLRq^ZHnzj?=wsAwg7U@4`){lF;N}e}C2N*d`fa&kuHXzZsZupnW z00&C$ygkHkO?%e8$YqY~M5Dz~&m; zF;Z2`cUZRbrhHkK2?^yLrHh2um0@Dnr6zS1hHhq()2<}SWBiQXVC&L;Q<$5dtLbtQ zo9&*#e0M1p`##h}so=Q$5AhZb5Zo!r z7Y#L0?y5Y$qh*Qu0ok^4uB!L@)NXR+ji&w0Sc*1P}{deKgPhwZ@># zSNv0RkjC#@h{rgOCV2UQ(+-U2IOSxUN9J@j=k;ahQ`11w2uL4Va1qUz=QNNL-%aLM z+qDerwjOr7%yD~5nVAX20S;}f3;Lif9S$)1(v_0A`7DM8%`5L>4DIsWd>!~%0(canjviHiPuJ1iVkJ0C^hpC( zOPV%LYJ|V|(N~V$`>;Fz=tZXy0l6gfKd=V~?(EzDNUa|NUZ_c~J~^db?9S#rjm3^r zhsJqH3_RvtlV5WrMZTQfUeNq(RD~c3XPgg1l0^xqq)tHecRIG26Y}5W#~ErrPeno6 zqh2PeP>*^w=?JsW1578u+DMQ*{b2gkgMghei1G9`r8qVczf9p1}wla+(+WNB0YV3Kv+TB#jAa z{DwREXfZi!ePjg|ug@-GJ@E~Q1FlPbT(9h3?COFvd>S?Vd?%k9pC5K)ipzADq>7pHV&kkaRytR27-o%P&?XW9>;E_n5Z!kJ10!+v#z#=5y-# zMMQk7;eEE0gPMHw7(^Wh+rQWPbo=oD4guf_-BxnFWUFue{a1g_zVJ4Q|9~nbQRQ<( z{8RIPVT|^V0El6#s<4#zhgn=um*nxmjMRGQEQNhMnshtO0f{p!0-0KjBLmB-fK}8@ zym@p4u+0K{q<4^{xy$PFS^zzTM_9!e0v>35+H+;pwyiCG>DN{-eSx68k0G(-CVoD< zcv$hfkm6-ywGXbg=ABvm84t99b(Z^y-+=SSdUx;oRn_*%rz!UoW=dB#UoLr)Sst(L zKrX#I5VtkUO&T;tuZ3^$ z){sh^e2N%YYuy{0maEd@tTdt6fxOwpXaM9XnvK^^?}-EmnVJ26f(BJx$}NbXHu#Ch z4$|Y1*l!}IUF@$?JCxqbPk-TcwPXffxqU*_DEoaY@4r6VdKI!r2=TXJsCha6_j=&# z-+9GPE=?w_N`EYg9_lRO4f|HMfokSFU$Ro`o`cgjLNnK<*WYzIq3kj|8(#R`YS3Q` z)KC@K)iNMkXfB+ewb+(O{#et~Gj+nl(3HvQ;eQ7|Eze%PRn6o-j>DMy2p;gBVy~5> zyk7XdJN8EM;CqRK8Vdf0d!}v|3M|UdsRADpgfZ$UH3>+(QSjsjg1U!o5at{TU&DdlA90rv;8#g`Z=hD+-?u8Ii2mvph?okjPa># z<-(1hS$gj7(K!Dw2+V-(6F>~Ig&gP3#|z;k=(|$+ZIM+VPHdW$+D@TPg(l!)(BNII zLy3lc9?m^bH_y|;g2JB%nk>Btfccu|dSF;CUQ*snEnfe8zs2u=>gB~tEkqLlq5Yt8 z!!3RhBYu_ri!!cMvEjagN!mY-`cugzV;|n|ZhT7O`_!K!^xO;mT@0^$4 zqLcd$(>pd_*yhDB~)x;^1--0ic#b<&aP+zhYKM~ zS`52y-dtrN`Rl7^&5HNL@?*YyGD7>A+_frP1a$uUM{JdI_bPPIN2YNLW-J+^O2$lH zcgzB}St$8|pCrq}-MrU!7*i`8hYWQSU2k(=S`t!PW-p7?PIJd_|-%3ef+}NJ>tCl{n5Ti^_MZvHZifiWUQFE%m{n6maBl^$0lio zovbh9(AQ&lyY_S;4uqO%(yTAldH@%GpAF8Iz%wZn{#sB_(HSF;=vGLv8B-%Dd_JGd 
z_2PTt)quI!3>)PIY8ABmFhLE?ICt{gs(ik zjw-<39RLWu5*HTPvHboCE{U)K;BudR`K6wk+%p2}ziGY-OZXVOO0dBGdpkSjqJRx-Bh7OzEap!^C+~vi)M3|0S6X`t zO9%{+-$dC!T{)t6bbb18{(S_QCZ(3u~O zLq4rM0+gEk0zXowEKj#1qMvzy|04hVQTDX2K50k*4^&(8?UXqA($Ka71%dofN?Z=) z6N{ny``t(r$yiuZ{rBZ}`#*gqo9t@z_$1eNj#=0bqb{!M-#YL~v9-1=INStC`h*Nr zuq_-pcU=R!?vgACEM2%kQ*-bRItJ;2>zgWaQSvbyu?Xr0*f7atDdT>O9% z^2XA`patRR@HaW`&-$hvGhok$SIVqDDO!?tah1MLpM_?}%r;ryE4`?mG`J&Gi3&Xi z&=Ps}%$U6P8F%zlnr9yNz+Cs;6{cfaOg1i4doE)eI9GA%6X7f>#i(tg@nbDuSdS7? zo8`V$-No{(n5;cRC9uJ8WUe#Z#E#3cv)cvEsG>G$zx%!x_Y{oM)rPz1?cRx z<~4PB57aA6gw>VR&IWagecb@hzbDOO>G?IgR}F+{m|Ab*)t# zk@OKgm)~&wflm~8cP=+rn*r6JC|6@9K%Sg^z7w%u3h@1A{^4x@l+hCb+A=$x2|Ai? zzXyK#;HXf;z1D-TSg8f_8#h2iN$6Kfw3xSTWD>VqEy;nZk@7b1MyMEyQE|a9&3z0r z&0IcgAPk>zu#vy67bVo@nMazbzPlXrS(qRngVxQM(^~3#gK-YfsZwe8SKaJG+-I-O zT6HK(XAO?`@B{28AdA;6-;GUweG><7H(eS(zI2AZ38kgR01l{d+t&3Z>*V_U-<-bx z75eRofG$+%nom8-eOACJmCy;GeiF&U3!tN*Vxu@JrWD}%ziIV+*Qwu^Ip&&rv+*vc z0xd$2CSh42)q)W{dnGG|11+piNSd>;=(y7k0G&50e%uxC?rKi3X7ozQw3lw%bHcYt zW-0u18{T%lYGeHSAp5qjur-|nki%x*i^;g4YBK?B*XjS)c2NSNd^|j(KBq}~H1DVg zQXe#IH1ZO)2yMF)+TzsFu|%brP*jUFxDLN!2{94qIx2a=96j>9SrxPhxTI`zqEqqmKOJ%3q3_B42 zgKmG1%nv|QB0!X2DUN`0&8vCx6zSoA{5RnJCq}Y?%D0WI6Wkt0)jGo?SOZ3T_Mped z)?(B3!9&sjuV0Y-H;=WzonOBoM-ol7^lG^IG7CHD{N5Xi;#i!zhOm&lYXbY&F%#Ku z?(GRzl^aD+QO5nQ6@$TB$5Tk;w~Hp}Colj>%uV#<`Gd=J%Ij$l6bgXMcBb+{UTqsW zCeW+$SDO3he%fFFiY}U0_5UAxZxs+nm$eIH!5xCT1a~L6ySrQC?jg7Z8V@c3f;0pP z!QI_m1Hql(u78u6cjle%%ztxk&dqn#)m61?uk|e1Yunl$41QU84XPDm%tPS7Dr+*4 zn`X($^W)B^M^vS))Fe%+ZTk$>@>5Sv-txBIpsGRfAa7o-&l>K%!8{&V%F^4jum`#Sy! 
z64e9-c!wPavE{?|cV;IH!uk3EoeXKPo>l+g+ig^yS>uNMI-KD`c(hY|4gGLjrzLd?>*J&{yK&(cUppA4Gv3OKZ^tykNSe6mLW9xjoI+r|KXNJ9EuhBJWbM=@({;{M6=kr(` zVci=LNDUynsTjmu>ByAX+EGIPmm!ENuY6}|Go)}{@!{GPXR3Ve@Os($i?V^SS?2E~ z-K=hZVf9x~pG)Zso`?Rt?`*MUT~NO0$;1;?`qPk3XIufb)g<6^-H=*F(=5OpoMZ8b zsB6*#P+J~rW^DPBNfb1T#;?*2kS$uuammU6LjObibSNi@Hyk{D5O$~Uv*!9igSrR9 zU!*?R-p#RB7*+W9KeQG3d!PLjzMrn=Zn)NlN|j%e4mh|_*3znWyZUHouo7m{_U{#+ z|MblWL9P3<1CwPu{`dPun|2KF^Pz%2U494;x+AVKy<~r%22qq8af}PNoob`1&b$wq z8NEO7)IXv&xTS;xf+1%tA*Ie$>UA&-C?u?ee*KwQH+MG)@ zV|vorrWF_JT7_ts??x3nM}7|weOlfAs86kR@q@131M6RL-oH|?yoIuw zFHHccMjuwB%=GD_#)z>^yHc$dW&4x>RWbJQ6bX|vVaymm%DELAa((gpF=)lahR8&H zAs-7DupR%dSO;YtE#Q&av^I8m$qp({_HSJ1y`2F$6!QL-m`K`_Dzlx5x}F0Oul{5k{!`Ty3`|sVYnJ zc$VjN()ah^kp)Kt-^Y{ZbB@*9r$X)d*1rGJqKHE6PL)=pT+N764PE^Psj5@*#^Fqa z>f@(33Q)LF9oGq%*_2KzC2JO})X7cNOqFcZu$LRjL7_?$#fHg|b;rs_Xe*dH%Wjs} z_08*;%knvTp^AXQ;tz_>`O5oUGj$G-m?gJZKAp9cTQ^ZUQ@&a{)nUa`Y0mAZmrG+$ zqSp)^;AAbh{tvTG_jNBIsTD*(?{Kd zqb53katy1bRVxLoX^B!i+&d8nUJFny{l&8o=?X3pk|&8WW6Tlog2!Xe^U{{tTKT%l zfAuDX;CdzJwpaK$QMmbAWnDG6e*no{=D*9++E#YodZha#$bb>?>3>?B2o&XO=jUU# zopFv+xsjh=YqhlG8VLMZK)`Wkz#j35-#Mk@##j{dC*k#bXQ@Od_{;< zzDTl_FZ>wL`0eV$xVV11B2?M8ol4at+f>bpPe!jT)PE2h^cEb+*XJ^U$KbnYS3%%S zpY>k8PyN51LAIk(FfVsrPcR3IC$0AtPNvJh^I^s$1D!a3lCz6yyzM5RJ7pYyn%I>xnLyCMzFvGD{SKmMzS$A8y&Yt#3XGNAX3j@{EWj~6`M zRkX3Mc}{%5Ibplk_2eWZf&og<>fH*E+rf;BGth zX7h7)Rth+%0xw+~W)U73U}sx5b^=7e7qg{X4tS zzv>8pI(eRWpU~*PMkC~^ccowlwt92S+s2oNfPg&hfIZL+v~D{|TZqTJ@e3O^Uy4!n z;#K0)_m|N(3xvJ=QL<~{@LSz#XkNcA&aRZx|Gl>3U-G-5IXy-Tc*{P2LHZKjKQm_! 
z&Y#Q66cpF`Xeu-y;NSGZC5rSvIsa#P!;2f#{@CgDW0y&8p2h#UNSPtmMiC0rn+U4n zx$|T`j;ZY=1e~U|DQW5Z|J0U0{B_vC&*024SNap#Olna%yF#sAd9{Us#Tc*bCOHB8 zuVuh#ex%nj!CiaiN}Ur`t$^Dv%-@ApC1+CpwSwheT)uLkB%7O} z^OF3sv-+^2{gTs?E$#=wzdqD%~<(7 zk!V=h)L21L2M(qG65n5O{VN?oi5L+U zPxI}&D~wCNFtwxLS&E>11Tw9cdX^{cim2If-)^{BMQ8@P7YR9xgQ|9@zPV3~w0-}t5lIF;4z6yfRaeslH{6ID~k#6uuc zf4ODx-MEVj2$8!AG2XQQn3tRW=s~TnE8+XmfK!@)`$AO*4sdp1 zFuc1jcNJIcSBG{b?du@{>r>zH@Bh6`_dgtH5FE{EcKcQG$t^fY(>xz_;9)u7`jf?E>v{R*vbdvO-;CCbdo;KzHX;;$^h%B;>?f_S3Cwo(O z0GYe12l%O&jk}u)z*QW)0Kmx+;OI`qOU9xAaI^w{mYbJ@mxqi+%ElgC2>kn6N&;Z+ zWC0)(5<>hZ)!vXteoWp+{GYFbpy5!7cuzx+SPXcb*Tca71nk$l!f;Uycu%{)4~^zl zWcl~0zPL}x@<0FjTynWds+$7vT9)=7ll`ft`Ry`AgL<&)>9;-~BGj9pU=h(=GW1U! z0lqK&?IlQp&rgQ|FWN+iVI^cL=(O*B&Hs)o;DC4i8S0Mw<4f z1D>7@(DRqs5BMl={U>{|g-EPg=s~=H{n>50|0&sTQsEjPjN3&$+z8>jn$7ffnS?x%k0Hb=Vaqkmt*Tq4|KxOSD5VCBBFa~*@8Ey z_<8TO8;A!;Q62x+BL%u%Y%8cXUGRaSScz^0kJ5q`hSyidV?k^~jQQCdkgJS!X?c-@ z>1yC=VSK9>%z*FS?aJJ3S8Y1AdcN?(^{uugtB!wgcA~3I%X^b_LG@NW3+^UGEs9Q0 zgin0x#OMIyu&d(59X7t*?_s-3wOsQ=AwQdT8b@8ClM_yrt(S;aI$2c#`J(99p);7jr%@2U|5U9oY|AXPb8ZFKVNf(H+<$`eOf7XMpLgfQ zeEDgBE|xt;j{8x}3dTHMoFk4+LtNrdc%42?}U zUDY`kA?isMGiAEPwAFc~BhW1pUmedvQq%c%07~Bwz6MVa3(p|2mt#hC#MMwCVT!p* z#28l$m}Il4;s(CwT&{_?`!!t4{O%Gzkd)Evt{A1f(Lr5m%z?MXdQ=V0XJoh;u(N9u#bJASd$FO*a|hHXQO|88hidH8M1$i&03g)r^upWJfm;`U>A>WX`^{ViF2!*Ap5m}n zLQW{xWheN_trjyN@2OvjMT2;>fkb-Boz9Ix7`oyJ2laCjErh*PADY|eSWW(2H0bZ& ztogMdm6%#bV33DYX&^<-frc#WeYUXE$dnlSN&$4tylBO0%!? 
zh8M-B7aJD%oCuM-uUogk&Qz^)`9*Slg{I)WaIL<(e9KH0t+>UzCJn~s!(@CBrZH@7 zOQ_fP&4B*VmU-Ys#<{wS%CX0*lt|X`eC+=5)37iO2>Ut(KE>c|nnR1>4>LCMz4V4B zvgox3N$G*Tc_-i{jA&mM&nXoXzK<&>P|plb$s5pH5eLm3VkFC7s!+-q(AqJaV$m>T zmtfdRL+M#UQL@HbFo7aqY<;R^)C(BYK!C~x$#e=W9m18>Jh@`5TG^(f8h$7@17q$y zhuSEK+88e8-$etM2No_ zNds=ysXdOqo8}is-CCVQ7Pqt$U)lWT=L5 z2u~H2UQUf?(l{USETSpQ&^A{4DV>@5?eMXWB-Br)T;ZY-n0qz~AXtmDEORqDu{AY8 z0JfB9cFE{m2*uz}h%(I+Wq)L-LJK_$gkdH7DqQ+n1WJ-k5?jFyebn?1SMd5^uEdn$ zEgC){0-Fa${uGfR3rPkSq0Q&19)a;8hZ1FzM3$?b7%>AT=?_%TJj=hu1OO)q(5_YT zhI{g>kmv1G58Z!X^nLa}hsc4h+>FxX^fENCp=;Lqxk$*_1cP2>nxl zKx*?U23$aN8&(k}uooMHY*d^*jtJy!Rk3WOzzTJxBs$mP2YC%yv84PSz+imF_+2w&sH-($ zw~O@_{5;(N7>unS!&Ei zUQ_ZC*N}IisM~MVFUdLepY1`#CG1Q{`dmZUrWgs0ECE1zc`V7H7P2bHH4DmCvRjH$ zOa#M%8g$)sgwP35BQ{Aikqf}M6|m%luz=S6oc4W>_%@x3tlA$OWN)`7 zxiCA3!jjWP@OsUFtU??+W7fbDh2h}v7CSzcALafZ)4$i|Ali#87Sh64F&c1DY4NjtQkb+XIp85|(+}xry@A zG7#0Twl9hoMHhTJlFs+%{cNnz3RNvIbl(V0zPcti5b>#o4=B_Sxx3mBAedxtfPq7g z?ZqZ{w;au!#TExk6xfwY%Q%F+$Qg63vM6T|o%=@xka-ueV_;a-KY)b;F<=IS;JvUM zwF5%d$M1%%GbG^vfWE*!pJHEXW=XXqa&|1HH<`XZQc!879XXW457$iEk;4gC2#Vhk z->SP)@>SDqIFWmm`hMdBv!Z<$AeF4WtWKpsIe5P4LHC&ga#-_=YY2#N&4s{`rh8OD zds`%FXTqw57?UEMxFRGdic(!jfet2bDLM&hxkQXCp$yls)!oTCz%y7Na1fw`C7qs^ z_)(`%c(eVCQ{j|aMH-)iW0HCeyf!)k0u_rOmzg6-$r<<$$}H8BY;@~`@)agWg{Wwj zctnfHU0Fi7htSg_nV}oWYa?KsBL>JE(h=Od)DP}`KxzEZGd27$>1Ks7DaGL7x%?-2V(iiYP_nJ`#&tKgV)qg z1MFYKiqj}U$I3o%yt2`i0%k);LgRQ`^$mU=Z91-`MTyYnpd=)oX1a`XzQq*=xDNEM zWxsnjm`0$7l{A`T?-2+6;t7L34jp}$oR zJxgcv5>kI8(#1|3jp)Rsqesk{Y?5l{R++&!+}MEm<6-_dKCp-3)6}$t5+norB?wOA zYx`F*3gt_s=PAn=`#;)UNq!NEOig9s%DK2XS2-$GrE2msqc{(UWdsgVP#NLLQVHSP z8Y)aeZy3CmBoWup1k+e}iH>}PKJiU@4ZO|dRRi91EvOgDKzuBaut-f8A(iRH_Jbcy z5l(#7v(-GXp5bB@;2nUmR{14qDfL=H5(>XegDOxIpDi8mZX!yJO_D{z4P(Rt2sWWg z3pdD9kD*Erw5%9)uOCjq?>6NOD7+w^2dh#drg^_mekIbD(FDUM9Ndfjgf}X|76-0~ zu`5dz6cInI$i56#HAk1!3@kvzh(sz7;MGb2d4z+Wdf{flm%^xYOs%@u1UKHNb+?;) zSvOKi%^cT`5|&cq@)q0*<2~w`IKAtIKPb3sq^l4vRA1_~yfpuuvtibGRHj1}{^ijH 
zA1vx1^?x=creMKERRNOd@~Aw}sc+xy&5$1jC;stp!RtrGdQ^eL%L#+v63`m|Y^_Ye zEFzr^Sblp-rSB>A2itT^z=L1vgvosbChibHsCnK8GXZy7S_q>8Z0junj#^^igSP>F0wT8^(qX9QbVd@hq6fsDQ%_FsHR!1XdV6|VnpfY1ukKyA7rWk6VAG`Bt$dQ_dY?+Yj9$A zuw$`CD0-?Xu;JH;zmd)`!%J5ML;4z}cC*IjrHCbJ)2RSo1N8jdQH9Ib0DTlW7l)>+ zv}6Q^5y#K!pNd@$);Ie=avIh*soBSwxzm9J2JrhZ;d^gCkWZi#OR-SV!GIpYb*WtD z6p*b9n**6Zuh*Ad8DeC;DK_b37#Eqr?r3PZnYUY&I3)S^fXT~1e%WgPIi7l^jVU8X z5FR0`B3m!S4-oa2DKLoK1D;rEVyQ2FNn4^G4e%SP&eZJ2FwP~1uJ*v9IY8U6l>W{CP`GBd7vxVDZK?VWCq2u(TH{Fm?Pn}O z$|yS>OQ;Y9hqd7kU^oY06|$zGq*6W`f&kFJP1lCK#0VZa)s{Q-3?S}gIzBJ3K-2|k z$^?IllRZ3bjbls`{y_q6a6&1$s?#V60R?%)Ta>RIrDDFf*U7pAF_((y_nPY&N)_Bx zMM|09xs5f?sUp+>!wM$FgHd$h6x{ev8lYPtty2rG=c?d-in%UfaI3VF+H1$&s~4Ch zU{f{ZtJ|3H~WqcTB|V-6u}o*pv*lWWYsqIHPDs6^8tz5M;pz9X0xD`|J-5uapSmu>F&2>Lpe7 z*^}|q@H*UPbW1dWoM`fLfRs@VwC@OojD&O8zp+FzK2aC45AUSI&3A%t&0znA6Hf{v zmmCLNSU@-sU<`+INj}&(kC1V_zBLH3#7U8YVh6mQUgOoXmD2=&i=YYy@(<`R@jIq} zSlsF4`kM5IaVVLK9|f;4UaavqBmqLeT$@C&vli?%+Giu@DpH!gvM7uai(deGeG6YC zQ>v%RRB_UufJjo-Bq>QljG0y>25_lWuM!|d zR)r167EB#YgsicV_`_mRCtJwO>sx<^Yt#B0ohBGm>j6v{M#9Sf1R_-J4~qz7qurm? 
z(g7DEA%|<=TeiUK5b~jp_`Kc!l%i#P#_L;uhl_}b>yH|P2Z#azlqq?Be*+>zW$2Z~ zzss7~V5mwI%r&b7KAzg80k`tsrHHJi{;CmwhbzAjqybnI$S0Ra|6$*w_8&lC$?3jo z#NTBdBCpF`Ot*vGX)rit3VYQ*2+a;celwI(Z03k0Z?R~!5r5O!j8e>CE6 zvi5MM8-@idNhdnML}t?MKc&baqxio{|G!GV_PXjLI_&fL^vS)+@i>dOrRduB{L9l}PSfO=S|1vV#na)-mv)Q-!a6zA6Q$Zj+_SPDg{Y0?qw=2&w8@)lb#r_|`_o zhLhoImHGS0=zVTLfHLYJQWtAt$sO{V%#dl6!j*nJ-s{YccKrhn+3ER>u-E-Lq5 zOELrcf^=f4!DFZI)C~kxWS-|EA`BD~2C++LeY`s4e%(9yeFQFjnXMQ`DEPoB2!L)= zoUn}3J$H(Uc+@9Z!KErh$?~=Fn%R2!vK0WNJ5Lvtm8%DTO$hw8uCoH^t=9?y3z{iC zKlmv}4!qQpk>*Iw#+7yOggKB1l^l@PX5P13s``nFfrzgluC7p@cT=y~ELp*`YKxZA zpn|2mG&8DGl81Xp!MtPdV8hNqM$qXGqJYX?VE4T+aVVwo%STZqp{Np;&C26M=YSH= zfU8rM{A{6-@ZAc?3*qop5FH2))q_Pkg9%9I6GSW_g7G009eS+k+g!EcB60I> zb=`c%X%$F!pkmqJ|5!Hn!qP{>$JuVILOYswzzsd|MB$n9%M3ipbt#@AQd#=E&$-<& zZ3cwNrPRT+2haQk9g2MZG@c}x?*yLeafzj9_pk62hdvjsmT2sS=PS>TCsK4je6zL6 z0-K`%9OF39)z&mX_bdj|N!9<>f<&kT&x1+28f;uiUwIWZN@wG!M~k&qvpDtiXXnurNJYbmfr(y4(-U<;yi-dzhQ-;5Mw0Ht+c zFL>VTJze+f5YjfS{>H(Sy(s=5h;ZZ}=2VK?JPe*?T_Pj+l7bl*MJLt$i=M0#3`Mz2 ztirPYJNr^v5MHDY+O=+)Or%%V!atqRw2PG>h-6x zbS~t^{jIu!8DfjVMfLr-DdZjL2g_{v_;a@D6?4GP(Qo&II(gAPAnOwZw<;$91b-Oy z)G=|A5nCkFFZvf3`OPpWnqKV0G_zWtlIOR9t<;BT?M&oJI}>Ma*$z@>3w~FtILGV< z7&`3F?|L`E2;(c7NKh~4rFE^Po^3Ik1{?TDN=FWw!mkOlQsww<4U1UqwMP+)yY+G?SFZ%4ozx3AJ6A8X# zkUrZJ3-TBBb&1~l(^OSuT&4Yeo3mSeHc9@iFIhHVS?$5NOZ16f3CHe63NV52g1iG~ zGgEpOH*VUgq#Ju#+YH~ZX1*KtQU%N;5(7xr8tRlZda)N36RL7b()G zXyq%?dWZ;}^eiV(a~{vyUux3^GIIC&*DW#2y2b3)!I*V9ql}kB5;<--IEL?JoHZ)Uw2}1^-C72D0vP}k*NH+I{w|UTQXTy*@%!6!m)1i zJJ>O_fMmXqb_?}lrz=+K6@~|z0gpg3%etyJ`i&cBv!2b7#hbtVH(JL@H4jp8rZthm zqYNOV0|}MSPw(bLAKkMq7Js8s9}J2H9y0Me3pO)xSM)b}am-W>`+XV4S>0jnTj%Zf z0R36Ov>D?KX6YwR$XB1i}?N4n-G~er@wn_X0Nj3^89p1cDqejhwLWT z0oK|c@rCm!g?CfeReR1xo3~k9`>A|p3oJxQigF#M@w@E{%h4^ z2hpN>d(!KNFU>(#)r9XMn}scXZqDuvC0Vtbdq5MNDZO}=%!p^2v0nR_GU`S1mh*Ln z41Lno`UaB(Nsc#FT>8RCKRFm>XLJJu_R*)y_25DjQ3)t;Od1^dP_-^4tT5xweviFx zkMMuY5NHcU_#O-~AL6*iKZg@2y>#2Kl;pka5W{QU(ceIsq3%IomJof0_iGtNOuWWA 
zf0UA0yFY@6s9bBOe7Gp&19fF+&}@0E_iSm*hdtTZhJIxXHU(J+5vd|UjoHKNI-!>c z%M+Rrv*-q+%C2e6S?E5gIOR~jIP67q&QtF;UBll-4)cwL3+KPex>wrFpBxWwn%`Mj z$bl)xocX4Q8zPJLN;w2s|0P2oW}GpB5(uf?s`_+ki%mqq0~4m<=O&M%4bEUfo$4y5Ie%&r;8g0K zZ4iiMg*L{BPP6OrH8q7$mw2`24cd4+ozi&3UL9L#ak73PAylr&bMbPvc`vA0;V^hN z^@rF+@0O-S{qC$C3)$@-x6Pjt@qe7>Fc5k4VolluS98hDAjjT_XuP2&;fZWMt1kUCy771Kkoo{fq` zyfG8)8}dUy|7zy@IF{M>M?BW>gqkNXd9}rv9fbX#d-1q%!yZl^n(JB_9Vfz?)v(Nz zKH5^mx=f<*E4u}m^dHV1aKCs4__k?>tsIkIG_0Q78Fi07Z#S$~>PB84IQxDL(v3l* zJ8Ul6JOi*?wCD-Ad=NbvX#FWHCs_Y6<0Q&fXz|K_+)G^H*~du^nkhDy+!n$vHl>}K zq&~1qRy2@Mwf;T%91b;!vJ;q_78jf{xSIsbxaRjEsaQWbvRDJ}e*6M-+T4EoE%`N$ zY+_+Z2lw|BUrV)%H@<|M$0RN(CXPX z{NP%-MzLAvRV&-$>|>!5J^z_)dlzN1xWf5BEjauX(#YYufAcFO(iW%R=<#Xz(~)wE zLS1)0Ax}r-an9tOPh4^fu9&s7MYdG)rs_523P~K*8nC!@6AR4+f)!IXzHHrK-4wzn z6PUZkCL*KxC3a$YQXW`Dic*z?nH_AJ_r3>J-X3e$|3zVKHb*Wd3<$L`2zZfP?pC9aEBiN{jPL4J>U zS;tv6<%aR;ob5x_ZFi2tkLjdt@k%l zJT)~LZY7MLBq_}b2{p;^iCkoO!$+x3tB#CBA@}u1#B>}K9=+0`<7%t-(GLhvM5vuc z-<^=k4%bv}T5Jy>ak#SYim#EQyJ8q|$V z1Y!jYr-{}4XftO4qHxS`D>2fB)=7rrar3sHU)WQbY|p%l43&o+nP!ZZxNmyxL={dL zYFkB57j2z|y)fex)wffBhDZu_&`oBTA||AN$7D9-p|?ehx49pU>~k|p!I)QjcjNF) zu_GJ{KjdmIwx8h_3UrNb)Ur@f=f3Z$THcQqRgT`vLh?Ouf|ilit{QK44xd<+Lz^j8 zM^$f&J!zH_Y($}@BGKIU!aSDzs%xO1D+i}LOnFw>tBif82H16D2jVS_nloH58$l&a z1qtoE`z{fdfr4~K?eoy7C_W8$f%xn~o5;$bHTSN`Ht_lKqykcftTcL&Hy&+V$~+>a z-5?3gx#jKh!Cr3>Wu69tE?r7-LrsSKUj?Q%_Q>!AUC=tP0!)y@kb&;T;urG|za8VQ zK_rJl8YiT)Kc6GrI~@7Ew;qW5B%Lbo;+H?WHfbLCWHy;4LA=D3D7s2~ z6JpI+179X88e}-f-4?sz`Yqp0TnaF3?N`3@WfSLi)R_67u@$bK$%I_z7Q z)$<}*T8)o3oKTu5mjY)dT5)Aoy3y-Rv;^AclPVeq73|&!gP@h-XLmDoQ;Yl#SeT>m zXkLU=oxnMpTvg)ka7y@H%MnM!L_v-)o6|^(y*z^??2dg@Cqw2MjcJs}lI!s-4|e35 z2;>E4<)qIATjURo6Kr>D^m^pQj7$sDK}%-X%$e&djJ1rnAzt{&YX%Rvw59VAA}5|C zGqOBFHD>c}ltT=Jk#6h8`UH9HyBJ}eF6<~IdJ*O*9$%5u%YQCZGcpk;G`3cLe5+NG z2PBH~FesEp)QIwgqS+{@g9OOQeDX6Dcz_^-p`)0_;3esnZBXZ6s3VV($~PE8oYOjk z-Pwpd*D=Am1&f9Q7WCe=VN|me?uYx)i~~`5lsKIUr2ve@LH-PcXve!ZG<;-KGP@8= zF-fPCbPXGn3a~hNhfH6VMOV(c0oG`i)n&Y@Jtd&uqqP{n^#Y36!pk%Vpz_pfJnm$+ 
zwCtxY`5!VP2Yl-xET)1bF*hnrV6=M;A>B>5W=MV1`p+7a!gUkO#L?%oNfFpJr05zx z3q?*yyfZct=!>-$%3vM}REpmSJ~#&LN0ecRHW8dnH2j!rr7{>|S%J_>5nVOQ4|-5) zPeuWevshcNxUGw4@E0hg;^B`0#F=+!3y7yQtxTt27gf224L!u*$USBhF*HGs2-k=_ zu<>r&`Aj78BxaCHiHH!iP)rGrXicTZ)At6cDC|-wKXu(dKSwpGp7y!ca>^&8N+d@v z5XP&>Nn=cz6Lru^;}Owx3zQRJBB373-BWaf9pNuzUf=a4sHeoZ9lbXt17{7~<+VYH zdN^ot6J|Xb5oykJI;1Mo=G!pXKd!tP9bzjh%?PWqTonvNCp-<5VSPVE3;>XXNeIW) zz3@~}Vsz5sX(xZ62_K!=L`TEej4<4?AUfiq%C1ggh)SssY@$Mg&yR|?h-Jl3oznNw z7m#96`~7V(N^jUA=8?Qkby_gJ2QN@FHsj{nuq{-nM%VCt1Jd?dwnsn2TuJ(r^{OVp z?!qNq9t!tX7;8&#?d(QL19xn{2m3>mUxh zx2WK)vxv4}pg?>o=$hdm8E!frBKZ;-hw|9SU-3}#{ce0z#+d@?r4MmYwDY>KtgEi{cyDO10b?1$7KgD zst+nsjLZ^N&$NBSQ&1kyuC+y3G~?k9fl!zYuioV~OU@x}Gf9XSe$-!`;{a%3tvZlUvAtWWcF3@(#8 z$eKXF-JOJV5W6W{_-$St=9_`E!g}}3$r_cG6eEx3SZ^Y=(S0Ce=@~~1+lW~hPmgxk zM`lvo8NwD$0avo@JKeb*h%XSsT+T!=4LLPjl_PyvXsFCXUpZ_D@z2>5#VkP1g;^X? z+Wdn@VY?ji(fw5`1IR`SPrehAAB(NL!$k^$iEXH$PQ>01yO{Vhma;L*E~PzY%ptvt zWo!t_Z9Kb47OAZ{=F=xeDzp8H3tgSEuohAz*pHvWAg^5DR~uak2zyHLiO$@LQl^ zTX`KExC&PM>dO>I0Rq`yBo@ExDM>yJC4Jv3))D^FhXx()q#r$#~WM6|Y0 z-`eL3R$@qoE-@S=`E@Ro2jwRwk3EwqSo|Gycy3NbewCMyZnq-;yFb?PynK{1DOtB#Ula$3M&W)qhBRLOy;*~%|&Cy;`Nsx0f*ZwL9UoMT%K5MhJLjr0YC$*;NxI8pn7ILp9jKaqm9QQ|W`;oic zvWgv2>nEQq`^`$_a8){-SnCX!B&UOEDq)goYmY(2?y< zedaTYwHg2g0ued|O?tVvrjHEZn1GfOFXN22;Oq3tGX1+8I7rlU1ME#f6&N!_Cpc9alz-tT$Uga6z$U->CMZC?lNSMi{*qFyu9EgosB15;zfuU? 
zr)n)KVe1+cD;!c1Q$I~dMt@z6=&28C#U%E#@yY8ub|k>a=ej`QCX9=btl{hz4gBeK zGc!~WPEhxZQ!6be1|5n^|7{<}<(FCRzxl zN`G;u-j)bGV;M?$Lmd-5k-)}P^hKIoSw_65SrtW!v~gK!1?RADm$Rm%*vv{mi&8Z{ z-G%55ExjTSE)c^Z0c)Z}vt?KMU}TK%tu_;5M@}!d1>bfciNiWV6p8=K57!;uVL+6g z0BDGdKV=4P78LZuF<(F_L7<4|)CBWc7FL&rYe9+pFbGn+wb+`h|U4f0%94f5!W01QN8x|=3KzbFLc zzMz3{uM-Km$<#Z1wc|_9eRziHkjJs0LcR2HbYfR#E|Sv9M3PDC%`)MJN@G(<^ls6z zxxtB0kc0p2XYP0HnA$cuT&uQyZr0a#?}8Vmns%FP%!R%>7g??PY`BPjKN!3YB4Y-H zA%DLq00!9@+d?C&u`Vzium$2Rp$e1aa}86$Yf?2hw0n&;Z?f$PvklM2%v@4%s=qao z#CuV*(W8OEMqEdM?T1H2Tg|hv-gB?7D?wF4f;x)!yH_%I2%@L=vM^_Uul5$N=AIi( zC|jDt$23{%z`cuL)L0kdebhqM3pIKFUQk-`#@*8#um4BhL(hF3VNrUmzk&I{Mw!|~c|dh&!HgFX z40`b@TUWEt8p?-^o&rVokt9j z1uZGXRg%LAQLDthem8`Jv~&5DAx@9DzRM-b2!{UXaB`Xo#`wumky`%+va#w?57^e? z9j#S}>X!H^CZyy-R0u9+LU%$G=E8AXo-olkvJ{A>mUN>SXrBSy&GXHaxo}=<&`Z(yKMvaAb{N?TG3c>`?O-5#JX_mC9ENfp~vbcfvV` zQ*8E80K~*d`e4;Wy4hon><8Zp-SxvLB?S7}chNlXzHiu?GroJ;o*S|i<^-uA&bRpE zdo6qM6m?WN$*sCG6Kv48kw$wqS`u^5o+n~k_2Itx)#Gb#%fR~B@Bg(*8ToKduf(oV(GpG8 ze)-vs#Br*6OW@+ynmHqHtWW!w!optXbSBo-45QOW{{@4b%Z*5C73%xcHUo6B%M8WP zlo}-|`30XV80C3*5J{u2wUHfd^)Eqb9!2yYobk`ztnk_x zd9Zk^H}tx6yl?Y3+&PJ8aim%|(ht@0a@MK5{)x>v%mkNIBf9!qg>Q|R3hZ!Td(E$& znTe-z%WS;wV?02j8JYBtf{{GS`qRf^ZEh5VeT-4sH|Xi6`%H!b!J#0`$AoAeWSW|D z?qQ(%_gI1`qX2e%5O+54x%a3q_gkBglI2|QH2c*S+cq6dEI{x#du`Y0Z*Ip0*@_`f zV}I7RFB`2oKW{(7;-gH}dP$lV z`1kW$QqL664-X|;Nt$hZt9YP~zM^Bo-*ZNH->!G<*?Hb%&Q|;6eWZrk!rff_l)A~$ z#@p&Q>yq0CfpCkt#IU0DL!guyC3EPu1f>-b>Zs>u+q91Ua+~dLgZ3&Rr9;j(;b$H= z2w7<5%ui8Qu|oO#$eK>hilC3)fCtqsEbi||4qXg7mrSb5qB!9379&2}ixQq`vTaL2 z*F`fOfnP$TfHLt~>ISZkh6WDB7s#A5_5Rt-;WLC)mv$~#D%6K$_u;(#(N#zGPlXlk z2k)0gv`c=LYk$IRTQsk-{r`A6%b>WHrUB#b?(P;AO>lR2C$P8^Y|-Ej3&AzGYtY~X zS=`;-H9(L+?zg%3tM?C8P{lc?XS!#)r=RZGThrlf0j%+>*$58H^>zUN>GJ^2ogB%2 zPW0@SrjN|fyuH3Uah~o840M-I=0|p~pR~6s5+rdHF7f&%|180L@+fpBgmNnO%p$d1 zhAzx!sNVE9MPQxk^D^^&G9P;zCo7shyJswXQm9$7$Aipv-y4uTr{2ZdvZ z#C&ATFy0-O>+FIFm8=K`Dv)Gw9%$Xi54N?h7C+x1A&OrS`VXm~T!h|fo%r2-_oZr% 
z;dU5eFFksVT}f$zV8}W%ikmr(_sLDxgK{!-v24@O(4$)7kx>9T#m%@P!*{|1eeL_OxjaATlf?rB; z0FD1XePgvbhjfU@90JWRf!m--Gg9serlP@pCyhjW0zR1-*!@1nE1JH^hV?8hr&}*4 z&AnTYvDG;VbnJ&nhGY}kWVlWKzOkM6MSwS!vnP>L35CQJIu^ViGgW1{G5GQ{{gvD` z_b+jwV+XPfUSIcebZ8t}ZiK#S-&u3d9SNf;1|>2?@AJYJ1Cs@iKLT{(^GSBn+Y z+7L;p{-6Y9*b_l3qGtI(@5^O8fdj|0^b!|qlmz$|-o?Tjz=!nXUx^5Ehe+l- zD>9+PF4Mn{+DC%LlKUv`;b-hr?Erb`-ogr8^mG;RE&(I+YyM|4b}$*vlEWi-KQ}sj z^39zc=YdZC=Z5Upj3*ouqa&8_w_Ily)4Xu!_SKDvr__@fkxIe`& z+V-yT$dszRQVGb{~XBVE=t|D(Hfqsy%y)L=Bzn^NU7z z0`V7Psk%g{K20MC4Z9h}9AFw4rw%pF*{;dd$O+rN7t3p*VBzpM!5hNjMUez;dDChb7_Q6TeO` z$*$GQNAU3bG9$t4+AIr}7d5QLgmQI_sn@K8MsX@c$7Ttyj-dDXRc&D|e$}E>4r>?N zRoLt1E?C!#zwgpadCkOW4m|^`6bHY_>igfj&4#KiLUz^4{jKt&Bei}PBP^$XGj-l| zKOgf|!svp|=ZaoyhF!dKaeh7?7`J{^!oM*~Uca-?n^@Ic86r&`)K!1%W9FlDaWIkw zHD->!YI4e>sy19Tdi{j81Db`C9(R3R*EVArhLkzEt#pCRkO&0WI^@khuNqFVs<&Sy zWUuQ-XQp`p-ypm9XLpk4N2bL=FEmj!)zdiM#SwYU*7f&kMfXmaiNc~6ZwEOurgH$y zDVimlLEF_e-4de@6DM=+QdJj)^SgufPscN92xR3&AO_LMF-pK6=3kl2WB#b z50C`6fHjF-D@blSsLM!HCoNnxTu16s4x@z2e2dsWQ4>7DH>yeevOK4#)*&B) z$W+5k;DueHG_XiH$#^Hrmnx)$V4rF_@4ZOlrb`l#Uurwp!Q%OdOqJ~?X2p2E=;MDW z4b#=Csva2Lqn1tq);GmFXSC}53#jZkg6t==@412!o;%QLRmW5H{rk}DBHQ`#{uJp6zWv8U=ro3 zBobkXrj%+9(uyeRcPCs*ub;MYU*6u_`$*EL{{ZB45&mRysF zw|BA1Sg0t>=xta+a$0yN4cf@KX`#N`k^wLwn2YiH@0)k zfJSHi)2!Gc|4C`!83s?xndBf{ii@$ak}hsf1P0GTy7^Q!JL8{9O>fh6q!3Q=LykCr zrD^IqqKLJ!2v)DG0N%$Z?ZeOz=e4Iz-mwzmOaRsw@fk?-$kf~%ZaKYkh$6!~_2TMk zx2`=+Cb@+!wYLfit+(ux)PE!yokVOb433#0@M_Mx(=SqZblCECZz$FhLMF*t2yLwo zT_mW3#s5^coOV$upH}IXNGd`GE#?6xw&AgkgCXam2)mO_#GaV5u}ea}iNtlb zqHTjf8aRpv5xw6q6JMTn4K`kJ%9~Pv>PfyO2C3z--~zS zRqRK}=p2+nbT)6DQcagzC3mX1pV*YAE527?wn}gK#@W@RuOoWS**tm%4EGQZdz3F# zyV?(3MH345Yj(P*2!e{Z-gN(p`!StcOvZ731Y^!dY;PZeV#WM$(3$6iwKJ~ z5p`~u+{#_(X>BB`E)H-%94>)(ed`dVYEqU`r?vgXV3a$Ug-S$ZFjD|VC;>Jha289T z@lh;}9rw|3|-I#;_UQD@#TzDX`Od^LvdT=aHB6z!A)1C5c< z*;++1#TOl|m~f_^KestVrE|lU_Vk?jeUBp)^?BRSD?EE#KZn~dJjp>cF@X1lM5fE0 z%<))T@-Lc{3rj?nN$tOBI*p%@LQ6b$xyBvB)FdIutSGB<_4h|`1E|lJ!F5xcSuMlRc=W7DQwNrL* 
zAPjcEWaoGBC5CcNAkS*Sk48l;8-g}Sak~FMp^euew}m|6_C5?bp=#Hd!%iyYNd*t| zrBt4s-+v$}V~pLWlg(7Ge|DHIwmzvvSLBDrett8UCd*D12g~XzADe5R}mo-2zW1Z7Tkh$UlkbEh73Gjm9;iK`phJJ#Xik*yG$EU3`7h z{>ie^RV9S&;;(s$-<%&LFInZ(19#Q#g4LvR;v3sgDTLQloLp3%cp`pEPij;MpY_aD zG^CpRlQ%~4@M(fyqhL5LNOE86RV3?5B5^2EQxq_q9r2!IGo-Ko$}s}xs%a+%!3z|U z=SQI0T60i_V$MqI%)UO~Dj94!Oko&rVN9x{`8d9#Y|XM~hfIKAn5MK27R#@EbEBD^ zy~)pidV;AraIj-}30eWFe^7p{*tt-Lq~L=ANkXCn-J^m2_~qZ7GORHrqmVn0?_=a> z;X~34^!A{K>cWA3zJzZ{8Sw7Zk~T|fnDgpkkvA}Ao2Ro;#D2Q{Zq;3HdgtyHiCsH}$g9);FA>_P=pMO7Gn))A*#WHw9x2v??d z3lc&!vDv2cWsojB3zMtIW?SZNW?^Prwj^lR+a-q!c`}~<>0Bt&_6HC$+v=B)nkk`+ zn!QvH+ygLuawQ=y>iN2tZGfuHu?dXCM^lv7iAoWtL$Z*LKf_=nTQEFZHW#3})6@59 zuFwow|0RS}YSaX!_ijJ>lzT(z4^(YFlqQ_y+&dBx=WJRa}+` zq1kz0p!x%g)rcoT<;yl6ir_W#>5Hm!_~qX@+jahT0So>FfzH`3X(&1PVNOrf6L!nI z_BfLSl)|oWrt|C>6M1vXqlSph|FB5LudhldIAT@B;qEg@j#lr>C^J`Tm0>;I_8_4w zNb8oOx}M%yZl^(yzf#$9e&R9K74hLOkU@I0U@KRF*&x1J$({Xz+=_AOa(h!f?19N( zcHPz~D#sP8rrC9Uts#CWEs1fja=VxD}_$Se<`STZ;8W;f_%iG`%SkZwux9&A5 zQtJk3>nsf{76E^|`w&ThWsI7p$>Oey|376`1*w$Yd(sH3pIV~4wj|WCAl!Uu($0Au z!Aqi{Fi{&SoYPGa#uAqs2y!llBTLT6`|6_9ecS$?;V)h)B1{Ag<|MVr!*5p>v85-$ zcGO?6j=c&F2RISS6aK&(Lap*aKLOGlV?-%5{Jo+8t$dAUGJ9wc*zR0!-HC^htcD<% zCguG0$FF-R3DKES|Fy$CKBHpyWmRomHYz|;oWZB4tUKxq(?7P6kc6}q*mF5US+&n@ zL*7QS$nK$eTTnqi))xP zSn#n?r3`V5pJ_gF2I?CgVRrGkjP4lZCe_7Xu`=Qn=86+lIIhzq2{HY#0Yn}b-5+3L zs`fQx7na@>Zir(3)MY}niinYsCI@3CpygR{weJe{Yn_y$s2DBUb8cEla?itSkSWkn zxb+rA;idIV7%~s681Pd~$n%+c6l!=XykbJ>DiT!*>PdA>C+_F^tps5@C0%0>8~+WY zSsQ!D^+N~?!OzUlITVz|FA1)X(??@$E7!>4E#SFn-meYqLEbw+p{5w}$d-?GE zq1Zr2T-#X2^Zs<&)6By_8YiF(TIaP}sjJrVUu)y18W=q*KK13E3SYnJ`(^_uB%&wD zLPE)%suvVTYUjg~s@9#i;*i$h9z>AN$+mY~EqkUnB@UM#nq<%{)qs@ngnXx)jn(!~ z*4w1hMwj08<8b+nrg$a_jc1=g@oY}8c~s_oSY%R~3v#NIU`pxJ>=4sX204vCQq3rZ z=IjdCs(ImMC_JUQN($uG%Pr10?Pv_Swt&d0dbqghv%e$_CNAlQUBTVbJbDg zLSs|J9i#k(0;V2!dxz+_n%Dc+8-;>=n7oszaLXd9H74z*szt0K z0>%@Oy^%%0-ade0fLDN>1)}_TRXa}W86!bRSdn;9&EhMhiC`%YXH%&?L@ z)?lTI%g4~7glhkvU!orpe)kto(*XrJbp*@B(8pfXr@wdDZ{$sqr2FnuSUA>k?1{ON 
z7FSg&oKes|U(W#hg#nA#%;8Ew-z83w+zPbHBea6`*bt$rep$J|AwPpd)t7mBHyaO$ zu3&@S1T^FR7!~w#g@UXwM=Y5t5>v{JO?|SZ&R2WTA0?$E7v zHwtFo_w@l;?^Nx9{P(b@BN0A$w)uX?oUZe{cB1SZBla!H8!}gnEjpi;Jd$^-hW^gX z%E(bGx=ns`QthZoZV0cpG862MhtJ%jai>*i8nx{|FSjId$@g`frtg|1dpXxDD)#|2 zb9uoUMTr*pJAMRP>4>XGeK_&LWK32E2b_l52(?K@rQr*6?yFwTGiV@Q~sP*I%CLMYe34D@MqLEP`rs*ZrYp7E#z6ylKu)7c-KVsR|W><1C!P=~buKJjp^Q7e-;EQK& zS1A&PJ5+WT_>&*(NrWdeUv8!G0VVj3^f~0hnbt}p$?Lyx--FQTnED4fy}eC&`swp$ zv5u2gKC1xZKYkC6LB6GtHeNdCspj`V{=VH8LJ~;>wO6K4^T&At(>+LYSv`k#RTmK{q@)6R$uI} zKn95SK8p$}A5LpnfOC$A^9}*3DF89_&{>?XsyjC#yIUxf zGAv5U`IaPM#zGeTF1th+uB0;|lXSmcG@4Lh7P~%G;M?~``goG-LSW)0{l%e*lqi+Y zs7&Q}45XqYf{gtJBz|$_0_IXrfc!E`gc#604We5$hCbF^N|Qfs<^P&C7@jeX;Xp@C zf^UTH4Ajw|=^vqWjP9$`)Q39K|2kzfrR8rnr=(`>2F{BP(>eC;dW}Zt^7CiVEh6I+ zFN$*>(x16A1&*)t-i(Wr8WQRva{4&FHN;Z&n?`JSIabXNh(w)5Ts~1G^8z%$7)5bO z=_eRzppX%gh!zh8dM#|0+N6(}$?L;jdTA0;^mJN5OZBs6w26{duLEz~#tL0|8T4ub z1uVmX^xa(YjH&M~hC79@OXM#!k&TbIj&>s?SSlR&0ONMXr{l87R)@W?iDJ_( zE&X1-0p&wKndny~kshfP#F3|fR1Ahvw}5k4*OoGA7ZFcoee^ntP&*!r4yU|QZ_{PD zvBW=<*65#uROm5<#2iF7G|^j=q8%qKk08;3Q>H8#!7`v*l0Y20{;;g>{;JyfqT}r0 zCx@7#cA`LW$jz3lg6 zxWkvw7hfsX+2sn?{9d=v3hEQub^jMMKrry-+KH$~gBZKG{tp z7}X{h(gyFh7yExiTaXhF)Rg~rm8qs4Vf87n46wZKo}qFRZQC3ud%kezLkC1qmWB5* zT0hJ07)b7f?;cX1_J8Ice)#k76n@o{l2KISbFaj3rwZ*&m9FIS@eW1kfrRjr$hT}1 zt4<}uIl0xI*60hbLler#e5iM|&EBEwwnmF-dH8#Kkdk2^9F%~|&-k@$t87XOEoi=N@oya8T&QCB2qw>a-=^*=@Tr zQ#f=axl&S3M9X;PTxaL;nma=5<0v>q;{ascMbfoK=n%Kmt>n_ktRRu$_^7BxnPTQy zyFs=uO4amoV)EA-9*jnLCovGvW=5b%tV~4@)Zr>bPhXLWMERsOB!L@n6B+FRO*F~C z)tsp*0rXB5y1a1Dr6tIe$Igh}vA~c@x^{F^gK@QY8Kn+%Vnu_g%bJCj!j#Ksvis6^ zQ}w~n*B6mFSdgJnlweIPopErLm^jK~{Fi-DFg9>wdLI@DEe2ci3Z-j`ov@Bu^YbcC zwDBV88;xFQ2Ds503i8&-W}mhwOMHPI-W~0Z#qq6mtfAWq6!U%iei zKaXW6v6ii-4Tk*P0s~97V3P@jjs)ZsGHQI4FUX)-lk=jP_`{_lGU~mT`-W~=&tm?M z6mvxlRPlnomn)br9L!YcZ8fP7(c;S_k^Y_d6$gPz%qG|YR5wHuNBbibJ;ro7E-k>Oa(;}ucHamf+YZSz+IF^NG+2ng~ywt+2Cxx2MKtFw^SDOg(M5UR60->D?z1 
z?*LPt+Q)-(e+8EbKpVi)b4+Uf4C$LfzM29N5Skm{6Yxm#Se!>Sj6{Mv$ZbX5d0!aZ1M1@Wc~FSg;b`ST9s^wg18CG=EBGiGdDa;1q7{N0 zWq0>=FPRt4Elw6d@X>ysq&sQ-)~A0rHSN!M`X@p_;M+gmaT)&Af*^#Ew`_J4YdsZW zSO2b3{NIeDWUUy-UAW*;{GRJax6q`pP;qSGF1VRNAc(fBD3`7^8l7c%4Hue(+;bIW zpCb~J$f{ooMlA~}i+W8w5_3P2Vj{>GCu+PUS>GxFW+twaf%RX2?;*$f2)dmpg#{8K zK@d|lvIPBWionX+ePeeA*M`J?hvumq&684oGjHYf#hmG+LO(X8MNwUr9H{M;Jw%eM z<>%{|$MEcK3`c9RA!}BXkI;goNdHwfmy^0~vHP2#hv1{P7{a13Dx03MR%pOt8ok{T zq#C&InTkzsMCNDM=V!0n`)&hIhd=q@U8>swVIk(CRvn@c;6%>iZU0ons~9EbPor-8 z+rEu|_#;m8>RK_#RRCWszgmBCwX5gGdU!MJl21zXk+DzsAZz|!m%x!k1%P>IBy9QL z`KA0?5t7D{@{2=;kQz2R24po~G%f+swNH^SzBTO(h8*3wN-PHwid>X0&GMa;Ro1J} z^IaDda{)txIM-WE39lqatM^BCFnc$&F|7l;$-;C`Q#%x-?QNL-v>Qc!Y_0!&Jh9|lj^QUfE(f~cBRq0G8NNQB6~nl|sHwRtGU^cjWCWcfqE1-z8&vzi zjh?vyLeHDXAC7CMEaplwpNPNjHGZ!9`aB;kWFIBfV6NpF+-fb6n`+y7l1<P#Q02Q?k0sj{{#_yk@Ie<=+LQmXXkb{d9ijXcizND zAa;BNnc?j44CMeuzb3zv|8kgGt~oU*iOAp#OW=>h1f#QYvEm14{V|k;XfCyk$DldFOa7Ob5QN6PF)$gRixtNI z3aS~_e$1BSLMy$Y@Wq-IKn@AVBLD%0GOHQ$i zD;>zt{l}!WJrfiVI9%H|L}Ix9>%E0xyr#**dwLw7863o&7+4pX&8zT#*@!qOYeB1; zfpagi`Bspn?I+iP8_o;;Zd!z?duSOoTHk3Onk~*wna8P0)&^0I{&P)2MgFl5+jrEp z!@r+}y0dIJWf!mSYuQmZkL{l~M3T~3LER_vFF?~4Ow*S)+m;3R&Uu3>=F9x^$w(M4 z`%~MCn>pLJ)v=6$CF8DtEFrGxnwA2ONASssE2;A)tt_|i5#PwBNfQA5J}?ex#%tC@ zK$WYa^hk%$p1+U9$Ej^ZfOU!7oJt*ao{i6G$!0JUI5^7~oR6c$W?}%M7X&q?bXm>? 
zTq%5(*}`FBD_n)r)r0$*Ht#zDN+NaZ@06!AH)I!Ediu`)O1RHSh43$GWIH4$(~}cO93Q{hqIn`h#?K8(#(m zqrb7F{Hs0O5UAvzMO-{XF<_1epo#$<&|LmMMc+c9pb)st2xn*NWPKuYgGl>(e56Sh z`aU`3liyNGXy!b(=#lU3+Jg*(NPu2yq z-k&PJLMa0<6jtAJ9NuUCqxNE#=>SL7aky7KK3Y%qz8Jv6Urwf0I4;MGg8P;BT^xYP zN7EL@=8Enwcsm%GK@ z^#T8fU(JnN&_a)&nt@$o%!x6G>oreJJE0?!yn$>RBJc6&GYs=UU4B(n#7akeCQEO> zdtNqn@H?50jYErm>}*5vS3I!mRimlMv^Ssj_T*bwW4`KZYD>i8WKeIfvlhvm1#^Qc z^FX1np3hIWVbXZ_u=GEF0wOZFZf;!Of(Zilw>XBK^1*hCH2t@pso)V%(Xt>sU#%2Q_prvtvH4 z+qN8o#xGC`Em1N!$D)mwaf;|^O%%ELp;GH>$uAGo*JHsQ}3 zqji32}8fS`MGF_EMAdRpiEpZiX21AJ;1~{GtEEely{A*plhl7B&8=03*o`N zgy+d*yJ8n_>Mdo6#GUJGL-%d%5cyv&uj@aP$F)VTxu|+(x|($Onh*}|oIJwX3K4mT{M57v4P2p~NVL7N;0bJBce(Ck za_>>EV@vqscComOBcT~SFMz^$y;W=Zq}JYbUNx5zIGOqa6}$*4c!LNfEH$=`9ihcV zqc3CBRy?F!N&Wbvp;#BJj$b2my6;|^WK+}}-T{Mv73n?NPb_xaBsEx_mssogp2rfl zmH94h*v!^-P%bH`%FHK|M87`s_tkaqL^)aFT*D`ymhWj-ZZ#6VUE3B5O6bCZ{v59q zjdmer3C4V``qh(Hs!ZEdEXN(tr9eXXgMK%WzRTbB_VyPB+y+Kx9&2(d=-3cX_Pvpp zf2Eq=QurcY6-K})GiO!puF%5XT27B15OjF3d!>6&rdSz!$;Vg`mHc4#F6syFX~WjL z3?+SJh?$3^gTfl83AE@4mQ~tU#Lh5B(D9eWXOC4nAu4#nh>a_0fAg5}frVcc_GrlK z{CfZ-t~Dp>%$$&YT#27&l@Re)xYkn}A%<M)xCMcXU+=63hwl5AV7;mrc)zrcMk#=KTEtWd%Ecs2YH4R8+jI5nsAar{a8`2> z_IEQ9zRGmXA7PR2$@?^`-i5KCxY^!2+sLfJxfpzayQ3g-ZE0KdW9UdO_*MO zx@)dd>`R8&rmRMFDl%Z!f0<${uVD}R%y15WYnFFEMu-G$9E+Aq&&qNODkVmk9LUc6 z%=%E!?VYEm@&iiO4Gsef-ZjyPW^;dJW~n#)Sl>qebRQ|3?_1T{ag1n1lVhvMM*=R4 zr9#4}o81`hBSYsT-iP5?sQ5@}e=39{j4HE41lHX)qQy9OCPQhm`WS6fL5ej9RAuGt z8wL`X?E(68t_y}bg6!Lxg*3&D@XuvD%#i(MtuQjRw};XQ5!y+;g|+FNLs~2Kym#AJ zgLjX(AA`DY(3uC+Vnh+(D5s0w!~T)F^4hBdJR3cgUQO!k)%YJ84P>n-E3zcsH`_bb z5bf=N=&z{WA=L1PX+gOm$B6_9b!cA|N>-f3UiyPo^w zmx3cE`P{FwBx@LUTS9hh5&$-t(9WV6Jn(ZQ56WuW`Pu+g0OpK6$T!t^+OhS$50}*} zs114%@{RziA`wugqhc|gsNbzC%QU9B^l)H3T7uQjF;*i?^6Ge*2B!TDy0j1ky7pVU zsCuH>i2v`n>PMn%#N=kqCdCl9|qW44@MJB z>(e=JSA+rzWmt9!GnBr680&U)>RKi;8}}hRlYL%pNciIBztDMFZ}<7;H~zNx`?8*D zYZu_h16F*7%U%FMDpLe^tgnmn*%~F-`E_xUDqg)TV>Wzs5O~jHjo?Vtq3P*2;&vx{ zk$Wik7snyk*^|y+)nMIf$6{%;{kE`Z>ud|5FRHmpr-?V 
zLV^&+$0MtnA3(#v=7?9Q$>>=0A1;gMh#tQQ2>a2e&hOgtC|@J((c-r;s6?qBX^M0e zta#a+@yUQ8Ea*DkE^Uo{`DaHXasK$`^pFgB5{r3^{jDbU19z^S3To}hNRvq`6qkb0 z@NSfr){&%czNVa&q-GYSpcCYb>KOR=>kpL`$clXxO6|S8Rlese>S#jh{1KcLg{87% z&sn9%2LWEF{$}VA&fjcsJ5bVTLL1JVbjDy|Lmwg|`ZVU;1ZPV(a51DYro(pav^*S!Tg?1yrs;< zR!w*mp1NPUOLjqEHc`%8;pXFf{UD9}8b_{87EyX4*j;lmDcB`rB=Z z1OPnLZ>=?_VBu3`*gt#j6Pw7?7zLg#th)b@%&;!wLp#?TKJng zxHzM)D~@iHeyJdnf$)8RR{f4Sk5gCW=+~n;A&C8fW2K=Hw94EGSg!FaniVU8*GqZA z3jnRM&F{Nodt&%h`-u)vmlhAr1BG{tV4z@S`W;XKmP^$}W^nvNWr%O|Ul zrtw>E@(X*Je}|IZ%+B8d5sWm;eNBqqaQf62gAuM+{p-ZF<98peyYp<@LeV$l)pQU? zlezR#0d9Q+dC%H>WB~eehhcM>~E~&GKO&>F2CB-#fm>*l;VTmtg$?4#KRqjJ>H=0divwo8&@q@6|PX) z35!pv>v1_%CcGv>IzN2%oE|&)zA^P|6XjE}8yMDVym?`sc(pw5^Lu$erFBwmsag;l zxr**#QQ5-Oq=nZszgdG2FC3`PqC58z-QFpVQ6`-ot+qj|5i?^L@(96|I zfI4tZyEbw)oOY#mn7qc&m0|C9h~GxI@FK0Ns`5I_4~8Tf{>U~CBIfsAn`(eOy~=b2 zbUsU&ziWENOYWA;sJ+cau;V?Qr^#(5dw9$&Z!B~m!H_=qTXLmD z)sl(HVUKA1COLoAjG+}Wg)CeWYfcSrrY@mss&#RQ zoS=WaQ`e-zT!RO4fTJ5P9=&Bw-EbE#q{kSx_R-Kywq0w{+*P7|ajJ}s5 z>f6Q#KNH%?&m%1M;1j&`M~o>i+`tj>r1k8UKI|1{Fx1&yno#}e=>7|}X@_36TCd|V^tETKV@oo9=G5)^JRVYUWM8WWx z>g$U5_068X+kRl~{&maZO)OB<09rW{1F;*INTrth30%f>xq-2QgYT9L;X)^G zChHUY6S2Irj0=7s*ycEgmc~E?Q;2)#9}`cfEcNgYl8uwuy9&OUiGE%oFdQ-8aqfaeMt* zRVL8>jd3?f-29h%rq0*<67(j7H7`$zf+c#=aZBYPjNSWy-!S#leuhO{-y=zFf(9g_ zi*z2w!qiI&XJ_6@1nt76(oH_Cj*xkO87CUpYurjNi+raR(TePCP}SC# zHZu}#8A0Yb^BzKhh0@Vedk3tirH{Pfo}ddagQ30;zlm}6tg$buA31SE4wPK2a7w027lJ>HYN&I%fEZPfPz zg~YAe)-I`hF%S(2QHTVkM#5}CHkt`JA69KKtIu3Y0j)@|bsxQt1w{*#dQp&<#IJq6 z+x2Tnt5c~ZuNN7P`(pn-!2w^qw#uUEXfuu&d|J16F3N;$cj&MZv*}HJJ^xatB>#R zKcZlMw}uNxQh~6WWNHoLotjzxk~98Z#Mc!1+lr~n4x2C9KZ)c)k`kSA$`D)fH7SBP zneQGNqecz`e@cu2Q3M=fjk{@u3j8Z(*;#IG01vpjtO&AAz{lAYt+RDTfJ8v)qL;H|Xt> z2oisU5!xa=c->8FV=oibY{doZAK?Nv^)X6gAVx$&coyzaGEHhD}&IBU!Ty2+KSzps+@W_ad|>uP?l}M%iQY z|0XUOEL`l$JJ2L+u)dz5Z%bG)g>qe|+$EzD{!g`CHv% z)zVEwPFTNZfbYYG`@%K7JouIqO8B91VsBZu* z#y5B-HI=U~`0M>t_b6dgEBi})AiuXUiw@_yKy-fAw6*0P=D)n^Cvo#R2q|zm1$)DJ 
zM!ZSLd&FI$-LJe0@3f5FYKEML1=M=F=4W-4n|U9Y*|6wG?wmb?0%&u#_6|VY^s_8A zOw41J7|XJ=TEx_thq!?c7WoNKJnOSApT<{%QXArUh#g4eNXC|qIXrSaQbr_n5eLmA z^}{`#t_TgtsVGSbHM?k6FKdZBEUdMsg!k?rD1?Z(;`?h*zxk_-^agKkjhJ!|#AzgF%6ZT{kd}K8ec}#-)r@^x1b5>dwi_ zs@=oLg`IiXR9zpT_u;U!^+LCJqetC#fa_;qm=Nse4^#tiQyrMhLM0>R z{iwD(@zhy0_C^p)gU8; zr|4FyIzO?EzOwJ-T7d{o({Ge7ADJ5W{`sWgizD$5!RPLZ7yd`Fdusiv{7?xPwDih| zVzt3jX#Pv%6v7CNr>12ew#A3zw(j*Ct-8tDHtksnIa9KE$Z{vZ#`}QUUv^>cB1mDP zIOqi-jv6ryXZeHd$joY<3Wk{)9#5YTRsE>=!u4t48z`gWY_?tvgwbDz)^ip@-i5Fw zF^b`5$jHCuKg|a+&4SQoPABQ4E?rV*tk)?LfP(d;dZ37tE=w=FxuSax4jUCtq2beOK5+<^KWb z{kle9fG+cv!bY4oR3QbuKeH;R)*s8+j4{o}h>}-0#Q3JolTYbVA#*I`|N<);RZ?^cyf!SutW z!I!Y)Du@dMA>0Y-9(+6vJG-Jb6B&jhqI>se4c>90-TN(8M*iVO@}Y-_iSJLn)62yWzWZYpNo!a7xIqY#F?iMY9Cp0bm^C2%=FX+7t+IY2lmk_ z^y(1U%E27d1u@IE3cuM6j|RsyBtrR$mQBk~MQsf8#hrN%*ftZ+@dZ%LwjlyObz8>i z#p+ouMRN>N1devz5oBmL1mCGC=Q>ox{?1n4*t`Uy~1I zGIX3#`I}DjK^Wr8la9(9cR;`&@Go+wi%qEGpJ?B0fp7}z=ry8T^T1{7r(6IJz4TVy4%SAyiH^}Nr9)4hWG8mA|p3##^RtBpR0wec=9tJ+HpQ-TeRcy zoCnUNxWK}|LSY-tJiWu@?FVAwKhQYY!a3+>gJZbjA@>x$FoGdA9U~&` z0}^?GZn)&%nU^8yd7IESVyI{=OQn~3UXwFmm;tIVAu^n+%(#T*ZSOzC07@JViMYYk%0^Q_^t8r<(Y+ArKHPGbL%0`$z!`x z^+r%*!$q?0!I70^&nE~d!}3u4#R?!-6UP&R*C=(pkw&1RW-jI%yi5#kw1}1u<$Da< z#ZmNit#7rwgvvZ7*IDW^5<`=w$w;MBz}j8fYB(tP04=kG-^r<69Xw?_8V2?$zz5Kr zbCu6}v-{jm$jN_!mtZyUDB8-BJ!Oa>!sck1aMrDxvPghoP5;p0o5M4)iH<8U>iS6sC#JV`nD)i1Ud|LljZ7TfpEF&=scQXccab!jr@ zhbxO5lO+}WE~2^-16WgFcVk)CF$p`}+0-q?!9U@`us2vqJ%iRUYFxR?;xSAGU5y?2U%d^*92md}_Bzs4t^$sD4B$)g4d++9q|NKE<*3X{KdJ%B} zgC}M@@N!$Ty3BOk=@yK-=^}{Q*pR?Zza9ZW9wIEtvO5Hin&qbG7sc{U28I90XwUsY zYA9IeL!_D+u8TEIXt}Rg?@v*ELnFT!h$suh`uLmdFHn2}2en@}*<;!p^Toac5}W6H zs^9WW@ys&Qwe>L&w6|}=(Y1Yyv(|v&8&KDefXuRHCMuv9<9U_a3iO;$=YIFuv74AA zhpg@}(D5v?sz~RZhv0Vf(?1v8!u|u?O;njY)??5HbSl1MZ>X$o8-IUO&w&1f{weDx zyY>-tuG*K{9P6=Wmh*4d7&dOSl4##(jEnjqVA;_2DVRG;B}(qvFP*D&%`F6oL@bk z37uCN_nE5qVif^Bj4;4-+o 
z+XUAHcY?dSYj7u6fWalW6I_G42G`*34nf`|=iK|w``*9#(R+GV?dnz4wYs{{=md5%ZuhscJb58P%c_gm;J%WRXazr%`1Z$HcZ2*~i5CSQwY9esTC2yW)?556gaSd#zXUI+XBs@>YINrsUTJ%?i%Yh^Z{7BxxWS}`u@%M6j5)Wy^|HeAR@0`wuoeMFhBlgN zc=G}7aeV1jrZGB-qq_;Vp$Jnbhs9sl^1Ph!*3(8)ju>;8f+;3yukWQDC%%{o_+o7gM7#OVb6#2e2izG5m84F^xety-NHl$;0$!<_ZlJIHXb zes3}a66|gDlU(3m&-HuPJ$OZ5S3BM3rCr*nJr)Mlv3-juS!v-NiWsD=neld@?e}xW zr*dR{ayI}9v7U+l$ZP>Wtarg@A)Z5C-4g@9rGjgYjp-&R4Nq|S0K?+x>x1_o$dBTF zcZOXeymJXZu+7=PwjJpCHI%?iZFOQ=R0=2*hz$6(4*RNr7M#^V>euD~_-qIiQbpzj zL`Z9cl%@JliAhZRw%;{xT%PJ}obRwLF13}ckX}7NZ(pW;0$qv#M|xs780_~C$S46h zU9fQu=TM(%!@DQe<2u)Pk{$#>g+tqPmup=pG{_? zs^A>e%U6G=SnrJ3ea+3LENITGypN2`Y2DC$T;@LUR`0=XY^Uzt+zL zq5I*#(|H0#GIM;nha!R?o9c|?yOeig;c2dojac3ak~THeVzZfd`lI2z&wsf2q{>y7 z$g=2T13QBb{FFZj6Cm5_*6*#o+vkwmfp0?`$L-#9yLMCWKzEqDnupo{eak(I?r{F& z{72GnhaJM<-H}|TF&SKCO^q{FNm5e@@{3bFqxdeTgV?a5s~`oL&10=%QI0zx7kt2P zyI8m<%ubij;3-RG{!STo^xo-nHo?cGBv*KeqHn7m$ZfF8oTy5_xU-_g7iyh{u-LweOqe-Plu!Yt8&Lc25d268!K&HWP#s?h|uMBVSy930+KiD_Q8&g zQ?>61QBV3>IdX+(QYX!|a9X|>WFNGEmD(KMwE*+R$LV;4O5zjz#^(`yU$qd}Lyi__ zfepXEe(@H(7XM?WS=^LjB@!F%X7jSb-qmFTENjYTR`EZRmu?uya{e=UH(B8J6cMWY zF6;$J>h3r_U@0@+IS;cMxp5=3Hb2nl>v4`ZXK2YYqVS_`JDsQR`*T5h|8xRAp*@K# z+g71vmm1R=$2BIvwyqCx*yu%bnId$!Rwq-HdYs_?CY`#z=Z7xEUqk9HkFO56<^@qD zZf0M0IvQK~&_&|}nt2Xq`oKD82+S#J_@Oi{3MHMu3jmEE(;BBtL00K+Ji#L64FwGn z90>g$pP}pNU-&w|Lx^9RM0vwbf;ta(3Kwlr4afFb+h!d3%k`+|?cpE*V8O)vzWlG4 zXSSO%u&H<0d3PU)=c12cEl^A8^GHl!CWB*Ss4ox>9GhrRu=vnArl-{OJt_8Ji-SLP zJ2%1Y4K;5#!7-Qv9ct|>kkT~Ri93BO11T4}Wcp3IZ13FsCmW<({tv_cIFlJ4*cqSl0s?|Lb>3W;Qe5iJ3+#?Rp zU|H!4|9o-SZq+|KXhz%5*d8u;P%tfP%yUM5Sk?J-vFpPgEERTqP<7?#dLqa1+?{`C zebX-_KvCy~T3pjXz^AV2a;ILGHr9w>q37+wN9w@=)fmgK;m)x{j>Zx_SdIO*2ZYvV`kAuw`mx{W5<{tP`4pJW28;sa=7xP%2nF@ zJ>iu-c>-G$nAE~oScZD;ShYuUTT6|5VQ#l>+0kkh3v$?nG%{tOT>peR@&Jm)JM;vm zHk!F;W@w0Ql~qc%-+SW8H(?mM+Er%0;~`1)t8Z96kDfv_FgUgGr8SpfJ!|FYfpf8( zG=A=;@QjIrxU>7&I-j5BTf3{%-N3)#GG^*TqHo^gXu|9`1YJ|4%N0rRL#7)5C<$w^ z^tAjsT>b@l^Ien|ckm?_Te7oT#~uqZCwQ-C(EjZM)kN75dp$8KEN#*{e!^-ti{)S8 
zTQ%McL&3sJu6r7GA>$wyS8eS^gAk>-5RE_^Xyr?`q0?iO1VyBL6-;EyvL+at(K0!8 z!=o$YUEBO2kM13wlnLDrK78kj`;)gszDoDx1eb6s7A>z+B?4`kb>~l-#P8idd;pYTil{fOFeCL+Z3Ue_p8`xcM7Y#6^;|tbpr1`EI1dq4hyad@z$1 z#jTwYX&ZqOXT=o}Mu(y7*hQpao!auydLa%tOsgdlVedi{j4(8H@uSSy6}FhM_iw^B z;Zj7u5XzQ&u8x>g91oHqs+#(-X?eBD@r%epP0Apnl%iubc1g7kY&PfdFJ;J!B0KfH za<3v+j4&l|kI&s%yEZV2QY>^K&`P^^{!C}eH?p0#f}(f~mb}2vYWk%cn-)`S%;>C= z)@SbN2%Uh)z)ro}fENzz@sg(yj5QP?gihI?EL4VQGk<{#bvCI7Ar7dYC1){>AxM0^ zDOimA_Tj`%5hR_LjsFb+@CO{FMI!~d|8;^-?OnRcRpQ0-oe|`uI0$%_ofO7o1LTqH zU2`*E6OnJ`*@0mv8bk1}gvX7R>Yg}+u#iF&C%N9DQ-ePl08Ll;^nl=tvO2o zd7O>MGMEYtwA1H)0b2kH9rwE|!sC`^AwP9&r!DZEwE&q>MPXA~xN#JyOseFIV zLbWnY=wk!fhOCKF*>JwK&^l8zog}KDc%jXi_?+jE$6pW^Z#)rY0AuSPlkn3wycwBW z8}7wp4;hSa23>s|W>>Fswt#Q)WqQz6=CmX#A^pc*9Jr7ZT6&%f-$XJKKufP%Z z-iBdyMvZ}pTa)8Hx~?0@#5AqBS|MdRsFL8M%PAVnaPt;)Z9e1buaB%W)8_v4T@+y{ z6d&&rKlEy9HZVYiig(9sDs_L7E2ptv?%Ivg9_Q7}D2z3qYkQHkgabOwDH0heM##3E zEV!O}31uuV+K%6O@@5WShI+{mHL$8Q*6gusbMnUFFN74qy}9cBFN7rHV0s-z&>83MQV#EyMhPFJ|(}Kvn$#@FgdiE z*>?w?(Zy&0lTNUQsYxiw4eu;@-g{Ee-*o>RAgW8Sqlq=QP`dQp%2MoJtaHHNh-O}* z(TlTX;BB7}9}=LbMCszjEUk;`ZdQk!VD1ZgLIjvZfcUY2Q;eRR$7(5*mxNpyZ->f| zDxZfhs7&#o7+f(nobq@W5-0JFk>2OS$0?I!ahaS+a?+KnnGI}UPFuyD8r^v&H+jVy6#yIR-0VXZuD zEkDi{x5E)6eApIiWDQmFNiQn>B;sfR=QIw4CCS zI?Z(#YB%a~s9(eggX=`g2;wtZYZ2(atH5-4=hDR8TmQAbcJucNv2g$6!0w1eX}@S8 z_+bX?c`N3^D5dQ^`6fV}KvGW+=WP?RpMFgaZ^y$a*PzF zSH3Q^rp27o&E22w*|C95_yLa>v-G)XU`Y(bKmbTY-8TCkRJ`Uani%Q+-qR;b1qL0! 
zW#B%E6eT{NO+(Uca$qkNE%GH@9%LytupY<#cplXyEb^-+xxP~x8$DTybaismW>tn( z!dx`AKECspE;MDIiAwna;e$EiscOv~Jo1quTde(AAPL36j^uJJ)fF+p6b@K-NI)s0 z{r4II)1rwNpgmwC2y>%0tyh`0cmmC|;Tfwwl(y~0N6usk-=t-4vvwFxF9Sb{l#?82 ztzxvq`GWEViPt%&R5nh1K@@5*kC%|}s)s4FMC(%LBpQE%V%QKyxw;9DD(dZI3X?{r z-K3T|P+yI%1BRK!T^P{Ih2(gkxH7z5dWnC^rMVz6a$VFBOfUVNH?2pUnT8u-&jMHY zVW^)CM`frl;68bh$t?fuOYWqIwjw>kC4PKs;6`e-gK|ENwJ6<)X&fs8Pq3^J_2sgN z(5$%}{ZxzE_|EezpeoJaX`Gu)444fvlWvk&t%MWEU}^Xb_Glm>PUo*D;46O*A&2_7 zU}auTw`wyIk@l$>1`@TeCGy^TqF5ixK}3;W_TyeZdsf)9fe0Ef`gwCnaLs#AXC*EJ&>#w(HGFI%9V?U>25|Kt_iqx1V zqTqKeut0FmhfuzAttm{ z-kF>YM@8ui1z>KaKoz`tQzZcG?J$pmsFm3%P}|-EH8>+Ax^KdAqga&E?d{kn;|2v> zBuB@H4WMN@FWw^rqt_pb5g!$>15?z*bVc~0`8{#HJJJyzBo;PGEKR!JH5?n23H;;K zRJ}GOP^^#)xZ(zFb>Rh*U`aG-;#JYTLyhC1sTd@3MTV@^d>LfZ+-lT*P7^_@qadWW z+=17Vkz~jC2@7wFC+1eITh%q@^!#VZQQi6(B)ydMyM|ms|Cj)K6aaLnBw;TfFfmX6pG*8TiCvHh#y)*=h=Rgn~ue8g9zMZ}Y{J>@zncu}DO0uzNS6$K%q4D#*~nNI07xV|R`9 zC6vs&7JOoBuHYn#gmSiyNPCOHjGG=GCf;$A?SS81m2`r;&u~xp3PlK}n1O3|Xh8T@;>9Lchn1k02ysHvOh>hDJHq86Mee7~PvaZCr?H`2 zAxzFSu-b^QWPWL;hN#E(AP&Ews2_Dz%f6d?KGuf;@YK01=0sLShF9OoAP3oCc&wzl z(C1b$Luk{Wwa!$>b*b6aza6k?at;NIOYZ{|pj06xu1TLe&^e!?fzdvEcES0k)7@gF zWCN)3qVQ|PDVaxHEd5I$*>^W4>5+73#}1mpaQ%cLg0T@0age=Z_U)<9W{tf`=4+dX6QKBxJ;BFkGRZchnGdqZ91cusum2mvPez2-mhy0=%fu_{|?xh%5 zOH}jGziEoaM>7T13opze{e0`A0boH3p0yNUAPP{7nAfV%=f)!zMhbYL(%X|s8uVR& zI)NpY-+Wynd>oeT0VOPG4$8MD`Y~hu(HL=&>AtsR;n=}}lfB!pU*@^-@*q~@Ezcw- ze#As#ES??hARFy&(y5M?;XkLLC0;ioFb#&Le_Z;4JOf|IdbHc!3QM&@O=CoDBvC9B zpqS4GU8gd-5<1NZQ^YcQb^P(|tT*OWMf9wC@+epX&vjW8YZa@D`T2xy7dJIh*m%~m4^5gG(6W{&}Fx*%V zo`6%C(1wBK(7?2`Y%nYVW>_{|Nqmp(v|QLiSN76nJ}d%!+@t;FmI;J};2u#>Axdn~4MAv(lnjf8rA{Pb|991!0>8w1}a6sMXL_6s`AMt)fbtIH<$gb`A^uG~1W1 zpL?v^|3i?ym#4{(GTaj4epQ#|%iy~u^Pse{BD;w%%O6t@H<03=R{Blqq-nQ)Y_K7W zh<+O(u7YGEG6!*fLNMnZkwA;9nRoeZ4D^g)k$ssxZ+EVi!lxiKNWJt#)`3A&^|^1Y zr}5AJ)vcTm1vxphnp1uFKe?iQxxVJ7fplC&UK|4dlStHS>u_eKm~5qC{&1UR@(b~u zW;ij6-YQu6j%ocfeczKFGeR-#%;SS|gM}oX#6jZFg#kiOVZiQ|BywCa1|!5be?A%) 
zuHOjSLr^6op!@(}KA+Gz#3Cf)j@HM;^0okm5JB*ExG<5F=eyxM)t` zInRh%0mr){cWOij9xfLp;Gnc(fGa;UK5HBDnts-DlZUZX8~#0T7fruy4QErk)NDX;i(y>hqfzxgb>2Z4y4ho9$JeVoXr7{IfeqEXNGIF#rN#OoOX z6b_2yE@8bx3kHXOQkX(QteNw_OP+`Oqj3S>TGsuiYX_j07JIBN@fR&<#DfNjHf~3I zTE?KkSi7y`w#q}R!hrl|w{A>TJdVHRRUc^={-GGSE<#?l~jk9#xmRdN+kn?gC)pioNwJNT#q)2J*{tziDfFKxb7T8Df5WM5CF^d0rHL)$B9UEz=NjCWs5C|Bpv>e$pUTd6HLy$a6-+`<}LYU4B5?~L(szxTqJ(Crs=YxU*9wwGLQQ;qgq}&^(*A8UhOv{<@dlm%62@ zqNKv+)$n8qxSQDGr`Yl7prU!(ysrn9jFtyy`)TZI8N#pN{GPw2gwcDc@R9H(nKJ?} zfuV?B)EAtIbvpb11h`tB(}kxE5)vc=HQ0hGI zbr>fGGP^w`zo3uCFfOyDmuQ17+bEErMKo+Ts;0M59v_|wP5aKV9xfwOReJx~Nqq85 z5If!E1OGEg9Hfi2O)%%2y1jB^zaN|p5&0mhHQquG`?rV|KlHDUHDmZC*OmrmMg!+j zB?K*!@q@7ZR-P<)ll^s~QqL@bInnWc4gW@1p?H4S3h0yl(I=iU4)HtSi;I`^8;%QX zfW%E(N{9KYzVNJd07U{&IrR18ZayG|Ahlem6CeD(qZCJycf-A7Q~s6@u9@K1WqtQ> z7(q~e@sHzRZjVsDZ><5ddS3?X%i*#Ve;IyZUD4B9;OHCJ?|llLowHJXci=I*_TbE- zelO`Tw9WCYX=K|kA(Y?;OTIp1^9MC|#%>GK1@QOJ>Y9|9*2wxd>9HvpUGvKm9HKmX z0<~xO;hPm!&b7-$V^3c+$8!Vwm;>1~4H^g#%6@l^JxDEhUr~WMGl|*L4#RlN&@K-e zM`G`9d7*f5z0raj?4-8MPDJMG>x(`+HQzJne`Wv9-HAjC%OgKK|p^mkCuVAFN}Vmap&n+|R; z+Z1JjK)0mC+C-e_KU`QA%NnVY=Oy1CibaqW31E?H)W`&9lxsj2>hOnLBmI|L>wN`2 zsQv%r43${CSfl?lu4BUYuh2v1sI~?+<~l|=A?YbE%PQ-STeOXo*q}HZaTgO1n=_zFUnwDbx8^b zs{TUZ*z)bnpD9dv7~Dd|dO$*l>sgl88^9PA+&O17KNsueb1Ga29=6bO)ESc?0}^1*L+a%h=m)O^d5PROjweH~Z)l&p#58zT&_ zr3b-@#h-~?e--ou7@m(FL5na(g@ufN*`Fbt&8dpRjmuLYohXhFa&CW;7#s6^-Wn(5 za7zRGF|$5qw{-dCbi-RT>XD*NYl-iZt5TR6zV9h{@OTS~ z@~f(@pLG537!5f}2v_~~c<$3bG{=g>+PN0%d`*D^)v336PBrGaZoH<&&0a~v=ll4{ zZ!2g=mK0Dr=I99w6tbOTG!Ne7(}wZ+(Hg zWHl>2uN89Q;A;vpD|q4?(~THtx$todviHZ6?*Bn6Av9+r=y0;9EVhgdVivZ%JtTem z%A&4fjH_Rdn04Wcu3sPqQO5f@c%|x=^h3#cKiz0qS&H5_9Egw~WswEvMV@+^>O_I< zA>jyUUe%OMw{zjF248{nltEkdAoe%Q^f-|6Oz$?L@Atb|B*b15AE+xSBrM#oI?fJj z8z=`RGhAvtt~11wzn2C48glk;7aotd`xoLY<}Q6pl5eVYniEJeJj&0P)Pa=tebF|Zbc+lNJ1Bl3zP zCml?x&GB05wpvWczps`vV5FW6-e5IsB|7qT_$#$}DrY0OH8a zsxw`wWB?22;b&szT?29pK5eqNK98{cHkgpGae+wT^C%XI0kIkl9Qh3voe&8wm%|!N z4#L%_H>=poNZqZ!c2{% 
zh9d0AX<)9UCP~q5Zip6AWqRwj**(8;)~Zv_WPek@w~fFheTg;0j0ItV1|r@r-d7z~_(}9SaE)Jc#@iiwt)mR}{4*lOMd=johR3)33ho57RL7FvLfl~$o;9J3$J%k2f<(`#9mtJL%0 z+w-qCNP{qERMm}Z(zop&raY=1W-6QgZ0~kX*E|#Gyl5_nw)pR#3}c)%zuXMT2oduZ zEOe(YKk?wIkh8=K(p!4PPyuI~K)=~=yx#+$H-MGlSIw@4AG7V>(8Zw4*`6?eFA zl6RQ^+czu2YS))NVfv8sIcq2(#9_2$N+xONOCk4GZ|*pMa$F}QZ`G3V(nwUSc4oBa zRgkt6MXAj&&&6Ki;~;M?&Wh{{$%razC!IHfeo?)Q_QV8WzVzqc;+|Lab9{V$J*oD2 zR|+wrbVaj^GfY9R$Mv%z=AroQX7cTs_3a_ta&-1`R1*8)c~JOuQ26co?fUcEiiq0k zeclDd`u*8tw8Sv9pETZJjN4L@#PqZ$zoQig#S2S)fqw}v(muP#kr8eGnJ)()83>#H zhR72oa-&(4!a;Fi0S3;+T@$+ z4WGVSQ|j$#XLc(gKx6D7eea3u@dY;yw>M^N9WB;0=-Eyc$NOR>MV5S}LYLx0pzD+o zN&rcj+m;j;q(|V9oOc)wCtl4P0@BQpFI4!@&c6JI6ypMLtniT9@De~Z@Q||2AK6AG zw$F|iAK$APQhg&^``*Jxp#x12HE&z3p9mQe)P?!3hkFoDX+A)YA9xhcwsvoHa;cnr^I5;GAf9mWlL7VO?TjYW_*KK2O?5uROm1>wp_$F z`b>V7BcZVtKj=84n!9d^9w6CC&u2W4o5m&zs7T~*nk zhc;-F)0jj1>gQT2RFNj0VeUNPnd6Od7#a8|Safg8fIXz^shRrQ9Mc@{M)Y)Lacle! zPG2dkMklTDjL~Cr?4r8)uO#`Ti>@r(MtkWPWu%ky1p-S}40~_LvLR zzgdwf2k4wXW+1_O(_?(d9%kGdofw@*<iwS;U^K39-2sX)rv z;IYy5820iAcMvsRQh~IKGc4wu)&aU*XsLQ?LD0X;pJ&v?L|>Fwxm>KKDy#nPw!~F1 z*WOik|6KUREEZp{^!Y1e#ttILXoqK~P%NiBD!c=wF9cB(-$#`o5X~ky52ddzEcsai>N-QOzqgKSk44N6$o3IiKOCEX?dao;l*yUfBw z1w&z~9VXS`4;1u8YcYH=LjP9Agri0)2EUBizTR%6x29!3^-_cLQJyr0kn)-F4DH05 zMb@hOt-PuPIvomaUvW$?-2{BKFG0i4j)W%QW7*8uaBej!6eD)r;dS%NAg&W+w^rSI z|A50S7{l#0CX8a84h_jCtwgX9IhX%qL{P)x$hEF+{p6+vO%L$3b}Y`ASiFW3Y!o1= z8vTlWt-+-SQ8Bw~s$7Ex_8ma4i9BS8a%tR($SUjD*c*)cbcKU;Y)Rt!PQFq7r^r4W z%!n~;qNfmfjBNQUm@x>kw2w@!`U#$e5d2n;F0vK$%Uw>nxaZ@W?>1EFwwM8`x;}aJ zLv=s3uh`H&sig$%kI>|oY{WNAZee<&@&tB(`qSJM>i>?PGUo{(8hOikz_eEEjNGhX>1k^^@Nat=HR5LoY-p} zUj5S(Ur_~DF|>DDW9|%A)`q0Lw;&`(M=d0FDl>r$mXVi(6ptQ^9ElffTsQM242Yp2 zGW+7!H&T_W(nMF;Aj{hz+_Zy)H*NfB#-@>Iu|ReevUp&O0aa&PVmON4KA8MU=B!bO zHfCsspu~@+iZSJEBu|q=@icf8BkUz5orm1l`85h<_FkR0Z<`JFgBt%-kkZ#-4K*22 z%7C5^TMdD}2QeTOh&reeC7)(<|3lu49jDVgigA?!CTMuKi&{L2l$PCaWz!*zpB#ae z>$?xq%GhxUv)}lFZGLMXQrdbv)z+GK+1t!ZC*X)S|@b}TaG0#<0PY%`0>Ftd{6*^U0?Q#h!{aa--=QV6xp6b%w3nMtRW(KB|Ns3 
z5Zz#~T?BSNREoJj5_b=IVUo*N)IBJUZz9cfFf=}@va{1;m*e;EBX&kafQE7l#tuKF z-z<`VkenqYl1i*Pe4mUA3{`s6ZhPq{mLsGBu;%ZOr|R!BaV$qoMSj1JhIv=_!c>I0 zcDcOC9wn*!%qusD+Rf0{?2gS4`E6Uh3&}f>Fhb}M(O*rPJZekV%gjisD}ww*EBTXl zp)}DY0gs*~3}p3bz8L>Ux-1m0YmAsUGTEsMcd0d3JvK1)m^w14*Ni(I*8y{SWMy!{ zd39dLmal1_j28-JQXryx^$=k>xEPi4Wg-WT31|95=XNBNj3d8=J%t~|B%w-)3o4kK z3#Jn-@PZc6f@2pkppU&(oiQ|7*$xPIRT5VCs;ivsj%^~X;ebeKd`{3{{gLIY0%BbmPBvtI_6i5Hdzh~}5Kg;a#bLx&I2aIAKo?67 zJ&zC?lQ6ejEa@K%8Px$Z3D=29zagxj`%wm{2?sI}rXb7}{RKX$h=6ZYDOIZg$uTn~ z-ie4%fmx8=%3@7NGdku;*(bfXjD_eVdjtE@s+6S6tA_;eDdoE+XwkpwABeQa)elm* zwI#hcK0K>qGmfEXsxMW_O@&e*Hl)&q!A|;0q`PO2Y9{Ae;mDR~!yLvE2m`}-Y@=0R zM*S`Vf>fcCt1|U;G)MxZ2P)!)Uz7QOSNA?Ja6unw44sQ{qoO!|QgV>qMe1GB%}% zklhAzFLpEUfaGq@C)oFONuaG-NK?l+He9wbL=jCBca2KF&f*8SxXa-rv*=j_zM{ow z4uZ5b9R^`E;2_9TCUdGAu&DX@0x*4gw%2zUs!A77$k5uh6 zPKQ7ji0V!p?A?~E9Fp}!;Vqz~!W_0AkchDM=)Ve8LYPlJ4H%?Bd4@$>4cV~RiS?3) z1WhT;e&muu!nDoT>EEtNG#==uRmPUqu)cKr+Cqje-dh!N|6-a1ta|S!ndVsUfF3#N z8cIuO@YB3z>$vVIHyJ)&*cP$qL*Q{{ze)V|vv#E>PUmRe*z%;3hhmO;Xxh)zqd@~L ztP+MHkNJs&>r0bIICRK_lN~9zaN+i1*)&koCJUX=gRaRFJhqUA4wUf~^{PY59;OFP z#>SRB_}EK~)`h@?ew(xwtk8GSrkZZu9^QIaquHg;p%3^p=};0V>efHV1Q~W@;_O?& zDOMG7mo0d7^P4OH@D9thY(Em>N0Ik`Q3in;eTP;L9tTsPag{ZUCAf?zMoDVYN5*D4 z4tz%Fl6}k&&X+u};`*%Z0FFhlRUFDd)IBj=U(D7^L4`I7Xr87S=g;0yt@( zC?oLA!EF{gZ0;thWHH{hHZquA@JbjQ2Bl%r%LW;`#E(9So#&W^@}qx80L+(x zd4wf8=r!t?pNe4zVB*h`-MF=4y+OPI88-4)?jDg?S$DsbbJo%nA*QLDR0MkCa7Yxc zZ-h2Wrafa{DSz9*6=CA7_?M%hHKD^qNhvvwMZui@60&d^ZaVfbO3pdLnJQ}ms%=@ zS5?}d;RG6+tgZj>4vBt5iPBN~Q;3j48INL z@5Ro8&dcamy4Cgampt{um5Nc`N#Vgkx>3oc^lE>}Kb^X=XER;89|Sie%+W6I2X|Im z?V^cNEoD*>fqGo7PEB6#X*|^V7PyxkgxzluKjHt-U{lU90^y7P_B4}$Z%b5)6r6BnD*E6|Ja-J4X#*VKrgVm=s4#jw zTkjn<0Z!a7jms)iiil&alZi-H*{*G*klh$3OXQ>+9s}E=tn}G+Mt{0@6<7xLN_=9c zkqfvsrE5*AhpG*?;A9_mY`3}t>~CHxxQ`7tVCVRMokC>dem!rJXQoj((RI{2Tq!=A zCaRPef8T%EvK|Q7*3$1~^JavNHfy>tl=@0@G3G!Yw!_20HSBmJ+kDDFY{lZn3{~Z& zn8DKzJ)KD11w3aBrFasBX$T??mfGs_<4>>PP$6>cpj;Xe9!x%N6H3KjXXx>!wa>gW 
z08*ah;{7h!e%Vw{+0sLD!grDN^>0;D|7a(BWErOLCAuhwuqAr%&K2QqgclGfV%fiK zj|)9F6ZJ5619ooz{U(95Q%0K8LO1#1i6$qFP=v-E4_ehV+|)3b+k_%Nb!oRj&`Ed- zew-6+>qpdKuTJo9R!_!*GvNgE9dj#(U(kJXoz~?qqpZ7W@m|-~_m;7fGu;ySdAOJB z0*=(2dwg<+G@DS5nzTera0m5$AwH&28T|cfiHvu6l;%bQ>M>mflfQj^H0o4MO*G~` zR$n5}4Fnk1xIi<;$sP0HE0k1-Gd$9iTd9P8>z0g{B%`V7qQJX@=7$#56pI=O#Q+fa zapCADIaO>5okvT@%0Svy?TzRv@b9RHTi1JSe0He>on|gF_$%w3`?)+j)s9UWRQrc~!?OV{`a8QUyF(*Cmw!rAJ9C;rMZ;hm=4EP$Tv%X2I2y)3jIFR^xA5Z@7HXH4|!kD1h;Y9$6o9O-T8q8 zdrrit5s_vMn~xsA|HET^l=VEv5g}V4#TSBP_8~WM2y3p6=Zs&!jMdRbkx|q0O^;_d zX)NZo_4$z(%*)_A`3R5nM6gG#{wxv;)JNJ$0V=V~@e&YPA_vaEwcO*FehPBv?}7UM zmYkd_T~nNlx9$VZJnWcDImAjogNu=nDDBV5|0_h(4&>P3;72XZ)!&+lYlL0)2hFe;Vq1$jQURfsE{eWcQw3}>DZ)@ zOjCh7#Gy%tR&m~L%kA#A+sIfiVn@pb!WTzl#>-iuKj#=pWlh)`7k@~I;q2F0 zI3xLgk`nO-R~26Oe!l(nFWC)*L1sQy$O$W<=tAt5LY-Gv!7Wc^<0A1~89T$1DAh)v zcXnYghbOXM4NGf^I|0*Mt!_D{)hbI=lkY*BbJrs)55Bu2a{fSXTyr2U zrGI9aHqzLCJ_Po#OWVaTjTaz_VDahlto)&ArZY(#JQkZ$K;HLDz<*q$64m7CPv(rB z7GX~JSnnSOw(i@Vlb!hY{+NwFwod#%ORdHk$0fQnDzi(~{;_n7LXiYu(`dDA;{NNH z%rEbgBfSwChuEgcQWb8(64rPAw+A~RB{Uy!%~x|UhflqhBed}`leMX9lng7d=@R$d z15@R%R&xjrJ$+y7Sr(C(0MO=4EP2J)$__5k`Z=X+}-m9AZzmuGQ4D(qa`#W0Y&*-yr`No20WB_f# zAtWVutO-s>pagUSByBWIz$Ak$kN$O)RfheFotg`Haae(`-qQs@BbgdWNb4sDfVbzWxiZ-z5x&Rd z89TBja9>uG7GVlhV!;KwrA&`J`%iNrnWo2znWv%)n9|yWW4`_VdA=m5VU&pOH$pi? 
z^l%Iu+~wtrFi_doG=)4 zxo&)gfl@4$b(|2e(>xAS0%w)!A-bY(;i2%qJ4L{K*)9|63r9ZR9g}^N)KVxWgz8`| zzW!U+^5|*Rzy0T(dQDR>`C)&6sxD<`|&EOj`YTHv_5AiSv zaFoMfBgG^`NnS}v3@3~Jbsp|VHlcO(LlmfHDfj8wXQ;1OXH})B5f4&7Ak6)X>YDK5 zFuPb~ewo@9QVGfZV1Mo34o3@Jb6lFs~;Zz~=W~VQWAal12 zz~5x=k$j;pp^4^B#24o|dz_}5?~Zooue2sZ7g8oPbG_vIWUMsImR1V4(ARZo3Ux{f z_@%YTW6eI_Ye)44E;z;_*i2n<`E2=lpb~P_dOE3q7yliZu7s`!o|Yj$YZ$Ro7mx1e$Ih{rqI8Q) z9y&mMS6`|Miiz4AZ8Qr)?TuiU*5+8?kL;@x)&?aEMMN^$k!J8xCsu~9(mgLbA_hSJ z9#$UiM73v=r)(_q0#Dv##mUGczX6)vWC>$wXEae1$%J~Ft(}x z!M3uUZv2cN>T?43(xr8CD?Lg4z^{;zw)wWGj^4T&>J2xutaP7`%dl3gsa|(-%ZyIU zxGLu7mJU|548ekqps+7TeTd9q9tuJxMNJYqVH=|xSf5XY`yDU#h=72eqy(KHQdmD~ z^OK&oA`BO~{PD3_Is3y?9+vzclO3z_eaKIcB;lVvffg3!tw98@qGZgHP+e(iP-R5R zVZTX5IAiQ5*%M00BHoNu9anb`9+ox3AXj!pSvF22HqG@a)n?n~4rnQz#2I)_7YL@-=pK@=C2q}r7I9nrQgz;7&3P6XG1Qy85m&G2 zpOxS%zH0~@7YQmKvu%1QWrfx9wPu1%)sQ=NA30pQ&~Ndq+WM~i|4P)gJ#JjP*p=~u zO^W9SJ_e$mI>tuEdZW2e|BZz1Y@(yEZPe?7@6TiOjDFWz@}e@;j?wvb>V15TknHbl z#udg*_2o)r;4ZwwobcFy47fK`@A+|Rr=KKw2^jbTT+;Vhy@YQ zhc>}{r|&v~SiZSi3-i3S%`hVJGu)Fn#S*gnqwnE9XOQ}7`> zn2Em%{h1(oMJwNes|Z#RG8If87;)GK2;p?l$ps(A!Nfv`YlK<>5 za(qZB9f6Ow`-hv{F`BwrcbwkY*kaO$GcQyZH_~1(6_JdY^1UN$?R=Yk9GM;aL|RX4 zHq|S?tWBEg!T_y>2->pfDyiYk@=JXJ3@s_`AUS8oe!7>@^XWh46X$| zL5y-aYuIV3_`zhexa>o>ex-kJ+M#{DT$+sGto%OZljLXUxIEXvedx-HQU)v}mX#m68s8Q*r>mAwv;*&1RMZ9Q%%V7A z)r(Rj0I*^TE^{=@2_21JkI>Mv5ZFK?$3(gpGm%=8 zv^fHL2<8`zO30B7RZD`?P%u|uA*6k|Q!+x_KJvCWc}-iW8u1%(V|#}(O?AtF8+YVk z*`3lAQYFdJb-1JZIB)MihG_YXQfq@SIgG7<2{^a5YZWd8VtwCj+cMm3x~d-(A_r5q zYF`!1w?KjNYC$&AHiH6)PSN+sUrnp}O-umXCCqQCl6tLC{9alYVMCz$<%VrhQAx)h1!!w?=+`|Tf^4u1r9FrL+r z4!on_)BOC>^*Vmb2on`Z@guRMb0ooRCjRI`OpxVsX$F4h(A|G=@({>P#q9 zlmFewN#l9Cc$FnQ56W!=R}z$ny*rGq!ggFVWz1jtv1cWk@6!|O@-CZhv$f1@Y#y^S zxLElAaP^jPRYhC(Fd*F^-O}A4-Ca`BB_-W)=+abk~0$?|tvj z=l!4`1b57}_FQv~G3HoLVo}A(A2^rYG*>kV-P6b-yR7DAh$q(o1w#+w5y@cM)9L8v zqKP%cMD)_txY%x`{rQx-3=ib$`(*!5LjMn2cUO=aj_1g*={F5Mo6$P-@VeBhsvu)yHiF5!wxU@O{|8G7Ic)C? 
zGAnENv-pa@RjiTcDM4LUr4Q!xH;oOTUyVzTV0^Oy51LSOCey$~P$qX!fw~IIuaGhH zT3EmNR+)GBH7Au(Iue|&rn;nC!F|rW_xpJ;SEm*#b;eLV7UIV2$M+u|64|KMh6NqF zD@7=@Z^m%aLS0@9gnGG;_6iMFhwnJ^ovh(2P9>&VkArfhG=Q?hnx^^JVd$iTvq1P0 zCegLq4-aBBND4K9ZOd#Gs*|%`FpAqfBVi2&mog<0z;1r{#Xf75jrg&`fW&tQ=$FYl z1x}z7vyIC0)Ho~iomZAJTs!^pn;%z6UWnDwAw2A^uIeUTi$ZX%K)K$cNkQ$4nT}$` z+69zUuYF7uCcNms>pg{+oYna}4}7wO-G}o=$|uwqUGt<+3d8M83{d))TBLze?~IDv zw=8#~rav_{j@=cogm5zlkF(XqkV9Q2zUOs>x3tT z%os%!1rrM@g`s_U;P)_akZPf*XN7Jk9Qq5#zhfk2;Iz=SNllj22>P?eh!v5MwjDU=kLx>lrM4~9#$8w*GvXsLZ zj+Rf~OsF)vT)jrQV|<_c>=?+3XT@Izr;0appr`fvOem-b`E{#Q@t#w|u+)Hk6$)fu zC3dc(EQS}?u_+B-ezAsT7Lo6mpDsZ?Jr#i!hrl$)%mp4y=i%7!`!zX3N4)0I8UhBI z+vW#sQ3O+v{0@;2`3M>bXl&537Pl}z4U-uMI=oVYbhx!lirK?oiy2>!r01G`i?X`z z|4W5VIt76QtBKnaUXiUk-M?A!K;2wB$~I5+PrX)Pm9#o&!>Y)tO3L@wR%oZ5s`9&W zIf0vJpf7ok7T5MD_I~UvvcV(I#@I1ReVBqUb>N47{dcdJp~*i0(8hD$bpbFIB2-om zblN5CZtX;~Gej3U+xqyuW`++v%)wSC>?sHtzxVKVSdI2zlR0mqdW)#Vc|hi^9q(XL zhSnzX?Vr={VV_7BUVGy+iMgQKMiFLS5+C-PTzLFjP6o1hnUKsfL8*|LS+<9VP}cRE zkp^KRQ^T@vz727AY|z=LOYi0YS!B!t9_Mo*IEYtf8Xwoo7m@eT3NOv%n-$&bg=n>aA%~m>xY*C;B zaCX|||7r?q{F$j_I_M}t6|VZ1oWU~34d*dsc~z~j_TsXQDJonfrcMm<+%8Ox9e(1! 
z4n3ghH6l1H0tqi^eB5;uahm(a2(L%+vGkJ0Os8OLd z1o`j@&g$eeaL6$V@Y4Nhm-+<}K<@T$D3+@W`x%pEoy&dd&i=D9nq1>s1Xzb{o{ot^ zIUA;PD>SqY2?RaaCI|zrbF!Z?c+7#Q23mBE{3yj1zs>mOz&K3eT7ETRvd*>`4a8co z!I>Z~Bc;G&^>r@1s$ErXZ#*m@K;({@g1VF5RSPyj8VHr-;ql`S2Xnb(?Zj|2r@pnQ z$-faK_g{M6eixg>!8Z3DIdVZg4Xi)k{#K~2 zZ^$5h%gJG<1SW$aq=yz2=6x-2iVEWe{c%ru%#OZj7Y(xABkJF;u77|O`^Hm9@@ISGf(&J%E6RHj=ub~PXx z!07#^GXnXHlXi?*-v50s3F>!BRG_2E*4s*G(CiIL3ubQvFHD*u5v5bxpj0bH0$n}J z8<*{juS3t<1@xBHLhs^na_b{%J`=DOJKT29W<(nMbWQd}#&7_lI8KsippYwCvtBjsW6lr*^;193iMJR)`_80>s zFgU(5O{a^lIC>oO?xXzIl6X_Ad>8F1?d(D3Ui-hEO& z{0V&0SY~*gMfMQHB{VtW(%1kHT1t*!!JPuM zBZw58qy3_h`i`-(XF9yxJ>QM$2eXxpiqwk5$`{L*Q>iU1B)JgiiYya->b74Q-2;7C z_FK&W1~L>2`at9M^hdc^@vs7I`2d*!HHHR`N5)ThtApiaCwqj5P$7T}$9A(}H|uvge=& zX|N1oVqBIeGnrXwW}{xLI?)9&vu7tWp4KLu#~^C1t6@;ELVPM`*gJEmq+LHw!T~ep zz$8Rxm%PS-qGmD6Yf}g9WX(|FmEjO~xk%Mn?6H?h?%3&E($C80Zt2skWkSYQM{g=e@ZBMSC zglY`Qfbq2&Yk;bKT2ab=^->RkcThEpIsk(eO_^Muu+G<`?0l)#or2`Q5I-F0dx^}K z)7*dBUtkfUokTdYYF#v$v>xqn8Z#N1E@w5MWavTxttLLmV33hxI98`Hn8I?sTTA?N zs>`w_3jJ%>WK0JdFG0WY`w)L;-e%1BnsH>))o%dE`5#IL?BTv%@4hYwbI`T*ywN@( z8heoz6(P5_0QG0OelVB7-X9bFWN3LSF~%n@C5|adrnJ>qtas=^9r?kDpk>T@xOQN+ zjPA7+x&f`cc;B`M%~FXpuaZPmF)X4s7nYcfaVGl}$t{rLsX5JZ8GpV1?-%E-VWnPIIYP;VkKx2MD+-ms`8No-mjM%%j9{!u;(>eY%_cz2e%MkO7+&K? 
z3hC|5Ee?X716L$W_@9q_MC>4@;?BRulzSJS6y=#1(r4^PH5 z+kP2cUa|P_JskkG^&y~kRPsl(q~0_K)A8S}XGb~{xr=5N8K(pY^&cJrUaeY+TJbxg z4-d4F#IB%|ZIAtE!5TZllxf7YAWeZz=55h)LRI`yc0y*%d6q_2sgMt^L#w*8fRY)QZ`-CkjWq{ajziTFk<3!zQeJ zGgWNX+E5O`Ft&kG91k-_!;6MXggYH-B2QB+sXUm`- zd1asxnW8#!(R7G!NLZ|F#_>LTc3z>JbWhTHC1*?JiLGhzJE%Sdyqm>4u zOFVfNv)0^azADARuHTsnJ(YE2-1C$(rdoY=4QVhHpbcw;7&VF_p7Nv1hRkovf64rZj_DX06-;+ zFpCIZNQG$Z=A%>uR{;uudnfa0QQ{)U2Ep9XOzL%c3Au~b$))lyFI>Zw?N>!cO!9PK zD0PJXrxPm~;L7eYHhE$l0b&E~=L1*%c>0+zK)1+~FeL$Wi&&7492v>qPArk)Lfy{a zTu}hGd}AUb_Z$qC54nDhMO@+>EU_z~j54E92h4p_0(DpR`X4p?Btu}Qn@XiC{22Hcw`94WdKyZGwDI3s+WRwjVmf| z7hRo=V~jyz312L6ujL;ac<=raDxYKjOQ@(Y0)&e2@YV9!a@4s#Kd_l6qVg|~npATD zAb0WapLubRsUbAUa*;j|xj|H4^x_&MxuS!~fiRVonM~Iw8wr)IFSN^HWVQ3rOUQHC zbWYp^@zke$ZzCL6R1(+6-k@;J5S(R>`##pyvs3EEr$z!*S1yDyQ)~i;HIDEUDsA?n z#)9vdBmAU4{xEF`TV%UqS=RNruXfUrZ(Fhnc7T?pZ8jSsvf&Tw4(IdtmM)eKS6PSt_TQ20oz#L zb$*(Z$m{ySkl^0+-Qh^q$*0yi=2*GUW;CXd5p)XM85S}Er$Ff7A=LJ?;UJ8~;Lpqm znp<$z?NHjT6yZnHafrS{^X4#Ov_dj14oJx6|6wDpXI*I^`~tLT?~K#xCe^HTP1(cQ zv;I12t>!y3vgnI(fYj!I$I}0)N}s3{y?f)$1HFkYhI)4kmKGY^*dci|8jS zFjP4#Dqo8wOUAwH2FzMCQcRCX8!S!<7-D;UIFo3s(sq^z0SC~sSc!CGLYkqvG6C=tnd&i;%T^Eh3|(Mw!z}? 
z<-Nmk-LR<_5+nWN|tM_&ybK!Z6*r6qgop1dr9Ox0IcBHn;p# zre$K6ti&$VZg*U8bAG`eGCJkcRsRfpM>iz^J#z=Ad&Vto83bkO&dIgtd{3_fwM51$ zF7P*Ml;;DzD1y926a9vA^t?PR?>gbY<77R3l_2zqOn;jRSyyV5&Vr((!SI^ zP@i+*xm!cmpPA5on`Q2t)QQ>!x8`TNgSQ!y(lB@_X>E7hMt&FLvKop9@2{#f0;LDm z>l-=QK)wN3`U-zPx^Fvb&Nr^zvn(PdPi|}9M77TwX)J=EwsZuzYB=!S*y`PoaJ9RQ zIC&hmIi{Ass9yQd8Fn?~Fyjkd4=OQIZ7|T49-Qjf&k5=Y%G8Xd8rAT}{HRS-H|Xqv zX7lA-N+c#QJb!koG79|F@?C=&TeaTjEsKznbqs!+2e->>O-&!YWVZXt|Px$5%SPLxYRT@Z&T{uuN&~i~WaW~3q-L2S7Wn<}po3`Ek2}HLuie#PeN{j{gQkW#lrIF;jKOKgcyUZf-=sgB1 z{D11ipw4Jg2}>_K9DLmm(IVJ+<3MK}Jaw0RWo}xRddFW_=4#xj+7{j7a2gx8+Nt>w z&ojM%HJg#@RJ^tUceQ#jo|#ABt&c&>x&R^Pn7S~ImS8|WH@j|n;a)}EPYT^(43`~i zCZ%a?7&*E>(l9EVM8dMdA>T{GwPYV)Kkjn=fR`h@131Zin#vKgyq*?@L`E;>?=p8?K^vP*i6;`@R&Wkob6WO)amPRCQ_V-5CeA_m+l^S@%^Tvn zA|&Dt)KZW+p4+p-uAW^JP&pGcpR!akL87d7&X>yN+~FZMXIkhi5cOs6u_LSW&|Eq- zX;R4mS&ks4Ll1Avvm_hND(&>T9a#8N37fUOIv{loB~|X@$Zs$#sO2;xxo1snQ|n#% zV0AS-RT%)jHj+mtbj-uqTV)<-lYw_qc0H&~5zb6B5 zUuEdGfnF3{TeDz+$1n4!s$qPDRhff``DjW7JNnXGkND>YkCfGA?jgUFD^7SlxL_y4 zW78Ljf-vAw)wSjPY+^lX=TJY_R?v5*)t9LQaCvtAw+L>^AMXHFsHsd9aH^y4U;flV zRH^$RXf06X;H71bAXMb=M!IED9)ED?+*s-J&Y_bPQN^%99N4K%)e?m)^GS8yTO{$n zPx`+c5t=Of=s!nr6gQ4XX2uh1yztvn{QQ+=JMPm~Uj>OJm#bI%4LqTkT#`>y8qsG9 zS5kSzrIH&REjPsAV=cl*QD!-%~u(Ug6B_w z2uD#b6)X|ttO4}M>@_744)PKv~->HQO<PYQ!L4TjuO{Z71`{9H1F6eotdW)lg+C(bR0WFxWqHs?W>*Q(ElB-V{CE-_U|F%w` ze|YIOTDK#Cp=Fj2#YIeLC$9uh5bNK5Ucg0epvROWTl5_NHMuj+H@C@BFtb_PrqxUK z@eDIbK$XCpBF1J&nzVjRDqhT$m+^S&o+C&UY8~IK5N7ebsN!?fsa{Yr2}CxYo@C$~ zwWk5GlpzeVAk<~MZYO7(&^htciPeo7^c?hfvAGx0(N1x;6=Wr<(@5cR!4VP}hDm-} zD|?;0jZ13$G1qBl>)Qw7WB9gKLZ+lKp0aoS%s0TEC|T=Qt*Xfiq+3AC>6dzW8fgZ> zzOkivMV==aSxhE9<*n%e68x|P`-~7YgS-PpT2lc}VPcX~2uP?mqM-$yjPe0SZKTfF zW1)Dr?qjef{W>r?foK{(J!`5!vM1tRQ*f&P4V5a7&d4WO?V_YJnC+CWCsM`(<=#p; zlMe-GuBJ_l)9C5J;Ey5QdlMZys6`#5xw*(R1~o*IVhbf4Lq`mnz!O_vs{mbh|C_I{ z$+9Z~L2g~48%fb;mH6^V7zw&or}ydEw6aL7TO5^YRQU4B^0yNF@C!g&{^&fWBD=$K z^gWE)DZvtPNb3aGBT@)n`Xd38(yHyx43wJ+6*+!8nV@CBgl6*we`z-_zQ15zTh1?%pTY+54NwouFRzgoefD?oH 
z9n!cQ2(ABw?BABhuv50=Z55|N~u9swS}Nps`O0!Q3&oc@{IJc zJK~SI)q&2mI`{~GJQh;u^`L+!(@^*xs00Y!!buEEZoz0%D38&1#)5D6k}>bh7u;Ua z7cvK<<|?LKo}Us_Px@GGXzziCpa{w%5Bn=Wg(Zk}{<0Q@c~8F%01u&KL)yLFpEU3+ zskvaX7^P;*KeC~1wZy2S&il6b+ zdn0^GLftqS#uG{-%AqBEg85Z=2)>Xy?^pv>cw~xrmE5;(kE4E>F?d_g)65PR!bEI`t~j@{JnhV1Z^f+i zMgN%d)H1mbY2FZB&Kv9F9i3<`-B2waShfOcS@n#hq6MmPYG4ab7{qqtz^QXm8B~%$ z4tb-?qQ})!=2$EF@^e7!1}U(~P@F9jnUW9K79!AMVXk%xP(`!{qhQBPn)0g?#whC* z(Fk^*uyW}nXEn&rnDi0<`XL$FG=GU0-ZkF@@@7va5ehhD=EPI~8`>fokWAd7EdlV_< z(plfj)^;e67v}@r0UK~SB2gv{$>IF{MeL3JQ%eeN(~BUv$NcAx$)k7*HKAZ36Adz_doeo zE>#HdNd^u5NL$(rX~K6YSvR@7Xo4l#wra+90|_OiFkkCnIcz)AG5H$w5kjA@Mo>8e z&ZX5gO08{@9~^Z5D$J-nUk!dT2F}@#Sy`h2^j#}`%?(wmxzd2X>q0N!-n&PE_V_+# zQxL2cr)+;UPe|suwi9r#lIdb1h{ZP6(o?}9+&5)^JzW5&k%5A-wZ$fy;v6+An)K_s4 zHVTLZU|LYM?hVi%eUXmSB66Sp$=W!>uMv|Rg@MBF#&U4MpY*!YL&cK(wxguUIMI(S zMX&_OWjfbrJ`jE0YR*S$T?j7h;}imiU&tUg~^A zd49VrS_FB-LhN%MJ^nDtd6rU>r1_G7DJ5!LrY8;_CV>TM43NsWUNQh(BmavQfS3Uu zywvX)xi$<+@b3nD=~n%dgcrZykuBTBxAB~t*a*OxH|zYwXwy$hbBSI+j~p|))RPw3 z7I11#vDbaNkk!lZd*OgA&Sy_H@uC+0e8157Jrff2=i75<2ZB zQmZ?!shfS&#t(|ONh9J+CL+QoF#6D04qjLjV=*JZyL$)qz2?n+dhar{A!>U@s;a70 za)reI6HnLn$T7$#u-OyG^in6Mk#H6VGO7M-XQXv&^Z5Ad?%Pe`PHBn0DL%?7o^ruN z{4RCU{=Jp)rYkSXa?^+g)Y&j!d$m)c_P0ud(bij_4lj#s(a97g`M*QE!paG(H=33@ zPVIGnoP}g)U5{$Ej#sfKJ#4n6P6-ZbSxxm#61F%Fo-M?0izaVLtHl+pAlpC6B8dPV zm47NC$WWdGI&pam84sasu}=3kI}GU+H7P71nN$H{(ZN#!!SpY$dc2Wa`S~Cbb#}Fv z{VM+dizqb^Q5MUw+Wp~(d74h|rqdRiSOefjI5_V$i1XB(r+IAY(B`1=`ED@KnZBIojCfKM(oBSuag!Cz>_#tySv=yS;F_-$o_#F56 z&o&AYo*52EQ6i2$>Z_YWudhKahgAyPsyqJoE?SAp*MuY1IJkA-sDaSgdfnyu$Yixd zw4M~rv)vBSEYEp_Ppj-#9WWv%wVV5~CqyfExKzMN2BW5cbM%qv^M_35w7+T>=QLoR z&i=Duf*`jvfQaxldx!|>R?P8`ILj-Ft23R6_P*(4->L8;T=dnOq5X(c0xxwU#`oOk z9tXWw+ekV0)3A{wy=KDNTvjRz00s&$@QvQ zvK;^6t7W&j0J!Ccx;9Jf;B^hu+LrR4|#6A4y;C1vs?eMdVP4?e}iH}rJ)o#3CzoU<|LF*hOX z*X<$s$w;V))bw<)f4diyVQfi^yN%mbWC6k4U@;TDqz3B`2h5mOocN5l!pF|A{RM!| zC8P|FS4EG%bbc^1{Z>xgs(EH4d&PQP5&hq)my=EFyPb`PG)%8Lel`jUE~-rB?4dH-LxzAY(L=or+qyM1(zQ7ZRx6> 
z;i1!q9{{`8e8MBe9VjormmcIxnH~y5rsA{P12TG@!pA z!sV*)sBW`Fwu!arY-;k){PeDdklh(*ZLl;98atdU_J7TFo!KbSP5fd#xSfhG3GHof zrm`?!wM6veYS^vO{>!@&ydQNEaeKDT-upD^jv`<5wx&=n8>HubJEXr1-x)js4m2{1 z?uzxua9cQ5^4aCGt5--AWLr^R{Ye5|YVv?(nB3wgi#9*oW_163IbizFZW*vKSmUoW z+BFz`aK2aQ0YY7OoIDt7tT`Y*C^jCY)DX;>Vw@E*(NDdLq#&4c*u2RBaBK6>vjLY9 zlf{u&x;#lljiU>;0{qInh}O@ZuN>1~hydp5YeO2E5_AJK6@>W4HQT z91(VN?y*16YP3GE*6A(6YOFfgfAk*OG*HAE%*UQP^}zr%%J_OT4XP%EIEXZpQ$v~W z$M=07ReK+_w)s|Mgx|hh97}If8H|q`GJ6WsK7Vr%{`S4d*MyvW1u+wOj@j`)pyzL1 zTHVD3uGT*0>K(jsUxet+Own_+rZC>$ML>ixpE>avt2St-fp16qjDUU2hER(Q;SAIi zY&vmHVC<{+*obZqGLDA=J1QdoZ}XCu)4~6S3GE8QH6#$-H=>7D|w>9T@Q}UFFqMfStIC7`upvpuZ-r zU!=6;Y1}nw$?Bl>=R%NDdzs(-d$g`htvn?=J)<9=)Y^mBeJA=NlN45GDkOsV0LK?D z?(@r#xYzyPl!`gNq5+46@4|%;|2T6;9*<@<%P*e>juW9 zp>fzuGV1QAVUnrcC;!3WqClv#XMiO@lb|H`%^tX+5^>hgabxb@rhb!O>3EZa&$ptf zYn({h*H4Rl4&iS-&buy^m3bUbcn1q&Ugfv!3TnT-yCu6NlQ|{Gc~d@2F@v>VZ~okY z!Qh3ThDhdV8VZX2RDr^V9tsAIYI3Z#V(vvf7COR7m=0=@tBYaBZ^gC(qoRJw#wKfAneU^iZsKcKFW~i3)!S)&INK1I(uh*_2-zdGaVhS?cJp-m(b`Uh8FAoue zqj(TqcH%oN&bl`)e4)%Ae+v(z(!-HRuPc47@z8)q+;B;Z$cT~*FxzQz8BV}vvkd-K z?T{S%xHi=2w2eCEy!|oInR6U!&h{p7O8cPs}8m;u8HZH%OC`m@@C8I$XXX= z`yYM(V8!XxtCqO=rPoba-(;anbjsypbWvY0<7BNg()E4Anv_AN(n}rSKNH%lrdJs4 zx{#gVv4#cM{-}>LCTz65vKzrHwi?E#3bri35?UbGyN0}TI?idKPTe&57<~GnA>af- zfgNY7kEGNVT&cxVe;5F4IE?E{e&~KwFir%1 z&@pkcCiUc*B-~~vs_ziW-~u`s2F|ND3<_|+u12*Xyl$+q!yhyJ9Ei19_@&uYA4Q#^ zi19e^tUr@$eQuN#kPdKMGKIY@2W+X-5>B)Im~&^n)p;Ml1pQ zyue<-e2|UjfkYEsr&;qJzbNF)jCPR1TJLs{sSpF++=Vt7K&D*fN?ATCP~{X&0VOP9?FJjd^%|7b>sMT| z(gx%Xa0wh(S6!*+RH`EA_Cd>*EZRz*8-l<(@$MwCAMyID|EYOcikbtK=?wZF7?X{Hh*C>+4Z$6(D`T>Z(2Xw#IeChyrs!qG8G+6>*B z*9t0zLI{IdzpYyTG&Nurl_$TWEul>587VDFwjCG0i`R$mbLAOoC9grB7zM*JOl8(~ z5rS2LXVY;33uPYuF_dgBp})v-v0R_BDg^v$0Hj`_@q-)#LU>OC5dpo*DeD3BIG?fB z@CQX!Y!GB7(~h;o4N#IMlQeMe+6>@xnA*Y;IV4QPM8nk* zj;yeGE-?$ftH{ZH3Nl3|BX&u9u}6NSAbW?wiEOkXQUp&$?tq)%)tsr&g?3G)`m1)# z7K$);q9$5XXyLRR#LU4S@rxij`&==HroKyXwXa#dvvr@?dC;sysr;lMt!E6H{d+LU 
zliFhO(cd8=P12gdK^9_x!;xh}9hzN!IKbLu2o5)^*KA)%&G@h3rDjFrrP*f$=BOsQ$5q z(4a~x(@$}*PEww7PC49!rU)5s0(6UiEFM`(z^_`pAxmLU4}L^7@%aHKkN6dDOykQY zr^&4*%ST02?o~F8h~`Y(^~JC{_ATpQHf5l^9#8s2S})MT`0M>2!u$ae9;g03ZvDL> zAiFIIKED~vAEk2NB*qA;1`P0J_8E#dIFjlN43W))g1)PL=nk#hHU6_^C=@=+C8ow^ zXv3R|(2`6Wdq__Xh0Qs;yJH+ze1a3O!ou%8xg=${A|N52-SoyR>qD3ENSjdAtWu z>q4&WAIpz5xB$eKV=mRZU4olkv=s)E!QkXMY&O3ck-G6#n;8Wb)A(c}HZ$}7mJrav zz2gMDsx6bW>X>jqddMq==YV$SgxK?=41!AYAh_!Fa|d8nOCAbnh>}D+6vlvRM|I;5 zrs^qQXWB{@A*tFisppCp9ke5w&(uw)f5Ry=`)Nun{k`)&6axo@>I`aE%nkbw7ST#T| zYdJ9>K=Q*|lYfeY)-~DqO?Vbr*iotSf1W4#cjGy4SC@ULsLcUjqX67WwFV=hmZjBU z;k*t+dqwb|Yfg|VIvI)nFjNoh&f-g&9+<r1;X9ganWt6agJM~dNx z7yt|nsQsOGg|E4Ws&3-^yxu8M0(ef+1Kpyz8)vzi^4=MM+DdSEOlNerNYi9(t229UKk{>J zu7$w)18i&1Se{iUI`!*cUwkw-KJ`chL7YjbC3|#!$%K1AbUCVwTzgIl$1b%Tzt1*z zMqE3MD)vz+;0Jdf-GxpTRAVRkcs5ik1FPwbFb6Vcy_)sxlce&$xLzlMou4=hT+yKB zE|6tWdEO5QW-yY0W31N}+|Y-%nVSK>8PQ>mP(lH)@wjQgbAV5n3g9QA3h63mgnfKp zn>_Oe7>gBo3wX>#p3VJhw5$HtPbPv+Uy-G{-QqF#``v^Vyku38N_Xim!*R{<=Qo`F zL^A4wuHp5CUu*`p*G!#IlQaX7UyhkDxSoIW3*nqK>tDJ3a-4X%cPxM@fyG0{0bHDb z>ONbA;?X4RLJUgh(-3MY*f+VsI{${64{eTT*Sd$j{|xqY;yuSZV^lIcQV8)iKN}&=Yh1g)IxQsjfKrlI zYb-r9xi(R$0WSOXz!M+W%kJgndIFE#o)&$3Xk=t~WOx|(1NnP+xJ|purS3d6H3jkm z{@k!63HsOsr<05B1m8rcAXtfh*Zi>2)t6-BWS`r0y0#dsDQ9Nd8Sjof0;SvJAmb7& zg*HO`1e~2tNBW)HoB4Zz2wAy6*g7QDgqte&zE~Q0F$ZCpdN;dA%_Dt;<5|9PRrj}h z&gyOb(DQr73n;EdS0G6a_qpvs8rY?$38WKl(VaJ9{1a8Sgo-fBh^h$}bL^S3nz>+) z;@Yp;>hwjMdBhvW~>Vs?(R+fp2jb7ojOMci-LkK{JqiJgG-8%MXP z6XgTFJIw4;k{%bmV|jn2{|tiaO4n5bLrE4x1EB7ALsMG!Z=`aSILqg(-x z@{4q^94tl$bv8-_L;5J<+cHvNOCS$JU6TQI1yb&;lf10G0%68&^yzM8>c_u2o;`O? 
z2_RWK42Bu~#E^+YIId24U3v?4_+gf5F3G_&zb&(^q0h2PWEGG4;z&8wyXBa2l37kd zMgxtlBMCfVnfI{g(W3Vw9g!&9Bmv8$19xhcP=|a%*4R%&9D8-Xg<3+*7Mn{c!2;gl za8sLd@K0&2fE3a9=fbZ)W*m6Mx?B2p>1)ihe}R=VK?z#%UOC=Rv|CuwJOs@;+s!2@ zXArgyD`cA?aC|8-$=qG^Ug0da5|92klMn+haXi|@v8pr4x>gFNt#l(8U1~3^`9Me8 zJWh(<$J1;ozks7*EbPF&whleMGWoK&{Bi5?Ss25-G2`Ko1s5G71q!KxCQ&Skel6?pIQJr}t?|6Z%SAs>y8|))*n~NZio)t+)EuBE3nb5SL4N84J<^G3mQibwYh5 z906Z9VTY?@e{9!EEDvpjmX2caJ_f7LWNdA;hbyR>$SL8O(u*E8Da@@ou&~Av^QH%t z;JCqo@r3pJz7jL?IH~=TwyD{RVy;(UlhC+c%#N3?nj&vozfoA~ny4OhZ|0c=pQK8} zV4(sP!OmDsAPBaFS279pPIG5hEmu45if3ydYNxM#eTmz4Bk?=mQI?7%fEUUx#xY(e ztxsTDUlr08BBpFn*_lL0f85!37s!hAB&E^SMs0F-`>1}Yg*R#Zb6l>A=cId$Sb3pu zOjI7m=;9%Qn$4dI8hbITC*C{uUR{Wx(_Z|n?P3EDm?l2SD65;o7u`X22s36+mWBac zPfK?B3^~2nAS>RNJ8!>MpU!>~YB3mVnD#^Gax`%f(g3RhDb<7&P$_u-Z6F8mBWfoi zSgp%juh7A_(tzkVH)D6nD-%ZBx0FJ0(`S6-`wq?Q z*vGkMN|PD)O>Z3nc^A-S=vmx|%Z9C<(TiV^=$4vbXNxgbGguFVzm*2N1oG+#GxIsr z?MxQ6nlrsE*qIIGKRC1Qa2G)r%=V zJYm)C@z)W0Ws%X@2|e(=Q$jgkJ%2CwWoWR`Rr{$WFV|G9=Qfp<)s+ zeMyWlnk+d}W))fVht!fv<5nx(GLmPjh^=gG)_lt7$`!s{Ss^AW7_4@d8TbkW@0()eUI#*D{vUU3k|wp^ocCnw|y= zmre8O4p*a}vLGB`rmT$wfW^>!+-l#O;$jhHi_Q;7UYAenaD+VJ3M&2?X@x)Xt$sx8akD!C4Bafkd zCF&b@P$b=8e+L>IUdS+H#l0;Cdpb;yoNnEHkcBb4Qr&SkF@lU)X{?w;0teX=Y%_|g zCL!%5!SVcQgfaUmN@qRxr#{4w-v@;@RX`_Lp5*P_Y=Aj7Nhajoi`kN0<8_%N@o3hF$g;DE%ID24@tBpg1Mk!Z*9`JO!wyw@A{F}7Px4E^%w zp!SZ-!D27MUOvA$)wcY&iUg~B`LBk#`Mzl^?#ODKlriEWH{P{$vVewig?7c?FIh-q zb3Z7nUtJ_aE^Gmd?all;gPJ)X-ctJw@ZhX$JGkCLoPTOhFlt$;cBWXG=vyh>k2VWt zTyqVmDJAw7x*7!oeN_|DY`9{G)EZUPk+}a z;`nK131sWN(qc?#@Q30wfEDId8+iUb4RZ!CZ7701kyV%7PzvLbdoxsy*G9<-%yJR6 z**h$~r&pJa`fg&Ek!eR|CSNj06RR%Bl4^kM^xflQ0T1b~s>#eIEah^}CiIKuhC7wG z!HB5##s050ot0Z}o(xX?Og#Qho9Lb@@0I;gYK!_K1fsn0uOEggH7^$&2hmmQ9IM{T zPTnqKI`12JBu7d86xJC)2!RmHogX`{OCkoRDQ-X-99HjUmH z7n9kFPwaKG{Z_KIw;(88?mKyf1`J4|*n8OX0}fvd;^5L0zLiDsacMh!;r84i%3b9C z^7#*}(WD2?M(=-~HC%uk5-#9yzXUxht3aj&kYqVpvEF z4MwFYjp|fx?)68bZc7WlPq)MCP{Rr14?t3KVU{}TLO_cvpq!YE{Ux9{yYYm-}!t|r`YqC4<9 
z2_H3nnl;70+EF&|dD&JbbcC`08}de2f0~7_tXjfkv^T?t&icyet{Cfnt>91=tMkQ| z*~97g@!8cz)o*=y+LMHReF6yX8x$bn1k*S<{_tFKH(pP&c7v0}Zz?~nN;~-&@%k_t4UG`ota{Vy}^CQ8YM`Z4#bptmE zm^V;JBpE$#1%}|h6X?<%JP$R;4*chz{~vYl7-dxWGNZS-S4nCjL9# zJpFl)0*@;{QH0m)vesP;@4^A{xV{N*UmGv3L`??)}GE2>@}| zBqCc9<*bE&V^AkP738H4=>L7YKES7v+qYov9T3Ru$ppN5bL37_k%6ag9M_}&AQS++ z`V1tX6-n5qj(cZH;g7s39z^CTqx!yAf0IgY-=b73#_a2OgcD_6?Np)|TwRuK$^uqJ z{gYXJz$IRxxCQ;)uagHhO7_>CnX`u=1G|Vsm+!PI()u@lMf|rrB;WR{sG?yoet0*~ zz%$k+fDYl`myiMJ`;={cl`efx%BThiH*t7jGReY|2$t|&Xz!nd|DQjrp?tppW}cH> zA&smJ9USeA^sN52Z1l|`nHX8{=V-e1g%F02ivxiEESrzV(@>AAZ`7P}W>kIA6O}K9Q`$mR%PAY6Cq>9y_%eEa=l3^qjM-r)c^;{x=VwME`~1^g4SbPs zhP){ty&?h&#!L?4A*l@9nSt5Rq``O!+t{*i!%0!fU00}Cdf86KWr~&!8hPC{iLC>w z%7#N$En4RvT!gkkSB%Mnk{{$gIW z^^%Q!?}&~42hV$k)r}|s?4i80|7~8_42|NEg3<&yt9BX9f-ioq15VL!?E4}l1T1Lh zDGLW&bRgqo$@R`#kvEZ}zCU+gpM>7&U!0NMg4#}AJWN*1 z4=Zo&{xJ0wUoM|j&s!HE-oa}ZykDtb^%%=_69KHg6$4*1I7}h;B*p3AdjA4(^kmC7{shpAFT8-$h-hd84g95*TT zxK6Y@5dq@j7*2An*zGBeBnmv58j^oJKN~n>CBR07%#Ct16-t1oucZi|QVyaHlCMdQ z%4q{<1s8;W!MLG_wP_P#R5GKZW{`0eN{b5uLKU%$+1JHXjuJml--W8jX+4o#!_b*R z8)j+Qz&in&2vyuS^S$2QO-+t*44fhxVo%e=Izh6)Dsz{T_d>0UI@;|DWNn`Q za_v(Dr@h2LK=lxZtFmG6xL+vSdUFtKJ4gRC{{!_HfJX?NrK;H5RwKB(6kUP-9W{&@ z77jdFT;h9`{USjJN1`XnnaffQHV}QMZbDp(=W*Z&c(*>|6Zzq!+DdZGDHcMk}A;Ksd>@_(r*?0;{JJy1JD|@b2%+K z2W!B*@KO4m!OSMU#cLO$4^svN42kG>Ot@%4-+J`GQo=NM`A7)occ3$SOBZw)19?hv zUttTo;)p;F-G0h2!_`(dOq5bZgd5G}ctVmhxMz?chxV7=!O2U+RXxY`Cn2!24rgeM zELrz!$&b6G$D(&Y)qvLaO1E^bc40#0~S*<2fSVVsOB8od4>#O|Hmj$cY@PHIYM z>(@?4$%h<7Tf&Vu=X_~VZd&(U5Qr`#F~qTRLt`~AKcvW=CoCT?v;+7ntDSifH^mpEIYJxM0)y<4!ACj~x2pTzC2098h zzc#);h>RIqA4rNMaCCin+obx{Z3G))mDy_3j``Z>_dWT$3@##m#@5RD?kh)gE}T~gSAnA${9Q>);}V& z?M2+$KdbUTpXrodc?8aiAgq9EuUm_+oy6{8@9>5xef3%sKQNXD z{|tHL`MBN<625@8)4qj(xW_-)(3B{U4oIRB)Yet5in+603ti;L0(8r zj$;A0T*bTL8yj!o2qovj3$5%lFhQlX6!oyylE3nsSoEEsk%hyW@rMgzbI;DqwFZES zgisT}BVQc?UM8njSbY4HXS^>;Pfa8^y0zCtDUfUFeFb6u+CBzF4*A zYc-rVT(wI`buJ7@=iFuVwZ?W_iY<*E5BuB$wH>!`F_SQa;i0X-1?_qt_UBP%ccAzq 
zW+Mj7LT8jaJCP>Ry|zx;q?jm3G9Ph#S5m-Xjn+Hhp!98NJYArcT9$sD0kpQO$bpmi%nL52ro52>o#Ausu-7@Ia}M>_$Wq2 z_XUky`m#-6G~gl9T$wpV8dV0+4mI_Ur~cdoq)sq4Lg7{Nwz@)VMn-&;_z6jt5`rz1kA5%I(`&ha(zF8A?p${@wcDX1RuT&EfMD~1G7z641FwRWb zpBEMv$DR5uM7R(nUei?+NkN^%8F{2liG9#BOl6bVO~c){w0I1?<-!^A%^)TsdZway zUyJhP;qxSsF9#lBi5ijk=O*Jyz~}OXnMvRJz4Wb+v z78gT_{E0xz&NL-bL_rl73)8tAvLr2IW04zbCCY4U>~Xq)II=4EUhS;~& z8M)Ojl6Qzo?6w@EqnfM4Hpo=_OabymNgN%W2;tGV8||{(Y&nIv9+n!y63}i_=6;sh z^pA5&4NzQNM=nkDGS7wsHtglxi+2$-0IQL3Q#YH7Xh14-gIB4-yhd(@NKRKyS&6-5 zoA{n?5mC#hV;%>3_c4!bM;blsm>(dy20F&^u+WFJ8K_%HuZTLa>Koa{n)+IN;@Ol$ zyCaqdc-7iisfH8aIeA$Cb~AtiKo4E9T;RaCeSbxklx+p`oE&+sGT_oKpeLU7T zn9RBglL31_iy^|)LOR-Q-#7H(Rx?+ihqFjJ1=jX3m;|_4kkof3BpfuA$fb{bKE=`?=nd`51PpIhc~oKzBB&k<$TLA|ZI5}w+)uKgqt zOVDqaLyYZiK1j3{j?0p+rLqKOd?JYgL8b9e`B1dhW&;Rt+0u)T0);sZufChOr1zR! z927(ZkeQk=A*fbqEH8wKFsd-}U)dTsB&Kg?I4dHVzp(7Dc-e&4%&l%haq~ex?|re> z$PgxP#oskv2${)NL@{-~b7zgFYlup<~T19_!(3x6QxDfoP`M3u+)=#e{jd zK>5y!f>>epk$OsJ96-y;YFVoW(2s-o0KN?hPwLYMuo!@?vT0#OKQ3B*tzF0}^|b)b zgZp~ho?2x3n4Tnvcun(CN*uVSN=>i-TnRF2i%!HVs#n{$fZ)1at>0#K*4WGqpidM4m!mo%uVDPG=K4N2b zkn4jLH$`mEk7ZcbZ)S0v6z=9U_$y9E;o?`3XPj6qp>B??k?6JH5oEd-|1a?0P$SkLfC(*8N)1#gp3#tXs{ z3@)lFIJn}fKVL5sggEqZmgdk5j8(K^C7M_Wu^%)&D<}hFtDMwj34R1vu@n7V?=DPE z1yO^h)qWFQE*;0&0Ac|Ux@ye6=zIodTD4(?_s$pi zxOjou;?kslveG~Slj@phRZEOBwBP`XCa{ixT0J1iLV<^D3EUBqY&Am{h0DEuyu@K;?PqNi2J|d#n~Z*ws=cHdjwam$PrF? z`k-HpV~hLMw%&1PJF%YrD-E3a-!yO~H`{NOTTaj9AD{L{){b}#-;WjWXcdecY@F;3 zj2!To7+L>0Bxqyp_&wwA$X_k~dy=$~p_!h5jVq)k-S+?sJp&#qJA?LLwf#T!{lB#T z()Z=;Z44BR9Pu>2w-ge=qg66;b;Q%gqZPEVw6RyT)iW@{`wI&QI?&_&W%4@&g6A6? z_}=v&!%9lu%l{pQq*YR4!(*WT$CU3jJslncc83{i`=#lk?*WuL8dWA-I?Ly}{U|Oc_qq(v*+Cg?hb7JbG z>166;C)|a?>y3u`-1};CS1I;v)XN1-I`>wm$i`bjm+MbM8$535acg_oXuWmm{!Y>T z^>vP7B9CYG?_}e)bVoRLvqu0pp8cLW-s@uuj^;PNxYu*5}OHV!y099Hw%r-l>MV?$!0ZBf1hfna1?44q92Cu z@YZ?L8(XLb? 
zvxnB{r3fk}wOp32N)b7++#`;J86EWRmhxO#6qxjvQ15DFQl9C}9N(kZ4eFldWus#| zHt$3Hu64-DK?V)ut@$M+a1wC_qthcbB7qBQJd1IIk`De^%Vdt*U_8&P?{M0sTx9mx zA7ov4W~A(ztLI6)4*oSdKO*@9#4#T^4LgE9tVZHMdaho?7RglEfUuy!d!r^i-1;YK zN5^aEN4NnlVW@9s{0{^Y)dy)E6lPKr+o*W|?qJ+FW>=(se6HKh1s!EUv!hgpQi=tD zLMZJa7CM>Z?mf02ak3S0Kj^wk+j`vaP$t>rTAGHkH;C+wcPB0zr>H##@Q%)}*H1TL zy79Hhoz*~ZbJ!~AdnylsD-PS|I+wTWF!%%O7YANP={ghbn6a=0?*F`LCQCk1SSh78 zdZm6|ZJngwciDkjhqqhLswlf{5%Cs$htZV2Kiv=QJeBr6*|vSWX5YW9^ksY*YA+5OWmD;VFO(L`-gBfy|J)hRX$|^Z1oEj@6 zbEI%TOci3bWV|+6>Z#V1y6yJn(o$A-R1~ zV7u0iAo@&6FC`TFzTaP!iju%?kPWiMDj@Ef9oRpUKU&$Bd$~u;`twpDj(f;*BXz^q z<-+X;iwW-BQ%WKCZX#jEtav+ZgQAH3BF-Zg(uvS$&t=q7<<8<`p+WOA$kkCpFPLB# z5Vu2BEIl?{>$;hs_&LaEBESs<>@^UrB(CnozA!g#5%wGQ6qZ|9d>4be`oufv^g1d? zvj(OnN#DFGLsu@F_P#QNX&MGbi_>=^@G#0AB9ngNYs^zymmHOTH5E?CF?n`Euy$2k zmsWSE%nI$&0C_WQWw+c{)3^~IKCaLKdX^vInz;nkz{O&5AGIL0uPj$@)_5=mQiJ`* zAI%iwYJ&%Hk@9a_=wQ3^gG-XX5rxkvdvJB)`Bs`Xx6EK#>8;#ZJG!r+Q&blF=b}j?& z7K!4Ehw{WkZ0NXL?@2p z`5nA@og9mng>r7ASmjEzUKE!tc3dO6b|!=x==UnkO5`bX<1Up9N^p`I3xM-z%-_lQfiCBHy-t=l`;i zTg8?d^WPHPveKgkNwOp>6TW4+1-?G&n1x}s4t5SLuEYulWa6!IHh`s6qkLwLUpn}X zU=k;ZzKGH|7k($Pyo*;s#6hLHNJ?+_Ek=yv4G91u7(Jxs;^pHawNUk~0OxVIuzLjT zgNP5fGY91{n$Ua0MxhawxBsEi&hZ|@3#pjTAIix_O%X(m#+sqxbijsaguAc#Qw}xq zBn7XPF!Va+t-FNy9Cl41P5tMk6EY(33~WWI^F8u~a+YDo`h!GsPV;IBGm=f-^<)vV z`$`1)5Pc2Fo*M;|1%vW@cPc1k6bW2BHIS)Lot&=2`Y(}fNVt^PB^NiCO87BCl?{afE={=2bE` zfh+{n&5AIU>UioiVWww$Bs_g59iL5%vv&Nec0Q$0g?F*}syOhF;Um7rC#)yaxRrt| zPE=^tC}{}K*Ic#|uGl&NTAdu1`_AoT&rerjEmwrSA#n*EGBAMlakb>;cgSRy|PK^TL~H5%44al=R1kNoXd9T`{+oo5j<57#vow*zf*@ z3Z6$Y5#5ZAeHNSH401|JQVh2th{D1^py3|O1RE}LUS;7d8={PAiriuQ>_+wRM6KFN z8*#I5fXuDPx>m#D1=QJB{>=`jM>kaJytv@dAdV+6iLX&k*K1SOA16eV(|t}SfEzmL znbrj}J#QX3o+mbDU*o}@hs1Osq=y-o*4Jw|6R=i|KU2h|+>t0DPiF|msg*HVWH#qC zn1|auYba`a-7gIpL=iR-U5lJBh}Z_J`Cbfb5PZA1=tzn|tCy_4PNB{x`FE|;nr(W@ z9qpNW;D1^T8x$xBa_J9*vtC}h3gbm2!*U{3k+U7^{}4TETPi&{Yad*!AuT+%UsFsh z;M>w~Wks8O^~*h#CNJV6Nu6t+=2cW#^XVAQA6A^m;I4~qB<`&JEr5rBi<&$;1TUFY 
zcMA2a2gOHi+Rbz|gL;fdnlavkYZKurONPtdE)eq7s!;BbNoNwp;99;MpN2uz z#|}or>br}RV$|TmHXO1~ZC_2znQs*s#N_9Nd*Y@k!MxCq@?m9C>ww2G>D$S`o8ST} zBzl{{IkF5W^fgAAM#DD{j*EG3w}{-okZUD=w0k63GlJz0O6;6xIi>_X>Y|ef1hzjy z%56GNez<`J#%&JjPAb2XCB@+7enK7}jnwdVy~3ukj%4JF1sP1@L?pk!rk8p%K~(M* z?|e)i2~Uuy4VY$wLfniWaJ(B+edCO-M<_8nuckInCZhK9Y&;3TM3bLb{bGhPL0yk7)j_*w>I9JZ2i?X}yJG|K;hD72 z%n`}JkjM*K?^I(Lg+-!;;%78S=LS(#iG$JUWlcM^v5L`JE5~mlIOn9<8EzDyGGxr! z>QXrzD-#pAlX}X?sb0VfZ$Hw^I%zp(I6t8i&FG#-}f?mnXNJ%#>*i8Xh2{0qf-O!J?1KB6Ane- z<<{xt>+nS*%OPPCiCV--M;TJhGSC~pjyuL1FcS`3y!zh7AW~p!2-7j8*F0vUWhC7bV;LOd-uf}wye?AUk(W*s zqb?keG3F!>XMtFX66&CXDiAHZi5PIph`eqsZ``<_-06?v$K&OAkBZ=bIppo zmp=#H<-d~z%6{j=aEYg$ZqIcJTz!o20qE=pweL58J+X|mSb!XM6K4>!$vnLSC&da47&7;bX~K{5DA8!K2dq*2uon~}jyI@*Igpv2OZWk_xcu($rdmpJoK0 z>Ua-Le|*_kr9_@U!74B_ItX*{)loT#k@a#JCxn7;PNcDgFA0#?p;iEO{{d9vq79E? z_|7WEYNRBAWtcB7>6~c|>?O?WXSoLI8y>g^3#ZH@zo&-g0$8X3`8|J7-8E;03X=eV zFU!y`7aEKEE7B2Y5S0+!n~PydR8R#;O zc;%|p5rZC>YZz8Qf%Vq9^q_aliL<8T)W7Y5Dx~TFd!ivU7Lb-kQ)PzfyxyWRf0q2{ z91jerL-#~nS-pU>JC+nXIBHZ#tsqR%E@Q;#56CV~Y?UaeNE~%7O2H0uvk#XNs(l@) zL~g)tl(-&e33eQ*D<{F6r;{GZX!S(@y`f+4MNP?(8i*zK;g&04@%S2=Qgp1L&w_0O z4&bAjtQr~0Fdk7dbmbqIHCb84j#efI?ocAyptDS?8Bn8{lfefBa7apN@pLN+aB2yz zxA!X;CV1x%Q4qXI@${*NovG~Z>aHD0XfQ?;H6!BiVIMw|dMAjbn#??ji>8j76=YW_ z8YdldMVY+yr;fKcn{urrw;_^Q+E_%hrPi;cXK}=2W}|Ab$(EJtJ3MW(yd%lE2ojEA zV8T4}lkbxDVP>lz3F8j$G!y~`&L1c%JsgcahiAP=i2(IP4hzIHW=*-VgB z552V-##`d99UADcjO!WMmr@wV+Gr28tj4xpbb+0X{Xrj1>Y8jPXX*3AZvCrryBYI1 z5RUUWB4~sjt}-l?^xi7iRCTYvfKa9Iw@I`PT_y{1il1r-YBS1)Fvd_H^(P-Lz5s@+ z`AGi@$oIxKH<1X&vtn*tc`HyrNARuIEy+W+UGeWVP zaF~QQ;#WLlH0PdSM)?w^@JfTp(9o0JWy{j%cfkW$%e&n=L)GlmYwzr;YNBR_9WE?K z0sFG$1!j*<1FPi_TJj)YIFY(W#)Zo?D`(CDqO}ea8+FC1Wem3R7eCm}KmPGm$H(<- zuJxt8MptQxb^grJrc-STOO%h8YaiV@m+c1*6HJ-=wHK0%>2=6!UMV1?%|E@yoK>YP za4|g1@YTwM9KD7s`-~DQSzbCZ}Sd8s-yUua!}bSJmDf4g(7V$o=M zbpIIpuzOxFM|&g`coyn@0xN=KALnt@a9~bZWbYM#%_odp#?3&ORI}DBA=%zXXx6bi zL03^LO6q3sZ0wa$3r4#%5O8!3gOKQz^GxV22F8xVM6`}6G$#pmNJ|jtNF)c;eN@LT 
zTU6i3W3jngf)1P2d6~6RYU4$MXId-bCw#X+xuy^Um@ySG6lFnSHYU1it#s)Y&P|;jmY*O@0j;b73zU6vIR#jP}W#F*-A~m^6 zVP61;#_QZ4fPcqvwC^|ml&>NrEG#wq@pm%3H%|Z)~w%5w>I97@Q!TD^99S^ zwn5`-+*ebQx#u)iSkuxZqL zPgkZ)>{`r$iRdG$e@pSe>K)uS9o)mu%h9--(pI^;)^?VmA=R2O47x=foRW#6%@Q8YdgOrL`{Pc&K}wY z^xE#iA8(!**XJ}sXfB{?%z!v%Uu!d`U#)k3`2U6{S%Dmgj1+h5mAkR<{l;UyAJ?TXkCGM8xLpQ4|!0}xq>|LXMbk?V{ zCP&WO3_Ef5c`0jJlESTp6fb^eiapo*!Ck^HK&7Xz%s_grufI z1BvMnPoHOGA-hDHhQe9T5DDBKY|RsN3f0#RVzj==w9x9Ic9Jw%TQ=keq1#Xjv{Dn^ z*+}43iOojHn?SMX)Nivk2J@_($+Q zjfhqVi2L&1^y+z7vhI87mA0Iaqxo40DUyAsxDcp%d$j9b(cHl{o+P$Vka?3sL0OWU zUz(e;dDIhBhmgGb+kvuZ^idL2_S;*MILvy@?Q!brPEk@8WaB6GgD1IUi~V6r=eZ(f zK^#=_rOw!3bE3uP^9%8?TI-#^pe%<9)vp-rKMUl!Z5mXaaF3-5TWkske}O)*0R)w7 z|1#!CR1e4T@y=hl|z_%yid5AGKc=iQAxvfF-Ux;Luzt)C-Nu2+oNM`vDNdJF} zXPj;ikKx%Xd+v;Cv3ecimBVTi}U0e$jW|MJ!8^C_n?1C~i zt*xgeMP<65I={)jbT)r~gj4W-DlA@h>GJHBwa!LES5?-ApQZPHodT`(o~RE4sUZK_?&1ox#6mj-f!DU`Rp%Eiv2+QwU9jW#7E`1$A2)X{dHIvVxG3dO30QOTCSPB)0F3sq@ayq!8W8HDxnMeN*b;b^# z+%H)D!x3`1DcyN{5Z5|gWDmZ=y^1P}YDSlbz6pyHyqHp>q{BNscrV~hRq_hu%A|o4 zVhesPdi+a&j53rJeG#mBU4&$GZ`0t?lb+uU`Bu(Q8_bIBJ}*0{lNp4qJ=*86?Hrrt zb#G~cV2*)pa0HAmZEb*@*B^tpm(#eU0w1h_Mmv|Vu7TdWrm3-Q^Gng`t?~;_st=ju zb%z(YNf%j8`K1jd82fQjSmngh9g-Mv%{snG$=XcI8sbaPby}c&|U>n2F!5t^f`dzch*nY^TFn9 zr0(C>#TQ*9kNg#xPnB|NR8F%isSg2D<7K9%{YVu`+D;C; zowR?zqMCk8!!$NcSDwMrTLuHpoL8Co(e_gW>CV7BzYJf(u~0v@Jt4dm(I8;U;N)V3 zg;KZlp9%ssRu0lL4aH3^XK?1jWdj!_Zgy-Kjmm?Rt<^F!`Y1z6Kx-Uv5M@|;{Z=fs zqGTk6_07Ey>k-DiApMvQPO4@0l*4r?@*3L8;&E?>ozXpikf9=Bqxs=Miif{}?(vMI zu#FZWNiAbJs&pF8iz8L&I@WFdgQ4u zl)x^+m{zLdm0VUcLQi#bA~qj8#eMNLWN$u-#Au)!xfdgbS;yb+9&F{Kk*6BbX+#&Q zuC>lb)zxRa5bsO4m-ul{1}7{_p0vl3Ku^#gRVu7}tn{EC?Kh1uGHP_vd1_)vGH#bUYu-B>*zA)kTK7vmYOUx7`fK=0_N7n~_JkE&VLK)mH{ieRQg z9Z-blPaKKxEE}M0+y&d8SED>BC_{C5zk&P_@>>{bKYgHMcBu+i5iY-U6=yOgjUr*= zqb$rTU_zQ2tF2KXv$iTlp@5OHGVNO$6mKd84Ks93x(!K|*&nyE%NHi0aQPLS7bS-FS*oTlIW$lC+U@!@Zy23SZAP9F63j5NcdIk!qubzE z2Dn@iZ7}tzy-}Tkk4B<}76o3A z{Gls#^d%9Sj0HAWr}_;Yqe9I`J$ytKGN(Zjj4>NHZl^yej#Y13$nBdVzdSjmVg?l 
zmXBx8toCHHqHGOzeg9}BNt^aN8?QVo-SHJ0mJ@gF%}C%Pf2QEy66wMKV44Z{)S6C6 z8aLF;7?-#9ymdnWTJb~U#cXsilET3t{urcKY3PXQJupohz3BqSAODk{fQ>0tw7e@w z0yjDeNQ@3AKC2&7%dJS;$57;S$9WeMw4n|ylFIe-DUoSNHI0&@&*r(Dr;w)RcL9HN zVuwhRa~!!jLURJ;ly383^^i*7PDH!OxR^r_vA9ICY@%q^QY4aTd|dke>aGF}xv=`R z3?<}dJvX_L4gv&*4pXFh`|-)2{jrK&Ve$)zj5D|*aS`FwLHL_FC(}1rDiPn8#{TA# zV2QO>JAL6$AiYdSXA!*2EQ~=E0u<56@fPBRdNmn_`W%x`8hnICR~nQhJg13~I-{Q~ z;-Vh1rVQ}B7mQn(^#J2tb7%xkt@j4bFnQqrP%~j+!7+e-&-+4+a!MJ}(d=3abtZQOHRFvx##JWUI z3v#qO*-g2lL#jDz)>L-m@}yD-_S=1i&9&BSi8(1ShREIk576G zHf!*qq*muMiKa0$TwyALYgOAdWm^HQFIs~(t>BoqCm==xkxFF=PG#6BZO}FDezLh{ zx-4!kS1css!u>ku;BQJ{jFr{qr9m}fKb>3O=GxGL_ zx4Y;1P1_!sE`y=#846jd6w;fBBG(t>Z|y6L&lrRkDXJ#W%o;8Edem2L$fV&8Wq?#Y zzedc#h{2zutMLm`{6TQLZ(j%~Z|#ZJZH8DCHS{oLwj?&WeVuE))}GA*6w1c!tqYmf zE)W$TkZThgsMRrV;pi++sG20n+;nwn`4{}q&McT~>Cdl!sFRn}(hGSh;d#8A5{S%> zw>quxIBfF|SPXy6qD!@*h4w*>b1{aaa-=Z0 z=Y^x@CfM#*V!-}h(~dN%3RObIq+T`S69Fd(rFd8rwX}$rp(N@9s6|0_;Z%n$hWbek za9wdDDNGLFoH1|mXsbrw6mLOxjXFy9#$BM-rdQ(;N{-bfYYKi9=5V(cMvFqmV!5eUu!QNB^dJRE|ZhEPBJHk~*x01oJ*~|@Ha}ORvR4iVLCNpMYz>U^l*fR1nOP!A7s29hZwTZKm46quF}2txJjHdVBjx1218-9 zx~Iq7f~Wj|U3;o_{6E8@J$qP*`3k&;L9hu<{7a~8W`AK>)TiOXu= zySVK0_QD(rou`ai5-#5N)!x4vTi{}nC;CP1+wQ_3CGG0;T^XQ`FtGD*{H*b{y;44V zi3W07m6WZ~$f&7OKIdu*9Jo;z=dn>EKkfA(sHlP=Hx~jAAdY5f0;kiVI}2*GZJ#Z^ z`}2KP-eX&}|5sNUcUVE%QkMpND0-RYg4_ajoJ=XXaOdjuX`>ZgO%TiiBOv@1e8_mZ zParq`)tdD5{1V~gd}|M2gngWpO3FSoTZ4fPmJzds@fEu$6hb9JA1Vm%Gf{XKTa14W zF&{ztjGJf}r~?#Ee+HV!>K%@<+e%N2+TM|i6H#Lf(la(9f~t}`KRgPv_Q zP+8S*6i-Q4YFEvuA3JES>?uHfsAvLti|d;++aWx1tSrWVMn2) z1~s^Q~QkyBlvii5CnaQE%lyGz2>|IQr=U7vaaJ9T;$9JM^ z{6!=`GNJ0hY@^WVr?E!(EV_Dq?R_tY)mT9%n5D3e*P96tP2sqq2WGUkZFq&9PIg7$ z)VA$Z_WMwLoxeCKubeonUb z*9bdom)X(gj00nGNVyol>F6Bc(ja0r=J;3Cj*G*oZpAN23gAo{r z?;F%J!Qz7)f{Hhvg&mhB6t)%_3sDt$`v$mlcu%+ zpA)WUs*wqa2eTZb{z!k-W9OB2Ao}zA8aV?#V)D{99ai!EXV*|me*9kFW44mq{qAsI zZa_*D5IQ?q$T&0!SzgtjeSV+{j9253^}&e!wV3UVG$+WGZnoSMC@sA>tzQ{(-oA53hdUv$1Lg0Y?F~nXV8){ki_b=VN}S 
z+O;8P^Ei-6MoWHKPOUSQTS$8;RFk{k?)`A;4kAC5QGUTuF5xT)F$`Tjayl8dDn>Hx zGP0b71Y~k^_(3)1S{2#tJCx!oN1UIw2|4IWJ4_TBRH06eV4EkdMltLI^3nhcW&2$ z5Ih#xuIZ}4}8jhc15@xYT1>3*`SUtw=I&K8~?^+<@(b z(2>MKbu*71n(}hd>K2;PwTAa|jOU!>3>|q!Q6Er8?EGdqf1?3K#w5y++Ea@|jVhX) z5H}6MsND4?=-xvDad8U23|J{uvO!#QINTf%bm}B(VKYZQM+M;~xGULZ8q&iCQ0o|C}n?eqKH>XU1}7 zm6feeGDL%odyc8QA!xjnjQNRX2RJm9@HD<8s?1vC5hQ&H3J!c>&%Qr&+FI7i)|F&4 zsyo()+7)`cVPjnwMqxa+!Sl;I*;>btB2Nrxsm7(bh?Q=}ivz z^i+#<@DY4lRJ*#7;IW;sAnJHckL`I&j;$^Hoq-^*3)V5TT;a+@WJn0 zc3id`ZAi`90%bliQ3qG1ql3Pyn!(dPd|@yDsAu4DumhmJx`Dls7mk&<5-j){5n9(+ zM$hPYX_``btmfigK!Q@RDW+82SO$7Y=3yQp)dx{?8&n-CUk~2N9x7vTsWKH|-Zxk> zZ5t(h7MPrm?05fn{sE)FGvG}DDd9p`4|;J3k8ojNFZH}t^@_q)f2*uh8%_xX4?U@- zxD5tMtl}bB{>W?HM3gEYN<8M#ZA(4_LxYOqw@zFpTSHST8!96@-iw-saQf=-5zp7u zmrw%}!a!#)RO}F4EzXAqa}JG+M~8a0ADdrV`_F`MV0Xnu{2VHQrf2?r;eIT-CA^T-|5Q#k0_ zN`^b&-2>-ha#~9EH$5w%{Y}of%(vFsHRc`Q-9-5Ln4Hf0rSn@1^pQYw$LW{F&DJ20 zuUM6T>vusoN=Z2$(P=4~Ck25mYK^n*-&fs9F!aEEc97$8#uK*0@oyz6UUS27D^ezq z#*Wd&^rsdf3q7F@<2+~DT1YqHyHw`1%A9O82Z!=B>JkU?G#{%Oq5}a6IEi>nr14=t z8q&!B;MC36ydEAL(S8l5B~6J|RO3j;WVsb+`_1Ab2#AE-_nO%q^JglRmL0h)fuBm! 
z5NOzLMKoZn0`ER)PCJfE=NbKJfVa{>tF<{&3F`(}vYx$$_*}!n>s^J$&RFPSqI?DU zU);U(b8k`Dgw+4uBo@?r>Xe^cGWqx z>zvwqt@V5sZZLvc;u#78jZ?MV-7nJor+?xR)BV@WtJ3^5%k({aj_>XY+r-oyifG$k z>u9`zazx@-#vMoEaXnk=heg87&En;uZvHF&HAkt4GI|J9ZMhKuwD^uf5kd^6NcXjQ zqyaj}8f{mpz$Hm#D_A(!Bwnj{e0*G{ZL@5N*MtJp6yz2C3iAJY(_{f}v79qMJ(g!8& z94Y+EQaIsOt_bLPvOOkTL+S0XAsT2%d=5{c*SCzTD?$mX8u6`oeBMqfHU>$G_J$uA zTv#FMFwY;(3qWDAIWN-H(c_VVINh-{n<6TCns=j!4`F1#6YZvSN{oKg(OAG7hml!a zzZONf_U;Q1-~Q)rFfA_(DQ^SduY8&9$&{ZDEi8#$jH^d5+5T z|Gttc0PEK#F1BN}bvW~INoKTJAn5X;;Sb)erGJ=I=l0#K7QBRxolW<9&-nKCOIDZy$O9)+^@>U6z4~)TC z=QG*VEEm;*6q83NL-t$(&u%2-ES{CWMUZHrrn&oYS5Y19g*)ppZpq4vOB=yE@$Zs_ zKdVN@Zib=#-RAQt=fI|zE24|dVU45?^4Z8j@arX-FULr1pu^ePt@i#A+f>`R*A=vt zlN4E95W#&SC7GAkCgwHcT!?y}j?MwDFdPISIl>`H+Kp7&vjR1?IWIMj1L!Qy)sx4M z#9PM{OA2?Om`+G*30$&(0mQaK*I*JGe?5ylMUv+wBh~32cN`;6yu(h}KwFgCT4v1J zz8}>oyCDH@8Ss)~L+@}CCd387i<=fW#06@!I=`-YS5Uy{l%cDo&hfFDAeNV|f;tpX z+!AE0;F-3C6QMPV4}%F0f936A7F*WB`BY~rZ#Q`)mlmmLH5J;HbgXWdV5ZfobK|yD`RQkd=cs&8Wo)PTFZ0CvRAZ>w;+bO!` zzsybur7`4La)#|kR+38;^ozoqJ^@;HwNDj)2DF3s6*D0HAybSgqH)F+@(JfnwOyGP z8ykCduPIfki%+yp#3x{1*^It)&TQWjliD%%Chx|~_*V{dolkHgFOPjajn^i>FCAY@ z_!{;*0OwL0>NF}A3zs2VM39Hv*Mny+o@l`B_+*JRT^H!%Pe}8d08oR3ErLz z#H`hi$*w1@c~);#QKaRwt3VKtF5!|aPqKnl4(|wAGn~dO&m~^hHP7>hOjIt(@E)E+ zL}a-xW_`snZbZLyD$J);oah{7rC)zA?TIIrI}*1@D)DIN2{>=^nq5|c6p*M}F{C(` zsY4HH$WOM!*+=IldXk7)E}2i1>ua4?jpv+Rok)NX#y5JtB<~ZjcAifZOXi*L@VOE- zrP+S5ui**y+m`gZ+!5p3 zx4BHBXh@tqi|ogBoQ;g=K=U+0238bIq)(qfp$u|TT|DxB(0upb2h5{m^b)dR=T_4Q zUcxJu!KSpn>!^jQ{_^6mVo@zYL+u40gAFYdw_N6%W~xHYDza0PbwgnIZ{sD=5MA#3 zu;IR+5vb@SRjQ7TnFGUKn!U?1#Yo`6>{V#SViDAuR_Lq}JaN&#T=H=*fB*Qp_$u8ssf;tVI^uLH>5`hkz@nx}4%oe@f|-qCizkmG;Bom z#epnh%UZXQ{jlPRfWz80vVq>T!$5x~L79HhtD~ZgR7T(VrVnO};YG;8r5QBArekDq z%98tsJ_m%5?kHB(O>*GS$lu24oX()OVg=P!U=_ABHNqs9ojRpAE;v_pz&DOJ zn-d445FvPc7)coM+cPaJCx5Vtc}Fi0Pej-n@KlKAPj{q%qX-7|`L2rJp8KOLjkBpT zs@1mr)>7Uw%D>BSiZ>17r2B^Hu}a5*whh6w5;95n_8elJBqeoCPt-iR`!CB;$=$J8rOdXdS*H-dQti!a5MAxq 
zLB`;Wp?J!n6Xj|&0Pkv$(T^XhaUR4*0e4rb?a&*6LDX_W{+b(#*EIczu{Zib zJUFaIpaC?EO0=K%bQjDj2L=$elp*j9EY?ai7hzzijhrbOkCRv|{PYNmOk$tgU21m^ z5ywdXHQSj`or$9;>1kcdcL_)Wd0_+4*2_a-ADDvOPE?{kagsyH^cE8vu5Hnge@ z1&JDU;ZnfX6fEeifqOZ=+uO+7NMRo8h7M~MsIe7m8$tLRR;?s;*)lbKQHOH%s=0OS z#{~B1LbLEh^k2efoDR7Q_CQ3p+wr&?4ErhuLf*U%PQZm&BT|}@&no*XaUMnI9MK3m zV>&REO(3OfBZnSzG~4M(J~5n?hkp=5k0BVuA4h8Lqk8shHR_aD>O$Hcql$VTVs#a%l4yKO9)mLnn;oQb!QYWf;qS`Ob zPNco>bhWHFh>LNNeQ2F4w0l_pyy)QHwgYMmd!C+Cg@trX4S!xK?s68|4-?+=j`VFq z2|$olF;D$oYmsWRLn?E}y^HM+HZ^Y}Y>?~9ZmCZIMDUCiY!JqY2Tv1Ia<<}(!%GIt zhI7`AXZ>BJP{CxUZbOzuICCa}^!_#oWOI&}G%zSGlniiC4yl4ku%jA8)RLrCp%?YT zcA9^dV(=I8Ic;8l+6|#$jCCsYr|{I>s;x>dV?snMFo=!h>hmi3ZUL6BehL zQ`~C^IKL)-?ZC#i8r<6Q^W4i zm(aYR@a1_rIdobb#~VbwK;SXPU}nq3X1oKyE%lf9re6(&1L0V5AK76~gaFDzHrFAGX{mq1BiqNZ~Jp>e1+ z%8aF=EgetlIJ~u#8`)9r4`Fs52Qi}Zj-1V~P zpP`10S0!ySL7w{LC6%TNeE{hNY(4{94^c>wk1GayGG%zqM}ut>^1?;`mSn!B7Eno> zokQs^KX?b#Q9FDjCxGZ#ML`y-#^>$E5glhgShE1lzO|u}riOzGuZCc`8(2ljIU3Bb z=zjgJcXjUke^A6Y{$C_QIsUgq=zpp_|D{Cef3E%iivq^^U!`lZu`_c1FXGm)j&2)e_KTAGldEoZU{lHAe_iGXr z&r^;-qD6ZP=li}`zlpvrecs+uslU%tyPCc~?@;)XgUz=(JLl`dO~@f2kk{UY{t!0DVna7S;O*`XY52TGLiIi~< zchRar7?s4H6J=6QO$rwP6qptUuUOmx^>4 z&iT__HoiYQWft;M2KfryIv*Ivgc`u>=wSRc(@Yn?b~~eRpj{1546qzAw4!MQs@VXo zVHYtWqwSx$1g5y#NI3*?$=lB$eHo{h2q^cX{E`3`La`Xtp1p;znqZr-(@$iaYfTb~ zOJ%L-Z@T!oK7jhL4ncjdwg;y6qsm9I$+HbG&exYvchp>f z+ZC9}n6ehPes`FbVh9ys6nuhGy&?fL?A>ts;40 z_VVzD*Kp)2FgKhpvl1(?^-H7{OL!28oJJ0Du@ZV4g#-Nkt35EhLx%@2OqH*%?o(US zebOZwEuWHE^~&QNz1(cgZxHR!YgGBFaPIgyj2Qa!kHP4UyXJh>h#Daz!CTpi9=Jey zqdm}!Akn-PKdQ%$T~&5eoOfcKzjl462=2cndF}Mjty7;>l%jN=sBH5=We#`ma}S^Y z_IaAw=zV8>o6pyqW`gVDY6X60|0&x$A1;p!{imz}ie?B#u6iRlBe#5r_Na< z%75P-I&FBWd_P(EdZgfbV&O>gug`eW9A4K5p|v>RY>>=QuZeyqGDyN4)!7tK@~pgp zE%vH!P8D;vzk1C!$QB(0OM2;P35`CIz?OQmMX+ z9Y4z`vTkpZ=m~R2sm-XvtfJhCCId@{}HTC&l6wE9sI%5)4@ttZ%l3%W7l>H4jIFNa+Z1>e@s=3Gr8 zgq2)zcV^u8vq1XbaV`nqHd~jOd4Zn6ue>_7b>{PDuNR*n-mE3dyv!)z_fsL1GqM(0 z!wH!zqu6jMTv+%WV(;xJ9-NG#)UTY!horR)Ug2eCDc8-Q2$siaFPVWQts9qHRA_pc zWgeiqH%IOzP-Rq7!Tu&f 
zu(p!5yY)BIj7#Us)g-ieCoU5!VjVrp+Z_|-fC%vq6ULdJ}>!zxr#+)2A4l1dgeGnq?ROQK(Kb6&a#TN!g6=r z!0&{!uZdA-wT#;Wzy<^j^yCIs7u>ZIu=Xn26*7kzY_wV)dAeX_v9uZXUEg|?v?8jK zR(oH>`$m?HneiG?18vNU8W*C%bOjd5^2fo6qwTO0A8x{8KnJ+vZIF(Pl{zzm(BO*VGXuj<`{J(DuZFWXBA<4)P&l$>i|5!-YjHBWNRdAu+vp~yCyn6m++r%^uhq3;DncN!#KUM1g z_Hw|MERpbZ-jRePN#>2@0=T?A-5|T|b(L0Y-VCt1{ZJ^(+ZL9Af&{Py?E7REve)ow zh?mzWS~B%#Pfi{&4~la+3Ux#~S;b+W#}IZ6#=>cbu{N&$c8>53WMf$%z+|e^Z@&Mz zfDKii9qqv!H2|^o3Xw9;TS2mkqUqW7*JLIvj{#GJfyY)aH=YtvWI~Xw9@v>*6nI~1 zcBMlfCu5uaY*TOxvZo@{T8)%NDa%jV8T|o@Mp>pIHl-HI6WFkf9uXRkjt0IRYc@;% zsV5jM?1-4C?F0ymSG2H*fO1M{*awa4ZMtdrQQ(kG-sa7z4K~6kv~Jb8VFicn@oEu) z(AFZx6|pMyrhRclomke))G&B!*tK{sqv^z2mv)jBQBtDfCd$)jo4q{9lOVAzk`9S@s6+mdIs}T%p+Ymn6@Wc2$@`@xX?8KAnOa{p!#zcWsig))g9s)5W*!jCio&G+UWd&=4C$8|@Up2F-yl&AA zyH~SrDPtfJhM^xkt-8HfBlDS~3*%XGktO?3A!3tvO>}}e8rn|U9|F?{mSrNn3b(k& z?J}?wr5~z&6vEqD4n1$Ojdsm0`OzA;*FsI?z;8-T!5>-(IanX;u{Y;*Qx!b_TP*&f zn6om#p{YDM>@WtjB5I{QRUB#{vH&YCMkDK}up^LJtYp&dL#=nNfU%z`Nj-pkCymy6 zRmZ%Mhcu>^RDobXA&`+Y=5i2Sn5J*fRywLv4|#SFBU6`;ko9=@d_o6KeFzwfhgMZl z)>I4*tr^4*pSa4p7Nyx_8W5ip(@1ylo+L4qERNM*^hUVRitvtvbcp8ZoI^_Mt7z_O z6Z#|*t4&S35B+r@<$6q59e?hu5i@t@o);2=lm`i3k&reaFTM>AUR_+}QWY29N2o;8 zWC?(q_yCx=@n`VB{WMi=1U)WQu~I%XY?=o=D(|)EXOG!1=ZWjKoGQBYy-`Ivco+&9 z94?heK$b%REKsLQegRY43M#-0`=A_`>_Lv->w(EliaHm>=Vj1Q(8xBo?_vz7+94nh z$hMg|53530S6m~|WK{s-q%kS>oKOI$DU+tTTiS7A*^~q$`bXWRgfc$^;%h+*-tY(A z!D8Vos(8|`et;z^osa!r!%@-!vxK{vH<*LkXr-%WE=sk(I}fZm*^RQ{9CEoy;fo(- z=Hbe&1H;Y_N`Lihms2Lj>>7a{Trd7T zgYYObOPo)G@VvBFGV3P$!#f`n^SJHc-M+nn@T}$b`g&3|VT8tH^UGbx)cYXQ8NNnE zGrdeFHQUEqXgo}-s~SP}l*n;_g98g_R$eP8?&fi<5sojir2Bra_nta$7W$~e1nM~U zG|*z2%$g;r?V+hkD0I7$Q`De~!ta7XP8CJkn;{z9>e$6S)9&qMjB;rEmQ`NuasP^m z*itbWXBC-?ma5v!M-!juUnnr^i(yfUG}B?@ED}xVucB>`c?q)WysNGjOTzz$N4EWy zE$naw3OCN7RQL-xtFrjbdw|nZ)yBY1gc9^rej<9q8$NQwp-bpd#p|WU?B&S|gQc&t zYO0niZuLQ2WIz(;q6F+yh@2A+gHa6Tgm3P__clZ9`GMDS>BCSesdhJU_#dUQfyuK; zM7r~0s`~VOSb>ndkljC&<*Dw96%8_x?jBp{;7?8r7@JG;W%k>X+4P5^r%i+GCzR;C 
z&lxW1f44?r5JCcO{X?CgNMNksR4-x!TiBdX$U*A^VLMk@g-?=!WzoZh){>UPxPB0d zGZMmdxd6N}e)*P1#hbp^G{=_LDcz^P6#+>7^IPe=oXtnsZv#(HcnO3{nTDjN+y~M$>k%ryVX(B70yYB1QPuRnmD|`F;vtH4inv@t3WTwFmY_B~w{wR9u zE!K=qgbYi_D-$F~vC7^bZP%|#VQVIEh^0zf4Hc5W1=j?SPCOCJe&0=?gYYS3y+a_5 zD_LI`neu9K?``JoNy3((Llpo>VKv6&MIHNijtdt;hXWT~!J`o$L;}lE-7!Q95dKwQ ztphCv^Nyq%$*SW0JL3>o^Z8@iWIZI)(O_?29eUg|w-nAn=P0fGwG6bQo)=cq!nTeM zzM{N=^FC5I>}!R%nJZ{ zv&M6IuB_lYc)Vhar}bcvmHf?>+aeU-{hxso^_5GeKv7ex%(bvwda5=$F1>&`B4XO6 z=uk#`9*4cS`SP2>D-z6&5C-y`sUGnQaI+ZrEaSX9$m>(u&UIvdjZ=!*oow0D!B-Sb zD6_TPtJj!$=HYGla~&q=zn{!nKRX8Q+F^Xj_X(%X6az)Z_4W-&@JC!e4AypF8b0kf zLM3zotSo?s$KFumTJ$rjx5a`H{yNsUY9m)*wHBTIXd4%%7%?l0GiQS$y&5ZOVHfSy z$&G*vQ&IMygoIp<5A{Q*>;L+=N9K!33eYz#u%TYFFVWYl3YTV4l}@e#N68q`Ud;nF z>dZR?)T304#2|2Xx@ToV;3@ba&ODr*tP3*qf%r|%L^NZ=99PLbBm&dxY^Nhw9qcgk z775$K!e`K(lfBAPV7XAp0W8;_y3{2)8CTLo^^wL+(s?P`Wgkzn`H%v7?T#DMtggs}5*6avE@R1aftt@b2D~(`Qf|-J zxjOp#pror@VB(k6JKCLv?tbKmP2q5af_{jBaje{ob59^lFiciB2uAo2XPsg~`a=wd zgn>%wBWTEkNP(OzVvt{7C{_)H5s>*##d#B_SZB z>Imqx#shb?w25kO%daa)Qrg%EhQB8&G{9#H4#9~GpR8}U!^I8moEQ$ zlVN3+w4Ih`lNe*~Vq|T_eV1rNL0<>w9yh+$=&6jk01?CcXOfhi>?I01BqyXvksKEs z&yap#ZWbd2o_f`3WsSTsqz+TltvQd#LMZt1etpl%TsueGP_MG#pH9HszfosR<8XhS zb|DHY(q|c^2Z&8}*JKMy2`MHXH6oLB?rN2FJ zew9Y?Gkk#2H!FpJaEZzKyuM5KrS>1Di8 zj*GOot`qWNNinV;byb!~o>_V8`>DACr|NXJn_>v9we`2eB*`{Mi7{NuD-0J&SEXGvj%)zL})6SBNwN1I4T9E#I>vIz^gfe2gL=3hkl%vXrVzMTr zq|1*!#=nuzP1bA!_Nc6P19Nrw0Td26^^>~$;RYp@eGunSE7lClB(=8pgW_ePLaxyI z$RjLe=E6E*RU*iKb-HrJi`nU6fjxK^V>K&Rq*1;74uPh=fwZF0LRa@=?DbpuEoy8m ze_K3lyqwFcU;SZA-$dvKu&xj}<~=STp#Pj1+`_gB1cOZ$W{pQnHGjOhTnjkKd%*Yh zC*Tzhu9e5cTp=~*@XyiPG1?#mAr`2e$BTec z29-tcG1TAetZcR@bZ)#v1#11&z!?s#pX4~S@j*o69=}{trsBNAW8|_lI}O+>JQVU? z-4~f+E`mN$LHc{(JJdtV-`Iuvs{l#f=U`Zr zJ8TQ_yNql!=c#0FeFynh^<$4QN`e)kAtA>u1`oJuGi$7WFwjvhmR}iXk+=4m^sYL! 
zbf^;-o#}EsLR$7(Kk;$%j&3nK75V#2#@L@yc1gsmhdi|Sv>aef+4GWPpnjQa8hueN zcvCn9Ik(iG9_KKtRM_@rV38f|8PQP>wZSgsF}Esq2)ALzN3cBJRUBa0geN{uVwlyI z%c4?yaTlIYM_%m5svE*7lHd4s1!{VTcDz=oI(uc6w-U_}k#{FTW_Hh4Aa=_P#Cs2< zK_&uAJR>!&pQLFWE318v$Q1vua@nJ9RltFaJ?w);pk+01Z)>s!E}PYsddBn2CpU|7e| zGuXQ`m?YJ>w*X&NX{e7jypoZ0npkq|gD5(Tlpdw13p9+RN_N=S@J>>zJ#^efzH+2r ziUfHUw@4obgyKxFqzJa>A;)O9YnS$wBt_F`i~cmTwnshEhy_fB$tK0p%}70v#mw%_ zO5E0Y9bUxh3K*_dNeh-E{dFHIX$f@W40Rj_Cj+t%$`i5g2h**amh&LQxQ;(rQpP^J zY`bVvi^#(*wW!{N0}+&aAmA2P$I2@00At|dtIrNdhty>|1hlS`JuP$%u(V3yyx@HuD>{I z0;@OnEdrE#^9@p`^JSY_e`((Vy;+CMV(4ZI5-<_qD!Zkxdr37J+v+iON%wK_ka~-V zjc4;s0?lC>Vq}fXO$KInQA@K88-)nJO9z7beD}d1P}S)=_7F}~-a*9`2A_Sufplu( zhc7TPFCe^H+LCHAX;8j{^d%T0E{SGJ$XLB&+UxUJ(U)hrL!#iJE#d!ZY4jNnKnvXA z<%)O#Wd)uD>Tk32JVJLMJ?p@9Y)WksUDpCy0VnOA<*9I(iizCC| zcRmNOSn~zJKpY~HzH(lA%p0MGGSI>^UiU11(!u*YJM_z-g;_lCe=%oyUuS!B*!~i$ z2sx$#Ps_RM)9dW3*YX^Iz?8M#v`=j$zy=$`0J?T~QVfrZ?7@XA#S~;%etUYDwVRze zf;ikjd#5k(eh#&Pxj^(s6E# zNn6GK;pyZePXy`wKt-SJr%OL|#z}T7hVPf#l;mWiFGw@6`*6`&MfT$j$h|}EgX>5E z5iYnx4yjX^C?L~2nnL89DUo|GfJ@=)S76F@-Zdh^QDFQD4^Wu08ql2ngf4w%cOBe? 
z6-v<)86LXxb0(FT(bU@AKCWJNZwH?1`*tAL2g{PX~sLZufV%96bFto^{?;NNz3o& zSS43iv3EI#+x~l3xIzW@{rtI+Woyl?6Nz$ly{29T#UK|@VvV4!I^c>yF~BO5)PL;z z0$&S@=KLRQyr1&6{}C+zF9zE=|C8?iA2|5`&YAyDKkL6_;veM_w<@t}w=)0#*Ip8Z4&4YV&c_@z&e^uIcD(O-n6UhpSNiOe=7A^VHe?RtKvo z&-{B?`5vpXskyROXq{298cpF1QxtgA!sVx%_g(%88(|OUz%3=Ohxg07?Qws@$B&7} z9TxEKtkJCQeLouftZ(IM)Y@*#WtoYZ?rReQTL7`m(ADzXM<6XQAA; z4mCP7!li;R$bkLRgXbLBoHYOCygEZ)GDiRR{lW1aV|7Q=W#p0foFBw~n`g;-F_Gi& zR2=swhu%i>(}RaQRhT1orGX~YDV=4hS`KZ~G4D+cS{O9ro<%HnCpAgRf%#J5I`8d9 zyJatXyrS!C-<`-!W9>57({xSa>>vxTr?JBgmKAC#0)L9weOF?Z~{~hiuk=SD)p#P5JPqZsh0&G^G`1{gRv7qUKV z3taHj?Rw~+!ZAXGT;MW9rZW%1rt?fWbF)O(1Wk7}qKG1dVJBh<-UcJA}??JoqUu!oAp1S9}AL-plJ~(n$i`&})TE>Rm29dFuJ9m94dPpRO0voUG zzGBkPYGGyY-maFe{0r^i`7YNNK8p2OUH9~HZjySd(#|A%(gR3mBo_gFl&Rc^_V};D zN-BS%9@nNB@4}U6)zp^dv9wA|^0xTByB+85i`h@J!l9UQ+(&kau4Xnjez4vaQv8x(Zf=yN-JLk9_ZJ`N^-_iXb2 z4W$*yD~Ej;I5e4{A%&u>4H$54Lrvq$BdFo)q%-5<0d6MnKqWbh3-Eb7t@*w+0R2a@ z0FX5y{4$4S;63tBPQ+6;TRMhFqnl#ISxvNy)c=UaM3({BWJcm}z09LiaoB0RwSyAo zHkOmRzy;QD^GZ{3#FdcUE{2aq^KK2o>6Ey++h>XMX*;cn7Fq1gKd^X&{3Zcd3WQ)F zyN_v&d)xSv<8^zsaZepwHbtQf9S77MhiH$@5-G|V6WgOwB6H7@tBcQLBb-mO`Q&3- z1Aw!cOY@|Bio;Lg!nyHaNvv0nx2v)#ltq;VPU7qw-;LXl(2=)md;T`Gma0>Yqoj9o zJCTa4c^{bZg&!X$#90Y?b<;%HRkk!Tr5l6Zhr8D^qXF1)suawvI|An3fo8}`^sNB` zFoAb4$EtsKOIB;K5QBrbTt~s|GRSQA%qC#=~ z17`u|I*Y;h0f7)QvFr8OIttM9gz(I+Drr^qvDwX^1+h2Yrd-pq2Ero7INZ{ME%-Gr z3f?9~d9Z*HmqcFY+Ts>i$RsxSjDUy~YDt|gpduK--KL7&_f%%;X11l52Mk$=7>E~x z$(J|B=5yEY9$`g)J!_`Np*F6ziPougeQFw+M=Gl;8}<6!1Ewq0L@ul)(iE}HoEnYB zn4BXu!;Y657Vn&0O}Q!ImY7UH*BoV^pvz0F+MsWB>+Hhv8l2X$cApo4S~-Zk;mVND zPO7@_7F{;kGsrqnyOvl>jkwFBgaY`hQ9!90?0-jyS>alWdV_kPkRlA4dh6*QhZlt+ zS@M?!Gcy=yz70iP>?2Hj7OhJc;+#*3Ig zH)4@A324S!1@A(ecR<9$-tTto3N!ZhUxcR>2=O;TMDZaSPA;XVa!hQH%8&ks*$0v= zz7JOdo-Sr51*ICOamsiuC0M7zC_$;K*G!`u8l$Aam{``DQ8&VAAi~IsHTC(dvYFXf zxN|#<>FnRpJQ{EivVQ>V=wb;Hs;{KspmIx5XrC7(zl_?YIRhCATa5YlC_Pt-#E?7G8o>m-=}-|BvUpk z0O5rgFa8%p$qT`;8M5FcKInyb9704vNWM&DaT@lvW|NhW2-!7(Cr42qhm%E1EX|_j 
za0*k+Z*07){BIyy0ZOztLOd!^He|m23SU)T96l!CX7C_3pOlMIp={^%uLC zgvEFrL{zkWCl-$>sZvqB--c`?H@ozlH7DQi;I z(E?n`8c7>0g=N~!lx!DN zAtj%TgUP0s>{GzjP?yuQFYS3HB<^YbA<;$)=sD8;0`0>SOFOo}b9pW*cRcs4FUAMw zRuW~#wwDwJ3xe*$pMt>%Zd2w_i{_%tUJdoQ;)FL()StIY`f(KVp?@Yqu@SdPR^A|H zNAHU*1b10n#Bb%B+}&o6)hrW+p>gi7eVOv=p69KR-*zFkHr%UDvEX$2?yJ-s+Xcv* zGLl=N&{OZfT7X#}7%fM-T{(8Q zOK^pw*Kp^}C@U7}8>bPFn?Ai?-W_=}gt3yw6W`HzY{fGdj0;~JC-D=od8G;W!iT?54}PjL{#8yfzjsNIeVq?)^zMveI&u z?fuEf>&58C6u?{~oXSwGW8)X@8*2}MiXTXTiU)~G%!?|v zx{DRsTn@~br;R#IH0G>K6&deh-_NcZ+)6h43$Vqpvi0NQ{7A_$Qu7?o_&S(o)$BZ41}QHZ+)Z|$ss}4cf-28D=BsPyxIaI09#cIto+mem-V%#OSp0C@T!l zUaLVKYwh`tNrr=@Xf|$OhazsC_yf}Wco4#w$wk3HVk!1t6Y3tskXDcL>aLR$`J`#a zK=5UO1iT9 zL0?>78Grc3UhNkP7yq8fgr&MO?^r6~9ZR>ch87eK5_TrA zxeYYBJ!=C|!gC(pOR6VHquAz7($+{e%5(W9I4Ot|F-2x@C~e{4YwfXgY8l(+MT5vPG`FQu+r?AyTm7~4=u}`8D*`JfWp?FTFgX#_T{w1OiaYfuGE|BR zRMuC3Y_}r@pTwVOVvlT0J$@?|ELW1_uo2FALw^OtJr#4)cGf+-Mb!i?_WE>V!+gHO zVhHQo8s`+eNhu1v?}fQ_lc*>$&WIQs1&L3RkWxhrK}QS;?})pF`Pq`+#MRe|(07Pj znopJTuA2A0<}6*?HWLt77cy{*z8rQJtq4Y^QI8^0`D8re*H+B_d*iSMv^EFHycZ2$ z60Il1xr3)Ign$f}25&P{z$WB1adDb3RpAy|EfYH83!b$Bg3>MXU%Npta;VYL4kJp%+6k9a38o4)Tn^BqTL~(=aWAuO3!rxvfJkgTI2<6=PklJw@`?*|v zz|B}V{5wsUo~9atu6%4{;%x?E>^j;*i$0$1>a%pPT9*uF=jPjnSZekC@TjkW{v)L@ zc(9%3YI__Fb#>!&7z%py`bI1vWttU{Il5zXjkdSmSvub$-707F*uOwKIlzKxiZX|^ z17%PiRHBT%j|g@vjvPGIK0aWcVsF83>0)LL%S+T+G$CtjFk?_521MK!h7yh&RaX-i zaNJ&v6v7boByBA0fAnZji`l(0!u+u4C)8MYWq1lE_*pW@E%9-LN0be}ygq$h#~3-3 zF&V~;%dm>O&GA&nG&^-NnpYTryPS$MTp&6RelT7Os(;9mGAzBEVRt)++C@vth`j9l zm1Y2OfIeH>f&V@{-9C&;*u;)hTo*k-#(p$#if9&vH)u%!lG@E}KrFl+r>u&c*>-=j z024!|s(1~Wey_X4$jtQ;oNUp?)_6>>N}2mNgXKm0Qp(F8f}0??4Lnb)KF8hzAfi@9 z;y0^T58w9@!TLbnDJ>KWOyYER6y3>8CPB`Q?yu*t<#cTjllW)`y%4$>vY2)sB*cs5 z_hpx9RqJ;q^~mg@7HDw`!hO$`j#E|jJQ-$2d!OY|vQv1TpHq0wKmkP5bfCndfU=w| zd#lmg=2w&{H7SF97rTbN)~zffgWf) zobe07*38~g@oa+IY>Gk<{~yF}f_1|&I)_c*+Lxg1ZYTB!G zy@9im?U%c%?lQ){b#|1N7sAp^;7(aUNtaDTK-{zw%=|=x+U8t!fmFC8v_;bn`t4uG zqJFkC5>c?ug6tphRa9=}+Tn 
zi{HtfPeCH`CfLgm?Dmz95$Nzl)@*y&TpJ^1h5~3G8@-413L?maY#U!>N0d%#7YMKA zSQ-Ye3Ak1v81YcFXx10J16L_4a_Nr(I?FjgbpO-PC8xN-&#768|-6la=AW^;!N8Y4gA7fBzL}^S`bA?@HnSH<{J{tF-x31NvW-Hkp1f9se_8 zqgvZKaccDX$r5vw@(g+t$LDz!pZ7^>2New!oy6Uq>5GkW zh+aU&1da~){5vI=aLqm55%_!Tww!pBWte3azf4c#-F`K@+BF90AO(Sdhu6cuv%lZN z-6Ut@DL-^-9_{1*sLYh3{AhAu>J3#0X{nLg&K!YBc<22Ua9Oc9Au*nwkBeQ5F;-4@ z#HB+WS{KCK9h^06sRReRB@kK~hZv+I7@(?;`bTk~E@;EnX3Z|pdP3EZ!zOX1uGJ~h zFI7n!va(s5y>6P*N2a#@DxG;d+eWsM7%}=|*$?Tf)=}k)e@jvh}7* zik+cZiF3+Ad+yi9rpTX$$bRp)@b~ZweUfx%?;B@A1rFvW6CGC6nKw=t$bi;fW6KW( zQpkJCP+3To=<@8=Y)6%He4CC1nGQ(wpdEKyv6v&J(*G1UDGHzW>u+ORsaLPx8Y`uD z((~7MpV}Su$`kM3ZE7)&;>Cu|;eg*mK)9yC=lC}LG~fya)i0F1uljZ+ zJFy)hQM`YD;2qs{PiU!}Zp)v3zl!;!esf3n>8P+-?@%ehTR+j;>Vu91t-jVCu9l2m zxOIBII({7*>d&fz?m(~wetYxChdr>BZ9<_mIYcN=Ayp;Zcdztymi`5)U-e%z7s5pu zd_-m(O=lluPTqny*;Y-S5t;U)KoMyT!|v`5t-$ZL&uzGQq$i3H&L@rBxY%$Kkg~il zi=(AGRv`Kh%tmn(Q>>=GlMHz>V%2`Xg^)g>hez6{ntqFJ_~Tsi;9TrD9JGa8d?O=r zXA~xu>*yZSo%pSfmJe?9KI*!76=N8O%%8u^@G__uJ^>u3_eX*?^e@x-gmkaJwj>?ecHBZo2=gAsoJ>-Qdwt=&L`rx{UuU+qy$CSz zYCUUnyk2Gta*~)jF3C4J_1JgusE%?jbnmhO)Q%Pf9mL!@=4wf8-0)q;94gP^VODCl zT3x5t8G2Gw7ZhEQTXEeaHcwt?A6&M_GuaAzQA@=%+sSO5QZ4334ZEeER*EYcjY~Q* zH@+bnh9ss%0U9x5*|sT27%P}0=HEI15j9^qpP^@FoCFhPD<8oyl!Sdh?&?MNEV zN6kX7N;X@YTO?PY-1+tk=0++d5z)JFaYn7lcU(>AT6U^aq7w55wLmG~0}^4G2yGSq ze5F`X^z8q-#|=hY{=cYuryxuK=4ocaKhw$* zqE|nmCl%I!2LfNnR&${BK*t5p-$`5Q<7l*(Ss*xvO=o3)s#0-y$ z9$l1lQb6g;(TAXj4@Md9PH6Zd!-juLwzz?$TK*7N!bzGFhCOHPO3_H~U*c=Q`g zH7csD3|W&h_s;EkOPU%&Ge80>(}uhNjXOo~ZSz(N{v^%&?B94kX}vTFh>B(JWvp<2 z?H$ZuaFupfQp#lwn%{7em)u)F5U=7z_D!G8S_nVbL4ryNW&NQ zD<_b9no<4t8beBn`tI-ZB&R0x=7Yd`pEbrw((_s8hn63uRTdKSY(yZi&QdEoQ?gl4 zk}j)aO}tCOVKdF7s6!eVdzg(hh32mGk7#WOQodD$Anx1=MMGwER-fI7RkR*~W9>c~ z=svwLSB>S!L?aSsc*a*smbH-tBS3$?rrjRMSrH2aMI@4xCAu4UgXdvOG+)FRf&J4{pQ2AK-eI;OFRWdJy z6MKi6OFeGX#K@n&Sv<5HD{94HgNfr33Fkkm6$FjIcg4Ir_vX_#x34#>aad>Kp&S)X zyfN!M0)>&ldF+igu4l0Q?iFX|{5Z-Yc^X?M1^6pP@fTPCiOnTa4T@E5BOew>z4{{< zs`|c(MLiHhn#cvo<(ZRV&%lC{(NvI$Rh@#>*JXt2>fVvAG`EUVYY2O00xDPmktH<8 
zETi&9OcyWa?dCV(G2aPDgZQM{jV%6LHB(xC-3E6V{B4iM%0K!IEjmPKmJnJ{b!_FA zY9n6TL4|(!`VmG{3lmf$C5Ga-IjPQK0 z1;grYP-QT32ay)pNc*+54)x~j3MLBX_j|^21nytySFm zAke{edB~wiyrh-mM5S10N~TxO}2=&xqK5$&gv-(b{)$_vWf6eGHq7D}8*C zkPB}sZ0#@N|kr_j-5mf#05jl#EV*1n4uXmy2TJq z&AC}%mt@IrHSzYOA+p~dMhXs-p|V60^$+ksHd1I!#&fxZ#U&k_m1LrrfE@&1Tw9sf z!rD^Ez@nW2;7_u!emT#cQx6F-!Cp`jatunyNg4)IXqn>84N6inO$T;0oO9uE0-bIZ z=uSJqrhI_jj#u56bjUxm96>A>hsmh( z7-)@psd;${=lgBTPvfqygY|Sg9J!IJ!Ti2^xNdW*ZE}4|nrNJs0;g-f>LmCc8U=X} z+Pj9eX4Qm&YV6Cg4%jp#{3sfGCAg7XNE-CRmFrH@x?-@57)!g=BEzZT?!PO9RIxB` z9Ag@Jgod|ONv-(0W#&40h!(zBS#Wtn2odijJ5=W>NG=4=@B;B9^dQZ1{wckPr==cA ze!`UxzPKJpTo#x4RX1-hG>?^3Q;QC1r1qwgZWc&TI(|*u9y^4ld_6-HzFz;KjGnUY z^4W+#qNrr*_&GITe0jPycTH&w+wWc8p?>%MrUP%k8OI44*3-%L$LgnA^PW}nEH1nAzlYP6z`Bp_cd zF}n79SUj9VNQZ>$5QplfX*tuq9Jbiuy-KVnTCzPy36!(Y(JL?YFyU+$1GN=4S*T)j zO8W;vNZDMbqZI8WqD>>S-3IOw$no)CdUjE9l?xU)s;hOvn9AqYNSP@+VB!uQdM1$s z>m|f#1N=a0o1@)D^XMR}thH=_W$d>=bV@(`+_=t=E5_vuF%WXv^(;hKqZTF=2+3xm zKDKlYlqdDOZGtGetr#A;`|Q)+#>2lq{aEFgI!U8e2kXr}dPhj3iGX56UVGhpSp>tT z(j3ckR_&K^pQCHEh$Fp5XER<}1P6*6BXX6UM0r?Xa{}BHy_<8~Nj2g; z5N>D)`m`$s&hFg)1kGENJPCiV$70e>>v9n5DlAo(Wlg;fEBKt~dXnXPyvNM)x=EwO zVO4l)y_CbxG4@9j%LcPcZYMxT`ut78l(4=K&PO6mo+iPX;3UT-NAF2+BUwbnzyIC1 z_(V9P2%dXEyqskA`J1fon6@NsgFs(v!xMujN+uciUg06Qs~mp;+`iC*XxT8wq=x;p z)pD{^c@;5m4Lkx@@Y*xoQ5ol+v?NoWQy{zy%1Y*(7EUKW|G8d6UqM^FRYyTS)=@+NA4C9FxQ?@VYu=cNM%MvwAz*hrVixHsArV(Q*7#&oeM6eWvr$nq7dTx3jnL83G4S+XY|c zJZkv)B%FLfO*K~F&4^0LFvQhAyNp2Im=1Ec2-jmR?3=}s%_lIl5}g_-835G?tUr}z9q840DCx6Z_DliV7id>wz*Z!G#6*-~+M zA3}GDH?=*&)-Cr3K1;6b<+VBxzO_r)o$gp<@cwk^Yhv^J-Mv0dk$c4W)X)@xn{e@j z>$Z778P?T*!;DhLF(PAMDBu~8%x!82Ihbrc&w;nw>Ut-zLTh3*QD8{iRmrTho;{+P zi)661fXk;{VGh*o>hy$o$)nCm;)noW`V~^AWFrkDc)px5DN%IkM~5Zib2puD~u^B|TQT1Tcnvwh5EI(bmE zWsDL-H-&nnK{X%az!E-PJZ;~3{r@t~$(<)EoaCT9@h zQ8Aq&g7eH>zB>l?F*`!dP)c5!Y3>L+MIXK_H2Eit%ICKz?8b|O%*xRCJ_{BZp#>$@ zL@Tzq>a++#Zf`646kT=u@Y4smYjYjB;h9<}w$LJgEMt&S!rE5AijB^t50<|yR{_Zo zkqZC=yUbzo#N==QHpb6r<|QHN01l-HtFDx2ky+TLU@>=>8-L5vp8rNAZb{)N&}7U? 
z0kDG0QX$cGEJMVz!eN|tXDaSaNUei>tVrPn!@CO@EZl6}hux9*w4`5)m3aoVlK#@{ zg;qS9UX+2&A(vp|(Ke>6Ag;Q_8QjOC#dP#@gXT*EeBI*EwG;y>i`Dd%&8U|eT1syG z8V0`U$b3(Jn5-~dZE1j2K^mp$6wjpTnP)VT;B&=soAt1WK9pkdv~5hg4gVf|!!_Qk z7=Y=gk;h(mzxKB_wXFMZ;1J_Kf=T}!*8Gcbi18ml=`RZUU%ofie-e~`2@d^p?Z5B$ z{~8Xl6RVLI2ST_%TY%_3IxvXnm!Y z7t8fxX4u+zk|PiVxJ8w&{|Hzvpirn1qL1>2xeWhLt60s>Sz?qqa+*%s~3 zFaO-1UpM?;!pAq?m6CsM{HFA`Pjay%^egektZcHoFSah9 z+kE`JtDIB!zEk}3(nnN#fpfb*1JL6=?heGeJ0s}m>X=?Ox9%rz6Vuai9-hzNseTCi zzIgmStvTgQo32z#Itk61e0=_{&l0JvJ@-1j-*Wd{(pcG7S6=fhv!;K?5D6cb)f3XI z|0(!_jC6!`)TUNQPZ#6c_VPCM7yRpVgE_l9ov^9*b~K0NYE12M<9|`-92FLRg$&J8 zlRL4&FgeXGT{Pap6m&8drkBwCdr_t~x3WUnD>P?Q$ZkHh5f9C=tSy20dvj$8%6@$D34jo%V>0oTy+xaYRa;%z3} zw!CAh>QNZj2WA)YlfAt#l>l`r2AP$6hcTj2RoQz3F3bVd+}f7Nw4QgpIWoc#9X-MK zwf;Ta5}!C--0O`jfl!TLBV)476*l}L82 zGuqZ5XPz{Eh$iuKf(jB6tmFLbl8*`Py1m%RxGqoE)XDr{#%|p?yZ1NApUd0Gl^)}M z({`~-2d+f$f3TpjI3TSV&obYJ0dv+MC{x>*C)J?7;r1-&aD<+n~tMjJ4dpO4V*6*87{fE9SME~%E=Q;iRJT++Vw9DJl`j*$d z72r@Q`>4(e20iLB3D6jT?3Fh;>({QLRWGCXeY3R9Gl?AKp(iZXsjTQB=9X=F)upwT zS<$)f&55Xvyt>fg1;57xptcaRg|a_p3Ti*#XR4eFvUhx%VrgCV_09oR z$WY*-na&IFx)QyM3HV`b?9_xYF}?u4Zufo z_CuJYiOG_DV&s%4g%_Al(~KfxkIELip_u#?AE>*%S%y)|R2D7G$9+49;`9OY*~u8d z|NI+F#B(NGSG>Gp8g;2>XuqS+obbdBC7mGzx@zIDIwg$=r$`m# z7l;5yef>BgWCoyVHQ&`g+2R;4(roQPL4LH07JtEENOmuOkCPu%huo;sJ_~)5b?8CWZK6f_p&8Q zYBK{2ra0y6a|G&0VxbK`Ep$@o-^5%cl!-BU$}c_>%{JGAlE&O=G(VOF*|@9%um!lC zeAKT`(M!K@BQ0;O3EBYrYJp^d4S-dF)?+c6l$HPf$oC03Qd4XL>f&Sq8Gdqs0X#DP z(ay9?(lS7pgzu3Z6cS1`)}+4EzSnqHYP~_sJrz4a9Giuni>dY#P`6Coe!;9K_VjfI z^U9>v4l^tVGu4Pq@`wKGO9_+~)OC_h$X*7oJFZR<5A7ba&|gh}#w3)a*nW%XI6MhU zTJ)PHDt<`;wiqRe6%i`=-lXsA@*@a_ri+GU9i zNF=gE)O#mTy}d8gJmm~obxkTH7AO*Xlood(U(2}>$8T*WB}eC>?iFgI>i%jtUHD%U|U+E4U#JR4P|UGpAu3Gj54Y zSP{%C9;jrb&=OGP+S<9BvKYd-MT&6N(s()`0Cq-fj6vWuia_Z~{+VVzcK<>Wl0xcN z4_;;OKP!I=$5J7+p6$Yp1YIqVp6V7eNex6=h0` z4ONg~dlL?EMdD?J@i?3Y5EvCr3{J~TAAJdLgAr#Fw?!P^wHO_g@D~fQt4=LZXr##z zOiEOL=aUl({;oE&^4nMm;g%!@$Os!ICXMK`G*H6FU8G8IqPS`ADq_BdoEL-iK4Div z@sHw1%mVo0&fNmEn5PX};?x5Bwho 
zC;f91!q$o1#9D!{Hr&YRTHD(em<~Mq5URrSecp7W2ylRbuWm+Ux)!4==Ws((69qx* zRIt+0lGkjYTVinz3gcSycAg9oz%eeKhI)XUh`?7uTAxViKEr#2tWM!Ej1x%F`DwcB ze8`>Nl7!40=4mT%DMp$z>LvyV4!HPs_sBKa&Kw{k7BijG`Iea6PD0seqgjSHZr|lM z?Xu(mY{{trnGD{EaMK{N5oy<bXfD_Leqif7fJ!*)$TN&zu_enK+)4;Xbbavd>3_d0{W5ie-{>#;KYAG&1eD%Sl}% zPlEUjD!q4bAC!Lo?%I%L_&FMAqmhv6%?#6Hcc(T^bsu0e9lQ-WN}iLTD8(|+H?lF< z=rrPcm_sh;GuuE0AeG__V4iWwA=a23T&bY~0v&hi%2= zUhc?@v{hApq2xXDUxpO9J=jto7z2%#VPg~gsi zW}iaw=JmwLjcVlTWW_b+=sUi|rCi%ab^V!%`oaLXWv_W39|v==Hgg| z29cAKH(Za~`OtQJyqnc}G*`1aDL^FzDizOR9>HLw{D|XGIY33EjPcT3zo;RXD@Q zum=&+v3-oIX+giN;{gjK31FdogjxX8wVB!m$+URdyC4QJv1&@n3kHDIXtE(5Ko)P zCdnI5?9B8~%psiEY1E*aRyp&Ugb>~e7Z=>dVi~aK%CUVLI*k8V<_1dJISs-0}Z_pZqWz6*tAFrn*O?7z0?R0^yMqd4IaR42zA0BVATika+P%g9+4M#@=! zAnj&R5{i-%xEmPUA}JN=5?>v2gV6xltbEnqeZnjrr9>1YNBPR*dSJ%!r)P(q$Vp++ z8pxZBsWdYEH^rj*o2Q<@qWp_ie8qzQNMgI2tNhcnYJjp_U!(W^hU=ZW{dmF(4H!>s z8WA=O)JFzwuhA~$bPEH>=g}nu?lj|{E(klus;c4uP z(=2iCIKL;#F&lVq&pDi@+m8_$CmP<*?9}_edFetTIm%5c!Sn(%fhM3=G>dwPpYZY_ zgC_3CEAzwJI2At;BT1_ifs;Ls-hX?dVW&In>463|Hi8~HoLBe|9<~i%L}$VGRRXr2 zPDY^pgEMR1e3TC^SozkL-D;3$`rfdwatt2Mz+M@0g3!L|>Q*wPaGK-@7DE0P^ zpVB)AlxelEM%L<%tpR7>VqLgMGeCs!jx-~PU(eJw&A%co;uHIGpGvIQBad8y&ZO(prKQ7yxthzWv(?_Q_3d?=B&I6#p_ zKy*{&4~>*9xM_XxI!>AD-hZ`c@v;bsMs*H*efYl$X#XM~c#d5Uk}|D?)1GFE^?=a# zQsz0f`At~d1fSsc4H?_+QI6cqTycN1@g6?*vYG}%xRlpqqR=zi2V@$bBfJ3((@=4g z4S(pu+i+ADFkSZp9y3~H_}>AN|2X&duL6>P#9IDmK=N;Xn*T%N&Hrw=VP*V}k(mFl z0SOBMBh$ZSll}!H{|8(G^`CJG(|>&6{~Io0V`uuW8J=57IP6Zob#>)wt3!CPrDagA zdu-xFYmb{L<**yX@*yKn&^=INVMh@yy%RrY$pCUdssirn=oJnW!;~&XNRc9Xa7gLj z+HbyZZTAQ8eXGae`csqNFBjlGD!4Kilh*}x=R+ow@O>$Dd6ToM!+D)pV?*m~rfY2@ zOZ3Nop&I4I{aM-lm{VUD?TujBw*P4O+}mwe-{F$%{q65ohq|7$4lXjmem%wWfhf;%&9l;7@cu+ z?8kUtpdWorKZRo+V(!{o1-0AKKer1X+8^M&Lw`Sb-rjen%1gcOHW1v6U|+W%zU{Pf zc*p~Nh|fj`DE6=dc;6+Q>2uEHn z!a7}6)AnE(ddr|28#!bdSg|{KDU7uF_JJqhU89VsR4$yb35<1ZE|K|kX&vt>)LQQK 
z6D9wx1&4KL>rU?_U9?bgtXJ!NvDZFI+#aC6Q-aMxjfnA)u`N#pHy?r!41njACw#8}|P8KO;?Ti9$Min&3!WYjR%&64lZz?PrrNXBZJkTz?#6a3=P&2?qxH)q7(2!p8>5XDfI%|J2z*f0-1_)NZb= z`j*Je#tu!xLxL_{+$zC!**HiFGpA%RnhalZCk80x;7{@ zU)ihF@zhWE-ANf*PWgFAzwh|GVF7|)DY%#_u!C3D|5S3T4{UupzW>v{9Y+y<-ukM4 zEWgpOSFPp&X+!(%ewQy+oSsjII4XUNR1tv4V5aJ65A(RAXwBO&hloepGL?p*Jmegg zWjeEQkg9ZDCcLDcN~t>gS*#%W0)bt$Tu@yEFDLm??0siQ;v!|Z++(>p5N%1DaBo2g z{y*u7(qDSQ6jK|hqzDj7gBTSABXXG4s((7(b+cPBS(9$A9UDICLMF^$af^B+OmC3#)fLR#3=g5+M6VG@&&JKS67OS0B`=G;?du;3 zpL*Jd@&>`MEYE9Tv-L49we@+PZND%p1&;yNPn$UIa4o+g8-!x)#j zA*GFbj>8#qh|duhq2%TO5M<`>{=$V)y~r0FyP`pdlzaw=HYUOgeJiM&vA%gNuMXq9 zECx((cFvZHizS%jCKX+8%iYmcCfB&dzRA~TiEAA?Eq5tB0~ayHmsw;*YWk4h@;Y%h zVz9qT)F)$Y@24!M87J!vn)$PkuoGP|T<+98)mlUn7F!v(MNW;&xn|d2ttLT!R|t!MC%gZS z5TMX7PgOO!UgdIwb}|47dXa@2IS8Yqr}}$@j2CAUa4ENwT6VhU)G$Ove)LVGW<+^e z82jkfG36X$+G8uf3-vl&?OFKyN7_Ir4CV9rT=4Bv>&kE*Pa5 z?DCg+Z3xzzG>qlL{M&?WH^c8y@G129VIN^ZepjG)VL{0~B8T`lapDcymn*;p`aIeOe3qU_4SEnbLEQi6~!GT*LF4 zHAj|?dO}QZC0^oFSDW5J_GaZ7mRKik%WuRwz|h|FyRI3(Pu|aIU6V|lTx^F4`C?u*Y`fnxPS$co4-Sr?c8S>G z(sbK~VM&gso$<=O6JK&@qnYp%EzEo@z$WFYP)d1W3+|>T3O|@qbJ7eII4yuO0>!Sk zaE>IXKnMeq;2$Fz8jJ=8n!So_| ztY(5V9$pK^Dgx@)S4@%psaRmT381JxRE-zxlB#w-Ll<)r)2h0pzl(DPrcr;o-I*_1 za&FGVbM*8~GO1LBFFy4v&>aBd4vx8)CQ)3Tte?-5#;m?oy!T^Jwq6vXd+5dL@#Sao zN(o-zF5AbXQppYtexo+(v;zDUl196x_*Dt292d6QU=xuF(!f!5XDTmzp^P;0iA&)Z z`+D`6eoRcY~0HFqCJee9il%WVDJP&%0SHC%!(u=MEK(fb% zX1=r=`9&7>@veXp9e5LLiz;Z&Tv0dG!FN)Xl&=r;HJ}VB2X!v_i!F8<21Rcq{Kz`Z ztR5UBn}#Wtg92;StbLCJ0(2)G;CBfUP#A6kf&d4AO4KpLIs=jCiVX(j%$tK@cJc}< zIz9(juS6!ZPJOp6j8OY{Y~X0f;luTJm~viGb`Z)(m~(l04sZk1RE`brk7D@sbf;Az z;rt|+1ynh~f!z{MVJ$#$Jw`$S_^`B@Fj|On&3mG!Qqv`-Xn*=!52ut7GQeKwhG;Kr z=He}`e!=Z4db>F^(3N*JnG2J;QWX?{z##+hgEfA`mMBrXVSt}E`2_G9v@iBnGLUs7 zkaj8zlnm?>lubS2*eG+|HI08W5HS_)pRmj0F82`BO;9-npz#H~v0U!s8KfgdLqzlH z2Fv4J0-G79G;0^uk~KoHqccHuR^0pt7gl*Iqm<_oF-+OaQ)}xrdZcfw>KuG9kWv|c z!sn_#EiIV{aQk-3UZ-`OM64(EC8ZQB12gs((U-L!JS2+0e%dFC7i-;!^Mev4-I?|bVbyrB~-J*94UuHeD)9-}&Wt$qRh#OIDNf|vSvW|A@Zq7pp%t{%B 
z|K5mLT;!Wb$5gYal_>%j%$vx75BYJ9MmIzL#gl(qj_4snSTtgmWASl1XVpt_9nE?q z8@~D(;sm*)!RV!4)t=6KUyp19Ei5pxwwl${_5>Q34cDk$+mdfDJtH9dy2`c4Hqha} zMXdVMx(Z`k)qN>0Xwo|hl#3jlfD6%ULhcUtIoPzI zz>%gtX2Tmpa=B$IW8Dul9G}!c14U_gN23GqI_yt|eYw!6+;=icp!6?}MZz_tET?vC z?AicaLMZiIQ5IF5=@yb}n*D3AYi;6Gedx)9Yk=;#{I=p;yO01X8IS9Q*|P|YxshO< z>e;DbQIl&GEhqNYOLAGI(s{@p%@YERQ(A2gf?gAh$xXNr7~lqoZ0Gsxq5VYYk=ace zY2#Gf2hX+4-RyC$5`SU zO;P=*uM;2%%8!fRk_M@s9#Zf{Gl)!GH1*C&<|Pp8Bf8M7hp8JCWwXS#iZWwoY_y@1 z)Aw9cfop+-_R244A8acZ>l=OzPlr|T(jipezneADv*BW5z_2wF%V=+iPd+=P zK+NXYd(Nw+3NbiD98S9`Gg)Kz_uXo826{s6Lh|YJ5g>6Y7@)Vap9?d>%ckBwhBH@O znT-&UJ)nVfUf&^z%4F$@4v$Nb0gW)R;$~qy0e=ZD%~sClTmHdRX32g2jSNw5>sSbq z4ZsW(6X3r2NRD6-T^$j-lz3kS_G{$Sua|M?v=1`6$I?_<)-2|5qJ?FK2G0@kfYOLl zDHcjzS8?e*<`M9hRyp}BL%v|wpWM@Ukite^QWbS5MbxPvVCv8SOv!C4rc4=;Ct@r( zlrDFm(Y9lXXdDX*-x5af9>6p1tfV=Vdi%G=8LcaG-i541Fj zG@l1tb^O4MU|Y;YPW>i7kKUc)(3|>RT46OI;UZH5OzvceXWDuZ&E!kkBwVz>uJhVc z$;eg0iMY8&1Adm{1@84*SxyK0sr=*Q>#GReKtn^-=t0)hcatRCIM3c5vVbo)jj$c3 zJkSroEB#cnynKg#G=>FJVFpEBShVc&IKhzJ8WWR#p3b)5{V6I}eSL6I5#cuCAqSwV zt;C4=UgT~d5_UQe2`YE^gywE5oFod=c|W3G(iT6RA|IU1b33L{H4z9I{*o`q`VvNC z0FNkWasxu@Q*q>i+LctJ1+?Qr%*`?zy*^jW{$y`d(_kzE(U?K{sbP3s6+nCB1Jr40 zhnRqF-+1S0MhQ+|ip)Wf-gxgcJsU9uXbmkH7S@64QkC`Rpp+acB`*sGI)vHU|v!h(YbS0u(@KF+vAJL z9h{EOQ4^DyXn*{$=Ha8q8yzXG1X+MNMd|O@U1NdgRzL)P%?rc(MO%(|t!l}5YGvAx zR!_9PNOPVvSJl{L25!lp6;$<&fEf6yn^L!54ohijC(FrqaqW)=pq&zwgxBi9uE;+T zKdmFHooQ{T1rut^+$7u_B#aE`7DS21MAVL_Q5iLh2K)l(Gtn0;ugbRCCWGyjeLbCo znghX`1WV&&b##6}2ik=J!I47)f_kCZCILs}Xu!=VknBcE#SP6cAmkBYA{bQo6E+cw z5oRkfScH$T*Lwoqogcvo2)aYeJ!{;5m<;I!QxX1dVV|JQ?8P39K+A?+f4kG5 zN$yx>lYP!%Nc9~tK~wGChufcm&Z`j94?O2;Lr*EwpKo6Ptg=TcP`dW46O;jnb{)aG zflaS8K?@K%PzPo?;etxBBb_1kYPq@LHVYXqrXR7hQ+2M-D;@jArufX5eyKjDyh4p^ zEXVZu>C$;y)40z+%e!S!gpVy%juL|#A?V)*qgQgLJ4L=Xi-YI;cV9KTq=0(eO)tWP zFB-abjE)3Jb(WXKL}zzo^ovul@}6D^1Vu2O#;!@mntx`OLHq#Q@_`3#I0)ju zvDbOCmA(|8_Sx-UR~=uNa_&a`M#Z-Hn35ms^tOG{VZlq;MuYLfDX0zLF>gBtZISwx zc3u%`XzFdrSz}}WOjaFych&X1zf*5V_IJ!vrYBio&7!5f1me|-Y3NxwGi_xr2Gxi( 
z2St7s;ggS|=;HZXKHm1`_;%V*Mn+$OUv6Oo$RCD%ZJxbbUk24|6;x6m`S;{4OdDW1 zurqGU+#)!!-RWs%0vGf8+?OEAkPvV_`wh;7Ug ziSJPRPeSvY;#F-Nv+PckKNP^xOoZ?q+qVUpax0P3a&us}*qBOY{{g94&zqvScMp#jry~ljUbBDB7f8&ZoQUy@ZmEXpVwjfIi9k(q%C{1v`l0}tY~t)o z&^EX$r{QedsYk$6-%pdUUKe({6G~hKXEB%rjYZu;ebZCYbk)3#xehMTZhXrMabZ7_ z)%3KE4SF_zVM0p)*QFRn#6=25#T;m<^MN5U7FMja@}QKQ)1;?;5BRdla7U(Jz$rK< z*}cGuWQ~N)RQlTB1wy*(;XtJ8anKOUM|k6wzKUh80O_IqGw$9P=h-9&$}S|;U$H$z#XxX#hwkTcjc>9UJ;qJjCTcm z=#A`Ss?NETTRwhs; zxzxch>KaS?N`+f;%M@aB%e(&O&pSd;$YX?eYpQUh2VvcPl#|EHZ1=NrXxq3~^<>fX zQq@q%RX{FI`oy>q=tZPoEQjf-qX3akj4`rY@A(O3Mhr=P!=a5S`iVO30ZZSdAtG|5 z)?-ILs;pC8(lv; z{kb#;a!zVYWE`GB+WS)E6(bQE8K>XjYpUcd=GO@* z#Ov7^Hl2EFVjJg@e|X~wM6lcOC-K_X{OXMfRT7B$3{}&3<)Fqw-$Dm=9;+@r?O-?% z1Emj4#r?T}ytl(0TBrweO=xGEPay3S;q%MCQNl5Zp-!#34}RB6eaG(hjx`Jo0*!H2 z3nNike7dy|?+?2FmgbRksx1i$WYWrNmoO&?j;tMi1h;46E;84uUxoA1xh5COXm0qK zs#1T>czzPJ6KI9|rD(JmQw{4>r`NNYuiYLU11TWR^xVvEOBmt0Rxk*Qk~S7vw!`#y zs@*w{s9p3U_X4kUmiZ-8$6e(1P}iNHb;flmlyfhf2eAy4g_KJ)&DBY`s}Pxhv{Tdk z5K}}h%EwTWfEm}dd79B(=_!gbjz;98W)HiJ;|ZXhFg;n=Qk6dFXoK|0rb~@E62-<2 zP`z7GgIy9tVB?TISuHe^(}o2#u5ZHxUgOu;#upT~v<{J-T)!RzeGq65s#)5+vl-jD z(=Mx78j^Ad3S#%*G*S>90Em%cJuBo;VhNG_$;n8HCYe!>i1ce=ToYYO1C=rY4LQ{y zy@9U}j8wTidwjf@e|+H6;>A_NWldcIIoRGY?F|P%9O;@2T$j*qqb8pd_xC_HBla9l zVtCrU=Fa{8QOQV|3g$(afJBDAXYtBGqjGH1jt*Zo#&5(2oL1DoMAZgiR0FUpx?yT{f^DC`Cq>0sR!?LNEq7c;FiWXMH2E zKVBaWk&-qWbrTD8H(P0=OjWGYuAE zh$M1^gWS^8>e?HDHyr(=Vvu*3(D*tMB?rrQV zUwcvGE8(4Zo#)@iD=ca(ua@VX=Pp-Wd||akQ?f0>{sZ6CAM{=^)-G)=xaXC*XZUu! 
zyX*LmF!FW_-aPL_R+oC)+Cg!b1A1Nl@$9IZ!a}d;K>YMMvDicN;k}k{UN+oIiIe}3 z>}vVw|EFXpcLu}R61JTWKWU{gn5!o|dupvNk9kcnPrpw)hLEM#bxkP`}*Z$1b$T*R z9+%6^F*X~x|Fy?P>VYyozyr6G-&1a6l@9wyNyQ38X020tte>I)I9?fqI0Rl%236@+L)>i_m#T2DuX-YwCUVlwRW?rQeBo+M)t}7N1IpWM}qfO0l%{sOT|0m zeTH5Y9NR+s$NlN$^~P;@ub|`Wp>9RLG0s=H`gXLT<+bkt9O~CDhwGtXx616_!ynLS zb?vj3@E&f*{*p_Y z2aQ_OhvOMBm7|FRN##N~10I-$D1ciwFkXHrFFheRrHc>7bF&Lxy}(40?G}W5uqaO* ze4dIQ{Q=GB0QanZ4FdL_fF?LYX@cXAhyoD0yPLm5bs>P#y6KkVxD%Zk2XH#iuO z_xPqVd5#o%y!)c$YY@@a4rO3{%5OUb){_0OW0l6O|0sfI@Sv}kq;y`-x7?0NTg}fg z_)HPjG7QVT31LTNAHJ7bNaSML1HH!H0?Nip5FS{BFL12!Cu~hmawMO_Nu80AhQlST zXkb=+%7q8hT~IeP8R(JAIxA_&I8H0QlB9t78P52?J>zcpAQ@ILb~>Hc$DOW zyh%GzIMp(4d7Z*jOcew>SM3zws0SowD!JzssqJSgNhng79C-xa@<$LO&b_yPl!|~% z+yX7F7+N3{(~f$$`|E-H!WvB5Bvs*1}vVVYXNAe?gsqG4Wb@7Itg zj|75F6{Msfua}ou?+~^$WGmTG^@eQeBf2t>p6`Q)a*#UYfZt%Vqz^u%brKAPp0!rc-^kwQ)@phX>|)&0}$^M(k=}hxK;rOHQ!qgykqhB zbCJl&3@s3J`f*cM2v$;;VD-TT%vtXtwvfF>IL;x1;kmg@HHD9W_yU@Y6ZyI!c=tf@ z5RGqG#g9nbQ|_|ti9$zW4x>n0h{k}l#VnN1a3xyh|vYX;|pNfpF+4C1`hw%p0!SlymN7xf~s&S`2e}K@2`QeO3smp_+V@ zU-%$z5h!&eB|&?SCjxP4FrhNmRa@m2ZsH#Yw++ogK=$ha-!DL%Vxg$h`Og$jN1bNW zFX`f~MULE_K?aVXJ*~XUo?bU<3l|r{@tNb*g1IDzDa&#|?X%>z@aPg;lLRh1MVsNS zL>0JK-yc5WNL|ZN#NkmIQgCLHCHwR%^7G>;80!6rpc86P`<6h4O7I1(I-L`Mj!fUbMxnU~D3NMa?_0 zGjhhTgHdpB5f+<$xd3(-LIE((hwW!z+}1eU+QbaNaW9KPzqr%Bl_ z)${_fhE+NhC`9HZX3B))N#z83=>#(UcFwr`=_B(Dp|LMv34J(uG9gQV6pMTr^TIvs`P zVnW9Kn3(CPF9An4aJ>L5tZwpsXPZb~3#_M|mi3170QdoJ6U@@^yzIHJ5J*5Ghm+C+ z9LEZ!01msv@arI?ms9gwZyo7arr$WqdJEtL(f)q-O#g$pcM7g84A(VdV+Jd>ZQHhO z+fG(&+fG(&+qP}n&RU(`)u-#6?%n6?>Wl8Xc{6Ixs#*1oF~0YIo;UL>riiS@Syv!j zW#CLiu?M?6o2jH0%dSor#wZ7d+J8L0s8#b=rE2g>;Wn}{GA$nK1UizDMsgVg`GK7P zUp!7ez9xsg4=h=0NuU$SVV<_FOiBufk~8>Dqb{K+Oi%ImxYv<NdfMN8EP{t$6$0dtoNbzMC~qf%mQD?HoBSD0N~= z@Y3?EYsE%<^{*ch*}ntGaa!*-CWv{~LYm~X>vVd7hfUXfZUZ|$X+(-PkfHhyl39Eg ziYb0tS5q(GqZjzqB(SlPHp;)XrUqS!Hi7?8nxPxDl9p87c3QRb+os^?f|v=y!HRE9 zRz&;>0A{`8yQqEZ^;q{M@<)8KbnhZ8YIHTlc0NY26MSIeqpRa$9z?doDv3UV$$pmI 
zB_)ty=te}^&{@SOq8t8DMtsyZ{oSL*3UD`OfPrMeYU4`JwZz*c14Gmq>3YexwQTWpmks_Nn)VWl6*dG4$xTH#KZ=Hz z6lK+9RmrY+k+l^*F_EhsKAjsFRX}G}6hWJfWxU16yc!+dEV4E;Z~mth{ynkefxBNc z>U)8A3KI?~O>~A6t~PnNYW#%~p(uaZgZf;c>LtVV75@s$w0D~yp&75CmSn*PK=KNF z8M0Bwli#qtM;YQdu_S$(WvwJVH#dOBwI9c!u*?l@=pJnl|Lc4hSd!ZaUd%SoWKJ7Q z#u_Bs4NLJSUkM_d&m+4ShwR@L2QCH1g48XXp_~g3)Po#4Fh7dzL>dM>=!(!6kGIAe zcEj~_68%$<_9kj0&qLNtN|=-ISbPgT`!N2*WmZrKo`A#sS4`8V@SWJC;MHH-y4F?xY@PvqUXSLyikmtq>QYhQ(IWOlU2uOH6-&IG0uxZD67sTwA|NT(zVF? zAUW~EUDzRY)i`He387U&lSE1$O8!D!Ps{~cJv_^`d>+<2Zoqv|bc>kmR$3FRm$9LQ zZt#1_NIpjW8>W|nrpxJXr^D@(NRY56{n!5)GpZ$v>^9CEiIWI}607xh@s5~K63YyI+ z3S0e~tKAjUkeG9gUEXl#Olz(%FoWDuT3ScBjr9M=R$Y*;dC4C&=;c(}oJ4 zB*>^{M_h*kx6B%7ajj?}|H-I~os^FVdfA0HWBLI$ke)V(;NE2ZZE;DEr(a$figD+nkfZo#%-q8buj}K6gm`r zaT#U;klBWDNQ;Vek!#Cle0c8%gr@a_b3#^!=q-s7nvzcr;PV!)DxS+N!|BE#B*l;- zlFjn8#ee>CHc6}SQBP@RE}?1`yk?jzw$-Wl z8twTi)v%#Q=tyw0G>aT&ZW{I+YX;OC-SrP+8uZ*+(ULI^rb0Bs;J5IP$zI_U?`@eU zgBC*$1)(@J3Uz`Ua)EMn=^-6?>$$DgzHdUe%jrSSK8f^3ZTq^I6fpgsS27|rw%svJ zmKeJo$GT&YoXxyNZ$I{FvsdEl$g?8)EsLZl&)^S4Ub)kaKV7Lf0m%TDkGL2}XWM|k z{EZ_1Z%O(tmvxc0{)(jgLIWDJML4f!+9CtEj(q8GF%*%Iw+)@aIKNpI7d}>%r;rV{g5Gu$;}*74}_VMxwL8Fn{QjCiLf?I`V@ z#3Q9;nivq>8P5}@0W31Bm4KV7$M=YBw>2l0jb#O^WZTqe*y(rUQ?E3oD;doGs@e$! 
z8i2agTuxmYDOAR|5ua={6dg|yhawPzINAotg#T$XiQz(S!y;?xTEc{*Y^|&iC!Zjo zdt_-s(-iu6KtfaJPZS*Ad9jjlSp9UYh@yYG(vVseIb{t})`Av*VgA&edI?k8Z)J=|^g z1#ILU0&m{4NZ93jo3=S#kg&!3m%KxTqJ7fg4DuaD+boWrrmssRn>SSa)htPO!b;NR z$D$FjnO-r499$iOLgC6>8;GGmO}Uuy$bem}%NctQd`nlSWl~sY_gqba_#O=c>5=LY zUEIha5<_TWm%snI&44gX8_(w?S&}ona(QF0`hIlw`}EA-?Qh}6eVg({jESHV425>p zCI~3cpeN}XP?mDqZcQEPP+s(fFd}AW@}^6Am--shMbU@6@Z5}*u`@Oz+80aX24g?^ ztd;l>1((IpaM`j`f>vnmfMFdv%2gfyLXDR+^ng-%R`fk4X&!^)2~oC!HLNq)xCorS z`4#%Y;`P726FPk=UZZ1RGzCJT%tqT(%r8E=*o6hu*X{Lq4IJJ!MYy> zOwzz1XZ)F;g)HhzO6Hs2lX1UCBu_Z>@oQ*)^;JL&&^VLPvr0>SXo*R=#7xk`3g~Q)(d{06o)a;wdy8_ZfHxWsdn@XD zuLYZSC`F|Sf$Jm6zfISn`jjThNo#Hz87q$8Ii9Z?T{9VB)x7qD(P~FDJP56D0AAJv zop>f0=;jr_*x|1j1q9){P=GWXiC9zQ2}#nivJunS8&QBA9nce5mZD$kCpcWzeBCG% z`baVxnBif5Tw-vNPaz6-g{Hn7Bi0F={tr1abmI>6sKCV7(_dirBvINXrzpSt!CLS= zOy#3VX(EwX5u+ZN6wvD~vqQ))N_V2@IB{W=n>J0FnX*cm3A9#1CTy^$)-!-LQ%GNg z$ntqNp?*s%2UQszf85c7UTW6;C(Cl?|AhkNKUC~i)UE7%bZNqD@lLpbQxJNx#(sYQBu*72JR%NA6O6$efeSJ!TJSJzqn zNc_lN)IYVqtE1w2(Nf-TSL51LQ!1K&Z$|Z0OiKR3|4q5WgP!9Hz;|VhJzirIU2W|= z)sI|!Y^1t4c$Xi>j~e`2zyTuX_!fxXyFVPY`*1uBeg9ba z-hTM8b$HV}$dfA5RzJ;^J=g*d4?pshpFE&)q5`Yq;N5thC6wjOqN3tV<+zmZquh8x z*0Ikg;4kbWy;-!iOe-tOMPyJezTNki0Urai&tv%dVI{pe;wE|=L_WB7ruFCTc|qS} zKHx8Szdee%x#!vG9J_4!NXsG$B@N=X2*R@MLGa#2dG-$=-M7rS2cfzmHUM&^g1|xh zgSUv*fx_EM24>mFAgjQO+{;5@WX@@vaD}!SEYc~4@@6Fm_Jq&`c5Mx8SXPg81liRb zx8nXgGAg)sV2gA5F8_M<99BU5k>GS1bv(0%scv+N1XZ|qo182oKs zRihut(33gY+|BsycAZis zUz8VX?&Bb}xY|+ws`<1gHLjD;yc22F`k)8Uam$+o%EaNXX4%@C2?F;WVt!GO2m}tbRtES z=zu0;i-klmB}DUXTt z-OyNfdHITjO?dr4Mke}7Vw})+FL3p+sGQigsTkh8{TP(0)c4TZuQv7R+&Xf;7Wbel zgx=0W?EW^Nx2e@v`7Y8mr*wKeH?y@y87T-=Z$6hDYQz9`=xmF!$327faWaTV!Ma+_ zl9BOugFnLtzy3JzISq;BteQM2p9r6RuO96Wd7HeEI6s5MN)N4?aGnoyJ~-3i*M?vG zjnGfBz**<3=gxlNzuQlHrQa33L%Pv3Z8IkFB+B+ihU0KYKtF7CO_fv(Wv2?&hlgt& zpXBMiQgIJsg*Gv0C$OTW4?na-wDU+@mz=P6>R+9C-D_5sH9X@KQXVyimA4RM0CAt? 
zCQ=o-@;O+xtewe8`b7Lh-7FUp^(gDo zd}E{}M}VuX@K#mx#SP5!e0M=C1r7DGNE=8+EEg;6rXmkV!QSDBir(T4s+k7s+#txT zAPxesII$S}{>w0mf>P^D-42k^)d=D-#?sti{X9^C_l5nE)47G4+W|8{i0Ym?(r-PW_iG@naTEl36s-fdVN)pK8qbq3ie@+8`VUw}^fBiT64-hz5)g)y}6Rq+{U!RV{pS z`L52gYy+Yz5JA&O>!>bmh%$Em%wfR#BVhR2raG{ z4`lXZVVUhQlHQomA4p-V&TG_=k3%kFa=B)m18cc%H;urF&Ji)eVOa0X374#xcZby| z%1~W;X(<~(!o2Od^Y;5*7AeK@XR#Enq`omm92&bP`b%(Ji5jJ%@{c<|Jg3E8A@lXh z5ZUL0mtFO(L}y+~w@)un+JeNvKT0PrR4+@_1ppg01u#2cM;idiVGANoVArf(>seH+ zVBY?Xm`dI9tJO+-x6ZKl3pof+P_(J;_qE&*)(k3ICzmHVv04L4Aj zL(Z4n`@NODvV5Y`WlRGRcM^C4dxmfnbZMK#s9Gark1q`tp!z7qUd}zT`iG|x9wn4C ziHfAVWm6^F8hAp+uSHaKG$KULUZI8q##Xke#tyZ*=R&bjuCmBbsU`8Co${Hpl84T-caWj16n1m#tm*Sz4DZcpr@q9zB31sjI95+C(N0{=k=yvi(%~*J7{viD-fG$6L|Z)-%^u#Tui~O&Fdd zd3<2Ze2x$e?->tEK|>Q5hZ+n{u)*R96YqEY*$$7K-+B8l*-2_R=bVMB*Ai zFAz1fglyah)Pq5_2TzzPTvi~{j&rYCo+u#I3J6y3QcO-bzXS^ic;2xpIC0P=+k_!c z@eBziteub&PeEzv*DzFAm683F?%Yf%9q?4dyiI`Qt3YPSaE8&J7ljXxS@m=tp2{`P z+?mvLuvAqW+@BiWVPu%taOmwoyDR1wP3xjNT3*cSUp`fK72Ir<_owjs*n5VC#j%5f zJ`^?`AV~pN{w})Di{`>^Wm!()gP;vYs3B*?&*!nv8kw!#cY=6s8In@o?=w+o(Ku>S zGQ3xfcc3|?WvZh4hLJ2F2?W{9Jip^>DCF{Vj&@(c8vlaq*ZZ2e0~#b;T-%``Y_Bl~ z0us?KEJ~ws6cD0fTZy9PO5Kg4Tpwo1Y&s+l){Jt@=M$5Vi^0k?6?m~veQNir*`Tkj zm0H{+vWDtoq8~=maX7rqy;gjYMaA-lZUDDQYp6O6@4rWts=*rdx75&Pv|Tfm$6{8)5WpD1oHy>+ioPmO;VPU z;eF1u&`2K8ywHR^FC@WtebP$zJr5p#BE zfR^|wsAG2jX1p8tos7$gp=0Jh&n$LAid9HP;c0Wn6;-qy)rFjahz%0Mbx1>*89Zq@ z$uI2_*zcwMfAXjM=^F9$4tve|yKNV!GWfO#W_>BJQ<{!gm(Z6!WvUR-0rB2EoG1$~ z|9a2!g;;$C@ER$MM8fvJs;&uUsq+(eqoEYhR2=jIf=a+Q3vd-n@odZ+P!p2#NkL|p zf{gF_m?98~e=%O_lr#ybkKBak1lMQR(_c(eYx=FT@5t(L(!!?YgS8K@fV6YZp3v4b zG~Gk1cH&{%>y%N5%1cVJxxy;M)X$`uL4qSN8#d6pRw@-(4}$uM!IU#k@w} zsLF+a_!6acCwP^{#!C`s6Pthw(|{ZB{M7BP8X@Ow1iViKLpt0G!ZpXd)V1q3vu8MFpsB)v1^+F_xAzc z4SG=x#<99ekn)ifilDdq^(Qgg3P*~180ytiV|hEKJ;~VWK(v{98T|;YqpnZ1q;Zyt zwIxopl@R_tE%TcV{e%Ai15|rDur@}3(S`AWY139Hk{jaX*Mg6y&Pg?B+nlzzMpn4i z&%Ew3?wg`TZ8Q2vO~6o?Zd7T|of%?#2LNQ4%ta;Q0QjF9cehh#l$xAU zG|4#fsEMs3pQzVb_>fT&o^m1&es@?6cBz*gL63T6$WY=1Zd&TO@YBC)6q2e3>oIM0 
z*dh>C@z8)KZISeL#gN;n1A*X{QM-(`TBvhdDOJH8bH~hAPy8GOGBW8NCj&vAICiIX zl3Q2a?7>0^_vHp7f!t633!2 zOb-+cm5?AH`4eXXyS_St?NuVSuA>QMyLj(|hvPQ_U7+1V82W+@gNdUXtVL_dBm}lI z__cU=D@%bI*v8~4xFFF0*-4}c`FFg}w(Vm^K3(3TAW*>&92DcvA&R$8IX+pgEkfGo z5go`17l=TYF}E2m+aR8?s3AcyFF))miCSa~;eI&2h3AuR9Q6ax^C-@=LPe!*s2vXn zy~xTZ*yE_eN`(;v*dzeCDKV2;C`$qVJb(=XO(4k@C0ktJ?Gvtm)?^xZ``{CCL9!)V z1d2_1du%a<{JmBK_{d@4G(o#=2q}m-Wc`&=Prto!S=5tmyue^4JAf28w!sNuo+A#G zfGM(9P)x6|vb?S$MW`P#vB+X%0JD8|GIzbpID0g=lTK_g=MZXU@EU^~M7h9jT0GiU zvb-xm64E__Jh*)t;=ipQD=-bD&hg_Pw_r>_WVl^UUs7&LVF;}-HKhaBI@cA^yTmQ$ z|72=VpI*)x;gwj3XdZ4RLf^rXKVie#x~di&>z}TA3Bd}NZAL?FX**50)$CVuXSZ7< z+wkJK`JZA;V8slh6P^GyX#&N`3t-@7k_=e>R|vPIOcs@fB*aY%-wxrf$}-Z-nC&6ZH|Doxieu_(aeZ& z@@GEbZ!4_v$~Z8F~BBRoW#j2;BwU07Go2*Xf0jP{33Z-_zM@DeZT6rCZs>P*;ALb;%`*5Yl) z&FqP#zUB;g+I;Dp`X218#Cs9~)*5ZYZ21A)q?+dnL2vX-39NF=q=BSlk-V$0{y<|C zkg#8v)4!sBpRqMf2a3F+h+k}^07X=DSuU}X{ijD*EOfZ}tvH3nddJz0gH+bKn;+de zBUdBJft8n$4K(vK*)u9zAY>l6I15tkHv`LUv;tK|kb*Znd1{T@P7 zt6xDdS#}(e2n;pQdRWDWLxpZd#(eRA^X4xC`1JFJm;)cx8|kZO5rnW z=b3FX@9wb&7c^rqpHu(&n4i9l^nUSmGH>}y!wAiakJ!C|Sr200vX*X@>|Nks#|liR zeCmXNQeqW_ z+YKgSwMbb99&eB4dgMyviOs~5>3irP{hp609#OrfNgk3gzrvB=!9VB$K1l-I8vt7> zNE@NL)cCd+E!hhf*TlH5(1Z>*Rm>vnsl(rv-Npt?xqU;sX0E zAv3iSn&}1|zTJWX4C!?hJ0wS^iw6rBmwK&hExDoxO3v8t(q$Rql~fpdhZss(f6QXV z_Suv9Xj9)iaP^t#^od)_^x1L|HK^X1ZV=ZH)RkKbI6fsrcM~xVQp6z`BL$8F2(dwU z_a4te`IZz<4ix*gf)iyM#yP`m@KFJn|3c$t+>Vti6Yz*8=gysSLuD#CF1+{fNf@{C zNElzt8HX4z8^OI54vuX;&Ov7_XkV_cbflMna2$f4mW=`j1{+zdGSPycN_f--*fBO} z4zicIdc=Zy<`ZT~t{4>+b531{=M`uSPDyTWVvQE1cV{E{L(hvEtZLaXbp;c8?8ytl zVzE7IPNC{Jg{y(-5o-E;LvXV+94G)c=0jQ08Z+)4sD66sZRCqDm$1Rf)P-6ZHHmzTD7Ap$JMng^R4;h0E`OvS*IbWp1h`%KVY077mcP}xXHZRg3 zb5XN~nv44gy}PfM{&_Wl=irlAq+W<|?MAf*4;~R%2sWi$SuVFvF`}jEn1`Pq`%)>F zDsc8)_@yFaW~rgXqaLrO0TF%8WhgT@1Y1{{8Z)2j!LC7#`JEG^R&*vFi{|9bNV^P67$Nqa`*gpb*AJJ8ROdzjc z9P;Nlwi6?OQs|C0*&h00-qkphW4-mwV zB>Kpvm8GGw!i=<&A#hcjM!61g%C53AXPOO!*C@U%QuKuRx~!qA)rV&<1ot+0om^l1b-1qP`UvUNa4OgjZ+tp10LjjpHkaxJh_&$ 
zWW_!t+8Y3c+wYj&2pWYX`_ODeb6V|Roybv`zEbc26KJ?-?5Fjd-12#BEfjOljEpiC zj>mesb2LbTG~){}H^6%z9PAg43OwitVeRytmc@vOe<#El)$jCGGj@$Q zV!u0uundGj(_=()a~h)(IJ5L57}*l_xH=OtH27>&yirmb1~sMqYD(!3O2Ln0A{*6^ zJjJ*BxsnnweW=W0X0=W)8(d2+-DXV?-COzMga>Obv&SfzEHt^)s4@kcT7Gg|8RQG) zl2!ycF^LtE)%O#(a^{5IUxz>jsd`IXNztI$pMmh;HqtWP1GKa=rXE@lXUxSadlEK_A1l5!_v%&tE7 z{{azQ+-Lr0xzPWvO8;-M$A1x`_& z@r;a2jQ>L}l%p|ex5b9KeMw!DSWZid3%{GlG~Fbd@N;*CBIt|ipe_pWGenfI_T|#0@?xpu7wUwGHfDj!*_7 zlK-5-jk$=%{Z+6xSSCTb5|cET(Q{s{0_*UA+@{95z)X`QrwhXVupH?p$hGDW1Fg7D zN=5-K=r|sL1kJ_4&b8GiJ1mAEZ>I!vpV|rKqnX4dc1_VNYLol8>JquF_cm9ZtjjJ6 zmUFb2kMx%nybGk<-?FK{ff=(AgSo+RrkU6Q&0^$T!t$FnT3E-WvF+^p0{izc$A|=D zX^%O|SaJ5bZc&Ko@d(f81hB)KlFhg{3eG^$x%MwvR`E|h_uMQgH;F}|^({zZXyFHr z8RT*K9SI4BF;#o>$1#m`XvyQFQT|oYOip9xwU;P)ea}Q#zqjR0J}3ZFww#}a{87?= za$sPNDR}oWk>###pJqtDkmjY6w`#n-vCedfa5$gzZ+XrQX(uJ+P3w$wxjo~&P5ox?; z!%0wC%_H32B6zL>ccN1b(+bV*1>(>FVuw(o+pufxtmOCW0-6ovI`KM^uG+9 zJ-)*AqDGyMp07hikrd5U7!KK=dmoVgiY(lQT%-QK+8?fUC3j} z7t-D5VB?)@9S#;0J$n%=q-Xgq35tW+`BU7Z*1d%3-H|#HaSl z_!YgXi1>cW%k;gfG2geX`ge-Tmowe&=)y%8n(Dn@THU`ZyxfWPRG4L-mzq`iUBdq8 zSBCu|*Db#|pIyeUT)c1TfXu#l`U&n2huMFRR%RU?9AEc;U!5*i_ZM+>AMx_<_HFVlK9jyySkwtaqDC32A6W--?1{Z?wOCWY7AC@uHeek+kTJlAm2 z&Z*PO{}=O(PCde!y15SiygXioi2v3-dE1MC#FkHZ3yk=g~&l% z>&tBZlib%z2I||$Avb{(zLA5&$y(q#^A2*?ohwib2FU&(TS{nxdNqdE%_|1m!tARL zo3fcU{2I%==YP2Wt|Fm&AJS+ZSpb{v^;bOd^PS{07qh1tu;d*-o{ufW(~ zbE}aoAxl3Od!u!CiLNcwjGD z)1kinQ{j=ldGY&S<%iC<{6)ZM=}nlGiY_l=n0_T5*PQEL-{;-?PrHFnhfd$mw2N8I zQ9lYakHa;tuiLMHz(4GA+a4J5Dc1Qy(LlMZ%iSyS?vT}weSVPljdL~DMsV<}oEB)T zf5NcKd8S;sSz>B}XTFXIlJWM~$ea-^aeW;kHqfV|+=&epk;S$zTd;XEq(CY0X^%lD z@qb?<6f22fN|*v@p-Yhc#b&gI@S@i4pHQmCS+Au9n~k@{`%sT*plmtCwbEC>=rI(7 z4e2;SN}SPm`~J35b9g#Ca*Vsj_(1+K5!OuayCl>?Hj9JLc4wD`C^1df6?y{8ChSP{ z-%f&#Lh0fL^Fz}eDtKw;eMri{$G!D*^_#nPY~x+yW`*nN_7DNo`wK#SVM-jFxqZc| z8+3k;cfL*m$0By=;)%C?B*Y!in)4l?XwaF^wW`2~l%KB8nORl{U_*X5z+B$;Nk`dI zQ|~{svst zN}{Qr_C~1#ud(4ujPz&cb5hBGub7Y!GOhi z3E*W7Z;(y4S(_&UP&O4rTM87s5GIYJDmT0wOeC%lGh%T@H-7c(ct|^Q+$YV7Z-a*_ 
ziLo)91I};fDmuh{Aysq=T|UagDJy>=Fw`Y6LRvfI7mm@PKirRr=HbV-LNcDAUkg%! zDf2Hum94~aXa8-6`c$pA&g{^NgLRm>1M#Mch0#i}knMXgreF-dvH>e z>oVyXM08Bxa&NV94+fPG*gSeXnk(3rIk+mM*u#SW$wKf=FK-p%@GYORj$OK>EKmvH z0CTfUXUuD<%g($tZ-o?AR;6TD3D3HrnhPROvb?u<2%qn*EE&DYF43>}uxaz5WdiU8 zqn+q?2V#a{IOhyJwIYI~NKfV#ij9#ffsfG>R?|g|lj{67A!~f^?~NF-FXx3fR)6IT zo@-_FD=dS_j`62OM5Xf6YwKS0wT_w;-7e=@>k)q{Rdl#gmmEK@5dcl{sK^nVK?@l} zCD3>v9{(#RLrn#D?5d_7JI}0g!twz$ z`_vvtKVha9=R(pXg#X@86y!eMbjK`#2JLuqD_Mn285@#?n-EE(2moQx(3PY_W7Oy1 z%s!$_wqU9*xkQCKJ}?cx^LXt+ozW75=WlTNB;1AvCLbSwteNM1ge^d$i{!2k(CW5E z?1QPf-#8ujCedA-quGxLR92fgd%BJPS8#h#x>_Xama=u_2z)lQ;){o8^V8WT=?xPM z-Jgm?osL913iW%uZ`=gSkauGZ`dZl8DoQ%<18osT(?bJc>3!x;rbr$a2c)zs>%0?V ziRQIh_mY6U4U%FtY4yk9{u4gYC}9lQb_Ct-?pSvonhQJ6_#CfeLB--CxQx`41q2>O z`6G3u+)yr7^(_6lKBAK4{(@P!BZ(xsTJq2jdEB5TmzWv}JcAPSXfAma9Oy*I30AW8 zeX*AX?iM{dlJ}{iK3%5QY>|a^L(fQ4;MsAo&O+OGS9kF5=>wA_1nlIZcwZ1#gFcPj zY6|0O4+?8ITr@f9W!X#cae5r8Dy{n+d32EdS=|}m3Ykittl?bi^jis->^YSuEPk*XLEbURr2*B_ z%4pTk*&t>X@^C!;IQzFtdZ?KM-C9(_i^NAsi#@RE?(}x=w3JJvmdD^GSVktiR^%f@ z`pgF|$+-grw{mPngE9Xt;)(6({#72HaHe%)-5RC9Dk);)s5@+4p`fS4D>Js^%s82Y zx}A7dL_`T?uBqVBKgLSC5oEdpF2YKpn#lv@7z_2K7|P41jTwB+$kqCOeh^oc#9kgV z@=b}L152@&Dxav=}|47X|PhTXx*ll6; zS)4xwb}}t(Wx6GCQiEAF)=uqC(ra`VUZl!jZ%|I@iyDYmodY}sO$r9#$NudPL!FIHO7&LKWt+HXE%%p`M!&)ta=H`HgdWAnWjc@!MTkq3zGpYIQoygB zCN3teml4tt`mIrADp19xQB@k^L;f`SQH(TBV9w~QttTje?^L4-nUu>joN~}2Mp1gg zZ?a!dC+(b1sz9oJ6jb)2Ez}}HvlQN=Z!SeN9!OMAK;*+Z7)sZ3LY^m`o7;w|!sdOY z99Y!9=r6}YGvI+E%ub)rXzOHHT3KPhGtFSjJS*pgQ3%kjFK%e~-ot!o#i|@L+2}tx5O7mx#V(^+d#Y)_-JVA1YU%nB zeZAtc-^)&KEdF~6iB0z_kM;{|SiS&jI_7Qk0=5=yS}UO}EKs$CLGMJ1@~Fo$fYIi%+kd7#OlqquRB5XbKH1APiTo@I;99y)hat3sF7>_{2L2MLGY z#N0q!dB0V9b?jB&996m%`lIv&M(?4~+XQwAU8vJEmsx>2+$G$8v`Z&cJfagn%yquU zS`SI7H14p?%gC!46f?P)$OG&rrj^)gu{{!}Sq332`S#mdmUyddU&NFdNh(UJo@S{k zFxte!+C`Yj;tUd#08a}q=Q8@$?>?2#3^@^b!i3?|C(~7^k1~dC)=U}#zuc)zMXx+b z9$%oBFBzu>xy`+^=+US=YHj9_X?FWE9aKLymmdypU?w4RBy>=%jQMKDwwOjGS5;Mr 
zP@F;g{o&G-H86^B+ZJ~+qRGA0Fv5O*=iBDjB@oEchxbpbv=@!(0wbz+8`i}J8mR`=X%CvT74uro~TlcRG_mskxY z^8uYuh>$JKKAWX!x?-mx3KvhU7p6i^;q=<0nPY$0ZrWn?u5aDej&xtTNuC(;Tl4Xd zXj|#=u$i8{KH#A=4^>UTs63kd$+s4TR`D9iR~KhF@Q4?*L4Zri-{Puc{t}g7jUa{0 zi&#uI`Xy+3>3Z}ov~}_7m+iDfys%=wNQJ(A^B5CDOFU%wGE7So%un6dS!DB)F&-WX z-Y;z`bSHE(3&HrylVKDB{T4<@z(#}UM47TP`?7ai?Fd9SX!0=A0qSB6JoB_X+xNSauFUSS(lqoY&q|$Z;LD z^!;c@O3EEEOgwbHDKkXKHDR)&-A*{b@!6-2ML^^H7=4JMjaN~xjLd6)_yL_F^wEI9 zb{XScVodEo06E4Dp?DDNJ`h|V2zC>Rx2lX(kLf9E?}UmKcqdg#76wjaNUxC9Nr8&f zI2`VGDWBjRBr^{}1^_su&V1PEemT~kz3i3Lou)^eeJ>tsB90c4pUCGHco(8g8)qaL-^T(Tns|}J46FRK2M>I}h zkduh&`4gG`ECp8Rc1c=`;QL8KL)j7O*6Olp6vjzh38 zG}ecfpQ;&)yLqKIu@yqV<8ai8q2pXzssiWHe1Fy>HJr`u0>r6`n5;O!tw>6obKR`6JJ;CRT;-8~3|O)zQH2w-iL}f4 zH5dbU^g$23oWwLk0mxp(oQh0Cil~!CRMJ|^;nz#3h7mux6dDy65=f+Dar1vJYQxRBa2=uLC1*Dx_`yp{pZqSZ5Kf2geBiY*vr^N=jNHu# ztA21SysE@cqolRj?Zn$SIZBZ%`(GY-8|ehRVIwE^tKPH|2U01VqVMqey#9$6k$>Z> zDtIb=K^{sxP}O5y&s;Ny|2)h5Mzg@ku>=ZAx^7z65^Q?V@znV#qw6`iTl+5@3l5i- zPb{S3E&D$h0|(`>K!O0OQOylBbNQsf^5xU)&@}-q8gSY0uUtavUjJ+7m7?v!t@p&D z5rl;GTocfPDv$(pS>SGzb!83&VgJddL&PWhMU@D?q&x?j4# zvegsKJ^I!9UA~p$BNB5TBNvE(0sVC%aewBV z4CRiE?WSU?d^SzgDTTe_Q`$gVBOcm1V=Kt>uL(os$n7 z$da(qqkmMX^QPMmP%_ir0r&UzFd(MH(VGhJMUh<35d}|B3CtlmXY7NQ^a7cak^qZN zkPswE8Av4I1&2x~>TU3xqDtIwwtJvRQ2FA(hej*YH#!xIDCX&-K&G+0Ee0Y@WCBW? 
zhlCQsjd*Z6VP~=t?(Rp}qS)H1JBR*FKe1e9OvDM@WY#CDbxsFIBp&@%QDQ_85HV_F zJQ1jD#h4Wy(EbU=oYeY8P21y#dk!KMza33a>odSp>RCX=hPpb>v!VBuQbLg0t+H*~RjX{C?TtcPDT9;`GV97@3(FGx=SNWIUhe zi|vx-PJ!IXiJbfaQJXzk%RaCt@;b62wWPSOo9_j}V)*}J!OZ+m;@*E-`2M>K=6}3+ zKO2bu-aY;=#Q*Q@B>qPq-~X38iT`9S{Fl}6f3t4>pNxmB|87bjGcyb0f8Jhb{TL6M z5x=T+^QAAkc-Bi%e|MR9qObd(H_K?Sw?6SMh|Ge)M&wb%9eo3Pliy)VNM6yX@?vx^ zo||o%vNO%m9S+~6I($#oRDA3%*XMkFz5&B6CfjUuub)^bN4J0M9^YMhueL+q7M|&s zg$yNGFQYv3rM|y=YFFHS4d2xq+Bj-&0m!ty2mI1?*k5(Du`Z0RJn!3lGIzDUC3jWr zJeq%uJioI&{KOk`eMUZNGh@xJP+A{0yVB7~edaUvudHmpTEF`Wol6U6d0}wYZf<`n zg7$bCv9jsL1n8t!X}U%0e+fC@i~uR%{O$bQf{=oY_}NC_M`!%s9{qzH&NM`%-vMx-roU=?m;*NC#2vkzN*mMR-8#Dgj^qyW_w#eX7;N)~j*G{G zZUeI8gBz2*E}k;7nMlgRNNg%Q*_hRo3K~t6}D1Ga&*Ct?}bQhLkIMTPW zH(5&6t+IN>k_$1#uWQ{yq1SD8pl9br7vq`?i;IZdaWvK$W}m+w(_ViuYw>7vUB0!y z(qJw`n)}v!mUjL|fAWZ6?e^DGE1o61!^rQ zqoE(VZ6iAQ^h_hQ&lHy;Xdb6;NUw&V#uQw}{y)035J=1yqFJS{SCcZuU#%#T#a}-x zoe5Ei#)K*T&15K10UJF`GOom#0x}NoX9VX=)EI4_OPBF^ppLnWTkN#vZNFp8uYR@2Um%2*Djpp+==3MHcfOExR;{-mc8ODzK)=4@uzg4e zKbjsp_LKj`8wL~T!Z`+U^Ucg<2j^*FRJgI+f@c?pkcPlTej_3rX!OUpBHv)v%jSbP z$|WP1t5qQ&hC|SEt1ddli)WLX?$`xGw9BG%;r5Y~$7jmDTCuu*&^K&-Urf;q;7m9^ z9lNI4YJ0^ktNxQIkb<^Sa@Jmn0L=}{+EgIu<3DUXRL;=}7JC{Me9T1IH!gQ0{#$9& zLbwuyJHV%gT&zW9?O5jB7lMWz zAOGA1!(xRQd=CjBTLY4ns4n!HRp|aQbOYr+BM9Ln5jGI+j@fdFRtE81{?|*kIJ{zE zuHgjze525a#ZbHT%RqF`wqNcK;xs$OOTRTAv#TxUMdkp$g#}J=w|h1t2kw#SSsqFh z)OK={UPvI*utJ*8kY-53>7-SRM8o4RLo3_NOqC8TbD9#t)K8V1?yjK8<@onzDQ;<+ zDxV_6v>x=e$e{K&gK(&iQ135*90|dEnv13Nds99NUEy$X8$o1AKB84LBI7dnp zQa<&NTrFSW4wWf~BN6Tmge6DHWxmkT#;QeqzT6eE8GUBXtnyg$=M9Bf_}Woj!$`W~ zTK?Q`nzxxWu7(YqroFjqJrVXwjX>vy;gUnw6%w=1xtZ;ZTwN+`*N(*IN#cQ}e4JL! 
z>M5h7fhT?2IGojBJMXWLaP-LvJa0~z$@mvxM8jPQElhB1u7 z3g)H}5%%@q&wIEw3tU(?q?=l?E{v_5_u`s|Dh&LOp~ZUnw*7S%0|e|gcVzG7W$O3+oT8E9Jq?EY>FRW5SoLvVVEVy6skfL?++UPQZ`et zfmnBUp|!Y1d@`!A#N2~+aR(v+a;$d75haNW%EP{*zeUJapaH*-&J9+EYaPc5)RQ!T z>u((dN7ys=KvV^wrCJhlZzCr`Thj;!6nw!%rewa3XoF#DLXeK_H&4NG%^iy#uIrmZ zDSiI@hB|M}$gb(lk(DSQ7Z6({*Y&}}HnwOK<~gc9Uvd54w4KGMvl?x(g>cSfUFOZ5 z6}xvS;4f5uc+pu=4O1nN*(;4z9K{w5tMfPEh|k5OvPtsBjyeu>F^bbEtC)rO+GX&K{=N}K|!93-?dMp`W5GZubvcW;flG7*wc7C>S z1ds&tA__*k{a}A+OqDxB4Dxycs8#Ll=bmMTq4^}BgVlK@5Vkg~i?szQpmC98o&`D% zh@E?5D5bXcV|v^H2sEb0IGI8HYt2U>4a6bV5h@|5HwJ;6!vgYw5vmDC;v~6K`Z;KZ z_Lt3Uxtf&?^RV@JKbELdSG#lzt+b=(vO-;rU@Mbagjm8~Xm%$P67mpFuY#wuiEG|^ zI2T%UK4Oz+vjVINIz#$Iq=kv;Pmxd!v-#{(=+ov0?s{iZsl(~0mR3Vzrfo1HV%z zZ5WiK(UdV*E9;vOL@R`d*_*}l^%iOs*h;+beIY|C>j!i&nxPHc^q4wGC8Z0JAeP=W z5ju4qZtXC*vE^kipNq37MXFyk%an`8=nUUna6vgE=_o7`@2%n%xQZL0H2J-&JWnNJ zRIY{TLkH(Ks=Y7Ahp8`CNcI7TI~52hU`C26v~KH75G0NiP7I=9y~Y1DH=xp0icwgN zVX@ZUC(v(TNa^nx`wi^(Ol@$y>_BFyD3d}?r!19i-jm2o80bIM{kG5Twdn^Sv@@mQ zPS;DQq{rJAybz$&c}G95*pe`RznfxMw_4;9gD$j~NrHmEw{M>YW-&n17-ILL`678t zu++Yi?55krSK^9ER7YVOaoWOd!VE~m?jYeK{Kf$q89PCC+Y^8yy+a}FKwU(4S8z&#cMP$(YvqB=L9VEit3QI`L0si!)0S zM-=czu&8bhnTVQ&n>s;4XE;4t87?16#zUcSA^b&8x?DP4W(Bi`51RtyHkL4w{pUtk z3*2Ju38XV!5?+wFP>R_RiTElFYbcbhMdL3ri<|B7j!L{uA!YzIRxsivlW$vTK0-b) z8we;tK-wKZP14~Qr||BL#(;KXfI=7&-`SRc37Xko^$bKZe6Y(wT*um{^4`MNkahJ* z@t*#NCYk>6nMMp9!{M;RpV!RHP_EmIDo8orBy{x=?;Nr87%dZXnuiK2?Uh5#N-f=( zGtov_AA!XmNgQExGW1Cb^G(D6hB-nXN6i^ii*q0tebSD}m$-V=y@2|l9eRo|Qp_8) zW^dO}9EFuZ_%ySo6%$UKByVsxCt9V}n+{>75hZyDXWbO7#<>N`7$%1F1Gd(ix}Fz_ z|GrI9>ENQ^-nUtoUxY;Y4JqTku&7`AH05TGQf3HxaB7&dp*Lp;%O5F@S6q*fNbypa zAAQf}3~q|G;FpiIUFOjcHn%3^#|LeZ$W*0}nb6V&iA3t`3do$Yw%e5^?#cGs!dexQ z9{j$FB8n6}WnsBnz-c=l68-{rY30a4%$etcGK>h<+2d$+!98=7|3~sz_GCl0H(7{{ zxiE7^C#d5=3F^^q`qZ5mZTtP3@ETc=+ zU9H7MzOcDpo(hm&m~eegsSZv((yF+(_L{+V1)q#&nmLYeu<@fAJjZ1+3uE*vL1zo0 zzI2M=0BUYhn*FBW*ei;7tO1nHqsY`BLND#C`~|3ldHWBPN=g(!=9V{p00b%dXZEGV&@_IH6W+n-878oH zK#)bWCBr5XgwxIkJA*C8z&S6*<&ixXM46ZcXBb%3 
zg&g9S<)1o$=gT4ktWv7UhW$kWvVU39*LB$$<^om@4trr!$2hK{pt^WeeBYZCfo8>}C=*UQl@! z_AUz|wQAq2`J8PUk!h?aszp4#W>~>8eX3!t0`ZmT#1ect2HQ!;E-Thy$pQwY=Kq;} zdXZdbYc`^U#Gk%Pb&V{(1DTw?428k&PMi|Dg7o2zSH3QVS{ zs1hRv`@L3wcL^fgspbx~ht=OxfL`3e9HIA3^y)GqUcc_?l6Q=#I1Fx{Qu4LCScw(k zI(08P`&U3&LfV^RQG}nV6$QAlrXdFaf_BrU+`bo#_H^}L5{cg5&wF9FsIF_&aEWv{mCW;loK!TXgS%)pY4GwAwhgPf|htUVw&?j#?7atD~AQ0OU_m&zIO5PEg*Mk#Otfc0*g z28jpxAffsE9a1$v1y(w{ew8zx(kRM;!_mwkzV|OS9OLktk!SU#!x8EA-AK84t}wTo zIYv6U82YH4u-a=?n)@|%k=y-mz<5nS@&AHnvHl+fX|et&@{sw4QS_)pRFm zQOxO+s!aD5Yi%gr8?tM|hD54WNZ$+x!TaqhwtKQ%f5 zS73Rch_~C+n(mrIWKRZWJJV2yMP4|?W-t5^+lrL|!#^|k!n2k@YWT~2#P!q$EkQ0r zcLt_K2;;yR%wau|{$Q)s!Zpo5`R$?BHjgct%;8DGW))j8hdn_`d`#)i}tGD za5u)0GWO~1_!)G2)vUqu0)5H*_dnEX>TU~hhg)mhVa4^p-(JJePf-@QG3#F9T|H#V z0t2;gjrdjBzgxINuZ8)-w}>adp&r-#Z2!A0xt6W`}IPW)YZ4z))Dr31(f?r^`f1*GG{9) za#4@xc2Tfb(?fE7>_W(wdt80>HVR{$ol^=SnTM%wF7v?S*^44RuE1l6{j~SMpqtW!RAWz#e3M!vRfhn+j z&$wQ`g^7`j&@UVg#J-y1mK=m<>T+fuEEsvM#GDznhhW~jK#EF9BLq{Av%9?Y`Dq+e zD74;==`dBYS|rGLl7Q}hqdkLM)V{ujC^u#T3jxTbZfuF0`FSoZ2@C+lnQioxxDIdu z38N_W0rf+xkwlQg3n^AhU75cu=lJH6hm+yzLV@^#c!_R@R>css-ew^lHtYEdni&=F z?^CdLgBArmCnY&fHAHr8SJJmZPz`A4Ti;!>>2eV+xaaPotk^py@iawTTX57casp9* z3A=obox5SWZy&Da+(3!So6s4h6W;pBaAxRUvWJ4aCo%%8$at0lM+HIi7sYbD;Ji7o zJ4}MHi!OWFj|fHRf@1gWXzCBxwPKnv()Aj7MHOjZVqyB)M{gSXf41KXG-Gpy75(A@ zs^qxwjB)50bQjPMnWpTrxtyN~PUn`_6f$KM7w=+-c&021fw=q$@Xh|jgu$C^<;6oE z7T?N!XDDfE({dA+H_{;7Rdf|~m^C2dvuMN(Grawvh(sf#vOhg>{Bt}|h;E0xd?4q^ zxK5iEHEJa<2yU`_%MW8>2E3rA1-pW=39T}hWLtIIXDNh2q`|;F8^Di!H5f%=WG_S7JF6$tiq+__klk) zKUAQDpCbTw0w@H(We4DRWQ(BEHgpgYl>N*^DtZy9HNiNEF@b)AP#(B=I6}l`C#udS z2XGMbF}Jjyz3Q^*$isk8nrxdYdI^lacdeA;>E?9lBy}lsCC8H_lll3flde%&xrOEd zZogg|ihD`iZoHFDZ!SG6=q&$>0CUcB@N?>K3# z%bFBUMK$+|9!gPoGqwPjUxJJlY$r!+n%YWm$>Ks5z}8s`?QhFd5i)O%O&;DVJ~%YM z%<KA>y<1pFJTC}=f-LG|R{;_FE$4JwW9ZdMPKwSu*Z{F^ z0t{-Im>^a73OTnmn_+*hJ9;Eexp?^PoiXRVVM6?#L8;7smDbt3qfs>A(+?hsce)Ra znW4bb9>?Fq;sTr&mt~W*;l^`LGNq8OgH?m?t1t5@3=!QZ%{P|i5q>~(M}-yybaQTc 
zwUvt1%2M#;=LHmrh5^?Yq9bJ6nUKi0=UOO9uwLK)UXZ?*DNPBKqprF$q)se|(B zZ-D4NOdZ|G0?MHf%5$k+EhycA8H=N!mN22P7lE0RVS}_S#ODBVmiiUCJXy^J#*L&p zpr_pwR)<8AK}fcn8qyt@omaUJv$l+h^MPa;R3(eLsN)^+5%i98i_D5-GKH9FU&a#9 z8)0$1IfAOrQbIpqPq8=KCL@&WP3>sHu~{u9C7`d7kX-zbrT|xlUUlomr_en29BDLW zNJ6YADCS;%cmWXYzg_(Rc+3Y;Pw>QX5!bf7KP?UQC*Q^_b+A4wXnsIqnTSAGw{UIeiGUHZeJV1Kg8=BbYRg0L zP!HbRdb-}qpie83&5Xwe?)XF{8lxLOHM^a~JH@iut4hu@mb7Fe>*2*BRTr^4c`UQU z9u`Ars_+T$JX`|9SzEuuDf84XPA^}cu4pwW-@o}5`%l2pThrc@L1gl3xK+bw1P~i5 zK`u9YcJZj?PjZ!*ZAAm)w;2*miaf%%dH5#3BiMyt^dYNZ&2!lV>Exj=XE8An<;JSW z0z!dgehv1kwQ>$*xVq=n=|936gP#RLXv=Da?g;qys$MX>!0G0>j$pFvCIaK*CS37# z%9+KuRa3(@F7f3NENT9Qj?@$1fJX}Vhtv!mNszHM%r2?ModHzNK@WN{2+an>(b~?U zAD2_T*=d5)Og@|qL&e)J+1)2;qz8sR4@gYU0_D!-)LW$L-<#F$7;q>;jl&DQ8+WwZ zuL>jWy>9&KMN(sgEPfA+96_3o7wS8r3cWpBR*HUtd)DfPhO)*Gmzhpd_ z5fXLk5Hx5Bom>g6ZB_74efdFns^;Bu5h2}j_3O;ov$NMt!lf;rP&)5ls_Q1a|ISAU; zib=$?W>RgixDAvXIKl`?pSw8@g)xS`;!$W0ep3VqAAu8D^sn5Si>pt=@3^Gv8=(m! zm9sg9*t{$9)@ z2pII%vu=QOgeNV?`khtc&jr^iF>Bnn;aISiXAmY>SC!{cOT06S-7=A4v4^7DgtZBz zlOtQhFTO8DnR)dQR@m1`U0Hs!i-d&~Ffk`lLou#!+OdJcPz(5}Hix86-5}=&m=2)! 
zU~{Z{Nt7?kl%a*Sm?}ZnG7I!K6yYW#6ny!GpX=e=y?J;0yyK|i;10_8{dubOh_4AW zimKr{$q=eDl}4m&6M6jd7M)3FnHsD;EF{^3on3QE>3B;4*Q$c(_w}iykBk?bOGyW7~a@L5$ffYU~)V{^y*6iO;8a-;R&|H+YnX4bQsh zte$idKKJFg1W-W@i1z!CD+GV-(uF(8^#JM?c%j*_^7fP_$`s-4R8AF4S4x&$^9O4J zaKrOMkEiH$HAH1u_kjmzF3 zIZB18k<$o2+>CqcK=3H>pwzVirQ!d9z`r}DLLn@%(cUBsCwHS2UmYe47vD{p!Dfj$ zL8sTglNWFVwOZtE&rRFmv1F?eG$4#>YiD3U^!rX8D7q|v%=Ma~A|b`Jw;GCvGBm`B zk`Gr)48}Iq9S+9YX${qY?&+s+e;Dy^J4YX=CX#ntoU&GBSpgu9Fdffntmr&C0(J7vez2mXvv985eI_eaEMlE`> z+4INI8^1fGJVZ$hXe;duf`8@fn|#sV_)1J!UnX+Fh=6W+wPA#qo-I-Fr1qL#>gcI- zW?04o)|rN7+Dtb`erK3f#et+(h2ofDRUZtm*06SXH=gtu`Gf-0y;p4$AMk45@79lB z(T)@PfWsJ{5W!qZvM$EB&tGmR$sdBBt?Oz?`hH)K<7I-85_AS7(}=KCe%7R`>UJ&I zho{M;6A|mL_mN8J(?b)TGPwaujgsz!z6GX5q0|jaq|DLb`I`__L-0~wSvcGXIWESO ziRk=nOO~)4I-~L9?|#Jk=1K)vmom|`bcN$s00SyJUr>62R0KcT)DtesG#vA+I6Z45$1M%b)enmcxh^>0VVM{ncr-o$i19<*9;;Us#XNo0z>YLo?hvgXUuB^c1ikK zG3bgUVmrzK2`7j^{3jwbv%=WD-$ey+PPiws?OMSpP`P2svn_0Mds`(_jVD6i)sLW7I#Rb;675yQn+FY2GMtoR+5k)qdcFW z>A=4amAeW8W$buh*ei9)5F#QE5Q}3YvWd3b5CS4^6oNEF*K%>s)?`WJF6 zw$+`FB3@wo$XEx~u3`x#gsBO#Q|Cc)i7SQf+Zy^oe#zfB2ApG710IQcF@D#Mu<*Z> z?+b+}U0_zn6ZCVMi?*tT=T$e($fH}LNH^|2di+9Luy$U*^}Y1uhapMZK%>UeA5pZ8 z83-ypS{T3yPv31;j+Jm1T5Beyt-OnQsH=JZdD_MZ0!?jYj>CWhya%!xB_f5za$#do z*vgTsteL*39l({i-`Md-ij@TkGc%=H-H#+b39W(>9-%W#j%`#kW;?N6WAoA!A#IF~ z9oY(xv5Z#3;3q#@Qvh_nVJAO~Y{8{x!%~fwc#n=u7$Zv}0Ka9Df26sIfC8?uvr`O(zl@dLDmvXku8ITC`2hCQAh^$4H*`kkkA1n!@wRw_>!sw*9b>mR&&K3PUUDa`} zEr=!qxFT7Y1Nda|94g?VSt(wj!S+gPZ zmU@4i@M$`N(v!KQ`LY2HSifH@ShN^4-t#WGegp3Gyf6G0sF&^kAWnhpe~DB07c2d@ zQ18F){lAZT{}D3&@1%=AzcJF|Gc*4K!GF&5^Nkswh3%jG1%)5X`w!_gwlVtW2rTUX zuB?%X`KPD(f9zA3)U>qS7()G=(q)L+L?tn8JAldE@=zqR4{Q|IDwhZ@knvwKivzP? 
zTlic4-C&A)4A&-PUhd3`64K-aLwCI~+!l-ZRaLz>ZSlPNuF>UPL-~CDsi{>VvH9ZY zJEQE(Ve$Bs{q~^Ju=!ORp{1;% zyj`*Wqi`m}`beu#_*31t5X$Z>wOR&r5Be^%Y z)cSa9RO@SZ4&hN>%=P5!nhLc~K=2XVBMVJ-&l%--5=HSi)96Atc1|x2e;K?BRk6@E)h)btUj62p+c!GX6VDGGYLj+Oxp}P6TLG z?lSC+Te8%2EslBa9%6yp5_`c;_&q|qro|RW!DrzzvF6vz?g5jB^ z*;V;urZWML?OVA%b-Y_JRvH$;Y=Jcczj<*N!X8-5)*+CK93qq^5c3)&teZl*JT0X0 zpAN?PFB{2Z%6HwuGYlu+cZrHOqKi)}B&gz~{G}xjVgsx0| zad!*Kn;_f%?^a*r<^xk zjagz;I0=^XP`w`?RZF88ix`jtMykfanv^8$g4Jo`ga{dF;{%__bNYKvXk_EY++ms5 zKsd??&(MWB#wVgzFvgG>*0pzEbAYA=42dN6F4GI>8Wy3#6daz^oW-8fPn@mO0GoL+<~UEM{(Qe29Y4?+PCPPThUWq3S}&D0W~ud`9U>sVin1b{9`QbDcy*xIP`#2}jB21qzq>bVHs@ zAG0}bj6%7m!N&t5&A%r(GobO<$5tW47*)SQCnSrBtI{4Uk;aA?&jM0_VbXyYfpGBl zT^xnAf=*2{n)Cn}7gJOMgO0L2^%^UFd+_JiTnCuuOC@o5VUyoxOU6ukYB(8NJ@>qp zAiQm8j}YEN2a-%&i;Z!m10G8a1x0n9Mw&GdfeNAxL#Su=3;eQ`Lbe`ycNL676O&F1 zhMzgp>-7P`o1q*t$$cL2JoNJ;LqG7Vierfn!MN~Ag+7EeWwh97c%I_}6OrG+792hG z_MrjsfeJkAlkQ&aujDQ--Y|&X4TTxrw`QFle2`0S#$LmftWrykB!N)>#r(~gluyy? z2+(3P6Uo0!M*<$rTL>efU30gsIKEea@&W4X_E+Y6B9uh*y)OL{mCF_RdFe>m=TmBn zRCa5n)q#`C6CY#^qv6jaJKGM^;;fPoWUb$aLd5Y&;jA(T^?YXg$_8T9Nqs;Je=%Uw z-;&N>zY8FUu|+OLI-!f*WLO*qv}xNO?_nQFQUqF%|BBpQbw$|j{Sv2}-2L(;yrVYa z9omTr(B;8h2DWI!4NJ!zBn3*ABdkZmJccJ;v4J8$evCkfP|{J*B^jh}21j_b5aMkZ zN8e!Nvzicq4)qGu8u>*u%e(Df|3lp}TNA)Xs5$u24Vsq4NEQmMd1G#-Kt(s-fIS_p9An9NC+<0Z1M$LAub2g`~hGpy* z>*?(`vTejc-!jMF*mxRai-q2M~{>eV5PQxui z$?s9T+)c_U0*CAhodo~rF=~ef>Tl(s9FzAnZM3SNOulH$uu}09ADSFuL6TsJ z4xH7h0)X}>gajXY5-4ZBXDFH}L}rPH)`vrnm7+5mIxS*N7IoXAxn)z=Z+7U!Pi%H< z=^f1g^tbv@fUfHb<=ZtVwBNG?4%r~r#cjcu*!Wmt_~ezDWi(%;Le>bz3@ENOQ&e`> z@I@__RW_fGxuoNQc*XgE(**L{xvJ20{<6gHYF6P!bz;@^(YD3(1~tc?zqdTv$-xg^ zP=Z-InH+3QE0?fBrS=51&FIH7m7RzKk=JqN-lOzw;|r>{N?4J|Ac=;}ZoP7RNcMiD z!oCGU#>*jscl|WJ6LA@t+!z1jl>chOaa?5GuT5RI`gi3q=90XALcGtB^{u>ZRLPy3 zhncqn(JuC(A4yUr3T=o2p<9HQ3Val2RuUrt)izK=rC0+pW6|%fzBgcoHGT=J_V>x^ z;)ZqUyI;&o@nH+o$8!{SUlh++fxf7%RI^ys^E4Pg(=H9xAln81jDjM|JzO%hm;*=I zv-p;DZltxqY&rHoa)BOKU4N3V=Y)b;L4j3)^uSZyf_CT!=L89r0W*>Y+uWPClDsw7 
z{k9#$+gJHrOqlqYkAswF%cV6PJCv1newQ5X?Fl%=93lL94s^k$zjiSpqtD!_(}S1hzB2W}?V?`{YF=sxfYyP38`G`hgjKZ69sO5_!?Wtb*H&m6SoZ>hiTyi9 z3#aJ=$919E!)QkQ*;T%#$z-P_1kSefTG&`er;Hu40>at|j={bw7*@C#^w5(91dwHX zV92aj_0N-F1}L6XR-+YT(Nlr%b+CAy@mK+T5Yjw7Tp+u@^yp(7c~K??$4>m62y!Hu zGDFOt4Z=w5P;hKw--d{?R>P?zFGQh6QZUPBFNV8_+urtUfPT{*YI{A9`dVKRAJ3!L zYuU%S@mJUjfOK%L^0@CcYFx!% zECz2S^njiPzF_IVhQy8HG9p5W-3+2^Jo$0O_DrI*ae=dk>6FhY)rDp1(@>W%C%{H# z&rO(2@Z`~IlF+gApCNj>tXqV4FriO41+z1l^*AtYo2yW>nmkKn!mYc}P#YrGVa^JJ zGIluT)n$3wrR;t=p|X>4-tsOu?%RRzTX;u^Y|(c`ODiEkBWLKo#R1ovaX+7u?ZR)j zC3zdq{KAMy&l>y5)JBgIRY&xeGLF9?O&$!|A_|btYcYzHp^CSd8A~@=Y1V3yrl>ZX zAf30VbKk64Cw=g<^VP$Mdyro;YvuKbn1M2lX}d?**VK9UC{3ND zm75UgT8E^umXBfn$&=LUr3qA(2#bcq^fD7ole6qYjzSco`gB{MZI8o;f)vy`Ju#mE zMpHZGzj^{O{Y;sI7)<&opvIg^rK%t8SU(%D(dBwMGmKGHt01J*AU9YNX5OgIbKiaz z_1n;Z7aKpHeT5RvVH7qW6y1`O2 z1qPL}(CBE#iJ{XVv~hd5=oBoYwkF2_+)M9>LDzGEr>NMI?oZJ9(nj|XzBRO0PPTw#@BhQReRU> zn=f{pZ2f;R=(7JGXqwpn7fsW@Ccgjupi3uUV`J;&h|j|Q&shD>xcJ{^#ee?m|KEe} z|1{kGH!`64bDV#)PzpcS|Csz)*#9v+D&TAXzo+B)cPHVWctZC7Gzm9py~h#_+kbg~ zMdVjywQ|teZV`9Q&Z8l$Fu*}gasFz<2ModpApn(o_y&GGyH$3Tou+NuU;??6PE=m} z`RJb(|Hn!OMTqc*1p9`y}&vLB-?!B;)O>!2PjaL|yiO$vl`n z=f)rPZ}M$7eXn-Ed%s_DEq-XQlosGIQP^uYOtvl_5LqJU#yQ8G&G@ z*4$cyN@GrZ=J`vu3~*@I?7}Aey|HTROwo22ec!jC~v3d+) zt3;#utQ5zYu4i*6yRp0dlC5u{@9hQ09K-_;B>rgYX(#rOO^JPgBQqS(_GeccSZo4& z(eSPp_J(p><1y^qTZtb@^o}A&Q@2^tt?Jrv%V7!k0&c%MPRyoa zT#g-qF#GcW6c&;Sn5~gnpm1;T2)9EPJBi!S<&CybHkb6)zZu$b^|<8bg(X!}DDlNY zr7vYZhI@Bo*EY9av1E*uIZ$7(vHks2-*0K}9cpg1g#a#Q>;vh@w_%)Xz(`LP+@=5# zsjMnpqJAgk?TZ1px9CPdSVI$&z#cxLpDs}qAfUU+!U<-&k_XSFH2mhbC-nV^ZJfvp zGI;E@#|Hdi#ZVvkDe)1)44*V?OUfGuq_0Q2ZmgTGa z^SwVxfU!p~pR%nl1I1UGrjedS!m4=iy|p}|z@l2F;@`JiM!ARVuB zReHn~etdKNdFN4nAN=(V#KBKhXPG^dIMZz2jt>0DZ(bqXv@3lM!kX^?`2=wiE{&gn0)Mrz@!IZ_d zEoYjsTPPUXKDbeoQX1y17%Fe>&-Kt%ZI*+1H#`5!7QS^3TXFB7zdz}Rz|l6vnSZ-z z#@_DTP8dF`hVM$wD)2bdY6)OT@yD$gF~7tY6%TKt$rcbJO$z(^VQ1%L$D_0XtDM@z zj+8I0_qnobp~EjDnwZl94_HOaC!W1}CQ5FnSpE9R!v$XU(B@O_z1Uq=kix3&^~N1q 
zxv)zemvhm}AV!@k)F_83!Q>#H>82R0R|7TOljXmI=PyY+@xv1OM&`RI%(pcrBr)6Q&! zSnz}Z*Hi7y;eHwAGJD1_eS1&I2nm+l`*{z)x>cY~Fx9Q_Y~R@4aSVCzKfslef_YxW zp8@m47MC>jH;B?1TJ}%h4jpsu0K4FZbgSDEXsH;+cLf)Tx(=Xqw-^svUY@wHQ+PMl z;M|mOQ_S$tRq@d8EK;KaZ|O6Qh9IxYuuAIhYx0^uS>}D#m=@6xJJov(ADLq9eX$!J zcU-fDxC!>~`1Y~q)B%Z9t1^6=jokEr(&H25-QFnr1+e;BK}E@-?3e)}8!_kX!RZIk zV`!HucS70(<6mbX7-ge}p&%I50h`Zx_TnRu%F7sn^mkrrCveaAh{s`63lfK%BU~cL zN1)IIh`JdK!;BIO^=p#7=yz zW6q$Cj&CR@LPR6~X^WDiPX!58)Lb7{xREMJ1npQ)lX+{)kin>vy&z5r=iAlV@k*&W zK}0)*+gV;=)X%VX-n6=k=ACtR=i~rvi(#sjZhulYF;o=yP>~8=3@B$)yJUGK9eZFL zUu^z1H})+5VNI$pUCiBhDI)Miw7-5{+K+li`As(1v410r4ZxAlIWBxVqB*kAFD+tdEPyP*ogd&py;XpW=&J691j`$GhX9Px`KP37@O({=O zMbeH(dY0@dkBI_DJZnT-g1$=G1>n&KI0#x50uUOgC0LHU%MXJDi^Ud(U1Xx^q$gt# zE4!<=78H2I!3M_2&Te0t$?^Jhxy)v@GWmH+FVmW3w_QWb`Z~s4k3D3TV*6{JS6`~> z?uw>Gb+g%%f!Obop|zqIR!og?*=6Kw>bes*;AC^zx3lD-{7`luGt~6g-Lj7caKORG zfL^qmNl}s9)d4l7S<_)SK1cOKT88RRik*?`-i|EF2xOZbvSpT9;6K=8Gjxm z+DCNR31I-QQ4%E5X;LHrek;f%tv|K|G5$^BM&w$sC!!~ZTJ&t>8s!-^x|&?m*&gvBh^)s z1G?ie^p=Y)SJq?>S3#cmJ0_qfp5mnW37nyCNhqUojWAMV`3PVLh9iJ|S{z6uv$e5! z!2{&)k*PS@ivVH{J__bh1-SIiAYvl|_Y(g<%4sB!zsrCfsl(}s^|=o9DGZa{<{EW? 
ze>*^i)II&aGcad+Duy6>dua)=WI@kfz0P8mIo)*IhkdZ?G6)u7@$O}z;>ag*OD}HC zP^h8GFxBGOsHjB_h{9n@Osm!PaUPV?BH|DIz=v{!)I3F=ht0qNvE6&>#* z?B8lN9{8N=E4UHcYQwZAs8O7krC2Zbo^!8^|D5cc8SRod33X48bF?Me;pE8ln@ZYA zPW6V>b@fj0mcuI6 zNHf*1WOgb+#uz1mHb3efZGJgRO=fzmMG3T^xd#~kw({Z!OLrT-dK{d9z8~lI$!d(G z$f)}k`5)CI>W(HZ%R)0I7dF0qy2sIEcxU}cCJcM=#4nz8d!kpoxXXDt(+*RYj_g&J z+knUf#)fae3R=?(ok=xb(#LM1rY!#f(7*n{uG3nM{||BR0Z;YY|BsilWn`r!$xOysR+2p< z$=Hm2A@5kNkK3wPhyvFN# zzUFnk4|YO{mFX3dWblq(6-h7_kZqm0tvaCVTPxy2l`j3p0cUl@clIQ1DsfvUf$hzj zXdwrm)o1l}*XRPWq*O7~X+&1*N}lyFBvKh`bfmHSYUWSm^;eZfK5=qf;T>(tkd&6yUhRccNTngKyw zJLOOh^Osi$t8&Md6b;NE_TQDIN1|k=XgXzUN$2u9jIX|nkhw&0k1D6GDWqHfXMRz- z9OXOlE=IG;I|QHJhdupzynj+QF!({|;cM=GR4b(!_vG+q+lUY1&BjzsAGYQVHM2b# zaG*|g0Xs9Bnw2w`tLpYOtf2x+Dys4TC1d?CO<`iq+NaX*OG1C#Vd*`=n@nJkmvIT& zRyYdjGGwbhh!aXoUH72>p1y4o?DFgC9?_3{@VBCAr&Si__n%XG-*m6;Ri(5@nM%Y; zgie+#_1%llbaOm=FXL6=yVP)PTIv+On~84p%%C{Klc_AAMy6>c!^eW99Uc)K`K4VF zC*mYbu1=4en@LAla|>6Ff#e7tG^^+)0o9?@+e`*gf!y@11+3&SpFmw{bB^lku^uF; zeh0`oTC3v*L%Pm+)wRLt+v&1_>IdwP*?|=ACoGxu(-4GP$3c%fZ+sq?+4376_lGx) z->ip!@~?7&)Zni zoS2d?FTWP^ZsFO7n}i8ppRKP4xn6B(DRguSTWB7Qu9!={zWGe=+s6YEJr|fdJ}y*L z3eHm>SS#XKd~xT*+SH~*sL4}o6O~>FMT1VV)osv)=O^jLlH%HRL$nlnt$07*zt7Q? zd~LlkEXl9XJX<`lpqAYQS4FRI%r59QvtQgWbs>Yl`nXi*slutMjju5;i^eRnAFuZp ztDX#Oq=De~;UCf(fLQ zW)nxn>PEaAG7fp$TiN zM+0k0ZM{!)w#%*$3gXks{8{x7gfw zqYgy1KQ+^b%5$b(I#eQE6FaqbhBu@>Nv&LN*4*-Zm(#a64TV<&s$z_pE-!AEb)Q+` zQzO@8=a+d>Xu;i#{b9b*yvM{cmmw_9r`P$n|B%AFHl zc9wzMPwdB>7nR4~UgnDu;BYp zCO$|@BVivy{;-U(XGxNxfu`VT)p52muq2(dOwEa<;XU41-O?kGI#!?}GSIJS>kHy|ce1Kbc?gSR zIn*k5m_Rd(no;q=;pH^?hz&8Hv*t_o<6ROrgI-<4BBBx|TcW$HZT5gai!H8zh^{Fa zw?wt8QX`8fmJ91B|Bbrvqpv11k60A3x)n$2D;k{3@l6dlC(-SH4p-{U49yW;+`AdA z66$Yre1kOy7jP{H6B8<^XL#O)9K3hR-2PoatSt+dPqOZV@+Hy7$K0S2qB&QsZ<@Uy zT&w%g-ARS73$GZc82Q$i{pj7(QQ6?b^i%6S51U8tY_+neeP7apQNKAk^0Be-NXgf5 z*9vK}V%^w9{OkGB%|wBtPWe}C)Ku|bKhHl(r)8ruxi$_ysh}gKx8RY}i zrEE%c0;d^@8O$1j%adp|oB9aB-Tb!%q8>z5UuEPX5TPG*JzgBOY4%Z9@n+jn_h}W? 
zgW*%wnSv3DvkgRC%5d|LdzN{C;U-P!{9P8}$z)A7UxPTji$K(@({7s%+D=?0>%7oFCj0@w*dX z-q^9yFVRL-8*ryhBs0qb*XkZA-Svp$bb-2}2W}Kc{WOzN7ce>Ib%5wld_4V}Mp{M5 zxzeLG2W5}Gw=%tQQ#x2w^vzKwaYmA>VS*6_kCc;>mBn0DH(2Etoj5vwa9=5$kTA7n zF}Oh)bJ!rEV2DumvQKKcvS|3r;T98vn?Vn-vkuDP*>_+)mB2dazj)iahR$08KVov= zF!u#-7C-WoGna~gzHpDP^ZZaW4oN% z`jy7Qb4$L}@|w?5t6PpRjl8}1;sx=PnByDPi}Q)G=3y!dLZ=qJ1y5-mk zWMvf7r=RGP=e@kraN)(-mtMK|my@7^rWr-5vwZi?N0j*TjePUT}9((tl_-;iy@Flr|ByfJf?N8tqOc9)n1P3@vd}g zG_)``&jWQn_&l3{D&&5g+0t32GfAZ^)c| zd#(uDeq$y(dYIm8Z}fb7kGPOfzR4dh1+>8M|sO+$Cek(kkLNIyGv>+ z>=r$)ew6%h`hAYTZowl;8)D8RR^a>$V~zTS_=&Q-*=d5<$07K>Tv5VbB$#hbLU7D(^irMV z8=s(SlJ3SEV~{Yig1wklVY3RN%J^_B_V$}&@4{J~p%sVI@!!AE@EJC{o-!9U&v^4q zr9^#C-07NhB0O=BMy=Zw*pG`{HU`Mhyn~~?v4Pd^AU!uA1+m{Xh5Wxt-js|TY@F;3 zjp2z5{yixWWT^lDPJsYY9?0+h|DW>MmDT{}DSl6Z13j0bfxWS{BYeQyg?{jR8J*xC z`RKXi%#9rAwdl8}23|CXNPK{|fAAxJ5P-P1zXJkor%6EY@N%g#zzx z#Ha_*Ul&9|e;urc@@)44x}B6Ffb##!(r|CD84R@DXBcQZ83pXd_FJ-c)&`?)z~JSO zh|$3yza9_S9z6{CW-cWH81gnu_}`JY2*7_LOH2{TqwV&)x`C8947veAtp|*Mdy;oQ z4$+l;A17~YWNsj8<4UiE_!?)_}GBLoD#bjW3bcN+c|_-6vx zudT5gZSPWw88{kP+L$85$rQPLeo2$6vAu)2jWs_z?*=RGJOSv$KP>;62=aG_W}s0_H^g7WD-fXs3(tB;GGE0Dgf74B~`O z1>hT~`dqCYA>Y-WmxmLwt34F7lh^z|M!*C8;~QXPDJ|M#2Js@K9PQ>%(2fY8+aCyW ziO~jtK>jk|-Ae{Rast{<2cd3C{Xe?D`{_{d@AchRe)h~h2!6jR2Ga>aQXAUc2lM|< z8t>bm-Q5Qx^U3Hx9kZziBP+PkemaB)v%aG)EkSFgz`PiV4H$+XOZ5AWOvt0(9J4(I z;X#lf+D`}njS~J40;IY^`{^K*Re|2Tb0ZiO?WaQl{I{cDfdmMF6DDLACxei+5oiNI z003z05E$e)`|T)PV1K|MxI#h5?QhBl=!hLvyz3iK7$=eget(1aHzn*S?Oor1f&Tmk zKyB^lVc<9ZP+Nc*`eiunYP?6Mpw6VAse@q171>?_^d78iek?Fi+-$db$g#{P^ zXmke5i;*0Fkil*Ar3|y?P{798&rpUt1DrevqXo6qVF0>9j~rlpzm3zK49NfD{=bE- zch5cu`4R2;fdB#|Xe<^KvwZ?!eza%`5dTN3J@jv0{T`A6C{nZ#AecogVUXXE;{D=H zFdi@`GH#BNA1E@n^FP*W&k(?1%r*>WObEej_ku8#AAq*rPci;MgHQks?#G(oJ<|zB z9p*#J*Z^Y~3&6~1hG3@RAegB*FlN3Pe6CPB3yqx)I?`FLPDc6U?h>D-5I#6gOY>& zRNNn15Q5o;f?&8qFmo#*sMl$twYy;eZr#_Y-jm~o0Av`AsfYe;>i3X06yO-6X*vFF zpX|W^VV2#5$Ad8u2ry<@12ASm8xSCEfW`uVFxy!W3=@g~Hx7-?K)5ktG#J3FhW#qc 
z0os9Z&z2KeQH8P3)Q~*XID_9MLjjVPHUvWS?3e5Fg}^)HMtSuw#E!ZS9gxq@9ZrOc;R1 z_lv1Oc=w1hX2uH?Gf{>DqJ#UHnR`=UFhDg6dYcgj@XPj9F1t4)2oQ}%Lx!M#D^A$M z`jEf*LVxrJvuXnnX4@BpAvyeQw7dHb0eD$x%q9GaMU;X=r#XgoP?*`(5I_k78l3@S zCN>}pIUEp`LZdSf%nF-8m@N~$L=lr^0{_h}+AT9MKy3tio;eu9cqTG`fVLS91K1Ym zQ6>x-c-jWoFVY03us`Z4VF2%Tr^Xh@;(wU>FhCk~zqB$uan6ZM7NB?^`nM#>9+ras zEl;xN8z9Vz??8YU5*i{60vNyOGzaKKG@65vGKjWJfVqFWW@tPe2CxIrSYANY23l4F z1mLQm(HjV6Qv<=wjex>_PtATBeQ(4aj9HKygqe~6W7ZsmS;+txL*~TLFZkQ8-OZd3 zfS92n2Vj6Dg+_B2z_Qyf&IFG~{*fw!0^;ZU1qDI8P|iO_fEg#i0BgHn2@e!bw8+9p z6c54xvbG;J^YDTHpk@eW%m4*+Y2UEH?g0Zx4Xv#XtaJZs!WjBDy||ac0p>UwA^`#@ zIy9OCO7+khEC@4s1_8tko!+)*YDm3AVAU^o#ud|Lo}L$F$;J@ z0jVT3>;@>nDBn3t`ac{-5N2635Fq)B#!x|+MH|2XI{=NRg8_9L=rjko>*zGcY-Yfi zcpS+pHd2xcM=1sEmhks$;im*`CA-xTleEeOF(&|rX^(|*hhKXLbG z0X|@#?DvhmCHsK+M~l?}tbkT~D8K_jW9I_27g~>p0fKG&1-tiV5TJjnQrRP;aJLFm zW(LeE8d3xTh$$M);o1__pZ&P=&r=G3`s@AN(!J*c!I;L>|Dw5eZvqfz$8JCXy^F@= zfHAY(z?cyV7_;;N7{jPHz&%D|s8B$vYQG4@ABH3d5NJl@=@86viy%PZI2um}1c1@n z=U~h_5B{4mwOb@1n296=V9ug3Rwy9Kv)=~XTPy|vl<}eg00V3hGzvGNe=FzO!+o#E*j0@>IJ2(&}j}R??acNDUaXGzJ8aazbNfpa6;A*Nyn|{2c_d4F~}Q6w&Ao1he2E z;0Oj3i3C7vRk1;F=G)Zpga3U zn|41P1}OR6&+yt?f($T9(OLsQ`2$+*p?{0M>{VEp1ua3Ci6{s#05l{T?xkU}+aVZw z-G4b_`G=hh!7OeE7jBIDj+u@C11udhCK8O9;|a#B)(QqNi}q7k@G^lv3PZt|O+6U1 zBOzeSh!BjK3_}3*=x9tmyp#|lIl!!b3gE+|MF+{W0!{PkEvN8~koSLwM_lw`L5hX=VHz?X4t{|50*Rx?LOTL%FyE*BRU zP9t*%15PV*OD=0;M;9A=3l0ZkduMa_HJDsZhK4q5sCzU~k%gVHB1+o+>sa~u5OoZ2 zYZrboApBqgJgox1!VaEQ+C9>pqB#WO{~9S`+w30c&PGCw)X>4+kki`S!I9I{#+l31 z-p0w+f$OTWJeQ%Bvn>~3lsiV_&L|Po{9i{2KY0(QM|emZG1y-#3O5coVLZFXxkLYd z8z-V~yT`fHThuraD{5_SV9Q}>Xzc93X=88tdvH*cp4k~3BBB2u2e*Cj30{W}9}PVi z%*P40{lOp}_>bLV+o>7&+t{`pcA%W^geXyC+r5UiPS-5W4Gj>I@4#hb>}UWNVFz0- zK5lLf7=+8-*qH;yWnyk^V2N5>D2iWq#*c`~{>SmdZ)re|964lqcwG%*yTVgg@E^M; zU?=kXw+TQT>fXJ$JIB2LKbrs$$^`y30Z489A144FB0yBu!=t5$Y%rpL5-#iTs}SMr zwQB-U8vid7@ax`IfCQk97@{U%d(Alw-L4tiBRR{#(cIL5%Ng-%dV3CAdmA`yIiS`X zgo;ujpv8?H9O<_&%lMBY{&m(5j5JZ;0WAbw^FZLN4ID2BRk?ryg&}SKe*;B&Gdq~b 
zvt7GEcL?t{C~~d;4Rreq*$yhA!elonke`v$yIt}2Z=lFRmK{tuS@P~u3LsR(g}QfDQEmhP6=6^O8|u!gA{h%= z)39q*QQpOGP$X~uM^F&_!Y=qDw`(VMCKv|Yv#fgs7#RWiM^q#bYKD2>T59)L_ewCb zl;s~$5jZGNWPRjr)SYnV?-~Aesr7#{9O1GH_t}0~r#myuzl)SmDJlTswlVRa5Pz*H z{AkthO@pju1r8Gxzye_YgYf>s+%B2@HA)ct9#GIOdO%e^{02o~_k4AM9KkBhpk#^E=FBJ7qONkU#6xeIj1wEjI(WMRjD z1pOtx@G}_*?`{W`pC2CW*o6vo1-6HZERX(=sK4eH39|zVzo;0_7rQ|BaxXF%{vSbq z4Rsp_g$hP!*j=c5xfhwC{YO+J4hj`+q(OI&buafKLks_iio`*o!Vux@U1LQM-;U3| zy{yOp~)|0^mKS#=A)T@Rtqe~B;{uHJU@5~`XEfco#e zzm0=J<>&c>m{94>->Arf@Bcd1ZL0--$O&=%*{`v}ZwdZ`nNTq%0P4Stb$f=laZsq> zKV2$R?Z9tTtp4C8RNNha`Y$_Yd%teupisfwe{d5jKm8jOd9LE$#tOgZ z3XX$9g*&jjjV4sF9RT$o%)?*n3Ps|eP~o2PZmS7ZrVBv*_nm_XU;Z|m;N_TqgnLj) z_ur_<(xQKyVI&S}th|T_3{bzK&XxdB|ACvf%_jK0hKO9$FY3vkc8|rhef#jgVIojakZ@hI z+g?HyJ^mgi(wO--Oe72n6b3)c0URePaR|WtXBmPaP*9NY6#8yk2~~{)!2Aap`n8@& z7!)Y)A3+aPoeKc-A6&R?xrHH6P>}HK&TcM3ozD7=`RnGD|71J-8YdEF2NeEtt6i(P z$9>zr*z}(y2=M}~Uv$8Oi~{dM+~c}!pHTUah}-kJ4TA!OXBqwwpgo%tf=sOb8z>S6 z1q$chT`ts4UIww2+gUkD8~EGAerGk6?VXIb{~&7MV7&cD5yXGQ*pQ)rxkX7hbYG0 zX~zq%u|@pb`5U}MhXC=~E5x;Ch<}JTcp=Jm5YIvUL_Q1tY{c^rpAp|h{6stx(FXAy z#P<>Z;GYTje|<(h2k|V#KX_X{M4MlqLEOK7x%0=JpU4MoHzL?+yz{r6&xpYw+5z9# zwmow@-sdG_Yg0!vWU87=(%jM!o~GuKv@~!u7B@!DGd%zD>jjFg2X&%fhbD4UNPZRc zyVv!S73WZV1nFC|+=!y-u!OaPcyV|+2gREhY(`gyjj~jzO_vQeztI`Kt6C6Rd}ZL2 zxY*jgFh2XuU@q1*nN#k>@M*d`AQ?#Ck$LyaYxx&o4n+pbTkg8!=DcfBdASW0uSsI> z_kEnD)2*B#y*SffmKoH_O*j0au&??;zux4Ai{MK;C!rjRzL&}NdI=jA4tK2$6$D&#`E8RWvqWGMD9--WNI@U3oZDOv2 zzZjIJkbCaTt*>s%MB?-~FYn_us6L^`0;!w}6lP1TV!}#qKkmhV^+ef|8LM;6DnPgm z=1za>YrL9epzy~_PtIU<%1SUie%fbt`S2Jy$d>9>b1tndrMMHNE#=5PCA@Ni#WEh6 zKKS}|tIbfu1E}YIo zqeiTK#pSk(wPFiTJ*;M9Hs4+wJN@kx4~-*}UdxH-q7d7Uudf#kyq6{-mimT$>sIqX z0O2+Lj7Q~xI5GUR&+mKQ;rG%}JRvVJih06rZPRsJvV^<8;OxC7g0l|RKR*{<)~b0BrYGs4LA6D- zmQr*o(3|wdv5VfutI#~3W!%zZ7swD51-swTiQv`W@sZ!00$>CrLns(nA&Mye7nLA| z+0=m^y3Hw~$d?~-Aa11LKokJNuiE6M2XVt-@RAG}_)81T4MnU?Esf#mTp|vJh*x3q z!TA%BD@1MfZ%Z_=l{PjvHFG53fnSKkb=A?>N)_=9_3hu%Bi>5GCE{#~q#t_3 
z#fe<<2Cmzmkbua}!#A5T7|s?*j}BPSu`6M?y*)wjG7w(4na%ZUx57{K!CB_7`?add z%~QE&7}xVnMRB1EbG#RG@ld=BI4UH5&Ub>Dv55-ru57sU0TC*{!=#6)6|Ye6=BtVq zq^W3Y`QwZFXyy!D&!f_`DlMSQ@6Lo>Pr)_MGg|R(PkQ`rYC~{wYISS*O~c) zjNJo9ijt>y&z|oOs12aBBdpgxEE32Tp|UpDW9~-U+~Qdzm~!ql3#4o1a)%dKCX808 zA6I*UV)48_cP7t@a`u$5mb0^_bx)q9I>AW0Bxh50Kc~=Lj=^TBClRYFrHAHEZsZND z^t?__I?+|v%UbD2YUC^AtAnR^+Kk)dM2`5oyWF=PD9Kih;`lxzbEc;i>sVqlax%Bb zyUdg(p`5JKAbU^~4{JtcIi{WUiAv^+-03DqUnv#MG$op%iM#K;i5Q3+9hc$>4mA@n zy^f8}iuTX%OL4!#^msla?r>+6Ns>^epV8oeB&77qMw@V&pi@cD1BMB?!&wYxWo1{? zjzlYGJa@-8K06T*qom7z|2Qe39j}3Ft!8+nmc)nA48ofc!H*MZMfHvRmSFupwH;n+ zPd$lhA|6}R>dOR9|75~HZ7ELLMBJdv*4nhZrAJJ`x3QFBRKWAGGQB@{*3(4TF}qTe z(C;fKMUS9{=_o$I4G~S>&#(+(!4K5+pBnPpRs#>_#SH{({vaK`!J2<2)682*{j!pD z3e_VPq0GTkMX}$#w!%4NGBl6WU#%~dy{962F-NkG-PgEZncGp(6$=vM*N*#HQmCfA zIPJ`rw59mR!4zqIcAxFB3%CecWtgyTMAjXw<}WSnVI&#@;XXMh(iRaZ6{Ak&o%m9? zd=yeIIVL`6@BwE`_*=fMVK14WqvCqDeNB`n#n7UiKG9{Iw%G1e)#@caO-TI>gO@+$ zDh2~@x_aF$dF6LrniA_pnz!$eR8wF*b(7aYZm)wKp78(P)bKo*!BkJG>EDs9wC?j6 z{|18=8J&c#AFlenmjw151+9{DN}GP4d@Y_F9TUkvDKY=$kUL>Yf2oGY&A0QK3hz0% z2o@t}@Q8xG&}BDK;`%*{mg*OHzqU*`(mX4#UTLxNxK{cTKanm44*~C4cDvg}Sn(-o z(t#@FG8L{ywMKGQ2R@som18Xr<4KV|7gtOjyd?PI5|~<~Ht8A8x!&k654g1|T$Oqw ziJ!AxYDmAVtZH$sm+Z=<=ZKl4@#}AQl`dizsLSxXYRMX3F)xa#qrvrKt4*1yFPSqI zY4eh#8ef6M^C*tSh*k44!W|~V0t_sD~=6Tg0nB&!uO?|sp67wNw9+0u4G zQFSm*l3@@QGIP;+t6()zp-#6_oi9``$&ZaD`gNCO!eX@#5*rWrpyPL?i^&Y!`b#-Ftzo4)Y&^Yw4g z6EH2^jqk&v4cLq>3NDvx zmI=snB^Ieyzad@|5>UqAvmRaKTYmQ*8Kdpjiw`cJ8Y{pH{vom^m78WC9oVTD9l`qJ ztZbNgn1lwiJ8KJZDNoVYjvKgRL|7>wJ<21e7#mas@6a1OT|E0^MB<{t`Ux@{75np~ zKTUPGX1_(N(%9XLj3QNAruE=u@6piGnL8cKN4=bmCq;HxDX<*dz)y*QA#3h*1K7j% zK{@=H7ve&0OECmaM5TF-sYMX?Bor($rQQCY(|H?oAS(8v_Hojy^+-*XDrwK-MssI(8G;8S60Wb ztcrXi3w&@@eND3MMo8RGTF_!pTuMmXVo2PScpHRaGKWk^86TevLbw#Co7>>sPYF&T zh`&e_KZ+NxM-qREF#eg?^t@KYdQsBUnPrpnY7A^m&Lbx*dm!w?NBo$Y&N-Ha zW@lNB;XqHU2685rQ!qL4bdu6$R9K3Nu2?x=Ind18FCihVU_z~OW+Q>+V(L$MDiD#_ z&j_8*c>dWp&Mp|`c*NMfD^QZ`LJy<**NN*+h+C6LG}vZBmG 
zCQ$@Q`Ock)m-boR`3iQVR8i1^#LDftv~g*=wpi^to3f;6)^S1MG1!X;@3s zl=1nE$V=~Umn4`sPTwx+TGn1nw{k24-@PxdoT}x(Lna00tg)Bxmyn5`EoM@`u6d8c z?J&FAdH35?BqtXXxqkwt-19c*zr%6BtZpFKPj7^WAT%&{8Ki{%y( z;QFxf@^dFVD~-ahXjdC{cE3LqXk@EJD?D)GJDq^dDuRIW%GIau zbH(Z3sli=tbNreJ_Hsr$Z(9)EguQmLZRf{2w?L2E)v%UeF8M0TDj(D0I<}x_mW1wn z=p}7OZ(A%AAAhP5ADUon-7H&kiPs{}B|B7Kk-(ciUSJ`LjI$P3XHzrN>((tyDoo0; zy4}Xs`>MpiD&nc4X**yO`<4gJ6W=d+*~?1yIW^}GN00Q#XB!c7&|jUr17_h0 z$H_5xH5aUTJ)LHg0&HxOcp?ch*DE4x^5%HPneTTKy=XSqH8$}xjd@3B#%FvJ7v~n3 z-@rH)s62`b3`9479{qAQrh5M5d~@-sul?uj7mVl~enu0T7$+ZbG*uFW9Gy;%WUHo! zn)Z4-V`~j`K2PBom-(9i!x8i>ZQN7$GIg0t`k;E|33HRyju6L{!^7`r-?lwV^?t)Y zJZ-I9wrDNca9%$9nHvk~YsbtkOXG6_TSE%<^Nv+-&8uvmy`72peuO*@*P3DLyEbaBpNUO!zHoCf1PdPbLOhCbm4sb8q+gMO_1S*~``Ci&H3PdnnjF!|)HA&Zs` zD@WPB{9%E&y%*@Xr)Ca7jtg^CKeu&BygFy0Ds5`{&Z~OS=Wa)KAgDhHBx6Mb!OG5E z>0MDBIUG4DPo=CSl{nNFc4U*dBU>s_TzN2qr)XgKNyf<Iz_Q5Y2{+-F{cAnGVW4j^%&T6_xfAOe&(5DeKO{Hcr8t3GzK}GhD-kL4 zS$RRi_Of7U+T3|c2jlFKkwyt(ZNlo0QSgb+$d^=yg>V zH3NLoFwR4=X6hleYJp|T=W3vVAEI9wZLujvwX>={(hR|>5zbM`U59-Tqh9&>v8vWc11 zBPDXPSuW#F)xqH>w^hS6me$JyaoehIUaC7<8IW-NJyv8B#arxq4MrXj2DlM z`qX@A0<^-wuV9mTM|n0vS4nI#Dn?n3&@9k)ys0Zg_eb)UUxb=eXst*EtrtmnyM_|X zV1ke#>avQX5h(fxR^%%eez*H`Op8}}3&>uP6DoJ`s|Q&$bEY14xG!z}qWI*4z7CyR z#uNC0@+UQfc@7jj%DSVj{v-KYUc{G%(5bvvm&(Ffn%bM#Cl-%cVI{F?$6L_cym$Z% zlM%4ZmY<+nG0Y!oU4JfH0KLRwFp<(pGJU7s{)1ugcM2K?mgX8Wd>zq3Q;s=Fr|awf z5!BMOmst&iWhSoKW4k54%DKcCo~VpGC!F-cicU|y9w*k zwPN3mdd@E=&wP?xU^I9yOQI3LelIey>9x@*{!3e;TMGUUsnt}+TBrsj7JYNRpFMw0 z`&=8@f?9L#rb>H`u4=R+i4}>&*BVKhj zA2a9F5iiWtn)y0IGNVv=@3~}HNBi`>&!cUx7xceAxji>E$97s+wg^Zuzmd)V8_TGN!Ks1vec9!=}*DBE)!f5zFhmr*yv2MH~WUr#=%}s61Sl5 z#I7#N8+0ss2XRJ~jy!I@O(XG8Jjk3TdEuHs(4$PP>FUq;-w3~*zMya!RDbE*Et^|C zMa`DP&mz3uDB$CW9M$y8^RueA@v~9>)XnCZa<%5cmaK#JiLPq5+0+jt_KanWE;klZ zBaXjM!--QnkdVi0Ra?>QvtpcaYBa{^h(-`hGmP@avAE(Oqh^s60XK4s8*$(9pB2-TGK{ySGJaXRCFs&nDgs*70_GnT8`Bi;kqiDOt*Di|220w_NUo3eg-+kSc{wT0YlbytthxI0Q5B{^S*dsQ$(z}hrAs)^ z!h~EDNYX}b(P-nOyDPdz{CGc5V2g9H-I`In=h5fmxSVUu8~AQle>`nT-HNVyRW(7l 
z^kUQ3Z7!R;Y`8@ASYD;Z7v}Oe0&S~z=2*Lmbf%YGgbg_>!rhy0#j7eR#AQ#Y zLJ|u)p;)4uGrN8EFB419uO>9o_wei`c?ldonoMSw7aJDAB2l}uj$8&=By{E*) zY5jQ?qXW=&b`=VW&#-& z8m{xe$(GD7?We*>8kuOfjm4HU9ivOspc^Il55kxH3!T2a$s)@fhhyBRU zZjLd+SLKDS*e&1(KaTE>au-N>!#r;mFMU_?QA3-{E$Zeo4w6svp7qGASO~-jG|9c! zway>=aox)r@4{Cf;-BKoZwH%&7r^#-_AliPq1cwkl?t!es9ek&N#Dx(#_{@?J?!Dy zY2jtAiNhI^0i3m(-$TBWmyh7gvK{(Sa*c}o^ovLO!}UQ%f?pzqmTHeK&GY2fSqj@z zN>)S+9dvg;3ZCejU_bkoeW>0 zUs2^Yvu5xPuSM#kBvJYYz2UoViS3k+GFv!lvpxSvDIPZkzTa(jpy=RLk-3r zbjips2nMgwx@z3}CL=w{$awoUzcO_mS3}iLJef6%B6}k$FU3L5Dt6Dz*{DIz`)p;< zFpJ}Z?-cdat|lpj+5v%H17*@{j`m&Mk?9HSM45p4|_v$9g7TqS?lrE>hTa zz5AU=T1LKDLdS`g1`kMXIn?eNKbPF9B53jc-H}UpD&)@xS;)uwUW;|PxVKDKOkZ?w z*+^cAPgW*^MP#iMDc+%Isp{eM!H9XmP%J@2T@K{$kRJanJk za5>#?zg2lKjCRGdEVIh8%&e7b&N|2mY6wnA)CiDhFJt4+Jl`(Q|Ff+{Nl40ENfJkr z1J8iDm{IWRg)pk#C=SBeg9kh-*&elM;{=>*o^JeVO?JZV0$qejH|Pq1)keaBLm8>< zHChmx5=nCM8s@5q@n#z3)(*Gq)p#Rtl(a2HXDIF^P@_qv_Ep`dCgB&(ehECy$jvT8 z-RrFDV#pMGk#_RHb1y~a)hkVw_d)D>#1R`pe23W$yr1Zf*iSnKjf;*HEjzZxw|X$? 
zuh1>noemA=^qw@OOu{}HbOO@7aRbWLR(82UI00<9mao_tJ8~sI3A}nf)APKZV*ZH% zNr(7b%f*LJiJfc*r93FXVw-9c>caNZ$O=B|pCTzT+lo^vpr5HECPogvw%Fh~WQBJ} z%6#(Yd|F*Z;kt^f{aR6HV-u8FiX|b%*<{Y8Wi&q7Jc!$vS)Di$?64Ng;lEfSe*iLA zWPFPv;c=!*YgJuD$ZBRdt5rWqQkJWn9_~9uy0qJ8aIL=@GY@r!NNHR;akDJAWIlGf z0OH*GxtGwSeSl<9eY!WkxG1=2x!P*@S-M$b=|%B?{BE#rE4$l0Qm)!^tTfYjg_*@c zF7l!)<|=HIvTg^zUz62&PCm=3!QHgtl=jxfMY|$`h^3D(C9Ox zk}_fr1{?kZVkF6eLQ~)GID{-iOhY(JZeib#^Pv>)68;e^JV{;@c|lI8sa?_=TyNq_ zA$sg|NXJcXCumYY3HA?{9KADX-xwmr1rF8S@ywY$qm*h+PfgG0cc8_W@5-sZ5gFM| z7N2jNpK~OI9%)L%rdfekRPY#hNam&I%T0&}BI}ckj=!Ce&K~!+dblX=hGpSXw$UHa z7j7dZl;cL_Aa-GZ=JQgSXuWsrz7l^%6~5H*bB~R>AE&<(Sv0Tz zv5_6yt%O^UR{YL&t*V3RyBzHDaPF3JS58c6qvPpenIGW>h0E?;_QjU*`c`EN)J)6x zgJ;&x6M8GYn=^BWJ^!`xkyDw+Q;)?J>h&6Y!KC!j&;Lal_pDr;j=O z1HP$DC`%Bn`$*iB55-l>;;s#s3A6~Z9@4~H2A8r@oA1Ic8Pv?!RV*u!(vmN ztGW$zntA#!7-I0AQcIVrzs`M9_#}HKAoltb4F>9Z{3pfNSlryi$S(|tCzdo4b=Q84 zykMeLn%c9Hc{kU{NTr~GjklNY4##{|&wzTD&?O^6<)Qbj@?4FIWo7wk?iRtXaLg0) z3!|>MmxT6KA0CE^pH;tgiD|I|O4oZP`7?3BrIk}c)`fi06E)+_-gMHfEy<_b`)*Js z4vDe9{E$387MSY&M22?u)K!UZ=Gb{TkL0r-B$-181_mlSt0>q)<;bka#@!Po?=}RD zFJJrIvE(W51j%C$HCuJ__G^{7b6Cs5!mcQ@KkHFpuBG`oiv+=^-1BRVS&VtTu7to0W2@jOuC_A8X7gaxl9@d8E&`zw*P6Il;;??wadsO)Q_;)K5ts?H6M<53Z-@ z2oE{!6_Y%3A&atXIq&ipN8$)7@6w`6Em+-3V1tqGp`mW8W~Gsij%~PuXQHG+3Ar9p zJIu!`#9nYuVSX4mBd4QT)=p;MFqG+D5c;SG`>|a_XvD3Wx9VYJIF+2y|X^lDYAA9dy}&3&I~ zER34!5@)3)f`s%iXvQ(0eaV;wN+4pcmN8W_r+p*J(&aj&Th`8Dc8r$$>{+v;&2JgI zDEb*z>-@+z2(?$u1CL*McQo!Y)753qF=vK*8BNP>N_0$;7kLlJY?`O`)>E82hqKnx zGij&5L3N1hX4df#c}M=F8D$--q$N=?qn@vv2|t_4i)@Sdy^Ovjl;ysf8d0VhOa7L@ zGRaZWtCk^%e`Ih&a`G+*g!7a6;^@|ki-`Yew7#$|RBbsoZzyVQ{&neIh2d&@9zl=Z z%O^&VV;xw+JrdU6@Sk*?>O7v7et99Jt>;k(`0kHOy6KreaXg&gvINF#k>jWwu>&(} zmN?iD+ z~7)cv@TQje}z+}E;ojnq)$w~MXr-mfU%6Q6i;YM3yB*2LzT;anf-7lC}1iCaaF zoN<-bK2;Y<%)_EY?_YdJo~CTYCtPzmxcgZdYfYOz&ZebJl+u&v82eZH#gz|RwX8YP zB<^3JaBF#^;Sg{;>c{(|EdK5dfLuUX|--$=pEA{8SCbN^hy?deuEsiHwZY2#pJHo_4SwJ;9yKylzhN0Z`CKIy3@hE%@;HzO1a-k4>bwGU6e 
zMQo^_X8HC?=^G>FcVQ-#w{OuMvM?{4d!$_YFiwS185GkeyMB}`jHz8DOw4q8W=60x zLs6Sh`A(F)FkPthn*VD`nI5OHJk>l{4G%WdO71)(EBS}Y#~iPD3ToB{h7{j`NJfUp z44QMS?l?%9^%zWI`8x_T5a~-Xi9VYk2=bpjLMMhFjjNJc_rYP^&;2#yYoSto<*SA5 z@71uy8xB%_$vsR;aiaw<8H}}XSw>v>u#b1xNsqI+BHuphdPuv<=uaP`sST~9zJp_Q zyOdtNmSBW8zMtO1%V$eciWq!^qUFF3&9#%0$PV9nMM-tz1v)?VEqvS>%iM4FX?@MwOwIAu7R=7V+D@;N;MKGO_F`b<; z-O^>5DpSGOf1&#YS7Z=_X9wOXXgzMolE@iwrG(Kl&?s+zwT4ba!x(wu@XNXnSl*Fa zbd^QfDgJ(sRWr?4&pvuQ0i&TVA>)3PFl)w_=4Uvc;P>K&T-U;(!Nr!3bVL2aLkZ^= z5_lh-Q}^7;9SR-7*DG+p&RN#~eOkUy`|HOeuZ_PnKUMS)h3Z^@tO{L>=cZip(D?A< zLEq(|s7k4vRqs0j#vtR(Kb;djw0yalVkilpkvceT7n z9;Wjt)72Gvv)9kof21UDWMPSUNWICvz+Y7@t+zgP&zk?~7Ei9nG+*_6@rRFE6C4%V zPL}=TCARpX56^bn9_!Yp|Jo{<_Vr=BB<@?D_r8&qugObp9u+Cf6fo;zF^am-pnENt zI|76Q9nI_eq}-4}V`S5WQ{7iWsrglAyl->ng0{8y(2Ks{plD{i5Wz8UsA2Hw|+p4{lsBR^{Re|Bs--qn~vnBLyDlAh@qg69&0mfUBw|vg1UpH=4K~z zcwlXi$QP{X!&j!0yFMPR%Q*Wuo`6u`QqcIPv4LX+4m#1Ad6j`yD}rX;tl#oC`llaQ z+oYP8`47G*lH=mb4+N2=uuU>&%|b6Li+HOBS@=^*J6p8fopr)l_Oh2h>a1BRQ(oIm zsim)JTp9S#khz%uW2j_c^K58HAnBcUMlA_vgSI0kIZv|9pe-@PclcETLZN5Hl_o)| z4$)c42@ck=J#jH1_R@}{4}>Rt(yzB|g7crByhZPtx7sqb*_-Q|&#T7bO42&)o;zih z_ceomz@EvGwKsvS!;xTlUgZw}$sUCG?4F6T@p3i8NE8kWUdoako};`a)T+ z`!IOD+gt;=+xwT-;I31W0?p*3<|OmDW%Sk}Zwm-6d?j{x zy>wWdo421b=nz#MKb2Y?zneSRIWB9j(lAYf`c_#ol^5*orH$_;ubLjXICr$`?8Zod zSxMQsqkRDunXkt<-WE@KrLB3d`owoWY>*a@tj7rg>D&4ZAG}94{o3(hb=M>w-;*rH zF>NM|m*L{|*W&z`s5r|4{df{tL2PZZ=XynhUbghAKYaOkMDoSESw;TL$FFZuI?MD* zmmF>($ZV9*C?QZxB6@fDi9pWkf$9k9646*uoXaXzT+czz&v-L>pCe|m7o@m1uJf?} zczZ*si(Vl1EVYM%YgN(pY8RIexIGPAoD6(*(jUHYjEvTwJ!lB^*@})j8 z#Nh+Z4L=)m>!A#}^V52S)28GtXI{VXdOmYH+kfNU)+}DN-BqokI+odMpz&LGltV^^ zen^`uo($rD$>4GG`FzdHV1>P{@_jO8E&3Cl?;jdY`>k9cDSzmdYI8*E>X+!vilRdj zxGf{y&-JzzWySCdvdL!{NB!~#%fg52c~maQ>#=)e&yA;DKEo2UMY*9CW0l59w3E;7y@zf2?B%|@hCjS(^ThKueUH}Fc5R+G>p^z7T)yO0)}6Qcg1Ot8xaBlsXoS)2}g`09c(~t7jTt-0U>Oh{lh|=(fa&-m8v5Ipg{n*!2xJ z(4Kw*{T4;YNr~I{5Oq+>I8^E!oP|dfO)Z^L)U-PF#l>Y`J+R@OF)edmeR$*V)~x*J zlYhwV+V=+Se);Z4=XgSuTJ^GAV(``Pt=YDJZ|-;7`)<2x?Xn-!34<@wIft5~l`y*) 
z=#HrS75Yn3qddpE5eqNzNaRtHN0%2Yc3&QQuyn9QeYtH33fpWCIG-rcEU;)p0TPMm zLIF!e@>f_bEK=k15uLr}lI#6G|J;q_%fPzcVesJ;O_#?Wc< zkW=N+vrxJ!-Iv~)e%keJ;k&MnUH^3H*BMqjuC2ID_+Fvc{$>g=!Ne+8HL(8@hlt6biT_k>rdqV?HbkBsDWA zeM244ghPSSh(tBSq%{+Vh=TymWTC?;xU??kfW5*!rlgcsm`v_c=GJMnR_$~xYe96k zc9-_B_NZ24<-Rd(D!nWDQj%3BTawe0bCWBQ8?v90Ey znVFlzAx~-)Jrv{^C9a-+@XVh6m6gy8MvWnHXsBsa-oewOsFFz#-seOd9!*Xc1yMaJ z(vtl>_`siN;{Z+DqzWeGeQCTX?)paZ~4_c?H#tGk*Hl zRBYV0SCo&9dM!q^!542USFMN#mh{#?sLBn$_xK~jjjQiV=Wgsvg))0`Ghz-)#Jxzk zc8)^=(&bj%yRpa)_~P86YA4`ZM#FNaR;4$T2@&IDqgtcZ7(fg{TopIOjd9a-VS-`0 zagkw-;TD5sed*SU7gR48exdq>;bYauhLh@(1_Oi~#9JT~a6}^U8D(XItVCW~9Ee+S zY>NX~AJD-8qMgCm8=8Q&C=`fBB%M|pXQt_9Hl4;_!Y+e1Q$Z^THCrt~3$ru_tk`X0 zq`9al;3+S3l$AtT2`z!G5iPU?8hAyFl*FRUp)0TW31v{Q#!)SJCDi_wCK#(?(+R+* zp|WX6DNtoIMuc$yl5fJ+445WJ|6}oErPC;^zV6Ax?o7&Qo%6yx$P}1?8IA&NR1rCc zGEajmT|9f`bdw|%JhQCW1!5c?n+FvqOx4w;mQ`0aJq|#Q11$J0>a z`P?Z@b;cia35H%ZI)b@J76_L{Ch_48lUG+?|C`iSi+2wXe)HO-LTocg~ zn`mRUW?JN};n(X;Vs(wZ#8X}K6M6w)wVWQ~u$p#)YcE!P5W5|U_M(UOGEGdLY=ZwG zZ@&S8Fw!Uj5l_oD?uO30q6wF99h?!TLJ5u42x^HHN5O=(F_WZ^5ldKXqj(Qr)Fe>f3m%*INzi@_3={&mr8tfcY1nC*cbfM?_CXNZH1PLu%B&Fy zXUB?IRNovMpF8pB1HYO%=dC-(Twd$!7$dQJr;HW#H|9Rs_Op>!>LyT#yoEE$es1?y z6+$3JUVZbq+^-*dCHKcIjza3~s*J~C>R_~Ba_-~Cu}hv?w&gjRqB}+1l+p&Su|Pl7 z6oOvI(-zr2J_0)cnqoi~iMYA9%FWl=Qs-|WZqdENEpV4)<^U*JMnF+zB3ZvclL z=1QpoMkPKct1x0%7$E6$b}+DIb5^uE_+}0VaQFYxs7z=*_KnA&gOBPE-#DO7l3_`Y>~^u8~}z; zfJGwSP{1CE_(B0_<;GCJ7Ln{Wyj-aBT75wu^EDfltzY*9sRi4>RR-D6XE)83L0hIvCv6a#fX)~=bJ&CUN~Qb+H#J_;(W0t zd}aapaBr!U;TSf?O;c@(&ru;|;QRWVhsSSaBdF zTw~S8Nlc8fShL|#BZWJD{yV2{AE4wu-^fU9C~qRwq`t2jNC2P&c~taYoxwn)mCY1bZ1mJ3&^RF zJP5&g1fLWo{1N+N8)G|SYHY&qm&H)HgaN*IO-&d3E%^Z!WtZ$c3u;fis#q@GQ7mv1 zaT<166p)=bF$|dqIvH*{(bL4Y6kL2?Yt+a-SL^s6AjDE|GptT+PJcV~tO#Rok5v%e zEqQwTuh_bzlD?mdo-4jaA-ZF6gGE2}i5+?T)h@;g)WTD_vWR;@j73ymbWIVfs_&@n zs(*^S4p*YTmaZjh{c8iakj?(hf$f2(1AhyA6EOAFAFF3Ud$1r_C`QGY+G@8JSPNmM z$Mm(Dv+Ea$R5S+SkTNb0HXb!Hqqm;Zi{4*UtxO1|jk4b1tgbH# zmQ+^oHXCoNI99<9RUCmu?y0LEq%&c%uK{Y7-OL4Ek3vXLK$0tyTm^wTqFCo{P!|92 
zc+^7I!85Fe0|lvD$>5DY<->K79_&BhoOXYb((e*oeqT1vqi}TE2LFjusdMtv6=#eH z;Rx+xC3)OF&7wG-5C6+O{FT~#aZj$wQa-K3$k3Q%3Hoc{dO$VoUU=%pv%E^prXtx z&SDju#i(>E{whVLY!;iYdv!D1^_+nCAqFy%k&^{A#41|r$jVS(cw=Z|_#U#=x;3;l zyoc-wn^hrIIH4*wMhX&MjW{@RNw%N{$xcXP{%*2ZNJVig-QmxO8NUwuB1x`=@E77< z5OsyV7IZx(>+S9qqO%mV5S$+zEm;d&tb-$;44@CvKV~hi7R6xaFLZTNYJ-1F3r=TY z4jV^<{Ej_*Dz;*1E;TgAejru#(?b`H4M$EbTh(&;znA_y?y8OjraY1omiPuoX&3G4&9HR;=Ca*YMxU+>jU$6naQN9cr4ev#H zWZy>bXWKQ~b@!XLnRl|Crq|T3>3uU4-$ zt?{f0Y_sll?+v```$}iL$YR0EDb568U3cq>CKaKBmY zK|8ZUC*_txKi5rV>vuZXJK;0uP24e{c#F9zI)kgCO|(di1>%KqeM}wqc->x{S25dT zSSMeMI&{dnG|1UZmKZhr8Dd&saK?yNg(#V9!dC$#cbvl+gR=wud@E^>PGfIS500FW zjrIoSwl|m%@Mj^PW^D~n{y#^8)=xoWdX#pXaWHW7)1Ai)lz>_^3f)}G!lB~04LgI- zclg;A?n1EFh_L!x@Bn;&+v~Y|bKiUY5xh@Re_-D9^%rixykpk<%N|nCHRYD)ew)j^ znmhHcSE-p+(0ix;^x@q5xhHq7PRZ2s7t|S-b8im*Ax!losNV}VeRw|!f%;7iAx`~s zj1AM{besF6>tyKP5miFxC)5O8GZKNusfkEtuG2`q3OlLr`!xl2I68D3*(3XnSYh~j`+GC69Q17t-( zsnF|od0b2*6^1Km(2FSIfX6fBD&nqA4v|FOCBqAf{s`^o93N(gZy0Gcf{hyk{NMsB z^>xfS6Tfb@3O>9x_R_>xa>#RKT@TQ+c-0Xqjz3iR`w%x&3kZTQp zzzRxu3I1xiEOC^rr6( z=}4t+yYn6Izun(@zV)grb*4e~yFJPpD;d7b$jA+RsUZv%0w|Xvg_0E6Al;5F1(NWG zeH$akBPSw)80m@}i3mrqVed-#BT_t8;TxoXkzEo@l4yBF0e}?xZ8#i>z&z4Ht)yz0 zd?X2A1v%k+C5V@q?Jz6<^Keb?MSzd4wz>2?N%7+cD= z5C1rQ^RkET<8l;lyQ;$Av<7I_oW^Hz&VuecpJ`_$%YDtY)~al`Y(U z?BN!`d#3Ev@*^4i>nP-QI~;0oXG^y9=*BI?;pi#UQA=KU*;pF*Xw#y#j(}YG>=zfD zpZn*V^2&>^6SIy z-XKlL5okl)q0;OT-8AIxa&L7D?vNOSAEYa|A-FZD3Lc;d9QOP1K$r_b@g&T|qXXA|f=?cCgRU^mLPhdqVs31S)wt6DWZ77Z;q-&%*Eq6(~ zq_?CIiT`sTBLe&aOceT{!ftSGaP7CeUh-barzIA(#C~cs;;WOsvTA8 zDxFmugg3dlw6rTh6W3Lqc1h$6!aEM^%CLWJjV#b)Rk`$Mi zB@wbEtS>fI5^Dqz78P7caYHE^<^3z+a$H%!)p{H+P(;nBoWZ&)wyWZzz=3Ig=qRqJ z^x7)+6KVQbPu=ys%OC2D2g=Wwpgmjx`se0NL&RyKO0)kh?nR&8@I zQKI!O+TdE^dd4;AQaN4N@2QR=M6C&2mwYZ z@_@rjot@m6xFA;^&Q;EAn9jC1XN6p11r1YEl`|Afo(Hg)#;5jwdqP$FO1mDL($;`| z%(CGg)_vtFlHtGgFsJ2xPCVhs`q%bdYm1^>1waeNPM8ezp4Q5yrb7; z57wR+0E}ZoL8!F&2N4|UN^_KHHP9EqU`rW)rNqrzkQeb@gJ`Q3`EEM9eBfN{QIN;$ 
z9`<@hF-S4V^JaM-iB@tfLiRg|#LqaK#i+A6_>mQbrQ!d;v2zjb>z>V`u1Uwu%O-d& zN6{`3!g;4q$tc>v?(gZxd-PD_6;CwByfeth&my^K0fZUn62MDdE-1)jVvY8Tcy*zs zA$M_cE|a?}mTPOTmD$wuD#uX6?{Ff$wT0c&QRHx!|MSn1SU(+DDMVwYyT5%*SbFMy z)df#Y(8OX4TRPVaFK2A)n(5G8sX-fdxYi6`&pKwe`AaKd7J_rwA=fg%)N*>sei9w| zbf7TY0y_Rme%jm+jFq{{+=*y1rY>|BdVJ7-Bbs#gRSF8nabnMRY9tw;foM?xyNLnw zR7u3iZ?`Yt7t3jRyev>2jajk9RPJ&Yx?*vc8-Df@jk-`1i)wHTMB^gm<$-{onJv01 zSQdk{c0k6T4h%B0tk*Nlak3EICzE>t@cFE5PYc0sf@g*fhsq`^s<(L|BJ zd;^h-;XL2@AAamJd}tK*$|;!|b!L1tbw%!v&eqzg!`kx{zjW?rbEmbkErGF>U0JupjL+^-1JaDl8ToJF1K}0C z-POeA$PSGtHmE{kLrQLHufDzJUhP9QLNixr=1r;D+d!|^?ks=4X+V39c(PWOTDY%%ds?-#t9m2vaBRo7E6|uHl?3SA506X z^tg0q`nvR;=||H)O23%?b^6cgp|r6NI}l^xZg^APrq{Cz3w2@LLfut571NE?P1UW} z-KKj~w^R4J?hiV>QRmb3>4ZYNPH>y!!6e2mT~s-CB1>%}J(ZQrEte*%t?rRa?1 z^e^dEAta3GMd)yY^q?%t%^RDU+}zvDnxDo|HGWJ|F6k<18SznHlGKTHtS+UNrC9X} zIAmCrT2^w&6=mpkBxgw1u5E8y7DPF6yg zVGrd5-z^T#2Hbi@(%~O*k_I45Tab3~Gu|=cj1oPStl%^Z-q2O-{ zkL$-)9O`1DKKd9x9mLg4ekknB@yuG~{jX6ysm{f0+$Lc*aHMv^1PRX*@M7b&JQWUGCG zj<`e@qi&Ba8pQi5U&uZwzDdv)#f?VGN~={gx(E^Z@prA)&iB=_Q)-m$wR*hw)Kz+< zlvS0=rCp_cr8`P9rH4wjr4|dZdV)B|nXuVqkyhapUzd1DJOaz#Q!=ezv7z$^;UVA# zJYnuOgh>%nQv7u@Kg{0E6@2W70QCHYm;IzP-<98)cU2}b+V$jVW_6r9w~_*m$U-RP zVeE~m%<5P)&QF3ejXoZV#Z-}E8Zdc^h}jY}ATMd+#nfvqDk5QB5w<{ZcfQq%B!9jL zPB-Z~b)UX3v>|%G?kV+7-9DA>M%~SNhJVX7YzS_M-LKvj)hMp7ZffHo<^Wef3(F0z zP42?X`?eL+8=6*x?pkw4@3Xz@-@Iw+nudoWT0=5TH)#x0$EGKZsV#1U0z5ptzW>Or z+rPP~s&=93$r%NHABzn?k?Y+cjh)o^{IPet8o30UhBLQw!Pg}65BbWkH8iTH-TIwH zKW9Ie-lKn`e_>jKj+U`R;l;s4`pbiB^lJ<&i?$U!U+_F$lsQnix9EWM^PE->BvNc)GVFS*^VKiA(e*OSRS$t-nk0Y(oBk zzwjWvWS=g%$pqU1PK&v+$F(jTFVtcvyuZe^Nm#WaM0G-0KnqsLia$7J85qXiN~{&A zj3)yiGM?f@lBK$<@<=7?tK3n^Dua;yGN&8a!7n{cWk*Dn=&7i`VRRFEbWK4+5bvC+ zav9G}4IH|Ia32ztH|2WrB=i3i_9eh^RM*;byJvbdYxnGX_iUQctUa(YdGxBruo-MNX}k`n52~sa5YD`A(lenJMEGJb0c=5>f>Gi7~o)2Viv5-8XVv3up(Nur3-^Ja>iO zc!ZCwTvq_&i5rmomG_80klJd!bJwl7dSr6j`fbl{Te@w);chIsedXot(RRIAi*%g5 z*0%cNH?9n3($>tHFK$@8|CVn*@SB~@VHUqUoJy8wZ@Vj~efhC(K2->O)|3Kq9AhkG 
zNwY5FY{|bWI3Bz@xGl6LdSlSu?tC0|h+g-7U--WGj^~}w@5MiRoV!D2y3hu3t9W(x zdU1F5R`E9P2cGvrj&j@aFl%!-DkKJJq!*3b(qRi52~V+(XA*^g-G*AMlWvzIOmEkP zw;MKM*=G1sgj1#u)62%N$L^%d+oaZr`noJ}Jv)>=Kl_`kHJdJ(z~ut2RdGFURlnI5 z8ci-WZiv$i{GV8+H3BgJG441`cl?i)3JD9~eLf07GN;*g{3ugiM#yKmESfUwKOIZVL_U@AYlXqdX zzh$wMTAf~Y&mc|ptr=*@w>%zy39*jpN!*B9LoY38rrk4c0VamK;ojrE+r8fn&Y*&L z0PW7WKXTjMAfPsMp|1aX<^{GHltRG8+YuXpc>}dLs2tsXbUSPzzV{2HksNy&785}T z=xP%~0JJmoA+pAhs0j0iSn8ZQZEk5^#DF5GI1=tbQ~-&KzFgPBuHt-VJEs^R_=7pV@W&%0bBb;*y7|?YBGbsNGw7 z*805TQ0Z{}qx>J1Ih_j~T~ePkkX~zR!>}zmN?NZrs(rrgGv$XJkJlbw>M}<2OER8P z6w7q<+w;N2C6Df2-1Pf}Gr1)nhsZBB{C$g!Lb16RQ4?%J(Pm>Yqd!mjqs_%rqSXim z&2+L<&jW6EN*6>!?`(=wV$uNXv(ov1ZeLzV$)ofU5CNz)ocPY^Q8qdn1yN~+D_~DQ z>t7JvfduCrnw{xX-awR$QgsR9Uqjf)L;4aXFVR3L8qFwl5*wUUn5<}k2d6}v5iB$t z7_LH-$xRKF5{yitQlA}+gV$VB^UR}#Jz$;jcoRg6=qo+uhPDeA*v)Gw z3{@8uO{p#+DI81bZ>_SJ}JIW0{zb z4!Qa`X+mGs)wGQW!WeNT>^7SemI{&;P=3}@)jUd8sY?C>-j}=rV)=o*=A9CLYWT9n zyau|NBd>XKxny3;ObI_RF3xr2wQ4TMz!9igqFb%@Y$oINdYo+u7I%=zkU5UXmnyz?7*f{!zP=@2GSic02RF%U~+(^18)Wdg=%rYCG$_$nN~ko z7xelBb;RN>dXP!ninq8MZ*fE3;!eCp1r2HqFVe5-7Sot3cNF<4e6f#;OfOCsXHct$ z?$*=airqv^=lv+Ct#e)}zOmI>@Fcv5(ifEWQ40FJvPZ3t8-< z-;RHGZiLNZ&UXRN`QOh2C;iA!!%@`sVOtwpJFjhA+xgkxEsa|`4>k^VPA@#N(8X&O zyS=`qrBmq?s(G!G99?fN`a$*qzuf7Ts1wmM&!Ok2Gec9NXap(JoK7?nMq(^+L1H4Y zC*eT8r+uA(4uPWkf~2=hIr z9G%-v$;*{-vduqi^%_W1|JZXdbNT#C5=*H`CTzg9WwGe%fkD;9HX9o^4GnGD_=Ycb z-_BjvEh-hNOi+|qBqKSQ$STWimv0{7*C@g6X>GpQ$!e!8fw?P-y*{_VHLORs{vXPYH7#6?fubke{|a;YWGk39d6wQjm~6@W_QcWKTgxaneuv@d7{AFJMR)mMn?}E{UQ@ zE*SG%OTwy$_XI5oBVVBr9?s#DlFiv7bClgK(t(KZkPf6~vesEo)9rm|CXAvee8RUk$?u`^EX zvB|$Hywx9n@`RcbzjqO-IXpd99+a+wy*whUHMA81^ZPZ!srIzVw4C3F7JyqeBC+nC zSY891^Y$~@T3*BI7;hWF>~LNi%w^@g7Rcp{BFpBr;*{{tb2(#x_2jhy>>K6WlDsyO z%h|KF?u?yT)xiZ@t?E{%(`vVjNP`0%#bCfWYQXyBX78D5wrLsNKYDOF3wG(f@S zCBxL`@l>{X!SIn`VgK;K;pt&f$7W_&9FDCRof6KN%#is&bW~Ug+;-sRF39t(c6`tr z4P@V9I1n#&2xA85@Vw5Td8kFSZ&?xCjm_(wiImG@lNyC&q0?4ZnPgA7;wp1{bZG%7 zaBkIfX6HlR1o&D`TYsbB*V1i{G~hy;=ExK+=}em)adBK`0VoV8B!9u^kx@Z%=iN=W 
zG5VIvw$8S$ZLMRSYkJhyE3A{&x&JCz$q(DU!vsJ^AyVNK@90S-G=#b6&yz4|cnd=Z z{^Lhv@bDIaa(*5yKbBqQFJKAGVNem_z>{ zz^|{lb?v5|nX!AvF1)5z#5nIu_=A;H(EHgAT=iCCo7L$Fh^Aqfz-9|p7t(tRQJS1_u=?X#N zc9UtH_h4L91S?tR?>+14b4aX4vedh(Yplj>u*};f@yEhj;*a8DNa}*kF22RyO$dJ3 z3+-Cbyh=u?9FSi^+E*eO%xkh~sTW|K=dw;%?%YyGY0;k;p&ab@3i934X<7C!yxBYix*iu^WLLOHOXPBR`sq_aJ0n4zhIc&7cq@Lp}&2K1fD<(CF&M z2DW#Q#zv6L`5;;HL9*n7WXXeS8zl2x)@lc9f?k`zuz~GP&q%gAZ*dde;y%2E&CXlg zjkmZLwT28E9=WAFNv&Kg7U-OpjCfQdDoi7TUZhiG#Pb$LJio+|$~OzK>feobZo6~x z8<}?WL(v&?&pd(^NPnk^`&eZ=jQ2sp8EIh9&&d{i8vhUijUc;e!OLX9^CPn0Wsbg( z1uv5YFXO6HEO_{vI|x@ocz|f-EouHIHvIpT*;hvQu0H36paPLBc109_CB9*0v1_i_ z63-jguGq4w?<;d(yn-9>?Xip5{%Zy^yXIV%_QIma>@+Wiu-~bI-E)vbk0ry_8`1B^ zS<%h>XSI0?9;A#$3U&vWB?i^=F$m$c8U+O2P>v{0WDy{|yjfv3L%f;nThyepMjlxC zbZ!Qf7IH@Jf*kE4ZuTh1jwapLm~kPO1f7Wc@)ozI_Ar1w7q})MCO=c`>P57LB5LS- z6y_s*z2#|9Z9A&e$6wH(S+Q;zL%>LA*VMEsNWnk|dBRd5k&Gu}Ns(B=MLcCnWnqV3 zwM6ZyBC&#tOclK|lLZZs9cLMz?K3+U?%0OvLs` z``r7KJ+bczuW8QRb|A;{?&v=I9?u?mU$hOe6j0-c0NkQ4=CYK+9U+bpTrvOzlrsRm zR4lN$oj0Ywde^J+T-FYpMLMN-@WZCtmBo}S!KnVpa1*i z<11FivWw1VnWuKALWJ-a=T=&AA>4PJU5j!XdK*E979W9!icbpYfEWoeBxAzWLJeEK z7~*8Ly%D?555Ef)Ml_d%;w&XrG7_jLXTD!*2*Ib;XkZkMbByQ90+-G$v%>$Sn%v5C~DkTSHp@|oc0bN2@yh(4q~lzlk=wcwN4r}Bq`FXsKr zLX2bo5SESYm{fSq#|c9+6T&X{$Xl$jB7ff|AZcd@B8`#RUvf8*-O;)5v<;U$dGdrO$3dWY<^XL9`v>62pBonzn{3&^jyGGOcE&sjuu3zrT#{YF^-}+zu zZsWi`Bmrw70V^Q^Dfl;+8bLn-qH@F%)gnsNs#;S1R#3E%OTDH=U(MzVZhLjF)fJ6+ zMJ zSPQ2Q@}W&p9Xbm*P0_xb0eV9v?uE;*tgluk8LXimR>UV-rHvlEFjBz72xQr@YYML z2t2po>T?C%im6C34MUOs-^m2vPI_su^wI7)q;>Jblxm)q72X=fV7RGN*!`}%D}sya z*2*aa`AS+!QI(R!LSP(PvWO6J2PN{FhH|EGP;z;#L^>svb1sk#brADhvS&!XgiH%d zNm5fzdE9~$hUcSt-TBYmZJ)6pv5U|`FBmRMNseehXUaLE;6k*hnQSyUBX=^9HkrAo zf6<)IvI$Tmc`3Y~l-HU_F@y*|fF9sUBHtXvIJmt$2*DwhKn12ujR5e$ycTCEqGL|7 z^I=wcITX2xkUr*a4drVAw1p@5`uOLEdzTK^yVlyBo>aUPN;A7#@13(Rss>L2oXz@7u^)N2E z8)e-@LlHyLq4~HT`XAx(RKCGfh@HA_YxzFB>m)(3c`D z0i8j2A{EgQTSyZ<&GXO@AgrUI+2Gl>G>j*%Nh0`2n*n-T+h8b%O}HJ0cs7y+Xkju8 z{q?6&Ko6 
zTxAQ+Uqb2j@bJuHGQZ*_Qf1w6`i6AWqQM5wLXSxonOD(&Zm;31VW`hgF-Ej_R2ZCK z-g)WhhlT???KN1VC@}roNoX##N5QQfawjnvb4!Q5AN(m^9vXU&0w5<5`K>J;2u0HD zIq?LCpGXQk_`!8skMKn~yXe;8QhzYb3gc_<+OTv&b!EaCC0l!Bq_Jpl+e5V__x;Q2 z6$zg|92H-ld-<+yJ^4he^xe;GSbP6i*|mU;?cF<2Zj7wBtoIWaUvZ#amXYg%Oy1+a z7w)&tqDuLLC_v}h=N99heD-fmoch3j`4T3)lM?_X1${Q_UyP z3E>dT9tE~JOYuk?B9Kf3L8@Iqr9pXBI>d&F3f+g#PS;Zxho>)Il)az*CAaZAaJ(4Rp0jp}k6W_r9%6D%8()JTn4ifD z4tK&`cAw_9_PM{5d@?zewEo8a>oy@vSsxkN07(h}M+#WqwX@@PMi5diXW}L*g>7=E zG2)DEak!kQd!0oGNEWHwvfEUN+&T$Fa#XP*bJdH5igtxd4Z{gKZd#G&w8F%KVaZ75A7|hD)Jk##cY9&|KdozJZX+ ztxIn^W8JQDaWT6oP)g)e9lgcH;^VVg{nPO`?{1TsHH z-)wSlU6X&qM6TFW!P9LjJpOV-wJIt*i02SeuqDLF%*z;Y6h5Q3LfI~}v18-MqU6(= z?_(Y>$DfD>ZbHH+5X;jEzEe3RnV?nKZoc6!&#Va=0(k8iQb~gfiZ40DXam_fawyox zn-DdBK7?pCcl$^m+8D+$r5NyVF44L{hNNS_$c+7R?$y3@q{e=$`=Zq^?dq!au?5xM zUX+s*espUtjI%CeibW9>t6dN3VLdVw910Ib)&E0N)gP?9BfV$&h4+K%pDllI{=xM}@5j}G?|D96F%dBei!kEzqk5uW!7@-* zM^z2@nMLxs((IS%kC6aeDQXog9z{z=S(&q1EJP!SSX4#9;;NI(SIv-bPp=u;O=rx| zZZsBe)(xT&;hBU3C}{*xw|HF|e6`wP;{x9Vs^WZ$)sTqbz=+{IGq8P+JH&>=aEv)b zN32$#5;ky2JdxG1oo6PDpPZV&ozoULYXY<mhn%a9qywJl!_3p~tUz5T&W5^%KAMwG@kDl{obHf(5@Hm_kOAKb*!Gz2Ed|CA+I$WX|of4reSTrkKi@f zCDbx1v@3ZkZ%ZbvJe2RwNu&n%1Y$#9>VBbHsMnaDQZwW=oQqqn{<f2ZXuqIrOg=7YWk;%;OND&|V@Q<^we#~qxGcHH6&Lut4 zw|zUR`68o>YN}ywh4qQGwIPUjON<0EQZw6NhuO+1Zx6xNqFJ}H5%N#89$udmx8R3n zm2doqQ&joM;{Z6?Ng=I)QU6th(;WEpmu1nO*>W{OhwWrh1YyaVS-{XV_3AP0wf%)Je zMHGug?mD(`AC!~p5zUM=NGid5kx0);qfEH!E9*NG`s|+;rP8M_*QK^VraE`evh7!_ zd2HR<2I@mL+iYU&w8B`f##Sx5Y>BXF?v2MP5dq$0IFKBCaLaN}0KzKg^Q#`+!OHh6 z!7yWfyCN%g{f_Rds-YCpYJ?SA`TPQY+J_i*I=lE;&YA$ycEtDwlB|ggz0$JMGaBC* z-;_AJep&po#J2jKiK)c*65ftLM-U4z#z!n8o=c=l?3cJ7)Ss|C5q~@8!CgJN$E|xM zHwcNLSXc`wv__~^gY$wCG38LPBVY0A`baz$jK^ar8W)9U<2jEChaUR-Kw1bKm~tILJ_>U#dSgFk`kw3$NYKUEx0kw80AGTNx76{%&E4>w=?KhdlLp+lyRL{VoG@MXW7`@yo| zI{R&B$AbM=4srUItgF!NBZi+X zlno`?G()Aa=*};!-DPm(%(@`xHnrJqGq#zT*{(J-Gcz+Yv)yK9W@cvQHZwCb)40z) z-_E%+yF2@1BPx{@QYurbQoT{iQ0CLHM&!UO(ZF0Mf&tzW+Di1TsR+#O<9!>bsomwg 
z!09)Pb18$(!T}1Flh;qfOjNE`E#8ah%e4V<7Vm=HcNP{q^JivE=^A z|AKaZQM|vP-QRV8;k&>2e?oSD&AGqn@4ByYP=Cw*1LFNt&wtCm(7V5I-rs%xw)r>x zXMO)d^!~%TWBWJU_fOe>kiLJ~{Ri9oXZ!!v*1sXXe;+&4Uu^F$#P@gm-}Csp|KH>I z+xFk|PksMF`2IHXx8RrIg~vqqrTcwR;C~DK`^2Ewzcls#4(Pe)|AF?{zm&rN zGqg8mwMzFx@bLwTW>!!~jc6bA2Mj1Vu*)>~$peT%CH*XF2sv3w!U z=xHgnTw!tiUP;J9)#R@9o_2l9Vkj(FuF{n_m)Yi#lFBkQ;W93G{@&>2x{T_2#uE_h zt!aC-S(tcgN$slrVkw(MjOwb*J^G#MhNs++5LMUGu9x64Pmq%8#w(7=)nCw}A;z=& zOJb30>>;=@S_VON&7xY-Lol~2g9~43nc4d-xP-T=j}S+gI3po20W5r-`j$;*gBa(o zxD*>uUq>!L;eZ+|5@({BT!OA|MWJ3KWfXB{flt#xK=@1kNDsw_h zEg06gfEJXDbPu1&V&IanEPG2Cxy0m;UF%e~h@2J@cJI@Q#URd%bFmW9lxSe$o+(3m zDP)7rVJM}4E!^~u5-%EvgHlSvLp#b^>m&?|+kbH4y=%VcZ+`Yaa7=jwKOn41m*Co< z-@a;dXOLRzynvJmS&RSgq3*we(La~}{|t72F};7gp8u=j_kSPbEOh?@e*YEh{sMkb z>eS3Ee*r%_*00~9A&l4X!Nmc-t`# z#x>v+0mKgoT#rk=oDwm^fgY7l)z)OZxT;YIKnR);`@R-wK- zl|LX2iBP4v(sdRq!Qtb!GHK{}nq)LXY!0z(e|$sS5zc68hp9VnXJ9Z>53GA}Bfg-K zDJrauA0TzC-eS_;j&6FhMck1TwVCw>X8Kvskwi5z=Y7i7oBN?CJ~(Cyjz5@XH2Oiy zBe+ae>%)z;Z4)X$u!xZRB=Qs>^GqNhI4tO@Pq;p~LOT!Fu(nM5ap0OLxY7JDktuIJ zXoX0tFeM=8kD7wZr-(NXlN>E?-ua&4vb`L84P~IzkvP8n*~2Zw)j#Atn1$B>A^n?- zyOZeim`wYqtZZsKDh}s^ur|&+3p)@gBm^6whNIc5f7T}K4&h^c`ryEhJd{q2AeitO zY(H3~CuCOhL;OS2igtvM#{m0hP3vB)vk)fcAfX}>W6X5#&Q0FE+Q-iuc(zFIV1U>S zW5w6wRil8aMMD1@0KSk|Xw=!xrx>CQcFa?gusz{EXV!r>@3Z(@xIxX@*#JUE3HHyA zFo4LoOFPKh$93#`-gkNS677jim|<++Ps}y?=BaJa+F0)p3%^yUN4E4|zpp%P3T!N? zf;amvd)S=wIuN|b*TkADY=H4z$!=(kcs}X6{6ME4NIslm{jY>RitL`g@sZAS{pv*9 z_7thJIdpl!2`GOv-hFl^v=n@)yuOm!Ym459WP-j#m#*4f96ew79o+UbPpFlpaw*t? zOY?n*(1}y83B;j^P;g8B1G7^ar-!cB?#@M&q`%w}8!}*zeTB`;KK>F|gcbM>3#cW+ zXHAG8doqa8k;UKy`4&sY805s_R|c$)*l+EK*NVXageQV@+(_^>WsnOh0MIAInz;>E z3+e|;vnJJm_IEZ^9R=1aN}(IiUyX)&^K!21NN;jJYCB1h99;YAUDBrYFbGMJW-z-s zG4q-Pi<%6j(=}_vc~a6O0u|w>ux|u*#Mr{M+lRf1-ON3ZZ@DpRa+|td-&+JEiTtgR znnE{;EaV_+NX)!aX-UtsC2;9)2lAC9;htK}j{_#!PFQcDZTW$<15Sfizmsm6w#8f? 
z(gvJ<*J!=|hDMOpO)3&5NH;y#2bpvhBitiLRFncrqT<+ui4e zNC-&qh8r3=S4jaKvM(ygZ6^d{lKth3^2ZWPp|qlmHp%a5-01e8Viq^+;OIUby3zIrLU5gjUyT>yBb(3ytT*YJEL-N&R#NYLPelMy^U(Hd z^HB6Fx*aZ|rOmnxRJ{w#dBl|}JEi_J=Qgt48JXT%)Tk?0-$qQTi~76kmj1d8=eEmT z2ip1LXai%-(Ec0fo4%bFmWPrz8aCGcMxCY0nl3FCc$d!FBfb*&BJ3i35nk2JZIAO| z-N*Lp*2^|dFwzrP^TF+H%aG0a{=PLy`%W2{9?T_snQEtpNnpYt5GOeyEtxcsW+Tz7LRxHRL+)0G5Vh6L* z2HrtuXrjwN?@d7OUBEBi-|qnMN8rFO_Q2&CSOz(VwT6K3XNR^k>A3fh`2E?gt=Xx^ zW74O)d$(49J(zsnhmP7yJ)U>HteO!KCh0%4B1kWJgbiSwM8bPMg~Dd1o}#IkCERE| zOCslRpqmkMA9IgH?}?*jVDDx`kIhv)!I}B;VC6V>+Pm9;V})Aq<0%9h{wKVW0^I=k z-*Z|6C!0|Z0R9&=qGF@-3&L}|*9?cR+qv6or^iTS>VC~j405%owvXS)vP!R$F}b_L z@5dt3un<;Qqjzr_%oAvS=|0rAMj)~9=ozM{IMn)LCJpC-nKIF-tnqacRA=j%& zU4o6Rw)MM(9%(ae@n^t24J;zp6sT`yMZ=lU+?m}G5E|DT~ukWRie zdcUEF0@IWk<&9!Aw zbtGZbn1#TPe&xDrqLmbA#4s8E43)+C<Go!hhaAQ&ncJK6Al2R$h|^!c&t1Qr-C` z#JAiKSu548q+w|8UW3s-15uukJo1gVbN8vvG-IE{O+@AOY>P(#Ym`l|O*?|+&8%}w z5~$2m$LLx_)TWrn32tfp9g-P&@K$CP@6#PtZ0=QqlAmermUu-l=G)ll3{xh`Z%jxM9hj$)h-xss3+2F~GVn3N5Fr7zt^C2gg#AfB9(!LLT!_Ti5>QJ_WLmn)Z;5DWQYUxCn$=iI_N?=s~o zEs!R+iIoP~C-a3`Ie}m8zRMM%i7C(=hz+4D2LW@lbE3=jIeNhg^FL4EoDZEZQI&#} zf|L)c)~M?PS9&da@ ztc|WnHmI9BFYsuUsk9{;re(o(V(zv2Q~Ia*srz&KM}a4lZ}~-n$emAa0sP+7bO<#4 zwHdL9g(7}H`C@^r>m?XEsqX#vrj z2`C~7<28_(@2u8384}k<8gwKUh>%5*Y0KltdsQktCD0e-TPQz}y(ajNT8?UpO|a~< zpe)ACXE7%agsXm(t0czHXBJ$QkoC+~1nJYMwJi{bevQ7R6<^)kZ6V1LTHn*(I{jT4 z!QwOrK0+`&gk0-EU(+49wPRDajl9>j{fTp7ZS(1eG|YVE4do12BOBWef8H^A6_kYe zo^f>jqvm!$uV(ZnR5YMNoN@aMET!62h@`xNwkgjepQf^cl~18)kM1pLYa{3t{eqJX zOnWkEEMr%7kGG1XEDt$KFj}pzeSVsmDGb7}xz5OuDGZ7#0w&*wjG?l+F$FiLY%zAe z46+&;h+<^9OqFpB#B#`+Os7L2bO-h5V>T3i5;kI7P~=6kdDjNFu&_Xyl7=K_F6@qe z!*Bnn##UG)*@Bc)l;$}-F~)cVfl3CRFUXvISvNr<~w2PXAB6`UvOTZ?9BQ0Mo?Do$!_V$o(;YaRG6}Ue~bhim-8` zppRg(g(NOMOKjGMxfwEZy5O!y4ti25AgmzihgoukOby~5Uz=4_Hawhpr35Pc|>ayx&$(Z-PDv_1%!`u z>@nYP3|_-+eGoqfq3*aPy+SsTa|7OOUOayb!seI|q(F}S5vz^V5c2X>^-Sav{t%V6 z#hmj{bkVX6+_}B8^sx+J(mAs%=Em~e3{l0z7uB%dBA1+tDoPeH{-f%Eu`bp$OXL~e 
zIY8d>E%77j8T6Ck6D>z9M`SUZlydgNm-u$XZoFIi+xhBMJAB;XNH|llkO_U}5p4Zu zSXw{xc59Yj)Z@9_! z)dht12EQ}5>hSO?&leD6)gGK4d zdqkRa;+;Xjop;@klU;n;e`(=+#}2)K?H2>1TNmN$@FN&iL}o%yn^JH`P4+XREqb(m zQ>N7vN!ncz06(6;!*rwWNZG*GcHUlgniW0*(f~i!)$q<2J_f(je*t5pvE!;{AK$kv z&|uE2kKs%*-!qEbGS;VN?=r;N8xpp17W$5r+!=Bkh@UBM5umU-t* zPzvs;@d`ZLh+=>LP%iaIs8lk5PO=x~MRV%Zt_hq3>yKZgKG&v**dPY=WfQ?%Z`5XjrKL$hU# zh0Ecy4buQ^2IMwlUuBMKN<%*bAUKC#Jwjg5<_6EVFuQVQ12iu9DpN0jhJNO0+4;dm zd%1zf93kCRF+s|H>VDvJWX$R|BBp0b`LJAL@%;MiHWwwuB8;$Mug`c*Pa6Z2ctlhM z@H}EZ|7`KQVfwztek&d$&I{CJ@496=u|?8VwBIjv0onyfaf`LJ7)T4l@-=?E7BoOD zAJtqN%l}?~%~J`tlsGn`yR~&sG`KFvk`I2YclCbT4PXZjjE|q8vJuA`Y=k@wOn~-7 zbJ|_l^!e-pt=tp?5GKh2$W9?f&{Rew`54*c;h!!eno;9u@-K*+$R8=aq*sa~e)MFm z08xEHxBM`l+_do~rJ88+t6L{U)}8aRIRL6}W@Qc(X|5!sm5;ROPbT%BTn!}OYG0kD zyb3_mjYy4Tz818TeUX|8X-P}yB=ICXmfB3}{8svUcGtJnbvi?sA7&xzV0Viwn*+@C zAozm4kO!E>>S-#9Zt98Zos;4jyw^tmG#EfK5P3p!G1h!3yu;N^nFwxpu)0by-O@^m zp8D2A{)T`kJ+T!uOYH$rD$X-7ddaDeG8?&Zz-7CPGiVY6+F%rE4_ohE#|kXafZ3(S zQ&J0CgGT0j23&t44?cdkS^Rwa0P+3&wFUU`1P}UOZ$AM)s`-R#c{ghL!)$qjseSro zAtnMw9t)x^De&ASd=8XgpA8ZB((UmEn0{TD`ZCe~v{S;WTy8$#8#)O%@C4c`pb-&T z|D%h>52gNn;*>xGjek@fvc)8${9W_A>k(=6@b{ck4OmE1=t_K(x~5;3n{XpXQp3`1 z*@PSLrk1q%>9QuMqIMx%V46o5s@5Jjse@H`JskpCK~xV=&(wEQn=zaGk1lC%7`4ls zdt~`#`q5K7(FfLAb#C*&K1aoAkK0@Z1jmx7HEXNQFVY(^%}D1Jq|;>-RS{@u z!xIvb(FCEPZ*B>;*JS9n9$mSul4f{Os4;L7_|$z?LsEi*%@I#Fl%<_Z#L@+WA=88|2EawN!n%I?vqNtb&F> za9w>w&LHv14go{?1RoQ0O#t;AK*BPv1bf?Jg1HY{_VhXg(zv*UeH$W&ymh;8q9YvX zoRKp%O~dz>v8}8h3k?*t#1Et1-=m5mc^+v2we&f$*1KI~zD4+~FTvrFFzfNiBfXi$ zR<;8$9K z%Y!GS?qarjsk!;7o3AC4ib0!Ze5sPWY2 zf+Ou>i$$xRf)Gj-Igok&W=nhLx98yV7095RTVCD6nIz$_TZrNy>e?M59uVxyB?np1 z^|$59o&BV%1;v|+AE9sI2yd9=fL0zIL{EhRvFhy_j*4*zxRO9hX)++dP-8;a`m%a* z74_&3c5?#?Ym7z8c{@Xd^C1OQV4lB*a3p{J36=IvpXJQVg9+D0R2r_{qsk@D&WR$_ zB*2tJMr8n%W!4j-9~`l3t!*~Zj1>=f5d;7y--vSRtgfocLv4WrTew+Eh#BA`hW4cV zOsUVJa)|g*f=psv8JvL4E+5O7lmL@S&c51C3d*$s4g!kL4(YgemL*%SmYTFkRDAy_ z*G?qA!NEBP<=))oT5ODMtbX`LmOyU&4Qx$@1t%{h=$i{41Zn(s34Znl75YMqFF>%F 
zc+Nw13OO2cFu9t^>52yKXEpla&VHp&7aA4YEUvi2k%~5-3i|$}gSt_Kz$~;@PY^CA%xnx@%*pIf0=pire3zq5!c^6PH%}PDi+Aq(u(no^J+|6`*X#D)aPjH?3#a$TKl#K5qciUK+p^0f6*JNX+lC}uV z$fmfMYFrXeSLu-fdzgiG27J2_8KI3P#$+{gm{0*6iQhE(m<7<1XJ1vgi97G5V zWJyqVLFrlno|5de@{q3aRJ}p%>7=9gL4-FEL`$fs#DNl_4u#-At|t;3I)zRjE|$z< z0!nu1s}(e+6An5MBz7!Mr30t_SY4(U#$at$09V2mqu??Op`ImN=k zNylmg?`1Nm1|Q>@)wc6GuxUjQmao8b^ingz^Pu%SA&qPPq31}+_Ffi_`2L{(hUkwz zgo*L#%gVs*)Ael?O&3T#j1Cg<0@AmXe>SKEW9t#31RG8gnweGz_Mnv#?Kzr_ysuLqXQrfvikxvqd!BQ}R(tL}H2 zZ$FfBZWZHb*gi#v1)&{;h(;eBMsnDieab12ZdMw)#$5QJjzAY#z;DyxD`%?y2OJKA z)6pMRJKA&MMtpl`8HhQ*@WK%`*qs7ie@)K^l}(Ee{FsQ0Oxp{TJu5O zGXR?oyeD>FnAw2Lopm_Xc9DVQl?^hE8cR zAq&`Ob<6b$FdgRFtHJ>`a`q()9L{y+#?$FKvc4XZUq9u8vdI{g%QzyFmqju{nb!IU zC!z_3b1v!KJRE+e%u5+HYf=7fp(LF9EQ$?o8|?b54Zq`ND#5R_Iu$VD59p+GapymtDx%g~N#mUc4<+n9?0NQD$){QF zKX&(uvD&^{fytmqFC;BtpQ9ffA+5>#_=LH;1&{?0JtMmVuvH&TUwrfqH5fY zOc%H<+w@E7^_j4U7>pgP9^fY%GqGgvg4ovWHhv9(HQ$rJyBJyJ*iMu3VZ?-78Qr&| z0w!4qz@{!Q#~Zn;B8De`+>MY@hY9Axa|^?X=6% zszQMY5&0S_XEdWl@YZyWsFzzfLGyU-i=w=hJguy$ubn}cQYOxbQ-W1Cpsh+J2Hwih zw&IXr4xksIa4@Y3=k%73G|uzT%CF6((6X8sQMv~D0Ed(+t+hiE&z(;^nd^mA5*cQm zq~H;-U*yDgWM($BM=SV{xUC|KH6uybUypSQ=Os+%nf%1~(|v6G0{tEK7`TDYu#wWj zsK=t3Tv8~(q}uh~sX(*{@!TzIp@7M-L?B5i2VX2sjb9;`-}=yw%A;{YrvalG8$Qc& zk+TImY2ke4W;x!Z8QXV?1hZl+Vegg*c6w_9B%;SipZqSxvgy>mTq(HkI6q!Lg@tET z@A_+E2i`6CQVFBF#nW4IWHBYBa>NLs3>r#t*oLKVbmq+cMon!R0+gu|%ggMJLDY>y zcj|6u?@p7Mdv~#tZ36|%J9^-XielJXfj^vmyLN$s)Ib^<^eS9#`fabDlr@Kjq%sXe zgN&%2a;9boY%a$WN}jA+)RBp&BX;c7#m=bcK31!!gxWOnlt`zD6}7R?>Y82aqzeQz z7#=X{6u4+2GED9;T^mn#4o*&H7WDL@k0rZl)nLD9DO6TewQ zssNX@J#bB@lg!zDoZTLeZ!E7z;h2dQ@m!|5dY#lDhP^_Ss3F;~9+?m+8CemT5jpfznp4XW+wrY0$C0hDA$Q$GXA(I2A)zHM67K?0I;=Q!uPBC4_8*50`I_@^zR4Nl%!Ci4L#B#NX$ zFMKeZxsKOl=)(0}X1$&gjb?-B!0ckgMYU?X`-(^wVuobsBXOQK;gAT`p^zAbISQ(l z)ja!xH@%7wggMy^q^oA3)hi*{%q%{*$pB7U(?iKamPdo&K6nj=)0hD)FXrmk<Pd}`GU-!YCLU@rKbm{ z9LgFTthNI$-dYVFx9sky^=s`G1CG!wqrMKPZFz$8M?g8s2~5qH9?WoR$IC=HG93a=Hj{gGqqGKMpx>3Q(QQbH%k2jYF-|hD@eb$ 
znrbO~!Gu14e4AE_JvmO70f2*w6+g%~1v4sV+MqhYP9UqOq?kfaORO=XDc-n|=5~Kd z>70pXQ*R|hMPs4qrhZZjDAW?07Vn$L`V*e@sjqj$>nhP?ckTfgWD2L)r(aKJG_JdT zE9DO=%E+SzH|{ujyG(RW_coE0mXTnPU|L`!6{H|lXy`XCspHm@DW9mEvKqFcvO{6c z+T|#64Kf$9Zz^kZ?eJ`Hciep;UtF!Sx3+569o2j|zu?5YOuZ?7=Y6~w3Nk!I2;`AGac$vE`QY`kaBos20siJAf z!;dmt6{$xNAv;!2)4N8ZfexO=Uy2nJC5t)y?_n-0RG18VL-z3ThxS(#k>c5md&JOd zs-Zj5kB7tnNM}8@8rq@-c6_q({B$yFHs`L_VGH*a16r4JBVdO%>@D=lOKI}C@)8uO zm`<(!HGaU#Q+uL{70Pa5;T^uFNl?oZlF)r9Ujumt9+?A2R|y6>Z6byY95KpaT{m)j zOAMz^1|6s0AT!frml9oEwJZ`9scbn(k{y@bg2#@=A>&)apjqj;+L;=HHw3+4Q?3wQ zCvQ1gq*m>fwDeDH+Yh#we#B8d;d@AN!gxXMnw%R*`yeO!^C^FY9fk(7B?^`{ z8Yy{#d{D}^k<+$GeRk+rOyvSUe9ZZ)moH^N9J8cQj&NSl$^1xaVi!}YPBn?Q+gEX# z%pa6!3?Vlj7ds;;C7n4EJw9ISo|yRlernW9w4^^XOd9u)#2?tTR-`j3h)nB&x(t|6 zXC^Fjw~ieyDoBw6+Addm^x>AiGx+k*`FhBO_!HFgx4WvyOhTXVvV1M^_cBq<^JXd_ z+dqMQ9VURuKAXnSwDeKaqAW72XRFK|*_bdhAS*8aKu)K`~m)7I&ivfxz~a z*wd#OqGs{qn53a12vT8p0#1UFf&n3+hFGmNlC_XSH%`3lwgK?+w1xWEtWx7Y+P-&k zMEM2+720+%WgGs3RI{@g{-UEM;wiAlpJ2f= zn#WHRe}^s+hn=E2pdx~!<|5f2J>-T)Apebus|N?{F0u3k{83%fg_Dm z5l7nGJH9}dHXlEsD|SPGB!Hz}MWT?hWJj_~%z9qP4DEKYZZmb?rTuiKn8dZH!7bA; zsE#;RK~rp6nl9IK{uJFfQM&o;adIs!4}RhDnNlT>3%5DlW=31_ag{k=)6HHd|5&T~ zj%^l>NY`NG07|Z2`?%!19JLIlmvpwqVS#TOApa@Q90&RijjA_ew)oUV#{P0$_D}Y%kiFPKNWY=$@p_XiOT*YE0H3(=zPt2bn3he4fRNKwut7Z-RpcJI` z2{3FhELpRrK;q|Mp6|$7PBSGCDeup}l)8-AR#b%1~ic!V!v7a8gzAqlDz^?-*%!SMc?sZ;P z&8zjS=2hE*1L2L@tDChQhJb@lrKg3&IDT$F{_Rm)m7gq8ngun6%XM5Rk@i1Xml|Ib zoxq2d)8R7sOAddg^Mz*69kHVV@vYg3=Ec-HI{IUlir(0Yl2W9r|BMf{Oy8x$1sAc# zDM+78%V!mL%k`+5n6XqfT{b|V5-p9TLc|#teT((}Gxhl7{LJ393;9BQq$EvD-i9^w z$YQJBQe=yFOZEtlZuPUXkL|=I5jAqrs5s}8E4p|%DlU0^Rn-a6#qG@Y|S-$pZ%5rNLjV_NU@KACiuPE^yz*w z`qA1VDFqui0ikC)SA(O(9;0HCo*y}GF%c1AdkNpJIJOd<6be~YX=?Z7F^?yVI@!n1 zB$^EjNKUN|<40}%S)4Z~2F)ebt^rY$5_#Q~UzcusrQnNj*lyeKtBKUF10QpTNCONi z$=yXg(g(T^W5*;cufZWKo)!Yi6}oz!6_u@8v*nf}X0T9IW+uEn{lF!;MLY9h`Y77w ziuryE<}87gWUfq)G8fyiXyTDUkwKptH?~)K)mEjgc%s&r6H{oSv79_FYQG0#JqEnA z@YPC~MV&7mMW$z<;I+muQSQN>rT^^HWtud1ZO3yN{az)RLO<|i%E@abS`T{L>Cv-N 
zzpm7)M1Ov5Q%w8jL-g30pFnX`8AgbL?cmJuoNeH`(yNMXJGjEb)wdGKIJw}MYyPcn znb`*W0gSHYC{)prv{i~OL*u|nk+@(ZWPyy#-&Y2Y^#>e;nBdZnP?MfPvA~_cIdcK3 z=!B+dGiKt^CBBnccXVwe^C9?JG_63~1LtgW6pRqRB=e^?VAW=DyeAbo%jHGzA1<+_ zw8Ag_wpv31?u>EA)D~ujP&%>UVi?h2U&Fz!!P2EscX`+Fg$^a+m8q*RIv+lsVS`!W z9ySwS_JRZpfP!ZoTBtRe?zwWy8l>*_7Tp`rv{oA}X8l#P-?qL7`@pNoK+)d%dz58jiq>f{+{DJ9o|r^J zg#+y~LlL7msJamx-TBECfzP)R*NJ6R$d$~uXUm<~P^e4aOaF1#1sl!fB<}E|U^Xj| ztN7u-u?@+Aa#vg^UO*KwI6Ry2w#zj{db}8$u`se{p3l7%KlHm@mb|2RRQCxe0&Z^9 zUJV*p@D8N-G{3U4RY7S+Iz+$BOmd!tWM9FWJQPaik18?;hs!ZVF%$@0Q_H?${SD!q90((p~W>pQwGoZ zuy_-<8vDC)-7PBQRnaBFMaQpigMEDt47StukMN~V^b|STeqwwIQ1=1NKZY+?K?s^C ze}R-EiS8!#YZ8!h_yyaNy%44tL^|uzBjWq_=m*%pl}}Q}K`)RDUN;tt=R)};Rtp3j zi@qp2pfrtoGk2u6tyFPx_L!KcN@Ee!OE-RfC)@ zuBj#38>h77wm!d##G-YLg$g^4!Wmw*^}N{u@pnZsN@~l~%hq$5P4F%!SF#n_@&q@s zLU*wyeP*JV(%e>?;5au7Dr2?|1VHu03$WfOLny1Tt_G+%cFOexV?V z0VLoM2>X}PgwH|!U=<@V?_C^Ln}?GxjW#RAh6mgJkuu2gblj)un(!$Jh>pQ!1> z4VI0T4P{la!8W0dity`kag)Xk8UqU;e)(Dg|4J%&y51*&4jx&yBfPC8a8}WOXzs9* zGKD%N)Rlx-6LX*@0s_%%SsCU#VR=Q1&4$Z-6M{pU%GJ?fc(sEqBh-<5eVsGQ%OFv- zzBsL;{QYC$gJs6}4QMm=xUajcyV)RdV2?>YkiCgQD#dks{H^<>+q&x^=au$rqL0&v zDyr41(TEP|b)kq&4X%f<=e5MAxo1|5E_w#-8m@Bd*MTZ46$h&8BgrT&Ix%kWqj-fO zmD$8)?n{<<9-GC?%kFft6gbKQt3N8J?1`#10e3aB;pPll3mhbZ2)4x~ezbE;KSVe4 zHVeE%JBK?&H}@is>A_s00*{Efr^rEvw*d({*<%N;Qd{>>$7^B(?h2v5o^iksh>zF7 zoeZa`f~9PeU!$+qHi>_3*rE{SXf6?x1(3GDhgfO&7#%>2BQll8NhpPck>+BQc!lfk z+VAG)sOG8UwJX_H$f1)$4+EFsK{vyhGzj>>#3{TAz1ZjnJtgaXLsNrO@cE`dr?_F= z0w^%E<>PVO{beDwmY0n4d_lhLsw^sv+I;j~=kiDOqHjhpo9C~=&Atpe*?!OK-u8rR zN9&Vid#@(iN8FTgq-!3S=f zwD3bDvFbz{Em<}WirFLpSjJ|xs?tU#q>)+UChWg$Wz`!b81|>-tp6CG%&~9#5P&8K z?W>A}*FvMkA~G(#Wcv(kjwz%TH@M)FGxxk|6@}I&WYKfHRoMM>I1$Ozk@eHr*jy}9 zPzj4Gbryc1GA1)#bGinZ9f*QK1~APpQyIfJT09rAt}Wh=62iZ=T1)4;y{z_4-A$-V zkI^J8P-}9is46kHy&s6bR7R$cowqnGwwq_+s4{yF4J=Nna8%##-*=Ru!E{YG)tu*! 
zEi@=n(MrB|7&=cWK5Ec=i`_$Ab*5w&2m5lf#0oRM*uRaoHz9jNbtaHfp)F9dlve%G zC~VW{+OSLc6uM_d#gz0(GygBpbYV&&x0?U=dE({OJ5PQ8@sZsJL6ic1C8l{_q z1;*E8*OT#K-Kd{3B6Q>2^^h{_7d8^8+Z<1ebAW8t@l~Kx=@tj$25WWm zGvgvN&04Ti6aI)Y;2;yXu*4iImvr2fKu}Ucs_PzYui;><3#`;=5Jf}iyAUDUnFU8h zjEW&IG3$R*)iNn1ap9GG3NEJ$BTrDKS*)f=SMcoUk}hC~hM^^L^G6Fi70Keg&Qly6 zEO$f7u873aS@sLm4EbSLs0?AT70Muf*7mY=3I^D$zfUMo?!5YA*wk^`>nUw(Yv1>B z%TaY&eo6Bj$~j(9&=N)aeA*L(^)>r|{Yl5%OPP{QaAoH7>&1SX)7wX_tIV)*rjLa7MeF@m(Y{( z;e^f^p#T!|mHr%cvB`DS!Qkw}$gK3@Ki+*6`)~Z&V7obbsfYv%?qR9+kTB#$Mc=}#jR2c-{ z4;Ekd7|8DVp-PF6%r&Ep(8xK;^i~x|>bn6sPpE_u{ zqc-ARlU=vE43^&a8E=2WqtcvUdsjk#uFnm?i=VNJi{)Q-zGey0o>ff)pwX(WFSiOG zhZ%DfdT1PeO_Mn6DpnUg9e)F#I@CoVJmxi(gS~6z?QQ5=71Zjpm9s#nM1g`!q)+a@ zBFF??MVBrXd8g~v$o4IOA1r{L`&kQw-AJ#Y?Z}&)ke6R+ju*Brr=rZLUbtkY=t;j) zFxX@Dn}!X~%%WmEANyLgc3f zUE`LeWWphhYaDs`aa#rwb z?KMe zP7^E-Q^z&J593-)Ur=ZZo55n+8ce3g=9Uvtx)6QlBWbm7W6Wp&bqC~CN=a9lbK}MxjiYsBoAbr|vy(6GPqtQpaB>8EOUuDL@k}32;!b+lespCJRC?`lFO`=Fl zBiL^)Udpq!c*rdDTXcRprW1luilJvM2v+><5BDy@TZ$o68z#0CEA)~bJ+v*Lrk@?r z2ew9zDbA%u=esbrarEx1Vr|NlSz5N9+~iXsa=FJ=a#&Bp{YA0&iM7>g#>=~JSJA@T zyWz?wcxi4_d5LOtSiaULRl{3{_0epRR>9%>;(L*GvRCHwLrkGP?fZU5*_8DeGRRb8 zChH%bp0qclq8sUg?~$6Br?jmRQW(qp{*N9hrB4U`bN5p+r~41I1ZO1os$dj!Z~R!Z-;?Gl%|<|kh-)q+J^cHS1)y8P4%H3XeS!0WFWVm5+Xt1 z*P`Q;Tbwi4$Smk#Fq%Tt$5~yf9@q8Th1*vhq8_8K zqo2eN@h`^)llryYwQfF^p9-HsulcX}FPjFf`>nY*-NKm$mCz3Tk1>7`;8ZPE(3@yt zmaQJtma->^XXuYQ?Q2{xhj~q(I)O{-HJ0EOk=yWXMDJmXyno^ zp}=NY(FdT=usJT?Goox)%OH}S6uQwkpV87ibf-!Nz-LRl+Ul7SJgTcYhfw1|x3fl{ zcChweI(=|ifAt@42v0`cerT1ZiBt}&<9@0>uV1gXL=A2_bf!ESbt)B$+IizL)0CC! 
zLL9;=Rm;4nM^+HffQ4O^J$xp|xB6s#Yqk0lPo>W%&etze?Vw(Bhv67Tm6A3}wXC$P%wKB8wQ*dAy_qL0wp89) zMZhn#E4(-zleTQ`b8yTHWr-s}gz+RX{|GzWq0>Yt`Tb(|tkct<%chMuUR6G)0)1o2 zLa7`(Rc(RA^k)Pe^B+2mXzsoqSTbeFN`QMNC%BWy{J=<>6=Z8T9XdHbkTv23{1w=N9Xy#t)n zu4gp=WcJ;&CwmZ6va}QPxDIvrrjZ$ZVb0T2NlHFmAwm}`UqGvK(jtrwk?(Mvo*?#^ zG*6YB-*?o7T?wTT01R#BqpDc5h?XcVQ$6tgKtXKe7Rf^$EmT#W8DXqmV}*(RS8wG^Xi32 z2DNGruhn?RlP9L=eD9jXZNc3zqBa)1~X#=Q^8R{JcO33r1S`K*Opd1-JGiee+^%4A5il(9XNXC4a>ZAy}fuw9n_3 z8}^Hm_b|?X@}d zMZ%F}axdQJPpVp12Ie^rc2Vr~1P^n&OAM8*aGO%bkdt7i8uK?Y}W-?2G;) z(w-mq+%+JyztFrR#Y_4!<%uZuU@0|I^>W92i=4>9N)`%-8v9fwhL2RrzPD=VjC(ba zwX)N!W{kC=Brkb-TJfmUVvW@?W0d64^r26k{Z`?-F`!rVpZF=&3xN+<9c4XaXk$;i zhU`7%+1!J_SiN}|bR@lKeJHr^EGU`E65;kTIr>)dx-Z>?nyR@xNi{G~@>B+HCGx&) z!f-#(=o?)32zXoHo~4~-mzJne)1WWE!!N%ZuQd-8S|Pd}o}^MvJmk2ByN=4$%V?%? z4|hr0zeq>Zq;>niD?KN%ZyXvcvpYgPyw{@9uDIKNZ^|A$oB`)+^yy2o{_1BH=II0! zJ1sV*m$S9O=7#? z#98Aws$$xz{H`>0nSuoasLMZ zI6%k0kSA8Q_>T$F577|cLJH(z)(99r=rI(Zmuq!1%FBl?bj~w-pGmF#^QL(p((=@A zKVPsqJRz`}@7v@r3J;~8`hDvCr~a_eOVU!E)40?s zHWdMuqY7}GPw7&*MHfdykik50vO8Kribb|L#r+;jUQrY{x!dFV(Czl9HGA>tyuEd7 z#|j51Rc$!?mrQ>kwab02E7@BV^%a+*X`geiA5z^>=r6O|EBj&C;wye)2Qa}8Q$$JmaKVY<6;mO_?pK7~{RcAt{P8?Z?z zi%fMEPkc(mFQcGiIUL`023;CUN}@_-RHKPHot`L#7I0#JAEllsk&mcF3*|YFa-M8C z?eWT!?a53wSTWK=A+@51(Hst_tg?&Y;m|iaH?fIoi>Xjyh z7guQnjW$ur-xWO^eIfc5|NH1i!bjRu!YQo=`xweiz@9O!z#8-sl;c*+Enyu+03?IDj^0LM+`DL7-SqV1ic;^M?7+- zN5&D)j*|bu4zPO$>%muD1F{_rc=1^m@FRm3m^J({sF4|3bOi+w zg(9L>+aeUq`U{2}wnzp!B4HrI{=Nv8ZNnGEzyoYDT9p3}w1`2{H8BJLN|bP+kO_t| z@Nb-U{hmu?7H$hGr}uw7w@n`o)4b-Uuk~7gQLJq2aBNP*uGjh?vhe@Zhn&qzRsaP) zXNFuac^IsxDXe+xs1t7jCm}b0q8uM^^&CD6iZDx+G5u40u9M%>X?=WMbIF7UDh$Xpiq%3W1dxRPzz6b{a^m7R( zr@6Tik(EcLRxXCF1G8C_F@EraQb>lFc$rPWf(jEFn{)BZN_FTfcIm#p2>256sy$bM0>)`^U4XBX>mbmd?_;KqOKTz9iK{8<^0SB`+hU>}h3D;j?6Hh~4GaTtcpzC+EX%^|R+j-aMrJ*YmW=F@5#Q@5*o)O@%4i25}(uNGJ} zwM^G)yvwkUwM8T)dE`Z_*WV9|>9GJG3$zD%0{oG{YXPqJFTerJJ3|8?!T>NJBNRXo zsFRIFIDv+rYb4tQff1Bz;(XYWXOs)W1cYl)E_*K_{6Fb(9QYZ!3m;x5s!StT5YY 
zEG&gNr#b^na9DuRYIloP2TuCOvZZXUJ)6RctljU(*K0iPWcoW9Hi(?u$6&@HQhnGS@sKQ;ANOR_D~YC($geE6Xv7fQ#13biqyo4Y>AYXHz{y zrBC+v=`{j7`3`tfya*)28*~YXTh5|)Ht_q*2E+Ic>-dSdS7boj8y{G6VV@&VC6|YReqH!t<*d=I}etz`g+M-$B6MPu`Vb?}Eln{V?K6!TI>y z*=5|2|8D;y{zHBp4JPR=Qrxh(YA$zymjed#fuMDQ%XCgq>vM^Lkl*LW%S#dr3x9W; z@Hy)c$E(R++Q%ii=cH2W|4ww(XteTTrIk6KRz_;=jzDkMILl&Es|??hY~QZ-1eU4e zT})&Jucxb`I7xtSr156a2*}|i700`is*@vq(5M+CaeJl~0+<<4QrozQaaI}3iNJcv zmK<3KsS>sa)|~nvJ};aj3!h8-=KDom`8A8~{mF8AnJTp{Jkh^~znBT0VOl7yKfQOh zFDJWXEn7)oOHqCSIL0_ZhU16WJ~t4x&EU}I8w-quLQG{ohn`c~Xcx4niGvyn6GZG&xq99kbhFrFQ7D7(0&kIc%Ipjkoe*vAleB z?0oP^M`=mW?+@$>Bm#^l9SbM}JEU@2j(363g+p2A`>}qDHU<(->4ywQ=A?c{Sl-D?{_)dkx4ZOm-g&nqV!5ITy{`UsF zD7MaELjlzWD8s5Bi!p4aqIiEJvsnGOnDQ-SCtcz8SSmjT-6z}7ieuFDQ+k{Zmd=MR z6mBmaI})28vW|TztUbMMqpvU=uJEto*Dc8RT~L z?(WwzR<;hAsd+12zmnQ2w{q0%;bEB^WegwzYvEX4@6OhXY|7 z3uQBm2${_$iuKzZ%r={Y;0C{tjCp%;Bu+y)ms4%l;FTxLq|Q9sWb%tKQ4)C(Co}e$ zFs+DWm@tdTDz3PrK(>WJ#Vw$I_RkKE6>tTXY}Q3iAP@`EBS9LJxdZH8VBbL|+TgSn zVvhV?uwhxK!D7aE1Va>AyT$5;_y_W#FsAK5_c?)sVDf1th_ux*a;Vtha?-V`u|vw& zm>uQ<96PHvw~=Y)ZnD6Tyd3Fson5KR86s9Q zMC5^q+#0&j9YRXEMi}v&9Ff^lYG6c*$eYGpn25e;5H|d;7o=J-7r&YY+41S%u zL1;St%QGqd@#Z26MkUMBmqVV`5f}NLjB#amnjcm@qJ2aZE~D#JTj=#Fp;4{RCwxx6 zQe&@WUtGq{sK~S9@)ED$r+OGxIO{6?p8v(zn*g>^o_XW*j*gK=*XX{bk#$?LB-@g0 zIRQ_|ePIK+Lx>A0r`tFwP_8s?IYLUeaZ4|t+oZdtP}(iI4=BZ@fu1SZF3VE76uSSE zLLqJ1P5J18o$vR&BPVIU-S7W7(afvSXf((3JnwV-p6AixV%$BGsx*swKzL!S<&YwO z)KX;=aw{=7hg$DqQ9`Fja^9TN?(P5(F4Vz%5=H?NMvCm{U||spkHz011dUjne~U{W zhrmF-0c@F*`$qr_2Q(caGIL8E#m&UT2nR)qmc2dXcyV)RI!gG!WIKrv(w$Scp|hqr(FL;Ifo%k~dLr`$O8!qiWut_9L~CY$}!Jqx!zI`y5Y{rgZMlg(n6 zfAe14JMzYtz^h3#MA$?3?ubyqt+>CxQLWq*x-oiV?2f`{q}o_ADy7m8{Qgv0h^yuHcwrzt2)JNc^0&iFY|Q2-J1!Ku*~vju&s@G?#?}%ezwD~F!M-<7)k~!S7(qqWXOdvt?4jIuI?iPLX7w)ismxvZ2Qv?|uZdsJ zJl^qi$4j+8be!pMpb9dJh@JxIqO-r!U%NVUT~%&JY%|9E$*3#UCS(gy0ou9~dU`S% zOQkijoXup~MCOCpllc}(s7UR_hq-$#NGA;!*^o3W8O9|7uL{v`#p;LIXEaw=0ZGCl zVt|MzSUfz!xk?XK&K+zBsmD{|Ak+#mbwKH18tn1oJ%*mTh0~&i-voDN%2!jr(yc$(`rS4)$aWe~tW 
ziHIT32xgvU1a!?~g(aQ=&{+$?J09!kOrX?#N4nb0Iulq_+REKRI#W}-x)H!{fyv<* zhgTf-GAS+S!N5WJ40GRJU$cPe^dRO3OdJ@VI-oRbiVIT(pCklQSjdFSlmY*E6KYDi z?20i9Zld)5-jP@r_teIaoc$jMM`B{Z?jlPMuuh$n$u(2rUUqKirBaNnjr{+OtR)Ib z0$9T#>J&#YU5jeYjc(PEP-3|y4Nl-(m1e(x>DZ2c{3Z(xe{$pd7kFdVXP(`8C&F~M zA@n_U^Iwzsz&CE%ayU12`#r1d;^)|-pV+z+DVM_7nO_@Cm|6P72l%`a_I$pKUMMa~ znsONnLeW$jWP_sBjXE~-wBtQ}JrP6HxIVN#ygsr%YBo7cPN99G-*}_#M#qiLn_Z)c z(d1}#w6@)Hk8PV{oAWN$w$h`RWt2QpWW^(+1s7QoRzNtJ)49@Qs^|K z3l#BTTB5Cvusa1VSz1%7?x)@2t0;Qze%$@4+kim%wnNEpB}xiq-C&30&I)_F@`uV9 zh;`s%waW8&V-PB8r3PVdtbB*f1AcQJ4?Gh3bzNx_rsB<~DOqOoGc>naoY2wb!dDxUQ!+trS1l&ea{b*qu0u^DOEIxO983%Q!c znycB37pVfPqnfwT=nRKDMX@uH@OAbX;?_>Mr~bHqq|@NTtni1uBWEL0=Y^!Eo!jK1 z)WLqpI&LMNf-%fe+TEQHbw0`GGL)wc4;6<5B8?~OS@*5Wuf4Z);hW#RZ}A_#GozmT zek2@6@IJEYz{r-*^!DeczIOkT*Zyhb*1ljQB}1JkZQFIl)=MtzUcBY%4}I>E2Vb?C z1`tO4=g)p-_^vfwSC4nfNc9Uko5}bGXQ5;=d6JL|Kf!!e9 z5WgW|sip=}gQ+i>z8HPf^!2DDvUma_TS>LS%6FyGQYa0Wi{i4R4vQ0-7amJN3pxip zE+{KQD9;Yav{=w07Au#zRxVzxT;^Kaf`McyK?;MDz9A%(#QMapgfa1iSP%kd-bR8y z9GU?xivu|NK6L|(fAX%J#yrw^Tohu5H zaA`5+M|v7QwC00iBB5B4AvgyPj3h;e;^vZ1nV!VSKfnQxh&WJKf_tIQGv3Hz!!z_6 zzv{}_yvb{pJq_i!I{7`)l>c#kp}t7UDW)Y;&n(OI_r7;}S}Qi%o!*hl0eEGC?aXVY zJ$M2Y_AOnrtHEq&uhwh0u6=5TueD`?SiNBGH!m^Y>M~~2*?d>JD?c|qH~(;6D(0Jc zaj15q?RM9L`KR;m=FBslx+5%^jD}Nf?c5#ah2uGuhEb0BRm{Q*)(#u%kNfEkWAHln zg7E=aQAM(}6sy&u*_#%m%Bq$cdOVSj4COW8_u?*TiuAV+;zmdJhA1LKI zAU=sdOk>jc2mBVXm(}u*^E<#JKCMI7vYPRQ%bf& zDA=$dI+#gQD@Pt6ZULOZCK3?Q14fkH2?0lba@A z{^_s3`rs#4|5@~Gxj36`WHwLk8T{$yMK>OJNzB5#L_F(3Wa8Vzvtln%%zoKrPKr9l zY=3|y6a@4C$ahQ!%||3S4<0dpLwd~rNWk=vH0~Pr zJQx^HnXdD12;OMCRUS*3)&y1thf*IjUniN?N~xyN&~Xqnb}Jv8aHcb=2jwVCQ5o5ltRGvrTgcB(rLfBzUJf!;W%G%Xfy6N>Rm2fak|m&Kka0*l@}?T5Z!gF;ic|UQlrgV_7hWi~U(r`V9~Q0JKi6b8 zEy+4kogaMfW5&;{@g>s$k6A03uIu0bjlq3mN4#N!d;yh4&-_~20xE49E+s0}>GPnK z^%ZkIlCk9OKpTyiwH7tnJfaO4N04f;IlzhaEV+iQW`~4Mb5==~Yv!ipafZB2J6=(e zj}~hk>oHoxg+HdffkBV8QC(zRZCqu2#A?o&OO~>&U@v$Jkz%yHknij zv28(gnR%78%CcHsWnUFpRa@41oq2;aV!JkSZS;ojn~gV{Zjuw$tm$7YZ=W1@tLH+d#=W<16Ne0eKtSt2GGu2EZH#z~xYPtJXQz 
zIo@d)>|EbD+&RkMyw-WD)6)5d<+s*LZP5b}+Y_RSWRd^UY?^(@ejKH{9_gQPSiF9p z&Wx0J6;@7!6x4GfQ>`>flfQ1A@s+~4lk%`Qcb*$qT3a~3{?811KF$;6v1VHE51vEf z<7pnoY(g#uOen;}z5+642NJYUYgi;h9@_xlflMCBLuP&`j+}#AOsvm4oQu5x3F!aM+t_05bVJ(GxG3Q(P2E#~)9F}d>O&oN z-`pAOolv8%%xu3dsIYy#;jp(TDw)1|2QxCU91r9!0MqB{>AT*0(s0%Le{a0{W5FE4 zcD1(j$0j9l+vc@hIj_TG0S=>9?A|(=6yLg|7K9rqOY_yEQ`d{bu+JnxuP+wTs6dI; zU^L|nBH%qafqASb(_|nr&>DQzPpdI4-P<7l->6~CU>q}y8^m1(X4qyj?`G)oGAxQ> z7)}?4*xS!hAq4Is-Qi341w3?Kr3ud+Ap)uz$EOB*K+!!6dix*tk1&r2NZBdGF%{fl z1cPW^N7Xn#UgGf70(N-nSFCO7dLS$Q!fQe-p1Mv%7#LUbFxQqdnst{|9JVrCi&@G6 z(r7~UT7zc*rV=g)&h*`8-Y%}cK`SkR%Q2~@QPY^oIA$6*iMve9w5vvcu zKqt!>rQz_3Q~HJA+%HzB;?%nHE~b^#Liw^V=}#et+#>+DkBb5ReEMR%xR3^3i*Y3j za3#Mo-SF62)=y~rIV|r@dGMxXyGbhni`f=1jyufhZIf<{S13cnApiwZ|AC)Ru zi_Jz}C{p*bf*pPIPH8reM_k?=pk46(S6nT{;I!r^)v%lI+ufA-T7riV_foauD}aV+5A`%QEFUqZKgI;#AT0C*@TV; z?%QF*Jk4#iRVF%E$8c8YMt)SijvN0zo`89I_md25b>U~iFFKn-HklpEj%STp_Ec6J z%d)IOJ7u2~XM-X9;N4^s)n=~I647e2Q_`GG6+XK$34m;NN@A1%IQzocALhXsFzDtI z<<^v--xIgOZfgl<;Eq6Xrza6dKe=h()F^2Cp|0>*jXJt5DFO+ zcKGVvI51+j*Aj}JeIwP1hb@l%BQ=|G=3$FQM9lDJ-s@n z+3XKaS2Q9|12Pgh){fA3e%-T&@90@K;{3nM^jxt1_C)a~Z?C*;Ae$4bxoma!&f6}Y z5%b7FmtyzN9KE`;pM9}BIA=xQlDj_S4u9hM*`0H4S&`X(bz57xztUCjSTSBqUR1h! 
z>PL6Z@JWuDeP5V!KU+65Tpn&NK!pVH%zMZ+J%S9g0I<*RoRb}U5|Emw0h@u5YVx5B z0}t_qzyhyx_yz{=bEp#^kfgxiG~&hB-);|~VybBMlB((UA@xsO?(+-LtksrU4YP>Q zO#`o#Kts@qIH$i-noynt+mo#0^<1-Ub)&yf{&tCC}1Gaob`kbalMJUH92u1C$?WVqRQ zk71kf>xOSyr1=u-xA^joS>A+iPAG^h^JqYT>2~%^I+HYm3}Y^N++;AlWk=KUP{wXo z97B##$GF2dhQ)3NirXj-)ltK6!g1UoIUqj{&1^V^v(GHnR@; zFkY)yNB8*!5y0T!{t;LsQ4R~WPSY#Mlo2e8Dx7f7GS7^a@~C3uo(_(XqlL}5`@z5a z`9IwE&7p@^xYSUr-O0Qi-5+YM{rkV)&}bCIcaHq=pHF{&tiRuI;L8glN_up%F!}FY z-9LPK_ft_HG?96rvqhMrQeqoX*2`^xijlv9O7oe<9LTz?(r{`N0R-H(12jFQ z5QKbTzZYH*41Ro&=B;?A0TT%(iPE}(qbE5r9iv>VJsytK{z!XAT}aat4mwtv#F%%P z@iJJy%cND&RWa!r)6J$aVJx*j`mB0feNFg{$=Zvag)2hKW9!qyq2bugq0O;RdOqzP zcaMj@jzG)f>3!(D_yg$&;WsTOV!u;QvyfR_j}4YV_y8cT^nN`Zw<0I<>2ID#Y7n2S>>N9yYMt8kqEAdt06xV)DTSD=;F=V{_1 zZKgtq&T#VNCU}iEZ9d^?v7vlf{Hpjz;)eU< zkoucegMa$^`p}OPp%4xqV&7wC%|x*%4H&6T^3d$4|Q2sg3@zT znIO4Hde5{#ywrnlAwAw;ps&V8<4lVWBNU&s;V`xUmx=+vP|eG6h5*W$m#cszVkwe* zRMl#w$oJtFhaQ*aYK65ZK7}{n6_UqCger{v`Sa^lJWlN* zBrOhC?=aqB`lNBJ`gnDsDrwcRswh+g?f%ko({jtQ(ibE&6lH3)SDr7gkiTSnqiB)(=dmi_#$CCjW_P8w`U!IrY4GQ~BT$3Gkx3p^e$B;hj>18)_F%sAJ5g-V^) zhfqIcc4hX~7BXe&$;r)>kWGKk>8a)v30#FsTp;eL#2Xj9kzC1W$!BwxqAHY(SQMnJ z%Gyn3E^5hHNqHAw2hI)1zo5d=5Vi+=Legf1-||gP;pM{?(>V&~rBG44hHC{LXaKFy zGl^Tm+;{Z`P3eZ4;uS4g7k@B&Y|$59d-wad4npikN)G1kaHRs#4%^hJih1T$)m3xX z?jBit&AbcVd-hp2f9W^=o=e~NUis?$m^;1cN9?6Jqs_raNxK=F8eE^{6>)UFE$3#o*V3)f8lyrIW7LD!Rr~8hApGGy6x8QNk4R*k}!Wtj=MyI zmH5dFep=LHohQz>4knk0%dA(T7w&fN_V5GVuUWq)AGRE@?v{Tb{#Ja=ep>cfj-&0l zbX*cQ(VFfZh4y#Dsjfh;q75-L#^j|0g5^yLV_l54&ouAqQ zxJGf0FOM>!0qLifKq1<61=z;G*1!&Uj8FS~V+55Rw}>_1dSA5|6aaj2C6?WQQJXD~ zIsHaqJJFS)ta)lq$^|wEPQ|G@4X2#UNoQiky>!k_%x>vSFkhBVZX$(g6IB`mz85il zJR>kNcyco)5V8|C`e7$f^#zK8ZrY5A3vovz*&|D0_Nx760f@OxtGTNJU(&6KBZ7oq zv!$DMt)uC{3sIMey#;dk(u!os-l+aAs(;pcC+qKI{WB|nr#Y=nKL7z?)!lU9#r;iW z;hgjx|-LlhbMWBY0Qw2 zApsP~!R(0X(fl&ouwmPpyE~HpAAjlLxBhtW!RIEou}4ix_^O`E?i6SI^u`;ny2ZEs z*Npw*EhhcsvHn$=KJDY=CmIA^_cqg~gpxSxJgJcF;PYXJM*4jR_a#ITxpA7A#aUz) znk1PA&**oWhZx)Gp)D;)k(s7HE9N}elF25}M;CD0!z{YjW2TJylM~9sz%gJo^hpm> 
z-h^^gd5-=;eZxI!O?yXB$&FPbwrlBGx>Ci8M;CeCHt65yxtl4j#v%(vsT zUgj2o)7eqhnVM!+%yanpW0>K%XGOd4KJ@|r13AMS!yNm9@ZE;H?WPBftlF_PHEtf4 zc3O5?zoLA_y}QGzm?7WRx34dWF^hA5!t&WRwm*StA{H%~PV7uPjq(ESOg6|$LooPj z?M08r5wKYk^p*KJH}18ta{-&I#vnr`Z`UKY=2)D5yf9%XQ>;E5WiSzY+OcXJYmGx)YR8 z3}^IAl;9hfgf$N-%jY*wHt!4MP!%H^D8z)kFB9V)Q^LWwkS-w5J;4mJKmb}vB;0t0 z$U>0bIyh2vo6jPyWFpZn#5eRrd64M&Kt`m+yHPYBadjS8*Q@z*RSrh3zuV8g9?M>M z+2kw5!bRb|dsiLUbls}{dLr1pD4EPvwAkB*C6iwtYb$3mg*jJ>YZlDh{@t7Abo3<} zsSkO*o!7j0(E>~f7fj7F{1TSM4D|F^ZI~qb)jr_~41F>8K#u`QfNRB@+iylomUeT+ zeCd6vaiDi_?Z)1la-(Z^pgz`}!Mj2`8lSxI&bd1l-!u66;O9dR3?4QfG3^iT5B;eA zqs0?zkFR}g?WwiVi0bcF8or+7TGJzzMLh#iAzgkk$Odk3UU*jt& z?5l;w7qLZDgLM&V2n{SM6U!~)$ra3^c{f_vR#d)&y^VNq!~6iR*wU%l!;9o# z;{{{ENqgcW9ea$y?==tU%!QlOwY9a{+FiKkrnU6dn9W{a>)i2$d2Al{c+Kln1I!f| z4Lpy@R&nz)p%tfS)7K3QuX?2L{*x^3H|~sL+lo(TV|CGq|PUc%83tRIE>P zPX-MR(KQ;bTeJ2Fc8ic=@}BMR0_!nv*hZTt!B^`xoh)rWp_Df1873t?U4N5uf~Rmn zlC>rw6se(<69v5rPE(fWW`(|tsR^^v{^wJ#rbNt3K;%GK1dMI}^VwIk*s_@zmK+q2 zRMSa*dhsL#)o)w8vVU%-5sL>y3@(ta&hE~7r@=fcH<+tr+jA?j%VI1x1C>n{HsH!gv*MTsKVUfZ1j-9SyG&yPH%c~7W_<~p>i~pS|g!B#n#}e5`G%0e_e8|7^d zjGz^Sc_ts3rAx{#2%B!*#l~w(MU-Rfub7Vd@DRc@hKDDbkx#>%PPa@*?p7n08!t6L z-VVx4r>r#Ip`nMJtp~sp=g8CJ1=wP zK;{a8%#{YYspejin$G3e;)ZRr$T zrD%;|L6<0$4kH@gMqc`i;uh6Dt-T@l4Z|96WnH<9&vbnGN*~_l?pf zt&gdeP%(iBJqnYzbrci%MQw61p)5+LiizA|gHx-d8~MttdZIChsrep(UnMj@w_B0J zp^SB0X1itPl1Js8^7FD0(cz~wplwo_O0r|9W4L3q!#LJ4-XZSpV3Zs`(Q&-P*fHGu zb=bzOx@FLpp;vE)-VCjQm>$=H93R~uNjIOX4!%gtgn(l-7c+%pfPzG%I4KVh5qgzA z4%kNQmo!{FU)cyZj|?TkD7mr)gPU9-dq><{b3lC^r03K~YakUtcZgHsmp_F}WAG+H zdq}mFxP6SRaFtJQgqM;n-S~-F7mr50PPwK{UFg@kWJ7XJt@HXt{^q=?{tME+kSiJS zSDnmb`t;W1cMhj+hOpt zgTy6PRM~CKLKyr9--~#1nmJ!Qz43Z$G||4<0Y^SJIgl?m2*srFX=e@7cYimhz7G}=>sj?+iPB~ zkrQ#3S)?Bo;EHLJymWc*Xs8cjUXB_KX$R*Xhe%A~;M_x3rgIMl?{My+Eu4Eop-lQb zj^V>&IQLhM4IBgUaVmp<1vd70h7D&%Gvk?EnNt~)nic{)v!-Uxu0*X;A`&Y&na}iT`e0^z`;4j7q`IOBa*xbh&OY$@ zvKn?}MiKeBYHA+aVcG%OF0xbSXj`)tyxi>bCg~}k-cLfG4~X0`(8&{nmo%?V#X1Mb 
zWF?~V$eAhr6%5|y6pg{ZbBe~`B@`3{;U@)iF;7%&FJJ={zhWTzGX>7jW8?=_UOc7? zf5_8m@-00Fr^~@FN0>RxO7uJidK-??UWin!G*lWdJ?eZkzN=(b@n)=KP_X5A$q=y= z^6IR7qA({+mtgwl{m9qCkBA44V4mb1fT+) zwz)HvcpVg;NhZft=297TGB~9gRFw`65AdI1BVz}3Z+q#VQ$!g&jfMp3SuiDUUv(NZ z0yPnH-oSwFY2R%=7TwRO^5o{#Xl6CDRW039YPFr((poUV8_=1Rs`!imTaPcqOg zHcUO65U|{jwp>M&F77-C$6XP<;y5rtAS%?pnL56BWnRxg9y2@tXiBfkP*IpWY0Sx}vkZF#KLlDX zJPBmgs$8F>Ghg=W3AM!ky+}YeG%gt~zvR+y5 zUY{IMHo7+^9}=x^B~B*AG3&>j&l#R`y(zxwI_ds{$1>m^2n{6r)Pd$a*Jk-9m!&GU zD{5BFRhx*~D3V`U&MsA!sm8RjlC5;TuKZasEp#tPK4X1G{{LiC&>B#Z@nmwYc#+F& zbGy8bh&}E~IFshf49gKYTdgc}FY}tisGOHbUM3n_L8598<~~q8Qw(w*W$}bN&?Mq^ z2vyk}&fD$y>6UiIU9BnH{nxo(g~2I4Ghpyvd}gRrnteo|kdx4>c=(p|sbiSZxJpF< zTuflva>d0&)a3Un;bbHcu0U1Fx5=V4A(N(*Pxs`jvl@w>IYL#iK}KcNq)%m{nuKmz zW1Ao#S^q?Z}QL4MB%y3EjS#~D)ih~1#IJkRhBGxnhdYF2Er@2D9aTn{-%vq?xss$LA=vD z#MLMEpn3w$T+<}0gXU~ZQ4M+AH@i&q5A9AiXCnbazJPc8M#6cT%Xs}nc!r1(Na(o9 z+Cs=f$Gu9Dms?|`>p|qy^Y9$$)f5R1alVo__~s(JC6!~JzVt)0-g@iGwpu29;neJ0 zv@rGCaAoOKWnS8Eb2-(BzunCg)2H9x^uipE-R_Gc;v`mP{9@|gZckO6awfz4-e5Po zX6pFrz7We~+_qrq62nD1=SSV?QD{{cK-+UcM)~!806ji^LK0t;~)uL0khlD z#z|*0-DDZyu|ASUhsJ{w!BeQzjt9SQU|yZpT7Pp!odx$gHuMYynHC%h4x<9dcyJeX zln1AJzSqZH84<#IFq4B z0kua>pMG!FioQ5kgbdn4^9iMZr;eG)T!a5`rO|TU%oJSBE$G$U>m79Shwfg!1c?^< z9D>2`_=BY_nv0%(t;F{#b@tAi-U|bLFWRD|Xs>y*=Fj5$&Eh09i<8i-B}m>EmoJ(A z9tQfHg@Jwm4E{^Q+=HEDI?R$1|9Xjkz0`|`jdUAKM!mei5Z=F_@f@Ds7#$ezVc65R zdl3(&B^{&J&5z;c$8bY`c|$*jTBCjN{u%ukYC9bR?_btzbPS3q^Y`zAdT|^z5UzI3 zT|i<$oxg0kM*CEkv%%#Xmv2R9l@;dsouO>m2H2lTNB^LDF2$Kk$COD-lM@ruwmxk8 zmXS|p{`9cL1YiYl0!0l=h!c=4b2dz%&BWnxbem+7mMvc)g*xZEIWM?X9uike+^{e4 zZKd8>{M{`6Zq^c9*YEi3qpGWLpWfwj6CV)MVDKmYX>ac;JcHkJPQpOvEezh}pDtOl zdR2?15P`xe(o(^h^A|1#^BA{q;2Bg-LQ3y;EMB(iX~1IM5a!}l#jAGajRTPo@`OSZ zRmLB%$+5b0eDxm!hA{}w)#O1y0C*f3?-sR~K#`C4_qX*H6P*}nwzeh3#Qa5V?jlM= z8=U*orD6ggL&yH~tYTsw2HJ(`<@u$vmL-3C#~(yL+NHy*Rv#AEU>@9x8s8gujcbNINi!&$D|B1UCra{9L znkV@DOq5NfNs+5jxVh8)*Kl`Reuy@d+;e2pxr{vpAfcCm&x#xnZncf+xplpohS2S)|B8vY0 zc~hNBnl@9aJlNB?tRvjHcxuK#SA;9vc^C7Q#J4xNa_t+|-?Dh|^8P!fZeF1V;JXMa 
zY4;HO(oty7Dad#C(sdZL+3bjEUa#TU!EVh;IdhX?V0LH>0c zc#WJEDl6FF@{b(<;_^2;Bb zfetUm;P+aNq(nf7a}gBh2a5AU#Eaa|SmY{vaavW!fRsg^GN+41Z22!urlS;vn3w^r zLksET_GD+5gUWj=c(vgL&!c9|xH4T*q^#o)QMsGkj0#5~{*|v000g2hE`Lbg9OaAi zW0Kkx)c{SsdQ7B~kNF97>c@9wD6!qV+`{FHh07XCfWvSCd{Y3xBEWP4z&FMDo^ie* z&OeOv3#IS#0sRmLe*$s}gJPrJ5;Fh4ZbxXz{SEjXEe(S8;qb@C@ zjWN92-7xQN9B+ub8*CUGCK`sgB~VPDa1*&8i^W7{QJbZha4t&6i;1-Eg6zz<&#EOl z=fs3`S2w?-nRFWITXHavk;W}-H+k|$QN!zbi_toA7*kCqh!-imtp;@6RGR^!jh*1!gvI1pTDNSRwe+Jm+nmI@zImN+LB@2>J^9Sy6*KRcx^-nT%pH)fLH5xt zn?5lWUl)jjH|K9)%N|}3AqNe-k8=r|3(j;2ak1k(-6RG@lvvQt@n$W1R3T`;Jz^wo zqYr7Id1<4O?`8}F{jX%9byDn`&$un;;5oRBl|HBaBJ|}bQDMaB<235CqudX4NT?TB z;^5FXXlMjH+MeXF89wC^<6zF?KSDT}xt=jUdn9l$@GSe0^=SMTR|Uu($_(2t~B7k+bHU+vQV*IE$z( zV8tjTVdQlvDvKJh@Y{l_5H?{!GDUX*(g?*(fNKYJf=+=*(cCwQH<@pfZ*$(}xg~H@ z=%$zjS@C*4yfvn{n^C-g%Q>~jriaofHZLF=4;ZB&Sy0{=C2=e*xCl*Pz?LJ}4z~_( zq>QRK6wU%zgh#VP;rPdHxcT|5&);^+qP}nwsqP*ZTH{zzTZ3ZO-#hh zj=f@6W>sabs+G@%@^;b{H!qc`}!qlm^lEn#~~#i>z+*-S^bUD9fxiUAe2i% zreoM>D#G)V#U1KLGj>`%Zo>6kn!2-k<6M5@-V5$u>IX}^o z!$%!`KVO0Fxb<*ULM;$PznMWG5J-l@xK)JR(HTu?@!%Tf8+-zxtAyWXfy*rPsYjTf z9NcoNdUUSc9OxOUZRj`8T1oHBDwnDZ-1B&3mqX)gr#7b`;YeU8yhFn2vM-|HfBtOg z0-lpse5djJ>eH7s&2La!zh>J}He;RuW=2b0O{sO)*Z&GXQhTmG>ZE~}w%7VHa$Pd3 zI@i<1FUM}iga|1RFCK+{r1O!_M3>Uzqdipq^%~3|{*VL(W(<0yaw;QIbkAYCAJjNWCvY@Zq%G|({#El}x{6MuFXuz}So~C*ga_-xdpEttpBw|y1I^^$ z{@`}jt<<^kH~vx_in~ky!Ec^@o>2GL)D|F&w8&?Y909f+Nm7_g$;3tTjHUxl+RU7V ziX>6)u1#I>+bHYzU|Hoe2Qve-E~q#4YB|A~w$H|Q*EhUH&P+Z2*ZPqq3cV_;;2qL1 z@hI5A7k;;9ozT+KG*0iqfVNkY9pV& zjqT<7-H}Ze0Qj3VO!UA;?|1HUGYKZ!B3_}x2O>dV9^IeT&CQtBabmihv~y*{lWI74ICtsZg+h{H6W0Iko|KDYZ| zlSMv0!uW{6-elR6=rL*NE{ohmqX-~=b(v)V-Ha!MU|wD(b!%r)boL#fu)MPI<(5uB zIdc2Ud&UDK)Gp!|L$JBA&8KQOGKUfJjnY=7UYMQ=GU?u(PIzcpL$ayaxhGafUf#gy zs)Guu8c50$Xo8r?r9(1Gw|`w?yFNWuxR(TRIXmu3Ae!^I5tM|i2&5jC)UZ6?9jK6& zs3}3WHXrP<3mY0_7j(Ytlb)-hfJ-e7be*;G+Uhq?ir?PsF36jxclP|kZKXFViY}LY z+#F(xd~QpA&vcKC_q{%AmU_?Y>^n?df<`wkJUj)`mhG`z18r1f#$-5{j(pG?RKgX# 
znk%mSYA2_>J(h=@8VQ5v2V&~slG(1H#uO{#;^@f->RwN`z`#-Mia6cIMJl}$07@|T4fXBIWElcmY@Uk|s09n41UztZ>g3@Ktm>x%2 zZ_fO_ab~tAiQ1mA1so|SLel0Y>0vOKH&XTzZ1IY0KFK!qm}D(p@TjF(N!{DmA= zXsv7O==?fDBa5Z!Fi@41e)goZlS33xxu7;yXjU6s<*mc@wzL*oA?7aQf`gK%wxAh@ zE)q{(w2^gki~#0UZFBVyPl+#;aU5v@GIDUcaNBs>O#Rug#A=fu$p7Hw_r1lj#nbKr zy_uh)-}Z~w+v8NGX{LEzSIx(M4DAuFO<3C?!!f=v`CR?lQw%ODxaw@eyuuJp;v~P# zyW$2CGl&nKOEDCB;SqQh{1|-sbLq|O8V{*>epeaKT6fQT$^q?>cUEi({*B+@t=E)Z zlM7jJ=@5u?0~HZ&n5JdzEsE5;D2ux{1)?8SMmPzv%06<667O@WzMuNoXt8Gr9t^z)?H)jrC@7~ugoz63l(f5|sSEBT))u5!Ey zm$b%IXY~wU}Y5nvEJfcIL2I!ifMPtQ7VFt^DyjiQqdH z<~3;UEzrVsMKSwxFH)r-QxUOAL%QuilpdLav4&&7Rc;WW2ujVT87C^qTDg^ zbr#*UYN3Kc#-LXjFgX`Tb3zxvl|llv7XCUV=brNn^%!YPsS|#;&khu8`&T2s=Xr@K zF{S@pywq@y)6rHke%hO=_^5E}GtHG7HD2fb-*WsN|IdP$9-(@s?+X95I{~4Xy4T#d z2h!=EbJ(8Q)$QJt=8j+l?_Os<6tgTpau86VPb7P6bng3-egiWS(6z3&Gf!MUGbN_N zcl$&<$Qhq9a7<5Q!N{E%aMeyLxqR7-J2YfYv%j%=? zcIMTlj{yD)z6Bqg`^1mSf#XL^a~0Kig;+!h$F;J#%Ke2Cq&|W_QTWirj}n7{LF=Q~ zH21KoWo})TPnNR2la~m`6RU!}@Wgi-`K3~)$kGz^cKjs8+JpVu?li`PC4;GlkRJP< z$!flPlY5`{+IQOe32w9pa;U~`sjnp8|6(o@rN+%AT3Ejb8K7|=mrqE0!9aP>t6+!u zS5@+~Nfk~M(-<2`d)!Xg77+C8gRL{g+Jzv9mha=VPi&~^wSKd-tFCfor&yYQmKSAqDLey^y3*#z!)zDxUkhuPZVlOd>@UahhS@m$&LjtX> zj2zQ}COK10o>wrY(`?I_Orw)>BocyRI0P6mqG$oVoM74t?A&w5ad_{Hya>XczfWMS zZHtS@?=WZ@WSc{>B>egmAB8uxym$x%QGOSdr<5a>6&%VFAw`Wf(H_)mI8l`Gwu&6pynA;${+xr1{g~wrq53tfJ9ivqLEMe zaV35=ci+)yeI$Ed1|0{jpfvgmm*AR>C1Y}LDV;N&fRw^nL5nT^{?d+Br?E~`!qXut zw@$WcLz!c9ilP88JS?^@w-m@ykdID~lH&lPcSGnBi9TAlcEyU|SwRZ~>Uo?qzX(5j z9s!^^;0Bnj^np(ZC)W@>oi3(z?vQISbrjQ1#JHpoN#&>_K@de+j7!v-i82mTo8)Ez zB35YQ3}k944sY^vuybDjS#p#GZ?!{)4q#c5LWT&rQ5w~2=sr~u3fcWk`L6qx&*)Zh z=0yDtsLjfG;6fN0`zi(>`)e(?C(}N&F?#ja5{9>dntGBcIX)Klxh9bm`tx0evfbRB z z5=WY_VMe2sh3dgCvG?OZZXzTP2Dj>o5njVM41yn_nb{p2aqX z>kVH8R27^f2XA4A)wP)AwGLVYwt$4~S!Z0@YN;f#3`WX3;V6o?du9w`A@UrD%eub9 zSggzNQO{v_0YIR}kpW-dDGdu&d>lSHxue{88HWyw73aqtC%HF{8ow5N>+8d4*_1tK zRlG0Mmy<^-ivxuebxz*4+sMhTmP{2C(qA`q*qnl%%T0NIKZ7aDs|o@GH@wVdF5kX 
zOmKY}7p2@wU|O=}K;gBaVOxOQF=TG9cWG(rx6g2Cc{0D7?QdUpf^uKgt#0nUe==lL zl~N@igywi)bbBmF4O5&Pv^&+LYvcKlyhxnJXAP%ZO+OrihmhKoH_b8eGt>7r)irt4 zvXn%%f75x}@9!LF90?vdH#t8^9!We&?4M1*H}cbb5WPnZ{FPE-z>HV6h0$tM+RRWITDA#s-A_Di zW=a<5pOnX)Uv{Pb7*(0GF)=j#u^_et%QuYR= zAF>6sdzhwG&s1LWtsB|U!s*3nvM%mjswD8NxnsDj08iF6R76JcV>RD&5b z3#6MBK*%;C-KES~{#Fvjmf1{hnvYp_xX|5XY zZ(7IwL&9Heb=cS9DyblPd#!O2V;Y?7i`GwBI29*RxIl2~!y%V9w^T;>VBjG!!P@9D z5bFwzDm`<=>@1S@_fyI1aHDW1aL+AUEpL%6=)dSs^siewsKRU4ncM(0ZEM{n>%Stb zWn=4^46qcywtU+Ig&OrP^ewPez_#y^pq-_mA}_SQBW@!u6~1K`)Hc;jE4{4^tZ(lZ z@ZQHJLeXv;$L$q1!Q&N2uGq zB-o%(J3>WB@$A*8K9dSYK?xXmakj=t_kw$htlvD~x}shjd-Uwb`ea;%>*I?YYIe%p z*&A|j1F3E;U@1lby?vxTAo%L7+>E`b-?%R&8eKS`32fX)b0da*o)NBJQoyX!WR%!w zB-6!KRxM1f0)2W`Y@c1-Hw`Jms-6to`LJ6aRh-0J{0voK#W4S#iS1lS zEh2NP?g@NA!oc7|+L5zQhI{T0?z0m9R<-O?2y&HXePGj)nb+m-x96RhR$DcU9N49D z?~0B$Q8eQMOjk9tm?t)f|jQin%E@f0kw3@ zqTS=?d{-%;u25BUHE`UQz8^1v+DGs39~@KHRcbh6s(s`;gxu9s@^~h90IheE);usAi2JBsxI}U{C+o#MwU0x zGFbl&YQecUn{uJsbuwBHI$lx$SK_^H_m>kNUFtO}XlF&<)pHpKMR2Y+D3iAAeA=ia z`r-)IDYLyNRt~ejVliRjGiPYKKAmsAR?wR=k?DC6pY7sbfUapIuKi#+)Jbjo;Nb+P z?O3uyup4jm!AXH_B1d5-W;{6-rmFQ;I24W#)%95m$+vqT5Z<%>z%IihmVbV2ksr`P zI^b*dz|OE2yg`{d+dO60;ltm+TsYOt0CC@hWsCx$p7Ge$2vBpj5uK zL&t2V7(5O`>E1jQmn8}-PSotS9)>$njKnS=b@d|UJ!F+cYg#op=S*{!LYV*#Y9*It z+mm58qU+iRKUh>L;y!k%`icVDCVs?E(ARC+$7P{w&#KYdr{He&cOi0Y$g!Lo@qN9% zXR6{Tut5XPeYICGPFQcs`F;WU$6Yo}#MwpzB9S(2e_RBaRw+SBR{kC zc^oyWTF^GZyAKb)dqw1@di`Gg#$4Vqh7>3G&iC#1^9*IHJGc&d%?{GXM~x`LKXQNMM&(Y}qr##WW(b@??44YmU?3rI-{&WYPaisJ81&A) zmOZveo2y=cm_dNSQcqdd5mVZ?heBlr!>5)mk2&ew3L~rCZC!rXWKaw;gXd47w~@cd zyLUl0>UxMPn!O?)f=pTHk}dji8vY!^;X7jRfC(e^OO~Z0Z5z{Nt`;K2 zAw1E=rSb~Ot`BuWvW_6wbJ5AGGkL=goC}r*pq(z8DTVoJvBxV`tg@^Qlmp_xtbfDz zc${?_jno*I>h=W4z`^LEcT9nj?El_?1Irrsiw~yGiH~qZWc&%6jlvhP&5p|rwa0ld zK0O$`KaY0CgoW(l@)|R1eE%%KjdACozcNGA&G!%6=pb==Oh~F*vAXRjTqF_(H_<3N z+eykTrWkBlb!fl(OjU4s4uPL~5Q_$F6ioAp)AiXt$TKqDFW)tTx!QMGEhxWyr!Sg3 zXKhQ@&(0vv63Yn|TSNFPg21P**8>Ky1>NL&JhqvU%Rks;ym4hr?ywtPODl*#pbt`m9W)8ls* 
zih!6UuxAXXyX_)RWvfs^R}y3fhCo|Df{Y!tiL|1$bt4YJgW@i~41%s^aWgR33Wvfr zM`-jK2j#YK8y>OME{W_Qe9 zD|6x_hZF02IrJ0t2=z+6IlC zwxBgPhKqH}F92IeFcL9Qoi3$nKrWNciOyo>IKw!ivLq!}YCY+>zGWV*0vWQ?dJ#alEAEL> z9>)O~ntP|#Pz_HHj?$8lmKl=QnjU50T25zG*jrbaL3Q~BW-p4ZN{Cf66w%BBqC9`c zFn}{>0UR^>p8no!aV|PJtzO#A_ZRvu=F>*iFZV##ujGgfE`o6g!GZ223PXz>Vxt8| zwF|Wsg5%i=ePU7r?1=j4xa)fqpX%5HsRvjq;G8lVrl*4M8V_R>woBfbm&6y@%?xH{xgvOPN0mb zowcGkuZ^LLsfg*n!~W^_Khy64sGB%#mnncE_RKR(vnV>02FM+c zpp-mEckY*tU1q%44oY_S(E;APMV9;yj>6XjD8D^ z_T{mbS#sC=s~7z_I5m@Z+&O=mxN=#eFaGqk(O=y)^NOcxU;ODQ<*R8G@A%4o@zgFb zCgx&$PVQ)rO)b7MvMN=cvbxE9yQ&^PSo&6nTJHYC(S=XTCQI8z?~}MJ8W{AvtcIm< z>!&R#jWS13tso$Mh6d^qcm2asm&lznw?r+Xh1yA-T_A=!mD|YgGu*5Y4;){?Ry1fh z3jk7$h6+aC0k=hkAct6!gd|U^ss`Ez=~g4f(OrnH2u6-#BGsu2;3<;g=$}y|H2`R7 zpwj$xv`wW*P?=|?9nY$vmy$1~)*qR~9;eE%4wuNfb$?z6(f}oP<{+uoKZ7+)2d4Uo zMXCv^`j}#ZdYYJ26@>nGyp7KPCd4kr?qxLkvWC(T^UB`fS>@S2>tK}MG#wq5;R~SU zX}kLWjiCQn_kS(m|Ax^20>Hn3kTbOX0oVU0a{e_Ib7umU|3FAc$lilMo0gT8gMgNq ziGzTN;m0T$8CY3$3FswV3~elp1?|jjOn-nxFX(J+`h!{yPDTRye-!^i&@wTy5zq@8 zI!KsWnp?O)v9U4zz}m&sR_&i28vo%Eu&}cKbaylV7i|PAOh1&Yp~ruye--|F^FPLH z%0$4%#PAPl|F`-7%lYr%|6~4)1WYU(3_k$=A2cv>FmkZ`|Kp*%%hN}Dc$uHaxz?pw zTK(PZLaHOdM!MxlbjN74XQzSNkpP5yXh>61h(IntU?2fu0F9!k7(vJa@_mIZ0;Zp^ zxXqN(*78q_JT$1(LPATDk;JAzZi>d2@5uy>=g!H!H-GMP?DGV(c?z?$Ik))?C-Z8m zeUA|g^&&%_{VW*G0=$05 zN5XP|2blPtDy*#@Z?gP5gkz0rF^VY9Xk_39E5(J5^ zZ5cGntu5c8GzlzrKf36|CW1>Gw20!{@DU!HmKBCHXD@3pmXiI2IumPjR=5V>7-F^; zTZhR#kL6O4c@8J_Wh!ETOz6D@APs$hNUP)-9LS13=d>Lom2EeyFp>>zFk zcPKf5iz^b?R&YBcxxx{Q9k({_eYn2t0Avkhr#CHaZv|o^ag}#Eqap@v2Oi9&y7<|O z9@)atveR*(HgFcMf_V&QlV2_%$+v^s+f~IM4i!ov?F$W9ti6W0NoZ2AscI`(UWkqpC%>bWQYLaS(R4kq z`5A4TS17KCzU>#FN8@Sy!=nZqO^ClCf0l>@4xaUS$ z4SMGpK@A3Y5Y2kpqBGDRqFwU~ALFlonLRgemPHle737zj66mO*!mjWsZ?MQ0aWLNi zi*IoGD}?erqSjwTG}`^qcxJdPmTx-DgIzN3Jv;%8UvM_lh9K)pw$sB>)-kuMcdG^@ zLxmXJ5la`Luxcv})=qGx5pJ-=w=L)|>|;P2aK9eO3df?wU%8iRE-{}#H3PpVFsCp& zDxsYNGg|67Jpy<8Z&bt&yj(#V_yv-Xu>F5&c{r`v)UL;@>j$5Ty|@qjq_=}91>7Kd 
zFhtY@8~rogJ*cJ~eMQkLLd(N#UY)GBXP$r2xHO-U>@2>_Hk$=yVbg9FFX!7))GYYeQJka4%~ZiebEEiL5uOmKA=0wfR|J++&^MR_gT^^ zotg@9JmL6c$m;ebOt@R+)5Tg7uUxoWvv+IOYqsg^S}&42JUpWtay*l#s6$p6EHIcZ z8E#d}ye`#JPEG3*&#f{_D=~m&&i^*mdv+O79F(uF_INjD6wiL9Qa+ zBBNy4{pIfc&#LY<;N*L7+GhO z7;$gImfC=N)nUhPD>WeG#B}We?SGm$5b&|m4b~bta$s(Ky7yrQ^@7Lz@he3Utu&H~ zLN?yV5I1^IiHaGP8)~z$VHt^Tk^i#;@&)*!$+0rQu9y&F@}f!uLSEQxU*=&C5R3Q) z_u~Dt>-6%?Y>QwiY*q7Lh2h@B7qRZzea;F<$RUPC6x+PHpP(N4c6a{qc#mOj9; zd2}=tjKr>jbj8pg)zKl>UW*G=7n7+SwU&9mD z9pCRAp}}!8u0xj5ap+H=$x+<}F7eiVyDOY!us4}H6%Y)%Kun+;`Ka*+?E~@hcg{I~ z-rKIq=e_D~Nt(%IujwRp!;$0qg5BY990pXj(r52aX#X%)V;6p77gi$=P9qOWBTn&6 zJVhLl6oJ*N^3vUV*-?AhQF+->O_{0XQUilkI=ZQ9asorW!|+rodWB#70j%~+Fs(m? zwjWwc7g`GsM$1DO?c#ty={Er;!A|X)w`%Wodz9#eMg()p31<{+H-R~EXd#X`JptNI znskd4ahD*d4#_I=CzPLnUu2N@U_qr-upwY32d0v>8`VNPxSd2 zcu|t7^tTYw)?xs0dk&iczq$vvZ)np3M}l)40_KLhlO#(FU%Ye*5KoTu2ml^+K$x>6 zWIedEH5Fh_wze~RU#pX~9MD!O^>&|LYiv@*#-E$QWK&2n{AZN=Mwb9+J{f> z$Q+DXe3mpHED2?62@FA!_985T3F*Aq$&xm1k*aMHZ>oug5glfVpMb1M^o9wsDdF$E8StoKFU ziIkT1K#49IZ(wouW;X(&>}0J{+{mla>IQ^*JI<9ZnhhFQRNV?%`V)GG$t$F@@hb(y z==oFUtmu-HiSClWT&*JMWxjN{QbC;;wtoI)%~~rk8&|T3rv;$n=0}+3g3PKWu~4e3 zxF<#+7NkyYXN&K#dS(sDOSt#gsFOR;T~^Q3PSMV|>Q0hQ4?4o>ik#1Iy%g=2Gatpe z_2^Goz2xK{f}Nvfauk$gik%@V%*X{0^FS&feBzDycwT}Fz2GL)R>o(Kj&nBSZ6&60 z=VfyeZDppX&%NnSxkb)!KV9tHTu9S9iLyQ)bUcHx(CNmlj^Hv}r%0XAU0(vSj_fe= zO%!(_vQ0?sV9ao{eZ?V)kJ$Za$M&MIdslYld9*itY-7~C7o%#vhp|~ z=zl@HDh;oD|L9Hit!U%d9t27p{&a3MJqb;H!rfSt3Ioh@l$N9x7Jgf(&6^jNxaL}diY27Y3&TJPHw%nt5~+@K^F#gJ z8|_vhk^Nyywa^MpFH?Z)kv{-%zF1)-L8YFTU&4E=Y8V)ZA8|*`(lNDXW8TP`>y6f(=_^0_kP*w`;Ts> z#*@!ejqIgv=33`5_5HH@G;isznX4=AB68f%>@;VvFwR88B_@oh2X~L5e6?hk4C0=P zpjm4O-=H+5PtC@y_~t&wiVBNb3v*2Z%M?@523x90cU@_l{N9 z{Tn8pRDC~Cys2^1R8+FiqxuJx)(rUINyMO7@H7bKuweRodh)86a`I%Vy@W}nY~L_1 zuMXdfjv$1?u=LC9^WLZ;r9PEi(ObC(Ez~F8iaL8Fp61@OSLIo9-j6b>qgcTK{(Py| z!noVfJvo61_`ikK#?|Cnuk$(eImms!?w8xhH+O}o#;D{}FQMgVb?T4GERU1BsO6J2 z2IG_!Pij}}MiM{H7?_~|UrP)Gp;43jYZUc7XeOe{WpdLps9u3dLISj&>qp^rKvoqQ 
zLlbpM>UHOuPv3tiiwc~ge5s1Ne@Se3R!|@GLQ;dJe*kYuwmsiFlg(PtlR5c)9zyOw zrr=VyQ4;HBT?W-X^RT$%Z)J|@z~rY|lp~T6q)(A{Ge}Mm z`WK)%#i=C1pTaot9%h0b`i+I&=U25R)+PeG93SeBKOU~S;Cf;e=jK68$=#n;jsGzr zJj?chyCEn_za)KDq-Lw~T#`5%cUK%VJv6)Hd8JJ!ksj;b04^&|%@U@|_KBe(?Jbf% z1x*w+VQWv)5x*vdPe31&^n%7+wjc+W#MKmJQ^s{&Q1UxDL@rW%FWFxoPbD8U$m>FB zn@xmoPcj=h6c-`9u|7T2f_Rrxirg(eBy>va683G1xgk*t&y!|ETaEkWL%G2bxfRjF zD_>gz?s;)Yd@2j9DcNGIsVgep9{wbIRX%Pz6!>L2x3GPPcqe>^^onhjDTw|z^>CBS z5WX)bgJ|1hk>YA%;D(uyrr8py&9GhG}2ot=5b6qk= zsMk->Pj;uzXF8Afp>@mkqwc9>ymEerMKeOeRyn_DkvcW7F{>mUc{>93gp)DGJMlYqCOKe=bg^-^4e4Gm)mPJN z41d1fq+anti|cuw>eu+=sFj*e#jn&?WDHj|dDOFh`+zFKO@wNdcuruQahR>fIi2lX+i~i1h*KXIDTZ-4H*BI<0==YL6k^TYxy2$fg z#ji50J_Q`#Mqhs<7fq}h+?-|)KNIccV=5aJL=K9gU5s3HW!&wK49^$7aXv z>#k!edlL^)j`x_U3|L?13n-E;A!)^LW=ee@q&hNpMDg=$7x?EAA7I2en9+yn$CsU* z+lsg3u7$5*><>+QvU?+TC%+@UW6dgCzAQ*K+e^z^1d*=9t z_X*-lqyxG-Gc6M9)ehYT_>tmB-G0%&*=BzG4*INpZF?QN>78ws0ZYt9K4!7^FSG9OO$@DsGZj(0b8)wzfX7OJL;Xx_l+7u zq!XJ~1GLyH*gx=nh1J^t<_oSh5kWRJf)!Wi()G^wuH$JHtM$qE&X`Vs4~YMRtT*c& zaLE?G`XrN;-AWI9bv?q3ZwmLsWlPZD1Gcd~DogzH5I+hO%rlrJ=LgKt#QFQuC{Qg zd4FR5QbnPrUbG#e=Xmb%`>xEPSMhe-Et2mHGMS$j$332|N3GjZqAYV>K{~<48w5K{)9sX~ivm!ty5Iha2p6x(JjiB@{nC458)?Ybz!+3Yl zP7x6;6yu(ZzJS>UNIug|Ab)>hU{ zuBoDsC!Lg%M*5qE6CGTv;Hb#3_w31Qm%3<(ZmSl#Zo+cv8iYnJk(A^<$qY8QK4hSl z7-v3RVc_V=iIn0`YRG^swh-0m*kGt;$JsD5pc2r2>~BB?Dsu!aLlvqmAua0JrVVHA zze5@(ewq;C3*lcaeGP9uy6g~(wNn^M3n5NKfpGm)eFbHHX3)mXZ9KWLz5PoU_2?mP ze2vn*hD|LgQCJK)h%C54&+`=Fu|_aJ;Hh|UbyN!@*gzL26~|IhZMx~Vt% zldC%@ar{@r9nF;vW$hRenM|n)%0hV$8MTX<>$&y7MZ+mQQQ8%ykuS$g`Vi_om!iPgH?Z_!YZ9EBn|@Xc~^$Sf~3>AQ7I%+H-P4KSX7I zFTQIY4SFtPn>U!AFSnT$o$_PDR`jQ@rWdguv= z-4IO8R8|+bYqZjO7ngXmW=BQ1o3CI4(6K-GIoS<9RHEULxdm~`bh`Qv*D7H4Le_T3O{Uu_bE2xwR!K?RLYKlgti0W%GQE>EtnT-M>94PUc<}H(1d14q=j!ur0i8 zARK~;o9^?~V&FD%^?5p>#RYqjLW~<`;x#!S4Ap(KMd~YVfD66bP)0whSmRt*_^kl* zlW%Syn8J!`R7sOa7_t!}iJImCr&Rs#FL4whx3YFDR>A1nU|ktmY68OOgk)kJLRpo+ zaHLDLN7^|l`OYE$3=Trtm z!K#A6WLiUr2FMHfgeGuX(+;c-%?{fe_{fNK6fE)1uSQB>Yn7g{CUGfqI$|r<=!u*# 
z;BC@~@_+S-?*Y*P==O4yE-nRqz*a#n9FQgJ85~XkQUJ{9&UGMo)YP#TvK`!5z|oQR zkc~odeBlTd87Q21iXh&oY5)ypQ5;7{!z%&kkjMb{9M@ET%>}b?)GP@!l`K|A^Wg>mHA_xSpd!OM&WL`V{P4bVzhe{L5d0uW6=5UESN7 zjR3!4@6vVD(3azp>c!^a?Q{RR-)B+RQ&!VPlhmhxE;vB7fYc=^&Xu!&Djj4Oyh<%s zu-r9-Tqt*sMC#X_=llClul(k3z@Ry!1L@znEiz40=<=-(GEH%8!NbhA6_rF!;ktpRmT`ScPNk?`di_UXD)PeWlYTb0(9&o3&bHS`VI4{0Pk>fOHg2 zS3iO77`$$)oyuEWq<$P`fIh+5KngJIKe&y#6(f~P(jXE}QX%cy@bZ{mWQH=y1;*$U z2pL36&U0s!xyVMdQp~!J8rJ_B-}NnjJt!@o=KTYl?Hj>fF(k#Ls3w`Die#E>6SW{a zRki>x!usRrGBvHIksWYpx`Yfsy7`u9 zPTxRL|+WJ;$aXvrO9jhykDUW!V(#e7(wpS1W#aT?Nu@{^IY_ z3d<7v?JS!p{rkuP>TZr6o@Db%jBd}-iE8%iD(gsaFXK@xxK7K+1eU+j9^SjA+u(Ib zC0GaBmG{fD_!IBP9HaCxwivFsqt=j;%fl`KDZFpe+G#IA%?cv?D5Y9vj>RJvGZN|8CdY)bNM-YC z%e>p%NTf!DU+yEg0ln9?>cO9`hqjIL;0?XhF%W&71UjV%eq9nOtNCl`v~_?o<9|Yku#yjq5v)E|(Fw>tX1{ zc!x`p3q@Ej7k)1lksWoTR)^g`J%jh8$DN)t7EBow^I*8(JhL7g@`zzPx%Cl#`0~3D&G_uk;QA_pyYHU12tU}G&|1!5Ug3ibP74R|O z1sd8R7g#iqS2my%-z_`L3(3{Ook6h`&^u)|QDi1rOnf(nHZEqnjW{menQ@z!A-SSRTNc<~yw&(8( z@vAv*xt-WeGsftR5e{bQcInFoO&x_I9{C2>FU88%wBKU(^=UH1F6Bf>=L2(@5X)z> zXcdIwXP6EK#NGV2d!unUnCrd zeFC#*Xs#hmfr@?`K{E|8+!=N?GL|){`Yr1=AvN5V)!i$!zg)$zh@Q0UR$HuV#$!*m zCk;2#4_C9-y=nNxDq|e=s-o;1>I~P^3!Bu-o1m5q9L{pv%(Sa{F?E=*Cnqk^;*kx*4bO+COm;g+N3V&S<5J|cO*hfW!0R)IK# zRHE2Q4-d0$(rC9Jo;Mgii*s;}Kx`C-ACO7&PQ4$&AG-Juko`T)lf>3BL_VDiVdQ>Y zWP?a!qsvE>*2j&2kJKyI4HvX|fJz6c*YSC@6nM0>ETJas7SWMy-C%)*hE^L9lp}ah zfl&S8Ox2`KILF5~2uV^%QpGY&7Sk+NRI^k8)KYOwgK8`P%4|-igyE~_?y}+PT2mh@ z0qpQJK#sme%nm(E4-$)El2h9=)^nh{f$_?Ojpi z{`%llewa0R2Yy%j>v6;L^8i@(8 zTIo6>f=ql9%Q4cU*r(AW@gwPoQ_(%vbZuZhZ7RNuMm$PQxqcq|FRHgJnAP6HFj(xi z?qxnB@oz7>L|Y>bGDOA!Q4=~PLv&rYP6}tIVCv?L|HIlnMoH4O{emyswrv|-U0t?q z+je!?t}NTOZQJTHx@_0f{k-Q{FV4)I`7j^%%7|DiBCjhmcf`)$Ut6^z`a45eb)SPb z`iIN1`$5>&xJ9X2vxrfV`ejl!8v5MuZ+_f739O0lP9|76nH^6&VR>(J2R?tk{TmcWCLs*FZ+Znda zs>SzMo<9g-;W{%7&vVPh#0DK`VldtVYDAq4r6Q}r9l^14L01Dvc=|4GJv;TQ^w4IIA{m(jM1PcNh{IZ(7CRxHCgy{O0wJ*G!l*b<8;fmILE3q{rub5q>k1vdS6j zMtERyue>ru?5J@lmUoSIBgA(-dhy3{1t+WOv;uw=yxP~X(_pHsS86vhV3B!>iNsf_ 
z(;P);J*e=kR}{2cO_T^uv|gSD$ix+|R)Yu$kwG)}k$Z+oIjgj}t9_J!^84XK5y;*v zx0T}HUX4tX2IdbdtvVlNcRb7ndyWD*9VB7db6v>FQqfb>N~B!(r!vc4w|3d)Y+Nlv z)wxSb4_YL6I0EU0H-vdm7Z&YZnr9XcrqtLzuISBB1Rz_`Z>%x>Ia{V!5wYwf2;DF_ zBuczleaGrzTijUM5>%htG-Y+?$)IU9`FcNU5KHylAKF^5Qzzm1-4y$z<0AW(u5shO z+7;7dYEw+MUB@Kocs||ZXQk0wnf89ZB?4VwbLUg5WpTBm$`J6B#q04i%z`scvt8&0 zOT;EBR%@aC;U#~)9nG#R5+_XO`+rBOI53NKw-610 zGN+_hR+pWU<3MC>Njd!unJK}oh3~#Hjf2Y!n0g=h~Jp<=1Y0I@6=-qtI2-p?P$fzCnlMdh}KQ6q?A$KAF2yz^ckf=QpIF zd^oS08QcB-y6~dM_pJC?wPlM5e_xDx)2bT5eSGl6SLLy_fO+MczC1hf>tnN?f`YgY zW5x$;J!#aoh$Np4tqFTzNSh4@3X?Z~PQMi(YNFJ-N|222itzLkq&XMuAh3#pGy`M@ zuI(ZyUKJaCKh9yXR0ATG^>qL_1se{-O!n7_yfIt9ib&FE{b-Ch2C~5`#_VZt@su=c zK#d|T>eniOxew7;Nnb=S51up8Z;gsMFYe7ezb&5|qc&YR!aX?HhQiKFiI2cdtDu`5 zoQEoC<{U)EANE1^Q^*UZq!noDdC`;oTaeGI*Q6JHtV3*? zU*$*L?$RFT2`&a~$=oUUZ~c2ks5H}>Ath_|eLW@T|=Mt8>M@GJXE9BgYiKgR0WH&=+C##aTvlgXT!GY%Oj+J16+q+m)x z1de<2ot`)TaUKUA5>Qs6R}~{d^(zAFcz7a8q#GiBNfKnwWf%y6YJ~)|<|Gxk@byR-NxS`uOwt&if)p z*wHDP_bEs+k4-J_Kg`z&|hECciX(WGrWhweIj0#MI&F4@CLT4~Dc;sT29baGxa{ zp18hngjtelpg~`TWk+Sl+!{7=@?ac}5J`F^iYRa+*TBWh3exCe=eP~g&}0D$uWLx+ z&Cx2=5M4!@R%OK%r5(rI42u7t#d2fBqO!1?nL06ABd@5+3I-1RG;P8*H>k(nza#m@ zp}@Xf$_#}PR)=qjm!KsiveD=Pw1>U01UTW)4?Z7es4YXqW}tQh-*oT;N&TZU#zqg_ zE9F5m-#D2np7`S$b~mp!4Gt}7P?1h5v5mTjlN0?V^HO!(w&tGo)bPVRDT)(0L=ys!TC-Q%V0L#E|I_xb^{?cqhoY{qxRNo}Vg zUuAsd!HY~_y6X5*#=GWmIP%Fa@q)TFIX~QgfnyG)XiUw;cP$xNw^s4DOe#vbH-}w$ ze+tUP`KdVIatQ-XN7MQ8L1J3`!5y~Q0%k(5^^i=;>RFLz_2<~x-rj5ilK@j9 zm2HG>(IgZ-F)(v4`1c&U$oe&C%D4eNEy6mTzM0Ha-XKTN75VhPz?HFuA5;~oV~iHx6AMeVgDdbU_tiSOxv>)G;53F%-g z5X#_*Lujrqshni6_w)u>CCr~IpcaRZjLE73}9@vqEZ>kVlw8_wh{K>Nlc z{({1SoQz}=k={vG>eV1x7^pEoJ1WDPY^5R0U zPqE_qy(ibIwt1b(!kpKWO{d#0Po1^SR!JCXr@{Th93P*P;q|7D7(VAuu^HFKVmkzg zpBUmW^m6ze#-_oU)lqcqh8OD@*{@_sPRS__2UAbY^p%?RwI6}_JGzgv5_6jb+0&*j z2&EfvX9$T`c*F`PiQPXa#vfly=i;Ho(Bn4Em6d{l#QbU&vI5wSVKF1;N{O|tBgf~j zKm%Cw3?(poRUBo5y3C<87ocQl6nuo#tsWu;a2_9CAD`Xz)RTye9wax4_!C4uvndQX zUbpRoYy$U6qz5r~e*~7mrjV9OU_Bs)a{-&GLH&r+PryuUUxgaiW2Wr$g(%ZXrZVnW 
z#)F-?lBCnRxX4sxX09TVs%&j~@U{b?Iaz73i{cV^^ABGFclf!V)_hIS9v>YB6;2Y0 z96q~8`fFHR8g`Jyh^1=j+{Gzh8n>%)tYiAE&~32d#yyYe`Qv zFp!4NeOtsD_S#?gKaxu1H}hE$q}Hl&9OlKQe#+ZO0WsWxRxQ#z1mfWD{HUniFIyEI zpP7oBfE0}4K_g}(jh#)UG($W|FV;pWuv{I8X+^pjMMgV}D*8!u)islPs8l?Vj*4Y7GFa(7Y`aMk2?NPgApVWukG_xz*oA#zganbFT zKic}`Oa3lTIZWS7SO2}Mp4*XmT;Y#^l?;72(%fvd-70CT+55DFx45v;ImNc#I`10s zi4)+t5b?}kDt)?d*4>_*nRl`c&9E}Hv$*H**_5`jd|=8h8JAKzyixYhkh)lC60`D< zxwv1?UbnL9QGNSy;bx^*`XO?0Wi?_YBiz*3jJ(0Pjpu?1|dnnprC@p9bG- z-;7Vy575_<`CLq&_`Uh8~1(ZOhTMuX@|8;y9b6^Ln>V1LZ%$Gl!>*#Sj%L~ z+>`%R?v+T+W$Tsj4)$z{TwMe}DoVwE>m1mHeP|X)xUC^LRU{*< zxWx8ODw-l275Iymji0B{#|GG{JLFL$&oSh8d1&kii-?&)(A4b?(hb=_v z6%N=rpjzWwsppbvL(Yi}5paLbS{L8I6O&+Q{9MEeUMaOeU|y3@*#%m4;wNbLSO5wb zkN`HIgmuWXH%Bq+1k@p$N(Zp1h*zmqJ%Y;=75CBB9-#0l>H4c^4NUpIrfffuHcnS0 zHB*9$gnx4x$2Ptn^SDo5Ridfn{#U4smuEVLo9o&rH)@OL+a0!jLvlL~yRRYjhM_a` zMUoXA$4k@g2E)ZM2ixyklE0$fj-02vGB~ER)pz8n2Uh#z7Y`(4kTS=lBu{=09Rczv zb>}7&a&`z3_18Ydp~u5@IvJ9f(ke4-IOYz9ICmzmOJTXjnR43NT;Qmpxrk5cacTF< z$CK)}>+|YCP1fq?Sai~sB&~hNW?m9qLrLao)O$RK6dd3ZvU;39DO5yh07N3z=%3;l zVP_#e2IzaJnx>-XW^kR<^oD0?7Vl8hw7K=1tjbNqN~JlnWBq#)#hr!jv~-%zxlAJg zt;6}zBPe}8kd-loN$_H=^2r-l&k>O$Rai*qV8c;xYJ+}~#P@AGw%hJ1=0w#Oci9FFc zjF&ynw(ShGgq{EJKDPojp|&t2M3#Fj9Sj$X5dvG zD%fKgoH4-Lo(D-^`Ys&r&MkJhZ$z)ynr9|Mt30uv)1^PFwQs|J7(uMtxzpXlJVm@y zeE5IHFJM13W=geBr!HeLBs60+V{wK)^7QP#$H3|(w;_aPr|LoDM{Yp7@Iu?s;|yex zA*__j$pe^lxT?ds>NsCy*UCQZx`QMz(~6ka^e?3qIFQ*tIUtgA`?C9pM}X5s!h8Fk zNB*EUlaz(gme0xTGP}33C1d~QjzMPzRAFZcF1v@8w-wjo3I`f$QknBEIXO0zhsD^T zq)F@`wA&hzBtP91z?sTyqp6)j&dY-0-ho8>_~H$7AR{UB*NEfSSo3)rPA%E_ew0|Amt={3TnYXFJz^RwMAvCdhbMoi^`tgQ-AYHZFIZ{2n}9Kw#AaFDep0|Y0cR^F7dD*Q~qaCh)33`$v5q$y*v;Tvm|keBcr zWjVl$Kp<~8ooi$=-nv}f+hRaW*3ofDbaNZ(O6kh}IE?kkX7KCYY#(r~$TBhm0X?q> zAtlqvwQU;7wRHjdu~qr#t6~Ry^W#sMk#bQsPA&FRc_aA>H)_;OU@*pH{(B9WkBHG{ zL>jIcT#ZiS<62XeRR;V~c}&K!Hr~_FLK=*n#g6wy=ZtR8AUd=a3IC4vrl#}eSa`;zy~LBC`$<`llbZqhHE1p~C-eeOk(~Xc3w$d_`*OS5TXVa!!~T9N z;w$PKW1HTso#wXlSK^mlq(euCy?g^eZ@?}}cg!w!yLZRysZGifiUXA*95@0_$b=Rx 
z5~%Tdlh#Bc*Uo_kQgUfblgB>wo6hK6Zj zhC=*^DI}1-IgFAsYZFXE9R35lg+TTT2?Z5(g?Vw3XtBRKvN3wUlOZ|qIy%j2j+yJQ z!3P;^NE%pI4zyCB3a>G%eZ4(l=E|cq5XPD4TuXZAzTIl;zLmDqeb3FtrCQ52ugCZ3 zjP_W1Mmn^g*fUb9b<6u{Fd6f8&zny4x5{0smYQ?PQxtV0+%bco;+x0j) zfMPx|r>_TIvYce$27a_A`EEadY+03{XU$$}NXKNxG6u`hB$QTeNZ^zO#|qx%XW}eg zcFodn>j^j$#R4{|b{#(>$DZArh!I|y@k({ELB*qi9;vkA$TrOhItwSO;oU#eO5`s< zDc%)(=9VfbqGIorT;?JC~Pud@+!EXbDpzjL@waf6jrdlL+KR) z>S8LMie0wC4L9gi!A8R1Xha*i`68#&4>LGexQkizC)jwZhFh@Jh&iNq(oMba7^zGS z@oVjx`x=^xcuT8<&;Ib3iu_7}LJTKq3QrgfC+$>qAZJk_QezOd!KNNCNfIYfnck)( zZqlZvpGacuTT|_>d!KgfZtyM4eB}xhihLRU_@hW zr-+FTW`IZ7ZnDIc=V)nKbG^v%XYgkerJ+R~>P|?Y8rS<0x;-GRj;ycZmSv+wgRajf zk^@nV*9TWGlhnEzus!>_rANQo_}KY3r`6V4;whMSMbC9Xg|Z&hsrZ4R)b6wjO0SM$ zzVUE(gP<0iardgHvAwa|V@c=OGGoFpS-Z$_-=jsOyke%NJo7@0!|kfFT%h)HIj2#V z+3{&uiV(}T=Jou_wXFJalRL}T3u+TE=|9wh%R&QTJ+^|4GN8-Y6+l}LdOCyFqSDl#s+vi-2GxfP?{9!d;&37YM4LqKm)a zY*oH)b4NIH%jTcPTKM&r0E=camasz0d)K}kS5YtAAtWQ81baJ$+LsKUt{xTXsphBv zwx28OT{b=RBa1}H4BvVY0{^)^bKTze$1i9~sC+6w?NEhLXcqws`Y?i4PniE+yn^B^ zPKorhL_>IVR2dTs9Gsdl3(X)DbLl8ner5P}c%%Wv++bRD3LYe$2ITjuG44y}C>~j^ zMg-Mro%&cQQtv(*Xp$web z$YL(|eVHpkD@zur#=xcq2U{IG@TEY;A@EPPO}m#JF!vUD$e5w86aqv?gbZ{_N$N2g z(ZNNbjYtk}X4QiTiDr--Nq^2U1=8n~@e=#K5Beec-(E%bQWSX2Yn7s3IP^7hyMxAS z*I2CcvH}%!k4tk^vl-w8<87O^m_|Ab_VgK%Avz=4nUQtOnCgJYI;K=bHAKYBk)iJa zGi&Dg$e)0>RxCnPhwqR@#th~7sz3AS!sy!IT$q1J_qAz$k<TnfeCJ_}}hD0YV!i+Y;0`2#bS}Ap?eKv=nwR&#Q zT=ugR2^7B8Te{AjrwO{UBG^LXxlCN|P|u(f>790Rz5h8i`i7Bx_&HT3nIHSBp83-R zbXnsaw&TK-LS=vpBm>o@0uIjWd`&9cLd2|u>66`Rr4zQ=F`T^WC4r~rL>wGrhPrGb zwe&pF&-?FtTE#I3f6~_xM6%D&2kmLVgeHmFvCLnbzM0-m4*UG^PA0&4@s*Q$D293) zCUrLvyx5Q_I`S-}+c7D=)QcYKIxz78NO#XCH>DEz4>91Qo8YkUOe3*uZ*)Vmg7S z5Zi}LBB0{{&3ng?N4$;GAKt?GE2425#gy>Lv_dQ9qVOV)ngRPp95<1Gh)uWyPqep-Xk4ay&vld?+~#@;SBI%kL@H&ND2f`yMqt zeeG^rj*$SsJwlk(9VME*u6u6!7@hEr2aiPDS$KLFu@k?{IuyQ|c1E@iZiWMcv5<$8)DyG@cb4Ev-hrQG*S$d|(guwKyLQ9OMO2J?18gvFy z{%V?A4*#+#8HU~qU=&Yyp~}O7>8bS$LOtw`6U>%G+n1GVtEmj4_<5ZW5P_npiT2gM 
z9uQdGRKQ)_I5jysxpBEcu%5lDTiv$Vv?ZwQ9nGg)&+k(3*Y$;9MR%urw)^CB_4}4^ zf!q*6M>nC9b6c6^i+)MH15#<|meFt!OWE(N0HV@y(sF3zM>>~o*fT&3!M*Af;5nmR zVqUA<%8ar5WUL#uyQ90Lq1fOi!jpR;NnW*uaYB%Vc0Y2YEzB*>FXJLjZ3d>q?bBif z->-uQ$K6&axcB) zYha*eV{VG%x+N7lTq|qIQgFPQ(!42G?Or*;XC1kVP6<7 zCWd@#RLhih99#4|_+In(wS0!2q8z){%lV8>8D{B6>EJ_!0B*79Uyn{GMb(MoekG%8ZqlI5-w-TQpLexmTtppI`*+4@+hmpx~em%!I2%#MD^V~n7LoFg= z&_j8J8SQ_-2;M~Xk!Oy8M9lr!o2J#y7NL(AGoC;*RG>(vUFhv0$C3hRhLbVFFitVy zFl{zNFb#_O#13%O7LnVK4%4!k zqiB@FG?l|5uqJ&J)XKk%CA(NJN+in=e@8_wC?o&AuGDqMklQW#kRR8;70!#RqGw}y z88K+601D{aasx9;eiJ{|gZMiOBzw@q zHlq#7T4U=@{Y}3t*hSvNW)kT-85TCZ><-CPVSel#(+wR^=X+KSqWlSQnbCZ5kGnom z+}6*=%=8sAlqF28G>D2^fWDKiz}{tY(H#-f(ZgY9I(vEj{7iV{=RUF?qCTtlxW9oh z(^JA}QJ&Y;;mS@~VLGY3<32qO54q2QdwDOP0C=Z#i!}w=aovhU43&0E=U!q>3-=2m zP<>b4cf7g8<)R6aIsf9mEuIQlQbp}3v{Q*_Djqoc5odXgDB6S~a4ycne_6$ls?>MF zyOw|wS&-J~w8(vQko5_)&v2g4Y}`lSozQzA1m*vHUTTJ?Fwf!O=H|cl|@;KUYwT@!=);QZg@S(O5y;04(n3pyx*yOl36nwgu zoIRJkQ1CSCH}SzJ3|3MIPl>VgzE39E;}A4B+dh(uJUDEa*@wqQIn^+gPI2cWB8L%; zW+AZbQ+S+z?kW}JF`Jb+o0*xu&%;wzAZ?Lgq9yG(?iiNFXiU#W@ns3x9n)821?T@G z=wK0n00rRB_+t-~=m1uF6cgah$TX*`pWoF><`XdX6lht3R4S8eunXwj9Zu~PQs6De zGLp6n6Pk`?h7tbPkBuPj8GQzgQPC+&mU3hH8{uB8Xa(w&Xou5P`KZV?vdkZpHc@kM z1%~K9$JK}ny&)8^K_gK6KdEVDw8W~6RJYGkO9nrwhxKaJy_Y0!1g$YvMTb?|2=B@z zlglS(7%rI})Yt=s#b2~njGCF%`(fU?Xn>i*WutFv1{&>!k7bS-T6r|)C2L$#z>S8A zqRFe?_feTmm0FwK9&fV{=OzG10uCSL7Q|-y!2DGa2en*6BwtVsdcWMLfgwZf5b+0v z*j4g;?RsiB?=xS1ohXY#7T1%Sm4RZZpol0IPc`&5sQ+WQ%HqJN0V-Vs>6j*9HedDKw?Z^zbAzu1ovAwEJ~{$R8JPp(?;l>61bec ze>e;gGMK~==2L1@(?rR-i({KZ|HHq&Mr@IuDyl*FeMdB$pn&hfgdW#cBThjJD@lrl zc*t-ftQ>#umpEyNImXAI2x6)0fq25eJpeW|-U(aB66@}WShN7e7G_dSzZjK_%;--f zLWnwAy60aaUH!L?XO*yYN_wK+2#aG%HA~c&NLJQi4)U^%m`w^t1{ay5ZRyH?O#k#a z)t=QW(LUZ=QJ(<9orA4_WGN@pE%7*EsXw$nlZ$Ix0zdg}o|1RmTy#WGtEla)Cwo)} zKaL={{VV8P<*2$TzKCS5DpMs}-L*@1*pW??ZA0;W@a{5;X>(Mnc;mw5sCEWS1YON} zLnrGdVeTPQz}{$9AeSLmRJU>Ppt~^|Q+T9woZ&ao^Sj}!=`l-D3~#V@JW!~h?*#kBYltpvviOefBFL;D&&-N%8yj4diQ9il=q#7 zj%4?H)b)ALYnm(Rv=gXL15Iuy`@j^;-rUIHUE~$4b-7U+#uIq-M 
zxp*lV)Jwb0rI>t7%9#$&Gq5)^J7584wlQgzFGX? zc-T>rRa6X=Q1$Wx95E z;8K54Hyd`+O@a#v9>_y(cXIo>rfwW38(m-X!rNY0=_6BIWHU;f_h>{NZV58+j4tu* z&ylZ_SuMz7PxZx4H9g zVdp=2q5m&Jm&E@Rx@45U9iDIA>pyKG7><7(|G(p0-!9g_ysrNzoa>tv`VX9oNb5gg zE+!_Je*;?oU|Ij5TmJxB|A1WojQ@>o{eyV@3+MXh^>5GUAH3_|7}vkH`3K(mU&s2N zVAuZ~{~PW4XFnaH|AKP;>jeIN&HjyYv3}b~|7Vn|&vN4jQplBO1b=a8ZqsrK3Q}Mk z(lxP7*#=~so0zD4O%NU7`{RdcLhLQ<)dU)1eY?S=Mf`-b zPJU}a=CHOkP3mx~ZybN*u`h#U1Y*ks&9M&w#Y%Iq(;=cH!(T@yH#rNQaZH~_8;Sa; zmxD`Re!}yyU7neqLpl$a?h~F=<3Ft}zMtzkL&>V1J#v+?e=oAj{dj%1O&vDFBBtJw z_mU1+o)l69ath76uGUvps^c<0wP1F?BYwTDt2lHjZhY0;M6^_hZo0RrA>#b=Tfw1Q zRW<{_@X)N{+;@~C;Ke&@I`=@IOIu+h_{BSS1ZW6^KsX|h$*h~#!BB8Cs{DgQLqNsN z(aPXQtvV4s$NV!x3hq^bx#25tMGn~Ro2Et;ip(oU!BG!Vr$#MKtirUJ`ZTZbkQQq# z#ddKfQ(Y_f%JXV)z_r<}msbevmx#<^S|RRitXZr3ysda)R`k20yW8ojaV#IG7;J$F z(Hxfa2RRLiK7Bp1;InpT(jr$(3^uK2ZBShLhv{;@f<4k7fF=l)+g3vV_g?vrV*d9V z|DVnBpY{G9_5WWiuK)WUu{JRKX1M-i<9`?~m~V#b+oYpsW#as1xY#(p87@}t|6ds{ zw*SU(F@4wS{|m$Q58C(N8Lt1z`2CyVVrAj}M*#a@_0Ph>@!fj=#|}8}@^Hr+TH@4P z+G5>mc#2}nF#S76rzzUOR!;_7VI!eShCAk-Xbmg14G$u9iy}>gQBkLUj^ql(0o;JS z7vIUmkwNqWB>Z=SFiNd(CK!lp<{u!ES z&}4`8MR|5|8j}z}xkls{g>=Oq(G}ggn{sKc8`9R6hiX0McwJ|p-88j(ZT2~V7yAD3 zWPY{E@dH9_*p^Z|{iR<#B45@!5;hsweRPUYH+daMzW*FxPotG-lxGy z(ma}3mSlG?J&rR8K+rdSyK?cKttF!O0rKfz#)5iSmVmPZxdhu!()!3RP;LZLBy46D zZ+Ir3>)3&lVX>E;3p?9t`2~Aa@^sz=J$VNJdDOu(t?q%}2*2>HI27`Tn6?1@;YYm1 z0tMd^JNC?H|6attQuO=VK@Ah$mw;d9ftlpR3}YD=|56~-xZm$pDstlb48PbyeXji5 zo^8TtwR6w3FXZ{1y&W>zrtj&4`Z;>(_1nACV8AZ^9-?d^-lkoXT3i|K^9D0(L2Ybb zraw14Y23p*sxj>(0>Fm}q^=L4FR8z=4$GIZ2lHd|_btb25z}7-*Ip>VS_!frcf$+i z%Y-fWTj>+3D>9UVY>2iARG@jJYC&GK)9R`k-F zh^R=F4p%a~x#g4f4_mt-Tj|p#z^fIr(~99yH95$wwv)gNdm7)+JNu{;{H^wHz7>7d z@n?8*J5Y?M-V_5gEP}gk;JfKPrCKqAn7-=+(N$gp*9N37_DLgP&!+DbUNS*2eXWKb z)hcuMY`y3*)t9BWu7C)9y&yPIh_H$$+)C8y=tG^NL!G7_ebc&%$73)S21gx%rSTdf zz0h58j&mw$bZOM6-Wsg%l#rNf%tTtUd`)4kwyJkkg9=$HtNfVM7nu2&ENl{lZos0{ zfxNi}f0pyYWf|wq#2iro{lI%K-JW1-Q& zIPkU@2eUb0>}HS!gaIoD%0C0IeF8bE9P!)mYI5qY7Fe>hBlF5w*}N4PhtU|b%D`JX 
zKin|no4O4wgVSLrcI`JCjUKz#7-xLFnrp2eU)QwE?h@zs3*N*~OwiLaaE&heknLoL z$Tk+oHU;jjvCnmwMhx6h0(D>(fEoxy|2*~~ILwedY77cUt?Q@soyhNLB(?OJp3+4R zT?Nirbnjm~=t&$ihnR_;(QFh?0~2ULG{A<4ZO!Dqvua*O+2vs51p54pwEI1Edlh2P z<$d%Mn}DA0`y?2%YlW}bd+C0k{+^3(c@gRDh*bZm6=w2bdeaB1TyzCv?CikRKyKZ=5`l=OWK+o9y<4ln-nWPv1NKRsR%I_yi8>5q2b3y+od`PTmnQ zv$)yGrh1wcpL1+{{Ubhy(fA5Polp1FMJhsx{8km8e_?-#M|~FDU_>^|DV_;sM zRZXlAbEqR^i1&BwJRHL;|428;%ov6<7OhTErZRxd1}{8mV9cn?J3v&tV_DmrEFYfb z2Z`qKJ6XQVx|m_QRS`$k9Y#V$+r0Pz&tkqH5-;|v+Q*&spM#u5j$8YaCq{j5SmbyA zX`D6O*Rk&yWYWBr$aywbs{8%XyS$YGi*|c5HqE4zxNAp+^a4oX0l)#;t>eACx!zp* zYy&dAiyT;)`kBtdP#z>{r0~-S5&^W1+C9i$h&B*X-LQk{eCoWl2QT3TBZ~;*CW7d) zVR;>6BIU@FbhfM}Kf6-CbWx!lo zw-!`@61tT*zNgi;?6F`zJ}0SpEGH!+*;qVuBc;e5zMQo9y&?xN&&z`>>CjS0owgHS zyia#Vp*KFa>Hv_}^jx?QIMQ`mxX8+CWM^*=Y-CVV%$Xh#k8;8+agMhj*jwNHV_`2{ zw<2rzs;9oCY3!!77nySm%jlim+qlSIb;l!`ASZ|qSWYXSec#`|ZYegMR7!EhJ9=$< zn34%?6F72q#Vb~G`j|?sb@y~pIu5obOZ_X%p*Vw=Vk03Rb!G-wFKclWn+so z9X!O+C23YC?O&kQByH6w4fN=%s>bUS7Y&(YTW<{%C2i8osAfvBSgc~oidw}Y zIKhS&nb$?4o`pY525Ts}H;0L&zPuuFFE zGH(6p2Va@~_>~XQ-gDeStHxFn!R98GuGZ&VV!PG3oQR`cO*KI4H-VCbMtG&$ZAkCr zrCQ{RtFe@%iEW`6;??N*MehMFbs5eEpNKwn#~Y$nT9Gd5xtM(>|0cI zfw^wE`PyS{MO#rB-}KO`dfC&oG@d|cX46#Ptf`?DTM=tz)1=E1-Q4U3CuOW@Mv4*F z_V&#KZRBrYUS=L8ycL^!89T1t!S5gk{CQ^~=TSNuZA=0WvB}vh8&c9h;h>hPCt2r+ zKX@5FsJ(*naU_utZRBT(CJQU^&{+uXfyd>r4qB^qSSSWNkIqo1;alz8^{6U4b;5Kj zJX3m@qHgLaORP5$9!6;L)G*et*7&UF?|&VAU44Cj@Cs@c|6bnLV-q`zWD&-GzL7Yoj5YY4jLzb(=M?-L>f z%7}|5oF>HHi0l0KrRp6a8}X*d8+2!wao>fgKy!B%OU&63A-zUaQ- z)#w%Vb-^<$pK+n$)zzn^TTZZar);N+^L+6Nt<6>`$6|JHf?`P7R8i)FLPxw1tY8CZ z;K+P|B8MjOwfNgUK-+68juWzksXP5EZ7s>>Dm_I``-4zv_I8L2mI6cxniWx0tQ+#p zjHxH|1v2V~t^Wr-K+NE=0jnFpX!}@cW#}{;j)RDbs8`oRr=gG-veCe^KdqJNkij_J z`k+M1Cr)Tl$|lhQb>5=y3x8(@_zIl6LH7<;(&WAJ(h&u_!}=X8CwTv44O&<{YE#%Xo{C#$Vywa#4RUcm zcXxeE#~8vR>ov007-yfSp6E7?8A>XZhHQ53%53ZpHrGV0U>XDScSn{qJhGnLs_Q9YE$1sN zguwF`3Xi1r)05|$8^QS0A7qt3WmXckX7`a<#*?q3+qZrZJ2)b@0q%(&{vPP0i%fX9 z@Y#8zsw6{bf_jboW9oBtB;YvGxT 
znhgJBm*Ey>olAHk4wC-5?Ol|Z%6d`ddj%G$wgdsm$f(?G>=X0V7ui>Fu)FVw&+iSM zZu9rC8^K&gl(2jp7R-da2V>S3oEHSu2bEi#7u=6bR-)sL{=e-NE+r#ZgPX%+Z1-L8 zZO3_+T6L17WYNc|SVdVhSR(LU0NtM}v-tM}>BU#`ZruEs!*gF|0z+SMUsdu|3(+fi z6qx&;z~qsmnw7nrOdD>7opK2)V;PGQ`;AznujJ!?<1$C-*L>q$Q(ZGVgI7q?XSM{q z%#Sy#$NR!@YV5$5JWLsKMi`%xIw!)wT~W5VJz_I%j*#xOjCaTaV{(VbcUkZB?>g^@ z&xEj`{kpp=?HcU_Te@{-=i_xbQ7th$VQoO%A-;$4B#I&wz`m-W=?r3Duh(#KR--P) zVVl72ZHea)#5ojGC6Q?q?63>9ebx<8yC9G98CAUp=kSE^S9}QRNtqvLC)X&zF1qZQC=|+W7O+%uP0l-ie?s`%y9}o6W>vt zIn0JFi@0F3z-;%Z2#W=eqYD!s;)l5@ZH{G~V4pGXN1n-^+l&rM4lKtPSbC>lcCgw| zc>gdkAaYe*`}^J;hwA_O6k7Bew-5#WP%n79x114X;{Tv^syDh) z8kof{c?+K6m@x}Cxd{L6MVp;m2%8r=n)Uj-Jtv;yjN+I4Fabo;SBiE7>+zGhAY{Uk z9Y_N|30mF?43m?fBp(|`VyU|=g;o@6>)KVxrd^(T*gIgl?~0z%>?sA>Kk+G@Mslza6-YIBw_zvWK-Ngl{JkI~VZm&N3zn9czQpnBtsdpXO4S{+_lRU`3n(xmM5m)0rBmdj?|C2*-CWDQ{ra z>rpk}#9i9?kQ>QiwYjtM1JMT*ZH>r1>#q>8%>XNy?IXhV$CE!xJLdg@?R8jepr#ju z^0co#hQ&9c2c~<19&P81pE>*_)Ym2A3#EB3cJMvz^^^34*xp|`;LM%crW_H{$pZ3u z6myxA!R3Uzf2!)ajo6-G)M{~^I#ZeGz?ih_P`3d%DtsKYucu2ajg^l_+}6)0?B)M5 z5c1XK!-zfzNtXX+oetgkZPi>;1{gLfF&f6q<9>C?{&DD2Sj0=)t}5Kyq9!It<8A;1 zlk$h1yeR&1lN4IKuQ`&SuGB_M=uS`)nO^#$FG(LO(;byCDau~N#H5}=CU$3`EJdC-AS9(G#_uz7K+F}wTgADCHkYNew3GIBWd}x8N-3c}Rf0lhhz2Z6NBEp{7NTTB-TfUoyAl(w=`i#c2k7r_ct2N`llS2{X`vPjo=~cu1~GB4uLPYW`-2SA_@^ z*W>WI6NbV7V()G=Rs45~B4<`cK=4gfQ;`;|u6tPMC4uzmLueM19G@nmwk+U6DVtZm z%H%!Y*=UQn_0Te~oXQ!Pnad}!loESTJ|&+fg}wiJ>r+;{eD38D@2kxhgI>YI%fwPG zgtmuz&hP)8AdSGo=9zT6#uxUP>QzrWl#3;7TS`s$)uIfkPgzFC1eS__%**>uc#WO9 z5-;mEDEFXX-(F9%lyVkToIs7YFEm0gwrY(54BU0#?(UB^?m~5$T-Hk3rM0x~GgUJu zYaO{o*(X_@XD@T(iD-@(1S6?L9;(wt8f&0o0A<8>vGq%6`tBGc#|hD^%#t)-!)#hv zI;2U56&Qmv95iuhOmO0@;3yJnsmEimP@lcvfDKBdwfqw+I(4!-1@bz~2#Xp)%n{_BOv(N!5S;mjQ71-#=rkQ1o~-%~ zYc*w}j?h8mWO0M2a3UK=Shg=!geEfsUjS!f1Pc~-?4LqVzh)!HH1=co5}lZU8V&vd zH`;yxegU+vzyY=zZW>#-JAz#uX&L4&2EK<&HFu~b(!3Hmn868=M6bfi%1)Lm!k~k# zaO8i=geop%Vt7xhd`O<0!PHt4S_nz_8%nK7d?mQ{LU1~g+0h#-$?Ph?vj&^t)MdU@ zZ)bufYgu~OMdT2GxQ;#4ogzx-#*VDgpd-en%J;u~|qBwkzG8N;ftOo!f!^t)z5tmDN2dHPXX2NITlc 
zUpsIWoSvb1C`&rgs4pb~W3BF46=7Hbah=+{YAb`*TT*0RM~e7{h9W~LiY~^cBQvUx zr}Xhz%)wt@BGR*pks)YL=~<<}?7N%DP==oS_ zCB*^hXy}y{7GtwmQQt(&L@~r@dy~OC5czP7-qPOj#fF)`G?mqQ$r2wXwwMs2ucdwt zF3gnzAuTYcVTxcBnB}_f6B#A~Gn0FoR5DlCKyq~pNd)eo@O#MXzE2zi8ULKWolHlW zCb+Yaw+;S_U@Tm%=9=MeM!wIGX5j;5CE~LY$HCZP%;*NL2VgV59`{8A^n5O)pH9&B z*`V$NNQH(SbdQbDNXo(;1c!W9$VCmfpAm@yP9TJPOCIIC#E<)vTyO^-t!8$c)QX#~ zx%3$KHh-nis(V&{v-r3)OZtt04WM|fI54D@n(De)xaPwUUsUo4-gpL4FBG{7&Pg;ieW8zw?p{MG(mLPfa4y_9%L z6Qzl=^3Je5Y>&aBeu11-_|dbfj(m<~8fEi#<=9?&ANc`h;0o3!HLsKFbid}}4eoC5 zF)weRL=*&@Y8(|>lA4?b<$Bw z?GATsc^U1Z{l4e0HfD#zY$Be9%2In}X(c+9m8=Hykr$8Tiuy=yJXuv;S>bYK>#tnX zZxBUO%#mGQ*IGSo&5p6XMY%iLvn+;eLtSP0^bO0_3^TB68UK)fPPZ1T8YRDBJs;_j zz!B(2bUO4+KVq@uq^V7H7;;EljdNorO+|~c-95#@KQ{`oiTh!S!8j0pcan}YBKBpIBeqX>B^zr(vxGiRid%SKhrwQtwOUk0P1$9lynN{4wAJVo>&mVrvaRL%&CivXt0p2db&NkJtsT@@u(hdGZ#lJb#aK>kn(+NcKHoM_6XaqsE>M0o z_uIP)m0$>?FT&{eV)Q|Jw>J9gMUSc0?eSk!)+$tUqL2%Lq~A2dSNe|tk3L*t~qDAPRZC3^{38t z_18C?>mSxLO6j>B2Kut$Z39QT`a2UR*{0Xl%u!p*$(bw%uJzvTMS7>Tew(bj_BHEk zKnwi?ke0ArKoY*^EEYK!o_kwBfU_1)%Jj+w$xr*iUp>8I7vvd3d^b& zBh?vvfqO|#3|CZFPvZA3J9`2QoAU6LD|f|X-nSpz^IloYG_MT(jmo2ggp=$mKZCIGh25KaADK2|;;n{qtQGY9q}S)yAtfT4<(D z5u2a#2A!S?W|M^oW{aRVTd+!g)gemRq9{qcAnMJy^S4mT^YkI$b`#yDT69!zko0;< zCz#E`^K=&GU!tp3lfhu)=`MaB&+%#cFV#aEwB@qVZtRQ`Hr}RJMJjr&Us{v?dWN04 z>aig3{!wP9KtpY*T#x6Jd~TrLUTbIAw{}}eLbz6bjd^W08}`mX7wzgF@EtTmRnnqQ zOK#QJD;g~pfprUW-GG^{tV~p(0Gn-R#2&GSle7{J2gci7LLb^_*J_S&Q^Fq3Fr9yyyy{h zh~2ecQNmeA0L30YOU3-t4+!@`IE>@`2%SQFbjHC!aW}vsP5-GH)d*E1-4QP0O4H8{ z$=vQR4YNvAgQCj2Wlr|y9>JCSM;iJ$*#+bycd?mdlYHtV03Lpv1E(-Kr+|wXgm05d z5;{yRVSx;gtCj&ezzrzZ)9bnG6+NJx0XbkCtgdRhTv+c|8SK;b1$14Vw97ZlD`_cw zu$Sk<77uu*13>s;4pAe$VW3)u`OzH1{!|Q$0>cJ+{g;kO?Et_=0RE@^mW#*Mc2dKG zH!Zqx?uIQ_uP=$@NkY59K|4OZxIdgL#wYRrnKfxN3Oo*MCu0 zEOIu$J*Zb*3ff3e?&jvRwHpQ(3D(R(LqRSWApW4A1VS|E=dxeoKOk-x5yr@Wpt>c_ zALMP4--Q>C`k=$WQ7YLuiIg%>>NN_eUjB? 
zv&hDvA=Dn$J8fBVjy=cc^LqmNFjH`gC7H9otfNYE6D68EQjm#O;+g22U?$qFMUOZ& zN4;0hsW!5`Y*l7A3*EBG7RJMzc259JSopV|H`e-`*GSY)uZ`nV8?222tO z1cQEq)#x+0{BEC1;zXb1v}gOAR|RddA_x8cT)UiY@3T`TNwucAH&r_q%;vaYD6oe> zwSY}rnjTcml5FFhE|(-3BtNv?Rf7#>xII?Yp61H-w*_f1&3&R;71i2qJ#FQ!PbilU zF^aIun*+kjlf%H4;b?{oV4ndXpR3<;o(tLn0fQ|>)8Z-B+#3o3d5P|9UOS5S_qq%cK({jCu3)R502Tq> zW*{6E_0DYVTn5oHiB{6gA+3>rCXRpV+&`A)PF_B?V1c)C3Vkm^->L1IckZLPwfR^6 z@e}&SFWd4$rD7~*^OSu{So-;Wx6IYWVnRu{Xc@I|(R06LxEr*Gj$t1c@K2M5e>zP* zQ{ZO#Zuu9oZnL~Odz*Y;*8R>meQySSE=wM}BRde}MJL^sb4!rRm-Hdr0OX1xpCue| zhrOYEtJT7J^YI3TBl)aS5B{lmFED>RA|GYn#0vw?L65}ziz1{n1T z%)^Ymww94TAVd8*L7P*KWygay|3aGMgcY!d7E)i9cOlbdWJ`73bvTK!T>ZXbOE@iY zpd~|T@h@=9Aeew?paGW_&yDmFZ(95W4%O%=!qyJOnZcS>CMzp&H^7LfNF*6n1cwva zpy50ap2RK_&{dJjg;AG3Z%!qb54Eg|UU}w~u}#0(y6{6?*n>qeF-P6E2RrFD9z2+N*=_Q;uFDIXqJ+hZms@3Z5 z>Z_zaPoMXy!kwO--jpZhH5Hd`Hf=NUp6ZgE_UgXs+k|I@6V-y5zu7ce&CisAA)n_T zxsH&}9gbA_pa!Gc&-o~nr}pD;Z&e%1A1HErJh}S(BHo&xYoLix(99MqsI5y-&(xX29;dc=D9*(pcvNM!=5d*& z$7dy1VsC;eO0eZT_bFI0EG{-AX1E^b3eFVlkb3!(GuVo!&YYT9<0>T~%2F&puOP25 zkJp>y(U>i4pG=jIY!?&8Vq%HFk`?P@V#w1MQ&Y@Ztm&;L5^UF_@j-CYQt1db~ z2Ks%fvAn#9<8q5!?i{SPYUp*lbBn6@B0WIhKyMMBYX$o;(wl3@oIMR}?`m|wdCDs* z!Z;0uZDfbWeAuf%T_?j%#=SZ1dVNI60}F@k&8V^renmjsqg(l)P@9{=|NRu-NyHNcvddX&EKVE9CsFAKMayTklw_*j_h z`7K}o>(0OcfY1*J$ZU0N?*_J7*xAhXjbz(ptj)n*I~M{m$aotZq#AFNsKAblfvvf) zCo{WpV)C=yY{I##&OKi?Kkl&@Lq%m}Tyy!nxYuG-5@oSitX#R8?_Cr2Iy{>H>|L54 zc$4kItFQ~rkdgdUo5%8d9Z!l+8K07cuhA{yHhPOFG)k6y!aMWz22VZHKZiI%<`uq- zS9u*jE5MLoPD4@&r~xiuuV*^zoXrq2aE4j_l^F!b(AgZhKk;b>ubtL-AhojeLdR$*pOs%A*ouCdOz(9DZ-r>I147`qypt{;xw@Y|RFb?D0NcU-am<E*Db2ga(1QNn~?(n3P~D zzEzhjE!pJR=-cSOCcm%bZojz2^IY^u{%?H0@&7ui_vXnZ`SIFVZQkVkvXaGl>+v;3om5mqepEZDXs*qwom5sW(y9Tw_2J@@H2vECFgvdj7c)ry>Uq^Qhw1Of`Qnf8 zA{3lcof>rG=mH+;0-CFJ;0T*I!=eRlzbBR-FL1{zY19uZ&s$hYV?ONbFV3)8^S7vS zFgF~EOcrv3%4Dn}Sac1;kpx3;q#pz~Lvab;a3BKob+9)Oker2S@oyu&&TMTfIXRsK zrWspFI=_`J(A9Qqo65>BZz^`sRbT?MnK&xX#n2o`Y$ijXkNM+ss?I%MxiFUP!;we- 
zcIc-&fAfR#fvL$$0&DM`dE@-bcJAwAn+8Kgu~ts_@Ie#|<-qHVU?IR-P>}hSEA`gLwYXoIpj_o~ZYawEMhdSl)L(LMAr?(yip;+Kox zDf?^jc(DaK;WUSHq_d%R!7&B8Vf8YJvxRd>EZ;|fFsW7_>MBWtMM;|nNrOcx*X7h;(Wyl`HCS{$ zoa{MFy%|~27l0^t4S*d^Xz!7fX5bKx28R>0@F{R{j@qt)(gY-?^v#=ifn!= zVG_l&Bfb6#jcW7z0KbQN{an7;#?FV4URwr~D>P~?b5H}-g~L<>+y5O{i;VE56%&9B zxYn(OZhNv)u>@s*e0EX;a3`bb=wIGBy5rHk)YCn*{_I6re#5J;@4BIG1$Q+Vys^z+ z1@nfdHeH*JkA3~-4l{Qbee(LPyRvXT503v%(BWjM;qKSY6|dv&BD@)D<4ky4TF55_ zxP=UVRo7JK@IGOgXPI|d&N81~XVFw`x;z?HCWGcuq z`3fQ?rEYRTS>1qRAZvT{KJmWN`^%mz9nF8G@QuW1-RZjQi=`SL-c<=)D=V?^U*G1)i(5o6pQXMT5v-0DnB10u9urY+51xqYL&{%A)BqnoFB2NZ- zw^<7cV-BErsZ`H)Plj04@OkDu$3DU?>T2vz4J%BmEo{+DaHk3UvC^tYos>>n-QF@?bE#yoL`L%0blr?LcoipN&)DuOq$L=ZRX4s)Zym z^T)^od!&SeEYZm*s34~yeobf$>7ueIiE#L7;3ooD1sK7LJIX2!uJZO$w*EQ8f#E z4pH6K28RvgaywpD5lEWLS92tThI0)XdNpV`*O2RWg%UxA;;pO%3Ch7`!QDY2cm$sm zaE*VWni#F?(r~d0weMF}b}F3Fat16QjaaB>N=BhU+k*a?w{ zr@YVPyr4UzKP-YlenS70__Xs0m+nDvr){U>0oTs3Zk= ziMl0Xr?kX)skPIoQ^W1}YRw|uJiPxIt`cgT)5$EWE~YOK^QC-ezDoyUDqIE@to8x(4l=TeFP|8S3NNtn4 z@6L=R3&!$dV?v(noi&9kytJkS?-;73bY9b8H!w5Ne&Zria-)#1{@x>KG7KWwTvsD91W;=;5W-x_20qRU@(ePd(b4Zl3 zNqjFcD!);hILa=dwHqNdjw*OmfpV-2D;w15;xXa@iqS9daIy>=ZT=g*(6h$>@*ImY zo8vLS7HWMjkr-vZqZ92NWoHuGSzF{deN2Bye^C5$NYKR_EnU@0d=tM}xS8K3JkIZx z#2F&3ld|(HQ?r8EO&+(I2tF6VcD&G&@{n$)j_cM9>h|e)-N$BpWW^ITn`KM8rO&d{ zA`HSxS#UijTNFzfyrY(57SRHP_FR3^(j9xXH6zqvvYa`Pt^y9vbq!=r&w&QJyH>la z)DFjdufm(exWWe&nq&0%iPvK?`z3@zLRg_*lMj-0y$=^pm`8eEd; z=hnULdluRhkH64Lvx+OPs9o~yZ?8-y^SMtC|LrGd?jEeG;}1SGGe?f}oy$M>+ltB` zyqtQ`mkn$<9dOpd?;~L@mqFQxB+v|`sS20#6~U%jw(k}$*s zKR=L_%`JfEtwRn6JmvW64y0bMCAu13J4G2V9c6a{!wyZZx}mVRibU87yDf`!oIh*6 zFb^1QzS!aG@QZ77n{|U^FnqxGx^hf8LH?jKOu{>s3q1?`%Oc&LZvSS_fPctwN7hdJ zPS4|Dh4w}E<4w`;i{JNtB%SpCSvf;JdalK>$Z>1vR%I}9IwIN?`U13D6_^l+c<79z z`RQsIV5d7g80JV=2G(SPoxbo+urH}Flkc1epAK8Xs{_YD+J4^^Gl&@8JD~iTqt-ZT zF-TMRM3(vp9qm!AMe?AD1(TF3%(xnvc|Xmc=y1tvNK7~(i!0<1}V zOYEH+9{P~d1KYk^UNkvqH$@^-R$essk?qSbo>WDb9{e8FAAg5hcg%^G#+{o(!ItHZ zJob5G$ri>zH;tbJUvUQrnPP6>3!JCMOEvjlf!@QAonDjZO@Jm*0xk^&x=a|?8P(39 
zPtoMQik2I(|5i03NbxWvsQ8cIf-5jSddPrKAmm`kP|i{fR&GI7HUTmgi;5WVW^iFC z@Sz62z*_GmUXw>PP=;9VJVLz0fl@><@jNT)?+Z{h&<$Z($b@Q4E)6TXAYRrlKo7H- zt3cEUn`8JY}ILugQy1I@+s_d?9c#q-Z!=w~< zXESD0m0~&7X}CP=F1<#$MmHo3mhLMZEfv+$!BUQtx(c0%1-b>&{KP#XUVx@b=_KO} z<3i(o!V`tNOU2RB(+N&dh!Q@6yT*DNl=s#WxB~aVaa$ zJk=4*YH|khTvPqQKvM|COhS=Uo3&68Eh-A}rVufO&Cu0ZqdJ`3u0hv67asy0z_~sy zXxF2!_(EV6bDx`$)HjwiZk-UL&pCB&pbNTA><60U)BuJIgez+pmt-6b@#e%6f|M7F zO9cu^2(a?Sm_iG6MH;GQ=Qz71!FJGg18z$oEeDkQ4&u{RCPNI|_<>$PIKGCY`vSrn z7`}}$=mt07fI`lMaEPH>kTw8qw=R;jGmc^c*17LD4z}EL;@{uf(gw7fldw>Gu`TTK z6`RIRm+0$Ply)>PN%bySGyS5^Uw@s>nDf-PHSGKOdymZU+avvN(s!ErYTMTS;H_UV z$e#@?JdaO7pDn;2_!8vjOD>$WkPdJQ2&8s!tQs1&I?JH@p#b4<1ed%V!GvlUn0ZvY z-H!ak!@mMY^jn$?BHR+{rUM-TJ*fak}99xYv{v#j4@j}hR?K!$3(85xoqy3@GS*W^I9RBl)0R21X+$+$1>+u=Pu`Q(9llb z&jgAUJceTl&W9rzf>xagau;*F)JGW%h(D5C`Mz44i>`NVb?pEba3(u@kX?c7l(;f! zhjd)xWl6<#NS~C#^@v`2+UgX@b_Q2`k?JV3vO8&>SY@kX;!nkogft!5=0fS~Epz&1!M21qRnLqa*o@h-VJNB_qB}$d^f*2pKaWV`A0OzoizXp0g+_X@ zPcEo&Ft`Nn$kJy72=0j!5;(-=jD;D403pP$>B^Pc7T;7Ha=vxno{#@_=z%xRZKF@> zWbcaVc{gyAf3$JqimS4>|BljkKc?ajpRVhO)~MGpX+ayVHm}y*MiSiAFJXmPv34F7 ztBk%c)^5do;IXZGDp?Dt#12X7z#9Eo#Wx#)G8`;sLg=q&$DaXbo>7X%f_U%WR$xn0 z--tucG&@d>%A*ZOAx+I3dN}e%<=5ml*aPwnb2M@69fmF-D}!5DpBgC8M^Tehz^)ne z3#gv$T&i&bS~uQNP1-Kj;?b>NYaD^qT3nRb)a+!%Ifv$t;)G*bnLc&Ot;+q*`{R5Q z-(;TYy@|ictb0J9rNvvrJMoF5UD7VY!}7!SRIx$U1HUaRT$bSclJ!7Px-*v^2#RT5 zQbUp8uHeg1bFoKbZklM9sa#fA;IQi@(I{hMr0FI5cNEj&H23KUEli}TtXlF5sKaKL z@3h%ylmYqv?(Qnht*gtp4GkGLTCTaO%O9@VX{BsyEVK4mN3F-KdaJkS2(RbG32|Ho znCF}V$ZL#kJ)A#wogC1lBlY!A>S{P=uk8Z1)y_9ZEHB#?k2&KpSH7R*Wk>z=zsaHj zpu_GcZg(M84hHR5L)k>6Zj4P|vVOl8{+cgU8S` zkZ|&8q#RgTXQh)q?vG8GckaD{{Au2ik&c7?>pJSHg6_(eP$*ua`aj`kpL={Tw{;BrAGP)b;O|JalnBS5T4Qf(7j}?YI2wwcE$F^UXJnjq~XH{I}(FnE0I;Tu)L04 zxY&3(%rlmUmC;-j2_vuS+1Wx{m=DXG7| zkv69Ja@Fi@F_wC1yLS+po-cAgg)X6ipF`@AWYmjZd`Siu26JBG%W%F1Vb_v5e3=@O z%jo*D9c8=9_%aVW&&$m0m@P}zmhgk~>3lXe3vdEFZyk`)q87ulz;jwPTCg$a<7;OW zHx{ER6b7nx5!1EW?!D#0EP0Et8CF+vhm~-6{R@84Y 
zS1qybxMw<@4pD@D!Sr&)MQyG=*V{N;(&K+u?W~;3%m@*e)C@M2}tl zrxF7vl?(t)?b$HN@X zCCJP{EaIZ+z}vCoF~kfoNfZ-M08?GieT7%ssaLlys%wrW{QLU!}zqO_^BG}1*igGmr1luq74!)m1sz! zHio0rg^H*+aHQAHmvZ_Qab+)W*s%oFTyt#7h z-=$@BD_=aYx3cPi-_eT;zSVilYpPCfaOW6x`k8%$hqB|f*>*(~c%8x0cS-+>I~P?{ zdpxmeh83amP~=i>+vckuUNmjs>RpScoxQHIBUTojvUO&a%O!w}!J8i~;|=Tl7t2v24w!}E!1W5tWL`id!dP<$Kw1AGVj0}_MD zhsncNv_DX7Nlh-8tR{K(K#{5s0mr3r)CljYdOPObXdz7 z#%N9-U^T;ouMGpG!E+XR=I|8POq!r6G?HS%e-ynV7zLPUNE_Mi1)JzoOKa4^q_L(O z+<+}+ix1Z9tPxT*qcz8B_=KLe*L2tPu_(2MDw3xlhKR`;5DcZyN<8Lxr(o5{{OH zirb63i~EX&!Q!38T&kGjTr3_fK2|IgcTaj8yfM^2f$A8&47!@Rpc>eI$5@~Xo{>kg z$=484c8*^s>0`dQU+48hyq_Zm81bMfjsX+&Ybq7ENM{r-*4HRN%wq%*A&9nEK5u8D zkda=yMma#wGodlX)Xqo*>`f@WVuNOsDxe7l^+Aoa6*d0Y8BRj_b3Rhci_tmjub+Bx zpD)X5EK|p(IMoUxA8INqzpTYsJAJI~qDZ#K7Rqs!TB$>K$GPQKH!obOK0WrrB1kZ! z(Y&~PF>Si%($cE7G5@6{p=dPAShJA7D8oWCy7(e6%{J^VCw=CN-F29_$3ImAjM&XK z>!~OSq}-RuBum|n$PwXSw@6?KnTR#vyWsp@Wb zcf0%CJKejHQ8X6>#g<%J5Y*>I&I{4eB~foAGztaMOf}3^bCQ#*cA9CsnRc7|%sb7y z&8N*e^N4HYQ4Jy)f0hBohWZO{@35D_G)h$yZ69zFohWGlB~Fl{Wf}>Z0U^B7F#$jf zR=)17nlaYUP?BQ}d2;fh6|KAD^QjAK0?}wr{Q_Qna0ZiGW7Y94Apb8=l$E^j#j30B zq=r)&Da0)(*KDg~b43`=EMakxK(s*8Q00V{p9Tw(OGCXAx1E~A5R^*>VZ!si1`F`~ zMU6Aiagl%qNCB;)fL2AIK*PKR8d5DlR;>&?r!_PVPX-ag^Ixiw)lxwGT(pdd91Z0v z6F`<%SeW9y43i53T&xTF!tL5zrC? 
z+CW)(&BGdk=kJgu!&8u~nt63OzZ{q{w3@Q5xDg)8NP(gb^cR^o)Fj%m&AXUJV0=a<0 z&>-^2c2yO0S7i`0qe1^4B4&rj%j<=hmv{RqUI5eOoJY&R%24R;f(``5o?>{pLbMsV zoU~*HUgpGH*}_L-fR_WkHe-}+qz0yfKY^P6N5l*%<(IMb7hA28wmx!aYp>$6n#!k* zP0ms)jl$G9U)yZ5mbZ>g&YoTlr0mbL(d-0w>ebeT_1BDTSrqbWDB0FVzjkf^^<#l9 zSHKsI&R9w3@0poni}o@3Wiz|2#Ll#l09X8_z3B%c)^MsOfj0w&fL~>k33d+TRcEvf z!#rvhixjkMf;%ReHRv6933#TV z*|o@d6TQu_-S)0e45<}KK@%YE3eh*5Z{~1nh|ZGE_r`(dM%4sp>^1N3FR5#h_S$O`rGu$(5hLcBUy45ysG4~G{l1XI*W08SyJQ|+6$P5P^iS6i=k zT;KDinjeh4zx#V4@p?*P*6L2Zn5W@& zqTzMCr%f2u4C)#5Gf=pud8I)yWNNro2dYL05PhCrK1?dc&mLqjTVZ4{i`y&x0;6$q z9eSt1b(V&8v(OiIs^IR3olQQ5b`=G=^7Ym{LcLaW#>9HVI=~>ILCz4pOtk|o0v#XI z?%x6Z4C=pOoXo`Gwel=^iM-t|++0K_7d1?7Em~4^nfo~wX9i2z zsF!U?uB}>3O;fhy)JkZJl9O6WteR*=HzH>HK&ggbt zuyecYjIdeMswGcL7bKu`C8D3M$u`P#`=3s%CdG7p$y1{ zh*+0=_2%|%AUYlnFs51J;$0@5JYRsyH>sg&)f0{qX~aEXtGnMHl8SvD!H%9{zrSv= z?hu|D@_@y916?;MA~I`oh$%LvY4;W8_YH6+-scZ@&H4ZH)$wqk)u4omnQzrV(I|Wm!4Q1MZI1-uJvGwGxFWqAF z*GPlYw+Ee{b7z@498u0@E9F~G2aeAX<yke!-?;gg`ZuhcJdq3|Ly~T=ubA}zrd5jV{28Qf=C1`|JsO()L((k1g8Y0kd6a*0)?{5%WK(nK=ToOdR5k95}>gH>kmx z8w_1y8JFrp0N`bl~fusl=2ym6}SQYX4e(x-$sJsY=K!ASX8BOLWO%WTkJo7V36E5$(V<^oo?5goiZU&bz-KeUr!*%die09e?CSL!O2s?pzx3_#ieJm1Gc%4s?rPrFMBFsTsd)}B zaryQtLB$tQh_~0|Z@`IoVHuZs6{m6?kKecDcdYE#pT2S7v-gbW60Mz4c68oWDtB$&|Kjme8O3B30+AF;9E`K=V58`C4h$IQ4y2fuJCj}>&U^X#>cs^TfZ^LiSISpbbbiTU zs93Bm&F4SvKUTT+VrcoT(b4(nVsv4YV6zg3U2DCW=FCr_@u%>xtKs zbH-)EKi$Son2^iu3XKKFLjR*97Eb84?nx$e!}KtEil<&+oEYZtI{MV2X&UmvMiYqPTaR{UvRVcVXh> zM1R04k!MD+itCeE8QPEEmz)^I-j>N_$BEexR!=7?7btdbM~dbmY+;PB-@rJ?Kt4fjQt03dzbt#HP<*Y65SJd%PN5$R!& z@Hnb_$N-bb(3nDj`YIx7nH&u@xtnJywEUWyBz0KaMlGaoQ=rp_j zUQ>$gqL?PPD^s-dlFc^xGty=&P;8Ut*sv2*pnAiSM;}pG2`GU;j*H&Hs6>ifs0lWW zjG-3Bp?=LUfi>=qO~u4XJmIc%WS-Wlfxc+}MX&0-q*Ir$bQ<5yV=kRxdI0rQ2F`rr?Yf?3z$oF8z zuz1I!<1AKh{ln47K;B(MOiW+Dtlh2b)qmIUVAlK*Qd`<-HGCk^A2;G=UT#-%s-+cl z%dpH1a#Pu$HT8aDgSkW6E^k(b^6HAJ=GRlx?cWeylKxtL(Rk5(DfM@d zcFiiY`Z?n}=K0io`#bt|<+}c%**PsUI?F5deSN&G_PTAR?6y#J^8L2$w)wo6->4Vz$`@Z?yk4*nF$_f38hG$UQri(E>o{0%5 zD&ADK| 
zAkQPTn`5ufM%&qByZdS2RrIcBBeA|5P1Od_xx>i%r0K<6)-M^DsP${+6>5*@aQIe} zM3C2sxf;cgD3|U3%@n~Jh3Em~m;2yD#LWdbbAh)qqb|!6?6YpGXl>*2KtoFt8>6P>4mDiG`tXlUxSM0FzJu5yjbX!|kjs#E} zMa^va=zWiOpgW3+EErcosBErbT-C)rx5kx&@3LC)2uE#Zw_$wo=#0{)XI0*%l&e{h zcSY*fdAE+PJM^kos_)@vsC$v(t@R@?BUgpCxGH|Gj{Dg_|K-bnj?NK@$5FJQuR)^= z(=MQ|(FM%5?~WpG3j3P9J!hk+IebA#-S}U@xN%i50T3!tz?rwXJs+g z*Ofdl@JHUKe4;FSHQY$ul&f*GLoR3qD1UEb16qG-tM;(`uyWA&q`5!!aP6pcOgUye zZhj_pw01%{VLUH9FYLW#R9xG(u8k8sxVvl63NFFj-Q5a@;GW>_?(QzZ-CZlV1_|z( zOV&R7thMEwyMKKDzT22oYjaS8$sB!DuU0($eY@|(^VO02R%Pd}^F70b1*=LWMSE$5 ziSTt3;GQD`;OOmOU)dPixL|f;P^yUECx5sqeqAyIFrI_=F~cHYBl=PU?3bED+a$= z3v<+(u|Iakk^{g)?`X1X*gf1VAMkkNXZpr?f{DLJKz-v$PA)sWme+^!4^hbu(|*zl zV&mV?*S>^Z5aXv(Y$c9yN^tp99)MmkYIA>jWc?YzU~$Q8N^)`B4WE_^jII02q4n{D z3)Q$yN;UQ|@43)uaIbt!N5;X=@fSD68|f2OHQFR+kjBGhcWRr@PE=2pPJMw%6BeK{ zBYZc)!WvS{wi(n%?{YilC>ak)iqo2ffZ~09pgaYvQpFn?9*niTNCc|$;}ja@xRC^- z;PWxBLm8s;HL0I*-46>#pLiWyZ17(XLq?x=K23T;ZT$k%9YN;!R~u*6zq%R!>EisK zSe{G&v*kJCCp(~ttP1=;`JR&iSlRz(a;{>hYHMk1XJYy`#PPSG|H1eC&Bgq`e9z&v z|L`~eN6+!!lmBi#{okI;Z&UuSp5rk+wtXb;Mb5kih~kBzZgELfOUWLl0cG(h-8D@y zR)W@E=Ns4|@lt$0{ZrkU83bIB69W!edJfttb$X>>47*3%7aI&RC7(*I%obxW z5bsvv>`$L@1f^iQyV&X|-b!)I`uv9SykkWjeFFMkR@Dpjjh}mPy&-xMAi|A1Plbo% z`N+@1vbfW|lbe)_UeTHv$#%t3Er=3jYFb2WVj8kzBuNw6bufhOerfVBM|jrRBruSR z&|AG8Vl;SNsE$;Kw92jtGit$eMpvs2ydMj6@d3AGw@3Te;Qnpl|GrRvM)!a5=>DIA z`nI-zGwS|ZbblLlle`&qbNn{yX61Y{>VET*XJO{x`2W?`O{uiTe!0!zO z|5s=F-y?s&`M(==bG=!L|F=&!fR*__*fbqlo^C1&jryKvY|*?_sT8~r;FA>b{haYJ zoLi`n6l{`Ic@89k^Kf}G??T%{{Z!^Z36|nD6fKnbVR~s>j*Z~Z5AZl)2*8Vd7a>A$BzfyhobV_`eQ8Bb`ebTt7_vCQP70*#_Ymtv}L?L8aIi}4m zp?eBPlCQl~5J!lv4wGNBY zx`lX!3_aGozG=V&LtP|`jeZTqWO%?4fBuqQd&aGn}!VaY;gV>U)D z=&~?!q^0f0&yV9BhFj9kkR@jk*;}Q~!)+!Y>ma3|yoYDIv`*cR+5g^ ztWa}$SwzD#88Muy8=1oxVhAKOc_ZWa@Ws}jO$OxHzyKX}E>vwWq{kTKO#=0e4N~sGE}q5O zC2eO1h=qpy-~PKDO6^1GBa4jrV`s*>xElSHDDctPh*0<41^PDCr9VI8qH>hdQ($V+ z`4w#a@D2h+cyT|Ylxbs27L}k&s)p60^ODa6C)rK-RK6rFYv+{g5Bm-9i%<=zz8n_} zE%KXdNF(S(2orgu8H(U)o)|i#12aU+8C3FoLineFbSlK24S5mjNWY&k%MyJ;*{JE` 
zTOJ!e7p{9}2$s;VL<14A6h{(QH_&nY`7wCg)x-DtiOpT22=rbUG#IXmxPIiN#Qsn3 zGL#8mT?zV}351<~ABqG+1(a{S!i}eCF~v)S+vV5%2sb&L4KhO!M{~8!_pu*523!Xi zhrc)pI1VYa@uwwFk+%(uk1JU<4@2vD3$_chffI~)s8RYX7fS@+fyTfs4A)lOabxG`YX;BX__8gv=?NALP7Q`PpEey# zm4@>Ed=*Dl`mXQ{+evjtdZNMc#V;kQN?sk5W{W(f%%acQZ*gcg$+>}`L4T+cur^s- zXsK4OlHI7!Ztyye!8ZPt+bG+#w`zPO!a}sL8rYSR>&VhKzZPo6W}RSkG*QssUKUAZ zJ}hyRkhj!OOxx;eAqg+u4eaGy6RGyeLux7cGh z|6NNa7-WuNgtx-o+XH)!)$9O;vn$#FID|1zs2oJiL|AwUo;}K@Xg64Qo)!5f=h4_E zDa0z$W{pNz9r`j#2pBgw54g8qJQzM98s)h%#0l%BoFDiBtOZWFQNJRhW|94jCa=Bo z_wMFLdJxR_ZooN`QD9R~T~8}%-)Xjn!q2M@u@>zjqJr_{l7y0(l6edx+4CtB8In~L zMB#U-O{0$QeTy3Fo;#+CbLU87xms7g+w25GlrjW9zAbP7G7GhoTtdd{%0O<}YZW??HkE8t>6tc?wl{TKYHN*_M>!&)GogMoe= zvImMsX7?Hx1HbBL$m9{$?#Q(ll<7mTQyBYK*k38_bzZ*wuKR75TzmEL4?pc+1^GW- zK3%%&=frg(ykvI62#P&0X-Q2Y=}>X`;m>sDU$6UT>D<5l#;_H*=aX;mj<^%%|9-W5 zo+3|24+Dw~pptY4%QUF05>%J?8Ip4XYCX3_Y13*z z60WJNdJLuoobnKCy_6Fqr_}=wwFq7a2GZMEvA2Uxp0xXPBKwLVM=rK$l9*~Z6>;Ic zzb(Tzc$Xq77h@5S5(ib+BKS)9v!z!+-7UEHj@B!&_wW^?d573`=)+o6@oJPHYgfeO z%)y)Rg{HkfJL&A6bK|1iYsmN^O8koO2_&8XTd4EvfOjbSlHga?4>zW%3z@8)b>5+N z-k}QKp*{Cm71Y+@o*}96Dpj`#--0oR!M*$Gz5C3u3+v<^)Z~27UWv0%=1U@#;05Vd zVg0<0Q~ZTwmPs#P;UAc$Q*g_IZk^!HfGDc95Gv`M zq*9I9X+%&%SpYs!68Y3DuNZ3dU6#50{Ob@9KhdsX{fk}3TyRIA$NMsiVUh27q^hyuKym zOA4`QQ~9Bzmy~7_MFo0zaGV|ebS5jeN9KliV`VsPv-9###-GiOd_O>d%6*Bna(uDEw&u%y!xq}D ztJhH$$W;wqXdhv-@*kg0+#l`urq6#IbX`O&p^bO0HMiHMnp(-|@BVSNt1%X4IuGr}OHbgGYp- zOGnaS1^Ka$MpHm()E9d8rd%g`?beTqfG4sCIxfFUY#zRg-ngwM(%Awb0Pb zKSw1ql1sCn2XS!>n%D`CV`bZ@xZxvu?ksE(4R&sf<3)6;S!rytcBbq^)$VFKA%(XE z;ie+ZPpiZunFem48qZ@y)wTd@xrT--knYfo2hz_bV;g*~)+Q#{jci;#yO^mC4&1o> zf)Z6REnw34!RKn4ZQNt(IfQrjaU2eRD#8Zf6&D(9W6R8xv6F^DRZz*2>Nr+PgPkq$ zt*LzYf{(H!(6CXeR1K&og+fi>@gA1ok0NsK7L^>{GoM_)g7b$lJo`Q z;jzc>!#c<}=yHL%Er^3X$n&SloK84PGW)1=nyNsUo!Tn-304siW z$g4iGUl2?@Kp;d$61*GUB8L^ujeP;g|vF-w65IY-)_jTgM$Vw1iJnk#y4th*FUI}V81yjBN3+zcz_<^#TJibF` zswB!5kQ4I5G590+iAi$5KyKtUmbOgW^rPkeka_VK=-N$SB5&~C>0F5YD^ZRO0}@Kb zm?o>!P;_^%)wj&snKN2Br$eDJIStDKPy^X3!9@PYWu4D1UWmF<^cH-464BG(+@q%k 
z-f5IXxuFeyYApC;MxsW_&z5C1?djLR=e>JFuN)olHScS#JFA9HU?Y1b5G=FUX~ni?u_pp?GrWL@#V=hY0?o? zSo4hV`HMG=T8Kd3rLuEGXU;DpQ6P)w*Z@4=|&kWj+G(%pps<9Qv?zTUYuPbSN z(OVUhSNM==gq75<1Y+Jd+5@tBd}cc~Ccdm)o#-?2U$$wb?_~1%xMx(QBWz>Q`o*?z z;+lXkPhi&EIU-VQOsS#5Eb^yqJ6+c}N@#gMuS3`V(&^G?%MX_347f?jFdH}of{TTj ztngc%LEjIlcDaL|NIHg~#te51Eb-b9llJRBe?~Yq6EKRdr3UHU!t;#t8&WR|xBRa6WY1buRi~X!wE1BXWJP{aF1@kvo*-K2DP*U5qr3ci#-V#_0N#4$ExAQ1_?a zE$0*FQ_P#jlJi0(D|n@k`eN*!w=>jtaw^1R3k%#K-%YTcR?hmEfq%7)VMoP%?{KU>gilMPL*ShUG1kc`t??99@aGk*%L zu7LV}qVC=y-BNjm-_%Dh(_V+V!J(W>Pv?vIaCE`kd99Crykzu3IbC`+m*pg2x`}oF%(dK#Jn+eeczOF4fjRqA$ZKz|w^W=bXhDni%*=sExJ!T2 zy8rCn8@Tk5eR%fkJFM+OZYtz+;*HtJ=pKQ+^pFPbLJp+1fG>J<<$E+x-qQE#BC9@&9^@ToQOENIXiC-T7=8ei0Rp{f9V_!p@(wxiZm zbdBz_x|?@r(0bv}gHP`mUt{e^h%G6fbnzi9SK@_{kc>yp$;OW!7~DWCcciS;A$=@EW@%5?CjexN<{N^tG=y*HBrc z)pL^jCRYd09@zBe6pQZk&nt$-{#D&2)kV~`JnN%*C7L1GSiBnM#hQ5Ko7S81r}cNn z*(bs>#M9ZePW`Gn13>ulzJtcujXkZPV9EIqSBS8)!tjfN3iRsP>~sGKNseWGBJs9& z`(k)LbuG)6s5>gWoaA~v*x`^ssH`B%6jfQbI(g$I@-XM?9R?(GHp}fz%9LjOk=Mo(~ccVS%TQ zA!9TVI9j=$kJo6LpPO^?_V6)L`@WVvUb!G91D7CX+|zt4ntY|_vZt?oD@QV_O4%C= zmNA{%B9@L;t8mhJ=n-E}xn1kWIE(IMw%ahzz_QcBVX6#n^SG0H$f|M_yFM$bGb^bp zje97?S+6zPj8G2D$7etQpfgxz*Jk>})K~`2V|zx4p52ZFu_I?rzvZxuMiw!X!v`=T zL=I|h8R*K{+B!+r_E>4JAt1&DTUIOOYV8fyEaCz71{;?J?JUB}i(9IXt5V{zMA}Oc z))2J!zaq^*;0uxWA#}M64yQ+%Wxp9;MV&PJDyNZuvzPfSxmQ)SqB}ULxnfT~WM4_R$uS5G2)X>E1%Ywmw;0E5nVQsY$oJQG0R z^`2qi7&}@*azj0COIJXItl)EM8)@-;jNN*f+G4iZ!HeU+7HO~qXtik_t3V1LBc#q0azbk&X@4Y6A$(|* zW@k4X+d`6cYWo&96~AE2c6?Ok+IG}Nrps9C_5-4M?C|txAay^WDvG2jw?AZX`>AOc z=f;&IpFUiJa{tYKpXg(ov08NY8jHDY3%34{jw}0D*-1B>f}&Px;yU~4@Zq=j*^0zO zr2$F=x7J>fkFC0gKdv7`xf4~CG0RrN&Wy^Ka=&nkRkCE2IMH=vecBt2F7~pPk(PMY z*PK=`m!Ef`Y6uT%IEmpbG$GczKBtr)%xKxIQe43xl4?kUc4RSBi@7lZ1jT$0Yr8%nVK2f@4hh z4^6+g^Xaa*x{k>YMOm5LeGkp0x%JAWccJB+Z!Jq zO-K;!IN*M%@ru%tRKwWKZSUEXn>Toy-;VAv(&PO|n6J=jVxAZIg%nVuq4KXl<_&B8 zi6s8yG5-l|lcg6n1X>z7TK=t5>YoVbt*!9K-{^zn!(Z_l=ii3@uXydPt?*m7(tm2{ z`+M>~f|Iu={RgB(_y2Er?f1g}eWCsg=by3pTde-l0{5>`{O88Ezj@jlk78tFVIyH- 
zW&h37SOL25A0(aM0&gs2YYsGhyW9sMCu37vXA&+BR+10Duk`zbkrlv2@@z#y{PoBo|o8tWeZr>QHDeD`c z<$9Z{^beh$e~od0_yhwYA%Pcii6Mpx8B^mmty!7=;v&rhT#+q`~rkikQPTjBb(wuP;vrzkv zC?SphceSb^{SHC39%4!25k%g~^GLb~JJc^UkEz$!f%+A`LTO8`P}V+N>kC*ng_Z=p zG}odZ8p2mWH&O3r+I+ZtywvBDKixWCj!mPQW++*?4W1_qV*&c+_#Qil0qx|xLCv{# zpEizWKIT-D`yf5iUBA1=JPOkE^i4z`x2co$y{$ysw{dsCJ=9#!Mr{~mM@(fAPr(LtWS|;Ocw=OEvwX*8Yzzy1<3kE zW>0(qAS{oYvqewn0QP`hz;@uI8C!5a!Y5<^Y|Ap{%Kc_|>7M}5 zz@j>bdWYH(^Y|gEHI)65JgRGO{h8g(BL>#k}P7n1wauf10(~9)WDge4-O6wc8eL3dqm7m z>_eq90lMlQzD_s*ewkdcrTf-Agib^QeGIPn($AK?#`f_6`t=WCZ}pA(bq@g(8z8UA zeLLXm=>7*Fzws4qy8N=&_&zy69ON~;4+%J{caNTE1Fjoh0n(e7+eh}10M+&GkrU;> zs2caL6JtOs{FW!|xUT!4JNd)P!gFw5YIGks{8cXa=KdLWR<@QOJ- zc$s&2A1wU^$PM~wdU8{NovD3pz*1dn(8L0;%BVhYA`w_+;KY?awyZO{j|RZ5 zZw;CF48X2y^^=X6cmOulf=2gw0ouzMV`gmWvcO5hxj{4XbR?h_sKUHHYC;QOyH}mU)AxW$wWa3DLuRz;lt8TdQq%enS)_C;fGUsieD zsum2hFQgV*L1CF&XBL(wfk)d)#?Fk5geQ>{&yY`dL*YUpEexqs()z`OMUruZEG})@ z&r7AWs3fc)t{{LyaGP3FqR#L8M6m_Yh)$d%8gXdyE-;RZf+&tPPALvVK}j({Q7>T@ zH%^i&rzFD4Xu{Y}051vuY0)yID6U0#kxZm2#)X?AnF+-uKVn!B95&G_iesHEw_(h7ukU~rfk48!23zO8x5x9=9S<#tl zimn)f;yPcYYqk*q2_LctmIN)cV-=rwg-M?}iw}6>>?AvL>#AuV!*+2-l2vY@M>c35 zxJEW4UZpOv%Pw(6vz4ylM2X|QL>v=F`6(X!;?CmR#V?sgcvSXm!q&;$+2-$nGJBB< z8(c9)^9@s~eDdgjLg)TW4ydv_% zC6QwZ3hKlqh>CWFDNy1FNI>$lk{ox6*I*+r6rPf|Uz8k~4;5%knF<0$$Xla#_2N7w zPN^)ZTj>)5+BzMnZyaGqZ0XuEcL8zQlD4F+sk>Bhx)dLk%y~+a@g=H?>y9O=C|iSe zt*q=ZMR_EuC|UzXnTqw8$XgRenMhkxcFE#SD6o|#5NP1zGUV$bP3TA5b9ce^J1G-% zz`2r5oM>8MW~kzvK8+BG*yNh<0uv&0cO7DoC@SZ@_!_mv>i`KlU+Jt%9<1V2Dd;7& zB+?|)N{+>>Is*zw6LdoLl9bKIO3e5q2}hLTC@I2Ab>Frno+c7UHC1U|S|SA|1vr|( z$fr1H_QMDEI(G^u%h|p8#%SbSO0M)Eo?ztNT)j8zGfA`fgfDR!DH;wml1#@H3UTcQ z=0R})VY4rBbtH48Qm7*h3TT}YG+!|=V`K^ocoG`GO{)}U)g*jqEXgT8B+SE%AW?oJ zRhG!0;G&2Z4!zgQ$q=0>PzXSo5s8D#g>om1q#i-0lo53{qv=7w#g?K8jwq~Sp~x48 zOO?nH;t>Cew%acjgtm)h2{mGGl_e@ZOyQtlUL22@Klytz#|gy|NyU`2e-SC9Q5%bx_ZdhmtYoz3jw zmxxt?Zuw2|bI8k$z%zwg#%;UqrA>N!#D@<(*fdW(+fzLo-TFQH+gKp}@bX4)cz$r= zz~~qr_?P!yVC&+~MAy3K$Zq)Urg~PMbG)OsFxM_lnI{}hK_{yAP_LNveYdP`a0Frx 
z;lmvURn2@TzX+b|&!qtsLeV~PE*vhJ;z~I zbT{SfVV99?VVeg`K(=4kA#BCc({tL4lD^x1*?{wfY$1B(zII`J{08H#8@Z}#0NaA5 z1I`4SoV!+da29uv+7zB|4q^(^Gg%?>PCw~ASZiV&bY5v41g@A-t~8Cz?Q<1(Ow`ZJ z9f79Tk3ua~jkGE&MJtcB-c*Y=E>vP7)pr#)71sL4nmd|%nroe-PTlrdB`iP(xyuTm z-NlziibnQk9A68?@7f8^Sf(c7M(-Juusp+Anm}_0mR5GxZ=XR2o8CSz0`nH#8fHlF z5)UR%g+1{q16LJ(Jc`v1boAD*&P{i&)>jm**F!<-WONKGuXGM8$LsEu+E!nxn5nx# zfPAKUe?DYEpIq@>)s68vt&H(?0;_)j=dR8+q#vP^)^$}PHtP6-C4R>yZO5PUumB_5u76 z7_S;s7<*`n`!q-Fp&-$;Qn#ui;M}bAUU7YaPWW;Wocx21U2vYx?y&-*yQ!9vq9oUV zc9R`8q*HiCsDJ2`psWyA6|tE*Q8C-H111_+ z{!M7}K(21cQ9;@iBq>3b6lk*mTmx4eXX50*DD*sRe z2pp8Uo>T(@9E3r?nN37y_y{QSZu=N$R)5G00ZJM8>oTJ~PK7)0_Zur~veB87?$K-_Rgwprx3jDA1(`~+~d=7Vy;{_EJ zfYJlI>3vS*hTRUi4rAy4u?K(Cp)PS-QihhmH5NV0-UTzjH`OizqBj&@`M<$Bl9#HLK5#S z{p^lHO+fH`wy5Rj^;#9E)&tzNdJVT;RkLizigjvJRbnGBwWvH!QOgB9YNJ4`A7PBk zjg>~}oWwl0Lo*K@jRD&b4y3maWDd3W>?xAiCsU|$hv&?q3pwT5u-KYVok8->LuGtiwxcB*nC<$e7weF7 z1&7P0Qa9gk)Hx11W>yV(T#OELtoW}s{)*#k9USoqZUI-{l)Xi}DI(k9Z@f-lhZ5Kox6PJcS%Du+%;MsXX`u{;9X z&p%W8biL_y{7ANk(o8S#!8MG{{8BTXN)9L6d%vZYJjmP>c|w9X54ow3ic({Hf@MarXgK7Y znY=UG{F_SiMwRJ(V+~?s4vF-j6C3oZTJsnW^!@Q1PvW!euHy>?UT-k(oWPR$Sa8H7>B-_6cW_nt~sPBdGGZJf@o z(pv{I`TD38&7z`b7VoQyo12D39pEhEaN3l7pUy?htT-5Cp6AHzBatz4*O*8-g;%j0 zpwv_Ej@XM>rhv2cbC z)NX_d2FOe-1y#PVVo!(lxu?gN&jq0kf&U}809CC9lW?dyelEa5(u%1PfObH!*4Q#%{xP>gT6%QuOIKZSBB1wc z6Q`(-P%De0U)_hs{x?CBd?U$5#1PaBIY z<%pA}iapA`9g|hU0Y7PwgRub$c3)dxssQSP4UNOj@oUyKc;1f9F*R)$x%+aT{6)ia z6izKpDcaO);j4o3ujgY<6MWv|%w54x3vG^Pyto_j#Wdj^pW7~4{Agbz-m8cIzB z8KTu%n!fVtbl9$Psk#a_YX3Yn$f<9uBwOBchQZf){SMc{6kuhjs=#<7*Sml8F+lBD ziz`V)u>d1+FONQO_(UPmhLTXuRNJ!EwM+EfQxmJ*u-^v9lan{0u)_YD9d>W2IT9;< zd|j9>OkFYPos5U~u}|@P8xPBrtm&OmIne{IvM(8AbUa82^#?cHtk;lS7r*3GJ_jj= z#(TaKo)l>Xl<_qbH^EV2X*vpS3I*uD8jfG*Z9sA7_hnL_?0l%r4-`%UFEzkWb*wX~-=aZ_K^RvVtKk&zwg^mPEf3^f23`y*mxX zJkb9o5~=gh%Sh3P^#g~9oyjwi_t)Z+RiICHyJrYSM!6e(TAmzMnowp0s(8QEjFn3j zR{s8|SJe0q1^!R_XSpAZJf=SJ%{!C!)tJ z`gm0j?m4UFqFm=W2=duM9?FzH1;ti2iQrtwTRj~z>mKm*-Yv_m!YZ`$dDFrw@+c)+ 
ziz~y&NRf07Ra;-?SDHzuzk8)kk)j;wGKiZrYqKln$W4>6mQ0-^y62#F8svEdwL2=R zhRbcxQNkOe7wU~_pl%zuCjg?ubvI+hSsPGnYpuiGd@DZwDDh^;FZZEtL1gr zG6hQfi#eBH=B7TjN%I>lSP}-MmVm1|BgrXWD6kbspNkHKj8RYM?Zr1T?;5@66}>7_ zI?rfJ@)zAq1}24GYKKNBREfVkN45%=L$dZ1{us7)&zizdaBzkQjA%dmP;2GF$);GL z9?N5d@}2PrO4Y}pOiTx0( zQhT4XP+A8YzDk%OLM^oAa`b>7GFdklqaB~XDo4xb z>)^#tf2)p4{JsTs@u;aIB?m@z;|9kymJiPx`gxyxRA5xE0UKxCQWQ|=fwvbzs{ucD z4pEa7xrU;}6TQelHnXQ5%Uf<7rVBw{BuZM%f@oZ$>5h>IZA6gx!upt3*^PefmMCv-}pI`IDPtAO#7dRz0YI! zR{G#}#3No08l%Owsy8KHCZ3L_oh!ao+g7j`d1kVZiZ{86E$ne3#jYGrOIk(c|1uof zLXGM}cHY6^8ZD+Mpgf=$z$GJ(C!6o-Lo${h!};iOjT?_-JY-T5xP$0nJKn-ZjW3?f zGHf6sJ1PSh)?gueXk6tir|+#1nn-2i_EPwDPvIoeVkl^3v{>LQeYkop*#|3zM@}BG zRWzJyzK_gQ=7i)!&1z`iINB`|PwQYHb=m!8xXQI}C(0L_=uTQsW9@@F4ms827_Lz} z_ji+b;UNbE3E$7ILoL5LZ9i%B8a-;DDapi!!qp02{cy=l<`ukUA>m4WJWBJwN%l;5 zw@VN4iw;|P*E)#&gFe4h+O}e{Euwy{~_0Zr)d0R;s3r+f5!BGL9YK2%75mr z@Y;-kH~7iO_7U*kI!3_%sAJ?}=J+djWqAXw|IJEDQ|H3?wFH84SQ62cbwP6SI_4VfLEAEGr}C`!U{SZ=u8h#=zhO_hkJVq{M6` zp%aL~3%DFF;|(u41o^dXjiBeff_MZwKj|6S(y6?_kW_*jD#w~Yr42w`6QVE6P{Dx1 zc*DftAo?u>%_qyIJd-e{?5+}p;~*L84{9SBLL2~_W%t$kzOV4i_88zd4!t)JH?=D- zSH|{O2KP6|>WN^GIxrQ)63n&WUsD)*bi_&+P$2OkQ4~Z_hl5)`B?w^@;PsnAe==aG zfy8`A2VVvOCkBHRBmh4S`^s6v`fR3Pzy+oP4Hbd-N#O;E*o%l5MY36aqLGmL);A|1 zJANA zrxfznZ1?xw@c*hdOl?h^oE=RKZGMON_bUhRKNR8oFDc~T$MfIh5e~rbJi`3(EswAR z-s(5lxcki2g) zxvE9g_yPw0nKo_B>pT*U%Ak>^Hf%dDKuS>?x^w@~J(sPs+$>oL zMy=MWV|?88C$bV78&7GqGd{TWI;Pu5;L|n0?c{R#TT?`b9c)SUPFPb#*4NO>v+;vh zXtQaDI`G}T5h3tzu@Wy54;{3z9`rM14#n}Z53f@|a+{)i&$CE(F*Cikt;hpx-C{cj z9kX;4KyX2amtf`TD~Zu3edm{x7$|0OdvSCUN`7dncnKe)){5?J}Th^I)iB_vn zh(}i4*SaMW=Q!*JY`QtN%+0sQSCo#JF{P!AT+7f@a_VK$ujdMYx44ND6vxSwX2l`U z$*HZ78fKF!y*9Hn2G z70*QHeLWkQg|0%UP+bV^1sju>_yaKYI_gQMn3*HBOyV~h2ONT2f+Wr8t(ouEHxHO6C3Teu!BAg$`oNJ%C_4({@k-3$}SO*Ta~+VYcNv^K}M98|)FjYS?g z7P)p1oJi125Hb++;21M;40KL}SWcFikr0r&=?`YLnxG20Js03Ps-h55N-7f`gVcy! 
z{*bP$55RP6{fIFS7YVHfavFRYTw!{JYM8?THwVta@)ImmV1^%D2IL!zM9-mX@mk*N zVgd+fr zLfDO$15P3Xg4;cR^_w~vt$(B``C9Nw;g`Nwzy$XGS*819l^rkJV1369DC&Y?v%0M6 z9R>sv5wF|WEf?$$f>bBxs9E-6@5y~GBPqJIrTFV4^^}Hb^26NSVMR>k%ktu@!1D?? zH&ns5R5!~7V2sVgv9Fic7!(FZSs(qwMh4M>HFRfpYscMpGl z0tq!e&gw_B3S(J6J~01pC^^sIbKLPf7Nba;=tW*cH4PgGF?vLt+G06hA!ku)*~4{* zRl(E12*DDg!YDOdlZPMQ_9Sw*kRMqR86&FneZB3ibBSwSC%Hz3pl_@%_AV=CrcZcB1bz=9tgI_|vN-^oqi) zO@?=+f54wN`K6fY2`$+>Y)sF_ybaeY2M;}(qgL7IcEtF>gmgo06g=j(cgr88W{fO^XY034bu*#EnGrsEB zOJ3@u1))bf&QXY6kad)ASNVFpkpk?q1w+hn*?hIVY@nM}*u)X&EKMUJt|}ov>Lt33 zDrdlmu!?s-t=(cKq0fs|6BOh(_1)B_iK%I_S*}^ng0azRk!5jaF}JA)5NwlUjlPH;Qh1I< z9Od@h1dfjGlp`eErl9Iz^oTVqaP#v@TCvD23~A{ZtYVfHz^ZgaqD|`p?O_pPvltnJ z$#tVbi6$Gren{5tq`p;&hb%bKhK8yFhudI|6 z=V5YVD>AXKsq)3KD7e@k=99j9K6tDXRUGdT#)M~u z7HFbiO0m(I@D+gw>H!f;y#~5@?GnSO9zt>W6z*{9_6%Jas;%I5T6?M zp}W14%|UyUE&qzz$-eLGqM4>e(W@-7s=NRrp2{t_3jOox1kZuKg!w+^2j@B>f8d%Iu-mT0c zRP;%07ybmf9`7?%+bpkqMDXRIv`;HP(P7o+@>rZx#8U3b&s|yz+w


7_Ccla=T# zGiCFYoJ+(??#cCCk_*f7%rbXoG;o!IO*3n{-3aTqy>^2>iZUBtSY8@m9vx9@wn{K258WUIfuI(2mxUP<}u00|ME_8`S+_Lxe)iZ+<~o{5mQ zQHC7Y?b#iI3r8f#Wgrb156P_d8&qq6Cz2s4=wuinQZ&ejn(q7Kd%OJD_vg5|KfrKy zcOJZv@0~GZGhowZGnQfc(Ma9%KV zaAk1m<4rFu&^E9~DBkQ-?@M6LFGtacG8AIIAf+dI(1bFq+h>_z8} z&vi8QlCU{6(lu$Izrq2qLL=Lj4b>zEDj$NLoP7;&oaCB{=Tq7e8-&j zb{GXki%CjPD)X$-_2RX8KPj0hyBM|6$?pCgy8G~G`Ww8n5!!h+A^R}N48vR?+??-H zFVmD{OH#xPAEt;>H5$AWj#^=0^?UObTWKMJc)shAgsPCz6qp?#={bCRFKBKCzWr7n z8`T?vRZv5Lt9Ja4`dfbXv4t9c`G8mP3;u7MbzJMhL`7fUe%)eiUF5wRMx=TBu*)uV6g>Ooj0fB z{v=Y?dUkr|cY#dxW1hRET7is=og1WquRqb8DN5=PvLy#SXE~N&_LD&NzHPFTc*gxC z7p0mKKjf9S0}~Bokk-W>h%hUsUzT?Fs)x_G8}N>a?}hJR9#L~(?3nC(e}T!|f4Qp( zHY3FI4yO@@8=NIPYMAA&+vFcq4iZ$xb5%W)8+|FA;h*iD!7G?$^zON`g5wHj=GNb@ z;)BYOwj@_*wLj9PT>mk6MErOSyYr6m7B9i;lBhMxQka;BC+Yb`%WMf*BLAr_ zZpD~LLv*uO%{{>5yQhKH6}B?2LWV-6qEx{puUTj@Xvd`Q-S@e67)x?d^1Q{VQ9f~g znu3~UGXS;jhFXnp{Tq6gHc*bcvmYGVL1=xeBZ4I<6#^2y`^R{>dJyG(SWT$Y9YAmH zNg4TvOSFn(V$->c((kt1>5BwhU6D7AeW=wMZ222Yo;e>6Z(4b~O_e3RO;AKBk@%3F zI=$PyP7NvcH4j@)u7skP)gC&X7N-J+jra&y+S~4U6gQJDCvYyi_-cB8Ka-hvD5?B2?`L~F9Rzxi1g==7n{;^cM*HY)a04=fm? 
zw)%|=tNPXXQ3-}r8#EvqGn^W1>MYh`EtQ|G8nj@!uMT>2;R-(^aD?4ba7=jgdJJ-J zqxY%*WORLG)f_0yF06mm;f|!?RqbAlW`9I+BifkaZwq|5S?q(~?smaKI_>A$3EaWB z4tY%NLCKUYc#Q8Kf!uf5FS?1j3Aph;k@Yo-o;Q_)i~Z(g;Tx=|Y?FYRCP z(s(2}rCg{R_eD81JbEB#o3)in-X}Yi52V=K8lAphcZ?^O-;#=>T(&byA?O8e&Jurv;Zc#9uPx`S0M2jX!$)_Qx(t)Yur{9110!?bUbmlXd|+nK zjLW{tQqGI3+hbgI>4fJSu8!^Fmo_Tj)n()~5)bONGnD8b2**T}2ffNbJi}B+6_96Ul{{)PvAV!-LuqP&!P`$qLc{pRUjM*>}?Ykn)afi(b}Ntw$q( z_}TndkdnT&$1mhzt^1JdVRTLLBTwsf1hl5AMjUEkDE|@z+IYXeAfB4l$ArVMfHu+FEBy zr+XD1g~q#CuGv)MJ3>vaFHrL;r7Uv`Zr_geSzBntdBW}-b=gJHrX@`LXcXH=zLr%_ zR%dRx-cmNeoZgGOK%GVhqD);zd4PWy7D-8~JL8xdDm*9LmNq3*b(^1aDH|H--l+QcLBX3W9Y=4;p(sXV-=9&y3uvmbFREaF>SE7p4xBywEx{l8-vGz2Zpq zs$k@e&T;M7UmFs?tbS2_J9(l2)Dqk(1$RU7t|Yut0Dk`v_{lmULR7U$(M3HF%y8y( z#!9lKNBHodzqBgev!M$qX)#;nnH=Fhu~-#a+}%-#+ZxQaWH`>R8dL{vSOzY+Fh$%E$!FqYSm41zG(!%P1P?&+wYeBqB@JR_#U#$=!!M*)>_5T z0`*eZ&Pv4XwY~yyX5(U2BO*h?qtaecC zmhxW${Ci@)xheb-p3Q+Ny=HXzLlw}U&98XhfG|e8RDK*x zz3$Q68S`l{cxV=yk~i3Spg*ad-Ub=CnH|v3{o)vF!*OoJ0;&7iJ;FZzQ-;cD&Qcu% zPUuw3{abXRTIpiLe!??ZbZVd(uFU{=J5jgL*iVCiNN`1xD=i!cyJ__NMUe1l_K+OR zZHNKY@PMc7pXsyb5pmDZimN#+SYIn?+Y2D(Q^wH~RC`UBbIa+cuvQ9)-Q2I$WMNGr zT)^s1%B%IY`TL}Wr_lEVTkQveN;hd(2Xk!H6E<%3%jNp4yYoeNonA@CmpFJ{^J^p< z%Lowpa6ljCgm>?Z9#Pv0quPG3JSK=N{ZyO6uW;ou$fR!{T@!T8DP$UJZ1&W9$CudIF?01A4Bj2WzkC+?lv+ z7PQg^Ck2zcA!9G9sKf)t`0|bn&h8_fIxjp7gIT}f#|=(zAh41mrrBesbff-lw!aJb z!?r3d?s&wq^sckI5DidB6JO$ZwKyN}nlxuXKf{l~DK)Q9d+@75my^4#k|S|(rbi>_ zVi+h=VG#Pk^qw-vUB~4ahC5Lb&d+oTr*8+3mJ%xF=v@VV#&-ck>Vz3q<}a;q!ok~RaTxlGXl z2zJ|=;bcF>n&ZT>8K=Mc>T(~*#;l6F8d`c4tGdo@ zB30yA|8Y27kI!7O5~@fH04@?z5ulYpEuaO8C}lT-5n14Hb{I;obLKGOKs zal9cOhMGpZw5b_?%poqytmezm5YmxxvsOri>gs8Qh!!I^e*5frYzkYh$)IIF1_5iG zPTUMmF@k>Jlt(a<>e)ZQZn+~{dYIN1*XYVHz+9{7)PQfsm`1L5hyKV9a(YbzK~(Ua zTnj$-)Y`y4p<9lt7JlPPK!#kx0(6Anpt`2McBx^)x05lkntpt`!vgF} zm}+g?z=l#+h0;AEkzYj>WM7L1f%jGQ58!j7nL}NGT_kGheyWqm@~tf|`l$1Zak%IFzY~Ux41cyw z|L+JxSxPx)a~(^w|Hu>m<{>|MLP3kqO`S&mX%zu5p=^y+TKJ#xo^WS;&zxkJ$SpLj^F@Giw|ARZHqheu 
zX84OK{!e+pe~kPq|HVlEC;E$??US|pzq054Xi!$jg7@|hV-tJA%mjXJU1RKD>6ZO6 zhe(5mNtR)T#D?IOV2WCo{eZuI1tW+7YL7$q3GL&`?~;>}z6P^j!3t}YJ0s7^C)fTF`iKczChzw45AsC|{idyq5U4bLn0v?y29@ z&4OESoh1TkMx@sKn~K+4=}Pb<@hi&i8XC7k#>*~KXO^owMtQr{eNSQ1PgQen`arrC zgq;@0fVD$5WPF9Xp=Wit=mn#Zitj|<7kDgUT8dK7_-F}S@{PQ#5Ne*?1?Sn!{?Z(6|B*bb3(w_nI-lTxA~2*f`wLSq8U}xR&0b{0MR}(9P6P&h&P($1u5Q?^ zv38>$PTb*FGJBSULoEM3P=iDS>io704izh>o3NuA=B2r8T$VYnAz9kKQ;M7U^NIO3 zkV$Czs(dTrH#L|0wGaJSxpHwrd`*$0)X8yaCbzfW~+9fbkn<__iYEa|O{!!4HGL2sEc~l_C3yHc{?^isNpCTNf+*Z@AS@6ej zJ(t?x+&~0#EOKmn7i@aNECxO zesaEIX859Q!8~##i`~c4EHAEjImo|&U5xl*&|)R-S#-I81i;=uC>)MmMGL$rTGcmY8ts1>CnCvJ>lzrk;g9st;x3ps!lFxfWbJV>(49M*`a+q7w9u$4#}=pr*K)9)ZgD3;c3Du4R5r0s@<)Hi?d}o6{d{jfDG%dThq_YjJ2-@7Tx5ShVSfvMfT zsl#_5^$-S8+!yC4t+Cw5FJWj_>>Kr~#x}@7{p1Ox>ws+^_Ex_w1g$;sjaOz%U-I;B z2h(jt;aY)_`gwMH)DB4C1XFq|F?Pve1ODBZrM!54=1=iqUC8c-Jd zYYX(`3XBtqH;`k*ZQweLd#%7X{PCd$s1N3o%}5Op{Wha%lDb@uWlnOe?UL3g-FR*2 zfQW(nxRs$cbNpk61MOf{2Hf%xb{%O{L=$=~m%rX4tAPvm*XL!-M;R2M-FN9@EKmrwI9?uodLlXrTBSuOc z4A~RtyRV&`UU6ZIc7xD#z`UF!Z&S0sRdFLpBPPx3H(CdGh0wnUkgefK1EvYGI3b8V z@~}A_N{H^P8mw#onw|lQE{aKB7_V&oqYmhn)(yzDC($p~DhW4`_;KzEgXK`I&DC)` z)_`2S0KzHrPB@^M3AwflpqqM*VR+@!BataPHGFs$5|a+R`0bCc{r; z@N0+e5&hTB+t{+#B=(7!(d~=w;MJ9n60kx|JF^kd>M53n@1v67^2XLlp`W4)#acJ{ zkSz?w7iM2E;o_FC9Nn$2%2jXj%*x5W%wC%OinQRM7rmb3pj3o@jDQ{R;ZtJ)X{+bd zz}xOd`ZPTzUy!F}%ROzAt-f@0R!V;{@WCQS-n_@J+tHE_*aYlvI2Dh9%bd#D(uFrg zbPt;jLl?b55J~)XP@qyez8U`wlf0N&>zj%mF1dG2Of;hVSdxcs3^Dm?jGi&dR!vU; z^{T)l0b)O9RpUS5MIwZ{fFA`lD;n8N z-KAXR22%uK$Zqfiz<9C#L+SMymh_KkqW@j#CI1(t_kXOs{u-k7r(7+Dzoa64)(AF# zEwO%!d;eZ<{XY0xx%DZ<{a2CqzXvG&|03`IDDwW#mGpn9OaFWp|5caynXAS8Srvcw zsbTt?zWY;``9J1r{c~OVPx@~B|ETYV{4e@$#{a6({A1bvQ^wXmE#$xJyMO0){Y}x! 
z{8t`Koc z-%(obKkXQwr~7|{)zE#ej=%36pP0!%HV??(=*BmyJQ)kiG>dG-yj=&#@_<; zzuO)D8M67~==Vhair9PtIRD~y_+#X6|MTCj1{T^sAvT}ZhtE&#|8_n2t3bKQ&nJI$ z*j{knpwmMTNX3rP`T>(fqk{{e$0X~Ka1z3c05YJDe}xA}6~pJHq{wUGPVvfWSb$XU zu(v<;wTYGH08sMLQBy?7RK{z~Dm_&UU8-p6q|&>1zf1=RKCf&i-F)GwymWh5vn5Go zwz$aBJ0TF=KsjA$8FH$L<+D*VTiy#A9*&~oP_!@CM2j8d7SK~|bvYj|)vo2wg}I&wgo-isB!G?%ze zYa~&IxzqIz4YzKOyL~1~*{5lZhf-vLhRAz4g)4d*j?P3RCuI!153t#;AvO@!3M>-E zO6Ua|mup9eN(RNiX2@;>+xZzYo&^LUSL!aeM{5rN`$ZBE*#u+*cTt4mixSLKed`y< z^VmR95NIGxpraK2DQuquc*el2;sgYpC)201EgH%F+Ym2C4hJB zlGWLzHLd#462^_5y}TcWNv>L<*G#qqK{qUv8?jzpe6=jE=0UY^4)0pzpt%E}pt%JH zZGz46M33C7(=4YzF|xi7h2o#uWv3ZVf!IXwRr+#6J-c9JF-|?zOhg^>-ScNasTA7k zt$TH5jV*#SqcHQ4%PzjqA@ZQkM&ci*Xn47M%?1>pIB{%!<;BeS_C{7u#(m5WL$h+# zvqMbYPBu@bPy?B;oHTCsv-0+52S}IPmw7KiFU2m}EhaBP7cZO|pOG(`yg>NSwAty1 zbClgpVpIIV-|``hM#&wd*^7uIp#<>u`6tlafu2A#wR~7bV7zFvpr(jmVUuQL-Hxwj z-3z~<0;mG40z?ABekqfOfevL6l@B#(7WozfS>rmBH7I8>RXnSEThfLuF+nbMZ5|g3 zUm$u*#;Y?FOS>nUbV6MGC5`t4c^aWhw9D8F_lgiW7rdLS2RKx^bLfg5%i|E=_>1VN zcOy{6?KHofA30ifrKRe0eg714?zqkzxsYo=_^$C!W|O0P&@SpO1TPCLxK(N(B_J9= z@H#qNhN))cEkHI8-miHA@LCzkJE`7HG=N=X4umNj2#x730r)OM=E^0zxUIZ!U&L*| z^%2Do#OOwxkV!*;^1l${l{RAOqm8taamYAi-D)$evvIdd7x|mLq5)m9TnPcW!lWIK8&|up>AYx!o)=Oz;59D! 
zP&N2dHMF3v#-XbDt+ppytiD*RS~Qv$uQIQjms+hBw3x@PF>6r-I$e z`TWvCspB1gg;rTQr>e$otW#}EFr`vb6Qk-+APgOq{VCd5pmP2xNYyjVnKxllLn*C_ zVdBb3zuvL!iL+=p?F+Lch}F4ra4SY1Ezm_YLt)IEtFFxlSp9i)xfJZ`Y|Ww*q$AS0#JIkj zK!>{7*3cp?;JZuu&(0nW#{e?jANGp&stPCd_V1nEJpuG*j-J2t+eUVF+N8O5){cxIV1vczxVG>R8SD@tVTtd9M!FC+GM9D-d8wbGfm}Y|+3a;5 zqxm0*1{+^*`k~h=rAg^J-Fj&}t=6ZI>*w<;Sm!uxHzP{BlO(CCc zo}6F7jXg}jHLbj6ce9ztK17~e1SYneX0F{YrWc#L=*Hf49H8HI%rAPZa|&OYc5WJ67J1TY%#LJJeuqpn@s3|d24Y-nPo@KPM^DwgYf9A?U?^%KujtLlb%SimwBh@u&(X1z zmmbk8JZ(9IlVep_6DI!$|ZDI#WnCf5?Ns;b&jvqU$`ZHvYJiufc}Yb zQ!?KuKNvSpoIMzo)HFB>OfcgrOA)F4n_4-sYVy4yu407g`K|4JklYB(F$(+WE=tHo z_MNe7T{~kyM~pKOjme_XsdQ;_PhGM_Ke)>g0(& zI+3_OQF{oP$?Of$xox9h27*rrno@4Jg3-CB!A{Y+glh_?dVUutHq^aNZT7d^<#^J3 zN8p*5yrOxs)kf@0lzr!Y3cqo_jY}xvD&q?Fusx=**(y`>VQPXsb@t)zeI>DlQ2K?{ zLnZc=a+qlPNZvf6LBmzlHBen1cypO`5!48Ps<+6pfa8ev4b)z0s`OUtwlgSZPe79Y z8}``_@!C)-UC5hTgs=eULZxgO3eXPKaROzyN#VDcxq^)VpyMlHKqcVX78eEX?P7*6IcfwaJ>%e7v%V@YE z-y5c<%@7T8nUOdUG392JWs{!hu{3S>eVv1Td!ln9xX3p2cJ`A<57HGhE=(?zH<2GR z5k{F&$s@D_@Z|&Omc6f+Ij+YtdxLW5yMedl?h#BM3_1jC-nO(mfV%4@bQd7#PxRQy zirIEI5<#ADJmWyG*l@pOxF=|SVZ8!mB85$Bh0{Y>^3^K)vvGdQKrL}X+i!d1VM8c< zw_!tR452l!ZEOSk^%VTd>yZPlpJo$2Q)H&(VH#5qUjQcIDn2OQ$>46#kXk7mFd%03 zL0jb}h^K&IE%;FbliG=p3C4h@3Xz5(T#~h?e2W6PsJ9J|oXR)m7kdjWA zewI+R5%gG07C#ynOrOlW?M_s!zDC@03(O;o)~Bwwg6jPJ45{2E(xy|k|8mR2TAo0A zw{lpRyP{{MT@iFa=G@0z|4q<4v*X5K9%@gaN@vc;YV=3wVs6g>Tk0 z&G@TN-;Oxjye|oV1zMez$xjU7=yW*Ywbb8!!RyC{n^m<=@{F)A?t5v9#&W7`3uw3o z71&d45q%9B2&Mi^8CVnl=xzMP+SZI##f;QPA)6;rmenW#Uiyw%7+mU%bz_HfXH64- z1r9e$xx<|@fphZ|x=hsXLzA)Z!It>^VZbMj8 z5F-xwz}hCI-F8~M!?{VZFoWqK^6rg?#;q!VQ=>L_?K}M|L`qVy4_2F{m`Tf&ICe0u zP`o$9Q%qrKVE)lRPmayJMdNTk^@frvk1e;nfNmPjh%$!(tyK+gBft3;*YGO5O?g_N zJ;(URv9UGp6YuDrp2N&3=0?>~j1wLGtI%5`TE0}X+;Z7x{QWG*S&HNI z+bwOoSLHCzZmWVHt7f24!_P|^)bC9m6gM48ceGUrU&)$3={E|a0dIOKcVvbZUkg6sIAe|2&?fKZ8Cq#LaeZc0a@Zk z+R~TYJe8zi=24C0uKh?7n6g!3ZGXRkJTS9&TT-`YaL6ke;V8nv&juiDDL1t*Uuvt7 z&HSP8c0AX*chGHCN#t6WUzfL;feB^ykrc-oYt|Zb%sZva?8~rbU*R#lKUBjlw8%Lh 
z8m7A4CE`OpRxB%w6F=9Qg9znC+EIEJs0g6i z9BMqx=ZYi!8Sp`{Z4Q?2Tm?I97}jJG2mcaz4NE||5n8Jz%yfZ@EAd-mX`sf?o-eBa ze7IaW63s{c62kx}yJ1P%wc{8LovV9psmJwA7SR+|grT|nEE&1M;-^Tj8})Fmx}GnY zGHaGCni7UGrbhos9}T=)Pl3EIb6Mmh9w8J(#n@;`rf{X#R+lyI$ZlXW*;Af8$Gv!w zeu!m$XI9#~~who~9V`LBpZ{2%MfDveF7Q%C*gbIvejQ`2=cmg;nUY~=h zteuc-&NA?U3b~-9kKiKLXq>r*-H!y<>^I6uAB4&8FN+x<_Xw{`Cm7d9Ruao|@`fha z4D-#Z*`cs(ZqueYP?E^UnyXEa@klR_uR50GU6#FZ_W&{)w?*{O_3(jGscQzc3b%pPfKH8H?XHrcY?^_ao!y zn;BTyKIK>}e~kTp{(Fr6GkfCqBg-dZ`1`dCpTOYn+wbT93|jt&Op3oWnlLuA)3^CV z?##69^ab=km2LXJTTT2mslf?ABWBd3mlj^|;Te)@Rj|tJ5Mn@D7Etq+Z{5S|Texpl zg8$jK*N67pJaRj0RAGii5r&C~aogSXZ?zAsDG3J49F{~9yTq6=IO*wV&IIKQzs6^h zG3?+mdd}&`85uk9^c5h;YvBY6*r;!|ha+&fZkE;Rkkffa11oh?C0BlcZ!$(@<|Eou zQQbYRg~C?4;3wxFl~fnCI;#-eEnYVR$21`zKHZ5K)G>mXlbLvu$dD^270OW!t$OCW zIZD{QmDdlQhRB$>76~dKOJ~hljH`YJC}BIrgv<)C2LhRjv4;W~B3bA2mOagLCF8Z7 z90&Wn?=H#yG7n=41|o(MGS3T;@=%5fIc25-0Vypp&V@{-U?Trx%%_{_(VKW<1pkLI zZ)fb5%C+Pr2W=uc-Fw|*9Y#jeFS`$x9(1RkU_9T~Jnes9h<{lje}h#20e}B#5&eM; z|EXok|GfVGIDLk;ke{I!e+QI5$reVozlLDY{azEFh%&>!Aj(vqum5WolYdLWfcz7r z{6C~%d`1BM15#$B{gnOvJwb<#;gdl5V=jMS%8<;Af23gixr@mkBY*n<{)Q>jF|htA zL+5kKtp5*C<#bmFC+z-eEBncf#(VC(bd~e$`HG48iir4c;nZq1@Cj7QA`SX#k6p|I zU=09RVIbR8`dtuxYklw&OJ0hUt7T*RU;X^9oUXpZ4($?sm9oai$9E3kt*ZCDD|3sw zbiZ`p?99D5$!#etENN*eF{nEqIWOgd>h0p|AE69j_Pw>;48U)`DKY>4*?0>y%gt*1 zV6B%od%!PaQ(*Ev**|@3 zl!5V6b69ab%d{Y@P8U2mtJapT{73R*Qtbg1I4FSYWv0sCd_7?5C zr7b`valQwBcy)4h6(7S7OAw{Sp^lIc!MTt&Yg+E%f&-%q*Kt9Lh5llTi?p9nm@5s; zNhpdVyuo~h5-I1St7%LTLjWwx>5j@F-)_mX=fCQw%0{h+Tm_b}coSxQJ zD*vM{(KDDsgqrkWx9p)ugM#qnalK~UrX}^_;OOQsTJNi?59>??Q?>Yg-=oO`ruqZz z@(8Bpo&_OnL)IAtdrCzaA_MrySK0_Wo%w5N8Q5nZwj>%6+Ve^6))HI~faAEHTL2uc zk>IpSbj#a^Yds^yGmr}*2R>O4VQ0Fgx{=iGL-iI&1a2I-1O=7q5%k&%;tSBc>7Y0) zWi{uqzUKp);A8YQCy%nIZnkwgpq|?^3K&2coD?JmFtr!rJiD@xa8cosG3a^&#j#gT zNmi(mnnD3JE5&$*BxOVf5dP~VLiFO9?Kg&HV>-};hbumo-k7NZh|P>^P2S%rija^zFq)tH#^%pBiVOo}IUY8DpyGQ9E>*?Hy(u?;Z8ca19j2dYj9F3*R>$T7; zlouqAKY&vhR<=A`WAzmgfp{!QQ%14}QSi?WQ7)sER|tLh5S#P6Iyi|MM8k51uoP@s 
zKl6d-R>sikr5r(#fV{xR$)}lRDL%tz8EGGDA0B2VSn!D0ZMLZhP93B=+#5Lfn*JS? zX7Clifam8<7WOX^@zlH(vJrT1=cL`RBK#3L%NQ{U@sREyw#Z;H*3l1;z;ooD{AR}V z9!h_-3DOo*aC!J>>F>M}WJO)uyzM#@a>3)OE>w5?*tdEKaf>3&!ghmqFT2mFJJ0pj zZ@lW8Xp4@0cf{82tQD5b)4K=wnb`|=MG)Q; z=k6Jn4l*E43c#-WNwB&xv9c+TGdJ^-)1(GrJ|SP@scGrO<589ydV!b0+%DuFOuSjRol zN8roeFkUXCe#OQsBh|lpDoEaVmaL6_P{d{Lp?@eI!Mun66bcBMBmgDk#)=_vUI`5k z`tTjmf91-?yK>w=z=aSI+2qr~MWuQTe-!zQS$;K0Gl>5X^H8xU;p?pP@h8m>cD3eW z{b-{ozTSaPUFw-EZVSuAVION$?C55BPP`VyU5&i9_ZICKprOhhqk)NZy56=T?tkxf zliAny&>n}{Q;?295SOVIZ&qs-Y?f>mTFys~uOBhdFRqb3mQz(Qh!@qDK9u=W0t7IZsSykuhbCI*y&?qr=ijIDiiC=qMaSu|KK4yW%8W;d*kCT%v zP4v^KwR?0*y2bH_(P-YXmFt;~5g#b}id@$ZBTna#?Cd1Ew(4Ft*H!dLjGZCoUTuiO zDl=PHQnKx|wlBgKKCy@sqRpZ$>HOazfUQ!*#z3D3A%TKuQOV+34l^(B4_h4fTO38# zu_hgr_FLdSf3zPu;V(a0TUz!%FjqP%8vX6=ZX=7c^s`Wgd$QK+nq^{q+j46IxCTYJ zAE=FTfyl!^3p{B8v5>&*$YJ~Bsb=SapANMLhYjl6P zFIQ{S?r`Ub0Kap{HyGDi<3WY2FI1;o0nIs|us2_QN2B0XqVVxeS;Eh+;UeD2Dp$*$ zX)>~Nt?;s~-RXR9*k4(q%7O3aW8m?Dw=xF@pJ9x3_gqV*!RZptRhW>jGa-CobL>rO z4*AUHD>rjz#Wfrq?-o-AZDX6j26@8yauez`7&mDSK+1a`nZ&JU>|$|Whi!jzyKJbjpJ9i1)JlqVMSEO4~^@q)w5rPanMVqx|kWe*^Rv?3SSYR1Hb)g@`WEG zVNz}d!d}+WnT$CTzWr*F{;~!7$YB<^*(2tJGCuzziUOR4`VM2DPXiSCic=Jzw#9qT z!$%(4yL%;h-+snu*9EtYGsElBtnEys4#=_1-W1L%;x`v_itlII1ghzWG?&K>$Y>xF>LL%o*UzT7#S-$`o!8>5E3_RJF*Dv}fvxg(g z>oUZ(C%4S(d^QF%`$6}{w~+CMg>GFArA=k#w_b(z^b6<_;uV)S9-U6<8$%_B8`x6m2o#>X2ozH|8;@3m2C-&-Q%|)wNbl zr=D7^l)h&O;|DkwC66Y7vX}b0zxrxqn=599e{PhwR+rYcEvtW=y3~C%olV@Uuj(K%a&?U1MGPO5kTS=6UZ5GmE4Z?-6WIL#3m+O_(Bk6S%yA4-!{O7(g z1YpDR1oRZM;Ul#3vbMe!*@XN6g%RDace?+whevim8CYyi3LsF48+s z7OEygf-AsYu+8R#v3L*n2zsp3T?iB9Qsbr0UqQqY^|q&dLw%lgdQ8%iOr#EQco@>e zMX%|ge2-VNIqEp_AQ4yqR--=yQOsvtG-&^@TaUf4rQxts4|hxpNrT_$5h446AodIG z3T7jmFtff-$Sp6ZZnqx3c|$58nxH1(j4(2$ckf|O&Ll@tRpepza#r}b@<^+RYE5Ge zXpQxOnT2X}r2Yn7Q{x7}ZKL<5lMernyP;_aB$!zK>eZvmcx-6L=d zdHAV665b=;lO=7RhJqa`e6jWt2m~FnPH({Sk^e!@R}>5nCbVTr4AB7^hKBT zYc7YlqXMHPOZQIq!LFZ!zn3aUX3RG2*!KsD`O}x3N#B!YN*BbdtdZwhkzUL|d5~F4 
zMeDQxD}AaxW{CEvZ$Kq<-FkRIha_Q*ipzlY+pr{O+SQ{NZ5H9-E_PS5V{JtEf!u>8 z_>K)aL7GBKrD0$8EJw}uMC*zy_);6dHU!#d{aIbNSb=LVd2!unT-mURVb^3zYag~X z(MdG+fG@H~k5HeLmW?O;5TAuFG~!ZYn;v%eEc#EY;)G;Y47&NMa`BY>)K~a`RY60y zxh>#qR=}u(hM0$B0%JRKb!~$-BpzmnmKUc6UV!g5be6FhU$}YO@%V_Ib)8Tb?|(cq zum6Y`LEb~4hg*z_%nr~e8wGfVFFR;J!oVr`pmGJ<$hWtnQ~Lf+UAo75#K-Lp20An- z03sFJdaTq31~x>?{gydAcsp4I^PZ}AjA6l}@xz19L-LGKOtlFzslfAV;*JU6Rq>kl zfC0<}5y;5As7sKVuVl~aO{Uf5a7(i;J`qhcrb`Nv5!Ug6Nv#~byj%Zqp=YeQKXc0X z2Kj8p6LfJc$i{d_Py9%Lo^2=F^Y|yzd9ha!^o^dFi} zyR(F^94GC9O=usnXT2JWe5ZPEQ=x{(;nG8I5ihA`wM#WsQf4M;^U|4RrRAc1r8@B_ z`}+CB(<0VQWXRBuQ0{=2R6`F<8j^wQ2K7n5#D#n{3+Iaz{!eFL0*>YO_1&qYM57@o zq>|Y)4@pI4WynmCDXGkq5*3+eMVUj$JVq2HBvTnfXhMY&3PtK$&-uUS{r{hR``-7v zzUMmExw5Xk@4eUBYxu3T_q}g5-(ycxZt8YSBv;9+`0C%W+HqM~Su|(CztH@Xw;z}2 zU-2g|^X=JP=ya%eM)L4Re9y178MkUVUzl&Y-nNV*eYgArGnK0L4?F~`sb5|aZ(e^8 z*l<+mXoZQ`WdpJCqR-#nElU}!C_ADO$tCY`dRFg@@+*VV=$Ht6UPkwuN@E@4<(69| zx$haO(SOA^1f)f(u#BD33`+^mZ%{s5v1oTH?WdE7MlDOfzkd3~4|C<^7cNy_?TF&E zJwEz~#L}V_q9)QNHYl8a>WFB1|LXChKS+g|Tg2&jXOpKZZ{`P#>Hjp~ko=okvw!9>UYuxw7t2gh>WQx65rfX%Ryjf%}*_N9mJo8#M zanAfs!JDt@#dl!9uyH!SyCF@4D z8D*WRp*wFX6S}-7u3XeS{fhYL+>lRK@mV*?klb9w>>-CMZ|`=AS=CnFsC26j5N&)F zd1Ke^^>M$RJma}?c23iC`b$hoEVp9Yca}m8;cXv>#eMgThUBKFw(IVCGA!R06jDc~ zsLd$YHtO-h6)+{L2d@nKBzbM4L`W#dEnEu8Ss(}<3ySWV{Pp|T@hj@Gwi}w;lW&U~ zz6dOlE%VK_`Em9|#XIp|BGt-m3d;)9byHj}D_tM#sHVgU&HhREaLa#`)APpnxp&+C zVhbhR2lLf>%`-%Ap}|6jj2p$Jvo8Ei3ViBawW?Jjf$BWThicRwN$pWvN|iM&f6z zM3(0qae(9#MU4q>P77>R|H}5d#yBf_KcZR6yZnvo)ELKa5(`}c4rv7dJ z6PcGbhO`~(+x%%!-?99Vq;TX*xdRy&rjsoXbKG97P9ScM9<@)K68ieR)$*v3251 z-~C@F>yM3?bt!mW|6pu)bYah6)qMQM;HXQb^3x+%TtrhwSMN3xy}?_lRC?vuEEnt6 z^v~kUrK073b5-;0aB1j1aA|$*3NuQA?fqWY?39JWD@f*ju3Jl**vyior2}{yZ`Rme zm2on@k;WnQOyh0Sx%byA?r%JnyyCR*!5U9#4z)`%lU1cg!9)l3obs(31B}x`%eCX1 zD~cL;>pj@dCI8%1+oE$sCz@-QpH1!)vn^_MITdT0toC)ZZK!b-iOQ7@>*{gYIg`6J zuq#@pYj>AU7F zGqR3vWE(qtQ6~FwVs^IB)e`HwBNY$zG|0UHlC>8)UDr28#JINeKQbEoo=4fH)DZdyqzhdTNfar(rEJaJxw7rMQ_=mbr`^WWc+hY>Q 
zf*U(^I)D%xpu}p#zPplzoPA0s_@v!+rdZq^j`X{`EWv^JZ!8~$jq4km!V_#N*}rG=5H}y-&&k` zKXGOEmR(BY1B01=JlB4mHgVjeZ*^eUtL2O0nZ0taxe`yyji^V&KRXh+Vi*p&M0zwQ zGZ-ksR*C{>elxyziMc`hs)Ub z=8l(1meh{EzV=1&;xe^K*<@a}2wUqZ_p7^XMVwh`s{(yklDXQv4ezy@=e(@*in}hJ zaXR9vi1y}=+ewa_`AGaOBez{L!rt$=mv&8M1CNlLdj9?ov^{HA3<@L$5zZyW5mMI4 z>{*kM^~p#(U~l~G8j^L~t_yA#K2$#3`)h^7hR!qP1a0kdJwu4OH-Dr%^S zy?t`imm4>CL@tu+@V@vHhBp=qxi7E4ZL!|!Yr83fsui&t$m}I$iE*GxRWcZ_lGkJuk^6ANrRc*evsM z+gb4niyw|_%ja6&@4k3XHIu?6;gnw`WPGfz)9rqqbHluk)hW+p+Fa8wKi|$#ll~8~ z)BOje9tI@ZaEN&DY0W-Skbb_ZOs7^t+-K7!NwKw5`JJjwe8F35%iBGxs}%i5Ew84* z)r@sM@s-w66%PW|i`%b@OjO*dsQH8TAVDEQb@bu2m7g~qj8)mj9`0wmMKJgLh;_hc z6}f|H?8RDn4N%LJEow92k$7J^8Ru4#qY^H!o$t``qEou3Ipm_L=FG%u4@=35T)o|Q zZe<$g_uh%%5a-vw!?}mkL3EhSz{yoxqrgF~%B#qBD}7LwOb%4mBfTP#6(d63GI~}; zo_|&<8FFSnyW-6qJ(Fu$hGT9zomo~EAt`dchIbYIc(}~~`}M81LZ+P4JV^&QX)j)x znYlI8)Yg@M4dO`oWl`O0m|w)XOG>uA>_mU|gh$MxSI?}!Lsj^-Ju#)E7*4+`?v$?V zd%U?jAAEguxwU&R$LUY-Gat!kE2#5>ofh}n?{Mrr^87aYWHc9fF8f1{t>N}HFSEz1 zwl`_$WmX<4QE&^iHJ_B~TW=k1(ot+Fr?atNvqXN4+m10qy&YmFqK(sIJPxLpt--zD zs28VHmHAj_;@v*}yaOlnn}SP?cf`sJ3@UCZHXnA|67kUQoulS;xw^o0TLWsig5HNE z^o0(ZX_}s$cP^B%S$1o@i8YP>B+e-wH~rzR%xa&GYQ3F4eMXPBBxc$kZ9TZ#=k)QN zaEGJX#jWSp@RlaXp50D-@Lu9)bdZqlyzpgj+uuFArg^cu;!wG}MG4F6<{JMx&Hr(BFrlrpMMKT5VKUB}E{5sxc)Rw#$ z5!3kP)FS8gD~7|pw+{Cfs0p`dwsC>-J;yh>h0=IuHSN-7L-rQ%7>x1kQ z3Ax0vpwNdsHZvDJ`SYloW-lBG+vwp}%8$>cx>T~qUjLwf`{(fGe0QHd@r#>GGb*EI zoYpA4-^AJd`{021w0!=_qTV5{*NdiOZi)}rIViZyNWST~MzMEInH@EC{QYI`azch<>^60d84zCT=IouYhsk~i?U;LugQ@na&THDcv zAmvcEb?vu06Ia}~lp@VYbQDq3o}DaH3Uwu<*4z+$WTj;0ON>DxS#AeBZwOd?l0-|6xbC-=y8) zzeKq|zW;dSWJv2&s!Thp=g;IRGa0L`awaKU_hgM@%We;r(GtwG+d?TMR+eoJWk#(h zfyd{omC3kc}PC73Ajhr86ViQc*v&r`pjof=U1P4S}dn(!`-^_ zR^;=$T&-uXXH6|55Y>IUpZd%m%c*y$)fXru%-C`tNji2QNv%SA6>Hg;ORsXG+sSsX ziDONH2V&#)%{0F4J2WcM`MB?f<(6Bk`rr};1wwJD@i_sG=GD$;T3(#wd#vL(d@jQE zX@WIJ;}E;PPx4vk(~+Diar=pt<|e7^=K%*euaJ-xxjtnWpyD=Y4)=p z*4eeXOg9NSKS^HHs@_P}mA2z?aNcNu-}_y;PsfS-CUVV&iFZf2Tjxdb9xPFZb7&;FS%Mp&F*JuPKbX_ 
zeA?6W)56SMPEp!xFj6<_`N=9_)!X8xu{V2;W$Dho=lM(jX0UXAAvce~sVLRz>ULwZ zHvuX2uh&(VG{5TW!sfG=GJeyPvSmch-x-f(DR4`5 zzq8$K)8w9AkJV3XV^!5N$lod&nVp)pkN-{APoq6wTxYms#$Iy`=ty)rnDg!OkNgsf2?SaSDf6 z|MXS_TyANqd9=2>_V)MYMw6u1SvhAOuk@{~tXQ4XH^e(0a@dz|+=~AAmsIY|hbt@i z!i{o6eeWLK#rwkgaJx$sIZ?(qn%>E}-Y7%=`Bs%xVzG*M^>1yjTX+0Jkm#aKcZjzb zSHc@1Ue#U$1=IUeQAW)?d!mZC8xoYiCLAcpef z3Aqt|j99RkRQvPXb?M$oi-CKe7dC5H-|Fefsi^8KSvPykKs=zR=|bn7=~rbLF;?Hc z-+REZDzxKhhxyt!+&Pm5m%>R79Y!ruK07KGUd&yRXO*70Fz`H8;%q_eZ^^+<8}0tZ zy=5+KD~FS65_OKu2A}qJ6|cV|_atDwkaeyKuU^IWeO)?I@dd|jo4!qy{w&xNGcmJY z`@7)}nk;{Z)Nb`!>CN^<7mLmpJp(E2)Q%6C*Es73Sa>UY&U^uMo^xV1WE z<0W6aBK`84QtS4JWk0z3Lw)rP{_mSF?*{0SuF>GJGN)nZ+ne^?+SPZujJ=&+-hG-i z({+tS(>AbiuZ4O4!Ay3Gh`kXnS!6?!)i)=x%SLEC)Sq9z<{)S2pG~Td)twVJsR(b` z((vtwxBElY)}Kd9PB~Q!B}YeWG6-$Zem~ijz%#)+?%k+7*EKwxwRXg4`emDujCkWm zmMy+>YQj~AU0*bQ$rG-XB6aSTSvgWJ&UI*KL7b<9Am__eZ!7&(_I&%=XvC8HHgyxZ zMqc{XNt=nnt{>CajeL%dPyX|>!_cKhBVIMHS)DZHQ`J~}LiHWxL4TAPY3|)s=l$pA z@HJmwUO2?YnYs79%Dr7%^^Zu8l6WQNp9wX$x+$io1brEPo*&RXBH{Th(lQ%x?3^>)~lFpQiG=xnmb3)Iv3G^0bN3D+V@3*!CHuq#Dr&y7>&&l?%^`uNTYe7&tvHQ?I$ZcmKsz)Uz-V)-AR*#X(bg-qqS zLB%JU2V^`PN4`gu$CxScE3TCsPfTiFT%PsTf6FM>1MaAPxAmh*?NzsL_ViVrC^Ik1 z+gYqt^r~>Muy)baU4BM>N@18>o^r2{m78}m)cB#+%CJu>qVYa|eYRKj-JUnW7XJvg z*EECt9L;?n@h!izPvNl-|HK!I9sT^~A#Z+iJnXl0dmx)~MJYHf#QuFgo5w&#)X=9V zV%lTPn@&ARQsMb{Fmk0re1uleC5xn}fFDQQN~X<6)}$Z1kdUJsyz64!(45Tx?Nf!} zlhy=l{in}3_4lz%y%?w)%666+_$)Ipyk#CAwOx?@xIIx|Z}Sly8|R~Ziy}5V&YEuw z$tux*64HP195G>#gGY(f=3w{uja1|LX!rEo=Zyyh8-kp#hKO;0yu06_$;i=!Pa)R!(@iVjI{1>woISVlc;tjyeIgFuHaw*$5GGRlqh`(I!?z`D%d7diu6cTA$xCK?bS2EwxTY4!QpbPA zJ-)B~;qKFdkBn~vU3GA&AJ$t7k*&i9Fymj3bXD!7sykhEn-n7nJVo^fn@);-?qiqnNJ z9Ug`cwRO}j3pagJT$n(5r#?0EV|4Z2Z>brd_3mmlt*BQs@Y}{URA!L4&Q4BHQ(gJ3 z-jmd;vezPd*c;2Qt-tny#lE~yK=guq#G3UvQ7J1XHumIbQ10zcatz|Sb;)TLpf|ASh?m~&D}fKQd{m%`bXHetUK51 zGG!Zh%1b?Z`$(+OX6sK4X_J=Jz4-6aCEnBb2165BqN%3eTaIjRzVzX!vZKD1(@0bB zs>45r^vWGJ4fr)rr?T8_eRJR1#>BTEWj^d{&=~>IuIR`zj{>vaEmCKH%*@xdNjm4> 
zO;B|a=x|B@yei~_nDFEu;nzInx6`k^?y{VI@rk<1KE-Bb^{!*L1=pyvCuoao_+-y1 zHpb!;`D|EiH|Ma2Y+a(+Teqg;Kl(O}N#9f#9-8p>7u7Z_br1P=jz@|A___U`i{npa zZhW*Z)99D3jnA?)wV{A_G_RCAg+qEaWx?HUQ=4bYKXY!^{qF2e?(qE+bF=p0!S+)& zrlE-!Zl23Xi5OV1a>yz}RriO<$>o`chn~62?mW8PjP%ym;>)wXa5uLog=W63xD&z^ zw|q<{Pn__#i|+Vy;9{s(hU49t_x{uTm-fE70c7r7&=@|7FIkNFE}wr;f}xCLZfYb@$0@1BbrcS}C@rALwb2R*j=OGczhsrK2k z8)~cN$Ig8-Z{NBuICSGKFVj?OtJ$202JiHTl3DFn2vetzYa1DbaA3?Hh?Z zz6GPBRtru9Rs~Yx0M##6Ow92JC1~dOlv0skdoNA7EqH!$Uc2h>*NK3N4^{zgpFO$F zV@ZkI>LS=mu4*-DYV7FCY%9$=q~~B!um?v>e8SCol+IJ3Bqpwx;pd{Qx@Ft0EkO;1 zEJ~Xq^F@Y;H95RTEFyO$)eFR?=y1Mo3p(j|5{@}mSFY+_*D156xVXbwYGST{jlMQj z@9D2A9P5QL3!K`Q2b(xF7l=+%Il8Z%_AHBGz1f<*b|K+Mp8R9GHlwD?pHAP9`EZW* zaNxE3KF2plxNhDeSyxBYq*F#3)*n7V4nKdRm2Bqbq^h$~H0gJLebI7{HUlBr;grsM zf9y`>XZ+|DNx^&P>9^C2%Rl|Muej@d&&_t>6aV^Ir9#jT^3( zSjnmAWvlSNQgEAJflH9Qv!#u9{qH%J_Zdh1`P{#HPSU*W-IYw4 z45IA=r><_EU+FE%!tH-)&_68sqWoJf*;2}aRG$Cg#oZHU6rP0=+V_dao^T3#C1`s< z=(@bfg$fbB*S||Bw*|_Ei?oYFHq7gOd!!-P%wrbaB7dX5OSUUD{mQo=#(L~U`wTy_ zdYy4p!LIDTB>&Ip(*LL9wM#E3dWQ*{3FBr>xFG^hB+~_H^#AF*a&V&izb|QEboq}H zwNwgmiAx%&OqVp!=uG!&lHg4FzfaT(Qb_;06z4zg)%=_C56}Ocs3p=FU$py2SICTS z)%|bE(rR$ok+XaIpX%}lyvNn#=UNb4s@xru^3YtDxXz!jLTh+l_d`8SRxz1@Qpt`|=f)UFRz&Og2F zNLaS;emKR#Sgo#Ft4D^rzhJcBWmY23OPk#LC)_z2F1erjWBmYMR=#cKc)sSMq4d=; zVVT#}k1sY_w`dz5Xdjlz643OxBjCw0pnIG{QoM6@*R7qu$}Gvj2On&=P~Kf7G-|Et z6J;9p{o$QMQR~#Qqjh(Vu2bcTS{~K3J1?SCH%dK9Of|A@`J0AY&sTiBa$x!8Wv`dN zUS`T_y29^D+GD}VO^zGfx!qTNVm-G)^6|wJ*Q$hd)~oIn8dX&F-(4j*YNVZu2p$$GASxIW~sM}IwEp7uEYvD1ky?p#}zd9i(7W_*U*I@2oihOm;M z=52k=Z5^8zX6p9K7Ab1FjsTxQc3rFYu#``tTh|ZzgcJ@Cb z>{F_IM>)z->&Tm3!*Ny$ud`-K%aUbnV5cPKX-Yjc^yO-GJHtJs9Phx~4Zd+=&Wc7U zZ#|T^kbRYVt)hwq4vcXbMZeoz*E^iH@K9%4pq9qF%cd1Qx8!GJG}^c6tL>c#_Mf3Y zdiicW`AM8(?wWr1U&UubSxL6~`BZ8LSvB9FcgD}5+o-Tss(gO}>8{Yx3+2P+Nijhe zQ%%k82sL!-O>mYE+GEV}Gc>Cd$L^TvNO2>-%%(rR~NCGEWX9FE_rrXLQ;2x3#Bs_;IgT zp0{^imoH7R>q{?Br-mcf;)>1iihQwm+&c%Q?;`iNRdeHf3VhcUdie`v$Ua--68K>A zgSX+qrVHbrSBqXU(hKf5OW?Mxv- 
z{?D_LHSMgp*Jd65-_OUiHW?)(${*&wT*n*yIgbaQ7I8jN;#`J|(VqS%m3>3c=+C*T zR~nU1R$aQX)=Mey?#QcK;>~*5=Y`hRUOw$h&`wGG;?Wh56hG>9Da}e>=9|c3lGDq_ zafUJ;-W(^`)6OoRCeM9~zU5}(m7$amXS!8q-J<^2egojfCvsy|)Dv)NL^ zSLwb~o9pli+jnj2`Houn_>Ia6*8tOuU5R(h`aC=6^8r#8=Lmx5j;Eg$HCY>Yu(D68 zjP+al`RLDg6DTj}G77Oo#uZ{Yki-9ubwAYY-Qm z*JM5tFda4>W}LR}u7B6Ju?wNLPhztq49dp&4FupT;_cK?kMGH!UVL)6BXzs)Zq91A z?sj9{dn=+p->Kp}uP+&>7S=f)fuA49UqPVj1s-obs$ZYow^ij@o~3qKtetg#rufCH zRnJ!SIdx6%A6{`TY|(cy+H>@o;>3IUL&wVMi?5&cOdt8R=J&44agV&W(_1vB*8fnx z>y%)2Fw|BphM-=dx<;%!LU=^V`a!V?@6qQXA8)M5jW?+}E@{wnckcFV$=LmQUj3*u zK`{lA?J;t%?k$uaH%^|FIQRV;<(;$TpI$=ey@8oqdqUdWs&rc|UhQNHjdL*8aX(LNVW6PZMiZ%&udkwx}Dm4bLR?m)O2ID z)}8s8KjM6OGV{jH`E|0{mxCg`@;>*xnqfH`{jy=zPql~bgSl6$&3Qhte!9SytZ6gq z^s4#dWDWhqHf!SKs_04>Bgv-qjzj6=1IomoD>tbIywaVf3d1srCElo+W(W8wj$?r7OkKkQz zW{4$dYqw>G#ia_0buG`ycq-F6dnA7Wo%1@2xN^ zeixR!NuF4_X3j@B#g3(hJsXrf%%ZvQ_18M9J8g4V!U!vZUij~6IbrV+Eo#`s9yFFT z>y9%Xk+x_o?NZArmh3iDXzU`9I@>mN>l;Mr-6Uq#`2fC;#a% z?n;xqm%W4LDRmJ$MF?x_x9dmWAF7!;cDa4EN0F$+QL)6$Pu66|e?IbZR$ou?^Xtiq zOD$`XLnr&zhj~Q1O)0dl1h}mpkjvEu#Y5ly> z=$_CO*_Rd;yUf)me-Rd5>MKpf5OP=NudWR_cj9-d(+h&`p3+O<)=#B3P`t@g_4i_W zZ`4PBtvFcL`C6*eM5C}bx=ciZ^V`RM8O4IS4hyT1ukLaP`oPNswHr{dJd20Qo*sV(;;{Uw#P|MlD%FPm9{1dS=x75@T z)VFqav30N)#FM0`g2zPU-E7ZV2@;4ZcmnB|sGzo+xwGpC;f|3SMW4pxjNg8%m>|3a)MWeu{;2B@+{!bd?-|$i-Li_tVd?p%^1~0C` z%bJYeKhOL754gzkKWS7vjmmg;^gn5T|ADrHi_jR~hG%YvC(t1iWTHWV2L}kAiT1C* zm}pcQjRXLmnT8{gi3p8ICD7p|Kc;p>8lH$p=0~Ixh>%qx?MOICW|(Po0txPFWTO53 z2l6}`j!I=@(Tv~!BtIGvPo^UCqvB|Ic-xPuFBJ#VL&l|mtjH+8bQ%s)DyF``8<~#b z1B8H#OQh2XaLpc5UszwzGiKV~4Ul#;B8^N(+Cg73=*>p2B~;5o^j_WGA_n9QSl`3c4#{ixCso6g8D1y zOD1Dv0CfeZDlv~sBH|G{g1$@0l!T)pyiw>x5&`K8G;qeq7&tl|z9PajE@%r8_2X1L z9*0MGqtL00FOV?xWn4x{LHq#~#z5!7Xa}D}Vd~3x9=06;6H}--3JLWu6c_;`Q}AIJ znc|=sW_~yl8Y`$cDur>|CgbOyiPpI3j!#hKUCL6oMHu4cd`VI|mwtac?sdA9x}itEb>(ku{>?iBv!VXkQA- zFSKJ^et@=H!mklAehrWS9@Tr8GvlsdrsqLB0^{v<#_yjsVxR~*cFuUry5Wg9tS=#e z=A+Lek{OpsAY)+s9|@KNT@Ro^U}f%0#S9G-;6U*L^|u^EW8Xv~AT&?p$*z-?gW0`*{| 
z9r#2FCVt>>7+eCr1i&{lA5?H*s4al}@YppX<57PA{+@=F6~tOZRv=R%s*|uDSd0X= zfchbjJqg7TAX6$_mBF-@z!~HIWo8-OPJ@uC%F*bK>z3{ zj(~Vc#L56H80iaGnMy#$1wA0ZRWeL`Q0OGAZQ*ES999oV*mVQgiHrfVBH>WI0{NkS z2=oAiip~XGA~HW%U&hD3nC1+tyHsvK!;V2C!zDOKUos>}2o3HMLH#(ybIAUf+d(|1 zVC{oIz{Y(N9vjag%wYI{d;ygo4yKHZ3pfW4Uxh>X0JB8;!u-IH&~`KenyY~hE#d#D zM68_?=@@(uz7EZCK!@m9-JnrWf6w3pjb&hObTq#NJ|I&@`G6!0@v)#Aq$SpfjN*3S z7cM?WpGO3=%uEA5U_nqCZ7GaIMq>roKE^H?d|>So>(?0b!{md21kjw5F+bF1z{i3k zLg!4uU@n*+0bO74*)%Ffua@#x6qpS27~o&P+o3ebFA<%D`9WvqcHoCFxgW%2IvPU( zqhsnc5Rb5U7a|H=dWF~rB$JqN2}|S}P=3Ma1{KOi=<{I19rYVHFgOgq6dcCi<8c6z z(B}aO83XhMfHB&R01C)V1API9&rAb3ldv+N6EHb8L@iV<4BbHe6(gQw@hOB=j0~tm ztW6ULSUsR&a3X^b)ZQ3;U~?Q29_wQP{vqoIIz+<6Bj6W<*YG$Rs*?=NKt!GgF^Yu7 zTF_lgP7Lb?4bk<0@PS=RFc9W;;Quhb1mr@;#4SKqSeyu@B}9k7K4@r70oD?Vpv>a} zzYxrrX$(HFdQYRFc__>eQ*(p34}wOY2dp9E0;0j>wSaSIC?03b4~=CYdpznB0mD(T zH9;aBgI{2NC>8~M0pmjFjHjbxFy^;J48_<717Bfl88is2=opLwFEfpSo6wpYV}2;U z2l>&lewR#JqDFzqIT?C@jnhODS}y@UK!D8igV;kwWdO2=>7eZxi-e&uz5v4PpMhU8 zmIi?uX$ScNR(El9bS^Lv3_f7sXVkxd?qc$N#=4>TFN0rHCqaIUQ#ed~z!;<@bZCj# z1F!_62T)2wuriE6#QI_y?3*x;3-&?A)FNR$7&l2We*e@SfHyMSlgC5@T_d14mVv|2 zm;y2-V|@v@UCjCtG4TUp_Y!(fqM$ej=10R|Z#=kSME^i@m$0{`a&bHad1iiL&6mPH zOZavYrY;Ke12BL-4=z2#=qZR8@g)$;F!>q|9YlN*y0~;87W2EdD-eBJf(KX-$fGj#Lfr9l-03%SH1RRU@1wL>~ z_(X9z|^?Opr&Z-p}-oUHV9th?{nP@#s6>Y!>EBG{L;u^M#x z<1Zj72$;-sX4oaFr;Hi}>Nh~9L@bu4U~n<`91p_+ zE=JC<&Y9ADc9%zh$b{N?&scSF-rj`rQ z9JMzn`Y^ud$h5vdgNg|=4P=Trj|4G~vIM`7tTFe6cnJwLGYv2%#@B(~W7Y_C2(yO^ zr!BCU8hFFxWdv+(3C5+P`5@TQ68RQv-66gmd?E&y!2F09J)pzc3M8&VUrdYw-5_A| zZrDsk?F|qnMkfh?|Il^-C(#%WK^hzkDtmyUNM8n~!JaFCL;&$kAV1PlI0u7c0o9@Y z8H)F?%Yw{>NCW`LOauGCqkbG>GH4sx4nQ#aJV1IF-oV{s{3IMdK=B5gQh>rY^B5FB z<7jOY4nkno7os^7>yf@B*k{7{7f4-@IfGw=gA_<#$ed9*gPvmcG(rC$f-v_5y;`Ey z42dJk8=ROxu@7{lqBsZm#n#tI5I!(AO~T~FfN3y$4zOnfmdQM4IDLiL&x6x1WK7(L zu#fr|i1Ac(jUXq%;0TC#IJ5@J$Vo8%0Cuv_m<;n{ydB5nCn*&C5_Nviag1$&VxhW0 z2mg$D9+WmwTcyD9A#6JmCYCXR9%3J`v52YDfMzUJLs6jQ@mV(ODHE@nRz))IuzJT9PJOzj_Jfbqr9Zi%yMaCioJ 
z9>ge24HWE+gwYo|d;u9*HwGW54l&{anp?pV!6qca2k?vf4F!W zUtk3p1CF?&b6FBwK$#G22k~R6GbfmO4h0UhqP7b2BVuX51|mP$J;$T_6`(^jw0;US zGWKi~9Mr0+e0(OrD0zYEsFh4kOfyfkg4bc1-VkqXUAFL&KUgo|G zo5AL_;1tnygPl+GY%=7bnD`5FA)$OQWQFD~K!fE(<^nX#n#1WeG_FElY@Q4=L9rQN zOw8FqpkdFRGfJC?EkHX8mJe7W)L-ENzhL-)4N*jXR06s9imaOIU=kE z9^EU4#ENPE*VWnF_N=ut+rE8*(mJ*mtr;)32udGyaBvm;`&|XWqk__^_9q?SeQt;n zfB&T*Xd<`|PqLy?t<5Q9qBYsl(!vU7b&^0fr&&TZfkv^!o!rm%zc=~UC%{}>;pLsb S->iYTfuPuS?^e`QV*5YH%9$qs literal 0 HcmV?d00001 diff --git a/src/assets/downloads/delta.json b/src/public/delta.json similarity index 100% rename from src/assets/downloads/delta.json rename to src/public/delta.json diff --git a/src/assets/downloads/delta_report.md b/src/public/delta_report similarity index 99% rename from src/assets/downloads/delta_report.md rename to src/public/delta_report index a16403227..90c09ed3f 100644 --- a/src/assets/downloads/delta_report.md +++ b/src/public/delta_report @@ -1,20 +1,22 @@ -## Automatic Update: -> +## Automatic Update -### New Controls: -+ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. +### New Controls ++ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. + +### Updated Check/Fixes + +#### Checks -### Updated Check/Fixes: -#### Checks:
Click to expand. SV-230262: -Old: +Old: ``` Verify the system-wide shared library files are group-owned by "root" with the following command: - $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} + sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; If any system wide shared library file is returned and is not group-owned @@ -24,6 +26,7 @@ by a required system account, this is a finding. Updated: ``` + Verify the system-wide shared library files are group-owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; @@ -33,8 +36,9 @@ If any system wide shared library file is returned and is not group-owned by a r ``` --- SV-230379: -Old: +Old: ``` + Verify all accounts on the system are assigned to an active system, application, or user account. @@ -65,6 +69,7 @@ a finding. Updated: ``` + Verify that there are no unauthorized interactive user accounts with the following command: $ less /etc/passwd @@ -86,6 +91,7 @@ If there are unauthorized local user accounts on the system, this is a finding. SV-230470: Old: ``` + Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: @@ -103,6 +109,7 @@ the line is commented out, this is a finding. Updated: ``` + Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: Note: If the USBGuard daemon is not installed and enabled, this requirement is Not Applicable. @@ -120,6 +127,7 @@ If the system is a virtual machine with no virtual or physical USB peripherals a SV-230524: Old: ``` + Verify the USBGuard has a policy configured with the following command: $ sudo usbguard list-rules @@ -134,6 +142,7 @@ before establishing a connection, this is a finding. Updated: ``` + Verify the USBGuard has a policy configured with the following command: $ sudo usbguard list-rules 
@@ -151,6 +160,7 @@ If the system is a virtual machine with no virtual or physical USB peripherals a SV-230548: Old: ``` + Verify RHEL 8 disables the use of user namespaces with the following commands: Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. @@ -175,6 +185,7 @@ If conflicting results are returned, this is a finding. Updated: ``` + Verify RHEL 8 disables the use of user namespaces with the following commands: $ sudo sysctl user.max_user_namespaces @@ -200,6 +211,7 @@ If the use of namespaces is operationally required and documented with the ISSM, SV-230559: Old: ``` + Verify the gssproxy package has not been installed on the system with the following commands: @@ -216,6 +228,7 @@ is a finding. Updated: ``` + Verify the gssproxy package has not been installed on the system with the following commands: $ sudo yum list installed gssproxy @@ -231,6 +244,7 @@ If NFS mounts are being used, this is not a finding. SV-244527: Old: ``` + Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: @@ -245,6 +259,7 @@ number generator entropy gatherer service with the following command: Updated: ``` + Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable. Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: @@ -260,6 +275,7 @@ If the "rng-tools" package is not installed, this is a finding. SV-244547: Old: ``` + Verify USBGuard is installed on the operating system with the following command: @@ -277,6 +293,7 @@ before establishing a connection, this is a finding. Updated: ``` + Verify USBGuard is installed on the operating system with the following command: $ sudo yum list installed usbguard 
@@ -294,6 +311,7 @@ If the system is a virtual machine with no virtual or physical USB peripherals a SV-244548: Old: ``` + Verify the operating system has enabled the use of the USBGuard with the following command: @@ -313,6 +331,7 @@ before establishing a connection, this is a finding. Updated: ``` + Verify the operating system has enabled the use of the USBGuard with the following command: $ sudo systemctl status usbguard.service @@ -334,6 +353,7 @@ If the system is a virtual machine with no virtual or physical USB peripherals a SV-257258: Old: ``` + Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command: $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf @@ -346,6 +366,7 @@ If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding. Updated: ``` + Note: This requirement applies to RHEL versions 8.7 and higher. If the system is not RHEL version 8.7 or newer, this requirement is not applicable. Verify that RHEL 8 logs out sessions that are idle for 10 minutes with the following command: @@ -366,6 +387,7 @@ If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding. SV-230379: Old: ``` + Configure the system so all accounts on the system are assigned to an active system, application, or user account. @@ -377,6 +399,7 @@ allow for a normal user to perform administrative-level actions. ``` New: ``` + Remove unauthorized local interactive user accounts with the following command where is the unauthorized account: $ sudo userdel @@ -386,6 +409,7 @@ $ sudo userdel SV-230548: Old: ``` + Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. 
@@ -407,11 +431,12 @@ $ sudo sysctl --system ``` New: ``` + Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: user.max_user_namespaces = 0 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf @@ -428,19 +453,21 @@ $ sudo sysctl --system SV-257258: Old: ``` + Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: StopIdleSessionSec=900 The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: - $ sudo systemctl restart systemd-logind + sudo systemctl restart systemd-logind Note: To preserve running user programs such as tmux, uncomment and/or edit "KillUserProccesses=no" in "/etc/systemd/logind.conf". ``` New: ``` + Configure RHEL 8 to log out idle sessions after 10 minutes by editing the /etc/systemd/logind.conf file with the following line: StopIdleSessionSec=600 
@@ -1823,18 +1850,20 @@ New: RHEL 8.7 and higher must terminate idle user sessions. SV-230221: Old: ``` + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. + Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit . Note: The life-cycle time spans and dates are subject to adjustment. ``` New: ``` + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. -Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. 
The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit . Note: The life-cycle time spans and dates are subject to adjustment. ``` @@ -1842,6 +1871,7 @@ Note: The life-cycle time spans and dates are subject to adjustment. SV-230222: Old: ``` + Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software 
@@ -1856,6 +1886,7 @@ Timely patching is critical for maintaining the operational ``` New: ``` + Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. ``` @@ -1863,6 +1894,7 @@ Timely patching is critical for maintaining the operational availability, confid SV-230223: Old: ``` + Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. 
@@ -1872,19 +1904,19 @@ The fips=1 kernel option needs to be added to the kernel command line during sys ``` New: ``` + Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. -RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. - - ``` --- SV-230224: Old: ``` + RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. 
@@ -1899,17 +1931,17 @@ data structures (e.g., files, records, or fields). ``` New: ``` + RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). - - ``` --- SV-230225: Old: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. @@ -1937,6 +1969,7 @@ Use the following verbiage for operating systems that have severe limitations on ``` New: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. 
@@ -1961,13 +1994,12 @@ Use the following verbiage for operating systems that have severe limitations on "I've read & consent to terms in IS user agreem't." - - ``` --- SV-230226: Old: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, @@ -2010,6 +2042,7 @@ Agreement for details." ``` New: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. @@ -2030,13 +2063,12 @@ By using this IS (which includes any device attached to this IS), you consent to -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - - ``` --- SV-230227: Old: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, 
@@ -2079,6 +2111,7 @@ Agreement for details." ``` New: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. @@ -2099,13 +2132,12 @@ By using this IS (which includes any device attached to this IS), you consent to -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - - ``` --- SV-230229: Old: ``` + Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. @@ -2132,6 +2164,7 @@ requirement. ``` New: ``` + Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. 
@@ -2140,13 +2173,12 @@ When there is a chain of trust, usually the top entity to be trusted becomes the This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. - - ``` --- SV-230230: Old: ``` + If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed. @@ -2154,6 +2186,7 @@ associated public key has been installed. ``` New: ``` + If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed. ``` @@ -2161,6 +2194,7 @@ If an unauthorized user obtains access to a private key without a passcode, that SV-230231: Old: ``` + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. @@ -2175,6 +2209,7 @@ access cryptographic modules utilize authentication that meets DoD requirements. ``` New: ``` + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
@@ -2186,6 +2221,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-230232: Old: ``` + The system must use a strong hashing algorithm to store the password. Passwords need to be protected at all times, and encryption is the standard @@ -2195,6 +2231,7 @@ plainly read (i.e., clear text) and easily compromised. ``` New: ``` + The system must use a strong hashing algorithm to store the password. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. @@ -2204,6 +2241,7 @@ Passwords need to be protected at all times, and encryption is the standard meth SV-230233: Old: ``` + The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. @@ -2215,6 +2253,7 @@ plainly read (i.e., clear text) and easily compromised. ``` New: ``` + The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. @@ -2224,6 +2263,7 @@ Passwords need to be protected at all times, and encryption is the standard meth SV-230234: Old: ``` + If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 
@@ -2233,6 +2273,7 @@ to boot into single-user mode or make modifications to the boot menu. ``` New: ``` + If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. ``` @@ -2240,6 +2281,7 @@ If the system does not require valid authentication before it boots into single- SV-230235: Old: ``` + If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB @@ -2249,6 +2291,7 @@ to boot into single-user mode or make modifications to the boot menu. ``` New: ``` + If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. ``` @@ -2256,6 +2299,7 @@ If the system does not require valid authentication before it boots into single- SV-230236: Old: ``` + If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. @@ -2263,6 +2307,7 @@ mode is granted privileged access to all files on the system. ``` New: ``` + If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. ``` 
@@ -2270,6 +2315,7 @@ If the system does not require valid root authentication before it boots into em SV-230237: Old: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. @@ -2285,9 +2331,10 @@ general-purpose computing system. ``` New: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. @@ -2296,6 +2343,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-230238: Old: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. @@ -2316,6 +2364,7 @@ general-purpose computing system. ``` New: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. 
@@ -2329,6 +2378,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-230239: Old: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. @@ -2346,6 +2396,7 @@ general-purpose computing system. ``` New: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. @@ -2359,6 +2410,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-230240: Old: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system @@ -2375,6 +2427,7 @@ functionality. ``` New: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. 
@@ -2384,6 +2437,7 @@ This requirement applies to operating systems performing security function verif SV-230241: Old: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system @@ -2401,6 +2455,7 @@ switch roles, and run_init to run /etc/init.d scripts in the proper context. ``` New: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context. @@ -2410,6 +2465,7 @@ Policycoreutils contains the policy core utilities that are required for basic o SV-230243: Old: ``` + Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf 
@@ -2430,6 +2486,7 @@ storage) that may be assessed on specific information system components. ``` New: ``` + Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
@@ -2441,6 +2498,7 @@ There may be shared resources with configurable protections (e.g., files in stor SV-230244: Old: ``` + Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. 
@@ -2450,19 +2508,19 @@ Terminating an unresponsive SSH session within a short time period reduces the w ``` New: ``` + Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - - ``` --- SV-230245: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally 
@@ -2478,6 +2536,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. @@ -2487,6 +2546,7 @@ The structure and content of error messages must be carefully considered by the SV-230246: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally @@ -2502,6 +2562,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 
@@ -2511,6 +2572,7 @@ The structure and content of error messages must be carefully considered by the SV-230247: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally @@ -2526,6 +2588,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. @@ -2535,6 +2598,7 @@ The structure and content of error messages must be carefully considered by the SV-230248: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally 
@@ -2550,6 +2614,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. @@ -2559,6 +2624,7 @@ The structure and content of error messages must be carefully considered by the SV-230249: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally @@ -2574,6 +2640,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 
@@ -2583,6 +2650,7 @@ The structure and content of error messages must be carefully considered by the SV-230250: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally @@ -2598,6 +2666,7 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 
@@ -2607,11 +2676,13 @@ The structure and content of error messages must be carefully considered by the SV-230251: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
@@ -2622,13 +2693,12 @@ RHEL 8 incorporates system-wide crypto policies by default. The SSH configuratio The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. - - ``` --- SV-230252: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -2655,6 +2725,7 @@ connection. ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. @@ -2665,13 +2736,12 @@ RHEL 8 incorporates system-wide crypto policies by default. The SSH configuratio The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. - - ``` --- SV-230253: Old: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability 
@@ -2689,6 +2759,7 @@ until enough entropy is available. ``` New: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available. @@ -2698,6 +2769,7 @@ The SSH implementation in RHEL8 uses the OPENSSL library, which does not use hig SV-230254: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -2718,6 +2790,7 @@ file. ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. @@ -2726,13 +2799,12 @@ Cryptographic mechanisms used for protecting the integrity of information includ RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. - - ``` --- SV-230255: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
@@ -2753,6 +2825,7 @@ file. ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. @@ -2761,13 +2834,12 @@ Cryptographic mechanisms used for protecting the integrity of information includ RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. - - ``` --- SV-230256: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -2793,6 +2865,7 @@ policy defines employed algorithms in the ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. 
@@ -2801,13 +2874,12 @@ Cryptographic mechanisms used for protecting the integrity of information includ The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto policy defines employed algorithms in the /etc/crypto-policies/back-ends/gnutls.config file. - - ``` --- SV-230257: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management @@ -2823,6 +2895,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. @@ -2832,6 +2905,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230258: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management 
@@ -2847,6 +2921,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. @@ -2856,6 +2931,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230259: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management @@ -2871,6 +2947,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. 
@@ -2880,6 +2957,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230260: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management @@ -2895,6 +2973,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. @@ -2904,6 +2983,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230261: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management 
@@ -2919,6 +2999,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. @@ -2928,6 +3009,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230262: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management @@ -2943,6 +3025,7 @@ including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. 
@@ -2952,6 +3035,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-230263: Old: ``` + Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. @@ -2965,6 +3049,7 @@ RHEL 8 comes with many optional software packages. A file integrity tool called ``` New: ``` + Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. 
@@ -2975,13 +3060,12 @@ This capability must take into account operational requirements for availability RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. - - ``` --- SV-230264: Old: ``` + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. @@ -3001,6 +3085,7 @@ used to verify the software must be from an approved CA. ``` New: ``` + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. @@ -3012,6 +3097,7 @@ Verifying the authenticity of the software prior to installation validates the i SV-230265: Old: ``` + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
@@ -3031,6 +3117,7 @@ used to verify the software must be from an approved CA. ``` New: ``` + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. 
@@ -3042,6 +3129,7 @@ Verifying the authenticity of the software prior to installation validates the i SV-230267: Old: ``` + Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
@@ -3059,6 +3147,7 @@ The sysctl --system command will load settings from all system configuration fil ``` New: ``` + Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
@@ -3073,13 +3162,12 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf - - ``` --- SV-230268: Old: ``` + Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
@@ -3098,6 +3186,7 @@ Discretionary Access Control (DAC) is based on the notion that individual users ``` New: ``` + Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
@@ -3112,13 +3201,12 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf - - ``` --- SV-230271: Old: ``` + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. @@ -3128,17 +3216,17 @@ capability, it is critical the user reauthenticate. ``` New: ``` + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - - ``` --- SV-230272: Old: ``` + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. @@ -3148,17 +3236,17 @@ capability, it is critical the user reauthenticate. ``` New: ``` + Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - - ``` --- SV-230273: Old: ``` + Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication 
@@ -3185,6 +3273,7 @@ Using an authentication device, such as a DoD Common Access Card (CAC) ``` New: ``` + Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. @@ -3200,6 +3289,7 @@ This requirement only applies to components where this is specific to the functi SV-230274: Old: ``` + Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication 
@@ -3218,19 +3308,19 @@ Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol ``` New: ``` + Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. - - ``` --- SV-230275: Old: ``` + The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. @@ -3242,6 +3332,7 @@ The use of PIV credentials facilitates standardization and reduces the ``` New: ``` + The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. @@ -3251,6 +3342,7 @@ The DoD has mandated the use of the Common Access Card (CAC) to support identity SV-230276: Old: ``` + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data 
@@ -3263,6 +3355,7 @@ hardware providing the greater strength of mechanism. ``` New: ``` + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. @@ -3272,6 +3365,7 @@ Examples of attacks are buffer overflow attacks. SV-230277: Old: ``` + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data @@ -3288,17 +3382,17 @@ detection of corrupted memory. ``` New: ``` + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. - - ``` --- SV-230278: Old: ``` + Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently 
@@ -3317,17 +3411,17 @@ syscalls will need enabled so the components function properly. ``` New: ``` + Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly. - - ``` --- SV-230279: Old: ``` + Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. 
@@ -3337,19 +3431,19 @@ SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued S ``` New: ``` + Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. - - ``` --- SV-230281: Old: ``` + Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of @@ -3358,6 +3452,7 @@ software automatically from the information system. ``` New: ``` + Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. ``` @@ -3365,6 +3460,7 @@ Previous versions of software components that are not removed from the informati SV-230282: Old: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system 
@@ -3381,6 +3477,7 @@ functionality. ``` New: ``` + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. @@ -3390,6 +3487,7 @@ This requirement applies to operating systems performing security function verif SV-230283: Old: ``` + The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not @@ -3399,6 +3497,7 @@ or for the use of two-factor authentication. ``` New: ``` + The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. ``` @@ -3406,6 +3505,7 @@ The "shosts.equiv" files are used to configure host-based authentication for the SV-230284: Old: ``` + The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not 
@@ -3415,6 +3515,7 @@ or for the use of two-factor authentication. ``` New: ``` + The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. ``` @@ -3422,6 +3523,7 @@ The ".shosts" files are used to configure host-based authentication for individu SV-230285: Old: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). @@ -3429,6 +3531,7 @@ The rngd service feeds random data from hardware device to kernel random device. ``` New: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). 
@@ -3438,12 +3541,14 @@ The rngd service feeds random data from hardware device to kernel random device. SV-230286: Old: ``` + If a public host key file is modified by an unauthorized user, the SSH service may be compromised. ``` New: ``` + If a public host key file is modified by an unauthorized user, the SSH service may be compromised. ``` @@ -3451,12 +3556,14 @@ If a public host key file is modified by an unauthorized user, the SSH service m SV-230287: Old: ``` + If an unauthorized user obtains the private SSH host key file, the host could be impersonated. ``` New: ``` + If an unauthorized user obtains the private SSH host key file, the host could be impersonated. ``` @@ -3464,12 +3571,14 @@ If an unauthorized user obtains the private SSH host key file, the host could be SV-230288: Old: ``` + If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user. ``` New: ``` + If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user. ``` @@ -3477,6 +3586,7 @@ If other users have access to modify user-specific SSH configuration files, they SV-230290: Old: ``` + Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. @@ -3484,6 +3594,7 @@ of misconfiguration elsewhere. ``` New: ``` + Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. ``` @@ -3491,6 +3602,7 @@ Configuring this setting for the SSH daemon provides additional assurance that r SV-230291: Old: ``` + Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. 
@@ -3498,6 +3610,7 @@ authentication, even in the event of misconfiguration elsewhere. ``` New: ``` + Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. ``` @@ -3505,12 +3618,14 @@ Configuring these settings for the SSH daemon provides additional assurance that SV-230292: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` @@ -3518,12 +3633,14 @@ The use of separate file systems for different paths can protect the system from SV-230293: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` @@ -3531,12 +3648,14 @@ The use of separate file systems for different paths can protect the system from SV-230294: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` 
@@ -3544,12 +3663,14 @@ The use of separate file systems for different paths can protect the system from SV-230295: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` @@ -3557,6 +3678,7 @@ The use of separate file systems for different paths can protect the system from SV-230296: Old: ``` + Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides @@ -3565,6 +3687,7 @@ individual accountability of actions performed on the system. ``` New: ``` + Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system. ``` @@ -3572,6 +3695,7 @@ Even though the communications channel may be encrypted, an additional layer of SV-230298: Old: ``` + Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that 
@@ -3590,6 +3714,7 @@ functions, ports, protocols, services, and remote connections. ``` New: ``` + Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. @@ -3599,6 +3724,7 @@ Configuration settings are the set of parameters that can be changed in hardware SV-230299: Old: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" @@ -3608,6 +3734,7 @@ for unprivileged users to attain unauthorized administrative access. ``` New: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` 
@@ -3615,6 +3742,7 @@ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" SV-230300: Old: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" @@ -3624,6 +3752,7 @@ for unprivileged users to attain unauthorized administrative access. ``` New: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3631,6 +3760,7 @@ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" SV-230301: Old: ``` + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged @@ -3640,6 +3770,7 @@ location for device files is the /dev directory located on the root partition. ``` New: ``` + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition. ``` @@ -3647,6 +3778,7 @@ The "nodev" mount option causes the system to not interpret character or block s SV-230302: Old: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from 
@@ -3656,6 +3788,7 @@ attain unauthorized administrative access. ``` New: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3663,6 +3796,7 @@ The "noexec" mount option causes the system not to execute binary files. This op SV-230303: Old: ``` + The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged @@ -3671,6 +3805,7 @@ users to attain unauthorized administrative access. ``` New: ``` + The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3678,6 +3813,7 @@ The "nodev" mount option causes the system not to interpret character or block s SV-230304: Old: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from @@ -3687,6 +3823,7 @@ attain unauthorized administrative access. ``` New: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` 
@@ -3694,6 +3831,7 @@ The "noexec" mount option causes the system not to execute binary files. This op SV-230305: Old: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" @@ -3703,6 +3841,7 @@ for unprivileged users to attain unauthorized administrative access. ``` New: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3710,6 +3849,7 @@ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" SV-230306: Old: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted @@ -3719,6 +3859,7 @@ unauthorized administrative access. ``` New: ``` + The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3726,6 +3867,7 @@ The "noexec" mount option causes the system not to execute binary files. This op SV-230307: Old: ``` + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged 
@@ -3734,6 +3876,7 @@ users to attain unauthorized administrative access. ``` New: ``` + The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3741,6 +3884,7 @@ The "nodev" mount option causes the system to not interpret character or block s SV-230308: Old: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" @@ -3750,6 +3894,7 @@ for unprivileged users to attain unauthorized administrative access. ``` New: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` @@ -3757,6 +3902,7 @@ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" SV-230309: Old: ``` + If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is @@ -3766,6 +3912,7 @@ compromise the system at the root and network level. ``` New: ``` + If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. ``` 
@@ -3773,6 +3920,7 @@ If user start-up files execute world-writable programs, especially in unprotecte SV-230310: Old: ``` + Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available @@ -3784,6 +3932,7 @@ kdump service at the time of system installation. ``` New: ``` + Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. RHEL 8 installation media presents the option to enable or disable the kdump service at the time of system installation. @@ -3793,6 +3942,7 @@ RHEL 8 installation media presents the option to enable or disable the kdump ser SV-230312: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -3806,22 +3956,24 @@ generally useful only for developers trying to debug problems. When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged -systemd-coredump@.service instance to process the core dump. + instance to process the core dump. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. -When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump. +When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged instance to process the core dump. ``` --- SV-230313: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -3835,6 +3987,7 @@ generally useful only for developers trying to debug problems. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. @@ -3844,6 +3997,7 @@ A core dump includes a memory image taken at the time the operating system termi SV-230314: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -3857,6 +4011,7 @@ generally useful only for developers trying to debug problems. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. @@ -3866,6 +4021,7 @@ A core dump includes a memory image taken at the time the operating system termi SV-230315: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -3879,6 +4035,7 @@ generally useful only for developers trying to debug problems. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. @@ -3888,6 +4045,7 @@ A core dump includes a memory image taken at the time the operating system termi SV-230316: Old: ``` + To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include @@ -3896,6 +4054,7 @@ time synchronization, centralized authentication, and remote system logging. ``` New: ``` + To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. ``` @@ -3903,6 +4062,7 @@ To provide availability for name resolution services, multiple redundant name se SV-230317: Old: ``` + The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home 
@@ -3917,6 +4077,7 @@ Officer (ISSO). ``` New: ``` + The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). ``` @@ -3924,6 +4085,7 @@ The executable search path (typically the PATH environment variable) contains a SV-230318: Old: ``` + If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. @@ -3937,6 +4099,7 @@ global read/write access. ``` New: ``` + If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. @@ -3946,6 +4109,7 @@ The only authorized public directories are those temporary directories supplied SV-230319: Old: ``` + If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. 
@@ -3959,6 +4123,7 @@ global read/write access. ``` New: ``` + If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. @@ -3968,12 +4133,14 @@ The only authorized public directories are those temporary directories supplied SV-230320: Old: ``` + If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. ``` New: ``` + If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. ``` @@ -3981,12 +4148,14 @@ If local interactive users are not assigned a valid home directory, there is no SV-230321: Old: ``` + Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. ``` New: ``` + Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. ``` @@ -3994,6 +4163,7 @@ Excessive permissions on local interactive user home directories may allow unaut SV-230322: Old: ``` + If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group 
@@ -4002,6 +4172,7 @@ may not be able to access files that they legitimately should. ``` New: ``` + If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should. ``` @@ -4009,6 +4180,7 @@ If the Group Identifier (GID) of a local interactive user’s home directory is SV-230323: Old: ``` + If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon. This could create a denial of service because the @@ -4018,6 +4190,7 @@ give them visibility to system files they normally would not be able to access. ``` New: ``` + If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon. This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. ``` @@ -4025,12 +4198,14 @@ If a local interactive user has a home directory defined that does not exist, th SV-230324: Old: ``` + If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. ``` New: ``` + If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. ``` @@ -4038,6 +4213,7 @@ If local interactive users are not assigned a valid home directory, there is no SV-230325: Old: ``` + Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. 
@@ -4045,6 +4221,7 @@ accounts upon logon. ``` New: ``` + Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. ``` @@ -4052,6 +4229,7 @@ Local initialization files are used to configure the user's shell environment up SV-230326: Old: ``` + Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files. @@ -4059,6 +4237,7 @@ files. ``` New: ``` + Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files. ``` @@ -4066,6 +4245,7 @@ Unowned files and directories may be unintentionally inherited if a user is assi SV-230327: Old: ``` + Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner. @@ -4073,6 +4253,7 @@ without a valid group owner. ``` New: ``` + Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner. ``` @@ -4080,12 +4261,14 @@ Files without a valid group owner may be unintentionally inherited if a group is SV-230328: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` 
@@ -4093,12 +4276,14 @@ The use of separate file systems for different paths can protect the system from SV-230329: Old: ``` + Failure to restrict system access to authenticated users negatively impacts operating system security. ``` New: ``` + Failure to restrict system access to authenticated users negatively impacts operating system security. ``` @@ -4106,12 +4291,14 @@ Failure to restrict system access to authenticated users negatively impacts oper SV-230330: Old: ``` + SSH environment options potentially allow users to bypass access restriction in some configurations. ``` New: ``` + SSH environment options potentially allow users to bypass access restriction in some configurations. ``` @@ -4119,6 +4306,7 @@ SSH environment options potentially allow users to bypass access restriction in SV-230331: Old: ``` + If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set @@ -4138,6 +4326,7 @@ exceed access control policy requirements. ``` New: ``` + If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. @@ -4151,6 +4340,7 @@ To address access requirements, many RHEL 8 operating systems may be integrated SV-230332: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4167,19 +4357,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230333: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4198,19 +4388,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230334: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4227,19 +4417,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230335: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4258,19 +4448,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230336: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4287,19 +4477,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230337: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4318,19 +4508,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230338: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4347,19 +4537,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230339: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4378,19 +4568,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230340: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4407,19 +4597,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230341: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4438,19 +4628,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230342: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4473,6 +4663,7 @@ etc.) users to allow the centralized platform to solely manage user lockout. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. 
@@ -4481,13 +4672,12 @@ From "Pam_Faillock" man pages: Note that the default directory that "pam_failloc In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - - ``` --- SV-230343: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4506,19 +4696,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230344: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4541,6 +4731,7 @@ etc.) users to allow the centralized platform to solely manage user lockout. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. @@ -4549,13 +4740,12 @@ From "Pam_Faillock" man pages: Note that the default directory that "pam_failloc In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - - ``` --- SV-230345: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4574,19 +4764,19 @@ directory must be set with the "dir" option. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230346: Old: ``` + Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks @@ -4600,6 +4790,7 @@ based on mission needs and the operational environment for each system. ``` New: ``` + Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. 
@@ -4609,6 +4800,7 @@ This requirement addresses concurrent sessions for information system accounts a SV-230347: Old: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -4623,19 +4815,19 @@ No other activity aside from reauthentication must unlock the system. ``` New: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. - - ``` --- SV-230351: Old: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. 
@@ -4649,17 +4841,17 @@ A session lock is a temporary action taken when a user stops work and ``` New: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - - ``` --- SV-230352: Old: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -4673,17 +4865,17 @@ necessary to temporarily vacate the immediate physical vicinity. ``` New: ``` + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - - ``` --- SV-230354: Old: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
@@ -4704,6 +4896,7 @@ a protected baseline. ``` New: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. @@ -4712,13 +4905,12 @@ Implementing session settings will have little value if a user is able to manipu Locking these settings from non-privileged users is crucial to maintaining a protected baseline. - - ``` --- SV-230355: Old: ``` + Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. @@ -4732,6 +4924,7 @@ local system mapping, where the system is not part of a domain. ``` New: ``` + Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain. 
@@ -4741,6 +4934,7 @@ There are various methods of mapping certificates to user/group accounts for RHE SV-230357: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4759,6 +4953,7 @@ Note that in order to require uppercase characters, without degrading the ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -4770,6 +4965,7 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th SV-230358: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4788,6 +4984,7 @@ Note that in order to require lower-case characters without degrading the ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -4799,6 +4996,7 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th SV-230359: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4817,6 +5015,7 @@ the minlen value, the credit value must be expressed as a negative number in ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -4828,6 +5027,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note SV-230360: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4845,6 +5045,7 @@ same consecutive characters in the same class in the new password. ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -4856,6 +5057,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " SV-230361: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4873,6 +5075,7 @@ consecutive characters in a new password. ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -4884,6 +5087,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " SV-230362: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4901,6 +5105,7 @@ of characters for the new password (digits, uppercase, lowercase, others). ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -4912,6 +5117,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " SV-230363: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -4929,6 +5135,7 @@ that must not be present in the old password. ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -4940,6 +5147,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " SV-230364: Old: ``` + Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their @@ -4949,6 +5157,7 @@ defeat the organization's policy regarding password reuse. ``` New: ``` + Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. ``` 
@@ -4956,6 +5165,7 @@ Enforcing a minimum password lifetime helps to prevent repeated password changes SV-230365: Old: ``` + Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their @@ -4965,6 +5175,7 @@ defeat the organization's policy regarding password reuse. ``` New: ``` + Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. ``` @@ -4972,6 +5183,7 @@ Enforcing a minimum password lifetime helps to prevent repeated password changes SV-230366: Old: ``` + Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is @@ -4980,6 +5192,7 @@ the risk that RHEL 8 passwords could be compromised. ``` New: ``` + Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. ``` @@ -4987,6 +5200,7 @@ Any password, no matter how complex, can eventually be cracked. Therefore, passw SV-230367: Old: ``` + Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is 
@@ -4995,6 +5209,7 @@ the risk that RHEL 8 passwords could be compromised. ``` New: ``` + Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised. ``` @@ -5002,6 +5217,7 @@ Any password, no matter how complex, can eventually be cracked. Therefore, passw SV-230369: Old: ``` + The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. @@ -5026,6 +5242,7 @@ components be required, they will not count towards the total "score" of ``` New: ``` + The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. @@ -5041,6 +5258,7 @@ The DoD minimum password requirement is 15 characters. SV-230370: Old: ``` + The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
@@ -5056,6 +5274,7 @@ password. ``` New: ``` + The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. @@ -5067,6 +5286,7 @@ The DoD minimum password requirement is 15 characters. SV-230371: Old: ``` + To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. @@ -5088,6 +5308,7 @@ accounts) or for detailed accountability of individual activity. ``` New: ``` + To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 
@@ -5096,13 +5317,12 @@ Interactive users include organizational employees or individuals the organizati 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. - - ``` --- SV-230372: Old: ``` + Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials @@ -5122,19 +5342,19 @@ client operating system handle the multifactor authentication correctly. ``` New: ``` + Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD CAC. There are various methods of implementing multifactor authentication for RHEL 8. Some methods include a local system multifactor account mapping or joining the system to a domain and utilizing a Red Hat idM server or Microsoft Windows Active Directory server. Any of these methods will require that the client operating system handle the multifactor authentication correctly. - - ``` --- SV-230373: Old: ``` + Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if 
@@ -5146,6 +5366,7 @@ Inactive identifiers pose a risk to systems and applications because ``` New: ``` + Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity. @@ -5155,6 +5376,7 @@ RHEL 8 needs to track periods of inactivity and disable application identifiers SV-230374: Old: ``` + Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account @@ -5181,6 +5403,7 @@ Temporary accounts are privileged or nonprivileged accounts that are ``` New: ``` + Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. 
@@ -5192,6 +5415,7 @@ The automatic expiration of temporary accounts may be extended as needed by the SV-230375: Old: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing @@ -5210,6 +5434,7 @@ complexity. Note that to require special characters without degrading the ``` New: ``` + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -5221,6 +5446,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note SV-230376: Old: ``` + If cached authentication information is out-of-date, the validity of the authentication information may be questionable. @@ -5231,6 +5457,7 @@ default sssd does not cache credentials. ``` New: ``` + If cached authentication information is out-of-date, the validity of the authentication information may be questionable. RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials. @@ -5240,6 +5467,7 @@ RHEL 8 includes multiple options for configuring authentication, but this requir SV-230377: Old: ``` + If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. 
@@ -5247,6 +5475,7 @@ opportunity for successful guesses, and brute-force attacks. ``` New: ``` + If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. ``` @@ -5254,6 +5483,7 @@ If RHEL 8 allows the user to select passwords based on dictionary words, this in SV-230378: Old: ``` + Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD @@ -5272,6 +5502,7 @@ functions, ports, protocols, services, and remote connections. ``` New: ``` + Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. @@ -5281,6 +5512,7 @@ Configuration settings are the set of parameters that can be changed in hardware SV-230379: Old: ``` + Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for 
@@ -5289,6 +5521,7 @@ applications not installed on the system. ``` New: ``` + Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. ``` @@ -5296,6 +5529,7 @@ Accounts providing no operational purpose provide additional opportunities for s SV-230380: Old: ``` + If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. @@ -5303,6 +5537,7 @@ should never be used in operational environments. ``` New: ``` + If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. ``` @@ -5310,12 +5545,14 @@ If an account has an empty password, anyone could log on and run commands with t SV-230381: Old: ``` + Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. ``` New: ``` + Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. ``` @@ -5323,6 +5560,7 @@ Providing users with feedback on when account accesses last occurred facilitates SV-230382: Old: ``` + Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use. @@ -5330,6 +5568,7 @@ use. ``` New: ``` + Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use. ``` 
@@ -5337,12 +5576,14 @@ Providing users with feedback on when account accesses via SSH last occurred fac SV-230383: Old: ``` + Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. ``` New: ``` + Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. ``` @@ -5350,6 +5591,7 @@ Setting the most restrictive default permissions ensures that when new accounts SV-230384: Old: ``` + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing @@ -5360,6 +5602,7 @@ interactive user defaults for each account on the system. ``` New: ``` + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. ``` @@ -5367,6 +5610,7 @@ The umask controls the default access mode assigned to newly created files. A um SV-230385: Old: ``` + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing 
@@ -5377,6 +5621,7 @@ interactive user defaults for each account on the system. ``` New: ``` + The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. ``` @@ -5384,6 +5629,7 @@ The umask controls the default access mode assigned to newly created files. A um SV-230386: Old: ``` + Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern 
@@ -5394,15 +5640,15 @@ from insider threats and the advanced persistent threat. ``` New: ``` -Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. - +Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. ``` --- SV-230387: Old: ``` + Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. @@ -5410,6 +5656,7 @@ the cron facility by unauthorized and malicious users. ``` New: ``` + Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. ``` @@ -5417,6 +5664,7 @@ Cron logging can be used to trace the successful or unsuccessful execution of cr SV-230388: Old: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of 
@@ -5434,6 +5682,7 @@ storage repositories combined), or both. ``` New: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. @@ -5445,6 +5694,7 @@ This requirement applies to each audit data storage repository (i.e., distinct i SV-230389: Old: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of @@ -5462,6 +5712,7 @@ storage repositories combined), or both. ``` New: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. @@ -5473,6 +5724,7 @@ This requirement applies to each audit data storage repository (i.e., distinct i SV-230390: Old: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of 
@@ -5490,6 +5742,7 @@ storage repositories combined), or both. ``` New: ``` + It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. @@ -5501,6 +5754,7 @@ This requirement applies to each audit data storage repository (i.e., distinct i SV-230392: Old: ``` + It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing @@ -5525,9 +5779,10 @@ audit data with the collection server. ``` New: ``` + It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. -When availability is an overriding concern, other approved actions in response to an audit failure are as follows: +When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. 
@@ -5538,6 +5793,7 @@ When availability is an overriding concern, other approved actions in response t SV-230393: Old: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or @@ -5551,6 +5807,7 @@ filenames involved, and access control or flow control rules invoked. ``` New: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. @@ -5560,6 +5817,7 @@ Audit record content that may be necessary to satisfy this requirement includes, SV-230394: Old: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or @@ -5581,6 +5839,7 @@ correct system. ``` New: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. 
@@ -5594,6 +5853,7 @@ When audit logs are not labeled before they are sent to a central log server, th SV-230395: Old: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or @@ -5611,6 +5871,7 @@ more difficult. ``` New: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. @@ -5622,6 +5883,7 @@ Enriched logging aids in making sense of who, what, and when events occur on a s SV-230396: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally 
@@ -5637,17 +5899,17 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - ``` --- SV-230397: Old: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally @@ -5663,17 +5925,17 @@ organizational policy and operational requirements. ``` New: ``` + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - ``` --- SV-230398: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. 
@@ -5683,17 +5945,17 @@ settings, audit reports) needed to successfully audit RHEL 8 activity. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - - ``` --- SV-230399: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -5703,17 +5965,17 @@ settings, audit reports) needed to successfully audit RHEL 8 activity. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - - ``` --- SV-230400: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -5723,17 +5985,17 @@ settings, audit reports) needed to successfully audit RHEL 8 activity. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - - ``` --- SV-230401: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. 
@@ -5743,17 +6005,17 @@ settings, audit reports) needed to successfully audit RHEL 8 system activity. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. - - ``` --- SV-230402: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
@@ -5768,19 +6030,19 @@ then investigate the unauthorized changes. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. - - ``` --- SV-230403: Old: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
@@ -5795,19 +6057,19 @@ then investigate the unauthorized changes. ``` New: ``` + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. - - ``` --- SV-230404: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those
@@ -5819,17 +6081,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230405: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those
@@ -5841,17 +6103,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230406: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those
@@ -5863,17 +6125,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230407: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those
@@ -5885,17 +6147,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230408: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those
@@ -5907,17 +6169,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230409: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those
@@ -5929,17 +6191,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230410: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those
@@ -5951,17 +6213,17 @@ information system (e.g., module or policy filter). ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - - ``` --- SV-230411: Old: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or
@@ -5979,19 +6241,19 @@ capacity thresholds, or identifying an improperly configured RHEL 8 system. ``` New: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. - - ``` --- SV-230412: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6010,19 +6272,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "su" command allows a user to run commands with a substitute user and group ID. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230413: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -6041,9 +6303,10 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -Audit records can be generated from various components within the information system (e.g., module or policy filter). +Audit records can be generated from various components within the information system (e.g., module or policy filter). "Setxattr" is a system call used to set an extended attribute value. "Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.
@@ -6056,13 +6319,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230418: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those
@@ -6081,19 +6343,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230419: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6112,19 +6374,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chcon" command is used to change file SELinux security context. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230421: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6143,19 +6405,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230422: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6174,19 +6436,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "passwd" command is used to change passwords for user accounts. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230423: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6205,19 +6467,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230424: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6236,19 +6498,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "umount" command is used to unmount a filesystem. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230425: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6267,19 +6529,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230426: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6299,19 +6561,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. "Unix_update" is a helper program for the "pam_unix" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230427: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6330,19 +6592,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postdrop" command creates a file in the maildrop directory and copies its standard input to the file. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230428: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6361,19 +6623,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postqueue" command implements the Postfix user interface for queue management. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230429: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6392,19 +6654,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230430: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6425,19 +6687,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling). When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230431: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6460,19 +6722,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "userhelper" command is not intended to be run interactively. "Userhelper" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230432: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6491,19 +6753,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux boolean or a list of booleans to a given value. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230433: Old: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6524,19 +6786,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "unix_chkpwd" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230434: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6555,19 +6817,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230435: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6586,19 +6848,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "setfacl" command is used to set file access control lists. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230436: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6617,19 +6879,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "pam_timestamp_check" command is used to check if the default timestamp is valid. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230437: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6648,19 +6910,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "newgrp" command is used to change the current group ID during a login session. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230438: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
@@ -6672,6 +6934,7 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
@@ -6680,13 +6943,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230439: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. @@ -6703,6 +6965,7 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. 
@@ -6716,13 +6979,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230444: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those @@ -6742,19 +7004,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230446: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6773,19 +7035,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230447: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6806,19 +7068,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "crontab" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230448: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6837,19 +7099,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chsh" command is used to change the login shell. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230449: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. 
@@ -6866,9 +7128,10 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. The "creat" system call is used to open and possibly create a file or device. The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". @@ -6879,13 +7142,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230455: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. 
@@ -6901,6 +7163,7 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. @@ -6913,13 +7176,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230456: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. 
@@ -6934,6 +7196,7 @@ The system call rules are loaded into a matching engine that intercepts each sys ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. @@ -6945,13 +7208,12 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. - - ``` --- SV-230462: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -6971,19 +7233,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230463: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -7003,19 +7265,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "usermod" command modifies the system account files to reflect the changes that are specified on the command line. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230464: Old: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
@@ -7034,19 +7296,19 @@ being authenticated. Daemons are not user sessions and have the loginuid set to ``` New: ``` + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - ``` --- SV-230465: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7079,6 +7341,7 @@ all direct access to the information system; ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "kmod" command is used to control Linux Kernel modules. 
@@ -7091,17 +7354,16 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - - ``` --- SV-230466: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7138,6 +7400,7 @@ directory must be set with the "dir" option. ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -7156,13 +7419,12 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record From "Pam_Faillock man" pages: Note the default directory that pam_faillock uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - ``` --- SV-230467: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -7194,6 +7456,7 @@ all direct access to the information system; ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -7206,17 +7469,16 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - - ``` --- SV-230468: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7253,6 +7515,7 @@ all direct access to the information system; ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. 
@@ -7267,17 +7530,16 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - - ``` --- SV-230469: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7297,6 +7559,7 @@ system is susceptible to boot failures and crashes. ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. @@ -7310,6 +7573,7 @@ Allocating an audit_backlog_limit of sufficient size is critical in maintaining SV-230470: Old: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -7346,6 +7610,7 @@ all direct access to the information system; ``` New: ``` + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. @@ -7360,17 +7625,16 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; -3) All account creations, modifications, disabling, and terminations; and +3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - - ``` --- SV-230471: Old: ``` + Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's @@ -7381,6 +7645,7 @@ to an incident or identify those responsible for one. ``` New: ``` + Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ``` 
@@ -7388,6 +7653,7 @@ Without the capability to restrict the roles and individuals that can select whi SV-230472: Old: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. @@ -7405,6 +7671,7 @@ generators. ``` New: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. @@ -7416,6 +7683,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud SV-230473: Old: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -7433,19 +7701,19 @@ generators. ``` New: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - - ``` --- SV-230474: Old: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -7463,19 +7731,19 @@ generators. ``` New: ``` + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - - ``` --- SV-230475: Old: ``` + Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and @@ -7497,6 +7765,7 @@ manipulated, or replaced. An example is a checksum hash of the file or files. ``` New: ``` + Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. @@ -7510,6 +7779,7 @@ To address this risk, audit tools must be cryptographically signed to provide th SV-230476: Old: ``` + To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. 
@@ -7520,6 +7790,7 @@ during initial installation of RHEL 8. ``` New: ``` + To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8. @@ -7529,6 +7800,7 @@ The task of allocating audit record storage capacity is usually performed during SV-230477: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7556,6 +7828,7 @@ currently available only as part of the rsyslogd 3.15.0 and above. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -7574,6 +7847,7 @@ Note that a port number was given as there is no standard port for RELP. SV-230478: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7601,6 +7875,7 @@ currently available only as part of the rsyslogd 3.15.0 and above. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -7619,6 +7894,7 @@ Note that a port number was given as there is no standard port for RELP. SV-230479: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7646,6 +7922,7 @@ currently available only as part of the rsyslogd 3.15.0 and above. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. 
@@ -7659,13 +7936,12 @@ TCP *.* @@remotesystemname RELP *.* :omrelp:remotesystemname:2514 Note that a port number was given as there is no standard port for RELP. - - ``` --- SV-230480: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7682,19 +7958,19 @@ securely encrypt and off-load auditing. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - - ``` --- SV-230481: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7711,19 +7987,19 @@ securely encrypt and off-load auditing. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - - ``` --- SV-230482: Old: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
@@ -7746,6 +8022,7 @@ securely encrypt and off-load auditing. ``` New: ``` + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -7758,13 +8035,12 @@ x509/fingerprint - certificate fingerprint authentication x509/certvalid - certificate validation only x509/name - certificate validation and subject name authentication. - - ``` --- SV-230483: Old: ``` + If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. @@ -7772,6 +8048,7 @@ If security personnel are not notified immediately when storage volume ``` New: ``` + If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. ``` @@ -7779,6 +8056,7 @@ If security personnel are not notified immediately when storage volume reaches 7 SV-230484: Old: ``` + Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and 
@@ -7807,11 +8085,12 @@ local time, UTC, and the offset from UTC. Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit -https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information. + for more information. ``` New: ``` + Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. @@ -7824,15 +8103,14 @@ Time stamps generated by the operating system include date and time. Time is com RHEL 8 utilizes the "timedatectl" command to view the status of the "systemd-timesyncd.service". The "timedatectl" status will display the local time, UTC, and the offset from UTC. -Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information. - - +Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit for more information. ``` --- SV-230487: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -7863,6 +8141,7 @@ password could be compromised. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -7880,6 +8159,7 @@ If a privileged user were to log on using this service, the privileged user pass SV-230488: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -7903,6 +8183,7 @@ disabled is to not have the capability installed. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -7916,6 +8197,7 @@ Verify the operating system is configured to disable non-essential capabilities. SV-230489: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -7939,6 +8221,7 @@ disabled is to not have the capability installed. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -7952,6 +8235,7 @@ Verify the operating system is configured to disable non-essential capabilities. SV-230491: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -7979,6 +8263,7 @@ address space layout randomization (KASLR). ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -7994,6 +8279,7 @@ Kernel page-table isolation is a kernel feature that mitigates the Meltdown secu SV-230492: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -8015,6 +8301,7 @@ password could be compromised. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -8023,13 +8310,12 @@ The rsh-server service provides an unencrypted remote access service that does n If a privileged user were to log on using this service, the privileged user password could be compromised. - - ``` --- SV-230493: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -8045,17 +8331,17 @@ disconnect activity without having to go through complex and tedious procedures. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures. - - ``` --- SV-230494: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -8072,6 +8358,7 @@ implementation. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. @@ -8083,6 +8370,7 @@ The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data li SV-230495: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -8099,6 +8387,7 @@ exploitation of any flaws in its implementation. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. @@ -8110,6 +8399,7 @@ The Controller Area Network (CAN) is a serial communications protocol, which was SV-230496: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -8126,6 +8416,7 @@ system against exploitation of any flaws in its implementation. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. @@ -8137,6 +8428,7 @@ The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, d SV-230497: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -8152,6 +8444,7 @@ system against exploitation of any flaws in its implementation. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. @@ -8163,6 +8456,7 @@ The Transparent Inter-Process Communication (TIPC) protocol is designed to provi SV-230498: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -8179,6 +8473,7 @@ and small-footprint systems. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Removing support for unneeded filesystem types reduces the local attack surface of the server. @@ -8190,6 +8485,7 @@ Compressed ROM/RAM file system (or cramfs) is a read-only file system designed f SV-230499: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -8203,6 +8499,7 @@ any flaws in its implementation. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation. @@ -8212,6 +8509,7 @@ The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time commu SV-230500: Old: ``` + To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary @@ -8233,6 +8531,7 @@ business or to address authorized quality-of-life issues. ``` New: ``` + To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. 
@@ -8244,12 +8543,14 @@ To support the requirements and principles of least functionality, the operating SV-230502: Old: ``` + Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. ``` New: ``` + Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. ``` @@ -8257,21 +8558,22 @@ Automatically mounting file systems permits easy introduction of unknown devices SV-230503: Old: ``` + USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. ``` New: ``` -USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. - +USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. ``` --- SV-230504: Old: ``` + Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. @@ -8285,6 +8587,7 @@ configuration file or is related to an outgoing network connection. ``` New: ``` + Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. 
@@ -8294,6 +8597,7 @@ RHEL 8 incorporates the "firewalld" daemon, which allows for many different conf SV-230505: Old: ``` + "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. @@ -8316,6 +8620,7 @@ notebook computers, smartphones, and tablets). ``` New: ``` + "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. @@ -8329,6 +8634,7 @@ RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if SV-230506: Old: ``` + Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to 
@@ -8358,19 +8664,19 @@ encryption of the data may not be required. ``` New: ``` + Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. - - ``` --- SV-230507: Old: ``` + Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to 
@@ -8400,6 +8706,7 @@ encryption of the data may not be required. ``` New: ``` + Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. @@ -8411,6 +8718,7 @@ Protecting the confidentiality and integrity of communications with wireless per SV-230508: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -8436,6 +8744,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8449,6 +8758,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230509: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8472,6 +8782,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -8483,6 +8794,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230510: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8508,6 +8820,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8521,6 +8834,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230511: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -8546,6 +8860,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8559,6 +8874,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230512: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8582,6 +8898,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -8593,6 +8910,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230513: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8618,6 +8936,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8631,6 +8950,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230514: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -8656,6 +8976,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8669,6 +8990,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230515: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8694,6 +9016,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -8707,6 +9030,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230516: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8732,6 +9056,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8745,6 +9070,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230517: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -8770,6 +9096,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8783,6 +9110,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230518: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8808,6 +9136,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -8821,6 +9150,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230519: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8846,6 +9176,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8859,6 +9190,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230520: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -8884,6 +9216,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8897,6 +9230,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230521: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8922,6 +9256,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -8935,6 +9270,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230522: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -8960,6 +9296,7 @@ unprivileged users to attain unauthorized administrative access. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. @@ -8973,6 +9310,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" SV-230523: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -9000,6 +9338,7 @@ not namespace aware and can cause issues when launching or running containers. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. @@ -9010,13 +9349,12 @@ RHEL 8 ships with many optional packages. One such package is a file access poli Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - - ``` --- SV-230524: Old: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. @@ -9039,6 +9377,7 @@ devices. ``` New: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. @@ -9052,6 +9391,7 @@ The System Administrator (SA) must work with the site Information System Securit SV-230525: Old: ``` + DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. 
@@ -9072,6 +9412,7 @@ mitigate DoS attacks. ``` New: ``` + DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. @@ -9083,6 +9424,7 @@ Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend supp SV-230526: Old: ``` + Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
@@ -9103,19 +9445,19 @@ not have to be employed, and vice versa. ``` New: ``` -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
``` --- SV-230527: Old: ``` + Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
@@ -9139,21 +9481,21 @@ compromised. ``` New: ``` -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Session key regeneration limits the chances of a session key becoming compromised. - - ``` --- SV-230529: Old: ``` + A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of 
@@ -9164,6 +9506,7 @@ reduced because the user will be prompted before any action is taken. ``` New: ``` + A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. ``` @@ -9171,6 +9514,7 @@ A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can r SV-230530: Old: ``` + A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of @@ -9181,6 +9525,7 @@ reduced because the user will be prompted before any action is taken. ``` New: ``` + A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. ``` @@ -9188,6 +9533,7 @@ A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can SV-230531: Old: ``` + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of 
@@ -9198,6 +9544,7 @@ reduced because the user will be prompted before any action is taken. ``` New: ``` + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. ``` @@ -9205,6 +9552,7 @@ A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reb SV-230532: Old: ``` + The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of @@ -9216,6 +9564,7 @@ access when the system is rebooted. ``` New: ``` + The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. ``` @@ -9223,6 +9572,7 @@ The debug-shell requires no authentication and provides root privileges to anyon SV-230533: Old: ``` + If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and 
@@ -9231,6 +9581,7 @@ have access control rules established. ``` New: ``` + If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established. ``` @@ -9238,6 +9589,7 @@ If TFTP is required for operational support (such as the transmission of router SV-230534: Old: ``` + If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an @@ -9247,6 +9599,7 @@ account. ``` New: ``` + If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account. ``` @@ -9254,6 +9607,7 @@ If an account other than root also has a User Identifier (UID) of "0", it has ro SV-230550: Old: ``` + If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. @@ -9261,6 +9615,7 @@ unauthorized activity. ``` New: ``` + If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. ``` @@ -9268,6 +9623,7 @@ If unrestricted mail relaying is permitted, unauthorized senders could use this SV-230551: Old: ``` + Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. 
@@ -9277,6 +9633,7 @@ Intrusion Detection Environment (AIDE). ``` New: ``` + Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). @@ -9286,6 +9643,7 @@ RHEL 8 installation media come with a file integrity tool, Advanced Intrusion De SV-230552: Old: ``` + ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. @@ -9295,6 +9653,7 @@ Intrusion Detection Environment (AIDE). ``` New: ``` + ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). @@ -9304,6 +9663,7 @@ RHEL 8 installation media come with a file integrity tool, Advanced Intrusion De SV-230553: Old: ``` + Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and @@ -9312,6 +9672,7 @@ must not be used, unless approved and documented. ``` New: ``` + Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. ``` @@ -9319,6 +9680,7 @@ Internet services that are not required for system or application processes must SV-230554: Old: ``` + Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, 
@@ -9331,6 +9693,7 @@ Officer (ISSO) and restricted to only authorized personnel. ``` New: ``` + Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel. @@ -9340,6 +9703,7 @@ If the system is being used to perform a network troubleshooting function, the u SV-230555: Old: ``` + The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to @@ -9358,6 +9722,7 @@ should be disabled or restricted as appropriate to the system’s needs. ``` New: ``` + The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. 
@@ -9369,6 +9734,7 @@ If X11 services are not required for the system's intended function, they should SV-230556: Old: ``` + When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server @@ -9379,6 +9745,7 @@ display. ``` New: ``` + When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. ``` @@ -9386,12 +9753,14 @@ When X11 forwarding is enabled, there may be additional exposure to the server a SV-230557: Old: ``` + Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. ``` New: ``` + Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. ``` @@ -9399,6 +9768,7 @@ Restricting TFTP to a specific directory prevents remote users from copying, tra SV-230558: Old: ``` + The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged @@ -9408,6 +9778,7 @@ methods must be used in place of this service. ``` New: ``` + The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. ``` 
@@ -9415,6 +9786,7 @@ The FTP service provides an unencrypted remote access that does not provide for SV-230559: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -9432,6 +9804,7 @@ expose secrets on some networks. It is not needed for normal function of the OS. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -9443,6 +9816,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose SV-230560: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may 
@@ -9460,6 +9834,7 @@ SCSI devices supported by the ipr SCSI storage device driver. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -9471,6 +9846,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI SV-230561: Old: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may @@ -9491,6 +9867,7 @@ is not needed for normal OS operations. ``` New: ``` + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). @@ -9502,6 +9879,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. SV-237640: Old: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
@@ -9519,6 +9897,7 @@ general-purpose computing system. ``` New: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. @@ -9532,6 +9911,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-237641: Old: ``` + The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the @@ -9541,6 +9921,7 @@ can initiate privileged actions on the target system. ``` New: ``` + The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. ``` @@ -9548,6 +9929,7 @@ The sudo command allows a user to execute programs with elevated (administrator) SV-237642: Old: ``` + The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw 
@@ -9559,7 +9941,8 @@ sudoers(5) manual page. ``` New: ``` -The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. + +The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. For more information on each of the listed configurations, reference the sudoers(5) manual page. ``` @@ -9567,6 +9950,7 @@ For more information on each of the listed configurations, reference the sudoers SV-237643: Old: ``` + Without re-authentication, users may access resources or perform tasks for which they do not have authorization. @@ -9581,7 +9965,8 @@ until the user's session is terminated. ``` New: ``` -Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. @@ -9592,6 +9977,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex SV-244519: Old: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, 
@@ -9603,17 +9989,17 @@ with human users and are not required when such human interfaces do not exist. ``` New: ``` + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - - ``` --- SV-244523: Old: ``` + If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. @@ -9621,6 +10007,7 @@ mode is granted privileged access to all files on the system. ``` New: ``` + If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. ``` @@ -9628,6 +10015,7 @@ If the system does not require valid root authentication before it boots into em SV-244524: Old: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
@@ -9643,9 +10031,10 @@ general-purpose computing system. ``` New: ``` + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. @@ -9654,6 +10043,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access SV-244525: Old: ``` + Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. 
@@ -9663,19 +10053,19 @@ RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_ ``` New: ``` + Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - - ``` --- SV-244526: Old: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
@@ -9697,6 +10087,7 @@ can be viewed in the /etc/crypto-policies/back-ends/ directory. ``` New: ``` + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. @@ -9705,13 +10096,12 @@ Cryptographic mechanisms used for protecting the integrity of information includ RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. - - ``` --- SV-244527: Old: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability @@ -9726,6 +10116,7 @@ several security functions (i.e., ciphers). ``` New: ``` + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers). 
@@ -9735,6 +10126,7 @@ The rngd service feeds random data from hardware device to kernel random device. SV-244528: Old: ``` + Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. @@ -9742,6 +10134,7 @@ of misconfiguration elsewhere. ``` New: ``` + Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. ``` @@ -9749,12 +10142,14 @@ Configuring this setting for the SSH daemon provides additional assurance that r SV-244529: Old: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` New: ``` + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. ``` @@ -9762,6 +10157,7 @@ The use of separate file systems for different paths can protect the system from SV-244530: Old: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" @@ -9771,6 +10167,7 @@ for unprivileged users to attain unauthorized administrative access. ``` New: ``` + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ``` 
@@ -9778,12 +10175,14 @@ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" SV-244531: Old: ``` + Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. ``` New: ``` + Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. ``` @@ -9791,12 +10190,14 @@ Excessive permissions on local interactive user home directories may allow unaut SV-244532: Old: ``` + If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them. ``` New: ``` + If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them. ``` @@ -9804,6 +10205,7 @@ If a local interactive user's files are group-owned by a group of which the user SV-244533: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -9824,6 +10226,7 @@ modules which ask for the user credentials such as the password. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. 
@@ -9831,13 +10234,12 @@ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centraliz From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. - - ``` --- SV-244534: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -9858,6 +10260,7 @@ modules which ask for the user credentials such as the password. ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. 
@@ -9865,13 +10268,12 @@ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centraliz From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. - - ``` --- SV-244535: Old: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. @@ -9885,17 +10287,17 @@ determined and/or controlled. ``` New: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. - - ``` --- SV-244536: Old: ``` + Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. @@ -9903,6 +10305,7 @@ without authenticated access to the system. ``` New: ``` + Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. ``` 
@@ -9910,6 +10313,7 @@ Leaving the user list enabled is a security risk since it allows anyone with phy SV-244538: Old: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. @@ -9930,6 +10334,7 @@ a protected baseline. ``` New: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. @@ -9938,13 +10343,12 @@ Implementing session settings will have little value if a user is able to manipu Locking these settings from non-privileged users is crucial to maintaining a protected baseline. - - ``` --- SV-244539: Old: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
@@ -9965,6 +10369,7 @@ a protected baseline. ``` New: ``` + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. @@ -9973,13 +10378,12 @@ Implementing session settings will have little value if a user is able to manipu Locking these settings from non-privileged users is crucial to maintaining a protected baseline. - - ``` --- SV-244541: Old: ``` + If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. @@ -9987,6 +10391,7 @@ should never be used in operational environments. ``` New: ``` + If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. ``` @@ -9994,6 +10399,7 @@ If an account has an empty password, anyone could log on and run commands with t SV-244542: Old: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or 
@@ -10011,19 +10417,19 @@ capacity thresholds, or identifying an improperly configured RHEL 8 system. ``` New: ``` + Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. - - ``` --- SV-244543: Old: ``` + If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. @@ -10031,6 +10437,7 @@ storage capacity expansion. ``` New: ``` + If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. ``` @@ -10038,6 +10445,7 @@ If security personnel are not notified immediately when storage volume reaches 7 SV-244544: Old: ``` + "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. @@ -10059,6 +10467,7 @@ notebook computers, smartphones, and tablets). ``` New: ``` + "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. 
@@ -10071,6 +10480,7 @@ RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if SV-244545: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems @@ -10098,6 +10508,7 @@ not namespace aware and can cause issues when launching or running containers. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. @@ -10108,13 +10519,12 @@ RHEL 8 ships with many optional packages. One such package is a file access poli Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - - ``` --- SV-244546: Old: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems 
@@ -10142,6 +10552,7 @@ not namespace aware and can cause issues when launching or running containers. ``` New: ``` + The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. @@ -10152,13 +10563,12 @@ RHEL 8 ships with many optional packages. One such package is a file access poli Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - - ``` --- SV-244547: Old: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, @@ -10179,6 +10589,7 @@ devices. ``` New: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
@@ -10190,6 +10601,7 @@ The System Administrator (SA) must work with the site Information System Securit SV-244548: Old: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. @@ -10212,6 +10624,7 @@ devices. ``` New: ``` + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. @@ -10225,6 +10638,7 @@ The System Administrator (SA) must work with the site Information System Securit SV-244549: Old: ``` + Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
@@ -10245,19 +10659,19 @@ not have to be employed, and vice versa. ``` New: ``` -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
``` --- SV-250315: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -10275,6 +10689,7 @@ By limiting the number of failed logon attempts, the risk of ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. @@ -10286,6 +10701,7 @@ SELinux, enforcing a targeted policy, will require any non-default tally directo SV-250316: Old: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -10303,6 +10719,7 @@ By limiting the number of failed logon attempts, the risk of ``` New: ``` + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. 
@@ -10314,6 +10731,7 @@ SELinux, enforcing a targeted policy, will require any non-default tally directo SV-250317: Old: ``` + Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. @@ -10337,6 +10755,7 @@ Routing protocol daemons are typically used on routers to exchange network ``` New: ``` + Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. @@ -10352,6 +10771,7 @@ The sysctl --system command will load settings from all system configuration fil SV-251707: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
@@ -10366,6 +10786,7 @@ If RHEL 8 were to allow any user to make changes to software libraries, ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. 
@@ -10375,11 +10796,13 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-251708: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. 
@@ -10389,11 +10812,13 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-251709: Old: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. ``` New: ``` + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. @@ -10403,6 +10828,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a SV-251710: Old: ``` + Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality 
@@ -10415,6 +10841,7 @@ Without verification of the security functions, security functions may not opera ``` New: ``` + Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality. @@ -10424,6 +10851,7 @@ This requirement applies to the RHEL 8 operating system performing security func SV-251711: Old: ``` + The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" 
@@ -10440,6 +10868,7 @@ The "sudo" command allows authorized users to run programs (including shells) as ``` New: ``` + The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. @@ -10449,6 +10878,7 @@ It is possible to include other sudoers files from within the sudoers file curre SV-251712: Old: ``` + Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. 
@@ -10456,17 +10886,17 @@ When operating systems provide the capability to escalate a functional capabilit ``` New: ``` -Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. ``` --- SV-254520: Old: ``` + Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. 
@@ -10474,10 +10904,11 @@ Privileged functions include, for example, establishing accounts, performing sys ``` New: ``` -Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - + +Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. ``` --- -
\ No newline at end of file + From 2f60aba86e0867050ab25004bfed1c049e8fd08e Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 21:03:59 -0600 Subject: [PATCH 32/71] delta updates Signed-off-by: Aaron Lippold --- .../downloads/delta_report => assets/markdown/delta_report.md} | 2 ++ src/courses/delta/05.md | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) rename src/{.vuepress/public/assets/downloads/delta_report => assets/markdown/delta_report.md} (99%) diff --git a/src/.vuepress/public/assets/downloads/delta_report b/src/assets/markdown/delta_report.md similarity index 99% rename from src/.vuepress/public/assets/downloads/delta_report rename to src/assets/markdown/delta_report.md index 90c09ed3f..4d8860995 100644 --- a/src/.vuepress/public/assets/downloads/delta_report +++ b/src/assets/markdown/delta_report.md @@ -13,6 +13,7 @@ SV-230262: Old: ``` + Verify the system-wide shared library files are group-owned by "root" with the following command: @@ -10912,3 +10913,4 @@ Privileged functions include, for example, establishing accounts, performing sys ``` --- +``` diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index d0a7f8b15..93239210c 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -34,7 +34,7 @@ Details of the changes are provided afterwards as follows: Specified by the report flag (`-r`), this generates a markdown formatted report containing the same information found in the delta.json file. -[Example Report Markdown File](/assets/downloads/delta_report.md) +@[code{1-51}](../../assets/markdown/delta_report.md) ## 5.2 Logging Capabilities of Update Controls From e30efbbada65d07b613684481c082e44f9b7e7c5 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 21:05:36 -0600 Subject: [PATCH 33/71] profile dev updates 
Signed-off-by: Aaron Lippold --- src/courses/profile-dev-test/02.md | 42 ++++++++--- src/courses/profile-dev-test/03.md | 96 +++++++++++++++++--------- src/courses/profile-dev-test/04.md | 80 ++++++++++++++++++--- src/courses/profile-dev-test/05.md | 84 ++++++++++++++++++---- src/courses/profile-dev-test/06.md | 64 +++++++++++------ src/courses/profile-dev-test/07.md | 78 +++++++++++++++++---- src/courses/profile-dev-test/08.md | 44 +++++++++--- src/courses/profile-dev-test/09.md | 52 ++++++++++---- src/courses/profile-dev-test/README.md | 69 ++++++++++++++++-- 9 files changed, 484 insertions(+), 125 deletions(-) diff --git a/src/courses/profile-dev-test/02.md b/src/courses/profile-dev-test/02.md index 153136640..edc4efad7 100644 --- a/src/courses/profile-dev-test/02.md +++ b/src/courses/profile-dev-test/02.md 
@@ -1,27 +1,49 @@ --- order: 2 next: 03.md -title: Repository Organization +title: Understanding Repository Organization author: Aaron Lippold --- -## Repository Organization +## Learning Objectives -The repository and profile are organized into two primary branches: `main` and `TBD`. The repository has a set of `tags` representing iterative releases of the STIG from one Benchmark major version to the next. It also has a set of releases for fixes and updates to the profile between STIG Benchmark Releases. +By the end of this section, you will: -## Branches +- Understand the branch strategy for STIG profiles +- Learn about semantic versioning in the context of STIG releases +- Know how to navigate tags and releases -### `main` branch +## Repository Structure Overview -The `main` branch contains the most recent code for the profile. It may include bugs and is typically aligned with the latest patch release for the profile. This branch is primarily used for development and testing workflows for the various testing targets. For production validation, use the latest stable patch release. +The repository uses a structured branching and tagging strategy to manage STIG profile versions and updates. This organization ensures reliable tracking of changes and stable releases for production use. -### `v{x}r{xx}` branches +## Branch Strategy -The `v{x}r{xx}` branches represent the changes between releases of the benchmark. They align with the STIG releases for the Benchmark found at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +### Main Branch -## Releases +- Purpose: Active development and testing +- Contains: Latest code and patches +- Best for: Development and testing workflows +- Note: For production, use stable releases instead -Releases use Semantic Versioning (SemVer), aligning with the STIG Benchmark versioning system of Major Version and Release. 
The SemVer patch number is used for updates, bug fixes, and code changes between STIG Benchmark Releases for the given product. STIG Benchmarks use a Version and Release tagging pattern `v{x}r{xx}` - like V1R12 - and we mirror that pattern in our SemVer releases. +### Version Branches (`v{x}r{xx}`) + +- Purpose: Track major STIG benchmark releases +- Example: `v1r12` for Version 1, Release 12 +- Aligns with: Official DISA STIG releases +- Reference: [DISA STIG Document Library](https://public.cyber.mil/stigs/downloads/) + +## Version Control Strategy + +### Semantic Versioning (SemVer) + +Format: `MAJOR.RELEASE.PATCH` + +- MAJOR: Matches STIG version +- RELEASE: Matches STIG release +- PATCH: Profile updates between STIG releases + +Example timeline: ## Tags diff --git a/src/courses/profile-dev-test/03.md b/src/courses/profile-dev-test/03.md index d06550b8c..d1177be71 100644 --- a/src/courses/profile-dev-test/03.md +++ b/src/courses/profile-dev-test/03.md 
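Review bot: The new `Version Control Strategy` section ends with the label `Example timeline:` and the unchanged `## Tags` heading follows it directly, so the promised timeline never appears. Either add the example (for instance a short list such as `1.12.0` → `1.12.1` → `1.13.0`, constructed values showing patch bumps between releases and a release bump) or drop the label. It would also help to state once how `MAJOR.RELEASE.PATCH` maps onto the `v{x}r{xx}` tag names used elsewhere in this file, since the same page now shows both forms.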
@@ -1,29 +1,49 @@ --- order: 3 next: 04.md -title: Environment Setup +title: Environment Setup Guide author: Aaron Lippold --- -## Required Software +## Prerequisites Knowledge -- RVM, or another Ruby Management Tool -- Ruby v3 or higher -- Git -- VS Code or another IDE -- Docker (if you want to test hardened and non-hardened containers) -- AWS CLI -- AWS Account +- Basic command line experience +- Familiarity with package managers +- Understanding of environment variables +- Basic Docker concepts -## Required Accounts +## Required Software Overview -1. [AWS Console Account](https://aws.amazon.com/console/ "AWS Console Account") -2. [Platform One Account](https://login.dso.mil/register "Platform One Account") (used for container testing) -3. [P1 Harbor Token](https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth?client_id=harbor&redirect_uri=https%3A%2F%2Fregistry1.dso.mil%2Fc%2Foidc%2Fcallback&response_type=code&scope=openid+profile+email+offline_access&state=WS3BsNb5JevECV4aiy3irfegFETBHfRd "DSO Harbor Login") (used for container testing) +Each tool listed below is essential for the course. We'll explain why you need each one: -## Test Suite Environment Variables +- **RVM (Ruby Version Manager)** - Manages Ruby installations +- **Ruby v3+** - Core programming language for our testing framework +- **Git** - Version control for managing code +- **VS Code/IDE** - For writing and editing code +- **Docker** - For container-based testing +- **AWS CLI** - For interacting with AWS services -1. Environment Variables used by Test Kitchen +## Required Accounts Setup + +Create accounts with these services before proceeding: + +1. **AWS Console Account** + - Purpose: Cloud infrastructure testing + - Sign up: [AWS Console](https://aws.amazon.com/console/) + +2. **Platform One (P1) Account** + - Purpose: Access to hardened containers + - Register: [Platform One Registration](https://login.dso.mil/register) + +3. 
**P1 Harbor Access** + - Purpose: Container registry access + - Get token: [Harbor Login](https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth?client_id=harbor) + +## Environment Configuration + +### 1. Test Kitchen Variables + +Important variables that control testing behavior: - `INSPEC_CONTROL`: Specifies which single control to run in the `bundle exec kitchen verify` phase, useful for testing and debugging a single requirement. - default: `none` 
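Review bot: The new `Harbor Login` link under `P1 Harbor Access` is the OIDC authorization endpoint with only `client_id=harbor`; the `redirect_uri`, `response_type` and `scope` parameters the old link carried were dropped, so an authorization server will most likely answer with an error page rather than a login form. Dropping the old link's fixed `state` value was the right call — a `state` shared in documentation cannot serve its anti-CSRF purpose — but the replacement should still be a working entry point. Link to the Harbor UI instead (`https://registry1.dso.mil/harbor/projects`, which the removed setup steps in the next hunk used) and describe where the CLI secret is found on the user profile page, as those removed steps did.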
@@ -34,26 +54,40 @@ author: Aaron Lippold - `HARDENED_CONTAINER_IMAGE`: Specifies the Docker container image you consider 'hardened' (used by `kitchen.container.yml`). - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi8` -2. AWS Environment +### 2. AWS Environment Setup + +**Option 1: AWS Profiles (Recommended)** + +- Easier management of multiple environments +- More secure than environment variables +- Setup guide: [AWS CLI Profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) + +**Option 2: Environment Variables** + +- Traditional AWS environment variables +- Documentation: [AWS CLI Installation](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) + +## Step-by-Step Installation Guide -You can either use standard AWS Profiles to configure your environment or use the standard AWS Environment variables to run the test suite. See: [AWS CLI Installation & Configuration](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html "AWS CLI Install Guide") +1. **Ruby Setup** + - Install RVM or alternative Ruby manager + - Install Ruby 3.1+ + - Configure OpenSSL and certificates -- Use the `AWS_PROFILE` environment variable and AWS Credential Profiles to simplify testing on multiple AWS environments or segments. This will allow you to easily manage multiple sets of AWS secrets and access keys with adjustments to a single variable. (See: [AWS CLI and Profile Setup](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html "AWS CLI Profiles Setup")) +2. **AWS Configuration** + - Install AWS CLI + - Configure credentials + - Test connection -## Setting Up Your Environment +3. **Project Setup** + - Clone repository + - Configure Harbor CLI access + - Set up Docker registry access + - Install dependencies -1. Set up your Ruby Version Management system. -2. Install Ruby 3.1 or higher. -3. Configure OpenSSL, organization certificates, etc., for your environment and tooling. -4. 
Set up your AWS CLI. -5. Clone the repository. -6. Obtain your [Harbor CLI Secret](https://registry1.dso.mil/harbor/projects "DSO Harbor Projects Page"). -7. After logging in, click on your User Profile "About" to get the token. -8. Log in to the P1 Docker Registry. -9. Use the command `docker login -u {PI USER NAME} -p '{HARBOR CLI SECRET}' registry1.dso.mil`. -10. Run `bundle install` in your isolated Ruby environment. +## Verification Steps -## Post-Setup Checks +Run these commands to verify your setup: - Verify your newly installed Ruby environment by running `ruby --version`. - Confirm that InSpec was installed by running `bundle exec inspec --version`. @@ -61,4 +95,4 @@ You can either use standard AWS Profiles to configure your environment or use th - Verify that your `aws-cli` is correctly configured by running `aws s3 ls` (or your preferred test command for AWS CLI). - Confirm your bundle installation by running `bundle exec inspec --version`. - Verify you can pull from RepoOne by running `docker pull https://repo1.dso.mil/dsop/redhat/ubi/ubi8`. -- Celebrate 🎉️ if everything went well. \ No newline at end of file +- Celebrate 🎉️ if everything went well. diff --git a/src/courses/profile-dev-test/04.md b/src/courses/profile-dev-test/04.md index b94d011ae..e203b5e0b 100644 --- a/src/courses/profile-dev-test/04.md +++ b/src/courses/profile-dev-test/04.md 
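Review bot: `Option 1: AWS Profiles` is labelled `More secure than environment variables` without saying why, and the claim is narrower than it sounds: the credentials file in `~/.aws` is still plaintext on disk. Suggest `Keeps access keys out of shell history and the process environment (the credentials file is still plaintext on disk); prefer short-lived credentials via `aws configure sso` or an assumed role where your account allows`. The new `Project Setup` step `Configure Harbor CLI access` replaces the removed concrete instructions with a bullet that no longer says where the secret comes from; if the `docker login` command is reinstated, use `--password-stdin` rather than `-p`, since the removed form put the CLI secret into shell history.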
@@ -5,20 +5,80 @@ title: Test your Test Environment author: Aaron Lippold --- -## Getting to know the Testing Suite +## Learning Objectives -Once you've set up the necessary tools, you're ready to run the profile. The testing environment is determined by Test Kitchen using environment variables. +- Understand the different testing environments available +- Learn how to use Test Kitchen commands +- Execute your first test run +- Troubleshoot common testing issues -There are four testing environments to choose from: +## Introduction -1. AWS VPC Testing: This environment uses an AWS VPC for testing. -2. Docker Testing: This environment uses Docker containers for testing. -3. Vagrant Testing: This environment uses Vagrant virtual machines for testing. -4. Local Testing: This environment uses your local machine for testing. +Before diving into testing your security profiles, let's understand the testing environment and tools we'll be using. This module will guide you through the Test Kitchen framework and help you run your first test. -The specifics of each environment's configuration are detailed in the following sections. +## Available Testing Environments -## Getting Your First Test Kitchen (TK) Run +You have four options for setting up your testing environment: + +📦 **Docker Testing** + +- Uses containers for lightweight, fast testing +- Perfect for local development +- Minimal resource requirements + +🌥️ **AWS VPC Testing** + +- Uses AWS infrastructure +- Ideal for production-like environments +- Requires AWS credentials + +🖥️ **Vagrant Testing** + +- Uses virtual machines locally +- Great for isolated testing +- Supports multiple OS environments + +💻 **Local Testing** + +- Uses your local machine +- Fastest to set up +- Best for initial development + +## Test Kitchen Lifecycle + +Test Kitchen follows a four-stage lifecycle: + +1. **Create** 🏗️ + - Sets up testing instance + - Prepares login credentials + - Initializes testing environment + +2. 
**Converge** 🔄 + - Runs configuration management + - Applies system settings + - Prepares system state + +3. **Verify** ✅ + - Executes InSpec profile + - Runs security tests + - Reports results + +4. **Destroy** 🗑️ + - Cleans up resources + - Removes test instances + - Resets environment + +## Running Your First Test + +### Prerequisites + +Before starting, ensure you have: + +- Test Kitchen installed +- Proper environment variables set +- Required credentials configured + +### Basic Commands For each of these examples, you need to update the `KITCHEN_LOCAL_YAML` environment variable to point to the correct `kitchen..yaml` file. Ensure that any required supporting environment settings, environment variables, profiles, etc., are in place. See Environment Variables and Testing Target Environments for more information. @@ -44,4 +104,4 @@ You can also isolate which of the 'target suites' - either `vanilla` or `hardene ## Useful Test Kitchen Commands - `login`: Allows you to easily log in using the credentials created when you ran `bundle exec kitchen create`. -- `test`: Runs all the Test Kitchen stages starting with create through destroy to easily allow you to go through a full clean test run. \ No newline at end of file +- `test`: Runs all the Test Kitchen stages starting with create through destroy to easily allow you to go through a full clean test run. diff --git a/src/courses/profile-dev-test/05.md b/src/courses/profile-dev-test/05.md index 0463d8cb5..ab96b28ff 100644 --- a/src/courses/profile-dev-test/05.md +++ b/src/courses/profile-dev-test/05.md 
@@ -6,18 +6,38 @@ author: Aaron Lippold --- ## AWS Testing Setup +> +> Note: This guide assumes basic familiarity with AWS. If you're new to AWS, please review the [AWS Getting Started Guide](https://aws.amazon.com/getting-started/) first. -1. Configure your AWS CLI and set up your AWS Credentials. -2. Test your AWS CLI access by running: `aws s3 ls`. -3. Clone the repository. -4. Navigate to the profile repository root directory. -5. Set the environment variable for the kitchen configuration file: `export KITCHEN_LOCAL_YAML=kitchen.ec2.yml`. - 1. This uses the [kitchen-ec2 driver](https://kitchen.ci/docs/drivers/aws/ "Test Kitchen AWS EC2 Driver Documentation"). -6. (Optional) Set a specific control to run: `export INSPEC_CONTROL='SV-230222'`. +1. Configure your AWS CLI and set up your AWS credentials + - If you haven't installed AWS CLI, [download it here](https://aws.amazon.com/cli/) + - Run `aws configure` to set up your credentials +2. Verify AWS CLI access: `aws s3 ls` + - If this fails, check your credentials and permissions +3. Clone the repository +4. Navigate to the root directory of the profile repository +5. Configure Kitchen for AWS EC2: + + ```bash + export KITCHEN_LOCAL_YAML=kitchen.ec2.yml + ``` + + > The kitchen-ec2 driver enables TestKitchen to create and manage AWS EC2 instances for testing + +6. (Optional) Target a specific control: + + ```bash + export INSPEC_CONTROL='SV-230222' + ``` ## Running Through the AWS Test Suite +> +> Understanding the Test Workflow: +> +> - **Vanilla**: Represents an unmodified baseline system +> - **Hardened**: Represents a system with security controls applied -6. List the kitchen instances with: `bundle exec kitchen list`. You should see something like this: +7. List the kitchen instances with: `bundle exec kitchen list`. You should see something like this: ```shell Instance Driver Provisioner Verifier Transport Last Action Last Error 
@@ -25,7 +45,15 @@ author: Aaron Lippold hardened-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None ``` -7. Create a kitchen instance: `bundle exec kitchen create vanilla`. +### Key Testing Steps Explained + +8. **Create** the test instance: + + ```bash + bundle exec kitchen create vanilla + ``` + + > This step launches a fresh EC2 instance for testing ```shell ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen create vanilla @@ -36,7 +64,13 @@ author: Aaron Lippold -----> Test Kitchen is finished. (0m1.21s) ``` -8. Converge the kitchen instance: `bundle exec kitchen converge`. +9. **Converge** the instance: + + ```bash + bundle exec kitchen converge vanilla + ``` + + > Convergence applies the necessary configurations to prepare the system for testing ```shell ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla @@ -54,7 +88,7 @@ author: Aaron Lippold -----> Test Kitchen is finished. (1m13.52s) ``` -9. Run InSpec on the kitchen instance: `bundle exec kitchen verify`. +10. Run InSpec on the kitchen instance: `bundle exec kitchen verify`. ```shell ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen verify vanilla 
@@ -77,7 +111,27 @@ author: Aaron Lippold -----> Test Kitchen is finished. (0m6.62s) ``` -10. Destroy the kitchen instance: `bundle exec kitchen destroy vanilla`. -11. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#18-updating-the-profile). -12. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/rhel-8_*`. -13. Use [Heimdall Lite](https://heimdall-lite.mitre.org "MITRE Heimdall Lite") to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your courner cases." +### Analyzing Results + +- Results Location: `./spec/results/rhel-8_*` +- Use [Heimdall Lite](https://heimdall-lite.mitre.org) to compare results: + 1. Load both `hardened` and `vanilla` results + 2. Compare to verify expected failures and passes + 3. Review corner cases for complete coverage + +::: tip Always remember to pause or destroy your test instances after testing to avoid unnecessary AWS charges: +> +> ```bash +> bundle exec kitchen destroy vanilla +> ``` +> +> ```sh +> Pause your instance in the AWS Console +> ``` +> +::: + +1. Destroy the kitchen instance: `bundle exec kitchen destroy vanilla`. +2. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#18-updating-the-profile). +3. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/rhel-8_*`. +4. Use [Heimdall Lite](https://heimdall-lite.mitre.org "MITRE Heimdall Lite") to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases." diff --git a/src/courses/profile-dev-test/06.md b/src/courses/profile-dev-test/06.md index e5cc83928..e46d84fd6 100644 --- a/src/courses/profile-dev-test/06.md +++ b/src/courses/profile-dev-test/06.md 
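Review bot: The tail of this hunk repeats itself: the new `Analyzing Results` section and the `::: tip` container already cover destroying the instance and loading results into Heimdall Lite, and then a list restarting at `1.` restates the same four steps that the hunk removed, including the `#18-updating-the-profile` anchor, which I could not confirm resolves in this file. Keep one of the two. Inside the tip, `Pause your instance in the AWS Console` is prose wrapped in an `sh` fence, and the `::: tip` title runs to a full sentence; move that text into the body and give the container a short title such as `::: tip Clean up after testing`.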
@@ -1,25 +1,47 @@ --- order: 6 next: 07.md -title: Docker Testing Suite +title: Testing with Docker Containers author: Aaron Lippold --- -## Docker Suite Setup +## Learning Objectives -1. Make sure Docker or Podman is running -2. Login to your docker registry -3. Clone the repository -4. Go into the profile repository root dir -5. `bundle install` -6. `export KITCHEN_LOCAL_YAML=kitchen.container.yml` (uses the [kitchen-dokken driver](https://kitchen.ci/docs/drivers/dokken/ "Test Kitchen Dokken Driver Documentation")) -7. `export VANILLA_CONTAINER_IMAGE=registry.access.redhat.com/ubi8/ubi:8.9-1028` -8. `export HARDENED_CONTAINER_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi8` -9. (optional) `export INSPEC_CONTROL='SV-230222'` +- Understand how to set up a Docker testing environment +- Learn to use Test Kitchen with Docker containers +- Execute and interpret InSpec tests in containers +- Analyze test results using Heimdall Lite + +## Prerequisites + +- Docker or Podman installed and running +- Access to required container registries +- Basic understanding of command line operations + +## Environment Setup + +Before running tests, configure your environment: + +1. Ensure Docker/Podman is running +2. Authenticate with your container registry +3. Clone the test profile repository +4. Navigate to the profile's root directory +5. Run `bundle install` to install dependencies + +## Configure Test Kitchen + +Set these environment variables: + +```shell +> export KITCHEN_LOCAL_YAML=kitchen.container.yml +> export VANILLA_CONTAINER_IMAGE=registry.access.redhat.com/ubi8/ubi:8.9-1028 +> export HARDENED_CONTAINER_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi8 +> (optional) export INSPEC_CONTROL='SV-230222' +``` ## Running Through the Docker Test Suite -10. List the kitchen instances with: `bundle exec kitchen list` +1. List the kitchen instances with: `bundle exec kitchen list` ```shell ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen list 
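Review bot: The `Configure Test Kitchen` shell fence is not copy-pasteable: every line carries a `>` prompt and the last one reads `(optional) export INSPEC_CONTROL='SV-230222'`, which a shell would try to execute as a command. Drop the prompts and put the optional marker in a comment on its own line, `# optional: run a single control`, above `export INSPEC_CONTROL='SV-230222'`. The step `Authenticate with your container registry` would also benefit from pointing back to the Harbor CLI secret setup in the environment-setup page so readers know which credential is expected.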
@@ -28,7 +50,7 @@ vanilla-ubi8 Dokken Dummy Inspec Dokken hardened-ubi8 Dokken Dummy Inspec Dokken ``` -11. Create the kitchen instance: `bundle exec kitchen create vanilla` +2. Create the kitchen instance: `bundle exec kitchen create vanilla` ```shell -----> Starting Test Kitchen (v3.5.1) @@ -41,7 +63,7 @@ hardened-ubi8 Dokken Dummy Inspec Dokken -----> Test Kitchen is finished. (0m1.77s) ``` -12. Converge the kitchen instance: `bundle exec kitchen converge vanilla` +3. Converge the kitchen instance: `bundle exec kitchen converge vanilla` ```shell ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla @@ -52,7 +74,7 @@ hardened-ubi8 Dokken Dummy Inspec Dokken -----> Test Kitchen is finished. (0m0.88s) ``` -13. Run InSpec on the kitchen instance: `bundle exec kitchen verify vanilla` +4. Run InSpec on the kitchen instance: `bundle exec kitchen verify vanilla` ```shell -----> Starting Test Kitchen (v3.5.1) @@ -71,9 +93,9 @@ Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped Test Summary: 0 successful, 4 failures, 0 skipped ``` -## This is not the **Error** Your Looking For, move along... +## This is not the **Error** Your Looking For, move along -The error below is just Test Kitchen telling you that not all of the Contrls in the profile passed. +The error below is just Test Kitchen telling you that not all of the `controls` of the profile passed. ```shell >>>>>> ------Exception------- 
@@ -85,6 +107,8 @@ The error below is just Test Kitchen telling you that not all of the Contrls in >>>>>> Also try running `kitchen diagnose --all` for configuration ``` -14. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#updating-the-profile). -15. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/ubi-8_*.` -16. Use Heimdall Lite to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases." +## Next Steps + +1. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#updating-the-profile). +2. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/ubi-8_*.` +3. Use Heimdall Lite to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases." diff --git a/src/courses/profile-dev-test/07.md b/src/courses/profile-dev-test/07.md index 3924ca960..819aee9c4 100644 --- a/src/courses/profile-dev-test/07.md +++ b/src/courses/profile-dev-test/07.md 
@@ -1,23 +1,35 @@ --- order: 7 next: 08.md -title: Updating - Choosing Your Approach +title: Pull Request Strategies - Choosing Your Approach author: Aaron Lippold --- -## Choosing Your Approach +## Learning Objectives -This project follows the [GitFlow model](https://docs.github.com/en/get-started/quickstart/github-flow "GitFlow Announcement Blog") for managing the repository, accepting pull requests (PRs), and merging changes into the profile. +By the end of this section, you will: -## Micro vs Massive Pull Requests (PRs) +- Understand GitFlow workflow for repository management +- Compare micro and macro PR approaches +- Learn when to use different PR strategies -In software development, the decision between making many small pull requests (micro PRs) or fewer, larger pull requests (massive PRs) often depends on the context. Both approaches have their benefits and challenges. +## GitFlow Overview -### Micro PRs +This project uses the [GitHub Flow](https://docs.github.com/en/get-started/quickstart/github-flow) model for managing changes. This workflow helps maintain code quality and collaboration through systematic pull requests (PRs). -Micro PRs involve making frequent, small changes to the codebase. Each PR is focused on a single task or feature. +## Understanding Pull Request Strategies -**Benefits:** +When contributing to a project, you'll need to choose between two main PR approaches: + +### 1. Micro PRs (Small, Frequent Changes) + +**Characteristics:** + +- Single task or feature per PR +- Usually < 200 lines of code +- Frequent submissions + +**Advantages:** - **Easier to review:** Small changes are easier for reviewers to understand and provide feedback on. - **Less risk:** If a problem arises, it's easier to identify and fix because the change is isolated. 
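Review bot: The new text names two different workflows: the learning objectives and the `## GitFlow Overview` heading say `GitFlow`, while the sentence under the heading links to and describes `GitHub Flow`; these are distinct branching models (GitFlow uses long-lived develop and release branches, GitHub Flow branches from main and merges by PR). Pick one — the link target suggests `GitHub Flow` — and use it consistently, including in the review question `How does GitFlow support different PR strategies?` added in the last hunk of this file. The `Usually < 200 lines of code` threshold for micro PRs is new and unsourced; cite the project convention it comes from or soften it to a rule of thumb.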
@@ -28,11 +40,15 @@ Micro PRs involve making frequent, small changes to the codebase. Each PR is foc - **Overhead:** Each PR requires its own review and merge process, which can be time-consuming. - **Context switching:** Frequent changes can disrupt the flow of work, especially if developers have to switch between different tasks. -### Macro PRs +### 2. Macro PRs (Large, Comprehensive Changes) + +**Characteristics:** -Macro PRs involve making larger, more comprehensive changes to the codebase. Each PR may encompass multiple tasks or features. +- Multiple related changes +- Larger codebase modifications +- Less frequent submissions -**Benefits:** +**Advantages:** - **Efficiency:** Larger PRs can be more efficient because they require fewer reviews and merges. - **Coherence:** By grouping related changes together, it may be easier to understand how different parts of the codebase interact. 
@@ -43,11 +59,47 @@ Macro PRs involve making larger, more comprehensive changes to the codebase. Eac - **Higher risk:** If a problem arises, it can be more difficult to identify and fix because it could be anywhere in the large set of changes. - **Delayed feedback:** With fewer PRs, there are fewer opportunities for feedback. -### PR Strategies for Different Update Scenarios +## Practical Guidelines + +### When to Use Micro PRs + +- Bug fixes +- Small feature additions +- Documentation updates +- Performance optimizations + +### When to Use Macro PRs + +- Major version upgrades +- Complex feature implementations +- Architectural changes +- Large-scale refactoring + +## Update Scenarios The choice between micro and massive PRs can significantly impact the workflows in our `Patch Update`, `Release Update`, and `Major Version Update`. - **Patch and Release Updates:** These updates typically involve minor changes or additions, which can be easily managed with either micro or massive PRs. The choice depends on your team's preference for review speed and context switching. + - **Major Version or Large Jump Release Updates:** These updates require a thorough review of every single control and requirement. They also necessitate extensive testing, both automated (via the CI/CD testing matrix) and manual. In this scenario, the overhead of managing multiple micro or mini PRs can be substantial. However, the benefit is that it allows for more granitary control and review of changes. It's also easier to isolate and fix issues that arise during testing. -In conclusion, the choice between micro and massive PRs depends on the specific needs and circumstances of your project. It's important to strike a balance that maximizes efficiency while minimizing risk, and fosters effective collaboration within your team. +## Practice Exercise + +Consider these scenarios and decide which PR strategy you would use: + +1. Fixing a typo in documentation +2. 
Implementing a new security control +3. Upgrading to a new major version + +## Summary + +- Choose micro PRs for better review quality and reduced risk +- Use macro PRs for cohesive, large-scale changes +- Consider project context and team preferences +- Balance efficiency with maintainability + +## Review Questions + +1. What are the key differences between micro and macro PRs? +2. Which PR strategy would you choose for a critical security patch? +3. How does GitFlow support different PR strategies? diff --git a/src/courses/profile-dev-test/08.md b/src/courses/profile-dev-test/08.md index 9db384a75..e26f9135a 100644 --- a/src/courses/profile-dev-test/08.md +++ b/src/courses/profile-dev-test/08.md 
@@ -1,22 +1,48 @@ --- order: 8 next: 09.md -title: Secruity Benchmarks vs Traditional Software +title: Security Benchmarks vs Traditional Software author: Aaron Lippold --- -## Security Benchmark Code VS Traditional Software Applications +## Understanding Security Benchmarks -When planning your team's approach, remember that a Security Benchmark is only considered 'complete and valid' when all requirements for that specific Release or Major Version are met. This differs from traditional software projects where features and capabilities can be incrementally added. +## Key Differences from Traditional Software -## Security Benchmarks Are Release-Specific +Security benchmarks differ from traditional software development in several critical ways: -A Security Benchmark and ***its corresponding InSpec Profile*** are only applicable within the context of a specific 'Release' of that Benchmark. +1. **Completeness Requirement** + - Traditional Software: Can be released with partial features + - Security Benchmarks: Must meet ALL requirements for a specific version -The choice between a `micro` or `massive` approach depends more on your team's work style preference. +2. **Version Specificity** + - Each benchmark version is a complete, standalone entity + - InSpec profiles must match their corresponding benchmark version exactly -Regardless of the approach, the final release of the Benchmark will be the same. The deciding factors for its readiness for release are the expected thresholds, hardening, and validation results. +## Development Approaches -## 'main' is `out of scope` for a Benchmark +Two common approaches to benchmark development: -Benchmarks do not accommodate 'incremental requirements'. Therefore, your team should always work off a fork of the last release. If there is a 'main' or 'development' branch in your profile, it should be considered as a candidate for merging into the next patch or update release. 
\ No newline at end of file +- **Micro Approach**: Gradual, incremental development +- **Massive Approach**: Complete implementation in larger chunks + +> 💡 **Key Point**: Both approaches are valid - choose based on your team's workflow preferences. + +## Version Control Best Practices + +### Working with Branches + +- ⚠️ Never work directly on 'main' +- Always fork from the latest release +- Consider 'main' or 'development' branches as pre-release candidates + +## Practical Exercise + +Try answering these questions: + +1. Why can't security benchmarks be released incrementally? +2. How should you handle new requirements that arise between releases? +3. What branch strategy would you use for a new benchmark version? + +--- +**Remember**: Security benchmark validation is binary - it either meets all requirements or it doesn't. diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index f875f0550..d4d4e2942 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md 
@@ -1,29 +1,55 @@ --- order: 9 next: 10.md -title: Types of Profile Updates +title: Understanding Profile Updates author: Aaron Lippold --- -## Types of Benchmark Updates +## Learning Objectives -When updating the profile, you'll be making one of three types of changes: +By the end of this section, you will be able to: -1. **Patch Update:** These frequent updates cover missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, such as going from `v1.12.4` to `v1.12.5`. We aim to release these updates on a regular schedule, either weekly, bi-weekly, or monthly. -2. **Release Update:** These updates occur when the STIG Benchmark owner releases an updated version of the STIG, for example, going from Red Hat Enterprise Linux V1R12 to V1R13. -3. **Major Version Update:** These updates occur when a software vendor releases a new major version of their product's STIG. For example, when Red Hat releases version 9 of Red Hat Enterprise Linux or Microsoft releases a new major version of Windows, such as Windows 2024 or Windows 12. +- Identify the three types of profile updates +- Understand the scope of STIG and CIS Benchmark updates +- Recognize the forward-only nature of security benchmark updates -### Scope of the Update Patterns +## Types of Profile Updates -The STIGs and CIS Benchmarks are scoped within the Major Version of the software products they represent. +Security benchmark profiles require regular updates to maintain their effectiveness. Let's explore the three main types of updates: -Updates or amendments to a Benchmark's requirements are tracked within the 'Releases' of the Benchmark. +### 1. Patch Updates (Minor Changes) -As we mentioned in the previous section, ***there is no concept of 'back-patching'***; it is a ***'forward-only'*** process. 
+- Frequency: Weekly to monthly +- Purpose: Address corner cases and improve testing code +- Version Change Example: v1.12.4 → v1.12.5 +- Typical Changes: Bug fixes, code improvements, test coverage expansion -Each requirement is indexed from their source SRG document, aligned to a CCI, and then given a unique `Rule ID` and `STIG ID` in the respective XCCDF Benchmark document. +### 2. Release Updates (Intermediate Changes) -Here is an example of various indices you may recognize: +- Triggered by: STIG Benchmark owner releases +- Example: RHEL STIG V1R12 → V1R13 +- Includes: New security requirements, updated controls + +### 3. Major Version Updates + +- Triggered by: New product versions +- Examples: + - RHEL 8 → RHEL 9 + - Windows Server 2019 → Windows Server 2022 + +## Understanding Update Scope + +Important concepts to remember: + +- Updates are version-specific +- Changes only move forward ("forward-only" process) +- No "back-patching" to older versions +- Each requirement maps to: + - Source SRG document + - Control Correlation Identifier (CCI) + - Unique Rule and STIG IDs + +Example requirement identifiers: ```ruby tag gtitle: 'SRG-OS-000480-GPOS-00227' @@ -32,4 +58,4 @@ tag rid: 'SV-230221r858734_rule' tag stig_id: 'RHEL-08-010000' tag fix_id: 'F-32865r567410_fix' tag cci: ['CCI-000366'] -``` \ No newline at end of file +``` diff --git a/src/courses/profile-dev-test/README.md b/src/courses/profile-dev-test/README.md index fdb024dc2..348b20072 100644 --- a/src/courses/profile-dev-test/README.md +++ b/src/courses/profile-dev-test/README.md 
@@ -5,22 +5,83 @@ title: Development & Testing InSpec Profile author: Aaron Lippold --- +📚 **Difficulty Level**: Intermediate +⏱️ **Estimated Time**: 2-3 hours + +## Learning Objectives + +By completing this module, you will be able to: + +- Build and validate InSpec profiles using Test Kitchen +- Configure local testing environments for security compliance +- Execute tests using Docker and AWS environments +- Implement continuous testing workflows +- Troubleshoot common profile development issues + +## Prerequisites + +Before starting this module, ensure you have: + +- Basic knowledge of Ruby ([Learn Ruby Basics](https://ruby-lang.org/en/documentation/quickstart/)) +- Docker or Podman installed ([Docker Installation Guide](https://docs.docker.com/get-docker/)) +- AWS Free Tier account (optional) ([AWS Sign Up](https://aws.amazon.com/free/)) +- Platform One account ([P1 Registration](https://login.dso.mil/)) +- Git installed ([Git Setup Guide](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)) + +## Skills Assessment + +Before proceeding, verify you can: + +- [ ] Run basic Ruby commands +- [ ] Execute Docker containers +- [ ] Use Git for version control +- [ ] Navigate command line interfaces + ## Overview -The development and testing of profiles is accomplished by a variety of tools including: Ruby, the Test Kitchen suite, InSpec compliance language, Ansible, Docker, and shell scripting (bash/zsh). To contribute with Pull Requests and fixes, you'll need to set up your local test suite following the instructions provided below. +The development and testing of profiles are accomplished using a variety of tools, including Ruby, the Test Kitchen suite, InSpec compliance language, Ansible, Docker, and shell scripting (bash/zsh). To contribute with Pull Requests and fixes, you'll need to set up your local test suite by following the instructions provided below. 
+ +### Key Tools Explained + +- **Test Kitchen**: Integration testing framework + - Example: `kitchen test` validates your InSpec profiles + - Use case: Automated compliance testing +- **Docker/Podman**: Container platforms + - Example: `docker run` creates isolated test environments + - Use case: Consistent testing across platforms +- **InSpec**: Compliance testing framework + - Example: `inspec exec` runs compliance checks + - Use case: Security automation +- **Platform One**: DoD's DevSecOps platform + - Example: Using hardened containers + - Use case: Secure development environments + +## Development Workflow Our development and testing workflow is managed by Test Kitchen. This tool is integral to our GitHub Actions CI/CD Pipelines and is also used for local development, testing, and releasing updates, patches, and full releases of the profile. +> 💡 **Pro Tip**: When starting out, focus on Docker-based testing before moving to AWS environments. + +### Testing Environments + Test Kitchen uses Docker (or Podman, if preferred) and AWS (using free-tier resources) for testing. We provide example files for testing on a local Vagrant Red Hat (or other RHEL variant) box in the repository. +### Platform One Integration + Additionally, Test Kitchen uses the Red Hat hardened `ubi8 base container` from Platform One for testing. To test the hardened container portion of the testing suite, you'll need to set up and log in to your P1 Free account, then obtain a CLI token to pull the Platform One Iron Bank Red Hat Enterprise Linux 8 Universal Base Image (P1 IB UBI8) image into the test suite. -## Example Repository +> ⚠️ **Important**: Ensure you keep your P1 CLI token secure and never commit it to version control. 
+ +## Getting Started with Examples This guide refers to the [MITRE RedHat Enterprise Linux 8 STIG](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/tree/metzger_dynamic_inputs) profile, which provides a working example of the workflow described here. -Upon the release of the next patch, v1.12.1, this process and workflow will be incorporated into the `main` branch. Currently, the process is active in the 'development' branch, as linked above. +> 🔍 **Note**: Development happens in the `main` branch, with stable versions available as tagged releases. -## Checkout and Clone the Working Example +### Hands-on Practice If you would like to follow along, experiment with the workflows, and understand the process described here, feel free to fork or clone the repository above. Follow the setup and configuration steps in the next section to input your own credentials and accounts, and learn as you go! + +## Next Steps + +After setting up your environment, proceed to the next section to learn about specific testing patterns and workflows. From 5f0e7273976656b73a1e2557c3381c090f22fd0c Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 22:48:00 -0600 Subject: [PATCH 34/71] profile dev updates 
Signed-off-by: Aaron Lippold --- src/courses/profile-dev-test/10.md | 81 ++++++++++++++++++++--------- src/courses/profile-dev-test/11.md | 55 +++++++++++++++++--- src/courses/profile-dev-test/12.md | 83 +++++++++++++++++++++++++----- src/courses/profile-dev-test/13.md | 82 +++++++++++++++++++++++++---- src/courses/profile-dev-test/14.md | 71 +++++++++++++++++++++---- src/courses/profile-dev-test/15.md | 66 ++++++++++++++++++------ src/courses/profile-dev-test/16.md | 34 ++++++++++-- src/courses/profile-dev-test/17.md | 78 +++++++++++++++++++++++----- src/courses/profile-dev-test/18.md | 22 ++++++-- src/courses/profile-dev-test/19.md | 13 +++-- src/courses/profile-dev-test/20.md | 18 ++++++- src/courses/profile-dev-test/21.md | 8 +-- src/courses/profile-dev-test/22.md | 6 +-- src/courses/profile-dev-test/23.md | 6 +-- src/courses/profile-dev-test/24.md | 8 +-- src/courses/profile-dev-test/25.md | 11 +++- src/courses/profile-dev-test/26.md | 15 +++--- src/courses/profile-dev-test/27.md | 18 +++---- src/courses/profile-dev-test/28.md | 16 +++--- src/courses/profile-dev-test/29.md | 20 +++---- 20 files changed, 559 insertions(+), 152 deletions(-) diff --git a/src/courses/profile-dev-test/10.md b/src/courses/profile-dev-test/10.md index e81db23fa..a3a19a342 100644 --- a/src/courses/profile-dev-test/10.md +++ b/src/courses/profile-dev-test/10.md 
@@ -1,24 +1,50 @@ --- order: 10 next: 11.md -title: What Is Done for a Control? +title: What Is `Done` for a Control? author: Aaron Lippold --- +# Understanding Control Completion in Security Automation + +## Learning Objectives + +By the end of this section, you will be able to: + +- Define the criteria for a "done" security control +- Apply the MITRE SAF yardstick to evaluate controls +- Implement effective control testing strategies +- Create and maintain progress tracking systems +- Debug common control implementation issues + +## Knowledge Check Questions + +Before we begin, consider these questions: + +1. What makes a security control "complete"? +2. How do you verify a control works in different environments? +3. What's the difference between "passing well" and just passing? + +## Introduction + +Understanding when a security control is truly "done" is crucial for security automation engineers. This section will guide you through the criteria, best practices, and practical approaches to ensure your controls are complete and effective. + ## When is a Control Considered 'Done' You and your team might be wondering what 'done' means for a security control in your profile. Here are a few things to consider: -- The security automation content and its tests are essentially a refactoring of the 'validation' and 'remediation' guidance already established by the benchmark. -- The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. -- The tests can - and usually do - capture known 'corner cases and security best practices' that are sometimes indirectly or not directly addressed by the benchmark but implied by the spirit of the security requirement being addressed. -- These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. 
We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. +1. The security automation content and its tests are essentially a refactoring of the 'validation' and 'remediation' guidance already established by the benchmark. +2. The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. +3. The tests can - and usually do - capture known 'corner cases and security best practices' that are sometimes indirectly or not directly addressed by the benchmark but implied by the spirit of the security requirement being addressed. +4. These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. The 'is it done' litmus test is not solely determined by a perfect InSpec control or describe and expect blocks. It also heavily relies on you, the security automation engineer. Your experience, understanding of the platform you're working on, and the processes that you and your team have collectively agreed upon are all vital components. Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured the spirit of the testing required by the Benchmark. -## The MITRE Security Automation Framework 'Yardstick' +## The MITRE SAF Testing Framework + +Our framework provides a comprehensive approach to testing controls. We call this the "SAF Yardstick": We consider a control effectively tested when: 
@@ -37,11 +63,15 @@ We consider a control effectively tested when: 6. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. 7. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. -## Defining 'Passes as Expected' +## Best Practices for Test Implementation -'Passing as expected' is the most straightforward concept as it directly corresponds to the test conditions. When the test asserts a condition, it validates that assertion and reports it to the end user in a clear and concise manner. +### Passing Tests (Passing Well) -We strive to ensure that when we report a 'pass', we do so in a language that is direct, simple, and easy to understand. +A well-implemented passing test should: + +- Clearly communicate success conditions +- Use simple, direct language +- Include validation of edge cases For example: 
@@ -54,13 +84,13 @@ For example: - The conditions for the Not Reviewed and Not Applicable states for the control, if any. -## Defining `Fails as Expected` - -'Failing as expected' is a less straightforward concept as it doesn't always directly correspond to the test conditions. When the test asserts a condition and it fails, the reason for that failure should be communicated to the end user in a clear and concise manner. +### Failing Tests (Failing Well) -However, as we all know, a test may fail for more than one reason. Sometimes, the reason for failure might be connected to human error, conditions on the system such as extra lines, files, or housekeeping on the system that was not done, etc. All these factors may need to be accounted for in your tests and perhaps captured in your output and 'reasons' for failure. +When implementing failure scenarios, ensure: -This is where the above 'best practices' come into play. You don't just test in optional 'pass' and 'fail' conditions only, but also 'dirty things up' a bit and make sure that your 'failure' cases are robust enough to handle the real world and semi-perfect conditions. +- Clear error messages +- Actionable feedback +- Proper error handling For example: 
@@ -77,17 +107,22 @@ For example: - Misconfigurations, extra lines in files, extra settings, missing files, etc. -## Defining `Communicates Effectively` +## Hands-on Exercise 1: Creating Your First Control + +Let's practice implementing a basic control: -Clear communication from your testing suite may require you to use a combination of approaches, but the extra time and effort is well worth it. +1. Create a basic control test +2. Add passing and failing scenarios +3. Implement clear communication +4. Test edge cases -Here are some methods you can employ and things to consider: +## Key Takeaways -- Use `expect` vs `describe` statements in cases where you have multi-part or multi-phase test cases. -- Break up your `describe` statements into multiple layers so that the final output to the end user is clear and concise. -- Post-process and format both 'passing' and 'failures' so that they are useful to the end user later and clear for communication to other team members. This could be in the form of lists or bulleted lists. -- Collect 'failing results' as simple, clear lists or bullets that are easy to 'copy and paste'. This makes it easier for teams to know 'what they have to fix and where'. -- Consider assisting 'Manual Review'/'Not Reviewed' tests by collecting needed information, such as users, groups, or other elements that you are asking the user or another person to review. While we may not be able to fully automate the test, if the 'automation can help collect' then it still adds value. +- Control completion is more than just passing tests +- Use the SAF Yardstick as your guide +- Clear communication is essential +- Track progress consistently +- Group similar controls for efficiency ## Tracking Your Progress 
@@ -133,4 +168,4 @@ The MITRE SAF team has found the following best practices effective for organizi 4. **Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the 'primary deployment platforms' that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. -5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. \ No newline at end of file +5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. 
We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. diff --git a/src/courses/profile-dev-test/11.md b/src/courses/profile-dev-test/11.md index 5a2421289..b94741697 100644 --- a/src/courses/profile-dev-test/11.md +++ b/src/courses/profile-dev-test/11.md 
@@ -1,20 +1,59 @@ --- order: 11 next: 12.md -title: Rules of the Road +title: Security Benchmark Profile Management author: Aaron Lippold --- -## Best Practices for Profile Managment +## Introduction to Profile Management -When updating Benchmark Profiles, adhere to these key principles to maintain alignment with the original Guidance Documents: +Security benchmark profiles are critical tools for maintaining system security standards. Before diving into the implementation details, let's understand the fundamental principles that guide their management. -1. **Maintain Version Integrity:** **Never Merge** new requirements into older benchmark branches. This will create a 'mixed baseline' that doesn't align with any specific guidance document. Benchmarks, STIGs, and Guidance Documents form a 'proper subset' - they should be treated as 'all or nothing'. Mixing requirements from different versions can invalidate the concept of 'testing to a known benchmark'. +## Core Principles of Profile Management -2. **Benchmarks are a Complete Set of Requirements:** A Security Benchmark is 'complete and valid' only when all requirements for a specific Release or Major Version are met. Unlike traditional software projects, features and capabilities cannot be incrementally added. A Security Benchmark and its corresponding InSpec Profile are valid only within the scope of a specific 'Release' of that Benchmark. +### 1. Version Control and Integrity -3. **Release Readiness Is Predefined:** A Benchmark is considered 'ready for release' when it meets the expected thresholds, hardening, and validation results. Don't be overwhelmed by the multitude of changes across the files. Instead, focus on the specific requirement you are working on. Understand its expected failure and success states on each of the target testing platforms. 
This approach prevents you from being overwhelmed and provides solid pivot points as you work through the implementation of the automated tests for each requirement and its 'contexts'. +**Key Rule: Keep Versions Separate** -4. **Use Vendor-Managed Standard Releases:** When setting up a test suite, prioritize using vendor-managed standard releases for software installations and baseline configurations. This should be the starting point for both 'vanilla' and 'hardening' workflows. This approach ensures that your initial and ongoing testing, hardening, and validation closely mirror the real-world usage scenarios of your end-users. +- Never mix requirements from different versions +- Each version represents a distinct security baseline +- Example: Don't combine STIG v2.5 requirements with v3.0 requirements -By adhering to these principles, you ensure that your updates to Benchmark Profiles are consistent, accurate, and aligned with the original guidance documents. \ No newline at end of file +### 2. Completeness Principle + +**Key Rule: All or Nothing** + +- Security benchmarks must include all requirements for a specific version +- Think of it like a recipe - missing ingredients affect the final result +- Example: A Windows 10 STIG profile must implement all controls specified in that version + +### 3. Release Management + +**Key Rule: Meet All Standards** + +- Release readiness is determined by: + - Passing all validation tests + - Meeting security hardening requirements + - Achieving expected thresholds +- Focus on one requirement at a time during development + +### 4. Testing Environment Standards + +**Key Rule: Use Standard Baselines** + +- Start with vendor-managed standard releases +- Test against both: + - Default ("vanilla") configurations + - Hardened configurations +- This ensures real-world applicability + +## Best Practices for Implementation + +1. Document your testing environment +2. Maintain a changelog for each profile version +3. 
Use version control for tracking changes +4. Test thoroughly before releasing + +## Summary + +Remember: Security benchmarks are complete sets of requirements tied to specific versions. Success comes from methodical implementation and thorough testing against standard baselines. diff --git a/src/courses/profile-dev-test/12.md b/src/courses/profile-dev-test/12.md index e8d422d8e..c4d8ca942 100644 --- a/src/courses/profile-dev-test/12.md +++ b/src/courses/profile-dev-test/12.md 
@@ -1,20 +1,79 @@ --- order: 12 next: 13.md -title: Creating a `Patch Update` +title: Understanding Profile Patch Updates author: Aaron Lippold --- -## The `Patch Update` Process +## Learning Objectives -A patch update involves making minor changes to a profile to fix issues or improve functionality. Here's a step-by-step guide: +- Understand what constitutes a patch update +- Learn the complete patch update workflow +- Master the testing and validation process -1. **Report the Issue:** Open an issue on our project, detailing the problem and providing examples. Do this on [our issues page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/issues). -2. **Fork and Branch:** Fork the repository on GitHub, then create a branch off the `tagged` patch release you're targeting for the update. -3. **Set Up Testing Suites:** In your forked branch, set up the AWS and Docker testing suites. -4. **Make Updates:** Update the control, `inspec.yml` inputs, thresholds, etc. Don't worry about the InSpec version in the `inspec.yml` - the release process handles that. -5. **Test Your Updates Locally:** Test your updates on all `vanilla` and `hardened` variants of the `known bad` and `known good` states of the `AWS EC2` and `Docker` test targets. Also, test your controls outside perfect conditions to ensure they handle non-optimal target environments. Verify that your update considers the `container`, `virtual machine`, and `1U machine` testing context of applicability. -6. **Lint Your Updates:** Use the `bundle exec rake lint` and `bundle exec rake lint:autocorrect` commands from the test suite to lint your updates. -7. **Commit Your Updates:** After testing and linting, commit your updates to your branch. Include `Fixes #ISSUE` in your commit messages to automatically close the issue when your PR is merged. -8. **Open a PR:** Open a PR on the project repository from your fork. -9. **Check Test Suite:** Ensure the GitHub Action test suite on the project side passes. 
You can check this at [our actions page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/actions). +## What is a Patch Update? + +A patch update is a minor modification to an InSpec profile that addresses specific issues, bugs, or improvements without changing core functionality. Common examples include: + +- Fixing control logic errors +- Updating threshold values +- Improving error handling +- Adding missing test cases + +## Step-by-Step Patch Update Process + +### 1. Issue Documentation + +- Create a detailed issue in the project repository +- Include specific examples of the problem +- Reference any related documentation +- Link: [Project Issues Page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/issues) + +### 2. Environment Setup + +- Fork the repository +- Create a branch from the target patch release tag +- Configure test environments: + - AWS testing suite + - Docker testing suite + +### 3. Implementation + +- Make necessary updates to: + - Control logic + - `inspec.yml` inputs + - Threshold values +- Note: The InSpec version in `inspec.yml` is managed during release + +### 4. Testing Protocol + +Verify your changes across multiple environments: + +- Vanilla systems +- Hardened systems +- Known bad states +- Known good states +- Edge cases and error conditions + +Test contexts to cover: + +- Container environments +- Virtual machines +- Physical hardware (1U machines) + +### 5. Quality Assurance + +Run the provided linting tools: + +- `bundle exec rake lint` +- `bundle exec rake lint:autocorrect` + +### 6. Commit and PR + +- Commit your updates with a message including `Fixes #ISSUE` +- Open a PR from your fork to the project repository + +### 7. Test Suite Verification + +- Ensure the GitHub Action test suite passes +- Link: [Project Actions Page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/actions) 
diff --git a/src/courses/profile-dev-test/13.md b/src/courses/profile-dev-test/13.md index 5bd26a58b..42cf4ecd9 100644 --- a/src/courses/profile-dev-test/13.md +++ b/src/courses/profile-dev-test/13.md 
@@ -1,18 +1,80 @@
 ---
 order: 13
 next: 14.md
-title: Creating a `Release Update`
+title: Understanding Release Updates in SAF
 author: Aaron Lippold
 ---
-## The `Release Update` Process
+## Learning Objectives
-A `Release Update` involves creating a new branch, `v#{x}R#{x+1}`, from the current main or latest patch release branch. The `saf generate delta` workflow is then run, which updates the metadata of the `controls`, `inspec.yml`, `README.md`, and other profile elements, while preserving the `describe` and `ruby code logic`. This workflow is detailed in the [Inspec Delta](#2-inspec-delta) section. After the initial commit of the new release branch, follow these steps to keep your work organized:
+- Understand what a Release Update is and when it's needed
+- Learn the step-by-step process of creating a Release Update
+- Master the key components of Release Update management
-1. **Track Control IDs:** Create a table of all new `control ids` in the updated benchmark. This can be in CSV, Markdown Table, or in the PR overview information section. This helps track completed and pending work. PRs off the `v#{x}r#{x+1}` can also be linked in the table, especially if using a `micro` vs `massive` PR approach.
-2. **Ensure Consistency:** Add 'check box columns' to your tracking table to ensure each requirement of the updated Benchmark receives the same level of scrutiny.
-3. **Update CI/CD Process:** Update elements such as the `hardening` content (ansible, puppet, chef, hardened docker images, hardened vagrant boxes) to meet new requirements. Ensure the CI/CD process still functions with the updated elements, preferably on the PR as well.
-4. **Update Labels:** Update `titles` and other labels to reflect the updated release number of the Benchmark.
-5. **Commit Changes:** Commit these changes to your release branch, ensuring your CI/CD process exits cleanly.
-6. 
**Follow Patch Update Workflow:** With the above in place, follow the 'Patch Update' process, but expect a larger number of requirements to revalidate or update.
-7. **Identify Potential Code Changes:** Controls with changes to the `check text` or `fix text` are likely to require `inspec code changes`. If the `check text` and `fix text` of a control remain unchanged, it's likely only a cosmetic update, with no change in the security requirement or validation code.
\ No newline at end of file
+## What is a Release Update?
+
+A Release Update is a structured process for updating Security Automation Framework (SAF) profiles to accommodate new benchmark versions. This process ensures consistent quality and maintains traceability of changes.
+
+## Release Update Workflow
+
+### Step 1: Branch Creation
+
+Create a new branch named `v#{x}R#{x+1}` from either:
+
+- The main branch
+- Latest patch release branch
+
+### Step 2: Generate Delta
+
+Run the `saf generate delta` workflow to update:
+
+- Control metadata
+- inspec.yml configuration
+- README.md documentation
+- Other profile elements
+
+> Note: This process preserves existing `describe` blocks and Ruby code logic
+
+### Step 3: Change Management
+
+Follow these best practices to organize your work:
+
+#### 3.1 Control Tracking
+
+- Create a tracking table (CSV or Markdown) containing:
+ - New control IDs
+ - Status (completed/pending)
+ - Associated PR links
+ - Validation checkboxes
+
+#### 3.2 Quality Assurance Steps
+
+1. **Validation Checklist**
+ - [ ] Control requirements reviewed
+ - [ ] Code changes verified
+ - [ ] Tests updated
+ - [ ] Documentation current
+
+2. **Infrastructure Updates**
+ - Update hardening content:
+ - Ansible playbooks
+ - Puppet modules
+ - Chef cookbooks
+ - Docker images
+ - Vagrant boxes
+
+3. 
**Metadata Management**
+ - Update all version references
+ - Verify control titles
+ - Check benchmark labels
+
+## Tips for Success
+
+- Focus on controls with modified `check text` or `fix text`
+- Unchanged control text typically means no code changes needed
+- Use PR links to track changes in your tracking table
+- Maintain CI/CD pipeline health throughout updates
+
+## Next Steps
+
+After completing these steps, proceed with the Patch Update workflow, keeping in mind that Release Updates typically involve more extensive validation.
diff --git a/src/courses/profile-dev-test/14.md b/src/courses/profile-dev-test/14.md
index c9d63d32e..50bd5ff2a 100644
--- a/src/courses/profile-dev-test/14.md
+++ b/src/courses/profile-dev-test/14.md
@@ -1,22 +1,75 @@
 ---
 order: 14
 next: 15.md
-title: Creating a `Major Version Update`
+title: Understanding Major Version Updates
 author: Aaron Lippold
+difficulty: Advanced
+prerequisites:
+ - Basic InSpec knowledge
+ - Understanding of STIG benchmarks
+ - Familiarity with Ruby
 ---
-## The `Major Version Update` Process
+## Learning Objectives
-A `Major Version Update` involves transitioning to a new STIG Benchmark, which introduces a new Rule ID index. This process is more complex than a `Release Update` due to the need for aligning old requirements (Rule IDs) with the new ones.
+- Understand what constitutes a Major Version Update and why they occur
+- Master the requirement alignment process using multiple identification methods
+- Learn to use available tools for version transition
+- Develop strategies for efficient code migration
+- Implement best practices for version control and testing
-For example, when transitioning from RedHat Enterprise Linux 8 v1R12 to Red Hat Enterprise Linux 9 V1R1, the alignment of InSpec tests to the new requirements must be `fuzzy matched`. This involves using common identifiers such as `SRG ID`, `CCIs`, and, if necessary, the `title` and `descriptions`.
+## What is a Major Version Update?
-This is crucial when a single requirement from the old benchmark is split into multiple requirements in the new benchmark, although this is usually a rare occurrence.
+A Major Version Update occurs when transitioning to a new STIG Benchmark version that introduces a completely new Rule ID index. Unlike minor Release Updates, this process requires careful mapping between old and new requirements.
-We use a similar process in our [MITRE Vulcan](https://vulcan.mitre.org) to align 'Related Controls' in your Vulcan project to existing published STIG documents. However, the `Delta` tool currently requires manual intervention, and improvements are needed to automate this process.
+## Key Concepts
-The good news is that **these improvements are within reach**. We can leverage the existing work from `Vulcan` and hopefully soon incorporate these improvements into the SAF `Delta` tool as a direct function.
+### Requirement Alignment
-Once the 'old controls' and 'new controls' are aligned across 'Rule IDs', you can migrate the InSpec / Ruby code into their respective places.
+:::tip 💡 **Pro Tip**: Create a spreadsheet to track your requirement mappings during the alignment process.
+:::
-Then, you follow the same setup, CI/CD organization, and control update process as in the `Release Update` process and hopfully finding that the actual InSpec code from the previous benchmark is very close to the needed InSpec code for the same 'requirement' in the new Benchmark.
+When moving between major versions (e.g., RHEL 8 v1R12 to RHEL 9 V1R1), we need to align existing tests with new requirements using:
+
+- SRG IDs (Security Requirements Guide IDs)
+- CCIs (Control Correlation Identifiers)
+- Titles and descriptions when necessary
+
+### The Alignment Process
+
+1. **Initial Analysis**
+ - Compare old and new benchmark requirements
+ - Identify matching controls using common identifiers
+ - Note any split or merged requirements
+
+2. **Using Available Tools**
+ - MITRE Vulcan assists in alignment process
+ - Current Delta tool requires manual verification
+ - Future automation improvements are in development
+
+3. 
**Code Migration**
+ - Transfer InSpec/Ruby code to new requirement locations
+ - Verify control mappings
+ - Update test code as needed
+
+### Practical Example
+
+Consider this simplified alignment scenario:
+
+## Best Practices
+
+- Document all requirement mappings
+- Verify control alignments thoroughly
+- Test extensively after migration
+
+## What's Next
+
+After alignment is complete, follow the standard Release Update process for:
+
+- Setting up CI/CD
+- Organizing controls
+- Updating and testing requirements
+
+## Summary
+
+Major Version Updates require careful attention to requirement alignment and code migration. While tools like Vulcan help, some manual verification is still needed. Future improvements will streamline this process.
diff --git a/src/courses/profile-dev-test/15.md b/src/courses/profile-dev-test/15.md
index ee85de3d7..7b634b18f 100644
--- a/src/courses/profile-dev-test/15.md
+++ b/src/courses/profile-dev-test/15.md
@@ -1,29 +1,60 @@
 ---
 order: 15
 next: 16.md
-title: Test Kitchen
+title: Understanding Test Kitchen
 author: Aaron Lippold
 ---
-## Test Kitchen - Getting Started
+## Learning Objectives
-[Test Kitchen](http://kitchen.ci) is a robust tool for testing infrastructure code and software on isolated platforms. It provides a consistent, reliable environment for developing and testing infrastructure code.
+By the end of this module, you will be able to:
-## Workflow Defined by our Test Kitchen Files
+- Understand the purpose and benefits of Test Kitchen
+- Describe the Test Kitchen workflow
+- Differentiate between vanilla and hardened configurations
+- Execute basic Test Kitchen commands
-Test Kitchen's workflow involves building out suites and platforms using its drivers and provisioners. It follows a create, converge, verify, and destroy cycle:
+## What is Test Kitchen?
-1. **Create:** Test Kitchen creates an instance of the platform.
-2. **Converge:** It applies the infrastructure code to the instance.
-3. **Verify:** It checks if the instance is in the desired state.
-4. **Destroy:** It destroys the instance after testing.
+Test Kitchen is a powerful testing framework that allows developers to test infrastructure code across different platforms and configurations. Think of it as a laboratory where you can safely experiment with different system configurations without affecting your production environment.
-In our testing workflow, we have defined four test suites to test different deployment patterns in two configurations - `vanilla` and `hardened`.
+## Test Kitchen Workflow
-- `vanilla`: This represents a completely stock installation of the testing target, as provided by the product vendor, with no configuration updates beyond what is 'shipped' by the vendor. Apart from the standard Test Kitchen initialization, the system is considered 'stock'.
-- `hardened`: This configuration is set up using the `driver` section of the Test Kitchen suite and is executed during the `converge` phase. The `hardened` configuration represents the final `target configuration state` of our test instance, adhering to the recommended configuration of the Benchmark we are working on. For example, it aligns as closely as possible with the Red Hat Enterprise Linux V1R12 recommendations.
+The testing process follows four key stages:
-For more details on Test Kitchen's workflow, refer to the [official documentation](http://kitchen.ci/docs/getting-started/).
+1. **Create** 🏗️
+ - Spins up a fresh instance of your target platform
+ - Sets up the basic environment
+
+2. **Converge** 🔄
+ - Applies your infrastructure code
+ - Configures the instance according to your specifications
+
+3. **Verify** ✅
+ - Runs your tests against the instance
+ - Checks if everything is configured correctly
+
+4. **Destroy** 🧹
+ - Cleans up the test environment
+ - Removes the instance completely
+
+## Testing Configurations
+
+We use two main testing configurations:
+
+### Vanilla Configuration
+
+- Stock installation with default settings
+- No customization or hardening
+- Represents "out-of-the-box" state
+- Used as a baseline for comparison
+
+### Hardened Configuration
+
+- Implements security best practices
+- Follows benchmark recommendations (e.g., RHEL V1R12)
+- Represents the target secure state
+- Applied during the converge phase
 ```journey Test Kitchen Workflow section Setup
@@ -49,6 +80,11 @@ For more details on Test Kitchen's workflow, refer to the [official documentatio
-## Test Kitchen's Modifications to Targets
+## Behind the Scenes: System Access
+
+To enable testing, Test Kitchen makes minimal system modifications:
-Test Kitchen makes minor modifications to the system to facilitate initialization and access. It adds a 'private ssh key' for the default user and sets up primary access to the system for this user using the generated key. Test Kitchen uses the 'platform standard' for access - SSH for Unix/Linux systems and WinRM for Windows systems.
\ No newline at end of file
+- Adds SSH private key authentication
+- Sets up appropriate access protocols:
+ - SSH for Unix/Linux systems
+ - WinRM for Windows systems
diff --git a/src/courses/profile-dev-test/16.md b/src/courses/profile-dev-test/16.md
index 543e799be..0dc021f15 100644
--- a/src/courses/profile-dev-test/16.md
+++ b/src/courses/profile-dev-test/16.md
@@ -1,15 +1,41 @@
 ---
 order: 16
 next: 17.md
-title: Test Kitchen - Create
+title: Test Kitchen - Understanding the Create Stage
 author: Aaron Lippold
 index: true
 ---
 ## Test Kitchen Create Stage
-The `create` stage in Test Kitchen sets up testing environments. It uses standard and patched images from AWS and Red Hat, including AMI EC2 images, Docker containers, and Vagrant boxes.
+### What is the Create Stage?
-Test Kitchen automatically fetches the latest images from sources like Amazon Marketplace, DockerHub, Vagrant Marketplace, and Bento Hub. You can customize this to use different images, private repositories (like Platform One's Iron Bank), or local images.
+The `create` stage is a fundamental part of Test Kitchen that prepares your testing environments. Think of it as setting up your test laboratory where you'll run your security tests.
-For more details on how Test Kitchen manages images, visit the [Test Kitchen website](https://kitchen.ci). You can also refer to the GitHub documentation for the `kitchen-ec2`, `kitchen-vagrant`, `kitchen-sync`, and [`kitchen-inspec`](https://github.com/inspec/kitchen-inspec) project on GitHub.
\ No newline at end of file
+### How it Works
+
+Test Kitchen handles environment creation by:
+
+- Fetching pre-configured system images
+- Setting up virtual machines or containers
+- Preparing the environment for testing
+
+### Supported Platforms
+
+Test Kitchen works with various platforms:
+
+- AWS EC2 instances (using AMIs)
+- Docker containers
+- Vagrant boxes
+- Red Hat Enterprise Linux systems
+
+### Image Sources
+
+Test Kitchen automatically pulls from:
+
+- Amazon Marketplace
+- DockerHub
+- Vagrant Cloud
+- Bento Box Repository
+- Custom repositories (e.g., Platform One's Iron Bank)
+- Local image storage
diff --git a/src/courses/profile-dev-test/17.md b/src/courses/profile-dev-test/17.md
index a4ada43d6..9aff7d368 100644
--- a/src/courses/profile-dev-test/17.md
+++ b/src/courses/profile-dev-test/17.md
@@ -6,28 +6,82 @@ author: Aaron Lippold
 index: true
 ---
+## Learning Objectives
+
+By the end of this section, you will understand:
+
+- The purpose and function of Test Kitchen's converge stage
+- How to use different infrastructure configurations
+- The differences between vanilla and hardened environments
+
 ## Test Kitchen Converge Stage
-The `converge` stage uses Ansible Playbooks from the Ansible Lockdown project to apply hardening configurations, specifically the RHEL8-STIG playbook, and RedHat managed containers.
+The `converge` stage applies system configurations using infrastructure as code (IaC) tools. This crucial stage transforms your environment from a base state to your desired configuration.
-## EC2 and Vagrant Converge
+> **Key Concept**: Think of the converge stage as "applying your recipe" - it takes your raw ingredients (base system) and follows your instructions to create the final dish (configured system).
-For EC2 and Vagrant, we use 'wrapper playbooks' for the 'vanilla' and 'hardened' suites.
+Supported configuration tools include:
-- The 'vanilla' playbook establishes a basic test environment.
-- The 'hardened' playbook applies the 'vanilla role' and the Ansible Lockdown RHEL8-STIG role to the 'hardened' target, using Ansible Galaxy, a `requirements.txt`, and Ansible Roles.
+- Ansible Playbooks (used in this course)
+- Puppet
+- Chef
+- Terraform
+- Shell scripts
-Some tasks in the hardening role were disabled for automated testing, but this doesn't significantly impact our security posture. We can still meet our validation and thresholds.
+## EC2 and Vagrant Converge
-For more on using these playbooks, running Ansible, or modifying the playbooks, roles, and tasks, see the Ansible Project Website.
+We implement two distinct configurations using 'wrapper playbooks':
-Find these roles and 'wrapper playbooks' in the [spec/](./spec/) directory.
+1. 
**Vanilla Environment**
+ - Purpose: Establishes baseline test environment
+ - Implementation: Basic configuration playbook
+
+2. **Hardened Environment**
+ - Purpose: Creates security-enhanced environment
+ - Components:
+ - Base vanilla configuration
+ - RHEL8-STIG security controls
+ - Ansible Galaxy dependencies
+ - Custom roles and requirements
+
+> **Note**: While some hardening tasks are disabled for testing, this doesn't compromise our security validation goals.
 ## Container Converge
-We use RedHat vendor images for both the `vanilla` and `hardened` containers.
+Our container strategy utilizes two RedHat UBI8 (Universal Base Image) variants:
+
+1. **Vanilla Container**
+
+This container uses the `registry.access.redhat.com/ubi8/ubi:8.9-1028` image from RedHat's community repositories.
+
+It represents a standard, out-of-the-box configuration.
+
+- Community maintained
+- Standard configuration
+
+1. **Hardened Container**
+hardened: This container uses the `registry1.dso.mil/ironbank/redhat/ubi/ubi8` image from Red Hat's Platform One Iron Bank project.
+
+It represents a security-enhanced configuration.
+
+- STIG-compliant
+- Regular security updates
+- Platform One certified
+
+## Hands-on Practice
+
+Try these exercises:
+
+1. Compare the contents of vanilla and hardened playbooks
+2. Identify key security configurations in the RHEL8-STIG role
+3. Examine the wrapper playbook structure in the spec/ directory
+
+### Summary
-- **`vanilla`:** This container uses the `registry.access.redhat.com/ubi8/ubi:8.9-1028` image from RedHat's community repositories.
-- **`hardened`:** This container uses the `registry1.dso.mil/ironbank/redhat/ubi/ubi8` image from Red Hat's Platform One Iron Bank project.
+- Converge stage implements your desired system configurations
+- Multiple implementation tools available (Ansible, Puppet, Chef, etc.)
+- Two primary configurations: vanilla (baseline) and hardened (security-enhanced)
+- Container implementations use RedHat UBI8 images with different security postures
-The Iron Bank UBI8 image is regularly patched, updated, and hardened according to STIG requirements.
+::: info Next Steps: Practice running the converge stage with both vanilla and hardened configurations to understand the differences in outcomes.
+:::
diff --git a/src/courses/profile-dev-test/18.md b/src/courses/profile-dev-test/18.md
index 1c623eca5..02b48d4fa 100644
--- a/src/courses/profile-dev-test/18.md
+++ b/src/courses/profile-dev-test/18.md
@@ -8,10 +8,26 @@ index: true
 ## Test Kitchen Validate Stage
-The `verify` stage uses the `kitchen-inspec` verifier from Test Kitchen to run the profile against the test targets.
+The `verify` stage uses the `kitchen-inspec` verifier from Test Kitchen to run the inspec profile against the test targets.
-For this stage, the profile receives a set of tailored `input` YAML files. These files adjust the testing for each target, ensuring accurate validation against the expected state and minimizing false results.
+For this stage, the inspec profile receives a set of tailored `input` YAML files. These files adjust the testing for each target, ensuring accurate validation against the expected state and minimizing false results.
+
+They are located at the root of the project and are named something like `kitchen.inputs.yml`. There are also specific `threshold` files for each target environment platform (EC2, container, and Vagrant) in both the `vanilla` and `hardened` suites.
-The following sections provide a detailed breakdown of these files, their structure, and the workflow organization.
\ No newline at end of file
+These establish the expected or allowed thresholds for vanilla and hardened configurations. Sometimes, we also have specific thresholds for hardened container or DISA EC2 vanilla configurations to allow for different hardening configurations that may be part of the test suite.
+
+### Key Points to Remember
+
+- **Input Files**: Customize tests for each target environment.
+- **Threshold Files**: Define acceptable limits for different configurations.
+- **Platform-Specific Settings**: Ensure accurate validation across various platforms.
+
+### Practical Tips
+
+- Always review and update input files to match the target environment.
+- Verify threshold settings to ensure they align with your security requirements.
+- Regularly test across different platforms to catch environment-specific issues.
+- Use the `kitchen verify` command to run the tests and validate the configurations.
+- Limit the control verify is running by using the `INSPEC_CONTROL` environment variable.
diff --git a/src/courses/profile-dev-test/19.md b/src/courses/profile-dev-test/19.md
index 7fb8a7a41..08e0f12d0 100644
--- a/src/courses/profile-dev-test/19.md
+++ b/src/courses/profile-dev-test/19.md
@@ -11,7 +11,14 @@ The `destroy` stage terminates the EC2 instances, Vagrant boxes, or containers t
 Occasionally, the `destroy` stage may encounter issues if the hosting platforms have altered the state of the provisioned instance during your writing, testing, or debugging sessions. If you face any problems with the `destroy` stage or any other Test Kitchen commands, verify the following:
-- The test target's login, hostname, and IP address are still accurate.
-- The test instance is still running on the hosting platforms.
+- Ensure the test target's login credentials, hostname, and IP address are still accurate.
+- Confirm that the test instance is still running on the hosting platform.
-Sometimes, the solution can be as simple as checking if the instance is still active.
\ No newline at end of file
+Sometimes, the solution can be as simple as checking if the instance is still active.
+
+### Additional Tips for Troubleshooting
+
+- **Check Logs**: Review the Test Kitchen logs for any error messages or clues about what might be going wrong.
+- **Manual Cleanup**: If the `destroy` command fails, you may need to manually terminate the instances through your cloud provider's console or command-line tools.
+- **Update Configurations**: Ensure that your `.kitchen.yml` configuration file is up-to-date and correctly references the instances you are trying to destroy.
+- **Network Issues**: Verify that there are no network issues preventing Test Kitchen from communicating with the instances.
diff --git a/src/courses/profile-dev-test/20.md b/src/courses/profile-dev-test/20.md
index fc22727c3..45ace5336 100644
--- a/src/courses/profile-dev-test/20.md
+++ b/src/courses/profile-dev-test/20.md
@@ -1,10 +1,24 @@
 ---
 order: 20
 next: 21.md
-title: Test Kitchen - .kitchen/ directory
+title: Test Kitchen - .kitchen/ Directory
 author: Aaron Lippold
 ---
 ## The `.kitchen/` Directory
-The [`.kitchen/`](/.kitchen/) directory contains the state file for Test Kitchen, which is automatically generated when you first run Test Kitchen. Refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section to see how you can use the `.kitchen/` directory.
+The [`.kitchen/`](/.kitchen/) directory contains the state files for Test Kitchen. These files are automatically generated when you first run Test Kitchen.
+
+### Understanding the `.kitchen/` Directory
+
+The `.kitchen/` directory is crucial for managing the state of your Test Kitchen instances. It includes configuration and state information that Test Kitchen uses to manage your test environments.
+
+### Using the `.kitchen/` Directory
+
+Refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section to learn how to use the `.kitchen/` directory effectively. This section will guide you on locating and utilizing the login details for your test targets stored within this directory.
+
+### Key Points to Remember
+
+- The `.kitchen/` directory is automatically created when you run Test Kitchen for the first time.
+- It stores state and configuration files necessary for managing test environments.
+- Understanding the contents of this directory can help you troubleshoot and manage your test instances more effectively.
diff --git a/src/courses/profile-dev-test/21.md b/src/courses/profile-dev-test/21.md
index 19075f8d7..08250aaa0 100644
--- a/src/courses/profile-dev-test/21.md
+++ b/src/courses/profile-dev-test/21.md
@@ -9,9 +9,9 @@ author: Aaron Lippold
 The [`kitchen.yml`](./kitchen.yml) file is the primary configuration file for Test Kitchen. It outlines the shared configuration for all your testing environments, platforms, and the testing framework to be used.
-Each of the subsequent kitchen files will inherit the shared settings from this file automatlly and merge them with the setting in the child kitchen file.
+Each of the subsequent kitchen files will inherit the shared settings from this file automatically and merge them with the settings in the child kitchen file.
-## Example `kitchen.yml` file
+## Example `kitchen.yml` File
 ```yaml
 ---
@@ -41,7 +41,7 @@ suites:
 playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml
 ```
-# Breakdown of the `kitchen.yml` file:
+# Breakdown of the `kitchen.yml` file
 ```yaml
 verifier:
@@ -97,4 +97,4 @@ The workflow of Test Kitchen involves the following steps:
 1. **Create:** Test Kitchen uses the driver to create an instance of the platform.
 2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. In this case, it's using Ansible playbooks.
 3. **Verify:** Test Kitchen uses the verifier to check if the instance is in the desired state.
-4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file.
\ No newline at end of file
+4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file.
diff --git a/src/courses/profile-dev-test/22.md b/src/courses/profile-dev-test/22.md
index 6f5885953..46d0f2d61 100644
--- a/src/courses/profile-dev-test/22.md
+++ b/src/courses/profile-dev-test/22.md
@@ -9,11 +9,11 @@ author: Aaron Lippold
 The `kitchen.ec2.yml` file is instrumental in setting up our testing targets within the AWS environment. It outlines the configuration details for these targets, including their VPC assignments and the specific settings for each VPC.
-This file leverages the ` AWS CLI and AWS Credentials` configured as described in the previous [Required Software](#13-required-software) section.
+This file leverages the `AWS CLI and AWS Credentials` configured as described in the previous [Required Software](#13-required-software) section.
 Alternatively, if you've set up AWS Environment Variables, the file will use those for AWS interactions.
-## Example `kitchen.ec2.yml` file
+## Example `kitchen.ec2.yml` File
 ```yaml
 ---
@@ -115,4 +115,4 @@ The workflow of Test Kitchen involves the following steps:
 3. **Verify:** Test Kitchen checks if the instance is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section.
 4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file, but it would be configured in the `driver` section.
-The `transport` is used in all these steps to communicate with the instance.
\ No newline at end of file
+The `transport` is used in all these steps to communicate with the instance.
diff --git a/src/courses/profile-dev-test/23.md b/src/courses/profile-dev-test/23.md
index e540604c4..6abc9ae40 100644
--- a/src/courses/profile-dev-test/23.md
+++ b/src/courses/profile-dev-test/23.md
@@ -7,7 +7,7 @@ author: Aaron Lippold
 ## Understanding the [`kitchen.container.yml`](./kitchen.container.yml)
-The `kitchen.container.yml` file orchestrates our container-based test suite. It defines two types of containers, hardened and vanilla, and specifies the inspec_tests to run against them. It also configures the generation and storage of test reports.
+The `kitchen.container.yml` file orchestrates our container-based test suite. It defines two types of containers: hardened and vanilla, and specifies the InSpec tests to run against them. It also configures the generation and storage of test reports.
 Unlike other test suites, the container suite skips the 'provisioner' stage for the vanilla and hardened targets. Instead, during the create stage, it simply downloads and starts the specified images. This is due to the use of the [dummy Test Kitchen driver](https://github.com/test-kitchen/test-kitchen/blob/main/lib/kitchen/driver/dummy.rb), which is ideal for interacting with pre-configured or immutable targets like containers.
@@ -48,7 +48,7 @@ suites:
 # creds_file: './creds.json'
 ```
-# Breakdown of the `kitchen.container.yml` file:
+# Breakdown of the `kitchen.container.yml` file
 ```yaml
 provisioner:
@@ -117,4 +117,4 @@ The `kitchen.container.yml` file uses the following environment variables to sel
 - `VANILLA_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'not hardened'.
 - default: `registry.access.redhat.com/ubi8/ubi:8.9-1028`
 - `HARDENED_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'hardened'.
- - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi8`
\ No newline at end of file
+ - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi8`
diff --git a/src/courses/profile-dev-test/24.md b/src/courses/profile-dev-test/24.md
index 6fda8f8c3..42e35d0a8 100644
--- a/src/courses/profile-dev-test/24.md
+++ b/src/courses/profile-dev-test/24.md
@@ -7,7 +7,7 @@ author: Aaron Lippold
 ## GitHub Actions
-Our profile utilizes GitHub Actions as its primary CI/CD process. The Actions are separated by general business or process functions, allowing for a clear distinction between the workflow stages that we are testing in our workflow.
+Our profile utilizes GitHub Actions as its primary CI/CD process. The Actions are separated by general business or process functions, allowing for a clear distinction between the workflow stages that we are testing.
 ### [`lint-profile.yml`](.github/workflows/lint-profile.yml)
@@ -29,10 +29,10 @@ This action performs the following steps:
 ### [`verify-container.yml`](.github/workflows/verify-container.yml)
-This action performs similar steps to `verify-ec2.yml`, but with some differences:
+This action performs similar steps to `verify-ec2.yml`, with some differences:
-1. It configures access to the required container registries - Platform One and Red Hat.
+1. Configures access to the required container registries - Platform One and Red Hat.
 ### [`verify-vagrant.yml.example`](.github/workflows/verify-vagrant.yml.example)
-This action is similar to the `verify-ec2` workflow, but instead of using a remote AWS EC2 instance in a VPC, it uses a local Vagrant virtual machine as the test target. The user can configure whether to upload the results to our Heimdall Demo server or not by modifing the Github Action.
\ No newline at end of file
+This action is similar to the `verify-ec2` workflow, but instead of using a remote AWS EC2 instance in a VPC, it uses a local Vagrant virtual machine as the test target. The user can configure whether to upload the results to our Heimdall Demo server or not by modifying the GitHub Action.
diff --git a/src/courses/profile-dev-test/25.md b/src/courses/profile-dev-test/25.md
index c17d86e4c..fcfdc9d91 100644
--- a/src/courses/profile-dev-test/25.md
+++ b/src/courses/profile-dev-test/25.md
@@ -12,7 +12,11 @@ author: Aaron Lippold
 Before running Delta, it's beneficial to format the profile to match the format Delta will use. This minimizes changes to only those necessary based on the guidance update. Follow these steps:
-1. **Run Cookstyle:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list cookstyle`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `cookstyle -a ./controls` and any tests you have for your profile.
+1. **Run Cookstyle:**
+
+ - **Install Cookstyle:** Install the Cookstyle gem by running `gem install cookstyle`. Verify the installation with `gem list cookstyle`.
+ - **Create Configuration:** Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line.
+ - **Lint Controls:** Run `cookstyle -a ./controls` to lint the controls into Cookstyle format. Also, run any tests you have for your profile to ensure everything is working correctly.
 ```shell
 AllCops:
@@ -63,4 +67,7 @@ Lint/AmbiguousBlockAssociation:
 Enabled: false
 ```
-2. **Run the SAF CLI Command:** Use `saf generate update_controls4delta` to check and update the control IDs with the provided XCCDF guidance. This process checks if the new guidance changes the control numbers and updates them if necessary. This minimizes the Delta output content and improves the visualization of the modifications provided by the Delta process.
+2. Run the SAF CLI Command:
+
+- Use the command: `saf generate update_controls4delta` to check and update the control IDs with the provided XCCDF guidance.
+- Verify Changes: This process checks if the new guidance changes the control numbers and updates them if necessary. This minimizes the Delta output content and improves the visualization of the modifications provided by the Delta process.
diff --git a/src/courses/profile-dev-test/26.md b/src/courses/profile-dev-test/26.md
index e4f602575..bd7e3b0ab 100644
--- a/src/courses/profile-dev-test/26.md
+++ b/src/courses/profile-dev-test/26.md
@@ -2,14 +2,14 @@
 order: 26
 next: 27.md
 title: InSpec Delta - Making the Delta Release Branch
-shortTitle: Delta - Making your Branch
+shortTitle: Delta - Making Your Branch
 author: Aaron Lippold
 ---
-## Prepair Your Environment
+## Prepare Your Environment
-- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file.
-- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command.
+- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and locate the `xccdf.xml` file.
+- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file, which will be used in the `saf generate delta` command.
 ## Delta Workflow Process
@@ -17,7 +17,7 @@ author: Aaron Lippold
 ## Using Delta
-The SAF InSpec Delta workflow typically involves two phases, `preformatting` and `delta`.
+The SAF InSpec Delta workflow typically involves two phases: `preformatting` and `delta`.
 Before starting, ensure you have the latest SAF-CLI, the InSpec Profile JSON file, and the updated guidance file.
@@ -31,9 +31,9 @@ For more information on these commands, refer to the following documentation:
 ## Scope of Changes by Delta
-Delta focuses on specific modifications migrating the changes from the XCCDF Benchmark Rules to the Profiles controls, and updating the 'metadata' of each of thosin the `control ID`, `title`, `default desc`, `check text`, and `fix text`, between the XCCDF Benchmark Rules and the Profile Controls.
+Delta focuses on specific modifications, migrating the changes from the XCCDF Benchmark Rules to the Profile's controls, and updating the 'metadata' of each control, including `control ID`, `title`, `default desc`, `check text`, and `fix text`, between the XCCDF Benchmark Rules and the Profile Controls.
-If the XCCDF Guidance Document introduces a new 'Rule' or `inspec control` that is not in the current profile's `controls` directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the [inspec_profile](#inspec-profile) (aliases xccdf-benchmark-to-inspec-stubs) tool.
+If the XCCDF Guidance Document introduces a new 'Rule' or `inspec control` that is not in the current profile's `controls` directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the [inspec_profile](#inspec-profile) tool.
 It also adjusts the `tags` and introduces a `ref` between the `impact` and `tags`.
@@ -44,4 +44,3 @@ Delta does not modify the Ruby/InSpec code within the control, leaving it intact
 - The original Delta branch can be found [here](https://github.com/mitre/saf/pull/485).
 - Delta moves lines not labeled with 'desc' to the bottom, between tags and InSpec code.
 - Whether the controls are formatted to be 80 lines or not, Delta exhibits the same behavior with the extra text.
-- Parameterizing should be considered.
diff --git a/src/courses/profile-dev-test/27.md b/src/courses/profile-dev-test/27.md
index cdb6f62fb..95d6f10bf 100644
--- a/src/courses/profile-dev-test/27.md
+++ b/src/courses/profile-dev-test/27.md
@@ -6,13 +6,13 @@ shortTitle: Tips & Troubleshooting
 author: Aaron Lippold
 ---
-## Tips, Tricks and Troubleshooting
+## Tips, Tricks, and Troubleshooting
 ### Test Kitchen
 #### Locating Test Target Login Details
-Test Kitchen stores the current host details of your provisioned test targets in the `.kitchen/` directory. Here, you'll find a `yml` file containing your target's `hostname`, `ip address`, `host details`, and login credentials, which could be an `ssh pem key` or another type of credential.
+Test Kitchen stores the current host details of your provisioned test targets in the `.kitchen/` directory. Here, you'll find a `yml` file containing your target's `hostname`, `IP address`, host details, and login credentials, which could be an `SSH PEM key` or another type of credential.
 ```shell
 .kitchen
@@ -28,11 +28,11 @@ Test Kitchen stores the current host details of your provisioned test targets in
 #### Restoring Access to a Halted or Restarted Test Target
-If your test target reboots or updates its network information, you don't need to execute bundle exec kitchen destroy. Instead, update the corresponding .kitchen/#{suite}-#{target}.yml file with the updated information. This will ensure that your kitchen login, kitchen validate, and other kitchen commands function correctly, as they'll be connecting to the correct location instead of using outdated data.
+If your test target reboots or updates its network information, you don't need to execute `bundle exec kitchen destroy`. Instead, update the corresponding `.kitchen/#{suite}-#{target}.yml` file with the new information. This ensures that your `kitchen login`, `kitchen validate`, and other kitchen commands function correctly by connecting to the correct location instead of using outdated data.
-#### AWS Console and EC2 Oddities
+#### AWS Console and EC2 Considerations
-Since we're using the free-tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or 'reboot in the background' if you stop interacting with them, halt them, put them in a stop state, or leave them overnight. To regain access, edit the .kitchen/#{suite}-#{target}.yml file. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address.
+Since we're using the free tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or reboot in the background if you stop interacting with them, halt them, put them in a stop state, or leave them overnight. To regain access, edit the `.kitchen/#{suite}-#{target}.yml` file with the updated IP address. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address.
 ## InSpec / Ruby
@@ -46,13 +46,13 @@ When developing InSpec controls, it's beneficial to use the `kitchen-test` suite
 2. Then, insert `binding.pry` at the point in your code where you want to start debugging.
 3. When you run your tests, execution will stop at the `binding.pry` line, and you can inspect variables, step through the code, and more.
-***!Pro Tip!***
+***Pro Tip***
-- Remember to remove or comment out the `binding.pry` lines when you're done debugging or you won't have a good 'linting' down the road.
+- Remember to remove or comment out the `binding.pry` lines when you're done debugging, or you may encounter issues with linting tools.
 ### Streamlining Your Testing with `inspec shell`
-The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section.
+The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Locating Test Target Login Details](#locating-test-target-login-details) section.
 Once you have your IP address and SSH PEM key (for AWS target instances), or the container ID (for Docker test instances), you can use the following commands:
@@ -61,4 +61,4 @@ Once you have your IP address and SSH PEM key (for AWS target instances), or the
 ### Using `kitchen login` for Easy Test Review and Modification
-The `kitchen login` command provides an easy way to review and modify your test target. This tool is particularly useful for introducing test cases, exploring corner cases, and validating both positive and negative test scenarios.
+The `kitchen login` command allows you to access your test target's command line directly. This is particularly useful for introducing test cases, exploring edge cases, and validating both positive and negative test scenarios. By interacting directly with the test environment, you can deepen your understanding of how your controls perform in real-world conditions.
diff --git a/src/courses/profile-dev-test/28.md b/src/courses/profile-dev-test/28.md
index edc8506b6..c14072f31 100644
--- a/src/courses/profile-dev-test/28.md
+++ b/src/courses/profile-dev-test/28.md
@@ -11,20 +11,20 @@ author: Aaron Lippold
 #### Evolution of STIGs and Security Benchmarks
-The Department of Defense (DOD) has continually updated its databases that track rules and Security Technical Implementation Guides (STIGs) that house those rules.
+The Department of Defense (DoD) has continually updated its databases that track rules and the Security Technical Implementation Guides (STIGs), which define those rules.
 Initially, the system was known as the Vulnerability Management System (VMS).
-In the STIGs, you might come across data elements that are remnants from these iterations. These include `Group Title` (gid or gtitle), `Vulnerability ID` (VulnID), `Rule ID` (rule_id), `STIG ID` (stig_id), and others.
+In the STIGs, you might come across data elements that are remnants from previous systems. These include `Group Title` (`gid` or `gtitle`), `Vulnerability ID` (`VulnID`), `Rule ID` (`rule_id`), `STIG ID` (`stig_id`), and others.
-A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the Vulnerability Management System used the STIG_ID as the primary index for the requirements in each Benchmark in VMS.
+A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the VMS used the `STIG_ID` as the primary index for the requirements in each benchmark.
-However, when DISA updated the Vendor STIG Processes and replaced the VMS, they decided to migrate the primary ID from the STIG ID to the Rule ID, tracking changes in the Rules as described above.
+However, when DISA updated the vendor STIG processes and replaced the VMS, they decided to migrate the primary ID from the `STIG ID` to the `Rule ID`, tracking changes in the rules.
-Examples of tools that still use either fully or in part the 'STIG ID' vs the 'Rule ID' as a primary index are: the DISA STIG Viewer, Nessus Audit Scans, and Open SCAP client.
+Examples of tools that still use the `STIG ID`, either fully or partially, as a primary index include the DISA STIG Viewer, Nessus Audit Scans, and OpenSCAP client.
-While these elements might seem confusing, understanding their historical context is essential.
+Understanding the historical context of these elements is essential, even if they might seem confusing.
-In our modern profiles, some data from the XCCDF Benchmarks still exist in the document but are not used or rendered in the modern InSpec Profiles. However, in some of the older profiles, you may see many of these data elements as `tags` in the profile. The intention was to ensure easy and lossless conversion between XCCDF Benchmark and HDF Profile.
+Although some data from the XCCDF benchmarks still exist in our modern profiles, they are not used or rendered in modern InSpec profiles. The intention was to ensure easy and lossless conversion between XCCDF benchmarks and HDF profiles.
-It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark. Therefore, rendering them in the profile was deemed unnecessary.
+It was later realized that since the structure of these data elements was static, they could be easily reintroduced when converting back to an XCCDF benchmark. Therefore, including them in the profile was deemed unnecessary.
diff --git a/src/courses/profile-dev-test/29.md b/src/courses/profile-dev-test/29.md
index 0e970ff0b..e5fbb4fb9 100644
--- a/src/courses/profile-dev-test/29.md
+++ b/src/courses/profile-dev-test/29.md
@@ -7,16 +7,16 @@ author: Aaron Lippold ## Terms & Definitions - **Baseline**: This refers to a set of relevant security controls, such as NIST 800-53 controls or Center for Internet Security Controls. These controls offer high-level security best practices, grouped into common areas of concern. -- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on Confidentiality, Integrity, and Availability (C.I.A). -- **[Common Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. For example: 'CCI-000366'. -- **Group Title (gtitle)**: This is essentially the SRG ID but is a holdover data value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'. -- **Major Version Update**: These are updates that occur when a software vendor releases a new major version of their product's STIG, e.g., RedHat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows. -- **Patch Update**: These are regular updates that address missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`. +- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on their impact on Confidentiality, Integrity, and Availability (C.I.A). 
+- **[Control Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier provides a standard identifier and description for each individual, actionable statement that comprises an Information Assurance (IA) control or best practice. For example: 'CCI-000366'. +- **Group Title (gtitle)**: This is essentially the SRG ID but is a legacy value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'. +- **Major Version Update**: These updates occur when a software vendor releases a new major version of their product, resulting in a new major version of the corresponding STIG. For example, Red Hat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows. +- **Patch Update**: These are regular updates that address edge cases in testing for one or more benchmark requirements or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`. - **Profile**: This is a set of tests representing a STIG or a CIS Benchmark. These tests automate the validation of a system against that STIG or CIS Benchmark. - **Release Update**: These are updates that occur when the STIG Benchmark owner releases an updated version of the STIG, e.g., Red Hat Enterprise Linux V1R12 to V1R13. -- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string - ('SV-230221) and (r858734_rule)'. The first part remains unique within the major version of a Benchmark document, while the latter part of the string is updated each time the 'Rule' is updated 'release to release' of the Benchmark. For example: 'SV-230221r858734_rule'. -- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a 'class' of software products such as 'web server', 'operating systems', 'application servers' or 'databases'. 
You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). -- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on a desired Security Requirements Guide that applies to the product's software class and function, such as operating system, web server, database, etc. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string—for example, 'SV-230221' and 'r858734_rule'. The first part remains unique within the major version of a benchmark document, while the latter part is updated each time the rule is updated with each release of the benchmark. For example: 'SV-230221r858734_rule'. +- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a class of software products such as web servers, operating systems, application servers, or databases. You can find these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on the relevant Security Requirements Guide that applies to the product's software class and function, such as operating systems, web servers, or databases. Archives are available at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). - **SRG_ID**: This is the unique identifier of the SRG requirement. These indexes, like the STIG Rule IDs, also show their parent-child relationship. For example: 'SRG-OS-000480-GPOS-00227'. 
-- **STIG ID (stig_id)**: Many testing tools and testing results tools use this ID - vs the Rule ID - to display each of the individual results of a Benchmark validation run. For example: 'RHEL-08-010000'. Examples include: DISA STIG Viewer, Nessus Audit Scans and the Open SCAP client.
-- **XCCDF Benchmark (XCCDF or XCCDF Benchmark)**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by NIST and DOD to provide a machine-readable XML format for creating security guidance documents and security technical implementation guides. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/).
+- **STIG ID (stig_id)**: Many testing and result analysis tools use this ID—versus the Rule ID—to display each of the individual results of a benchmark validation run. For example: 'RHEL-08-010000'. Examples include DISA STIG Viewer, Nessus Audit Scans, and the OpenSCAP client.
+- **XCCDF Benchmark**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by the National Institute of Standards and Technology (NIST) and the Department of Defense (DoD) to provide a machine-readable XML format for creating security guidance documents and Security Technical Implementation Guides. Archives are available at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/).
From 79c950c458e1142041a10f545e1253630ce4b727 Mon Sep 17 00:00:00 2001
From: Daniel Medina
Date: Fri, 6 Dec 2024 08:45:09 -0500
Subject: [PATCH 35/71] report file revert
---
 src/.vuepress/public/assets/downloads/report | 10483 +++++++++++++++++
 src/courses/delta/05.md | 6 +-
 2 files changed, 10486 insertions(+), 3 deletions(-)
 create mode 100644 src/.vuepress/public/assets/downloads/report
diff --git a/src/.vuepress/public/assets/downloads/report b/src/.vuepress/public/assets/downloads/report
new file mode 100644
index 000000000..a16403227
--- /dev/null
+++ b/src/.vuepress/public/assets/downloads/report @@ -0,0 +1,10483 @@ +## Automatic Update: -> + +### New Controls: ++ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. + + +### Updated Check/Fixes: +#### Checks: +
+ Click to expand. +SV-230262: +Old: +``` +Verify the system-wide shared library files are group-owned by "root" +with the following command: + + $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} +\; + + If any system wide shared library file is returned and is not group-owned +by a required system account, this is a finding. + +``` + +Updated: +``` +Verify the system-wide shared library files are group-owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; + +If any system wide shared library file is returned and is not group-owned by a required system account, this is a finding. + +``` +--- +SV-230379: +Old: +``` +Verify all accounts on the system are assigned to an active system, +application, or user account. + + Obtain the list of authorized system accounts from the Information System +Security Officer (ISSO). + + Check the system accounts on the system with the following command: + + $ sudo more /etc/passwd + + root:x:0:0:root:/root:/bin/bash + bin:x:1:1:bin:/bin:/sbin/nologin + daemon:x:2:2:daemon:/sbin:/sbin/nologin + sync:x:5:0:sync:/sbin:/bin/sync + shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown + halt:x:7:0:halt:/sbin:/sbin/halt + games:x:12:100:games:/usr/games:/sbin/nologin + gopher:x:13:30:gopher:/var/gopher:/sbin/nologin + + Accounts such as "games" and "gopher" are not authorized accounts as +they do not support authorized system functions. + + If the accounts on the system do not match the provided documentation, or +accounts that do not support an authorized system function are present, this is +a finding. + +``` + +Updated: +``` +Verify that there are no unauthorized interactive user accounts with the following command: + +$ less /etc/passwd + +root:x:0:0:root:/root:/bin/bash +... 
+games:x:12:100:games:/usr/games:/sbin/nologin +scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash +djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash + +Interactive user account, generally will have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell. + +Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system. + +If there are unauthorized local user accounts on the system, this is a finding. + +``` +--- +SV-230470: +Old: +``` +Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the +following commands: + + Note: If the USBGuard daemon is not installed and enabled, this requirement +is not applicable. + + $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf + + AuditBackend=LinuxAudit + + If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or +the line is commented out, this is a finding. + +``` + +Updated: +``` +Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: + +Note: If the USBGuard daemon is not installed and enabled, this requirement is Not Applicable. + +$ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf + +AuditBackend=LinuxAudit + +If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or the line is commented out, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-230524: +Old: +``` +Verify the USBGuard has a policy configured with the following command: + + $ sudo usbguard list-rules + + If the command does not return results or an error is returned, ask the SA +to indicate how unauthorized peripherals are being blocked. 
+ + If there is no evidence that unauthorized peripherals are being blocked +before establishing a connection, this is a finding. + +``` + +Updated: +``` +Verify the USBGuard has a policy configured with the following command: + +$ sudo usbguard list-rules + +If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. + +If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. + +``` +--- +SV-230548: +Old: +``` +Verify RHEL 8 disables the use of user namespaces with the following commands: + +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +$ sudo sysctl user.max_user_namespaces + +user.max_user_namespaces = 0 + +If the returned line does not have a value of "0", or a line is not returned, this is a finding. + +Check that the configuration files are present to enable this network parameter. + +$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + +/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + +If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding. 
+ +``` + +Updated: +``` +Verify RHEL 8 disables the use of user namespaces with the following commands: + +$ sudo sysctl user.max_user_namespaces + +user.max_user_namespaces = 0 + +If the returned line does not have a value of "0", or a line is not returned, this is a finding. + +Check that the configuration files are present to enable this network parameter. + +$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + +/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + +If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding. + +If the use of namespaces is operationally required and documented with the ISSM, it is not a finding. + +``` +--- +SV-230559: +Old: +``` +Verify the gssproxy package has not been installed on the system with the +following commands: + + $ sudo yum list installed gssproxy + + gssproxy.x86_64 +0.8.0-14.el8 @anaconda + + If the gssproxy package is installed and is not documented with the +Information System Security Officer (ISSO) as an operational requirement, this +is a finding. + +``` + +Updated: +``` +Verify the gssproxy package has not been installed on the system with the following commands: + +$ sudo yum list installed gssproxy + +gssproxy.x86_64 0.8.0-14.el8 @anaconda + +If the gssproxy package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. + +If NFS mounts are being used, this is not a finding. + +``` +--- +SV-244527: +Old: +``` +Check that RHEL 8 has the packages required to enabled the hardware random +number generator entropy gatherer service with the following command: + + $ sudo yum list installed rng-tools + + rng-tools.x86_64 6.8-3.el8 +@anaconda + + If the "rng-tools" package is not installed, this is a finding. 
+
+```
+Updated:
+```
+Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable.
+
+Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command:
+
+$ sudo yum list installed rng-tools
+
+rng-tools.x86_64 6.8-3.el8 @anaconda
+
+If the "rng-tools" package is not installed, this is a finding.
+
+```
+---
+SV-244547:
+Old:
+```
+Verify USBGuard is installed on the operating system with the following
+command:
+
+ $ sudo yum list installed usbguard
+
+ Installed Packages
+ usbguard.x86_64 0.7.8-7.el8 @ol8_appstream
+
+ If the USBGuard package is not installed, ask the SA to indicate how
+unauthorized peripherals are being blocked.
+ If there is no evidence that unauthorized peripherals are being blocked
+before establishing a connection, this is a finding.
+
+```
+
+Updated:
+```
+Verify USBGuard is installed on the operating system with the following command:
+
+$ sudo yum list installed usbguard
+
+Installed Packages
+usbguard.x86_64 0.7.8-7.el8 @ol8_appstream
+
+If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked.
+If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.
+
+If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding.
+
+```
+---
+SV-244548:
+Old:
+```
+Verify the operating system has enabled the use of the USBGuard with the
+following command:
+
+ $ sudo systemctl status usbguard.service
+
+ usbguard.service - USBGuard daemon
+ Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor
+preset: disabled)
+ Active: active (running)
+
+ If the usbguard.service is not enabled and active, ask the SA to indicate
+how unauthorized peripherals are being blocked.
+ If there is no evidence that unauthorized peripherals are being blocked
+before establishing a connection, this is a finding.
+
+```
+
+Updated:
+```
+Verify the operating system has enabled the use of the USBGuard with the following command:
+
+$ sudo systemctl status usbguard.service
+
+usbguard.service - USBGuard daemon
+Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled)
+Active: active (running)
+
+If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked.
+If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.
+
+If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked.
+If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.
+
+If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding.
+
+```
+---
+SV-257258:
+Old:
+```
+Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command:
+
+ $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf
+
+ StopIdleSessionSec=900
+
+If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding.
+
+```
+
+Updated:
+```
+Note: This requirement applies to RHEL versions 8.7 and higher. If the system is not RHEL version 8.7 or newer, this requirement is not applicable.
+
+Verify that RHEL 8 logs out sessions that are idle for 10 minutes with the following command:
+
+$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf
+
+StopIdleSessionSec=600
+
+If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding.
+
+```
+---
+
+
+#### Fixes:
+
+ Click to expand.
+SV-230379:
+Old:
+```
+Configure the system so all accounts on the system are assigned to an
+active system, application, or user account.
+
+ Remove accounts that do not support approved system activities or that
+allow for a normal user to perform administrative-level actions.
+
+ Document all authorized accounts on the system.
+
+```
+New:
+```
+Remove unauthorized local interactive user accounts with the following command where is the unauthorized account:
+
+$ sudo userdel
+
+```
+---
+SV-230548:
+Old:
+```
+Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory:
+
+Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.
+
+user.max_user_namespaces = 0
+
+Remove any configurations that conflict with the above from the following locations:
+/run/sysctl.d/*.conf
+/usr/local/lib/sysctl.d/*.conf
+/usr/lib/sysctl.d/*.conf
+/lib/sysctl.d/*.conf
+/etc/sysctl.conf
+/etc/sysctl.d/*.conf
+
+The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
+
+$ sudo sysctl --system
+
+```
+New:
+```
+Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory:
+
+user.max_user_namespaces = 0
+
+Remove any configurations that conflict with the above from the following locations:
+/run/sysctl.d/*.conf
+/usr/local/lib/sysctl.d/*.conf
+/usr/lib/sysctl.d/*.conf
+/lib/sysctl.d/*.conf
+/etc/sysctl.conf
+/etc/sysctl.d/*.conf
+
+The system configuration files need to be reloaded for the changes to take effect.
To reload the contents of the files, run the following command:
+
+$ sudo sysctl --system
+
+```
+---
+SV-257258:
+Old:
+```
+Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line:
+
+ StopIdleSessionSec=900
+
+The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command:
+
+ $ sudo systemctl restart systemd-logind
+
+Note: To preserve running user programs such as tmux, uncomment and/or edit "KillUserProccesses=no" in "/etc/systemd/logind.conf".
+
+```
+New:
+```
+Configure RHEL 8 to log out idle sessions after 10 minutes by editing the /etc/systemd/logind.conf file with the following line:
+
+StopIdleSessionSec=600
+
+The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command:
+
+$ sudo systemctl restart systemd-logind
+
+```
+---
+
+
+### Updated Impacts
+
+ Click to expand.
+SV-230223:
+Old: 0
+New: 0.7
+---
+SV-230224:
+Old: 0
+New: 0.5
+---
+SV-230230:
+Old: 0
+New: 0.5
+---
+SV-230234:
+Old: 0
+New: 0.7
+---
+SV-230235:
+Old: 0
+New: 0.7
+---
+SV-230238:
+Old: 0
+New: 0.5
+---
+SV-230239:
+Old: 0
+New: 0.5
+---
+SV-230244:
+Old: 0
+New: 0.5
+---
+SV-230273:
+Old: 0
+New: 0.5
+---
+SV-230275:
+Old: 0
+New: 0.5
+---
+SV-230285:
+Old: 0
+New: 0.3
+---
+SV-230300:
+Old: 0
+New: 0.5
+---
+SV-230328:
+Old: 0
+New: 0.5
+---
+SV-230329:
+Old: 0
+New: 0.7
+---
+SV-230332:
+Old: 0
+New: 0.5
+---
+SV-230347:
+Old: 0
+New: 0.5
+---
+SV-230351:
+Old: 0
+New: 0.5
+---
+SV-230352:
+Old: 0
+New: 0.5
+---
+SV-230354:
+Old: 0
+New: 0.5
+---
+SV-230376:
+Old: 0
+New: 0.5
+---
+SV-230380:
+Old: 0
+New: 0.7
+---
+SV-230382:
+Old: 0
+New: 0.5
+---
+SV-230385:
+Old: 0.7
+New: 0.5
+---
+SV-230493:
+Old: 0
+New: 0.5
+---
+SV-230502:
+Old: 0
+New: 0.5
+---
+SV-230506:
+Old: 0
+New: 0.5
+---
+SV-230507:
+Old: 0
+New: 0.5
+---
+SV-230523:
+Old: 0
+New: 0.5
+---
+SV-230530:
+Old: 0
+New: 0.7
+---
+SV-230535:
+Old: 0
+New: 0.5
+---
+SV-230536:
+Old: 0
+New: 0.5
+---
+SV-230537:
+Old: 0
+New: 0.5
+---
+SV-230538:
+Old: 0
+New: 0.5
+---
+SV-230539:
+Old: 0
+New: 0.5
+---
+SV-230540:
+Old: 0
+New: 0.5
+---
+SV-230541:
+Old: 0
+New: 0.5
+---
+SV-230542:
+Old: 0
+New: 0.5
+---
+SV-230543:
+Old: 0
+New: 0.5
+---
+SV-230544:
+Old: 0
+New: 0.5
+---
+SV-230545:
+Old: 0
+New: 0.5
+---
+SV-230546:
+Old: 0
+New: 0.5
+---
+SV-230547:
+Old: 0
+New: 0.5
+---
+SV-230548:
+Old: 0
+New: 0.5
+---
+SV-230549:
+Old: 0
+New: 0.5
+---
+SV-230550:
+Old: 0
+New: 0.5
+---
+SV-230557:
+Old: 0
+New: 0.5
+---
+SV-237640:
+Old: 0
+New: 0.5
+---
+SV-244519:
+Old: 0
+New: 0.5
+---
+SV-244521:
+Old: 0
+New: 0.5
+---
+SV-244522:
+Old: 0
+New: 0.5
+---
+SV-244530:
+Old: 0
+New: 0.5
+---
+SV-244535:
+Old: 0
+New: 0.5
+---
+SV-244536:
+Old: 0
+New: 0.5
+---
+SV-244538:
+Old: 0
+New: 0.5
+---
+SV-244539:
+Old: 0
+New: 0.5
+---
+SV-244545:
+Old: 0
+New: 0.5
+---
+SV-244546:
+Old:
0
+New: 0.5
+---
+SV-244550:
+Old: 0
+New: 0.5
+---
+SV-244551:
+Old: 0
+New: 0.5
+---
+SV-244552:
+Old: 0
+New: 0.5
+---
+SV-244553:
+Old: 0
+New: 0.5
+---
+SV-244554:
+Old: 0
+New: 0.5
+---
+SV-250315:
+Old: 0
+New: 0.5
+---
+SV-250317:
+Old: 0
+New: 0.5
+---
+SV-251710:
+Old: 0
+New: 0.5
+---
+SV-251711:
+Old: 0
+New: 0.5
+---
+SV-251712:
+Old: 0
+New: 0.5
+---
+SV-251718:
+Old: 0
+New: 0.5
+---
+
+
+### Updated Titles
+
+ Click to expand. +SV-230226: +Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent +Banner before granting local or remote access to the system via a graphical +user logon. +New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. +--- +SV-230227: +Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent +Banner before granting local or remote access to the system via a command line +user logon. +New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. +--- +SV-230229: +Old: RHEL 8, for PKI-based authentication, must validate certificates by +constructing a certification path (which includes status information) to an +accepted trust anchor. +New: RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. +--- +SV-230230: +Old: RHEL 8, for certificate-based authentication, must enforce authorized +access to the corresponding private key. +New: RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. +--- +SV-230231: +Old: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved +cryptographic hashing algorithm. +New: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. +--- +SV-230232: +Old: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing +algorithms for all stored passwords. +New: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. +--- +SV-230234: +Old: RHEL 8 operating systems booted with United Extensible Firmware +Interface (UEFI) must require authentication upon booting into single-user mode +and maintenance. 
+New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. +--- +SV-230235: +Old: RHEL 8 operating systems booted with a BIOS must require +authentication upon booting into single-user and maintenance modes. +New: RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. +--- +SV-230236: +Old: RHEL 8 operating systems must require authentication upon booting into +rescue mode. +New: RHEL 8 operating systems must require authentication upon booting into rescue mode. +--- +SV-230237: +Old: The RHEL 8 pam_unix.so module must be configured in the password-auth +file to use a FIPS 140-2 approved cryptographic hashing algorithm for system +authentication. +New: The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. +--- +SV-230238: +Old: RHEL 8 must prevent system daemons from using Kerberos for +authentication. +New: RHEL 8 must prevent system daemons from using Kerberos for authentication. +--- +SV-230240: +Old: RHEL 8 must use a Linux Security Module configured to enforce limits +on system services. +New: RHEL 8 must use a Linux Security Module configured to enforce limits on system services. +--- +SV-230243: +Old: A sticky bit must be set on all RHEL 8 public directories to prevent +unauthorized and unintended information transferred via shared system +resources. +New: A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. +--- +SV-230245: +Old: The RHEL 8 /var/log/messages file must have mode 0640 or less +permissive. +New: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive. 
+--- +SV-230252: +Old: The RHEL 8 operating system must implement DoD-approved encryption to +protect the confidentiality of SSH server connections. +New: The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. +--- +SV-230254: +Old: The RHEL 8 operating system must implement DoD-approved encryption in +the OpenSSL package. +New: The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. +--- +SV-230255: +Old: The RHEL 8 operating system must implement DoD-approved TLS encryption +in the OpenSSL package. +New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. +--- +SV-230256: +Old: The RHEL 8 operating system must implement DoD-approved TLS encryption +in the GnuTLS package. +New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package. +--- +SV-230259: +Old: RHEL 8 system commands must be group-owned by root or a system +account. +New: RHEL 8 system commands must be group-owned by root or a system account. +--- +SV-230263: +Old: The RHEL 8 file integrity tool must notify the system administrator +when changes to the baseline configuration or anomalies in the operation of any +security functions are discovered within an organizationally defined frequency. +New: The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency. +--- +SV-230264: +Old: RHEL 8 must prevent the installation of software, patches, service +packs, device drivers, or operating system components from a repository without +verification they have been digitally signed using a certificate that is issued +by a Certificate Authority (CA) that is recognized and approved by the +organization. 
+New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. +--- +SV-230265: +Old: RHEL 8 must prevent the installation of software, patches, service +packs, device drivers, or operating system components of local packages without +verification they have been digitally signed using a certificate that is issued +by a Certificate Authority (CA) that is recognized and approved by the +organization. +New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. +--- +SV-230267: +Old: RHEL 8 must enable kernel parameters to enforce discretionary access +control on symlinks. +New: RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. +--- +SV-230271: +Old: RHEL 8 must require users to provide a password for privilege +escalation. +New: RHEL 8 must require users to provide a password for privilege escalation. +--- +SV-230273: +Old: RHEL 8 must have the packages required for multifactor authentication + installed. +New: RHEL 8 must have the packages required for multifactor authentication installed. +--- +SV-230276: +Old: RHEL 8 must implement non-executable data to protect its memory from +unauthorized code execution. +New: RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. +--- +SV-230277: +Old: RHEL 8 must clear the page allocator to prevent use-after-free +attacks. +New: RHEL 8 must clear the page allocator to prevent use-after-free attacks. 
+--- +SV-230280: +Old: RHEL 8 must implement address space layout randomization (ASLR) to +protect its memory from unauthorized code execution. +New: RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. +--- +SV-230281: +Old: YUM must remove all software components after updated versions have +been installed on RHEL 8. +New: YUM must remove all software components after updated versions have been installed on RHEL 8. +--- +SV-230285: +Old: RHEL 8 must enable the hardware random number generator entropy +gatherer service. +New: RHEL 8 must enable the hardware random number generator entropy gatherer service. +--- +SV-230286: +Old: The RHEL 8 SSH public host key files must have mode 0644 or less +permissive. +New: The RHEL 8 SSH public host key files must have mode 0644 or less permissive. +--- +SV-230288: +Old: The RHEL 8 SSH daemon must perform strict mode checking of home +directory configuration files. +New: The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files. +--- +SV-230290: +Old: The RHEL 8 SSH daemon must not allow authentication using known host’s +authentication. +New: The RHEL 8 SSH daemon must not allow authentication using known host’s authentication. +--- +SV-230291: +Old: The RHEL 8 SSH daemon must not allow Kerberos authentication, except +to fulfill documented and validated mission requirements. +New: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. +--- +SV-230296: +Old: RHEL 8 must not permit direct logons to the root account using remote +access via SSH. +New: RHEL 8 must not permit direct logons to the root account using remote access via SSH. +--- +SV-230299: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on file systems that contain user home directories. 
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. +--- +SV-230300: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on the /boot directory. +New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. +--- +SV-230302: +Old: RHEL 8 must prevent code from being executed on file systems that +contain user home directories. +New: RHEL 8 must prevent code from being executed on file systems that contain user home directories. +--- +SV-230303: +Old: RHEL 8 must prevent special devices on file systems that are used with +removable media. +New: RHEL 8 must prevent special devices on file systems that are used with removable media. +--- +SV-230304: +Old: RHEL 8 must prevent code from being executed on file systems that are +used with removable media. +New: RHEL 8 must prevent code from being executed on file systems that are used with removable media. +--- +SV-230305: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on file systems that are used with removable media. +New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. +--- +SV-230306: +Old: RHEL 8 must prevent code from being executed on file systems that are +imported via Network File System (NFS). +New: RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS). +--- +SV-230307: +Old: RHEL 8 must prevent special devices on file systems that are imported +via Network File System (NFS). +New: RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS). +--- +SV-230308: +Old: RHEL 8 must prevent files with the setuid and setgid bit set from +being executed on file systems that are imported via Network File System (NFS). 
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). +--- +SV-230309: +Old: Local RHEL 8 initialization files must not execute world-writable +programs. +New: Local RHEL 8 initialization files must not execute world-writable programs. +--- +SV-230316: +Old: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at +least two name servers must be configured. +New: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. +--- +SV-230317: +Old: Executable search paths within the initialization files of all local +interactive RHEL 8 users must only contain paths that resolve to the system +default or the users home directory. +New: Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. +--- +SV-230318: +Old: All RHEL 8 world-writable directories must be owned by root, sys, bin, +or an application user. +New: All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user. +--- +SV-230319: +Old: All RHEL 8 world-writable directories must be group-owned by root, +sys, bin, or an application group. +New: All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. +--- +SV-230320: +Old: All RHEL 8 local interactive users must have a home directory assigned +in the /etc/passwd file. +New: All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. +--- +SV-230321: +Old: All RHEL 8 local interactive user home directories must have mode 0750 +or less permissive. +New: All RHEL 8 local interactive user home directories must have mode 0750 or less permissive. 
+--- +SV-230322: +Old: All RHEL 8 local interactive user home directories must be group-owned +by the home directory owner’s primary group. +New: All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group. +--- +SV-230323: +Old: All RHEL 8 local interactive user home directories defined in the +/etc/passwd file must exist. +New: All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist. +--- +SV-230324: +Old: All RHEL 8 local interactive user accounts must be assigned a home +directory upon creation. +New: All RHEL 8 local interactive user accounts must be assigned a home directory upon creation. +--- +SV-230325: +Old: All RHEL 8 local initialization files must have mode 0740 or less +permissive. +New: All RHEL 8 local initialization files must have mode 0740 or less permissive. +--- +SV-230328: +Old: A separate RHEL 8 filesystem must be used for user home directories +(such as /home or an equivalent). +New: A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent). +--- +SV-230329: +Old: Unattended or automatic logon via the RHEL 8 graphical user interface +must not be allowed. +New: Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed. +--- +SV-230331: +Old: RHEL 8 temporary user accounts must be provisioned with an expiration +time of 72 hours or less. +New: RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less. +--- +SV-230332: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. +--- +SV-230333: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
+--- +SV-230334: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230335: +Old: RHEL 8 must automatically lock an account when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230336: +Old: RHEL 8 must automatically lock an account until the locked account is +released by an administrator when three unsuccessful logon attempts occur +during a 15-minute time period. +New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230337: +Old: RHEL 8 must automatically lock an account until the locked account is +released by an administrator when three unsuccessful logon attempts occur +during a 15-minute time period. +New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230340: +Old: RHEL 8 must prevent system messages from being presented when three +unsuccessful logon attempts occur. +New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. +--- +SV-230341: +Old: RHEL 8 must prevent system messages from being presented when three +unsuccessful logon attempts occur. +New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. +--- +SV-230342: +Old: RHEL 8 must log user name information when unsuccessful logon attempts +occur. +New: RHEL 8 must log user name information when unsuccessful logon attempts occur. 
+--- +SV-230343: +Old: RHEL 8 must log user name information when unsuccessful logon attempts +occur. +New: RHEL 8 must log user name information when unsuccessful logon attempts occur. +--- +SV-230344: +Old: RHEL 8 must include root when automatically locking an account until +the locked account is released by an administrator when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230345: +Old: RHEL 8 must include root when automatically locking an account until +the locked account is released by an administrator when three unsuccessful +logon attempts occur during a 15-minute time period. +New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. +--- +SV-230346: +Old: RHEL 8 must limit the number of concurrent sessions to ten for all +accounts and/or account types. +New: RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types. +--- +SV-230347: +Old: RHEL 8 must enable a user session lock until that user re-establishes +access using established identification and authentication procedures for +graphical user sessions. +New: RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. +--- +SV-230351: +Old: RHEL 8 must be able to initiate directly a session lock for all + connection types using smartcard when the smartcard is removed. +New: RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
+--- +SV-230352: +Old: RHEL 8 must automatically lock graphical user sessions after 15 +minutes of inactivity. +New: RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity. +--- +SV-230354: +Old: RHEL 8 must prevent a user from overriding the session lock-delay +setting for the graphical user interface. +New: RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface. +--- +SV-230355: +Old: RHEL 8 must map the authenticated identity to the user or group +account for PKI-based authentication. +New: RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication. +--- +SV-230357: +Old: RHEL 8 must enforce password complexity by requiring that at least one +uppercase character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. +--- +SV-230358: +Old: RHEL 8 must enforce password complexity by requiring that at least one +lower-case character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. +--- +SV-230359: +Old: RHEL 8 must enforce password complexity by requiring that at least one +numeric character be used. +New: RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. +--- +SV-230360: +Old: RHEL 8 must require the maximum number of repeating characters of the +same character class be limited to four when passwords are changed. +New: RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. +--- +SV-230361: +Old: RHEL 8 must require the maximum number of repeating characters be +limited to three when passwords are changed. +New: RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. 
+--- +SV-230363: +Old: RHEL 8 must require the change of at least 8 characters when passwords +are changed. +New: RHEL 8 must require the change of at least 8 characters when passwords are changed. +--- +SV-230364: +Old: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime +restriction in /etc/shadow. +New: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. +--- +SV-230366: +Old: RHEL 8 user account passwords must have a 60-day maximum password +lifetime restriction. +New: RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction. +--- +SV-230367: +Old: RHEL 8 user account passwords must be configured so that existing +passwords are restricted to a 60-day maximum lifetime. +New: RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. +--- +SV-230372: +Old: RHEL 8 must implement smart card logon for multifactor authentication +for access to interactive accounts. +New: RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. +--- +SV-230373: +Old: RHEL 8 account identifiers (individuals, groups, roles, and devices) + must be disabled after 35 days of inactivity. +New: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. +--- +SV-230378: +Old: RHEL 8 must enforce a delay of at least four seconds between logon +prompts following a failed logon attempt. +New: RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. +--- +SV-230380: +Old: RHEL 8 must not allow accounts configured with blank or null +passwords. +New: RHEL 8 must not allow accounts configured with blank or null passwords. +--- +SV-230381: +Old: RHEL 8 must display the date and time of the last successful account +logon upon logon. 
+New: RHEL 8 must display the date and time of the last successful account logon upon logon. +--- +SV-230382: +Old: RHEL 8 must display the date and time of the last successful account +logon upon an SSH logon. +New: RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. +--- +SV-230383: +Old: RHEL 8 must define default permissions for all authenticated users in +such a way that the user can only read and modify their own files. +New: RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. +--- +SV-230384: +Old: RHEL 8 must set the umask value to 077 for all local interactive user +accounts. +New: RHEL 8 must set the umask value to 077 for all local interactive user accounts. +--- +SV-230386: +Old: The RHEL 8 audit system must be configured to audit the execution of +privileged functions and prevent all software from executing at higher +privilege levels than users executing the software. +New: The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. +--- +SV-230388: +Old: The RHEL 8 System Administrator (SA) and Information System Security +Officer (ISSO) (at a minimum) must be alerted of an audit processing failure +event. +New: The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. +--- +SV-230389: +Old: The RHEL 8 Information System Security Officer (ISSO) and System +Administrator (SA) (at a minimum) must have mail aliases to be notified of an +audit processing failure. +New: The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. 
+--- +SV-230390: +Old: The RHEL 8 System must take appropriate action when an audit +processing failure occurs. +New: The RHEL 8 System must take appropriate action when an audit processing failure occurs. +--- +SV-230392: +Old: The RHEL 8 audit system must take appropriate action when the audit +storage volume is full. +New: The RHEL 8 audit system must take appropriate action when the audit storage volume is full. +--- +SV-230394: +Old: RHEL 8 must label all off-loaded audit logs before sending them to the +central log server. +New: RHEL 8 must label all off-loaded audit logs before sending them to the central log server. +--- +SV-230396: +Old: RHEL 8 audit logs must have a mode of 0600 or less permissive to +prevent unauthorized read access. +New: RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. +--- +SV-230397: +Old: RHEL 8 audit logs must be owned by root to prevent unauthorized read +access. +New: RHEL 8 audit logs must be owned by root to prevent unauthorized read access. +--- +SV-230398: +Old: RHEL 8 audit logs must be group-owned by root to prevent unauthorized +read access. +New: RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. +--- +SV-230399: +Old: RHEL 8 audit log directory must be owned by root to prevent +unauthorized read access. +New: RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. +--- +SV-230400: +Old: RHEL 8 audit log directory must be group-owned by root to prevent +unauthorized read access. +New: RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. +--- +SV-230401: +Old: RHEL 8 audit log directory must have a mode of 0700 or less permissive +to prevent unauthorized read access. +New: RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access. +--- +SV-230402: +Old: RHEL 8 audit system must protect auditing rules from unauthorized +change. 
+New: RHEL 8 audit system must protect auditing rules from unauthorized change.
+---
+SV-230404:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/shadow.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
+---
+SV-230405:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect
+/etc/security/opasswd.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
+---
+SV-230406:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/passwd.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
+---
+SV-230407:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/gshadow.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
+---
+SV-230408:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/group.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
+---
+SV-230409:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/sudoers.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
+---
+SV-230410:
+Old: RHEL 8 must generate audit records for all account creations,
+modifications, disabling, and termination events that affect /etc/sudoers.d/.
+New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/.
+---
+SV-230412:
+Old: Successful/unsuccessful uses of the su command in RHEL 8 must generate
+an audit record.
+New: Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
+---
+SV-230418:
+Old: Successful/unsuccessful uses of the chage command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
+---
+SV-230419:
+Old: Successful/unsuccessful uses of the chcon command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.
+---
+SV-230421:
+Old: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate
+an audit record.
+New: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.
+---
+SV-230422:
+Old: Successful/unsuccessful uses of the passwd command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record.
+---
+SV-230423:
+Old: Successful/unsuccessful uses of the mount command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record.
+---
+SV-230424:
+Old: Successful/unsuccessful uses of the umount command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record.
+---
+SV-230425:
+Old: Successful/unsuccessful uses of the mount syscall in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record.
+---
+SV-230426:
+Old: Successful/unsuccessful uses of the unix_update in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record.
+---
+SV-230427:
+Old: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record.
+---
+SV-230428:
+Old: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record.
+---
+SV-230429:
+Old: Successful/unsuccessful uses of semanage in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record.
+---
+SV-230430:
+Old: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record.
+---
+SV-230431:
+Old: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record.
+---
+SV-230432:
+Old: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record.
+---
+SV-230433:
+Old: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an
+audit record.
+New: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record.
+---
+SV-230434:
+Old: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.
+---
+SV-230435:
+Old: Successful/unsuccessful uses of the setfacl command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record.
+---
+SV-230436:
+Old: Successful/unsuccessful uses of the pam_timestamp_check command in
+RHEL 8 must generate an audit record.
+New: Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record.
+---
+SV-230437:
+Old: Successful/unsuccessful uses of the newgrp command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record.
+---
+SV-230444:
+Old: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.
+---
+SV-230446:
+Old: Successful/unsuccessful uses of the delete_module command in RHEL 8
+must generate an audit record.
+New: Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.
+---
+SV-230447:
+Old: Successful/unsuccessful uses of the crontab command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record.
+---
+SV-230448:
+Old: Successful/unsuccessful uses of the chsh command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record.
+---
+SV-230462:
+Old: Successful/unsuccessful uses of the sudo command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.
+---
+SV-230463:
+Old: Successful/unsuccessful uses of the usermod command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record.
+---
+SV-230464:
+Old: Successful/unsuccessful uses of the chacl command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record.
+---
+SV-230465:
+Old: Successful/unsuccessful uses of the kmod command in RHEL 8 must
+generate an audit record.
+New: Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record.
+---
+SV-230466:
+Old: Successful/unsuccessful modifications to the faillock log file in RHEL
+8 must generate an audit record.
+New: Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
+---
+SV-230467:
+Old: Successful/unsuccessful modifications to the lastlog file in RHEL 8
+must generate an audit record.
+New: Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.
+---
+SV-230468:
+Old: RHEL 8 must enable auditing of processes that start prior to the audit
+daemon.
+New: RHEL 8 must enable auditing of processes that start prior to the audit daemon.
+---
+SV-230469:
+Old: RHEL 8 must allocate an audit_backlog_limit of sufficient size to
+capture processes that start prior to the audit daemon.
+New: RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
+---
+SV-230471:
+Old: RHEL 8 must allow only the Information System Security Manager (ISSM)
+(or individuals or roles appointed by the ISSM) to select which auditable
+events are to be audited.
+New: RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
+---
+SV-230475:
+Old: RHEL 8 must use cryptographic mechanisms to protect the integrity of
+audit tools.
+New: RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.
+---
+SV-230476:
+Old: RHEL 8 must allocate audit record storage capacity to store at least
+one week of audit records, when audit records are not immediately sent to a
+central audit record storage facility.
+New: RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
+---
+SV-230477:
+Old: RHEL 8 must have the packages required for offloading audit logs
+installed.
+New: RHEL 8 must have the packages required for offloading audit logs installed.
+---
+SV-230478:
+Old: RHEL 8 must have the packages required for encrypting offloaded audit
+logs installed.
+New: RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
+---
+SV-230479:
+Old: The RHEL 8 audit records must be off-loaded onto a different system or
+storage media from the system being audited.
+New: The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.
+---
+SV-230480:
+Old: RHEL 8 must take appropriate action when the internal event queue is
+full.
+New: RHEL 8 must take appropriate action when the internal event queue is full.
+---
+SV-230481:
+Old: RHEL 8 must encrypt the transfer of audit records off-loaded onto a
+different system or media from the system being audited.
+New: RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
+---
+SV-230482:
+Old: RHEL 8 must authenticate the remote logging server for off-loading
+audit logs.
+New: RHEL 8 must authenticate the remote logging server for off-loading audit logs.
+---
+SV-230483:
+Old: RHEL 8 must take action when allocated audit record storage volume
+ reaches 75 percent of the repository maximum audit record storage capacity.
+New: RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
+---
+SV-230484:
+Old: RHEL 8 must securely compare internal information system clocks at
+least every 24 hours with a server synchronized to an authoritative time
+source, such as the United States Naval Observatory (USNO) time servers, or a
+time server designated for the appropriate DoD network (NIPRNet/SIPRNet),
+and/or the Global Positioning System (GPS).
+New: RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
+---
+SV-230491:
+Old: RHEL 8 must enable mitigations against processor-based
+vulnerabilities.
+New: RHEL 8 must enable mitigations against processor-based vulnerabilities.
+---
+SV-230493:
+Old: RHEL 8 must cover or disable the built-in or attached camera when not
+in use.
+New: RHEL 8 must cover or disable the built-in or attached camera when not in use.
+---
+SV-230497:
+Old: RHEL 8 must disable the transparent inter-process communication (TIPC)
+protocol.
+New: RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
+---
+SV-230500:
+Old: RHEL 8 must be configured to prohibit or restrict the use of
+functions, ports, protocols, and/or services, as defined in the Ports,
+Protocols, and Services Management (PPSM) Category Assignments List (CAL) and
+vulnerability assessments.
+New: RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
+---
+SV-230504:
+Old: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy
+for allowing connections to other systems.
+New: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
+---
+SV-230524:
+Old: RHEL 8 must block unauthorized peripherals before establishing a
+connection.
+New: RHEL 8 must block unauthorized peripherals before establishing a connection.
+---
+SV-230525:
+Old: A firewall must be able to protect against or limit the effects of
+Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting
+measures on impacted network interfaces.
+New: A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.
+---
+SV-230526:
+Old: All RHEL 8 networked systems must have and implement SSH to protect
+the confidentiality and integrity of transmitted and received information, as
+well as information during preparation for transmission.
+New: All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
+---
+SV-230527:
+Old: RHEL 8 must force a frequent session key renegotiation for SSH
+connections to the server.
+New: RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.
+---
+SV-230530:
+Old: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a
+graphical user interface is installed.
+New: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
+---
+SV-230531:
+Old: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be
+disabled.
+New: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
+---
+SV-230533:
+Old: The Trivial File Transfer Protocol (TFTP) server package must not be
+installed if not required for RHEL 8 operational support.
+New: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
+---
+SV-230534:
+Old: The root account must be the only account having unrestricted access
+to the RHEL 8 system.
+New: The root account must be the only account having unrestricted access to the RHEL 8 system.
+---
+SV-230535:
+Old: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP)
+redirect messages from being accepted.
+New: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+---
+SV-230536:
+Old: RHEL 8 must not send Internet Control Message Protocol (ICMP)
+redirects.
+New: RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
+---
+SV-230537:
+Old: RHEL 8 must not respond to Internet Control Message Protocol (ICMP)
+echoes sent to a broadcast address.
+New: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
+---
+SV-230542:
+Old: RHEL 8 must not accept router advertisements on all IPv6 interfaces by
+default.
+New: RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
+---
+SV-230543:
+Old: RHEL 8 must not allow interfaces to perform Internet Control Message
+Protocol (ICMP) redirects by default.
+New: RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
+---
+SV-230544:
+Old: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP)
+redirect messages.
+New: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
+---
+SV-230545:
+Old: RHEL 8 must disable access to network bpf syscall from unprivileged
+processes.
+New: RHEL 8 must disable access to network bpf syscall from unprivileged processes.
+---
+SV-230551:
+Old: The RHEL 8 file integrity tool must be configured to verify extended
+attributes.
+New: The RHEL 8 file integrity tool must be configured to verify extended attributes.
+---
+SV-230552:
+Old: The RHEL 8 file integrity tool must be configured to verify Access
+Control Lists (ACLs).
+New: The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
+---
+SV-230553:
+Old: The graphical display manager must not be installed on RHEL 8 unless
+approved.
+New: The graphical display manager must not be installed on RHEL 8 unless approved.
+---
+SV-230555:
+Old: RHEL 8 remote X connections for interactive users must be disabled
+unless to fulfill documented and validated mission requirements.
+New: RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
+---
+SV-230556:
+Old: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the
+proxy display.
+New: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
+---
+SV-230557:
+Old: If the Trivial File Transfer Protocol (TFTP) server is required, the
+RHEL 8 TFTP daemon must be configured to operate in secure mode.
+New: If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
+---
+SV-230558:
+Old: A File Transfer Protocol (FTP) server package must not be installed
+unless mission essential on RHEL 8.
+New: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
+---
+SV-230559:
+Old: The gssproxy package must not be installed unless mission essential on
+RHEL 8.
+New: The gssproxy package must not be installed unless mission essential on RHEL 8.
+---
+SV-230560:
+Old: The iprutils package must not be installed unless mission essential on
+RHEL 8.
+New: The iprutils package must not be installed unless mission essential on RHEL 8.
+---
+SV-230561:
+Old: The tuned package must not be installed unless mission essential on
+RHEL 8.
+New: The tuned package must not be installed unless mission essential on RHEL 8.
+---
+SV-237642:
+Old: RHEL 8 must use the invoking user's password for privilege escalation
+when using "sudo".
+New: RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".
+---
+SV-244519:
+Old: RHEL 8 must display a banner before granting local or remote access to
+the system via a graphical user logon.
+New: RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
+---
+SV-244521:
+Old: RHEL 8 operating systems booted with United Extensible Firmware
+Interface (UEFI) must require a unique superusers name upon booting into
+single-user mode and maintenance.
+New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.
+---
+SV-244523:
+Old: RHEL 8 operating systems must require authentication upon booting into
+emergency mode.
+New: RHEL 8 operating systems must require authentication upon booting into emergency mode.
+---
+SV-244524:
+Old: The RHEL 8 pam_unix.so module must be configured in the system-auth
+file to use a FIPS 140-2 approved cryptographic hashing algorithm for system
+authentication.
+New: The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
+---
+SV-244527:
+Old: RHEL 8 must have the packages required to use the hardware random
+number generator entropy gatherer service.
+New: RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
+---
+SV-244530:
+Old: RHEL 8 must prevent files with the setuid and setgid bit set from
+being executed on the /boot/efi directory.
+New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
+---
+SV-244531:
+Old: All RHEL 8 local interactive user home directory files must have mode
+0750 or less permissive.
+New: All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
+---
+SV-244532:
+Old: RHEL 8 must be configured so that all files and directories contained
+in local interactive user home directories are group-owned by a group of which
+the home directory owner is a member.
+New: RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
+---
+SV-244533:
+Old: RHEL 8 must configure the use of the pam_faillock.so module in the
+/etc/pam.d/system-auth file.
+New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
+---
+SV-244534:
+Old: RHEL 8 must configure the use of the pam_faillock.so module in the
+/etc/pam.d/password-auth file.
+New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
+---
+SV-244535:
+Old: RHEL 8 must initiate a session lock for graphical user interfaces when
+the screensaver is activated.
+New: RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
+---
+SV-244536:
+Old: RHEL 8 must disable the user list at logon for graphical user
+interfaces.
+New: RHEL 8 must disable the user list at logon for graphical user interfaces.
+---
+SV-244538:
+Old: RHEL 8 must prevent a user from overriding the session idle-delay
+setting for the graphical user interface.
+New: RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
+---
+SV-244539:
+Old: RHEL 8 must prevent a user from overriding the screensaver
+lock-enabled setting for the graphical user interface.
+New: RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
+---
+SV-244541:
+Old: RHEL 8 must not allow blank or null passwords in the password-auth
+file.
+New: RHEL 8 must not allow blank or null passwords in the password-auth file.
+---
+SV-244542:
+Old: RHEL 8 audit records must contain information to establish what type
+of events occurred, the source of events, where events occurred, and the
+outcome of events.
+New: RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
+---
+SV-244543:
+Old: RHEL 8 must notify the System Administrator (SA) and Information
+System Security Officer (ISSO) (at a minimum) when allocated audit record
+storage volume 75 percent utilization.
+New: RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
+---
+SV-244546:
+Old: The RHEL 8 fapolicy module must be configured to employ a deny-all,
+permit-by-exception policy to allow the execution of authorized software
+programs.
+New: The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
+---
+SV-244550:
+Old: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP)
+redirect messages from being accepted.
+New: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+---
+SV-244554:
+Old: RHEL 8 must enable hardening for the Berkeley Packet Filter
+Just-in-time compiler.
+New: RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
+---
+SV-250315:
+Old: RHEL 8 systems, versions 8.2 and above, must configure SELinux context
+ type to allow the use of a non-default faillock tally directory.
+New: RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
+---
+SV-257258:
+Old: RHEL 8 must terminate idle user sessions.
+New: RHEL 8.7 and higher must terminate idle user sessions.
+---
+
+
+### Updated Descriptions
+
+ Click to expand.
+SV-230221:
+Old:
+```
+An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
+
+ Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.
+
+ Note: The life-cycle time spans and dates are subject to adjustment.
+
+```
+New:
+```
+An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
+
+Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.
+Note: The life-cycle time spans and dates are subject to adjustment.
+
+```
+---
+SV-230222:
+Old:
+```
+Timely patching is critical for maintaining the operational
+ availability, confidentiality, and integrity of information technology (IT)
+ systems. However, failure to keep operating system and application software
+ patched is a common mistake made by IT professionals. New patches are released
+ daily, and it is often difficult for even experienced System Administrators to
+ keep abreast of all the new patches. When new weaknesses in an operating system
+ exist, patches are usually made available by the vendor to resolve the
+ problems. If the most recent security patches and updates are not installed,
+ unauthorized users may take advantage of weaknesses in the unpatched software.
+ The lack of prompt attention to patching could result in a system compromise.
+
+```
+New:
+```
+Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
+
+```
+---
+SV-230223:
+Old:
+```
+Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
+
+RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries.
+
+The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.
+
+```
+New:
+```
+Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
+
+RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries.
+
+The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.
+
+
+
+```
+---
+SV-230224:
+Old:
+```
+RHEL 8 systems handling data requiring "data at rest" protections
+ must employ cryptographic mechanisms to prevent unauthorized disclosure and
+ modification of the information at rest.
+
+ Selection of a cryptographic mechanism is based on the need to protect the
+integrity of organizational information. The strength of the mechanism is
+commensurate with the security category and/or classification of the
+information. Organizations have the flexibility to either encrypt all
+information on storage devices (i.e., full disk encryption) or encrypt specific
+data structures (e.g., files, records, or fields).
+
+```
+New:
+```
+RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
+
+Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
+
+
+
+```
+---
+SV-230225:
+Old:
+```
+Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+
+"I've read & consent to terms in IS user agreem't."
+
+```
+New:
+```
+Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+
+"I've read & consent to terms in IS user agreem't."
+
+
+
+```
+---
+SV-230226:
+Old:
+```
+Display of a standardized and approved use notification before
+granting access to the operating system ensures privacy and security
+notification verbiage used is consistent with applicable federal laws,
+Executive Orders, directives, policies, regulations, standards, and guidance.
+ + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + + The banner must be formatted in accordance with applicable DoD policy. Use +the following verbiage for operating systems that can accommodate banners of +1300 characters: + + "You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you +consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are +subject to routine monitoring, interception, and search, and may be disclosed +or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access +controls) to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to +PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
+ +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + +``` +--- +SV-230227: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. 
+ + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + + The banner must be formatted in accordance with applicable DoD policy. Use +the following verbiage for operating systems that can accommodate banners of +1300 characters: + + "You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you +consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are +subject to routine monitoring, interception, and search, and may be disclosed +or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access +controls) to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to +PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details." + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
+ +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + +``` +--- +SV-230229: +Old: +``` +Without path validation, an informed trust decision by the relying +party cannot be made when presented with any certificate not already explicitly +trusted. + + A trust anchor is an authoritative entity represented via a public key and +associated data. 
It is used in the context of public key infrastructures, X.509 +digital certificates, and DNSSEC. + + When there is a chain of trust, usually the top entity to be trusted +becomes the trust anchor; it can be, for example, a Certification Authority +(CA). A certification path starts with the subject certificate and proceeds +through a number of intermediate certificates up to a trusted root certificate, +typically issued by a trusted CA. + + This requirement verifies that a certification path to an accepted trust +anchor is used for certificate validation and that the path includes status +information. Path validation is necessary for a relying party to make an +informed trust decision when presented with any certificate not already +explicitly trusted. Status information for certification paths includes +certificate revocation lists or online certificate status protocol responses. +Validation of the certificate status information is out of scope for this +requirement. + +``` +New: +``` +Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. + +A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. + +This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. 
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. + + + +``` +--- +SV-230230: +Old: +``` +If an unauthorized user obtains access to a private key without a +passcode, that user would have unauthorized access to any system where the +associated public key has been installed. + +``` +New: +``` +If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed. + +``` +--- +SV-230231: +Old: +``` +Passwords need to be protected at all times, and encryption is the +standard method for protecting passwords. If passwords are not encrypted, they +can be plainly read (i.e., clear text) and easily compromised. + + Unapproved mechanisms that are used for authentication to the cryptographic +module are not verified and therefore cannot be relied upon to provide +confidentiality or integrity, and DoD data may be compromised. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD requirements. + +``` +New: +``` +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
+ +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. + +``` +--- +SV-230232: +Old: +``` +The system must use a strong hashing algorithm to store the password. + + Passwords need to be protected at all times, and encryption is the standard +method for protecting passwords. If passwords are not encrypted, they can be +plainly read (i.e., clear text) and easily compromised. + +``` +New: +``` +The system must use a strong hashing algorithm to store the password. + +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + +``` +--- +SV-230233: +Old: +``` +The system must use a strong hashing algorithm to store the password. +The system must use a sufficient number of hashing rounds to ensure the +required level of entropy. + + Passwords need to be protected at all times, and encryption is the standard +method for protecting passwords. If passwords are not encrypted, they can be +plainly read (i.e., clear text) and easily compromised. + +``` +New: +``` +The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. + +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + +``` +--- +SV-230234: +Old: +``` +If the system does not require valid authentication before it boots +into single-user or maintenance mode, anyone who invokes single-user or +maintenance mode is granted privileged access to all files on the system. 
GRUB +2 is the default boot loader for RHEL 8 and is designed to require a password +to boot into single-user mode or make modifications to the boot menu. + +``` +New: +``` +If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. + +``` +--- +SV-230235: +Old: +``` +If the system does not require valid authentication before it boots +into single-user or maintenance mode, anyone who invokes single-user or +maintenance mode is granted privileged access to all files on the system. GRUB +2 is the default boot loader for RHEL 8 and is designed to require a password +to boot into single-user mode or make modifications to the boot menu. + +``` +New: +``` +If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. + +``` +--- +SV-230236: +Old: +``` +If the system does not require valid root authentication before it +boots into emergency or rescue mode, anyone who invokes emergency or rescue +mode is granted privileged access to all files on the system. + +``` +New: +``` +If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. 
+ +``` +--- +SV-230237: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-230238: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + The key derivation function (KDF) in Kerberos is not FIPS compatible. +Ensuring the system does not have any keytab files present prevents system +daemons from using Kerberos for authentication. A keytab is a file containing +pairs of Kerberos principals and encrypted keys. 
+ + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +The key derivation function (KDF) in Kerberos is not FIPS compatible. Ensuring the system does not have any keytab files present prevents system daemons from using Kerberos for authentication. A keytab is a file containing pairs of Kerberos principals and encrypted keys. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-230239: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. + + Currently, Kerberos does not utilize FIPS 140-2 cryptography. + + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. 
+ +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +Currently, Kerberos does not utilize FIPS 140-2 cryptography. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-230240: +Old: +``` +Without verification of the security functions, security functions may +not operate correctly and the failure may go unnoticed. Security function is +defined as the hardware, software, and/or firmware of the information system +responsible for enforcing the system security policy and supporting the +isolation of code and data on which the protection is based. Security +functionality includes, but is not limited to, establishing system accounts, +configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + + This requirement applies to operating systems performing security function +verification/testing and/or systems and environments that require this +functionality. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + +``` +--- +SV-230241: +Old: +``` +Without verification of the security functions, security functions may +not operate correctly and the failure may go unnoticed. Security function is +defined as the hardware, software, and/or firmware of the information system +responsible for enforcing the system security policy and supporting the +isolation of code and data on which the protection is based. Security +functionality includes, but is not limited to, establishing system accounts, +configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + + Policycoreutils contains the policy core utilities that are required for +basic operation of an SELinux-enabled system. These utilities include +load_policy to load SELinux policies, setfile to label filesystems, newrole to +switch roles, and run_init to run /etc/init.d scripts in the proper context. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
+ +Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context. + +``` +--- +SV-230243: +Old: +``` +Preventing unauthorized information transfers mitigates the risk of +information, including encrypted representations of information, produced by +the actions of prior users/roles (or the actions of processes acting on behalf +of prior users/roles) from being available to any current users/roles (or +current processes) that obtain access to shared system resources (e.g., +registers, main memory, hard disks) after those resources have been released +back to information systems. The control of information in shared resources is +also commonly referred to as object reuse and residual information protection. + + This requirement generally applies to the design of an information +technology product, but it can also apply to the configuration of particular +information system components that are, or use, such products. This can be +verified by acceptance/validation processes in DoD or other government agencies. + + There may be shared resources with configurable protections (e.g., files in +storage) that may be assessed on specific information system components. + +``` +New: +``` +Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. + +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. + +``` +--- +SV-230244: +Old: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + + Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + + RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. 
The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +``` +New: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. 
+ + + +``` +--- +SV-230245: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230246: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. 
The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230247: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. 
+ +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230248: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230249: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. 
Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230250: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. 
Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +``` +--- +SV-230251: +Old: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
+ +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + + + +``` +--- +SV-230252: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. 
The SSH +configuration file has no effect on the ciphers, MACs, or algorithms unless +specifically defined in the /etc/sysconfig/sshd file. The employed algorithms +can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + + The system will attempt to use the first hash presented by the client that +matches the server list. Listing the values "strongest to weakest" is a +method to ensure the use of the strongest hash available to secure the SSH +connection. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + + + +``` +--- +SV-230253: +Old: +``` +The most important characteristic of a random number generator is its +randomness, namely its ability to deliver random numbers that are impossible to +predict. 
Entropy in computer security is associated with the unpredictability +of a source of randomness. The random source with high entropy tends to +achieve a uniform distribution of random values. Random number generators are +one of the most important building blocks of cryptosystems. + + The SSH implementation in RHEL8 uses the OPENSSL library, which does not +use high-entropy sources by default. By using the SSH_USE_STRONG_RNG +environment variable the OPENSSL random generator is reseeded from /dev/random. + This setting is not recommended on computers without the hardware random +generator because insufficient entropy causes the connection to be blocked +until enough entropy is available. + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available. + +``` +--- +SV-230254: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. 
+ + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The employed +algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config +file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + + + +``` +--- +SV-230255: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. 
+ + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The employed +algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config +file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + + + +``` +--- +SV-230256: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Transport Layer Security (TLS) encryption is a required security setting as +a number of known vulnerabilities have been reported against Secure Sockets +Layer (SSL) and earlier versions of TLS. Encryption of private information is +essential to ensuring data confidentiality. If private information is not +encrypted, it can be intercepted and easily read by an unauthorized party. 
SQL +Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all +non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 +specifies the preferred configurations for government systems. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + The GnuTLS library offers an API to access secure communications protocols. + SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto +policy defines employed algorithms in the +/etc/crypto-policies/back-ends/gnutls.config file. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library. 
The RHEL 8 system-wide crypto policy defines employed algorithms in the /etc/crypto-policies/back-ends/gnutls.config file. + + + +``` +--- +SV-230257: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230258: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. 
Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230259: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. 
Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230260: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230261: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. 
Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230262: +Old: +``` +If RHEL 8 were to allow any user to make changes to software +libraries, then those changes might be implemented without undergoing the +appropriate testing and approvals that are part of a robust change management +process. + + This requirement applies to RHEL 8 with software libraries that are +accessible and configurable, as in the case of interpreted languages. Software +libraries also include privileged programs that execute with escalated +privileges. Only qualified and authorized individuals will be allowed to obtain +access to information system components for purposes of initiating changes, +including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-230263: +Old: +``` +Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. + +RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. 
+ +``` +New: +``` +Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + +Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. + +This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. + +RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. + + + +``` +--- +SV-230264: +Old: +``` +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the software +has not been tampered with and that it has been provided by a trusted vendor. 
+ + Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. + + Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This verifies the +software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The +operating system should not have to verify the software again. This requirement +does not mandate DoD certificates for this purpose; however, the certificate +used to verify the software must be from an approved CA. + +``` +New: +``` +Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + +``` +--- +SV-230265: +Old: +``` +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the software +has not been tampered with and that it has been provided by a trusted vendor. 
+ + Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. + + Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This verifies the +software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The +operating system should not have to verify the software again. This requirement +does not mandate DoD certificates for this purpose; however, the certificate +used to verify the software must be from an approved CA. + +``` +New: +``` +Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + +``` +--- +SV-230267: +Old: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). 
Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). 
+ +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + +``` +New: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. 
The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + + + +``` +--- +SV-230268: +Old: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. 
An example of DAC includes user-controlled file permissions. + + When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + + By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + + /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf + /etc/sysctl.conf + +``` +New: +``` +Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + +When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + + + +``` +--- +SV-230271: +Old: +``` +Without reauthentication, users may access resources or perform tasks +for which they do not have authorization. + + When operating systems provide the capability to escalate a functional +capability, it is critical the user reauthenticate. + +``` +New: +``` +Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + + + +``` +--- +SV-230272: +Old: +``` +Without reauthentication, users may access resources or perform tasks +for which they do not have authorization. 
+ + When operating systems provide the capability to escalate a functional +capability, it is critical the user reauthenticate. + +``` +New: +``` +Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + + + +``` +--- +SV-230273: +Old: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) + or token that is separate from the information system, ensures that even if the + information system is compromised, credentials stored on the authentication + device will not be affected. + + Multifactor solutions that require devices separate from information + systems gaining access include, for example, hardware tokens providing + time-based or challenge-response authenticators and smart cards such as the + U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + + A privileged account is defined as an information system account with + authorizations of a privileged user. + + Remote access is access to DoD nonpublic information systems by an + authorized user (or an information system) communicating through an external, + non-organization-controlled network. Remote access methods include, for + example, dial-up, broadband, and wireless. + + This requirement only applies to components where this is specific to the + function of the device or has the concept of an organizational user (e.g., VPN, + proxy capability). This does not apply to authentication for the purpose of + configuring the device itself (management). + +``` +New: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. 
+ +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + +A privileged account is defined as an information system account with authorizations of a privileged user. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). + +``` +--- +SV-230274: +Old: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) + or token that is separate from the information system, ensures that even if the + information system is compromised, credentials stored on the authentication + device will not be affected. + + Multifactor solutions that require devices separate from information + systems gaining access include, for example, hardware tokens providing + time-based or challenge-response authenticators and smart cards such as the + U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + + RHEL 8 includes multiple options for configuring certificate status +checking, but for this requirement focuses on the System Security Services +Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol +(OCSP) checking and certificate verification using a sha256 digest function. 
+ +``` +New: +``` +Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + +Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + +RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. + + + +``` +--- +SV-230275: +Old: +``` +The use of PIV credentials facilitates standardization and reduces the + risk of unauthorized access. + + The DoD has mandated the use of the Common Access Card (CAC) to support + identity management and personal authentication for systems covered under + Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a + primary component of layered protection for national security systems. + +``` +New: +``` +The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. + +The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. + +``` +--- +SV-230276: +Old: +``` +Some adversaries launch attacks with the intent of executing code in +non-executable regions of memory or in memory locations that are prohibited. 
+Security safeguards employed to protect memory include, for example, data +execution prevention and address space layout randomization. Data execution +prevention safeguards can be either hardware-enforced or software-enforced with +hardware providing the greater strength of mechanism. + + Examples of attacks are buffer overflow attacks. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Examples of attacks are buffer overflow attacks. + +``` +--- +SV-230277: +Old: +``` +Some adversaries launch attacks with the intent of executing code in +non-executable regions of memory or in memory locations that are prohibited. +Security safeguards employed to protect memory include, for example, data +execution prevention and address space layout randomization. Data execution +prevention safeguards can be either hardware-enforced or software-enforced with +hardware providing the greater strength of mechanism. + + Poisoning writes an arbitrary value to freed pages, so any modification or +reference to that page after being freed or before being initialized will be +detected and prevented. This prevents many types of use-after-free +vulnerabilities at little performance cost. Also prevents leak of data and +detection of corrupted memory. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. 
Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + + + +``` +--- +SV-230278: +Old: +``` +Syscalls are special routines in the Linux kernel, which userspace +applications ask to do privileged tasks. Invoking a system call is an +expensive operation because the processor must interrupt the currently +executing task and switch context to kernel mode and then back to userspace +after the system call completes. Virtual Syscalls map into user space a page +that contains some variables and the implementation of some system calls. This +allows the system calls to be executed in userspace to alleviate the context +switching expense. + + Virtual Syscalls provide an opportunity of attack for a user who has +control of the return instruction pointer. Disabling vsyscalls help to prevent +return oriented programming (ROP) attacks via buffer overflows and overruns. If +the system intends to run containers based on RHEL 6 components, then virtual +syscalls will need enabled so the components function properly. + +``` +New: +``` +Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. 
+ +Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly. + + + +``` +--- +SV-230279: +Old: +``` +Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + +SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. + +``` +New: +``` +Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. 
Also prevents leak of data and detection of corrupted memory. + +SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. + + + +``` +--- +SV-230281: +Old: +``` +Previous versions of software components that are not removed from the +information system after updates have been installed may be exploited by +adversaries. Some information technology products may remove older versions of +software automatically from the information system. + +``` +New: +``` +Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. + +``` +--- +SV-230282: +Old: +``` +Without verification of the security functions, security functions may +not operate correctly and the failure may go unnoticed. Security function is +defined as the hardware, software, and/or firmware of the information system +responsible for enforcing the system security policy and supporting the +isolation of code and data on which the protection is based. Security +functionality includes, but is not limited to, establishing system accounts, +configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + + This requirement applies to operating systems performing security function +verification/testing and/or systems and environments that require this +functionality. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + +``` +--- +SV-230283: +Old: +``` +The "shosts.equiv" files are used to configure host-based +authentication for the system via SSH. Host-based authentication is not +sufficient for preventing unauthorized access to the system, as it does not +require interactive identification and authentication of a connection request, +or for the use of two-factor authentication. + +``` +New: +``` +The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. + +``` +--- +SV-230284: +Old: +``` +The ".shosts" files are used to configure host-based authentication +for individual users or the system via SSH. Host-based authentication is not +sufficient for preventing unauthorized access to the system, as it does not +require interactive identification and authentication of a connection request, +or for the use of two-factor authentication. + +``` +New: +``` +The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. 
+ +``` +--- +SV-230285: +Old: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + +``` +--- +SV-230286: +Old: +``` +If a public host key file is modified by an unauthorized user, the SSH +service may be compromised. + +``` +New: +``` +If a public host key file is modified by an unauthorized user, the SSH service may be compromised. + +``` +--- +SV-230287: +Old: +``` +If an unauthorized user obtains the private SSH host key file, the +host could be impersonated. + +``` +New: +``` +If an unauthorized user obtains the private SSH host key file, the host could be impersonated. + +``` +--- +SV-230288: +Old: +``` +If other users have access to modify user-specific SSH configuration +files, they may be able to log on to the system as another user. 
+
+```
+New:
+```
+If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
+
+```
+---
+SV-230290:
+Old:
+```
+Configuring this setting for the SSH daemon provides additional
+assurance that remote logon via SSH will require a password, even in the event
+of misconfiguration elsewhere.
+
+```
+New:
+```
+Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
+
+```
+---
+SV-230291:
+Old:
+```
+Configuring these settings for the SSH daemon provides additional
+assurance that remote logon via SSH will not use unused methods of
+authentication, even in the event of misconfiguration elsewhere.
+
+```
+New:
+```
+Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.
+
+```
+---
+SV-230292:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230293:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230294:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230295:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230296:
+Old:
+```
+Even though the communications channel may be encrypted, an additional
+layer of security is gained by extending the policy of not logging on directly
+as root. In addition, logging on with a user-specific account provides
+individual accountability of actions performed on the system.
+
+```
+New:
+```
+Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.
+
+```
+---
+SV-230298:
+Old:
+```
+Configuring RHEL 8 to implement organization-wide security
+implementation guides and security checklists ensures compliance with federal
+standards and establishes a common security baseline across the DoD that
+reflects the most restrictive security posture consistent with operational
+requirements.
+
+ Configuration settings are the set of parameters that can be changed in
+hardware, software, or firmware components of the system that affect the
+security posture and/or functionality of the system. Security-related
+parameters are those parameters impacting the security state of the system,
+including the parameters required to satisfy other security control
+requirements.
Security-related parameters include, for example: registry
+settings; account, file, directory permission settings; and settings for
+functions, ports, protocols, services, and remote connections.
+
+```
+New:
+```
+Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
+
+Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
+
+```
+---
+SV-230299:
+Old:
+```
+The "nosuid" mount option causes the system not to execute
+"setuid" and "setgid" files with owner privileges. This option must be used
+for mounting any file system not containing approved "setuid" and "setguid"
+files. Executing files from untrusted file systems increases the opportunity
+for unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230300:
+Old:
+```
+The "nosuid" mount option causes the system not to execute
+"setuid" and "setgid" files with owner privileges. This option must be used
+for mounting any file system not containing approved "setuid" and "setguid"
+files. Executing files from untrusted file systems increases the opportunity
+for unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230301:
+Old:
+```
+The "nodev" mount option causes the system to not interpret
+character or block special devices. Executing character or block special
+devices from untrusted file systems increases the opportunity for unprivileged
+users to attain unauthorized administrative access. The only legitimate
+location for device files is the /dev directory located on the root partition.
+
+```
+New:
+```
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.
+
+```
+---
+SV-230302:
+Old:
+```
+The "noexec" mount option causes the system not to execute binary
+files. This option must be used for mounting any file system not containing
+approved binary files, as they may be incompatible. Executing files from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+```
+New:
+```
+The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230303:
+Old:
+```
+The "nodev" mount option causes the system not to interpret
+character or block special devices. Executing character or block special
+devices from untrusted file systems increases the opportunity for unprivileged
+users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230304:
+Old:
+```
+The "noexec" mount option causes the system not to execute binary
+files. This option must be used for mounting any file system not containing
+approved binary files, as they may be incompatible. Executing files from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+```
+New:
+```
+The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230305:
+Old:
+```
+The "nosuid" mount option causes the system not to execute
+"setuid" and "setgid" files with owner privileges. This option must be used
+for mounting any file system not containing approved "setuid" and "setguid"
+files.
Executing files from untrusted file systems increases the opportunity
+for unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230306:
+Old:
+```
+The "noexec" mount option causes the system not to execute binary
+files. This option must be used for mounting any file system not containing
+approved binary as they may be incompatible. Executing files from untrusted
+file systems increases the opportunity for unprivileged users to attain
+unauthorized administrative access.
+
+```
+New:
+```
+The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230307:
+Old:
+```
+The "nodev" mount option causes the system to not interpret
+character or block special devices. Executing character or block special
+devices from untrusted file systems increases the opportunity for unprivileged
+users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230308:
+Old:
+```
+The "nosuid" mount option causes the system not to execute
+"setuid" and "setgid" files with owner privileges.
This option must be used
+for mounting any file system not containing approved "setuid" and "setguid"
+files. Executing files from untrusted file systems increases the opportunity
+for unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230309:
+Old:
+```
+If user start-up files execute world-writable programs, especially in
+unprotected directories, they could be maliciously modified to destroy user
+files or otherwise compromise the system at the user level. If the system is
+compromised at the user level, it is easier to elevate privileges to eventually
+compromise the system at the root and network level.
+
+```
+New:
+```
+If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
+
+```
+---
+SV-230310:
+Old:
+```
+Kernel core dumps may contain the full contents of system memory at
+the time of the crash. Kernel core dumps may consume a considerable amount of
+disk space and may result in denial of service by exhausting the available
+space on the target file system partition.
+
+ RHEL 8 installation media presents the option to enable or disable the
+kdump service at the time of system installation.
+
+```
+New:
+```
+Kernel core dumps may contain the full contents of system memory at the time of the crash.
Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.
+
+RHEL 8 installation media presents the option to enable or disable the kdump service at the time of system installation.
+
+```
+---
+SV-230312:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data and is
+generally useful only for developers trying to debug problems.
+
+ When the kernel invokes systemd-coredumpt to handle a core dump, it runs in
+privileged mode, and will connect to the socket created by the
+systemd-coredump.socket unit. This, in turn, will spawn an unprivileged
+systemd-coredump@.service instance to process the core dump.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
+
+When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.
+
+```
+---
+SV-230313:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data and is
+generally useful only for developers trying to debug problems.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
+
+```
+---
+SV-230314:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data and is
+generally useful only for developers trying to debug problems.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured.
They increase the risk to the platform by providing additional attack vectors.
+
+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
+
+```
+---
+SV-230315:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data and is
+generally useful only for developers trying to debug problems.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
+
+```
+---
+SV-230316:
+Old:
+```
+To provide availability for name resolution services, multiple
+redundant name servers are mandated. A failure in name resolution could lead to
+the failure of security functions requiring name resolution, which may include
+time synchronization, centralized authentication, and remote system logging.
+
+```
+New:
+```
+To provide availability for name resolution services, multiple redundant name servers are mandated.
A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
+
+```
+---
+SV-230317:
+Old:
+```
+The executable search path (typically the PATH environment variable)
+contains a list of directories for the shell to search to find executables. If
+this path includes the current working directory (other than the user's home
+directory), executables in these directories may be executed instead of system
+commands. This variable is formatted as a colon-separated list of directories.
+If there is an empty entry, such as a leading or trailing colon or two
+consecutive colons, this is interpreted as the current working directory. If
+deviations from the default system search path for the local interactive user
+are required, they must be documented with the Information System Security
+Officer (ISSO).
+
+```
+New:
+```
+The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
+
+```
+---
+SV-230318:
+Old:
+```
+If a world-writable directory is not owned by root, sys, bin, or an
+application User Identifier (UID), unauthorized users may be able to modify
+files created by others.
+
+ The only authorized public directories are those temporary directories
+supplied with the system or those designed to be temporary file repositories.
+The setting is normally reserved for directories used by the system and by
+users for temporary file storage, (e.g., /tmp), and for directories requiring
+global read/write access.
+
+```
+New:
+```
+If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
+
+The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.
+
+```
+---
+SV-230319:
+Old:
+```
+If a world-writable directory is not group-owned by root, sys, bin, or
+an application Group Identifier (GID), unauthorized users may be able to modify
+files created by others.
+
+ The only authorized public directories are those temporary directories
+supplied with the system or those designed to be temporary file repositories.
+The setting is normally reserved for directories used by the system and by
+users for temporary file storage, (e.g., /tmp), and for directories requiring
+global read/write access.
+
+```
+New:
+```
+If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
+
+The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.
+
+```
+---
+SV-230320:
+Old:
+```
+If local interactive users are not assigned a valid home directory,
+there is no place for the storage and control of files they should own.
+
+```
+New:
+```
+If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
+
+```
+---
+SV-230321:
+Old:
+```
+Excessive permissions on local interactive user home directories may
+allow unauthorized access to user files by other users.
+
+```
+New:
+```
+Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
+
+```
+---
+SV-230322:
+Old:
+```
+If the Group Identifier (GID) of a local interactive user’s home
+directory is not the same as the primary GID of the user, this would allow
+unauthorized access to the user’s files, and users that share the same group
+may not be able to access files that they legitimately should.
+
+```
+New:
+```
+If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.
+
+```
+---
+SV-230323:
+Old:
+```
+If a local interactive user has a home directory defined that does not
+exist, the user may be given access to the "/" directory as the current
+working directory upon logon. This could create a denial of service because the
+user would not be able to access their logon configuration files, and it may
+give them visibility to system files they normally would not be able to access.
+
+```
+New:
+```
+If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon.
This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
+
+```
+---
+SV-230324:
+Old:
+```
+If local interactive users are not assigned a valid home directory,
+there is no place for the storage and control of files they should own.
+
+```
+New:
+```
+If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
+
+```
+---
+SV-230325:
+Old:
+```
+Local initialization files are used to configure the user's shell
+environment upon logon. Malicious modification of these files could compromise
+accounts upon logon.
+
+```
+New:
+```
+Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
+
+```
+---
+SV-230326:
+Old:
+```
+Unowned files and directories may be unintentionally inherited if a
+user is assigned the same User Identifier "UID" as the UID of the un-owned
+files.
+
+```
+New:
+```
+Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.
+
+```
+---
+SV-230327:
+Old:
+```
+Files without a valid group owner may be unintentionally inherited if
+a group is assigned the same Group Identifier (GID) as the GID of the files
+without a valid group owner.
+
+```
+New:
+```
+Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.
+
+```
+---
+SV-230328:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-230329:
+Old:
+```
+Failure to restrict system access to authenticated users negatively
+impacts operating system security.
+
+```
+New:
+```
+Failure to restrict system access to authenticated users negatively impacts operating system security.
+
+```
+---
+SV-230330:
+Old:
+```
+SSH environment options potentially allow users to bypass access
+restriction in some configurations.
+
+```
+New:
+```
+SSH environment options potentially allow users to bypass access restriction in some configurations.
+
+```
+---
+SV-230331:
+Old:
+```
+If temporary user accounts remain active when no longer needed or for
+an excessive period, these accounts may be used to gain unauthorized access. To
+mitigate this risk, automated termination of all temporary accounts must be set
+upon account creation.
+
+ Temporary accounts are established as part of normal account activation
+procedures when there is a need for short-term accounts without the demand for
+immediacy in account activation.
+
+ If temporary accounts are used, RHEL 8 must be configured to automatically
+terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+ To address access requirements, many RHEL 8 operating systems may be
+integrated with enterprise-level authentication/access mechanisms that meet or
+exceed access control policy requirements.
+
+```
+New:
+```
+If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
+
+Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
+
+If temporary accounts are used, RHEL 8 must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+To address access requirements, many RHEL 8 operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
+
+```
+---
+SV-230332:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230333:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230334:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230335:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230336:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230337:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot.
If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230338:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230339:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.)
users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230340:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230341:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module.
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230342:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+
+
+```
+---
+SV-230343:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module.
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230344:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that
+manual changes to the listed files may be overwritten by the "authselect"
+program.
+
+ From "Pam_Faillock" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
+
+From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+
+
+```
+---
+SV-230345:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to
+centralize the configuration of the pam_faillock.so module. Also introduced is
+a "local_users_only" option that will only track failed user authentication
+attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
+etc.) users to allow the centralized platform to solely manage user lockout.
+
+ From "faillock.conf" man pages: Note that the default directory that
+"pam_faillock" uses is usually cleared on system boot so the access will be
+reenabled after system reboot. If that is undesirable a different tally
+directory must be set with the "dir" option.
+
+```
+New:
+```
+By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module.
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
+
+
+
+```
+---
+SV-230346:
+Old:
+```
+Operating system management includes the ability to control the number
+of users and user sessions that utilize an operating system. Limiting the
+number of allowed users and sessions per user is helpful in reducing the risks
+related to DoS attacks.
+
+ This requirement addresses concurrent sessions for information system
+accounts and does not address concurrent sessions by single users via multiple
+system accounts. The maximum number of concurrent sessions should be defined
+based on mission needs and the operational environment for each system.
+
+```
+New:
+```
+Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
+
+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.
+
+```
+---
+SV-230347:
+Old:
+```
+A session lock is a temporary action taken when a user stops work and
+moves away from the immediate physical vicinity of the information system but
+does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be
+determined.
+
+ Regardless of where the session lock is determined and implemented, once
+invoked, the session lock must remain in place until the user reauthenticates.
+No other activity aside from reauthentication must unlock the system.
+
+```
+New:
+```
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined.
+
+Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.
+
+
+
+```
+---
+SV-230351:
+Old:
+```
+A session lock is a temporary action taken when a user stops work and
+ moves away from the immediate physical vicinity of the information system but
+ does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be
+ determined. Rather than be forced to wait for a period of time to expire before
+ the user session can be locked, RHEL 8 needs to provide users with the ability
+ to manually invoke a session lock so users can secure their session if it is
+ necessary to temporarily vacate the immediate physical vicinity.
+
+```
+New:
+```
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined.
Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
+
+
+
+```
+---
+SV-230352:
+Old:
+```
+A session lock is a temporary action taken when a user stops work and
+moves away from the immediate physical vicinity of the information system but
+does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be
+determined. Rather than be forced to wait for a period of time to expire before
+the user session can be locked, RHEL 8 needs to provide users with the ability
+to manually invoke a session lock so users can secure their session if it is
+necessary to temporarily vacate the immediate physical vicinity.
+
+```
+New:
+```
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
+
+
+
+```
+---
+SV-230354:
+Old:
+```
+A session time-out lock is a temporary action taken when a user stops
+work and moves away from the immediate physical vicinity of the information
+system but does not log out because of the temporary nature of the absence.
+Rather than relying on the user to manually lock their operating system session
+prior to vacating the vicinity, operating systems need to be able to identify
+when a user's session has idled and take action to initiate the session lock.
+
+ The session lock is implemented at the point where session activity can be
+determined and/or controlled.
+
+ Implementing session settings will have little value if a user is able to
+manipulate these settings from the defaults prescribed in the other
+requirements of this implementation guide.
+
+ Locking these settings from non-privileged users is crucial to maintaining
+a protected baseline.
+
+```
+New:
+```
+A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.
+
+Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.
+
+Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
+
+
+
+```
+---
+SV-230355:
+Old:
+```
+Without mapping the certificate used to authenticate to the user
+account, the ability to determine the identity of the individual user or group
+will not be available for forensic analysis.
+
+ There are various methods of mapping certificates to user/group accounts
+for RHEL 8. For the purposes of this requirement, the check and fix will
+account for Active Directory mapping.
Some of the other possible methods
+include joining the system to a domain and utilizing a Red Hat idM server, or a
+local system mapping, where the system is not part of a domain.
+
+```
+New:
+```
+Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
+
+There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain.
+
+```
+---
+SV-230357:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.
+Note that in order to require uppercase characters, without degrading the
+"minlen" value, the credit value must be expressed as a negative number in
+"/etc/security/pwquality.conf".
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password.
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
+
+```
+---
+SV-230358:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.
+Note that in order to require lower-case characters without degrading the
+"minlen" value, the credit value must be expressed as a negative number in
+"/etc/security/pwquality.conf".
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
+
+```
+---
+SV-230359:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. Note that in order to require numeric characters, without degrading
+the minlen value, the credit value must be expressed as a negative number in
+"/etc/security/pwquality.conf".
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
+
+```
+---
+SV-230360:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password.
The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. The "maxclassrepeat" option sets the maximum number of allowed
+same consecutive characters in the same class in the new password.
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password.
+
+```
+---
+SV-230361:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. The "maxrepeat" option sets the maximum number of allowed same
+consecutive characters in a new password.
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password.
+
+```
+---
+SV-230362:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. The "minclass" option sets the minimum number of required classes
+of characters for the new password (digits, uppercase, lowercase, others).
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity.
The "minclass" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others).
+
+```
+---
+SV-230363:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password. The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. The "difok" option sets the number of characters in a password
+that must not be present in the old password.
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "difok" option sets the number of characters in a password that must not be present in the old password.
+
+```
+---
+SV-230364:
+Old:
+```
+Enforcing a minimum password lifetime helps to prevent repeated
+password changes to defeat the password reuse or history enforcement
+requirement. If users are allowed to immediately and continually change their
+password, the password could be repeatedly changed in a short period of time to
+defeat the organization's policy regarding password reuse.
+
+```
+New:
+```
+Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
+
+```
+---
+SV-230365:
+Old:
+```
+Enforcing a minimum password lifetime helps to prevent repeated
+password changes to defeat the password reuse or history enforcement
+requirement. If users are allowed to immediately and continually change their
+password, the password could be repeatedly changed in a short period of time to
+defeat the organization's policy regarding password reuse.
+
+```
+New:
+```
+Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
+
+```
+---
+SV-230366:
+Old:
+```
+Any password, no matter how complex, can eventually be cracked.
+Therefore, passwords need to be changed periodically. If RHEL 8 does not limit
+the lifetime of passwords and force users to change their passwords, there is
+the risk that RHEL 8 passwords could be compromised.
+
+```
+New:
+```
+Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.
+
+```
+---
+SV-230367:
+Old:
+```
+Any password, no matter how complex, can eventually be cracked.
+Therefore, passwords need to be changed periodically.
If RHEL 8 does not limit
+the lifetime of passwords and force users to change their passwords, there is
+the risk that RHEL 8 passwords could be compromised.
+
+```
+New:
+```
+Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.
+
+```
+---
+SV-230369:
+Old:
+```
+The shorter the password, the lower the number of possible
+combinations that need to be tested before the password is compromised.
+
+ Password complexity, or strength, is a measure of the effectiveness of a
+password in resisting attempts at guessing and brute-force attacks. Password
+length is one factor of several that helps to determine strength and how long
+it takes to crack a password. Use of more characters in a password helps to
+increase exponentially the time and/or resources required to compromise the
+password.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. Configurations are set in the "etc/security/pwquality.conf" file.
+
+ The "minlen", sometimes noted as minimum length, acts as a "score" of
+complexity based on the credit components of the "pwquality" module. By
+setting the credit components to a negative value, not only will those
+components be required, they will not count towards the total "score" of
+"minlen". This will enable "minlen" to require a 15-character minimum.
+
+ The DoD minimum password requirement is 15 characters.
+
+```
+New:
+```
+The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.
Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file.
+
+The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum.
+
+The DoD minimum password requirement is 15 characters.
+
+```
+---
+SV-230370:
+Old:
+```
+The shorter the password, the lower the number of possible
+combinations that need to be tested before the password is compromised.
+
+ Password complexity, or strength, is a measure of the effectiveness of a
+password in resisting attempts at guessing and brute-force attacks. Password
+length is one factor of several that helps to determine strength and how long
+it takes to crack a password. Use of more characters in a password helps to
+increase exponentially the time and/or resources required to compromise the
+password.
+
+ The DoD minimum password requirement is 15 characters.
+
+```
+New:
+```
+The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
+
+The DoD minimum password requirement is 15 characters.
+
+```
+---
+SV-230371:
+Old:
+```
+To ensure accountability and prevent unauthenticated access,
+interactive users must be identified and authenticated to prevent potential
+misuse and compromise of the system.
+
+ Interactive users include organizational employees or individuals the
+organization deems to have equivalent status of employees (e.g., contractors).
+Interactive users (and processes acting on behalf of users) must be uniquely
+identified and authenticated to all accesses, except for the following:
+
+ 1) Accesses explicitly identified and documented by the organization.
+Organizations document specific user actions that can be performed on the
+information system without identification or authentication; and
+
+ 2) Accesses that occur through authorized use of group authenticators
+without individual authentication. Organizations may require unique
+identification of individuals in group accounts (e.g., shared privilege
+accounts) or for detailed accountability of individual activity.
+
+```
+New:
+```
+To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
+
+Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
+
+1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and
+
+2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
+
+
+
+```
+---
+SV-230372:
+Old:
+```
+Using an authentication device, such as a Common Access Card (CAC) or
+token that is separate from the information system, ensures that even if the
+information system is compromised, that compromise will not affect credentials
+stored on the authentication device.
+
+ Multifactor solutions that require devices separate from information
+systems gaining access include, for example, hardware tokens providing
+time-based or challenge-response authenticators and smart cards such as the
+U.S. Government Personal Identity Verification card and the DoD CAC.
+
+ There are various methods of implementing multifactor authentication for
+RHEL 8. Some methods include a local system multifactor account mapping or
+joining the system to a domain and utilizing a Red Hat idM server or Microsoft
+Windows Active Directory server. Any of these methods will require that the
+client operating system handle the multifactor authentication correctly.
+
+```
+New:
+```
+Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD CAC.
+
+There are various methods of implementing multifactor authentication for RHEL 8. Some methods include a local system multifactor account mapping or joining the system to a domain and utilizing a Red Hat idM server or Microsoft Windows Active Directory server. Any of these methods will require that the client operating system handle the multifactor authentication correctly.
+
+
+
+```
+---
+SV-230373:
+Old:
+```
+Inactive identifiers pose a risk to systems and applications because
+ attackers may exploit an inactive identifier and potentially obtain undetected
+ access to the system. Owners of inactive accounts will not notice if
+ unauthorized access to their user account has been obtained.
+
+ RHEL 8 needs to track periods of inactivity and disable application
+ identifiers after 35 days of inactivity.
+
+```
+New:
+```
+Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
+
+RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.
+
+```
+---
+SV-230374:
+Old:
+```
+Temporary accounts are privileged or nonprivileged accounts that are
+ established during pressing circumstances, such as new software or hardware
+ configuration or an incident response, where the need for prompt account
+ activation requires bypassing normal account authorization procedures.
+
+ If any inactive temporary accounts are left enabled on the system and are
+ not either manually removed or automatically expired within 72 hours, the
+ security posture of the system will be degraded and exposed to exploitation
+ by unauthorized users or insider threat actors.
+
+ Temporary accounts are different from emergency accounts. Emergency accounts,
+ also known as "last resort" or "break glass" accounts, are local logon accounts
+ enabled on the system for emergency use by authorized system administrators
+ to manage a system when standard logon methods are failing or not available.
+
+ Emergency accounts are not subject to manual removal or scheduled expiration
+ requirements.
+
+ The automatic expiration of temporary accounts may be extended as needed by
+ the circumstances but it must not be extended indefinitely. A documented
+ permanent account should be established for privileged users who need long-term
+ maintenance accounts.
+
+```
+New:
+```
+Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors.
+
+Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.
+
+The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts.
+
+```
+---
+SV-230375:
+Old:
+```
+Use of a complex password helps to increase the time and resources
+required to compromise the password. Password complexity, or strength, is a
+measure of the effectiveness of a password in resisting attempts at guessing
+and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it
+takes to crack a password.
The more complex the password, the greater the
+number of possible combinations that need to be tested before the password is
+compromised.
+
+ RHEL 8 utilizes "pwquality" as a mechanism to enforce password
+complexity. Note that to require special characters without degrading the
+"minlen" value, the credit value must be expressed as a negative number in
+"/etc/security/pwquality.conf".
+
+```
+New:
+```
+Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
+
+```
+---
+SV-230376:
+Old:
+```
+If cached authentication information is out-of-date, the validity of
+the authentication information may be questionable.
+
+RHEL 8 includes multiple options for configuring authentication, but this
+requirement will be focus on the System Security Services Daemon (SSSD). By
+default sssd does not cache credentials.
+
+```
+New:
+```
+If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
+
+RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials.
+
+```
+---
+SV-230377:
+Old:
+```
+If RHEL 8 allows the user to select passwords based on dictionary
+words, this increases the chances of password compromise by increasing the
+opportunity for successful guesses, and brute-force attacks.
+
+```
+New:
+```
+If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.
+
+```
+---
+SV-230378:
+Old:
+```
+Configuring the operating system to implement organization-wide
+security implementation guides and security checklists verifies compliance with
+federal standards and establishes a common security baseline across the DoD
+that reflects the most restrictive security posture consistent with operational
+requirements.
+
+ Configuration settings are the set of parameters that can be changed in
+hardware, software, or firmware components of the system that affect the
+security posture and/or functionality of the system. Security-related
+parameters are those parameters impacting the security state of the system,
+including the parameters required to satisfy other security control
+requirements. Security-related parameters include, for example, registry
+settings; account, file, and directory permission settings; and settings for
+functions, ports, protocols, services, and remote connections.
+
+```
+New:
+```
+Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
+
+Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system.
Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
+
+```
+---
+SV-230379:
+Old:
+```
+Accounts providing no operational purpose provide additional
+opportunities for system compromise. Unnecessary accounts include user accounts
+for individuals not requiring access to the system and application accounts for
+applications not installed on the system.
+
+```
+New:
+```
+Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
+
+```
+---
+SV-230380:
+Old:
+```
+If an account has an empty password, anyone could log on and run
+commands with the privileges of that account. Accounts with empty passwords
+should never be used in operational environments.
+
+```
+New:
+```
+If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
+
+```
+---
+SV-230381:
+Old:
+```
+Providing users with feedback on when account accesses last occurred
+facilitates user recognition and reporting of unauthorized account use.
+
+```
+New:
+```
+Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
+
+```
+---
+SV-230382:
+Old:
+```
+Providing users with feedback on when account accesses via SSH last
+occurred facilitates user recognition and reporting of unauthorized account
+use.
+
+```
+New:
+```
+Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.
+
+```
+---
+SV-230383:
+Old:
+```
+Setting the most restrictive default permissions ensures that when new
+accounts are created, they do not have unnecessary access.
+
+```
+New:
+```
+Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
+
+```
+---
+SV-230384:
+Old:
+```
+The umask controls the default access mode assigned to newly created
+files. A umask of 077 limits new files to mode 600 or less permissive. Although
+umask can be represented as a four-digit number, the first digit representing
+special access modes is typically ignored or required to be "0". This
+requirement applies to the globally configured system defaults and the local
+interactive user defaults for each account on the system.
+
+```
+New:
+```
+The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.
+
+```
+---
+SV-230385:
+Old:
+```
+The umask controls the default access mode assigned to newly created
+files. A umask of 077 limits new files to mode 600 or less permissive. Although
+umask can be represented as a four-digit number, the first digit representing
+special access modes is typically ignored or required to be "0". This
+requirement applies to the globally configured system defaults and the local
+interactive user defaults for each account on the system.
+
+```
+New:
+```
+The umask controls the default access mode assigned to newly created files.
A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.
+
+```
+---
+SV-230386:
+Old:
+```
+Misuse of privileged functions, either intentionally or
+unintentionally by authorized users, or by unauthorized external entities that
+have compromised information system accounts, is a serious and ongoing concern
+and can have significant adverse impacts on organizations. Auditing the use of
+privileged functions is one way to detect such misuse and identify the risk
+from insider threats and the advanced persistent threat.
+
+```
+New:
+```
+Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
+
+
+
+```
+---
+SV-230387:
+Old:
+```
+Cron logging can be used to trace the successful or unsuccessful
+execution of cron jobs. It can also be used to spot intrusions into the use of
+the cron facility by unauthorized and malicious users.
+
+```
+New:
+```
+Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
+
+```
+---
+SV-230388:
+Old:
+```
+It is critical for the appropriate personnel to be aware if a system
+is at risk of failing to process audit logs as required.
Without this
+notification, the security personnel may be unaware of an impending failure of
+the audit capability, and system operation may be adversely affected.
+
+ Audit processing failures include software/hardware errors, failures in the
+audit capturing mechanisms, and audit storage capacity being reached or
+exceeded.
+
+ This requirement applies to each audit data storage repository (i.e.,
+distinct information system component where audit records are stored), the
+centralized audit storage capacity of organizations (i.e., all audit data
+storage repositories combined), or both.
+
+```
+New:
+```
+It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+
+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
+
+```
+---
+SV-230389:
+Old:
+```
+It is critical for the appropriate personnel to be aware if a system
+is at risk of failing to process audit logs as required. Without this
+notification, the security personnel may be unaware of an impending failure of
+the audit capability, and system operation may be adversely affected.
+
+ Audit processing failures include software/hardware errors, failures in the
+audit capturing mechanisms, and audit storage capacity being reached or
+exceeded.
+
+ This requirement applies to each audit data storage repository (i.e.,
+distinct information system component where audit records are stored), the
+centralized audit storage capacity of organizations (i.e., all audit data
+storage repositories combined), or both.
+
+```
+New:
+```
+It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+
+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
+
+```
+---
+SV-230390:
+Old:
+```
+It is critical for the appropriate personnel to be aware if a system
+is at risk of failing to process audit logs as required. Without this
+notification, the security personnel may be unaware of an impending failure of
+the audit capability, and system operation may be adversely affected.
+
+ Audit processing failures include software/hardware errors, failures in the
+audit capturing mechanisms, and audit storage capacity being reached or
+exceeded.
+
+ This requirement applies to each audit data storage repository (i.e.,
+distinct information system component where audit records are stored), the
+centralized audit storage capacity of organizations (i.e., all audit data
+storage repositories combined), or both.
+
+```
+New:
+```
+It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required.
Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. + +Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. + +``` +--- +SV-230392: +Old: +``` +It is critical that when RHEL 8 is at risk of failing to process audit +logs as required, it takes action to mitigate the failure. Audit processing +failures include software/hardware errors; failures in the audit capturing +mechanisms; and audit storage capacity being reached or exceeded. Responses to +audit failure depend upon the nature of the failure mode. + + When availability is an overriding concern, other approved actions in +response to an audit failure are as follows: + + 1) If the failure was caused by the lack of audit record storage capacity, +RHEL 8 must continue generating audit records if possible (automatically +restarting the audit service if necessary) and overwriting the oldest audit +records in a first-in-first-out manner. + + 2) If audit records are sent to a centralized collection server and +communication with this server is lost or the server fails, RHEL 8 must queue +audit records locally until communication is restored or until the audit +records are retrieved manually. Upon restoration of the connection to the +centralized collection server, action should be taken to synchronize the local +audit data with the collection server. + +``` +New: +``` +It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. 
Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. + +When availability is an overriding concern, other approved actions in response to an audit failure are as follows: + +1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. + +2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server. + +``` +--- +SV-230393: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
+ +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +``` +--- +SV-230394: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Enriched logging is needed to determine who, what, and when events occur on +a system. Without this, determining root cause of an event will be much more +difficult. + + When audit logs are not labeled before they are sent to a central log +server, the audit data will not be able to be analyzed and tied back to the +correct system. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. 
+ +When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. + +``` +--- +SV-230395: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. + + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Enriched logging aids in making sense of who, what, and when events occur +on a system. Without this, determining root cause of an event will be much +more difficult. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. + +``` +--- +SV-230396: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. 
Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + +``` +--- +SV-230397: +Old: +``` +Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. + +``` +New: +``` +Only authorized personnel should be aware of errors and the details of the errors. 
Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + + + +``` +--- +SV-230398: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. + + + +``` +--- +SV-230399: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. 
+ + + +``` +--- +SV-230400: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. + + + +``` +--- +SV-230401: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 system activity. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. + + + +``` +--- +SV-230402: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 system activity. + + In immutable mode, unauthorized users cannot execute changes to the audit +system to potentially hide malicious activity and then put the audit rules +back. A system reboot would be noticeable and a system administrator could +then investigate the unauthorized changes. 
+ +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. + + + +``` +--- +SV-230403: +Old: +``` +Unauthorized disclosure of audit records can reveal system and +configuration data to attackers, thus compromising its confidentiality. + + Audit information includes all information (e.g., audit records, audit +settings, audit reports) needed to successfully audit RHEL 8 system activity. + + In immutable mode, unauthorized users cannot execute changes to the audit +system to potentially hide malicious activity and then put the audit rules +back. A system reboot would be noticeable and a system administrator could +then investigate the unauthorized changes. + +``` +New: +``` +Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. + +In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. 
+ + + +``` +--- +SV-230404: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230405: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230406: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). 
+ +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230407: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230408: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+ + + +``` +--- +SV-230409: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230410: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + + + +``` +--- +SV-230411: +Old: +``` +Without establishing what type of events occurred, the source of +events, where events occurred, and the outcome of events, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or +attack. 
+ + Audit record content that may be necessary to satisfy this requirement +includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, +filenames involved, and access control or flow control rules invoked. + + Associating event types with detected events in RHEL 8 audit logs provides +a means of investigating an attack, recognizing resource utilization or +capacity thresholds, or identifying an improperly configured RHEL 8 system. + +``` +New: +``` +Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. + + + +``` +--- +SV-230412: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "su" command allows a +user to run commands with a substitute user and group ID. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". 
The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "su" command allows a user to run commands with a substitute user and group ID. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230413: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +"Setxattr" is a system call used to set an extended attribute value. +"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. +"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. +"Removexattr" is a system call that removes extended attributes. +"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. +"Lremovexattr" is a system call that removes extended attributes. 
This is used for removal of extended attributes from symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +"Setxattr" is a system call used to set an extended attribute value. +"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. +"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. +"Removexattr" is a system call that removes extended attributes. +"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. +"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230418: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chage" command is +used to change or view user password expiry information. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230419: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chcon" command is +used to change file SELinux security context. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chcon" command is used to change file SELinux security context. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230421: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "ssh-agent" is a +program to hold private keys used for public key authentication. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230422: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. 
+ + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "passwd" command is +used to change passwords for user accounts. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "passwd" command is used to change passwords for user accounts. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230423: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "mount" command is +used to mount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". 
The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230424: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "umount" command is +used to unmount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "umount" command is used to unmount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230425: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "mount" syscall is +used to mount a filesystem. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". 
The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230426: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +"Unix_update" is a helper program for the "pam_unix" module that updates +the password for a given user. It is not intended to be run directly from the +command line and logs a security violation if done so. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. "Unix_update" is a helper program for the "pam_unix" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230427: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "postdrop" command creates a file in the maildrop directory and copies +its standard input to the file. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postdrop" command creates a file in the maildrop directory and copies its standard input to the file. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230428: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. 
The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "postqueue" command implements the Postfix user interface for queue +management. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postqueue" command implements the Postfix user interface for queue management. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230429: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "semanage" command is used to configure certain elements of SELinux +policy without requiring modification to or recompilation from policy sources. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. 
Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230430: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "setfiles" command is primarily used to initialize the security context +fields (extended attributes) on one or more filesystems (or parts of them). +Usually it is initially run as part of the SELinux installation process (a step +commonly known as labeling). + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". 
The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling). + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230431: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "userhelper" command is not intended to be run interactively. +"Userhelper" provides a basic interface to change a user's password, gecos +information, and shell. The main difference between this program and its +traditional equivalents (passwd, chfn, chsh) is that prompts are written to +standard out to make it easy for a graphical user interface wrapper to +interface to it as a child process. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". 
The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "userhelper" command is not intended to be run interactively. "Userhelper" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230432: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "setsebool" command sets the current state of a particular SELinux +boolean or a list of booleans to a given value. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". 
The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux boolean or a list of booleans to a given value. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230433: +Old: +``` +Reconstruction of harmful events or forensic analysis is not possible +if audit records do not contain enough information. + + At a minimum, the organization must audit the full-text recording of +privileged commands. The organization must maintain audit trails in sufficient +detail to reconstruct events to determine the cause and impact of compromise. +The "unix_chkpwd" command is a helper program for the pam_unix module that +verifies the password of the current user. It also checks password and account +expiration dates in shadow. It is not intended to be run directly from the +command line and logs a security violation if done so. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. 
+ +``` +New: +``` +Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "unix_chkpwd" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230434: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "ssh-keysign" program +is an SSH helper program for host-based authentication. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. 
+ +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230435: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "setfacl" command is +used to set file access control lists. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). 
The "setfacl" command is used to set file access control lists. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230436: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "pam_timestamp_check" +command is used to check if the default timestamp is valid. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "pam_timestamp_check" command is used to check if the default timestamp is valid. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230437: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "newgrp" command is +used to change the current group ID during a login session. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "newgrp" command is used to change the current group ID during a login session. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230438: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230439: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. + +The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. +The "rmdir" system call removes empty directories. +The "renameat" system call renames a file, moving it between directories if required. +The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. 
+ +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. + +The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. +The "rmdir" system call removes empty directories. +The "renameat" system call renames a file, moving it between directories if required. +The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. 
+ + + +``` +--- +SV-230444: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "gpasswd" command is +used to administer /etc/group and /etc/gshadow. Every group can have +administrators, members and a password. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230446: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. 
+ + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "delete_module" +command is used to unload a kernel module. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230447: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "crontab" command is +used to maintain crontab files for individual users. Crontab is the program +used to install, remove, or list the tables used to drive the cron daemon. This +is similar to the task scheduler used in other operating systems. 
+ + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "crontab" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230448: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chsh" command is +used to change the login shell. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". 
The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chsh" command is used to change the login shell. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230449: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. + +The "creat" system call is used to open and possibly create a file or device. +The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". +The "openat" system call opens a file specified by a relative pathname. +The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. 
+ +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. + +The "creat" system call is used to open and possibly create a file or device. +The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". +The "openat" system call opens a file specified by a relative pathname. +The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230455: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. + +The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. +The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. +The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. + +The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. +The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. +The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230456: +Old: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). 
The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. + +The "fchmod" system call is used to change permissions of a file. +The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. + +The "fchmod" system call is used to change permissions of a file. +The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. 
Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + + + +``` +--- +SV-230462: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "sudo" command allows +a permitted user to execute a command as the superuser or another user, as +specified by the security policy. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. 
+ +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230463: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "usermod" command +modifies the system account files to reflect the changes that are specified on +the command line. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "usermod" command modifies the system account files to reflect the changes that are specified on the command line. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ + + +``` +--- +SV-230464: +Old: +``` +Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify those +responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). The "chacl" command is +used to change the access control list of a file or directory. + + When a user logs on, the AUID is set to the UID of the account that is +being authenticated. Daemons are not user sessions and have the loginuid set to +"-1". The AUID representation is an unsigned 32-bit integer, which equals +"4294967295". The audit system interprets "-1", "4294967295", and +"unset" in the same way. + +``` +New: +``` +Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + + + +``` +--- +SV-230465: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). 
The "kmod" command is +used to control Linux Kernel modules. + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. + + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "kmod" command is used to control Linux Kernel modules. + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230466: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + + From "Pam_Faillock man" pages: Note the default directory that +pam_faillock uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + +From "Pam_Faillock man" pages: Note the default directory that pam_faillock uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + + +``` +--- +SV-230467: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230468: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230469: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + Allocating an audit_backlog_limit of sufficient size is critical in +maintaining a stable boot process. With an insufficient limit allocated, the +system is susceptible to boot failures and crashes. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. 
Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. + +``` +--- +SV-230470: +Old: +``` +Without the capability to generate audit records, it would be +difficult to establish, correlate, and investigate the events relating to an +incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some +startup processes may not be audited. Some audit systems also maintain state +information only available if auditing is enabled before a given process is +created. + + Audit records can be generated from various components within the +information system (e.g., module or policy filter). + + The list of audited events is the set of events for which audits are to be +generated. This set of events is typically a subset of the list of all events +for which the system is capable of generating audit records. 
+ + DoD has defined the list of events for which RHEL 8 will provide an audit +record generation capability as the following: + + 1) Successful and unsuccessful attempts to access, modify, or delete +privileges, security objects, security levels, or categories of information +(e.g., classification levels); + + 2) Access actions, such as successful and unsuccessful logon attempts, +privileged activities or other system-level access, starting and ending time +for user access to the system, concurrent logons from different workstations, +successful and unsuccessful accesses to objects, all program initiations, and +all direct access to the information system; + + 3) All account creations, modifications, disabling, and terminations; and + + 4) All kernel module load, unload, and restart actions. + +``` +New: +``` +Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+ +DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + + + +``` +--- +SV-230471: +Old: +``` +Without the capability to restrict the roles and individuals that can +select which events are audited, unauthorized personnel may be able to prevent +the auditing of critical events. Misconfigured audits may degrade the system's +performance by overwhelming the audit log. Misconfigured audits may also make +it more difficult to establish, correlate, and investigate the events relating +to an incident or identify those responsible for one. + +``` +New: +``` +Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +``` +--- +SV-230472: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. 
+ + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + +``` +--- +SV-230473: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. + + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. 
Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + + +``` +--- +SV-230474: +Old: +``` +Protecting audit information also includes identifying and protecting +the tools used to view and manipulate log data. Therefore, protecting audit +tools is necessary to prevent unauthorized operation on audit information. + + RHEL 8 systems providing tools to interface with audit information will +leverage user permissions and roles identifying the user accessing the tools, +and the corresponding rights the user enjoys, to make access decisions +regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + +``` +New: +``` +Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
+ +RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + + +``` +--- +SV-230475: +Old: +``` +Protecting the integrity of the tools used for auditing purposes is a +critical step toward ensuring the integrity of audit information. Audit +information includes all information (e.g., audit records, audit settings, and +audit reports) needed to successfully audit information system activity. + + Audit tools include, but are not limited to, vendor-provided and open +source audit tools needed to successfully view and manipulate audit information +system activity and records. Audit tools include custom queries and report +generators. + + It is not uncommon for attackers to replace the audit tools or inject code +into the existing tools with the purpose of providing the capability to hide or +erase system activity from the audit logs. + + To address this risk, audit tools must be cryptographically signed to +provide the capability to identify when the audit tools have been modified, +manipulated, or replaced. An example is a checksum hash of the file or files. + +``` +New: +``` +Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. 
+ +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + +It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. + +To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. + +``` +--- +SV-230476: +Old: +``` +To ensure RHEL 8 systems have a sufficient storage capacity in which +to write the audit logs, RHEL 8 needs to be able to allocate audit record +storage capacity. + + The task of allocating audit record storage capacity is usually performed +during initial installation of RHEL 8. + +``` +New: +``` +To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. + +The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8. + +``` +--- +SV-230477: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. 
+ + Rsyslog provides three ways to forward message: the traditional UDP +transport, which is extremely lossy but standard; the plain TCP based +transport, which loses messages only during certain situations but is widely +available; and the RELP transport, which does not lose messages but is +currently available only as part of the rsyslogd 3.15.0 and above. + Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 + Note that a port number was given as there is no standard port for RELP. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + +Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. +Examples of each configuration: +UDP *.* @remotesystemname +TCP *.* @@remotesystemname +RELP *.* :omrelp:remotesystemname:2514 +Note that a port number was given as there is no standard port for RELP. + +``` +--- +SV-230478: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. 
+ + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "rsyslog-gnutls" (which is a secure +communications library implementing the SSL, TLS and DTLS protocols), and you +have a method to securely encrypt and off-load auditing. + + Rsyslog provides three ways to forward message: the traditional UDP +transport, which is extremely lossy but standard; the plain TCP based +transport, which loses messages only during certain situations but is widely +available; and the RELP transport, which does not lose messages but is +currently available only as part of the rsyslogd 3.15.0 and above. + Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 + Note that a port number was given as there is no standard port for RELP. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "rsyslog-gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. 
+ +Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. +Examples of each configuration: +UDP *.* @remotesystemname +TCP *.* @@remotesystemname +RELP *.* :omrelp:remotesystemname:2514 +Note that a port number was given as there is no standard port for RELP. + +``` +--- +SV-230479: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + + Rsyslog provides three ways to forward message: the traditional UDP +transport, which is extremely lossy but standard; the plain TCP based +transport, which loses messages only during certain situations but is widely +available; and the RELP transport, which does not lose messages but is +currently available only as part of the rsyslogd 3.15.0 and above. + Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 + Note that a port number was given as there is no standard port for RELP. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
+ +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + +Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. +Examples of each configuration: +UDP *.* @remotesystemname +TCP *.* @@remotesystemname +RELP *.* :omrelp:remotesystemname:2514 +Note that a port number was given as there is no standard port for RELP. + + + +``` +--- +SV-230480: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. 
+ +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + + + +``` +--- +SV-230481: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. + + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + + + +``` +--- +SV-230482: +Old: +``` +Information stored in one location is vulnerable to accidental or +incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit +storage capacity. 
+ + RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system +utility providing support for message logging. Support for both internet and +UNIX domain sockets enables this utility to support both local and remote +logging. Couple this utility with "gnutls" (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to +securely encrypt and off-load auditing. + + "Rsyslog" supported authentication modes include: + anon - anonymous authentication + x509/fingerprint - certificate fingerprint authentication + x509/certvalid - certificate validation only + x509/name - certificate validation and subject name authentication. + +``` +New: +``` +Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + +RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + +"Rsyslog" supported authentication modes include: +anon - anonymous authentication +x509/fingerprint - certificate fingerprint authentication +x509/certvalid - certificate validation only +x509/name - certificate validation and subject name authentication. + + + +``` +--- +SV-230483: +Old: +``` +If security personnel are not notified immediately when storage volume + reaches 75 percent utilization, they are unable to plan for audit record + storage capacity expansion. + +``` +New: +``` +If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. 
+ +``` +--- +SV-230484: +Old: +``` +Inaccurate time stamps make it more difficult to correlate events and +can lead to an inaccurate analysis. Determining the correct time a particular +event occurred on a system is critical when conducting forensic analysis and +investigating system events. Sources outside the configured acceptable +allowance (drift) may be inaccurate. + + Synchronizing internal information system clocks provides uniformity of +time stamps for information systems with multiple system clocks and systems +connected over a network. + + Organizations should consider endpoints that may not have regular access to +the authoritative time server (e.g., mobile, teleworking, and tactical +endpoints). + + If time stamps are not consistently applied and there is no common time +reference, it is difficult to perform forensic analysis. + + Time stamps generated by the operating system include date and time. Time +is commonly expressed in Coordinated Universal Time (UTC), a modern +continuation of Greenwich Mean Time (GMT), or local time with an offset from +UTC. + + RHEL 8 utilizes the "timedatectl" command to view the status of the +"systemd-timesyncd.service". The "timedatectl" status will display the +local time, UTC, and the offset from UTC. + + Note that USNO offers authenticated NTP service to DoD and U.S. Government +agencies operating on the NIPR and SIPR networks. Visit +https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information. + +``` +New: +``` +Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. 
+ +Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. + +Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). + +If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. + +Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. + +RHEL 8 utilizes the "timedatectl" command to view the status of the "systemd-timesyncd.service". The "timedatectl" status will display the local time, UTC, and the offset from UTC. + +Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information. + + + +``` +--- +SV-230487: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + Examples of non-essential capabilities include, but are not limited to, +games, software packages, tools, and demonstration software not related to +requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. 
+ + Verify the operating system is configured to disable non-essential +capabilities. The most secure way of ensuring a non-essential capability is +disabled is to not have the capability installed. + + The telnet service provides an unencrypted remote access service that does +not provide for the confidentiality and integrity of user passwords or the +remote session. + + If a privileged user were to log on using this service, the privileged user +password could be compromised. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + +Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. + +The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session. + +If a privileged user were to log on using this service, the privileged user password could be compromised. + +``` +--- +SV-230488: +Old: +``` +It is detrimental for operating systems to provide, or install by +default, functionality exceeding requirements or mission objectives. 
These +unnecessary capabilities or services are often overlooked and therefore may +remain unsecured. They increase the risk to the platform by providing +additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and +services. Some of the functions and services, provided by default, may not be +necessary to support essential organizational operations (e.g., key missions, +functions). + + Examples of non-essential capabilities include, but are not limited to, +games, software packages, tools, and demonstration software not related to +requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. + + Verify the operating system is configured to disable non-essential +capabilities. The most secure way of ensuring a non-essential capability is +disabled is to not have the capability installed. + +``` +New: +``` +It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + +Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. 
+
+```
+---
+SV-230489:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ Examples of non-essential capabilities include, but are not limited to,
+games, software packages, tools, and demonstration software not related to
+requirements or providing a wide array of functionality not required for every
+mission, but which cannot be disabled.
+
+ Verify the operating system is configured to disable non-essential
+capabilities. The most secure way of ensuring a non-essential capability is
+disabled is to not have the capability installed.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+```
+---
+SV-230491:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ Examples of non-essential capabilities include, but are not limited to,
+games, software packages, tools, and demonstration software not related to
+requirements or providing a wide array of functionality not required for every
+mission, but which cannot be disabled.
+
+ Verify the operating system is configured to disable non-essential
+capabilities. The most secure way of ensuring a non-essential capability is
+disabled is to not have the capability installed.
+
+ Kernel page-table isolation is a kernel feature that mitigates the Meltdown
+security vulnerability and hardens the kernel against attempts to bypass kernel
+address space layout randomization (KASLR).
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services.
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
+
+Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
+
+Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).
+
+```
+---
+SV-230492:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ The rsh-server service provides an unencrypted remote access service that
+does not provide for the confidentiality and integrity of user passwords or the
+remote session and has very weak authentication.
+
+ If a privileged user were to log on using this service, the privileged user
+password could be compromised.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives.
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.
+
+If a privileged user were to log on using this service, the privileged user password could be compromised.
+
+
+
+```
+---
+SV-230493:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect from collaborative computing devices (i.e., cameras)
+can result in subsequent compromises of organizational information. Providing
+easy methods to physically disconnect from such devices after a collaborative
+computing session helps to ensure participants actually carry out the
+disconnect activity without having to go through complex and tedious procedures.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information.
Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.
+
+
+
+```
+---
+SV-230494:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Asynchronous Transfer Mode (ATM) is a protocol operating on network,
+data link, and physical layers, based on virtual circuits and virtual paths.
+Disabling ATM protects the system against exploitation of any laws in its
+implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation.
+
+```
+---
+SV-230495:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Controller Area Network (CAN) is a serial communications protocol,
+which was initially developed for automotive and is now also used in marine,
+industrial, and medical applications. Disabling CAN protects the system against
+exploitation of any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation.
+
+```
+---
+SV-230496:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Stream Control Transmission Protocol (SCTP) is a transport layer
+protocol, designed to support the idea of message-oriented communication, with
+several streams of messages within one connection. Disabling SCTP protects the
+system against exploitation of any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives.
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.
+
+```
+---
+SV-230497:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Failing to disconnect unused protocols can result in a system compromise.
+
+ The Transparent Inter-Process Communication (TIPC) protocol is designed to
+provide communications between nodes in a cluster. Disabling TIPC protects the
+system against exploitation of any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Failing to disconnect unused protocols can result in a system compromise.
+
+The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation.
+
+```
+---
+SV-230498:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Removing support for unneeded filesystem types reduces the local attack
+surface of the server.
+
+ Compressed ROM/RAM file system (or cramfs) is a read-only file system
+designed for simplicity and space-efficiency. It is mainly used in embedded
+and small-footprint systems.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Removing support for unneeded filesystem types reduces the local attack surface of the server.
+
+Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.
+
+```
+---
+SV-230499:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time
+communication. Disabling FireWire protects the system against exploitation of
+any flaws in its implementation.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives.
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation.
+
+```
+---
+SV-230500:
+Old:
+```
+To prevent unauthorized connection of devices, unauthorized transfer
+of information, or unauthorized tunneling (i.e., embedding of data types within
+data types), organizations must disable or restrict unused or unnecessary
+physical and logical ports/protocols on information systems.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services provided by default may not be
+necessary to support essential organizational operations. Additionally, it is
+sometimes convenient to provide multiple services from a single component
+(e.g., VPN and IPS); however, doing so increases risk over limiting the
+services provided by any one component.
+
+ To support the requirements and principles of least functionality, the
+operating system must support the organizational requirements, providing only
+essential capabilities and limiting the use of ports, protocols, and/or
+services to only those required, authorized, and approved to conduct official
+business or to address authorized quality-of-life issues.
+
+```
+New:
+```
+To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations.
Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
+
+To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.
+
+```
+---
+SV-230502:
+Old:
+```
+Automatically mounting file systems permits easy introduction of
+unknown devices, thereby facilitating malicious activity.
+
+```
+New:
+```
+Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
+
+```
+---
+SV-230503:
+Old:
+```
+USB mass storage permits easy introduction of unknown devices, thereby
+facilitating malicious activity.
+
+```
+New:
+```
+USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
+
+
+
+```
+---
+SV-230504:
+Old:
+```
+Failure to restrict network connectivity only to authorized systems
+permits inbound connections from malicious systems. It also permits outbound
+connections that may facilitate exfiltration of DoD data.
+
+ RHEL 8 incorporates the "firewalld" daemon, which allows for many
+different configurations. One of these configurations is zones. Zones can be
+utilized to a deny-all, allow-by-exception approach. The default "drop" zone
+will drop all incoming network packets unless it is explicitly allowed by the
+configuration file or is related to an outgoing network connection.
+
+```
+New:
+```
+Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
+
+RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.
+
+```
+---
+SV-230505:
+Old:
+```
+"Firewalld" provides an easy and effective way to block/limit remote
+access to the system via ports, services, and protocols.
+
+ Remote access services, such as those providing remote access to network
+devices and information systems, which lack automated control capabilities,
+increase risk and make remote user access management difficult at best.
+
+ Remote access is access to DoD nonpublic information systems by an
+authorized user (or an information system) communicating through an external,
+non-organization-controlled network. Remote access methods include, for
+example, dial-up, broadband, and wireless.
+
+ RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement
+action if the audit reveals unauthorized activity. Automated control of remote
+access sessions allows organizations to ensure ongoing compliance with remote
+access policies by enforcing connection rules of remote access applications on
+a variety of information system components (e.g., servers, workstations,
+notebook computers, smartphones, and tablets).
+
+```
+New:
+```
+"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
+
+Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
+
+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
+
+```
+---
+SV-230506:
+Old:
+```
+Without protection of communications with wireless peripherals,
+confidentiality and integrity may be compromised because unprotected
+communications can be intercepted and either read, altered, or used to
+compromise the RHEL 8 operating system.
+
+ This requirement applies to wireless peripheral technologies (e.g.,
+wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless
+peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and
+Near Field Communications [NFC]) present a unique challenge by creating an
+open, unsecured port on a computer. Wireless peripherals must meet DoD
+requirements for wireless data transmission and be approved for use by the
+Authorizing Official (AO). Even though some wireless peripherals, such as mice
+and pointing devices, do not ordinarily carry information that need to be
+protected, modification of communications with these wireless peripherals may
+be used to compromise the RHEL 8 operating system. Communication paths outside
+the physical protection of a controlled boundary are exposed to the possibility
+of interception and modification.
+
+ Protecting the confidentiality and integrity of communications with
+wireless peripherals can be accomplished by physical means (e.g., employing
+physical barriers to wireless radio frequencies) or by logical means (e.g.,
+employing cryptographic techniques). If physical means of protection are
+employed, then logical means (cryptography) do not have to be employed, and
+vice versa. If the wireless peripheral is only passing telemetry data,
+encryption of the data may not be required.
+
+```
+New:
+```
+Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
+
+This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques).
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.
+
+
+
+```
+---
+SV-230507:
+Old:
+```
+Without protection of communications with wireless peripherals,
+confidentiality and integrity may be compromised because unprotected
+communications can be intercepted and either read, altered, or used to
+compromise the RHEL 8 operating system.
+
+ This requirement applies to wireless peripheral technologies (e.g.,
+wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless
+peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and
+Near Field Communications [NFC]) present a unique challenge by creating an
+open, unsecured port on a computer. Wireless peripherals must meet DoD
+requirements for wireless data transmission and be approved for use by the
+Authorizing Official (AO). Even though some wireless peripherals, such as mice
+and pointing devices, do not ordinarily carry information that need to be
+protected, modification of communications with these wireless peripherals may
+be used to compromise the RHEL 8 operating system. Communication paths outside
+the physical protection of a controlled boundary are exposed to the possibility
+of interception and modification.
+
+ Protecting the confidentiality and integrity of communications with
+wireless peripherals can be accomplished by physical means (e.g., employing
+physical barriers to wireless radio frequencies) or by logical means (e.g.,
+employing cryptographic techniques). If physical means of protection are
+employed, then logical means (cryptography) do not have to be employed, and
+vice versa. If the wireless peripheral is only passing telemetry data,
+encryption of the data may not be required.
+
+```
+New:
+```
+Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
+
+This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.
+
+```
+---
+SV-230508:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges.
This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230509:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230510:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230511:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible.
Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230512:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230513:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230514:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible.
Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230515:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230516:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230517:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible.
Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230518:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230519:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230520:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible.
Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230521:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230522:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ The "noexec" mount option causes the system to not execute binary files.
+This option must be used for mounting any file system not containing approved
+binary files, as they may be incompatible. Executing files from untrusted file
+systems increases the opportunity for unprivileged users to attain unauthorized
+administrative access.
+
+ The "nodev" mount option causes the system to not interpret character or
+block special devices. Executing character or block special devices from
+untrusted file systems increases the opportunity for unprivileged users to
+attain unauthorized administrative access.
+
+ The "nosuid" mount option causes the system to not execute "setuid" and
+"setgid" files with owner privileges. This option must be used for mounting
+any file system not containing approved "setuid" and "setguid" files.
+Executing files from untrusted file systems increases the opportunity for
+unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-230523:
+Old:
+```
+The organization must identify authorized software programs and permit
+execution of authorized software. The process used to identify software
+programs that are authorized to execute on organizational information systems
+is commonly referred to as whitelisting.
+
+ Utilizing a whitelist provides a configuration management method for
+allowing the execution of only authorized software. Using only authorized
+software decreases risk by limiting the number of potential vulnerabilities.
+Verification of whitelisted software occurs prior to execution or at system
+startup.
+
+ User home directories/folders may contain information of a sensitive
+nature. Non-privileged users should coordinate any sharing of information with
+an SA through shared resources.
+
+ RHEL 8 ships with many optional packages. One such package is a file access
+policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that
+determines access rights to files based on attributes of the process and file.
+It can be used to either blacklist or whitelist processes or file access.
+
+ Proceed with caution with enforcing the use of this daemon. Improper
+configuration may render the system non-functional. The "fapolicyd" API is
+not namespace aware and can cause issues when launching or running containers.
+
+```
+New:
+```
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
+
+User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
+
+RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
+
+Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional.
The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
+
+
+
+```
+---
+SV-230524:
+Old:
+```
+Without authenticating devices, unidentified or unknown devices may be
+introduced, thereby facilitating malicious activity.
+
+ Peripherals include, but are not limited to, such devices as flash drives,
+external storage, and printers.
+
+ A new feature that RHEL 8 provides is the USBGuard software framework. The
+USBguard-daemon is the main component of the USBGuard software framework. It
+runs as a service in the background and enforces the USB device authorization
+policy for all USB devices. The policy is defined by a set of rules using a
+rule language described in the usbguard-rules.conf file. The policy and the
+authorization state of USB devices can be modified during runtime using the
+usbguard tool.
+
+ The System Administrator (SA) must work with the site Information System
+Security Officer (ISSO) to determine a list of authorized peripherals and
+establish rules within the USBGuard software framework to allow only authorized
+devices.
+
+```
+New:
+```
+Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+
+Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
+
+A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
+
+The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.
+
+```
+---
+SV-230525:
+Old:
+```
+DoS is a condition when a resource is not available for legitimate
+users. When this occurs, the organization either cannot accomplish its mission
+or must operate at degraded capacity.
+
+ This requirement addresses the configuration of RHEL 8 to mitigate the
+impact of DoS attacks that have occurred or are ongoing on system availability.
+For each system, known and potential DoS attacks must be identified and
+solutions for each type implemented. A variety of technologies exists to limit
+or, in some cases, eliminate the effects of DoS attacks (e.g., limiting
+processes or establishing memory partitions). Employing increased capacity and
+bandwidth, combined with service redundancy, may reduce the susceptibility to
+some DoS attacks.
+
+ Since version 0.6.0, "firewalld" has incorporated "nftables" as its
+backend support. Utilizing the limit statement in "nftables" can help to
+mitigate DoS attacks.
+
+```
+New:
+```
+DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
+
+This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
+
+Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.
+
+```
+---
+SV-230526:
+Old:
+```
+Without protection of the transmitted information, confidentiality and
+integrity may be compromised because unprotected communications can be
+intercepted and either read or altered.
+
+ This requirement applies to both internal and external networks and all
+types of information system components from which information can be
+transmitted (e.g., servers, mobile devices, notebook computers, printers,
+copiers, scanners, and facsimile machines). Communication paths outside the
+physical protection of a controlled boundary are exposed to the possibility of
+interception and modification.
+
+ Protecting the confidentiality and integrity of organizational information
+can be accomplished by physical means (e.g., employing physical distribution
+systems) or by logical means (e.g., employing cryptographic techniques). If
+physical means of protection are employed, then logical means (cryptography) do
+not have to be employed, and vice versa.
+
+```
+New:
+```
+Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
+
+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques).
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
+
+
+
+```
+---
+SV-230527:
+Old:
+```
+Without protection of the transmitted information, confidentiality and
+integrity may be compromised because unprotected communications can be
+intercepted and either read or altered.
+
+ This requirement applies to both internal and external networks and all
+types of information system components from which information can be
+transmitted (e.g., servers, mobile devices, notebook computers, printers,
+copiers, scanners, and facsimile machines). Communication paths outside the
+physical protection of a controlled boundary are exposed to the possibility of
+interception and modification.
+
+ Protecting the confidentiality and integrity of organizational information
+can be accomplished by physical means (e.g., employing physical distribution
+systems) or by logical means (e.g., employing cryptographic techniques). If
+physical means of protection are employed, then logical means (cryptography) do
+not have to be employed, and vice versa.
+
+ Session key regeneration limits the chances of a session key becoming
+compromised.
+
+```
+New:
+```
+Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
+
+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
+
+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
+
+Session key regeneration limits the chances of a session key becoming compromised.
+
+
+
+```
+---
+SV-230529:
+Old:
+```
+A locally logged-on user, who presses Ctrl-Alt-Delete when at the
+console, can reboot the system. If accidentally pressed, as could happen in the
+case of a mixed OS environment, this can create the risk of short-term loss of
+availability of systems due to unintentional reboot. In a graphical user
+environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is
+reduced because the user will be prompted before any action is taken.
+
+```
+New:
+```
+A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
+
+```
+---
+SV-230530:
+Old:
+```
+A locally logged-on user, who presses Ctrl-Alt-Delete, when at the
+console, can reboot the system. If accidentally pressed, as could happen in the
+case of a mixed OS environment, this can create the risk of short-term loss of
+availability of systems due to unintentional reboot. In a graphical user
+environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is
+reduced because the user will be prompted before any action is taken.
+
+```
+New:
+```
+A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
+
+```
+---
+SV-230531:
+Old:
+```
+A locally logged-on user who presses Ctrl-Alt-Delete when at the
+console can reboot the system. If accidentally pressed, as could happen in the
+case of a mixed OS environment, this can create the risk of short-term loss of
+availability of systems due to unintentional reboot. In a graphical user
+environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is
+reduced because the user will be prompted before any action is taken.
+
+```
+New:
+```
+A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
+
+```
+---
+SV-230532:
+Old:
+```
+The debug-shell requires no authentication and provides root
+privileges to anyone who has physical access to the machine. While this
+feature is disabled by default, masking it adds an additional layer of
+assurance that it will not be enabled via a dependency in systemd. This also
+prevents attackers with physical access from trivially bypassing security on
+the machine through valid troubleshooting configurations and gaining root
+access when the system is rebooted.
+
+```
+New:
+```
+The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
+
+```
+---
+SV-230533:
+Old:
+```
+If TFTP is required for operational support (such as the transmission
+of router configurations) its use must be documented with the Information
+System Security Officer (ISSO), restricted to only authorized personnel, and
+have access control rules established.
+
+```
+New:
+```
+If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.
+
+```
+---
+SV-230534:
+Old:
+```
+If an account other than root also has a User Identifier (UID) of
+"0", it has root authority, giving that account unrestricted access to the
+entire operating system. Multiple accounts with a UID of "0" afford an
+opportunity for potential intruders to guess a password for a privileged
+account.
+
+```
+New:
+```
+If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.
+
+```
+---
+SV-230550:
+Old:
+```
+If unrestricted mail relaying is permitted, unauthorized senders could
+use this host as a mail relay for the purpose of sending spam or other
+unauthorized activity.
+
+```
+New:
+```
+If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.
+
+```
+---
+SV-230551:
+Old:
+```
+Extended attributes in file systems are used to contain arbitrary data
+and file metadata with security implications.
+
+ RHEL 8 installation media come with a file integrity tool, Advanced
+Intrusion Detection Environment (AIDE).
+
+```
+New:
+```
+Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
+
+RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE).
+
+```
+---
+SV-230552:
+Old:
+```
+ACLs can provide permissions beyond those permitted through the file
+mode and must be verified by file integrity tools.
+
+ RHEL 8 installation media come with a file integrity tool, Advanced
+Intrusion Detection Environment (AIDE).
+
+```
+New:
+```
+ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.
+
+RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE).
+
+```
+---
+SV-230553:
+Old:
+```
+Internet services that are not required for system or application
+processes must not be active to decrease the attack surface of the system.
+Graphical display managers have a long history of security vulnerabilities and
+must not be used, unless approved and documented.
+
+```
+New:
+```
+Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.
+
+```
+---
+SV-230554:
+Old:
+```
+Network interfaces in promiscuous mode allow for the capture of all
+network traffic visible to the system.
If unauthorized individuals can access
+these applications, it may allow them to collect information such as logon IDs,
+passwords, and key exchanges between systems.
+
+ If the system is being used to perform a network troubleshooting function,
+the use of these tools must be documented with the Information System Security
+Officer (ISSO) and restricted to only authorized personnel.
+
+```
+New:
+```
+Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.
+
+If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.
+
+```
+---
+SV-230555:
+Old:
+```
+The security risk of using X11 forwarding is that the client's X11
+display server may be exposed to attack when the SSH client requests
+forwarding. A system administrator may have a stance in which they want to
+protect clients that may expose themselves to attack by unwittingly requesting
+X11 forwarding, which can warrant a "no" setting.
+
+ X11 forwarding should be enabled with caution. Users with the ability to
+bypass file permissions on the remote host (for the user's X11 authorization
+database) can access the local X11 display through the forwarded connection. An
+attacker may then be able to perform activities such as keystroke monitoring if
+the ForwardX11Trusted option is also enabled.
+
+ If X11 services are not required for the system's intended function, they
+should be disabled or restricted as appropriate to the system’s needs.
+
+```
+New:
+```
+The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding.
A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting.
+
+X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.
+
+If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.
+
+```
+---
+SV-230556:
+Old:
+```
+When X11 forwarding is enabled, there may be additional exposure to
+the server and client displays if the sshd proxy display is configured to
+listen on the wildcard address. By default, sshd binds the forwarding server
+to the loopback address and sets the hostname part of the DIPSLAY environment
+variable to localhost. This prevents remote hosts from connecting to the proxy
+display.
+
+```
+New:
+```
+When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.
+
+```
+---
+SV-230557:
+Old:
+```
+Restricting TFTP to a specific directory prevents remote users from
+copying, transferring, or overwriting system files.
+
+```
+New:
+```
+Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.
+
+```
+---
+SV-230558:
+Old:
+```
+The FTP service provides an unencrypted remote access that does not
+provide for the confidentiality and integrity of user passwords or the remote
+session. If a privileged user were to log on using this service, the privileged
+user password could be compromised. SSH or other encrypted file transfer
+methods must be used in place of this service.
+
+```
+New:
+```
+The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.
+
+```
+---
+SV-230559:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ The gssproxy package is a proxy for GSS API credential handling and could
+expose secrets on some networks. It is not needed for normal function of the OS.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services.
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS.
+
+```
+---
+SV-230560:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives. These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ The iprutils package provides a suite of utilities to manage and configure
+SCSI devices supported by the ipr SCSI storage device driver.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.
+
+```
+---
+SV-230561:
+Old:
+```
+It is detrimental for operating systems to provide, or install by
+default, functionality exceeding requirements or mission objectives.
These
+unnecessary capabilities or services are often overlooked and therefore may
+remain unsecured. They increase the risk to the platform by providing
+additional attack vectors.
+
+ Operating systems are capable of providing a wide variety of functions and
+services. Some of the functions and services, provided by default, may not be
+necessary to support essential organizational operations (e.g., key missions,
+functions).
+
+ The tuned package contains a daemon that tunes the system settings
+dynamically. It does so by monitoring the usage of several system components
+periodically. Based on that information, components will then be put into lower
+or higher power savings modes to adapt to the current usage. The tuned package
+is not needed for normal OS operations.
+
+```
+New:
+```
+It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+
+The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations.
+
+```
+---
+SV-237640:
+Old:
+```
+Unapproved mechanisms that are used for authentication to the
+cryptographic module are not verified and therefore cannot be relied upon to
+provide confidentiality or integrity, and DoD data may be compromised.
+
+ RHEL 8 systems utilizing encryption are required to use FIPS-compliant
+mechanisms for authenticating to cryptographic modules.
+
+ Currently, Kerberos does not utilize FIPS 140-2 cryptography.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to
+access cryptographic modules utilize authentication that meets DoD
+requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
+general-purpose computing system.
+
+```
+New:
+```
+Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+Currently, Kerberos does not utilize FIPS 140-2 cryptography.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
+
+```
+---
+SV-237641:
+Old:
+```
+The sudo command allows a user to execute programs with elevated
+(administrator) privileges. It prompts the user for their password and confirms
+your request to execute a command by checking a file, called sudoers. If the
+"sudoers" file is not configured correctly, any user defined on the system
+can initiate privileged actions on the target system.
+
+```
+New:
+```
+The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.
+
+```
+---
+SV-237642:
+Old:
+```
+The sudoers security policy requires that users authenticate
+themselves before they can use sudo. When sudoers requires authentication, it
+validates the invoking user's credentials. If the rootpw, targetpw, or runaspw
+flags are defined and not disabled, by default the operating system will prompt
+the invoking user for the "root" user password.
+ For more information on each of the listed configurations, reference the
+sudoers(5) manual page.
+
+```
+New:
+```
+The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
+For more information on each of the listed configurations, reference the sudoers(5) manual page.
+
+```
+---
+SV-237643:
+Old:
+```
+Without re-authentication, users may access resources or perform tasks
+for which they do not have authorization.
+
+ When operating systems provide the capability to escalate a functional
+capability, it is critical the organization requires the user to
+re-authenticate when using the "sudo" command.
+
+ If the value is set to an integer less than 0, the user's time stamp will
+not expire and the user will not have to re-authenticate for privileged actions
+until the user's session is terminated.
+
+```
+New:
+```
+Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command.
+ +If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. + +``` +--- +SV-244519: +Old: +``` +Display of a standardized and approved use notification before +granting access to the operating system ensures privacy and security +notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. + + System use notifications are required only for access via logon interfaces +with human users and are not required when such human interfaces do not exist. + +``` +New: +``` +Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + + + +``` +--- +SV-244523: +Old: +``` +If the system does not require valid root authentication before it +boots into emergency or rescue mode, anyone who invokes emergency or rescue +mode is granted privileged access to all files on the system. + +``` +New: +``` +If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. + +``` +--- +SV-244524: +Old: +``` +Unapproved mechanisms that are used for authentication to the +cryptographic module are not verified and therefore cannot be relied upon to +provide confidentiality or integrity, and DoD data may be compromised. + + RHEL 8 systems utilizing encryption are required to use FIPS-compliant +mechanisms for authenticating to cryptographic modules. 
+ + FIPS 140-2 is the current standard for validating that mechanisms used to +access cryptographic modules utilize authentication that meets DoD +requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a +general-purpose computing system. + +``` +New: +``` +Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + +RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + +``` +--- +SV-244525: +Old: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. 
The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +``` +New: +``` +Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. + +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. 
If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + + + +``` +--- +SV-244526: +Old: +``` +Without cryptographic integrity protections, information can be +altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by +an authorized user (or an information system) communicating through an +external, non-organization-controlled network. Remote access methods include, +for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information +include, for example, signed hash functions using asymmetric cryptography +enabling distribution of the public key to verify the hash information while +maintaining the confidentiality of the secret key used to generate the hash. + + RHEL 8 incorporates system-wide crypto policies by default. The SSH +configuration file has no effect on the ciphers, MACs, or algorithms unless +specifically defined in the /etc/sysconfig/sshd file. The employed algorithms +can be viewed in the /etc/crypto-policies/back-ends/ directory. + +``` +New: +``` +Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. 
The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. + + + +``` +--- +SV-244527: +Old: +``` +The most important characteristic of a random number generator is its +randomness, namely its ability to deliver random numbers that are impossible to +predict. Entropy in computer security is associated with the unpredictability +of a source of randomness. The random source with high entropy tends to +achieve a uniform distribution of random values. Random number generators are +one of the most important building blocks of cryptosystems. + + The rngd service feeds random data from hardware device to kernel random +device. Quality (non-predictable) random number generation is important for +several security functions (i.e., ciphers). + +``` +New: +``` +The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers). + +``` +--- +SV-244528: +Old: +``` +Configuring this setting for the SSH daemon provides additional +assurance that remote logon via SSH will require a password, even in the event +of misconfiguration elsewhere. + +``` +New: +``` +Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. 
+
+```
+---
+SV-244529:
+Old:
+```
+The use of separate file systems for different paths can protect the
+system from failures resulting from a file system becoming full or failing.
+
+```
+New:
+```
+The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
+
+```
+---
+SV-244530:
+Old:
+```
+The "nosuid" mount option causes the system not to execute
+"setuid" and "setgid" files with owner privileges. This option must be used
+for mounting any file system not containing approved "setuid" and "setguid"
+files. Executing files from untrusted file systems increases the opportunity
+for unprivileged users to attain unauthorized administrative access.
+
+```
+New:
+```
+The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+```
+---
+SV-244531:
+Old:
+```
+Excessive permissions on local interactive user home directories may
+allow unauthorized access to user files by other users.
+
+```
+New:
+```
+Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
+
+```
+---
+SV-244532:
+Old:
+```
+If a local interactive user's files are group-owned by a group of
+which the user is not a member, unintended users may be able to access them.
+
+```
+New:
+```
+If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
+
+```
+---
+SV-244533:
+Old:
+```
+By limiting the number of failed logon attempts, the risk of
+unauthorized system access via user password guessing, otherwise known as
+brute-force attacks, is reduced.
Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + The preauth argument must be used when the module is called before the +modules which ask for the user credentials such as the password. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. +The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. 
+ + + +``` +--- +SV-244534: +Old: +``` +By limiting the number of failed logon attempts, the risk of +unauthorized system access via user password guessing, otherwise known as +brute-force attacks, is reduced. Limits are imposed by locking the account. + + In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to +centralize the configuration of the pam_faillock.so module. Also introduced is +a "local_users_only" option that will only track failed user authentication +attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, +etc.) users to allow the centralized platform to solely manage user lockout. + + From "faillock.conf" man pages: Note that the default directory that +"pam_faillock" uses is usually cleared on system boot so the access will be +reenabled after system reboot. If that is undesirable a different tally +directory must be set with the "dir" option. + The preauth argument must be used when the module is called before the +modules which ask for the user credentials such as the password. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. 
+The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. + + + +``` +--- +SV-244535: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + + + +``` +--- +SV-244536: +Old: +``` +Leaving the user list enabled is a security risk since it allows +anyone with physical access to the system to enumerate known user accounts +without authenticated access to the system. + +``` +New: +``` +Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. 
+
+```
+---
+SV-244538:
+Old:
+```
+A session time-out lock is a temporary action taken when a user stops
+work and moves away from the immediate physical vicinity of the information
+system but does not log out because of the temporary nature of the absence.
+Rather than relying on the user to manually lock their operating system session
+prior to vacating the vicinity, operating systems need to be able to identify
+when a user's session has idled and take action to initiate the session lock.
+
+ The session lock is implemented at the point where session activity can be
+determined and/or controlled.
+
+ Implementing session settings will have little value if a user is able to
+manipulate these settings from the defaults prescribed in the other
+requirements of this implementation guide.
+
+ Locking these settings from non-privileged users is crucial to maintaining
+a protected baseline.
+
+```
+New:
+```
+A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled.
+
+Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.
+
+Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
+ + + +``` +--- +SV-244539: +Old: +``` +A session time-out lock is a temporary action taken when a user stops +work and moves away from the immediate physical vicinity of the information +system but does not log out because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session +prior to vacating the vicinity, operating systems need to be able to identify +when a user's session has idled and take action to initiate the session lock. + + The session lock is implemented at the point where session activity can be +determined and/or controlled. + + Implementing session settings will have little value if a user is able to +manipulate these settings from the defaults prescribed in the other +requirements of this implementation guide. + + Locking these settings from non-privileged users is crucial to maintaining +a protected baseline. + +``` +New: +``` +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The session lock is implemented at the point where session activity can be determined and/or controlled. + +Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. + +Locking these settings from non-privileged users is crucial to maintaining a protected baseline. + + + +``` +--- +SV-244541: +Old: +``` +If an account has an empty password, anyone could log on and run +commands with the privileges of that account. 
Accounts with empty passwords
+should never be used in operational environments.
+
+```
+New:
+```
+If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
+
+```
+---
+SV-244542:
+Old:
+```
+Without establishing what type of events occurred, the source of
+events, where events occurred, and the outcome of events, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or
+attack.
+
+ Audit record content that may be necessary to satisfy this requirement
+includes, for example, time stamps, source and destination addresses,
+user/process identifiers, event descriptions, success/fail indications,
+filenames involved, and access control or flow control rules invoked.
+
+ Associating event types with detected events in RHEL 8 audit logs provides
+a means of investigating an attack, recognizing resource utilization or
+capacity thresholds, or identifying an improperly configured RHEL 8 system.
+
+```
+New:
+```
+Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.
+
+
+
+```
+---
+SV-244543:
+Old:
+```
+If security personnel are not notified immediately when storage volume
+reaches 75 percent utilization, they are unable to plan for audit record
+storage capacity expansion.
+
+```
+New:
+```
+If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
+
+```
+---
+SV-244544:
+Old:
+```
+"Firewalld" provides an easy and effective way to block/limit remote
+access to the system via ports, services, and protocols.
+
+ Remote access services, such as those providing remote access to network
+devices and information systems, which lack automated control capabilities,
+increase risk and make remote user access management difficult at best.
+
+ Remote access is access to DoD nonpublic information systems by an
+authorized user (or an information system) communicating through an external,
+non-organization-controlled network. Remote access methods include, for
+example, dial-up, broadband, and wireless.
+ RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement
+action if the audit reveals unauthorized activity. Automated control of remote
+access sessions allows organizations to ensure ongoing compliance with remote
+access policies by enforcing connection rules of remote access applications on
+a variety of information system components (e.g., servers, workstations,
+notebook computers, smartphones, and tablets).
+
+```
+New:
+```
+"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
+
+Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
+ +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. +RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + +``` +--- +SV-244545: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for +allowing the execution of only authorized software. Using only authorized +software decreases risk by limiting the number of potential vulnerabilities. +Verification of whitelisted software occurs prior to execution or at system +startup. + + User home directories/folders may contain information of a sensitive +nature. Non-privileged users should coordinate any sharing of information with +an SA through shared resources. + + RHEL 8 ships with many optional packages. One such package is a file access +policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that +determines access rights to files based on attributes of the process and file. +It can be used to either blacklist or whitelist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper +configuration may render the system non-functional. 
The "fapolicyd" API is +not namespace aware and can cause issues when launching or running containers. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + +RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + + +``` +--- +SV-244546: +Old: +``` +The organization must identify authorized software programs and permit +execution of authorized software. The process used to identify software +programs that are authorized to execute on organizational information systems +is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for +allowing the execution of only authorized software. Using only authorized +software decreases risk by limiting the number of potential vulnerabilities. 
+Verification of whitelisted software occurs prior to execution or at system +startup. + + User home directories/folders may contain information of a sensitive +nature. Non-privileged users should coordinate any sharing of information with +an SA through shared resources. + + RHEL 8 ships with many optional packages. One such package is a file access +policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that +determines access rights to files based on attributes of the process and file. +It can be used to either blacklist or whitelist processes or file access. + + Proceed with caution with enforcing the use of this daemon. Improper +configuration may render the system non-functional. The "fapolicyd" API is +not namespace aware and can cause issues when launching or running containers. + +``` +New: +``` +The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + +Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + +RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +Proceed with caution with enforcing the use of this daemon. 
Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + + + +``` +--- +SV-244547: +Old: +``` +Without authenticating devices, unidentified or unknown devices may be +introduced, thereby facilitating malicious activity. + Peripherals include, but are not limited to, such devices as flash drives, +external storage, and printers. + A new feature that RHEL 8 provides is the USBGuard software framework. The +USBguard-daemon is the main component of the USBGuard software framework. It +runs as a service in the background and enforces the USB device authorization +policy for all USB devices. The policy is defined by a set of rules using a +rule language described in the usbguard-rules.conf file. The policy and the +authorization state of USB devices can be modified during runtime using the +usbguard tool. + + The System Administrator (SA) must work with the site Information System +Security Officer (ISSO) to determine a list of authorized peripherals and +establish rules within the USBGuard software framework to allow only authorized +devices. + +``` +New: +``` +Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. +A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
+ +The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + +``` +--- +SV-244548: +Old: +``` +Without authenticating devices, unidentified or unknown devices may be +introduced, thereby facilitating malicious activity. + + Peripherals include, but are not limited to, such devices as flash drives, +external storage, and printers. + + A new feature that RHEL 8 provides is the USBGuard software framework. The +USBguard-daemon is the main component of the USBGuard software framework. It +runs as a service in the background and enforces the USB device authorization +policy for all USB devices. The policy is defined by a set of rules using a +rule language described in the usbguard-rules.conf file. The policy and the +authorization state of USB devices can be modified during runtime using the +usbguard tool. + + The System Administrator (SA) must work with the site Information System +Security Officer (ISSO) to determine a list of authorized peripherals and +establish rules within the USBGuard software framework to allow only authorized +devices. + +``` +New: +``` +Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. + +A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
+ +The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. + +``` +--- +SV-244549: +Old: +``` +Without protection of the transmitted information, confidentiality and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + This requirement applies to both internal and external networks and all +types of information system components from which information can be +transmitted (e.g., servers, mobile devices, notebook computers, printers, +copiers, scanners, and facsimile machines). Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of +interception and modification. + + Protecting the confidentiality and integrity of organizational information +can be accomplished by physical means (e.g., employing physical distribution +systems) or by logical means (e.g., employing cryptographic techniques). If +physical means of protection are employed, then logical means (cryptography) do +not have to be employed, and vice versa. + +``` +New: +``` +Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
+ +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + + + +``` +--- +SV-250315: +Old: +``` +By limiting the number of failed logon attempts, the risk of + unauthorized system access via user password guessing, otherwise known as + brute-force attacks, is reduced. Limits are imposed by locking the account. + + From "faillock.conf" man pages: Note that the default directory that + "pam_faillock" uses is usually cleared on system boot so the access will be + re-enabled after system reboot. If that is undesirable, a different tally + directory must be set with the "dir" option. + + SELinux, enforcing a targeted policy, will require any non-default tally + directory's security context type to match the default directory's security + context type. Without updating the security context type, the pam_faillock + module will not write failed login attempts to the non-default tally directory. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. + +SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory. 
+ +``` +--- +SV-250316: +Old: +``` +By limiting the number of failed logon attempts, the risk of + unauthorized system access via user password guessing, otherwise known as + brute-force attacks, is reduced. Limits are imposed by locking the account. + + From "Pam_Faillock" man pages: Note that the default directory that + "pam_faillock" uses is usually cleared on system boot so the access will be + reenabled after system reboot. If that is undesirable, a different tally + directory must be set with the "dir" option. + + SELinux, enforcing a targeted policy, will require any non-default tally + directory's security context type to match the default directory's security + context type. Without updating the security context type, the pam_faillock + module will not write failed login attempts to the non-default tally directory. + +``` +New: +``` +By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option. + +SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory. + +``` +--- +SV-250317: +Old: +``` +Routing protocol daemons are typically used on routers to exchange network + topology information with other routers. If this software is used when not required, + system network information may be unnecessarily transmitted across the network. 
+ + The sysctl --system command will load settings from all system configuration files. + + All configuration files are sorted by their filename in lexicographic order, regardless + of which of the directories they reside in. If multiple files specify the same option, + the entry in the file with the lexicographically latest name will take precedence. + + Files are read from directories in the following list from top to bottom. Once a file of a + given filename is loaded, any file of the same name in subsequent directories is ignored. + + /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf + /etc/sysctl.conf + +``` +New: +``` +Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. + +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf + +``` +--- +SV-251707: +Old: +``` +If RHEL 8 were to allow any user to make changes to software libraries, + then those changes might be implemented without undergoing the appropriate + testing and approvals that are part of a robust change management process. 
+ + This requirement applies to RHEL 8 with software libraries that are accessible + and configurable, as in the case of interpreted languages. Software libraries + also include privileged programs that execute with escalated privileges. Only + qualified and authorized individuals will be allowed to obtain access to + information system components for purposes of initiating changes, including + upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-251708: +Old: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
+ +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-251709: +Old: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +New: +``` +If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + +``` +--- +SV-251710: +Old: +``` +Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. 
+ Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the + system security policy and supporting the isolation of code and data on which the protection is based. Security functionality + includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), + setting events to be audited, and setting intrusion detection parameters. + + This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and + environments that require this functionality. + +``` +New: +``` +Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality. + +``` +--- +SV-251711: +Old: +``` +The "sudo" command allows authorized users to run programs (including shells) as other users, + system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as + well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" + file allow configured users to run programs without re-authenticating. Use of these configuration + options makes it easier for one compromised account to be used to compromise other accounts. 
+ + It is possible to include other sudoers files from within the sudoers file currently being parsed + using the #include and #includedir directives. When sudo reaches this line it will suspend + processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the + end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are + included may themselves include other files. A hard limit of 128 nested include files is enforced + to prevent include file loops. + +``` +New: +``` +The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. + +It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. + +``` +--- +SV-251712: +Old: +``` +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. + +``` +New: +``` +Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
+ +When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. + + + +``` +--- +SV-254520: +Old: +``` +Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + +Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. + +``` +New: +``` +Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + +Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users. + +``` +--- +
\ No newline at end of file diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index 93239210c..7e50ae9a1 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -10,7 +10,7 @@ author: Daniel Medina, George Dias This log provides a detailed output of the command execution, including additional information and metadata. -[Example Log File Output](../../assets/downloads/CliProcessOutput.log) +[Sample Log File Output](../../assets/downloads/CliProcessOutput.log) ### 5.1.2 delta.json @@ -28,13 +28,13 @@ Details of the changes are provided afterwards as follows: 1. **addedControls**: The contents of each control that was added to the profile. 2. **changedControls**: The parts of each control that were modified or replaced during the command execution. -[Example delta.json file](/assets/downloads/delta.json) +[Sample delta.json file](/assets/downloads/delta.json) ### 5.1.3 Report Markdown File (.md) Specified by the report flag (`-r`), this generates a markdown formatted report containing the same information found in the delta.json file. -@[code{1-51}](../../assets/markdown/delta_report.md) +[Sample Report Markdown File](/assets/downloads/report) ## 5.2 Logging Capabilities of Update Controls From 1c278dd8dcf707c30b5d9e21279d69c89c686ddb Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Fri, 6 Dec 2024 08:55:25 -0500 Subject: [PATCH 36/71] adjust use case --- src/courses/delta/04.md | 32 +++++++------------------------- 1 file changed, 7 insertions(+), 25 deletions(-) diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md index 6ed4def1d..da699bd3c 100644 --- a/src/courses/delta/04.md +++ b/src/courses/delta/04.md 
@@ -13,11 +13,11 @@ There are several situations that warrant the use of the delta process. These ar 2. [Use Case 2](#412-use-case-2) - Update control IDs based on group ID (run update controls) -3. [Use Case 3](#413-use-case-3) - Update controls but create a backup (run update controls) +3. [Use Case 3](#415-use-case-4) - Generate stubs for new controls found in the XCCDF Benchmark file (run Delta without fuzzy matching) + +4. [Use Case 4](#414-use-case-3) - No mappings were found using update controls (run Delta with fuzzy matching) -4. [Use Case 4](#414-use-case-4) - No mappings were found using update controls (run Delta with fuzzy matching) -5. [Use Case 5](#415-use-case-5) - Generate stubs for new controls found in the XCCDF Benchmark file (run Delta without fuzzy matching) ### 4.1.1 Use Case 1 
@@ -35,36 +35,18 @@ If there isn't any mapping between baseline X and Y using the default rule ident [return to top](#41-use-cases-for-running-delta) -### 4.1.3 Use Case 3 - -Similar to Use Cases 1 and 2, this use case updates controls in baseline X with new controls identified in baseline Y based on selected indexed identification but also creates a backup of the modified controls. - -**Process:** Run `update_controls4delta` - -[return to top](#41-use-cases-for-running-delta) +### 4.1.4 Use Case 3 -### 4.1.4 Use Case 4 - -Running update controls may result in no controls being updated or no mappings being found from baseline X to baseline Y. This could be due to there being too many revisions or releases between the two baselines, creating no way to map between them. In this case, use Delta with fuzzy matching. +New guidance often contains new controls that weren't previously defined. In this case, running the delta process generates the control stubs with all metadata, except for the describe block (code) content. **Process:** Run `delta` [return to top](#41-use-cases-for-running-delta) -### 4.1.5 Use Case 5 +### 4.1.5 Use Case 4 -New guidance often contains new controls that weren't previously defined. In this case, running the delta process generates the control stubs with all metadata, except for the describe block (code) content. +Running update controls may result in no controls being updated or no mappings being found from baseline X to baseline Y. This could be due to the baselines belonging to different platforms, or too many revisions were released between the two baselines, creating no way to map between them. In this case, use Delta with fuzzy matching. **Process:** Run `delta` [return to top](#41-use-cases-for-running-delta) - -### Suggested Enhancements for Education and Training - -1. **Examples and Scenarios:** Provide real-world examples and scenarios for each use case to help students understand the practical applications. -2. 
**Interactive Exercises:** Include interactive exercises where students can practice running the commands (`update_controls4delta` and `delta`) in a controlled environment. -3. **Visual Aids:** Use flowcharts or diagrams to visually represent the processes described in each use case. -4. **Quizzes:** Add quizzes at the end of each section to reinforce learning and ensure comprehension. -5. **Glossary:** Include a glossary of terms used in the document to help students familiarize themselves with the terminology. -6. **Step-by-Step Guides:** Provide detailed, step-by-step guides for running the commands, including screenshots or terminal outputs to illustrate the expected results. -7. **Discussion Questions:** Add discussion questions at the end of each section to encourage critical thinking and group discussions. From a5226c2895be826add8a128461444538aaf57779 Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Fri, 6 Dec 2024 09:04:17 -0500 Subject: [PATCH 37/71] link fix --- src/courses/delta/05.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index 7e50ae9a1..3fb1a40dc 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -28,13 +28,13 @@ Details of the changes are provided afterwards as follows: 1. **addedControls**: The contents of each control that was added to the profile. 2. **changedControls**: The parts of each control that were modified or replaced during the command execution. -[Sample delta.json file](/assets/downloads/delta.json) +[Sample delta.json file](../../assets/downloads/delta.json) ### 5.1.3 Report Markdown File (.md) Specified by the report flag (`-r`), this generates a markdown formatted report containing the same information found in the delta.json file. -[Sample Report Markdown File](/assets/downloads/report) +[Sample Report Markdown File](../..//assets/downloads/report) ## 5.2 Logging Capabilities of Update Controls 
From d10ac0ba9c4c02cd927ca6cc3c546709284bb02c Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Fri, 6 Dec 2024 09:06:41 -0500 Subject: [PATCH 38/71] fix --- src/courses/delta/05.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/courses/delta/05.md b/src/courses/delta/05.md index 3fb1a40dc..ed21a206e 100644 --- a/src/courses/delta/05.md +++ b/src/courses/delta/05.md @@ -34,7 +34,7 @@ Details of the changes are provided afterwards as follows: Specified by the report flag (`-r`), this generates a markdown formatted report containing the same information found in the delta.json file. -[Sample Report Markdown File](../..//assets/downloads/report) +[Sample Report Markdown File](../../assets/downloads/report) ## 5.2 Logging Capabilities of Update Controls From a7ed5ff7b05fe3bba5ba1431153355d6c33da393 Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Fri, 6 Dec 2024 09:09:32 -0500 Subject: [PATCH 39/71] remove md file --- src/assets/markdown/delta_report.md | 10916 -------------------------- 1 file changed, 10916 deletions(-) delete mode 100644 src/assets/markdown/delta_report.md diff --git a/src/assets/markdown/delta_report.md b/src/assets/markdown/delta_report.md deleted file mode 100644 index 4d8860995..000000000 --- a/src/assets/markdown/delta_report.md +++ /dev/null @@ -1,10916 +0,0 @@ -## Automatic Update - -### New Controls - -+ SV-268322 - RHEL 8 must not allow blank or null passwords in the system-auth file. - -### Updated Check/Fixes - -#### Checks - -
- Click to expand. -SV-230262: -Old: -``` - -Verify the system-wide shared library files are group-owned by "root" -with the following command: - - sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} -\; - - If any system wide shared library file is returned and is not group-owned -by a required system account, this is a finding. - -``` - -Updated: -``` - -Verify the system-wide shared library files are group-owned by "root" with the following command: - -$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; - -If any system wide shared library file is returned and is not group-owned by a required system account, this is a finding. - -``` ---- -SV-230379: -Old: -``` - -Verify all accounts on the system are assigned to an active system, -application, or user account. - - Obtain the list of authorized system accounts from the Information System -Security Officer (ISSO). - - Check the system accounts on the system with the following command: - - $ sudo more /etc/passwd - - root:x:0:0:root:/root:/bin/bash - bin:x:1:1:bin:/bin:/sbin/nologin - daemon:x:2:2:daemon:/sbin:/sbin/nologin - sync:x:5:0:sync:/sbin:/bin/sync - shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown - halt:x:7:0:halt:/sbin:/sbin/halt - games:x:12:100:games:/usr/games:/sbin/nologin - gopher:x:13:30:gopher:/var/gopher:/sbin/nologin - - Accounts such as "games" and "gopher" are not authorized accounts as -they do not support authorized system functions. - - If the accounts on the system do not match the provided documentation, or -accounts that do not support an authorized system function are present, this is -a finding. - -``` - -Updated: -``` - -Verify that there are no unauthorized interactive user accounts with the following command: - -$ less /etc/passwd - -root:x:0:0:root:/root:/bin/bash -... 
-games:x:12:100:games:/usr/games:/sbin/nologin -scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash -djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash - -Interactive user account, generally will have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell. - -Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system. - -If there are unauthorized local user accounts on the system, this is a finding. - -``` ---- -SV-230470: -Old: -``` - -Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the -following commands: - - Note: If the USBGuard daemon is not installed and enabled, this requirement -is not applicable. - - $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf - - AuditBackend=LinuxAudit - - If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or -the line is commented out, this is a finding. - -``` - -Updated: -``` - -Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: - -Note: If the USBGuard daemon is not installed and enabled, this requirement is Not Applicable. - -$ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf - -AuditBackend=LinuxAudit - -If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or the line is commented out, this is a finding. - -If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. - -``` ---- -SV-230524: -Old: -``` - -Verify the USBGuard has a policy configured with the following command: - - $ sudo usbguard list-rules - - If the command does not return results or an error is returned, ask the SA -to indicate how unauthorized peripherals are being blocked. 
- - If there is no evidence that unauthorized peripherals are being blocked -before establishing a connection, this is a finding. - -``` - -Updated: -``` - -Verify the USBGuard has a policy configured with the following command: - -$ sudo usbguard list-rules - -If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. - -If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. - -If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. - -``` ---- -SV-230548: -Old: -``` - -Verify RHEL 8 disables the use of user namespaces with the following commands: - -Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. - -$ sudo sysctl user.max_user_namespaces - -user.max_user_namespaces = 0 - -If the returned line does not have a value of "0", or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 - -If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding. 
- -``` - -Updated: -``` - -Verify RHEL 8 disables the use of user namespaces with the following commands: - -$ sudo sysctl user.max_user_namespaces - -user.max_user_namespaces = 0 - -If the returned line does not have a value of "0", or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 - -If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding. - -If the use of namespaces is operationally required and documented with the ISSM, it is not a finding. - -``` ---- -SV-230559: -Old: -``` - -Verify the gssproxy package has not been installed on the system with the -following commands: - - $ sudo yum list installed gssproxy - - gssproxy.x86_64 -0.8.0-14.el8 @anaconda - - If the gssproxy package is installed and is not documented with the -Information System Security Officer (ISSO) as an operational requirement, this -is a finding. - -``` - -Updated: -``` - -Verify the gssproxy package has not been installed on the system with the following commands: - -$ sudo yum list installed gssproxy - -gssproxy.x86_64 0.8.0-14.el8 @anaconda - -If the gssproxy package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. - -If NFS mounts are being used, this is not a finding. 
- -``` ---- -SV-244527: -Old: -``` - -Check that RHEL 8 has the packages required to enabled the hardware random -number generator entropy gatherer service with the following command: - - $ sudo yum list installed rng-tools - - rng-tools.x86_64 6.8-3.el8 -@anaconda - - If the "rng-tools" package is not installed, this is a finding. - -``` - -Updated: -``` - -Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable. - -Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: - -$ sudo yum list installed rng-tools - -rng-tools.x86_64 6.8-3.el8 @anaconda - -If the "rng-tools" package is not installed, this is a finding. - -``` ---- -SV-244547: -Old: -``` - -Verify USBGuard is installed on the operating system with the following -command: - - $ sudo yum list installed usbguard - - Installed Packages - usbguard.x86_64 0.7.8-7.el8 @ol8_appstream - - If the USBGuard package is not installed, ask the SA to indicate how -unauthorized peripherals are being blocked. - If there is no evidence that unauthorized peripherals are being blocked -before establishing a connection, this is a finding. - -``` - -Updated: -``` - -Verify USBGuard is installed on the operating system with the following command: - -$ sudo yum list installed usbguard - -Installed Packages -usbguard.x86_64 0.7.8-7.el8 @ol8_appstream - -If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. - -If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. 
- -``` ---- -SV-244548: -Old: -``` - -Verify the operating system has enabled the use of the USBGuard with the -following command: - - $ sudo systemctl status usbguard.service - - usbguard.service - USBGuard daemon - Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor -preset: disabled) - Active: active (running) - - If the usbguard.service is not enabled and active, ask the SA to indicate -how unauthorized peripherals are being blocked. - If there is no evidence that unauthorized peripherals are being blocked -before establishing a connection, this is a finding. - -``` - -Updated: -``` - -Verify the operating system has enabled the use of the USBGuard with the following command: - -$ sudo systemctl status usbguard.service - -usbguard.service - USBGuard daemon -Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled) -Active: active (running) - -If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. - -If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. - -If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding. - -``` ---- -SV-257258: -Old: -``` - -Verify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command: - - $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf - - StopIdleSessionSec=900 - -If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding. - -``` - -Updated: -``` - -Note: This requirement applies to RHEL versions 8.7 and higher. If the system is not RHEL version 8.7 or newer, this requirement is not applicable. 
- -Verify that RHEL 8 logs out sessions that are idle for 10 minutes with the following command: - -$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf - -StopIdleSessionSec=600 - -If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding. - -``` ---- -
-
-#### Fixes:
-
- Click to expand. -SV-230379: -Old: -``` - -Configure the system so all accounts on the system are assigned to an -active system, application, or user account. - - Remove accounts that do not support approved system activities or that -allow for a normal user to perform administrative-level actions. - - Document all authorized accounts on the system. - -``` -New: -``` - -Remove unauthorized local interactive user accounts with the following command where is the unauthorized account: - -$ sudo userdel - -``` ---- -SV-230548: -Old: -``` - -Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: - -Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. - -user.max_user_namespaces = 0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - -$ sudo sysctl --system - -``` -New: -``` - -Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: - -user.max_user_namespaces = 0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: - -$ sudo sysctl --system - -``` ---- -SV-257258: -Old: -``` - -Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: - - StopIdleSessionSec=900 - -The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: - - sudo systemctl restart systemd-logind - -Note: To preserve running user programs such as tmux, uncomment and/or edit "KillUserProccesses=no" in "/etc/systemd/logind.conf". - -``` -New: -``` - -Configure RHEL 8 to log out idle sessions after 10 minutes by editing the /etc/systemd/logind.conf file with the following line: - -StopIdleSessionSec=600 - -The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: - -$ sudo systemctl restart systemd-logind - -``` ---- -
-
-### Updated Impacts
-
- Click to expand.
-SV-230223:
-Old: 0
-New: 0.7
----
-SV-230224:
-Old: 0
-New: 0.5
----
-SV-230230:
-Old: 0
-New: 0.5
----
-SV-230234:
-Old: 0
-New: 0.7
----
-SV-230235:
-Old: 0
-New: 0.7
----
-SV-230238:
-Old: 0
-New: 0.5
----
-SV-230239:
-Old: 0
-New: 0.5
----
-SV-230244:
-Old: 0
-New: 0.5
----
-SV-230273:
-Old: 0
-New: 0.5
----
-SV-230275:
-Old: 0
-New: 0.5
----
-SV-230285:
-Old: 0
-New: 0.3
----
-SV-230300:
-Old: 0
-New: 0.5
----
-SV-230328:
-Old: 0
-New: 0.5
----
-SV-230329:
-Old: 0
-New: 0.7
----
-SV-230332:
-Old: 0
-New: 0.5
----
-SV-230347:
-Old: 0
-New: 0.5
----
-SV-230351:
-Old: 0
-New: 0.5
----
-SV-230352:
-Old: 0
-New: 0.5
----
-SV-230354:
-Old: 0
-New: 0.5
----
-SV-230376:
-Old: 0
-New: 0.5
----
-SV-230380:
-Old: 0
-New: 0.7
----
-SV-230382:
-Old: 0
-New: 0.5
----
-SV-230385:
-Old: 0.7
-New: 0.5
----
-SV-230493:
-Old: 0
-New: 0.5
----
-SV-230502:
-Old: 0
-New: 0.5
----
-SV-230506:
-Old: 0
-New: 0.5
----
-SV-230507:
-Old: 0
-New: 0.5
----
-SV-230523:
-Old: 0
-New: 0.5
----
-SV-230530:
-Old: 0
-New: 0.7
----
-SV-230535:
-Old: 0
-New: 0.5
----
-SV-230536:
-Old: 0
-New: 0.5
----
-SV-230537:
-Old: 0
-New: 0.5
----
-SV-230538:
-Old: 0
-New: 0.5
----
-SV-230539:
-Old: 0
-New: 0.5
----
-SV-230540:
-Old: 0
-New: 0.5
----
-SV-230541:
-Old: 0
-New: 0.5
----
-SV-230542:
-Old: 0
-New: 0.5
----
-SV-230543:
-Old: 0
-New: 0.5
----
-SV-230544:
-Old: 0
-New: 0.5
----
-SV-230545:
-Old: 0
-New: 0.5
----
-SV-230546:
-Old: 0
-New: 0.5
----
-SV-230547:
-Old: 0
-New: 0.5
----
-SV-230548:
-Old: 0
-New: 0.5
----
-SV-230549:
-Old: 0
-New: 0.5
----
-SV-230550:
-Old: 0
-New: 0.5
----
-SV-230557:
-Old: 0
-New: 0.5
----
-SV-237640:
-Old: 0
-New: 0.5
----
-SV-244519:
-Old: 0
-New: 0.5
----
-SV-244521:
-Old: 0
-New: 0.5
----
-SV-244522:
-Old: 0
-New: 0.5
----
-SV-244530:
-Old: 0
-New: 0.5
----
-SV-244535:
-Old: 0
-New: 0.5
----
-SV-244536:
-Old: 0
-New: 0.5
----
-SV-244538:
-Old: 0
-New: 0.5
----
-SV-244539:
-Old: 0
-New: 0.5
----
-SV-244545:
-Old: 0
-New: 0.5
----
-SV-244546:
-Old: 0
-New: 0.5
----
-SV-244550:
-Old: 0
-New: 0.5
----
-SV-244551:
-Old: 0
-New: 0.5
----
-SV-244552:
-Old: 0
-New: 0.5
----
-SV-244553:
-Old: 0
-New: 0.5
----
-SV-244554:
-Old: 0
-New: 0.5
----
-SV-250315:
-Old: 0
-New: 0.5
----
-SV-250317:
-Old: 0
-New: 0.5
----
-SV-251710:
-Old: 0
-New: 0.5
----
-SV-251711:
-Old: 0
-New: 0.5
----
-SV-251712:
-Old: 0
-New: 0.5
----
-SV-251718:
-Old: 0
-New: 0.5
----
-
-
-### Updated Titles
-
- Click to expand.
-SV-230226:
-Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent
-Banner before granting local or remote access to the system via a graphical
-user logon.
-New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
----
-SV-230227:
-Old: RHEL 8 must display the Standard Mandatory DoD Notice and Consent
-Banner before granting local or remote access to the system via a command line
-user logon.
-New: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
----
-SV-230229:
-Old: RHEL 8, for PKI-based authentication, must validate certificates by
-constructing a certification path (which includes status information) to an
-accepted trust anchor.
-New: RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
----
-SV-230230:
-Old: RHEL 8, for certificate-based authentication, must enforce authorized
-access to the corresponding private key.
-New: RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
----
-SV-230231:
-Old: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved
-cryptographic hashing algorithm.
-New: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
----
-SV-230232:
-Old: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing
-algorithms for all stored passwords.
-New: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
----
-SV-230234:
-Old: RHEL 8 operating systems booted with United Extensible Firmware
-Interface (UEFI) must require authentication upon booting into single-user mode
-and maintenance.
-New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
----
-SV-230235:
-Old: RHEL 8 operating systems booted with a BIOS must require
-authentication upon booting into single-user and maintenance modes.
-New: RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
----
-SV-230236:
-Old: RHEL 8 operating systems must require authentication upon booting into
-rescue mode.
-New: RHEL 8 operating systems must require authentication upon booting into rescue mode.
----
-SV-230237:
-Old: The RHEL 8 pam_unix.so module must be configured in the password-auth
-file to use a FIPS 140-2 approved cryptographic hashing algorithm for system
-authentication.
-New: The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
----
-SV-230238:
-Old: RHEL 8 must prevent system daemons from using Kerberos for
-authentication.
-New: RHEL 8 must prevent system daemons from using Kerberos for authentication.
----
-SV-230240:
-Old: RHEL 8 must use a Linux Security Module configured to enforce limits
-on system services.
-New: RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
----
-SV-230243:
-Old: A sticky bit must be set on all RHEL 8 public directories to prevent
-unauthorized and unintended information transferred via shared system
-resources.
-New: A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
----
-SV-230245:
-Old: The RHEL 8 /var/log/messages file must have mode 0640 or less
-permissive.
-New: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
----
-SV-230252:
-Old: The RHEL 8 operating system must implement DoD-approved encryption to
-protect the confidentiality of SSH server connections.
-New: The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.
----
-SV-230254:
-Old: The RHEL 8 operating system must implement DoD-approved encryption in
-the OpenSSL package.
-New: The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
----
-SV-230255:
-Old: The RHEL 8 operating system must implement DoD-approved TLS encryption
-in the OpenSSL package.
-New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
----
-SV-230256:
-Old: The RHEL 8 operating system must implement DoD-approved TLS encryption
-in the GnuTLS package.
-New: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.
----
-SV-230259:
-Old: RHEL 8 system commands must be group-owned by root or a system
-account.
-New: RHEL 8 system commands must be group-owned by root or a system account.
----
-SV-230263:
-Old: The RHEL 8 file integrity tool must notify the system administrator
-when changes to the baseline configuration or anomalies in the operation of any
-security functions are discovered within an organizationally defined frequency.
-New: The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
----
-SV-230264:
-Old: RHEL 8 must prevent the installation of software, patches, service
-packs, device drivers, or operating system components from a repository without
-verification they have been digitally signed using a certificate that is issued
-by a Certificate Authority (CA) that is recognized and approved by the
-organization.
-New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
----
-SV-230265:
-Old: RHEL 8 must prevent the installation of software, patches, service
-packs, device drivers, or operating system components of local packages without
-verification they have been digitally signed using a certificate that is issued
-by a Certificate Authority (CA) that is recognized and approved by the
-organization.
-New: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
----
-SV-230267:
-Old: RHEL 8 must enable kernel parameters to enforce discretionary access
-control on symlinks.
-New: RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.
----
-SV-230271:
-Old: RHEL 8 must require users to provide a password for privilege
-escalation.
-New: RHEL 8 must require users to provide a password for privilege escalation.
----
-SV-230273:
-Old: RHEL 8 must have the packages required for multifactor authentication
- installed.
-New: RHEL 8 must have the packages required for multifactor authentication installed.
----
-SV-230276:
-Old: RHEL 8 must implement non-executable data to protect its memory from
-unauthorized code execution.
-New: RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution.
----
-SV-230277:
-Old: RHEL 8 must clear the page allocator to prevent use-after-free
-attacks.
-New: RHEL 8 must clear the page allocator to prevent use-after-free attacks.
----
-SV-230280:
-Old: RHEL 8 must implement address space layout randomization (ASLR) to
-protect its memory from unauthorized code execution.
-New: RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
----
-SV-230281:
-Old: YUM must remove all software components after updated versions have
-been installed on RHEL 8.
-New: YUM must remove all software components after updated versions have been installed on RHEL 8.
----
-SV-230285:
-Old: RHEL 8 must enable the hardware random number generator entropy
-gatherer service.
-New: RHEL 8 must enable the hardware random number generator entropy gatherer service.
----
-SV-230286:
-Old: The RHEL 8 SSH public host key files must have mode 0644 or less
-permissive.
-New: The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
----
-SV-230288:
-Old: The RHEL 8 SSH daemon must perform strict mode checking of home
-directory configuration files.
-New: The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
----
-SV-230290:
-Old: The RHEL 8 SSH daemon must not allow authentication using known host’s
-authentication.
-New: The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
----
-SV-230291:
-Old: The RHEL 8 SSH daemon must not allow Kerberos authentication, except
-to fulfill documented and validated mission requirements.
-New: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
----
-SV-230296:
-Old: RHEL 8 must not permit direct logons to the root account using remote
-access via SSH.
-New: RHEL 8 must not permit direct logons to the root account using remote access via SSH.
----
-SV-230299:
-Old: RHEL 8 must prevent files with the setuid and setgid bit set from
-being executed on file systems that contain user home directories.
-New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
----
-SV-230300:
-Old: RHEL 8 must prevent files with the setuid and setgid bit set from
-being executed on the /boot directory.
-New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
----
-SV-230302:
-Old: RHEL 8 must prevent code from being executed on file systems that
-contain user home directories.
-New: RHEL 8 must prevent code from being executed on file systems that contain user home directories.
----
-SV-230303:
-Old: RHEL 8 must prevent special devices on file systems that are used with
-removable media.
-New: RHEL 8 must prevent special devices on file systems that are used with removable media.
----
-SV-230304:
-Old: RHEL 8 must prevent code from being executed on file systems that are
-used with removable media.
-New: RHEL 8 must prevent code from being executed on file systems that are used with removable media.
----
-SV-230305:
-Old: RHEL 8 must prevent files with the setuid and setgid bit set from
-being executed on file systems that are used with removable media.
-New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
----
-SV-230306:
-Old: RHEL 8 must prevent code from being executed on file systems that are
-imported via Network File System (NFS).
-New: RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
----
-SV-230307:
-Old: RHEL 8 must prevent special devices on file systems that are imported
-via Network File System (NFS).
-New: RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
----
-SV-230308:
-Old: RHEL 8 must prevent files with the setuid and setgid bit set from
-being executed on file systems that are imported via Network File System (NFS).
-New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
----
-SV-230309:
-Old: Local RHEL 8 initialization files must not execute world-writable
-programs.
-New: Local RHEL 8 initialization files must not execute world-writable programs.
----
-SV-230316:
-Old: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at
-least two name servers must be configured.
-New: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
----
-SV-230317:
-Old: Executable search paths within the initialization files of all local
-interactive RHEL 8 users must only contain paths that resolve to the system
-default or the users home directory.
-New: Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
----
-SV-230318:
-Old: All RHEL 8 world-writable directories must be owned by root, sys, bin,
-or an application user.
-New: All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
----
-SV-230319:
-Old: All RHEL 8 world-writable directories must be group-owned by root,
-sys, bin, or an application group.
-New: All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
----
-SV-230320:
-Old: All RHEL 8 local interactive users must have a home directory assigned
-in the /etc/passwd file.
-New: All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
----
-SV-230321:
-Old: All RHEL 8 local interactive user home directories must have mode 0750
-or less permissive.
-New: All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
----
-SV-230322:
-Old: All RHEL 8 local interactive user home directories must be group-owned
-by the home directory owner’s primary group.
-New: All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
----
-SV-230323:
-Old: All RHEL 8 local interactive user home directories defined in the
-/etc/passwd file must exist.
-New: All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
----
-SV-230324:
-Old: All RHEL 8 local interactive user accounts must be assigned a home
-directory upon creation.
-New: All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
----
-SV-230325:
-Old: All RHEL 8 local initialization files must have mode 0740 or less
-permissive.
-New: All RHEL 8 local initialization files must have mode 0740 or less permissive.
----
-SV-230328:
-Old: A separate RHEL 8 filesystem must be used for user home directories
-(such as /home or an equivalent).
-New: A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
----
-SV-230329:
-Old: Unattended or automatic logon via the RHEL 8 graphical user interface
-must not be allowed.
-New: Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
----
-SV-230331:
-Old: RHEL 8 temporary user accounts must be provisioned with an expiration
-time of 72 hours or less.
-New: RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.
----
-SV-230332:
-Old: RHEL 8 must automatically lock an account when three unsuccessful
-logon attempts occur.
-New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
----
-SV-230333:
-Old: RHEL 8 must automatically lock an account when three unsuccessful
-logon attempts occur.
-New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
----
-SV-230334:
-Old: RHEL 8 must automatically lock an account when three unsuccessful
-logon attempts occur during a 15-minute time period.
-New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230335:
-Old: RHEL 8 must automatically lock an account when three unsuccessful
-logon attempts occur during a 15-minute time period.
-New: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230336:
-Old: RHEL 8 must automatically lock an account until the locked account is
-released by an administrator when three unsuccessful logon attempts occur
-during a 15-minute time period.
-New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230337:
-Old: RHEL 8 must automatically lock an account until the locked account is
-released by an administrator when three unsuccessful logon attempts occur
-during a 15-minute time period.
-New: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230340:
-Old: RHEL 8 must prevent system messages from being presented when three
-unsuccessful logon attempts occur.
-New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
----
-SV-230341:
-Old: RHEL 8 must prevent system messages from being presented when three
-unsuccessful logon attempts occur.
-New: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
----
-SV-230342:
-Old: RHEL 8 must log user name information when unsuccessful logon attempts
-occur.
-New: RHEL 8 must log user name information when unsuccessful logon attempts occur.
----
-SV-230343:
-Old: RHEL 8 must log user name information when unsuccessful logon attempts
-occur.
-New: RHEL 8 must log user name information when unsuccessful logon attempts occur.
----
-SV-230344:
-Old: RHEL 8 must include root when automatically locking an account until
-the locked account is released by an administrator when three unsuccessful
-logon attempts occur during a 15-minute time period.
-New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230345:
-Old: RHEL 8 must include root when automatically locking an account until
-the locked account is released by an administrator when three unsuccessful
-logon attempts occur during a 15-minute time period.
-New: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
----
-SV-230346:
-Old: RHEL 8 must limit the number of concurrent sessions to ten for all
-accounts and/or account types.
-New: RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
----
-SV-230347:
-Old: RHEL 8 must enable a user session lock until that user re-establishes
-access using established identification and authentication procedures for
-graphical user sessions.
-New: RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
----
-SV-230351:
-Old: RHEL 8 must be able to initiate directly a session lock for all
- connection types using smartcard when the smartcard is removed.
-New: RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.
----
-SV-230352:
-Old: RHEL 8 must automatically lock graphical user sessions after 15
-minutes of inactivity.
-New: RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.
----
-SV-230354:
-Old: RHEL 8 must prevent a user from overriding the session lock-delay
-setting for the graphical user interface.
-New: RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
----
-SV-230355:
-Old: RHEL 8 must map the authenticated identity to the user or group
-account for PKI-based authentication.
-New: RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.
----
-SV-230357:
-Old: RHEL 8 must enforce password complexity by requiring that at least one
-uppercase character be used.
-New: RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
----
-SV-230358:
-Old: RHEL 8 must enforce password complexity by requiring that at least one
-lower-case character be used.
-New: RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.
----
-SV-230359:
-Old: RHEL 8 must enforce password complexity by requiring that at least one
-numeric character be used.
-New: RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.
----
-SV-230360:
-Old: RHEL 8 must require the maximum number of repeating characters of the
-same character class be limited to four when passwords are changed.
-New: RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
----
-SV-230361:
-Old: RHEL 8 must require the maximum number of repeating characters be
-limited to three when passwords are changed.
-New: RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
---- -SV-230363: -Old: RHEL 8 must require the change of at least 8 characters when passwords -are changed. -New: RHEL 8 must require the change of at least 8 characters when passwords are changed. ---- -SV-230364: -Old: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime -restriction in /etc/shadow. -New: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. ---- -SV-230366: -Old: RHEL 8 user account passwords must have a 60-day maximum password -lifetime restriction. -New: RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction. ---- -SV-230367: -Old: RHEL 8 user account passwords must be configured so that existing -passwords are restricted to a 60-day maximum lifetime. -New: RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. ---- -SV-230372: -Old: RHEL 8 must implement smart card logon for multifactor authentication -for access to interactive accounts. -New: RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. ---- -SV-230373: -Old: RHEL 8 account identifiers (individuals, groups, roles, and devices) - must be disabled after 35 days of inactivity. -New: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. ---- -SV-230378: -Old: RHEL 8 must enforce a delay of at least four seconds between logon -prompts following a failed logon attempt. -New: RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. ---- -SV-230380: -Old: RHEL 8 must not allow accounts configured with blank or null -passwords. -New: RHEL 8 must not allow accounts configured with blank or null passwords. ---- -SV-230381: -Old: RHEL 8 must display the date and time of the last successful account -logon upon logon. 
-New: RHEL 8 must display the date and time of the last successful account logon upon logon. ---- -SV-230382: -Old: RHEL 8 must display the date and time of the last successful account -logon upon an SSH logon. -New: RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. ---- -SV-230383: -Old: RHEL 8 must define default permissions for all authenticated users in -such a way that the user can only read and modify their own files. -New: RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. ---- -SV-230384: -Old: RHEL 8 must set the umask value to 077 for all local interactive user -accounts. -New: RHEL 8 must set the umask value to 077 for all local interactive user accounts. ---- -SV-230386: -Old: The RHEL 8 audit system must be configured to audit the execution of -privileged functions and prevent all software from executing at higher -privilege levels than users executing the software. -New: The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. ---- -SV-230388: -Old: The RHEL 8 System Administrator (SA) and Information System Security -Officer (ISSO) (at a minimum) must be alerted of an audit processing failure -event. -New: The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. ---- -SV-230389: -Old: The RHEL 8 Information System Security Officer (ISSO) and System -Administrator (SA) (at a minimum) must have mail aliases to be notified of an -audit processing failure. -New: The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. 
---- -SV-230390: -Old: The RHEL 8 System must take appropriate action when an audit -processing failure occurs. -New: The RHEL 8 System must take appropriate action when an audit processing failure occurs. ---- -SV-230392: -Old: The RHEL 8 audit system must take appropriate action when the audit -storage volume is full. -New: The RHEL 8 audit system must take appropriate action when the audit storage volume is full. ---- -SV-230394: -Old: RHEL 8 must label all off-loaded audit logs before sending them to the -central log server. -New: RHEL 8 must label all off-loaded audit logs before sending them to the central log server. ---- -SV-230396: -Old: RHEL 8 audit logs must have a mode of 0600 or less permissive to -prevent unauthorized read access. -New: RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. ---- -SV-230397: -Old: RHEL 8 audit logs must be owned by root to prevent unauthorized read -access. -New: RHEL 8 audit logs must be owned by root to prevent unauthorized read access. ---- -SV-230398: -Old: RHEL 8 audit logs must be group-owned by root to prevent unauthorized -read access. -New: RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. ---- -SV-230399: -Old: RHEL 8 audit log directory must be owned by root to prevent -unauthorized read access. -New: RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. ---- -SV-230400: -Old: RHEL 8 audit log directory must be group-owned by root to prevent -unauthorized read access. -New: RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. ---- -SV-230401: -Old: RHEL 8 audit log directory must have a mode of 0700 or less permissive -to prevent unauthorized read access. -New: RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access. ---- -SV-230402: -Old: RHEL 8 audit system must protect auditing rules from unauthorized -change. 
-New: RHEL 8 audit system must protect auditing rules from unauthorized change. ---- -SV-230404: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/shadow. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. ---- -SV-230405: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect -/etc/security/opasswd. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. ---- -SV-230406: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/passwd. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. ---- -SV-230407: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/gshadow. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. ---- -SV-230408: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/group. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. ---- -SV-230409: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/sudoers. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. 
---- -SV-230410: -Old: RHEL 8 must generate audit records for all account creations, -modifications, disabling, and termination events that affect /etc/sudoers.d/. -New: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. ---- -SV-230412: -Old: Successful/unsuccessful uses of the su command in RHEL 8 must generate -an audit record. -New: Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. ---- -SV-230418: -Old: Successful/unsuccessful uses of the chage command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. ---- -SV-230419: -Old: Successful/unsuccessful uses of the chcon command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. ---- -SV-230421: -Old: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate -an audit record. -New: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. ---- -SV-230422: -Old: Successful/unsuccessful uses of the passwd command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. ---- -SV-230423: -Old: Successful/unsuccessful uses of the mount command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. ---- -SV-230424: -Old: Successful/unsuccessful uses of the umount command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. ---- -SV-230425: -Old: Successful/unsuccessful uses of the mount syscall in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. 
---- -SV-230426: -Old: Successful/unsuccessful uses of the unix_update in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. ---- -SV-230427: -Old: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. ---- -SV-230428: -Old: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. ---- -SV-230429: -Old: Successful/unsuccessful uses of semanage in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. ---- -SV-230430: -Old: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. ---- -SV-230431: -Old: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. ---- -SV-230432: -Old: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. ---- -SV-230433: -Old: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an -audit record. -New: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. ---- -SV-230434: -Old: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. ---- -SV-230435: -Old: Successful/unsuccessful uses of the setfacl command in RHEL 8 must -generate an audit record. 
-New: Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. ---- -SV-230436: -Old: Successful/unsuccessful uses of the pam_timestamp_check command in -RHEL 8 must generate an audit record. -New: Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. ---- -SV-230437: -Old: Successful/unsuccessful uses of the newgrp command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. ---- -SV-230444: -Old: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. ---- -SV-230446: -Old: Successful/unsuccessful uses of the delete_module command in RHEL 8 -must generate an audit record. -New: Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. ---- -SV-230447: -Old: Successful/unsuccessful uses of the crontab command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. ---- -SV-230448: -Old: Successful/unsuccessful uses of the chsh command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. ---- -SV-230462: -Old: Successful/unsuccessful uses of the sudo command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. ---- -SV-230463: -Old: Successful/unsuccessful uses of the usermod command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. ---- -SV-230464: -Old: Successful/unsuccessful uses of the chacl command in RHEL 8 must -generate an audit record. 
-New: Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. ---- -SV-230465: -Old: Successful/unsuccessful uses of the kmod command in RHEL 8 must -generate an audit record. -New: Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. ---- -SV-230466: -Old: Successful/unsuccessful modifications to the faillock log file in RHEL -8 must generate an audit record. -New: Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record. ---- -SV-230467: -Old: Successful/unsuccessful modifications to the lastlog file in RHEL 8 -must generate an audit record. -New: Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. ---- -SV-230468: -Old: RHEL 8 must enable auditing of processes that start prior to the audit -daemon. -New: RHEL 8 must enable auditing of processes that start prior to the audit daemon. ---- -SV-230469: -Old: RHEL 8 must allocate an audit_backlog_limit of sufficient size to -capture processes that start prior to the audit daemon. -New: RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. ---- -SV-230471: -Old: RHEL 8 must allow only the Information System Security Manager (ISSM) -(or individuals or roles appointed by the ISSM) to select which auditable -events are to be audited. -New: RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. ---- -SV-230475: -Old: RHEL 8 must use cryptographic mechanisms to protect the integrity of -audit tools. -New: RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. 
---- -SV-230476: -Old: RHEL 8 must allocate audit record storage capacity to store at least -one week of audit records, when audit records are not immediately sent to a -central audit record storage facility. -New: RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. ---- -SV-230477: -Old: RHEL 8 must have the packages required for offloading audit logs -installed. -New: RHEL 8 must have the packages required for offloading audit logs installed. ---- -SV-230478: -Old: RHEL 8 must have the packages required for encrypting offloaded audit -logs installed. -New: RHEL 8 must have the packages required for encrypting offloaded audit logs installed. ---- -SV-230479: -Old: The RHEL 8 audit records must be off-loaded onto a different system or -storage media from the system being audited. -New: The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited. ---- -SV-230480: -Old: RHEL 8 must take appropriate action when the internal event queue is -full. -New: RHEL 8 must take appropriate action when the internal event queue is full. ---- -SV-230481: -Old: RHEL 8 must encrypt the transfer of audit records off-loaded onto a -different system or media from the system being audited. -New: RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. ---- -SV-230482: -Old: RHEL 8 must authenticate the remote logging server for off-loading -audit logs. -New: RHEL 8 must authenticate the remote logging server for off-loading audit logs. ---- -SV-230483: -Old: RHEL 8 must take action when allocated audit record storage volume - reaches 75 percent of the repository maximum audit record storage capacity. 
-New: RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. ---- -SV-230484: -Old: RHEL 8 must securely compare internal information system clocks at -least every 24 hours with a server synchronized to an authoritative time -source, such as the United States Naval Observatory (USNO) time servers, or a -time server designated for the appropriate DoD network (NIPRNet/SIPRNet), -and/or the Global Positioning System (GPS). -New: RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). ---- -SV-230491: -Old: RHEL 8 must enable mitigations against processor-based -vulnerabilities. -New: RHEL 8 must enable mitigations against processor-based vulnerabilities. ---- -SV-230493: -Old: RHEL 8 must cover or disable the built-in or attached camera when not -in use. -New: RHEL 8 must cover or disable the built-in or attached camera when not in use. ---- -SV-230497: -Old: RHEL 8 must disable the transparent inter-process communication (TIPC) -protocol. -New: RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. ---- -SV-230500: -Old: RHEL 8 must be configured to prohibit or restrict the use of -functions, ports, protocols, and/or services, as defined in the Ports, -Protocols, and Services Management (PPSM) Category Assignments List (CAL) and -vulnerability assessments. -New: RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
---- -SV-230504: -Old: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy -for allowing connections to other systems. -New: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. ---- -SV-230524: -Old: RHEL 8 must block unauthorized peripherals before establishing a -connection. -New: RHEL 8 must block unauthorized peripherals before establishing a connection. ---- -SV-230525: -Old: A firewall must be able to protect against or limit the effects of -Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting -measures on impacted network interfaces. -New: A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. ---- -SV-230526: -Old: All RHEL 8 networked systems must have and implement SSH to protect -the confidentiality and integrity of transmitted and received information, as -well as information during preparation for transmission. -New: All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. ---- -SV-230527: -Old: RHEL 8 must force a frequent session key renegotiation for SSH -connections to the server. -New: RHEL 8 must force a frequent session key renegotiation for SSH connections to the server. ---- -SV-230530: -Old: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a -graphical user interface is installed. -New: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. ---- -SV-230531: -Old: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be -disabled. -New: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled. 
---- -SV-230533: -Old: The Trivial File Transfer Protocol (TFTP) server package must not be -installed if not required for RHEL 8 operational support. -New: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support. ---- -SV-230534: -Old: The root account must be the only account having unrestricted access -to the RHEL 8 system. -New: The root account must be the only account having unrestricted access to the RHEL 8 system. ---- -SV-230535: -Old: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) -redirect messages from being accepted. -New: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. ---- -SV-230536: -Old: RHEL 8 must not send Internet Control Message Protocol (ICMP) -redirects. -New: RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. ---- -SV-230537: -Old: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) -echoes sent to a broadcast address. -New: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. ---- -SV-230542: -Old: RHEL 8 must not accept router advertisements on all IPv6 interfaces by -default. -New: RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. ---- -SV-230543: -Old: RHEL 8 must not allow interfaces to perform Internet Control Message -Protocol (ICMP) redirects by default. -New: RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. ---- -SV-230544: -Old: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) -redirect messages. -New: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. ---- -SV-230545: -Old: RHEL 8 must disable access to network bpf syscall from unprivileged -processes. -New: RHEL 8 must disable access to network bpf syscall from unprivileged processes. 
---- -SV-230551: -Old: The RHEL 8 file integrity tool must be configured to verify extended -attributes. -New: The RHEL 8 file integrity tool must be configured to verify extended attributes. ---- -SV-230552: -Old: The RHEL 8 file integrity tool must be configured to verify Access -Control Lists (ACLs). -New: The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs). ---- -SV-230553: -Old: The graphical display manager must not be installed on RHEL 8 unless -approved. -New: The graphical display manager must not be installed on RHEL 8 unless approved. ---- -SV-230555: -Old: RHEL 8 remote X connections for interactive users must be disabled -unless to fulfill documented and validated mission requirements. -New: RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. ---- -SV-230556: -Old: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the -proxy display. -New: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display. ---- -SV-230557: -Old: If the Trivial File Transfer Protocol (TFTP) server is required, the -RHEL 8 TFTP daemon must be configured to operate in secure mode. -New: If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. ---- -SV-230558: -Old: A File Transfer Protocol (FTP) server package must not be installed -unless mission essential on RHEL 8. -New: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8. ---- -SV-230559: -Old: The gssproxy package must not be installed unless mission essential on -RHEL 8. -New: The gssproxy package must not be installed unless mission essential on RHEL 8. ---- -SV-230560: -Old: The iprutils package must not be installed unless mission essential on -RHEL 8. -New: The iprutils package must not be installed unless mission essential on RHEL 8. 
---- -SV-230561: -Old: The tuned package must not be installed unless mission essential on -RHEL 8. -New: The tuned package must not be installed unless mission essential on RHEL 8. ---- -SV-237642: -Old: RHEL 8 must use the invoking user's password for privilege escalation -when using "sudo". -New: RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". ---- -SV-244519: -Old: RHEL 8 must display a banner before granting local or remote access to -the system via a graphical user logon. -New: RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon. ---- -SV-244521: -Old: RHEL 8 operating systems booted with United Extensible Firmware -Interface (UEFI) must require a unique superusers name upon booting into -single-user mode and maintenance. -New: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance. ---- -SV-244523: -Old: RHEL 8 operating systems must require authentication upon booting into -emergency mode. -New: RHEL 8 operating systems must require authentication upon booting into emergency mode. ---- -SV-244524: -Old: The RHEL 8 pam_unix.so module must be configured in the system-auth -file to use a FIPS 140-2 approved cryptographic hashing algorithm for system -authentication. -New: The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. ---- -SV-244527: -Old: RHEL 8 must have the packages required to use the hardware random -number generator entropy gatherer service. -New: RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service. ---- -SV-244530: -Old: RHEL 8 must prevent files with the setuid and setgid bit set from -being executed on the /boot/efi directory. 
-New: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. ---- -SV-244531: -Old: All RHEL 8 local interactive user home directory files must have mode -0750 or less permissive. -New: All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. ---- -SV-244532: -Old: RHEL 8 must be configured so that all files and directories contained -in local interactive user home directories are group-owned by a group of which -the home directory owner is a member. -New: RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. ---- -SV-244533: -Old: RHEL 8 must configure the use of the pam_faillock.so module in the -/etc/pam.d/system-auth file. -New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. ---- -SV-244534: -Old: RHEL 8 must configure the use of the pam_faillock.so module in the -/etc/pam.d/password-auth file. -New: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. ---- -SV-244535: -Old: RHEL 8 must initiate a session lock for graphical user interfaces when -the screensaver is activated. -New: RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated. ---- -SV-244536: -Old: RHEL 8 must disable the user list at logon for graphical user -interfaces. -New: RHEL 8 must disable the user list at logon for graphical user interfaces. ---- -SV-244538: -Old: RHEL 8 must prevent a user from overriding the session idle-delay -setting for the graphical user interface. -New: RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface. ---- -SV-244539: -Old: RHEL 8 must prevent a user from overriding the screensaver -lock-enabled setting for the graphical user interface. 
-New: RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. ---- -SV-244541: -Old: RHEL 8 must not allow blank or null passwords in the password-auth -file. -New: RHEL 8 must not allow blank or null passwords in the password-auth file. ---- -SV-244542: -Old: RHEL 8 audit records must contain information to establish what type -of events occurred, the source of events, where events occurred, and the -outcome of events. -New: RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. ---- -SV-244543: -Old: RHEL 8 must notify the System Administrator (SA) and Information -System Security Officer (ISSO) (at a minimum) when allocated audit record -storage volume 75 percent utilization. -New: RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. ---- -SV-244546: -Old: The RHEL 8 fapolicy module must be configured to employ a deny-all, -permit-by-exception policy to allow the execution of authorized software -programs. -New: The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. ---- -SV-244550: -Old: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) -redirect messages from being accepted. -New: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. ---- -SV-244554: -Old: RHEL 8 must enable hardening for the Berkeley Packet Filter -Just-in-time compiler. -New: RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. ---- -SV-250315: -Old: RHEL 8 systems, versions 8.2 and above, must configure SELinux context - type to allow the use of a non-default faillock tally directory. 
-New: RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. ---- -SV-257258: -Old: RHEL 8 must terminate idle user sessions. -New: RHEL 8.7 and higher must terminate idle user sessions. ---- -
- -### Updated Descriptions -
- Click to expand. -SV-230221: -Old: -``` - -An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - - Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit . - - Note: The life-cycle time spans and dates are subject to adjustment. - -``` -New: -``` - -An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - -Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit . -Note: The life-cycle time spans and dates are subject to adjustment. - -``` ---- -SV-230222: -Old: -``` - -Timely patching is critical for maintaining the operational - availability, confidentiality, and integrity of information technology (IT) - systems. However, failure to keep operating system and application software - patched is a common mistake made by IT professionals. 
New patches are released - daily, and it is often difficult for even experienced System Administrators to - keep abreast of all the new patches. When new weaknesses in an operating system - exist, patches are usually made available by the vendor to resolve the - problems. If the most recent security patches and updates are not installed, - unauthorized users may take advantage of weaknesses in the unpatched software. - The lack of prompt attention to patching could result in a system compromise. - -``` -New: -``` - -Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. - -``` ---- -SV-230223: -Old: -``` - -Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. - -RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. 
- -The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. - -``` -New: -``` - -Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. - -RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. - -The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. - -``` ---- -SV-230224: -Old: -``` - -RHEL 8 systems handling data requiring "data at rest" protections - must employ cryptographic mechanisms to prevent unauthorized disclosure and - modification of the information at rest. - - Selection of a cryptographic mechanism is based on the need to protect the -integrity of organizational information. 
The strength of the mechanism is -commensurate with the security category and/or classification of the -information. Organizations have the flexibility to either encrypt all -information on storage devices (i.e., full disk encryption) or encrypt specific -data structures (e.g., files, records, or fields). - -``` -New: -``` - -RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. - -Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). - -``` ---- -SV-230225: -Old: -``` - -Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
- -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: - -"I've read & consent to terms in IS user agreem't." - -``` -New: -``` - -Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DOD policy. 
Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: - -"I've read & consent to terms in IS user agreem't." - -``` ---- -SV-230226: -Old: -``` - -Display of a standardized and approved use notification before -granting access to the operating system ensures privacy and security -notification verbiage used is consistent with applicable federal laws, -Executive Orders, directives, policies, regulations, standards, and guidance. 
- - System use notifications are required only for access via logon interfaces -with human users and are not required when such human interfaces do not exist. - - The banner must be formatted in accordance with applicable DoD policy. Use -the following verbiage for operating systems that can accommodate banners of -1300 characters: - - "You are accessing a U.S. Government (USG) Information System (IS) that is -provided for USG-authorized use only. - - By using this IS (which includes any device attached to this IS), you -consent to the following conditions: - - -The USG routinely intercepts and monitors communications on this IS for -purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct (PM), law enforcement -(LE), and counterintelligence (CI) investigations. - - -At any time, the USG may inspect and seize data stored on this IS. - - -Communications using, or data stored on, this IS are not private, are -subject to routine monitoring, interception, and search, and may be disclosed -or used for any USG-authorized purpose. - - -This IS includes security measures (e.g., authentication and access -controls) to protect USG interests--not for your personal benefit or privacy. - - -Notwithstanding the above, using this IS does not constitute consent to -PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services -by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User -Agreement for details." - -``` -New: -``` - -Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
- -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -``` ---- -SV-230227: -Old: -``` - -Display of a standardized and approved use notification before -granting access to the operating system ensures privacy and security -notification verbiage used is consistent with applicable federal laws, -Executive Orders, directives, policies, regulations, standards, and guidance. 
- - System use notifications are required only for access via logon interfaces -with human users and are not required when such human interfaces do not exist. - - The banner must be formatted in accordance with applicable DoD policy. Use -the following verbiage for operating systems that can accommodate banners of -1300 characters: - - "You are accessing a U.S. Government (USG) Information System (IS) that is -provided for USG-authorized use only. - - By using this IS (which includes any device attached to this IS), you -consent to the following conditions: - - -The USG routinely intercepts and monitors communications on this IS for -purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct (PM), law enforcement -(LE), and counterintelligence (CI) investigations. - - -At any time, the USG may inspect and seize data stored on this IS. - - -Communications using, or data stored on, this IS are not private, are -subject to routine monitoring, interception, and search, and may be disclosed -or used for any USG-authorized purpose. - - -This IS includes security measures (e.g., authentication and access -controls) to protect USG interests--not for your personal benefit or privacy. - - -Notwithstanding the above, using this IS does not constitute consent to -PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services -by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User -Agreement for details." - -``` -New: -``` - -Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
- -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: - -"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -``` ---- -SV-230229: -Old: -``` - -Without path validation, an informed trust decision by the relying -party cannot be made when presented with any certificate not already explicitly -trusted. - - A trust anchor is an authoritative entity represented via a public key and -associated data. 
It is used in the context of public key infrastructures, X.509 -digital certificates, and DNSSEC. - - When there is a chain of trust, usually the top entity to be trusted -becomes the trust anchor; it can be, for example, a Certification Authority -(CA). A certification path starts with the subject certificate and proceeds -through a number of intermediate certificates up to a trusted root certificate, -typically issued by a trusted CA. - - This requirement verifies that a certification path to an accepted trust -anchor is used for certificate validation and that the path includes status -information. Path validation is necessary for a relying party to make an -informed trust decision when presented with any certificate not already -explicitly trusted. Status information for certification paths includes -certificate revocation lists or online certificate status protocol responses. -Validation of the certificate status information is out of scope for this -requirement. - -``` -New: -``` - -Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. - -A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. - -When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. - -This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. 
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. - -``` ---- -SV-230230: -Old: -``` - -If an unauthorized user obtains access to a private key without a -passcode, that user would have unauthorized access to any system where the -associated public key has been installed. - -``` -New: -``` - -If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed. - -``` ---- -SV-230231: -Old: -``` - -Passwords need to be protected at all times, and encryption is the -standard method for protecting passwords. If passwords are not encrypted, they -can be plainly read (i.e., clear text) and easily compromised. - - Unapproved mechanisms that are used for authentication to the cryptographic -module are not verified and therefore cannot be relied upon to provide -confidentiality or integrity, and DoD data may be compromised. - - FIPS 140-2 is the current standard for validating that mechanisms used to -access cryptographic modules utilize authentication that meets DoD requirements. - -``` -New: -``` - -Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. - -Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
-
-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.
-
-```
----
-SV-230232:
-Old:
-```
-
-The system must use a strong hashing algorithm to store the password.
-
- Passwords need to be protected at all times, and encryption is the standard
-method for protecting passwords. If passwords are not encrypted, they can be
-plainly read (i.e., clear text) and easily compromised.
-
-```
-New:
-```
-
-The system must use a strong hashing algorithm to store the password.
-
-Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
-
-```
----
-SV-230233:
-Old:
-```
-
-The system must use a strong hashing algorithm to store the password.
-The system must use a sufficient number of hashing rounds to ensure the
-required level of entropy.
-
- Passwords need to be protected at all times, and encryption is the standard
-method for protecting passwords. If passwords are not encrypted, they can be
-plainly read (i.e., clear text) and easily compromised.
-
-```
-New:
-```
-
-The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
-
-Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
-
-```
----
-SV-230234:
-Old:
-```
-
-If the system does not require valid authentication before it boots
-into single-user or maintenance mode, anyone who invokes single-user or
-maintenance mode is granted privileged access to all files on the system. GRUB
-2 is the default boot loader for RHEL 8 and is designed to require a password
-to boot into single-user mode or make modifications to the boot menu.
-
-```
-New:
-```
-
-If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
-
-```
----
-SV-230235:
-Old:
-```
-
-If the system does not require valid authentication before it boots
-into single-user or maintenance mode, anyone who invokes single-user or
-maintenance mode is granted privileged access to all files on the system. GRUB
-2 is the default boot loader for RHEL 8 and is designed to require a password
-to boot into single-user mode or make modifications to the boot menu.
-
-```
-New:
-```
-
-If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
-
-```
----
-SV-230236:
-Old:
-```
-
-If the system does not require valid root authentication before it
-boots into emergency or rescue mode, anyone who invokes emergency or rescue
-mode is granted privileged access to all files on the system.
-
-```
-New:
-```
-
-If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.
-
-```
----
-SV-230237:
-Old:
-```
-
-Unapproved mechanisms that are used for authentication to the
-cryptographic module are not verified and therefore cannot be relied upon to
-provide confidentiality or integrity, and DoD data may be compromised.
-
- RHEL 8 systems utilizing encryption are required to use FIPS-compliant
-mechanisms for authenticating to cryptographic modules.
-
- FIPS 140-2 is the current standard for validating that mechanisms used to
-access cryptographic modules utilize authentication that meets DoD
-requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
-general-purpose computing system.
-
-```
-New:
-```
-
-Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
-
-RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
-
-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
-
-```
----
-SV-230238:
-Old:
-```
-
-Unapproved mechanisms that are used for authentication to the
-cryptographic module are not verified and therefore cannot be relied upon to
-provide confidentiality or integrity, and DoD data may be compromised.
-
- RHEL 8 systems utilizing encryption are required to use FIPS-compliant
-mechanisms for authenticating to cryptographic modules.
-
- The key derivation function (KDF) in Kerberos is not FIPS compatible.
-Ensuring the system does not have any keytab files present prevents system
-daemons from using Kerberos for authentication. A keytab is a file containing
-pairs of Kerberos principals and encrypted keys.
-
- FIPS 140-2 is the current standard for validating that mechanisms used to
-access cryptographic modules utilize authentication that meets DoD
-requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
-general-purpose computing system.
-
-```
-New:
-```
-
-Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
-
-RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
-
-The key derivation function (KDF) in Kerberos is not FIPS compatible. Ensuring the system does not have any keytab files present prevents system daemons from using Kerberos for authentication. A keytab is a file containing pairs of Kerberos principals and encrypted keys.
-
-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
-
-```
----
-SV-230239:
-Old:
-```
-
-Unapproved mechanisms that are used for authentication to the
-cryptographic module are not verified and therefore cannot be relied upon to
-provide confidentiality or integrity, and DoD data may be compromised.
-
- RHEL 8 systems utilizing encryption are required to use FIPS-compliant
-mechanisms for authenticating to cryptographic modules.
-
- Currently, Kerberos does not utilize FIPS 140-2 cryptography.
-
- FIPS 140-2 is the current standard for validating that mechanisms used to
-access cryptographic modules utilize authentication that meets DoD
-requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a
-general-purpose computing system.
- -``` -New: -``` - -Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. - -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -Currently, Kerberos does not utilize FIPS 140-2 cryptography. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. - -``` ---- -SV-230240: -Old: -``` - -Without verification of the security functions, security functions may -not operate correctly and the failure may go unnoticed. Security function is -defined as the hardware, software, and/or firmware of the information system -responsible for enforcing the system security policy and supporting the -isolation of code and data on which the protection is based. Security -functionality includes, but is not limited to, establishing system accounts, -configuring access authorizations (i.e., permissions, privileges), setting -events to be audited, and setting intrusion detection parameters. - - This requirement applies to operating systems performing security function -verification/testing and/or systems and environments that require this -functionality. - -``` -New: -``` - -Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. - -``` ---- -SV-230241: -Old: -``` - -Without verification of the security functions, security functions may -not operate correctly and the failure may go unnoticed. Security function is -defined as the hardware, software, and/or firmware of the information system -responsible for enforcing the system security policy and supporting the -isolation of code and data on which the protection is based. Security -functionality includes, but is not limited to, establishing system accounts, -configuring access authorizations (i.e., permissions, privileges), setting -events to be audited, and setting intrusion detection parameters. - - Policycoreutils contains the policy core utilities that are required for -basic operation of an SELinux-enabled system. These utilities include -load_policy to load SELinux policies, setfile to label filesystems, newrole to -switch roles, and run_init to run /etc/init.d scripts in the proper context. - -``` -New: -``` - -Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
-
-Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.
-
-```
----
-SV-230243:
-Old:
-```
-
-Preventing unauthorized information transfers mitigates the risk of
-information, including encrypted representations of information, produced by
-the actions of prior users/roles (or the actions of processes acting on behalf
-of prior users/roles) from being available to any current users/roles (or
-current processes) that obtain access to shared system resources (e.g.,
-registers, main memory, hard disks) after those resources have been released
-back to information systems. The control of information in shared resources is
-also commonly referred to as object reuse and residual information protection.
-
- This requirement generally applies to the design of an information
-technology product, but it can also apply to the configuration of particular
-information system components that are, or use, such products. This can be
-verified by acceptance/validation processes in DoD or other government agencies.
-
- There may be shared resources with configurable protections (e.g., files in
-storage) that may be assessed on specific information system components.
-
-```
-New:
-```
-
-Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems.
The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
-
-This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
-
-There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
-
-```
----
-SV-230244:
-Old:
-```
-
-Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
-
- Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
-
- RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client.
The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
-
-```
-New:
-```
-
-Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
-
-Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
-
-RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
-
-```
----
-SV-230245:
-Old:
-```
-
-Only authorized personnel should be aware of errors and the details of
-the errors. Error messages are an indicator of an organization's operational
-state or can identify the RHEL 8 system or platform. Additionally, Personally
-Identifiable Information (PII) and operational information must not be revealed
-through error messages to unauthorized personnel or their designated
-representatives.
-
- The structure and content of error messages must be carefully considered by
-the organization and development team. The extent to which the information
-system is able to identify and handle error conditions is guided by
-organizational policy and operational requirements.
-
-```
-New:
-```
-
-Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
-
-The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
-
-```
----
-SV-230246:
-Old:
-```
-
-Only authorized personnel should be aware of errors and the details of
-the errors. Error messages are an indicator of an organization's operational
-state or can identify the RHEL 8 system or platform. Additionally, Personally
-Identifiable Information (PII) and operational information must not be revealed
-through error messages to unauthorized personnel or their designated
-representatives.
-
- The structure and content of error messages must be carefully considered by
-the organization and development team.
The extent to which the information
-system is able to identify and handle error conditions is guided by
-organizational policy and operational requirements.
-
-```
-New:
-```
-
-Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
-
-The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
-
-```
----
-SV-230247:
-Old:
-```
-
-Only authorized personnel should be aware of errors and the details of
-the errors. Error messages are an indicator of an organization's operational
-state or can identify the RHEL 8 system or platform. Additionally, Personally
-Identifiable Information (PII) and operational information must not be revealed
-through error messages to unauthorized personnel or their designated
-representatives.
-
- The structure and content of error messages must be carefully considered by
-the organization and development team. The extent to which the information
-system is able to identify and handle error conditions is guided by
-organizational policy and operational requirements.
-
-```
-New:
-```
-
-Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
-
-The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
-
-```
----
-SV-230248:
-Old:
-```
-
-Only authorized personnel should be aware of errors and the details of
-the errors. Error messages are an indicator of an organization's operational
-state or can identify the RHEL 8 system or platform. Additionally, Personally
-Identifiable Information (PII) and operational information must not be revealed
-through error messages to unauthorized personnel or their designated
-representatives.
-
- The structure and content of error messages must be carefully considered by
-the organization and development team. The extent to which the information
-system is able to identify and handle error conditions is guided by
-organizational policy and operational requirements.
-
-```
-New:
-```
-
-Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
-
-The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
-
-```
----
-SV-230249:
-Old:
-```
-
-Only authorized personnel should be aware of errors and the details of
-the errors. Error messages are an indicator of an organization's operational
-state or can identify the RHEL 8 system or platform.
Additionally, Personally
-Identifiable Information (PII) and operational information must not be revealed
-through error messages to unauthorized personnel or their designated
-representatives.
-
- The structure and content of error messages must be carefully considered by
-the organization and development team. The extent to which the information
-system is able to identify and handle error conditions is guided by
-organizational policy and operational requirements.
-
-```
-New:
-```
-
-Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
-
-The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
-
-```
----
-SV-230250:
-Old:
-```
-
-Only authorized personnel should be aware of errors and the details of
-the errors. Error messages are an indicator of an organization's operational
-state or can identify the RHEL 8 system or platform. Additionally, Personally
-Identifiable Information (PII) and operational information must not be revealed
-through error messages to unauthorized personnel or their designated
-representatives.
-
- The structure and content of error messages must be carefully considered by
-the organization and development team. The extent to which the information
-system is able to identify and handle error conditions is guided by
-organizational policy and operational requirements.
-
-```
-New:
-```
-
-Only authorized personnel should be aware of errors and the details of the errors.
Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
-
-The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
-
-```
----
-SV-230251:
-Old:
-```
-
-Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.
-
-```
-New:
-```
-
-Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.
-
-The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.
-
-```
----
-SV-230252:
-Old:
-```
-
-Without cryptographic integrity protections, information can be
-altered by unauthorized users without detection.
-
- Remote access (e.g., RDP) is access to DoD nonpublic information systems by
-an authorized user (or an information system) communicating through an
-external, non-organization-controlled network. Remote access methods include,
-for example, dial-up, broadband, and wireless.
-
- Cryptographic mechanisms used for protecting the integrity of information
-include, for example, signed hash functions using asymmetric cryptography
-enabling distribution of the public key to verify the hash information while
-maintaining the confidentiality of the secret key used to generate the hash.
-
- RHEL 8 incorporates system-wide crypto policies by default.
The SSH
-configuration file has no effect on the ciphers, MACs, or algorithms unless
-specifically defined in the /etc/sysconfig/sshd file. The employed algorithms
-can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.
-
- The system will attempt to use the first hash presented by the client that
-matches the server list. Listing the values "strongest to weakest" is a
-method to ensure the use of the strongest hash available to secure the SSH
-connection.
-
-```
-New:
-```
-
-Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.
-
-The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.
-
-```
----
-SV-230253:
-Old:
-```
-
-The most important characteristic of a random number generator is its
-randomness, namely its ability to deliver random numbers that are impossible to
-predict.
Entropy in computer security is associated with the unpredictability
-of a source of randomness. The random source with high entropy tends to
-achieve a uniform distribution of random values. Random number generators are
-one of the most important building blocks of cryptosystems.
-
- The SSH implementation in RHEL8 uses the OPENSSL library, which does not
-use high-entropy sources by default. By using the SSH_USE_STRONG_RNG
-environment variable the OPENSSL random generator is reseeded from /dev/random.
- This setting is not recommended on computers without the hardware random
-generator because insufficient entropy causes the connection to be blocked
-until enough entropy is available.
-
-```
-New:
-```
-
-The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
-
-The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.
-
-```
----
-SV-230254:
-Old:
-```
-
-Without cryptographic integrity protections, information can be
-altered by unauthorized users without detection.
-
- Remote access (e.g., RDP) is access to DoD nonpublic information systems by
-an authorized user (or an information system) communicating through an
-external, non-organization-controlled network. Remote access methods include,
-for example, dial-up, broadband, and wireless.
-
- Cryptographic mechanisms used for protecting the integrity of information
-include, for example, signed hash functions using asymmetric cryptography
-enabling distribution of the public key to verify the hash information while
-maintaining the confidentiality of the secret key used to generate the hash.
-
- RHEL 8 incorporates system-wide crypto policies by default. The employed
-algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config
-file.
-
-```
-New:
-```
-
-Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file.
-
-```
----
-SV-230255:
-Old:
-```
-
-Without cryptographic integrity protections, information can be
-altered by unauthorized users without detection.
-
- Remote access (e.g., RDP) is access to DoD nonpublic information systems by
-an authorized user (or an information system) communicating through an
-external, non-organization-controlled network. Remote access methods include,
-for example, dial-up, broadband, and wireless.
-
- Cryptographic mechanisms used for protecting the integrity of information
-include, for example, signed hash functions using asymmetric cryptography
-enabling distribution of the public key to verify the hash information while
-maintaining the confidentiality of the secret key used to generate the hash.
-
- RHEL 8 incorporates system-wide crypto policies by default. The employed
-algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config
-file.
-
-```
-New:
-```
-
-Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file.
-
-```
----
-SV-230256:
-Old:
-```
-
-Without cryptographic integrity protections, information can be
-altered by unauthorized users without detection.
-
- Transport Layer Security (TLS) encryption is a required security setting as
-a number of known vulnerabilities have been reported against Secure Sockets
-Layer (SSL) and earlier versions of TLS. Encryption of private information is
-essential to ensuring data confidentiality. If private information is not
-encrypted, it can be intercepted and easily read by an unauthorized party.
SQL
-Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all
-non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52
-specifies the preferred configurations for government systems.
-
- Cryptographic mechanisms used for protecting the integrity of information
-include, for example, signed hash functions using asymmetric cryptography
-enabling distribution of the public key to verify the hash information while
-maintaining the confidentiality of the secret key used to generate the hash.
-
- The GnuTLS library offers an API to access secure communications protocols.
- SSLv2 is not available in the GnuTLS library. The RHEL 8 system-wide crypto
-policy defines employed algorithms in the
-/etc/crypto-policies/back-ends/gnutls.config file.
-
-```
-New:
-```
-
-Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library.
The RHEL 8 system-wide crypto policy defines employed algorithms in the /etc/crypto-policies/back-ends/gnutls.config file.
-
-```
----
-SV-230257:
-Old:
-```
-
-If RHEL 8 were to allow any user to make changes to software
-libraries, then those changes might be implemented without undergoing the
-appropriate testing and approvals that are part of a robust change management
-process.
-
- This requirement applies to RHEL 8 with software libraries that are
-accessible and configurable, as in the case of interpreted languages. Software
-libraries also include privileged programs that execute with escalated
-privileges. Only qualified and authorized individuals will be allowed to obtain
-access to information system components for purposes of initiating changes,
-including upgrades and modifications.
-
-```
-New:
-```
-
-If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
-
-This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
-
-```
----
-SV-230258:
-Old:
-```
-
-If RHEL 8 were to allow any user to make changes to software
-libraries, then those changes might be implemented without undergoing the
-appropriate testing and approvals that are part of a robust change management
-process.
-
- This requirement applies to RHEL 8 with software libraries that are
-accessible and configurable, as in the case of interpreted languages. Software
-libraries also include privileged programs that execute with escalated
-privileges.
Only qualified and authorized individuals will be allowed to obtain
-access to information system components for purposes of initiating changes,
-including upgrades and modifications.
-
-```
-New:
-```
-
-If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
-
-This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
-
-```
----
-SV-230259:
-Old:
-```
-
-If RHEL 8 were to allow any user to make changes to software
-libraries, then those changes might be implemented without undergoing the
-appropriate testing and approvals that are part of a robust change management
-process.
-
- This requirement applies to RHEL 8 with software libraries that are
-accessible and configurable, as in the case of interpreted languages. Software
-libraries also include privileged programs that execute with escalated
-privileges. Only qualified and authorized individuals will be allowed to obtain
-access to information system components for purposes of initiating changes,
-including upgrades and modifications.
-
-```
-New:
-```
-
-If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
-
-This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages.
Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
-
-```
----
-SV-230260:
-Old:
-```
-
-If RHEL 8 were to allow any user to make changes to software
-libraries, then those changes might be implemented without undergoing the
-appropriate testing and approvals that are part of a robust change management
-process.
-
- This requirement applies to RHEL 8 with software libraries that are
-accessible and configurable, as in the case of interpreted languages. Software
-libraries also include privileged programs that execute with escalated
-privileges. Only qualified and authorized individuals will be allowed to obtain
-access to information system components for purposes of initiating changes,
-including upgrades and modifications.
-
-```
-New:
-```
-
-If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
-
-This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
-
-```
----
-SV-230261:
-Old:
-```
-
-If RHEL 8 were to allow any user to make changes to software
-libraries, then those changes might be implemented without undergoing the
-appropriate testing and approvals that are part of a robust change management
-process.
- - This requirement applies to RHEL 8 with software libraries that are -accessible and configurable, as in the case of interpreted languages. Software -libraries also include privileged programs that execute with escalated -privileges. Only qualified and authorized individuals will be allowed to obtain -access to information system components for purposes of initiating changes, -including upgrades and modifications. - -``` -New: -``` - -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-230262: -Old: -``` - -If RHEL 8 were to allow any user to make changes to software -libraries, then those changes might be implemented without undergoing the -appropriate testing and approvals that are part of a robust change management -process. - - This requirement applies to RHEL 8 with software libraries that are -accessible and configurable, as in the case of interpreted languages. Software -libraries also include privileged programs that execute with escalated -privileges. Only qualified and authorized individuals will be allowed to obtain -access to information system components for purposes of initiating changes, -including upgrades and modifications. 
- -``` -New: -``` - -If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - -``` ---- -SV-230263: -Old: -``` - -Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. - -Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. - -This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. - -RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. 
This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. - -``` -New: -``` - -Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. - -Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. - -This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. - -RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. 
- -``` ---- -SV-230264: -Old: -``` - -Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the software -has not been tampered with and that it has been provided by a trusted vendor. - - Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. - - Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This verifies the -software has not been tampered with and that it has been provided by a trusted -vendor. Self-signed certificates are disallowed by this requirement. The -operating system should not have to verify the software again. This requirement -does not mandate DoD certificates for this purpose; however, the certificate -used to verify the software must be from an approved CA. - -``` -New: -``` - -Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. 
- -``` ---- -SV-230265: -Old: -``` - -Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the software -has not been tampered with and that it has been provided by a trusted vendor. - - Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. - - Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This verifies the -software has not been tampered with and that it has been provided by a trusted -vendor. Self-signed certificates are disallowed by this requirement. The -operating system should not have to verify the software again. This requirement -does not mandate DoD certificates for this purpose; however, the certificate -used to verify the software must be from an approved CA. - -``` -New: -``` - -Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. - -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. 
- -``` ---- -SV-230267: -Old: -``` - -Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - -When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
- -By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. -/etc/sysctl.d/*.conf -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf - -``` -New: -``` - -Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - -When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. 
Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - -By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. -/etc/sysctl.d/*.conf -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf - -``` ---- -SV-230268: -Old: -``` - -Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - - When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
- - By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - - /etc/sysctl.d/*.conf - /run/sysctl.d/*.conf - /usr/local/lib/sysctl.d/*.conf - /usr/lib/sysctl.d/*.conf - /lib/sysctl.d/*.conf - /etc/sysctl.conf - -``` -New: -``` - -Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - -When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. 
A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - -By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. -/etc/sysctl.d/*.conf -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf - -``` ---- -SV-230271: -Old: -``` - -Without reauthentication, users may access resources or perform tasks -for which they do not have authorization. 
- - When operating systems provide the capability to escalate a functional -capability, it is critical the user reauthenticate. - -``` -New: -``` - -Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - -``` ---- -SV-230272: -Old: -``` - -Without reauthentication, users may access resources or perform tasks -for which they do not have authorization. - - When operating systems provide the capability to escalate a functional -capability, it is critical the user reauthenticate. - -``` -New: -``` - -Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - -``` ---- -SV-230273: -Old: -``` - -Using an authentication device, such as a DoD Common Access Card (CAC) - or token that is separate from the information system, ensures that even if the - information system is compromised, credentials stored on the authentication - device will not be affected. - - Multifactor solutions that require devices separate from information - systems gaining access include, for example, hardware tokens providing - time-based or challenge-response authenticators and smart cards such as the - U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. - - A privileged account is defined as an information system account with - authorizations of a privileged user. - - Remote access is access to DoD nonpublic information systems by an - authorized user (or an information system) communicating through an external, - non-organization-controlled network. Remote access methods include, for - example, dial-up, broadband, and wireless. 
- - This requirement only applies to components where this is specific to the - function of the device or has the concept of an organizational user (e.g., VPN, - proxy capability). This does not apply to authentication for the purpose of - configuring the device itself (management). - -``` -New: -``` - -Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. - -A privileged account is defined as an information system account with authorizations of a privileged user. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - -``` ---- -SV-230274: -Old: -``` - -Using an authentication device, such as a DoD Common Access Card (CAC) - or token that is separate from the information system, ensures that even if the - information system is compromised, credentials stored on the authentication - device will not be affected. 
- - Multifactor solutions that require devices separate from information - systems gaining access include, for example, hardware tokens providing - time-based or challenge-response authenticators and smart cards such as the - U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. - - RHEL 8 includes multiple options for configuring certificate status -checking, but for this requirement focuses on the System Security Services -Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol -(OCSP) checking and certificate verification using a sha256 digest function. - -``` -New: -``` - -Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. - -Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. - -RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. - -``` ---- -SV-230275: -Old: -``` - -The use of PIV credentials facilitates standardization and reduces the - risk of unauthorized access. - - The DoD has mandated the use of the Common Access Card (CAC) to support - identity management and personal authentication for systems covered under - Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a - primary component of layered protection for national security systems. 
- -``` -New: -``` - -The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. - -The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. - -``` ---- -SV-230276: -Old: -``` - -Some adversaries launch attacks with the intent of executing code in -non-executable regions of memory or in memory locations that are prohibited. -Security safeguards employed to protect memory include, for example, data -execution prevention and address space layout randomization. Data execution -prevention safeguards can be either hardware-enforced or software-enforced with -hardware providing the greater strength of mechanism. - - Examples of attacks are buffer overflow attacks. - -``` -New: -``` - -Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Examples of attacks are buffer overflow attacks. - -``` ---- -SV-230277: -Old: -``` - -Some adversaries launch attacks with the intent of executing code in -non-executable regions of memory or in memory locations that are prohibited. -Security safeguards employed to protect memory include, for example, data -execution prevention and address space layout randomization. Data execution -prevention safeguards can be either hardware-enforced or software-enforced with -hardware providing the greater strength of mechanism. 
- - Poisoning writes an arbitrary value to freed pages, so any modification or -reference to that page after being freed or before being initialized will be -detected and prevented. This prevents many types of use-after-free -vulnerabilities at little performance cost. Also prevents leak of data and -detection of corrupted memory. - -``` -New: -``` - -Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. - -``` ---- -SV-230278: -Old: -``` - -Syscalls are special routines in the Linux kernel, which userspace -applications ask to do privileged tasks. Invoking a system call is an -expensive operation because the processor must interrupt the currently -executing task and switch context to kernel mode and then back to userspace -after the system call completes. Virtual Syscalls map into user space a page -that contains some variables and the implementation of some system calls. This -allows the system calls to be executed in userspace to alleviate the context -switching expense. - - Virtual Syscalls provide an opportunity of attack for a user who has -control of the return instruction pointer. Disabling vsyscalls help to prevent -return oriented programming (ROP) attacks via buffer overflows and overruns. 
If -the system intends to run containers based on RHEL 6 components, then virtual -syscalls will need enabled so the components function properly. - -``` -New: -``` - -Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. - -Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly. - -``` ---- -SV-230279: -Old: -``` - -Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. - -SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. 
- -``` -New: -``` - -Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. - -SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. - -``` ---- -SV-230281: -Old: -``` - -Previous versions of software components that are not removed from the -information system after updates have been installed may be exploited by -adversaries. Some information technology products may remove older versions of -software automatically from the information system. - -``` -New: -``` - -Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. - -``` ---- -SV-230282: -Old: -``` - -Without verification of the security functions, security functions may -not operate correctly and the failure may go unnoticed. Security function is -defined as the hardware, software, and/or firmware of the information system -responsible for enforcing the system security policy and supporting the -isolation of code and data on which the protection is based. 
Security -functionality includes, but is not limited to, establishing system accounts, -configuring access authorizations (i.e., permissions, privileges), setting -events to be audited, and setting intrusion detection parameters. - - This requirement applies to operating systems performing security function -verification/testing and/or systems and environments that require this -functionality. - -``` -New: -``` - -Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. - -``` ---- -SV-230283: -Old: -``` - -The "shosts.equiv" files are used to configure host-based -authentication for the system via SSH. Host-based authentication is not -sufficient for preventing unauthorized access to the system, as it does not -require interactive identification and authentication of a connection request, -or for the use of two-factor authentication. - -``` -New: -``` - -The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. 
- -``` ---- -SV-230284: -Old: -``` - -The ".shosts" files are used to configure host-based authentication -for individual users or the system via SSH. Host-based authentication is not -sufficient for preventing unauthorized access to the system, as it does not -require interactive identification and authentication of a connection request, -or for the use of two-factor authentication. - -``` -New: -``` - -The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. - -``` ---- -SV-230285: -Old: -``` - -The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. - -The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). - -``` -New: -``` - -The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. - -The rngd service feeds random data from hardware device to kernel random device. 
Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). - -``` ---- -SV-230286: -Old: -``` - -If a public host key file is modified by an unauthorized user, the SSH -service may be compromised. - -``` -New: -``` - -If a public host key file is modified by an unauthorized user, the SSH service may be compromised. - -``` ---- -SV-230287: -Old: -``` - -If an unauthorized user obtains the private SSH host key file, the -host could be impersonated. - -``` -New: -``` - -If an unauthorized user obtains the private SSH host key file, the host could be impersonated. - -``` ---- -SV-230288: -Old: -``` - -If other users have access to modify user-specific SSH configuration -files, they may be able to log on to the system as another user. - -``` -New: -``` - -If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user. - -``` ---- -SV-230290: -Old: -``` - -Configuring this setting for the SSH daemon provides additional -assurance that remote logon via SSH will require a password, even in the event -of misconfiguration elsewhere. - -``` -New: -``` - -Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. - -``` ---- -SV-230291: -Old: -``` - -Configuring these settings for the SSH daemon provides additional -assurance that remote logon via SSH will not use unused methods of -authentication, even in the event of misconfiguration elsewhere. - -``` -New: -``` - -Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. - -``` ---- -SV-230292: -Old: -``` - -The use of separate file systems for different paths can protect the -system from failures resulting from a file system becoming full or failing. 
- -``` -New: -``` - -The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - -``` ---- -SV-230293: -Old: -``` - -The use of separate file systems for different paths can protect the -system from failures resulting from a file system becoming full or failing. - -``` -New: -``` - -The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - -``` ---- -SV-230294: -Old: -``` - -The use of separate file systems for different paths can protect the -system from failures resulting from a file system becoming full or failing. - -``` -New: -``` - -The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - -``` ---- -SV-230295: -Old: -``` - -The use of separate file systems for different paths can protect the -system from failures resulting from a file system becoming full or failing. - -``` -New: -``` - -The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - -``` ---- -SV-230296: -Old: -``` - -Even though the communications channel may be encrypted, an additional -layer of security is gained by extending the policy of not logging on directly -as root. In addition, logging on with a user-specific account provides -individual accountability of actions performed on the system. - -``` -New: -``` - -Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system. 
- -``` ---- -SV-230298: -Old: -``` - -Configuring RHEL 8 to implement organization-wide security -implementation guides and security checklists ensures compliance with federal -standards and establishes a common security baseline across the DoD that -reflects the most restrictive security posture consistent with operational -requirements. - - Configuration settings are the set of parameters that can be changed in -hardware, software, or firmware components of the system that affect the -security posture and/or functionality of the system. Security-related -parameters are those parameters impacting the security state of the system, -including the parameters required to satisfy other security control -requirements. Security-related parameters include, for example: registry -settings; account, file, directory permission settings; and settings for -functions, ports, protocols, services, and remote connections. - -``` -New: -``` - -Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. - -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - -``` ---- -SV-230299: -Old: -``` - -The "nosuid" mount option causes the system not to execute -"setuid" and "setgid" files with owner privileges. 
This option must be used -for mounting any file system not containing approved "setuid" and "setguid" -files. Executing files from untrusted file systems increases the opportunity -for unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230300: -Old: -``` - -The "nosuid" mount option causes the system not to execute -"setuid" and "setgid" files with owner privileges. This option must be used -for mounting any file system not containing approved "setuid" and "setguid" -files. Executing files from untrusted file systems increases the opportunity -for unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230301: -Old: -``` - -The "nodev" mount option causes the system to not interpret -character or block special devices. Executing character or block special -devices from untrusted file systems increases the opportunity for unprivileged -users to attain unauthorized administrative access. The only legitimate -location for device files is the /dev directory located on the root partition. - -``` -New: -``` - -The "nodev" mount option causes the system to not interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition. - -``` ---- -SV-230302: -Old: -``` - -The "noexec" mount option causes the system not to execute binary -files. This option must be used for mounting any file system not containing -approved binary files, as they may be incompatible. Executing files from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - -``` -New: -``` - -The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230303: -Old: -``` - -The "nodev" mount option causes the system not to interpret -character or block special devices. Executing character or block special -devices from untrusted file systems increases the opportunity for unprivileged -users to attain unauthorized administrative access. - -``` -New: -``` - -The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230304: -Old: -``` - -The "noexec" mount option causes the system not to execute binary -files. This option must be used for mounting any file system not containing -approved binary files, as they may be incompatible. Executing files from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. 
- -``` -New: -``` - -The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230305: -Old: -``` - -The "nosuid" mount option causes the system not to execute -"setuid" and "setgid" files with owner privileges. This option must be used -for mounting any file system not containing approved "setuid" and "setguid" -files. Executing files from untrusted file systems increases the opportunity -for unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230306: -Old: -``` - -The "noexec" mount option causes the system not to execute binary -files. This option must be used for mounting any file system not containing -approved binary as they may be incompatible. Executing files from untrusted -file systems increases the opportunity for unprivileged users to attain -unauthorized administrative access. - -``` -New: -``` - -The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230307: -Old: -``` - -The "nodev" mount option causes the system to not interpret -character or block special devices. 
Executing character or block special -devices from untrusted file systems increases the opportunity for unprivileged -users to attain unauthorized administrative access. - -``` -New: -``` - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230308: -Old: -``` - -The "nosuid" mount option causes the system not to execute -"setuid" and "setgid" files with owner privileges. This option must be used -for mounting any file system not containing approved "setuid" and "setguid" -files. Executing files from untrusted file systems increases the opportunity -for unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230309: -Old: -``` - -If user start-up files execute world-writable programs, especially in -unprotected directories, they could be maliciously modified to destroy user -files or otherwise compromise the system at the user level. If the system is -compromised at the user level, it is easier to elevate privileges to eventually -compromise the system at the root and network level. - -``` -New: -``` - -If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. 
If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. - -``` ---- -SV-230310: -Old: -``` - -Kernel core dumps may contain the full contents of system memory at -the time of the crash. Kernel core dumps may consume a considerable amount of -disk space and may result in denial of service by exhausting the available -space on the target file system partition. - - RHEL 8 installation media presents the option to enable or disable the -kdump service at the time of system installation. - -``` -New: -``` - -Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. - -RHEL 8 installation media presents the option to enable or disable the kdump service at the time of system installation. - -``` ---- -SV-230312: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - A core dump includes a memory image taken at the time the operating system -terminates an application. The memory image could contain sensitive data and is -generally useful only for developers trying to debug problems. - - When the kernel invokes systemd-coredumpt to handle a core dump, it runs in -privileged mode, and will connect to the socket created by the -systemd-coredump.socket unit. This, in turn, will spawn an unprivileged - instance to process the core dump. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - -When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged instance to process the core dump. - -``` ---- -SV-230313: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - A core dump includes a memory image taken at the time the operating system -terminates an application. The memory image could contain sensitive data and is -generally useful only for developers trying to debug problems. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - -``` ---- -SV-230314: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. 
These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - A core dump includes a memory image taken at the time the operating system -terminates an application. The memory image could contain sensitive data and is -generally useful only for developers trying to debug problems. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - -``` ---- -SV-230315: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - A core dump includes a memory image taken at the time the operating system -terminates an application. The memory image could contain sensitive data and is -generally useful only for developers trying to debug problems. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - -``` ---- -SV-230316: -Old: -``` - -To provide availability for name resolution services, multiple -redundant name servers are mandated. A failure in name resolution could lead to -the failure of security functions requiring name resolution, which may include -time synchronization, centralized authentication, and remote system logging. - -``` -New: -``` - -To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. - -``` ---- -SV-230317: -Old: -``` - -The executable search path (typically the PATH environment variable) -contains a list of directories for the shell to search to find executables. If -this path includes the current working directory (other than the user's home -directory), executables in these directories may be executed instead of system -commands. This variable is formatted as a colon-separated list of directories. -If there is an empty entry, such as a leading or trailing colon or two -consecutive colons, this is interpreted as the current working directory. If -deviations from the default system search path for the local interactive user -are required, they must be documented with the Information System Security -Officer (ISSO). - -``` -New: -``` - -The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. 
If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). - -``` ---- -SV-230318: -Old: -``` - -If a world-writable directory is not owned by root, sys, bin, or an -application User Identifier (UID), unauthorized users may be able to modify -files created by others. - - The only authorized public directories are those temporary directories -supplied with the system or those designed to be temporary file repositories. -The setting is normally reserved for directories used by the system and by -users for temporary file storage, (e.g., /tmp), and for directories requiring -global read/write access. - -``` -New: -``` - -If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. - -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. - -``` ---- -SV-230319: -Old: -``` - -If a world-writable directory is not group-owned by root, sys, bin, or -an application Group Identifier (GID), unauthorized users may be able to modify -files created by others. - - The only authorized public directories are those temporary directories -supplied with the system or those designed to be temporary file repositories. -The setting is normally reserved for directories used by the system and by -users for temporary file storage, (e.g., /tmp), and for directories requiring -global read/write access. 
- -``` -New: -``` - -If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. - -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. - -``` ---- -SV-230320: -Old: -``` - -If local interactive users are not assigned a valid home directory, -there is no place for the storage and control of files they should own. - -``` -New: -``` - -If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. - -``` ---- -SV-230321: -Old: -``` - -Excessive permissions on local interactive user home directories may -allow unauthorized access to user files by other users. - -``` -New: -``` - -Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. - -``` ---- -SV-230322: -Old: -``` - -If the Group Identifier (GID) of a local interactive user’s home -directory is not the same as the primary GID of the user, this would allow -unauthorized access to the user’s files, and users that share the same group -may not be able to access files that they legitimately should. - -``` -New: -``` - -If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should. 
- -``` ---- -SV-230323: -Old: -``` - -If a local interactive user has a home directory defined that does not -exist, the user may be given access to the "/" directory as the current -working directory upon logon. This could create a denial of service because the -user would not be able to access their logon configuration files, and it may -give them visibility to system files they normally would not be able to access. - -``` -New: -``` - -If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working directory upon logon. This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. - -``` ---- -SV-230324: -Old: -``` - -If local interactive users are not assigned a valid home directory, -there is no place for the storage and control of files they should own. - -``` -New: -``` - -If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. - -``` ---- -SV-230325: -Old: -``` - -Local initialization files are used to configure the user's shell -environment upon logon. Malicious modification of these files could compromise -accounts upon logon. - -``` -New: -``` - -Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. - -``` ---- -SV-230326: -Old: -``` - -Unowned files and directories may be unintentionally inherited if a -user is assigned the same User Identifier "UID" as the UID of the un-owned -files. - -``` -New: -``` - -Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files. 
- -``` ---- -SV-230327: -Old: -``` - -Files without a valid group owner may be unintentionally inherited if -a group is assigned the same Group Identifier (GID) as the GID of the files -without a valid group owner. - -``` -New: -``` - -Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner. - -``` ---- -SV-230328: -Old: -``` - -The use of separate file systems for different paths can protect the -system from failures resulting from a file system becoming full or failing. - -``` -New: -``` - -The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - -``` ---- -SV-230329: -Old: -``` - -Failure to restrict system access to authenticated users negatively -impacts operating system security. - -``` -New: -``` - -Failure to restrict system access to authenticated users negatively impacts operating system security. - -``` ---- -SV-230330: -Old: -``` - -SSH environment options potentially allow users to bypass access -restriction in some configurations. - -``` -New: -``` - -SSH environment options potentially allow users to bypass access restriction in some configurations. - -``` ---- -SV-230331: -Old: -``` - -If temporary user accounts remain active when no longer needed or for -an excessive period, these accounts may be used to gain unauthorized access. To -mitigate this risk, automated termination of all temporary accounts must be set -upon account creation. - - Temporary accounts are established as part of normal account activation -procedures when there is a need for short-term accounts without the demand for -immediacy in account activation. - - If temporary accounts are used, RHEL 8 must be configured to automatically -terminate these types of accounts after a DoD-defined time period of 72 hours. 
- - To address access requirements, many RHEL 8 operating systems may be -integrated with enterprise-level authentication/access mechanisms that meet or -exceed access control policy requirements. - -``` -New: -``` - -If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. - -Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. - -If temporary accounts are used, RHEL 8 must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. - -To address access requirements, many RHEL 8 operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. - -``` ---- -SV-230332: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. 
Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230333: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. 
- -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230334: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230335: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. 
Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230336: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. 
If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230337: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
- -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230338: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. 
- -``` ---- -SV-230339: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230340: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. 
Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230341: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. 
If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230342: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) 
users to allow the centralized platform to solely manage user lockout. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -``` ---- -SV-230343: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. 
If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230344: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that -manual changes to the listed files may be overwritten by the "authselect" -program. - - From "Pam_Faillock" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) 
users to allow the centralized platform to solely manage user lockout. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. - -From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -``` ---- -SV-230345: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. 
If that is undesirable a different tally -directory must be set with the "dir" option. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - -``` ---- -SV-230346: -Old: -``` - -Operating system management includes the ability to control the number -of users and user sessions that utilize an operating system. Limiting the -number of allowed users and sessions per user is helpful in reducing the risks -related to DoS attacks. - - This requirement addresses concurrent sessions for information system -accounts and does not address concurrent sessions by single users via multiple -system accounts. The maximum number of concurrent sessions should be defined -based on mission needs and the operational environment for each system. - -``` -New: -``` - -Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. 
- -This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. - -``` ---- -SV-230347: -Old: -``` - -A session lock is a temporary action taken when a user stops work and -moves away from the immediate physical vicinity of the information system but -does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be -determined. - - Regardless of where the session lock is determined and implemented, once -invoked, the session lock must remain in place until the user reauthenticates. -No other activity aside from reauthentication must unlock the system. - -``` -New: -``` - -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. - -``` ---- -SV-230351: -Old: -``` - -A session lock is a temporary action taken when a user stops work and - moves away from the immediate physical vicinity of the information system but - does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be - determined. 
Rather than be forced to wait for a period of time to expire before - the user session can be locked, RHEL 8 needs to provide users with the ability - to manually invoke a session lock so users can secure their session if it is - necessary to temporarily vacate the immediate physical vicinity. - -``` -New: -``` - -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - -``` ---- -SV-230352: -Old: -``` - -A session lock is a temporary action taken when a user stops work and -moves away from the immediate physical vicinity of the information system but -does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be -determined. Rather than be forced to wait for a period of time to expire before -the user session can be locked, RHEL 8 needs to provide users with the ability -to manually invoke a session lock so users can secure their session if it is -necessary to temporarily vacate the immediate physical vicinity. - -``` -New: -``` - -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. 
Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - -``` ---- -SV-230354: -Old: -``` - -A session time-out lock is a temporary action taken when a user stops -work and moves away from the immediate physical vicinity of the information -system but does not log out because of the temporary nature of the absence. -Rather than relying on the user to manually lock their operating system session -prior to vacating the vicinity, operating systems need to be able to identify -when a user's session has idled and take action to initiate the session lock. - - The session lock is implemented at the point where session activity can be -determined and/or controlled. - - Implementing session settings will have little value if a user is able to -manipulate these settings from the defaults prescribed in the other -requirements of this implementation guide. - - Locking these settings from non-privileged users is crucial to maintaining -a protected baseline. - -``` -New: -``` - -A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled. - -Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. 
-
-Locking these settings from non-privileged users is crucial to maintaining a protected baseline.
-
-```
---
-SV-230355:
-Old:
-```
-
-Without mapping the certificate used to authenticate to the user
-account, the ability to determine the identity of the individual user or group
-will not be available for forensic analysis.
-
- There are various methods of mapping certificates to user/group accounts
-for RHEL 8. For the purposes of this requirement, the check and fix will
-account for Active Directory mapping. Some of the other possible methods
-include joining the system to a domain and utilizing a Red Hat idM server, or a
-local system mapping, where the system is not part of a domain.
-
-```
-New:
-```
-
-Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
-
-There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain.
-
-```
---
-SV-230357:
-Old:
-```
-
-Use of a complex password helps to increase the time and resources
-required to compromise the password. Password complexity, or strength, is a
-measure of the effectiveness of a password in resisting attempts at guessing
-and brute-force attacks.
-
- Password complexity is one factor of several that determines how long it
-takes to crack a password. The more complex the password, the greater the
-number of possible combinations that need to be tested before the password is
-compromised.
-
- RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. 
-Note that in order to require uppercase characters, without degrading the
-"minlen" value, the credit value must be expressed as a negative number in
-"/etc/security/pwquality.conf".
-
-```
-New:
-```
-
-Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-
-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
-
-RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
-
-```
---
-SV-230358:
-Old:
-```
-
-Use of a complex password helps to increase the time and resources
-required to compromise the password. Password complexity, or strength, is a
-measure of the effectiveness of a password in resisting attempts at guessing
-and brute-force attacks.
-
- Password complexity is one factor of several that determines how long it
-takes to crack a password. The more complex the password, the greater the
-number of possible combinations that need to be tested before the password is
-compromised.
-
- RHEL 8 utilizes pwquality as a mechanism to enforce password complexity.
-Note that in order to require lower-case characters without degrading the
-"minlen" value, the credit value must be expressed as a negative number in
-"/etc/security/pwquality.conf".
-
-```
-New:
-```
-
-Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-
-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
-
-RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
-
-```
---
-SV-230359:
-Old:
-```
-
-Use of a complex password helps to increase the time and resources
-required to compromise the password. Password complexity, or strength, is a
-measure of the effectiveness of a password in resisting attempts at guessing
-and brute-force attacks.
-
- Password complexity is one factor of several that determines how long it
-takes to crack a password. The more complex the password, the greater the
-number of possible combinations that need to be tested before the password is
-compromised.
-
- RHEL 8 utilizes "pwquality" as a mechanism to enforce password
-complexity. Note that in order to require numeric characters, without degrading
-the minlen value, the credit value must be expressed as a negative number in
-"/etc/security/pwquality.conf".
-
-```
-New:
-```
-
-Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-
-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
-
-RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
-
-```
---
-SV-230360:
-Old:
-```
-
-Use of a complex password helps to increase the time and resources
-required to compromise the password. Password complexity, or strength, is a
-measure of the effectiveness of a password in resisting attempts at guessing
-and brute-force attacks.
-
- Password complexity is one factor of several that determines how long it
-takes to crack a password. The more complex the password, the greater the
-number of possible combinations that need to be tested before the password is
-compromised.
-
- RHEL 8 utilizes "pwquality" as a mechanism to enforce password
-complexity. The "maxclassrepeat" option sets the maximum number of allowed
-same consecutive characters in the same class in the new password.
-
-```
-New:
-```
-
-Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-
-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
-
-RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password.
-
-```
---
-SV-230361:
-Old:
-```
-
-Use of a complex password helps to increase the time and resources
-required to compromise the password. Password complexity, or strength, is a
-measure of the effectiveness of a password in resisting attempts at guessing
-and brute-force attacks. 
-
- Password complexity is one factor of several that determines how long it
-takes to crack a password. The more complex the password, the greater the
-number of possible combinations that need to be tested before the password is
-compromised.
-
- RHEL 8 utilizes "pwquality" as a mechanism to enforce password
-complexity. The "maxrepeat" option sets the maximum number of allowed same
-consecutive characters in a new password.
-
-```
-New:
-```
-
-Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-
-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
-
-RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password.
-
-```
---
-SV-230362:
-Old:
-```
-
-Use of a complex password helps to increase the time and resources
-required to compromise the password. Password complexity, or strength, is a
-measure of the effectiveness of a password in resisting attempts at guessing
-and brute-force attacks.
-
- Password complexity is one factor of several that determines how long it
-takes to crack a password. The more complex the password, the greater the
-number of possible combinations that need to be tested before the password is
-compromised.
-
- RHEL 8 utilizes "pwquality" as a mechanism to enforce password
-complexity. The "minclass" option sets the minimum number of required classes
-of characters for the new password (digits, uppercase, lowercase, others).
-
-```
-New:
-```
-
-Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-
-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
-
-RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "minclass" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others).
-
-```
---
-SV-230363:
-Old:
-```
-
-Use of a complex password helps to increase the time and resources
-required to compromise the password. Password complexity, or strength, is a
-measure of the effectiveness of a password in resisting attempts at guessing
-and brute-force attacks.
-
- Password complexity is one factor of several that determines how long it
-takes to crack a password. The more complex the password, the greater the
-number of possible combinations that need to be tested before the password is
-compromised.
-
- RHEL 8 utilizes "pwquality" as a mechanism to enforce password
-complexity. The "difok" option sets the number of characters in a password
-that must not be present in the old password.
-
-```
-New:
-```
-
-Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-
-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
-
-RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. 
The "difok" option sets the number of characters in a password that must not be present in the old password.
-
-```
---
-SV-230364:
-Old:
-```
-
-Enforcing a minimum password lifetime helps to prevent repeated
-password changes to defeat the password reuse or history enforcement
-requirement. If users are allowed to immediately and continually change their
-password, the password could be repeatedly changed in a short period of time to
-defeat the organization's policy regarding password reuse.
-
-```
-New:
-```
-
-Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
-
-```
---
-SV-230365:
-Old:
-```
-
-Enforcing a minimum password lifetime helps to prevent repeated
-password changes to defeat the password reuse or history enforcement
-requirement. If users are allowed to immediately and continually change their
-password, the password could be repeatedly changed in a short period of time to
-defeat the organization's policy regarding password reuse.
-
-```
-New:
-```
-
-Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
-
-```
---
-SV-230366:
-Old:
-```
-
-Any password, no matter how complex, can eventually be cracked.
-Therefore, passwords need to be changed periodically. If RHEL 8 does not limit
-the lifetime of passwords and force users to change their passwords, there is
-the risk that RHEL 8 passwords could be compromised. 
-
-```
-New:
-```
-
-Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.
-
-```
---
-SV-230367:
-Old:
-```
-
-Any password, no matter how complex, can eventually be cracked.
-Therefore, passwords need to be changed periodically. If RHEL 8 does not limit
-the lifetime of passwords and force users to change their passwords, there is
-the risk that RHEL 8 passwords could be compromised.
-
-```
-New:
-```
-
-Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.
-
-```
---
-SV-230369:
-Old:
-```
-
-The shorter the password, the lower the number of possible
-combinations that need to be tested before the password is compromised.
-
- Password complexity, or strength, is a measure of the effectiveness of a
-password in resisting attempts at guessing and brute-force attacks. Password
-length is one factor of several that helps to determine strength and how long
-it takes to crack a password. Use of more characters in a password helps to
-increase exponentially the time and/or resources required to compromise the
-password.
-
- RHEL 8 utilizes "pwquality" as a mechanism to enforce password
-complexity. Configurations are set in the "etc/security/pwquality.conf" file.
-
- The "minlen", sometimes noted as minimum length, acts as a "score" of
-complexity based on the credit components of the "pwquality" module. By
-setting the credit components to a negative value, not only will those
-components be required, they will not count towards the total "score" of
-"minlen". This will enable "minlen" to require a 15-character minimum. 
-
- The DoD minimum password requirement is 15 characters.
-
-```
-New:
-```
-
-The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
-
-Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
-
-RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file.
-
-The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum.
-
-The DoD minimum password requirement is 15 characters.
-
-```
---
-SV-230370:
-Old:
-```
-
-The shorter the password, the lower the number of possible
-combinations that need to be tested before the password is compromised.
-
- Password complexity, or strength, is a measure of the effectiveness of a
-password in resisting attempts at guessing and brute-force attacks. Password
-length is one factor of several that helps to determine strength and how long
-it takes to crack a password. Use of more characters in a password helps to
-increase exponentially the time and/or resources required to compromise the
-password.
-
- The DoD minimum password requirement is 15 characters.
-
-```
-New:
-```
-
-The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
-
-Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
-
-The DoD minimum password requirement is 15 characters.
-
-```
---
-SV-230371:
-Old:
-```
-
-To ensure accountability and prevent unauthenticated access,
-interactive users must be identified and authenticated to prevent potential
-misuse and compromise of the system.
-
- Interactive users include organizational employees or individuals the
-organization deems to have equivalent status of employees (e.g., contractors).
-Interactive users (and processes acting on behalf of users) must be uniquely
-identified and authenticated to all accesses, except for the following:
-
- 1) Accesses explicitly identified and documented by the organization.
-Organizations document specific user actions that can be performed on the
-information system without identification or authentication; and
-
- 2) Accesses that occur through authorized use of group authenticators
-without individual authentication. Organizations may require unique
-identification of individuals in group accounts (e.g., shared privilege
-accounts) or for detailed accountability of individual activity.
-
-```
-New:
-```
-
-To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
-
-Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). 
Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
-
-1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and
-
-2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
-
-```
---
-SV-230372:
-Old:
-```
-
-Using an authentication device, such as a Common Access Card (CAC) or
-token that is separate from the information system, ensures that even if the
-information system is compromised, that compromise will not affect credentials
-stored on the authentication device.
-
- Multifactor solutions that require devices separate from information
-systems gaining access include, for example, hardware tokens providing
-time-based or challenge-response authenticators and smart cards such as the
-U.S. Government Personal Identity Verification card and the DoD CAC.
-
- There are various methods of implementing multifactor authentication for
-RHEL 8. Some methods include a local system multifactor account mapping or
-joining the system to a domain and utilizing a Red Hat idM server or Microsoft
-Windows Active Directory server. Any of these methods will require that the
-client operating system handle the multifactor authentication correctly.
-
-```
-New:
-```
-
-Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. 
-
-Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD CAC.
-
-There are various methods of implementing multifactor authentication for RHEL 8. Some methods include a local system multifactor account mapping or joining the system to a domain and utilizing a Red Hat idM server or Microsoft Windows Active Directory server. Any of these methods will require that the client operating system handle the multifactor authentication correctly.
-
-```
---
-SV-230373:
-Old:
-```
-
-Inactive identifiers pose a risk to systems and applications because
- attackers may exploit an inactive identifier and potentially obtain undetected
- access to the system. Owners of inactive accounts will not notice if
- unauthorized access to their user account has been obtained.
-
- RHEL 8 needs to track periods of inactivity and disable application
- identifiers after 35 days of inactivity.
-
-```
-New:
-```
-
-Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
-
-RHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.
-
-```
---
-SV-230374:
-Old:
-```
-
-Temporary accounts are privileged or nonprivileged accounts that are
- established during pressing circumstances, such as new software or hardware
- configuration or an incident response, where the need for prompt account
- activation requires bypassing normal account authorization procedures. 
-
- If any inactive temporary accounts are left enabled on the system and are
- not either manually removed or automatically expired within 72 hours, the
- security posture of the system will be degraded and exposed to exploitation
- by unauthorized users or insider threat actors.
-
- Temporary accounts are different from emergency accounts. Emergency accounts,
- also known as "last resort" or "break glass" accounts, are local logon accounts
- enabled on the system for emergency use by authorized system administrators
- to manage a system when standard logon methods are failing or not available.
-
- Emergency accounts are not subject to manual removal or scheduled expiration
- requirements.
-
- The automatic expiration of temporary accounts may be extended as needed by
- the circumstances but it must not be extended indefinitely. A documented
- permanent account should be established for privileged users who need long-term
- maintenance accounts.
-
-```
-New:
-```
-
-Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors.
-
-Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. 
-
-The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts.
-
-```
---
-SV-230375:
-Old:
-```
-
-Use of a complex password helps to increase the time and resources
-required to compromise the password. Password complexity, or strength, is a
-measure of the effectiveness of a password in resisting attempts at guessing
-and brute-force attacks.
-
- Password complexity is one factor of several that determines how long it
-takes to crack a password. The more complex the password, the greater the
-number of possible combinations that need to be tested before the password is
-compromised.
-
- RHEL 8 utilizes "pwquality" as a mechanism to enforce password
-complexity. Note that to require special characters without degrading the
-"minlen" value, the credit value must be expressed as a negative number in
-"/etc/security/pwquality.conf".
-
-```
-New:
-```
-
-Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-
-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
-
-RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf".
-
-```
---
-SV-230376:
-Old:
-```
-
-If cached authentication information is out-of-date, the validity of
-the authentication information may be questionable. 
-
-RHEL 8 includes multiple options for configuring authentication, but this
-requirement will be focus on the System Security Services Daemon (SSSD). By
-default sssd does not cache credentials.
-
-```
-New:
-```
-
-If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
-
-RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials.
-
-```
---
-SV-230377:
-Old:
-```
-
-If RHEL 8 allows the user to select passwords based on dictionary
-words, this increases the chances of password compromise by increasing the
-opportunity for successful guesses, and brute-force attacks.
-
-```
-New:
-```
-
-If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.
-
-```
---
-SV-230378:
-Old:
-```
-
-Configuring the operating system to implement organization-wide
-security implementation guides and security checklists verifies compliance with
-federal standards and establishes a common security baseline across the DoD
-that reflects the most restrictive security posture consistent with operational
-requirements.
-
- Configuration settings are the set of parameters that can be changed in
-hardware, software, or firmware components of the system that affect the
-security posture and/or functionality of the system. Security-related
-parameters are those parameters impacting the security state of the system,
-including the parameters required to satisfy other security control
-requirements. Security-related parameters include, for example, registry
-settings; account, file, and directory permission settings; and settings for
-functions, ports, protocols, services, and remote connections. 
-
-```
-New:
-```
-
-Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
-
-Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
-
-```
---
-SV-230379:
-Old:
-```
-
-Accounts providing no operational purpose provide additional
-opportunities for system compromise. Unnecessary accounts include user accounts
-for individuals not requiring access to the system and application accounts for
-applications not installed on the system.
-
-```
-New:
-```
-
-Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
-
-```
---
-SV-230380:
-Old:
-```
-
-If an account has an empty password, anyone could log on and run
-commands with the privileges of that account. Accounts with empty passwords
-should never be used in operational environments.
-
-```
-New:
-```
-
-If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. 
-
-```
---
-SV-230381:
-Old:
-```
-
-Providing users with feedback on when account accesses last occurred
-facilitates user recognition and reporting of unauthorized account use.
-
-```
-New:
-```
-
-Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
-
-```
---
-SV-230382:
-Old:
-```
-
-Providing users with feedback on when account accesses via SSH last
-occurred facilitates user recognition and reporting of unauthorized account
-use.
-
-```
-New:
-```
-
-Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.
-
-```
---
-SV-230383:
-Old:
-```
-
-Setting the most restrictive default permissions ensures that when new
-accounts are created, they do not have unnecessary access.
-
-```
-New:
-```
-
-Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
-
-```
---
-SV-230384:
-Old:
-```
-
-The umask controls the default access mode assigned to newly created
-files. A umask of 077 limits new files to mode 600 or less permissive. Although
-umask can be represented as a four-digit number, the first digit representing
-special access modes is typically ignored or required to be "0". This
-requirement applies to the globally configured system defaults and the local
-interactive user defaults for each account on the system.
-
-```
-New:
-```
-
-The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. 
- -``` ---- -SV-230385: -Old: -``` - -The umask controls the default access mode assigned to newly created -files. A umask of 077 limits new files to mode 600 or less permissive. Although -umask can be represented as a four-digit number, the first digit representing -special access modes is typically ignored or required to be "0". This -requirement applies to the globally configured system defaults and the local -interactive user defaults for each account on the system. - -``` -New: -``` - -The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. - -``` ---- -SV-230386: -Old: -``` - -Misuse of privileged functions, either intentionally or -unintentionally by authorized users, or by unauthorized external entities that -have compromised information system accounts, is a serious and ongoing concern -and can have significant adverse impacts on organizations. Auditing the use of -privileged functions is one way to detect such misuse and identify the risk -from insider threats and the advanced persistent threat. - -``` -New: -``` - -Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. - -``` ---- -SV-230387: -Old: -``` - -Cron logging can be used to trace the successful or unsuccessful -execution of cron jobs. 
It can also be used to spot intrusions into the use of -the cron facility by unauthorized and malicious users. - -``` -New: -``` - -Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. - -``` ---- -SV-230388: -Old: -``` - -It is critical for the appropriate personnel to be aware if a system -is at risk of failing to process audit logs as required. Without this -notification, the security personnel may be unaware of an impending failure of -the audit capability, and system operation may be adversely affected. - - Audit processing failures include software/hardware errors, failures in the -audit capturing mechanisms, and audit storage capacity being reached or -exceeded. - - This requirement applies to each audit data storage repository (i.e., -distinct information system component where audit records are stored), the -centralized audit storage capacity of organizations (i.e., all audit data -storage repositories combined), or both. - -``` -New: -``` - -It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - -``` ---- -SV-230389: -Old: -``` - -It is critical for the appropriate personnel to be aware if a system -is at risk of failing to process audit logs as required. 
Without this -notification, the security personnel may be unaware of an impending failure of -the audit capability, and system operation may be adversely affected. - - Audit processing failures include software/hardware errors, failures in the -audit capturing mechanisms, and audit storage capacity being reached or -exceeded. - - This requirement applies to each audit data storage repository (i.e., -distinct information system component where audit records are stored), the -centralized audit storage capacity of organizations (i.e., all audit data -storage repositories combined), or both. - -``` -New: -``` - -It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - -``` ---- -SV-230390: -Old: -``` - -It is critical for the appropriate personnel to be aware if a system -is at risk of failing to process audit logs as required. Without this -notification, the security personnel may be unaware of an impending failure of -the audit capability, and system operation may be adversely affected. - - Audit processing failures include software/hardware errors, failures in the -audit capturing mechanisms, and audit storage capacity being reached or -exceeded. 
- - This requirement applies to each audit data storage repository (i.e., -distinct information system component where audit records are stored), the -centralized audit storage capacity of organizations (i.e., all audit data -storage repositories combined), or both. - -``` -New: -``` - -It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - -``` ---- -SV-230392: -Old: -``` - -It is critical that when RHEL 8 is at risk of failing to process audit -logs as required, it takes action to mitigate the failure. Audit processing -failures include software/hardware errors; failures in the audit capturing -mechanisms; and audit storage capacity being reached or exceeded. Responses to -audit failure depend upon the nature of the failure mode. - - When availability is an overriding concern, other approved actions in -response to an audit failure are as follows: - - 1) If the failure was caused by the lack of audit record storage capacity, -RHEL 8 must continue generating audit records if possible (automatically -restarting the audit service if necessary) and overwriting the oldest audit -records in a first-in-first-out manner. 
- - 2) If audit records are sent to a centralized collection server and -communication with this server is lost or the server fails, RHEL 8 must queue -audit records locally until communication is restored or until the audit -records are retrieved manually. Upon restoration of the connection to the -centralized collection server, action should be taken to synchronize the local -audit data with the collection server. - -``` -New: -``` - -It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. - -When availability is an overriding concern, other approved actions in response to an audit failure are as follows: - -1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. - -2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server. - -``` ---- -SV-230393: -Old: -``` - -Without establishing what type of events occurred, the source of -events, where events occurred, and the outcome of events, it would be difficult -to establish, correlate, and investigate the events leading up to an outage or -attack. 
- - Audit record content that may be necessary to satisfy this requirement -includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, -filenames involved, and access control or flow control rules invoked. - -``` -New: -``` - -Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -``` ---- -SV-230394: -Old: -``` - -Without establishing what type of events occurred, the source of -events, where events occurred, and the outcome of events, it would be difficult -to establish, correlate, and investigate the events leading up to an outage or -attack. - - Audit record content that may be necessary to satisfy this requirement -includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, -filenames involved, and access control or flow control rules invoked. - - Enriched logging is needed to determine who, what, and when events occur on -a system. Without this, determining root cause of an event will be much more -difficult. - - When audit logs are not labeled before they are sent to a central log -server, the audit data will not be able to be analyzed and tied back to the -correct system. - -``` -New: -``` - -Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
- -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. - -When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. - -``` ---- -SV-230395: -Old: -``` - -Without establishing what type of events occurred, the source of -events, where events occurred, and the outcome of events, it would be difficult -to establish, correlate, and investigate the events leading up to an outage or -attack. - - Audit record content that may be necessary to satisfy this requirement -includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, -filenames involved, and access control or flow control rules invoked. - - Enriched logging aids in making sense of who, what, and when events occur -on a system. Without this, determining root cause of an event will be much -more difficult. - -``` -New: -``` - -Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Enriched logging aids in making sense of who, what, and when events occur on a system. 
Without this, determining root cause of an event will be much more difficult. - -``` ---- -SV-230396: -Old: -``` - -Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the RHEL 8 system or platform. Additionally, Personally -Identifiable Information (PII) and operational information must not be revealed -through error messages to unauthorized personnel or their designated -representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - -``` -New: -``` - -Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - -``` ---- -SV-230397: -Old: -``` - -Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the RHEL 8 system or platform. Additionally, Personally -Identifiable Information (PII) and operational information must not be revealed -through error messages to unauthorized personnel or their designated -representatives. 
- - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - -``` -New: -``` - -Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - -``` ---- -SV-230398: -Old: -``` - -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 activity. - -``` -New: -``` - -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - -``` ---- -SV-230399: -Old: -``` - -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 activity. 
- -``` -New: -``` - -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - -``` ---- -SV-230400: -Old: -``` - -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 activity. - -``` -New: -``` - -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity. - -``` ---- -SV-230401: -Old: -``` - -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 system activity. - -``` -New: -``` - -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. - -``` ---- -SV-230402: -Old: -``` - -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 system activity. 
- - In immutable mode, unauthorized users cannot execute changes to the audit -system to potentially hide malicious activity and then put the audit rules -back. A system reboot would be noticeable and a system administrator could -then investigate the unauthorized changes. - -``` -New: -``` - -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. - -In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. - -``` ---- -SV-230403: -Old: -``` - -Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit RHEL 8 system activity. - - In immutable mode, unauthorized users cannot execute changes to the audit -system to potentially hide malicious activity and then put the audit rules -back. A system reboot would be noticeable and a system administrator could -then investigate the unauthorized changes. - -``` -New: -``` - -Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. - -In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. 
A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. - -``` ---- -SV-230404: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -``` ---- -SV-230405: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -``` ---- -SV-230406: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. 
- - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -``` ---- -SV-230407: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -``` ---- -SV-230408: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -``` ---- -SV-230409: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -``` ---- -SV-230410: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -``` ---- -SV-230411: -Old: -``` - -Without establishing what type of events occurred, the source of -events, where events occurred, and the outcome of events, it would be difficult -to establish, correlate, and investigate the events leading up to an outage or -attack. 
- - Audit record content that may be necessary to satisfy this requirement -includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, -filenames involved, and access control or flow control rules invoked. - - Associating event types with detected events in RHEL 8 audit logs provides -a means of investigating an attack, recognizing resource utilization or -capacity thresholds, or identifying an improperly configured RHEL 8 system. - -``` -New: -``` - -Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. - -``` ---- -SV-230412: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "su" command allows a -user to run commands with a substitute user and group ID. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". 
The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "su" command allows a user to run commands with a substitute user and group ID. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230413: -Old: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -"Setxattr" is a system call used to set an extended attribute value. -"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. -"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. -"Removexattr" is a system call that removes extended attributes. -"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. -"Lremovexattr" is a system call that removes extended attributes. 
This is used for removal of extended attributes from symbolic links. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -"Setxattr" is a system call used to set an extended attribute value. -"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. -"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. -"Removexattr" is a system call that removes extended attributes. -"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. -"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. - -``` ---- -SV-230418: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "chage" command is -used to change or view user password expiry information. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". 
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230419: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "chcon" command is -used to change file SELinux security context. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chcon" command is used to change file SELinux security context. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
- -``` ---- -SV-230421: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "ssh-agent" is a -program to hold private keys used for public key authentication. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230422: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. 
- - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "passwd" command is -used to change passwords for user accounts. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "passwd" command is used to change passwords for user accounts. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230423: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "mount" command is -used to mount a filesystem. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". 
The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230424: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "umount" command is -used to unmount a filesystem. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "umount" command is used to unmount a filesystem. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230425: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "mount" syscall is -used to mount a filesystem. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". 
The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230426: -Old: -``` - -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -"Unix_update" is a helper program for the "pam_unix" module that updates -the password for a given user. It is not intended to be run directly from the -command line and logs a security violation if done so. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. "Unix_update" is a helper program for the "pam_unix" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
- -``` ---- -SV-230427: -Old: -``` - -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "postdrop" command creates a file in the maildrop directory and copies -its standard input to the file. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postdrop" command creates a file in the maildrop directory and copies its standard input to the file. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230428: -Old: -``` - -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. 
The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "postqueue" command implements the Postfix user interface for queue -management. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postqueue" command implements the Postfix user interface for queue management. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230429: -Old: -``` - -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "semanage" command is used to configure certain elements of SELinux -policy without requiring modification to or recompilation from policy sources. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. 
Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230430: -Old: -``` - -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "setfiles" command is primarily used to initialize the security context -fields (extended attributes) on one or more filesystems (or parts of them). -Usually it is initially run as part of the SELinux installation process (a step -commonly known as labeling). - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". 
The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling). - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230431: -Old: -``` - -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "userhelper" command is not intended to be run interactively. -"Userhelper" provides a basic interface to change a user's password, gecos -information, and shell. The main difference between this program and its -traditional equivalents (passwd, chfn, chsh) is that prompts are written to -standard out to make it easy for a graphical user interface wrapper to -interface to it as a child process. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". 
The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "userhelper" command is not intended to be run interactively. "Userhelper" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230432: -Old: -``` - -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "setsebool" command sets the current state of a particular SELinux -boolean or a list of booleans to a given value. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". 
The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux boolean or a list of booleans to a given value. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230433: -Old: -``` - -Reconstruction of harmful events or forensic analysis is not possible -if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of -privileged commands. The organization must maintain audit trails in sufficient -detail to reconstruct events to determine the cause and impact of compromise. -The "unix_chkpwd" command is a helper program for the pam_unix module that -verifies the password of the current user. It also checks password and account -expiration dates in shadow. It is not intended to be run directly from the -command line and logs a security violation if done so. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. 
- -``` -New: -``` - -Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "unix_chkpwd" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230434: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "ssh-keysign" program -is an SSH helper program for host-based authentication. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. 
- -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230435: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "setfacl" command is -used to set file access control lists. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). 
The "setfacl" command is used to set file access control lists. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230436: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "pam_timestamp_check" -command is used to check if the default timestamp is valid. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "pam_timestamp_check" command is used to check if the default timestamp is valid. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
- -``` ---- -SV-230437: -Old: -``` - -Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). The "newgrp" command is -used to change the current group ID during a login session. - - When a user logs on, the AUID is set to the UID of the account that is -being authenticated. Daemons are not user sessions and have the loginuid set to -"-1". The AUID representation is an unsigned 32-bit integer, which equals -"4294967295". The audit system interprets "-1", "4294967295", and -"unset" in the same way. - -``` -New: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "newgrp" command is used to change the current group ID during a login session. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -``` ---- -SV-230438: -Old: -``` - -Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit.
The performance can be helped, however, by combining syscalls into one rule whenever possible.
-
-```
----
-SV-230439:
-Old:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.
-
-The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.
-The "rmdir" system call removes empty directories.
-The "renameat" system call renames a file, moving it between directories if required.
-The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.
-
-The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.
-The "rmdir" system call removes empty directories.
-The "renameat" system call renames a file, moving it between directories if required.
-The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
-
-```
----
-SV-230444:
-Old:
-```
-
-Without generating audit records that are specific to the security and
-mission needs of the organization, it would be difficult to establish,
-correlate, and investigate the events relating to an incident or identify those
-responsible for one.
-
- Audit records can be generated from various components within the
-information system (e.g., module or policy filter). The "gpasswd" command is
-used to administer /etc/group and /etc/gshadow. Every group can have
-administrators, members and a password.
-
- When a user logs on, the AUID is set to the UID of the account that is
-being authenticated. Daemons are not user sessions and have the loginuid set to
-"-1". The AUID representation is an unsigned 32-bit integer, which equals
-"4294967295". The audit system interprets "-1", "4294967295", and
-"unset" in the same way.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-```
----
-SV-230446:
-Old:
-```
-
-Without generating audit records that are specific to the security and
-mission needs of the organization, it would be difficult to establish,
-correlate, and investigate the events relating to an incident or identify those
-responsible for one.
-
- Audit records can be generated from various components within the
-information system (e.g., module or policy filter). The "delete_module"
-command is used to unload a kernel module.
-
- When a user logs on, the AUID is set to the UID of the account that is
-being authenticated. Daemons are not user sessions and have the loginuid set to
-"-1". The AUID representation is an unsigned 32-bit integer, which equals
-"4294967295". The audit system interprets "-1", "4294967295", and
-"unset" in the same way.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-```
----
-SV-230447:
-Old:
-```
-
-Without generating audit records that are specific to the security and
-mission needs of the organization, it would be difficult to establish,
-correlate, and investigate the events relating to an incident or identify those
-responsible for one.
-
- Audit records can be generated from various components within the
-information system (e.g., module or policy filter). The "crontab" command is
-used to maintain crontab files for individual users. Crontab is the program
-used to install, remove, or list the tables used to drive the cron daemon. This
-is similar to the task scheduler used in other operating systems.
-
- When a user logs on, the AUID is set to the UID of the account that is
-being authenticated. Daemons are not user sessions and have the loginuid set to
-"-1". The AUID representation is an unsigned 32-bit integer, which equals
-"4294967295". The audit system interprets "-1", "4294967295", and
-"unset" in the same way.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "crontab" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-```
----
-SV-230448:
-Old:
-```
-
-Without generating audit records that are specific to the security and
-mission needs of the organization, it would be difficult to establish,
-correlate, and investigate the events relating to an incident or identify those
-responsible for one.
-
- Audit records can be generated from various components within the
-information system (e.g., module or policy filter). The "chsh" command is
-used to change the login shell.
-
- When a user logs on, the AUID is set to the UID of the account that is
-being authenticated. Daemons are not user sessions and have the loginuid set to
-"-1". The AUID representation is an unsigned 32-bit integer, which equals
-"4294967295".
The audit system interprets "-1", "4294967295", and
-"unset" in the same way.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chsh" command is used to change the login shell.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-```
----
-SV-230449:
-Old:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
-
-The "creat" system call is used to open and possibly create a file or device.
-The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
-The "openat" system call opens a file specified by a relative pathname.
-The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
-
-The "creat" system call is used to open and possibly create a file or device.
-The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
-The "openat" system call opens a file specified by a relative pathname.
-The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1".
The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
-
-```
----
-SV-230455:
-Old:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group.
-
-The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor.
-The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor.
-The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit.
The performance can be helped, however, by combining syscalls into one rule whenever possible.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group.
-
-The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor.
-The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor.
-The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
-
-```
----
-SV-230456:
-Old:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter).
The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.
-
-The "fchmod" system call is used to change permissions of a file.
-The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.
-
-The "fchmod" system call is used to change permissions of a file.
-The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated.
Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
-
-```
----
-SV-230462:
-Old:
-```
-
-Without generating audit records that are specific to the security and
-mission needs of the organization, it would be difficult to establish,
-correlate, and investigate the events relating to an incident or identify those
-responsible for one.
-
- Audit records can be generated from various components within the
-information system (e.g., module or policy filter). The "sudo" command allows
-a permitted user to execute a command as the superuser or another user, as
-specified by the security policy.
-
- When a user logs on, the AUID is set to the UID of the account that is
-being authenticated. Daemons are not user sessions and have the loginuid set to
-"-1". The AUID representation is an unsigned 32-bit integer, which equals
-"4294967295". The audit system interprets "-1", "4294967295", and
-"unset" in the same way.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-```
----
-SV-230463:
-Old:
-```
-
-Without generating audit records that are specific to the security and
-mission needs of the organization, it would be difficult to establish,
-correlate, and investigate the events relating to an incident or identify those
-responsible for one.
-
- Audit records can be generated from various components within the
-information system (e.g., module or policy filter). The "usermod" command
-modifies the system account files to reflect the changes that are specified on
-the command line.
-
- When a user logs on, the AUID is set to the UID of the account that is
-being authenticated. Daemons are not user sessions and have the loginuid set to
-"-1". The AUID representation is an unsigned 32-bit integer, which equals
-"4294967295". The audit system interprets "-1", "4294967295", and
-"unset" in the same way.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "usermod" command modifies the system account files to reflect the changes that are specified on the command line.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-```
----
-SV-230464:
-Old:
-```
-
-Without generating audit records that are specific to the security and
-mission needs of the organization, it would be difficult to establish,
-correlate, and investigate the events relating to an incident or identify those
-responsible for one.
-
- Audit records can be generated from various components within the
-information system (e.g., module or policy filter). The "chacl" command is
-used to change the access control list of a file or directory.
-
- When a user logs on, the AUID is set to the UID of the account that is
-being authenticated. Daemons are not user sessions and have the loginuid set to
-"-1". The AUID representation is an unsigned 32-bit integer, which equals
-"4294967295". The audit system interprets "-1", "4294967295", and
-"unset" in the same way.
-
-```
-New:
-```
-
-Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory.
-
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
-
-```
----
-SV-230465:
-Old:
-```
-
-Without the capability to generate audit records, it would be
-difficult to establish, correlate, and investigate the events relating to an
-incident or identify those responsible for one.
-
- Audit records can be generated from various components within the
-information system (e.g., module or policy filter).
The "kmod" command is
-used to control Linux Kernel modules.
-
- The list of audited events is the set of events for which audits are to be
-generated. This set of events is typically a subset of the list of all events
-for which the system is capable of generating audit records.
-
- DoD has defined the list of events for which RHEL 8 will provide an audit
-record generation capability as the following:
-
- 1) Successful and unsuccessful attempts to access, modify, or delete
-privileges, security objects, security levels, or categories of information
-(e.g., classification levels);
-
- 2) Access actions, such as successful and unsuccessful logon attempts,
-privileged activities or other system-level access, starting and ending time
-for user access to the system, concurrent logons from different workstations,
-successful and unsuccessful accesses to objects, all program initiations, and
-all direct access to the information system;
-
- 3) All account creations, modifications, disabling, and terminations; and
-
- 4) All kernel module load, unload, and restart actions.
-
-```
-New:
-```
-
-Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "kmod" command is used to control Linux Kernel modules.
-
-The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
-
-DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:
-
-1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
-
-2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
-
-3) All account creations, modifications, disabling, and terminations; and
-
-4) All kernel module load, unload, and restart actions.
-
-```
----
-SV-230466:
-Old:
-```
-
-Without the capability to generate audit records, it would be
-difficult to establish, correlate, and investigate the events relating to an
-incident or identify those responsible for one.
-
- Audit records can be generated from various components within the
-information system (e.g., module or policy filter).
-
- The list of audited events is the set of events for which audits are to be
-generated. This set of events is typically a subset of the list of all events
-for which the system is capable of generating audit records.
-
- DoD has defined the list of events for which RHEL 8 will provide an audit
-record generation capability as the following:
-
- 1) Successful and unsuccessful attempts to access, modify, or delete
-privileges, security objects, security levels, or categories of information
-(e.g., classification levels);
-
- 2) Access actions, such as successful and unsuccessful logon attempts,
-privileged activities or other system-level access, starting and ending time
-for user access to the system, concurrent logons from different workstations,
-successful and unsuccessful accesses to objects, all program initiations, and
-all direct access to the information system;
-
- 3) All account creations, modifications, disabling, and terminations; and
-
- 4) All kernel module load, unload, and restart actions.
-
- From "Pam_Faillock man" pages: Note the default directory that
-pam_faillock uses is usually cleared on system boot so the access will be
-reenabled after system reboot. If that is undesirable a different tally
-directory must be set with the "dir" option.
-
-```
-New:
-```
-
-Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Audit records can be generated from various components within the information system (e.g., module or policy filter).
-
-The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
-
-DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:
-
-1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
-
-2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
-
-3) All account creations, modifications, disabling, and terminations; and
-
-4) All kernel module load, unload, and restart actions.
-
-From "Pam_Faillock man" pages: Note the default directory that pam_faillock uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option.
-
-```
----
-SV-230467:
-Old:
-```
-
-Without the capability to generate audit records, it would be
-difficult to establish, correlate, and investigate the events relating to an
-incident or identify those responsible for one.
-
- Audit records can be generated from various components within the
-information system (e.g., module or policy filter).
-
- The list of audited events is the set of events for which audits are to be
-generated. This set of events is typically a subset of the list of all events
-for which the system is capable of generating audit records.
- - DoD has defined the list of events for which RHEL 8 will provide an audit -record generation capability as the following: - - 1) Successful and unsuccessful attempts to access, modify, or delete -privileges, security objects, security levels, or categories of information -(e.g., classification levels); - - 2) Access actions, such as successful and unsuccessful logon attempts, -privileged activities or other system-level access, starting and ending time -for user access to the system, concurrent logons from different workstations, -successful and unsuccessful accesses to objects, all program initiations, and -all direct access to the information system; - - 3) All account creations, modifications, disabling, and terminations; and - - 4) All kernel module load, unload, and restart actions. - -``` -New: -``` - -Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
- -DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - -``` ---- -SV-230468: -Old: -``` - -Without the capability to generate audit records, it would be -difficult to establish, correlate, and investigate the events relating to an -incident or identify those responsible for one. - - If auditing is enabled late in the startup process, the actions of some -startup processes may not be audited. Some audit systems also maintain state -information only available if auditing is enabled before a given process is -created. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - The list of audited events is the set of events for which audits are to be -generated. This set of events is typically a subset of the list of all events -for which the system is capable of generating audit records. 
- - DoD has defined the list of events for which RHEL 8 will provide an audit -record generation capability as the following: - - 1) Successful and unsuccessful attempts to access, modify, or delete -privileges, security objects, security levels, or categories of information -(e.g., classification levels); - - 2) Access actions, such as successful and unsuccessful logon attempts, -privileged activities or other system-level access, starting and ending time -for user access to the system, concurrent logons from different workstations, -successful and unsuccessful accesses to objects, all program initiations, and -all direct access to the information system; - - 3) All account creations, modifications, disabling, and terminations; and - - 4) All kernel module load, unload, and restart actions. - -``` -New: -``` - -Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
- -DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - -``` ---- -SV-230469: -Old: -``` - -Without the capability to generate audit records, it would be -difficult to establish, correlate, and investigate the events relating to an -incident or identify those responsible for one. - - If auditing is enabled late in the startup process, the actions of some -startup processes may not be audited. Some audit systems also maintain state -information only available if auditing is enabled before a given process is -created. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - Allocating an audit_backlog_limit of sufficient size is critical in -maintaining a stable boot process. With an insufficient limit allocated, the -system is susceptible to boot failures and crashes. - -``` -New: -``` - -Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. 
Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. - -``` ---- -SV-230470: -Old: -``` - -Without the capability to generate audit records, it would be -difficult to establish, correlate, and investigate the events relating to an -incident or identify those responsible for one. - - If auditing is enabled late in the startup process, the actions of some -startup processes may not be audited. Some audit systems also maintain state -information only available if auditing is enabled before a given process is -created. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - The list of audited events is the set of events for which audits are to be -generated. This set of events is typically a subset of the list of all events -for which the system is capable of generating audit records. 
- - DoD has defined the list of events for which RHEL 8 will provide an audit -record generation capability as the following: - - 1) Successful and unsuccessful attempts to access, modify, or delete -privileges, security objects, security levels, or categories of information -(e.g., classification levels); - - 2) Access actions, such as successful and unsuccessful logon attempts, -privileged activities or other system-level access, starting and ending time -for user access to the system, concurrent logons from different workstations, -successful and unsuccessful accesses to objects, all program initiations, and -all direct access to the information system; - - 3) All account creations, modifications, disabling, and terminations; and - - 4) All kernel module load, unload, and restart actions. - -``` -New: -``` - -Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
- -DoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - -``` ---- -SV-230471: -Old: -``` - -Without the capability to restrict the roles and individuals that can -select which events are audited, unauthorized personnel may be able to prevent -the auditing of critical events. Misconfigured audits may degrade the system's -performance by overwhelming the audit log. Misconfigured audits may also make -it more difficult to establish, correlate, and investigate the events relating -to an incident or identify those responsible for one. - -``` -New: -``` - -Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -``` ---- -SV-230472: -Old: -``` - -Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. 
- - RHEL 8 systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools, -and the corresponding rights the user enjoys, to make access decisions -regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - -``` -New: -``` - -Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - -``` ---- -SV-230473: -Old: -``` - -Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. - - RHEL 8 systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools, -and the corresponding rights the user enjoys, to make access decisions -regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. 
Audit tools include custom queries and report -generators. - -``` -New: -``` - -Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - -``` ---- -SV-230474: -Old: -``` - -Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. - - RHEL 8 systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools, -and the corresponding rights the user enjoys, to make access decisions -regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - -``` -New: -``` - -Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
- -RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - -``` ---- -SV-230475: -Old: -``` - -Protecting the integrity of the tools used for auditing purposes is a -critical step toward ensuring the integrity of audit information. Audit -information includes all information (e.g., audit records, audit settings, and -audit reports) needed to successfully audit information system activity. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - - It is not uncommon for attackers to replace the audit tools or inject code -into the existing tools with the purpose of providing the capability to hide or -erase system activity from the audit logs. - - To address this risk, audit tools must be cryptographically signed to -provide the capability to identify when the audit tools have been modified, -manipulated, or replaced. An example is a checksum hash of the file or files. - -``` -New: -``` - -Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. 
- -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - -It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. - -To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. - -``` ---- -SV-230476: -Old: -``` - -To ensure RHEL 8 systems have a sufficient storage capacity in which -to write the audit logs, RHEL 8 needs to be able to allocate audit record -storage capacity. - - The task of allocating audit record storage capacity is usually performed -during initial installation of RHEL 8. - -``` -New: -``` - -To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. - -The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8. - -``` ---- -SV-230477: -Old: -``` - -Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Off-loading is a common process in information systems with limited audit -storage capacity. - - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system -utility providing support for message logging. Support for both internet and -UNIX domain sockets enables this utility to support both local and remote -logging. Couple this utility with "gnutls" (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to -securely encrypt and off-load auditing. 
- - Rsyslog provides three ways to forward message: the traditional UDP -transport, which is extremely lossy but standard; the plain TCP based -transport, which loses messages only during certain situations but is widely -available; and the RELP transport, which does not lose messages but is -currently available only as part of the rsyslogd 3.15.0 and above. - Examples of each configuration: - UDP *.* @remotesystemname - TCP *.* @@remotesystemname - RELP *.* :omrelp:remotesystemname:2514 - Note that a port number was given as there is no standard port for RELP. - -``` -New: -``` - -Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - -Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. -Examples of each configuration: -UDP *.* @remotesystemname -TCP *.* @@remotesystemname -RELP *.* :omrelp:remotesystemname:2514 -Note that a port number was given as there is no standard port for RELP. - -``` ---- -SV-230478: -Old: -``` - -Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. 
- - Off-loading is a common process in information systems with limited audit -storage capacity. - - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system -utility providing support for message logging. Support for both internet and -UNIX domain sockets enables this utility to support both local and remote -logging. Couple this utility with "rsyslog-gnutls" (which is a secure -communications library implementing the SSL, TLS and DTLS protocols), and you -have a method to securely encrypt and off-load auditing. - - Rsyslog provides three ways to forward message: the traditional UDP -transport, which is extremely lossy but standard; the plain TCP based -transport, which loses messages only during certain situations but is widely -available; and the RELP transport, which does not lose messages but is -currently available only as part of the rsyslogd 3.15.0 and above. - Examples of each configuration: - UDP *.* @remotesystemname - TCP *.* @@remotesystemname - RELP *.* :omrelp:remotesystemname:2514 - Note that a port number was given as there is no standard port for RELP. - -``` -New: -``` - -Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "rsyslog-gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. 
- -Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. -Examples of each configuration: -UDP *.* @remotesystemname -TCP *.* @@remotesystemname -RELP *.* :omrelp:remotesystemname:2514 -Note that a port number was given as there is no standard port for RELP. - -``` ---- -SV-230479: -Old: -``` - -Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Off-loading is a common process in information systems with limited audit -storage capacity. - - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system -utility providing support for message logging. Support for both internet and -UNIX domain sockets enables this utility to support both local and remote -logging. Couple this utility with "gnutls" (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to -securely encrypt and off-load auditing. - - Rsyslog provides three ways to forward message: the traditional UDP -transport, which is extremely lossy but standard; the plain TCP based -transport, which loses messages only during certain situations but is widely -available; and the RELP transport, which does not lose messages but is -currently available only as part of the rsyslogd 3.15.0 and above. - Examples of each configuration: - UDP *.* @remotesystemname - TCP *.* @@remotesystemname - RELP *.* :omrelp:remotesystemname:2514 - Note that a port number was given as there is no standard port for RELP. - -``` -New: -``` - -Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
- -Off-loading is a common process in information systems with limited audit storage capacity. - -RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - -Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. -Examples of each configuration: -UDP *.* @remotesystemname -TCP *.* @@remotesystemname -RELP *.* :omrelp:remotesystemname:2514 -Note that a port number was given as there is no standard port for RELP. - -``` ---- -SV-230480: -Old: -``` - -Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Off-loading is a common process in information systems with limited audit -storage capacity. - - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system -utility providing support for message logging. Support for both internet and -UNIX domain sockets enables this utility to support both local and remote -logging. Couple this utility with "gnutls" (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to -securely encrypt and off-load auditing. - -``` -New: -``` - -Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. 
- -RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - -``` ---- -SV-230481: -Old: -``` - -Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Off-loading is a common process in information systems with limited audit -storage capacity. - - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system -utility providing support for message logging. Support for both internet and -UNIX domain sockets enables this utility to support both local and remote -logging. Couple this utility with "gnutls" (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to -securely encrypt and off-load auditing. - -``` -New: -``` - -Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - -``` ---- -SV-230482: -Old: -``` - -Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Off-loading is a common process in information systems with limited audit -storage capacity. 
- - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system -utility providing support for message logging. Support for both internet and -UNIX domain sockets enables this utility to support both local and remote -logging. Couple this utility with "gnutls" (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to -securely encrypt and off-load auditing. - - "Rsyslog" supported authentication modes include: - anon - anonymous authentication - x509/fingerprint - certificate fingerprint authentication - x509/certvalid - certificate validation only - x509/name - certificate validation and subject name authentication. - -``` -New: -``` - -Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Off-loading is a common process in information systems with limited audit storage capacity. - -RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. - -"Rsyslog" supported authentication modes include: -anon - anonymous authentication -x509/fingerprint - certificate fingerprint authentication -x509/certvalid - certificate validation only -x509/name - certificate validation and subject name authentication. - -``` ---- -SV-230483: -Old: -``` - -If security personnel are not notified immediately when storage volume - reaches 75 percent utilization, they are unable to plan for audit record - storage capacity expansion. - -``` -New: -``` - -If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. 
- -``` ---- -SV-230484: -Old: -``` - -Inaccurate time stamps make it more difficult to correlate events and -can lead to an inaccurate analysis. Determining the correct time a particular -event occurred on a system is critical when conducting forensic analysis and -investigating system events. Sources outside the configured acceptable -allowance (drift) may be inaccurate. - - Synchronizing internal information system clocks provides uniformity of -time stamps for information systems with multiple system clocks and systems -connected over a network. - - Organizations should consider endpoints that may not have regular access to -the authoritative time server (e.g., mobile, teleworking, and tactical -endpoints). - - If time stamps are not consistently applied and there is no common time -reference, it is difficult to perform forensic analysis. - - Time stamps generated by the operating system include date and time. Time -is commonly expressed in Coordinated Universal Time (UTC), a modern -continuation of Greenwich Mean Time (GMT), or local time with an offset from -UTC. - - RHEL 8 utilizes the "timedatectl" command to view the status of the -"systemd-timesyncd.service". The "timedatectl" status will display the -local time, UTC, and the offset from UTC. - - Note that USNO offers authenticated NTP service to DoD and U.S. Government -agencies operating on the NIPR and SIPR networks. Visit - for more information. - -``` -New: -``` - -Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. - -Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. 
- -Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). - -If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. - -Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. - -RHEL 8 utilizes the "timedatectl" command to view the status of the "systemd-timesyncd.service". The "timedatectl" status will display the local time, UTC, and the offset from UTC. - -Note that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit for more information. - -``` ---- -SV-230487: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services, provided by default, may not be -necessary to support essential organizational operations (e.g., key missions, -functions). - - Examples of non-essential capabilities include, but are not limited to, -games, software packages, tools, and demonstration software not related to -requirements or providing a wide array of functionality not required for every -mission, but which cannot be disabled. - - Verify the operating system is configured to disable non-essential -capabilities. The most secure way of ensuring a non-essential capability is -disabled is to not have the capability installed. 
- - The telnet service provides an unencrypted remote access service that does -not provide for the confidentiality and integrity of user passwords or the -remote session. - - If a privileged user were to log on using this service, the privileged user -password could be compromised. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - -Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. - -The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session. - -If a privileged user were to log on using this service, the privileged user password could be compromised. - -``` ---- -SV-230488: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. 
- - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services, provided by default, may not be -necessary to support essential organizational operations (e.g., key missions, -functions). - - Examples of non-essential capabilities include, but are not limited to, -games, software packages, tools, and demonstration software not related to -requirements or providing a wide array of functionality not required for every -mission, but which cannot be disabled. - - Verify the operating system is configured to disable non-essential -capabilities. The most secure way of ensuring a non-essential capability is -disabled is to not have the capability installed. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - -Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. - -``` ---- -SV-230489: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. 
These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services, provided by default, may not be -necessary to support essential organizational operations (e.g., key missions, -functions). - - Examples of non-essential capabilities include, but are not limited to, -games, software packages, tools, and demonstration software not related to -requirements or providing a wide array of functionality not required for every -mission, but which cannot be disabled. - - Verify the operating system is configured to disable non-essential -capabilities. The most secure way of ensuring a non-essential capability is -disabled is to not have the capability installed. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - -Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. 
- -``` ---- -SV-230491: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services, provided by default, may not be -necessary to support essential organizational operations (e.g., key missions, -functions). - - Examples of non-essential capabilities include, but are not limited to, -games, software packages, tools, and demonstration software not related to -requirements or providing a wide array of functionality not required for every -mission, but which cannot be disabled. - - Verify the operating system is configured to disable non-essential -capabilities. The most secure way of ensuring a non-essential capability is -disabled is to not have the capability installed. - - Kernel page-table isolation is a kernel feature that mitigates the Meltdown -security vulnerability and hardens the kernel against attempts to bypass kernel -address space layout randomization (KASLR). - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
- -Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - -Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. - -Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). - -``` ---- -SV-230492: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services, provided by default, may not be -necessary to support essential organizational operations (e.g., key missions, -functions). - - The rsh-server service provides an unencrypted remote access service that -does not provide for the confidentiality and integrity of user passwords or the -remote session and has very weak authentication. - - If a privileged user were to log on using this service, the privileged user -password could be compromised. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
- -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. - -If a privileged user were to log on using this service, the privileged user password could be compromised. - -``` ---- -SV-230493: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Failing to disconnect from collaborative computing devices (i.e., cameras) -can result in subsequent compromises of organizational information. Providing -easy methods to physically disconnect from such devices after a collaborative -computing session helps to ensure participants actually carry out the -disconnect activity without having to go through complex and tedious procedures. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. 
Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures. - -``` ---- -SV-230494: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Failing to disconnect unused protocols can result in a system compromise. - - The Asynchronous Transfer Mode (ATM) is a protocol operating on network, -data link, and physical layers, based on virtual circuits and virtual paths. -Disabling ATM protects the system against exploitation of any laws in its -implementation. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Failing to disconnect unused protocols can result in a system compromise. - -The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation. - -``` ---- -SV-230495: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. 
- - Failing to disconnect unused protocols can result in a system compromise. - - The Controller Area Network (CAN) is a serial communications protocol, -which was initially developed for automotive and is now also used in marine, -industrial, and medical applications. Disabling CAN protects the system against -exploitation of any flaws in its implementation. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Failing to disconnect unused protocols can result in a system compromise. - -The Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation. - -``` ---- -SV-230496: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Failing to disconnect unused protocols can result in a system compromise. - - The Stream Control Transmission Protocol (SCTP) is a transport layer -protocol, designed to support the idea of message-oriented communication, with -several streams of messages within one connection. Disabling SCTP protects the -system against exploitation of any flaws in its implementation. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Failing to disconnect unused protocols can result in a system compromise. - -The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation. - -``` ---- -SV-230497: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Failing to disconnect unused protocols can result in a system compromise. - - The Transparent Inter-Process Communication (TIPC) protocol is designed to -provide communications between nodes in a cluster. Disabling TIPC protects the -system against exploitation of any flaws in its implementation. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Failing to disconnect unused protocols can result in a system compromise. - -The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation. 
- -``` ---- -SV-230498: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Removing support for unneeded filesystem types reduces the local attack -surface of the server. - - Compressed ROM/RAM file system (or cramfs) is a read-only file system -designed for simplicity and space-efficiency. It is mainly used in embedded -and small-footprint systems. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Removing support for unneeded filesystem types reduces the local attack surface of the server. - -Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems. - -``` ---- -SV-230499: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time -communication. Disabling FireWire protects the system against exploitation of -any flaws in its implementation. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation. - -``` ---- -SV-230500: -Old: -``` - -To prevent unauthorized connection of devices, unauthorized transfer -of information, or unauthorized tunneling (i.e., embedding of data types within -data types), organizations must disable or restrict unused or unnecessary -physical and logical ports/protocols on information systems. - - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services provided by default may not be -necessary to support essential organizational operations. Additionally, it is -sometimes convenient to provide multiple services from a single component -(e.g., VPN and IPS); however, doing so increases risk over limiting the -services provided by any one component. - - To support the requirements and principles of least functionality, the -operating system must support the organizational requirements, providing only -essential capabilities and limiting the use of ports, protocols, and/or -services to only those required, authorized, and approved to conduct official -business or to address authorized quality-of-life issues. - -``` -New: -``` - -To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. 
Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. - -To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues. - -``` ---- -SV-230502: -Old: -``` - -Automatically mounting file systems permits easy introduction of -unknown devices, thereby facilitating malicious activity. - -``` -New: -``` - -Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. - -``` ---- -SV-230503: -Old: -``` - -USB mass storage permits easy introduction of unknown devices, thereby -facilitating malicious activity. - -``` -New: -``` - -USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. - -``` ---- -SV-230504: -Old: -``` - -Failure to restrict network connectivity only to authorized systems -permits inbound connections from malicious systems. It also permits outbound -connections that may facilitate exfiltration of DoD data. - - RHEL 8 incorporates the "firewalld" daemon, which allows for many -different configurations. One of these configurations is zones. Zones can be -utilized to a deny-all, allow-by-exception approach. The default "drop" zone -will drop all incoming network packets unless it is explicitly allowed by the -configuration file or is related to an outgoing network connection. - -``` -New: -``` - -Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. 
- -RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. - -``` ---- -SV-230505: -Old: -``` - -"Firewalld" provides an easy and effective way to block/limit remote -access to the system via ports, services, and protocols. - - Remote access services, such as those providing remote access to network -devices and information systems, which lack automated control capabilities, -increase risk and make remote user access management difficult at best. - - Remote access is access to DoD nonpublic information systems by an -authorized user (or an information system) communicating through an external, -non-organization-controlled network. Remote access methods include, for -example, dial-up, broadband, and wireless. - - RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement -action if the audit reveals unauthorized activity. Automated control of remote -access sessions allows organizations to ensure ongoing compliance with remote -access policies by enforcing connection rules of remote access applications on -a variety of information system components (e.g., servers, workstations, -notebook computers, smartphones, and tablets). - -``` -New: -``` - -"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. - -Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. 
- -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). - -``` ---- -SV-230506: -Old: -``` - -Without protection of communications with wireless peripherals, -confidentiality and integrity may be compromised because unprotected -communications can be intercepted and either read, altered, or used to -compromise the RHEL 8 operating system. - - This requirement applies to wireless peripheral technologies (e.g., -wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless -peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and -Near Field Communications [NFC]) present a unique challenge by creating an -open, unsecured port on a computer. Wireless peripherals must meet DoD -requirements for wireless data transmission and be approved for use by the -Authorizing Official (AO). Even though some wireless peripherals, such as mice -and pointing devices, do not ordinarily carry information that need to be -protected, modification of communications with these wireless peripherals may -be used to compromise the RHEL 8 operating system. Communication paths outside -the physical protection of a controlled boundary are exposed to the possibility -of interception and modification. 
- - Protecting the confidentiality and integrity of communications with -wireless peripherals can be accomplished by physical means (e.g., employing -physical barriers to wireless radio frequencies) or by logical means (e.g., -employing cryptographic techniques). If physical means of protection are -employed, then logical means (cryptography) do not have to be employed, and -vice versa. If the wireless peripheral is only passing telemetry data, -encryption of the data may not be required. - -``` -New: -``` - -Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. - -This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. - -``` ---- -SV-230507: -Old: -``` - -Without protection of communications with wireless peripherals, -confidentiality and integrity may be compromised because unprotected -communications can be intercepted and either read, altered, or used to -compromise the RHEL 8 operating system. - - This requirement applies to wireless peripheral technologies (e.g., -wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless -peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and -Near Field Communications [NFC]) present a unique challenge by creating an -open, unsecured port on a computer. Wireless peripherals must meet DoD -requirements for wireless data transmission and be approved for use by the -Authorizing Official (AO). Even though some wireless peripherals, such as mice -and pointing devices, do not ordinarily carry information that need to be -protected, modification of communications with these wireless peripherals may -be used to compromise the RHEL 8 operating system. Communication paths outside -the physical protection of a controlled boundary are exposed to the possibility -of interception and modification. - - Protecting the confidentiality and integrity of communications with -wireless peripherals can be accomplished by physical means (e.g., employing -physical barriers to wireless radio frequencies) or by logical means (e.g., -employing cryptographic techniques). If physical means of protection are -employed, then logical means (cryptography) do not have to be employed, and -vice versa. If the wireless peripheral is only passing telemetry data, -encryption of the data may not be required. 
- -``` -New: -``` - -Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. - -This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. - -``` ---- -SV-230508: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. 
- - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. 
This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230509: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. 
This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230510: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. 
This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230511: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. 
Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230512: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230513: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. 
-Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230514: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. 
Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230515: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230516: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. 
-Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230517: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. 
Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230518: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230519: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. 
-Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230520: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. 
Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230521: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. -Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230522: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. -This option must be used for mounting any file system not containing approved -binary files, as they may be incompatible. Executing files from untrusted file -systems increases the opportunity for unprivileged users to attain unauthorized -administrative access. - - The "nodev" mount option causes the system to not interpret character or -block special devices. Executing character or block special devices from -untrusted file systems increases the opportunity for unprivileged users to -attain unauthorized administrative access. - - The "nosuid" mount option causes the system to not execute "setuid" and -"setgid" files with owner privileges. This option must be used for mounting -any file system not containing approved "setuid" and "setguid" files. 
-Executing files from untrusted file systems increases the opportunity for -unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-230523: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - Utilizing a whitelist provides a configuration management method for -allowing the execution of only authorized software. Using only authorized -software decreases risk by limiting the number of potential vulnerabilities. 
-Verification of whitelisted software occurs prior to execution or at system -startup. - - User home directories/folders may contain information of a sensitive -nature. Non-privileged users should coordinate any sharing of information with -an SA through shared resources. - - RHEL 8 ships with many optional packages. One such package is a file access -policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that -determines access rights to files based on attributes of the process and file. -It can be used to either blacklist or whitelist processes or file access. - - Proceed with caution with enforcing the use of this daemon. Improper -configuration may render the system non-functional. The "fapolicyd" API is -not namespace aware and can cause issues when launching or running containers. - -``` -New: -``` - -The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - -Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. - -User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. - -RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. - -Proceed with caution with enforcing the use of this daemon. 
Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. - -``` ---- -SV-230524: -Old: -``` - -Without authenticating devices, unidentified or unknown devices may be -introduced, thereby facilitating malicious activity. - - Peripherals include, but are not limited to, such devices as flash drives, -external storage, and printers. - - A new feature that RHEL 8 provides is the USBGuard software framework. The -USBguard-daemon is the main component of the USBGuard software framework. It -runs as a service in the background and enforces the USB device authorization -policy for all USB devices. The policy is defined by a set of rules using a -rule language described in the usbguard-rules.conf file. The policy and the -authorization state of USB devices can be modified during runtime using the -usbguard tool. - - The System Administrator (SA) must work with the site Information System -Security Officer (ISSO) to determine a list of authorized peripherals and -establish rules within the USBGuard software framework to allow only authorized -devices. - -``` -New: -``` - -Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. - -Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. - -A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
- -The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices. - -``` ---- -SV-230525: -Old: -``` - -DoS is a condition when a resource is not available for legitimate -users. When this occurs, the organization either cannot accomplish its mission -or must operate at degraded capacity. - - This requirement addresses the configuration of RHEL 8 to mitigate the -impact of DoS attacks that have occurred or are ongoing on system availability. -For each system, known and potential DoS attacks must be identified and -solutions for each type implemented. A variety of technologies exists to limit -or, in some cases, eliminate the effects of DoS attacks (e.g., limiting -processes or establishing memory partitions). Employing increased capacity and -bandwidth, combined with service redundancy, may reduce the susceptibility to -some DoS attacks. - - Since version 0.6.0, "firewalld" has incorporated "nftables" as its -backend support. Utilizing the limit statement in "nftables" can help to -mitigate DoS attacks. - -``` -New: -``` - -DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. - -This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. 
- -Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks. - -``` ---- -SV-230526: -Old: -``` - -Without protection of the transmitted information, confidentiality and -integrity may be compromised because unprotected communications can be -intercepted and either read or altered. - - This requirement applies to both internal and external networks and all -types of information system components from which information can be -transmitted (e.g., servers, mobile devices, notebook computers, printers, -copiers, scanners, and facsimile machines). Communication paths outside the -physical protection of a controlled boundary are exposed to the possibility of -interception and modification. - - Protecting the confidentiality and integrity of organizational information -can be accomplished by physical means (e.g., employing physical distribution -systems) or by logical means (e.g., employing cryptographic techniques). If -physical means of protection are employed, then logical means (cryptography) do -not have to be employed, and vice versa. - -``` -New: -``` - -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - -``` ---- -SV-230527: -Old: -``` - -Without protection of the transmitted information, confidentiality and -integrity may be compromised because unprotected communications can be -intercepted and either read or altered. - - This requirement applies to both internal and external networks and all -types of information system components from which information can be -transmitted (e.g., servers, mobile devices, notebook computers, printers, -copiers, scanners, and facsimile machines). Communication paths outside the -physical protection of a controlled boundary are exposed to the possibility of -interception and modification. - - Protecting the confidentiality and integrity of organizational information -can be accomplished by physical means (e.g., employing physical distribution -systems) or by logical means (e.g., employing cryptographic techniques). If -physical means of protection are employed, then logical means (cryptography) do -not have to be employed, and vice versa. - - Session key regeneration limits the chances of a session key becoming -compromised. - -``` -New: -``` - -Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
- -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - -Session key regeneration limits the chances of a session key becoming compromised. - -``` ---- -SV-230529: -Old: -``` - -A locally logged-on user, who presses Ctrl-Alt-Delete when at the -console, can reboot the system. If accidentally pressed, as could happen in the -case of a mixed OS environment, this can create the risk of short-term loss of -availability of systems due to unintentional reboot. In a graphical user -environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is -reduced because the user will be prompted before any action is taken. - -``` -New: -``` - -A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. - -``` ---- -SV-230530: -Old: -``` - -A locally logged-on user, who presses Ctrl-Alt-Delete, when at the -console, can reboot the system. If accidentally pressed, as could happen in the -case of a mixed OS environment, this can create the risk of short-term loss of -availability of systems due to unintentional reboot. In a graphical user -environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is -reduced because the user will be prompted before any action is taken. 
- -``` -New: -``` - -A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. - -``` ---- -SV-230531: -Old: -``` - -A locally logged-on user who presses Ctrl-Alt-Delete when at the -console can reboot the system. If accidentally pressed, as could happen in the -case of a mixed OS environment, this can create the risk of short-term loss of -availability of systems due to unintentional reboot. In a graphical user -environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is -reduced because the user will be prompted before any action is taken. - -``` -New: -``` - -A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. - -``` ---- -SV-230532: -Old: -``` - -The debug-shell requires no authentication and provides root -privileges to anyone who has physical access to the machine. While this -feature is disabled by default, masking it adds an additional layer of -assurance that it will not be enabled via a dependency in systemd. This also -prevents attackers with physical access from trivially bypassing security on -the machine through valid troubleshooting configurations and gaining root -access when the system is rebooted. 
- -``` -New: -``` - -The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. - -``` ---- -SV-230533: -Old: -``` - -If TFTP is required for operational support (such as the transmission -of router configurations) its use must be documented with the Information -System Security Officer (ISSO), restricted to only authorized personnel, and -have access control rules established. - -``` -New: -``` - -If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established. - -``` ---- -SV-230534: -Old: -``` - -If an account other than root also has a User Identifier (UID) of -"0", it has root authority, giving that account unrestricted access to the -entire operating system. Multiple accounts with a UID of "0" afford an -opportunity for potential intruders to guess a password for a privileged -account. - -``` -New: -``` - -If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account. - -``` ---- -SV-230550: -Old: -``` - -If unrestricted mail relaying is permitted, unauthorized senders could -use this host as a mail relay for the purpose of sending spam or other -unauthorized activity. 
- -``` -New: -``` - -If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. - -``` ---- -SV-230551: -Old: -``` - -Extended attributes in file systems are used to contain arbitrary data -and file metadata with security implications. - - RHEL 8 installation media come with a file integrity tool, Advanced -Intrusion Detection Environment (AIDE). - -``` -New: -``` - -Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. - -RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). - -``` ---- -SV-230552: -Old: -``` - -ACLs can provide permissions beyond those permitted through the file -mode and must be verified by file integrity tools. - - RHEL 8 installation media come with a file integrity tool, Advanced -Intrusion Detection Environment (AIDE). - -``` -New: -``` - -ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. - -RHEL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE). - -``` ---- -SV-230553: -Old: -``` - -Internet services that are not required for system or application -processes must not be active to decrease the attack surface of the system. -Graphical display managers have a long history of security vulnerabilities and -must not be used, unless approved and documented. - -``` -New: -``` - -Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. - -``` ---- -SV-230554: -Old: -``` - -Network interfaces in promiscuous mode allow for the capture of all -network traffic visible to the system. 
If unauthorized individuals can access -these applications, it may allow them to collect information such as logon IDs, -passwords, and key exchanges between systems. - - If the system is being used to perform a network troubleshooting function, -the use of these tools must be documented with the Information System Security -Officer (ISSO) and restricted to only authorized personnel. - -``` -New: -``` - -Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. - -If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel. - -``` ---- -SV-230555: -Old: -``` - -The security risk of using X11 forwarding is that the client's X11 -display server may be exposed to attack when the SSH client requests -forwarding. A system administrator may have a stance in which they want to -protect clients that may expose themselves to attack by unwittingly requesting -X11 forwarding, which can warrant a "no" setting. - - X11 forwarding should be enabled with caution. Users with the ability to -bypass file permissions on the remote host (for the user's X11 authorization -database) can access the local X11 display through the forwarded connection. An -attacker may then be able to perform activities such as keystroke monitoring if -the ForwardX11Trusted option is also enabled. - - If X11 services are not required for the system's intended function, they -should be disabled or restricted as appropriate to the system’s needs. - -``` -New: -``` - -The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. 
A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting. - -X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. - -If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs. - -``` ---- -SV-230556: -Old: -``` - -When X11 forwarding is enabled, there may be additional exposure to -the server and client displays if the sshd proxy display is configured to -listen on the wildcard address. By default, sshd binds the forwarding server -to the loopback address and sets the hostname part of the DIPSLAY environment -variable to localhost. This prevents remote hosts from connecting to the proxy -display. - -``` -New: -``` - -When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. - -``` ---- -SV-230557: -Old: -``` - -Restricting TFTP to a specific directory prevents remote users from -copying, transferring, or overwriting system files. - -``` -New: -``` - -Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. 
- -``` ---- -SV-230558: -Old: -``` - -The FTP service provides an unencrypted remote access that does not -provide for the confidentiality and integrity of user passwords or the remote -session. If a privileged user were to log on using this service, the privileged -user password could be compromised. SSH or other encrypted file transfer -methods must be used in place of this service. - -``` -New: -``` - -The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. - -``` ---- -SV-230559: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services, provided by default, may not be -necessary to support essential organizational operations (e.g., key missions, -functions). - - The gssproxy package is a proxy for GSS API credential handling and could -expose secrets on some networks. It is not needed for normal function of the OS. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS. - -``` ---- -SV-230560: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services, provided by default, may not be -necessary to support essential organizational operations (e.g., key missions, -functions). - - The iprutils package provides a suite of utilities to manage and configure -SCSI devices supported by the ipr SCSI storage device driver. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. - -``` ---- -SV-230561: -Old: -``` - -It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. 
These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services, provided by default, may not be -necessary to support essential organizational operations (e.g., key missions, -functions). - - The tuned package contains a daemon that tunes the system settings -dynamically. It does so by monitoring the usage of several system components -periodically. Based on that information, components will then be put into lower -or higher power savings modes to adapt to the current usage. The tuned package -is not needed for normal OS operations. - -``` -New: -``` - -It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations. - -``` ---- -SV-237640: -Old: -``` - -Unapproved mechanisms that are used for authentication to the -cryptographic module are not verified and therefore cannot be relied upon to -provide confidentiality or integrity, and DoD data may be compromised. 
- - RHEL 8 systems utilizing encryption are required to use FIPS-compliant -mechanisms for authenticating to cryptographic modules. - - Currently, Kerberos does not utilize FIPS 140-2 cryptography. - - FIPS 140-2 is the current standard for validating that mechanisms used to -access cryptographic modules utilize authentication that meets DoD -requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a -general-purpose computing system. - -``` -New: -``` - -Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. - -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -Currently, Kerberos does not utilize FIPS 140-2 cryptography. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. - -``` ---- -SV-237641: -Old: -``` - -The sudo command allows a user to execute programs with elevated -(administrator) privileges. It prompts the user for their password and confirms -your request to execute a command by checking a file, called sudoers. If the -"sudoers" file is not configured correctly, any user defined on the system -can initiate privileged actions on the target system. - -``` -New: -``` - -The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. 
- -``` ---- -SV-237642: -Old: -``` - -The sudoers security policy requires that users authenticate -themselves before they can use sudo. When sudoers requires authentication, it -validates the invoking user's credentials. If the rootpw, targetpw, or runaspw -flags are defined and not disabled, by default the operating system will prompt -the invoking user for the "root" user password. - For more information on each of the listed configurations, reference the -sudoers(5) manual page. - -``` -New: -``` - -The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. -For more information on each of the listed configurations, reference the sudoers(5) manual page. - -``` ---- -SV-237643: -Old: -``` - -Without re-authentication, users may access resources or perform tasks -for which they do not have authorization. - - When operating systems provide the capability to escalate a functional -capability, it is critical the organization requires the user to -re-authenticate when using the "sudo" command. - - If the value is set to an integer less than 0, the user's time stamp will -not expire and the user will not have to re-authenticate for privileged actions -until the user's session is terminated. - -``` -New: -``` - -Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. 
- -If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. - -``` ---- -SV-244519: -Old: -``` - -Display of a standardized and approved use notification before -granting access to the operating system ensures privacy and security -notification verbiage used is consistent with applicable federal laws, -Executive Orders, directives, policies, regulations, standards, and guidance. - - System use notifications are required only for access via logon interfaces -with human users and are not required when such human interfaces do not exist. - -``` -New: -``` - -Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. - -``` ---- -SV-244523: -Old: -``` - -If the system does not require valid root authentication before it -boots into emergency or rescue mode, anyone who invokes emergency or rescue -mode is granted privileged access to all files on the system. - -``` -New: -``` - -If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system. - -``` ---- -SV-244524: -Old: -``` - -Unapproved mechanisms that are used for authentication to the -cryptographic module are not verified and therefore cannot be relied upon to -provide confidentiality or integrity, and DoD data may be compromised. - - RHEL 8 systems utilizing encryption are required to use FIPS-compliant -mechanisms for authenticating to cryptographic modules. 
- - FIPS 140-2 is the current standard for validating that mechanisms used to -access cryptographic modules utilize authentication that meets DoD -requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a -general-purpose computing system. - -``` -New: -``` - -Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. - -RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. - -``` ---- -SV-244525: -Old: -``` - -Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - -RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. 
Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - -``` -New: -``` - -Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. - -RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. 
The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. - -``` ---- -SV-244526: -Old: -``` - -Without cryptographic integrity protections, information can be -altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DoD nonpublic information systems by -an authorized user (or an information system) communicating through an -external, non-organization-controlled network. Remote access methods include, -for example, dial-up, broadband, and wireless. - - Cryptographic mechanisms used for protecting the integrity of information -include, for example, signed hash functions using asymmetric cryptography -enabling distribution of the public key to verify the hash information while -maintaining the confidentiality of the secret key used to generate the hash. - - RHEL 8 incorporates system-wide crypto policies by default. The SSH -configuration file has no effect on the ciphers, MACs, or algorithms unless -specifically defined in the /etc/sysconfig/sshd file. The employed algorithms -can be viewed in the /etc/crypto-policies/back-ends/ directory. - -``` -New: -``` - -Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
- -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. - -``` ---- -SV-244527: -Old: -``` - -The most important characteristic of a random number generator is its -randomness, namely its ability to deliver random numbers that are impossible to -predict. Entropy in computer security is associated with the unpredictability -of a source of randomness. The random source with high entropy tends to -achieve a uniform distribution of random values. Random number generators are -one of the most important building blocks of cryptosystems. - - The rngd service feeds random data from hardware device to kernel random -device. Quality (non-predictable) random number generation is important for -several security functions (i.e., ciphers). - -``` -New: -``` - -The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. - -The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers). 
- -``` ---- -SV-244528: -Old: -``` - -Configuring this setting for the SSH daemon provides additional -assurance that remote logon via SSH will require a password, even in the event -of misconfiguration elsewhere. - -``` -New: -``` - -Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. - -``` ---- -SV-244529: -Old: -``` - -The use of separate file systems for different paths can protect the -system from failures resulting from a file system becoming full or failing. - -``` -New: -``` - -The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - -``` ---- -SV-244530: -Old: -``` - -The "nosuid" mount option causes the system not to execute -"setuid" and "setgid" files with owner privileges. This option must be used -for mounting any file system not containing approved "setuid" and "setguid" -files. Executing files from untrusted file systems increases the opportunity -for unprivileged users to attain unauthorized administrative access. - -``` -New: -``` - -The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -``` ---- -SV-244531: -Old: -``` - -Excessive permissions on local interactive user home directories may -allow unauthorized access to user files by other users. - -``` -New: -``` - -Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. 
- -``` ---- -SV-244532: -Old: -``` - -If a local interactive user's files are group-owned by a group of -which the user is not a member, unintended users may be able to access them. - -``` -New: -``` - -If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them. - -``` ---- -SV-244533: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - The preauth argument must be used when the module is called before the -modules which ask for the user credentials such as the password. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) 
users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. -The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. - -``` ---- -SV-244534: -Old: -``` - -By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-force attacks, is reduced. Limits are imposed by locking the account. - - In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to -centralize the configuration of the pam_faillock.so module. Also introduced is -a "local_users_only" option that will only track failed user authentication -attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, -etc.) users to allow the centralized platform to solely manage user lockout. - - From "faillock.conf" man pages: Note that the default directory that -"pam_faillock" uses is usually cleared on system boot so the access will be -reenabled after system reboot. If that is undesirable a different tally -directory must be set with the "dir" option. - The preauth argument must be used when the module is called before the -modules which ask for the user credentials such as the password. - -``` -New: -``` - -By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. - -From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. -The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. - -``` ---- -SV-244535: -Old: -``` - -A session time-out lock is a temporary action taken when a user stops -work and moves away from the immediate physical vicinity of the information -system but does not log out because of the temporary nature of the absence. -Rather than relying on the user to manually lock their operating system session -prior to vacating the vicinity, operating systems need to be able to identify -when a user's session has idled and take action to initiate the session lock. - - The session lock is implemented at the point where session activity can be -determined and/or controlled. - -``` -New: -``` - -A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled. 
- -``` ---- -SV-244536: -Old: -``` - -Leaving the user list enabled is a security risk since it allows -anyone with physical access to the system to enumerate known user accounts -without authenticated access to the system. - -``` -New: -``` - -Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. - -``` ---- -SV-244538: -Old: -``` - -A session time-out lock is a temporary action taken when a user stops -work and moves away from the immediate physical vicinity of the information -system but does not log out because of the temporary nature of the absence. -Rather than relying on the user to manually lock their operating system session -prior to vacating the vicinity, operating systems need to be able to identify -when a user's session has idled and take action to initiate the session lock. - - The session lock is implemented at the point where session activity can be -determined and/or controlled. - - Implementing session settings will have little value if a user is able to -manipulate these settings from the defaults prescribed in the other -requirements of this implementation guide. - - Locking these settings from non-privileged users is crucial to maintaining -a protected baseline. - -``` -New: -``` - -A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled. 
- -Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. - -Locking these settings from non-privileged users is crucial to maintaining a protected baseline. - -``` ---- -SV-244539: -Old: -``` - -A session time-out lock is a temporary action taken when a user stops -work and moves away from the immediate physical vicinity of the information -system but does not log out because of the temporary nature of the absence. -Rather than relying on the user to manually lock their operating system session -prior to vacating the vicinity, operating systems need to be able to identify -when a user's session has idled and take action to initiate the session lock. - - The session lock is implemented at the point where session activity can be -determined and/or controlled. - - Implementing session settings will have little value if a user is able to -manipulate these settings from the defaults prescribed in the other -requirements of this implementation guide. - - Locking these settings from non-privileged users is crucial to maintaining -a protected baseline. - -``` -New: -``` - -A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled. - -Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. 
- -Locking these settings from non-privileged users is crucial to maintaining a protected baseline. - -``` ---- -SV-244541: -Old: -``` - -If an account has an empty password, anyone could log on and run -commands with the privileges of that account. Accounts with empty passwords -should never be used in operational environments. - -``` -New: -``` - -If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. - -``` ---- -SV-244542: -Old: -``` - -Without establishing what type of events occurred, the source of -events, where events occurred, and the outcome of events, it would be difficult -to establish, correlate, and investigate the events leading up to an outage or -attack. - - Audit record content that may be necessary to satisfy this requirement -includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, -filenames involved, and access control or flow control rules invoked. - - Associating event types with detected events in RHEL 8 audit logs provides -a means of investigating an attack, recognizing resource utilization or -capacity thresholds, or identifying an improperly configured RHEL 8 system. - -``` -New: -``` - -Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. 
- -Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. - -``` ---- -SV-244543: -Old: -``` - -If security personnel are not notified immediately when storage volume -reaches 75 percent utilization, they are unable to plan for audit record -storage capacity expansion. - -``` -New: -``` - -If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. - -``` ---- -SV-244544: -Old: -``` - -"Firewalld" provides an easy and effective way to block/limit remote -access to the system via ports, services, and protocols. - - Remote access services, such as those providing remote access to network -devices and information systems, which lack automated control capabilities, -increase risk and make remote user access management difficult at best. - - Remote access is access to DoD nonpublic information systems by an -authorized user (or an information system) communicating through an external, -non-organization-controlled network. Remote access methods include, for -example, dial-up, broadband, and wireless. - RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement -action if the audit reveals unauthorized activity. Automated control of remote -access sessions allows organizations to ensure ongoing compliance with remote -access policies by enforcing connection rules of remote access applications on -a variety of information system components (e.g., servers, workstations, -notebook computers, smartphones, and tablets). - -``` -New: -``` - -"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. 
- -Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. -RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). - -``` ---- -SV-244545: -Old: -``` - -The organization must identify authorized software programs and permit -execution of authorized software. The process used to identify software -programs that are authorized to execute on organizational information systems -is commonly referred to as whitelisting. - - Utilizing a whitelist provides a configuration management method for -allowing the execution of only authorized software. Using only authorized -software decreases risk by limiting the number of potential vulnerabilities. -Verification of whitelisted software occurs prior to execution or at system -startup. - - User home directories/folders may contain information of a sensitive -nature. Non-privileged users should coordinate any sharing of information with -an SA through shared resources. - - RHEL 8 ships with many optional packages. One such package is a file access -policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that -determines access rights to files based on attributes of the process and file. 
-It can be used to either blacklist or whitelist processes or file access.
-
- Proceed with caution with enforcing the use of this daemon. Improper
-configuration may render the system non-functional. The "fapolicyd" API is
-not namespace aware and can cause issues when launching or running containers.
-
-```
-New:
-```
-
-The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
-
-Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
-
-User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
-
-RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
-
-Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
-
-```
----
-SV-244546:
-Old:
-```
-
-The organization must identify authorized software programs and permit
-execution of authorized software. The process used to identify software
-programs that are authorized to execute on organizational information systems
-is commonly referred to as whitelisting.
-
- Utilizing a whitelist provides a configuration management method for
-allowing the execution of only authorized software. Using only authorized
-software decreases risk by limiting the number of potential vulnerabilities.
-Verification of whitelisted software occurs prior to execution or at system
-startup.
-
- User home directories/folders may contain information of a sensitive
-nature. Non-privileged users should coordinate any sharing of information with
-an SA through shared resources.
-
- RHEL 8 ships with many optional packages. One such package is a file access
-policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that
-determines access rights to files based on attributes of the process and file.
-It can be used to either blacklist or whitelist processes or file access.
-
- Proceed with caution with enforcing the use of this daemon. Improper
-configuration may render the system non-functional. The "fapolicyd" API is
-not namespace aware and can cause issues when launching or running containers.
-
-```
-New:
-```
-
-The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
-
-Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
-
-User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
-
-RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd".
"fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.
-
-Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
-
-```
----
-SV-244547:
-Old:
-```
-
-Without authenticating devices, unidentified or unknown devices may be
-introduced, thereby facilitating malicious activity.
- Peripherals include, but are not limited to, such devices as flash drives,
-external storage, and printers.
- A new feature that RHEL 8 provides is the USBGuard software framework. The
-USBguard-daemon is the main component of the USBGuard software framework. It
-runs as a service in the background and enforces the USB device authorization
-policy for all USB devices. The policy is defined by a set of rules using a
-rule language described in the usbguard-rules.conf file. The policy and the
-authorization state of USB devices can be modified during runtime using the
-usbguard tool.
-
- The System Administrator (SA) must work with the site Information System
-Security Officer (ISSO) to determine a list of authorized peripherals and
-establish rules within the USBGuard software framework to allow only authorized
-devices.
-
-```
-New:
-```
-
-Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
-Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
-A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices.
The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
-
-The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.
-
-```
----
-SV-244548:
-Old:
-```
-
-Without authenticating devices, unidentified or unknown devices may be
-introduced, thereby facilitating malicious activity.
-
- Peripherals include, but are not limited to, such devices as flash drives,
-external storage, and printers.
-
- A new feature that RHEL 8 provides is the USBGuard software framework. The
-USBguard-daemon is the main component of the USBGuard software framework. It
-runs as a service in the background and enforces the USB device authorization
-policy for all USB devices. The policy is defined by a set of rules using a
-rule language described in the usbguard-rules.conf file. The policy and the
-authorization state of USB devices can be modified during runtime using the
-usbguard tool.
-
- The System Administrator (SA) must work with the site Information System
-Security Officer (ISSO) to determine a list of authorized peripherals and
-establish rules within the USBGuard software framework to allow only authorized
-devices.
-
-```
-New:
-```
-
-Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
-
-Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
-
-A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices.
The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
-
-The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.
-
-```
----
-SV-244549:
-Old:
-```
-
-Without protection of the transmitted information, confidentiality and
-integrity may be compromised because unprotected communications can be
-intercepted and either read or altered.
-
- This requirement applies to both internal and external networks and all
-types of information system components from which information can be
-transmitted (e.g., servers, mobile devices, notebook computers, printers,
-copiers, scanners, and facsimile machines). Communication paths outside the
-physical protection of a controlled boundary are exposed to the possibility of
-interception and modification.
-
- Protecting the confidentiality and integrity of organizational information
-can be accomplished by physical means (e.g., employing physical distribution
-systems) or by logical means (e.g., employing cryptographic techniques). If
-physical means of protection are employed, then logical means (cryptography) do
-not have to be employed, and vice versa.
-
-```
-New:
-```
-
-Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
-
-This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines).
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
-
-Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
-
-```
----
-SV-250315:
-Old:
-```
-
-By limiting the number of failed logon attempts, the risk of
- unauthorized system access via user password guessing, otherwise known as
- brute-force attacks, is reduced. Limits are imposed by locking the account.
-
- From "faillock.conf" man pages: Note that the default directory that
- "pam_faillock" uses is usually cleared on system boot so the access will be
- re-enabled after system reboot. If that is undesirable, a different tally
- directory must be set with the "dir" option.
-
- SELinux, enforcing a targeted policy, will require any non-default tally
- directory's security context type to match the default directory's security
- context type. Without updating the security context type, the pam_faillock
- module will not write failed login attempts to the non-default tally directory.
-
-```
-New:
-```
-
-By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
-
-SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type.
Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
-
-```
----
-SV-250316:
-Old:
-```
-
-By limiting the number of failed logon attempts, the risk of
- unauthorized system access via user password guessing, otherwise known as
- brute-force attacks, is reduced. Limits are imposed by locking the account.
-
- From "Pam_Faillock" man pages: Note that the default directory that
- "pam_faillock" uses is usually cleared on system boot so the access will be
- reenabled after system reboot. If that is undesirable, a different tally
- directory must be set with the "dir" option.
-
- SELinux, enforcing a targeted policy, will require any non-default tally
- directory's security context type to match the default directory's security
- context type. Without updating the security context type, the pam_faillock
- module will not write failed login attempts to the non-default tally directory.
-
-```
-New:
-```
-
-By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
-
-From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
-
-SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
-
-```
----
-SV-250317:
-Old:
-```
-
-Routing protocol daemons are typically used on routers to exchange network
- topology information with other routers.
If this software is used when not required,
- system network information may be unnecessarily transmitted across the network.
-
- The sysctl --system command will load settings from all system configuration files.
-
- All configuration files are sorted by their filename in lexicographic order, regardless
- of which of the directories they reside in. If multiple files specify the same option,
- the entry in the file with the lexicographically latest name will take precedence.
-
- Files are read from directories in the following list from top to bottom. Once a file of a
- given filename is loaded, any file of the same name in subsequent directories is ignored.
-
- /etc/sysctl.d/*.conf
- /run/sysctl.d/*.conf
- /usr/local/lib/sysctl.d/*.conf
- /usr/lib/sysctl.d/*.conf
- /lib/sysctl.d/*.conf
- /etc/sysctl.conf
-
-```
-New:
-```
-
-Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
-
-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
-/etc/sysctl.d/*.conf
-/run/sysctl.d/*.conf
-/usr/local/lib/sysctl.d/*.conf
-/usr/lib/sysctl.d/*.conf
-/lib/sysctl.d/*.conf
-/etc/sysctl.conf
-
-```
----
-SV-251707:
-Old:
-```
-
-If RHEL 8 were to allow any user to make changes to software libraries,
- then those changes might be implemented without undergoing the appropriate
- testing and approvals that are part of a robust change management process.
-
- This requirement applies to RHEL 8 with software libraries that are accessible
- and configurable, as in the case of interpreted languages. Software libraries
- also include privileged programs that execute with escalated privileges. Only
- qualified and authorized individuals will be allowed to obtain access to
- information system components for purposes of initiating changes, including
- upgrades and modifications.
-
-```
-New:
-```
-
-If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
-
-This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
-
-```
----
-SV-251708:
-Old:
-```
-
-If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
-
-```
-New:
-```
-
-If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
-
-This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
-
-```
----
-SV-251709:
-Old:
-```
-
-If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
-
-```
-New:
-```
-
-If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
-
-This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
-
-```
----
-SV-251710:
-Old:
-```
-
-Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed.
- Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the
- system security policy and supporting the isolation of code and data on which the protection is based. Security functionality
- includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges),
- setting events to be audited, and setting intrusion detection parameters.
-
- This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and
- environments that require this functionality.
-
-```
-New:
-```
-
-Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
-
-This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality.
-
-```
----
-SV-251711:
-Old:
-```
-
-The "sudo" command allows authorized users to run programs (including shells) as other users,
- system users, and root.
The "/etc/sudoers" file is used to configure authorized "sudo" users as
- well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers"
- file allow configured users to run programs without re-authenticating. Use of these configuration
- options makes it easier for one compromised account to be used to compromise other accounts.
-
- It is possible to include other sudoers files from within the sudoers file currently being parsed
- using the #include and #includedir directives. When sudo reaches this line it will suspend
- processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the
- end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are
- included may themselves include other files. A hard limit of 128 nested include files is enforced
- to prevent include file loops.
-
-```
-New:
-```
-
-The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
-
-It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.
-
-```
----
-SV-251712:
-Old:
-```
-
-Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
-
-```
-New:
-```
-
-Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
-
-```
----
-SV-254520:
-Old:
-```
-
-Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
-
-Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.
-
-```
-New:
-```
-
-Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
-
-Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.
-
-```
----
-
-```
From b755c152ad8fc76cea30df6255d133a169a0f2db Mon Sep 17 00:00:00 2001
From: Daniel Medina
Date: Fri, 6 Dec 2024 10:29:04 -0500
Subject: [PATCH 40/71] Use case adjust
---
 src/courses/delta/04.md | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md
index da699bd3c..00a67ad0f 100644
--- a/src/courses/delta/04.md
+++ b/src/courses/delta/04.md
@@ -11,11 +11,9 @@ There are several situations that warrant the use of the delta process. These ar
 1. [Use Case 1](#411-use-case-1) - Check and update control IDs and metadata based on new guidance (run update controls)
-2. [Use Case 2](#412-use-case-2) - Update control IDs based on group ID (run update controls)
+3. [Use Case 2](#415-use-case-4) - Generate stubs for new controls found in the XCCDF Benchmark file (run Delta without fuzzy matching)
-3. [Use Case 3](#415-use-case-4) - Generate stubs for new controls found in the XCCDF Benchmark file (run Delta without fuzzy matching)
-
-4. [Use Case 4](#414-use-case-3) - No mappings were found using update controls (run Delta with fuzzy matching)
+4. [Use Case 3](#414-use-case-3) - No mappings were found using update controls (run Delta with fuzzy matching)
@@ -27,14 +25,6 @@ Updated guidance sometimes modifies the control identification (ID) values of a
 [return to top](#41-use-cases-for-running-delta)
-### 4.1.2 Use Case 2
-
-If there isn't any mapping between baseline X and Y using the default rule identification (rule ID) for the control, it may be necessary to index the controls based on control group identifications (group ID). Running the update controls with the group ID may be required to provide a mapping from baseline X to Y.
-
-**Process:** Run `update_controls4delta`
-
-[return to top](#41-use-cases-for-running-delta)
-
 ### 4.1.4 Use Case 3
 New guidance often contains new controls that weren't previously defined. In this case, running the delta process generates the control stubs with all metadata, except for the describe block (code) content.
From 2ecf75db5aefa65b08127ec6bd6762074a17c9a1 Mon Sep 17 00:00:00 2001
From: Daniel Medina
Date: Fri, 6 Dec 2024 10:30:08 -0500
Subject: [PATCH 41/71] number fix'
---
 src/courses/delta/04.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md
index 00a67ad0f..f39a832b4 100644
--- a/src/courses/delta/04.md
+++ b/src/courses/delta/04.md
@@ -11,7 +11,7 @@ There are several situations that warrant the use of the delta process. These ar
 1. [Use Case 1](#411-use-case-1) - Check and update control IDs and metadata based on new guidance (run update controls)
-3. [Use Case 2](#415-use-case-4) - Generate stubs for new controls found in the XCCDF Benchmark file (run Delta without fuzzy matching)
+3. [Use Case 2](#415-use-case-2) - Generate stubs for new controls found in the XCCDF Benchmark file (run Delta without fuzzy matching)
 4. [Use Case 3](#414-use-case-3) - No mappings were found using update controls (run Delta with fuzzy matching)
@@ -25,7 +25,7 @@ Updated guidance sometimes modifies the control identification (ID) values of a
 [return to top](#41-use-cases-for-running-delta)
-### 4.1.4 Use Case 3
+### 4.1.4 Use Case 2
 New guidance often contains new controls that weren't previously defined. In this case, running the delta process generates the control stubs with all metadata, except for the describe block (code) content.
@@ -33,7 +33,7 @@ New guidance often contains new controls that weren't previously defined. In thi
 [return to top](#41-use-cases-for-running-delta)
-### 4.1.5 Use Case 4
+### 4.1.5 Use Case 3
 Running update controls may result in no controls being updated or no mappings being found from baseline X to baseline Y. This could be due to the baselines belonging to different platforms, or too many revisions were released between the two baselines, creating no way to map between them. In this case, use Delta with fuzzy matching.
From 3043ac6d4a0268785bc866bdb7119b3909e8330a Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Mon, 9 Dec 2024 11:25:23 -0800
Subject: [PATCH 42/71] readme/pg 1
Signed-off-by: Amndeep Singh Mann
---
 src/courses/profile-dev-test/README.md | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/courses/profile-dev-test/README.md b/src/courses/profile-dev-test/README.md
index 348b20072..09db9f566 100644
--- a/src/courses/profile-dev-test/README.md
+++ b/src/courses/profile-dev-test/README.md
@@ -1,7 +1,7 @@
 ---
 order: 1
 next: 02.md
-title: Development & Testing InSpec Profile
+title: 1. Developing & Testing InSpec Profiles
 author: Aaron Lippold
 ---
@@ -46,7 +46,7 @@ The development and testing of profiles are accomplished using a variety of tool
 - **Test Kitchen**: Integration testing framework
 - Example: `kitchen test` validates your InSpec profiles
 - Use case: Automated compliance testing
-- **Docker/Podman**: Container platforms
+- **Docker/Podman**: Container runtime platforms
 - Example: `docker run` creates isolated test environments
 - Use case: Consistent testing across platforms
 - **InSpec**: Compliance testing framework
@@ -60,7 +60,9 @@ The development and testing of profiles are accomplished using a variety of tool
 Our development and testing workflow is managed by Test Kitchen. This tool is integral to our GitHub Actions CI/CD Pipelines and is also used for local development, testing, and releasing updates, patches, and full releases of the profile.
-> 💡 **Pro Tip**: When starting out, focus on Docker-based testing before moving to AWS environments.
+::: tip Walk before you run!
+When starting out, focus on Docker-based testing before moving to AWS environments.
+:::
 ### Testing Environments
@@ -68,15 +70,19 @@ Test Kitchen uses Docker (or Podman, if preferred) and AWS (using free-tier reso ### Platform One Integration -Additionally, Test Kitchen uses the Red Hat hardened `ubi8 base container` from Platform One for testing. To test the hardened container portion of the testing suite, you'll need to set up and log in to your P1 Free account, then obtain a CLI token to pull the Platform One Iron Bank Red Hat Enterprise Linux 8 Universal Base Image (P1 IB UBI8) image into the test suite. +Additionally, Test Kitchen uses images from Platform One during the hardened container test of the testing suite. In order for you to use them as well, you'll need to set up and log in to your P1 account (free but requires registration), then obtain a CLI token to pull the Platform One Iron Bank images into the test suite. -> ⚠️ **Important**: Ensure you keep your P1 CLI token secure and never commit it to version control. +::: important Secrets should be secret! +Ensure you keep your P1 CLI token secure and never commit it to version control. +::: ## Getting Started with Examples This guide refers to the [MITRE RedHat Enterprise Linux 8 STIG](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/tree/metzger_dynamic_inputs) profile, which provides a working example of the workflow described here. -> 🔍 **Note**: Development happens in the `main` branch, with stable versions available as tagged releases. +::: note Development vs Releases +Development happens in the `main` branch, with stable versions available as tagged releases. +::: ### Hands-on Practice From 534686a2ba469459ab45d22d49b5164d114bf216 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 9 Dec 2024 13:59:57 -0800 Subject: [PATCH 43/71] pg 2 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/02.md | 85 ++++++++++++++++++------------ 1 file changed, 50 insertions(+), 35 deletions(-) 
diff --git a/src/courses/profile-dev-test/02.md b/src/courses/profile-dev-test/02.md index edc4efad7..18d5648a1 100644 --- a/src/courses/profile-dev-test/02.md +++ b/src/courses/profile-dev-test/02.md @@ -1,7 +1,7 @@ --- order: 2 next: 03.md -title: Understanding Repository Organization +title: 2. Understanding Repository Organization author: Aaron Lippold --- @@ -15,25 +15,60 @@ By the end of this section, you will: ## Repository Structure Overview -The repository uses a structured branching and tagging strategy to manage STIG profile versions and updates. This organization ensures reliable tracking of changes and stable releases for production use. +The InSpec profile repository should have a structured branching and tagging strategy to manage STIG profile versions and updates. This organizational strategy ensures reliable tracking of changes and stable releases for production use. ## Branch Strategy -### Main Branch +Security developers and engineers should be putting actively developed changes and updates into feature branches. Once those feature branches have been completed and peer reviewed, they should be merged into the version branch for the respective guidance release. Once all required features, changes, bugfixes, etc. have been merged in, a release should be created - this means that the version branch should be merged into your main branch and a tag should be created. The main branch of the repository ought to be the latest, working version of the codebase. + +::: tip Branches are not releases +Sometimes code ends up merged directly to the main branch - this is fine - the main branch is not a formal release. +::: + + + + + + + + + + + + + + + + + + + + + + + + + + +
Main BranchVersion Branch (`v{x}r{xx}`)
PurposeActive development and testingWork-in-progress tracking a major STIG benchmark release
ContainsLatest code and patches

Code that is becoming aligned to an official guidance release

DISA usually releases updates to STIGs on a quarterly basis. See the [DISA STIG Document Library](https://public.cyber.mil/stigs/downloads/).

Example branch name`main` or `master``v1r12` for Version 1, Release 12
+ +## Version Control and Tagging Strategy + +### Tags + +#### Current Tag + +We do not recommend using a `current` or `latest` tag - if someone needs the latest and greatest, they can pull directly from the main branch of the repository. + +#### Major Tags + +Major tags point to the latest patch releases of the benchmark. For example, `v1`, `v1.3`, and `v1.3.0` all should point at the same commit representing the first release of the Red Hat Enterprise Linux 8 STIG V1R3 Benchmark. The `v1.12.xx` tag(s) would represent the V1R12 Benchmark releases as we find bugs, fixes, or general improvements to the testing profile. + +#### Patch Releases -- Purpose: Active development and testing -- Contains: Latest code and patches -- Best for: Development and testing workflows -- Note: For production, use stable releases instead - -### Version Branches (`v{x}r{xx}`) - -- Purpose: Track major STIG benchmark releases -- Example: `v1r12` for Version 1, Release 12 -- Aligns with: Official DISA STIG releases -- Reference: [DISA STIG Document Library](https://public.cyber.mil/stigs/downloads/) +The latest patch release always points to the major release for the profile. -## Version Control Strategy +For example, after releasing `v1.12.0`, we will point `v1.12` to that patch release: `v1.12.0`. When an issue is found, we will fix, tag, and release `v1.12.1`. We will then 'move' the `v1.12` tag so that it points to tag `v1.12.1`. This way, your pipelines can choose if they want to pin on a specific release of the InSpec profile or always run using the latest code on the main branch. ### Semantic Versioning (SemVer) 
@@ -42,23 +77,3 @@ Format: `MAJOR.RELEASE.PATCH`
 - MAJOR: Matches STIG version
 - RELEASE: Matches STIG release
 - PATCH: Profile updates between STIG releases
-
-Example timeline:
-
-## Tags
-
-### Current Tag
-
-We don't use a specific `current` or `latest` tag. The `current`/`latest` tag for the profile and repository will always be the latest major tag of the benchmark. For example, if `v1.12.3` is the latest Benchmark release from the STIG author, then the tag `v1.12` will point to the `v1.12.3` release of the code.
-
-To use the current `main`, point directly to the GitHub repo.
-
-### Major Tags
-
-Major tags point to the latest patch release of the benchmark. For example, `v1.3` and `v1.3.0` represent the first release of the Red Hat Enterprise Linux 8 STIG V1R3 Benchmark. The `v1.12.xx` tag(s) would represent the V1R12 Benchmark releases as we find bugs, fixes, or general improvements to the testing profile. This tag will point to its `v{x}r{xx}` counterpart.
-
-## Patch Releases
-
-The latest patch release always points to the major release for the profile.
-
-For example, after releasing `v1.12.0`, we will point `v1.12` to that patch release: `v1.12.0`. When an issue is found, we will fix, tag, and release `v1.12.1`. We will then 'move' the `v1.12` tag so that it points to tag `v1.12.1`. This way, your pipelines can choose if they want to pin on a specific release of the InSpec profile or always run 'current'.
From 71489a993fac864bfb226bb1d5e77519b8bb6976 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Mon, 9 Dec 2024 14:31:28 -0800
Subject: [PATCH 44/71] pg 3
Signed-off-by: Amndeep Singh Mann
---
 src/courses/profile-dev-test/03.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/courses/profile-dev-test/03.md b/src/courses/profile-dev-test/03.md
index d1177be71..bdb2a7602 100644
--- a/src/courses/profile-dev-test/03.md
+++ b/src/courses/profile-dev-test/03.md
@@ -1,11 +1,11 @@ --- order: 3 next: 04.md -title: Environment Setup Guide +title: 3. Environment Setup Guide author: Aaron Lippold --- -## Prerequisites Knowledge +## Prerequisite Knowledge - Basic command line experience - Familiarity with package managers @@ -37,7 +37,7 @@ Create accounts with these services before proceeding: 3. **P1 Harbor Access** - Purpose: Container registry access - - Get token: [Harbor Login](https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth?client_id=harbor) + - Get CLI token from your user account page: [Harbor Login](https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth?client_id=harbor) ## Environment Configuration @@ -45,7 +45,7 @@ Create accounts with these services before proceeding: Important variables that control testing behavior: -- `INSPEC_CONTROL`: Specifies which single control to run in the `bundle exec kitchen verify` phase, useful for testing and debugging a single requirement. +- `INSPEC_CONTROL`: Specifies which single control to run in the `bundle exec kitchen verify` phase - useful for testing and debugging a single requirement. - default: `none` - `KITCHEN_LOCAL_YAML`: Specifies the target testing environment you want to use to run and validate the profile. - default: `none` From b0377c9705cfe2561ce314d2e17be456ab98d9ed Mon Sep 17 00:00:00 2001 
From: Daniel Medina
Date: Tue, 10 Dec 2024 17:17:05 -0500
Subject: [PATCH 45/71] GIF testing
---
 src/assets/img/Delta_Class/Delta_Files_1.png | Bin 0 -> 67285 bytes
 src/assets/img/Delta_Class/use_case_1-1.gif | Bin 0 -> 24427 bytes
 src/assets/img/Delta_Class/use_case_1-2.gif | Bin 0 -> 96617 bytes
 src/assets/img/Delta_Class/use_case_1-3.png | Bin 0 -> 158158 bytes
 src/courses/delta/04.md | 23 +++++++++++++++++++
 5 files changed, 23 insertions(+)
 create mode 100644 src/assets/img/Delta_Class/Delta_Files_1.png
 create mode 100644 src/assets/img/Delta_Class/use_case_1-1.gif
 create mode 100644 src/assets/img/Delta_Class/use_case_1-2.gif
 create mode 100644 src/assets/img/Delta_Class/use_case_1-3.png
diff --git a/src/assets/img/Delta_Class/Delta_Files_1.png b/src/assets/img/Delta_Class/Delta_Files_1.png new file mode 100644 index 0000000000000000000000000000000000000000..5fabfb420e7b4b5da2132b04de80a3cff83c99d9 GIT binary patch literal 67285 zcmeFYhg(xkw>P|#&|6fRbgWdV(jlNAs34$pLz9jWdanT#P>^1vBNn<8C3FZP9qB!k zgx*_#(0TEGp7)&RI^X&JgLmheYfom@nl-a#P5aH-?=;m_s418!005wV@>uBw0D$B! zgFYF_Wy*~lJ~sfMlDAb<)O@0-$f@b#Xk}|}2>_4ZCF+stYjrSW!sB8TY(PX`-b@o+ zs`X%e^7Q-PY%#)(N3hGo~0ThUDNlhAF6%`So zG7kELpTX3!0I``R6RH*GQs*XVB+*%2#K5~Zl8MP(e}WD<0WUGV+dU8@_rjlVOYgp1 z_sG5z3VK+l|9)_x>g9W_1+S9syW*+D&Md%FUe+i{Hek3bCU?no@Kfk(`QK3wGZn~? z%xq>`>FN2h;aZ%iQ1P4LUymb)INSyO~0&5vGMJnJxt;p<%NK9wKbX@skz zEZW2Ftn)I>Vr^DZUrjq$KBG=FqYpoMlaIT4#qQzh19bejV&n^v+fB|czC*~gu3#yM z^c9(1$@5QFSQJ>fyJ?_W+xfP^3gW+=!m>q)yw~-^-ESCo_fm&HAG5!v@j>_SAz4G<`18v@W4&HnD%jD%_EHeVqll)_!=8CFl{M|2nj#FN_yejK z)C;kqd(P=WN?m{yZ^3^@^-{|Eo=r?6{e zk_uD~$z)NVx{R^JlB6?65pS%%a@AX0+GW96`MDQs+uidN(mg|f(e?00dCCsdrrv?1?; zlvoTo2(5BELSB1sr^v0bn~H0P4jNuhmv777G~{x->Y#Cz?tS2U7un_DL zPF{OmgAJ%+)DG*cqWKP8ceY**dv~JHD-dJJGn-`f_B{SzMt8e;N^>lht%KW}Xgt~e z46mjG*GYawZ~Hy4J6d*R2OBUm~(@Q|hE$AH?R^oZ1fbUJ zMRANl8rGE6G@qB%qtttV$Blx!qoZlu7j$pzEvS1 zJCf-U8qG_ysyk2pNT-pNIK7=PFZuHi3U{twStnyB62B1}qyABy`)&d)>MG4u^=9k* zwC$+Jw^y$ehdXQ=sNJ->W_>mJ+9)mIipCY0chT=4x34{kwouu<`6x#6i|h+wTQ*z9 z70DHf{ItCXPYgQrJD%`p@)$hH)6UcW{!?q^;{g3v>!(>As}_{yq*B4%w|Z|2ayj0q zj1i2j?a1O`rsI3hcqb|DiGf0X_K=pk*5>nRZa%&=-da8t9?FCzK0WR&9a!$E=F#W( z-`*Efs9NT{SF%j$^hl)Tt<;&;%-2>e5EM&ERWVX7{+gKs%MQ@|nlGJKuH#*R*Dlm% z(Jskr(7sh@kS9ERw~#(Bv5-x(_RC1Fx^AVmb-wG+Qh{E+MB$7!M_;yWWPf;Hd%u1` znbusLa`fFNgD*rC;&TnYR6oKeESfVbi+(P%F`Rffp*vywvXbF>*VBmN#C)BC3V5Mn zp$S|IV<2Pf8|smG@O(pnO|9)kSaE#u4@2w59_kE@TU07SD%&djOwZ+KJHrVzx7_{R zk81AJ__~#>1q^&%BVM*#DIT&Lsx66L!>p>TXpGKe2fl1{{4(;mH+C}i&MiW8ojH`$ZS!IuPR>`QP-oS4@q*mHM;hN;6mv_-w|y)jy2m6v5`^xaB-?M{1;| z0@Gk)T4xBhH*aQ80LmJ%ff>!mcMu!zoBKe9mdGIy)DPse{wh>siOAEL7& z$9!XcmLXiBWx>VE;QkE%5oPtVQBu3^9%DyF0wy7sIB*_wXC%(#HWXivFWi+^i_Qu# 
z4Q-{uMINM}M3cMybg$@dWBC0TJayOX_Y?IaZIuR``5{%vg6IItu`1L2tEY{=PRT~nw zp9&;MCnY5Z7<3x>;6{ZTbx)xkb^d|LJez>TlC>uN&pVOJs6D#^w zB4BXl@h3rSsVk#P;``U4#G;J?vO=4e)(s9VHG+vuiKB(51qYWCj9`91V`k-fC&>); zJ`1%(lEdlGC#5SRi`jpu#gfDp;NkGyO4%vq#{G52$eGubD~^0q2kx~_zN1mgY={bn ziV7KO4}lWJwcGCXwRbmb>M((xTJ`>Ci*nMwPYJ>GarM1~uj{pC@@|1^pw^({5C+mh zXg^KjeNJjomSYxC=GxS_ROvLuR5)A~PQ&IQS$7uR5nJ$iLM55wGb^98xK|za5KZ3y zt|5Mfi=$HAw%(U_XQ%>|hl(2fl-rv@F6+9=k6+($HC~EJCrHlt1v!7($ysX&^+-NY zY^*&E$ZM|njElp3{noXa43}`!%j4d?-ufX{Xn*cd=_h><@%zj(RMc#A669zgX9;89v+SY}0G@(a{ww|h#Qkp? zFaU(v0!06&d3pK%`@~#^OYVQaA#tGq>E*v`m*Gt|`2SLa1ys`>*QwZ=)n26+*f9f?rw57Z~hhZU(dhl zY3XJA-;x|$|J|(11`7Vo5fl~>68zuT+-$A>f7t%!{EO|McKu77?BBwqHEq2t?e&#x z5tpjItQt&GR8saIG5?>O|E}o2ICWetT@)P=myB+(|L&`QGyiAi|783}q``lP6cPVV zk^hnNADn-iApOG9)zRMluL^Y>Y~5fYvV#9x^8e&A_-{6t@csM$X8O<6|H+~MzjFL% z>i^`>aIwAA!>hklg9-mz!hfdyn_gD%Z`c2aDg4XM{z<(wG#G`f;C~q{jDoxAqcZ>~ z08f-2XnTRyr%3Cp^mHW7MMYOWxN#CyDRKr8g>&bHb2F^d+jHK@Ju%+_4THjZuv;9}C(nmIA`6WTjjki2y_257F*3A^(@X2!`1SfxW4n!tQK>c0 z5!lis7iQBXxptjpQN-8u0KFbWzk@!YH(09c9*6uOwSxYJh%W!(`n4W34&hq}V%pPP zb?S}CkQ4I7ii7GA7!-9It7~_ud0W)0nFh=OLymW}^lIL%uTWcApZ_D>_KKJuN$_sBR_9WACo8&%}HnNW^1FxJ4+ot-xKQ6q`< z@gGaNC!y?sMlWJv4(eJRvM3| zWp{pmbh&KY^lVKO5xla1TE@Y%7GvZi$*^==?s)lg7>h&ItE%(kwXl+l;}VXMk&)2A z)3!j?9$9?%#U)9CxMW%P7Jk^|Y#4$*IcdB&!L9%3g_)@btkIW_8oK^*T1eER+432! zouviccwCHY=5aIf7`N;Q+pVsVof|-Feyd-g1t5E)Fi5BfGYh!2GUV`E!p&D}gL&WU?RSiZc#4QAV z+HLSzGrgW+?3_i0Kj_fZr-RLN(itcB0(}xP?)xR0ElI8S-6(Qt-hY-hOLB6}m_UJb zer%Ef&2>%Z7OAbB-v8d*=GWb3QLrSp<=rf|=^Tw~WpR{E*9v@GbA)6=9xerJE?vu$ z--gJ?bnhi-sUO8OjZ6C<9<68u9y^7}Ouq7JqBIt&J8ThznJKVygYrh}H{EysSO*?h zFR>nGT^wcMhD!qWOLZ9)TfFByh$j3uU9)g=^5=7|{ilVE$AytH9_9KqMDj2Mnx}a| z3q67NTeJ?avT^iZgNI$5Z(Xo&dbP=r$R;(3zIO}}M3tRQy7sbVp3ZZ%otqpbnvfrY zZ0+Rro$c??IQq@8h#HoBWQ#<6^S{n6IiG#mbf9ZHb2lOP_TceS;Q12HI$+V71OwNr zZ8jLgQt%1|93=;O9~P7x7vO%t)_z>Oep#hPpD|=f2m=;kxaKxc^RzICHH`>acq%i! 
z6Ge288+e?%baSWe(lna8j1S6j>8?HRwzd!GGuK7*2T3_2A&Ew{9@Hj>Z%rg8&o(_Z zT1mMhe|&Ps(kcWSU$v)hKrk8;a|GCZ${mFm?)7(+=I=jpnqthlk2P}XxYIo9KQ&5i zN9?j5NT{93puCZa4^~I+$IBnZOBt7o;u{VsO4u^@i>#>wFDsrB!BwgiaK026;Dv^; z#~cODas`+jZp@r-{FGmEg;{$I#AhbVt;;$+@aj-C7Lnbs)rf%Em7?IhT>(v%euhW! z&oZ99Y?Ru=G@cH;4g9dP<~wsTjZ^om8QfklIbY~M`m3{MKI5JDzg0Li+v5ATAI^Ur@%ljS9`@?!|x$3eh3~1Mzb~C!9zdLS1N)zLr z$er&*bFd%xg)I^hzd<)W`L(F{eEF&xO514Dqq5dAsz=s>8H}zg@mt_)K9C5+OEj09 zO_VJB_Qz40NDgg;5(PgvMLjgKkVZe|1Z9pkp6|;gOr$1{T6`zeEyWD9Kp>usSb^2hz;9;hn%U1tu0b2IcD3#AcJG+=SM=-E2$!Ocbp(s0yj z$ZY%srvHu)nqI#}(I3i;^c)9rr#NUY10kYeIRczM5?E?Ry^;K*N16{wJ#<{Pd-gKO zV}>uu``(G-;^y^T(k$t_8(R4Ot(!Q%9UKSDp3^an^%i4osdJy$xd zrt%F_q7;Rzj|0y}12c{_$LHSLQQkD=I4BLXv^&zc*wY9>dv}|&i~6nR2E0azIQn8R zV5?}~$+>IY3gr4Z5F4(IJBe4xiz@3D?lpV*k9radjh%W15+C#!i0{A#jk+W%BcbB z@SVetdY1-#l-yo!=bv4@T?(=B|Hb9^Yy0nv(a~e*W&aA4k3G+rIm$>EoH?7CkxO?Q zc+#A8+L1-|mxRNhlFLwtt!w7uY^FCV=)=Xn$p!rkd4Qc&8zJz5&{l$s*s{M91eKTM z*nnB+kJP{vEo;>}gnx>iU)Cfhf~3^@_bql|za7RvXC(fspuep^4r)cfSVWa^m{k6- zsT%t3?q^rope&5cJlmi|{mL_tscSVgE*N|279|;wMexo_rlc`R8>MNHWiU|kgJk!iZ*lm z4N;r?X|ue=W!D_9dcdWdL7pwHIe(Zk74r+3zfT zifKH9=kSblnNVz#eisop$UZR=0MJ)5I4mS6Ou+%se)G2=%;hDSZD*SP+2}=$^LY&# z>@F1PzRu>^*8H{rapzVgHSVc4x*h)1IQeP+>0%ptA%tFriJfH3 zM9J5(asj<<3TJ=yELu|W!&ypnj)NFoinR_W|9U@Z7U`V~+FW=D>M>>p?3t!G67~Vfy3KeHWeQSFNr++srKPfLh4VXXUFw$ccB4T*I1q-bOPc1rlKIc>MBp zF*>02+a8*hWPkgS4(*yl{%axLQuqWhBvgq`+$r1mJHPHy{88~AQlTz?u15&Sm>o$~ zYRo30LDK10iFAFDjzRR(rO+#!L|+_61Hpi%v?(zyTe$#68{T0pJI4g#^;5S;0@@ZL z?>7=7pI;e!0dix?MEk62Wu+GLAj>KeANcnY{4~m+WAaJJ;N^tIi!*XRS&FoJ-COv$ z70IM19@AasYfN>E7S^Ov2Ed&(_fKVV=074^lGHi74C}wo&E^5DOK}yD*9}_sXF=@V z*i}POYY2Ph!HulWR73sAUpAcCX;XWAKu5f`PX@;+37H&DUf=f22p_U9HI4f9K6fiB zJ2#f;p$LRLQ2)RXxDI87OjC= zJ>@L9?m2n%hnRtk;NK$DZL)*D(Xp2FbM|ocJ5%~&d52r zYV4_F1`1`DA3!O>t0ZoFAqFj2g9k#$2w_Cj*>^%VrzagxTOEl^kKf&78s|jEx>r{c z^G_BMg-&G#hWO$0KIoaIz}-dE@NuZ)VW>rr$b;;AEYHUx!Wt1vL=|E_ zPM~x;7)VWkL7_PMiDPeZL}U@0V|4tTTrb2DAz+IzaM?Fo9HmzedsLSId0vHZ|8*km 
ziOnn?fBu1#hE$YcnpS8YU;y`od88kPPuY7=DuR@}`nDxWkF>w>KLIxV=6~JzChf5N zyxnhr%m2kh6eT+&Eo=wmHL@x@Cx1LKP4?$sN+c>ajSrv%uej%q8;d!)i*LTEEr$N` zK|_=j6u;pLXtbrTh`XqN%++{-Q3i2^1MdsV5d7Gk`RB@H$bK1BeR&E0axTB`lc%BI z+-jFxA61f|gWIaQX}QVV-U<+7#iC(X=p;p8F80^lf=NE8i*t)SAq?2pPNJ~2VMB5v z2*SQa?0d9cH*pm`r=_UcD4J{T*1Jxgd-rfjuzo)Zz#Jx<(K|IFYf(q3~5A3q(iTJ&eJ;RDu;jOb6-=m-hFV~2*Y z&7(#d^5q@2rJ7?&sSJxvT-C9+MCS)1t^&^bdqKVLaGhMPJM(?@{047WCQ+ne$B!(z z(#^W&^0~022kL52ar^wSCKc-2t>Y_$Uon0YK-jm9FUjswO;eAP%i3$~Lnd?QOoGVl ziTE0QeGZ#1SHKRDlZxcbnFHE9A8s&UadWW@k@VoDmNoC?K|!7!eITT$yat{f1LwEF z4$8)-_nDLI2q4RsB0@e>7Fc>C)7Jt+;- zvJ_ML$L}!kpEGJwg%PaSn+C3hFUx#mI2egN$P1cp|65Dd)fc3{T^%R>n2lEknSl6A zJ4O#rS}It(&9Jv=QXRc8P09W?GCuR-c<%O=M+jT08GQNOHw8D1r+5GKqWZmdst>Em z?#;zMswOPn2#&R=>^_0-3w*^3}7Xg`NhBlbLKGpR;hD^;u||R8MLq_8KwY z`2HQBK}x0=Im`9ySm>yG>8&)R%Isu(EEm~5o&Zv0Ydf-Wt`&rzG~rcGN(9G@_i`AC zu`4!0$(9&h8Fm2}^20qK)Cf#uyBhx&fx@UT$>}hYjd~|B{1abw)D`)h}R=jGZx3IvhRP zGMfjtKvByA%9(XOFCrKpd#7%I+m#vbb8=gCwIy5JL7VJp`(qRnJ{_h<&#`2> zO;$3C7M1Q50j{MjCOO-nm@8kNazHrwY{p)n+$lu{+cz`Ijwf}1?kVJWk?V<*In||p z8EYjk-)Fqfkao55AmQ%N#vRQ_=vvtmDlPB}HfUTS6a7t59a^oQout^V5=gjRR?(XJe zn5>N7IgrNWo=L|=P-N$(%>-r7Ir=*=c1W__3RsRv@FXs7^9DGLuBVfp29&zDmeQX~ z+h<=MRn@uTAdBuKO@e@%06vak5v77?I=(Ag~%hBkeo6XX@#~T2$$sb z%h2SoyZ`uSaWrdcPPE39pBzKz@#;>?ZZ zut+U0X5;2bZE^2frtf!oKj@@YHUXC=u6hYMipT+n_JT&5h|d?5_wcdR?}sZ^W9rMx zYXs8u8eX%Pp1B3~tMq4eEne=k{4Fi<{Jto+ztE@7KAOs>&}V+hy_a48IkY>wGKVz4 z_~8F#{6CdISu1kZGL!4g*d_m>$a7IL4w9>R(d#^ojx!C4i{3SU2kYaalYaO=`Gn0W zmWdl_7L>fl?U^8W-zR)r6h9PrORFL4?Dfaa*wuo`<9dO0mP8V1|@)I4sTCAU6SHWy;0I1d|gQLU>~a;(3= zc;WMty(?-33n31FVd+r4x>@?>f1v02JA&_)-!d9Y8v5@Ki*DbOae3`n+hw%5`-uY= z!u|2d57H=Y=p|@P4yv=3KN)Yn#c|Y*JDiJ#V%N7M#?yZ0@FI$pOAdS#USl8OQ4;K)(k9|{VyJ|TOZEegPHT=_PtkPR% ztlZe;lM)aET6V14X)Pk`Lt`Z-)km-Uf5ZvwTEa9N&M^9(c zhzJWm5WYjgurHGLQ+2!R+e=;FlYN8h2#&G$r& z#ZNc6Md4`jUfQg~-%N)Su{yokmGhC+)%&sl5i^~S`|+i?6EGDT0*$dz5T_4|`uIm75`7vWUr!qIqEHJ93re#cGNl~8X3oaI0pEpDx( z5r!N=E1wr%g7QwCJh@bQ#@?3mpfv9tZZ|-*Zm$tX?MU{xQ@vMmF0!4)wd6a<0f9hN 
zEvDL$K>54L_5Ckx*;9#xJMKAfi-lu9Po)LrUC2^Nb%I|hlMn1=AB$txCxIcbclp5A zMMM>xk1uywpEsspvecYFw;~w(r4OXtZsU2Eq@9kFcphN50_Q80UilKA0~JbPWQ(pw z=I;!u%OHfg*wNpB*W+`Smq(d6grhHfVh@mUeW~bZH$K;Vun@Ur(Cag@y_?)9yB0M- zf0im*PcOG!SY@vO5YZvQbQZRm4&eLdBBEjnS{6EoK;*qI{M4EtPCw5Ed`1}G_o|z+ zB8qOuz|}q?4J}+{YNJj1rX+Wa+ve#On`S(`P1)Q=p$3Nu&At zKrrJthqkz~rZ98oPxh#Ft6|9-QszT|T*%IJmA~VF7TrFCq{xOazegdsq_;rCq0lfZJjKNC8Q_yst=^!W0wR!bB=^e7FZn7v4oi!xV_GBrX(P zEd}wph^V2TC?`Fk`N#}0R*3z8?qpzQi#}SGSW27T`)1*((C^nuKWF4XemJ&2&n54D zCu^0Rp$`+#{jPa>N`hLVaj6^^3LT=>AYMVh~Z7JangGwlC!-%{=%R{nd`$#d&0 znRUqq6pzH{pN0B4am)JkNfT-)fV8|)`r03^DRyNyfnggEAuesl(z&%XlbMq0w*&H6 zZW%~SMhA!+YsKm`{=NoEI*DXsMRT5^-d8mf}z)>=yVX2&*DT~ta+bnF6BLj#&) z6JTl6P#TNLLWsaKEpnIP4lT-gsK3vfsy zugfhX;{>2uK)PAlMgzN(CF2#+H=gxtM$Ns(K6I`IYcBPjXipo3lJwe*W%DpO2}9BK zfHh1Qo&*0AN5g?%X?C_w7hUH*zHI+Z8>zsPsGZ-1<}u(tDoKtHqhi$_d8WmCxO+Jb z9<8iOyh3v~!i)EaPhb1`wrL#Bz9NXtNY*X6U%(8H^cscg2=o_X>2A~Yyi-NA^zW5H zN7Y3+r0JsNY*_FYAhzbmEd?S|d%1p4P8buCf*Sn^^2GtdXi7F|FB%jfwGFxhFQJ?@F28tLfA0i;CipotDv=5}`FMqbTx z-~HOoBTQ(t{|E<7Zl-5r@NJ%hO>k;WFDh5l7A|*Hi};1v5^}Os?=3xNZ*IPkxk=V<^1NfbE&8t1{@`}}$=qF%^pLH}P zG6VY0qzsaaOB$r?5%v6$ZHAlFIZTk()S>pV!V~HcZZ}tu0Y0byQ}L#=xQ`InekEoB z)JYOe@tJbjf%i1um-L)Z zXhPW1OW~@>Cj_6AdwHWvo%uX4sjUN{2zUbJAmm94dxd6PB?D!a#=C!8s)pP zU4D<#lr;~K_eYe(0X$4}Fv8-b?^>e|r{JLLMez@QS%9W7ntwN#QsD8k$`j{32tS%c zwm+>=^szsJlQ?|8zGn7RBFx(|;24HNk91l2Axq7_j@C|^ICxrl?X)ne5b&9VI{Vlo z)50WS!W4QH#pZwNw4XLDX?Qp+FF)z9k>lgz*~&D&zGDfZL|cf5-2|<5>{byrl* zo4yHF0JvPspSkyR9&8s{THS+w-0KHHHMM-vocMU2eu&b_sG|bpquY-MWtJrNZr<3S zUdbyKwAjz_0eIe4WRkNR9xHVnEmmyj@-&293eRLhjK%cH)g#(irT5;gzLsft|n53C*NL4;@BC7 z6{Biw?Yl6cSJJwYc9BTkbiQC#eSii{?1aq7%~p5>C&?vI5)pu_7^JV$v;&VWCtz8C zNje)(M4!DsXyjM^bo{f_icoYzHNBg`myJS{^TEej6OB)_UU81><$E(L>Ykmc%ymVT z7_XXAdLz*H<25^U*iycR|7wz7^wvm-v6Or7pMAQ5bkAKjPZE8go1KO&mX9+BlakE1 zb+9Q=I=e&udsoPOqTJ^x<@I=;*#dsS)u(Nl;0G?gT4}fXQg+mgLqLzfIM+LTFF`Xl zA?kA4`DLQ8)u!gN#wCtWzKhM#P` zGcZg)xiKbFlYhNX*q9AQ^y$x^0W|4jS)x8td*I5)Y!I(}JEla0zLG*0zpUFWj z#{bjih=UvhU*&!e3DTh-KE 
z!M!#G9+qBWh{d18Nk<#`Qm){budb!q-t#G!)2QDtT2dcBocQzHyi2l2TyNA?)x`Yc$!pcm zBHrJ7YF4AQ7!ui!mG=)PKP#!?mcH7H*L}ZP_Vs>}#xAeMu)BD2cu<_Xe0-4N**;o$ zzf);yZnCo0cqQLAyHJy;n&lkXegslNs)W#*#+P}|QatY4w{(F;We95^KMEoL>(0jk+L2x$YZ@#l(apk-5I`RaFDD6vPUkEE(;=ON@%j*S4 z?OT|QH#5(-w&hGEw#Hr_bJwba&idy5TnCmY7(Ub85H%e! zDMeFpEN~1^jOEL~!P2b&)M?Gv_E_YBDUya8nL$c+ILz(<$TKnaf#U*xlx)pZux9K@ zO#`YXE5-M>UqLbLgP##~pzHeJ2N+}2b!$ky5e;gQ9sYe3!r}kyGh~|wPJSp3_|R)A z8tsQ3^F@N8=(}`Nj;;z2B)zq-r5C+96MY(3=YuDO1-kNH(956O4DD|iOA{KHRU6+F zsFbUt3&es_1HV#6tCju8YA3RJ&8a44{5u?kKJLxxqE;F1%COFqN%xsBvOAaCFHv8g zm_3N-f0CJ}Pbb}Zmt5;l+R3}tiA8cU74JRf_G2MU3!{BR@rdyTGJeBv-%gT~NqvJC zpmOpl)tad=-q`tET$LQ{|CNf>sr% zzWt>b?8gGG_g|PtBpTf2;0pr@La*CDCN@=2m>(XD_+1{!)i0@gmLQSxlGv4o&M9ve z@Y=Y%0%H+v6#mup2le@G_NOSAspcM_eCdiiq@{cDK6AZ5Jv5*XcNmras4$*SnW25L z>kF>jc;*jTSM2U#a-H2cWx%!-5iyjMt#MuN5W(P$&+0|Kx}LI*l4m*5 zEDoL}8mt~?r&^(GcAkP66~iq*9=&%hj4<6SE+#CWdgV40=i+I+fV628m>+>80fwnH zQJL&MRc%&XlzlH5IR};;cij%wgwS2G_4h_RW@x--E8h~wEsDq+iAejjuR`SC78N51 zEPFont0Z-n@;30W0nC%u6aFb132Mt*9qU2R@pl zgM3ZQh-QwIt3zXqnpB!2`iq78bnK+zx%(CY(xOXWzMQ^iH-C-rGcA6+*shq9I=N9N zx1dE}>iUYC(K^Qj4DB?tv7cJ*S9a#olpHmhT&@L`l&|5ibL1UVvF2>nOR{Z%dou;Z z2)$)tS6(`OQ@Wv58V=D%WdPLF3gZE&$bgH7BB}P#vQE1e6_wQ%%#!1Z9Lz$ZTrouV zMP#s{C=@D*l$qVEuUYp13knCiauHkR!)r#HgSl??-GgZBB1~&gflnbY)2g5$lnAl( z$no}+Qc0&U*SP9C8IO+1*WG>? 
zJR|d?^%s>A+iv;hN!|;OCWZ?y3YtvOB;nv+v`7X?i^z-?p1E6LxevtFgxV6m3Ro8b z-MT}ps6+Gw!*mC2!!>io1aOgkSD^{4!!<)B05oqeFuv1}Nvz!M^ytnwC5_?XiDdb^i;2KsDzI)EZ;^zr3%8PSkLG_#0BeQkmB^}0w z#a=0>h|~FyCq_+)aJ2r;`~DvEfg7M`zxGfvy8s45im#689-G}PPc9}`t7(-gFcDFI zldd*otI_pq8m_lSw(LqA!{h$E;&O%O)FCiZGgFYk^}c-<{7TYF>sl^&ylwjH%A$4( zW4L;ba-#qKF2ROy@N2R2+UuUa(3%$seN2RlbXgIqp|fk1JV+T-k0eIpBnF4n%MmeZr`8R7+LVW(6Jp`VrvAMCIGFm^C{E;K7HM9mSXqMXI+MlzShCWHrD!jpKE#G2X|mNsI&7|G(f<}HBCcnqiNhv+ zy&dEKp@~Iq_!$c9_FCzib={k5S;14*r+C!O&+)eY!#$E^$9a#Vf4&o1NmJv=?0j!F zVj=i;up{9f&-SN~oc1K+_kWC*%uobdjWwY!O3^h$XSD`**XM`di5PxHnBD)|(%56mzu30mHHma6DL7FEN5zc{3RH1GW-}D>w05bsCu3 zs<@N2JTU>LM3NZRv2dNlt$?l}XI02#>j0Z_1>_hom&j<45k_VK+>mRvbODMh%ZzoC zIxbxxODL{@g|WEa5s%Hu6t#Fc_N4T{^CPM0MYFI0xII({X?h{W!nS$qB?J!491oyF zrxmKYU4>GeYgm*jYFVicPoXX2fvPnx4<6@B5c$-Hr}1gtNTYJpkeU`Oob>WHs(#<_ zIc9cw*Wen@Rd`Tp+V-jbgAbWijNOU#?=p!8oaxD7bu zhM~HBMlB|RZ#1RlY@ea7vk6}gh%g@X*JX4yKZQaJD+`w9(5mz`s%o~sjfT*i&e@_z zvbv-+XytlVS&zOWsf%(b%%!e2v8mrH=y<8PXKUTRLp&HcepBV9OT7GHVR>JS-%4{A zud(Gg{G4m;+z9Etr+-x1x@zV&xY-#~2wNOGE_`FYCP**KS;X(OuNl_Hj*E0EUb=3376Lu{t37@yk8Veem@d5N%!geZnB}Cg5Zklw-ej>HZEsMpAKu zI82v}_D-Ge2tEnsGb*l{eLMM451hG(@U3#zB@-LnC8CNa7&z z-5je$r{uLe1{WO(uc`Xf%*&p!jO7)o>8RVIETVFv=fqOUl`*3FU(&OOd8j@F7v))K zMS6aIjOluQ%>SahPs9D4zQzMYt0Div$XVUg{?nch66^Wv3!ymwtr8Q8h60qW1S7z% zC)loAdW0J_-wZGg_~_myy#Km&d474!-o!6|yB@_!>Hs|Qn0Keg3^mA)jI(9OJ-Kv_ zFHuF2_R)y|-Qt&@*{fh7WI?oNXv%O98Qd0;!kV$T-$be1Kc);tKJvw<&7^w+9LQG^ zrVyWU)p0KAwBt|jJW1(mlGf5yX%W>QqKk{=AFee-;%3mLaqzE^(_UdbEKZ_NC$ z^-(JfSKv8Hxjc7b^StIs1JO#;d*pqRFG$L42q*B^gH&IZAFxN0X@2TD-zJ=)EMH#K z$p`^)fX+8kemdaE_a=?IHr)&i?H~h@#e_4lsmXE)fc$jKYArHMU3^@fAS?2KvrD~V zAVA-wghO;Xi%h_O$Ka$GGxC}S2KM{wnjXejhb2Cuet0e$*G2cOazKeolT9xxjkj55 z{|jwsZHDIwZeD8@S`gteMZKS9?w;1vLnW{&Fhu#7uGH(9ndetwk(5~R5umxvq(R!D zhs8fvh%GTv`MSXbNT0XH<-X%a;HI{kc>sEh<#25f^l!Dc5(6&sP zpfBFWCljNgq(TS1x@8||T-Oum-wJl8k1U65nqLB3o#2OdnWI%UXa{^OT|aa0aEjeCM*fWykKJf*dI^W z;9M0KN7$oFwB!W!OVZ{@s^TNS^)ah8ebey-zPd)a@Zqzi$dbW(s=JRq>qBRBh0=bj z+J#kMRR4u33 
zX!D8%iwa*0P!kkDhH1{0^|!ZMauy%u_`v{Dyug(|7WwF|>!Tq#h%_q08+gpmJ5@=d z+@EPkPo%X#{4WN-Yn+f_WD7@qAtK`zTQ!Rt(PK|P9FIzQ?cGS-b%5;Ln;d3cd z@_0Sbhh0B_eGE7+l>5ig7pLTHlx9?QCWI+%HThwV|MTQ~LAuX8GUMxN<3cT7kEVIy zM~znSCFl4El4}}>LzOQ`4!99$DT!dyAC+?aU*jjWrS0Z!?C%T6uv}>^R*MBoQc5Qzj>MfeNxFWyexId?tZzf){Kf*+36AcCK?vqH|U2+AB zZ~Qk#FxzM=J64V zs?-d$j5r=sgY=fA@@l30h?=;XQCBq32TL~M1r94jF5&=U?`?da4W^i;(utbC#OqH= ze&m!v#CX0tvQD!#!q612&ANJ-y$h+5|M9u8lT~Ss^(`+r8@%6EE&JrNaJ_`9QVMGy z=c_6U_^^I^k7Q?x(V7BKw)-3MXw!RQGA_ZH(Kf;*&`td2%i7Nn3A-mbT zGcH*A+{`}M;L%{UiD*6O2f!HaFshIJ*FSis%9Idq&K{AUkanjx`7HXbLUSGbY*nQ< zQj@ZVXvPINVbIqNJR%?^5Wi4KttkwC3fkyhMsMvp-Og7XvuOK_i-+C66;|u5Hz9gW6(Nm^jBJ zI}u}$isEPfcrKx<40?bz4xa#7Ndq5kYAjAve*^$Z)VcbVB_aU2AKUseFo+c*)6*ko zA0F>A{KF5Cd>QK0RlfO&^PsWgRD)US;)-UqT&{QE$ywIt(Aws57vV_%P^JTjBFy}0 zxl4WX0g(UN`8UqhID%awM=H_r(n1cBCoS_B?lO~BR_cWn{4-#jJmOS!pfAsR*j=w9 z`2jjpqe6@m$2bsw;1I5gqQ07^&Rt+KXtrrwex+(g&A9mybp=k`)Fv4dh0iY;L`yfz(5aRvUNj&Sj~}8B6!<&6FCc)s#iihL)T!x zWMCrqsp=pM;s@}q-Ov%rmA`5@xNsoI2EZEG21H!-k!LBmGv&hsei zO;MA^Zgf3^Zs1G?+k#(fS8w`3F*S3?;D!6welbnN{Y2XEbIYur@qOU(GEjH}EQx>jzdh5P7nI&tr0aC2a=)9sqB(Nn?lhggH zIAi@BN%uVdY+J50IOmJlri9j8S}^Un@CxXG6}wl8HVDFk%>q|Id~9w*K)&?1rY}!H z5PKmL;d5scb)d)Rn0}g+r(gnDiRODIk*&8ZR%VJgsiD*sLZ+tYKP7)dqXZ?67B}D_ zOZE5s3Gm$aVx^p1d4OwV3-TqDDrc*^oaPy49(*xjNP1@Psf38!0x9NCb8NElw0;$< zBjFe6figmQia(Zd%}OUqo$b2Wwr1L= z=wI{Z*T58mcClsLM5i{(6-W1Vml9&W1P{BnQ>an3TWEtiqj`?M)-GQsnN4R+ESqzL z?*uxJ)r^Fyp)$~T=y^LZcQ+v};sG5D2tWf?0UZiSzd^jM+0;gpp<`w+94p~*us(WY zfDgF$xr$}6O1XH{CP?kN9C(qCe#yk?2Wejqp?pO8gI$la!=>`>_v&IA=R8!`#%IMN zqI4n`b0zn!7^0j~7s3;)MCHolSWrKEVqgLpoz>&c0I|#qk1oF7@+f(7G=+mEh@LbX zyr>14|1M(ZGxK40eMiL`^q{PAEj`Tk$E1ESjj09^P0AxGa_NHDO=kvYi6C*5g2T@q z>GUE#Sk$i02U-O-=Q!!b3B%)r1p_<^b(MF`i$iC&<9<6ua!Y8P95Z{@L&rF%U%mQq z56NGQH9j)EumyM83dxVHi)x8Mm=V7;)(wxb!g-1EZD2V+!|Ie4s0-SSq(lSiD{ahk z{45YwA!9n^S2>v=C)gSjW2=bNUP}_^+&;8u>K_6}k_CaUJOD@|9rBx+n&!W00FUX@ z{(`uLNwMr^S>&7ruq}ezCX8g_HZnRhqRKyONDI!cY!X`Wv|6im`AAV5{`&k4@A+qvBee8RRdd$TRa=!Yb&{4#2}*@+e_gVr 
zJF%N)(|S^eUsxVKlH)Of@9>-z&f$=`?WLu=Z^(*9SVY@~Kf%xXyjV{nyoKp+qwIXn z6$(a^uEU@QAi^N@qj3XFnttf z%CqwGyJ0!bENrSkm&9t2uB*hbT*&g>4zGGy)O(VPiBh)?!~NU2C_%uI$e|;QzA#HfQ|6jP>Qiy)ZZY3hws}J$z%+);qfL=XH{1%D&xD z2WglV+@M=3SfB4eQF~gR-v@8hG5N$9HxtFch%uT*Yit2?P-{>|Y^=mLT}#Y_q2ziR zT$(PW!}~OKaXy>#O1(y}Z&L6LE_wB-h7IlGZ2zTSH3Pm6d&}m_U6H*I%$2b5{7&Ux zlQY%Di;sZi z%s7%Gkd>;mzq7MDjo3(qc)pE;*UZ_{E7)fMHNUwZg#^Y$%XD8=a(0~ghOOg%88x&< z{HBrge`YMA&1ozSMm$O!3JD{(zbdMUmNqDd*C#}f674eYvpm`UZf27b|J0f@U_c-g zzsKxEB3Rqh=G5&eQ)ijJ{nPZ&`UE=`=dCkk{E$v326vO8@5w40!UUaF9?8&k!Vf>N zM3VR=TISXFOV}G`66PiD2G%j%&XRit8=>BMNS+{2A-{B$2co&0$@4@gU zlhq%ZxFxEwlKFIT? zU~c(jDaTzXj47N({56JYbX{&$yhaq$?Ift5yvn3-PS1uQLcyLyI>M5R&jyT@@R{0Y zUNMsjzAqEX>6L%UD3CY%U_s^Hsbk0nvv}eCs#H`&JEH4x>D-(z{7awe_|PvuR^~1p zy}OFPA6$iXSrg*N2g~cLweYsFu@DcxfoV{mr2(j4OBWOu!5kczcjyNjKi>g}0+!n# z@*Sn@&d)z#OTfNg`@vHiB#f!duV6%psK9?q*C!_s++)#|3B0HUXQoouqCPRJ1}gNP zFvD@?)Rk+VZCh^@WB&xv#R2#)HVXS2%DF`ZMLXCF3+!FKP6EqX>pR5 zWz9dd1%hb5eePt4MdfcQW84@{9-9o};N4>RRu7UmowfNh?h;`+F@ruGm}ldCz3Gmf zZSVtQUqF3NpV<$o1<)y1m=YH62{l#9MuJ)9$4#YdChP_B$f71^4J$@H%H-M}3kK~L z)6dJ+(FvtL=uOgm#^TVPeXmA)9ekGhyKTp)kdRY$c;P}vKh?3FS-UQ{EF^kX))xY6 z@&h}0Q&|GZG#lHSznq)4=rpg26v$-pMMJh&P!EjBNFN-8nb2DSm3hzKY`7_dQit*D zIu7I9)Tm~bELp%V2;75W9AyzS@E8WR!tDMFJ^=|J-}Pl)-Y8(RKpXO^e<#Id#l%(% z`FneAh}2fUroJB+Eq@yw|A-MyXYObmB50>^|EI4efOhFZ@MG4T*$&7xt9)~r_q12G z_9zuAA4&F*^3^4!l{%m$`zW(7Bd`zsl5|!pNjJSYenL3Thd#ykN*73h3e3dipG=&T zYk&ij$xnv2TBxqZonoze`!<5neCFDQYeaCV$VGc?uKpF}r%FS}#(XtH#?uD=gL3BH z`kxvvbW9@8Z(r@XmcRM*Kapt3-OTxSkM?NO{*q_vMtfcu2BYFP1;N z@Yaqi5;);)w=R($c)+3#wlfPBC3m=RdOl0r|ApvDr*(AvhZb82;1Cjyc}JmtAPNKc zg7|N&b*BmP)U^x;u6xG&`UCydQ?z`jR+ijgAzYrPN1 zeMk{e;)er25XLgU)A$++T}@0)hu#KUNy8|C$=~JWF0QU`=-~@COsLQF1wJ4%Uz(IH zT1Yay<9M$9q677n!>cK9>9#w*{q%zCLi9h-Y+Q_v@Cy6h(N?v**t8avv@xpPHO5IZ z5PN6&!E>k-;D=P39o;5>M2ZH0!+dq};jVJ3{eC4NOP_8h)FhW8ZEZMp zCbrxAGktFeG-pj*QyL{v7p2=5wsf2nj5C~blG=)PMK((G{H$!|%*aapdd;|q=52~N zR&3s(#9`f%3pYA?+PX8CZb^cL#VZAx 
z)ZKiqsqzl)aG-Je{i@%^c2++Ta5yOZmgyfF{uFS`A?%04HyUSBL91*_=(QP&1sYO# zWR>1himlZu9I#pCxuy>Y=5s_VtCp8>e z{MXct9QrKLfh83RVgnwLgFRv2;zEoq!pCb`?`DuMX46rYf_s)ONw!I%%)hXCuMrcO z;4iTQ_fa!AtXBwSY+N+l16ATm4nR_WRkOJYhKC-bg!FS!=Znk>~OEO5;(HZvb|-;ZI3Vs8zhM^2w_)55Z+!N;gCge(e0dl zLd4SeUw_}`0f`SpFulX>8v_$oRIaFSOOFg2#$jr2!9TKV{ijb46?(ZRMQ{2-J$SA3 zMo>9w8y_VadK-6mPOQiGFN@~{ihADp|L~k@lCQ8xV=dyx5AtTyQ*WQk6lv(*s0@%; z{?>Qfx+F9h=TeN}_wD|?97y2AUsL!^dFPy)j>YhONEmBl)#;CtYzg!lZaeO@C(~~ILa`FPr6Wubk zn+hs)T_&?@^0&oz7;9+>qVeMVlfkooMZ-8~Re61#rYES1mG?yZ>3}eLYS}r~CC)x> zDwpVbded4LKbFTk=`^hcBZ5FFL<48EW8V&$GSJw1h;Qi+l!3@j`*Nc1fD!~mnn?5; zdY@ExH;y^FHIqRKP}i|S^a2~7t3opON*64^4BjyLe2tZ9LG%<2T_3SZB&D*T<(D$SB)`^71J-NE?41D;iU+=Bf4D2G=?O4^whRsFH5%K^ zULO_N@EMyMv3g5QYgGi$uz(}r0Yqg8LWhAxAbNR27hv>Xf?pkq8V$a1wYlNrMT5V< zL#wKi<1XU3uQr;f&_lk$bkc$@qUCouQ8*&K{XQZ?G6-^@hQF8MI;Z--tG9Bke{@5~ zsnYi4=`YWhu2{V;>b!B%FSVLd=q@n*b+sy%$8V?>rXp%3!Wg-D!`kGZ%?@%hc@i1D zr}A=Soch9E?ux;hW3y$J7^a4C?K!a&NE7ajT zb^i+G`3KeuGu`+jO{*o3^ByR&w12n;IRIigYk_yt=ipE*@rB~UPEH(#1EGG;(p|E< z(Y)snD?v$?_syUYvA4D!f)ZX3J^tAP7h2nP68Xiqk{)gIAg))bM_6iYx+O?-27YWv)XIZ8PG#T#>HM{FlzWr*L z;aCbDcQt>t<!#b7&O7itVZ`HceTj|6gYrD z(NL`u+km~kBpkns{tGTl@5rb0>H!o`;(rL?1c*0^mRd}e3p=xR2B@zc${NTOt&tD`zy%QYxf zjJ5nly<#7$;ewW=i`+3J$IB$`EV#@`GkEWC>l%-~bA0YYg!I54G5s8~MR@vpK#g>6 zH8cNDsbA>sd~6C=Pl6yaE^t6lKnIL)97w@@s?RU?Ki!J{YeUKSyD}6wD6vdyT2Zy1 zG!3#+)ZD01^wtO@Xd_z9p*g<{IW>5{hn2oHGlXB?suFRl7Ej>EBHfn{LDA%&H^lf^U?_BQ;{bHyrAARr2&uUzoT=yS8CAB-vIBdd@8temjh#sXUA!KZy@x>0CTfW8J)w80$*{Ou@x4p31FgCZtxxqok(}G+L+PoAX z7wq}tF=a;>k+~V9RH!UKT#Nf_v4)im-wXINEiA|)ruDRR4_rkRQTkM}npFfpaP9P| z()S9+e@=iU^cUg-5K z{l2BDGaIL>Q5@9-{5Uvy`EwGA+|d8K}n|bQLV0mjHE6M zwI4dn%Ja>z0QzLLIzE=HpnhJ@Cr5jP;+Q5ONI$Zcv*4C`wfZ#O?XctRlT=qCZ55$W?2KQhg0TCdAco^>9@B|Igl1KqNw3TIK#AT6_ zg2VzhrtRdGtbgG23oCD>xY5UfUV0@%=7081o#TeqfElVsa^Z&;{ZygtBxuO5m-d-N zAA1iHHw#WngIe-~OU_??t>(Ax%k$TUXz86A%Ucum7+#ba(_tQbSJ)qp%pCJ{r2Dl| z9;KEsY_V3otQD>ZuOQJYvZ)xbtJ!{oU|Si&k!xCFX=s)06Dlh#>PzR!ftyrayy%@0 
zoUt>#n(`}9b#>leeQ3?M`@z*`ly8^IWGVWocjKxo{~@$`&dQ=7cFu5T`^OL1Mn3$R zh3OAl%enD%E)3d z+EQ`EgBH>D-$X5cea-2K-wCgRL z-om*2^mqAZ|M3NDM$>v1u_;xpv|^~`ZGxo&hOhQ%cM8cqo@7#NnNCV&YX#I?mwD_$ znCzqy*TTwnk?Fj|Xncy+oaRt|KshIyEod^FNNUCKdYw!MlGMbK01-DYyTn8epkM;>WZkc$qXI-84&$m)JnJUI`me^vXbzN zMk{qdB}ff-Dzaw%LWA*`7Qz}Wo+^#QYGIkO-AH-ZW?og*&_l~lkvCf4Nq^IApVMIG8WYVZ`rq6!(7JYL>hx7h2CWelB z9HivgLvW!pDa#e0p8UEg?p!bG=cq{a6_L@z(=AI(r6R;;^;L9hRpq8baLDCXj}~0LsW$)UCWU6=8ysGg1I2+p zXz@t@d4Rgk-F(xx`Vxm2Dm46G1-1|%OJoFu^C8hViudwme=J?pL4P}4JAfA)qEdJ! zT8DVC#Lys%9EZ)rAZmvboJ-)a`;6S-Dg8brlu~{WstJvU0Kt(eobI1TM5q%LAdBmW z^6KYxdQ%Vq*YeZqtlSsPrzRQV_@~B~9pWTro24h&lEPoO z@O5JN7<;MrK1sLo@8GWJw~c)pclz?aw_tyahkH$|C3iSi5B!gcpeB@0Cmo`*foWpFDBwUWFO8MyoT>;q#EI17PEsP|Q_~|5wT5)O8=WzRpZU&`yT%4qxve@(O zIKKM9Zb=W33N;8;Nz?>!%%6Q2E$($GyiQ?B#c?Xf9dyD%H13dh%KJ8Piujz+GT(HC z#99QdSF*Y-j#dyVbUI|csd#=7s@l5~(_TB=joo8Kc_<@X?xW@@JnJnfE)zW-LY{lN zQrJ#gDaH4+glW*-2OKq(y9jEmIMhE%`x^XpV#OOH^+iyd$NV{$DVQisodBUt@u#$U@n=tQ%B|m%xlml6657m{VeP#V z7fD2srJW|kpt$UDC-dJ~fGEqfWRJWXLF3+dSv{fQKVYTU?89nBoaWD}=Ec7_!G8~( z;&%93K7OqILG@8ue*+^UD~F5Fuz{O4`}`i$?5QNu=$ZI%bLEj8K=TzTgQRAeQIki}2(iX%0wA1}vTRd{V z2U5vNXiYm2YW1-q`dtpy3GBW%Dumpn{(|M*R}uCNwvvp|2H*Sb5AJ5<7T6z{eoc74 z+`b<4^0z!|a?yT@PF%YA1qU(j!lVuHPfSJpvG9WVz^Ry&H`gvnq6Wc;rJ3H+g&$ax zGob4|#i#1?M^T|#IA27@L7svl0IoM8Dz^VdtT!G;GEplkN%>s553Rdz3+-H?#|au`qA2P;PDEn(*k zs&VunWkDv@09D+h*XJ><()Yc@sSV@!vzjeXc-%{C9s#lvw8x5zEj=YIswHyz=l-rH zUz#q4xAFv)c{=Ccw36Tw1gbmG#K-K_S5cFk=r~p7v@U=%%;YOjOim_|p?`wMnD4Z; z-rDiApVOV~=MlZGX6=VIxt5X~fc+XoW!>oU+JV?(+7Ns1-q3hgcCBya01W`vYXs@< zd|x(35)y05m;q5P6XiphF{IMo%vQF90_R`EL#ZWl=3h%&VSk)g$63+KS!TFDh}`}n zX0HwkCv1tmz+E?oW-7z0>jM9b#)%d8580}J8I>85Q5;nCtHPpDfn^Tluk3AQcV@YR|*jNbo%dteK$|Hf_pS z9SJ`3F;R+Rp!3D?VN2$~p+7**OX3yeyZWq3lGvoTymI8#3sk5RIw!M~>h*7imM2_8 ztp~iZ#m%^D3^wWIQ=SCUf~FsF;h{C@)!c%j-9NK({<-Hz)8X&}vR05`AvREeT!V*MVqN_R{r*NiMdn4WFM z8+5xcO@}a*bP)1s^+OaTpE0}CtH(aOJe~7`6K#wv9N`_EMf{AhHXr`#E|G4`PxKmg zZ4yUqX%d%CU0=}0E_J34tb4!vbfIcjnf6CbUhCdvghE+03s0jcp=x_OAYSAKKPQ$n 
zDJ0+mU_u{QKNSFpSn!sS!}co9H{n5u{u?P6p3C?=`1=pTXE-d+h$UTBX9U%c$4fII zT&u@dgfK{~i_V%?0oe+;9($CDQKE}oR>eG@Y$=ylSG{F3Qb z)byl1Mm(o00-UH%Pv92hbJlDWc&OyYQ5`S1wZnG++F^=Rx>I=blp5V*nZgTA+fl!N zDlQ?E2Bo-Vg{^i2V(mzSJOve#5rRNl zayT#sYro^$Wp|dg2`uX9MDjtFJ>N?0CrvN^M`wPJd8{F?#-KNHmh?r1h3et!O4v`F z3vVah?uBcGZ<_iEoW;g0YD8)_3%zOiST*9&Oz4jiN4l09jVx+c^igtd8`i}(*K`W$ zt!#cNN>#Ne-2#7q{Zcw(w?jT}N(gxsrz93uSkERY=IgtYbO-MP@B?7RR9jQh)*20?f_ft? z?L#jpVK}(c4UYs7-~8`~=R;$MlWsdL6-hdX`~;;XY)w%U4N~nJN*NDDR#v)eu{CxD z3rMVlYKvTl2#2etvIB_GF&rsP>ezJ~LXlNdCRHEuI()E$U;Y~o+)+)aE@vM2kDh|| zeI)}wer24{G9`wziWY0c^gIJ^%mRw*U7)z-tYC3W0GCnpgt!n6I!h` zc6Su5|6VUtP{jqWBR@L2#F1Prxy^L$C?Hu2E__6!V5xqlmTP;QD=qbenl2bfnt9|0`HB%~jK zZ}rVNr`2n7)aBs_$#8qk3nm#RSf57F`5J;UCp4pe^k5qQ#t&g6(+-0~!7?=#3WY!8 zjJWMP=49|5KoPT6!xF>LmHGNk7m<}E8qCZUpI>x!MPE8W1VUBHKdLhM6{VETOu}7} z4V*Qu?2OFYFP!&EKY%xo)P7ZTyswx%6>zP`y@FyiB;MxR-e>&o=_(o?Mh8uCWz{%r z44PEXN^L0CwBDAQ&xE}fMLWEXrAV{BPCC|qbVJH<(}UALob=B_f2u1Ji?RA5ou9Bi z$lCdBG+*E?bvmum#|6gEu1hgorv%Vtt~ByMc6*m+K|U_vQUj)u|?#+dDrIOEs^}M;aqbQT^ zny5ov8FVL-<5s$5lE3C022zq3U+c;e*VgViNQ}~cJY%n1hV|_M1T5Q!4^$jGx3yk< znFH3re!Wiao_)9fV##G%dL%03esLZ*Ppa_WygYGSfdposzB5;`EXH*>eAIdMD(YS6 zBY|5+h~^bL!(-egXEu%5Kb7-9xKY#A4Lb`4mG?${t1$V z$!ctHtbN^l1$KuB339ODL}9QTHd6E_N=Y)|$>u3^@c9hSZvyb3m z{apJ@geny#Vcbm|n5YJ9j*EWL zOu%6p&{ ztyO)OtM-rvh?0I-rM$?F{&o}|%56?`yYU@o9wR}6cD4Jjr_#uIn3WT8^LsSE@+*8? zd7u+*r1QX((QjtVFUY5C3WQJ5|K&GRHVtnOk)pRx;kU+@a|A&O$E323Q;i@EbWLwV zTaF*qvEnBmGKNhe8RPcqse?(srDdNX-sj--@zBU@#|o#o)?vJLn;{|13xUToPwgzc z&)OnsgHKpd%$NZzVWxv>l@VuS?mL;cZ@`!V?P-$sH=^f3Nr@5c`|r$PUxV04#f8DF zA90JY6etw5B=7RcC=`<9uq3sLwKd2RRY}uwU|58qum}CJd;g@*`@5utb-VJek9<>p zp8FpEvI{srw<~LFz5lkCW~7dD3XWJjH-pkh+xZVRawYb0GxjVsOz@%r2on99Q7SB~ zw;|yhL~`YkH5eOBLZdfrOIuZ=qygZrfLunM#qqQh-lCzI`ld(Y0JD$e1ITxvthA;! 
zf|3Qy==obSzxAOuti3Ir)q(UQh=Bj8z%?uWnWuL%YU@8^wZg_Y5Lu`em^0QOQW75WpPXzq}Rmb@*tfq&W zR@-7e4L&m*+bT>_{E|n-aniNKc(H?IV!n|Y@5ScwOGvWJ*rIK=Kgm$p^n6l+OH57m zE>I=SmtfH#(w&pY-ANriyjO6r_$WcliI=m@ooS;9*vf#yzc(07nVS<8A=?FRO)Q6n zPfrkJK8{l(_$#`9!A$7Q1xe&~fUmDecT8ZDUaxK&V34n5-5;AEanz4hcc?o@M8=|Q zXGO#?0ccJ~UU=D)}J-F`Dd`#=p#c{cl>X@s!U_R2VjC z71m}9efy_Ccd7g}1pQ>}=7j2lQNAzS8n%a0xNh}~6J5DgzOx0a{a}?=%DKyJJ6n{u z1-{(!P}3d+#yRMwCC400L^RK z+Ow3FP?he6MXFOJif{hn!U%w)h$AWf5ocfX0Er&rK_3pTLujt^goPBR(wp=GG^txV z`w5~)Ny>HAe6vWdac_53+jXUq2pyxumj-$ka60g0o7{MHM-g9o8&KcGOwVv``swE_ zook)jJTa)W|G>$*{-p40rjTBvOaOEvax7G!ww3vlZ{X z=u!HYrei?ekvljb0#AG+^Zb51)d1!g84*ZMAAOZ2Fk!KrIduJaGj*UKN$UUDX!+30d8q{YDr)N%{tyz~$throA)H2&TYqo`o{R~Uq* zf=ta!ZEZ|pWe#*uJ__CMNx`f-v=})RFQ~-K0yPV?9oA;&jE1z=5IBrGeakaG0vlLG zyf<5Pe?3qcw7ED-wNR;Ug?ars`10&saDPtTU#416qkW!_L0H8fad*9f{FhW4D*-`U z@q=@QZ@f}RcqVtS%yu4nPxy#wz$4GaN+!i>q~_cuH56P`nES3qa2jbrXEXYHe!e~p z7J{)mot=`fq$G=6h>7itVy+#w^wH%0zhmAP3?C$u*%Ci~RFU#&V7z>CRpK-oBjX<% z>mvH3f%h3?J*;Nwb$pi0HYaXU3qQ4%?K`m*P5l{*Tn=+{wvj92@qzTXbJsUvRcSo7 zB#SPPFXUBS7F0Q<&F_zr-(=*uzGH6kE9)9FUW{yEAY}oOY4Edx9|Hj7It5n%G{* z5qy`=do4CUcMMW&8Z%7jTX{vhYxhp%RNK5g&@3g(%)allKVT5?cJ%`%>VLuY)JGsU z6~;|q>{6hG3H-axrM_T{TeqC)%_`OatZR-EtM}(~&XKN&HJuJ0_DHu9h_}I&XA7Whni$D8H!?mL(2C=}MaQ z*%y&t$_n`B>ER{?f*FntCsW-*Kd?cd@dQTrxZ7F6Z>^8`9w{gwqQYaM9|tttK}!%g z!9b57jU_XSO{)NgG14yyj zJo$=-5}wt5oZxkvZ_+beE=pO0hvnW;N%b#t`clILJUXH5#3lp&3Z}p}B8aLg0)&ge z7I1$O4Gx38Kocb@pBkjKR^l_HnjVb~4@Zo)iG;G%fu&h_+Clh zZ#X6NsN>cZBR$C~B)!wyfocav5IcGrhm6Gp{mvl5IB27CosFJ_GX=K+&@tT_3$n~5 z(LMFZY@Q$6#0mIKa|t+OWaXPVL_W(a4xy;76pgta?>&9T(<5AhN52xqxcdEJ&8Irn z9KG}a<)W%HaLSYI%?ErRR(~|L?mpJIda9C5m$90l@zOooMml)bUW2vxRw4uSkPUUa zlBWKhOvd%$$W(GD(@E_Z|CNho2pijyY@}siB4?MF28>(qGqbFWWAi3$*P+*G|akI-TrG!T4tx+6S!j4G(Z|Bme*zbt3OmRNqRz z&Bx7J0Zs#xs>7$T)X_fKYG^Ms=htLX@K`P=-DpYapt6@;Nur=}E}mO%)qZwL zT!S=|ipZeqpf{EjcJ%SvGd^%^<2Q_(ei2f?d@Erb5)qm5$&da-Jap3%^_iG*%v+o7(6Pr2_gs@?UI`l8J0~ 
zQEH(Z4+xd8F*`VwU<6+eUzxFBeEK6S8AG6~l3r3o8_ze^Pz!@1xgi$mEe+8uL_>L}Gx(!Z4HJ+n`-;)6N1=u@kH`;vh~^J;Yl0>o<)aP$ z4VtHrtVkr|X$rvz_%DII*k_~4bEZxIpXB~=w2)(k^b4p%aY5Qu6<)u(Lm11ysbgR1_R*^# zIc~*}{A)@(JDoqw8Lu`MGFDSoVubMZ&j&CMJS@A8Cg98uJBK?Z$JRVmU*>)}>pdYz z1PEa0tw%yf@(O#?U>fa2sV5WKpnMD=3y4}$L1%C#Dbm6lXFV0d<1byL1_L=vIFMU1 zTPl&aI8yTgJtSgts>EgxHKdY3LXMvtf%soJu*?eYjkAARtusLUOk!qO~DNABe)m3PQ*Nrmmsw5kae~@w0mW1wDn_sF+ zkDNjyRQjT9JjrE3({KJ0)uV)jazKnsgViJg3csv z4It4V4jdDpYM2c6*f28x@d(uODBUFc|9Cs=uc+Q=jn6Q^fFg~6bb}z>HKTM(cPOcJ z*8oFENO!k@NJ)1n-QC?S9W&JBd)NIN?yu*pvu5VZ8+$+ddH08E@0nmVkgI+2usQ~F9B<3 z!JmiXDq8zAce+1={Z5sTKQoSLqMX>`lW1O+-aF5#Ft zfKGK~A%;N<3yX#SIEqUrRj7ojnhC+msbs_eum=FkcmZqxkRYQKaRsJXy@W4Vf(ScM zp(sflzGvZ{uR7Y!6Dw+D#Lr_{0+|)l#cAaSZQYxE-*UmmC$TQINV+?}a(2QmCHxLnPn& z`?IJ}%n3&uq{L>)$IFCq3Z}>{;VXR^Y|>pQef;4qJ?B955b7^M+G3;}<+nVF%k5h$ z=T%N@e6Mp$v03grjpHqImG~`3Wk$?ql(4V)mh=6k?c?|?v@)A@#ZO`*(e0+eU3O(+M@lz|y1SJ4sW#A08jN6& zNJ0iACGr?M7^>1TGnJkN6eHXhBuAdPK%EXnpY*5eJ~$Znqa8~aRoh77roL_17~nM& zXf}{>CmoF1x73&jk3`=drz(t{Klo zrMM6o@_0k?$?>~;4X1=&bF2@uN$7^XG@e^J4H&$R*j5rB@TGS2Ry4s%bwsXejFLXN zM3h<*D}Y~H>d=*h*7~rG5;i|Sly=#8VH%YIlAvEdE5xqe7LfY{gAl4_B4T(CTA2wD zcBg=!6~2lunqkv>CZ9`nc52(tFd21U%f!cRmmMbH?7vQezu0wknRWG`Low+G<7QCI zWJt%eC9lWhlLxh zl7Zww_kk5H1lY)Wa4Y?dUK?-qcB?wj3h72D*RAFEA|^!j>j0h$kx(&vBGy5{y`dYE z^%hVe{u?*1?kLslGL663;8}GDaqk2xV!*0|-ItNfJXNis;XIr2KL7XE947q%@UuF^ zDR)VWJO}cUujG@Ri~VFh$3p`?SK3-$+-?mI4Vjst;!anJCgSKweiVnJ!{y8XMtcB) z7|Fw)AdF!dLd$-b8*CEv+^wkt46o%85lQETMl9XN>))N9CQnTV_YHeW!4@1kr6E^% zemRFCy&m%=2{JP@zh8}3``_|t8zsKm*}R8F&j!77q>|qiY5Wlc_#;Hu+&5^B-y}G? 
z&2g8nLAq|B%TaE)QAFZE_|cqf;4O^vK?%@aFq7WD6FfVgSOJ z3!xvjKqMBHmIU)dIDyByJ0zUC}57xT9t2lGC4J$S3 z7v$mLiG?HzTot(pC$|3Ncn-5aNsy9uafz&oXro98QjqCSK2Zi%z~xFh1Cznr3rslY z)S>Z$`b2^FO(R22bq2DhohD{uA9vy=1CvC-REmOD$O0JA)<95jO|k;BsJb3Hy*9l^Jj-hQg5|&mc*QQUA?pBt)$h^6JFR>Cgn;s`equmFdDC8gOvG*fXw_{# z`=gq)yY5)xtg*RAI<916NuHWf@Az=xQafuJ$xl0xJj-9_uagA1I02O8I$Izp04=6+ z3Jn8*f(u}XD#P}=0!DBf6NAh;FmT|X=XJa-k}}|^f+&fsz=m<8&%wXaQ&dT~GC2-H64ujGi9mm77D=YQ#8qcXMX zx^=YPq{?AI%Z&>tgSft7BK>mREnmP_5*(E|qfzTyhv&reIe%c$6I?X-S|lkffFJat10iP3$e zJ07@_D}MEMggy?$lD71hxagNrFHhjhfJvZea{zYif2NpLPl^fP6ae9GToxjS90DI8 zy$k$D9z7oIT3TvqKLf|9Do)CV=4wf|gwHXM$rV7N3rMT;PekSk%r0o4|D3)+CxN~5 ziKHT3)&aI4(do~q)B98@z0R$`xUAZR;-^zdFgI1WAgb6Je~Z!Ax<3p8;%5yG6Atn0 zpB*T_%QJ;T?zN}ZR(}D~ro}V9YdbXvmj9zrx?G330{VXmHuaFk{7upcb+PTLR zsS-~U9IeY&K93X?6>jRARNg8GWa2o!@!W#8zb%&#-}Ml@A*Wp_>6=bwP?M zSIF8b6>~is@^g`R??}{pq_S0UT>U6Lj6u=t!_RBwI2j$IdN*HWL*sN;mGh_Qa%MdA z9*IN}C>2HJQ9ZKgH*z2Js*1N-XZxzj#8MUMo1wU6EXo*5Y17ifo!yq806l28y{QH& zh+5J~6K75qDn+{HLIBuL5V~_=M@sKh7mPJrCa0@MHS2@I zRUY5!uNHo$4sd5!I%0Ku)gz^$co_{zjqYGF2jNkCkv4z-vbjnLO_wX`eWKyP-FVm{ z*SL!lCdw|2GUI*K#arRw_GP?G4CU6TMDCVqWtq7%EU$CscnU@C+acqtsEfxmZ2QQT zmMF;JQ3>M>_NnADJeJvivfq@2%&jQ5@d*W~_eK~@0_bV<5z5&^(%^W?22gcWCZKr% z)TY4HQ`KN*FMT-s^lbk%8#z_9P@Vm7gsQ%_9^(ES=tkERi5-7A{)6M| zfP#IBUjU>Y++z|y3&YIw*x)!gKjY-3cEip{6zP4&Vw}ctd?m~+#u=hW{1SLXE5q>? 
ztqQ7g*HM+Ubr5c17SZ`v;mWptsmmMc2Gq#WpB+Ve75t2Hz_N%80lce@Dbo<96T-^kQnYx}*b zCfX1?@8GP$>~9G{1%%P?H`Z7kRh_h;OFmDg2a2YK=aQm8*8 z0nl_*%pQ+@>y`~6^8?8a$8fox9>b4eJhN3Qgl3p5+$e-maO|HA3NNu(`;(nA0<*1D zw$OFRv+uW<>T!JbBuKf$o&iP5;#7BYz4(Ox0f89$0Mu9S7;2d|yv71469B;iq*6Y1 zCb!dkygl|9P*?0r$)H-SWR=%GfS~jK6O0s~C$Pb-4~x1#K-mW~WmZUc(z5Eu9i4q~ z0m6T!$^&G>_E)RyyYa^tojHupRt4Pk4>x5m2SYx7{@B#KXO22k!ur=#$}Dp{i051o zn|NA%Rk^8@IvOR=5c_AO72D#${=ShLX9VQ^+(Yu@8PNCaS=QpvnzzU>y9_G-C2a(* zF*J<)_TX}S1>+;2HP6JP3{kv3ttw5%2~z?0IllfzTYqn7y>;{9MuWSlbcgD6w(&00<$bn(XruP*?5ntzc|!B&j*QB%4^>N@)fza35&BuJ9ZQqC1Q}XG zqmo{g#MA!6VKBi~XOq9{z+?=ZzA#@ls$)MP6qK3)IOfs+Z_fTazgi zW)kt*WDZbY1-FW$KrU(3Tu<3J3AqkH^V3u)s}85XTK7c}3JkU_QqDa@XIZ}!&wkvx zo^kGcwU5Hx#ti(cjj{*xBj^Lh-1kBr0<~HNihgZbY8jzPfmN2(qKc#`Vl@*bwKCi= z#xyZ4%k>O(&o}#hJTqL6EhyLNK-r=(zf#J<5E(FPtDrzfvnVK^8@=* zengExfNBmy4yr7hJ1~n`aVtogS1_V3N@yqLx~{&pto5e#WLTtJ#pgiXc~ns!t}X(V z=iPDt3e2?{ZA&XC4H|KG&OQxd+Pd{Swl*H5bND4Yta^7YX~D=wy`%Tz=PRFXV^ZpR zVwQan9DF-4mUBfzMKSg=GZA|bJO0m_N+M3x>+SuXK*|dFvF5fiBhvc5`mn{7_3nD~ z9o@FG1bw=rO82cO_HSFPMYOBjcqTuzduTHG=e8w=2q`;I2~Cs?%6YEJ=-1Y{Xedrg z`N+gS5o1!49z$bgHH+X9(g9`M)B&Y*WfE1A9QqHxBeyb1p|xtGOEicZxB_v&Pt-Om z375oAX5*Gmf!^?s0XpQu%cu-#S>~P3@yAnOIjl_)zJU&))Eb$sMYaEK2IPvnVZ@YXT(WeSj5hOa0~$U_5?`Ppi=vX ztfo1z$Kh)ZkBsc#{DVDSWUH7IKL|$$GglPQnShdLTmHky9kZx-$|nKe;N_*`(f+ZA zZIbQFoY%@+qloW{Ltpmg0w?UO08sPVA+#pDnHb~jmYx9xY&e-N{k1AJzv$@STlJ>W z!vdEK;=Ol^!q+d@A+@%(=Sd{@DMH%r5JI*X5NxpSyq3pgR>D9UX1E0&=N7QyIja?R zk5Cb|zSS3o2^u9`w6B19ko#X%9xcXAItT%%u7@emzcb$Ax>_!dik$Kv=}kk#=G{2r zMbF($@U>H8b(b3t*C^bQl-9xR_==l4)Kj&Abv&FKE~Sz#h~@CUJp{O-t7DD9+!*e$ ziUX``nX}zXAv6RS?w@Pf6XVcIXW(UBkQawC=NX}V5>)U|vesT*nlbQ{Z$Umm6E~{O ze>iDjvkRZ&6$82PlF7(@>p$>n??T_ZJRi%)0#uSGf$9AttT5LAZ|+~XBq*F8XBLM* zegj=-rMPo%0zgnRA@9p^nO*z^vX6iY;eYpe)07B$(?Xo{ez0t9V7+);Nm3or8BkTh zc^es6kL-BE(d2Nfj%Qk%7XK@lXcGmu)fz(a-YH&K)$-$avR{Ld5@CE74@C$6Lom~i@V>u znoy?i)i$WF$>)93n4_10?>w&uB?I6EdAU5JqCCkpa0#KYlI?e=$cf~(gz?mDZB!>p z0l9RXwhrYknb#($gcQeUzR1b!5iSD9xWil=AFH?VqGpa7qm5fj;D#?$I@&Hww35-u 
zzFt`1-}`~gV{Q4)gZd93*yWlY#ktn6>w^Wy@|I7C&!Ve)vK)z&*1TBkB3I$IyMa`1 zu$Pu|`ix}>w&!LEuBA?Y^KbA#1EOz<&DX7S8*WV!R%1854>aGqDE-8Z)n3uWO1W;K zGA}7=dtkY*Qqu|@NQ_f8Cake)x^8wBMInew4!$`2Ql3v?o0C|DZInu@-u<`)YFjW~ zvF1UrNCa5+WeYo&e`QB(lK2dW=M3_LWH+ruI&5l08J!;n(P5cy`|_TY5(dY zB{giWlQJnbt$>RVf4xBE{DsD?|F8Lf}dPgWz9z9(Aa3zP3%0( z_U-}a%kj?bzbqgIlR{D5kL}d`quiv&bRvYIfwGD^oU1MdUzUy|I)huj*>cM3+rrl2 z;UpK}PqM^f#^|g;e_W9~>H{0 z2f%zSlk)BTmNd>ri+?P?0pKtXg7Yc4EYxy_T`)iMVnm>Z0w=|`zWktVf>2Ulaifct zs{=p{(D#246MM2Sj0!-fhjjwi5}iS`a9wW;sFX%%@@NR;e!X9ulDf*+{h+vr5!cK4 znL<<|F`Q=!&UT)&B%$^N&NUnm6LT>eT&V8|O7oUSs}NMzkDR#MeS2@76UCg4 z=7|6@4rCQBfZXtgP(LMn?^tql+ZXm&Wz>9c&S)&^y?)-baH;eDl-hIvpLkp=Km|t@ z4mml$b~5)KUp=y}8NX7>jM^=8OvXt0!U%i^#QpTBBAmA!L||*4oj;$DU;fFUFX0WX zI}3f%0&86)N5?9D`s&lgbq15uI?O-X6IrRtC~b0a39SQ&t4TDu-JN~o5J$wp5DHojv` z-{3t6DHk=uIUa1%9Po@rUtU&imTZay@`Th~JY5*tmMq`c@~qzE)qM`}2oNDOjFq0# z+4X?ZQHB7%lGiq>5}ISa;rf{&l3yyG7Ov;hHSy|mf?HTM8F+-U*Y0D0J;30+L*JKh zW|JB-01f^<4A;eaqeKUVQC0gqLL!+nl!xj#0p?R2_~_a(J&EdASMjkcB{M<-MQPP& zN)^2Y@Pf1tC8(*M)LPMZOHznEH6v$O{3lQGTq3B}3jFaqyYuUh-@ya8^bw(F~bd4^$eUr?M+29d5#gmN~inv}1tDW8LMxmqv z<^Txxo+rfHw3;JyuiJb)pVz-*(LS?^n6^$<27}c(dwppo}E|S z`ACJwktoI)X6um_Hk~cMq;4#i#Vnhg4nkAY$C)yBo7oH>>BT2G$P6~@pwjlP)zVbu zm-iSKUA@cPM~wzYVVGCl;pym#ZldGPm{?>X0ZxA653Lzucgsgr)Rmm7SAm?PLF&6 z-R13uP#O9!wTcTD(s-M>;?dVpwA)aQvK@N-(ppP_%FXl*K3<-?>6#r5kT}r#;4*rY zH#IK1%nKbiQ$6*%839(!^;+?(Z|$?If1&+ zAar|M6b2~9WgpY3Q~FTHf+;hD`tf!yaOnUvEx+~bZsg8kVuHGtXOJIBG~%q4HIF+3 zsa6i+B!ccPiy&fjnz5&!l`g(tx_qY<>`l|(VC4Z*EU-Uzi7c9*%|FQ)uega_=Gumc zeOCE&XNUsWWaX{vF@+-x3Qzwik_%*zI+V@LND*(-W24?GLW`J2VW7@1gyUKGIcmCK zj|T%4U`h+kc4=ABQe|TVK|pe<=^4Qm1nU`9{1gTZH7MblTvS^F zT|{%kJGkBS)ocw}c}s)g#W6>{^XgTwLI0ahbFQRDj`WB9TRS;Ff2`+7u4fKB78(Rc z<-}hPTY$gfB#;BXiN)u1*wrFLA38-*re%$#$N`}OBn|It_k%-Z@o_o=sm9KRGMta| z&RTU`ptxn+Yw||am{R~k&;F0@{v2#(7j4}hgUW17!C&Dvc+woK-$P%XA{x|R zEKD3;JwkZw`V^M#~&!<4z~AUqME+`9tLxQpal-alT~wWOi&`_HJUgZMq8S52`R+fshXW!U`Q1fFA`1GV4~M;3??jfT&sDp7)qSF-rmP 
zJ)GY}DlQ%+`Rpd+{7{si|LM@GMM(n-sL}^03YT!~lV|ha7N}+lFDzGzPE)c7XJi{B z1{<@+;dsFF{0g#KXfA2$JOle4qC8uQH2JqG=SGMLFI}Q&4?MiTo&IfRwnenTyt`Kl zN1gY?d*1>osHzuv=A4{GS-}{E1k@$GJUsD505wUzn%!S7ahIolq6QuGK(~c{9pd4y z?JlVrVz%;9rX+eN#aPDTvPa03ebR;UDsoDX8lp5Ub@)+H z0o*^NjAx~o0)D~F&r3?rDf)F0QOIv?2RWoW&6G)v<&x|*10ls7PQre&n=JzhS#Oh7 z*aftI?4Rf9v-K{jxQ0trsYa=SF2>;7nOijLiekTAh%-&U`}hdHBk4P&gdMby8;XsH z-ZPgR(kyef4;<>i#<2Fc6!s1TOVvF)g-2N1qnxLUTlV=`A*qTFEGz2s_03(NcWakN zxf)IF6lb*kDL2ku;XkPIN%GO{@_|vz^5=759P`beev{zG=osr6d-_lDQkRvC1aA?S zZN~U*s|*?-td3tku0A~&x4n9HH&}4vDbDJ$&8E9}HtPrr4LCltZ??6T5%*_QPiNOf ze#jz3o^rJRoXTQ~MwG9N>j~B}(u%*(#?W;pu>!|AaX7J_U2ib5ntu@}ong*0KdM%yWW))OSNI$T>rD#; zx@9FtBX#AEA5MW@wENYg;vy%wv+nM|RZhK@YA0LvCcI1jHAc!>wB{Ed9-`x5&lhc-`GZ-(71BqRDoN%qBhWv;9B zXVnT9{oYsGwT*kdVy(jk`<0o)<-n0%mO;$J@rYsezSk=z``Q8_yWzEqbbIe+VoA64 za9W~D{ z?J51g-gC#?L%fY~&v=(qf$F*c=|R!hN5DBR*E3_NDBH-TQRk8ehsb8)mrdWCZC^_6 z)%W5^AMbO<<1t!O<$7^v2E?Ja=Bz=T{{7C|^pZ%WL;?3`eogB?+99pVNRd^_UTkmkz5V7k_qU)FlUmtseclntm%G25G>22)7y;q5^_OWIdk`3ZO zH_r$lIzJoIIRl43Xb4cBFV9rYs;+N0S!;ctofTx-6eDls1d(+jH&#NGx)S4?NIu#7 z>bTeCq1(ka5BYfV^ytD_5x5K6mOMOQD#{&S+K)%(^d)H67-! 
z&Q;~Y4mbVn%AJt;(bg5Mb(zj1LWsMj-7IgrHroaJ)t)2mRmUS`Dk|c`dL&&y&=&+$Zn4#yKbprM0n`XLoefwnCz|s}P*K z$L}vD(+^R|Z6G8?wWG3^axv@S$dbw7RVE6R>(q17dE8Q2_%E+}esAw)+us=PszoNlc#Vjko`s>B2V}*QSMy$8xKlvxUGDOj`M$HE zX@s#9PiNC*#jtC^hQ6ulfsTPV9#CZD>=~#= zpdB%MOh<)~^}g+-%0edHG|je_`~0W4dbv^}$3k|#Mh~Tnlx6PhjB|f;DxFjoImT{0 zYCdTz=9GW>&$`t<<-1>yyz;O9rQjnkr2Sw7sv>qZwOHdk_bFuC#@X#2+JAc7fUaF5 z&EG!9t7vgo;d5+#EHvt=eDU(Em%`oP?ymjmj^6XnOQV>eSnB^b~7E9>Pt` zMYQ;DvE#4%Kp%s@xVgEF+~)z6(FPbgeV%jn#Y>`h-qb4lb~@R%a#4U#+ow&)qv@j) z`Q57D)5GF_N#^~h0^_?{V`~nt@$dzehbff;NT$n#+_C4Vw-ItgJ?lK-`Z=kpe7LrM zaueB#kx)CaS&S|NwNN2qspQ%%!vp-apFwy+#j`=j4UH24aLUd~rX9=cAx5~xN$ZW> z^WXgxFJI$=D*g1Z`n3FbKl;={;X0)n$)i@)ry_X~m)t^sm^ksQ39$7uf*|?n794MW(w`EN>s;a_y6_B6%66dRB9v&z<1P7bZVYq_j=lfDV|SHQca^+RPtRY%#_tsDH};G= z^ESU+(_VRc{(1cVJH}5}#uu~oE6)UXUUXBTj@y6E*>_t*w>VFyIL9xIZ$FHbx8D!8 zXT(Ugx$hpkjqjzT;mFeA|E}BoM^JZ8Jxy;%q#wsd!^{qLpPx4vse#-$LuM(T zONl$B_dl4#SngQj*jiKm2)(j=7P@WilsD7)oe19aK2<~RsuMN^d^ZJlj*<(W$W~5+ zry3uG9`auLh-`$?ai{IX^el0>gnf))AltY-s%4aEvfxqiLr%tzRCtG>+P4430sJoK zs=M^wW;IT2iG<|b*ZbYoU#mP_s_frhz8x>aSwu&r)o9{CKDP{B{xX=S)rJD-zxr?Z z%bCJ})OQ5DDH{Io#E)W!9|zm-6_htBJcq3ps2F(8HxiuL_IH5-xI zg8=yNb=UrJR(_AAhI}5xn;Hw-$;MgIgL@1$kV^?j0)*Bk`_IId;fa^_oj=vBf5v+@ zI^(nN+BM1T_uE3a?H3~L@lgO-s`HqTAD@9)1vRAK6(b%Hqkg_9LEOQrVV&yYZ*~U^ z(o==#LMlC3ar(%8F2{8f13A&LEl&-3-o}3SJ>cl@o~h1CblQIwx9``kS=-N9F+DEN zU$&pVYx&T)j^hfOSgZj7O}!Y|3Slrab9A6Q^ltdp_^yb!UYPnbIB zQM9CC?@h2QScBOPOl5`b9Rv}Ukh^(aSrf*i*FtjFuSwSa^M&vVkJC%=m+-js!(-4m z<>2vutQOh6NSAPLqmN*{h>#?LAmSmZAPn3-Gly^c~MgM`x3d$wt@g>R_ zqWfwuY5(Tn#A3F2A63c(h|;0`E6Q+^XZJh#9y+>HC#gj+Z}2eDzVIt&_m_mxIK^p< zjp1*i2b74se-qiv_1AHd9v;61Frg{bLKGd`j*8Kht*nDn^{vOYLhK!#NugcW5qyik zXBpPff{x-zUygqnujV3%ca)@SLVcSjRmar73wHTzthix%l)fyIHfB>0dWpyhQ{NC^ z{6Nr-x&|mT!_i+=Jm-7Nll39!16c4ELh=OUriNx1kTvenW*Ff&nC1HoPkd}HKcfA(1s@b5s7;K4>&dxoN)HAmmOzSLb7bLb*5Hl_*xlu-5*osK{x zVbU{vJvMjwR1a3lA3M6}N6@3A3obbxH#q9DALg@_5Ce7*yXWnD?lS^*PbkdVe@M#19cZagSe@El%Hbslj0oT>D|q9eDI?> 
zs6tFVUJyb5sLbC4zQ=Ej%%?Z5Qu-wFmmbGzKYdiYar%uol67<-I&#MCBe!k`59Vq@(N?59Hd}!U1)w^D=)h$H4RmgPBZ!+Fx#vmxpl17su%U+ zBFUtw0sp5bEkd-lJz^6S1%mQk@x3Irqmt|Oz1HiKsK`Ftu{<6;z3m~?y_oP}l+Y@= z2b1=4rH@+Z_CAOD)qWk?YAQi5T>NP>XHd&WyTea(#V@FM&ui_u%>!*P*YsVdC>bbD z@dh3H`HVq2<`>%%0}8!b+_X|_C5E;Qor6#G-W7blQCs!+2HLw!PM09WHE5C$)p%@kq8s{f^bcrBS z_0fO5%RLGBZSm7g*n(z<<3tcC&F+KSW?H-MX zX=Tz6`w~9Ybs|PspfxU7@IXq9h;}yXXF^py^t^RZa-~bG4g+tS4z@_9R?e1#3Mb@j zFh)?|yf!Q8)hB1hA*)3oh8%gu zKcU=o-8}3&6@W@tYdP0r#S^lk^l8MsjVHOGj%qH~&A$*6Q)xajoyJBk>o}FBRW6gf z1J&xg+Pq+D!2ubrNqPqcJlsaY$a2lfR&Sv1?12sg}r;< z+QUc6cAAYAc}b!sC5tYDsx?asd0x4Dg$hDbj>tF#-BYLX0p9*2EEHn6AHk84THYK3 zq(#jJ=qdSgs~`+37EOG;e9MpMLC%XyNn>9EVQ5|*aMA14p|uRvJE)>l`70PnsW^#b zH3WB)Ev{`-MOg+pM%*9k>?l|@+;wEfVxbbh9`@CGt^Y+$u#cPbhsFmEX-ks~W&I)77M!q9mv`w5XfDpJNM zOs%TGX=)>9rRG8qxH3)#GL?+}C#xLoXq!AH@DQJznSvD^y4Q;uAY)XyCnouNNPP zIe8Fbi^3-msz`a=g^2%|G`v7i#Nm>)*;#R41Z(Y)Xk@6`n`}5E64+Jj$oiYJ`sr6C z>CU??L={HkYowI( zZ4O1q-Iecak@j|b>v33^w}d`(;f(VB`7#0UFuTo;O`=V%N6 z@OvOy5Bs?#1h!)2L~bA5hVjzZg%XQ9M^-xWWF6tzvtp0ezC&~EQ;CuvnGfXO&EsgM z1D}4LrF~{{gqVx);R#p0-$wREZI7dg{dVPN^opB96=4FCWw7RH_Y~gZP}34D_9ojF z7d_9yaU-FQTE&726rqP73c}o4dla@5dm&=aU6(AK7uTLsn*#hL#dRHTMy$B=gGS~a z^u95`2YKg_Q!GLU6x8!qKXIgH3@HNxh|#zy5f(Bo12x@$`e}?C|8Qf7^L6qF2Y!)u zq%WG!Vw*-sOqm0m8G=ocK;!@=!&$RQKN%{Y877yl(l)F`b6Kp?Ybg?t;aYygdzG71 zqpdHq;?ZL7Md@vuw00!gC%tG&s=Cwu{WRXG@|~FXl$z{RbZt4%RUAO zS&)&E2m1 zQ9M{Qd))m7o`Z;7B{OUiA1W=2@2hXIqCM8a+GyF`3hm8zFSWhXkotEA<|-az<_KZW z1kH}mq{coa!V;wXSBLOCNVS6@F4nHe26Uz8fxTtGPs<%BUXEa1pWH$E?+VTUt{K<*VCa%}PG9<9#rvU|>R z-*IKVY)$A=(Z9a0X`Px7POj&>outsy7H@i1;}A=_O`j+NF{i#(uf}gtHpf_O+7aiM zMXIfSbx2lrQtv1%ePtGnrIEHTP--nP6I|h+@NdYlU|-xSJ63LMym0Y>e{@-{JOo;F zX#VXF)pkZ-rh_}cNHl-N{@?s}liVt^j)q?hkF^nMf(Ib5TfJk7 zP1j-zm9YDjyI0FH(9N_<=^M>M%qm4D@k!&}j3(nMg;(81IhQ_2-e!E0K(}zF)?2e2#-CS^=}b$ztGL@200`sXf*hh+hm4#gX?S@4k>+VP8+j zIEcYp^BftL$ZOjjWX4Jh5fD4vS(lf=`Swc!=TM%ZMEp>J0q3=Md{FN*vGPQHV^{h0 z?zq6ErZJg|pyGfS>50gXwvwSU`6A?d4)IRMzsUpx?xk+z3MT_!OXWxT6a1@pn_!T% 
zj5aD=?&d>9$_I@iC#0ae0EKL-6|8^d!XxXCsWGK{Ui`%SNP#;u z2&K#Q@N47T%R<6Yu{6;=i+J zqfM1()<`{HOIL@W7QL~pP}0)|>o_=zZ)J-mJ$ARVPVC=i`WwnaZq*ofmV*AhkDTD* zieL?o*OPye~l=za4{ykIIZ+AJvrvaAEooO za$(GS&#m#6LNiDgLFDSCnZS$*pGag{l!}h{j&;=sopv_R*7&0KNs*{hi{i55tKJDE zcLAtpcrQc_a{B9M-GFFw_qq^(LZMAdN~^fdK9%@^YLnKJt!JV&PUiibT%_(cM=%}P z^M2q>sT&t8d^!ALRNAW{MOlR9Zh87x4p#$O{5Pwc7W6<3iHCVmw-43IIeO`{1sn8sP?}J%ZBhQVAm#{P9$h4~pkGeLewqPy;p7oFLDo z>{V=>X%*gqjt%uGb?UVLq|zI&fpxNUl0_%CShvbbDv*kEy^=6^nV@)9-_1MRVAT7X z_t>y^5-pJdO78xvQOQwv~5h$q(;`Nu9wtj?R~ zd;Ll1J%cdlH9i@~Z?LpYd|CMULCNRKKDXLV3rVG;Kx3eOY;4nt@X_L{o<1JCmAZ{Z z>Nd*$ddcrb7S=>`x@Es9U@gq+4VzI4P(Eo`JjFR#eAzYp-6}73$6UQVpk^A>aiR3e zZBzz^Hco;>kG9Glt@3o*8*N$%!8}r=J(B)qYQ*Lb5qjqU9kJ0OkaHCMerf($;X_z1 z#wyF=jnH9t5SBz2nunm^?oy1qk7pp71n=oe`G?okG>(c+Kui-y7#x$1Yb=fqOpu7# zSbJhz z;iyZ3XgRM{b=tl=F*s?7@GWlSj>47nBS>V6UtanYggAb0fY&hxvI{1L&TIjKr2a-Z zw^kfiJU-_EqF4D?$)H;;KuGF;FTAgjEj#!ca4G3|%T||41)r?wZ#43iJ4p(H%lg?U zc_0d9Bia28j*Gtc09581`p0h?d{oX zvv$V!!hE{bMDg^x09>-uS`L$Lu+Pa-${S}@vUFz7zuMUcO-B>lvp0dYpU4?XC=jsW zhKu*tqrQniIp|mO-324c#~zQ$NN2Y_<@^5Md3i6T-}~oLRAYq1GaD6=ev|F2B@GyF zIK-qDxHdG-leZDl#=HS*L|+g9CoO5y*13Bf(HUoezn|jCP)*;N zF!0A`x;JN`9T*pZ;q%PzC8F-*0nHwr5Y6R@D*t7cjBP8i>Zvt*otR`N82ZYN+d5?F zTL0_*kja(m1f@fA-@Yx6h28jX2H_ZnYUW%c`;)<)9%U4V44llakHe=OX_Yf~3z7iF zG^CsSe%jD>gxNVComXsxe;9gSxC_j&<>-&QzLcU_QT|3O(aB$k1a958+$X4vIE7bw zs2K{kua+=$Vs1)%0`Ri=^Jb61DnmRrZY8l*F-9o8X}9r|sla{bjf#I{<;}KFj+G56 z(Q}klDe<`GJ#zrm1AN7gS2Qt8kX!&H;>go_<=CiMTGshVx*v6Pv1Uid7;hDEw3&{a z+*V66ZRxGvaYjPg^#)kpM}G#Q?cx0BM4SjHCptnTK_K6biRiARplv|HjV>f?u$3TiLV$d|BL9!0eu?yLsA7`$xvxi&O(4@4xm2^p*pYTP%!lN>FKE=FbVAt z6f@z)3>}zb?WpRe*5x9liqAa;yL~-6bIF&SvQv=!8%;5NM_=Z3;1dV^b-i{vnS_c8 zv}?VDW=-Q7nI)3X2X{qBK&XHbSFee@ICE!KY_HTQ;`t3j-!dRSz*} zS4G9qbkXAO1h?S9-Q6ufAV_d`cO4+Xg1c*QclY2vxD5`$2ZzDAeE;)(ytm)ZT2-g3 zR`)vHy?gI{l+iAXv?3s>swA@MLYKGMlG1NkNW? 
za!I%f><_b1FBP(Jk%$mqE@AqH%b>OzzV9;=HwOCHOB?YNW<8Dx;3^4%cN~yq&;K}{ ztk+L}4|)j3H&z7&(_-i7BxZdubWFF-np>1sB8o1=Wf#l~_$a->Ng;+IhI(JFSNMZC zeV~M&jn8KJ^HYMb^PpVaC&QRH8^o;8RzG!KS>ojvphHWqG71U@HRJu-=TW62NxGrm zi(#dc=G1aE6lDgs9k-fW&}6X3Bmlnhiq}L^rBn_C(l(HsekhI0#pYW$G`pVTZ}pJyAoWXHO@2s$uK1_=ZMEtMu@rWl5+d2%8$$ zlZ)FSLXo9hI?s~!*>~R=k^=3+JoJ^mA`ysfht*6Q;X0Z7#E1e%PW8)|E3~^W5t`7I zco<3g!ySW0>5975f{wk29-L_c4vg#wBC)DVh7Pkxb~gn7rlYZNucf$U?KfYc;)^Y2 zY3!uM$>~gmDhXK6fHbf6@+8FPRVD7}AC4aZ;be@~NY;WQf`d=27PYPFi!!5EQbs|g zEwa(o#ib&GqT93dwUk_c8`b{IVR^AL{1b8` zV#P8R76|y$*S~5EKooRgk|s6_w*N{qBrb&U%3SxY*-A^>&ZUmy$7tqcA*~Vw@`$zw z-VUIIVy=LyJN^aN+_l$`o%(vm)>vn=g(fGE2XBAN{t+@v#E%=!E}m`h;ONN+@8SdwNRFY0Mc(W3o$h(|Ty&pwby}zo5 z*ur=!*R76^G41Z`r&?ROW^JWr z-lvC5q}q^bl4B*3GDIhE1Z6T1;UG3AoGp1@9ri`bwI4NDmZ=y0EHcK%Ai7K%1yh^z z@fYw6o6B;Mtcm^ABO-q~kVS%mYr7tGxLG03wdfKNyhC>;`qoVAT1CqcF1J?_XF(O* zs88Gz4kRbYiOd#Ama`I8r&cts3X-Cc>qS$UJHWDM>c`X3JvfQ;yDC zKvM{wau}Z(ko|Ezh7ld?_OZ1#uyTna=!#k2gL;$Z-Ym!weA8 z1v{|M;Pbl(zn~QflB)PkGo*dc0bku2_x^rwhfdk&GVKaILuzgC=Z$x z=S1tW)uLE(t1-9>!r5Eo9pGRh_P0O_$-RW8d0=Xlu8;Ui?n5QbXRhcpAiAeSZ{83% zh<(XA^G8Z}%$TY#*l^SdW=>94_zW}G8_JK9(-`-Io7c`jO&~hF#*YTP+ajE82LXG&_7c?{XxaylrtJJ^5}XlQx_xTGSxZwVHixV!C&hI31KW z7v{&(>qM zKGXa;pbKm=&hbQx8R>D&*Ds<2Es6*Z&qs1&v75~=<4l{HB~!NAxo)?og4#wznH7A= zCLKApA05c;&MGKq%~pTeS!l8v<(N=}18SdQr7}%KpLPh9jh5TK#_2SJ`IC_^{-BNP zYd=rZF3Wt#n(#I*J5Dru!&`#VPAm9?wOf+sz~W8}$i1J;Sw3Uupnr7U#x|X5QToGH z7+r|a0*4-*-X3w2MX1vi6j{!{14)>u{DP4E*5YsT=?ItA_UnPko-{0qAYqe@sCVmLJ23ESkRZd zvY%?OB;`LpxNqt%X3c7_g$Su7A4Byr_jnaW{sW3+|H~7jvHrthp|9*`@qa^8587hX z<31Q>bqW9Fp~mCW`X8$Fe>r6*?2wPbOj(i8x49o(3fz6?j?ak|%5#$&vByV1FZO*y zW>tlrBHTeyMiB33r+4q~g6ahm@{S3Kl1mrVo-I zsc%uT-ENLoxMQ#K^JcfF0|eyrd_M`;<=HZc-T*=-)odn-dFr5uS2zkfP91eNa!Kwz z7p8@pMv~y;e?dXoS?ad&u4+8_M~MX@*lVu8*Je3_7Zze2%gdd7G9{7 zJL`dl>XW^-2sf4MYayy8-VUYJpm4UH3UD)c3ET=<<#BROPx;^Cx$893=lOQMzUMZ8 z?!ltt3OzBONUEKBkR z&cY^c(pfGjEM*8iTGh}~S;+a>0fY)!FV7*L*m7}l3OFH`aLN}`3Rf}(o~vT4RD$cL 
zmcXwBMnsLL*DWa`U8C>*>oeZljzY}@XWdHAvX0D{jB%xf2)ydBbl;vm5YL*F{Z2MJ zTb+yozxxGBdp{4e9fC>tcs8A9Q@{u5(Q)0&h5|djzl@{rdDU0d9Q^rx@`aSbTNWeR zf?G-eM+Fn0EA5RLjOfl*?NEtxLO&n+kSlP{l$Jy7CbpK_BdNW<@^V7#(8E0hg~R7! z%PzqjSq_ZuGUtULx-Ey+8+guF_!n(&VncI|y9}e#M%x$?BXv!H6YU0iSbI6nm{Oa= z?VGzc_9=gT0kMkOB)KG+(TT_9#MaajJ||pIsh`{stODBtzut{ytS(Oa0rum9 zv@?m~P>Z4clsiKJ8-&~1LE(HLv!wCbkM0iz#VIkWX34_ELSY_Kgj%|5`O$wOo@!2h zI&*jZbRC|DpAACxVtqEXTW%baFWe|5KDe{$O5k9-i%F6Dulm{kSGCGxR=!;PSN(40 zK3K9h>RUg2{#W2i{wr{6zhkarKMEW>+ea1V`+qUbpgvqpMR(V6I95N&yF&>QZ#e_zOWivY${ zmrk|YFWCL*3c??K>Y#oj$voKYWF_xuJe47`k|NG4^N;K4U8A`7l6t@Z>1m5Rt}Vw> z@QzQ*mO!94g}yl}Bki4f9PwJ|y0Vex=b!Gm>G9A zWypGnfhh+4V>8e5b_c}bULmjbA{y{v@>*- z&?`EzDeBv-dW+osrcCc6{w6frieD?`XWGSK4fLj6YreYA=i0MqE8VE$G)!tK0293$ z5IGo#V>E1r>2&RXu2~+9d)HZ_z(m@}`nLNz4ZeOr17IUNYX``-^nM^h11%1%*6+jC z?};;yhc$89o^Th>A@)475_J^wbJn+hSD)vu?IX{}pAkOoibu5e}} zoH`v1Ufzawp6%8!Ra7~jf6#s{6l-2_o-QkWY&ih|oy-9YUx~Is0 zp77wJHnQkAOj+=dq}s_s9w+AT%&jNVcUaKGK*fbJ3VTYCf#Lxpb? zOkTS|tRZ#ri0t}}wwf?AGXYSTGoaiZSqZ1aRt|XVI^^w;0f-%N(+TJ)akMj^X0)*c z_m20}IqwP9NeGl4y=rjE1&O+CC}XF{?Bn10M;<~`zVpsb%W(Xxitf-wjaIo-+(sgT zV7_7iW-;vyC@|bizP*nCFs&Vt$jKLZeg9&4K}cil+947me{Xjm8AluS zBr3=v`JjT9sWbfrbhyHV21CI;$Kvv9qDIY9>=+~he5J<0(m{hzFK}%4`*N)>#&gX5 zk+2IJXeHozFpB-Pd@gHdiZMyXWK$JT(6qtQ}Lm6pJ&$6Q89DRYlM*-l=oEE3Nj8gjMG;`3lX80M1{JFW&EV{rjdNyqN)P7R^D(vA;9s%H{lR>XQ=F-nO z`l`@#<4^Z~UpHtE_QBBW;sLwDDI0W;tkXO~SHw0#k{r05e9`heq$K5*k=;HZ*4hGV z=3{Ha|JD973z`!cvo+68NB4Waru&b`QL-CML>Dxt^}w{QG=L&n{&o!eXZK5=UlY*( zb^Tt*%3yt3-%Sn3c(nVj@F6$n;?Q}yZk@KHh}nva*it?cB+!6d%v^Z(SOf3Yf17Us z^8ALJAm^Fb8 zCb;COpN>+&W&ts=fu@taIix{Yd zo%IwnezF8|oy&0SqMy+oF4O;><@w*P1?`rZ*=YI^2*H7EOwzqY-44N2rW+kO6r2G_ z4$07B{z6D+=Iui7=qdYfZW_|C7hPu^_YbJG)?z+=n_!upItq+%f#Wc}HKzNmZV`qS z;pteHmmDrON5A2f-;=5_dlV+b_Fhm-$^eiJ$2ReXFX;hLAprH zA-I`-MDoUo79wnr)wALm1G(3d3>X{RAtLg%jh`fE(UB(C!?J1aQODRkZ51P8Z#-8v zbz%0lhme3?4kSkQj z+ya)w_&ZdhqJ(qnSeX2+$znA8!cF`|1>6E|{kWuoZuhz1ne@dN;2j4jfEn#dW~;r7 
z44Z2##Y7$y&hY|zy`P{(z~c(hqk0Dr7;Xk|+QF2E9tqWmLDNeXdlLlJqP=yP3zoocal&)R7oiT=|M%d==HS$Qo9Ws1 z&zmL)!o`8x%WWy>M;5d&ci7}SzMSpz!Hqieg6f&#I4u@e+K#L5q8mQC1h?9<37jVC zM~ZSoonXSw$-*6Kxw0ClI6js)s!!Ac_$uwa78v-DWQ6Pg z?WJS;-ybIrd$kN4j5UkS`}?R}f-NdSfy0vDk}OVsna$K(J6-woN))$c)J;uNL4%vv zExiYquxnG$?i5|y*DrWne)PcAK;Vk@Z{_nwHf1Sa2qnZ`HMXp;2bg9Ww!w0uYx|-x zDF_M+?S62M@HQxbqFydJtu>wtEF*o_$p@8wWk+F{v!u_h~A0-OP-pSHHd z%zN*DCIQEVY|*@r#8CyWmEwu41jdgw^+t07r7sz`{>_DAcSXVlQPwE`EBW1?FY zf41agxH)je)&cJ0ojB&au8ZyCom4_u5U`Lq%Zs_anB?P?Pqoy3wED0Tob{%n7zR`gxho<`FgsvAUuTua?M)}qYR+pI0=&yizKWXg>oTr(`M&*VN9 z=SNXoPhWLkj(ZLVUyw~?<)a2)PNoX!bRt}Se2_DN8qri1?!LzZdk&kyQxKst5w?5k zP4Z!Pt#xQWRq0=;C{B^DQCq^)_p<%aFR{lHnCpeF5>V@ndo_DT`lKp&Dpv(7_FJsc zkISa>FAj&Yx7f2vop1g3x#6ViAMbksd;#BHG!G3#H&b#4wqsq*j?nt_Ft;1TWQYKKcL+22y#8 za*K(`m*s>!T0J{*Iy~nUSN3PopXbkMD9As1>#m?iCwWO%X}q0chwsOPR#@fD7Wuob zoGY0k2mV;dK=|Ql2l~gx)?Omwzsv-C>*)lHs}8b~llBRa);Ju-3=gEI+gFAE+|BoJ zM(|?ax(%Do%WJU_{|x=7)o;*qYJ6tkUpvb}d)kQUeQZOaS%v|a-?3F&`mfsk0J4gtZy)%*#ngDql$!Oy>7V1MR+QIo<)LPlN{e3ng}MnIclE|3Vg#?0f*us2xf zH9b+?J{K?@)~KCLW;jreQ%oBWOp8~zPY5M+04U{=pNO<}$K(U{{M@6N?iq(6H#}LC zw!ecQ&g%S28gJMzDmcYCGV-j76P%oy7)%MKO-q?nYN0(t6+t)#r<>n`o0i=uoSQow zzz9bfhUEglF>cpHMS~H~o;XQ9mv6*^hCAWWlhvicF{%DF?JKqt(@yBQILB?N22q0i ztq}rpiP~O8y3%)}p=Uo>hk5>iXAZvMn|o1K1Z^%MzH(o-!TG*&hW)WQdYSAg**OnF z0eT&X2r3TvFXNSoP%pSxjctnTba!`9L21Y|t1hKnyi?u29k)*myq5h6gN<5BeK4f> ziupC-P2}4UV@o8N$!9%%8z^fr(Qa1QBqGtV)EzJTV9{@j^#1U0{$;k>KM?AyB%pdf zXFy){W=reWlzwu~RewGgplQzyZ;B8smd|c##Y0VDdNOWV_;AhGId;74RG>CBsu{<* zJlB51$7_i_W+$xHJNCpH8s0eKNDra;T!>ptjxSS1raX0h&Q`5G$MHg9{sKb1VvmmPgy+qWUgcfQ0 zoIc*Inss|~EM%jE)%4|+a+`$L5tXlMDE;sBo(9}crrQ!~N6Cnnx8u)&yc2~w)8W|R{rLhW<>2V1K`2C{zfbfuW^Cp?RLPhg{ z6s@pPfT88loyHpmv`KO3TL!`Xb}lD7ab-Z1%B?nGg`@a}GpkmgT!KBhxHfkfG9MBY zt9j)~c~k(iN{YOykWODnAn%yH!CpViiNB38&>6!)_*V@iiitODN?yZpG4pzT6_#;e z;m~d%R0~Bc;f%EM?b}U@&pP z#7TIb6JGik|ERiC5^BJu@*N3hgW4B~dF#{WdZXI|^01f}8G*@h4w@S&GPMWES|Scb z;nw5rqcF^0=i5JmR){Utf2!%NF_2Y_E#7+%SCDo5gCIFv<$f0Er2G?a3 
zb{Xtua#Mq-+k8!1LA_1Lq+#m(?AUx8epDsDLtBg}&O{E5w9xMjPkn>xgHooKb`e3D z@9%|21~i`{_)|y?MZ!v`-jssRT6mZqx!9NDXWTwiOw+7fXIFonC(;=6Ht z|FY-qv}vN_G+~Td?J8c8xYvn*ywI|KxEJA>Yz>LMh~gEF))OWNL@9k;d361Of)U2y zlXboRgEZ?R6k6}v=3AF7?2_VIm=J3*CyUKawY;ukMWe<;r(#3aC`uY-q||N;1j~kj zNgrbMR(zJ)RQ~Cx|FT&vxWLi*<*eA`%T!0a?`AUqBqimP>>aq?#5K9q!i5IQN^L&p zyy}TnU&^4XZym_;)f3+B@QZ$kikY4W5kn))K`Zvd{m$FBBcs;L=B{_-2aOIwn$%{-aMz@Yw18s&WCcE*h%M;bF|5NpmyQ=#&06^@k#-JLhBNB<)Ud6+wzXA< zc1&c<}#=qdIv|)W5NuRoQJQZL4 zVo6C$wsSUdhxy_nieg>rJZ$ueI|sit?iF8tRIvU)GD9*t&S8QhHbuBq)ULl`=rnbS zLwnwI<8t37JGa-nOr_Ez=D}(|-dLr5je6 zMBBzpxXL!Vz8UQRuQqRSVB5d>v{_KlK^HMhWekaM2zF6h zXrKJYw<^;KlXe@@eBFn6g{@)}Yae1)-_zPz5jl)w&kfDyMNW4|2$A5g@9Uu%%MbJ*3~+Gx6r|o{)cgQp)@9KUU8= z>>dt0hw?OWWbvk%=Jw`p`3_&02z9~BmRNNj(urKVZ(R16aD14@q~~9p&+}x*Jol^I z3PGHuD+rS4zn2|$kCR+i-bgT5lCZxLUoMp2sci#T5}(w{V9k-f?DWSl@kwh(KpGZ> zOB}J9@JAJGO`>1kq5XPQj_O?fQ z!qwRc%K4%3`c?VtG2?zx7>xGtbuj7+*2%35)h%SWvQlRcy=46={S~{d>%9mV0e1l` za$0w-bR3+h!x8EnVTBsI?J=ds*$W&8?N%cxPvDE9x|fAoEXd68e4(U<48D8^k}S|K zd?h5pZ){L99-vf_0UNm@J#*ZW%jVB)=LZxB;hO&&R7-#I8WNPM3p$qfpK7@KL-Ojo z07l8q+(0P@`QV$^gr?gA!NG?ZZ2gG`k80F|{=w8@o6m#+KNTr-@izj>?K*laS)w0` zy?;@|tBtDl$RRAYE0c4vcfr1%QW*ydu#&*;N!;ms)2Q05*LgB^RMc#@cs)FgN|;=& zTbSUgPhmOxh+g)>3Zq`U6YAiJhX2zr$Wv)bIRXnyi}^f;U6Qq!$<3q=7fZ-XPWh-H zR6$P#!RE$+F<>9?4*`3r1?RO%y2J*EfOUj{&aiyg`_j&+rZWZ6XEyqPTNbDLr$!Ni$lS5ut(b?bI7n9mlitRqk6nYwvgjrmPa!i zZ`K3p;;4l1^&ZBzJA6w zvo}T1AihjmoFe^0BDZX&+zm_B<^QjwY{me6n@#q*L7(4Ars?QD_=oV$6+b8s_-jGu z)1<>&K-5?u8MfGPpS;&h>W#|U@vzvPx-ww8 z&iMimoU%!=~g)|5gBlg>lHNI4qj+G*FsH&gx!34fQWMx8GdG6dzC zVu}s=cDC4tuSf5^`USja{v0PWP03o4r@G-A>SDhU2k7x@k-zI~%SqHe-X3&5<2*sv zd~_!vt$;T?*>#1OhJF#jpO(3+nMT^$k==A7xYYV!Uw9DwV(IfEzqx##SPHe%cC^gp z)Fzsz@G)xbA%C8{pkDs&@}8AxSf7-r{t5@3PFR*fMezat-+`a#-qJT~3^fQDNk zHpmD&5gX|fGLnif!1@FvVkLxU>UCrR6GaDn^E?(X=&d!jBZFu(1uqGlpwJe)Y{O}& z!Xy2ju-Fv`d{Wsh?CZo`JjLIsc=;?E&4`m?GKYu;bf|)GOHY~2?U*GG#2q%RWBm5R z&m1r*Sbemv7~vhVam%~WX|1~R<7G3K(dVLjmGB50|D|QVSL>q6&`pI-Hk@vLvMOY$ 
z%zZcSLgN3qhvJnCWzu~sviFe?PQ=T?kUy+nl&Y)PBHe&u+d*%dOqK!_>m|IMpUN@8 z4HDY=)wSp5Yc_|`?f_9&xgSk`n1q-obfxI_xTt+=vyu*n$WO{|aIuE_IMxRV=R`6Y zIhCPs$#@Co$)8NRW1fiS?4<@R_2dnpq-{$=Qje#89e^r@kK!F!9md-&(5*!{VV z67=H@h^F_YwV@Qix$~&_EZvZU^7AiFnh5iE1#`nnXi6Zt7h!_dS_rNcYiucvbpG%9 z%{Rp*$0bWMkM6A>SL98!KCG@lW#=y&0+fS?2^04Iwi+g%H3C1nEK^=q_5GUsjQvtNGBIY4u|0n27 zrCWQtQL9lWj#OM2S>u3HBmB^;xEho_0b>B3fZ#cG#YKjQVE8jX3Qw?q1;ruK0yg_- z5y@no`=zLb_ijDUO@m_0IaKbz&I`uTtvn6}AXOtOF!V1*ayedCk7xlZ|Aw1~riHhd z+>ztH_Y&srShm#Zt1K$Hf*2+gjK$Eczp4khqRygpJb(0xyAr>;nYTkLoC|z-Q0!;n zcx+~KMFQ+Z0Qy&UH{zDq$}%?ATIOhq1KY}gk%B#E(Vw24)g{$&=;vg(vVJ9=bdD^Z z=Q}5VqRUaq&lNL#JL1g!PYnl4bHm)Pqha?4YBR{kuG)&PxKftFgS@?0a{eu*8^AQwT4=~$zl_+#}<9JXn&wZYsDLU zvBn~UlLaP!CM#gAHPhU1=q(Xc_=N}hczOsQG~ig8$8rx`R2}H3T5IfuTV2&okDQh_ z>aa?e2iZ5vbl*O_qYlgtjLR< z^B{TZVS1Iru6ydVDOy3|!o;B(i*sF7xp1p6D#g^r0xq^YcEYsRRN9RB)T&~)Ba6pb z*`+nx{>=<>mH9lXzxj{RNLpZsH7?FP2vlH=+JZXu>K~RnV%x(y+DUs}N@_+OrO6HZ zulT-}r5#T?G-fNVa*9BMcN}T?)0$>K>y|5*n69KI|!#T;9iWOA=My_=)8t+_5(#pVw|CJa7!5O@dcD za8q&d+qkC{{b~@NDug8iKYT!Aqv*I!N)kI&A|?|Ogi!XVc)~I{u?8*Z9m8*KT?&vp&q%$VA;0t3>8*P&pcG5rST(0co zL9fF$Y!2dKu>=NitQkW1UPOrBKex($oQ8G+PSyxB*5t(>j`~TzI)AB)q) zu#8QtA!KGU4bULus6|k0{U8w?#n`nbBsfBGGvVG6DqyS-S=bW!`U#waHD+LjfGyMJ z_OQ_PkE16~EpzJbiOU^;u*z*%$e1jKWg7sGQ^xT?bxl-xI9gfecX}jYVjAbze%c?x z*w~6g6eiE&<|BLH2mM#FSHRb~Ev?RmuC})?+OG*rKIC3>@Vy81^~QQ_Ubj2bGQgya zRnkEqyvWCk?Es-CB&doG|5y0H<$YKs;vLFip&hqfmWT3%we`zHs>5%b{9kfC#G{m{ zt_*%9^m}WtQkf7G7@u~e(APvC*HRyFk(DuESr3v{RiU0Xhp5SD&W7ykE zpgU_WFT0j0x&X25MjS9mz8p*1I> zQ0zC)C|o5FTFNhDm)N_`kzHvf|6TNpx5v%DqUk-EXFh2u)(jPd8scH9gL9c9@%Dh7 z(=RmU^{4+%jq2b)OU0Xl$(RRP{DS7&5v|gaOu|MuE6F$Ph$Dsg_m&JLw_Q_nL6ZIj z7b%664Hkb7`HM@<#G!SW{PC?kenyqqR;n(KtORLmXot1- z$(PQbgNnT%v-0jExDJm2zwEOe&MmABFyU@u7wYOLq~hE*gxR-#b`)n?u15vJ}bwsBjgyevXCLCAdC8p?RvmP z33I!b{ye4$@u%f#$`AnXhK)pw;7)klZYk7gFO}pb-fR&Cy6kN|M@5>!ZU) z%XZ4OEpuuo9ROQ4&1#X?o^Yr^ON^l(s!E$!*W}lj_z90*Qc9(Nt7?l}RM=RKzuB=q zRfi$NP%0ltbW~=RAi?=2J}GabFE|;RL2r*6;~A8TuKu*4nWfh39_dk%@NUMUo_UP? 
z)R!Jj>y3g2yzVXY<%S|3S$cIMGeVyC=@ps{)xH8fUP?%UNLC-1P)+jfuGGt<#m=`| z!5G?&&2M)rtUEcJA_qUhF~TAvr&3??uFZX62-c-=O;7||bB=V^6wzLmjO#yH^1vSO zhR$5dmgHc&x(@nqgG1nc8o z)O?D-?Li)}L9&~T#ALZYpCQj#*}P<~(du5o$fBL(E-2x2MlI)<&g1NknE_*7@^t4L z$viA1XwI@!a1Enu6fV>rcN_ORMFBc49cxh&{}l5o8qUNE__HKjQ9&I6j9CejG>C8l zP`3<>7xw`8A_fL#98ax@Cy%hcA#P8ewOgJbZ9UG`c8l750JrN8V1jq;f|3uXNIqkb z%s)uNbO|oL9;$=Lpw1OWsKnSM%J(%H9B2uuk;Y~~S!t{#;#_)(uZO?REMw}iwrfcG zhRp%}q#9MT>K*Izc#K_{8+{R69*GIpv%(?-8QNqEu}vkIp^2G|30=DD#f%_cnP!yq zd2F^M?K)~{_MANh%=4Vfg%UZCmx zk~4o|)+&UGYwGk%Ue77pvd5;ZX!QC#LKjI~aT>sR^Q;#j6$f3D(A`^9tO6`Td{2V)L`gPJj_YGSvEY}FW zu~J5zG`6NzC^0oLTc(`3OVSW^O*@i%qcF91RNpMd@@3~Sog@uNKNeL7TyMkD=kd5D zTPXgVvMV88MJxgOcE&O>p$I!OUpb0Q9MSs<3vNPmiYMzzK!tz!?$ClBW)X{&vyyV| zKN*-HyWeidrUEv*E zIzco_sTiw`(Y;HhM^#5PhJV<+oV?nCfQ;lhGy$-f^0l&#k1H#h-vC`pm%)#ps?xKa zWi4Ra)_R+q*2q}?r*HSaZIJ79A2SFe^CCbW zk1!WWuGJy*ce$`X0Yf=|Nz*fY_x>S}8~C(T~lg#b~aHp$E$b?T`c8Mz|1qjmAA8V^`Gufu<}qJFUkAP%`vnG7N3o>#cL%Rz>pSz!=b*&>q@8WHDG1j*c5B`ei)P0MX zPNeh!+uI?wzrTmw!KBkCQoGJ9nfkrqxZ=8@nyPifiz%d1ZW9$XI)ZHkWKGdG18x3Y z@LPgz3}RB7dlb=U1hL1Pw2pv1R@m|h8TFDI))R&u<#4*Yt1RIT#**sfzcnsS%zxC* z!rxDo?ll>f8BaE>+1Eqaa!W%+zczqB8ryA2v{r*g8JM{iH)N&(6KgCc)L)-S=Q4BQ zlNtj@{5S>t*~r$!$YFD8*`Z*k#zO84(r(il);1NDh(w06v$2A-s$>P=+ETIZ!skrp zpIrUu{}O7|Wbrv*;%YlZKk`u!@@2b6ckc3{eU^w>PYt~qE;@**P3EDMjXR* z*WCVT=uSFBxv`?$y-FC%{bjGUmvmfLY(XXWDjd_$g@$<&YoTGQl)@gt{T@k?6z^DUnZG|IaQ+rMZ-;4F%E?WsmDDr zk;P}Gq&0h5eccCV%NLCr`n`GIQcgXDRF19}K}ItRTU`JP zPCMLgs=U4)r{oOr;i`PpJ{9G}OT*P!r5LEbMs=+Q*e2ujg^yKJ-Npi`P0HHVaEVlJ z6kXo(Gwb4_O%Yb0<0Bd)CHfC-(kMIHiGKgdN1rq@SZ3Ojr%4|sfaQ`O=u}*FF7h^a z7RBf^$*dE$zRizeGVPTAOzEIBLDll0QIrz!@!Q}#XP}sk*ttpFgH*7f6(DLmi*V+x|3!juIP*+`^527zVUS^p(LRzW5((MZ{};)Gi<|n& zAllfnOMI5dPyR0ngBg7c%YV_)f9pE>tc*^FM1z#f`Ck%?v!Z(1kLVNG$GY&yipu}~ ow;lDck0iy>IovJ(-!^yoPFZ$@z&JAOHXW literal 0 HcmV?d00001 
diff --git a/src/assets/img/Delta_Class/use_case_1-1.gif b/src/assets/img/Delta_Class/use_case_1-1.gif new file mode 100644 index 0000000000000000000000000000000000000000..385273bd2ccac67ec98abab245bbdfc6889f29a5 GIT binary patch literal 24427 zcmeFZc{tR2*grmtVayCOgE3=mtl46atyE(lLW3cdoFOD3q>{E7V<#bNsm2mxsm79B zjeRXDNyTZkLI3xd%f=ab&s9Bt*Mz$ zG9(A|>6<5C{Ycg$hAUgoK1(Fqp8Av9Pc(91a&16-6KrNF)-4q@YkJv6Uw$ zj#-Odc}f_xGzNHB2kgp|!eZBACFCVmp0tD{N^<29Bqf!lBsHW~9$rdHPD)B$N*XOC zO_Y|hm6o!XUU>v*JXRVng_oAY{?ivxd0xoRo-bm55uFfTz4pS;TO~pe^#Zyg9O?~C9U%T??Yc;oM zXlQ6^YHF=KQym?hbt^AOS65e0*GEtHke;3%iA2&T+34%*8yHXw4Gq_?UvFgSVzlzY zjg5^>OiWBoLQG9fH<);A*sx*a$_v`K@tFC>a&vR@O`A4t-n@CsmMs<*7M7bimKG;0 zEfOs)Ev>AqtgWqWR^BOFn^ap{TZ(Nxg+j5XG}y1aBnSHw4h{}mw{CTGbaZk|aB_0m zwrv}ATMm^NZpX^Y-L-4i?%lh+y}f_??Kk>wLv%Xb z$H&Ll*VoU_&)?raARu7x-o5+w?F$YL4habf4GleT;6QkI_`!n*BO@aZA3l8K$dRb1 zsOaeEW5ecJluiw6XyR@|Q>C>mLU%&qO=bxZ&Af<0e zXB(QEl?BztK$ips1NorzSqLTs{7DD+f6z*rB>ZoZ{BM%{|2awE-$3qgc?y@^&Voy7 zdG&D%I}gQ;CkhQYxK@!g{}2f z4{HPORqP(Dzw)>tY-ZrX)`qK-Em801CkGp@J-Nw%A{8AQxl^5qlG@%wjny-~=_*?< zIyTij8_YA@|NBr=?TcZyRf?ihbKTrMj$5Vot>)`5A8>cn2P(P5!kPG?wu8Ork8E}k z^+m2xJY;N*HAU$+UpRK;z>%9Q$xF_Ea*%kPnp%3J(m>sQIokSfr^FSaKD?hjb&^lF z+}Meb=xO!2dj9y*((?Pqs`u3GSSY0`F2quCVZ`3_!7GX1qlPETp0F@i>mU*_o)LX` zB|0g_(xVUJY=j(pz&?u22`r*$H)5=@!OLK{-1>A9+d?^*A7?ZkJL`2o{Nn7)8NwAZ z1ST@e?@`YJEi#et5PsK@4Ug=U(`g=}8L(~Rg?+@mRQ=8nCtC}#sOhA>nJkae@=^=G z^&JV)4kaK6Tr`BpK;5B18DL!AoZPwn!spbbc4G?Lh3U$X?b1A*_s-^BAQelqjelug zVCQ+{TL{S(@ODd8Hbx9+UaOi0Uv~9AH&?Occ0hrpqUtvW8B(Xt@EM`Ft_ug8v@dzURfnl%a0hW9sXF<3mx#NtOUdSDqn*nTIsJF`0?6r8lUFuf73Ku zTKT5=RsG91Eek!`Z(Enf_P=dgeqQM79VnAm3!NA{ zoy9Jx?ZJ!PguPXZJ@Q9hE%p)fIozSLglE`Uk=9Z<)TR zdVkye)2sKxWRZ1CBi8tkr8|_hSC;NNn!H}RN3~n`VU)H#y;nYrc^!HE;Q>8i z-N$ji+>nnC1Iw;_d=%X9`s3rU-gTcQA|Hf&nv8mJ<V^eP^}%=zs_yNe~A318*h!G`OIv z$KFV&7ubn`EnyQ(c4*9gN!XM=27?NR@Qj495>Y zs6CbF?LgBoly5NdZoR%UZ2t?(G<4shfdN@o4|hE^G%_zMCj)fnczfbb3C*URwnBa< z+KmFNWW@P%8zktvs;{_ecQg_!&}kysC^L;m_oq^X(AKSkkze 
z<=D4s6xBKohLEOl(p~m+BNc;EA9;kzRY26%dU$c!t|orxg0949x&(B}!aVM@sCBS1 zMD+2-ku~JowTB;sUD=TyIU}rzw+?PvUp09Z0$kSBI{<1=_{n9H~%jn?(v&Nn@1=NDkaWolpBRjb}M zf_%VBLHa*+dbd#h^zmtNJ;vww*%&wzb^BRMZ~noXo-lLq{;sDrJjAt#$(?P@+m%JW znU|_ALoAq&8%4~cu$aI7XtNre0|GyeFthxASF39G-W?lUid3KUPRJ1bI_GPc(w;N+X`s_-L1jrMaHQ?WbAV zRbrGj?Kl3qYbRD19Wl%UdA%2$}{%f;*s%8V;Zi$>qg+Z3X=5IZZT2U z&2%cU)F(#KIFaf?_t0mX^d?kEI13%HU9^hs+;_ zYJho1AjgwMf)mg>=G^58PcRnb{@PMzAk-^(DT>-~76^+|OwW2429I%G$XVyZ zEltj@#5I|kMr^%kkw6-j9{T^Jo$2scsFf5#%0EYPvDsrcOBmeEef2}+2tG2TQK}>2lItsY9 zb#LWAgLrnTh?gjBRecF{AryI4toI8!dY8zgBI_m-(j1w~%ZEdOs;WIJ*^}*wI z{`Q5YND9~?eXq?0eKqmxvskdniBB~F&l>iVop5N{T(eD%j-Ea0ulvU{*o?;wQ2ACk z{O=F!y&7`Oz~_?Eu%ts=KTl}V;AgzznD{aJyND@zN8B6P%~BlxeKRMdj_=Scm2RUF zloN$Xaw$fLW|kaf+4g}4<8)2JGP+O-rRi|HX4;}zbm2XLI(tfR7?aytO$W6sr#$+o|cAYN;++rEq2;j>e=A!klG(^p?0*_k7il} zer}nD;}KF4u575WmKy;r2pfMwR6 zlLA}Gwd{N{I;F{TEb2&B_U=mBKA41yY_`^U-^87YlV$&PMW%n7vcO~K0M5c1??Cu7u z7zS0%?&-A2)Rv1WUvO3Hi}w%Q9DDR&JK+K*L^n9l*7DXFD?DK_tj^D-)M?Mos(o)S z-mm;q%c%`Mlk?zOL-ZB>M=o?`Z6FfG`6~?_tvA6BM=045S|2@gIC5)Oz2=Re&`5ak_9l&|-p>#wrMV+n zrfuZ}e1*HIp|g?Yvu9$$_dTY$o7?(v!e%a4I|44`xyExNNq=RWyB~UMXO{eLQeT#o zrOs_E3#_xc!wzY&NNw@8nVx20`yWuHl zJcyqfPx`8PEBFW~a%`v-P~^M_!*&)-d_85S+e(o`$Ze)ov+p%-hp!YlE;|us&Zj>l zMwHmDk*HWgn5?@OlS44Nag;qhtRGorsVqO|yyudLqGGDDh{Rf}1ZI>vf5~OGyMTIB zYhgT+vy~$u4@y@R$1y-jS2yFB6ho;B?nor=e! 
zC5Y5iI!L)gR>Z-ho#ArxSf1gFKdQqc;tbjVd~^Y6x3^zUcLg6E0%L!|NB>$Q@>b36 zSP3)Ju+F9ghs{ThrQ{R4d(U)sv)VV%pz*TSn7A&&z@4 z=?W=`9LsyftMOBHOhYgA6=(B0VQAZ<%D1czYzO0Ty4JhL(=FmmW*hT0=>e(EnPT>8 ze0>MS2A^@Q3!Bc7@3N3aE65%$<2!_3`zwTBfU!hSQaW$|C3WMq z6g61abtdW!>Hw5f9%Es0crr}WO44nQ4b%9s#TTDv7P|RJv$3x^LrJknsKagA0CD1q znjFn~=^@77eV1KLsL@0BZph&lZcz5Q(PCN@Q_29-%mNdGP*pH~8lAq@20u zC1WU_={1EAebJ39Pvo%u%+ud~mv=?ePa**^Xw#R8r05 zmu~q&2F$zeQx;4S0$htmnHVi1qZJXq&+UDCaqsXS6`m)fz+12F;<&w)&HP-HjF%IZ z%5!RAB%Jz@hE=axIV6a{5$1R3UWWK30>e6E&WO{12wY?$2oXg|e;8K@vr;9sD;i1N zJ508f$27$PI7k^rAK#bqj-Euhh?J{vpm%wghx9486J%|h!o}Qq49@Yh!s1#Zx2mHiYOhgDl+*d`lnSpl$6H4&+;w8`TIL#2)hf*X4*PY8 zC9V$<8u|InzOjknY-S2nyKCT3W#pW9yk(5XB7oQ*aQ}hW|26lTSA+CBB^x2@2%vn! zuTXx31z=r80ndb^-IJM6ldTAVXKGha7&?l2`xh+57-}ws{TfeG<38(Oc_`tr32!{X zpiExIgW^xPz1N%Tfyw>FmULGMGBI@DYP>{b6dqI`!RC_{ zd%Qq;*5`Lgn?BL%@vea$LP=4 z;`9_r^z0Bssuv1s5 z&h!$Ilcz$DD^X*i!l{q74#Tn2aip(r_WeGD7V90*GABJeR9Uyr+r^lnIO{`R@oUsi zIC5asz+OS%lEB6*aJ|c}k|BkLm;`G?QKvfM!*vtKvD$bPQy9C`&yx@2sd9nOF*eVN zlJbT!pW&i4(R^sKD&Rt0tTMf{{pVH0UgnO_M*`3owu>3)osVZ~o+3(v+{k6(e=H*Znq!Ywog}C(8Y9rN0xkqhep!FKmTr`if1q8NBkHU1q2*~v%o&7qBDLy+uf^IwUQIr3ZTf9Z3f^XU1c<^p zZ!gcC9!f<3U4{t<|1=MnSv7E_NdUMdmJGc;+qA23#QPcq3Y*WUvl6n5Lrt2+no_&; z!(7b0hB%8;5VV%D&bV?}e0Qv>iAPIu(TH(KZ(3q(e)xsq)oMJp3*wQ=EEVAVTxX$w!}(m|Ojojc(xI`aBv5JxTR z9mM=ietlzCAjE@8y^z5X8{eW=IHn7`)(-rL&<;@GSkP_2-& z2`2G%@;!F#z8O@N2m{scbv_buw&83x;-}rHQjLAB%WG zm%acnMdpcl3SO;m?oegzi=E%(k5mDebMBt-Uq22S|21ltR-GzfZXC;4xcpn7cIFLZ zp)p$KIy*iemApYLXXn$g_(`MVp41o!)a|dy&ji;JD^a=lJV=An!=`MaUYZV% zNNo;j;%9U|j8HuzQZ$6?FhD8XNmsc-!m6)pPuV(uaXxZ3Ehj91c3Dl_{ncLS@6UPMAlgp?UkkcboJWPy` zm@;iP&4+2GOhjZ+s(r1@WlTt(TyhLNO={g=gPzZ28bixZ3Ym_(Tuu;s@Ylonp4%e~ zUrAhrl+W`^x|%LMpJViOW;^1)dHY2lv5N%-Kgba}IA6`%g3J6%EgDReGg8^L-x4=v z?OmggGWPJ@2rY!US*KL5pi@_JyN}BR~p;Fa0h`Ny5^%s)Yg?ZaM;O7O;p1_W#6iedO3=B+_yN z6$=cP{k+YEDvWRM(nABo<;Wc3P+drYM_Vd@;Ygq(e0w=%AJP6)1G&4hME~5@;4VxO zzlmE|nr5qfXG4OR`rV6S)lzMSAX|edIZh~z%V)|T=uM2<`rKXF6DDp<*>QP4zTCv^ 
zric52Wp_M`6h=%B8+}8MAt47kk6ep*cCt{yOI{;J8UO?qpPDX^+rdnqV0tj|ndMtjV5pp_gSb2YqcwVEUcnXBJ%;5ddbcr}3TF zA07)WbV-ja7EzZo4{P_UQqTptI~gy9fyJaj;T=X$?K^9Gg(~Yr530X$XK>f5@ssYq z^ibD9E<_w({nf=HDd=}gKx2q_cEZ)zODf7|>l45^FTW`H)(Y5z=dET& z;!o^Bebu-TK^a*9n+gX13BRz1|Cn)cR%ToftRCMJS{8D@57^asaHqv4D*T>TrKdg& zvl83(J}o=>13FhE523vwtVsK!amd5l3X+RXzIWrHd3?)+@@-0HdsK6Bl<3G;{S}s^j2f7QQ*N5-glx<=JdRwn!sPwt86w%ahpl^2_B@*{LTBor$bOxcVV!=gV8TK+YoOjcdlDX?u4c;4g!-skme@q~+$7;%KuS<(-xB@w8l(tf+x=6+EaN z8~W5k!D@Ty)1i1pIwdprRaWKUHf#D>4z~!TQa8QtUc8usAz`bNu^-7#y2bev;+EzN zIlzsr^=`EG85nd<-#=eBc=?WpLeNv69XL}Q);2o0x)SwU!wpAi~mHAcTr)iGc#0b>w(^M8y{ zaVZ^)U@xU5wcKoj@-ne1RMo1|7~$1M@uP5iq}=v&D=DH(&*KMrrLbjwy1|XAf$M|z z5P~(R5x|O63q_R+covhKxcOSZW$CKq?Ob)aHy9VjE(0Ch4UgSl$nkK|TRdJ3DO%=vHKKVs(i&Jqp{7-> zOhV<&BKnRmPiVBWGR%@t_C`_({jM2e?osJ{_Wtd{`c@vTiHq}|HAI&Hn`05rAEn5Z zylSy)2;E|i?yJBo0;_>~%5ory@)_)j0&bM-?%5mZAAxNe1#)-_Zz$XHye zV-wdR&LS2usUOLKIGP@Mc_V+?g-^FVE#}@zwpw>rA$YzNPRb82=E=JHB{q&aOS1M7 zaG}T9mR-VFbin;%ZUz9Tx}*i4AjMDAs6hh}A)Fy50_|9F`q=vp##kBbIc=g{XYvw4 zQTO76hJ{e7?`vx@pNPV_i7XOivG#@IqwCIS#$Siv#Y38Im7Z0=FMj<<}D&+Duy(434l8!5T2gofo0I6d|Vbsf5)7#76=Yv!(_ z*rBqzI4-dWG{W19%55+5N`RUm9Eku0zE`%`4|SsQSsU9z`*TjG zx0@4H}2LucQFKRMVApl(C(b2@y9(*mmBjaIgUFv`EK?5D+J!(iQLu_S>ExkV|oH2 zE~Lv-va*OvHjJ~x&9-;)z_&k6?rMu(QwtW_V~Dx_GAHD53t4{|e~h03gCgMg&GesJ z|G!3e^y>FfUx>(%bK#)-LmdCsvb zp?TX)yceS0m08v3--`a4moxV;1*!T0s84U&suZ<30NcIxWS7BTS5CM9oe-!`U;p@V z^BS}InFTDKLYmxo1de?^Si)di;e;i%{Fb?VizK8RqLs^@fikiBu2SIQ^y}f1Q6Y>d zeV-l#ZisrXbf5dRY^B`>j(%jcdEgdR9q_}5BFGMC=~8BHNS+c_N3D6#^m$C8N=9H| zZG7!4Egol0$~R=k*POx^B?m9_(;D`4cc{J8GAd3MbMu^gWHc`}T43wmI?e?Niwj94 zj$Jk#VTr^n36>3))}F?>k2ZHV9n>>RGOQ%62y4K&p8!qrs#X1z@&{6K~W-RZR=Q3l(#0!7@Vtknwm!f8Zs47{vyXC-hT_qw= zeG^XEZrE-0sX_`5HkTRr`obbkKO%_UN=UDp>Sv_P zU%q;VDMC6H|6xJ6pgth+@X6}~8SF$#ML@qk^}gS4IAww=nX05a-YM*kBK8OtV->hW z!VVbJX=O2XWiShRJ42uwy1pOwQ{J6jwQglW1k9KCEc0bx6k&QMDS;_hWgYXMdoig- zwrk@K!Cow#50MXR491wbs-z-ZBje70+y~y8Dr+M(=@C7Xu`c+<42k9#o}silY+SnBL- 
zk3|71S|%~a$W%gCYiRbik~OrhE+5O|cfe9rohnEm?a8_W!|F#IE}T(#_*#YM?m*XM(2nOd(!NIq2F5edr*3qJ zAVt=N(Rr=eI{hB z9l2Jw?(yp~xVDSC=dG`A_=g}gbj4@9&YM4u;Okbc{XQTIYyVCg@W0RoK+*;m zL0WnUXoHAi4&lAJvz!J20nmmhA68ai^#&(xlNH)N!!Vm7+RTVCIF$mnH9d;rZWx~w$j>Jh){bHU5xF1bSw@(SH0 z39BaZ3ist)aV~vo?ioEsw!dG`M2GV#C9rj;?aBZvM`JEDCm;zFf`r_6v%9Max< z8Y9?{(MgpPI@FsIZCM6JR8cRpeU+tfax=9Yjy*tj*`Kg) zul;5G5+5{Tuc&oRU+x_xOh=X!{DfHOG*6C?wXZwgA5-TCx_?^yH=RbFRZL9ADgVP0 zL`ybv`=4*@a|+N3tQ3d>VSZ&h?Zwridn`@^BSDUv%1=Z4?p5D@SGk3CekT|BU&zI> zB^?lB5@-v67}G{X*_%GCt}Ck!Q(Jq{ktlkh&SR8Qo~{gtF_Bv$uFn|FZ{Of*7Y&dl zvRLimhc)3UCWDE0PfG~r?Tf$Va)}&Px-dF>wFr!^dlZgHC#H>8`pX%3hS|xr>=~$# z@r5)@3uBGm@#ZgUk7j9{kOP!Qy!JG_sA`v2Q23%Suri>nsN7zhJP4@V=mM47u^j@H zn_#}n{b_J^Yt_WAmA+v?Wg~>{J_owu!o{l)E$h(*>y#W>f{3I+@G?mmy?bn|utNz_ z*l}81sUk|h%f7{ZqeGDO=Mg3utvq%`d0#|vOO}B({CMHn7mo3o+w2KDY0vFT(EB$L z2As3+l*uFMi=?^>73@v>f}SrEx(zFXX1MtAqQ90a76c}Z3uxHjx7SSeQN!XC{b*S!?()6mln%l~3?1R`scx|@(( zs9K&4(T`HqDq?e<3af~#w(ax}%C0iWn-5xwmb8Ef!660Dn#1`#p%TF=VohsLn!9=5 zy%ob61CREZFT}-yfmx^V!jD7T-&Z~MJ=v&TX9WCVZ{PQ1`+H0cXsO~>G_)Ly3m`Yp zlGiyW{ObIACkcZf>n48YjgS`J4lCk8Whcj_&_zO=cnUgcvzabG);W`D^a`;EB%5Yg zM7&hqzT7|&Ad%!rjpry}*{g0&9<4%TDRW!V-}!r!)P<*XH+p)!=&q z48SED2q=ZgFN!8$pv_tl0+LolB1lM?&im)L#xg)^I1fjnrO@?**J8?5q=13;I;}6Q z2Xh>7&3jDK?15?8npF31_4_&x>psF<-YlmZ&75DO2~bY959VN@2ip7j=V>r6MW$x! zEonxbMc37%Be92$Jp=EUI1S?_QuY0%u6lFd>1ZGcmy?mA^jGkQ_f+iwO)Xr0A^1t# z@TE^`a)88?<}!lW&N}hP*^~&f7aI=$S}EZ z7*IyJ-aO`6`=}Bd$&NJw^Z^RTkUclc^|Sy-xLsD1Gd4)Cur_HEV5 zVGcEX&>mnIncaL~C$m&YChXCn z%Kh7Sm&kwZteEbO0mJTAxc}5^;gJ7aMt#?hFSM^&;f+~Gy8gKh;7rHG!cbDA#_w4! zQ5XHual*g~24wjTdhX`Hp3ymAld61c_o8ii-gU7-1t80%7p{w;LC*8mZ5GYceR>C& z7fT1%-+wwBU2^OVph!) zj3G_A5VMtiz>vu=dbVXtb^=U7T89qc`fd?G!ChUCkTcz@1)!$ow>EJGABT3QbnBD? 
z;)Ywa#vSPM*-E=~`-C20?#CbkrrRUk~}fbCTvy8BR@M zJ_lb6r&T&frf>b-Fk(*qC?>q!z9s-lPYBiQ7+C9FttHdM?&wUjNmGP>)7)9aL&6W6 zQ!%ap>_vGy8obzlf-ihd2wjo85dWm@)5524AKeJ{7nWS9?WX69)1v&8?j27$_-RH^A|s{uv?pv#mZ*;h7TKc!h96YDdK``%CNBIMAk)5bHw?tcNDX z!`X=ns!qDSL6NzF?R+0rdb-=LbUO)K-d z{*GZX_j|f1MwL=P5An`U5OMIPIzMR}%>Cn*7O|;TXnPaD>L>SSuufeNxj|mZ6EOOx zo?rl&_nr6wdBVY1PyyLU)dFB1$=gI&OIIg3PWz5HT3{Y#8cG`;|4RL8bVs#l;nd!D?BtbYq z>;1qB2mhsoJFw~@mx;frBi(4ww68y07 z^x5mGb3F)&5!06EoNYu?x5JrLvt;XahtEMY5>;%1hvK7!o<6L9Gj0$RTjaU!A?6lT zKHB%gU7W)}RvS*Q74scYE7C270Jn=N(t^ipR(9-PpHdn%MmjTgH@H?lclU?R-G#2~ z0qH+eLd#VnFAD$*#^U>d$dO+J{omQTLL_ZvlO&_OA*aBzI!h>9W`}W!nrk-%rf1&+ zF!2--oPllA0MzOQAlSMRg=sIAYu>rhy6Wi;&>a|d^ZcCEbE|ph5?B^Q!5xu-Dpr>Z z#b_vlAtIV(F$(q(=WiT~T737?i1CI+YYr8a9;%dJol^NtRfE^K2onBjiuA8#Z0l+q zHhoVsdW?(Uw&dCba9c7;Uq#dFXXoYD!ld;BA~m>0Sfj1xvA{I98)|>2)k6Cz{aHtj zTs_4%$61mRtGo+f-by*Wm+%KNr4rfqUCyI&D<~t2Dx(>4Wga%Nvee-LRG05?A21Wb3B3Q2U(J{W*JT z5vo%1TEK*Jm@W3xRLO1CK`WOs@){$o@24gBUm)~9PD@mQ(~>JWE2kx!`_6{!RR53D zl6KXjy+Jfn376uHXK}4kDG9f7FCs|z2y+?#Ox;66($*`dCD}%xJV%vW`b(EIl=30N zct?4Xa6m@P(d%3B8ix4kh~q9yCQ1glRhrPe?`wf3e3;xd)Obm$6K(UV?@(pUGjAVV zV8d4gENcIWoOi97BM`0ttC{ZyBqF~87lfukBnj#bo+;OM2-D(8R^hjk2|c z5S+)XOr_G?r7Gk=R;Ui2UaB8GcsJvGty`!KdTnp|d^bWO4NN)_A>}DJAhA~W4yvBv zLGFG8#B=#is=;`X4Mc#OZ78et?A%f-d@9Cmv?8azCOKX_wBn zh($^o%P*6Py6|WMiOQ#2*`z2+j2n#UcvWwNi0_PC>&vS?)}MBT1tVX!Q3t1AK416L z(*T`Gw0#PpKddzX1-Pd`>}NaH*<>@p#Fvkx?3{73SZ?sc(H$PuSEZEbJL~j8VTUS} zrAvhDGg5(}v#9Mzww8C`5+mFKavr-DK}#=x($<;yR@6fY3|xz(t328HwFtOq$}`0O zc%SvJ$@RZ~_~o|uU%wJ5K#%4NSpyvXegl0I{jZ$d>u`#IlY5n)Pwt<0oi%kI|Ka3* zlbHnjZ5$-RyU!{+X%fVdp6Y!O8tLLkZdJ-dru) zx!*U4cC^kKWU=9c4UrLCXbZu^7!@_zOHL!X>) zv>wgnm#1tQzR`B<^xU<*r?%a^aUyQXiO*T_{MdokbJ9QXyv-VnbXc8 z?3uI;V~I0o$OzmI_j&*7qW{PKAO%tbO@oMnh;ruyT5#jY%x@C^ryp?`UtssLB-Ii< zXQw(SX#^85a(_heKo04f{Q~(N%Ciw;{;Smh`OoU()~d0SeMu{{{9??g|7XMumZ)@ zuEm%`N~!Kmhjl`l3I_@_;=pT?jI?XErzmDlGWFj9gZOAg)g_XuGhqo1dwCY7WAJWai)Q3+49qQCIi}p# zB}=!pw|YV57c|r?!3CtViO_F}={&iS2?++JIPMeqc=w6i33omEyE97OuUxmODJBvj 
z(kCzyy;#q7qRpBUPp8t9^yCjED8&)N?+JUf>i4W+rZREpBSJ;J(g=4_w?ZtYrWkey*vIWNeG_aI)^)xXpOKIk5v-lK1}h zhC5mMzYBXE`ST34GtWxg{2t$h**4MT0#cptQv##wM_JCM@4Q?)VO}K3Z5uLmzJ)Py zO;z`tH_TY?QAL$@6+3V0p;+7l^@r7--uSvT2BiL)USp#_ORQ;!@J0@%s6U_@!k|Y- ztx&2@xJY-H2jQTz;*v6VVDsa25Br zb`l^29X(!K4IUny8PJ^V>u}Rpnl0)#o9b#eutG00kQ*vJ+q;6Z`3F%dx4Ff_!{2l; z17_olSS4z;@cFNMu#X#UkE;^JqY@#~htBdKx-MxUv?6qQVyAE_38ooEMYu#Ug*=&} z>&ao#rUagLb4CJ$G%bH3ih+CXqZBf_&Rv2I(HmhV!NTTYmk4$S-%7Z!vm_tIN1oPt z^BGAr9GUPXFJ9doD=I=)R(Qoo*c4hVB+RyueKOmvbIwQH%^W24G%*HldqGuR1P=Fg#rDR&>R$_o*{R~(>%L3P+kwD^N7~8{&@ekGr5qk?+q7GrG(c7_1%a8NGnU>{J+-X(M5clW2l*Ll>O zd=};iRX9RPL9sg+Hh`{9)HAtQ*}gh@hZVsCQ(?$4@zRx7!aon3w~}HfAB?pGSG)u3 z^yuF;=$paqzVg7{O5a0)RP5yib4Bu3J-;5wZjhkq>-ceH#;VK_Ipe`k0W@c>zi$>A{VwL0?9o=uyeZ-w<{F^wCl|fBA?8yQ{ z;W5EVk6$Qy`KxK)gC?Pj-xe6oB~YAldcFDY`shF&6YK`>F@NMD{$LYd=5<)Y#@{W@ zIOq_Ex^H37ltu9q4OUX+t{~F*Vp{YoON2TWy!Ng>I(X=SD1W5k##A*7{B=F2EwD#g zI(>gMyIAhYH-gp4{P*ac+!@6iD%jz&xs*dGnOGZ`(gw58JdjUa zG5@PG3}R~_8rjE^OFP@H=_`#6AU|L8L^{HfPG#ZYu?r+>JJOp9Gmr9FWPNLw^P?`u zQf~<7^|qh-W)XE=^(ky)6ia^nwe-23LIg_5Ts-|y(9m8*EhFl^Eq`gT3w?ev+Cl^c^ zo!{m!+&q5wl=tVIg+CrX@K(~wOCdjfqOfLqzj>6X&M*Uu??mG-oeIxliC1@W;Xq?%J$D+bw zG#Vx4_(yZ^#E511)KbN|sPLlc7~?2bZoAlqM%DyFJcY|JO=OW4pe|e?5;wvkFV=yA zT^xyZCZPWyiMBMvuIuyCw~X`5i<2k}_sT=Na^mQOc;7&l7bo1?G;U8`d{ARN&L#fK z;rL)eLWF68=v4e0P(oy0LNq7taALx-6sWmE^%TxE}=0oH4&R+n;3tZ zkd)boIb)iX6P1)5m2_@AF~2eCqG#d~Cb@`${u(BlzMRA{O&H=PSM{MrF;?Y-l%s*5 zI?ohg5@?@NN;4thzcjV{e+(l3w|-nH(0UL8gaz<9eq~tm&mUQ{Mg1Tb`fvT9|5N_) zzrS!ANCqz7M{keEPe^DzjSt1LqA)5wk4^S5TT%#<&nokUb&t>yse)&bt*q;Or|5Hr=ztfJt9TE!qcGQ!{0Jp~=t-l^)ypV55z});3 zGsRB75k)Y(D>vN^RyzL1GC9j6cG@mOWoxuh(p?4nvpOy}ydK`YJaBg1-s!BPh5-(F zMu)zjG}m(+tiH}_?v5T#6cIh}|81G!Y_F>``2~Te>KGi@n$6fc+6n`m&rHQ6fr!V^ Vj0HRXnu@`T(qJpA%dG@od^q3FzCNun)`yJTYtH-r&3Vn+ z(`yyeKAZ&xqkpO_0RTXuP-rw7gTdf%I1mIO2*Ts>YHDf(0)d2gB@u#1#6=_$iA*NL zFie51DYK%^rNT~BDpg%wT|;BBhKBPTb@rS&b2R5H(A3n_(umN~G}8K)Xj)oKEiJaT zCPQ1Bs{Jn+YHM4})z+UoS8ML9Xmevfq{XcfrX)=;XM8A^Zq3#BO@bYV`CE&6VrJIO#daT`Sa&5n7?Vkf(2&t_n4WP 
zEi&UQTC~V~k(;@>`QpWkEi5dSELpPDJYtze#Vd6y_?75#l^+N$HylmBqSy#?%lgLDJdyAIeFi{eFqL4 z_~)O05Clm}OUuZ}$jrflKj7%BzP6D7O&5iitEzxbIdokNQ)YT zRFl<(?26(?hiTT^`&%kXnvc@mvh}@gmbM-Q(NVgr8bl$!5^{p(O zIM451_4rWBvBjIa?$vx7k(YR1@Vj68{ZsF)9dEnt-~IVj(QsHbZ_R^y)89s)mT!Li z;QsHQ%AxiPYaTxM^Ly&sr?-zEKAhc3Kr;n`)s9i5;ur9#YC1N(3XrhMY#>8(Vg#VS z6wUEtzE?)DGU)=d!K_C`Tw{WcGq2fZM3j*0_)wEIm}B!i#$?CB;sSN@iebRh`dcG^ zNaU`)Z8%alMp{oWujUSVn7T7S>q&g_@QL8)D^X!gvx+*waUR?%^*X?#ZZGt@vTM~qj8Va<`r&_ zF1-#e9+TFc8Lh{g^vlvUwvr;UjMi7O>Iu{$^F%;w4jG-==ql85XynyDQ1|Dq zvR(&Mm5*p!b2gK9DC@EoW|yXBP#Gc?+CwYWCCB+uBv91EXtubO><}4$NS_0Aqp=1o zpKj2(F@B9*i75j>TQ9se`Q%xvNTA_bD6MO?4{}GDevvl#S~hmLHnjQ(m;C6h-#||X zwF|jr=N1NG6V2Z#O4h9GA6B4V@<*=O?KBNk-S@{ij#ac6i-s*Ry(tT?PYsq#-_L_6 zOa%+0&e%2mu3+o+>Gy?6U#3UI!ll1POHb|k^+9s^`mc{y?|k|7N!q;h_gLkNUB5q9 zk6i!#<=)RPzrV_$Wi!ggxw~h^TNd7!ndq?lI`d8Lx$Mtm&-&eezV~ju@#jZ>($_yf z6~bkIr-o1M{yRN-`NrR0V|Tv({jF?Xrka_2v0L?LYUGCM@66Ayvk^!V0}xw=)>R^S zA2E7viwty7rc!gn*oEvmLWnYr)*%M%TI%3^%5*xZ2=B?R*EplhF!L!QtZ%8;u2p6- za*9Y>*$ujVN&&N@2u^BgF#M$yvPi{Lm5|+NtUI2?_9@ml)zY}YVf+v$r&#kc`;mFb zcy@3{vG$#oM@#pOALf!uXwB>|<3xARjSmsk93RXslV>)Qo@EMY;bmxVk$#WU`pnDOqLL)}6a=vV=~)!uDMKB>&80shRJU)$7}yoUEO^$T)JvXY1;x zXZj{DF*~pLCAB?0|7-Fxi(JMLuI?$;{VrkqmIa(@>$&9c{R-zuS>WZ>&&oo+mj!p0 z1>I?Tc75OXaxS?%xOw&Sn`gdXjqxoHdC~T~s`mRe-jVW+BdcH3_IMS6-CM8wLz?A#HDYdiZ=&its9_+Hz-zP;~x?T_2iBiCZLdcW#Z_5G--?!2}usr}WPUq9~1$k%y7@BTsE zpVckC*W*vM_rG`eStCDkJ@K;l>yIHnYkNDd@4eIh`pdqbcNOFt{ATYr6K8(j8}+@h z??wBYAGJU4E05gRKjQuNSKrSEQ=K;s{%n8y_t(#d04zly9|c-(N{087rp@h8fR0mj z)Ld!CLZ1Ob=u|zeODeGI7=Tlz8t8CEmZ#64#@VSxGrx-L^&NxScc&gPaw~GS`V8s5 znrdQpRpcgh3>p5OYG%PVMM9rpW4-AXw%^VCQys$#9H(13xi^nr_IYO>I^7oBb@Sw% zj(1B_rrWvjt%7Es_f}`8J7WB9oq5sm-uCXas*{&{t8m0;#NpL+7r*P)`JWvlD}GNu zM&L>@+Pzly3_f2SIX~K3iwWSv+tMqv%mXC{qEGh==`$x z?(f&i+&lM1e828{_500K*PRDHJHHSkDF)zjK!?E+xMdDN7dawpLs{`_K*1etbO(83;*%mH$S_6KKT9T zD?+)afYwaa>-|+`t+_Wi_wiJdIuITR_}Vio*638Fgc`O z(sz+~xudr#`EhB$@?X3L&D|d*1{?BCv*)@*9NyblZRG8c*a_H3q~Q(Z;-%|WDW%vA 
zcX{>h>lRU6J_gokd)KDUUH1CU_BI-yz_Ina4eo@*VNRLm6|qm-OXXKE zo&yyhPZ(-&l$@gaybT}Qu2j5E=H-h~BpQ!9wo83*-Mr}DG`|o=*xl^BwMk>|duyU9 zO2gZQYr>rNf0yhW(7!*P>zp4k{R>x4J=-U5bu}HQr%@LAPsxFU)2XNOSbCA7RLJP{ zUa{9(4{(mRVdL7znY3tr(aK~eyoOrIapS=()9mW(Id&DMRJ29aXvATtUz7SjSA8Y8 z9*qKK3n=_-@ibdN{Z|?F-!J~}mqcqebn~%W|0{I=6S*}DivNY&dQ1QBk$a)Z$NgFV zC*)px!Lek;|Bl?At6uB;FUTF+{4wMIhuq6JHR^u||ApKS)M$f)|ApM;N0P(-2XcpY zjdA`5a_cVIcIeuFBKON1Yy1Bbxj(#z{}Z`i>0kdhabuk<0!Ax$B-j{tx7S@EQ6yaz~>LC5kkXZPxlU_&<<40vA3Tx{?7wPG0kX za2B~E{0wtr1`nBCijilUSB(xHCgy`fv&c;|Agb#lEYM=V2MP^gUm|PN^c4u(g2QED z^d|X*kS0@(U^Mw65v0!9cF|QUQ0n5U8G>(@U#%#No6i%}1$8Q+b)<54Kbn?SL_<^4#W0RI7paOtMCaMS;ssW8MsP=PIKS z@v7E?T=g4kbplcCW}(c*oNIU9x3yJR=gHH}uIb0N)$1B?h|Z(S3S#=$bzmyG+ zZLF!0 zw7(o<`q1Z?ujSSKdB}M~8&QMtb+c6r*VKx%8LnoNY!&m;IMFv&v4w6_N9y1mj*2nS zf5Tt3R67pH;VbYWnTK^X3Xav>qUDWWzt&I={gZ*w$TGnbo8%;Z@TCR*EV5EWLqMNbgef{H~Q8I%JfzJX#FV!a?C=tr3Q+%KaU#N_4*%;Lk7W=A-v6ofukvsE&5~Co=!3&6@Fro zDH@p)SUyXIqaL`;^)XWf7>k4{F(&Gf`ll!djgH0xLx;|=*1@I&gkUF(!CP5GiLnw{ z=3l*+ znwK@C-`(N@pye*9v0^lSG}FFoAmfbg9wS4ghAZtvs_Ui`STR4-6wXIkS!PS3mInq9 zfmN2P0xx;p*4u`m{EpU7W?MgS5&yacyfafI$_T zG_w2_@$#UtI^CCY++sfzacgyh!9CW8mF6N`OwW*B1@+OAmI`>QipHhe$eNtT#>ok# zLprA`%jQT?M`Ig{)y2FfhkjJnm+%bf(abmNOc*%{Sz918>$25)3~0SLVn3v_{X}GK zD&KJL@ysdD03+sgf=E-6lCmTGYcFy*7d!*?a9r6@Cr9rFH$4AWjB$4{%U#*WHTk~gIp8AX9 z5B|9y>tp?!a?ZT+8ugy}B))t=84&cqVig<9R)@Ft8f#qWxTU^PEsz#9y zNc3OpWyBQ@>DU#NB`l6#R~JTZe$}|Gz|9zj|~zH!_9chFPuNWC@#M^h9X= zA7X*ADZu%A-nHrI#|(=pv8M%(Md^?VSM;QAKDMz1w4!G^Oc_z4M_sB2t|;A%fmfS3 zS6qUrxMe*6Y6Y*sP|ipv@#$(|G*=fZDQ1~XDu@uuDFuHMy(y(2xJGNv7pai3e^0{( zGaTKP1N_l;)t`tFJl)<8?K|Eu7fS=kEk(J!$Z+rF2xJ#ubci=&Tdm@;Eb1*O0sU$~ zz5-mqjl*QmJBjuyaGN(F7SNA>o988~*A#{4@(PLw!J?$10Ra`WE^s)pPNw zzVs-&-!EOG;@p(L3OSg<0c{wGrYw{l16+J6e*FN-M~SnO2Cfj{l9IMA7hwZrSZ5A~ zXpPyxz$F`lDGJaR{Ufx|F$tMREpUMC3zwT zF65)w{4`Gy7u$^qRbVw4)+s>T!#h+RId~NTcNK5G#e%Nz;df$L;gP{>7bj?WTjZ`9zcF8B{xwCj}w+JmqN`lq79WmyFzYIi6Fm0Ac;lnl#^e~_MjNp`UxOh zMrf6h2Y4$>skmDjC>J`Ro=bkMBvtWZjjOP23{o=!zn86OWRc3{CVEt21B3KRx~`Q$ 
zY7~=_0c6g=hE5s5QE928z&6QxNEsPkq)U>pwuxh(=8(=XuvN`LD`jeR zJo12?+({+w6vb-Mxy>?iKaX^oidz(fs}YleInZqeS;vOp#siAQqzVxZH;h`&RqK!w zR&wX-Ffb_`VyA-KJKN7Ysl)^|pksL_?E$rWB62@M%2dS78DFHvSvGzQ*T|wg2k`Tk zV=Fn7UI3ynFel~kCUgt&JBb`rNO=^&n(OXI3he$h-11cp@1mx4bh+&LG9Rzn>Nz!Q~oCHX>l(-%| zcSsChp%PhrBq@-C1fX__2#>gDd%2`?Wj@9Q<;{&EG?Lrpgeb;hOfpm!!6A527h>$83Nh)mnCxmV2~u?fr2A`q($Jkn1tiTDyzNu?lr3EekQ!6ITZ z0Qdlu)4jW&^WXta*pL>@9wiKHG zGfoY`U6eVzMaU22crVeSz!!v-_T*~_;TwJX_h;D9mnSy2p8QZ9nP9=MsqhafrBKDQ(NSXD-6H9mB9isLcp?p!0hj^3^3PP?GrU;-Y#e^Sn#}7QpOW>BCKgv%@{HY{Gs}QTr zO47KJ6lM$#$ly>MIkM7JB}GvQ8#B{@Rxv!x1!)avKVR`%T~Z2dr?U zb->?v@DZM~iZ1)3tZF!1KO!fLIbjek`B&xLwBy8@wOUvX>9>gFxKF0XApS*2Pe(V5 zh~bY^%9w&!9=&2p26rNqcT#wQL1|X*N2{YUsqlA|2!2bYyl25*=;c~+Y@Pf`&kTGh z2NcJs{gIJpwo#MBltC`&JAr#gr+ncSkBBJ!vb-ffDAg>=%~$s)Srq(zUwfdL?$i7e zfv<6wThj^quM#?jLVqG;FCHLW4To}A0wO$v5Ry)!+!Ta&2xUY;{ve{f0n~y&q1?E{ zX(03ul~V0aX+du5xS*nyq@N0+p9lqu@Gp6kTU3-fqBbIhM?`Q9XI;+vfKVko|8VFV z9{iHptzrOuKuiF2PxmcCdm`b^yTx0Sq-iVu!1deIN<_qZdWXRk zwa+rRTSO=n5#LZLPeqs@SM*8|p;Sir-a;zn5H2zx=Rwo~7NJ;4ddG!tFbG;IYmiq% zB?D?7=&(eYu;STzPcdiU($>k5L5McU2< z4zS2mNhI;T|#Z8uz43c1w2vI4CDS zG~K4f0beNLb}Ha3A}ZzN*9iPvS#mI)-m0XYzK^$JAXgFehO8lQ+3Y-vZxQ#?d?h)Vn=w|?HRfhE8V`l zUO#3kJ_>m$UgMZhMHv1(0EtXDf9^3#VVr0*jvINiVdxp*q?GFito7in{#157^;*zq zg^yvirMgOC7S$B-F`qY9|K0dv>xr9D>wuJkRG+Y#h$}Wlx<9UpFdBNnul16AdL)rw zdbWAnyl|tgD-9`Hd?z;WN&s(TXp|A_>7D&mF*Bc*uPIz0P;-Ax967bIC48%1@WH&T zy4u|B>>HbUrr+Ciw)jJHFnputa|QrE`h3uSrDC4885;oBKT(6I0;X=P?!NPu7zCuY zAY^9g6K}1guI?rhn#$yYmVb=~a^s(Wn4gZtGfd7V<>#Rpn6x;dfgQl)w(6!K+tQ8q z)Q+L*ipakSC)DP094bt|MB_o;3W@3isQ3RGFdQ0`htIj3t8(r5!k4Fw= z67(58a#Ao~MoI1&#{u?~7_l0-Lxw#c$40Sc9S!7tVSIJ0B+aqX-}796m6;46NNEu! zo4}$Uv+zvG%4*UMNIY$FkFyDYT(Q>s2FXuKHnn8FOY1f+? 
zkUIVVyz574a`7x&po@=xvg>BA8HRb1zHvx5tKxEaF_q?FxVNe82|_rD_rDSNae7sL z4u;9nOT3qSx`Ys{e)-(PGTjRIAdY6_Bf-pF$RGqXuo>5RpWP@UWJpt7sN}3 zG=H`tW|4cc$;Y#_hY*NSDoQ1>!*zb}1vE4VnKx6cGVEnzQN4^KNt0=SJu7`)JuB7B z-OZpw>_=s#kpWFvB$n&?GYGVG&1?ZG5l=^Y>c#nghVVvxGHOg*MGgu92RO~mu0Qe; zGE6879D%m&id2JO6T|z=6VP^XPRh*e430#mDT+H94Y|mW2#28f}YqknbJ;DdJP zn_KOn1;rNW$nRp@YMZK09_ri>s+#q_%ZdbBH6Z>h-_SGq=C-KWrG= zxN@2c&MD)Pld%|JGjd+<<9j;Z%WRouSp&$m%#F7h06Gz9i9mGsAAOd#SwMH-%$%c% z)o9?g2?}Qh^cak?^(%TW+ydUAoTsmc&Th*NE&d?Oh^zgMD_mSJtHnnuq9_u~@{a?D zAz33TIv8>g#999}81SuRdM_oW`)tSKXfjp2Yc zQEthPYc7s*P1WV<0r)r{!J&eioU$!5Npyu)&c+N>ZBRyLw>jGWFzB4+|NKOhk-;cy z6?zwgkfeAAKH@bmcM_puOG{|Z^g4`q5A2&&gb#G{dDtd?@nGWnjRHLqv$rD0%BKjV zw8*xxmFZg<+T;{qx1qp4H;J9<^7l#8v6GyI8vGMDT(E~j4=Nkuq<|w{dtlPq1d}UF zNC$x3CWUpmyN3NDM-(3MC;Hwv0L3+3uN$sh3P{zVdl*!)m*V6Va0TJ=bls#D9}Kb#yEA>H}C{)p+hM zHab$jh^42z{P4=;ny?$9)!4>7I8Bbja3M$5GZ|^Kn>3M$$$X z#B_Mju#q8~drAE$7f&a?rwW&#KcsIjEz#SfOrz9>+#&bZ)olhF4RZ_5sNyPzw8MGp z*KgJy+j*}+NA=pxkZ#G{MJvcwd%t-HiIZb@O^zy23Y_UKnyQQ~hIbek8J9<%hwjkV8M89Vn)QMPD|RUv#*4fu^CwFU@W_A*3HSPuTb@}?BwI* z`YjqKRRsZ#U6v3w@iAsoROLf(BzmB|e<{aCR&&eorMZ@KF4uhh8RKYmBNk7iq_R+SBUP+XlQ+>2y5Mv`Y-`tO@SUpz`HiVUN$(rt^7_} z<%y#5cxm|+8WOF94k%@mN!fvFCz*))FXYM6PO0l8 z@-PO2cnn^6Fs6Yr4DE}_*nD@sHXRqo7jD6)KTxaU1q-9`nPPUDNddS=0hXV=P`csF zr9+gB3}_z>+9uM9qY0CGbu)bC7AOu7j}cjN5IKibIJFEqDIU-jwS+wf*DB4m_dHTyxL8JOZ0 z_v9%-0RFZ)eSY3#qe~)W%kognX)7Wv4VMW+BtU636l?|rwFo17(VrT0!rL#D#%rt8 zg&r*i0TY>eQ$mOjCXNcs0FpKUL`k4nZzK>e)ZJ1J250Qf5^mra_+%B#=U`CB1+&%D zKBd5^H%k}5?Try8as)vw7{g&amH{1%@t_O~lR0^WUi3RYv}+XS!%3efIp$*_^wsxb z?T5_u9|@S!wUq>d6uY|`T1iKt072iG^bRHv#97X#dF_`#Nxhfp%-oU!NVS9RT}Dqe z+`!cb<~!*tL17-(Zl=FS8q5z_~c$z)U*uxM8 z@!RcX!q-C=-slP6rZ2BaO^-42iY>r&I~e-Qh2aIM7Hn{S&I+_%%{|$J{Js^iUOJhB zi^D?;m`D^~xQX$QefNr{|H^lXc??pyj~v-9+40 z_ThapXg4i$9*_gZWTcg6o+$?`3&1o6!)yY*b`|caK!`c zEMaVLhPy_}3=8B3gN8Q9Cj6s9SLe$%*Pu~M92W|c z)Q}|T7@FH=`?PqPFgPoX;w%j0q{nfEW{NCyR_4|$e2NU(5u6bf(jF}h^!5d}1ZUl7 zL`Ss<5(|VW!BAL1+H)Oryrg)`R8V9vxY*r&XSL8t{1ChXY^)Y;WtRrG2o12up!@bGUU$y7W4`d 
zrQjBu-#V@Bcql;$Mll7Y8#2Hcz?TOe_7L#2Z~_Tp$`tHi3KRE0TqWAY!K!+L zXL(HX{p99AiMxOAJje{|vsQoOK2Yo-*iwxv;1}+ZXZ+@6O-mtLx7-MkaBnqOxCD$f z6BXv`*>MFsInX|tFkXyX0OXMH>3f*M-J%z}A9)<#Upaq^*D3vg0~~=laNH+Hcs3Cs zx1e`eZanPVP&B#m@e*WHmN1%@zL5{@Wr0j-=6+e`(;Zn{J==1dDqeN^B@~o6+IHir zb}ZwFzzk7EvD?-1Z4zRH*S2M0dj$KcaTqp>uK>M!)AuoiJCO`mF%-*JGag5{1>mZi z&_0g9mh%*v%FMnU97Pip@o%`sfK%OT!*$RyMsUWuVBXH)fYM@Pe9kEmxOYq1KU{FX z$Zyf1OoJl9uWNzP1({Pv?DsL&UH&7~V{AU`E7&~xgd|A~E@%qpqMKJE)2zG%iNFy6 zR#KrPMN<|2v2Ss<~ZeL<2W?Pm+36O*~fT42sYzQh6SsSv^na4o}-Ld7Jp)S1jd5*1SIk!Knp z+_%nxeQfaIErP0d%{p#5)RL}Cro8!fpK$LY0T{O3dlFJ+&iZv>H1wynE5en41yi6w z0BmR#3l3Zzv$pyYD%@T6WO3({C7+)NSSuOlvcI>3Y)Pf{I^4(!k2!8&Lhq@WR}Yg| z=?}N0Vy064@q*|nFewJ|uhxO68Mu3y_GO5b3{2vHs>G8XI|B=f7RMt!ESJk@@%!!9 zqcK?s9^Vj$7oa@Acp4bGN#K6qYT&!9b>z&bv~?RUKAWcro$^6~VlJ9=V7_grzmnj( zmoG5WPqWk zdt#udY8?$)+HNMat(Ts?6sdK&kwPQvwaAQn;u9-|Hb`%tsKF$%g_|Tr*;Py_v5jR9 z9IuLg)=j1;5qFtjpJbMm0E04Q+313cN;3*Kt&0zya;}IhB~Ykkru=5QrQVP!g^ft!Rt*Id{;JXDSeUD6W_4nN$red$3J4|NosEjU0oHA2O z5q}2THUaSOjf#|{&;9{`pPAeXZj3?+W>48*!A>ruc`%1Gg>JFbE6Oc@Z6E%Aqu1)E zi;R!-x8BE`wa9FLlolQ!ICp83Hq-xl*KHM660o~^cAEjWPYE`$1OTob@f?@0e+j|8>U z8o7Qjv&b&t=Y5T(&RlwLapr+34(3{sl%{Z@kfrB?QKd>cjdx5YqL|I&&n#dH!h^XQFgp%bI|Ijn5Vg*asfI&nm zo)%kV8)tkvEtFwGx}e-ij!uy!e7lg#|v_N*f*bIQ(KAkW%}G-THCyM|2OwDr)%M*cw4ft+!kz41rx<9rNDwd2Tz9fAp;uEka^0TXXB$3StZxymsyPNn2h>zwZr;JQ9e>s& zQn%3HZwR>;vmG&9Nd=6r+@0T>StrzQRN$ZdK#JqM-`R z6fThiSu+s#%Sf0+*dCTw;CTWq0lY^A{9wWLUc_7i?nMM2T8SqwWRqC94KL9vPue^` z=+$y!zN3t0Bt@Xh~G z7V(zLPQ_A~nNnpYi%@lJO>(zzCRc2{+}D@Y3+^vS59dL#G3gFo2nR3ZvvDV&tbYux z_)}Zu4Wi&lu>oULY1EhnsSXjKucwcJDmJr}8~yU`-nuh^V(Q1R>UC;{`7NS%1~r>0 z%oURgBiD4STH5}UksWN8L#~VYmIBJ$QvN{THJjdeOy@s(xdo2vm!!LC9B#a?r*V6M zn(y0Tk5_5j5_u(*&{DQ=S8z?jgBYiNDcPXPz~y4JcpE+VE-%5x&~)mCONom2C6Y|# zV@^2lJY?LnF@Kl-HL|OT)2HV{g+x41)6Z)$eP zpiB{$K+nUL#*J<4G}9UGySsIrbYIM1h6hfE#uZpkDK#2FEw*}xb9Z$f3uhP;v4(lQ zdPD?yirxI8UHz$tnO~~&TyW}TT6vI##FgUkVe}@}_G3Yb-fnOw%b46-*pRbVC+5dd zOuuZ-YFOU@Avv|j=A~i|bJN!>HdXYr*p535t-|WqbRTwp){iQJREMiQ+A%7rT;Mo* 
z{8lH}Cbsr-xZb1a(e&n1xu^r&grny6S$mDuoVgVkoQ^vWvvizy3m0ftT@TxfI^;tu z1GtvyZd(0CozAh93j)yrMm-!e=;#%14wt)WAG&kzqy|4y-*!>D{uM2IP$ z<7qRQxV8nbmeMzJbS5n+4$b;37x;Gd96y5;-0eEM4^H1OYW{hQjP+XXjE2PnJtl2? z?>U@s(_W$37HW}tdi(@bb3DB(e}49Y*TC)4Z=DAC7|%4%j{XFawz|8#+4k#33_j|k zp$+UX;FCIJ^Kt(%4-h{UpX-pq6rx=QUjgNglXvoVHPf1;BDaCJp=q#O?| zjk5=A`xfq-ozPMiKFy^gNP3q;7x%;Qy=r13Kl^H`cvGUcY)+Sff9L0RvMNxP&HOeN zH-eD{V{^x&J>YsegpG*EK!g5QNkgf{9jrwUVxku8!JKl(eCEiYV0^uA zzcMEUzXc?$#VmhgbUMqR(W=1T$X#D?WRE1>@Bp>T&77AWIXkl$6_dVPnU`a6{KK}J zMMrk>+)9K!bWIUDqs*K&M?-Uj*}B0m;mx@IS^YX<1P{IJs&)3FEF+?`@);=vbu>wT z3n{F{)%d(6vA%Sx^JkQn?UTA(l_Ni#(8lz1GIhb2d^XlWdei0>@(w57+oB0FvQWC? zFrQkYwodAvCC(mk#MWnWma{x!74}&0)6zp#D8YrWwt|;4|WOxO<+;~ou&*Q7w52Ws(l$a#N=p}H|EEPtSFu9nn z`p{Y*JG2(&y1S4zv(s*1J(&$fm^i%}ls50&y!KtV?fiJ(kDUU27?MZ;-V`C zuf;zrKZE}i95>(jHk~_nD8|!4;V+cmWC52r%}#qU&m+9!8Jf`Z%VJyWY3 zpZjM!-Frq!V>Q5q_(QwpTXd3R(iV?Zz@d0?sYMo=J|R1__xKi_q~3JBwEDD=>Uz>r zP~d&qa((4;y87HGPsc=cBtM8tdK1%R9I^up1T6K_l-k7m8hM23a6SEK)guFkC3xFO z#hUxZb^0NbIr=ftd)^hG_m#@Yd#++MJRa3AJD-aCJ0_!j&hoUV=XeLPF&Z#UVqS2Y zxS*g&dy>;kTbyuu$Esme|7eWU1kju=0%&8w&_XtVaB_wWtGRXH4D)Q?)Szw6%TBjo zsvuG9rgxCmK-0LBH)yz3>mAK=4lK`6Ut^8(&h=zJugKkdFWt~K=`p5*M~ZKBGaQX+ zc5dn>1byLZeN#4Na!d)oo}0+OGKJP>L}h4fy5SEVWbfV&Z^2mPZv6}OkYg?$@8>UDJ(?BPM8m0xI=-b>`9Gf zd4|Qx%c$cnN296oZTZ!pW3L*;vK^z#6Z?Q=3SvSQ(;(%iz@qDBp3zLT{sG{X{qwxs z1x=@Q$2rUG-^XnVlaIxUE{(mcholE&`wE-;llmRuU^;mI3}9RiU$z{eH zk58UBw;Z2FsE}na=z6!^oO{z(1g1ut0?WAPoXo;@nY!L7B;zEhPVxq)!Up@q3wAu$ z0fQ#%9E?+cgVS)s|Hs~Yg*Cl5d*2BO3B88iLQ@cw&^xA3B2AhIf=Vxf5Smn#Bvb_f zr5B|)0Yg!W=t>9(DoqUt2pXygh@gU4kT>dD_jcXu-S@K(p0j6Pp04Y1`Jc>uX1+7O z8HF8tP%l9jKGT2jiA*w0naC+;&mIS+GLD=?@K*D44+#c zgoC2G^HP83dT0kmn}rYyCo4=~40|!U4H&~Vdnsefn3NuE62`Cr^ls~wTE{48v`4!w z%kU#ej>U|rjcH6?g6}EjoOHax1_&zQWSBrz?C6Ik_GphvGad!%Xbu9B92~@6GYPdkXl9LKuAS-1PQyx-J$rD9sDdVF|hbO4i zMxy>S)vy@TOCqaRx*1Gk3`#+o33z93B&@AOKaQx7;K-ap5q#=tFh~qOPgS8yv1$-> z2Qa)HHcW$rxLORG7ThQeBSXJ&A}U_!+k(~_FqlLZPN3>VQF+6SmAo)|AEou&q%&HsrWnW*1JZJT%{1I|-vq3YVWibfN$<5bB&@refX{8|s6@g58N 
zC_$f$Q4S;nQ_zPwh)_3_+5qNp9mTH4)sYsD7=VIaVuVxpS+P`2h9~=>H4HF(a%2@R zsuI8iR7=os!f0yLgn59}*H8r{G6;-UcEe~zVHg9xh*CUs5wPD6qz)D`)<8-dfV84O z+HM%c8WN}pP%QP;j>Bks5!E_?OxX?^`zQzfK-y76Ed$X0Hc{g^3r$PRfqWOojr|%L zueH($^T%?9!9;CZ55P$LSpo}h}T3Dc|5+(6G61JnaCvYF0I9|>AJJ$?DCKp0v* zkm$RBK7_*{@=@tFNS;B0Rv;+e2&Bk?JW>Tc=tNcTfU+y^VKn84!zQu^ksz(X*D-=b z{>=TioO0D%sakPFZ7-^NB>}ixQ=f)ccK~U}fwWyQ>Nutkb!=h^RP8jNF(cljptb#| z2gOmdV`*?3qUKNTHaSTSDA`YEHxqCO-`_VMD+Vwn5N{tC!Do2DSBs#vIU^ zH~}WbgIMe}5j9HjJ%*MbaqS0*fu)=>0EqE`+Cqt1#b{+GqS`dj+W;wv z0BIHb=jjpm!QwB(kRgMV(BaowQ30~pJuo{DQb`9>bB_2R3kfPk-_kn}zD)sX0OS&g zDmp+%8-N%NQ#m&a=|E|Gd!yaEswU^5cxo+Cv0g2n2!|s=Sh+0ueTKR=t*T)0_ z813aAfVfS~Qcq%~8Nvp0&RSV>jme=j9fT#QXDgle0jVpeUqGAOI0Y(YJ5XkHR9a&{ z8r=){hVHyVIE4f=kCG2KVPeiHYHkoj;x0kIkrl(K2o2`12FL?QV)BJ$O*r+d2>1gD ztu;`q#exx`jiPqQ3gEr^8Z~MS38`#Dy$GpSQ@D~Sfs_faQ$e8Wv3-2gJsR0J&v{VQ zOVOuw`y{a#Eu2MPI@3_hilzca!s$)yC{iYls4+;;ZHZSz)F>JlGr@DFVldrTn8HNB z?C^LY07xtQ0OQ|WpMQiYAFn2UR-1?gG@FEH6n}CWDBBuvNC6PeZ zRiIZo2EYO|MoDo{M5T}*8+(vfya)gdgCR*R2?DY~OyRge!+4-FN>YwVJTM;8njsS$ zFVZ^%+X#WxxH5I1q-%kka)4HI6Q+TUR1$#mR*0a|Ffa-!$$}QHoGx}mLQV^_dm-W1 zLLiuwd^quuLcZ6Nt1!B12`DF5R-;99Do)S26&gTuoU4$^KdGW zB(|I8`=#Q6!twG8Aayv)lox{YI1mm)NnjG%Ftn61h2Jcs z-xw*uf)>#kIusBL?hQTXrvg15#wNwi)!Lj+!!f7$_ZyJK8(I&0Dx0)&$A^bvh@lYe zw(V+H&16#0I6{>9z4|o-uoNY!AtW?nET$C7Iemg#Jj4pu3`)5M^}<>Cnpk_Gq#DAQ z5@sd=DZuG?`F9j<7{F|QB{07Q9*25#Z{7L!`~5_O;2&mS9wZL{EoBU}F6E_+ZmL>v zu=ckoKX1NpH6EnlF1Zk|+6w0Uq&637wkXf|e~#yN5snuJFe!vP>M&lC0>xoyNjVBo zIJh5<6eOxSU)w|#SwWT~grDEi*)PXLBZ~vj!U}`9%DrhwHl>5}?WxjY;76pC0}5z> zxz?YeG0jPoiX&|Tv+fWy-cNUN6mOSq) zd8K>(b?5bWx;G*}m)HPGBcpC`>y-(0l}YK9@9!#C(W}tzsyM7yY1UPFRL^*j%<1}t zlk90cimWzMt?~TA+1nWT99d)ERd++LzNV}Gmfp?wFNsyjN+}?{T8y4J(bxc>%Hs_y ztX#iUtQK|vO*h?@nS%ih1z(RRSOFg z)s5fhK-Es5I)?U;Vk4U`I<}bU-)+Bp_m4gO?*6;o6<9t$j9wH*EdQaZS-eULMqLBN zW#=pHN;J%m#UBQ!Bv4fW-@3KCsfP`E&ANMAqu9?~-YqV&pXluqstCXUkp_ymk80d-KEdeG}!H4M0arw1`W5ChyE&t%$PiPp;|s`;T6;t8U( z1ThUJIV3@@16Xj(^|8>mPIhBX8t@jh2(|FK2werjOFe2B~I#)y*dAx}m3) 
zu80_544nvv(sp$#L0Y7;XKO(1e9WR|&DP2CFu5$G>OCR4ODH>%d{6zEFx5ENTHlxIAQLhI|0+!Cs z*a{-t`*RJ8&YgYH9`btpUQuN5t3U8Jv!k14B&D>c!(;acKAgMpWP+lfv}Bs0Kp3=v z&t8)3JTB>%ue)z#N`j5qd1oNYWTxZ9SnM=1p9;O~y*z%%bVqC5n<$61@xC7Fv+0&B z0;uyXc3mz^Nsx$vqYA?Lp1r#P3PklwSbfKnpz7TNbSc2mH%)@vXLbnrQEhK3_H!4e zKud6>Wp@_G;XTxTUIJnDNxu}H!)`!2Rr%?FY?kFy*@CC3OHgiX3R0x-KF{Wj*Drxk zp10VY)Cmt6eXT$uO7@8`Tji|o)t_jdr%nN%$h9WAH&j64!K%DLqnB6 z2a28M+j}St+?DJAiABfpwl@dUP!POhQRaSe8$nN$cz9@M#6$*)%XuN|$f3!FYv;55 zB`gi9<6*cp#floGu@uOS<}QO;;E~>t{emF2axzB%9R*nqDN^_}ogj&gJX-zrJ# zhC8(6+;V~0YV<<0Z;_&McFO6C+?SpTMNcV0i-VGQW%19&d5nwCh3e{oRH{Sz3(mT? z>2RO-Wr0eZI)j|tpzi+*LPT3_Iy{i^L{ z)mt25t+jiVQxf4g*78e}H}lKc_8S~ZNq|H>?=EXrGWKIg1;W+h(bKv$q9~0>KqhW^ z@6HSMGt<#Y?=Dg6KsZXQ;`Am1%BR0=K2&+N>EVJB96jEX)$jbc;-N3EBX8&hv6wR= za6j$)?!LkyN3OL!J$Ux8wf)TD>BRI{oQDU*pDeSabr}#CPY|HxtrGwooDWta85=Fo z1_+|8P8nCfU$TLdYGJ~`1|cQ|tY=sA6)($%;K>(~dR@Lo66=}Ch976S@htrN3@acf zWsqva6fRYR)zI{f8C2I6M=T2!D&~e_nnrMkeJsZV9j4xJ)Mm2KC_W7nWM+OJ&KU5# z6zvfbB(ov<6yYwhpkStRbrjVilEBOxMHW%dWIS1&m;6Jx2a+(J76X@MIUBNv6rN)| z`yZ`Jno`2jam)AML07Mpd|cR%V!c0G>dDK+Lze8Cz2c!k(Y1=3yQoHIi%X%x06a)o zp>#$7ZPoz$RpuEN4ge4bNj%>G0=Y)x*}r>&Fgm7&Bxx2f4;?7`9-!nSa+wWA2e7h$ z4jJ>}LsWs1%gAJ%;?jO@!CqjwO(HiW9srP=6Wb~60|Bz}c63kiMgSRbrIaHI=gF`5|G~PTq3MA5(Z>r}Y0=#0k zmRDiXr+PJn16Pa@A4EdbeJEgd&3M7LPW@WNs_FJ=%Rry_2Znn+vuPeMqR4ZeewD6e z;J$8Ivt@_l#s6ey6JfB~`6D`KU)$_z3ALw0xBN+_$$^-;&G_ z8lA_tn)2?wjd-`?aEC=ZZB8&Z9>e>1yUak`y#P81;JgFaOL3e=^ZU7>RUSJMbvxYI zl*VR+={)YNW>H)|19+k$4y*AC8G|#D=KfF$;x;fW+^>`#)J1JUVvgeNKox z|G713khTuvfx1@>n{nwMR~pHXI2>5im>w@%4q%>g#cPig47*#i$h;EASDi&xndtOz zs*x4@P2GmMmc~J%@qmC1jEFUh*o{5j1bGf=bMJj9X0^;EQBw3M%xS5JHO1RDqmWjm zbsP79!gY9%3=%`MnVi^NnaGSMcwb>*24u0=?13@j+X{V&0%(FG=Am@6(N=R-NuamN z3t4+azdnE>`ydO>Mx#H_ercO=HjXkrxV_y@kq8RWUw}-pB#TwLW*PC70^XkcbeA0o z09SrBlgmVF_3&~9td(tb8d-CZk0ZGk^rm9qUtVawtpT9x$qp+K#+XB z@p%M)z1Np)@Y+QC%ag3@A4)zMETeq;N3Tgn)EzBZi8KMSIg}D^dV0OFiqxaslswm* zQL?spH)g#3LKb5;*6XADVtXF;*Wc%~e_M3sBWgQQSm62b5Iqt>ptR&2_on`f{Tb0?x2|tB 
z=3zPXW?9jdvux;5B(o7RCZ+i0YF*^+JG|7lN3EsI{v@Kzp-mP&r&(5MQarQqAF%^w zFF*CPf8T1BI>(EkGuzOaBo&%jjl1z|2Km5#&YrK;#}9vf8@cxtwaz4v2Ka;qP(?S$ zEEqb96`pDIZ12i0Js7}B0^|%a^NcdDSpx;**&%q|1JYbxfZao0Uzm8-I1nIB9O$Oy zM-3!s9~r_JGFYJV?wjTAB7^r7YGj(rTrIXQaVi40*p6}%3B$hm=eMmJ>$%y?_S3ljJ426yrTQy>z!j}9`Y zbDf009p>3;;^C3l+%KAVWkdLNoB5B)tR86osLaGKf0W;F6K1O_ z;7f!h+X$T86mVCScgo`SY!*DbDY$nan? zZx$(O7Tqqtd?iFwwC;(Zb379l0NBQ8df1AI#lNgq74HiHftdbxwH846|Kd_HRlsQg zFF>5Jb8FxKV9jkJV`%k%SDXFc{Qm!~DgVnbc>rf)xJ@Zz|1dKP+-(zS(|nq-fB2gK zM=l7|^pWynpjoy%hQ=Z8Wb&?3R+U$D5G%l9*#@^;pMGw7Qdz9cT3Y zAbbfcj*X1{!($|77wjy6z}P>$ca|&z|KDH2|4W`I0Ehw{1W5dCIp3av*94id51W&n z*SuJPF-N81tafHP-`fJl4Z{d((Cc4yGxlK*-}N1eAIRI|YABCvV(i0yJz*Hes$OYX zs1vfXFc~&CQi_iJj-kLzY>8%BQ{q3CRugQimK@IX7$@^tl^6{j$f-{|gdm@g(6-*`w)>s#QfP@!qMj^+$%C0JrWXMbjtSm zZ@M%04QtmmIfb}0L7x)2tjtS@TfwE2oTe)iJfFE2&GOE=Da`KbZnT)628(Ls+XzV_ zia#Y79jm)y87AVM$C9Bs_B{6D+XMpSBpm=^l~axoxEQQhg+DHlpeapASFD;n2D0tQ zv5+DN^Cw>~U_453s7n#J^h9w{1_kM!J8G!2RO@N@+0~w$20qKvCxL_cFJ$2c-5)@Z z5D_4=jj5u1w!k<3|H%?cRfg@P{<2+_FqY(o;uFzQa2>#vA&ETDs~wy2ml?av4+gpO zs(LVM?k=T@AF=bgCn_QBh_HWG%-CgqvKmv+LVuL28aCYEf6d#vL?gPo?2O!!$1u}>Z-GPP&||JkF^>Gpn|@fNl)}l_ zE^nESPhePt-DmP@6=S=+^Zf-lZ*xU*x?|CbiPI(DprZyR^H+F8!W(_Z_$X!eoYq944ST0B`(`lqglTIXiCnlu9M^*aGA&|5>(D>xihPi%Un2y;X8H&n|AMs`AJ<{Mab(x zy-a3SZb_bXr{n96UR?=qO{?*5oV9ST$h+#FR@I+XGkQdIj$AWc=hns>C6~V3w&6zk z-BxdJ7~+z$>@Ao-C{kn7_JU?;AJ>_r7uFl&SyBKD)(L;iQ+dTkc_n6h331~%<-s8r zUNA2`uD|KtA#*-`yD_D9&Z*YmcMazx{jN=#p!q2@{t^B64fAYz@8R~R{S2BBy~0)9 zE&VVfhb(4(e!*p!Pk%EB$jTDUQyx~%8!lp|#XC@LZ&)Vea9Q(#=TSq0?PX8H@5R|L zR1n#HAqy)S-Onv)kj;21XR7F(&8s2un>Shi!)Yj-Kb?lBEcqf6r@7@U{DnF|MRr?m>0KkWxnFENdgycLGdl+_Uy_j(TU}Wf;H&P~5>_|R~724Bhs8~00 zTLX*EZjantIs1Vxe&5qd1I{2GIqQ=h!Lzx?c-^*Etg0YVh_A_qo+LqGSYgdrtyQF` z#sLTWPYp-dMAf}=t1jotC^}T!ue&+ELOXymWZ}?q=|Jm*FT-0*+Sf(L9v){81~>*z zcn9~VNCZT90sJZx?MZH%WYN3sW>}K2PF|DsU2wpwZ7fOKoeoNz|32_lbG(XjRz+o9 z+;?r^X{z?&7;(Mr*+J&8fSNRe#L%~M=l8aQjAEna7bb69Jbmv_EcE5N1cv)?cr>4V zAjQ~?mi}5QR#C^x<{~KvY8P|=B(oWhf2}* 
zJO>Ya@O_H6C>Zbl?C{2-PW9r|DAAlZM=Q~H1$W=5)=gZu?mX33IKFnG?kx5Gmie)R zM>`^BURGUxc4)lr{MPsMq7MyE$f2LE3>8Ho=6k|~WRn_%-+JaI`SLvwpM39?3w8Q@ z(~QBgn4LR~ab0B(C3F}E7?RZc2b1a*znhej@3sfO6!`u>S`~ce--E?p;oHVN>Blco z99y20_v4q?+mUF}n+j1+d-L;`DF1E?4z%+~LVO&4SbW5OsY^oHMKDgJwR)sTH-c;7 z&4>NgW#Cl7DpuGVn|zA`$%6ys57I@I?MCyn(EhYAE7lmEYnMfC>6xHWdT8Lvagx0u zNoVoU%pc*iwYOKt74R=^xr;e@)T|e&dd!a2y%_%#Osf{j->6S+d;(&N7;W@iYu`_= z;QAI`)W3?n#Ay*aG`|+*{|u73{y?pSfR_*Tf)z_T z)4sE_Q^!3RVr4MrMoia9pnP(+Rvw~o7=EJ7TPnTxlf{A>1q2);)s?gQ1YJG?phmQ~ zO=ObkVs8(GMR*hmX4zr9&>qpDj|J)4#y>z%ozzSv?jaqf(jP8n zEeqWj;w7Wf@}?icH}E?E_WBi^t1^ZTL7FrHsDL}}i3RVJJ* zwITD6^a|@6Put##dEELW<@b<<$75T*P!t!m|_B~{#i#wQ5(53gJ03k)6 z4h#UQY|q{~e|Oy}D}&|w!>?n;0G~S$r;gomF2{^EXdy*kOP=h1U+35#=Y>`vfj;lD zk2MboM2^lB#?|NmTy-`F3o|ap=6#FYm~9sbzJBU_bl6(oZHw@lrsB_AuM32(wXYl8 z9l5{sKGiM=e&W8b^Js-6mg#Y>RDBg41v{mK0s+@W1RU77s!TF5VzoJN`?JzH6R`qp z5oHAHDkMPt3r&`>Xnp+Ih`EFhkEsN%jj^p7H;wOu@Uk*?Mf2K}&R;RG<3T}`!QlTg zM9x1A@n?4X@1Rio0SXrLKS8nGCA}l8im&|z3hR>FIm+xmL19&_3teA(^TEf4fJuGy zE!tt(qRJv&wAgmuG+hLH1Kp??0cYKpAFujhY(F#=cBD*AVu$?n&bhtsWwF{E7Kv@< z&$W2Q&X#m|byx3RtGSs3Y&;Vjvw@>JbqAl9BL^{sfnvpaX&M zz)x!t zEP~K*N8or<6&(P7(aUeGIb;xKr8A%DL3bRfVhs8FAUsD5*1Ity1|u}yc%K<*TyB!0 zvUDPx)Fy)!wwR6wTw00Hw1udDqfVk%0V>Wa*`RuO3yX==+FH6d2a_W~u0`K|WzJ}R9%a;P6Z8?S0W&3Af#KvK;QE45($K5{yW5VR2lt($tjKKKtM_>f~42%kl z!07!~U}SG8RmI4sGd#@;_a)nh29xva2sx%e;6FZ;;#^L?z4{a{lE2oK%)w_EzV|e} zBFC%7rAU&l_Cz4VRVVa$p*Mfz&EVs=*Viy$5?#4?=ip7O%#gz z?BN%cygE&XVn=%&1`71*M&M$09ryDBP3aZ4lfQVWewJ(=Z8LoFy{pIxpFv5z3U7)f zZN7deb>qY5(vGm@M~N?v8`CB9H#VNivV31WDgxY?I{#8mRrX=tzCT9#_w+_FN#DL0 zZs*!!cenU$nCs8Mt>IhtBSaq49XBIIRc1#9jLI09*clxtC$}>e4Tfbi_QLNo`u&hW z^Y7n!*8)Wskbe6%Umal*4=f%DO&3B_{M{@D4xum38g%>Fy|G^=OCx%({jp zOQFiLe>oH9FJ~%KNge(c-A1>mQZ4x5OpIJZJ@b9SmoN-PGB!#&pql*|ry%%7=)LI2 zc<8=4S{eV2%1Iq{zp(?m1&vmADifoxMfR_b3(=>y)AnCxW_T<6gv&WSy`5jiv!M)+i4#T-U+Aq3|7NY9+=LH16PB6SISs*!be2O55jft zZ4a;IIoZE%JVJo_#o6D8*-?$8DtySNa%zl3%@46h^Lb#0TsK`7I8T{}~7W4M_OEfaLuX 
zNaBA2>ErGXAOYR~1d_o?W{#^9Z}@zMZfJ)I4ywuxa1d2IzgLR1!I>SV>#Zhj5O3_N zb=Zw2Ot?z&IF6k^l{2Z)#~~_kE?s?p5}1>bK{`nUsINi}S7Qy8lC5(U9U3bG^Y!oe zgZ=kLcU{t&Lb{z$;FN>Kn#6i{YFokAnlvX>Z^9X#{J7hJY=XSB!mllO6W7klyh7_u z{B>(cob_k<#dF*3dwEAH>eD%FGFFv>9oYMg} zVvT+gQyp%@=LvEY+5K_x#gV{)CF|llXQt6_g-g4a)?fm(Cu#ayv{vqeSzF0t=RiYb zu%K|XZ7;{W&t@}7xhT>ohV({DoOtk9hnodfQRmskgS_#BM$C-MANXAWl`j?Sy4)Vy?c^Knnq7euI=?ceUn;(9%7RU~DRp!%=w10l=VU;i2Z+MKtLApv z`s2P-D0wMe%v&3nh^8p>AH4ZmTH5r$& zMsDcb-M5uWU$L$?;>;haAH#5xB>T9wbiF{w8~o0;I2Dbp%(R}`dOx&Eq0q^akG^}a zexS@YYaKDTepjH@wH$Z+)b%&d)lT(V+6U%8y>*>&BG78pLZq-aT@UB+_`1Yh>-6MC zS(}NWyPwusn2*GT-lZsJajMbAPHTCN$F@M}07V+0fCt*k3kwHA!q; z{Y-cLE*sxncUQfxTeAEMUxUQ!IlyDtcR5Ax_(beAX!_ILrVh__s)OWb=O^^Srpw(u zleuEt-#~80d0vC6yfkoHSz%RbdO?Swnv}ga@!pU51pQLY4|cdGWr&I~&c#AcoUgfY z3X(;~J7L|=!ELM-pFg``rt8Lt?Ou!nEn7PkcJ_Chf&D3RxjJ(aW>E;96xffH_mF9+ z$M2cZ=YIx@{~Xylp8YB{KC;UGC^b%R{46zG4Nf!vpGpl=HbKoGnp;+zFRe}ld0Uk5 zV7%odE+`WV+)}dUlS{&d^;^1jU0kMjewi(MYgdX(4zx%f7H@HTIXd}*pAu|K4uMiZ z8nV=Ezsnb#f*?$h8RI{?w2me>r$(dcHs6_VVMnC}ct)=ueSCJFOJ!m3!?3|-3L0}7Dw<>O^&V$u zBHaXgpLinh*Z|E|_(V?+htVjBazgsf(#u4`L*heD$td!iz05ET#%dC7pRo_Vo?YQ! zR+WiYpIuX>rh|DIE2y`O6&JI&Hq<#R6a(prB1ZAqc%g`28Ln-=ponocirG@I_XiN* zuZzR~0R$-UKg;nO|BCx)8IN8_{;#;-9Wy5$mAy>CT!Lh-l@uLmUFr;!K=%5^HIN={Ek0qF-i)r#j-CNOE z8>$6s)85?Xc%E&0Y|>{;ZydyV>h05A`{!qi?%p~}y<&(6nCS|nqR@4q?`it@by}-qCyJFbmaY;a&E3(bh5P_5zlJ3*!otm9q;n4 zNB(IlorZhX7iNU8xmglg0xjl0uDlz6^Wq!j-Lienv&T-6p4eZ8L>{#V3UbplirPzp zhuOp~3E#|n%N5UdtIb|CX8KJwIWoaeeMo1GWH04|i$)TZ-q1b_8`2CaMl>UN{BGEa z?a+;-n*gC;{!`d23{&d)D8@a69Rw93DQAqfX{SVFCO~HMUz!`WB{`IOl2#Ob#BT5hG@^c3i+<6N+I^BA@tGLQu`ylFN zxx0FTh(H3Eo!cac^5ISj;rXrCJ=Ja$0{A5-Z_g-u{|aUCR-yV1Li4N`LxO&qTCqsi zaH;2=@GE-UBypFqervIQh=1z|hix21R>;!wiujrFbg>|pcTZR%$<6GJW$K9sKPG55 z)Lz-CbqQOE;gRW{vo3#@dq5E$OGwND>OSbvK*5j+yeL$^FE&<12R z+(DK>S!Xpp?X^sdnU3r2vN&cQiC}h*J|NHf)aa*o+P=SLcNH{d0~L2Y_eMT1f`&w! 
zp|co<^{cMiSIC?8yV5WFy8-_r*4|Tzy&0@Me_;(NzoXEMy7MR2u2(^Lk1VGx^X;=L z)C!SYvt59WMpG{DXa>UgVjZCmQ8*P{3|v&&Wm$LJ3As*QZbC{MGNi_<})P8J(V zPR*L|GP{Vkr#l>KZ5pStdJZ1DDVLOhNw%gR?pdDjubS@b|R()OJCiNa_a~>N0;NioHbFmRnTgEXnBZfiR*8NbEzy*~ARQ z6}H}(Ed*yl^sLM|1>=a$3>*CrJtJIZuW5j8{XG?+fhFb;V zM&)LEA@fZu#asymn7k^c)OU1yrOV7QeN_DT9IbUN{{O2*aX#GjGwld(s!nII9nw2FnRmgB7>s>-@K zD8UG_`(ln$k8Qt@h_M`uU4)SY|EM}qV3EJ|X$}K30AR)+0E+-%k8@&c1arlGLu&`V zeFeTxFrL!8-AD3B=GmQ+}HGFwc9l7#FIf;qmH7B7y3dD4YuH-kpotNn0 zO3!N*6*?62t`y%sO(A7{-6~xlZxYL2yCl>!25QiUXO+7NpQW+j9yMci(Y>@#NVH) z7WeA#&~ano_>LYnxa}Gp6|DZ*q0f^cs!%wLJ~F5;XDsvz@*v-qVkYS|LA%H~6>cR4 z15}j-yRRXntl@9$M}D>(4=Z|a$k=Gmfc+Ur$me+p-OSM}TiB1pz}(c$>-Pxd`nzfV zVuV_t(*VgG&Bw%TuDtC2=vO!R{bF)*Dx5c}^;Zi1B?}D*^ z`n%fikNTnZ8|qX%NEg%i5ut9=)6reo%t~WKW>l?fh@C>d>avay_O>Dd)cl54lZYQP;mFi(#S)nUJhd>L-i6nV+yTc_*-#Pd z--zkzw6xYMI#!u(`A1U(vW*YDADp)~*s}c4=S)YXTnkgo^|p=!&PuZroC9HDpcIT(O+IX z648t@wmycWqO4U!UY)t*K+Iz*Hg_FzspH`dJ_xR6T zk< zOz$6kIdMZM?sZda1pdL}qRSaZGdEvtO!c?FG8{$TxzN}m1iy1jwCMAatz4oIhJ@th zKV=*O0?zzw)SNfwL5pR&A&Hjw#B7h3{tB>UF1;Kk;Qf#GBa9xtQ-;wXX~6;FG!5)$ zI24PSgu53{mW{F(Bhf-a6y=zCy~ya_-6;B>2KgHTCVodiFEsuy1gsp0O4upQ_!9w# zip_~~p`wAGLze~%wdJ3(*e#fv5e&|MZ*xYVOMK~Qd4+rjf6G#4F^%`zO=H0NLyf1r z3kl4eY?h+OMNF$X$p3K^fc=4V-rw9!WK^S#gyiBh41n0VUmYWwyHpT zE>%7JNRf2wEzPpa2VGNLIjQe>SZnw40nM-nnK*fI; zBr^!Rv0OzQ19K(Gy_wU%Z-s^Yf#MjJBNJOOxTvE4Ghi zxn~ZCFI^a$csN!AZO6^#upd9e&$kpGrj7=ICe4ZV0`Gt$yMRd?vQRt z;qXTjtDYSnTADu>pwHSp%Y0+|c=MCOoBJiRPcJ8tOIOQC5oY@IuUfBfG$#wa`lc7z zFw+|*8hm}$=l$}X0#N(p_GadZU6KgaX}II&&=rs`Y*VJ{-1htG85u9#^ZEhBf26)V zU2xGS?wiqq{YX4mP{-}C$6EVSjxh2poyemX)z8JPs>#F5xXbIF#B1<-!zJhUkNa<6 z;rS$*plSeR}iNe|S+ zm%-Iyk-nyEZ5H_No)#4a$iP1srGH*iDzw{VE5?m?-+HU4qE_S$6uR+B6Sf8s{WqjJ5v#Y5Q&q`|rBCkxsAZLyGlR~IOk^NwbM2-uuM zi@F>5THo=moNKRN104%bgs91P;L$+riXl#&993b6NjF0rg3Jh2Nv#M8LgL!Jy%lr z(r5fqG-16ywaD=Baix(%Bz=jMxw|91uYV_apT0!c{$er-~nvm zd4Qgi4R)92Ih!avUNNGsbVO$qa*V+ch7ihNh=&&-D?#}iKad&mKtVQ5;BVzd%RfH- z-)C9>MUaQ@5#D zwzz;=YH@1i3&cH|(Fo?la~UXxn+jHHWB 
z@ptTe?Pe$Tz@gZRdu{g5Ipl3}MUIsun1K;vL4UcdAd*ft<0?3P;hK%n=l@w3pZt5E z`$du8MqXK4CVq~*3f!A!jJ(cs#{L?4y-~m>VV~)AWFzV4cvHfWTO8&Y`k^?>+0bgn z(ac~`IbJV^hGPd$f6o?y$)t)FuH5F=?gt&MvhbfuSe~`e3tuL8HczSFbSwiI%CSDM zcAaQGK6L#cmXLTO`lZKhehWrnSPfQ>0`9lYtBs7Cf5cqeL(O#Fyl#t36b^E3O;gIx zdVQ9c{ZXpQ-b|qkCf9%Us{90Ss^wLcmEoF#$-5J|91TjJa@fO_n6*}VpQ!P;n=1C6 zk%{8re4#BKyVMi1I(|@GFYFcRVEN`3-)Afl?{8;`9X>Vl$Hld$1#`oU_Z8e`%BaFu zEc`AZx7cRf)=M-livq?GRPOo?khO$zCi%wEw8plpP~Bp?NysI4(&J-j;HBa-8R!u(~`ItAII3^isx1Nmi{Th#CE0FyX& zU!B+0$dB~VE6lcVMz_ma1dsVWvN6`3{Fj*dpK;{P(woZ9>G~IrZmS`9yx6!Uv6VU- zX)~QgI$_su)~p~Or^;Q`_)H;GTb1ZVe+i!?zqsd$Vxt)sw!J=@%GGj@DiCqtSh4vn z$-%DMt50s}H%eAA=F>P^T&u3{ijKoM?fR}1n3rib9dCeHQVm8l>CXWTPL;24NAxG$py`~9oR%=H?B!P4!cFGBeAyN;FmrqQ-l@v8PV z2>IC0TUE-_m6+qo7=m<%3g}j&7IV7)O19^a`eXy~%7t;w@zZP;2C_#D-c5rn^>#MY zdM^wfG|7Zox`mh@@POg_1dj~5Aqk5IckCegA4zy9_fUezF;P)tf+bW$p!m|EhgivU zk4`Uu)?YZvP*UDX$rK4AOEaw06Ozm?X1pMW`U^*>zu{=+A2IRYaAfl*jwbnjOh7UF z{W$@(Q!cP0{DiFZYXYiiM(wXrSu2oa7}uYpvZ;bOpZWc*t1JQ}|CG;I&?l$b+_G(Y z^51ra5sfc3n%u2UL9D#^DW9z_%7Lb?pOhdm)mRrdpBn!@6w8p$9@nZC#Vl{Goz&J6 za1x%7Kk6zANaocZ6B~Xh0cFT%3p+n!qo6dp5>fN2I|GinkS6qmc;uQKn;q`Y2O7Cz3L&i5imV8g z;vFsCgE!Re|3Av!JRa({eFGk5%rJI_>~nHs2=pEE=wg@F|d_Trm&6f4TFo zts5~_zKw+5rp7N?lFX07`Y3pkJwk$5T-qAWmFW^d$l0h}jCW<&?`*c1FG8K<(%x#k z1=7=lLULUXww5tzib15FILW{d$y&En6X5y$j;IR0EVnNVnw?+SWA41tMWF`-21ObJU3*B#r`>%tWFTdBi|3M^Tn-ok1Tl*Dp zjQq5iWoG9iA47FhPOH#g)o=Mi8d{lowJ30c0JmcFoll6^XV^!Xk+lB*?Eq}hP#^k!M2 zj@^z*V*{b2Qn_MIf)`1*!P3db_2E13YaE6~j73c6p~nc6+k>x)&rM%>h1OT~cH>)+ zanXD(H*tPWDc>UNMOpAzxt-t!GWe@=4Kmnv(sn-d+*diOP-yc!!293x?z~QZI~kvV zGrzzhic;+NUWX9>zXzZHZK+`W)$1(eomeV})qYtjzP1a1w6X(jw$5n&S9-Aj*Eu%F ziIAO9*bWiG;NcL(;NnE@e&{$7n=Ad2B`<;pINp^X^#nq}knuciY5#9tG5Wj~3xlur zH)Ix1aQFdD))NiClC*QcLZNzh$l`>b) z=R3o2HHXjNlTvYUZhh+5`F1c2PDxP>U%?CF9QJ%ke&4$k>9OX`9wYevdw&1Dn$PES zNGr?P2P8jDP^*d_>I=5}Es)B$kn6fqy=A+3jBKaX90VvfQ=eF1Gtyvrpe;PlHCwa5 zehtr8@>95ljci{R;*kUmR{iSd6A#(vW5H-VN}?K>|9}gEQK*ob`2PkM+J7$X-T&>w z*d6%g!#D*OsM#-YIVu9cuzWksgy$7RdgIR 
z%B1i6Hl`vR`qCKllS-rXc&^t%-^JfetJyZLvR!Ow|E9e&R^#z`R`|Ww74w((*FA+D z=v;;oX3_Y}TXnbRI-wR{iaYD8R(-#elsYxA_ArYTXcq(aiw7TaezIYc)n6WN!MT4Q zPN4qzng7VS|6r#6@yPkm4Ve*$oO$F>(hLyg*tO(r{M1tnrKe`@K?wOyn+*+dsHLKv z^Ko+>Nt_qy*}g&;5FA08pQc{P;tn{pQ)Msv^LswmkI!W(HBICaY7fNjbyZ|D9Ij5d zTeBC~dtRXv)w`Vu~+sUY$W~}e)~2iW{_@F!7tSg8Ve;FL_w_W!b!by3n`|mYpm66iA;7Djt8(4P6)$Df`Ri z^QxHm{_5bWFCWvZ29E}!f}0=u|Ju6qW~Mdz=jsL%TQnhrq~PYjEE*5O-SPJ6%^Q9l z(0Clz`++xaDs38s&>sRImvm<3VAb*0B}qiq%p~{JEYX1oJx&U5M&@$3^y;0p`S8{9 z{oWATBs&Wg1~)>s2)20dg=jvTgoP;XhjfcEVk$!HF)X#oi;wnwb^{(T?oH&xpf60C zP~2q-Koihz+vPq|(X-EB99{}ip&=APx5#VlVe%5K1iZqfk7M0?xud0AK?FD1^mF4_ z*$h@PIym@y_}7-?u8X`#XA1+9de32#g&sz(X20?YK+~l*vZ+gbEy#Jm9dk^vDjQK& zz?p+vP?W)EoR*2=9V=&lBwF;{jPseh#+ za?I(E?c{7UTO^a3id|?ehLe7qf7WRuIRzz5&Whw78+rUlyt9q1>l&kw)plIF!)BSS za!3n_b>4iPp@1jh9hX*0K0+TDupCXZYw%Ye&o|*=WvgAnC*a)tRxaqOXf9Rc zTvI;Tw=~Ws>hO{YaxXD@Ck68H$+9kP@)a3~d=ckn56`%E;I&L`&)Jef_d}J^)|BS=efo65BLp?Db06|3)~e-tS~NKPVos?Ve;a zte#~v%t7&?C%X6YrZ+(pFqZCB{a)QN3(>E(afcH{ruwyVQAlqV3p z=MS%0*U8h(8_R9DbCDPhC5vEIJp_%FadOqAEEkm;y(sSKswkm#|DsXs&RNZj#(mH61q7S}>$XGB7TLcvUmtDPfI~r^9?GvejgtWr zkN{rhK~NwGH;D>220x_|s05}DZ1P*$9OWX`S;mzvU&^4`*_T2pK3|nPz!} z5|MITEz`L1Ts(uSad_uu6&$4>;P9lMHZ;|BF-U!$Rf*eoK~0!*fz;#$d&m>$)r-KY zKCY=Tb4QD}%nj1?Y}aSS#RwwlV^-qW6?blyLy|aPWm2xd(0uFIvshN=!0s7&N$Oz> z*-V{2IU)X!8Ep!JByLcloD%Q3t%)42BW}+o0cyvMvBEa$@eZ)(3MG~Fk*noc@Tl9D z94f8i6z{m{1fp+~RWB#{9~uDh&cCZ^HU9Z;?>T#CAZ2KY;B>%*H46`)T#7Co!-rRD z(*pzy6l|pwKoDHCW{S@UErW zByEgOwGB2893ztP1yM9osGDf&oSL{cmSf^|?=SkXW&K=Q2rj2Hwqm~&bnjXAxdJk9Vt##_E(jZ9VP}AG9?6J$rr!x?+?n&gyGHmOL z%jtyRC$e!jHPkqcQ5gLG^Nj!bc|T7-=2&DjAsz-J5!Po^YmsgT;=_XQqJ!vQ68Z@B z$tsumw$R1HtqB3^UT@*9pNLuIU|Pan%8%+h zeYM?Cj&dU0YU6-Qs}NkM#|)?0)WI3mn|>}5cDhk%*2=&fU9&Y-`RsWLJsNa(^Jd>4{3Py#%HuD-snsbCA*E3$- z;Fj{&i+<5`#rx-4y-Jou=*{9NB9d0v^_$#N#njYJd=3*=EJC%sYt_G8F`*?TL?Cy~ z?A@nLQ`l#V>pps9dndA-#}H6I`?9}%$Ma)-MNZ|>?&34!_0PBi{Nw%2=Uu<&ia7lC zt!w8_xaR5z-Ck>xwrmdxLX$&CFzFag3p}cy5cokw`vV3+1Aj3lF@n@eAaf$qDv3Qu 
zk(~Y#wjj1SxP!!Ex8{9!)vAV%G{%mpC=L=z$S4q!s9xT$gp@~oV3r;wQQeJyBzRK?J>s+fIV=FVQZ7df`u6E) z;)c)d3#wP&HBrjw5_*p6fn#vm}Jkl&+%uS$HQtgwxy=1&C zbM&!uc~(r@yU1*TWTwg(NPdj=+0V!^z_1^_l<*&HV=;;tqn4#rS$U9AF=~>}1&(o_BSstbG`n ztS42reW`z0R5sr-u9qIgJaFYU7W2U7N!)7`3N<2kfNTdQ@urRU1^A62BSg^rckAuW=7m-?_i`5cf!Ccy#Dk%iUbg@q?fbgBI#tWWlY~3;1$)GN zP2U%g!Oeqit$a|^c4K@3tAeaB7$J7{Zf~g2a5&83BHJB~Fz*EnM_$4^6`l_vArnAh62l>pKO8U_qp?D#-&e=hli)~d z$_G7X-`9e*93YIu*Zh3;eMvZS8&Ul&JA$9dj=+($8ALkBXc9`P+=4-*41`L~oY&e{ zs6C9^!&j^;$UY$rfzaoinGzxh(w|Vvb66pr7SdA%OvY15O?>|E-xX5Bp0kLnLJw)3 zjgS+PzMTws@rm0k&l#cBE;W-i6^*U|Buu;I#2*9%@rA0knYK(T`RrlU4HvgHK%@Q! zi;L}mmLFWYX0Qnc9a+r0h;lk+o=$zbAbn%i>A{sRZgVY98IQWf^gWh)tK@t>^wQ($ zZH%=_o_|AMKu*5aY7SkS~h{!|MMBO{}1RMz%R8~m53h#!_kOHIg$dJ+{ zKp}y5s+XYnz1rpcR_#u1qZ}9h>p>2RyiWi`QVcGgy*-`Afb-k!?w2SMK7 zyDY$XU>Xs#l+z3(;rE5#li7mLS-+Z=PmZiw6VJHJp%svGB|Q%+A2Tc8^EimnZw4ik z$2EFEH;9D=T4@nH1(Xk zMXX9`;=PpHI^12l{AWGClKu0;39Tw3V3X{BfqHdwJ8vJ zd&iZ)OeP4L?_0_B*n1G9_0p|^g3v!8pVzR}Brd)Nax4AvG8bp{?Rz)GJ}IpK=+2iw zmbU;Yk$LYtL7dYsjX{PxX2Msz?}IvZ&)ls}+k+OeQ3w%0I{_7|qeL#HQn`$l4x+<_1J~ zM0VW#0pKg`@|K!60~KVT1l>AWfy$pyvGF-H>sD~qm^<$hxrEnI3bgi197={R%4j^R zBzv0_^53tn;0ieJAGZQQ!k+{Fu{n| zS&~Xs`F-w(AnC4Ms{GzGwENYF!78)f6tpvt34Ld7C|AWpfJ47o1|O!aEfuQb&Lu-d zTFK2oP}mzts&U_~oy!9kPEwj+P2Cw|P{L#%=k^)U<`v)H8!=(Lam(aNrqNL?M+Je2 zgmdf;+5)icGt)+9@p4qK>q^~DC6RK)budX-2(uOFeh&x=XX_sGkdrLOuf0FxQZQC* zP!!HF_Rhc^9ZOJof6;Br^lfbo?85Xrb#{qZ1%CIR3D0-7{Ue2%iJ}B?-!5uMe#}+9 zdCqd&85S8xS@+lbd_PIwLX?A9{Kc}wKqwh#VS=}C@|=zlAfFgOQj@nc%^HcF)-f8ZtwX-;JpM3jHP)4!I*rvE96 z(a^Id5RC^rDT~Q-qk^Yp@sLC}2*_SQRGpQ@ozIs}^y2@qy8cU96e0*EM4@dWD3ElG zd1|-g(Tg2&BSDNsb=~|W7xi#73F>d<Qsc3}OGH7q$oxX& z?IzWk1|CqvD@V_zbDP;{W$(2^7oA|ctu3Ocrmf7&@TPm;oW7z{B`j{1$62lxYY6!V zfFRY6T@tJbOqVNXsGhuiUu*n+su>S7>^e*u*^>D3a3@;e&RDFaI{iVMlD0N#YcNJ) zEmpAY^1}Ch4PI43>{A=S*@PBeD|c6;)Yq@lkdBE(H-*|-)5!qOCrf2gkd*d-w2Kr@ zCraG89CM}ZdwDas5Y(zlLq9!X7{)b$34n2x$D;8FoSK5-npn9IiNgkk)Je;%9ISlby572b&uAaEcf zg>jeL5KL`EghRai)d3;dw2-MYXMqX48WBTsHK;H8+`}mm-vbTS2_wWBGmKO*&~Lo> 
zdWLkW@p5F5P_cTtI~(1^=Q5M?AQ%G@GZYN5e2Q+>!MI*BerXoj;)KQq%14bWGJfBU zW$oto+iPOZv0ldnS7(ebl*9%R1c|>asc#LxWn9Knm9t;dPA_9-$Z%I@x$=2bX zO*GT=m23zJIoxV6WSiy6=3aByFqF&6ER0bQIR^sSNCgjE5oe+>bA3%8pekI-9Up;w zQaxDiZ3JO3GFf~5pytMd1&?W^&>NDc(u5qNkGK}<;! z+j7n|xw!>IBM+I5kRe?Pyo=CJ)QR0!;2L=>h!;Ad%btbGSK+>E@CzGno?xSE2iL{) zKd^E7p8|XMD@gQjYzzoL#m3lQ*m#E)1)^bsq$;(n&4jh zqh6s{ADdNOd8tL_wZNzv_|XdVdG0sQzEs~&8$(a+!}`Q)tL-M9*jAO4eihjs!`)mZ z5#P)GlbjeP^N$Ic>7WD+v#(pTCb1HvTz^e?|$kP<%vd7*qxiOu*~+l_**v+RlFMnol6fR0_)${)6>7#72_fTJ0FIe!qE@Tc zIla!gTWiSf^5^1#XJFeAW!NJV5r>66=eIH~+au+ud)!7xeeW{GqcQbG%`euBaAf-4 zV(~jqg+UN1Av8s9_F_JURToLQl+ti3XNO6A*Q~W^TruvdYHSb`=k;kqeLrvGA-J|F zL!!JbF$AX9(KgyDdObCdKI5++6&`~)3**XcGs#P?W2Tfk=yj+q&<%slt@%PV(rYYW(h0)RNwS$XyIZ$kLO-&Ih%!PQ6*jZz zU*0c0oVLHSoypIQw?DT!sLAvsL zJ_lCa|GB$vRQ8cY`d%r+v4sRfVX*yL+q^GLu^+d7^$w~m*>s%u9jv$Vh=Q*I4Z&|s zbBmeV^h_b)QO0^B#qR0mGEP&HNi_=1gY*%}L!Ff1;}@eQU{F=RRD*szhCQ2an3SnP zQY^+?78_`cuRO-CbE7YD>Avo3#A9{igb$K_w%57lO2 zgpB&$-my(GP#E760qIMz5MpkRWCRYc3z5qKs&uI77FK{>d{He^B)64X=hDcurkf`8dxa|KXh7{pM;6eYs2i`i&*6+P&cj1mNlLF)K+ z&XDa>v}i1bzadjlh!pCA#?@ZwXJWCt-r=>WxSRWmd9j4w@6KyIavS#h&Le?$RtrfG zIvbJ&?z*tricUih9!*WjBsdU#n32J4Mj57gpU9jKXbr1se$m1 z3!wqd{crOAw1GlK{%WAkKmx`83nctK+W?SYNt!qViKBGy@A`bGUsl=c9B-3UP5Y+} z+?Uk@dA;_kzfjw0WC{9JV&++838MC-oEy+rQNrw zy5{RD7u!j+aFh z_?re>+EmtwYGzNGCE)o>Xom>A;Mt`WDM#;39i!ZRtchXISh7?Rsg#dXV4&&Nj0LtD z0X{#0FWBF|753k*=I;gxcG@7B2jXi^0}axy4Br|3&OOBpM#zcmLeHq6_2C30svSD{ z?v#EP_e)}^OFyIEJ$ATHlt<}uksU&Yf}BLbjBF?jMKicLTg?`_{pk)an8`~%vOzAp z1zlngtWu%E){<>D+!FeD#j#hrS}ph;QYI)g-|1k+1>C3G(8=*iPpueA`p)pWs~L0 zs*9E(Fd;Hv4-zG_KCj-y;X$j+rCYD1s+CXCtia?!-^W5uh~khXPXu~fh|ZtBnt!cy z0{>O%T#=FVszquBfNw34oe{2rifBSqSpo#DP)Es0r$l_*aQ497BK;p{?f?0}PCydD zDKX_;bI3q2x%`tJCka=@6mdx?Q=Et7g$JNY8X~`fXNg(g`+QsFnYkiaKq%=0B?C@w`e;kd(@NMqk?s0sOlQVy|)8Ulk z__8zKbAR(`Rj1j?PDb5S4MEtWk1nsow9_~CLpE3Qzj_@Besdvoe@mA{vYj!015QuJ z2Xa3mO3uLco5Prc=U&y~G}z)os8lXhgy_JDa`zqxAj3Gb1qSN&hQheTuuXus8Q^yQ z7-gYb|<1ns7vo;r51bO9F|Z_Ji#np@HCP$L9h(?poYBm1=&u-ez+FAKu*iM#b5t%d1IF 
z3F>xhue-gd=WvL4nCj8QcmKP9WB>G(r`%$X6K(DyBWO#83$Ay%jVcOER&wb}ae_Y0 z2R3H`drQ(7H%F=+K34ukdZTWBMrTp$LjN}py}2F*!Rs#m;%?7|Jis?L-SUsTL|!P- zBvU)*eu?)Ot}H;~0=^yX&M=x${-({-_^s-+ZUK(claza91RszpE*C~1_5CfHB1?hl zYAP3ya=+MNt0tw-loHfN;kyk;@KUJGCy~OGv39Y@W^gi5c%5Wt)wAoFdqs1op#WJ% z%~BnrueSpflryg7WD>)NTOTTR$t6ZyvwI?o zlG%*HH8ZReL_aslJ-RCN&YPT{to(R5T)UU5_X^;6jlPm@WdlrtD$1Mj0Ki^)tRcZS zcULS9@%W*)uD$hL%Bk8sWzGszzN+E9lsF~3OJFKHBZgd{k(cHA1K5p!yT?D#0~p>S zPUyA4<}1I@g8>Ia$gvInLXTzYP_yiCLQ)nd&g7=l26r*{4Jq3zI{3kq`qTV1YrtA> zu;c7BAfmY*L~}@&L(BVK;0BFUE*4PiTn`f5)AzF_XOi+>)L%w6*EniC!zlOKjcH^Q zNClMVu|H{*GkPI)w_lB4A*0^%3ZC(|BMog*hzQ=|9Ya(8>xz(c#yl55j!k*J?_!Rj~f^CY7o;0kQ0z|NfI zqpN#nj|oYQth*Al=_#sZ5U(h}>H+|BhNq>xlN=xqvBrXkolxc=jI#auXcU1Dy4ehp zSHFCNRefnSBTyrxN#tyHL1PHaE)+I~!1&@*R(zyjlLM$BAK1X>qTIi!zJB&G&&vk2N>1E=uDR0-L zyGc(tFBJ)jF@`iig)|wxOUw?WH z3+j4Cqs{1jo0#tnssPFF0-;OwHX=%B#v{Al$Pv5-;LrXXOfepS1ivwY1++H<0=*>81A1M>W)yR5pVc@Mweq+XV$+~)a4BM{rf zgUg~$V71we8MdLOrgJu*Q?14MlKBS83H7qvMT^jIDwNJ7*y|G7y2YKm&f$rM4t@mz zaz;>zxM{u4oig|9kqhDmxuD^Y_LH}s+9P2+9yu?fI|A`6GV2}3-_|X^#4=^~~t>~b`mU)&WwhlPCy zMO+B7!iGyORJ)ybF(;~)A)t{OMB{M}1`P6Kp@O zR05&6g>y8pT29p zGMrQtViYcVpcF}V2XI^KIIQO-%Kk344*#ble?24Q{_eG6fAv~%IcLMF5Ma5cd?d=h z>#Wy0ercQEow!T8xWkVN0Ee(LR$TbI?u*Di5< z1I1pu2dKw(UI6mxX8HRpU9s)7C4gko9qxa4F{p-+o;QKG-Y$&L=H(AmoNvj{n8(fY zH4Kb)*r{Oa4=Wo}o*L6}9zR!1-mh!NU3~mPbv=zkA(|oQ+NRxi`@qeKDod~9E5Gfi zN&M$H{zJ+U{yhLXLnxWQ5z3GaKq!_v+Oz&`PR_cZg-cV!v!$=B``b_S&=H16h zO_qsdK)K!QPw_!U+Wc&>4x`W`GkNr8>d7tUF1Dd-o(``IB@fv>zdrRLsw50AOR4wr z^G|BIt370i}97*wju&@Bg){y-ZJ#zoILcxAj zsKC=9cQX1HdW=0dMURPJ=&{CgnJ-rUgaQ@9p)GKDhWlrH=}Sv)Z6|LEDD~wVIa5|R zicdEEnbP+w56V&Jgj^On?xtNRfy+O`=HRQxWvSKO-D!y|R{CgC$w%1~Hp3-M5XoGj zNYqnhdtK1;K+&2rz@66wM=6M!9Gq(ggOVCX_ebT?=B-x)-xbtn02;>J+CkxpXc zu^npZ_RGJdJpHyk7(OtKZC7K)v<|jA)>wkPHx>wZ6}sfz@l@BlRw>iS=kH3$NFrYEwAA|0@Jv=hS@8=14-sQ!!1FL3HBWRN95IILxb z{!xwo6`m^p_wxUQC;eu%Q+R6g?rm+0q}*FODO25^JA=;0oct}!ey3$hds-z4V$zb^ zJ$#`*{ff_F;}^kDjVvMOcw{oGER+_Qpxea;%3^Z`oNeg3WL22CpqMQ#Yh{&yV*LSo znmSfxZs*)ylHvrwIigEPuFZ 
z-u(Dod>fVj(7+A-`raynZ%|OVLT3y zh6KSF31_iq%7yhr<&>b1V3>n^jaH&v7alFX?SiqdhOG*fID{s8Mcr7;sT)g)QF*+s z{)|h64=?N^i`4DSotkfoQL^wnQ)db5I2o0STP2`v%B3h12^VQhQ_TB27lROz(@TY) zDrG3`H`<8y_{7SFr4Sf-?>QNqna*}w;S_eVc-SDESk_~dcbd7!gh;aepa~bwF*Oos z$tqU6oS`Z~J1)xzGZ6u#%3 zcB_|_`CPwfmE&iPr-(c^Vg-+uMqlZD90C&=7+fSpfn&|gycYr$WZ^d4a@R$(39%VA zUpbOzpsKrW1J@=3vU|dda9S{@Z-Kgjbngej15#hBC)lp`=*+Qbm^ly1b2op_UVQlG zmY#K(7#_wkKq*#hRGAtgL6Mtf^>rsVdI>20Uab z1tW3rho`##pW8e7mAl#;#7%M5C4(Vs<#gWVY|YS@r(JT6fL$yDw%U8JNyz7ehNSQ686?OR+C~ z35s=!#t~NGQPNGdrAA=*W5bzlAp+tXfcwECv?tiO%)|a*QK`;#{@zZM5H)<_Vzhoa zn`#o1BTeKR^UZwkE^*$)Ud3nmCJbNK)(TP;EP3AxwoVR&q9o(SZA5gYpj@?acqyi$B3)B7pkrIXkv>0v4oQ zzrbQe{PKy1?8fOblzrou*3kcZVypvD_cR!a11xJx7+3`$v>KYD8LtRR5u!9(Rhch9 zDjl3RaEVp6KKij{l%U6gPO+c@lPRHKdgtSOWgl0NhVZ?o}7-bkK^%#_$l8Y@YIlSqs6h(LdVV`Mb~Y`;7X(!QM$Bg@6_GP z)qxP-d?jrmI`_WWDmDwXU_cWp6hLG7dO4w)vL6tEv#^YOCcXL!f(POz6bTLbb=Hq354FISTXiTby6q)ZrmVp7liQ+Jo=ntOYUtwSqxK@^5vi`FU zGMe=C4d80t91gx55t&~C7<^6~u%L@KU!FK%jh}sDB@q4GUufK|WnCXna6R8id7q;< zP{4kyF_Jp3KS_irzF-chU4$sDrSJ8X(?Dtur`1Gdgbt@DJ&Vq6_edT%kefojuwCta zo$HW8g>qAkqc|L&F@k@rKU3UsW~JUy7{{ZX#^^a+d4o3@C+UYJRaI#Ecs-2_;+%7X zTR9L$Dq{6%p{YV6jZmZe@(mRbaiH8~r;K&IIXvB?GNP{x!~6XRnErfP?P{R%d$dXG z7__kY*4TXlHqOtyCYL~9X*-jd(dBiRSN@E4ZJrDmBD$Aw&mNS%{2qalDsTf<4d=>7 znwmczJqLu7U1zr%q9Hqf)%)`rdp~E)87+FTXy}OUxdbdDFhGOh^NccFS4kX4JW%mKy^Gn7h2+R1%$ITmgibKyG}Zz7 zyJG#zKUL>!NLFqJ2cPUH!dD-MzOGGe1Du)xHe#3| z9nSuAE`eA(k6vIo;MhGPwxODf{SbW7gD&g-Oi8DSi5bS)tWx!KQmt4Vo;^#0ZS3CC z&_VPQ*c;*7E|?1Q9zn17y>#BYO)}JiP8kg$soAnAUMpdw5tsOamAmB3;U#8argeIh z5>a}}35U|Id1~3ye+gZ5eqX_|HX9@85X!&#gP9o3C+jkC)!b!zFgIE1mKU3lmmLLO zfBImrc?*sH>IX?z9IY_E@V5TVg@DCFyU-ZZ*WRC&_WOAs%|Dw#Gg^TN`8v?xKK}ah zz)U;9P0<2|P6t34t|4|)1I=ib@CXoU9f$~YMzU#yfDh_j^mZ(Y2}^Bal_Nm!oL~Vb zI9OYJbXDX}1c2fHXK;3wybT}#)qf!Xr0#D7NIpS;@}{a^2=L)DnEi647`h3M2;4W3 zaiWA5_bnxBlcK{LufR&fmkzoS1=x5lDyNs7#e{)*YJL*T4t#;a-VG%deGTrLGH_BV z>@NJu6a5UUw@~KwtN?oT>sr|Xq$Di+*|7+-~RfRlC&m8$wFAiq4CL~)1656+qs7XkqDMlr_Hy= z9|xwnYX7RLUG#$Ek4Jd*f1PBMu>mr-e!*88G 
z5G1wWQ;-kLF8737cqlnFs}(vqa5-(iAqhzGcisH8-&t|6X4QmO4PS8K+FHZ{{L%@qXjPU%+K}D)cOA3Ow4JYGtor# z3%a;(0AeT7x?f`66$L>guw(#2V8Kuj5J2LNJ=b3f^LMb%OR!y7jnmVEDcGSKjoR)?SG`P&mgu?@qH5$Ji z+YY@zNbYCMS2q@-is9>|S47qpoF^n;cwC}3R5_9k2`Vs5_aV}=WiVHe1!V}OG* z+;^Bv<_DX6iok-!kv)9R)#7AA@W1L%5R*~_G(jo5pWU=%3DUs^Oy?D_ zh4WM%WZz-WvdU2r=uejY)t9Uv)5`MG*jvT@@h(RF*Oiq2m&I;^>X*eX?Q}EdnZ+(w zl7U--wj?0`EKNvWDL6bgq%Ff*p+N_lDLp`pO}eLOmRegfT1WK^?SSfz z>C18G!>65Sif?fJ8K4k5b>uvQAd;QYK1Xg4Q;|4sssSpRedE<>7mz8LfW+7QHaBCG z&rtE9G+JA}PJ8PKpDs6NRgzB%0RcV%A*w0m`1$lo-O~^GY2Q{lV>zmx%1crjc6{s+ z$tG66T^{gde{J9=G2wr9D+&BwcTOV`{@ZQG_RDRjcjC4~jntg%Bz2@p^S^eW5NG%o2vh%I6D>-Dsw5X-A#K`N4 zn<*x6P|=ehNiUDKR@ye#-c_xQGN^NT5l@m#th)idv%L{%dGv5v(qn5W5)Um_XnuSB zAx)4C+3Y2m$sJ*d*e$M^3NDcdql-k%rMI`kKz1S@b)i=I#5sC>JN;pL3q8tQ1pt=if3US{ao{L`UNlBXwxb*eFYV`SPVr`?}r$g;o(tsBa|Ej(|`~Ics zjq|Tx?HsMtKf8Iw^h^KV7B1_9|My9yS-*{mU`1$g!Q+0{zPbIkB%KdL5e_T|RB8y8 zgCXK83Sv!Bd|A^rSsL;RXu!hg6e|lM_KBsyBcs4hhAPm19*yD5&R=|Z@zQe6!wXq$ zRI0qob_hiVpCw8R8^3~$y89S=^bJ$b>eYQLl_ ziHvOrhZDdla1@%zAi(E$q5_<5u;bR2Do2#i@mqB5Nzr)=+74u13%+2NxHBu|eJsmi z7PZf%gToh9o2&F}tq%F! 
zpU@5??~i!!NW2dwX)l~d=uw=PGNqDBXA7=T5FcDN;G1vJeB?A}oXYQjQ`LJk>oiqm zJyEG0YpPa%dt?GZt*kirRd6Se{HxAO(H@zV{=`>5`c3eNtNhwuqtNL2>QCS%f_TfW zxyzXiW~o9IpYAdGyUci{RW>}v!(4c2&~FTU>)^CuzAqVC;f-c6T5G|2~m zx0E~2VIT^1A3_j^hlW^sIEqS{Gb@)WoLLXjr^xAfpc&4?iWrXOd;O=z=wIR2x>Zpr`DgjH>R317s8~FX?$@sKoV~sXIG1(S5P%PhGV7(<`AV%AKZuUlmI| z7aQxs)Ds1pxz>9L7S*K+w`SjrMY_wD*J~_-4I&I|dB@E*b)P=9$`9nusAGNZaqisp z*w8eOpN8#_N7R0*v;%{IoBZ0Z+-Ir!<~k*J6I$@^`gO~CBWNKm?%g zKPrXc)SkzLybHfn(Z;IK>14&GWQRo#MnG6~=A-%aj{mgK(E>72kN+RZ6mn4s$=QGd zl2iM^f08Mb0b@zpdF>6U$g^Y$II~K1fo8m<7t3if1yFufOj2~#M~d~U9A!5r0}PyB&U^ZH`T5B<_LhdXnvw|@TMeckw_eTm&A0-g2h z+tK#r^rzQ<+J6ma%$^Qxee>qNn0s=C%v}gA=g3_$`rW8&heB&}!G}xk>UdB+yDaqq z>pM-C4$@DS2V}PP3qp;7<#g806Xp@D5B1ri_&OpI0jUip`+?ZX1R_TG-dgrUG_;$N zh{0_l=aDEJ$n2)<+YN@XP#91?Qu@)gl&H^E-Oj6t&;%1{smNPD(zCI*N%AY89uQ9D zn{T~lrYK|+W1VULEZ*9colIf}C-?wybp*63=U%D5nh~*rX#wM;sL90F8>?ctRHvJQ zhK6;dV^xbR!VZn1nkNwY-Ce{yzQQqw~W_iGPZB6KNJ8`P_V@q7lzH} z7yHrp$nMzSeu+-8tYXm3H+xwmd(lHL2gtT|-L&f# zT1ny8zg$VdyH--+#!VPS*-C$l+wCs0Q*y6+CGo*t4?ueEy`8Hk+3y{vpHsQEzf`i{ zzdvmm(=7yhl@62hj%y#nT+9GsguIal!-GJK5LD-e^Jl2GT&aiM??r|mRQzj?{LbGi zPpK$5|FcJa?KbS;Ngzf4*&g{HTc?2(|3CJ~|8F2gHCH5%!V*7cc;_M!gS2OX$y*Tu zAen-^pyfqb*-XRsyYZ)tnJ1$VLN-ZO zRJwj|)b-W%`F8t#|Ag~?o!9g6dalR)swOm?NvDL3AJf@*>fP^9IrKV^Cz5coDM7LS zv0%{K=i+Gj1haajVO;K!qNws1XPq-c_DrUx z9qI0t5d}V#ufLq=R`_U_wqSJiEe!^-JM%w}ZB*-Bg%1+w^ObDg#m+Pzyz)0+xu2jA z$L6C{jJ22d>h|uQvhX;OCq+s!QozYCmF|BC1Az&LZ3)n_f7y-5sKLOi_O5-+L z?28;36IFn11l2XgXlh6NUg3TXyBoCJ%Kp2uQA|>CAIh;PB79u{z%#J5QR6MXz%2ZR zh*o5Ec97odQ@}as@Qr_e?XQ~L+)G?a@)Jv#juT55XBW5A8#q6}UjrZmA!R=%fqX1q z%Ktr~cW`){-kE=TgT@r<6oq;Yp<#c94CFpV2Bu2fryE}#%hyMlGp13k7-X3lK4AYg z%02Q_C`v_2Rlj^P^G-j$t;}Nuje4V*LM04$n&9mS28NJyLuZu5=bwYOlRD&dpWoPL z3jG?FRoWAWcU|O16yQq8)x$lmiky)0Ix>b?fZomY*Y-TshuGm4UgB=skLe^t)&quu2{Zl~ja zFCpNgcov}MPe`%EY}Fr$Gftj(8G?{p`5@Y!y_(Yn-9umWp%Nwthn%(pbMj|UPuuV; zvlZ`rg=V0#on`R7vZ4Vv3^e9q7ooIrMPeSXRp-2sb}b-9ghcADT*tR5YS&$cFRN9U z#Rc-*BgrU%*}W-DGMXn4^cgT}o9@$hl*bQTkBAC^160cg1a?I%07nZ>Pq-VBmSPE& 
z+3uSc;M?Y#>I+TXeD;-4HFPK;BJcr-GgHDmL;K0`W)iSg_-sr0wj3&Z#2#9WyqUh z*o)l&cE1mb?BR#$&)(rWiMbE+@p!jc_-gxvv~eC~*QogKa9yHO(BL6s@Yp?S(DlB0 zf9#3lg=e-CG(QGx79u#)yyH|@nDl}!7RLk6W)yq@%+a@=Ke`wT3{_>1R!Fp1 zGv6=v?fPdVqQ5?dLBiE_-0fuz_7C#ao?0GO2xu5md`C(!$=r2o3{?6LHOJm&k;I zDAflrWOzol^MHM`#8Ed8T@yR5@p;y^C*SaVeG{gC9-$F-F5>*Qh@kx)UujP*BIHse zTmV}h+!f+vLck)zvT!&Hc;9~7|EO?c%hNr3win>j@UJb;zjHIEdjS9wiwzdPJ;&?_ z_-$u0O}_~W38RyX{b4C%$@Ml}so;vS!tHPp)mORubnaB8Zz<`a5j8kP^oV<_a}GA- z15amay}>9sLuUpN+rH=OrYr+|qb>B5dAGloC! z5YD=yUO~abEZC*tLDibD5Du7VCH_WWrTQy_8$ZOhYV1S$orfsIoYn?n42SPiO1ggP zEx)YuO8Ux0>J>=BhGIspBAP|;f&1M)X>7g7^_ENOS0A))=N!HH`auKAlQ4|H@q-L zmxmVq4(uO@Pgt_)Ek?r)nmnc+>^}>2W-5c>PDj@H zkAZkDxqdc! zGb?_y3^ws45GS1g=`{FOhQ18(qmbco`%KQO`35=C;8T(Rvc_yGdrZ_1?fcYTIX08~ zOSdk9^xmL(Ih>K8vE;%P${!=w7)jL->y*|=aI(K#9G?cM7QLp8aJI7OW_W_S$U;$& z1{a>ZB0~V=CLC8}r>sT;F>fhw!Lpu;ofJ=KlP{DrFS;5+q*aZZ69tjc?TXIV1SLBjt<&6c zy330{?a%Z68{d8_kd{^OLo6a-+LGlJqZlyy-(?i0*cAa2by~Ys38aJUyF|=jH@Q%J zDgmd7fSa?Y_GC^Mf(vBG1yiDFb?u@P@P$3NrCyD$wDZ4Ooaww!`52Y2>MkOj(*F9Y z-^U7VzhrJ;%uLdc>7L8V2MJqA7(5&~$}v@|;jpK~jBDO#Naeekt^M`NEQ)FXwa z9=(KH)Q`jRA)~)%rn(@;i{zjBspD1Jp0S5Z;6P2W{Z_9h22dS&IWn2)IlYHd z!b+rg8k3K+ylDgTa{^L)XtG_YeK|*@ck_!DBDof7;=^I%a|+Y|;Dj~CbO1yajs03^ zG!8kG2>ySYiLL(cDgCKJzV^RVi1I{*pdMdO5}A>#mkPuZc0f`954roxwnz#|B1UIh zeN&CeKEtKi$zGwT;=W>3vqC-$7is=}6knwjn` z&0>q%79k<~D#_1X(>ci4j2iAt_Z`zW5Pjz*c~wAS3iT(-YS~?#Y1K_;@!y>1c|e$| z`Q%01>gW4UxBFhcH2l%A_U_T0{MRCIR2h-i9Fi;l8mA(Htp6n<5XFGGP(mte1Gsio zK$X{u+xoPRMpgwDL|Khix3DOcK?rB6>vh6Y&1^0f%7j~$=2G|Vxk+zKjjau%XqC8b zhn7#b2$&?zZZ_|7$>8Hb!?7-qe0p2w`yWL%re;mx^y*@;k=C(eBQV)wQY2I6y3|%oxo~HAN z#1CwK6C}jS^|_)(imm;v^Ls`TDg?vbZ?&N^I2}K8C@yF)=3})>vs(TWQ45bCdfwCI z_c)Hi`^%Ua1=}OmUNp0U^Yh2N52Yji5mH}Cy31?@`w)Ol$7X4I93tPwe>A{4A51xv zH++?sT?ufN2Qv0BcxXz<1yyf2IuvrEDLnP73#uIFKl;$QkA5mC*m#$RE_f2sYT2((ds|tmVdbd4lipUM^62tuZ>tPgwp7jG z_mgIu&*8$$lXx`5Cb7L1!+bq-%sY*xXslRT*E^;9re3vuCl9-_Oh>6+fs?4qHx3dr zagV)}q~bYhu4!0aNA-7+vSb0*y})BWm%Y*vBI(${_nuFYA)tcAV^i$xFQ&NxFK0gL 
zS-m1A53HCe9TzXL$i=ZvQoU7?@o8##;kd-|b)8lL>|S||YDME0&o(2aomL9(E1t{b z!f=^ZU(?~rJ1q9XLz($i(C_@{rAs_nEe-NM=fC@pLU^?TYse ztDF?HaD+c6?#2jD1lSCTJw05Z(bn|QQsCcitQnHns_i6Xz-oKPpbtr1R^-kftL`Ee z4FAgP?c~$eK_ohWG{gVQFG?Au@5+vj6s4}q3zPbmg5(6`1K`0A*^sD6NA3fU<`ZhL zu@ip?4)KwaER6mHFK+&a{q6LB!_xl|4=DMmcr5h%5|5{+;-U6SJob6N0JBYDoTnH} z-Q^ZG9@CR$y~5#iagSea7|;mn0zAq!trXQ%CZIyS-c+cUW6~-?wl0I4^%v>!f-ReYwn_Vr-kMH3^ouPn7 z;LG7E>2u@Ue@!sf|N9O9651Jn(4Gfz{}tM=sS-)p6;(1&QLz}Twr;&ty37O znj#!DJAn5ECgwYAN9s>2$T^rpcH2_!soEN{P~*vhkWye*wE3{5u{uh)RILcxZ*M}z zTCTqUIXE?~g1KI1Sb3ufs|(9nx5i$#if{LdnS|$NMhq`OiZf7R4?M=A-um#Y+m)Vz z-6#hO&ncPzpFz4t%NVDecqw7l||(#^i)`iJY&d)>sD ztI>$nF2Fygf+prkH=e=;0(%$t7~xj|I>9o;(Yn7wd-k3dk+#^pJh`X~@GR1IdejY| zc~ZJBNTavoklYokU_7!W_K(qmcG-UvV~);+oWI2RpkHzRY3$>ZWP!8iEY5$SS3F4; zUe28j*?Ygh|Lx)VzsUkZi9KiR(rCI8o^SS-k4o_@k~&(vfLj5ElF1i$2m6kRfPtwI z8tyl~)`s6VQ7w3V%L3uz#EH4-*bvC(vR-x^kFEAzSSavua^3qmV~Km(47Py(nJT&| ze#6eAZSzT!0FNDEewuaFn~q%4DEiQ~Uc!iSIf|h)7MW)+R!6EO>u<_Am$nQS7R@Q9 zG`RgU=0ULe?deP)k4UsbXoYze&Ujo_%6^-#PuA@NlYN@(?;dY)UzmIb+V6=e_Vp53xk3#c8CncAk2X$3)r@;L;GC|#Gf<6%nY{W2n%DM*ASB?9nAbC-jlB$VRH@r1 zA$HPL5Jtqe;amtL+ZVf8*0qb^}dUq<5d#ZDyJTe=?aQq4|A@Wx;sS>Pq_fYy)UHnryUn53w+UYC%gHZ%>a%v}&8uv}GKJ3{RAfojF=zzL6p1 z+WoO%1OVh&MC^xCd{k#U+*Y6lkd`;8P4#2~w0l z4~0?{WQi046flHx&_|uNOJ>3tU6_=xp%EVk9j89Ned7gc|0g@o;g()WSS#I~ z=tF>foIph~tZm7D50S$u_LF($%V3 z9L!>;)54oQP8018u-km*Q+(N*_kE_buDlrb)+}QMHjXB*)8S-`y(!J`y=YN4e4Ofz z@lsu8L5Ge)WlT8rXCtbfv^Y17NAP!zJ|3JxA|_L}+KH6&2fr`nJ3E*35U_0DtT4;O zg*;iA<~``I^{tO}2^yajX})K*{&TQh<0pq#t4G=7?eR`Izusj64$kE(3>i3ITOW5o zB5Z9)xP(Zzr|b%;%Isf;h21HpB{Qt*Jpw^iDeSawEIt$BQ$0N4ovJm0l}4z>McVSs8wg+Y_&?z&l|SLKJ7 zlHakI)Fuk%fDUyKqO7s{V_5V>fStf6u+$&NYcm^dB)BsCP%4P&j-k-nsIwG6k(Rg{ zJYH_|k{xVX|EZ>s`B}CL2nBSg?~7Wxwj3@@(NF}h8Z<=Q|&3et7XP_i(M@ga1ENoO%IR z&99!I2vru_A#mmtOMj?{y_K8-a>NvyS~+Dd@Iq(`hGBw~wg18?`hW=^H#eM*{9c&U z*Tmg{tJw%k5cXxehS}gxtu!{#GPvYw;)esHF?`R8-XO8)#l~_U$P#nq;t=W0zv3Kf zONf&gK4eiLmAWFd6mV=zYXc+pw(Mc4QpzJn%y$U{;}B*ZnI}1RG|GTM!Ti6W2a89n 
zX#WETD<}@8N{OfI9z+xI*65jBD&AVLWk{@fBMR(MHlixBw<F#3OQHy1HWB62XFR1Fu=IP*}j< zRoGJ4VF<@B;FC$eCvW8qbp4)?-w253;g6m5!S|X^syN-BX6<>aB+hq+UXO6wW#4|A zz{3q!LN*C3y~gdsC+61MwHe~7o$ZR$sZ}3gP=6^u^Jdq+$k^;jsF}%u<5cmTf4XMK z2Bp2*f(US~#C`1~(v3Ve8G3%?W=St|_mI2ZcjDpscKcs-jOU9!`$VnPIY5qs`Iof z+SxNEy@h!!$86_~KJjva#4yb$?-oM1Vod6uC3ec-7hg{xo}NR!6}+?9>#AC~b{SJ_ zExHLZaAs<89K*~=E_;>?lyE7HRZ)^K)*u|m_Nog?D=o5!jhtKr%FP;h@i?`@wYs8g z8ij-vdaDY|nyg^>&PCheJcHIa0^X??hN!NGTL$es*OjSnbtyLb_+Udq7E1kWDWYb) zh7&Nj6}43ktDpsuLoa#{mJ1e#vAkFe39O+6TLnr7n#kRCR%Af9RwzAkys4i0Z7bmA zTT-gQtQS7Oi&*o@*Cn>MhLi&`1XuewccU)bQPPZ}Pzo+>gciYXg1`)}w=5rs0t9i` zwIc<6cWECn=5VfO6eNff{3zl_Heig-cDU0Yi#TYs;kU5e#>8NsaFi6u(cnMqN;Urd z=Z^o|iY6un#v`=mQMdq_g3UYoLcJqU`z?D*M0MhVz!~-Q#0-6X>kWXnvPRi%ou;1C z2;;N#{k)kakiKW0OWz%JOSJN)G9qi&M@r3VOqRIEZfjTF?0&#rI$EY#duKfB=KGQI zH`xw;vEB5BpG{tzc>NQMTv2aC9S>pOFxobI%0;MplVRkGRR?qWOb|dyy5;@Ni7H?^ zK)=cYASL}&AdH8gl#JQnTG;@k1{)Xghi%J^e}Cz}lkE67r@zz+LJk-qI|aNptpob3 z1}%y_DESCnjd|UZKC8!85#u2Z8LIdUIOv>Nd$wDC`mp)6TaJ>8==2R=~)lZDO3+Jm~IPxCv{sl{z~`MsKaZRk%q_ToxKO`-o__uGqm`OdlKf+t9bf zj%1s!iA0ldDWCPH#B8mBm%loKqPB`0ZV$q-X{7D61t>Fqj`9Gzb0ftGRC5U5*9mxa z?IaD0yV10iTJjff$O>D&mfWAP4p5#gzODoH0YMpU7?J7{&%1}uB|AhnLCLp(&p*rD_YmrXI}%w_;HRnpn8(%zSj zFBmN6RRK)7u56A^2e=n#WFb-b_vf-XUjgl7W@)z0c)3DaZ zvy7D&dq3LYaqFs*+>=yakamc7E2K zzAX{<>sLMA31AKnJ|~8~)3&)={EAmO_QrY%*XM({are2ZYnp{0MA&eyc#PG1{gY)_ zx&1|9AkXkKqp!}|etq|~Ct0ws-{ur9nLqeGxbngGKzW}DwX^^AqMwiOvck26#8**L z?>VmzA*zrx)5z;{BYi|dxUy01JhcLRI#ejNSwPCu|_<8zb$rXHL$9!3cVx^R)oNZ21+H(}>O z((ml!&)|zRJPW=(F{il0eZq9SV$#TF@CR}RHgRN5}_v@CMNb6vu!2sb&J{P;e z3~{dmp$WKgi?gu+WkG}x7XYpe?d~*CaKz8kcje|yL3Kd59J{9B{QLGsnTEh-{QDj? 
zS`I;5o%;k{4*2*Td>VNM19)#L{XWDpDp{p8++CfO*~d?=90})A@<#>r7&ki^ab6-W z75dzUPX?ou!!fBf9YLs5IJrc7tk(N~?_*MWU%xS3kowj+=DnNK{EMi|(&km7u3eR- zFwHMWW{~w-6(h4t8)|)3DabFlS9d+J$Z@r;n>(pQ8)iLMPS>jno^16$S|7{{Bf0p} zNg0>oi4j7f7JR7&BiqkI$Ze#`El4Ohryf;+2>{dBr7&ZC0AIMEgsoqnVFBmHp^soE z&mNH4KAFGTUd$sF-Z+l4?qzu6tPr)L<1738%jWPy-iT?n0C!IT(lTZiD z!T+lj)F)a2`lS^$o@FOmq4--Xs+bRH_)$e?TA`6y_ZO|8J#|f`(}F)@DIQ5v1Uwkp zatDhHi^sIGE%mu{Q9Q6|T1BE8O)hWUl4!Sg90zK62-(sOVwoE4XEsx7pxG5OHMA+5 z=@*9d=>^RnvU3mYu1`WsI^IMH%W=QsRwbmV&lnH5>OH>$Vt-^MXPkSB095)_&8h#5 zT@5v^XPhxDe#7OJ9)s6I9rgGG*FYV1509$7TlC3&ci^uQMa@ zuWg^K5pH8T2P4H5(AW82vH=6KFF|tskn1@LV8AcNVJS(U=}!~EymQg-mnfaRywP2! z!)54^^0brjPU~G67V9n|hosIi^wR;E`c+8%@}6sTwX+}#2HW%Ih(MgmY-z*icbg5JNI8b_q&zA3THz~a7 z*M&Q0TVC_@?Lu?*g_NPxTYZGjBktIcXxz6Oo|>q0zneAkWrO4853U4_7k-*^T!=%Z zeAUsQ{bnwJVgMC#nbBS%Q<&Bqz_zE<>fo=RQ-`lXhC^uVyyvATDi+(xJAbeMBaD$W z1H^sDi@!2e0h7~b*7xK~fn9Nw z9pz`wtV5{yA?KqG(R(M}7(PQx**O3A`VpRMZV;516TVbjyF3U{R~91eEKVvCfr$_@ zn2fJO)ODns8mR{9o9>SK9?_)NZVp=zDJ@p*lgz$!m|rcvoXm_pS#nK58~#PXtogPV zW|2QMHuEAi**eP$pRUeWgY6C~6(n=V1^3n1@m@9kwP7NrSWeSd<=bsU?|%BUv^N8r zp-jm)R1NPeA*o;eeANHueT6oOT75zK@)vIaT99(v^BAElTpw*&3Y#WqZ$QJ11o-4B% zq6}SnHwx^qYjv`WP5`Oz;l!vq7n5zuY^WlUyezgC28&Rzv)4MpoBLZ&P810PUofpI z4F)6==8BUjL$75?|A>y-V^LdS{j04OSt6iLKslWq@q^NOS{o<;15RFv4$G-8DT83x zSg6;5VC*igl?+#Mtv}O)wsV2-w?dH+!%rqv10iH5lT_Pnym!WdNh+h5_oWa3a7F_V zw}3j#`1r?Dz*)!dNvdX(W}e>;s|;rjM0h6-L`Cg{B!JgF5(Ry8;y}dMyMUxntuRk@ z(`A;6EHKU_R?Cj06?I$g(BEKZhnN&PO8LK8t}v^=HNBmqD>q-ET}Kv>D)%%(omMPB zLt)bL@aYuJ+mWO^FuXkoCTgG2owmPhfZy7e^YNyGY7o@!`ggUK@yHZp~FkXdM-4P!qEt3#IsM#vA<7>`1+1 zy*5JSoyj>sqkw|@B4APV++?$i} z5-v_cu~i+$s|of@>+}(~Srv_Y5mBOpF4(C7yhf%Q1y2HHi2%bcN7;J+sDMFkYsE#z_)mpV+bYT)wc<(K^8ui zwIOF;Wd^VWBqB5lX^Dk{C?4|7)x1dkyo)$cSb1||cYst+RRl#tjBy?zTMviXI-Eqv z`*XdS>Geue76?(SL5Ol96x(7OGbmuAm?YxYl}tm5NZ||-d9wvJ4QvBPnC?Hf!a}BQ zj>B@FPePXXL%S^ivolXiH{zV#~d1%HDA(AcImIMtbv%%2z$hwgP={Vr zUjWT}o3a>5LPpr=aGm&_29)vvtibd_X&9T|bcXK*=f`OXm*ieXwL_;!oCh6d8_5;Z 
z4YwzX+T&GHxAdtWgJVXQiGW4ysYYX6g*2CWLM{Yls*N4xN0Xb=RaOF%_2X$oTgxG= z!={{AWSmZ5nd>)ayvFzaVC#cwX{Ar=eV@bC zCBr(6pT|ejYo829A;+l~EIfp**wKEl<*@8PEUBtj(#zR97d`5YMYLeX(+iRGR17IO zW{_&M3>Zf%AT5Yh)|)&k>Cque^nBCd0!#;5W*>*vnyp8`u%=zHPYuaH#A?P%sGC@zai2F({h6NzriyDqT3CL$rC zRkXA#PXmHy>HUq}Y~~0eJ}ETr>+NxX{ZoBj0(Umq|&SFLUQYH;<#&*zi$FGeEd+_N9TK4gd3U6d2t zWY&}zsEUu|Hmxa)&Ug)3RB% zMZxqyaQn-|b>;!WQ(_nWnASNHAq%~bVW91WM{+IRX(`X83AEdvprv@E%I^%U#l;iT zYPA7#!%ghKb^Vi{@Vk!tZ;c4&v_?eQjyh%Zcn7>aOUUZg-=ctO7%1;7AzM8@Vf3IZ zw$IQm2#ddX?Ejx(mj6`4r1}<+D4^{?hYLU0(8jOv{*GsUjW?l;0FMk znyzF@yWuzUY#_iPu?PTy#4X6@87}0i8w(-P*)=Oe8Q8Vm1NudVBQol72Y3eiH{TX` zWQAq|b=RhDJDIOa)Q3 zbHn6N`!<$yqboSz|M@V4zlvvACkc`N+{!O8>EQ{Kk04_EB_^BC#Sdw!!EC3FXFgXL z8~&0I`S5jw#xb!_+IQ(X0EV+2AZ}Uag-~{%XZ9txgqMdQwH**Wj-NW+7Y zpocHErF2IDI2A+Px1)IZ$}LT3X2*TzUyL6>cl|RZNNcz1)0e#Fm0@Yn&d;>=Nb^=RCXFS*`aG@Axx^WS zDND|D*=Cy*q0;End83os{+X+#Z5eBu*S1kWewTi`=6BN`qqRaO0no$YuTEGiQZW~`^# zqncO5q3B5ILyT+ygx$_g51%T!I`WFM5E4aSH{f<1s+{W0N&yUN%zL@`QWorw ze>)X$sJ~0{r`iIKIL)0>wtu1FwB%0@)qJ}CjBGG)`c#kK%kYj~1)tmqXlU@6!P>{- z=oD}izg-bi?+sasr`nm9@eKHMH8Lw0`t>rfoayudKpTW(WFYbK$+ZT zOv!j{zf?Wn-V+Uf#2QU6eDlQ*n)gXX?;E&7l8TWib>Z7%g;KZKYb*5{lp?CPwP@%Y zT{cIKRY>>mY9uwn^5OGAG4$#SeP0%)4zB7L;@Ikl&9P@VzI`CYYPN_hP8}r;vOr;G0(u6^wg}GL38dcy`~Dkwo-3lj5^ku{c(jmbH&psG%avND2#FGk-|hq) zb%88bnOG2NAs!D13@}W=o&@#Y{=-b|uM)$0?g&rc=av9~_*eP}Tj`GbymVvcXnS)+^kZ;vUwV_* z>Xb*zq}HtO_UAY5ns?hS2U_@l{s9_B4lz|9_JZq_U~G$)z)vMzl(}51q!VN(4PF9x zq?DEc`cOv807zuWg?R&|CH5!YGR)XH+U)q_AhF%HlgWyXPLfM_!D6J?4S2#>#|`bu60D7sI!TL$MP(dMrm?M7{}DK zdXR08daXzNFkNz5qI|Hy{33fFsZ3kZ-CzY>>FI=Eh|Tg(^BmxXBqNAHq+NxkD1CcBrj1Cr=^PA z-PsU$(Tisac zSGM2)UkRUXS@45K*=T_lkXs*bG9f=GLbsZolz@Z~m>{DR3P6I12IN^a%*hgEuyM%c zN1gH~Cq|H}vnz`UKab;orNM`ka-bxLFlpbfG?-9V1!6h73OY-Jv46ahJ>T9%{_kP_ zR=>a#PFOVhxB4wd1L{YN|6Bb!6aY>b3Vx=3#4`=RawqvcyaW#QbTaN$hF-wSFr79O zpT|*;1CtMtlD9|C$qW@-O_xyMMk@r-`{`5%>UDu4DAnqu)!TDH8P*dWG4J0J>cYq! 
z(kndpUeO}FXUd98zY^)9aE$BT%Buu+lzXqar1IB zuMHO2P?%~X7xgQm!$n|lXCzEOdi3`r=Mu%db4hvjJJroArlrKM_Xb$%i+kmgJQU2cSodBXa$@mMYe}Z)PgxaU5Gn|!BEzH7!mwy7IoHMOTrX+- zn5a_xYS`k2=h0)tqNO+`wj+>KrP>z)NmVnh0y_Z}P~OeB_g4H;?D-b8#<`ezCVO~i zo#?jClagWl;iI#Xp_}_NU~P$9ZsD|KsN|U@O>0;AJKErg)3!< z+iY!eRo~P~m6MV$YFl6p!Mzs1B-Jq5Np{VeL5N)`w}(N@Xi7b#Nl-S+rK7}_vynNx z{#Nqan9S6j57+!Z2#L?B$e~+ZOuL3=Qs*?p-0Mlb?Ja>c82)_9%7%G=RRhZ^xtoFm zj{Ecmnu)JERAVxxPv+`p%MeXk?5oprybx0M%tk{=tqnEffIztaSeJLs3bE-UzTFq8 z5fYENKjV0f-M1O%%xb(_!qYu!(7rmC2;)p?Nj->5t#YmzliID@GRFFB~B2HwQpE6{^SAl999 zgK)4+40Q1+i@vB!PcVEzQXOL42f^2bMfLCvBHW@li5SWHd9wAiK6)X10Q@4J&=Lv^ zV-vUazeK*j7@&P1R1kqMHtv$zKAAB$TMkl47I}n`<9nH3yqxAhoX`~_e*{?m-FxeB zDHAI8|CE2-ICs#$#gXWjIN}4nZJvp_lwaal{s<693d`T(7@-1)Bi8NpUt`r;e-X#T zz_36n1~#R+?2Z$0TqqL^?m|M%Wn10Y9it(YDm7TgIIC-+Cd1E@E`Q}sD`#XIxnkxQ z42_alo-VIB*ff>CYqn2~offkcW4G3EWTjiE!K~{|^&Q&GgB8KJ`11}#D_bTQCdJ|? zk_Jj1r|%t!NU!7U1LM%cDhitpxS~Wh7VA1a2@P{`PGmPi5YkSV;*ZJ;yUSFsFTTTV z7*zvS;0TdlYhrn|^?`(>rH&&USp^OuBqoJ6DG<*xP~+Brz9Wqe&F9B~qmiKMXu&vo zV4R3X!~Fh%xt$D~v3L=k*JWE0PlQ#n7Be2~j z&kD;s(NsVR(#Gp^T3FsR8qYIW$Wr@1xmnd<36(vjBC;Wixc}WfjjDTOG3tvdnIFw@SpYb+7q-w~QH;>$ER)-X^I-cVq~$kzEO2{ApJEaKcn^R{$mmOgn!d<5 zU9rdV*x7WTSViW@*?i*xYJFHIOaM(tPz2wVgi5gqiLE)`ac5-Yz z5xdg^mEug_+YE)bF1HeVElZR1t0u-U`ih_mT|WC3^XJ)-6iJi8cK3`?-6+HDDF>{8 zIbdu@Qb~!!Bu6a-mi)ZQMx>7@3X4)HpN4nzQa+5{bG!MH=Cq(?X$b?|bevl~T~|V4 zVxf;#(*NsEvLK44Mxe%Fly6DKj7_gvmepDn6?Pl+sZ`Wh%LR?<0OQ}!8o!*JhuUv8 zx?Dt78-&CHnIhcd_=P7LMmVqDs*oxC)F#bEG_XveYx61!O7BslKTY{LlGQ{gh- z+`W<3d{;_#n2`vFQNru{-rA7Y=UEAUNpz$EZH`9E!(pKq6KRz(P7MWH0;W%j84{Kt za{G6&@OIdmq@Qz1kyg)?q#cz6{xoJz27g<^&vzRWG~Rl*kedP72qDk@+%agU3)Q!@ zArY(Qc^Y|ThLZy9FTktNK@=ba&}H_zg5sptw`IY>a%KP*kT#sTpZ7H%>i}<2qKrkr z=n)$=Ha4P4fmT`G1%&;%ohB89Z@^rHdGl*%~AR zSOZr%3yT)6c5i-Z3+Jr{ps1(owNRisa{m3E|G(k!mvrQuNk?|cFX`wxkq(&S%$an2 zNd%La!1=(%E{95BWE4>9VkZ0MRP!_fhDQzZ?A}Pm zX&djkb_?CR&BLBdNSn{sdFyg-z_4RXp;%k#4M`yq@-lqU;rO8ZYF7i7pifyv^dSGi z8rTZh<;62)ge7&QaT3SSPF>0TytsBD78xd+{Hrqox9c{DS!urY(qWTD$;`)lJhOsA 
zloOqy#P<&Pz1{}9YjO*DXMZsN@Y=xW@_b|7kc1B#eCz?L)|x5+%KTQbgaL?j!_X z$6E|w>-xd6l&JTUe1MxsNPGbT?Ok1ZEI^J1{V|#N>_3NAH5Ynrrk1Pr%h|waflmM~ zfK>25nW-&yHfthcxaeE!RRN5E^LFQ`DZ8)_q_5bHl=+0Q4?ULf!mm9Vy@^4waf>No zvOAEu3hvI?GA!5x_*BmW+=RIYf(W^?sgqJWAyH5rXZ7y}#2G?Ha@^s^TnShaxK@D$ zr5Co08~v87^}R8Ijsrx*ThH8H4Lzn4yyHBxYZn0!HUvcFwLTJBR1$(@!`7%tXaf4R zJvcyATV{erjV_Z|ir-R#B&2ootb60`BsW;vUuUu9lUN?7=UB@Uw47F|AxQcgTHO3gTHU9&d#yL=QU~d z#~9Dk+320DRD4F(6MDnRIj$wiq>jv~q=*f_&Noh&8_c-sb-;5-VLy-xlakMF3xtM1 zi8%8)9rZY6sFe?DT`_a9m-Rh}wXhulE(%j_Gp%a;Kw6{AsKy&h2Y`J?4w3p1uCF;= z?Z5TnxaO%7Y^GU~aq)P5-K_ax^TF7f9QXKivnLLZC-(4-nu|m%@@*y`UB*+Hw%0wV zKBpJJpvq1(>Fz7>L|g{_oylE6>Z7)|4z^o;&4r6!@^55Bh>Cvn86!sK$GBgL8tfrc z!!h^c7+e^yy=3v~xh}%{i+q#e6Ff;TwDFH-<%@CN9L_bO2h%E4RxNHD)e2f5taop` z=rrZDadeIGN*drgazyt!5!-t9^C490?mEGcH=u#5r?8A}CD)5#*eC7++~ig5*Un4M zU!M{~=MUqz6)W9IKYzXhLTN;ZPoYozBVasx+=PQ`J&iC*7ywq^21COVMTEACX2Qc9hLi@4Wr+2Y& z<^Pxxp7~GI0Vcm5p1q`hNrl!gspvc)0J`Qd>)%q5Mg<3Eg@Rzj+-Ms6xnF+Q@0?S? zD0*C;YRV0RQgM1tWZ4;c3~9P8n}5bm5fp%}`&9FOVK{v4y_E0AuGdkoDpFH% zaGV0i@r1h}TC@K9GC_sJf?hj1KAdo`D?`mpDUA;CC@gG90kAwMq5wo44_&qyKD2C# z-ClAk*u}?rIh%E$7w<##m_wWgq#JDQXF;m`o~v3jLv#K!wZj($KM5QqZJCuZQbLpCW=!EB@aCU` zE#s_M>Wfy#iL%&|V>-lAO`CHdJf;C53peXWXgQw6=O6n?NswJw*i>EPl%CfVKzL%G zigs0b>VVNb-eNtg$*|?)M9`JZF+ok~?~9F^*VZUy>7w_J_1c*#fl~S-rIC(4>Z@Bl z?=^Yk0YJK*figQ5t@moa)5X^~a5HNUWlRt_Qhb@`TU#DL(C%;_7QCFwg@(kC?)GPT zFCVG$m5ae|xsw3z?CfA_6A;+!ydB;KaKz`a4gU&DRdy%fGvZweFai`JN13Ga=U`8o z0Y*TH>EogKP#j`TG)-^ynSVCVbv{T4cb>^o>U@AgWU@d|Rvy=OJGsfki-^&}GEy)# zGNgws%_^e&;Vvd5=$&&~HjZ||(2WRCe53EHF>mGl&zV<2RMU-=k~LU(B+oWII`4tn zGQGA6i+3Z!kQ?yZkNmazBC!U@u zjRnQwx)DqDKJRHiIKz26+~HM5u1ucudQX!LM*)(_^;1B(#ZSvPVb9F~8$2-4<`-g# z=h=nR&Rn(_dA^;pJOUzmG`vr0Hd;2oStseEE~KP)^#5z`tiz(-_J2RaBwZs?;(*|0 z5R??898$VLKqRDd(`7MqN{KYm4bmmbkOrxQfPf%~NQsCD*1q2%_J)0q_nzPL``zc< z`yBtC2Od~!)_Si`yxyN%JV?-5r{IR*#{dX3iLM$PBR<_F_}S=01ZV50`K?pXj#|?Y zirfkhAG{2AjlvHiDOH6#!y=}-bV47y1QWgp{v9uZrDbW3aCviz%o2RPOh(MBD>D&L z%GCw~X@Ar1By4|gX>yy4Ke{% 
zO}-zBvrhb0Y9D^jG{mVibKaOw$Y(Uceu>sWCk3e$vsH=c#&N7}HU*J-EZ~YL`MpD* ztGSr8nAtM&HsGo(?QGFQ5zgN|gM zW%g&Ng7yOrAIR5|P7T9mB;4P!Ux#y->yyzj0B&A{hq-yw;lv%1=&z#keskGg`!kr3 zpJNXN(eJS*jyi;~IN|}jfzfIsziEs=(0#;@5*&!!_5aOzu?T7t_qfd_%4C3zmD59OWilDb% zm^fF2uUk>OhY3$sew!y91kJ)fv40bQRc#S|m0zJ(3lBrF+nL%6J3jRTtmxgoK5~5Y z1_drHBdwPM*|fyveW!i&x+;Y8<%jL*8h^LBg7b*__Axw8VNO;@acZlp&BqE-pUC5rn; zg0TWi`r4h=4?XIS!;WaI`9YwWGri*XzD?`CM1$_8gSHO3#vp0Ut$_5ixHdoWDE)&C9y_m6tuk3|sUc zK&N(ls&A!N|8Mhmzx&#xpcebdb?!=+`3T79W$4|%G5K^D=(8av0gPBjuzoj96Mpne zqZ963_Wt<#O+t4>QG@JT3jBQZU4W7MIup-M;@sbeg2vLw0gRkxR$Qj5(GVU^M?u9- zuj*T~0Cs-zBh9y_*eJ)moEme!`DNkI&av%>id4N;v&VhYSK`wUztxWl&S)GU~B>V-`1xhGvq+LBM^F!AtXxK zWe8m-*OHjymj(-ETPzf)SxHV=Ew0WedpS_TUhtS(na29Vg2=77%M3SH(<{IOd3tI0 zrZb6PQ0hhA)VDp40$$;7S|Q^(kvJ$giM!;p!v*M;=J(rvoYNaxPdT$UveiTzP*f~x zzp(;}^ko`CDY4xV&_l-{zNHPjQW2*NWbS5_PdU54nNc)8M<2vsHi5-LhsyM+h#54T zC)Ggyx%~#f1-|}0P4stwTC*U%Cw@15eR0i1w-}Q#$+LmOzyo?3hKK zKefhqXQt;SH`&57QuEJEdQqD#H#z!XoI$PdHyu~4^PVkCwOABurN{YCS%1JWxuQ;m zMBkOX=0Ege@H(V&AP`gCBOSqg1xZhfgIN0cfl-XkL(ZE;1#!;z^BzqEGfN|~l-O&4 zHfA8f!9!==y?Xsapnl? 
z-X}w-3uW_0hQK2csXY{0#7gU+TPgg6f}Jl&l}W%dsV8Zhu6zQ;5N?(x?>HKl?G*c^ zQxq`;kX2ucm|A-12Q-;fO zngt@s@ab0@aJMJi7#Zg#94kEZ{RDt4IpD9_mZQ!CbJy2^ltMoec4Lc_FGd6%6M?CS z0jlW)e-{|l+TqNO`hgwUQ-VWu4dCRpn~uAGmOx@6wD!vB@AC;HX6rtQdHH7~rY)}w z@HPXb-xUu$UPpT#Se@+Ff*@-B`EyH5Io+q=5E{iG310e%fk(ZyQfZ10Kkxka(1P zrCWHdru~%*!XZ`)erb(gP4fG~$4J3-ZgaTZ>M`d)1h?RH2WRyFf5g#tVu8-fT|u9X zNw_UcK_D<02up%rkRc_8`@M)aWQa5iJFX99h4IYbPlSUn@^NYql~>UA@zyh&_epem zYf8nRevJa7yCY}&#Fw0bo@YdbGw9S;{49{!Y18f(f+J;#NS)HyB6!NNRqZmsBOd^D z2oLZUD6O)mr&bIwu>=@tw zz{}P_X1=;xefK)2;Qfs=csKeoN_4esCEF=xXy>Vh?G!U;3zf5Y!{}6TA33!$FxP)L zd~vsWN}^n(x5B_`KTsfn@%9K8>^uYT^i|UB@{b`7iIev|ecn{*z*hSz;D+14 zTu9!T8(+ftK9mSJ1o0QhDrRu|+%7z4K;JER2`uH`pLzbO{8}BC4$YMaJ6J0Jr=fe6 zm!gG^d2WuB)EUID#fa4ny+{ceSw7~~u*m;~P{uPl_uyEIqf@B#P8qKZQu55@U2u&< z`#mVfhl9hOe;TIPA6T(nIoT&_fM*Fn)J%YO%RjzuGE&)($mT|NihH8huCf6GA@MU8 zT=t9~ABb~lJ2+oi8KtA75x|!!Zdmn^8>|JHLjGQJg4Ag$~BYLi=CD(8r(`?HUW6;V{IwZqPF z{Jixr@oQ5Z`twnPL1-8;W&e*bxAPBH#N9_l%&-ur+aD?UzfpUk=u*lA$S_5MfI*d$ z&dGFt9mm#av4J@^b&1cJv=K_RM`{xha?`Jsj@6LmsGKe?w9fK2&ci2tw zMET!QPu~M~-rrPckFz)3Lp?`!QBU+f>N!d1EC!qJarVuIaKpbh>dBY^HhDGE!3c6H zV5T&iZGYa`=zLSN=||Z*mGZ+tRvN8YY7k&mk*5N*ch3|veAN2HJ(7=M3+%2xohsn4 z_FC0Vx^-2nnc+s(`fPq=@}-&8^l?5c#;}>a${PvFtcKWr2$rKZ-7eRogCxbod5~T# zby`g_Bi8s*F#^vH4@yl`zbomvl+?p&@ut?jQwk zQK+l3=u#=IiOa`ha&1&yH38}ppO$A;EXD)DSU-7~ZYzBmv|WX_E|ZUhC!bxDA&|%} zLE7v>5;c^FdLhIQ5iCcKl48)Pz$v5oIdU{4y0&sOpxkbh;u`W84)HH@Z8TaK!At!_+`mD=hxb5o-hM=V#jq!Q;Dop2dCNv69)w~Tx!EZF0UqpcX z5tME*nLUG6!6;&lAbV@>+sWi`t{4R=U#tE>rW@$$qi2k&P4eT|finBz3W}RCGmNA6 z*u$%HHxiOnMjLE#+{^=h0Z)$9daY|5sZr3FT=k%%X0Zr$Mnl-`Kf4a|YCK&3MB=sC zLr)2!5W3dbgEeuPXLU{iKQuKb#bk&2lZnkcyMlb6;~`jB(kDWhz1dA&a&@js7G6tk z8Lxwyn;|*#NHCu4Oo{0SjW9k;5DOTiW7b8-g3JEPDg(DVv72Cm?Ev7 z+%qe{vxPuItqoN7f;IEk@GPC**nlqRA4Ft4lVH)+gzpFL~I)FwH%~r#|<*d~mb*tOeHa#mO*|r146DkuH@~z0I~{C9H_; zGZN!llVWEfes9sE6GF5VayB!!C_p$j;T7G}M)lWh%~!w?w%uo$uv#G$QNh}%LcFHqIGZ)UKt%so5#{zU*e zL_jbUdsLX1lF5IfEs=Z>0s+Rd2D1BzYZ$nmt&H(wx?wx3d)<(XD!A|xCULj!zo&#``NWMS_vPbuX=EWoK 
z^e`qBpfi*Ri|#_j())toU09O)nm{5;GujiftdLuGkCnrZDF5%HtKNxDEGiF z9u`I*+&_exdLBkiK@w;MHXJSyPC=gw+Mgd);F=l2+L}Rp{Z5aJRLWV8#kofQpb)m+ z`Bt|_YH6DO3JIryj@sbFvu?q8Up+lc^~yw&>3XPea;H5kqDN#?@0{vpZkoQM>T;)i z+@F1IF(Gy6o)V28>`|v^;;LGLDgxejf7HReosxt-zq$U5VZH#Bvfjk@x^;r~*@-tQ zqaS7w=Vc3$#OvH=1}Qh;^9dA2K_j=4rJKc+(;JvACG0IzTG3H*t50i{T&DdHZ{u$N-e%@zW((~0_Nt|Z;;`|<2KN)o zdD8^fUQ3Y!X*Xb6!arCUv>w=wf2LXPG5Z+kogEAmyN`j^5HL{O$=%*%wPSTZNxNZU zdtL4+k|o+ z(DIb9$9&s^)X(ZVIJkcG$b{kaQE}ha)tYmbD=fUn;WQ`PsS8vWN4YNZo>28#Qt9so8`ntAVkBzORP6=T_PM>?yulam@ z+i~QKW_uh zvW4@^11YI*c=OpPkv4&7VZJJMGrkr=_}c<9SB72?$}<5I>_OrWM5OE&xJ=)Y^@Pt`T~XF{dpTbBmtmB~Qx9GnA%z>l4^)B6iQ^m`1)qD_sefBE}B#?rQrxS3ch!2H|}|YCZemDs*Y< ztpO6RCUmbRkiOtC85=iHrsnwV&20*1lv2p*BrMAVNI;Eb)B!azr{E#B;M6fY zZ;9Vmquc9pFfO(P8d69s6&QTvnx;H81@oHTEj~>E^F>kV-S$64^C{O;=}S#3Y8#*P z=8ln_Pd_z_!jl>5_HS1Rli@LuloHf$08fNnTK=#n!sLO?+`0Mw4&%^g?ZG&kj{QKR z*Kt4d-J5TX#}yQ33MXOE5?=`3Ev}C#cT`!D@cEDTBpC=;_oYiniN@6NjFM-|N3T0P zxuPTLeKq)bWH_y@GReyyX7^d$PF+kj{;kR{&}lL|RHJ_}P1HrE_U0>3vdF7+7~(MQ z^;~7)aI{Ie!U=kIsWyft=ksK#E8T;BQgk*$SplEC-dl8t+q$bsU6HSJpNm6@Gatd+ zA&1pxetkq*Hw;>uY|E;sVggeiMa z#kuH&5(+&RBTJ%)g&l(6f2vZ;|9CC_jP&H$;d7w-r04cdJZ8E_dNv#X zNqWK*c90JBG?}nAK_%KkSxRa~cAFR}Q_Xz-bP5Yx<^>j=awXlciWx4wGK@ZQz#T}t zyUt{{+Oe5p^imaIEc%^18O@H*+Gdu5;eM0VJ`#a5^S77^&st4a5S{IER_{1>Vv7x- z{yZ3gVxAj)9e_8>H)PVdRN$zni(}!6;f)ae9pbPW%<*A*z2@1__!L;I?LK)3jAD^Q1{yXRBlYTKM^wTR<1a3SNP{iWd_|p z*+oMk!uv8<^^Go}CpHGBfnolf9xn6bv6&VTH80sN`?fX*Ap?u#58yf5zh%$Gsr=xN zb( z$OOWPSsbumwBBju5E%$QuDo!hL|%#lS!P!|-&@3u1YAN?CmI}k(3a@fp+$8P4D*B! zoRX#9erdrcKnD*txG#JvCbNQ+Mbyx$C-bRQKRqoZB;kiq>HOFOQxz(aHEhY0uo{S; z)^Z%ABYZW-nGqj&YqDfWocf+D-flung%~QzIi$+MGhx}g>Zx0PEFazmcFgf2^)bjN zRtriEQFI80N8wwmQ!Ouh87q#jR<2|HJ3*?e&l|b!Z94>?c)YBt4Z(tFuYA_14gnQ^ za!ZgODc!Q!x+vbOAFS||NN>!}Wx6I~|*#!4g&a-B6ekDqg1Z>mf!aMH)! 
zSG;aDdg`&Un1kOqR%z4e5wU51!{i#O&>o#Nrxbo+`?%& zV-X!nox7iG{ahq%ZPI`#gQty7A(}pnFRx%VByCLSD7~zi&uP73NfHY=ZAA8I_6hCF z2#3jU+li~M%IxLswLN`SG5HrM&kq$m`uukG>fM`{zbPT2wgRH))pRxFC6_v~r|b-L z(OswW-BCj{b@(_0Y=gR%2B4e#@Tx2*XDpQ6LPXn8o>k9850k=48;69xfAMzUNVd3MtF&Db$N{TV^MCkZ+U3a9cyqo^ zadp06&8$OOA~%V(OEum4kLE^(mH7)K_f>-Q=o^OHD{sE!42{ZU5Yos(WtDh02ku+2*qGKcGX&Fu@6OUPH$&5b+A|F~YdCjxk5&ZZ zo$bWSkVknHQbh1T8@yeekdThDu9-Dk_<(H#TLe^y>X!J<#;vX8C=&6~$hPv}zp(+r z_Ct$|nHo8C0?@hXIbZ;qBEW$kWCu8a9XbwT27!=2GcG{yps zJ5xA5GK-u3DQD+ANOn132!R8>P3SRKsCYa;uvt|~92e(`fszYf_eDDMFDB$MfqXv= zjq8}g1)n|)bNRIVvcajvf6nlJjbk{8Pjj!#W`9P5^XIOx#?Jb}S7cswdGRk)wA00s zj5)?ibmwOuFLe%5zTEf$(^e&fS;>xTmb13J`()7@UV34HZ3 zzuVTU!I@Nh<^`(!eO3{kS>)y0X9X9}JJontyc>#|HMn7H7AIWFNbMPU4c@8Kkn?&}dllpGkeGq8)Xt`2`y8ZJSin&d92Vi%^rU_GEB81Gsh?nflnaMP zT(5aHIDD-Vm|f7;+eB+Q-GFvpbMkl}IVg3);j@tsx|J^OzI)}!A6<=E3YAxf8^C@b zMWlJO&<(NyMopDUUOeXAfLkPIHZ-SC{9#NC-d}<*K^m?#1QfMC55-4|Jt~|58Gj}2 z@P}LoZ0qKGy3wXYk7#~urisnNx4{t>esc53GRB=p#xz(;!Lx8qQ*+(>HkKUQ zMrmr~Nt`4;Tk6gMbNG`7ZPanji{9r!3&4jCkJN$dZC95L1EI*cJs{NnH30~fo7?4U ze6`P#P59yclp)0W3f!-E-tCT0l>r!l-h3c~_|32>V8f{3RjeY_+EeShHt`_96VLfP zS6n;hF{?Z|+Uk88YlZKT0e@~7+w?|k=X0Bix=sz{9zSZ| zEh@O&cO&^*+|e@W3q!ZHCD9967m9tSL?n3q@a=OClx|XPIKQ0~b*#{fE#{Nm7=C!; zX2(S?>u8e}Pno7y#)iD@WLi~L&+HOpt~+nSBx>Bp*3MafV;S=_@q=#*rx-!)JOEge zFb8jX0su;V`h5_d zi48!K`^uJH+HiPn@viNO(%hUMkT6yJ+T7jNE9$dSajac;p;doOJ|O?G-;<*vzFTu< z+8#MoGwp5Kf~HyuL*=f^KepFEY4exgq4-6LvAlD1jb6_B?vGMT9Y`4Cx|p#sXe_tu z`b6QGYv;h0G-B7{d$@8Vv%`g#ECwN7-^PLlso4P&(sNsL0+iz0qqJ&lf-%FUwj#Zs zrZ}rXIVu9}18s`%mg^!+YOBvYuvBJA&pN;>o%2_mX&kXq-eM~Ym-Q5UY?1?>y}OMS zKH4@5NXhyMr8pirQy`!sFqthVHvqysLVz#{_HdRoe}gc88c+TD0EC2s4h{DGuP=!) za5$)URQ%+gjXdBCNy}vf%#z5*?y;1=!^#jqM`#|C)F7rY()J>lp}$>rAvs5rr<}m8 z*d$J@o!gVlVPDsg?3SmRAz@CW`p)e)^>kquwqs2wo538p_`Yk!f?V1qYL(JQQWBO% z?p|)aA!I0IQSY<%y!bL{^xZ-zwFCI8Tz&bZN$0ApDL@~;YVrF{lX=LI=|6Xu{s;f_ zzc&2Wf&1@YU;kG&=GRFC{Q=_sA6(l1H-FWyllbr5a$)c4b`%U>JwOZt9E-!JL=C4C2mLHzXA`2YL^vHt}~OsQf3 literal 0 HcmV?d00001 
diff --git a/src/assets/img/Delta_Class/use_case_1-3.png b/src/assets/img/Delta_Class/use_case_1-3.png new file mode 100644 index 0000000000000000000000000000000000000000..45dabb7ff126c2fb8c61c75bf991e09eac3d25f9 GIT binary patch literal 158158 zcma%j1#}!c)}}G0m||v#A!cqfGdsqZnVFfHnVIc4W@ct)W@cvEelzoCX8+wiXIrOQ zRg!MqmelIHy7&7!R8B?|9u^xG1Oxfe>wb;mg3O2wxrcH zu+}rAb+NShO9X_=g#&nMY3QI!=wfMMWzXTlP5h4*9KiFxis^_6|Ix(3oSXQUv>c(J zwVfd$fR>(?o|p%gkdTne&cKL6UP$C$;=n6zViN}k8xA@;XJ=X#tnB~QEno-f{;Hv4prxn#_q~ClTz{2v$eFqrTBr({S^|d$sDlSU&%*VO z_WwuCe>DD=iT~T z#XraSAEm&7=7Hs+`}d^rz!Ff#QGkH(frtz7E4qN5X+mY7_RmyiuD62^L&uT$|KRt7 zVbJOE3G>TKkz?ROL#y>eMtS*q6nxBW|A2+uoq^002Fehd??Zxi0T}aoziiGrUd~+4 zOwC+x^{;q6ca)WNR&jJpNj*9FEjOA(qfo$S`=8`vpQFi{ndR9KcQOZKXd|?!aCg;< z?6&1=GQgc!WoV}}5FzdH=j|G5daK*9L5fVQyyL0|(^TzXEw;uWa>F(_O+_^|-|7d# z4+PXP&~|>5Fl{^5pZVoXCldXX6fbM*s2>OU5$=@y|D`kMg&j#A?Cj(cLfCi5=O2l0 ze3vgBz;S<3j`HA2MJaH1-iSS(nm^AafF?XY;>+V1r`Sk4-Qq~Z!t=YH9M!HL^snTM zJ9WxRykev-!D1oM2eG&kCXA}q>qLb1*T?xg&HY070qPWajxC(>FJ=E!`Tu(FN*V_( zlxQ$~>@;it{}SMf-1qsWv$$08Gl1gXTL0Gmf6FbFaYLFcy^3Wx@Vq^UzrT7u3Y&~$ zlR{1EL`cZt{?D}3!)9~U4YT5EyuNVK`9a+Bdcmlk*7DD0C6Tyd4;%6F_t-HFR~R!% z6J?Ro&;bWRo9&?|3;9!P%cvjvKM5UwOQ1simF#T0>OtHu+vAxXO5P1o(PXnS^uW$E ze#~+Ib3p&|PKWEW!?)T%@$!0!G@en43fXogvtMt&b(GJ9CI_%2P6LeJ8~e2PaH)tA zWEOOIDl}+>3WdQ`S&E+s*mlK&yX_hYZ9|)SSJ<>wervQqAZfiH*WvqtOm2A*jdk2F zCf2YT^{qH+U&;K_In@}|ZTCRv9_L$N#9>RrQ)7l>Qzqhkck)~mxY%VY2C}^mc88bZ zgi}d+7-2l|(NWt@Q6VqX*B|^`{l$*z|$A__%&#>ZFNwk!6syS)z6#F0g^ zi${gYH_5wVTyLwcha}tig_@jsM&t6R;ejT@-|{AT7mun3^IXkuB#d*P4E!e8zRRpy znHPAxn1*b)QMr8NII+I7+UUeRtkT)viWI3t@m>dr*dGS%7x?XHy@0y9Ka53MjbnQV zeaVNMZ*dHJ*yI&|eB?vx3`wG6g`h>`it)}Eo=f_@X_#TP%hF7+2XM({ z3bC`pqpV=dVMD@&y6EH`$XXY|Vf}VqkKvB2lEb#;5AF{|ZgRFH1q#@h4kzvUc-p0R zC!pVmtVYf^U1;=+CPOV0%R@wIVb=94a9FxS3{ZMSr@;TmRYUt;i za4g*>1KsR*w_8Bl`>*)Bq;rZoTkt?-TEjX7A@#X}(y93uB8g(~qo zcNaC1aUxMtQ-#S%oMw)$g|%`X$BKT9#+il@SZn4B)GnY6$se41F(mNVd(0KH6s#4- zq{2WdKh89RMN=S;So zm+nxik6AND-oYDWpGG#Ipr!m&4z9g!hVS2+!{Mu)jRrO<|qXu2}WpHuOXI> 
zCn9nV*h+=rvGM*ti3e$j^L-eRrdsBk9#U?d?G&zi$1EZ~nZFlf;zTnBR7)pc0!HxD zV-m|l{iBN&qcxx3k?OYL=9VI(F$LW|!7ZPfY+SVS_HF_dole;s+?z_8c9meO708cc z^aNZyCj}{NmxfV2_sC|FmLR{1H<-qpa1*wtyuVaBszNS>awF#NO&hP?2%@p{L+rk6 z2>x(eeFkiM=RR44%mwcF$RePgkMk`mBuJ>PEah0Yp68tZ6rV!+Qw~D3%6X|cMbo$x zxM;OB`*wZvc@Jv;32nNl-A~&V@U&7sb7uCZ|-$()?kpV0a(P*$v5$wg^rpJ z^E7PcE3;)Vv{G`4q(g~gku<$r{Wjd`G^jFpv%K8m8U>lXw*~SZ&ij=fY{pWWC=`Rn zulW6`El-^{*M+3h0-B5-RE_(G%a#KzetAC;389b)Ssti!I83D~N91N|YT@e@kx-_R zHP_o~LT7qi70!CSo-_Pb=!>86da>>aU>q29kSIU3T6b_ez%pX>2OSVZBL50|3^fI+ z9^ZOy6v1A&U!8>9*r;l^4Lk#L>49@$ZVyNF~PfuZG2pZ+PXP=-P~S5 z^S+fV)49KPBfGEgZ!@Lj7*~vyJ7(z~L;}}6D;Ie%ib&9%@nt}Pr5!6B-gBSz)4bLc z4m*zRnNgut{`E*Htm8&o{Z*%f(5sE(z)D{NzRjmJ5S8f@4BDMJk*Kb({?bSeQ$PSw zZuU?xCACYOo<`ejD&?D$9Kpv6IAS@KmhzI2tmR^G2+V>ln1FgS33%$pZ~xNnN`_o# zq8wHW2|a&su&tWaiQ3GPkm$Au)8B}DII804BS!o^mt2zr{f%Q9L$ZKx4i9hQxXz%3 zIy(hco)TZNgkve9mu{}$8Yq+xZ}ORDYYTh`rmDX19pQRzVZ#<%ej#;U-z@U9EF1aG zqps?h%O*z%<@Xb9oWCy&4ZHorEda*ilwN%)XaPzJLBreAi^gJU{(OFvku(-udY~L= z!LE@x&ldGBw|{=TA~7u@73%h`iK`=Wj+qUX{Cv=#9ZgbQx7mwT?uZa+mU?% zzB4hW=6$uGZ>W5~6QsoscSJNYnF(C%VsUp$N%gHBa9yl;uqB&S81YKJZVCN+v0J%d zDB>@vR$BRZLv=c!-r%m9S3=nD9G+t-L-TYSTR7y6H)mxxK@orrsYpQQc^2k00{0D0 zo9nB$xF5`I506Q6h+3PcHaEtd?{RhGfQ^F~OaiZi>>ui4M@ApH9|Eg~i6RlwS17j| zbh7O`e=6R9kL1Fk_{P*Dh4z>9YY*ghU6h$shl%9K&0r?B&MrtK+G}WBj@ggdbnynn z{z%+htxg8t36k2#6UeuuTfbfkx<=1Y6DK&U*AYw4CC4w0sw zNlZ{KD>JT5W3Z5s7)uZjUCDohT-tvAe%^|u)?PNOMOqm{)LaDZZuFVT+Z3)F2=ZEh zk%lf$RV_-0xArwNDF>Jbg(_|88Z*&~-d!lSJggVr&`jFW8dOlCeO#fXUtteVlYdy6 z1(H89qP<1UfJ!Zo{A<~;i483v(oG1V(Nlzm;reVpWE9t49Dvkgk^oA zumB}mzHqpJ24RDpp;I@|)J@EZmyw`OnY>yi_h7)1&V&h{QU zsNHFQ1RyW4-EG#H>P~#muwf*e7!QoZMk6hLOdhix_=8EWb-)p-g!7skhLr`*d+Erg z8ssdM@q_|mZ&}sqb>07P9s25ZppCSLrW_S}{$#ojq@hXl3|Ijv}*u95$DJdlC1F&htp?Fx+157b|rnF@vd_yX= ztRnVPW1c0-JKJsNOr(;!{abMhH1gJmVKaNxJ<*|Yrt0P&gfEx&&0WeG7}#dKUNT#( ze3#X5C_YjXCEx5d`CJ|_h)<~cit>Eu?QxGGa-Vr`9fLV-9Y?leir&ZTR?7$ztpv5# zt}u&IoLHb5OuxXtq#<}MV${J+Frf6NuG@w>6CKDg-CRYI+%^>5@=Y7tcEuH_nF@#V 
z4>g;_{^YK!a(_gZ%#3|F%1=Do?V)WOz}pK;Ab)6$(+kZT>zi=6&W$*GFSP zvQs`+agsZ05wK?fPEVZ?SGdsE<4%ny!e7V)!`j}Km#cSnj;BQ~T6=?ZX~O6jb1uir zOv5tJBq{nzWu3F8b}del#R{tI(hZKCW{DnyVadNYX(BH4>kA3qW{w*(+!4Mc*Gl8) z6&1(bJs+k+>yk=Uv@@_zWdlMEJ1deS~! zAKg&;0AN2LD>yGgYF|^&AN*yf)GD*8$ykg=%pTWO#KFG+4do#yCcaD#taGmI020Sb zs}#s@jv+|QJw(^5)+$TPjX2CzmF~p60@dhYRjN$S707f2o+aI*ZeI?akj4Z<&LOr? zE=HqLVi7MfO#}y{C=NLV5sMq*$yJOZ)VWTzz1ZzDe3Nayo%bQmspGuz9|W&9 zWj}JH7_8dM>W>Y(Oj+A7MqQ^O02gZRE;h4EruUECV$UCk7+rK%D3{yEa?0p>D@&>7 zI&M6?i&_We*)Qu!+Yel-Mxuvm@M$(g4rZsysJuH4z5MAUZC?;f_KuYhHf=Oruh$dS zvhi*!zG;1r1n0!AAaKC#r%n4I&)Bn+y7)5=kAD(L>pS_ZO8`ojLkNLAKIt!ZRhLLE z6GRBsM3fKF8mE#Uh#Y*y3ax@udN?itLuPRANs^ZHKIsHLFkq{d$AE^HeK_dc?m@+1 zE7aC2nbs?8ELF|x@Jr$>S;`bWM`bPBPED7{SE;60wp}%eiy8vD^f-tQdE3dKSK;7H z+BxslOA4;MyZwmT@{Xri`rmdLJuSlOej~lv`zeMV`lG-L%c88LTlD@Q2=M~p?GN%% zC5tRJa#QM?^bo7;9j)JV>-6N^ig z0=f*)#G`UOPDsW8GLR%#bT^4;uE;I@983b>wxEAdLHO&-3Uaa zrFrfn!dCQ^zEB3`;%*_6Wv(ZkfYtr?S8F{dA4iV&y8zctj$bqc+{uBPC}e$2MK}Qs zNM08;;nN=g%dlI1!WFMEh9o`|r!q*?@Cl122rZM0XiU)dD5Te>ulDDS6`Gll(0NkQ zFwwjlJNw{>5KNhVM^MlT_}&^DxS_Z4(4Qa90a~6cm>jkDpb(2t_$3OP9Y=!t9_!xT zWD{u{m;YLb8Vz1_A}=+DL}}~_`uY^&Q)_4fC7utV43Ro|Ug*Skd-19IWpZjdJFq=i zAh_{S1lj|FT#`Wu<8wl&Pq400xd_lhpbEu7shaQfizn?LFPIp_-`{ISzX9M61+H^t zKr%iq8q~wKBJS@Od(T`Axb$`L4L;w`%^7Yyo(l&63B3XEsuohc1zk!i{maKhWaPSO zyDD0#^sK~{ZHyx`e~edlqX(Plzosvog9N4Yvip8bUQ6$>*)dAd9AlWQe7@3t&N zRVc+{Gy#FGOyhS4py$+xgQlAmo1SMdGMqhY=$7#l7HjeN{lw`5ZKcDZ?YSZtK{_Sf zl+Dp*(^J>&^PQeo+(!ZAyC_+yEWztbOy$Ii1A(8hf={~SYK^P;%p=}NrdHrG!xg=~ z59Ac*V@}^k?>Jd6fSMsv7s31^X9%UymfXgz_yUzT6s9N@Db3rWHh(|%I7trldDmZ5 zKFn0!UT0-x`%_wPaNIb)L6@d?Hh!CZrNw%Wc!_Qv3U{nBhXv2mh&a&uCCq`0S>nR> z$FYADgT?PG8|1`wM_VO|qVk3MM$)fZ^%2BlT1+FLI$7U`an;FEBd;8;)Di9jIzJNx zq+aFuJjN_j{S3nMb2D6tg~_2k7L z;Q0Y~o%$^a^YB&d9$$y+Gm0&81fSu+$PLR;)1DpaE!jJ(p+c>&8aHUFQV_~M&3={u z$*KE!Z7O&Ft%>osS}VF}T(6Ya&u*5^oLGmspD;yu#xYU)YwnkpZG3_*+y-LJ=P9&O z!BXkyy2q)AAzTGtoN%0AA^&Ka_c<-`v+~OEZ%Q-_o!5kSW0;tu!TCH+3Hp-v1)@D} znBx`Ge93IS3I)id89*~rQby?C5VscvS1C}un60;i5&V_a8w`fzfoESNMtm 
zGJdPQUnI*kuPqx7E{nvHj!}O!!Lg>!ABfa1D))+| z6_`3YWG5T>p1~*#bo>jggpw!KJ}Yzwb{rSm`*o3D>Fho&>5nc`P=p6pwi{UxSE}k4 zNM{_4>8BuIF_K7Sd$oj`6ZFc|gQVbh8~KAYXpgRdf$9%U2gD5p(+@oi-=i~qTn}QS zsNv|NrxWxB1*R@nz;3!DJvA=}s zymUlT)c@e8&{?8C)kN~b);ZBTnUmm&4*Dw22->jK!0o{K*H3~|#6V*DGltM>hK;eL z|4s;q#gu-pT-V((vQgGx3;J=oB(!wPlc`GT`1B2Kb&yZf*}`U75!lg`(|XSx}52aMC~l0q`%rgV@WdR~+lxB)Ex*)!N@= zI!MHD9UE*Rjn!4KnqqUx)upjfjs~z<3QHLy3AZYO*&nk5YBQhMp`N@5!W+O7=3yz2z2e}MRU)d@o#kkBl0069slIg z4)<%1K4x0o7h%4=T?&YCmG z{UYuy8m>_;42OaUb^Yz6F!+MB%*V|S)@Z^lWS#_!vjBjWac)b@b4;Pcph4$pfP&$# zRYD{g-utbDMn%(=$81|rz*RRwgR~FLazDc7m1;MMX<1T?i`mI}qjQ~Uq{E+|xG9|h z4q_K=bfhwEeMw`twT@hGXPOqXx5lgO85kDrk{O)7ca5K-(~H^kwIg6>eN#-S=PNSk z(!?sQ6^gF=-lb;`x8mv@as>wnwOgZ_L$8{wr{Nl9UvAYdd8|no?5Pc-H-xH3FLF^= z3uMmOeB{se6qWhgHDbdSF%dAe3rR^tKVs0ZeQL0RRJ7sKd(2a*O$^{L*`{9D0L;#j zoblv1X+*@?xH74F?Ix_|MfRMtQy`A7@uxS~!RSdKx;48KocdfaU~%S^kt-Iy)(Vas zWta{d_R-g%PH#k9~{gTn~kT{rw@Gfl0I+00r={OGUGlES9QEG9>k- zKZ}=TbOkzc9yz1UBzd0-XRXd*Zk#t^xW zY5zlwKVL-kRzBhW8v?$CrBla^#6efbtJSG0@uK>Wy;KF%$_8VXY`_&7XgoNWUk~|- z`^#~NvhUzkYJk?I2j|=a*AUj<)L{mM8@FJ{NEHJtXrC zU9RF@O=rV}?>BP;UPyJVFz;=P+jSrdU|rF?W&q(Y1^ioIKS@C{_Lf|YPr2jBmEY|- zKld2<`)r3hQXlIz_DQP)i^jEmfF}HS~3(I=Z8{g)S zeW|5xlbIZgworjF=+$n|_Da__XX0g?No9{U2zN5d+KX~exxT6+A9ryh8N&sI73--e z>l$R9%piRG7&Wp3hAbfib_O0{DioxD^N970q0>C@lmIWB3tRlY(j^pg80bdul(5(JX~@tv3-&cyy}}Oq~E?D%b@Z?PFG$QyWV0)Y!AG@k8;L?rj#qp)k(Kf8`H|1>_Oz^Db zzJ0Jaee&K-Fr}cqvC90IB1?Z!erk`*%+{S~sv~T4dVkEt?T^~z3y55Hrsd--Z6>S0 zr6MvJiGb7wW{VI}>kkZJ{1#uGT~!bOpW!TF>A-kD4Q*QxA6pOLeT0rJVPqg%AeYiO zX(>Vs*S#Y#x&LjeRtc#~xZ|D_FVKQacx{%)LrExgIdQ{CL)Z)os>YiLE!1n7{d)!# zSWY38&QcW#id0p$#>HPSBdLd{}VfIGd zU<75E-tBV7NKC-H%?gyhW{^OZejYyCrM(|KPRjCZQB|$QIy_jm63#UD<5D)%P5T|2 z6#ZFE_=KfT?_~gewE2|rp`@E?y>6~K$TiQBa{)^T!DAU;V}HwwbEbzCn#I&HiWikVd`c2swLE{<%5RSL3X>rw#qZm zfpmT=v0t1WG#>AV+1c){QZoyI&54{hz1EzXPOEh~nb?_di|$a6vVep5?0rmNf2Q)V zcfO_=oREeL@BOSLl9my((h}$jGj2gXl>&l2_{`3%FB4Ff)JpNi0@s$0 z*qxSi&x!+?IP`IQUYbH)jAKtVTI}yfF_WuSkY$J1@UxCu6RD?BX%YHzJ*HzE=^fAxq+4GM6EPWg&3ryInZ~yk4V- 
zr7$!77I>Jr^B+$pr8x>;&cqX?KnU7*!C+OmapV?;b17w#1D4b9cwca5w&_zqai7!P zWLD5TV=BtECT;^$mXS?}OG@PR9T&k~6=Bo2ayMo|{Yq%z#ZtPA4g;Q)m?rQ+HrfRzg zqa%qsXtB>4x&94B%tCa33ah<>1a-GV2Jk6x03w__&$LoAe%sX}~+goM9`%?s<>4YG~9DkPfIn zh{+hV#wDmdCa6=2g>L*P%$@_e zXw~w|r0ECy{3Yx7_#0fFr`B=rFi6VT>HO#~0>ZmZt5%XsTah^Himopo`^lo>JcZk6 zqSC{3=4HsWRORJb13Z*o#Y2CNpTz^Zm=Kq6!7B9Wwh;);k4Byq;s5}QDvktc*_lGd zwSh7ll9a6K6AseUQy(9^27&tzsGC+`d>Mup0qG09v@JObvDc_l>=x&cS(<+;6G(wU zq{whV@IU}p)D`P01A>^3bQ$TZYGf*?S2E!vuPZJcSRi>vhyZ_pa26te%uyM_Fhqm} z;;M=!OMx8GX@EXT3JeV25dk3B3@M;9n;&M0%Lt@(M%U<-XSudhTsLHS0ugp3rP6l^ zuxi&$w-CDr+H0v~K9&(o4}+#=Zt`ao>xnG4?dPzC7I`WXM|Z&V)P_u!4N>4_n;dN% zOO#`aUuviT`*JG1g(Dnvb)*7O8@efU?^r?HF(zhuN!*mi1o>d?cKj_Wu5)$Al8p|x zGsx--K}@d}6fA?sPrN+4Oc`4Un89mn0@;mUZrpsB{Gxc#pG>>@&>sgoEN0M%Sd3#^4nmQ%tY*qlfK0KWEJONLdqR7}#pNJ4f$dm6O8#=< zOos`y!IUSUP{hEOp*3oQH41CSIVsT~pYx51^Fjl1%0!0VxUnnI@4L#wx03fK$iU9$ zkUIdLFaUO+ZCcMr4><)OamEo6Vj9ysO*gh2kg|-(ilkN@lI)M9?$g$c7Uzi=@|F6l zcvQH;_^Oz*ooMFOKJE5(Mf$yP1tY2F-0-oT2JZL7S;aOH`qQZFz~${q@igOuO_2_?1*^7*i{Q7`HkoA4;eCT0`&_ zh0(chS5LLb-T6*<5&*w6D!bGhS#LrRpuGD7xGugy|~Bj)7Qja`aESgrQ_^z};Locs)>>CTB% z%<)qpvFXu>pX?4;$a#}Jb0dj8k>60;F~LEAxo?vlp4nIHxYsD*e0+Xi#Egi*-fd&Zm83t3IxD0JZH8}}YwEjs`v^qX#vhizb=az9 z&Sn>?!%6(5o#b)2VS)lMECJQ@!Shitsv!84uO4>oB`uaJ>JlyQwyWa;bR>smc1kS; zjx=zm`&^V-_Uv0v2ujp;h@8~oJzoG(W)o?KZAfr~99?j$&00Di9%V3s!4fNQT9g!a zS|$)9J&W1iWETNaB2-be#G4UVfpEHVk3+FA9QTU;RK6!|Wa07cv;l5W61-3?{Tqo9+{zW%{7f_8%|=vpaf<{_{I%R%6^ z?Hsf}K?2{jqiF*5a+2O(gz@VNg>oJJJ>#|H_g%uNfU)fxA8yJNT)=a6NIcA+}@H#m9=w^SFlG5M1QMiN1Vt@ zt3w#`6#RC=ordDON?n_#*OzmoGM5{28CENe#wj&%DkLYEPZb8U+~oDfx|cArkrDzG zt#jqYX8B^MN2c>)G2gr;8FMNmfv)rU78#jffl$k9a7IHeBTH^QRDuYkn`JNS* z81uSRh7ltxaauVv=N@un$up*e9gI!G*Wq*myA8e_i;5A1U&5JgtF*)tB&O-=p_Iz; z>^kk&7^x$^;PK2(7Gr%kUEoPE59f``KO2AJ<>>ZOZ|9_{hVi{B1yLycK|Ds09n)$M zMLa~rZm!T92y9@t0lNQ%nJS_=X?49yCQ?x%V$eNsnFh9?0uqfgeh$>3p1b&R;sIlY zPy|s$_+Cx7mka9U(fQV$^DZ6Rz3q61;@0YNi%_^ak=?JClamU*7%RXqI=NR(Dr&4K z&_w4?aE2w93Sl6(8F=au54PA!ngCcjn9YzV@X?&~SL^4NMlt95s;9rS1Ma|GPX9tI 
z`P8C-5@#;rL)^;}*6*{1#;0)KHFTMk)rh-NmsKBeM6Uof2O{VzBWV z14AI8E$sn?1CNW^3u(4nzNsF~XEjaFxTEt?VX*o5fBc&XOCFjvC;7r{-eCA0TAdyM z_#QTXKm*<-Ceq2(Uttf6vCr)j2?1x*bJ6YHZpDN5QRC27S^bs&sz>_hu>IowkwzHQ zwU=+eIHgk0kF_DHtJ)}L%Sq$4AIso1iMo0qYZm)3XuvqDdSknPAUfU7>eeN-(dzWi zgokbsH@TD#i8Jp~YywHG5-cB&R`NSqeoQD~gY7m@V{;b?C0kwkTH|SK`G-=fzYImWjFp%Hu>8%9I9?wYMjKr*j2aRl3fp3N$0k zEzHZ^XsRP0@IQz=F;0ERFn%Hfb*2m_8|yDsebWP%ovb{R*S74QZjiN)7KwpLr$8Xc zQ7HM2Z@o=l2wQEx#T#wM((lHf-y`#1Yfs)@%p)I`MT>7I!Z|+-xV(<2A+jS{6>WLn$xU#Wp#{F~nz7gqWL-4L z?NKq`%_3HDf7~yor#Kmq>I#CU1+Gdl4aO( z5j>xCt9rdONU!4Jf`>k#mE3)oV z?qgHIprf<8`1>~?;!VQp;Olc0!pB{F_uyp*T>1xt8hs(}l|UDkabIe_h60Rw#hNEtx`Ubo0|pKh^SM&T$@>I+-v zR|a3x{X|50M(JD5VJS5}@S2+n(*nWUCfJ?949UdZ55Z8-BoOe%xUmPbvp=W8fExA= zgHo^2R5T7@1E>g@NA99-t3Sh%Mbp1rk4Yq)&c|68Q3OR|JCaG~u6{W#oFOfwwdt|# zCU1%kYrRXC^Fe>;6>Euy!dV$V*m9=cKjG0CK|%^ijcXK@WAkQQ7eWKF{mrrg#zo6B zed5V-9-aB(*7LsaE9qPSCREJOu@ob#ucWDwyK(-(&s#}!UW=i34X2zJ6Y&D34+XQg zN{jVhA`dB{d`izFW-%!KK;hSguTMoqmMlR!%hgO~d1&@?L`R~Tq!qth^p}BbRP_~; zs5@6745s?vxCX|{nUKLn8v1gQSQ3-{Y7XPnDtx+{PB5_CAs724@@M`!Hu>kxRBRrm zaM4mW;`Xt^xcfCjIBo)zKfDk+<;Aqz&xS|I z*5Cx-V9~JQgT6h5zf?_D?I%&sn~e{k&Xcu+Qes#Y;vZJb^QAzN3Y5!3u5{f`%b!3Z zm{7PDVr_jXQESXSwcJb-v|NZp;8T|wQ-1hX;TncRPFV!yaO3GHU^ak4)|n;dS$DGV zplW$@3k2hbAqJo};sE`Iex?O*@KpH~(Yy;ORedj2NcS%Ay5^V-Fpy_0=3#K!eU5Hy zrg5aqkAlWTPcxhWD3Lm8cskc^h|AvbbC(h?-#Kz@{`d@owo>Gm`4>9$OPW_}yftcE08JiL7W}W7Yb^tVkXk^&80MEhz zs!HnJDE;apRx8}RvWl7m1>)E|Az}k7gJB1tH5Gqqi$h1+fuS8S1;huZ#<2Hg*X|Au z!ti40r17P|#Lwx}T>d6Q zSuV}?>!DZe%lVmy&BwENgK9<|BGSM^8xg(aKs@vozcXft(ESZTlIwaQNpKSgnC8fN>tn>mWq75Xd)(6=5)H zjY)Wj5YJ}ixFik~cYOW~$o4_9S5|S_Ox&4q##DUO;bpzUX6iumGUS%5< zAqQyWIDXM$1DzqFCZNxu)s1osOq;o6X(xctZl6&#VgK2&q+1%e2*g1hfef) zFmy0vT~oIn<^4!E7D;O&zwNpNhPJ+Q<2M?#9XFR;2ewqglThh?G8d)CjlJ0$N#6@fI!w{Ywe_UWXrNOp!J(!aie? 
z1>1c+q2xy1#Tfg3(6{62+H3~oN*$C}S|x8MC{0z;38(@D8iMr7Ugd=hl*jLpHIuJsZ3a9`MIE0Ju6BD?VsOFArQsTxIRNm-F@wn?QWu93^Y&P6bH#cSMaGmc z8if$g9BO2wOID(ag^Q}nJ=T3d-rz((N_8ZwIlitji{*O6ockrt8l6^KCy54?pmNCc zomQk%<(iS%8W5;$gEYakk+9COlI*V^Pedtii3?qCu{@*tk{~ieQQY+w@J%nokim#Z<=fWXZ{B5AY)b+M{qOi-6r zT9`>{UQf1&&QX>qPRe&tNTAbNZ!DXcX(U!157w8dJ&{((;QP~RTasuT#M5%Ms6;p% zwN_k;**HoBi1Wl)K$Z8Frcj>+ZYYM~GV{I)bnfqQ00!A`Gl$dZv%Nb)SKU9}ACZ_c ziD1BIu(gNmsmm!26V4XCPFNqaOSD@r|!v6dPcm@&~VNUES z4VjEAcF1N3yYRV|rnI<^av-+v&0ZW#S`W0{br1A_BvL7GfWZsg&|n-*E&&AMTifD! zZS-`o4K$@ibodJ(xJvQ7_XP^7#d7r|AYRMn$8#@YZpH_c4hK~6r-6^%h*j%+Vtm6< z(?$c;u@sY;%Gzr$4$yLf=0AnUvK zkPC&xcd&{&Ks}w;TVMf`v=;Q^sfMFRS4PRkNm~WV@I|ZK&e$p2^wOQrFfODJ{b#Hh z@Oe4*g#{3>wh|lEoP|0jS?!nxc<)_!EOeF4u(4M>Q_W+w5Xcpq`=v0$Tyc93^KTSOdF)#xT^o5=dDxx(_Ixl^jZZ{!R9GOb z!)y|WK1O<|YVEM7P%~^k@F64DvNpHyKzvyqkX~7|zhpo_5A+N2Gph~_dezg=N5EVS@ z{fYB^DG>52f!2XU>%vg^hjj(69GFF!vHP7E`W~};apqTer!o<=vT|IpPb0Ca*=h5I z66>IqmF#r5btIkv*_MQ!F$N2d1WPvrj$19rD> z2nJSl|atTN!!rZv)AD-N8|#<}cQ zg6Cc_ZrI){{x5)p|1?2O2DiapYHggzyjD^SNa@v#^$GeniiC)cP1tq#EeQrsQ%4RpZoR~FP`T3 zhj7uq`~Uyq#Q#;^l{5glFKsA!YCHe;Z2W_S|L+O=pI5$W|BJh~3~Oua+J$if6lp0g z0ZMUcad$0NytoxB?jD?$Vx_o*Kyi0>C{WxrI7NcH%SrdM_j8`}zTbI&oS)y7AIVCx zR%Yh9=Nw~>G46YIA-?V?drgu1OXJ^kvH!|$|Ig#O3BJ{ZaI?R7@j_R#wj1OBFyrgr zN*ny|-uUO0Z6G<{^(x9iOSQetjgkNJB|nc8R;B;=Vtgv{L;ax&HVyVpeLE-{m5eB! 
zw6!ZAPM>~{fUb{KakVTcFZp@FNG8zZ^!H1AV6{L5cRd zx@2;fQf5l_D_bHX0<(LHL=OIMkIHR84ZZ5^b|Wdg`5;+6(j@M@sPL$o7So%pMLWHZ zP~XpY^D46z-&S1XrqvL3WbifKl|TlVgW%a9l`CqWi&@RBi=T7Q!E| z6~2f(>1X#*Mr@V#GlN6d<1hp^BKho^OJh%A`PANfrK>l=3rpuK9f9%-4(&t3WGROH zk3aEAhrwitahP9yVCcUO<~ezrxNVM~lSC3~?9DJP_&?EJ96@s6;uKSvh%Q@{uXNiM z@fw7V#U7pL)b)x$Nlr~sv%f*#psS%HR0I8P1%GBLF-P)-r$=HRcYM1=xtdu+x1iz= z(>2mg#>cBDQ50#69le6yl_+ySe{zc>X3w_0;Qk|EiZ52@$bY!}V%>(Q19 zg!GmDHSRlW5m)q2ETYwR6IVNMust%1z4c$S4Ie{(in`{AfqvM>m zM?EGi{Xtu4Ib=Rda>Kh^*^rqhso6)*(j)IrlAQ`34e?DpI|JK2jhv&U*t9-BD(UJS zT!5CA9>Qr?1U2P03l>TF;x8Syh6`6tZ0FpI?W{Xjuy!Vn*szn;J2iN7F7OPW^BA}Y zU!9cf>9#YE-W@DBSfAwekf2=qK^)b~%vz(TidEV1Eol-mH`5X)zbh$NX>KxcE-_C0 zXhA)wyRcWT=a|T2N&6m~$l95taeUbPDjKQBq}z4D5=bu&IeCF)atW_3v%c6}U>~C7 zVh}g$r7h58j;K{g+T}-`8%~9tcVWH#G&jaH+15HDqUa{Doz91kGE-~+63+&zm7foZ zR&Di$CFJn6Ht&DWiG79d3d`M$)-^DMvAi@ANLW44u_Q4=yGrH8G7LD#eZt|Vl@CVa zkJ@t`h=Ny2N+<>#_>L+R&4R?1`pDyQl)=tsg(c6Fu|5sNV`7GKh$`yUzEf=n$qStP zq`h;Du24$7S5RWS73Q@}Kbi>xA#DB$Zl!b9YZR@E+2bgJb>-dmcDc-ClFJ(DlA~%C ziKh+daSA|=>tCO0Qin#}_9SXdf~V_lFVv-p7(`E`LXMGJu1!(h_N~@dCd}-1>#}UT z^}A~o%ne;_=Atf_EgS?&&#YY^ht6z5X5cmdWqC5=GF*O}uHJ6*#T<>(l%Fk@zDFr2 z3Zy3SZj&KebXky(7hL+wI`l57A1GmcTDFhgu&vK)R=x8+@B#|+JXL-=Vx~t5+7-=j zTFRN80+rjhHLQV?gqpdQLhBrAgxQg(FYlOFJXk>HSIonfP$GYj$>7G7Uzb9oLE7Ov z*?Pf+FzvSF%1>xZ7kdWI-${-%+VR0tC$wh*+CL)@nypmC3{+H^%&pCWR}bof>ttVx zOIFk&h1edosEgMxni3f{TaOO1>vh>!wTUSZP-i-A;Q1Ykho*fx-3qL$Woe1-Q9~)c znJ(_%kCTa#;IdZBHT(N!KA$y6DrAh$=sSW3JoMU^SIK%^>L7}^T)V*t- zJo7sETT5nbhORF5)NA6wr^N*oTYd(0^e#|4r#vv&A2~Dm;jmWN`Eg+a7X&-kQ{IaG z%8b*nDHcH};J@q!GcCopA1w0ibP~IebZn7Q;!c4;K%{woSEXi;gzPwv6jUGV?b~WE ztQSAqAGtI$wk*dlO0AUNWmuG@$lEZn`b2K(dPNx{)pS$u!``<`MrF#xBk<}V%aC`ah*D68*?g~-6sUC4@aW-*73JjN1RJ~aD= z@?7eP9&oXR96x+HsIAooF=AC4IiLphQ9SoPY-AwPzu3#43?-r~uvY&eM=O5J@%sR;|@97-HqRFr=s&0mN6FWrlT(%8b#^-HG7!6t@{<~^59b< zocHkS=zdfA*5ZIS9VeNGzp=Z2s!`msh^$N@>By0v;%eTBhjcR{pGZh4E=f5t&bKcZ z&fN|K^vAO(;(Z)B@|k_dOxNE5NVWe^`TD*`!;TL)M9obHG;3PX!Eq$CFotloe1&cA%@O^ 
zZmEf)dYaHVx!}a%)l^}@p`nfs8!a~4cYJX$M)UST&!wL>f7kr-wqP;g?w4rucC-f@ z3BVIq2esNk{3mCZ&zMmltDHOn<6HWpDvQCmh`*U%ql~wyjX}%6%FRcI2VOY-q=t7s z3cKj#a3<nJJT(8*r;2ECS8 z>VhWBu07`Q`qyO^)56VU7-T0sWqT|r3QOv{8G!yH2=S7IOq%qD^{`og!^#ZFp7*`n z-QpBbit-rGwXPJ(^JVv|F1jbK$rtToy)uI(_o=FM>k7|+OTF6iL?>9F6lXE8?b;65 zn*{YTd+{OadHJ3KBec#ROOhCH>07mnZ=`>^AVO7$y_dpnAs2doEX`zCRR9!tD6zCB zJHKDw9-h<=*2AqUP1|-89xd65h8(@w`0^K2M#5TlkuEpNuOBhJEpG&cP}9!nYeoAR zZC0(_Yx_Hj>$N?nHC4S2xFywV{r$n#6!~)QNa2fpKuBiwsPdSWo{qVCAu+4&%XOs6 z1myP=bT6y>? z0x$UyEC>nN>jo$t#lCx=SDOXY#HkdDaI5(mU=*B8Z{jVn5&&;D(YSwxl7cCOwE5nr8}lp_a+mwCG0 zVc_zaL1oZR&Ex}3&DK^+=LKuF6MWdtJ0!(yutwLEHKw!r_5X=%UIl)Dqb z&ZDDQG50Sz_UkIF_5(@b|93jJ#kogW+=tpqU{UfK|M8jO=QwlEzMtWuh;L@mn)ir| zY=Mx5Bg;qBw`Hv(qT__+2l$)!VIB2-l-^};wdgDnK+pS<~g zECJ$vYA3dt_AbdN+xpW`%V3Bqu)Ero$vCVG zS}OyL1IdrNKs^=wEyc`6|55J2^sz@2fr4rAE$(y$q)Xd2`hzJ~dQOViQ7wO&t0z!9 zD>hNZEQZf=yX|$T{Vj|RX$d(MJ9Eoz4qcf5&h|cs6UVg+CC9w1_9T^*yaW9uZIS(| zZt?q~Fk<@{Umo-d&+)ci)%y(Fj{RycfJ$%Ge(|k86ihvb(mGjVIqdn7)fPa5uI|n? zCt;BzmhZDUY`T%?Z0wW$f=i#V-6!G`T-Yqe$hc8Tv+gFdE8Q3HS+$yvu+pTl+7jEz z5qUHxH}US;=b7n0S|0ij?Pbzvd$gz8Uxost|wYwYbJAbm!6UIcRDIhwrF<>(~7Hh0MCY+wBk9`!BwBQT)I8+Byr(NPbs`onuV93b-cA z;vK2nGw6nu{||g^4bk)cl#lc%FNP|MrdMEG{07arlZ7SebkHWFgdTaj!drv9LA#c^ zbGWH^NOT!&r#h>(mK-|Q_%8C~i*M46+;wG&G=$W8u9i#N!c#F_h`&BskRj|A6i}u5 z%0}|t*v2-07`9#s2Hu?Lweb+#z_oU`^-(yvi&igzjxluira5PFdZWS*o6EnWJ*&Vf zkHxhJ5OCvI@an>l-yLb=Jm|8?<{1Ng{^`(eU^2OAKi1K9h_MLh(Pike82;TX)AH>y z3ypn`BpsS%hi58?cpY+A^~&ORw;hZ(cWo5!#3Oo4qRIU2X0W0 zvF?BRcnZWPgeLR2Z;>WvjE>gAt3vZ1cNr!thK^U;Y&SS`o2(1zU)Ue`F;i3?JcqN> znF3^Z)0vg#oFruY@Lq^}PSlEPH+l7?*>%}`410f;xLl8SiZRF3LckvET(ydNC7lXL zOAut4V*%Ev$D#)f#Zt&PH<`m(?m-P`@CV~cwfooscQ2YU2p0Tr7QP>V81ID1up1|W zSFvu#56)D^)-8qc%^yNU?XP3oK0KhZf3@5QC`CVxlBG4C+{p66HP_gKuX`LCpCRRh zV4q;050iG60A}t-E(8@kBJf!Y(Rfl3`a%yDNZ4Dzf_r%~^NriR)_oLFu2yb}sV{SR zmjP$ECcb#<-NZnuiejHJad+05aD1~8CK>gs|)ymI(ggw_=7{(dMX)d{0 z>t?5sWlpWsDE_7O8Jc za({zksCK2v-Hnjy3kUaWp-0b%BwQi9Ay>>FKq^JAdnYd!+7T6+`@5Cr-WSuxJ3}+* 
zc=|xkOl7~jAGlE`Zch&>d^XfUL`T`d+S}@Ee^k zV{s}L(WMgBf#J*mO9V$n0gx{V?gMHYZ{xAV5Ds)9KsfGJRw|?=}?Vg$b zm&o%$HibE^bgZ7w0*H>c%}{&BAkLXtBi!ok*ptXmuWt`m_2oUk&Nh=sq3?0d2<(zUu9`udd|HeZn6h*9A?>FjO$XqLzN{+xXXU+j8^ zP{xB~7&YM+M2Yz}g4<~9^@^dXmREN)??+pfWZp>{iC@tmNR=%n5fx4_8l6fcE3+su`G2LcR zN}G%p2G?amj**rU_8s+PVmyf&9UIFNuMliuD==gMrr~mry7XkXTSYX*^g*jqQR*zr z5V~zC%v|$y%0r_NrgrH=_`;bEy_2Z?VcSD^a2}6{*Wqc?-MbD}?R#(3@DOSd-t6B9 zjg0uRa)r^piL$Iuz2zu+iQa)$>|3P}-wpeEtGfN_=IQ4XH9P%e(9VP6>TAC<<_yv&(JV2Dc-3!0ms7BsYBVM%uv>sK8O|6j5eCkKr+sM-?30DWBZxH^$eNdyi{LaF~IH^bwRfWX;t|A z{VIl&Nl)vQZl868xFwtKkEl305~QfFm>bD0a^*1UeT}bea8yf+K3c7OI8pF_dy7~j zrf{5UlNpPhU!>K3m#fa^aXIf)r}`1&EXt?XH;f8hBE+=-_F$-Y+sO`3T;*PwRhEwm zO%fM-$~*&RtV*b@hFBb<645q%JBwiF3bKwd0`>c0c43!#=DEU5OFHLJLanh8d6z%P zM3MC=>OH`V&Os2fA3|M>>Rk3RQaNBxQ~oqj0{xvdkN`cv7YUaqI!3rI9sIq@^LoLi zm+mx`TL!LPF(MQO`$jFo8!pErPuJm2iE6(MAKMEU)&CRkn#pxb zY*1i7P!rW=LlcNZL#+b9wh@z1alD(Oxf}I=P_!HsO3PSUy56A}2ZdxKklg?wPkc%S zJen^zW#gs!t$t%7@^Ji;-HR)vm7ZJa{Vk){q@$VvKuIMUZAzZ$nN8uhEQctuvw_B2 zaDMn%m`g{B1+cDGdMSDihtwc#J#j*8`uVK~!iAhY$K8p>4~IRrMJ`~5pRHyW~YE9F1m`=rln&_f+jk_MJ*=yvhw(y0F=KHy& z>P$l_MQ<8{@_4zvX7yv@V!icZn8C%(N?!nJVBn%jrEL*lxqp7mHtomG>I@*73wo` zD?f6w)aG7re;oEOUaSgEzG9_eO&a%PBiPz1py{FC%_~Y0OCjLRywf(g;z|((vA=d! 
z#;&fTzEFTf>zTk&W8ZZEvOR#%T(AcOlQNj6A`*$`KWspmRhGQJgqDi*x+$Rp>`=wb zIDq#zmS3RCp>+5lGF}eGXylg@xKH=^>lWUbjBap+R*Pnyclh)&ay)B+*bsdS>BR}g zxH5Acd8%i3zvC2_E4f>U+Y}l0R#f_XqH9zsb^$@AOW?acD7#%9g}=yKDrfP?K5` zkHQ>h4N@+?2*FpUC4>eury5Eslu( zp&|R8u@_u=Wz|+q3}ENy z?3V28u6~BHz=>cI_(DtZAq_w&fL?Odu|Vrc=0cL8!`m{mrjweoK82;sZ~h~8D;U5`B)oTCF5V- z+j`w<7!`>}RL<_Rln5l6OjH__E5^X!z(o;uPF+=?KG4%l>De+R=$a?9I7=R5A#l~O z+;R7tuN;r2ODSjbn~sbC*gga)P!k)MR*>iX{%&-+a&Y?Ek(r0rL>X zDx&5Kf7Lx})0W6S-0+uOQT)kIbK2VyDa#fV_j+#1{kF8kIJJe6>W=99=XWh16TqBZ zjWh_lO-Nzb3LJ>2f_E@LZ=dY;$c(Iztukf@dH|W{M$|hH`I3@h?DkgLtGtwW5`<&SGnIkAFDypq&0&ZEr_ZbhRG%)0!+0-$J^qnQg!y8I5+HPAMn_GI5iNL*I}sOOIg_ zj(7Xj*}fZxq9i@6TW^o_t?lhv4Q_AKGdPh`O4xB`2Zby-=p{Mg;AlA2aeu>MW8b6D zx1-!XlOU5M16O-wau9u{D)yV5>a(7PjR*g~Anuhv!+^-DOZ_uxuY+#+c&*nb`b`#E zJ0((j@4Q2M=saJ9c_gPQnu*;mddi`%6CCM|EKCUW9OceF3ktVO~V<3gZI@* zEcZ++fAKvF;nK4eUTSz7^&Us>+*8HO=q0#P1$kX2du$#WPm`RNw|=}T@JVQ@B}2fc zv=^^)yWhA4QbdSna#!?-fpAk*6nI!GH-k5L=|AA>NrLB%mcF>%b~74LTLa7P-&med zEhOQK2k`pe>=9MhO$tJk--IF|cBf;z02X@fSJTV3lj&Y$I-$9|=|KWur1Ri{mXE8$ zC*;RgbM>L63#o3MLjA{e-NQEda=a5 z-B`$H%e}(1=}pxuGY4&J(#OD^t()sAk;*o!2g+I2%|rnckClzp;-t&zyo-{tw;Q4C zq3cXJEkptjWtO31^hv`0&1ahm_8dD82}jTg$F+Y?*}tzyNn+9o=*#KY!7TJQ(MkHI z41%({Epyjn2Xo^ujJv}=>STB{|3flH|7d5rLe41BnZR6%d&_3vN|*V0OXXi2wm%ln#H7ZHzB6=|&rnvOuS+dAAyb?C_3+@a z9b?{3i#CtTfemMVC>#0JhGX5P{{NI;+?V+MDF$<|XE~y`n&ntW4_4C1YU4V1gX#bd zNp47zBgq%z`cBF6<2?d3%C{S_yjh34(>1`Zh$5ursqb#l6?u0NoOH^t4ni@15E|lMV?*6NR zgofE}z5ea418!7@gpjrSzMVlbho2EOZaGaRlEtDvSIXnnqgou>T0gnGYZLYep7CeP5;q9+O~%^39Rcgs$4wTd*rN=27CGbnaz^G+@vgT}S0G~KXVv3%t+cUEU;@6Nv+0$+oWdT;=IMkIa##Jj~y zaeh4NUFA=<3kcI=#3d=_iL;_Rt)c91cF}R|r=Vkd4|uiw+Mq5n&uBSSQ?^14z9h3; zkvp~cs_yeM8Swd(y@La+?1lT=Z-i+DVQC3-8C22omvCHWsv(uFAro)rhO+K# z-Ia|hh`x5SDLsuEvlQ3))_9;bl9!lXbO{Gy9UO?Wc5omzlvWepw2Z+`I&=JC*mxMN ztwZ;0k90NL4=2IM4Wxt4QgoNkWv5{=f7$rOnsWK6g?PA@+1%JF-Z9jnH)8&WH1*cl zFS*ZAR#^!wr<<5rrO(!gx$4*ApSk0l1;$A>`kG@lvSWRf62_;S^E1CPRh2iAM&dT61?j+Rv=!Ic!Q_a5bmY(>Rp9 
z`2{)_H2f1~F4ModzYH$G=P_0hWbLm(#CD;kp;&_($DMK6?(-SF&{64QX`vY7Lqr_+ z$*huRX5DPG@Q6>MVSC!1+6I~M!bA&bk2T6pV*z54*=TQID`7E0#(N+?s=j-fyW!DP zmbA^qnW3pnRa55V(1U5V*pYQ{2_+ldGHm^R-i@0AJnyyUyyJtuxP>EdsVkHa@)0!n zKz(0Eg*}?LfYM_H^to_GHS(v(gL9pF>1Ry%YaUWz@_>hsIC`m>_ZJ#R{blLrDi(!VCglrJt) z-n=lo<%I3P6k%c}k|b3b$v_t0H=cz6@L@{Qg~j<9mVD^)z8U zv-1#gf16od2|Pe}tiz-4c2e}Y`^&rA{c2Vvr@1e#SnTcko#3I)adOa)(aAv~_+|hX z{j*V|B)-!ZFNf2%g$Uv6q1iOnwu>1p(XT?axhwx9mB(XpF&!GHd&vW}#-1LGg655D zxe%OEf9ED~k#ZG8%0x2YN_j@{^auS2#vSp^>)>%|da#NA6NWrB%$m9msUUC_xvw~D zLYD>Gi}RpvY0$yfB|4)aM$xuGR+S)u@dz%!nPb&!3it}<9sY)bt;Q>dr^gvTRYH0# z_=XL32k7H$yjgIfNux{Ywhlxj<&4nN=c?|SW!pnC4k~ohTMPA`IO{(rTo9Q@EKB0Y zN<9X7?-p*tGmwcLx|DG+*SpqB4u^+z2De6dan?^&iGV6Sbq~_`D!NH`>^c|PMui79 zi>CAy#b;D%EX~avt)X?eNE!i-OvGZUMt!3o)5D>Vrl_E% zaBYuhdTzRm_%-y^uZw4{Gc}LMO5BKFdx+Zibf|@3lMOLmKaj3hbWQj;3>uuM{aQ}V z47n8}_NRT>$w)ef<7a;)i#E51jyxV&=ZMe=dyZzst{qJ z5A@LQx_=Mmq$j3kz2>us?8F5ykMd5n7b6F2scBPVx#0Ej%Y&4LM{?g&uP=} zXwmzrDw^ZkZnYiUv`5c}F3-X!ni@W&{^vZp`SwHhI2WP&WFE^5~x+E<%3B<(;fHUB; zUPTwcYvx{VnzQ{Z#C2#jUz((c*e>lc9l6c&i&~y~MHe=?@N2pI=+*1G^kUHGY&cIU zsh;sCmI7bDmJv=yuZ}f>E1p3Di8inC;n-k3@DqaN5KkAFn0yQO@C#JmgsrT2KfT8x z6MdY6vxjwk+iyQ@@0Bz~2X}Q1j}Q7Rv$m0!R9g>}Xt2WQX{zo{zix4Rq7L$)r&%>%dz*=dp0YLo7@Fhj zw#}n8G!3gp{S&WZg|;bLz?L%wJFOuruAk1-CyRtCVc{0~bd#^`2mPAY^v-TWtg-5I zLKuGGPBIs|?i-HGdVgxuAIS>D3ZfFw{L<a9_ZC=C18Eq^5mJ!Rw zOUY5(gHO`954Ik=cfW#Uhi)!T-II!KPj@!`kWgC_tGUa-#^QE!pzfh$OCn*LFf5Xa zWm7-u7a&yI%nT?!OyZW@M%`o2xIB$*4`1eFFiyF`0ja zw-B2ff{JSORe}u9y#THpt}!Q4f0%|2tT_}dZ@~dl;$Ma-z-njTVa#%sA@jWob)PFx zHRl4g)Ed`*44>6+y>Uzz7Nqqcq;8YPN5%>fPcot;h$bz)S@^>Jc!aaDdeLe>@DdqL zC4M~ae&O;QP9+BV+rp{DUqh2c7Y%1`KWvd+7W-EilmjeQ4jZx~y)V8-fDxQv#S*!~ zceadvC(;;8o@N@$5T?guvvn?~AFp%LxCfgYG$=*#ULmaYj_QFDF`_!ewvuoytsbOl;(U{lU9iBnY;3ixK6!Jj+uDu?gZC~+rG zl%nes?6r%*O2N8Om8|Mvah0Nx+^8>uq1cHn7Qa44jC@4vPLxmApW32Hs}m&;V#Gcn zA+z}QVs}gZaQb!mz`En=bxg)n=4CAuTC}HDj}^7U7qrZGkNrvCwnX2o(qyEUp96?e z+feuNV!4_ZJbNqTwhKK;Ds4}8Ggw*k=8U|T=`da=O-E)~FO-%!UjV=& 
zmt4SB&DV(mE!EqXSC!Jj)>ocs8zla7J%BJiSD34^*J>{ggU25A^=#o(YuEH=G_>jma>_KdSHOT-dQi% ztMgtma}DierJ(Q^fI-!|_b9^_fCY67o=_9A_o~$v@~Qlj*Y7=#THk=3F-7pcPuQ>i zihY|EYY(VQV4Y@fe}-uieqoZe+kXMj>%RT%@{3xY(YIe?^i|9U370=Z*pMy*ljO+! z{-tP=;issh5R99cgd*OH9dq*4Ys`)1Rv)$dsoDfx&T#3B%r_?ME2S%Ke&5q;)uMb* z=#0ajF)CZ;kp9$2ayss!U%k>Ts|v%B7*b%5!VB?Bkgs3XrKRXIRfcc9Ay&U+v7}P@ z;k#*NK;yUEvjq6qEbp^x;DGv^4ZksPlGXsEAfNIJdb`FSPh#X@#HYLwHpE@=Fp>h4 zMLEMu6+@BvigEbfz$q>^Wd%czfwETTxWpBbBiTx6UGllLfX~}pTO3xF+ETNIWJD1? zZ=o*4M;rx4`ESj-kRmuza6b$stJ2g4Uu@TB0N0jG$j4OJkK8<#NuCF3nrx^=KKIR5 zOn#rYW*w;~FaP}z9!%dB*8{z0o2{L_yx#@7BeLjzPq0!!$8=(HRe$z&<}Rf6~ftqd0l%Z`_S+?w5b$BCwWkHIm2gx_vJ=UAUcX^q_a$ zClNF$$k))__n65O4Dip?A+sD`5?wqWlX6YYy$Kx8I+qLBvdQ;$-q#1e1nh;+Dz^8IC!QM#K5`#;2ePgv z5w({PsbDp;@;Yrw?T%-nyA`fTFA!2r+C`Qq%#+P9&rrN>tGGrb)pkh#`QAWJIeB;U z45PjM){k+lFL~`TSj-@Q*gS1hIIoXCbZLD(*WYmmgBowB$XMZV2U#Y+5`mN8Q!_}{ z)Jux(s?=y!ht5!K!>Lsg5av_pb}&vJq+Y}Y z9pa~gsgxoa)HMv3>BqjzIx`fvBd_X@`!KI$Z-ac4!G!l#g&G6}jK0UEhDz(*EDZI2 za4U7;l)CV{FnzbW93;nXimJc7Nk;(%a-FE^xa;+9f4E#wGpZ57+pp zt@t`yon8IQ@mN+*P+!2yfxQbj*|_y8$o1hu6Rwb0bV3q!cwec$k(+L}p6b0GelHR< zI8b%PJnIx-VN_SzBGl=VarbO}5fo>Yug|T{C7Wyjh!D*o=PTu07_p~cG|Vk0EIToh zms=j-+bYaE$>jVT5n8X1lxG&ra5M_Y7NmokNg7=7Yzze}gd7NU-r4d5GN-pvf;^QbH59#zN8ZjKifYo#?&&5B zZthq<8Gpw<%5LCsn^z^ilU76x3D=(iG(&7F4WgB58fs&1>qME(Mukv$6St+d&$hJnM_oDPnznV*LY z2cj}WQ+wHo*-_tqMc*fWUsLvxLP=jFb|(Jo=a2m208Za6M~PILV+`s`PAo_ksvc2+ z)k<{36&1?_#?{)~jhXe~R-?D8E}yo3%caB6{oC^gw85z`Qxsns?9?*?Rkka;wm$=> zYFf~C>y1}?0Y9o4j<4)6g*0>>`Y}P!^wMcyO1bRBf!$w^u=B!8KW@XB)qZPqrrmeD zTEBPnBSW7U&m*|#9oQ)Sl!|TEn{#^OPkHc!W>k%fP zu1Ck8vNJlC1eUI7Nx4m!amGeh-z1HZI_KQ)2HC}D4{98MNn6h{F~XcdP=S(fUPL6u zzy{fvkn2qBRNV!(ubSS8yIq#K$m;#rTO2qQOAEOQ68jc%U%^PUe@Mv$FOjnMyOMmH zP#$$_Z}$Z?h|(DL8x9*_)!-lsJ0iTsqmI zZJzo-`03V0EP13tWJ2vOW7LJEmW_8iVcM|S-D!6ozpmfpl=(xJ@htX{{i%l5QwNq} ztlQ4Fobq-YfVjbBqwPRE#e@_*;0(`)Efmvd5Wi|MRLXc}H~V$lFu9TM^jE`J0Cw^t z5>wYl4`TGtz@)3DHovI1A(HRSee|d6naP=p{ga)kp;z4k17PI) zkCPY!jGrlW)ngV8x*fI9=_92(X{<*Ob$=2(w^i<1BPZ`^>^D;N(`0QGILEb+BqiXb 
z0rajVmoY_k$Ds=|*1IYMX5!5S2~5GLltw!udwX|e`lzpTM+!NtJZ2)MvM+M?Fi5*o z7BtMs2)X0)WO)+pa*Q4;6#WWZ+hZDfQ(yANZscK2gBMPaiP#^Y)mAD&>V0x=XhLrW z9?S7#n$;H1K8wJUIi}P{fku=Ja<+7pDxsXK&aN zc)csM{ryMp%!3`+{NfCaF1^J`KX>44U`9RB`}=(tF+6h;Us!ubf+&;u2JiuGimBkK zhp4;D-oA-&{HQ&@PxCziJtxxNteyHrz z7nLZsHA;Ca)1iVQ;1RvO$#vI(jE(Is>b2g)1Vl{6(olY{xmW4Bhrtvc^Y;~-5s~mH zacx8+MRd=e`&B=ZRrfg_dv!nZCU48JzwAu;-Kajws&S#u4)2YZ#DVE;Z8{$eR>xO& z;SCOWZj9nCfP_s-Tj+I0i%mhAB-&l)tCkx6en|W;(s2SLCbHu&K#VWHeqaePcBww* zez@W;TKFm*ekL&@J<2CE8?{+9gH2pmMIes45OxGv>U@@8YnI|%_D56rH)J{x5g(@< z5kj-!umAcvBa}LOY&qE|?oY(gS~haI?_WL3ZypuGAAyGN9Y(NS`D)7`C~F&m_}Oe< zTY9LqFq?Jwnf?# zvR`igcQ^dq8~^pmm{&Rg%y*cFY@}N6b2Oj!Db!{>Mh_J4UdS{s3j5EC{+~bb_tAA! z2ODF@GJI%aqIcEgxkg#GkV=ut;Wj!3Rhsr;j$UZY27Trci1+5*RkBf-nb71cD=J$u zZu=Wa|JCMNWq08n&0VQ`NQ^CauZ5~^H-XJ> zYc3|O++e$rUQ2ZQMwb2p6>EW0pJKFXWIb_j&G*>P&k`XpDE5j)$vQl^qnhsxF0hWu zo60OeER>Fg)ZI%NmEH|h>R;V16>d_pQcP<6o|)6S-M<>0vR4(Uyoc{ zFdy{Ie=|CP%dVR%wcV?YwHpYfBG-9!r_mO;x3O^*Y#S?c3saTcF)NU zrkh&jj!Ch6?buW?9I7c3V8E-E#Af9ZxIZ%GrVa~)0DsNZ2C|~PGvVZ5xi>ReM%rh- zYW*H5NNWoXp%FN5H;vT!REx;wNJvzO#o4TYKJlX$GF#P*X5vmG> zcbf!_hkZr^{}dF3A=tQ$JMxcQG3z!==Vz%(>^6M7YLzxmAc z>iikrDY&GE*-al;UI$#JgP^9+A@B2!*LG}`80E1J@D)srD5wkxze4k%22IvE6eBqd0@3aXJ|mc&=U)^MY=z<+E!hPeL9_&gSfjg#{lnluJJJJRSsuUGcZc6VENt|%pReHLud zf~h}q$x*o3RQHi}iSJH^fHelZ>;7YnV&VWdyG)i)$aJt6!gqoZwLwp0!GnsJ<;k+=_&9$(*aUa4BrdHeHgP6%<~!=SXp&XKBO<9Eg5!Dyf;a zmB~ZFad749j7J?(-udHXKUnto?>tN&?TvFRR)bWUYL;@Ra%Av1u~Qp6wlaW6Z#Otl z6YY&Y(RF&6^5h3HZDga1yz9^!kK%NQN78f4IC8qZg>mI9;pr%ih6!6w6vB z`E9rooV(f@RyXS4M85(9M#$F+p7T^LO>E6saM}c~qgn7lI#iXSzxNP5RVHVOkN*7Q z(EML8-T~0CMDZmu=4G>2ymD>*yi2Hqq=+z8(Lf!w!zJ;lsH@N*F68xlO&A_PvU)C@ z3QyX*!9rlrt;;PZC1T3ihu|oI)I1}2)TenRjV>gtF)~eH`Qw%XcE`O0yp~5jdy{{l zYYN4dJtm!VA`$(*`?vI+z=5^m>|5*W%zfdd!>rCpw8_LBLOq@I$bG)=R3&adWVlJ? 
z)A|aL_Sv125}rV%@={n%19mb3@gP)z|f8ZMp3u z_r+cy%UQwPin&Nffd1GmlDg-^L6bx7gUQ^Ja2>4D)xOw;;@t<;is1XTU0jSjMq?}z zB+KL%jc^Nq(ieo6k+HOH>+LtcrbD}%g)yXb{V&khX67>AX!w3FJH zx_4I^Sx31;XB~5{ewV9Ez>Ry3(zw!8rM>L!r6tVV>|$T;u#9?+Bx7 z6F)UW3|aTtw}*C%cAK3<{`vw_YgvPcdh^mmYnUK2lG%(u~KTgs$TO?aR8SW=fJPPRV57k4^!DXIqZ-fZS7|QbkO6jqNKF<*- z$0%V;rDjduM{MjBhlWMQ%nC75a(O(3Pq@EjfzV9@~4Vc`6yS8BXjq<`k^rL`d<{<{7Et!VR1tg{RsK+tqxFUK3Gb#1LR>g!pi7 zYv5{JUlwQCWyaF+*9>?3T<@J5EWhAk%rn#h{!pKTqUTiOi*C8x1nH3ZYtYs07-4sc zBL-BCqrh>1B4n=nabw=7-s-+l(Au?1P-<3~H@^%Auq`#|yk@+=V1E|K(pY@3#rSU{ zp8_moke}Leqn>&__mYWRA(EQ!FPui@Ny9PCzpW}|p&L$1(>7Vt#Fi$PN_cL91N&5l zoy4L>WpZ7Q${FJCFhVsIv$3e2SMG5umup8~6UoMGj{Guu_E}lCgxY$vvXaxa0v$ZI2oX%P zeBR$$o+Rp9v}71bMGX|ng;emU+4GOZW-n4XfFpyA8)aOj0nMMSKXg-b&$3nm0i&Swq$q962CQ>j%$7bckgm?U zvma7|Jpz)1nJeq3`IuReDT}0$*){Q}t&7|!#KcK~yJM9PbGwXEiP^ERP8&4V6;zgt zRkjcM(#-d#G+^Nnca`oE;)lhZL<3)wZrV@9eSH-SvT#%k)|eZ1V0_=90TCs>6~XGI zfu$8R4;WDZA(J;?;`H~U{&2dfs)6Z5LqVvlcHa@AhbTdrptqWC|D98fqC1VeUEL%3T~m`#(Nh@)|< zVC?tm84=3O(!<_@7W*=8=CoHYl8LB<%-ynPVCjz2r^HzSFhCPnTd(=^12bUFibAPx zSVeZt_kL-3JR0f~2V`#niRH7%B@BVGKec?6!WRq|-aY`Ng|$n$@$+N^;ER*kDDk$? 
z7epn++le;&afhzJVL#uWm^QjZ<-MH!ng^bhKvJ@f1zQafjSMLb^uUQ5s*|GcENl+f zPq%%=rtB8>NVWp3jo*iEim~`?t+Ja}`|G5;YHjj0_roRxQu?e}lpt^MVWg(2i+Ms= z8V?eZcm6l=;lBh80hCKs2%ap5;@p!$h|(Zk2G=5tA9JwD*N4`yxyR z8D^ixa~dt}x+E#IP_9U4tt`^UAbf<#-!gY*qtzZE_*TsY4ZX31I0J14v!&5Ck??Jr z5fh5;;4a1N@F*OfYbI??!G`KMZZ+n%X<{(!yi+#t;KrHfDehrhZeBi3m#Y)b6DAf( z{Z}NcMJsbwA{s6!U50JwQq9ZxiK#%z09$gaKqNJPL5U03hB>0J9bj8*+YE6@5}C2X z)BRpuhFzP9a%v-IoyUsNa9!JtxP?(WS@Hd9(w@)1JpuvhkUkg&)$~l`7y;O8yn&N= z0GB_M$grH`i{W#QKOa!xobe+-si^CmN~L;&9Y{kSl1K$tSW3#OF$yXh;w?)1#DvBR zO~eUss3)1Q>-0)cyp^~`(rR1Ftmju17dY2-w!fJhq5YZK5)WR3zh0(BV>t;m$(Bfd z-&c9mRPF4TkW$K%UGW6ClrB_G&$bdbojK-Uu>f1@4mB22n8lIRMW~54p{rs2!I~2_ z9hD&2u5TTUIs)*-Av*A$7|(&qSe}jJ`u*=C6Xf5>)aGUmay{F!`}V%+4SJh4_XPZ9Hk6X&6M&L````#+yC$}JfNDrrhDVDb7aMGLY}3cI>)-SjMG&|yG;!`_bG#V zV7+_t9h6b#j;1}J+y`P%nR^`L4I4jjs|m36JDiq$|HH3#z)7%i>mkwGoJFyC`7?@T zoCG8SGxwMNt%k-+>^Xd-M|WXm(so5axjS>DfAm=NBhDt>j#b;Z&8+43wn+c~!X@Y=_a|KsmkT8M z2&3Jv+dU{Hd+8RKo&HPMH9rle?`ZGpzccHKcIBD*AxAoXqXV8g9$P`JDdx;R8LKLU zT!|10YQJc6A2?f?gH&X*+dp(ba@`hhrP+9k@9o59ZTf+GJW1&(!aqI^17qT<_P*Sp z95i!h6Yw1>YR6a8d#YyjJMIX0y$3HZ+SyBAfP`!z<>#pWjhvyuC|k?tkzQ{CTKVFt z`jz;Fo73^j8GLC;I$FUK!iGW{gi2b+YTeV&kGJDf3FEftTs`mmI1j^EC`8h~9hl?! zmgGNGcJ42ynC8+xj(num%)>LF^)Y=$lb{@)DLt#USF5C_@z$zZ{ph+Wc^2#r@fQ!) 
zuUg$oH&&Z&!@rsAgcHO2eIB;>=9}t8`oU(UsqEOu&aWnsf+lX}o&oq8h`rgYihvKM ze^aS2fm(62*P1f2rS(F>m)a4S~ za@*%Fgc+-uidMd+Vvtj~4Ez5W-zBP-&*vv6xTx~rP*&#QdvCwnPz04kviw~umzmi2 zGzv5-k;{vg^8F9Z4V8Coj=t}{=NosFEUWE`_I(U!xu<*rT79RW@a!m%`v(r7PyUz8 zayz?_Z8O5cF;T#<;3Fi##wE3G{_xPTanS$rR@7vu=MgT(30f~*b1#@MoG4Tbnmn~ zTa-+MFh8bE=4$=ANxF4EDl5z8oVD|Y(Kx>Y%-pHLUj8c1rW?9RMR$DuH$H#!x@hB2 zF9l3ti-dVNw}!hDC3%srmiY(KMgDY8>Q-^Q{W;UBMVp4X{HxBW;TMy{&<1qfi_q-e@}YStbdu-TY%<_ z{kMhdZ3AsirYYC73;Vaf=I`5v z2DV{quoyL0Xm}PjEn&@{XTRWY%nm6L$Z_f)>>2G+R2JDYQEy+>HqK=JZ!?5Xq&3<^ zo9&<4&1%S9ZKqV<1Bg!V`XqJww?oNurn=S@ntFK;{*R4~|JwBU6%lX&emWycWlOnc z0AGPSZ(-7;iNjDx;pZFFrS*`AJ^b%4&3`s#;R1t}d(JhQ^IZgCdhf3B$BrImHZnan zIsaQD;D4T<|CIz1eF+SLubI`_f&IVv=^iq0q2wn{+^FAlgIhqbW=$*5_k)`{{X_ixbf9~)a{{sf&b7Pi z7}Z)R{vwyF_&O5^kv~@)b7k1(V)=_)9&tw7UR6hqJ+8ky7%>8kUrVd$o7Ehpq^T*G zR#(Phx_!{?>rE`Y^=Kl{XJr<m`Cw-*`j4<}yLWs>itH3xWYSu7pu+(z)+kC0WHaDqO z<0yzQdL;^)|DLopjcQ*nT5(V%fayePy*!fO>O@2Y>5&2cus;d)$+Ol(SDMlA9RVIF z=0=dbL{ruJKgFYEunczaI~BlBK|ZhW2e6&BuLw-NId_$txd>2Hs3-IQ`Y!+?szf)N z{GQ`NbgfroEBI`6RPbrThml&iSMKBp0(?cuN;Nr_D>)ctVOYUvdHT4c~Zx37|0c$mIgI<}UTcsB#6&DQ-M%iu&78|lngs-MeQ*rt!vB{#5 z_X$f6pGYrOOS@os(QJ7X^Ja+?EY^pn6tIBtoAv@q7L$wEPe0tbexjanE7vJH=Xrez zmvUDym~irp3hDajtJU%OfS~$Qk!YNT-D*n{QtWGzRRoP1^^o*7oRMI$909)4tg!ij z5u_eCSnWK1$}MMRk|gM`pNziRKrbELMX z5RnIjwEp~EVWUefh<}F+v+vZpDtxNVbzVQk_w|Yihn-e@B29Cr$w-W({8PJPK4j;W zIQBe7WL1P#qtp+iSx8-1RTWrp>$1a+XgaNLhx#AX`C5%i<&si9vu)P#nK{*(?-8Ooc`u4Rtt0d zbfEV*UYxX!Turc?ZL005-Q7&xBK-A2LXS zxcu@_YlmF@l#WYqP4@*3j~024Wn?O>=hWIba#H6XNKgY+@hVdA#6EdIDs-MZk_cXJ z4yfc6sLzhI7Qapxcp6jQd`^l$a-BxDGL_$cV$-XFm@Is+$M)}c^wtM0<;Uzp52C>r zU4yaovu~gD+~Yp+;Ob|ny`fMpr3;b77MRS;3_+{BoWa<}CU&Oi&H*9ENIo!7HvITjW$&W zEgKy6ax?H(>$*xtYY%LLY2zTSUWl99Ai}2*ya%0^{DW%xoy|n~>OGgAoa3-9VmXrW z0H5`<_G&iy7P_&gSCN3>UIAJ~W!0gZlWGx{+iAA(jXKl!ZivUoeYp}@3wxt-Cf0Qq zDLgll#P>67zKH(BK*5IBmv4$!?Z&1x@%Fe=akTAEOwt}-CPwwm6b;^4^CnIzk7*Q< zt=ZBDq#DjGU@adk)3aLQje}_X^S8aLSp9pU>S+@59~~j0?%As*ER)4w55dH_n1BGn 
z?!+9|DE%m0x#|>utcU)|0kX$I9&y45>(RlK2p*M3yxeT_I4!*I@V(aTN@>f#2~pem zuXC45vC{jj=de<^QiGJ&NvS!)AZ?FkrWwp^NHo=?z=(GdUs?P4IevuTw0=seE%>GS z1Eg|Z|Jhfd=iX#++iGlKXJVM1fr8|p`F<+rRHh#@I|iVBTAy3lzpRQ9d{&B)e*-O^ zV(h%v5{0kwx|f-{TO2Mi6v=bo6y(^z%a`YeQD*zy zM!x2Qc~iWO>!ZdD?N?61|IC*Z=25=0@gei|0%K1jX3He$)n{(Y(IcOT9@wMu^lMrhRBmUUD7@NhBX0^7p zx`YXt;vtlpv;A%r2m!vC=UrWUR`Ns7BYsLnK#JaEa8Qv00rmNCW4kSdYCPoCz?hgg zOQ6=dI{%wY#$1JL?R&D4$98=a@3kmx#C*%s`0e9orXC2K1tQoSQu)_RC8)_Ok!ZHY zzgW5Gx>Rl{_SMMI_jkNHoJeQpfse0XA1Id+s;mh5I>Jm1J?K~D{~s> zqWMnVzl!4cz!K@3#u2`ifA-UEl2NGEYvluO$&)T#t!EAqFFtUezH;rSaDu3?b`QVW z_&Zkp%WU{1I35U(fzAG{*FUV$Jhr@Z4Wy8)lI z7PnICq^)n&rEw8oxCwU^XqjCASB*l5u9ZF52d3vRNRnYz&{2i81UU(o{8MH(MM3jH zB-+Mvv?@IWcJgu66(8A$29y@4LY1FRkMW|Y2wNK_Q624S8&KS`b6Q9IvC7*KGSfi% z#;tkP`$zvok}It6S8IpL;SC%JewRne@Scs1Ns1@1&59=z(eY8uy2XaN^_%_mmCvk8 z^yF>Afj@A`(L8mKv=7A+^htyhGwJUMI~qodDq38(Q)^5a)89x7r-(_JFyX2xh_^cF zqtukkK5MypnKrLs=6<{{PO0#n)&Qos<>JmEQOPEG7{t}}u=DxuYep&JO&eS+1>pz$ zKKSYlZW#Q-r=hS00KT&2w8CV4%)uYRMRqtDNw&z;w$#N`dUq?u?A`>=1mFtO??LmKW z^1aei+lQYHE*P;1MeaQAI0z4GrJFk0`BT5BP31K=Z2KQP>=5q4c7T-n@JPILNy+a% zTm)?7+ae|YonKnX$?) 
z6?s1GA-}zBq+T#|Yum5$3dsxTlFLApq#4ifP8!FE0qVC~7{e2Pwf~UgWAil^ssh$Z z#!D6C>+&9m$3#y-Ac3JK4(L!LpyGvj&Eje!9ER7fDO} zTkLp;R_V#IdN`mMGU0%C5{noCpr}qOYAD4w9hV!Bb=@=HxL&42OxcC1oc0%TMdG^N z7P@plh6#h6w&u$gVLi_Xr4E?0x3sKRIf=2nfLs*5I@w-jDzs%37Ax#^PZf{5@%R8P z#2pSxrSC=nd^u>b!qytl_{6W-7wKnL@`|spwDo5LWzjndh~kqlpoxVg%}{rl(??}U zXWN=~zy2@xCum1{=K=y%Cps4b^T|3d#UQ&!US~g&e8E$DfM=U#eb9C$-<#gmauRj& zm~Z*$qwi;g_EIZ2>gfV8tvgfoRbsp=*SsEk0fpEpy?DfBuUleN?M@6XF5;h=Zg7Jk zvdR`vLA$6qOKteC*WDOap2L6zJ)I@t`ITRZJsG{l_FPuOy_NtR0U(7iHMaXQm+fhy9i;b zz9BM#`4Uli&k`cO%_2PZWTwocwvUFB8|%L=C$!Wcn_GZvlA!B@Fx{nFfo?cT`g$Qj zO9dY1SZ{BHiLNzH-bDTu-%*d?OfsdLZA-4O{wqlXWtmd7o zNKNp386KGwD$2d8-LYEK(ajfG)BAO!G5M^(Z|7oSu^;VP@HX?FUBjCl_OKqosF_HZ z;J@5w$_6^CC|N(WLGF=(yu7?$4tPhRfg65tH_0;w+l3Y&B z2%hwxq8;%uo1Jb{=1YW6v8nZ){M25vs}Kk1LjMjU|H=%xPYyo(C+7TeDd~?y{6gCqoJeYF1}85*0pP zUE}o!(d|RRo`NpdKRj5AllPZ=628t2y=CQ&g)-A|$-9uc<(-&hrHgg9Ew=04&k8F| z;sQVc0l7?WY_mWW{9{;xtzVD*pz+DH71!gX1HME;2{x=U<9uY1VzFpy~R!9#TO*gj$5R?4%AEVEDt34 z!o0kIsUf*+2<013F5q6*ol^G-GxBW^UZ(ZDB~i%K2w%G5?d{lS7~8ZqP z(3=@tf}+P-^Rzze0ZCNtel&_KY14i}6(-B!I^t$!9UCEeG(FPdDGvZzk4i+A>z6@M zE?ti(-a{lvjzVL73SAzRL>R)&+0qR#i&}iwwoxk{FS_K_{AgBzPiT-$*-LR*;Y5HT z62UrG80z+Su=Y!w5K-M}Tmq6*`EtmWRcVQz%^=z?Jpi|MOhWN>)7a!s0r@4!7LNz1 z7YBF>+DtR$N_=qY^ynqitWR>3HBv0}F&s2e8B8P$%tj-lc>*oV$lY|5@>Zt(sw!%Q z7f`H)%s5tHU^SEs)3J(F>bmQ6?wVE8SUbcFjGcpgYvQG%7BGuVv#GO(k+)$4(E5BeEWtehcO6+iIJ%4sT|`-3u!UUfRi4yo6Td(c9GuDDnZxRHKEOoZ98}V>NhFM z^Tvnpwa8aOz$4=j4D9J~mPej0!dWlOm}n;SBM1w7Tw2pG_A*TP?er7HVcnRK+4JOA z65o?n`d0#;CK;H!JmU!PcTSY?pZ_b%*C}#j5Pcm@1WRKgrK~FC1W{q(a-Z+%&~SRc zz0v}X3X^B5D}6lwp~4D+sIXoxvAo-wPD9v7X+O$3eX@*8Ai$lb+Al%@x^KVcjyrdv znW;p@Uu8K4ZEz-^n!>n+9G<-ob0tAoSkNwt@PA=pjbj>tgTGm9wG?P6!(b8WG*Ut( z16S-KBi2NO z?im`_A|`>Hq-OL*hKs#BF=2;$y55tT$_hujx#=K_c46z40RLh?RI$Vz8 zfob#a#p=YhUwFUa83g|AaGfp%nk5_JCINU-$XQ`nI)SFa zg=-a_{AoWdB_#_b=^(e2lb9c8`!`fArui1dkroFsG;6=bYV^|%edBn87hHA|VW@8V z-4l>O9hj|Rh3&`s&*^0cNX2$1_lhVur+IV5fz=Gd}Q98Dx|jqZ1{=yh`3mzTw9L08f= 
z)ro#zn&FtRB`WfXm8qt$ei5qvEw*&R8>`jW5Ufi8ClR6=V&Kf{IG(+C_Zh6R%J#FY zyKDE!zIewq!BR)yc=Ot_Yq+0$HC4D+o0F7OJpZ;SCxnng=Ajeipm(N))nypJ*BVzd zGJ%9LK4N4@(q%URax~S!(&!<%9{7p6V(QXc+~M-rfUp@Ruol!|QWE4XUscf2p8MQu zX`1_c?=^1O=Wq>+@^K<;Tcn(PaDavAPi6DfD~~TD2A}n6da3DS$1%y~N3uVZuWma# zrPEj8?uE*U6`i#AfEt9!gGtVO4LfylRa_1uX{Yb7R8j@|SgdjHuLmhp(JUIn?B}F0 ztbcj3=NsKiO|l@KEV(Rvq=!gk9{4?c+-IJU2zEPGVSFC)aU_+?hxU|RME<275K%US zq``ZX%7TI@1S5ve%(j>gGW*Z6vaioBib#&4l95fk`jzS%EKj0U1-q@(Oo!)v2uAfQ zmJwbLLIdQ-ySs%+e`y)px!%*?vga1{f2HfCI~s>K z#3DbfG4^wz5r0Y&Q!Rs#vaXAR1;1`q?1Ld^2?RcV9!UEE%tyOkaGV)2g$%Vsrghyh z6yKgriz@vvs-rij$DCynhaI;Ea#%_8wxPdJV?M}-qdym&PhREo%_Cw)1NqxEPUGqr zUoZTl#CE^n{%nCEbQ$_uB=Y=#G`*;Q@oRawM!6EUNTOyb=X=FsM3-RCR|nSIg6l2N z#Nn+M0`~j$SPrrl?jkLw0Q6^AxO!bOCnoTAf*diVT!DtyL^GZ&LI@a~G@4D@-QOg+ zdtX?-PF{ewKXZEcRtM+cJP;;;gYfd}P+P@dMfB^w%_{2>Z!g0jZRCmC!TV#+S(m5r zbpQP(-(L>YLl55mK|(ua+^aCXJ7Q>G&$2XYCS{hJ);%5QqW zVksiUR!PP8*KLRELd8>{I*z%+xoi3~J4sObf}#Sf%h)knK>@NTMTqRYM;HM*wYx!* z#m0Pv7?$2x-58eA<-{-*iC^h%V@4T8%QXkaw`F>QuDxX+HIsdX!^~nTTARrrqH%gJ z7eKgqort?3#cyN-h%u8GQWJhuoMgtgJj&NS(V%_nJf92|AO7J2Gke|~U0l24Td&ST z*Y-guQyX%o?QLxO215w4m9s0aJeIh1{N#)a%FZ70aMR#Ve)m{g(a5%;bMwna0rcB>U}F5aI|ayWBR zlAjPQf5W%cA|-H6__oDBoVX2xFIy|*-zYZrYD9q4`TR@c_H`sF=}vUqy|#QUurWOieccpU3z|jqb|Aw&b4GpDZc+Hwuh3cRDC_I>p*(iKX16N#?1S3>2mnKj)mb5_B;SrQr^LNQC&JgVSz@0oZFeKWUcdPWsY8Taz76e*iLx^>dK;k zNg{NPUFep;2V82ObtavK2@Ur#<;l*{)GC|Oy65oJXT_)6oq_O$NVj}(I7@RJoE$rU zFWuJA+>pZWsiz*Bfy~%YU?U({Kswze2r1-*6$F$ZWaHnQ0*8!j%QUL?!CB@004@+n zWq8}kSQQidZ1^sG-RUSp12jeCFlnMx>J$EIQqCO#Y}}vila8ygW;-r5(GgAD3MwC` zS(Eg+*#ZcB7-ibvkZ2!GSZKDB8qv=eqv92e-Jp~=6*8SdE48KuRQs@=u8a)WP9;Z%e&&i47R7|gHr5M%pRRj zX&ej|$|iz%kdv4C;C*t@!H9M1q^2fM0?iNEdP6Y|Vh`E+Z(|{gGfFfZ8F6als`tLy zkf|qt12Xfv50HlIq&u(@WSzL;Tv&|ES1;_?8@S;%{Xc-i^3I4xI z252R!_v%!RxFzAL@4%&YG@G$;H-N|HhiK9}8i@$LY?4sET*r@4%qi#&R+QN%V%0!8 zdM|8&zc=P}6DW<}roevLu93M8MVal{SNan8C3Mu$DP~!2#L}_Xv>P>Cm*5!dhZRz0 z!|FPTaHM}iyRiayu3K$_x@i`|mP1*k&(S5)ew@y`f~mpQ>vdX4S&^0tt1;k#>GYkl 
z&TUJw{;O8oXL#=;IrK-z(51B-X)Pr|S}UVs(eD=0{h=Nvh0UhNuv|yB_>>sDcejs>%a{*cKKfzW3vfySkdL%Dh8C zN{^4Y1ltUKf9O_f#Rrja6V1m{YD(`aw^s@B6)$ZsHEH+hILVZRk5NcJ=h|u*>-w@j zP8=XGB*32uLG2v(fuu*RGoV+b4cNLB)74Y_hUnar_n&^*qY>#&eyDph@8px=Nnwrb5MWdS< znL|Pc?RkHzR!&S+06whTv$pKl=x>Aa&K%K}?V)rW;I1*M2|>~vq#?j^M{ z2x3?3!#&|AY$)L2!C0Gaq^-U+eXZ1_4jwT}V&tL3lWxl`FwLKegtGO{+xf zlPk%~LG~%x%WQG*Nkk`?+WbuSDV|K&n+MI4F1eI{@k%&7TVuR4Ev4~LCJmYS zA)-t!+-DzdSPw9^L7Llp5#%x}MqlSWiHhE*Z^AIfXi?LQesZ|!k(Z%=$L(n-x}^ij#3A} z!X)G6M$UapRA4trAM_=1ugxJwxw%vZ&*Ofj)aRS)iNSGx#)OpUB42lG&qLY{K2aO- z0W)-i#2GDYju6u}tP(k&LP03=N@vc$XIMB;Dea9KTxT42K~JGh)3=$3eBy1ftfYgd z5UQ=otx|fdH7L`AwaD&I>~A^8v;4!nGhZr;D;@9!H%<(LcPBEk5(&e!4{Y^hc_48X z*S+%fz1>R;onPc$78Z=pF7=aaW<>TC%2Z8mNN*b3`SAo97He0#3zLI(ch;`j)!en; z^-&QYtO_w?pBw1O-WVh#Z|X*o-OpZ77Yo`+K1n#Hr+Mp)=R!c=-I3DuB3HqTpxyTc zSL@+d*0A+g!unFe22yd+kg1^>U0$=#r$)GoUar^=|GGVsCu~YToIujYUdKjm@Y<6B zQNYPcn!B@QyQT8Uy5O6fidxb+fGztV#R|gBJCib2P(N;ay;14SLVg}Pumcyg&-3e= ztGbHzr~A;_^rqL-?DYHB-|?2ONes;nO8oS8!hrc) z8!HuI8dBR1YKfpy>@i?`S}P*#k|7N%NUvsQ1Bu*y@~8kXVdd2k0ElO@N9)0F!a6|= zpvozznl4Gbg@q@MA$=oO`{|2nFv~sRr{-%Iut9dTBhRJBP!^uypcwMXiTUVv87wC6 zYC&$`;=Po0Tt*Udol1e%P9&oi0KPK7rxHTRY7ReWaHD~IDisDed+|u_mqCQ+bL-Mq z`R4N_;jA$R9h6gr6LL(cxhkaGD3IrZ<9>;9=BeV-97KPljbtq%7t^3$3&h1FLl?11wS_4*y~-HQ|OHA}J$hUA*ai2)w33M%~wf zm!sdu!bM5};{RsO57nwm^q>V*}?!U61JowdRwB#-V!c=5L+PR;3PhV#4tpy8WDu zZ=;+XHuX4kowsqsDRzQ?Db*c~+p9S8uqtv?`LmZ~KR7u-;y8RaT4u;vSiT zq((nI<`N^4=1sHJ@KFlTdAzhMV*AwwDM*Q<0HJ!z1vxq?nHFwle?t5y-98%rFYLFB zGba13yoIfqtKuL|Ib5cixQ#h(CJ!mBvTdQ#*{}Pz%Eo`3ZDC>rpvUTy*TRm-JAYFq zJlafQ+(zW4#go`(VPxJ&JkD3?S?!|j}l3U!70c4Lfx)A{T zn}JE}dC0#7^Q#+Hwp3o5Z)VGGwdgDJ@JO7V-kqINl0}rc%;(R_$WJ1Y?VA&TcS`Hx zaxE=;W3pYs8%TB@l!655;Y7A!B4BA{4b(T86fWYf?W3s;A9t^b*oYI48Ae#El<6`q zsBSf&f{c}r#HhcmM}K$oO!ba4V*;PHW?%5g*LqJ z2Nc=8U4ES+(O5JlOFV2(gW~D0op1m&7v5W6hOA)9n}bN;ytFA7Y%Ru7q&C>vL%=9e zG}wfrW8KxdRs`SIix&zOlH2)qvlas|j+@AJ52crq*`2$ZW%06M#}+A4g(Gkq3kOQA znx01s?KW1ysT_!2@rD^GwWm7#{|X4EA)yF!!blvU(8WS8^%{z9w8m?;w_h`m!W~26 
zukPZeX0`a)M$8%(UnR4fDBszov#h+w==SWIyFHJhJr~!7=k7z zFcRbVdmx4$xs=ZBd!MHTvE`MK^h&$4dB10>RdwAED9LYdDr8fq%351(rnYa&&jumv zysot9wY%#IJ@H{wDQtQW3GlF%143JoF=BRtpuj*oW&f`5eSaWvPy~{ucssO7L_|2) zE`^vp@ebd1wR}-`^A-uyN?RoKK}JVNyf^>)Sfz;uo^<;%WSf2Klei|(c_y=^)yQ1< z^~ytyD|V($eEE2O$Q2@N;pM`fHyw$SNY447NLnRo&Fucf282@qX<*Vx8k|QSCp)1bBOWj}T3F5L4gVmcGj4z`}o=Xg2AE1C^%y-dMM89g@HRRFRH zw_m9RPFve%e8DFpfg`*Lx-lh-T;_`<@(c$$HS?+%p=rD6diSx{nh`vK4#GhsjAfrb zdTO{Zx7vJQ&ZT+ij%cS+_1-NvJSP1HdCaq+`KqI~&skd+TebBQ+5OpZ*E%Shc&I$> z$N;^pu0!R3tllo?I+@2<)S#XM#!3ZSN(6epaWwcakZ`L8dGlE{il`)HmY>txuKX}>GM#8a6bd9J1I zNuL)VQdl`Xc=Uxrh|$BG@=k$`fpPhMh2{`Kty4v?n;{Pe*7F%hIf8jct|h~+l4M{5 z{nGP)vH)&`NfofV-fz()DNMZTt$1jzK^xq=k)d7nJq&-+w+{3`YO64`m3+4d*7i6$ zBh6sQZf)Z5_fxPc7BNV8UTIO3ZT{9cAN#&yueuX_GfG28_Z376mIkfkBl!>D|%6-7$6xIjW>q!|x|8hp}Qk`=ZM%Z>^n@YmhYjpC+X_PPK)rNuDtP=@jbo zuz*n?ba^4zkF{_1ofri>F${UmlT`O&9#Q;9L3#0VQvQEY!DS#+@EB;1;B~8#X>&24 za`PtDJmY|m^VmhYjf%0D+3$`a`AOz!@AtPKYB$Ab-9LgEk$AL~j&g!4I9+{9L#%fB zP8n%*69=O)ivMAv9w+}TKifhOK&;@0^P>m4<+Fu}K26|7C`Gd;bz9ZiLVTM10msJs z5u$^0t9dWlx;#T`K?(r~eXDV@XhOZA2Lwfg&L+jwJ(ob2I#rnAA~d>6kGEj%8n4t; z0X@6&m7l+nr=XOTAQ(mXo2Pp*5U8#%Bq){Wr^H(ehU|;HI+Dgz^t-Nlza&Yj zC(efG725;n2Cc|^9M7)g#%g)wlKUJ6QLoC=m*F0c$M7T8U09;@(bxwsXaK z0Fh057XG?yawkTKEM)Fal9AIo#jQQ$48Sf!aYib^49gXodv$r>D%dg%Qes2v*F8mDEk%JBinICT=A0EaIqSKwADgT86Chj=PwH0LSBK!p>>E*#j~Oj= z3TY!1H0*n{R3j@PmGn^(5Q!|rL_r;a^ffOCJ>w+`o8BeoG!MlLEf-0TsXuieG7+p@ z3{`4YQ#4e^s%1D@K-)s?E1^O!x-xO#HIo!Pnqv6#5yNhHzr5OnGP&&407`MHr!eC3 zzS*`M;=tG&*P+e8i$+KLJl^7%v&R96LFeG}xJ0!c9I;>&d}XUr8e^`gg|+BJjDW>r z*K6I~HNu&eX((9q73dp4G|wc+Xl`AcO+ad4B9o>fp2@9An6$LaX&!y07#=eQvd{oJ z&C6*UbO^mle(L!!9cv?j946E@Ot{^+b~VS9>PYNql??=ZwEQkSBQ@DRpx`)c`SH$# z!@pX#^K?MhTd5wJJLoq?rkqrzwcR=(`_!c@KhX{!6f zKvoeyDvAuw3aEtYJjL_TW&SE1YI z6Jo>2M)FL5zc0_P&i*0tUj8-GgI-0*zSkp&L9+`Yh~Z-gn&ev=f4hjj&0C{(7cUo; ziy=3Yk!WrzRDG+?_kR{zBiun#*wzDm|DEky{{O`GHF+MkAW3)+2+0F2(SVnTTJWjd zc3j0D>OJvZOQ3>os+oP=3M1Pmfn0|GF|r*DK7U4F@^9&^n(k5uUA_MYu&)EBf?U0s 
z=0jA(jxjg*7H}grc4~kQ_nnCBnDy7e(t@s6e}7Tt(UinT6Gmui?X5lV zR~HoSo^i3Bj3P?4^5YuTE)||l;`%fCpfYRsPG12OE0Hu|nkbwFL9+5~MS1CM5(U-5 z3aSAS6}?S$lCERes5tv@GRcB9SG{m?zn*P&D7g*1(D_IwTjxhn`nmPT;mN1FCswFq7J?3$RBg^J-5(8c^E(K9!Wv0OGi z3rP=E^K`2I5hO6l=#A69S&h!OFC)cjP3KoB^K;^}Cv=}Oc`Aa4qv1}=3{}`mFCD$! zLHJx3McaLxVj#NrOzD%`f+sQ#a1ZfQ{0nwFLtF|Hvjvv-9vXt8>EfFF)w%C(M}#K< z0?ibw{5_|zTBMr@j+`Sg><}*=2Dsg>s+@3cY6WW&h5(o?3KRKg;_3%s1R|c4<1|HU zu&Bv^4u0n)c|^8TF17ep`2B$h$aZI@<+9Xy?Wc&6GG=He7ROjiQmY)kC(*j8R)s;J z@rovS5KrY! zPDcdjI7(~C7Z(G3qLrISL)q$gTjlimBpw1sU_I7iMU7lz?Yr(_3|RNb|9K2wZ_20$ zZpbx?8IkknvyeA+ZxN#n1ho~&*3V*&LkNG-iB+U5*9#-8wEP8+i_x5ScE!|aM&`2_35PV-aX;S^4 zra$Pq+FVR<^t%jVC=#0>{ysQ8oL20Ur$`}JFzdVZ-~-7PD8v3)jD#70!Fr8!AZM!kmVQmY_32BGjJhVeWmxg4K@_q~oATRokX zD8rXPtoyf>`LU3X7d%NiYr}Z7=$1V9F4_>onWF!}*IS1*-M@dsigKYKArb~52m%|S zfHX`6q`Pxc(%m@)k(hwwl$P!oT^lJS9itmY$3~CAv+Mi)-S=}pe?0eby#Ls-Nu%6=(JK)y4^p?+tkSuS9!*9G9RJi#$!OcqMTYD=Fl(c3DRGo{hpiRtps9xk)Zi z98rsz5f1rI9~@s#Wxhlb`Zr-75Fr(jaLO+cQfvTWN$B*lx-dv{nuwW1V7j6P`R3Ea zYF;2ll{iFzLre1~Cc+yO%vvt7nZRByg4`#mt6zJgmT)G>``5fcl$9+NsjEYJ&vD1{ zLY4mTakAd6y`AJ5&S^hLq>04nlYh*BjhnG4jAPXATcf~$U(RWqxN#ex!Qa_dNtUZe zOR$Ld%*c0bvY@FrX^?9Ed9~VIrtZEA3Nm|D_rNtBw6zLBWbrBRHy=mxa?#Up=uvpC zME~$&kGPtiPSUS(?tAxQ^~~-w2NdhYpT8pOb6nIjwGB+os}0yLeDn3Cnfg5v?%OpO zpXlbPJP}X3&l^K^WCD|=WTPW;D5{sF!FgQNEl$lIkh3&j+>S!xQzo%${lmvU-ut$g z1xz8%On;Oi5q1H0wcki(kEDUT?3xp*RE)LMBw`okTnr3OgVx0;hIjjG6X|We=N{6v zZ_JfdDF>Lh5gS^!wntD=n)x0qyt#j7Q>Lx+r==(+r2UPa6qYBykN#4By50VmBp90= zUBvRnt-tU4&NGxix>ZM*TxZ~?&O$-PJLQD)E_&Q$Jnks(<^3<^b?8rqvb?Mxab8=a z$KMYtUpX1~YfGm-KOobzJx$YHaV^{E!Blx6&6hNBgI3A^TW> zka=^4pa-&KbptO&TBmoG!%%`MUHT31F!(&A$g&JoLtvPW3|+UeJzJ1-b==NDx~ru< zW!nwX$gzkJ+0}n6$cYti0ie4pvv8AI&l=+aYP4&n1?SFaC9@Pj;a4evBivs;_g_t8Xk#v*yCi}v?=)RrIOxb-y9yBZ z)d&{Kl=NK6cf~9yQ?YUJ438JxF~9O0do4eN_ERVYr&)K%u77Fxa(D;zXxAI~T{}60 zfJf>b&&|_ZF80ej>y*~d=cagY;?VH5gSmybYE>%I>J>?XA^7dRzPY%RqmiAyq(#D+ zwsAi#Z0bI`M@vNUZ~tv`?*9I=h0Jajn?Y@(-c0@T!xSPTA+ZGkx9Eptfcg!s8bk=$ 
z29=lX^O#30OztFo+ic#7;i3{RBB~FwUvORRW1|fsO?^KHGdJ7S77v{~R%+0%x2v?6 z7NProS7Cu5iF+Mmku!E>67I^^&0k?76}sR;HAvuZE30!%wSMRXgw?BxXm4? zXtw%ayWY4jF(p-lfWgfNyt$F7s%HN;yWYQrFP`vsNV&u?-9LKwOt7X}z;eEDWFmAZ zjZ~9eFr9Fmc-g~v?^mX4V@S5?x#T}V_ph!{w-+i1QZo7cC^tp9}zPQe&=Ob}|a6!c5MRDQvwljTEh zHGx6W{wJM}EWVHf;44mq1@i2+0WYw_XakX zW)kl@_8Q+4Qi>lidUT(~@Yed9l<8mFU(zNlt0og@p0>8Byx**Js@WO`YCUm~B{1s0 zj*H2EIk7j!Zq*pSlmZAKJW8n4NxQ*Rob)X&YVVT2X;t2>pjD+_9v&VzN4vMs!W^TZWHEYtyc~#{J`r9a?T>_CVm1ujuWiv}Yl-b)a=wHq1 ze+A+bw6~`s0(W0aE3ILNDy!s6s9*0*-V?cB;cfr69@`{I#NE2E$M?nV{;l1Y7C^~+ z$q^52PWWFFaoziPJImu3IvOCoc_POtae_}^Xd2?$J$rOFqg}zAP@6lDVnnACOk`VC zrCV!mJ!1fbeGscd-k4T?iv2$gg>^n;`eN@&URY{R4U>;n4H@PIixKospc{h^6=Y;j zMJjp{y-H(KZVrkFTJG7W(}QWNzM=zChi|1r=8IybCuqNnJAeB*#n@tY2O^-2I-1it z|91G=uPus(I{LMA6_URx(V-sZqUoD&_ROgB!&g!I$x(sj<^L^@S7)cXhi)e(D|UYe z#s0_hmf-y-clW8Fye4)-;i;G)FXWr!MULR3-yQvkd<(=Z z+EV|c#6P^*O(SXEl{x8FgEyTay0cLv^5~J+v(1*XJne_Ed71aF-)R&n#^!0tzLS0X zP(voiTRrl4A*W96AkF(=|K&wS{4QHn)AYQh(Ch+!0PXG!kLR*R2>fE>;IMw1NqH~e zvT&VmT*S$^Vt89*kyCIAChI*UDZF^fS{6909Da-F*P|b@dVI~pW`XKh*+_x%$Hc+6 z?tOksP1L2qdITw=nXDS1-N2mdFCSQ|^A2QLnmO%$CS35J;gS3nK+l>+_s@FBf1i4b zr1~LyM^C@)gnsqelS-d9lUZL1T&Kmd~4RJZ>BhmFjw;zB{z5TF0s zMYq1BQ-3CE%0Jf-{hu57-*@u=dGMAXnWuL(_RxTN%};>K8;S_KZr>OQ^IJ+&Vq(zS zTX+B8@$mumQ~;L0v>9$Rfl&joi>-eDT_ke#?>GJOj%}%=Ldf^gCstgdbx#n!>z%{< zm;A8&5+%VPA_G1Ng@(HPPns`DZ~uGor@Pd^3X}=z_g-x=;z?pKA9Buu*sBWQ^5FmY zwCCivUo+@`yd5Kj`VDLdT_(BLN$p~t7S9Rez~Sr6V_vv9JaS1&)g);JztV$ zoIz_Lf%4mcIRi9nvg;>SV13zaxfH7Udk$Kfuigi28b8OiLqHUS)}!Z}Y{gxu?l#J{ zrdi+4`t2$+CiMc>BHX0Iv%N)qJ6jx8xA^k%SgW7@sDm=3^h)2pl;5$@)}zA^;CsAV zMJIV_6P@n+=`!Hl&{HRD(s=C1p!qyYMbC8l>6WT^qRn1S2+3HXmSf{8MG9|AwWky^ zj^;+!behH2#=zxWmMHqTK)-sk1{F?_<>rC#g~RZiYPVXW4BlZWT*9UjnACi~u|MmX zQ%`zKLVC{4q|wlCa^Vt)Z+3t20odh>3SaY&vFw={wK2*#uZHzxy|XqF4ArkF+VKFa zZ}rFric&7~RrQ_F{(~TtU+UJVSMlPBSp5E(J808U{)IK&#W8;c zCDHRAj9;pTcri681m#uuq(PW-=fk(HpIeiRlC};zc4(*EVivfFPxtE3=Rwcwg_G!C z*D^{19}E6|VbB+Eu*Lrj7-!c}J=E)G4_G%1DmuLvDHNl__5XAmEI(&567stNUEz%&U{^Sc}~$O(sY#p 
zE;_-CSt8FZSDq@)?yBs65FgKFma-{s6p>`@y%+}aHWUw1(o9tiNw2>V%Dz%kGVkB_i`gq)+il z$~JWG+i`|f&26vo)^hv056TJl@5*G4_4wi5K)$atHS!2$RE;aH4K%6mR=&bu)wm#w zD$8muEoPSSjJW05-s{blDVo8~&>kZjg`1xz*C`3BqD{>2Z5Oj6Hh#)aj$7Mqjx!&J z$p2uGCi-C5CNS934WOx8T*y5^#b_N93s+|Sy}mvpJ6`Y)DgV1*8PCt?^YPb4n(%fM z3hbQ%s6eNVbO`h>^qc@XM6Ws2#)Jki{4Y z^GYJ|YyIS@YW#DngXSt}DDO;j(#XheNoHBI+gI-5>o$)CUr9q(*)Xr!fn^f31Tx1~ za>65fF(p0%Bz6z~JT9eYS{31A7*70U<8B$kFX2y&_tv1e`*Br<6_&NsH%jEG+$}tn zT$e;yhHubutZYUAb&cbnCoR#y1it#`Y8Z~?j2njEvgc0_i@{aBgEClQgc)@rGH{4o z`y5w}Q#r1D5hHm%1TCtXYe356;?+KOjWYlMQ*hQ<1K&GtUgx~D(TlKMZ*aNPLI}9) zfN_Yfz3RtFYpM468OZnSyU&PgYK&}Pia(*V+cFq{;nbJdP>| zGDwS2z>!V5d@}tO{Ke;>p6J|!@ga$WMxfj?hgZB;{wEW=2e;w5(;=f%ep*s*=%B)q z^~KH~vO$u1G3`OZ_Ywd@98Np_-A>_SPK@U41`@}0u^2;cU`F8A5{`oxm*@C`b6$XX zw&Kp&Tqukpp&D#hef=@UVprHSYdQXu>}D6uv{xiE_(z=hB=Fp+s9Z3Wyp|GkBoPnV zk*6-Uzj)?-sAt%pu@tb$PLHeY4-tA0a|ZrX?WB&@T1)r+Io^LehPHMf7(SkKyk|%S zt6LDzHdXSS?C|~(h^~>L^_Dm1k@WjZOx|@AnQd7aXOz&U<9-KOa0LGR=5KE!X&K-C z5VCgb;vAS=@8Or4E|H&RK`}(04U$OfBT3WDZJr#nV7@D+l6kG8_Tf#sn_@a)qX;gq zCoDu5foj7)FbI}j!_qPO+5B>9U>E)Y1qI<|qZcVcw-WWj=?vxZcFmH9t(pbegbvdw z4%7xlivd`{WJjU?y1&=^-bx9Rd+)OinIUsokJPxe8=MV%%wVPFL_537W>6D_?{IeC zGt+{oL_1My zcEz$5$}3_Iud&RtAXqsP;Ri7AG6)O0P|`4dL`zD?=qeL&eQ=ZIstZ)g$F? znRx1`r@jmaY1gRD(I~ZrcZX)iTKc-}&r>tuFaibHlggME-Itl4{M9;Bm zor9_M*ShY*7LA^R&U2^grM*jHVj>=T%MKXR`Bn|7bY-L+ppU_DTPu;BBQh8x}Y>p_I@f1YUw2b>gZH2x{I4_aFe zbFUr{lCDOlcj)xl_nu(-h49Dup%tHVlQ8Xp)30Nz(k_qt2*I%#+3!pw0R}YB%I~!U zIo`Y}_P)VqS6Qc{~ZJQS^MP%xb`B&bDh_|JXnfYDWbQ z;>3Rh1<9$i57!a&cQHizfj^Tor)&tHk&XfJrxDhz_S zkn^Xxi5h?M4im5o3AQt0{)tkM#esyI{_^(imUTVKGo!tFfuRrkSI`>84Q5!^l5z;A zW!z-;w#)S8P?{Dtuz*5vx=~Hn;EvZ|MOp$x8LE=~%k(ERfxu zU2lJ~zbFAkZBoAk`>j)7H7KOBPG5FopN27{?s;E(0ZOCE^PKjS%MYnKoiw9u5HF)R zJ7L6??G(BQHoXx=KbCCV!P#!m!{%8VROY^Un)qnjC}++%jMo3Od;-D56A|2mJ{C4! 
zZu1&3`seTwapmqd+W$J8Ems!!OO?3gE1N7ffuS`&XdctAyhuAp*h*RCu7V73mhVPY zSV!BJRc?KK#2RYo8M%hMJ`9tP#8-EfQ9te1FiPhB_+k=G-8s-+T>imVcwy?d6)cKI z(EZ4dA3JoA2LN$4Tq4V8%B9|W%sOUSk|&f23^7d1N2k6#ndtNEeDQJw{n$_3KI% zU|kG9ag|#A9;M}-z4#2ZaNd)798#E?ck%R5|8+QLRC%M_xVMV?a;PYQ+wn95Y=Dwl z4B*8d#mIV*XDagI_FV~^DG{IUZiNyz>L$`=r*sF&E$`3Rw2}M}^4p|gkkMWFi>hRe zjJu5!f0r}XE=-Tzsly5)1oHUYIyqu)! z?YGg`+-q|FwHBHXVDK=MKjQn@Jd9w_R)iQ#5Av&2j4h^fH*!;m*>9=4bjRnX!}0Xx z8Vzmfwm3HL*U$wMufhYA`{0vx*fwwAwWv<1fong{nEZyw7Sg_~_u~5+ zS^o2c0BP85uqZ`fyF;s5SX=MXg0A+~{jX^ML7Eg_>3+X~Ghc z$g+;;bWg9Q8pB&Pk=}t&KM}in-+K-^g5hZm|I}8;-I>wnvD9euXT65r*-siyZM^LHlDcb_xkTd z=STd2MFQ4*mV4?ywj5W34$h(Vf7rt#sz4Syr;3Mmft$s5o;an|)ILyL-O*Gv{$;~* zmH~9H zQzr@1XLABkYoTGBi{ei@c?g1{XuH0h%v#q~?whAIb8fs5!EQ+gS@fEUOz}HEn=2AU z-_e|+Q?*JoO_drnQC#^6=RSc=D%)Cc)t^*<6{_HsGX~aCqsjKVz;gDq`rC#cBbjN7 z=ij9JxgXUNYg!eQ_HdF>FZ!&?C$66=3+N2_16mv=j0eH-Vvw8+g2h-KGTwz8UU4f`e2);Nd^}dn;n^<&M zf_OMS6D!~7>;@)u+M6^Lf9&ojIqD4WssBDS^U>|PM!Zb+TQxdk?X_*jngDsbl22ct zkK^N~@TsRwK@=q_))?^tUwh438^K&7s<&pgBndbeO-q{|TJGLaCo%%_423(jl z>uVD1)D0FK@%orZF|Sx|`lP}a*62T! z25*xr7nTCD&+fgE8Job0(cR{2II-*EyA$rc;CpilVP#K_f)<C zsNo)+P8<4;Eb->Gl#D96(i;-|rqKBld78D`b3Ym_g7LjLvl4OFHW%b{^!cz}+bG>D z9alTx{s#uHUn{(?6l8N3#4zoOmtR8y&&WM5+_f_H8Zm}nU;P4K1zeq|U(A9^HBE6x z%>|#fdKTkfNk5h#GO1~$lYqM{2b29H+zjQ}_(o?%!l0hT2N4aYFOC)%;vV)ytzVIt z`94n|vGBe15ZRdGsOuQ&HDfEwEAW|5R|uUNe}=~doj$2#{s=?h_uPD%=}mGVeq}(U znndNMQDelYZbC+J33WB(`a&H0Hgg7n9gKaib){Q8%q9A4B7d6}iZ$_y4Z90v=5`4E0mB=WYd`e&0qolcew>gjbn`<~PnBcH=bcO*O6Kr2nPcm(jz1^TcI_I4+z?b08 z#%HCaU{Yvu=!yZEEvklTvfPdg9}>?H(jB-<6b$`5+#uLbq7aN!Jl{zU0^kJ_JG@ zig=G$6&$PRDpye(UhO1ZjA0CKa&mdRIbwJU@y~T#=`(sWQa}o)9L#Z?pZZE1C}Kzo zdkj2ZxS{6eZrF9lLZPbJb2s}Ou*468hDNbXy@OxWCY-N+d{YJ0$3aUcUY1gEg)9b! 
zV0Oz5FbY&>3>170TNN>fGar-H`g$e3=nWhK3*T?Gf^X z9eyz92S#6m^$+NS`GVH08?82=h}PT-?zqZgzd>pFn)P+BU^_c6rOJRuq6Pu* z#rN$Oxw^Y^6Ofm<^k*0E>?IN}o-UPEd~(6#`s!>po0sNF20|9`O3!f|H*}7HXC^6H zcNLML^b~6Dizi{6O_oOud$rF_L3&A9QdjCy3WJq#=ACs{)X*G8FU~4YbC_xRT{Uz#kBDj`7;=nn{XwNw{kz+3eR)B%_$idz$DV>;Rk?R@M zw+mol__B^3F<&g`{CT+eUbWAk6*0?MM|TgD$ymUS#gSHNa6MBjj2v)?GjxJ-J}%X# zR|KRvR5@grI&qviBj-QmdcOL!zTSO0i=J{sh2QYMNBB_z{WLD2iAcBuY^PgQoS2S} zb#^(7vNEx*zAYR{|8oJ?c8pM^nQ*&~&}coKl{*WDtA^A!)?aRG+(^uL8HLeK9c4c! z><5GO(Z!;@7cg1e%C-{?$F~=N9x^{)vx0U;@3m=3wPT|$H9n)t9AMxMhnc&B%GSdV zcH&vjnJ&AoEg^;ty=V&|AUQ_(ibr|f0a1+P)16D^UK;_)ul z{0IdZc#oA6_Zs+`G%e+DYYTNkqPa1-p%@ArG1AhtJmapX(pUV5zh%|?I+6a}wMy0* zi;SYdI4w>+gVw)k$Lkd|Ccb;HTBF^x}=2!&nu5kI@rpkZ0OaVUYtInF)>Kf+aE@Egf$s?k}$;VR)Z=D{yBq zQl_j_k{NEF0+=MvaY6^!s9QQzZ%I7V`}x-~i>eI2&BE(gx3b&4e@Z*0nQ`7$ruor6 zsM0-ValTgmw5dF{(XNqo`?frI#1D73d+gZemSZ(D{{nzxUXSB+bQ}pf7zn@b+TR{7&1kvc*&O}% z<|G^d8G&VtRbLRFwv_bd%jK%7pyGn`G_Ea&`a-9bp1i=u{}SVI!_iKNU;-C)KR`*`N9jPuJ7pp+`r0Oxr^MTl%!d@lOvMU>O)>bnIN& zWn`|V_IXNTM-2jlC%)-4(QF5CjruM3D)u@Q6`G2Dd)<8bGXVdZCNLD;)HNK9Yue?L z;a!i7+b!GW%*AapzQgsfUbxH%DkTsdSwm^qC5Ck@fH;2llo7dd0od z`PzvqO`uCO3RXaVTB`R|V~`s76*u+d0Z~-O4>2|*LL{5JjPqTIht5=xe;6&z)tP)E|_k2p!{5$3iwY5;qELGdq-;i~Ynb zj978D`DLS@O^@Lq=*Bmpl;qC0A&_%raiU#lWnpTRNOh4KhS4XJGleL3#|mak^^|r- z?&!-pp_SwFA5I&KHz$4&Q*-c+OyDnTCVbe}Cy7&m_`@iZam zRpOXn#&L$it38sFny4bJxk!dUkG2~lca<>kXu>o;VP|LyesBL8C(h;`p?O&ppioD~ z$B_Ggt~n~GKfU=lzC6&fWaoF<&QE|G-2s#=BcR<$&6*z6KQh9-4OM(`IpADWPI6f} z6X@Dj(FZ6yxMMt-roQib=c1@#d_(0@y!iCjUuy-c5)}^JYQ>0h=6INo_#Vw1nv>oR zUKU2`y1Ltdc9R&4^juY5kKKEI62j|U97tF|2Kw5>7pyOM=O9SN1!vyMuk}vFs)-v{ z#e>t=<+^Av-JTL~-NbvnosZb+s;r`&6Qc4FOV1+Ia`+yv1gl;bR$3gu>aHD5Z4WG7 z-qb*vD;9^rs;4HNHkF=D4TJ(LbnHd5=*E3Wq?MO(g~4r}3@pw}^}2I&ukgA|*g5BK zt*==xTiaMbaT4;<5l{u$tIzyo4>N%ke5_iLZdq{kSq8?KB=nfuB-L}9?d*MM69i{t zsJp9V?Tsty4_=`bw7B&k@KC~Dw_}x5(s-p zh6%_dUf=G#2A>SH_VD@sZchkIB}h)L^|&Vqe?7Rihk@1p!PDu`0JZ@?(xjt-=^!Yh?GpOL=#Y2lb!RnDsaOEU%7c!Ofn0!sU#Do 
z^(U+8APKp|^6_-~#Xrv8OTd3B&rO{gKF{I~;%^FlN{~mQ7>K?Q?d$%aVXGMKNwKhF!8{!1l@ac(|CAZK z?#x{TR88dFl{tw;p!y|Yv}vo31>{-eJi0Iqnm$G2*W68b|43hUPbI=uQepWmq!U9BK`IMT?i^wA>Q1NX;qZo`vNg zxJL!IktkEBNa34*Mf~$*6Ma;|gKPuG3zRRAEXS+tqW$8}=j@n~Xq)oAt=^R?zV<(H7V?r!*T(_$BQ+gL3!I z7M8*y(Ofq@jHR+Pq1I6Kn&(S$0gsp-d61b%w&WXF;7BKbHrHsBC3T-2712?bsOVqp z+3t(UwDBU|&rb-S#54lSlrU%#jeja~eNxFDjs?&@{4Pvx;$A`hAvoVi(2iHqK^N2c zZRkA8^#iGcpBgsf%??B5M3?L~UX8083gDxqPvn9+h7E;r%LoFb-EU{(I)nhlYWy_< zYMnw~OmyWdq|ojKG4J;)#S6KmVnoBiTMRgacao80!m#<`g+VBbsePu%87u&$%pW82 z>_A(mdSG87L5Xvxqt)C*Z3)RX4%UVb*@q<#Tj_p)YR+H$q2%=5raa~*KeI|_G85K_ zQv)lD@P?F_WlsLnQ#qT6Aiuu>158^<#oX7yg6Q17vy3llNUDF7du!^$;?qMFnhaN$ zI_i|*OQO9w{O#8F{s*9d#7`smCAl1fM&_?iipgT~XNxy>$sryF(~DMY2YLwBNIPif zDEjjqR;Y2!;SZY98CYVfd2Y>u-#W;t~|GGtDd0I%it~ukx(}yhj8-9 z?A|Zy=u7udT8Ycq#Sgx&Ky#%9KeE-C%cdjo!-1#c$1vpG$mx>pfgm(_m?-Dj}fr?21?25&Y-mTgmE#Iq&<5Rqfwd>PcB}$>{+V$#|j1`Xsm_- zLG}TGj1)9)wJ;Nq0Jnzl{MF7FYe^~Co|U+h2wSw0+x1CNAVvpPZxl;EO2)&+H$qfv z9`GFO5dl7WgIXJU^^e4ZG>tuXK^^y}63_J#f0K&{%@&B!T)QMnKJMO>atHc$0eEdI ze6loZ!mTp96fg3Yv3+c&3T(Q8yto8j=L?lu24gPx2g}g!`o~da6?Eh`$Im=vlQ)Wi zoU$^>XkPOD~Gup zXv^leZ*V==K;1do@E1C-Xp+vo)+hYs^wF8-{_okIG|0om?dk)* z=jpNf4R*D*IBFzQ2tJwA24!$orVv}>%fE%W-?WI$9Wct4UOFVXB|6?Y7oM&cU%OL8PxM zr2$)&YsZcxAf!PaDwO zVmDU|^Dfdjbe4+->V@kWm3Q<5^4_Te-MAV;Ts|A;ft)?rLqaTl13SotkOd`(ZxM5= z-O%9N>t=-mn5yJd2>>szR*%RJR6R}M zD+Wi@38BP27LJ1aj(T@XYS=}KE8j5ljecm(H1Q4DH0 zBv1y4WM=y5y5Ukc&p6*VWFle6P-WGy_Z^lLdiE|@wOS3bHTLCYB*ePBXGgx0bvVTy zK`}o3n>EFy*F0Tav&q4;B)Hysv+m;&YbD$!gL_T>*ngpnCS2sCK}6;oO*DouBqRi`YfQpNBd1fE?3(r|^k( zG0pPxL6t|Qeq46#UbD87WVWPRE{2u&#uLlcKq}X)mVPzc?z##D(bFE#EN6G#n{Uk2 zpICYA(S+pbV{`k%aF{7_w+?7MbD176dRjUrYo?7mTMn~pWM4EiiAEl4LL^-F>%f-8 zFQi!Gzd`W!onT8 zR!%^TzBJLOzSuZH(HspJ@7x$-2(vW)%2v8=N2^aa7CYy@ik37e5U?FK`O>xCTNG%! 
zAyC6B_d>Qh8ML~VD59~^3*)IVTTjdud4m{-+9@<$ZjZPo>LK(ao>_;?P!^de)Di*$ zzGf(DVM3Or9_Ih>^=q2%KxF3pJx>l|#8UbQp zin+(*I>wJi27L;-ib^v~e^-uZi4$ATAcjEXG9zynops$U8cIcpOSSZ_bcxj z!&5mVOupccr6Y3q_T6b{DGB(hyR{j#lY$sGA|4WVu^uAe%90h?<-;p|#-bqOt!F%> z_NnDUF>X!c>3q9nq+*ez-1}aC-WNEorHvt$?rsQK|ErfE@Dapsxxn%X?zWyGvA zGZ#rm=S;Lda(lTCm`$=Z?`5CrJ#DqhY;z13YbY-n$c@JBLoJgQ3FQpY0QJD_LWhLv z_M_H2cbKwD=BzVVYBfvB^tQ{$33$XfM@F7gmCDs3U(iEI2Fa_6z5H3*e2)z5cr8!y z;xlK4sJ5yhrvdE=;AASiC-rh{KBqv?&VGgx0GT`Od<1R2XZ#AWrWE#pr7)GiZy0r` zngAB)G+?GH;o2|}t1sg6cqsx?(m{p5f#dM>dJ*2WmSoiEF#T-&CF;KKZJ)z`1zl;b zgtlYSjtyiH_8qyf59nh$BN=p~qW|!_Bh)Vf;!(6KIO~Ku+sYqFt=!5xF{TjBp)u`F zuCcIWVBH8SB6wd}86|^0k&9OS=H;FDqCy-HDM-5oWx=!g8-c_(hUYq~? z6NEvyAPK<#a?oD1lSY#NZdrwt>zz2A9$UEjUn0w>?bidS0*Nu7z)B(OkiDJAhsBr@ z>HR)zJ8S>!o|4lY$l74LQrOna6FxH*$6d~w=}T6KBaI&HP5C})VBmRs z(A7c(4FSh!#|O|Y1mvq%R|aYZI@ zW+cbl!Lh1qOh-GwP1u-bUpV=ZHqnJ)rw-jH!!IS9Wz&TIbS z>g&>v3L_!$=q@ZlXF?B37;75F=+J&GQ$ye0deEn+_?mIqmn_4HYC3h@vpuG*UO1F$ zkTPF)HlDVVWv75E%XFL`TbeZ!rtj}4;b^AwoZ<3-TxIiE*MT>(hM#_IwrNT^2JBWY z{nljSJ*c<%ikFo0?dm%@9)o(c5$CGcdU<MuK7<_PKzFR{^U*xgpq;mN#AO>{UDp(uM!0!9|c~X`+IcHD-U!zSz zV1^uez&2kNol#fzHHLkNxI~bJe$jRAmm0X~(b)4!(+YO#?>3lQ0 z!6op!@6@K6enG{M6uW7`>tup;s6+RA(9Z?bysveu?v>!bNd7tX`~5qF1*G4q|Jcj? 
zT3)OyH)!mK4zAO?g>>a~Z^{B%{pTqKK7 zZP9mZj>8wVddd9%pf9hAcRy&;?dg6GV%0U8N z_O4i&#~LhnIgiqcazUMb8Yk4S0L!X8HVxLek$yI`oRP>CQ#s9x%=l^0ewLYN-YPqH zW>nfRKde+oY4#P2;yhrmDDYH^@*58i1S_XK<09vVHu-r&NBSh}{>)tOqOZ!id5;-$ zw+SWJU|5c^G67AiZ33Hi#K7&Y6i|6P6V685=|HkueoA-2U>|;FLBqcj>gv7^btE=v z++LRN4Hfeb^+RbZ1<&$IR$+jX4M9~3;14S%-pXL3(IVORUHk?H+(1|EJ$Cb7*r-%D z;zX~R3bsnx?)F7r^3j%I(iLD<$UhjxAS$7f|`45c1l8wF&{` zY><^5BjQ4ESAT7G(nQhdU8At_7^{6sTFbKhE*KVKI3$sJ@mT%jlAhK_-5%>+6IVx0LO zV*hTfvT;H<+!*5p2)C-@oUso%r=eT?4EQTvE=LJskl-}-cTBIHQDmZ$Sae=m4uegz zni%L4Tg?YG4fMrrw!Ke`_W~lmbqW6_EiT)>=%YVr^77yK6+1d7Luh_ooS6FzsdA~- zTXVLcabxObfD6p+E1ge14&e@9$4mLbyCHTC6G_TfaowNjUrwi8#=rEXaZY^t{oTA@$Qe~LJawT#nE1^A zf`SJCD?OA=;?)yJy>3a(!OfQ(WZe86^F|t(vsbNytz$&c!F^e`7?cc(QBCE9YJcEc?nF2IwK7ke2V5=Q zh+e_#jXfEY{GV`vDG8NbYdTp_S_R=KeYhy5j||$`vVstDhU&33#6B9tS7Gise(=KJ z**d&G^660K;)f3sV%O)J>2lkBtT|6mc_&sAQWvC4goc~Mdh5j{rL}H&Q0&eLDx!8? zs8J3k>H;%ixKZOq*>`Ucxb6;Ynv!KIv%)Rtez2$1h3@2TycXRG0Dtu!{A2@{pc{2_ z9tbeL(K`XoMdG40D$i+TS#kRbY86JISCDI3Zq`4fhUT)C7bN+YO1VG~Lg%8!`X5j_ zEe8brvG)`zbna>`t9~YRB z%gNWdejE6`c$=;m!*?Flu#CQp+J?!#m!mwF%@lliv%Gj|o1J48AWm4Soh}@Z0b=bU z{eZ@2dv7uM!ClY^@-)w!OWWpwqQDgp$}a&aqHm_MI5R%)#TN&28(E3mcRWJpI{E>U2>|zHE}eCW-#J`D$pkeSZDq{#v<4&wRlB zX})W|(~743TC;%tQ(y=FlX$KPXu#P!&E$;+nGNq#>FE z#B3HvMv3mH=CgDag61IFgl6hDkh;a8VGD6{eRzzb^z?+>;KK|)^y~HQ(DsMy)u3jM zLzs`drQafZ4FD&I18qoQmyne*e&2gf@-97eU^cOqxf5PKo!{)XJ7s|_aZnW=eA>&! 
zXWY51tlvo-L2q@DY#+@bDmV5mXzMKKfTZh9Y3kmF)`fV>UMXpIiq zcAj*^je;{@SG1xHsPdz?9w?Vv_&uq?<;r&(`G?aYKA{F0gQ;c04`vIsb{_RTB}1Oe zmh}ZU{6FlycU03$*EXyODk6d)ARt|O6KPTdi1a2M>77WE-U*<9fb?F2RO!8!sPx`@ zlU_p$JqdZEr`+dx&biO~&-dT=uEok4ewieD_UzeH_I2$M)xf9Qz5T>d=9?vHR~et- zB-EM*T;PcgKB&0h(H@PqswwrrzJmrfxpce_cZ%M_3H3)9t$p`urtm>DYCZ?FIGUhc z-Ip4$+O^mU*B*Mlp;WoT9q7q0-UNFg${Yp%u&7u3Eu6wQY=0=>}^Q!5hCFZ0|ZcuHN9!OO)ab zko0e1J(3jc#6OHL4)ryk>B-e@+#2^hdu^}`uXz^2ku5oUz9<>EG|6iD3Dyv8ETavK zrC>F_ve*t%zCbf1Dn7*hVBMb4a#@}Vj?t(X&3Wicmumd@df@ZZ(5L2DZ*;3WkY!B~ z(W~ff{Os|>frXwrnFD_mAUvdn{IGF#wHybLo zjTv+bCS!0|>%hAMi3ql{PU5J#UkvFtM90Z4AZvYJ_$pH6TcYzgmv#Z zgOOs|3oZk=I-0-Y6$%g8NxkpUJ?pW#92E9#;!*TY{>2m;4({NO@9hfTt8!iOWKeYU zcDrqY&2U+H=8{xMgG&$w`oXNG=bKsck`;Pe){9Jp$?@!wDhUgklep64(y*>~o$_s! z6RX=0aU3meqxqOutF?OUezd(mmT-zCWuy-Qp~z{RVkE$zq!^fw@a>s9KxV$kjaFNa zE&+KHFbA+ldfr zpRGBaXSL&))SoiO(Pq`-%p{7b7{&|rN1rWS?cVWW!Up?K$Y;lzP z^%+Wr?(#IW>MBlA;ZF%1pMojdUzpcSbnd=3^)#IKtG6Mwg}`rz)R?9G7!)M&fUzsI z%kjt`TZ>ka$J6<0ws?>*M6&xqBel1W7Ikq+PF2mj^S5|*(~4_qdpuFlb~GSP?exr1 z$di_p$zz%GH4`54GAH6AZCGf-_XHBzI4s=Q6OhnqE?szc{jm63uy$snO%H1?(g85T zYf8|<&H)vs*?-y#r-b6LbBeT^Kft)$=WZ6*q>uDb>BFIcL$wHvAG(QT)F-ZZq~!Sw z!r;5?kQYY_ua9cl(>?eqj{}XAfJP4KG9R~jqT3RV+BxcqwK8Z@A+8dS^)Nz+rqQT2 z_IqFW-6BQqu~Y4zoJ{}DZ}u0br}i}g!RNlptxf8#_tE;we|VOM-OgOz#e>g-&PnNq z;nk1l?~h6C8`~jWg9#6UycRF^d?=O~-(%3O6(8{FIlub5QwcNg0Pt ziI_9y1^OJ$G=JHO8O^#Ly8BeqDD1;qaXS53w?&|>PELN8==g{^!8z-$>x^WsGWPgj4KABhQwWj!+m&#~B9<5;fArWwG@^ zD%%xU{uN@>;GI%OHhj`1+jj1@X(-&+uEBfsfL$Q4_n0vt6i??UoExVM@dn$(2Y0eYl;U08v@3clahzwCbHbY-C8hAaXwMJr`DgCeBTR zao0>qj94EXQ4Ky7A0S~KY&LoHi>xkt_mOl+JE}lcdx%dfsc+RZ5CRr&uw%0zo(!e< zgO%=|gQ?npFZ+h+4`SBWOf>!ee-q}Nhv%>^tLUG3RJP%~AwYw?0*|8E-^AViNr&%%R{lOEbCPa6OWx&J0|G{bhjR*FZS2IO4W8O^h z(faQcvA?|a*AJRW+_<-=@GJ}ek0$&h2j9OKTg*S5_jTNzKY07UvG@PiYZUfPrgH9Y zA0_@np#LkG{*Q7c!woFgNy*og|IX59z|8zQh)MU0KmU(X{d(A)a^umo4&f`0-xCV_ zFOmNEHyPg#Lx}Jb6XqXk{6m=kAu6@?Pu>21r?j9%_Q0y^!<}9kU)3Ie&nQ+HKetygFZGXvoHZ9(4dtb)B{^7*_SA$LxZV=n- 
zv4h4RpzG^k6cA0zJwex(F~a$0i53|Bu*jQ+p75e`VK{@uXt7+=RzYlg)5t-I@PCjT zEk)*C9^G;-rNr!G<6qzTUh+oRiwCOq;+p?9a2~%z+c4$J^zgi&NjLu6-&g8~Xs;jT ziBtKnwI0*nz&d-pW5YxAUpnWPN#71ZkB9f;x>5gHs}mnRQoB?vvkU&YxxaPeGnt>_ z=PU*k|7)$FyJG$#L4xFpSpTyt|3^L#fAOE{c9~QNwh!W8lSOZ`S1F=arZs} zTKqc&b=0i?R_hZDdNfCV9+XlO|Hsk(+e4$MpW@53VCnp8t@{tVBR|(>{YPK7B)_Ix zOC2-ZC-k6PH@GzNdm8+OdKiHDj`H-+`Q~?haHHi&bs+z!x4ynv6g$Qu5a)FTZFHBs z|KO%u1oqkhPega6_h%>07XBCCU#f!rgm&GJEmFlMtwQ$rMfXXGKx_lT8CGwi9qoNa zxdl|X?()#8WFY8SpcO%&`gc7qd7L}4!((VEF;fV(+M9)#&UM~r0Z`>)FExA-rR4HaHgZmkFK9kJ zc5zgih9VkYNS^TfkG$ujbvtTsH-N`kTr2~;81|}P^3kV&G%F1}z!oo#doz0cL&Y;6 z-fYV5llN)qZqExr>#aW^qAaVDmoMYXKhX}_MrL$PQR1RIbTd$5#d zRZCh(Q-#ieVC}F(U_Bqn0mZTY1`M{9TI^qC0!`uYIG++u9G_j0=&FzIQU$8IBS>p` z$K4hvdV|w9Fs0m*2#T7|p454CZeM)azO+oSS5Z+qfRe}g`lZc0e0)77vZj=lJioq? zAN`)cQ+|4HIFADx78b+Gb*k5BXZB(ppD z3)ii*FJ|&qHV@ zbxiCGnfKm?uK1EZZ9wyUKfL6`>4*;Ywd}=Mw%@x?>_4j67md2;BtB__T;r{Sy`9R* zhHnBDhX7;V6jl<_p=pbAQxC0}st>R~0k);CRSh|ABqgK=n-d z{>6`gi=RC};oqui6uA$fWL|f<4nmC_8t#{1?6ZkPOP%RAu{;2X8L{E3Ou`!AhW^K% zY|bxc(Tgn=X`}g}vfLF>>)6DqZk>0oy^0-K5iU{qH!;}n-XHbgX^TWnWbwX0Pk4V$ zH_tThsw<>>EzOSx$rC6(K0{N?kG#>O-v?{ccNRZTA*$A2T6?^%o#eZ3vJI`&jk3F= zqtKyabtXAcJJu>mWEJuuaD3AnsL5UnaC;?XnUOq8z@Z2*du>QyOmXdOfE9~HUiFw$ zw*Cc9e_s3jxmd;4JCX zXsewg*E;ZfM|G*|@eKIWaJ`yc-Vvm^VBN>hKzY=;*PxV{3g1MaN3UwdPG`hG|9FHpd>GT_R2PaDtvGhEX(p zR2FiP252m=+#z7^*O_z$z<$Mn^g6Plekw&Bam9jWzIwyI7cL#QIXCAlA9qyf#_}%}$9b*sI@VK- zHzaP7s9f%5WJZIJR^;Ph6|M?>;kLlB+#Vg^x5EyN>ARxm$8`YdHWI*Nsh)_R!(X`! 
z-RT{G>uS`TUvn;l)GLR%prIz#tMqRM#85)6C!)bI{qGyQ8T3vN!1J*|d4|>Ebcd4J zFnFu7=#!1V>~83KNYLne5j6YZh%kIi{S~>fG>0ZrsbZ0xT?H2)hj~8rSE7#SRfhe z?A!PAHerqf`rdYA0zp*$F6%Ws)Y#~=Abv>j)R9Oggy-8(Nlk8dHSkwF!)$7Y^)pGup~5=OMmtwr1A@<>}s)4 zfq@5m*X0vtd)Rs-Z1M!bJ&K0$BJZ$_1sex+`}dxxlNq+q`1BI;I)eJv8H z{k;o7T3Pn>*b z8KGu#XW3WQEd4Ayyr3R+b=qq!&^`1eSLEWAjN&s7-)9YIa;|~oUiB29$8=P*$C6B8 zUsrKgLiFe2`!Or#)prct#j_%#+!G+$O$ZzlXK;64@8|P)Puj+T_Vr`1Xxa%BI7YM5 zIP5Cb_fjo9GUHY1w|sk-&YzE{M3j(Ep2T+(7|wf>l3jPbtdw6JgruffXB?idFYy?t z$i?NJ(Upx3W1R;bRhk}Q#0>=SI}o$jbK!V&JjbmFbl>kdN31VoV zu@2}b%-VZYS4awVBY}k(%R}~~zPZvL0H#NfCXR5x)eg0OKPm?qrQyRx+b$IjIPyGZ z35)l18j#5jw%^ZZ?bdF91wM<^a78C0>3Q4ybe+~Ev;%&)U5AfLG9BRN6LS1=Ip&T} z*yj-{d%5F)!hWQF{W_`3G!;BB6`Y5-RThPuWHdVp!@abruHR)@JI28gu$M+Jdwj)> zJ+G5D2*nlQE%m#-pB>TpP0h)!;J3^w*57)(r~gt-sM}`tcot~LBo*qRa-8Idy(`}^ zHrV{s$tJ}iPm-H-YGGw`AHi&^(3ksew@RHrp5wvs>4&ts8u8L9mTp1fmV4QTo3OHD z)p_4NUa}1|mHaWMT`f<1YlA1EPlvb`dc8a15%;!L$wRc78&W;My?*0)x?2;orI0X| z^el{z{(EhVB^M`p`lWF2U<$sb*Lo}<ugAM~x-@m20++O;w^=JvbRmm0xRn9znx)rRjYt1C%EC#@P;!2Yh z&;gd+y7ZO= zc-rR)rCX|r&?dZ0nBL`l$Wo464cas$s(Q3pA`1yS&2M7S&2@?*aa*X}k~I5GUmD)CZm`ZqkoAFdQd;+O=~4x?S@u({d*5NgL9;Vfh|0aSB?J zF~G-03QO5+o6*yrDy)x7>kn;s=zqKo zcf@4_1%|snEkE}B?#6NNj1}diT!kZl%?eA5_UvA{q`^&OyP}B$d^_a~I}1FepXO?@ zS5)DN`FV2iHHl%EghSHVjeJtt@aaB2$e6()|Lf<&rA<><2*d(VJ}N^T7lwmo$WzoA zdMquS0xs2}N$rEDcXYK3rij5B@V9-oXLBsCh+8OGR|JV9UzY`3U}}kb7xc&nqjxNt zuh*D)oGoap#5-?evB1H9Nt@yVkUF=xiR8oF(;4#wBi|YE5P> zD39{8T7}?mtbx zqu5YA#xv$oknVsU0dBGK?!M2)t6}*k@0k-ZSp77ZV14u=^{}H;muns57w`AG6&bB+ z@Q7yTQp}?x9rAnpBKqX(sKG*%rwb*0a+xArgjhSQyV$+<3xlwY;DM{|po-D^bh|UK zzkBP=pkB-8oCVF(d<-h}71w*G<)YGu6E9eD~6n;U%fWzx=A1Fkk?t+U2>KhzH8?Qw7edN)3B51JaMaj?rJ`= z_PK}_%K`X4RGzUk^J^I6IZOR4iGIZ%)GVV`GUM17U}t7 zXcswVwS-hX>5qY&uS@k5u5f$!%6!W$JihN+-H867);Pynuceeq!Kc5rJ6ta_4YJ4I z=jo>C-cTkMkbQhY&a>O*-e)WCBuh|d6kBih5hsICo7O7@9#rq#>2Q2wf!1uKl~`k( zg1E00VLPPi(ekx%P{-$W3;bcDJ9_6R`qj&V4X6z0-RS>VJgWKktt{d6{t9ft~bP4-EynNkU(%y5D18 z_Ne(&LGgpiaHiuJKrLmxD-dhTy7l=dYTzMcqangLDl 
zGNL91o8y`jDv~Ql5GFnZB3<=FSbU@zcoMa#t2R-C0Nx$4)0gv3rkt~zz#+DQdG5lq zZoaV1U>?1b#<@l1cgVghAK*F<+L`I%js8p}{8gK7Sh8wLz4q2*0S1ko;6zD z#N6$^!pbm+F43Nhe_mF%bsU$%NHoQ3qni6V)n(@Nr`SP54YBv8L}e@Qer!t^)->l5 zuXxN}6*+dyf;093i826lnSVmI@3vyh>03PjDabhaCq48va^Dy~p3RGFKy|>EGyC&s@*%3OIguKbOH;f9-KXqU7szBb@ap{fLUE1Hm9ffyKf-&F& z$`YTS7(8JC4zt(kYkGGHP#sxBvNb~8QsE1VZ|v(vU2=R z@>jK?ie)Hf_k9i9Z&dLw+HC7~xrtinRy)*_7%t_kIf+{zF(X#R$r_()?^Uq$U3@MC zw_F&{9%y!K)^+cd3%#G88^IBrco0d#K{0OBOCNS7w;;QjYZqB%=fsr`m|Hi2O({)| z*++MkrpsA#$hBpC-PnD9?+H5G%B88*6)s{6 zacT0&gV{;1DY%2#{7*5mEV8KNC7?6wbs4T&lRu;12@@@{`eL^l6M{_n)@dmk>UA z_}f{P3ns1FWaG<)@N(8L*^f2$9_xVw8g{^hx&0NVt_=s0RPIkxoJPiG#6rCi0%4Wa z&!5{aSrR4E6R`@Eq$D)0Oud`;a2r7{>OTM%h<$V0J}9~#qr!+CohQ>J+d~~za9X^5 z_s@yoFWe@zdDv*q`{%A(OMEi+*`J)+Cp}wDx0|wL@y$ak{v+mPAp*v$y*Hr$w7geY zosvpmt zeafSfgsDkpNNTS+ym0VzR~l$xA7VF^_zJ=rbY0tl7=@lC z4>l$D&UE@{7VTsZ(M)g^}r8vvo~s{7HV0ZlT_ zRK@$Z6o-QQyL7+|JLyh)(?qCQ4qXoyTC*8ZIJBEZ@tikZYX5s%Szu2QF*lCs z*uh7LIyO31cV2f1H#n zEV(VrbutJ|mU*oADWHHaefu(z=coQ{(hDVk=z~4GdiD~ki+c~~o-fMIijKWiY)G1% zVlmA2U@mf)EcA70Cec&a7-FlJ(FH!${-Qw)*D(HwG(8twqY5uo%Vke2BFwMusC024 z7(s8JTzzy-n%>C?LY#ludxB%iye0j5vIa_)%2hC_UtXuzY!puw0&LBx)IHE>#V~(W zEhK-crM=>oVi7huWTkGwWpT{{Gnr*`EG~4Cic0t+Y{SwM+N|Zb2HWRaS}5wWu8X+5-1(w_OGDG7sg?JbgaRBb_gr% zq-RBCtUVADE~yFb?2+&tdob@O6*-%d7OHFp92|D>C&#In&v4zFTvq&C|LAh1-j-Gi zOH1_4(iNZSS`{_+V!MtNIs#Ed>|Qr0%oV&3Pdy!4F zFu5EXM+q!=qTINK}>a%=Kg;bU#SeJmf%sk9LNWI)a^ zBT^btOA!99nbPwTF&yvPEn^tvobjx|egb|A{+l~ILLc4SsU@&Qa7_)90A{{xU40Y^ zL7#c$Jm8&wfJEM8DXFSI@RhJz$wQv)wz}BGA8?+{2zYPP;r2ZfQK?@Ocg$n^VaZvQ zTaG9&0vz2A2W;Oy9dk#gu5c{oiR(B<1RhO?%Y-cT_JJ|s6;oCSPWyZ2CmZR3pcUis9;@=Ug_9{o~=Q8sU zcbl8f9oL9ma=SOZ9E)|HiJ(T;xS{8tA&bgm5vfxExAA#=Hx6EF@OA|cl)I!YE)3`s z!wGGUn|L8l=Y(F=^@DXB&`Ua=__~j5X|TGJ$@7{;<(1S?I=Q-rmz*XhWIS)*pe~!@yD0pB&ZYKHJ9mLpNhBF{MO}4LCaVqSrhxgFQmrDXx z6&*8giSkZ;Q?cWFeth|v6&V%XNJZWsAj)34?E%CrHRV!Tlc z;0P<}$^|q$7k!q1N5tWiBm<+^mwzkWMt#1Pnj?yeGZmD-OtvG==qu59nD2!af6O(uS@xCU5TyE2;Yy#F 
zm;$tAE-8FlBg#oOZaNUKq<989DBS9=1I|q;+?eQc04mhC$HzV$bT)WSYFRkIu=-|p zRFNYOmXDn{>l@=S;mP{$CVkhvI#J!!oP3Do#SsLtOQcac;JDvYy6l-hvqMbvSLxP1~ShG$#s1Pb!2VA$&v>Q8`Uf(2&cEVVCPkeo;vgP?c_p97{IfdwKG^rrJn3CS3H|&mhr5`K0KD(;WrQQ@TT=jdk8LX&2dA?1p|j3 z(*42$z`?=7F(=|cwZbOI2+0_VJ>9o#b&)J0TjOSSTTw8BoC32>N_uzeRu^o*^|+sB zX5`q>sXK{#F3v*}FBIHJlG26GSgjza2FQ)zLRRD`sqdh$ zPYkQ1uJ-U>I4XWj8FzSj;I^I*H;y4$SsiMw`8@s8F;7g{LHIEzSH#d5Oq1$gK|bPc z6TI_6lu4j?&cmCiMH@6N1Sw)L_>y-CP|H-_(JdWt(SK$^ImFqvBsNnFom@6b!){ zXsAHo9k`A3q>oBi`>eer@tT8)YZIzb!w|jK>|zG$q1%7_Tl;hNPMlkI0Q$H0>ZCIl zysGrfD>`#j(LSYx%o6E)O>e%)q|Z6a7$kC>$WSdLH8wsGR*ml29v^GYq)eq>F#t@A z=!1{qQN+*xgwUMCi2+x0zceqziQT?Nw7gsD6N%5Sb-eVno;6NY^_U1OdeG3Ed9dYA z9^`;kGj00#{ofHu{=QF#r--MKcke&{9Y*(6`|05&l^fm4E5Flc-uwDjL#@+pI#O;8 zmq7JvN!p`VoYo@cLR3V@i6Sey+l5Qhf6DVG{O5!d4PJrQ*;AAL4qiFIy*adTiXX?* z{9_WKAW1&X zyWzhg>F*_s5ZF`Ei9^x6-#It%|AUP)y8jcHdf!bn1r1I3RaF-Ie#)^HabK3@qSCBz z&QENce=D64vo#DO~>E;eY+{>ZfSzqr9ZdFCG3j@u`P#(1@Y)0Kpy1zv}33Wh+^;MfMl)vvr|1Ll}BXuJwwu5JCef^;P2eO~vLhXeS z@@U#&qEUYE<#F)83w{G5ojU4`zb)YUHjz|cdK8xVe^W=!QzHP(wfBk4FN1pjk~$h= zuCloN)g|L1bqoOWmr?w!!DthEnz`$Er7Ct8>!%%JV;eo}`j8p**GrWCu8hnkOadJv z({G*ouJ_*l7Z4^P#sIM^4>O*}&lYD+VG=NxR~VU=HDRCre)ZKqg7>~o(+#Wphhvd< zE&7Rt{i7M(2HzldeS#2`#6f>E2F7H22%*T=e>bHY{=Rg6ub#k5q^a@#4d3SHr+nj{ z&3&}4sG5wG|HuXKccuOL1g$-^^%=V2e8Bkg**_KhFvv~+uExJU$>jVw!V(uSKL5wg z{`&qO<;<_0kN>@~Tk>dAM*+O-F&JOD>>~j!1NQ^`?mZ94^z&Q6xW^QLeq|x$WO_S} z-;vZEk2nP>s(hQ;b&XXfc!=xJ)M>-;)?kJ2fs_vIN56YyM6cgRYdpGnlPGx+UXmX= zmfzUa*tDa5`kWgAyX;q=D5&xsnmip>8!G6v5dXi3PW@Gi>fc5GB8P!*q-9=}sq*)6 z^w%f&M%j3O^#Ok`tJB}STV7PDqr&uG?Ed#&x?4VS=ie1x7;^)2T4RQd>CwMh4!Y9T zt-s3n_p*lU4UD})8{$Xz{x;kE(YwDy!LT{`CmZ^Y>ii4QuG3Y659i*mG5hyl`s2w> zzN>#6Wq&>t(?EOlCYDsJ!2gT=-XQn+A2R-}1(__^Vt)GZ0|65M4v!b}3m5%&kEark zN&U6-|C!VOGpGN*o0C5^{%@X5o!`Ge%@lq4xg@LB)ppGk#)Q6h+=E|ZFmvZF;xO1@ zXPo&}S@TN%L{UYAy8f-tVt=@RpOZS)&!LI0JlE_o^6Drpl%Jn)0BoqgVBVkf!C-EEG9MD|y_VhEAc=b`fA zp!vmui&p6kA!7NF!)0iwBa4>bfiJ%j;4 zh0ujQ&fo%hk}MziN2zcYMg7ge@ZpaS8%)>ts;sT1N)ZxHLeODVbc$MitD_Z*o%v+L 
zQT%XntrR|3WwQ)xtY5lsI_WJfv;x7PpK8^O3P8?AUkopdQdZz$0%!|K+V!R zjgt1|bmp15BFf1+B>6qxFUX`1e_co&rir-}jC&f091x`OFpGCl86y1Ygu2@Blsy@~ z+Pw``X>yf)(<&@hx1brD9?v-Cb#}3}TV}3GAt;0UW_wO>2ytm%R8sYw{>#MP%xn2& z7nXPyre;2pTos|}n(IsCL6`F~FRWpcQekStcXV_R=X5tglZ3-wU@|+Q8_T?wL1h4$ zJHOkTo7h>P%Wth@u|%jO^Mb%Ab@fd;=+GZLSps{Fx@Jxh7FgWCn)X6-&5yAhK^OFQ zD5abyxgND#JS}WO5#6&vjNW7Hh}@B@2n&v)^ab5Td4VPTY-MpW{$rm%GHyJjHU#XL%k8H)d9<63p!Wqr<`8^pN*ryvbkyQc*$=XkVH z(G_qKX4ua3_++FS$mO|3V`ZG5l`>hACjgy0WvBO|RB#@?dHZ|m9o35jhw*D^Wi#sV z^If@-gLH`k(V$6}PDQ;x%^Y2b`}DKLBT8TcYtrM>sZ{1i&oNym%uL!U%MYucKC`&r z|6Du3Vawz2TPF^2#MyGNuk?58i1)5W_eOEa;)eO{%)sV-%_L^sY40@UFt(<0bHb{{ zGuIy`2@AmZy9zZ18XYBgQnJ*P*-Hv)Uxi^j3Xv?Ros_mYZ(_$Oe>nt^|8@?@{@Ms7 zO=oi0@_*E_!6Qehraa!7khMf1$E#eb6dV!`;Cty#aj{7(mp0AqL&f-??z(}IOLL<@ z23Sw5Sko#h+x&U(b8vzIG!ZL|5uBD8P3L5*OTuoIeCuQn_-^?);eB}O&goA4I3*u0 zt`6h&mriogw1MdtefI4iKhy$Ex8aYc!2H3FBCw_>_SM}Jsz6HVEM2>+k$q*fY40d_ zS@ypm`vf?Trng7wtLz_8q-4@X_Mh~Xmd#x%xF8BT`#2!6*7?vbC-3up$0ve4MQO%; zGeiBSj=iy~h5dvZ!hIg1?&TGOu*Vgv^R@5qDGRN$5C?7E-QVrl*{=2N=zYBnFWiL- z9X#IUJ}4Q6Kw4T=w;K~^QL~ndJr50>L~kmRH@WV!ZnF_eQ>2LUgE6mhpZsMZlqrds>90>)ei_q(y8d`3mNpJpdSpC3k1q-Dj@`kx9I=eIdKCdHrs2@n8*7yvNwvSd6-53V7HixK>eQ2p zP>8uyd&7Zc{q(49vKm-v=PK7lj-BCMd1Q1}2D(IFazTpDWrsPC2DC9VQ?hQmO{MSa zk!KNCKSaLmvL#mSQ5Cr{gtuj*^SEvN->=*3p&S*RabZ<*_xV zG+ad0C_sfr^@}XXSw;AI#QBTBHfGNs{`l!mN)jY0M;ir%4BZ05g+8H|4LXsMv+G-y zX^G?+PnHISzj0PwpVi&HlfMbZ8y@o2^cHDBo;^ApH0@~cS-qj9mz4$JTi|f+9dlkZ%_k5?wXk77eo2h&@G2WeMs+K>gQsGj7^`l=` z5;Zk@WA;GxdrtTD?l6LP4b>)h3^M%$diX&4FB=#CQGzJQg?uWW>eOAfH{%NV=?QW; zK+H$P&%nN(F~n?9fTYVs|2t&HGnzE0c%hqupFjk)x&na`*gRrdNI8d(~-!@-s(JgRtjkyNLpK zD7|dt2o*^AbY8tVJ(c9PXm8Iw_RbT$R$q1S*SM-NTCGOjzArO6ro0((-Y5tbbvu;D zw}UICrwx1t9_A79?>=NyEA{R4C^%lLcijwO*Zl-m7KY%GCkPxk32NGHsjPN{ces*i zeha%2f!k<b2dM#(_?{Vejl?1EelrL+xHWt3lWN3WLA_~PQ`DAiu#zL zGz+LUCkWECcAGA73YOdGn7(G8b#@~yHkf7_FQEiITD zLbwVvCbzdaDKf<3!R5^^=AXyUsaraGIMr6_g*YlN{oJvv!|FL-uNS@pK+xo1e_l5f zwgdRknAyKQwk9*?ZJa#KQt?NO(@XtL{jJ22Ve zB^!DpjuVqF9RP%6=etv}dGS-S% 
zUAvWvrfXP~%ixw3j-l|EK{DUeYJV7hs1U6D5o378!;8hkK1!xo-;omXeC-oy@~XbM zK}We`rDbXvN}C~Qo$;m{8qGTBH<7JgjVXt_yRNL^ zv>CFU?3mB5m(^2xKg+}}wyx$a3$kls|KgJyOFm{R^kR8C4`PPyMp}N0R)#yjcooYqk*5e~K2cTSj~*F+G!jUUi;E47HN15TL|{!U zS}~cB=Pf@l(3%Cd8%!po9WAg@RW1yG4BgV zDc3Xzdv_Uu&WrgWLa?{KPr`g7ZKy<>Mv=LFwRky$)2tL#RCcuuLCsyPB?L;vGGJM4 zkCxk+e5jGVBwQL2?K3}kN(mwuL2E1>jmQ^rX^_0}q3|*a8W_-)slQ;C;=A4xlc*PGj(x?1<-`u*H^~ zRBinAR`@>I&b)w}Wm@#i;!11p$bhGMh%dvARU%`so1k*JM-g3w%#Oq>K4#kL%2$gU zrc13MCyDCzE%cj;PLG>5=g+dG$!+_-?*`qzObr+_8l!=2-r+^{lV}=Lzt_*Oy9y(^ z;~VYOLtm3(WKij~9O!3vCslE+9F~QSRB62jC+-TR3a&0?H8Ygw`Rck=MEfua+A7?> zt=~>HX@GxyVEqVj9`VVm{y&F8H}SvRzj^soB^fa%S=u~<53=arN1h{r%Qatw0bA&t z2oB&HYj-;Cx$zV zxeFjv(-XPP4C@77*VPK7#)#o`Ez5bN4ZmCIxD_RLXLqEn&b=BMINs~ z(Xkn^!HF_a-UhA$znyae`a+n;0Y(qQcQo?PG=3Q(nUXY$+TJ?A}xIa>&9Fm_enN-q^wkGkG@d=S5584#$S!2)Yv z>2S2$P)rUqO&uxH;@{nkIV2a-EVU0KULPEyO-oORk<3lbS3e z4t(VNPxG+)Xzw@w^{B8{T1<2yj&q1Fk#NqNXg{3ak?QNkVxfkw;Kt+Cn{^;m+}RXF#MwSdSstN+Ok4N?I_LZlc#b<+PICNG>@$XB#&z+Us<%` zJPLF=;h-P;(aAz_@W8ju`MdQbMwRDBUucbA-jU6Cwif5iVn9%=dluEZdD&Qkl*`0^ zT%lJf#h(XC?G5PwwPEb@qqz-xqSr6PDztf!*p+wZW+MxQlfy`mYJv7VEL{w9;F?|c zDk;|U)2SRFOJ$3rN1ZAxW+sn6635knIdZJ^8CS0rN71rrlD2B{P}(OzGzpc)YVz1S z$Nd~+gs^I!4ez23c~Xs2V9!m`#%4=&x9G_;3TteHtoOZ7VX#&(1Stv7%YqQu-x8qD zVF()ooFH88D?#hlQiF6M067;Fx!LmggXy(#Q2LJ8;6KhS(Gcd`v5dE? zx$tOdy>sR!eqA{fQT4pbg3&y3}tc!pkQ^A1!qHcf*MFU{$ZmQS3W=?UicwQjwSM@@AS7M|8UEDsV0G7TxaVXOlwWY7RF(~IWE-Re9@JSQ~1K+6`n7M}|>|Q13 zY7vVgh-xCE;nl?O&~g00UYVeBvHos8mubu_!$4=6&!kRJrsovL zYEiJ$psZD%WI&3dW42E}r_I2nkN^p1mUik~sWmgyNP|j9VlqJwP$Xyx_h@LX!gX0b zgA!W4NWuO<>?2t*BKlA7C_UC)kZh5FdFng)X-L}%TfiCkZN$eYO^9~z!? 
zoq|ZF7jA2R0TmweObscbc=Aop(`-c|oOA}FAdYE9ct^^QaGO1%~jc00T`%n->i z&2USlZ1qjVL_`wfw0g%Gv_W8E{M}N)p1VCWQo$v|C{~N@tA(xgBIN(Dcb?I3wq4&( zPeg*~U6iOnM6Z(&qKg(0Wt8Z>jXorzgdlnyqDSw&OhWWBVK5jadat81yr-+&xBI@H z^{n^X`{iBBhjUpL<2aA9kN^Jd|86G0J2oFKAOK8RKZl8ONjGHU9IWKmV#;dF4h~z% zUIbDbd8Mg?Q!B<<=tT=-2k=Jct336Bk4fHYt;Kfd+v^u?o}%SzR3viOP9JuuhQ6%w zp+S8_tr1S(Wj?$yGBl#dO7!>GKciwWD9j!WxDuU_m+Hm9gHLOH{CYC_=vnJ=@Bivq(4WKemAEA)N z%9vw8dy@BOv=eA4=0uq#B8cFfZC@ zABF-fsrzgjZsNKbKgqyrhURs!oOF!2HgmpZLU+l3H@Wuygp#|A33Pf^(bhv1{Do-h6~#z!|Tb z{*vWFq@!Uz+z#6nR=ymfuuDCYmt~LgN$PYta=gxu9@Q;*sMzR1@!{pLk#@y5VVeW@ zPQoLD#QSFLXH$rEG*K^%svo3fiex-xS+jGb-rnk2jMIz#ibFIfwbqlMS~o}N-fMVQ zxC+KOzPrp*hv{R5d00wT3-(er+D>dj$WoD{zFE~0kS7|EQDFHu7K8i+G3e2*~qr^W3i z4_ERH2_c%&*<`u|sI|O+N_$mGpPjvQM}ivtwRO zQ*#e;oWri73@64$AuDHT-I<~{+Qq^YrW@kp{3JyOW*)zR`m3bQ)?Bn3X>xJ6TwkQ1FGlw2Ik@4UeBDb~t~$P+ORnMbDo1hOqJd zC%B2DJ`*CVmG3u&9jpgrs~W>&IdQE_73Zjbz&SSRx#fM1qjYnGu<})YQD-wB{e=s( zE?#Ur#>Jy=^&s4bTH*XtEq$i9v*|t^zkJij9Y^m?G%B8IxEQfkt-RVF+0x!eAv<+; z#C}%=1e;;m%Y1jB?BNm_=#sfq+pdPuyT810^Q`ufH<$8^AAZhAheX@dGS*)(tB#fx zTY17T;d~|evhd7Gv^9i6DQMoCe>Z0P69u*#u1qj4jb>);HGZhw(y|~(NyT`)*!qFg zYP4)Zak_arn%TN2W1>DQwWhuO0V84JtEZUv8slb8*NK>ALkUTP>72i~h)@TDBE)}R zVch>hpSYXhnT{}HHT=;mLjk@|-*)b<6L1N|mvIP5w!{2B{1)|nn;Z!-Pr$60l zJhy)MnzBnLQcVjzwuY~;&%RHotbQ5B*VTC~MaM1%-=DhbOZ`sQ7h467qaD+{{O-8~ zz1LORVm5E@m)buU8giqC=dvjV(lDz%4Qu8q8+Gl9CMeXin(O2yTj&cl-OXQf1d7Ja zRWrsbVYTXUGTrD!~oU=ebXb5~{PjIC>7|1b{zk)Mb% z6Wu~9@Yv~IJQ6w|^TcIM_9tZukmRDWoooma2v8SZcH`kr=vH0wI@&1_2#^)Tw1DMH zPFBH;&V#CKM$^NG+cG{4M+>YkHvJ~0vPktd}i}|LOJ`?J~(@ow>^)GIBRdwQ&Ofl{bvgcWNfTnB?FS9*D4}XV> zeDS-7w)_PX#U@^B35r%_J#m;I#8ASy@xT$d$w2F4K{84KNDhYjWm-`7yMfSqlLE?5PsgMog z(ngSJIeWAp8uBE^rWz2UHC9s>c4~#;2l~d>U)vr4)B1Qm2DWSLp6H|N`{JA&A=W3Nw^eO3L%Euu=v%5Tx1-r&O3u{$v3}eQW^4^b&Z7~azhj^)cPccm{rX^eS5LISVX$P$1Gsofx`qI97k#oV$xvAoMKx4fW zZj}dtAVxZIk>@(q$GYO*f_L8{``Hlk`v?%0O|qRfX#o5d=8-qJ_E_38+Dc!IvmW_p zZb-c_PHVd+wTwVTXxsl6{Cpj$_;SAK4)JuCcfmfC*-Z$>@}fbW`eaXGDd}t{PP0K` 
z4z19lTLpxQ3r|Ib?RxjrwWqin`LYwNcqb{#o&u7?PHPBJQ6Z;w*-JBdh~-PRbwo9{ zWRne89q1(cR)=4e?%$%l`8I&D*lsHY-HrD1jd|9s+?2PymKplQ#_tL`(F`M1Aa_0& zb+v9Wb=hCPdHWBN7WMur^H`A0|ek|1e_tnRHnp5$t5AQ_Bf7doMq+#PRV!CWW z_)7AcTOKF9F4O%BtU&*P@75ScWFZU84^RGq-CPINot;#}6N#A8>Bm-JGG4(!kD#y2 zzz_Q0F`!|4ar@wMXp)xz5K}|rBCJ$@&96E7tzJP1?~JxO5o2|s$&%OTyIS}##q6bv z*nR}9o+z4Dm_uhhz4pY9d?HK6ZBvWSa(KS%MQ#hzt>D~aW;cbEMczsi19 z!Y$#hV@>fZtW7XKI~53h6o?}hO!Qw|2grH}#hqq1yl`-``+-yM?cwtZyQv#PLl4$R zrZd*jn7G2i&_G^<;x8A}Bj*4s6y@WP>WX{Q6*TX9Vx3<1K_?u)33233Y%f06{0O|E zt;lCqZ_a~zQO51e-@tHUJ$s-Hm1yDC<}L0~2F`!45a2a#eR$T#9CrV{1Laeud7*X9 z{L{g~K}RS-s;hqTMjeNiFHK06`Qa8MY&HCjP15(vJjXz0>mz%oMH%y-LF1+F`=k88 z-U9uxyEAX7=i6vQ)qk|86IaL?7T6k+l~b%XPeAVmT#(Ib34BxZ=#qQTQ^2g z!UYq=+ zHi0(?{oL9Ccfr3YF)s6CD9LdpW@*Bouzhgxa1nE-sVU{OzJku}1cp3)Ax8agdFslI zL7cg7lq!kQUuVO)&ss!8yZlz$R zCEKs!syxGNoJow7n_f6s4W^`u!qwhom0p5*qLUQr3 zCoVt0cTN%KH!6#nR(9cOQXxK^1XJf}&z~m1iEV7ebfL9Bq81DNao2H6CMu+$$2G`A zoDm8i&eF5_H#s^CWYMFE&-f4G08D=hnsg+JR_r-F5h2_@b6qwLr&!f{vXo(gG+HRo zS#S>=Q=HxtG~Ds72t7TYe4hJpJA=jL@cE$F>UhubddSj&uwoO)>ErL)sZ?=!M+rnN zm$e#S!uQmjy}Qemu{e!q9=!gN5+6R@R}kB}@jmi_(BbcQ$E&{hpj{*{V(uRLgL^oI z@sya%kB@IVd!PFe9=C<+!c4jyC#UBNv(S)^q$jo&mew_}z!{ zOua+HWz?Nla$CXjqJ6)J4g1rtNHeJB74AJiW1&lF!-g_UHO@5tDc*6XqWql6Sgz4p z8h<-+6oI{~<;#ABK($`={Jna9ToA)q_hO`;$SaI@)E@f1k8LN;0v|m2#_vnH$cMk< zeZ7}MXEQ_Z?Cr_Tgc{?CSNI<17>$kgzxnRG(}_bV{1jE?0vWNa*%;!;6)zx9{F*l} zywj1X4=(bgU#y}5?)5dK-R-&o(=DUaq2*D;YWs&tN zn&f?z;+p7H*Kn}%+pn*?$fLHobs zn9dYcg@z|h>xTs=<1J9fO(*FTA9M{vJihx9H*U+62Nlt2`?}7@s3|1VeT5#j)HIcg zSOqDNp(+&Bb{CSa)=dZWoW6_Sfo%sk(1;M&Os-`dVXk{5XkTx;Omr09j1CPo>@_v| z7pg$j33D@&FDKzz{hqX|2L!b?XlA7S0N&F_vuiIw!N`LqGDL^pX341k5eBuPuWgx(C-f{kR$h9~1MF#|G!&d=Km&4Vuf?MvCa!UlyA$JfaZ}aC|t6D zT;q0Pn~~o+la2FZC6GcDDyip*yex_O++~8)ny^L9MZF=np0_5a?r5lkO_*~3b^MP@ z$xeiIzQKa-uqX7@AP4t#5y91pj+R~zrhyVC=awjBHE-&+LNy%AnNGHNw0J#s)exc$ zqaji6{QBcVN+}N%0-&P7C9HdK**Werzvse5iN!SG7SHDn8ZA>RITsHY@JIj ze7Ogz~@*^Vpx+n`rsUoS(Nw(wda3YVH&!hG{qO|9CzpQQW;_mnnojfQXcn`@?JhIYJxQ+es}(~?P!0R9jk?>D 
z7j^rSEyQ9D;Nj-nEKmJW)G7W0FR7moj*!y}Onq6e0onU>lIlCv09;D8Cim*QuzX6D ztmNyrnfZ}45%;F~a0Ntd{vML3cNBpvmj6kZ z;Nt^?Nl{rhV^JU;zy5g16*O*6nR0#wfT&et{g0wgT*Jw1)VlZ@5{rAmKrd0-V%{pN zxFb>VIjrYN?w*VrL)aJXFM#H#q+>FPd> z>(8aHe)q1bmS>B3V|v>HoXSmaBClmg;icWX->+RR$!8LLI;&(oVl$~oaYk)ARxu9l z?R*!k?=z8;MUlDbl_N7X9@b(rQOx(_s5dbtxAHBy!t%yldK>j9Ffy~Kzp_Zs=IM^{ z^XpdTB#!IosBGaVh9ce^hm&=BtlhL^>ITb9UWH#!cj6a7fYd7BKmYA_Rmnh4YPN0Y zmreD}J;(#YR)^zVa+v*xe%k_maZkvXK9T%bt|p=AD&C$C)!?(IVt>G&z)D|1T!#vOiluM@OI+&2@m{9)O@hDplGP)E0gQo?2M@CwQf9ga<`1Gv zu&X+0p_3d_AUq-qM|(c&Rc`MCIFq6Ma`kLU!+?7cAF{1~z%|8&Aojdx1zm=y@SAa` z139^DUo9er&AHPKL+(*{wten#FB!)sDl}t65%}R^3@7|2m^Xlw@j}d}q+6hP&NM{} z=BhbUOW~u8-s}@K_VDE8*59mYM1bG{Dc-~JaW9UJnsgRTVYY0uKbF0!T=Gkqw{Xox zl^f!ZchwnFU_wXD-wKen=pSZd|pQuZftt zp8z}e!{MikDy^fr71!I1J%a#50-x`3gRS`&n~sA~=Z@2(=e;0xg0^g#nhEVUA`V72 zW1l-WCajwuJqriX4)f1zt0yQKh+!-G_ufe93kfi84XT$ZaOsc^ew^BQ3nWx6#bO-G zVl#eOPnEMsN3nFP!0l?YWRL+SPQv>)$QMM2MZj?VDw`*)CmV6#j4l_U=}Se1q#uV{SyyNm#RCj%_V$j}USkmf8s!Xq^; zyOnAmvxG`MSWG=x{>1Vb&;4lL!FzJn-LIXnzMBh!{QV>Mb1`K@{Kc6P<7V5II%}T@hKA79Ckn1xON2tin-!J3HJGgK=y!Rd+dMh(O&q z8_TS$dxyd!ZgdN>ee#$jRNa32rF4E56^J=}wI~o{a~ydM4QHc#dE-^5%FosZm+qur zg|51)sA?}`ZmFFLbJibB9pw0<7|21ty#9blwB1{{{(?yExNAFodpn*iTs!a+ey%6b zTDwTPuoDL_A+5N_y#ml|wqw%+3RwonwTst;ZCH0Kt)pEGJk!!AMoC$#ovM;VwJh(3 zQ!uWQ@hAqZ{BV!rt5<#mtm09bO#9RHhv*5{)OQiy#r$A^DPd+`U%aV+Y5Phg=n-LL zOKIB%wzcf@-l$jebyN|LQsQ>*%zLUBNxyJMO;s)pb4dn=7LhEc`zCx&Ma8;hL`R03(o~!X z7P{W^ZR7~fC37$x*iO$`S z*216O^vRulXltVKm*J->#E-wQE{s?BjsBEOL!|YZEKTTG#%{CZw(@ycTA9$i$w*KN zruJ!=Zs+DdK2Z6^k79C8+e+kz)-7kh8siJ@(7IR=_!4ho0cvFRto1{GY*}uE!P5S> zt|*MA1*m#{{t#W&xi7jSJ8IV`tCKlxdise^Bm8I~?p-9X7#8Fb9J7vH_}II@$db>? 
z%gzr~K$_feI@2clFh@1SNv@i+os@v)5C`~K4xzf;EoNoZTN29(0^D=6KHnZX`pmCB z$`?yO0Cw>AqH0;4&XjXdA`+Fgmi*{H2KJ&~e5kH2ETXBCV?w$xWjIiMxXH_cMJ5-a zF>2=<4mwSaKMy>bNVBDSxLvwc!yV@y)GoaU4qwhOn+L=F#(MRPIM9dRTY~WTZtVTg zOtNmBewKGM+IQvZWqri?TFTv$>sODS+1z1vWJ|*O-;%XuJ&^#yOuM3k1Nd!oBs0i+ zFD9Z*NwAggq;((3;nLwX#$|dnEM_5%H4YYdAGkc+&^2OIim*$|*xvbWev*1F_RWU* z_2E@42En@tzMxH%7yh74R7uMy4z!)NGNateyY7UN)2}OslnI6Ayj3n|^Mi>N-jqHX z(~PdMQ z_2@)vt;f)!@dloXB`KZl@i{Y&>o+cMHL^ro8orGdQC?5FbEL-`>xsWxkF&PqD9rty zt6R-n*z4v#u~_KQHHNN_l?p`nl)u?AErc5xYHpOf6LFX=m<$tE-qq;;G$(>mTish+P?^r-=b%SHwv|*bU;%1<9a@Q3vchE{M-E4Rh$}=D^i71R)o=N z%FLm0Of;fnsbtA>i>9X}-8tSTM)Ye_03tH>*G_K+CmEC~BQ1<~9sPqMu>dF%y5hA4 zjjru4I>s(^z|2k! zncDBy^r1VS6m7Q*kb=|MH*Vd3dTt*(t@L~#$5frjLIwGWfV~W59Ig!_hAcB+c%^%V zN#3$HP^3)=34a>dGB7M~XB2*5vh+$@8RHjUvpKhvO(S6a#pbC)x(k(QoV0aM=b2PM zhsV3Xa?f6fba7o?>_(&3-GW{l7&pua7;}r^F&YW6YUo70RTUw>&Gzuz+UMJvDMvyi zR&cNF$9|lBVhTX*-p8~ zHMP2}!xnYxQSJbnAemc2_PWHj{`d0PREPFcYdX-wIl7XYAHCHps zl(iH@iC4Mv6dMXsVS6f-$$8ri$;B5SiSY$Ua$oLGkmTB{7=O)%!!P>8*nZa8;pzuU znB$u}qazinnIz)pLJsmje7vG15Uw)C=69P4lq^hbr~3zILOxQNKcu&O&?~5B&MI&%+VztufSEvj&(D{s`~UU=*j4{D zGww7W?&;*A4^v5Et}K0#c>n&+Rg|R^*Mq*kekD;pfi3|a^iEIT!HBVmJK5vkp#`5I zW}d13)K)HN7Zovjx?O(*gz~u8#hf>fSfhF^iCsqGqDGYy@;N`lw!e0jztO`~f=k^X zo5gSF(N3pso9MpYLv$lL9{J|ZaK6^Uo9VLQp-y3htvANs3YhZwe+D;k;q_W)Dj?29 z%Y6RT0IG&f^g3UmB{Y;z-!Dtly3`%<512B3xFP)dlU%_p(R5>9J`-@h++e0E^G zyo4`K+}{f+Y0p-ALFe_mNm~Q`UP%OKySn|Wx4F!uyLoJ}Ka#O}*84zuS;Z%Eeos&Ta5apL9um!gm>)R|?|L(k*hP;b)m*vHPcTNlFJI2c(9>Fb{U#0*!F{i-Fy|~)s z9a?LMJ??>WbfF@{IyYdfVzbH45mF)N(w%1$vVxmGn5E0k2CgcxY(o>@oqfTp3qPL{ z?SON@4ehyicuhjpFYSF-Z{P6R+uKtk$$0h`g5oZCINgFFcO0H6KMHMY3p%4HlntwN z8kNYjpSG7L5gPJhI)rM*z+6D8%{b`py@Q7-Uga)x+9ufGjOIq7u=a)J9Q1R!vo!ASn)d6yT;&&7|zKS@> zS1?vS@pY%N-_1AGlk9XJ<(p<;Aol1O$QBGN7p2v3tFwTwiG0&NpXWC0EfQYdFA2Qg zy{2$qE^GmFL-Hj}3f@kAim0>sisK;?u2O-s_b-bqkak#gjmF6Dd~(imn`$b-|zn-&EUfk;69L z>&_PYxL*l#MuWFck`1Ppjahjb!Z*N}?`n4obyJCC+}t8kWpOW8&0RIS(V%+!>3pqI zPO8jj^Ovhi@bjML)o{?h1r=pwH%G%l=Ieqx<_jRnv0EQr^qU(ViJ;{d=#ECiZmt8J 
zjD343Lq`qE{$Nj_JtyC4g)w+mQJ(W|n5=B(*_ZGHTwvfdhnuZp8YTceLwxq0>9mSf zUSjw64`|JN$Am3~PwjLEs~?CSO!kEJ`WEOeD*$zMJwPUxFcplcOuzvEUJSAimh5Pu%a_;uNQV^yHyn(h*OLfR&6%zNBA;-Pd zIjFw@Y2MwqlH4nskPC$h2JG>tI5J*6mq?V#$VDc7(eqWfs?wMk@;JH4@?BpoU{J<$JAp)smgJ>rxuUCc@X|zO|+h zzwdcj*cB{gMn#SV$XPcx7e8KNiw;ckl*|af$*>4BGavj+MaJ^l z7hLuDE6!=7XGtY{P7>sgEO%c=;@T;Wvjlp6!OL@3)-tt>g`en7fHrZM*0-<%inhcN zaZhG`UfvfC^vFbhiLuK3CuBoz=>^K&o!cXyyO#QK#_EO^SFXN_PUEM6?Kq>Mwj?7guO7vB`+p#l0Jq&-eYn21^#c0T0=dJ$Re&pr(X%5}$XVjO7e|Bqq)_MnU>fqV!_@nX3WnAVzp1%@Y{dSEk z-OuxKT=maq5=HWDSW__~-waw*O#Z?mhs_i3n)MFB@b0OU?e*!#8rk>WL$Omf|vG z@J~>Om;o3KdXbv{z2WXFo(l)6d*V<32h!-0l+OAB7!65h`#(Xee|+%2hVQG$qooL* z|D9Q)2S(%nPqe>=^8Zh?%M%^gg#I5)G=hRReH}G(H@E<(E$XEcZ~y6$`9Ad%&87a~ zvEs|nTBCRMFyK~H=gKlx9=J5&dR=p5j8(0YXe-@ke>o~MMO?kYwK#mzqZ=)u&jz)v z-5MzqHF4_pnwqJ}8D4r{#R)b^4Jun%a&0k*72BRIDEHp*_`2l-ICYaJb`t_(eV&A~JW%tBGQM zv~)P@M3)#+IXE52B2Hu=$S?g(ubzn$O#2mWo6it{R7)otEX_OCB1BQrv9y&$+=qu>tV&IWb&@M*7>%%_jS6-?FwuV&qAP^^xgNrf0wO2&wvCTJ{u&pl`lA@S_qOdT@?L=D z`y_yg(M6WS5N2LYJ!h{ES`6JmqD9D6+lk2I#R1?-ql1@YF^>y3lJ@NrlCt~^!YIav z2{C||s+PfFkXMh;q-gG@bHDfR252iSZ9$&=&sa&W#aO!LVAZp1V}fR5bMD6VXAr&B z^!^FHf&I%e2qdks!@+`*-+F9@{i4PE-upn2A#d}Y8BFc3ljEaEAk9G-AX_5V^!|iJTK!Cm20thfda^7s0cnwxI zCMJEJYfGuaOE5>_Lxb6yTseQ+{mk-#!jO@=R>fci%Mc@z&@ho;wG)3-)1K&(FFJ8R zb$B)Y&m#VR-^bJ)*tZ12eZe% z;XXP24a9+eB3qRq?-VFqwhS^FbRnXBoCwv7nK5RI{hcy(+Iqt=cA!>*3L!VnL7+G)UUb!I{wR&|U!XGqJJ{rq0#p^iAyw4|0V5W9nYH!%ArGL^%?i?3g~`RH<^kRVurl3M=m^Z&i^! 
z4YrZ(lTe}Sw=$PP1rvD(7H%JN6i2_EIW;(Hp=-+p!=sDnxvsaf5ni^~VRzckplejmH1T5a13xVw4v+|Ftd2g5nDEdM#+|o<_=30+-MG`=c+j>)u%53s9pBrNz+dt1 z6JN$mHqDDV0J~Zl=9C6|O=koIh|Gj`D2wsLsA^4q+yX9k=4b)7WQVt)h}4w`43+Rx zIa8!i@@v4S$#rrY3HbSh3-|i@&-k3^ya?Yv#a!*)?@_)G$elN89eTy^vjiUi^if)+ zDxWATfG=fqb0db@_S3OK<+EW5BP-m(H`RAp+uaDH)z?$=wz=vb7wu&U(b)U4UQIFx zUYXq)v$8Tjfe7DvcW1VTi>!D|T=d)srF@bjTkLtjgx#-JwMik6$V3d`gQz2E-TRVv z3Vw=xYnG0V%C{LQ5*Yser_YaR(-#_0Qy643b~R5PYT5ufp=ejtwwu^j5!`dCD++?x zm)Rz2?;Mqx80O_haMNci7p7HO&5I<_G*#-e;EVXGdDpEBVZ7^-P643Fe!t#rii;Rk zQSPs>FB%r+j^XJ+z|t%u8Qq6-iqY3i#ignYMEd?Uf?} zT;6+DZ6#vzk?$hO^yBks)}vW+TCee%4mWxR(|YqI(l;!e^qB6i#Y4agi`g_nN|1Fl zmCdL&x_J45bCP*C>QY$DvVwdm@jHJI(V?^sIsk2?jy78<7iPERSQvMg<<6Cugz(rr zIX7%!nv%4*PXo9b@Fb;f4m`@OCaR7(+WhTTsJ@eqt-&8#=N`_oU(hMqekh+c01_^e zZ}`Jer=Xiy-|6l6=Ex+}*!bhE`;pumhbi{THE#VI3}BX*IY5aUt2vk^y3PqDk7t(s&Ln-|AF-u};! z@tG=66v7qE%KQB<#Av<5RLT7~O!PyAz2TR(@Nne$5y(MLwmb2Afi^o|s9En_i)*jh z_)cf(GU~pVVNBC??0UV9PmZl}-I*PgnYEE)#W)|YRhWjRN}Ti*Cw;8h8z$dddS15$ z87^=OTc{2K7tJOMtF8=ncZ62<(|PmBhLGJ366_P3k7mODzP-Kct;$T2!oWqhx^hon zN$IM`%%>}W|CRG1Ox1|~X*~t+jKzJI>UD!m^HaO2l+|bk+ay4b`n56?aEmg@RT!hl zHt3=Qa!P^pu_%Ae@jse^c1!MG!OqfM)gy|n#LZEZ`}O-rnHOZB;%>Q1K7FRx+LO`Z z!e$(Jk)E&$oi|XFI^}aH6$A*co4;z#O9(hpG3nUk-8irLl2!1h?T1~a)jq*nGv;+FW`%8G7 zIvnwSgbx7n%#j17@<~DmYS}{vC&d;;0;n|hKX{^^m6f0V?5Unj+U;Gs$wJ^F{zdH* zlRr?84ulxDuGK4NBQ);OonEwlyYyxM?3skHNYG%cU)k5hn+|MBG0p%~w9B%?-AFvB z#LLGo?L6%aKt)6bRGA~uHBbsY1Zbt+hb$qB-;L089dDOA*K7CUvsM;!SI%fdf<1Qp_7V0%k3l)-85q}hT zSZ4Bk9b@Ot*_=x~dav`rOLP3C#F8+j;5&uZ`4z|eN|`s2fR~H5!w3mSradpf2N4&j zJvnW#1l407`N#!N<<7YgWR)X9(r+;R%3=Z!eqs#7Qqn&WSs@o3A)BUAGFO#YDTd+H zhM~p+54LxaGA()b+j$ecE)|{|nLc>rUle`ZOU+b*nN?!173tXKriIaru0`+R(rKnF zcmVF1`diM;{@pduM(TqfUv={VTN1GI{kcPBjQX-!a(LIp+tV-LfSlkuz3+bXWyP9M zc9UPxkEtH=b!3j-<98ywNxG>x>(fO)7l{s~`x5`YZT@lpY`xQw(`7{O0G`TJF%N1w zZvt^PkeVMp-_HoYw=PP$cAtiwZcv&$=OxEpxuxO}CANUACAbnoC26hVqm6dGD&lIIg|X4wDYa{QmYQ+d(NcHY;-W`PSoMkaW$O zajBbij`nArs`q^u{VL;7>*==75m+hz5ZRouaO+t;A!tO*`bND8dukD^ 
z+8eS-v`%JSZWizzZL<(`x$f!8HJdNKdqgf&Hw<&S8Y0r|?HVFDDyBX2Umq>U8{d1c z2UuY$#j^lrFJ*FsRf6NWQKg0tt?bKr`CfCJUm2~he%EsCiD(~gN`rPr46xG;^ibT9 zcuhZkf?W_)lQoM;B-<;Oul_=3#eP@)W)uqxKh@6%Z|eq&EizA*qf{LIE&T`Bo$Zcx zzV4GqDxw_CFi!wyl?P)_CT5U|tsM{wfgYj7V$zSfF_IQ>JNmW93R!J_33{bx7I;db}lC9o74mqJ+ zn_~3w+6oBk4+%8SPu?H!I-|U6Jz8k?W#v^;Uq`hW_?VjIzgA=);L*G8tNrldP2x`< zD}9^S=sGl;oxUVJ7<}BYp!CBnqe3a^bazOr4Vz>eYyr`tVOe#*LCD7GG3 z_(q8I1&LEk-c*d%@XCUfZIf{JXs#)Jlj>^$E2jZDHY3q>Mwt#oYRC}d6t>a|%V(;n zh8`R=$CURyK{^B-CLBh~7jg^@HVwTZ zow8;75~k-6%+-)xTp=!(5}i7cHI{U9MD4fU{rQ&^{~uM3^z#s#F{Yb5;vTYw z{=%O&CbG`kLZ3DWf1bbq9w&(?ZunYG0bg7A7ov`?-aC{p;2374XNJ zuL7Tq@ZsQ=)b@@}irOW&B@UOH`Y)vg8aaKNmqHYR`Aroeq{Cwp> z9IYNns;uE$@})&?8WmMBpZ#TAChTJ0J(1lXh7zy4n!d08pVp8SKhMcFTBAcnBBJIN zepQv3kolL>hDqwlyU|BTkNgu!^5z3t&&OKi&1ZUb9e^KaD!Ll19V7@Yr(yxWeSJnH zAS*z`^0vG)%xq!yCSq-OU7yVAcK!0ZKuj6bb}W2d6Z|iKl9Shv+I4-qHd_$xU-#%X;U-bx zMv;)TH9X%`;O+!*D`w?JXAC%eNL|a+kPO3o-|1BXdwy_)`_pHr@Fhb1D=?VxUxD*KIQ1_dopZ``{gnSq)1r+K>GDzB)EU&3kZ~ zWS5zpG7^uVwru+xpY`k~wM??lajx}>6QYu<{!YH5HGr)0qb2*4S4WJqo*_9>M%_mm z0o!W`vKw#F1lwQ^XG!^TZO&e(zQPjac|f@>6UNupingP|uEAVCH+ha(1e~Xcx2bZH zt-i^!1+D6?A65O_HYhfIflIn|D@De$42F>mgSR~qCE;2)^wKX}Z!(WaHZIhkQA)M# z?YfV!7GOsWb*X1@F@(v3FqVy+{1=1tqq{RgaA|&uYo^%v<>n%UWj^=a$nU(+ z@Wh`Q-A8H*5d0JFX3@&x{LfngSt`7E{S_IKqZpG4+&0Cf%(b-^GXU5k(H%!yV!;Wx ztsf&(jVL-je(*9rzfA@~|9BoL{Jb#_Af-<(^A)Kt-nWG*y)w>-ev5mxyr$Sgw_3UB z-85f{XCFD8=~cp$VjVM|yizOXEb8@k6DB!4bOEm z9e&(wcyIOwmn`f3_4(8EF6qqfcKK@0rn94s`m2OVhmcj%p7r!`lrB+*!z|P7X#}vL z^)7!)@oeR#BO7ug3DIH&#XuK^Jaq6-r0yCy_JluBhVK_CfWz z6`!rtF!G3BH&6*5bRAL!#gd*pw>@o<-1fsOQx2Rh$ql%U z_rwUFLX9P|R1ENhs2bmLSbd!y5YX(vNz}9RP5`qY4U|0wkG}&j5Z>}y zQ|Gexo@Q`cSf!~^AENJQFqfxpLu6K38VG^al_Qpm-aY~^^&}8wg3h%qeN~dlb9C$~ zhh;0f4!Ss`ga!Oz6{%#{);wMR(=K7!7s5ahp5S(3VzcvzA;Znt4xk8yl6^xlfiN9V z4siKMxEMGkL@ZpL#8`l!E((0N4@TAd2EU-~Ap)HtW70>*F4nk&Qg+L8&Ad zSm~Mgo`x@UkHccDgE|Z`F_$xdXn14S{X^YFZ#x}cpg)n^4=-*Kd9m5R*zO9Us@h-e zFlk|hPCB^fQ+S=}<-rahlP5L*mGv_S_w}xn^<1tzekJO9%zss0^etTf_0Z#nvqR(5 
zD!?AJ0Wj&V1e8eAo;wy)G=$O_Y9p-b(Pq~5ZWvQ{&b~Ll&O*R9maqpH+-m7J4#{G* zVWeEUs!ruwJYl2Pa(e3bi{pDK%A?cpIaw&+V3oAz0*DJ-9wo1$7?4 zqj*50>!uA7U9Wb`O8uyf&y`(kw*!>30tRo~vLlF4&m$AInkQ)3JYR28JlC5q!b2}I z`W!=Lcu(%P@0VfMcFD{hG3RA(|E^erG-DL%07QWZUPI6)7FUvx7{lRB0cZp{&C;2O zm)z)yct=*&;{I%${19(Ai&P(dl8 z(rok+>7CdR>AiOlkS?82f+z@5rGyrmRH>mCDM6|v6d|+_iUJ|hr4vZPdELMA-+O=K zeB)f4G0x4o%S$THv)=WrGUr^S+`GGA9>#&dJLrjzMfy+tW^UcO>HXKd@)I>sQSiZD z{&&a!=$WZXin3J}`h{oi!8$xAQC-=Qd0~s|7^)_j%5$~WTVY2*#(H5o6I|`qzhozBQ~bAA&&Vt{{czwS*Wc&?N|+9-E=}XG z`boEpQ7LSm2nWrkYKTBHpz&{@o_m-7A2pI|zx!x^gyQ}Y^!?)!cE?gfp+ea9NyR^& z_{XJ7D$p==Y24EC{#!o&*EIwlf3o}C%Jf{#asJ2K|91K99T0fVykln9`$u;Fw@(Xk z{4HJ})|7d0YfAYhwmMwL_K07m+F%0$P{zc}1_eoB{!4Q;82Lyt5k#j|7 zOh1ci-u%GPU#F3Me{U@2PWcif}^!amvH_GV=z!e{N*@cw#1UtVa0aKe)OaI4I4 zmfX|LHr&zClV`T>T6$+&ZYbh!Z0b>63HwK#{Zt6=o$sag7Zdx$e$TG>a2bS|Ar%4X zVR3OW{=)sif3$>1jNPnPxzB_oPlNwGlfv^W)_&q!g_(fKDfrAT2+2|?Xcn=*e(#o; za-wibJJ6OHr<%moU&{=JI&5=4suD;9yf`3B^!4-_Lng$|d$7iL`Wgn!MpN{Y07g`m zoe#(gh61=i>`%fD;dpsK!gB(t0*V>__L1k-gWC!pzn$1@s(xQjAEcaQEYC92y}$GH zap>)(t`Di*EKhzhX_rj#j%l|{X^V~NA`Db6l#K531`YG_zPt72Djl6;1kc5^`$D#l z8xQ(V_SS+XjGVG-4x|DQH3v-uPUIeOy7|C7AZE_~%CT&~x;>-AvUcvlY!t?&fy1GX zZnNz>*KAh6($DX2^}q{FPUB^%d)Agqs++YeY&H|B2!|5+>*y)aP!)tj6z>oRw>+&hUK!f_Wr(<5)7m_|Z9kWOX zE|jzgUXLox*q+j@FWj0R^G+!28)rqN9mgx-pGAMg9IfJna5xcBXds@YcGjQj^IEm@ z^6H!O>|WINy{tRCMPS>msPo6GXN+Ro9yipD=~GEBrC!bq^eC}r^#9;z)5Gv`E@&p{ z8-!0r-!9u*AEl=yZ~ZjnSzLW*Up0i)ck&MV)bs{S@g5mo$1axe$2N7!L)V?QB=YQ_ z?xbC(cE^_Q^~WJ*xgqp_^8lZ+ABLR{z$@R?7l$<)s*Yt zC2P_X~S>Qt~|K+IoMIiLXoc@mi;H)r~F3Z(xd$ z0xj57s4MlZk;?*J8qC1cxXcTGtt@hIk6xCL1fD4Fn$@zA2k_>@3V>qFea`> z3`>lZLX;$2r*1B>_ z^>3Nusk6EFG(Vb2@AT_WOq&PQnFXG9;VZPX?qs|s`^d76vvN>+KZ@(!uP^7_xe-qs zuiR7gajUs=$Lgh_@MddD4wL!UD5eabfVRDH(M+H8bSB?9ISrXLOQb1Yj(!k4*Yx-} z!!v2yf2#IICiJrov}Kz}+Hs+3GUoyQlb%L*C14CeQl*qdPNom_y-SsHvCHzz@jl2&pV#7YE_vS{>yFnilStVSvPUqhLn}4pP zz7`Saz<81~8yrlzFLQ){TlR2a2#FPc>FXY_nMn_Cr?RQRxjHX(&k^R#2COC@n6U9P zgDYnDtvfIpO^#tVML${AH5>1hH9+f7TF`9V^#d@D{|)$NQqhltbP189SjNdmrg=?Y 
ztEpT-0c-KJ(-yYoX6~1bkrmwc2oBnV+`V5shg|N|hYYwL{>rs!Y28Le@V~{^__B{IsO>@3(iQ}q;*1P*tr7`AEqw*>782h46l;C}%jI2OmrSq(#oc)QD z77AM>Yk*$2ZfdDv40u86b8xVjxoF#2iiha(rj=}X>hAdpt#8ESg{Rm!N%Ghij;w4Y zIm+thsJQF=il*7<-%CrMLmzfiuT?6$cV2PW>ilF`ek#$S+USpZr=UTp!7=lNUi%1x zIwgST3vPidlunq_t4xdbMph-NYb*aj`FH?m9lVSZ@Jr;MiB^goS7LtJw*-}8VUwW@yOm_bPmA9_wNL%UP*C$i5J*|5)AtbWAGTxa#h5A3T; z6@(e4-8cJo)aO^IIOsMccZnwPbjEeKkl$)~W2yDPeGt$2SSMU^-SKz#UVK=l1tBW` z35`P@9=#{8%#eh(i7O~}n>!6e{(v67!NP0)8I9HWBlWfK<7%60Z(iM&cRxFvL>~(PE%MesK#LXSI88FiL_h z+L~q8B+mH9-vlt~vr!Lh~~(-Znr!e|B4>)Pqob~BHV?HfB`)AP#jn6fu9!4_hFRZ{IrOA`*|6A3E!9CI@Tg6S(hf;FUB15{znt&#sp=^EscG)HU1qtYR+I&K_EK1E zqBMmy8SJ|Ro>2lrOx@(jf)~Tov+A)u>NrUFr#dlC{e3KP%=o4Wo5Y%vzN{y!-xzki z!JY->G#G`Jb~PP8+A_^L0Jze|+~iD@6HO=I>ZI#I=tYNH(xMvKf!0xpJ2&O0=Nxfn zK2;XNjj3`V&^yGcBHMDMId>8tLdpaFt(DbN)wbzPJ(D^*)Lw2qdgn#MQo4`HIwt(* zP_ViQ^Y!G3Ity^_fVd9$m)eRw!EQhMnCSpK!&aeMT)@Gp4*=7Zf-!kXXBwo4^Gbyr z$7Qm~dOR++ z^AbM?Cqj0K@tsH5F9oK8(8mVkS3rA8BzZd~IBZB+6t_xJdrkGtn`AzXO zpENLr2pKn4CX@zTcAHy841H@4*$>kHH4P0&nB3>(^YodiyUifqG!m2+sT2_JPP`Fn z-@2|k1kg^J)D=qC<%lod06GrlAwAhW?5|#HGmM#l0DLbuno2XP{e8b#fkot-bsr&4Khz}s*kr%M3*LexiHem*w7cFmVnPNNf ziv8!bGm!$DcFG}Jv&{|roR zJead!2}x5!K=`4+NG&mT;J9sl#8c$md1Vmto@}VZHvYe z&(jJvLVt(=aguAxa1hlp3MRCQ&T)hsHuZ9<=6eJW-`y|}u&%i4q%L{%69rNr3yuvtNe`^}^r3-rIQ`;=+Y0ygs@1#;fI)A^(lM{e8m$4IKnhUO~j3*EUYo zW~w&y!PbWy9-XOjShO>t%4jveAB>itZFE@rMN;@ih7}u< z`?dKkvaUvMglf|H81j9CaB#z&EqAU0-2ciXSLYMM3e-3ziSYJ3K_yZMSxRL)y$ujx zT8HF)utt!e#dzg?mSnYX*{!GAhd65Wn{)ZCUmLf7rT{Ji7$VM24C`?3t&7x)Eg{S8 zr;rW7%Lbvm3! 
z+bSE`K1deP=P->pwC8zvgNJ8RMo9xM2n>~#aBgeLlt=czz^IIvL2RQQ^d(e@_a{NE z*xv5u`5y(`7`pT5=`OXYUUR@ zY1d&6EhX+LW=S0??=Jd#>6ouNJjdsn{>YzOE%7uDDwGi~zdgWL`JQ@tQoUfYPrN+M zqG^EAJUcVo6iL%P0>c(l6S!ScqKy7`2nEG6WgtDV{>`6#xR9l?M(IWow7 zyf0jSkv?gjt89NhrHKEDVeiQ?GXDug00TpUcF7ceF(cRvoZ_u*({3gm= z0=XXM(y7u5;zZ3HZj}h6%&nrFkbA2rVUJlT+CiA+osk4(Ucon!t5it;z}{1RM8If1 zn5y1EHqD?ek77OPgn4Q%)el;jrWpP(MaZl@7>i?ri4O8SUOEz*d?jGN#h z>jWD3sS6w>e_`)m#0A+gr#mO68oa8hF%T3VqUE108y*NEi(Ra_UEShyq3=DS2guQ` zDN0Jz>Ml?2G0Ub(^r=RUZ5la=Nx;_+S1r~x>)+GuNl6{ku)C&&8K70@Z}1LS+QVH- zR=Ok2z=F~HbfHDr!c-S`ionGw=UultK4qJH9wYg6e-w2Q@^OAN*{X(#0`+uLpGXFg zs&uXy2xM|^dQ&kOW#3*`FyL=HwB~5W*3c&n*eP>9d%<%NNH;WP796t&#k z<1b5$6Zfl^3nOVK-nvA5Cii(6o49ZYBR*JjF@|wvebR4tm$vDdoB-JRGlcABH0ty6 zPPVIOb2^qzuIa&)%GE6Y*}bfqj)LS%dC$I_F~G@qO9~HfGw+nXqysT zODGaJUdC_Tg3K_Qz97G;P4OPr5~eKDck32*_p0{HSkPj=?%dvUdeMa1q1IN%xL3+* zB(7SJd2Lz^7aO(vzV4s|8eV2gdvTJsdU?+WX`IKeLhWu1$%z#q+OWk2%sxFAPD(7m zV{uCZ7*0unQoEmud%Fkz*-zf=p6{^}pG%k1cxm0i^LJ}Jb;0ZAAHgcNLDxa?nqb`> zh;Mi7M)oJu(Vrq*jB6;q8iqI=WQ)^@)O0{1x*x6Z$@IGg!x?>?^$s_@>?Y85N8pph zTJe`<`q0_RsF{GxZimIMZzfeSu>s#h>T~_E!U3>@FXstiJn{LJa*p8>j9FtN2p-Gqmv*Ub7J;-=)4}FnH3~M|s>i4+RE4}u-=BPf^{mjF zsN7UUcLyJr>LFfe7u3CY-#jny&=Ub;-3Yk)fc3mw!p`~(GB`wCGNe~MKqK5H&V|vU zc9MGi+P%oyok6OR1DaGhI4(kNe1AD_O1=ED+QOJ}%I3j(>0`jck2A_1KlRkt^w-(a zPHPG^qB+TM8mq{n%>E=?O(fQr9%%_|H2xjX033kO3!x?LSzrtD1J(!a8GO97olg)HUU6fG5P8}Kl6{de1C zU=mXTd04Tu7Tvi#@tM^5668PiXwa#y=C;GKRcD!n+XR*MGxISTd-{kH_O#fydtYtW4EOLfahV1dE(fgj zLMK1MeNZj-UzUqx)@{&g^pLt$B`&E=J-#@H7DtCzwoEREGjKKC$;fR-q1>h-WTo`t z2UJsti%7s;-p04Ny{g(-!c`>QgEY6!6~&foyE+=h$Oo!lh~*L;|6mK1wVh2G7dm@x z2%LSD`N9-+zL`(4?%}KJo$s&|mJNK$3~Z2| zeK1pGuKT=O6OzX4ZbqAeN3ZXrLAK{;yy}ThX!^8F;J4^k%F$i#9aUci@OUnzt?<3` z-&q;l%G*%fi+)>Z3d~vKFrj!T_!2TFv~Q(oNb?v7k9Aq?raW~HfVQ8qXNE1acxlFt zTUgA9#BgEwz_Bc8MVAD>CbhV=>g|ye?BA-h`9B}H;_A5y3NAKGVJeo{J$R7)1hu;9 z?IJw)ZY<7^Q4S36L)MK`6K-~tR{Z)OResJKQPDeFet1S1CG(K|ei2p<4tm5$nq*b$ 
zuF`(K(u$%BWZVMkaQut#MPeqYzTdKP`5GnBCsQg^7qu;gJY@sf-hJ1IuU$x(^`6FD4IB;=$osrFh;zhx&jlZ)>fm&V3bJ5`3@W7*)l!3F~=bIZevF<2}A5A$XICO;4KzQ_R zq;ZPN&)%x5HnkjA@E!;>yiitd@1#K+*=cp~Q*drvq1X#D$SdNNy?4_n#YJ`wqugV2 z`N2tw$R(Rx{+^Gm#Vx<3^@(7dk+Pan;-LTq50CY>fRI6X85KYav=B)1 zuSV`VFWU}o;}wo@bDz~i1_}*EryuT4d#-!!4od;#4>#Dvs;$I?KqO^jEKc<}Aa&@D zc2-?1=Z;I>u~xZs8SjB-r+DsK791OV>}ph^U*!hEgEp9s4g_a9|3R*J`08{Olzdcd zF|0R_JaTNVOP7KRP#0A69vt75htH)xxZ{#m{-JM+*SbE2-%L?aiyMx6UQv-i*>3D* zBPL{OEpx@SX#My(T)sV`9f@eIS8n#o+X+sqKZ?I zleK;SrdH%;I1JQ6#5c^*t=DL*i(46k)3Twv7JEBlw^=%<)R;-E}0=k=CDW zFN2mfy{LJk+Co$I*TXjzO+8H>dK%4af(Yd7#tn^KFU)eT*nZN%Juwis(({y~gd!9lVIJ@YnUU&(8D+3}XeV)|EZJVL2m09I7 zM|EkmPS!@@n4R+BRoVB1gO*sE-umI1p`M8Ku$2l^t+KgGtFo)6scX-ZVdR5ZW+w19 z`71PNY%XCkrx5| z4!Gl0Ex`HQHSG03TXrB=Z;RqrV>rI|?BX zU!iFMV?zdAL9kgTn`%CX7&Aa+`?1hHC<0DQ>GReM%OS^ zusadQ9>j2uf&sDxxhv3+&YdM@x31+3Pwfhz;+Ji}-W$=DUvzaq3PE9&svfu%yqGZ< z6oEckwJ3UeQcVztXn?|$f+f}!3(0c*gsZI^WB=aBB32*pw#>QZy^g<1O#ev_Jp{osh`_Ilh>cTcjimJ2Qk6dA(|V|`WD7JC^?_fPh4h^xjabmr&Q z3tIpARWHp?&jr%gh&v`xuhxqTmX@~&GDHF#1*Ok>G`MjX~U42g2VX# z*gzTESwBqs$0wIY5f)n9wKjl8wENNbGls$@a`|z_{~%Ajel7I}cjW-~4(C6!sQ*K{ z`%NH>c9SK8?#@wf^TX{?GIOdehVAr>NI1{J87zpY8k4QvP>C{(RsGd?mc*iR%CQ zs*np8ABM30XOPAJ-06S+#ZvtgwX>&B#9ze-{s-vc_SHMU!rlvw%KzWl?ES!3x(w0? 
z{qL{3d;b)bPw1<7(f@Uq{vYpUPJ8TC!GwRBZ@nR*!;llkhXQmMX^yF=w9`<;_VOPe!A<270-zr;;faQ7mLD}2XH)oJ{(LJ^C|meL{#Ie9qUksnmBj4FHUX781JwAk&A@$mj{5@&XtB-x=VKW#F z-*5h_*MbgMhXDzqDev`IYuU9*7Bb}kM!n`-|Gas9{GKK(E1)9tXt(Nk_>p1!CZEZ6GCh=JcO6)v_vlS5qk9U54gMRr5dyFFO9=@is#wO*fjjgGR63wxgj%i(nK2~A7)-a{ju()`nT?gWW=&Mz6Vb9YeQuxG@C_UG;XyX?9P%eU zB4u;TM1hH-=~!kRtM5}!ooclM_nDGX_oz55vNzM7T0LY(#oTxrMrkc>d<5Fk%qTd_ zWlTE!UQ@Cq`6!W8=0_gSo&GBDsq*7j&rC7y`dyRA;3Gy3u7ScXCUqKVt|8@@5($XG zkB7ormTuoa=aD>QTvUnWM;Ec>3f*C(MSVWek4pB^+K7{xgc zxx&_3P34Gb^-PHBq+^8ocBvvwf=S+@;7+M`C@FWjp^5dJrqw+mE?xI37;BRMavtv; z$GJD8juiGKMmnWi2ESf7gXO zE4*P&UV|&+Ls7uSd(0IHzmp5&cW-4^r%^TPWw$TH6%{MSoo?M$ek0g)e@dJ&X(^IX z=;+9avDAJj_rb}>gG=6sDQsMDMqSbb%hHrnsSnbzZ?xrra_p{xt-&WNeEixcrW!Ky z>1gb%CdWgAh8mz~4BP~IuNL&VLhRy?Bd$S=gM*qi*Vk{}0=IdTnYp!|HuFi-Wbux5 zr0 zxq)2~r(@V$!ZAC(GILhpB;Jqh$=*)MKAdPwW~`Z*+q3RZlclg~uFDMxLmF@uIoFKE zG(DgG2dGQ7BF%@URmuhGR6a+ea$(wjDvHoBfzZdt4|4lE@U=a}6OUPw(imw$spv?u zzYK|(TWJ=Iika$(obXw=^!Uz^oJE@IL z(@Q}-$E}&`zcT-r-{jxbwVX)Ib_j6iYe<<}xr_8)Y+t*@;|nrsB0hl*@8Z^=CfZhq zw#3u3Dzrl%oh#Qb5U#Ss+|uWyeO z5>Tsnbky#T@TXDN-!rYS(lHyAz8lkPv~L=uLQpl#RsOIG8%=-RevX-eAHT5#FV*u^ z)8sF`pi_ANC6YX)9Go3EuRDDxK%j+M^653w0{wX}YG=WrOy8+xu0$bevRA-Z!JJ3> zJEs?9RrI9ZdfCn1n#!rVVt)N_zX8qz&mlbvo39jO!EmPvE!3)gb_}L@vxE_4(`&c9 zkArPX14V?Q>>eQRfr@L|_=2kZw0#S=Bx4?beBPa_3@0Drr|C8FyDxp7vSIGsJ6iqu zfEnF%d0;WUJX4Gwe%p3A5+d@P_$E|s&``Czg?!3v(kib+%M%yL-rV7S=*VYY$~giN z37Q_{08kT5!7hRvS;rsz!~~ji4TBEW)q1_(ZOHCAd-EcY%Q=(b*;=GLkc#(rzjY?o zm1wSt=xzEf;c%B#U2~9`QXiB3wfA{mO~W`H{jx#9rp*z3NTa!Va6#q#eIljk$Tnxk zl>=OE*R2|BJe9p{H}ee9Q8i zyXLbiw}!k(&Pzm%>R+C_qd9Y0RU&7ITH?(O_Jt$YgKDQ zZ<&DwR$bjAx5`W+cy=F)!>8v0K#xEzADBQ3e)QNIGyYELz$~#k-OU-_Aq_@@+Tzaf@%j@!O4Gt^BDG44gLboyN0^6<+0I# z9JpAcaM8HFKS(ubyHAq5;X5du#M?}rDQY6KTJe%u&h6R2do{OT)OL<4Ms`xu`XGXY zIow)ce<-BuGH|EU82rS%^-x^1ENBOR^*24_=8)IPMtElkC2TjlJ*(ZnmBiTVQA1bu zP+e|YygP-PL%0a*zV)&GO|vg8iUoP8&Z{D_f(z+vFV$2j5Dbmi)>$&dFAYCvK3Ga3 z5@*M~mnJj0_vW2fTku%g_a`l;R;^j1^3XDGnXM%*^DlwN!0lha76eb&q}CDZP>tT$ 
zUOmX|FAmTOQ5!A8DyMB;BF-T6>+ET<k~@Ee_prpi6$m@r>Q)mq^vNr;0hyrC zlJ13oX?;VQeZmRFc5B?khshp}GjUx8o0o4l&LE1Q!mT;$1@YU7wri0#nu68QkB*z8 zCqCK8Em->A@>PSRqgwT$ge;u4v4C8l->^`y8Kl6N2#h5fOfg3i)$}Jn*BkH$|N7%1 zzD_$3EsM?CH4msW8oDqtB$^csipvhVUc{BH8j0wf3Wd-$vy`bK=OdNFnxZj`idinc<5 z)3`-)ddSJ`Gmik2G`YO5L0C#lFLMt7jRN9u)j;)( zoNO|`eYs@arhT~v9DAL>WFhIjSGe_}t!xoY-eoEOC^vCE>SifRQRcXIJbUlz9P**> zbo|FF;vb45G}ti;Ri_7w?`!&YN*xo2Ja;?UBViA01FlrxyfmA!T2jhu@p$^x6Juv} zZg~zyzUll0wc1H}F~nDp?{A2w=JoO;Alm#5@H8=Y>9=aiVltn6oXE-3y$=~FWp5xm`clPnDb2BDl-=}6;GsWG^h(t1L)1}!ZxaO36Od(y9E{m%$X8M z%B4C2=KY?bc|{`&^p$3;rq_9!RIrC~l&v_Ps)^U-p)E%%Ws}@ecY5e;^G*gNY<5XI zgYJ&~H)!1AtR^frgZYJG49W$WEHVJ$!;pkGG5&m}SnnW6wx4PRZ9u~Ksz_mPen^Xbk}wxF~BMS-e)Hl_>NfZz=@ zjxX!J9&86}zQlbi;Y_bX{&Xp-!E9duq$yZR%WEOmrX&12L%sb21>tZX2q(ex7%Qf z?j*YIVyifxk;F_bx40L|3FRcy^N#uYvc-uq#tzO?AUh`%)9Ze65R7^J9tZ?#z=*TB z7xcLo=|{Sj7`%F$abVJ`sgHm(jp;bO6ze35VPaGdv}8OY`XKIgQf!&evG0rGw%ZHl2S#`kDwKZ za2JR7@0lKzs2|CZGlC;j8gQ<4o#;x=-rIX34xnn)M|h@ZGKrA$Qt8q5d#`>}r|llx z_D-;Z(Ce_#8opm&Y6NeS>yiXJsr82>C(U|hDn2yBFFO+Dj$S4#^;bRFx&c`!Hrh(~ zrvGvWjmoCz@)%1o1c!Al&@{v5S1A&+nl@4R0MD1C){0;#z4apv*q#jx{zj8|z@`hB zDJd8`#<-ByC#hx5l?bU(q$TXA@=keQ#4GH#ERCT@_Pw&yBpVxBCS~Ky)-Z@q>2z2Q z$1nqTv#Q*DOn28aQ&+(Xtb*X>tBGN>y>{IBQ6SSh8hxT*{p4+wlTTT`V8j)WcW?Go za?-@SjxSiSdEr@d@pT$_hA3JiDcwq+k+@uXvJjO-;@9`=dX{pB7a^sFAOQ_7wMUS% zhOCPOEpIeVg(gr0`>@G?&!#TmL-vs)S0og@AiatFFgLoO2o?Kr*m$0(zy~%vn|k7P zYj6j!Tao;ol7HJR*nYj#qN$=iOB!bI3`afr=xu~+v%o$5dd``c_+C9(y}3Zme(`e!Ws9mch}cWBE1sD?gw zzf?@l)}XA2Ni{91)Dk!h6iz6<9m0KIsJ$q6dL!Wgr$i<18IO62MTLB;UBMSdgZv2C zA)vUdUN#uH6fUvDEcuPIoBBP@O~bhUu@SLywSwwn&R5umN|xzh-9$Z%!TDr&8=W|A z_coj*f!^n-XYvRfhH25Bb-|0DSlahy$Itm%bQrS+13hS~=F!0)0PeN`W(>e{=^|bC z-ck_31BTm{1!oZzn3)L+-0}+ah?wr=kr_E|XQ3gVmNQ||fZeelJkOGII1V6Xhi(&O zHp@`o?P1@C6$#3qKl~V1vrjTA^`C5~oNc)kdrYXb;#EUb18wU09yrr8{F`x&? 
zUy^hCQcY%`$FbD7NEQ{o1243^30=8ncLM-O$;33rBnQZC|In+6lTWYjnZc+pNX@Z< zTpPbgQ9Rhn@?je_L!*s%$t|&kTP-6PGSSHT`@;a5o3f4H4?7g!Er8m7qhM|4{zSpv zzB#`8^*0DMTjH}F#xZbFYX4^*A2LU1KrzmKWKi{(oq%R`P={Y<0{tW!Jy0i|4pDn= z8t9&UE@JLE$@JB*g46`4_Lf*yS}eV^fxO#ji&2)F?!-l4eyH!^K7&dZkA$C`GPF!z zq(&P~#&Q%6)Wq(QqRKVl`;6T^(XJKTYlbSlg|hRxh*1yX4|vj>`?WFGR{Ie6_y+EP zX+izZ4py5})e2I_Dkxg)YhgvKPYcm*<)efO#6YGmW~$yxhB)0n0%_%%F@loL$RaU4 zNi%NG32S#5Qabc~bSw0sd$mj$VMOe9DaU!8Wb>`ue%kGt;_z9w?zYRU6RfKY#gh*k z_CSfKN& zzH?@k;-L!~J?sJej}GQGZ;dIH?5u1CYhae(IHnx}eay`TiYEF_p{kbhoN27Vk`L$n z!mkk(_s_f9$0GWaElIn}xXq2qq)#|klUn_g?YIgLru%I0`S0w+CQ~ia0~dj`0>icp z@JF=|x}!UhKWt+A-s>4Dt%f5_|7iIarj~Y-$@JS@eV*zjnu4zapzJ;|oXo5}yUCAs z)at!BXYW)oE6g1Y*?0!ZJ~czydA^b+XbXf3t(0yKxW;_j>iMl+7u()=#ig**COsZ( zT&fXK?7xZ=2)_Zx9F3D&=4A;BjFux+O0?pecQU_fhu(2?i@O=*j|MTs%2eo;p>%|o z>QSW~i{~t?Mm3TpzQ!ZZesCSmokFoguic#~Z`eL(S8`7^E8{+8XTcE4uVOdEw~^=Z zXtgM%)9qh&-kiB?i|{rd^1B`yF3{)BxV2WY+b7eCR%h3-pu;f=cxlmgP5Z zqpq)DxNKZfdB`2I=N#RnHc_Nct=*-vy`CcoClq9t}~P`C91(M37dZUZ#g ziW^~Va=$An<&rIq(!}ZTf)9I(6Wf!QBi|3)6)9R%qOvmQ7zi#%>VE&=%!vO4gL0d= z#(}pSfe|-ump1R}OwmSf6gWLRGqk~p1fUsOOS|#0>BigF`LHIg0ci>BLCcK>n+hLD zD-NJSys6nD(^Hy4{yo1K6zz6Y;oM3!e`XZOZ-j|W8M2j7y7%QIsby6vgp>=E>A+); z)p|KFe!PS!`_d7T0Wm7Sh6425^#kwrgEc4Rx0(n`FOPP8tPC2D?7amZr;vVivKFxW z*4TB2YU`34ff|%y#3}-zy8=)UN+QGARwxT7H`)49ZZ$K2wv?OSGOp6cS6#p?H8L3I zLaWkCJ?0?+4YX}Scb;vPr})9R+`4!ehw;m*sX5zAW2kBdbLln2M>zy zl7LjFi+Bf%$8pRgaA=e72erfjPE$wMcb6&09L~9ovVt}(@Apy@{AaAfi<|c26?w5U zuimEHtPYfB9Tt+~c7DUYZR0^Pcx5MYmMrba@5~M3{x}&yy5Tho5QpusBm$`LP@@N= z(ZE-cXssv22gNQki*I|YbJq%RB}IMCblA74x%G%5sUEmQ2&^>KH|gdlkMwRnuDU+P z6=_Z7BQUXrCaaWoLA)t7d5nVSz7?Af2riq`M$_Rsm|y8yo3WI_iB!d|)YAgdv4; z-~|5UVMyN#R>#M2%TdrEuC7RXlRvn@V&j|V-#6@yE5}RPsb)HTK7RjP5nyl=$1yiw@|K;7yVJb*R}4BRCZvy54|FXh~1tChO) zs<0m}_PGhsoy$^h%l1N{)kJ!XMA_xq+in*yy|L%1G7)FNnaB1MEBI2Nmv1%S;ifC{ zNqAxR#98;M1UYr~U{mb7l7f_mb37MU?Am$+OI&&%?anb710q!KH)k0b0F`XPIgH;MPEAY3IXVZ*0-uQHU< zr_qLWh3bPz^|H=E?mTCQe9Wt@i6!k4XECqG&b2SoEqoAPlB8VN`PQw?Q%?ej_s{^b 
z@ogP<1HrPiY#AMwGd}>*c3ffM%a}l}Ju)fv;vCqgwp*LaTL+L*U^RQUcQcWzlYEteM2$eC9p!bm#J_}kw-<) zxY-hNO6=Ou+q%(i|(}YWhs! zGEwy;zKpB&)yE^PZqz<-FwYjkd8x!FVqDAtxV)^f$vSD=ND+VB$5kRL%);(Xm9ydI zUjg^}&i)NL4Z!j>qnMggbPhmsHxg|Ew)h#=cIPRPxzzJJ(Tr#701GUIg--;{*sbL} zDq)3$5nx9mcHB3Aq2K6e3}C>N_yPbs%e3E*Np@gB9DYXXiigeg?8*Z1Vb7Hj^UvDQ z>XsPkb3Zz40r*x-NmPF?a9*k}RFsu23w@ea+lk+T?v+OGS;r#^65^2+P5A5U^dAP> z*@O9Qs#+JO7RoQX+|uYl_>4+i+eNL`BYy&$Je<=iEuh+`8VxW$!NRgYldE8%HHAFYjjBP zHm3{$c}{H2!q~DCY2}f1w=z0!^J>w=LPmH5Y-(+!Xx)Xim4dIwe)yC^KK+ES#yHz$ zq0xZFGg<6s+WK&ac~^AT^m4@Mpl5W-9d}laqbnuY3NQVxT^ASi11b6&)JL`~mWFuZ zBcLc{B0+4JC6^o-zsw&l%yKG(m4CCG>nk8~DWl)MD5!@UqdfvKN?96q& zUmuTjru^{u9s&U%qzCzjo-gX7zJfjWXBsTAm9_yWD;dOC0kH+u=d$Pa!LMb-RCdMq zB4z00emAF@@|RB@TJ|kp7@A*bliSUzyU6D&45V}&zYON*rmnLed%q8*h7UDQr~!H` zNu)w{TS+kWn~JjR3RA4*nc(~C(#2!K7!L}u<)*{%(MpJohXnx6%AMpE5on9PivC_A zSwF-(moF-i$cnG6~n=~Q$# z*L+fT1D>XmivKm#q(1}X2t@&S7N_rV)1*cJ&B%QF9b=zBSwgZ^+5Az_3v21o>3u9BoDd6$9NrRr@B?HVl^k8mcIAmmI(ZKv* zw2PLfd1z^z=~TwItf0NDVhZ&|D6ClkQ1eb}BKCxIkY3db0jt(HEuoxHtuoxjrMwdb@g+FI1R z1gt~TGCZnpf<<}&ty7TxxPDKKfm8TF=fTbp1jZ6P&zuJ(Q&;SN<~Re%09)V@o{0y< zPl)<#35~FcPSI5e!ydg~kW~F0RJ|clao^a9XrSCek#?)JYhbGX`%Y*GPM)Z!tUVcA)s zsl{sHH2A3^uC6dBWTR-3xf$ug$`B_JIo7aGT=+`6lE8DUuwJ63Lj2Ec2?! 
zu2g&F@IC*Vn*cd^K^AF4h&rV;-W5LoL*_0}A}8nt)dy#;idrSk4;~_ zZ}l7Fi8xu|MH+it==i2F`DyztsVignH59F(yzTHt;(RpX+u8)t;S`(IZRE?vaN2BN~Bb86vk*kZl7UVs<(?U?43I8r@Xxy!2}m=@t&z?z`Vgsty_~Rora6 z7pQZ$tREwhkcgkLWh!XLFj{UyKlpi^c@m2*#gL?fyjNVC^?DXyulhMu0mcX2`miFd zbjh*c1fWw5R$6VizoXH^PjpTw%X|%T@aK5W0=C-Q25J{g>1k>UWer)@+T|=B3T?$@ z77z|4Fj0xm%r{fp5Y2SYoJeys7qvg40t2bH%%>gxU+leSSd-hfHf%#g6ja2B2na|G z5Jds05ot>A9U>qiU3w3?kluSwklusz9!2RT(xk%@0-+-bEs((X;68hwv(DMyde6`I z$NP^fkjaygImaAh+~dB-m=W60D~Ja=04{ddEn(J}7FpSHSo}3rp4VcA0=)yoJ3G}9 z!~fxgbf%W1fC0&6DT`#P^43Xat?|9%V3tWsT;g~E(g9p*X^+hhEj^H0xsQ`%=-7C3 z2gA?5BI50e$h~SOtYHRFZDu-{c5z`cG({OA6T($vDUL(Y%C@g3Pj*C?2E=CowunpC zTxEKMRsO;Uqg3T3mDvhXQNai@JyfW!`OXR#G)G`>O@$bF7@|WXS+*WOyd+Y2J7I3d zw48+wywL;PVM+q2DF?#*x~5RweMOTxQm)sv0d&3mq7p+dECtHbkn1yrx!am~8Sjhx z(*VCM)$QvK0>l~q9D+GKni{C{xbkVfaQKSyqh6FDF+6jl%rND_R_YS&hiOkQ1u>Cs zyHz+bzyqKz9(2>gaIX$^}u?lq}|2HHkrS zvVEP7FT!6+qZnC!Fh*b!?kfkm{CQRIt1CdBxdA)jljz&|S~}MjsF)wjT>Q$UtXV6+ z@JaC9dH#4C>t8KLn_4WY&nZImGCs;AvS~!)=v$djDpqkiK^0h#n>c~jKjD~@JX0nC zpW4MQy2BPh@6J<-O+o86YHNEy&iTJ#x0w{-oH>+#SqCy)Kojz1r? 
zSoBcV->XBINO|RLkLi!ytN`aIP!9n5crSLwvJ;}LLW~@BEX=*e3sEcp$0fkQ<;!o5 zOLBWIOCq3MGFg2B%=upJb+#~*#1IC0y?K{+-%1bsPTbncj5!IMs8*a6hzP!*b;NM-)3uD6hkBIy@Y3ctbUn5ZI`*g# z9f4-NQlC~yxl3DhVERJj-8`k|>9a#QgcM27wK%oaz@E{iymU)01GCn=ip=qmN<#FH zPcY5|3KwJHD$?ba$Cl`vkv%#1J5Osiy<%zRqbLMN-Sgie%{rwSOVco^;IYje z3SlbeZ`Zxjq*_c$`{pqrqqG$!?%l)ZX>*nKXeRjDzS15YZF?@ImgTW@bTS)N*jd<4 zcq0zU8RRZ@>YW7^aJ#spZ2RlSqhSJ05shY|GwG<_YoBkep$i zFld8LLQJ;)ihWfidEt1Yj&7b{ccgG{3fj8DStI=eAj`C0e6gu`Msg+#XXibi>9Hv{RCV&K^$~!IA|JmXze%?K;ggUa zfVUd%3z@o;&i4~)5~`^tWi}dZ|4z|kDb=8HKI{rWnVGd2ZqA_`+F^z$h zE#s$KU+dt@ydy@fd?J?>Bb}YnQ zw+s&Ntg^9An0vIbwYYL%Kep9cGC6Zf3hGf51}*O5Pm5Qo3l5@cWUGXb>uD+@wN%p-1>u(LCBtkS!WIyb z9iS4Q_bO>Ng#TAx_NI}U9(w}a>MntruiVe-gmOgi3W{*SF+8kr$7 zgOBcke0oa}t3TRT4s;lar#p&q9~T{5VV6yw%7)aygwvdxXtGJ(l11N}`X?V$l83$) zRjlRb`NpIA!Hb61I3>jf#Oqx%y&X8|Yp37wxv&9EgX^f9>KQ3m(8-^}L!6PNvZ^P~ zd3HqYTazL@Yuxd>MDL^@qByYLCqjPWqI)%%ZDeJz58un&eAVx$4yoRmdSqDn+N%<5 zSAWa$L*%c$ITnLr$*E@$j|MYF4R=icI@CZl>#s(JoxT zm%!kScORVegMR{?P?d%5h=3^MT}PeNlj7r53(G}mO8QdhvGnRvc|*RlmL?8iTV$ z?{6F=7yi8YrbexWWrJtUOke6lGuq4$C>XWq9p*(oSRnjB8X5hB-06tkcNiTbc4VBKtO6SKFTNXs!y`8 z4wmt-Lp|zUCa9>JC9zorAMVeNaB=ht6|`En&5NhItbc4_Su;JY@%pQU3>Ku_g=^Ise|-o57=xIWdP!iQE_L2jvxlsL!m zg}KLy`n}@uU46eYl0Bg!(hYP1BwYUPb&e<+n$q=N>rL+T?hP5Z*i|#e1`V?Aa-yei zKTAd8E{-p-QBi7-hU0aE9rqB!1-w@2L8%#jxU!v8@MT#-C^5hqfU8}AeLpgEM}?+& z{xu%^{0I54PAC<>euys@%|*FvtqcLT2er7cUU(iOT=&-$B;<#!YRSb5iRV!H{of$h(d_rB>fuW**hly z(%Cc7l4q+DR+y;JWE#om@Waw)I?!G*|E_4gKUpBF6yTACL+IIL$S#){e} z4}Jjm0?mShUe}CDkSUy$7xJ4Brd+>3;|7E2U^dn(zD|}}T}Y}+KU&VYy^Y*dURbgI z6@DGTGV2*25~2z;7#-bC8FQTx-QS=0u5?2ZR_9{br%Ig+223Q-&IZ7D4Lhui-`}~S za(KF({b+u+fNs?Lmu+4~?r+kI^F|4I|#8Xr8^)$>*ASrkzscuu1sI{k;5!M?F_r zUg^ZHC8iZiK2Fw~UTmy~qv9axN-qw5W51W;l|tw@wkKc-x;4qXV_xQE<{(9$B){9` z2mq1}H+AU32+qozjGl7-67D0xS$9m1#EVDScA;#s1=ME= z$ZRt)fz%EyQA((h&JtQ54JS|gzjqh>sTNQ-S^Oq7E`&Ps0{DT|K*TTzRuAU>Bc~M7 z0Y-(?5!+-hg0qPVLQQ}+M%zU<4btZ&oyyI{$B}xbhP7wK%w?s0pE;)UqzZvIQwt(` zm!9lRa6xoeJMQG`W1H*7*&OYqy1{w%8E`xOttLkVK==xaY%y=k4b<%FZFJqY&>Pu8 
z_zYEV)XFKPemdHeEM~*@e;Q}Tbufmrz_WP>@vWKJ z#=mWj8F09M=?Rf4blbNdS}H1YSCZj<*a!r_eX4w(v~QR4OK#mD+oh3m@v3KeGvady68ze+StIY zy#{dyTQIDSi%dZF2puqBaRa4;__a*}OogIWd}(RhO-uHO=Tu0=n*GWpZT8P$jKafh zCB<84D63tc7}~t>*4UP0t=<6AmoP>H2tlC7w;AhZ-$oX~S}bLKPgx>wF1(*{?;Y+J znSxCzr+ou=w)9I0WlMB@O@9h-A7=B~GIb)K9tJmQt`OFu_{x9|#xffnKlZ!wHqXyrc$&p|c6P@$*~D9)aZYZR>+@7vr58*93N-Id{d-GxZPuQw!i3PKv?Z+M$&p+Bh;n>3egd z^XwHv-4B5N7he1dH@(y@<|JXjX-M+YQ}~RGs%hQ_QgfFpt$!EFr>napAqELb-TXPn zhyRKy+8i`h@6m~Qs@-E7%DcK_DP`JOJ}_5e{F}M|{sC2Ki+k+hK4gf&3R?!9r40CX z%ieBQSX84Isp2asySfyCU572iSYX280^ZjV_8OJ+M zT;F_|lx@smmj_e~MhuG1znvlJWZQ zOZ=6T*eC?B^_pr9)II-`cJx2lZu)KjTd!rc=a$g_1u}V-_kNa7R07rz*;v3m}{9O=V;>v=yJ=HZ1Sfs%^#zD$ECba%d68 zQOtMg1kY&G^pird&uBHo_6Dj#m(k7G`8NI0u6u4C?5*gOgReCAcl1z;60V{DNOR9e zTM#f9TuRXy%?Fmn&ST{U5nsWmW z>RA#~t3hhNbR3?-Gv68?+DnpA{Rmno_#6r>6!*&$9-Fa~!$K5VCCWkcY6!e{ z7HkHaxALN=8giQjmZ)$3lgr>H2yhuBi2#?ui&MQ1Tlyj{@k_O_k>6My$j$gA*mZ`D zGHk4Bw5a(wKfs&?F25b!dSBp?xPaA>T(It|_GibNVS@>+cGWUoCf6%eqp=a~d6hTa z#|v$28tgX`Cyn>K_1>XY@$vW0*MJy!K3~VLeOUbAxVG%yc&WaniQL}WyZj|$fE9fS zyKge7W7>Gd%`6pYkGt9hIY$h=zm~}&rldnSL)3{y%0reVf^f;4p2wv!a6udOhF(v2 zG+@BoX$0(X$ZnT3a(~A~0?k)<>%83F5k?#C3Ac`#+sX$>7{7oGOF(ieDk2+D@D=YU zT=FJAlxM_yNhMXjh8+PDTN&|$4>BCC_4CD<##x z->d(nq3FBk#&Z(&NL~}Z-yibBG@x?6FrDIsoWB`zB59+^h4AMJCy_v9}a?)xli}EWfqE|1*l^NJ(E)xD} zJ($PLhp>7y%WBej1gvpq9~nvlEGL1UQ^5w~l9ys(MBfCd*S9qaR$}lzhe8Ng8epen zD&$cj@&%e7)4L@EhkBmCxviG<;CY@`J>fiyI*a#5=*Lf+;y-7=6n&3Bf>9HwjU|v$ zNtg?zW4|fK*x@fD`X1ZX)N9~6BS-I#HwDnd!#o$MhoPNee+t2!pf$6{VKQF*EA4vK zT5J7~?V`nT&bo9Z323}GX>6{@epf-@N0S27+wbp9d7+z?YnVGR^4;$cjXqa2Q z2aVs;9O&K>!s2Efzb^a3E!EYYbfG@sdzq?rUKn>2t zw*d=m604Yrqu~8}p* z(qk&GIhDPs?Ut&XD^GUs3({ItoTEnR?A}^&d$_fAQbBS`Q!ZBL&weJMWN-6}yHChc zHchr++ZQbi0dW&LM?UTu3~iOYak7M%TJDBztMZQq8z;9Im?)IoXy^mzsY(Wunvcq? 
zPYAtI5pQE)7K_P}Sz7PO_GxijBl|*By)1ZYJ-9|ct*IY9o{)qDJ=#MFNB<<|i6WpX ziy%1()Z@XEwk?0t(wtwxq&r~1%hcD++Yn-b-f59_Pfz%D%te)K|G`CsluNE#_ks?I z+~(?Kp&Y&s8wJDqtUsoA>}Ajp6pr@>g;e0RBEcMzfEv?opTudYJVy&EZ|2~Yo8-=j%Off!8s84 zdv7=uFBBA;)C>sy@Vu|2lR%Ha;YA8?4JbMxba+=#n{oUTeX$FDyS)8r^QEGa-tvt6 zHZS!?y)@2aGNtn9>PLO6+}w&plit*h_?4w#M>aK{?bahjyym+QwHs{_&o_T<@Faz3 zIsEcYAnBLUSmg;HRVgW_TQRK>>j0E=c26@>6l*oSJ?zM#03)k$i;I_w>&kzMR?^d4 zgK=u%$(W2|H)CnIaP#*?JC+A;=dB8g{HR9-iOx_FkS_JErdop@RG)(71-q#Lmt1O%_N6{#g8KV zgfgH356q|uI(&IdK%BJ2A+7!QhxzWIL$G66xMV{?8lCq{|7hMT?iG23ZTl5wRumzy zSN@nXZpP(NPlkiPCL6V5AV~h}e>B|jv@ii`qfxToC}^`%w>In&V@0x+rS{FdVuDP$ zOp%T}6{5qWipY%1b~DF-)aG=E^;tbGV&JH$&8Hwz@&1%E+-(>7iR$@bn+y-c)Vb!c zI!_njPZYv}T1cKQOtw{qXQ9IWMV2C;jA`=6Vql(lY76)!UWG1HBk7J%G(}?i6Y8IC8i020)kFRXJRkdp0{>0c31@`^XZOqSwKp5B^f+~WsT%cI7qJo z*il<7Y(Cs^6)~rB;q;b9#S&6N*PqZ}L9HZ!+S>(@0PH6h$=3ht2oeGRfCF)8X(1v* zf^i_6l%dJQi6FWHT^UU<&lM0JE;d9RF)X2bh$vH_fyl#yN@qWi)D{oZlR#_7J7im7 z5Xp&@T_N-lL$%ICNz@t^%%WvX`m7R``HCQJC)@7!x0i{Wm^C-=6(SI<-%{!lOX3dVNW2$;zN&o zb)?E`owU1gnwNM_g;UIKLAx+jbBZ5!cc7{An$2C^5w#obpbuA%lN4kQ`L5!_mEjHc z-#9ZU9V|m1@T?yYV9P+enhJb(U`xI-kR-7P>Hq>s&?v8pmwU2jasJtX?+vyFkU(<_N*@J8Fx)r2ji-)7^5tw_$3TEs^8pse8QultIf83DE+#<1V^pi{ z_>VPyOm5s(Q9q5>qJ{32XLj@1zuRff>&&Zc=iB!fJK3Y|EPa?)LhmZ8p<~kySS|M_ zrVZcsm3#`ftuauvmyDQdnDa~xsLh@}VSLSTo$m53bMl8O=ixGCPIwWI%k$Q4^G9sm z9=E7!_i!Q^rp3xD=ZUG^7)Ku}UYRa6UuliJxu6MPykfG^!Uu<9?!xAtuK-)T8{$zo z+5AvwJHUD8qw()sah=$b6vK*M#e)H(N$4V?=YZPZLwvX*;Q1}Eon$HuBrzw2J42H^|L!ozPTt4yKB}*7gP|&%qpfcmex`>6#@MQ_m(bX> z>%bUJDb{X*3=tk+Hg%U-vW4DQ)e6xW(k<&wuzh+E6bo2%n@Yn6yVNGXus_`6l+yO$z8%*6=+3DpYD3IPQjB?>$GapWL3M>o4^bo= zfOH=j3)6N6;w1LdI4Sym{)X5p5FoquzIA2NwEc2nVD0~+}lJkR$9D(u9M1wKE zKq`anPH;_==KFq2faV~2BF73Hc5163zd@WD8Z=4>=Tz)0DmgcGoefKEy~oC>t9a2# z?$g)2(2`pau60{0cxzqedY$zr{NY0wxJjkwW9MlDL{E6)%23|%_C*dHUt)53Cw7OJ zK!17N96g&bS4gYD6^*SXmjBGb8;>sPm9;$2k3rtoIMR=_x=BWThwWVb8D_qq1z8lr z>KQo*$|m4@fd-2{`E{W5xYGQC3ab|$)5wxX(iT|l!;sDpc}!~tin~#U#>1YYLkau$ 
zpf9rb2DNE4I)Ji7uS!seCXFC1IRppF3=(s!zDoiU3lIm=&5H)1>DseSk9z6{k^Vab3q%$9@H>N)&ZEX)^uPZM&P5(!az^|gb zb@RoVIW?Qo=We9lN@Dcc+U$PC*YnERcP_7g+wn?}?5M5D6m=TY-0T*)Q}B6n6JJu$ zlJG8^t_vl41Y0U(3YpYQD!f7642zM5_p_qczw9kV@;#{YyUHisND3gO$-o!0x6@d9 zzDmP)yCJ1srN#nq6f3$s7N!sE6QEI`<`4vU2&zEx5v2OmpDVotZbT+biyIFNa4feD z4aUhBd-f-(Fo*EggjUyTx9+22pblU%dwC;-h-xJQ`EEYB#rRhYY^)1qOtUzqA%#xB zaiC=MUJ}kEkiV2C9PT&WJo2P!uM{9EcVy5WTqfmQmC96BA?`RRX43D=w{Ua`qiYoHP?KDXZ z4I|j-yR&vvP4%zCH>*8ehWn2vG3I0(kOWQS0Yynnp>$G4{ z?sxn+5os;4gMRA|P3buc1R2|>EF)W#nMyH)a$op1Z^2Njci^REm~l?v<@E5nHvm_bIetSKM$BDn zAvvU9PJf=RJ01Rl<$4{En|kSpU5wNluMqh}W?tEee3FZV^Xa`Tm{@;~5|#{c0|fV9 ztFjp2)g&Ke8XB)Fw`+#RWtxg-S5F#+t$N3KTAW>Mzj$eA+ilzdNanr+ne1)6%MGfY z;rf$y3tcn-7SeAcla+o$g?>NX((ggJ(t^6xdWA)7(uZ{LEBi_~xGL~so_r4qL6lCq zgO9(zZlO->9?w55iqv3`yFD1~O+nZW^hKLg8ve>%AO`#9W8%8I1?3@s#>Zc82kx*t z5d){uMZ{?lV8uU?zY9tGJNIu#R`bdL5k)F64e37Bkv>Gt%0{QW@qpM~_DV5)&3)`M zrcxX{`zujg_#2DA6>FJS$9ejaAUYObMF4)%?>OvT*cR%v%)8k+dMdCOS^fl4K39^! zKeeiIs4dF{^GKt9ak+}ktVzcJZdL>8!Z^5@ZSPD4Es*Hjh7xDLw72{yIaVq2_x~y$ zQGcE|;dzH2YQo*{GoVz7d1``F?;0g>qPp=JoRc8aV8@C+nVU_0*Q=rJchct$sys*a z;R6Tj2acyVk}kB}y2Z+O{mKn#Iq3`ZU)22QUuj&Blcl&Y|3_B+pVS9zY-ZP=zkB+s zw=M2k(uGQ{4af~oMH9A_eyQMv_TGupKnP!d8ec^$;t6xCAkIe!_;hI{)^7{HUmS4>~8v z6A#l~ls>&ja&Qob4S|O*KcDgM^`Ftyqp~2d97eSiaoY{$Czb8nE6RXsKkiCxXy5b? z~#(<{RaHSD1NOaLtOv-$|hdR9ukA}q1FL_ zAERCM7Pa(GsXWni2`}!vmMt!;cVD_l6tx~d_U^$52-VZ#U95B+iABd!PvL_=CJ8t! zz@HVL-fs|SA8gw4^T*=-woTXWKY(-qgQ zk?6u?mhr0XPZtLZ50f~ADcs#IAg4X^l3y~ZxRclT>1=vY&zqMIj}gneA^E)a1#K=sre1#M7{-}O#sG8I)!n{ zuhS6Su8Mk%-oO*shK1SypUujJGJFO%ebp%c1Un{##p?7HE>cp|f>u)6ymA!2`eo!L zb^c**dP^%Y#{SH?7}yzomD}`q+h-py6yCss&gjy~2a?j%xz83~AX2;={h+~$=Dex+ zj#nCf_N9=Sb{C2&@J5#6zk6GxA^ZXB(1&O8iT_^2@t?rRxBTXJ|5MiRudno5Ldq+S1=KOz%r~P$-f4$iM;taSVT}z;l{;xV^e^q<*od*CIa;W3EGygx! 
z{9`>}vCHdA3DhX_+0U%D=Ta=2hf3fdPpY5{b;M?75ZW;Sv@hD1SJ3G4Y(4ODm8GNw!)JLTH2W=>%ptYm!6{Eq$E3d9zKJOhb zfI#j@dgQicNhOSD+}VE5(NbVLjD<2fi3VdMB$4Wm&9}5>8?;*^ z!8sJY;DgNmLtVJamOSDA4E(+lbXRqR9%>!C zP{z&@_EqoUPesfS-s>c=ka# z8nOUnWwS?+e3uoyyckSW+94!YkUtt6A(2vHPx@uDo)OX!bzxx?Gld_e%yGp+qkBSn zHZG(J@a-xq=2tu@Q8ZR5oM#tn^sR(_g1)`DH<}B%Vt_PPeZ(xN&mhNmwd zC9v7ZeAIQIxe~;(AyKyD*nLNt*xG!Y0oZpegA$N%stlUWY_{!DlckxG%3RbT$iOpQ zeY-Fv5RO_b?=^x_7(X=i=|l-v0yhfG7IftuX+9QtQ|abHO<(WEC1N`mIw1KR?G~?5 z^PmeAubQyHwFFTSJ-IRz{lMQEfeT(wrs2^s_2<(yMYo3C2>)^8q_sh`57t;q%2j^o zAA4Uhy4YBIsAvajWgigHG~fy+rJ!9kiv|6u_<(!BJRMz8{l{MLXFPcAiF7YmDQeh3 zHmmK!r8!3b*8DAzm_mM;!_QJ}cRPdW>x{=OjTEa>y0r+py2i9Ovi9w{Hip?F?vnyW z;DP#n6^HEL@Tl+(4YT!4*(nDZFDKVDif)O6J9+Kc=>CW&CT78=2~B@qTA-6$9aL<< zuqgBI_tj<>=2ryD&zZ zi`U3q5alC22nHjH#mT^#yjH!A=g5CPp2w<9Cx`=dg+1yALhltmtd$YiFO5WDmK9&ZB z_Ep=yQ@BJ;2M*ZGo@g)}eP*FNku!^u0NNskE1sMl%{gev3(9p`UVK%Lx!PyE;?R8V z)b&FB_x&Czh?;MW8ntc9z`hHV3VI=7 z+mk4uGO)aeOZL0DeGh#IG{z?nwbM-ptvx*1nbP~mwwf+t=l@hg#>N7gMXw?f>kMS49_a6hcjl&ens-X2dX{Cb%`Y;+2q zIp;bN-pODfh{7_KkY2;CL;Q^k&KdbCrXUy{gv70Ah{X6N7_og+3Vi38)fp^K4Q@)B zZhI8nm$OH`m0v54)SJCG$`7l1&;{`(HaI1j!8>gk&_Ax@OMq0rn|;}>3)Oo1F_sB? 
zdx~Fs9-sLXXOd!LmW*i4dhH9neh+$7au(7+84EMs7*O5I}RwhPUvYbm($z~5bREosRweQe>`LKD>%J@3OPs~9q=jLK#|Hxr5!+h2BXx`7O0Oqf}>_EoU-*`_VMUC;!2b0X> zU>BVC+10uroW#U0ous@gAy0IelF#K)e+PW-bw(ATF9aEhDfoxb(Zlg78Fl97twT9PWJ|YIlO>#B(ysU z?LaJL&kexN?F2vXz?@msnZA9lk?E`>#ol^e(7E)j`Uf^RO^Vv#<6XO{=@8ybtj}Ih zq+Lm)uZ(;Sjd^>Wwmj%aJMDZoORM;zz+)BfF7MmhfrI-=QzuF*9zS~ijLT7MoF0pM z%#~@bqtKhsz(J%C{n_sp(Jv^+cAOit!70C}8G|gC4(Ne|?J;PV$G~>sYdu=N-LWn6 z_jyB-b;?-nhMJa`9$Y)UoOu`Ao(?h$vZ6h)INtEvhx}L&n)JZ`lTp=beQw%-z{F3& z^63t;O5yZ`e`mV9K0RSkSU94tN6Wa*tEs8Tjbg!;Qzq@cQPLNaLB1U2P*pzJ}KmWAkpLU?Ok2^jbGX?3qa+0 zQ5o`~Nsk#Ag=bHS1E11ew*N}C_}0d$h)KkB=FYcmD{^<;TwNSijZvE4oL!-y7vWZ+ zLCc_f6I=l{epXzkgt`wzA|u&DVoBdFr3gSZOE;xHS5wa(9$6_>UiQvrYD!MLPxoah zQulS+d16Dai5xt(TCL!%?*S{+gUC^b4KX!QU9p<`h_x|m<%Zq!E09V!*}2p!)#^U^ zTrnJEyJ!(lyB;g|{&Yiq-Zs?9I=y#FJkWup>_nsyw2jm*E$3!@IYl)ONGyl$VrW&h z1WKFpRhUM+*M@L+^)h-6&*i7v!bCULtV7 z%ShTCCOQ*NVy7T!L-#oXh%)irLY$)irAP4M1YEtiXA{p^H45Q5$JHA8jt^ma6i-Z? zaQ2bIBPHOBFV(~WNFsNdl7M$c_3^xuBF0Fr$O@$Sv(QXd(r{$~>id33twklY%!_v& z8nPoOJ{?L^##T4NxTUd%EhtJ+R@WHs;J;f9Udf(4Oku5-vy+`T&f!TgB$_R|HaMo0 zG{=|9(pd&M5f}QIYQiZp1&2XF-91A5SUnyOdg6A^LB+N@$>DNWR2hJpY}4_mFj z`8ZP%uxg$w3o=L&`i7$E%OzO4x_ZH^2)a?Z{3vD8(aW&3RVp*={9%lMZUpG!u9M$u zp6>e{bP-6)1*;2q>dCpUA)wPWc^4dRPdFK#@|b@cG+pt#(~BbLhuhG^o+?M$RtLq; zZgdJ>s1*aHys?V4POh{Hetr|)a{yHvC2Y3D&eQLEiKCWNS9=NS5tG;KKFOwZ$*68o zpaD*u2Qz$@3c97$8{kqzE)FhQgg|Z&deVDst|=sOJsb$gwV+@Cj~o1)_AWT=h%~Mc z_T|bpT~c)BvKmw5y(mVo^s!yP2Nfa)+9P?{fYkS>j1lt#-TYi`d-PIMTltcbaGmGw z2XB@$CbyvyLcharg3PfzsiPui2(AU&5)Ob-v4GQI>gal zY+KZvWag_3Jq~i?1zk2c>$dlj#K&}cN)yN}x-RcdzXV1=$Ew`O7i|^;^F0lus_ErL z1-y2HxjQgJhUr$Oiw*5^`ul9^ZWQiIM7jHVrIie^JJX4|p`(36mOVGe?SU*}#85~n zbwn&5H&v2CjBg+f`h*F(bDFG=XI=}N9|4=^5eVV!4P`O&qnF{vuP2QXpfmI4#{*T78U@g((+eS!GWZ8#I8PN|tzWOVhB%VTl4s*`TnO@hPq*T1ccs1@7>L0; zIM5HsEr#hpsgoU=ban}n$gfdj;*%F%d17{~$%DdQgNP<{x`=zM(Q5Rdnw9JDJqv#} zA6+jjT6_@_s_Qhi@qx+i(;xc+pDJUc+qNAh76)u|zTrJb2ObTBF1g&H=FP^c)zY_i z>m=qs<-Os0v4U({Hhe+RtkX1M@8jpC+|eNp%@@3P8=LfEWyyh5blX;?BYWyEmBc4^ 
ze(EZ=SWcbUAJE>ojOCiNOP&7O1zFuQP%4gr<&laXE`XHV2QD?g2qq|088+6J17+`6 zSk1Or1W<=N?1GfTsezOi2zW@5yuY`Q;pz7IXlL`CAT!Ty^nPQ)+f~%(`a_BJIPd(( zpXWN%d`J;m@M3aHQrGDMs2}x4N~)$~r=C8T7_Ju%zN*KRJbfsWu~1;-mFMwC)#mf8 z{B!A0i*9NP;VDb-`gHR1^@DB!Nf&DqubUldmlrY zC2f3_OSK<-k_&4^C|=ass5^Z6P#)lm%4X}D%D`)KU&By!BvJxUjl>r%621=e(~chF zxR|gw`DsZ$RY2ZgeqfqkTZg82g|x$7=WTvGFE7`}E{61&MtKJ}<|*;(TX1~$aE6(b zg_C`9l`g1P_dXttx(zKE6)NSCWZMGrq znwBL@C)5n|N;Xr4?dGc(V>A6Git=3^-FJM&eQf>p5FlsMMGWt_Y-z5|RAKYNERHX@ zM5ZazvK3Bi*R_OBs0WbWR+s!MAzR%1Z)h0XPBU4B!ZH z`w!y`JQf!Uk|=xzbr8u@zu~{4sIf)C4*-IOb{0)Q0u#++U@k!Q6jVh41enDuJx40U zhB>%4f`*Xn%(mn;f}za-J06#Zdo@cvOL;NfN|~7cXfSG~w^$jd>GZM$QZ85>Y-`EE zHFiBt!ON1-eNt4@Ki8B~5E4k-kG3I8Tax%NXi~GG*P@ftY|Et)-Iu6q@rBWWar$SQ#QS8!?8dB5*6$<7Ep zp3{B>GcE(uNIB|eaY(OIxSnX;Yg4LEez7SMnAJg(gnvw}$qwm878EB7AFy$MJl_qj zT;-!2b!GjX^KX-4yzDvXUpLDHvhP2*Rq1LB9UKP-<+^G%Whm{Kb04bkDFyxHrK|V(URGIu^*C4vo_FgO>rCj= zmD28ofuSm;{=nQogV@4MGn8&=47W$~b#v#<%cn&#`jS>H$5w^zK-&namtJC0xN3ks zT&-G=Hjt{IgXSLVwa%erOs;pZix&+6i>(8c#<^+?h$;qlt%t2VoTLq$#-bSH3)z|z z4lkj$#{Nb94Hu`f-NqC3HR#f~+4aMFP`cMGiv@^$0E;;izbdWTN_R7AHOJC987=u^}u@1Wc1i7|Ca9RxgLm} zS0%vwe0W+~Q=Hhoj<<~{kX;T12UCk~NYRXB0! 
zGyt%YB+AqGnRS?Sp|xUW%JDrHYWxvM4*2kQn<(GsYrXWKEghVb+fxdT z*(E9|AiOh9_Lr%pqdr}KM>3Z&N{(PfH@=K2yVeB}1|Z+t_!8=+@ykFO@W1$#JnOw{ zA@3k`Z10_AvHF*8%3rC(_mc>gy|ij$_s;wuK@FuYOt|vcB>?_(}hoD;wQ^#1=Cg!z}Zg#-iB zj<(;*mH!L2__sf>o{o{aaWC#K(_#J!WB|jfzR3U}#sB8XvOd#LUF-gP{>nTnFd$08 zI2QbO=*hdM&w(*m!52cX|Ms!}^&()ibK=b9UG#rPUwL}(K0uj~IVbD<7Zd#_4dx$Y zocErW0AtYVVK4t36m#!d9AH`2vuytyV)kz*g1vhx0nCw#3I;n<{12wjfBnCgPT`-J zGqHF7{`r{!V|0F{Z}=Cj>EHg-52vHIp1*re^Y_nB3m9YJXPEKde@)L$CtUr%ZT63y z_W!oofAIzn;?NjtfIG2eWT&XEHuBSiPb5 zs0V0M?9mr&e{?eGWrYjy-uCK8A`817g`LqgrDfF39aaT@zpjv*-6i;z`D+mU8vt@t zA4=ap=zA1dr0{1L<@1W8O|gwirC4D{)$bXi+s)kS_7IuiTZLtjZ#E_`lo`;e&78}s z%$6UGF1;e-xylN)+FjK!t?HTSK6_lQb}!6bH~RQ{UvBzOkH%DDmczgN;pq?GpPvgo zTRLcywU8Lm;*+kUkCu7?Xmd2-x4+9!fAe2IKAOAPkC-7RI9|OelMFt@#tR*;sDT02 zimyg>{NB@j0yf^L$Z_t1->A$LOd}|k!6bfJ1!jh5KAovv7mVBO%j=^hp{k-Bh(?M;%LFp_ zn+b>QHQ*yP>~frjew~a!OE(qqy}#P^?r1WJP>8 z|67s-$C!OSwyh??+lzq%y8574<94$oebCmc11*A{hRupMW|cl@C#Oy7d|$mwlIAK| z1>r^E2zI5la{B2X5{U;XCizAmN%0e{G#-R8#93t+#GF z3IZY5|`6Cb<6dL6)7cQ(m62nZZec@kV~q>ac(ZyJ+4+*|p~} z(+%RPl6W)e+Wpmh>==ZqQ~{p3V@;;pXB0xvqyhLcOr2e!miGu+;_&KD4(-?uJ$oy)ZX0wMx{iUP33zXbr_ zeJKfwfwvf_Cp*8ynF)Z;@$#4N%{h;{kM$a`4CQD271;V3m~(2^GcXsdkLSNzAh*Xz z9a@n&19#_R%0pvm>f-s!-;KyBE`JTRgP!Z9HBHZpE4atX8pAhS9wDMt9Kk6(d4&ftEho}bh(BJahaXP3EALqI4fwLNY3)6 zc5X<~E_?JDh|9lG6qLYQJGFRvvWbHsddOzf+mO~uqM-{ zV_0t9r>iy)h+H(B9oeG`<4MyNXC-B>sw^b9Xm<<$$qwfPL9dLnX-Jn&z*Iw~T|=sb z2IgIBea5eA8mtU`z}qAJE~&-J+QZNY@*f&kla02|<)-_G#CSq(eq@*&Ven7cc~fn4 z)l48!(ctJq8qs=WZ6e9l9Agf&5i0OBzS*#w_)hA?|8@Bx)TAQ^};*S~j+~o;8;~4SkFC!ENQm<#{X( zNXG7>5aQ;(QG{BnK2axsCdo4C{`Vc1t}r#y*-6w7W@KdLX9#^rKr9`&;hc?+x+G0X z8=_cEKhxgRw0^M3=Qd@X3#xA2m(NsIOC+HCla58os?B%Mq&}fy1ODPXLg=r^rj2IF zdrk+dUh}VI0{0v5Y$X^Si~PK-IP`;iP2-P0xck(U0he|!kA6BV4hYeX3EIsb@h^9& zWrhO;F>k}_y;ESd%s*!A{;RY6P0h)QDsLw!m$j^X)u)Rex?*6m!zD5G4U|zRXqC9b z3)|~=zt-ra@$t4NG&;F1=I!IgT~R9Dov)5@$6vuERm-uF?CCG~zfh|6H%i_X66dCn z*4~SSq(cPiy6;u{q@&w_))PzF%PE!A5fRFV8gH-(K7^+}+USuN;0m-HHkn>33Mmb! 
zGo#q^Q*YSv*6jd9v-|m1E{IALGX3bnw{eVClj4O%6h)+-=-dByws zJw>Fuf+l>=azQ}Va04SZbBsR=3ac^k+x=nLyGg8>mU< zr-A5qkID31TGeVMf5V>pV_qW7a%Ir8994EL>{fT()g4Y7d84G$*o@#5(VpXMnQhmj zudm4m%!Vzxr0fy)mt}3O{sB=%+BN3I;kNt)WqCxtA=8mo0=qTpvrE0d4PbQHQ4=)P zS(ntzjz8x2Uy(bHh>02yzBnU)V! z`{KDeRw{3sRB_uc9u6XsGgjmeo&%JmGIEhX?Vo-lYRL!3iRWFZ?Iv6Scz4DVgk;pu^BMv$OUozw z^j<54&K=BG*xVjgEJES*ji{iScScMAb%_$Y+{OZc;~9Fmb)d)}-R|;0*-{7QK#SFz zMIU5NXl33b{EV(=_4v@6h#Pxz5n1WkMYEFNLGsEIG}t-C$W?Kyjl}b_Xv(88M)wVZ5>g>wmdk{3`f4&KzYNq=Y zd6~(bctyHKGPR!8oKlR<=d^%PMV>>wBB<=B95X-xmET zHUJJ%7*3C=&D@riw|W9_oF;_@F|sHXCp(jAM5^^@AM93fajun0IV>T$D*Oj1glU*6 z+vl#|T105h2w5EV)W1}(>?x7;(~lYD5yAJKV_z^SvR!N2-QK{y50BcN`B~hz=UkV$ zuyGP$!ff-9Wxwdgx@xjfnqZoO)8&zOtlNv+J8+fvjjY73lz>uR^sC>=9IrPtzm9WA zd^0~?fz+Po?*Zn;XVRd!FS&qGoE4hXd2NeNzp^9aOyivt=(TDTx$bCh{;gK7d(xqn zwF!;fkcHfpco0guT_O_;R8F8(ap!4pMOLX%R@2hKF-LETnfzApP(Xq-cyT9ioBw_- zgkQ_L$Ihv1p^JH^tG(p<>R6w^TdXt#F~IzNua)9fZg$G*aC?6?YBFQVx3%vM^Obn~ z>K_#^ZT4r^FUun-o*-Gfzff;%x`nBarIz|VK4lEbVymk;JBq|8>8TT`K_vAbN;IXc z_@wbD7&?u}347S%rRTG4RMrHJ{?j$Rcl{H9v5mx?gKf?>?iQ8Uej@iuUuQ3)(&wF` zBZ`N3`k#{P#J5J?4=%Vr!cn;fckl6^Sz#|jwUJ@{I@STv_HS7XiEK}R2t+t3Fqm&J zN#`cw-XdF0kjMrQUT8o3_fB~CB9%~2SVBzR;}lqAI-;f2j%ai|Mib?^CgIAREZU9V zeI%Zy`wWRF26J^%nTVc`>b;y@m1CUFe^g)N6gohalxmGO> ziVLB|)uLmkUu#D~Xe7J0J?sKts%-WcC3GvNW5>%p5$!m9EPB(+-+%d-&q~L(uL`wU z-wv+ynS6$~uBw#13qGg>m4Cd(2${^*ze|}5G0-|(ixG3XnbP-3sJ;zaD$u?dO{g&6 zXuG-B`|$Kt+6^pUs;%GA`J|dvz+vBcj?Bq>vJx8eOEYQif#GSm7u2bu`pVNgz#~_Z zQI+oH@2<}0K03Q1hDm@uNmuN#(}v+m5o^6v8Wid9xboK8?oW&|_+?trU*w`%SRlhQiO%$N z=IoI8nw>F@ic~1la!{xd=Wak`^h!|c(py``~CVhF{t+hU}*5{Tg6=>cwRcVni~UW{<)iw59~)368LM~0_J@`MXV zzc3rSmvTQEeS!qRQypkMZ-@k8d9+K8Emdn+Y-Nx>xAPQ#K1mj}efI?0%y?c zuX)Nr2kmk<=x%erWNT}cbb$qrIm+p?@}!zgvF~qs!Qt-dJ7{bB=lO0!WpVPPXX=U) z8G4&3=w%1%{9q>9^|+IW0d_dj?P!*!6*DELla`McukJsi)V zrhi!V)`AvoqrwK}VP=7LiMICh3OAep~>v^t=bCDb}| zV$ox4DAD?`(WxVw5CMnR~t4ToR;RTcXZ+FfAtwo zVdQcVKZf4qx@|X3Yvu_mRyGr|BSjegC}~pI8wIzQd<^f-Q(}X23btvz%f4=_B94dY 
z3Y=3s@sb??$b}L9@B<6|L${T}ivUr%P(2C&|K1S2A+ozxW%`cJZ0)BIxO6L2V0kj< za?1XvNJv^3Z?(7M<7IuLpiDO)$kq~>dP2958PcCXb<8K;$h)C4F4;4Dc>XQSVbr6k zO|t>#Lb%bnRwiooB>7-4%IckDU(D1_D5YRFOGRSUYg*!Rm5X_0(RF67%Pol3^;iZw z58`Q8gi5klZxBb*@%HTsbjrY5BD$oY{*tqBXkp-P-#bq|R+z)Y z-wl6RECR1+>)B~_rkk^Ye__H*ySgnAons`ON|%D3Cg5VYl=o-!r=I;H95G8gg{@~h zG)zm=mzwtx(xfpr*qkN?lj0GSsnqxstQe(bwv2L>(9)fvQ$a3<+=i3%c^F3VMx@Lrgf@YvFl7L z*2TJuA)c-n87s;dt6=j%H`wP`p#uSEFf3KvR$4coEs1Z{c6R342#epE3@GGqvQOYG zPa~sjg+0|+%|Fex=1;!Z=1|f#?YEB$+7>)Za>d71LQ<74X3jV_ZxWN2jfS0^pnR6x z@nxcGniHCf;q$uC3Y5~_=Ba?pu6<;N*Qe+PBD-e?zYne>tff@GHF}CfgHQ8djEv3i z8cu8u9pE%|ITOys8=HFE;Q7ZvaQ2FULbTWcb-uP1_Gr(BD^dncvG`zBo~Bfv742*y z>&)MWn`f9BiC~7@1f{Q=E@>U)SeZst*}5_;U6pz9X)mH%(oW&=7DBdq8=hB1R4_o`~HFwW?o9)C%e#o&xMe zpzJn|G=QplBSi2VswD2jlJY`gW#q+x#tnzMFq7q(GS?|fbV;s(fQ#-b-S|`KpEr)2 zGn_=tWP)h*HV%joGa)Mvf>>qJp5b=;6fst(x8xt9PD8zT3UzFS}p= zM6S8ibG5khJ)Ldey(~$rsd74uF)6F|fySP4teaT>TAf~;pralk@+V3){_>aq$!K!S zgH0geKJ1W9^YuHQ1P4wR-Ust43roM2z#npFKdhL#keQWr zahk+Pf-&v-WOIoaQ`7*nAsTdTZiGuYaLT&XJcx_5Q78pi|% zE+HXl-;24or-}*YSsYjXakjkpdg)~)zfv#A4E5!)sM7(kCq@PxTls3?6)2OT9atUV zp?pPW6qI*hBz5-&D>{WOuk+euQ^ooC0iWYNl#Ql@X&WewNa_iY@T)GIAu?2rT(}fc z{N=8alga~-&xsTXU6TMU3b?-{XEUH4vsg|_Hya#Dg?q|M?hmVS_Lr19JJuBs2cIlS zlKcLwW6A!aSQl^-O!OeX{R6jLLVTHUi%2AFc?1x) zk0W6aNA4Gf;kEUsj8E$ zg+$-m)xQp^MFeHIIT1dDU*00DBlkt3Y-DOr_f*hwa#7V4N>63It}tBQuPREgQ`6r# zV^!*GZB-VuP7%+8nm#)E@ooH4u!t_8>b&7v)SoU2YL{;1DBEL<()XL=pWvLLiu}Cb z@(VuHn{ZoyDVOU#{t&enNlMLs51?IDIYCZG0Uu7wKwt>+EG`z`qosw_w)S zOz}>1PZ*h%wpWe>Ewcy6>{^+lXc}uTmVZ=sI9j)fP>BPH!yVUpk(Ca55RZGMpVIru zYfciqUnO{FPhT95gY~U?K-QCLowHN6I8cF923ALMa4Psp<34^r=)UOR2L~jvN6!YF zK8hCKRa&buES_1Nzm5;|O$pIlHelj2F{who*^yTwIfc6Ua+v+TBONWn_H$u}f>t_6jRCV27YD&i(mN(Ud>$O$5 z(QRU_Kx*oO<(=wgsnwhXnzna45GI(x3Ilfpu(ou=$F|#MtR|};5!q^+HiIN>n|c-l za$=$xN`YQkGu^ZJt&PT!ZgS*$i(N?dX!ilhWCnZ?Mba8G8}ca?NiU3~hwi!5;_Xp>m#*pn z8dnpxptRbU6yuF1g0#ti37Emeu2Q7`0~7(GVg(wrgGVn zR11lDT6vZ_{)Cy1E2qM-r#(Cfh2$$z0jyG`oka1h&dDPlVr7cCiJDTxS* 
z>59O1E`6|>)(J!#7*s9OL6HG%S1($qa|${^lDE=AHGVAzYAO#xt5oRP z#8b=mpK6W@D%B?N&&H!k^zg#6?w7>pb>GV+k=i&o+uk?Q_e4IcLN0Q*YM z-;SJh)?D|B(10-zBB(Q7*T{aEdh{KW(CIpT@u70JG$9r47MFvv9=!vid2N~3H>h}{0&UUk9^_1DZ`$Km=PO0HQ@VSugc)KFW#FsHo(ahg@ z?x>kC;5oI{Ka#6QL7*3Rk_PQ8V>u+4o*mtvQAus*p~dSK$eV zoZYkK=Dsi5jTsv8lUu|+8-*@+g!t_@#!{1cJh&&skh!_$*(sA~RyGMP&n_k#|9J_3 z6LoPKfv6JP;s!%tX^e=uJbkG$uL!*_J=??w)Y3go{=1)AeyYxuJ8w2?1yMF(H$e*^ zO70<2W%uM^O>=OoBSISJEsc4QaZyd%Zn2I3StXh_3LD?yJ;KVF9h)w2ACVNX)eeSw ziL2joxgBfpGi_88uhs~X6Oj+J(d@vj) z3WY{o*iqehbm-ZYY)r-FDpsp;r9y8NEu}A|Ae_nf9XyBaH81GMpa|rY6xbZ+^1CZFy#hLXzE+ zRoQC@eR6Nu7=>$fbyDp}=7Jf%_!?~Z9b&r8;!{dX+Ey`RBiq#5>-8-B{_A?vGDmG+7;Ej)}XRw*-@Oz@!evPV;xf| zZy?!StC#J8F&qkEbMTBi+zHh)G)Bu6v9{L&)n!O?o=D3VN*VUM|CP!XZY0q$bf zU^~w9mo)bhw02HRYHj}y58L?;vJSpAOPpivawkXfDPvgB- z;xi8WKU1^}5<@-UH9@K*s)v%XwoWNij%Iqxsztte)9k6O_J|{WqJ~mg6drHZ>iw?= ze6>!d@K}52(tMP>%~^etmnW#0sV&A)a%${mad}^wSiUaHP{=jeeTL!(es^?7L=)mw zZvI@&n*jq<&O!|t+-EVR(#9aKz*YaXP zPj&fy>fAXqL7fOIi{L}cSL?3%@je?iFuL}WoJl^K{o*UX#Y3+*lsR|5* z&ApHt%>5E=!moX1YvN=@ogGC{s_yLAys2#u|EpeGohu@{`mF`iVHuTgx^$UfGw7eV zD1*f^en2t`t&x)yniX6_oOW-3j)~D&b3gmAy++TC`ebW|FoG0pe2eXmx0jG)c+%ij zw_|lXHCY^(akOp|zPMj(INnZW=x0`xM9(5xPa0RrxSh1k$&$X+f{`fn&QJfcX?6+c z%5Jy%=!z;$iLIsF&%Rw$3;%iKe!m|1ihnw&x0M6tQ$KdM=zbv1nb)_{`A)ka9`IP0 zeCvIO%($6jBUn*J3O=M-9`TGgk4P2z%`G%Bq4IocZ$B;{`XRzAX zVEI*QT4B}p5FE`Y)$K_dYnFZdnS^d!Lf!L6Vjm`VJ7(%_l1fHX9%L&eKBz#BHJOl> zQapF-T9IWA{u|O&0njaS2R&+r$!1Dz(MaO2#HDWCAHTc*EYffc(#g zA1Fw+p*Z|U*^KoXSgaaPI{?z=K>ih z*69H$K!gHkd+L>xTYQvQ+9@#kSAqd6j7g*9kBQEcN~{k)T}J4RDv(mpTQKUeui3Y` zYuA1u7Gv1o>pM>88vldX7MGCZfLg<(A*AdnDFQWtm!6Sv-6kq|tmL{Kp6mHhXQvEG z+D-60iv^XAQQs9UX^SfVRUMt0kzA;;%i;HP|CK<#23#ucI)MuIK>aG%c8LtO5>>6^ zbgJ6<{PtRP?4(>OQ0pID1ijjc545sPR&ERW9Q6HN&g9F%fS)7PSOf=r2-8Zfh~6@(ZILr=(L+*J!m(g($zGJrrs%BsTf|AlB;n2md#w$e@$ zw!o#F8~BWgz>M!PwRdTiZ}8#Tq46|8wtG+13@zuou2-*PQv9dTLM|CoPQ!MM7As4d z{O{2#ThRx4 z>G}Ae9DZNJ!@@|wh=cUp@}Ij>54hU8W!K8jN3c1cQg3h09g-lCVJw@KeI^}L@0Abt_!)A6PI7P({l0$z 
zG{p`DgcpaO6;#@x}gO0YuF2GMUkgp$-{?rjyPxft|nr#<8}u^ zyE`vrrX|L+>*~tC7g^icfqi1Q=-KN`K za#JB{1dw6fom1A6A-xY3>4*O^(aSM}$x4}j|I!?xXv>nXcrs+BE?8h@j&ZNvYA-EV z?#7oNm!;n%=FSCWj6}6)Pxn%oyfLTGo4BazZ*iQ=I|BZtvaBC%nMxnd&}o{gZ7#mJ z2rOEd@DJ&21H(E0+R2W(&f>bF`m6NQKgt?AHkKD2>B`hgGh|d5hcH5)4jmu*C`2i` zP}0b^rCU5jJ9yGRP!C^b=Uh&-nzmaR&8gW==!=a+W>wi3V|DK(Vp)8Q8lPd%Mvn!5 z7+Kc1Sv+=0b)KfR-@|jSY`sWd>GNV#isWE(v|e+FS?X zyXbaeg01=yTSDw0<8l`>HcPm0j~zwsRj&rd%$+~5+d)RRXM8srh1J*tIFty|N6y01 z`D}Pq!(%i$jEXT6D8LK{Tov`A{r@^F4BxRpds^v(N@zV$hCC$iQxTO0oGVJ<(#cj7 z*?TS(EaPI!lQF{$J>rfC5^7KD_MKC^c_y9aAY;pR{5TvDwbZXRvfq+Gi+0?9P&Ys1 z?YOZSojUcN3~*!I3De>DbN1x$ZqBmRvtykn;gF>nWvJ(EV9PeZB{?AGo7v(8J;$ea zccjk3U^(jG7)aMP^+zi?eI}k%@$ePj>CMCq0aVni`Ja|NqWnO$Vrzw}3D|9x5FW4rUtA&LHRCM^Q@LR3bT z)$k^0jour6m&5p?y|9SZy-0pSn7aJGrl|acfW&QsF9CWZ<%c&nLXKs-2$^_1*O-_2 zYtWf?c^kBW5jNv6`HSt6WZM9mHKarf-20)Mt9YH& zj!H(`s|LUPnFTnx77XbG6n#lMFyP<<3$?a>)YIUHP%aJBF)geHPJfV08l`-YHse<7 ztx1uGn5pXGdC}O*d*TwEnu7R;y@u@LCAYgt6wtp7FJOc+-(97DOoa||ZvODOwx$z0 z@0Kx4`&{K(iv4$F)Ba2>odhgfvb&9pKBQmk4C`cUvaMEuz!wdC&+pj@d$;o4x^kZ5 zCe^vQkneS^;*fHk49qVS3lK+l?!`*VA3^zn*^iZfKUP2sTp$am=2s(GE=qu2v-%9# z58Uw|GaKCtmpv<34LdHPeX^V;n#7ti z#$_FZI@Y;v3RKm&WS%wt-~aZXUxuX48@-;DBJ(o+->dtaa&unmPu0lLkNaI4Kb{VO zP@KyHk_1tWF|G3N62BW%|4!rrcr?7_j(ar Kx$N=tH~$BklGvgE literal 0 HcmV?d00001 diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md index f39a832b4..14287b240 100644 --- a/src/courses/delta/04.md +++ b/src/courses/delta/04.md 
@@ -21,6 +21,29 @@ There are several situations that warrant the use of the delta process. These ar
 Updated guidance sometimes modifies the control identification (ID) values of a given control. To make these modifications from baseline X to baseline Y, use the update controls process with the provided XCCDF guidance. The process checks if the new guidance changes the control numbers and updates them if necessary.
+Suppose we want to update our [Windows Server 2019 inspec profile repository](https://github.com/mitre/microsoft-windows-server-2019-stig-baseline/t) to the latest version. We would take the following steps:
+
+#### Step 1: Collect necessary files:
+1. Download or clone the Windows Server 2019 profile repository to your system.
+2. Download the [latest STIG](https://public.cyber.mil/stigs/downloads/) place the XCCDF XML file into your working directory.
+![File directory containing an inspec profile and an XCCDF XML file](../../assets/img/Delta_Class/Delta_Files_1.png)
+
+#### Step 2: Generate a profile summary
+Use the `inspec json` command to generate a profile summary of the inspec profile
+![Generate Profile Summary JSON](../../assets/img/Delta_Class/use_case_1-1.gif)
+
+
+#### Step 3: Run Update Controls
+Use the `update_controls4delta` method using the profile summary file, the STIG guidance file, and the controls directory for the inspec profile as inputs.
+```
+saf generate update_controls4delta -X ./windows-server-2019-v3r2-xccdf.xml -J ./profile.json -c ./microsoft-windows-server-2019-stig-baseline/controls
+```
+![Running the Update Controls command](../../assets/img/Delta_Class/use_case_1-2.gif)
+
+The output should look like this:
+
+![Update Controls Output](../../assets/img/Delta_Class/use_case_1-3.png)
+
 **Process:** Run `update_controls4delta` [return to top](#41-use-cases-for-running-delta)
From f5573e84855db2dbb8d667ab2d4dd612a3a42b49 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Tue, 10 Dec 2024 22:53:24 -0800
Subject: [PATCH 46/71] pg 4 and 5
Signed-off-by: Amndeep Singh Mann
---
 src/courses/profile-dev-test/04.md | 2 +-
 src/courses/profile-dev-test/05.md | 72 ++++++++++++++++--------------
 2 files changed, 40 insertions(+), 34 deletions(-)
diff --git a/src/courses/profile-dev-test/04.md b/src/courses/profile-dev-test/04.md
index e203b5e0b..47f44f531 100644
--- a/src/courses/profile-dev-test/04.md
+++ b/src/courses/profile-dev-test/04.md
@@ -1,7 +1,7 @@
 ---
 order: 4
 next: 05.md
-title: Test your Test Environment
+title: 4. Test your Test Environment
 author: Aaron Lippold
 ---
 
diff --git a/src/courses/profile-dev-test/05.md b/src/courses/profile-dev-test/05.md
index ab96b28ff..a0788827a 100644
--- a/src/courses/profile-dev-test/05.md
+++ b/src/courses/profile-dev-test/05.md
@@ -1,13 +1,15 @@
 ---
 order: 5
 next: 06.md
-title: AWS Testing Suite
+title: 5. AWS Testing Suite
 author: Aaron Lippold
 ---
 
 ## AWS Testing Setup
->
-> Note: This guide assumes basic familiarity with AWS. If you're new to AWS, please review the [AWS Getting Started Guide](https://aws.amazon.com/getting-started/) first.
+
+:::note
+This guide assumes basic familiarity with AWS. If you're new to AWS, please review the [AWS Getting Started Guide](https://aws.amazon.com/getting-started/) first.
+:::
 
 1. Configure your AWS CLI and set up your AWS credentials
    - If you haven't installed AWS CLI, [download it here](https://aws.amazon.com/cli/)
@@ -31,13 +33,17 @@ author: Aaron Lippold ``` ## Running Through the AWS Test Suite -> -> Understanding the Test Workflow: -> -> - **Vanilla**: Represents an unmodified baseline system -> - **Hardened**: Represents a system with security controls applied -7. List the kitchen instances with: `bundle exec kitchen list`. You should see something like this: +::: important Understanding the Test Workflow: +`vanilla` represents an unmodified baseline system while `hardened` represents a system with security controls applied. +::: + +7. List the kitchen instances: +```bash + bundle exec kitchen list +``` + +You should see something like this: ```shell Instance Driver Provisioner Verifier Transport Last Action Last Error @@ -53,10 +59,10 @@ author: Aaron Lippold bundle exec kitchen create vanilla ``` - > This step launches a fresh EC2 instance for testing +Executing that line launches a fresh EC2 instance for testing: ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen create vanilla +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen create vanilla -----> Starting Test Kitchen (v3.5.1) -----> Creating ... < OTHER OUTPUT > @@ -70,10 +76,10 @@ author: Aaron Lippold bundle exec kitchen converge vanilla ``` - > Convergence applies the necessary configurations to prepare the system for testing +Convergence applies the necessary configurations to prepare the system for testing: ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen converge vanilla -----> Starting Test Kitchen (v3.5.1) NOTICE - Installing needed packages Updating Subscription Management repositories. 
@@ -88,10 +94,16 @@ author: Aaron Lippold -----> Test Kitchen is finished. (1m13.52s) ``` -10. Run InSpec on the kitchen instance: `bundle exec kitchen verify`. +10. **Verify** that the Kitchen instance meets our requirements by using InSpec: + +```bash +bundle exec kitchen verify +``` + +You'll see the same InSpec CLI output that we've gotten familiar with in our other classes: ```shell - ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen verify vanilla + ➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen verify vanilla -----> Starting Test Kitchen (v3.5.1) -----> Setting up ... Finished setting up (0m0.00s). 
@@ -111,27 +123,21 @@ author: Aaron Lippold -----> Test Kitchen is finished. (0m6.62s) ``` +11. **Destroy** the Kitchen instance: + +```bash +bundle exec kitchen destroy vanilla +``` + +::: caution 💸 +Always remember to pause or destroy your test instances after testing to avoid unnecessary AWS charges. You can do it via `kitchen` or by going into the AWS Console. +::: + ### Analyzing Results - Results Location: `./spec/results/rhel-8_*` - Use [Heimdall Lite](https://heimdall-lite.mitre.org) to compare results: - 1. Load both `hardened` and `vanilla` results - 2. Compare to verify expected failures and passes + 1. Load both the `vanilla` and `hardened` results + 2. Use the `Comparison View` (look for the toggle underneath the files list after selecting the hamburger menu in the top left) to compare the results sets and verify expected passes and failures 3. Review corner cases for complete coverage -::: tip Always remember to pause or destroy your test instances after testing to avoid unnecessary AWS charges: -> -> ```bash -> bundle exec kitchen destroy vanilla -> ``` -> -> ```sh -> Pause your instance in the AWS Console -> ``` -> -::: - -1. Destroy the kitchen instance: `bundle exec kitchen destroy vanilla`. -2. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#18-updating-the-profile). -3. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/rhel-8_*`. -4. Use [Heimdall Lite](https://heimdall-lite.mitre.org "MITRE Heimdall Lite") to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases." From 31d8a3b3d061636500c0313824718a004a2b436e Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 10 Dec 2024 23:37:42 -0800 Subject: [PATCH 47/71] pg 6 
Signed-off-by: Amndeep Singh Mann
---
 src/courses/profile-dev-test/05.md | 4 ++-
 src/courses/profile-dev-test/06.md | 58 ++++++++++++++++++++----------
 2 files changed, 43 insertions(+), 19 deletions(-)
diff --git a/src/courses/profile-dev-test/05.md b/src/courses/profile-dev-test/05.md
index a0788827a..f1bbfc018 100644
--- a/src/courses/profile-dev-test/05.md
+++ b/src/courses/profile-dev-test/05.md
@@ -97,7 +97,7 @@ Convergence applies the necessary configurations to prepare the system for testi
 10. **Verify** that the Kitchen instance meets our requirements by using InSpec:
 
 ```bash
-bundle exec kitchen verify
+bundle exec kitchen verify vanilla
 ```
 
 You'll see the same InSpec CLI output that we've gotten familiar with in our other classes:
@@ -133,6 +133,8 @@ bundle exec kitchen destroy vanilla
 Always remember to pause or destroy your test instances after testing to avoid unnecessary AWS charges. You can do it via `kitchen` or by going into the AWS Console.
 :::
 
+12. Repeat these steps but replace `vanilla` with `hardened`.
+
 ### Analyzing Results
 
 - Results Location: `./spec/results/rhel-8_*`
diff --git a/src/courses/profile-dev-test/06.md b/src/courses/profile-dev-test/06.md
index e46d84fd6..a0dd4e31b 100644
--- a/src/courses/profile-dev-test/06.md
+++ b/src/courses/profile-dev-test/06.md
@@ -1,7 +1,7 @@
 ---
 order: 6
 next: 07.md
-title: Testing with Docker Containers
+title: 6. Testing with Docker Containers
 author: Aaron Lippold
 ---
 
@@ -33,26 +33,36 @@ Before running tests, configure your environment: Set these environment variables: ```shell -> export KITCHEN_LOCAL_YAML=kitchen.container.yml -> export VANILLA_CONTAINER_IMAGE=registry.access.redhat.com/ubi8/ubi:8.9-1028 -> export HARDENED_CONTAINER_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi8 -> (optional) export INSPEC_CONTROL='SV-230222' +export KITCHEN_LOCAL_YAML=kitchen.container.yml +export VANILLA_CONTAINER_IMAGE=registry.access.redhat.com/ubi8/ubi:8.9-1028 +export HARDENED_CONTAINER_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi8 +(optional) export INSPEC_CONTROL='SV-230222' ``` +Here we will be assessing vanilla and hardened container images. While many containers are hosted by Docker themselves on their [Docker Hub](https://hub.docker.com/) platform, organizations often deploy their own container registries. Red Hat makes their registry available at [`registry.access.redhat.com`](https://registry.access.redhat.com) - we will be using their [`ubi8` image](https://developers.redhat.com/blog/2019/10/09/what-is-red-hat-universal-base-image#high_quality__the_security_and_operational_benefits_of_rhel). Iron Bank is Platform One's hardened container image repository and is available at [`registry1.dso.mil`](https://registry1.dso.mil) - they publish a version of the `ubi8` container that they claim is more hardened than Red Hat's baseline. Let's use Red Hat's `ubi8` as the vanilla container image and Iron Bank's `ubi8` as the hardened container image and validate Iron Bank's claim of having a more hardened image! + ## Running Through the Docker Test Suite -1. List the kitchen instances with: `bundle exec kitchen list` +1. 
List the kitchen instances with: + +```bash +bundle exec kitchen list +``` ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen list +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen list Instance Driver Provisioner Verifier Transport Last Action Last Error vanilla-ubi8 Dokken Dummy Inspec Dokken hardened-ubi8 Dokken Dummy Inspec Dokken ``` -2. Create the kitchen instance: `bundle exec kitchen create vanilla` +2. Create the kitchen instance: +```bash +bundle exec kitchen create vanilla +``` ```shell +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen create vanilla -----> Starting Test Kitchen (v3.5.1) -----> Creating ... Creating kitchen sandbox at /Users/alippold/.dokken/kitchen_sandbox/de2da32d73-vanilla-ubi8 @@ -63,10 +73,13 @@ hardened-ubi8 Dokken Dummy Inspec Dokken -----> Test Kitchen is finished. (0m1.77s) ``` -3. Converge the kitchen instance: `bundle exec kitchen converge vanilla` +3. Converge the kitchen instance: +```bash +bundle exec kitchen converge vanilla +``` ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen converge vanilla -----> Starting Test Kitchen (v3.5.1) -----> Converging ... ... @@ -74,9 +87,13 @@ hardened-ubi8 Dokken Dummy Inspec Dokken -----> Test Kitchen is finished. (0m0.88s) ``` -4. Run InSpec on the kitchen instance: `bundle exec kitchen verify vanilla` +4. Run InSpec on the kitchen instance: +```bash +bundle exec kitchen verify vanilla +``` ```shell +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen verify vanilla -----> Starting Test Kitchen (v3.5.1) -----> Verifying ... Loaded redhat-enterprise-linux-8-stig-baseline 
@@ -93,7 +110,18 @@ Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
 Test Summary: 0 successful, 4 failures, 0 skipped
 ```
 
-## This is not the **Error** Your Looking For, move along
+5. Repeat these steps but replace `vanilla` with `hardened`.
+
+### Analyzing Results
+
+- Results Location: `./spec/results/rhel-8_*`
+- Use [Heimdall Lite](https://heimdall-lite.mitre.org) to compare results:
+  1. Load both the `vanilla` and `hardened` results
+  2. Use the `Comparison View` (look for the toggle underneath the files list after selecting the hamburger menu in the top left) to compare the results sets and verify expected passes and failures
+  3. Review corner cases for complete coverage
+
+
+## This isn't the error you're looking for, move along
 
 The error below is just Test Kitchen telling you that not all of the `controls` of the profile passed.
 
@@ -106,9 +134,3 @@ The error below is just Test Kitchen telling you that not all of the `controls`
 >>>>>> Please see .kitchen/logs/kitchen.log for more details
 >>>>>> Also try running `kitchen diagnose --all` for configuration
 ```
-
-## Next Steps
-
-1. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#updating-the-profile).
-2. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/ubi-8_*.`
-3. Use Heimdall Lite to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases."
From 0acf0b84a4ea0ef8a769f4b858fa0b5fb2b22b4d Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Tue, 10 Dec 2024 23:57:29 -0800
Subject: [PATCH 48/71] pg 7
Signed-off-by: Amndeep Singh Mann
---
 src/courses/profile-dev-test/07.md | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/courses/profile-dev-test/07.md b/src/courses/profile-dev-test/07.md
index 819aee9c4..b68dbfd4b 100644
--- a/src/courses/profile-dev-test/07.md +++ b/src/courses/profile-dev-test/07.md @@ -1,7 +1,7 @@ --- order: 7 next: 08.md -title: Pull Request Strategies - Choosing Your Approach +title: 7. Pull Request Strategies - Choosing Your Approach author: Aaron Lippold --- @@ -9,11 +9,11 @@ author: Aaron Lippold By the end of this section, you will: -- Understand GitFlow workflow for repository management +- Understand the GitHub Flow workflow for repository management - Compare micro and macro PR approaches - Learn when to use different PR strategies -## GitFlow Overview +## GitHub Flow Overview This project uses the [GitHub Flow](https://docs.github.com/en/get-started/quickstart/github-flow) model for managing changes. This workflow helps maintain code quality and collaboration through systematic pull requests (PRs). @@ -102,4 +102,8 @@ Consider these scenarios and decide which PR strategy you would use: 1. What are the key differences between micro and macro PRs? 2. Which PR strategy would you choose for a critical security patch? -3. How does GitFlow support different PR strategies? +3. How does GitHub Flow support different PR strategies? + +::: tip Why not both? +One approach is to have the small feature branches get merged into a version branch on successful review following the "Micro PR" approach. Then you can do a more holistic review of the macro PR associated with the version branch focusing more on having a consistent coding style, ensuring no duplicate `input`s got created, identifying InSpec controls that weren't modified when similar ones were, etc. Once the version branch is approved, it can be merged into the main branch and a release can be cut. +::: From dc6e632a023b9e11596ae3b87f4bb98986ad7e66 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 00:06:54 -0800 Subject: [PATCH 49/71] pg 8 
Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/08.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/src/courses/profile-dev-test/08.md b/src/courses/profile-dev-test/08.md index e26f9135a..9e16f4f0f 100644 --- a/src/courses/profile-dev-test/08.md +++ b/src/courses/profile-dev-test/08.md @@ -1,13 +1,13 @@ --- order: 8 next: 09.md -title: Security Benchmarks vs Traditional Software +title: 8. Security Benchmarks vs Traditional Software author: Aaron Lippold --- ## Understanding Security Benchmarks -## Key Differences from Traditional Software +### Key Differences from Traditional Software Security benchmarks differ from traditional software development in several critical ways: @@ -19,24 +19,26 @@ Security benchmarks differ from traditional software development in several crit - Each benchmark version is a complete, standalone entity - InSpec profiles must match their corresponding benchmark version exactly -## Development Approaches +### Development Approaches Two common approaches to benchmark development: - **Micro Approach**: Gradual, incremental development -- **Massive Approach**: Complete implementation in larger chunks +- **Macro Approach**: Complete implementation in larger chunks -> 💡 **Key Point**: Both approaches are valid - choose based on your team's workflow preferences. +::: tip Both approaches are valid +Choose an approach or combination thereof that is based on your team's workflow preferences. +::: -## Version Control Best Practices +### Version Control Best Practices -### Working with Branches +#### Working with Branches -- ⚠️ Never work directly on 'main' +- Never work directly on 'main' - Always fork from the latest release - Consider 'main' or 'development' branches as pre-release candidates -## Practical Exercise +### Practical Exercise Try answering these questions: 
@@ -44,5 +46,6 @@ Try answering these questions: 2. How should you handle new requirements that arise between releases? 3. What branch strategy would you use for a new benchmark version? ---- -**Remember**: Security benchmark validation is binary - it either meets all requirements or it doesn't. +::: important Security benchmark validation is binary +The benchmark validation either meets all requirements or it doesn't. It being an accurate, representative assessment (and thereby useful to others) requires that it be the former. +::: From 84503226324b06bee8f1fa05b2c8eba8e8b9eeaa Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 00:51:31 -0800 Subject: [PATCH 50/71] pg 9 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/09.md | 49 ++++++++++++++++++------------ 1 file changed, 30 insertions(+), 19 deletions(-) diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index d4d4e2942..485c8860a 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md @@ -17,25 +17,36 @@ By the end of this section, you will be able to: Security benchmark profiles require regular updates to maintain their effectiveness. Let's explore the three main types of updates: -### 1. Patch Updates (Minor Changes) - -- Frequency: Weekly to monthly -- Purpose: Address corner cases and improve testing code -- Version Change Example: v1.12.4 → v1.12.5 -- Typical Changes: Bug fixes, code improvements, test coverage expansion - -### 2. Release Updates (Intermediate Changes) - -- Triggered by: STIG Benchmark owner releases -- Example: RHEL STIG V1R12 → V1R13 -- Includes: New security requirements, updated controls - -### 3. Major Version Updates - -- Triggered by: New product versions -- Examples: - - RHEL 8 → RHEL 9 - - Windows Server 2019 → Windows Server 2022 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Patch UpdatesRelease UpdatesMajor Version Updates
ScopeMinorIntermediateIntermediate/Significant
TriggerThe validation code author desiring to address corner cases, fix bugs, or otherwise improve the quality of the tests.Guidance author making a new release of the benchmark to address new security requirements or update metadata such as the associated controls.The guidance author is significantly overhauling their nomenclature or requirement identification schema. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely.
ExampleAn InSpec control did not properly address a caveat specified by the guidance. Making the fix bumps the profile from v1.3.4 to v1.3.5.DISA publishes a new version of the RHEL 8 STIG going from V1R13 to V1R14 in order to adjust the check text command syntax for several sshd configuration related requirements amongst other things. Making the changes bumps the profile from v1.13.4 to v1.14.0.DISA adds, removes, and modifies a substantial number of controls due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0.
## Understanding Update Scope From 955f16bbb9c9a760b17a306cca7df50379912e68 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 00:54:29 -0800 Subject: [PATCH 51/71] pg 9 - forgot to update title so it has a number Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/09.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index 485c8860a..b7b845390 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md @@ -1,7 +1,7 @@ --- order: 9 next: 10.md -title: Understanding Profile Updates +title: 9. Understanding Profile Updates author: Aaron Lippold --- From 28ceec692336fb4ba4fe3acc71d99e6400aa871f Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 00:57:28 -0800 Subject: [PATCH 52/71] clarified language pg 9 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/09.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index b7b845390..561fe6dc4 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md 
@@ -36,8 +36,8 @@ Security benchmark profiles require regular updates to maintain their effectiven Trigger The validation code author desiring to address corner cases, fix bugs, or otherwise improve the quality of the tests. - Guidance author making a new release of the benchmark to address new security requirements or update metadata such as the associated controls. - The guidance author is significantly overhauling their nomenclature or requirement identification schema. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely. + Guidance author making a new release of the benchmark to address new or updated security requirements. + The guidance author is significantly overhauling their nomenclature, requirement identification schema, or control alignment. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely. Example From 43be27b74a1c97df0e50e9bc70dad0d2feb481ee Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 00:58:31 -0800 Subject: [PATCH 53/71] ahhhhhhhhh Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/09.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index 561fe6dc4..9e046c754 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md 
@@ -43,7 +43,7 @@ Security benchmark profiles require regular updates to maintain their effectiven Example An InSpec control did not properly address a caveat specified by the guidance. Making the fix bumps the profile from v1.3.4 to v1.3.5. DISA publishes a new version of the RHEL 8 STIG going from V1R13 to V1R14 in order to adjust the check text command syntax for several sshd configuration related requirements amongst other things. Making the changes bumps the profile from v1.13.4 to v1.14.0. - DISA adds, removes, and modifies a substantial number of controls due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0. + DISA adds, removes, and modifies a substantial number of requirements due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0. From 52d06c355b515b0fbd974432451d2352ca0b97f6 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 13:10:10 -0800 Subject: [PATCH 54/71] pg 10 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/10.md | 179 +++++++++++++++++++++++++---- 1 file changed, 155 insertions(+), 24 deletions(-) diff --git a/src/courses/profile-dev-test/10.md b/src/courses/profile-dev-test/10.md index a3a19a342..8ee0f2464 100644 --- a/src/courses/profile-dev-test/10.md +++ b/src/courses/profile-dev-test/10.md @@ -1,7 +1,7 @@ --- order: 10 next: 11.md -title: What Is `Done` for a Control? +title: 10. What Is `Done` for a Control? author: Aaron Lippold --- 
@@ -33,14 +33,14 @@ Understanding when a security control is truly "done" is crucial for security au You and your team might be wondering what 'done' means for a security control in your profile. Here are a few things to consider: -1. The security automation content and its tests are essentially a refactoring of the 'validation' and 'remediation' guidance already established by the benchmark. +1. The security automation content and its tests are essentially an alternative definition of the 'validation' and 'remediation' guidance already established by the benchmark. 2. The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. -3. The tests can - and usually do - capture known 'corner cases and security best practices' that are sometimes indirectly or not directly addressed by the benchmark but implied by the spirit of the security requirement being addressed. +3. The tests can - and usually do - capture known corner cases and security best practices which are sometimes only indirectly addressed by the benchmark but implied by the spirit of the security requirement being addressed. 4. These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. The 'is it done' litmus test is not solely determined by a perfect InSpec control or describe and expect blocks. It also heavily relies on you, the security automation engineer. Your experience, understanding of the platform you're working on, and the processes that you and your team have collectively agreed upon are all vital components. -Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. 
They will help you know that, to the best of your ability, you have captured the spirit of the testing required by the Benchmark. +Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured all requirements and the spirit of the testing specified by the benchmark. ## The MITRE SAF Testing Framework 
@@ -48,20 +48,19 @@ Our framework provides a comprehensive approach to testing controls. We call thi We consider a control effectively tested when: -1. All aspects of the 'validation' - also known as 'check text' - have been addressed. -2. Any aspects of the 'remediation' - also known as 'fix text' - that are part of the 'validation' process have been captured. +1. All aspects of the 'validation' - also known as 'check text' - have been addressed. This is usually straightforward. +2. Any aspects of the 'remediation' - also known as 'fix text' - that are part of the 'validation' process have been captured. Sometimes guidance authors mix the type of information between the 'check' and 'fix' text areas, so we need to comprehensively read all of the guidance to ensure that we've extracted all of the 'validation' content wherever it might be. 3. Any documented conditions that are Not Applicable, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. -4. Any documented conditions that have Not Been Reviewed, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. -5. The conditions for Not Applicable and Not Reviewed are early in the control to ensure the control is as efficient as possible. +4. Any documented conditions that require manual review, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed such that the control is marked as Not Reviewed on execution of the profile. +5. The conditions for Not Applicable and Not Reviewed are assessed early in the control to ensure the control is as efficient as possible. 6. The control uses the `only_if` block vs 'if/else' logic when possible to ensure that the control is as clear, direct, and maintainable as possible from a coding perspective. 7. The control has been tested on both 'vanilla' and 'hardened' instances, ensuring that: - 1. The test communicates effectively and fails as expected on the 'vanilla' testing target. - 2. 
The test communicates effectively and passes on the 'hardened' testing target. - 3. The test communicates effectively and fails on a misconfigured 'vanilla' testing target. - 4. The test communicates effectively and fails on a misconfigured 'hardened' testing target. - 5. The test communicates effectively and clearly articulates the Not Applicable condition for both 'vanilla' and 'hardened' testing targets. - 6. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. - 7. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. + 1. The test communicates effectively and passes as expected on both the 'vanilla' and `hardened` testing targets which were correctly configured. + 2. The test communicates effectively and fails as expected on both the `vanilla` and `hardened` testing targets which were misconfigured. + 3. The test communicates effectively and fails as expected on a misconfigured `vanilla` target, but then passes as expected on a properly configured `hardened` target. + 4. The test communicates effectively and clearly articulates the Not Applicable condition for both 'vanilla' and 'hardened' testing targets. + 5. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. + 6. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. ## Best Practices for Test Implementation 
@@ -111,10 +110,142 @@ For example: Let's practice implementing a basic control: -1. Create a basic control test -2. Add passing and failing scenarios -3. Implement clear communication -4. Test edge cases +::: code-tabs#ruby + +@tab Create a basic control test +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' +end +``` +@tab Add passing and failing scenarios +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' 
+ impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + tmp = mount('/tmp') + is_mounted = tmp.mounted? + describe is_mounted do + it { should cmp true } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +@tab Implement clear communication +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + describe mount('/tmp') do + it { should be_mounted } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +@tab Test edge cases +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' 
+ desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + only_if('This control is Not Applicable to containers', impact: 0.0) { + !virtualization.system.eql?('docker') + } + + describe mount('/tmp') do + it { should be_mounted } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` ## Key Takeaways 
@@ -132,9 +263,9 @@ You might use a Spreadsheet or CSV file, a Markdown or RST Table, or even a 'che All these methods are acceptable. The important thing is to **choose one method and use it consistently.** -When working with multiple team members, it's crucial to have an effective way to communicate progress, understand who is working on which parts of the security guide, and know what 'still needs work' without constant direct communication. +When working with multiple team members, it's crucial to have an effective way to communicate progress, understand who is working on which parts of the security guide, and know what still needs work without constant direct communication. -The tracking method will also be influenced by the PR process you and your team select - either 'Macro' or 'Micro' - as discussed in the [Micro vs Macro](https://mitre.github.io/saf-training/courses/profile-dev-test/07.html#micro-vs-massive-pull-requests-prs) section. +The tracking method will also be influenced by the PR process you and your team select - either 'Macro' or 'Micro' - as discussed in the [Micro vs Macro](./07.md) section. ## Example Tracking Table 
@@ -162,10 +293,10 @@ The MITRE SAF team has found the following best practices effective for organizi 1. **Group Similar Controls:** When working on a security guidance document, group the controls you are working on using the guidance indexes - such as the SRG ID in STIGs, and requirement major version in CIS Benchmarks. This allows for efficient reuse of repeated patterns of control implementation. -2. **Tags, Status Columns & State:** As a team, decide on the method for tracking work progress and agree on the terminology for concepts such as 'reviewed', 'tested', and 'done'/'completed'. Refer to the [`Tracking Table`](#simple-tracking-table) example above to understand how both 'technical' and 'business' requirements are tracked and reported for each requirement in the profile. +2. **Tags, Status Columns, and State:** As a team, decide on the method for tracking work progress and agree on the terminology for concepts such as 'reviewed', 'tested', and 'done'/'completed'. Refer to the [`Tracking Table`](#simple-tracking-table) example above to understand how both 'technical' and 'business' requirements are tracked and reported for each requirement in the profile. -3. **Assign Priority & Agree on an In/Out Approach:** Every benchmark will have easy, medium, and complex requirements and tests that need implementation. You will need to review every control in the Profile, but choosing an 'easy first, hard last' or 'hard first, easy last' approach can help your team make efficient progress quickly and avoid continuous 'context switching' between straightforward and complicated testing. +3. **Assign Priority, and Agree on an In/Out Approach:** Every benchmark will have easy, medium, and complex requirements and tests that need implementation. 
You will need to review every control in the Profile, but choosing an 'easy first, hard last' or 'hard first, easy last' approach can help your team make efficient progress quickly and avoid continuous 'context switching' between straightforward and complicated testing. -4. **Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the 'primary deployment platforms' that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. +4. **Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the primary deployment platforms that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. 5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. 
When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. From 7d9e6a828cd33b2c21b237456d75b15b387a079d Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 13:13:37 -0800 Subject: [PATCH 55/71] forgot to close the code tabs Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/10.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/courses/profile-dev-test/10.md b/src/courses/profile-dev-test/10.md index 8ee0f2464..7246aa210 100644 --- a/src/courses/profile-dev-test/10.md +++ b/src/courses/profile-dev-test/10.md @@ -246,6 +246,7 @@ If a separate entry for "/tmp" is not in use, this is a finding.' end end ``` +::: ## Key Takeaways From 769ee071003f98cc4495cfaaeb025cfee2297b27 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 13:33:57 -0800 Subject: [PATCH 56/71] slight reordering so that it's profile management, then profile updates, and then what is each kind of update Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/09.md | 349 ++++++++++++++++++++++++----- src/courses/profile-dev-test/10.md | 314 +++----------------------- src/courses/profile-dev-test/11.md | 119 +++++----- 3 files changed, 391 insertions(+), 391 deletions(-) 
diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index 9e046c754..9cb8b3163 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md @@ -1,72 +1,303 @@ --- order: 9 next: 10.md -title: 9. Understanding Profile Updates +title: 9. What Is `Done` for a Control? author: Aaron Lippold --- +# Understanding Control Completion in Security Automation + ## Learning Objectives By the end of this section, you will be able to: -- Identify the three types of profile updates -- Understand the scope of STIG and CIS Benchmark updates -- Recognize the forward-only nature of security benchmark updates - -## Types of Profile Updates - -Security benchmark profiles require regular updates to maintain their effectiveness. Let's explore the three main types of updates: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Patch UpdatesRelease UpdatesMajor Version Updates
ScopeMinorIntermediateIntermediate/Significant
TriggerThe validation code author desiring to address corner cases, fix bugs, or otherwise improve the quality of the tests.Guidance author making a new release of the benchmark to address new or updated security requirements.The guidance author is significantly overhauling their nomenclature, requirement identification schema, or control alignment. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely.
ExampleAn InSpec control did not properly address a caveat specified by the guidance. Making the fix bumps the profile from v1.3.4 to v1.3.5.DISA publishes a new version of the RHEL 8 STIG going from V1R13 to V1R14 in order to adjust the check text command syntax for several sshd configuration related requirements amongst other things. Making the changes bumps the profile from v1.13.4 to v1.14.0.DISA adds, removes, and modifies a substantial number of requirements due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0.
- -## Understanding Update Scope - -Important concepts to remember: - -- Updates are version-specific -- Changes only move forward ("forward-only" process) -- No "back-patching" to older versions -- Each requirement maps to: - - Source SRG document - - Control Correlation Identifier (CCI) - - Unique Rule and STIG IDs - -Example requirement identifiers: +- Define the criteria for a "done" security control +- Apply the MITRE SAF yardstick to evaluate controls +- Implement effective control testing strategies +- Create and maintain progress tracking systems +- Debug common control implementation issues + +## Knowledge Check Questions + +Before we begin, consider these questions: + +1. What makes a security control "complete"? +2. How do you verify a control works in different environments? +3. What's the difference between "passing well" and just passing? + +## Introduction + +Understanding when a security control is truly "done" is crucial for security automation engineers. This section will guide you through the criteria, best practices, and practical approaches to ensure your controls are complete and effective. + +## When is a Control Considered 'Done' + +You and your team might be wondering what 'done' means for a security control in your profile. Here are a few things to consider: + +1. The security automation content and its tests are essentially an alternative definition of the 'validation' and 'remediation' guidance already established by the benchmark. +2. The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. +3. The tests can - and usually do - capture known corner cases and security best practices which are sometimes only indirectly addressed by the benchmark but implied by the spirit of the security requirement being addressed. +4. These tests, like all human-written code, may not be perfect. 
They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. + +The 'is it done' litmus test is not solely determined by a perfect InSpec control or describe and expect blocks. It also heavily relies on you, the security automation engineer. Your experience, understanding of the platform you're working on, and the processes that you and your team have collectively agreed upon are all vital components. + +Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured all requirements and the spirit of the testing specified by the benchmark. + +## The MITRE SAF Testing Framework + +Our framework provides a comprehensive approach to testing controls. We call this the "SAF Yardstick": + +We consider a control effectively tested when: + +1. All aspects of the 'validation' - also known as 'check text' - have been addressed. This is usually straightforward. +2. Any aspects of the 'remediation' - also known as 'fix text' - that are part of the 'validation' process have been captured. Sometimes guidance authors mix the type of information between the 'check' and 'fix' text areas, so we need to comprehensively read all of the guidance to ensure that we've extracted all of the 'validation' content wherever it might be. +3. Any documented conditions that are Not Applicable, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. +4. Any documented conditions that require manual review, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed such that the control is marked as Not Reviewed on execution of the profile. +5. The conditions for Not Applicable and Not Reviewed are assessed early in the control to ensure the control is as efficient as possible. +6. 
The control uses the `only_if` block vs 'if/else' logic when possible to ensure that the control is as clear, direct, and maintainable as possible from a coding perspective. +7. The control has been tested on both 'vanilla' and 'hardened' instances, ensuring that: + 1. The test communicates effectively and passes as expected on both the 'vanilla' and `hardened` testing targets which were correctly configured. + 2. The test communicates effectively and fails as expected on both the `vanilla` and `hardened` testing targets which were misconfigured. + 3. The test communicates effectively and fails as expected on a misconfigured `vanilla` target, but then passes as expected on a properly configured `hardened` target. + 4. The test communicates effectively and clearly articulates the Not Applicable condition for both 'vanilla' and 'hardened' testing targets. + 5. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. + 6. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. + +## Best Practices for Test Implementation + +### Passing Tests (Passing Well) + +A well-implemented passing test should: + +- Clearly communicate success conditions +- Use simple, direct language +- Include validation of edge cases + +For example: + +```shell +✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. + ✔ All system security patches and updates are up to date and have been applied +``` + +`Passes as Expected` also encompasses: + +- The conditions for the Not Reviewed and Not Applicable states for the control, if any. 
+ +### Failing Tests (Failing Well) + +When implementing failure scenarios, ensure: + +- Clear error messages +- Actionable feedback +- Proper error handling + +For example: + +```shell +✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. + x The following packages have security patches and need to be updated: + - package 1 + - package 2 + - package 3 + - package 4 +``` + +`Fails as Expected` also encompasses: + +- Misconfigurations, extra lines in files, extra settings, missing files, etc. + +## Hands-on Exercise 1: Creating Your First Control + +Let's practice implementing a basic control: + +::: code-tabs#ruby + +@tab Create a basic control test +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' +end +``` +@tab Add passing and failing scenarios +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. 
Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + tmp = mount('/tmp') + is_mounted = tmp.mounted? + describe is_mounted do + it { should cmp true } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +@tab Implement clear communication ```ruby -tag gtitle: 'SRG-OS-000480-GPOS-00227' -tag gid: 'V-230221' -tag rid: 'SV-230221r858734_rule' -tag stig_id: 'RHEL-08-010000' -tag fix_id: 'F-32865r567410_fix' -tag cci: ['CCI-000366'] +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' 
+ impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + describe mount('/tmp') do + it { should be_mounted } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end ``` +@tab Test edge cases +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' 
+ impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + only_if('This control is Not Applicable to containers', impact: 0.0) { + !virtualization.system.eql?('docker') + } + + describe mount('/tmp') do + it { should be_mounted } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +::: + +## Key Takeaways + +- Control completion is more than just passing tests +- Use the SAF Yardstick as your guide +- Clear communication is essential +- Track progress consistently +- Group similar controls for efficiency + +## Tracking Your Progress + +Updating a 'Patch', 'Release', or 'Major Version' can be a challenging task. However, there are several methods a team can use to track progress. + +You might use a Spreadsheet or CSV file, a Markdown or RST Table, or even a 'checklist' on the 'Pull Request' that your team updates as progress is made. + +All these methods are acceptable. The important thing is to **choose one method and use it consistently.** + +When working with multiple team members, it's crucial to have an effective way to communicate progress, understand who is working on which parts of the security guide, and know what still needs work without constant direct communication. + +The tracking method will also be influenced by the PR process you and your team select - either 'Macro' or 'Micro' - as discussed in the [Micro vs Macro](./07.md) section. + +## Example Tracking Table + +The key to effective tracking is simplicity. This ensures: + +1) Each team member can easily understand what and how they need to document their progress, and +2) They will actually document their progress. 
+ +### Simple Tracking Table + +| Assignee | Control | Priority | Reviewed | Tested | Text Updated | New Resource | Inputs | +| -------- | --------- | -------- | -------- | ------ | ------------ | ------------ | ----------------------- | +| John | SV-230221 | N | Y | Y | Y | N | None | +| John | SV-230222 | Y | Y | Y | Y | N | `disable_slow_controls` | +| Jane | SV-230223 | Y | Y | Y | Y | N | `use_fips` | +| Bob | SV-230224 | Y | Y | Y | Y | N | `data_at_rest_exempt` | + +In this example, we used a simple markdown table. However, an Excel Spreadsheet, Google Sheet, or CSV might work better for your team. + +Ultimately, the most important thing is to track the work. The method you choose to do so is a team decision. + +## Considerations for Grouping Work + +The MITRE SAF team has found the following best practices effective for organizing our work: + +1. **Group Similar Controls:** When working on a security guidance document, group the controls you are working on using the guidance indexes - such as the SRG ID in STIGs, and requirement major version in CIS Benchmarks. This allows for efficient reuse of repeated patterns of control implementation. + +2. **Tags, Status Columns, and State:** As a team, decide on the method for tracking work progress and agree on the terminology for concepts such as 'reviewed', 'tested', and 'done'/'completed'. Refer to the [`Tracking Table`](#simple-tracking-table) example above to understand how both 'technical' and 'business' requirements are tracked and reported for each requirement in the profile. + +3. **Assign Priority, and Agree on an In/Out Approach:** Every benchmark will have easy, medium, and complex requirements and tests that need implementation. You will need to review every control in the Profile, but choosing an 'easy first, hard last' or 'hard first, easy last' approach can help your team make efficient progress quickly and avoid continuous 'context switching' between straightforward and complicated testing. + +4. 
**Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the primary deployment platforms that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. + +5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. diff --git a/src/courses/profile-dev-test/10.md b/src/courses/profile-dev-test/10.md index 7246aa210..0f48dc35f 100644 --- a/src/courses/profile-dev-test/10.md +++ b/src/courses/profile-dev-test/10.md 
@@ -1,303 +1,59 @@ --- order: 10 next: 11.md -title: 10. What Is `Done` for a Control? +title: 10. Security Benchmark Profile Management author: Aaron Lippold --- -# Understanding Control Completion in Security Automation +## Introduction to Profile Management -## Learning Objectives +Security benchmark profiles are critical tools for maintaining system security standards. Before diving into the implementation details, let's understand the fundamental principles that guide their management. -By the end of this section, you will be able to: +## Core Principles of Profile Management -- Define the criteria for a "done" security control -- Apply the MITRE SAF yardstick to evaluate controls -- Implement effective control testing strategies -- Create and maintain progress tracking systems -- Debug common control implementation issues +### 1. Version Control and Integrity -## Knowledge Check Questions +**Key Rule: Keep Versions Separate** -Before we begin, consider these questions: +- Never mix requirements from different versions +- Each version represents a distinct security baseline +- Example: Don't combine STIG v2.5 requirements with v3.0 requirements -1. What makes a security control "complete"? -2. How do you verify a control works in different environments? -3. What's the difference between "passing well" and just passing? +### 2. Completeness Principle -## Introduction +**Key Rule: All or Nothing** -Understanding when a security control is truly "done" is crucial for security automation engineers. This section will guide you through the criteria, best practices, and practical approaches to ensure your controls are complete and effective. 
+- Security benchmarks must include all requirements for a specific version +- Think of it like a recipe - missing ingredients affect the final result +- Focus on one requirement at a time during development +- Example: A Windows 10 STIG profile must implement all controls specified in that version -## When is a Control Considered 'Done' +### 3. Release Management -You and your team might be wondering what 'done' means for a security control in your profile. Here are a few things to consider: +**Key Rule: Meet All Standards** -1. The security automation content and its tests are essentially an alternative definition of the 'validation' and 'remediation' guidance already established by the benchmark. -2. The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. -3. The tests can - and usually do - capture known corner cases and security best practices which are sometimes only indirectly addressed by the benchmark but implied by the spirit of the security requirement being addressed. -4. These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. +- Release readiness is determined by: + - Passing all validation tests + - Meeting security hardening requirements + - Achieving expected thresholds -The 'is it done' litmus test is not solely determined by a perfect InSpec control or describe and expect blocks. It also heavily relies on you, the security automation engineer. Your experience, understanding of the platform you're working on, and the processes that you and your team have collectively agreed upon are all vital components. +### 4. 
Testing Environment Standards -Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured all requirements and the spirit of the testing specified by the benchmark. +**Key Rule: Use Standard Baselines** -## The MITRE SAF Testing Framework +- Start with vendor-managed standard releases +- Test against both: + - Default ("vanilla") configurations + - Hardened configurations +- This ensures real-world applicability -Our framework provides a comprehensive approach to testing controls. We call this the "SAF Yardstick": +## Best Practices for Implementation -We consider a control effectively tested when: +1. Document your testing environment +2. Maintain a changelog for each profile version +3. Use version control for tracking changes +4. Test thoroughly before releasing -1. All aspects of the 'validation' - also known as 'check text' - have been addressed. This is usually straightforward. -2. Any aspects of the 'remediation' - also known as 'fix text' - that are part of the 'validation' process have been captured. Sometimes guidance authors mix the type of information between the 'check' and 'fix' text areas, so we need to comprehensively read all of the guidance to ensure that we've extracted all of the 'validation' content wherever it might be. -3. Any documented conditions that are Not Applicable, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. -4. Any documented conditions that require manual review, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed such that the control is marked as Not Reviewed on execution of the profile. -5. The conditions for Not Applicable and Not Reviewed are assessed early in the control to ensure the control is as efficient as possible. -6. 
The control uses the `only_if` block vs 'if/else' logic when possible to ensure that the control is as clear, direct, and maintainable as possible from a coding perspective. -7. The control has been tested on both 'vanilla' and 'hardened' instances, ensuring that: - 1. The test communicates effectively and passes as expected on both the 'vanilla' and `hardened` testing targets which were correctly configured. - 2. The test communicates effectively and fails as expected on both the `vanilla` and `hardened` testing targets which were misconfigured. - 3. The test communicates effectively and fails as expected on a misconfigured `vanilla` target, but then passes as expected on a properly configured `hardened` target. - 4. The test communicates effectively and clearly articulates the Not Applicable condition for both 'vanilla' and 'hardened' testing targets. - 5. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. - 6. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. +## Summary -## Best Practices for Test Implementation - -### Passing Tests (Passing Well) - -A well-implemented passing test should: - -- Clearly communicate success conditions -- Use simple, direct language -- Include validation of edge cases - -For example: - -```shell -✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. - ✔ All system security patches and updates are up to date and have been applied -``` - -`Passes as Expected` also encompasses: - -- The conditions for the Not Reviewed and Not Applicable states for the control, if any. 
- -### Failing Tests (Failing Well) - -When implementing failure scenarios, ensure: - -- Clear error messages -- Actionable feedback -- Proper error handling - -For example: - -```shell -✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. - x The following packages have security patches and need to be updated: - - package 1 - - package 2 - - package 3 - - package 4 -``` - -`Fails as Expected` also encompasses: - -- Misconfigurations, extra lines in files, extra settings, missing files, etc. - -## Hands-on Exercise 1: Creating Your First Control - -Let's practice implementing a basic control: - -::: code-tabs#ruby - -@tab Create a basic control test -```ruby -control 'SV-257844' do - title 'RHEL 9 must use a separate file system for /tmp.' - desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' - desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: - -$ mount | grep /tmp - -tmpfs /tmp tmpfs noatime,mode=1777 0 0 - -If a separate entry for "/tmp" is not in use, this is a finding.' - desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' - impact 0.5 - ref 'DPMS Target Red Hat Enterprise Linux 9' - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-257844' - tag rid: 'SV-257844r925519_rule' - tag stig_id: 'RHEL-09-231015' - tag fix_id: 'F-61509r925518_fix' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] - tag 'host' -end -``` -@tab Add passing and failing scenarios -```ruby -control 'SV-257844' do - title 'RHEL 9 must use a separate file system for /tmp.' - desc 'The "/tmp" partition is used as temporary storage by many programs. 
Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' - desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: - -$ mount | grep /tmp - -tmpfs /tmp tmpfs noatime,mode=1777 0 0 - -If a separate entry for "/tmp" is not in use, this is a finding.' - desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' - impact 0.5 - ref 'DPMS Target Red Hat Enterprise Linux 9' - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-257844' - tag rid: 'SV-257844r925519_rule' - tag stig_id: 'RHEL-09-231015' - tag fix_id: 'F-61509r925518_fix' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] - tag 'host' - - tmp = mount('/tmp') - is_mounted = tmp.mounted? - describe is_mounted do - it { should cmp true } - end - - describe etc_fstab.where { mount_point == '/tmp' } do - it { should exist } - end -end -``` -@tab Implement clear communication -```ruby -control 'SV-257844' do - title 'RHEL 9 must use a separate file system for /tmp.' - desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' - desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: - -$ mount | grep /tmp - -tmpfs /tmp tmpfs noatime,mode=1777 0 0 - -If a separate entry for "/tmp" is not in use, this is a finding.' - desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' 
- impact 0.5 - ref 'DPMS Target Red Hat Enterprise Linux 9' - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-257844' - tag rid: 'SV-257844r925519_rule' - tag stig_id: 'RHEL-09-231015' - tag fix_id: 'F-61509r925518_fix' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] - tag 'host' - - describe mount('/tmp') do - it { should be_mounted } - end - - describe etc_fstab.where { mount_point == '/tmp' } do - it { should exist } - end -end -``` -@tab Test edge cases -```ruby -control 'SV-257844' do - title 'RHEL 9 must use a separate file system for /tmp.' - desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' - desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: - -$ mount | grep /tmp - -tmpfs /tmp tmpfs noatime,mode=1777 0 0 - -If a separate entry for "/tmp" is not in use, this is a finding.' - desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' 
- impact 0.5 - ref 'DPMS Target Red Hat Enterprise Linux 9' - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-257844' - tag rid: 'SV-257844r925519_rule' - tag stig_id: 'RHEL-09-231015' - tag fix_id: 'F-61509r925518_fix' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] - tag 'host' - - only_if('This control is Not Applicable to containers', impact: 0.0) { - !virtualization.system.eql?('docker') - } - - describe mount('/tmp') do - it { should be_mounted } - end - - describe etc_fstab.where { mount_point == '/tmp' } do - it { should exist } - end -end -``` -::: - -## Key Takeaways - -- Control completion is more than just passing tests -- Use the SAF Yardstick as your guide -- Clear communication is essential -- Track progress consistently -- Group similar controls for efficiency - -## Tracking Your Progress - -Updating a 'Patch', 'Release', or 'Major Version' can be a challenging task. However, there are several methods a team can use to track progress. - -You might use a Spreadsheet or CSV file, a Markdown or RST Table, or even a 'checklist' on the 'Pull Request' that your team updates as progress is made. - -All these methods are acceptable. The important thing is to **choose one method and use it consistently.** - -When working with multiple team members, it's crucial to have an effective way to communicate progress, understand who is working on which parts of the security guide, and know what still needs work without constant direct communication. - -The tracking method will also be influenced by the PR process you and your team select - either 'Macro' or 'Micro' - as discussed in the [Micro vs Macro](./07.md) section. - -## Example Tracking Table - -The key to effective tracking is simplicity. This ensures: - -1) Each team member can easily understand what and how they need to document their progress, and -2) They will actually document their progress. 
- -### Simple Tracking Table - -| Assignee | Control | Priority | Reviewed | Tested | Text Updated | New Resource | Inputs | -| -------- | --------- | -------- | -------- | ------ | ------------ | ------------ | ----------------------- | -| John | SV-230221 | N | Y | Y | Y | N | None | -| John | SV-230222 | Y | Y | Y | Y | N | `disable_slow_controls` | -| Jane | SV-230223 | Y | Y | Y | Y | N | `use_fips` | -| Bob | SV-230224 | Y | Y | Y | Y | N | `data_at_rest_exempt` | - -In this example, we used a simple markdown table. However, an Excel Spreadsheet, Google Sheet, or CSV might work better for your team. - -Ultimately, the most important thing is to track the work. The method you choose to do so is a team decision. - -## Considerations for Grouping Work - -The MITRE SAF team has found the following best practices effective for organizing our work: - -1. **Group Similar Controls:** When working on a security guidance document, group the controls you are working on using the guidance indexes - such as the SRG ID in STIGs, and requirement major version in CIS Benchmarks. This allows for efficient reuse of repeated patterns of control implementation. - -2. **Tags, Status Columns, and State:** As a team, decide on the method for tracking work progress and agree on the terminology for concepts such as 'reviewed', 'tested', and 'done'/'completed'. Refer to the [`Tracking Table`](#simple-tracking-table) example above to understand how both 'technical' and 'business' requirements are tracked and reported for each requirement in the profile. - -3. **Assign Priority, and Agree on an In/Out Approach:** Every benchmark will have easy, medium, and complex requirements and tests that need implementation. You will need to review every control in the Profile, but choosing an 'easy first, hard last' or 'hard first, easy last' approach can help your team make efficient progress quickly and avoid continuous 'context switching' between straightforward and complicated testing. - -4. 
**Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the primary deployment platforms that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. - -5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. +Remember: Security benchmarks are complete sets of requirements tied to specific versions. Success comes from methodical implementation and thorough testing against standard baselines. diff --git a/src/courses/profile-dev-test/11.md b/src/courses/profile-dev-test/11.md index b94741697..6928b0a96 100644 
--- a/src/courses/profile-dev-test/11.md
+++ b/src/courses/profile-dev-test/11.md
@@ -1,59 +1,72 @@ --- order: 11 next: 12.md -title: Security Benchmark Profile Management +title: 11. Understanding Profile Updates author: Aaron Lippold --- -## Introduction to Profile Management - -Security benchmark profiles are critical tools for maintaining system security standards. Before diving into the implementation details, let's understand the fundamental principles that guide their management. - -## Core Principles of Profile Management - -### 1. Version Control and Integrity - -**Key Rule: Keep Versions Separate** - -- Never mix requirements from different versions -- Each version represents a distinct security baseline -- Example: Don't combine STIG v2.5 requirements with v3.0 requirements - -### 2. Completeness Principle - -**Key Rule: All or Nothing** - -- Security benchmarks must include all requirements for a specific version -- Think of it like a recipe - missing ingredients affect the final result -- Example: A Windows 10 STIG profile must implement all controls specified in that version - -### 3. Release Management - -**Key Rule: Meet All Standards** - -- Release readiness is determined by: - - Passing all validation tests - - Meeting security hardening requirements - - Achieving expected thresholds -- Focus on one requirement at a time during development - -### 4. Testing Environment Standards - -**Key Rule: Use Standard Baselines** - -- Start with vendor-managed standard releases -- Test against both: - - Default ("vanilla") configurations - - Hardened configurations -- This ensures real-world applicability - -## Best Practices for Implementation - -1. Document your testing environment -2. Maintain a changelog for each profile version -3. Use version control for tracking changes -4. Test thoroughly before releasing - -## Summary - -Remember: Security benchmarks are complete sets of requirements tied to specific versions. Success comes from methodical implementation and thorough testing against standard baselines. 
+## Learning Objectives + +By the end of this section, you will be able to: + +- Identify the three types of profile updates +- Understand the scope of STIG and CIS Benchmark updates +- Recognize the forward-only nature of security benchmark updates + +## Types of Profile Updates + +Security benchmark profiles require regular updates to maintain their effectiveness. Let's explore the three main types of updates: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Patch UpdatesRelease UpdatesMajor Version Updates
ScopeMinorIntermediateIntermediate/Significant
TriggerThe validation code author desiring to address corner cases, fix bugs, or otherwise improve the quality of the tests.Guidance author making a new release of the benchmark to address new or updated security requirements.The guidance author is significantly overhauling their nomenclature, requirement identification schema, or control alignment. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely.
ExampleAn InSpec control did not properly address a caveat specified by the guidance. Making the fix bumps the profile from v1.3.4 to v1.3.5.DISA publishes a new version of the RHEL 8 STIG going from V1R13 to V1R14 in order to adjust the check text command syntax for several sshd configuration related requirements amongst other things. Making the changes bumps the profile from v1.13.4 to v1.14.0.DISA adds, removes, and modifies a substantial number of requirements due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0.
+ +## Understanding Update Scope + +Important concepts to remember: + +- Updates are version-specific +- Changes only move forward ("forward-only" process) +- No "back-patching" to older versions +- Each requirement maps to: + - Source SRG document + - Control Correlation Identifier (CCI) + - Unique Rule and STIG IDs + +Example requirement identifiers: + +```ruby +tag gtitle: 'SRG-OS-000480-GPOS-00227' +tag gid: 'V-230221' +tag rid: 'SV-230221r858734_rule' +tag stig_id: 'RHEL-08-010000' +tag fix_id: 'F-32865r567410_fix' +tag cci: ['CCI-000366'] +``` From c68827cbe389d8628a982931a8b63f7018a2534b Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Wed, 11 Dec 2024 17:47:24 -0500 Subject: [PATCH 57/71] update use case 1, begin use case 2 --- src/assets/img/Delta_Class/use_case_2_1.png | Bin 0 -> 145022 bytes src/courses/delta/04.md | 20 ++++++++++++++++++-- 2 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 src/assets/img/Delta_Class/use_case_2_1.png 
diff --git a/src/assets/img/Delta_Class/use_case_2_1.png b/src/assets/img/Delta_Class/use_case_2_1.png new file mode 100644 index 0000000000000000000000000000000000000000..79929db8f607fef61abfda5b78376971b2daf4e7 GIT binary patch literal 145022 zcmeFZg3MD%mQ*%ob1O(}zICWGFl|I6B?dVA14~Qr^Ul&nu84+{7 z{z8&I;ud{I5lf6L(iP6aR7a>P-sWEt%;1zvR$j?)*`lGOG}+~&>l%a9aLBxra+KnB z4;x9kPvvvA=0o_Nwj3xv^PL}o@28-xLnOHnJ7bcEWxq~lJ0WJ`+hhUrB(FB!tbKxF=w{aBX&M@VP5Xu2@k7ZNhV zqtw&_!9W#?8h>u8z}%bAadL;z`@AInqP~?JY$K?av3#F?By<1fARIDw(yFacW851+ zyU+A|b@{_ivcaOYi9A-EAweMQYrzUGj)f>(q%CGfEL53;rrp-gZTw5hfDa!sKaRjD z?_CxSsqhPi!Kc_N#|7p-!rYyo0x~&KT=z8s9Vzt&N3a6lPFp@x3{$%nB^~W#$@78q z;10mwcnC!rcd--PlyY8M`hoMbB5_j?*dH05xr?~-cK*N-SU2tZ%4FG1U|jYyz_K&? zgE@Q?N9xQ^#M91$1tR}~xVQ||*GHxWs$mpsd#b*C>-xOB{S^M*N++DfvyO0|L%%na zbaZ8l&L6ATujdLovXpFZ1!K(+pPyXZ)${jhJ+DM8SwUHkJak4xc@f`mYaUMAr6UN& zwwA63r_=R^gvRv*5gFTwQf-_pGYb>HNAwa#eKxJqt{RDsLgo?Xar_4S42@S9a}<$$ znmIA+IeG;yrC|3Lq+@z<_ecT35k>BPRA}Tq|6qT_C51e9GAJeLQMzaYT|`Bk^j z$t#z0zXf!&8@i2!aWZutl0MuEv}C-NjrksU3GLC{0I^^)a}j%p_Rep2@w_ewScC zU|!-i7$G=0zT#f#FXeeTazhCdba{F^^GrLGtZmqkzWi(&w+Q!F`I-jaWH?#e>dL}} zcuk{!lf=MkpAWx}*EMNF<*3{y|0Lffzh_j$#)+Bq((f-^?_R60NRRYpbFL71E1F@{ zKh54&2v-H_ zBqhu@?N7=ctNMh!$CyTR^1aQ(eSt{d{`?cJ&f}?e-8#31c8p)xi{2w>K9M*~qGIPb zMx99IVyQTfSHn;!45VL2f6bxT3B-w_sEqQHW>of9rAmp?GA17lO%)%ePV2Q=ryLDw zk_2ZF|M2;k<^P?QpTs0n?lpdx1bx=d_UkGHR?&nkf)7{?7*@iH--v$ieIU9)B5Om) z3*C87mnhWTrlElnADU}mXvwDL6KBMwAvB3}boQwChR8lu>- zwJLk^#vOI>OYMsKNq`IFE=-t~7-t{tB?>oXRHQ<Qf>kN_lkF}Kh9JORY_G#zqhDT7ixZI zpP(xw_#RhCrqq}-nXjN$t7=wYKfd)ty@021NtOIprg`Y^z+b(;HGY(?rrC6T7g{<}mUNulVdN@KGXdB!dO7}cR zv-cito9q;iTZ}iBM(oY)O6@34EoFLXwc6xNN{>X%N6}JWMKl?GA(iq{}Vq*pl9W$5yvJvT?-YJH$57ocfv-OOU%WKQqT&hoO*R~w2_+!%LOEYVK!{jmL zeB^29QsnvNz$scu-ARPWhwRNZlI%u_xk<&`7F>HgJly0q;JKz@c=)3kAA=}^^2ybr zE;m``0h9rW_^@~(wFWiILZm|eLbpj(3-UelNv_E$%Rp|-6qb|=?gXp1+C+1hb4+ux zPT$iC)7q??b+;IPGF-j=`Ial&dbV(y^Wf}YZ=alhoA)apKL2a}rWaOVe%JH<-)2%? 
z_71j#PV>7i&Y_!$k?ej(THQ@f6^^U?@Az~{Wywf+offC_%1cuZQlZ17sW$b$bh;Z^ z?93gZyStlAPQ}g#j-1Z2wuMfOeZLIFIpR5n>+$Aq=eO#~ZSS{NcB8h+m)1avZX+xs zY3V|1McpSoR%BPx1LGlU)iZ?yDTisR&3%mnJ)Hq-Dr;xGQ-cXxjYC(@$NZD}=DXZ? zwzlan1=g?9H`1C2 zZZ2}jWU2xtHZQvQwaV|u*Y2-s{@^E-Sa<=|p;A2oq552RdUXQ}yd4q`wp1&iwc>P)Ke1E%=y(*EBUBGCu>!yn>qM6i;j6TRBOg$unSfBJB+z!cN z$zry3SWWE=k-3ra$;mTTwsSwNS@%Xq#G91cPT%GzcUcXSQHwE^2%qmhK#0Ey+|oBk zL&tp#BindoC~-dON$p9boJ(dB##SRFg9^QiG1;*((PJ#*_@?M{c_i{_?A0p9^h|_~ z@@I)PrdqAMs!gm!eQB|CvH6d@*5_y^qxEU9&zjE)Pa$#<8J_R`yD?WnFOzCG69(PY za5RqRSlkJn)%Gl7W-v@4sU4}6u527Uj@EmEm97$J4O^%~OXXiGC@k8K{KEZA{A`Hm zSS%SiSd#V6uM;x$cZ1)Bban9%xw6gH5$m&P%$FPQM?1>4#2vq3i{+1xPw>?2*ZsUQ z#onq0=dWY2((JLD+8|ZKQAbms*Vw7FlS-1*6q#9jx2Dcjlvm28dFwP3%e6I-Ho#Mo zTNGDx@B^*zgO*u~byou@?s?o)A^gWBU|>K6o~`M%cm0o-ur5fkc;c<$RWfBelbe}C zSX}X38`^=|r?r9$B&`?wHla%&YjLU^%gsitW)jHaF58 zHZ;w7Ijb~#+-?f-yS=&cX^w6lxys#dEQdIF?ICu1-}n-u7GnQ?8uyw4i<9(*l#`?} zIXam?MJ!ocTTuHcnG3LgP0QD9=)Z$nVs_}sYZc6!-Iz|s zt82d3gpXzAkEEds+V8TQ?Vs4|ZH1>^@h-W0+h(17+w1aoO1KnjZG?M%@2JjRiJr^N z8#qkR=I?QQ*|=)IvHtG9(5$4qRJZA+XY-lle3&*5{o;N@SL1}e0PM0*0O|~0O7n{N zRJz`Bb9;*V82jU08PrHI!D8xnz#aA+d6!@VED?6y6*Et--w=|noDmP<^i-Q$8@JEl zDZ4s7Lmz3>57cu%WWG~b8`({m1YzH8z|`Hm485+HPYTI!XB-*+_I{5qrzHR4=nNozu0?F}@+x8C1 z0_BmuJl^B%M{&KSw+L)9jiWryC~K08?v} zf1Qz|{Si=sZ_j|kB@^jCPa|z+BLC+aaT&OWAfh5BBLkdOjO`W-Q*jfA?f<|LjS)X1P0)EI3FV*A{{E0Z~7u22qVadi>SIF?k}J=(U~|xj%Rd}8Jr~E zu9WEFzD1N^d5b(5_%=|o9p_tgrdPIS=OS)bB5~MneA#4~&^Lzoq?xJ&<&=ct!LKn! zV}~mayjn)wMuztH7Tk^q58Vb_ot6YRM+7f;Mv~6lhErWl`@#hd>uL&>(D0G`gem_x zQA@m+!99yw)sG|kpF3FIRGVBlPrOAlaTrkkd*b^djC;oS3HJy3Kl%6pWD?~6p|!mb z&J2XUs6(6h`cE#RnSrih|HE1I{Zk61PWPueUq6ceIl>2?olV{U7&Sn9g^I&q2u5WS z<;wbVd=LE?>KXlG%m6JB84aI31DPl*`H#8(Yqad8?Ej>_vOr_eZK#?v3}J0B8Hlf5 zil&t{Ek1nvuFC0PcGzYpnQLKpqOkE@p<4Cr$|XKKxnxc_#y=**Er5guRnxYbu&UpP zPifwVYApB1F*l}IH<*+8=yke-_4+>A|2fAqG(^HvtD2cSZOq9Nta_HBZDzHi?MR2L zK&XGFy7~WbM?+LQEv{Ys?0d>m)7i_n=ZbsQ<+M@Q`ls{i_)c@n^sGc!=PQIqOEN`qIJU(@z$RAyCZrAI5(&!bjqi`l9ICyv=9dl*3}! 
zV&L*__n$A*9Opf2>jtY0pZpJgp-?~%48(Wq{_#%U$KZS?0`oj=q1q%3(B5GBTb%$- z8rVpB*XOHdepq6FviPsOEBNPh^F)@_Y8&1)pYvf!#-y}l5q32V<7%S?6M(4ClBHObfKXg8Y5J9iPNJ3wGFBXq1cm$j`P z&b5sT#dC(58rRy3H9`AP`hgtQp}CkNkbC$gd#1?x(3$gZ9DAEbOSgy4M{M=$(Zl>v z7(&+-@wHj3YOS9ycKsF?cJ=?3=^!PFsc$0n`jLB2)Pn9|gAjND&EeIlwbhHNHD2Pa zO)Iy}B*?BFY<9|VO3%$o?1}p4E@r*ow~J$*rP>v*?Zp>+zeWpWKqYj%IxZF(fo>0T zViZ0?ZNecTK8bFrr|>OE>zpU-ps}#Dr2*E43jT$*H-xyY!)PBs=JdfLpd?6h736sm za@b93lgcb#==ArBZ$pxL&m9QWzn#!`Y&@tTy%C~VZSO^m{fuBuJvkgiPQOQff8EoF z?XfM!+Me!qI70>aU4d*;C)P73eS+{n{6SiO(fA&amP-vES zJJYv8V1DK4vh|8DIsCozj7h@AiqHJwS^Cw!;3971nf~2rLddF2yH8W%M8SXb=Y2Zm zE7DGQh(6r#?CJHs8Dx%f9 zhTLdTTA!ymJQlq;04}#cI{u+fM%W|U0J$B591MeD`$6_8_GTh@XLE~}HDR$!hfcLA zZTmftJKL)uMR&thm#o8WdoK>d_Z6w2$2{qNpXJT6^_?5W(q^#+#jPty=Pj$Ub`#0b z1TV`Y4xaL@M+SALJ5FjY;7YwprflYmdMp z`^i_)DkHosOipvNyaSsEq08w*&J5_F`1mKj{4^)6E1UaE8@w$Z2Q%Q??&X5>(qYS0 zvyF2rY@w7hi9l|7m~SifkRAe+afYAtI4=SE!CkfernL>%<+3tkfy{|`?>7Z82=&D$ z;g^#&fDItzL#h-RRODT`{xzX{RpQ)Sm<`H*639msYrm%FD6P@tm(aw!diTEdu*rU8 zPw)KOP7u`V5ql4o9-uEo>={q?SL};C(d4|85@+B?_jgC%C^v%8zxjPKeU;gS;HG;m z&HA;iHFU#T?B`B?#$xknTxqHcl=_S+j~q7Lb6RGFi}ls$$FlsPqSwvX9u4KPS*mTf z_G@-;jPo3N$5OA`Jpqd$1%l9|2+#BE1u5`plmtCQ zWrah3Sm@Xrd;fCL?I>t7`4x$J3Q2IH4UQgUgJ#l$9hO8TuOtRZzi>kB6B_4po404~G4~&Yd$^q)p;r~Lsp)X! 
zz9pd87VzPASH1Oy)sR2x{mTPPyon@kvYERx$o-jP(Mm{A;vUR+```gxgp5MV3pr$gRhP1%x-Za4IqU)G2qY$DaRf-LE#L)(x3M@fO zKA9vf8n)c$J+t@RKSA0a7>F}5%}(5SHnXjbAhdfwn$S}9LB^FzO88ppq9Zp!Z&s~f zr)Q}4wl5HB<9U`6WPMF@Tr+1aU^~AgqI7qRegDajudiNu@O}+)mkmp4g{B0VVqZBM zv23z@zdr@tbG$V@{G=|@!dedff-0CfXO`h{I^KB+0`4^`dhDv;^;C0S;R1X5Rq5O6 zG8~OSw86*hTOa!jJ=dc+&)LbTHr)rW?tRM=10r1S(~|m1q|Vr}4Xtw%PT4asv$E>Q zoaf7-Jl4$@lXzw=m(`{6Fpf6yRf#gA8ENE!%>MU|$%Q2iOxRlsPITgNrMF`lcjuRh zKOkU-cv9&SDgKns`DyosJv|=QMP~Jq)I?rs!I(P*_3u*7i>=!M*k0EiY5EYsL)!?8 z2vk^x>fI(!Ykl}dbw+Fpm9s+$kmD~NX~6Fh~CMQU{c~s2)1(un6DLnI?&h>=eqF19`->jaQEnT z@yPK(&{I3VyzaKVoQ~XM^L->)y--!6@Gge`ssEwe|s4vKqD-WY}R<#lOB_m4E4Hr>_%6m(=)(^*KA+c*cpQq)2NN*Q zIwl4ZFF|7<(3nGDVeg5b-@`}l9n`#M$A#6dri~&F85LdM@Njcax(4_QkT|n!Xk%^c z>EGY*3g>W8^!Xl5Qi^zxW}P=hDAU>w8snH<3DCR)yYdxdZ+8WP`v@Y^18pe z6g`#G)fBAeSZsQ~pU)akBXHDomaL!Or+4oWYH4N#_zUknsezru-PdCN$8+Rk^AX@gsU`w~Gy!+MVO)b}sm?yHTCZBXY@6Ix6uf#Y?S})ey zP(FHCzosL+;ew0j==-1CCQmix!4|JtcyJGli~`*s$N2Iz@5sAO*G$$A5&4~>K)OQM z8W^wzuE;%(s~0f)-!A5%(9C~Co?J|0a$h4|`T#n;oLc63u9-oq-pYdagqc9zNj{!c zd-8Vp2(AEewfDVgY=t#i({;{I#fN3VmhSKNV%gol>@!y`>Jv-m0lp|Sq|FlN4CDnJ zSQxES^mui+0jR^h5Uob3$ALv7J$NT*A!0<3S?|W(R(5Z3Sh(X$N85l#dCM0Y&ucMq zYx0+$&56N)@gpw=?a+0N>}@<-*k^R^r}pjIgvO~Sk|26s_quw1mEL78ZK}A<8|JGW zwq{_z!bMWVg5P=d3^P4 z#e_NIx|7~|G=@R8g{tWGU0g*=U(I5Y%Z{x6EPm)&%9}y@Lb22#$DcPL(;*i%mFj@)b;#$kKXhP2?s${RbP9WM&z0rHv;OKUH$w(F>| zwEHz7buIH-;4AYI@}#9nt-Bioq5HlPXiNrtJqZ1WozT0L@ZZ=)uj7*k+k`U}pBLTV z0gfXCo9E-6#GHXewNG!p#qU;6O~izZ*1Nq{>i{oUt=F7utIx#eX}fg&BKxJ+1t(R8 zKP;j*<~CtyW152=mc8pa4-hnHdpFKYjCT%SAS;Qa^Ay|90^S# zKim7e$_z%?RmL?Tv{i+l4_y%C4WVD_Fk_qu55pA6Hu3l}7}?uRjU$T_O%FdYWBEKpEB!1DDqLs-H-VruFPhaJo#b{8aF5Hj$p2e@oZ~2eB!qD zP$Wf3Bxr+0%m{6aIVht6?4c~!G`>`(9e#P&r4R4ok9e&cvT|V#oq>IdaYI|ON8$FZ z*}!OTJZf>Pe7aRXAB}s+Im_5|U}a+gUUprKdEDt@gbdkV0pX`eYix2H*^f4@VA*^C zuWMpEr{xPBnD2!qt>hzh5SuRcl?2(-f$8Y!Nb!sJ*84gfI_I6KLn|@Yi|$R7Wb3pX zzu$}dTl_wb2^iF$dx%=~ANIfiG~_|*Ro(B}J-2;A9>M@Jy0I4N8n7FD{DhZL2hKvY 
zfQ?BM;RRpo2(*p(BnyXNhkBC0q=l{sN_=_D5)(R8k#{G+_YGQI{WLfV$68j5(+r3h@Ga&M6j@lnQE4{xdT|k9gw>w>%d0m>3k?;2*)sm3s z;?z|~W?||vRGhDO`}fh|Nnan+=R*bUoOcG;)X8oK${0ISFVYA+D_)VYUlFvxql@4% z0FE*LIXbT0!wlTA7kyA_1q5Yqa->R$!TZu~zj7W>5TDuYoska6zT7kS;-i61^2}b> zF=}As%O|6|SoT7gcqLfoN5=!MfPZBl_1@}Gn>qhyxLZi6*Xb7N)1uUll4l*}FV18Y zAeRP)hqsT}XgWj$0)n^){6SM%E69uos8i!1p&i}?P(P6Siumi(o>f-N(#a08r<6qQ z2jf5Jd|-oOFHa+DjufNS)+_HBKPd7G>iH$LrF9HQj6FJ}fv)bj0RfX^x@pl!f3cj} z?VV%Q56r#K{$aG6>G(T6H+sFP;fdI#+u1@T5N8@K!aUgW=)*S~{ z5HwvYpx%ZtJ5;lnPW#kqEmQMFePr<6fC(K>(XdAsI3a49*f9K)#)>aY1tKRoSgh7j z0e*LUZhE~Y-!Zwg;zT7d#+nI76!YY2SiD0NEtkYpS$%BZVo}4&%uq!KtOsO}psf znIkvp1}b`?^BRVWUOyrawr%pMH#@dqt_Sw0Z@yXA_dt)oTGwGa>HsN$y@&XgZ;IfE zbQD!hN0w-7MXgw~F|YA7n0ZcRQbmE!ByCK`poxCHz-*~Ffpf4;(>5|yVKc40`6$_< zL^D5h$n_PVCI~oh)|-wAwH*6_;FHFod);L=pafj&mmU^%>>O~P z#Z8LMc#>30leoU3Rhhx!y`fq+Bj4(3`_V34YV_LErn;T3&O3GW3sQE)z1jrTdPG;B zE!{7er^ji-W$c~q(~!9sM8fSbbW+*DDQEc#td35%irm-oIyot9bx*-{af+&Wvie&O zZqea`Ta;S3;ynT>W8bE&N0AjaDn8MX&yBz*+jOJT2f_^PDreoI*VXb(C?tzJxI_-_ z@P#afECBt0t!+_tyMbe#M{9Yftc*0#Zr%(V0tiMQ?Z$F$K}(!1=W^9@urU7(GnLC| zn=*JIB-|b=5ReXBVh9;q@VFLSDFA<_b!pCybJnNFl)5X?MK8F5evmuU*-QBRP&-jm zVC=`dB2UxO2#+PZJ~?`7aH8U5%>|U+f}GYHfn;x94yXIYQK?H8Gs(^{HxMQrSs&Wf zS3If30Hs29-$v{%0)Cchh130sKg2m2(__irRvMNS@G?1ns__6caeZ>VZ-3t*l~N(M z!4OnGd?QTYObI%B3d!B^T}eKUI4b2_g6P8@Jc3r72aljn(W9bqjO=J!EuNn>U9IFf z{X~a!`B%;yOXtFahSIc~i^H&!;c#K>I!LK*WsSgQolygjh;X7}ewIP#0z3a*g1uPH zI&3H0Wb~DD;e~-7p8XdW2a%J+3uE4U_?bX3tA`+GOARtgUCFtAzo=@Y&z-FQ*`q=O zL$IYt4gRw|qx-(#y9##_`r9(%K)%A#1T+|8xz5t;{jsk(#3jR5Tk7$eIn&R$9k%B4 z(IE6QK#y9)&39TnkKZX9xr!mz#>0_{n$npPJ97krh=PkRk+7L#*TugsH4zz|6(CK~ z$HP6BpN;XnJRiBZl7D7r$PQnjW|Q2VNqqIuFx|?3VOZd39vpA%6Vn27U7U=`*U_&d z|CfaBA0%|>xxeAujlWc$#8hSn1mh5DwM2fmRiSTU*dDg_M)k)(F(zG4`84^`!#R!1 zJ6q3ly}&y#xtNW)Uv;jEgN}*HIqo;);pLMRJ$>#zOn`NUo5MiCwlERnO=g8LTzes@ zpPJ$@%3EKUZHPDE`P|%?K+Zi{VJDZ+#ft@w&f=pWUwclh6d=Ra*uk?}+qA*jO28At ztvQ!A0Y>M!H?xbLd`51}&mKSXtmtZ3QU7@K<9%Pu<%f>E$JRn{I?h)d8fo1a-)_I0 
z+uQzrY_*YpaC148Ois7i+e&1m`Q^qSZ;Iw@urrQ!OrhrDsc)as(s#oHr~^SVi((f6 zU})hYfQ6}taR>8b)=jiNB47d55e|Z5_KoldO-Xy$lE$^S8IoV*HYD>?d^y zM|Sjn>0oxc14)`hjVG@*+CJ~Hpm#)U^u~@9R9atlY-(71&ZGInq)uqHTbjI@SQtE^ zUSv3m4R5NCrTM+-X~fv=nYfRUG3@s9C%KUR<;qxMVa@s3TrHf&0+#pqkh}xDp-1T1 zj-mJJWL$*oW&7prT=fJ-PJ*t}j5wZuP(9wN|59b*4p*N~KGkO9eub>t&q(tHi&%(G zz6_-$CqBC(%|~stK`#{3kVLV5=QlTnM)Ll8)GIK`O|w$5!6--BrBOT;KXk*FL3%Iw zIa?Xo-=&A~)xHm`AFh1qs%g_h=A7F0^9`!r$I7NzL#*CF#I6H+WO8@B1gKp9g$Z4! z4nNz|TM$<;wdyVHxoJ#dhgV|Ghp|t~0}J{I9(Apptf)yf;tMx)jA+F~?;{~J!KA1d zR!bwAbE#sz+>Ql}NzrXPfqc)BWijcTbWE>}VM@5Nyi?Ei+OK?TcVQ*W!>;;WVQ##b zjZxQaNs2>?gyUUlCMw7S&3lXbglb7GYCU!~6FCb`bHyI73R{EQj1_%YFm`AcJ&(n| zghb0cR|j47BS-Zse^ea-02hvy;yg5@SNc_>;AEo+HFEc!DFH002$F>bAn-BaLk^eDIB#M6_~{pbL1x|-vX4ZtrTNNX=RqQT>p zGJ}=6V^$ITyWckj5_bGyDJNrA*bw-!WNgmaC=Fz>>ZM{rt(WHyA_>?|-dqMFI^b3m z_7HIgv~KgiyA9+Fv0eJXa%(Kh8C>fmVDb5}_%!v{o%j@APSV`?=93tqg~Sref!9yH z;=%_4gL-d}n44q<{w0a-k-t`OzL|E(2 zF5enuoAZKCAI%`~dr3s%-kx#17@?SPFs(~Dj=hH9MS-H#z?f_Q>#;IM*-NY`c9mzm zc!tCL0~>j*9Q~g>TnCj0Z;^vuK3(t1{&gonJSu&kcI0lBwyyWOqF)*!XXEV0_%Y#G1dy_V11X>|Vy_}C!qC?H+apNS z+)&2G3mN_GcI|#?KFA8@yjoo;3%+uRen*B%#_ondqDz$Rw2&_bGEsP%(`-SpZ-&dv zXH7f)S}f4`OONy4d+vk_9BvPhBwa9x^;Tz)xsyNZIH`6x*SF^8MeLUYCyJL`vWNQ6 zRU=54%!>q4JI)2vs2gbBTrJDXLP!4#R@Cph=_JOl%Fns_R|vjVEmWV9l9CRr<7wmB zDau7|70l0u^R5P7<_-^T=YCKm_RnCGzkGIJJh{tarc!fgu$WQq340~t46^sAV>*e_ z(LbiawH|Tb`FGpVgRa4)WN2p)yqCUdBsCzGmuEx zBI+k(JZdbZ*pMb1_~a-0o*40K1dK@8qKLvha8Z@UsV=nMZqRWchk7crT2zKjj8}cO zj{V?x-QocwVJkX@(;8CkRx2A~0K+nCs@Sy%>1tj8X z-1C)Yg?zZS639!z|M5mgMF&%2`)r3Ej&?6%9|t?G#;rzwNGxcbS#)4v3u zzBXCA$Oe{kl62l@@99SMpM0GyMq>I5OAjB&x}7yN`q{2&FWsq`q3g7dSt*9A7i-OU z02!N|lKRVJ^lXLAq2i-g*BZ$c8_)G_na8Ylo!as25h%Cf*H?Xat#k^>5S%Dc$;VI5 zdherU*~}w~iR`=zZT?34UOE4@%Qs@R3`Bb0*S^!@c>h^8S>2`c(NPB~tHhp>sZYXM zF(K_@sjb*d3{|iV>`ga)<1zSJg8H0?C_)Fn^TqXprTYVYHAVHFq1e<}b8o(hif}hR z5?~ei<|{$Hjm$5!eMF$HGvje0tG|E87vFdgvrFFz<(pFX&9#v9cP11=cD*GX6(|4+i!(#X}O1(nk~cqc^du@;5Ap zk3{`fh~%x`>Av=1u!o<#>6L{i{CDt|-)vTmx&;dZp 
z|DX8hv3ExwScgZxM#2l=@Qobl(Ld1Y6e2|OXJ_n{Pe}a%bQG(jQ2C!&yPWTrh!>Zw z!eIGRexdLOApIdt^#>@OLgsB}HuFh3B+-V~G%ov}*eVH%#t?vh&V5FAAW1!~!X_tR zS9}d@%zxv409>VsdyK>|;Oe)7Tesp*3i#RBD!G54`oM&zHBfdXe(gkQmm5krkIC~8 zuxGsd@#gJ6*)XD&rP@>uac@j=pio^A*E$q~U@@k&J(L#Wdw zTGcs>; z{znJ6Q~*}~by0_CIey*k1n6>^xYq|1&#) z{rvy2%`XaR0}A3A9L zhupRG^3FTC2~LG-#k(a9yFU)Cog1~Cp&JR#+E&%?9=sRFR-jr&iv;G}a+cQkP=-|8 zv{%~NGH04%)sQQj;AAmbv;#DnbJVu3H*p@~nyRwv()GBQSO7{8=75Za$-?xshVxTZr63R!~qA7ItK+A#$I z$0=QBUFWIB#cJ3Jw%7E+j)Lz(6Oq5ka; z*zX9>aWXIXiM;hf>%2A-3mEV%KrI$}LTo6TEJ(1!MjK}UYjk|b&O0AePjMTDjZ=-H z6&IJC4GZuf1;;8oV7s&-H;gGlnsF_}N#EA31~WH2z_(EoZu4s|!={ye`s)EqYp$2; zoBM$FV#NV9wD(}d^RhCYd}ax#)tF@;1;SRZ)+mz;3sk#MV(MR4%|{+796~!eFKGf|lbGkk?%QJIy8!O`TE0{X&5{Et;N|BJ&d2SjwI?+#KYKS+*L7OJGP?SF zW4S3Z&pBl{b%ky(hjN2jKnh7ZRFi;OIjgt)E@!{c)0z>IE=!gACe0vJ=Cc>-2hOJ5Add5@G#X zxIoE6Wx~|#%#&h>Uz;R_umXVRU)8cF&Gd~Ji@+U#iC=7taPVBf<#rRzlfz^Z4rBdC3l1))6lZKtiu#jt-?`WJv1mY7$YY)X1^;OfYK)vBqAiGK6wzB^$C4^%j z*+Znx@B11hwySg@vbkiQ=Gw*#P<%*w^1gY}Kh!K}E7^y|!ue38Dvp6{oSP z+%lqYBOtDwQjz;Qa@QtntntHL)7Dd;wWI7ULvhqviZOt)Q|C7p5*ot0LzJLZRNkCmwkHjfo7SI>X2n zN9T!rlF`Z})lnCb{`{)OY?LwzF=GN-P)ifbx%8{mh%$kI57d)B+-3Y2MK{uX74D0! 
zTU>jDR3rRski8m?9D|FR+%FsUgJGLLF+lr=j-_tZg1f@gM;=FRJPD+?zX)%q6mFMm z4 zy<=63dU8JT@@B+Lt=NaBWiZJlK+cA9Qso+34jfF3Tao~zOFmsu^l-XVvDaQ-P?K(L z-A%(<$iS_GbWzDJh3JE~bx0!U7l!r%6Urtsl1FYA{}7WyfWUkfBO47KZeA)wAG>h6U@>a)tEC< zFhg4GtW>Rn=;W zM5JGteC4Ie45XKc$gHHQB+5gFCL)V+b&XPo_13-a1u))B>I&&< z2c+ETdlM~awO`?rTH*_;w%unoc3-~Q7utqbOsG+^?(as@qw{SP>h$O>ivNkFQ-F1?V;CU9dm6fvpuO98>&w`8Z3m{_@ zzsPxvrEqFnUQN^wa=uG07#^azx6J>&cp)!c0jlvlWUrCw52!r^U_oP754(Zf1Hf^x zsIOl4(|iB0miK+soPkvGS79b*?N0dI(w!4^LxPT7A4-uma=Ngo6m3&L< z7fGyN{f;*?!ha$AOVU^<0vc_Re^V_xgI3Rbkw1~nrL8?qpLX$E5e!|gc{5nsa#6hL z8DnJ{Mug*W(R)=EAXF6Pe%sq{q5i3;cw=&O`8z~~;(gINHv35VYfZv6X7yKgi(kiy zFKGIv@k8BC(k&T7+@oevY3!M)M_SB<^NPM3uf8FCgr|o0PO*ADPBCe{zZ1W{dN(S_ zvmr4G``|bRTuawX2itv{$8ASW9S|OuYkfeob(za$E1ABaQq_JdTt6yXh^&!tNcKyPh-wR7Em%r5!t^mIYMm*`5Jv% z$;~U_SEl?8pM@&)RVBk)0DP%S(ZJJr9%~b=!JyU3NLvbyx2B1s zs&bSoP$}8X(qYu;#}ko!!JxFI*dYH=EF7xGq zk`cG9K@t;7xCP1gl4jSV&03sruRLnF_CBG?H) zph^W04-~ti>6_dx!LfCyAh$wuiUA8r{`!>0=9}(OizZtP>I9isT-_~P1EaSjYqMYD zFrzd%qK#AcqmV1UgO?D>B+8;pD#EH_u$l1~edX3wn6C(o$TcTDP3rSqsOW}0{P!bC zy)7F@C~*LptQBKnV5Emi(k(3<)|kQZD(^Jht#tNa6F(E z?Rg(-ZS_>sCKqij-!)-xO&}DhK5`;V^nD9uWU);N&WyTr@sPdwB}MI z#=0K=MIq{nlq!RfW2L9&tXwl1q8;dib`6h=ixxJc{YKL3!0hW7hdC+m`UEPf}e)TEx!s%VqSM?7eDeYc*qHL2fnwMr-*#s`P?E&QqZ*@ zy{0^&op{sJM2DoZ+oHigO2X)u3)fw$dS1oow<4BKZT@!GQ_-g?Exo)+eWzn&;(Vi# zZ*7gg4i+TrH{>%!z!{K5Cc!yc8EKqBIOponQy4q3^cpzZ8b*g>tg7j0bRs@7_R4V} zThJJ?a5|nJMu*ey0#pl)tqa&jE-KE5zU=U^NSV-jV@>)RV^tCN?2+yBLOcL@75id` ztGq%nSR`E}i%;*@C+de&`HA{_?CVoG%G_!!cC#!zDO(v3gmxfW{`nIrau0_}D%p;- zt^~n2kkU_lwr}Z#EWy#Md8v$A@mp1ad{VfTi89o!ecpDAI(P^@yHbxCv>_Kes2o}3 zKA$HF7Cg~VgrkX0azHrTxE}u+B znqe#@pi!tYiF)}l+V&0KbT1IJ;bssvQd#C#U0(amqynshw{F^ zx>V3ZIUE*|NxqIJd9!jSK^M1kx6-nlj)IKm6@zbL;d@#&!RO%u6mKpBy7pQ5I{m(7 zG;G;sb9Jo4NhC#6((qw5>8|$mOG3&!XAs%5#lX)Oep~)tR?J(ug=J5=+2c*Pk3;x3 zyZ{OcWNC!LXBELp)Wf}Oqq0FiVtytlW}ZhOZH)(^G5AKyoAfKoqf__AbL6Np0$O(( zRV?2xGTdc>x1s1ty*+D!#bP#Sux&^M zb;Clvq2dEZ5j~7ApY2w3c%b+Z6#>O7mi&&+ri|_u+fGC4d8$^VXCL>ee=sI2?j7s- 
zv(sabe$FT*{JR;=1AH}&dZbW58u1Tc$GPdip)ic&b zAyM5!+*!u$%8E$O)9^3UlR6fbeL|Y{3iXG~HzMI@64o3AhpF#lw6E|S8zVNFMag_> zm^y9;rrs^2L?rdIC?mq`9+5KGh?VDQ2O7PJnbWrMKluaJ>huH zenf3Nn9M*uZT$0^ZloIm<*=o3>#jIaAne0}*cxl!wZzT2(Cv*q~gIZCusN2w62^N?9O`n<5(D1k6@m3H*QDG&KCFn{Z_+Z<{>PKz>p|Dv`0oT@rlSabF)X6)&5!XX7yH z_2Z!D!Rt*K6!rS?43u7u%A2d~;#b<^gL4_NP2TivWZPVPtZl+)lh}R1+>|f{#FtfS zc@Di*4zVswMqf2aBV7*+xx`U&5;88dU-s(?jY27>&`|BNi~EIDHLlMSkn+zB-Wz5L z-hS@pOlSAbI=zATqKYK4JblY=v%QX1tlKWywo_Bf6^`Sup4`O5iT)Z&bM-vZ%Sexm5p}mu#@qf7wVy(Nw4mqK z8(t$Hi?=Vg0~Ya+$8dyL;fXGObnry#D?x~_D{&{e+uQ*a*m3d=P*wj=yS z<2}XZ?x!QXrTZQGJ}W(_Up){6yehT0_<@snhNi^r!z$sMsC^e1ou^uF{^=rf8_vM* zZ6|ATbS;AYSxK8}2<#`TNtGK|NWMoDJ$SRR!4w>alylx$7-EMHBCil;RPLS4lXHBc zW5KXT)7sm3gJb`OoSi#KDK7|_RuPKP|J&MwBTLEj8G@toWRWX=O~cA^;_4LJ$>~5q zDmD7e8nNeWl(9r(7i339@#Dd7eaiA-kDd<5R&2gdNl*k%Qk$wqDjG4lXgC?6{TlaL zz+3is`7+%1YpIq|SVq&J4UOmP9U468ec5qAY=QYQ-K5V~TdgYgQ!^^U?Cpv@IYQ)Q zvspL{2JHl5(gpbgD5$UKI*hfOK37M@EqF@WRBEQEMqH}VUBO3V|ho>>vM;&KAw%nR?C4Z+$tB6>@oLxV|nifw-Gqe@>pB6O4tBT$JY8ltd|A(lvev7jE!aXe|9g;(bba%HjC^eKcQqtWhCEXnoD&3t@Go&;_ zch}G{aOVA<>s;qQ*grha-fOMZk% z`NGg6c<(I_E(||BAjqVkvxwNRz-*z)NK6d9Bw$hJzVbsQC{P2-q+lw?=&upYA^ z`HHHXn^lBMQO5%;Q@EQFA11e!gn;>VQsT~$t(7HmI(-dSJ5dS9V#upn_b8n}Y{sG+ zlYA5Vq`bGldAOTlYM9zyikpOgI6&VDR?KAevtFVjc>EJ^D#MiMdC49+g1CGB?qB)J z4M^!@Dq8}tI(mtAkDoeDZZKpfe|`i-4b>_0WIwmFElsg@&P$UQZn|sXcbnCiEl>!T z4rYHxAJvw4`Bz%mGJtNA2|Sb#xSiK2tf=Q?m>w5glA)%Yu}i+ZqvZ>wowt&qB+#_^ z5$HSpNBuU{i9ihvg(2&t1CaTvL#ow(Q_>3SvR*-|CUugX z6+}Xs3{t(iV`>y?{Drw~-WFzUH3e{@@0k9pwDhqeA-b893rrzMW97nB|xH#E-~wvw>%e)s&O1PZ4vZP9}r#U zh<5Kk5~wphtQYP{6<8IVsE&rsUG^&uaF{TyOY^Wgj(<7MLGv}J8n`F*1^Rx_lYUZI zYYnY5AqHQ5cWAE&rUuXmUo|?<#f6t8Vwdv#7qtYQ$Piz0FHr}h9}nXE5;g}Abu&R$HUZ;~ehlmj!??ED<&D5cGIy z^}YWI?z090#3697YuQSka^2Tj`-r;Yn6&sWDOFY|st};0SaYl?I8e%S|7L`L>l(lN zqIp6DN&B-ajX5Q{25)G>^Pxh&M|p zK962(hlGq&Gbpu)+D(2a(aw{;ZYM)6k<7aFO=|`VGOK4kI|GK-_7^wlcj`GbJ}h|Gh$n$(vin*qIw`h_z}0ZhRA~Cu*hYLX7lwYiKDq;P*j`f!d-Zs zI~dHrrQ^H`I8tzq8cX2bk7|>dlXdi7+y<@2`@g!jjOTe{s(NtSr+<0&_IwWW*xq5^ 
zMk0`;*>?>`ckA*{P3X(zG01V1Xij3wItG!E)x(QG>nBI0# zoq@KrZ+WB=icox38lV6rc-3_a5v(75mE;|G`LrL<&~Z?b;0-UDs`S!_n)d81-~<*v zU1EJc<~M~~xLZA2>lYCtqjKAixHtg^BGin_)MdC+sjaLK-{Lq_*Mo?%^vn9sW8?F8 zhZ2_qgcKtC(-tby`*WdcS`Z`$0B;p1=325N5s)AN$S^0!v92s!nk`QqJ&(47i1ArL zKcSf(q#VwSaLa0qB9ryVK!uf~65*fXbC`rTKq({rb*JdQw1KOpQ8_7);d2k{)*)eF zj{Z8$>kQYW^q9?O9~B5=Ye`2NE`FHlc^MkyhR#|skDhf;`Wd$T&DT8DtL`t+*Dz?jbU7j4R7l0h{^c5^ z;s2u`c2%))TfClfKrHuTe=QZmGBuXZ^M2Vhl!Y1UHEQuteCacPuQ)W!W+zY;&D+2G zEiM0BKHlg$`(5~|4UgH+RS2Xi^GRt}>4zIh3s;@>OgsmMipscR5`5XY$G_Hf`w-jTQDLKPPAlwGI-4LBGVK0g5ZvW@?Q33VI`_E=#F$C)Tf^v^0(Fh;`{rEN{t zm&J#rXy`|&T{L~RMT~n?W2ekST4Yjj0}5>_2ctjhzWaXU~Z>VBW=S+seM| z-XIS}>Q>MnMwa>~2j_+^O^rdS~eJYoN9hT9sT1XbAin--7 zWKZw(hf(^d1zH#^?gHWR$bVT1#eucMBA6NLBBeF3quW*r)_IakB9G)#Mt2C9YUSN(^b>V2^dDA?44`c6#wd@LgH2`tp2(2Kq2f}6z@(Jiq&Hj+!0q)+MJ*6f z##>FZk$Ou)J;~*r34=+f_#EA2<=R$TEi3Y-!fcA;=ziu(l9KNTj@#+)1zUIkNP5Bv z?Nsv_&vXjk9c7C39V$sM)NxCNE>{cyl9vYYh>3GXxpO?yf0$8Ge~O@i9j|L~IPxbf0%edU&tzf7?t5v`n14C$;j$ zNTxaw8gjMlTG5l`><8qQiWbYd(9b$#4gKYv7_>6KrB1Z#r2OZ6#wnBhcU3$lmS1~4 znZttOAv^f7l?@CLZn0W9_E12>d22YYXjUQBAEJUez$#s_|^uU z#JYj}T6g{2Pe&j_XmRk7ZUJP)^bu3ib;0XN7gnO}C8fSMgR}Emb@^?IZePnVlXf_^ zs&3O-W)qESUsV3;yPcZhDGwQ*#65JmUMD&M7((+pb&n!W4q6 z|H6luBNbI)&$p|5xii78kUt!dLaC8X$)^_tN@vbC4(~=U!@ZLN5xKFq2d98W{kuX^ z>ZK|pGLmzSaA|jm&sjM2aT|0Ss>y}Jm(%9M4w=8`UFgS@Pg{K{HBAYgRJpy44IV=` zoyeo#$F#g(018u3ZIj{4H+Pc}_;`T2{B1<4sa;d7-k6Tw`cMbD5TsTHjq#^F$u%396JeO-x zvSaYmz?xMaGpGLAM?9^CV>fa@H(8mrG|HHbFPe{0y^bDsRD|BO0wT>x);OL=l^H<= zPphW%{}(#)+*ma_hGh2*bs&sR@ejUN36XEQ=Ca|n2DYjg-KIl+rT>KX-lM|Mt}X0m zC9Ad6>C793p|+rPuT{^5+pSWc^qZdvlI;?Pg{^6^1GPto9f2hgyRU`eIA3-UWe&Gj zMM;APti>HshHv>KXRceaGiA(IqRY)8G+>%(MAeTi#L-FR~Vd^qYv=;Lb$xmk{Q#ZT~&KlW~p9`kd} z&K0Z4voaI`6YU3Wbt7ctYOUwG9j`sYQvvFCnoUmIZfti3a?SZ^aqByVM_;;^Z=J=w zfsP71D4q({IRfI++umUlTT9nUxeluDc+K8anNC-(xk{qLAYTE75cbW_nepEF1{J{X zx85sYPMoCp#=3M&r&*|h4v*Jg89p$kU{!ULeYz)!?~_IihC`swDhfR6g}ZN_Zf9TY&xD%nZ=_(6cUgYa0-KDuR-wjF6MdZiGY~w{9=@!&2QK4pMU7U+PwxqIXo9oob7_-jlT3`8rAdJ0=B9Di{1?Fqxb* 
zP3qkloI8@kmEd}b|LB?yu9X!xtR5k_w;SF+zaP(&qG#M=jcWE@4=gy7ob)%r+o(d$ zYkhE6$0#M46-Kek4X`{^c55gc&dNE#?KLLY2K>f(IBZ5Y+=CFj0*&eKTD=*Zc7$&Y zy6em;svEC)@ZTBq87|>()65{l1kSvveT(b&p#9HrtxAF6joT496Vv&Z0hN1I3EHN| zh{wUXvD5;`Z6M?ifN!2`HQmJ>_pQN4oR3H4z*T&ax+b$CJOexQ>)irgrL+4o9plO` zsb7pn@EtLe>Px3s^kZ-_N^4PLlITbiHgvpF%f->V1B0qlMNzBNVv^}TNhNbia(Gt; z!Yx|H@WE?Y-;_zLyc!I*~M?>w%P^6s;Ip8vA+?JdnLy{7rQ+! zZz;HhT|**EIt5mYI!E+AZ_-TlOjHLKWQqw*rEP!UYL8o?+dKSVfpnxo;7j{vsG5`o z6y?e)A>uV5EUN)x8Ev)Hv*kVS?zL9S+j<@eD5F0=k`7C&F*$p)v&Q>vXN1SM;Zu5a z%hiseSd)tAZnm@o+!YAOx^~Yuj$!`0;<}=0{?qa9&1pK?XU!#U9<3S=^zJ9wvN>i~ z(~psnT(@qeId9u`=eOwP8C%?yY?L&{-YWN);P^RsXRH>?S78SqD}L%aAgk~8$hsNM zS@4-!qG{*(mFH4I8vohXbR4=u2b3RBA+^UlF&`*0+R{wLuQcdHGV1h?)@4Gh8$GoG z@k$mYW8Z4;>!lZO=ZeSz<9Q;2)D4y?4ij`$i*dnmd+G+qz#^Hg3`cxx`K-qVwVr-R zx78@3y?(P>dVTdbv!`8K%H=%R;oV?lG+F^vuZltq-k259N}r(u!Qh{tNcb`JDXrCb zL>2RA7Rbrq4Y*G_`#{bQnht0kWqGmYafe&(&jS`?OugIya5)XD?IEk;2e@Fy!fN3; z8h)bFdZgd-jLthsQ>v=sU}m(4mz>M;OVbq7Py$`%y@lqR0f!d%M~zE|hIU67$|-(1 zbt{Oz3*LNAfE;vc;URPC_P(RMY0EWoZDb4Ull(BJvYFtNXgDBH2;>fS`>{xl6=;#a zkWYC%L+d+Kbf2p4wwFnnsJ#!Oe4urS&*RGn*(V#=j}W%ia&eGp<@4n47)eT%tjQZ| z0qRdpu$}bL!YZqFvYu%-kMzp?<`nXiobISRKjhSxQaWv8-n9-(R2wejkurA$oY8_m zr5E-XqKPNpABVd$p+aZ?;`y)>TTL~`orN{Y?l!4_YOV?xY;1kqW-S@0JXXaGFYn+O zW8ht)-1@>Q^z80!GI=+1pWFhPuM-ZPGJiIuU%yh=5Sd5eyPb4Y{|hEtIZt)&^>_QH zl&Y;E=9Zh`h-4_j6GE@&U+F1MD6WHE;yQj)1KEo2&t9sJSjoUp8y;lcqJxPNO=~u07gMO|W zp#A1u50elELZM~Sb1GRnm5?8J zc0IRQ3@im=7~k?Sfls@2X=Z*OL=q&tY)@09j%5h0RVA%ysit!hX~?4@MVoXb;!9^< z3GGNPic6GBb}&%Ie@l zO+6B45^MQP%6I!#QS3<~+q3mCR>Q)A-**|GjORwG%2k;*b`a|X_9VLKhKJe#hC;MV z3pP0*V_{0$FV|frEuH~U=1WIkwK25%Kb2Ia6GV{InGgcr#-J+|QEhn`!5ckgYVRJ#lmGJ6d`rgusy06pj8}y z%lo@s>m`$e=BP@YgVW-tG*5UoB(+#z++OdIM6LLzueQu{G@*9SH4|X;exxS82CKTW z?rB$F>YoX8oXbnd_%fD7E-zdQMI!0fX@DZla3hEHVYpO)7^~TbvC)t5dF7Q!>I`Y9 z*}K{G3eBv1ACd@CzXxaqsq~k+;_wtk;2Zn0Xkw<*=}B2k6vqiOT$b9QIu&x4TJP%M zmcH-eO+?#gF}OtU_DFS4e)`xB3G<-AhA`CdHmXXc(Z1#7VA0QM{Dy@akoa|XDMpvn z_}Vb=QSM*)F30GRWwqn*%%FAli=L?``qtCaqh(Y2e-K4gFo!lQs|EdfIPzE=u2_2G 
zwAmCXYQ?!CW(k@md2HvbyjxJFX`{onidk8ts~BQG<}>7eStWF%WSfayG_CiDS7S*D zz}i{?jD-8$^zo3<--#eHOBt5A?`ToXc*YsCvhAw*PNRbv9Cl2W9zPeKmU;%_m7fNM z`K8j2SZ)<-g0&;X&)z)N-L3fxwM{hN)Pz3Am&cCs!>T$14NuQgfP~5aQ7McqA>^Om ziSP*7oqc_c^v3lE`CHb~74U2z^jAg9QMgj?msIG{ZEXTc#C<(aa4B2D(fl8HQP7r5 z96X7{ja1lIN8Bk}NO>(IDWWkU1V6$*#^J?cXIJl`Clx*ewr1HJ z6N=)LS;XIgP-0UNA{K>whQA`Gi2!PQ)azZ%6zu&+AGQToDb9o@`n%Fm!RX_2+w2#? zQ3bbv!J8=hcos(7R9{MCGuj%d*UKLiXX!qgbt7SQ(XGk&gdZ)}TE{M}bCYR#;S4}- z%4awp04`^@jAo~=I<$a;vI~~9>tG(=IW%5HMfWi0m3rg-t`J5l5z+#u+x$pB&ZtjT zBem{F+BnH^l{wry@}XF9yp*cv-EvH;N~xvB!&XZvh<9(HHI#>-N=qM>b(lgYv=Vdh zJ`tw+>|Sy5(!D((FnMF$)N}rP!8IBNSHcQby5KQbTy0M1344>dG<)7F585(guk9U& z-!Hg6Z{mD!_p`ot`Cd4L{zdgIj%ni$MB;M%^TaHgL7sQv+%*_j9=T*@jEu$M;*rKf zaWq?{vCwqEQITmemhhhYWSUhdIPPals8f$Ry3tTn{57rc7NmO%EuaJcOfUF8iZI3I zj(S8@UOxY_u}XOGOUJ>z!YJ^`@Fgel!UZG6@9EDkclPU}A71qbHJy7g&Np*X=hYn- zPpe#-Qgy&UxiN_T@IJ_;y$F_l9>~`D2^fqSDv}`m9uFAv*Dad8s!~3ll|Lq%u0hjY zJ2$m@c%A+8bA1Mv*&2~>vFc@carwasJp$1$cOt4%O+@YM<{ z$Sa~+_=*BAPnwOW9sn<|prGKTPPVAwPZqO7$0ifA)NtX3{NFPXG%!mO=~FK=*`X%y z{XB1Hlt>3vqj~&y^R9=DhFOp}8gY1rST@a`2+d<_jf)us&W%O}XK8f7uH!dD5)E!b z1$z3Q<<0Ngvu6cO$hJS%n;ZM-qp(gy|Gtz)`=P!|c6=L$zrCvGS1-EP#1`zowfHO%=pQ6q0)tt^EHdeSJKn zs#u486Egxi6-#w2C*fUDq6hRFHlE)X4twDSs&rnoZnZ0x&JJ?SR+h7g&G|O6`*fJksu7-E< zOKR(lo?jNd0uiC%-*mt!#_&y(cKXfKLM6Ic+cD?4bL+M3YMj3D%Bs&?+A8?CI=+5c z%~H!_%;Dncex19XFVm_w8PHjdz~R=(8Az!{H00iNuP5!$7!+q4t+=!>FH^i|HPxhd ziSVktG|}jAkjjhlX}IR|zhwE2;)g2Z!Q1}AwbqxU&ss*gsX|OfmqK2a6lWhqWb79P zeanAJ64s)%Nxe_QO5c7$u0-DM`yG`K{n>a?fUWwx`f0Fj^#frMdiZVg>SIGR`c7bP zx~%k;!7o;}5AUNz!Z@_vp_gA*YDV#v?p1^lz2lYc(;iScV0E|F9#ReyCo12@>gQE- z)%mU*8p04u$YOdN=|G`MVO=S%$7ihrg??dX)Z8?J$r$_xjj#Kr%LWo8+C2=ghC|ac zwiNYrip2D4ULcQIlsmc+40|JCyoT$urQ(No47DDFQ6X#@Ol{I`NZ%x*qTt&lKeCA52Y0Il8@wsPEhcB zjp`r7mKnLpo^D(chD^9?Pu#51;IvSh6l?25nY*xOkZrQR%!u&A2#C|S{ygY&m{W!L zP1~D9U2FRU_n}IV;L@}tENM-|$qhhu0PVBtLjksdRk6f7N7}v38_oPnu5iX#%X6op z70WP%hok=yF+8CM+Xc#hxx%mh+VfTe3S42G|4nsbX7s-ktTVH;sh8Ngh!I#+`=iO= 
z#E6|h#a5lUd|kX}Zi;>+vWl`#&@UH>qK#66XQRw>G2Kq+rJg0WuR@967N;HD@gcO=Yu~K?2KttSV%K$GDTFbZ?E zQjUZDsPGUJcf@-ZaA}-%J={&~T;lCGoM?BiybnU>Ju^X;0jRYzd^#T}VR)QkQat*2 zMl*nvetI~Vodf@lU*`r_W6bhqOkPg8JoHVjw=appB{e8#C(!5)QFG$<=pYDkIhG9qAWky$2~qRsVHFEXy9!JgI6gtkuD_GVxpUWU}+XV$3E zCvR$7Q6TNiQO@voBp}F#_2K*2^JB^aUyXg@)8qMMah1?J#8IK^o*|zW`-28R< zCHHRl2VDL_hnD;hA#oW~wR9Y0fX$u?x{S5GJq`ewB zXVzHVDrN409y=IKsi)_qOmvGkLw2aQy9?Ppqg!4hn8l0K#T7YPm~j5De`0wgyGzPF zEOY&`FX5Ql@4(-ZJ94lysj~I=8#Lti-#73ZX*86Dbx36K8d+NL%b01^+d2lKKQF3e+Ty@*>2omk|sjlSjjk%n}4O0Wt-6ektg? z#~A=DVQXh3xjMF#QnP~VaS<6{fO(XHByqq{3(B_r;{xp@?(og_Rqo63q*>YFaIAY} zO@5TYP2WugcQD?_vD2{;6VLe_%}f-ZVp|DW>|wV|wR#u`NrZ7dK23?l;1|3U-2R*L zetVF&ct_69I+0m(^oOnM+FO}05IPxm7PHV9R(y(9iu=6N{;JsX$WL#<%4a%LGOJOB zbrBS?r&6wol$lN`d#Nn?Wu_SjZ4~qH*(bwRN@j_*1F+h0ey7oz!(f_z*eG~XmKMK zp`0Z{RqS~4@aE+L9M`GbdHXAOP*j%SL&fO*evd3wLp^`IZ@oAG1<{6kO-b;U!CRAOs;|p63 zjc+s6q6j9~B5&q&Xz^;Zp@WRJ*2M`P`THPvE#$kqdB507Ew1|P_PWfgH}!v~m-a#d z*7un(WDr{t+u$qmvWkH7tz(f&T3H-Fkg=u@4F|9YIupWGvR3$rxJ8_Zb(br@*niBD zdWQWNTEsISUhwUj^KP8J5W)BNf`5IDhQnPhPe~F> zr?lhHjo3QBMOm&o5AX`>G{`gSf0!mB(VGAKQJO4@?v7}bWh-LbA~yB6zjf}iUu}(X zk)c^v4n(K%S9-!XGb4xe8Vt0hbWKOS`2$p0Ry(<87s;zWI``;7j4dh^NJ>~b6OJ0S zRif006Ft;*#vVpIEb7?iJt#OW9%L!+m@_Fb8f=b2*znfL`9$Cm5>@{Ls`Q!!QH-KT zs!^Y>ddt3=q-7YL^K!N7awxADh|JdNKoIGwK3~lPiVpi3dioogckRP87b8w}k{fWd z4&wqsHvTF8{mNMF?$DB@#g>9$1SAESFneSQ9P4i_rns?+{id~ktOb!N}E@) zXk3Ezh#+<0A_f-V*B4Tg8oK^!-f6&Ucc`~%>vMV6-XL|mcUIX0+lw#aA9v_o z4|BuQ1hrqlAt}x9|B~2u7H&k+6Qsm*kB}3kYPsV6Y8nL7s=f*fDtk_LCrk@?-Ps7obv|Wp%M-GwH>41Sm!@xg z`C6=bf-j1KSF2iIvhmWjWc$Xp<~kI~F*NDDW$y1a=zou6#`Im%E0)Q*3RqC>8qJ~j zI!dm~R6r@|z8BJ_qEqs=eauyU*7WV`Z*}C?&-nGr>5y+;$4VGN_iEns?ncQZsip~} z6aSnZzVYo@=^cyiGDEudQX#d%5EqNWbM);2Y4tmpoej|Q2cdCETUY9lf!wa#2YN1t z&h87gg#=Vf$y{Y-?EyF;ZPH+wq;NV7? 
za6k-fKks!qd%)6g+Go_3#Khao4|dSRmsg0Cu$Rf-)z5KOU9Ogp9tvO8i}BD7qM75p zSkRA;{RKFER15|JEU{^h=ZDuVMyop31J18jeGB}&jl=s$X_jwBF~5j$ApOMzEIq?l z3d|BM{)hKiZ2yHjM{GYZF78X8U zL<4VWYh>X1;C5>z_BlK-8ZJ*y_c_!H8yxIYz|G2T4v4dqxYb4G$JrW+V^^J*PL6bg zl|xaLuI~#}7~9-nDZl7Pb|!one_Hj6Fuc=dyxQs2YYVH#GaFcHO*hQ~%bf55+CWfH zY9TIqL;H$QJr!6sb=SK_X0K_mOB!~hn-6Mu1ozsZ68A0yttkvkMZ zJ+JBP;*b%t9u^)5aY~|MeD04gL(HPC^-X=xg-zPct^sP&C^z-eEzv1oEU|yMoHS#E zGgBCwW98LjDXwkA=K=2@;Bgq0CMoGfFJmewj|)ppKmgBzkA2d{e})^U0QzF4-hj?H zUqZwB)b9BS`o^8P%ob>jx7bL8B}(3pB#b*``K5@fu*}3{z{3c-VZ&I_b(q(qN)AfS z37aZ8FFnAJ$M<%tv0gn>{iv-hN$L*ylxOo(H*}=n^7y3?z;wPd?t6!659+B$+4Xbz zHfOee^Ud1WZ9UC%|FA0w5LE-nD`vJ3Ot0yws<@NLO^I_a`TS-sr{2!xLKKrW9 z6!Jn(1xa}BU2c8uQ>$k(Ju|1zw&#a>#)Q@EGR2)f?>bqdAiZ>*^V8un-{)!8g$B7! z4v`lKkTF1%ju>uMahAbbq{b?g>qkRa+e5vKL%++G=kWJ|(_;Ou^Y+-m$8I z48)`Iem zk1G>*=_$=~VjN!4C7lL@Mtp8aN{oSza z8rHp0gSl=*DslZ0y_B*@sX||Up>8~x!Pu&jfm?uhRB;IdtFvzs;=G5R<>>qR>tB&! zdoOM$b;E)V#L1i*Mwp~o(q3H=ib+hN!T-4u|9IsY&a)T?c5C8Kyg7Xy;yYHN7mW)w5NV zAX<_$bVHP)Caj7V`tDL-0`99!b9|zmuo_!z*7O>2mc-Xhf1FG4%%ovUplmQ^)6_CE z`m?KD-8xnt1T8gvm}AxuJ#F;Fb$bQT;A|>FuYyW&c1PK|9vf=F+SOM})PeJ8gk(3P zO>E&<0j9);U5K6owk9OZvZiIawP&oJ|{}upA42>ZO_jv zJx9+TYo+e;{fDU&kVDOje|>PraUv*Awdm+uT>M@a*DL6PHmck#BOAw#MD&H3NWb*; zIzf+kK=99jIUW(Wr?k0a?-1G#v&6c($n*@UKm6LGD`gxXkT4SK#yeO1%hxBpPuKH? 
z%l9XMc_Q>ThWp}^YyMU1k6outx91)6rv6f*^b@h@+z}1&NK@?q(Zbq>x^(ZICd%E< zw?wTUrHCt?=B3&_|k_sHD_ z(g}%rjtise>H#8~f1^bvz9xTGT*^LgqGTHT6#Zh-QV`=HD8(;7%q-m&UM;7&hJ5#3 z`#^*tGM1Bf-ht5_J9zHa+V#ORX(pTX9F<}JZVTVASwxAf^%8h4x|10+vCPPK`e59{ zCFo1T?` zEQd8CuWP9@k3*^)LJeJH%<#}e$EC5pgIAKhumdo^N+J~pAZksKa8F^zKm-#xmA9oD z!H8c%-Fk&+#QB^i@}x!jh^G{Am9aYAoi7z5Us3dA(t-$#+JFB1DKFT|-LQ;?cEUZX z*e&f?7U%59E2e;pxI)798zu;ZUeJw7t|E{{<5G4ob^|uj;?@Dq!3Vc3Pft%byXz<6 z@uyF_x(gy#=2^?zHY&J>(fgq=_cQUMpDEty&5%Y$d+BP#--3r438BT!@6G&$*f?CI zg^U9GPg=xmAJZfw3QBMt_K!MJzP+>r9k)P&udSUxp3()BA#oX@4b9dLwUt~H&rgFU z;?J@*Vn&YSg;EZKH(Y#2C(SinhkqYgD6nteLjD~$oH_ra$Qy7T-5-H|?QnZ+V;VD$ zFzyYw*13f&bT_}ydQW#x0=@);|2z5pDPURZIQ(qN#dq^kb029e>o@I~%IjDUth8hD zwIhq?)yHNGc@}|rqjE#=$utA~VimCQg-rR<#wSE-0ReR4F)!{J0z#D}m4=3knTWmp zY7J-U1o#~U142LSK5%_Kd8)cW74P6@c=(+4v#!1C>rfVt| z=%&*B@WlJzk8N+G(aCv^@(SvrO%|68hfigKcADN(<-TCWvNiFH(joHHUTX)dRXK9K zELGbxY1X`_($|OCpvWnf*Ws5b#6|}Y26sVVkeWq#)@Q*Yhvu4_9vXZ^e-5B{ zm_6Tf1DXiyMlgyGMU8yH%}M_defvQ2J-Nc4A)ySUwLB%MBahTTsf)(+#t6FZuIG|U z;s7`2zb`NT-oY0MFBOlmlaQhQ?L=w_G9-q70SWPy>fA>ueE+|7UEa6)T05H3tCjT* z-z|YHgQ$Myi}ToR8`uX(O(B&C@4q4~BK?u(qR9rKnHF5-?qA>53DhBRTyTB;fbfmX zzHx0Q3|C8yR6GP-)G+w0S->zP)Gv(Pbj|)uu$x!(_Zyn{#)pV_0{O`;wIv<_odCV+h!<$C>JWCXla;zD;%zTYMhfViQalt(OX|7 zSOu_axId(T2>QW3QuOIdEoffO0YXebp8Xr2q;$&whmk&;al;4!3#c?kfu0Dqz6YSj zIq!cdDqIiJ0ul#hlZQ`_?7bQ;ZrEFw@=Agt_eG3vBzkJGT!s(kcHfNJ9lXL>Qs_{K z`LiEn@@crCrzbD)=5+G%<@UPU((iO3spVDs`}a7sx%8i8nUvGzlgRL|yPQY3?N*Af z=lNlwXZHzd?EHHH=0J_j_yzKzRXVH3gPhI8w@c0fgu1Xy(W|WQCP7OdY$WAANs6F1 z%(DGLi3sJA<~8Tzy8wYmLMBM&>(j;O>U8v^sbC@8!Le%`f_&v7{broznev*vk2HV2 zfPW=tc^}WR0bVaEsBC&b;Em$>qPQ3ESi5RoRe4U+?ReDMLeV+9i;NtO31*>OZvds=w{B}0BaHdlL^-&p2=@TF`O7xJ&$|EMY^tBTeT-{xZyb$6)p!Ey!*)aXOFj! 
zzji(v`zf4~Q?7fnet14p3M)BEc9$U`JDOF(5xT+5#qg9A%`E&oZ7ImaZ<)JCJbp-Z)|rc_ps{n4i4h47-$C zhKFrmN_6Qpe1 z(M3RsKUGDj->6(+&+HY3&gMBJY_Kh2RYNb{X(4Q27W+&fTiX4@kWZ0naJ0EX6V5Cm ztgKQQPH^nYG}*yjG|yS$9ll58x?j$CGgZhVT!>6lY^+t%AOl()bbfmNNiEtkaA+PZ zb-Iw{_p}Uy6*c8e20fhMu8!2_b^i9A*9*MuhR3a)C*WOf(@MCC*9PO{%>1{$YlU|(`eN5gp zDwgzDjJFg;x`Q;eA6y8qxW@4+wQ2vm~kslB1_Z{m61!;`5wzD-UT-zEvL?1xiF7vRm4vFb;NAL^0G}-9T8I+HdzFTcY>Z+%?OOeBP6HPD7?7jr(urfu3?(K<^YI0jfYo zJIF&#B`9Qjm85kIb`X)bH9r5y762nS{{Ay9o$2q-dw#bET4FZl4in9@c)4HI!!CWz z$8oGxS{i54)odu|Eh2k4Q>!Fq;E-BOr zAfmq#%VwHfLH^`@x9Tr9?e^@YTmQ2za&wPh&S^xYyQ(|0;prFq1k&j}&eg5H6?S(} zc1gz?^l^3g+^9k5hV>!xI+1#@=e~m^)B1l~VK?@j7;MJ7exp#~ab{waAXINK)dsHZ z2bzX2vAg5%q&~p47$XFds4CiZ%^k#Ao5DOUL@M*Is>bGC*qJF9mB=7!HDsn);t@o= z092ipu`0&$3eU}R-${S+sqr5(gj2nLb%-AkXMJj~{-c88LQ(U5rlKh~5QBs81|Fh< z;^#7y^Z~uHCQnv|-mfwGoy85e(9)%NuG<8Fv)RK`?%MjkkhQJTzdDB=N9g^lP|&uJ z*ZNb}I`Au>IPUV*O^7?=lBoAnZveDuAy5?dNo?WlM#`M{0LACV%*iNURJto!r*|yrdO~IgZV)NW*h3$Vy7i*Cy>{>!(^2Z)oC~p8o}nB15R-vNZ{BH|2N{>2ygyJ|e({dUKS3wL&fO z`mH*2#k19p`880;$D{f}t2Vrw5oi0+HwAzlOJ}}3_^yCEwfRWIDNwn-CM9=l=Mz=K zlu6J>rg6G-7k}5`H|YC+rA<|hMu4W+X?=Q5?*Ngh)klnTlsA^ah3bp<6K!6SZVOwX zPFDX)b#8(&<<{McUToAR8FtL!qyP% zhHb`}YBeN!KhY3hJEG$Cne+~uA*9ag>r2nSVU!7$ZVafmy`?m3slTibKtnGg?Y@1( zkodVQ=OxVT$=VLZMRZg141q{+N+m>av`q4A@0%lFJALAeLLl#9ziGiGzW>-6E8&V6 zG&y6%Zo!eFXF20G!8W-0X*b2TqbE4q27Dl5{lA(Tw~GVt0^fxBeD>7MRYSXalmXg2 zUV-1>LAfb2y#W)KEWbEjP9|R*pAx$ZCCFQm#vdcQ(eaR{=97;ze2i|b%Yea`A&r7H z5(o{C5w~X=M5fHl%z4(YrDl(%IHu#q$0?BiL(^HfHTk~pe*ughiV_mT0%-&Vscndq zl!}5#45cNdn*k~Y0@6qgY3XhlqS7$Bq@;VmfU&Xh<^4N8zyIKQj^{q^=eo}8b)9E3 z6mC;>Xo)pahJjxMrt0)eOdJ)qk_wmQyNY)_{G-<753{ zok@aX$NyezJ9BP-B~LPqNh*U~LFiaAfO_D4W}Z;-_qZ$KwTvPI)U4C(OY3PO!tyu~ zPA+IPsW|#>0nHD^-hYH_3=x}mThLwxs@Z(Gx_c^#aX_eCW9f|Z$k%#q!Pd?XGALZ| zl5O&htTb(Vl8C=7q@e0({4ts6`gPpc*iBVbe-iZ9e&QuAM|6_oSbcT&a()m~Sx;h# zUvO<8_d>jbD$y!$K1QM|ijCt^(Y1EO^k(_yt#jfd&f5M754k4p>8;&>cOuuGX#LO? 
z?m=z-@wN$he6ln(R3WkXSnd{Ar(9!80eAe*+gshS4f1p%V_U73RRvE252~HWQ(aPB zFAX3vKJPq+m_IoyXBWA61BYY-2(NthS*e;RUir_L-dhIK(pD10n&Gfl z%w_Au_R73Q+u#q~10j1Qz zD)5qy-VqsIyN#F13Kv3$^3Rp)QUU(+XeH|njK(JL5mMz!z4AoM(smwY@%$&hvs<|8 zvwsvNG~iWonAfwsyE>S-J$Gm}_sn(dXZv`)-#o!ri79D7-eX3!^h`c+IK2AzIunUa zVf!grZ85c{c2sa_9YU%Nk^-;1dE3HtL$t#i)w21kH$q=o;cIxUA6cu#ZQpU7(P!A& z5my^0pMWn%jMIAF44ghxyB`%S&QpvZ5ZpPymOgy=p_}g6^d5Zt(f>0jWi#yL6 zJs$X15CAvO%cJ-iNCew0l}GJ_2bt8K22&L{E#N{PdL)Ch1nz^~xf!x81M)a0YbBmL z_^>q4@QRPQ{-s~mUc664CTNSoietXgu`F0ivhduK02p3Fbh!GrIqp~4pCmkZe*e{s z)FVbjm*jI+KFt?#kiD<$p|mBpCwHrS;Gh=o-RV^lccv6M9*^ijJChHRL;&YH^u#3(|zV&ki0dO+`Dq4 z9h}Pa%cN$hM8%GT+b~RM2&|KvUarMwGU53Imy^x5GY76?R5jmi#p?5o$9T$Rf0KL! z`+n|i5F5IEo>%N&`t$XVvQ8rrPE6h@yLYhL@c$7j~R%a&)k+NnYKyAuru(oV4ve2A^(K?q$I!Ydeaq2a21+`r-W${-_x+d38cw zT2;w6ufBU+viB{|y-l9}ydx-blgUmDI@l^UI;7V+&(wn1=CC`u{$h$G1_KfUs_eG| z=oV}$s$D2o5Y~k29ThS%qb0PYw=KGofhq_CBgAbPCtogQ9s0FJY<0_nbOpLQX-1@v^lI;s z4cReizp};v9(cKL3q}&(4e%Rc2PXwn54w zPX3cSuy5)UKQgr_Y_gxLa(R2!c?@NzS}we0<;r!|?6v}K288Q}2nO+}+!5ClcN%*f zOKU|}k^75!ZCh_s&buqemL5HDD57;g%g+(waq{D6r7$dUWEXRtb`(BJ{??|O_{xM- z>s<7iZE>#93+Z<(blL=W{}7x1{M1F*ier3YIw%x8UE{ndTpw&QpK2}KH0u34MW8?hx(dIzs$U%DN&@2o?FJr(4@J}}`CbK1= zc9QnRM?FvxW(#bExl90}xp@KoJ`AV(#Zfm+zRMun=m4*lqFrG58Euegz?L?s0x5w5 z(hLlsP@ z&vvf6_!KC1wLtysGw4tqWWv(H@_+K%ELRGQ&+Vo;*D+miH4%CDNeAw&%DhM_!^m1uyxm+-&k1G z$Hb`-WTHG-T$(CtX(y6`d!!HZVOrn|8M;;97LiCv|fwzhgJmKIj>Pinb44}y$iRBEd!4m=Vp+i_}J@Z z!y33s(+-ncH169Eu-1)-^HvMAJ_o=@^IzDuq$@wPCMzqgWk*gb$pX8!ezL=;7(I-9O&8jmA`|kOPn3Z!xr>8yL>C)oGt-r(2v`8 zA-7Cqvko860ha!YZr}aROL}7F<&2v8WL2o!8&Q8CZB6c$4?Z7RYWSH~$IEA6^J}vE z>|IC`@ysP@4)ZTs6Y_c;r4=wwf_cy%IRT$prM$!YJb`$%T|Z1;WDDs-5LBtL1VEX> zc;%w(c4s{vgafOrVzNrtWi~W7vW6q$*T=h+$XEBiz+Y=iTnUVrvB8^x@kuq2aweVM zp^avctxW`+#Mun+sW^NF&rrA?j$$!2^cl*#Yq`m+w^2j5g%oj&_)q0R-t0>!kyV^27+N}|0(xaKtkmXS-_vdjR_k_thS zwFg0qlippooj87U)`~Zlke4Srd2=;BaZ*F7f{lmEtzteK8$M<<)FVVttbbyIt zhHbH%Ph8}sPZrp3@UX$=GY(!n(k*41l$^s`F~RSd{1%$~x;QnIre-@|);)M*!26Q> 
z6)}I2=Xvejo&Dccja$`P-t^Ogq0=K;#f*1vw-6q3H|Ae{skeQo1a`ga%jtHt81{q= zt;}AYg-GmDqcW(H-mtR{*pHIt=ywC^R=d&tc#v15N=CAk=%f|8LvXP_!TQ3*yen&}ZdG#n|I&x*bzwWkiHkCvQga=w^;kxdJM zWQX}pFuH|`1=3&{#_VW|7Jk!pZN+1Hyc8H3_SaP3WBNEeyS|4vM8<=m8(Aua5zI=& z``pbFZC)~OA_MVHGFk{4mWBMYM^2CjgI~?pG>q<8MVj}&YXhA)CIFZ{*E;jyr(u%H zor|KUgY&l9-c-C{`hO;F%WAV%)1n}$u&y!R6lQWnx`b)iR z@wW=HTKhE=2ZO2@v=oP&c^zb?n!L6t$JkPbcd~_%UUv2oH9zzn^!KX~TCk4KRAhxi zM7H>_abQD3iCxqZ;CMr)wM;Flwk?PHHX}%%)9?G^jBUDVI)G2Xs$Xb^qIEYxpYp!n z1IZGxc=U%0jvp^wWt`dyx3*#msRVz#jCltM4mW)L)l9X znC{}a0;TekoXm(xt?2^T)B48NqaSBB$41nD;*BOQ{zE%IAcUAE*1_ISS1YV6XYk`DWM3!`KYmB`)Er$QOftY=Y!7Vo7z9D7S5SU759PEOP=BEVxQ zEnAY+>=)k?kDHcoHPnaZ>oFZOo6eg39~r2Id-9O)uj$Ni~g6qi0*LIU{ z!Uhcgiiy37pxlY=k5oK!Vt(8&0eeQB9g{dy5Jvlq7n?wDAUY`R_xz7%-RE{P&I0ao*OAp1_Xg(CPh{B zm1X8*lFMtGx1Cse*YNBkKqF~d2humSp!1ZJQHacL-D2d1SXo6FY~pCk7SSl4r|6}!kcOA{d%Kr7HA+`-bUMI%n=`848vXMmakWct}2~kjc3{zPZ6BbLcG} z&8S95YH*h!ncJeJv=i4k95j2+Oo}3>f zeAYw(HL^W)E+4;Yu)6BHP|lu}`aOeibsqu)C(^Ea&+=BPDtndBpw&#qZENDSTB4Je({z?=vq>8%HaoBs?|M1NB&)Wfld*C*aSVu9;$Vz+=wQf|C zcaRrQ(|wFESoPp1Ln$>9LB0Q7^?B?L_l`35$6KwA31>?Xui(7`=jLAtn7XW9Zc4 zWtIgm8^zE(=g;3oqn~5@oSQ5m%6KaiO_3h|KgF#(eq{Vh(HK&}Wm&WBJo6J<&ZL$1 zui@_%BN4>8(yAkCxwSR+z^)zNGOKJqwY=}9w2qOm_NR~SEBXBE)xUfHete@Vtn%}% zl&6mM2mB{fOv-z1&D`mgYOO&!!f#)8=kQ@)rap~!V)$ICTEND2V=wU_tK76wjLs>k z8>R87!h5dzTuD4RoY|e*YnTx_TMvTvKz6!)lpruW`&3n}!4+2oGhp~3d7r&U0<{yNm4qeX$ZuH6phQ@nW^fZGSR zE-IdEbPnrxPz`%ImE)qe$)_V3?ouaNt4kTxqb~miT^mtHDwVS}c0$~ND@ zsl&UnZ;2iEi?oG$UcdO+LNBSwZ%+6U9qR7)K&o}=*{lO4z%h2s{`l1_bk{hK_E9!oCquwaOyi7XfX&qZu!CN8mR4mH<>A z+vv@6UrrlU6#)u>tE8|$u>MKL3!&3f9cw&Sg}<1Rg7!Cl&!oAKjsOQyzvQMwdaj3M zv99Ox+XX*dH)T4-^@qa=nL|uin^(;9jA*Z6q=A1 z)W^zLhNrhgc9oSpHF0Y+!Ph?RU{2*ef!gHinPi^P*b1Oo0EN;3%dN*K92h&JJ1@7{ zv+isG;zD(a@y_%qfXG`%CI1f&*nJVOIk&ucchivNLuWhGj_w{2$~Et99dLh_+XJ5& zc#8IS8A{?l0Fr#Zg152`#L&R^?p<=N`=YHCjg+Hlmo?B+owJvU$|%BjPCnAGu0L+k zz_lSGoo=Oy>k65KCC?tWfL^Sc``>Yu$zr+z{xy|Yv##F%`)jj%@;`E1TsN3e{TKE zedcj)M&>wz7kq9ovvprXvcc}aV|aH`m8ul>(lE8zqg@{nW2!x}0HqGC?v3XiN;X7_ 
zZ;05kpFJdup_ngCs3Yz;;`9$a#|6NCr-RVvFx0xc$1(4hUr;h^ITk^#fuDqh2UdL*-i?)%Nu{`4^UH`$?pW22* z7#*VkOH0QPcQGcjYm7h0(bqh1yjmnP9R-$VE6Ol<@JAb^i*}F=7JWA48?EV6F?l zwwczD?=T|hVcHLD^gu?Z&w5}nJW?Ow27my)P6f*Th19wouD_eRf%OT{LUdSZuT5q} z1}b$zIEWWrsH*z1S31xj9y+#L;8(=RX2oilx z9T|ps&y}ae-H>4lLCiu=)T95ayK`BdvMy>QH`O~(jc2R{2P&R=@0I7`aJ*LK;H0JO z#QsILblVskoTnwOY?U%l~9{J(DlL z8LB8-XZRj36k!U+nBOcUWctX=$G-W^&Fd9broDddUET-4AH{F1V&jsf&xg7m*}R%z z+1IkzBupmxTeb>`Pewuj(eLSm(UX&JlyWYLw=IO`GD!M;4TpKYn4i#-u4pcgu*{0p z<$322&zcsSDA^H{d|(((xfa$>OJ-fI9Aq0iu278JvB^7tHOl$x{-vOBNvYbV? z@fa7$p|nja`pOR?+rat_p2y|E{~cfo8CKLp`ONVQy6yaC;xlcc_~_3jf( zDWL16HLTPCeH@Q94!Y*^%~N)h63W>m;6!|7yG~<>d5pR67c&3t&3#LCehc1t;b?~U zcH1f94KYaZM?WlA^pyiTYyKFxx^MsN&^Sp9oJ^caYW~wsdV`7Q2LSxA-}>o5pknXz zlwx)zTD{8d00G<&p-v_|l7^d(!6!NJpyrA%JDS#$dcl;I6dM~m%a??4aaDn|WS^n0 zTZ9E*U+~GqFBwCb2=kC70FPDX@9qC+RH3AWs2%pN4&5o)!$eDBKsj(TZelyN0Fav*7M6o-rp*tkSa=V0iV*aAd zU_)mCRa$;)?qj;KqH_WlQ50+?Tg?FnwIl# z>Lu{rW4npA;8U4#?r~1=C8|JJtK($0zKQ+-VmJez4!>*S8>=_GJ-n4z?mM&uJD>M2 zl{;myVNdM`0@`+VPxHLDO6JH~QnxTt4qD2@?GKuD6eG9s z-XAJmIJnp1V6O3}Enbi1c`pm(aL4ls#3fodJ~bA zgHw4T_>ZsGmwYC}srg}k=8TC;lD30Vmuq)_qtbSsnU7b5w@x}X93OrWuK%M_z{x3r zdce6FI%D$KbLXU>X-!R|p+at&`_Y1GX^9qeqr^!*=n+$6=EtvqeYMl?pMg3p9Hr?! 
zu213~I74n*t(0a98}!2ZSTgDqNHjh!tDAn#!DS)M)j6excO3Y;PhrZ3!i`bQ3)5b~ z1jXH`h*91)>BM`0xJAP}HBIS2!~ zb(@EFA4p6d}_$j^Zd-v+^;HLXaDWZmLN zPO_kD%5OnVizgXSo4MN=3%4yk=yzS$NOo_RkPa`kgmw5#{=4nrxB&5tAN&|K@z%z% zdIpLopBzEg_x7;sL9YcAeQoVA%=bnOkH{0uy?{sO(db?|1Fu*2t3?5q>_*4p7gw{2 zU&|5gjNl|C^Ag&r!WJ4ao~Kt%UmKxIjz0Dusw$J#GqBCn?76Rb6#K$8Gk3hu@cgi0 z>rZxN1YnHtRm13HO2+uy|FHuwn$WkTxx;pa3oudwb_6u-y$Ku~FqO+a%N)(isUMph z5662HOE>Ob(MTtel+rq-KG=xzbYgl;QMe(Kdf+FI21&iyr9?aOx28#c(sqkCKZRNk zI9MOK5=t2eTw#*2q^`^ylHov;9CsV;&!7EsqZ@s=)8Z7w5{t=)rML;9s)8- zT(&Chc~c=-JBPI2GO9&#L&e(N_qv1jbtE<7H{yRnY%}Fj5~)=aOT{zY9d&M5a>-jl zOMkHMn{@M}o`b(ca>QgTez-M$_||?yD9qOpj9VAE?r+wg4RXjS+`Ii+nml_b{L-a6 z>j|v~8(VkX_oD-Q$kVj<(65k}*By$j<&HC6$8~b@TbUlbQ2TM?oc<;}G`1@->nYaT zmzZlHZ_5RC>_i3aQbq%-KU!V_53ufzxob;H z*%s!mK={qden2tyCd0iL0eji5h^l$P&VOM-c!3YY;OE(&kwUjf(c90F1~$2j^jOuv zN^8)y7acagn`z%sWul{ZuTMD4wNH!fxlmVJ3^h(CtbHS8AFQCEUS-2mUIZfRe0-Fg z;u_=w{eI{{d@r>J%!rSJKA=Ck_^53h8$I9WeX5_XFt&HViPGBoqahzSGwIqZ*hEa~ z5BLc6Ekx)Kh^MSfrpThzzd1qot;I=rL}9=h>vXU`f0DaZp|~=y)VN0QX-9Aq<@d?> zSk!svQ8vbZc)q@l^gZ}mWA%u&7dYB~tg+8e;I0F1kz$Ul@D4R52wY3^Hy4|hLrw~| z+G3|@{hTp8+AR6935Js*8%;eZ?@+{d=Gy3?^2e~NM*icqd+v!3sQ~){#JuY9I$0)b zdn#Mfcz7q0ZTeIloMIzoVS#a3_ZQ?d4YP4-hBFi`szjBZd@Hp#^WIv^F9pw^YC-~| zwn^!Vug9A8;Th-tU8NF8xw-{OKO!zfck9>q-Ts4XM>)fkH)mXZyaQe@7Bc4|h4`nB zOwsbs(w?UMJ#tT{{+y|#QlZ-=bFnBO(vn-CY!Sjf)1YfLpN_QCk+ zt=(S>=-i)2xLiANp>l(XWkm}KOhqfF`%9png|oxw;;<=JSM`idU??)l`T~;Q&%W;u zr$Wi{CAGG~ChM<;Xzmx4_%@Gad+W%XoOJw^bZMV@P0&(g^vlRmV+?1kT}E#xId1aU zE6$5Kuq$ZIp@(JK^^Y9Q#*Nl8S&syU!SpYby{x{nP_H`oFTo%kIh3>BwIBb!OPz0{ zB!1D>@o@%cuW5#{-tR_eeAvp<;pxm}=8VFLd=3)%v((9GmW-*)ZC%P%uVq8_>rT!+ zfzT(?4`>mJ8MNt?^y zK9~z+OUh_@(4*$-<9A39QrStm)1S>6Xxbbzecn)+0szQf;ouZUJ#M0~jhom|-C?K{C@1pog?~n>yK>Xq7ua z5=bBy;Bx3azI8!O@E+mG+{KGBsI9^GBWasA$mc==s1w;E1fav{K#>3!f@3Z?m|;Uk zQOnz_Y`m8n>69=8uE2&^E~76tZ!aoWrgl$;lul~7{T1d4-oHtzB(*K|aTMR_I7eW5 zHTlseEgJl16nR9=)HMrdC(L!MAzSAiLn%j98vHYR=a;$s`jrSup7M3I#S76BDk>71U*|6Nf9RLL_5Al|m61?=m!d{Jd44&YV%6w>`;WZ0dp_T> 
zE+5}23(cCyDv@6r`}B1wcKR4Al;IyxE}XO6&KciyCS7GLIr%VGEa%;LL(5+D> zYfuzYn0QNO82qc@GBY!%`cxTc#P(}oD>|_4H6V-BUBpd$fApC??tv}J;ty=?84C0v z#2U*%gmHJ%JXY#TvXJ+4U;=!!ke8Wc$9G6z62&UliNn7k`iDZ%piV4&lA!LONWG4l zm!&VO`csq~g8s!{`Q9-Ok11>m4{XREkj3_hU5(D(wG z)O#`~{}0jf;2m0A1g>g*la)GWYG2eHFQ4)_DvVEs%jRuw zwhwz%nQe~f~(|9a*wm#W9?0nND zx~+CI9e#&E;6177E^1!&r+i5*PvPI<%}Ai6SsT@eB+&Llp z9u1~RC=#ZJ&HX$&&L#0xs|GH`0)79L&kB}7+w940x4&t(4|+sO*m^Kh=w_1xX*ojf z0-9TSxiOx?o2n%cpvZ*HwVBEvA zCQVSEO84(+uA(v!B~$no9kl%E&GDFOl(OSvJ104K-@~h^kS0mpSnYz-(!))835mW0 z1WtXy)RqxhTFGwlMVj_(8qPu3s)&Bco$+k+(ipY-dCl7!gr__~TYd6BRlW9^KJ0yB zl~QU2FDGs6%I7S9_C8+!!*t(NAU47oJp>8fJhjGKAKCz6()3#v-0 zxY`^jyINy`ru6BcdZZR4!qBs5`B+)TLL0(FBTIu+k)vw1;|lf zB`U}O77(86YgxTBH2WimA`feffBw@j0DyvMlbD%_(PAI@Pg(xvYY4tLJbCL(Y^2Mw z3|j^O-oZllerPwaPP`JLB4ZEB0Has2l29W~V?dp($hQOT}3PxnhCs5m`U?9ecwd%}XPRwPVe?hd(gGJT;gJF`)6Us|Th zy@GFQE3ZWzcMjEryl{G!QSJEa_P27CjEbGcT!%-6-4KpycKqf`}d6D9AKdZDZi0c8@jWw532lT>~Kl%xa6F*epX=y2Y zkdzZPsQp>0tR*=n*zl+A(EqBAkHFrHz3(%etDYZ?5Xqj=Dt@yKZkO0Ruc9dYp+g=w8hQk@q>c+<-oWckK!7a;9A2EcZCh&cQ*8 zZYN1yM>b{#m=|e%EG~w%WTgDeQ81IZ_>QBFhIGFpp_nzmTiBq-qlC4<(E^Qn_N8w* zZI_4S7|@tan;|9oh3{zi-NmEWaci+IZA6iIa~AqN|A|h2o=GR#JfW)?z| z_y5>NZZF=g+IZ;k6~Cx@I%x@`2Yz4sZW<^+ljKId0p{_Gk?gC1gqL>w22Z70ZStnk ztr!@750G!2tpi`uQ=~=rJ#t7SWdq9wm_I1zy_B-UnOUpGtHs7%>d6bt{L z8AF*yVXqA5#+rM8H3*vq40{4Lqr8;_csQj>_|&i5vynse$kAIsgIoVyF10gTKAmrG z0S=ZVdb~-)-{#_;-aBf9*sXQxjkB)a&zRHqc*CD9ze`?@@;Jk}zzXvEa~1ysZB5&& z&#C|itp^RTDP`9)A;ztyuhv(^(RVqQnv#DP9!b!sm}_z)m;1!fo{}Te-`*9uGGMjM z?1ltUHksE2A>bO$eGxn>V!yo_aN*HYIb$zO4ZrHEG-31lh1$>u4Ef*OHs`hZKoi@+F&St}8R&)v^ zw|Iw=`R%6lKA!IiV~-6GhX%@C{$mlFH2m{AWtX4Rh_o58y@}AnT^Q-}U`h>*#EMP; z8Ib54NlE|79XS9Z-#mLstz-jLQAwFoW_Xjv5G!F~8 z0r*D9l}W=xxNKxo*#VbH4FABtXmtaWMuaioJH(zWsKv{%Stu<-=cxd``LNi{5h)Epf~VUq!Tw=#85L^E=uf%aK>yyn4w+CokLN%D4rKiM7gKy2G8AfU zZ+c9nd11aN?oKt*G=1CiEU89pw?&lKEC&q8k7rc-gEgJH%UizBfMemJLK#7a8!m~_svs&iOloAZ1};DYGMYHR9;MM-pdL2HljP?1W{+{9em~V z0$cj~MU7WYB7@%!`YrO5t1jg9@zQ$o(PA#|)Bd#={T5^F?#c8IRD@RSTg#UcLEmj^ 
zDxevwRd2?~S_8xs?p>(V+h5rvjp876@?&Cy)8$p*`zCeLcTOCh-8tD*AZ(>jY*D^> zvto!r@g;E7YqI%+%&y2c4}hp8$DCp&))zr4_!mbP{Td#$m3>CE+lUtG90E-mF0zry z?HZZQ(Sy2s#h>mfrIhW!X$=OVWG{D`G<>~J;g%|HH<)F#>wILyI1GtMUAv#oX!Z8h z&eOOOx5|$C4Gi`M>X#g1wL6tzC_(t>O|*`6b+CPUR-Am|V0a40-5H{gr>r2|oj{8_ zm#{TPj}7^2;*<9QJEw^UhoHSJ+uN;oi9x2Fo0m>#ehN<&mBJ`0NJF%LNDf5LA;{{d*)t6rFws!POQZ6UY(>cIf%Rls8TVP{)lIzm?K z+YF`s(W`SDE_Y5vCN)$!0q=|U?w%FMb?sfnM#=TNZ2r}*>7VOEpWyC=?*^<7vR zRCv7>GzkoRV&(^^v}r~pq2@=!nP-7!fsxD&n=Ygu;~B4eNN+cz1MkpnO|?wAZkr*F zr0z6VyL&}{&Qpbw4HIuYn47I| z8Usjrr9m~p9UqT6iQjGyI1k}2jn&wtWSh>~Hw1p0gq?GUd{Ig@+vn)H?VnTQ;Iqh? z>ZT6fTf_MRQk#7*7bNVv;$BZtz6nE;+#Fvuf4PNWTI=x)0BbK?E!`GXnf1*1!bAZT zV5_}RDNfJ+!ZHVmjQ1Gyox7cT1vD~uVn3R}b#H1LOQ*o(y8&%G)}o%iYK)Bev8$fJ zbj$?3`0SkVAMa4oS^6R3d5&my>&Lbe-G9=>YDn`jR8zAFC$B3>9kmRooKc5uZ$m`A z8ULk5@&*?7&cP@AeP3oNCDTCL>zNfX!PZ~du6p$&b6h~fGl2@fJ5j9KbVE1uF1n+; z9f{{1`s9a}(IMFi7O$TT-cnB<)j$4mR5(54NhPy6ol40TLEf}W)*L22&C>ofz8~*c z%qRC@T})opa=coKZp=)obP6)GxTLLL@8rG8qgQ%ck{uQ9!4BL7M%0?dU{tZTK9Nb-yCnYQaAg+ulxSJ;FP#EJb9>rfm~w&IJTaL zwOJoqB91Iab&>JCY(sop%?JI8qS^pXi*=8H0Mp4a2mdu)DeJuO_8R~)Bp452a_u_! 
zA*)abK_>YwO3o*xnGdW8?G7?7&7Jnm{cXGeXpn2|lmoaHr!8M!o6t)LTn>Pi0d7S) zjlLXD3|ddz2_oeMH(-CBU?6_7z@s%Hq|8ksReSXVt9k6|sWN3Y^~C4`WOkzSLY(=<<4c3SBIl$BY~C&JCQ{sO(0Ygxy2GcpWh3)13lLm(69y z{DE2|R1I)1#e8%|R=HIyIn4PKX+I(VA~^|pBXwPE!N*jipEjAEtH_(N{U6z)SCJh;4%m@t4LJUNHksl*zSDKZJ=osCCQ^Bx z+qAyXRh~}}u%@XZ{fV|66k&qq`da2JSaOvD#^yvE17SC=_`d^q1x3O2on0f_R`b zFUS0v`Nh&@7N=2{zwmXjWS|oTo=$1?eGz|GR{qZ1i$sz@85<4ECuJ1_}5CT8Z zaPs3Is8iJ{f8DmRSzN#C_DNIb_rR|*ri{1|Sb2tH?_PE+Wu$8PJ!`0IcaXJBYlDI` z;AbBEv2B;fcFH8)x|Nyp_wUM8?_sFq!})Df%+;b*+Gh2O$-?FqaBG0PaY7c}VL+0c z^?A~bK$VuC^{c<;B{g~!eM%0SVzDbyZe1!Cb0IyoNPn^H;;(7zZ&3oSDFK71@qhO@ zxB!SYM^HTG);%rct?0sj8fNRzNC8XHTb(KM^QJu+SXxa+4=^K5QK;j;wnK;$26GO4wJYyvO)lF>og8}S21mOAXz2npYo)H6e=Xx z*vn0|$U35eaTKW^E0t6{@HSFmXxXnvErNupZ z^;Cpd)a|1q|4L*z>%F9#Now(A*=#u>z((d=pupnah-pnU~*)7?q+{&}-3 zq?3RLxio6kzn6^0@5H#VDJ0r0BbNOU>0JW>u|4wgOF+2PSeQ;m13H)DyX(ZI8std0NJ|n ztaM|_WgmqP<@8_?<0b;Z8%(|6B%nX3A%_}^IEiikEs-Q5=P%*;MAnQNAaZ^Wu3 zv~)vCw0$=8iS?>W{jgx1F+vb**Bavxy?J5g#M4pzvt&^EvzP1`xU}i#wN6+-u4Etf z(kHZ#yujbw5 z9$;WCjcLwTAJxxyv1X-wPq%=5poSt#Eq_J{rlp7Jkts)}3iF05-~4GM#2;%KR*v7+ z1iVf@+;Jor<{|IAZL?nv*S7r)#BLo!-p4JVa19sQyB6Mnm%=#&_*_3LC)2TCxr=97 zQVAyF1|6Ubha&fzaNxh)l?=Dc8We7{2E=i?mMV0$JcbF##gzRnWgfIm4BYTERDfvO z+VCk7)_b(d5g(rM!99n6rdSYDN=cE2Qs&D9M!wnZO3Sq1w*4RGxEWi2RZDS&Gg0Up zU~_l>8@B|#f;k{E^2CiL$t{|)oVct32N%VfJ#u!%LEIJ%JRV4erpR%lPuW78f4RKFRyGa2;OVQ~tpssBYxa%uO{h3Mf(DQmlvnh6vNYY_)L!PL zxul|xm5#k3pj$@kL95om{%hodYi|jIRA{_s9(y#7F&A({pmesYORI;Lu(-HLr#{ce z5)_&;{~=1&(fGsi4V(2rZT4tdwGifc4*c57Z4rNfT?iXA0La#6QgIiYE1^KfN<6~$ z18E~CfAg!bqg0Zj{+KuDJi3eqUZ8@hwhRpESfEs!(CH^SC^dFfRi6q%;}`UiVLBB; zc06c+A-L&1XX8@2@x}Rdjo_wETFtG>kU4y&oY|W1l}o&!05jhbRDZKo;TLA9j3$nq zK>4|`@T~FLD$DJkh6td<&259$VGe>gSe?=@pxa{P3i?foJi5A2z&9xZ_Q*SPNSykC zN*mb$ymZoO1Qk_l2clU>Rg+F(#$Yu-GOLWw&8QZnl)$b6GB@a_pzL|IUUG!k{9EnB zPKUhXXHDW#4nzly%Tm6Y3Bo#Y-lpDbx{xqVX?%32GyuPd+Mird0vsM4@+hq7`wSag zOK}P~^+X+e%AHR9lxb0)DmRlgYC;1dhi2d(Y?is}6sZC_*X% z0$WdBdbedQYUdW_IC@CCtgbcw0p`=l$99&9d(aa&MzWy!8xfx9Brn#8cPhZbS7?2+ 
z9>l&`wECZKANx3Ti5$NYjgAahn?c_nkosTxa#R^TB4}D~rZkG(U{=BA{EKnPt&{mx z;85&tTWC-apsFd$FLL>TXwRD-QP;uFc{yqoAy?bj`Bq-!z9$o}fg59;rN(ll+`b~< zQ=LR$TOsRjxnynk|KsVrAF2M||NlJaIF5akO-5PC%-)AovWv`P9FY-H_I3`HdPPK5 z#vz1`J&N`v=@m)@#S)B^5W0kR!rzs0!Yh*QtUP}7*#d@<;CH&|!xEW2#LsoxSh>P6X z=JS;bV|6cstYwxSrG@gmMv1zSXzoLPQ}MQSpEf~tfuZO}E_jUd9FG871v*GT3;h#@ zs{8#%)#WjfW^R>s`?oTLE{M_tuR|;O&799^OKV?3RS3W3L%*s|4U>Vt&&^$$nmMea zw(eC#LqVo^b~MyG1h=+?|J9RMD1O?d@C;SoKn(>enlpVu{XZ6f*1y8q(gByoIoEC= zqO2gQK4(i?0ff{nQ7&L;=B4t86fBa?tLt*976UkN`y|IrDM1G}D=x+j-&%S@H(Sa&e@T=ISP zX5lG5vrCMB=N(9U3906zxdF)`RTc3J2m?m*TZ5Kz*@sC(K_%_nRrlcZgfj&3n)tSiGbldkg9`WYpyuYLNH(Sz_?2Fmgh(97wQmj zUE}9&OKcgnH0kp805zl_-6~C+W%~F``D}MzCCj&>HT*h7rA{A>hZ{Gy$N~Jul7qqU=@SIN8*=JlAJ(;NSm9R8tZyt9}N%Q2t(xuQx zdnonQ{N&mx@Eb6!diQTB)|5``q+Yc;DRbPi5jQM?$j6I8yYEDftZXh6-Y8Q(gq+nP zLKZ5tnk$rc<<3{3=>nhcWBz(}1=c?wu$k1c&w4ahyWa4TF08@Rk_+3_F43I>lpEyM zXS$!E?)UZOfA=p(#TpHMh19HpX2>BL4shbXQLk*-m!pi%O}Pbfi)7{k^#0p=mku%` zwxQ$COA1?vk{Wfar;O=^F_7165>yJHSJKc+pr_!RInjjcEcj8_HP{dOAaJe_Is*fd z0y$`NQnqS6`+Iec_T6g6PxdAuNVIsmdny8BM-XxdZy2^z$y&L^9=-x28zY$$pb-JI zAEUlH;nA8wH2pmw^G>wvG*NGPG!KjJ=N~$zX%?DAW3qu)QwRHI#_YTp9>u?Umb4nc zwXYe?AC|9*?d8%VmoXiN!uIrp3G1zDhE#lx$8_8 z*S7*mlyXgpx=5?GKtfKrM&bG>Kfyh3vdJ>y$x*~Ioyi!7JNm{q&#Rs2VITRBIb9A! z;vGaZ$cszbJL*A9co}>(ckEp=levQuO5iR3h)%B(x~Us7CaP*237K=)`#9!Tp#^IR z;K2L;$G?omhJ}2apPQWH7MyJvD_C7Cds9}qKPRfX4b7S`f;DVn2UHgvTa1S(cEon& zb;th(plQS1Z&(F9v4?#eo7u?B`(rCXq%w@gV+AwKfNIiv9W?Z-?y#~iK(}LijxSVn}jso`ecKdO-!F(UY6u7 zO*jL+&y{Lcjd=4=Bd6J88Y#Ju72$wSln~Nd0O!#IAN8;?;@VC7%~4KYKVUf2^V1MH zvjWj!z509r-kiqnhayT;De}blvCr|C;ZB^k-mde>zkgB7#FONH*iniT{S{eX?3Oo zOG%y(W@|AUiFIO7v%e@ZZZ#s9i}@uLDxS_zpBFt9@%7cL`nG#%utQ-Qz13)c<=9jE z9ymkz`UsrirMW*Pv{J1>h)B6c@oTkNRa~;Ay0jF4{)S$k1X$^>Q~K;N{YYz|3ADI8 zBA4`12`?$*K#Q;28bW>y~rC4eO>ir!h@koyhJ6rgiU6N7P&uoOX^Nyn6! 
z+kRbrj;5ST3CA(|DVp73$~u&8ocrE(8}M8aEbqr!gh3uA{*nUC`hapUWy?^HmTK?M z_ROxLHh5QHw@;pKdEYXg0hDnT=BlANy8}O6wArwF)(J`5KIEw0a+`=v_06}v6|JNa z=5*+t@;xEG+*)%Eh##gXR+CWT4kCN+(OOs*w9mcP1SXL;$}Z$(kwJI`<6JY*1akMv zH&#Vg-K2YJG#-=W&)qiGc#d-)ytB6(V>lba`v-Zr?rxjD`>oqJl6}B&x_?b)_V+to zc1rU2>@fp&CVVZZc+SS zb0umPCQi?zRV`{iF>=>F9yfLh7mE_m==GRO)% z6ynE_6;gKsC-eut3+-ne?kx`yeM`)mqfJ|I;te zkbs6Ch5HlmUoRg%iaHF@xXYH=+c@jd`fmzZ^OY${~bSd z{2k2%lmIG)w?bE!9|GDP{VR7^3{y@U^lRbGD1E5=QE@Ojj2BD}`bVzwHU5m9VMrTh zjtlT=u8#1?Dc11t0FKZOUJqJFur(%+NniXZ(|GmjfyvJSdEpFrAqXPcl+18GqU(x7 zxO?v&*qz;-&5sEvK4)<09%8ButyZZphwu6;vIgHE`*xSZg$k*K|hy z%PTkj7o(fVM?alAt9f}~CUcQuA@tAmWE}d9w9Y=5M$|MOc9+~Vf$Z7b-jZ@SZM&a- zLTxK;Z(qH_oy+A0+)Tg;jCvjk8{G7{@|j*ag~=!=pD`e~gBq1<`%6}c;OZLUsL~1b zoPfDuTBQ(gSkZ_yxv#S5vPUUb{J+q@I?3;0ywAw|`Q!Q|A$@Y)Ok;6aQLK)5@HV-Y zw_Fvi8I1OSI^8RO9k4LFgf}#bP3>caBW__6{pvCOKZt~zasbV-K{f!E3@>t*GyVv$0WU^>bH^J zy6f1`$`^1oW5#qK8qkfQZWwqeNLUIR`5E1h44fHU52`4ek=YM9H<-s5vG5K=Z> zpHjvA`p_n&&NghwETHx5vpV^t5f1hxS?W#cs18GX+pr#(^e1gL0&KT2=E#i)=xXU_ zxg4$g_Fjv`<{;;Km%`>vVN)wn>0KCX@mNafZ6rK=eV(!K*+% z zv?RqHK?0h$&l06i5_=wTXzW8bYFr>N$fB00jR_4pUNX_ny0U4;!QRhA_^bdm-we zYt=P>Gn+@~r2&0j0nZdw2^8}9VGcDbJ7Oi49FGdr=~9QSGB9k$z$ecusqbX*?L zS!M#4ROS7F`UF=P(o7FCEx;KB_*%8~CPw}1(X#mVEj)!G_{%j{2=Z{-*H1|NZZ*p# zRn@q&Cr=N>;mPg4qzo>JbW3N1@mH?80|}p0j*g?#P0NB`OjizTTbUS zQ1;!%Ggqfa{zqO}aDanC67DDLCVb+O!#o7Io?S2cq%bU0#IUU}<#A|fCty;+F+%ms zA9@F5Ai#aCOnPpZJQGT_528y1%iHr!%JbYqX!n&|;oj#HIglw7pwXI> zw90ssCyKiIY{)UC697e(IcX6Kq{H2}xaUM^d(aAiqdOf6kU;8^&W~DK>k0pLQH1*mX^BnlWGH;UUBn#g^-fYpEz6$!nP|luiWo633i%& zN$-_6DKInH>Va+ma4lPtD6W(MGNqGRo?~^g4fq{+(|V6ltKR6e3_WymDie089BeTD zI=>WBfQ2k;NoBZdG`E2OWA?M|=cPlP2iDa`VFsPw?(W1ylrZs%I5_;I*Erqw3D1|# zI?nbSD@tu8FKoQs9~C|MeIm2h-Ko_e zpw>zy2F^E?wl+_HbT)?l4DBw!*8x3!nXnQ#jU`bC#shU0M)caTOEIA6(}o#{=Gj{-$b=7>3D#Ix04ozs!UUE^F}zUKUmI+kFr09vqXQY)l~br z_MxM`IQ2izQpP9w5iq91opuCR;-xlH=~d)Uq4Lk&h29rMDMKUEAFP+IvYqz)*lv%e z<6F05sCs^jw!8IR=K*iSq=yd)em09i3@!C$#KlbY}g_%7Zs&s*Jt(jDgn%-88m0Y#Jhnr zVdARW?S5Vo=CTB}nhOcqdE?ZUeWoQHSse3&R3> 
zgAfx%J?Gtw24}E#kIQGK$b%J{``c5?I-&=jJLGLb%r0R41lz_6#a4i+P&qmcO-e)7|N4ulxYfSc@nLps3 zZL=xw*8Rit#G4QF4wl>bony;_igiVs2;4NWTe|(8gPOJ>Lh|kNKwl?IyjSS|YUypi z`~gOp$lrmp?_&^qGPju@f+iO7{JyNi&#f-Su5~W!ztUoweDbswV zeX9L&>{>b8^wF(|7Lf6}`fZQUc5sVnqoIL4DQe7It{?;SMfg(pWe7KnH}mV;cZ~cN zsFrJy%?`E&VI$YnU)`42{gp!0jo8RjOJv|cW(B4F)jZZ63b*mK;X@ zvfK~(PPAshg5iOx#mNsMg#}|tH+~TJ;4gvQFPw+~vG)#S!gnbW8lnr zOf7sv(9FKR>R+Cj{Nb`{ovw0D#wio}O`yxw7(6W=a+}b-eoX1rpMW?Ehp*zXhh6iL zVGUUD;t&!0`(EQt9ow0a8tD4L&FJR7+W$8=U$Dsjx0DOXat5x2e<$0{Eh; zxvBUbgN=9;V1JqzAK#K62f3KUoqK2%do{M_N4o7zDo&3+*8n2AbN7-rn3yNr2;gzj z+kmxTxIggd{K4k<5Zmrb3_Mi0VXpXMXhMLy)F+_9xH4Ue_#RiD_I}BLg5O_qYN#0W ze<|5xhv3LLl zg*m1{UeViSFrn$g&)vlSOqi{I)~(&B;DeE<68dy*rM&gOO^Xv+#zCwp{z_ckFF0{J ztN#Z7Ko5b7D0Bbhmru>RG2uM&S~*c+4$3!%aCY}(0A{CKs(Obos?S}XvdlE6m2srf z#QzK(w*DG(vGpnrJ-q6A>D5_Xyk&Cu{fIBn*r5R}OcCK}b+b8w@{7?a64gD_TD6k? z9G6|#(kFiBu;yvM@(%b=EZ6J)UF-|7spG;9#;>YKC`a*2`-jx*=yP3$y5w%~99M** zHS^ReH`E_7BOfkjG0Q%|O(a75PhOYpm!0SGGTzE&RhcOB-wz}7WlQ7#R7$u6W(9K& z2`j5(ZH4k|6(6uF4_F5ec{N_F7zM|lY&Eqm`MTV`r<$J;ijvy)m1HKAU^3B))px*H zyzn^fL#;CF>jEYMm;0!E@%DI@*uD=&sLQrcX@6qlCXKCD6?(<0f|`?BnZAPf@l28V zz7$;YZ2KxlvzFNFq@_Qn39jz2W`N!w?cK1lcT5;PKL)*KOBkg8?SwcRt!AqM#h=`~ zq)w>xavqK@KaMRQX=8cqC^$8d7i*}Q150;1ey;W7*wK@9d;&TStUWD=T-M=#Vt4Kn z%Mnag^mvk`B)g-a1+wUS6~Ce6Axs%q$_=PTocO*wJY8wo7sIM=^u`~$?U68wg&M2U zJwjg2q=dTCvnR+&BH*}TkbYRQQG|Q<;x1Cb&7ZfT+ypd*Z#oot?;ZY4TQCA$67lH| zFjRS1l(nWiDVa{p9bQ_d+8?scut=5Iu)DB$Re#&kYvw>pC7YUox{uTvu1;7pD{~-$ zt#@}mN%J1ZhXq2Lth?vf;SF(H$J%x+54=h8CztucqOdS?Ou#N-UPt#p_)ttuQ*(3Y zSBo)rt9qH~>`a?$p$lcjsLnr;dk4!x0}2UUT;gJ-^f$-$xJO5}T63WP(w{N9E?_9-Aa zvM4Kw!7yQSe7u%fL@&Q%oo0Ly=Ea0L-t=4{wrYR@&2lWRV)GHmUG_Qq!r0xw-SVQh zyo^aFMoERQKkS*p`2>H%$cMK$Q}xs7`|61|^@TQ!o=*(MEy{Zw1*0A#w5F75 zJrh!y=)daf?>~eqv?esJGkOQpJvol4X+^`+Zp2=!)L6VP|3E3D3*$@HnV4KX3Rg#o)r!>>1ijJ z1>zgIWJ3O({^Mxp9_ons!c`s&Vi>v9#6BwtC#i_PmS2M2KaLBsK^)xR_E?6pI=l2 zBGgjYy1DQ;Tt?-upzfgXEuQg2Q1Dnq6bMA0qKaoD2b~^Cvek=InNkv2ncGZE*cK?dQFnn}yOlWEOK<8{cC>Pt$ekmd!k#rRs7M@`8 
zufY38ySK=Di`<=mfy<*j760*L&0zdzGs?M|>17yqRrgsS$Y=azwun#|9#Yu>Zh4Us z`L9=T@@Hxs?d9{JoSQQfkz1K|SAjZY)6A|XiYF&Zy7TXg$+8Zuv zv**0C!xoyPukRL#^|~D)9lbmh39F-0;_Ll5_@tiy(Ep7qNZ-QO8|D`}ovSfoG3X8Y zt8KBgl9c%wd3k93=}TbdvR|{Vny46k(Txgz5A^Go*4D(nV0?}!JpTB>xoQDxA+C4)lt@l7;K*;AohH+ zlAUwpo@sQMv7Gh9ew*^=A5HrfOIQ2TipiNC;=6w<%M7U%v-J%Cp#>p-4Xt7gKWcrW zJH&#bu&0lA9-TcimDa%-<;IgY!{hr_(`+*|GkZm!*Fo5VJ(xp_Gpn+hFQ)?ynpi4Ws@S8Uy*n2TE zuSD|+aLDgeU-PPWn>W&-nf?dR?9KVX1l3{5D*(3Q zSQi$53N*?FT;++xSSNgLm5p2%PJmdh=VbXgd8^lGUv$LSTl`sh1-JW9`4bJu?{*8t zd!es3O_+q9xkI=_?8*wv(B)iD_uDnzUpatl?NrJ8x&4_ss#*wmZ`zTRv&0fpV;nscevkA`JNN#$=u!GoA5}U z{Hgy7cC9-u43POq{KR~-DKBter(R#NqS(02jZXe<@N2Xoqm+PQoh-B5y0}j0rS|@x z)kyzuZXma$*th)L`ga~}JNU5EjLy_viL-Q0aCp(%->c`vCU(!{DvPBb)ja;8!RHW_ z0R_U;=o&Z_Y{q`F8Sga3fA(QNJGWhYcSNcCL4adnX1pZZh;8!frxzZhk(0Xh+|MQ$ zj2f&&l;6jwGZ;#c7=L^Y%U^O>9u`RYBx{@nL(b;+&R?GmOexf499?P8nFuU{bEIJ@ znC!aHI(f)xEcDO>l7+@LS(`s{5;r^4puZoLKPQ3i=C}>LjfXRvn_RA;(!d$IEg;|5 zB^spUh;!2UXq9MWMyYHIByj1DupI-Y8208IRYaC#m!6hV&JJm<{K)7M#nH>eX{aF| z6u$RMDVb5o%JKYoKE5}4v&DW)QQLM3;M{eItP5YnMxF;ppH4Rhp8ltEc&VnlhVG4Y z^XR1#;jjs&1QZgj)i~j7F;SwKc*hm@=CG^Lg+3S^*x_07(Eq#-~yCS>puJ z_X{mx!SWW;lcTn3_#8mvhGUCl5oqX1H3qe~d>xE;LWEzIS@LiQ+qvWayMEDrHI)pj z_>qMDHXFuqJiT@FYp;YFARUZ3j3JKs_{a}hA<6~QPsbv9ICff6y-W5H-Ufpl2PS8k zh;#hGx<<0@3c5~otc)je-{9ag^-7(umn)4r&pm(JK;>Z!^}@H zR|U9U@4ZR}*C|`F4bf+gxM`3Hpdw23Xx;#7`_r*Yk=YW@_O9&(z4I$$ zzRy6YRnF6Xuv5P;d*Ut(eADEKec6T_Hu=b+PdBU@RpC=nsHG)^lIr|9yX$ z%5NhpfZ8z9$Z^Qn31ECNKlMQ$cV-7XZQPN_Ab?tK2~`g^B(a`MDX4CUVl{D#RsL-O z$0nf)pst_$w>0%Y71d9SMUQeEtwVi{{6{kbO+SQ(e zYMYJ(AAgHLh4!AUADzA>;|Z{fG>t`vnqTNw`DcZGwb0K96}m^@Ny@7jo4Zy4ghs{t zj9G+ZwrGhKpS=#4iBt#>9Ve?*shbg+WrWHVM??dvWb`8teI&*qU4Z&F-8lrP!GD|6 z*FC_P)eymZyB}zacB#zU>?u?za~UoB3&0iw#XQUq!q}NQ%z|zZiVY&`Kp{J9L`(um zaP^#U$92K5lIlqiY%&G$XL6BR- zdDqK1rGBG)0Tn*4`L)2D!EWX)FIo>P*rrzmvcO@#p5^hAUK5u!?Vx?SdVZU&p>WQI zLK0A+9)1h)eo1q!k)(Wo)rNoJ?Yy|NKB=&!?P&j|ri6*z**!ZHk{`0zd9?kBK0Rnx zIC%NEwDLQD__9G{gYr`Jao?(1BzHJ*BcQR)z)o+X=8ncm5NGt2lMm0MH~mJII;HxJ 
zHg^P&p*7~bK1MW|dpcF{vlpK8uj{ymKe*%SwjDGJHF=3ixv@seYkYIP#-6gYzmkR? z%Zs*#Cytg$w_ZYND*32(mXmi2>#L~JW?Pcj_U5?ofAkB(I|$AfY;ID_p-hV-KlLsja|KXx?qh zXFPXbR!=>b43`dojwjr-X8S$7{P$6>fnz6@8CXYza8^4T%xnupdYOPkF`GZh0YqTh z)9}tC@e!4elEs3Zk+=yOT}|g6MFYzv>MJj7IEThVCga=aa*MHhPdB>5S8-4$guDAa zDqc%_lUju;k9n_xP>qp>$@m)FxXKFqhvjnUy|L&bm0ZiA$&{)|NjN@mwt=l{{i+WM zc*=@$@N#d=3-fv@Kpo2b=Xo!cPV#sz@~uz)QC`kYOTnE8XJ9pcH+FENNor?Gog6&b zGlbk3;g@4l=B5Xbp%Ty=+GaA<+#(e;SAfNm>!2Eo5Yw!S${M&@0M4phU-073R_jGen^_Kva_Oz%$M{#kjlYiHWpG`SK+``x>YQtX z$k5uKNb3>EWkTBhA|0l)(Lwu@$-gi(m0QT5iP{zvb=rYGdzCs5IAAOjC<`S9=x9bj zs}tN=`I5UJ&j4qR4S~1zXew^6#KK>b+K~q}rv<6@HwZIZM+>xmMKOga6A>+46ZPe# zh`FtgQcjjNz$-txZH4x@h%2WnN$78yM6bK(;+7xSeU==qAV2JZd-zXczk z7oH8=@n{#X@9|RmomhAxtvru|5c#;`O@sPuNBZksf5kQjm6HzkhQzk5E?3`Ksk!1` z?83)6J8=VU;^8C7Be@VYE}fdx4T8)&~t_p0ZwRlF5(^aZR)yvkTr-d}@?R3}0!GEki2z#d7La#GT zC%KmgyJyY2-=yVC<_eLiBHvJTh<yuliC+4xd1sw!_ET#P z?fWry8;!dI=fy_D1r|O3)!Pjhu<+;bY(31;TPyx+(_ckvZS}W-r!%vqT}XxYnZP4EL`<+QGT2Hj!lfp(6GkV2nFcC@;l1xK1&RUJcwJqF%Cy@ z7+Z{$o)7DAW#Gygyn{F224sTC`yCl-4N8f5ny4z(;8gbl#E#sN*#$uqxOIjcQUWZ| zlT=Jr3mltj+!3BtE|*IX%R2L+VaW7zCiE8rKD0ic&4Nfvo!@da>5|MZrQ^3g`{W0R zdEH|ITb!z#h?{8ZZx`|?MRyG{oy&ST@=^;POETOKCM%oTmy!FaA?s{G!T(PZDBs-9(gWj~&RXz%*iPHFhq z^H5O?7gYKbcu+lnB=F=UYg)}EUyBOagly3#=+PdS0{gXL?{T$r`Q$r;u~E0aN}kMJ z+olP_!2ugDYPx3EtP1C|*X15erq(LN$aD6f+aG(*9uy3=249!qCoNBpF8&she~9BW zjW7Lfk^=7}g9d{v{5Pn_dv)1ZbCcLk&>_`6Qsr|F$m=)>*~uz_)#ny0;<6u^1ssa$_hi=Bc>u+&r+K@$*t$jN54>Gr!gC1cJ7!Jj(6+g zS~hGhh&Gr2s}__GWg?(0-bL4wxFG<3gA&uCe~lK8h$;a@wWhGNG&YVb$Affuw}m7q z4UH{;o4cc^s+T>dGzoLLLm$9I}(nqJEV$m|f@fBpgk&}U1%>bj2_}>u# znvu$5<8vzD9R)7A*Mo+7vA>1}Vz}Xv`>y~EzL+Gphst5ZQ%1)s$uDT^Ld5D!zCdiK?-4h$mVMI%UZ_HtKq3KiYr1FjDrWzFj# zoTz5aMB+{Qi67z#8OHO&@BD^0gB5SjQtYqfY%H#DOYMtO=3J*+_s{nC1F;t$=Qs_< zF`JXQWrusheyPGC2r&)%U$kk6?vG=svotbTo<6S3i&bxXjnI|)Rzzq5KW7xIF-ur9 zlXY%QoW=J=&5+4F>)cc0Tk|lVs9K+oK1I?ebrM#*Pm_s$NPVK82P7vg63u;15(ID} zA*SrN>ERsR*5Wld;-}MBtu|Qyaa<cXoOA0qAX`!<{XIW1X7=cqWv;?vb`g$ENN5RY;-3%5_FpNF5^ 
z_PKUJ{?;`x_(ehOK}WtWmV39SFP{EyA#Jn6Bu?@wxMl^%#8&d(QjJ{vq?knzE74wy zPX#U~xWY?o-`kP0h^6#bXBYnt4F4Cre#qe7ftl2F!f4DpM4UX1&PP%G0KJH+10c%a zH&I#1pF!!j!872JD%y&}3bo z>tFanX~>Ye*uRsvejA!@=ZyhZ1Ppxg^TsrWu-U%xqlIcbhTkb~ypvlg(2rk8_lQRZ zyOw<=JZER)wPxOy!KMbf^kV1ImB#IF=VkG$<)l;+nSo$F@FS@l zTuRn&g&DhszCHg@J~}ErI^5a4#6hZg{xZx*NH$I`EORTp>xtY%|KMM3-E#NZJ1*!d z#cjLsTNjJHXvGW4j)_Xj>3Jg*BU zUP&4(b4AG1vW+Fp)_))vJ%aWZz`eKb3YZcGaG27Au716>PZ z->(yR3C;2tZ~-aJT?xtYFZGF`;$#SKQ^+NLUadRUPqLRLxIV_(qn-3P&P3R?nwGa0 z=0Eye1(eO;E~QM}8Fja9L6xJCUd2pZgNgk1YiC3ilkD)>k2Eh*HS7|x+_~j*=7s5i z+b(UpB!jB<^M}GcZjmw`NDNiyPv)TxB(20xO*1BaaWa3_VG-tk;71>&M?!)FcT>Go!d&(-Ha}PsibPqoCg+5V04hhP&qA*-#+~S;o7%!xCVz~ zxZNyFOig$|45~$Mv5FNZXt-idJwkRnb-6^!Zbi?V9MEXzUSraNHi40ixEDk4@u48A zx$;bVXTt1(qbl@R$Ky}mw@@*ah8RenX!%PRKMCW?z0YxGiiJfP`N4iP94?JUY<{Dy z(o6G>+lQhvF0RkxNU<#oS7`Y8_YXN*-lRsz)6Ug4NSN?Olu769Z6v9Z*d5MRapkHa z*ZH4qb}1b=`fum4gqOTqJFR;~NXF(Cj}*Wx8eW17h+rv6*8{lTTb}v{yI<(YLJOj)f&6kbB6+D_A7!eC$ldWuir2*B+#nZE4$osE zH~vtcKQKNpO`qWuepw^pHr$8tGreiIg& z-0XE*;GwR-4PwT~{#TTnnAM)9N=m>Qm^IO;&t)JJaGWOx-JzSGuTJ3O{ z-YVTP_!A%@K-+*W?2gtlYz=11k=>7~gqcD^eV`YhCGwBe%DH%ZuvL?$F@-c+6ZuDh zfcdTLj`$XHqt>9}NL2~9FnRRvt#p7e3v>OgrGYQJjZc&`##22p{AkCR%2wL9dU4$> z+fNrVG-gBAN>_u(e_MvUH}{^O*g9B7&}};vWT^F@Jy)mD@IUSj5^7rtXCXKskG8a> zU~2_O8Z(SIxh~LGc;I+ucwt&*m@P|2`_~+A=kA31#9k7~Cu>LEl{+)xx3IkR7TXZ^ z2GOsmPz6};o~T3sHQoTVOkVEWwf0JC$?VBj9STSWx4;oaRWZ>d`wmsrilnv5LP7g? zemAo@;jv=GPs!yPK@>*`zW=VDU*=)LJYPbj9rwuvKScuCyEcoaPSeN~reu^mshyis zC}dN!%TAd8g5M= zuDt-+t*U^72{vxL->F0-0Nr;Xgn);y)3)iAA`s5tECRy6>kKmj0$3mzL*dfXsIK}b=oZ={C-vMJM=z5gh)OJ;jw(=uT#gct z*bg-J-nd)%F8P+YPmr|=q$GI|$tw?#n+>0KwLuaBo@-)3w{I_*@-v?)hDU4J|*LSrN5aB&BT7JM5*2YNh&VNMiL(Yt_6I(|GN_;>+>1MWD zC;z^5xSq!OVi$bb6)d@99-ize9|ZYxxtWlGT5Gf*?8q%Hj}ZwOhWJ1EY|`q>-*vB? 
zeEZS*VXf1mxcfn5Sf7X-{rlWKS}*{$1MyV`%~m%QAeDM$Sz zuY147+|DZ(-ddmVcQQQfbfL>dZZUc1@TPoBaLm$JGM0QuFdc|EuLc%pdUpSvPB>*V z9c7yDXo5Jyj+emrknm4zKDh7bRP&vdQ9)qCcz1)I-9URTsy}L&kkhYAvd=LG9!k;u zyUY?Ic}|_iHVAeDx%4c>T@~wA$mB*Z#$5w)V}W1Rv`ewY&^@Va3lGel$P>%tq?cuM zces}9?i9YLLPy|;Kl`sj%Dj;a#+O^y;gN31YP&{S%D2DfSH$8>W|ym|h)Ilsf)BUd zw4c9oK3TpRM(;Ust1%Hkp}uBV^@OGu!tGzV`gd2d(35qBHRdKW8$|e*w5w|MsF0Yz z@^Nh0LPp)aAoudy@UdPi)*Pd#2JD0CqeU-;*Xl+4q|#^E4ifxB;G8o*WN z?hdK+Rzc^au~sQJEsp__1gY0HrR;br=SZSzq5<{U=1eovo>Z@;B)eT3#W**av2kTC zdo(y?yxmAd6F~cj&!FY-UfyDM0Ee~}-h6SAM{1_9$=u4STloMKY*bIDPlsuo#{nNi1w_=`$%G0!tEBrliBQBB=rnEOGsmRpeCP zDct+{VG^CgHf$VM*t)~7r-2%I5UE{`-Q{WdB)u~V`Vw{*3qu>-<)z4iV6ox)?YS7U z7z821WKS;qgY=LiAjgY#i)b%zxi~*HwjK0<@sYJIL}$kzh5ggnPpfQq4qP6Oy`m_) zIA^3A>FHv4Gq|>!t?}^dKk$hZi&pp=@ybIWfXG=;L^|LV$%x*uuUK*kHHnCLHR(gemv3jA@RpQP9O;50%-Ynms{(;ex>0$c@4%7;86DzL!U>? z($qY5QH;k3=29_KBW*GLEJ#lkb0agSd_~6 z8oyiM7ftk*Fcadts2}b4NgWRaurzhCt}hE((S3}{7eI(V z*}tPZ^R(Ur`A$+B26}#SI+WFi8>%tMY8Sd_*q2yvn}8Q3Wou7YC8ysMTKBlM^`B>}kP-LPB@UzDjtff&;M;e~n)# zqjlS9tOEe-H4_FnviA7T4O5(v>AwESppL}udi9OAUMnq*UBciP|1%?w`RFjREw0=P zuiT6YUYd-Jf5AjqCq5;miOM8MdChg6ql29?^=bpUG7c+X_q`<2N1tt|6LWd@6-C~6 zM^50Kt#}Nbmoe{b{llI9@?94-_|~x5?)dREFfA}F!q9hj%86cM>L3pAz0vSqHFcgo z{8&zW5iu^hpz)E}1MhggA_L9Wb~u0RCVdZ9)gY}dFf(R zH`8;d5IA|#$f7OKa&AztD>BUI5BscTiz;Wn{kgP#L29d!)wQuzscFOeB$3pT{Y34t z`ze-f5{+&ds(x2LJ_Ti3`~saIPm20js~mfuTV3Gz?T>A`>-j^S?;Ab7eA>Y}YfR9H zDT`Rj?AB+oyTLz89+eWiQR%cAz-DVLJ2(UFi>^(tk*S}SLCw2k58*^0Z@*-uUS!yQ`5pkTfZq_gZCS?)bB({@x zMX_N%hy7|>eo*V2%Y<=Lp#Gz?xp_A1CzY!95YnQAV101OimH|}3?3EJ9@YP9cRdNy?sYb0rSdXUezZ7L|h zjyuEl&R(HJ>%00Y(s01Q`9sp*(4tN;yu;%atW@M?j3A)VlJ~F#XM+1pt?7T+HM-&ZyBJ@m-+#eTVNL`I8P20vll3?Cl}4vEz4Z=SM>|Sp zzL8T!2AbIq%X)79?{2(Flym;y-I!72q_*{6@L?LF2@7z@xV|LU8M`m2Ba!G$+q!D@ zH0af%=@I-R=Avy)Brl){8m7)48MwOgyLk)pMVp!Te4 zshTxvQ+q|ks@khci=e2s_TI#%_Nu*C>=i@=Z@%yGzJEY|d5-6~bKU24o}W`k8)#3? 
zzzUf2_%%*?+x?5*EvJyXS%z5}T{O2RsQ>^_q?)4q>zqan8TH)TKm1>QM;5=?;%xPO zOZ_kq`VNGp2W=BP*lfs=F1z85)J%| zg}-ioaTn!VWAMTMZf<~dnYRzk$=QQbI3Jg)pS&rW;56Ht5p}ZGj!#*mcm?{wiDva- z=qGv{G`w8}&_)9IUjqOACAKJcOalG{2Ko)ZZ&^Gqu$=@wVb?RuB4Q^}Feicpy?I&l z*O^BPknu)(9aL4sHItPt-B{K6%;X3_RHd)+61MiwTsfF*1 zVq)|VEraS%t?9X_BRx5nW1%s*#nL>D#Sxu(e>Esb_992*DybyStZ$6*6bk<}bgWa* z>=XZ6=MF*UP6uD%vIV(d6Z*HWl_{@}G47sPbcaU*B+b?D@3~`do8{4FU`&J}1Ll%A7?aWP+sSHVxF-{h~St^eA;Z4N4xK-D#!Gn zzQ?VLH0saqojg%%nrt=1DN!z@om7TTP}hsbWJe%G8~vHeC!{q?U4))Z05<7qV}IyH`D84_hOO#tqb2>&JgsA zfVP~KQ8(p_ z<~j6^4ot!Qu4JD{-C*7RrcW3$poTVQ+d2G~lkT;&M{%Z)w38ha_U}a+A@COGB758_ z9&SSb0Piy??>6HZscLN^xuDmr9Qf9a0T=kmMg{b;Lj2|!a#QX*=#H%LJ*&uUy4Vc7 z-W-))y*D%k+e(4k4Yh0+G~1up1fJQXZOWe4rPVZ_7NrpaiI8d7t|iB8;}S9C;ZPhL zle3pU)N*s#;v#!}6z6h%eQ?u^5qF-Og6(g@_c!k zC8zPTEmuZ%gl^TqfD;s$3X{(McQp>WP;Vo9@{OfLCtzDIO$UCQlq^3u2^*MnB-Ei? z|8yb%a?ENj@&j@C1OJtjRAyY8;XBQY=aJ`)n@;dmak%A)Z|1qLQ~r&3;EA{amB{p9 zbIa9i%RFq2i(?v3ASybn!~fX?{M%?HFbz9Y|O+aMavBKJ(<8a8xBbgbJ_y_p9wdA=hR?%dg}{mA@Ee-$7kJFa#$t9zY*s4#FFezSo*#MNVsz?MQ~0ch zCasJ2o5f76q>PLpl}dS!nDbT+lO;Mvul!IP+4+n`MgzklYxVh(DuD1>|McM<4%5cu z(9U+&T-)B@N^a_h7(Lfc=nXNJT!vV`L8df}?(hJ1lLLSB(K-DDnmG~%$MO5{`>X_Q z{s$?m-Y>5y*uNOozJ$-ksvu{Mmh6E2W?1wFPf5Vl28NbH5KGcXF-7xM{6xx+^T|uf zp&ezEAvIGxX=&JSMLhz-hd>jlaGUuuvo5x@2A;9$_KuE)QZZ5;kOGrQ6( zx5a?XaFOS|tHMK!<<2bk6Ehc*@U+jmMy6}uO-pFUREMAQ4(g9@>ud{*nN*WZV0u>4NGC5OB! 
z*CS>Du|7K}@9>#dLkGmOu+g*ilM}S1e)gg~Mt=(FydDxB`Lrg@yw>CiJ4or|%t{WU zi%r@p`p5Oz7{v~i%ZwJ>8Rdjv2i1UnM8}t}xDgrY2%q&YH$OtBK)XY3`)~~fapXn% zKtmv|Ta4ox#hyB8c#aiYt(1-7aN$`7e`+{I{3bg6?+evpPE6?_AJ?W)hV)(^aoo5j zJ@ivkPr!1wwcrX`>{k+)GEWO_oSL`NntyxFkUS+sk?G9A-)SUD1tTQY-zJu>?IH`n z0^Al(R)6$(<(c^sC6}?vgxMrmt}{1fin<*aA#B-0BnR74VYH;2k5-Y6 z7A-&Gj1sa1ya~_*0VcC`Rb0H5#D_RxUYUX`Oo50+>Ohnsht!It@yK*rkdJ|iOOoU2 zSN2sFv25KQ`KS_`XyIOMxNz~*`@*GcXv-gQhSO*Ir>6oUUjIGU`m?N@%(5Q#E0di* z(|{1Nf_7^ckNT8j{3f(Tw!`S#Y7=IDtix;)*uS|!PP9qYvh*fRr7$%!K!ED(q4mTw z@G9podO2zJCALrdce6-lz|Hl+$mhR=6uspZ_Ba*!bMI!f68|K-!>Jq5L9F1P=h6_) z=_EbF_W85A0G5bUcNE|Frj`2&Xp1; z;~>bYM{HaE$mVdRvO+QkkxF1%y`n4sG;w~yKQ-d)-;j@<3piG+@FdRgUWxArS&#l= zB1pf3U`3RRR(RZRj0tB>l^dcs2`sVYXh!g2KGCrKLvKc2qgJ>a7S9Kt-By_^u`VGrY*JxrXhqK3Sqgg_@!J0wKP=8jlG-zN~S8K+9>L zw9=yZUQF|0>zCgx3dN2Y>45rUn*J+Nin(_L__Af$#>3Dl0{TGm9n9Yuo6t%D+QVTm%iC}1!&mwxvZHi<71o0%EtsiR7e!SY zquvjFUc8!LbPALj?3hh`0zbT4BifqJe-9&4jg}hXAEFqdgY}#i-d#m{@BV1G_TWvE z?c#4}J~e8oIy=7i?zrk`T@!uL$`^s#abUf-gM7~bfw}#RQ=szD$K*Wp(gMeM&HV{}$4 z8KYe;J@S}+h}O`nVLIv;e_l~Hp)>oOpZ!jMQkgjTz4&pyOU*A%a{1O8Q88*tos|R! 
zbBUoGV*#n8?=#KGL&>mz#fXZ$JZnpTnI zs6r>)l()cdqdxPoZI1gTYgY~5lpxN~mW z5w?OhT;j4;Q*uij=5|ygmGBU<)6h>W>>w)yrzGVf6cPHjRo{V0j;_DDTzmy-ZEhc> zRPr9FeMzj?jNty9FXky%smL#%COyn3r(ZJv3{H-uDG24iR}nslnKU~-8+BeWf6%%x zLM(X2Hq9HMzCi;?L!XVNG*@P^u(1Ouvs%T}j5xC7Zb}IM?+4qgiz8#*<7-J2oC!G) z=t=(d?gOfq%ls-~j#7Z<_%JvkQmSCK285a`0p80wnd){S$kD&7SGL_EKb9wctE3!Odoe)S} z)zoC>Tj{PHH|uBC12jr7G++T)7W9FqR)9mF;Z7!TAZcn02d$#l09J8zCN)3FM{MM7 zJHZ@+oU#M~eu4MVSfHx6Gb}NN6cydFNh~F{sw_33L_)Gq z<b)otcGDErQB1e|>-LBb@yEfaaW4{`u`Ws^1WFoVv;IP?A-KFU5Zj)h%nv6#2ZS z=$BRDQen+sC=fP7r!$L4ud|U*gnj5t%kY@B=MH)G*l3I<>8(%irlk9;8GjCUZ3f|qRlmh9}{i@3v zm_6}Uz=6LREhmC^S?!}KO%)N(hOAnR!UBSUC zipPlpJWqNxEz;L^Of`ye+1X&fMjHjWW_JMaW%A+HEgujmO>HorEOrd|IX-KvPdT9S z4rf+_nA9=x{9z)@#i^BgsVHV20e%<34n-M?v8*0(_2H(&nC54^u<;)_@EipmJ=;?dyNx*N*?4&^PZEH{eqBP+EV+ zWM-+S|0Tu8B}CZign5MKT@bWI{*D&>yq#a9T&)Y=tZ;0cBf7zjoB5 zh&7@gf1S2XFYk2^cU=8s$~(V3we5RExZvckwn_*uNE<{yqBY<@@fncdwnS26eumrJ z_VY{Bg3vO+F%jR$$W39b+Cw5?S6$gF2Mz zf2M=7enW}yuOf<%bM&5daM{=m_}jaYuSr5wV;1C!Adf)D#7ApkvC+6vg}z^fn(9*2 zFX{9CveiZpA!feznDO@r->1{B87fTOgw|CD{wgSzJm+~6QcX*D{37uWjGDIP@vASp zkrq~uCm@=0{QZNyi`(J_^J`L&m{=o23|IISX@Vs`RhDC$*C!iTJH&{>UEaLj#i@XC zOk1Y}mOAbK+$>dw*88^&G!J&4;eNx=MN~iE4@dHmtMXrvfQ>Q4n6!t{;?>5!A$yy6 zW|Qya4elT;Pcf$*m7I&pC^_p^7-n}DDfWw3u$Vs#P_zf$j6uY z?}GqfZ9d(xHx|i0Tk;%;PW5bAK#UY8s!CCyb(MeFFJQJNz{qLYPzo#pki8rGl?q6S zZ$g+SvHMk|K@Y*v2+D#0tKZOiFxbKGTzgr`kQV99_uNyGA|{)K>vDz$UnbCbdmhXfNNwN|Iy1spuKn zx{9@^6CfR9C#+Fy6E2J7@Yx|%brAQZzmW}l;XuRL)mdUgDigz2pP61rA2{2-aVd(t z=b_LpzMHD{_y%ob3_NtqpX4_^iewM+4}3>Y=FMnJcL%qeQRCs)>hbv$F<8m5%G9DCf=gem6_h<$%##-z4s7wYUlH6C#+UFZF z(J-r5&%tx1BJL-epZWGK1DmGLhhRh?-?Ln$17_7E<9{2h7a1|{YcT3BppOiht4&#M zrqtKMf{J9CL(_a!tRL9=3`>!emmU3(#pJ&Sr7sQ+XzHD64>=o3#yL-Ij|HrimC4CW z=F1YYUG0;mn0=Max$$(H4NoTXeFMYmqX3u4Mp*a#lKF79zX2B|?5U(UX$tNt@5WU& zVh8XS9)(^9MBy5jtJ(+DuOBTbPRxK`URRBC6uo+*UsEU4DiaeQ{MJ~o<$mh61(aAI z2b4YFZPoaI=C&dfkEsnkW;`q`*&#rrL4J)BITJQ=ze9USAZp3*8MKXcU)_{^O~DOe zRtN&l;6kv*%9K#pBfMyLM;j~Ko!g$pNCPekQ1Ss{KaF_W^b=VzunY5v&~ks(Ij1Q_Hn 
zpuu9a_TysAoia*^$or==T2DKZTtk$bn#NaX;-3w6rbvtrQE+5UW2qrN@%ND(Eli?f zXvu)+0Keq}TN;hx-p1Zm*xyj`cV&EHGK`vcI}0V=^Z-(2Uf}=6OVo6BNMs%=@I8+fYjvx?OfY0BcWH5Zw>+SMsGU| ze#sTw4o=^qjVCb<`hp5L*UtylnmXC_`qqa&bOAbsjr=ys@U=sXvC#I%xJ5Zv#j z5tXGKSWxd##%By<4Uzzq;$M)@E)#Pm#_?pSD;SizPxE^kWjVauu9(#}2p9pCV7|gzh<&-6=E;%6iVPw`m}E}R+Mkj?sloBtsR!#R8sH=|TksO`q z9?%coB4<_o>(fBO&OHZg(?9*Wbo#ZXF|U_}t%xQ&xN`KBP713U$wf z-_yfZSRw^iMw!|SU}>nt-)wAfT&nrDPOKlsqq3+!mFR1X=bi7TYip9*p#%u9{~+*qcyIk+7GrH57#W~_k)kg=bEz{jOrH8u4pT~BHfpY`G4Axb`&8L zEa9!4&&*TKU*}F%7eT+JTsIfy-&xxJ<7{PVb~tEI$2+F;=u@L~B&M{l0L5zVE*J}R zeK_vF~-2*tI&-iOMmm3e4^qQS#(I|Bh+BuQE~K zvs9<;j}?5ef zPhqrpa%gf8KfGenMN%_8V?9`J5@jU&Wfs-g#29iQfpB{(D@{u?Rl# zG}^xiK!RhD#BnlbZ(DOaxP(EG`hScyj%lRdk?91Nl?T9Jb8B|=hQ}$YJjzZ8{~G?(@w>)i9z|p(8_9S zcri}0m}K#Y}EiIm#&r-1N@@>ICb?=9)? zuv@L#?3NAeSQDD|GIYv&7*~;kIA(uQ>Y8%rb>>w4@bCx`qh5;wVe4Zj&5?PmoQ?E7 zF8%&##KP2QEMq@nFgIAs@f7wxe3PlpLwx$o`1Ju2u#2l_9GplZlxAOKoOXBCG|Zo5 zvwgp+C3I|6t&WkTws4zW!&Yc7E;t-=$qqvhCuy@#cA~q*6Qg^=lOJbv(ZM+sFmMrh z@i4IWx1ikm*Jmsyh&xN_HK0}y9#I>7h^Qh)50l0vYz5IhA&K^T>N(^-*miH0cq15% z&?l1nDO9OZLcA2RSvd1R;sHOW&fnG-cT19O=z%eBxHpBS%apSI)X;E&%>rsXB@LIP z0@|2Rq?HvLbWG~iQnyu&kNG+MKd2`RVyX}7X<4o`N^$XHbZYDhO;7GXlYUIc4Rvg< zF)hd{$*~;|JM+;MsfFDvD}~@#8&vn!?zc^k=vTjA$s-u>43`eUm87jwGh$xrb?_gnsO)?v#N75h>uCSN5cV!0>PDrW+?Wt5JSmbleX zL+XO}P(j=d#Kvu-aDtS##=oqtO;eCdN(7FR?fQz~3FHI=0R3AUDbqQE_uomT826Ub zkf4VBeTJhnd*j$00p{o-(|{5C6x%JX)}2jTs$#Qn0K*h$D$7%-u3Rs{d`pb>-dSlJ z>(fNp>)lqC9^prADQ1Tl3Vyxe(y)Ofe9(^B)r6VglO@aZ2-Zxg)WYGQJ*!w_+~e-< z?kiO!EA1`6w+WjzS92O?Xd9?Zrli5fRMge1O$V5<`}f` z@c;z0=e&*Nj2Hi=f~0{qSHSn@eiqtIJ`9!?<32ApZKOt6QV>s2WTnh;NGegG4u%WN z-Ec%HlUP^uBVmVQJAnv|MiM5L{FzP(ghL^y14)hZ7yE3qxjUS~ienk-O5eO~G>u3h z12k+6>U6O;!QO>4a%#)ojIh1^N7~bsX7&MuFlF&;#D0y%vKU~FcZ98KZD1XYyBQHA z(1dn)z3H3c`ppK6?HLL-$#otG7eu9hcSbI`Rd(YOGGSL6yQ{zrGR0XsyaL&4-?cs@ z*+=u8F41cK4ZByCr`U~w+xQ2foHP-U-uW}FTGG$phL+oDP;)Ixoim>#PO5>^5TlX7; zQBS|1snJgUQ7etm0;Wx`2XvQ5BW=ykWvQ}zyWUw(YP>%HVJN=1&<|ucx;Z+&Hh*gE 
z6Zv9&jK^=uVZ9+MEgEm6#u9Sv{kHy73X{Fk!f`rzQL{c(imR2#v!Q{mJRK;^ZH1x^ z!|2d_YnF+o=Dj!02hPJa?;>s4V9|V%0xb~zcIlQ!%4}q}cNMDxG%Dy%;zsnTF(l?# z*%HrtQ9!SF%Cd;pfUX#t7?8P!9|GY=rt-jjzm6-x(A8b=y&8swb?G;y>R0X&_1Kwo zjY1l(g+#vi=Ny6HQvIJJN&Jt%0J-3t2U}n<6!C0_fQgoZu|vB*rY*Br?)Gfq%9uP9 z73>&ca6eH0yeF40aD|xF)-pvlQ6fI5CdK`9ZDjEe7u4t?rRRc~qjy2~NR3Daz=>OK z{g4IVI3^t)%gEf?M;`qr?iui#_}7tIt+p<%SP%~MZHIsc3GI13&;6^)y~pT zUN%-VB2z8sNO^xMhV&bJI*enwU&xbO?!dQQD9I`lAi)t>N_r=gDc_@^aBdH|KWgSR z1gSnCs3t1^r<%MC+GYJu6buxDreH?^NQ5RrI&jau=;bCKEul94yMv(z#oxkz3}1-- zJma(M+_kIYH6QOr@@27bMye>1_-?V#eRa5u%NFOPu06SV;!1H#xhkHr_MOw}%0Is` z#`4T&v?t|3#jc8J68RFNcSpUz1qOPOHa!K{r@nPq2G9ufgR=v+Pj0juqW0|!;!*=7 z56uGSc^vyhlB*}zrjT@Wp2B=f2occd|2p0^`=^wA+; zZ8|a0M(3i`6?kGC?(G@dY>TZng+OUurChH5d(EjL(Cbvt_NO|msVM{d#_mp;U}*iH zl@|Cn(Mk{AuxRUmV!+AN-oiK^b@AfNexl5$<$&jC76fTq(T>3o!CWX^uu*sXeB-Jw z^B~ZDU5$=>`agkWLvjgiXztJfAvg{ght>3HqH+a=)n3z7=Mtq4J}#ku&^z%bW#Vas zN_j&tepK&tpYm|_oth-=W9CY+{$WADvygA^V=_|t-O-lKU6XR9}zS^5KNR< z!u?2oJ5GNjj-94}Td2-HpDzFaK}$m6IBbKlS6!h44>S2N!bHdZ0B&9-0h}f8jdr& z2nn1b&w9?+uBh?+vIBALLD(so2_NjW{Huvtr8CzbZx|YrRj-fh;y^rtM+2W)$QehG zS>Ag2MjRG>Uv4gx)|@dM0g*c5)Fz4lF~Q5O#mvT63>f}a8fk|EinFDdRbwpwUP}2la9P=}0@&4pw?T37c4;<{pF&d3iF>y9`nh}+*mbVG0XDf$u zV{?`kbb+ba5W83Z+Z6&~J7N*GotJr}Vjw-jT(h54rg;8sx7G}s^R50{saa#byUQll zYVXqZInvL*+kpTa%E)quE!14rb!1Mb!*_G$&EQ|4oJ6}`RdXD){OR1Fj5^(X0|M+A6~{n4&zksb5$9ouB#k^{D~ew-pHxtdrae zeZUvH{>{(N?*?;!(kP=(v*2=KFx%3B{CY=LfKvZYQ8{FD1#)jK)sH3=k!Yj2l1-!0 zfED1-^?p?6!Ha;lE1T!qk+~TEEI0Ca(2={+uXXFlE>_Mj@XjYTpWOY!jS%1lV>3R& z#pP#GKwUrhW0bDj%2ra?yy3gVdU`vV^F=0dQF7YQlz9zB#sma=Z zy6>8~dv*{kldq$FaU@!V~d+vbHhG(|(Hmx>Og2rg&wLk`8)YeFPEApW;oUHV% zF#E7QtqwX!byedw=s@ll#GhrB*S+hOY@`IiGW?7^T0BW^m5R#9Oq%8J*xISFqp<9~ zF%#`zjHr{TPttw(>4`uamF=WTpi}G&T7z=fIW5+PL1xNAI{R6dF-thCgJIJxWivU) zCSI%=Qy_qRk9UGO=%M>`W`?&54m00)4Kc|If0%YLURm~)%$f_(+Z=0{zcf@%X`GMw z0Ck4AP6fO+p&;1XAAih%PDWlhlqaw2P5(`ltITVKloL&R+^rE(rF$9Pfq0sQe)yE6 
z&WSAk52rp#_cGkcx@=MM?&ATV|CSz2R`KWCH|E9ZIrayQMMVOVxHwN1tirk{;}#WRr&CphT$&(IB@4YD9Jrc+Nn9$=+Zrg@glEpsAs$Yo#Sx6 z7ghAoa#X(Al21%>(wo0ZteW?9{J`bwW(j--Y30evTl21XAkr7uD6_fz(d#??2?ECg zRBk!dyId5GGdd{fcSns>pteii*puneJges6>K&;|d1J1o6`a7z!%|6uB;wLl4^5go z9MxG#hlHwI*z&lS^GF=?sI3y|^v+2((@d}|9Dd^UMbQ@d(UPdW1l5f4l&Sp%oXjp> zpB=Ny0i|k&&aWISmxv-j)VIY^$UXdy>>~v6CBkp<&hX^3=Z8O8UII8TUV|Zk zg$}U!XzbS^*6Hm2kqg<@leSZab7fb$%M{>=owuSpzkgBCRGmKGerE}jaPhoNnLu@C z4)!1Kb;mlwT$;oqlHT5Xqw&T~t zP?EO^`%WeR6OzQhFgIZQRUPU~5877kkH5Gb}F| z$(L$!CA%HjxbWZylU4|`qV#i!-e_8# zWFpVix`>z3`BMSk<#gHV>q_(icXKwaKmI6VA)My$trckD{?l)%g3s`VEhi4XUp-HG zGCxZC?CCL*)-7z?YYZKiUFI()E*7cOeF(?Ffz=$ewSC!K(BmhW5%R4*Ym-w?CvHn0 zA6sizFT@^J@u=<`GxAl*Jd5;4GrsL0ZNQ5}UA7Cuv)4C5s0h$jy&J)nzsFyo|rd@v1zsWIE7U8w4r8W_4`z;D3S(A1O8`8S7{_vd=tRs?Ix-D7dw< zd26j)MPz&<$GckfYvRT*h++_EuEzS1#Bs~EO&)o@5?ylmrIg3+3hgYS5G#w#X?4)= zmkzmbr)kc#9w((TvVqY6=nmsL;!MrlFh_YJ{GSG=Z+~=HeNjKscco{eG_EM0#%Q=7 zqN7eHN5+7SZ?!G; z+f)tI@cFRTLPvs^E0?k~pSHI4pC|`R*HK5A&ZwqyXCb^R-F3~^0w49PK7L(~6(1ew z3fUmknrlG3I*T?b{Lw-`rynlF2oDio#ZWkPu}ETmB=y#mX&^VhHe1a7ld+srTzI-3@W&o42QEBbx+a#QV;b%e5 zQs71(nVM0UGr{gsRi&HAJZmGZ*>jK^RmBrw*DU_42G0-64IsaI;HaO_lV*u8S_>N~ zugFQ-OI}$x=z8t}vT_(D%fe|tqLFai1}o>_&3emlrI1Tc2y}MnDw0QInkGMhzr`$7 zAhVOoM^;mXHl=tloXdC4xoxT1&pqzYTaDpfo?f<)6R!gIY?|p`)@OX7`W&>OcfDSf zSLFxf%ZyJvK7Y@4M5ZG@K?<(G5-xG$AGp70Xyux(oKqfO2Yj(LZdtp&8^ToP-nGA z>;sxgWR;50x5%f+DjHBfL0EERY9y|y9@7YCagybn>pojjQ^6Pg`gTk8EBJPy@`x4< zGE__4f2~NBpXRY-WQTwum=qxLvO}m6S8Cv9bHeSqx4Xtw{$Yq;(q}bCo5QPAhwW|~ zBOs=Ym*2md;TOx&6PzSyQnpD>rTN-%jRg;&Keh6AKIUs#>4f<7uc>BuiDkbzBWrf9 z{cohkh?r~3dswLNw(OW3Y)?I7;B_8n8RNCIXk!wG<21F*Eay9%n>9pQ+_*o<&~}_6 z-jsLT^E=9Ahq^lch}Dmda)IwlN)^ zFXrXX&Rk(TzWlpISo`09cHc=M&()JU8~2;T51U`?yc><`rkXiwyifim)euII{I4vM zt?&8!G~jMmv31>L(8pE{s%G+@`taq`S$TN1`P&g8w00Ao7;_3yBC#%-*ck@Emgybe zto@@$zy7teZ9hoo*F&*F&X?mR-#++wHyxeB>6n z8mw7@R9?mG8*9f*cx>v|@f#S03ON1q?^c+i(H{8QYi-SNQ6d)elU!DpGuxs7O=D~A zQ(d>D87nBeMd#bsjLfr?_t+lH@J>vk9PCxm_`O|^H)_E4Y2D9+j&{n3{=Q$*GVlDV 
zwEmO9Hqfd%jB>!<2(y1lcUl$5PkW?`d1T!?wZna;a-rSfmX}fd_S-P#+A_~+XY=oE zGbe9$0lVjY!NlJs?jr(+MmrfV^wn3wphNF&u0eK@Mj=%K$q zC1^+xlId7?{a&vq7nG)4AtLGJBChoHC%NtYcCYdGhb_WPUu`lHu0qce4o}>%r9mcg zlvfCDsUt>~iy_H(Muspu`eA*vv^i?6U1rNd*>P1A((?PZTxl9)q%3R!{P$>v&&RZO z!EIWiDNT8$i|@Ip=`gd-ewqKBsYo7SaaySG{o;<;R63X9PGoS3&xybj+0KYwq%e^= zc)|y?w8AV{s{U#7uV!>i-0JG7f$}MJ1p^T#Ljh{35jb?eU@q1X6&KL;TX<7XI7z?K z%CGu%ZC(o_z^O6Hd+4#)<1X48^nF0te#nl`4ofit?6QI*s|z1(dVTUa?q=pCA`xHzFQ01nG7iWGGn9LNsmq= z+#M+g{p*s_u6UMebhT@GV(bl-ECl~@F)*B*@o++xz z`aOk+oV7*cQqf0|TC(H1~MV@8`8H$(1QKm@=F1 z@gO7Y_qetsg0^}itQ z_ugwbPqymJ&N7>C1M416PGwCzj4DGtDNqQ0eJK7ZFYEcb8&!YEoUTP3J?EncA2sGg z;w7=(7q7k$8ZskZl_xXtNRSzb)RY&NSP2@cs{+bGd0f@uvR}XAc_h^0VG*}K#y{lI z2@`NDl-Ahq;yRRy7~7U$UsGG4c`}cVAe{#6bK83*JX7;Ivj^AE6m|4{0^TDqumD*p zxsmy6z1mC6dsu2Su~ntXi+~S%C{a_N6%|Im6|U(MVY4*jQc^R(XEPpeIEoQci6G=pj+&YgH2p9%G+!t;EKwy8^0{y7ihRc!u%F_gkI@u&%>}Va$Zdzp_YyX3m zWxrr*qLwT0%{z);T;)R^@M zaY+lq-DSuIhA$-6V|Y?xTuAmv6xk^l(Ana;{GAfV4Bd5Oh3|^JM|JmMyGg0|FJlqH z>}$(A)AB#do)59(MkC-D8&SW;p0*Un&21Tqqi68phd6)z;n~!ulp{+r&8&w*E*NXZ z?@`1}Ufm7Jc7&Z-gYQ=FY%y`_&;af2!K?M5l(kKoOspaec~;WW-PbBq0K1F6*JPhL z57GtW*QZdV3n9@8?@Ff@d8p`lP09u&uYClpsmKlrT&@=x(riS_ z;!6iYJ}|c%`3fOFnh?z`t)!4x%WcVTDJylxe|x*~(LOzLEnfbo;w|Yxa*<)V>Nok1 z0EkdkD$H5U>RzKTt>3H}ns`{Fc@1=*+}vsL7kxnQ$FuL+<3Vt_e{=kZ~iY|lS#Z=TC z@CI8b8-wDvox()wXm5B2;-rsNEnf>n(k>ZGM~Ff;ExJ<~c2Lb&P$|$ppfW<|s5nko z4ssf6F~RL-H5yXfMYFKN1_?N-c6cUQz7S8! 
z;Fa724;{58NEE2j79>B(5K8>cy-pv_Hs+jJE(nRRGdVfty$A8*&k?K>s#T=nB%KRW zYF#uo_|OAX*z^I{tStf?q5_7O>`NL!&BI-vgGYyrI!VNOJBYW5xSs>2hL$kk{yWhV zf4`<@-w8C??E5mobybsFP~>P3g-cDPUuvY@0Lcl`KFbcdK51!LWuM+P=!r}I{wGdK z*4BS!=Enn@H7fcK*RR)C==@|cVH$sGi#fQ?vuMkUU``1OWG@D%wY7jF zkkxt@Be;W!|Hxdwx5==VhL)AbgP+jnVB~m%!Wu=fqud**dMmG&h)jRh||IA-cU=@+^iUbl3v<0G>?jWV~WyCpbJtMA|oTtNZ|&*2K`7JDg>yVZQFPn z1i#|Dr~V}tb?tKX&n21T9u4<(Vtpw8mcN>#j~X0MuXyVr;2uqtto{xiCw)7$IOd1~!W@_|e6YA=L<^P@@NMg4v!I?ygcGN|T`^=~=oqop<8nOOIAnEn zk#e?6-o$sSczi6G%H9p~o&QKk*F>y5+|Rt7ngf*TEc2nKT~Wq=1}kL<=YIy4g|;vO zURQzl2TA+w&mHgbTl^)87g&{JrDURSIdSAPgRZJ;Zi%nznU!tRKEwHTVd-w0O?oKg z#HHrv`z@twqYwEer$iPy%56xbjt|XGq93iQvfL%uQRy3}!q|(*LNj9#y5d`Nh*Qa4PgBIqd)+G3mmt zgCGfaq6AgD5FuWqH)FSKsDSR-!Eu6Nf8k@3;FI>*@x(=ElCwD31zk@E_!meQ=-`PM^3*VPcXjgL zPMmW7_-bC9S3%D<)^UsO9&Am@sYtl~M^Q3*Cf>^iLkdryWt<~_`4$&9*hXwCA)0mJT(4tde6W$@ ztR>?$M*QE=Xo^r5J-ngd24~nRP7&4fey1N(u(VA8qRUfPcK~?c79(% zTNntm@Yil0`BryPwO53`#~u=I%Se{LlBq=#ZDSL0qeqq-(X z!HNE0g`U{J$hVkf`A56N@Epz&T*y0^7UU z=ow2DMIKC{_(Xv%l|pYaK^C&$gy{jlIgN#PQdrdS!J_v%sAjE6%*VcEgjurf>GE9KROf>cyPl!@yj!x-{{#WD+o`p!>IKj`1N%N!D2cs**G zIvBb4j;x>tCHx9#et1(Tr{z74GwV^z6ST2N!%m!gdXVGNSjhS*-cjUlz>{j&%l*(py-qi~l0vcVKRhCTOT z^0Rh(G_#FEtzLJz2IJ2f&Iw%8W}wSeqYNe*K{xu?==zexJZ&x2x zXA={F-QRfCQ&+;dJ7&XPwi&}+z!&i6lxGb6lkFz=mFVTJQJTD$2e`wXc|8B4_siUt z>Qp6Qdu|&#%&AbaDQ!FJ8oB%L{>5}udx-bUr#j| zv+dcP9b^_G9$9jekpmv1xRR^9qLg}{ybMitWcRO7NlsPZw^#Xi?&?fA`hApQ<^(cI-d194UwGAU zyVsu#1uFpV*Z_sM)~oWQR5Bq|OGcC4Hu+i%6Z45~cO}N# z`sI=lEtL|7pK#Z?AkGN|E4&S}KDpa-VL+56oVui$Olmn!uZjT;Ije#C@TE+$zJUnC z=jlJ|WHu(TR+N_i1UjZF(;b`a0ARQa^WW z^wtsd=ZvAS%$BYDG-@|BN`(IURq&;q@E(Ul9`VAFeq)NiXj{bsX6xdd7l>>w!xgxa z+I9cMLzrV)L1fR&q| z@35Ezb|ij$SCVp@pJEknRduAUTp`f@G-l03+H;6$Wxh3hm zYZ$d${~N#jcE;~BSL??IzhWgV!2O%IB-bM{UX^^pZAk`Mt@&>@XOFa2xhG}WDCh#j z0IQ4QelMu>`*tYot}1v*z0PAJknT|rfoFwR-CPn;GwQ(a3{kgkX}CLuN6(@R3G2TS zK2w9~=Q(93MzRYH;U+ey?x>mQfBG|@hy2^p)nxfm^jhUrS0dMIFb-K$8s`;`>{Zmk 
z{1`||trYf50zj3!wR_cuv1E&itWWEOf*&=ibwDGEZ;%YFLt+$~jGJSq~FRn=zqwGdN0105Xs%EWa+m|<`5FUghH7Rhlf_vblyVClhR z#5_J*C#K-I;vOKj2G^8Q3WmQ5_5%{!D5Ed{rm-e}EcM#iKx>}G_=JS^!-(-A&OT~i zM(+`so@2jFzp>psiRe``OBp)C-=_5V8x&uSuNSofNkRL7US8t+C>~>S3-X z-RHa1VFa`1$R*1%*YFIh1G>KGsHoj6TWqrl9~@+et9*EdjAK(EF68i_nD`d)lK2c-id84 zK7J~oEcBxyB{T>~irX>uJ|8oilR7ssu^hxFlv%Xy_KBi>4gapYyS@mCbq+x<(0BTP zS3Tqjesc3mwmx#fR1u0GZyh+c9LDKcn2w$HsLc)&@?t&+zKl_7`Ktg~49J1hZE`7W zef2c1Xs&k~6Hk=Bjjnu2FTPb+tVDVqALjwBu9Vbqpt8MGNcWSWTR6=a{y>$qY^%w| zsEy=&_-bid9VoP6?C2p+-gDuwFAe$E2S5aI_sAlii3Z`V-iQ79xnh5rd37K5iZ`?T zJj2-SC_WOq`>$I%_NZ<{;~%CSjDrb7n_A)jq?Diz8o6)dea(1+j3dsN~#$AK9^+cU0x9v(tjlwp8Dc<;-{u z5lSxrH++&`hTFsw&80q@57BS8vF#OvzLakcRkw{wV+8bLZd3HhufAc{E-23O2`jNI zq;ab}V~tbpjP=?Fyy!UVtfwhG?}!zCFpFL}Mz4T~JZ;qO;!*WONsv9^wJ5&F%eVxi zFJu~?24kXSrXC)(s>jnHsZInueHpVQY+w12cNV4ci?%GoUdUr$a2&lf?rBP!U^TB= zUFYN&#Z@q+FuL_;4yY41lai7$(4vxqmt9w$aLOS9(6N4HA+>UU+2Xyyi4%vuRPOn_DCw`oV#aaN&OMFXrD#3tMCvP=I;;L%W6hw4=Hp+zi#MU_Fsm-sFT+nenR?p8 zo=@}8;3pE;+wkLxuYpG?x10ryf_vE8@LsLOnfmpHV^1%hfqnv7s_DuIl@EAg7ezhs z&%vK;_~DTRe~a-Cl*aF$s@eZ-qBOR}{&Lg0ZxT6W(=A-NbXg_W_OBm1K#eEyjq~K|qP=fYSa9{0Em#?z5Ht;XA8!7~-4j%j^=@Iw9#t zWvJ3*#b2(XnTJhA2z?f!ES1bHz&WJMPnP!+Orlmx_Kc;x`zImW8l>>%nIUa!=UkT& zsV)Rhb%U%-A%?nE6>^7Qjhc#+!L)8_Brn{(*?{S}ohBNxf4H1{9hw%v?v{cp#O@Hl zX72$f(0=k-_2U+>1rS~Q_?hw)hAT7iDR^Q!D?XVoo9$y5qup*%0Nx^g!TRdRQ+2yZ6+J*Dy z+ghpPH>R;J>V-UBvUZh5dSB_qMwS_oUY5uDknrrs>7pm2NKZNVV}Tx4Octk4^Q7=& z!)R@7Voj|lMluVtPs1Q|5Nmzu+JuO@&60S>`q;PQ3;~FZFMKG1XMe-Hb8q7kcil=vv$095I?CUj}z>T4;=|oF&xt^Pf}6Q2=s425+?S*pJ*L|q7_ru zXDJQQQ-Jm~3!9BK1C5g@+?r1SX^S0o$|J?Vn+b5B=7?Pr-&-3hlG4dCfWFfVUtq6n zK{NU*7@!t)A7JxgmMRAOd@@yU1%O1VEYImlyT$o#`x77DSm!2@;+W}$cUj{Xnvvq# zxQj0aa&tyAU>F2b@)r3Yi$8fon}f7u15Y&0sH_Y^LakQmYll0}@kv+tycB2l^5l_I zzh@}?yqY9qfp%zh=Lv7Olugh=xoYQ-2_@IiWx!oIKOH-P3b!`8GZaJt5=X zr-YyQ#RUyIzi=eJ{IqLPRmKTIDfgoMf4jRM#dNi}$)3;ydJOd0DTkO{g8EV{0`R;7 zKBqGU0I&dJ@i$2$%nR!B6pcsZ7O_OPSQfLU{}z||;RvKsUe5T71bFta#i8OY7X45kBOm8>l~UHR_;>PRO~aI$S|Ot71j 
z63m#~$W=YP^I%~JD{&9Xd}=S1)nR<-<-|+l?=hv+@x|whSc5^ZMDj~5319PdQ6Urw zGr5kCQ-oj-+#nd@HbjGtGwUXFPRm&tU<^DLtR7?;w+WFBkSFSF{b+6Fo9ZsKZl^2k>7oLsja{ zc6zTIB{0?gP}XD5jdSQ5_7=bgN=Bownr83=Z^9iq9af}Y`l>T+8Wya#I9qv8TIva= zI3+m_(qpT1Bh7spb2seyo~(d56tUNFsQKY#wY&3+9~*8fe7x1xDbCQA`2OrC`y#m) zgtPBV4$9l*ZF+0PCg05$l@hSH%YUa{DO_*iQ|9<2>+=^g?cA8{X>UvJOYop$u8W9q zP!42#I+)c&>CU;Q*s(TAAu97yhf4xgwWv2^?quzMjs(N^J2v0t? za9vA@A9#6wMI70pa}=WQ?+%_{%~vHTSc;6h>j2%Z67-fY5m_Nl^VLuYZQ`}rQlZ%~<3W9gyfdXMRN*<_44AMN??#KIa zR1e!(2_(?o9w7oXbxe^<-zD>}GIYQln`t0~UkXQaPzOK_$TO3qtu=xJHKwG&*Xs0( z^M(0E{eVl{F<862Yf0MA|O#)At1vus)Sn>;dxv)YP$E zh+j7yq8U%0Q+z9{@w4ctLQC_)D$YWyM#|vcY=64-e=eG5jiD9=-;Gq{;mO|Z^=&oP zuoDNT+5;|c?LU|9(mVR2E>fAY0_PI&JB>g?KTGZnCyVM!%$kIeb6t&} zEUFkNp!W3cS(b_oSrJ>Lc|Go*s>c`iPS*rKQtr-EGJznasM%=78x?sQ%rA1fj`9`4 zOUGjwyA~$xSu>c-ZxTKAdJ-I?k_l5-_LRFsh76LlJKv`zb`;uz%^fF*ekgC9C)aZB zz^Dp9gt8J!;5l_GPF>fkIE}}2UF@@;mFaH*M0aKleVwmM^WB?k@mvBYl4>A+SLvEJ z6L``l6LpGmBh==YOElxZOVk3Rd%blB(dd2*HgH9&?kI>ZSU;`mRr@&XyVh6rpZ#Gf zt$1G~T+7T&V?^uhq#`*_?JAitTgHv6aM6y!f991HLtt^gl@uS98+mY+Z7 z$VQsWCzTwzt&(}YCYHGysTud8sg3l9Pp?MhEAsI|=0v%+dHg^p(7NLun)U`gtzUye>8+bHQbvGR{ahJ}0%#F9)Qe9%9^sn@+?8S9623nf>iG|LfYfnWD&JKLf{zHp zM-0zreRlH<5R@+7|4|Kia=a2|FjRxx@W%oe=-7mQ`a^>_+OD}C%hCItROT!Ag@G}V zTT+JJF>66N{KYO%FQO1H1;!5(BoRR0O6~yl1Xw(96M+`*!0};S)cc_N)ars3rbAG^ z56DW}huj=)q2fmPd0{y8rSE57@iYJlq0?u6XeLz~w%D(&Veb_(37Ee@5P`y*G3gj! 
zbGnCKF8c71V`x%Rwi8vOp~&{S3f1=sqJb86u&F8eXH&U{R-+z&O(oaqPYP?>tecDZu@_M6Y71IMa}^n6>i;H{oPFOhu6~uGH9) za>dyu+DRxk@z1P1ez&txlvS?6=jKJ)OzDv9hfS1u@>8{7X1>j1#dNk;xNG!t zED`+4-xN4ojn|cejS7oq_$yu~S0)r!5!{Hsf`$C{nGWHH5E&Qvnyfb?o zf5-x1$7qlV^9-2u;4*ABOZi~M;_{?jWfnzexWI`T`MM`;B6{`LbzpD#In?$YjX;h{ zr6G<~e~wnoPg0hHZBz9~Eo&;V=UKWCrk`Ob@_fX}AL6(}hvvG-*NS(Vl~HF&H7h7U z-i5B|X3VUV?VlL4)89Dg+-dqa!4IR;im!1Sr}aqBs&SXjLVP%Mvoqf(cu7^J`{MwI z4+h3#a^nx=l{jEB))|@sVJ&_^8?tT)39okQgT8Fj&819c@d1|mYRXy1EdP~ZwUxZe z!2cZk3;)-#UzShLL&Mi@Z?o<16FyJ#Rt4vA(}5&pgOmp2J0tq z0f6TP7sDYH8B67DejM{4_k+_rvB0OZz+Qz%gOTGZD|h1~m*kJeL?ZZzM#FX{nzhEL ze5q?^yeVIFSWX_{kJnXn&WKW%^oWSGb2}vm%`9AU{=Lwb>GrTnY%4KAWqV+WT_zmA zF(Ur@M@c|{KtVq$@@LG_HK<7KlBZ-$yw+bbl96W2{*ZyCX7#H{hdP65gu02LYp`t6 zqj$1lgPyrB6W-Z56286h+HRLRH4$MgdwCTdQE4W#JmVBusdXzi3!Y zdVMHpH@YiFAgJ;vDZxUP4-e?8%J~|&>4$_cf444{fUf*}zoEwr?X*aYyT=_r*&e?O zDMag2Rk!YLtUQYk;3-7WP?21`MzK*0X@{nyvgs&(olydvq(twVf#;Lc+1Q8H&~w%a zlvv=h~J2oAt*S^`biG|AR{A(H$ zH=IVGUT|dOa&qgIznhy*7fk$~j5n9DDt(%?_HDyw=NV@iIf1uwzeHFf`ER}e0LM3z zYCX7O6V>sW$x^kyIXUR>HiHnmISiJ7PQ3V{`~QeE26?xk;SUtE9&->yLrFg-SJn&7B-@LyBb>+XYVa7Yh z^fdg0gw<*iML`daJ|!{OpcE5zuEGK5ZJ3STq_L;iq6c+;@-cNe$jJs1PJd>CitNO? 
zbnLAg2X7Kooyrkgugo=P++yq)hpmto{xUTG21a3?B1ts~r!v-$a_?*WW-91*^Sl>c zX`!WsrGf|EcUM}igK{PO>LZvDYDzKSJiR>N)<#c;4H}VfZ-?#;Uv_Kpk2)%E{4YWn zas2>G$vlcZ-b}cX#8L#1Q`hrD>3{Dy&)6M)(EOqE>Ie%n(nn_0+ z8hc~rizeJS#Il;z89!4OH!ZBPq9HLa=0diIAglz!4_)9o`8VEaiwzN?vYb(MUg^ab z2&WnGYH!m}ifP!>X~n^_u`^JO2p=&8oaK60QZBHI$5r={A1lY-?`_j5HydjjKGvwD zq5inTfHt~yqQ5Akzt;b>xiGBq>y$9>Nkw2T!%uHDrC=|@HHUhNAP?T-?T2r#Hzi$%#Q)7M7w&MW7vk+3J$>RzjFZfG>QaQ{tI0+W0`BYFAbVOclt_E^U2Hu~m~ZOy8%Y`|LK zZ~w~7A|BB%Ir!?By-zeX~)BV>83ede-%3 z8RO+>9wbjxeRJ@ZmckvaHK^Zx83?1j$H4(GVxSj!>+5+xBF?d&2M~;p2gJ%I4(PLd z3hp?^K-{sq|Hb_i&(HMEah34Qu>U;3sR@45A6v&l)X25}b0gNZ&X!;l1(0Y0*V^?z z%Cd5}0idlc2B^XkC+AzF};q!~M=rD~Dce+VAq_sZy@i%y5-ls%1aL|Bw zjjm>3V(`^VTympvRu8Ltv2mQX`WT`-(uH%|_8`Zi7T137fD&S})1r*Js{E+P(?Q&u z!fl9%Aq*-RCS$X3DX-yLAUeWyZ?MOly2UC3}f`f6TKi;F9D=;sivk>-nG6i2!j)aa5{0@w_BLyT zYYleg@f;LHNw)McB9ui}2f7eZzmg&)rd5wbN8kE>8_=?j@L{WEhArDiHLo_xrQ~jz zz{sVAN=SQ#)7BNWoz6NZIeHi0+(ag}dR;WQ+5Feai^rHcld*p&2Cm%D?(aADg5Q~r zoaOu%NECEtxjOW`tdcXv9hE5Y$>Ud&4Oo4e*uRLumI&@!6UepemA6( z+`mX#z?Ar;T=gIx0GcPO`<%e(2cYY;kpeJ0!?u|zn#N@`iRHvRqLzn6Xrlh6lLS9k zMl!;CwQP{%{HPvkOYOUP|E{;fGGu~&Xw>J}`S6#V_hRDW<(P~|LVHO#@t(6hNZl~R zy-K#W#{f#$t|WRDS+iHNeBCi8N8Jnp9fgV1K{?QA7)ls@^~K?a80GQsAB#7d2gYGk z)*EsRfI*JZqdF8h>q6{{l!okg5qcw z`*>MsAm<$UD~|mMW*l&i{pt%*enjC(jO%*VFJiln_fng`y5_qzy>Dm@&R_28Mzwn1 zOr^xzB;2Fstb^)IJ!>ZIh2y>LF;lm%xW~sg7(O+|n{V+>9D`R0+z!G0>qTYJC^byj zodf_Y0M(S_0H#KaEn)JVq6HKSAf1@biJjteaq(K?oVMl?wNk)xy%n!jVSDmXAY(Wn zNUKIM5yx%v2{uhra*fObE98#nIW=@cr{K0Ai8?kSq;qBq8odRG5MUlaZ>l;DinFK$ z-+tG4tka~bNo5&#_s2s|><(4*mvw31Kzc8!H%}Ppo~*c=>~r~~hHgdod-oZ~%^CD7He5&EY z*47eJ%2aW%s=@SL*4aH7K4&}Usq1k7fBxL1;PpQdHr}aSUY>J@7t-jWMI)Kk^7z+B zcx^ifnR5eUA<4Sr>WAL}*Jrskx8we!^K}sKE4b7kBfCO{4xqT0?TOk-ayZt`k{Z&J zus|)8k-jj^qmo9=(hegg-fW~5!(KtqY*J2S8I+tu8AR2Ss>J{ab05sOIK`3O7M|od zWV`{!GF9_{HOR=6;;LS-W@w@kWqAg-RP)H#J3~y}<~g{)#L0D(LTi6H@orLz5?DJg zO7J@eFMDJ7;e!BjnEYGL+`$5J#)-Nxm$^_*%%n}+rvaGjZ;AYrfQO47#FE0S^LYAR z_^tg6gzLU-NOMEa*c;5P_lq92|1U+=YJtJdNUS-hez|OYWj&*x6HR<&NC5sJ^8yI% 
z&l4k8il$+hz*nFX-k^UpV-Wy~t8Suqf$~`rA);$&$*tzJ@abj;m;uolbH7G1;Yze? z2c{jHh21n|4fp5Rs0-Vau7ObME{>)FCfO50Geoq0aKMT19(IoH-To%+IyoO^8M5Lt znUQDi;T9*_1s7dB)w7ND=l`PK5L3OiS7BxWd44l$=$cG0ii{4qqnlCQ0@TvM3v`*72>O#U1{^8)`Q1UC1Y# zoQs&Gy-9Q5g7NQ{hcZj-OV4p~__P^W@U2TeI9W#(A9`Bz00@2Z^ib8sp&pBCW;~0n zn!zm9EP?=2!X~-iYVBQ97Vl(O@S}#cRT)y!pu#tGX;syLG%_b#%e|0I5UPCO&AYo- z4^>X~vnq^`6TLUzEz}8q^mwI;{7Z2#+o68{;d7YfOyMu5gWVk9<+4PwNN$CLr-|G7 zjxEn$Y46Btk79$CVF7OvpD!Bq>6+!77R&)1WpP@ShACw$TC)ZX}Zla9$f` zx%0b%^O9xP?6L>^S8rE1Ufr=vcqEf1Mrtx!GO}Da5W+v}3ErAbstzRQd{(v%*dx~d z{?fXC?>~}zcJ1CVJ07SCfM*;yp;~{hoa`Vn)f1#Ulv=e91YUv~Y^LntKnYC14=8)5 zK;)}GQuPOu(c9%g0;wf{WCvGYi6!pX>{(!e0nzD>5=kzgu)MK5GCvixA#}3{VHf6`5R1*A1nyFbR9amEMhdfDA6g0Nk^38UF_?8DI>FA#DgzH z4(X{SIc^XL>#xvYxL$C+Oq7WQ6X&nF7kE@>1CNX_iNcZuNKA~HM6}cRGbaq*Th?^# zxRpJAs4OAy2otIr1V`HTFQ9aTdGbG_2NUj;7q5G;<}%la0eM8iN3pEdJqkaC;~4Jy z$X%@eTxp_4I1_B14G5ZD@7{JD-|}NGvoHB(-*)QG=w3LseGf!5VPv<@W;tUGcBbyk zZ*rgbadh(qZn(4TQ4Lzf_(YFv_H~fvH<-u-4-ohb>>?@zpz1QI*s|w_Hi)9VE(O-? zU!YiKVQ(h%Zo;TY2w3p18J`nnF3($-!5zYwJQqzrbZ&i3jGeMA9KDaB`&3#mbGlWo#HAY zp=U~?2;4vpw^%uoW_}7lYIkpa$$w@9r#E)o(&(0-3S|b+({*i6n>NY@HOb1bW5%4Z zq&NTaJA-MO`2wGV?B3p~YVc z>A2L_9d$dXqL@`UuIKor}qbIU}aUT$wQUgD)D6PHsA7GFuYzfWKv?~iSid804O;pW2=Jr zgx^=CHkrfkV*fm)1J_OsmRyrT$uEU|OJpL-)(51uGGSIR-B98Lf^wkYY$~=AAEvb= z=aZ{~Y&NZ5I6XE)sL9ssjT4jccl%8CtFiz>2VUIUoR+EJG6Ny7TK9UCTKiDM=AQ&< zsQBusa8R|LxJjkb%yuy~faI^t;8#(336U}>gxFBqFp1Vz! 
zFJ_Ea;{J@|;LTd50l0mJ9QjN(#E=wybgZ6hDPVYjEbB4t*hNYH9918xu7B>lLqc45xF1)3C0ikh(+Tw~Oi>O{XEJqFwZ6 z*OWDTyGGA>_E8g_0c$r_wAa%Q^#LYzY>l!i4^QrXP4ALqAC*duueA`) zht=RN>)ecf<6F1Noc;*!BXsqy?+$}|tl%$(Guj97{A(E(=a<{0!~@?k&w;zRu(ihM z@{XsYre&kl0%_||!YugP>=eKE1o(3iCdi8XyFo^{7I}cWDggkA_^X0770}pU_dS`k zu)4xqQ^*4}yjhg6Y(p@YlREpG?XdPj(BpSXEpS((h6Y=jqRgjaB3d_w;r!^tnJmm;<6 zYX(E(I_rg6ttM*>I@cJj?>v)t-`uz~=r4ZD#u1*@Y3KBAh_j&MP(6@mA2%W3U?)Fl zd`Nny{EZXi)!uXb(cjCj6T6Zr*(&~!4_1CLmZOwnlY4!V%7Fa=c%Y)?r(?k?7BWk^ z)(G&o;DcO&T7>IDrCO!#ooR6X+OvlTJXaVQ zU%6~dhcU zh*P?{rBsOjzHa_PonvUvD@W^`jkxf!gVNtx{tMGoOwS^;&_xN8aTWpG{Xt84?^7g) zB&jWB7>5M|WNwdao%1LxgElvr2`Ac8H6d>MD{e%9j_W7P4|fM;dPd(2f;QA)ZPv)p zwKm2lWuHvjzgF_+-52fc+wHSkyg$p?=@8N(QeaBWKhx_zR!ZpjM)F$imwfxgfPslO z5~#|xwLEPGqD`6?{Umk)!K6v_13X8KwrZSMkt&A4A@gokh?0sbegVP2Z4Xf5zrT+w zvVI!+ma1{G@%?U1+uy3#m1X4l#I(-Y@F_8OCL|FLY+A&+_ywvRaqVBD|0WJ zgXt`)%v)H|Ees&S^9qT@3M0?Vp?nia^at1!nuz?bNNL~N;Ti#$$J>FGSh6MJRfm3) z;u(NFGX`qGu&@}m!3o1KQ)CFJ9*7;HUSM#<-~!atrd&gCoLCGgfDIFOi{e7_pF=6M zb}`wpB-U?|)S0K$vA`T7>;~?dYAh)LmgA1FpLqV=WOiHt4&u?&0--X1aN!+Dn8#s3 ziCAJvk-5Aghp;K;xAd^6_*-wkNx7$Lfq~`x=t;2;!r4G$$I9P`(&`(3%dyA1*{Gx~ z3|o~qE_^`j@2?vjrrIIg>+h$(BF;sFg?DmzcK-!9*~H79N_z|>xCLP^(F+UTZzb7Q zo^Z(w%i2ofb$e*YET8CRtV+&`NDT@(=Z@^AoO?r9va9V*TrnmRk7=f%AFnf{8huVY z1BU+aZ!g3~I0Q_LqTf5h^16nBK8*tuxtLFGrrJPVz$~Kd@JI_q0CB=zIensJ!nmiQ zw0rPEBK3MK-y{tqhvMs)diPoZ?tc4*W9umDv$mh0Gsk!91k{jiHK36??BRfoIzSan=G8z1WuXP=(d`&ajZe@~j_h>?wS}Z`$iMgJ6Yj zaABIts4<<0(PBP`Anr4SYNnQIH7#BQ{yga&}I`mAcoY`?oXwAtXP|zn=SfqvmN9 z`UMN^3X4(a-j`sHZ*om3>-u5bUptW^v1n1S*1WvBC;_bXScS=}A5`4Sj%Mf^)l&37aP}xLIqUwHLGyclA z&7q?fRSOuHex@XY#qxz^-(BSaNy|bp_o6iJ5V)&ff1O#zwf`(5mQ!kGcZ8!1nM02| zQ0uoJt3^9vhsv~kz z-|?%5XEgIDb+X_BYY|Q%cG}e)L3qMhF#m0l>PorHx=Bc*6{#z`HnW+*r>cPn+XsVn zc4o_xl&MGVI_SHnoI(Z6+Ku~FcVg*ILunQunC__+#hHF`KL^9<)XJZ$Hw87H)$@jk zOlqg8u6AmXgSIiwx5~Z-buXSpUz%<1 zt0*X^$c-b30}l&xl1R&f@}+8np$)v}J0jmbzoy@5s?-M}K6p5E$&xX$1|Q}Uo7o%4 z_4s?@YwR<2FXjNJxwbB-<-rT{CsVAUcpRa; zA3x~Lw%22SHDU)_Vb=h&?XUwXWI$0<2Q7$oW^o{{X)T1zuPM9N 
ziv}vYcIXFoVj(j9-LXnq%_z3+#Du@Cfe&It_$5cnMJrx@khrZR%@?gCZg#mXG9_q??igdHv?-?1Vx@udNN*l1m5= zo-bO@h4Kn9xTI^QW3KJrm7f3V-GMvPQ4Bq;E%j1+GxOH>b(MEmFz^C)m)v?reG|KN z!&o5!;H+$s0W^#$KJ_BZ>N>!C1$u`)4Mcv-WNr^R=r95od}@6>holCWV(@dH&PoFC zhYxrLbiJ;aH@mT0Ik0q@*BJ_^rjfEo3H3zMe$=ITzQ%hTnR@^U{ zB6l`VJ(=x=*V2Ot`HjJivQp}F3-hbi*a5E%y zgG-=DRziY1k!opck{Sh|sMG;71HJ{wk-7A|rr#4Le`LuNOil)X!uwaTK#yicRA5bQ zJLrkwQ+KB(tz=HZANoWTj~YE1mwy$9Fq%0?CMr;S_yBbetoj+^^qg-RNVP$5JL>FO zY^HM^Tt+4z5bpw*0`CSR(~)_|)Ur23<}1?U<_7f(kE9ByCxFo^w*c96v2NDGL>s@F}%-<(##%dXiT4 zq4h#2^Yy{ut?)pBO1y}8_tlEO%|UV;w1bMk&bs~-&d>h4 z&i_}+A_uoxA#)!WO~Tih=Th=T8o3N}CiU-hbW4Oja&sN)oa@UhQ$e-NkS%S1y}d5v z&-Oz^Cp*?cXW-K7PS!wx&{S8v8;@+Us!4U*hfbxqyY%V+Eynj{>ffsZcP49Cz8oPD z*})Cnf&P^I`dy^O?^6?EE`GrM#)<}YR;gujcfYrx3JVQ6x4Q`Z)=3kFO^oiHFEhJq z>i4@P?DCyI0IikWC_ZBez~}`kY6imNL&MgdBtDveGScJc44dM=0m*0|J{x=#3J|^5 z{{XZs0P+Qe@>(k6Wa&EuV)4t75r?QjIqCV}6?sC;QT$szjlAFda(E{|`&&jOti*}z z*-{}E*+6ri_n>bD5;yByEDrfnA_Ta09X?*wE_?tr7WWy3;U*K zP?MFxG*Osx`;5V?lF6Rr`7nUvrjFjMDaF(>$Ej&rp|3dFe8J_NCVf-Xm<{+j;xzpd z*!5m)R(6^?{>I{AnS0M5@Suo^dBbIZSN6|tz<30+T7afJWITfS>n{ENGxz5lr8%;i z((hPf9?C`ERS$tnIoCN|Y$TG0g7<`-))uEs8^A^Zxj_N?LZl*0X)37oA_ii7?39FX z>A|ny6&B2`DXjnf}ghu1~YCn$h(GOrnjuw2Qg%Vd1!IhTj1W1>UYi z=lFwWi@G{=d6YkXhJ?MHFvd=p-OFzKMWkVV4{XsBo5i~1u34J&QSs^C(mCrNC0-j`6khzW#S3eY6B#4jEhho4h6Ejkbi08%eSCiLVW6E z?<9EmM73mJ<)a;yKRWO0$|rdeBfEK?9d+!x4^<55fvF=L-;wT4_>)p0cCukHA~!E| zM7~!}^i2_LRPq0Nj?{IQXC2o~{lXvXfAGO~fs)Q?Z_$u}XPW63wq|9f#rRa41a5v( z74PcV6gorJx=2#xR~H#;8@1tl-LIwnFQ*U}(8&7w+cSX8Z4FRGZt`)J9`~B|MBmE^ zBqenD3q}cglr+tR$#?}o5_^!^^>41*fT$&(>Ge$B7(KO@9SCY zrkGih5H@g7$@s#zkh?kE)}msKTY!ab&cFPW&2xQt&iHM0zd8a%6ugZakYkZ~vSCf;NH$Vt zYZA2z6kxh0m$?7g5@&4qyj3(H{2xI41|GPAYjLS^10(XeutC06?1=jeRqbY(H%jAu}QM$Ix zOA`@H1Gq+)%k<+u_M&a}l5|&34y`s@WoxDByk6|Q56Jc4K5QdD32eB*m}93TyuAYX z;Q=@jyRIvc;QP+tAFY>lcTlCoMm`q6vD_GBi-T~{j?}QrxNP5yf0Y(t6NuZ;A&H#A&9*dWrW&c;i|r4a3U<qXU0oaab z%Zx@XT5X_|Zzxph`aqFd1a|_+(Twee2+eSKcYe7b28S*N=G+2!rc@>@h2*+v)!cbc z@5lSBfM_;xCrxjII3u0?d6W 
z3FW`828HkpaN*nDFs}UmRi7!G`f^=bA3}KM^N2j z6O2YgnSUL5J3x7j7!)BDFxOx~NViSSq=;_LXO^%^(l&U^`~@Bj@aOKSai**p!3xUS zrg1tP8GF^9Cfp0>nM&GfiMR#ox9QQ!V9s&+g)`*A6ed11AjrUsxr}S>?>qPfWgT*z zxO2*H`+>?(>3b)3>9q6)?6>nKL`JTmD2r%V2dofwz7zI0TeMAs6@cMnxZGkv!<$)N zKwB)79S4NynC$p*B7yFnKZjM#m2Xlmw|iPsl17L1rLQ&0KfIXlI?~HKn*db}iLd0z zDJ;6G6d2#licnQ1uLr|Q4HT%xMS}Ry6s0O9Peea>mv}o#s-U?{9kmUZ-6p=NqJ`q~ z2AgVlW{@+`>@ts)(kZ0CVP|D6dyMKJPnvq5^`Vma*^}5Z$Z2MAF|H+E2=;I_LH=LARrQh zl1hhk4AzLGB7-zaODUbh03ssYNDYVx(ls>0ph%~HbV&`}J;0sMcinq`xc48JHD|5& zIp;ag-utz=eP7j|Wu6gAp&2ZG3$a>-ec8~p;w+;?(NE25Ldsv5NRd!f0C|djqV@~I ztICVczaZD(QiDdp|HA^n_y#6&3L-#JfTM#vm8QU_fa^McUj@9Q4hM+PQ~80a&*CAx zfzJmR<^sK3AOejE;G8H1R!|(*U09PPFHNmp`&v0ZESk<-q$4iebl@9z2EYt{gB~c~ z!E^x8AGL*8`)Pn6uJL4!*)s6k@P$y*IPDsPL5mzaez_AMIROY84XT~%{|;g8$S<`?*Su8IJZP@D35+K)#E_MpX1#A!0Y0;6J^2U2<2tLus$3YY5seXQjVG1S zt`_|(GNf|(wV^h8W!uxNaz(&+?P5Dok0VSOj@`9-;Lvzi26fW>KG(lb>Gyp9QOCYr z)`aY0cN9R}WVKCtC;U8!8`nmXteNQ}fW!#(Fh#}j-%70?K5Fgp9Q`%j%!$vlUMr*a z#|Ce(R&G!YSKjB0ns8EuyF}&fZs0y46*{GGhsok7U#T8b{J;4@72W$F+N?3hJ?iD ziA_JjxK1XVEw=D*=b4@pXdt57H~;x`9h3(+hTBU47a-o6|FGJvTjLD@tAo)!>kQ5Q z&569o#(1e?AmSJ#SZ3-k0HAyk6vFhT&;;~_i-(>{11>7&<>fU7aL^me*#^cS>v({M z_=D~Q)DF4qV=x-jxkxb=gn{$F%1+)^f63WNeS&N@S$NnFq=J*{h|d|mOFK_x@(^?k z!bGcuo=pVzttrSMV^_!xsvKE%6j;W1Rhhl&;u2k?_m?DFX5=`aHk3;8(eZ))bD^6Z z?l&5-1~JUTt9M{?0GL`)vH54<^y0)3sTf+wSIUNb` z-!yC^xtZPU_U?r4|bf%yBo`@d_@YE{4iifT_@hNjBvyS{hIoK(H*Ka5K|ICIEe}at19@xcsz! 
zjK(iX`UdjduPpS<()4#4My%+Xm+GL65d*hgD*M8TEQ_l@Kp4D{$XrWK)}WMQ>)v@S zvs>+Q;rba(^xiAHw3wJXp-Tj=cb#o$g@MIf3doROl`h2z2 zZl)n*J@rpW@I$!RaLrxQ&?g#$S|0Em`nvtuz`dmG)^ zS45$;{ZEzod{u#{tv>Ns{|Io?cnFcfD!O<#`3QI^C8*r!efHF4SX;91N%&oiz4FO_ z^?8?X_6h?I?>0-+En)noT8Ha)TS z>#1tbyFVy~cHq%hb!S{Rdrac0I7zyd$*F3&)Oldw^h>TQSc<6g7le(gO zT$j5`8&J>6b|4O1>7RHal3D$cb*1f-A0sijagi4r-dROrGz_PF=TD1WC1fIOn%&+K z*#g$m&?!7I_Hm#S`~IRG-OTG#3tVV1LF;sd2M-jp zh0z#LyDlrb*K6{80o=(CyE07g*KDUMpaOcYQ-{cDgYJ-j6I`F!80P3vb9!4P9Ijeo zc-tFk0kn@8$$egt@2podu^dD*=EBP|^m*VL5b#>R{Z|W@0v|H8Z@yH?C`$dw8nEiA z_0m`frS{0D0g#^uWp6p{M8EAC)@7t~WK7!1PLWMy@@uPP>!3xGBea=tgKV|rhT}fA zuv(wnsstPGDq*F9(cdGj9yzE_-FXi)FxNa0tyZF& zDA^7{=1AujRc#d)z z5dKYs{wMRq*;kgP{KB-86!ZLc5#^0+5=fPcz_IPszT8bZuHDJgW2Q>=V0MQ-`j4*fv|WQU zGK`gCkQA8jU;ezro~``*u|eY0Mh^h7+SP z;uS{L?5q#hw)sYXnJFtD{0{e%j@7U}RUFR|%p@S_q~8nMC7;Fl_7WuJ=cA9Oy7@37 zTasI98(aZ@c1GzK3|y5*g=H7$&SERoD_}JZe{1*mNvrAM;q3ID-S^slXUqGfj*W?3 z-yU#drQ>fS)vO8i=nivA4hZuVtvUHBO_uP<8qO_7#@lOjm-!QfospTE3s?(XmPJwh zWEg{13=0mB?YTe;lqlr&zl_)==D%o7BBd3MIUNvs+AH4e&NHLE zCamm;+$(_Fx|mTgy!q@tQZ6V;kaEi%k2|X=bdOSAL(NYYUwjzCiOW@ge|316+!nglHdA z0g&kUG5xaZH=(jH;P3mWpm-iH%2yA`H>ls*LWNqWn$QAI&j5H!s+7fSCV^dicfoE^ zK`eFAf~26q3Fs1u|E_$IaXuG9C-1WQOuGdJvzsW&Km*4Q+7OxcD-K+>f54)L0QbOH zC8*y4A0L5`pDAt6Vo0gtJrThfL)NyMLpK~x=>6!B#la^{0QeJk8Hqp$3}EaZ&jin; zk^htE$0)qXuW!`xWPze}8|>GMDhW6UUF`5Y86o9#PY%y#uP)CxoBuSo1*;V)FUPml z;$%7>Te#Rao_pO}8u?D_^qO~-bc(pX&{BO<(eeI*D_{6YJ>upszi3#LG0x`ak4%>; z()0Pyxp3Mqb;j~7c|dFM?Ed>O(R~Yx$bdhSk7l~C(zocgI3{c*!lUaqtO_&KWRwVx zWGn!5j=G`EzU!ZlZgIQ4&J+9sF>-7ldSrwvw*Z1g>+`imN4o|FX6w$FDKtD*zd9c9 z!UCiwL}E8B=**3kfcNob;YWMylZ03=ZVfem(wa+_v8kqL<5(-c1!LD zV|_&Acw~aPvP6Af0*ZA*z8Q2#mO_7^2{Q;mCet9c<94AfB_0du#Lw4Uodxe6?(|)6W`v%H_|$8;F1` zvVK9zgAEFT0Luo{L;mY;=QzJoZ^>P+e&3lP=`UpfGY8VH5OGE5u=4bI=1@krW6`;< zutwe)8!$tavaWyrBT`hkN0dZcX!$H{mLhC`m&di;CiPDz{^(wbz{YM8ZfPH&FNj+} zKt!~Q{HP#=`%zq}JxY1@AjYCT;sz9HrQZzC?<;sdbof4$aE@YL( zj|DajoYvT)b!({v`uX3_zdd9MwEpM~5-)#kM?43g&H+FksRnre+t9)84RiO?(;P>6j 
z8qVF2uv2)m>YzY(F3xVcvE;X@;8{*^c_F^U=ri%!%%nPGTAfa4RM~+sb;r5=C4|-J ziEZ_fYAJf!CzS{t)r<7sPh&n)`@*z);5O4$(HkCs46sr?l=-JClXXIP&t1s|xFi)3 zx0swR^^cRBWN|}$slA`{A z@0av7t3H2-3m~~<4KxG@^>bfTvjoemJ+*}xBZvfETX3iC*ssrA-k`%ofSp9qjkg%- zGA2VuHy$uo>_A!U8Mi*$_;ZjBkK!s^-=|EJO)De2#pny}5w+i7$hFlTWS9Tg-}iBy zU{t(J``uaCRksmbMLkLeyqrS`+o`^>@N{;c-(MLeJ@;jsHJ~I?#-j74SoP_L&Z^yC zbcw8VUVCOMZMa?V&YtH2`l{zhoY6+&G@t*S*GY$@X@qt>FrGpx^NfbDhMt6a8nw$tj6%g;e(7(%BL(V z{muKh#Pae@bJDGjO|!QMQ6}t`BQi3+tK>CnarWO!j$ScX`h_^_mk0$$I1nuV+xAotgTiFji_(wz>>sy>fF2tD zOk;h?LQUQ)UbAxEcXM5rjpRHZ8u&<I)qP-_%hD z+=Ablw&=)sbNmyus)V0}uw8%zu8e(hRWEBWfv(NOus#-5QKcjCwAn7seU+1p^S2h4 z`djKx`;P;ZM?iiWE^eYH9f-elG?eL}@U#a11$g@0n+^Q-^uW~lN(HkoRRX%^W%$Qx&=-CQwXq;g!AFh$&Jt8fuCI!8KR zI|*;Eeez%5m(%U%umIR;P%UL}qO8w9tE)2}020ua%<*lIGUX!C>@<O-R?A`ltW5uT4A6E0^snE;1KL+n=884Ei=<8Wt}ht zhRtS(Ii1v~30x@cy3l3!M<~R*FCgR$9e)Sl7VcoQ+G5UA@?N)PRHs;`MA#M{$=y;} ztK>D`?0AwXKNwzeATDwk9u_&Oa?5vbm_J_VSi5?Fd~MLZt+bkLWh1EFAWUmbHZzGY zfUZZovTt+6-w?2WwdT4#?l&ViGp4lcZ{v*vtYHPn$$?9D)byjU9Lkstd&bv!TopLv zb=zwX?wK3Ms7Jo32$~%Z`4FfeAfl{i9zn+5W2OId-J!*>_)~C@P@O`LsDntEEtb>P zxNqF?&TIchP$rcz^Cz~hV6?`^@gxZ9z zY9c91$M6O30&_j)u_uPZTMFZ=SZhdU2UH8NpVWujhrfXu`3vN^D946k-!AGmCmhP3 zjt|7@ospL&u3X;m??xF>FA&@NC|f2MKRcrLr6X_IF*bCpm&RDbRM4W@7X=XLm*i<$0F_Hcf^`#ShgiVIJC zj`>ndG9;ZB3zg4q=GBEMP+23fXr(}PP!LoauZ?CwLv8^L86G84-wUG4ieiyhHN`XU z7%T8w1PNq~xO%Ob{1Tu!nR`M7r&{b2eKK+E$bKt;7*4lGYG-sW{%oX&S~r@V zI1luU>puY$?D9pM)tjXV)Mkp?NbC&fDPxsSOFWzGUESPX%1N$%i}$4t@WkK)w#ePY z{%-t!V)L~)($+CtT$<31oUjl|6Byn=bGF)SCKbOy|uDN^S^ ziYA{JLBUa6YiIMf(Sj>F<_v(3OgoV!gtCOXujyt zESLJtSOl&9Bv4HAXKj8o8ftbO^d~MgpQ??HNmyqoDO_+SiHU?YpU#KV~UuQoD>#MNS`-+{-Kd-Xm9jx61~x{a4-e1DR98 zXWDi0AeTpMuV=pgVe+MUpx0ob{VK}d{yP3ap5^ZozWW7O=LZi-@39)pD7F!Ye6IAz z#eXzspEQ&Zr+ZknV>*KUrvZtH^>(SA5xDs{AKpBmzmQbueXbjJ{r_lmOC&vQtYh!7b;^kkkNM*?tjp| zqq;r4Zj-wkI=$zQp2fDErfWC%$Tl&FJ^n$P z2}IlQAm_o*lY^X6@s&*UD1ji5ot(hxJ0X4cL)-IoEqWT@>w;z592g2Mi8{G9J2;5l zAKFW++echX`zSnCnvR}~XRfPUCv7}l4wtic?^bdKXrsN6J(Y>jDS27+zl|R~a`fx7 
zyyp_xyxxVe)62k5^|TyW9A+B-j8A22Zrz&m;4Um?36^(#`^XKe^mE_r$qO&fZEqr$ zOKVy<{9naD7u*c}<(y=!Z&&5mYxi&Q?xL!Q{6Q?>N!?m;nl>imDzpq?t=bUgKl3az zH_RAVyrDBi%e?VJ6`QDXXO!!Q@-T&_VEn?=?U0O5i;dcJKm9fv_;|b%ONCy%$*Z$_ zDaBCOd0hkN1ejY@TY1^*eOX$t^q4Z9LxPvx@#>LQ;&Nm}3f~P5&<4%s*MV#ybo&BN=FL(GYa3%8<+_6j4RGmT4S(o}KF zMiKy^gFl}BLL_)c7$si9ceo=z26<>prWR zLwtrzM$lf7rd>t0RX&&D}>)x-gvr-x8%lae+LLY1*G2Ppb)ZPmP=fvdQ7K01Hu<>8!9BgvlfI zTolZ8HMWs3+=(xD$!%-0LY}4NJV;TBX#?y)Q+~|Ie6}T@8M*&ut@=+v+Mk7@^x~rs z@@Zou?9p$H>e?1-WS8zMNiGW4voX4W+d+=gF_kgz9=)FJ>Kng-{Tw^^Fn?Fu$Y1{M z^JgNHLpk-KvMg|1BbFnK=&r>-9h}#+qBNS9tx|pUx9q55KjaK8qhj}q!A*!Rr_AW? z9+qmXM9Xbt#xHI}G-yp0&Q8%kUGDcc^B{f2r?@)Lc@O-s`C?*wj5x328_>Gfd|(iD z?&eC}6WM&h?n`yTdHgI0JJ*(kp9Q$$pU;7uph#6U^n?CoWD-l!o{X z`Y~sndtu$V;I63DR*lddU_?Wm!q^)jq`7FdSoom)v%~MSr~{@OP|HIA9WcWbq{10Q z;MoM+fLH;I0Ayb^sXDHogmTJevCKWtc3&2+JNk-cVS?Y$-kAofQk@n7#k~l#=VM(2irL?0n8XggOJ#akgXUb2HrU&!b5%mjE%`PFhXF z&il!i8nV33ob`UEF54_#tZ8fBcRnyFbkTt{4CnbY*+O+{O+nHIB`V!+e&9##Jjvu*q+(+67EjUj0@+=WJ{y)PsS>1j= ziTTxh@!7%Zw6-Y?=#0L}!zU0t4Me2VF+*t2pClA{fp$>h4CeMt0BNnN$DvE$FyH}F zdbHpqDxQ~GU2lhs-qjEl)ph4S0`0o=YH1U7jBdoh7i;bqBtVWpETau6PEEx<&S>^VEeZ!EL)R9^e( z*XR$8pD5Ib<51y!INNT)mhP}p_ZF&zAw8YPdR4r8yGdTAygGLcfN4zPiW!slzykjSWltrR z4b*l#W}lBz$>RE;N@stx0T?d2m(>42eDvr{RM%>$f7D*FLk^2A=BO%S?Yq#3i-#(4fn8_uDA-P=d0p{)duBbOB=5!r~lL{^-AD%qeONdYE0;7Qvik}xd1cnxu z@(a|fq8_&!!A(&Y@f%g%j$xF&Ng-4__LCTmYCD63e5Xm5?w{2`C#OE~A8$Ch&(Lz# zN_>80H;Qv&Q{zBO=%pgGcKI_qrONJe75#nmMo{wi4{TAfhCgG1w93J>eWra=;2(GW zfrpb9%f-KfPPkiyB^HN<+#Lu*GD``3OLyP0dQV)R=~2~WClon9OY(D+e4Zkb9F5q2 zQ@D1+a&r|eJy&t70ojJtWGh*PS5uc>{;{bw?yr-G2bZ=v%!ZtfOvT)PpdjKHc)IQH zMb~3+?7?XCEQ&advp&xW>^uwTf-qdl1x|mCLR&mmn@gfIrYZt)#88xh@gQ!v?Gn4n zC^98+o?AeU-z>{>D+j082((f3W9@B)!_)OtfC;pgL(j!t&QjILd&!cg@=6R+XH8@| z24!{L_etr{d zOMU4!BrSCUR$!=Gi*SGkH31k@jhnsC&{2w;zh(!q9y#Qn4iZs6>1@r1rd!DtHU4*A z>$H5aqo3@P)}>nSA{#X^Ec#h>&=8X=7`W70<`} zNp0dP7h#x_u)i1;QSVOmd;PU?^6~{vCpXh1k&(SHVhb$&o)YMwQaI8dMQjfsdOg1S zk3X>uJCL{>Gi=C+Ur-B@aI^s*7RNPcf1#)hjt*058rS<8`Yob&`EsOZ6H|HSVw*5a 
zl}=Z@fSTGeT7X1$ORYS_%-r8mFi7gXiWQ#G&V&Ck=S33(^GlD#>zJHUJZ^a1SbZ7z!FB&D`b zKC^wHQzvFv&KZM1J~QOs|FrkYQ7dw%${m8tMSSqMGyiwx#af+;DjqpyHSmKmXq}Jm zhwhP3c2nKEIPfXQqw9dOSNHD&-;LKS$ zy8NOO^DyPp8Zt-t+rEoe+Q;8kD6+sckTTbrrbph?GuN-LnfnvyUG5KH>Do zvd!gH3X3!NuYPr2MTb@c$S0mLE2D=LW_F``_c2$*AVFyz@<@+Lx&~jrXv}%IRJ-ZM zm7)-{tejRPzxR6Pw$@o^XUfTc$k#LRfF(vEb$%78gK-z^cM__+5`H#iN$-_lbDu~O zLl=S|ey3k|TUH`mFXfc&ewx#q>|xI-XWH@=jb2(mm~Y_4edswpP3;7b^6r3b8UG;} zca1#-ix83OiVZ&PiJd`dKMmP|J;%|u!P1L~(vcd^bp!DlxVd62T@wkPqF^dslla>* zL>Y}0w>2)~P>Likb+kk*3|^>lDsKt8i7hYN1z(aPzgCuop2&IwOo1fooxyx4>zsX{#q+J2qLMRN*C!;9d4kyjf_IK z&E&iGXNoe{2b@3d3i{JwQ1~5S8q%efVf^8{^A`Q1>N9|6iyJhsw+A!s?4*Z-OArI^ zV+mokla?>^2~R7_l(nGE*-*03ytA2m!8hSZ0RHI4s~J!ysP~2uD|t^bfjO&zb{y0z zm+dB1vEtX{Y3%z;U>x9N_YfF%TrekNa~IHxWs}68J~_52eWDX9&*m*>R^SvU`Q1(W zAw{iCUifP16nViY5U(!$XM9qeRcqIh?rcVEu%kR!nV5g=sTqyqdC`O@XZF2UrFZT| ztX=2$-H2o8NFpToRV45)oOEZD7^j)v$j_UK<>+i~o&8zkZ1Ur4xy_hQsN(O{UpAV| zacsP<3k|n2ICojo=$bAQ(`K)1nwiHpPPt<8J1#J~!eTOKbu1LaLD$(TDo1n+RXG;s z=M1x;_iVx`Vg&QG_iB-14CZ;TVONn)aZB8vKoN_t5*a8m)Vl&r0!;=U)=wu-IWSA&W+-iHA7iTFikCnkyAS2h%lZ`gSsQ zjE9-RPCF2{$~Zd7`c^;jEWVO6dzvxpJteXU4~I3KY}uRcr$$kqX;-{)+Eb;I0;q6_jCb9c zy&1prQ~$v_O2Q&sc+oDW73t>DnE=PQm_eV9LcWyR;=9B@f`J^OFQ%bxU`2r zDOVv^N7OQy{fbeClB?Bra2vEQ+}q?1nklcdy~X}|jY!q>M4W1jv|_t7A<2uq>&ZG88?!g#PQ6)Rk50OQB?J~2rY{tCI*boiK~-aJ3^?6S0bBJiHX z1t5A;l}!J$dd-Ed&V=9R(3-sxkx6w96XMsm$MyPW6$wKViU%33i?(lW92rd~$5izE zpnNF1r15)X>#O6>F8e^@=P@nW30p?MNR`Z~33PP%Z>Kxk&5Y0AECNmQ8hNl!pFT`a zIM;SUx0c#_`}2G6xioYoB@g6P?i#vzv%!IWA-tlFpJ?^LUH1=OfO=G}0`(m)7p@MY zb)A8(iYwn&{4gXn$2HjV29M$vvm%t;NW7?sQV8@BZ4uJ*Ic8G?*;f37`X{m;IO2So zCr>e_IBV~*=o^YC-(`fL#+UoJYG<;p2PBZBOCKQz&H$c07 zshpN|ndR^Mm5$vS3+L3c+LFq@`7fsQq!K2y_SKsY)H&$3Dkx+`QpD}G7DX9 zWB0bu^_%vciY8c$m?T$<+3eaI$%F{w&Aoj;H=f~T0raBR~voR1u^I$?K0t+AaR3H;KJ=Q*eqFFG$f|ikAk^XqNoK8EKZ-#HEVI^f1|? 
zE1=H;p8?q3J&Z|}o5*}_E);%`U5PP#Q!BKqlkNHI>9u%k(YY~7$V~RNf5%7hpnnw2 zpKh}bwj`w)W1V_pzrRgR;$=}g0sL0p=hZ!3`=WNhF@4>M?KAME@fVANC+$<4KEKxE zDTOLi*)3Bm*k54m(%64VreKfgYPu5jm&SO#*RlzswiOSrmQpiM5n>7?Z^oxBmhETS zZEeC@7vvx>qwmoVo{s*>(Im^5Ah*=V(X5oK@;%LbG8Px4)2#gNJ}OD=G3l-ubtw*} z(~!C&h<%aSX|Si%Ys+oVqpAKStP^Rrf}2}EJ3CZ-*3p@Zn8Kb;!_KyPVHe?ae{oJ( zB++G*#^%xvmNz`ugg3RpKOew8=tTi);3`0fBoNvJ5TL{dvD{KMRZ?6bOp!;zg=085 zI5_snAiNTJ+s1Tsdz!aM({(qaS)dL&o&a*2i)5yV8OHGF+|y51G!HIW>q^rT_KtHg zH)SJ_D2vQe-h8gFG^eWL-l}fW^2H=!h+G&27_16scaDrv0nW6(al@7y;a!UC<^*U#)q@%lbQ~3xdUVS4O?|w6!bII)D@!BKp|@zED&l z742ha;XwO}`~xB&{`u@?Ovm}M^W}1s8KXB&D=7?ArYN{f(rV4dJJD(tKp7=&W z|35H6gx_l8G^*7;&EiI|4aoknKdX3#*;_#_kzNX)2e-J^Nzt7PHzCA3V$T(c)IRIi zc?_Yjb{E3OxB?=P9We|QWhyT=3}p*m9N40*jLq;_xeLG?U3DP{1t<0ETHOn zWxVrzTS9`GSBr})Yu(biHp8?;P|6+0&mvLTv5pci)^3z+vU>Lm{53$4TCA_b-?TH)?nPxa4X;#hV$7+T=hE(D^!(^IbxiwfhZoi zdeV4fD$FO_P<_X0L`_ad&`WzxM;pNO2*T;xHgesz2m;Po%Pu#x+QwoEkbH!*2Prvo zLIYqLWG2KnP%mcxo+KA11=9dw=^>w?Dn=O}qO<|}E|KMmvg}Ci19%Y!z@uogX|z8= z-Y(ekMbKZIf#AGbb~`D=8A!Q9E##$iJHwinW{2FX=%szBxp3C`K&XZlJS@xkkWG6u z=nUZ6GPR}%5D)7+>L-m=Ko2s8A|KQ|3+nX}kaYu*c?sg|c*9n2$I?{n(l_&}0tl%l zeRZzAZN^mwBu5?tQ9kp;D8H93Qf*{oQBQQ8gk(oa^?Yi6iQ8&zWSAvw!U>&O#b@d& za8ya8l@)3TKg71sb@SFGpEJYN;e4qV+d6SZ_ud>c9AU39PrWnLYh-vb#e>`EOewd{ z<$RYI;cL~F#N@iy{7(?~6#+M5^P^1IHayK+*bqPN&LcFh72*n{ea|OnO*2X0h<}-{ zH%^vbP&54bufCz{4{ZfDuxWRY>{zTcK372wNB!nEC(NQZUcy4-YT!3{vCG27-ct9H z-fM+`?^hlb%Bu(238W1V|CgO8QBoR08{sNX!bO()_brEs`Z_j0BF`{+DhXPr!h`)? z5FJ!b0B$ab5Ga^H#qLTq0(?mxEB)xqgA^uVZ?`Wa?iJQ9KmmX-k{LQR2vd3&I64Mbzy{+E{(7jg zY(mW9sihMLYW#jX_g4X&i$--XXD!Vga)pt{V;pqugbe}Ugj;*Ci3TkpxcQrM(=cza zCJ%ARF4V=tRcoa(&gGCJ*B`CY{esTy@*pJVQjxL;5pN=oPYu}fL@iEH$-+A^Co-m$ zKQ|0})rD!6V87$rs@7k8O3mq=#mf@Y8)Q}H!Ur6_}$kg67In;D(dgc}<`dsC> zu3zcswcx(8*Pqy_X(m@?yQ|vs42K{1Z7dU0ICn-c$%Kb=R|@vb+& zr+Dz>Dw|))Ct00w9h-&{b%VG%^0IQ2c-^2!{Og6Dv6m~)kSD8MC20AE?mSVGDbY?> zGYQtzN6~4#OAQO|w#N$|Lc0S|E1;eq1rOyuEO4u=i#lhX?2S5c9wtY{B{!J>Gm(wX zmMXizm|LxsDemrLRyu!k0b1zcG&y)*+;k#(&VLq~V?@uiQuDc(83tZHha#8&lk8_? 
zvFWf6cseTg`|?EqYul1Ze?mr*8p8_0T^D4#v5Xnky^tQ^9L*?Gpt&!*950(zCsAC`_0J7Jd%J73p1Q`(Jd zG!FN5dYjsDqA5 zsbVJX+&rUb3|gqnJSTnr9^7n9QE7ooSYmo4@c%PsI$D`A=q@x77&?7bplpfEN7ypqmRuYcH=g> zC!9}Cu9FJ&DtS@Jhnf_|m0_Nbv}a*#_A8IZA?GC9fOwBwhL)M!=W!dL>st2w0!|$- z<9EUXclc+|#5RY$*19<0$=r6_SRR7ehfRu;_}BAHR4=%F-T#jwKs+vCm3-l2xYlNuK%*iG@Lb?TpiFU=M6$ zC6O%k2b8+hFUscW)EyOl4jtNeFGz2CH&h!L!?OqlLf$F@D})qwG$PfG|?27|A|ke-s-_^IHEM+ zxcFW+mda@7T069gsf--m|9+K`^R}Z^VKuPW6!R%JaijI(ZN~dQfvFtK*`55GIn*tD z!Y|f&`+2yEX`VZT;Z~y5H8;&+>E$uoW7R)OO$Howqxf!35))qX`(T&$S3)B-Ggg3Op0Q`QNs7GEtBdghRBrNyYn#isAFYCL_e+n^s z)GSw1%g3m7rL@`8`KxRh*$PNfxmxYk5G%7e;>VE&If-&5UPj?Xe#w2n5}cmC?#Zfgk=)$M@0BN71C0 zfn8$gmCvZ?$#yYX?waP_2`FHm8=r+@SwB40Af5ot#GmVZyz=`o0eRQopgDl1f85se`*}$9Xc1^Vh5_{%sw8 ziVOSLSqUkNxBIDVWU!%z+19gdC*tYP^qbc7Mv^tFIuX8vY{!kCd|lI_5q8zQzivv+ zOwm;tDZv&nmt77p3rY8H<%tp%JS%y;RbAiv)KcS5|Km$M@btJKvD)N*&r9O0_w_MX z944z9nLAT?z|~+y&8GMF@d{jPZ;qar^}LWPGkDo%z~w{`MnNH^!c<25poi*UxT1B66Drtf=l~-TW{*pIbO&D8YjgcP-_PHYI*7(02`rH zL$tKG8zN=WgM`2I9bysyM|OGC9hx~CZpB@~BG3CwO%&>Zb@9&9Ru#rA;?^m-SU#UO-yV_+%tY@O)gcP?6MPO&Pb?m_%vz;9ebwb7&aro6zzQG1ab z3m?pO?Jhs(>TAo%aD;1((|}<&+28PFCe_`k4P0b#MI^N6@s5VgZ6nfFO$oNq`{1-CaTm z?he7-B|v}#4-UcI-QC@Nad%r}S!DT^=e*Z@p6~nz=f}Nfwx+wLx~iu8uDfQ*Ic)4! 
ztqZ;T69oEmGp~4bg3M2s){VEipXI%mmO=qb{esS?24>1nRHOH)P$8Aor?dp@b{L_k z(1M5MpfahU-_;lLddNR}|K9zINj@~{kyfb-ges@p&qbq{T90TL_*wj0&cSFq3UEen zf8Wek%piwlqwJ#VXAkUpJfgrI%p7xPy*(y44Z#M66UWSWl^f*m|LMKE$hrD8O4*1o zKWBxYI}BI4W{@M_t)o=B|BXr`mUvK4#1CGPayCt?E}PHFIi6!!Gb^#`vV0;hJF*R# zJt>wmXpfp@Aoh6rtOETV(on2IPa}BKqws()Yc$=jw}7TZlJ^sBnEq zo)F8U?2eX^08FnHx?D^|%0pTigkm^;5$wJq*j{E)lR=Fsw&D9|J-un4%ODCSoT?uM zYhCPKhT=NI9K41sEfBn7E=y9uvKIKcV>o`$JffHaTmZ%c;;|`g7ik_!C+{*%Wb!4T zzn%-;5HxRr4HtmbmE?Aa=(8Ll1jLL%WJdfKza_2g7I)Xx_DY52Bk8n@$gRUB9ctb& z+C~3i6E9|$-Y02;_=``E=2sL<;cDC7_bQ*GGeNk};ljBCnhZGjY>)*3NivEOgpM-Y z{AqI6_s$t{PrbQ3qxC?>2lKK3-`^d3#{9{mf3=T1-KWM6df?yT+FqiT(O50R;ES5&LuGv29tLgc)6_iy)2WUsDYsv;yO|G3$+elv{``U=pDz7&Zk|L^{4qt4_E$n z!;f&N&>99iehEq)rGU)c{@8%3bNUOO;XfpYPA`61u@W0AQoi277&d(q?N1#Rk}0-LI_xYB=8NwO$5oq&u#6Y z$LcXF@jKxO&e70(^uPC|-OpAHXGPgqo1iU!WNW&+z~`q(`S+6&V#%DxLcL|p=aS52!uxT z?ngGl@di|2u8aUqv%h!Zf4=)p=*vjMo_;9b!}qb9`UWLh)Ap<(<0ks8N|AVjtvsmB z503)j^6-ZsfSRU!h|LUAYsX|4LaSKqWrG_SW6%jy$Ulr3}&?Y5nB-V?_{ej)?+9 z9PluP@h?LU%IYv#r5U?C5fQZEL}TbkSr)D1F+? 
zJ#hkA@Dyj+rO$geu(Bg~G6SdSsUz6=sV%MuJf*Fev_=+^zvnJ+;}cw5zFr2y7}5UH zs0H1--Q*{@1(5&)oO<9HVo?>b&J6ZhS+aGdka4c(YShFof(S|1uP7xAc6f1RWW5`F zFT;OAF#7wuWZq~zKU&_FmkqS!Yfh2)&Ld@fVZ#-VTcl9o=KaB^Wsg0uzT@F<05%06E%*e*ljLU`)C+=f!5rr=i-;@9k zTR*uV>PC)V-L47l51{hHHC1}AouK`Nus>R&q_FrN$(JTMp7`x)*d=UuU$nPNk85_h z(~YQ)MSd~6kGmMcve^;J2Y^-?6-L$`FY_;$5SlKUl1NO>6$i5BADih(HqPHZ^a}op zq;1G;mBbd9lpC2^k1!X`78>V4XXd?D$T0m30Aw<%tORVplNgh9KT^IZ`vQH`8PP?+L(V?OZg=RQ&Yk2g{3X6 zZAyQL{Ek#Z!&Bprt%_)&k|z9>-qD2X3sD_PuvC*C+v0T&D%`)Q^5N!3gT3#=*^C3t zMQys3@o|BBb+P2bOv#Hvlz&&@z9SB;J1M_0uD7Wxu#SR{EmNIJ8)b9kz&hPTc9AtSLPb21jd_f}bm2(-H;24~v{%~Lv&tgpw*0F{m5=hIkTJQ>qb zR@nJaNBrH8s4OdBSz}0bK1*{;#t2?gf8THphL@A@1N!3d^4{s~r65h^hLoR{PYg$t zJO}A$4ABIgJqkH-!L6$8b5w_QoRo4}ADRxEZ^U0uqSKKztS^D^_4TH~wdD9DCx8n-?5m;1+Dp6CO!KPP+RpWzxs|=*omLv^bXI_`6#&07(zw=--3G_;aAqnd4Yh*-f%L5ZO*VHVl0i0L-vuO4 z=JDWoWsr)=?C#k6F9VQ5$8LlBZ0k7wtd%AWwbT#n!WJF>Q7#j%d37N#`Gle>jQ58oz6#;H0hUw$+xKJ$w*^= z;(5LXsKd}B1ed)R2=VIB2By-i0CQ2Z`+AN%y=O_%&9^SDYP=TKt{!{vK_bci=zYJ~ zvmD`-7}#ldks+A(wi%jY@3IP+d6&Eu&VH_3$(5kt7$(`Mtrq3RsxG8ooX|ye!hjjM zG?86I9_0YsAy|;#4tRe<5pyxW9e*KjjxFJ z7NqEaOL)0Aex=s6Aml2|Y80{n-)`-!`6ze>&`^xDfzum#X|F74{xi`Nnpj)TaZZ5G zC4SS@H=!;RXArI#Ovb^D0&eo8YAp?41!oPIzB2 zmk@orzW>Zg6UaL9QhTe|rTTdx$5tKy#O8BE3dWz3D}n72(~zDv^>u zvdxJaP|eT=H>GNMe%Gmc<6`{Bq55VD-eNLqCKAK<#&^PZIff;PDt}6H3-Q?D5m!Rd z3QS|OMT4b~o7ZaIdBx?|mrY1%PigC6YZ1POl;hPzkHQw(hIUV1pyhoJGua;;V2FC=6*Nr|K+LHwPVFaV z4=={R%uu4PGh3w7vvTBuX~b0ZMI_AtjVfx@%ja8zms=1b2Ar)~6s+ij-s!S>=3r3l zgXix6^qYXa~KFa|7 zE}%QIl!g_U4K+i(i%s=||1g#0XZJtW>J8j;5H1fa^^5mRE-jGXnbF)?peQpg0iPu| zru80uSLs)k(@AsB6Wn32(6F+J)*VRGX5X-^9(d<2_~-d0NcShNp6j8HTQ?+MTF~v< zK=@*XE7KKR%atY!PJ#b=hZ|rg@*VE$3kuI(+vcZbqSh)TN6)gl{FU|HR!JHWn|26I z0EQF#(5b$auBt871xl%L?2EiU_Vhf_C)?8Bx<8mgk%kC|$ZDQXkn*pmt+$U6Bk4#;S2_Eq52y#jxDj-|>?A+ht{x>L1<>ZX0I-&#g?`$*Y_tDS( z)pfEjRnO2E@H>%v+2+KQe~KFUkwhlAT%_0Fq}F7JoU4xIBcijLuiluxgj|2xaArT! 
z_%mGC4?E8(GquicnVEO`K&qiK%P2f(HJDpNxCMeu0Zkb1e2|8bo!wPOHz?nhPJ%+` ziMDE#8;yQ8r|^?Jss|$dYo>_MtH%51izMEVh$KMy{_@@G8&k96EgCpP>d_IH9&?2qboeLZ&j6jpXObWPN(C3ML|!C$XJty!%pBYPDAW$Dk6M$r{l;LyP_Iu z!`r51b>@k6Vo{c!4(`qo6l(J1NH6=fR`p2S-6_ng`q#`H+#4yt{c9-hga$4to`j42 z0AzP}WXN?pXCW6Kf32Oly1A<>*!{S;jqqVDhDGULSa{YDO=E_IH zEDo^c@%D4c*qGRuRc5Tj-cMmO@?v%R_>XzXu)L~hm6+jtsXCXwd?el)oZ#r%>zSZ- zD+-Ww@ReNf-KX0Ah8=uikRo`P74+bdAZ`BPshG4P*3;2SI4^X+z2k7Wvm7(Q=scyx zL5IZoV4DaF^pd*RRxnAgV|NzhGs2Bgr}_@-smgZIe7oC@XS%ff5l4g{WxYdSAeqS26ypcP*DuttUQv=F7YhxNVryI&E6{ z-E8VzeOr0CAS~v-I-6O_59zO109>3Vokn?-;oq5(M2jacIafC8mEPyp@c-p>s*^%a zr%|^if7&iTztv%x8LP1;#~t%y%X!QVbu%?O{>eb?naj23AlB{{-7H^ul@O7E8jT=H zChhkq#s{h@ARvMs-h~B&8-PPs3{f<*ekXBK!gV#)Mv-=577}ufgSZK25D;o0=ND`U z-bPqoG%&jth3YxIo>eN(f1J!TPgVLG?wm>t)SJ0pA^JQ#lTJq)^F5R|l`V^x{3nN8 z6pwT)P0zoG?Hw!_fn^{Zh1J|-g;lNeQGDjK;=SyXFt&J?w*gIO6{#o18)@4Mxuy0< z=#XruWV?$r6umAYu_oO|kpU|RpCUK}VDLZYN*JiJdl4FBN zJi2g{h9aI;JOdkIq?82AQ7xxjHyv1MS!{w39Tx-HB+Os{w~LG4LCBa&!K9j0L>+bv zmF8Snyt^^vEEm6YtXS|mO$MW&?L#Jvx6l>uv*v@NO&tlhNzZnAX)~L!War*8FS+@{I0^m zSEao()%}~|Q0)GplTOo~mr~4pgT(2B`)T|p=R_Ul;~s%z zldGzQ7&yVq`bSADj_4M;pPpI&noDd11bh{`WKq1F*H6u7WD2HdhB6?z_JekF7Z>?% z(&vZ_3Z+AwZd}=u-xaN=#r>jj{0}F?vIeG{y`}!PQ`X zITTEe9NWUAb+XWvSW;2S-|d1=hhFhyDp4~6Xod6-q4?4_YUEPj1+p>-sR}S7pd!|o zTzU(f@WUkpBYGP$Sky!AX^Ji+H=qsOq%)t87JfD~+r^sR@8E_FXd#ePFM3sO?vUJ> z6mqr(;`gcx86SFAU@t5+DUJJVQioG_@Jxd@)v2KpX&Sl2U)&^R^aouCkLNE9nlwlX zpPu!YMauD(PByph#uKnsFYMLHuYkR&t&cf_MB_WNz(NgJGm-j^Sfg^B#f7$6b)K1v zd}9#$+`xajD172~Rj=&U2^~0S^?x!lJ@D`lN0XN*5RA$>uLRK4QhmKxQ1M+{=Ic?H zmP;!Sy3;Mp>z&Q!rOsIOMhVNBXzBSFD8Ex)i$@3^qHf%#q zH$rXgIY3^X;-zlxp`W2R{9*rvFRy)7f_HJ~h{K@3gWJB^K0Zu3%XZN*2p> z-o}5AFM$F7BOf%kUh3TH@?Fnaxhb|>GHYGA{gKM}y!}h)HaR>PnobjpT!Y*&QU~7z z%2IIJS))E9MAoqe{Z{tLS*bRWR_2@MG;+voE0IPnUHw9HrQ7~(5W{O89ntGnfq0&f z;bbJ+8ywz zG@_5|h@r?53Ymk5!9m}FcKW_FAc4-YN3N}>jxn5%HWQh4rc%fgi^Xov{U`wUrQ&xb zT-*-|^hxOc;o$9kyVw5VveY*}fcO}<*bmskpxpnf#j>XI#z~joUAOhK`<@$*w<9hR zp|psJ){B^<{)cYrZ++|SUJIGK7UoDLY{j-_qL- 
zWCF2JiRY+JZq7P#uJcuLAqAY~4LP|BY+j*-{A))KSjtU9f#4wu9mn(xr3zH$alkkQ zsRz`>Z+kX&Ch=(3SL~nq*MIZ4)GHaXaRSqybv(=;^gCjZAXD(Otm~H{+^5&niWRPH ze2xG%r_EgEsF|LH@1e@xwjxv*>9str=QF=C4(pbudoc)QP-YOFAu&Se8!^a6GY{zK zP#AFExnIF@mIrnew3K|q=18sLg^vgt1%`K`dRIPOp&=&D6rHK~_p=D2c36NulR>RF$I7cVRW#)){iy-* zs55_-T3K`vQH`wp`##!0fj~3qus20-!qT z-NyyTqdCZJWp6>X^SR8w>s)-iO01D;)L<+Hp6yxqlfyiD`ikBi^`@EK_Sp#j<2(rM z1TMznHUUvipn?PA**OitP;C?mZjy$C*1>1HtE(WKLy`Q1clsa%Myn~@-U-2TSI~9> z;khexd;aQAtHZ5s6UY8#-dUU!_&zk8^%s>MGI@rEe%`^9IQAL;3mV0+yM7-UF^#tNp?wUHM!>Z+{fkuOtECw7CsUnMLLUZB^I&c!WN}J9}%Dp3#Hpd$>g&TIM^r& z3BXUyWVdyKgKK7oYn95?P;y#xR%eKU3P_K7uTtUht2oYuS%^d=U9hG&PQuQ0DdWgt zZPpR8`4;p8ObB#PJ(^K^jPjtw?-4_F>DrcjZ&~t-rk!3ueOa_^9>q+;W2gvJ zB2a8`91Pk`i9Vu?FfWS71joqji35l-_{OlsiginOM(RQ3SX4DY1lNK3`)0{M2`sm| z>5`iB@JC-4n?&21Y3AuHvE!XxrF@R%=Y?&fwOIYuGz{`}^yd+wKQ^OzO7TZJiTQ3N z^>z(>!DIeL`F7~i{}g=Y6mK)TM4CVom2P8juz*4(I8(I#b}}OQr`UY0P|Qc++lfMf z^Nry;i}S*DyWok-T3hKc#$h$q0zh-A#UA}2WtA4vpLgm!u7YQp=T849{<9Pb0G!4} zCUf0K|6KVdthAb)%kf?3td2~{AdB5p1$@SU%qZDHnS0j?nmUHLFMcJ6b5|OLp9LI` zr!YnpJa;QMCUST)s5O)`@` zJ3oE$9WqVD&r;KaokJry0pSEhI>?mr7@1Ukbv!x!#bOIWR-SCGbfMu4OK78JuIOi} zl;NAnMkI`O*qi>+rwGgo1=pOF@j*Tj>;PH7*OP zeTBj{lRarIRSMll`Vjn+Di04-y8P5a?b52HaLc7+C?V>iW>1%!Yk&(SfZPMwl~zSlY(bPBb4-* zu2!F&G{A$=;R4F-0BOgL6I=N)Gm|!v2m`Rzyk!KM##`=+hXPX<|1%$#`h|x0+S{Gf z#dIRQ^2dW8h2fm`zD0y87S)z~bRcm}WlYE8=HmhsVf8LPxHKWX%>&@m zO*e`=y7;cl&?>S%$@bTWk&+F#f3vfhy6!@5cf0`PNRa7^_4>Gj4-R@2UvG#QGbX z-M6BJya&j1`Q7n;MlB(LI5-kfN9q^UR)m zsgtmEQ*Dz@NLn_lK&C{+ihGsH`?#mV^@hW7|BeHkYsfVrg(xMejR{gowY!8iuCunO z1Wv3t5Jz-7wSnO62UJQ`{14N-pimF$Uos5r#~rLVHh!amcw+$2A2^!kRqF5_$H-Ia zmpgpvM61aBaEh%(-X84&+L`DoH2Eez{;e=lN4L+B9Op9jm~=R%NSgXFR#y89hNACh zdooC=&w`Z-18juoeuNj*WW?mdlX~pli9G0f`Xx4# zS=6vCqeOar_>(E#a2jWZ+(Fs-=$ZgD@yv~(E&Bjeg~2Uu6;3(ZH&Ti4u)X(woIF;+!xtFRAeGE-E{Y3K?qZKTA{*19hKu(#Ws?|c8u%`xX55;qo>*VN)Ao?l&iodjrGISO-VTYT+P^mWkJ&K6|NLzvHxD`^iFL!4 zH5nYYOF8>eUg}SxH;MXf)OYQ=t*&|^9PW#iC|z@I_Z>#Jh)b-2>G$MqNttEO*&FJH 
zF!n2jgZ$Z8rBrhyLMy4SZ(*Hw+=puJn;j#UoTcUUKj`t8WdwbtDS`e{LDKOV68J)3 z72~&?VBjfPwI}U`@g2tn5s=Ebn_>XDBjY6!+SbW?@0ciL^jrS^GEpB9uq1=tDbwcA zB>mK{7sMd(FJ#@{Xpgv2rqf%&?MKXqaZo_A#uGB*j6HL}WKm(zMfkkkOly zpOjTR2=lQ#4;%hB#P|Fgkcnr{Qdg<3ikXiVZrvHn71(wC{BEa*vU!rJr#Ze7C~Wmb zII($e%*jpAxg06?VLLP%p$ycCG9PStxBrOHRG(&Bg$Q=e<$s=Uf0(a4A8xtFRY7`J zTrMz0xYA18EnydHe&lALjiU#RQId89(suXAA|gUum1g_Yb%4RPn<7EcT_d?1&0LyS z7{mELrS*TqBR7H!9kz%Sxt%@>qH>90kp>apH%Y}~Qf^XXhc*7hSj7S?=UrQOZ5e1H z6Rh_3*1IF%dx}e8aO{?vQ}i(!JQ+YiNf$!*-Pm_Lvh>?n{zrFMF~TcLAJId}oMb36 zSY-i^;ZHVi5!40%&!vSZ0GBDR6dg0_K5oWl+u3Sje_I~X^l%gPl>RgIX5v2j`4B0jQgLZ4Tv^ljeVzAVObCB4(6EgpLY`?Rw?SmQW(BZ%r*bp(!1yo4 zqE+eP^2tv#-)Z{KX*zrM36Jtp3fK-R2!-Xa-Dl_oE38Ul_xY$7L0YNqN21UzN(C$0 z?Y{-=7qOXgX*X}v(%9LuF}dY`?(!FINkg~Z1i`KlB~!0NZJRbwudzDm1rc1KDzDDS zj(#@i^A2geOqVAm3*Hi3eDqr$)n5?2PMJJq+ZzxrHt~OTPF>#AQP70!*H-XrdKX@c z9r_h~xN1tD0M~uom6>Wyne@-%SJ;A;;5uBX+K}uDMduUfz4Psh=cKp(@tM@-~ar?fQZaL8@E#hq(Be?43sY zVnLXsZnwyAJq0P!o3RG>@r3&NDfyK9(2b{kZg=jM>Bt9cbgE6(O~Ts(K|bKQ-T7U*mhckhtsT-VRq?|hVpXV+6F8ps~h-r=B}AqQ7|37 z!neoq_{>S)ISk_Dpuq6z65xKiKpEj&(~wh?eA7CTiT@^e@gd517st)5>~${TT<@8r z;=tY?OeQ5vmz1v~T15>`p2XA=_@3lP|9ODij1$^WGzF7n(ne->lbu(3X=<9#~ z_h!l}ADEVtqOHU*{$I(jSDj%}gt$$w{;!*HkP@Rs!XO|v#jyV!#(zW^+P#`s2ow2# zNq!w7tQRDkfl$F)w*MLP|2%gr5+-FereFO39-^iY0@eQLAO{sJ+Whx(n_*HiNozd* zYx1vxMx`nHd?3kmegD_Zl&st^DbC`A*#Dm)LSX7*p_mPR|KHQcLE4vsNwFK+el^km z62wFSQ`i4rmAy%b>-A#nGL1F0C`70ZAM*?KmEgzL^3sw41$?=b>iv{0oN(&8)3S*7C z<0|sJb>rC%Z2xj+zh=hby?hR1d9eU@WBXOvr+wIEkmi+hk8=K(t312daaVsn=?}dg znQ@OWAk#>eGt7+}B1=$r|~h1{_>DjP}{3 zS<8gp6neGUMtcjebzb;htmr{TG|u5WdI&0}+$BC|T>m?8vEW}>ZlQSEL|GfRbE~y| zMEF}ZPvy|I1M@S_Ck7k%)E^GL7F+efu&Ft^;?nKWAp6n2Lbh68 zHL#X`?o!xM*8BoW>TL5qk~aYIH(&l@Sry!Rt9&>~ah*Kqa^e5-_;{`Mw0dUeep2CD zZhb4-xl7A(1gj#|D5FjdZcf8pI`*?8xFW79A+_Kg)oOXIyjq)%_PaUP*?3U5xP&p8 z`j$Mx&|1~3Ba3bOoUQo(Hj$nw?>Q?y#|?QjT4oX+y6<2uI>6^@m0oIK7&Vp28unlJ z-}1US{IFucwRG5&PnCSO@xez=+eDp9Fi20g;G(9x&;4&7M}ApY3e)Lg@ba+e{cD@) zc_#m}Yq9=YN~SBx={eWgdx{9U`e_)6NI4jFRcx%in|A0mES(D+@G2X`8ax6QE3k1A 
zac)L}mf~hRaCr)apO0FJI`8{WlGI+n+ zQiC1U!~0Z-S<)mCA2}$-8)ZC@B=%-UQ4=8l$=v%Z}dZDQncuTPI3Wfmd{L! z^_9M7u4l)wQ7(Dsux3!op-swvg`c*t*MeXsaQ@0Rq!hi@y1Mtdakl*`+#hBE>26{G zPRjR0M=d9M7cHu*lU@t8Ew6;lJ4)c@lgKbg9@j$`BKAL?0H9shuVj{^$f7!p<`K1r zDNA$iFCzxu{+eT%D=R&IrBl<@PM-8VcV7FFaTP&z;7N{TF4m=h5t$NoV}$Lk2_9DV zbMj^Nt8h*)ZQTJ}EQRKd`NC9lHre<$nbcrh>|p#(-_+ zmvTkbRq3_eAUC(RTq2$`@UN!oC zxOwFugX@rK^OeE|?YSzfb9wpf=RP0ID40s5Y;Tkd?Rvv;u4&uj1yfef zhph}|PUKld4b733VrIqSUcruQ?dPtQDNlB^Y?&WL9qR^ZsuXer(BF?nL~9M@Qam3D z0W+U==>>l?Ut{buVS98Twv6iTvp-+E?OP?fB$5UlEW!i;zPxj!Jm#2-+r5hR_i>L6 z*Uj^Hfo*+OQrNT_;$6Kq7USQ>jb2I<^Saw(@o#o_A2T7ZU38&2?87MUmXa-H>jchM zEW~+E<_+3(6I6QipA$AVN!r^TL17g2U09;@V-Dv&2mBXen}XlMrs3><}^1`O3;>Xr>jGjHf~owl*s zA3fpUvzjcVxFk(q}~GFx#~_eO+*OUzm2>GLPf2 zG(C+!iCK;;$Kt25Yjfm@@dTTfAD_Tda4oY^#a@s0q|ct!G0MxZ&=9?$eDMi9G%Cf8 zuC(Xh=2vq&k4z&Ew7aVpet}GmdPbR`M(kL`1zq{M);|AZusAbm0z^-?OXjPgPNVt5 zp1J;!q2a*Zdu8R}p)YTbWU*;LY0{#-im(qEE?5>d?b0#()^CS&V+nj~-fHg+`Q_gh#@eexf&Te83d4_sZwF_?AT2@D!?%_G&$q-}+WL+- zwYCppAQ-sJK+tHAd5ArX*Kc4o4wjvFrdVzpRkt+s1P+sM+>%QP11 zKPexVjz;G;sI)BvJi{8Oo~;aJyIH71LpN;Zq?CW4uhiKlUFYLCzabem`E1B{3~LGY z;ssS0e}ywD``fbpJyOd}QSSh^U%0Y(bfdc!C+|s#YJ4P!!9!9qQu9<4jkO9FW{z(< zQnc6Bf24UKl$h@+^J2g{YFj(ATU<$WPyuYMqX><2ah$6ik1w zqZSmajw40$BlocZK}Ou_{JVC;cRq;vDT$~!ygj=;@W9uAwa^MT>f76-RxYuTh%(mG+xFg{U zQW`>a%x2yz{CrP?pV>h+0n;M_JPDm8ndSrx29_u~Y=$brwXF4$doL5{oskdoi42po zlfTW@g+em9I>zlvvh3o=8#-ioiHTBwos-Ry)q^sO7ok)L3if|- zch5%GE4oM$&_QOiU!g&y__y_%6>WN3If^%pa!iPOY{{6})$N;%ll>mX(N`lY&QO7~ zbpK&d(sB_N*OiFisJp-AAD>5BKkY%;KkAm0k9RGbQXYHh_jtCrVyxt}L;e@`>AGG^ z|Ft}g6n4zozNYSN4}^R$78CB@151HIxZASrvzk!dWmN_edHT;+E66D)glo-4GE}Y9k17o_ zZ7I|2?|5?0kT*hdry(#))thz=H>^76rFW*OI<67jF=4edw@N)MI(JHHy&=($>`<~u zJ(PL57JjKUIOSwvGjLn}!9SmvoOzQ+e@0Z?0Qh9~XSw+AYYkDlo}S!(fAN#;cj3`U zllnJj?f={bwZwsRvPS9>o`2Ks);)w9WhiLc{@4?@rc<@%>lN7KVA@%HS~)Ynh!#GhW4Mcs5qes(n@m_0M2Vw5o^DBTMJcyTKf>20bRSOxmQp!NZKNzwJUY zQ(7{*s&>D4jDKIsdkm_ksQ7olE?`t@c{`{v_Wh`XP_oFzRui7*)QQzaQ~OhM$=!uyyYEWRRfrbv#+wja}ZN;qs4 
zA5CXJ@J-BEerkgS2b71v9M;IVb*nzz!Ru2C;a2WaQPW5aMkUqpuuri;uB`&EdehsS9Q~fRe)(qS1DvgYJCEDZFPq@z5^sBT5KSGs|#j~ky&mwhZ%Fh4B~*cm?4n12vCCflc5@q`7L$I8@gev( zd*$imrw6>-PLN@NTH053bT%Ri1i5us%6Yd^mH2Ykgk~IdvZPqTBe~qv=uw?gxi(&h zk4(kcT0~*?Qt6|AYD{!uk=?E#maAWjj_QB*J^ys7=*y_&9A?)DMl!EzEL0M*A!Y00 zI7+y9=F#C|j5X(|!zR%rQ%CfTD+Nxp4k98@r;X8h%L^$#LSC{((5%o=3UVYNaSOpVW+sM%n z^c%{;`DKprlpn*>S)GQw@jDO9l(vMr(%Hd!dT}d*o9BAKb)FNIt!>MAs^+ON>$jXO zR=8;oJfx%7llMuBxBhr+(!nL!*~P^l{eNn2_U6HfPRmdT%ml*y0-G+HXqKq0T zmG5-S=aHixya0cpQO<1(Lz(3CITGB(a&p*-d>e`RTT6c}=O))(r%b&{5 z;zy-+Vf594XAfa5isI?L<)?+X7uruhzmtqd$!`S?_53QxqhCGoRu5aTZ_Br(x<-G@Y50%%a`E_36WG7%#s{kc%;)QmBkP z?>e2vQd)QMapA`w7d5m@J>cs6nLpa}-_!m3+bbzxvGMgCRi)Nv>eNN!O7}Nn7%P1& zq*w@@FKgl%_~rX$Pqs9R#Qlp)BxACkR7isKNK)#!I=I~W84w!mgLV$;V+*`?$nL9L*ne%WD2VCzrD8aw(UM)fhdEuHo4|hWwB8K0M-JIO5_Etz z$T@k;gr@&~wF|lYCl`#sfD!3{YCKm;qZ&;4_Sw0Pmhtdp(wvwyGW6C)S=T!9)qD=7qdx{wdzk9;+mob#ogjZ79(H5)qo`{UsscYTz?``K`?k=P7 zRrRqYf9!LGJQx2dbj(h?qcR1J4x}!tro>fu(wVd1Zcxw0iLc(<@%P&8A8tEBjAvz5c|h7)RO{ zO}AK2Vg~*gmn+q@UQ^(!Y~uQ4J$t|Ll~nL!$C-gO#Lo%sEfy*SO8yVc$rF34F+b7QmFZ-|qw*Ij%0XJ`zv7wg8qaIKM4%kpPe zamSknax8MJ{3q2|uPCu(ywVtXY#@P1+?^rD@R%&Q*0ln0%KM!0rAZIIV zYR463OZk%ai6;}*Vd?fFx()`;9gv6YA;`8IdFcsE@ zS)w|>n`Y4MRH#s$LGAYf;&*}Xg2V&u9pw2HxTw>Z*&5@tQ);GgzN~zxJL4IODez0^ z)8*6FabH}>ty@WHu$`~#=JMZ}!3xt>-E(w5b0uA*ezGr$wA%qj9Wc`GvyXqzlIq|b zAwv>x+*-GrJnh+cS}hK6L-eYZKY{EJHZxipRbZCf7h$50)4<3!o9{`SMiw0sk*SzBC8;TIAtgPi|~4rbb)jWbOO z6n18mx*NW5!Yo~&PxoJVV)@lg!y+l}wUY&fv)KkUqnUvoL-E-OSJ3R&XACx$I(mxG z%N=W6;|@!TFY-Qd&NU}`;m~AVJoLcAD};T#{L?gZrv~f8*^77j4@%~ZGa~Y*X*BT` z=k_0L=2HyS^oR{AInNtu_kp$4`>Vt*hbu#QoG#Bn`-OY-*T5d`ZUuq-CKIkwTSlX8 zbz9T5T*_RAGz+~jQFmVzS08}HFa9IVv+e)rIpf`iTT3HtUt1l}=GVIk$JRWnfVx(A zR%ub7PPJthhlASRaXe?!Rs}h_Wvj-0Y}lm6ZH8x+G8wlBSajs=w1Mc`t zb=?tHy``MJZZa90AaxyC9l$j4GBnJSVronHbeqF(B%NIiksPs5lFhPr65@keR%3Iz zRBhrL5E@T&u#>aH<*Ri1$&jCoeeQ5leoRB9!JKN}*Bt95o2SaK&78to-S!I)=KLhi 
z^&RG^7tCBKBsmUJi1q8DQ)oN%oY^2z%OtyhS>dzUGC!0rj|)6+E|Ei>p0eNc^t!a@cv8#lh838Ha&vfc(zGFFlG`4!mUr~Ig~k(u3HDGKCp?zgk3w#c-!uhr~@xAWLdb#ijye;M%v)hZbEq`%a7gDgBzy_YNUFv`f z@>R`g&o`a*W{VXjRcIeWaY6Ko6%SCJ#=`VBgMy8?mDhjlHmV2B4joB;$s9;ffOg8m zmein~UY?s?a8z+w0AQApc()W#Q#fl_Z~l>EuVBLR|Fn0We@!jz8g_#eQ4olt0#Y|3 zQX@!_CcO$<5LAjZ1wso&gMffE0qN30m#*}ZB1Vcx69Oo(2_2=15F#~n&cyPbv-e+c zKD>Nf{IW8cnf0uB?(2SLa3W8y2v{C{o)U%E!-w}Z{G7KRQc-cEBWaAeI^r2ah|dyw zTZs{r0@RfTmQZnd%*wd8%Snx>z6xfmQ`A1sM4mQX>Us)uL`)a;37v3!`c3Vc(PI8h z+WA5iCuM!;k6xEC#>CUi4li*fR)fH1kpa6p&L=$j+)2w!K&N!Lk4X{+0=C*ltt;HF z(+IwN7^}ABQ3v3{k3l%p+i!E|vo2MfyR;*I6jL7fSh$#tW5g}(qBt?UW+%hzK*BJ@ zS!k_OzVHkhm7b? ziQmT!$e2*1`6I^%3y`wV^EEdTKCwWk&byl=rK`>|$@R$%o)Jm#!eqC6ttblG;mFVF zW?jQb+L_PV@oI)joj}-qicF1$teKW}t!t>v+D^nl*Oi{w3)fNF}^b^&hVmlgl*cSkoVQwvmqz0?0_32_#|bMVuXVy zag4$~t-dT%tGQ!ap;jbN!sL^`)fVZ4^U~gy?0gGEmz$}Q+_Qft-8j9f!{s0SAuqG0 z9j=21D~c49`0CHjHtcj5Pc%eg*&BZJav1Dcg%Xdk2TF^PvA+;exX*VMWi$6!iPFad zlI)k%eba}^)g4|*3Y~LWpBI>Gwk&XoA&ert(?I%}RxE_wUzD;jcgnS71ZFJQ%Ydgy zLqBR~G6>mDH*6cUDIwcgD2GVM^JAYLx$KoLKGP$z%conRW0Rg+$#_(OyDtDcC!W~M z(Mag|#>C_ZBJLFzj&ref8>Bjh+2w>0XVE9!Rbq9V``ws(a}e(7`j=_k&`|PHuCsaN>VF$Iw$Mah4^0FlCUvm3_Zj#jgEU4znBD z_%ud{(|AHNurEYGTooTC=w@>+>>DbriW%ku^5n_Df>%YUWANhK(YV}4nvPsUUtdKl zRZM50FYEo%w^AOP@Vgd2?W~jL4WYfcC#bX%IsT1?m+;5! 
zg3DaobZfR%Y)%1ZR4CF`dXnVqwPM1cBzK*WeG>F|mRYXFN3NH^9Qa8IE+0S)OB3zu z8PMOc#=pHEl@{q)!Z^T&q9%axxr&H(kz@Qei`8!#yEOq5g?))i!Wpu?1LM@!Y3PI_ z*y2gd0nBEooN4a~CHs`E*J)ZwHboY@M66Zg!(2pNOZsKWG+OQkOufjB6h_}pkye-2 z<(|blxFf#l8E@hYCCD$kIXm@lHo7j}*zbC+O?O~i#P!->H=*8hlBq?M6D`+be-!&t z)LMw=1am=SfqyLb-#hZX2|l>=ZQAR{mha0*hE9k~zit{ggA#pl5ccer=tv`s$=l>Z z4a#$1X#*!r1HqdwO|8a6HEW_E70Ok_5PePVk^+ZGfk$JMg){1Lk!kyVU-Q;yTTHXt}p5=iie!`3BjNow~WNhXjisk8w;&;bZGy;AzH4I9{{O7Um4OB?L4vWc8fexY8EXA zXBV~S9?A2#sDCu0&yXYdZEv&p`r_-%I~+t)MqBA;&ZR&WfDJ!$z{Mcp8gs1en_AYa z+am|B3>dIfK}j*&H>6+QS2NhX@2)rG9ZSlV2<%v4If~GDvQQkuGI#m{hdp9Gp*-3- z`vK7aODnA3&&Faeo!G!pqkVg&)`9}eqa0K-AVKk!a(|45XBNBQ4{H*#1|P>pMxA__ z6gj!a+or{gj6E_st;1cCzHCQ4=Jjr;sV9Eaw;|cXBy)6sXe6sQ!!!!s?%kXw6aCtX z5g_Z*cUN+IBCd51qOTD{dW@v!0v9@Z9)fL7CiuOSM^H5$Im)OldMXb7rU9?~u$KPE zqv+6c?-gp2J-QPs#)%j-AzM(iRGKAAP}Bn_32rDqolq*O`K105PSw_Gz+|MC3?hD< z3eSCTw($KkG*P{QWZdM&@oM|(?M&qqaO)qy+=Lg{2QJ-%xc!sOBdGxomuq^~|9==c z0OnPfKyTa%b7^M$`RU*P_2L2c0lM2B>_`9M2rvx;;J+mP`s;tOc_xZ|;E1rnzZ?!F z%-{`wy5^Y7KiND!2;7C!x)t`%Cf+_xrN=v`CD(alP`PUtV8ZfUKm*5$33RGre#2de zLm<}UP6m7r@d{jUHc2yh4IClF`kpyIzc*JmUKx&OeGe5}3IIC^JrjcUlcoF*5~X3mN@Ec5^niO>R26$kfUG|y7$ELPfhwM^ly zTxld2>0ulm|0Ob@$1A%(i|FF82%66QKn6G5y@LZv(8?Ri2LD-P$G=|T0hb9JORP;p z(f#l+G;xJCO$<#gt9*x-7E~l5mH$I#&jkQS7C{kkzj4zvD@|KREAE5u;okEA01ML2 z_Yb*W`$(1==HPgy)3OIdWq&dt%#Zdr#%3!&zU|1;4Fr0G^${3n=fXv!$W;oBoIG zvTe|vU45Tr0MAU|gZmHJgm27K{EV>=%j_OD?#+thxDU75$B!Af z2QQD!D|vfQL2_Qp@NVr88YlL_#F{*|I1TtjR+t~E&k9%+5WaI$+FDnQ;POjjc}mjF zr{nxw_bMW{41D_%H|J-I8<8s%pk?TtTxwD1y&oU0P_X+wT={LHp>!98j`?PIT@VFu z>GpA0~`)QHZGbZ=!;gkCS zfjO6OlZI{a)1b}u=A^bJ2Y#DLl0WynZ2JPRZonS^(LHsr%X|^e4pr`k8T9Y&11S#e z*5*k;tA_H2otb-?3;GVIyH1Do`Ch zyY)8ju#%1<-QqGP){FLM8R3uKGYPqb#gGA^#UBhB=j;q*GoLx;W&DV8`qf}PPq(=5 zr>Lu;(fWLYi?PL-9sS7_4+;+!DDXPFAXeVL%Y35m+|AoJAAxD=v$ui)XQDCOww&QR zvw##tuYx{*ML|##^+3RPg_A=$m1r%dgYWrm)|33<#aa_IetW)xL^a%w!mN z6iX@9bOes?lp;f(rm_!@?kY46qAUI$r`QIT3>Uz8Nc*rZ=&vo)CYJi&BUuQElldczLv6N zry}EMaQyL7!(9KVm 
zG{7}8wUQ0%kCbYhyHdH(E2D;2Ue7)Gu+sPM(l-=a(mswdL&wjBGSB00MhNMxB+<^k z2x0m*qf=+yb92s6!dR*Hirq=`fFG}998HjqPqQpEkg}5w8JhHD$9FDD;B_k`XRBo* zv=!fgcDxc*(pxq>h-qYmimz{WPrC`uN&PJ~C?Hh?&ZJRhRxxv^xd<)xxbO6?Es7^H z_02%xpfHmt`5hhin6mkdmWFy~XTg1=vxuT$h<5>ugCXB{PLN^eD(06EH*}1wQ@SyEI~~55xlS|UdwC)U`k~c9 zTd!&K08>9HkMC6qYjP8qTS^3{*&V}7*=aBc)q&T-q;uvOkjlwY9(`wHQBBv@@c5fg zSdYubtKEaAe|(mLuxzz!R-raac7LvXT#*Yf#|lWh&ve?UxjeFg-$?)FapB_aL%`%~ z4H`zDPEq`IJHA1KBn=R>mVtlABCzZ3XG~n?h1KitT~tJ>=dOilGFzype)Q!>X$RTgy z-;&6tL+qdhrjJ`~H3#sF_~8wIu56arj@r*2VGJT7Y^BRr| zdW(0K+u~dWT(0D6BQ?rhKBUb{I9O-jz%@uTzCfch+TX537u!e@Tu`FAnHNw!8=y=q z7pWOQbeS$qYr#`@%T(ugp002Yn{Wwh%V5jJEBVsp=cFLLLdsIM>1623$N$2=9CE9n zRnLYVgSl=dkUU`TS1X9iV2Wa?dnrb?th}mz-Lwu=%a};eUSjS8sE5y1$4x=jpRogX zCg{$i;8U2EF}@y(T~S^j(-zk5h&@x32?7-n;X8QAUKQ^heBn$uf0cQp98pp--UC{1 zC65$|Lh{3a2?a;Uujy*14B&>dU_0pBnqg#|%~qU6VXnKx>8(3nl6p zcs?Io5Stf;l0Pzuu~%P~cTz-}RPWT&{!#w4{-F$!Gg8LUED6c+@%GxsXM4$P^$~T$ zDJ$ol%#^3+mo}W|Q&${*uYStatl6@8u82Z&24q5!@NxN3aC9|)tF-hzk8Qmz@<7 zo5%2q(tCy7S*Ms>17Stxwr6K%XOwKeXX?X?!=ftykORJR+0k! 
zona4j;#O})1zsprCjZPbteu&W$%5d=bngz`vKzLGsB3+ouhmh&QgU9^G30|RRGH+{ zJ36@*ZRzLw!J(Kr{not)cU2Tv{%URsYJ2<~b>R$HOK=S8Ec}TbCEnG;6CLwEv7hn# zXuhuVc_o|tw%Bjcd~&2(5c?=q?&Mn5^OO$Y!k8WW#M7LocO0PuD@tRih6%2Hesj8I z%q3`@eGk@DyQq7Zz6zntu^|jS{yjt$k0m;f3A19_nb#0jUp@HjcRp|pVJ`kD3Uwg3 z+~D%Fo@3t3&}8%9i>RWjI0@O1vEQ?4UMZ5Pe}z3$yp5t^%^U8dn0xO=k@V8;eL63D z;!osyhu~DycUF4{<~T}}XDxChS$#yrw$R7keiiueUV1B&4E6Ba=%E^Y9gA9V8S18c z;Z^8-Uhy?1#2&_=thK)HA;ocrRh(~#s0*uQd*2jwNSVR%33q%d{pVo$X(;-x3K0pF zJ;rD=V+cF!OH)&O7P7-7xos@E$JNb?W&m7zY7{JWfW<#>h)2Dt~~HaF`j>}!;^%vEYOvAdUz#~Q9W^g<%c1(mgNE`nTW(81XUL$P1@%(t7YFvp!H}%4)t@= zwj3!o^(Rat>X(e(@Z51fwlv6_ZvX5r@7I%T0bbCcno zjs<#llT2sZ_J;~XQ!-F3oHoT@G`ET)i4f5jD;KEL6psm!q0T?DGL}yv1TxR!&hRXT3K#0K#OTm&U7j_VcL;GyObn$ z-v?J1Uta+;tD6q6aMXY)B*+%jpzwIe5XW&WUT~{00i~wvPj&uXZGAS8>~dY*Nh|5V zc0FWZI}?XWL~yhmv_&hsyh;<3Kv!$YLZVoY?;>yUgfxQkuy31VTAQ8s+q)~+bNOAS zTnx2$JKwhJx~m$OvE<3w?*#LR@e%#*%lJQ)%*?gAX5M0kl-ke_a>Scg6Hi@N^h#wN zJ?$&FYU?qxWf~-}IjYC|N!yi!u3L`r&AB+f+0&qKw>@BXPl!KsF8f?u+^$5NkWlyA z`dQeN9&%>uFC(0uuCuD$XPd=RQ~cYearqonIIgv{vy$ARU);j;t}NIaa*XOnj`}x0 z7+}j#!4n&d_WB!IL_(KvI0CkI#mUH`)n{}PqtIE~(Gb=Igt+A=W%>e036x&~DHe4z z6II_)7<9BYtcIp?K0_{Lfx3CP6SYfU@~-{$?jVV8zB#O3A>IGGN?y!S-egV0XY^>7 z=CY#XQ1#twBlVMa(EBd*&Q11z4U9ZI*;@B)o|cdP?PVwlk1y#@`Tj#z*`=cD-|6z_ zC4HFA4r$`j!;?8968nA&Ha`<=iD;m#NN9q+OMV8_U$rKtvEXtiuffsZY51>jdlqOy zHqldj|CDFSIKky)wM_bd+#|S20%%h2&$ep(7EpeE^=&zDSvXvl8DCq-{!^5CQY+1a}QfK2C0a5wq?>S4UCpnw{`d Date: Thu, 12 Dec 2024 10:42:50 -0500 Subject: [PATCH 58/71] updates --- src/courses/advanced/12.md | 1 - src/courses/advanced/13.md | 8 -------- src/courses/delta/02.md | 2 +- src/courses/delta/README.md | 13 ++++++------- 4 files changed, 7 insertions(+), 17 deletions(-) delete mode 100644 src/courses/advanced/13.md diff --git a/src/courses/advanced/12.md b/src/courses/advanced/12.md index d13df36a6..13f1ceb8d 100644 --- a/src/courses/advanced/12.md +++ b/src/courses/advanced/12.md 
@@ -1,7 +1,6 @@ --- order: 12 title: 12. Next Steps -next: 13.md author: Emily headerDepth: 3 --- diff --git a/src/courses/advanced/13.md b/src/courses/advanced/13.md deleted file mode 100644 index d332d29e2..000000000 --- a/src/courses/advanced/13.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -order: 13 -title: 13. Delta -author: Daniel -headerDepth: 3 ---- - -## Testing \ No newline at end of file diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md index ab2b3d388..9614253eb 100644 --- a/src/courses/delta/02.md +++ b/src/courses/delta/02.md @@ -13,7 +13,7 @@ To conduct the delta process, the following items are needed: a. Clone or download an existing profile from a repository source to your local environment. b. See [What is an InSpec Profile](../beginner/02.md#what-is-an-inspec-profile) for additional information. 2. A guidance file (XCCDF): - a. Download either a DISA STIG or a CIS Benchmark from the appropriate site. + a. Download either a DISA STIG Benchmark from the appropriate site. ::: note Using Generated Profile Stubs Although not a requirement, it is recommended to use a generated profile stub from the `saf generate inspec_profile` command to create a skeleton profile structure based on the XCCDF benchmark guidance (STIG or CIS). This ensures consistency across profiles. diff --git a/src/courses/delta/README.md b/src/courses/delta/README.md index 991f55b1b..5866a324d 100644 --- a/src/courses/delta/README.md +++ b/src/courses/delta/README.md 
@@ -1,22 +1,21 @@ --- order: 01 next: 02.md -title: Delta Process Developer Class +title: 1. Delta Process Developer Class author: Daniel Medina, George Dias --- ## 1.1 Class Overview -The purpose of this class is to demonstrate how the MITRE SAF Delta tool can be used to facilitate changes to InSpec profile baselines. This process is often utilized to create a new baseline profile from older revisions of the same baseline. +The purpose of this class is to demonstrate how the MITRE SAF Delta tool can be used to update or generate InSpec profiles. This includes updating an InSpec profile from an old guidance document to a newer guidance document and creating a new baseline profile from older revisions of the same baseline. -### 1.1.1 Class Objectives +### 1.2 Class Objectives By the end of this class, you should be able to: -- Identify the requirements for conducting the delta process -- Understand the purpose and functionality of the SAF Delta process tools: `update_controls4delta` and `delta` -- Utilize these tools to update InSpec profiles +- Understand the requirements, purpose, and functionality of the SAF Delta process tools: `update_controls4delta` and `delta` +- Update existing InSpec profiles to newer guidance documentation using `update_controls4delta` and `delta` - Determine how and where to apply these tools in various scenarios (Use Cases) - Use the delta fuzzy matching system to map controls between two profiles -- Become familiar with the delta process logging capabilities and the artifacts it generates +- Identify and review delta process history with generated logs and artifacts - Format InSpec profile controls appropriately before and/or after executing delta commands From 357529aef8886eda290b9ed277936d407490af13 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 12 Dec 2024 10:08:49 -0800 Subject: [PATCH 59/71] pg 12-14 - update types 
Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/12.md | 7 +- src/courses/profile-dev-test/13.md | 24 ++++-- src/courses/profile-dev-test/14.md | 130 +++++++++++++++++++++++++++-- 3 files changed, 142 insertions(+), 19 deletions(-) diff --git a/src/courses/profile-dev-test/12.md b/src/courses/profile-dev-test/12.md index c4d8ca942..edd015781 100644 --- a/src/courses/profile-dev-test/12.md +++ b/src/courses/profile-dev-test/12.md @@ -1,7 +1,7 @@ --- order: 12 next: 13.md -title: Understanding Profile Patch Updates +title: 12. Understanding Profile Patch Updates author: Aaron Lippold --- @@ -43,7 +43,10 @@ A patch update is a minor modification to an InSpec profile that addresses speci - Control logic - `inspec.yml` inputs - Threshold values -- Note: The InSpec version in `inspec.yml` is managed during release + +::: note Version number increments +The version attribute in `inspec.yml` is managed during releases so you shouldn't change it in every merged branch, just when you cut a new release. +::: ### 4. Testing Protocol diff --git a/src/courses/profile-dev-test/13.md b/src/courses/profile-dev-test/13.md index 42cf4ecd9..a881fc230 100644 --- a/src/courses/profile-dev-test/13.md +++ b/src/courses/profile-dev-test/13.md @@ -1,7 +1,7 @@ --- order: 13 next: 14.md -title: Understanding Release Updates in SAF +title: 13. Understanding Release Updates author: Aaron Lippold --- 
@@ -13,31 +13,33 @@ author: Aaron Lippold ## What is a Release Update? -A Release Update is a structured process for updating Security Automation Framework (SAF) profiles to accommodate new benchmark versions. This process ensures consistent quality and maintains traceability of changes. +A Release Update is a structured process for updating a profile to accommodate a new benchmark version. This process ensures consistent quality and maintains traceability of changes. ## Release Update Workflow ### Step 1: Branch Creation -Create a new branch named `v#{x}R#{x+1}` from either: +Create a new branch named `v{x}r{xx}` from either: - The main branch -- Latest patch release branch +- The tagged commit associated with the latest release ### Step 2: Generate Delta -Run the `saf generate delta` workflow to update: +Run the `saf generate delta` workflow to automatically update the InSpec profile as per the new guidance. Items that get updated include: - Control metadata - inspec.yml configuration - README.md documentation - Other profile elements -> Note: This process preserves existing `describe` blocks and Ruby code logic +::: info Saved! +This process preserves existing `describe` blocks and other Ruby code logic, but you will still need to review them to ensure that what they're assessing still lines up with what the requirement says we now need to be assessing. +::: ### Step 3: Change Management -Follow these best practices to organize your work: +Follow these best practices to organize your work as you implement any new requirements and update any changed ones: #### 3.1 Control Tracking 
@@ -56,13 +58,17 @@ Follow these best practices to organize your work: - [ ] Documentation current 2. **Infrastructure Updates** - - Update hardening content: + - Update the version of the hardening content that is used to test the InSpec profile to match the version of the benchmark: - Ansible playbooks - Puppet modules - Chef cookbooks - Docker images - Vagrant boxes +::: important Parallel workstreams +You might be required to update the hardening content itself to match the new or adjusted requirements coming from the benchmark instead of just consuming the newest version. However, updating the hardening and validation content lock-step is a straightforward process! +::: + 3. **Metadata Management** - Update all version references - Verify control titles @@ -71,7 +77,7 @@ Follow these best practices to organize your work: ## Tips for Success - Focus on controls with modified `check text` or `fix text` -- Unchanged control text typically means no code changes needed +- Unchanged control text typically means no code changes are needed - Use PR links to track changes in your tracking table - Maintain CI/CD pipeline health throughout updates diff --git a/src/courses/profile-dev-test/14.md b/src/courses/profile-dev-test/14.md index 50bd5ff2a..8206f8ff9 100644 --- a/src/courses/profile-dev-test/14.md +++ b/src/courses/profile-dev-test/14.md @@ -1,13 +1,8 @@ --- order: 14 next: 15.md -title: Understanding Major Version Updates +title: 14. Understanding Major Version Updates author: Aaron Lippold -difficulty: Advanced -prerequisites: - - Basic InSpec knowledge - - Understanding of STIG benchmarks - - Familiarity with Ruby --- ## Learning Objectives 
@@ -26,7 +21,7 @@ A Major Version Update occurs when transitioning to a new STIG Benchmark version ### Requirement Alignment -:::tip 💡 **Pro Tip**: Create a spreadsheet to track your requirement mappings during the alignment process. +:::tip Create a spreadsheet to track your requirement mappings during the alignment process. ::: When moving between major versions (e.g., RHEL 8 v1R12 to RHEL 9 V1R1), we need to align existing tests with new requirements using: 
@@ -54,7 +49,126 @@ When moving between major versions (e.g., RHEL 8 v1R12 to RHEL 9 V1R1), we need ### Practical Example -Consider this simplified alignment scenario: +Consider this alignment scenario where we are updating from RHEL8 to RHEL9. + +The requirements are the same: the `/var/log/messages` file must be owned by root. However, despite being the same, each requirement has its own id. Consequently, we need to use alternative means to realize that these requirements are aligned. + +Attributes to consider: + - The title is almost the same aside from the operating system version. + - The description is almost exactly the same aside from inconsequential differences. + - Whitespace + - Version number + - Capitalization + - Other alignment IDs are the same. + - SRG ID / `gtitle`: SRG-OS-000206-GPOS-00084 + - CCI: CCI-001314 + - NIST: SI-11 b + - Check and fix text + - Fix text is the same + - Check text specifies a different method to do the assessment, but they're functionally equivalent + +::: code-tab +@tab RHEL8 +```ruby +control 'SV-230246' do + title 'The RHEL 8 /var/log/messages file must be owned by root.' + desc "Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements." 
+ desc 'check', 'Verify that the /var/log/messages file is owned by root with the following
+command:
+
+ $ sudo stat -c "%U" /var/log/messages
+
+ root
+
+ If "root" is not returned as a result, this is a finding.'
+ desc 'fix', 'Change the owner of the file /var/log/messages to root by running the
+following command:
+
+ $ sudo chown root /var/log/messages'
+ impact 0.5
+ ref 'DPMS Target Red Hat Enterprise Linux 8'
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000206-GPOS-00084'
+ tag gid: 'V-230246'
+ tag rid: 'SV-230246r627750_rule'
+ tag stig_id: 'RHEL-08-010220'
+ tag fix_id: 'F-32890r567485_fix'
+ tag cci: ['CCI-001314']
+ tag nist: ['SI-11 b']
+ tag 'host'
+
+ only_if('This control is Not Applicable to containers', impact: 0.0) {
+ !virtualization.system.eql?('docker')
+ }
+
+ describe.one do
+ describe file('/var/log/messages') do
+ it { should be_owned_by 'root' }
+ end
+ describe file('/var/log/messages') do
+ it { should_not exist }
+ end
+ end
+end
+```
+@tab RHEL9
+```ruby
+control 'SV-257916' do
+ title 'RHEL 9 /var/log/messages file must be owned by root.'
+ desc "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements."
+ desc 'check', 'Verify the "/var/log/messages" file is owned by root with the following command:
+
+$ ls -la /var/log/messages
+
+rw-------. 
1 root root 564223 July 11 11:34 /var/log/messages + +If "/var/log/messages" does not have an owner of "root", this is a finding.' + desc 'fix', 'Change the owner of the "/var/log/messages" file to "root" by running the following command: + +$ sudo chown root /var/log/messages' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000206-GPOS-00084' + tag gid: 'V-257916' + tag rid: 'SV-257916r925735_rule' + tag stig_id: 'RHEL-09-232180' + tag fix_id: 'F-61581r925734_fix' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] + tag 'host' + + only_if('This control is Not Applicable to containers', impact: 0.0) { + !virtualization.system.eql?('docker') + } + + describe.one do + describe file('/var/log/messages') do + it { should be_owned_by 'root' } + end + describe file('/var/log/messages') do + it { should_not exist } + end + end +end +``` +::: + +::: tip Different yet the same +Even though the check text changed, it doesn't mean that the InSpec code needs to as well! We are still correctly assessing that the `/var/log/messages` file is owned by root if it exists. +::: ## Best Practices From 0f658f40706c8dd2330622123d0c517d5fce6657 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 12 Dec 2024 10:16:37 -0800 Subject: [PATCH 60/71] fix syntax Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/14.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/courses/profile-dev-test/14.md b/src/courses/profile-dev-test/14.md index 8206f8ff9..d3c39b559 100644 --- a/src/courses/profile-dev-test/14.md +++ b/src/courses/profile-dev-test/14.md @@ -67,7 +67,7 @@ Attributes to consider: - Fix text is the same - Check text specifies a different method to do the assessment, but they're functionally equivalent -::: code-tab +::: code-tabs#shell @tab RHEL8 ```ruby control 'SV-230246' do From 753545e59bb441c1f53f9556620d9526559a9150 Mon Sep 17 00:00:00 2001 
From: Daniel Medina Date: Thu, 12 Dec 2024 15:38:31 -0500 Subject: [PATCH 61/71] finish use cases, addtl updates --- src/assets/img/Delta_Class/use_case_2-2.png | Bin 0 -> 52835 bytes src/assets/img/Delta_Class/use_case_2-3.png | Bin 0 -> 122715 bytes src/assets/img/Delta_Class/use_case_2-4.png | Bin 0 -> 51977 bytes src/assets/img/Delta_Class/use_case_2-5.png | Bin 0 -> 35967 bytes src/assets/img/Delta_Class/use_case_3-1.png | Bin 0 -> 61376 bytes src/assets/img/Delta_Class/use_case_3-2.png | Bin 0 -> 67990 bytes src/courses/delta/02.md | 4 +- src/courses/delta/04.md | 61 +++++++++++++++++++- 8 files changed, 60 insertions(+), 5 deletions(-) create mode 100644 src/assets/img/Delta_Class/use_case_2-2.png create mode 100644 src/assets/img/Delta_Class/use_case_2-3.png create mode 100644 src/assets/img/Delta_Class/use_case_2-4.png create mode 100644 src/assets/img/Delta_Class/use_case_2-5.png create mode 100644 src/assets/img/Delta_Class/use_case_3-1.png create mode 100644 src/assets/img/Delta_Class/use_case_3-2.png 
diff --git a/src/assets/img/Delta_Class/use_case_2-2.png b/src/assets/img/Delta_Class/use_case_2-2.png new file mode 100644 index 0000000000000000000000000000000000000000..5c99d3e026b41cbab4dcaf10c2d7c544808ee4ad GIT binary patch literal 52835 zcmeEuXIN89*R}$R4Z(`i6$DXf(n|;^ib#_#9i*2K={1Q6igf86l-`lvi3mvVB|v~6 zJz!`7LVzS+IOjdb<9VOw-}mGD@o`7OY6%6TgN6Xjp`CohrHPsnOKR!|^c zHO!nWEF7Gz!7jGXLHp!_2pi3pE-#gpB+S4dUQ=`MD+^u^(CgzOC!{EgdYC0=s%MF zT~y22!s#&>M6T0C`q$9>PvL(i{!c+EzT>9sx?AV#I4qhp?x97gMzoVym zrz)fUL?&YGS{rT5ldHhji=O6}uAV$Oapm#2g#rbK>3PL*ORs{1K11QrZY6g_o{^>3 zdzc|Y37n&nf|bn4w_2BQ?LuQPyZ)z6Qqjqr_)lNHB4;@!qxmLozd1p1hV4In&7P{49%&vlb4ph`zm{?|m% zwP#x0jb9YNmDQfKzX`B%!*^l0#7#-}?wP;aB?Ixj<-2lJp%97hYuZK3Y5dkHCjO`D z`fC-``5rL-Q2*ljD~<8E)a$GrVcKV}IwgN7vRwLSSNew0z2+*pJ;Ap=e#zo9-7ity zD1?_kxLxPH!s}Z8nB&^tQjq)XLiihEcsi-z%dcJy;q^^qPp@Q98WyNyh#LCGaPW_v za*?=r{cm}E2f1E|(lKiX*hoA&``+p8}%e~pfb6J=eQop)aoYgPknIF7x4qLg%EBNH`e;d0SPsn2IAqwot_oj&^5nl%@-*Xw@57wrGC5ne?^Eq zHO(2ia7wyHVaj11)4*3p6m32j3`b!Jm$h1(j zT>j9fYN+g#Hf=P;T@bkA61cO>f$s<&!UlUY^49bQtuJV0n!Jtg%rO=qS?^604!I=$ zbd=Oui164GR^Wx^%mIw#&R-Ql#}G?4ILlV|U(F3(|4@a2RiT6E1k%jmWx>yM)YZ#j zjLyAmo|^b=WD#F&OZD|-(#);AT0Y?l8tqkk-<{C#!1})YNEG-zN1DOCJiMYr{nwV4 zb-4tynxLT`D9f^ULCh}39~wg#Gn#v#$2s5MVDn64qHa8!vCQ|9PeuYUz0JV__@RZa zayon!rxvZqWQMHBC`BR1LS25TFXoE%;RsVLbI$Xndg>rMir_xGjpyo=S`cyWpJl!) z9WidawajC2Key`f8N$fgl+lSVCSLHU0Bkxz^RAw;0@}}^-$c0o#ZX}5EjGu zYKecl6Lgpcs*A{1%ZUSL8c5qBG5Cq;$d{Y%cVK3*H3cDuxms{bNc%V9C2~7PcbT`K zyGC%1nPO=AyqaOO~`f46)oDqQoh%;MoRgzVqEy0?ykBTqeVNTw#%;(2D(gwPSOzUmC`YG0kS1l zHJO?aRqRWai*{VQp#m@CzLI!&9ce#26I+=s`}>6F4WF(i|;rzrr^#0Q<_Nn1Jc!h^;x zxv#FyHKavkCVYRq7VCkf>}ERMMf}DXNkrkb5Zp=$9JPW=CnhA5Y|hL? 
zuLJvo@9FjS*RMmGmaHa8PH9M^a~fO<-me|l6qI<=dKj+2xBdfjbCM!gzf(^Qh3 zL?}dr{3Oam9=LaZf{awb$1C)cp`T7M2NH9T%y}E^?sFcU5X<|6@J1~;BN4}wCuq0aUa$8&hUy~vpPfPQ<3k=H%_~Qhk4$q z!B-Dvt>l9W?Rjy~!^h4o<&Wr!7qtN84|2czruZ`V`t%TGvnrNmmDd8+jD!w9+*)mm*f zJ<4f4AdTGG_75EGRWLwMr&>2zC+^UqBhjhGuIM4hYm52ITtHZcE7Ws-SoV!OTWD(Q zCS{Y>Sl}?r?&{~0<^+SC_8l%ldnxIs>Y?mwz)iLNR-sNnQ!CIh{Uk-odEI3()dvuH zgJJj-2oVLvMu}ik0(`F`iB?G}1>pIg#ZBouhAywafFF3uOO*pHR1&YPBs^?4oQqb) z_Qluc?ovG}BB&3Kk31fp;1xNHP_DN@m1C&&s~M@iNE1(75IAWK7%XvKvkITiyG;ke;({?-d@A0#$|GBrnMLZnBbYke`^`e{Gh^n;D4~oS-EnoiGz&VZ zxY=ci=h95vBw`7itxu9wd*2_;Xmf1ad|Wjl{TA-s0jOzXDZxjOsVA^2G}*g`Zkf5C zWAB%m*Ir0{#R+d-jTCo>b+Xig1n59WlKt>Rm44rjD-Bf+(JJ-k)H1i(vUmQ; z_bD#X?X;Zre5M2)rGbSj%%@gx@FbR~byWYZb9a1!!8WB%hW|wSuAMwQ-(BhphOg>S ze(K=8N+k;jht&ons+y{xm8*!3L&rV#UgMGz=SnCJW~qw z-u_5LyBFCGE#B|1o^(cTpl#Q-S^oB-zK&nDUh6&A!l)M$-c|5D9_0WaVaSqmLz5pi zt2ah9hDEaYXtXRe#0AF{X0sTth8xjTYxR8c)rV z$=+<%iZT|*J!7PozwgqNQ8TeP)hnSUzWd;cWqv~IHq>rT>})Ur%yy<|ZMA~IFRliP zS=Ffwqps@nThm%|ojMrn;_`v7NWCsoK$TRbReRO{*vnwi$Iw>-2vU7e^C*<{^I?l( zw;{F)UfVRUg(oEckExl6wkmi<-SpFZ5UqUf4kZa4`5E9J^L%l{T?EtFE1y_YW~Ef*w}fZ{=!j)rgEQP zoXc9I$KrHQc$6h^`sg64HLbhm=lA!4?XjAf!{Ylc{_+~Z31J!9Z#W(B>0O^sTBSsd z>w9YrM!-AYfuC=ewnY|St_bW|L+i+K8QxVQ#b>hUahwuV_E)j_fx57rfOvZ;Xlc+` ziS2pZoC^)HV2H0@sb9c6Z$90Z$MDsns5#{p$~qUYI@)rzSs+eiZSI27^yR%%DLIpH zfh1C1Uct@JCC<$GTVHsp`Xq{awwr=pp*3mr0!&^d28HVpZ#%&&iUKS;=YGmpVJt^! 
z^v-JwEV46KL)|Sv8ZSjm0j7G#luQ^J6 zajbF+(M5Im6o~5}`}G^AJKn}zt{5qa2K8Dw;xZC%hJK@E!n&*DBR%ju+&(@*{-`LT zi&-q{JP+CG{)DX##?C(#-}$us<4s^|RP*c`Syp=E_n2>}`p2s3*CRaM{vBZQXP=s6 z_%N1~Rcq=0p|Acv=f0lZR!{C!zVAap`4ZmLK1uy54r!s2>(}`LtM5~KEKaoZ7~|_I zQ^SE6*d4p2%(3oeL%~Kr;!5aSuO{!{Orw|Dc9pj_xQrj31YNOyU~j$@B!azia8mtB zJOa<5k-D72M{0kz9QhLucfZgnk9wW2^jW?C2_i5lt$6t7&@*qj(Z@;+;x8%6H?=lz z?DYMVPI?Y4Q9erga)TJsyXpIOR?d`dw}MX(2bh*l@D;6@ z>KY{x?rPUx%d^E%^5_+;Ua}&EYJ^AEuHLev81!_$Cbt~~Q*da{BUS)^XtBgLY(?qr z!Ns7M6&>>8=$H)hof|>i>lYEz2O(~&Ngkz(Fj@hFx(YOaINRhSmomRFJbspKDaP2* zV$gVU(1B+IC%}-y+#c$c#OIX+w_4*No2t@0`9_S^Vd2cN=I1X0_W?;8=;pOehF>e% z&vTkjJ@gIw{ci>?J6Ka>B1`xrMxPel*&3tPk{9x(WVcPWh{0Y*bmfd4_J$dOa(ztc z8jsSNWlxQWGwsUfcy>VDB#%R-1z=@hCNJFmMb`me)cIJv=-uJja+Q`r*QB$Lm`g*& zHWIkmd(uT0u=IlO{LP*Yqg^<8boElwEIu>X(snnj-RUOA2?(F{YJ%Cd(cBTF6m2W4 zEC!JZ68eU8NoZQ|fUePX(&@K97E2ddTYZemeX8&;$67?{`3*;)Bi8lr@U))xjsSZc zN^EyPe5*V=nHY1)(mxgGjx7Q)(SSZ45vzm5(PGv&he&!qb2R2Fwrj4p*EZw}i z5?4yU+-Ne>`kJ^fe)B@%z%#u1kEvct(es7XpvGwF2J;z1LE=?*@)EJn{uz7N_i-dS zj$?Nt?&zyVv(l~4qzjxgM_*AsP9{NNQ|qDA4GyoF^-@r?M|O=4nE>0xYikg}+sg83 z0jYHkeN!CeW3P~;^q~ofwOkpR19Yf#%M;3oUS74u@?KOGOBJ3*MaLN!G~wWfWj?AK z-Tg8RyJHDZcPF+3dCi;3f{ove08?2EVq%-d(3gbHL<(|^e7jSRZZtU88(5cmJbReDK4(IgxR~P3W z-*>vczP3T2_==otGJPBmAiW!Cx)1Vyh0-T{1^5PLE)8;?NPL*Fxqaxs3880sVCW9G zAEts30J*|0wm6ddX(IWZfjQuKF33_^&J?}d)&7u+Dh>G03wvolsD&eysZ=BTo7Vf& zlBcZ%2h|=ES;sAlTX!1!+il06cEx#lM67r$Ohq6QJ@s_1q-1ksiRub9&o(5qi(^L( zIb3nh$M}H9()$oR!0(N+6LIdP#c*q0j#13ft!7&?G7<#5+|_e4U$jrn@3jJHNfs@b zkzHQyF2bIxg9GQY1M*CGCyK@*9JvUCd{*(&tEHp(Cm_C~hKRj02+)!mkKvUCjO6lg zowF>&*R_G zIta&R!h&5n>?lyh37pU3jvOAVj#NyRjN;o|!zO`xhSEqvLj-2*aORx8RDP2q;hRqq zgzO!t`{A-)q2JH-#HeZikljm_A-u0g?TSYGeEd{Bct)iTkxo}&yzMFG+kW1D5kpcy|^08^-)>|G|Z1DzcFmm zq0%+K5kXcHjW9sCC7;4sUAm*xmy zRDwc6RdwvxXMUlbHy@aWMDZFbnE-(cL-dVggS z(7fPPV)WS??#5V?E!Qb7ukw~1Et~>5hESUI&L_>s*LStk$cgGT?U1~y&4Ja8HIhnO zIc#n{73D-=g2Y^BNMX??zi9u^CkQTW9`*H3ve#qzwfCgfY!+SfZ2b7h(PO>D_mAbb z_mcO3k@)Wq1_y_TAJ8X9TCw2PbC1?+i~7LN4ijNt3wT1ScNPQ9KK 
z(D`f;K5676Z?8XPIoCF%1p(m?+wAi!cqPO#ec|nPd*0m}=-by-|KUtFyctF!^)F$% zliuhpO%bvVlat8t-w&*q=s-bMc1GlMpk+lEUjF`8?9Ebr3-0)C2G{6fBbCWO#rxgM z#Si;f0~a5VzGTZw(wti>v3&pFI!En(O00eMD1PEFG!~QE~PWLO;^7)rpI*=t0`) zb5CGTt@Czi9WvT%T%jV1))wC5_Nv1b-a&r3PUB+ktAWYebrT~QQjnr$vQes^EYjK~ z1cDi&PTI40g%PuzVZKnl5;QlePaN29KfLF6CVrv%4T`V8f7 zAX7F=V=p z03eGH_3;I>Ib{Pi^B)ftn!YFvRZ9(qDMxTou-f>xmY0ypfaF?gc`M^5dl3#C_rm{{ zlFXJpraB`>d+P@cc^pi3&ba_;UhG(L#PT}N3lU6ZPx$Vg%On!YR%p-v9n>Bd=1-)$ zoRRk>`r6+P;EeRT$Rad2k_aPr()xcOUW3`m~@Z{N%6=_Xlm zH+BpDEsXEQ>tBL+t>86g)H=TDxBe4Tdi>0#OlDffW%ZrKoDXSCg%@b?YekVc;T!%@ zX6Pt9GED@{u4$GZ^w-FR(D)|$T4&GSV5Cvv`DJzJZYWZ`Q})Vwl^9m4DZcu5Toq#a zKiOM~R7U@i{Wn_D^y+IbZ}0APl^gcD@;Cp%G#+z~DGxsS9E_^)viw85yH|20ZYKg) zy8J!<7VH;4`RCn0v`l(lrS5-YId?t01E?9dlp`CpXzB-L&5 zERsL5MdnogE&iWE$vBgBH3@45`dd5x)tdj`4S#gV|L=zX_qxI7Dpl3QcfwuGD2dx| zWCG5vlv;%fixFL3mcL;7O`SjSP^f^xC5YJM&Whr%c{xk>q~Y6L(G7$ujV&WdBcH|l zo}NEW$rHE2GhO%OnPcMaC^FR^Ivlzd3W7}^@#L&|ZP%k*g;Un5kk`$VKyMA_>EX|` zdP`EfpH+fK-#%^d+#S6+@#?&4m^deoDxj@4?@aM6R>T_hCYLQ4H!B#zdfpGtAcHSrSB=M?GXkX;d8Qi|$uX$3{O1 zo-5LyA=564oywvXU8u+sNRc87w5HK_#%B23b^vf;VN~adG{NQ&cCg%s5tVgP-J5bY zc##a+7j+X9WO(~v?J=@G_P8iH6ul|G>%$m5jGWxghEv>j{Yh%@+t z8Ta_r-;5K#6UE~UJ9eGeSo_*~q+oN$Q2+kc?SrW2F*C#cQ8Y(z@77D6`0cp!W%FUZ zhEE$@^30wh_x6D#yejwX#N{_4=8?T#+w1iy#(mnFgv_Y7Y&$&F91H$e>K5)Bqw^X3 z$3UY_HEJIw#FBX7`=Wdj(?Kq2NrU^juBE^EJ)ODNR3X%;wocBpV(4xXq(Is| zOY&TgVpP~0PvP+1y#8=Kpqf@UK=ij&*|(JQSW6ult>@%)p!+S!N-3+)-K))>!h;MP zpFAfXATIaPi0&Lt6btZM+wA>JuDu|Bqj7iA?x5d;Kg-wX9Aqv~e8Tp=j<&(zm44?V z8~)qLUpl=lOcN6#4G-G>jGlmvL?M?wxA#*UTq{ zbc}oiOjFyDD0}jz3<;hRW#EVT90I-p>y)msw>Ck!8DXs=2 z+nWIBN-`dJWQvZrn17{@62p8J9@y!ZisBDf5GU?807o^OnS#J@z%A6F(HGQ2biYal zAa9N(jn#+WG)$oQXSpgyW@j0g7UxHMF>KgN_1*Ty%HBwNWo_M>(pA7vHp|NwJvD1# zqWXV}B#W!dJb*^#P(xW!j-he4hH#p>km@93^;CxBaL*4M+J%$C#Ol zQ(KR_hNHF{hQ83l$`oQg_6A&I{o1^w(Euh_bo#~a_9C}ND=mK!yy$F(#=>{Dmai)Y~U+bKol^yv7UTusDlQpdqRmu=y z_)}!Hk!}TSC7tVLK2H+pdc{T?J@r@}Y-MVq{^wlc6((Kr`4DyfNwTU`g*I;#HPtQS 
z@^;6Z2?Vuj9ARU*SAkho=tlM6)6}zliwjo3wQau$k;5bqsa!e7q6$r21!eG|J;WYv zP!sTEgZCyWtS`KNoTWqvrCph{WT9`Y%s9HSJ1*$ygqDjh)@Wk#FlpZ4THKhBBJJd0 ziCZsmj*XX1@Y^ON>A4SYVH6J=ObbJUL6G^1fHB$dJg|cj7ccI9AR5=W zajLR{J1taRa!AO@=VDWa0jWM$JE3aop%@E#c{sZb#b>)HX|N&LDaX&ZgJjiq*ai%L zy}$dReyl6mN?Rt02dSp?JhIyQ1Mp5tv& ziwxW*?rc!oqdeOMu{z;`qA6<;hVGb%`LF^QmW$alM|Nd7)%o62g6+i4W&7U8u=MLR zvCLl9)yB(wPyq}z4GsymrsKYs683S#Msw%84mH!qy=utLpbd<7$Sndv1x`p^~gFg zQ?*-8BXUN{b;qKyO?a7Y$1<@l+`z+hAWirNGcOr1h@V;7ny_Mqd4n6TWlH0wDwrJQ zzLcP89=itC!=LQJO%$6)9;gw-Re&G15BuET5`8ur&rX1kl8BaDsFn)bq9abYT@XLGQuEgC%pgg=kPph3Aj;M zZK{91PHq%Y1?cL|=R(YQbqk;XHs!24@%QDvUn@BmsNb~h6EN?|-oD(0!CU5$@r@bxo>aM(+8?w09O3TGGZ2OJf7B_BZ*&kN21b@gATTrw2YIWK(Nukm{&|7FPsGVUZH5bb&rNw9EHef zo@7f&yE})N@m?leB7hriZ4akuAEbI(qF-J{+{tgc)RvDY+q%T!TvR3EG?(vOY{}B; z$sO78w0WkqmI60zgHpH8ES?;h5^& z>}9=8z`gv}+RjUNWFq5Z2=pN>RNLzPn)qz1c31rxd&glCIS z4h>d}kBK@QPBN@iP!$w$5~YyXWrUF;W%*)v0PE>tdH;<{GvJWT6_-x)w?z#k=;jTo zX2r$8@;|1>`9Xq^lGWjjMV%txT40JBZkaqC63I$Uo(>-t{b=1R4l#zc2ev6ex8nN^ zmYv{h#hI{lyXLnZ?W4+M$J+$3tC>gAv}>v1RogA93eCms7K)V622LrLi_=s(e?DAO=)EXFalLY1EBRCfx3o7dLk|c!sScC#4bWXL=BcH!g>; zCO6I4F(B|NLXR0ST-USv1!-Dx6{)x8`IODqM|eY!db z&o~ka_|mjk`_7dQRua=sR(Cz=q=Tos-T?fZr>-C*giE5tnLo$*b=0GjbC2ViPtMLx zPr_Y`Ee(gzUGwUj4rq4+`lN$cr)ux(sUCT;6349Y;5u$@Z@E{LRz<4mV0B>LtG-*p z0M8ZI$Ttt)qV8no*O=mtYSkrv<{<69U2va}nPSfVfL)?)(YjjY_nQMA68}|Rg03io zS9n~?FHUqh^e%9q1(DhG7le;8-0V zt9snGB+AtaHhQCY;ge70!vG>&ew2gVv1pnT^^2KNWllW;#kEQRt0i3)hQcajeuu=G z=4rQ`rw(-u`>!ls+`5;dVw#?TCLS#_e5E`!#HL;6a)-s`bKdylHVZtPqD`%b3O z;pCX;gF4XRdvpeitNBW*_w^$aW6epgG|@WN(eB};@|r_^P15;l8#0-I`kApeu|A}U zZTqP=nr6pb@-%nMujS`H_E@6VN;KT5$@lS2;a9R zZ`V#pVmHP;ds13XvT`T6Ztvpm%`Bh#J$$=&GzE+ zuzob(51+~(Oeu?LXlLfUytv^2S!>9Ka~h*Wn|~84ub1CLLl+L`g6oZir0s4$69+Nc z*Pb(Y-&Nv%yUmpc*KY!i7IfeY@syvXJ}+XY-3kildlF;~$r13w8s->>&d9Ha3sKbX zHRC|Q1{ZzQP?Cqu$Mvt2iWs+}Ey|Yh?lH7~&h8|6cS*JOf(TntB$U*8 zz$HjfICbO1i)qp+w+B?y#O3lJ3C+oRH3%G<+eI9wB}YTR~ewpETqi7 zSm4f7HeC#=dm7fS?{JgJZ|7dRUUyuR=0`A0a{s0e$yaa9<=~LKJC_cPj$8oryLzc{ 
zv;Nk{1DAad9;@n?1@`sIEx#BOx1^Qq5q4g*T#V6S5?}db0<}u1OZSmDQS^=|2;2Wr z{Iep;ZYjSfK51Lr@}i|YZ=+EB^SMd{6B=_(uvZp71)2D^rOWEPYFtfIdu;)pPT6Y%m3nHO1bA{zj z#GTs`5?*PLil!K@i>sscgZ*CpSMlBC~uuBb|HXM6b>Y_D55F<0OkJr zviAKtPACDNXm_=v=34Gk?zj_|xv&uB-1a7*cyA#p4CvZsf;wCuPP*gi)N$+76`{Q& z))Y#K3vw`Ql1=SgP+?(HUB@MPDqj;C>$NOmGYtjx@{NY3?XFB#su>eXfnkn#!O5k+0a55+zAUFA>9b?KK*;+Mtq;+tumh`H?v zf__IXkQ9{#OtoJ!aWjBdFntgUwsaeil}&JApko#;$}mqdwC(M!U$1j`5ch?t@_24n zVHh3w`Z7*elC_)*b)Y??G(Yr`O=2BtuF>SBQRtu6_J<0*EY5Wa-SguoHHYJ7k|NLZ z(&3jxojFhNMD}|xExb_Qo2efmQJ0uuC00E~!`#Zb<3MmYIy*Dj+o2EM#UUk-!=<>> z8lCE5XD+@w;z07BY^J6+M?nd&lytba&sgouZqS=ej@%_R(AnkFC3_RO9{p6wjqA}1xS5KV2Fs(1L)Z-1nPI1^ z3cm-^W(Hr$hv7ibmFXKYLzg~FbgdB&8P9)@xv~-(Cv>AIBR#-*u)AA$rO~6b<2+vl z3>jyX7?I+>*W)w7EqGhP;%N|lPZhH#I;)E<0#xTzpb%w1;`B-gF{4@BMKe|!=ROQrHt5x|PQL ziYE$hBUl67h96Dr9CmyYjW-!qHcXJ3*exl$;nQ=joQXT`^`TmLijj2EJeGjN;knd- zTY-Bx?A`t!`%{K?7LGd46j#Na@mGG25H~Mf;WsnZ)%-MQb2c9hAbMcF+Enfod4ZeX z`agI%kUurIY{uAHt&qcB+2X0Z7SqaE;HmU`H*}k<@`cwXO zq9xLbyeT-g+(;s2{>Tb=zWDZlTg~iSldzQ^+f2on3nE|8I6s8Vs9lPL_2!POAC`qX zu6Z$cw{EzbzLFLlc&0I-xVN+^w%OVnSn5(6vOb)hp`5(^kMnMCWVp!u%zEb7rw3<3 z-h6HFR1h3(?nsup>AUK-z!@%C%yux0;Ckp_Vv^ez;4`F0|OeReqQuJH`JY2W`Z>;Hl#~FUDAM)9Gd3S$X zhko%|&+jQkw_j+PB!Q;#H?YSi_xP`$+KI3J&cKBG{tBti^?OUce9cWtoFCC} zzUEr<2O9525D&VqJ^KWCDoo-YU-4S!1{5*6Q&lxx#fG$>$K#LY=tpye5EvfaxsGXf z+QuI<)~kFv#wigzRhtX(W<%Q}8oT|MCTfI2QRb(Meo`x6&nhZFtieFj{0Z!Ix5y|w zT(8~lA1M5X$<2QeV_&W5@19OCsk_HMoI`yQ?iC}k-BEG&V3anJ#>m*u66vtk1**Pd zF_`YL7Q0+Irk6V9qLF>XgP%myE&K=wIL&td^46=Dr&v5bsb0=ba341{Xh8yI-@HwB z)6@3ydd_uoZ(5Y61TI}c>PbO@Ri1j3EvLpH8I=hZ+vYkB4FYSZTn94hZdcdln3vGW z4;cu8@+&<7*$P%37;7X{nJj8EyX(KWTEXc*i7k7kBGb7bYVHZ`OLAzaB$wx#Y`{B0?5r7AI^s!p5i^{(bO5xe7 z0r76`-kcsU&&dUx{AxcYn4zyYsv@!po4X{xU@`VUHI~mk@tho=;cEO~X)~~%3{FOb zirkB-)_jy2ddfFS<=oqW>Z!<0RTJ}ab>TBbuA|Zi>-AZ0Twjs~M~wR2))KE#9s}=N#v~8Qbk6B8rlgI{Zv1;9DZ_6g34T=I-66072xr!`4Uq+08 zc!lpf%n|J27xube*OPz6F}b}o5|0w2i#DO_#de z2({n&nraloB=XsYvun5Kg3n^5W*l4GfYr)5Jl4acxq}pUBNZ=izd^zu2tM*^&xjBi 
z!KdD3o^;NKUs)GaYd17RX2Ug6T?6j(BRYuUYPby<$k(zY!!FLV0@a?D0;%;|{jy$L)q4W9ES5K_<1 zNpRjs!clS`WAf@cWK2G~`VUMV$4JKHWo&A!2YRmw{Pn*8UYH)^^HhZ@sL!$!+!}I1 z{N==hVgol_3lkB8l8N?zVC}W3Gdr*UfwjjpizpXl=vejMd!`d-w#t)Tn9ABioWZ>v z8n3bLQiVxuAXF(oN?dlsJ4I;e>@Iv@KL?coHk>pQduWIlWUD493=ZGRrSZnJ(NLcEKflDrL5BHXUlZ1M^z&a+jWHo z$Ug3mXYMp|k`^VDX#-FEFkTdo>8FdU6a|CH_&rP?E@m<4HuS^~JsK;KrSI{9gMiyUjIK=;adO92k!>&sQ>k@jrT#DUEwU@CkD1{@Dpk>Ea4 zgVs9fNRON^Ua}iDwyy^38~5_r!iFK<+Y77MOKS(zEH5_?1Es^u$64G#2KH-=Ie-e@ zqNCJ6v*G-TP$t^98+Ua?roOnrP)^;m9+`{DB1LX>+M^kxc#pNhRjUM_?Q0}~deVh0 zFP-ZpCMt5ASJdMl2BO9FLRFyu^cDsjDY8D72?V(fKG6l9X?*>;gG*XKMH=7f$eGK~ zT4B|Hk>YORw2}Aje%iFN>X(FWUPXL~Fhp!seYiJmV;?KG+KZ9i&11PDg%M!?@%G4N z$FiQDW{-)Cx5F`i;O&ij$PzC)IlokJ<6?YWmh!ZB&$C6xw!zLSUcEHIz7D+am|d~L z!S1wG8VhL&T0N7hMaa_lZ|J}oP`dbh(ixJWUXr~{I$oEa9M+s*z| zS7Pj8`o-9mU&26dnpOy9mF9YcY24NR664&joD?P0++otVmB;HC&RBI=t6V2W;Op9u zM4jEs@ZM1FaHu~8IY5yde1K(u^)O9X=>*CJIAlF6K@P3Cr}XtvU)0W9SR z(*DXuS|?YU(sjO)F`Ij2=WG@={sQcuISj4v_FVbw-*Dt4v(z@8a4f2PA1OcH!iYIIcZVx<$v=y+q zEch6wrCxo&j7m@ZwpYVQhUOs|U0Q2cOSqNoB61zaD9+-qgDI?eg&6{DKYK*PvbK}* zghSOZm6EejsYB8!_|;;lZyn6Bq$42V)9Wkg8?FND3Q?MfLW&HjHEgT3s+4W&SYcDZ~Dl%%ZiP{hHkxef7EoPq%GBAh3V$ zXlUoNV>!1!8?>iQo5z4O$U>3-1g zsXIZ$=?`hCH|%gwbMJX6pJf!d|ffq*A4gt|z0|xdY{@GXzwt zF_CT9phnI+7{uisXs?bp+P2|BrepQe@+0PD#d_5_HR_egF7}-RK|OlDBzmrt$f@?6 z5A_NqnJ~f|jv3;MOv&7+;W)-3t&FMP`uk0#%wy8%o%{3sZJ~>&iQ(r+5qwa(t%aZE z^n%BJv85w+6wm;)ZKP!fv9(qKB<+N!ah3soxarPn}mEX=irpz~$DU^cjPmMiU zzA$-Y#Y-5LCd2pPk-{2UHI_~0f57(@*Z+X;DO+Ec zl5LV~qR@z7c#$MAdL>1FmrUDb6_OIjCy!zj)32h6o~cXUdEQ2C!AG_= z-;TaDX-aR8DlxC~{b^o6b!Dpvh{R>6>v^F~({e)An27x)i_1UYD%wxYOT}(BFs{QF_0QuLw{hQ=lfW#= z){x!N&nPa_#6jXpgH_+FlB#s`rm6xCBQM3FYT&$1r@lbEQ-^2!(O}Ep+dcoF07D#o z-%|`q=&AYjUg4^{7WcHIN{{ZPVa*pWx%*mXcFk9>kok-6{Q!C@WpD54I@uKi6_P0r zyw-4@r?O8X=A>!kr37BSrW+e+uk`6tNZN5cRk>5eB+CiDltelCI0C+3c(!Y3b$D|r zNTRXx9lfQp$#8^Oc&~yd+azZS#!Warnzy%0?Lp{F!wcYAW|k4GvK4HZ0mozcRCJ;9_QV)i?7tKO;p$d^IfMZ zF?`qF**24p0DvYQwkK;2%eXYBy`LxJ@B5Vx?R}#b z6c7WD1kZM^OYz`Hg%d5a?fRAa 
z_1^z^d#B>X=Xn13W=-#c_(Nk~kK0YRkc>ROI+!0?Vz8af!K$Y^ZomApeI0RoDIOk9 z&1V4V%`bLt#SLxU$TV7nKt|$ol?!j)lrI)OzPQpkBn~IJSll#3aKWB=l5Ckl*!IW; z2KL9(`V{YE{Efk1w@4KQr$r<|CY*$~32VCd>R_d@3vLjv<&e*)iuPNn&(7+Y#X$88 z4)2E!Wc+6li&WJ$nrAILPPK+SYCCF1Q=Y@L7ig?;vz_3+E_1g(ckRt^A5XzI#Rw(i z$33-BdfY?B$fc6OEx~53X0VU5RK$5isueecUK6Fr`r)dHXFLAgZa8bjHa)PHu$LP% zGHM@hMDt2?Z_XzC0Q2R0T)OdYlRzEc;%;O7l?s0$6twANlLwIIeA=!};~dYmka57d zZxt&5vZiBAJy%Uq=YxKKGFI~li5q8M2@ccnd7{aL@%>Zg8)KjIbD1mOd+aAIzFWn> zqJ6Q#3p3F>H7@3*&7K2a8RACUV(U!d9%(2X8g2N3y@F1;O<*{BF7AM*tH+)^Kd-gGwW4u#%NhhH~cSPzS!x4 zi@{aGch63#UNMrY#Jx(mUF3R(6&28vK-PALuw8FI0XFi1gr!7py85NSh4!Yvy*_0k1Fy!P!UY;KEmL&CK&^O&c@NZY-Dk{0XV(5Llm0BO9vy)m@ORt5Hho z&ilRfrs>a>0JbWe*palk3)gabz$%?e=lt?EZtPOR&}I7TnNaLt6(Fh80(=;G3{En) zpHF_QF=8r3(@*P_H1TtE(?ttw&;*}ru-~J(Ap^qbJn6IVi+KxkXyMq;=GDB;Zxfq= z!;A3brq1mUs*p+6JviOfztI3ihaUqb`J-8jyR0({ETChlA;xPWF7IDU;%#U7m2-z> z;lR}71Z61if%o1+&JT{S65zT(;9%u*5>a!&>!}l_^$i+9?>HeR@*1@b|diwH( zLX8uN8eq7q;rXMN9%ld|v0*GlU9}6)qlq==r zQO@co5}6k4U^4OZP*J{LA=izL7885%B7SGswo!E8F~8zB zbXcNIVBlpp2$FxQF944|e^LNB^hWZILDqcLXPgQkrzXHr>DL+N;fCki*1Qs`0Qo<( z`?lAT7Zw(B0v9%jROsnl&+&);7DCs?Xeq6p=*i2HbvtilQ_p%>3=iZc@AIB6Sml1A z{=V6x#4AX-%FgRT7q2Yr3SffMjBo=R*ai4BxXn-9O^{G{x?aUV(`4MFvl>8EkUPph zmor`^1e*j~*IGt~zp-6VLDS}UUH~7<6Dx80Cxe!5r6Np{Lk<4pa|a*^lP7k1tzpT< zjF)JV-J7SGN69k7FHRwL4W5S%2n!b^CMjAu^*gAkwYSmiURMsZqi0AgfAH*mitfN? 
zp>BAjb9u31Zv61t2gh@~&soTXs&^(HKR;Cs-7-4I`$0`H_~(A_9Yc_KOD5ud zQLA6>r~y@<2wfwRi5PUt*7~E*{pXvWcM}2pL_$vbga73X zKv2ko+Y&;sSiS$vCPdE+cv#F5KYjX_FZNGf0C;Am@$vb=jIFkHz(4=*AJ4#HfR85J z>c)*f%jTb-7p4q2asKax0OYg(zqt_43(OSx(5ZF`WZ@}D(v6|+rxjs_N)|W@%5oHLn|t#jY)R)FH^P38 z?o4TDVDxrdIC*}d_R@C{?Dh6?*yA~C1P>akbE&T-&_9A6<(zGGd=l>Hz4zmZT~r-y z(L;60sv2eOfdsaHU*DcScw&8JRGyKZ;6uCEf|Gn&QNN*6cl~C4q;cS)33)6tnNhX4Re3 zW)+=-91L&DP36mb~mWKG!SQ|Jzz&ay@8+-^)$q7U&rY1lbYnepNWS1DfVw z26ja@eLFq@Z{O_zj8FnxL?gjbl7fCRE}?Uy`|kI zpkcirSDJ9EY=+J=CLXiiF7)O+{O8M!t?4)~$6I z@8~78QwS94g@+^UhDF=wUync2I=t#b#K)gF*TM5VJ6vy}i;pbFTN=*7sIQ40%_kSt z=O9rL)5gZ9BDXac-L~U}4vA_D4;3EKInfO}Nc$A`X9UHmoXxIM6|vlzw6EzN7um7V z2c!wF*YCI{-`qOI4kHo2{QXg+&1}!H?ynMZVk1J#QDnV59*ZQt59ajkI+rc#@xn)G zxsX#wS>RCpstIqh4eq4)Q?3CN-*f*f*?G49)Zk5PKuWZCbp+2kHNS}JZP*fHWly9^ zxpTT%=$}5V$Z2({E1Ks#Ti^-E`bm`T)ug4&)|V;$+VVFy59n!brt-_K0=AF}fLkGE zx<#59uqAYQyrGK3?}&sm1MK8%%Z2yAxr6)~sElEOXf&rK$!@LBb1THa+i8mIS$?RB zQ$;^d3GuJ@h%kXqZ;OhRbc6?8#vTDl%j!?!!uKf6R(o4cDZ@Oz_5D4d&=bumf^>hY zD+}J^{n6%%4S4=del6C;*)1kT0n#o{_GTr zc7-tyOs|#4;#uZXl~1kplE6!`HxthQS`kWW0Z=wTS<3j^etgtG_|wk~_Voag&M+Kl zj;hG-pH0awDhpwrLsVBsy>=+VjvJ4c!$9%}=JDC9CtE>L18FEgfknVncH7WJS>5+!T>YoMyl$Wr6YM0=d|I?R0wh@%k{KQ*i9cv!47&xY zbtN9(%DTP+zK0!^&qWm1ej@J`t9Tt>hd^r=plvRQjZ0{N*ubu`DUF-imdmy>rs!Er zK4jcznxJ_;8HpyLyh*Rnyw}xAuv!bJ^v+>+Zy#;+9IvrfGJxh`@@l^7p{lc>>ouFz z4j#Ij+2fLh;~VRf1OOeZ7ssOGkK>(0o-upa^WPSgUVLE`3u9JcdYi&d`&?$K>PpJ{P@shzvAY>wVvx<(jM zyW25#y0#W50m3!@NcHZ707<2MSO2gUT=bSB=|4w$^!=$_$E;y?RAG)1=Q#CWm@Zlk zR>v*ug6e*;YZ3oN@m3OyIgT+O;xLr}SUL>b@I&9o2j^bjlpJ_(2*7jZK{W zZV@LJ(N&Bh;eGT4ZM_w9H#L_zi__oo>%HSbWA1Aiu6UbL(t+hTUTfGA>6P(~u{>8p zi!W3!RbSKp}ujHNb&cuTX; zr+v7+TW|fNCI?OVG3PX@BY$a0u&VJgt$l0*K@EeBcx!LOh+ylxa7A5oq z8H0fh_TI1VC=Id*ELFUyJ^yaA_GK5a0d9z{Kv-OlDwiMKjlzN&gYpM-S^L4+f`4Xh zUo2?SSEPf^g<_N~ihpGByLudq_Ic?4MNjDcMNd$PzBE5NjfW0gsE}}@z1f0uwBQ+l zfcSNIA=9DiC`L(>X|5eD1+^Yr$@c7o_!{1Vl}_=&CY9G^XX*C53AbqV*!VK;mAd2yWU-B{i1@w5?~ripdjuIsN@nfzG+#q*P$`BM^OUENVte%N6Rb2e%QGC^f3POjCb+u 
z?KVkR?{jbk|Cxbp=Y<2{`lBz5GS5U$w~IiY8dqyv*48bTKYLs59)jnrM5&)W7G^5c zVceq2Z}>4Dd%5Hnd<<20NSb@Vju^pJ9tACc0OQU4K81D>`rTBK)BAhYQ)y!+QQvR4 z4okQuhKE5`o;OEk?Kq#~74AMC_=^F+)wCMSGl{*>;~ktfcYOZ%L#-=Rf0AKmlUHxt zb4QBWVAi88$C>T83OZ+ad59o+agsW=3IqMcWBt=_kf{4(xyYetM z+Wd>_HezWN0mOr|?6uL3xntF$&X4a!`aQ2gr;3VO+8ZS#9y!ZuzkGK1r4C3TOQq)E zX1#5fRKj%E=-)fgk&izUZpv&aQ9gXxkbjXJCn}khS13U+2a%!l_wG*D)G)s z0lETe^Z$9>wL zk`Nn0g6z$^4N~7;<~p$(gRKb-+eBshLF349tPXD@ng7Vi0#Z^KY<<}WWU$*ToIaUU zCfG3VqI&y)0c7+p>+56mXwnvtQ3*^7SqZs%nPNuYg_qdn<7S+5+x+t%R4ku_houA_tCej+HBXxBz-TFeV|B0>9g`u`oiug;@6 zc!qP-cAM)Jbn$tQ|}9o4$R%wp{RbWdsJ=ch>-@ z_AQfBOAX^B&l!6lp?K8-X73b{TU-ECe1?czdn~3MP_%c@q7?SaSuSGG+t$`{0%&g$ z#53yYaLJuuEFO6s+)_X8xIR|fMF8@#AO4C@qF_z+YW`p*4Fh+EdHg#_1T@wdwbARs zBPEjtwfyTEEh!hy>s}TPQS7P#-_N`>5cUUirG_SU>klaeXF`-TrO+ivs{Xr~{!64r`2*=ee)hJ8sC> z$o&PWi~R#q_l25WuMBWW=qh$7|46QyX~1+5?q`X$#&YXs3I~ppZ_|7uo0E2kI{I5A zA1iwI3rqglYEDv=^KQK;WWwu1=C2U8DBq87{NYO#yA34}XJ+r>hzk^5SgO&Iy6@^} z@jmCG(F8hjn^(=;3p4v!RCN4r=-y7!<^70T!$O7mT$+;T%mni*_+twg2H(!uFhFr5 z6%yU=f9uBFStk|!s2W^sPS{|1LfD{tjjy1k=J0+~v9*hVO`-^Pwn~3~#j0=W!i16X+S^Snhj zp+n1{H04zBoj2cPLjhIBA)ar5S;eQ_RqoX6P2<=NdZ zearmsKmC8UFf&~M{M4~G-2CHKCI9kv@J9gryk$x76v$q*gJeey4YD2GXq}|Z5E~{SbCFZJxWOEepC{I zLdNAeg_7_%$p>6o4zC~%{z8&DaGOpx1d>)|SuWGhz7c}_X(J(t zgV$kNB^`|wdQNsI?@Uag-XRjxq8dYZ<-w)@c%;k!w6wNXw}uT0=jKBo@*g_q7O5EHs zi}(`v-EY#b5=HowBs^zgUfz%CpRIDtkXq@^T}KZ$pQ&@eHB<#P9-Ds~950RGMQ=r` z(tw90TB&aOoalgIcGUb$CDeIHX|m3ZS}3W}-IpUnglean#V0P}i)*zxB9&GeeGI~% zi*_2-aPWxyC5Oru!J|Oh%l|RV>-P!vAFE3H4`#-($uzz&U^T0p%+{X$K#_>*Wkat2 z^0(8g?6Qo$-Rzv*s#Oqv8xT@k(LDKCSgI|(J^AH%@tkt4Bz=Yt+bc(zb$N!6d@8o@ zH(g(n>&54*h*7TqLiHE$iQWgMiI`n&vB@Ms&LJkpxSEAT%f6VK_%-2toViBs`+Oy; zOhSg=tWcMs-Z52Q(}JhQz6y^(%E~fV3GeLGF_+)oF(`?)uN-_C(my!Zfq*4PbfW1- zkDv}?A#9#)?#Q89gxgrSO24Q zE?p6P@Qo@{RebR7vq#3|V=!+Qe*iIl6I3Na8Baj8Xmn+(&bp`)eWIB@ zE4J+?TBZ;((p4aMFRePkx%<{enX7E)e@;Om+bgM`?(9j{%(SVShIsQVjJz$IWH0{^ zoenvN_3yWw9_zc^0E`>PFa)=f>n3t7x00f8bX-+f zw@IKLG8@x-zv@G|ltwPAruh2mQjSx7j}zDXGS`B^qvZp`5b?7QD3-57KEb6h0J|Km 
zo@Q0xvV;E)0{xiO5kcI`U2H^b9zdo1U!5G5R#puP)mWd4qYn06(Ge9AOP}c?WQRAM zdhcZAq2%(@RAza`714f4@!r`^_`?mMuS&waDLeWOo$DL9q-UP~>zjp@;4W%X@RV-& zFTiNb_QKdTwyyh$h9+<$Ur`lgiaZ!SsOuKLd`g%7#Dp|F+Zb>W z#1)s(7k(h0JX(Ogn|>-|)-8sAQwvgZ1)s$J7~dFf7!Jt8zp;>v6^lzkA)08r!g@!` zyTyhDbt`|K-vp0?SM6+PkrR$PuM`LLRahGlA8*4W^+{Z>{@YCVBTf2%zr?YJSyuks-d1{n) z_1QWDG>Wh3#HW5No-Zh{W%f!DdbFjY)T_M?Mspq)K4}@-J8Fr~YD5jO^QjO(oE(^N zDw4DB0#h~XRJ_&~O6?o#U8w?3Q4Zyn2^p>aDPkeCerj3I7{m@;(BrcUo;HChqMhU! zpwm|!X6j)w3E?!Wou6R52t9IYxLIzg+{&{LW!Xi#Bt9i%)TSCxUn8T29X`i&S!XCe ztBfO+F!@S%QeUa#gqQ1h=m%aOE#Dt1%Y^k$)~8B;H>h{3oldGk5^d0RT$=IfdsId< z>GMW6Y2J}szrOBj$HVBjRW94uEY0>naeeee_2G8SF03DPfB{A+^yR#1>{p@&I* zGrpOIf90}u>(dXFFHQq3midscbrfLwdF?14i;qUi3l#{7q6Z$~k)YJK_ucGtl6A@z z(_$Etw8NrhH|EV|wfaSiipuH~clfN-wREjP=vQIJZcoR0BEKGV(W=0L5V?2R;&5XT zh+Or&H&DgtMr0PIP!X{irc}Gl4l68mD@ydjJh}rN3@G7SMST8zw8*=7yC!zWHMXvD%2AMY;poo{< zED=bXDm2zK4MP8y_T;x6+ihhEyKFx1Ix`6mMC^jaI+ALdf6j(j!u280*G zkRT_jqr0Xl989l-wpO(_8}vFMzoocPg!%>+!S`op)^%&>!QWg!fYHW)o0av5jfWqg zNn70~)K~{owzfkl(mpq$RK__=pK^w3h%PuQ>4)g0K}sTUzuR35$owVoG3ybK105yb zc%#kwOCfU%vAf#)rK|v|{iV|qb!HERlOJYHm8#F~wt42idHpmA1RC1C)3nctxO?bb zjB4kGs(T%vPzRtrlkLEMUNQ`!a0>%W@vu<-dz3}Cvul^RpewMw=d4|-7kXvuhP)2t zT`zM6j|UiXI@wH%S$JX&)|f&fu~r-EH*i39$AK>j!wIF$4BrJ0HW4;a?%>7$a$PT7dGS;226M&jEp6g`Y#oTpm_cKg>Euu# zHqHFJUhx!yw+Y0|w7;2x8qHy_xo5H3pO}UkT*FVV)-o*fYPNYGLwXFh+tO7T_bliw zKpB)f)$y{m^Gs=$`kO`_gogsd9kH@onX;q17V(C3m({(e<4DwCS!4J(&cX@Nawel1 zuBKGAE$xDv!bSv0K^y*U$@T~31QgSB=r!tXQx=6n?V#z_<{EC8-eQn`yyDKo-G^fv z>GwH4H4;VbkUyR*HFC{+Q!-Rnlw&XOUc~rePxZ2qv{Be#>dv4mHKvQ%+@U-`nbB9L zfdCH9c3z+8wOX7k^hXEQ@$R2;^Sb(EAD8(aE(IN;v`r9ko5O0UB(W!-o7%q!e0@zsMP+d^>*?J|;NE*HmHb82&0?km5yXH8S+vRt=TqmONq zaKGX>_#OLPn{NkmiIj0A8NU6jPx58*M{rh6N=AxXg#zx|moyV>kulc~M6?rez>AQ( z`X{x=6S3bEW2xw}YJ!IFVk}$dXD3@@RzPimRTjSclTo@qp+?YT%abk3!foAhBeh6& zdtZbf64^CJ=n#K3$d!0^dAMyvMGU+ks9=IUl$=^pw=$3`2Jr2~r*A*jS(I-yY~2Bm z%Ca_Y^;Yy#m#X%fW-w`CcJ0u0yoR6b8`MREQO=k<^wzP4n~8aQb{pE+CzUGn;J&XX 
z26+?4V5CMqr1&)U*4-cf*$iLua}f6{_`JUMzT5OeD0k6E&cIzbeJglx*|C#bE%T|9 z-NR3z$H#_sBjnzRiA5DmU?I-7>LfG2stBj1QE^_C*=Y5X$Ux2H3)ZV-e30B|HV)9S}3m%SJEgIwdoHQTq z8k96VmcB|zbFji_k#F>(YS*WZ_gx2lC6f>CD{i-= z-LS%cBTgau-JY6%hiX+FEsa1|rd>_B)qEXS2(J^dQhe9UWO!#wFSklo<_pNhR;6=N zb(|ev_ExIOgP99jCbFSjF=K1OzOB7g2+~Fyus2bim;Y5zy)>6A-e!KLGJ2VJcm;?F$fz6zW6-SI><+fhc`yaO3$+PukN z%L$o2J0)4W<9jgg63)(hmPdG#XdxG(){(bEZlvdAo9)Kg!t^XB@kG|j*on=topea) zif%`lk<^joJh(m3!w!Q-)%xQ6mO*W3=ndh84S8SJdo38c14co;WvvaUzv;YPNCV7e|;Tw zc5M~?F9+|L`@}KAd)!ho-g{qALw8lH^1P02_GTJ()2$r4r;1M#=_n{sGCfWON6DV< z+LZGSR-H^36a|$w4wXN_9h>Id2gSVAFlaDH|;pQIiKb zuhJVqjmoba^e}6})pf|Rbqdky2B@1UZi$_l&WU*P?mQ)`J$joxBvvLjHE}th!1Q3d z(#e^s!Si^jPH*6~2H z3el`LA9eVAYc&?Ted<5V4msv0yhUdTw2DIbgItbqfvWNP!^W+Wr^C5I`Y&Lco&Lv$ zY5du~JB~Zm#EE>&@}QGQ7l=C9UWnoS%ma%Q-)vY~p$E^sDLAA^JZ-AN7~7BPIo;3* zjI0(s{j|Bs75vt&R#fnO`GF>4wVi~0uXQurz-NN=Kjzchs}EnRS63E|WzHsx@|jbx zr@4jx_T0>8C8?BgXt650gbWek@uxD5=}ca3`jwc`Axa*h`fRlFQL+f1?4q|cu3mh! zmn~^qd)72^^j83Kp02G{82-p(u8$WTOfKYe)M%8tr2U49vu(W2N#PEt#}xkTeV9&* zC{xwMUMO#}H=}1y`P(?zRRby9SK;KkdKaZk9{qe0Ufc9jR0PMU;{>}>{f!wLz;v?} z?VKX?Wsbp|8P@)2+TSksj!DOKo)tr*L zeMc3$J})8PMaQj@4Bebg!kU`CNg65FAyXgWw~YB%R2W>sWXH(jxCLTjeFU+Gn=C8C znJeLy$Je6JZMhk(ueogJs`}#nx+G%X#_2>1@ z;wSa};DpgC4y6#W_)YsC!+VLKfc5QDK|zY7pRzsnBM+iG z?`FmuITK71#Z$7x4$sSmQ5LR;(|8_~#k^(CJSi-#agcDI?aWM-;5PSZw*Aib8ml{5 zA%VkASwrIv?;bq@{-icV%574otdCoNb#JN zbiaj9c)u_H)tm`o5+yf(A4VDu-b(rl(2D9`yY}2)WpG*>QZnr#Wg%&phPU=Px*9|F zUyze(){*xQ8>T2;`2O9T?MVNG5@j9dq>2f)^T^vGRIJ)Q*FX$MB;Ebg{}ZzSUJ)X= zaywJ_v(^iGDF9eZzeUh-qWh`t-o}LWC2rrHBN(qGsbNrNB+I`adoE5vKjq{eEL7V} z8#}x^3WHty>#+OwN|LRq2ESEwE6*SZ+mTLX99ACTXwfQm>B_$yhX4N4Pw&o0SunR1 z6Yqang8vDK`Y~P6*()L-4^dDIO|18>nkOTkkCPJnJ(RO|A zp`H%VXww>)_0iB(k@0zthuKSbS z^xW^Q!ytfuCF?InK^JdRB~WVeB0txB7Cdd(OS5*eGqBl4Qt3zA_z!-9^I07t?&(fT zqcUJ&%B)=|I5X_oo*g{c$i4oRW>QB-CMn!T6Dp*cd7Y{j`Jpg}QKq?5FQQ)$F`b&6 z#V>s_Mvz&fUwoppK{JVb)x6ewGC^7Y=}(Xb_!-_w#P^6tndR5kqm-Nhd|0_WA%j4d z{1kA1NdcP5*IXwU!Hra}iYmY{c+`^1du8bRcpFo;auCB@zO;Z37V*BtJ+t{}cjl1m 
zvxseiLVKX@!Hk)cUd0bjzuG5@>fJDVn{jEf?5nxM62c0lEqW)i(!;5g631@?B~N4V|hNVKV_a^oIdA8i%YJ{d;&#%IS-W&$}q;_f{US(TF$vKb_76(8N~L)hxojim3b zXdGaX3%J++q%KOivT+ogrnoC(zbu~rmNiV1q=dWa2Zr52WiWWMt3dH~ziA++HAlV^ zZiSiuP5&7D&GY#4=ax--~G7r&cgYgepMoHBU1l6=lE~@S#H_$CRaJI zr5-WfyZB7gX+y7PYF$5uq8Zu6v>&(4d)V~Rm2(1W%HW2l-|Y16>7P&w;-J&)XS?0l zerK|Z{A!i_ z2F8^-&L(2M1oqlj{0UTsi6r`Kyp-+txza{WsQT1i7C(%PnbAKdI-4U@%( zHgXF`G+MpWf1I-W><0{$R4Nj6?)Ll4_h?!QLz^@FCP_xY)l(3~0SReTNx zD&YNI(UV@)S2TQ?lDm&@P?s85jih=B6{NW@PTEX!XwZ>tLUElQ`DzIkF)JJ6DbIN7 z(sz7-ii`u`-J+^u?Z)cqi%Iv!wBlik1KCjJ`_5P*E|TZ;!GJH1%I`8eP z<`r>1*B6YHgo_2RPb$X{M3_40qEUN|~5# zqTm)v*5COPUy zr}WJACIt!AAcLU1u}R&o;~PWL4fqA?m)F-SaPwV|^Pa`$<<(MIyby_YjQEK+qSVE! zMn1+_I0qTTLk0H*_^(<6g<8JqARZ7_JP-RxIv+82w`abzG!f0ccuvn_498|qVe1j` zuE)Q;xldjB1FXU~<~H0H@g6dNm`~l2?xd7$msN%i;63 zWh~WfiJA>16W9Qfl`3zKxEk2dnzwSIM5CR@RD*B!CfsOm%dBbRz#r3aj(MEhEMn{^ z^#!WfJHpqU0ABe@35mS3LZzyE<{2>4_TBOXJUsVdTgOAx%+cV}Ze4rQTKCuff>Lq= zp@xk|fbv;3rs)s0i9EQejDjq|u!1H_Zvx!jkoJ=yP`i?0xDd zvNQH9BYtBJ+aFIeY%t!^R)}_Q%HcXeJn-td)Q9_E+(*~w)xvm;=B$mturD&?pL+$U z3oLSkymmK;8%X~}FqdVwqc(`s9wG3Pu9E-Y70jZ)``a+MML}c5oJ+eWl$PiLoVv zI|~E##zQ4+nC;6bnDT>nnoMX4lh>iUMihEZ#jjPIaa`0HBkmR)Dp@v}Vr-paoPLMp z))mT8Aj~j0WZGzpn94cjc+VB?9MdB&JDd=i0RSf%0z-}jb|KFI&hJ!D1qsPf=BzQg z!zWuJes)aPcu8SAlvijRKwn09eU}i-9veB)Rd)bCZoB$rcZ?ka)RawFWl!D6Og=Iq%GSjs~?>)XubJ0v^?IfWk!MYew)#wZGYp zr1}>CxfTZxz>Tus2m?Yc=7J9wE;2RGXyg=)H6rMHJ1pLiE}OzZp0kFrx`S62svVzfs{ z*u;$oM2NH7=2@Y0_UkXm!xXym8ro8Jgz$1CQ- z9~q~dvGG`~dSH%MRPaV0GGq@?7wKFm&#%HMz9{~&?`+*+PN~BDycCk5^WN6=)h8lT zM!w{F`w^vQdi4m${x94(86Ummt!~p&-UR6y4f&ASe(&;FcMURbqTmr{+0Am{$p9b> z!vs!aY7o(O8?twm!rUE|2x3WluJlqu1jHB*tBshey)Nz=a}|!8f3-UPtbE@77^)rH ze@A!$K4(a8<~Oqy{(xt14`Cdb<66p5E9>cromZ)?k9g&g_!=ub|NL5g#)-che@GC+>zzHQwS&f zi#gH7Ik=)WUcaGa2OC2PEFx6zi#|%@!nYN_si*hxt~<0xVMe&!&Afcqot?%fJ@xY$ zZHs_^;u2;UDQFi z|6o?c?Kq^eS4?UN^@6td$4k@9>S^k}kzFUP$PfCiJcm z(4%HLxQ~0F8*DHq@Vft05uat{psibyiF&Pl>g4ZsvRte6*9z?petNc>lcDQ?Hgfd4 zh3BWkl14Ful6uxGnKhXj(_j@*QKBOxEm_h9=UI=fJ)wlG8u 
z)rE#I1PTf|eo_9!0S*qB?%iwh za7xXcT}vd)E8=_|@#O7C0T8OpzmCFb4M}|0*_vnGPFVHQ^p3W=e2Uxn4rKq+Z$Lsc z=k1~|QTYf`eg}%%=fdNVqe!QEBX?la^6DKX6+^FndpLxaOC|F;z22Rdq{>~p*O`{T zT|tNe60mTSESpXBjcl8G+ZCT=Zk}!1eDUc5?s?t%{(Rz2m}+RJ1!St;pD?doq;b>H ze^7GvQO6>ft4Ls5TW{Vn7-dE5dqnrR?TC{LbOb(0MzM2lt&WE$Y;-m1?`3ee&fDn= zE7ot_Hilh?gwqSAOMFNrwla=4%f{RW74m~7ykF18)VYdw!39MLc{FU7PbHgmFd`Kk9q zRCYY=Uk|ZrRt)ag^_;?|Wc65VEzoMvwD^0LC%>&VS8EUCmjsJ$<&4`!C}Qo3h9eXW z=6&<}b%A}tS@>du;BDC^Q5-;@F*?EIEog3#*T$#&#WcUTJv?L;U0BTe&oC3v=pa5c94S7xggA&vG0>vmHP^=Q3IAb zx&7J3&rm$~pt<(B>hT3}J~Z#9pL}*Kulg-s%xCXfVF6vo7Zn-ny;k7n>eNWkhh&fxV11lp=fvOiA(L1zwoO@a^~ z&ITfNtblaLDi4GE>tVuhUzCMjzsFdbgFfc2YO^#oCOetB5o8`dYsf8k{~X2tg_o2^ zh|=PSZkBOZw(rVGnu}&6Yh(Mj+mkeUhWGY4+e?HVJ<{hk1+qQ7hvv$~zi&6{$rxc* zMGrqB6+0H@vGbxBbAb>@^?-txx`AXiUQBsSQaq~KgW01rB=|9c%{;ezTe(VsS+J(z z@b`2#T(#x*WdvqhcFp}{R170!TXYs!Bn5lSSLFwnmLa{UbBb`W9Vu>Ht+81YRqeci zZce}J)Y>zolX!s-W|T(1UT$X#_rfd2o@~kD7CiN(uSky#bcU8QZ@h|aq8#@{j0a5> zH}lu@F(?v4rzO?QQ|^#2Fw`8YAY~!b$`W!|5?AUzrHZaaNvV)2svO!Cw6qO_#oLCB z&vw}!JqX6?MT?H+8$qisBycV!JK@iJ8Nh5wxin@)mVy)NLI&NUs=d4EDCbpI)#uQU zKhNl|_a^SNfQdoxtgyfHonU_Xd1wHgY7zdI|NZ8Z0(9v%==}TJ zC60c?OBFj3Wb#VLNL2KeFN-xEZ1a$*lEA}+oN_*ZOC$dm7K_H8cM+C?x$!bMYn!|` zAmMYx9W`EGdu;WbRs$LQ%%Je34!a)Se<(Nv_uRDSbebCMR%WxOl$oKhS$$GoU#|99 zkNFqLT=NukQW**Df5TRTxH*MYU2!qRl5>aX{;>Jpz49&uWdm^}n6$ygWp%&+%r9#1R;4bX+_|)(_Nl>7NIrA%adnHp_mnv_p81FDXuc}CAnMs z)TNw4_Y7aNUfEgt$zf{@2lj~6Wkr^DpE@a=3;J1ts2y)aoz9*-ktG?SmWkK>Ndh6y{@%)zyH3?Yt<;(IU0LNXZ@4qx}u4vmJvcV@|?dE(Z<B0JZ7~0a zr+F5!oh_LfxEK6Gyp|mnRa`kqXIQ@&ks}qVhZjHz+`~XP1@mk|QQR6j%&8uEDF z`DG-~Q>{BsDFgd|19nsngBw9)Ud#pidRl$2_5FU;HFEbkpzbNB<8aShYX!BB(j4}t zxk_jPZ&l~nX!{o@c1pneCV~GPLeUi(j$G ziAI^4PTLz?hb%VF>heyxZIfGUb)OguN8}y4lonPQws$?RD4P?4%{+zpI$4t^PZ#x; zC6W76G1zLAh^`F^tS8z;Re8F8FziHxeg@CQ5`RHYe$5A}IqmlLVpXSaptf@5%)HXnkbR{ApARrw?nsjNRZ~y`6CDNpa-XVx|qoC5HhK}^!nZ>@K|D{t^7jf36(T=1qwiyq3kMN5P? 
zQAF4T>9V?*Nja*}Mn|XQ>`-`M_v^&Zn~PD}O}~Lk26LQ=qw2E zT}4m%_r^%1yJoE4I-Tjpzj>-tUy;HO!bV2ga{2S4`Y&+Eu& zUG!^?qb5_ubL>cCtTT?0N?E0H7m2>ftq7I6LL^&n~GYkWsn%la!* z#4jQv8LxnI;8R>BYvxX7_AqXKd2$5zA;3at;dE1R`-*$7rH;Ky-fJ`R%wRf_4_Qv= zdrS??zT5uyPtC&agyuqFB6`Q&Q*^SdU+59Or~b+!U0(y!#T1#(4`3Y9liXCqIm5!u z=)!>4?Aj2PkyBdIhuw(w3Vb8xX6)vT(Trd(efY*GB&HYmq*XxQ7Av**BIR>3)~VEK z5>9}umM5Z{dU;F$2D9&`F7(N?D9Oj=|4`pwjA)q!_6#2VMOGRPqBR~Es0)V0L&GZE zb7!!g6y+SXDFbkm(OT>VoQt&nn^pRB3w1+2ksk`1tA|{ScAgNC-hIO%*$;@Ali}P? zJoB6cugG&b9sp5yVJ@^%5XSs*|g#lELsrQvEcVHNIjDy5A#I%DTF&`waU zjxmToj@eNfn3`jBSNU{5of7|$pQMnRN|e>-T0hAG%VOOC48vcZ79lhl(1Z& zVNsc!qG^|JTq9IlP%(*%^K-3K^|iUHp>VE~*HK?g6rne=^&s;=Cy)_$Z*rlR!D}EU|7AJDy1@XqamBZYM~YiLu5~m5od~S4a&M|P&%?H8J1qQpoXUcQ zrkiS@yDf5&_|+F}F3Q&Lt=i1A@qs|RzOtd(T-5BX`%M{rcVn&`xOOR>>d|SBKh__p zu8s1=@1k{bhwGSjXnyU}mY+5Xs z_>>1jt9OMGM8i_?23dp8Xso=dd?%@<)07)ytZxpci0_}DUtiD~BdKXCPl8OuL0&RU z_{zY+ZIMR|2)ezmV#n&a$GQE*CNyKd=0VDmC}X$VI)?`9iAa{Asd3n8@;eTY;!EwC zq3esU*b=?(acSDZ+#dMd(j{F)97m#g84*lWd}BOLMcl^`X0Fp-$n31Db5?L%JS}{g ztD*>K$q>I&;N^xEnL|a>bE{8KzD$`l)LGfnTh1*Q?=gg_r5#=KJRP zGpxVIb8`|=$Ik~tq`4Y`Zg9vfztQO~e|)?tgwHpLwixN0hj}=QL%X101?_71ERF*S@sQ*p|i;;Z#x`lnDBKf-I%H zrEE+o=z4z`0wuflFbLYv@!mv8!iEFXCIAtPGxe)(J@<*6SKOz>X6c=-?`p^!S*LITx|8 z)_Erd<-8-88-Jz+uij)TC`nVD^;Ni^85{9|;?Ti!tewJmy^POjDeUffLlEE>r zj#95~ko$PIyMsVY0Cq1aOB-Vmeo_(KXghV*bc~#7un5OYFdhcxY4kZjR1(uQoL=oH|5 z%2mZBAKHJx>)drd^--<4z65=}p?baQpeh6s>Kv8ovK*t}afGZCX#4?zN}i}jgW*ni z@&oWdA%aqCg@O^CXDiS5HeH+Z5vJSvaLSY8JWbQ=>Fg!+bHx|V45%LyrL9AJO7XX{xmj1Ru0SPgm)HdZfNF647aWwn)~9HPW-ye#vT`jd!L`SEGW6@7Zf^d zHqIPQA$S?ny!&``WfcOVOMqF$t!>|Ug_lO;=QCB@=7UHC#$Dv?m7}Vls07}$e_`b` zMhLabb2dznh{jr;Gdb^fNp4A_z?iBscV!?A0&R$@s5uMI&72CTdRVr2`iqXxLyNu3 z_agam=;b>N_D+^VZD_f;@>1vh80mlw3kw87*d(V#79 z;xW<|G!6s;G;}-QM6@cjYVW>FY>qhvU9)CIjptZM5?#$+6;#AXw-Cm&8Mv6CTlXUs zWh?Ji%Mku&-OhQEQ2|CXxW{-Cya6lRNeENhY#n+~b2gp`O0{u8gHdAEUl3{9Wznq0 ztw`S_Mx8N>Icf8`RG{;Pd8Cu24Va>BX^lqU`7@}v?~8pK6A_7l94T`iHEZ~t#+HSY 
z6?~&_kUPhjBYlE6hp@ne@4h@82ay$e^-%7IPi~*+7eqn_(r*K>agefTPwG$q!F6t? z%qg#sOCz;H{n=TWD=0S;pyS2iARHUXrn6)yoA)^UsdPX9CSW#-!(@MdkdW59NXhry zD-LM%$qfVn!!(u&ZgSzh8&s=Z$PjJwdi%|kT!*m zAf`BJE6;SMK$X593>fAIkg({qYA2I*8Ie}FFL~{feE_X63CN#Nhl#4afF`zxzs3Q` z55}v!hLu|hWkVu&G*@BHr=^kz$Fte&ta%(kV8_|7<>QnOb!J|!P?z@}mNY3ly8I^ zbzRXro{FjV?7c4|ny8lr^hoY`o0T$`0$4^Ji z+_!4Z6bc3{g;03xP8%W5raV9haEWb+f);@JH2Y}G`%U-34J=-F$T4XjJsEx09ST(4 z#0vZ(#zE1mBO|AM7U)n<+fTPrMPp|FsCVU7PZMK0h2i0}(yO&e^NwXXzf;2c{HIglW5`9# ziT`|4_DNM?+jvxX)vzkmaSV|YFf?Pn#ES{*!Vy@I=Dckfunk|?qg&3knvjt|AQLKt zVox_@d-QB`k|5(UZkqF%M`~{13Dj5;-SpGK9>e+*pXCq(4FZnZrLm$mdBCXIC08k4 z$I-cEYl95m<*zHPNpKnT5RRFd9GhUg*|^X4t9>HwoY3kF(=yLP7w_xv`AVF(yPq!Q zkBnTti}YjVx|*H}^WyEodMd_ad0p?%BzI?ZT|--FzSM@KnBHENRHurlo&UfDv_}fx zla$EC$-#3klk1(Or2I@?2y>d3ZQlm<7dAqR>}>|aL`BSeTOnOZE}F%Cs%(kZR~K5D zkM|DpI_fO0}={OfHDa~*T}w^iVQrC#1K8 z3jC;4%L=xr@LZ)o8`=UJ{CN{HB<&5n1q#nna^m#csuxmzqKq@zUA!iKViD(Rz934T zmvNrx1-+`2l%VS5_mRaRo>2<7=DQm@q0#6(_;Mb0W&`thv-du=dE@QpePZ9w#d=-a zxV;;3B2gCe&77b<8-^CMu6qQ*belbBwIpccfGzOm5^^y90E}+>1$`9)G^%As*prW{ z_DVPOTmF@fj4lvW(Vb3fuP-ambIAWfD;{!gw3!Q=YBILDGqpX6M*YGG;%Ch28WAGO zMaUH^e^lViQ^hxm8j3i!nCrVLwe?PvOJnAxlI@Zq#J+pic!WpYJFX5nu39Xq$$Gx$ zO#gP$sKt7`n~KX&-R*)5)tCfS-Bd&gh1)a)Cp9Z3M9JL1jq)HU5t?%dn zu?cM}W(?W#sP9HGLqARcjZ@ewW%53gj2K+-;r9aZbV;`)+$8~sca^6Dra??#dJdgq zM;rKQ<9II2>0HqH0hYxAMXH!3N-DRCjTTGu@F6;Rq;vyz*^t|2Wr1;hy6Ndf%AOR3 zV?wp=|6ATgb}ojdI88U}5mF6bX=(6ya{0W}RO!-8hn&0W(#pwq=1VS=}_Q=T;o$}ggpZK0hLPbnpf|n$3uOl;gRCz%Am%f((xH@ z`ziTVtr~3d;Cb^|Xh^^D9fPi9zG>$ZAAm2@Mdcp7uc%o0aSCrn0>IB9OuPfxr`w3GgbJaDOpVt7qUA=c#bq7ZwCg#<bGIgLd7Y3XmmJUF^*I8yE0jl2WDv5DMF^m=Wu#}I=bSr`&AG9C6LV8fV6XLuw zgPRH02&5_Scu%p{rKe}B?N(tlLbcIfJVCtScetW`O+?f7u|(ekTKKcJ9O71@i8K@P zF?%a@Jp#L5)pkS9;uPORg?bT(l|7!X^nU^~jeG*W>kiq8&&&1GZ|5`EFULMQtrv_^ z{Gyys*vG{sC>1bbJr6*No&wKu!k+zDAO7UypPx2Xf~1#rdq*hc<^1mXw#Ma+Isg94 zuKf>algYg`o_QU;aeik|CQoE>4RWXNfy7P8z^H$Fy!pk{ z#}KeWOi61+{9hREf40>n%Or~s)r$x-68|^c`d^U7$Ct17uMqz8KmMnW;nEcsW&lhs 
zaQ`CwzkgSN#r{7~=6}+w|N0ZZ8j5#h23mFP_y6O>{_Q-a`A`1k8D8+=zdfEA+;|pJ zz+q@g@;_gMOAPmX{_Pk4$6=ETF39XVJWu{wkpKR)FO$6^`y}z-UYLKrY_GHc_6OoVxUnD)#)aRZl{3k_x=?(ti_HZdZ%m3Sc7oi2`buGxj) zzgjrK4%%mdnVP0Lf+!cQ5~cCAir~mf<3K5-1dW}#hX`0}u+Vw;AS?Thq!8fd1(;=2 zjmf0z71han&9jURf$(SF;xkmhitl-C;Jte`R87YGZ~u^aw|8-m z?W2bmG)lb0&dl)2{dyL-=1f1oT4Y2eeyE)g&6#aDJDfjVF*&i{C$su&7np%HkXsl{ z#qM=jw(^sR5Aa_Q(t4N{(O#vtypKCZTHceG%G^V$4EW;JYyS9@xBD_oq%$4P)BDOK zjU_YuF9C}r(wmvz%@9@{YpkCSV9@Cvat9&Llg3lr z@OKoBr{dP2qW5MhPd(iyNpHnHKX1!y<-P3xXzbJf8>`=Aow^BGeC04*;Wja4j zL^%c%r!O`xtL|1~;U9oGW;?Rf5h5zErUu=HmBwSQ(~Kkn1N>%mZ~#o1QpWld6Y!8Lp(=yJ@w*gob ze^=CS<`+gMzp2whW*2B~{*`_j)Xxh&42vYMWpl`(gI4i{9_H643>pwWf0rZ3e{A-_ zM9Kifae?*5kbw2c)=3HEo{JN3)5YRfGwtEB|hWP z$V3A^?nn+?Os2&DAK0(#IDq}4N#Wcz?diVwh$uVA%G9{#f&IWlg2d5+;sk^1WEx7O z>C=eGbbgD^(us3cG)MTO+!;;Nbe(re^^wMO`3zp@N1e2NkUQk3rd;ECw$jyK&OUtT zCP9U*KiW)Kd%uvvY9uAQ964u7yr$F)$!eZ9lzTqHREvxrdSb>O`%w8*`eeVJ&1nQ? zik*-S9sW8!okyu7>fu}W&AVV}px<<>Pi9zB0xMGj#BN?qudI%DLcF2XKgB!d9T$@T zq>aUY%@(_E=t&9$zrUGOY*A(cW`)4x5+^OLa&~SdkJgR`p1vaQ8_oj5Uq)RR1tGD%h zT18t3`9XOA$<^G!!lr`B&kGaqJpyq0%HbrRb2slJlzW<7u4c=ToMv>58%u@#qc{mv zso(=qO~b>x_hXVpH@BCk0p|^7jWDJXD)O@N93NJG5JH|wQ7zY(B*@hRVY=2BNj7)- z?&?J2Ry8)g*0#`fFkhv9U>H~nIRn0|&5V+l(|o~dqzy^Pf%X2Vz!@m!DX%$ohmhD? 
zUzH;l$~c({w}HBf=1&6?t!PeWHolz^`Q!bEcjJTC^YY?EA-l;RgyID=rsitNd?GSi zyB?$-wc&)HSr^sp#K(?&7I!u;k8#KQSRHlkS)hh(^|9;B@-asRKmsL`}tILh#Gh#YgC4gpOezyV+ zu^@Qzg(Rm5of$t-_V&|HZiad1U&LWmjx#=7`_o>$RN_qpZC6S8k0bUt^;QW2!HJWY z$x%~|U-xYr>oYjdM+yXv2KQ#o7xiq6*mmS3B<(C7k71&AvX1yC^qE z0#Hy;J;w{iKI-p|QFt>-lfh6r+LH~AmkA_ zdXt)4*gHUN&ff<>s_*yy15$keK&t!Bj){`M=)#0X3HqAjWzJfk?5)xJ1JD=B+-F71F~8cKb5QOOCH0&+f6Mplv-e5>uO-U-F4X*%XFbiva1`l zzF_kzQO?UKUK2;>_2OQq7b7Iwl9PYos{6BA%(ux>n9q-_U=a+G`3x1?lx6~nYn9B* zR4~l*2w_vva>TcKPP(kp2u}+s)si6-J2gH~|6j;ziTq~fq1rjt>RCW^`xqD(tYlqO zD}tN_fYi^N{Q!{4F2pzwZ6@ZO5wCXG0ZYD;E<@Gl(#X{u3@XJS?~48&Wc6LXKGY)+ z>}6Luvx#GL-D&BStb%&aY2rSI-81Wt*832cn{w?(v5C^j*;XPFx`e>{lk8rrXj%)G zm`I<-mD>(&*KaMYY}WEA@KgEeT-)vuEL~lUP{NG#P2fi%6 zZ6w0k-gWK9*@>`6a7OlR79Mte!>^jMLfA2*m8JY&X4`KRt2xO0X6S-$6<<9VvYi2_ zRSIrnUiPNCDy6%U)30H!XUFoWQA<(}YI+knSU|CM5||Km`gzT{P2PywsI4X;Z9A9W z?uB^jB3N^)s7lv~goBZDvk3&`arrDh_wZoGNNopZ!D@tD+OszhP|55?Ux<)_w)k=n zd{AiSsYzkqftvP-)jZ)X`__IE(Wl63)bf;%7Kf&4{t^Nerjv+lWKKdBm(WJRI_qyc z-%|D7XEQMj*h8F)oj6HhvP6M2K>Z?`Fww)UoeX`bWiMq?PzZ?PrcvbeJ>o22VfgCZwdX&9(FbXhpi)*?wHI}ISkjDsLXwmkUd2bq> zH|vp=RN=ZnRID(W=;|o@M{z3&=;5B6 z+77<<1hxoxh@9yh>wAyBzg8aFtHC)h6SL_FHL@P$37}ccAU@?L!<>*fej)WQ*0(&U z8RyQhU07j2`ht1Hv%z$`;Wei7B$@Nt%6Y7KJjXp=eSnn=OY)UyEs#i%IGZ_-Zp>1U zTLDN(-&n~R2cL)V@Xm){fF6W-c;c~PUKvOx{{mP5P7Urcihyukppt1N9UoDMhU2qP zCMdgUe^V0~07+8lgDlFC_-JO?@*qucAg;5>`qqt?6|Y?VQT6Z=D?_1!y9z2|k&g1j zncXUfSuVa$V;yUu3y;zkL3FP^qWr(jtjd?T8}GFQtAiknaQe(mcP>OP>ZOxT&$-iG zAD^z(NXlGm*RwC4vo2WY6~R21(G3?s5Cnhv`}V_v^vc{#lTV5b2bySv6M1=4lN6C~ z>Y^l`oW+foQ)e5qQJILLb&0Gxus>|MsnmpW%UX@nii=vxx^GvVkuMvIlpJl$_(h7` zVVNfMIbrLkJ74iB;XXF-%tkAi9NA}ea}@3mh#kFoPoPr#Ihx>-e=3HEu6boxixwp3 zaOa`1rHRQTS2xgB)?!@d=37wiF?7;#wt8*UrM)R|Za%!0%#i(#n4~W(0d>XwU_WL_ zcR5sBW9t3r-i>?C@H#sfsR+VS?d`rAFfj;Or}E>W7KBRXV_opt3riE z`IAss<#R3l{zHe`n$eQIT$KYyK6^dx(+8ndE?)~tWfPEZ6VdM_RmKa4NS)jMT>C=4 zt%gJ0kEY~$$86}ZjtgQof`==$`OGQmjiMfOo^uo1*w$BL9cB)uUdJ^GG3>NTNyBmu 
zr$9EyKNowxilAFTzMtRn&I>c!k+uG8LY?TnORG?KtV*AF|6AST6ajb9sLJ~+YloE0yi_`yLH=d_(HA2Joat@u1}_XLs~;E2Wkd}#IO;~mJF@1 zY%rjH;@G4B)K5=Yn(8ihfyNx~TEQYK!*DZAt z2Wj7Ln^{JFfBNleJS)KAd7l)~ibkYeka)^Vf0KAiPJfbkO!ZZxFC=yZGw^3YBH+dy zxlUl41TfP}Cx^++M7eBTn*t?STN~HM-H;3mgXQeXR3hEQtSF$9?dq{>!#;xxC-$om zd}W<9D59l6?4F%F_h)62&S4}%TPX4T-umzPvmYn)eb93kV9Za#8C$%K<$dTKTOC2A zcq-_|BTe6jo)fOmtB=SegwiP~FkV&5gv zDyD$v@s1dZvcUQ}wu)-9P<%8>Zd@)OqDsj8P|H#Umr$0q=JkT;%9I99wc))@3T#57o9A5_lAL}d< z#Pu59hkoJg_1b9}f91O!bs`mcL1v;(ZIK?MTzs9HoPa`au0m(OhZqPZ3q!gJ`tF;L zf*;Dl5f&zQPEU-jmyYU4_vBvG4AIe1X)av41p59`R_b+92VL;SU9O*v;@z}0>Rocd zr62w;-sYB496f_Cp~E!m7v2}9^;%;r3EFxlsHZ>)>KCr~9{suIfLWn#>H5Ns9wgIF zwg}K=>xkE=jY$VS{N5&U6d7mtG|KUGy&V?yUfMb1BwPA81}Y*XUh#WyTO@I#ES`)D z=A$CYCI2gUa$Q{;I!=jMRDW9xtHn<54wHA)0&VMteI2hK?k|M5y`W;d&0%>%MNCy% z__aCQw;r3M9*lD1;gJ;*5~b<^c3lMeCeB-%`jzeuWsV^0udKe4fgSL$+&=-ZP0kao zNF(b2?GJRG-?N*~)hwCtT8)nSuiDY8z`#_axrt=D^QVeN(q)|29vSTz7oKUz(!y39 z9U!bBUSMCq>E@f>$n#LObFcGD<6|nmql}kDA8{`~(E=oAy8=h(=FzsfW&vc?abzh= z)NW-N-54HLBWd}S)6?qnQ79GmnMtcQ1|A6PvYDLn0x}d$)^pm85gSxls;VhKl{3(Q z)5HLGqG*3c8k}LRm{1naNuqc6X4@BNBYSt&P%#wP)2I$m%~Sf$Nu%YSsZ*X3aNBFV z&Pizc8w@*M>#i-K^8XtQvoav`eXvnZ=WD_o%Xsp6IG?Y&P)l~!*68OLc`B_CRp^M^ zEtDrSC=7K}lwY2&Z4j;r6})$jRsFzooX4uO4u4ys9a1rVB1~2z()N79Birg=A&}xJ z0Q$rWHdqM6%2cxa1NRas`gFmN&Dz>iKhl$Hi}5MwT^mxNz+{4Mf4KU4xS$<=Z6Y)I zdEU`g(&i{;r%I?4xg&s29mO=>{=$5BO63FdAs`dOoYZ40ba0Pf;CSGyyzWK$IL8{} zXODvidRGNzWc@jnEdACz0?YMy{YJTFP_6e-VHe3vHfg#t!l-E|HwO zX1BSER`2pznt#ajYbvS!waq$Xh4*3LQ9MV-v=wFNPU<^~=G3YXtIYX~au31@puR&km(K^i?=2QnGvRpfd zJq89IY3mUcti;W(X5QbE<#{Ss!i@Ws1-=P#$+gjr{t+tssw$D6t)+pD&xY5w_F@e=8WBfOcs#S&B-pl*W0+ z$57a4)rvf;YY8BX_+9fl?%VuBhPEvmNph%;5&?!j=-&`g&os4cCoBHUBr<<}PR#%Y ztp+-^20~l%s+b&56zz&sT6GZ(2WZJPEEj5LZbYSG=_HEV+yGXy7X*djPrsKz6nmpO zzwVXLW7@w&Q%JDvG-@^-EqHH=TD=5yRnqZ7umjE1TJ zrp?L1MUjgxM;ra9O-OR{6x3DHNRPCdWMF%HTHi>uA-r|c#Z`$Ac3>?} zaHD5_%au7cfb7`p4|H7LmBu}xse5MRy@UC&6bi_?g22b6UVBXh91Tnh9GmYn0-{5M zizr<-E7x-v-QM^fEFd!nKV}UZSuKl33ftN}!A^$8RZc|C7ZxV3r-*WJV8)tMc0sou 
zAv}Xi+DJ3@$Ic=PF#w39y7>;@YaGC-#zK|%`Z&K9qy3@y+@hoHNTdf=;L+ctX^k1< zfbVJa^`6HDqS!-D7o(68J)Su#Vb^E)0TYXS+dt^XWtvo+@4q0;Jk0wSYLrEh}<$W z;2t=C3$QpX{yiY=PJ_uD$(LTYPtK!DqngCAOi^?Y9sRv;CJ7Sd&eVPJVU}0J5mmdU5VqtH%&hS%CG#0yyALH~)y%iAA^socTW7&-y2w-9; z4jFrb=t_;)BpG=x7|*YIi13vF9N`pzsmAPb92mM#vP7^r7wm;3>QDh3ZovNC zHx`iP2~B@95@MBQL97qGtO90>_Hd`CPG!evnqLs7LRu(~Q3LCr^##*^13iJ$4VX4A zo>qJk4gRFg>)TB0dF@9mR=w@UA+>>RQEiz-y!OY6=5VLjK9Ak2L*6@c3XfgoOcrPh z5J)-~OoNB1lc8`mxMIZBE30^A@W+*ahlZ1)LaGI97SxH~js*p9wweu8|08#IS4l}J zOuGLvJEO)*|1UN8LdGB=C{AjwbXsG|3=H=?EQ>ri0JxXpHZHvjltti!p=Y+w+Hy3+ zQZM{OeD?)NPju1)w9_OKLPJRoiRM9<$4jvGECEJ?DEs;un1%?1oAYT?F$vh=>R@Hz z%ZKlV+1G0eUn)k2w7}ebb21Zv1|p>-k0|C_J4;aSx$5`3UPmX%F+@q%A_@Ts8uGSJ$aL(?z9vDXiTH!{mB#$O*N0&=`Dg|?Y;FA}}qgMp(8$`yO* z{Yu)SAa~z+EzP_NyIQWF#+okgbFM#HXhUl+-dS6ixKU5@5Lq!&4Ui!tBD0=kK*j+t zceh38U?`i~RoFP!!?Y=2zL0w&O_@fG`kR|j`iQi_?*;bRNtH{$ff_$K1Ybm&D3%$!ogT1bSQw=WDKL4pVOBm|eiT>=CM?(R--mjHu1gb*~i4XzhIp;gi`RdkJ-ygT?PSvh0-MxEyb+7KVe(TpeQdvUPx!B2>;s?y>Jm80al@EcPLZ5c}i1q4R;H7WvP_$P$tf3m<2Quu*@ z@cdgC0t)>63VtZ(AR-{a&xn80bDsTMPGrR#q<_0cd<#!U5L1(ok%6Dp%v>xi99*p( z-IN(u>EQ)uKdEcGX)DMJm^s?BnwUG9TCjTAJN+qwAmk+gzqGe-GkNW0Z|C4D;3fR_ zuN(sK>pzbHZ(skF#m!dut+s;lYY9gei`P7?Y^-c=MP9ys{aVPy+)_aGgVaBZ!|#OO zTD!S92><||o}R3poUD#6RseQ>etrNO2Y`cv1)hV&)!V_%#EZqjmHHnq`M39cuy8eV z`Q+sG$NLU%KUiwr zFW34$2eFlVMJo8E%6(v75DN0UJo=!Zo0X%{)8jqwHcp>m#Y^yfzeK5Mwx8>zn}&Z; zk*ATCXVUK)Giek)c0}5a=cx#I#?Ryf(AfU==6wvw-zWa3l*Z?CPF*a4|HHffl^yd> zUWNag_y5Y_A4Bl}KRLV-d$&+mn`@;+=i}WQMO?0HVIJol{?9?$ku0C%<4Gpqb^@l` z9*K4w;A=ekJ8ig`$3f-F$nZ#eVU_jCf(bUv>D+jKW`33G`EN?}LDIMf70+%lP@3}h zQ&!Vzko*_Y>y`8X_kBjko%XFXjEkc~62-n4MB@#a(fn1UztcavK*$sc1Aa$e|^{qlvFjKkZ{5#|ZN_sqw+gKV;#MOpT>rLi= z@MZWoXnaXEi{lP;{uM&u;q>}@4~);H`miwl)ybHDSl$2wI=0(TIy?1?w$JlHG#w2P zQm2hrnau*OW-tf>89 zAR*zTj||F=mQc2-d|q6c;`89EX3Ohghiod|TDexBMkjsc z3G_4a7e;n$H)w5>)`65&DL$(d;D7Q(uZOH~=G?fi`Td)DjGO;;PiIympmdN$%_yZx@4Y6BO4vgg=pwY+a|-jLs! 
z!7K<|+pj`oX5U(>XX%*MN_V)lJRusDKz)wCo#)?A;+>Sg zvG^r&vr5WttdDNi_in8y`#tHKLV1}a71f^&7?gHmDXa)&yw6sLH*zjU1=$<7(n5&Y z$_dIOZH%8DY)yW@^<1^Tzi}J458N(+X1d5qky_7Gq44eGkn-&nlQx;6XaVFicA7GB zlee{Yw$d*zuOM-E>cGdlysvT<#~p#(L3;M1+s*q+(;tldEKs{;PB^dk_3hf#g`HlE z0`K_04)AsHCE;h-n78ag+6j-qEiPph#fOs9+rOnZ`0c(WqoGE@?28k z8(+!~f01Hf+4V(m!3Ek8h8gB&aGBDMzr~U#bv4x$%AP7P?S9K)9PlEXLbDjp5_~bC zKWpH1l&tsa2c@24tn}wd-IZ#SqrDKFS|KeCB;-aUV5T6_Pg|>K4SII_hj9(O${g>_ z_~#g8mQe&GYqeF;(_aUbmgSP}_Knin%p({ayNRFQ9*q~@C+a_4@wPi-D%M&Nkt%d; zmb!H9u>)Jn?j*2jj89FE=hq${33N(Zi|ePZ@|XZI=o+lt*_A-h88($e7khtdmvIvP z5Iw&76{U~16EulrXYP04#@tWYJN!)cJgfy}6F0q3abVsAhB8O}^48-pd=J~L3LjaO7xCyM<`Toyv;Z3Z|#emPiP-Z`NWclSfZi{ zC`qj6Cjum}*lUBo6Jx(vCN)`T{OvBoZIeiYaz`tFf{e`$eu1Uk%ubDAVvIOvNrs{* zJRRh7^c(%+Zbr|!Ly5n{LT)zTbR!N*LUCq6$b@acX!3dOg;sxAr7XI`4##l(CBzIH z#n4B=lHo?JTqx;N*K;+jE5*#T#4tQ}L(j6IIK~DgD!oQ|*Sg)`!91L;>V6t+xQ)% zJ++A&9)Iu~Q!RY|k?uxisOmX)a`4k5k3IREJ#P$)Sro80WIHRmGt-lni~y(A(~<0` zU6cj$%gy74U`dQc;rB&DhKGftmX<@mJ@tlR*k@^C<7)q(YYVoMPN%(wPtpuZ(^QZ* zcIVRMCIfTwmtBv)^FpcDkF>j-o=q%6Ry%oeMy-pbuHCJbdmr74GOO(ykAG?EHL)I# zUsBZDPAOc7tI7*xET0EFN(#HPY9JPKG0l=;Oa;|!cJKZWjB|%=$9e9)_Oku)@xQ5Kc z5=+asc$?u`T7XVN&ed`ZPDIsp=ss%EJ6Q{_JY8LnHpm}{A#twR>n6MJ<6ukvpazmj zSR$D{-;(6SF)SB~i3|)5X_SQ<2y(+24Xb5UrUAiqzp$)?P(Y?ola-bu+345j$i_G) zh4M+sWa>u#6l08|unNMiiwr^@IO=Z$Y&+$k*(aN7_=dzKhav-_@Bz2S78_-`(7$ zQe1b=c0!3vosODzg3wlj&^dI&@G?Cl?Ey@h#2kg#mEiX&$`awa0kunl?$6dp0UE2H z8UC7SjcTkC{1wB|Nu?75&EY0ghEq_>H%!duDMk*@t_1z>^c?)Z0ml57%82TzsrzGR zG_+{eBI#T zH}-$+coqReduow2rA)heSbnG)arL_uPiu3gl?kpmMGT3vpJt zb*tCl+!8w&I(BzhYyCU(*7zCb^Mg_Q*M5Bgc|uWfTtp+Jz#sK96!=E9eH0npjR>iI zUnF^%9rUri^VYDNwYq*TIvjOeOH;k5BHme?P3GKQ7L0o8okoC?Dk=*7#s}ZBH07;& zwx8?oBr@?93r&$<_Iy9&+gVZZ()-Ry$Euax$ayW+yf|28QgZfqZ>5&Z|LNOfX^=0! 
zK!3B#>AZ5bQV9&^{=rkSu5Jez>qqe9<9;I*ZHg}T<sSDcszlp7Fi#FQP6YvhXV4qieQ=N{;984S7_ zi+u(3Hrj1pvsy}2FS1hDWTgC^?jY=B4auMYrXr@Cf;dl|ov;jcibH}+)e7;mFDuS+ zkGO9cZa{F3S?1^B?W-l%rb8#FtVEyo?))Sz znWEc5(l8n36VDr8N%5BJwBkzmbsYxnYykf9LCo zv37-JJX5~@@Z|}7@7F)zcYX4C#S7dTI#E^fgP{`HeX!f51}L_x(keM^!soVE_r*Vk2KpUZ26Owa|AjRCr}3^QfC%q8MoCLP zu@p8&)cf_`qgCeSu+I73I1ydlVY=+bVDB9;6McoQMaRW13@KL(T5`_UaWmWAe5z5| z_?BUvY!fSLe-M)i8)~}h!<9iChUkBvZ#8ZWS>YBk$v{r(8jS8Y@ZfvhykEJ;>KMJP z+kmyT2c24El4kAu*%>gOy5dFs#&iWAYds7uRk;|)KqRQ=3dvHR?7(yh3YO-E>!L%8 zeipGW86K9RT7qKB#3#V*nV|cR+A=KF68#lWqcOjF)0FRRGlAgD+S!m%8k=t;L#(DY zAt@grfM@ln1uuXp&<&3ir8Js(L7e)Xp<3iZRmr`{V)2mRqZjWuOvj2wa+oLuiFBkZ zhBh)l>!VhCwMQs(S*rsen(pQ3cZ_=H@Tu(=(+&E-`KadyAs{>1-Ujh5Qk*GsgdqEW0!mWP0i=)St@NDcOyK^b zM0l4MPa+JaksBfmt{=L5{7{?w91#h_r*}oAZY7+e|qkr#*FhVTkHPg@!c`S zEtY(G@?!taV8^3%IK_CKF)f+x?u1;MhJLA#O?%;4xP3mW(wrG+k;#Hf?6w`Ikz4iw zH0udz>I-{(sIbexcgJk_GmV$k*HK$#_X*_X2A#d zIPmRSDyTKn8rcQMj~^{kypaYI=(HklUVS3wpCAm@VbK0bPrD?`&#@vtTZup|r7lA~ zP^!W1b*X{$g|90Rg-SjWv5L<)=f=RpImh3h3>mwUf%syiOuBQ8rJ=z5wM!i-f_sLr z9zFepfhP?}j)p7E*w}W`4Z*5vqdz+gYnoF)d8iw4WvzR^Kri<@r`lW1Ktv>z=Gq>s zkuyrPI-&Mal|!`~NgBDNd_9O+oIBZVH#YC+Drhs@p8e*2fUf963)kxH_P(SK&n5y( zC3)9Xvy+L%MNWMRzpLs*=;Q>59T#=!>oG~6f2Z5igJFxySjZCy-hJpPAIAcNA?QTS zOtFN_5n*?jyzh(`xYS6^ouGJy!q*p?Y4nH14{3u`^|8&Z(`A?>f@q67WmSC^PB-1y zp8IO@L|i->E>V~$l-ALY0yG9JrWvK}4B^z$@esX)S zCCnG$-T9&k=pb_YjuyG*o72N3i3y+cro1tYT4yTK2X!7bi&|CkOGA80erlTp zm)Vi;TJ8+cnXPA7c}*|?jBNE@$3R&{evPS~rFKr`cmzdTqe7|*S7 z&Ql4PMCBdEg>UbjG={vlH6jtAKb>YRP=m8tCd@Bw0w9m|&Sex)yQ`wop8)%_WaDs1 z1ra63@F+l(^aYhK8{+kn+OLSN(6>aF1zYE{CG2;cRaDUOyW^!{<>TTxitSRr0efe(isi4y$QJ24N{X7B&7N8}zI@T&jjx(acccyJ>W?EPcSkLkU0(Yg zIbxVYp1!jC7q;NVXP)`Yj$^_spM*L!=u|-TmlBy+LgPWuAEAXQ_1$|4Ewqdu4_oQ% zPQghn99jNg=U_2DJt~6&`@Q@TQ!uuM4PMpbp}J zfb<&`4b}ouEWE|Q$8&t3l2AMjdr2$EjmrNZT6i50bN&5qBO5$S&jQ2nVrG>~QZdsB z-e@MHu?4b(b?8{>1Y|c0AP`U$f>#1hH-?Pt8+tnypD_toDL&g8o`1$Ps$uyzQs@}V z=t!<9->`bbY5EMeI6g=iZw>P?8@vo~P8WGv3V;vSPB9dM=A9@h(v+^h)pU3~=Dq7X 
zoW}J6e#RkzzdT|_nbkhB-wG-FrDfk-8twl31^A!wn=}BTq4R`qHl}Ug|5U|41;fQ2 z*g-&dxG+CnTa=(-^%pkY8|Ya3-s_*}c)j(r<(9?q+~8|ren(1{xd%ebSf;<5rUFL- z-sh}s{+wjyJC|qD3;m;@(3D#AbY`3tlfR@E_zN|L*d)ka@Z=XY48lpI|8?N^#)=PK zwSxf^^I=v$A#kNlxO*U#9l=g$z#IRpV{eJ{fYlxfbXoC7=REmtDffEP3Z;XWp=QT_ zLBR6MPNu8U*>s%im-I<7%WR6*SAN1hPc4P~B}w_{m%@3Q(am6$L}`1#lrR5D+FIur zh_ZK_rw~G~Nttc-Ocdpr%0)tYQ1EgIx3hby=hKXPVBneJ2;xV3Ken14!6unw(yRKjDLRVm?o(r=WT8Dd?8vLeT zglF*k-r#x6bq1Qh+TZxqS)cA8+adZy5=C3YEHuvI*cXF;v1fsvi~s@JBJ^o_-C8*I z{c!M>&HbIv84w2W6$z)*%~!N_?7o2#&1pAH!N51B!c)l+v%)6guLzk>__p>*JjgZU zWD+=>E`HPgbigzwMxL5Rgc~gZ{H_;^@~Nzk`zD7LbJZ9z6#FEC57&xW86mtY^l>t& z`ZVEbO3-cl^Vj25*)JYo^C$P`&f4Im{q1z!7Pt+BgSYOENtY?W|D*kU{|>g#?sa## zekeQ$GxT$RUg+-yXWso+`+^0gLuyAo1}_M|IrdMvx!|4 z;8qr6CmQfwA#tKz_(O$)*M~go5%KJ*U^$-1p~+h6>@NmFXqq2 zi%%fc+Idw7wT(!*_S9u;o{)`C?v^bNHrxC7Y&qd5jVksBshYE!3^`-9>x6r97qlIb zIC|KCJ|?59`t@Dl>Omvsl>TiwSE4!A4)PY@I6<_K@)-Gq=(B!=CTl9buo+brVCA*kbmgPomM- z*4fh8W$Bc&`Xy+m=={zwiKx(M?k;z5twQ>>TcX{qOMq3jLdSNtkB)OkV<<67rx>f7 z+C)PY3kH5NF`omarW==((4&{|l4rIcS)&3OQnN>0n=bD`ESZ&fgTre~3?qL`<4E@H zdQ;Vd|3kwP>8=AM@pm%$GH3CgIa}*=Ia^)*JllI*B}d=kBEQ(_-eex5B_PkOPNqIa zx$lAK6YB2KRvm|Zj;L64LoQVfC_cvJ&Q2t7_oJqdTQDrXm1Vcbngz06T4OOc;8XB; zi#CA*XlK;!yg!U9z0zP3OrOuEm^00R;6TDfXQycv#wzU6pvxbpkT~3VAo81uS8gY9DgNeyKv`-N`Jy#+TD~rAFow2(wb{Tdi`{4`B zx06h9|gl5?KlrQSsVgqu%2$IH_@3?QG zsX|&-hvkW3z0lKI;kJ0UUr0&c3%wXGAd%3cls=KMsKUg9N4$S4zXtxYK@3KXT^bUpVX z3|>0dmEM{3JJ1f;o#Zqo-_Zn* ztcQ}2$ash++^3BmRZ|-hgV2fkjQ7-Mq3ERUK^Sx?hPr%>zC$c%I&l>ZtTeed+&13b zVNGRtmLq4#D<~LFDE9)M$kwx?gk{R6?^%>S1y`myy%?d6duKeyrdIw7HQTS^=+d#| zeo9!qsr|7IO(HDyj3-9y>oJx>16WqX!T+3$x3BYHK2$1!t*JDl`g07`@!sROL?n4W z+RCv}JZLc51`dWapLP8O*YECWF+QEF(UQBypm{N}u_ms)Kx!u~H7m^h% zPxtOnI>?TlcS*?mR>8; z))D*}FKHEa`NDR*(glL!UiEnAzX^s(Oe;YFb&{jIxDTC2H55HF_w;-yWUYDM%G8Wr zwyRzawOdA6nN!X%`3TgzP^b&v8eYw{OL&Xk-*#W^kMSWK7zhNZr9Wr5-tEPC@^Zi8 znN~dgP;woShCTGVq-weTg}LGiO1Z;f2X5t+Da0Y5XFpr~i~yjBS=U;eO*R8k{}Bq_ zK_0q+%WQ1aujp`w`zxh;wbRfQg}P{SwK}_GmCA~1D|_j+1cMlZQaERwu-fL{1zD+x 
zLR;)!(;9}w{%Yo%)BEsspURXQ$~}6`Qu`3Tt8-UTree)GpGpVRNu{D}b&D{2hC|6q z00<0Vx&?zq`9A_@gPpX#`+76*tqZ=~08KB!(#k1e*8L)_Hlt6_#z1-OV>)2b&%rG< zX8J>t^RPB5fwABPrM#u;D{*g1?Ju$>m&&(Ogl24WK5of=R`&^xQ@aN<^QFjpW1{%w z1_A-6!Ctggk;l)C4mdKmbI)588z^-`&pq6-$W}UEIrupHga?HsO8Ccn^{YwVt;HJLqgD2R^RkBbPymp z45LaAYlno#*^~2Ks-qt@Ndv}@^&EQ0huEZN{NselYxX|;e-1R_bNzduvC)@50`cIv@2O;Nr_}E3T!n+rE(8*$=cpjF zv3P$Q7Ga=r&yBqy4i8q%YGXa#E&g;iZdhikk70lj;AQ!+B73fUw^M(AveIVX`1JUb zi*Nld?zn&>`Mafq59q?S<@l)nxR7)oV?d?y^OH01F0gz>r7pY7I5Af-~FO$CVVFZnVdfcuwt}m*3_}k2?vU-Y-5h zi?`jVFLM)p!wi;EjAopzp2+$6Cg#<|xT+=1Nx$cE;+r$+{L^Xd)ri2csUBpBnDH0B zVF}rfzR&m!8j`-nRQZ2(myP~BpSfU;qI^iPD7z8Yba(YbUi&)1jm|QwxZb)J0b#n8oyy zNfb!GyHE(n-|a%}`nmn#q0s0F^g76urJ#>$%~E<4j9;Q}>Q{2_YZG=Ppcl>4s;2jS zY?mH6M!-R1%1PW?R6O*S!>;v^3!#%}F{=iQbs!@6r?rrKz{l3MrRne+%H3ASDcE|B z_VQ*v0>l6Z8ISAzLKnmjHjLzoL6`VPX?*FUkNTc#as3ElJIgbfrHUcC;p5psNw>C@a2ApV6S~=pSE(I zXvrB#I>T{OscR}w0D@jRtf~iBa9<(r$dvK?Xq;(VY5I9i+R8$&n0A;ryjCey9WH5wKH=d1-Iyj#u z%$I6YG$cFJPesn9h`yhW1&Fz2C6MAF3Zu10eyY4@&${ zOGnzH)pE~!Y0lG&JLQKsPpAO{yB@?&J2W?{lZ4TlD>8B#z};{!hm|}i)>iffMXfxs zbNezCCFBohLnl;LJpqxM_c!9~co2%`GMTQ`Y&n+~RtcQ7 zZhYHI`kMi|MvU!m-#$}XlYLi5`e{SLif}~QPc&*pf7AT)uaybwS9;aYY>L_#T~k{; zLg0h|3EAN*wJ^LrpARG9LG+iszL)vfDN=atV)$cb>F0E^-br2#K#HKN1ORJ%*vfFO zaA;Xa@4Vgjr|rrxx%(kK{)D!VOAMD;(hr8JL-{U+^;V_&Htk{`^nTmLi}0GrJFq)r z^~}s7jfPaF!{k0jA2V9;<$|{#U#3jNEhxc;nCg`50i`k3$3w-Ch70GsD%?Kk&Ha<5 zR%}7oAv#}YZpH`uv8ii`ZEt0m%<|Q%E1}}cliHpniDcAgaS0-?o*E|n2NwH1M0Zsp z`~Vn_rayX>cr%!_CK$UTQ)(_KFaMe;XuiXi+_I$^zCYTUjK!8xaT{rReDo*a-Y(a# zk+9Kvb6b4)0;;;gYXCGE!-U#^B37sqWp3LFC$pR{{YEOPx|OsjP`;eJR~Cf6=#a5> zZ^)w6OmiQ8^e@^YyYel8YOFWqegT2CO5n3#Wh0A*5nP@RkJGn)Rc_26s;yk7!kOSS zrCq{$kVsrHG;9~zZpbIQ)n3}vo@*kX=W6ANV7K}{BNv;^$3q`E9s=~aCPvyjYHOfI zs?J~A{6($6zj&+1jyUYd)#;OTN6SS^?w%;f7O@=-Y8G(2RRtyipYCE}V$U|>zGh;s z5I6M>O0?mjjp1S%?#Cyq~Fh>a9>+hsH)Fd6UO5~#w`j`A|^_z8faKYX_e=0 zI+oQR=D4Qg5}@x6X0euMONwRiylNG74Y?aU$%&!W{^>^c&5CaTV?k0@A&O+H zQ5H!wb^VwbWk158W1*$it>~@N`fVr^2>w^`qP4`@w3EMZ(rHYJOJnTu5Aok1ToWL(5><^pp12ktCcx 
z@WmPT>cP99vzJ;7H5#S^m$b5)fVCD}16Q;LR~v%wsvy}$yh(-hy{24~=UTrkkdMD{ zXXGrh;~e>zc0oTJpv-E39Q@QDbFPKyh$2ACBY)uz7c zpV2~ki?j63l0XyIL6X#WJ%UV|Ih>?xr*{QQ*FqmfjR@Y((=?ojsI)t71vsd3 z08vUpD!GQZGn5xOaUj?rHFdqe)N`;zdaI|+-2IztkOA?!t5iN(;ao#k$JxxbF~yHs zr}G8LW`-mpRR13jQr+gnt)RK%W|uuN9I7?Z>YfZ+$w84l zZi`I=Q_4cu%s&qE6Mosh)eRK(B*MX@$3^aImo~@v>RUiW^dwB-kA>SYDwUY1?0qyP2;w}?R zN7Youc40m(I<}Oh+|N3T%Cpu{?lp~MQ{f?uS zGeRkkj#?&7K`}H2PYnFl_>6SBdvF3_lyl#-=T7N(wi^_7Y<~buyia5`(N_l-uH*$i z_gfGUv_onXfAnIAIh+2WJkOlawG3m)v^nUS z(PXnOufKUe14!L0VVr_tYIacFPkbuJ4GT7H+n|ec^l0ns3B$zVzm_-NUV#6za2Mx- zi?@!Ehu`mkUtdgel)_XO<>t=mizrEO(?@aeOrm=CRO%x9Y7`F#E9|aKv9+?TL8cE< z@ep_Dl!RPdz;N>zbxvx~q{&#tYFLC~$fZ_uhBJX%P11Pp6bP;(Rpuh5J`A*?QLZYY z4aF|Co8%3|9zs9UgJoh5dZ3V0)hns=UbkoKeFIOuQ+p^ChQ5~TbnRE| zda2SR5gT4Mlw-!=+70>IR8-11pre`@isgp0y1YMb1o-t@+)ZmpunjkF+c(b{VXmHo zkN!~)n|?;HvAb(H;p)zG-vv|X@dsn45`3`{k-TQ=Xe!R&P}B^f(!d2t*d z?n#}pnz)QV-O|c`(ei11QpUT2y&L!|c}7`BD6 zCjmLS7MU}j0Q3Q8ek9O4!X9jY*XMEgUi9QKV~Hunhu>kqO#(=9cMeRvhkBjzAC|l>m)s( z9jHPc?pLMSPNYmE>&I{$e{>B<5*1XTT#dq%nM z_=^uy{bAiXg#s($sJX0pXmP!1rXslMGymn)V0<*YJ)1F4A@9n^h*aJt3bw4GlWt!| z6JK<5kL}D(`|>|js8wTbk%q(iA!uZ01N+)47x(T@rp&8vfOa)HcBYm$)lQ5_LoN73 z%;9hR&ajE>Cjlt%J#YeGvdndhzIe{nI)b)fD(IzlQ=qvqAIf(0UgVleb< zNb{XBU5s3Zy@Cg+U+o6UvJ)u$+H)CjZ>sfiiCt^&E9Hz9*3HcQZIfMxSL;_BR8vC+ z$x~_kpPzQj{lv`!6rNtEr80bq(D}4OOY;ri*&BM+-5Ha|VEXWG`|TLVt5KU1Y0N>Q zimyH#f2w18BfGCU2Or+d^&a_TKlzT4i%bfWYWkwP6H-7jSnN1Lv}I3qBbBt#qZ0& zw_0E@AB?W_1j=!j8B}DXvgJBi()DpD??RqDP_F+_0*}i-sTv-w2w!V25O-1IUxrLO*J_}(t_ehcY1B1 z&yl5XL8|;NV*osxVcfcEtqRCgdstCWM)CG>1XZ=HAps-K;)I`;Fw0 zJZH?Cz}<)IVE2>#iWay_Y27-kWY*W1@%x3w<6yX|el_`Dw$C!Ds}OvT8f#Mzcbe~0 z8}+(RPl(_TU0h~xGjl%LUXTkI(%hyhg_rnLW(2L* zX;*~!Z9kGNwELe5{TuafemjqeJBdw70XUHqeLa@B4-SS$_HS5=&;Bs}l#>3zLGo8K zkWL{ROp0x58*@)0?&t?C)EtKx^@Jtzx27yq%<+IXnfU4Bae+TIWT|xcRL1S zTZ;x~itVSMfwZD#!DPXmN6Wd^!g(_QR(+?{4i02SEi{yjb2WY!JgUY%X1(Xh7;sd7 z8ou?WsAd}pf^FJa1FekC{u$A>rnF_42{lZL04o+>l7Mrx&ov3 z)|)23{7A7nNsi=}V@J@+`8ZIOfw-Qfwk?E!Z2FGSc6H}zh1ch$|D89}S&aM9F|KXg 
zVQuO6w^=&C2|w^2+&Pgjh}-j4FKwe2mYYVh5~bFaftB2q+;+j3G_n@LoO!U9NmPmM#ew(7#m!U= zQy!87(hs5?fb1ViP$Esjy5%yLu9bW{aPVhTqOZ$Py8a|53FN)wI@zCAgRW|q5ueGX zT_5IUD$0{$t{zJdxVEWJYQ9NsQT5rFuxcxwAO+bVo!U3@$T5IKosuB}!8E_LbZMx2=`yw|G0 zHXXRqd?%~H47ex!Sj6Up7q|OX%KlA-Y*%QJdxXz|F1* z68C+dgPNoF$A8f=CDpOn{tFuu0ma(6nqqOkD>UhM@Pgsiu#60mqFhQJg4N3PzSYnT zK)e0!_YLN;XzvbtN` zToHCc;?u2867@Cs?i&Z;4153Fc$tWck?|^GFa%JPH}6UlAcbBFXcqQ%8z*Z{+-6fX_u7| zQ>5V+<9@DI*Dw7B(Xx4&vPzM6_N_a*>w*(P%ET%mD(qLCDL9Td zU;emBGfIpPUGN=@uQU}OFN;?iO6gXDKiBNBaPPf#>bd4?-swuJzLoI{UtKj7ZdSr$ zN>gAT=sNt}wluXZ=O?N@koYGQknaExxcn6Xapq$v{53!Y?Q zFODt?GVSWkiW(6IQuaXH1ujw5n}3B?Zxddg)8~l~sKF-W>ffL#kx_jIXX2>GD^g+BVm`Z_BuKAE%K2733 zR8!)QPJLEBSAk&fo#zbp!lW`=e;07b9?h%WzsHqAahnbfPKDFq_P4hZluS)=n9yd8 zvfk~8SXG-{ApvMCsRqrG9H_VSmA=mUM_vgf5fZ#@q3#4l@7uKb zXC~#i=&$MT&n(uR8JfH*)F(BrcW*p8&B*Ood;HZYHG}0E{}pFx zl!ZE`shtsCye{MQ4jDR~uDR7;*v*-6#M$7XYk{CIt5d}B7Y-SGP*4<|S7YT@K0gM82(IX6ko(^+(ZV9p-pqC7``A)C@FE(0Pwj~3N8RxX@!&LH^`O?VE{4|2XbQS}79G9XtuYA+ zx%k>v%Q+h3$YYL4r?MY@M0n8tgu+pDjQu_SPR`AGsrqxI6^o^GiF)Ny>7r5i1)LY* z^W+fV*!BjTHx>7ZS+E@3e4hvw(`#{$JbbG!+Q;;;)f>kb#xqS z@Pgl&A$_MiOc?o|dPkx@mYOZhI+qKUM!fxXNf1; zH#oR0=}s~T9IK_lhoJ4#MME^al9vo$Ir+P6Fq^ zI(FcoTvj!g-gmBf9NOUqcO%Eto?I=0tRjx<(=jsz7hSjqiHy9Ss`u6HTn85O!)Y`R z-_s|IfJF47vUUi|d^}N-nb}v<9n&gf!|I4)ECPckDs=fx1E@BjiNM+7F*s?O@eeT* zLSBCi)&s;eU}2D|>*Z7`wre`M#^b3ZH*9Amb7ifTCKRhC!g3YiTNOIbpkey%+Oqw{ z(ByBRN|hVo3uQk=yApP@Z)}c+ZmmhIw|Z*CjDO-*@C}?SkFMN5?ij!N0D*(-Fsy!( z>ppBzw5NkE7s9XQSX~XyLyU7%tf4$2ZiVC@KRK5eE5Fkbj09-n%5yx5vfsT8!q@Ol zS|>^ZMhx!#!0Z86A!UpZCg&xR(V|yrMH!{q?cL#Oet8mrq4jI1>>L$0(aJUMyVRG2 zrm`*c0#O~Y#V+U6$1pE%Pr;L*)3J74+K*$!W6}@6kR)kn`C?Z0=3CxOAhpe?N(zxW z(OKWy0)E@SeRczpU2c_RLW?{r)9adO<5X~ z1968_U9PoE$)M-OAwbaJ)L~WLy1c#Cl&_dOh7CaMHhsNSv8AY0T0lSzSS9&8i|lU6 zZEq^kI~Yvlw*S9qd#k9pwzX?FxI4jJ0|W~McL|o@?i$?Pox%z35L|;M5ZpbuyF<`I z0)_L>tZi%W{jL8y=d^Y%=S5YkIctnD$9Q}1&nxE}mw)#(I~zBgqzx#$NflRqArIu$ z)ZCS0Gmgof49oWIgfQHiO-zTk`^4M?A@x_u&$n#5!gsIWZx*qq>dYK98*JoC55_BE 
znKb$hcZZ9sRW!Z3Zp46Ga+|)9Q?i7WP;y6;E&E)*ZDUh~Gn?D=xA|svd7+!n9?vDy z)k=p%W}Z>_`19%cQi?f1Ab`-mO>&yus!8BHg2LbB|I}_6W zfbhLnxJ&k4wxwCg=|Ly@Tf9%teg69hHLSEPTIenn1jPp@*%K)>{h}MmqTHQw_D|$R zE6NYE-(=5Kb`fmLz)};BePi1qhRzC8SD(V7T0Y;|l<%jItts4r&_BtJfrS_>^4cFrQDwi)T``_xB!hRF+Ya4QSW6U981qX3Xhwb;1KBA&;MbN{!-} zc{8YC=zNci-nP=+9K$rfJ1o5MUrnPcIz{p(dOI~0Y&XnNw zg&s|A@MP6eJdtT;Lj>)-M`Jja^?}-3E+In*tk{X+!vvoZs$iQw_Xs=t?BOog-RWuu zc;%%fMup$WgyWWKINPNc zK3B<<>g|MperCg2Cg7RU2^)l@x_VEi+2Z!1#Fps=`!svI4VtRpz33U5Pw4NML`DGR z$E1Pvhxh#%(&4jKMJpI~lb^p|Xu}%kR^pwMOIe&SZvq z($lz=f;b;me{WN5Z>xa?Zbuf!ut&yH$S3*tw}yAdaOY>T%&X1gsoGXC;#kbVCQ#MT z`uz>z@d`HK@)_l3vllj>=F?3_asat}6KuwzZ-tkQQk9|5k`2-sxOrH(IakHM@1*GB zB$O7oQ^kzV6fEgNPMG%L{|8wJHYgbihd!AWH?CjD2d3;_G_iu!D!A4=8y6$b(Em7|T3HUy4 z6Rk#pqKTiAgd#ooLb>7?UzAF|H5xr!px9LETKO9I)RI|QUlw@};Ly<+bwS4!xQ902 z|8)id^#e7xhNd?m7hqBu@amWMUreN@-;CiNHo>OT7|PpIx%FHYK>T%NF52P8CGhM+ zlEMnPyDgrxJ6=HT4e`+HktvanJqADAwLf{GuKBfic*oVXYZzq1>bg2T-QwAFw3&;X zA9dgVTO#=1E;7jjCzR@TN1$?ixuA0WPtE$Ew(*!n(4F!!6WV=kjXu}(b~^gjQv~#f z50F=b?oXY~VHzz>MCPm90`0c@(1$V+On?Gp}}( zk1}zun>2qg+!$u|DwyaFht6)t@+$+GU$}*0hj;u9nTJ+Vr~=;OqvN#YzOvp26J1~Y zZEY!udtTWqrc&V_Nsr>c#9*Q4gD%Oj>gL_oWHS^oA}7pF8cq%Yd#|^@y|_Fd*sOS; zU&$)}suMf_Zm-aN{B8AnLZ$TknL{lF!~mW-B1%{fJ_JG9&CUTh1UdQzdcYAY=t#-i}as0j=+a0(^CiwdM@f#esmB|z)1TGu4!lUwzhaxt6thaR~ zcr4LfGi6mHsZcPld5&wuve_<+QumrqyPX?X5*_!ShlGrTBYK;(m%jchI}tlAXK8j@uY( zhYZ1%2@7BjCF7{aop0-{l6$>^io*9EM+ZZy2bFgvzZEs$>ve*u* z2!qnewanviScbRa9H;+zy>TrP#&1}LS*IC3n%w{O_|H$Q^_rePm64`VSike>yQ*nB zh^HFGRz8z?^PDYNzme<8HQp_Ik3*N{RO5a)Q^=WBdfBX_=cn4_d$-VSmQnE`j_hmt zX3=5AVQ5(K>8dDvir+?{7&Wn)ou**3izrMMC8~-e5YSHQ7jZFzESMnOY(+7{jt;cOwTy)R#@kCYtd{&6YqI`OK(VQ=C3%1}T5fmRwHVnDs{CT26M*QVp0;u< zmIiFJc`rLWKU!J>#TD{(8MD_Mqbt|42lH<0tF~a3l4i5HdH(Jf!H)%K^ZJ=#QLNW@ z!m^&_PdDgBnZjF$a{V96@vr0Xm`SkQ2e89%KAk?nV>Cdyz7v1jTrD2VcwNnZ5@Orq zE7hnG3fk*)!fXP@$TR{T>F^3%uj{Y9KRi*|?-=2EG^36k`kfUS)yekSj;g*Q zzOjD+4`n~BY6Oa zv^lL{lJ6f8mBw_Zw@jOA=-?#&OK&amllQ4iSNr{5dmP^*(cA#ub;D#q;u}rgDuHx? 
z#iV{5HI3ga6Pu{-jHWw-jG8TTwvg}LaMRvkLI4Jc)TI3`2h$%OgG&;X7Ux|wTYVUg z%Uh5oaFk)|=GpQQt9*F1qaN#5w-F$mNZ*q6d{s^GK4XU{j?9CCRy~h1);Zw&v85H@ zM6QG5PR#yA2$K;(R|)@D7&ZhF@PU|84AqBBc2=KwGl@;Qtth*WqkdE=eg;&B)h>MFGG4VQ;0yBc~XQ-mn#Z4^5 z{V{UL^SY;g_tz{X4_<(?hRFvY5E>0(V=}4fimN`gCG*TBN3p-3fWs~>k`sg%ZHAlW z7JiPGYHoEfQ?A7Y7&LLFQ?rD6V|gP5`1;{pP5b#MbO9(VgBFAU0_EkmHXuztm?rf7 z4q8tPjnoQi%n3Y$6k^?~8hBL1#`61r?92J^#7oLzL81ho03ddVU5IfF685`dJn_%AbCrzE~v;SsB=UZa5Py63*< zI~)NBq@(48{C);Q*u^<-S^U_0vNWdFv%I2bonNhe>F~F=2G<-wQ1EK#r{j)SIA$fc z$E>~^RXD)um)xCRrAzq&wLLz5u-1S3R{`o8Nu2N~_LuciEh6xJQW-GysqKpYVR6bQ z#^bI62~3_LtTGub*>byY+!w?JX`uc(u^vgkJSFXW-m(gCLZhe8u|QsbNYPa~YgzYX zaT!h~Rwc8F_1gO32Jk=@un<(XovtGIoyiMZzB~}6FoMVZxy;fN=?L+lV27eZe5+ejeizRi5^O1 z?O3RlZ&7yYSsGDMpp|%_P*_4?r3tB}p*GggoT}N=bAQ>p)=l^WmNDC$W z^8&-fd}fZQ`;)O1q5K3}itKKcmuAx&I=!E_W`N4=I`03JxLp1CEAc2t7GO7FfW;xY zMJqk4zV6zUNwtMX!n6o6V!JfI3zlktzvvEK@8w-$mF{y}%xYXh?i6iw)No0?8AO-w zD-Y{mO%nm=xhhi10ozn}nNvwCp04y89v%>ji)y#%EQ3nq_?`Og1Vo^?ynH2)15$a9 z55ov}Ko4edkLK^epTXOa!6Pgq;eq@C5jcrj5F<@7UMIO^keTtr3ldxb$O@{@vtXy| zd{bD4`j<1t&Qt@hhqLdho&*%ctJj5nrYFR9XCG}UI?pf!RWZnYFmc8^IpB@bV?HD& z>6EwMdgb~yw8-xF;X5OgTwcPF9?ggg0wt&sTM&~5(VKqR@f@zj-%igYT`TYN`Imay z*}e@7Xs)FEOJ`T}F7m&pg8rkWX7#JA7F1k{M%;WPZyuD!hbjf{llWsrR9PaTpva5`}J#@f{-J^ z<%F+>qV~68Af|YQAQn8VvhNshUhVI?U7_nJsocvwNQyh3Osq~e+}8=Q;9*CFdAgAr z|2)~=X6@0>>%PYuQ#i=hByArj`YXuNLiystZuYrFjPHz+xa`O-c|;Z zUbG7P_7sA3XoO*KE64YkWFUZsK~mYj->~Y|B*1>dMMsiVOqcCeG_8NJ>waizu0dL; z+|(-P*yZ$l7kA;x1dQC>)DBLg8wVAlFEy_@9bW6(bgsJ7ztDg_pyNbW#n<{8`cAsF z7#jdw-S#vnrMf?y+kL*OACrwtV`V|$%m^j?fDKjssmjmj1X)Ynb5$Qt0XK_-&}JLG zY#gQBzUiUvCDH=YHnxM#_Q%%YJ^6UKnJ07U$?JF?j zaP#AJQdUe{S5mH@wtvkmYq~aBRV>e=iwM0_<6P(S&x>nt^I!NE!Quwz1enQsrC2S-+Zwzde$QRn?l%nWqIDb?+FU%0MJ<9 z{r*@?m%g`_!_T~iaQ{Sud~cH98b@CdZVuYEvWL_G$2qM*>R6}7U#;n#u)}l{uX=|5 zTZblA%n@jk?M;>L8H{fr_#xYsFUh{CJ{*6J*X#yIz@9HlB%}T%va6z+$e|YtUEs!0 z7S*E<3Z@TS7X|Zpzs%<0@S*Foy=IJk6D=)Fe8udG((U6#G12(bW+nzb#=J>b7@f>w z7#?p@;U`X)(wxaaZ8G#TbaH+ARb)Ud!mdR|CE%IJrWLYIfk>C`-nzzG<#w|&YL%0$ 
z-jR7%@)JCq^~7*^Fx(pHpbGh43^7cypm{vqdQIk_@rpz-foj@VbTtVD0eAUWR+7u+ zR~O6ou+ZE)-eKnkY^(kq^HnPxoBn0MjOnJGa^Bd0bcdeG7Qmt8Z~FD1A*FGRCczWx z-iBC?3$`WG$@2fD1igBPI}I0uR+44h6Ns>s-ytuf5k*jPXz%ZQe^GjsDI|yvR9j>q z;l6hpvILwYEswbd9ZoxI?gq;J-F$ll#9mjjLlA7eBfL!U4P$q1o9-jIGPb!)ao6TIwi3p zYf<$rAk;W!{ND1jLyF5H%|OPd6lU?O@Ivm!my> z>mLT$7w=-qu}_Ppj6>0?>KqF*^8hAwgmccOOi8Oxn{6OlO3Mv}u-uRda)&WoQbN?c zEN%AP^?^y(oK7$s=4a6#ChC zFK(}jgP%!?+JFP5$a2FA1d;%+CYUD+T%WTp*cE35N@`^MNZpyljB$gK{^Rlgi;kGy zqAmWHGNM$~ufh3)|2Hz?mK8>_%WnDoX&X0-`mgkw%P|V!6ti6d`R?C-oFTO3Fh``8 z-0HvnuQ*Ae3QPuKLsiN{AJ|RaIP9gb1yG_N8n~+62KNB;6)JcT8iD!dNu%62=DIC6 zF`v7eo}2HvB=x)J%vh7f1g~E;z2&5cX37mO+H0v`Cz#bCr|7S>j61p4IrWIq0EW&8 zG(wTiH>VdS2)C8f$P%^mLGwORLV)F-efCEzSIx{Xz^%=Q~~*V(X3+C6D1 zp^c&cen?Y}TjWs71jSl3^?NucOz%8+1*XUwaVKX5!2Yp}riG|+S^ z=G*xwH+<{u$M?M>rIu^5^=^OK8~k^x1PR#yjVy`CL==<1AOroGLd0bbeH`uU?B`X< z|5y9FKRsnkhCm5L%fIt^+FFezQPsb^sT*kR`TMgml%tzyYe6IB^H@*3-0N#JCDC>N ztDAnXK?I(fJpX7A$N1N}m%e-HJi30KZ@ho-|KslRso0D|kQz=pspEe7j{~tBI;j|M z@Q2Q3*JSQr2F@Sgy&%`9^d|i;IPte5R{aoa+2xAE93lFRmtu-27eRDfvRTvQVDp@c)aaKw#`SN1@PesW<=HIv>iP^_h zcayW7M0Nm@b$NI-%;c)5W)?u*AH`+!;^u!XdVd+la{g!0n*fvOe*^CTDg_;!)PI9_ z{0xuS{A6>M{)EVvwc2#+4xxFix#9Twhtl19O+mU3!<~~-nG?-#1B?h1H4xZrwE?Qs zq&-K`+o3i9?G=VL(z#HZQ#6&pS+&B~st>ceGb`kOeocv#hNZRDx$U=%F;Sv;5oPmhHiWiVw}I zR_ljTD3v&4(B=c#Q00=Kv~rm3w#Ls^dj>_)E#qB=q|ST<)74=&Ter!|1)p_WKJeH0 zJxZ|&>7btLurhupbLke?cM3?(6}^h-z!Sdh{d4Sj$9Uf1lkmMl{Pm=Rd5(|JLUv2Ak{X&kA6!3vuGrSM0m>)Q>2ER#bx`S* z?Vw-=z)V+XYlQoNY@FMU5uveXs-WQ{Ric+{RWiqBw0K3keHlmbbcMX0K73OA?7_sd zpm3{vaVdfs{x*%8E@0XOV-Z4V@Fn2pl7sSTjkvCKChe%pViG(0nK^jp zN2cnzQ+Beo-@(zTp-1b!G7_T#D53-qNr}imW**5#W(;wk()-)9qew!1P}ZePI4HT^n9N=TWzfq{0Z?+t_ircM|Lbus1UtEKG*A`$C1G)f@htxIj28*ox^7 zKdM#`Ph}~W_zmuv6?Nmc%R)L?f-0PTVG#Aa>d^5wfq;^Xd*h%a3ZvBwWpH`&kA?z8 zm3Lk+bCpnkZzu3RLlv&NZEtv%L7@!zuhGo2j3S|=#j~f@ly7fQV#R>I3^GQ!QGLh= z4AxdFeBAv-x|)Kg->Kp5Pe65OzsoxOC(HcC8;j+on;}#Bd@e66CZP+V*pe@VNjcAO zFNQ~z9>S^c!G(KFETQ9evVTYgzb%D582xl_vyw($tV7y;SHal;p^=wKBr=)M%-2y2 
z%I~bj{{AFNrs4;$T;)%;P)D(1R$&B_6YdR{1Eev(XN+TwkK#60!^4PGhGnsuFL88O z`DQ<6yt*@!=aVA(V63o;ab5%tGI_~u%00r^-v@4$=-I(HyD7U@@)?R?#bKW)$(*P$ zm$xDKiZ?!oDPXu9`+^?~mGa8nnLUfA8}ro_UYJa0vW|{D%$Qqt=TZ@?CIUIatVT{= z)I0tT`4+}m`HBH@CNuMQ^3W~oBDR7=&cU1+JKtF8wX&I&OWI6XT1gEnxQzQJ8QJE1 zQRSGxw@7><>vUz=UKmS!MPdg;T1@$Z%j|49d`^%%~5Yfw)19U38q zE)u;7Z^sDzW7dhzd}X zAtHS23P6N5p5s7?^m-Mhg3)&-g&PfmI!85sf%TG_K(Uh}D4(LaetPq{{je-OXJNL! zp2?zZ-M&F(wxYb++RA-h1Kb88Z?Jf{`5DHdWk9C3tj0`#by)E3b33L;X|-?=O&r z>qinVJ4#Q;+_OFaOt*X@C(NBN@hCq1MWNUMa_~M+8as6^Cz7?sAySY1FN+Q^WSxA3 z>Vx8Q{rJUlve%K9YBsCVGE$G^H@#UWrF)I?2cSm)DbUlzeFdu^)u3wd4PD03+$jBq zcH_0hl~r)@hp0)r7T%fg+fk#QI;71S*OLVkTfPhFOuJ@=u^bOB+m1GRF{QvtQb9id z6QpVSbB~>PBJI|NLMgIZi(bUco=4A+m=ou{v}0xsNkqN3R;meZOG8D)9|W&O-h@c4 z&XhTdRWUM5zyvlDn=aJQkh&%b4|F`vZJeo0_8(bOB4=v6Ldarm<7DX8G0OJe2z=jB zNam^9Cz-~qwC>wl5c>f{D47(8hv_GIRwHt9<>b$o)c?n3e0m3UPZ9E(TBavGNT>9(iQ zbSzW6c0OmAiMZ8>+$)H!KeKwA@@RFwmzqFeb@jeDiqL?yXrX?3dY;Fz`9%Jd%vbUi znR$sm?Z9T8RPZX;bdo#XWcOAoBtEm8NXdr|tQ_}B=?-C*iX_=Y1>0yq^Gv5La_CE` zG5HO*6E9x-K$xeoFCs5)&zL8=KOHSHOPxGzZ23tyjO-_Gs43VJlXgrYhT0Ygm3`{t zkk5f5JN`<9m_#L(yM*JYw7!oYf->l#I(tl|KrjYn<1GuJmtDd#*3Y^^4;(( zNNG!ZI|e&9FIe@Ii0Ry6*_CSlGo@+!9WEsTXqb=Yh{``U>KhSY%bq*aefnfvUs5YI zfvhEQK;SA^+6zJJ;LhsEk^Q<8EHJgaY9r^A=EK3WVrH{u!wx?S&b;w;=~cW~a>vup zqcDhy7=|!Mwi}=Py#M=r{rvaoJBd}A*5|k>7ByG(K{=5Q{_4=IBqn_jG}YSl95=l5 zEsSjnjd%~yWF4^mZBt(8beeRI6B;=z5Im7vn8d-OIsF{tFQC2iJ$V~-#vql!d5#pF z>(2tttytkgIS`ko9Xww2BWLYsO>w*we{J-z+U$AkN)@^D_^MC=kBFlmuYWB9XFG@| z9#TM7uvM~T2RUT{y}$IHt}Tdj)?Am3(U^mqoXLX$L+`HcK~@qK>dG33xnh|cUNBg& zv71c-F83f*-R7i)0Mdfpk)t@C2tEV1#lE6UdwIkQ+ckk;XARt^4A5r&Qk50&Z9Ai* z&Du%X2Wrf6cmAz?+bA) zRUl8DFb`Q5yWzqt*EDEc!FKL>j^(u81GS3(yS8oH@mZg-ZxY>D7#Ihu>ps`rbe>4o7> zY63i7*u-UXipArXSihj9vjo$_FBK6t&$#tLRi>8%wu`Y_3agoOCraAmZ|8h+NmTl1t?rF>)t28rL&}8X+=M@&#g5}?jN~AAblgxNL=N$C zf5Pb#M@J#^ez*lq138SGVq#?;b}LW$S`YQ>^$Y@p+PpO*G#}6kX@zuU= za(UI${zBU}=M=p)J8OHK_MUY>aaIs#3NpeMaUp0RwT>WAWN~zIIj0!`su#o|7w{L& 
zDy;--EynOeAxE|5qyms$aDjbFB5+1HPGrG##<%uXRBg9c`UU5D1NtVGb!hpj}-=QZbEzRlLl9H2+_5g^`bpZ zmc)%3;o1_t>6OQ!_r2r9j-!`9_O<%e2{C?H~~o3zF7tyUAVm2ihDWU z*g=vi;AhHSkLOnmO=NP&^)#@Z5Ph{ z!J3MDicE}CQAO}>Z(JDLO?_V9fgkKA%=aN{1|q<`Qr7LhX&L%Jhj}?Neu)wY`|!&b z5V}@=ad^BIsfi*F$?DSAP;=L#J>|9e(J-DSaviW~xkWSFs+?YuPZ>(C zigUA@dSq_!m)4;NYQj(2`CRd;AEr`3{b5Don)~0P|?J%+i*M+4Y|0lOq!TfDP#dkZq(`+le!|F zCA94uADqDupz?M$uKc;9<0n_H@4~|4C?&0w)47F4EYPpusUwJLHnqi0;oD2-_ z*sN5u1`cx@Z4S0^2{L$?i!sQA1ihQH3e%=;m7I>|23%*{;(K5zKT$;Co3p)|Yc$>- zWnOQrj>8v7M3&J624MKWqY(8Di5S^vj_njf2?Z?9P0asrqk1 zA)!MJzo1}9#^$%*U`de>vBu+jF`(lAo^LO`xSJsP8_-S?*fiAdXb#SLd=_D(%Xvtm~!{Xp1R6I0!m_jCK~GmHf$iD^M<^ z1^znyrV#0L)je1ES@fO%r^uV28jz;9s1-H0f~)HdME)>!p!5+XQv(|?xx69cPSwNP zhp2I9nfV`iRdV{(2^)PMbTX3iP~Kn;+EB#W-0f<)p+vMy44I5~m3DkO#zDaY1zm7i zywk@KmZudE*9|dPtfB|eW=M{yx9X$|s$+&pdkIRDvePkLgy4ww@WVx9ez@idSLk4` zmQErz+ICpnfQv6g8e`_to(<&*j19v(_M`LBTqz!Xgedj!C&ia$qn$QkhsoL9%Ibl> zMfotWP)s01Z64CK1Dpw#U0~=f+fStC-2FyKCwcgZtM1a-^Pg9^h_{*(z&#Hh zd1o}|8=iG%FU!poM5^T!%7xqm2qFNnVUS4{M1Yy<~q_2$8u zyzUJOSq?v?WwHV$Xvk9g3jI~%JK|_8gYM>3AiG%f2)ymk*12G>~DY!;uaZhr0v9VEv{OylGHQLGHpLdV#m~6S>dc`>0RUJ?l*hR4eMIh;j!lhm1Nu zNw`^>HALJ#_HAHi}1$_ zi?V7d-*sAMbs>dIHGI^ui@*^=yalZg#t;*~FI|K78 zF>`)*w0N|{+Htd4wsTo}r--rHBpV89*^bq|PI8p^DZYpeJqj^cCd(r&UdWHMdk#NW^!VMT9nbzoreSxJPe^Y2?BC`s7vXC@8R5aWdi zjBOIJpVEO!uH7LI{!VAQDdNYT(rRiAfm0nv&k|z0I`&sRUT|Q9agAzp{j%JiZJbV9qyd_d$p< z1vM2Kn9P)swa!99yOBXfu#-Xbv&1*!CN}azXJ{r(zB30@=dM+?-!xm36PgMx>M0BgBZObM0(J@CX;Aq z6#Y>LLh2sWBALR1c7nq;BQ0;$KFsAAg?LWXT zzB?~H2|EyPk@msZf{oZ1=cO07_-b>2qcAv4LHj<}>~^7xqIuP=PJJ)jo7h&BWd8k- zh57E+s4On&G&IlMWP<(HA?~fP81BZ@L3=3iTj6IdpV(w8ZeS-~+3&sVGHoLe??Vi| z{k0qzW=eZoix`@qqefZ&7Gdjq!&lrM2z4Ac?`3nm2-OVOIlt;R!5R8cdBE<3OOItH zMst@8^0``)J7uv|4$$XH?Zq)o`PQR+qB{T`O(I2qIvu-5ykK3hW&L)^=c^EACL4+_ zR$6zLR&sDn^izVsGnmYvZgu8nTB4}c07ELI8M|YW$PA=`{efXix5V!4xw{-;N8#3e zied`Cfke0%UF_;;1I^`8(Lu%<-g3C}Ht2`@J0S_bgdHq#Ue-}cQ=jBA>fGnKfiNHP 
zy$c1N9bJ0S6iold%2YD?`%l|Lnnz#(4jM;nN76{)XErQVF;#p<+6{;zatz3_y7{t+fM4pvTo9Hr-*plPPE8A8E(gAr{C@ zsD%%Zj&?^3_@86hzCF!8b9v&|-&zeKsF#|r=0X-?;!KC1pWIzctZT^2?+V>}%hhtu zECSJY>;sK1OL7IU8c-mrzw*Wfy*P*OrNvouk`oC?PEr$`mPq+#@|?%7gdgvnvmQy5 z2<>ZzzdH(TezPH*98T^laVm2wh~DnQf8;_JVDm=caFP~T^KJAX4|El`A;LP_v>A4kg;bL=|`jOn8@52VmH(t+RAnxvf#kT zKBMi}Wn&Ic9gW)V z=yx~xDCp*On(KPvl*ST%-a-3R+rC#evF0HBW5&aVixHtuCKR!52lD!+rhETmBn_|# zQfR2o2d{XAR;}(a53U_eJV=$DS-<&(hg>>_e>sXDDnwtSAK_Yag-1o$bXx{yr$mPH z>&a zx<7A4ap+U-=Nk0g(pnv)ndmMVfnb?+Eu1tN6n1nh)^jWdKQZ3@q)tRjp%Z*=6}<<8 zC)*%&Je&2B(zpPpkBs+B&eJY&;o?U(z-}Zn;x&fBbLEV!A5+s zU8X+PAE18)17G7U3ad2BZK?bcob;>~@-l;qxvL2ob;(|sfEf*)HOZ5<{Eo^+si_p% zZ+I9NO=Q~8`rM|fhKLGsHgLK_ysbF zHgpCgSck}Mi+=a0T}<93|5%Ri0fzRDd^d^jlcyXFXx)8%O9FZ@4Df{m?kzq2Y8~wHL{amOmUwQg) z^8SM7_FG_f841~tnRwN_t44YAgG3%Vf7=Hd9bpT^*&J^sEoZWw5Zx^C!qJr0`WrmMx_Qevf#2e%7q-LUl{6OPPFXXR8`GSgBMgF$_Y56 z%i{eB%U#@v)YYPTg$a);C!pI~stcZIwUhMu_}l(VDw@n?_Zq9Kx)Dm3l-@PlMRkw1 z1(8hu zv-v9Lg@_%y_P2x;?bK029}+KhOSdX#6v%Qp0xqwPM{^Ls9V{ziwsbzCv&60Fu#&Fr znuyPh<5)Wv^g~BUU6(MIczmPyWN76-_~P1zuh4~+Ds8ne4mXXneaQvXJs5^N;42|} z$Pb8lyJx=l(LK<`60W4so1ttLXLB!_PTyLO

ICecWp`DbqO^gw-g!5|Kf`kG%60 z7s5#u{8$4IgD=wxyR72bF?WnG_>pyFhaoi{q$_>Sv)D>!oC7a;bzfZ0TB?(4{Vx&k z_Y75q4~%|WhU%Nm=NaT8Qc6a^J}$)1KQ=l*o@vt?IsJB?CY|T}W}CQqa%MQW*HpS# zX{PV=)bEjGOpW5Xl0F`W#=XR+SpB>{+x=QXlU55FRtALrq&5&shC`3ovh$1-Wv*jO zE0^LQoo~NT!-&qRHlj~^_WE2REpLFF`&K{9BQl@0ah^roqS!{MXuWX-Fa+7&_;eF*P+&pcUH zQg_uzCTZ4Qsc$<$mx+1O&VRQ{{2+?F=4~G>lj{?$>Y!wa-=of~!4M7zcvwO}!z+W> z$yp8Rais(#oVCF5h0zQ%rS0rm6yeiB+D&OtE$+`ik1fYl^b zhg5Ytkx6%N0d<^9n$1}+g3&&(5BUA!L2fdy*}FR0pTd&5iR!L13p*1FLDQ3+aWiZ4 ze;mm-iTh@G^hL&pWXutZM!vhB_@(fo-2yvmYRz5O{`tTuO=iqE7iz9(H8Mf^d>E($ z=@1$VM=JUbhxN>z)MVdL7SoQ2fDdsf)0V4n8PVJMCsG}O8SMpg5^lI$Ke#n3p`fa0 z$8rDDkZJUQDN^)+7IeX~fx?x&V@EzFJ)1+HT}yaGB0Cipr=tf;V$7pmZlKnOQvL6v zTrAc8Wx7!1Cp#%o3N3+FAOqU&T3(U_H0a>wMo+1DVTwkdqAIMrK{?Ne!RkCVGA9^x zaCa=AsM%yeJm$IFIB|p+*cTj#bFVQx(}gnLzi2+zq87wJ|Qe*l^I^!@h(Czh}1l>o?WI*(J62bP0e+c#+nN3uRgp!E$ zg4#y#l`=EfZ3dj#XZkiAC!80&DBxSZ&TTyjeL>b1oJFm$IX=`bL`UC-uBYkvu|Dn) z@me4CO}o+VL`TyZ-nE}lhVQ&Lx(oB&;|MG3 zI?qae=m;;5u2@d!?Injl=N=~$ON)zRnXQh7N5N|YeS{-_%H5-dwpdcq>!m!!_j9#& z&zmj5HJX4)?yE(-=(_K`gEOa1J4Gs7^wft;FPjbSDPEStyKbPZ$er5A(8W;?;Qq5t z+qo)r2lsof#?)2qs%BWmXHqXK;X>w))H6F{A6)gLxTr8;cZ1@n+f%U5^zOzj%b7`%=W-1%rb>Ju4 z&tuyVtf8wx$v6EH=AV|<+j6t0sN?&Xj<)VWsx5ItX&?M?1~V`7aAI_#9C4d&j~-;l zv3Nxz zTqw5SgQPA_hFU!dpLJCDOZ#PIeS5CPp>OHd=VtV#L79+GF%K=DSvo+&dKjwxmpZ=d zHN}J#{;zn!X3uJC_PD;v)k0SPz6>VCi70KEmSmIE!f2KEj~%gfi>J&={mtqiL=~V* z+_XXo%Gsi0~>+;qwaYvZYO<_~6rPj?%K!r{OhWhh-Fg(02cgeqd zEHEQQCN;SS=M@cjiN(B&Q2wxA1g^gTx_>$$<{J3ZT4g!0m6e@KC(?Cvjc8(IWbtym z<1nv6AbkvW!K%GJrwn;5NBj9*me+@j2T{5Jvf@AQ%Kql#_}eCpF+5=QtL3yDQ>jA5 z-wwk^%+RA5o>@K9)H_Qzr~JYCzOy?%gfVl==RaeuVV@Kc9|q5_t^Fv2FW(Z32vhFF zls0GL;9F{$W1W=~#Sb6_NaPOp?$uYk!|9OH8%s;P5;NQ^mn zO{e!VsVO=8w~E!TP@((ll-ij{UY`;m7U{WV=dAxG$XRkNmEf-qM z!=g@r-9iDIgWE74$4 zo45Ky=lYJ4x*pl6RAP&4rVSWDG$ z;G6u^qyrWiG8w?K{Z-;(FhVQ8GWWjy>tdv%PwIQRB&Xd*ua2fi&G~AzH5~`kAxe|M zaE*A^(}0bWy77_8eY?4wgq|n)uU52b>pphs%W3#SfBCcDYu6qp8Ec`j24=3i|NUsvhwEqIseoen}UZO{BNxDwn8h_%iTZN5nX 
zS8p+#qShHkYp~83Ijtedh=gFEI`aLgNf=vkbpi3k*VZNTUgzBoXs6PdmSLX{v%{qR zTLX6scru?#3gn z-31JOwXrsBU}9^HF2BZ-P$H<7jmi92oyNGWGw=gHiq+^KtupWw_Uaj6_o`pNd4R-O zCeW0SUJfSSGr0cAWFr2bVKPwiloulLEDXhA&{KK280?3AS)(VUXAdbQy{D(<&_7c8A^#-JCXuGkoMaDOme~-}gGfoa|A9)<`P7}g$I!<0Qia-W(a~9l&*C=Txwewo$WVO(B9&J3BJbZM1 zFaGM}W4>?kh06BH8t*FZ)=?3bx0}~J0j)~Y>dA%q_%nTO`m*`NZokeNy4?`0HS&L_n}7Ja2NzlZk{fHc^!*tm8>v zGx)KF4Jt$&dgZ=TIZTlS0)MQoCkzFEj#-3#X3pVDfM#^m^mTZT;3;KLf!vOQ-&L{E za!!6@M}S|hO?N|e*xqw%I3BnK0M@KZJoqpA5;ZR(;xu8@OtP9_{UJ{+6;W5>f8Tn3 zC&dqp)FZ-WsbA=&lvmEcn<-Dr;<2J2Md%?ApR2r*RR3>4OSW!_`m+HNWPh=oJsj6g^~T@GJY}1~~x@a&_?%3*PgEU45JJurx$dCKe#0YLflm za+VkHgo|CRBn9JXhHg#=yI(Mae7^8b{9M8Q)U|8cT+&$nuCkI3>WJ6jL=CqwOeMqO zqSb7ATJ_82g#W-%GFrQ{b=pa1n>JeP?emr({Se3Ucy<-T(YyJ|XP+Ftsd+t(E%sNz zS5rmhRh316ccQ|d;ePw}jJPLr-QQn!+p5g;**q9oXuNHU%}Ih{#W+WVC2xYP480R2 zgkf%;xv6jEw2N{qU%w)UX(4#;~ z1q|AutqICBdDNs1bE*#%$vhufFczYmL!L~3(4_GN`lVrl1+(0k_)#2^QZ>C#zWL#= zK|{Eg({0!2Swp~zmT0tvlcF{&eY}PD%<#4$rrfT?R{?$+(euYNrK^O5T$FLnAH<`V zq_SHTI@g7EKG{2}5VxcH2%W?YwGbL)3zAH5RvpMF*$QQ9A?}py>~0fH=9D;TpoljF zomOV9y_xQl-;8{rG-2MQ3$wjg;LF-pJw7?J=(s@myzVdA@c8^;IqM=EGfbYk-n8S) z=d0nTn_asf44lTDdMaz7LdJYVDPjZ{)MO0nKoj!UWs2DYId`H8Y#;Vd=E7`vH~DI# zbFMC*EI0ybq+NyI0`(CvaWwup)hu|A#IC#$IT}ouD+&Y%@~^qrR_zKkI0s9=j^y^; zFB}o>WGzu^RE)2kFf5J8Jq1BB5e7h0@URvX)=VmYvtwe5u@_YrIjjMF(hCMJSy$x$ zoO`%|Jvg%*X8{Q)p(iR?LNqGj)f#w(@NR;X_2?3G-S6Gz4dGSZov6=OqWGQ$s*)J| z7f0D?in_A_X2~e6!++ zBoW_*m{7~jKBy!%lJ&TnJy{X^ol8|Zmh-K@F_eW)TR!Le07QBGNu4({iYu-2n}Ctl zkAo&ySgb~nD|-YTlFn3_bsZWS-HUf#qOaB(c{o6wIu z477YOc8n~?-SZ~A2YF{XXoAm&U^!rv^nH|?^$ky4XhYNPAO_7DM@9V zqYYlZz7_WJUy7!a%VeWZeOUc8uT@Z2>s*I5P1s&_z9zO3u)y7UpIP>1oinX>J8&kP zq3mMV1jNkBwVAq{D17f#iz-;kv?*oTe#H$~Tnk73E$V*{^;`nCtv_@a(3ipOx6^3n z`)0xK;m)+pYP4Dk<8F-SqAKC7JD6BFA%M6~e!cTi6$j#GR1;JyhxtBf4vM7R70t z@I@U2hpA3vvoODtI(VdOaXs1+uxT4K4MLNP?~mfd!#dKhIonNzEYE`xv*kZgRT$1X z^=yi?}lYqh|*G?vVt4ZK6-t+L9JP!uRkdw{KU=l3TGN9HpdW zjGo&`10U3YZR%P}fy*}q#nkj5uI{VR&+Ox`Qn2#6ezRc~9n&f!@ifiu>%PyA;Eek~ 
z(hZpqVcXf^8zFJ~?8C!TNY)H%oZ15}PZia8BA2+}|3pMm{ey@!dWCjW&_q8Zqa36o zsgNm3N-@ra!oStsM!s|K#{?SghGXNAJWZGusL>3U^;%bap=f1w_D>)(NxE0CfBCCm z*tu8g=Cs2oBgT%*0-pg-i6lS(I)~hpAv(P#K57lw$iMe1h@JMjq8HD|C2>2^hm2zz zNt5ldO@OH5xV9z@(X7FuQRcRD!kgiwI7uGYxH%ZzZADsw2~FTk!DU(%KB06f6|w5K zuI9Dr$x#fTPPrda^$#3)h(a1?> zqYF_>>{s$;EPjkf*?QkO8Op^BSunWs8^I7^I+`$CVCS@lz00@JyUAmBQkBH5H1jz8 z!p3%{W2|m`QPz21e)Vqw?RzLchu`>O8vpP>jBmm1a7w2WisvgbN?CzN%p6;B4{EtI zmd=fbUeqXWq|5z{$gB&$m>$s$g3My%GyukPFwlj*xQYmJHSZw;4Om`&v*p;N;T&XJic5k zH6-(>z~*cT{T`@;H#`p6L!qAQWO3D27rSTU`q$S7tIO#8o__*~mPSKvK=_2I+Q;Yr z_G`mpow-sf6~Fr@%J7C!%onD=@ZFt8IRq9Tc50xFdG@M|_aS6BC?Y(m#Bg>`OY(Kp~1V2GkaV5fgkd}uI{F>T_3yiiDOJ7bTzUtMp6uyFft2wg)4(sC@d0%8Af;^XmP+<^~M<(RJ+ zZezB0Twn=@gQXsSB&9iW|ICM;jX^{(^zIs+dIPzCqqUH)^pS6O#d@3h$~^C`XXE&M zH|qBooAIVopozoZ3me#CM2|h}m*p2)Iy%K9Mc;_@8(e%o{OBV#Mzl{-@0j8C8 zEmTCK8kirE>ZJ1U_^ed@IcmKSFR5@xF4;5XSTr+J7*(Mw4zv_yP@KK1we7c$@Q--v zZ?Q(8DBWvpYL#kC(gFUE$%NMhhavEv+-KzT5*sq((yw0@ox(O@7V&@US@6Um9 zx0dZE;7#Ip_K6%+;c~dmfccvfx7Bg&gaSv#YfFZm$G)XGeAnd0Z<{TkQueDX74f=! 
z!4u0MNMKxmafn~Uc04Ks65DMG2`BL?Ic>$PNb^4NTwE6xnyA@}VqgH+*l!p%Y>^`S z{kM@r>n}!%WVvEM3%5TUaFZtFJz4{PGRo#(vsT31f9J1Ip540&%&}Q!*b(#bIKJB; z-wW(v`Dn_9tQKv6eMYZ?#Y7#BBUHL;!H;%LrG`y~B&*BzP%8zkE+a|Sz=utY z-HS--`aoGV>g6K|jazg>h#hRP3qjU|-XNm_WBzf2v^`HxA!l#wsHM=Mh)QLuU{*D; zVL<<8@SuiO&jGa0GR|u1=s|O|^{G~_zF^ZwZ9r8m$A;GMxh7nG2F_t#?_$V3sOIvXWbDT2xB5S5x)5B=?qj3Z1KlY#yq`*jY+Fwg8 z2koekjy*zabOM;RC{n*>7fw?D=Q^Wr4@+zbZ4(U}B4JFkRUpzdA=I)6q&_R*Y zxI?@hR@{<(x=4Lo-wl}xlFF^uI6uBbfu&-OheS3Ez3DyE2p9!s>Q`e@1BdL&^813# zW-A35LB?Xk?RxPZ+d;;vKE6HW&K4@$_LdGQKSY^C%wXIc^P;5~U^`lVw#Ku{MW{-( z9{Qc{8-v=eR`OlqvfmdT`=ukYguwv-qna%E9f+-TVzR?&2n7a= ziY{Pc_8{7~ny>iZX4L=(w_ukZPI}=QQz5%5}db?o1_xyJdR5W8*gP=2!F1I zoA^&G;g^d4nI(LANN)euNa+slkdiBCf34cOrJf3bKT^m2Qr-r2e&cuj6D+U z@$zkQFlN!Y$!8+JsdvNdK8SKfBiQdH*8dGr1um9Z&<1t)kJvI}cxB8?{cp&T(m*Z4BLGJgQHb!F z)TW%1kVgjJY*fF}itM=AICtp~9FCVW3S)6SY&(32Sqh(aeyLz!2|EbF>+ajoqed`J zFFofW>y!WltR!G={43&SMu+y}O_-ewU(RBv3>MP-U&iakK3|vMS z&7UNti##p$ddeB1xa2=YGKNNc9=_UgJ=U&}+kYy#Kp;^#8TXDtZLrnQ^asY9ot)@@ z#{7Fg%+I)Wc>oVI^#sD~GiNulljnY1>voB8(XPk~#hD-M;O6>X6!>?|liStm*@I1h z5_~G2T&3__2zjViM3Sjcb`q z`aN{N|KRA6H_E6si<=iUEUk5_q5V~t?a%|2zmNA);J#pd&l9OxK#J&I7 z+QvhK5b6zc^e;w_H=F+f@l{`RTC3`8`*+`-bP94-X@bjtmlOja-*ETs)Ae#^@l+6W zO7~Oikr~&A#IfxtN(sX}(q)Gnau3Tc&3SG;kz?HtzUzKb)wWc-`xg`XP-YJ6zEPO) zWQ0I)TqJzs;@P1R{x)h*!*wg>`JK_hv+`#%_}ADQ=xy#{v`FFR{!fTzS}JYstJt_L z)hHqhMRtwy;Sg$xBjGy>tLLy7UIxEz5#GL*Kp%8g5t)x4`} zk!P+1CH)50GudbPhD_bnyXDW@c2l2`j^FM&DzXq(c2u^h&+gD7Jh1_F0F8c=Xl24T z+O@kvgYYeUVRB!XJ&SMhX7(#6BY7f-;3CdYLA7_mgLkLMwdxVwpK6GdQW7Y#fE!GC zw_M?)Z)uT-qrPa~heir+2l6~&93a8lP=)P~k|@nuf3*iwzfL)e(7GG`ARydHJlnxY z=%wa)X^|__Tz8-rmXM)_%@%i}Q3r~6XF;{9zoR-_st-rZ zP~B4PC%Sbf32{d|CFg5IC=*ts!rC6BfumP^>}_@PdHJF=Rm?jI3++8O=+2ebqep{2 zTb}3)Q@;e8Eu7~BtI(dy9Z>`mR>qok-LHuClqkL^s#|am_QYRRC0>+SSYJv0`(7bH zCYS6r{zvt0aFK)C;Wj)_=Hq43C-iW9%*RXWZ(EDbs4{PmWU<+|73Z)YI+wy2F%%!| z_YV*+p8cF0R_;XQPU+jGwIJj;qFSLA3N8_a_^~{eSeQly&24D?L(Km}4v%LgUQ)@K zuNj|{BOUt(>70FyK+A1+`A+?G*+QMUDJ}tlh2fW(T-nYrk)Kh+hiS7ARqCCcG;^1$*+J)I 
zi=GhPQBJoyE4`T}2dh;HZy?r60l+tExV6EPYL^&rMCwflgx zW6A3y25FeH0aQd%^_fh+YU5v6xZkPgV~ya@uI>X566iOM_iers9tT-COq@G5^A)WT zSvay8ND`sP4qB4Be{s<6r8e}KGBh!m_>6u?0n3Pv9xW|u-IJeM)=+V1Yn=Sz9COIL zw$IcYXiEZjKdlUNFslr8gd#eIeYi|5g?|39}2F zu8SG!MYB_wu7pNDqhG0OTMy&(ntuCL-u+sIG~%H5B?>53=#wbz!~H@Dvyjgy5`I-= zPMOHm+rhZ)DeDM~8t}6;4Q9A_gs2bU?Du8ciLUsOY@F|^zn7S>>kwFU|1hLE2M(6o zllkJ3PTqLSZ2_}YMgM7a3y|SG9#7Tgw0-WpNBpm4j^@7kB7Phf8|R~xr_D}h z$LlHazuVa%4AZZ7V0VPzkPNsXOrBT^eTduUYYKXe z1hFEA1m=E;`naRvluN<_dUuZfHVA=zZ0H#7c5Q%K>j#ZEXyZ& z*f(kFpMOU11B%CzQuGg_IXAi7?RQR7ed%3Y774q}Rgr_YPQJA3cU5lopuJzV@U5#T zWN=T?-gYuVOkna`v=oeAtlIgsMtNZ#~^Sz{aY8Qj{Y9?B{{9hrs ze{f%c>qNhaD~C1C)xQ9-$?tIA+n~;ms*=Z1H8i%Sa$Yhac0axwPLF*6h7LI#90Vg- ze30Wh9K9#cw~Up4Ty$RaC^~>fSBZuE_z{F5e%saEg#& zz43casv~h zmKz%DxYy$k@n=uG7R(QFE%e1ll@=97(!01hbn_nugVgT#>X(Ar8}%bj`q#Wl$=gbo z-=U(v{mfdlo71spTq{HD{p+COqi@X#<=ew2oWqW3OI)Yr`_mYSILh_%`p!Y(N$h|6 zIDdWDM|6MUZ|i`R^xzDv{H~r3bM{E|W@2XgTK+oMu}r z5-WJJKiRUk)K0ljM6Jjqu#;R?VTHoqX9XJkI>sw2@je=iIne0;NGYQ#jE$h2%3>fj z%j;?r)VMfc$rJ%JdECE0+KM)}0)sStYbAjie)vAzwTU(Fw44P2B+P+Op z7Ma_gNqe<0SUo}=f|Flj>N5w%}BoPBa2(dFrH;5$y}%hb>qEp zoaK1uTlwvV<&2UH+`hgli}niwE#)?Gt^>FAsLbFvYV%?2%t3D>Usp=is^xZQesGrL zKrtl2^}^G0B5Ji-wKHTtO11RGbM~HEf?VFY$KdH+uw!dF8sju8Uz!AH9u$mf>CHr{g7r)=Zaz3nVjK2{@u1cW1|WeqcHcTmPM9e?&Q|s4Z}B95UdOIKjz!tX32MfNU@R>+XMA{ zKu0`fonslnOQ)W;?+BXs{BdDS(oi?G?#Ie4kb{o7hN#RzgglwKS7@^z$TMRWxmmce}k(W&-72vrBd zSjEyi9pQVl9s!wpuV% z@bO^%g=J&ztw~7PeXIZjJzU0Yc?8ft3VfRJ5o4x}cWR+V-s?=-zqr1v(?rLx0H%>{TLxC>YPQQm^a@21lTJu-$6U(Vs8~zwsK9=3!_k)t>317gJCv;PAH1k&1{ABsSn0$)i`DWOX2dkC_Zlk z>K8xU#p4)k?*pf)kku@BjO)q#Kao3I5X#{34|lH<)f#@(NDxXIVzCk9{1M%S^oQq` zs~dN@9hq<3*b-tpPdH`8kpE_pzKRkHWiOEw3_lP_EFc7!MT;%}XHk0{BRximZrkQO zS?Suex8Ppdk7PO+#iw9TMw5$UX1K&j z3fbWOe+940D-oNECCTc#4mn8j5IUDbW;U|@K^dpZWfn5F@hr5#%xfJxvuWni;3b7K>1J@bFkclbZzb%XyKylzjv8sXRk_b73Q56lMU73r^!FE6=OGVR-v+GLHF9^az5- z&tau7+k_&os3`KuPULbrUo-GjBr^2KujWO+kDGKNyFnP6u267oM!QJpjcS2K&I1HW zSpFs$Ve99Tdi{_N8pXP^A;InAC4Dqnk9iM&n7wE;BVIjfMtAacLN4H(lyZmLU|qI; 
zq3*@rg*vZ=B4SD}Lp`Yd8G)Fg^9rOB0NaSsP^yM0L9M`jB-n~VegR6D>Mw)1| zz$T0LFc3Y2hnledn&ge&I9xD1&a<)a|Exfaa~ZU&ix&ye3>wY;b#rz;@)4gm1nHvh zw$1fo;YbQ==s`^`hl$H7nmM`ylXd{wi2@=k48#o$t0$|5D4%z4zM9LD?p1fD5L8tl z=9fysu0fBqjX_#yb1XFMcx{RFZC|NRnwSmeo5$8b<2Sp|*Sr#x8A;p2c8Es@dr@7#KRi%{lzmAljm4aSiRd_Ww5?L^7hYC$PJE zqGe;2u(8%$L#5%)yO9snmAmsx^22kCzb*J=}jxwgZll>`~rxJ9m__7>@O ztUTBk6ZbKfi^WE))Hch6Q{cUahjAS5*to`*9m(cc+{%0}b z(fVEv%U);6KS;eD1N8B~n-L?b%!=#w+K>nUIZ{w`;z9~d$TzZqu zY18fCGho~KN;HQ+UbWCn%;hMUc>(Q_4wM;-;Nc3rJxt;g&)J%IB&ANbb#_0JY#?-c zoE=ae^1Aoq;IA-z%S3Z_Y(9XFG<0GQi&3M46#bJ!&8^zDf4pGy_f*a^2c|MxN>KDR zTVTt&mfpl-b_8lRm`p`;kMrk7H(xM{!3jE9g}qfq*^EssH7Ue5E=SL@Hhlcp=-o+XvrR z_`M*{o(o7XpJd8r0=-fw?#=#27ajq0VO^zfU1mG7r=j41#F=3~0XkO74WYF0+a{6u ze+SJqoRp>b~uhh|D~l(UZsuP2fB#aJRj6P>mmiRYd7 zvD%G#lFEzX@43g;%hseXE7a5?v}xKFkPJBA>?EhB###d0WVxo zk~V?vX_uK@fOfQ`d$>kyA6EEsgj)Bqp}g~EkoP3)pdqEPI@n#gCx9$5P#=K&7`Q)r zu=LYpvLs5IhtCpk|57Ce*;XhzqG114C4x8{@Sw=$seG*^JthO<9wcB@ z5agI4DmNxlz7LiNG@CMN9`$lnseOgCh%@6W2*j}7-2q%R9|TUtWbd5lJ(s+h~Dso7?3R(D>WmOESHTa>5pT zF^2%o&vO~Hp1vJ5=0{e=-)=0PdF+J7FL*L!q&;B*t7z1suoli?tht+Gv!3rW(d$BS zC)7FJvsEExL;)BN^IosfkQHg}a>6N~HNs3J*^Hx7_3xazw?GB@e08w^?{6)ZmQ!QodUqBN$B(I>6_B~UFYet4RWZ!`Di#xFtB0zQ_HACVjBA|;2~KY({{E( z#Im#KMhuSrAkc9}YUgR`xFy(i%z~8xEeOp+JrD~i^6)|HH+MMkANi`k1=RUB3s*7o zF@i48a^tgT_TL?e81mb^%cET~605}Smr}3Y&}e-hmdu(iBC(UDGsM0itwV8a)-Q1 zhtjD0e-H>SEuo^RxN?n?K=qlJIZpTqOC@Vh=#cOFI0NU*!UB$^jJ{1)F){O02#Ee;b((YD=W zbUTe-rh-RkGhhsd0VVa$^6A$As{0Bu&7@1OcmXpd?QMA`mUfMHyH;nqDr13-M&ZwBvi;$6sU-5g5!GldU&u~cc5LJ5G`98xtQ(@oSdtn{??7K6G4f#!Sq_rNMl2l=! zv`wr`WPXA;n9UC+NegY~F0%xEr{i#7lg>Y#h^LyxtY#ij4igSo5(ITTy0E_ldv4p? 
zoS3mln$?}4%RYW5s_VMd^ub-x{w3u{?|fpL!?$s2lF0X}TSAB>YG|v3VxC(*Bi!wC z^(eK9=6Y3GXUWsd&VLO2E*&TY{frSJyRCsvHJ=@YM?{4WTR#C2qVYx&Gh7wa!H<4k zAOBlZr?@~8VS^gywJNn++V)q&)GD!jJ-Z8!v8Qx=PnSw?S)gS=_bDtZT2n_Xb2InN zRH-54CZfwZN2>YT3VP}f_gSsRNq&0+m#Ux@w|oOxJ6wp&)l)KoLv1VzyxpRQ5~=no9ieJcJvVbc{b{{!S-D0u1nhFUFRA*QA*d41Yv8 z|5ACqXOhlZ?CQ?s66aH3ptGTJE%twO|*ue?O5y0ZcIrW!$ViK3T>Pk>}F_rHuWQ;EJL&N zBbfl^1_(z4ozN@(`t1G|AVDv^7hb*Q- z)sC>%!hgSy`RN`bcI&@`9vYW*%Qj9P5{reWMXNOUVofw*$={b9rm1B~IR4o7tV*TX zd8I8{p>yhY>T`AYGX?1Ifx^= z(lDu2O9EMD3bq5!nEmcy{UbaS797wf^XD(KbAEVLTr{5@xtZrr4Qix(VGX7C?INcd zcKSs`;iz%KqEh=*pH>%w-ovX!6aDdDaN^o`f1~fsM%5JSQWREUy+MnzSu7ygZ35z` zSwjYmJ{&R| zAv6~z88Rx&^UMIgK;Fb|PkWPSZhj_>xA7xTK?Y0|yintw^TOI>X}xA@#KQ5pZRySJ zy`*^w@$n8jXR;>iK)c-4tXU>x;yz%1WShM9hYjP z(p7#OhUlmn>-o;6{8N7U*M&(JClrHBX8p&#uNNZiH`xxE((mz(S^RD{evJ7%);Nqx z-d38O&+5P^-}zrxzEO!ZJD49mUJDG$r=TE%gQJVg4+yl@mXd~s7H3C`M4C%^T)+$IJ*P2_ssbR0?ms7_} zJE8H1A+00+vDit3Ur8-0zB(=YT-XYg-twU17i-avwj*#F1NHefmc<1q0KeTHwISi7 zxl`6SGW%`P70&=*fI`gUxIaxtdL#sI6~u8h?`7k?rFyGNu_tCZaGl_nl^K7jlz7-m zvkXgIu_RDvAOJeeVl*H1b>-#VRSRSz~=>$n?9&JyBv=jUw*(zzz4f_^L{*Y37F zylK%$mM222{n+fhB5+M4mw(m@+N}P5qhKc{Bl*2&sD&!Be-BG-+)g8>a?Fnw;f>wn z9HQ9E(|o-RjkLoIS;UOPetcci$~&yx)cnlGtp3tQj)JJO*)R%Z9PIG43kl=PR3B-g z(p;g0>)xi^#mbAw&Mdd`YqL(ZJo}|@#+b=M8$#WwhnbV^eGX5Yv+H z)zK}*ep;qi&hqRl{iBWKk2#~Tv|~Oe^#r^FzoB}UQcbgihgY;crJFG`Nxw86r%|lh zs}#ZTv*e}s%Q4@@X+iWIq*p5g z;5z%^*j`8fLHYgfFEjA3@ezITH+dIB5D?qiS_d8J-5W**BWld++9l>Fej2;^u@=+yj%xW%a23AY?eV*svZrsY+WLB zO!V1NYKf(_xF^o#WU4@IO_spxK#%@Yx4a)agY-$YDNZyg#195V>DT=QoZ3NEF+WbK z8?ljM+UpA44bhaSA>`?}d1H4=BA2%Sm03nEez_6$EZ}j4;tg0D2R%P4Qp&dSX&{uX z42GFCqmgR0l>Gv^GVXcJlu#M?)Esf$J-NdkdGDtKW=5Q-DyE?i60Pymp_!li^nXyN zZC4or`0qBlOLPXQn|NVIq6%iB|BBP1^IZ9~LstSnX0A?Ek6q6pE?1Ry&)%fus)XZHY%BFTM#b_Bv#QE&65y;esZ?u{@VnXCZ*=3|3hMe41&VBY zTf{En2XC>!e9}C#lX)%S0|t@jCFz$Fm*CrVjr^2Pv0WKt7u89t?}SL(ffCMv>}KWg ze2TRrj)T%xb`+Vw?Zm?yp&Q|@kI0r&H)CrMx!f5$&57XXJD#uU1x~7hPYRh6$yThP z<9HOsA+E}Yc2_IL*^vb?A6mofAze7Kv!q^S9T6%-ta_!%2Fbh1iQyH!a!eZ)%Md!J 
z<@B3GAEHCKDdCXvlB7hhB%*+pLV?b*M=Jlw6$;uC$B@SN)DC;Z1@>vQ0S^BJgq$iE#~@FYDzI?6?faVOjh z@z>HTB;t3ka{Ma`y4Az<>bMsC{b5P`_yVDGkaH!@mhF#n*(XB(A~}P(+5z7vofJ#K zD>-nfhMIU`8zeR=Sz((iuV?P-!5_bjisRB?kb6#p&N27rt46UA)l{Y}?ugOJS=jVe#bo0K1vZV;6OwrxJQ zc~MsFqQQ=r=jM`6uKRgBE+?62>xv5B0HK}LGwc;Flb=!6$1Q^bp~ouGH`kqSa_=9P z1Cc-!zB+9z`TI_f8JyAyW?F_oR~P76UENiIT_VRNw^uQ4Smp$Tgvdca?V&_}hz68@ zq}*ib!hN@7p4TI>N&7h;&UOz0MSA2=PrY)?^WwUWMSq8m*k%U!liF-gvP!LPGn+(W zv4SFh))#KrgJUw!0q;6r&s~x5j#D-&_SZdq$x3dp^Nval%)@zfR~oaDFK+C7={9Be znS?dEcT5S1V<+Afhey;+oOIuoM4q|_R1?*0He!7U5JBaKFWv%itkUVa%h!K=A4LDY zL{4EwJv*GIX&|>m3;B9tfieJw{Bb3VSM4-PwMg6)cKF)Wtz=F*dN<>>TA)3{rOHA2 zriP(4e8<9fSz8&5Oi7ubYen?1`{{XCWz;k2+iYW9k&vHQHAuikG zhf?!Z^jV0fQw)bHeWL8MHoHj15l(Qirp~_9Y-jf+h+aKw0_STTM;sw-KKG#f5tkjz zTy_{dOUs9!R1QUybEJ8mMXW|}ZgIYbPm>1)VbOf-R?qXy45Ft>j%=@`9(+H^fu+YO z739+uH7EK8!tw7}G=}*OJkA<5@Qt^MWLGtvi;Z86BRzKZZJCgO+HZ}#JWFG%7(`he zM699kUdaTYoBaJ{&Kinit`OrbP*9An0;@19DKmO8J~Hln(T^)YP_yZ{>MHM&$#?67 zyh>%$k053(Cqvhv*wzM%R9&qd_~?!#g&e<%*Q7Qt@^dJoqpbs)dc4PGA)=&xyI10@)|t5`+&Ue|iW5KAIe)7zaxJIavOY;T>X zchFrDE0IG**8Ox!{%!6}CIvBUSAt)I0ZCJ^9?;(s^t3kAAD91bT&V6f^6+eWrJ`gQ z3H~g%ZYR;tXwJ!d{oq0lW9_OrlWFBwZtGc>Amrz5ET7vAJOSTxcJ*#)X%<)g2189W z<nw>2?7VqbHl(g*J&mZyHgpn{j004FTH&>YFIH>k+rL zWW`UBuT9%-J21)k@4e)*Jw*2Rqn#%8%<|AVq6T%nX7Ep#XBeZmLXeVb1X;zwL%L`v zm`W2x<_hd>6F-^I%W$!{)e`+m2~f*GpymGJ6{K0pN{oXACZ!=6sZhOQWm&Zw@+M!+ zc?-GNbpa#14@JH50?O}KoaJRt+8h;@&za zt}bo+MFIqO3GVJe8xQU-2`&ki;2PW|&;$z}+zA%kB{;#|N#pL)*tdCR=AD`6tvXew z>N|D*?4qmLy?d{n9}h|PI(rm`nu?}go(vm+o+eyw_HbC7Z;F58!u^hb3C zSsO2Z`VI@GWC%wboZeS#jt9lZ+kI`Ukl~l`eVEjNSU?Mg48f*IOi-oEdlYpq#aUB^ zGB!T)26tSzl8ajMdg@H=`{;&CXM$bL_xvXP-|eKX-W;wjtcyfdblZ8MDk&%i z3|(>HkX7>?7?tlX0S@Ft*O#{ykqNUJ$Nx*M_fVp56@a z&jU(}Y*7mV;!1ld3;V60glAS1iGX8fEy>u%9*p>#u;jgj%r3n$DbI=RE-~RIhTd0$ z0pr??kE>W%#Z1XcFC@6$D45cIUBP-(&*9|@LX~5rHd(cr<&^#6u((f z?^Py))rZ*V6-6~Wk7H#^s%;dbNneFEI_Gxl?`a%Z@h_5+Moo=z*2aUIvxex>&@Kv) zdq)+&R9Eva!;zK|Qbs0MoE`)+LUj(sl$5%b*NAG>JSPQfIa<&n66lBKvzRFQ!yNQbQWL1-DY}oJFtHDw>#g_1op3hSZrso0pf{p 
z;zAWcq~z6X6tAAQJFD=QYCobE?cH;oi`)S5MBVQ4W>Ah>Z!%ZD5SWCTpv;*Qkj_dW zl22Koh%R0+t8{vQD5w#{Yta5~gWyT!5Bnztk@qbie6vXkgZ7TK6>hkFF1SW;{3Q{} z5$NAx_dkQ2gaF_|^3cBDGynA`bR5`7cB*&H1QVC0B_*UcePU<1%ET5(Z>?oa$YjK& zlGL6U-@lUi^|A|3JTWO_=li)TaLIZcSSEb~pSgyYS8(`YaGlEOnr45k|n>hmZFtvmo zc;UN&Tw(teoQgD!LuF+Gqrua4=KkB`#^%4>RTvs9d^l1^9Q?T9uz#N#|9yu1_bXyy zxb&#jPE0EI|2Ss;`z`HW0myQ z^~O>oVs6*JvYfxil)$A|VoD7ZU9UEqP5_xH9f+<)CfO6F&G^v*gm zkAtd{cFPeVj+FdfpX(lz>5^3U3uDjsI881C0xB}#7eyQ+xXscem5VMfAYY`j9&Tj` zM0tHokE$^NK`^x5iP1#qw~NOp3wzpG9CsSG84DkYWW;R0)UDOnaZG(_}>GuOik;t*F%QOAiWDvYHG*zmLIKIMI$uqUf-xs9K(ZzBpIeyDLC z1I!tlb_Sw>Z`mSOk@xx5MrK^A74i#ASx4oYop>1bcw_D#we2MnqwP&I;YMa^(rR3o3Qn<`2)>hp3;gYD~A3;J>jBl%3c9ST0hRA5-_% z>yt0l0qY&NKu5m+=)S)V+4f3!cor7QQIUzNG#O%hje%Fe&g*Jddx$oJT^RUtnhz$i zfs%eE@TzlBjcfA*)x=R7gI?Hon1zi9JxWg_<>J`BS-Tn1GTc$5!_t_JhQq*?ZD0Q3 zNp^U>D}1dL7qD?WsI?*|v-LOltMIyke>A`1{=yh3gPWoYw8ka|a!s|f(_eyKjhNdv zF1f&;8F+fGF`D6et@Yk$`u*`f@B@b^8$#kpK?F4(2t*L1Y5W(gNq<{EzzTm^6UX)z zj?-KQt?ib6G6AiZqw+cHGH6)hSF%T0oe`a$?CJb*p* z+JbGV>8j6br|y$@n;M(<-2)71X5M^DYAfjOT0NsfyeN$&57D`PDzh0an7`$r3Go{2 zMHKEUDgJ<7wEq^~p;e)$=G)z@b-~wmMg}<`-4qV}kLy?MfC$S+o*z89<&g$^xi-y3 zCnlofRGb#!$b}gnI?25@Dq_dwiv?9Ke2&L+V{g148wnU02OlRw;h+yUi}nF#G@ndN zrNRV{jMqL+qMP)nX2qK4?b$oHiNGAN)kSLQeByHEWR}ryt*-kO@+~*V_^f|2cv8ym z2sYeU495)UO|li18&@_RBhZ7|(r3tQl@kZK9{fe2flt$^!%%8D;5W%Hzcg%b>I!u% zX4!cA_m!sB{4$|d+ILih1o_kTTz4Q~1dYP*t9F)tEfAI2ww_RM0(w!E1vrbhKf*-` zkC|rrppd*+_0dI&Eb@fzqM-qz|5;w{NWD?Tq1%}pI5S^q;@P!t$$VTi1gvx_5P@8h zuzSB;u_FKpE{Y^67^r>#@_}dPB~C+Z(EA?Q9`IdE9 z9Y`yiIjbAlXw*>P683C;vNjwc{svN2UKKEq_}g7}{Zpvq76!ln=Slq&E;u^zU9H{(#Dw>i%?9E<%!#O_z@T zJhhX_Z(`-V@}@`VeO=F#&yx?CT|=kx?Hd&`vAzMIj6;%S-^xo5ts0l!W2JKHw z_(AIt41Y=fIiUOg(1+)-w=>6!#3;GX<4Y)sptb@E35Y>RX+*KuEqCwQ_C-qmFs!O4 zdi{x@2UL+GXNwRe>_9b@4~b{H9ux9*(Lu$U=Na@8PIQ@BzEQ6rdyoAzRjh@`t;f;* zarZf(l98m!vp@&+#L@-!GQh-`!mA89jNGP6-vHM7h&2~M=0+JchhRH7{76Bm(9eQF zDK%~<)g8vLzLUEw*yi1cNFx)xUonJ0X=S7?)OC9{6i?lX|KmJHG<96@ELK+Az{0CN 
z*TxTcz~Uk9#t4M%?yc9qMJ2^wn^ChR&04?t6yR;EZerg~BJjKZ#o;VPM+XR3Cg3GZY~=nLq{Dg<`5>AP!DrKHY`Yb%s@}LC zvfFA(?#3;kUkCq?q1$nD^69jHuln^|^R+Vnr0+Ypsw4_UPumC4xUKqTo4?-xFxt-L;97-1@5db|)h z^4w#%RKIiM+MyVQw_Sxbai2#pRtV&>1pWFTmS#tiXWV4^f?=e9t%Fnm&QUM&`~&~k zM^rO`BZ3hwlI_&T%`hy#joupC^DOg@-gnp|^l1>O*AjP+w&AU(q&vwURN^AA1ym{? zB>F_h4Qhq#Fc&D=14Jzme{Hohrv=yueWn7={fcuVxAeWqxeKzMOYu7|^pRFos;ddS zF`WnIv|!+YW0}5W_8b-z_#gyxUxgD@{{d!=c)jKb<}|Dv|FilJ9NT(PEU#1SF~=1- zZYK0U^lTG{J8gpv1J}6+VS2MrO!z`W!ZDpkxZbDlab`FD|0_u1jS{yY=#&0}7Ih-m z6-r`LIcxM`AzA)XjqwNexUpX&Q*kI}eQ=fi!Ccho*FAl;U;g^9-$){%cF?B@0Gm0& z^$JP(*zux0iFl@lRX4gJQZFDk2TJPdzEh#{P0)zg$xkvMV^AuRSz>&jOapE2#=wxt z2&eZHLphC)?gjIPR9%OX{OJOS!!VK19#w6?beXR}$+>oSZoEfOuHNh+@i;CQAP#wM z*6hy1$Oql4iwDv7WEbl;@TSJN-glh#rFFe(ut3g&6+&F~Njk2Kg(iBT2^oLBtX{8M z#OZn_4nu37iNm13)@``~Y0ELc?UuN1&9fNbpC+@eFC2RgvxcYDD1q*~X5H|ZTBu<( zK2N(sOd0PBQvMZc2`oM+_lThVW= zkjEHwK8MO9a0nO|Yxfa2Ap%_JWqI=}Y*)#DK>@EL9{#0cxyb^%K_LYn+4EEvXXRFy z>1jX@kmw=sAJ)tC+j#53pLqo1d9z-MelU{$-;3%$kMtCnnA57lfb z6*kjwRl_7FwH`sP({^!CWL1xrB?bsK?j}OS0iB3q7&|BNRI-IKw4H@d>5v%63I+7K zzsQxUgy&u(MI+Z(!Oy_L!xHnuic1Pc2e_`S)j*`A#W+TtM#-imcch!vz1Wt{u#g0RPZ5gVNl05IKT3IGn+U^p`~6 z0t=t7F6q6|xX|fa)h3(Ly4)F*a|O?(J)0GC{t{VZju{jM{rsnz7wI3;a-DZ6D+xJX zR;#c<=`n;@BoenF9_J`P45obZZ>ddJsrlS%O^KFkg--pX9$6qhqhY8r2eTKE55{O1lBf^g!)Q4zGwjAON3UB}}xGsLWhd=E(cl##v z((TX+sP5+`#2czzt7xv6+i`%@vcW-YpOna^b+{obw1?jIAWFm!k%oz5iVy@oa- zJ!iW63AfW8t#pI#S{7Vvr{h-Sx%Wv2$L7hd(NM{G%Mno__Q*udje!ut)GklzJK}E? 
zt+LKQod_(}2B%Z*vMnOrfCVTbA_7q@?l_@P zaUbUyKn!YJ#5bI!=^);dIo2vlY$53T9uUm0HiEHL$fr zJDV;}sUY94auG$m#R9U)t#Fpku9q0Q0@)dhK!d>S=oF~}HX7~3s!Y)Y9se$i%B20A zd#8P!!!eH*-$%Aj{F~{kV^s1S=|{{+3x~0tvi2wXe#4b&eCeA0qHn)wm(Y!Z;qC&| zIX5V|IsZ`eJxFv$`RtvaP9;CugXL=Wic0w$3 zthMBqh-GQ|o5Xpe)&zq%)-7F5B=DrP#WTt(Rf_a5DD2Ha#A1hDi+G#Sja=wvg=pyD zA~&LSqyrU7sj(?+{xZJ0Hl}eHAQ=cF^G0jQ6B!0H8HY=bjZMR2L`>A@g&qUx0eE<+VM;ifNLYU{9||CktGqXocawm8m>F-WUv$A!!9DD= z&z^X_`bkMww@#vc?sJ({UeGjADi1)K@CC`l+6p;03-w*eqr0u zk_f(JZytW}&i(Ph-c{CYdxR&Zri|wuF8#0d6w8vIQ(A_z8;Zt$KTr#i4OPO%a6~|Evi|2K}$J3DQJ}0CKLe)+cSpIyYz-)~mEfwRbfEBOK22 zx-fVTl|4FdFYN+P6kj8I#%-f@PZ>&?UZOJ9c{sboVa0aGXvlS*9ZMMhR9JE*=2sRA zN{}40n;6cx)@}&$V|#=RN4z%RUimB`pu8h`$}5`Al2g?GN`93^zU0v2F3WtZVS2tr zRSS7KWANaeKd9jLOQ1I}?*F-VNc0UlB;+Y?IvXz}f}51VT82tx@Gy+jc$bH2e2T#> zJ(%c)-QeE>se}M=Q$^P zdGQ=zUVJCBo{5L9RszZM^TTyM*Qd@|EBndKFMoRg+!EH!+_b>|+zg3&?wE@~b()+yD3k|dk zI{7j~Q{+CtyV#2$_)Cewv|HmDs$p1X&)p*+dJ`a;a28`@$zxZRP1A$6DL~byN4;Kd z8h2g&zDX{dp<=fPkg0TE@nrBayt}jK7fJLcf8NA*8zb|>nzz5(L?u*7?TImkrN7Bn z(*q(Nz`fY|Ay+HJ2!&<#&aQD={SSldKORCGi@E$M{bXtshifk^>&(`q>0qagFL*p> z?9=YzITsuu{SxrPu|K6r9H-ju#YuyF1sc4J+7d#`1Af>t zJ2;a3s|NYc!f2K#HC8bs*zHfeBUoccjyiX*c9vk}l5J7_$TKH0@?&?3*X)BlLgH~l zxAOjG>#>M&>w;IluL?F&l2NKuH(5u6WYPQWD!}XuUDJ5;mw)!sXQgxmG8VF_>;8CX|AVTYT~pbh<-R zy3}W@^P{cLryMnae0iiaY1Na+phfucc9eGJhO>$t$H$#V$qVV^7jDQb*|AsSHaPxa zIrkZ)JB=J{qW3J#BS!0vxzTvK-+6khAnu2i#sEk<#s%p(^o4^4lAToYKtu5pdEwrhfEyKvR-JFSVLgkXZEl3!+mQbh7O z3R>c66M-qRnRF=Mwux`GZ`FhnebpS#gsac^KW)?&tMcPHxzho#$+YjllH z8f_*-=H035J>1_UIAu=gBQw`{6zkWbN6N;Pj(NO^&V8WA3RjW`!152#ip^7GG$8B+-o?Eu5{6+}oc`4_uUzJlp%GuTk{?o zr=O^~RZ2CIJ@G%ZZ4BB^530zL(c;W|5O#;$6ahhGQmKCSK4$}|YXWi~xh+Z|{wX!d zyex&a!>9;XmRwe))JVYKNBvwA2^G1|^zr}%e;5Q-KNq@p;Ks9c*eiA{yZ!S=T;(Ta zA@Xzx`}2vBsvG=X`op~9mngVxi@2?Z+?uW1%X+Q*39?f`AEM^@Tnp_VAzY0T8iqZvG zOO+D{EtC*g)6*5TD6$SxQ5%(PPu}5MnkM8EqckQg#AdpAY>Mi(_P*oWRAYjw!@5^Z ze9n0@IG#P%{GlB;1j6LIkC65BXxmi$w%+RMWKXo9X*lk>7tGVH+iR^|ULC^mEP z|0^i=si>ev7l@J0VuaYeMn1bj5BX=aXG(R~`TlyOSafa7e&=i1#1+XXvxg)q9=G2X 
z-2GF(Z-ZiLwem*3O`?y|AaEsV)Z8kMwz^WFa@kuE@bEn(_*7l4&CbJmq-=5It2Vv` zbvJGp9cSFmn^@~7{21jwkUPb`OGJ<~E1JR)6+y$uxQ-Tw5o; zHLhYFe>VBln!#9elt`ERridV(7Ihyq%~O0O*_Yt3L0eU~`%PzHFYzs8f?t!tZSFR<0*!7AFRN)4k=KQH~9gF zezh1A^^LfIa1bqmxgCp{nP0n8H6_KYyYk_1Hik2onEwA2;{^`s;5`+|g>pz?3V%(} zJ<3?iEOF9aL{QYSm*_pdUUjDd40nN0mBc=(Gf$o#WXu}77g@7A!vAA(w}WqtG;CS{v9$BQkjC>p1Cnjx&EI|x zuPU#}V5YZMF?w5)9A*K>( zwwlNz2B(oHDXNnxdaRB<1mnCrYh3K^F0!QI8b!|FT!0`=jHpa?6@f-u+<@p|Kr=r- zedKp)kc%6zskY9y2|H8#GV&mbGxQ1+bRnH1Gw5z6TSFV%jP)YR_ib!>DA#u6dxoD> zL{F5|=M3(A5cH7HZ~*uzR)=|am7M^8ci0CSH2Kka%vT(qX9gVc+m9D-NaNzQXfphT zZnEnQlS%zNVvTmYe}D@AgY9f1p+bOv@02Q1^!W7l(o1ObPpLhj=HseId(-7)n=<&k ze}Gq93GT1Q#>R8ErPBT1G&62%8~*mP?OQP+=f}8kH-dG#5>!qLsNFV&6C-Pf@Jg5L zYaeX(Q8sGY%VE4i$H;G2r0>`hV^w7ntnZ&!`=k@}L0=q<>@FnXcFx$RTuafb7!w#V z{&`@s0>-kp+u!saz_h$29;$0MS^gFy`eTQ~JzL|xu*(1mcI}E6f9?r+hPj{Uwg~ZAl5bf5(GnQV&if*u z$>Q|YWoNDKcy3&x4>{k^>4`VT@^JC)T*C(^boFE%KiQ~+I9GwO`WLo!=yxBTKCf4O znnb>hpoN#&->aoJMKv3BIxDa;&75}Ma-mGF9xb!YS<&1Z6HRt1XQXzPVLeec`W|om zkyU52{QfooannX=Ha}Z3CTfqEwNHu6GF_eWT8*lgZbdVNqg2Tn9*l{hBrkQvq8to1m8Mia#vh#qlva ziei!tHA?Kqow%;S#N%c6Ojw3=lP&=1yV28wbnOcu@7e3!=PhNKW3fvddu8@zHWDh8 z{WggUm?zPekXdS<@km4b9#2EBQj4O}C?~)NlR*;4xcrTOQg z74dAld?q0)O0X*ATE%~3XP?UR&uv!j>s|@Vh!B}4R%*z;x@AMXS_LNsm#9=S0K?Caf#gklr}Ro$1C-z;)-gMu{j z5*0uog{VGzg#9e@CBuCyHNCVt7w@KUJ-Aymy(?AY!B>q+&geJp-qF&7uL1)|tD81U5S83_0St4>Tsh6Cr! 
zx@vn(BU>WV^%AVs5AsjeNltqc_dl343@d&Kf9FOn%Qoj;HCG~eNx~yvSWQh9k$L)u z#w7c7SN1zLkI@cKpcV7#y!rz*Uk*9{v@g*YLjUs%5fd^`kgp1E<=&1G9=7S{0A-qz zebuSM;1Bmfe-DJOvBuujecXMg=M3fh3%8;(=cLVj3`Wi;2}|RzuR;t%*RnKyyod8U z@Y--cw2|DOsSB66J!|)Lb`8taxb26SRadzh`f(Goa@S z@6Be?LRzlGd5F#1uj)kHz7W*XG0%OV#mhIM$v@om z?b<1TMEz`k<~Pm=ZX_roGG{8rWp8;gkWP^Y+f`4guV|AXo-VU^?Yf^v`)zH$3^=NL zsd0Rr&6UZmhKsqQQw|+{pJ#{2RgHb#LV!=1)7R)-LSi&83~AXpWu)zYa#uU3JjpsM zE-HtpG2%HWBYe|59gI{8`vBI9tp_bLeISwGnrZ z!AduATlNHIs@D`|ib_SOw%OI+&U_de|Ccv*^S%Irv}Cr)uJYRQnAv?vE_!ukS9f?k#zk#oqhhiZx?c^L)B&E&cohurOjnD` zJESGcfFS4eo1Pdk_Lj$IFcV5l*B&FvT=p}P-1if3b1hmP>QVum?Q%c!x(&s5R2a8A zRcrTQX6N8Kc-SLldabc&e2vM@u$)o5J6ldYA+4auVEuiYDw7+~0#$UD2N18Etgh=_ z!oBqflo1Q8@=>kK%Sqk);IVPpXsry*lEbMy0(Sn%eEo8$r-G7z(|4G>fxZ=PX10x-_Ma8M;`?PUOOuzJ+oeF?N~Qt`|Mf|Y)#fo$%`4|7v8q%W$j-bM*qeP{1<%u?|TKP zJeoW((pI;D*{{?7*T?<)egA=!y`fsuhvfYe8yo)i7dB?we)8!Ztf=X~`YwCeaAcsl z${vE0)p+Oa68z>0Swj=;e|=m4VvK)lk4_ec@yyy?C)q#221YX2M?*D`+dVx1WZlsG z2Ts;5=+guXc&exxpCkVZ)&l4_$*@$DMGWC9y_?n7+Zjp28j!X-vq~H7-$Kxe7H(w2 zCJRyq8daoXr8r00xHct0>q?%Pjh~P!=@9I}eU=4fBs!wdLqp z@g4V?ryT7bzJuOhTO|8VZHa4V`jPD1JjwR3ZO<0yeS4lP+82Op1LMvghoHK80K_%{ z$B4z{=fm1sHTCR(psO5STNvLPi7;K`>9q)kE|QkK^i+YPns@|AUs?mrTxdl*-`d3_ zOZBgdeajr@{$RdOMU*_3eb|5u;R6dIM+??VWde?-mqW*$NVsE-Kcn^F?xCg6jUQRk z*FxXA&*D)seB5yQPo*J0uUGO3>oB@h2jlykHcPIqH*3ep~JP|K5(q^2#?7?+%U*^aUq&G@da5=m}`2C&1U%JNa^vx zJZL!6*rQE$el-FYBCgIrBcoTj`Rx@_q;66wsD8l>aX(zMbKZu;U%>zi*H+?g?Nd>* z(@!jG_f_07NmZCnXHu*mMJfuW`XRRbwiq)J+d)^;vL;Jz5-ZN_BwN-=u&j3|%=VzZ z3i*r`-SN?t53+LK9oRd1)AC&nXUQ0t8}d3k;y1>svU*rLh{XE6ngNTT+r%=tJ?UmT z(C>G(eYZ~lr1r9m4QTpF2!v%I?W3^QPRFFi;Z8S9U);0I_%#poc3J1F(+7m^@f0iG zzg#TZlBjZIzF?KJQ-m4Px1)CJ4w)d$ci$$IqxRKh^rf;C#KVPo&!%YdPj9@I@DwmYGyQrq zzFIl2xM=!E;3^B;pL8Ma2-ANjF}(rgBk^7Kx3WH>>y(XUNu&DPR{RL{x&Gac-mO|P zUXqB;koht46!0GP^+$g!?2R{NX)@PzT47-{t3XNI5OP-c+V38TPRLz>) zj4kE&`9Y!E!wsH}5qk#j+dfu>EI#!{pI437Ohh#?I~B*29OiTd-AaXZe5ImKcS}X^ 
zI*4tTkzvT+5*WX3m5q`4bAG%1E-Q=iPLTv<=Ne+)ju07L6A*$;w$lZAB|Du*G{V^yjEp-AqT>X5oKDgtx5FZ<>o75lPIOr5D9P*JOz z7>=U!&d4MOGG@J8r8E75rLj8x(v^IQmmMb)`Z>yGX%EK|i1l8y0H94p1t-#;cG69( zllt$V4)7Mw%Q*enhK-`;5u+K)be6sgc<2u5WBte)1PQc}XF@p29|!LJr`T2JQJFXWhZsyhDh#)rVG0cgvXskp zsft5Slgp$-`99)c=>5gQJT$9Pp@hu^&O0EA$9 zK9gm-q3S(T1Dy*Y9+yW*BE}w8+Q)|z#@w5BU}X8p9+h?(BPr2+VE~fxM_~F`E;?4zDz|adWAN2a0pDv+Ir4kSl z==EXsd!P;O5d9}h=T~Lu`My>T;peyv#{Fp+;;4vaM~3@W;pN`kc%UK&uW9LzkJy5h zAEN0sbPfG{d>763+Me1l_?OlSyr~MonUIY*#k1(4`W0f_hdHZUGaM8#%}sufN|Fqq z7XO#DUjt(M%n#U9{(3GHX(Vl54HAWEDQun?5rUx3Amyn3mn%MOtC!^3r}4){gCeI= zxQJ++J+@jwl>B7x<{lMpU4(aO>w7z=if>ioDI4Qd)x>(E99@CVg5I~u;FW6`3wd94 zGVN_eJx_^-=ZY_(PP^G*jL1x|Bqs0rcQ3P(t+ZHH^EXQvLJb%V-`L3XTHgf$>0afc z9Rbgqr>&Fqd5rZe*TZ03C4nroeS{J7+R$YIHy!OR{S~Z z-SG|=<42^%Z3f*Jn(NSgC)k&%x>I0>w)?X@IeY2-``nlh7jfPj>iC57E5}6(#@hGy z8#l|koju2f$38ztvBsj3<%Tw0Q`JZy%d;)YJ&oqSs3MqJ56IlQ5xK@zz2N`6CLgr5 zB=_K%TRcWoIcJl&yF}vTjHyvK3Coo0aXoQdt2umeC6g98#RzTDrM$XA^%QR9AMRE` zv>bBFYClIIqG)3ye{1N5=mm)UeOORcq`W#a-?ar*xy_Lsh(H6moKf_Ijb)5{E9(%n-Bm5lU zzm)UIUJU~g4@9budB+~h2&yVa1y@xS#Qz-FYWSL*wLaJ9KhAINY>SuARIiRPp>&6?_66-V*xx?R+6LQEvUd=CX^?0mc=?{|o+mPl=V% z<2X(YPa_;xxgJVOcWAe-Xu}#W+nhpxzAIM`4d*xfVy~k9a@?%tp0!%k1eM zaUFQ?P7j4H+9|%=UTpCso+)R%=f&)jex{zC98cO-%TnMC$H_s~aS{8G$Q*4&-G=Tx zL(DH%^1q;C3ahb^f-fElkMmr8i4PUyo9pOo5+VSpi09qyPxc{Bq>xT0w1G)WYT5uVqu=P) zLK8K`X=h-K)$tbkWdltPaaY$XD4|SymS^p<+pF{eL1}>)a^(>VQ>hdU{kAWq@Fiu3X-nMpJC%$26d_1l!nmTSPYr?}l9i(YR7)vsM^h1{6;oQxh~ zU7l)R+gFtl8ciKeaUrb~9}G1OF}3<=20bgF*I1W^`4sAqgC5}>;o)oUa6&-a3Um56 zKcTRiyuU6$HpG+Sb~Qe-q3lb$*v9b-sD5O`b2c5oi1jQ{82kFwZvWVFaeNRM7iNJ; zNd#1iW3Vw%%DV!LJ}2`6+@7 zukvQd=c6Snz>D}sT^WrVMwFQ^&#czBKs-*MS7FY!VVa%av(Tc@^=j+Pc>8K&nY@T z?HDp-?SV+fcLSmm>8oLv4GAG^5_mfH1EqVF?+bt4$$lY|oe<_s^>)Rp$6gt4cMOJXrWC#ih)hmqJti0+mJ}4?sY2Vkd(m8~Z3)WQgwi`@eP&Ghaza zcKB|;H`QY>m1l;6o4r~?DVjJu#^hmh$f7ZbaW1b{Uo;9C^W}yUyqb!)ZZZ&Id_4CfVse%x^ij!)%G-v8LFNT6LnGCgdCl(ht&eNpO&D!V^EYVKzbqO zM;J>oO}LCsaK$z2NWJkD_Ng=``>gKNx~j%GHr!1&Zc?h7F|$Sj-xiWgQ-R<-_Htby 
z+pX8D;>%0I(#0bawcqJ@^CH){>O57_H?oG2S`J*8?s^D}n0@<>H4@)gTO{ut~ec~Tk@KwXsdKqIB&o ziEj;N=RAL0f3jJrh*s2203% zF1iOK&5nPa+Dw*B%YzSO*qp-m$$u?U@fQm9JcK5#AELc}y4udd)UEp3EtD5)qJNd% zu)cncKSdXZFn4#w+hezF>=yz|tJKEsruC-)D8xVxg~F;PMuxMB#+1zMxvJbTB8RLU zm2aLg>o><2%Bcx>%rWF-VeLO};y9t??(8_T~94#==K1JqHa5=ufeB8#gnWqmE!Nssq}eJP9?!%E~#Usy{JzEkSx%X*6k+pNn>{8 zm(l(As~AFU?@_fZuy{ur&3v}4m48S!qHGu>fiUl(+3g~la+O!YtZV}-CAgtu_81FE z6#i`=w4rT-5qsA`9@23*b7EPa zONC>$TA;8bU(B|A`9%YkAO~0@8cO%Qx~{^%QZq`#KJZ)9pB+fz%Pjop@#7qiCHtne z8M;X_*H+NWrshzC4!F<(ajU1W&CB*IAhNx~W*gjFQg|?e$^&agqdm!YKOj@|aQ1sCK6s05f5@Sd9H>r@bpX=3*6dZ9(Im~i9r!E;5YlM`N@Cu@uFQ)8dW8z9 zsoGN8%KHmVKQWaU^13;}<2FDcQ5qg^fy=PL^=kR?L3#MMJ+kEaTg&$vI|sc!CJHmPnvu>?n`Td(&;H+=+yE}Bu!py(VU3e8u zVhaGm^!InGw}_s{UMtQ{QFJ)3!VpFD>y!w=81_QIrqgylA~e6hulh(p1Skb?G3ex+0E@i#AWI$w<>N&}1LtX!E; zLWR~4rW}}D>_EA@gVr+ot_~@o9a{BAS6YQ!t?={&)8+Y`Xb+`cF?=Tn_aC(All=*b z0S{R`+P2lFSyt#yc!_-HL(>f{*R>RF17_kv?XZ&>>O5-XrVFITL97Lb)N#$n8_l4z zdah3i;U-ZMb*U#i-Y(gs@d zA)g3syt}zM3S0LY5~*|NgtgO=OlPyjc@BgvV15sjc6kCL*iYcXS-imYrY_#rZJ zCkmWu-1NFs2S)94O#z9yLN&!i{ieM9d4B&*9DEex&NW@FJO(MO&T-K4)Hj!0QWUCs zQm)41nYo5dl#*Q_hkHH*NMlmFI8KhKrhTV)jzsSjp+?XXoO=AepoLK2Fwn=0+|{D^ z9?}sqWys*?w{gF$M-dw0`W&8xMu_KuahV@gdIc4-X(FOZfI06u52pVQK~O_<2T1e{ zjdV5VJxz>OXCKAB0OBjluOBr>s^~Wf_U+3@xl zacsSl^#~){goq1T;XVFDbnSz$TbG>s1|E;b&q=-7Jf0O5TeLOML)T@!i~W2r{GN2t zH~guQeg`7p9p-$oszYU$LqW=1_3Akao30?@_^g8~fHa`xV}yHCJg8$W3&upUO%x!p ze>bL{8QD}i8G7|N<1Ex-v;4GN)1CF_w6sM2Y|qjuOl~F%WW@;gw^%Y%yb{0a;*qqJuma z_GKBZWJF>MhG$vB5v$yh7}kLy<_o7_{REqmQLOM)r#6S0PzxmWbDCSI>Z+NRp?z83 zvQL4trCddmZ+YOCDMv%- z1659HrTGG8!*2LLQjM4Yk7z23`@+DgBVesdtn|Iiu2Q`x6fKH>^?xjiE0hG(>V#Objw+H6949hybB$JW&EFLT0kqn2VnnRtHIUS9(eAAgR`` zj>_;FwE&5O54gWmfX*-ft;}B5Cd$_=TqEnrzj*WKbG6;|P3x;pPZ^8%~QkP8;-@UciAQlv0bX@@E zfBmTgx^M)Mm|yb&9j%SvJj*!Xh?^JPA>tL|N5~1aMu#+fYY_N488s7bCgmE93P8kx zTll7LW8Yp)Q0G3&BZ`6)Y`+`(DfVzIV`s)w8h9HGHUIE=!WTHKhxaNJSx!*&WP7vH z@sa@D-CTpX!YnV}?R+5ty4!g7g%^L6agY{_FweVG{E^HHgLbq5j+p@i)%*W&_m)9% 
zu4~&S1P$&kL4pN$C%8KVf@^{Xcc*a;7Tlc#O>lQfg1ZKH8rKHqA=zuaYk%+F^J}W6 zW`0pr(FNT+w_e9}oRyRC=OYwG(5HG>kBD11R3o~+q2uewe`&2q2jKo+DQIu7ya6Zar1AcV_Su_ea7Gd1>k zL7ExExqUH{{oJ=&1zA#WM-u_{RJM#h*h#uLaAQY>^@^9kq);NN&>52}>7CH?#1BJ) zYa0Ig=up;`-S?!l!o1%rg12Z5&-tuGm@$>j%*;M~jo+4Mrt&D~C3_-iyZQf+w4c3+ zf4nFTC-;qToCu^84)dlw5a9OOrmoJ@ zfsbEy@8&v+gKmuyZT=AA4gk?}^LwB$iof(68xya{Dfm0_$?(ljEc?)q?G!ikA;%o?*Ez+IB4ASrr0)Tjwab%Q=l(# zq#}>_A2VpizG{BF{Yfv-c6hZy`URXDsY6Sft@k#5BFLGd7?qDByuLu5dC;&KcnKaao4eK@AU$kh;P{k+z!Ou3;2GS*^6?`2THev=p5wxxUAZUsIPlC3G zGHo0h=zll_%VOgv@i`ofHwP6Vo&=I;C8K3Lp)RzFz@ApgSO{40Eikz;VgK~u%>>CYh z;+UA{`?0^AkI<%lrNg)STI_qj6rzx-N5*w(Ps++Jee*Q$ld4nC@{0hD9Xa_7%w15y zKM=8H-;^E2wp@~#A5s8rDDYv+SqM$w+^5lA$PYOYshxIYg@pEr`yVAQONPA5Llzr-WA7?b

!i#pz(}sIyRK(c=4i9N&%&4^c%Uhy@_I4O_kqmz=12%u8Uc2UUP@f?2 z?YU**`*Tzk)W{#SRlZ>`>_q;~8T`1o5>0nU4Kk$?O4tlGwrOaiM=rPSmZL9FSP(_a zAT)|)9hs-rk~+Ec>R8&JUxV&1sqza$c7xf)^M+W0B8C)!VD5KCv#d6LcNb2mt+B#7 zS>5ugLOE+^FbFjE23D+2?{J6TqYk{5?{iJ71h*S9%rHGicF;I_qmI*+z2@1S7X7UA1ltN7|-+A2& z4FEx@4LKkvT{+!ME6J2_a-L>{8K|xYw>`wbI&zcvd_!&ZT4*q!l_--eQ-8VNEm6L* zF&JW>qvqLjv_y{;LehV9yWLxc(|EN)j$d1aCNvo`oQb{WC0ly&?#IB7$DD_d-jUBv zwiy#>BJ-^_U;(JIk#^F7DyDI_+Wlu{da;I1MYFbF%H$!X%{fHKpLP2)V3Zb^ua)7C z8oHcSxQV7qtGs@@9B=z|`XQH>|A)-6ysnRQAXGHp@A3-wtpgbMW5bq1728Vl#cs1v zf!Z{psjx@cx5SCYw@x32(c<5?@GK<1KLX7nql?#AE3<~iz%+yIVr%~i`NC9IKge)R zXO02g*UkNH1pG~e78bmt;!+s|9FMQIg1P?bJyfEREBy4^dziV2h8xn4V>Ax6Zd)7} zc`}}FWRj?Qdj6^-^@NpXBnIR$aAJaAmz=x@QQzF&)IZR}#RmxBYMDnpt@Np!IlPZB z11>z<@}uqgj10G_cjpMjgm|!z(4_h)rUD@sG&OWa-qs2qK4IP98{5B0MYzF2T2ak> zI)3DwsAM7p*Iu^28pk1X|7M@1;zQ}vtNaihDX7}}GJJ(euDH|4m2Y$vK6@Gw>>*I`>fo(cUC+-fnyjMnP_1THpoq_Dx} zLQ1VRoS;Y>d}rY9h?e0HU({Yul%?&e_&d7SRfgMLMR9mMzg4blFwddG*a zs8Y?4XYe0}a#xbd)-f-=Qp;UDfK8E)M?AaT=d~K{smHM6!`5 zGpTySoDcl_aFy1o^bcxjzDgY|{E~3a&S7&6;;ASs5=2BSud4iv!__W7LUVbH!*%Vx zT$vgBs9ZYfIQW{19H>5>d$4Q^!)xl%>Bs#I{yN>{#)(Uq>=3@Me;T^U#Z@DyntC!K z>%Gz)l--@h_-RT~4fGV_p0&&+lVJoXbzIk~50@mBeoE;|<2tl)Sn`faY$r?<~oF)%&wi zp+OUi{J$(lvm3Z7EmLmduN;R_lTLE9*3>_Q>|tt!e@lB~wavjdk-<$G40;vH1PhE^ zp5)4v+S4nZ4Z-6CTJWpyimezyksHMS8oiq*VFc|tzC+tUg{oc)(hA3<^IdDGf>d?r ziv2R1xZ_EU*&r(eL5Sf?8+6FyCo^tO-W~qrf#tef+?#ZBRe;32zXnDxGZ#+>MeU*& z<}$kHMc7RqA~AIH09a;D8=$HzsET?91o8r&%KrjR{}A~JCm}vl!Ts%nZKOpaxb0Q< ztznpl&{L#&u&Mw?n5>YxSF2X&xQWZoua31|BFL%y;m@(08?jo(0lKAva1gw2S+Y8$ zxrqNGpj#rJa;@2b7sKKW>py$~Ceuk-4V*&X0(I~* z9^>1*@RDv5ekrE<6vi6`xOQo>(xEaYE=Mzxt>I`iyHfe;{OIO+QovJbzg-?P2D=%r z7(zM$yS`m0`F2iwy|c54IPdz9XoNW|&u;3WyN5cetb_km5>KZ3U6=evnPFCjQ6;4p zWdf%4UHYU1)j87sY=;9y7L;>EtiqN7uMhb-7pHG3SVoS}#3~Kh$U=ud&6EPPclc${?lZM|pFP z#U?V>Zx!{WdQ4Q6@icB;>fY;>g&|X{*MrwSL|6v|`nLyo(mC z&E%A@VIOCR7Zp?f5%HNRaL06k4uHsm!veY{2sJ@Lt_BEvf@ZqH>`xtmqZpVuI>hxW zWcX$3hebe+dWgQ8i^O3Ro2i@|36BJ$_O=l$AhBYLXKy9PS8we#+8mm9DuB0c@U6|k 
zk?U)&EELG>u|ObJry;CV3I<9~6Ic6ZvK7Xy!uvx_!P5TyJc92~Pf!^Ol;X&Uq+B%> zZnVS?#6aVzdtPq^4$%6#9s`t`A*sO1^1>0eM+#?ysQHdPhmMR!3TTo3xafzmv*I1q zyDaiKcCT9L>F<4wdHmBw{DR1;?43AFZ^YC);QhIf1gI<5`U_jnh&2f-XePlNaK7zF zXzMvrOveLRPRMzu8b*>p4-G1l=OmgFU{WDQTcGw@V)4EB@x(7%;X>~cV2iQo8yy5c zPL@F~G*ceFU*(Lf8TRe(Upuv1lR-yJ<|ca0qp#FV6l|@&dkz2=+beM9IsKKuXXsD< zOe%p!k@?DN;OaN=teuTvF+bT!)Q1L$M-6?)ewEide@Py*@Co$48$#sNgZ1st?9=oE zg?LnQeE~=TK?bspE=km|j0mY;MxrF^`HeaE_wQlGGc+|t{rk1x3PTq9mN6p1sj{rg ze%L0lD|oV=pF<+yt%sigU8HA3MJUm&51djit!)*~;dh;XSqtc>ex;Ymr^4`<{l!H8 zML+*H5}Q=iKcTvk3TANWe@t)x*a4@Q$K?*=Esdx^hmz%U`Q*Lh_1Kj5kl(jK ze_og)jzC;DOL^wyc%%nX{hQAI4}Xa^0>-gR28mM?Tycg;VKeXlJHWLmg=WF5*H>$G z#ZR?p6e>ekGOjCo^YR%)*=?`vPU3*ag$VH(cTH7t_QD9GZ1rpU@m3)~y10 z$3U1<1S8x1ZR!pQdoGapfv9-z5LA6=_!!ZN%mOQx&>P9zb?SB83F~}hL-h%&{h_Q= zk*624|3}Pb6{J86h_r`w^d7rDXm#5SE(aYaoNiR>0ZK=on@t9bMQu4CuAP)P^mkl) zJ)JLY3Hf$bdXP98oAG)ybYz%yl`B(6fh=1JHxnd-zC!kLBIkzP-5yISdWct`)y~k} zm}Kh*Ju1NYsl`|c%w@%1zyxFoG40GvgrstyYS&PI9iFLk1@d%7rB8rHqjDWSlh(66 z0k1l=vu*q=u$Du8qfi(PP0ZL;nFhv`A9>Gq$ zH!(d}rui<*h}83$MFOo!?uiFip%j^6^INAXB|-9UmBP=~>yS^g?v_}Un^BDBw4SuX zzKVP2Z4thg+yY{!K~B)z%Z%mww@19yx_Q{8nqC>`sa`$AiH-ovR zqLEtuY`z~`di!-Ga&kx7b%M%7Bg%G9Hods{jrkivOO;j>LNazq_qb{U`bs~w)zp_Gi4=pc z#8TzOjy6=WZPjcFsgkwDouvB<2x8uiZQEudIktZ-t4xG8uL zMM{BmE^Yu{pkG%0nRfc2Dj$#~RRn+h%)iWfyY0LrdpDL*VCbPXbQ8V)a7V>zlLE(C zY#}Z1Gkwhj0d*w&YOA+UWt-v5y#0RhM5{6@Cc0?z{iJ4`ys3t*7M);<@+t-a|6~v{ zb5)Ml)j3y^BU%Ut;UC5z#0mui|+zS>Um)=?mxYB@6;t zLux@t<>Z&MRRhvQs?>YBGWXa!qJz6ymsYrjEKmnUGFch6!L{olf{Y{AnniWA78J-N0Hf@G>J${ zd}q=vGX189sj^q*ux?_1y~;gVwkcJsYBsspXq=;?86Sp@DcOt(IN1Rh8_<24N5bbz z!4U(x&knoay3eM4lRvso!T8aC=|1mlq^C~G){+&K>h2gC%=Y(N?LMKv{X`7^re^@~ zB5cd|mGz~(Zc(f~tcA%-M~F5U&+h#y#joc)EDwJOgE~KW!SY@Z2h_Q65ZDQ!_mydl z&xhlP(Plso2QYP3eC63$sP}I(Aq-mfWG*ki3YmMpvQayguV>QY(OUaOBhJZVas*di8@3%_}>^2(97u4vp2976|X`&jlzPP0(@t zUHo;K9_(1`wWVb5FKwD0x(Y#*rAoBDpfk`|u1l&!GK zDgIFrJ?QCbn2(0Eu=MbK#3Qc}s|Tb~+o;&U%B0Xr6K`^CAEBeP$VR3~9a{}^v8P|k z-NV1+xby#Hl*vkR&U2zWgSrV;yVT+lm^)|xUakwZ%vJYq*1J< 
zCxON&jt@TyJn0gr!**s2ml8Foq;-M$=!6 zf_+y!zeC+_igQ`Vm%;!!26~xitE-0z;ZGp3PSfO+!%!mKniPFE3EP9~AxRWJrsDX6 z*%~deVu}%xDfpYE@e@Z3A_F~f#HP}}IpS{?t7`|vx)mowZ5tL=%Ot3r4GZ4OEzY#* zWqR!nB2<^90i|pY)%tBdopmoj|77N%E_-+cpXR_!w&jX$r%vEpQYO(Hl z+*A=K5xu8qv{x)>%MUL5{G;%Pxf8|d4HYTJkTZV4sv2OXM!h+8U^L$N&i?wfAUDL4!y$O&qe}7p0^%FvhR!J`lc2E)*Vew^b{L z;oN~C$}hbP(PxKMh>AdL{YJMe?6`{p#VPlE{+5aN=R#n(NOLDNhVRj;y8yeHBukqt z?+1Spn#sBoQ6p5s%n1i9fo-I!vE5u#=P2hi#G=~$h-a5;-Yb2))x?E_w&4IpeEW&i zF$NU1IQAXvv;a9q<*nU+sxWA|k+5v6@XVz{D~gcExQQcvK)3i|Qem{miIB;|1_>r>f{VIZ!T2)Z zE_=(nQE>OcG^2H@O#rI3o4x<}Dmn$EzWCi7b0Se~XJ?v`gbpVb7(qKfbeZLzq@~iY z9n&U0;OtW$nePqTSlus2Y$7uur?MF=Pv||V6yEFmo<2qFVK&rE64zt{BcB=_UPjH8 zbR4PmVE8+b%i?ROL>P;zB0if7!uTnN_+0_V%ViceaQh=s20t%&q#a31ojUD`?9{8h zYcOp0v4&6S%cX^dbnBpl8s=H7hGwUvWvg0-7WD)=z7^G=vdE?f3*i85RK;A>LLr@4gkQfN8vtas=$mtA%|W!S*fUC$tMYOpp_W#jMlF(M^Ol3 zik?>x-F{* zA&=dGt?m0sDKLRx@?Tf|Rm6X}0J7t;u&wD*S-l$w-7*prHLzm=2r&n{uk(%~3L?|b zM1EhesL(%{pr2vrAsH&0ptn8N;(-|@Mo&JRYUc4fqg;dqJS6A_+)U+=*VBbhkr0ci zv%tfkj^l_L$24IwM*aF2gFTNa4-~Ps$g;eUEzDS@O>JPUOJ@7g;qEf=MISLAF{L9^ z$K0Gz+)=Nc4UcmYP$UGLN!jZv4A9t#ME}sgSgA415l$b$ysSteBogpaGC^6XuXx9p zPu&y6(U#}PN_V7Hh1ti8&tqt-mA)&h1YIbezC?{)v810x2pjlojRPCqnQ5uzgmlpxmw+r4fv_{D7AEZkD`L3m3reNCFD z4!4-m5J{dW*!yJC*8)}fTEbytsPB77X?IE4SDrKSaHJPBQ_AhH>Yk*hp!o}&M;^5k zL1j8s)1NtLdF!4$fZBK{{7DqE{SbSvs8PCcWD~<{e57ei-yF&Fdig7qxsLYxDsx+7Kj&*7bkGyhE7EMoMCEa83MKzkoV{6z& zw*{B;^|m;$k9JV?X$QWvuXy(j`~3Ts7zy;cDd`J|x7(qk0FUJwQHSS+lmMU7?QdeYT$cjKDqJ+XrE#Rmun)8*_))ZWw3K-I@{vN{QC0!K zb~o|E0BkpQQ2`=zr9!ugm?kVl6Tp-f(JjI%eBO|dtL(4i)q+54VR0m#|>5ZgJV2{hzn{o*1t{6^qj8P+F(l6@{##ck4 z@t0?bhI7n-P1PzpGhdfNHSkizAHz??vKoDXynivf69%IYjV~+Tx)J(Y3YogBxYzok z;iHoTzYL&J?W8Ymh_l&v(Qv7QZL!q2&+H<-MiDwHI37Q40c2{0JVI#G3W|WpPywHl zVCD=O=TE+f^;Ht;JipICG4gvuwV08_Vi@z5c|H$ytt0nV5wrQM?~a( z`;)j7w71Rkm$y_+|R zx(Ku+Ok&(cvhUiD4h03z#a%reH)zrcgttFgdyw50)jcT)FJ5>A0pe1r z+$um^inbe8+F}rN+|@ju2HUvGgGTJujV)XJJX77X@|0I8OxirbUM-2Q>_Eq5=}I*s z4yO4;L;+B21w-s*Ewe7h_m1&T7|(ySxD&%xV;XZ9${mR2*{w32nsmq 
zT%eQ-&+y^2^V1TeeU7;+SsHEhohJu;E4v6RK`|mAD6pb)mx$%Cgu+sigz!pS#uZ>B z^NHSm$lT&p^=!|sz@#4|k+ZAcLJc!1NSP=?#xacPv!Rw7DK;)hO-AB+Y!TcQBxWw# zPuc)Jx?x@l*V`JOH_bZxfj)*1OtP!gv7I@ig*gA%(* zVe{V{P*=$PGK5TWoZjmmWVm^mJ;;wi-S8_Z2~G7ZLOzAjHC(SrAZ2=QzFU`0OUU~6 zH8bi6l{lVl3MxX_!R-hnQ=i1&r3d-YG>9WetB6FV`H_Kkz(u9;{Da1da>dDS{&wo* z@zM7lcdgG7?8JYS@H?p-X#5^y1ru%1m(NAuHmKv}`v4|(KzgcilUe}+q^C1>ZGsmX zi2DdH3z+nY#NNxI{K0SC*RuX~+AD)7%!t~bT((~=vyR59J*XZ=?M-nx7o-G`&~6Y! zN-T0IoGyQp#iu{t;3CxoP_OMwxA>Xb6%X!K$vryl%9o(b5xAuFEogDC2Dy?Ug#7QJfbGjIteq`BYn|h5wpR}Q0mLDLo z>%$%gf_I{P-+te#dUxRCaDKOLlo&*9+wJL*b~WZkl6Yj1Z0(*bHh`hbC4HKH6ED9> zZmO--z2^{^j`dTzg@sx8em#~=5hu=Ii~8f$#ZSY)Xvt-AxnK7e#bpO49u$Z4W|-xe1Mnz?o+1ie^Q+jH;M%%FKuqcN32UU$T)> z(QvO_H??i017;iT-}g4bVmUd$x*4wg7cHw^{O&JpYF?h%Z*8hPpiONa`J+u;X`J|@ zO`Xxh76-JcJ>jeFfHw7G?4sUZ+SFkDJ|l#Aj}MK#E|ZgD&FEuWKc7Q(`0+&;J}O#z z=|w*qQulH@b^A!t?hSCyXqb1&ey?ic?-ah&*!Jz4!^y6QzeW`Ur%f z-gYA**@Eaiw&N1fNuQW(&HH6Pdc52$8^#A~(-%&KVHVj>a@kmz&I`I^Je@nv_L2?- z5dm7(@6ik8U$iVK>clcMqfVm7(#fT~kXy!vU2InI?3pBfl8fT$8(A)bAo7#K6Z3pO z2o=(AShh?PfMwVD!esCrk2l3dFU}HFF?sKvFj>sMFxj%&Uk9~3uge_hVPIA*2JKh8 zBCX_u-mm;>#T9w7rZQBlE_ah2mr202(KDs+U7M&H2~N@d=47Kl5!S_VNo|%?<%+mX z#$=%2F0V@jh7XnPS42C8K2dz*c^Cp$NTXF-(hT&g@$>ZEwWdKF0x3hRE(33qBcnF_ z@SV7RUZeEyykv(U%gqsjZK;O8zv78DzD1Rjen~eW0&ni38`#FPRvgEs9pK$g73@)Y z>Wk|92J?tpDp^&CO76RKZ4{kPifRZn;aRIj$xU+41Ok5Hg&g~Nsun|o%$w7a+hwym z?^s~c!!&!qUGik>@kEDh)+K+@pCMTaB_ASoee}I!7Em_s-44G`y4t!D_D=db%kl=stfg>tNknplP+aFNUdvt^4NN&sqd{Es(5oGU^T2yQ5JED_DF1d zMeK7|4j8}z+iJ~;Y^ySSp8(i-|FfQ(KEXaQ_2Y=2N~14CM)(iY`q=F=XZ}1?3It!V z9=^vZbGrVXfZ5dy!*)sMQVu{`4ZO_zxyIOM-wHdH7NO$)pz&Of#+YuAbqeSXvt@AFCEcv-dCZd9N1>H0}&uz&q;OH63t*Q%#Ud18y+-`>SnP$yT0ru*{FU znsd)(ih^OUsjJU^_o*_{G*;z6gtz;lENgXN(BmFI`U3waOY~ zd;?;I&z57e_wEq+AG=sY;QdA95G=ABgu{dw2RoDq3Hsy+?iBsmb4 z?FZ!P4f3!u&n;Kx=}m#P_M|Tia=r|w#_V!Mqo(BZ!QeLO!~a1^|9a*EL{OhSNA}?h z(W@lG#dCE-j$c(fvPzD_#-^bLQ&X#Ie1AQ@U)kIz#QwV8O0({3<$>|p*5FKyGDQsa ze%l?T36C(Yy6^4ouf8{xWMvRD=N@GdKFYjcca?iQcAE#tSE_N>F(F*v0;lcasd3-& 
zQTdTmdK9HoCskob>8Pq-r{9-WIs(j_Wrf5v`t~hjf(!LSXZoU{7V6BihZ;BF3Hv`+ zHnGQu2zwxKOnrQD`wMjN6yWXoC%{|Iw6EbQz3aq&?OL3G;G;JWznSJP6h8k& z{LeKP5{@y@3O9-n7K}_)H6n~AmDa!|KnH%{nxW1Uqfut=y2VoEJyRe?6JUI1J-w6i zW(e~FFO3_HK)3}__(nn+REWmX{zVkLj3x-NheZ}9ejU7qE;JcXp>In^U;63Y`GqO~ zcuGr9I1-}1=4UoI*edot?yUNEzSH9m-}$->Ql!k%m3i6>@SSkTluvx8LF<4;sj+8n z&nwkU{MVA3MGV*U9O^a%&Mo)1nC~>Y3%t=-Brp6UM$kzJIz38(YHH%z-)Y@Vo-VyR zx%`Ho7{kMGlz>ZmZA3ln6~ZY$3ZRv@r^OL`{iylmH8;%jL}vG`G&qzZD%a5@ShQ;w zf(32}cf6}5%3h5Z`P>D8w5*B&EB>W#zu4JAjU;w$f<;Ulq=q7*o7~IB^(n0z9=$GC z8lAYkFifUa#-;42>AU`S9MFyu}#?=O9zd^JsOsO=FdRKctFf7VVl>;fwHlQScg1CUhQt;d*y*~p< zX~{=)0TNsyiLG;^<|zLqAFG#N;I`?ikt7>eCtP4wLl7c?34 zP66ABvWA`;`YgH;FLK{9u(->^+t3TBv#9W#_OB=dgh!JV$kVF#!Fc=?KXE0?z)a_B zVqq>j(ABx?9l7Tps}Z#URiL^&&>NOSjPuukQ-txi`)A>?15tzM*>h_(GD_V#=b(uI zwTq9KXXEk-XN%sqr7==pSQkC5QAlag9`wX{!sqKyM+xIGG4!;=vt)IZak4|TuUk2;81CNE}ApMQD#^`J!~8+Mh)(G0UFIl|;OQAzo8 zG(j04Dp%c+x>z)&0iyD|jcVzLMuq0__a540J1QY49wn=8r}vD?Jyyc4IY4`Q;Ixmj3Y-yj?6;T`b;O2XSpsF!^QG}2_U zo{jK+j!41~d&ErPU4qhId6dZ^1@p`!tHmz5RWD%AUr{p|k_D#Q74b{6Ij7|0qE~xu z5yISFDt^(WW*KNI$}`NpQOwW|0;g}$b&Td#9DNfexA%v+*e|v|-%6)&PT{qmx5VQo zCOOIf<}~hrr6JPpAzAz0;wLd{M~J$z3x04kF&AdA47ana=;n~`<83nZQ`N2$0d)QL zx8(JN*iHpfpx2&H&g^^NI@0}^3P&^D!Ky5bZeynbN0{ojv}wENr4*CGy4fNEmRp^L znty8`l}JOEmG>MRJl62xp$=Jr)9mg2NYc+yf(LVmpsDJMJppT^p1vjc>aQ#?q?v4J z{PK*P2r9iJ%BM zBj>Py1{E|pK}q(~p8XHg)HWC$Y3cBj9h9mVk)@@V(P;P`jp=*5V`I=3re>&wtl^xT zdw8pNi5jYoFCR1d6>1gD5S&RcaUredajCbYg!^v-&UzH8l$tU8@DcT$qmHpKg*{Ew z1NQEwL>^xsW2h>dE3w~$>Z^{12Xp+Iqy+DT9%0{B$|$#c6h_F8vV9)*5@`bllE*_F zHp({ReKY2x@+td!!E*4^_)+{-XT-1F-A_AhsBneIRfTBwHiBVX^=bSdLpz*!{ke|2 z_ENpSDjYprLpuIj#Q1dg?I#TTEd-Ug32!>FI+hR{bT%wcfHGJjVlMa4w|aYF`=!$u zX6mhWBm0Sn6TL~Vc{(>Yr=H96@shSu0&gD92MAx+i&Wf8JmcEWJ?Et9pKFi)4+^Xh$%0F7He8K4g z`eJRF$+1XB-F|th1`0b!LBBJT;Q8u}p7PEwaWzNoPUsI(w+*`SBRcOION&*^rCrI9*= zO|D9uZ68e{zcS{svymbqu|yNh_OD`)=D4!Z6_>iJt;6?R)>KfLS$b&UFNmg@i{$rqp3H;%iXlDp-KGiQ9!(C0q= zNmf4ye@gE50=xW9?gq+gxw<^klfwie!hZcHSz&Pd2eBPFqBK%!eOHGjW%U>~D+V4h 
z8h)scdQ5cYi6=*X>!6rbW^ZD32|^a8kWmh&^{bnLy%!&?epT?NRnvH}KNGCH+^A2k z@M7+l^|WsLExr3kB?Sj9;7j9&5(9C`DI2r!dUaZP&kla$j>r$J}P2}ER?US)Y)C+~qE~NyayVjcjZOi?Gj)4RGRX@Ke z-}goDWK8%igD4AmeK?OcJ^kC-dJKZMYb!Nvjk3~IRGfYa;%29)f;qcNet;*M4jpZK zKq(QH9uwDY2rC_;{Dq?lgMbVbF1FEruV#K>)_cha>uzxP7W`dVm%#)b2(j%;+w@hu z;rnO32-xkZsKC|~?J<<#yzBdm9{l%J>VJLLLFNxdYq|nsfc5!*=S}`||M>SSlR&Sh ziD)nO7e;Fev1d%yrAXWE@y=#g|KYI(f?d0P?_NG+df(ap-@}5}FfTq%IXK?#;$^sH z;gYX$j1br#)~;T2W&i#Ag2jxk?XhhZ0)ml2j{;7+h1Jwt4;PgffHI(0;1-C&fiKs2 zNkVJd2UT@Oy{m}>>9Sft{gx>b(6;+E@T@{6#1(Ykx!ev%kX-?Nn4JAeO(Xb>+bbi5 zn(BP|Om@cmZ_e`X-}w7&LohK0_ITq!USJ{8EN`_?mwl|atq*rAODY-#(9?#&`pr<> zcGIhc$(-8X=o+4~yTeRF(eU(q8-HhauOY)Qw^Y%|{wuqC*3S<>0oR{U!0bnqPN$I@ zv4oyT=D^c*0iI`}Bqjg~s9SFZ)Ub?u*s4wW=z#3*oiVl-{rIif`LV<8Rkh^4YFUDx zv?})84ZW*z%CwTzCStK^f{driU}JWf99K?=`vLHe7x4RC&LdZaHNZE!!6;;t0kZ1A zk<`UBYLSa{7V(fCql4L?uM-PiryHy-CsMvC*Mmup8ViG$-d~6iop(({lbN|&jsu~I zxv8gbhNeFp%o6O-374!FIG9R*aWn8S^im8>dc`qvB^CoDfp$^unN89m6LHBsp@2BI zi+kRTDYThMNwx%$xxis6?!rUU%ZNu1Bct!<>pKX{=orPC^cLLAGn-qI2yjDBrDdV; z6>;d&30>83tL0a_4zZnA41hGMkOQi03hG=g@bWA+$EP0iJaz@nbg8Vxr79#RbW|L$ zV1Q2UrA9J)O39hSKY9O`M_q#n*1Oz{m>Wv)&IYj!!afFMb8{U(b`L&XNoJ(XjrE}&TNu&!V+jS>V}y#qrte&YkT@^ql`q}ZPhrlO8o zDhTof9_!Y9!I`gjQ>lYrsIwf+f$o?rRpq^$4O#?Z)`_Bt7wnH3i`+%HtcRLAW6G{Q z8u7${e_r=a_Jj-Vp|n%H@1`vMHc!kQIJTq87;iKqkMxk!E+UeYQ;>E!9Y0wt^Yf47 z`%9;O!&Xmz?zB(Ys#=oF(WnOd8^xzo+1Pg zKZy(#d|WR?g*ykY$BMjJyjJ5AaM_1Bn83)Gzkm{JASi;62z~9QOH$TstmD6gJv;c` zVL2`)`w}6a3jp$x=HI-_&si^FTmqbTW8To+P|a_xtAI~Lp#*K$& z(VCZy#DGKH2)3l>KuEZd4^@$lW5nrs>esY%Ji+vY&hy#pNEH~RyHdWr{ zC#DHDoeD%cm#GE^HeQH5vDK7g{yZJK)zKoWN;!jUPiR=)QWzlV@BGzyM6yyN2~y1u zjGozi_KT;ogml$=$%QR$Ib!+-IOOcSycqzxgll~2^7q^|PrlR8F8JW;)m;4C_B~%5 zq|B(XSe`66dRIBo!FSC%YUqa)rTnHpI~54?UAjcH-{W~^yZ?^0>O*iGMP5f=82)|` zM+aZk%UPF8c%M7GQ7uN$sP4#f0}W8mzwkEF2{BoAWj^u@Pt+HBManqpAI92MT=R?a z!si}Is$%!HxmPYpgR)cTn**oz?5koAh});z7NBzR@%t)wd#v23XP52*1BR*hkF$*G z1)k+Iisd|lT@XbCSW3&IF$uQ(k$VWfk+&nPZ}xY7SccCjAqq-fOrD$uQx5QkC7T9O 
zglKP!$Ih3wp<59LorAewUw2wlxNd@s$oxFh)(cb|LBGU2XKkC-AhY;}1<#3!(vVjn zlOl%1W)^wn;g|}4A$J@Aaz`nd`q1|k131(ZwG;g8uAB~dSVgLeA%$}Ntc2(bh$6BA zFit<>5IeK+GR+5oEJu1EUY2Y-hQ8F~{jt6)p*AHE98(F^mLJxyitg)>&3&W5HqaI# zwn<-lfXPpdw(UQ5Gz^5l?qrOyo+cnz#RR2saREeo6fs9B8B!q^Y~&7^jQE8je;r8Axl!Q+ogMi>w=EEWt!u$(Rd%NS?ET^CRwy@< zj0=S-`P{tP91${+Qfv1;vWHE1RZYCKWIKzpE*T%mxcO{#T%pPlGkvv3U@qqo4&o_{ zq+G>!3MKQJzq-MM8Te)|Y=zoM3~^vnvBDY)Anx!!=S0IXLCgNAE;25D;e(iYcAdZ8 zuq$L8_7e9?GM57qy%sM1szrX9P*`i7IW}+YCDs{jh!fqnUrMZR)&!Bn5J(uepnt+4 zY{$jaYT2YEgbAFWwL`SAc&rdmFA??|0-&a>p>xCox5B30%PcxzHLgBF*`r191(&Xo zIG+NLo#zf7&_+Zxth{-b(^tkT-M>WBCMl;}>{kz+(R7!`vEyDf(~1z%?~pgoTtW9g z+v$Jq>FFr^-$Zs{{x(Y16#fUJWqJczZQ+=w?&)vix`JVx~t6cw+W8|>Vyb{?t^@1JNa=9998d?fgo#G)K%lBAZyK% zvz)VFlzl}Yhqk8b4Z4xWGtz{71Py1PVSippvdD@!Li-Nlq&RtIIW^Q7hDHpJ#uz*z zJmKKOR<$K}TzFXaxrDbd#9E7z(ro$*qVrxNLb2zH^q`7Dc4FKpS*5F~Jf7;Zu60P~ob_**Es+WoU(y`Z2V&0Ww| z2R4%xZ5iEoLz@4?%?|D6JAS3CgEh#|D}IHv4gT1zpOHp5ayRzF)Ze|7U0Q(MpvNQG zHqM2p2n%0>Zu|U-GH$(Cr7-kmZfG-o>gcSM_cdCNR1OGg0Y}KcpFJ-V>>px|>UI^n zz5I-bFyv|(of7-;`Q?dtr|-7pC>sNaE~Hjwz%t%y6i-kB`9kCg@QOC&g}(!Cg>{^j zrvo=}ZYc8&DJQaj(n~nmAS$+Mts$#{GJGs zK#H_=Ezlu&1Njw$JqSn2_7_lwDWw`!l?#43L!E?n81>RNI z8P*h?zQ1(`}B87xL@5QxqCKYd9a* ze(?ku6!IH#f0+DLJL8P$BTAnOk6Ke@5E~uC+cD`L_ia+%_qT~Xd3UK`89DHG9<|x| z4nc-v1o5C0TA+0$SHN^;^O2exHJKygPbwz*=;=gyJXxzUAf;{s-*BhPQfx;4 zQ&1JWhC;zZ{0QhY;hwpPZk03F>+zvp;L%d?zJw8kQYf@&C&F_YWOasvf9K~G-!2G0 zHDYHVn^8Csw4vwcL$IQCWB=*))0MUbq(IoWVZe1rdeNc6gOa}_`wbo&wFi#SF*;qV z19S>V+LS17LNBzlMRz?0!|MHgVYbBwBP;6AJmDeA*C?Dg3yCx(F8HHtwsBJ^;w`L! 
zpmCx?Dd?cl=c<}A(l9Lns_+tt5sV=*lqLEs6&S3@%nSnt2MuN4C| zT@{?<+SEGh&=e-1z95l46rW!9(S9h2Z|jNsy3vY=69Krd9=ahaW%gxnC0@l6fk9Sb zcVZibRjFa%^u<4DQ1mfj2L8$I$PbYu5g+-1Eq!a6lQ6b;&Ict~f8YkSLqMN@>qECr z;-F5?-#b`)>8y~SEKznC&wm2%QtIe;-S*vp9z*u)Rc<`l!bFx-BL_U73rGr~M@*5_21GoEWWPQQ~4z3)|%UdV$m-?OSR*YKn*_83ef+>-CG9bwQTRc zxVs0J-~@Mf0tD9tcMI+g!5xAnxVwem?(Q1g-GV!uNtW!r*Iw&i=bl@2s_y;xQsiZ( zyJz?4F`n^z26COV@4W0HW{b&kX^SGA0s!J@-7oOr<7QE$NJ}jy?H_K_HTsap9|5;% zeos1uSV|SIyaQqY3kReO6HA=@Gad zBV1(1c`Ne(`Z7cUYGdMFSgsz@n9YJ9nPi6;;Za&?!28t`u$p$&x&t7QO zPjn8ayy|}YN;>B$)~>H44H@!fg&B2x%{rk{$xQq-aC!CS#FgYUw&4aqeijlUhC?V& zBN3&!5`4ko14BfHK(yfXS8YwB`?N1b{B=hs-lO$!K&X>3=KIRidV%Lv3#aO|!2I1a zd10RAbGr;G#fc&}g#)fjNERB^2g+84uEGB2MKyu$>oo>yXZU=mbstew@lQ08Wwdm+ z)*n}?D%?_5^L(Ve;;!RsZU=K(FzP{fIWtX*ScNHbS`PB77S^EvKqA`SaM#y+35h3m zZdv?rV^ArkJYbcqze7T^3+IkV65b<_1DY3cJs;i8fF=N*sC|#Wnv(y@K4k<83K39N zp{Ix2#|cZIy;8}S9d0_%sL5VD7Znrh4`jJ6yHA9pS#eHJo*8ssac{BDzm|GTAw?>y zrw9z>0nAl8PcQVkNQmm|Z&2lmhy=xfI%#-2Qq{_$UD!cE;nqBp?)f%^*A)N%zhqHm z!A@DrL57-|B5C9Vg;=64SBR3=n*lbwV*!VFa8FvW+Ugd$%x|;bLJD-Oub3I;S|7i) zQ1Zc}xub55vfE$Ry@<}JG)3kvN2o6w>(V*Lq3c`zE?`;^^t5b|;eE-p?H?w5xJWD5 zne^Hf{p=?iR}Vz4sLdE(#QvHgNiU3vQ$hSNNznct3givHvMqhXrGD@wA&gTk|ElgC zb4*8xA(j703qp8AdY#>Axp|`t^uPSA{!om(WCi4fGjt=-rC`az+RC*Ka80P$5RT}* z4!E)ND0pwcw06kisaYa?NUtDVXi9&(U2mb z5H)+zr_G`_dq){H5BrGc8>$cEIVYN%uLdG5vWzOedu%EKjmlqSE_(1tN?c>Dx-Rjo zixQMqJ|S!YHmIJFTc7a^@eNDzu4_(O`d$98gpPK_G;GNkuwMKTDM27g+V8T{@w+8- zkp{4R)ID65Qy}0O|FVRJ?wzm39ZGox7776;wTVwPf>I^+ry=xXWWcubS-&C3%<98= zr}}w!w{MEEmu#$jf*e(Wm)Ch{1)UU~yR8eHuRWc({i4E$^U4SgoriVse!KM`=>)5- z2AS>(18hy&ENZIM=*djzFH3ShV+#zgZ?dw5I;q0n?S-L5*oepH!cjTgOMO~SQ?_YA3l5)=r;KTk4#hyCph42nra9rnSdnm@%864~o(=5#QL$_k zAEb$x3axKcl8_=hVD#mT1D@Wv^?QH;Dc~$U=B(Q?!^}Lm!74;3``$2U6WZ|#D_?nm z90oQYZdy<>m-%VpTfu`TMA!Q%!}d>C7b8PTBhb4}`09LevUVxa=0!*Pk0YQNRIgqW zOrF2OW9+qnqH$7wx8$uEygr+ z^u^slnQaupSm}rQK*!q>*Yiya*H#pX&yFjesNe9?L#YKG9c&DW)sR)Zn7M(I6CZV4 zn76|?_I6B^ zby{qQ`&cei%57=d`Gs#xt7*OJB}#8%`D*?a#q+0-6G4+3G@n{3!)DXFTqXm}6lzEn 
z^Gy-@-zklS4e>i}K&DyKG5&yc?ptU39U*rfS#f0ddf2&LQZ)T$6^RMOX#(ILxMz_F zsM1|;2;hg2gNP@z0fBeFz()8c*TM8&FOgQzhuN~P3lJ~ohviCH2wS3Jp=1^=TOo!r z{iROJ;v-ZPKlh_X^uuEh9)>{w?8$CWn9j3DTCeyMxO0bE&{#H0MljsFY=bsjZmdIb znTVnc7PLe)VRlDu|AftIY+3K-O!nB^R~HHFGaIKLp}g$E z#ts+FGL3$n-yh?tGzZaA({LfXFLEgpTxH$zw&BD%GqIXu{QVmF!IIy$6pZaa3Ux)Jj0IrS=}46sTZNH6~z_r4$KC{(jp zqyLYTKv_%1H$O>lHqi+X6S$imDxsR)d4B%vM5Vj=7%Y4mM7S>q0A_#|8)=riJ6|3H zaZwD?#Bq?EjrHyV;t4W=7+9l&2&IOKt9*^> zGhed1SWK=<6dTw3(^fg-MJfU9k5>yKjGhf4BiPcSSuy%Y3zYaxiV6UXvgVoxD`_R+ z%`fEJ#a1Gs0{+tvgYP_OeRGU16^H;spiW!j7xK+fEz10zt)=2o`%!$8q)F{I}0jg>T42wHk)fz6*E8- zxFb#_$VohHomH$eZbjg`X6%}G5ZY-Mtw?T!@?PjQi%Zp54;kP@EB&5c*b;S!&nys< zY7hBi^CIg5M;y>f?S_-~Y3H_&ZP^=qw>7CGb`;$G*-z+x51Ntx1FRiVG=*2)nElS` z6-x7_)7XmVtCZ#|sK%3uAwL*9?1L!LZ&pz)$9xq$L}8h=_dbD3C~ipQT#e^loFfl5o%PD`8 z%rEij`UF(Np^5VsfqrgK;vc8If1fY=J1Y%vy}T|GgNG)djC1N=GLsoi%3Vk|RNFE@ z@gkGJ(sL`M5|5WR3?Z99;JeL8PYEQ~ z@)SL;F9yy$&gK;y#$;S)Z~ruK7Gbndme z1F`cV!SMLSfz%5Q4pw807m6)*BF|}1K&HMev*VyozVr6$Cg-VZ>l&o9u)~zhDysz| z)>CjF$=czHFy~WO1n<)>ZNjIB7}`yB;)$_adH)kWDuqxUJ5IP>bZ$iQz1?sGhI%>e z&}?AUUobkxBsaz0s_!~|&HbtMHzlefRa*KeyV}d3geW`yYaiSgK`1%_2=Qcz8*Gc?j#ktWIL* zT{?4Kk;`0G06-U84U<%vdK@i5&+Rr}Ui5W5V7*xj8c5Fe`rV6J^$j%O#oW{*=DHG} zuGy~xmz~P4bAR})a|UPn0uk*Nfe;kP`Nb^P!yE1+54u{ZXfba#Mr^f^L#!RTQ0 zH(4vC2iAy}Nu57NEA8nDl~v*>%nOd?p=8Seay=Z(R0BwWFy^5t|w zABK;G!z*3xiWfqWfYN;#M&00V<{8Jg=#!voucV4X^yRN7&8S4l*hR})Y9!Hqk;eG8 zK9KXx=TtiAbG>Lx)FDJ2V87+KVdHR-!6*^-H!vI{J~dL3wnfJBotAzZ`S%R-@0to_ z8Hn%?)#h4iY$^t&zivDQnh@r*PQ>_5FOJ6l(#FIWLrA}n&O*g>p=Y9~9%ZIBeo14r z#QqMx6cQE&^Gplkymjm0>Bbu9e+oB#|McJmW7E}t62vDBkj4Hix&E8^ z@LzuDOA`nPVaoLx{HOmXy4AmC(su>fSDt=}Emg>g;MKtu+CtXGM2d1Wf zFJHrE*;Un}V3gOOt$H?aW7ebN4}}i~obOtvOob&hKvQ`-8OlxU`8;(q+baBXQV#QE zxAn9Kr^-CuCMEn8xct`<^x_3uU8HmzqQ=wBk1)+=b#*n@W-v%t{IeCi^-rA~>uJ-K zew?`J%|s{JZi>^lg^_*>M&iVM_tmllpicP)>){=>kx)))U2Ci8f4h_fV8GrJP}%`P zy8KQ+mRez@MOr-T{oIHb8p>)jrd?%$-L^f<-E{F8Dhvyf!$pz{)An$z{nH==hpj{f zqK=1NTL3l|dC1-@U;z{jdw(JanQ6uw$yoDvo=)O&%%x-c*=1Zz-phVRd^K9+V;7q4 
zfhyv09a%Uhg%ch079}PwA2-zIP1d#j#rQ3D%~j`%)9~4V3c*PjLxS+-zM}b^ZHGT& z$%pthre?8Y9Oxneb9H}k#DjryW-!U>XX zoZQ^y((nU0miv&=1^ystset>^YtijabO&N%|{U6ffIB?JEpK&9sY6} zwkY4Luru1e)$Ti8wh>VmO%2C263P~bg$A640TFnj063uMx|G*J zt}RnzItcr|?uj#qDb$ljg(ti}VJhILTD)NyV)C&Ka+Q_;ZI!Lp?JMEI^uVzRiFL~o zBncq460E>uckGq20{{xba>J4vxmoG^oS&Lj##qkVT+g`}?~%ZFq9bjWZvS>=`=H*C zk*r#fFI0f8&Y6e+24Eq1hKywj;J?g;0X*7o=E7$2ZGr#C0-Y2FbCEw-0RP_*>nL+t z;3#BypOWnI)E2X@WY4QZ6M}t{boQGpVH2#vs6t+TQ5X35E%-W$hTw!@Az)4y0lJSf?pXa^hwLv=YMM8(K8lC-Qtgk%j`-X)5n7sm7+$1zeKVJ)G zX6)N8iWx-;?bLFi3U-PgQba9jzTC&dQV?kTa8$u$p?gzuZbS1=j_Y4h@OZh$%N!|f zY=-WlR{Uz7_b;-4`0{A@nLxrPzUU`^ykiyYtGl zFR6K&3n^&l;T-Djk8$7AjqINnlUyCR%;EC!E355HYZ-I(=oxAZ*qs{I5rXObAn24m ztJ7*rsS`yHO+|~I&QtDRXX^nX+V%?(O*`bPn%DCa7Er-JXt|da>6Ps0-?7ZLOS8bo z@SQA82LJZOFL0Ywy^;M}cB(mnGDhJDHudwjUWB@>gw0)=Te?1l7rRR0%KA5C(a2zN z`(cG1Fh78Bp#_luRmFcuNgPH7A>8hT(NY#4Vb<5DAY@q5U4YIzzo{un(kP>5+k3M* z97kEt;23T=p5}?uWH#K_uJ^q4Iylt{6hjV=7U#!3J18ERlI}GFN{fL9no}0m+pjnW z3|4VbEobB~3^(};wF*kXT3+d^uwf^d*TM|+5SD98M$L=hVouS1-Mo8rj5DQZ06JdD zGVygZ!+)JCzaNAkXoP-tK0;hey;+EQSBE&b&y$FK0Q4NQPP+<@#-%4&#si2FE(P`p*A`y8P z-uH9G^Ub|mRMAa8f05lN|AId#cwZBw;D5lt+LzkihGFOP$UJO@M&9&V<8SmfHjJhd zNdY+qZ)?$nO|^pTeGgcgQDkhD`l6#x`-#Pm6?zmY4xeFJOagUp&prX3#hQ&yW#DCc zBG699Q@ZV+Q1EU2A*aV$x$F!pMSfUo@f^^h%km8SH=ZDMW(eg4GiEC*ZG*!KaHp zi+Ti8%}1DS_TeB99*&&8(O?BE?0>ju(Srba&Uw_4SuJezy;9Ruz<$|Z`*Rd;(K_jZ z2~Sa^8fNQ9yGp>am|SCJpuzg;6@u!seJ0Ixi4Eg`-xK*cw+sw2K{g>3LBi{!Vn>i& z&TmNOh&@oe4B2%XhDQr$2@^~g6YEt@Jr;6sltF$YXp(WNVN@4gL$C8;mnOfpgul)g ze`8xz{+!+v;3&l2VAjj{_~o_bJ@Of=*OXc_DL$oav**UOGO(JkO@=7{Cc^vmk`tr6 zt!3VU9ZF&g4E~vsgv{sO(8HlGb}28*J09qH`g|=jDI>{dmjemd3E3G!OxLcD5Ys)yS#?e$ zDGaJotZ8);^I7_P7nW1>)SsjNuoSrNpsC{R_%fA1p|V>}#i}=wJ?|a(sl_r<{1WMkFLD74nb?bJSO~ z&+w{^WbLB8v94XGy0fxR!3a{r0fq$glK6X3C39fOt>G(!4*Hjzl8aZ|TFljc2zQWH zYP;9T3ZO0he*~@nc_=7*LcrCk;Ppz4zc$>pnwx0XS_P?6`eH6LW@RE}DGFTeP1#Lk zA;J#u{^ki&UxT<` z<@gS>n*$)s$nT5okCjQ`fR%VB@6{E%O)3_U;%bcgapic#J=BK8?b-7s;C-EC)P?w< 
zq^PftNRA$e%rU;UUWQ6eZk5z#Hc2|xSnGE!f^!=aslk6IS^qUMma>tv^(+(#7@!!A z^KG#S{GNaW;2>0aV2&uIS%Mef!aJNz1M}>isr#^YFcOgt&3D^;^Geyj$yK8Q$Sjs@ z$U*ysE_v6XT@35IMilA|Mzd&pTTzJAXa9^fnlh8x9g~LnX~@e2mK{pm=WP}h3XLjJ z^I@9HKBJrQ2MT|pCaiF|+2FjM#xjHMy%}iI;rR@*9cTsh)X)+1nnDboy^kf1c8mZ^ zFog6p4vwzsaD2*Ga`x+mw7I-fOrcihiZw;ON7UclkbF>o!~*-y=XjBOt;WR>nWVbF z9_?n$jn(yTD0$Rd@rXqWnu3K)KQg$A*o_=(9dxBN(+bQZ9ss6j8~b9u8EtXRTfNkr ztk|+C0J!3Wgv?X5K7iS5#g_?{^V+eTlJSXT`jeU7IXFY#)YtGdmk4m!Ru^^-qkoIx|o_!e27_X3;lU^@Z$#Qr5Kk!64t1y z9M%s?dH!nx&ytZy3R<(9H!U~9*Z{gmyYjU^TZTUAWugaRT>7E&xEL&O5Zqt4F5Svm z>`M^Umr@;(ls0cp<<0YA3}eTA`V;1J_lN2OiM#CM5qv~?+y+2HQR~Z|H52wwD&I?+ zLvJoNG9(HQ0~l+$96u)3(87dGyA^E(s=fECO)*yG%%7($^o^RXY2*n|iw$8+)o1<9 zJ;#u}ZlF4z8$jVpy~$oHGC5{UsjGWvDe}r-W5p#JI&w;-8T0Fdy1kd^T4)mu3KF?g zl-E|Auh_4)nHGdLd+b3Gh7Nw}H?N4~hx`~G9g^z#3P%k&>ic->14;=J-=hAddPQ0= zzQ{y9nsqQGJC~;o-C5Xl;u|o}K?>{Gob!@9^6HN3R7?CH^q9|62N`fEvDWRo72kk zFl_yspaZNtJYz>_YobxXQ=q=*VEVhWHGGj8bPR>nmK29uKj3BgH#tyW|>Mr!_q2B@}#VwNtq)%bB&wzKl zuUFhzl(~s=d08e|H^L?-Nw50r^)kKB*LgB-ya8!Vzxt$4nqr&E9&32cquc z^<6)gx5{qQ-j3UD4^fE^sFQ{=*y<$dqB|>({8~oLYwy@T85Ri_DgjAe9g@fwqRy{1 z^i{(B8A}(jiAp9%OSRUIP+rvEAti^cBnNK|`w4m1gkS>ou+z0TcqV{vna16?BbW1Rs{cRLmVc~|X0zOKugDIb(Bf^Fw?V&~O=jNQ`t?#B0alXoB-MZ!Y*6Z6aiW$?(mN0^j1GYx^}f-) zT@*_V5`CHF0G4JzLj*~--w1Bn2w9_)b#|zT^ zZ=$4!_o!3_fLHYTWTfS9E|LGqy~)mXpMCtryAWW7b8j0Wp3#qCoFS$j^_03Iss8`6)sZ;Mr1=EqUF2f{K(js6HmLjG8MYLdvN2#J4!DC z8QsEutTtP3p2tTljJcd=*{g6TGWOwU{QMpDv&sxxzXtiVE{a!IVozek(`i(J&CO>& z<7t{ur}4Gg6+zJk49wgp20WsZ$BaAIdt>f$m=u=&{vBm_;HEnZFra!PczN9 z=~7WqDV(rlfHxg+?CF4@jG5Jka2Jrc2%XD8j}i$R`Z*>Nwa8u=P*cq2T0UZdWD7Ys zWW1dacm@ftuk9NQmnd~`p76Az?-pP3S%yUqMWIEVTQ|#m41HcxsA9k&YTl?1D;~=y z@=?Ol0t4ddMncN8Agm>LsC}Uvh8AqnU6@aS(4PQtaGx?x8ouECY`QQ)uLZ#}%djm_ zPe<|h{?%3WpA4=)(|b>cFc?F&!qj>NX|Ut-)n&E`ik)M}>%D}7Z-AQ8lGndzG|(LW z#v7C;lStS9PNTu=_InX}*m*y_^4}1hWUV`_^cTq%0-rqCnDNF=c!EXp#V_l`nU1wJRxWRsA8|xLAe>D{6Ti=FdxsU)=+^(& zz5p|r)m4cdl#jyMtIyg?kjuuf;Bwy0z#mOV=~ZXAr@B^q$siCpSn(|ZCgur1^R_Ms z=DWuFjbk}==4G`$Z8!%|j~tH&;!^=x%ClV;~d)&o$? 
z2RNT@HmmHFMLzBNAy>Xw3-11AEl3mbYGWO+7E~l7vip-iRLVPR(A%?GRIHibA4z~T zb3MjH@ZOOQOD84q-@FBj%VmG_7VJDxH}&F#h`EyDmU;X1%H;Lv`*K-M4iek$)Z#?Zu@NEp(eVibOlQFYmVh5wMm!RkmPz>^P^>XasGW_gJNZ-`^i2 z6{jB#kpCvkvWn8p8qM5QSp7}{*G=SB01nWND9pwt{agnfLAG}+s|3bd-2Z`UmX)+b6E>eOc}+E z_Du*s(iq>a{=bh{nLYS_k67V*TC|&0mXcQSvLmqD+7by^HQ3Qa>e=7Q(94130xKAS zoyG*EgDJPZqm%THM5UO?R97b;V*yFU!W9QJO5b9hL8y8lSu64A=q_Xh7%+$HB{c&R z1Q54GpTsR2!(Sz({m9Nr!jj;=J9QV}<&< z3a(i|SAB4tR#(u3&s-_DZ@B6>3b^D;>NM8l_8*(C>3?BGf~!96!Q_MI?vs#h=O$9@ z)Zbnx5k#o#)m_fu0E*Lx_*X{qGc}fgO`E^`zI06u^8lrrk-))J zKdM>0A-r8Qs{{|6LKqejw=C7sXNw=1Cc{bfqXXw0Fs(6UVT{en7}-*b4oY#xyZw}o zO^G(VkZXxWwGk-$$J+-}5>kLqn~{E;G(F#-m{8Bcw`@qqeGqP#K9YnsI&^P=`nkKD zbqR$x*jmc|P+L@a2NPqN65@`CH6KB5{tGFxjJMiHCdn|nDks|>M1<5{^8O!@B6rVM zBalx;)b6VXDefobUeuw=Qt!xPvMA4R70&R*q-2ccab=LF4f_mGJ_BtX5~925c^w&4 z;X(?EWWuhpM!arRaF53)X}#X1o?iE9_uSWq_9ykND-5NNw~H&TN8e|bSH7RLRL{&= zv~Tvu?N9-Ua})r9eT%v~*_&GXRwvq3Cf8GM5Ko{5A)O;a!N(UowPx~Ru`(Ai0?(v& zcbFr4m+@PsjsSWpV$F^G53W5<*m?d|Td{f*sxIx77OWJ{8W!pjopR7p;hbs0N{DIN z6Ze}n7)={rP-p^(b%QJx;%VFU*_Dik9PQRpBJ9@t;tg(cjzrjzu$kE$F-8BYY46y3 zA?J(h1fQjI{E9Iqp%K{ktnY3JlN}Rz-&tKEFGJl%Os{y;y7KQvM%*fh3hjg(ecKls zplkGG-4?2sb*=o)&gJ2m!DcT^ufS~Jwz4Q6=0}4cy@o*9s)(iqM;2X1= z754eL8e9BPG8T>l3EgAT}G3{3Q zR92x?UkR34%YL!1Qtd&RJ1(?c9k;;i+!+U$no*}vR_(toK{LKDkmug8_#q%+}eGo)emQ4#CEz0_xQhg{mn?~f_;Sm7_O;2$?J%Q zuHenCM>{{G9bE@shWrO6tbAF-{jt63j{I?6e=O}+NUA^;<-Kd2$~b&<|R|02T=3D^Xrn zN1#E}u(o9uP3!@a?^1+M0Idv~cO9tx=LhV8JgwSB$MpMO|B3%tH@`kSfWcI3Y-0aJ zsfP!al)uQToVS!+|p@?<=YnhZ+~9#_{#H-eU@57LBx4wdiH zSHXiBELO|?Cs}$e+(IY(8Lw8U{i)XXiHrFJ7UiBG`)qI12Ak5F+Iar$&H2lpF?*T( zopkFCG3>AX1Lr#uj5FSJu0wzRiw;siWC)sI1eCzqy-ny_d1Ge6gNPzKYAkb|FIF6s zz~-y%2`ID0L6!5*yLitG8KI)&uK3Ol9fF_k_cp(|UddN9JaD_>H#)usI2j>+&VPNA z|9GBN$+k&b(i8Q1#UPXPX~6P|qiDAEsTzG?fVE;=yUGB%O-*O-=KwA4&{y=uRr1R? 
zefKU@3QgMpUuy`BpSL@xIQ+bP{pYVtZ~zM|-RDQk;O+u}8pfI>M>Py>mv(F!)mXoQ zWF|5sXrhlK(munPR$l>_BY1UCeT{oCp9au2xMV{IFmEk(t!pk@YE5%4W3I{>hX*LzC@9FKW*mP+yX zxIwv#koP&wmKU+kwandhytRV12JNG+8SmXUBA7B%D9OaXRIGTFfs*@t+ZIP1Z?hg!woH6x$O0%+ zRy*JkPd%=Fh@>IbsB9(Dupu-TJw{}D%g!E^AV)~vVW2CHloKKIq67)~y~|({v#y$~ zD^%(g@BDths95h`UCykX#O`>fqn$P^J_*MHco60C7tO$jK@Y-4wYB*|Y1)Or^0^s~ z#;lo9r@p>xaX$K>=E48;!#iH`%VRD!-0t;hlNX&nWaizb&`0b<5EYmv-8G$8`;+jPyakUjFlZlo&93%ImV9DIJMzc25Rei$DY( zAq1@n-Q%5?$Jg?bvrHN3f>=fh-~opyq+(UBz}jyHw9QuMyyY|}fV!!tRER5yX6;xp-HhL@o_n)^;~M=N&^wAOr2+D*1* zbx3g$IGb>jh#DRzptZh zjqkx0UZf42Xr4_*V7a7%nJsny!=~h`4+~M7w>|cjX-Ogq>I**~XtSG9YqiIuOgt&Z zP@4NZz_`NYz1D;vbRk|CTg;1q1#-fIg9!=hTondE6vAptP8v>2_``40+^)3KB7A>yo-$bMnzMI@ih4l?*@F%Fht zYXGm7x$C&4@uXi?ky)W=;gLd=VE~?R%;xMJeJdnA>Rt9Rv};zy1cbjm@fXn zV0wQxO~l&gGbzV0rib~ak9w25Q3M*@s*VJ7IBBlJvk?j?pp0jl3u}eDaC}rxty*~4 zu7;;)%+L`4KW^cHdc4Qe4|o-jmGv{opx1bm&+9DbEI+->r`p2NF^AY==o1O^V zz;w779SJy}mAWjquG_lQ+E|aN&}wwzlrbkZ$tt zQPUrL?XP&MKpSjMbsOxm`~xN`EwAZx*J&?L4+omqtvpbD{^WTL$%sJtdK#!+FFLB- z4ZsXopGJ8r!)@rNawpkT99AbHfr5)GK{`jJ4=)t%;K-$2a{*Z(P$E751{wzutv$S^XFbygH(;4F|Pu zQUFD#RE0{TWWKDmFlo<@Qtc@B+8R>1Nc~kh<#BrF-9vLeuNTC%0SNPH1Hw(Gu#naO zCwkqp&5K((v9ym2oG`iH_>cLNZ-x-IPm%v_#s(W-V@V)_-%S0ko_N=C z=lci^ddNT!0=0<2*NA&8e5WtT*y}~bXr$v;;jd6x;keg|sT^j)81_jM{ZTX#y(!+= zAPfUdmwpt9yaORZ0jkthmKN*D=M?h6g`@oT4ik8z+T@A6MSx>Ve8*3hPQHRBTxqW*;3J-vH~U-nA6_CIXB?%QuDs zyDlW1+^_DbLNOZ}$bBZMUnYoFKl=?()NX(vyjIiQZIcSlMFTj{k@uFW_y6 z>RF#D#l5OV*y1KZ-=b-`UY=YX;W5j7$CY9yrNxwvMoZ%d-T0AeYO$X(F?*x`b{SYc z%J`G@=cCSQ$ruy-nL`_+T_H$2-p?A)aE;Cnr;clW$e}xjne?t7Uf#8TzN7%tvx+T2 z94D{!c_5NtL^}*Ca;?=wu9uV3*$RRxwBe&6ew9g$=^Sf=;raWoi(zmit$4%MfYm@^E(}aEbem2xpeQc z&a396ZAIhWj*)j(RZpp(V=Zd;^zhVnbT^H{fsx;{7HxcjH$y}%W0KS4X7CLxhW9MH(% zZ{Tl1W-z<4meSd(B?iad1a;6Vn5`@`d3ayMSU@5o%nn6wJ;#>&lKbdoVuC!Z1{3y7zc?eDVa$A- zt4!6emMhoJ>+6p#6qvP*wk5y3i%8r_3)6ohR$IstQ*cOl%?RYC@hy%qO-BFN1MLZ* z*FFQ4{OfKXevGpyJCnFXi`}|JdT=4pZjk?3yd>B~Q!4q0XeCB&zxmF!wC-yA3$ zy3!aK?TJh8l$;JowVTFbXL=$)e}?|t=b96X@P 
zSo+2l7grSbhi6xYRFMhxOD0_R$gRojw)qNsh3-hw7s41CHv9}dZ*wV9fR@7#1Cg=B z8&dl~*iiVG{ZmFH2)9FFw&ZJo-uV<);l4^~;yiu%BeABU(Zik`?9i#6t`*YVv8iBj z&-PG1-$~ALV!idk-U?rXcDx%^Y0*Fvh4qgbz|^scqE={goNr2?{4B8*zUCF+t&tYm(!+5C)G1fUUpGUVSUC=ZV9S&CH_FX}V z_7RQ=H7i21*29$2?X<^Ph&@rj$r+7~cWL{@UOQr@_SvQ@Gb4aGl=X@~D38+f@^i>` zk#F`odwYT`;A4|wngr$j^!;GWbfU|a*YmE>V(}^#JA@Nx?*)L@m1@TcBMOx}71AVb z)cJ_yLwS{kk{H33#-|6sE(5sp83TIkYn;J+j<*7R>M}^>p4T!v@5|FBX_#e;6Noox z`ds>_R+{SLH62l+^3O+l12zj@hH|b(vsb82Ui+(%U-;$#o1IOGcIldV7}c0mMn*si zxT782JSpXCtynQf?byr58oj~nMfOeJhMRR90D|24TUT#EuNsvpaN1&iqqEO%ex1h1 zNr}eVW0}h}THG3NChgQ^&>I!jYw3~nkJtSSD405|JJL7~bHmQ&YwqHglFEvCA}wW4 zguR;ZTei4C!32(Fn{anSAFJ6BrjkL6QjL6~!E?QjlCzK3z1<5paqn(#cl_`)lom2+ zS(9{bBMbZ>{fM2a6eD4IJYQ`!BZ2F-H~-#bs{$(a6R8x5TM!c4 zS}1MGX#GxuWRVezG7uR}ICVhuu2p;SwI#e+7U4=?CVq4|Vw32l&d&)7&&EenUiMyT zM9dQQ^;YhM=VD+PEKoo)ffI_aKO-T+{+wN;R;_Kk5Xwae+&k5DjyPpno|gkD)5e(a z-*aiY=%s#2p_sz5n~!FRH5{}XW}CB5+y@MYZ!9|#g0xWd%5x_DFP^Vz_YBypWmY_Q zIHww%N3|$_4KaB&B_(WtVr+ojlwm@K+ul=mSnA0tETy40c8*8u6Vw*v)}7^J-ObYI z?EkQAqkMpH)Ew~(9}m*~p}~d}I;9D8_fqTC2WOSOt`MUyI$3Ce2;WwJc5YOd$4Bbr zevGkRYXb*`LZW2 z?h+%ltH<@3=X9oLM;Y`(?h$?a(k`lR(OKcUter1szPHj!BPqS#&wF2VmM8nBlVi&{ zv_km1aW|8iFBG3Uw{^(q*A0F&6<60J<)7r3UXbwDbxfw-qnw>g7yP$|wnz+7+lHxm zo98=ectIjaQ? 
z>2onKQE9E>m$-%xUe{WPrn%#xm}@qz87$3fKsE8j!T-xTjrZX08_k z-&g|;ZJV-LOn3Xms4@6YUFgjOu$vz_Pk7-YfoS}en_l>hVp>t_=0tyAph{QsC> zXk+m6v5=w35U^aB@7NQ}bn6Rtz1`ZQ#e2c|lc^$DHM99fqT>l1;|*)nfN+aw<~lGm zFD=!Uht$Jqk`Zlz^m`~RHxIg(OJi&Jt9)kb6PjqKwx7z2hyb>+#?2-(nb{B3pV{D7 zpkjdA*DG94T3Z#^Qo3(qgaJU}=rrZP1&);A`!p8mRG2zQW(R{3CBe?5^z2zY@gs1- z@aMaRa6pL`88S+cZb{cJcW1sGFG`SRcq8IxM;`b`-GJQ+;--_xu8VMhyspijX2a;- z3GoW38|-EmYDKoEr+kVMAPfj195Bx55EEl?l&seFT^en$oGGCiqa3PqvBjW}%j1=R zb@<}*Wnp_X3Q&e0H;LVS8nU1{g4bBSIW@XzG7ASoz~8M(-QEE#eoPlR8^x?!UWo;T zAikKmf2`;Z>KKvil^naeji4Ri6S4o_N#-XRCv9|k~)ULTzn^7`$|e z_*_LM%z^i%EuFejGCM`tJg5!@B<(7mw6ITyezlclXA&Fk$9ZK>gDLAKd3tzeso8St zY+oJe?K&!~Pr&6{r#h{qmG+}rS&86IDPpsm%9|BQGlyu`H(TtZON?8Nho*2lu%+Cv z#r|{r=95glUn;CpDO3rzEew9Ro$q~~RlXTcc^{LYVLnxWL#KsHXg!BjUh2BpuZuvK z-h}VEO%mMlG`eX^uKoR6B;7X+iBC_%+^&5Z|2PJq$Y5!au_LK6r%;tmQOiwN_AY%5 zzXgbgp%7HFJ)YNG#r9OrlbikVHk&aueW^@NAJ-x`v|=D@=h6kApPh*Z#_zLkKU)z`PtPvGd+qM#q@8dDe|M+{q{ekFo!AnSk(G{eYfq%T2 z{#)h77nc&{(p+ex2Mf4UQZkh5ly}bRSo9nGIVu%AfGyzsr#zXZmHu35vPKr9W1fF{ z3@@gC&s#^1q!albl!cK;{aG&(REK~xbe81SaN&G=^7xaNd@UzFdix7NxSa^uV7 zgsj+#8`Du;4Z#-~WRONN+VPTIZ|%{!CXdn5nhUjDA}*d<`1B$CeAU>;_W4#sQU3Rk z^HBna9efMT$!RC|s!E1%w`sFIUQ-yYiuL4jkwAJ1XwM1QbB6kRNK!rBQx_6&Q8IdXi%V~4K}mzKQiJ;blfmB);-~z_#PDjbf5rN z8n_u7^o@HOa24>*WyFx73q~@y@l&SAyXad8cqyhYVil`Zw=y& zuh|Wi#XN`W2vEFx+h&&ks$y0fBq^^Qu&!6i7uQ>ES~Z~XmYygFZYQANXpC-E2Z!&P z-PgNt=-w;hpbIoBMw#=yPp_@^6RfqOa5yk-?+8FuuN_IYIC)eGaRe zcIzJ8#0#A@h_zL+;XF~d$?d}+;K%K(o$$SA8X@9%Si|>f?mi>iueKR1EDMw5l1BAhM>^c*_k8=}MU#*Tyl_*3R<#hcw5rwdgusur}@c*8#3vvS)m? z#E&vGaJH0h1%#C~Xhn@8m5L{Abtzs* zWmBLLev4hu1Xhv@RdjifK}`_oY}lXC9mGNeI%&Qz=b`}}7Snj5X&=SUx3M%`GD*@# z3Elg?x7QRsDCP!c0*i&|Vsx(|^)i!5GF@MI;P!IE7kV9NB!*?p+l_F-<#62pVd~

H}JAr~|6o7`B@ zmFqICgV51lB8!&LjzflKdBN5wAP_CCQB|$DwgOXKAmd#yCK|)iO*hUUUr%#V5ecigRn?hXnwg5ibk6#SEx?q-tk^J!Ks{&rUN#EWUrvaKOaT~T(E zTfmMww?MYseO%{J-llLUiis*Xeu~`DinmvY=CxW*?J0x?;~)NW8#P3s+Q+=zh_qK_ zx!Bd~u&gEbN7o;S;{?#DsR(S-?mrr9VWIIsfL2={T4aZt%W``>h!s}}=no3#LoD=x zdy^Yug|UbRy{aAOqdV_sqO+xo&PI3`Nbp$~YQZlK_ZXWlXE-nRAsM|qz_i_mU6nql zXqzh?w=^F+6=|qIR*~UX8pe&1JsE!=)YVrDCot{W&&aUcsr61%qYw>mC?51=DOc;!Y!it!dNosO+E0pRs^$a8_xqn_ zox`+Fh~afhN^`3_E0Y#K>eLULsh=2c2ABuYqe&`_vB#16KCTjz=sV}Xw|I@Muh#|z z4IGvhq%ke~S*4%G#bo(xGA&iLozaC4H)(8|pRy502>c@2n4Y+{I-jzA;M87M>>dQ}o|4r9;SYiy+JQjYX*96VY zY*#wqY-z+-MzkNEyAp>#y*(Swy?B;y%6PW0@=RGIxLCAdGYfIOnSQGiv8QRMmTUNk zNfIFI9d>wIo;3s%MUMv*Sq-GBM20?9611oYqp_h(Ht02cGK;vy%Y)h$DbL~o?fFlr zL+|zn*>0f6b5CT5#kz9{x5~e1&!R8q``tynUF#-3YnLZtreZ4XGU`SVOwYk-W9LNz zRe3EHbtnv1p~7F|I6@at+eyd`rZ*>RH#F1fp8>0H^+9!mQC`jf!pBX|Cmu*9;s zdqP{ydig1S_xTUo+POjDjRvzaGTyh7A4N%kRKehr{R~5w8ZoDyXhxkfe$%HEbY@#m zUQAaI0BaW>^hmjW6FD=exRBMu13L3b&XFll7S&>@V`kvavwBNC_#Db3Zojn-b#AzV z&F|f4A!R7{)9|!9^}?S9vhZ4N$igGkyEk9H|8e}TLY9>%|NGJLpMv9xU9eXKVifK$FET8@r9JAE}e8*PPs?>Vh& zEj3SBGYnE9*iBKPHA=Q8CF>fMUh%IG!AAac1ckl|f{i{n=>ca4*2(IZY*#L8($!YU zT7QybrZK>QM2l?D2ASy%q8(WkM}%uc62jw`G1hiCwq{p(D$H?GV|L&l8>2zPHg;2~ z6&YaG0M&?fcT%&BJsSSv)2_x33|gdzLpV0#L4hl~`{|Uyb)(wluM5%O2XFE-exBbO zb05iT{OSZ|bX4>wI*BKwQnmAQ_>-WvAL5VZjR{c&a}U2)-0rA6y9J9)Bb=!leuXkT zP507|BjP{T31~}f?v_JIselk9CsG>;f)C!jp8b&aXtR=U$zlacqk8nd3T0YzK+9w}%nKt`85b=}{_cRBYnEp~YG00&qULQ*TuAYu-O-mJp~ zhEYhC$=))ox>%0q5dc6fV!Q3F`d)yU&ZKN2AJ8^*Lu%2(G{I&Q1s}S9l)C^r*EW}$ z{>JyC7(f5nv&!D8jMsllUCXrJ#zg7fb37(nB(tce7z<*9lCxB?Nmd1XaSef|{Q4=_ za5&%arVW@K+Wd-~1A+fK@pOY6`xgK%?-=7XQlw9gFeZEVN0kkbLQQl@I%jLE7sk~D zpxtq8mwOqBBVyf8*~|YCyVz3c=p<#W9U(P<)};WibX)yF9qDwC=Ybz<{`J#|O1flJEGg$Xl6DUg$Nb&_S$xTSiXZ|1^~+ zVr$*TVkiDMR*c61?ov@0NcdaaxOmgqiwaS1!cyL+g7nO}cx-~J{a9PvEpdvRoDa&7 z)YcpK*m%aWbDoL_{`y2Gh`ZPK7BNlEd`-pOb>`E$Ak>$(*ICY&{juY@Xkyg5WfM+XZEE9x7WA zJ3?*DY7dghy#5SsU+bU}%6)yoy!k!s{d@M}XBy$HzZ<|-f6Dn4?|JNd>)mA6%s&lW9F~N9VX{V7_Xhid8u9C)A{gQ1V`&T#VN`7 
z?)b+T^d_xK4{LLrqx1p|u_1W7v5{6k^w3xs2cnQ7pzmXu9R(-pwmql!3B1QDKs}P$ z9OPr5@#oY?W>r%3Q0E=@dAg^y)Eq;G6f&sRflEb?l}G7BfSKt#I~1ZbPi4FG5KW_x z*x2-bli7`aXgUO!M@%Lg!l?s(ngRI>Ap=hd25vW+8gOWgakusndPTm&j`1XbVgfsBC+q(4}CE|ikIWnJlXv#s1t^qA3f_Ru1+*7HxAT4 zm9`Dt9WpBAKT9pz3n6P+MjZDlE@TV7FR(HvfIEI8s-Kn{2hEmq5uL830UL2-5 zG>PB9|GsXmn8;wJ;A+knsWmBEW4l#7DjqkAw0y{7{MH26=R)^;4GFY}w}u+2{hgXm zoYb|-7Ux#Vh<$K5(r?$|F9OKK%5?*IXGZ$sMB_>jMwyxjM`CQmrn8RETlNpCW^`iq zPnll-T#xoMTU1_YJroDXr$Q4!POXKk`Bw6w9Q%%i&L>~pzczbYx*s3RVsN3AfBb2U zA@*Q_yZ}A7vaP@6&oB}iR_wT4%ole$b$0}KO z`(3Ax4jyD_}I?Z8i_1H77n;7hcsdSnF9mj$UXT^vWHhtu9zGC{6BOUKU7rQkB=L-q?xH7|?sxx+ zjNzE~nr~tHir~KY9OicSWmgeW7N%6r{cG+S2Z(h0>x&dF71u=ez|iH{g)g{au9%tI zADZCVMfxCH9;|ot{%n zw)4Qk%5Q8DMC_WFry4*+;VV6|i{sIO8VA&f^G*R^$A(UX!m-0qwiJb-#OGY)L`gi` zKtebTM?y^Klwe)Azs_lBxeN^JBjJ~aS_3Jw*;n^ueD&M3*i07J@Wowz zc=c~#JK)PsRxK&QO zG(~AT>c(OK-17T#%lm!l!o)}tHkygPQ;p6posi|dVLIjk?aaiD#t+8f8eSQDtZ-Qv zxuzh{4g|OsRdvr%ZXD~S4_sU@6gIq~XZ+amQ?4=#V;#8pT|CSy_F^66kGFcOH#|v@ zmO6n{e!GvS__M;fZZh&{Ec7uhjwWCY{-)TYE|6pAy#WMgAPh zRQaZMTda6%#6_*YqaZO)W^8vio7ft363O~Uxc*AKTqlk+)K%ma_KsdMuaoYP8MyiA z1(3>d`IV`oHv!&tVz3Mf!n*ReAkP6kx@oin!jVj96 za{zp~=@OiFP6Uqo5xc7j;cv{>wpY{1Ilx_^3&o^j`vfu+sFchP>%09^=x>sG z4Y?j?muPLp#hYITGbS~Pre2}7%bgUL!RB?EYTYe%vB(OC!Q{ns{e~H&v9SK~a{sri z4e7pyc;EA$LGY-mXkcuy%XluYtOoVRX25JIaTr;R?Nz;M-!;!0;URCHwO+QJ+CE|@ zJyvUcFfb_bHjj}CSU?J|d?yz$*_{GfzZ+_W5&{&c`Q3xrwcVLf#fOVU%lp|oI0e$t zBw@L^npa5;dOfr`mwC56Na^%|uEWh@Wl3|F9m=mMsI*@&Z@vlncxG>YMQKbnCN*lj zws61B7$0K$L0^lCX7|H1BRq-}8r#p$IHHQK6x?|0BAt`}IT3lFGjgj?%q-$S_nqkG zOQ)RrRz71jC3LLCj)5p9ovapgE32o*2wP4E%e0!(Y>SnXV}<^C{NbJ3pT3mvFN`v%0Ys_B!c;9KM^V+-uKO zaoBT7YfP7PteP6t^)A_0qjH}ODKXckx0m|j-!JeZu3Nk-Y4C__AYabT`5{&^deC>aez4Wr+{_)=l1L&xcP*NoT?0nR$p^&^ z^TgQeUEqn40@?UM+v5=MpdkEHfx-;9(0@N^Fb2Nc|B2uSZ5@&t^t}y3arnU{l@YQ! 
zM0&J<&zALmgY0hVm*l^w3$MSai~P5kw+`~?pr(&{>f<#egaBME^S2pYbC@MB77VSS$X= z2Rw%@3BI7!HWy^zAj51Pvr127~0oEss1oQ?mTw_x!2{jbMVTa6Fcr)1D-MG8SR zIp^Jm4c);Af0;yz=*?i+!yQa4wW!RuW`(QMRG&pVJC8eZK|!7N2c}PgH&YE||%1d1W89J}OM3jGTb`EA= zIqjEmHj)RY?*!Q=Rz>i*P;8g02%!~RV&{bC}`Y** zUD|&D{Rv9${d>l_kn-e?crOVwH164gak*D?H7zr2UI?;Ybmj!?5qq%JTl-0b&&$P}1 z(s2zL7hW65Brc8IkGtHntczE~j~?Xay@-g;)?O2ZR;3fA9w%Sd(_iT$3Gr_F9GDs> zpi~HsPSHFcPB-s2B>MACcH7_LDg0kpsmq`zYv`a1mJt|gb0CcFMX|CL8#{}*n9(|N z>5M6lyqEnUDYE!B*SV^2#JQ>sE&1B#WrpevYjR+>222LTO0g`y3r^F?{AI!Q51*2! z?r}grC=-`0>MAhoV|6Z=2&&?|{Saay=PGc%_8fGr)QieT@j`;(uA>RhM8@R4N{;#9 zyNNb?a#X=2l|2GaQ#suod#Mp58d0yHqs1I!We-VcV^34mFLyAfs>&tg)8FvR(A(YB2OLnu62?zN+8i{1#^z@#j5^_M%4QT=sjmHA3|)nVVqZI2RMP6`oq ziUp6+O}!&|mhRU~@>)>bS7?7h;lY&a%2}AE?DIT4mu?cWA9!&3z* zQ(f2Ap6Zrg)rRM-WHXeF9`}nNd9uvwI@ub;bwq2wB6ZD%FTOB^|v65F9<>56C8Q5BYNwN!7{Habr= znXl34fk|>WGVp*@MR_q5{vKEVnL;Pz~V1tL>FTISZJhFC|>79z3cQ=!OqVocMAsH}KP`B2+ z%^GHQ_^WY)z$FXaFwB@COH@TNEUeac^#CsW$ zKbr!kbHM`>uMEkV6EwwX2W+j65|yLiIiBHJ5hUF&M2qJolY46>6~IP2I!iW_xpr`R zey?#265_xJf3?kEGv?6lO z@a*)_L2CV9Vmcs{KUyPs*J4*v@a|w!db2v_gTQkHf{oVua>n_mAqNdlvJE6col)#_ za5rU4H_A{JmQFj0SaIE;YIB6^)y>^e~cAy-bB#ZM=#1f^`37gv@)J&z@+Ici(J`Q8Ba%;^sFtTtwd2th61w$aII<;R1I0 zmsqVLhw;@F0)I8Sv!*cLw=j8+F~t`fi?7V+*=XKQE?`4pUd*>N5HHqvmBJ%BB>u>M zIukay9q^6Kc!cS){puP&b~Y$i>e=>2dm1s9n%n|1D1L=^eJi>l3(~x`9%(jF`DtSz zsZ>8>%0A%gnFTghsrV%gGS#bQv0#DyL&eg3Yn9iya{m!>L^C`syWK zpe2;s|7=uux;6+qf&zs0o`|-!+*exe_iL#eXSf}va_R~IE0jjgy&N`#Zyf9gKHT@E zj#iw*i&&HjYF%*ecu{AKkW?wzd0NWice1S$5#ctxD~x{{5 zSxS6n>h&ypjVl{&9KfsH)PC_&roU;lmG-rTXBCby%HmTWPHwmswV;^ z$&G8+VL<}_%xN*d_V-<9P|@D?)&8Q-EovueNhAD<{<~I>!-}jrB58oZMMO?+G#XBH zzLlbcoTMaY4)&Q#y&iHg{*am|v826_1AT~K&i)!>|2V)42&K#c#^dT^_i6enw_1dj z<`Eq->0QaMwp$5z>UmDa$gf5#5gKlxvQy_Hr6m;%KHzH~kr(vT_`TWs=WoWO0?D~A zM#58Qe|t;x4LsIEp3K=#ob^1I)L&#h*v@~Q^|OV}U}^pKd8<_C`ga;|iG=FQpX>HQ ze3QqjNg5oOM%mt199s$Z|1!J&tFKGUykgfL8PC?$y^+-^ye(#H1@ZAkq-!gTkB8HR 
zn7cjC#(eIHvBPm2{!iewvx(HQS|=`N`Zn^rZqpTFWWt6K#p;ePA_Tk0wI^vnS62Fa{+Q`&|)Syj|7DcCQ%}PxBxdnZSDe#iH5$HjxaPf{d zL*YlXK|>)fU#RH2K*gzPJ#fkiPeM)Uh2dTQHlv?ub5*4)DqasbY1pM-yD3&)R3rS_ z2h*FfxLY7fD)J_K!YeJyysjq49kWRfr0vtPaZ3WKVQzINJv-?`9yT7OS*%nU?;+W+ zPr#|!n}Z)Cc@=FTRsfFy2NB)}885!%+04=No(JM!PkBLH` z=Qjy~KjHwNI4ZkdlP^N>^%-afu@0ZizV*@3UQ56p@eoTn!skCBIqV(`k0)+hbk6ip z2yfv}G$-u#e2OvD@pT08 zf`%a};VeKbemI?Y)5f=asc5@I^M%~vjxLq0M_H)cQuFi`@wh1u52Quy-DhI!!TQen~QTrs&Tw9+Ak{iB@9iPEGwt32OtQ zW()3>A8)BJj9h0ib}^G5z2%#58TlFgV|wV}nd@j<+0oqc2MESA2|V4N(tpreOEvWA zx6gtGe(s%=D!=l?6eS;s?y?^4UD=4cSzkM4e8;4~u4-}#CMkb`ov9IZ zpQJbvD|#_Jzm@*jrqZmw4sZ&SOS+)iMAxOPcvA?O@;9dH$2-coz!tQp9cO#$$Ebb# zb4#0Mj~9fpZZ5dVVy9y*^-m!~&V2PgzhHdjc53?4+K!XYOt^*)bkhMoHWb(uP`NGw zV(I>#uAS0S(B-x|6j?K;_vy(O>$R`H-woFNuG=G6(s$qQNXb&lcqlAjk_vSjcbcsa zCQFFdj#Y)<#5X=(h|F5&HNu>Cluh9|$<`Q{1eCf$zPUPQIoKvqL0eI!s#mJ)`qXIJ zZDaoP{f);QQ&E%73;becjVf9eW&w{zLyeBs9_r2W3gp>D9-1U-KzG!$71)e*kCSXq zH+b4*%k$L#CU+(3y?F1`& zv%O#!H_$XDVny`tF>c}3Ki2;r*L;DY%_7IfPVyCFSRp{2ZNYN*lY!HL%6pp{hUMKb-?J@5HEH-F9h?A>iS+fiG8~7#xd2W8l+sSGJkBmqnC?* zQz2qtvYgaNm7&P#llhnVJO57XnlvAjBDtTS>rO{|ij9sv(|?MfjxtTa2VN!M9XUI4 z)hYtmNU2ax6__Vzh*DqIrn|D&pNK;xsKURMgDy{I#%Wy%uMop*2NH2dYdhDM zECBUc@SM5jxBz}Ew*LL~CzC4#agqAyHs;LujEs5p=D0|m>`F1OA1w{5`@eWj1N>{v zB|_65kNB&6`5YB5O@M#{LK@y!yh|&3Vz`^#f0$1QAHlmX{lY8HJQP1Z3MW_{%__gQ zHS}QA0M(oHe{;qE%}+LyUZdz~E0*JP<+=K~|Kwo&*DpFA*Doov`lS5??gXjg0iS28 LS}JAA*1`V^UBL}Q literal 0 HcmV?d00001 
diff --git a/src/assets/img/Delta_Class/use_case_2-4.png b/src/assets/img/Delta_Class/use_case_2-4.png new file mode 100644 index 0000000000000000000000000000000000000000..f9deb36287f663f489f9fb97c2b058ca6c7158cd GIT binary patch literal 51977 zcmd43hg(z4w?DcQN@&sr>7f^aAVoTaCLmq9bOjM9p-P7!ASk^{m0qNyNUze7j(~u4 z2t``x{pNkY=lssOzxxl|JkNgi?3uM@GHb7ywLWWB@MIQmfCp2?13+PR0QNs5n2Q#30RVRV zdjNvDlVdLJY!HBjxr6>`&j$ZDC73iD>%Yq&5llNEr>mfL)f-pfrJ`4q)o41p@l^36r8|!~M`R{%dZQNeE+Bv)1A)KK9 z^lSA3;o&aL!t&2R|L60c?`h*@_dg>!x&7C)FcXCR(*k?MF97>LePdXq{;8GFw)3)a zFjlm4#E1tohK!JaxYWP&|DTrs8S#H{8vPHah@ja2=KNnR|2L<;n~kdi!Vxp1yUhQ* zng3$`-;MvpCy5Rg0`vsC;%%KPWp(cInQ(4tqvT9zBE0cBn3 zduD83d1BIbGPBdxws>P=U)kc?ec#X_`uC8uz*+k|mK({>{}hTwu}X`ek`crISN$(6 zp`cHY&i_T}Mv~!5@)LU{vB_ch|J?_MviE=Y`Tti+Ulji*U(3Cq2FP0<5~-6CErytY zfNB#iW*Z~of$7Rlah2|W)JnyNQGoX0ZR z3`&JN zy_$FFWmx^ebbH{1l3WzOMZ@lDRC?@6N6TLC1$`}pyaKxs4S7}2-!`@J8bEDPb{^cKxr&TV~W}ZOmsdP4sC>>fpvyuNBZ>BA3N^q;ThQ9W7GzCEq}S5HwzGAAYR1xLvy zPTV_5F2^6V{9gE7uQD+qd?wO+6d2L5Ecv`NZ{?!DtZuB$;~}YeqiB$@=K&O_M=t+Isxa@_iT^hY~F2z zRJq8naE$c*l=oIa3NdzvFtyqB9HOmdEe^-qs77oH4_E%W7ws}%{CsiZ`gG>E(1E=MkjkN zh>NSToT!YpP+i?0N`(3x7+@^a_X&4-!sWM3ivDjyQx_$T;OlOSYo&f^XK61)|B-#h z*=aX@+CS@yVHWG&jMMy}GS;Q*JT;*w}S{X!gPmHPC8@ojt5fWa?|>y>1`7Z%3F+w8LYHzzzv;p%;XHc7ZQU z;`kp6cf^i-Vu=VjC~#RJOR<&SF<#{iSmAs#kWbFIBr6o;g@m=6UjO^{+930h4Y(%> z7aCwq4!6c}WH^=>*V(LnC4=lmf~qeh|x9R5KsT7Z`Z~$6dB`fvayqr->V?aC1GX<)J(Sh02T`_N9t3N~_8=BVIj1 zJ@)2DX)Mg;M?vU)$6r|b!42~bkPSx6-jgmpiv2E)_~^>WU~!9K8Z{VzvR~9Nt-o16 zZ|(4$MK=f_K`i%pPs`4$nXamRUgqrxT#=}g01nnUMU1AbT^+e9*~4$zA)96RDnWHD zrgvHKaQ;|)ncwER%&J4k7@szzQu|D>f&{J zpsqnIq!3m3%ocnIKfN_Q{YOR_Q;g1E*EQE7B*$DVE)x3PpQE;pPSX{|_UQr=@Bpwo za%>{&^xNU8?CompK|;lE|1IBk5&6Hdp#hf`-vMCzyI}o$%!&g!-DEe3E~fh1p(X3|qGKNjBYk?B*aV z?HAP1y)yd+tMh|QvId5yF&a_B2yZu`KzZFaH*X{aZls@F3i-9NOq}JNdYZ(v#e2FK z3Whb*JbKJx!VqvgdVZ}eBjDt}!xY8p`Nx?0#qHN4UrR=q59XvI3y$RF;R`W}bgMR*M3*iw0;9v(B1}evRCw6hlZQrorK|$2la@ zPIkb2-@BqfON1=M8tDPlVafvc2&Phn{ 
zM4sbZgZ5l{xNG9>9d&ay)r;24UzLoW3l{~wy^a*&N!O%|NAuKC56#h;FQu->R%f!X zKzETy7BE$eUe$`h=^8#1wL`bVOnA|Of(vdJF@dYez;So?+YnlPik-gbACmi}(UHo5 ztFrWUx673=F?U;ZJ+sTf7P-uisofg?nSD`{vaP>uE+jUr)p(-KuT`Bl8L`dx13|Op zbUI9jw~3_=-$=8s;8yF>x;xgIekC{l>a1W3WEmwTW}41H%uC37uR^O*7k=Ic^2rBn zroVtog_v2iFJ{NEsT743$jR6ZP(I;^1WCk&_e$@%6euwC8L8!5bL2?BP42Z$z$1L9 zVO#YC%46}gu4P(m!Y;*s!ZWhB_1Ypb7$xQ4w{dV;zjILSviW)=f*2*{B zTU}cIOGSOBErHIW4|5GTP_ZWF8zx~;oqgUv0NdSTwO<{r{wo={hqJm;lx_Vx_bns_6e;vwPl&+PN4Z5cQ>gAf@ z?;IK2kd6hW8vETc{z~^PQ^udvebDr>4b0aVBti&c0Vadqwi$RIc2gTFH9z^?{!=iB zD^`i$h}={Q8_Nz3T>er=*u@r6e1L;v@vs$X(9AT}UCdNWH=D{4dcqw7GJipG-!omx zZ~ZiH$Ve**0!u{GXQ_h3?$Ydg*D;o-*DU?2=MOV+?+ZbduZ3G5KT&ly6>WWZQ`plJ zS+r~<-t=RoNtBo5k!s>P^ZN*Q;(mJj<0uzigNVEfx6Rj7d8W5rhkZL)(!>jXH)7~i zt)z{Mk>SlC@8-XeJKremFUl7$%TI(W_vYA%2QT(Z5f`SP>@SE7*ZglY!r|^Rc5oEN zL)oam*hsfmTfMUWtfl2fvgzg<1_e2qZHfw*rr>%_hbp~`>`vmvLed_v5}Ef>;;#5L z#jreBTUR1V3>AZd&`=z_P+_*vZaHss0=w;;!--{%z%QjI&tqu*FwaM8n%K-moj4+V zP1bk532h-#;bnz!F#%(;G^>YNF}2GFGe&1w_9_Z}?LAMz6*e9@g9#a?CJv%9%0lrR zLZD?~_w!qrA=SK!9ABx~neN4X_&Y|Qx)&?^!XwsL?J~}Y{qfg@mE20NJ)@?Z)zt$| zgzCWG;Zw#>y@S64Lf^ihBS-sbNw@)$mFMv;$)3 zRKcf7hD_5wva-n@bjP9TLb66Ajw*aFg5`gGrSf&@JARj|=!3xR+0`mOvhOVcN9l{E zHhhDhKO7|Eg*@H&-~7?b4!g2l-K+JtQ88L-gm0Fv9E73{%weyjk zopXJ+QOtUW#0Tx5vM`m_Z;>`ExM6Ei9xS(MZih(_X4O{u-cA`}R&EHRAY;I;TW`=! 
z>FOR`h3qY>G)1QH&b&Fv&s7`W8&TBlinKEaUI?ArVuqGMunmpXYKz(8(uF@jfE=?k zBL-eH;y(B;*1G(j?)lK)&l`-RXRyGF!I(-RpcUCt8EPLwX{2HY(INf-Y+Hkx>~Us{ z$z$f~-Z0i144#wZF1;0836-QotmD=b!X=pAKO1voe zG+gibqQL&G>`m>E!!Pe)oR@r-0leXDjN?^|gP_hTG7cm*oABeWaZ>{e*Ire@`n>Hi z@w-7dEDkI`ExS$lTZO*DP|EV0r<^`~u4K>qUkt=oBxG-5KMs*K=En#!QNpJ zwA+cd9DUp8o_;5$)qwE&L8myfM|6xV@j4j|7CRfJ=aB zrm3|vJj8xm1J9l*%@S~jWa7PZf!DcD|DLh@9h*|{j{jvyhRcgt#aXo1)+42g37@}P z91_i$IgGNGd9prF7KdlZgGQ0xoaxPn46>PVm5s>d8KVpH(7N1%KVD5Kd}=i6m+IOW ziw*fi@mPT<7V=~g+ zpQU{q{CxJey=H0y5gBen6Fs4x8*as-EuQqv>o=>LMKX_~7mgaX%A>jMZ~5t?ZerVJ7%IvUjY-KA8vm1TPXznoS97#ZC+&jT4Y@MX+>rwEGB1vp&V!hWIe$;L z-JakGXFk3vs)Qh$>AwM&JicsG zA*|I<`i~9EuQ#Zp^Zj?K#mZ2Ae23|&Sw=wvfUMKe0oaAPvVo|py*b3WWhFHNzhuZP zpNXI_YNf%|MLzO5)2n@@Kc$&6m- zKbXv?dt^vdf{MJdhtjh5eI-DnCiMNH>_OVclepwTY$^&Yq$E@X*ugT5eOT_(lPBz` zSvn>aNIXkal7h@3+Ieub|H8jFvYvy)I%z9Ii$RUe;ErS4EyT%k@_$va(Zee-|1bd8P6P-YfQQK7aJrYZ^LwZ!5it&N~5n z`K`Yj!kH8n&VDygt*wtm+Uw9K zR7+nTgA<6w({5mU3xQtqE(<}2eU*OwUYo6dV^1H-CfBk}q|C5yrf7tV-XP)QrL`l^*{vr^l-XG-|U>h_6yFtHDv{a6AREv*>pi|{T{_3iB@@mLSF1yoTqL%U?s8+bfY)w<+mJ?3 zY{7*4dof*VB*O*Vl(#QG<>l|qM{CW!%DuISGUx;8_g#{x$s6$zZ%zO1BX`8(S`TpC zB01Qlj|3P6xwpaK1oXzt!tLJ1tSdq!UTE0CF()yzk-AWR0Y&>8QNd>h!Pi_9GzC&N zsl#GUCE8H`3|F+Zg?D0|)Gy{H_k5%X(!6^D@|RC~h7)n!sv1sBRg`gEDT_CHtB58m zV39;~5O>|7}KYUUWY}1gXxnmi)tC0Rjcykz^wyizZ~!;D9iPvsN8^Z?1KBZu`2n z(tr1G8qhLG5#L>t&PJTn-u{|yx0vyOgEJx!YB=&pcVTU;SJTu7P0{V?n%-h|!(?RB zMp6+9y$N**ZsXTrK2A(v^^w7(SMeippiWik`)SAQx3>qKpRih z{yIp;54l>(0nFpVf=jrZiM=WS?XUrR0n&Bf!Op~YqI}t^yf`>n#+Ece^e*kvk~*5n zIIbV^2tQIJm|q?#Q(6AxG_)Zdz+ZWmnbP%CE8`y5WVd8Ki}XBoYWN64F55*nKGop| zSXry7Mk!lai;ic;PrV-$`}h-acS>oK`Yp#%Xwr0?hh_C2KM#B}N*qM#_3YBP$J}hE zM8%zuKGIUhm%QG`=piWmdU(~QH~N+62Ci3>QR@fKye^TxgR2expAD%AAX2CE;nc1_ zn?dndOJcD^S}iMmvko8UD{r?esXlq6ehu7~2C7a<4POOG9z3C!I+66$pyws82=cOS z_izUMqiZ|u6AF1{Fxc={ba8m_QLEEhUsEA3F`8@S0ci}BC23*B*~#a}B;NS=%SZ(8 z$%X5u+jaM4M#Q+->Q6%{|E^tk4O@p)czgd#1BMzPza~bk%2Vn#{-_5B6)LiipB^Cs zh2>G6?nU&=4iN|RD%#%4dK(^nYc(R?TjcX5VUh(LjZRcL;-X6X>Cfd(~O6DVv 
z7e4#0t@d6(hUrR`IeKUvC1;0LZ7^8d2MCNCI2%g;Brq*{aJ8_R@>x5@CLJCNfwvdQ zRrF)aTiLJfpGWUMXuI8MGl%Mj4h3p9K#VBVX=c6=)`OjNAHdD-u)L-LmwNQTL;EkC z9`z?vCWP}EW>r%4?+c+JTX14PcDw`8S^TboPy8iZ=2G1_mMqLYR!)0zcjK@68`Icb zmo8ND>SZ%Ix_4&BZ_S672h}j*@6?iMMsKb7HWs?}BZ%pY$FzDCjnPAI;S9!VRL`vAV#3&31f(u^x+A%cHu|#G z)~8J<3xfTI^CXMbACpCA(D!|AL=uv-jXOkMa?uUKxr8-B`+D2;@~sddH4Z%3JU2-q z^eF44jL&jcp9o1J>Gs5gomw9*;`U#NmpCu@{b6@vgdKVPW>>ff5dKlSaqhI>bm_lJ zO~Q*za1Tpw!E!z*I9lHl)+)iATzSW@1?)}-IL<+}KQe{{8i9|?i~Og-R&aV!ys#}? zWW=|NC!xVg@>1f%{K+jw&lnN*qc87a3%*kn^Zes;hj(E*i0eH?$o9mH^oh;)`-q#*T-TLQZ55{_69)5B_}Fk_Qkmst zRP-QB%(D!qWcr2vOdmzVXJUcxYdLUz#jK4pHilT%`{QMSyckR7#Hb)R`Vo&aDinIx zJC^_9=^dL$Ak_|g^pn6{AuG zBp(%MS6A0~N-f8c&|EzmI}1ED>OXDQ?u>qGhuKsxb}g^>AQ$b_wR`zwuNkqFxiPPi zVK4477?$pfVqI-s50$L=fy9G?@(}0m5ye%ZNiCZdf+K-@h9uAzmv#7{gC|rOZg9q& zrfc+I@72OtYYm4HQ;_1p`bjb_c-(++g7|HPJ2a?*S{`oTT?p@Ed7#0QSi(#A&{)9e zNmm?dE;+5Dw6gV5tRp{0=&g@KxLdda`K+piOjjudxz+SUU8{)hx{139CuzxM_aic? zODjlW-J@TkjSxA6S2s>lzX6lnBv!FRfaMu-;_- z_{^Y6W;Pe*B2EZWr3nY_7ZN_htNK1Izbl&~IDXAY4cu$DZw$KaVipKj*ixC{FtT~% zOvc0e>Zyg+yDwAY;ntr5HcE6?5_OtcWnAGoS4hYDI3g48h>Awe?4MBr+|;vkdE1E3 zgc@ce_fTV~&yq4WQGHIXM_whR;xQ?Igp2nrOs&hcX7m2cp;s0 zR26hIJ3Q(ZP~7qJfxNtO`a&+Bv>%izZ7;SYXeq*RJD2apVPc!IjQ^ZseBtNioU$2J zm|~6&u=3D_8AMLy4Uda?MiTJZ8p4dp5TFkowc_jHFI>0uH8R0h;Jb=0~7u9i{4GjyHuD$yso_+WDIE5=-xbKHcuBZneK2UnV&hKcfMD6+hf zk0RV3^qcT(zce%y?xjUKpNPbXE3v1gQ2)7K+%8<}wr6Yer=Tk4)qT0}5E0UyYOYDz z@O=G%b_QdZ78{S1Y(4g7A*}a3IJZk)c|DDMH2VV);LLf!WCc`68E+zo$Y5%{3v7BR z{Nt;9yhJ4_^_!|5MUDBc?hQ~S;`oZ|B(93LiNkgp@ApH>*d28{xQQP13C5K$=mbAdM~=a`7!NHz=UOyvS!M~h^>3F8!y?LQGl7t-Z~t?x zi%^@#p$64#O5J*B_mLzK?eAIA@qL{#GlW zCedGN-hwyT@cpoR?ANO5AN9dvYO~qFIC1?t8?X)z4!!7$wz`E5`nDCT>sw&sY3mpL zWTcc8^-^K9NEGOTweJP#hxk+~ZVr~aml>b3HdxzejUDs6g{HfF2rkcR9^^Y*G&qTp z$8B;yzO7z6OVE$;*^b)c0W9#FQ`>@(KQd9hMt##VG$T=Te?&Q-pbmLvXG273JM z_0c*xh4G1|&1q2ux!V4-toK((_R>~* zKUqgvUd8o*qWi$dxE{^qk0r1#qvJI9cw#@6*VHKfE>ya2)}T}^xiFE6!MnYK#0-5- zllymF469l)2XTinS#E#4wkAFs8B9BAF3w+Fx3(_t^L--;L=PX9243!|-#A6?@Her^ 
zez;z6V~TAf@s@1<>nTOLG--F?br@kG6|jF6uwReg60#v{Q3W|JZ*9Igog;J)l7T~p z;RX`6Pr+PRmhfSar4=&90ZN63rJYQ|EWrLwO85c_V|wAd8YMavKvqVIZi;rydHpa% z;?v4&!r)8hduyA_oD9F6qa9QXNp!gfil!Sp7`K0|hVo9I+;6*I=K&^jFB_QL9I+gh ztu%Umx5VF&h7(6c#zHj3!Iq>QAn;S^BtrEWOP8Gr^6}ln=z<(L^{lexWy4yozK_y< zJ4+gx1ZSJPlVU>GK=tap@sXYU=!t zbL zPyg3`*TYRcM_GPKdukDjisM(fn#wyMC;tVPYyQ%`wuolyU6RA&B3b|D!zhGlMJN3& zSQ^L{N0!|I)kR*&hzH@2y^H{5{`^76PcrZt@S62O%WXD(SWy66gT(l%PA4Q? zb2X)+kZo>1u%<8FWT%{LB(U?QVq_s(=13|wB#Z6nYoCQRmNuufZ5e@hN!X;H#g}<= zA9B}K4O#vA;k+jE8B*%da}~vh6-a4^>@|vB0xMbkVds94GU1>29V&79Bv*WRsK9Nh zBvsKC_oPAbhhaXfWN5XCw5?yGMA$BN1#kQ3hG{>%d13Ud!Xio6E>13kUdALkU+=S} z8qc?g|CqjsFgIynodb;$_4B*#L)_LKO5UyhSdIPTwtDT9VwTCd*E1(8X?`S$V7OZz znvRj&AMUL8_g64ZZWW#P0fx~!XQ7++Z4*-d63G7Pz?*3%PUzX23B(Y0^H1SM6Rj*Q zl^Mg$`-DrhIW-x!v;#eAPQkx*NIaBYOcGk@5Gxx5Y|XjMRl%{*!Lg-O)Yc2FQ;*g% zPFjYskf**?$w-{eIU3`N_%2e2AW|yRdI*{wI+RPOLLoQ)90zG(PgPh}Lv2YNuA6W) zT;zZ@jSE&Xk`kY zj&pcdGZSLWWSQXRtjepdKBZ|bS5^fHpq<6E_DpF{b%3>65+mNo2#g859?O_Bcsut; zXiwb7;rg1XReFcUi3xUzw(rrc{G{IVr!y~A@+No(@u2Mj#q^-g|90bj0#XL9m zz3~3ZtBz+zX=1HEqS{uIf2b(##NJL8$<(&zca)N&WI6wWZZ=gdWRKzmZn)I=t6&VUdsBP?&oO}GLq9vj`Kn$pn;k7mqADj}PHG+dX5nI{vnb=KZb zE_519#yd%@EN8TS9)^={mMmD&ayt8E5ML4%@I*6jKY-v)quTC3q5hX&_`rk^rFl>% zJ}V_q^*ttfzjnyd5gdK};X#e|8VgFSxt7uft@Z$Bcl?thiQ;^mg1z0;HCQ4(mstgT zqALeF`j|-Sk6v${GGhDs#(+lE{2KQmQ>JM}$F~E)Wj+6ywC5RL2Gwl46R3@qJ5@|KSpBiBJlXBDXrK)-iCUxmF=BKZrnRr zpM8zhUh})f-n%2tyO;CcBg-zl=}pZS!AuO5wYv^Urvld==|E`Fo<>J(VQ`AJ0sUddtsMpeL7I6c!Af&M2V2UHM0-?&^E z$W%CPE)-^F-MkE6FqDWRw}YFeRaLsUKF*Y9H2q=DDQ8g`sI8SuFpR5*W_>_xM|}A! 
zRFjIr=8O^p6p2y1WCNqEj6wxo5rN;Gg773~%9OXWEon{Y1eMao{n||*q~n4-aGUH3 z19b+w?sxRr8DsTfyA1loS+Hv>$!r4S=MtF#Rm4!rU+fh06}5zGYy&?&Q}J_TcvvopaD>T~{(VDdkEYhdYOntn~m4V6+=RWEZgDQrE_j6n9~Af&1cAK2Dl;VrW^ z2L2Y3oYN0tzq2F&7bid#cqs~*05PURxMuzw6WDSB<6_+HV8S4cnuT_fTAA$jGH z3YXqex?H!TAyLDCL-&V8e8k&@(yhO8oOoGOf_-9BdbT@!Tn72-A|F;Z*MyJt`);k3 zV8Gr_h&YiY0+xv7XBW$)A+P!s@3lxWU=KzAP>~=E{TxhhZunEAYzxcc&VZ&(Bwbha zET3dPj=X!lAc+Nx*YC2VISVf3%w>6*aYHqZn2_(KtcMNs*A9cvGN`>(7}wwiOzQKW zu@0BJE*N_$ziSIN#wWj`ihJFV2JUcY`B-LDmt*CHd`(k0Z8Sk${c464T*oDiPwD-1 z`Ra6^)7_si+}PEK5(udDhSQ5BGie>-g>&P3iyPo)?{Z@tqWegCZ)f6W zUw=%Jqp8jWS-WZD&in9D{Nv10$bsig9041Wh+&&|K@Or!;%%++d)5<^#+1aa@Mmj^ z%28g%hhBe!@Amg4o>oxSjNHS6vYs{5pO3o06q`kx=g28tk@l=k3S+LL0Lo)`@clBf zD|gLfBW0^009R*D2KGjspVUM#_n54|fk3?Od+wJ6F2H<^*$!t`JZxn0d7$=17tZlL zGVcbxoHey%ZI-gR*s*)L20EM>pH?eB^9*(l`IIUq4{*W*t@9-HzOY>Ohg9fSW`!uN zd9%yB=!u!($KYb)$W+sb05fk!Skr4{5%*rO21l#W;5^PY$5*zQY-d3xq{k&%@4eWD z1N3ndYyk_P4F?+n_trvBxT|nGryc_V$sp{Ub));hH!tJ@TgNvn!eD!=Mo|63A965@ z#;QNOWFYT#1!DCCu~eNfUUyz{2 zyL7%L&-qkZ=9~_y>)q}+q)_R5pm#5#iL}yjD#05KCCZviJ)Y3Q*#L0c6H>Hh@ZW*| zMkKHifA?vpHZ-D-DVAN?v6CT)1p($r#@~9?=u>Ku^@4XtQTztsSv|2@Er}Las=U@p zW4bh%dP+rZCrR$j9Xd$1L=VA#ZhaH?*P@u< zIfb}KkX!j6M&HKBNcc&#Gy3>?7e)Uz#|#riD_>TR1?$1tI2*&#G!m5UK0%4Xze`@P z_ZM{%UihhhJuXq`2m1AD`rr>f_%L&=H-Yjijd=bJt2}uZU{-sno0^bjcIf$U4DmkJ z1(C=~t95pSakQ*X{p$HHa^^243UE9j`7E0xs7?gC-82Jh3}_9<^=_Y&A(z92V>x2O zX|s!d&96(2>#q6^9?01@(sI6W5zz| zW->+vcxE*4=nU%!Jg#IkTjRl0C22?{t_Vg(pgB7xIm7C4B!8z1L?X2}{l2d^i zoS73ELNIWKUAb?BhZKN|@?nRFqlgV~6hYp=@JipHTJlId5*x6W8Hc~eqV5n@-#4g2MEK>?I~BVEXIILFAaOeMfZ~USTRdeC$dwMlEo}9 z)1wBMM7uYWjij$iV;>i^@extQ5p;Pn(O586L(szi#Baa z80Xq{xaD2p`q<+n{?yP61mYYz<3o9A@IEF^AA^fFa{>&-c4N|e)gPY|7Y3m+0oe4od4N-x1Y1x-lyvJ6lP~2F9cC3MVo-^axp3i_Bh17fgSX zCm$!FI7bx@d|cw#DSuKiMasJ}@5}mZ3Iu)FxE+uD78;kMnbD+5Q3D@8R=rK3C%04( zyWplo5a9G@V=XZ)DzjMWGymW=^i>=Wj-8w(Mv*<+e;SQ=lwTPl@lmBe`3a{<2usq> z6XSi#2XQ5>rQo&Zs8u<~3SOU;{<6HZcqK{E#3i8rbg4!nv!sN7(&Y<+Otyq8%g* z$q#x2gC#JV|*wrds8&T 
zhefF-utf^u#3snl_fwa8nem;U%h*UD{S=F8D6~0JHcgQPRDIK>X%X1oRm3)v8wGZs zY3MylWskSFLSH1)&ME5O=*pEoanGtHO)nw!w|<+D-aGi>dVLln8PTY}yLC1+2U?0$ z$rDY&t}9w>i-KPR(TtY&F;N>N@wXGs*jL`bjC6MgWVHRkZ@3gvf*h$=g$rPQA>$Os zvIAavLQ315`4xIR`Ce*xYke}<1DR1LTUJ{2DhL*(1h#`#Rul@RsTT{;ctC@p!l^pZ zk7M;2jlH#mziTeo2MT!%Vz1QG#{4aDxTPw_f?IduK0V1`P&^CSRh_%U+8$+w%@$vyX7K1hjEg*pi&*~n{V zY>(N&2<-Xmh3#q{u(cN6cWotmfz%!~JGpO;2?RZSsOZ?2>V73xl3*=ZoAu6*_-Da! zu^wgW9=En?8@qiOw0~)pUh{1_W|iIhh{0RmgZzEwj=KBg7SHD_ILH}1eeAzoePbp; zngue0;WQW@i4=emb}@{DDg*Yg;Df7Btn>85Q4L0KV7uMKxDUsyFHCqHKB8C( zjy()+z=>YaMi$=WlSCGLl?ZQ2VNgdSnWj|0$8dU#OO|!JuIe6_%tFhTE~dm+)lfzh zjtd!0GMS)>Gh}M#SCJK8_c;pIylgP794IZfE-jC9)5Ogw4(Mxm^~;1+m6T)7BXfYF zI#!FhP|Sh0oAw#i2VUYwe{`7G(-jk{2u&qk|7);tST7bet z#C#CqRHU4}lc)RkGv)V}`Jz;Ss2bpmsIg*#*fRiiURqbjP)J3Xm<%~kWz2?@tx8D| zflJ*`sns~BK#tw3SfCu}QaTjIYa_*;VBux5CM8}&^5%}2m`_X}?y^3n3gxkFavH?W zof5=mHYPk(=z~^fvSayQI8&8kE&a?Qwejv#rLQ^-F}EWWgq9ZFu5-H2=fNKzj%Tvc z!Wo9af3IP#%aSyGU_&^gxS;+MKLd!?nV!V;;S>aimw7$j{F(!0?OrOlrBlfRYjx0P zYQ44#Okrgr*I^4~TxZM7xcs18!JC-adphIJ*%0FBFYSnO4AN_VETVJk+8Na7tbi+C7t)WW-(T*3re{-yqz#$S)&Kja!AY1!PcGvT)G5C48oHNl0HI?9*L0 zGZEbM!O~aLaMmA?zd$B&bfnkf7dSTWYelKapn!ZFanjzy{0>y?f`NkEqtDLLI93W6twe( z@vtMe*YEJ8>mFC$4~oD_8oUas;?o{YT5W^ zHKchm)@2$m;2lyhn8FYHGvHu*R5B%3DeOarS2HNlUqZq%wyWS1OL*9)GF^Fs=w8Gm z5<3&ab8!~xxd`RMyLga9&p!aZy|tdv<;(r^hxFMO*8 zQhw#MN;8w(w+^8|=yJJyNDI+@U*&H3v(AVj2&(m|GGKgLim_%zPnvR8LfsAs(5L1! 
z`=o&EDrnHxa;Y(tWpj#o5_X@`c>9!%=dOsaydX*GU3Bah;Z|Oj)X!GNf)1N=BARok zL&2DouYPc*pOC6~I?ZnkC(or%9NIwci*Dze=cAna^d$XZb@P2GnP1fyefH`Pnqe|p z(g|VfS(3E^&LRv}OyOC>KxaGVB*S&-uYKAj4e3#k0D7rpp-{8a{UVl1IvgpSjEm+| zqZVWyb_eGMg&(XNnp0p|YQ+eyC!oHRR?vzrc)cu7*G5D$LY`&QU&30B$7f$Zm0VNM z-i#eK476bpy56lXrwEU9)fy_*p322WZb^k3YmLVWIn(?sKDW~f?-vdfb`@cdQ>=kE zBBfgwpY6_(GA%*LPnw3rt26^A#oN$N{DXY%3kOMf{{kPB(PcDmhZVmTZW)!*v9SSW z%7_X?tx`*y&qYL75V>lI&TTcDyk^0ER+>hIMLo29%+JC%>iSg!q?4^fc+=kfDN%*9 zph8Fc|U);7FoDGT#0U)MpIZBz@Hn=XsvRxIU`Tx;~2@UFS~trN9tNX9EQMbM|o) z4*cmnPWzG_5h^b&PDSX!GMAs!`mYcZpVPsFdiVRcCxI-cbVD)`QnEgiA~FI}@L2wj z^E4jqRivGbMr=}$8?oLXGX*|it>Iu@l&gKQFXg2cJ zD3Ow*UM+aDyp<~Z$s@X@@xU~qC3RZ6(C?Vbpk75=^I7N@3$mDyI0#$+P|k4y#adhm zFBPG5?GqO61f_TFdl=-~f0EHVXe?a}YguAmz0eAnKfjRmx)SpeHlakBPYwSV`@l<) z8NhQJ=jVE!pxm;v-z(ejvH>Ks{)jr}Zrwghg7NJ_P;}Of&?MHqtZ*#kerN=o;k~%J z3viXi2xnZwnuI^#!m_sRn#D(r)2;=Hx{m6Sj3-W96g+I(fo9!K1#?wBfD)E53_OE` zC_PW0)FmI!D0Q1o&{r^`_ogBVyY%p{n`k+^mC)251nU?E$ET;N71t79@D&@CyM4;` z1rLuVrgioWO^g&2g3)~z0mC3k!#QP6N#}A_=+KMN9TI};ejZMVL!Jr7cBa&&!D#|@ ze7y!VaOhPKp&eb5h{wtoQD0oDyY|jcJkF(E*0dyC^OyKVnwQ@5ab0V^WZrmIdN~s> z>go>yuGy7ksqlt3uqZa$K8@4_gFE3pFC6lPElh@pNY%!n>su0QEtf^FUHw)4MRW%8 zT>PTE2b&=xXw^LqBCUNEL4->cRr6-8F5r(%4882_+1+0KcH9IiXJjvH_M#T6_~45i zjTh#pQ2fJsfO1ce3h*L~)7P~SUu-qMBb|OUCG1znxA!$^Ua?BJvA9-i$Vzp^_ZfCc z6%pu7IL{LPp8YUbEn;{BJ-xIw6{K(#8FIN|N zRIEKqo_H>rJ^y9m+uPib_>_z-2wT3)C_8T(n!I9wQ$zctpWrIN-eiYjGA1d6m*t&e zv2s6q(ra?pw55iN(T(%Pb+%e%z9TV};>`=grB9`uC|OkY8+SLqY(W z>=c{)!Pnqi8TSFLXw4epHMyJ3r7p+bph~`m&ZeJ>MHL|Bk)O`hk(2lk`j}~Z!HFw0 zn=J$I`?( zK`VGiEpu!KS6}fdXzZ)4PR^H?xo?9fsCJ|`{;?mKf>{>lllDEbmuWjax3S?TX_Znp zBC^TpS4q^;4$bK95ylj=+tM&vn2N}!TZD$pfJ1wq8y_2K?+TZV&m|tP^}sBn6B`g& zm?@NT`_DQHX*kY}2Fn*D-z`2HVhl72-74(HtEDB)E+p&5&J{vhN!mq%HY?NiN7{Ub z#xB_6pD6QlW!9G9wDVwF4?Kllfj>YYGPsm~tU_|~&RAcl4}Oy>V*;vf?FgQnGaJk5 zs_-!rnm)LeKXAm4^@y}^F-QG`G|cq)_`Ta&Xr!23r!_uOtm?1U%FT-Z{0pfNBR^ULtjyxuedtV>6rq!QGO2pH6B%X&3hDzNZ$C zs*#n5C&1z*wRi~gmz^qLjE;ntobaz1R~m9bx5W!-VGwk_GJdCotJfX3Src$jdT&LK 
zOVj@_yGBYeH8f{|%lPP2@%n|opzEY_aK2uwM#vMZNGe>d`%EdH1Y_)|n zJRTa6IVH{Xe>IHZasJU)23Y;xc8#Kuws&Kp(3IQDhQG@s46^4dwnJ;nAXXpD-$DHbRHu^;b+Et@D}M4^^Av~dC3)G-bzPoX+1|NUP8DSS6ZuSX3VVP+Y z{jLILMXRXxx+$eD*dJADYW?+9>nQ^$h2WS87t`D94Ax_%2Yu8Zj3#rsSdhqK*C-Mn zj>9*Enb9l^{HPr(3H`QlGH|@G(CeSM{|{ep85hSBY=JH;?vmiLNN{&|0tAO( zA-D&(;IKG^;O-I}0t*CpcM0z91b2VS|K9uFxA%2_)3Y-@-Bn$uPSv^gEDM`F$XwAj zo)o`Otxbn!IXJjD5TG2knvb$uP7Sm2N|-I~hakkdq4J2Y}Z}GmF^F6cd@D{5xPdg{3+h&tu;hN@lZGQ_YRjqAQbyXC&a*P1Y#BR zXg2udtWIk!AgMjWajb&}t626?Ryl3z!ddCh;%{{1>QYG3J7oIK0a^L<7RYo|E?zmH_>|BgZU>uk^$}>*Ir-J z%wy~##eo75z|fyzzXJ7p0=WGv((T(CJF9xH=NkBN}1&AW+Ek?e|-g<(f+rrMx)z5XieH4x()A@ebY&rWB*EM zpWjo>?Yj-p_c)H;i<{}~o-~*iojWoFLXkkVb&O*F8h5c3z`qjxw7?c;E7QfM4i0}V zhs-EC5N02Gs3`;hQJM&hkxjluR(9`lqy%$;5UwCBAc8jk&T9WZ#fW<4Xakspu1Vja znW6+&NkJ^)P!6LX0>hG`!*GlP-&g98;K0CnJa|t}{o}b0urX8pxtf=|QXOpDoqxcm zpnqlv6S?=8e3xch_^su11($yIjuSFas2W<8s2In=eh{C0bB zJ)uaQt02D|BsO2%Jk%z8x#tzN7CN8wSlrxhy)KZ0&+C|*5>RnN0=o48&b*uuN5J#A zqHDrr#a=Z5%2~fqtsEvI3H}7bQUDI0HQ`kDw(DOcy!Vo4;SlzRBe*8$vnrLsz$Hl3 zQl$H8Sxt=1*QL&aRxYs` zurPp2ofaHvqg|~Wu9%%+WpL78U`K(vmY_N71J##{T`4>+8oAHHXEHP&X0w~5UZ}^W zeA5a3$x$f1i^lvD-OnGbUdjEVpqCY*+<<3HgVIRH{a1^Uetu5w_v?hF*PgYc4nE$H z)}$P}l44TK0EmU#HFpG(zi7(vX)ek*GJHw;fA%bTH=)s8zn|M8^M%&S)yj3yoN_Ad zx9mqSH>T*OZG?=?YssmU*@$D&Di8@60GRi;5`Kbj@h|5BpnH>w5j9#`2e~An-VdgV zSgM?Qm&5i2KLK=8&;W>ML-D&AA{ZVHbP;6R{w6+RNZYZqu8Ec5@XtuW-lj2_O|cPm z<#(3JE=fqP-<~xF@SrCNI|>7TyML%t^(1+Q1%>p>pia+@N-#Sr!#&I^I*k`N1%qx~ zqdF|VQ)w2dr_)&4I1W(jym6%{;PnYOq=?6$h;WeTh@$nf&$3F9rP=h0Q-4s46kkrL z;t(erjkBi7*)|bySW;>}?f)BuE-O(>QEh!cA4>lttxztF9@WSPl7(U#X}kT4FOduD zPiQ(qRQv#Ix+#Ne=&PK;*w%+R2PmK48>BpQ`>}7$uP?rz*K}@Z5p;t3XDBW7z&65S ze0u}+>M!s;x&sV^)(>$m2g8*4ql+@aA3$oN7=g|{bKZ^&EZ`44a>vN04*vSS&cB*K zC{wK#EJV8L&u`rMH&;Q#DbSrSBi+ssgrwI72^5(kE)>EdfXg$(rZThqbweRNS-m)c|UTb*uE4^QiIe zL{gXqiD{>6EdI`bOsH#_%r6yd?GG-LU2(24>PvBzi?ke#r7y@9OdpeZ3PnbNM9%D?Nws+@lB``XQW(P`Aio%03>qrCKUe0El{}nr z09{y32u!Tw#3-`7mgvrnb$S?hPEzMx8ehy2$IPP%`J;9$@LCP=+LT*dljKm&zFs4< 
zZmUil)KmlOTOuBKGkNTWTi-VZfENB9eSi+;}5>RB;-f z7ESDX_`x%tV0r{83e^u~u>Cz$fX$lSZi^vnM=KOMpYUXH!KJ)hmD!lY&#R(vNPmrb zWk2cgm&Rlqqa;VAAUyoXRc8F?!oAt@{Md)ta#q&gJtl0?vY|&l?L zOVIUp39x_S{7BYoM-8*C`S3um+}NSZ_PXI{Ixy3W{+>1W#y%$<6-Jd@XQ#x{4|dyH z!#@mgE#-Jr;79ph!_>6H02|KK94DUN%V7JLAdH_TJhch)vua%s5(UD{3m3-1dB_j# z%9=&HX4!JWdg?r{!}Mcn ze@slPxXZ=&TH2Iv--R)}`wbJm;IlynsD40F;iUlFw1QNXKweOK#QS-wcMlqE-?x_p zC@|{2x8|eP`}!(EWizJkejc|d2)h|1{bwxf}Ml=KDG+#sKFOzRX^*Zm*P~>0ARGo z)!mstE0CeRSWX_S#rN5Tm}%P})yXL@UTEFJ&xc2P7to9y?ms}1A>QZjKl-Lor)&!! zYCUiN{Hn;vG-N?qOm4Io!k1ukJ)a+1Q9F>os8MMWn>y>ohaQh^nYJp9cHvgdXBqFr z0h(5=?V>95Rq)RHluS?T@n0HBNdNnkyT0A9zmJzmxcltg5F;z8mY&nb-A1yIL%Njk zQR+BBrSElFf9;%p^VeQ}?`*PtS41S39Qg80a221Jy`s1-VGsJVEl1jwK=VenU0A|kzT4h!PigY@(3-Q?#4e&|X-+1#}35~mer!oC=gZwn9coRBYk zUiEB7S>4QL)&+reg>9`(@!s_?vi<3ogxGtcv%?Te!pw{Ujp411GiCX2J~Aal)}fy^*GYJ`6b+W36{aJdYNLnrl+&HRT+>t>GUWUW3qs!Inth*R#VkF; z?U%qTjI5!bAIDs!5i5sj92Z9Nw6gKX^uJUL>96~q-|jt=OF7eDq2@aE}(Dud%; zgfszk9!!Og!a9~J=P(*#wv1u0FWT6!RR?gI@Z(q4Uqv;KyO7SNh~^vn1z^vqg`1XqlFGY%)AyABYQw@*M%SY?|MNv8aIeLC| z0`)x~3`Mi<*Tt?2uK#isNfbVL-@m%A@^5t^?nf-QUsNdn%)URZ{~4(6 zD>4Y7p<~554%{T3PLh+1(ZZh(D<{T~&nUAD^(gakRMu6$s(Yzm#WM9x#qT$RVcM(r zbL2^5;E(8HV5H!Xr_&fM&@c%)3Ef++t{t zYr$>2bU3E1m}0BVbY_w7DbKxxS1iP(gnJQ-of*;P20CG}98wnv^ftv<9hCKRP9jks z5{HRY=M5}ez*_(}({gFLWC%y=ii#(+OG*h4r&vLbMn9*BNRz6aEZ+Yb@12dg@(~T| z1>B?Am{a6_QHp*Z1qKt@yp%{qT7&jiHGJ-hb{FZE)sH1^>P0+^-Jc`;xNCobNfw*- zV@iYtpDOK4eAD{nD~_S&;LcK{x%9MiYpwm-WGm6{F4ys2mdTb;IwoPZ$ZgkoNHi(& zc(bYNQ()OR`CC6SXCeEiP1cvmyT|U0ffCWUU#l0@AvSZ+az?mSl&ix*esELhpvbGYA*`jHIay~~ zP{0GyQDI~XIuBV!al@<A*4yfXHNB>HhlD`R zhx8{t1k`}Zf9qj6d^+Dx-l!)aAX9%u|M z?l4|mg&F{(WJNLcvPc9ehL+R^Gn%rnzgG-aE|dszl?=Ueh%N&MmFm~(*^w=x0=+a& z_-JZs346`#+9&8EQaRJs@(t;iMsMzxEke(-V;9KXcy^sIz zN*|UbScRsN*@Li9*Y`Y)rB+z3$O`x|y|=sYWdV8|&sg&I7qEAcpX&f3JCyIey1r|w zr7*6v!9ivU9!{lKqu_t#F!w!imsI zj|!q0OiPof-L{J%(Yv#|Tl>a>6KQp`Wmyuk?F-X%uSq?R2hWw!{=Q5Zo__0WpOd?& z^2ikAo@req2|rI_2&}dtTEZjX4?s^~SS*k=z)%lvkDeS%1&buL2Qz_$V8H;3%vPIA 
zqKTRhhb<;GK#31teHZG?SNK&EiCTK42?HtQVVG4fb!g9<8dcm;Dbz_vGHD5P?EjdO z^cVRZY!;&zEseT0x{!~>gq^8gU_G1WCBGv1aqco0egzL^R8*Wy#dO%T zh~98wkJj3@^>Cqg0krm}N6gW8+efr<9HvWfXR2T3GfRIR*`pL#_&t)OMXm&5_TuKShZ^P=kgRP#IQ$;U>zuAMOlq+dFb|bXt?mc480Wg+ zFDk_?e=6IaDMaoigw>L_$GJiuPKb&mCo?=+pvcAC&jUmVg&Uaw&r5Vn=p{O6I08D277&yquq%Sd9# zM!S$m7APh+-u(KUPcNCqaj@wbYmsSlKAyykmGirhdXn(EK+!b!45OSSt8XgQYig_- zkJ<(%uNJ!;-us9=t`*!)*1$Oc!@)Xu(2+s&)!qW`YjiN&yb(tytha;Riiw_rSrLXt zlYzp}=rx^|oLmi!zb~9WqqS5*36LwBTfo8 z1}2&SezqnCh_K1PE^+|eVK`OnAm1@Y_}9_OcWkqxXsEzsVL)HAw2B;J9n02o%nm(5 zXx|uUjh#YO41T5lb__PgVD1{fj(f4<(64w`3E^}=tSayEe8m!nzhT~Ok3savM{6vX zFKCSrHa_L!Z=;<7k*To7vKKH5uyZM(A0TQYN)Rq|?L+aByrM!W9N4A~;b#r%u2Y1G zNuQ^g5$d6IYn@D=${mxmF6~=QDFMiU#Nn<0#L4|os{$3SxkR%*Y?d)~v1Vv9j>`;M z!x{Img!F^WCqRQ=QRB8$b}?>0JdB#(XcqrbA&gaTP&ZH2G-6qX{PEviekA+%2q=RJ z>Z^veMS#Z+_IC^IPgi%pG1s_#Hy4tB+P7>zHMOtQ7pI>HalOpVwOX{?cV~}za+=S4 z2&cqOtsl2@pYn0!XWlSdD9A^&#u^X+@Tu4y!Q|NDOdTwirpkB93_0QT5Jo^>o#5^t!*AWUbGH4o!m~ zJiRrwx=2wd7i1P)NC;Rva-5ZtYY^k9+%*+2FwJ1t)Wpgm2ipbTai5z)G~Z1U`-c)% zD!zet7k>8VmwbYIA01qZ*7o_qWy~Bc=c*XkVX7a2A2`)=?NtFSeV>7pS%x!JtKquh7^=OEM98;IUs?NM+U*KU+vjZfS4el7tv=!{12A~x^?yck|Y%6xRklmkf;Pq%_)*H}aTgKEP+Vj#UK z@eV<17;IYbJ9e5njq5TJ+*o9u2jiGngoe;A4omNah1Ro1Hm(@dK&MtP8<3_+PsI1d zwWRbpV>@L|HH#F9Gg9x>LOspY@obe>7lkU}cOz!-zd%c*uYbCL}T9m>LWaOb3Z}yd=^9z~#a7n?w^(+;W13wvxkNq)hsV zi~Da-kW#*+NSn}Mh&Ixt&tunBIHsM?)i3hjo{ZT-&sVX{=Y7OwQ7(hSTD125HgBCL z<_$KoK4W02!Ufwt-KX9lTX8AXww)bckpw z{sXs5TA}Q_%%PvY)_8~Lk(2z2_$05H6REfl-;|L|Dd68zXg_6r8;9Rf($G!NN_Aq# zH><*W_Mr+1s5h zmLr)w)>_RXz4hI5HOVeIDD#4aV7#aXS-E*T;~X=~yVKoPw&x14xy#Xa>U~zhzCZ{zkO7{6wBi~M@x9F_G^a0_0!sUdH!oSL>8t8CygOKUsu zF}lb}3{^Hb^>xJ=hHc{g>482$6$Ja8N)lof;AsHtopm)R=eN8?re*&{+nb);M@&~+ zUn)og=+W?SSjJefgN11dRyrWd7`!<64q{(@P!ZKcYU0<#2z8c{)E!{JrI3IYFBlPp zu*^mtH$W@PVe3AxmZe{#n1SPT$RRw3I?0BfhPXq(&$9urk71@_b2O@Q)dXrh%3F*j zsy;Yh%LeG^x@unod2yw*NccCT-Z`dp5FODm23&wW#nSkg)`Fh4sZ`SP6Jdk;BK5oi z?)iVfeQs1=r39t66-UNUzPpaN$wU0BdrvhSK{R$;jLLxHT@x?kx?g!+Te 
zhal@o!U)+^**p{HS3WKY%EFiCg)TD>dh%(``IlEX|#aF>D^%cN>=^f z<*#a*C(3@VOS$J-3m1z164mkw1;_7 zs}E3HwB!gi^}9#pS=?wxjer7b0P;KL@7uaL5Zd?5BR3|p`3J~?s$CjWI9Yu^bY+>u zq6(?MR014GT*vkl4#oHQ;7kj~oa6XRO=om*?tK;nnzNpM$^3Qcu+Q&kY^tOZ9Af1} z%pH)GA-Wh(=CfWpl(Nf;Cm4|sKC*wxX-|n1Ug*xS$2L!}H_udu%bF+wSN;NZxhaWzUpq5*0V$gOb^ZNhMB`xwu@swWYoyk&NV;Q$-IeZ)m!YxDD zzIw~?;0%oJ)TAErZFVa^LJj`8+!kV%+YFzDRi>1g+^nZznw=K^;H&i4vW(~Dbmw;X zVk8&{LenO|Mi+PWGVAu;pcoQ#tDD=#^y3PHW#IlDgF%2t1grBa7{_f`@qJ!lZJq?G zS45FBe^{rzZ5_-6#P#%Tz*Bk+3;`*UBrcq3upJ(}DQuOBTaOf(CW1gFmDJ{<6{_%m zv+dthWiL!@{tuaxW#ak?LtC8!I7j3^(6RCZaWkg1Luj4Uk7#Y((`gpb-I!JW<4#r~ zFG|X%*;;c$mGGku#=`o3uGx8VyL&5DC4EUKd0`N<$B_RRbPE~jL8*=VvHPNG z%a6k-m2@s8W+b>a`oHM}KTvijUc+n4VHqnSqEq`_uIP)@39%i?{qr0%$Zu@Cs8j1U zQa;MZ4%!~&bOW zdF}b+Jf&Z#5Rm#FAO|=DlUdeiJAl6us4StO7>V)4pkf@HO^*}h*ckP|P>5rIMSa5j zTSx-df1?;|OTi^Lj&jc>eAp~Zw<~?1ByAN5uuH;i5{Oc!MGdCMF$KQxLs4`E5KlB2 zQFiN2h~xOL3iLX2b~F7@J^Cqe?^i&zIC1}C%#>7^a&T_bEBl({si9>d9gdQk4n5@; zA-I8W2C4Uq{ClV!Zk!d3AwAa8iSO5M0_AtpcK4m)M`qH37^puD_UhF9UCV)dmu$&T zEI0VfIv%O9N3CA^S=i}tdb*C{v5bL~Oa|q)yjMhz>CYKrngJDd`1`4> zZEklyomtHM>E=`VN!8fq_3{7CE~p{rg!Wy+GR7fo*YPIa4E@pz9Y}17Ydu<++dmlNP<8Q=tQDXq0D7u!{=Tp|4kCY0uAeeI0F_;>9OoDDF zQ0AH@nmVeiIIE@0N#Iwc(1z71|EITJ<<&v}k8Sb$LP2eQa63mY1-2}(x@+*r9oiaQ z_gWf&h37eqsH#GnF9~IYA5udrp(m!;U3lgAtzSV9WH4TWx!gXZCk)}53!l!hJ@pZHlO|Nj>`TMXSU8sT;M%Hhet9W`myxVgZ7dXrS z|BRJjY@~80u{-p~L9di8g~1fWfEEJ9_c)+v1?GIABv?F!{&y10e@r>qrDKIY59$i) z7A|W{VUFRlYUmC<7SbRV0 z-$y0RWm+~#{|uCw>%V<|>F*=9Z?b+eV0Hi3u-($`LtN>V?6ul8bKlA!@F0HNO$tIc zyhjQy^2T%qlfVF)!r&)v;MSCn0bj`4dgGYj%8^~%n*;3xwAr-zz;(5F9b{ot41la! 
z7{{1s7DQpB5KjnOF=CvgJuZgpw@nIGRGIit*2ijA#%Ct-%^30nCYB*{xm>U2S;W9S z`{)SRnl7@{HldW(APM#=|3Z+YP7{<qb&Ap)9^C3PtAP)Q)n^*ENYMCD6Di5 ztBvR1kMPC?W?;pPp5m^N!_OfvjmpkB@Whr!`xB z<0Pc7C&c8OFDE`b_dMh>5!@g9@!t5YkDA!)vwlJSQK-kh zK+7!1z89ELdy?A*gt5Vg#z528F+ny|s^otp>TH|#adZ$>4Hl&c3~ev88B{iezDsb=J6HTj^pfO)4>r7r^LUCWAiy39__dL3Vzvj{JbR|VLpfc4@IsQ*k z7);l|3ZsrOj{-C~_ZCB6&Xl(xwKRr_Aw>eB_M-DHt0WcircqpwksLaPrh z1k8^gYRtme)4^*TWXd|Np2&JDGQ(Li|E9wQ!eN}VnRTLwf9I^!jQWKnw+Rqt^sg>Y z7zt4@`z`w?LZvctmXT;keoxx7`{9Q+j}z&Irp)#M8of4qZx>2zn$lXIti(Xi7Zg|9 z);NaWH$F)8g!ev-q-Ei@xlE|mi=eOX74Hv?94ud7yu&^e{zzoYdM0Mi_1UD_nppDn zBJsHO!(>lSIXh_RD7_MUt4Q-4-`epf3$d`hulIWya6cMd(8IBEARlf$5+fV%y$e<* z61}>PCdU+pxOpFQhxUv5ZPE6f`kgtuDnnyi+iX#uw$ob?kyY2D-1Ew;Tg&wnS3Qa}a)#~v*?CZzxq!0%2jm;SWvf7NxGO<{D7gNKBhM6DZQ(w-KTMm^zHqL%dX>*uZ*e)Sz zg`x_SSVPt-SgTDA+)lU z^Wn0eNm4)QKc!CMHx_Y;{s=z0E1+BWrLRz=*^?kSO|8-+MxDbtw;6F6Jl|>+&dO0$ z-o)Y77fhyq5Ys95B2`h>J;wT|GCy_rm#L4R@AodZ`{}U6&f*}HU()Cawf=)p>p$}x z9xdSaG>@9a<$Lzp>Ps^8x$k|nkl#}_tLM;N|9I2po$vuYem1A?vu-89+G{8|ar;X} z3_4S;J*OQl1$jFOV-KQ;hlBUR`{%K~c=Df$vdw^15P~U}Fy~u?rWxrJjjjhYYD+ulKqF~^y(f!9pK9R)NDZ@H~I_Ze^Y z6x#X``uf|`z~v(e0H&Ni#ot1tVg#Rav|(?LW(bZqe}69m?kWL zPI6>T?J*}3FyT`P-v^!-)}9ZLh6BVzwDWthT`dtjn@g>YgE``i1iFZEH+Q5(>>78H zs)+#KE9U4yusoH zl7*ZCyI!x}7B*K+Tg9yqg+F`c`4q;d|NODxwb3ogwBDACb*b4LGwIxkp>><4ZE9sW z`(=KEFV#y*wuiO->W5=5{9}K+pY;u^!%>PIIcfk~W&=FyT8N_2G*{nXg6P2Hawyn2 z{UI2pd=1|T#;_IsuOV8PKd%JLl_G6eJf?OHS{N^0Z`Eh-9W7ro7$IS(FQ-B@y`PnV z2svC-dl%zNMRE;g%8VpZNtU*6uc}$c_pDoQ)y7s zx|!jA!-D8FnWZ7$b%r2gzmUGt__ZhGXY%8eZq`%Fr}`yQu;HiI1$)nb4ToJm(45xU zxg*z6MPV?el@BN4xP$z-V}MSyZ-({18{a0;<4gaNJ)u2*Zf3)O?n8)O3eQZKvf#B8 zT2D>nN_SXeL!<*}!c>g>$m=nVY91KuuToA+y5lkGDmL z&~gPoPphOxQQ@;d(Yrubplkf{C#9WBIJ#Q=!|xU6!UbTd(Uf17ZE^Qmsf@(fdL8(g(a^N-G{P>=>9V zB^?FOG6~>``Thz!owXm^^wwB|38nD8Hq6WG%?WTMDenuhgR?kVF(_c0T2?6}0)(Id z##SIu#Ztva&Lijmhr#U_YkrneRbe;kDleu(3JCZCKEtIp8Pj?7K%L7~%3d|v9r?H5 zY(8^&RZ&r@k=tIXcXXsNvvNc5_4|U^hsZ8-S24h53C3O$j&UG0jyMaCR_SYLcmeLQ 
z8oorXNa$$XVlZEg1c+v_kAm@#7T-4MM1`j;yvBExP{;9(|ILsbey74XVudMZu7C$ zZIjt4qh*>`Wwpy?LS&LHS<`Iw=<(}$sCj*nP(h>RCNbvaOs{tC*Ol7wWXGu!`+Vvo z(F{SFqrw?j_JtvJ5o}pF9RC9`!&2OJmucZcj^z?EpR2#UU!RAdVaZWZ(kPY>=yN%dY>k!#CA8NJDdS9q#e;X6J9H~A(O-gwBjh#}tO~ED$ zi!Ga z4A9pA{WoPF(ES@wt1~}!F?-o*uuiz z?{SIuw*B=v{Y^G2l67!2p?T%lZf^NJ%FX8GVXl4b^ZU%5)jg40D?6{HC7$-@V|&4= zA}XhMt_m`OMQR^?Y{!yy%u{#W+8h7t^I-Q)G62U>*aLeiRP5Ox zwN0%i|3GZL!mZWX8G3Q0j>k@7y6Dpe<|tGzZTTxy(`Tn$=>7BUS*U2s`OJi4CZc(Q zn9zx1v~||`PYbT>yB^xKH%1TtNyF9OV~cj!%Y%RJx@_gf<+ zgT{&;qoe&H!4t>pT2knafFHgb6SP+w)hDq*)ZqHZNAh`$?LhXddG)%2L#ge4)E*=L zgIOP%e<}&fZ|6;-cV$E$RGqugc|X&mW{W&7jN9?7xJ>P)m_*TQ zM)}+<6!Bk8NT$<5_2ddT@sqMzCvc%tvKxTPLLkd!UK#9Mznj|gecq9ebiXP~c#nVF z$`|^M$})~ReM}&>p>qz@)%l% z&%a)vEnAa43^SOkfXG3Dxllzt9&9$-5LgX^lY*2djcim#?{r$M#s`omOoDT0@m*78$WX%qdxB8{%=lD_@f#6aeb$} zPn@%@m4vUS)jqciIje0F zsn&PiPrjDnI;*pD;i)HIX`O9<9-rEN1>|(Dd~NYP%jWjebDhx`4TbKqkYL$tGRGe5 z-pzxWMJQ3IpJZEZWNd z57M26-?}gTq3z{>+ijX-%-~@%ndi;SM7-?tV!G50qPzX%6llqsVrkrt`>vsmg1Iae z{!Ybi?d7IE!lRG8J9}XJp+woI)T0APHbLUP?qA^a!##qzj?S+<`{k-AQdE7(wtA38 zI#=I$lzV5~I2(>1mqPmd&E0fvyTBq8;_}5GELdc(u-J(cI6~Go6Dz&VR99cZ1{7H@ zKvZ=NT_}u9bSBUO1E%;tNIzDjI=zFowWBq8cG{sbTRfHSy^Norl3B&bJrtoNY9m?$ z81OLU2X7*R@?I`v99^9wh7ues?N1j_5hp)i!hyg;y43#t{%Z;o1cp3Aa+HGT;Pz9W zQ|lA&J;7wT*=@d&+D?7HBdxoCP?p=yH`+j3e4*#QN^7<^O+!(hHzmj+@)Ij%uP=Li zTpzvk42V&;=3nX3m^g9UEfAx6vdbagA2*OpO`ww#r4s=KPL#9zR_m*I>srprG2)>HtR_<3~? 
zBuJ;Fi{Km=s-Y|PS~=2}eAe1EX;+%#mRX~K3(HOycOI>1KKW8=8BKofGTe)A@bw{0 z?c>!yXNUL!ALzbc^jA4c zZo4YjeG`=`*@EsZXH^`>WSfPKkjnbD>))g1>9(^ix2>nlZ~+j}OpIdE#!BxU#?kw| zY=d&-6Sels%u}wn1ngV-lKP#gGaN5|xrb8=U1pL%C|rVBmBMO@S;cY@iGgCu>oYeNdQYEzMq zyw)D|DX^G6R77yhuuuEJ|Kai=y4nQ2S-2|9q&GY|Vxjd0gQ*fBKN1 zZbC8AIBev){u6T+)gRe&lU(*r4B=ge-ToJ?OWUnCELZPkRhobZAJ8>3m^+^0zalGB+)_-Qw{V7w=Mc0k5 z>FGNxp#%?WZljS<8;03beU*v$GqZvx)uOS2|94Fsy%dHt=&%*>9UZpgywB!j!bO$1Mn#+Dh#?)rO45U>l_e%Y)80`O{-LAsac?oT(w4n(G3DHrR<3BB$KGIZjZ0jAD+7n`-gABKBO<2YHgWx9Td7d{)fFb{lL`5wRQ{Q;|c#NhAi zwO`|rD7o1IB60I`XrNe+caCz1V*+MZ7X^tCGxvtN(g`T^z7kDcYv@X5-9q$H2YZ4% zX~KGk+(${wPyON{G~%`D&U1_*T-f(vl(ZE|s@)^UAf3x-p8vOu^W#TM=nUeN-?Qzd z=kUe93nq%UgOFJ%%-G_0%$<)64FGXA#w~$_<_3bUPALY<%u-E)9MnCT-dMOc7gftg)lt7+hmXrKEOy(WWFm+#- z({`-PY%dE4Paw&;$kq>WkEP#q6Qf#-RN7(0FOQrF#yw-u6p1#TrkZPiv8iv+6k;}d zaCoV|r9~X-$d2)-mu*(eqNO{w>1Qm2?sS8)K-?W?HrTaFcJ$}D0^VP-o(}ezjcVmc zG`fYT=4J2ZJG*>3?zf$4OWVdDoYx_?oqPp9xP69U91^v)2%DqRyVJPH zR~J?f4%<2V6U*V*4gJdwmp>&H794x=G*~D5E9mSy+5!$r{$4IPCTk{}C&Upo-vi;$ zIK@8(KC9Xo=LxZUvv|{(48K2_UL4!5w3|i#L>TA?ZJ24$qd?G_A&8KEkV2GbJy}~q zPvX>*F*=m%J7-21jFY>rEu2#SXAVwX&@^yi#neD>t~;og$(|5#$>&f#`wJ5(%?Dz> zSn^?^z{BEU(t2k;9foSc3H{XLx}}Qpg(WmPTgM7pZJTDc176?eZK?`k=p-3zTRrkv zElf+noL@hKHoH8{sR|rJK>d1*T_Q8qR`u2*!H7n)&`AOikM9B>-;v#QAmZT|>68xF z_D7^+r60HPR~=054jZj(zG#K~wrCsHA>ytC;e<7{y6Y+VEkX8al3&h5&1>`gz8U{b zZ-;c?fkRAcMo?As)0mF+n92 zH}u#$=>*t_n&`uD0@Np08IMzPv`cO2(ci1|=WXzkuy@6pjgNWvccz=Wd#2ub9oK5n zFZGaJ4|U^!BN?3pCA-a@XY4bj&m=a9l%pEVH?$97zao%+)boKJ;i<2$Gp zBi6&OkAAQAN~6HPFO9p+=T~sK=bKh3Adlm7Dt&TKVZe&{32*zs~=AFe7y9Tfd-B-7QG$}go zz*D`z4989-btoqcab;n~wZ@ySUK7j&^Zlbq`be4p8-mofG!GNMi;9H#5>?B8+JA0iuE)TUHzxnqi?; zA?|Z_rE_Y@>}zAqY{a{wn6%Gx*V(6C5Hi-?f*X>_#3Dw!($~a_YK{|4xR~|^sJA0S zy#W;&kjk!ZHdHiH^@SIq#C}$;)xp?%7zIwv6b^nJ7eke*?4rA8kyiGd7u9P1=X?Ln zY-vm@^f6I&cxF%UlfLJ)RkmbuH&HCHnGOI+q_R@Xi0Wx4vAS5f-)s`{|V3OSi>W zOJ20L73YZk?+oHnY}#jimYPFe=%JVipU1H7sv47yelAwUnoy4L)ZfBlYXZL^yf7n_ z>|u^_90I*^v#}lP!Mbq~ScUim&AA}<$KS(vVxZT{OM8-rrFw($xTywyWi};q=UtmW 
zqR2fqIa#hWu;F5qF;IBGnZ!SsoHS(%KYmpC{~~c5|G#g6Hy57;^Z#D;hTA|x{|}{t z7N^ES6p(HV!35I7)x*6^lD1IxPZq*c!#;PM2Zz>~gPsY;f*}3h!yan`Z1&d7UH9?- zfe>g^Y&D$6XuKj3iWS4 zeUX%%*U2bYvc?4K1e{GHj$MTAguqR^M|eLC-Fy@RBj*1B7lX;EZ*S92!%}8r zbh*yZS(<~}zfFrtkJct$g)C@Pz0+-r1aAhFwdPnYie7df7YS9ct?I=K{_M_Qvk^o7 zf4u-k-o(%^>ePqG4;s$8P~|;jyZjN!8f2%iIS6#dz?t>?9+|bgd#!H~rhVz>Y^@=$ zDauWAQ52yjq(RE}rc(c{tavd{G8+wy<_{%w7?d%++WLG7G#=oM^D4%kQYNg+fFD$P zK9T97FS9M|P1?OBV-Qu#hV80XY3y-#i@Qe8Bg98sUTamYvu7N7TwR4f9l7-(AdkLG zwS9ayef-4-o2xBx{g-pasP(Ke-$u~xw7N1gD`dgvc4e3w$r)PoVbxjuJhKp|{oK)` zCG!@z24G$UXuDIyUHE`7sxEv8vUyLhOV&#VgcSb+*({;Z5*oS&iqd=k67T5M|@m?Y-16Inky<0a(1 zkE#PvFuE^1vO?aLXsPqiW8R6Tv#p)c+;LJ8I`3&H->f0Ka-P%ovX#3rV!>c}1Cxe5 zyw@w>Xnef^bjVUUvA)m=R6vBnXobLDCX-J{4aB$eANGJIB46;vR+=lnINgY;w6#%e z#2?w-Zqtf3GI?Zp?52JQw?~F6S#P>X2%_+9x(JDjVr66qfrq89BJrmNVT(TejUMWg zNkSe=HhR;cuV&gBPD^4NxZ4&gL#ghffYtvcvLEPh?e!$z7fx>Qw9QmBfT=Z%FY+#d zGglX&N7=)va^uXDbQ(zjIZu4|Qw4 zkMLf!EKU1)`Z_-nyLKgsIsbzl?vr%w7HpuA?9P+l>#d*HZX{gv52#9gH1i{V4BRmN z1{2jh)y86170O*cKcloZI@7qjnp7+FFt2MB7+J_8`W-unt}NO9G#K+_-odK97Yb|Y z@mTatDph(D{tw`3iVa0GO|j+gmEbl}oi=du27;Q~I2bYqUt%PojlhMkCaUql98eZI ziccu%cT4X`41S2}L}oKBe$dj`6eMjq}?_ZHj&4ak|!B;i=>Fl%hwro3)h=8|e>shY+n)F*7H2lL)PNuDX z^i}pT&3p$G-%ye&lks%^e5^pLc#OK-<(+nrN65Vrxgq#~MPIqyCXT9J=WV2Q?jz%m z7oyjN=g9YsO=4tF?&bUP&Q^?i=>pCZ!&SI=pX0g4c!x%NKrJHWZ1Mdrxxy_{YOk4n z>C2b2!t%7F8a$WL_;2VZVM%;~pbljN#t)YdEci!|6l}U@@;r9`v8zg!Ea0)=gQ$X& zIRE2iX|YdA*qs5uF8}+h?FxX;HG;;I{@*SMf=jf7#i;+7VTzClu!>3;109x>|M%7Y zpBDzPW)T<0=BIz(pbMLjXi;}K|3?I?L8uh~sjT2;`2r z9OSKtMf86kF%e1{1}<6YYGnTJ^B~|xP{2KtbR_+6QQ&`Q3BjeVe3bD2J|dE}0tW8R z|JOIn=t03JQUU{uz{B-#FB4p_v?GBCpe_FxyD@R?)JvM?{Ys{hqm!tL2U@SZAuLz4 zUKq>&NcLhcL2QukgO=yK--ZZaz84DL9;ikk%_R@S=)#oea zr6&l)^mEZ*1l1bq#%8S6>Q<(g9x56JNbLd_5FdT!KY$^>)(2>fnf1~S!;j)6w_anJ za5JjR3n=W9s)V@;&SQh5%WQAWDwxa>S0T+;Gk)j!%XG(*x-Lx3eqC3~!0rGqzZ$`E zJH=kY)3cYxfS<_9@tJRs0Mze`RD=6(ERr%s@u91}nYg+i(3fA(E4mOm4j9Ul`%kH?QXI-ImvI0K8gB>qL~KqKIV)a(-3(2u8oeizp7$iaXn 
zi8o7XZd2RNwG%Ta(1wT)#Wn;i`0#z2R~Ro_2tC&Mxoc@AWvH%XOUCoY?J`Hsw1+PM zpIHFI+t|_*>l^(!XmL?x?Amgu5y)Fwp|FRoQ&EAi0aO3Y;;j7)23X)1L9!6&!DEG2mM@Yx^grmBaoF>gm(EpEH=z~jvI%sCw&FiJMSN6Eu6jb11!$hSwMXA*qAk*-y~uVaEnh5 zeRP3s3?;|3m%^Yi=h%-NDs>J_>MModSphsalr4{aE}jAo^aYr-Z7BNU^P2OC0bxw= zie~zPUr~~c6%1^(Kc==x)Ls#59S_tG^==J|&AN3FY!2L6$2M5jv4Iw-k}Xn&G4`kM zZ^{VE_-}fz{l<; zEF*i}+PH(=sc@ZpLl@dPe0!cVFr~6zlJh}IZIfJ)!Zi-d6gIk;UTX`gGn)xyE?w1hsye5J?tll`d- z8prtDfp3#-W0?Wll%a;Hu#bxC64GeoGVfvNRfVXFSyFr7VnV^ee(tP!r{SRIaz4Bl z8ny15xeHHT!*)XJ5rTK{mI`loQ%P~SjIL+p-yYcgHoIrMyx6V3i-{spMhrs)K1wcW zk6B@S#2g&(LtxZ8OZ8I!ctbr$S?PCyMuXclI_vO z+QF*OTR&%;a$BSI$k*6D$LqyCLo<;+O?lC$AY5CjD_XMu2oVg)GVRivrK(h)V%IFl z%7EiL&^uMgdu|q|Q**c^i+1#x6HY(|LaW5ySa|evkZ4U}UVNHUPga%u9sx_!k)TpY zq*x0-3{@!LHsYwA^Pag=i+MSRiae9rsn%za{5Uq9?Q#l#n2=t-O&%IGyGb7SD&gRb zXShN}c92MIs2eR&R8-}wgfCVniW0qqquleydTGL6UTTqbB=!l%_^#2a4*X-_I_bN2 zi`-EyK7Es!%h(#EgOB`pY+v#B#_}$zP3^dCo*c!Fg0+XIz zJ8rjeG7g89&aA8fchKwf?9OkWw=Hna8(jz_AlW1FNxik3y1 zv<2wfjRgm{XVVz8K5?!Y1qD-bXglabIGrh5Dm=Ie20G1(qqFdYPV{L}_{r8IkisRG zDsN1RyDk*NyAYz)O`)<%eDbhOI*Nqgfv4SU@w0$aeN|*0xW4#a!1?vn?B^uZe419P z&p86Cb{n@v(S!;ecr4lr`_J*KviG?7%oo_mdXq8Fd9~@bh~GuliWioOi#@2FvW^uF z!s14Utz}P4#j{n6VF=sht|6AUT-BuIyf@GeVdUrZUdr%gi)Tghi?4>HOcrT{L>32A zSam?{T_H4U-9_eo>Ll+JjtB0wD*7J}zvQz^oN@1C9MnEHY{jHDWaFY7JiII<>vnDz|2vNi9sp5`K3> zjbx#KaqBVD3j0~vp7jZd)$pG1ZG4VcEI=_iRb-;mrQt}pi;i@HxO?%JdoZk~j(LHv z9NP?wPyaT10NUo3!>oeBc(?`kdB!((s>>?sYu^pN9_g>?+G+L@-=#h&;9D(EKwPc) zk%z~(^pY6uctQtDqSUf!o3Zqp28p}%;4 zvv@RXEg1DDVW>`R$V53Qm@Mz;PVci)@Rk3pg5J|!T@L1 z=v=%r`@W=TkH+Z57o<28ygk{Ag|OW~1Ssm9-24V`2tXMOc`21CNab#yL6t zW$85gW4@c2cJ`#-)_&PzciTr2J}4@^EM&OpvDbXfi9mFrRRJ@T~;F?6Tm&SEGkZ{W{>FR1QLujZPT4#8k_>h$& zD(qI;Rhx(pa-p$8cYb>XO#1e(mE)ORCR7GxOLhpJDCY!rHPW`*^{3LK+f~!}JZi&r{vCQ!SdfbC8ie@3UZHA}p=ixjUn1gh)Begv042Z+T~wz@rueu z5Max3nwjkxR8LDU#MzmyE!ug;&DE!wpN=iBKXO1+6cAczHQO}1=?3ZWja9CclHBie zGAdK-=8-RFrxS?f0vu4f3|`X8b`mSt#`%f4YPHyT2ekUPJ~PXeY?&+Oum^weN0FbO z2rEoc!b>4bY)s}}E^=XK7*?E4%qCkamr&vr2!Vr}5uW?;^aC`+xROhe-WahQNO>q8 
zy-!QN6q``lS-#@gOv*&VgGJ6O5$$Twa7|Iai870N-uLnEMz)2w_wV=mF>=zlqf*#L zPdJYfiQBXjns@4Tp-cK#W}H6U_MEbcT=P(oe|((RZa{XfxF;n(Ae#m^V*ajIAsqs_ zgQ1f9&f^m(ui_`Fz{)skL=D5;#324z?$_H*6O(2gxC5t#tzB1?nJx@iQ#NsI3*?`T zk9DUAiccSHxn%D=At6a{sBbr9nj}lIMfOLsYY7P`4o(P*v(OEVrII??s{T8JGi0$Z zsic4Xu+y(0Zk?+o6^KDT7o+IV+eJwdXzvlJM?E&c-Gi!tMLq3k2&imk$-}IraGG0G z%0l$4lCDH5K~qvAn=igF?RlB7=`e0I%X&0JG&Z>aR5At6)k5c#Yuh>XB4x_ks0>{i z_6sro&YIGC`K4Md!;^xC$DBbvDO8bcX+qrBd|vBWpvFcFeN1?if(}bTv(m2a50+-R zLv!*tmNnmEdW9h9ln9<*0T;50XSKKbTh{^q$Q~7BlQlx(89YxIv1{RJ#3b=``YZu~+Js ze+#9dePavJFg7zKGQaP!sn zbL4@ZTDu@s;3Bc31``V`5~5@gO+(~)KFHcp2d9X(v_rhqTB0RdPQsN}ogtl5q^3PaK%HVxl>A|QL1QVy3wtAUBTs-WbVU0GtPDE z*`C8Zn3FO35br+?W2#Vwii1^%avYWJ`0xqlwHhb%?GE=3!*z%d0{Ls14H-s~+U_L`XO1yt4do0jVupuWEey zybY^9Hm)|qXz4<}d41*ltb1xE?ByS*UCYRXY8z%N2ld8JHA?2y5Y|tk?(XQ7?AU!Z zlD2rCT_{22$$FMR{XBOGRhpa(+>+oEIZ8xXdr6WelD*x~qQhuGZ+tb}3LI`EO%hsx zX%4xQ-ONX~oJiu1iAW8`80sWKHuc)XtFpxn__Q;j;Q_-vgET9OX3G)%ENn@f^982h zxy5t1Oh>e=f*yEQg|{k?JVqPtzZ%xhOWD3sw@)(3kNJ6flygs9%w1oFiYhNKw zdhNQ7^n$!-uN6v}+FjSYJLw;q3HV94#G$6DnvuvVIUb7{U3|T)U&BLtuqxI6t%?HA z$|EkCme9;h#FQY~@d@|tFqRjon5IX`T z9EYf?B2V~_dtXOG>yI(^iBM+@kDI|2C6$Is6vf&%PiLfW;)}xxlk)Eo(9p&EIekX@ zKBiCOX&x3~>34T*LhtP9E22e0JSfd@qN)wuWV0^@E?L5laW&Ts*D?^xj$z%y!`ZBx+5&=Bu1XF z;mGmtUhp{UNb6Rks(js1HBwJCj9&;QBjh-C6JH5Pq!9tgA@Q5rh?pB=v|iz=5G1^1 zWu>cnP*>5I2$j_&7-f+`hZs7&BdV;()XyqrVI1&ys2`W|(9MccnAaCHBELl9+hnaBmj~PEF*cvez!C+T5TGQnVVjU^*+_x6>zaQ}$aq2~4;KbnYbVWZa zJ>l_~h-y03y-1_rwhy!&V<&Ju31)D_Qy$XWr4l7z z8YH2TvePyQa@f*kqF`|?iVRJERazlf!SGOXyx)-eBvFr_PD$xxSPbN2>u4y%rc_z{ z{F1#|zk<{nb9l8 zq_2g%?4J8P!%pXOFq(uHlT~P8mwIo2Mha}H+%@@TJK~u61{s)|+NvHuNvLe$@tSAi zKYge9WP=oG*HL!rp>|>S6tW6s?fTgS>{GbtTt!nY%s0!%s`?+jdvDOG?7LhNcn;6Q zf*=4m!U5n=GOdXI+)d}An=y;X#3uMu!+<%$B{z&`(ma_a{avC=^Rk?}bkp92P~@WB zQ`{d<-X$74FyzgC!c0`>o*Z zE%q_Rh)kM(;4^-x&lii3B3nze`=U#x3GoYOF^#K)P6nAiWlZ1ryNgKh*yfZr3uh?T z^MBgzlj@sal|6a0>X5D%*)%XS;MrhTV!J->>Nn)q~C>ld+6mJInYZ?TxqS4Mu#iPmdOxm z+G0Z!fT+FDxNu|!!!~ghm~PMiDJbkkcj&kJer3yZ)2uAb-8{0N{EAQiK@4Rc=q^wD 
z>Mv834@INo>~z#g`h;4ef>K0-__K!0=fz}+&{E*qzNZ^xW{(8dHAN5e|hsxRd|E^+5)TB zpz95jzPgdfRL70MpEu5zTylgX+3vI#x&a9@RdE}zNT5;H?$`fBwi-g}*WIzMY>VrV z|MA9+3Np7+T+C}WJ_@yntEm|7FdO+q8u!oCF?p`WVakg4Q5_rTDwT%`l5kq)qdP$; z`k?-w3(W3^_3y_pf14ZbfMb9Z1}^RN3v-V9vO+h}i~n}BH;*FyGDCq?2$XBC#{Ka4VZw(*oxi;suoiYm zp$y#>Pa&(?u}IvKoDz$Aix-X4n`VcT!ov*@+x8{RG93GAy6V){KsFQAR>SSl6zVf; zE5`Bpg}Uj8Tdd`$*|zkIKBll_k>}~=?uCTk@|$?y?BuF+a*3b4YDygiPgCCoO%S^e z*N{hBwjgC!*#@~bEbSIi&)XC4rIiT62oL*TestT}c8OHv{~L#TaYK?|P?~8Gx(W9~ zzx3wEWqG5!hAM56~Tv(3NWJJejMKuY|8C_!m2I1=0PQ0g=q7HC}t??CK4R7K{0zE(`gy;9i!tP zv$JQPewi6u^WBWl>cv8NCpJ)vE-5$`!)VO=zHG3Jl&dSQlCK#j(c^+9!gd=cvcXI|QpCA(PuFO9{p!H{? zf-z{-Tm(y$3W_HokYbCf56}7o8{OJ{VJkTCcGyMgE7`;DPPLLg@RTq=El6>|M#mX!bgbs;%n-j_*kWp!d%yKv zoOiDGS1j~((XBT#kQ%v*@kz~ek3AxY&^ggZ^AV)Mq$8}Pb$2W5W%9opBW6E;5Y_!Y zy23-cK_!I&r%fWwW6Y$jDRi{Zv3v-~YPJ0Nmdf2~MTV+&Ob5+~eT{BzGdfy0Cz1nC zPfwtPH0%1z3Rj=}-`o`sau)>F$cgqg)p{#W)i}!bo~FVp*V}K$d%S9=+T3c-iynKc z&q3p z!<)wua@e`9x-me-yvB|1kf?JZj%F1O@cK%!v({K3Pr#mI(bM;%j!B;h)?{e<e+m|P9;_lItu0>`+CgnYg;hyW z^85@WguEd^HdgsRdy*6(;|1Enm}ph;&e7nz2-eTJQ}psG3?-({2zz3J6Wv^I&6T1z zbxd*`ELgrCY-LY~iV9*;mp7u_E<;?{RI6%7I;;~zmi%UHdmlac<6c`eV58lJl`m?Y zo;AUtq&%h%p86b61sYvZkWWb&E@_vkRgbSy;pT%IX-BDo(*vwFR~h(VN8AX)G^N#s zqiM&%1~i-LbG3{!^5ZG3< zFfvoaR4PG`CdEa{?7m_4u^R|HOq(?e+BEBh7xzVnXZ%=Y&*!1-ALaM%bW+uF5ZU4- zxe@)yUMB1Lh_|$M8Mjx>-E%O;8$OjZPV1zr$ zw*rzp!7RSTPb!uCPa;fgH~vlVS3{DF5L$6NQg3>q-^n|rvwi$>=+#e}CHu8`Yd4*1 zT9w~S4A1!tO!K0ia@+X)Mpe~Mvk>nd7$aar!fKFY`8~EPrR28Uerb@st)EKa{)t3Z zRq}VZgKP*TD#}@oj1Y`b(07Ea9S$kp2+9FA9kMr{`8R|vj1bK+Qk|H|$sf{KIt(PP zC~QqpPEyV_kVwbL&-o?eaT7+#ujR};H)tuyVZgP-=Zi#~mSJmL)7l%t0R{)?9i)W* zR3{%r6f&EQkm}|~9*^)4zR-Mzm~1;7y$Vv6I6+#SPRzc9uo|?_klI4R7Dgi63D+^m z3Ww9IIneVG4B{)mwFA-z_eLW$E@h_TSjyW;Tc6WK&ud#FIw8?hs=*#9| zgGXbh*U9L1#lCkgYoc5Zbo^Ma8zmjFvpYWzi65m=Wr;26HU|B>?hpoo=cWi|H6>Ui z0wBIEB;j|H#NM|s9naT_48q7^;VUJ#m#akvcmbz3&31L^6ZOVwPoKEp#Ij`950Q() z%We*Mrf484twgMx1J{B#V;s}jX5-&&d&y=V)H+Gc@;ALZv%)-1y=k$s7y*OG|9s=3 
zK@HFUICrkOV#EO>u+pSLNv<)_MP*8Sm_{K(@;kRPcP}2{KwL!45JogTbL__du%8j9AKbVtu!EkByl@ zN@lQbzmm^K&j5#NZ9^z%e(}wWeAY?%%tHf8k*8GfvD5DBi$9geK!0X z1VB#LnWT-vz?}n9fjA_+MK_K&I#>p>JMC=E-WSt;4auUv2*tBwbS)|R2IlH^FjpK- z7}F%X2RAHPkC(e%H`cYsFGbvydrvv>6t>V zS@>+7MpxB3A@x37fl6gdCE_dLL?gIL86d#~p{ep2qiLMvG@DTojp#&WZ5Y0nCR=&H zVXPsc--f(&VNNOI==dP-qBNpF%jl5Kl5AtD*+aG~ ztBj?z!0siHnHZt^ESY>cgqu742a;m-3*kxEXg;Y|Y-|hF0K0&>`OY0N$7hmgkLB_0 zQxqkCSshuQ-|1gqL5~+Ztz%yw!P!4eT(?rBV`$oxUFHVgG z`~jWL1QR0B{<=mnj2u?5rWF7n};i|x$9CvYe5!x2=qp1;Y9^rr(Hju5)*7*=95 zjt9KF_CXC2iuP@w^b3r%jAARfS_!c#j{v^J0u2aG+np8!FF*Qfa-sGifpVX!5*{0q$E}8ufAs#Z;+Bkbf^TFTfl0Fh=Rl( ziqOwCSdjvTx5i2}%}u5bcb$Dhbh4)uwJrb1G^O@!-Hu0dHN4*q+?6ndbg|OyaSRNd|30hPb0(Bj?a&oa5vi{}Wv!lfP`+ z>Y9&P(=llL;3$$kfCj4~ZrliuuzX)LaowTd`war!UMrajDyz(3>jVz`jb)TGK6?*8 znR}Ffx0I^z_@JSylmFe;dW681>NOM(IO%=McY;iK0I;2OnE3iyf2XJfM**&Xr`!SK zE{rGiZTj|$L-uLSR!x`d?mN<*rqu;G{O@_S1L{H8NH{nsc^2H{>sxiL0_F>+yc3L5 z!35PLS-UN-zg&v17BLhB|CV2m@g8^x2^?MU~&8hJ5;|A{lfv>gMRj()}Q^CZX z;kj3?)#%LHmnCWDIGi{hV*|W!9Ais@{A?Z%pI>kl3M1TA;#egZ!~q>F7{R0j&xCHP z@OdKGL`A2OZ}_}o_iZCYAreSy6o-=qf$j+ouVfek3TEhu`YNF z-WXiHJ;6T0!?hZONy($KtN5%!f1}>yYJ;vgrg{eZsK1JP+{K2JXbPL8IUO?#gyFh( zqGXC0*bB`$Kea(|szM-W&FBx1*?|2aJ11YKo4Hj$J}g3=NKtjfhhQ(I?2QfR4Qs|k zMBo}nJky=QaVrW(ppHEKVzo3EMh*ywxe&r+#7@%RO*j@7bm6c z`hJczAJ2X~s!r1Bb*9P228kdqUlP^H%L>`N4P>19f&GqYlFNKXBraX?B z$&o3(O?^al1hn#>AGDnx@hagjCH?^uMvroT&u)lDy*$f1`Dp**QZBz;`r%3kV#QMC zr&%1Bk^A5`Gc#{6D$UvWYyOFtp+%tA8yYKOidb6lY7S_EM|CQLW>lYqGekMQ-al@9 zgG1G=z~!zV-t`)CH`f+(dUn@bH(Th1C1GUD97FNI5<9Y1~?H zPqaw8Jgy0$+b?pP&G|3LP5tTR95(V%tRx;K14s9o%wy6XfS#W7rHa1#+e>{NnHtm^ zQ%#1bn9BBOMF?tWucoiVq2x$%b*)>g!!M2~gYRndo{U<~nDv8K4`xPWP%s{g;q zixQ8`xKohsS#)jS-udWsRi_!Hqm=e>81tFsemjwD#aGAj7LB>Br=66!y0ZImNCY(l zNiSBp{vd%EZ;32<7HdD?QSxw^d6lrHO}l)AC{-$NY(~72)<^-WU^&v^zy02@7f<>9 z2;Xf4ZRu6VvW5o@T_xWbcaM{BsNWg3Y~AbWL}qR;*d)k!hm1xx*u?|!>xNzSR9AZ? 
zD*`s%p`61ZxEFS}!rv&yts>~>bFM>H8qjSE`&psjR(A8q5*78Qx94f`b4B#Ot{&nD zL1B{c{)+UJiPU-C)_2+Hk-B*;d8fKLZ{-Gvkf2c0O11egyK`arT9InbNYK%T*ytB` z-kOc;gG`y!#z?ayf1>Ep`ddUBC19@}tQ?}CLIuOWl8IU8_Be5JDLUZscc*F-#?JAt zTaiC8^88j1DcZ;UG@xtL_QOkIMTeO`6~HngeT{UD6=4Bpg9q*FZ$!F#F-wW5pe4j6 z#O)r1`L2*U2=YfHu}lV+B4C&=Wn_~ZHCq2h?HMRvDWiS8h<*;~%t`o+`wJ%bi4q=& zz|K;3WN1{AhOnqrOoDiotN&QmHBCmc-z@d=?1k@SKBwJj@79rG*xUT2f)IR(GG-LN zGQ|X4Z8wwkKniK9lJ>J+9p!d+K;tvx`hB-yZfakKg(IL3s%T8kjiW+r7(^Pa@FlCf|y-5Y{?_ z`t&IKr!S=aNbav!hP!d;Z1xt&xq@k5OiS#P#UdHAeExy6ZqaxIk3(SeUAH6TH=>v` z{k+q=dZ(T85VTY4$-12rP!}&eYH%Fo<=V z;Op{@3HzrLKFGR*3HNM%T#$^Vh6MScaoI?|;i4&l@@nzfllN^Gr$bnQ0#)=e0*(qL zp7p#i7YuirQls-@KK&Fas^dSJ5+j|gCnX$adV|t#!f)$9Qg);X9!%52aIVVo#2@$M z12`$_&eZO4zuIJ7ni#jIO^0yg!I-wx`;)IDK?b>ve%NV7(Gh>Dn`q@ZF+Q@~0n0!^ zP9ySq1Ud8ySHjs=Wnaf=cq6(}HgU}0$*l=9pE(7W#AHo@mg+>x!$^IDxo6yRqyK&Z zfF1#Dygf5YyQ>;cD0b4TFG||MWgvLuo)Nwb8dXqDnrz4f77La7>x@|{qJ;9KMv73?X;2s6~ z6}HpkNgR?S9r2k2Mrr>(+p!_YVU?AcH;gSikQ@XZt{2X=UteMUB?eY9urWhZ*s)6! zxJzJUqw2#BAiY36HqYQQ>pq0_g<;)r8GFL!RR1z~+C_H;U1vAFk`yA({9K|9J zsm~!F$+q_F5Iug{TT4wL{fRWbINWZ$5VtA%y=P+01$-u7@vV52nA?EC36Jflua$e0 zQ1M7HRvpi85c*tfzTSwUNXq(+Laa=WUK5zzeJ{NehDK0MyL>2;=A+tr0AH$>%I$oZ zkl!m6&5K}9)0UnmwP~{7N@!Ne_1m96d1sBRVs018yeyi0A?;5|#yABH6(juCRxuV$wbDAkmnY`JCs+mHhk2Q_FkIcQVoBXE)g1|0k9y1E9G z8_v*_?qQu~eypyiT`b72tT<};Jx+cdt@uTuqji}Sl}PG?$QCH7;o{YzF~X=od?5FZ zJ)ph)Y(q-}uc$rS2evDvMk45UL_AR?-m8kj-4Y3nH8=U#29URkKI9{cMBV%cBL6A$ zwso9j()YUmZ!`ztWr%_hIZf$6qt;^ExNI+6W_FbC78p1&?n!L(c|L+gdB(ic=q@HL zLv-ED^x{OjY(2oQ9v@QJ8Iq5dnU8VxeJoKX-H{fL}Tl@97W%X*B zPchJHp*$_(t|R62SuCv+j-9eBd&$c`I{LTYUyB`b6903yU$P@PL+NVf_M~$M5DWUf zcb6Nn2r{i+nCNm^tkx2Bzq?EDeW${bGCioJ<`Zk7(EE!qE8YT33WMt2SL{gpM z^m(!tcKu&fEPIKS0ypmFjT}Xc7@SATKV5YU*xJ8nNSht+w(Q@TX|4jpplpIG5LTRl zXu(9ar?e1{=Kq9Tf={4vt2}XEo0>}{{*TP+0Uppn-3)n@cFE~uhdlU}uv)K9DRBXT z|NU47F;IkkguFF=aJf{FZz{ssfMSdI$6|ByC0C05yqs7K8s+N;nU{@I64RMymCzRV3pJpy_c*s*a;23%Rzjs3s3*7>m~T#?bxLo@m0Z&`dcTddjXZGqxt@e zNj}82G2DXy-j}_8Q;y8kKH*D#BTvjdPd7`%n1Ovx?4Q{U**dNyBdmN13&5{tPQM4y 
zYzXT@whly10nzgSAiNj}-1Qu~G-v{HodC~I@h+xs*K9HV0O{$bN*%|Z) zoTB9}o8SgCy#ECFoV)Co+RMB<0dLi8B=d7!tgXRs*fV$R3@a5X^$^~F2zT>2M*-Wu z6Kq9+xPDe5d-!Ik1(*g6KRW{=Bv-8K61AiLd8&>9r|l}%qviu}TNe{}@^$b9Rx2fc zM+b;R)`b%Mw0KhD@Qtz7SYNU|26%?H-j&ZYczzV(2*Ntu&HrlsC1T>*;`Q>(y=ida z@!0J_+Q`pXjH(?cEPT0V`&k9wL9DZ!YaM{MJ^3vQ;9E0jhV_DK8@<4eW7;WrPaY>F z1QdZIC(SgZBc3KanSGh0)2!Z-J_9iPfYJ|_z511SUdkX7?>`1VkTSa~=fk)X}(7ja-ZRTg;2iOB(N-=GofLC3eX zxXOD5#>E9%UB<1a{W?LTSm$}W0CAs^pni_@Thl%7K>}f!HwD#oM03zLMdnAcz~hW& zv=Zz2v|Zj7q;6A5+Y79aem%l!a7Fl-vWo%Z{3ztACK?MU)`7U!$kJgu{ec#%(8Wzx z-!6I$iGiSH%DkzHYUAB~i>z(Un`J!MtsX~&*CO(hv~DEl#Tvek64lR3CEdp!W)C#W z8h?D%1uzKuiZ!;fQ@GWSb=z~{Z#`aK@21pox&Yt4Pc6lgWkLPHsAg<(!|%Bt^Uc7z z%v@i>m!HByRaXOx>9T;h&wGfNEBjM@77+3((mM`h-_qze+l-(ArXHa9!5=Ig zw4fMXdT7y))j}$;b_$1o&jB@ZglXlqOD`&qxgL_I;4BnptechfeNf=+L_S*vlE&*R zYgjuy;{oyID7FD{iiN?z4XFhOAn|GAo7yjInf_H%9{Ao?=#|k;U=!6yf!(j>XTb8# zDT$TG#%2pVnyUMtJ}!i@*qmVJjajSA;H4};8K+qJ_+ex*!6AY_ZFm=KY-$Wn6F|E) ze%OLDW;69!_v^g&5cYU51dv1DYQ%}RG%se z{MkVy=F>Qq^8!FZxuMqIyC&$6CJqBaPHXxZ?kHeT^sWKix0o-TgpJcq=U|fl9XDhE z9e#!tNTN3Qy#NT!q%hbmOp3%xYwSjS#LlC20t$`ffojj~rCm7=4pc{7N&c>d2v*%y zsU5Xa8qvo&#B)zv_2xNNHfatF&iJbtirPA_z0AWx_tA~v9gF<&8>%wjb3A;M+m+ zqC{rLq36C;Y0&!3Jf0%kBs@YT+Lbgp?#D#dT^j3u@?DhvVOfLmu@_ssD5m@^4ZAr( zRfP5+`Sl_1yp#bv(#9+v9KwHZS_UDO&!}Lk5X9Qo*(qKFlMTcMgoEU1G)|V=8&1|( zXQozUxL5mXwA0xlksSA`e4&(V-(6r1*V16KTD^}IV|pP3XMs}NBtUM`)N`nr9fmS} zBA`AyM8uCqNK4Qg+uVFtVHa$bBNP@_aXkk(14Mk(%k3SS0p4!8Jx0A1PL}#hilC^v zoKQYDwzo7!N|%FhU1eOSJys|8=VXN5=d3r3qvnld%mtQT*$0M#Wr;kt;}nF3CNg}f zZs(&;+#)Ke{gu;|h1O^TeQ@-v2?)@EC< z2IA)I{j26CxY;IuF0fv4QQz~U=v|vDOX+Wt{5h&?bH+Mdrl}Hrkw!hk0?61_qS`~6{@JRzlf3Ys{Ron~vT)zkK4U*U&8;NQIU&d&AA)Zfn;^1kx z=W!XmceKz`>FqIAZ}6h6L^kW3C{7v!R(P0LMCWg8)DvpYz}SX;6^2iXD|>05T$))f zoUM!X+%GtLd|?zu8AcTJ!yx9dJ|QeXL;5cK$~(!-SdvsS;}J27$H z8CEOg!fPG@?cS@gSe@vn*Hhos`nN1rhx92sMJ0|rd(-FB4%Yi`ybm-#C`Fc5 zc2>-O<^Aj$=3dS6w=qji6k_}VIpwD6K4nygWlWk{usYu7BK9fG;yw?ohMx~vpc-E0 zd5YEbUUNj1h|SJ5KJm2g|KgWpak*mREwk(3$<eSHAfAmX_Uj{!2wPg 
zllW?7O-|SuL;Cecd*RY&y?XKQTuVl^Si?wCOGyejNcuKL%l zDc^3KOGGtE5AY)1qBP2veoSD%y7=?AN_$~Tf%$wuP+C@&E9`do%}1v!yl zl%yOtD%-GDscW0~0t~_-GxgM0^3#U)BjA>HqpD_sTE<8Id?^v_6zR>PH#_sHY>7P{ zOZ>ho{a)z0nAY##H3Xu)wy=%+wT3VLkaW&6z4V%w{#zI{!ZJiiluU!0MAlbpw_k|Q z2#0l|G-e~NChw>+u)0omfA0^WX*=#2!rG0n_Fl2F4{Yp!RxniGph+6^P%8bcYI-ax z?r}Qt;;DER)c9s&_E7oD$6eKJ7Ek<_Sar&8{V6UJnl8`11mjAUZ=oL>39R2y>BirENskvpD@nAITxRUgb|xf0+5&M;g9;vi+t`-d}Sam~iTw zSMHdxw;pXeC(WB~dd;NqHv3_K89^>Ha_!#bOMSu*sYV{)aK21;f&>h9$G%;by4Lz` zsb(|X)I8%E?=D%t32b>XMq1<&%E1}P0n8Bu zol9OD09MW7DK$5Y+P4IzcNvNWzR1pgo+A5p-Grg_d*)wDl9L$ZeZ;!s$c9&X-LtCe z$FF)fOY+QHq4X8qlU5Odk7g$YC6w?_qFhT*=zk~ZnOH$x!sP95j=2FXt?0b6=J`Y6 z2x-)KIdcbYlOO}QxzDx&n@mxIZm>SDrr7fGK9|6)*V z=b9Y5bZ`KdWx;Z(nY;MFi8i2m0<~6#4_Hlxk6A8F_T`4cR&4)2_@T3>?#}QQR@IRs Q9Pme7SzD=0!7}v!0yD-Z{r~^~ literal 0 HcmV?d00001 
diff --git a/src/assets/img/Delta_Class/use_case_2-5.png b/src/assets/img/Delta_Class/use_case_2-5.png new file mode 100644 index 0000000000000000000000000000000000000000..70cfa3f8aebf4128deedfc5434d4c184545f6933 GIT binary patch literal 35967 zcmd3OWmFu`w(krQELaHc?ry;eB)A0+POu>a_W*-KaCdhL5MXdkaDuyJaCi5CJNch; z?>+0iukXW~wR)<$w{`96s^6}vt`1XEk;OzOK?eW;nDTP()Byk>Ej+)0`U3tx+Udj& zPk_$qvQmJmQL;Vw$tMe4c}rzw01G^i3IK*$1Cai*zz-7m0RSMyhX7FE=_~l5mJ0+R z!c*X1dM?6$a{_5|5&t_6*nrakZ#AUl<>9G@nUjTuoioVZ<+zjF4K6rqt*PsxtE?n! zW^c=3YHt6@g2Ths;jail)I%7awY6|DrSh=-V&^REAx85LhcG<<_cA99)jupQHexio z%4$^7_D&X50vuc%Tr}e7R8&-=PUe=v>hEO!Ee<~uqXD_NI0$ocy1Tn`xbt$@J6UmZ z3keBva`ABT@UX)<*quG?TueRK?VM@i&nM5chvd{s-m%l+<#zaFVvSg`0E{|KFPVxA1=w|1BuW`M2c% z;fa5_`JbzBKZ~P_a{f=9iK7Fle*^#kk^uR4Z#6xDhfuUwOMNZQ+k`Y@OD!mdLDS8z z;0Om`lA5MoFD~Y81G#m-RcNKSZ77!%LvJ&_Pi4m(y9`sGO}czeI7x$aP+k5y+Zz+6 zhH%;;QEb8{X)Wzh*mEVPyXU<_M>%KNcSS8Hx0#fk%=#N6uQyh(F+Ce>tE~<3;|;79 zW+gGMtFCFplMM=8AIcO7e2Kqj8rYiHN+x__s2bQxVh&oDT}U!Iy|$?=+<%F9M9O3T z@EG8WarsYZIg%DD{G$a)W{US8WjgQS(k@zmLdstKRRCwYeEAQD)&yc*MLvNBeKAGq z*VUe@uFj`}PPdbChi7vda8KrL6?6!DNpjwF~tBkVxTwGc=@dbC>gc2aOV3)@>F)xe%{z-7C(B?lQeA ztf;7f22wt*+S%IL-YKQTohL}#CA7+lpU0*AGb^w{{F*-cH~9d#myK z^&K6{KK<_AvNw5@_jy_cB@(bbXaOZ`x5&o*Vnon=<;rkn26|w0(*nw_e%h}-etH~x zZhI&)zAri+dpaCzsfI09w}b9CzCAYBKQtUWOWZhf4()Ttcq-i#GK%fxTldj)u3~iL zK5W}RZP%2BxkX+5t*_G%Onz*VL0#Q-o*u0{9pN*cr1&hPXg%6CLT6#?oKNe>_X#gn(x5l@@ z#=EH=WRm8w&bPga&>xrg!vePNZ8s})gW{%%Wv*AyyIatu^Tw-l z4)&As@$JNP*dC+Yb4BNU#rx;1mAkCtWPLm4770ksEMez4Yv-icCN=inW%r!-$ebpL z<1Jt==b<@=mEwLEP1QrHH%Hv3#cTN@TgSy(VuM$_V0S9VrW1vMOL*IB-fx@oX^pa_ zMEt7E!i_r^yk7z?H~Z={E$gF6e&V(A;P$-L`IvHS{Iq43RJ z^D(r>%YiNAK#z`(35XtN?P1zC_{L}W(5ENxO{A4*frs~wJJ<@?L)1Oje(Xx$v+@jE zSpimBiC?5aC7w1U+@7!Pp9PZJmgeV~?#nbv_C2A8x!_?4jF^o{=pjJM!R<3{DY9xDyqeT@qt!n#S!Nd6Z ze$GATHY{fz*sRmOuLVVuNsi8psC( zOeFguc60^EY|K5r-+#aKkf?f>h>?!fnR?x}r)SMW-yUN> zpJFRsyi(P-f$e`qpR@bhlLa4>zr|0t-@vr@kT$%S0z_`B=5L`M=@N$eqE?SbkESun z#Dd;edvCE4qObopx~@GQ6*);PLNK*29<>5*Te-Qf__zZ@?@#&Lci(fel(;FXlG@~1 
zQ)0d*X*b?!Z*Qk*yuRMhyN`Jsh&jx@$lP&hNWT5u`S_cr5&YSjEQ$@CuW;7BZsGf4 z#fsj?$;hNY@nCrSW8iA}brWgX#pu*e?(X7yrQzH=lfK@#M4=kY5Qdn=h5SR9@;gb&jeu-vup*(-j*JnX)!DB#@P#l@348WrEFK?>b8aeJS!KZ4uH&Y_;u*vr?ueBl;>Lh_J+ z8qsxB#u2j*Y78hBtt+r&gr@gFC%tgd{cMzGl&V6 zF1FC>vIY%o170x)%@I(#mCMMV#j<=2?94+robH;htdzO_LxoojzjH-#xQduVt(OTx zL4uEO$*i)N!^q!wU~afFokjSnYw#Ejb1K)cEIq-iF8(QabYRHa__=&{8j-OT<-44L zsMd{nqt9pP-=MqErf@Q6$rTXdT{W-t31QsNrpy-C|TRif&S zf^u@VmSJIC&YOJwX3xiH=yN9&3jL?ABwaoY`3FsJei3&3@Vf1$T!vj4Ki9J{3Vh!@ zpgQsFSNY;x5|TAdahn=*mwKEw=52X%?B3a`Z)kX=t?eCLaUdWl*t+n=4X8UiHz(40 zu`}lG4t3RWhh5F-w7?N;IjPUl%&Y+P6bXDq@)WVoVNQ`5S!8eV?P6(VrMln(-eI*Y zFE1a%l|Hy~`s^vTp4?@hlnG$z=6w4-s3d~hcm`|5MM{xz>BbaH9Pij5KVkX-d{d&5 zweRNU)>2tn8Lfs`EOOFT=d~lU@^Mab3yAF@=?+IScwklO_kAS;bDHD5&Dmtk7H;P^ zjw=5+XCO{}j*X|p8lHHb*G~+iai1;}Z@^?21|CsXlm7kF43!ic*9ht%95btr{jt4G zZe|-h>b>Am)m;1iO!e{dWwBrq0aDQNZJ%KBHexEOh_j0L4g}kT|7C=vIj&D?r>|Ht zO65d-sM|DHNuaa%NNo2l_I~#BUDT&Ksix&|AM`a{kX&ORh4^ENRVU!NH5meKc_TJQkm5> zANMkOo2iSIUEIvG541mCB64G6g5(E?`zk1T--Z3yg>l9XlSeGPnU=qrehqIBGF|{C z923iQ+MJ1I=be325GqfJ0A;*K=fm<%hecJ`PMezn5{DVosRk0UPB20G{6c9TW8<4WYJx?(cO@a+cP{y{R4;L>U}ucrMUjZ zH~%qZLFn||8L#}9@iY=eb>EaH21qvVw_q|jav4%kdna$1Yw z%ol3We&4oxloITS2qp+7`p;vElI(DO2DriWAf@--91M6G&QjYRT{tIfaM$0(}g9xaAY@p?DhmGTorF{DX(wsPHe09p4O0` zW!)cGpRRw6l#7VLJUjROsnu{)0`_)1>BqrAx_Z)g>@P2jBEgA}TfSIpQBJqShOthd z`bM7e=mhEQ>fGp34e%9Z{FUvT!W$lHoDSWeC)v{~X{)c$CvG9g157+zl2 ziRXvL<;pq{-2&YYT~%mw!g26tz1#97L@w`&a7zrD0P~EQiKyYf6GnBY3}=!I*M`)R zVxpIh*!Sp7R_^qD`O+ikFl7rZ=s3EAE_B{j9#=mv`Bt6(8E0;LzLGSKMPso2=4QSe zX9F;&8)4fP__Ol0ET?gTtbf-G0?vMFhDaeMni}LBw;47%_rJ&;J+l#omtbLZ370CZ z4Auh=uF`>YO+Q@5i3P>(@mfeFb_StYJNZSKD+i;LhdYEO9}V~1sFWnFw)jx=B{wzg zdiIEnCX(IElF7f9OliA-ggu-kuw}zTH1!8NlbT;od~*^J1p*7n5R_O4>j>)XIrpv+ zyl+oJJBXF{tLnTa2Cgw)TTxy}xW>T7B%qack=3(CEpZyZY+6uIS^PIkuWbS%?GmFr zw;4ycE|J?Q=Yo8R7j+kt?b+<)4g%Gl4O)`5p-Wfuo(23R*Y&l@M`9;(2hBfgT!*_m z)+Jo^y(*y1ej^LFZUP0bj*tTpDBoTUN1!sjCk^3*idQoG)wj0JRnqjBFDYbSOn76d zRJ$$#lUG%{=mAN)S%5J+2wVCDSd;nf1- 
z;bc&Us&O*ISUzN*KT;Ym-TNvgY8hoZnR1nH+*;Q0sEs^h(2X518P~NttNN5_cd#tz zt`7`3@*DpNmSkY~D3rO8zl_;*D5D`XuUdj)f`y=4u@L2d@l|kf+)Y@Vz^gGwy)l2` z5CwwuDO#(ehxaOISSTunS(3m=U!)oRw#ll?O5*X_T3f!3yl_!}Y(T#2bo2;%Ts6{u z9PI^deE4zlly(fJJWoZ7-G<(Q?^5I~@jL6S`H&Jwt>0mTPXlG^^GzA~^G>ExiUyq% zA+XCX)Z0s6(Cw8kyJ`XdsUviBX~Lkw#x&8End>vir?cM&?5-m^qrZcI0L;$P;Lcf3 zjLv@@6+(d5g{C&)E#TZvD!I6bC5hbIsI%U)&8Wbspvth@;s7m@Cy{pPka|QguYmZVqK&(2Xc84?rHwZ|qR1i=nh5 zfFk2FqucC|jBut*H*=N-$;e{EhX#<=8SK!m=Lz$atPrvF^dqvK2r%PivqdhuAe-oH z!F%HE6prt6i7D~F-`6MedUi_)d%BC4v@*N1x;7n4h!%NGqxihL!G6AZ){b&XD0Xo2 z>VolqvJ{U~o}{?`5t^hn`R!gmFmj|V+5IJ1$mR7*%qgs?dLxPgK?-)|jhX1((WUA% zYj&S!CQNV?<7u1`Xy<4iu*VD^<7x?MJj9z!3lBJ643`1kOMVl0ogtqPhyhiB#3wy` zcgwIcQz_!Tjc$qbCMQygAc6e4>+aLTq$Y2qWC!s-Q6KLgdv`@JX0VtaPuL0bVoxvL ze_x8!X!T>DnsYQlgt!8j?DPM8o8F=-uwmt%!xDg|&K!FK_BA05BXtWa+aF?1D6V{; z^lnCtVbxIm=W}dU`&LI+ZkUjxm`P!zz-AhMexLocfU2{dr2u=_IEk%UUs&Ts!NS5i zC%&k(vVh(qcY2e>uE&+HG;gJ`3>=d00MP~BnBF~&7jA9oz`b~r!nY*MU#c^)PzE<)2k0y8U!ROpn^-Dzy&Z0_vuRwC zYZ3YMBD-U31bX#+z}tfTXl!>fyYg6mT%`lEbw8eYp3n0AP109U zwTPyKN*`J;A0wcJC?zu``g`5~^|%w10sob*B{|-hCr0H-I@#sk@A1M;A}W4x^ev|E z;^h9g>XJl?YH9N8lNny=va_8{tPZGA4Sa+#sX z^`w~P)9k=!HmNS6v`3L5$q-+e#ya;u#=9Y#^ls}}eC^fb-K!DiDb5&_OViW5e3Sbr zWiaJdqwKiZ015R>$d7t7A!Q`QHwn2^J-e;02}|Hpt6^vI#R4X@FHoXo$z$BC<=A(( zg%ly^QHxhF?mD@_{Hx}0+o@t+nNM19MOgL1n&=7Idc;n;g87^Q*4 z`Pb7aCXlKw#vhXkLE!JC6%f;Tr0z>lltV+M^%dzkgG(Nc){Zf#r1`a_}SfejTFpEf7qPg}DO|Em|@*!Je5>5fhx z9JFPnZfK|;$fQL_C;VDk@o*{C%J_mp38e2meyDB{nJ8|GvbzYSDDpOCO(ixuxe!-Y z(8gxGrF=BpQA@`=W%;RDhJ(T76vW8KY2O5^JieX}W_=rTm8)zN3uPM|ao58=`KkC7 zB~k}u&wYh;E>MXAkSiqGsw|aFPpW4@X1X9=mnXeffYh8j_Ld09hDj&z5xM?|;~V~H z;pAPp^Hb4z`!OlUSV?n@>dF#al^Kzo0yZ3c$59ZCEH}ZDRy)I)W;Ij9&Qi5skx^!j zWSx|jasU1Ji_3w{g5T5jgXyv60K!AQ>0^J0~=C*m6*%I0tJ5+#t7&oqU2#ov%(||K3a~*+L{a`WiXw zar4_|hkf*e(d7%_Bc`gXMza<3RuaIToQXN=lQ+df`mU~IqN_Lqi&SxaDazS%Vljfl zEUmwJe5{3sxL6_|HGpg%CpR}_6LYzDPNVzFL?K8SA3$Of*9lOekV^GvbNWbvmk_z& z4yw|6nskcCQu_cM-69(KHftJx;|7Tso_us))nLeb5d^^TT{k2#9K|yfXH6f2=CvmG 
z=*x-$svDRT>7wYBk6-S-cA$5xr%7S2TwinvYocWibh zV}f7Eu^S>%S}%Eu2w;Y3JosSBJ%a`N^!Rgoe;o@TzOlL}7VrPyZ6_l6n(qyzJXIn6 zV-RD2yw4D6OHet0SxR~wEu0d7@agew8m;Eqai-$$k5S1eC3H#7t&qZTWQ0*|AZSt! z`}9rQSrhBdBvW8o3B`I5A&c*5nmYhl(i~mN-FUsOrXNqlmU=C&sJ?u*m5lZ~w zsE}bbZE1w3?lLzFF$Mh+Da5WOEFvw4nK(U|nz1=#G%RSm>^9p7UVhHAsi6ESay>?h zNtG6Q*^y1;NyoJqJ#M>QsZxABx?}muAstQGPbXw!r5Y zQ9iQtES~W#Gq-KudP*vUjL+_qT1Hn22(aYmB<(C@*WwfHw84rPlBO)Nm8_*ddv@5U z9iAsH?%jAfj%%hVS9C!PU-&4Ws17D0LLfC9F0`p5O5UKG=1@q@RBeZOUGJ0~!#kdvHkYkml_2P2V*;Mx`Kc$qFY#epi8 zqh^gAmJkA%czH~f$*fX_EOVzZ^`n=O-8QhRLnJIcOlDvlz3UY=&MECBA3*9bk0w?5 zAU}`(YZd=i5OH4)ohol#rp|qLlR~0`FClEV(tEkS4WOr-3H4`CoOo~#EcTcHV^vwPv0KowAwLbeB3{Y;OeARO#UL&Uxoi2DWq%_ z6N?P=8iI@6A?VhgBz>{SVB$^A2f&K~ac`ZVw(}*8pV4k2)v3J;mST)lA`S>c89{4G z5=w=PCLQRczt95@b&8~&zSmLpEZoQ)^rdyXh{ag-V;GMGAoq)i1HPpVM3y_nSD!Pe zZfoJ=l(q`wO}YKbU&K>l1>{X=89GIAPAM8~Nn$R>3WI#NJBNScrsR5C>di1(Zy<3l zdrL1O=c2pBt1e!YNy}XooF#>2K(sX1r=w2Tj+%LW+O8$Q3tpn9;qA%Nc$V8lm|+{~ z&6aX2qBPEtZ>sgFzI8hY@wG+Acjh$A_zV>ITjeaDU&V}uN_gIP@rt@bLGUrVF?^&# zHortxwS_&%-8~SrPA!*J&sO-zxrI`koWZhp$Po+tacr=Uk|W>*nNOKSF&Xp_ ze@@9los7o8j;F9qHhbx(>z-Fqb()N?uMi_#Vh6}$YtPg_&i~$id63RCS!_saUG|^? 
zNh8rxB+wvl8(tF{=3Q?fEM6!VE3it#iWMzp-W9YsK`Fg-ZIj_vc54wy*j_R6ZSZ1@ z;@?U=8$ATyL^T$vu(;ZWGQE~Chp)0R9mf#zuJ0#C-+Q$^K?+W zj)XNWe2)sEpY;Sdx2n%S7rg5mct23 zqtV(prlYRQ`oz>Rxgp1u{U!0DG3)H~07_@5%JfKhjhzieBRsMv?;(nE~4p zVM}P8A{r+!zd@t@bZlfkkulI(wQXh7{Usj2YT@14=`Wl_0_W z;0|<-AY{FCv>|6!VDz%*7c`L?PUZTu}!#E^wbq zQ?MI~gzM;ZO#yy-KHT-FW57g@+I-2fTkRx77n{vkE8uR&_Suzg{rg@*2?Z$HIHm+|XG<|m_fTMHwxHDw~jz$00vG1)G`^9a%6pSa(+v8ScdB~cl&a;v1XQzW0tULE*jh`-9Mj0OnxS(M<^=NU)MJeQ!pd@X~aAXpfK z_yfYQr!GiU6!ij6i4R#ad1d;`<#>|v)Re$e(PU<=O10aV5*e4#SkM%pGR`eICs6OLOkY-d!;fOSjIJ&a0p~}ZACl;dsv!*I z#_2hz*wPPQ&arS(m{Y3KUU{mS!LTJtWbUM;@G*iE1z9ffcV0-8u|J&q3sFy|KJf8R)x%)L_0_!yJ> zQM)!C_xs|GFan;y8U5bj=3ww~;aecWHdao*0)#!+zwgmMVi?j?!4jjSeN~5I8|Wpx z6(}(3_DfZR`6s5aUqiYR`=BnySA;}1l2U60E2j=Z+jqE&7S9a1zp-B=9quRxngvvq z+wc+WwpJ_OSxq5mHEtp~WTJayRGHh7=c?2ssbp-fD5I1a`&*BWm#c1+E^GO}&WM(O z9!?1#UcdZwkH5MzW<<0|Y?=&lKH{lY^h{2nbJwz@&q6bKZp|2T@pXDIEM;WDk<`Pn zsvpms2}-|n+=volpcq0ID7u?Q^W4^ZI${N#JHGz&1)J>M0ahIY2e}84~HU zk4g0H0a0zdX|~&o)6rbui%n2wfPcI#DdOaCm&yb1l@(nZP zPY#pKgzn-AJd(G!i2U?a(

@kc$6{$R1+>Va8;E&2Prh1C|#r3C0IqIT5xT>Y|m z{06_W=mC<@ffBo)tT9(o2M?D#)pR>5wnkJ9&h^f5FBMis4?=yEKgY1hMbyeRVeZzx zW6w>70J~tRmP6B>tn%I(N=FGe+hYX}X&s8Wm>*MQPRZ^JzWlfj*J;ZS`JsP5>o&)J z;y8Xvw6U-Q9i92G5RHigVk0}fju8{ybX^89 zisn7Q-xAqV&{wJ&&!P37kUl1daF{YWSVuAnBZx)-^p*BaQE)@u zE9fkx82lzy@VtN+SYD6H1(wM@l$0d%S1vb>20hr3T14ExJ{;(fW9FPFVlRuovY0$Z z6gpD9TOEaoC)}430<_rc@cdYOdG0B21}CIt6nkVpN;ahfL*u)O04Zsu9;B{I)5eR5 zx1SkJl%6Nf$AQiMK;p|6vckNzGP7KY)DSvjTju8#R~x8EoT?m^WKfbeHBN0Y@dS^z zMkH-U2;a+dBWp?Zka12FWie8!QeWrV2wqNfCXj}hV5r}L!DBCYXutoaT0d}UF5eSCj&ZLyF%Mn_kHOvqrHp@_xWEN+hJUPl8uK(~ zy;6jh^KMKlhiIkCtX~Sn%H`C}h6_sSO%Ocg%7kjJsp{7yy*i4-FMn^I`VmFag1Jt^ z@Yf%MUau9iI$~dyh3YMOBOosS^c=c7Q(4$f|k{4|1hF=31Xzo zajx#w+baK=ueTvu*5C(jQ)`X;8Y2=R5;88^07Ni<_tUZe3xgb6OqEwed+K@CIFJZ| z!MKg|zIWfO6+^Bca;Ye(MO8?$&GL++FBl$SwWQ>d02{iT+Sd^@gpR7{rsf3=R1xN2nojWK^8Ay07HQuGh zCi#Xi3aPx-3kPd9d54?>Rj85PVmNQd5{hb!1=*|Hpx|~;q=7y`IHY_Sq=rm0PXY?r z?9&FydAc*k`Ups4&Dp8mANYrNG4&EO4f~sB%TP#a1W*|5W3kD%2q#-JitlL6yc;3^ z;~YglQ#Lr7c?hXpwe~kY&GQosG%Hi+Vstr!)JI*KawKrMs+b~Qmv=KLlO5syC=0Dr z87;KGc6P)`uw}&u7P9iyLJ~frj-ToxKh_)_HkGNm@j4FqEQ~zQG->(eHSNRzd$$Ud~C*DL{~ui~Hvf(1cXxeJX7y#!hWm zluQFpX+onj66+le3V)(uE&&2&aP0Zd;h{m&DHdymZ}He~=8ZG#iy^Uzc`?5YFtVBl ztPs~g=s~aS9FZ!njkd}02R23DzeYu1!^32D?4^M_B^YElTBK#Vm`Ldm5H&0u7%0;< z{9!0>AJM+q)dkxhg?GP<{Pu$!%W4WL72?a^l$&;RQ7Cz2kLSHWe#Q4!!Fvc~i{3g* zWvP!B_sBu$4i~lGX3d^nbrMS3ikkq&)niT@U<3Q6^nkT+EKyVc)$x$;vWTJ`uO{7G z3UP_$r~27(dc<>cITdY0@B3@o%tRmdGAr=Lf#OFk*}QllnxdGW1+%)$nQ;a)GEI2<>1f^{C1D2ztS)W?B$*Gx``Fbm)WM%?B-z2^+(XNGCs{ z@$a*GV~BhP460NaxM)H4NYKvs<%TsbGTe($@D<2rTBz!kigxAAN zwT==lNr)5d-awttrb(j6ZYf`lmYygMn?&^W78zje;Kei~ zI1!O;N4xvplk63t{>eKN^bK)dusij$tsO2(gIF}#!>_sYmGefM{@+Dw+^_G~>iIBT5_b$h zw$^j+MIWbjCQ5F`9&Ep~g`7p)US3>Z7z|#}`o~?V6$YR+5X%2Bvf;$OD09iqI}U7% zO0(sk;>@r6Fvrb0^p*^tPpXcDnr2rff2di3%P%kkM_37{w`D(AkNxfyMQ%-WBhKL1 z=frn(`n%CcQ<*s?YX%i)QKy7lTXL*GgiPpAN@yBArMcM*@NI5>+qo%YRK4RQS38L9 zg97@uA`}d_^?SLMKLc}`v13%V5J)fr6OlL6$prL05sl11G4lpT?jwzac 
z(i_`BnYZDb$9+aU5j*@|kAW{62KhaC@40xF-=<8vS7Kw`FIk|PpaO!pK|QWENR-q2 zIw#0TE6Mf$^m;V%r8p07w0Z*=ASrh=<9@2kLswc@*xvKE3jHsV!uk?JGfzkJ-H7xW zUj8C&9mcmmMokpGj~(lMX`XM8EZ8ls_1` z*dZ6=!fh-=Ej_ViwZKlEaaw%#JSchhD^sdfvyvDnS4b7nXS(*$<#T$t=5r4PE3dF? zvAo5$_El)J)~)mU5}}tMrd|xeK5ZI5yVP4oEzhhk_cc_{;g_rn#}pEIBHG9m%-zY>Irs;EAC}19PTUNt2tFpMqpf& ze(|J08u5uo@F70*V+k0-LP=gKwz3H%82s+-ib5g$DmQ7S@OviZ=x;V0MVA@I56J3( z{B4Y2cP%>Ef_Ues*jXZns698m-l<)LpQnF*gDlGh++%k@>^X4?HfI8+zZ;F5;A$Kx<%m_R=iG<4EN{B_@=g-mL z1SNA8utkbqWW*V4BVz_S;L${Uwnkl^opt1n0g(|zm1j;+0gw)9tmrRyJ!VTkp0A^E ztf}?(x*m09+Q}V4Vxjk9B>Oul@`VimCz)IU;n<6Bp?0 z(LZ1%D8Upe6pZ%j2nv(^b>&zwbAwoBj6^3>0N={WsTY&WJ{B1&r2huE0qFN4MP;&C zvU>YvdQ%&o9MhMg-#v5NB$)|CULWVYFb_-N&1$H)*g^i}rW~5r1t90^GBb|~dl75k zj8$OB^3qemS9M%ZXlVagFCzpZL)lPLB!cdfdY#>Noykd#CFfW;dDOIC zdMEFOhBFUcOzdO4RhEu+yoI55RrfDcVs?5o^kMYJgp{@^Jr&tlR0n^9su~tshW82; zAcP{e$3-T5e>iyhPY95pYM_DglN$1gnI%$cQ?%dnYKZB*RzvdRBTqsoA1&(bm&)QfGw?2gNRx8EsP5u7bRLEBD`C$tjf zGD-19Z^UDHq}#|$GOn+EUM-|lr+^qY`Qv%gDLpT+;(Z0Ku=K9XR)FJHCv{pS$Lw00~gg-v4APAhU@c;y6ZX|tTl6P&(C7(#2 zEZ$GJ#J0sDT52s*>hx1`b-Dk|)&4YvC$D}H_c^`{9Me!9V_kJI!Z<_ilYT%RIe8tp z>584!arLnbFQ2%Gm8FT(ukXu2WBZYdE@Vfl5=`uTm2W3g&!HRe!y9wL~#*Ue#Dk6tSn-lPOr_xD~}RArT_Ec zJ&4=$Qn3}FA`_8ny&2($E3AL;&S;2^IgKHSInae?VY6fcz^Y=YVzz}qd-f>%v%h(E zov6cGh@V|D%Sl-z-Uy~Z3^xbXgSmz- zYQQLm!dgx)pR=z101@2znXh+m`ZCl~_ZEkuVj?}!RHL3pKP$A#9`Z5kE}_(IlzWSy z_FHnNqLTq30Uu4;nM)l7=S=|eFI6u!)ouM5LF=e}T(tt@ zUj}sp@*qiN(o<*lEan%sBnXe2cE!-x9DPT0{F@A@s%57jdlS+H9o%&kqf5hh5s%AAt&th!|lnmbc*~8wB6*V?d#g)Zst-|RNJ(_)iVJ{NV4{yI>Q zLixhT4xl+G`##I)=Pe5wu`<8DDhm3-Mq!KVGavf9m~`7_?)NsOVrV~+Po!JTx!xZ! 
zS2`X=6n$0D_*2@KKlpEB(_XvsIG2ITE)ZCBibYdYaDr@#|So$7tY- z=I`fcta+F~4}_Nm0e+YS23%H!igXuf*y%CnN4T0MS73llVpmIVcH3QvFJa;wjs;b5o>x>_SG35M%r05%10)+MB>BJ>z?jf6<%R zewf^s^mLcE?yEkp0t5t2H+X9aq6o~VBdZ5g!XUIAw3m5lvtujwW|0h4NmG-CXp1!2 zFrKA5T_27lU$!x#BXw^*^5~6SZX@A&toldx?1Oo{)~lo2NP|s(2GNGcRAk&kep{`U z(5$^R_*!J0-a5`tmQM6Dgcr@xk4ba_&#Jgm=HkGx_>@OSzFI93x%K@7%VrM1kSowE zI;7PfyKYO3n~D8}Fpl?IiuBaj&5Jx(A>rXG00{6t%7dO9^L@)CT`BJ%_M7QJ3)`w> zjO|or?B0DG?B?bH3pp9#&8JQ~9LTfXcAbhQ zV1G*VC8iwGZP_SpCYR2x3N|GV-DCOi6gfc}lU(fk#ZmeR#;3C{8nb);bH{^?^%St< z+vsH2#jGkERqV~-7`-iKh@hx3PL)wU;zP36GoC7XpP;Q7yn)Zm=mDWhe=*J_7@``O zd5(f+LBK#>ncKy=mnQidRenfQK~xRlMHhqokU<{2>nCwW8&7gJpiexAH3KFdjQhtZ zD9}*&E~ebe=`ZS3&5+79G6Q)WsOFp#XaTGMm7>$}cRoZ;z_>X1+n;|DQkn;PCK(s2 zZTTbv5n8=9C+V=5D#nzoKBWfPm_i8YRN^mPA;HssW;;5>e?1r;#au%&@D8RA(H$lc z{68f->hjK{T6bi;$Q%c}_EpDgQ>-^`se#-e*?xc~v+FhAQ;1b?P0a5Y81k*Iofl6T}*cfeMQ9hdLb*)30vpJbZN8g-Uj zmlhsX(MYrKVtd>xDK95JUo6Sp)S+toSLst9eNyw!b#}ILmGm%s>YDwp5hU)cy`5)1 zt0Yt}X1dge8Jw?`9L=Br%O+{2@`{PLwr<1OVB?Jg9E*JPh9XZhF?T?>a~V*^yz4` zeJ=Nbf)@tbDzL^WlaTA7u24U(%Mp8>_E!>}$?r%XW>opCuCTB@rIZE#{+z4I%r)Ur{g+_t~0+0b3| z3TPo(~wM)XFVwUCj#)DT)S4agYE_b05>e_dXZT`&QYMqv)Q@->!oB!9mTO;!)?D7IkEc=*ABa7U z6f(?`TmI5<_Rq{|o6Be~BRL6x-C3o%Sw*v#wR(oSq!)yYLr?S+$WL&90{fe4ecY2=n~6Tj>TI2mXJB=7wU}ne`F&Uy$m@L%Cwe50>ma> z$AxBbwf3Xj(USX%e@oP7Q#{|Ky_88&fN$Dd!9G32IYcGK%+F3Rz+>t{K{`dCkf{Wb zGH|0qO5i&d6qf1O*OCNhSOdZWA-I;Qe3IdP-TggEJWku9&x(O-j0n+{+2&*p+QgDl zKHaqPL@cb{Bm05S6nV=L(-NbS$o1Sq`7&NV+nuq7HEh|8o<&Tq0H0CfTZ2bL%?MOEm3pF zcj^YT1nmWe>P?%h`e}nYh)Wtg^;2nh_yC?%AlU+Rxes0fnG0b$gqK21-c+~PwZ0s( zpNgz0-~@#xe6%1Y84byZnjej*eX5B0CbabZE*PWr4)i#N*m@sYB|IF z7b|}(t@Kwqcy5;tYmrh~kk|7prkNpQ{s>ZC-<}U`FZ<@yhZUn{0IHJiZ;Eq+ZSmw)zUd3`o=x6Lriv`L7}RR5GOE zCoPT07j^*&GmF!^_|mXKs}V%$@kqKH=6}>L_0$Kz%MupmXvpa!6^ix~R02%2RqF!n z2I+ya+P}=P08xFNCHZS2WX+)nzm#1c;8fNL3qZ)cBA{bv->hpi{vt;k^S3Z2e2Zv{ z=#5u99(TINcbVf@*~{eXr#TKDeSXWFd#0BTCe!)KhaqENLh|a;4urE+2*<}6X`d5 zO!&rV{XCaCAIpDF(A4WF<&33mJQl@Ws_pMhd_AYjX5@%w>Occ)#=ON3BBit!Kw!;U 
zc8@7`d@hzC5SaR2e1u`{IE`FH0B98@l_iq7jxf?n2>At*E;JwmRFsEvX;e9>sZ5~* z9k@t1X<9&*G!ah>_#w| zO3b4IJ!$0$o#r6W-~bH-Bluh+1Q8E3TFvamxpCchhGs<-)*Fa1Cgfh`W zBl87h=sBmIolCnaU1-{OCV%*8fR*;sZt!&8fH0TUCg7!xKm$tvRG^h}^;Wla4GEp8 zcq)u)^iVnlNR;5A_5~GM?0gQ<9FUSMaXHV4`!`DmtmjwXSgV}Z{+}k$1gQCpm}N8} zv#)(!RvON1GqPLye#@7o$+JvaX_iTMF@D4R!|O$P7tzP^OFI^%Jxcm99?Q}^qf3W< z3t#h)@8^|nzR`N5qE?ZIgH6QRJwl$g zml;OT%1p|UP?9xi&}k&f;r}Ti#|s@uNR;>nCIF7pxkjZDUs^`4&nJKRg%VFo68L|B ziZV38yrdfWOB_E?If6qoN>)N0eg&9`r#S&Qtc>nyN6TAn3SC`jHh`9y#CKF?Y|>ZT za_uDS3p4>5&}#lHb)qWCuMbLNOX8Z>6^1@xM0?E#oWmv$QK4RF#Wu9~j)3KUP>=s^ zFKY|$$v0oBam7PlaGdiOnN!41L{s9#X2SJ-M#D<=d9=7OT8kSV$I@O7ZOGsCB7TeL zLmrFLjnRjBuhcaeSUv-ADC0;sabA63B$b1mnu6Ei?!j&^g zL0b)Sp#f|2wdzwx?v?uKW0gB$!6=#uj-awe}Eh~UyX~$?s>CUmT zk3u_2+F`xM@=CLaKFojI*JNSokVm*Qiyh0!SzcKbcWZ4bO*$waU|U#5X|&e7>q7AJ8ek zO5$lfvWTLqk$r99u00Y4!DL}14LkBjRp$Z}|ZUuLL^`BLt-`vLru$=1NYmx-oN zW&ziFNu*sh_)riW@K1IRo$uJ4#6Sz8{m_ayuB}n?S!*U5{}HgdSkO0@Ba~x#7x7$_ zc38i$bi*|5dMxd-G(5)AHr`k27*RM%;P}k!*1TDLqkWCJ21xR6Ep$TU(WWWYT%t&q z5jLClm)|JyMvOfFrFkSRM=TA5yp;x(IG{s_r6r6Nmp?VhGHGc)B~64a*Q}8O8a$GJ z76jpED$PNK5@<4QD1zh;3zp|v2IKngk ze0V9=ZsJ5}1qu|J&G!!=1Lz?tQ zp$*d>2TyhAhhZ7w#%LF#_xW8c-6Foj{Ks{j$9?&55Q(XIMR|w`o3(27s?KpG4ilz| z&t2PU#E`#~$qPAhQ+w|m%1#&@3ZyC|iP5i)J-R9sojf zagc`@2qQxm@9$==5>czwYT!5Kb$kfbXu4N@ZzE!`RCu@Nu3_(+nvP;|1u<*#= z>hqfJkc--vJZWnR1=*t&rLk+##8ip-yq7lx4R-rbBigDCOyo5l`hw$}=3{LdumwQQ z+uAf{8ZBuo^!bd%H`=0fi|8$1JC3D0Zkn=&JY5fIW9cqd&lY#wN6+Zefm3uhuXzqo z0JBal;E#wP>_(L!h&FsDG)CCWHQJ9oWR8)!EwqV^NYmVpk|QCDP)bUE%CF3@T-&g$fC(rh9S{IQ%sqmwt~3y+P~a3`QjQ-* z9_aecA=#!`!ByIkM;SjnXg*f)tAlo^6JXIV>Y8k&U5VDN`npQafmQ(}S^xttd6-j1 z2?bgk)6q_mITYXXDWKXby|h6=L-c$?9Mfy(eIqO;n0phNAwX%?G%$3^&@4x0H>dYW z34I}J>(ZKOW_QQ7rO3sWgN*gXQ3ZI&<0$$2ZD@Qhht_xukIV9uZ!GPQ-*H?YKJv@4 zs<(a~>RFr}s~IZtpwB<4OgQF}v=&<>@>6C>2~4CZF*W)oi2@DD(^9Cg#x0YnZZkO6=OJV1=bL&#|({3bxl=vUjyHBn{a6;A@0cp%8<@zY=BG)I?W6Xs_mqM0hkJw29%5@JVIA>mIhFIc_>8E0zmCe2ij4= zeK<*h;IyHAz9GJ&wl0m|$mB!Q^-C(0q7tt&}+7o`$1r4P=VBCd_4`gh;42rOywLRZ%&IVZh6#ZvYYy 
zRyo?8#Pv&F7AiUrJDor3O+&)pchPDIM-oWKpDa<0PaWrCzWP&bwm^RhzDnXCL& zNV3=>#gqzd(*~Wflc^OcD*XhIYz30IbR3WejLHRoW@4Yxp?P5(r1G|?_2Eii5^?Y9 z<&mT(DFBw|i*32lTTQsB$2^}Tl>Lt`SeQCSF@H+yMBX>@(&TH`~sZO2Yb7o$&vlVH`# z_?*yo+M|&oBS_K4LZBtJ5xcN0u;M7Ed1PXE0S9vjZ~=`dEG4|O71#1Ka4B=;P}&JH zjYMbQ#mB@{q~VzPTp{rQ1>j&Ly`OWA=qe-mOuU33z!=EXPLW}JD%SvUCX;*#wa<6r zn5jTUo*MK@y6S^eR(mDamuNeA2>||$^y7BoPX$zVlF`Q-55yg&*QeT%WKop(@iH$g zy=rr{Hn32Oo*Q~sjZVfNS`HAp{r1~yfvojtz^BbO0!WJlaHt_kH>ByMG5WH!%gw)R zInoLJ`j6#3N_~pq75Z}|Fd`NJBXANyoP!N>ssuSwlV?9K;Alq?$XO(>W@$&dIDpsl zfY>&K&qg5V?aQzxMB1pW1Ul&sB2l^#kR@4xkkKok1`O1Jxg^jS_(f<&fQV^hD4TEt zAi`YRlO!#EvH>Iwr^P6sKqaSKD`@;d?Mt&vDj;A2C9SM99cEeTQPU1II%(vqzDOF| zg8*CpD0KiN>gTB7kmlxAfR56_EG@rPj=-e0WJz8K4OD7jtFqBj8UC^zAd-j8Uf29~ z>nTW|RvnV8KsOC4;7I}cMqO5bSM0*dm%L~vEf7B15YREi@5pIQ5F4F#v}_m?YI(;5 zdl60gJ}9_eHZ0;fe#xJeJ8nR@N9zvCEdTC>ygdzE?cOy`=003}4JdK_Sgg2LAko-9(a|9c|6jwvqCPeZxSp}h5(g?H(U_dLP zWz@44n&EOu0A`t=ImeGSBaNZ~69>C%8VmoHax_yNX)b_KJH!JeZ7cIImp)Ie+y-X& zm$s91&3TQtwq-QFFm2O?wufi!;T;CbgV!1c%+|w5-zakyuRNfOkya1ee)4Xo@!PRI zE%#W>y{HG2=E^orX8?N(>5{G6&j%JxTF_o#L>n@a<`dU8;rBC|W+cssn$U!D*au^D zv_;p7eM8~ zw_!hj3kff6h`c4<%;JLx4X`K&ZfLX<07knwA7_m1FOob3MQ{=)UU?axPWh%Z>l{JF*0)h(^tf_C_v21Qhv^ z23d#cs_>an5D&dhQ=0@=_!WExW_;4y0c;(zGbb{&g z%?IIKqj*%T{Af@msEIG_AZcpu z;c95M*sVEKxt31(9P##MD$P*5%5n%PBlMI|^_6ZXdGN^2Iw8+_Z3h^rO#C)9q4ne| zzUhzhdqE3zO4v!csm6THlaBTaelWMNq}lCCgO<7he(*x*=(_ML%xZBA%@dSK@di zF!I0)vAWBt%T9vnNM@JC9upye91jf1C%AO!1FMFVl<)n zRW+iH(5CjHn($M>PVM6qcU|*-Xjq}E2d&43Y&DFY_%yM~PE=`n(wPiNYvKe~m0F9J zJj_AuHTTIx&BN+;JDGmI9U!WHO&n*sy31d{nWK+n@(b+)loXQGDQ|ABVN`oag@HcX z%9L|$vXlonsRaBvNTv1vHv8}d2EHMH1AP1}1+lkL`^2@;wqaN#&|`FY$LPz_md%gf zvOE{18`6i@i|TSQy13&G6dJ&KiS#^!;p+M}TcagjfqYoAsAIKq zT|ELo>a-BJm3S__~tnG>D%vz7ez45Fp1NtQCI&#(!dLmyLq{JnC~YWo8kMv(Kbz#6dj)u^AEQ}X&Qh8i%_~G^Ez`7W&WD#Y z?!|7*4xhG8RB48VZt3$`)J&S?OlB{S+<+QifYK?aY}*`8QecAd3$^c~5x#OEr5VGu*sI3b zfyG=a@~&OU6K_uhIs9|wVBvqgYPcq7c7qZ&ewVCDHK$8bGcRaDZa ztWrKwhqk}9^>h}-0u@3ES7~WxCD%M2^;5|JoKZFlYw=V+%#w6Imnnj-Okh*fwv*Q4 
zR=6ywNtpOmz8s|klIm0DXwLEGOEM|37Q3b(Te5^)PV$|cX+LK)00iuOQq`x)U(S6R zSJKl2>vPqv)40;=Qir-fsVL2Ig-w`ttp!!A*)(d*np2@@UUr z=jOXagYcU>DD&_2iwz^X-}IjRNKWh;!Ca3)+5viTAT+;fe7NMjxmc4m~y5Lm)mlP*)fvH>4p zKm!srYh2p=080U|`Xz2|{)81jkND)RmsVz%9S>#gNWqA9hoNbrtAAC`YH-eY{n@{iH* zU6j9-*^ZZ!Zc#an_mw!3^QFUTgwE%zXPL!F6)rnGg0^d{JHc@M4haenZN=kjUJfK7 zP*g$N)RusR?1O`~Jb}!VJmgQ((2`6*l%7x*U=&CsZv?bP%t8k^Mz8o#Od}}YQPR;C zRst3POM0Ve((wt&YY9b?RK6NbQ+D{3b|OuFzJSZQE5Dz-@>!V5|FoUOr#sRlPCNOE zAcs8aG2ccdX~GxqKvauUf!(e?NZ#G#Ghzpz@HK;aEkETLx`(^~5eV(;pwh19<`+T&mAuYv zX<8;n1jE0*yscNG-gpylWLrc+#dI^O!*t+7@-|1TbmqZ?kGVW+@pG&vj&@Naaj6-w zF#OEFQ{R;*nE8>zt<6=tKrQ963GEwxKD70K zMmfLLFg);!j1=Ig_gcV8Jx>L|fC*Dg+jp`K1}1TKtE0V&wqv8(ZL_Uc3%ArGm5co+ zPfbM#ZCAQXa@03&3b3yEM=6(9chUlY=BR$_Ti;qfqqn{7ZRJC<{VWrWro?m`27)W^ zFdUUWmLF}%dlBEu$v?*Pa%jW4T*>Prfl;aV5n4jzjlasiD2*V3;vtWN+oU`9^MFHy z^dtbKRpa!zW(EZh=Gs!S(-shH!nU1wL)1XP9@xx{`KNRupkYUdYZt?uZ_olbu9MwX z8FaJlF@3_T30EQ)M;Iomo@`i%LmdnLOUUgfPFzR0&Cq;t={0>cr)tFzK$g zA+eKLHY9>gz~D;I$9Rv?ls!g2ZrZSoi^?5Kciglifze(bWZDQJUX6Wb6MmY? 
z_GaGN5q4{&^4!+CMj|k{ifQPSyaB`>u6K`*VX1m(05?)vN=PjOE zVpWc9K!|4qi{B|MO7k*#k`_Som~XP?Jlasef)=xz`T`M1xDvWya?-v_GYZ{E*sk`a zBw7RwFUnDAPut1w+R*!6)EB_ROr&9%RqiEg1W{hd8!V`Hhg<-+9bak4Rc~hPUTt!g zlQhKQ;`4lQNkB_n3qsA(9{{Ty>hc9ej2fyBWJz}iAd@F;*3b2Ikknlt0h^lskiN0D zBwd;AOJBy%$Al{YPX02}6e__93`WZUj@=!ZZ0~r-JL=lG5jJ5=uv=FwiaRR3@#`PQ zc#P5ddHUyLY3~VIzYbU8oV+X@%3&QLDFDcy{h*9DKEc_G+0ZlrlIJZ=)3D`ftymAu zqD@tQI2whG}NYIN7MCC`#`+R~*$%R5YmJ{Gqu4Zmg6j-|WY{9`;9(Z=Y*{y47dBY_cf z;UMNh`EDW{M49k&9OoWa2hT^=jNH%=IAe1j;oWi`VW34sjB3*|<`P~7auJwdN=&Q> zRD{^4ket&VB1dKJWK~tt#w0?HRM|`nAelBmQz$TuP}`y;hthUffBWHK6Snfnq;vo$ zo>|0al4|8T^~gUa9w6m>-Zdv7AH*T<;RB(xANE)Au>X&`O&0 ze|6qmTMI#lmEfgv)mD97CbK@b&u+A_(mL71CoBLQfl0<^#8hiT`)%T*VSeFK!gi_n zVseQ;c#QEm3T-UyC5pWeJ(hP_+65-}z)1{`$?>}>vr zY;_1=%#6-Ezf2iIz=+^;VzSlOVxv{mhW-&$v!x@M-DXUoRgxJtWu~M+Ktyu@9tUi& z2qrU&kXee7sBCq+H(wc_o4%WRkwwU6|0JL1sd-ER5|7{9ksDA*KGh}6{v+&$e+}(N zTdC;6ZYbIa{U6<;a1Jz7?C4U#fU$dHOirp_lUI zkIbM(N|FlrtRlZWsG4K^b@Wllt(fJ_NS&dC=|hsHrOvfjcdmj$-aX)pXB0Fw(+ z)HmgG&aupgV`v@d(Te8tj*=|-{IiQBr5q=dBRP-C@g0yb(|ecp5IP|89WfIZSJR%d zX`mqP-VWf=fX)X^Z_psohX9m*D15?q4jkb= zZ*Kt1f>xh{@-NLQbCBt1l4!L#{0>rQrmuFWbM;W_tiCH$&-62%KvTu5KO6(}2kFC= z{M5;i|4!Mo;dKH+Uyy)L+y9!mW;6}$EpK^Cz*^59Ei@q?<~j;p+OhOUp&cddGId>+ z-;mdpxIU6*G&#Do%)o5?l28_FNF8UUb)tz}PM04kI(D|OBPG%EGZf!~bAGye=!@-``%moHw0LhviP16CU$qN7rtdgHE41lONCv*v0=zwlB3H{TrfZK8s z@g{;6_yWVEF*DwfK1Gj~34r(UI0VLdoleeQ+K_%Q!I6eU2+hW>z6;&1k7GePzeQnD z+#>oIpG9Si@mNF~(iibuRQ`}YB)c4o z39agoL(2BCMGItsr#?5ItDM~d(8QGKX=KfG2Y|2ea>A#c2K=-^wV1&Gc9qvYX?D#I z^C{aC7HC7wX-%MO4jt(p(G6@Eqoq zujO}srNhy{D9>%gCIZFDdUzhGusC&=H@des2X1Lh5hxQR6IE~HwFsPfKt`)*JsjQ^ z)RGd~4^xeir$T$tqSi7mrX~dD+T&vKVU(c)GJ6i0=TrikbOg`L5k9Eq6bDEa+U72l zZ)ZIhd{z5VCnDB!|5CIJUoeSW285C{`8jwu)5g;|CV4crBhU`hg0%f3cteb-Wr z)PFA^#}v|>@_B`yty01!02p&MdDqh~1qL*!fJQAYRzBcicJlKi4-+e~HAjjsYa@M@ zWVN$^jwoPBx>Ti{_Cf8STKYQeG>e?p#;vD3gMscB*B&M`p|$k2iJyr|d-2a)iW3$H z9&N}LB4%BiYt%kfM7Wq~O~}Rsuyx0K6SpYOB6=&Ue;i9YM(gM4pO2-z99p0El{`NZ 
z7|~)@Gdr+`i329a&R3`@xxwY9A*2zA8bM+fq~_%tB1{oT+DDCuB`@KQq?9I64&Df( zvAM`ep@?{93Yn%=*=mCzQWcVO&M)(K0EiK-TJ90#W3qYKB}=V0s}0yfU^3Ar%n>5V zrXX-Z5z_PMIjyB9(JTbgDU9 zJ_oMHIl0S;pN?Zb`T*PkKT^`DpuVP6>f0N#k@vke-_gA>tWQz^Mx4|%Bz_{JXN1w* zA~axRJCPQ~1od*_F2=9%ZAWQ^q2|)!`^T}gW3+yrOP!C^b&Pf?KF1M%Brv*vhDO&2 ziQVlZ?i=}rbNPVXJgvnc;R#s+Ou1hnb=>%Xblb|gDGiDAAtvTEIy9$W% z$4DEkrq;Y20#>qBnRCZ4!A+V7a4oT5E~O4>RV_ZX3g0GW*Kv|(qd=j0NGY5wvqnYN&A_3`ZG<)jPFz!=x9&=(Q0b%p`^hBP#H}#Y0-$El7gEx zU1FBRb^}<=CsLT0d)ZXUM9&&I%%?_ZeFh%P4XbTM(to$S?VnB@7|rir?o%EdVAOm@ z0Lp|%!bV#fTP!Q@QNkj@9iyWO?=A3LZoL+jzo@Ru)bl8Hx>VW{gG(i9@#oHG=4t>b zPkaf&c2o_T0f0KlS0+~CH`>UNb960&z6!YVz=x8xVBX46dLnfD5t@kETp(l9(VF;I z*g&;IWWdB|7XQmyP>BOJaMzs+9ZE1mfYN5{HXv8#Vam~YwpT4@b$D(Cfo!iqSS>f% zJ*SM+Iq9t0FO!O6J%U|=o^ou{8u_g`NgTgUiqkdQ1#5o$livW5c_&`Xt73CR&&Ph5exmV(O zj)7M0i=4c9@4ifiH`*-M8hm%TPVx54G}pKX1`XgA+{bJzd8H4w7FTAP7AY;2#;al|d+cU1baby>uBnfzmU$7n-d$8~)q zFxowPXP)N>Oy&lyMmTn&X>iaMpx7@bBWMTN7|0$(B-JjC&n!8k}5kXeRXeZ$Y=s4v8*-F|#zV}i;qhACW%E3RrGO6hng?LQ7q+8{50u<^W z_BF{cQP!_PKA6SSqE*qN%<(DHEc9x*KE*lOn~xaOkbL;nC|&YU%4%9d>Zfx2R|Ql# znnJN^R3QH=U66FAZNv@yeTp_=|Lp(Q-g(E!QDlF-W_H&G+a#OJ&m@r~GA8}Q34w?L zfkYIDoRdTnNW=pHBBS3S5Fn8F36srFgged>BAa|f7(VO5&BV3_z{Lsc5z+`)GHY1B?K619$Ns$Lwo57Iq_4 zHS9=fu3iUh=UrNyH2*kVgu}(9l;MbSXFv*q#RT&(tW{ zoovZE_9vx_p~;{~N%u_91VVZs>2s>09D6E(Q?)T|bwH8P!}-}5an&1pMKm_-;shiw zgEYNEPm_INdA$>W2`*eghF`$Zx~hoc4#`R}Ytj@_iL$H>$MaV7Asq^oO%hQiJ>yUr zl^OOVfioCg*7OK~+(1(j5&$a9R$A&jGISv=^@ z7pV10FJoh)Ix*W??6FO3$Kp-lfG!^2ZO?4EPLJ{CM8J?8A9&35=|l zBZ|bG``}@RK`$?)L=#oI+r>Gx`v%>%9y;OnKYstdnXEz=BaZVQ0Pl734)o} zNC&pkUQv5x$SI;`snat$gc^j@Vr#2(k9`T-lfHEhtU)8Og}ed?)^-_SDjntnAfVJF zHNw{bs476@Yl-n0V=lr)S!mIxeVUMxu&3B;XaTQDC2Aigttp&IAfgF%(SS`rjMRjr z$5BAc>@F-P6;=`ovz!4o0E(?a?9>twYjd7ZJ2B{pzyTp!ALZ2}>M4E&&|ct*&8bjS z2T~d!7hqMh=4kk8I#~7>GR1MV(Ai{*;SM=BGbV(h(8J?uY>x6$&8cBZ8ndCndzh=rllrSxU z(VF@?msS{Ol1vZk22h|5#6&tk!Xz0+ztjNCZiFHC(zs9c%r7A;&+V8dJ-fskxHeQMztLm4?@vLij8T_AgrX!O;!$&msq zW)Py9VXEm>rvf@m?V?2V5Ph{x!cv-adK~s6bxCz}f&eZ8AE`VhZGmDYnJ6Vi=m7;p 
zS4meEn)YB{0X!tJm29{jXb~Xjt4L2oD3K^-_8!Wi+<=~%y+-siOC0r*A$FuQg3$SG z<-N*k@5DWdY)d`ZS_Q%dRH$z@8m4@Z9D4u>#bvUj@K9vV{1ALZ%41S#VWCQkRA%MXnmVOp=~+?= zhg2!RT*y#jmpVq%Fkt%yv)GFOChEx>uze@=*CbZddzTd6`=!Oh9~TF*r0_|8#7**V z)~^%sNu$%QB`{hr>tF8Qlh&XsSZ65823TF7Q8h_IzzZFbIX>0#x-xP~K=}a{wvY7U zP6^YjlPPyo^RV;Cn2Jq>b!A01^B36k3Rnb9HZsMY)JQ8mpcyD9hdG8kYzq<-2NYh5 zvT7Y#fPpA5U-2cGF*k?sj7FIuS^1diH%@6Wl7<)sz2u`#k3C7kiX;#Hk(W|3brD-s z@A9%$2|215@S#^g$_ODwZ&NL0*I{D=*4)`hnIyj=nIloDT=F&>5p%FA@Q?ETt}r5? zti4wNp8@%saY*bI_ zvXLC1R?#d;z;7i+LKk-q<bj}CSrBqDZq1b_e|Bqo3ewGEXG*G&17I=YV=2Ng?n z@t?GK(J+nfJ$>NaHCfM6cTC7Fw4lD^0kpG*?(kGsYz6TpE?{PMRaCE5#`VJCV&P2gd}14bCCqW z1HYO-KL0LOQ5v~TaW<8*69g#3Nk!%XeAO`SwsCr%}QrP zQK>3z#ap0wN+0PFY0f}ouI>erti)%}AVdSrWUN(|iqLPctnS*#6Mls6qq5>suyk0Pm5%;ixi zdZDB=`EfdlIx&dVtC2n%{S!d2TL60}F;@xo3Uv~&!0?T2$ADJeMGRMpYtV(>h&5T^ z3QWfq2w@9j)Q=Igg63c`QBtWWPR&pZ$e1dns0Bvs78{q1CFCp6f{8WbveMHFn@S*z zv4zCS*cJ_&(OdLjXB$VMCIq}ns=kQz-CnBe$DO(!D=o-8g{S)W^%l-1j zMTC*bc_DeRb0a_l zNPvF^46+y5G7mf@5mm=4G3AB*h#_=Mt}#1TkJPh@hR6%_asX4os#0l;OzxGStx40> z;v&5;M@R7hLuN(~f{fB&i3V7JngoSClK3#mkR>V`VPSZgIa#`|Dn5Av47Pw*paJVZ z7CKZ>R&3Nu17d}P|CQyGzwSk~8MIkY42aqSVSrUcSD7LpLcsP4qmrm;yi;b>6eDQ8 z5Y1NoL|M5{a-I+I&K(U)n56e<{yuKn`&RvZdeLiA z8cBZ9IF0Uy8oyEc@%MDsh7O|q@Ar@2aufdgCpSiGAE;zH85PZ9OtW9eMpOP>or_*4 zk%^rZZL%UpU#UHS6GDWYz=5$~Vc#BvC(>hop%N1*k#v+_N%^oh z64DU%rh-PSY}8HQP+JU2n(C+ui-FwsMZ&HkDGs|6ar)Flg#Fu1DJ0Ac$S36uz1(nLnoN-MkawY6@dfknYAkuiIf_{)F+0-6av*rdcOG(kq) z%HlP%+5xZf0wn^|DVNIKCm$MdE~7R?bvpTeFiy&^hHw+So|g&D0?ALw<--`e9TDr?9yRc9gex0)UGT4EL7> zLdFluBA!+>ArkP#NDEIZ0!G`8Ruxjk)+U-v64DNsX3G;lkW?ql`Ns9$b*}rFI#gZy zx{WtZBQ~dhC<}nY5B_+-CX|(e$DUPQjsVdUK$HOLtBTSNi+>htD zUp)OzJtMy~|6zYOX1hII|4Qq)()blL!+3dhzFq-_0E8_z z1QY-jqgAF-@kK{MQeVNAK_A7|!BPm+4Lh(<9lXaZwTg>0gIc8y$llE+GGY4>kXhR5 z$VdRzwUtgmGqKe*4N#afh~&U27)&c*$iDyzXc(SJm}QMPA#OALjbI_Ro2_VobGwxx z@rt6I-6#uM&VsZ>R)7LCy%9Eqi=rEPM4G~x0a@Tx+fYs~g~qItD`L^Na>~dp5HZV* zq8V6Y^N}5j5ik+s3bH2|wkb0+*25=(F!ZVtM5A~H*0}ela!8OGKZQ@nyLxdvE&l51OQX$)Xe@Zn)YuG$f^+JFYDS}jl%C_N# 
z8`{06yqS*Yd6?G5>%Fh{4jR((Z^b_?kEArx{GcUTzO*z6Hyo~IFoFn(^ab+7`|EHJ z8PXg&2YkcwbvN`Bvy}p)WK49#(H8lkmhnSX^QHx!u^pkpMV)WYQNMQX>!s7qyR&{IQ!dWy)X$AQ7==5un4+K0pOPVYo(p zLsIg~K?Wl=apQSd@8j$HL{f6?yi1E{xj-2J0144aL_t)O<{!_OaJV?l&Bp)iv(Ms5 z4$Je9z{peN3+tc5HE>`gIN;kIo$T6cuXR(WPPL^U_#*)^jL-HVer+0~Y^Z7gQ__A$ z(e#E&KWW7~zfZHBcWH5w{PDxZ^G^$#6wb#-ioE&ek(nH;apK?t2lCH>S6+F=9eL!D z?(MhVwuy~^4PXQSanDdc(h$JJ$XY$;J9DEjjlwm0pO$`FyiWKhrIF-^YWCiH@3|9B zIKjRC`s-<=cGSPH?z-zTNhi3#fn0KcuR1?Kho67WWnnT#G$6$fmDdkgB>`8b$nJ=m z)+u5_I)MZ2a=>>Q0Ezp!>d|hxqcxrf9S=ey!G{1wBf;g6$FOn0cN(7oqh=n6{MEk; z*XB6jc^bWP@1L7XrS(t&j9TYeh>&#pYrKFlvrZ zAymdW0h9=9_dsWf0ukhnL;TxEUQkH6ZT||%rMU=b5#-u3LF@n90*`EI_o`@I&dI!90*{Pxhe?+1rCf( z4g@e7o%J3{9XOCV4g@gDT$KcZ0tZGX2Lc$4&Uz1}4jjlF2Lc#nu1W$yfdiwH0|AUi zXT66~2M%P80|AUOS0#ask?sm-0MjLJ9 z4nO>Gx4{M*B&Hp025e-`F)w@Xy|<}tAAR(ZyZ-v?-K<%&qQSy_MmWIUM`xUIhSfD^ zuD$#2yGu~E{r20t!4paDm%utF5fvJ@d>n?v6X|u+vYDKmK^5ag|k8vHWkj zXBYce6dv+Hh|SuTg`30`R4Ba`|r0iwrDKq{-nd9e*o3J_ugw&2H>G~&7VKt8X!j{ zr==aOuuDkAXKmYu*JNxXjmpWRTG*(@8RX1_sL`#kj;Feo% zY3+s&>>-C7VjoW0_fbb3HAADe85sNwakFOl}TWqm~9aaYzef{;GNtM&Ez`y}kSP+i&d(xTQH7px5O|gVRZq(vHS|hg!^U3fpykd$G!8;I|c$!5p7rAh<)94*DXOHAP@zk zC0^ee0*`fO>*B#yC!^=TyDV# zX$6N0h2()luLn4O{P9Qo60N-Q%GOxMjvZ@aum=#r){|1|HJoPBCVeELE3drL@s-0C zaPr9~J3#WRv(Dmma2ewOA1eUKyXgIQ-+gD^sNF~_s70t~NG1S5-1+u{jd7oS_AwjL zBab}d)?05qcg;1|#Dg#OjAV{|infi-5jBmEDD5{Y1$i2O`spWYXCzdwT`!eU#yoOs zGg`E0k$t@|Qt!3bUS?RvfQYe~isO9s%Pzaj?Xkxmrmg`Y2Oo5RP2455pD|;`xb@dx-<^8use{1*GwetJT-+fA-FM%8X2|xE`@)3_t^G2v z0*#mpPCM;1Q{Q};cshA|&Mg?hXbjjt{P2V6?=%o}cJyn$EC3T9^f>n|uHL z_pMP87qE(6y&Cr9lTSK;ixD>*`hI_ZzuohvUfP7kaeeN&=Nyd~gC%-A;EDbpTsAo{ zb?Q`8t5K;Lp+(y8?yIl9ayQ<1qX7z%4Ie+i0z-1N&IuoFKd4d9KKramH`sY-130dj z1sG_FN;>vZe@GkYiqTiv&&w~rY&J(mgt32OXg~k_^KI~j_Dx%kw`c$C+qF+S%h!TL z!D^NXY=$FIEYGB!g1tb{SM-oYL)H&^} zUfYPbA3kohCv1&ThfN7EV{{iOo-n7Me)?b#^5R2?${%&m$FJMkRBmlX(aMQRE>VB( zTLmKGpm*16Y=przlXkZ?m|DrZ_b(kk-ua`YZKlrS?I-CYNt#}&!k&oAck8XUMzcz7 zU$o6;+UF99<=~+!B%>VgIgl7QkjjAx6DF7hRPUpj8o7&JbcJNpMfDMiG7351M}|jX 
z(U&N4t_|2rlq5U^4g?P5ngaoha$S9a_`reg;XnYR?y1XAlE8snb0C0GuB$H)A2`rG z90*|4J#`sM5;%}+4g@gDb@c_}0|&Z?0|AV>r!GTD0ta%<{907*qoM6N<$f^=*cp#T5? literal 0 HcmV?d00001 
diff --git a/src/assets/img/Delta_Class/use_case_3-1.png b/src/assets/img/Delta_Class/use_case_3-1.png new file mode 100644 index 0000000000000000000000000000000000000000..530c57b903f623628fa35e69e928170eb3320194 GIT binary patch literal 61376 zcmeFZ_ghm}jiH*6cmA)|$2R#z0SlnUR|j001y+ zX+AIn0DwJbWzsqNvwPlXz}8s?^flDD4=5kFLOQEFb2QU(($xjrJ}aLC0Ha(0wEuvd zCGN8X0MNdV1TdWC7tWFa4hR69<-mXXaWwyi1oq%S|1Jamp$SkmQq$5p%Z==P934G; zojnnrPMC{lh!ZZxW(YG~9eI0Ccaf(Kp3fXbknUdppa5V<`Lm+CBjPDP(%sF&S01T& z?Ozb`XXSsIMX&My3k2b+c+E`LfM3ni$B|z~L`+2Nni3;FKR?XJ!Aaimf%<==pVbtv zIU^8W@}i;v0RbWbk|Lfya8YqNIXO`=2~i1&yJrx0eNi5Wr^ve=z5@S6Ze{m=DZzta)v@*hqfzW+U}vjK|!(<3S_A}0Djw9ims z|Fp^*xF8+f%pbV8pNZ#;hmwS(B zk-*ga`L0*T%E*l ze{*uiBMeF`Hzz&Pa~MeGcgY8!d2(d(T`{Sz9UVx5fSu5H1F%e8$?YhGOy8p;b0Jfo zHLBC%f{FZ&(}Q0v3jW{TUb=H_!e-9wll`V-&;pY!QYuC)(2hbNh7W^s8Pr)bzk_x- zj5HSiUB^JV6b%%`&^|Z6{->!yixrH+Ypr5R{|o6KpfeES|4_j|{~ySiF#m6pOQl@X z*;LO=fLLK$1j@B*>U=#s3Sei(JMu(`R}MJZcgfEXK-7$T;hZ+o;-Q7+RwZ#r(D=YKz z^6CzT{P8X9ga)|11?)%xw zp6uG5?o!eQgA3L=`O4NKA|e)xJR}C3s!45pf43;{vB3`1jk&)Yq#L5BZp!R_%f1KC z$dBS?R;7b^N`mrX!l*bh71r~9aK$xLx4Z7_3hf1hdoPva_fG5m5voj34BtP<5Z>GUgSi@}Nw z`K_r=*l}kV%-z$IlXoa&dK7E2f|mAr^2hUZ&$Fz213FM1{eP@O(NzLz3Pe6W`Wj|7@6f>jD_ALjVMNyp;l)%^;D5|L)ZGmD69If1Rp+-p)=T0n%XxHQ6V> z;jWPJsuJqyw&RV4XYBA@3!dTr5Xp;$p(gO6s++8ryiy9yb;G#-R>2p$|5W_(xgvEv*Kp%+L_nxQM z4F4F2Jw0Acxq|Et_-G1Q8E0_rj))2z@BZ}*( z01C>GD&Ad>;5(k@)VjWjjPt)>_Te-8i8oaC!^xwO*c8%U4Rm-0d+)8b?9&I6QiSc& zwdwDDzVG*9Y9yyX9?$t{kv1o90{uk5 zGeMcMczsK9fqZP%a^A3lrekJ%7e0o2?g|R<_c_H;I?nU_|yT_QWTJ>l5M$ zw*$YchEQnSCxK&uH(rKn7n&kEN0hQmSW)3&b3$u4_;yw6N;IN>#~ho#hs_s5Zwtr# za_&{026-Sl&`-T~Bw+-4q`1t;%FZ#;%l{Clmh&Yp9`KTge9LT%eJo*txv&&z8Wg@} z$PnSY@46XR+m;mmtY+Hv0RvZeZYCl)zl4<)?jwE9lHTcOQ|R_{9!U6#xwPFh>NA}^ zZc~BsvePX6UU#8(M+)|}0w(*0pPdT^m`gV5pcf5%IEiVDkt*vQA#t~;u*XO^;1sX{ zOKP5^K>eCLpcdg~mhf7BHBxR#+msxy&p_7{r9N|iojXJ+nxh(+DBZU-I5Psmj0!1{ z-_Y=PXxJh92oQ;CNBW!;#SJCLI4(B$3Pf@c&c!^51xnoPk-Q(a2M;reJkP9>(7`6I zGs4B`(gS)%ZwPIRco*LmZPo13>3YMNy8$8sApS-bRACaUaV(S&573^y@}B)}Y4z)l 
zY@srSz$<{)=f^sg_C9fIlj(H`ju>L9cwQ`}FOLD;SP)G?+W_>u<;Ue82+{54cq)EK zL4W{32%IqQlY#4{%{tf{@)U$&OB3)aj&}PG=L)GgSR!Xr=8@%OEjHCWa@Xoa_$3*$ zEsR-oZqp4ye_C7G58d2fiwsEE;fCC$SFwAEz8C>C;}T*3wWT5pFYtvwb;g1dt1uVZ zMkPJ*Tx!Q-oeg3yUr3@6$+IYcUafK&!vG(3C<;q3O&@1K1JP(J(6jY7-4JVp4C;d`<<%dqFniHdsVUq;(dlY6 zxEqj<7vQ#*TMyIbS3f155AD&)Rb%0}AE=$urM{ndLpE#Ko#t@DsOhaT+wN_{^-I)u z`)Q?cI^igdL)uy>C%l>A=P^bNl;`SQ?MDAP-tJLydl1h&>=vVqMzzxGF zu-xY*uEXpF27|8I@{U0CNX+lH+mqCmn$|Cx7BKVL_Z~EQu%d;&dKKsP`r`+kj#{_x zv`P@F0{6O4?O{3&$QYU-n)HDeWRRZ84fKr=gGlI223SnK_s-AQfREr4F>gt-3)F-M z&2f?ww)Sl_4Li!(^roJwX#YSzJ6!Cfvkl_B=qsKvHk9zCd}E@YerMv2I|-Q`bZJQ# zy>gd)^G6r4&+^jEALnuzD1ejoCEiV>hN6Ijb04O^pnc}2(+R@@B0JH%zXsJ4 zpC?BRkM^YY`!=?w7WDgS4WIae`!S=>=C*tE5U}j zn7d#{Ndy*y-={UA>CvbHkV-heMWi}3;+0S=jlS*q#WxcE+kL;29?Q;RAo`pi-zSjY z$Idp>-9shyh<^p=RFhcS65u z>Dtud=9f_Kuu^KSp}6c9eezI|KK#ld8ff=y#g92qK-XOUkur}a85g}xRPs!OA<}Jf zQlg?{UN6x#bicHL^3yfhzAN9Q&sKOciM<&6{(bOFNsD{nO6vh%Vf*OLm7DVc(j18q zKWlh^c-%AjP`U7C0Xwb+B`ex38T-r+#0;&^feooL5@x;2{hW{S7k>cCjlf^7Ij$y( zUvYTp(So{*#rJQx;We{<w3F04PqGUKLyu1;nY-M*M48z=p0W;gD$VYe2aK0y zkj0D`9$=CQ^O~Ll_8sM!k|0MCBXcednhR1x6T$Euz`bR!bH(WZ%+^*Q;-a#akbUeB zZpp(Fsc}eOR~~^G>FOeiTYxhpL)YF%v5Jxl&r}9&sL!4HP@C8QtOVA4`-1vGPoPTc z-k03p{JND6r0Q2DU;qx$WWPOTllO_%zhlB|L?}>guGG%VQS9)7X@~TTAxoBoGs#6i za_s7yIUymmBwLuXy7XdEZwOJmFV=t zr>|@0OfkjTyemXXBTPZ*QByl!x5&-kDk4`^@dLd#2YsJaUC<)U=bsGzZ`m575 z3x??JN5nmvx*%ZBl;U72_9!w;Uhzn7FdKT<7GQkm*7&&qIO{Qi^;iYM1I^+w1xPV_ zU^F6bDCP`ectAtd&(+mX@Iwqk#5XqaXXQM^Au&4`y*CMymDV`bybWge4F94QkrM3l zaZ)wePani<|B4gZ!#GDRo3mK;<5j*j>$3K@e3M#E9g>EqAFKruMgpS#EMZ?mgj@u* zTMmDGwv5S=Dxv8Zb6`S40+s}}ekaOye~ox|PS9=y$TMTuvhLl{N!u5mB7bGgBpE7K z!f}(vu4!goTLeaghOW8WRD|x9Xh(V!Mkg$0`3tR2uiZ#}{>SuGLqlo(39Ih@Ni|BEyV$ICfu@3TJAOl#de#`T=3&1uD2Kz%q(0)qMMPv!q>aoB?Q^YUHo&Yq6G)u_>B&mlw;2q z*l*YM8aQo57z>>aRifo@Utz+er8UZP@%wyKI{_y(Apr*xl>}qEzU5p~Ww~Jq2QX(` zhh-p-U`JVn{@Va<0oRDwJ&aeABJPyLJ|jK=c=HEv+uj3Ax|o#{?MxEl#mNfV5J^e* zn#Dajba2&(q{&ChM36<(jd!wGL9RXC4V(il)244*$m}|US_GZT zESH_F-}@WlNB<@rVfu&I2Y;8_ 
zH<2$!R-t0_t1QR_`M*|m{dep?WPWWtDSYVV4-u8PX927BQQ!r3ZFPZqU5f0IUG6T4 z^k~xBgA$K+ha@FG1Z`&c&mP$7WTQ5J6twl0_#Gs2Er_gz^HFp7iZl4mHM&3;={t6K z=;?9dhAi|iJZMZ++BL;2Ui5>(>8moB*yGT;Hx)kanSIkg&WZbD96&s|0%Fe1I(Pad zGPB|wjG~&juBvG1O|Hc`O&Oab<}Ph|DVFj`l392+tF_wNSe0QXXV$O>s$N%iz}ANK zpzaUZ4yNk_UK!xQu=1V#foy7HQFn1p5(ZyH$pZ~XDU!oRN?__mF@v}?XGXJK&U zuO;#QYMji5mxwIQM-9oel8n%_`_&NuvLg99D3!-@Anjo{%aq$4$K0ElqdV;IqglMy z=P(rYo9Kz`=&BMmYLY>GN+5F>YR5+1s#a+R7O2L4Vn=g<2nGOwYA5=);W=|22zvdW zjm(kE%HZ=$po`(c_IC6vulozg04JHh2mC;RF1xgDkV6NHa-58x^otz~tUMo^v!lwfTZ^kypndZm>)nS=2i*5 zN!Fb^a~C9Gm$a05w_7%Tw3IoBLGn7Wg`QTz9Np_%$Rl{#&OX%NrE%d-?oj!MkYq{3TC;@zsQpKi5J23eIl(pL{`% z`}L9rQZk4(E*@EiX0c)M7D7+j?7SN5kY=GPg+eT?xI{&FCb@SO1MLh=Lpy&oH9`D5Y)iy1^&+4 zuHq%PN)}|TW+#eS+E))tgDycW$?_5JA97CctZDb}YD!_)5{y{1t;p zJ>HhLwO+d{KMNo1=qM2wm$n_}3z^}!|4Nri@s2GcU%*s1kSnW(I7B89QCQ$3>hs0x zyhGg_h46kR$A@CB)nL;FTAgPe5_ubFXxzwe}CZHhr)PN`5km$^9~>EY;mY+T|%Pd{QJ0QfT5* zKp#w(RBdDg9_4iIy}t~N?eN8CGOMN}_}?I)9I;4Pcjx_j6+&k>k+}>=^jGEn>+dSM4hq>^LMLrh)<5+buJdhi6u+p(sup z#JgW4USqOg+78K!c?Z2*o-H)XER;(z5I7z^H;=yu~K*qJdQT znkkF2_X?m=Dv-9adx1N3e+jrUyx?+yXjY$az^mMqJ1|lBFAkfu|LkpsoxcYq+TOtH z`4F&5Uugi>_e>T=+rH1-O1I;n0}64oIen$~urrTUHl5=kI>}bC_=D6NV`-9`RWc+8 zHWB!`ezI)}aN2yfqVKC~vSHg*wDY0gp_$bHfC!@+9^Y3O^c}W%Teg}F+~_oVx~JQ> zFUCu)5F&E7ShqqQCMv7v%udRo7o~^+ij!ct$!&sr&F!n z5?ehW%_2#jn_Dw%T{dHe z02lYl7QNenlrnt}W~R1^*i|T;=C8=e6{iU1r3q?JiTTyuTvACPLEoZhF zsnGVg-L{l33_2)W68-n=U9a;id;?^`NlxWRc8sJ#OhcHZfC-;g6=`&qo?})Z*?R{= zqmMc6QObWTCA<@b5IJ~_vd6(q#JE_|H16w`PJYFo4@WE=6HO!CrqzW=r9QGuaIHx_ zx|@E7#I?c?*ACOb;PUp;Sybd*Lb(0->Dk6R-FLcF3_|c<_1q4^a7DUqXFKgK+q+uV4qW zHP1szk3=z+oy@-x>R34h5O(CcuWb*$0iquh=3zP$^wK5sBLRK6)sd)gS#+dz7no;n zWy_@20DH?Z6vwCZz^+d*yYBu|VRxF`un|%MxrV(k>==@2zDR4vcS6+AX27s2-aq}v z_nyz{jLF{~!6dAU#I|asJh^}?)U(s2x7V%LArKp4!DfvH9R-pqCq1SuK4XeTEXVSE3b6TONOxAJV>4r5Oz;xvBON5K^DrgY01c5rCImKu3-PDOI zulJq+6wIo-3uKPA{#H#1DugbctYqH!{$PRL%BF;h1ds{p6z)*Y zQRYgpz{T%Kv(`vF<&BlbJyCe~>(KFt|A$GOn9Sf0!N)K9S_A@WL>x_p9N~Byp2(43 
zh8F>s_YMZT*!8(VcJ)*r0~KMC|J;P+__av8JAga-_iQMSr!D=c(*{)4+B<*W5L1LL znKa^qF0*9=$8c5d`Wnz7n%=Fn9JS(8H=?npp6~9jU#UlHkC%Z2OW;IVV)wJfL|c{2 zfzzp@LjAMjn~k)T+{p$M1ay2qC_YcP z1mMnX!-?5oVuQXk03rM?=KGc{E0)Exn`g&5*xA2(^_&&h#`;e{w9^_5>u})~k`}{f z;Dk$L@A}pyZnie5v|HY~HS4ZEN8a@ z9N$0CAlj~T@F#kfl8n~b03a^}tI7y#ppeIi)7J^UG8HujUJ9;)bf-meK_DU6Z$u$V z+@w_kk?nE5JiP3aDOR{AJ$3jq-`@p35&5tt)-!L$M99KV>e!iP;-O)!@B|mUc1mS1 zYGGp6=;sWmI&O+*RqD)#^+>?|zkiG91$H%PSpqw)$_aN@!Dho-w;?FRPg#XvKsp79 z^V6##qEG}@T}>v<1{@N2-{of$(y3iEuBuph^`-{OlkR3C{YRVW>qZ0tTg?Lo1D5$q z^8lCm2xa0eeXa^CCv)VYxXIC2iW={7rGTkr!{lpJ;7?DVOCKW}rsE~Wmfla~J$+~c z+j^Mm`}-NAR%5k?rrWOQp~%X#fN%(Cxf>To;WJH~d>eq4sZM^KG1Cd`-^oF(nY4&; z*oFKW?=0y2J9rw{6ijY&DSrFscV%c>%hAlH2;lw1EC;9{3*a6QP!D@RU#O_r(Jd{u zvLeo(tPe~}s|OIccsf|^7DdH8+`(1>*cAyZeOqp+B-X*umWQzSAmd&5vtu+~(wysA zBbi?Jy62O&@3ON)%Nv27hmrSerio+y<152;W&@>>}nX@*U&{(W~h? zjhW>K0*UB5vrjaLz?{0`^`6>bpH%S8f{NnUAwg{Z_I~Iha^Q8tW@Gn;!en?`R!{pm-w#YgK|(1SVKp9Z z^l#bE4j|ZAWL<0}FUrgexzlTB#@W&Kp`%Ps%R^Zsm2oXTw^)M z3WcpXg!rJzy)gs^_IIj?DPyP%7JZ)#O3E z9Z=uwmZf}}n}z!JAd<7I>j1YA zDZadpcW_UX`M>_?bgXUn`7=JW#K4sWOvBT3CzeIU=78R=y?th)w5iWis{z42O;#^q zA@$r!I2{j#UbpK|`%zpPsD_){ZguV!eo&fjV4QWUB$g7R)sIIFz|cLL4FB>5!0T)<%c&1W!xY}wSk*qEnro>OngPZ2{nI1C9y zZb|e{HSmCrg9`o%iF3S#S8L=>L zc@+qC{Af@hCdy}`GN4yqmoSORvZ8Oki~W>8NF0Bt6u6S^wup$=E8<{Abu$=uU!V6q z#$yFrLZ$A?V)Pu&027V7 z)deg7GZEt+vRx7irXh02hBCSR9#7M?)y*0CmTyW20Jw`v5?XTfS>32wXz@pXro zS|d$ux;{viNTJ@W-=PrExV=SN?T=cch2`O&>VUqxNt0>8s(hN1t~(Cnw&S9WV(cmv zp-WHU7aM)l<{MMw`E(VOPAEr(JNvD51c@>DwT3AOxcXUC23B>UANB5B92djj)e}s- zxm@m$wiU5&7E-qdCO=@k2obIh!*v}1Bqe=S<%jIg4KL&iTL5v3U(n*0muZWgPKm(c zZ7`&9%aOoUg+1ZSJ${OOxm$e@^R8gySjMD$a;ZEhBGz$%9s3mIsbrw^~UQb#-b-G3|8U7vy^wC>07w< z)wwl(Avt1Ag9I`m!fk|T7v-@-H9uC5@>xf%Q){6bzMqNHMIy~M)IX=U2aGUxH)-d$ zOpp(2a|FF3=cw1>Dia?S>gWLI+WJczep`be6nvLOvW}IUIb#6_6Kq(U60DcrYw_Wt z*129r*r&xT$(EJyZY?Wp;LyZ-_k)Jy)%3|!=WbUyjx6{K!ow`U2ymVa)jzt0ThORp3Tz3O-RhDCJivO9yjT(;?(WNBfSzN`SxrZT(ip?eTof5X^14 
zk!$cti_bD)RJz5%BjQCX-{_5qA-pF-}KZ?E!&w|aW&AsG$zSA@eeMcW7aHsR3pP1ofVPtkX12=(xWx1B`JuFxGg%w?nq*q zT?;7F(^#(yOiWQ%?$%fZ=2pX2k{)W?>{9c&9bZmF^JGO6zh@U%i?%{HkAJ96Qj2Ck z2?jf+9Qm6`Y+?Lt9?n}g&$lp*{s}P;yvGMh0HT#Mrlg*62nBzCo3r&fAsXFlQeM3) zlwH|d!U;j6R90?Y_^MSGA|SQHwburynB>LZX-t!Un%s%Csje)kxnC}8sFZOOp;6+8 zk~!}IcvH4zmdE1wv_JH~U69#>$yu(*L~$o<_nZ{_J-UOFo^Jo`5Uwx9zx@Yxkp7vD zSUy-k$H(JqkCt^79~1N4e`P9`e3{MDFlmWQBKchIzA{CzEt?hm6CgWYtJ&)0X}sJ0 z6ku|Cg%;qt@A}q@F}HP!Jp-9#B&f5~wEaBAwFf!=u(jyNzSnMTy!+WW7=v)uT(8ifZs3UUNh(YuMpHz>G*bX%5>K!y~3vxl*$>v3F%tuM+biD`R zn?l*(@&#q+(0gXSg)^7ouG^fiZPmLiR>jKMK}x&N%^4bt0TX5nrzk7e_B5@$qiNk= zjrGc(=grE5Q>BKbE8@=`3^8B}Bmjx;-t1QiTjyn%=#AatRSwi(7VzniLD zAT)4`_Ls1=%r$i}TYAcVO8`RUXWiFMTH7jr_QC&1M53~u?%vzDkI&D=^*$voch*dn zTu@oSZdFOFvGby5bQCjnQ4HqSX13%X{BEIs9CEi)s3pTxgbp4GlU(5+bSH`>Q z`5*u!FsSF#-R=R6OV`x4oq(Br8@Z(}wj<|T;-}E2nuw?XS>To*TdWulyIVol)!6hW z_$z%@36Nav_rpcR#)TRy5HL+CP;+bAz|VX z>Wl|PYFU`rD(4l@)orAnmQBa_QR4El+~N;FNhTE{fdXGql9jZh-%z)|ouxCd>~3dV zuoSZQ_N(aeS5ckNq*vrC3(-M@ytjo6Y`aCDa(z2mg)~QiIiL2hH@4QgdE# z`;=C1*$D(&8IC2Gn0`K)oE!b3iO4fUust~d`pA186UAncHw$4(W%}i0HVf=P!UTD@ z8nKb!57RWw-q|R1Eo`Dt4|wMKw)F?6qv$6*T z5j5wn7$_%PvbyU@M6YsC!KR9V5syN7m-(}vkp)Z0RRk^*`^# z1Qh*bq!bLP61yPpJ%kbHsaN@oR#ih+{Nub$3!!b!a+|mx{_#{&oZyA>N=0u{MA8u z5maB;Sq)q>v|4#+wHGw^cf!!=QRw?B?N+0&tbgZOlYsyo?4a0vFsIt6`Zwv^gM z;E*-O^sTH7B0h83J0=Ro@xYsbf8}sQ++7SZ$}(FT%RbcWQ9@M+JyWTKTA=AB|C|gQ zS&*hlG%IbV&zgiDZ8do!A93@5uq;-z0Ju44SuD#pFH3IN;_$c8of~QNAV3vnwR#JD z7lCRwiCuYY0}fVs0eV@`ay5ggw;+0X*ZylD-38psf!Xv2YHhFctngjU*SG(uywG1W zr@y<;u3H=k^RY<&#;ThHiq5IFvf6&7(af3Njds)`5dlGBA7M>uHa;TNIm(Z?;vPlX z%7{becke!xmcT&l6Ix;A1bxt-hlE1>QdvGe zvG$V8_-y<_zh|iL%rTgG$R{B~PPR+j2Fz?f%r7+PX5}3BEEs)(Es?&43UKN$)K#JcV$%s^~k}41(A>%-ND`U|n%^0C6@+Ub>xfy zXAB2GW6yJKHEjN>WJ#o|o(>7ge~HdBDr3bcoh&3}oH;51f=jXTFIw)Gl&^rI2!}&E{l1qbp!@YIFq~u4pqGG zpx2F%)un|40%h5~K68BSM>|?D9EWq4e&CA!$ce=3+AedpsLtE&96mHj0AFaV3FOsr z)46YC`=M1MW&TfJ1Py7?K6=*87)#~ROQJpkfWbSx2_@SA(d#U3#yQr>Q6VJ+UsH4v 
zpWJyzSm(D@2S?@Hp->YY-B8#oqEZ5b@t|YOq)*jqMNu(c8!?@C{8avRFiaI%SF<*X zOp2mCSM*N#Eu6UHpMmP?8P!Q5V@Fe_6O%n6FMmJMaMEtOdh4kZsV`!vnL5Q;aJpFy zcg>~GC3uNH05f?loTQm&+|Y&t0D3&K9rxu(?uh9j+*7;0pAcc~Je9gpE-n&_H-Y{D z012g8`a1M6!uuLi#C2T=BKhl3d{(&q^%e2d^4f@FByxb_+PdfJ_!~)s;amDuiuXz0 zM~b`C?uG}$wm1ON=3`$&+rYghz3a*twG88R`7 z6@&M6PE%{d0NRlPs+nHU_GNx;Z3~>m$sfaZXqg$%tIddZ_m%*MBjB%!%xd5qz$~E zFQn-!aIRkPM+oy*g)TAxN*}Q^WVF zN;SYnA>(~Ym6B2C6WX%cw>&n2epiH9wl zM=d1NuwB!NnIrgp>y{7dM9&U9sCg)?!+2=5qa#)9fB>LJMAOudD;6 z^rNF$qbw~;%NIy=ZZbZbA_CzvMH!!#mAG5@=H)m|->$+FSS!R&481jbh@ug3wF*+d z>AojDU%%s9&g%aC4VI=WVl1ICm@&`li#@Tevx75hz@CElQecR^@Os)Uf)7B^zKNq5 zdT?y^4ryBCw<*cpC$0) zz^}rS5Z0k5QrlM+-~C$uO^xvkUb;J8`=r7+C3rV%fbN3K&iIv%zvt{a9zL7j&{G_= ztN7VQb3?n32Cca#Rg(1y7}Jop^0?j3a*@Ig1<(k;H=6%qxlP`t<9{?&Ik0|_-kZ(< z&{egfjs{mwltci-Q=`z_VsG8z?}R9Ab9#|4lH8Lj(URX>lN1CxxZ_#>+G{v`n^P!K~Q?? zg)3NUe)bsOV@~skzB}fZU;xKwRXSPGxTe#;N4gmRIVt{B%fui%r;l;bDu- zhlgz+rQ$w&EakCKmi;GWB4eN0&kx0G<71xih`@73yJw-4~Ovpk_uzd%(hDp zTZs%*8z<>E>*A(-p=&Anm;K7uRn`+^h7`8zZHlsW4ieOkNJY56{nHgcI2lo-ef~AdyiL}^ z1|(+^#@I)L!$16URYj+kF8I!n#qdoKEz`@d(ZA7G7~|tPS7-Fe7o^Rx`!2GvBB!ox z@AmJas=rWa+%k|ljKQg$FA1@QU8^e|g~1{vmA3ba-e@|n!y73)LtvoX@s;ndDE$(g z8s?ER(flf*9SOP$cXw$lVZQ`#m{%w^ObA7x#K#)GU$WfH70jv+Nv6pq*opIF=mGY$ zTsLF|1qepfVEVDZXVah7lbUzE$M&2bIs{&BHzmxgt_M=7)g14%?XyK4$AY z9>kz@vuUKwG$yZko8$-*G|x}qQAE+gCRts|q81P49$80gDL0FWBF-zD@b+BaG6Q5; z7bjib)I|tjqgR7vrU93ge+G*X#0LGua{Vg;(^>$s=V1zf#k4smcVxGZOL3RkB`%us zlf-@DN__p;!r!tR-}5YK_AqSJ?Mi_9_wfR*XQEXV9{^%xM zmG2XMiDu8%3eYalgyC)O*dXl5nsCGpE65Ou^^s4Yz?u5|Qw&C$Xq$?&8OUsIn^*^Nm( zd`(2?2=6`viq_o+@zcE3pL(Va7VM9`V7}>*l#9E(gpEbFA9Pab1qa%#X|A;twS?>#lr~E*>-UE4U7IMNn`EI@4!*1+LmS( z#JU_D|A}tjD3nE5IA&T$U@I~9xUoY>9$_umeP`+!`o8N0wz`sTwQIu_FQ0@>@7`IO zpYAue-8g^FL!FGbC6&knxRAH2Apv2@;bvI<525;GX4GNW^1}h{2ujdx^5>LsuJNq+ z`AB+om?nLjZc}x&5rFu)7)+xg1*#Kg7y@zvmeoy?yV{_gqz$;JZlPiW^I?1XYI$qoq$~!v_dFs-%l-Sn>*C<{{vpmwi>-*Z}&Tib9q?Ep61H9%lj3#`(u9dce7e> zxvYwhm+}{5qdo~4>EnrLd0j9m=_tx0p4pS+Op1};4M%MJIe#Otske@Dlrqy@rm%i8 
z;o>~8Wc|wotG~N{)0R@9oJybn*xbT;!zreoW9)TfOtUTwRV!C`HkZ*{K0G19o9^_b z$UF^i@47`F6su98`6G&^mn4C4%njEaVs7_X`;BUG>T!}O1e)v)ye%BhvbBb?>roX> z1&E<4(3jcgwVu#v60U>+vxLmHF7c__EX>t1UiRj@8=uZqZYbWhBAwV7 zgUphly0uFy_Py-z)#X47;2{Oka0md`^c@9B$hNrF9K2o{J#HUP`y_eo z%oJ$TEQ%iXW=2CQMvfAP=hl+SVJ*B{gvp%Hob@(+NJsw{gXf|)YrZwIBrB?SS(elB z^he$`(|3KC)szc5w112h4-KaSF6gc&OIBL4j$n$qF-pJxt{x66EIDH`cO`ix4spI^ z2?U1MyR_ZXn;cnW)611Pg&J!vS=XcG$MdZsgl&k!GOWR4(NQY4U3%F%1$hCMq!ctO zK~`LH_^WnEPt5?($=x{F1F+jtPppXu?y1A(DBi-6@Rmiczqg8BZL0uO2!oTJ!KVmz zwV-$5waeV19focp5`vXg)|28xs$XNwf@hatkvz!n;ubu*BesOA&1Qp_n7m#{>;{V> zqQ`(+l=aKA_X)mCUvKcC@9h-hN4YR&s0gj_H%^+SnrXJNB zVa&HxC&fenhl;TMxud6OC|L^2X<3!0U%y z8@z^-J*jR03*DcOX7i23OjRUA#az}1@XJ?qWv)Lk-2uz3KG&eac*~lXD@^rX{9GYV zY&sOQ-tA6z%*>gmr(^NZlWoj^oNEl{@ml_Tbq2pZ+-MT{$;G~tcypBvZYIy%+#msd z@4AvFttqavO&9qp-Y%8vDt^oH9;8U*hhN+iZqQ3*wJG(HkrXK@wZ<3}S6U z(EXvl(rzO?o<^-O^DJ1RGdui&T8E4cQQ=+a+4{s~YLAQEja6D5m$u^;__Fp2#xOYA zFrsXeR#he{XnkfX*8VIyjVTg0V)$E5{w@A+DbDl8D`-(}=SBC5$d5)|WiXo#p5`|f zEmpF~#-8g}51TxEKAQ-I2&AY%_A{GShV8vcvLg^uk90^p!W0VS?JYRWa{<&ma*_uUH#VapjWr%$URI~qq<98UAm~##dGTkORD)Jzal+A zWPZQg;#Og@9*3-y+$A$mKh08Nd)u-~2y!0&2CL>(_V51!FquC@4VYyF_*mO`I=cy8 zFxjw?zS_jmZWZo{!fqBLdnL7YM4u~8wc_=P;GkZWnJ z6qep1Fvg|i@BASTA5S_mtL0@)lDI-2ZJ|xs<6#J+$Fu67Fa7OYK!&qV3_93ee|8B6 zgPx+8KJGGm%81VNZ(?FIX5L?H`|5RX>!}VG(;z^3J3cni+hLiDx8}aG?S0X#;V&G# z`Y(hX>J~hP|A(XVj%M?J-*_U#3MpEG8m*%C-YcqB?NO^n)ZSYYtHB3Vu~$*6 z_O4YcRBKavm7-<^MXVxdf4;wepFf`SoO7S^yzlF}ulx1(i3v1UTM{KrUyu}`Wxu8dY!Flea1zi)hy=q zK6mIglsA6Cj7=B>{glv6GZo}44=PXg0iR4~AV z>hO!&trB3q9}m=BTI1K+nI~75&rd@KkAj_J3C>lcPh`d)Vp#e}3x9lC zdP~Y6`qTI9_xypWo#eP_atQ26{%mjo%_6bm8n^M7zISBX+HyGr1X=?-B4A*th8&jG z09lppiDsbpC>c_%7&4I*6T|$YIS8F7ZN0lYuY{yZuucGBMvZPR$~!XU87;J4plQ1+ zQVm`f!}uMBKHQg?DZ%99e8KOBiS*`ivqKuPsZkH6JquAE(#O9iTY1+AHtm`+1o?!mV1wE(i353e7 zXUQ*5skJ*lQLV$({z;9ONB zGZ#vGN%eB1uIs9u22e9T*Y|vpY!UCi8z)&mU|Ne3tKT9)Ft>Hl;y$jSIIMM1A^)pe z*#dv)+(`$37RadcMGmM`XzYnElObX|9F7YL79ab3OuCRs1y{hzO}PED&Xre z_BncUd&=!`%q3IAy!V))H%G?q4Y{V_oV!Si}&Wt zSA!a({<6 
zYQPIka7Ku;vTYrJGK!!?{Mar%{8=Z8lA zc}aMV8f*XlCqGHQ<#m+FUttIu41XhL8EU6xX9g2R1xEk*6U>?(!c4P-hk)RsSEP4u zu(2YxAB#owaf}j8!}$KqtWZk8X!91&b^3k~3vCpt0|Eif^g&vqbInDKV z+NjfuFZ??+_*cCL`Kmg}(Qo{pscSuj(#iW6}vkN>G*dwV<&OWConZm(f&~J-&-bwrSJ&@P87rFD5LhUYYi_$CTnFSJd!_2cQX6H{Vi$A7{#8e!@ZIv|7~`=> z*Je6N#6yJ*)0GF_L=nyMSz^NL%jQq+2_1^CBdyF?gxszLuB(kaTa%K&Wc)}&X^ly3!FIiH@Xg<`!v>8W0UZ-x~oSPt5TFb7`GuI zJ*&VnirHTimETe-GYN4{DHBK9l)sMCEbgxLq3*+zYSoyVt{UukHY#FTUTcRZ)5xmHl3FZ7%T$T_Ey+Qy-BK1;pPp~ zBxgn3(3_OnYUEx-5Q%(om1!_Bb{2@44dv*ZJSeRj^uTjF{<*8-&hK6B^yY~6=CP1s|BQDWM8h_75Z@UA3L zlH#UEq>imK!Gcj6UzLx0#&~9-NCJUV!h^$H)N8QE^hOZakuj=9sL9 zZ52qDN{p^TUGS*u)>S-hA~Fcr=d8<9;!0dXcP=t3qU+)Jl~9|S?a;Cu`HOno$pZ@W zA^(CzqTayc^`5xsOqrU%*;0@s$A5|P?v9Y_0>98gZbYkautr;(#4o(1g;s5UsdmFm z&FdlmTgUXJq^IKu48Sbakz>OY34ko&;DhmhH3DNS1nrP8p73OVDCC}S+JK4?JzI37 zK{qqo+3K>xQM0isD(B5>v1& z5&W#pO*t=2!gliC@R~zve1mh8^>RUeVDGb6kL$t$M#O%dQoRmZZ{rU2^`Lc@KjMxP z%eJ<9&?4JhczEx6nbcp4U&&IAV4nFsNTnm^rAEQl&@yclHJC|Lq&X9)A;9yj zeW`Vd@t#`uH<(`k8`DMB+nGn!>GIO`ZvEZiIAUIm+4u#D67$9ll_4^UXOUE1En>wo zmS^a6+GmU-MAR0)-f>lDHrc{+gTgRWvRX}fRzzk25@aBAa0<{~I=tA)y_O_oP@6ua z_~ae%H<`^6h_F%_;WKH|KlC(~bw|r?KBgg_|xn_-igVX9mNldj04VI#CJW| zk3e4;8~nWilHiX2h^$5aUfT5MOxBIBa6b6{@i=cH+E%x@tzXx;fZ}e+$yoIx3b;|8 zVj!OWX6B(VseddztdQi%@M47p8$=&W_^&)e#;Qn5VgHhd$AO|`3P7DL+Wo`n2%RO1 zFj)C!7H+$qXH!`gCeJwCRLBM6@mffW*|nrYM00BfAyP&{br;qZ78wRU7 ztk*Mo8F36kCafG0nc~sug+B3_zL=CCm}a-+Dc9b5|`pm!wG7G3gfMhU`5pZ8z8m|I51X`=+JI&=GR`@$uEsrzAfn~9TI-Hsf>O6OK zjQm^EE~qVAGc38D4Pe3jQcr;jiK(I3gxY&PUYS>qnw_aGvFBKX?0ODOYc3ibhdg4T zFxx%dCEBy83%Dbk^5>-Am&OR1_;wQNaN{F*C@c@)=;r^Z6}^YEl2r&vp++N9YhxkZ zu32-cL!bfT*5lnmQ(s~n^yRpY4mFE~fUYQ|TI zMKLYaN~oU#X|=h^FDpWI!T1k}!{=15{@V1%i1>g+|6r7g02%-W4tww@QX0lQ@98Wh z!|`ZTXA~ep3!!A+S{@ppEFcn$CW4EyV@Qh-c8Q5~KR((?j;*f6WB?!1fd*9inDs^I zcU36)QB=diZ|vPJH?{o8kmQTcxXxbXH0$NyIa9+Bc;bF4mN1M9vv2p%AV~YB51-=j zANL=?4J{@|k(heBJ-_PUjstd19{R@%wn=u?#w$nCg%$~&zUVsg zlMEc&ghL;_$hS`ZF}lj1HA$#i&@!$I!T 
zC?%h-UG!@Q?NIB4LUg1LVZ1t@gyyx9<_5c9atFh7Hu)`@ZfER*%o(P$k7zmqC1Ipd#mz^(FJzjIPi>fe0}}Cl3I%l} zvfW0cZwVMdMur>b2nS5OROnjsLg!LmfxI0c36n0p40P{KjnVYlERs-5unu)b7gMfZ z5b@kr5AAD0isM`^{K@6CtCH9<#Fm(mkd);)EcR!8@omfmT3ZmiOm`Y>S=;===5Y~L z+-IwO{O#moeyO=ud&y*aiF66?vS3$#PZLpXldQFk^|l81wu~})##2c9=YG|`kS2!B zn~=G*x*lXd*ju5+m|FU{TbLvyt>|yT*sALone-q*j0x!jQO z9bzfjy11B~rAD{auY)203^YgzE4J~UQqdO>g3L-R+Fl>p!(EFdpdUtR(9e6=&y2rW zi>mWKTPKBF?Qt)DSF0ZRFkpJ=S=K(QB?!J#qd3W`HZmo`p(*Img*rFrEsoFwVEI5)PCXvs<9MVZQ!>&bdQc<`9jjqqvCmqwhV5{Z_)acG*@JRZJIQV+qEN#Wh*Wi zHO6Jo`166*Zl0~S@e<#)n=vwzd%OW0S6bbPsoUe&WAagpV9tHu0{~04OMmpim%@P2 zgF4?306K9@6!XgH?xIc|2Ee|>CuC(V9uZ^-GF>T@<|t+DPuA|%vSh^Kzl=*16+uAL zw#x-6;XXeW7I-W~CCi^VL5{x8H>2|rQxp9}u`a zC9J(s-Fe&ZPacPVrNh+Ia8_?3vhMn>KdI6={!WDow!*nx(KX6XX%)IMmzir+9&jPrj022T9I)_0v{2FGVgW>9F z*rviT)knskb`iCLE1k=OguvuxTegU#{q1qA7OHdl?MCjunELJ6wl${zV4+eK%yiBo ztdPi@Y@mMsw?+5)EQ6QgORE?7XFGBkX!C5Y`1tG0BW!$sSPT0 z^Fe?>q2~nr*`eV7x$YbUI7+6t;RdLt-r*z9Gs;QB+3eK4zS%2#)wyRy!qxv)mq~78 zf;y=it7tw`~ff??l;o{LB1kYME)rWBW0g=`_#MS17w(;L|c`rWeZBq zPgBOGUwIV8P^0UtP6s7A3+%jtfBbl+7E%nlnBxpuLVw?;m3@6$;%!JcYI+z#`|o|F zquX~!{Q_(cAmSDG&93?lUbKj<3JOQ2C^}oi?;JWXs!#z!Z;7B6Pjk;f`|q}9eK^BC z6$I@%7A}`^a)4w7COJWA^ zX?)g=X|a-SHcOViBWZ3t*O89xN*bUXk#RvY%>hCJ1{=ksf?kC4a{-wPQ%zVOK0Ny+ zYo1=$mGNNmr8p>shm_a@zvgiKHk>*;K39d0Y*VhAmx-Znh_D0)UG8x+iP_Ky5})KWWYK2h5Y#(&&1_yn2NEx7FL9 z=x*jxx-zAEACOG=t4+4Nl&pCO&f?}a4+^#47;&ylO@1=|&aBd55GHgvmM0++h)h;p zkbHxwWJ!jw0{YZ%ZsTPk4sX_8&J6aH%QP{1-4t3OE7@v-U}m39^a6dr7FQFZQyiPt zZ>ejTeM7JJZwbS*di@r!QKLPuJr&vV&&->@ode<%k3_lpC(QOs$Jy3I?n~^Sk|x+)A~R&y1x0uAe3-QuMP>$!t|b)~*RiZzoeJ}fb4zSL zRf&{j`8`B`)1y-0wrAVPHa|V&%cr8fze56EsA99^&*QX%ZUQh2i+e@OBC96_12p0~ zc8L-2E{RHQ!Y6=>kT|?3i3CA>H}hx?Y1Ms?3}Db77DiQIOqv$r)35eGT7R6CuFfgY zKB?4w{Q@-pVZ512N`BZPf-2q-M%lw)RV96iw2l(dq}*G-hplKLyw8<=$h^2%pCiA| z1HF^qG$7?c4yq<$XOsIx@VA0PH;Bf^^bCO^$H=-kT)C|FLw<#mFdgc_rTvFF;`=pD z2^G_Pk5BFzlB}M~j`Kg6+2e(af9o_I%GorZGb8-{c{_fzRvSKH@maN_UsBtZs6*)h zIag2UjJpS`?t8k9l-@4c1_qZnE<*09td{<|%qj%^khFjgL)D5vCJ=@oI9Fn_&+?(l 
zvz|DEN2D8Hr9T}#jd{&noZ0!?VXOXe54)(wE$Wt(@)4sxf=B0$ll{uo%6SG2XAxmA zTB(QPx_7HW0?6*OQ?%gT( zzZ|}8$#iXS_4!I-c^3d?ad_H%jET&t^JbRDnV7S$d1*TIkM;*GJggOe#Ayg z4VeL--Y+B~nWrfNw4+5%&#;F1G2_Ys1ED2UeZ*DS@u)0{6J{RZPVT_5Ay!eGsOfn;t67Ta`(gZ1F;QxUd}Ix7(1=lj;JsQ>%7RBr#By;GFs%Hk^Bn$#5Hv%1T++s#`|-tA@~ zv7Yb3d@?HG%HBn<5QuLt!-+W7`vZ+Y_vI*ZJMF#$$k}0((LGu9Cwav-x~l>0YvJ4* z>?;9Bt9ZNXAhofHin#FBcbp;xrHaSG77(h)CxQT{9m>zSxw+3k2M{I>{zQXEZ0sAr z@0cE>h@*Xgi4usXmdf5o0H7j28*|v6JVn3b@o`hr2)g*cEnV(2mgT8K!n=ewpa%d~ zEXmd;Gjr%@Y7>8@JE?3nWPIhKkVF;<%>6Tmi}3AE@B~@`cs+mP{*#@kn3w+WT*(^u zeo|&yNVKZal-6=uCzUhkmY)%Oe{A=aO)J|B34aNndVaQ0&~>^O%ibT^pN~Uxe+^;s zdG$SewN8shtwm42cn&5Xy=fl%&G9EAvu%)?>8GGoTHIEa1KG=h^GNL+Q-yh~8grfI z94mmFubc=g|5J-CvuwbRxBxr+=$;0?QoQn8FfN>%=Dz)7cuKANn0zxKJ$3VB43Oq9 zZ2f^VvH`0%&RLX50^c^IE=Z5R12qt+{{^{=%4-L7QfX|qK;ko(n-!IuWEdy7+(`6Y zNDJ0=qPHkcQ-BiajmR%I7e0DHrBQaAF>n7#Zf4OPE@; zU*yzxQRoC;y1*^{_B@b`7)DBh(g2T&I6qT;C^3wVs6WQ0oWG5>j1Yy;hB*@u-gw8E znVoM*qEFxqNzLKDT--&KH@ij|M~~!G$`tzz&2KmosBIcj$aCES+}wi22!Xe%7%egv zv+PC48PL$vZs5=TV?We~@w~ z%@~shBE|Dgv)xZYA1n2kI)Uq_n63#bab&UzqsuW~`!p zhyhm^G{d*Nrr2%;q6>5V68GE07z)aG0UUBzVpUs=0sr#xa#SvjZ#5eEt+s%+P|iF) zh2ftxO+00?$ryTbmwk=&4Eb9AQ2`)nH`S}5_QBij#OB`ezr8@%#OAl2&AUU0M^tr| z_;2zVjXq?Fi^#MPYg_NX?E~du0OC-iCZw?ij!C9=exJ*xmL_JY6TD)4Lm*j z9}p8rg|mzAJ8X=Zj0NwU2MK0{+}x!mnIjAvy0_K-FXpe(F0;JZ{YDCmy%kd40Aezv zDTY31hZ-CM^gh`re9yd6&Gs%kRt}`l-6JeBA;yHHghV))vI#hywugc5Q7ym}qmz$p z?;P2}w?t}(&ByKyJ`QzqD#O0;sDEG0>f3a5;+|3XQom$vXjQ~4g3}T_>C0*kgNq+C zx?V0iEm-6!+P)czSZO%>e|uB+-)Zqz7|g~6FnY1$G@o&`^Hw}2meRs*D)rHP|99y? 
z=T3=V{dv^P`HCPJAK7>%>;8Le?eNz#s%#TPCf7r{^L;x!3(YE_@adZgIGYIm#@>Y)fTH#tabs#({SqRirbva7*b}) zP$;MgFy+RE)n_f-v-nK`*mirJKBx3U74An?Kr$$B3n>YmYT+2LRjZNQz>}r^YTKM` zx)OeZU)+mRDXelTNd}EO5N_BZt`T3|w3X%$P1JZYv&_rc#`k^S(GHwTAjW?7fm3N>1- z4iFty#5{%8)YCt06cL*vFe)U83-*(}yETUiY!ehUk^RQ9LMggMMsrUoTi0SU6hDCG zE>cq!rzst994x9@U|H~g%>2wV>C^P5!>*Jo7b%%t6{a~&nFs4-xtnwolmvsM&#bbc z3i~F#diNfOf2AMEKjGhtQm+oi)Wu70^(hxMy+&eS~#g)Tf~|YioOW(tE6gR@ve!nQ!~LBx>?5He{8Y zQ^g?P1ipZyT1TLxu0Dfs3Y1O0rvc|d%RBY{rit;;z{z%aFO3G+d9-7^u(vBfXKngc49jNMw)4wHmy);bciXN^t$6A2%8fj3>A ztMScUq9*7ktSleI`WG)gh=7N)S7B}&OPBqNW(9QU4XexysR?p{LS(3l$iWZoamwk{r-c*<6(^= zl~aF(!54=kXV@2vO3(K{%~*`29X+H3*!7R7XvU58tsdWD#1lTb{XQ)H1`FtRrW=14 z9mZ$ES`MrhwdD)$B!Sa>7d<{Qf=qB3=6FolR0)}LLiH(Jh9*Y3yDfw9;R|yelUnrSLm2yFfLONkjKo*E;DRfg${~7% zwb2&qNtPRr`^7t6^Eh0VNGaR?ETd_6<-f_GJf6?o!NW{^r~L!1gA8~nlm0nnuNe+O zmd*y;kdD*NodrC@;1BlbF@-|G_CCs9ke)Kih0D)BDT%sp`o)+Qh=b6SXvrANsO)VUK zv~6|s@AtAtwWIlSZu|*$sWJ@c^OOc8J1*h;4$5m_{cvg(;Ng8&?k!jUQ4|!zrVW#D z1%HSQ5!HQn$BEYI8X@lbw@i6NrgOD?lEFZO8lby;d#eYA84qWrP z0;)PH32iNvp7~a1OMYWv=E3{T^Va`5|150Z9|>0v9?{1$lZCn-S?epS#hoE}qSJVpI*dgUnEWhn1-r74N>IgTUyWPOL=1*JpA$6g{w{ zW8EW;9B7BO8QRCIbO3WyaqRXHP)Yu|LLr|Z|GmQtBl_3$4>PQ7YU#=ZI2(J5_WwR^ z4};B7=Z`!zTEXj%IW0srS=c? 
z`n~`Z9*{I_w}ENV(7YihNalHo_Lzg8QX;AOIpGN%&b)L+q3=U$ahwo?FlqQl*D~kz z>85rkvcU+OEg6QMSg4lP#K@$jvh2sIVZXJRDN#7-UmBfe26n9_ir3qBbVGDAiBswT z3OlyVyRQrpS<>A?t87_>B){SD2+|)rP@z!o{Mn9I+ZEr%(oTKye1|?^W8R-&SENld zEHiJ!qBfl#3)6x_Kx}aLkA;aC0LT__9;yg>A+rNk)HjSi0D%dU|W0<#~ly5|Gcn7ik}64 z?BFW&Uf^r037d`A!|$^0uaed+7I>myb0U_4K-r$uO{x?|^ArJS96vDGuc5gfqMy|9 z*M@}NIx99FOL+6UlZhHIsS{fD@2pUKbtb5$Zc;rn?5ZMX<;<1h&hswrq~n4O*0uuA z_R7C=(9pw}Px(4dQxg-q*a;Lt6?|b*CcmgD8G)@@dv;WX(!C0)fe&>P$sRK063@cI z&WURL7AG2+CqNG~I69llB>(k(?3j1txhp3B;QZdu#Bp(n<-oO#;09N`6E}bvZXjpv zM=ZZ(Rlgt8Kq?3y&y<@W4m&~LNz|2D$=CPVA_u`4*x=1@eh1`N(7y&)>CgU%Ca8P z3m)MM?B%wo;A_wOsLH9@D5C~AEPfINB&=*6YQs_Qy zcW04I`qLyp94BnN4x|a=ud9H1i@HPN7dqXPSHRx=9}n$@%RCa0GbRB|G<`XQG#Z#P zwmfdlh+b%TWF8?%g>dCw!7l*nShohe+lX=R*s@X#f_>Ic-Ok(e-pg=%UEbe;b`~}g zVs%rle*JPh%l|w7xk^2BlJEX7?>t@0Tqam7s7efs6EnaA!X5TX z7-A@v;JPDmX$-s{&R^Fgznlh20vMDuH)Z+Vnxj=LRhs7!L_WKZ?~KbN&IlUk!~kkz z{uPn-5Ssa5-#gvOL*o;meh{KT)j-464X1 z+n+^}tPdSpwFfp&m4T6|$!Tw|m+K(#sR8_}q+v(kNOr-aFd-?K&NF8@koxzB-C}oP zM4&N*SOKE|=(|J_F>#69tKV18z``I-*mW3&F$nX{fvX>^&~%@XtO*F|cFD%%#>0li zTrmlN))~tBH1+S4L=f*73_c!xKVUF1agNhr^9v|9Ii{;J z^5F95%`9i<4<4I6#k`xvNY0@-p6hDxk@|+owBCA%jK$p31#t3m!8HG%@Q7eGRsQzi z9|J&BaIDDKwKm7}I`z4-aIi3#3CP2jq)f@>`Xfp+Y2yXH69> zNr#3xzO~JUuohosN?y&~e{f-V&S0b_cSQElqoLv|9r>)yB5)Liiqa%S9v?dkR1p0M zYVoMui487V6l&|zrhRw@aomm5rJi1ro#H}-@Z1|$fgqf&OKy@Ka25a9&)HF_KWGNU zF~Du6r?EM0V}1|CzUutkcPJIE+3&14#r!Avu)FWu99-f`!uh6G%osiXBT&A|836*T zMccZ;ZDDB+j|o?yohruJj4~Er39rO8zcIPz<1g#WIf^(&sh=Jl3#(zqqbM16v0sKd z1%Y}j^rTpQtQTF&o2c@t<^S z1ZfWH$2c+>N_!nW++E>RE&vT3>kUykI=%r;k7$coIHw4&K9&fa{x^0Oc|DwkoeXF% z9JktgMR49C4h>ZsPg8C&)x(1x9g(-1 z(6-JuIgE~9g7loK3ZxT3^Vo!ei2bzSD3(>1Bx35R-*=->@JTS6dUs=TFHYrQ#^=&|bro*YFY3a`fSEww*nQ&_ZwD=5`szPC9_T-Z8 z3U}^afvQCmmSydtJ?_w;9muP9RMP3wygc6f)0_fA@=?r;%D+F7M!10aVzCvV{_AV1o59@BE_Sit4DedoZqZq42sZX$Uz-uf{qF6x?<794E{>gddmr}ue%cLw$5@)gE6SwQbY(b-63Y*oC~2I4Bx|$?fOtW-1*80n z9i`A}cfDR5J*>VXCJMC_kcdld@B&WhT!=O_n{^>?#*GNNa 
zVV<6rBVzB_?QH6bn7p90SpGCR?$NWC^~nEzPss7=`IND|TWlur`neYW{jq2wO63q1?@T zsI9SrQ&*rT61QSV0?PwTlSgmk)l%DrV1(bvu3UOd_e25t{TfB0bR)fhZszL0JlOhNmS$mqI@%l}rM~cN*I*&hdrv`o#km)8nW57Ij#F zZ+n6K;_&%N?^w9t3cgCw4rs+*Rn4JiwA^11f~0Fw&NZbtrf^<)(;ZkRRGgc^xxJK! zs^-M3{G5P|fcFYFYH-E= z_ahdf=@?1x^#!8NuX&bkT&s1g^cqs$l_2k zU)H82&S)bS`zn1;d(s$cHj-VA8S87r>EUlzRS)bde%K?peM!P_!MamL68pKXOJVwi z5ZqaA7V*~>EB)l3M-<&qSbr4 zB?lR~P~p+t`Y`-@?#MV?L=flc>1l#pKm|J-iv{66#C~dkP)2fe#>Y2-AEEYdx#YsV z84l@oZzfdoAM`NW#UxT58AgGXz=%5shRCW9QnabWAFB~W46*47soZ=On&-HYLi{$A(Q^^b51XcHA+{OWi58-Xt z2e+v*=uV;HYz*PvYk6brl+e~}te($UJWYEXw?DePAbu+J*~pK)iB!_nN-dUQSH8t5 zba5b0Tw>9hTI9Mxm}O6RbJXHdkUGR2khs0c*qLjF^F#BOf7w`q(q`RXh$T1U=TLKO zjvd(k^oIkh`EZ$GiTpy9fkGPa&7;e1J`#TPlI}}~KLiC!PZ$(({%Tic+Q->& z;8ZD=6+uNJiQJDDK5#Nw=miR|lG`JF|BIqWyCt2fy{FJj)TM_#WdEFh5(aLxjx2jn z=<;FpPrjbzgWp@=$)ffaGsvUGgr9^9e`kQI1HXFJXZt&j&88AmQ*v1aW}*t2{a)NR zApkFKl9QR|2OV7d!b-wwF__)RA7IU5i~RW~{PCaOzsODRF(-E%g;3eqW{tolaiPm9 zOdJ4dh(9>4-gXe;s~%mT{1mkf?h=Z;cuS_zCw%k}Cb9!iMX7z^?jTkhJ1$46LB0>V zjVP(~!PgAT&uf^7`%az;xHN~KnB-j@bkyO7>vWFAQY1qQM($KLcAC}Y8g0i}pMD@H zmiZxuTSZ(kIg$WWTnN_@mzdYkqyixN-o3De^4T}r`s zUJ&L|Q~O>T&`F9T9sErg+rc5H&0!|diaRRX>suF~1tADHTwt9DI| zpUlu1A=Y!bIHCo6J~Re1Eu&TNHL^tG3*{YTd?vnR<$gGH6_|i7wMHai;V(oGS^Ngn z$y$H?OwKj?P+90%kwvXokETb=&F%UegA$&Kdy1~QEzD4T_m-fRP>!N-x0&&`8!|BGaYeRjC7gOB6eIM$ulcZf+7~FUs!8`;n?Ne!( z{g1ud+$OmGG<0x;_+x))oi9(^fjI>rNy-VpE3X1j{lgMn z`0>ZhUyPvEi~{?|b{L>^_YC;_?QQhtuJA~rULx-*PyrFkHQ`{{tp4NZ_aOeNpqcag zt!fSj-@Dkg3gRw>lS*Va}*vE8YW z(yP~P2eRoTuEUo@MW46I#D*z%i33lGJpv}F+IjR&Fp0H#j7<~8QpeBAHjbycfeHa^ zR62eVe_LB;PgA91NZlxnOe6#u@L4~yh%O#(9HS$M6z6^i?a(`11vj+5#{J#UJ@5!3 z<-)v2n&hc@N0BZXW(+X}t@%&}|E2bZpWV94-m@Ih^6`60gL$V!gJ5)QX zm(`fNd+dnp;d4`hi&)9!d%*^I7A5(5LC1UQ=lq=@$$!(ATIlMn7xJszl(%z8DIH$N*AukM{mjtIUC$o&-eT`#a2Mco# zsf1;{guP&oT3!-jwzO<{P)R5JM?M4dB1kTm7sE5EBkZfAL&p z#(Q+5$%^{e&weifNYRkD-5RLv3O6v?l)UM-Uj_k@qG8S;(KBAkHvmREa$%}4FpYkN zsZ77R^;Vj?I^w_000A!$$1Mr-nPQ{g>C6{)5feymT?X0I#PevH%-a3MBJF8A;h|>} 
zYL`P#x;suJOYdD0|Mh!MGrxVB5JEB^Mo7R6)dAH%QveKc*!|0_UVpaJ%J8mx>I^q& zstiKIuR3c$yG5k_?*%78Uu0ybcIxFX40TxpC~>hxq`PjNC7@xx7}EVzuFvA_(QJ0H zx^aFr7{X?e)2P?;z$m4~z--$EX1B^o(oBzuq1-s6;(u&z??Lz~Dm3F< zwZzTr&9~ImPl-I|zu0{9g(y;{WW^B;&oJA6yBZ*8?GfKewe+aIi= z??oEYw3d3iHQ`poH3ro=+VwYv9@0{U$hww^gSB!ow0TW>@7tRUnCu|_N7F|ahOFpM zn3(}wvu$6Tzj*(xErM3tBWFzh94113ypjAufL&$V-;fRWx}nTwoj=lK(Jl-CfCDt2 zDjR1{490NPRR=u(c?+lJ((u>5CFoQr&ARxilA`l86UejtP&*)Kl6AA^aGZLm0MvrO zCU7IjmS;)1Sg5<7F8Dc?XM7$toi4~`F*ZBxqRv_VzQ99@S2%W$Qa;7(8l~^Tls1iB zjHiIV{C2)BI~wr>9h*rkF9ka@^FF-WOdiu>W^E6-kbK3vv+~GJ#z)BKz>mn-dO@Y_ zGN$$__YVDP5b?x&Hsr^v+N&%Spwzu=mTx%)s*$U=oS{Tn?pvN)RH^s(*n+N18BmcC zW#q}Hw9?>TaNjEQg4I!=W}UpI_=u^BszSY!z$%0jNj>xY-n(-r?{W52+`mEI_O#$n zBY#*AP!vf-Z4)Cyu zbMEt-5Su_+Mn|(N)mU>e&?_m+ZuU0;InNyy$&*vRV7VVaB0auG9ZyaAoV!#sG&p$<}V>BY->pHq(ZHFjx?;68wkpo#BhWT&5vh)l~P7;j>gd+Cqpf1YI!fM=^BV zm=n>o#lE+NO|B+NBbd&ag0n5%8c<77{)DC#=ZCRDw4ZKxDK*q3%m$qe}S>f$S zhtY3Jj>Ydlze>R=tfR>axdCEz2M_=RsE5yEAhRvz`)oE|ku9zW&5&h~V7|9?w?~u( z%BcF?sDLb>DAJkQULr)e5WM7a^y)n-@v``H_%{_@n3`5Lg2bijCc{!Z5JJC->un5h z04bg2^XA|asud`F1`1=a`9IYdRemFgRw1%+5N=`LefG0LlU!uxR~hl^HXk?Q+*!bwm%upd_2r-5I8iTxw zQGQ3|9IU367tQVgY|*pu$@^P;nV(1ti>9d{k&fAsai+E5fzF$5W`w7TXb)0YuJM~eQf()> znOf&hUpZF;J5CJ#Wny&FNm$`=1Z{t2JzHMW5cc4$ghSp{j!O0v}PZ+4cvw4u$cG!)P zdJM^@D$L#OMFG>GP%}n|3e53XR1GK5lucfBvjtQE+&U6rhth6Ze?n7QOeX2VAo>p> zsx7GCQ+$MdSn{hxOJf453w1~6#x&HJ3?6_y!2;Wc{Fl`FsDzoGZ&cw3F3 zrs~R0;j4UmQplSf@Csx4G4-}{EZlJQkcSS=nvWDgm^OBzd!xEi<;p8 zxU{siR`A4}rFTTo6!FcQWaT!+t%V&oZ*AO+hVEIrqIzo1X%BiVy}qF%pA1X9@*vwV z^>|1IWRO=C?JSGST5%@H*y3`P9N=8RtA#g!xD7pp)h^cZ0p@cwNc5FQDkVZpxz0;; zQR6V;Kcg{My6LPhFXIsCKpM08bmhlTQ+m@kg+orfkJkntNr4aVy5 z{p@xO47aVm!x<(}5w~s982BOIq3Pd1q>zS_-&KV1J8N>+TY~WcJS;^lI!i_^oa4BR z3&ZdLi2xz2t&YAwLGnB|{}V^m#1{qG40Dqg7m22XG0<9sctQ)gCDfiG@nbhcef`bq zCVmMMdCNKcIRh&G4d@YuM{2ryxnC)IOfO)UHn)iBnz%aPyqNtzJ=+|1Nh~?OyH|DRIIH|Xruiqq_bZP8i0q?eXEMDJtlB^ zZ>fe=`9}b58Hu{2crX&LIn?l@Q*3!5Lz{P8B?P|tIb=$QDB6@z0`q*bqa%-_%e85u zX+k$Ip2{CR-!f#|EM!@1QfAyoDQP7pTAN&kmXfLH8e5(S(N$+ZX 
zM_b^(ne8-LLqGJxUv@bZDfTp~JqD|-+w#-|;qgxP^n+&(8KmIy zgW{Cv+3qIfmCuvyXPVQi`#>o~fmS21OvX>`tsnGsON;sFkuW|w#|BL-yP5v#Y?AZR z4myNhoqK76cZlPWdGNMS<>}$&_nHbF#Z>|QvPb47`2cAeEr2bT{4%mlD=cJ(SaxcSs<_SULgP8ulBFR zVne)?)H;L_hVJ*>gq%=+pbAiw$8$`Mc#Vg$YxQQ%FV`g^QR8naRKBrHuuVr;(6Bw` zp+6t#9{_JxMe+PorlazYFU()NUoY(?EXb`{TZ@JLURkYH9V`^NAP) zMUza33@}pX*`P9SKzG#udO*N7AXHR8R{5T|xHIJY8htp-1n~Hwnwo6kweDIW9QE{67vCXp!C!>uTizv*g+}>R`cQUQc-uPxp3Y3GuYYs0#|lqt-LilowM$VkWaBaPC_*9*3N9jhO zI+B|G?iQyr#)N){{?eOS`)2CqCqT`<7-)0(o<4A7mndm!^4VOGE-QAOLil)sIZ#`D z%Pm`i?g-4XBfhLYjKIg+?Uz)8Zj1%!s8Xv3l9e1_6#c!dqh1N~yTqDn#FIFSSJA@K z5%Y;Azng-ae;=}sKNC>eU}Zzp0lDFU>PM&@Id*k*Z zo~hN6Bk(z36UGUqGQx?5*R1{JAh}yk#*O@cNMfeE(gS2#l$}5d<0;3_e9TV zEdvW%0H0bEV4#ug!hPkyvkVENIiF5n;q$v8_o^qw(^7oIDTjuOXy1T03IQ^_Il(We zjz}_k3;m4+WOz|Yb0m$g3Q9$$=Jw0NSTW5J@b)r8ki zq<-q(muwwadcXaJp-?3oRpjN&*_4ed)^~%=T(%&(*82mr=pp@lS5(S%|Dc{3$%T$w z#ohZQ!1wLZsWE$2%jY%L6OK9B9IcK&1W<3|Fzt&Gi6@ms<6c=OBMEOBq`XSSW{9ga zR!>M(xAYO@m;^W86gF(jI2kRFN%zb3@atb1z?T33$$&Ra4sKua%N4OaO76++8$l)j zbsj0PNg4GTk3Wvg>OHBIlLd-Q_wz@V;}SEV>ClT6kOX_f=@I*mMHeN5n)J|cy=KK5 ztqI>EyVw-}%=o(xeoDJ%b~wEInv)Zl(A z>O!XI4+G;>vk9Vj-+-umH0?xRRM$^E5g#@D(EN_qw(1=(BgYl zWi%JKuZw>;54iHcQ*osnNuw6b>G-h}p^kJ%-^5eM%Glq-gXAp)J{Rg$j3js8; za0j}cA8Xmi9~lnaDN(%n{oPr&T?&TlhIb79luEA>5i$I=IoH!4g)T6&o>C|Dm;{QFY(b9r}wWvtR5*0(>U+{pvVKYEOC^7J$y}1b9=@s z2}kBSo`1P#-1$#(=DT{@h=TTUEs|uo^%z48eqE@~lTV@NS}HrRwJks_{;H3_ro=*o zyMa)sQ`mqNBre5_kQQui*chxiC#B6BlvavXm$&h_P~m~fZZ({jJf@#Nyss~+ESn#BnVkup>q$# z-~o}5UU90^a5)UoR&=a~E9%#d`3RcxWQRL2&OPU!cURI}x9P6SqeOWsP0wWUeFT*{2jFt|yk z3A_9DAbsR`NMFg?0@fMud(yV;aj=(-#M{9H4r;9``I)0Hop<0Xq)8nb{w_0LxcsR@ z2HQzS#L2#hmfGdyQ*lLkF4_sl1=w>ta9UYELBv5GB1NA@M>~i0<{cV0D_1@hRtAbf z2FB?E!7LQjVK#b2~dkn zL{89ONlSwX^FPkJcajH_6~Vq!tlFOl$=03IsEWy&XPOTKqrP5WF1}W8(MS&ZHL7sl zJRbOiHhCpqL1&&7EtHXB1k8|)A-7ScCdt~7Q22&!bC?vp%s(WimBj4Gm@D@;;JXVy zIRlsv4YZ;k?|W+>CgGj>XY(p6TUmq6%u2FnJQCCd)F*uA@@_L#B4Ca z29y;(|CB&u3D4kMBd08@2P~L+eL_%$w>@)iIq;dIu{&NHRha)(Jm=HR>&D>fJyLSC 
z1>1guZC;Ja8IMROI^x1S?uN48iwFP*tT!BthFOl6XFNs3gN>=R2Pov|Z3MhFv^adw z61L~yUsv)oFL0_qG0QyY>X?~dIWvD3v~t;assmr~iG6qjrcP*lnpb#pg;iHF2_q8$ z(e1w?Vt{OWF96=Itj!`BiTgsTz$9wjdoa?WY0RKT;07bWmf(fk?Ls5{CXT=|$KqTY zv!8`d8CBH=B||YRMr6@(wb(01uq;#%25_C<{DDaV2K@mxMOR$ElX75NSkn$1>m^&< zG?5RD6oya=N3YEXF3;bk@V?F=&G#AplB&|Wyn&6#{=TfVrQ*x;z<_HY-E44byH21n zK^Q5EGrdt&Y7x3|OyH@mz08W8WJUH)if`lQ?SpV|{p_*iZzSf0^c#~Y1eDRAeZL*; zQ0BnznPNQtr(~?QTP5PBDrUQ-Z4Ll)@7Y;kbY%q&O_(X9b|^;+)GA+vmeJ+I`uVEn-&ndt_EBY~QGTt7}rk z8~AP06630U{X~(jFK#L6d0p(;OUb_oz-f|Y62uykn~+8|d=oOx0ckU-=tgJ68=Ja2 z%|-Hz;Wi0h0H4-eLtBOUAl1dh1LPo`%u<=Tx}(=03LeVsx}Fx=YSZPPcplgHpcbZI zCZ?{H%Ub5mv{|5ajhs>dR7jTcMZ*W7hYy5D-+%e}Q7KW*M=E#7 zWHjE=y{FJ7bRCDZl^vPiVSSs?-vBCxjBidN$leO(Lx2ihIX|O^8yAR<#$3|~EpLEc zchdsmysoL|wtE3c57UQV_L`Xw$3stia%mE_SS0pH5CZCBV4@U71x`d2fFA<_F%A*G zh*qSU3XgoH5eVVG5a>R>l~@Mv4;*hXG`ykjP^s&>Z=Cd#3j5R5=^|Bs4>^h{WG|yq z2XG5<3I8~FUL6;zgjmOGzmxYzg5_E)R1Q`ueG&bYw%hvx$;TEYThEE~n^JVdH6o%B z5k6G6Z$v2fLSSy!X2(EVxN9M8x*1W`tB?VwLS5Xtq;p;5W4}+no4=2}4s#xN7xg6Y zyPvasdWo;2f%=7Y+W#c9#yb_hj$^up6t@xXMmVzZw~K)Mj?uXoK0u+FWt2_c$gf@? 
zx7wrjAu*Mp17{{_oV7#xsNdU1WU)o;|2LQncR)8p~(e{rVa z&1bQ^p*oEktqigrL$}}w@<%SlaUQAt&shs2W2GGZLmlq2{F7G!p<)!{8alpy`Oroe z^>_!gd`u|Ji8m|Wm1`-mY=?~T2>a#fZk6=6k5p9y6UZoAs%A?%nc(Kr4=A|>^^}Lw*1e(9V!!^HpzguD zPwGcxsG1hajH}Jb^$^NH0IA7KV=J-n@(ZdYfF3LveXmdTi4@3Z{Eo?9uTMQA_W6So zj!les=3qChsBOME-|{!d_CW}aXQzBEptn)$DG$hF64%}kS&^DV(qz@hZ6?g48>9KD zFi~#btYe?Yl^k)dEtL#5@I9N5lk2d`=ot>^M(A zTX$}iHEo>DFQk(y6xup45Qom)mPz9lmxu;*Tg4Gb0wVVyEuIcX6$~`z7&CDclzP*4 zVt5`E9yHHe&1QmKZ2Kni^|t6wJFBHmocteUTC2~Yw_k?kC*~S<5m3n`GCnef2FyqH zVXIoN|Mc^37QzyVZNk|uz$auL6vdhV>-e*C9 z{1ZxA>z5%1m3_l*o&`#nX=&_WiQ5jC6;f4cb4eN4QqsxNOHgcJL|X*|0ecDzfmGUirt`_>R;Zu(YnlqqCvV(k+8o5Ym!P~ zL@%lCJ8L=ljJ9iuU~s}1I3>sV$DnyPX;1gH=pd$2Fja@ZEZLCP%5?q>x{rcH9CcZ@ zherY1`DREN^N8HZ2SCv1n{OP)#&*#LuNlSj7#7_0sIQB=-*(ey)#yWN5ZIL)8A~3G z2H+36i9e+b@l_zEs30&xJQ8&Wnkygmju0w@=!^Oim_V+6b~^cE0#UOmZ-P5cVw73x`jd_&GpfC})wMt^UZD(-iHg$Co<`s>ejmDX4iKJ<;Bv zQkbc1%4z#ukdOJpwJG6*OCO%GSB%#ox7;b2XoM;PiKKY>aJjnV8B8t!Nl@}U^1~0<3lyTgs25pl-)tx0w;RnE3qcrV`IZ|J>hr+ zme*F#5OXLaQGyD0howTaUB8rpC{FPe6@E#M<1~V8gPfGrSP}Q=FPvZ;;j$!l@j-42 zA_dpiiZ}-0cqk}{>@_UsCQ}YfW%Dct=@3}@mLjFoDq`p|@J7jo-#> zLi}{nk-b=HaW6c_qo6{xo~dWBj;SZx*N9&aM5LDS4c!|9{JO;;65+mIpXC*tpg8Cu zjS{06GKQVH6#I2jK@zD&Jfy*7KCQ`G2)Fb@xd|uw}Zj~85II=8F*s_RA(UN zH}V;ETZBWb@Xo}BW#K=R9NtkRVch^J2gV@q^cw}pdk(8pMo~z_SgyH=kOHKgp!!hHYkB4I3T00Pu+iCR0JN$@jX{QI!?m&sMlztzxk_(9?ozc zSG}uGl7r_|Qst?lU}&+seix9PD}ST|i%#}(-PIrtB_NgJ+Dxva*FDMNqJp^2Aq=(B zj9yA6xjVtKz5LVkmli>RYorb+%7=-qK^w0KxMyaGiR7xz%Zvl8zU>a7YjbW}-jw#< zFg_ONvJ5ZTouS-0jTpoF*EeW0$^Ln+w5%U4RluwBbF#Qv-le6;9Cwr$E|66nwz)w_ zuWtsl!x=XfS_MP7DJrWCLaz0^Dhdbb~Z6GN;6E=3yLj^_lLsv;ks z$(lNy{42MqZ>_%{L(f=#NdSl|>=#7$3Wwfty9}3J-5dTsRkZ&rUl*PE!?Y(>mgwpC;RIh!)*{&o&NKpP z^Ou%?)E6-c)Pc{Uw|l5XtfJq0^-JA>Ya$_CYxWEb^va5Tx=gB8U;m|#2Ye!^DNVTR>|`g5G{qN`t}T(iSur>w({7d zEyHYhFo7ZYd?L&&FdFkrH&0AS`Ct93Lr&ua`nUe*>+TK z)P;MeS*?BrrMLS?c3~|@ZpIeIu zFa5m1+5yAlTlKePWQXSGd2}nCj~jFzxXIUBFiSgBhNb+p>8<>fdwO9KLUXWZ0Y$wp z7uI`PcRDB+$>kYcM(F@-j}(UWKh>@9`INX(Q4Mtdl%Ma 
zoN0=SkthqdZ;LrMflzjStNu>Gp5cqoxX?*a_9`8O8$F=brw42R%f0?tqhwL#72GRZ zV|FZYNwSF^A1!d}K9spsR&#;hY~=(W7w+CwI0yyVx3coZ({32p!-(M`PzTceVky1+@umyDevwiw1^AEWgi-KyXb$0cfpDxJ z`D~ryiGDR3%xrV`;UYpAef!S1l^7yA=@cRr_AE<&u|LA8F!wjVFj{tyth0+j81b^R z@Otsb_Tv3FP%W}J;&jr>>DN7yNaQEI;JCVu_{Ota_cPYw+7+jG;S^6m{5K%?5I)v8 zD)YdPU&XwuLgg!eqHeq1lqq7c>9UKVNx4FkaxG8PClV>28v5up!?Y+;7N=~wh(4|` zXyFRaL5fOeWxBJ?o|WC+zFuB+8-^Ie+ZSH{E&8YNF_xx3#!DKUE@Hoop)&x5m{wh{ z^XNuCDX@z)mbVh#r?aqi{xq*~DXG6FFhS0@G=+F!_fF&0G_&gxbA6I&tCW5pz4)&N z?==6Is>Iarw9bZUNgWFXSx{Vpws#1xZJBU95jDc*k3q7%C|FxdSD@Z1?J^`r`_a^r zaLn@kae+Xym@0ZO*Z7;RewteIuLs5D;o%Moj4B4d>p66OPjy4x^F62=r#OXh<^H7; zlF5hm8#{t>K3e)___$CfP9^jQz;iK6#l`qUfnA>BltfpT+S6gxm(7K`ABgEcQ~Z!6 z6*=gg&RRUqkZ(2a$T=MH@O{T90ABqDzso?XHf*&ov)v}M_APIqn>0eYY4X*JQ$f`M zQqdRDAFrYBulGfV#wYSPt3y`v2xtn>(gb|Ioy~^~TUv7AHA*VUde#tc-NnEyF==Q? zQa{VtDT_$?V_n}6`OGI)aon)w>$+AD2J_9-Uko=XbcS9hr*S~W6Y$@rY^q9{+$h2*ar;F+&o*04`?8N0qY{Fr=b!E1vitH5@$(y zzS{9n5;D-7RZy#r-YhE%4R;uvNx=8kbws+v0uGu}0AvFTI2Su(@l(V~-@Bd&_ zqPCLit?9J6wB+e1uarF1tW;C@-4$T=`Sd{<+x<_=ZEhc(7bMEkNr?y>*Y>@-*Pn&6 zsEJrB54AoeRJ`stf6AR=%xDa#_<(9Z#`-VAyd_!c99p*&F;dFt!*{laltfED88ixq~E zSuMiD>&?Q!_`mD%U0ABEd|O$RK>cdFFzn-RanB6|-2ujrJ?9H;V{pV@F)c37ZsCecCy&E z{EOXIVOJ=$U#d-^ul407?cJuL5}S!c7QZj&4TLp%Ru-{HevG9h z1)ew=>EJOHkzPri5RUUsmYq2*(R>*Hs3bP7^iD6smJ;STx?el(<@U*FS*f)aAO5C15u5#HJ z6|dO-nN!>XM<=W}ed{_{wfu{*ocnbrbQ*474|NIqzBb=SiJDnUp4a_}k!+%HfmA9; z??i`qtBp+2PE1>LAu9!qLIl=I z1yeRz7$sqBEjQO0zlXhNCBa60CEW`>pgRoEu%^ggcIG!OHJEO{;wA>OL__@OSFtJn7Md4H8a9 zoFVevj=h=Mdsipj&6XT-izW&~!oyY>k0X#qqWdGNC5^;+*3~|ciF6Vpgk8$r4~}gL z=!B-mU&U+9r5Ga^o!*wY&M|3dfyU!HwSG^vP)6@?i-2vW-})R#X^ z;d#MYT-Y0$Xo>WwV!X9draXoc0S%>VpHL^c6-I{Tz42(j=F>se1H~7|@S&fatJOF2 zKibGMN}q|K5LkdiZ<%T!3jOSL+T@)HtC0zIUZ3*tipAYoHTG!X?I4?`TB3n-PPU7I z8Y2Ns0|Sz$il^Ba*A|tOG0UTO^w4ucZm;`>-6D5V0oC0)&CA1sHS!DWms@$3=QFNw zKBLBQQ^eA$B^`8l9#lOPG=3g1e$)k~x)bPkj5F+PxxC}*SAMud5fpSYAKY%h-zNP# zv-2WT3!NnCc=g-u-|uo};nU%A$i(wQ99L9O=KYRsg+sn<-x#TfKPDczJte}oF!fk! 
z|MwD66sB#f(uB1nWxu`cr)JK$v!C}-LB8u`&FuI4Uy~oa9v(Z`0dpKTnnPFmTkfs{ zZsiiLHBj&_8i86J=fSyOj0Z5P>F!J4?3Pt&a_fVh8lsQk;T6h+gZ;*9#LR25u7<5l zKT;*rdrpi~q35Q`>bZF!E(>VKRh+C!ZUQmkD@Y8t`2*8I`7`2F?in`R4=n6)xAc%& zdbcAhfxk}V@9Y@&)TAx9l}QH}y;&I>dOUWl1y}yz%cu|e?!(Ny{Rix>pl?XBLbL;bmWqACiu+0Z#lD!fe{Ep_Og!^omX_+to9^_K96bkYRa+dw6+mQY!$YRHNwY!MQDs zP9x0{x#Jx+T7etVG%Qr1$dbNxrfP)W@?vOx)Gg@b$UgYDeZ$uH)e8gjjZ;SIV%{-) zKI{}#ttc&YsuXl&UDkf4Z$8xkHs5YDINd4sbP%G8nzGq358tfIz1bToe1qIchy=0v zXs=Exk84rA{}ueQp#Q(EVvDd<9Df6hEqxtK+YViNn(0cE!eD8k1?aDubnL3NxPjyq z5K;H13Ldkl>Hsv3?dWyrE;Nl+FixC0jAySGqBt7)dTFp00MZ{VmLx{Yts@#;!l83b z#C}Neu48ge;LE%e+deBhK{-GFQDxXL=}+RC1};Z^-Klns`~P-xN{bgX<}ABC4@km- ziB*c^p9CCJH;+B6P9+2Qtk@1wT$rtKSy+F(Yt{VLX)}JCr(t*#hT{A3GDl26TC!M2 zq81WEKQqWL8vh0tDS*q&jbC^#P7?%oU#qsLhwto_Hk3s^m8Wv_KnT~p(;GvgM0OM% z3z%IpJnQP5NP`#kGvE9EeMnXosy7C=x-;^fk+v^KRD||xQjd(N=Hi1fc6*tTuM|O6 zedN?AVkUa)3aB5rJtnm+sERmD-MFtGy6hF{Aa>_i6b_}Dh^Ox|F4tFsb=~i5VP0BN z_l`-Ckw1AdvNw9f$S#{lfz8|TGQ-t9+AWPP{3^``cxmhk?r>ca_#98b7qi?iq?Au6 zJo&G>!js2Pc5_MBvhiBr)f8KZkaw^oY5Zq-9)Yb2svi7ZpF z$G>d<@N9;b?bjILV8qMU$#S`YS5=3XRiFpgSj(0$HIlaSMA*X?y3=O(IY6Yt6n!Mz z5$a(#lJE8$PH(yzqrQW!N_l3m^ekIesA~7&;HF84=lRJ$2Gij#wNlX~IsAl+0bk8Y zd$%LNn|D~hLVDdkaqt^=TpFfpspw=!5S?TsR&Qs@Z1Rp&pEQ$wML|Z9s%Fg=51Z7S zsi}5*Hw_Q}wq0P-S5Ny^8nEsWxx$KrS)W#=n4Z@KklVF+eYGHhnfS0tK1nH=yY<3F z4^*325B!a2x9~236DaR?=+^@=ohmlNUk9bNnQ7xoXJ~>H^fT<yMso7Hq*)+X|}HzSEze=(O`FrIBV!6ZVWviaeiIUF6z3kSY2RSidgYD>0Z!50SsO^Cx(FcSiNXh_%VIR5MpB{1; z;GuBgg+aBq4_@qO^!_?k^^k~85C~SU-nwPelZ4UsWgS{uJqd)*Nx~W^7@RxB9Da+x zeSA%J9WEcs^q<5eMZi6QE_T%Up{F_zwXm^6SXw|amHG5-LW(R%8n2?e6lHn6(V|Ye z)i!Nt9*n0Ces&sActW9VnU(qB9V?(2lJdYh)|iGz$z4k1M**m$tp0Ky0W(zQE){YFayWG$AYEG6ki{@hx#xrTzE37`TtGdJ-qQ zgWx<(%|*8b?2G8&eK^|w){=NGY2_1kX#*s3C3M(kG&Lu&hG?g~Y2k#|mXC9#*u1X$ zqFxR~AjLe%KYzZ{!)pwBm*OQjZ1Vm0z?d?j1q%rN$8nx)?=PB{5-L7CU@<{0Cl~U} zEz~v+B>fF8X(NrGFdDX$m#E#e1sNgz`4WHtxV#LEn=>?wTT)G3_7W9~2MldY*s>(s zN*s0996^CavKi`fPx0jy^3Z6u!cg_I{QfjCBWQ$dJy;269}N^!-C3j(45Ki=nE7TT 
zcexPvj?Q8WnAI*&Dik7*DkpmPz|q^X_JMVnz@Z_n8DR-N3Ozw2&} zKub!(G8`J(s=Q3GKU&Of??Edb4^Yy}e0pLrFo7yZc?a|6KA*BfF@=mA95vhH@k=Mw zxM3%>JP#Yd+maIloY+pV%p5otIbFlMeFz!KG)&@>!0PLH*tOTP1E?83ViiBNtK8Fp?^V8z{V^u|Q|MRy=-E1wc>>)`~ zMryWMM+3vEBxzR-%06r#Z(FBjuvrc0e|aB8d1QBgxzVYR>{?1%nml6gu?hHV?N$%= z%Kel9#uxH(Qzz##v}2N3j7v_|#;|rU93h6G$Pn4#zsc_$Sg9>nq|?0 z9jD#bDOTDo6N&v?6SuV!l>*)9n|=ZjT_qH9gz7lcvjJfiVt$VyNAl$vJ6YYgKzZ|C zn@+3z{*T-?KEvp*g%kZPGRNwR9%pQWzSgPE#6uUprig~~( zQhmXO%lLykza$UCRxyFoX1uv#ITsQfrBt@Ox!a0w_Z%c2MkczHrH=e*lAlk|Zu32l zZhtw@KD&H6y%mdSMC#F6Wk?`ivN4+8TTx_N&&khIf;y>1tiSSR;17dXJ&|UoaH@N) zbiu%73k|rS@D>l~L+2muRySofgJHud*z#%xsjyfNJd=!io+G`0YL{LaRVlL9IFyzN zewP|#CC^XZbh&bO^Zho&e{F!F08O74DW%u|*3}-4SN~qK9!jvcY>rU!@Fby}N%c&# zqp%eQp;S2YTUk&Kma^t}`t4S;kwCednKbp3pkHY$f|vFKgpgcW9RVJfgwZ)q*4p$ zU}#3ck!93UKC=lnw?^1s{8=QJUjPwuh9U=epZH^0o?Ap)_n+y#6W>;Td`=(uk`o7{ z8&=JEA1o{tp+La^+(uEzKQ#*ka_v{vKQT<)J@ZEP!iquPQ(imIJK@$n#!>!5e$PTE z6iF72wiva4zG*X^lu5KV|gnQje8O5-e+w7^WQ^4=XlCWw0Ro zEuM%pr_KEexJWo{E0ps7Xc4cexPs`qE)eXrzaJ;gIc_9+?|@!Z@v@zy0O;CGLoH@E z6-ZS>(sAX{HDWba0*}T!Rii^x4cm@`pxFyjOoXvw=pp_16A@}CacB=IAqgrhwC3>< z9Mq0fPZfEJdnOI9k1kC^^tcl)wjk#%i1;=1FlQy z(b#6iv8KE0yhm)ullE*kSaoO2yXdpJj&w( zil)0*t5a4dHwQO*orv@HB>Z-Q?k^WQ4>^a6dF%VvvkBwq%*f5{&9~5h3O%xY69_RD zjB4L)f*v#}^o)Y3dSV@hYrx^ZSJeuUKof-|N86%hl_V{Q`N%$lC^)0}6 zbHU{t@?IAK52|q+*6E*nE6@m{Q&46@=**Q45-I+KJcRb0*Gu)lPoI}cw^m2R?YiXh z$e>~4B?0m#MOK~nok+nJsu2ejbLdLL<99=w_JxhvN1 zA-HRKocWgbp#Gkb;)}%@cODRU+=#I$2tXP4hw*)E*UU(&D8Rj|s|#`m758+4di=f! 
z*AP%%g4h=G%7K9oNZoAbz?3$TJT3|56NXLF&Twlh+A@l&`-ltS3@wcNrk^u|qYafD zhaQBdv=Cpf8wTw}yG|>o0%=hXy8HAp;ZIa^pV>1^y66_%iVlWx05dzEIx*>?2(|+A z&C{?;2o~RVTB(>^g&xe94_C9C))p&?!s7Y~q_S1v%@b{mrzW<;e*R2XXn<_o2kwh~F85e1ctR zHup}9+aB~0NEWY5c^K1t-|5)w4gUm}FSyp_Uc*izj7>rAU8J)6J+zp!89O%T4{(7h zE7#|PJonD#2-R9{BZ6(-k3Ir_p+Z=*Q4kGFzm>*4W;i%jzNUPYBPTUV!+;F;Gag4q zx*%WQe)nCO`pa z+APl<1btEqS*(7i$hsQ%9_zg}k3q8}ZU_HEqr;CD$RJJMD5x0%#a-)6GPwcDq2cB^ z5C!xY+&*ID4@H2M#sNi!sA?UFYw$l^S;-4 zf_c2TQe~!0B5*fosun7C$6qNVRx%IkEXHNiqDJEXod{mMqq>rNmol)(Z6Igmf%-YB zU~ojs;y3|EzEYY>fw)Sj&CJYvY@aN5)}(atjVj3f&wrSVDQR?iX&sog;PbKUVV+Lg z`TLJSmy`6EopfJ*=PcmmoFwfB^6(t7wL2}WZF`@|Dsv4J-?Ad-KuM#g|E{`P!-bIx zovg67&2-W4QlYQuSio%CF|-C+alYRcQO~POX}1-vy22;z(}w*>pg0)2t}xisK6Zfm$5ZJd9kB-xYGnV6|0K_d#PhB}@L9*b#Ol=tE6 zftj2+FS2h&>y`?)ZAzvcz)BGP$szD!%e_!r(y)D&0U}j9M3nEl^s9q^sVcRvWW!H6 zz!h*y>0o!oLnago;Cyy*6lBWYB1IG5?7G6oBAjFxY(+1y5cWGY;ICU)=hbQd(EW`y z0iw|CZ+?GIaxGuF5QPE&f{_2Z0K&TAzW;7Bh*?yz0-0=V2-RWm_;~9)LTrt~1@$Tq zEP(+OdPBaotAss;S%A8~$rv%&JO!|HfBz%;9{Pc?B>*)H#z7gn*H=npQStsyhD7Dx zF8dhHc8f^X9N%KJJ}V#|Xy~>9r_9X||JYBleG*cAjGKqhLbMR@w8?|?4lyjAaEYwf zS>pufx4u3hB?E*VP>H?q*T}j2s2EolnOLlT!$H+PJ-_8j!-M|I?RN8o5U5{n2q>>^ zf2@u~?jvp*EUy~Yss64}h0VA9lB5#$m-0GJUrK`;|DEmUG2WP6pKqI@`qp6kTI(iT zz3s9CW7<)CI>@Cd2Q2$4oma>|@ldN>Wg1RTq3-c{{l7wzX_??9_(F{P>Cd36V3?G} zO>S8B9xkgVJ8N;qW=FU(@=%}M`0(v$EtgfrHi_2~)qRuY_b`%ZUzf)7tT#n_9m>#p zm0`;H7IbQxZ^KwyWxvim>b2_x88uel2XCZ6Pf7$d%5x$!X;w0>{zS{Dd%QMAtz~{- z=m+JbqM8eQd04qTZbO&om+yq-{i&S77p1+;flYt>{!xOjvGC3D{IzN~Pdh(wzK zrH=7s&$>WPttr8HA9o`b@EORl*YP?Ke}yA5Ijj8*$k49PL*LV}2QIJ>boPL)&R|pA zII^i~RKWs9wYF<}v}c;8c$B8WkdMCdr84zPP8m8)%C0(DqVD*!x|%e=ZC*dFVwDA; zEbKurW>qng^_3o8IaC)50r;p2XJE9Py-gyXfveOMc|)aq&V8dzrQrKa*Ek~qI%3~I zs;N&ftz3%#wfB{8QGH+E%+S&y3@y^qoerg>go>n;p>zz=(j5Xbq<{_~-6`E& z(jYL@J>TE&`}_&db=@!S^KPB%T6^uY_S)xs_Btz)EC-LdMvlw$XxH;iHphS)?ifr^ zj2Ri+?p{e2wv|w_g@uI*Hzk@JcFei(@1A`y@OsR5H~D#N_g4Z*di?GU^kBun@on{^R*=$~Xl=NpY zF&$%AxhM%lm2@!OuQE-sFz+RWhex#7nH2V|iTibk%gEsG^~EDYe6X%H3U4#LFyhcX 
zs?VZKUD$o0xg6&P^RdqlI;igsbBP@eSNxK{UunwHE?a4$t{P3F;^YUtaCZy&Z>ABn z;0K3?fSFUj50(aPHZ(~BLD8FCAm=Adsgrop7IriOD=XEp{sXn7%)rcUI?U2C^Id;K z6H(8^VLEL4M5sXu`>H{(E~VLr>nYxBX`ubC#U;5pd;H(i+~04W)FrBD!b3;r+7iBB zMX8=pn-Dm!XQ^fw(h^mvUc&SY%t%NTx7+UI2l4^*PCL8Q8Ai`8CddZi2 zY=0I$ToUhZ{t0?E|Js4d)#C{(%Zwl3kz#0R!6-7qqvOa6q^t7q9z*7O&$QE zo5=;fVovpkoZOmO{pDJja!eQX66Y9jSNCzzyEYOUTiB0Rcoh-0;hy=E>wW8j3_s#p z4lR0eis6;moT9mpgH~>{ZxJmnjdwTq9mgbE*Qx3VUYw>BBbH2{)C!f+>MC@EMrbaZ zzv3nehc-sTRR3cIbwYIXV+2D%^|kMmo44b&ECGhjmJBW6E}x{yBx>@;%s;fi#EtrR zHu6$7x`)bEKZJ*Rr1DczIguEn1^!Bzk@83CqpBe3+|GVN8%Z3SSt4}M0C}XbR%WG(-3PY!_M~`tSYrYU z+c$5tIk8}` zOith^(`_hYHls6nepK*SaOB(~@o>^)jz7Dbx>i~W$Yx&u0$D>nw8Nyl^*kJ^4Cx0Hq=?=_)8vv{cDW(_ zD~h>p@QX4LAMRnqjp+~YJKXFI2xC`Yc#DLxR8)&d-oU7-gJ9fFmQ>R22P-xsq9Wn6p5(VAI%_5D{u5FB7b$GuA!Bm+DmNE5=tpq7|>${$B&e!dWh z6?3JX{TkQ^%my)woB)wnVWsj^P8hExaVU0tj15}xjEqmy`_|vxfCPVS(yO17USSZDtkhzUix}$+3lLq&WrszQ zHtll+6+FE1*@;E6^RHceVJJEe$yS|^MH#mOrF@DsAv^u$f#_-s-Z5l96rJ9ePj6_& zw*u(#=m;_Z&_uv5P{G@|kYYQe)LPfxXS*706I)*k8ISn5kplT!NO-+>66lE7>vx${ zAU@+jH{{1T!jj3XHkPjjgO_j+yC$p44s1Cx%aj^-9hrh(37-?}_nwFASF(m0U;b zm!mty1&!lNiFdmh6eIM);`3bjjJ0z-fubTb`MrNMMT2ipMfky(uNRL!mx@Yi712 zGQkPvqfNs3=BA7z7mtQX^EfXEBPCAbM}llr<{D|v$AcJH#=0&JkZgBm9xDo-at+keQeDUU!Z7w-T%jpg|G2yf zT^lz1Zq4nk+!P~K$UTy8NBC}9YBo{!NA41i@Fi!mA~n;wy!XJ#d5-2N5jU&MyY;rT z_|)t^7!`^=6Bs0lA0LOCd&rs1=S!$0jg2m&*V9$D-FQ`CrM2f%DHo|qM2^=;H%;`% z!V2`TAVR(ac9TKO0OA}WrWRkga)rp?Abe_;8tMdGZ>>HAHo!N zA?h*l^{GY8$#`nZIhn(0@95a*-xJ9Z?_rjN9b?=(R`;d#rP_IjaWU+miy@WILDVD= zfpa-1ohIU;&$}Mr6+Q`-S}+$iS#a@jd%uu;Dz=yihI{N@aMpev57}KGlUctQVg~ec zN&LMY`Zc@0oqsVpc4lq8YTYLnvxhYx z4R67qs$jkJ`$@h7F;!fGrY^gM|Lh_1LM{9s6jcH_}%Y znC(3&K20~;lzyy#4Hv%~>o?{)P&=7(c|SMV&7jvZklvVG41fM+0#O_eXVxMC#rozG zrrVK@Xrx|5jw-i>E91&xV0>C0ctM0Gg`&B$1;p$|HJ(;q2>< z6kh4J6QRR>Vf&>48iWhY!laYQBa+D~;3f%rHzk^#{EKDfqe*8ONd%48@JTz=h_=HB zlhpR_ZUQn_KJrmzP+WsXg1V zLNdZnFiAnaxos;(CRk}0(R!2FUqzM}j?`tGVma^{c~*hsj9Is~fERQ=8}iHOgQRUR 
z#St-QA3-ig>1o@bzlO}I<4v+PQqru5Fo+z(_7f#P&IkrwECb0voe(VqSGw2L>(Sg|_UGI*<&=x~eIG0j5xy^(S8F}Letx;|_OyA) zTD-aESs>e!H^i|$`EEt$++E^}>sM0nn8x)r7N+) zIwcZ}OmZiDnr+35K|uORk{#Nl(f5}4lQ+`IZceq=)zz5V1^7@vx%jCqE@?-J4i@{_zX^l=D6LRAxT#ggVs0%OCU@Q)t$XL=DnA_W3 zhWtGk(oSs=yS^F?2kTtc?#A8!%$5s-J(kj9V&Z=6r`#?oWHNgUiYUr?OEcBw(Z-D$$M!!(V8?_05GN$H*-a>i#lCHJQL zF4kjz*OPH-!A+I>#lK+r#EYsQE{dxBt)A#!pH$7Y`r+fgG_9w+X}=*gxAnSpY97J6 zJXvtoV&deG`j#&E)b(qOpp6djc`1Fcg(*zV+n-_S^zDz48>l~})4`iX&z^sHQhAMZ zZjiA3%3bJ37HvlURKdS7YAdB=6N3}<&Ney~lNGPy)Qt_X`(C$dDy?f7O)KTfd<~#4 zTk0g2km^-}ouZ`nOX(4?{#kAh9lnBq=l5Xnvxy$9lR3^9Id6wkTDKf|{DmEPD9%eM zG000`K|m$mI@NRI7V~Q=s{l*iq&Cjr*T4cSwC?J#&|^dJVdu*DG2|dN0kxHsls3Gi z2KUR@LD+w8m?gETs+(c;C#D>$1pYrxM+iPzlDgM&@9qDtp%%1rZ}a(4`K#H!hcwye zg&d2N3VwTUbEJ@etoZ4&A8xl1$vOKD+uhyW$Cb;d$_|Hy#qYWSN*}~Ef#p))zfm_V z2l!rGWO*%lYYZ;>UoLjkW?xj;JrlNW@x+(8nH^y?L5-)Hxczb=G|lQgY+R39NHwjFRLsmHg);Pkp!Iw>XYe&D= zN+x!X|KaV}H+?{@vhjPXPTutEwYWl;&ay8Xy&IQ2-(==IT<0*gpvqfOE@uMdjVI(1 z-z>^~P9B?{Jf563y?AHpF&QHSJiovVSiyz=7)(1su^xYtz52wqe|>RoOGeUgiw=EsMd^@yEzjPAkMTqv0O?QOOtTZ$qICMDOO*s)cc@G$cp}VrYBq;%m zEMLVggO*TJ4O2&Yffst=CC?8a$@lv1Ozf`79Me<#daCCiYw!AUZu^dBM*=*r&P!zd z>tAZ}EKlUzpQk6^w)5Y%A7@`8OZKjpj_#IL5%+tDFcSYAMOgV#Mp+iDoY`Wvhb_23 z%37e|Ubu9cmeFS?Zx!7!cj$QK6N!o4nBaq`+DdA`ZYs{wJ-Vl*XbOF;Y&sS?azKxe zKk#}W{GaGsM(}l?7P0L8x-9s1aO8H-`Qh#|mHK*ay2TT^5{w)6PcQ*Pz)pBT={Wc# zQj0L~;WE%vGo^1$>)~9BL@VGlF?_oD(4zx(+Y2Lf@>{11S1$P3&~RzX!;sL<1B{u?kA zSOFQn_FZ01Z?(GH^2zpDzHV`gliUI=3wFEFTEy9GXAv|WK0iX9(K=G4HHhisIV_*Cf!-W)Vory6@gmI7`L zww8R49F_tf?$!*C{UEk*r{;?(9M~W3hc0T<_lIm7$(K_`PP{YEFMhurS`BAfs(9a2 zW42R@3Bh!5?I02tSw@e6Gtw(d_q6ImSJc*zeK@y+%cwlAXyEOM^6SDwZMy)obsum(-$m({P7u=vw4b0Kd83*O+Qhx$#}~T?N;Dk8&Nq-!Ybj0-dSPZV}P+ z)wg%$vGN&rF)bEza&Pms4SXXPjE^`a!q*h*q`hCBL(w1mcITfidkC<4sO+ zB0t{9eUA)>?_7uNPA%8PX`MHJYPELFS=n7FFo=`nL&?+SmwCx&HIPv z>Lr)-j|jTV(c#NZnrJ)mOg;@H0QeJTCsD(h7{d}ZrOJNEj1o)#(Vn|0N;NSY(Xnl* zTSu>NRULm(RXJ?(E0;O&F8%aYs3^H6gO6XUZ~P?YybUI3!P*lOG~3}sm6)nJsE5H*DHs)s3%N8yWIvXHV$J`9X1J-#?@ 
z(I(IFJMDATFvJ-SXA022C)qS2AH2R;b}P=2lmvL7RV!WyE{=T-Iv24+hk6dqJ$m}e zxS&t_6fZ zN5Qwp9c)^d8$p=FoK%a^{4M$-P+fNG2*P|V*}FQIAxl93sMC)_XBoO4%l^3~_yWCX z)aF*syY6shhBXu5-_rqpeh+gtB@PjrqC5oJ!V^fkR?v&e-$2vozq$QgAY5Vposv~h ziDu=iel2MwXYad<=>f^z`0eS$ojt8SRTK%ZVbRm*buk{R8l81N!{>9^X)@-1V2s#? zf!WEv>;d@uKKy5j@0=+r@m>wT@Qzj;1t!4~*P-T01&<$I&dpryKciryytwFrZ@)UA zr)KO%PMi2vn(El{fb6=7`G2LF23*5FUYd)EgvF}LCU#UQ7FB} z6fUpNtnJ&-yK{4Y)0X0rFjU#i$Lxb8p8&zD5_frI5G4vEeF)LwzCEANdMOy=OK$)> z9AhVuIhOM;yLH^&r$NTbe+GZDjYxT={eko|>xadcq3^m^90*7ZL+n1&jR$M|#xVzt zMU0PY52c>_4F){@9C=o!&~DIOaJv8|%GdUfJHnTrQRC7)jBTrU%^~t_v9D zDJgjTIJyDedXFM{LuT(EQiE82`zXAB1K@w>@+n;FiiCtXulIup?~4d+iTdj5iI@Iq zydq&YS5&Z01;5U;qTUgyuqOAP<0Kb|5!nZ%&Sg2G#n9AYLXFas5uP>OBz6*p#!EKM zJ>}&&Kbp2?{cnXCLu^iuzbbU-k!5R|m-V@aoylKOMJKI#tcFsja3LDEW|9%&yzLTS zy3ZL49RJZR@$6-7~up0UTfreRvC{fgR0d|Nc=_ed3dZKLTC0M2lzQ%HoO z#6O@+Nv|6V^WQCkP;BD6B%l4zer6DzG{U^McPa89*e`Ovuo)05U@7>TvjX1fJLpB0 zxo~hcItpT3Gpao%OWBaI03GeAF@=%M zA!oIfxLu*#7=GZsP@rpWp8Z*>_yzY_;L>Cb4gpcWT6X~q`~$BR%DC@ddb_v!m4~VS zQ_Yo@N=*Rdwbau}Z5o4Xuxc%{S#bAjWrlZ21ekA`{yg=Mw?YtUkeOjnwvPV(c?iiN z=n4xP9G5&B6pq&Gyh*@fhp7(Q^)&n6Ev3;GygJF`V#HUw?RbxHSzi~$d`qo(n@13x zCn(d|V76>RR(o!Obq8p(>^Fw2`j6%?QT!i?zHOGODTW- zh1=0D&ffRPFU6H*h&i18%_(hv18druohmv7hH`5`84JYDFh!LY{zcy0?fZaPmFf2-Fy^<>c*e_Zte-kF5x-ztLah|M09`(tk-o zgqv#7j;GpPzYc|oUHaYdx#`2<{-vT7?HN;Gz{+~(H({v#$87aeW_ zn|Eq$?#1ek@@&7n@UZ+ra1ww01cyxTMBzH6)6Ea<2n@Rqvxk!%+y^oe`RjHlSHA;4SPeVY4!;TPBe81BY+oY*NTPLuS@7=%Lvit#`;*)k$61AE@Q$ zjg7$h{j%0p%7uy9NVrU*HAxxhrxG#p_TE!cJjJEqECcmm*tfTDXAIgAwm8p#+u+n5 zx9|+~Afcn$txV;wPAX*nvQ&+N4nI!cFNh(9jzElRt%94S>Y}<}kL(kpRw8xTVTZkS zYshQIkEEyGk#bDH3h`(uyuzVaB%i>@)4ZX|TZ8NuW=&7xLtLBcbW()LRItc{U#ytQ zo7Eazpb)>oOzC*6z(~2L@pwEza*z74G5QDoL$Lyl#L&6$+H>x0>g~Fy`aVhip6;5P zzZdWa-EeQGiKzPOUQewh8$(cK=h%R7g@xvK~r=kL0(;^M@w>FO4!{XKJ&YLXu7^(d=0He=Dx z-fMd&^r7nwLr+bdWMkUxi-!nTzO8%j!)m+M)IBajv6K;wiEVlQ33gyDi(KSUbkR)m z0CM-|Dd;Sd`sNeA!SPhwru0@V=fO#Z;8_+20xgJTDveb6?~|CJ5rZ%746`Xi>R4Vst(Sr5Sa^4227$Tv2`UdwYyOn|jhJGwqP3 
z_|1)^$eA7ArX=ZsuXsGvSONizf*JY|l!~ODp{LQP!3^->Jf*UUL<;=5DNE8qG4!z5 zPifmXN#wKldRqND%)3YZ1wlxUv;bD(4s(78UhGr8!bPe-3nL*EM->bN8mNf3x}St7 z?RY#bccRR##r=%@$wIQ3EHk8jzM8?u^S?dmDT)#KDnSid@11OW^w=ZF%sg-Wn>!U8 z__JiDfAC4;heb`rY}MTP>X4#tEBgWV%@fAVcrpJCD--ED=h(Rl{ka*X{*@1R{mKk~ z95-gD6DNdq;nC`SZ;}y<{PuB60VMr@A#0tp*(1X*C`slOX0H`8Y=sM7)ply|M4oYz z&4iG)G2xLaTUK20Himea8zfcx>M^KS52<%8GpH?Nb78hSiegphWgIgjC}trQ{D%m? zW1RVrHK%ScIBL5wRlDa1#N?@{7!yevM+nR?`~B#zwj@Z(bC&F)mvK^o&Iexk@`R;2 zpv!)dzH}nLuEbRDk3zblX{Jm}dXTofbm)xf8;;1dsI-cG5WI56o%RdS3%yY&7JX_C z1L!FgE&I|-#p-TbYb-b9C3|25;Vdx_KJ!Mp&#Bk?>-o;<~= zChmi8RyQiZTK<#|8L4w&Zk+zqDcxfC13#6HXAXxXWr#?6-p;uMRu;9<*=IrK6%|GU z=I}x=pMO_T1LlLxZn76(&Y`a-IO$JzHRI2l^I= zk(lsyh`9-E!wWY3FRs%Wh=%=d1>=8y=S1rpG9-DZkyYWA0_1bal5j#6<=c4~HtSsk ztdzXJ1l8{~j5?ykm;Kxz+@E@#FhhZIztT7yKX}^)umO!QfPW3^xxh;e=)O*&HzvBs0aa8hs*LV}| z!&ZS~NmT2HFW^W9%$fJF^_2{H+4IOQRjx=fFYm`VCnm+EtKK|i#_{%)142`jl!%;f zOp3ikNZC((&Qc?fesX(nnQV?d->i*g%lYTp*hQB{#o6F;WLpxMfM$~}4MByv3|sN5 z-}9h7^jmJLNOAY)RU$(Mo=ud<2r1z6v8f5O0{Ns%pmDiH+36#cb4h+g<(_!3n)a}Q z@n*zLqYIf8Q>eOE%3aa`QN~XBTkV<`Td@{Xak9m??-RB-A@6{Wd#uc?S0$nT3JbnL zkGhRC;Wvg+AnPw){+90|E4%&sU4H{~5hl&xB||-=QdZ`ZHO=phz0FwmgJn}xwle#H zQ`jb(Ay!1Rauq_2xp_Zo<_d+6^`meyiIu7-5(vHeIh8sO?7*r z%E=+!viDqT{Zw1#he~443o~^kjFEMDsjV~%HTtdyNdLYtrFwPjtTu}8ej^}TN`X9* zwR7{?BjV_UlMw0~2A4n@oGXL)WvDq`uhfTFF1SHiIeqQY&!)nC$|S$Z&l!*NdGHhl zOX6g^FaIo34W{4JMmJui-BMMNk^>sM*mbkVt?`Ht0gf-)KTz#OiEe?TJvs%9n$U^0 zox9W@o$ zEA|_~?v_oD()x!!jHX${B-dk=EyKOVWX*FpmwCUHR^?#8eW=7yEKV`xUA|mag=@(6liXx*6FU!H1buvxeR1S@{0R)eQZn-v;pcvl9rP#`>p(ZvDVs|R<;XwBv7*%8gEIx~r#z#gUYNPe3UX+(p2 za=}us?BRSSEGxuS&}9&{1{*6K%$nrGjb-I4#O6o?yDhW2*m4=4MTkaJ*Gx8fTco`N zXXjC%t9CHS z@Yf^jKO6L;o+RXG4ohvE7BSaQWgSIp*viM*P$VT$dJs)RVtsE9rD^Rcvs)S?2`0G^ z96%!=@H4A9gbgx;8UBHbTt95h2@Ujld`I zDy0+q^2-wz9PInx5M?acWZZoUrz37#gSa7I_XGSB& zW5$m6JO+U713e?-=%I4|9KRv_VTz6zwk-;(57Hy>2j|h=gDQPv7oH)-J!ke&NF0yr z;Tr|Xg;C>?2si(<%jDqE!pfRI^YFKPdRITia4wP^VvxcxG|~Yv0W4CeW6a?AN1aUV 
zin^v5R+&9&lVT%fX9kX~xY(Pn<%3%$CJenuEOB+x>F9UX>Ulh!!l!BfMP5}Q+EcLSMxi{4X?2e1WD}Geo(Q|N966R6s7y9tEK@ z)&B}iV@1;(vlRwq|IVnIR7GBrD&ecvzXDmw&~%^mkQ&>6pDHF4jXkU52mSsP$R3HN zRmJRdpZz-{9<+|)LM^uv{}rf;rZsB}YTx`jqyJOE{|_s;<$qa_BS`ZF{|yHEQhllU J0Xevl5okMLemP+S~-Ry43TGO~6swQ(eTE=U2-IANxw z=BOqu#cg0?#h_336MpBaB zk2qTJk*Z0{kqFw@89bBy)^<3z!9mwtr`MVq;BL@R}Gh0V98*7qZlK!gb&)@xf8o8MLrzUHMznTSaAmgt)j7$t~8UK_G&&vDjDz}`Oi;<d5^P}=I{uwiV)Wc|Gbp(WW2;xHTm0TX|q&-Q+?wGzy-vcMj zE7zeX2)+|yke7ea;i7-=uH!n?L@cWl(PnIttTVq|)gZLFQT-bZ zM^t-1l83>2gTwQ8ZeMC34bYvvr0KK{-NV=Q4fWxWW^EQtS)j5k;PmvA^36vCl>a)u z8H>D|@1OBo|F5g?hdz=c7$FlrKzfJpkK;oH{HjTXN0BM^e;4y^6&ji$h`eu~d%7K$ z&Vp9i6o>WB+jF3URc3L6P)u zLy(zZ?|E1bgQo0oO*1uh#Bg)?iO;E_HEJs zK_e922I!oF;#fnCw<|8Xmr%6g7 z_DIc%p@~&|cUIGAw>(4~S9_IOcD^CSae%GB5ix;L)oiBnWX;%B-=HcYm(~6of*+B` z+xME5OY}w;wrPW$WWsHM8DUcoI&kyrNqYnOqG5KTb-DI3GR0K=^&+V?OkWOLJZv zACd5#54?rZOLlaIQFh0HNf`s zxjW4bd(Ancva)U^c1!8sBHwWH9f|oWDZgoZyXl9nR3LP|X)r?M{z^$zRReg;_?g2f z_X<)IzpOeioE{=M%nRths*Z0x63mt}kB=_bM||y9AJyE)p3_b`#%WDH9_9_M9AAVy zl6XQZmx@Ceu6~UuY|KDuG*8Lw2Fe)Yhjn9n_7eK$IYT?R{+@{MPBBo5cIH5u)lNq1 z{f~o%u-#xz#j9o?#{Kdf#my~nW*lVGjQf8W>b2ZZ&;sdMs2Q8s=rtc|wyO<`Q%d9U zu!}fAHKeQx7@9ft(wA$Ku;g${v!@mp^ESM3x#&He7&e=@=Ddl2PGC| zQ(2|Jg$^om^Zt{ghexYX=Z%xgG^STY4>2A*BtiIn$l)M8q~*yKYidK|*0vW9c9~Ht zR%uTHdcoXBa(D zq8iM8+N3{D6JR{3RNh-7QM7Xx@)BS#-BSR`%PAj)M7$^DrfxkFZVis*vtsyk1G~mQ z0p7*r1U|;J3K_vsB{#d?l{U8|Pv(%#v|BOf4SSlrkmlOz&-t9lQlby9G$M&ZHdm7I zl%J6YcGyL=>5t`jxbtahx((kZR~DGle&O7l_7YT3Gx^rATgL#v=Qq12?>bS?bQvHJpb*Sd<`hv`C$X?@-8pke^4` zeK%LKx_`T@OUdoZ3~J=7ds(;hRwd*6U}a8W!iPfFfwSx6Mkd75J` z5_?pwcz-E~xVm4Xpqr|1o-}u;DtB94{TMMxdp2^R#(|rktyZVgPH5n+DJ^`+8I#qs z*&YM^@1gi{ghXJK*;<}zE1>YKR}oyr)OZ$zEQ3t&L(HI)Gi367rVm4L($c5sfrAMX zXmf5l$z1agc@JR}^u#`QRof|HGO;9_?Wsr%r1Q$I`syL+XRxyK~vl#O2 z&TczyWY%}Re@uIhtCJ6jOCver8My))JaSnUa@WW`^|-jKwlEoaguCGymj*kZ%*E_x z8y|nIPoH+jokC%hJx-}CC12skkXLIb2h^6?LKn!!dcRm*k=mJu+Vwc;jp4miStd)4d#@jpE(oivQe`>L) zQ!Dy6-P`4Zo$)>~T5esB%pZqcUH(~ExooZ97~W9vhReBJls0J 
zUS^oxzof5G8;aPjOy4i->TIv4mZo;{k}N236oJt9?2OB!<_@aIy&T-3lX4`@r)5`I zxx60D6CKLv#E-}bbeG8^-scI3<_RGtQAJ5!h{J*WB~cI_DvM;O)A6iyQc&YnEfA&K zOGwWw+pdH$F^$v8@a!4}155$slZf=1>l+^mu+e+5m$K9|8Cy~t!w(t%XkjfuGZ;tHPKJNF><6J+ zJ|)2uRzvkU`yOTLLGVcT=-G{b25dlkon^?>@eVdIsef~U=XNq&TiI!=xr>qKJ>$Ad zCX3Usj%ULCbJoUTu^MauIGSC<-|C%C+>uLITmB4MP2x&%L6eJh=qFZnq{J}MCU&r^9myHVfs(L98FIHaEpHAew(n??-?_sc671Nd?W?8L&#SmbmiaYbv?w=9`Tw9qu&3$aR}}_Cr5y z=1j~F@gJY_9>pmSUbIK?#0=Mj(3PKsn=NG3*v3j&b&@V6U+td2(yj3XjrV1+feuK* z3|^hV=*j%rcrt(Ny)R)OoefprY;J8Ae?Ok7n)V~pk+VV8c?+91xqYk+BD&@TSw?$Z z&nnIM8g|WgiM8KhQ}f7jg*!mM2yA}cy1iaJZec>FZE;`X?dyvt(|o;jN?BpzuDL|j zv>TXGY)6&8Qd)fRTB7NwyCx@g0nL$Ls zC>FA}=>br1pLeNP98N>poI8&MQA;5m&~4FCU-Z%5H~jD!S;ngo$et#)yZ+0LQht9i zODXf9jLlsSPT#-nRwZH|abEoUc)q7CzCJO<(k7ItEbpEoXi z5)M})(#h|IdP)9EQ6qkFqzo>BT=xLjeB_kvIITrJ%W^kr} zWPGHSWOQk$^FkT6qVk$sqBHwyr%3oQm1wiug*qCZVKAG}ZEu02cOMmG@j^PKoU87b zJ?KW3|8-P+1Iyss_NzC7_2JMep-J8Jti?Ni;UI!#DN)Bh6)R{@CLh3VuvwvKW0cq} zuXMVc2H(3}Cg9jtN|^fSlBQhirJBss%F>oxcw60Uk^YEn{)YouJ6|8RPWYk`mOnT! zjsj8VU`(0W6WY}G9JN;qNYy#JJFQeUxg91Gd;6`LdbLTGn0t0Kor5V~?%-Cd#7TN- zlIX|{ecz=YXinHpOagQG8buiLj&Cjng$Q0AiV9Pc3K8-cI}G9^NCpbn>3R`+=& z4L=)qZ#3uOY*9@_46s{V9XM!ovp#MT%)B;ekv=)8>4yzwj(>f_N%^(uL)mEtg#h3v z-9GrOZe44>{NU-$<@8G=;O2C6tIzr5A=X53#mIiG!P$psZSMrUy(SI`kx{gBODF1= z@I~CwJJ`4n@itxufV98d=v^I$Fp6v>8knywNYgDQGSzX(CXG<1$$VXT0&-ta@X;3K z&~p7+#7~;~VvP6DOGlnnuPN$1C)p2o7hK&A;dB*0kN+|vxjX*C$qREs0 zQLMVb2qfq+t{mRCyf;5>RK}Lyt0k!)qKBU2%B|7-!JTsjCOfy3>JV-3C+VzJ;-Dim zlxd?YSgUpxA4Tg~w;~aB$I)_FpV)k%A3~*xJg10cl?2Oy3U3fh`OSrKa1Zq{_?`c( zJC-rYxIP(;U;EMw_J3+=5_!|GnA^MlYPq@?JAmcSwxPVl)=q*o=V312RrOeEHJ!rQNi?s>zPV0~Js)XZXoYdJVgZz?C zZ204YyeZ*@4A{91xlYc&o(EF9bbHwZw?kp+y`zPaGy!6-DKUKZ#F3e{ZTl%F zwjf-cPZ;P&u3gtjEcl-we1|6mGOZOwO=>L|r#yR~dcve#-`~Q{saAEE8^hOzMXM?` zp#qnZO{&2+{cH2i_@-xvh8cku1$I

*Yq{yYsu(3&aJ(&b**a&lRqp<*(78?K+=p+A{?G)p#$t? zGyC5=17P&|jb2wKKbR%s7G=Hpmr=AWD+~Mfv3MwddVRNWR{N|+JEJIz19p2|DZM6@ z&g&tnps#Yr4%!z4@_VU(4qIU-@zu_3b{uD8$gvnilP9q2QCY-lN~39K!)F+Tm1%2v zW$RJryhcdU`#qsg|MC?Pe7?Miygs!OJABrrpk;3ag*h4bf8DFto@w?Jr{QjN?yZB0 zjJnquuEU@}GW$iWh0s{R>$6}b{p#7l*OnF6=Cj2tw6eTT!8mE-g`fB8y6~`*jJ>8^ zW_~=vZTF{QQAAsIrE(>D=e)H#76ni(+tvy>-Q}$Yf4d&BMWF?vOXzwk<7^uhvCm3$ z6FLihf>0O*l58?I(200or%>XSIn?!6$`Xe>ZOFOZAlv_NQM+PJVM9cBtOG3CI0($S zgOzqPO>xIbsXJ&Bd)OB52+pBZW7-4DandLx8@XCfIBFi6By`F!a83>N*W2Hoj{?)i zZiiaCZ4&k%z+-2>*}g@H52Co*J9_8k8%(&xqPB3V6WDjK$zQW=9iN>ZoH9{7eI&G) zD9fbxfEf$G+)zbka8a!=ytJL%a+^Y$PFEAtYw+U)++Ta|eZ#-=@g7PvHGRl=Ej;6H zqrK<8LbK1Jr}Or}iC$2y zKNWYt)Efa~lw^Ju?+Bv6pXOpAGYPshtr7`$No7tSAy|V+*$T}CpOe;t>h=~FGcpC8 zHidlX<@p-yLWdTLs7|&Czw>GTx zd!i!~H*!j`8Ji(5KOy~*Hv=LW!m(+_7W2j$@(gRaa*BR=j7l%}eEwFNzgFZsi#L&X zIGz?}4_5yun7^9uLx7aAv-;7O`tKQbuYi0eWJ%m{+_!B;jTe2n9I&ri?neEo=q(Pt z%N`?3>lX3OA^)wZeih_1@eaWPq|v768~W$P?h`&wKHzD7Fzmi}!T)^!z(aXAZT4LD z3G*NAelI$ZC=raP-ZC5h8J+ut>2vsNRt7?lUjIRW?(L(8SRc!=UcF}iBY5r;m5(3F z{V(tHZu&{+v)6yDtNVlo;sa`);w8X)k$?5WH+a2BB7x8T)vRJ4gxIu+gIE%>zg60O zf4}*Zcpw|9|g(AF-bVT+ACV5P8MWJLU!( z$&EYP@pkFQEG zM4LY)_6LW7PbxVWk^n8w)sl&Xa1b85{7$u9PKhSHX5rzTA`xT^jI8Xvty$*(b1|5h zNa&wy-t^_e%veH2HLFnVv#5t6l)!iu$2m+<?you!rBUC%V--w2DXOx!)#6T#lTic}{Ayi#oF40j_i< z&N;q_1EysPP{pke=~G1jWf3IgPwK9Di+`FxA~@BKKBMpxByYREPHTwb-x6YWvlb=4 z`gAl(Nje-<8F42#1KD?5ZGZHS!9_svR{%MdJ?=o8;kkV|w=JM9e!H$=u`8iytRi

s1>BX2e(XdM*HZbc@+hBx|^ z6dr-)2B2->PMx6W@*|5ZN+Spt7#A3^%7*UtF?pB!h10e)Ak)PHmvFr<=#RDVTSTMe z?nKHxG{gW;-UNji z8jgPEa!KS>Tuc+#619oJv>_Ly=I@ko&y5L;18TqHl1+~CmMfz@ZH(?pHTYa^%q0wN z^sDSR?lGNxf0CvRs5*b~zC#Ma(XR0&M@?~!iduIlySp!f#FI$vXAH8GBJ0J+h?IA1 zXF*eG33bBlzX4~Tf)ZzZO3Z72b5u&zv-4xTyz>N9#J)u-x~b4U#-W&_%x;w)v+EVAo{DsH*^uOyZT}w~bec zl@=uU7@dX*%pS0w@%e@dJBZ`F1luDipFoleWu7TvkKlGb;{Ulq`SJE=UX-Vfl}9;+ z(6e6?yVClhIrU+Srh$>g?1Cz&q6aglNINc02ey~uNWl1R=-HRAKWhCjZ4|yH=M~rO z2k@y*7EvcwVP8IdNpNP&a)eH!p9@Z4hv5KFZM0GvulR%SE?-OB>^)w7uKeP^^ePFi zk6b+AX~TGqgPGM0fJaHwWIQd@r03h{z(}TX$cb46*z%^@)=8PtTk?owlz{}5jP_jH zYVTU8^>YCK(JSU^d;tk*!b6S1*ozH)dTD^efYanmk*|G-SxTb{%I2}$!*t#c$ywi# zJ?4bgim?F0){!Yb#%TvvDVQMS)VWktU^FOeV zVn|F6`*)SEim&9TvU;YIiFw}M`ify^K07>6U-Y6X_sHYw340KaZ=u7X82*70tNc}k zMT9*zRUftbEiv6TPD4F|Xg;gA@(xohW1>I-wF$~~V`V8n#cg}3d!kq^8He-jBY6~~ zpsA=wnqfEo0S+jePd`3Pe`woIfAD~q!^eCF-TKlN?Uy}~^5j8ob93`Ii<_HbDWW4< zW`AThv>D)jPIv$0=x3)gj&QG?Y3znBH-o_mV)qE_-D!6KGt4My0vlhDvU8CP(pJ_7 z-7u)>by(lwyFzbdScP5UF@Xoz^SW05?!Q~+qHBb&`yz5jBvT@OL zkzQy8HRz6bXQRkK?vmxHSOum|OO|(2=$K8s5#EA#^V$)2m-J4-IIp*caXbC2@l<$sz>UtO_K zjHdO-c@bnj@yWOx%fMFcV!4;4xY7o&-O~?JK+ZqStc&_zHSAHvW;k?DS$SuLEk4=T zXh5;*)ELTcI?Csf+;BLBapaU61P@TIc&Axfc>(6+3yGVBcec2tsFl5p$2qr<6xu6W zR+Y~&i*em=4=5pwd;(F=Y#hAS3R%5R+iH5Sukp$R@Nw}&X$lh}>tKUk9mi>d`^O^@ zH_s1)ROm=m48>1a>Oi6)kx8Fojy4;bw}k}$VLke!Bm3AcOeIgX-?{+`^cnHErm$7; zR6Hz&MSBwQ+Ewsn`g}%{c=n9|+^zVUhOPTOyK%(@F1=h;#b%yi1(LW=KqDveDd!K& zvKY8X*6aP*d?7kX^H({e{#;MUS{lGpRx6+4J&mdg1aU)RKB!3KlizhqqC;MnlcB0O zVlN%3yKmVjtZLoRUN**-@>fiqZb+_wMeN=IDrtaCPZfd}Jaem{GJv;Hxc@M1KU9!m zxZ!D1K2d!3Gwf<1=jJQeWj|Wr`_Bi3Y8!)!natWaxV@_M=U?P+B@Q|2KUK*JOv?vk zDL(gsh$&plX?R(Gbm)AT8B6)b*q_;e71E^9`CUb%3&jJyl)6$zd0b=d~3Gh(i004OsfsipGRL z+ns0R+D2L=;>-|~PiAC5R#3>Ua1wU;s8IZLSEw_?+OWEq!fL4o+tu4{@I{XAIWPO}r~J^wbG(ok6_arlfz+2H`41`7h*rc0CI?oj|?KB+K| zC2a6E*Vt20jyBOoACCFnsB& zb^QGdy|%!S*iY8;QZx3F0o+dI7PLc$TZM#A2V((YV^tQey;YL0nS~&tMB;7q9l~ATlh*tHW=1 zqy}tnG(vNg4#%$!yXNAQe@)IV=>Y}DPekrgxjg%hUdVH1Uk)4JzdDa+P;R%0d%ruQ 
z4m%!^RAe=eWr#gVjut|@Zv3)#o|Dsg-Cs1QF21E|;jawwd8W4}zB>^TtLBdh-Ie_! zr&GCxKSEK4X-LaGQ+b(Fa_JM@LLerQz&>^WVX7Q|9g#OWL-oG5=J@BmD3?q9#q+41 zEia~JF=3Y@&-$@lYJrpVSf%mxc*1hBg#sMf*<>>4>NMTc+W&aD9D+4Y#Y!$AYh{?L z-$(yBoTr34Hf<%muwxW}=)>^+@6yLV&43Q=%i1} zEpYin$fPu5qaecNDVRGw6irjEO`EFM#WUS22X^e|h*vQ6sj&N)SaF~tz5AluJtTk0 zhAKL%AePe-rGs)P>QJv&R@EQtw*dFa`b9VpmZXdP5Jc!$zZ#8wSXrjQ1k!AXH@$L< z+pBH62069*BOT%kqFK$TJtFd~lpz!0M8vsmyPYx!zqsCoU_q7&3{pjL88=jm6-?Kq zC<;9a+k0U^)5u{~>A;NuTvGL5w8_+IP$aMF(Tg8O<0d$%fqq1bY#-)Aut2&>G#xr$5g zL&I{}?KVot%{P%1JWF>;y^fSn%*)r8{!AvCSk5)H2{{(R!i<-U(edIUg;eY|H;h78 zr4NbGnYpyQJ!4-of;juc4j1E8DNTQn#N^40Zya_N^TT&*Z%<2~=sl>EtO_?t--VU9 z>|eE@lA$Lw!_K(1?SzA;lKX;hd>_$hJ4lE2uFVV4ixH zHB+ru+Di`CTt}DaK#Vl+=1FeMN+2?<*|sUypJgyV(|N%x)^jzOHkvCgP2%9$u{&mU z%e<|if>cU%vmddSnzjYu_$e@|+>kJ-siQu1Z+A3;nM+@@;D@b$@y3DcQO0+VNT0Yj zn$u+~%n_HpLsCH&_ru!yi@ac4AH5HT(-+X9cdC%JNJ?Q#K*PWI3pOQi{z9b9c(FwB zrcN3UmebzOGo@#O=hQqki{Nez=eAMh3l@7rt!Fb$h)L1-N*N#9(4F%Hq!WMIU=aDs zCNSiAWcQIaUYV0wHC2&GwRq*pNi91bd}lkEcb<61`%IR>ZtAVz#AtJqOc2o*NHLK| zMBMOG#<9^}8H`IV?;k%}THfIHXkHfae@As_08wh&K48o^@2Zn)niD}QqUOIYqKqR{ zA#p!tZa;Y=S}<+RqloslD_r_X2eUiL-~`DYR1v~m6|kA!auL8#>?Z>tpD2A@X_-V8 za;+12{PxH;g~**QN@r}yLg#F5G)GnE^HT^K6M8mDx$VpgGDrO+bMw^Av>T6_g_%gi zD@EC`H6=RO*vf5l?P!H^J6cg~onYcE!RqyLNnz~qq>kcde)hA&*$w*KXx_FPu>Ypb z94T0(ckw-%lT)BtwqcrT-(As$tsJySEX44{A{ncxHEAO6+*Gun%~=ZahAC}8wp+P5 z-9rrVH&*r&gW7X!HCFi`l%AVcZP|&>B%Kh)51RPZO>O*qg*QU`5bQl{VoJC3DM4d$4_QTeQJ~Yu8rI^Z5;AM-&zp z4ZIz`ybX-nt)7jB%gOx)n8zj0;Lyin%^f~^%ZpVk6|LgMnC%jWh5aeJiQ#MJoY>nP z=rv|FebVLnpp#c?&Fr9SkAgT@&r7!Ttfv30`h?A0+5p|+b2cb1-I|AzUZ#C5P zk^x(pOc$D6SxJzf;gQKv_ucDVmi}r2X!d_J+=1}7%f5YD*IJ>!=n_+4dx_`8I#w{B z=EKfJ+b)6xhrtMbZs9XGlJk^prC?;PVB3l>pSZR!p*c`{{63rOuF&D!N1xLkvZ{WC z{5uc1{}N%^rrGYev|?`3qcZL5phWL_3un&t#nmJq8s!T-FwX`z+76y9fh1m(08rYmgQY739!-nJ00+U~%ZR{yNU> zh!va-n9?L7sgre2QggkzvAF}~e>raY zy25;%kPXDWYBrou?L9qO3#YLBh7j|Tp)yZiCE6r$G3G0*7@HlwE9$rqjA!kHO`zWV zbzy9QCv9v$Wg+yFm}1dd)DkjnIHV}4i94Fvn@w2vI#nS^{UuQWww3Lz*aiI}4Z+<# 
z3-p5G2VL*r&%A=(LKS(9;j%}oHH$S1$=H5`(1>bJ#(uk1u{4(#%$mG&Zya|0u662$ ztW-x2Yg^dkTDyo6XRXw}zKc>En$lFPd#Kqp7c6632M0*hRhlhyygOcg8_rhLxAK*^ zscuePN;IIO=&+)IQvj8zdFoA)Nha%TGbtzX$@2x_9EQQ|PXy|2r{y_rN8(h2^d@X4 zLkg=&oWrvva0Z2hQBdEUNqVfBAMOoR0L0twXMy28bz`CeBk;rP+PgAkmvqloS{@bg z+grveAntYZMNF&imoWUa#aFWiMpcK7HRPsuEysgmZovyC>0DM$3DcHPaV8$UOE+c< zA!3{4K;wxT3WJ8h98Z{)#; z4+ui)y`g^b2E)T}88Q~idU`tX!FYFO2dHwq&Slq#0IL{k^eYI>I?@RzOvzciWsj>S zF`^6=YV4I=huQ0t;%ZVK1m^Ax^vO~O3iiOQ7gCGi0WDA z>f0IodN&76Pq$gC;>8#HO-H(MGwC6oy1jrhE8%r!T*hjN5_T}1^3?6w99&jJjkm^M z>f+#kwzgY)T5g}c@-lYDK~nIT+d4XZaH?5M}@HYM3WyPe80bQAe*6n8x5y+e3-T%nOm-N_OqE~pF>Ea=W3h= zw7}Llj(3*AnxYSR?auPp^pRR#gC;em9ZFJ~?8e6~EM#*pV`pZhQ&8J1&@Nq9guITu zJ6{LNkw4$uN}UveTO+|sz=>C1D#J!EcXE*<4b6t8VT3EYmMPt4FUGG7*9j5Ks4}?qz7w8tQ&y zOtI;jgsQn#0jzH7JXh&*?$Z6t(aT_pg(%2;MSbsf-P&6+ts;Q(Y)gxIc1&UGQyMjZ z9bKB12cLdh+WdSWUX`6`oSxmN1bf_3-Juevb^ZfbF8_vC9pm|LZ5A2yu7aAU=;Og` zC!7b8`*VO}_p5EDbEIh(F3*Bv%-Ux-A?L`&X~p9=5ya%3Tz*mh@p7|VdDeOJZSriU zBy9|_g>vpCHcqYBL(qygb*$vA{>}6VvspAnPn2k$|FS{x+QvwL#Ei*mJ677`a;G;5 z1hZDqDw-noY>CPB8{@P!wMI2@_d@s87yFZ6v|trKSh}4URe3nI0Y?Xc@pEt(g|C{E zPJKDd8M1Wjadgnxwj&=2p{Xx6NxDqgt{=PA+PPL31Wm~>yKJSxw0b*O7LQSByy08u zrrHB(I@k8k%dRmUGTyFnJaY2%yEw%K>6fLW1GNmHvH+_xzl{FrYWkVXH#x}Eg#mj(S@DV z2X`C;3n{LLj6c^4_z0%99AdKGaok65@%2 zPN)gIQ!o4)IJO>mobiZ=^uTih(+8lReYW~b~~qKwJ|pxY0+ETEX!}_)hoHC zzT;Xq3x%G;buYV-MD_(gTlY}==ZRaDy(`VDxhYCb*I|C0_?NV#blfxcU5}j1Cv}d% z^*>V_lLe^idKqJh&hIhT@+X|$Zz}fV=sOo~V&*4woZ?mls@HZwOYV`5|4eGROI>m>3HueW=NbI=sJ(+X(a+yt&Q6?e(Tuums z{Y*bs(DTu?1#%D|_n@rr!2P6c)J7dtudsIBcK3@u0yUWI5v^t(o6ta9RW59GG6G|E zZGYrE08`w6=3q;kW?^9}ggetighVbRG}@jHE&OL{g~Z3$z5R0Lcl~swQ%+3a-0n8C z*K>L|F57Nxk6B7<+VzhPNFC9vW-;eovdm zAv?c@D?F(Ur2{d>nUq1-tW(k#V-&9NdEA%SkEnK7#cLY%23M$dBzkmD26~gREkKxE z&*Bbu%m&c#XqoYgPdPi!^d$rpe_T6L7^vB};v{hoh393gL0FdWIf>tJAMAVJ>#F-w z=|d2ozRdZgolWGN`i4E&f?TJ)Z_j@h@YefEagWQ8u{r;VjVhqbm7I~thMY+0a8`&& zseIcUjj<6UGlWs5X8>wEXh{MVnJCMyddh>2bb)S^Y1>7}R96O&)vLd|^`Dy+G{mw_ zWh;Y-S=XV)b)7S`G>SX}@oXv}555rQmEKQi-dOH+$c 
zyien3aMx$83yD46Uen^_c^@&Hf;{*3u7CPHse2i=rrWHA2a=QGNPnoWAiaBNUmO6Zp{h!zZ41^bn)eT4-_7%n z^dPWN=F*zQ2i=t?wvKA-wx9DZcMy4}!%+lLkrsxNl|@;~(-h*>Iw|sr10fTSG#TQ& z8%N{Rd%zBxA`*sIZyJB|1th{8$^rirz=3-!KbAw7>; z8W7_;&~yQn^)^h+`pm1!f-Tts`V33uQjM!zra?n|6D0kt$9zEs=MpY?jA`FE z&*y%wQmVrd9#oYgl5vJp?w zaF5ysW65ppJ{j*Aji>KeaNo8kPEBH&w$M2H`PNdHkUP;n_!X`8XkMI&Ew)O0zXv>m zqLn+NPk8EPeH=U!l@wk|+d-wO9rvj)=Z5#uS6O03wMFb?Dr4URFh?yLk^g^WLFodijvrJ^hVwzr!$nVT8Q;ZvZ-D1WDs8 z&Ma3m=;&X!ysF^<^o=DkAKvf%mp|xn3J0A2k#c@4y!~JMW{yh3C z0pHR1SYF`@)U8DO2iA^&^uHJHb2AIJS=hZ*uMR)2vkek(ht-ZQHS!{TYvCo3NBs}# zeL(>S!chw3vlUq3(@LB=cCDo0XrEk{S~quJ8ayXYvC_{!G=NGspD8 z*6-?!&1^*^YY3=Xpivi_S=StFDs$_F#J!$~eYzoEtJ?zii5eeRTcE-tMl#yaIZW%O zPHwx&EHq;_xQuqEhBI_w5(#ic=K-Z1Zds;9Z2RJB~&synrCKjyC00| zc=dmUo7qUVe!jF7y z^X52atVDZ>Urtf5SZ2Dcp~~}FYYyJ1*Lj)*RXPDA87}~hUkx`{tNNicH0{ZkVrA1) z^V@k_FBV@fVptv!nu_hTlPFCa_0|X`%bx@@$z?mQSq0B3+{}5350}T)U2M9`?atfC zuVx#Wk$lDikr`ZHDz*a=DhER{LKj3q30;$%`xGK-fRDdF0 zfyH4sY zbc{M}kXzEUmrKB6$Hv%GQ*!t+Q=XblQe3^vC-nWi*rE}>g8mD00*>gdPN3|}*1l0l z)j4iVxwT^W1XeC+m*SXOvZb%S^d7Gko1S_X`1L3UR53z1IIF7>1;?t(k4PT=UTYbg z@TDsJY95qwoHr)J?O=>3Op4lcTdxvj_5s9Kyy-H)1}NBo?~{ZP;%C=6G>xXi!`FtB zlaDK+PAi76xuL0Zh@sQdA&*>6)^#lYOtE!5G;efRh zp=Tuvdb)wj&x0w0!Ic>sU>fIhS-vIS`oxJA^Ed$(6B_k3O$wF0yZ3(2X1v@bZ{eg~ zLjbpygK-MiAY(ca-?RG5b@Icjk7WiH$q=@^mYys{Mwv=q=RC0TaFy2^;+RuS&q|2fUW7#NEj6n zls{)A7CPT2eo=EMy*(~%~5m%;<+K1Hb0(ou;bDWo21b8_LO=n)4iF$_|&iUIR|G8 z;P-$*W6nca%s0}U@d9uXHttbp57*<4#b1asS#{o`*M(kR5iG=`oEPFUGjf_!bm`My zVkNde%VmP+Y-k?AKk~(3>#^`%(>G6AXkGm+l|pmg&AigNZu721=gf%e47FQd*sn@>lUFhwpov&LxNKtr9gKhY-T5!{ z+4{NTj+TdEfFF=dw6i0l>2hI$*sHecW3o}=+wY4cyeR1m+ESODiGALu<03O|7W@?g z_vo`epWySutH)@1F80lOZO_zYug|#QAw_$38{c~2yAWGuMpU0}v_QY1XKcJo`tA>> zPgD|Tt5`ODpPm@2f_y6z;;u6V)0(%fufuupDvt;AE{ISD;)2cGmN9Vwe7=@Dh-s`ldSDw$3 znk*)n_;{>2r}Vp)?SD)(y~^-n%;PO4NgYM6a=UnfF{D4OnuBLccGnQiEafBlesi3rt4)%3{`QSY6 z3KLpi10gkN)_okCbQ?T+rvWSgZG7p6_&<>2Se7Y1Fz6)0o7LEp`C2x2){G zl!KGT*euu19iJ%Ym{n;UR%PAJP#9}4b#@g6EYjjwctv*W`ExPuc(6j}ZR0sufW_Da 
z5(3w}kEM0RZtEPP;oa$yJ2hR+dPzK+z` zXbqYHuQsr!w|(FtM~_k95pwo8OP$Jx{ojX*;C6QfU&`TF9+QFNCSUj;(AVg{K;L-~ z9P}-peDds{kZ(y{XA<7Y*(`5HCHA1g>QE8YBAcdYEpg*tA#2)=YPk*j>k+Dl1FC`P zE?|3B7hBNJVEN|1{}({7^?a(2xkKe-{I{XwrW^Zh;Rp9&bdf~A!srZGU5W}ob??J- zD<>mv-W&Evxz9Vv*TX;%7&Lvqa#05Vu2cYRkPqDd9Lz~{m(SEJ!F5WPV*9^W%GFod`KUKASK)}aMF~OgI(nGaS zbAEaBC=BXkXww*_&0ZQ%E(q_6lD?tiHCPI#$I<8G=x>89E@c9<))u+}JnIn_xtK$0;)cKzF45HTG%S*7{x$ah~L6V7mp+ipIGXHJ{#t3oPM;bI4pfOkmRb{({La&mqx-X8pS zOdRQbOkBXj{cJ%^jUno*bzIk&FZlRoA+)-Y=V9TRauPfHF}y~c6oUkBDv97=YcLO6 zwgt$_OERtdE?h=N9akPZ1RdqD?_ev^UDtCm8-7QY2sk1c=#17s0s0&HL1G;416B_x_8O3 z+oLX5M5W^^-_W?HuApeY)n&tWFYo^J=;d>@uNlwKc`AHgHp`&xihp)Ei&GFvzx}## z!X}f*J!UVJ!Jr|zRi7uEBs`Ppb&l2H@4nsLm);xO^TIP^^_$hbCF_C2-qIp+sWB6J zc=qrJ4wTZa4P5VhwbkRi;g~mc)z>WZ^>^^qxLP4LSPt`6D$@NNEG+{=KXbv8;%c4L z)!hBC7E-L-Applo3tOf<|KOxl(!nE3L6azqc23K$Mg5T(B)>4|pFP_*7}0uT>K z^h?6-m(U)2EPB!xveRx@O!!}W_R&>nl$^dljjgqe#ik-X8~NO12p|nuWto|XW)e~Z z34LnhFO?ffJ+EX8n0)@C-{+KTpA7Ra%hYFJyHx)0j9oG~j<)!FViVB6VPrTv?fbiR zHzFCxw#tH4P1Q)<@eCBcQ$aGcd)eI#?PBuTRkr+*vGYAkTPAX)>0Bhh!m_Yv@os_V zpjTN2;9(!9N;A?^6L$2Lec>h*{&c2=sts`6 zGgIRE_JsOc1^#ybhyC-|*Tk#brtW^RgzUQ)hw+NOxssp3ZoO`jb{#lOObtD;*E2VV z5#i?@zm5Cjs!RtHKhXTRLaReDq&J~d?gq|o8QDbQ0Vi_GTe6M|z$4uM4|{JF6<6AI z;U)n>fB?aR6Wj?N+}+(FxI=J<5FCQLySqCC3l`kn-CYaLCZzl8?*Hc8oV#;VqXvVq ztM;ziZ@p`-IiE$(_>{-vc+TUs(1`3;vszmwJD}e7tx4*c$@$iT9lo;qU0`$Z0b5z} zW%CPhYJQZ}qv zC!aMr!8L*1Su{HJ_e3vB&8u0eXc%9AiKK4mF{aC3C&+S(RM#%Vld$ zJ^P;&x)$Sy;y0@*makr2aMRMjGuLlkEo+OKOaZC|ov8^d08zn;{3A`eZY?BkemW{QdBMZuo1-~Gs06N?d?qAL50z5-={1mC ze-7Rai2%Vne}OUBjDf&;N=BP7S?E+9YrVy*4tjd2^1a`e-Jig=oVJKMl?#a8J^X+f zznQ5(Impj#XQ?5btWm$}sB(C4^?4m&wfGY9{rO=dtd4p7su;qMf`T9ExVGMlL8ZE`U|rfkPVBCQ!GAZS!o#cj zSeJyi)ctXXWk`}O{**azs5niU&KP=X8lj?C_cD3XRUD^Nsyh(wNWkW>Ugq}xY<~OkX2^eD z$d{R5;|Cb4;#2akVe^x{7Kc*>VCq?~-FT8UZyW$w6IXxi7Y!ynKXo0R;NDcCEK5Q0 z#zL=1)XI3<1vo4~uArFv!cJ^9K(q^X|VkC^Y9-OB9}yp)pl zQm*!TEzDI%YAR7}Z0h3=PeNn}u>k#Sr~B);W83J)$7wrcw%Mk)slLr=2OB(f3w|@? 
zBgL4#5?raSqq3v>w+q&7mC_I{-0Y{T%-ObXYDyU_;fx@A=e$cBXw*L*j zM+vJ<*Me)MJ`re##9lIdPWAK$*rY>?gJp&nygj7`PfMtJ?b3O?n=dx;v2V#f*2XZO zX~0y1{_8s@!_5KlSf>NYBhDdlr4dsul%U{XdcIxmldg?23nT&5;>tmr`%<@xr0wpy zDlC9ul7)gTSrEv`W;fL$K6?twVvP^|d$Iii|1x_~^TjF&lGPv1}X^JG+9%xcCJgJKV5?B}i3IhUvhw(gZH8Dpmmx2190{BNb z2jX|RA93gZrW5^%-(^1;Xh$I-%l{*6LIZ-NTpax2e^Pu^vcUSQy5r?F{am*G{pbS) z$ZfwM9sY9|RWjh67N58AnEhUV{*D%Uwgaz=yy?~W_W_=t6h{HOVa3~JJf?r20Jk>q zy3l8B8vi+rqA1|crEvT54)gbi_?*219@C!UcRn}E)c-jQ#giNw&H2gyxe5EXt5^Cd ze%J2$<)2pPr^7@e0)AmpT&&K&u`AEljr1vgr_EUh^ShV(_hE)bfy-c=4G*XDHZv;OUY3|NG0&|EjLQpwl;+r~8(d$~4{Sl`0lmTkF!T5O?WdjZLG~Hz(~k&&ONuIFwg{OL zN!;O5Ife^`{4NX8-c(Bl`VsgK(KPaj>>H-&qObnGmtMXzGJZuAdZVbRkd1#7jp{ny&H^EhW{s|$TD^tz)*vUA8DLA)EBR=QQm`uo6|hdMsIf=uQxgF ztQQ=(<9+jOq#ko8Q<5-q%bs6HBNhl5W&laZyKAm>%~q70W_3epr%zI056epK)M)?A z^QPTGc`MqFL*UAp93Scdi5}&dnS&QIst2I_D8xQV17USrwVGGs)g&X-cVXrIEy#Cw zj60M?+`ajx_&+sqbuQ6`??rwG45!h#Pdj0nFKoAYeWhJ(WrSj)1&~p>9*6irlpEgt zOl%esC)mDn2PoZHh0v}M;ysiW8%5IS+Ou<5>~g$q@;Zz-Bf(QCeJs%f$Vrh??As!y z(EYej{aT{zx(68@qgU-!vGkDPeq)e3@I32V75_?q{SK`H@BN+SzEdBn8u~t&S@_jb z+IRq(UbVUiLj>#IQkMI%!K|@o%a~>qyDocp*)$=L8hwfxo(cSk8H(6D;!W-w4J`;g zsETe5I3QbJg*q2?Ra~_=`9Ajq7V6c4NBW@ZVb8<(@T2O+%wNoeyPEso+6& zlWE5f_a3K!iq;IulDe6B^Co5SxwF8IVkQm(v`**_-i`IEf zb)Q;P5&Z?lmK34zSX`c4_NpHw@Nqdtzk^pFK_Be5^bhg>WUnARkNZN5T9`}$yU{sc zXG7GjrVhdbiBtNxx}DA>N6Kv0(4#Q<>&*}X|AZ*)D||-*aR+(ax3~U!mLo+fdy6ZQPr1()xaN!;tA_jgX6%q!Pu_(Qfnb!~$<|hb# z!bAgDb(q=L1Qq3oIW1@80^S$>*zHxdqwFf27mb#qIu-Xmuhhz?p>v@I0kdt`Vf9j~ zV8V4BU)*Ki>8l>3DlYKwrG=P`E#BVT*R;t)QlA~xg;P_Juh$Jb9DY3I@7m8H9o&C! zR(}}q0(od5&@MeKe39qd8Xf;Ms6xr|w5wey!pnNvS~C*C$4f#+S~s(PrmhOqCd+el zLddyrvd}H@Eu7DdNO|aosnHuS0n;PAkmV(L-qJQ>mSj#nrNT>hA7v9RiRc98F6275 z!XnA+r>-L=A!afZ0&_K5mNFZJl`Fkv4fkEZ(RCh)6zSCHzz^V~BeYOJWU)G`{;;EH z83b79n~qkpq>#XKuoR!2`}=F;HP5@JZN>2H)2j7FcLIJ1U$>M`zmbtvfJ#faoE|J? 
zF-CU@J)R_$V$&7Epfh(W=1ndn&$onfvI4}%-o8bKU}|BNc;n1R=Wo}5TFE2$n6BeC zCTzM8u8bDN?#3QXr=K>;PCqBRubTJ}SoQe?N4&T2C{nbn;!8={IXfQ)Mb`kQqdXc8()OM@-sk&c^wGv8@3Rj(|$-eb^yJGv} z-JYFr5eyWjqg6fjIKP*hDx;9y0rV<7$bpUsNSdKTVo|YA!a`GNWjpyIh$r50jx@EHw?o5K=uz zR?4dAuscC!kSJP%!XO`@&ttcDmSER<_%eKVz|TryrxQp(VXr-B5{tdQ?f$@X%SW_s z2nms|^%zQX;>1&qkA;lqW}&_unHYo(!^spdFLc~H&=sQ3iGhVY{ppFHH2wVzaLulD zMw&y#a{`Se;@jR=2pL3e&6-)Snb{w#1PnDSyIFbr2;nkCtgB`efh!=Uvx$LbZg>rj zCl)uCv{Lb)8pBk-0B)=mbwr>IHJdkoxIt6*j-zi|G~Hhj-tgA;(~w{9G8D ziq~|FFuFwo!Fe-tjQ!_^Z%fAAdiqKMabF`GeLvTt(y7nn`wB@!pY{PZ-DE*T@oA zRx3q#c9&=e1GYTgWEZ(#E{QA($4>w97GLYY{B??Px?4(?H;NEwn=8vgeXF<4<)91` zS|5ZV)#SEP*lfT0qB{-rq3FJgKVtC(Ze6-E-H;o~4hK6O%@2}D|0@jFCU&|~;OU!^ z-=FRoG2jx0Ys8T}X@Dr-lDHol3cJ05)U!vlyz641#yO`@b*GhISs8ejD4U>T(|4^! z64?&@t<1kn*SlwqCMQ*LeSs|NQHMb$v?U6|g(@3JJL*SEGk9+?XI{NndARB}kh3Sn zh{V~Q7So7W8i$GPHAsXTJ=KH3LO3k5f#5nYhfB%#l8lfw7HD2i;#P?V*Or@|vG2@tbS~Ix%9#H`#@brB}O#KHGH{_``Qweg`^D$ds z<-`}+2fFA>U!XIe7rP)-qsdJvha-<2^errY-*wfxJ%FDeZ$0wG|M1TXnZR91!M2lN z^}EmW&+-g~Fio+{4EaBm(~DPBf=?OAbfK<){xk4A8Xy_xM%c>yx0DM)0BS0oZ5i5s zyy{bNKm^oI`Ggu#|9OF7ou?A@y|et=f7e>lBCkA|QHrxZl0MgdX?E|nhuazj=58;n zF;^x(uxC9ZQ?6$Kgvwc^)3_1on|IIH<078j@qCP8^&Q4T95>s**_!G@sg$CT+9l^B zC9sZ{U~ipId%@##L;xzVf_m2fiDTLVSmnSewE-0ICj*Vnl7T}UgGe?MlFnh?z%DyW z6Fj;bYs5@8EZGusM1vWJz|t+gA!cOjwpiBY!yzfGNT6$3XXMcKV#xV}S|kABipSm+ zo+0hist(Vv{B@Pp@l2`U{sNS|-{|?^-WgSc|DhXOE<4P0Jy|zj=l+E^o{M?L8|&vq z{y`+CV;M0R%Q_)@H?WGK%SH96A}Z%QAGd*Xn^fr zVmPEohQq8k3ZRq=&MS`z}yMFXy~I9 zyHXXSrYLD0koL;uFvw1o+z?uTPX6DRLMkx|-Rh!9cbd4D!Og0BQN~#)L_j9NbxY4~ zkUgS)sifN0DtzO9=Jh_`PtOu5{*yBC(t8fCtR68B@azn6*d@^NMM~Un(5T!P$Md*W z(;C2_QLy%Ai9DwhgTkq{y3k1W<*=A-UhS^h0o(RDWY7_QZg%M)QL_@HNz)B!{+nz; zIJ|>il|fKWiCzb06NX3TwLSF`yYv~m7edV7Qn=G z;sX`H{rL>P%qSdxDlN&`M3kJ(?e_h6x)<+~E8i-W+htW2=yGglJJW78U&DO%-3~8} zYPD#3JUz;jwS$UFF5%+`9y8D7AI2>JmcAvhqy=~*m^6md24$sJi6peR1;xhE49n{vYd#v~f$7FO6>D9!q z*-!K2icyOoNbMCA6RG}ALo!mBhvK|maJ7k$UG;gKE@u?jfbT!6Ta&fzL|`3A$PV1G 
z{AW;6eEFGIY-o}W@QRE7W&LnnwKDkI`LRNM=ZhJUL8A=X?0{D@D3)K3+^`5A-TJo! z16!*E$qpoyMX4eLfH?JR(X?KJKYz^9;1xoc>47}NPmnAA&;J7rd)-zJR^(JQUnU6V zCT}L&cN{c;F8L=L-YUL%4)+z9jt(rD((s9ERMJq1$r#e2?$6H@1RcHiP08L*@^FtB zWT)TA_bZm_@I?pst3{OhYy<$^`^k3ENS)yh5~nQ-9czP}8g^Lnkpp^k^Ez$Wl5t@! z?+(X}l9RviMwHaGQ@9*05<>1i=MLW-?~kmv`kOVJ{(>U&FV^tf z!5i!SrKNY!!5k8!yGTXv{sSBCw|jyOA1H;XCVnsnV8eC`IZ4qw96lYMv!wYtCJ7Bp z4hc!?&^Qr*#OC&-vZ-+c(<{WK(I!pW}*|?hZ|1k7s5h#AdW9 zI!RJV+k3gaIUkh613Tjli2-Yz+;}tF2rM(<_U#@O%uuO23XD6H6zg?aCFYnw5p#PD>Y-m-UgY7*}aB$!9h!2Ra!X( z44z^AywYk-*4Sx&2b5%48LThj-)%D$U--6W`xqYt1gq1}I{`wVfU0Z=YhM};hp;k3 zgzcR9OkgA~kOZ*ppRUZcV|1zErD;loLPtqY!_YYh&m8xOUeb_CKLY}MIUsYyH4qnw zj8`sK(7VF?9Yu@~&Q6a^-glEmL)+PiUz*t2%DYJlEM2BaUu; z_M->#g2T$?q(l#zHE!+y<(2^0WTJ0(cs|pA_z~D2_CW-LnVM`~LTzmH^dP!oD`iFz z017e~e5Wo#BSbrxQwCfUl;qE@iFQ?hD{LEu%~tGoKbA^qIvUD_h;19D3vqL;D?zH1 zaJ;=K?pb+ud=hWSpnXy9{_|&OX}S<@u$bx3<+l2<#)^0&Vt3-6i%jPOOFaty)z>ABX|9JA5R@8_UF(x< zv_F(@8~mMWo4SoEjcW5MW&?~BZh*03jPsANf>NWtzrg$6e&I6wiolwJ)xOD%637sK z*AdcO>O!Sn+%leJP*8@l;oACTeb_{gpTnhEp6V8psBMt4Stt2yZ|EtoX8GX1z?__c z4lTW=LLkib1uve1OGe7C4Q|ReXe_@Z=e)0h?PU1Y z_@pA?qz#Sq*bf)-BV!AZ_N#}K_klwe4oXUnyK@s_93Xj)u9W2>YAWH!LqjduKhRD+ z$sb&@J?yx$fR?}i0vweFZn))+ylbPEM9xDSmy=zz^|2YD@^dFM$NO^%u9K@V4QA7v zoD?ez`;#OI<>uMchghxgugX(4v4&&B5qoO$c0xNu1x50TSr>aqkZWQwbyiK>T#LQD zwCka<_NEy^dRh^#>sKgIn>wRecp4tfAFdo%^MlP!)M_O&w^CrBO{I1peKkEeE}9u8 zP%aeZ#c6_4>RXEl2%|9U<=^41qF}dZJ+!OenwQ3mu6%X+f|l_~p9D``mJJoRaE4mX zALN#?1)J8>1?DrUD`#{$dTsLMPp0bS%SYi4UT=kgy=&RpyZ2n2!u_#9R#Qde9?*{F zT|MEVBQtg3M!VxLI8MAJLpck^=Ic#9(!><5VnJXSl?zFek>!MmFoL%(KRi4N{;AoqGW z2_;-UwX~NJ^}jS13rFzlui*1g3v<3z4V?8#b*DKxo=vj-P@)g~w0X$D*t?4g_+4s8jAK*Er5_UK%HCddi6*I;DD2%*_)cWJlrpux&g_5H z5O6p-fNGHmGxyU>?Cy|FQCi%%OVl7ZfF=}$dr`j9cuFlW3z=%^Jmso;tzhf3qS z;GGNO6TuZV`;oLTm7RqUOPy3ilBElvQA~H$#g!8ocmeKDvW4*6$jX+Zcn%6O>keAk z@5|r2klp3T@Kt*C$tcpWMIQ%Q^mqH+@ihkwuJUX%p6YX;Gtv{m4Z1%{%nlO;?6^x3f?>8ST=|c(Qm{XJ0($T-OO}g_@!{rD>>&%!jA6b#s;}X$uEB3 zi?B(d%>)KZ6h&|$5&H)_?UKbMt4dD{bob7B=}<||P~dJ628;+%sv~}w8L!oYP(4T> 
z3KD!SAGuM%5rt?}^aN#r3yz)obuB&k%H_ltfgnTYOxjX>^~M)g6k&U5DV3R%sF8nj zI5$)RAn)Q{pE5Lb;}p($9=aUma|MIFo(6as)`|N)^QEaGmaPYUYi1!BaHh8XR2H+7 z#Z;^p@)M|~7ky+TvAQ|zm1JyMH%dj)Lv=QWVs&q%9+Hk4D9G8zZjP!=x)OuPA&d`Z z*B?>JE8p1f3~=4Bw)OZ1Fc(kcKq)M^e>=}Xz1D+>4zOe0;XU6z)Z1U8{s6_s_=S?; zwwprd%5-oxHN(#~M1ze)rrdzU+F8pf->rEt;0aa*2s?OUui}2j5Pc+s^h^%^5k9o) zScwEAzWBRwOHs?ta9BEg1vXw?8mx9OS+=7qxG=N!2Dvw#{G>}@sZ@1-)p*PsG|1T~ zS_0&(AWpn2>{-if^LZ8;=NN4B1iW4=1XZzjNfk?IYj=Oo*AG$hrRs|^^zG`^yXkv8 z?$BNhmYV@x(hu?b7u#m2y#jaNr_t4qYgUV-)zd1tN$nslnS9EK4K7t|(Wj%Vaoj%!qe9`U`;8CDF5(wXPL*_?VJ048w zj_aV#GLV@2dd;j_TL?NNqtZIN6>m|?Z_IkxHo42s*`RBzN-*SYFRVI`wgo%tQ?`v0hPuKM=&>A$8hQ8rE+&y*`A#-hH(#_?wz`H=Qz?%0I|Jb;d@_an z03|}wX>sk6h?=g??QeG8~Lq0v8we zNlEtFSj?&&?Z(!_Sa~K@5f=uP3h((rZMNx1@6}A4d1BatvXL8aFN|49#*YLla4mBnGxn26YeMq%s?c6g_<0VF^dsU|N zygr(%GAbzEB1xuTrIqV;JoMme0aI(F`(s3R5*Wp#jOL7U(Z}<`8@S99B)J~~bTUP~Hgrdpd-u)U#74y!Y84?r3>7LbUr00WEB4dB~-yEMx@lf*-QGf)M zAx2Fr7t?BAEXcfo9N|?F6(G9rTccq!7HO8J86NMxW;&7~@UkGkTu=S(vPSwXM?yM{ zz7-ANYZR48$ZNQo8_JQ%RM#)GGflK;9Po!KGg0_zFchM3D~WXzd2&KTSstXMnV(~S zAWRC$Dv_f89wI%1m&^|?Qim}usO>$>rw2RnvQRoA7-3 z#Zq;>A;!>|Vw8y_yB9MY^QENeFq*=o)D4!Hf%A@LyzD~b>W+BP92b_*10d=hH~#1E z9dgQ(>wvy^3{j~F?{)(%7=yW{D@_)5_iBDD=VXn*w&%l!9l021v>VC85&WCXpQWvv za)F6glWH2-IzPXgm`wCFD`^>m?(R^=gQx=yC`Hq6^wh0Vpz3K38wv#n61P;Ou?>$F z=CXi%hCgS1xc@(Hi-1q9XR6FAqduAjwYsc#yBPk#-813>9z?pA8P{PuicwyeRP$=*q8?`xm1h z`;A_3oVBi8{jiNi6RjvbyL4RXPM5{;a5}6IZGW_YQ@tQ0w%%xy)2d!z)29vSl6>Zg~X}9jW79cKyoT(b6k^zn-Ae360bS_XxW__bgMg$vh z2Zfrdq7^w|i&o&gZw9bJ%xFfnKn(imb${-MPfw1K?g~QDhOLy3%@>NnQ9ikiP92Lb ziM9)NuTQF|6@4d5NfPKuxZ%0>Re73roQi+JGQS@O@MU9D{yI~o@WbEHUzYn4%LMc> zfe1qRJJGBygZX2%Qq)mN6sAgY;xY`SYb|Q9{HZlC-pRGK%ad+_>2^;_mul8j@gLuQ zClY&Q3%c0Rx7GvZ0JNw_nsQRt{Rr!m><&R?G%pwl<%%d{B}z4jrAigQX}#8gRR|!G z-J68i&dU^^ZBWR(JA{!vT4YMLQ)fLiAMCjTn;!AGWKBN zesb?Q$Yks%VpFD`Kl=9$zt{&poKJkH-a&r;jPnH7Y8PKOI1s z-3C`hWA+>lClyU**Z^$5C!Kg4%CmDsFj+oGG*IC40LBF)EAnWb3O(cJwFbv`{i5F- zlKK4L2q6)La8#(Uz^`GX&GR7U_A+s7v8=z7bLZHy 
zA*nJo9D(N|#LcVN2i|M?m+5lfvh2>B+NF|on;}>jNZ8&p7X4f{I4q-4K6rt=qF-c* zS>I~AaZufkc^Eam@Wd$=^)%n#oPmv(XY$+~m8Jw#ZklY0CsQ{KYt*hq(_(VY92;f} zLNFFvOlg>7FiT3zSW`;GY8Z^(9qpCdY5n>+=kSS(0{q@)T!v9cTBD{}91+Y!OkBf; z8f6Go$8|cxM~)^SU)$hYMTaCab<6aU&7822i~k9bsE%#4A zkiq->`BWtFYDc&aHt+>F5I$|b_fj5NDKm*?`(hXb2d`LbR^ElS820|&+qe(;;(D&? zgLd0VDQ^9vJEMf*98*T3CEVys$fz-NL+>uu*BWo}kuYP;ovF2_%jkd!W$%Kq;%B}_ zoRwwJyEjR8VE4}oQxeKe1-qRY3zLt zReTN=3Z!Drw5avo>!Bp{G`1u8C))y-(jjId6Ir%*a~O+f@w-&l z3@ojWE{E{@wm(oUUd)WNFE}*14svmcZzUl`a1CMsx9lEpqB186Av4swR}KcSiZ5-^ll3aJch zj$-9BiBGrM$H-Dc&F3QIZBeO4J8hsvYb;xfky_^@dlcMBJj}b*Zw<}$nY`}+QE7WV z2|xExtd+yjS$rK23%OHy`8UBJP~t^QvJO&7=Bbm(TNi)U6MhHzPi_qfmo@{8;c>5Q z7oGI2ZxMsKSO45N*NL>sBz~IAS?60Tt%nyB!n~6{QYXg)T6OKoc$GolNS%t*V z&9qM`CY_w(q8l@}6i4>1$3gXrYGd6o0krt>T&Ybkxmrm(`?CQATK@qUq*qI=cGJeC=izp)PKA@_C6uxEvz>r|sN@pne6ua>G#znx=%sPCVqBDG71a91(T_e~ZLzL?K^XBJw znLa2Ap>CW#RdlXLb&>}w>L{7Y5`W zCU6infu*Exp0}`eyg%4xiz1S9b2iU4CV+{F7UYj;(Ps_3_7mekh9A5Otw2l$S zcoi#QC2_c8^@p&bNGxnEH31XR#4_7&QNp`q-E?qampT2u^M%_7IC|Dy_12%pn6&e=Xu#xV6(POIY@y#UN^82@B}ZfMpY4sbljH4D{T8v@ zK60jH@~NDCT})RHSk+OBsM9IyiyloAj}WsP%c&*359|WL9hR;6ne;t0HnA)IKIbyG zprZw{2=eSZw)eKh+!kgAh64#I<<)BYt1O9S&edETjoMpjd-eU5BHyK)_-6I`H0frn zfrOED;D=VZ8k_ls2^KN;UqTP-M8rQ0=D3m(H9ZzUY@3~oQM#YS7!Rz^kjY9W%+ToI zcKJunUQ4g9dJ?vzNdqdC?4_|8li6fX8^}J<~5lFs`6)JQ9PT)-y>jpf!-T7V40TVdXTFbJZ7i#8SGo z%;9WZO`Yf2AV{GU@x?wYPn_ix_B>1#}%TpD7RD{DH*MZXL%HolqsP)JW!phU43 z1vX*!-?|6E?-;_|!CmOV_( z%$7M@#i}ajV^Zz{o+z|%6iT;iYyEHQ=@(sVnJg!>glJMsfEEH7;*IsXJFP>Bq+!a= zR*Z}BLsHkO$5C@1(%kMu)N*yHn~P>-WW4Nh>}2z4Lx4f->XPf)VqqvS)NsvRug}gx z(-g=tTf4Q&Mk{SQ+9Rbnq+u(xrJEOIVZI7GcF2{62q2mK)}{JEDxZR<{hIt{(62s1q|-E zHlTk+U>IwfZ`P@lg!9UV2q6;B+zZVwIxX|M}3o)`ATgW|0+hq1E~={RuW_s6jOWr+^gu5*{MCmLxR7e z{oo&ii$AH070CZrbwZ+1HE<{!L@uM%y&tP}+_HPnCi;er#9&d>Tg}G4y{53wVKFLpb+^##%F>I|j4D+IA_Aq19TE) z--b6cr@b*AOy+TPM8Z>=roxwJTS^F0XRENLi9sNQc$ljIdF@?!jr|q9o`()iuzId? 
zyKhsVvOOCT_G510A}~2PTF1~N?T(C!B}OFNb|<7kBZHLQ&rf&gGEVY=Y_RwziARfWBYPe!`*q z_RYnHSP#?0Qh6ZTBEH*(Ae~Dsv2IU`{27;@%xACTY)x#U#^#Fcyi--R_jz)cdpQpM>OwG0>88A&%@svDlHgri_Dig`0%oFDD9Qx{Bd*N7km zJD=m7Kxo05sEA;2u!=Wrg)r+SwpeP}yQVd19+dm3A@*-}UTv?`zAlUCN|dYc3FIhc z5q)E6(YyCj79u6bW!IFbr)`bvg=-*5es~C+pfUhI@wcYU$~$f2)6{|&&Y;S3zKa$VbH?=oJhz6 zd!?F9|DhF*oDU_NXL*=Ug4Vyv_`&tEAo`R4xoEGPJ*$0Hw%Q(%n6M*)7}xd?Q*&*J z*`U)Su07@Ph|tbPZ;m(#mE~}s%TXDG&J3M|a@Q!m^=Wi_dE9*>Q#AydobqKA_!hE{ z1smJo_IQBNnqZ=1C^i4pt3Z-x>x&8 z5$@K3tDEG{z(8(nKva{143qiyT$Zog3rI$vQj7LdU`?L;3eTqqJQ_WXZDLsVgBNOT%bz$M9W(XES zgURNz6+YXArLWGXb<@8^FTI25yK*!0H@DYgnq&IVSV23JBa%L(#4_?{`eqaTq58qr&?VqBsUZl9p0(4jmMoZ1@h)SAL50A0fos6K2 zmOWneC|Q?EW2vJ>;^t#s{&VzT%KjWFE?D6pK+9pmc1#mML75?&n;B20HqSr)b>${L z^;5R#YA!Ca_i#D`S-?yD`I}Mw^lgVpOTM|R&`*%ccRK09*j<>*0V*@Vyd!Zk(V8+q zsKTC<&evZl+-yTgMKiUX<|PhH6X)n&0)<4U-lBKLVp!FDDbGL(o@H=#j6qLmJf3ewmZ#~7k9_%pq1W%qdg$2@bsAJ8-Jw{`-OS|XSYpejFoNbw7^-ZKC z+W=w8Zq?l(zs@aZu}0y@{Y`>VWNS#dEoy2q;FsOLD$iIh*!@1-dxFv`;j>0Hv)set zCEZes8`Z2ibH+p=BjDh9=XNG>xL4tPS>=C6;72C+4Jr_>yPHclWX{DhvZQekFU3HG z+IH_^FJSW*6k(S6*v||A=7Cu1hsoI_Uc@Fw<52=K+?Mu|iKvE7k5VbP!QfkfDxx~x ze)h-#e|UST;ML){a(iBGwB%+^`+21r&xE_fly921Q@h<8gM|Ya%f1l3JZ+ zhxrh+SgBJXd!B`0C4|m$_lSHxsQhU z9@HSe>{a*v3kGAIQ7Do)PDtD$S1q?{bUFKqaIThvc=a>L5GbT15>72q6 zIyrK-`*QDSWjGX+80Ed3!M$6Dn={-AyXd^erVJ4rUYr`;;_ z=RYw$m9dsEIc90ryx;}1GdgxGTUbc-R~XDdI{mZ2fc2Q8SjtL@v8oLWWI*gPvAJH^ zRUxjVwhHL7u&lXHR;)nT-O2Up>|0_xGK%1m;%eMX;P)Bmm75Dk(Sc)RETL0X!>QRW z>+q&hGt=gQg4)2REaKhOFdp;u79eo)803FYzYSGdtT6}3H9@Gx8CtLPm)!5nlWWXv zzHi*pVrMU{Y3R6n+wROQ-qv+19- z*|9|+=$$RwzID`;8T7K6stA^SAf)r0iNZeg$Pg0{)B|ZAWzygC`!pIe!qQAE3Ury# z^e0n!qojwLQb$Uc7H&q{N>)Ox6kfEEQWi%k z3OAjf&c5=3zeQ1{W<$EEJmBip+sxOgUD%ZLaD8+;bP-K)U6)c+s`ym%VBP9*CXo!V z=!b%+B15?bxdPN9qCKCTr+|IJ2Uw}q^A0+lYRs&nlX)GHT^^h~(6G2TNu#kJL|cwp zh^bVg)IX4(6D;p&v%gRLMC;_X_%gTlFf)X%%l4yKiOtE+$_t{YA7i1Pj#sbSyd(fs zP~Q$gSnu;5!Wqkc*?koDLxacN0Ydtx{BOAuHpTV@Ih{*gMl@3q6pyVB6H6X3)D!FD zRF^n$reD-0rpD{sI5bq6o%0(_r)0%PtVV&QKJ4LsD^FT8GFIX3O>#pr!4+C*##$#^ 
zx9hq?U*18_-pq7+*B$#n3U-j*@Es|a=hgQxqy(Z_9Fpar4ot9*v*ooRa|<+l2R+Ls=x!%t}Es+Czs z>wN7D+$&znGjM3HZopJ^eB?-^#MT)Vuu@#J@YM9X;LhcKd z?oy{{T1lB2QrI3P6344(QY7O=@`~h#v_ZF>ZJ*fYzr3OuzGAIkzSikE8sEaIwXhqE zz+ata722Q;eeIp@W-o%*e57CwGbUsoLD$&~R&*yac4U6+7ryw`vFwun&69ufS+ z{vv#7=4uY_>TUBq(&8yGkIW;@-{EHXZ17TP4l-F%?=%mh)>zm<=H~b5hz<6Hn*_fu zW&Rwhwh!@rs`~uM5=!W`nUhF##Asw;u4wlueppvleteQ9nWJRm2jV>0#?HC@x4HZRstxfvG0 z+&B^F)X2kO8U$SMp+a~i9QO&@ZY96gu=3&Q#yyh69;j{Z`D>7*Ca`^OV)&v-;n@MN zq*Xq1dpag%g4f+AQZQVkQoxqKhD{-6zW9?j9~L1WM#{R|RAcwakQ5Y2c*?)vQVPs7 zcV@h4GP8=fJaCeb#K23jmQA);EE0j&Wxv?E*@7AGL5?0sE*y(D%u!1CeJ;61qHP(i zcOiGxWX1NqMYJa<Vc!dL-5A zQ>o%rH=|LXvq8C#mq`rWSZkUdplY=eo7B({G_r?V&AesT=&fcE6PW1e0?krGR+1r4 z$Q;X3;{vAa#BV=iAmEx>CCR*XYGdc(U>|kpop$rXj$3l4D<{%x$_#>?H3!{4E}nZq zHsV5_+GP)J7>s%}T^L%Yl-}1jh05i=-Z>xZ-_TT}Tnqcq%Q6%vLzNSw*o$i~2TZAY ze*ZIwUxbQgHu-OpeP2lFHk^;<#mOoVp#7{=0A@U?4@sJ>tbBrNn({|-1miQb5hS60 zaGcS1r!j6yCxLvJ-A{hCK2WRUgQ0GJXa*JgYbP4Uvc+~wE{AkaFqN}r9(*D(X6|uX z_mI2)MEU1ks$+*gf=szn9y9TYYsYIMHYo=&6h|2*$jdN*+|{RF%1m|CMsJZs5qhOb zI~cT}8N-74&}F3S8V{&A4-CL&ek@Ps!Em@Vm23%uBy_DLaUpNXIw-Nm&Qxq)B>T2< z%6VhGeWf*&hE9dn$$rH%8g7n9s+>SlWcV?#VN^Eq5tjt z`9iS4y%g7-vr5r#Q>z%_WTH}D*6>g3b-IG*Kt>Mq$Eae9u0Y8#l*%9ot=i5EE%2_$ zm|#8LY6`|Qr2}0pL3U!fvoWPP-JgtWL^_mi1!Fk9d<2|DSqfk6iqW*jbuEgVrkoas zqr4nIzW|iu`Yc9>Ry8@^CBKa592mTJXTwWAvmbevM(9kG}o4D5^Gbh{%!-3*0D zq2DyKa(|=HIhK;ZSh+EH9%2JQ&7~5@su0`QW78OausKk3uR65nKCM9ON7FjKv)~}n z8$ks&uV{aR4LxJ+j0t~>wLzzX?Gr*_@1nA3c8%8H*4x+kPZyP#0Dcf;wZuo&`Gqo+}VY9$gYr`_Mle%W@4-%3?nW(D;tJ%}%MM@lhu2{z{J zA3YJIxk?wbiF}KVB8jt8MdKwO8tTwE%xDVg_ur{R=QIY+l+tMN*5p47%Fmym?of0o zVf^vSN8m3%Oi+`R9IPGcO7n|y2^QEl+v_OwiOB$_h- z6La_C>ky{KojPEra6iP_&1hDa%DHEu^3#LHWebqL8mCQN0>~wjXPfzLpVZ9jjy?qr z_C-HLIC)?{&E>N@6bD+5&CZT;bEPe!_i~9r_wkpwt+v%#8~CkqCd5Yst(fzgTg^J9 zAw}C|vY(u7l^yNH*E=>`9#NhCl6chrmUw`l?N#J&&m*U~N8T7k4|?BcD0qHzAb!=v zESbo}?SlVgoy8f8`$y&kZ^cCnF6MA z%Qpt%XSXEQl5m~#$gVUJxKf+XCx$Am^?Emy#cyuhcBV&ACzXSNF$pUWWsXM@)aF7s zzlDF zJlAu-g8QHSA@^qOHCb!UF~4IBAA$&A>Oydo80Q%pMZ-hE#0vdCl^auAXuL&}ZrH$A 
zQ2!N-F%Adl4;O+2PX9$>VWkS3cEXF6;b89%Km#;b7UT}3`v~Aa z9g`_MwCfTDz*}8?{li;5NktiqPbM|#*?fyUGTXy?*npqr3fG&-ZT^GQS~Zp1{+Keo z8=bhqqFe7=%LN&msm(=mzA$)wj6XZ5FlVWzmD?2m7)--@zog){^9Qx9Az)rTR&_%AzlB#iu{2kzU(+?{hpJ_Wg+Y zw$frsY@^G3@*)emN*AQ)TJJY7kgB9}8}HdR&5+HfgZ&XM35dnsv21wR2xybpld1tB3PG zOJ4N<0!JAF1!d6v#F%s{!~Ac)={TQI5&ov5zHlp6-?L$2`y%G-TO}2GNlh;zx@Bk3`jjiB1U}&nK}scq zrWxFVDsUEn;tbtq85pRA!x`x})1j1SeD}7GeWU-Y_|c(u+hHat zj;}vzmY3L})abmF+JogjGFyW;m|jNF^Um4Qe;TUI2S7%fUcePTnZP`1<(QgduD9|m z)S^rOGC~XC`GtMCHmwsoC*4lBt4OVXOklT{H9-DpkZRfF_T`-L`5?z*ff%jv$5vp< znQx&+0g0h$gBA^xmb`q)0yGlOsyi-uDYA5YXn5hMrz{Pr#q>}SU2<@mjrD8@>&0J)I(MTq%ePbSV!L+MpftzhdpR* z#T(bN4^A3ocgU5))!ixAG#?^L) z)`-KBRP|$bUE#9)@Gch0CNsQD&S)czbq0~a_w}bn*4pyXl(~++D^Aou`l!pW9b!@~ z*CT8^D5st-*x&4OB@2NfIM1~%b{(hK#P>6=S$krn=%*AF^@D5l6311iSw9Z*8Ti@4 z&t(2YI{r=Z+ZXDg#3bnE&gJ;YS9g#FeYq;icWaTtStvor`W z^yI}#`rON(>~|bL@nu#R`ZXRo=Q*W%HYBbe=+ljl$-@D0!|mroJW1!jy2ge}>nRoWrFDf2EE}B*E1$?3 zX_<|P-U~NlKnvn+9<8yG9(9<_6isrK6YRY_sB@aF9h8kNy0=Ey89r>)yFe{H+f4R5 zok_D3Q!fr34S1i#Z{xL8qXi%R4c=!$EC04nu==1=U)gK8SNWo&{(Nt2OVLs9M2Pgy z{Ue6{xw^B|<%mEzLD(~SFQ8_Tb|plUtk!_{@jLj(QT0`l1t}I{LD>=@6Nv3i(ok%r zd9)ksY9Jp}MKI(Bygpy{>pkPy7QNsIFG_$oWIU=nI}^8(#3dkZtaBwROd52*QHaF`PQe{h%{#PxT>`5?nA@%WKYrb!74u`*qnYBDOr zq^x%^5qX3kF;3ld6MNE;hF$C33KLvP5>9XPZsqw;yQiXelkyDgK|tfjAAO=3mH&|w zvOX1|G@+62T9otN`3vS{oTz!SH`zgViIEGIE{8KiR!>-W)a4Hl&399$Z-pXUf9|C) z3ON=3-AKROD$SD z?a6Ah8VDEXE_F2EcBai+J#plvI(E`EgXTRR+EQmuWO8+nLQz zC(|}MbWb?S%6|NE=BC^E71UB=>2*fSeR2gX+*^v3r`R&Ths zKo)VG?v!i1o@$Nj5|+Ym!*$?30m;(o8pzOL@<^4mY(<9gqxVM>n4Ca89jU5T@|`z*}gmRc;0%SdA;p^ zcxpMDo$FP<7d|Q-GkgYcIVYpm3wT6ptwZA8V9A0qN?F9wi>WvE5qVo_hFdSuzx7z0 z&pQa}A4ond0WGR|E%6Pt?TaHF4fuH+0gLw$Wyi;K=?a4--Iz7=hrvHxaB=^frW^sl z7)A{fO#A|Ve;NAYuxi;tPCO-~onY~iq@KHXc8kqoUaeM<%mhA;r~G8iuiBFJN zX*iY}Y;gQBUhevGZX7WrI=6OhzMebP?c-^Iq1>X!kxJUMYA6N5iSF`j-By8RA`Oh3 z+lhEtGT=h6Tw&+t7hTW=UlBO4+ctE)#UoB^y_SuKn$QZ&54o>mW_q z6nbg|XlF#IedrI1ycfI3crl!xG^@nCf?Y0gPlR6cs^@H#t%a{a9X%MNsHqkT;>){* 
zqQVg-P`7e~nHAPL?#A$^8g{NW>+kaLUMNerf|aaVRzqet3i`KVX@)IdZPK-_O_Z1n z55V316&X7DrKCpx%PmD+H#}2af@bE_?M{}0o?vw!+BQH~x^%W|U*nyJ=9KyJ&-A_> zT>`%utJE?E8jARr5`p~qsXwJj*8H+iFy6~8?T2s7Mxm6%hbQ6*#Wutwlt~tTuV-B%B~paOBNF$ zSE=t2M`vq#A#?^N==e?>mmhp&z5?{XP5HAm85*kCr26?C@9JOCd`1xnxEtv$<=tYQGNN;tNV=&eOBVTqE4}Va(0cH?0#Ea`HtT!{@-szqMfj4yXS^U{BF|- zL!&f!GZDTbR?ZP=1y(!nWK9LccVnc)x%qbEY-_9U!H0m%c1fRZHd}Hh53ok18Dt~N z-^P%(uO)Hizj>JSLLK#h7goP)pEpnrW%;wOjwnEUvsDd+^@S8z^^9jQ zVF!8~$v%|$Tumi%$kU+nE+5V(W@r8!^ZxBR5>$#!mTc0`R#kA#=p(^Uq}o56wUZv~ zQ=KZ68quf=2Xaa#U>8~0Gyog?Z+t?0<5zYtWo$O1POaK%FMxji+yBIP^8e$1s`rHD zePu%T1_UQQqESDpr@%N&hkH}CvJ?OIK?QI*QBU6Pc=`dN9#%szk1Gc|m5nj0s&tes`#tUvq(ZI5P z!W&!|+)~<)7k|S=h*5vj6`%;ACudNGEA)T3l0rh&EDU;OlV|M_7+e zA+qGHHH(vK^l}i#AX;(J)bVFoHsoBol04`SR6|VyNU~Df`T|)0MJNFOqWmrywi{XG z|M`vQX!*Fnuk6C`(EeBWC-swesgv@{f0r8VK5av|w}ngn7h?ec$9-}Y2w9&0`2s%f zBmnWCTb>0tD1UQ5e;<7eetVZf7KCE{$jJ(}P)$cs9NBXoJ;^9rf0x|~@lU=b3ajyn zWrP%uQo)sSy!Gark8kxIdR0s40YqJ?_6%52Q%o&>9Hi%lcv37?n{hMfrJ2regb~4^ zRA=u4K^D`W|3Cc0x~xmrYuFm=l2@-`N5GJxk*##N?X7goy;Ugyb9R#hEo87;-TPUE zUww92LheBpXtt|QnVMYG?z7x>%atw4?UMr20lP%MrYrQp>nP5~j@ELj!+gEg%5t}L zAf@9qY#w!_k>5(e^a=b2r4c~<$P^VNKi(W)(2K=0MAA=PXKNbyjr9ayC&6k z(Fs}vx1Ku(LAJAKY3asHfd-anIokM2cQ7zcuw&ybs;vn|f~gv=8eQtPXH3X|9E8R3 z-T7Lp-KjDm-GL+(*})`=++Y#Q0xY2Y1kx1+@bWi$kiyKaun7l=V#&^?+d?^1{)GJE z94R8AbTf~&Gwie5Shd0e9UcsPrzBpktJ)2^HLoktd~wtqv^pD`eis9AHRnQzEp*}w zp1WT_5gF~FXYx4_`^~D|Un31SbQIW}f#8N10X~M_M;JvBCn^g2ZNLXqzHHcDk3&hv z%|u1L!n>mg3DLmVc*QJW?eIiO+}npKI|86Y1ZWc2_)cB)U=mPK!BTqG9AI}pnv+!S zJ=5XVt{+y~x|jhZSe#IXrkW(Dy;D`g^g0WRJKriQ8>JJj2#HQvA6+Ex#Nsvov+U2@ z97NJ}RE1e|w@_D~>f0E;y{LB>Djao}(RNtzVFp}64{QOt5B{bPOxXc`%4{Dc_@q7; z{u#*TWXq5aO)c|z0E`Smhlggxdq*h*Y}3^pc3{M8_bx#Qv6NQlKhwQ=y&81KDpjK5+4P*n8r>=7WtfvgprlZF@sOl>5Y+^FO8 z#woqBNY#|aqwrs;E}wUN;7CV>s+{OX0Mi4a_HY`G(?Q{6w@f02jDq9$p+F+%vAn1! 
zTgL6OpLy>=ZgM6McRc*XfyIb*BYKH$$;d%npnpyuTf>=G?Y8Z-m&-)qn4H6uirq`PaHi&U zhy%Z4z93b)52ou*&a;OD8|$TBWp4_>%htPd=AF-PUYgHM zMtPe1``A3(J{wGkY(QNCqyp*<^M-j}n8zCZ8R@TD;oCpt-hW$}56}F$HDc&-A_%Mc zIb)xb)%Ld|bd+=%vQ$xRINTC|2TlwHDBi`@)9o^qDs>~!_`L1 z#ioN2La)q**$5&VsNVA$;-AaLVQ@`Kz=P&7{^)-Hc=t>;wQvkzHw<*bCF#_}3Jk?# z@8Y!PpTF%+ag5^8vDsIL@WqmyExj{=HAimTxmSWk@ssPjNw-_EJN|iU?Asp70V=8KiG}xDdeli8n z_OefOL{W@eYJim4!Gsicjk`m!M3t-|i`*_|V{Y7BjRFU($)77Zh0u=&Pjyl#!Iw|c zsijsHPyjzx4kQbxz`pN&T=r8e*uKA|L)f5}fWudi1Kh^zNtm^04;xJ8c+>Kr0-xoT zz&xfZHwU&~4^yr8N^S2a(&-<8g>%Pg`Og5*z2F3gOR3n|=1srll$@7FS%DqgRBvBD zx%G*`mAqU$U?zB-OdzFwF-e#rgXR0lbU$K$ir<3A$BT1yOV z^}kew@@bfywJ&u`lV)@59O9*?jTG6SwVDt3-{tZk=}(fv5+EtW|CSWq&~?ALm2d43 zDY*Gb>_(V!DM~+No;lh{`lm*RSOEiiK2lsV=mm*D#tPc(!CMU=%OJv5h0)hRyDU17NdZhL=#_o?zQa^W9E(UJ6}xi zYZBrq`4c?ap9%xsj~bz!cDz&ZjK|6q(o76w&hbNpP)AMgo-zWsjrmXWipD%5@-FQF zb%AdZG81)ky+*=}JznGPb{5lDzu?$-*QV#s@ez;4?IRCv|*&AroZTfI=cz{wUEOfMTK@QLXa6{omJAjs? zxN_@&pjG?b*l1O;xc0n>@pEh!&;+b!k33TwkIjIx-{-Nw4QhpFzokIs?sYe?Fd>(!0GP$8!DIa0eTk#j`C%Lf$4n)UVz!ZUZB!DptD_9UEz-U3-9R1IZX3rsgl!SgWm2B&$0(*$HuLwn{Ftr6|f{ zT;B>anyKWnOrXFrk=CSjV;BKCLJD+ z#ay@ME4t`^_aN5czmp|JVIo8M2>c}eN94$2{dWF+tQ~)c12DsMGoyJG(>Yy0r%zFqf9i7PG7s zu!||<2ut33wES|~I{30`{@D}QQr>B>iHtI7_!u7C1z7Wt>B1h13C-H<>^sIBx+2CS z7-Y?6Q@ND#Hu_(jCnw0R?f0%OIF8a# zjjgRkOi6G|Tk6=cvu-psc^ggA=a^QI1%wkUJiqWbqDh=y1%hZ=kpcO{z&(u)+=Q=< zV&mIq=Bk4><xH zdzUb-LTFW5bd|SGUrAw17z$8F6sZ1O#b5zT4#NuxAfl-TeYtF{DWbRKj?#PK@l-l> z(Q67TSz6P8@5`)Fln!m6P_44AD_S?=Crs~0F5;^tyLpw?+d_BQde5}ku9d8anD?ve zz2}@CKE0+hoMp`saXVYImrj61E{r;?b~_?^yd7HUded*ZIbgo?daoUcfjOr%q}F<3 zJ*Gj~?-xK_o3%k53E{|=&H?*7#9Wimz;!S8YLnsIjs3tl?}cEgXfeTGmU~_JNtf}I646DQ_CauUjPh4q^sw2rf#aA* z%M~Y@*!Ykh>sP8{wL2Z@5}?Ld0J<9hO=|&t-;k{9{C)qrMf)+%Nun*?-0r(Wr8u}+ zj0HCn`@KHk?;~hRTm8N^zat7z4~)5c1#L81%$n5-r$9@TS_6i<9nqEB;D|g3{p52F zRf+=Rq}4Ut<4o>WQpy%u`cy0_q)KM4pY7z4d*Jg6hn+v-&{HH0Q1DCfSa3o6oh9qq z*s}YedN|l6y!iUGg?ETm%-N_-iJ;L@QK~$ean2ABah%Fm-T#U>Qap4!^JS@FHe3r0 
zPEy}Y+}w0tdCUL~^w{>1te@@g^hk+@w!B&v9a_}lNmyOD0@7X6EmypgoS7nMxSOVi zO0$;or4IMb|PZ({x7%+Eja6Hd=!y2A;q^dCk##0mkWW{>t5*$27b zw8mOSbqx`b5giX7>dy=IKJ}-ZM!-Y;7uT>ZM0_*vqb()$hnx5xdddGq*a4o3GY(LT z|6C~lK4$noH5`8ne6IK(Uw#ISC=SRpE9#m5r33k3kODG|KOwBhe{&K~>3ac&!BPM9 zJW@e`420qS3JvDJUfA|2mL;6xKPo5y&FB9e!0-DQ@GkzpGw^rB{9lHU?+uPI3TIMr zABu>qCWh6Fz-$CaVYw)Rrrb%XMRdySaW^ox@3!x-DX7{Ch{iuOij7U;?KN8GbcnbV zA!xu*QHy*`kBFkIN>YnjFt%}%hqyYAvet--mEucZ>Uw$hp7+Wt9RDc z306axkphT+r@0?UEeK(9_bffd)p@J@FUS&DWKhTun;3V`S`dYxK=d+07BG@bLSA{b zt0OX|MB6giw;>z3Y|FK^f<$kpkT4Fn-b7m5B$X;mX9t4=ka8&HS2S~_R!z*(IHYv9 zv*ctno7~P5jR-t>N0^dn)QqW)FHDRklzUH02=Agjbu~BTX|J{#o5KY*ohSmz`Rv7y zPr`Ks{sCVEmuFHg`}?e={Tu%ZJm>Tr{PANU;S{KWC@Sz z@Qd|_ADO5d%<+0{E{{06YF;HD)9uqdbKKQ`H0F#1XnQ5+hVwX<9X+oo<=P*+8!fJD z(+)j2d+eOYx5#N|MuhzS#fNvjoR8So_Jlj_LhH~)I%<`deE!8l0J{@M&XS3x{y<0(1ASGsmBDW!a5(8UZE6eTcz3P6fUb2J$QsT*<|?Izi4BGP5>wL6ctcw_A`) z$_eq7Kg3Jn#iJf2_guGiI0Q3H!hte>Y|U0G)ww(k22)}jX_Fa>F-PXoE^=z#a8S)wy?8A| zdE_43@HG%de+zA-s_fDM!(LP9gc*jcY=Ys_ZSx+_G`vuAj+I=#uO3zMXtZZV#eF>U)f?vJg zZxA$83-w0E#PhWb`c!RKe`c3mYrfo1#?WH?A}oJtT!iGNe)4XpQ4Xbpt&NJBHyXxU zof2DUFT=2x_rq8DT+8(<TnGpm}%3?>QF3f;-qZBX!dKpL>qcXCU@z&37B<%gj$Yg2Ekl;B{E0wrURp&cq z|4v%YDvkA^#4Q$f>YUy*5i^;)7@ zXQnsDlaagpq+1=C9^CLlmHx5446^40L#75DU&a6o34piCViWJA-5 z(HqX61;_Qw4H2HJndHq)^9>6hD*dB>@dGMVXzcRAu%6~>El=UHS;*p7V32M0Z}N_9 zS)g#s;`FPg{E`NTsGxhFQyRn%hf~!}BiluV-FF_Mc0JS2nK{H}zR#mGFo5k;7SmF< zp2kdby9dk_smpKHXsC1b?cpB{NoQoWB#R;z+6fD=S0UR7y{tqQ3+nSbP>wMSH~y7hfJdU!S8dwjL_22Xb!IiIQV z=+vKnChiDJ;VfvjjKXp5hJRzAei(;db-$WzNl^jty5x{XE6}?YLhc*xq0(u(wKs;d z!&17ilybg=+C<`{RgMT7v#$jy1$3@oy(gh-RKt($X+CgnW$6Z&eL=mquV z&$(=(Nn!{Zov7Fpu*PbuZE%sKhb^+ZOT=j`2YaPMOV}{v-moBa#_8!@`&1wH7Fc>z zXMLL1o}ASxnOb4vJNXuqR>lxxhN77w4EMTDKebw<4?0bcf&zTTmt!=0TSJI2Q83le zi9)-Ys_KeOF!XKWK9|Kh-MNtQ_MxP#Q@EPt#QV{x1H zo8^f+mhgRo!GR!uh)(Un2a^|a@FE?Wi7$n8dWI*TX{lpOSH&wkCq#dh4V}}=TTipe zmqBMuCGg`Fi2km?#C6k87xQBTFJgIDxdGP2px@bUD8zle#_2W8N{{bU3yBw^=5jRD 
zz~xg#71Q%`IHs@;hhs^j)iB`Gu#Pi~jc97q(*$2?p2bWj=8~XT0uC&xckc!I8^l{^IYf@^;Uw@`yOoW_s#)I5 zAUt;{SAULmSmss|$`Avidw+-wogQe?S)#QP>BG(kDCga37&)gm8+e@TpTRQay z{5~AZpQ`El$6dmc z&Wh!=uM*zS>Fe4l>c@5xG{>0QNKi->X<0EFo|2^-hv@yxn&Q5=7+Aj#Wb^imK9WJ2>oK7)JeR&0=PJY zRZEIkN0VH-pN*z~&^mgX!tbA^se-R;BIC+*+ZBD_eJG^3&Nq73Zu;!K6)j};Q5L*9 zH{H?ElqQNV4fLp(v7SdVqw+q4<1QxZTzykWDOSCDFn)RDpiBke z^5xj9(Zo&M7^8WVF#H978ixLt^Ywl`n%cN8Aq5{xL>`|K&eNxk@@tE=aj~tm<)c}O z3&V`TuO7dm(>?j%1qZpzpVpMp`_exd?VHoGQtmt*aRQW5FrgeEWIf-vDPzy$2bG=g zZWb+1d81D;S%QNck*0x5Z87J59A~+)A5-I63ElN9W;Qq@1>Y4DOE%3+s}2v16FgL(h@?SBeaiQ>P_FNa32s!{~2P0f_3WFLJ!B&RqpS?e0huQz7ES} zT*`hk%BQDvuC^B9VT>-Qn8sNA9{**9T4ZnOkmxZtb&oi3m4VX@UE6=26Dn)x=dc*X zGS_Yg&m;1oNJW721p-1IF@6&YB7Pps>1QBZhC?!bvmIUhdbkkGb@hAG?$7Gk=d&1b zotdQpDuy%j07&tXg|4Y=#-I$NmX(u)dY*_1$tPkdvJb_>Xze+*2M3w{bHpGgu6FI zgnU^Omd{IapUL9YEo~|~vv$?eE2E3}(le=Gs?Y?XI!@bOBPS zfHxHI6Zd_g;D;@zV%z&9Xb?6hw!&u%s=q=hq~(&bo0S)=Ai{ z4F7~Ju_FyX=@r)LW~OpQ5&h>YT7(wL7Dg~DpIL=Z`V`s&dCF^eV1*U^fkJY9%D+nD)!r!u@4%tSmFC9nM@UC*5DkR0W2(EC%R zqFuP{?M%~2jzUYe_G)5}52Ohkav_@DN#3XOs1Epxf_~J=9!x5 z+J{f)RI6^1bx_%OKHEKZ12vb2@$t^{0yVGSL}tD$z(sHdu7gnQ_8uInN!3V`; z-p7?+RtWu69dn%;eeFa^{!bOC4}rhHV&4!-`}4tn&hqd7lIb@1AUE~D^yHrnwWr7O zHK2^CYK>2+8vdU(#*+>t0AyA8S^tm4@$a7&2I_FDg!xrj|8yq*OYabP)`xQYJErpw zF#Fqif+7hxPf%{uN2vc=r+ytT^!Sa9RgOA{P$C7>|L&BXw z_HcVjq3kqxiJa?_+m%%kC9s~&Ux_-N;`J=(lRz^j{71UB6i#;{PFSH@5AHQ9LZ_Q$3?0UXd`kSb;u1Hre zf1W1_=jsBwLRg3-0Jlv(d3t-b*@Uvj4zAU|@>xE*spMZ#^qWhw-z>O@Z)Zo-Yu1Ep z$0+q7k#2n@fkl4xL2+w{-D*bYd_wIx?S!}LS6CATiHchXSe1B@sGjU)ai1+2eLPuWFtX}6|huTx$pH}#*V&^R9(Rtkf!N{GPzdXJIiSIMA zbP{uod=4TVu4qZGlYWMBJtaLY(`%H4qpVB9?X zko`9xxki7Y@EKs@ZXDQI{|gX7+;&;r?Db*Iv9Zl<^UVqgxDZt36A?R?%o|xE+tXa~hNQwBr3n9L+`-=wQL6HY1tOCdSn(cP|gD>~BrDHCXD^fHyU| z0Z#~TOFqqEK>XvQ#PNO=`m8Z7nC1m+0;^?$A`?+m$OPztq4=Rt{h|IcX%7@o(Rz)V zjGf@5B>}nZhW5#XbIMGL42;gDqGe*kC6L&NXccc8_CDSS{leSsa?p5P)0MX`a%CkP z`6l9m!j93Lk@ss~+AT-GruUY}h9_%dO=eOR3b7V7k{rCwv9ALj4~|xvwri#BUyl-I 
znxCDyUg7s0C&XfOJw{%D&v>r-0rVJN{Cw3deKEdIS8to9P!`@C?>Hi=xa35_cnRb>>$pthyPXNe)EdS{qC$>3mfRl|F89ii zLlJKMAZ}jgk%USZDLe}eGpCOIILY4kBcP1wCN2<6tNJ})WO^`VF%)B~F~5M!-C?*k z=I%k9h6olz(IU};U+M}4Nx(-X1Vfv>WX57BTq$D+$z-d`M?9q~q%A2>rg?8(+|w;% zC?)FWFM$>*h$bn~<8ih4?taQ8z47Sv;qegH)#8h0RirwxFnF!d0y9Q?Dle`r_wTsO9@xVQ7Kxs@yJ>+Pj2F(>O1vB5m;;^kKxuq zIc=8K>+%{svv7UwD6V+)aHccyLz$WWw~y#%(yf#hfx1SAqw&>_QJO=qWm6g5V=&Uo z82i#)EzlK*bQDCPOs%9M`M2JUf^MVIIifo?31ub~y)Oq8g+gQ0Pn`-Zza5sOx^m9Q zCI?Eg=VhE$VYzhGOq1qVf37WHQa)m0uuCo43SY zAOvbQA+cVgIofk2%ki z#y!taMeL)g&V%7T!d8V?6iJiK+^b2xit?3P4TFhUzOBqV(5j@LFOEyEgxMnMXnWVc zX-w=j^nRChC(%>#=I4^`mEM`k_<7|g=(?I(Qwqga>li*q_?*0<$cS-8l3%&-9XQT_ znaV%xGQ!&kUO%s(*I>&aOf4!{%{X*W;c{sy8`xt<$VE-I6zbS4skTfMd-u`QaV_ky zka5v_G`koL#WuW}czwY^zIy;>>TP%ZR+_;j9181B)7ghv!>W1$MTaU`B5+DZZ!{*W zM=b>I^~NWKrE+~7t0v}=(HuM-XN{1};j6MB9-6fW$VHh0tAW4lQ-e!K@S{tZ8mXf4 zz2YztBw+(v4IGx2s+yMmO;{GdMg4%7ocu`RESb-^K5=_M1f`tI(t%thUGG!IAjV?mbz#D35s8%h9yO|vmT6orHLQkFXF7R|wWG!EOUzRex?24`%&E~f_+ zr{gX%^qQix@fJOY6$pthGReJ|6S+MPLmp!Qg>A1TU-^)HI3wvk?r?dp#Axyra{04LWwasg6-tgHDk*6FDPKN^= z3Tc9NdzrLeZPNR(O@$~JHHCf}kEoC8#o4qCZ3P+m!JTM&%VXTZ^TjK5`p zvnJ{DhbS2wZjB!w7k^-JT0nuvl13s)Okfty%cb;lUYJmHNwY_+<`$6$rDjCSofak9 zK|a5!6m`B%KwGvs-+l?%{*LL}d|5f|h+Ho)gnGWon`YTkU!++>UnMckwO5Rv>RGu` z1Xoo5Gf>O%?f@+g>YW$k13>wi_A`izt}fNi&EEfv|5jo6#&n}^7J=6qxrQq=1Z2M8 zVWU*s<<9kK((Gh)^{T^v|FAJfBXbNk0nMhNK-MJP>einCo(+Y|D+6!<13pD&yU2s9 z==6m1)Be)dp3mb%?&r1vj!c(rXH2d1)`1_AG4vJXVQW`mx|*LY?Z|g8N1PZr^YW{5aMwB(6yh`>8vBC(>k?PnP*J zJ1eL08evN}LtQn1U21NNgQT8vG9dN)mGlH|*>gwBdDm-1b1{RfT2B1}T#7s8KU0qI zZzyH$1AL@5M0RZ8Karihe8=CtlfI1Iij@CkEbR(==k=T=BN)=jG~io~832*ujPbxR zZn}tLHjkmf*|9BCq6+oWYL=gSoHsalDWSJ}bp<~t8G4qSRVArHgVFX3Pbs^~ENLjZ zHy>IM4mwPXZQOOrV#0`Ny#yN+0OdzTam+engqGdf=zq@E_bvFoUks2;b_e%^>m;i!MKgEPBxX8{~+Ol%POXHIDPD3}}^&w^}#<34z z#^br2zJhG@e4_S=fm{v z=%w1)F0Oj{ctRxjXL5;@AveqMCA}6!tFn_Yq%H*nq9HqFOJr&R5ygaA` z(^H~+79KM`wz#=vJt{^$F<=r^F?kWZWVVK!10u$oR#C%7g6Ph#bFtDb-KEhP_1s-> 
z3T62bKRe#5KW=Ab(98~wwUYVjaYZ?~y&;j*(|JRfRc*t!$fW)e7?F$+G)L=ZHbGQS zN`@b*Gi%l{SJV9|{=@y&p>Oy)ljZGR+3-nS5du+TQK@~4cmnd8mS629D!6BKM4ZPf zPY+Z?ygiU!RxwG_X=Z6XjBl~vt`&jY*fZI5-= zyKfPMv8f z489*klafH?yK!<{P$^EzR~(FEgv<<$Fv&{iT{6nlQ;ka4=ZHocis2C)HP-VdmifJ_l1Q|#QW1GsZrj_pJCmILHC_BnrR8K}eQO=TL;e^jS8zo8 za<5DVrOIt%mxHXWZ&*;nfe>-u8h(_QxH{tkZ+m^8ak$#|$udrjAzM3-t0M8i?3zDakNGU?ucZoV~t4=?F;*ASfrjHhCa zpO4l1Q)r(jiwnF-@p97~hI%W1?2S9MBOt?s{ZvuQnPFuU<~cB`n#os0b6)j~P@Ls> zIb0)wx#1Dq52+g7b?hb>x?(mC8KU$R0bTph2)&DU4}81B)WS(u&DjIK-Pvh(xu17H zz)`o-m9Zr~)gNf*2tPuFW*9o@ZZur^ZinzlnCz8g6Zv)(WXdP-b`D8c@h-V;;O&}2 z%HvMSi>`cjc6sk z5&JcuavFfR$>4Ng!Nbn>!mQ|Bdv>|9Vonm`2cG6$mJh)8Hl<7h>zb5kn`s-nDZG*P zErYsGUni6A)vx5f@5v>o3Hi}G^V2e?D4o2J~` zlibY~bt9$c4)l5;Ml+reo8JnVbyBfc^Qefl(J?aL5|~0a`^ueT+;hq7&~*qEc6tlO z;U}D>lkNI_u&!W=z;M2wuGxr%#B+%a0x?c!5#P_&cAW%Jah!GwxNdjk!`egakKI^y zH5)&_eO^U_CX^xeEl2ucXJgl$6g{1&{&eSbCp ztAmTG!7G%DsO7ghjQN2wN{8yhmkeqq33vLf@!#*^UL*^QF$ADrzi2rN zPw#)bWBkh6bS)g1^p@C5+s_t*!Ff6xLW8TF)>?hldY;eq^BU|-CTKAp8FFx#jQAD} zf1ll|c#f1Z#&Fwx>G#Nx7GGLz5ds@y#R%T_yg2%e`IK*567MaL)~Kx@{kU`aBhe0 zzQLxmd3z8=9`MYKVCxkugmYsN41QlsE}!t>q@#<}pXIaF9k$x5eUA^y=M0g)^2gLS z(_e32_+tLJ;d<$HnW*~q^~-2}>m)~SeN?>f#K2ePK#h)(px`#;*s{HamRO6jd)9%g z_ZE*Q1Rp$wZ6n@d$sEx`n*mi+;p}zVugjWNzwk7KyT5J0i3ng|_>LPMVSn*qe^DP! 
z>lzX(z1FOE^tf3WbaruzJF|e~oHa8wHn?GPgPEfk)mVN> zeqM_2TGj20&4zNA>z>t~v_aEY>800(=8A%~P5aPJ;E_l@9~_o{DlGfV>HEX-RR1&g z(~X;$>m#8nMaFr~!;jQp)nFpS>&cCG?&;;P-*^f)VZq9q=0n>Z`(}Jd^aLkb*mnsc zWjqf}TI@$1DoK-@6F>{cR3=r|t(ltbJALFWiPbS*ujb(b6UKk?q+D|E@^3`K~g%UTNFm`6)h#XvkLZ44`=2JYoVOlw0i+HmZO;*KzQh5$dNL=K<97L`tr{tQdN3M z@%JHbUsTcaym7Ja_=RNDoATztHNBcM@97yfg{U*C2uQ(K5PV6+z$K_v`NgPgwd7@* znAErLzT}e$JioqqV}8i}^$G~@;K1Tsi=D5;rQ=7Xhy!-3Fd5#6cTVk=|IkF<{Bg{N zD;m<|Oi!XFy+q$5lJA-21@AZeO7o6ozRlyhUaC3RJ=hvdr&xAlTLzi2Y%aU7sr4y< zHpR(+cw6YvNQ>~~R_D$!uox%`TO@XUlgMA$Cgl!)KYzJjwkcVu45_G!8&<5Q=(p=S zo8Qn!3YiLeH1Hq&l&VP_@IWRgw6!??HB7?SpF-j`?iH@QtT>|4YA)8?0R|{6RY1KU z@feNg-q0C@YL!B;A;~m>bR2Gpn-q{&Rq)dUoh(YS!j4F$sC)qj&K18t%1S>6!yiR5 zrr8h0f7H%8b>v$b+c-@k()9)%`<0x6iYEdIl#e!tU$XF%=*MtrLM3QB0uKF|!4sII zkr6~d5wn=prL|4|d4n2*Zw>j;J%(xMT3z-&=cVW~1R>8c5*2h9b^31@6OgU61z7fE zh%TIRF_!0B*(Uc|v#L`P;$(LE3F+%oNxqh?Y;0l{i{Rh_f$HRnCOz*BpA789mib|m z=F|GccIEovcXP%!I|%UdWC!k^@vSLpN-3IXtPu)*6KY5$tLWE{oVfeF3N8%Bs1`H> zI3|~eACDA&EMlDHmYI{AfrKB2AHKIczT(3!ZNcm|Q8N*wVMjjwCY2e7##PFwJaut< z5EL+cKkNIwr)MiPNYq|lU-RcD$A%qE#T@_Q3{^u|A;Nu-Uqr_JR2ZVF95L7|el9U$ zEcg-J>~y!wUA3BVt$U*VWY@J=hDH8~#%xF7fO-`M7pyTb%vle^5TbnIov&GW;^>QQ zd`Rh{kPb%Bt7Gt)nFEH7H*jw#>{1~39xcn>LN>kOm3_(D@WbCkw5)?-dPeHkr;`S@ zxq@#=O3d}9;HW*ocPlnOZtt_*6tY!{?0o*s4}XH->EGwXT=m1R8+(afu;Ct+UROh}JhLmcvCw=?&*&2Q}D z0}2}+R3=w)&TtB#;*2$#PhA(=4eN~lV(olH&}pRG&@k!Z3kPFD&&*k!Ftv_YwR0MJfy41V$sHT3*p100p`C0nc3NN9czZ{e<;};!*y&V7-eM~jCXZ=M{*`v z(T861bGU}|c-n+aRrrGH=-OaF@jNi;i#gILyK??}A~D%x`WWVjrTcKLOVD*0 zbhk7D|81K8^ham(cwU9AdpT%FW54HzFN>f36B5$G9oj}nIM{AdDv{-{K6iy5l@MBo z3qD$#+;~?Ga`;?eezok4F!9Gn7@}=*%oEvd);g*sh4OWH`n35sX|H>E>gzNxA0$Mj4A(mewU)JG`FW$DmW z{B?Rar7C71dlk@OTzFIljhu5``j-W>8br``LO&E=h?nb0ZkXy4tukF26VkV99h;rU z4rFm&ZL*#AW_Kj(wia1n<<5AKB4ei{;i~Ow8e%F})%Qk~l;f(@E3qXYl7>r|)=3V# zTBs4WM4R+)gYheZ_9L7wb1ZK9T+ik$hnsCd=ds8kM zmWIW$UlK>E;nHZN!lx+bF(89k)In5BTxLAU9m($S>#CV24&&!odk1OrEB2Nl`ap1s zPt{4nw}4PJ!@JMI&xAw;^rKxSU&LcoFaaUFV`+{zr12GuWbq5LTo!om-LMriM3S@u 
zJQEqHJG|fD?l8o1^a-N}o+EV1)tFNvP>8~dW<3iIo5z5=rjPt7Lc6V|5%{p=?6OZK z%%z2&L=aD#q9izWn~taUbcSa-R&zMv-~JqfqDO!WH2Gq0UKQKDey;b?KKU{Ve^L?w z60?hh?%;)Or$hIm#MPe+2;L*acp-0pYl6*a$D5EQ%UPKyc);TqUeMg+J{WZU=G>5R z(}yvmbP#Vm3I!~xI(Dutnz15ibCT2M+&p< z9J_aI?R&Rb9w$dN8cMhx2IKx3gvwk?FEa<57S==fWdt2ali!eZvZO|rhc$-=(W5CY zi=I3WEE+-MIk}9*ocY9$f*}5zr5!AMK*BdZWUCUkZTNO%P#shZetJz_%Gq>bznu4e zEYuj0>r51P(-V>Sw!u!%wLoq9?Cl_>Eu!(;A6v3Pxh^N8kW*sfz z1wwL2s_t1T@v#}t1jeKM^0!^gw5$TyLmb#mk!7BMe8?Jvuc~n8$BAYv{46j#cl6$W z0_r_Y%kJym)n$ve*i9nIuqgQa(^2npX5manJ((7k3RD}FUz%jumkCIFwKQdk?>QER zs8YD}v92D@pGdbqR*U<*kgzgkQ3LrbJB*^mK_TG3 z!h)XHb#6qpfx-7(80^0$67_2QIdHeS9Jh9e8uGoG^obQK>K8`V5OI_d6n&|rQsI;6 z3UwdLRCF#I)a0M`xtD)E4|g!`Bt<6AkUor7W|FtOt|F%->Zrmhu8HTDX{C#uPNXgd zc`gQJ^l`tab+yfqy4|}h%{_g)f}N&=#X+ERN-QKjP7oxEQ6@gfE`jAeDU&gpKA~Af zeAd{1|6XWTvN9VxsdDAjm4&buvh{6!-Zm#bdYWE-2?o41-NDp0j!H2qT#&DD_9K{v zvRP$~%HmGSxY!icFDk@$Zb~Oba!gW^u$C>|nCmXCjgQ;L*weNvO_k;tq=kHhlZk}Hph{m9hf?==V ze>D29jVjCEW_!8p&HB$4c1b5*Wu6o$Zv*=a?t_YsOPnKA!mdR0MUJu>V`UQ_d*Jfg z8e@2tE)4J4{l96Dj|pM^B;iPKfDp;`L))a$VO}Kx4vkNh)2o3Q0WaU1jghs*D4-mr z*~+PUEZU3~$XR3lNbh)E}biS0#=iukO*eDKyw96$OsoP#aTCYDpIj15$2t~w(mgd8;%Qcffg zKzpM(%{D%S1Ia*l374-=9}f^t=?ehsDD=`4f!;`RjV2vkt!soi0gWygVQ0)<2`+PRh6GC8>f$KPq!p zyC=I_JEQG}t10f~-%?I)Uy%srB_ADYI!48@LM}IJ>gE%M4(ljNIBi9nzSI;KwH^>k z@n8Ef>o78Pn-ubMQZBI3vWFu-VNH$S&~_LWY0bW#CYp*b_2d7!%*DttEYtcU0qeZ& zMPgg6Xs_?lr^B)E1E$D?n;UwmCszYY4Pgkz!pacw&12=b1${#5lOnlT`jza{wg~yb z#!LL1zzq1fOWs|(&Jldm*WWLHt?J#}Zett1#}xPs+4R1yRaj~5j*ms)zfd?tC8dUtvj#jn2X@&>B`pah3C6RTS zFwhmJx{XSO>(QeMA_3w?eW?r$xM-!EO9}bC;y~3NqV-^26RWlsF(9)*633eCLJONi zo+LKaYc?;gwol<~i*ahMQR>uxJr4xzEo^~CY|uG zVo16$$9i?GbI;T|coUehIMPDv+0oHTarVY>;%LflA4+q1M}7A3Ah%HmV}PihaE|Xb zIpJ=6Wy5@R7U&Wd+|%yaGSb@0I;L5h-q^09$)M<%C;W;76(L5`Bl)dNhN-R48RsHO zONB!E%sd3NPJ3Dl=%7QIaEfJQUL|(Dw=?Jl_83?i`@m1cA3;Fk{-c)eEyR}FNUyqX z&VS;1hzyiZ_#Ou)RmVzD(UL?1LWxT}tgGqSSuNnmBlDeOCvtCjwZo{9*gdN7jL^u6ap$ypRFNFGf@`h_w*~T zVFGEhid9k_uGdcV%1bquD`wnC68q{1V7X`0xVtrd(cozcQfU1rXO~f?kwAA@G&J_` 
z4_bG%>cgC_yV9CGl8oCCK+;ftsnAh1yiNJ$+7O!0=9SX(oQwU^F@IZz@3yJ^hKv|g z`!o>GEt;=lQVh3EqUCn=zvTGR4+@66C`StS%pODymh~C6k^Eo2XVeqv$48UYI%U-G z=6GwgV%@*>u7bcHOoy1!eNGzlv`H{P%oW0ho0>))RTxSA!0&RZc(3JOE9q9R^yy&l zg4}w1Ag9lMp7XKW%EG{ax{u2G66{i1_9Gs>%xHU}4MU8%iezO6_=sK3{GiXry2fWs zrTsFs^Tia4o%MOVam9Y0Wrgf%_W-+C<7U!}w6WRdGa082MDC`eCPTiNOV^JNeG-D+ zdSyn}CtZ>p#*S=5+nJU?d<7^3Pp%GzZNTnVQ0`7du7BJQ+rA***>K><@UTc-_8j#N zCK%;q-Y?;@@c8s}A~H-p_3(I%4-|GO$Z)APA9@|1z4>zDV2&We$Kw#XvvxwdA*)jX z1-%ZKLny|RFLx6YIDB`0+FJY%G-3PygC=(VMib$(MS=LLhz1`}c|tjH75w)HGwW>o ztL39%Y3IQf$aD(zdaNdQ67K!UkNWtg>KgI*D7M>f$Od9XXka|1%fRWJHi} z*e1yU$^zp=b*}A}8T}TFr*=u9nV+hq|Cnoice9Qlo0* z4*iZ20>OtE`(4+FWy5cyKLs`tJXDr9yctGA)-Z@_O2tdBXr4ICr0z0_GWNDjBnEHC=OqGR&$ui}JimWhPtp>-96zI@raL^*H;?2Ixt$Fms-) zci*6kVLoMeCz)w_r+QF{4cc0=8a=sk@?`yvM7)E0?%Hn)kUNl*gLp#COQM(K)a{Vw;rmr<@9)eU*=M3% zS$a&N68ULmiCGIZ&<-{^R2~{;*OTAERp8(?RNmS>+ukEtVOFy=-28?|t=!5(wDW2r zG~Ts^P}(tf_kNPbnv;Mo{_r-+A*r#fGV+o7PykO9QGKPnjOkb@Z|r+E0l7)n&p{qC zh(m4T^q#Yjl1&ql#61vVEIg1*HBjtoVdbMdX>NdRCGhH#?Up9Wp2LgBR7;@0b^MK+ zBLjTdOh~!sMys#!@85Gc9NF4e@>;<0ShVMU>frQheRl#FzYaL$?_)Qo<&rbHo*Gt7 zRPK&cMQP`5wYOX4bib-)vML?B&__fi0IiKp^bkpsVL+a9RZ_Uz)R_sr`Xa8bBbU!s zcka4^eES)rzFW#}rkpC0(DV+TM)2nTUrGQ`zMt>`0VuV#f^=dn*iygp(jd;%*nQqn zKHits>n(+l;F5#1w9Idxi(EEF?HxI@x`h!#KdNN;y$vCcl;aHVIt_{gQCZT&tU;#1 ziCBrI&QFDM9FI4B939c{^ss60P(tTevR>0oproE`D$S#T_f0EMha1Rwjhz#T!9SHJ z4;fZejt}@vnS6t|-}Q1mF`7>{bpuLu>=~^%>3NPcn&qR3$7lFpK_AuyO?ay5!L55; zcp@OrKiz5Me{Zs2V|gwt8~j*I0D4l*=6XcG-Qy?8iK=|%+#I(VMPQ6d4xY*2(O@|E zNqy+}U7h#&L~`%NikW?{TT29fEC^{Ve;XI1c zO74<2XY+he(3^Q&1mdwc$|u*Do{Qb}^p^7|aUeCI{tz4PEW;I}9ksRMiKuy3aEI-) zTXxMV|DC-OWx&;-0N!+w)2x2!!GGp*W;-zZ9H>-e;On5qPGi3RnLUMmJEoAaK%Qa+6Gc!?wff9?|U9H@zfiyyAi(0U89P& z@^M1jhINF>!-W}4IaYiqDf4H~sf*2lj>qd|$3WtA+nPw)??qh62(0y<$BdaVWCKLs zRqbhB!W8eKlM6}st(p$&62``inu!4mvgN;>ZuIH~82Xx>r;PY6l1R7s_S|p^hORz5 zCw&?7^o7?Reem;i3+r5SC*#?u#>e+sgL%2A*FC7b5^8924X7wL2#VFEy%ZX}mzeQ% zw+tEq&k(CiY5Jmi*ZiM!h6h@ON}_r~`m!;BG$TsWiukR(}i1fl@q 
z0cpmyI`dFMG@00PPM(Xf#2*xU0`-?idl&^&S}%oXxwq4;4E&)0E+C@p*EsF^WZdo> zQE3j@qsb*Z07|`;hY%uBjT3yfpZ4Oo5xM{hk|ciEWKEHaB()9Ov9}Ypk@w#Prq+l( ziU#|XeicNh3Cw=fxQ)e7Id4_Bb|c;X0>i*lh(%VEm;Y2$7$n|+JUse`PUy-;#|h9u zPJ-Zt!W|z@kA6fEChNnBO|o1RDI!j6(W9@&hJwfu3e3>L=1G4Q9`BzGDwp~>E!>yZ zEM6teO2?}sfI%XPlWKI6KeDSHuUPOe3wt{|^k)e2PAb(Z))4(WyFSY0oRQYT+)7|G zZCIr^EoO00fUw-GB(Vsicw0=ar*RB2d@rS_nv}O$M+xKc)M430f zvv95HZ5UM?Laf%E8`z2+`k6*Yv*8>~H}9w`wjrI!oUkXeQDT8j)eG@Vt7+l4tIQ3T zCBV(IPsB@G%9zf<-pieej=trqSGx5Ky_C|Z&sDT_vfQ&kf9+MB_Lq^Qc(0f0aQ?Ti z0(H^1REV0iQF(=F22S__5K9#9w{F7nqP)JBz1ihlPV-|7H<+G60JxncIF`}nuT3=eWuIaH=ZlYVOr&exB?;X z$;;v2sas&dbfhv`zWeH(%2VrfE*!LrM}jP$k|p%I5%x3zpX4eGe~t;Jy8KLJ zSnazd)BLHyzAWK$Z*33SSeNY)KhmUAN1 zmaA=>X#2NjMu-t|&E%^&>}4Bkr^zW{d|et>@qYN|MJizb3+u@sQXzpxu6EmJTWlPb z@zuyx@)CAE8UOYT-ZZvIK|i%|?`K2$wOT7pQfAzK8pabU*gTBzq3o-<<#^X55!imw zZHV%k5V{F{XeDe6&jI}$7>g>s7)ol7+f~#{gVjz$Jrc@;@BS`;JqY}Cd$!i$bEJJuLL?~7 z-CwWN?B?|^3Za8trJwm}g82aD?29gR#~7bkkAr5>|3v6kNK?b@7|vx-W5=AUDb0MoG)p{4bRgFjlowp zYQ}6Z3>=M9-V_zg5S!+euGLQ51|c8NV&;tsI8v|ZH2sw4Ncncg&c;0(feDP$*dZsu ziHbL;5w8uZ*7?~m69LizB1%7ZVWOFrS0PVUw^5&1qhWNb3T zor9c9|H^iR)^0(IJ@J#a;zU>o{pP@SziK^aX;C6%g<-m*zjFnJ_X7~J8 zE(Eg(gVK#%E?6UT{mI+dSK71+Op6WLAM{r9_-{k+TF1;#3{9W1$x{Ew2mc;GKD-Op z^69_}kwrJYF+bLDTL#$`vCCM?8$V2&SH zVm*_DNVtUUBg}0#((F0u)P0QhC>j%H)!eF?W*KIBX3aJ!MI5EOZM>79<(Q_=>EggOtXagx z(jDvI`%9g&Va03!NHqNmNQeeK%Kr;UECgiz=B>SIO^t}_i9eP4RMW;tV{v=;&4h&C z{WeDSi(n*Y8%@-Wsr6EsT@<$CJtM8-k=aU%10F~rW`jmAZta3IWm-c-y{0R{%cPuv z?xITN9*I@!)>h0^ulA)-nH4yVlZtMbj+qKU(nuEbq0COk0}l`s`(DJhS9+!eIk?d{ zHZhB~?P;(Wk;Q(&u`J|WnaTcr_Ah5!eeS?uDiQHhLI@Q*4rIO$l zdd;_`F9HA-q3!W-niukmDxmf;g7ZZB`*?2Q_jFZ!3}R zYV(qH9qv|s#&TqMmbb}cklIu?7PLVmWSRFnFfX6lV9D6Vo!@ccXE&37$aOD&zvPMT z{HqIL|L($}8&YGS3#0Whcb?x^R*-S)`fLm^UR_kWt2Vzfi0|AQ>AO2DpF=`)6=}YKiq(EX>Tdv?)svcYfX1f7uy)MT?_G0Db zSa)dtaDJuz@7ry{X6}4(V6mXE9@HAm8sotM+(ZzlGd{{Y3QnsZP8pYBS@&(k${{t# z@gq%@3S643s-h)2vu)!a^h1b==8CZJKWfNj(@PvExvt@I({cbixyyNEb!5+*{Pq>oJ21b1&w~WC7Y=s+b`3nNldhtXO|*8;58c>j2(fIh8-m` 
zm4xr$dpu(=O){zJ^HpHNAZ|*aVRX+EHwb2NCqGpW0#rwm1|!U%7e=$Ls`9k(p5H~Y z?;GzpJQu~YXGmj`qCzUd{U+`?>K3jSMDlLmzq4LeinEQo!npEN#5i_$hX`N${~m-> z&cV&p@1PDzt@+eN9m0u+NWP{ykBy5rp7kOsFX?u!H7XiWehQ!+H~GDyWv53oV#`Xf zN<5Iv>;+Ed2YtW5f8mZRT-W?t9HtW{hc~mkXHaE$6K~>(to9Oxlxtb}FSPKyDY)>e~w5oRrA>P|f$<|A${O04a z#G!4q;PW(#trh0mgZnd=alq8z2!mwW)YWCCJG$xLJ&KU~k{OcUQQg&=q$IdG!{u|A zx@!BMn4WR!6V;;OH-{FDSbsu4Qmy7X$V%{XO8Ssy^c5)_4<#_eWKtRQAtWKh7RkFb za|1?MVJgc`vrs*NhBK?T9m$!#ZI?pYj>Zdi(%*9G#V_vkVHDyZaU-L>vTrxZBa`_> z-fdMA$vY>0vsbK4T%S!ua)bnQ2{i3~MnGo14?i5t$JA54W<)6PfbC$pXsz(UBrh%D9?4t7Fh z{;Km%eH z&T-ai%Q!N9E#@@L9`(_Lany0Zd<3ZPe!I2G%;8d6GDpZ;rx+mwZY6(VK=c>hz^zx9 zy>PD&6ovz(oNOkG&i-~pgktKB4CPr^cr>b-Ywf_?w&+d638ETT<}i8!Q);|@*A=Y+O$+6V7h;U z4;Ih3{{kQNZ@e)wKWuW+^*C0IZx}NKs(_Be!M_M~?zn6_)z@+p6Hi3ZH`kdz1l>2C z0|EhigLCM3`uCL z-MMvVoNREs{OuK|Mni|eFk%&%Qom?L>eX-*Dc!dZkPC>0wQTh40sG^2a<~68)ZThu z@G(bV1Rc#|ds@(Yu_<9(Cw+^Qr~MMSVz?nf5+AJ#>?#Q?G|sVSUw)i+qmZxOYRUdZ zLOPA7J)}M-*zL}QssKyW!o2N%Pl8|QXbz)U)qRm=k?hC=zZ@h)?dibwBfmR$YjDUP zhWBOVX84SE#pGusaBv8DP%vWDImHMWLVHL{wZb&b{&5%*R~*nZbLIVk9Sd4KY{cF6@ugKZKHGUI%pE>&wTRFZHb_^=Hs-?1|$1PCLjbo^BH!a&QQFT{bz|)NUv(lH! z3veJx^c?fwiQ=!z{43weV2b>Tcx#0)aH-n!sBvJbMyy% z{No6~uYM^YtJf}^?>ZFc{==KjcyN>lr9Z3-xzzsVBLCQ%jx0Mc1NC>2#Q#1fTu^&c zxG$E=ucbQWbo&2RApb@uIADcNIYhguxBocU-zV2!5)(w>-M3kw9r+I!1oaOFf#=$b z{SO%A=nc>s=la7}e+ruD$gYNmHzK_`=tZ4rsk+F zV@>=2HmArJxNvm7xg`J4Gynce_L+dzXt*xO*_Z#{=BNn%hCRO^iI=$DKFE9q{78z) KiIxlN`~N@jIy%(= literal 0 HcmV?d00001 diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md index 9614253eb..cbf507584 100644 --- a/src/courses/delta/02.md +++ b/src/courses/delta/02.md 
@@ -15,8 +15,8 @@ To conduct the delta process, the following items are needed: 2. A guidance file (XCCDF): a. Download either a DISA STIG Benchmark from the appropriate site. -::: note Using Generated Profile Stubs -Although not a requirement, it is recommended to use a generated profile stub from the `saf generate inspec_profile` command to create a skeleton profile structure based on the XCCDF benchmark guidance (STIG or CIS). This ensures consistency across profiles. +::: details What if there is no existing InSpec profile? +If the InSpec profile for your target of interest does not exist, you can generate the profile stub from the `saf generate inspec_profile` command to create a skeleton profile structure based on the XCCDF benchmark guidance (STIG or CIS). This ensures consistency across profiles. For more information on this command, refer to the documentation for [`inspec_profile`](https://saf-cli.mitre.org/#inspec-profile). diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md index 03fc80d90..7a192b740 100644 --- a/src/courses/delta/04.md +++ b/src/courses/delta/04.md 
@@ -58,16 +58,46 @@ From these results we can gather that: New guidance often contains new controls that weren't previously defined. In this case, running the delta process generates the control stubs with all metadata, except for the describe block (code) content. -Suppose we want to update our [RedHat Enterprise Linux 8 STIG Baseline](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline) from [Version 1 Release 14](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline) to version 2 release 1. +Suppose we want to update our [RedHat Enterprise Linux 8 STIG Baseline](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline) from [Version 1 Release 14](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/releases/tag/v1.14.1) to version 2 release 1. #### Step 1: Collect necessary files -![File directory containing an inspec profile, and XCCDF XML file, and a profile summary JSON](../../assets/img/Delta_Class/use_case_2_1.png) +![File directory containing an inspec profile, and XCCDF XML file, and a generated profile summary JSON](../../assets/img/Delta_Class/use_case_2_1.png) +This include the profile summary JSON file generated used `cinc-auditor json redhat-enterprise-linux-8-stig-baseline > profile.json` #### **OPTIONAL**: Run update_controls4delta -If we were to run the update controls method on this profile, we would observe the following output: +Running the update controls command on this profile can give us information on what needs to be updated: +`saf generate update_controls4delta -X rhel_8_xccdf.xml -J profile.json -c ./redhat-enterprise-linux-8-stig-baseline/controls` + +![update_controls4delta output](../../assets/img/Delta_Class/use_case_2_2.png) + +From this we can gather: +1. No existing controls needed to be renamed in the new STIG guidance (366 controls with correct identification, 0 processed files). +2. 9 controls were removed in the updated STIG guidance (9 skipped files). +3. 
1 new control was found in the updated STIG guidance. + +From this output, we know that the Delta command needs to be run, because Delta is able to generate files for new controls and make any changes needed to the other controls. #### Step 2: Run Delta +Use the `delta` command to perform a delta on the profile and the STIG guidance file: +`saf generate delta -X ./rhel_8_V2R1_xccdf.xml -J ./profile.json -r ./report.md -o ./redhat-8-updated/` +In this case, we will be outputting a report file to `report.md` and the updated inspec profile to the `./redhat-8-updated/` directory. + +You should receive the following output: +![Delta command output](../../assets/img/Delta_Class/use_case_2-3.png) + +The `["+","SV-268322"]` indicates that a new control was created with the ID SV-258322. + +After running the command, you should see the following: +![Generated files and folders from delta](../../assets/img/Delta_Class/use_case_2-4.png) + +1. `redhat-8-updated` directory: A folder container the updated inspec profile. + ![Updated profile output directory](../../assets/img/Delta_Class/use_case_2-5.png) + a. A `controls` directory containing all of the updated and new controls in the STIG guidance file. This does NOT contain removed controls so no further modifications need to be done. + b. A delta.json file containing a JSON formatted summary of the delta process. +2. `report.md`: Markdown report containin formatted version of delta.json summary results. +3. `saf-cli.log` a log of the SAF CLI output from running the command + **Process:** Run `delta` [return to top](#41-use-cases-for-running-delta) 
@@ -76,6 +106,31 @@ If we were to run the update controls method on this profile, we would observe t Running update controls may result in no controls being updated or no mappings being found from baseline X to baseline Y. This could be due to the baselines belonging to different platforms, or too many revisions were released between the two baselines, creating no way to map between them. In this case, use Delta with fuzzy matching. +In this use case, we will be mapping the Windows Server 2019 STIG profile using the Windows Server 2022 STIG guidance in order to determine how much of our old profile we can use for this new profile. The controls between these two profiles share no similarities, and there are no legacy tags in which we can correlate them together. To find out how much of our old profile we can use, do the following: + +#### Step 1: Collect necessary files +![File directory containing an inspec profile, and XCCDF XML file, and a generated profile summary JSON](../../assets/img/Delta_Class/use_case_3-1.png) + +#### Step 2: Run the delta command with fuzzy matching + +To enable fuzzy matching, use the `-M` flag and specify the controls directory using the `-c` flag: +`saf generate delta -X ./windows-server-2022-v2r2-xccdf.xml -J ./profile.json -r ./report.md -o ./windows-server-2022-stig-baseline -M -c ./microsoft-windows-server-2019-stig-baseline/controls` + +The output is long, but what's important is the results and statistics section: +![Delta fuzzy matching command output](../../assets/img/Delta_Class/use_case_3-2.png) + +We can observe that: +1. Delta found 266 total matches and mapped these matched controls over into the new profile. +2. Delta was unable to find matches for 6 of the controls in the Windows Server 2022 STIG guidance (No Match Controls). + +Of the 273 controls specified by the Windows Server 2022 STIG guidance, delta found mappings for 266 of them. 
This means that about 97% of the Windows Server 2019 profile was able to be used for the Windows Server 2022 profile. + +Similar to use case 2, there should be the same generated files: +1. `windows-server-2022-stig-baseline` directory containing a `controls` directory with the mapped controls and updated metadata and a `delta.json` file containing a summarized report of the delta process. +2. `report.md` +3. `saf-cli.log` + + **Process:** Run `delta` [return to top](#41-use-cases-for-running-delta) From 73c1b5e6b4be4d8de93a2e27bced4872a6e432ba Mon Sep 17 00:00:00 2001 From: Daniel Medina Date: Thu, 12 Dec 2024 15:45:01 -0500 Subject: [PATCH 62/71] more fixes + image link fix --- src/courses/delta/02.md | 2 -- src/courses/delta/03.md | 6 +----- src/courses/delta/04.md | 2 +- 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/src/courses/delta/02.md b/src/courses/delta/02.md index cbf507584..e4a2de82f 100644 --- a/src/courses/delta/02.md +++ b/src/courses/delta/02.md @@ -23,8 +23,6 @@ For more information on this command, refer to the documentation for [`inspec_pr This command is similar to the Chef InSpec [Initialize a new profile](../beginner/03.md#creating-the-profile), but it uses the XCCDF content to configure (generate) the profile controls metadata and [supporting structure](../beginner/02.md#the-structure-of-an-inspec-profile). ::: -The [Delta CLI Tools section](./03.md#31-cli-tools) covers specific requirements for both the `delta` and `update_controls4delta` commands. - ## 2.2 Glossary of Terms For definitions of terms used within the Delta Process, refer to [Terms & Definitions](../profile-dev-test/27.md#terms--definitions). diff --git a/src/courses/delta/03.md b/src/courses/delta/03.md index 0ee4cce16..e85ae1f93 100644 --- a/src/courses/delta/03.md +++ b/src/courses/delta/03.md 
@@ -80,8 +80,4 @@ saf generate delta --help For more information on these commands, refer to the following documentation: - [update_controls4delta](https://saf-cli.mitre.org/#delta-supporting-options) -- [saf generate delta](https://saf-cli.mitre.org/#delta) - -::: warning Delta Process Limitations -The Delta process has been tested using DISA XCCDF STIG Benchmark Guidances only. -::: +- [saf generate delta](https://saf-cli.mitre.org/#delta) \ No newline at end of file diff --git a/src/courses/delta/04.md b/src/courses/delta/04.md index 7a192b740..4cec9e9b3 100644 --- a/src/courses/delta/04.md +++ b/src/courses/delta/04.md @@ -68,7 +68,7 @@ This include the profile summary JSON file generated used `cinc-auditor json red Running the update controls command on this profile can give us information on what needs to be updated: `saf generate update_controls4delta -X rhel_8_xccdf.xml -J profile.json -c ./redhat-enterprise-linux-8-stig-baseline/controls` -![update_controls4delta output](../../assets/img/Delta_Class/use_case_2_2.png) +![update_controls4delta output](../../assets/img/Delta_Class/use_case_2-2.png) From this we can gather: 1. No existing controls needed to be renamed in the new STIG guidance (366 controls with correct identification, 0 processed files). From 6d10d7ca9cd03b6541ed20e2e6cee1030e1dd349 Mon Sep 17 00:00:00 2001 From: Joyce Quach Date: Thu, 12 Dec 2024 14:16:25 -0500 Subject: [PATCH 63/71] Update actions/setup-node@v3 to v4 Signed-off-by: Joyce Quach --- .github/workflows/cypress.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml index 69c167e0b..9a0d0f066 100644 --- a/.github/workflows/cypress.yml +++ b/.github/workflows/cypress.yml @@ -10,7 +10,7 @@ jobs: uses: actions/checkout@v4 - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: 22 cache: npm From 58e1dae9cccd49e5d0e5d275b49bc0a0e0fe34f7 Mon Sep 17 00:00:00 2001 
From: Joyce Quach Date: Thu, 12 Dec 2024 14:54:13 -0500 Subject: [PATCH 64/71] Update Markdown files to use actions v4 Signed-off-by: Joyce Quach --- src/courses/advanced/09.md | 4 ++-- src/courses/advanced/10.md | 20 +++++++++---------- src/courses/advanced/11.md | 4 ++-- ...peline for Validating an InSpec Profile.md | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/courses/advanced/09.md b/src/courses/advanced/09.md index 6ba8b7372..8064b6297 100644 --- a/src/courses/advanced/09.md +++ b/src/courses/advanced/09.md @@ -81,7 +81,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -137,7 +137,7 @@ jobs: # save our results to the pipeline artifacts, even if the InSpec run found failing tests - name: VALIDATE - Save Test Result JSON - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: path: results/pipeline_run_attested.json diff --git a/src/courses/advanced/10.md b/src/courses/advanced/10.md index 15f258db5..bbf17f586 100644 --- a/src/courses/advanced/10.md +++ b/src/courses/advanced/10.md @@ -26,7 +26,7 @@ First, we need to make sure that the node that runs our pipeline will have acces # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 ``` @tab `pipeline.yml` after adding more steps @@ -62,7 +62,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 ``` ::: 
@@ -128,7 +128,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -195,7 +195,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -277,7 +277,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -335,7 +335,7 @@ Let's run InSpec: # save our results to the pipeline artifacts, even if the InSpec run found failing tests - name: VALIDATE - Save Test Result JSON - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: path: results/pipeline_run_attested.json ``` @@ -373,7 +373,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -418,7 +418,7 @@ jobs: # save our results to the pipeline artifacts, even if the InSpec run found failing tests - name: VALIDATE - Save Test Result JSON - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: path: results/pipeline_run_attested.json ``` 
@@ -623,7 +623,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -668,7 +668,7 @@ jobs: # save our results to the pipeline artifacts, even if the InSpec run found failing tests - name: VALIDATE - Save Test Result JSON - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: path: results/pipeline_run_attested.json diff --git a/src/courses/advanced/11.md b/src/courses/advanced/11.md index ed1204393..d91e38fa9 100644 --- a/src/courses/advanced/11.md +++ b/src/courses/advanced/11.md @@ -67,7 +67,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -112,7 +112,7 @@ jobs: # save our results to the pipeline artifacts, even if the InSpec run found failing tests - name: VALIDATE - Save Test Result JSON - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: path: results/pipeline_run_attested.json diff --git a/src/courses/advanced/Appendix D - Example Pipeline for Validating an InSpec Profile.md b/src/courses/advanced/Appendix D - Example Pipeline for Validating an InSpec Profile.md index 29fb6f780..a37570ce0 100644 --- a/src/courses/advanced/Appendix D - Example Pipeline for Validating an InSpec Profile.md +++ b/src/courses/advanced/Appendix D - Example Pipeline for Validating an InSpec Profile.md @@ -57,7 +57,7 @@ jobs: aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} aws-region: us-east-1 - name: Check out repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Clone full repository so we can push run: git fetch --prune --unshallow - name: Setup Ruby 
@@ -83,7 +83,7 @@ jobs:
 with:
 command_string: 'validate threshold -i spec/results/ec2_rhel-7_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml'
 - name: Save Test Result JSON
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 path: spec/results/
 ```
From 1360b1a0c648915ed2578b7660620096718a53a2 Mon Sep 17 00:00:00 2001
From: Joyce Quach
Date: Thu, 12 Dec 2024 17:06:38 -0500
Subject: [PATCH 65/71] Revert version change
Signed-off-by: Joyce Quach
---
 .github/workflows/cypress.yml | 2 +-
 src/courses/advanced/09.md | 2 +-
 src/courses/advanced/10.md | 14 +++++++-------
 src/courses/advanced/11.md | 2 +-
 ...le Pipeline for Validating an InSpec Profile.md | 2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml
index 9a0d0f066..69c167e0b 100644
--- a/.github/workflows/cypress.yml
+++ b/.github/workflows/cypress.yml
@@ -10,7 +10,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v3
 with:
 node-version: 22
 cache: npm
diff --git a/src/courses/advanced/09.md b/src/courses/advanced/09.md
index 8064b6297..9fcb639c0 100644
--- a/src/courses/advanced/09.md
+++ b/src/courses/advanced/09.md
@@ -81,7 +81,7 @@ jobs:
 # checkout the profile, because that's where our profile is!
 - name: PREP - Check out this repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v3
 # double-check that we don't have any serious issues in our profile code
 - name: LINT - Run InSpec Check
diff --git a/src/courses/advanced/10.md b/src/courses/advanced/10.md
index bbf17f586..4fc0622aa 100644
--- a/src/courses/advanced/10.md
+++ b/src/courses/advanced/10.md
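Review bot: The `actions/setup-node@v4` → `v3` change in `.github/workflows/cypress.yml` does not revert anything from the preceding commit, whose diffstat lists only the four course Markdown files, so this hunk downgrades the repository's live CI rather than restoring the docs; if the aim was only to undo the Markdown edits, drop the hunk and keep `uses: actions/setup-node@v4`. If the downgrade is deliberate, the commit message should say why, since `actions/checkout@v4` on the line above stays on the newer major. Both `uses:` lines reference the actions by a mutable major tag; pinning third-party actions to a full commit SHA with the version in a trailing comment is the usual hardening for a workflow that runs on every push. The diffstat also shows the revert is partial (2 lines per Markdown file against 4 in the previous commit), so the course snippets now pair `checkout@v3` with `upload-artifact@v4`, which is worth stating in the message if that mix is intended.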
@@ -26,7 +26,7 @@ First, we need to make sure that the node that runs our pipeline will have acces # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 ``` @tab `pipeline.yml` after adding more steps @@ -62,7 +62,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 ``` ::: @@ -128,7 +128,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -195,7 +195,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -277,7 +277,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -373,7 +373,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check @@ -623,7 +623,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check 
diff --git a/src/courses/advanced/11.md b/src/courses/advanced/11.md index d91e38fa9..7c0d2e318 100644 --- a/src/courses/advanced/11.md +++ b/src/courses/advanced/11.md @@ -67,7 +67,7 @@ jobs: # checkout the profile, because that's where our profile is! - name: PREP - Check out this repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 # double-check that we don't have any serious issues in our profile code - name: LINT - Run InSpec Check diff --git a/src/courses/advanced/Appendix D - Example Pipeline for Validating an InSpec Profile.md b/src/courses/advanced/Appendix D - Example Pipeline for Validating an InSpec Profile.md index a37570ce0..dbb4769cf 100644 --- a/src/courses/advanced/Appendix D - Example Pipeline for Validating an InSpec Profile.md +++ b/src/courses/advanced/Appendix D - Example Pipeline for Validating an InSpec Profile.md @@ -57,7 +57,7 @@ jobs: aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} aws-region: us-east-1 - name: Check out repository - uses: actions/checkout@v4 + uses: actions/checkout@v2 - name: Clone full repository so we can push run: git fetch --prune --unshallow - name: Setup Ruby From 2c6a8d70e8e09858eb638ffe2251217885beff8e Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 12 Dec 2024 22:04:07 -0800 Subject: [PATCH 66/71] all the test kitchen ones Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/15.md | 8 +- src/courses/profile-dev-test/16.md | 3 +- src/courses/profile-dev-test/17.md | 35 +++--- src/courses/profile-dev-test/18.md | 11 +- src/courses/profile-dev-test/19.md | 2 +- src/courses/profile-dev-test/20.md | 115 ++++++++++++++++-- src/courses/profile-dev-test/21.md | 179 +++++++++++++++++++---------- src/courses/profile-dev-test/22.md | 150 ++++++++++++------------ src/courses/profile-dev-test/23.md | 120 ------------------- 9 files changed, 330 insertions(+), 293 deletions(-) delete mode 100644 src/courses/profile-dev-test/23.md 
diff --git a/src/courses/profile-dev-test/15.md b/src/courses/profile-dev-test/15.md index 7b634b18f..83070fb4d 100644 --- a/src/courses/profile-dev-test/15.md +++ b/src/courses/profile-dev-test/15.md @@ -1,7 +1,7 @@ --- order: 15 next: 16.md -title: Understanding Test Kitchen +title: 15. Understanding Test Kitchen author: Aaron Lippold --- @@ -77,8 +77,6 @@ We use two main testing configurations: Failed: 1: Passed: 5: ``` - ## Behind the Scenes: System Access @@ -88,3 +86,7 @@ To enable testing, Test Kitchen makes minimal system modifications: - Sets up appropriate access protocols: - SSH for Unix/Linux systems - WinRM for Windows systems + +## Where do we put it? + +We put our Test Kitchen code that we use to assess our InSpec code in the same repository. The example that we will be working through for the next few sections will use the [RHEL 9 InSpec repository](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline). diff --git a/src/courses/profile-dev-test/16.md b/src/courses/profile-dev-test/16.md index 0dc021f15..31f50c925 100644 --- a/src/courses/profile-dev-test/16.md +++ b/src/courses/profile-dev-test/16.md @@ -1,9 +1,8 @@ --- order: 16 next: 17.md -title: Test Kitchen - Understanding the Create Stage +title: 16. Test Kitchen - Create author: Aaron Lippold -index: true --- ## Test Kitchen Create Stage diff --git a/src/courses/profile-dev-test/17.md b/src/courses/profile-dev-test/17.md index 488cb1e1a..052859db7 100644 --- a/src/courses/profile-dev-test/17.md +++ b/src/courses/profile-dev-test/17.md @@ -1,9 +1,8 @@ --- order: 17 next: 18.md -title: Test Kitchen - Converge +title: 17. Test Kitchen - Converge author: Aaron Lippold -index: true --- ## Learning Objectives 
@@ -18,7 +17,9 @@ By the end of this section, you will understand: The `converge` stage applies system configurations using infrastructure as code (IaC) tools. This crucial stage transforms your environment from a base state to your desired configuration. -> **Key Concept**: Think of the converge stage as "applying your recipe" - it takes your raw ingredients (base system) and follows your instructions to create the final dish (configured system). +::: info Let 'em cook +Think of the converge stage as "applying your recipe" - it takes your raw ingredients (base system) and follows your instructions to create the final dish (configured system). +::: Supported configuration tools include: 
@@ -44,44 +45,46 @@ We implement two distinct configurations using 'wrapper playbooks': - Ansible Galaxy dependencies - Custom roles and requirements -> **Note**: While some hardening tasks are disabled for testing, this doesn't compromise our security validation goals. +::: note While some hardening tasks are disabled for testing, this doesn't compromise our security validation goals. +::: + +## Hands-on Practice -## Container Converge +### Container Converge -Our container strategy utilizes two RedHat UBI8 (Universal Base Image) variants: +Our container strategy utilizes two Red Hat UBI9 (Universal Base Image) variants. Take a look at the SAF's [RHEL9 InSpec profile](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/tree/main) which also includes our Test Kitchen and Ansible code that we use to test that our InSpec tests work properly. 1. **Vanilla Container** -This container uses the `registry.access.redhat.com/ubi8/ubi:8.9-1028` image from RedHat's community repositories. +This container uses the `registry.access.redhat.com/ubi9/ubi:9.3-1610` image from RedHat's community repositories. It represents a standard, out-of-the-box configuration. - - Community maintained - Standard configuration -1. **Hardened Container** -hardened: This container uses the `registry1.dso.mil/ironbank/redhat/ubi/ubi8` image from Red Hat's Platform One Iron Bank project. +2. **Hardened Container** -It represents a security-enhanced configuration. +This container uses the `registry1.dso.mil/ironbank/redhat/ubi/ubi9` image from Red Hat's Platform One Iron Bank project. +It represents a security-enhanced configuration. - STIG-compliant - Regular security updates - Platform One certified -## Hands-on Practice Try these exercises: 1. Compare the contents of vanilla and hardened playbooks -2. Identify key security configurations in the RHEL8-STIG role +2. Identify key security configurations in the RHEL9-STIG role 3. 
Examine the wrapper playbook structure in the spec/ directory -### Summary +## Summary - Converge stage implements your desired system configurations - Multiple implementation tools available (Ansible, Puppet, Chef, etc.) - Two primary configurations: vanilla (baseline) and hardened (security-enhanced) -- Container implementations use RedHat UBI8 images with different security postures +- Container implementations use different images with different security postures -::: info Next Steps: Practice running the converge stage with both vanilla and hardened configurations to understand the differences in outcomes. +::: info Next Steps +Practice running the converge stage with both vanilla and hardened configurations to understand the differences in outcomes. ::: diff --git a/src/courses/profile-dev-test/18.md b/src/courses/profile-dev-test/18.md index 02b48d4fa..867acde6e 100644 --- a/src/courses/profile-dev-test/18.md +++ b/src/courses/profile-dev-test/18.md 
@@ -1,16 +1,17 @@ --- order: 18 next: 19.md -title: Test Kitchen - Validate +title: 18. Test Kitchen - Verify author: Aaron Lippold -index: true --- -## Test Kitchen Validate Stage +## Test Kitchen Verify Stage -The `verify` stage uses the `kitchen-inspec` verifier from Test Kitchen to run the inspec profile against the test targets. +The `verify` stage is when we are able to use Test Kitchen to validate that our InSpec profile was written properly. -For this stage, the inspec profile receives a set of tailored `input` YAML files. These files adjust the testing for each target, ensuring accurate validation against the expected state and minimizing false results. +The `verify` stage uses the `kitchen-inspec` verifier from Test Kitchen to run the InSpec profile against the test targets. + +For this stage, the InSpec profile receives a set of tailored `input` YAML files. These files adjust the testing for each target, ensuring accurate validation against the expected state and minimizing incorrect results. They are located at the root of the project and are named something like `kitchen.inputs.yml`. diff --git a/src/courses/profile-dev-test/19.md b/src/courses/profile-dev-test/19.md index 08e0f12d0..382de54a2 100644 --- a/src/courses/profile-dev-test/19.md +++ b/src/courses/profile-dev-test/19.md @@ -1,7 +1,7 @@ --- order: 19 next: 20.md -title: Test Kitchen - Destroy +title: 19. Test Kitchen - Destroy author: Aaron Lippold --- diff --git a/src/courses/profile-dev-test/20.md b/src/courses/profile-dev-test/20.md index 45ace5336..7f4af4c96 100644 --- a/src/courses/profile-dev-test/20.md +++ b/src/courses/profile-dev-test/20.md 
@@ -1,24 +1,117 @@ --- order: 20 next: 21.md -title: Test Kitchen - .kitchen/ Directory +title: 20. Test Kitchen - `kitchen.yml` File author: Aaron Lippold --- -## The `.kitchen/` Directory +## Understanding the `kitchen.yml` File -The [`.kitchen/`](/.kitchen/) directory contains the state files for Test Kitchen. These files are automatically generated when you first run Test Kitchen. +The [`kitchen.yml`](./kitchen.yml) file is the primary configuration file for Test Kitchen. It outlines the shared configuration for all your testing environments, platforms, and the testing framework to be used. -### Understanding the `.kitchen/` Directory +Each of the subsequent Kitchen files will inherit the shared settings from this file automatically and merge them with the settings in the child Kitchen file. -The `.kitchen/` directory is crucial for managing the state of your Test Kitchen instances. It includes configuration and state information that Test Kitchen uses to manage your test environments. +## Example `kitchen.yml` File -### Using the `.kitchen/` Directory +```yaml +--- +verifier: + name: inspec + sudo: true + reporter: + - cli + - json:spec/results/%{platform}_%{suite}.json + inspec_tests: + - name: RedHat 9 STIG v1r2 + path: . + input_files: + - kitchen.inputs.yml + <% if ENV['INSPEC_CONTROL'] %> + controls: + - "<%= ENV['INSPEC_CONTROL'] %>" + <% end %> + load_plugins: true + env_vars: + - "CHEF_LICENSE=<%= ENV['CHEF_LICENSE'] %>" + +suites: + - name: vanilla + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml + + - name: hardened + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml + +transport: + max_ssh_sessions: 6 +``` + +# Breakdown of the `kitchen.yml` file + +```yaml +--- +verifier: + name: inspec + sudo: true + reporter: + - cli + - json:spec/results/%{platform}_%{suite}.json + inspec_tests: + - name: RedHat 9 STIG v1r2 + path: . 
+ input_files: + - kitchen.inputs.yml + <% if ENV['INSPEC_CONTROL'] %> + controls: + - "<%= ENV['INSPEC_CONTROL'] %>" + <% end %> + load_plugins: true + env_vars: + - "CHEF_LICENSE=<%= ENV['CHEF_LICENSE'] %>" +``` + +This first section configures the verifier, which is the tool that checks if your system is in the desired state. Here, it's using InSpec. + +- `sudo: true` means that InSpec will run with sudo privileges. +- `reporter` specifies the formats in which the test results will be reported. Here, it's set to report in the command-line interface (`cli`) and in a JSON file (`json:spec/results/%{platform}_%{suite}.json`). Note that variables will be templated into this filename by Kitchen to help you differentiate between the different testing configurations you're iterating over. +- `inspec_tests` specifies the InSpec profiles to run. Here, it's running the "RedHat 9 STIG v1r2" profile located in the current directory (`path: .`). +- `input_files` specifies files that contain input variables for the InSpec profile. Here, it's using the `kitchen.inputs.yml` file. +- The `controls` section is dynamically set based on the `INSPEC_CONTROL` environment variable. If the variable is set, only the specified control will be run. +- `load_plugins: true` means that InSpec will load any available plugins. + +```yaml +suites: + - name: vanilla + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml + + - name: hardened + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml +``` + +This section defines the test suites. Each suite represents a different configuration to test. + +- Each suite has a `name` and a `provisioner`. +- The `provisioner` section specifies the Ansible playbook to use for the suite. Here, it's using the `ansible-role-rhel-vanilla.yml` playbook for the "vanilla" suite and the `ansible-role-rhel-hardened.yml` playbook for the "hardened" suite. 
+ +```yaml +transport: + max_ssh_sessions: 6 +``` + +The last section allows you to configure attributes of the transport. In this case, we're setting the maximum number of parallel SSH sessions. + +## Environment Variables in `kitchen.yml` + +- `INSPEC_CONTROL`: This variable allows you to specify a single control to run during the `bundle exec kitchen verify` phase. This is particularly useful for testing or debugging a specific requirement. -Refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section to learn how to use the `.kitchen/` directory effectively. This section will guide you on locating and utilizing the login details for your test targets stored within this directory. +# Recap on Kitchen Stages -### Key Points to Remember +The workflow of Test Kitchen involves the following steps: -- The `.kitchen/` directory is automatically created when you run Test Kitchen for the first time. -- It stores state and configuration files necessary for managing test environments. -- Understanding the contents of this directory can help you troubleshoot and manage your test instances more effectively. +1. **Create:** Test Kitchen uses the driver to create an instance of the platform. +2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. In this case, it's using Ansible playbooks. +3. **Verify:** Test Kitchen uses the verifier to check if the instance is in the desired state. +4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file. diff --git a/src/courses/profile-dev-test/21.md b/src/courses/profile-dev-test/21.md index 08250aaa0..2ad522407 100644 --- a/src/courses/profile-dev-test/21.md +++ b/src/courses/profile-dev-test/21.md 
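Review bot: The breakdown in `20.md` stops at `load_plugins: true` and never explains the `env_vars` entry that forwards `CHEF_LICENSE` into the InSpec run, presumably a value a learner must export before `kitchen verify` runs cleanly; add a bullet after the `load_plugins` one such as `- env_vars passes environment variables through to InSpec; here it forwards your CHEF_LICENSE setting so the verifier can read it non-interactively.` and list `CHEF_LICENSE` next to `INSPEC_CONTROL` under "Environment Variables in `kitchen.yml`". The link target in `[kitchen.yml](./kitchen.yml)` presumably does not exist under `src/courses/profile-dev-test/`; pointing it at the file in the RHEL 9 profile repository introduced on page 15 would resolve. The sentence `This is not shown in your file.` in the Destroy step addresses a reader who owns the file; `This is not configured in kitchen.yml.` fits the course voice. The `# Breakdown` and `# Recap on Kitchen Stages` headings are H1 while the rest of the page uses H2, which may render as separate top-level entries in the generated navigation.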
@@ -1,100 +1,157 @@ --- -order: 21 -next: 22.md -title: Test Kitchen - `kitchen.yml` File +order: 22 +next: 23.md +title: Test Kitchen - `kitchen.ec2.yml` File author: Aaron Lippold --- -## Understanding the `kitchen.yml` File +## Understanding the `kitchen.ec2.yml` File -The [`kitchen.yml`](./kitchen.yml) file is the primary configuration file for Test Kitchen. It outlines the shared configuration for all your testing environments, platforms, and the testing framework to be used. +The `kitchen.ec2.yml` file is instrumental in setting up our testing targets within the AWS environment. It outlines the configuration details for these targets, including their VPC assignments and the specific settings for each VPC. -Each of the subsequent kitchen files will inherit the shared settings from this file automatically and merge them with the settings in the child kitchen file. +This file leverages the AWS CLI and your AWS credentials, environment variables, and settings that you should have configured as described in the [Environment Setup Guide](./03.md) section. -## Example `kitchen.yml` File +## Example `kitchen.ec2.yml` File ```yaml --- -verifier: - name: inspec - sudo: true - reporter: - - cli - - json:spec/results/%{platform}_%{suite}.json - inspec_tests: - - name: RedHat 8 STIG v1r12 - path: . 
- input_files: - - kitchen.inputs.yml - <% if ENV['INSPEC_CONTROL'] %> - controls: - - "<%= ENV['INSPEC_CONTROL'] %>" - <% end %> - load_plugins: true +platforms: + - name: rhel-9 + +driver: + name: ec2 + subnet_id: "<%= ENV['SAF_PIPELINE_SUBNET'] %>" + security_group_ids: + - "<%= ENV['SAF_PIPELINE_SG'] %>" + metadata_options: + http_tokens: required + http_put_response_hop_limit: 1 + instance_metadata_tags: enabled + instance_type: t2.small + associate_public_ip: true + interface: public + skip_cost_warning: true + privileged: true + instance_initiated_shutdown_behavior: terminate + +provisioner: + name: ansible_playbook + hosts: all + require_chef_for_busser: false + require_ruby_for_busser: false + ansible_binary_path: /usr/local/bin + # require_pip3: true + ansible_verbose: true + roles_path: spec/ansible/roles + galaxy_ignore_certs: true + requirements_path: spec/ansible/roles/requirements.yml + requirements_collection_path: spec/ansible/roles/requirements.yml + ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> suites: - name: vanilla provisioner: playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml + driver: + tags: + Name: Vanilla-<%= ENV['USER'] %> + CreatedBy: test-kitchen + - name: hardened provisioner: playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml + driver: + tags: + Name: Hardened-<%= ENV['USER'] %> + CreatedBy: test-kitchen + +lifecycle: + pre_converge: + - remote: | + # echo "+++ Refreshing DNF package cache +++" + # sudo dnf -y clean all + echo "" + echo "+++ Updating DNF Packages +++" + sudo dnf -y update --nogpgcheck --nobest + echo "" + echo "+++ Installing needed packages for workflow and utility +++\n\n" + sudo dnf -y install --nogpgcheck bc bind-utils redhat-lsb-core vim git wget gcc openssl-devel libffi-devel bzip2-devel + echo "" + echo "+++ Installing Python 3.9 and Ansible +++\n\n" + export PATH=/usr/local/bin:$PATH + sudo dnf -y install python3-pip + sudo python3 -m pip install ansible jmespath + echo "" + echo 
"+++ Updating the ec2-user to keep sudo working after hardening phase +++\n\n" + sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user + echo "" + echo "+++ updating ec2-user sudo config for hardening phase +++\n\n" + sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers + sudo dnf -y install git + echo "+++ add cinc-auditor for local shell +++\n\n" + curl -L https://omnitruck.cinc.sh/install.sh | sudo bash -s -- -P cinc-auditor + +transport: + name: ssh + #https://github.com/neillturner/kitchen-ansible/issues/295 + max_ssh_sessions: 2 ``` -# Breakdown of the `kitchen.yml` file +# Breakdown of the `kitchen.ec2.yml` file ```yaml -verifier: - name: inspec - sudo: true - reporter: - - cli - - json:spec/results/%{platform}_%{suite}.json - inspec_tests: - - name: RedHat 8 STIG v1r12 - path: . - input_files: - - kitchen.inputs.yml - <% if ENV['INSPEC_CONTROL'] %> - controls: - - "<%= ENV['INSPEC_CONTROL'] %>" - <% end %> - load_plugins: true +platforms: + - name: rhel-9 ``` -This first section configures the verifier, which is the tool that checks if your system is in the desired state. Here, it's using InSpec. +This section defines the platforms on which your tests will run. In this case, it's Red Hat Enterprise Linux 9. -- `sudo: true` means that InSpec will run with sudo privileges. -- `reporter` specifies the formats in which the test results will be reported. Here, it's set to report in the command-line interface (`cli`) and in a JSON file (`json:spec/results/%{platform}_%{suite}.json`). -- `inspec_tests` specifies the InSpec profiles to run. Here, it's running the "RedHat 8 STIG v1r12" profile located in the current directory (`path: .`). -- `input_files` specifies files that contain input variables for the InSpec profile. Here, it's using the `kitchen.inputs.yml` file. -- The `controls` section is dynamically set based on the `INSPEC_CONTROL` environment variable. 
If the variable is set, only the specified control will be run. -- `load_plugins: true` means that InSpec will load any available plugins. +```yaml +driver: + name: ec2 + ... +``` + +This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use Amazon EC2 instances. The various options configure the EC2 instances, such as instance type (`t2.small`), whether to associate a public IP address (`associate_public_ip: true`), and various metadata options. + +```yaml +provisioner: + name: ansible_playbook + ... +``` + +This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using Ansible playbooks. The various options configure how Ansible is run, such as the path to the Ansible binary (`ansible_binary_path: /usr/local/bin`) and the paths to the roles and requirements files. ```yaml suites: - name: vanilla - provisioner: - playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml - - name: hardened - provisioner: - playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml + ... ``` -This section defines the test suites. Each suite represents a different configuration to test. +This section configures the test suites, which are the various configurations that are being tested. Here, we outline how to spin up our vanilla and hardened containers. Each suite contains various options such as one to specify the path to the playbook that the provisioner should use. -- Each suite has a `name` and a `provisioner`. -- The `provisioner` section specifies the Ansible playbook to use for the suite. Here, it's using the `ansible-role-rhel-vanilla.yml` playbook for the "vanilla" suite and the `ansible-role-rhel-hardened.yml` playbook for the "hardened" suite. +```yaml +lifecycle: + pre_converge: + - remote: | + ... 
+``` -## Environment Variables in `kitchen.yml` +This section defines lifecycle hooks, which are commands that run at certain points in the Test Kitchen run. Here, it's running a series of commands before the converge phase (i.e., before applying the infrastructure code). These commands install necessary packages, update system packages, and update the `ec2-user` configuration. -- `INSPEC_CONTROL`: This variable allows you to specify a single control to run during the `bundle exec kitchen verify` phase. This is particularly useful for testing or debugging a specific requirement. +```yaml +transport: + name: ssh + max_ssh_sessions: 2 +``` -# Recap on Kitchen Stages +This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using SSH and allowing a maximum of 2 SSH sessions. The workflow of Test Kitchen involves the following steps: 1. **Create:** Test Kitchen uses the driver to create an instance of the platform. -2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. In this case, it's using Ansible playbooks. -3. **Verify:** Test Kitchen uses the verifier to check if the instance is in the desired state. -4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file. +2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. Before this phase, it runs the commands defined in the `pre_converge` lifecycle hook. +3. **Verify:** Test Kitchen checks if the instance is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. +4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file, but it would be configured in the `driver` section. + +The `transport` is used in all these steps to communicate with the instance. 
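Review bot: The new front matter in `21.md` sets `order: 22` and `next: 23.md`, which duplicates `22.md` (whose unchanged front matter also has `order: 22` / `next: 23.md`) and points at `23.md`, a file this commit deletes; it should be `order: 21`, `next: 22.md`, and the title should carry the `21.` prefix the sibling pages received in this commit. The `pre_converge` script deserves a sentence in the breakdown, which currently only says it installs and updates packages: it runs `dnf` with `--nogpgcheck` twice, `galaxy_ignore_certs: true` turns off certificate checking for Galaxy downloads, and `curl -L https://omnitruck.cinc.sh/install.sh | sudo bash` pipes a remote script into a root shell. A `::: warning` block beside the breakdown of the `lifecycle` section, saying that these are shortcuts for a disposable test instance and that signature and certificate verification should stay on in any pipeline whose results you rely on, would keep learners from carrying them into production workflows. The `# require_pip3: true` line is commented out while the script installs `python3-pip` by hand; if that is intentional, a comment saying why would save the next reader a question.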
diff --git a/src/courses/profile-dev-test/22.md b/src/courses/profile-dev-test/22.md index 46d0f2d61..c3555ebd2 100644 --- a/src/courses/profile-dev-test/22.md +++ b/src/courses/profile-dev-test/22.md 
@@ -1,118 +1,120 @@ --- order: 22 next: 23.md -title: Test Kitchen - `kitchen.ec2.yml` File +title: 22. Test Kitchen - `kitchen.container.yml` File author: Aaron Lippold --- -## Understanding the `kitchen.ec2.yml` File +## Understanding the `kitchen.container.yml` File -The `kitchen.ec2.yml` file is instrumental in setting up our testing targets within the AWS environment. It outlines the configuration details for these targets, including their VPC assignments and the specific settings for each VPC. +The `kitchen.container.yml` file orchestrates our container-based test suite. It defines two types of containers: hardened and vanilla, and specifies the InSpec tests to run against them. It also configures the generation and storage of test reports. -This file leverages the `AWS CLI and AWS Credentials` configured as described in the previous [Required Software](#13-required-software) section. +Unlike other test suites, the container suite skips the 'provisioner' stage for the vanilla and hardened targets. Instead, during the create stage, it simply downloads and starts the specified images. This is due to the use of the [dummy Test Kitchen driver](https://github.com/test-kitchen/test-kitchen/blob/main/lib/kitchen/driver/dummy.rb), which is ideal for interacting with pre-configured or immutable targets like containers. -Alternatively, if you've set up AWS Environment Variables, the file will use those for AWS interactions. +This approach allows for the evaluation of existing containers, even those created by other workflows. It can be leveraged to build a generalized workflow for validating any container against our Benchmark requirements, providing a comprehensive assessment of its security posture. 
-## Example `kitchen.ec2.yml` File +## Example `kitchen.container.yml` file ```yaml --- -platforms: - - name: rhel-8 - -driver: - name: ec2 - metadata_options: - http_tokens: required - http_put_response_hop_limit: 1 - instance_metadata_tags: enabled - instance_type: m5.large - associate_public_ip: true - interface: public - skip_cost_warning: true - privileged: true - tags: - CreatedBy: test-kitchen +# see: https://kitchen.ci/docs/drivers/dokken/ provisioner: - name: ansible_playbook - hosts: all - require_chef_for_busser: false - require_ruby_for_busser: false - ansible_binary_path: /usr/local/bin - require_pip3: true - ansible_verbose: true - roles_path: spec/ansible/roles - galaxy_ignore_certs: true - requirements_path: spec/ansible/roles/requirements.yml - ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> - -lifecycle: - pre_converge: - - remote: | - echo "NOTICE - Installing needed packages" - sudo dnf -y clean all - sudo dnf -y install --nogpgcheck bc bind-utils redhat-lsb-core vim - echo "updating system packages" - sudo dnf -y update --nogpgcheck --nobest - sudo dnf -y distro-sync - echo "NOTICE - Updating the ec2-user to keep sudo working" - sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user - echo "NOTICE - updating ec2-user sudo config" - sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers + name: dummy + +driver: + name: dokken + pull_platform_image: false transport: - name: ssh - max_ssh_sessions: 2 + name: dokken + +platforms: + - name: ubi9 + +suites: + - name: vanilla + driver: + image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi9/ubi:9.3-1610" %> + verifier: + input_files: + - container.vanilla.inputs.yml + - name: hardened + driver: + image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi9" %> + verifier: + input_files: + - container.hardened.inputs.yml + # creds_file: './creds.json' ``` -# Breakdown of the `kitchen.ec2.yml` file 
+# Breakdown of the `kitchen.container.yml` file ```yaml -platforms: - - name: rhel-8 +provisioner: + name: dummy ``` -This section defines the platforms on which your tests will run. In this case, it's Red Hat Enterprise Linux 8. +This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using the dummy provisioner, which means no provisioning will be done. ```yaml driver: - name: ec2 - ... + name: dokken + pull_platform_image: false ``` -This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use Amazon EC2 instances. The various options configure the EC2 instances, such as instance type (`m5.large`), whether to associate a public IP address (`associate_public_ip: true`), and various metadata options. +This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use the Dokken driver, which is designed for running tests in Docker containers. The `pull_platform_image: false` option means that it won't automatically pull the Docker image for the platform; it will use the image specified in the suite. ```yaml -provisioner: - name: ansible_playbook - ... +transport: + name: dokken ``` -This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using Ansible playbooks. The various options configure how Ansible is run, such as the path to the Ansible binary (`ansible_binary_path: /usr/local/bin`), whether to require pip3 (`require_pip3: true`), and the path to the roles and requirements files. +This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using the Dokken transport, which communicates with the Docker container. ```yaml -lifecycle: - pre_converge: - - remote: | - ... 
+platforms: + - name: ubi9 ``` -This section defines lifecycle hooks, which are commands that run at certain points in the Test Kitchen run. Here, it's running a series of commands before the converge phase (i.e., before applying the infrastructure code). These commands install necessary packages, update system packages, and update the `ec2-user` configuration. +This section defines the platforms on which your tests will run. In this case, it's UBI 9 (Red Hat's Universal Base Image 9). ```yaml -transport: - name: ssh - max_ssh_sessions: 2 +suites: + - name: vanilla + driver: + image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi9/ubi:9.3-1610" %> + verifier: + input_files: + - container.vanilla.inputs.yml + - name: hardened + driver: + image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi9" %> + verifier: + input_files: + - container.hardened.inputs.yml ``` -This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using SSH and allowing a maximum of 2 SSH sessions. +This section defines the test suites. Each suite represents a different configuration to test. + +- Each suite has a `name`, a `driver`, and a `verifier`. +- The `driver` section specifies the Docker image to use for the suite. It's dynamically set based on the `VANILLA_CONTAINER_IMAGE` or `HARDENED_CONTAINER_IMAGE` environment variable, with a default value if the variable is not set. +- The `verifier` section specifies files that contain input variables for the InSpec profile. The workflow of Test Kitchen involves the following steps: -1. **Create:** Test Kitchen uses the driver to create an instance of the platform. -2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. Before this phase, it runs the commands defined in the `pre_converge` lifecycle hook. -3. **Verify:** Test Kitchen checks if the instance is in the desired state. 
This is not shown in your file, but it would be configured in the `verifier` section.
-4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file, but it would be configured in the `driver` section.
+1. **Create:** Test Kitchen uses the driver to create a Docker container of the platform.
+2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the container. In this case, no provisioning is done.
+3. **Verify:** Test Kitchen checks if the container is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section.
+4. **Destroy:** Test Kitchen uses the driver to destroy the container after testing. This is not shown in your file, but it would be configured in the `driver` section.
+
+The `transport` is used in all these steps to communicate with the container.
+
+## Environment Variables in `kitchen.container.yml`
+
+The `kitchen.container.yml` file uses the following environment variables to select the containers used during its `hardened` and `vanilla` testing runs. You can test any container using these environment variables, even though standard defaults are set.
-The `transport` is used in all these steps to communicate with the instance.
+- `VANILLA_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'not hardened'.
+ - default: `registry.access.redhat.com/ubi9/ubi:9.3-1610`
+- `HARDENED_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'hardened'.
+ - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi9`
diff --git a/src/courses/profile-dev-test/23.md b/src/courses/profile-dev-test/23.md
deleted file mode 100644
index 6abc9ae40..000000000
--- a/src/courses/profile-dev-test/23.md
+++ /dev/null
@@ -1,120 +0,0 @@ ---- -order: 23 -next: 24.md -title: Test Kitchen - `kitchen.container.yml` -author: Aaron Lippold ---- - -## Understanding the [`kitchen.container.yml`](./kitchen.container.yml) - -The `kitchen.container.yml` file orchestrates our container-based test suite. It defines two types of containers: hardened and vanilla, and specifies the InSpec tests to run against them. It also configures the generation and storage of test reports. - -Unlike other test suites, the container suite skips the 'provisioner' stage for the vanilla and hardened targets. Instead, during the create stage, it simply downloads and starts the specified images. This is due to the use of the [dummy Test Kitchen driver](https://github.com/test-kitchen/test-kitchen/blob/main/lib/kitchen/driver/dummy.rb), which is ideal for interacting with pre-configured or immutable targets like containers. - -This approach allows for the evaluation of existing containers, even those created by other workflows. It can be leveraged to build a generalized workflow for validating any container against our Benchmark requirements, providing a comprehensive assessment of its security posture. 
- -## Example `kitchen.container.yml` file - -```yaml ---- -# see: https://kitchen.ci/docs/drivers/dokken/ - -provisioner: - name: dummy - -driver: - name: dokken - pull_platform_image: false - -transport: - name: dokken - -platforms: - - name: ubi8 - -suites: - - name: vanilla - driver: - image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi8/ubi:8.9-1028" %> - verifier: - input_files: - - container.vanilla.inputs.yml - - name: hardened - driver: - image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi8" %> - verifier: - input_files: - - container.hardened.inputs.yml - # creds_file: './creds.json' -``` - -# Breakdown of the `kitchen.container.yml` file - -```yaml -provisioner: - name: dummy -``` - -This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using a dummy provisioner, which means no provisioning will be done. - -```yaml -driver: - name: dokken - pull_platform_image: false -``` - -This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use the Dokken driver, which is designed for running tests in Docker containers. The `pull_platform_image: false` option means that it won't automatically pull the Docker image for the platform; it will use the image specified in the suite. - -```yaml -transport: - name: dokken -``` - -This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using the Dokken transport, which communicates with the Docker container. - -```yaml -platforms: - - name: ubi8 -``` - -This section defines the platforms on which your tests will run. In this case, it's UBI 8 (Red Hat's Universal Base Image 8). 
- -```yaml -suites: - - name: vanilla - driver: - image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi8/ubi:8.9-1028" %> - verifier: - input_files: - - container.vanilla.inputs.yml - - name: hardened - driver: - image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi8" %> - verifier: - input_files: - - container.hardened.inputs.yml -``` - -This section defines the test suites. Each suite represents a different configuration to test. - -- Each suite has a `name`, a `driver`, and a `verifier`. -- The `driver` section specifies the Docker image to use for the suite. It's dynamically set based on the `VANILLA_CONTAINER_IMAGE` or `HARDENED_CONTAINER_IMAGE` environment variable, with a default value if the variable is not set. -- The `verifier` section specifies files that contain input variables for the InSpec profile. - -The workflow of Test Kitchen involves the following steps: - -1. **Create:** Test Kitchen uses the driver to create a Docker container of the platform. -2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the container. In this case, no provisioning is done. -3. **Verify:** Test Kitchen checks if the container is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. -4. **Destroy:** Test Kitchen uses the driver to destroy the container after testing. This is not shown in your file, but it would be configured in the `driver` section. - -The `transport` is used in all these steps to communicate with the container. - -## Environment Variables in `kitchen.container.yml` - -The `kitchen.container.yml` file uses the following environment variables to select the containers used during its `hardened` and `vanilla` testing runs. You can test any container using these environment variables, even though standard defaults are set. 
-
-- `VANILLA_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'not hardened'.
- - default: `registry.access.redhat.com/ubi8/ubi:8.9-1028`
-- `HARDENED_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'hardened'.
- - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi8`
From 6251f30dddca644bace0db9f970620ec807702ab Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Thu, 12 Dec 2024 22:26:31 -0800
Subject: [PATCH 67/71] pg 23 - github
Signed-off-by: Amndeep Singh Mann
---
src/courses/profile-dev-test/21.md | 4 ++--
src/courses/profile-dev-test/{24.md => 23.md} | 20 +++++++------------
2 files changed, 9 insertions(+), 15 deletions(-)
rename src/courses/profile-dev-test/{24.md => 23.md} (57%)
diff --git a/src/courses/profile-dev-test/21.md b/src/courses/profile-dev-test/21.md
index 2ad522407..94fb6c7d7 100644
--- a/src/courses/profile-dev-test/21.md
+++ b/src/courses/profile-dev-test/21.md
@@ -1,6 +1,6 @@
 ---
-order: 22
-next: 23.md
+order: 21
+next: 22.md
 title: Test Kitchen - `kitchen.ec2.yml` File
 author: Aaron Lippold
 ---
diff --git a/src/courses/profile-dev-test/24.md b/src/courses/profile-dev-test/23.md
similarity index 57%
rename from src/courses/profile-dev-test/24.md
rename to src/courses/profile-dev-test/23.md
index 42e35d0a8..9c244a1b8 100644
--- a/src/courses/profile-dev-test/24.md
+++ b/src/courses/profile-dev-test/23.md
@@ -1,7 +1,7 @@
 ---
-order: 24
-next: 25.md
-title: GitHub Actions
+order: 23
+next: 24.md
+title: 23. GitHub Actions
 author: Aaron Lippold
 ---
@@ -9,11 +9,11 @@ author: Aaron Lippold
 Our profile utilizes GitHub Actions as its primary CI/CD process. The Actions are separated by general business or process functions, allowing for a clear distinction between the workflow stages that we are testing.
-### [`lint-profile.yml`](.github/workflows/lint-profile.yml)
+### [`lint-profile.yml`](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/blob/main/.github/workflows/lint-profile.yml)
 This action checks out the repository, installs Ruby and InSpec, then runs `bundle exec inspec check .` to validate the structure and syntax of the InSpec profile and its Ruby code.
-### [`verify-ec2.yml`](.github/workflows/verify-ec2.yml)
+### [`verify-ec2.yml`](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/blob/main/.github/workflows/verify-ec2.yml)
 This action performs the following steps:
@@ -27,12 +27,6 @@ This action performs the following steps:
 8. Uploads the results to our Heimdall Demo server.
 9. Determines the success or failure of the test run based on the validation of the test suite results against the `threshold.yml` files for each test suite (`hardened` and `vanilla`).
-### [`verify-container.yml`](.github/workflows/verify-container.yml)
+### [`verify-container.yml`](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/blob/main/.github/workflows/verify-container.yml)
-This action performs similar steps to `verify-ec2.yml`, with some differences:
-
-1. Configures access to the required container registries - Platform One and Red Hat.
-
-### [`verify-vagrant.yml.example`](.github/workflows/verify-vagrant.yml.example)
-
-This action is similar to the `verify-ec2` workflow, but instead of using a remote AWS EC2 instance in a VPC, it uses a local Vagrant virtual machine as the test target. The user can configure whether to upload the results to our Heimdall Demo server or not by modifying the GitHub Action.
+This action performs similar steps to `verify-ec2.yml`, with a key additional step of configuring access to the required container registries - Platform One and Red Hat.
From 592361aa5b3a02c977939ca51bfe0a9d7dbb7cd3 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Thu, 12 Dec 2024 22:37:14 -0800
Subject: [PATCH 68/71] pg 24 - tips
Signed-off-by: Amndeep Singh Mann
---
src/courses/profile-dev-test/21.md | 2 +-
src/courses/profile-dev-test/{25.md => 24.md} | 22 +++++++++++--------
2 files changed, 14 insertions(+), 10 deletions(-)
rename src/courses/profile-dev-test/{25.md => 24.md} (66%)
diff --git a/src/courses/profile-dev-test/21.md b/src/courses/profile-dev-test/21.md
index 94fb6c7d7..b3ae927c3 100644
--- a/src/courses/profile-dev-test/21.md
+++ b/src/courses/profile-dev-test/21.md
@@ -1,7 +1,7 @@
 ---
 order: 21
 next: 22.md
-title: Test Kitchen - `kitchen.ec2.yml` File
+title: 21. Test Kitchen - `kitchen.ec2.yml` File
 author: Aaron Lippold
 ---
diff --git a/src/courses/profile-dev-test/25.md b/src/courses/profile-dev-test/24.md
similarity index 66%
rename from src/courses/profile-dev-test/25.md
rename to src/courses/profile-dev-test/24.md
index 728b4f02d..60abdd1a6 100644
--- a/src/courses/profile-dev-test/25.md
+++ b/src/courses/profile-dev-test/24.md
@@ -1,7 +1,7 @@
 ---
-order: 25
-next: 26.md
-title: Tips, Tricks, and Troubleshooting
+order: 24
+next: 25.md
+title: 24. Tips, Tricks, and Troubleshooting
 shortTitle: Tips & Troubleshooting
 author: Aaron Lippold
 ---
@@ -28,11 +28,15 @@ Test Kitchen stores the current host details of your provisioned test targets in
 #### Restoring Access to a Halted or Restarted Test Target
-If your test target reboots or updates its network information, you don't need to execute bundle exec kitchen destroy. Instead, update the corresponding .kitchen/#{suite}-#{target}.yml file with the updated information. This will ensure that your kitchen login, kitchen validate, and other kitchen commands function correctly, as they'll be connecting to the correct location instead of using outdated data.
+If your test target reboots or updates its network information, you don't need to execute `bundle exec kitchen destroy`. Instead, update the corresponding `.kitchen/#{suite}-#{target}.yml` file with the updated information. This will ensure that your `kitchen login`, `kitchen validate`, and other kitchen commands function correctly, as they'll be connecting to the correct location instead of using outdated data.
 #### AWS Console and EC2 Oddities
-Since we're using the free-tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or 'reboot in the background' if you stop interacting with them, halt them, put them in a stop state, or leave them overnight. To regain access, edit the .kitchen/#{suite}-#{target}.yml file. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address.
+Since we're using the free-tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or reboot in the background if you stop interacting with them, halt them, put them in a stop state, or leave them unattended overnight. To regain access, edit the `.kitchen/#{suite}-#{target}.yml` file. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address.
+
+:::warning Auto-generated, sensitive files
+Since the `.kitchen/` directory is automatically generated by Test Kitchen, you need to be careful not to accidentally mess up its internal workings when editing it by hand as suggested above. Additionally, be sure not to place this directory underneath version control since you could unintentionally leak sensitive information such as your ip addresses and credentials!
+:::
 ## InSpec / Ruby
@@ -46,13 +50,13 @@ When developing InSpec controls, it's beneficial to use the `kitchen-test` suite
 2. Then, insert `binding.pry` at the point in your code where you want to start debugging.
 3. When you run your tests, execution will stop at the `binding.pry` line, and you can inspect variables, step through the code, and more.
-***!Pro Tip!***
-
-- Remember to remove or comment out the `binding.pry` lines when you're done debugging or you won't have a good 'linting' down the road.
+::: tip Linter
+Remember to remove or comment out the `binding.pry` lines when you're done debugging or you won't have a good 'linting' down the road.
+:::
 ### Streamlining Your Testing with `inspec shell`
-The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section.
+The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Locating Test Target Login Details](#locating-test-target-login-details) section.
 Once you have your IP address and SSH PEM key (for AWS target instances), or the container ID (for Docker test instances), you can use the following commands:
From 11d1cd193f64a277e6907811e22cf0c9d38a3848 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Thu, 12 Dec 2024 22:47:34 -0800
Subject: [PATCH 69/71] last few
Signed-off-by: Amndeep Singh Mann
---
src/courses/profile-dev-test/24.md | 1 -
src/courses/profile-dev-test/25.md | 30 ++
src/courses/profile-dev-test/26.md | 42 +-
src/courses/profile-dev-test/27.md | 22 -
.../kitchen-workflow-dark.svg | 481 ------------------
5 files changed, 47 insertions(+), 529 deletions(-)
create mode 100644 src/courses/profile-dev-test/25.md
delete mode 100644 src/courses/profile-dev-test/27.md
delete mode 100644 src/courses/profile-dev-test/kitchen-workflow-dark.svg
diff --git a/src/courses/profile-dev-test/24.md b/src/courses/profile-dev-test/24.md
index 60abdd1a6..55cf4a2c5 100644
--- a/src/courses/profile-dev-test/24.md
+++ b/src/courses/profile-dev-test/24.md
@@ -2,7 +2,6 @@
 order: 24
 next: 25.md
 title: 24. Tips, Tricks, and Troubleshooting
-shortTitle: Tips & Troubleshooting
 author: Aaron Lippold
 ---
diff --git a/src/courses/profile-dev-test/25.md b/src/courses/profile-dev-test/25.md
new file mode 100644
index 000000000..d04297ed4
--- /dev/null
+++ b/src/courses/profile-dev-test/25.md
@@ -0,0 +1,30 @@
+---
+order: 25
+next: 26.md
+title: 25. Background & Definitions
+author: Aaron Lippold
+---
+
+## Background and Definitions
+
+### Background
+
+#### Evolution of STIGs and Security Benchmarks
+
+The Department of Defense (DOD) has continually updated its databases that track rules and Security Technical Implementation Guides (STIGs) that house those rules.
+
+Initially, the system was known as the Vulnerability Management System (VMS).
+
+In the STIGs, you might come across data elements that are remnants from these iterations. These include `Group Title` (gid or gtitle), `Vulnerability ID` (VulnID), `Rule ID` (rule_id), `STIG ID` (stig_id), and others.
+
+A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the Vulnerability Management System used the STIG_ID as the primary index for the requirements in each Benchmark in VMS.
+
+When DISA updated the Vendor STIG Processes and replaced the VMS, they decided to migrate the primary ID from the STIG ID to the Rule ID, tracking changes in the Rules as described above.
+
+Examples of tools that still use either fully or in part the 'STIG ID' instead of the 'Rule ID' as a primary index are: the DISA STIG Viewer, Nessus Audit Scans, and Open SCAP client.
+
+While these elements might seem confusing, understanding their historical context is essential.
+
+In our modern profiles, some data from the XCCDF Benchmarks still exist in the document but are not used or rendered in the modern InSpec Profiles. However, in some of the older profiles, you may see many of these data elements as `tags` in the profile. The intention was to ensure easy and lossless conversion between the XCCDF Benchmark and OHDF Profile.
+
+It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark.
Therefore, rendering them in the profile was deemed unnecessary.
diff --git a/src/courses/profile-dev-test/26.md b/src/courses/profile-dev-test/26.md
index 48ee12ecc..3cf3cca0f 100644
--- a/src/courses/profile-dev-test/26.md
+++ b/src/courses/profile-dev-test/26.md
@@ -1,30 +1,22 @@ --- order: 26 -next: 27.md -title: Background & Definitions +title: 26. Terms & Definitions author: Aaron Lippold --- -## Background and Definitions - -### Background - -#### Evolution of STIGs and Security Benchmarks - -The Department of Defense (DOD) has continually updated its databases that track rules and Security Technical Implementation Guides (STIGs) that house those rules. - -Initially, the system was known as the Vulnerability Management System (VMS). - -In the STIGs, you might come across data elements that are remnants from these iterations. These include `Group Title` (gid or gtitle), `Vulnerability ID` (VulnID), `Rule ID` (rule_id), `STIG ID` (stig_id), and others. - -A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the Vulnerability Management System used the STIG_ID as the primary index for the requirements in each Benchmark in VMS. - -However, when DISA updated the Vendor STIG Processes and replaced the VMS, they decided to migrate the primary ID from the STIG ID to the Rule ID, tracking changes in the Rules as described above. - -Examples of tools that still use either fully or in part the 'STIG ID' vs the 'Rule ID' as a primary index are: the DISA STIG Viewer, Nessus Audit Scans, and Open SCAP client. - -While these elements might seem confusing, understanding their historical context is essential. - -In our modern profiles, some data from the XCCDF Benchmarks still exist in the document but are not used or rendered in the modern InSpec Profiles. However, in some of the older profiles, you may see many of these data elements as `tags` in the profile. The intention was to ensure easy and lossless conversion between XCCDF Benchmark and HDF Profile. - -It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark. 
Therefore, rendering them in the profile was deemed unnecessary. +## Terms & Definitions + +- **Baseline**: This refers to a set of relevant security controls, such as NIST 800-53 controls or Center for Internet Security Controls. These controls offer high-level security best practices, grouped into common areas of concern. +- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on Confidentiality, Integrity, and Availability (C.I.A). +- **[Common Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. For example: 'CCI-000366'. +- **Group Title (gtitle)**: This is essentially the SRG ID but is a holdover data value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'. +- **Major Version Update**: These are updates that occur when a software vendor releases a new major version of their product's STIG, e.g., Red Hat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows. +- **Patch Update**: These are regular updates that address missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`. +- **Profile**: This is a set of tests representing a STIG or a CIS Benchmark. These tests automate the validation of a system against that STIG or CIS Benchmark. +- **Release Update**: These are updates that occur when the STIG Benchmark owner releases an updated version of the STIG, e.g., Red Hat Enterprise Linux V1R12 to V1R13. 
+- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string - ('SV-230221) and (r858734_rule)'. The first part remains unique within the major version of a Benchmark document, while the latter part of the string is updated each time the 'Rule' is updated 'release to release' of the Benchmark. For example: 'SV-230221r858734_rule'. +- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a 'class' of software products such as 'web server', 'operating systems', 'application servers' or 'databases'. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on a desired Security Requirements Guide that applies to the product's software class and function, such as operating system, web server, database, etc. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **SRG_ID**: This is the unique identifier of the SRG requirement. These indexes, like the STIG Rule IDs, also show their parent-child relationship. For example: 'SRG-OS-000480-GPOS-00227'. +- **STIG ID (stig_id)**: Many testing tools and testing results tools use this ID - vs the Rule ID - to display each of the individual results of a Benchmark validation run. For example: 'RHEL-08-010000'. Examples include: DISA STIG Viewer, Nessus Audit Scans and the Open SCAP client. +- **XCCDF Benchmark (XCCDF or XCCDF Benchmark)**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by NIST and DOD to provide a machine-readable XML format for creating security guidance documents and security technical implementation guides. 
You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/).
diff --git a/src/courses/profile-dev-test/27.md b/src/courses/profile-dev-test/27.md
deleted file mode 100644
index 496c4d319..000000000
--- a/src/courses/profile-dev-test/27.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-order: 27
-title: Terms & Definitions
-author: Aaron Lippold
----
-
-## Terms & Definitions
-
-- **Baseline**: This refers to a set of relevant security controls, such as NIST 800-53 controls or Center for Internet Security Controls. These controls offer high-level security best practices, grouped into common areas of concern.
-- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on Confidentiality, Integrity, and Availability (C.I.A).
-- **[Common Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. For example: 'CCI-000366'.
-- **Group Title (gtitle)**: This is essentially the SRG ID but is a holdover data value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'.
-- **Major Version Update**: These are updates that occur when a software vendor releases a new major version of their product's STIG, e.g., RedHat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows.
-- **Patch Update**: These are regular updates that address missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`.
-- **Profile**: This is a set of tests representing a STIG or a CIS Benchmark. These tests automate the validation of a system against that STIG or CIS Benchmark.
-- **Release Update**: These are updates that occur when the STIG Benchmark owner releases an updated version of the STIG, e.g., Red Hat Enterprise Linux V1R12 to V1R13. 
-- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string - ('SV-230221) and (r858734_rule)'. The first part remains unique within the major version of a Benchmark document, while the latter part of the string is updated each time the 'Rule' is updated 'release to release' of the Benchmark. For example: 'SV-230221r858734_rule'.
-- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a 'class' of software products such as 'web server', 'operating systems', 'application servers' or 'databases'. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/).
-- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on a desired Security Requirements Guide that applies to the product's software class and function, such as operating system, web server, database, etc. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/).
-- **SRG_ID**: This is the unique identifier of the SRG requirement. These indexes, like the STIG Rule IDs, also show their parent-child relationship. For example: 'SRG-OS-000480-GPOS-00227'.
-- **STIG ID (stig_id)**: Many testing tools and testing results tools use this ID - vs the Rule ID - to display each of the individual results of a Benchmark validation run. For example: 'RHEL-08-010000'. Examples include: DISA STIG Viewer, Nessus Audit Scans and the Open SCAP client.
-- **XCCDF Benchmark (XCCDF or XCCDF Benchmark)**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by NIST and DOD to provide a machine-readable XML format for creating security guidance documents and security technical implementation guides. 
You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/).
diff --git a/src/courses/profile-dev-test/kitchen-workflow-dark.svg b/src/courses/profile-dev-test/kitchen-workflow-dark.svg
deleted file mode 100644
index 7a552a96f..000000000
--- a/src/courses/profile-dev-test/kitchen-workflow-dark.svg
+++ /dev/null
@@ -1,481 +0,0 @@ -1
Setup
Setup
Checkout Repo
Checkout Repo
Install Tools
Install Tools
Setup Runner
Setup Runner
Configure
Configure
Setup Vanilla Instance
Setup Vanilla Instance
Setup Hardened Instance
Setup Hardened Instance
Run Test Suite
Run Test Suite
Run Tests on Vanilla
Run Tests on Vanilla
Run Tests on Hardened
Run Tests on Hardened
Record Results
Record Results
Save Tests in Pipeline
Save Tests in Pipeline
Upload Tests to Heimdall Server
Upload Tests to Heimdall Server
Validate Aginst Threshold
Validate Aginst Threshold
Validate the 'vanilla' threshold
Validate the 'vanilla' threshold
Validate the 'hardened' threshold
Validate the 'hardened' threshold
Pass/Fail the Run
Pass/Fail the Run
Threshold Met
Threshold Met
1
Threshold Not Met
Threshold Not Met
Test Kitchen Workflow - - - - - - - - - - - - 1 - - - - - - - - - - -
-
- Setup -
-
-
- - - Setup - - -
-
- - - - - - - - - - - - - - -
-
- Checkout Repo -
-
-
- - - Checkout Repo - - -
-
- - - - - - - - - - - - - - -
-
- Install Tools -
-
-
- - - Install Tools - - -
-
- - - - - - - - - - - - - - -
-
- Setup Runner -
-
-
- - - Setup Runner - - -
-
- - - - -
-
- Configure -
-
-
- - - Configure - - -
-
- - - - - - - - - - - - - - -
-
- Setup Vanilla Instance -
-
-
- - - Setup Vanilla Instance - - -
-
- - - - - - - - - - - - - - -
-
- Setup Hardened Instance -
-
-
- - - Setup Hardened Instance - - -
-
- - - - -
-
- Run Test Suite -
-
-
- - - Run Test Suite - - -
-
- - - - - - - - - - - - - - -
-
- Run Tests on Vanilla -
-
-
- - - Run Tests on Vanilla - - -
-
- - - - - - - - - - - - - - -
-
- Run Tests on Hardened -
-
-
- - - Run Tests on Hardened - - -
-
- - - - -
-
- Record Results -
-
-
- - - Record Results - - -
-
- - - - - - - - - - - - - - -
-
- Save Tests in Pipeline -
-
-
- - - Save Tests in Pipeline - - -
-
- - - - - - - - - - - - - - -
-
- Upload Tests to Heimdall Server -
-
-
- - - Upload Tests to Heimdall Server - - -
-
- - - - -
-
- Validate Aginst Threshold -
-
-
- - - Validate Aginst Threshold - - -
-
- - - - - - - - - - - - - - -
-
- Validate the 'vanilla' threshold -
-
-
- - - Validate the 'vanilla' threshold - - -
-
- - - - - - - - - - - - - - -
-
- Validate the 'hardened' threshold -
-
-
- - - Validate the 'hardened' threshold - - -
-
- - - - -
-
- Pass/Fail the Run -
-
-
- - - Pass/Fail the Run - - -
-
- - - - - - - - - - - - - - -
-
- Threshold Met -
-
-
- - - Threshold Met - - -
-
- - - - - - - - - - - - 1 - - - - -
-
- Threshold Not Met -
-
-
- - - Threshold Not Met - - -
-
- - Test Kitchen Workflow - - -
\ No newline at end of file
From dd54750a5837b743cc55b8b82703993d68d66e4a Mon Sep 17 00:00:00 2001
From: Will
Date: Thu, 12 Dec 2024 23:56:22 -0800
Subject: [PATCH 70/71] module --> class, fixing weird indentation on code blocks
Signed-off-by: Will
---
 src/courses/profile-dev-test/05.md | 26 +++++++++++++-------------
 src/courses/profile-dev-test/README.md | 6 +++---
 2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/courses/profile-dev-test/05.md b/src/courses/profile-dev-test/05.md
index f1bbfc018..a8bf539d3 100644
--- a/src/courses/profile-dev-test/05.md
+++ b/src/courses/profile-dev-test/05.md
@@ -28,9 +28,9 @@ This guide assumes basic familiarity with AWS. If you're new to AWS, please revi
 6. (Optional) Target a specific control:
- ```bash
- export INSPEC_CONTROL='SV-230222'
- ```
+```bash
+export INSPEC_CONTROL='SV-230222'
+```
 ## Running Through the AWS Test Suite
@@ -40,24 +40,24 @@ This guide assumes basic familiarity with AWS. If you're new to AWS, please revi
 7. List the kitchen instances:
 ```bash
- bundle exec kitchen list
+bundle exec kitchen list
 ```
 You should see something like this:
 ```shell
- Instance Driver Provisioner Verifier Transport Last Action Last Error
- vanilla-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None
- hardened-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None
+Instance Driver Provisioner Verifier Transport Last Action Last Error
+vanilla-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None
+hardened-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None
 ```
 ### Key Testing Steps Explained
 8. **Create** the test instance:
- ```bash
- bundle exec kitchen create vanilla
- ```
+```bash
+bundle exec kitchen create vanilla
+```
 Executing that line launches a fresh EC2 instance for testing: 
@@ -72,9 +72,9 @@ Executing that line launches a fresh EC2 instance for testing:
 9. **Converge** the instance:
- ```bash
- bundle exec kitchen converge vanilla
- ```
+```bash
+bundle exec kitchen converge vanilla
+```
 Convergence applies the necessary configurations to prepare the system for testing:
diff --git a/src/courses/profile-dev-test/README.md b/src/courses/profile-dev-test/README.md
index 09db9f566..5e17a28ab 100644
--- a/src/courses/profile-dev-test/README.md
+++ b/src/courses/profile-dev-test/README.md
@@ -10,7 +10,7 @@ author: Aaron Lippold
 ## Learning Objectives
-By completing this module, you will be able to:
+By the end of this class, you will be able to:
 - Build and validate InSpec profiles using Test Kitchen
 - Configure local testing environments for security compliance
@@ -20,7 +20,7 @@ By completing this module, you will be able to:
 ## Prerequisites
-Before starting this module, ensure you have:
+Before starting this class, ensure you have:
 - Basic knowledge of Ruby ([Learn Ruby Basics](https://ruby-lang.org/en/documentation/quickstart/))
 - Docker or Podman installed ([Docker Installation Guide](https://docs.docker.com/get-docker/))
@@ -39,7 +39,7 @@ Before proceeding, verify you can:
 ## Overview
-The development and testing of profiles are accomplished using a variety of tools, including Ruby, the Test Kitchen suite, InSpec compliance language, Ansible, Docker, and shell scripting (bash/zsh). To contribute with Pull Requests and fixes, you'll need to set up your local test suite by following the instructions provided below.
+The development and testing of InSpec validation profiles can be accomplished using a variety of tools working in concert, including Ruby, the Test Kitchen suite, the InSpec compliance language itself, Ansible, Docker, and shell scripting (bash/zsh). To contribute with Pull Requests and fixes, you'll need to set up your local test suite by following the instructions provided below.
 ### Key Tools Explained 
From 40ad023cabecda3550d71238603851042f5f3a1d Mon Sep 17 00:00:00 2001
From: Will
Date: Fri, 13 Dec 2024 00:07:22 -0800
Subject: [PATCH 71/71] typo
Signed-off-by: Will
---
 src/courses/profile-dev-test/07.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/courses/profile-dev-test/07.md b/src/courses/profile-dev-test/07.md
index b68dbfd4b..dcedf2b03 100644
--- a/src/courses/profile-dev-test/07.md
+++ b/src/courses/profile-dev-test/07.md
@@ -81,7 +81,7 @@ The choice between micro and massive PRs can significantly impact the workflows
 - **Patch and Release Updates:** These updates typically involve minor changes or additions, which can be easily managed with either micro or massive PRs. The choice depends on your team's preference for review speed and context switching.
-- **Major Version or Large Jump Release Updates:** These updates require a thorough review of every single control and requirement. They also necessitate extensive testing, both automated (via the CI/CD testing matrix) and manual. In this scenario, the overhead of managing multiple micro or mini PRs can be substantial. However, the benefit is that it allows for more granitary control and review of changes. It's also easier to isolate and fix issues that arise during testing.
+- **Major Version or Large Jump Release Updates:** These updates require a thorough review of every single control and requirement. They also necessitate extensive testing, both automated (via the CI/CD testing matrix) and manual. In this scenario, the overhead of managing multiple micro or mini PRs can be substantial. However, the benefit is that it allows for more granular control and review of changes. It's also easier to isolate and fix issues that arise during testing.
 ## Practice Exercise